
Active Directory (AD) Management

Concepts of domains and Active Directory


The value of domains and Active Directory

Enforce security policies and desktop/application environments for terminal computers and users, with support for batch and automated deployment, which reduces the day-to-day management difficulty and workload of IT staff.

Access control for the various services and resources in the domain (file and print sharing, etc.) can be combined flexibly with the enterprise's hierarchical organizational structure to meet complex management needs such as permission assignment.

A unified authentication mechanism can be integrated with a variety of Windows application services (such as Exchange and SharePoint) and third-party software to achieve single sign-on, improving the user experience when switching between multiple services.

Roles in the domain

DC (Domain Controller)

Member Server

Terminal computer

The AD database file on the domain controller

The AD database file is saved in the C:\Windows\NTDS directory by default.


When required during AD database maintenance, you can perform operations such as stopping and starting the AD DS service, relocating the database folder, offline defragmentation, and backup and recovery.

AD database synchronization between domain controllers

The AD database is replicated between DCs whenever changes occur. The frequency and time windows of this replication can be configured.


Special types of domain controllers

RODC (Read-Only Domain Controller)

An RODC holds a read-only replica of the AD database.

No changes to the database can be made locally on the RODC.

An RODC is suitable for deployment in remote branch offices that have no local administration requirements.


Global Catalog server (GC)

A GC is a special domain controller; at least one is deployed in each domain.

In a multi-domain environment the GC holds data from the other domains (not all of it: the replicated subset usually accounts for only 5% to 10% of the total AD database), which makes forest-wide or cross-domain searches efficient for applications such as Exchange Server.

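As an added example (not part of the original post), the following PowerShell inventories the DC roles discussed above: which DCs are Global Catalogs, which are RODCs, and which site each serves, plus a check that every domain in the forest has at least one GC. It also reads where the AD database file actually lives from the NTDS service registry keys. It assumes the ActiveDirectory RSAT module and a forest-wide read account.

```powershell
Import-Module ActiveDirectory

# Enumerate every DC in every domain of the forest and show its role flags.
function Get-DcRoleInventory {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # -Server with a domain name lets the cmdlet locate a DC of that domain
        Get-ADDomainController -Filter * -Server $domain |
            Select-Object Domain, Name, Site, IsGlobalCatalog, IsReadOnly, IPv4Address
    }
}

# The text says at least one GC per domain: report any domain that has none.
function Find-DomainsWithoutGc {
    Get-DcRoleInventory |
        Group-Object Domain |
        Where-Object { -not ($_.Group | Where-Object IsGlobalCatalog) } |
        Select-Object -ExpandProperty Name
}

# On a DC: the configured location of the database and its working directory
# (default C:\Windows\NTDS). Run this on the DC itself.
function Get-NtdsPaths {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        DatabaseFile     = $p.'DSA Database file'
        WorkingDirectory = $p.'DSA Working Directory'
    }
}

Get-DcRoleInventory | Format-Table -AutoSize
Find-DomainsWithoutGc
```

Only a DC that reports IsGlobalCatalog as True answers port 3268 forest-wide queries; an RODC (IsReadOnly True) may also be a GC, but never accepts local writes.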

Domain and Active Directory planning

When a multi-domain environment is needed

A domain can contain up to 1 million objects, so technically most enterprises need only one domain.

Multi-domain deployment may need to be considered when the following requirements occur:

IT management policies require separate or independent IT management boundaries

Restructuring or mergers cause changes to the domain

Domain transformation or migration requires the old and new domains to coexist for a period of time


Distributed architecture of multiple domains

A forest can contain multiple domains, and a domain can contain multiple child domains.

The namespaces (FQDN suffixes) of parent and child domains must be consistent and contiguous.


Trust relationships between domains

Trust relationships enable cross-domain authentication and resource access.

Without a trust relationship between domains, users in each domain can access only the resources in their own domain.

Depending on the scenario, some trust relationships exist by default, while some require manual configuration.


Sites

A site is a network made up of specific IP subnets within the same domain and is associated with specific domain controllers.

Multiple sites are deployed to optimize DC replication between sites, and to let clients prefer nearby DCs so that logon authentication is faster.


Active Directory planning

OU hierarchy planning

User and computer naming specifications

Group planning

Planning of AD management permissions

Object management in Active Directory

Graphical management tools


Command-line management tools

DS command set

dsquery, dsadd, dsmod, dsmove, dsrm, etc.

PowerShell cmdlets

Get-ADDomain, New-ADUser, Search-ADAccount, etc.


Objects in Active Directory

Object

Common objects include: users, groups, computers, etc.

Container

Built into the system; the default logical storage location for certain objects.

Cannot be deleted or edited, and cannot be nested into further levels.

Organizational Unit (OU)

Created by the administrator to customize the logical storage location of objects.

Supports a hierarchical structure and can be edited.


OU (Organizational Unit) planning

OUs generally reflect the organizational structure or geographic layout of the enterprise.

Whether different object types are mixed within one OU depends on management needs.

The main function of an OU is to control the scope of Group Policy deployment and the delegation of management permissions in Active Directory.


Object type 1: Users

Domain user logon

Domain username@domain name (such as [email protected])

Domain name\Domain username (such as abc\tester)


Viewing the SID

Get-ADUser -Identity <username>


Creating and managing a single user

AD Users and Computers

AD Administrative Center

Creating and managing users in bulk

Built-in server command-line tools (such as csvde and ldifde)

Writing PowerShell scripts
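The bulk-creation route mentioned above, as an added example that is not part of the original post: a PowerShell script that creates users from CSV rows with New-ADUser, skips rows whose account already exists instead of aborting the batch, gives each account its own random initial password that must be changed at first logon, and returns the SID of each new account with the same Get-ADUser call the notes use. The CSV content, the OU and the UPN suffix are constructed placeholders; in production read the file with Import-Csv.

```powershell
Import-Module ActiveDirectory

# Constructed sample input standing in for Import-Csv -Path users.csv
$rows = @'
SamAccountName,GivenName,Surname,Department
tester,Test,User,IT
jdoe,Jane,Doe,Sales
'@ | ConvertFrom-Csv

$targetOu  = 'OU=Staff,DC=abc,DC=local'   # hypothetical OU
$upnSuffix = 'abc.local'                   # hypothetical UPN suffix

# 64-character alphabet so that byte % 64 is unbiased; ambiguous glyphs (I, O, l, 0, 1) omitted
function New-RandomPassword {
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-BulkAdUsers {
    param([object[]]$Rows, [string]$Path, [string]$UpnSuffix)
    foreach ($row in $Rows) {
        $sam = $row.SamAccountName
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            Write-Warning "Skipping ${sam}: account already exists"
            continue
        }
        $initial = New-RandomPassword
        New-ADUser -SamAccountName $sam `
                   -UserPrincipalName "$sam@$UpnSuffix" `
                   -Name "$($row.GivenName) $($row.Surname)" `
                   -GivenName $row.GivenName -Surname $row.Surname `
                   -Department $row.Department -Path $Path `
                   -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
                   -ChangePasswordAtLogon $true -Enabled $true
        # Hand the initial password over out of band; here we only report the SID
        Get-ADUser -Identity $sam | Select-Object SamAccountName, UserPrincipalName, SID
    }
}

New-BulkAdUsers -Rows $rows -Path $targetOu -UpnSuffix $upnSuffix | Format-Table -AutoSize
```

The existence check uses a -Filter rather than Get-ADUser -Identity because -Identity throws when the account is missing, which is the normal case during a bulk import.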

Object type 2: Groups

Purpose of groups

Assign permissions or rights to users in batches

Group classification

By whether the group is built-in: built-in groups, custom groups

By scope: domain local groups, global groups, universal groups


Object type 3: Computers

Passive domain join

No computer account is created in Active Directory beforehand. When the computer joins the domain, its computer account is created automatically in the default Computers container.

Active (pre-staged) domain join

The administrator creates the computer account in the desired OU in Active Directory beforehand. When the computer joins the domain, it is matched by computer name to the pre-created account in that OU.

Computer account password / secure channel

The secure channel between a domain-joined computer and the domain controller requires a computer account password. The password is generated locally by the client computer and uploaded to Active Directory on the domain controller, where it is stored. By default it is changed automatically every 30 days.

If the client computer cannot communicate with the domain controller for more than 30 days, the domain controller still allows the secure channel to be maintained with the previous (expired) computer account password stored in Active Directory, but for no longer than two password update cycles (60 days by default). After that the secure channel is broken and the client effectively drops out of the domain, so users can no longer log on.

Parameters such as the computer password update cycle and validity period can be adjusted through Group Policy.
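An added example (not part of the original post) for the secure-channel behaviour described above, in PowerShell: on a domain-joined client it checks the secure channel and reads the Netlogon registry values behind the "Domain member: Maximum machine account password age" and "Disable machine account password changes" policies; on a DC or RSAT host it lists enabled computer accounts whose password is older than two update cycles, which are the ones about to lose their secure channel. It assumes the ActiveDirectory module; the 60-day cutoff is the default from the text.

```powershell
Import-Module ActiveDirectory

# Client side: is the secure channel to a DC healthy? (-Repair would reset the
# machine password; run it only with a credential that may rejoin the computer.)
function Test-MachineSecureChannel {
    $ok = Test-ComputerSecureChannel -Verbose
    if (-not $ok) {
        Write-Warning 'Secure channel broken: Test-ComputerSecureChannel -Repair -Credential <admin>'
    }
    $ok
}

# Client side: the effective machine-password policy, from the Netlogon keys that
# the Group Policy security settings write to.
function Get-MachinePasswordPolicy {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $maxAge = 30                                      # default when the value is absent
    if ($null -ne $p.MaximumPasswordAge) { $maxAge = [int]$p.MaximumPasswordAge }
    [pscustomobject]@{
        MaximumPasswordAgeDays = $maxAge
        PasswordChangeDisabled = [bool]$p.DisablePasswordChange
    }
}

# Directory side: enabled computers whose password is older than $MaxAgeDays.
# With the defaults in the text (30-day cycle, two cycles tolerated) anything
# past 60 days is about to lose its secure channel and should be reviewed.
function Find-StaleComputerAccounts {
    param([int]$MaxAgeDays = 60)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
                   -Properties PasswordLastSet, OperatingSystem |
        Select-Object Name, OperatingSystem, PasswordLastSet,
            @{n='AgeDays'; e={ [int]((Get-Date) - $_.PasswordLastSet).TotalDays }} |
        Sort-Object PasswordLastSet
}

Get-MachinePasswordPolicy
Find-StaleComputerAccounts | Format-Table -AutoSize
```

A large list of stale accounts is usually decommissioned hardware that was never removed from the directory; those accounts still hold a valid password and should be disabled rather than left in place.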


Finding and filtering objects

AD Users and Computers


AD Administrative Center


PowerShell scripts


Delegation of AD management rights

Delegation can be configured at the OU level so that common management tasks for the objects in that OU (such as modifying the attributes of department accounts, unlocking accounts, and resetting account passwords) are assigned to designated users or groups, reducing the workload of domain administrators.
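As an added example (not from the original post), the following PowerShell audits and grants the password-reset delegation described above. Delegation is stored as ACEs on the OU, so the audit reads the OU's ACL through the AD: drive and lists every trustee holding the "Reset Password" control-access right (the well-known schema GUID 00299570-246d-11d0-a768-00aa006e0529) or an ACE covering all extended rights, which is the over-broad form worth reviewing. The grant uses the built-in dsacls tool. The OU DN and group name are placeholders.

```powershell
Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl

$ouDn = 'OU=Sales,DC=abc,DC=local'   # hypothetical OU

# "Reset Password" (User-Force-Change-Password) control-access right, from the schema
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Who can reset passwords on objects under this OU, and was it set here or inherited?
function Get-ResetPasswordDelegation {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    $acl.Access |
        Where-Object {
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
            ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType,
            @{n='Right'; e={ if ($_.ObjectType -eq [Guid]::Empty) { 'ALL extended rights' } else { 'Reset Password' } }}
}

# Grant exactly that one right to a help-desk group, inherited (/I:S) to user
# objects under the OU. CA = control-access right.
function Grant-ResetPasswordDelegation {
    param([string]$DistinguishedName, [string]$Group)   # e.g. 'abc\HelpDesk'
    dsacls $DistinguishedName /I:S /G "${Group}:CA;Reset Password;user" | Out-Null
    Get-ResetPasswordDelegation -DistinguishedName $DistinguishedName
}

Get-ResetPasswordDelegation -DistinguishedName $ouDn | Format-Table -AutoSize
```

Rows reporting "ALL extended rights" for a non-administrative group are the usual finding from an audit like this: the delegation wizard's "Full Control" or "all extended rights" options grant far more than password reset.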


RSAT tools

RSAT (Remote Server Administration Tools) can be used together with AD rights delegation to perform AD domain service operations remotely from a client operating system (such as resetting passwords and unlocking accounts).


Group Policy configuration

Group Policy overview

In essence, Group Policy is a friendlier way of modifying the computer's registry. Each Group Policy setting corresponds to a registry key value, which is how it controls the behaviour of the operating system and applications.

Group Policy includes local group policy and domain group policy

Local Group Policy : gpedit.msc

Domain Group Policy: configured and distributed from the domain controller using the Group Policy Management tool

Domain Group Policy helps standardize the management of terminals within the domain and reduces manual workload

Common uses of Group Policy

Account security / authentication policy

Startup/shutdown scripts

Folder redirection

Deploying printers and mapped shared folders

Client desktop environment settings

Setting parameters of Microsoft applications such as IE

Automatic software installation and deployment

Restricting which software can run

Firewall security settings


Group Policy classification

Dimension 1: by the stage at which the configuration takes effect

Computer configuration

User Configuration

Dimension 2: by whether the configuration can be changed by the user

Policies

Preferences

Dimension 3: by configuration content area

Windows Settings

Administrative templates


Configuring Group Policy

The system contains two default GPOs:

Default Domain Policy: linked at the domain level, affects all computers and users in the domain

Default Domain Controllers Policy: linked at the Domain Controllers container level, affects all domain controllers

Any other GPO must be created, configured and linked by the administrator.


Deployment considerations

A GPO is configured on a domain controller and is synchronized to the other domain controllers through the AD replication mechanism.

After a GPO is created and edited, it takes effect only once it is linked to a domain or an OU.

One GPO can be linked to multiple OUs, and one OU can have multiple different GPOs linked to it.

Deleting a GPO link does not delete the GPO, but deleting a GPO automatically deletes all links to it.

To stop a GPO from taking effect, disable its link, or disable the GPO as a whole; it is not necessary to delete the link or the GPO.

Scope of Group Policy application

After creation, a GPO cannot be applied directly to computers, users or groups; it must be linked to a container or OU in Active Directory, or linked at the domain level.

By default a GPO applies to all computers and users under the domain or OU it is linked to. To narrow the scope further, use Security Filtering or WMI Filtering.

Individual objects can also be excluded from the default scope of a GPO.
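The configuration, linking and security-filtering steps above, as an added PowerShell example that is not part of the original post. It uses the GroupPolicy module: create the GPO (here with one Computer Configuration registry setting, enabling PowerShell script block logging under its documented policy key), link it to an OU, narrow it with security filtering to a pilot group, and show how to stop it applying by disabling the link rather than deleting anything. GPO name, OU and group are placeholders.

```powershell
Import-Module GroupPolicy

$gpoName  = 'Workstation Baseline'                 # hypothetical GPO name
$targetOu = 'OU=Workstations,DC=abc,DC=local'      # hypothetical OU
$pilot    = 'Workstation-Pilot'                    # hypothetical security group

function Deploy-FilteredGpo {
    param([string]$Name, [string]$Target, [string]$Group)

    # 1. Create (or reuse) the GPO and put a setting in it. Registry policy
    #    under HKLM lands in Computer Configuration.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Created by Deploy-FilteredGpo' }
    Set-GPRegistryValue -Name $Name `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
        -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1 | Out-Null

    # 2. A GPO does nothing until linked. Link it enabled to the OU, at link
    #    order 1 (the position that wins among GPOs linked to the same OU).
    $linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes -Order 1 | Out-Null }

    # 3. Security filtering: Authenticated Users keeps Read (clients must be
    #    able to read the GPO to evaluate it) but loses Apply; the pilot group
    #    gets Apply. Only members of the pilot group receive the settings.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    Get-GPPermission -Name $Name -All |
        Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
}

# Turn the GPO off for this OU without deleting the link or the GPO
function Disable-GpoLink {
    param([string]$Name, [string]$Target)
    Set-GPLink -Name $Name -Target $Target -LinkEnabled No | Out-Null
    (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name |
        Select-Object DisplayName, Enabled, Enforced, Order
}

Deploy-FilteredGpo -Name $gpoName -Target $targetOu -Group $pilot | Format-Table -AutoSize
```

Because the setting here is a Computer Configuration item, the pilot group must contain the computer accounts, not the users who log on to them.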


When Group Policy takes effect

When the computer starts, it automatically retrieves and applies the "Computer Configuration" entries.

When the user logs on, the "User Configuration" entries are automatically applied.

While the computer stays on or the user stays logged on, changes take effect within 90 to 120 minutes by default (a refresh interval of 90 minutes plus a random offset of up to 30 minutes, added to avoid peaks of concurrent requests; this interval is configurable).

The client can force Group Policy to be retrieved and refreshed with the command gpupdate /force.

Some settings take effect only after the computer is restarted or the user logs off and on again, even once the policy has been applied.

To view the GPOs currently applied on the client:

gpresult /h d:\gporesult.html

gpresult /r


Group Policy processing principles

Inheritance principle

Inheritance can be enabled or blocked

Accumulation principle

Priority principle

Child OU > Parent OU > Domain > Site > Local Policy (the GPO applied last, closest to the object, wins when settings conflict)

Sequence principle

Multiple GPOs linked to the same OU are applied in their link order, from bottom to top of the list

Other principles

An OU that contains only computers applies only the "Computer Configuration" part

An OU that contains only users applies only the "User Configuration" part

If an OU contains both computers and users, both parts are applied (Computer Configuration takes precedence when they conflict)
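An added example (not from the original post) that makes the inheritance, priority and sequence principles above visible in PowerShell: Get-GPInheritance on an OU already returns the resultant, precedence-ordered list of GPO links from the domain down to that OU, so the function below prints that order, and a second function blocks or unblocks inheritance on the OU. The client-side resultant set is obtained with the same gpresult commands the notes give. The OU DN is a placeholder; site-linked GPOs are not part of the Get-GPInheritance result and must be checked on the site separately.

```powershell
Import-Module GroupPolicy

# Precedence-ordered GPOs for an OU: index 1 has the highest precedence
# (child OU links before parent OU links before domain links). Enforced links
# from a parent survive a "block inheritance" on the child.
function Get-GpoApplyOrder {
    param([string]$OuDn)
    $inh = Get-GPInheritance -Target $OuDn
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $i++
        [pscustomobject]@{
            Precedence = $i
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target      # where in the hierarchy the link lives
            LinkOrder  = $link.Order       # position among links on that container
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$OuDn blocks inheritance: only Enforced parent links apply"
    }
}

# Block (or unblock) inheritance on an OU and return the resulting state
function Set-OuInheritanceBlocked {
    param([string]$OuDn, [bool]$Blocked)
    $flag = if ($Blocked) { 'Yes' } else { 'No' }
    Set-GPInheritance -Target $OuDn -IsBlocked $flag | Out-Null
    (Get-GPInheritance -Target $OuDn).GpoInheritanceBlocked
}

# Client-side resultant set, as in the notes: HTML report plus on-screen summary
function Get-ClientGpoReport {
    param([string]$Html = 'd:\gporesult.html')
    gpresult /h $Html /f
    gpresult /r
}

Get-GpoApplyOrder -OuDn 'OU=Sales,OU=Corp,DC=abc,DC=local' | Format-Table -AutoSize
```

Comparing the Precedence column with the "Applied GPOs" section of gpresult /r on a client in that OU is a quick way to confirm that security filtering or a blocked inheritance is doing what was intended.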


Other Group Policy operations

Group Policy backup and restore

A single GPO or all GPOs can be backed up.

Each backup is recorded with a timestamp, so multiple historical versions can be kept and a specific version restored accurately.
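The backup-and-restore workflow above, as an added PowerShell example that is not part of the original post. Backup-GPO assigns every backup its own Id and Timestamp; the script keeps all GPOs in a timestamped folder, writes its own index of those Ids next to the backup, and restores one GPO from a chosen folder by BackupId so that exactly that version comes back. The backup root path is a placeholder.

```powershell
Import-Module GroupPolicy

# Back up every GPO into a new timestamped folder and record the backup Ids
function Backup-AllGpos {
    param([string]$Root = 'D:\GPOBackups')   # hypothetical backup root
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $result = Backup-GPO -All -Path $dir -Comment "Backup taken $(Get-Date -Format s)"
    # Our own index: Restore-GPO -BackupId needs the Id of the specific backup
    $result | Select-Object DisplayName, GpoId, Id, Timestamp |
        Export-Csv -Path (Join-Path $dir 'index.csv') -NoTypeInformation
    $result | Select-Object DisplayName, Id, Timestamp, @{n='Folder'; e={ $dir }}
}

# Restore one GPO from one specific backup folder (i.e. one historical version)
function Restore-GpoVersion {
    param([string]$Name, [string]$BackupDir)
    $entry = Import-Csv (Join-Path $BackupDir 'index.csv') | Where-Object DisplayName -eq $Name
    if (-not $entry) { throw "No backup of '$Name' found in $BackupDir" }
    Restore-GPO -BackupId $entry.Id -Path $BackupDir
}

# List the versions available for a GPO across all timestamped folders
function Get-GpoBackupVersions {
    param([string]$Name, [string]$Root = 'D:\GPOBackups')
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $idx = Join-Path $_.FullName 'index.csv'
        if (Test-Path $idx) {
            Import-Csv $idx | Where-Object DisplayName -eq $Name |
                Select-Object DisplayName, Id, Timestamp, @{n='Folder'; e={ $_.FullName }}
        }
    }
}

Backup-AllGpos | Format-Table -AutoSize
```

Restore-GPO puts back settings and security filtering but not the GPO's links; keep a record of links (for example from Get-GPOReport -ReportType Xml) if they also need to be recreated.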


Group Policy storage


Domain trust relationships

The concept of trust relationships

A domain is a security boundary. Without a trust relationship between domains, users in each domain can access only the resources in their own domain.

A trust relationship builds a bridge (trust path) between two domains, allowing domain user accounts to be used across domains and thereby enabling cross-domain authentication and resource access.

Common scenarios for trust relationships include company mergers and acquisitions, cooperation with external organizations, and Active Directory migration.

Depending on the domain type, some trust relationships exist by default, while others must be created manually.


Direction of trust relationships

Domain A has a one-way trust to Domain B

Resources in Domain A can be accessed by Domain B


Two-way trust between Domain A and Domain B

Resources in Domain A can be accessed by Domain B

Resources in Domain B can be accessed by Domain A


Transitivity of trust relationships

If trust relationships are transitive, several transitive trusts can be chained together automatically.

If a trust relationship is non-transitive, the trust chain is broken at that point and the chain cannot be completed automatically.
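An added example (not from the original post) that reviews the direction and transitivity properties discussed in this section with PowerShell. Get-ADTrust exposes each trust object's direction, whether it stays inside the forest, whether it is forest-transitive or explicitly non-transitive, and the SID-filtering and selective-authentication flags that govern how much a trusted domain's users can do here. The function spells out the direction in the same terms the notes use (which side's resources become reachable) and flags trusts where SID filtering is off. It assumes the ActiveDirectory module; property names are those of Get-ADTrust output.

```powershell
Import-Module ActiveDirectory

# Direction is stored from the viewpoint of the domain you query:
#   Outbound      = this domain trusts the other; their users can reach our resources
#   Inbound       = the other domain trusts us; our users can reach their resources
#   BiDirectional = both
function Get-TrustReview {
    Get-ADTrust -Filter * | ForEach-Object {
        $meaning = switch ($_.Direction) {
            'Outbound'      { "$($_.Target) users can access resources here" }
            'Inbound'       { "our users can access resources in $($_.Target)" }
            'BiDirectional' { "resources reachable in both directions with $($_.Target)" }
            default         { "unknown direction $($_.Direction)" }
        }
        $flags = @()
        if ($_.IntraForest)                     { $flags += 'intra-forest (transitive by default)' }
        if ($_.ForestTransitive)                { $flags += 'forest trust (transitive across forests)' }
        if ($_.DisallowTransivity)              { $flags += 'explicitly non-transitive' }
        # SID filtering: external trusts use the quarantine flag, forest trusts the forest-aware flag
        if (-not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
            $flags += 'REVIEW: SID filtering (quarantine) disabled on external trust'
        }
        if ($_.ForestTransitive -and -not $_.SIDFilteringForestAware) {
            $flags += 'REVIEW: SID filtering disabled on forest trust'
        }
        if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) {
            $flags += 'domain-wide authentication (consider selective authentication)'
        }
        [pscustomobject]@{
            Trust     = $_.Name
            Direction = $_.Direction
            Meaning   = $meaning
            TrustType = $_.TrustType
            Flags     = ($flags -join '; ')
        }
    }
}

Get-TrustReview | Format-List
```

Trusts inside one forest are created automatically and are transitive, which is why the notes describe them separately from trusts between forests; the review output makes that distinction explicit per trust object.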


Trusts within a forest


Trusts between forests


Shortcut trusts
