Windows Server 2003 Setup Guide

Active Directory Structure

Active Directory has a specific structure that can be applied to any role-based access control system. At the top level, Active Directory has Forests, which contain Trees, which contain Domains. Within a Domain, there may be Security Groups, Distribution Groups, Users, Computers, Contacts, and so forth. While all of these units can be used to perform specific functions, they are outside the scope of this tutorial. I will explain how to create users within a domain so that you can try logging on to the domain from a client PC. It is very easy to do this, and correspondingly easy to create other units, so I will leave that task to you.

Creating an Active Directory User

Go to Start -> Administrative Tools -> Active Directory Users and Computers. Here you will find the MMC (management console) for adding and removing different Domain organizational elements. The task at hand, of course, is to create a user, so expand your domain and click the “Users” folder; its contents should appear in the right pane. Next, click Action -> New -> User, and a dialogue window should show up. Fill in the relevant fields, and press Next. The next dialogue will ask you to enter and confirm a password as well as set policy on the password. For now, you will need to choose a password that is at least 7 characters long, includes at least one capital letter, one lower-case letter, one number, and one symbol. Later, we will learn how to change this policy. Choose the appropriate options (I typically do not allow users to change their passwords, nor do I set any expiration date for the passwords) and click Next. Finally, make sure that you review all of the information, and choose Finish. If everything goes right, you have created your first user!

[Screenshots: The Active Directory Users/Computers MMC; Adding a New User; You must choose a password that meets complexity requirements]

Although creating users may seem a somewhat trivial task, it is an invaluable ability when setting up access control (to files and folders), mail accounts, distribution lists, and other policy options. There are many things that you can do within this console; you can read about all of these on Microsoft’s TechNet Knowledge Base and many fine systems admin websites across the Internet.

Joining a Client

Now that you have set up your first user, you might want to try to log in to the domain on a connected client PC. To do so, you will first have to join the client to the domain. (IMPORTANT: THE FOLLOWING INSTRUCTIONS ARE ONLY FOR CLIENTS!) To begin, go to Start -> Control Panel -> System. Next, click on the Computer Name tab. Choose “Change” and when the window comes up, choose the “Domain” radio button and type in the name of your domain. In my case, it is “foxden.” It will probably ask you for the credentials of an account authorized to join the domain. Type in your domain Administrator name and password (in our case, it is just the user name “Administrator” and the password that I configured when I installed Windows Server). Finally, click “OK” and then “OK” again. You will be asked if you wish to restart. Choose no, because we are not done here. Now, go to “User Accounts” and make the domain user a local Administrator. Finally, go to Network Connections -> Your Connection -> Properties -> TCP/IP Properties and change the DNS settings from “Automatically configure” to “Manually configure,” setting your primary DNS server to the IP address of your domain controller (Active Directory server). You may want to set your alternate DNS server to the one that your ISP provides, just in case there is a problem with the controller. Restart the computer, and be sure to log on to the domain and NOT “This Computer.”

Some Access Control Tips

Active Directory can also be used to create Groups, which are as simple as their name implies. You can add Users to groups to make access control or policy settings easier to implement. To add a user to a group, simply right-click on the desired user and press “Add to a Group.” You should also note that there are several built-in groups (also known as security principals), including “Administrators,” “Domain Users,” and the ubiquitous “Everyone.”

With Active Directory, you can define access to resources on a PC or shared folder by Active Directory username or group. For example, let’s say I have a file, C:/secret/c4.txt, that I only want the group “Special Ops” to see. I would right-click the folder “secret” and go to “Properties.” Then, I would go to the Security tab, and set Security settings as I would any other time – except now I would be able to specify Active Directory Users and Groups, which gives me much more control. I can do the same with Sharing permissions as well. (As a note: in Windows, DENY Security permissions supersede ALLOW Sharing permissions. This means that if I specify that the Accounting group can read the secret folder in the Sharing permissions tab, but I specifically deny them access to the resource on the Security tab, they will not be given access. In general, all DENY permissions supersede ALLOW permissions. So, if Bob is in Sales, and Sales has been given access to secret, but Bob has been specifically denied access, he will not be able to read secret.)
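
To make the DENY/ALLOW rule above concrete, here is a small Python model of the “secret” folder scenario. It is an added example, not part of the original tutorial and not Windows code: the user names alice, carol, dave and eve, the sample permission lists, and the simplification that any matching DENY wins (inheritance and entry ordering are not modelled) are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name the entry applies to
    rights: frozenset

def granted(acl, user, groups, right):
    """Evaluate one ACL for a user: a matching DENY always wins; otherwise
    at least one matching ALLOW is needed (no match means no access)."""
    identities = {user, "Everyone", *groups}
    matching = [a for a in acl if a.trustee in identities and right in a.rights]
    if any(a.kind == "deny" for a in matching):
        return False
    return any(a.kind == "allow" for a in matching)

def effective_access(security_acl, sharing_acl, user, groups, right,
                     over_network=True):
    """Local access is decided by the Security tab alone; access through the
    share must be granted by both the Sharing and the Security permissions."""
    ok = granted(security_acl, user, groups, right)
    if over_network:
        ok = ok and granted(sharing_acl, user, groups, right)
    return ok

# Constructed sample data for the folder "secret" (not from a real system).
READ = frozenset({"read"})
MEMBERS = {
    "bob": {"Sales"}, "alice": {"Sales"},
    "carol": {"Accounting"}, "dave": {"Special Ops"}, "eve": set(),
}
SECURITY = [
    Ace("deny", "bob", READ),          # Bob is denied individually
    Ace("deny", "Accounting", READ),   # Accounting denied on the Security tab
    Ace("allow", "Sales", READ),
    Ace("allow", "Special Ops", READ),
]
SHARING = [Ace("allow", "Accounting", READ), Ace("allow", "Everyone", READ)]

def report(over_network=True):
    """Map each sample user to whether they can read "secret"."""
    return {user: effective_access(SECURITY, SHARING, user, groups, "read",
                                   over_network)
            for user, groups in MEMBERS.items()}

if __name__ == "__main__":
    for user, allowed in report().items():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY'}")
```

Bob and the Accounting user are refused even though a group or the Sharing tab allows them, and a user who matches no entry at all is refused as well.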

A Note About Security Policy

While we will devote the next page to Group Policy, let’s talk about Security Policy for a second. Domain Security Policy is where you will find the settings that control password policy, lockout policy, and many other such security settings. If you find the password restrictions very annoying (although they certainly help protect you!) you can change them from the Domain Security Policy console. Go to Start -> Administrative Tools -> Domain Security Policy and go to Account Policies -> Password Policy. On the right, you can adjust the settings to your liking, but the change most Administrators opt to make is setting “Passwords must meet complexity requirements” to “Disabled.” While I will certainly not recommend doing so, it’s your server and your decision.

There are many other options within Domain Security Policy (in fact, entire books are dedicated to the subject!) but I will trust that you can configure most of the more relevant options yourself as most are rather obvious and self-explanatory.

On the next page, we will talk more about Group Policy and how to implement it.


Comments

  1. mohamed shafi says:

    i really want to know more about windows server 2003.

  2. John Amakali says:

    After I set up my Windows Server 2003, I am failing to log on with the domain server that I have just created. Can somebody tell me how to link other computers (with Win XP and Vista) to my server?

  3. Deck Hazen says:

    Hi folks,

    I appreciate the effort, but the title is “Windows Server 2003 Setup Guide” and I was hoping for some setup information – not a buyer’s guide.

    Thanks,

    — Deck

  4. Brian Souder says:

    This was not a bad beginner’s article. In fact, it is the first one that explained the domain name in AD setup. I was really confused by this initially. There was nothing saying you could have yourcompanydomain.com or yourcompany.local and what the differences were. It REALLY pissed me off when the books would all say (Use Appropriate Server Info) for that section. How was I supposed to know what was appropriate on my first install. You might want to even expand that a little. You should do a follow on or expansion for the DHCP, DNS, and WINS as well. This can be confusing as well, and in an XP or Vista environment, you would be using them.

    To John’s comment – You need to add the workstation to the Domain. I am assuming you got into the server just fine. On one of the workstations, go to My Computer and right click, and then select Properties. Now click on the Computer Name tab. Near the bottom right of the window select change. At the top will be the computer name, and at the bottom will be Workgroup and Domain. Change the radio button to Domain, and then enter the name of the domain you created. If you picked YourCompany.local in the setup, enter YourCompany, and select OK. You will be prompted for the domain administrator credentials. Administrator and whatever you set the server administrator password to. You will get a series of dialogue boxes you hit ok to. After the last one, you will need to restart the workstation. When it restarts, you can use Administrator, the domain administrator password, and there will be a new drop down box. It will probably say “This Computer”. Change it to the domain you picked, and then login. You are now on the domain. If you followed the tutorial and setup user accounts, you need to add those domain users to the workstation to login as the user. The user effectively has no right at the moment to the workstation. If you setup a user named “userone”, we add them to the workstation as follows. Right click My Computer and select Manage. Select Local User and Groups. The Users folder is “LOCAL” user accounts – meaning only on that workstation. So you want to select GROUPS. You can select the level of user rights and add them to that group. Generally you do not want your users above Power User, but this is dictated by the software you use, and the level of control you want the user to have. There are tons of articles on this stuff. So let’s click Power Users.
In the new window, select Add, and in the white open space, start typing “userone” (this is just an example name – you might use first initial and last name such as jsmith – or – john.smith – etc — again – there are tons of articles on naming schemes for users and workstations). So in our example, we start typing “userone” – we can actually type “user” and then use the check name button to the right, and it should either find the user or give you a list. For example if we had userone, usertwo, userthree – it would find all three in the list because they all start with user. It would be waiting for you to pick which one. So pick the user, and it should appear in the white window where you were typing. Be careful if you have a local user account with the same name, it can get confused. You see people using things like John for user names. They have no place on a domain – so don’t do it. It also gives you the chance to migrate the user’s profile to their new domain account profile you are going to create the first time you login as the user. So once you have the user in, hit ok until your boxes are gone, and then logoff as the Domain Administrator. Now change the user name to the user you picked. In our example it was userone. Login with the password. The first login will take a while as it sets up the profile. You are now on the domain as a user you setup.

    Deck Hazen – dude – you have to click the next button at the bottom of the article. In his defense – I did not see it at first either. You guys need to put space between the buttons. Keep up the good work though.

  5. Brian Souder says:

    Oops – made a typo in there when I was changing a few things around. WINS for a mixed NT, 98 with XP and Vista.

  6. beginner question.. what is the difference between windows server 2003 and r2?
    after i installed windows server 2003, what should i do next?
    tnx

  7. I thought this tutorial for an entry level tutorial was laid out quite well. I pass this tutorial to others who are curious or have questions on a base level how a domain is set up. In my opinion this tutorial is 5\5 stars. For those who commented about the website’s format and layout; I agree about the previous-Next Page link. Whoever href’d that was in a hurry and it probably was not at focus, but it makes up for such a nit picky code eye pain by the one of a kind windows server 2003 tutorial. This gentleman really took his time of the day to paint the bigger picture in a “for Dummies” level tutorial. If you have been working as a desktop technician pushing images to workstations, building batch scripts and been using AD users and Computers snap in with limited rights to AD and always wanted to grasp the true understanding of how your job’s network operates this tutorial teaches you how you would set it up. The rest of the gaps were clearly stated “Out Of Scope”, thus issues that go to mind such as security policy settings, and all the ins and outs of security options one could do would have taken way too long. A great job here was done, and if anyone has written a tutorial you know the temptation to want to deviate and go on tangents explaining things more in depth while at the same time getting further off track of the focus of the tutorial’s direction. He kept great control here with that, and this tutorial literally brought it together for me. My mind goes crazy on what I want to do at work with this information in mind. Most of us who work desktop support jobs have what it takes to engineer a domain, and could code in share point scripts to write credentials to apps, and so forth, but because we’re not MCSE certified we don’t get to touch the DC’s. “In my case that is”.
I recently took a job where “I” am the “ADMIN” over the domain for a very small business, and with freedom to do as I wish on the domain I created with only but 60 machines and users I am advancing a lot. We use a Cisco router here and a business line broadband modem since I am the sole systems engineer per se I am also responsible for it. So I play with subnetting and so forth in my free time, and every day is not a boring day all because of this tutorial which helped me get the job! Every day I am setting policies, locking down users’ machines. The boss\Owner who didn’t have a domain setup and each phone agent was just taking calls, and had an independent machine with full admin rights didn’t know any better. I made suggestions and told him we were going to need to domain this work environment and sold him on letting me go to Dell’s website, bought a server with a packaged license deal. Then I setup 3 other child servers, one as a file server, printer server, and using newer workstations with the w2k3 OS for the roles. I build scripts in C++ to do profile backups etc… my days flyyyyyyy it’s almost not even a job to me, but a do something I love and get paid type of work. This tutorial being primarily text based versus YouTube videos really put the confidence in me enough to present the benefits to the owner to make him buy a $3k server package. It was all worth it to him once I setup policies that allowed him to stealthily RDC into his employees’ workstations and see what they are doing when he wanted. I am doing research on Magic Jack type phone setups to save the token phone setup he is paying out the nose for on a monthly basis. My ideal is to have a very cost efficient call system in which phone calls can be recorded and monitored and even be remotely monitored real time to kind of do some call quality.
All of these measures are being coerced by the knowledge I have and how it can save money and make business operations more efficient ALL THANKS TO GOOD LAID OUT TUTORIALS LIKE THIS ONE!!! It’s only until now that I wrote a comment on this tutorial I should have done so when I first read it.

  8. I can’t see the link for the next page of the tutorial. Where is it?

  9. Guide is excellent however please correct the images. They are currently broken due to a script error.

  10. Any chance you could fix the images and also expand on roaming profiles?

    Thanks

  11. Spanishgirl says:

    Can’t say much for this posting, it’s of little or no use to anyone setting up Server 2003. Like my dad used to tell me, if you don’t know what you’re talking about just shut up and listen to someone that’s done it instead of wasting everyone’s time. Good intentions are like ass holes, everyone’s got one.

