Monday, July 14, 2008

Active Directory management

AD data is stored in a central, organized, accessible database. Active Directory networks can vary from a small installation with just a few hundred objects to millions of them. It is a key component when it comes to managing very large networks.

Their manager calls the help desk, which calls IT support to action the changes in AD. Once these are made, the manager is notified that the user has been set up. This can take hours, sometimes days. Not only does this process tie up IT with mundane admin chores, but it can mean that staff can't be productive during this hiatus. The other side of the coin applies equally - you can't remove a user's access rights immediately.

Active Directory offers a cost-effective solution. It neatly overcomes these AD admin headaches by effectively delegating AD object management to line managers. If changes have to be made, managers can make them on the spot, with changes going live in as little as ten seconds.

Active Directory uses a web-based AD management interface - it can be installed quickly through a company's internal network as there are no desktop clients to install, and the familiar web-browser user interface cuts the need for training. In fact, it's so simple and intuitive that most staff probably won't need any training.

Active Directory provides granular access control to entrusted staff with no limitations. Once logged in, you're presented with a home page offering just three options: update access, view access groups and view audited history. Changes to AD are made via a wizard. A search option is provided, which is useful if you have thousands of AD objects to contend with.

When you have finished making your changes you simply click the "update all groups" button and it's done.

Paperwork is kept to a minimum. Changes to working practices and user privileges are managed through work flow emails. As well as greatly simplifying AD admin for both line managers and IT support staff, security is also improved by automating a usually manual security process. All Active Directory updates are logged to allow for auditing, which is essential to meet compliance standards.

In fact, Active Directory management can be standardized worldwide and can be used as part of the enterprise's Quality Management. The audit history option on the home page lets you view log information by group/role, date or user. Data can be downloaded and displayed in Excel.

Although Active Directory is a standalone product and doesn't integrate with other network management tools, its web services application programming interface (API) will allow the integration of separate systems. As a result, Active Directory can complement existing identity management or account provisioning solutions. At the moment, Active Directory can support up to 100,000 users. System pre-requisites include Windows Server 2000/2003, IIS 6, .NET Framework 1.1, an SMTP e-mail server and MS SQL Server (2000, 2005 or Express 2005) - most organizations contemplating deploying Active Directory will most likely meet these criteria from the off.

Installation is a doddle - in fact, if you spend more than ten minutes on it, you're probably doing something wrong.

In conclusion, Active Directory is an AD management tool that's well-suited to organizations with more than 300 seats, as well as to managed-data centers looking for a painless and secure method of passing security management tasks back to the client.

Source: securecomputing.net

Tuesday, July 8, 2008

Windows Server 2008

Over the weekend I installed the released version of Windows Server 2008 (after having worked with the release candidate previously), and the experience reminded me how impressed I am by Win2008's ease of installation. I have an Intel quad-CPU setup, along with some 7200rpm drives because I do a lot of testing, and the 64-bit version of Windows Server 2008 Standard Edition installation just flew onto my hard drive. Following that, deciding what you want your Win2008 to be in life is a relatively straightforward, guided process.

If you are new to Win2008, it includes something called Server Roles. What do you want this server to be? An Active Directory domain controller (called Domain Services), a file or print server, an IIS Web server, a combination, or maybe something else? Win2008 comes with some 17 Server Roles, each comprising a number of appropriate options. Let's say you want to set up a multipurpose server as a domain controller, DHCP server, file server, print server and Web server -- a configuration you might use in a smaller organization. Each of those functions is a Server Role within Win2008. Active Directory Domain Services will also require you to set up the server using the DNS Server role.

Each Server Role starts with a wizard for basic configuration information (like setting up scopes for the DHCP Server role, for example) and concludes with an installation step. If some feature selections within a Server Role have other software dependencies, those are shown with an easy-to-understand "okay" box to add them to the installation. If you are a beginner or don't happen to know about a certain feature set within a Server Role, help is there right up front about what it does and the installation options that may be relevant to you (like setting up a new domain vs. adding a controller to an existing domain services forest).

You'll likely have to reboot Win2008 after most installation steps, so you'll want to get everything installed and configured before a bunch of users sign on. While there's a big difference in pricing, I've found Win2008 Standard Edition about as easy to set up as the Win2008 Small Business Edition. SBE obviously consolidates some steps, but Win2008 isn't all that hard to set up -- the basic stuff anyway. If you are going to exceed the license restrictions, don't fear setting up Win2008, as it's not that much harder.
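The multipurpose build the post walks through in the Server Roles wizards (domain controller, DNS, DHCP, file, print and Web server) can be scripted and then verified. This is an added example, not code from the original post or from Microsoft; it assumes the ServerManager PowerShell module shipped with Windows Server 2008 R2 (on the original 2008 release the equivalent command is "ServerManagerCmd.exe -install <Id>"), and the role identifiers used are the ones that module exposes.

```powershell
# Added example (not from the original post): script the Server Role install the
# post performs through the wizards, then verify what actually got installed.
# Assumes the ServerManager module of Windows Server 2008 R2; on 2008 RTM use
# "ServerManagerCmd.exe -install <Id>" with the same role identifiers.
Import-Module ServerManager

# DNS Server is listed explicitly: Active Directory Domain Services depends on it.
$roles = 'AD-Domain-Services', 'DNS', 'DHCP', 'FS-FileServer', 'Print-Server', 'Web-Server'

$result = Add-WindowsFeature -Name $roles
if (-not $result.Success) {
    throw "Role installation failed: $($result.FeatureResult)"
}

# Most role installs want a reboot; do it before users sign on.
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'Reboot required before the new roles are usable'
}

# Verify the installed set rather than trusting the wizard summary: an unexpected
# role on a machine that is about to become a domain controller is worth a second look.
Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName

# Promoting the server to a domain controller (dcpromo.exe on Windows Server 2008)
# is a separate step and is not scripted here.
```

Run it from an elevated PowerShell session on the freshly installed server; the final listing is the part worth keeping with the build records, since it shows exactly which roles and role services the box ended up with.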

Tuesday, July 1, 2008

Active Server Directory

An active directory (sometimes referred to as an AD) performs a variety of functions: it provides information on objects, organizes those objects for easy retrieval and access, makes them available to end users and administrators, and allows the administrator to set up security for the directory.

An active directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web or email servers; and objects, which are the main functions of the domain and network.

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, an end user, or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to being able to hold other objects, every object has its own attributes, which allow it to be characterized by the information it contains. Most IT professionals call these settings or characterizations the schema.

The type of schema created for a folder ultimately determines how these objects are used. For instance, some objects with certain schemas cannot be deleted; they can only be deactivated. Other types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object cannot be deleted.

When learning about active directories, it is important to know the framework within which objects can be viewed. In fact, an active directory can be viewed at one of three levels; these levels are called forests, trees or domains. The highest structure is called the forest, because from it you can see all objects included within the active directory.

Within the forest structure are trees; these structures usually hold one or more domains. Going further down the structure of an active directory, you reach single domains. To put forests, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a given location. Within this forest directory are trees that hold information on specific objects such as domain controllers, program data, system, etc. Within these objects are even more objects, which can then be controlled and categorized.
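The containment structure described in this post (a domain holding containers and organizational units, which in turn hold objects, each carrying its own attributes) can be made concrete by walking a directory export. The script below is an added example, not code from the original post; it parses a small LDIF-style dump constructed here for illustration (the DNs, names and values are made up), rebuilds the parent/child tree from the distinguished names, and marks user objects that have been deactivated rather than deleted, using the real userAccountControl ACCOUNTDISABLE bit (0x2). It runs offline in Windows PowerShell 2.0 or later without the AD module or a domain.

```powershell
# Added example (not from the original post): rebuild the object hierarchy from a
# constructed LDIF-style dump and flag deactivated user objects.

# Constructed sample directory; not taken from any real environment.
$ldif = @'
dn: DC=corp,DC=example
objectClass: domainDNS

dn: CN=Users,DC=corp,DC=example
objectClass: container

dn: CN=Administrator,CN=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: Administrator
userAccountControl: 66048

dn: OU=Staff,DC=corp,DC=example
objectClass: organizationalUnit

dn: CN=Alice Smith,OU=Staff,DC=corp,DC=example
objectClass: user
sAMAccountName: asmith
userAccountControl: 512

dn: CN=Bob Jones,OU=Staff,DC=corp,DC=example
objectClass: user
sAMAccountName: bjones
userAccountControl: 514

dn: OU=Printers,DC=corp,DC=example
objectClass: organizationalUnit

dn: CN=LaserJet-01,OU=Printers,DC=corp,DC=example
objectClass: printQueue
'@

$ACCOUNTDISABLE = 0x2   # userAccountControl bit that marks a disabled (deactivated) account

# Parse "attribute: value" lines into one hashtable per entry; a blank line ends an entry.
function ConvertFrom-SimpleLdif {
    param([string]$Text)
    $entries = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.Trim() -eq '') {
            if ($current) { $entries += $current; $current = $null }
            continue
        }
        $name, $value = $line -split ':\s*', 2
        if ($name -eq 'dn') { $current = @{ dn = $value } }
        elseif ($current) { $current[$name] = $value }
    }
    if ($current) { $entries += $current }
    return $entries
}

# An object's parent is its DN with the leading RDN removed (escaped commas not handled).
function Get-ParentDn {
    param([string]$Dn)
    $i = $Dn.IndexOf(',')
    if ($i -ge 0) { $Dn.Substring($i + 1) } else { '' }
}

# Print the containment tree; user objects with the ACCOUNTDISABLE bit set are marked.
function Show-DirectoryTree {
    param([string]$Dn, [hashtable]$ByDn, [hashtable]$ByParent, [int]$Depth = 0)
    $entry = $ByDn[$Dn]
    $flag = ''
    if ($entry.objectClass -eq 'user' -and (([int]$entry.userAccountControl) -band $ACCOUNTDISABLE)) {
        $flag = '  [disabled]'
    }
    '{0}{1} ({2}){3}' -f ('  ' * $Depth), ($Dn -split ',')[0], $entry.objectClass, $flag
    foreach ($child in @($ByParent[$Dn] | Sort-Object)) {
        Show-DirectoryTree -Dn $child -ByDn $ByDn -ByParent $ByParent -Depth ($Depth + 1)
    }
}

# Index entries by DN, then link each one to the parent it is contained in.
$byDn = @{}
$byParent = @{}
$roots = @()
foreach ($e in (ConvertFrom-SimpleLdif $ldif)) { $byDn[$e.dn] = $e }
foreach ($dn in $byDn.Keys) {
    $parent = Get-ParentDn $dn
    if ($byDn.ContainsKey($parent)) {
        if ($byParent.ContainsKey($parent)) { $byParent[$parent] += $dn }
        else { $byParent[$parent] = @($dn) }
    } else {
        $roots += $dn   # no known parent in the dump: this is the top of a tree
    }
}
foreach ($root in $roots) { Show-DirectoryTree -Dn $root -ByDn $byDn -ByParent $byParent }
```

On the sample data this prints the domain at the top, the Users container and the two OUs beneath it, and each object under its container, with "CN=Bob Jones (user)  [disabled]" showing a deactivated account that still exists in the directory. An export produced by ldifde.exe on a domain controller has the same attribute: value layout, so the same walk works on real data, with the caveat that this simple parser splits DNs on the first comma and does not handle escaped commas inside a name.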