Getting Your Microsoft Active Directory Network Off the Ground
by Kevin Spaeth
Introduction
You have just been assigned the task of creating a new network for your organization. You have all the computers and network equipment in place, but you don't know where to start. This article gives an overview of how to get your network off the ground and running, and provides starter information about managing security on your workstations. It assumes that you know your way around Windows and now need to enter the networking arena.
History
Microsoft created Windows NT (New Technology) to provide a networked version of Windows with a tight security policy, forcing users to log in with a username and password before they could access a computer running NT or any resource on that computer or the network. In other words, Windows NT was the first operating system released by Microsoft that contained a network operating system, a product competing with other network operating systems such as Novell's NetWare.
Since the release of Windows NT in the mid-1990s, networks have evolved to a greater level of complexity, and Microsoft realized that Windows NT was becoming outdated. With the release of Windows 2000, Microsoft included a new version of its network operating system called Active Directory. Active Directory is like a giant centralized phone book containing entries about the users, computers, and other resources on your network. This directory can be searched and edited fairly easily, which makes administering a network much easier than it was under Windows NT. With Active Directory, Microsoft took its network operating system to the next level.
The rest of this article is devoted to information on setting up and administering this new technology.
Setting Up Your Network
In order to use Active Directory, you will need either Windows 2000 Server or Windows Server 2003; Windows NT servers do not support Active Directory. Once you have your server set up and running, you can configure it to run Active Directory. Microsoft includes a configuration tool under the Administrative Tools menu called "Configure Your Server". Start this application and a screen will appear asking which role you would like to configure this server for. Select that you would like this server to be a domain controller.
A wizard will take you through the steps of setting up this server as a domain controller. The first networking concepts you will need to understand are what a domain is, and what Microsoft is talking about when it refers to forests. Basically, a domain is a collection of resources on your network: user accounts, computers, printers, shared files and so on. A domain is a container that stores all of these resources and the settings associated with them. In practical terms, Windows just sets up a folder with some files in it that store the names and details of the resources; not too complicated, is it? As for the forest, domains can be related to each other. You can have parent domains and child domains; a child domain can have access to resources provided by the parent domain, yet is distinct from the parent. A forest is a "family tree" of domains. When you declare that this server will be a domain controller for a domain in a new forest, you are telling the wizard that you do not already have an existing domain of which this new domain will be a child. One tip that I have for you when creating a domain name is to give it a .com, .local or some other suffix. If you want to call your domain "mydomain", call it "mydomain.local" or "mydomain.com". Doing this will make life easier for you down the road.
Next, the wizard will ask you about a DNS (Domain Name System) server. Whereas humans like to deal with pronounceable and understandable names like "David's computer" or "the copier room printer", computers only understand IP addresses such as 192.168.0.56. To bridge these two worlds, some bright computer guys created the DNS server. A DNS server can take a human-readable name and look up the associated IP address for the computer to use, or vice versa. So when you tell your computer to access David's computer, it can query the DNS server and learn that you are really talking about 192.168.0.56. As you can see, a DNS server is integral to your network. The beauty is that Microsoft has integrated DNS into Active Directory, so you will definitely want to install the DNS service along with Active Directory at this point.
The server will then take a while to set up the domain and reconfigure itself as a domain controller. Once it is finished, you will need to reboot, and then you can start adding resources to your domain.
Setting Up Users on Your Network
Once you have installed Active Directory on your network, you will want to start adding users. To manage your users, go to Administrative Tools and open the Active Directory Users and Computers program. When it opens, you will be looking at the resources in your domain. Before you start adding users, you will want to take advantage of a feature new in Active Directory called Organizational Units (OUs). An organizational unit is like a folder to hold your users. You can do a lot of neat things with OUs, like setting different permissions for different OUs, so if you are at a school, you could give an OU holding teachers more access than an OU holding students.
So the first thing you want to do is create an OU to hold your users. Right-click on the domain (the first item on the left side, which has an icon of a computer) and choose to create an organizational unit, then name it, and you will be able to start creating users. You will see the OU that you've just created appear in the tree. Right-click on it and select to create a new user. This is where you give your users a username, a password and any other information you want to fill in about the user. When you are finished, you will notice that your user appears inside your organizational unit. One thing to note is that Active Directory comes with complex passwords enabled by default. The password that you give this user must be complex enough, or Windows will reject it. An example of a complex password is xc!te56: it has numbers and letters and a special character (!) in it.
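The complexity rule the article refers to has a precise definition. The following Python checker is an added example, not the article's own code; it implements the rule as Microsoft documents it for the "Password must meet complexity requirements" policy and runs the article's xc!te56 through it. The account name and full name arguments correspond to the logon name and display name typed into the new-user dialog; the sample accounts in the block are constructed.

```python
"""Checker for the Windows "Password must meet complexity requirements"
policy that the article says is on by default. Added example, not the
article's own code; the rules follow Microsoft's policy documentation."""
import re

# Delimiters Windows uses to split the full name (displayName) into tokens.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def category_count(password):
    """Count the character categories the password draws from (Windows
    defines five: upper, lower, digit 0-9, non-alphanumeric, other alphabetic)."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any("0" <= c <= "9" for c in password)
    special = any(not c.isalnum() for c in password)
    # Alphabetic characters that have no case (e.g. CJK scripts).
    other_alpha = any(c.isalpha() and not c.isupper() and not c.islower()
                      for c in password)
    return sum((upper, lower, digit, special, other_alpha))


def meets_complexity(password, account_name="", full_name=""):
    """Return (ok, reasons). The password must be at least 6 characters,
    use 3 of the 5 categories, and must not contain the account name
    (if it is 3+ characters) or any 3+ character token of the full name;
    the name comparisons are case-insensitive."""
    reasons = []
    lowered = password.lower()
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    if category_count(password) < 3:
        reasons.append("fewer than 3 character categories")
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for token in _NAME_DELIMS.split(full_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append("contains full-name token '%s'" % token)
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample accounts; "David Smith" / "dsmith" are hypothetical.
    for pw, acct, name in [("xc!te56", "", ""),
                           ("password", "", ""),
                           ("David2004!", "dsmith", "David Smith")]:
        ok, why = meets_complexity(pw, acct, name)
        print("%-12s %s %s" % (pw, "accepted" if ok else "rejected", why))
```

Passing this check only means Windows will accept the password; it says nothing about how hard the password is to guess, so treat it as a floor rather than a strength measure.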
Setting Up Computers on Your Network
The easiest way to add computers to your domain is to physically go over to the desired computer and change the settings on it. Once you are at the computer, the first step is to right-click on My Computer and go into Properties. There is a network tab in the resulting dialog that you need to click on. At the bottom of this screen you can tell the computer to join the domain by clicking the radio button next to "Domain" and entering the domain name that you created when you set up your domain. You should receive a second dialog asking for a login and password. You should use the administrator login and password of the domain you created earlier. I would recommend entering the domain name, a backslash, then administrator as the username (mydomain\administrator), mydomain being the name of the domain you created, so that the computer can better identify the account you are entering.
If you receive a message saying the domain could not be found, you will need to reconfigure either your DHCP server (not covered in this article because it is complicated) or the computer's network settings so that it can find the domain. Before you do this, make sure you typed the domain name properly. To reconfigure the computer, go to the Control Panel and open the network properties. Open your LAN connection and go into the properties for the TCP/IP protocol. Here you need to specify a DNS server in the bottom section of the screen: click the option to specify DNS servers manually, then enter the IP address of your server into the box. Once this is finished, repeat the instructions on joining the domain from the previous paragraph and you will have added this computer to the domain.
If you do not know the IP address of the server, you will need to walk back over to the server. Once there, open the command prompt (under the Accessories menu), type ipconfig and press Enter. The computer will show you its IP address, formatted like 192.168.0.1. Copy these numbers down from the server and enter them as the DNS address on the computer that you are adding to the domain.
Logging In to Your Network
Once you have added both a user and a computer to your network, you will be able to log in with that username on the computer. At the login screen, simply type the username and password that you specified when you created the user. Before you try to log in, make sure the domain select box shows the name of the domain that you created. If you do not see a domain select box, there will be an Options button that adds this extra select box to your login dialog.
Managing the Users and Computers on Your Network
Microsoft has added another neat feature to Active Directory called Group Policy, which lets you manage what users can and cannot do on your computers. Group Policy tells the computer whether the user can access the Run menu or change the desktop wallpaper, or just about anything else a user could do that you want to control. You can specify one group policy for your whole domain and separate group policies for each organizational unit that you've created in your domain. This is a major advantage of using organizational units: you can specify different group policies for different users. Right-click on your domain or an organizational unit and go into Properties. Click on the Group Policy tab and it will give you a list of the group policies for the domain or OU. If there is already one there, click the Edit button; otherwise, click the New button to make a new one, and then edit it with the Edit button.
Once you are in the editor, open the User Configuration section on the left side. Click on the Administrative Templates section; it contains a number of subsections covering the different areas you can control. Just double-click on one of the settings, and you can either enable it, disable it, or leave it Not Configured. If Not Configured is selected, this policy does not enforce the setting and the value is inherited from the parent Group Policy, if one exists.
Let's make it so that your users cannot see the My Computer icon on their desktop. Go into the Desktop folder and double-click on "Remove My Computer icon on the desktop". Enable this policy and click OK. One final thing that you may need to do is refresh the policy so that it takes effect immediately. To do this, go to the command prompt and run gpupdate.
Conclusion
You now have a network up and running. Users can log in to computers and you can control their environment, so your network is fairly secure. You now have a platform on which you can start adding printers to the network and sharing folders for your users to access.