Active Directory

Discussion in 'Software' started by Mr.Cheeks, May 17, 2006.

  1. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Hi all,

    I only know the extreme basics of AD, from my A+ studies... This AD seems to be of extreme interest only if my answer of my question is true:

    Active Directory - stores all the details and information of my comps into a db. also i understand that AD can deploy programs across my network without me doing anything (obviously, i have to do the initial setup).

    so if i try and set this thing up, can i deploy updates, extensions automatically???

    ...or have i got this all wrong? :oops:
     
  2. Mr.Cheeks

    btw: i will test on a VMC [win2kpro or xp pro sp2] physical machines = 2xwinxp pro sp2 + 1xwinxp pro sp2, win mce (dual boot) if that will help
     
  3. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    a lot can be said about active directory, and i could correct you on a few minor things there, but those are indeed the very basics.

    i don't see a server. you need a domain controller.
     
  4. Mr.Cheeks

    D- please do the corrections, plus why do you need a domain controller?
     
  5. zimbo
    Honorary Member

    zimbo Petabyte Poster

    i hope d doesn't mind! A domain controller is a server that is running the active directory service or database. You can use Group Policy (this could get complicated) to deploy applications using .msi packages - to your clients. To deploy updates to your clients you need to create a WSUS server.

    getting complicated or should i carry on? :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  6. Mr.Cheeks

    Zimbo - err getting a bit too complicated... but it's all good

    Server -> Domain Controller - > Active Directory - > WSUS -> Deployment? is that the route?

    btw: say i want to update a piece of software on 1 machine, can this update be done to all other machines automatically over the network, w/o use of 3rd party app? or is that only available using WSUS, and last but not least why a server machine? i thought 2k and xp has the ability of an AD?
     
  7. zimbo
    Honorary Member

    WSUS is a service too that you can have running on Server. I haven't thought of it but i would think it's because win xp pro can only handle 10 concurrent connections at a time and server much more. So what if more than 10 people were to log on at the same time? Also Server os is more secure.

    your route is correct. How the updates work is that you download them from the ms update site and you put your clients into groups. you then deploy those windows updates to the client in the groups you specified.
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  8. Mr.Cheeks

    i'm only doing this as a test [vmc], so XP/2K should be ok, are the updates only applicable to ms or can you do any other update?

    a bad example e.g. firefox extensions, could i install the extensions on other machines or is it only ms patches that can be installed?
     
  9. d-Faktor
    Honorary Member

    well, not so much corrections. elaborations maybe.

    i'm not much of a teacher, so please bear with me.

    active directory is a tool, or rather a set of tools, (the directory service), that is used to store, organize and manage information (and the relations between the different parts of information) about your windows network environment into a database (the directory). this information is mostly made up of objects, like printers, computers, shared folders, user accounts, applications, groups, dns zones, logon scripts, policies, e-mail, etc. etc. each object is made up of a number of attributes. for instance, a user account has many attributes, like name, location, e-mail address, etc.
    now, when you say that active directory stores all the details and information about your computers into the directory, then that is only partly true. yes, it stores information about your computers (and their relations to other objects) into the directory, but the amount of data is surprisingly low, especially when compared to other objects, like user accounts.

    one of the active directory objects i mentioned are policies. a policy (or rather group policy object, or gpo) is a set of rules that you can apply to a user, a computer, or a particular grouping of users (and/or computers). for example, you can determine that if user1 logs on to computer1, he/she will get a white wallpaper, while if user2 logs on to the same computer, he/she will get a black wallpaper. in a similar, but much more complex fashion, you can indeed create a policy to deploy applications to users and/or computers, but don't get too excited about this. active directory supplies the basic infrastructure for policy based application deployment, but once your organization reaches a certain size (or once your active directory reaches a certain complexity), you will start to notice the limitations of this technique. you will soon find yourself looking for third party tools or addons.

    updates is a totally different story, that is if you're talking about security updates and patches. yes, it is possible to use a gpo to deploy patches, but it's highly inefficient, especially in a complex environment. a better way to deploy security updates is with a wsus server. you can still use a gpo to configure the way your workstations handle security updates and where they get them from, but you should let the wsus server take care of the actual deployment.

    okay, why a domain controller, and not just workstations. active directory is not a democracy. it requires a leader, or better yet a group of leaders, that will control the domain, that are always available, that have all the answers, and that you can trust to keep your information safe. a group of peers can never fill those shoes.
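
    Added example, not part of d-Faktor's post or of this thread: the split described above, where a GPO only tells workstations where to get updates and which WSUS group they belong to, while WSUS does the actual deployment. It uses the GroupPolicy PowerShell module that ships with later Windows Server releases than the ones discussed here; the WSUS URL, GPO name, OU and target group are assumed placeholder values.

```powershell
# Added example: GPO that points workstations at an internal WSUS server.
# Run on a machine with the GroupPolicy module (RSAT / domain controller).
Import-Module GroupPolicy

# --- Assumed values, replace with your own ---
$WsusUrl   = 'https://wsus.example.internal:8531'   # HTTPS so clients can authenticate the update source
$GpoName   = 'Workstations - WSUS client settings'
$TargetOu  = 'OU=Workstations,DC=example,DC=internal'
$WsusGroup = 'Workstations'                          # computer group on the WSUS side

# Windows Update client policy keys
$wuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Create the GPO only if it does not exist yet, so the script can be re-run
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Points clients at internal WSUS' | Out-Null
}

# Where clients fetch updates from and report status to
Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null

# Client-side targeting: the client tells WSUS which group it is in
Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName 'TargetGroup'        -Type String -Value $WsusGroup | Out-Null

# Use the WSUS server instead of Microsoft Update; auto-download and install daily at 03:00
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'UseWUServer'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

# Link the GPO to the OU that holds the workstation computer objects (skip if already linked)
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what the GPO now contains so the settings can be reviewed
Get-GPRegistryValue -Name $GpoName -Key $wuKey
Get-GPRegistryValue -Name $GpoName -Key $auKey
```

    Approving which updates go to the target group still happens on the WSUS server; the GPO carries no update content.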
     
  10. d-Faktor
    Honorary Member

    only microsoft patches and security updates. firefox extensions you would have to deploy using a gpo.
     
  11. Mr.Cheeks

    this GPO, is that the groups for users, i.e. user 1, 2, 3 are under the administrators, user 5, 6, 7 are power users etc? or are they something else?
     
  12. d-Faktor
    Honorary Member

    read my other reply earlier. i've explained what a gpo is there. a gpo is a group policy object, emphasis on policy, not on group.
     
  13. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Just to add my 2 cents..

    Active Directory is the modern version of an NT4 domain. Hence to have an Active Directory domain, you need at least one domain controller, preferably more for performance and disaster recovery reasons.

    Microsoft with Windows 2000 Server and Server 2003 have followed Novell with their NDS (Novell Directory Services) which they clearly saw as the way forward.

    Active Directory is a complex beast and it is hard to understand unless you have delved into it by studying it.

    Group policy is similar to the old NT system policies but much more powerful. You can basically lock your W2K and XP workstations down in many different ways, you can control what users can do and what they see. For example you could remove the windows update icon from just the sales group or remove the recent documents from just the accounts group. You can create an OU (organisation unit) in Active Directory Users and Computers and apply a GPO (group policy object) to that OU. Then any object (group) you place in that OU will be affected by the GPO. It's much more complicated than that, as there is a hierarchy with GPOs but I won't delve into that.

    Also, with Active Directory you can delegate admin functions to specific users. You can make a user able to reset passwords for example without having to give them full administrator rights.

    It's hard to summarise what one learnt in 70-217 and 70-219 in a single forum post :oops:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  14. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Cheek,

    let's just say that I learnt more about how windows works studying for 217 than I did studying for any other exam. 8)
     
  15. Mr.Cheeks

    cheers for the replies, perhaps, i should leave this project out for the time being...

    i'll continue with my vpn project...

    cheers...
     
  16. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Great post, with loads of info, thanks :thumbleft
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
