Part 3: Active Directory & User Creation
In Part 2 of this guide we configured our domain controller by setting up DNS and Active Directory Domain Services. Now we take a brief look at Active Directory itself, including adding users and joining client computers to the domain.
Check network configuration before proceeding:
Before attempting to add users and join clients to the domain you must make sure that your DNS configuration is correct. Active Directory Domain Services rely heavily on DNS for name resolution across the network, which is why you want your first domain controller to act as the primary DNS server too.
As I explained in Part 2, for name resolution to function correctly the server must point to itself for DNS. For example, within the TCP/IP settings under DNS Servers, set the preferred DNS server address to the server's own IP address:
If you have a second Windows DNS server on your network then you can input its IP address into the alternate DNS server entry. If this is the only DNS server on your network then it is recommended to input the loopback address of 127.0.0.1 into this field rather than leaving it blank.
If you are configuring your domain controller in a production environment, or even in a home network, then you will also want to ensure that your server can properly resolve web addresses from the internet. To do this, first open the DNS Manager by going to Start > Administrative Tools > DNS. From there select your server in the left-hand pane, and you will see the Forwarders option displayed to the right.
Right-click this item and open its Properties; this brings you to the Forwarders tab for your DNS server. Forwarders are DNS servers that your server can hand queries to for names it cannot resolve itself, for example www.google.co.uk. Servers added to the list of forwarders must be valid DNS servers. To add forwarders, hit the Edit button and type the IP addresses of the DNS servers you want to use; ideally you want at least two.
For this example I am using the OpenDNS server addresses. You can use these or any other valid DNS servers, including your ISP's. At home I prefer to use OpenDNS.
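The same DNS client settings and forwarder configuration can be applied and, more importantly, checked from PowerShell. The following is an added example written for this guide, not a script from the original post; it assumes the DnsClient and DnsServer modules that ship with Windows Server 2012 and later, and the adapter alias, server IP address and domain name are placeholders to replace with your own values.

```powershell
# Added example (not from the original guide). Placeholders to replace:
$Adapter    = 'Ethernet'        # adapter alias, see Get-NetAdapter
$ServerIP   = '192.168.1.10'    # this domain controller's static IP address
$DomainFQDN = 'example.local'   # your Active Directory domain name

# The DC points to itself first, with loopback as the alternate because it is the
# only DNS server on this network (use a second DC's address instead if you have one).
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses @($ServerIP, '127.0.0.1')
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4

# Forwarders handle names this server is not authoritative for.
# These are the public OpenDNS resolver addresses; any valid DNS servers will do.
$Forwarders = @('208.67.222.222', '208.67.220.220')
Add-DnsServerForwarder -IPAddress $Forwarders -PassThru
Get-DnsServerForwarder

# Checks a practitioner wants before joining anything to the domain:
# 1. the domain name itself resolves to this DC
Resolve-DnsName -Name $DomainFQDN -Type A -Server $ServerIP
# 2. the SRV record clients use to locate a domain controller exists
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFQDN" -Type SRV -Server $ServerIP
# 3. an external name resolves through the forwarders
Resolve-DnsName -Name 'www.google.co.uk' -Type A -Server $ServerIP
```

If check 2 returns nothing, the domain controller has not registered its service records in its own zone, and domain joins and logons will fail even though plain name resolution works; the built-in dcdiag /test:dns command gives a fuller report of the same conditions.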
Now that we have properly configured our network and DNS settings let’s dive into Active Directory.
What is Active Directory?
Active Directory is a directory-based service that runs under the Windows Server family of operating systems from Server 2000 onwards. All information and configuration settings are stored within its database. This information ranges from properties such as user accounts through to physical site links across several geographical locations.
Administrators use Active Directory to manage such things as user accounts, computers, network printers, groups, permissions, resources, sites and much more.
Things such as Users, Computers, Printers and Groups are defined as Objects within Active Directory.
Adding & Configuring Users
In this section of the guide I will be focusing on Active Directory Users and Computers. Launch it by going to Start > Administrative Tools > Active Directory Users and Computers. It should look similar to what's shown below:
What we have here is essentially a fresh panel with nothing added or taken away, with only the default containers. This is where we will add and manage users and client computers in the domain.
By default Active Directory provides us with containers for both Users and Computers. If we select the Users container we will see that it contains the default Administrator user account along with various security groups.
In a production environment with a fairly large user base you wouldn't typically find user accounts being added to this container. However, for the purpose of this example we will create a new user in this container before moving on to a more organised structure later.
To create a new user you can right-click on the highlighted Users container and go to New > User, or simply right-click in an empty area within the container and choose New > User. Alternatively you can perform the same action from the Action menu at the top.
This will bring up a new object window for you to enter the details for our user including the domain that they will be a part of. I’ve filled out the appropriate fields for the user John Smith.
Hit Next, where you will enter a password for the user. By default this password has to be a minimum of 7 characters in length and be somewhat complex (e.g. uppercase, lowercase, number and/or symbol), similar to what was required at first logon to the server. You also have the option to prompt the user to change their password at next logon, along with a few other account options. I would recommend enforcing a password change at next logon in production environments, as it lets the user choose a password of their own.
By default users are members of the Domain Users security group. Different security groups have different sets of permissions across the domain. For example, a domain user will have fewer permissions and less overall access than a domain admin. You can also add users to different security groups.
Once you have created the user it will appear within the container in which it was created.
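The same account can be created with the Active Directory PowerShell module, which also lets you confirm the domain's password rules before choosing an initial password. This is an added example for this guide, not code from the original post; it assumes the ActiveDirectory module on the domain controller, and the user name John Smith, logon name jsmith and the default Users container are taken from the walkthrough above.

```powershell
# Added example (not from the original guide).
Import-Module ActiveDirectory

$Domain         = Get-ADDomain
$UsersContainer = "CN=Users,$($Domain.DistinguishedName)"   # the default Users container

# The default domain password policy is what the wizard enforces (minimum length, complexity)
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge

# Read the initial password interactively so it is never stored in the script or shell history
$InitialPassword = Read-Host -AsSecureString -Prompt 'Initial password for jsmith'

# Create the account enabled, with "User must change password at next logon" set,
# so the initial password only ever works once
New-ADUser -Name 'John Smith' -GivenName 'John' -Surname 'Smith' `
    -SamAccountName 'jsmith' -UserPrincipalName "jsmith@$($Domain.DNSRoot)" `
    -Path $UsersContainer -AccountPassword $InitialPassword `
    -Enabled $true -ChangePasswordAtLogon $true

# Confirm the account landed in the expected container, is enabled, and still has the
# change-at-next-logon flag (PasswordExpired is True until the user sets their own password)
Get-ADUser -Identity 'jsmith' -Properties PasswordExpired, MemberOf |
    Select-Object Name, SamAccountName, DistinguishedName, Enabled, PasswordExpired
```

If New-ADUser reports that the password does not meet the length, complexity or history requirements, the account is still created but left disabled, which is why the final Get-ADUser check on Enabled is worth keeping.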
Adding users to Security Groups:
I mentioned security groups briefly, and that there are various default groups available within Active Directory. In your own organisation you may want to add users to other groups for overall efficiency when it comes to such things as assigning and controlling access to resources on the network. You can also create your own groups for specific needs, and have users be part of them.
To add a user to a specific group or groups, right click on the user within Active Directory and select Properties.
From within Properties, navigate to the Member Of tab and select the Add button.
Select the appropriate object type followed by the location of the group. (The default security groups are held within the Users container.)
Finally, enter the name of the group that you want the user to be part of (e.g. Domain Admins), hit Check Names and then OK.
The group should now appear in the Member Of list.
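Group membership changes are the ones most worth doing in a repeatable, auditable way, so here is the same procedure in PowerShell as an added example for this guide (not code from the original post). It assumes the ActiveDirectory module, the jsmith account created earlier, and a custom group named Finance Share Users, which is an assumed name standing in for whatever group your organisation needs; it finishes by listing the members of Domain Admins, since that is the group the walkthrough used and the one you least want to grow unnoticed.

```powershell
# Added example (not from the original guide).
Import-Module ActiveDirectory

$User = Get-ADUser -Identity 'jsmith'

# Memberships before the change: a fresh account shows only Domain Users
Get-ADPrincipalGroupMembership -Identity $User | Select-Object Name, GroupScope, GroupCategory

# A custom security group for a specific need, created in the Users container like the defaults.
# Granting resource access through a group like this, rather than through Domain Admins, keeps
# the privileged groups small.
$GroupName = 'Finance Share Users'   # assumed name for this example
$UsersContainer = "CN=Users,$((Get-ADDomain).DistinguishedName)"
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName 'FinanceShareUsers' `
        -GroupScope Global -GroupCategory Security -Path $UsersContainer `
        -Description 'Members get read access to the finance file share'
}

# The equivalent of Member Of > Add > Check Names > OK
Add-ADGroupMember -Identity 'FinanceShareUsers' -Members $User

# Verify the group now appears in the user's Member Of list
$Memberships = (Get-ADPrincipalGroupMembership -Identity $User).Name
if ($Memberships -contains $GroupName) {
    Write-Output "jsmith is now a member of '$GroupName'"
} else {
    Write-Warning "jsmith was not added to '$GroupName'"
}

# Audit the membership of Domain Admins, including members inherited through nested groups.
# Run this after any privileged-group change and compare it against the last known list.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

The -Recursive switch matters for the audit: a user nested two groups deep is still a domain admin for every practical purpose, but does not appear in the group's direct member list shown in the Members tab.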
In the continuation of this stage I will be covering the installation and configuration of the DHCP role, including how to join client computers to the domain.