
1

Microsoft Active Directory

2

Microsoft Active Directory Scope
- Understanding Directory Services
- Master “what is a domain?”
- ARBITRON.COM Domain Tree
- Domain Forests
- What is a domain controller?
- Is there a simple example of an Active Directory?
- Trust Relationships
- Users, Groups & Windows Permissions
- Practice What You Preach
- Organizational Units
- Group Policy Objects
- Why does PPM Standalone not work on Active Directory network?
- Active Directory & PPM
- So what have you learned so far?
- Apply what you have learned…
- The most important thing is…
- Questions?

3

Understanding Directory Services
A directory is a stored collection of information about objects that are related to one another in some way.
Network resources stored in a directory, also known as objects, can include: file servers, printers, fax servers, applications, databases & users.
A directory service stores all information needed to use and manage these objects in a centralized location.
The primary function of a directory is that users must be able to locate and use these objects and administrators must be able to manage how they are used.

4

Master “what is a domain?”
A domain is a collection of computer, user and group objects defined by an administrator. These domain-defined objects share common characteristics, security policies and relationships with other domains in the corporate network.
Trees
A domain tree exists when one domain is the child of another domain. A domain tree must have a contiguous namespace, for example birmingham.arbitron.com, columbia.arbitron.com.
Forests
A forest is a collection of trees that don’t necessarily share a contiguous namespace, for example arbitron.com, scarborough.com, insideradio.com.

5

ARBITRON.COM Domain Tree
ARBITRON.COM
  US.ARBITRON.COM
    NYC.US.ARBITRON.COM
    CHICAGO.US.ARBITRON.COM
  UK.ARBITRON.COM
    LONDON.UK.ARBITRON.COM

6

Domain Forests
ARBITRON.COM
  US.ARBITRON.COM
  UK.ARBITRON.COM
SCARBOROUGH.COM
  WEST.SCARBOROUGH.COM
  EAST.SCARBOROUGH.COM
Trust Relationship (between the two trees)

7

What is a domain controller?
A domain controller is a server that responds to security authentication requests (logging in, checking permissions, etc.) within a domain.
Smaller companies will likely only have one domain controller, whereas larger organizations will have multiple domain controllers. This allows user login requests and resources to be distributed across multiple servers and provides fault tolerance in the event one domain controller is down.
Multiple domain controllers back up Active Directory information to each other on a periodic basis. Permission changes will have to be replicated to all domain controllers before all users can benefit. This is important if you change permissions in Chicago but the user you are working with is in Los Angeles.
A single domain controller can manage multiple domain trees or forests.

8

A domain controller implements the security and intrusion detection model of an organization. In short, a domain controller says… “I am a cop, and you WILL respect my AUTHORITAH!”

9

Is there a simple example of an Active Directory?
Yes, Microsoft Outlook Contacts! Outlook stores contact information and attributes you can search, such as Name and Email address. Active Directory works under the same concept, only with a much larger scope.
Active Directory was designed to centralize large company networks into one repository where administrators can manage easily. With Active Directory users can search an infinite amount of resources without leaving their desks.

10

Trust Relationships
Trust relationships between domains are how users from one domain can access resources in another domain.
Trust relationships secure resources by grouping users and computers with like characteristics.
A trust relationship must be established when a user from another domain needs access to your domain’s resources.
Active Directory domain trust relationships are two-way… meaning I trust you, you trust me.
Formula to remember… Domain A trusts Domain B. Domain B trusts Domain C. Therefore, Domain A trusts Domain C.
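The “formula to remember” is a transitive closure over trust edges. The following is an added illustration, not code from the deck or from Arbitron: it models trusts as directed edges using the deck’s own reading of “A trusts B” (users in A can reach resources in B), stores two-way trusts as two edges, and walks the chain. It also goes one step beyond the deck by marking a trust as non-transitive (an assumption added here, the way an external trust to another forest behaves), which is honoured only as a single direct hop and never extends a chain. The PARTNER.EXAMPLE domain and all trust lists are constructed sample data; the ARBITRON.COM tree follows the deck’s diagram.

```python
"""Transitive trust model (added example; not part of the original deck)."""
from collections import deque


def two_way(a, b, transitive=True):
    """A two-way trust is two directed edges: (a trusts b) and (b trusts a)."""
    return [(a, b, transitive), (b, a, transitive)]


def reachable_domains(trusts, start):
    """Domains whose resources users from `start` can reach.

    Edge convention follows the deck: (a, b, t) means "a trusts b", i.e. users
    in a can reach resources in b.  Transitive trusts chain (A->B->C gives
    A->C).  A non-transitive trust (assumption added here, e.g. an external
    trust to another forest) may only be the first and only hop of a path.
    """
    reach = {start}          # every domain the user can reach
    chainable = {start}      # domains from which the walk may continue
    queue = deque([start])
    while queue:
        dom = queue.popleft()
        for a, b, transitive in trusts:
            if a != dom:
                continue
            if not transitive and dom != start:
                continue     # a non-transitive trust cannot be entered mid-chain
            reach.add(b)
            if transitive and b not in chainable:
                chainable.add(b)
                queue.append(b)
    return sorted(reach)


# Constructed sample matching the deck's quiz: A trusts B, B trusts D and
# nobody trusts C.  Trusts are two-way as the deck states.
QUIZ_TRUSTS = two_way("A", "B") + two_way("B", "D")

# The ARBITRON.COM tree from the deck's diagram: parent/child trusts are
# two-way and transitive, so every domain in the tree can reach every other.
ARBITRON_TREE = (two_way("ARBITRON.COM", "US.ARBITRON.COM")
                 + two_way("ARBITRON.COM", "UK.ARBITRON.COM")
                 + two_way("US.ARBITRON.COM", "NYC.US.ARBITRON.COM")
                 + two_way("US.ARBITRON.COM", "CHICAGO.US.ARBITRON.COM")
                 + two_way("UK.ARBITRON.COM", "LONDON.UK.ARBITRON.COM"))

# Constructed: an assumed non-transitive external trust hung off UK.ARBITRON.COM.
WITH_EXTERNAL = ARBITRON_TREE + two_way("UK.ARBITRON.COM", "PARTNER.EXAMPLE",
                                        transitive=False)

if __name__ == "__main__":
    print("Quiz, from A:", reachable_domains(QUIZ_TRUSTS, "A"))
    print("From NYC:", reachable_domains(WITH_EXTERNAL, "NYC.US.ARBITRON.COM"))
    print("From PARTNER:", reachable_domains(WITH_EXTERNAL, "PARTNER.EXAMPLE"))
```

Running it reproduces the quiz answer (A reaches A, B and D, never C) and shows the edge case the deck’s formula does not cover: NYC users cannot reach PARTNER.EXAMPLE through the non-transitive UK trust, and PARTNER users reach only UK.ARBITRON.COM. When a cross-domain access request fails, checking which kind of trust sits on the path is the first thing to verify.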

11

Domain Trust Relationships
ARBITRON.COM
  US.ARBITRON.COM
    OE.US.ARBITRON.COM
    SALES.US.ARBITRON.COM
  UK.ARBITRON.COM
    DEV.UK.ARBITRON.COM


13

Users, Groups & Windows Permissions
User accounts
- Represent each user that has access to log in to a network.
- Users must have an account/password created for them before they can log in and access network resources.
Group accounts
- Provide access to resources for users who share common functions or geographic locations.
- Individually granting users access to resources is unrealistic in large environments. Adding users to a group is the easiest way to grant access without having to create permissions each time. If the user leaves or no longer needs the resource, simply remove the user from the group.
- Users can be members of multiple groups in Active Directory.
Permissions in Windows networks are applied as “most restrictive first”: if Dexter is a member of the PPMAT group that allows access to the PPM folder and is also a member of the Guests group that is denied access to the PPM folder, he will not be able to access the PPM folder.
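The Dexter case is the “deny wins” rule in action. The following added example (not code from the deck or from Arbitron) models a share’s access control list as allow/deny entries for users or groups and computes a user’s effective rights: anything denied through any group membership is removed regardless of how many other groups allow it. It also answers the helpdesk question behind the later Aaron and Stewie scenarios, namely which group membership is carrying the deny. The group names follow the deck; the membership, the “Nick” user and the rights sets are constructed sample data, and membership is assumed flat (real Windows also resolves nested groups and orders explicit entries before inherited ones).

```python
"""Effective-access model for the "most restrictive" rule (added example)."""

ALLOW, DENY = "allow", "deny"


def principals_for(user, group_members):
    """The user plus every group the user belongs to (flat membership assumed)."""
    return {user} | {g for g, members in group_members.items() if user in members}


def effective_rights(user, group_members, acl):
    """Rights `user` effectively holds: everything allowed minus anything denied.

    acl entries are (principal, ALLOW|DENY, {right, ...}); a Deny reached
    through any principal the user maps to overrides every Allow.
    """
    principals = principals_for(user, group_members)
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == ALLOW else denied).update(rights)
    return allowed - denied


def can_access(user, group_members, acl, right="read"):
    return right in effective_rights(user, group_members, acl)


def denying_groups(user, group_members, acl, right="read"):
    """Helpdesk view: which of the user's principals carry a Deny for `right`.

    When a user reports "Access is denied", this is the list to check for a
    group membership that should be removed or a stale deny entry.
    """
    principals = principals_for(user, group_members)
    return sorted(p for p, kind, rights in acl
                  if kind == DENY and right in rights and p in principals)


# Constructed sample mirroring the deck's Dexter and Stewie examples.
GROUP_MEMBERS = {
    "PPMAT":        {"Dexter", "Nick"},
    "Guests":       {"Dexter"},
    "PPMUsers":     {"Stewie"},
    "LimitedUsers": {"Stewie"},
}
RIGHTS = {"read", "execute"}
PPM_ACL = [
    ("PPMAT",        ALLOW, RIGHTS),
    ("Guests",       DENY,  RIGHTS),
    ("PPMUsers",     ALLOW, RIGHTS),
    ("LimitedUsers", DENY,  RIGHTS),
]
WEEKLIES_ACL = [("PPMUsers", ALLOW, RIGHTS)]

if __name__ == "__main__":
    for user in ("Dexter", "Nick", "Stewie"):
        print(user, "PPM:", can_access(user, GROUP_MEMBERS, PPM_ACL),
              "denied via", denying_groups(user, GROUP_MEMBERS, PPM_ACL))
    print("Stewie WEEKLIES:", can_access("Stewie", GROUP_MEMBERS, WEEKLIES_ACL))
```

Nick, who is only in PPMAT, gets the folder; Dexter does not, and `denying_groups` points straight at Guests. The same call shows why Stewie can open WEEKLIES but not PPM: LimitedUsers carries the deny on the PPM share only.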

14

Practice What You Preach!
Aaron is a Radio Sales member at the Best Freakin Radio Company Ever. He belongs to the following Active Directory groups at his company:
- PPMApps
- Finance
- HR_1
- Remote Users
Best Freakin Radio Company Ever had a network virus earlier in the week. The network was taken down as a security measure to prevent additional computers from becoming infected.
Aaron has called Arbitron to say he cannot access the PPM folder or software on the Applications server due to an “Access is denied” error.
What suggestions can you offer Aaron that may help him solve his issue?

15

Organizational Units
Organizational Units (OUs) allow resources with common attributes, such as access to resources, to be managed and secured simultaneously. OUs group resources together that have similar permissions, access levels and functions, such as…
- The Finance OU contains users who need access to resources on the FINANCE1 server.
- The Sales OU contains users and printers that only the Sales department needs access to.
- The Human Resources OU contains users who need access to the HR1 server exclusively, since it contains payroll data and social security numbers.
OUs could also organize resources by geographic location:
- Birmingham: Paul Dunlap, Chris Felder, Maria Petrey, Ted Frankenfield, Kelly Duvall, Tasia Martin, Tara Ward, BHMPrint01, BHMServer1
- Columbia: Dexter Beane, Nick Leaf, Allen Scott, CMBPrint, Nancy Pivec, CMBServer3

16

Group Policy Objects Group policy governs how a user is able to use Windows. Local application behavior is also governed with group policy such as local system services like PostgreSQL. Group policy objects are applied to Organizational Units in the Active Directory by an Administrator. When a user logs in the group policy settings are applied to all Active Directory objects in the OU the policy is applied to.
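To make the OU scoping concrete, here is an added example (not code from the deck or from Arbitron) that computes the resultant policy for an object from the OU it sits in. It generalises the slide slightly: OUs nest, links on parent containers are inherited by child OUs, and when two GPOs set the same value the link closest to the object wins. The Birmingham and Columbia OUs and the 90-day / 20-minute settings follow the deck’s later quiz; the nested Sales OU, the GPO names and the setting keys are constructed for the example. One caveat a practitioner should know: in a real domain the password-age setting for domain accounts is read only from a GPO linked at the domain level (or from a fine-grained password policy), so the model treats it like any other setting only to follow the deck’s quiz.

```python
"""Resultant Group Policy by OU placement (added example; not deck code)."""

# Each object sits at the end of an OU path, outermost container first.
OBJECT_PATH = {
    "Allen Scott": ["arbitron.com", "Columbia"],
    "Paul Dunlap": ["arbitron.com", "Birmingham"],
    "Tara Ward":   ["arbitron.com", "Birmingham", "Sales"],   # constructed nested OU
}

# GPO links per container: container -> list of (gpo_name, settings).
GPO_LINKS = {
    "Birmingham": [("BHM Password Policy",   {"MaxPasswordAgeDays": 90})],
    "Columbia":   [("CMB Idle Logoff",       {"IdleLogoffMinutes": 20})],
    "Sales":      [("Sales Password Policy", {"MaxPasswordAgeDays": 60})],  # constructed override
}


def resultant_policy(obj, object_path=OBJECT_PATH, gpo_links=GPO_LINKS):
    """Walk the OU path root-to-leaf; later (closer) links override earlier ones.

    Returns {setting: (value, gpo_name)} so an admin can see which link won.
    """
    result = {}
    for container in object_path[obj]:
        for gpo_name, settings in gpo_links.get(container, []):
            for key, value in settings.items():
                result[key] = (value, gpo_name)
    return result


def password_max_age_days(obj, **kw):
    """None means no password-age setting reaches the object, as in the quiz."""
    entry = resultant_policy(obj, **kw).get("MaxPasswordAgeDays")
    return entry[0] if entry else None


if __name__ == "__main__":
    for who in OBJECT_PATH:
        print(who, resultant_policy(who), "password max age:", password_max_age_days(who))
```

Allen Scott, in the Columbia OU, receives only the idle-logoff setting and no password-age value, which is the quiz’s “no password policy was specified” answer; Paul Dunlap gets 90 days from the Birmingham link, and Tara Ward in the nested Sales OU gets the closer 60-day override. Returning the winning GPO name alongside each value is the detail that makes a policy dispute quick to settle.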

17

Why does PPM Standalone not work on Active Directory network?
Microsoft defaults
Microsoft Active Directory is designed “out-of-box” to prevent unknown programs and services from launching and running on AD-managed PCs and servers. PostgreSQL is an unknown program to the Microsoft Active Directory.
Administrative planning
Network administrators set custom group policies to prevent unknown programs from replicating across their networks.
Group Policy Object (GPO)
Group policies apply settings and permissions to govern user environments and tasks on workstations. GPO settings will also prevent unrecognized programs and services from launching to protect network integrity.

18

Active Directory and PPM
PPM installations have well documented issues when installed in Microsoft Active Directory environments. Common errors and conditions of this environment are:
- PostgreSQL service does not start in STANDALONE mode; you could also see this error as a “Connecting to ODBC” freeze or “Connection to database failed.” Memorize the three items from the previous screen. If the PostgreSQL 8.1 Database Service is not running, neither will the PPM software.
- The MKDFostgresUser account is not shown under Local Users & Groups on the workstation. The MKDFostgresUser account is added to the Users container in the Microsoft Active Directory by default. To change or remove this account you must access the Active Directory Users & Computers MMC.

19

So what have you learned so far?
Name 3 Active Directory objects.
A: Users, Groups, Computers, Printers, Servers, Organizational Units
The Microsoft Active Directory is a centralized ____________ used to store an organization’s user accounts, printers, servers, file shares, computers.
A: Database
What are 2 reasons PPM STANDALONE would not work in an Active Directory environment?
A: Microsoft defaults, Administrative planning or Group Policy
An _________________ is used to group like objects together to administer more easily. Common groupings would be departments or geographic locations.
A: Organizational Unit
How are permissions applied in an Active Directory environment?
A: Most restrictive takes precedence
What one item must a user have before they can login to and use resources in a Windows Active Directory?
A: User account

20

Apply what you have learned…
Domain A trusts Domain B but does not trust Domain C or Domain D. Domain B trusts Domain D but does not trust Domain C. Which domains can Domain A view resources and objects in?
A: Domain A, Domain B, and Domain D
Alex calls from his Chicago office to ask for help with PPM ANALYSIS TOOL. He can see the PPM shared folder on the server but he cannot launch PPM using the icon on his Desktop. You have checked the PostgreSQL service on his workstation and it is running properly. What should your next step be?
A: What permissions do you have on the PPM share?
Stewie is a member of the PPMUsers group, which has access to the PPM and WEEKLIES shares on the server, and is also a member of the LimitedUsers group, preventing access to the PPM share. Describe Stewie’s user experience when he uses his desktop icons.
A: WEEKLIES will launch, ANALYSIS TOOL will not launch.
The Birmingham OU has a group policy that requires Windows passwords to be reset every 90 days. The Columbia OU has a policy that logs users out every 20 minutes if inactive. When will Allen Scott have to reset his password?
A: Whenever he likes, no password policy was specified.

21

The most important thing is…
… don’t become frustrated. Just because you have an Active Directory install doesn’t mean you can’t fix it.
… determine if you are dealing with Active Directory. How do you eat an elephant? One bite at a time.
… to get as much information about the issue as possible. Details help everyone…EVERYONE!
… to document error messages exactly as they are. Accurate details help everyone…EVERYONE!
… to document functional conditions as they are. For example “Joe’s PPM works but mine doesn’t.”
… determine if an IT or domain administrator for the customer can assist you. Since this is their network after all, they should have a vested interest in helping you as well.
… reassure the customer that you will assist them to resolve their issue.
… when all else fails you have support from the Level 2 team to rely on.

22

Questions?
