Chapter 08

The document discusses installing and configuring Active Directory Domain Services (AD DS) on a Windows Server 2012 machine. It covers prerequisites, using Server Manager to install the AD DS role, selecting the server and required roles/features. It also discusses logical network topologies like workgroups and domains, and the roles of domain controllers and domain clients.

Chapter-Eight

Active Directory, configuring domain controller and domain clients

Microsoft Windows Server 2012

Outline:

• Logical Topologies
• ADDS
• Creating Users
• Installing Active Directory
• Promoting Active Directory as DC
• Adding Client to Active Directory Domain

Workgroup Vs. Domain Model

Logical Topologies
1. WorkGroup Model
2. Domain Model

WorkGroup Model: A workgroup is a peer-to-peer network of connected computers. A workgroup allows all participating and connected systems to access shared resources such as files, system resources and printers, but each system uses a separate database.
If you install any OS (client/server), by default that machine belongs to the workgroup model.

Domain Model: It is also a collection of devices that are connected physically and logically, and every computer shares a common Domain Directory Database.
To create a Domain Model, at least one server is mandatory, depending on the company's requirements.
In the domain, subject to what the server administrator allows, each and every employee can log on to or access any computer in the network.

What is Active Directory / AD DS?

Active Directory Domain Services (ADDS)
Active Directory (AD) is a proprietary directory service developed by Microsoft to
manage the authentication and authorization of users and machines on a
Windows domain network. Active Directory was first released in 2000 and runs
on Windows Server.

Active Directory stores data as objects. An object is a single element, such as a user, group, application or device, such as a printer. Objects are normally defined as either resources -- such as printers or computers -- or security principals -- such as users or groups.

Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.

Active Directory categorizes objects by name and attributes. For example, the name of a user might include the name string, along with information associated with the user, such as passwords and Secure Shell (SSH) keys.

The Active Directory structure includes three main tiers: 1) domains, 2) trees,
and 3) forests. Several objects (users or devices) that all use the
same database may be grouped into a single domain. Multiple domains can be
combined into a single group called a tree. Multiple trees may be grouped into a
collection called a forest. Each one of these levels can be assigned specific
access rights and communication privileges.


Active Directory provides several different services, which fall under the umbrella of
"Active Directory Domain Services," or AD DS. These services include:

• Domain Services – stores centralized data and manages communication between users and domains; includes login authentication and search functionality
• Certificate Services – creates, distributes, and manages secure certificates
• Lightweight Directory Services Protocol (LDAP) - provides a common
language for clients and servers to speak to one another.
• Directory Federation Services – provides single-sign-on (SSO) to authenticate a
user in multiple web applications in a single session
• Rights Management – protects copyrighted information by preventing
unauthorized use and distribution of digital content

Structures of Active Directory
Domain
• Is a logical grouping of users, computers and group
objects for the purpose of management and security
• A domain should have at least one Domain Controller.

Tree
• Is made of one or more domains with a contiguous namespace.

Forest
• Is made of one or more trees. A forest differs from a
tree because it uses disjointed namespaces between
the trees.
For example, in a forest, you could have microsoft.com
as the root for one tree. Say that Microsoft then
purchases another company called Acme (acme.com),
and acme.com then becomes the root of another tree.
Both trees could be combined into a forest, yet each
tree’s identity could be kept separate.

Domain Controller
What is a Domain Controller?

• A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain.
• It is a server on a Microsoft Windows network that is responsible for allowing host
access to Windows domain resources.
• A DC is the centerpiece of the Windows Active Directory service. It authenticates users,
stores user account information and enforces security policy for a Windows domain.
• It allows hierarchical organization and protection of users and computers operating on
the same network.
• In simpler terms, when a user logs into their domain, the DC authenticates and
validates their credentials (usually in the form of username, password and/or IP
location) and then allows or denies access.


Why is a Domain Controller Important?


• Domain controllers contain the data that determines and validates access to your network,
including any group policies and all computer names. Everything an attacker could possibly
need to cause massive damage to your data and network is on the DC, which makes a DC a
primary target during a cyberattack.

Domain Controller vs. Active Directory


• ACTIVE DIRECTORY : DOMAIN CONTROLLER :: car : engine
• Active Directory is a type of domain, and a domain controller is an important server on that
domain. Kind of like how there are many types of cars, and every car needs an engine to
operate. Every domain has a domain controller, but not every domain is Active Directory.

AD DS Installation

Installation Prerequisites

This step-by-step tutorial will guide you through setting up Active Directory on your Windows Server 2012 R2 machine. The article is divided into the following two parts:

1. Installing Active Directory on a machine
2. Promoting that machine to act as a domain controller

Prerequisites

• The Administrator account must have a strong password
• Static IP is configured
• Latest Windows updates are installed
• Firewall is turned off
• Administrator logon is required

AD DS Installation

In Windows Server 2012, you can use Server Manager to install the AD DS role. To install the AD DS role, click the Manage menu and then click Add Roles and Features.

[Figure: Server Manager Dashboard]

Before you continue, make sure you have a strong administrator password, a static IP is configured and security updates are installed on your machine. Click Next.

Always leave the default selection, Role-based or Feature-based Installation, in place when installing AD DS, and click the Next button.

[Figure: Installation Type]

The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as long as it is accessible. The local server running Server Manager is automatically available. Click Next.

[Figure: Server Selection]

Select the Active Directory Domain Services role if you intend to promote a domain controller. All Active Directory administration features and required services install automatically, even if they are apparently part of another role or do not appear selected in the Server Manager interface.

[Figure: Server Roles and Features]

Click Add Features and then click Next.

[Figure: Add Features]

The Active Directory Domain Services dialog provides limited information on requirements and best practices. It mainly acts as a confirmation that you chose the AD DS role: if this screen does not appear, you did not select AD DS.

[Figure: Active Directory Domain Services]

The Confirmation dialog is the final checkpoint before role installation starts. It offers an option to restart the computer as needed after role installation, but AD DS installation does not require a reboot.

By clicking Install, you confirm you are ready to begin role installation. You cannot cancel a role installation once it begins.

[Figure: Confirmation]

The Results dialog shows the current installation progress and current installation status. Role installation continues regardless of whether Server Manager is closed. When an installation completes, click Close.

[Figure: Results]

Verifying the installation results is still a best practice. If you close the Results dialog before installation completes, you can check the results using the Server Manager notification flag. Server Manager also shows a warning message for any servers that have installed the AD DS role but have not been further configured as domain controllers.

[Figure: Task Notification]

How to Promote a Server to a Domain Controller

DC Promotion

After installing the Active Directory Domain Services feature on your server, you can promote the server to a domain controller. If you have just finished the feature installation, the AD DS Configuration Wizard begins automatically.

However, if the feature installation has already been closed, you can start the Active Directory Domain Services Configuration Window by clicking the Tasks icon along the top of Server Manager.

In Server Manager, you can see the post-deployment actions needed to promote this server to a domain controller. Click the option: Promote this server to a domain controller.

To create a new Active Directory forest, click Add a new forest. You must provide a valid root domain name; the name cannot be single-labeled (for example, the name must be SNU.com or similar and not just SNU) and must meet the allowed DNS domain naming requirements.

When selecting the root domain, don't forget to give an extension!

Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover an Active Directory database.

When Active Directory is installed, the install wizard prompts the administrator to choose a DSRM password. This password provides the administrator with a back door to the database in case something goes wrong later on, but it does not provide access to the domain or to any services. In the event a DSRM password is forgotten, it can be changed by using the command-line tool NTDSUtil.

Ignore warnings in the DNS Options window and click Next.

In the Additional Options window, verify the NetBIOS name of the domain and click Next.

Note down the Database, Log files and SYSVOL folder paths and click Next.

In the Review Options window, review your choices, including domain name, NetBIOS name, Global Catalog, etc. Click Next.

Click Install because all prerequisites have been successfully passed.
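
The same two-part procedure (install the AD DS role, then promote the server to the first domain controller of a new forest) scripted in PowerShell. This is an added example, not part of the original slides; it uses the page's sample domain name SNU.com, and the NetBIOS name SNU is an assumption. Run it in an elevated session on the server being promoted.

```powershell
# Added example: scripted equivalent of the Server Manager steps above.
$DomainName  = 'SNU.com'   # sample root domain name from the page
$NetbiosName = 'SNU'       # assumption: NetBIOS name verified in Additional Options

# Prerequisite from the page: static IP. Stop if a connected IPv4 interface uses DHCP.
$dhcp = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected `
            -Dhcp Enabled -ErrorAction SilentlyContinue
if ($dhcp) {
    throw "Static IP required; DHCP is enabled on: $($dhcp.InterfaceAlias -join ', ')"
}

# The root domain name must not be single-labeled (SNU.com, not SNU).
if ($DomainName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "Single-label or invalid domain name: $DomainName"
}

# Part 1: install the AD DS role together with its management tools.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw 'AD DS role installation failed.' }

# Part 2: promote the server to a domain controller in a new forest.
Import-Module ADDSDeployment
# Prompt for the DSRM password; never store it in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

$params = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
}

# Run the prerequisite checks first and show every warning instead of ignoring it.
$check = Test-ADDSForestInstallation @params
$check | Format-List Status, Message
if ($check.Status -contains 'Error') {
    throw 'Prerequisite check failed; see the messages above.'
}

# Database, log and SYSVOL paths are left at their defaults here.
# The server restarts automatically when promotion completes.
Install-ADDSForest @params -Force
```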

Users

User Management

A user is a person who utilizes a computer or network service. Users of computer systems and software products generally lack the technical expertise required to fully understand how they work.

Local User
• A user account created in the local database of a computer.
• Local users are generally used in the WORKGROUP model.
• Local users can log in only on the respective computer.

Domain User
• A user account created in the ACTIVE DIRECTORY database.
• Domain users are used in the DOMAIN model.
• Domain users can log on to any computer in the DOMAIN.

Creating New User - Windows Server 2012

There are two ways:

1) Click Start → Control Panel → User account. Select Configure advanced user profile properties.

Click the "click here" button. Right-click and choose New User.

Enter the user information, click "Next", then "Finish".

How to Create a New User in Domain Controller

1. Choose Start → Administrative Tools → Active Directory Users and Computers.
2. Right-click the domain that you want to add the user to and then choose New → User from the contextual menu.
3. Enter the user's first name, middle initial, and last name.
4. Change the Full Name field if you want it to appear different from what the wizard proposes.
5. Enter the user logon name.
6. Click Next.
7. Enter the password twice.
8. Specify the password options that you want to apply.
9. Click Next. You're taken to the final.
10. Verify that the information is correct and then click Finish to create the account.
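
The same account creation from PowerShell on the domain controller, followed by a review of the password options that were actually applied. This is an added example, not part of the original slides; the user's name, the logon name suser and the chosen password options are hypothetical sample values.

```powershell
# Added example: create a domain user, then review its password options.
# All names below are hypothetical sample values.
Import-Module ActiveDirectory

$dnsRoot  = (Get-ADDomain).DNSRoot     # DNS name of the current domain
$password = Read-Host -AsSecureString -Prompt 'Initial password'

$newUser = @{
    GivenName             = 'Sample'           # step 3: first name
    Initials              = 'T'                # step 3: middle initial
    Surname               = 'User'             # step 3: last name
    Name                  = 'Sample T. User'   # step 4: full name
    SamAccountName        = 'suser'            # step 5: user logon name
    UserPrincipalName     = "suser@$dnsRoot"
    AccountPassword       = $password          # step 7: password
    ChangePasswordAtLogon = $true              # step 8: password options
    PasswordNeverExpires  = $false
    Enabled               = $true
}
# Without -Path, the account is created in the domain's default Users container.
New-ADUser @newUser

# Step 10 equivalent: confirm what was written to the directory.
Get-ADUser -Identity 'suser' -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
    Format-List Name, SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword, PasswordLastSet

# Review across the domain: enabled accounts whose password never expires.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' |
    Select-Object Name, SamAccountName
```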
Clients and Member Server

• Clients: A computer joined to the domain that runs a client operating system.
  Client OSs like Windows Vista, Windows 7, Windows 8 and Windows 10.

• Member Server: A computer that runs a server operating system, belongs to a domain, and is not a domain controller.
  Server OSs like Windows Server 2003, Windows Server 2008, Windows Server 2012 and Windows Server 2016.

Configuring Clients and Member Server
