Thanks to updated management utilities and a slightly enhanced user interface, Windows 2000 Server can be easily configured by using new and improved configuration wizards. If this is your first boot-up of the new operating system, you’ll see the Configure Your Server utility shown in Figure 1.1, which will facilitate some of the basic
Figure 1.1 Windows 2000 Configure Your Server.
NOTE If this is not the first boot-up of the new operating system, and you’ve elected not to be greeted by the configuration utility, you can retrieve it from Start/Programs/Administrative Tools/Configure Your Server. It’s a good idea to do that now so you can follow along here.
Active Directory
Active Directory stores information about network objects, such as user accounts and shared printers, and provides access to that information. Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.
To make this server a new domain controller, you must install Active Directory. A domain controller in a Windows 2000 Server domain is a computer running Windows 2000 Server that manages user access to a network, which includes logons, authentication, and access to the directory and shared resources. The Active Directory Installation wizard configures this server as a domain controller and sets up DNS if it is not already available on the network. DNS is a system for naming computers and network services; these names are organized into a hierarchy of domains. DNS is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address. Active Directory depends on DNS: clients and other domain controllers locate this server through the service (SRV) records it registers, so the DNS zone for the domain must allow this server to register its records and must be protected as carefully as the directory itself.
You can use this wizard for the following scenarios:
No Existing Domain Controller. Sets up your server as the first domain controller on the network.
Domain Controller Already on Network. Sets up your server as an additional domain controller, a new child domain, a new domain tree, or a new forest. These entities are defined in the following paragraphs.
An additional domain controller is a Windows 2000 domain controller installed into an existing domain. All domain controllers participate equally in Active Directory replication, but by default the first domain controller installed into a domain is assigned ownership of at least three floating single-master operations (for a new domain, the PDC emulator, RID master, and infrastructure master roles). Additional domain controllers installed into an existing domain do not assume ownership of these operations by default.
A child domain is a domain located in the namespace tree directly beneath another domain name (the parent domain). For example, example.microsoft.com would be a child domain of the parent domain, microsoft.com. A child domain is also known as a subdomain.
The domain tree is the hierarchical structure that is used to index domain names.
Domain trees are similar in purpose and concept to directory trees, which are used by computer filing systems for disk storage. For example, when numerous files are stored on disk, directories can be used to organize the files into logical collections. When a domain tree has one or more branches, each branch can organize domain names used in the namespace into logical collections.
A forest is a set of one or more trees that do not form a contiguous namespace. All trees in a forest share a common schema, configuration, and global catalog. The trees must trust one another through transitive, bidirectional trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-reference objects and trust relationships known to the member trees. Trees in a forest form a hierarchy for the purpose of trust.
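The child domain, tree, and forest definitions above, worked through in code. This is an added example and not from the book: it groups a set of domain DNS names into contiguous trees, identifies each tree root, and lists the domains a logon crosses over the transitive parent/child and tree-root trusts. The domain names (example.com, fabrikam.net, and their children) are constructed, and the forest root is passed in explicitly because in a real forest it is simply the first domain that was created.

```python
# Added example, not from the book: a small model of how Windows 2000 domain
# names group into trees and a forest, and of the transitive trust path between
# any two domains. Domain names below are constructed for illustration.
from typing import Dict, List, Optional


def parent_domain(name: str, domains: List[str]) -> Optional[str]:
    """Closest ancestor of `name` that is itself a domain in `domains`.

    'sales.corp.example.com' -> 'corp.example.com' if that domain exists,
    otherwise 'example.com' if it exists; None means `name` is a tree root.
    """
    labels = name.lower().split(".")
    known = {d.lower() for d in domains}
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def chain_to_root(name: str, domains: List[str]) -> List[str]:
    """[name, parent, grandparent, ..., tree root]."""
    chain = [name.lower()]
    parent = parent_domain(chain[-1], domains)
    while parent is not None:
        chain.append(parent)
        parent = parent_domain(parent, domains)
    return chain


def build_forest(domains: List[str]) -> Dict[str, List[str]]:
    """Group domains into trees: tree root -> [root, descendants...].

    Domains share a tree only when their DNS names are contiguous; trees with
    non-contiguous names sit side by side in the forest.
    """
    domains = [d.lower() for d in domains]
    forest: Dict[str, List[str]] = {}
    for d in domains:
        root = chain_to_root(d, domains)[-1]
        forest.setdefault(root, [])
        if d != root:
            forest[root].append(d)
    return {root: [root] + children for root, children in forest.items()}


def trust_path(src: str, dst: str, domains: List[str], forest_root: str) -> List[str]:
    """Domains crossed when `src` authenticates to `dst` over transitive trusts.

    Within one tree the path goes up to the lowest common ancestor and back
    down (parent/child trusts). Between trees it goes through the forest
    root, because every tree root trusts the forest root domain.
    """
    up = chain_to_root(src, domains)
    down = chain_to_root(dst, domains)
    common = [d for d in up if d in down]
    if common:
        lca = common[0]  # first shared entry walking up from src
        return up[: up.index(lca)] + list(reversed(down[: down.index(lca) + 1]))
    path = list(up)
    if up[-1] != forest_root.lower() and down[-1] != forest_root.lower():
        path.append(forest_root.lower())  # tree root -> forest root -> tree root
    return path + list(reversed(down))


if __name__ == "__main__":
    DOMAINS = ["example.com", "corp.example.com", "sales.corp.example.com",
               "hr.example.com", "fabrikam.net", "eu.fabrikam.net"]
    for root, members in build_forest(DOMAINS).items():
        print(f"tree {root}: {members}")
    print(trust_path("sales.corp.example.com", "eu.fabrikam.net", DOMAINS, "example.com"))
```

The trust path is what matters to a security reviewer: a domain controller in eu.fabrikam.net will accept a user from sales.corp.example.com after the ticket has passed through three other domains, each of which is trusted completely along the way.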
NOTE To host Active Directory, you need a partition formatted with the version of NTFS used in Windows 2000.
Creating a New Domain
To create a new domain, we’ll install Active Directory using the Active Directory Installation wizard, which installs and configures components that provide Active Directory service to network users and computers. In the menu listing of the configuration utility shown in Figure 1.1, click the Active Directory icon to reach the screen shown in Figure 1.2. At that screen, click Next; then click Start the Active Directory Installation wizard shown in Figure 1.3. Click Next to continue.
Basic Windows 2000/Windows 2000 Server Installation and Configuration 17
Figure 1.2 Active Directory wizard front end.
Recall that a domain controller is a computer running Windows 2000 Server, which stores directory data and manages user domain interactions, including user logon processes, authentication, and directory searches. Windows 2000 Server domain controllers provide an extension of the capabilities and features provided by Windows NT Server 4.0 domain controllers. A domain can have one or more domain controllers. For high availability and fault tolerance, a small organization using a single local area network (LAN) might need only one domain with two domain controllers, whereas a large company with many network locations would need one or more domain controllers in each location.
A domain controller in Windows 2000 is also configured using the Active Directory Installation wizard. Active Directory supports multimaster replication of directory data between all domain controllers in the domain. Multimaster replication is an evolution of the primary and backup domain controller (BDC) model used in Windows NT Server 4.0, in which only one server, the primary domain controller (PDC), had a read-and-write copy of the directory. Windows 2000 Server multimaster replication synchronizes directory data on each domain controller, ensuring consistency of information over time. Certain changes are impractical to perform in a multimaster fashion; therefore, only one domain controller, the operations master, accepts requests for such changes. In any Active Directory forest there are five operations master roles (two forest-wide and three per domain), assigned to one or more domain controllers. Because every domain controller now holds a writable copy of the directory, each one must be physically and administratively protected as strongly as the PDC was under Windows NT.
Figure 1.3 Starting the Active Directory wizard.
18 Chapter 1
Let’s create a new domain in Active Directory:
Step 1. With the Active Directory Installation wizard running (started from the Active Directory page of the Configure Your Server utility), choose the domain controller type: select Domain controller for a new domain; then click Next.
Step 2. In the next window, choose to create a new domain tree by selecting Create a new domain tree; then click Next.
Step 3. Next, choose to create a new forest of domain trees by selecting Create a new forest of domain trees; then click Next.
Step 4. Specify a name for the new domain by typing the full DNS name (see Figure 1.4); then click Next.
Step 5. Specify the Network Basic Input/Output System (NetBIOS) name for the new domain. Earlier versions of Windows will use this to identify the new domain. Click Next.
Step 6. In the next window, specify in the fields provided the locations of the Active Directory database and log, either by accepting the default locations or by clicking Browse to find new ones. Click Next to continue.
Step 7. In the next window, you must specify the folder to be shared as the system volume. The Sysvol folder stores the server’s copy of the domain’s public files. Either accept the default location or click Browse to find a new one. Click Next to continue.
Step 8. DNS must be installed. If DNS is not available, the wizard will configure it for the new domain. Select Yes to install DNS, as shown in Figure 1.5; then click Next.
Figure 1.4 Specifying a new domain.
Figure 1.5 Installing DNS for the new domain.
Step 9. In the next window, you must select the default permissions for user and group objects. You do this by selecting Permissions compatible with pre-Windows 2000 servers over Permissions compatible only with Windows 2000 servers to be compatible with our NT server programs. Be aware of what that choice costs: the pre-Windows 2000 option adds Everyone to the Pre-Windows 2000 Compatible Access group, which lets anonymous (null-session) connections read user and group attributes from the directory. Choose it only if you actually have Windows NT 4.0 servers (RAS servers, for example) that must look up users, and remove Everyone from that group once they are gone. Click Next to continue.
Step 10. In Figure 1.6, specify the password for the Directory Services Restore Mode administrator account, which is used when the domain controller is started in that mode to restore the directory; then click Next. This password is stored in the server’s local account database, not in Active Directory, so domain password policy does not apply to it. Record it securely and guard it like a domain administrator password: anyone who can boot the server into restore mode with it has unrestricted access to the directory database.
Step 11. In the next window, review and confirm the previously selected options; then click Next. The wizard will configure Active Directory, as shown in Figure 1.7.
Figure 1.6 Specifying an administrator password for directory restore mode.
Figure 1.7 Configuring the Active Directory installation.
Step 12. In the next window, click Finish to close the wizard; then click Restart Now to reboot the server.
Now you’re ready to learn how to manage Active Directory.
Managing Active Directory
From Start/Programs/Administrative Tools/Configure Your Server, start the wizard again by clicking Active Directory in the menu listing on the left (refer back to Figure 1.1). Click Manage user accounts and group settings, shown in Figure 1.8, to start the Active Directory admin utility (Active Directory Users and Computers), shown in Figure 1.9. This utility is used to manage domain controllers, user accounts, computer accounts, groups, organizational units, and published resources. We’ll begin our investigation of these processes by learning how to manage domain controllers.
Figure 1.8 Starting the Active Directory admin utility.
Figure 1.9 Active Directory admin utility.
Managing Domain Controllers
To find a domain controller by using the Active Directory admin utility, follow these steps:
Step 1. In the Console Tree, right-click any node or folder; then click Find.
Step 2. Under Find, click Computers; in Role, click Domain Controller (see Figure 1.10). If you know which folder contains the domain controller, click the folder in the In field; to search the entire directory, click Entire Directory.
Step 3. Click the Find Now button.
Figure 1.10 Searching for a domain controller.
You can delegate administrative control of a particular domain or organizational unit to individual administrators who are responsible for only that domain or organizational unit. To delegate control by using the Active Directory admin utility, follow these steps:
Step 1. In the Console Tree, double-click the domain node to expand the domain tree.
Step 2. Right-click the folder that you want another user or group to control; then click Delegate Control to start the Delegation of Control wizard, whose welcome page is shown in Figure 1.11. You can grant users permission to manage users, groups, computers, organizational units, and other objects stored in Active Directory. Click Next to begin the wizard.
Step 3. Click Add and/or select one or more users or groups to which you want to delegate control (see Figure 1.12); then click Next.
Figure 1.11 Delegation of Control wizard.
Figure 1.12 Selecting to whom to delegate control.
Step 4. Select from the common-task list shown in Figure 1.13 or select Create a custom task to delegate to customize your own. When you’re finished, click Next and then Finish to complete the control delegation.
Figure 1.13 Selecting control from the common tasks list.
By default, domain controllers are installed in the Domain Controllers folder. Certain properties (e.g., Name, Role, and Operating System) are automatically assigned when the computer is added to the domain or whenever it is started, and these properties cannot be modified by the administrator. Other domain controller properties can be modified by using the Active Directory admin utility. To do so, follow these steps:
Step 1. In the Console Tree, double-click the domain node.
Step 2. Click the folder containing the domain controller. In the details panel, right-click the domain controller that you want to modify; then click Properties.
As you can see in Figure 1.14, the following property tabs will be displayed:
■■ General
■■ Operating System
■■ Member Of
■■ Location
■■ Managed By
Step 3. Click the property tab that contains the property you want to modify.
Figure 1.14 Modifying domain controller properties.
Managing User and Computer Accounts
Microsoft defines Active Directory user and computer accounts as representing physical entities such as a computer or a person. Accounts provide security credentials for users or computers, enabling those users and computers to log on to the network and access domain resources. An account is used to:
■■ Authenticate the identity of the user or computer
■■ Authorize access to domain resources
■■ Audit actions performed using the user or computer account
An Active Directory user account enables a user to log on to computers and domains with an identity that can be authenticated and authorized for access to domain resources. Each user who logs on to the network should have his or her own unique user account and password. User accounts can also be used as service accounts for some applications.
By default, Windows 2000 provides predefined user accounts, known as the Administrator and Guest accounts, that you can use for logging on to a computer that is running Windows 2000. Predefined accounts are designed to let users log on to a local computer and access resources from that computer. As such, these accounts are designed primarily for initial logon and configuration of a local computer. Each predefined account has a different combination of rights and permissions. As you might assume, the Administrator account has the most extensive rights and permissions; the Guest account, the least.
Though convenient, predefined accounts pose a significant problem: if their rights and permissions are not modified, or the accounts disabled, by a network administrator, they could be used by any user or service to log on to a network with the Administrator or Guest identity. (The Guest account is disabled by default and should stay that way; the built-in Administrator account cannot be deleted and is exempt from account lockout, so rename it and give it a long password.) To implement the security of user authentication and authorization, you must create an individual user account for each user who will participate on your network, by way of the Active Directory Users and Computers utility. Each user account (including the Administrator and Guest accounts) can then be added to Windows 2000 groups to control the rights and permissions assigned to the account.
Using accounts and groups that are appropriate for your network ensures that users logging on to a network can be identified and can access only the permitted resources.
Each Active Directory user account has a number of security-related options that determine how someone logging on with that particular user account is authenticated on the network. Several of these options are specific to passwords:
■■ User must change password at next logon.
■■ User cannot change password.
■■ Password never expires.
■■ Store password using reversible encryption (the password is saved in a form that can be turned back into clear text).
These options are self-explanatory except for the last one. If you have users logging on to your Windows 2000 network from Apple computers, you may need to select this option for those accounts, because the Macintosh client authenticates with a method that requires the server to know the clear-text password. Understand the trade-off: a reversibly encrypted password can be recovered by anyone who can read the directory database or a backup of it, so enable this option only on the specific accounts that need it and never as a domain-wide policy.
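The four password options map onto attributes of the user object, and an auditor can read them back the same way. As an added example (not from the book), the following Python decodes the userAccountControl bits that carry Password never expires and the reversible-encryption option, checks pwdLastSet for User must change password at next logon, and flags the risky combinations on constructed sample records. The flag values are Microsoft’s documented constants; the account records, and the use of 1 to mean “password has been set”, are assumptions for illustration (in the directory, pwdLastSet is a FILETIME).

```python
# Added example, not from the book: decode the userAccountControl bits behind
# the password options on the New User dialog and flag settings that weaken
# authentication. Account records below are constructed for illustration.
from typing import Dict, List

# Bit values of the userAccountControl attribute (Microsoft's documented constants).
ACCOUNTDISABLE = 0x0002              # account is disabled
PASSWD_NOTREQD = 0x0020              # no password required
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # "store password using reversible encryption"
NORMAL_ACCOUNT = 0x0200              # ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000       # "password never expires"

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def set_option(uac: int, flag: int, enabled: bool) -> int:
    """Return `uac` with `flag` switched on or off, leaving other bits intact."""
    return uac | flag if enabled else uac & ~flag


def audit(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> list of findings for each record.

    "User must change password at next logon" is not a UAC bit: the
    directory records it as pwdLastSet == 0, so it is checked separately.
    "User cannot change password" is not a bit either; it is a pair of deny
    ACEs on the user object and is out of scope here.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        uac = acct["userAccountControl"]
        issues = []
        if uac & ACCOUNTDISABLE:
            issues.append("disabled")
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            # Password is recoverable by anyone who can read the directory
            # database (ntds.dit) or a system-state backup of it.
            issues.append("reversible-encryption")
        if uac & DONT_EXPIRE_PASSWORD:
            issues.append("password-never-expires")
        if uac & PASSWD_NOTREQD:
            issues.append("password-not-required")
        if not (uac & ACCOUNTDISABLE) and acct["pwdLastSet"] == 0:
            issues.append("must-change-at-next-logon")
        findings[acct["sAMAccountName"]] = issues
    return findings


# Constructed sample records; pwdLastSet is shown as 0 (never set) or 1 (set).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"sAMAccountName": "macuser",
     "userAccountControl": NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED, "pwdLastSet": 1},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "pwdLastSet": 1},
    {"sAMAccountName": "tmpl_sales",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:12s} {', '.join(issues) or 'ok'}")
```

The same decoding applies to records pulled from a real domain with an LDAP query for userAccountControl and pwdLastSet; the disabled template account in the sample shows why a disabled account with an unset password is not a finding on its own.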
User and computer accounts are added, disabled, reset, and deleted with the Active Directory Users and Computers utility. Note the following in regard to these actions:
■■ If you create a new user account with the same name as that of a previously deleted user account, the new account will not automatically assume the permissions and memberships of the deleted account, because each account is identified by a unique security identifier (SID) and the new account receives a new one; permissions and group memberships refer to the SID, not to the name.
■■ To duplicate a deleted user account, all permissions and memberships must be manually re-created.
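The reason a re-created account inherits nothing is that access control entries and group memberships store the account’s SID rather than its name, and a domain never reuses a SID. As an added example (not from the book), the toy directory below issues SIDs from a constructed domain SID, deletes and re-creates a user with the same name, and shows the old access control entry left orphaned on a share. The names, the domain SID, and the share ACL are all constructed.

```python
# Added example, not from the book: a toy directory showing why an account
# re-created under a deleted account's name gets none of the old access.
# ACEs and group memberships are keyed by SID, and every new account is
# issued a fresh RID, so the old SID is left orphaned. The domain SID, names
# and ACL below are constructed.
from typing import Dict, List, Optional, Set, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

Ace = Tuple[str, Set[str]]  # (trustee SID, allowed rights)


class Directory:
    def __init__(self) -> None:
        self.next_rid = 1000                   # first RID handed to a new object
        self.accounts: Dict[str, str] = {}     # sAMAccountName (lower) -> SID
        self.groups: Dict[str, Set[str]] = {}  # group name -> member SIDs

    def create_user(self, name: str) -> str:
        key = name.lower()
        if key in self.accounts:
            raise ValueError(f"account {name} already exists")
        # RIDs come from the RID master's pool and are never reused, so a
        # re-created account always gets a different SID.
        sid = f"{DOMAIN_SID}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[key] = sid
        return sid

    def delete_user(self, name: str) -> str:
        sid = self.accounts.pop(name.lower())
        for members in self.groups.values():
            members.discard(sid)  # the directory drops the member link
        return sid

    def add_to_group(self, group: str, name: str) -> None:
        self.groups.setdefault(group, set()).add(self.accounts[name.lower()])

    def resolve(self, sid: str) -> Optional[str]:
        """Name for a SID, or None when no account carries it any more."""
        for name, s in self.accounts.items():
            if s == sid:
                return name
        return None


def access_check(acl: List[Ace], sid: str) -> Set[str]:
    """Rights granted to `sid` by allow ACEs in `acl` (no group expansion)."""
    rights: Set[str] = set()
    for trustee, allowed in acl:
        if trustee == sid:
            rights |= allowed
    return rights


def orphaned_aces(acl: List[Ace], directory: Directory) -> List[str]:
    """Trustee SIDs in `acl` that no longer resolve to an account: the entries
    an administrator must clean up or re-grant to the new account."""
    return [trustee for trustee, _ in acl if directory.resolve(trustee) is None]


def recreate_scenario() -> Dict[str, object]:
    """Delete a user and re-create it under the same name; report what is lost."""
    d = Directory()
    old_sid = d.create_user("jdoe")
    d.add_to_group("Sales", "jdoe")
    share_acl: List[Ace] = [(old_sid, {"read", "write"})]  # constructed share ACL
    d.delete_user("jdoe")
    new_sid = d.create_user("jdoe")  # same name, different SID
    return {
        "old_sid": old_sid,
        "new_sid": new_sid,
        "new_rights": access_check(share_acl, new_sid),
        "orphans": orphaned_aces(share_acl, d),
        "in_sales": new_sid in d.groups["Sales"],
    }


if __name__ == "__main__":
    for key, value in recreate_scenario().items():
        print(f"{key}: {value}")
```

The orphaned SID is the practical lesson: after a deletion, the ACL on the share still carries an entry nobody can use, and the usual clean-up is to remove it and grant the new account afresh rather than to expect the name to carry the access.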
To add a user account by using the Active Directory admin utility, follow these steps:
Step 1. In the Console Tree, double-click the domain node. In the details panel, right-click the organizational unit where you want to add the user, point to New, and click User (see Figure 1.15).
■■ In First name, type the user’s first name.
■■ In Initials, type the user’s initials.
■■ In Last name, type the user’s last name.
■■ Modify Full name as desired.
■■ In User logon name, type the name with which the user will log on, and from the drop-down list, click the user principal name (UPN) suffix that must be appended to the user logon name (following the @ symbol). If the user will use a different name with which to log on from computers running Windows NT, Windows XP (which adds fast user switching), Windows Millennium, Windows 98, or Windows 95, change the user logon name as it appears in User logon name (pre-Windows 2000) to the different name.
■■ In Password and Confirm password, type the user’s password.
■■ Select the appropriate password options.
Figure 1.16 Editing a user account.
Step 2. After creating the user account, right-click the new user and click Properties to edit the user account and/or enter additional user account information, as shown in Figure 1.16. You can edit general user information, group memberships, dial-in access, terminal server access, and session settings.
Rather than deleting an unused user account, you can disable it as a security measure to prevent a particular user from logging on. Disabled accounts can also serve a useful purpose. Disabled user accounts with common group memberships can be used as account templates to simplify user account creation. Therefore, instead of manually creating the exact same type of account for, say, 20 new users, an account template can be copied, renamed, and activated for each. Doing so could save a great deal of administrative time.
To disable/enable a user account by using the Active Directory admin utility, follow these steps:
Step 1. In the Console Tree, double-click the domain node to expand the domain tree.
Step 2. In the Console Tree, click Users or click the folder that contains the desired user account.
Step 3. In the details panel, right-click on the user and click Disable or Enable Account (see Figure 1.17).
Figure 1.17 Enabling/disabling a user account.
To copy, delete, rename, or move a user account by using the Active Directory admin utility, follow these steps:
Step 1. In the Console Tree, double-click the domain node to expand the domain tree.
Step 2. In the Console Tree, click Users or click the folder that contains the desired user account.
Step 3. In the details panel, right-click on the user and select the appropriate course of action.
Managing Computer Accounts
As set up by Microsoft, every computer running Windows 2000, Windows XP, or Windows NT that joins a domain has a computer account. Similar to user accounts, computer accounts provide a means for authenticating and auditing the computer’s access to the network and to domain resources. Each computer connected to the network should have its own unique computer account.
By default, members of the Domain Admins and Account Operators groups can create computer accounts in the domain without limit. Note, however, that the default domain controller policy also grants Authenticated Users the Add workstations to domain right, which lets any domain user join up to ten computers to the domain; if you want only administrators to be able to create computer accounts, remove Authenticated Users from that right.
To add a computer account to a domain by using the Active Directory admin utility, follow these steps:
Step 1. In the Console Tree, click Computers or click the container (the directory service object that includes subcontainers for computer and user Group Policy information) in which you want to add the computer.
Step 2. Right-click Computers or the container in which you want to add the computer, point to New, and then click Computer.
Step 3. Type the computer name (see Figure 1.18).