What is Active Directory, and how to install and configure the database. Installing Active Directory

over the participants of the Mobile World Congress exhibition. Company employees created three open Wi-Fi points at the airport near the stand for registration of exhibition visitors and gave them ordinary-looking names: “Starbucks”, “MWC Free WiFi” and “Airport_Free_Wifi_AENA”. In 4 hours, 2,000 people connected to these points.


As a result of the experiment, a report was compiled in which Avast employees analyzed the traffic of everyone who connected to the open Wi-Fi points. Personal information of 63% of those who connected was exposed: logins, passwords, email addresses, etc. If it were not for the report presented at the exhibition, the participants in the experiment would never have realized that someone had access to their data.


We connect to our company’s network from home, a hotel or a cafe without even realizing the damage we can cause to it.


According to statistical studies, more than 40 percent of company employees work remotely at least one day a week.


But it turns out that an employee working remotely over the Internet is much more vulnerable than a local user and poses a potential threat to the company. Therefore, the security of remote users must be given special attention.

Threats

Compared with a local office workplace, a remote workplace introduces three additional threat factors:

  1. The remote user is outside the organization's physical control. Proof is required that the person connecting to the corporate resource is a company employee and not an attacker.
  2. Remote user data travels over channels that are outside the organization's control. This data is subject to interception, unauthorized modification, and “mixing” with extraneous traffic.
  3. The company cannot provide physical security for a remote workplace. In addition, the computer being used may not meet the company's configuration requirements.

Therefore, when organizing remote access, three basic principles of information security must be observed:

  • confidentiality (important information should be available only to a limited number of persons);
  • integrity (changes to information leading to its loss or distortion must be prohibited);
  • availability (information should be available to authorized users when they need it).

How to protect remote access?

To organize the work of remote employees, you can use the following protection mechanisms:

  • a reliable means of user authentication (passwords, hardware devices, biometric data, etc.);
  • an access control system (centralized control of access to the company’s IT resources);
  • a means of building a VPN (hardware devices, software solutions, firewall extensions, etc.);
  • a means of countering attacks (protecting the internal network and employees from attacks).

We will talk about one of the protection mechanisms - VPN.

Why do you need a VPN?

A VPN connection provides a more secure connection to your corporate network and the Internet.

Areas of application of VPN:

  • Internet access;
  • access to the corporate network from outside;
  • unification of corporate network components.

Your company's network infrastructure can be prepared for VPN use using software or hardware.


There are a large number of paid and free VPN services.


Such services mainly operate on four protocols:

  1. IPsec, operating in transport and tunnel modes. In transport mode only the payload of the packet is encrypted; in tunnel mode the entire packet is encrypted.
  2. PPTP, a point-to-point tunneling protocol in which data is carried in PPP packets. These, in turn, are placed in IP packets and transmitted to their destination.
  3. L2TP, a layer-2 tunneling protocol running on two main nodes: the L2TP access concentrator (LAC) and the L2TP network server (LNS). The LAC is the device that terminates the call, while the LNS authenticates the PPP packets.
  4. TLS and SSL, cryptographic protocols that use a combination of authentication and encryption to exchange data between a server and a client.


There are also VPN services for corporate use. One of the most famous is OpenVPN. It is a secure and inexpensive solution.


Its advantages are:

  1. Security. The use of several cryptographic primitives (HMAC, 3DES, AES, RSA) and a 2048-bit key allows reliable encryption of all data.
  2. Flexibility. OpenVPN can establish a connection through a Proxy/SOCKS server, over various transport protocols, with forced blocking of the DHCP protocol, and through firewalls.
  3. It is supported by most devices, including the Apple iOS and Google Android platforms.

Is it possible to organize VPN connections without using third-party programs?

Sometimes there is no point in using third-party services when similar capabilities are built into the operating system.


We want to demonstrate how to set up a secure SSTP VPN connection using standard Windows features.


In this case the VPN connection is protected by traffic encryption using a digital certificate (SSL) provided by the VPN server. When establishing a VPN connection, the client operating system checks the VPN server certificate: in particular, whether the server certificate has been revoked, and whether the root certificate of the Certification Authority that issued the VPN server certificate can be trusted. That is why one of the requirements for a successful VPN connection using the SSTP protocol is the ability to automatically update the list of root certificates via the Internet.


SSTP is a modern and secure protocol. An additional benefit is its ability to work over the ubiquitously accessible HTTPS port (TCP 443), which is used for regular web browsing; in other words, an SSTP VPN connection will work over almost any Internet connection.

VPN and two-factor authentication

The VPN connection itself is encrypted. But using only a login and password for authentication to a VPN is not safe at all. There is a way out: two-factor authentication. It allows the user to confirm their identity in two ways. It is advisable to use a hardware device (a token or smart card) for it. Then, when establishing a VPN connection, the user will need not a password but the device itself and its PIN code.


The main advantage of a hardware device for VPN access is the uniqueness of the private key: the private key cannot be copied from the device or reproduced. After all, if the means of authentication is not unique, you cannot be sure that the user who has received access is the same user to whom this access was assigned.


With a password the situation is completely different. Anyone who deliberately or accidentally learns your password can use it without your knowledge, which means they can do whatever they want on behalf of the password owner. Such a situation is quite difficult to detect, especially if the attacker is technically savvy.

Setting up a VPN server

We'll start setting up a VPN connection by deploying a simple VPN server based on Windows Server 2012 R2.


Such a server, installed on standard equipment, can serve a small office network that needs remote connections for several dozen employees (30-50 people).

VPN server configuration

Let's open Server Manager and click on the link Add roles and features.


Let's choose the Remote Access role.



Let's select the DirectAccess and VPN (RAS) role service.



Click on the [Install] button. This starts the installation of the Remote Access role.



In the Remote Access initial setup wizard window, select Deploy VPN only.


After that we add the server. In the Routing and Remote Access window, select the Action menu and the Add Server item, then confirm the addition.


Right-click on the name of the added server and select Configure and Enable Routing and Remote Access.



Let's select the Custom configuration item.



As the custom configuration, we choose Virtual Private Network (VPN) Access.



Let's start the service by clicking on the [Start service] button.



The server is almost ready.


For our example, we use the simplest and most obvious method: we will set a static pool of addresses for 5 users.


Open the properties of the added server.



Let's select the Static address pool item and press the [Add] button.


In the New IPv4 Address Range window, enter the starting and ending IP addresses.


Click on the [Apply] button.


The remote access role is configured, now let's open the ports in the firewall.

Opening firewall ports

For the TCP protocol, let's open ports 1723 and 443.



For the UDP protocol, let's open ports 1701, 500 and 50.



At the next stage, we will configure the local security policy.

Setting up local security policy

Open the list of local security policies and select the User Rights Assignment item.



Select the policy Allow log on through Remote Desktop Services.


Click on the button [Add user or group].


Find the Domain Users group and add it.


Well, the penultimate step will be setting up access for specific users.

Setting up access for a specific user

Open Server Manager, select Tools, then Active Directory Users and Computers.


Find the required user, open their Properties, and on the Dial-in tab select the Allow access setting. Click on the [Apply] button.


And finally, let’s check whether remote access is allowed in the system properties.


To do this, open the system properties, select the Remote settings item and set the switch Allow remote connections to this computer.


That's all, the server setup is complete. Now let's set up a VPN connection on the computer that will be used for remote access.
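
The same server-side setup, as an added PowerShell example for Windows Server 2012 R2 (this is not code from the original article). The address pool 10.0.10.1 to 10.0.10.5, the certificate subject vpn.example.net and the user account ipetrov are assumed placeholder values; the server certificate is assumed to be already installed in the machine store.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on
# the Windows Server 2012 R2 machine that will become the VPN server.
# Placeholders: address pool 10.0.10.1-10.0.10.5, certificate for vpn.example.net,
# user account ipetrov.

# 1. Remote Access role with the "DirectAccess and VPN (RAS)" role service
#    (the Add Roles and Features steps of the article).
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. "Deploy VPN only": configure RRAS for VPN access and start the service.
Install-RemoteAccess -VpnType Vpn

# 3. Bind the server certificate that SSTP clients will validate (assumed to be
#    present in Cert:\LocalMachine\My already).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.example.net*' } |
    Select-Object -First 1
Set-RemoteAccess -SslCertificate $cert

# 4. Static address pool for five remote users, as in the article.
Set-VpnIPAddressAssignment -IPAddressAssignmentMethod StaticPool `
    -IPv4AddressRange @('10.0.10.1', '10.0.10.5')

# 5. Firewall. SSTP needs only TCP 443. The remaining rules correspond to the other
#    ports the article opens and are needed only if PPTP or L2TP/IPsec are also
#    offered; ESP (the "50" in the article) is IP protocol 50, not a UDP port.
New-NetFirewallRule -DisplayName 'VPN SSTP' -Direction Inbound -Protocol TCP -LocalPort 443  -Action Allow
New-NetFirewallRule -DisplayName 'VPN PPTP' -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Allow
New-NetFirewallRule -DisplayName 'VPN L2TP' -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Allow
New-NetFirewallRule -DisplayName 'VPN IKE'  -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
New-NetFirewallRule -DisplayName 'VPN ESP'  -Direction Inbound -Protocol 50 -Action Allow

# 6. Dial-in permission for one user (the "Allow access" setting on the Dial-in
#    tab), granted per user rather than to all Domain Users.
Import-Module ActiveDirectory
Set-ADUser -Identity 'ipetrov' -Replace @{ msNPAllowDialin = $true }

# 7. Verify: VPN status, effective address assignment and the RRAS service.
Get-RemoteAccess | Select-Object VpnStatus
Get-VpnIPAddressAssignment
Get-Service -Name RemoteAccess
```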

Setting up a VPN connection

Setting up a VPN on a Windows 10 computer is extremely simple. You will need the account information (login, password), the server IP address and an Internet connection. For hardware two-factor authentication, you will also need a token.


No additional programs need to be installed; Windows already has everything required.


Let's get started with the setup. As the hardware, I will use the Rutoken EDS PKI device for secure storage of keys and certificates.



To configure the connection, we need a certificate that contains the Smart Card Logon and Client Authentication policies.


We have already described the process of creating such a certificate (see the linked description).


Let's open the Network and Sharing Center window and click on the link Create and configure a new connection or network.



The Set up a connection or network window will open. Select the Connect to a workplace item and click on the [Next] button.




In the Internet address field, enter the VPN server address.


In the Destination name field, enter the name of the VPN connection.


Check the Use a smart card box and press the [Create] button.



The VPN connection has been created. But we need to change its parameters.


Let's open the Network and Sharing Center window again and click on the link Change adapter settings.



In the Network Connections window, right-click on the name of the created VPN connection and select Properties.



Let's go to the Security tab and select the required options.


These VPN connection settings are enough to connect successfully to the specified network over a secure VPN protocol. However, once the VPN connection is established, all of the computer's network traffic will by default be sent to the gateway of the specified network. This may mean that, while connected to the VPN, Internet resources are unreachable. To avoid this problem, go to the Networking tab, click on the line Internet Protocol Version 4 (TCP/IPv4) and press the [Properties] button.


On the IPv4 properties page, click on the [Advanced] button.


Uncheck the Use default gateway on remote network box.


We will confirm all changes made. The setup process is complete.


Now let's check the connection.


In the taskbar, click on the Internet access icon and select the created VPN connection. The Settings window will open.


Click on the name of the VPN connection and press the button Connect.



Enter the token PIN and click on the button [OK].



As a result, the created VPN connection will be established.


To check the status of the VPN connection, open the Network Connections window and find the created connection. Its status should be “Connected”.


To disconnect the VPN connection, in the same window, find the created connection, right-click on its name and select Connect/Disconnect.
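
The client-side steps above, as an added PowerShell example built with the Windows 10 VpnClient cmdlets (this is not code from the original article). The server name vpn.example.net and the connection name 'Office VPN' are placeholders, and the smart card (EAP) settings are assumed to be taken from a reference connection named 'Reference VPN' that was created once in the GUI as the article describes, because those settings are passed as an EAP XML document rather than as a simple parameter.

```powershell
# Added example, not from the original article. Creates the SSTP connection from
# the article on a Windows 10 client with the VpnClient cmdlets.
# Placeholders: server vpn.example.net, connection name 'Office VPN'.
# Assumption: the smart card (EAP-TLS) configuration is copied from a reference
# connection 'Reference VPN' created once through the GUI as shown above.

$name   = 'Office VPN'
$eapXml = (Get-VpnConnection -Name 'Reference VPN').EapConfigXmlStream

# "Connect to a workplace" with SSTP and smart card authentication. Credentials are
# deliberately not remembered: the token and its PIN are the second factor.
Add-VpnConnection -Name $name -ServerAddress 'vpn.example.net' -TunnelType Sstp `
    -AuthenticationMethod Eap -EapConfigXmlStream $eapXml `
    -EncryptionLevel Required -RememberCredential:$false

# Equivalent of unchecking "Use default gateway on remote network": only traffic for
# the corporate network goes through the tunnel, Internet traffic stays local.
Set-VpnConnection -Name $name -SplitTunneling $true

# Check the resulting settings before connecting.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, ConnectionStatus

# Connect (Windows prompts for the token PIN), check the status, then hang up.
rasphone -d $name
(Get-VpnConnection -Name $name).ConnectionStatus   # "Connected" once established
rasphone -h $name
```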

Let's summarize

Once the VPN connection is established, all traffic begins to flow through the VPN server.


The reliability of VPN traffic protection lies in the fact that even if attackers somehow intercept the transmitted data, they still will not be able to use it, since the data is encrypted.


And if you also install and configure special traffic-monitoring applications, you will be able to filter the traffic, for example to check it automatically for viruses.


I hope we were able to convince you that a VPN is simple, affordable and, most importantly, secure!

Active Directory (AD) is a directory service for the Microsoft Windows Server operating system. It originally grew out of a lightweight protocol for accessing user directories (LDAP). Starting with Windows Server 2008, integration with authorization services appeared.

It makes it possible to apply group policy, which enforces uniform settings and software on all managed PCs, together with System Center Configuration Manager.

In simple terms, for beginners, it is a server role that lets you manage all access and permissions on your local network from one place.

Functions and purposes

Microsoft Active Directory (the so-called directory) is a package of tools that allows you to manage users and network data. Its primary purpose is to make the work of system administrators in large networks easier.

Directories contain various information about users, groups, network devices and file resources, in a word, objects. For example, the user attributes stored in the directory include address, login, password, mobile phone number, etc. The directory serves as an authentication point from which the necessary information about a user can be obtained.

Basic concepts encountered during work

There are a number of specialized concepts that are used when working with AD:

  1. A server is a computer that holds all the data.
  2. A controller is a server with the AD role that processes requests from users of the domain.
  3. An AD domain is a collection of devices united under one unique name and sharing a common directory database.
  4. The data store is the part of the directory responsible for storing and retrieving data on any domain controller.

How active directories work

The main operating principles are:

  • Authentication and authorization: you can use any PC on the network simply by entering your personal password. In this case, all information from the account is carried over.
  • Security. Active Directory contains user identification functions. For any network object you can remotely, from one device, set the necessary rights, which depend on categories and on specific users.
  • Network administration from one point. When working with Active Directory, the system administrator does not need to reconfigure every PC in order to change access rights, for example to a printer. Changes are applied remotely and globally.
  • Full DNS integration. Thanks to it there is no confusion in AD: all devices are named exactly as they are on the Internet.
  • Large scale. A set of servers can be controlled by one Active Directory.
  • Search by various parameters, for example computer name or login.

Objects and Attributes

An object is a set of attributes, united under its own name, that represents a network resource.

An attribute is a characteristic of an object in the directory. For a user, for example, these include the full name and login; the attributes of a computer account can be the name of the computer and its description.

“Employee” is an object that has the attributes “Name”, “Position” and “TabN”.

LDAP container and name

A container is a type of object that can contain other objects. A domain, for example, may include account objects.

The main purpose of containers is to organize objects by their attributes. Most often, containers are used to group objects with the same attributes.

Almost all containers represent a collection of objects, and resources are represented by a unique Active Directory object. One of the main types of AD container is the organizational unit (OU). Objects placed in this container belong only to the domain in which they were created.

Lightweight Directory Access Protocol (LDAP) is the basic protocol for accessing directory services over TCP/IP connections. It is designed to simplify access to directory services. LDAP also defines the operations used to query and edit directory data.

Tree and site

A domain tree is a structure, a collection of domains that share a common schema and configuration, form a common namespace and are bound by trust relationships.

A domain forest is a collection of trees connected to each other.

A site is a collection of devices in IP subnets that represents the physical layout of the network, which is planned independently of its logical structure. Active Directory allows you to create any number of sites or to combine any number of domains under one site.

Installing and configuring Active Directory

Now let's move directly to setting up Active Directory, using Windows Server 2008 as an example (the procedure is identical on other versions):

Click on the “OK” button. It is worth noting that such values are not required. You can use the IP address and DNS from your network.

  • Next, go to the “Start” menu, select “Administration” and “”.
  • Go to the “Roles” item and select “Add roles”.
  • Select “Active Directory Domain Services”, click “Next” twice, and then “Install”.
  • Wait for the installation to complete.
  • Open the “Start” menu, then “Run”. Enter dcpromo.exe in the field.
  • Click “Next”.
  • Select “Create a new domain in a new forest” and click “Next” again.
  • In the next window, enter a name and click “Next”.
  • Choose the compatibility (functional) mode (Windows Server 2008).
  • In the next window, leave everything as default.
  • The DNS configuration window will appear. Since DNS had not been used on the server before, no delegation was created.
  • Select the installation directory.
  • After this step you need to set the administrator password.

To be secure, the password must meet the following requirements:


After AD completes the component configuration process, you must reboot the server.



The setup is complete: the snap-in and role are installed on the system. AD can only be installed on the Windows Server family; regular versions, such as 7 or 10, only allow installation of the management console.

Administration in Active Directory

By default, in Windows Server, the Active Directory Users and Computers console works with the domain to which the computer belongs. You can access the computer and user objects of this domain through the console tree, or connect to another controller.

The tools in the same console allow you to view additional properties of objects and search for them; you can create new users and groups and change permissions.

By the way, there are two types of groups in Active Directory: security and distribution. Security groups are responsible for delimiting access rights to objects; they can also be used as distribution groups.

Distribution groups cannot delimit rights and are used primarily for distributing messages on the network.

What is AD delegation

Delegation is the transfer of part of the permissions and control from the parent to another responsible party.

It is known that every organization has several system administrators at its headquarters, and different tasks should rest on different shoulders. In order to apply changes, you must have rights and permissions, which are divided into standard and special. Special permissions apply to a specific object, while standard permissions are a set of existing permissions that make specific features available or unavailable.

Establishing trust

There are two types of trust relationships in AD: “one-way” and “two-way”. In the first case, one domain trusts the other but not vice versa; accordingly, the first has access to the resources of the second, but the second has no access to the first. In the second type, the trust is “mutual”. There are also “outgoing” and “incoming” relationships. In an outgoing trust, the first domain trusts the second, thus allowing users of the second to use the resources of the first.

When establishing a trust, the following steps should be followed:

  • Check the network connections between the controllers.
  • Check the settings.
  • Configure name resolution for the external domains.
  • Create the connection from the trusting domain.
  • Create the connection from the side of the controller to which the trust is addressed.
  • Check the created one-way relationships.
  • If a two-way relationship is needed, set it up.

Global catalog

This is a domain controller that stores copies of all objects in the forest. It gives users and programs the ability to search for objects in any domain of the current forest using the attributes included in the global catalog.

The global catalog (GC) includes a limited set of attributes for each object of every domain in the forest. It receives data from all domain directory partitions in the forest, copied using the standard Active Directory replication process.

The schema determines whether an attribute is copied. Additional attributes can be configured for replication to the global catalog using the “Active Directory Schema” snap-in. To add an attribute to the global catalog, select the attribute and use the option to replicate it to the global catalog. The attribute's isMemberOfPartialAttributeSet parameter will then become true.

To find out where the global catalog is located, enter on the command line:

dsquery server -isgc

Data replication in Active Directory

Replication is the copying procedure that keeps the information held on every controller equally up to date.

It runs without operator involvement. There are the following types of replicated content:

  • Data replicas, created for all existing domains.
  • Schema replicas. Since the schema is the same for all objects in the Active Directory forest, replicas of it are maintained across all domains.
  • Configuration data, which describes the replication topology among the controllers. This information is distributed to all domains in the forest.

The main types of replication are intra-site and inter-site.

In the first case, after a change the system waits briefly and then notifies its partners to replicate the change. Even in the absence of changes, replication occurs automatically after a certain period of time. Critical changes to the directory are replicated immediately.

Inter-site replication is scheduled for periods of minimal network load, which avoids information loss.

Active Directory is a Microsoft directory service for the Windows NT family of operating systems.

This service allows administrators to use group policies to ensure uniformity of user work environment settings, software installations, updates, etc.

What is the essence of Active Directory and what problems does it solve? Read on.

Principles of organizing peer-to-peer and multi-peer networks

But another problem arises: what if user2 on PC2 decides to change their password? Then, if user1 changes the account password, user2 on PC1 will not be able to access the resource.

Another example: we have 20 workstations with 20 accounts to which we want to provide access to a certain . To do this, we must create 20 accounts on the file server and provide access to the required resource.

What if there are not 20 but 200 of them?

As you can see, network administration with this approach turns into absolute hell.

Therefore, the workgroup approach is suitable for small office networks with no more than 10 PCs.

If there are more than 10 workstations in the network, the approach in which one network node is delegated the right to perform authentication and authorization becomes justified.

This node is the domain controller - Active Directory.

Domain Controller

The controller stores a database of accounts, i.e. it stores accounts for both PC1 and PC2.

Now all accounts are registered once on the controller, and the need for local accounts becomes meaningless.

Now, when a user logs into a PC and enters their username and password, this data is transferred in protected form to the domain controller, which performs the authentication and authorization procedures.

Afterwards, the controller issues the logged-in user something like a passport, which they subsequently use on the network and present on request to other computers and servers whose resources they want to access.

Important! A domain controller is a computer running Active Directory that controls user access to network resources. It stores resources (e.g. printers, shared folders), services (e.g. email), people (user and user group accounts) and computers (computer accounts).

The number of such stored resources can reach millions of objects.

The following versions of MS Windows can act as a domain controller: Windows Server 2000/2003/2008/2012, except the Web Edition.

The domain controller, in addition to being the authentication center for the network, is also the control center for all computers.

Immediately after turning on, the computer begins to contact the domain controller, long before the authentication window appears.

Thus, not only the user entering the login and password is authenticated, but also the client computer is authenticated.

Installing Active Directory

Let's look at an example of installing Active Directory on Windows Server 2008 R2. So, to install the Active Directory role, go to “Server Manager”:

Add the role “Add Roles”:

Select the Active Directory Domain Services role:

And let's start the installation:

After which we receive a notification window about the installed role:

After installing the domain controller role, let's proceed to installing the controller itself.

Click “Start”, enter the name of the DCPromo wizard in the program search field, launch it and check the box for advanced installation settings:

Click “Next” and choose to create a new domain and forest from the options offered.

Enter the domain name, for example, example.net.

Enter the NetBIOS domain name, without the DNS suffix:

Select the functional level of our domain:

Because of the way a domain controller works, we also install a DNS server.

The locations of the database, log file, and system volume are left unchanged:

Enter the domain administrator password:

Check that everything is filled in correctly and, if so, click “Next”.

After this, the installation process will begin, at the end of which a window will appear informing you that the installation was successful:
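
The forest creation described in both installation walkthroughs above (the dcpromo wizard on Windows Server 2008 and 2008 R2), as an added PowerShell example using the ADDSDeployment cmdlets that replaced dcpromo in Windows Server 2012 and later (this is not code from the original article). The domain name example.net is taken from the article; the NetBIOS name EXAMPLE, the functional level and the paths are assumed defaults.

```powershell
# Added example, not from the original article. Equivalent of the dcpromo steps
# above with the ADDSDeployment module (Windows Server 2012 and later).
# The domain name example.net is from the article; EXAMPLE, the functional level
# and the paths are assumed defaults.

# 1. Role "Active Directory Domain Services" (Server Manager > Add Roles).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# 2. Directory Services Restore Mode password (the "administrator password" step),
#    entered interactively so that it is never stored in the script.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# 3. Prerequisite check, the equivalent of the summary page before installation.
Test-ADDSForestInstallation -DomainName 'example.net' -DomainNetbiosName 'EXAMPLE' `
    -ForestMode Win2008R2 -DomainMode Win2008R2 -InstallDns `
    -SafeModeAdministratorPassword $dsrm

# 4. New forest and new domain, DNS server included, default paths, reboot when done.
Install-ADDSForest -DomainName 'example.net' -DomainNetbiosName 'EXAMPLE' `
    -ForestMode Win2008R2 -DomainMode Win2008R2 -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Force

# 5. After the reboot: confirm the controller, its FSMO roles and global catalog status.
Get-ADDomainController |
    Select-Object HostName, Domain, Forest, IsGlobalCatalog, OperationMasterRoles
```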

Introduction to Active Directory

The report discusses two types of computer networks that can be created using operating systems Microsoft: workgroup and Active Directory domain.

Active Directory is an extensible and scalable directory service that allows you to manage network resources effectively.
Active Directory is a hierarchically organized repository of data about network objects, providing convenient means for searching and using this data. The computer that runs Active Directory is called a domain controller. Almost all administrative tasks are related to Active Directory.
Active Directory technology is based on standard Internet protocols and helps to clearly define the structure of the network.

Active Directory and DNS

Active Directory uses the domain name system.

Active Directory Administration

Using the Active Directory service, computer accounts are created, connected to the domain, and computers, domain controllers, and organizational units (OUs) are managed.

Administration and support tools are provided to manage Active Directory. The tools listed below are implemented as snap-ins for the MMC console (Microsoft Management Console):

  • Active Directory Users and Computers allows you to manage users, groups, computers and organizational units (OUs);
  • Active Directory Domains and Trusts is used to work with domains, domain trees and domain forests;
  • Active Directory Sites and Services allows you to manage sites and subnets;
  • Resultant Set of Policy is used to view the current policy of a user or system and to plan changes to the policy.

In Microsoft Windows Server 2003, you can access these snap-ins directly from the Administrative Tools menu.

Another administrative tool, the Active Directory Schema snap-in, allows you to manage and modify the directory schema.

Active Directory Command Line Utilities

To manage Active Directory objects, there are command line tools that cover a wide range of administrative tasks:

  • DSADD adds computers, contacts, groups, OUs and users to Active Directory.
  • DSGET displays properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.
  • DSMOD changes the properties of computers, contacts, groups, OUs, users and servers registered in Active Directory.
  • DSMOVE moves a single object to a new location within a domain or renames the object without moving it.
  • DSQUERY searches for computers, contacts, groups, OUs, users, sites, subnets and servers in Active Directory according to specified criteria.
  • DSRM removes an object from Active Directory.
  • NTDSUTIL allows you to view information about a site, domain or server, manage operations masters and maintain the Active Directory database.
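
A short administrative session with the DS command-line tools listed above, as an added PowerShell example (this is not code from the original article); it also covers the global catalog check from the “Global catalog” section. It assumes a domain member or controller with the AD DS tools installed; the domain example.net, the Sales OU, the holding OU “Former employees” and the user Ivan Petrov (ipetrov) are placeholders.

```powershell
# Added example, not from the original article. Run from PowerShell on a machine
# with the AD DS command-line tools. Placeholders: domain example.net, OU Sales,
# OU "Former employees", user Ivan Petrov (ipetrov).

$domainDn = 'DC=example,DC=net'
$salesOu  = "OU=Sales,$domainDn"
$userDn   = "CN=Ivan Petrov,$salesOu"

# DSADD: an OU and a user inside it. "-pwd *" prompts for the password instead of
# leaving it in the command history; "-mustchpwd yes" forces a change at first logon.
dsadd ou $salesOu -desc 'Sales department'
dsadd user $userDn -samid 'ipetrov' -upn 'ipetrov@example.net' -fn 'Ivan' -ln 'Petrov' `
    -display 'Ivan Petrov' -pwd * -mustchpwd yes

# DSQUERY piped into DSGET: find the user by name and show the attributes an
# administrator usually checks.
dsquery user -name 'Ivan*' | dsget user -samid -upn -disabled -pwdneverexpires -mustchpwd

# All users under the OU (subtree scope, no result limit).
dsquery user $salesOu -scope subtree -limit 0

# Two routine hygiene checks: accounts unused for 4 weeks, and accounts whose
# password has not been changed for 90 days.
dsquery user -inactive 4
dsquery user -stalepwd 90

# DSMOD: disable the account when the employee leaves.
dsmod user $userDn -disabled yes

# DSMOVE: move the disabled account to a holding OU (assumed to exist).
dsmove $userDn -newparent "OU=Former employees,$domainDn"

# DSQUERY server: which controllers hold the global catalog, and their sites.
dsquery server -isgc | dsget server -dnsname -site

# DSRM permanently deletes an object; shown commented out on purpose.
# dsrm "CN=Ivan Petrov,OU=Former employees,$domainDn" -noprompt
```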

Active Directory provides system management services. They are a much better alternative to local groups and allow you to build computer networks with effective management and reliable data protection.

If you have not previously encountered the concept of Active Directory and do not know how such services work, this article is for you. Let's figure out what this concept means, what the advantages of such databases are, and how to create and configure them for initial use.

Active Directory is a very convenient way of managing a system. Using Active Directory, you can manage your data effectively.

These services allow you to create a single database managed by domain controllers. If you own a business, manage an office, or generally control the activities of many people who need to be united, such a domain will be useful to you.

It includes all objects: computers, printers, faxes, user accounts, etc. The set of domains on which the data is located is called a “forest”. The Active Directory database is a domain environment in which the number of objects can reach 2 billion. Can you imagine that scale?

That is, with the help of such a “forest” or database, you can connect a large number of employees and equipment in an office, and without being tied to a location - other users can also be connected in the services, for example, from a company office in another city.

In addition, within the framework of Active Directory services, several domains are created and combined - the larger the company, the more tools are needed to control its equipment within the database.

Further, when creating such a network, one controlling domain is determined, and even with the subsequent presence of other domains, the original one still remains “parent” - that is, only it has full access to information management.

Where is this data stored, and what ensures the existence of domains? To create Active Directory, controllers are used. Usually there are two of them - if something happens to one, the information will be saved on the second controller.

Another option for using the database is if, for example, your company cooperates with another, and you have to perform general project. In this case, unauthorized persons may need access to domain files, and here you can set up a kind of “relationship” between two different “forests”, allowing access to the required information without risking the security of the remaining data.

In general, Active Directory is a tool for creating a database within a certain structure, regardless of its size. Users and all equipment are united into one “forest”, domains are created and placed on controllers.

It is also advisable to clarify that services can only operate on devices with server Windows systems. In addition, 3-4 DNS servers are created on the controllers. They serve the main zone of the domain, and if one of them fails, other servers replace it.

After brief overview Active Directory for dummies, you are naturally interested in the question - why change a local group for an entire database? Naturally, the field of possibilities here is many times wider, and in order to find out other differences between these services for system management, let’s take a closer look at their advantages.

Benefits of Active Directory

The advantages of Active Directory are:

  1. Use of a single resource for authentication. Without it, you need to add to each PC all the accounts that require access to shared information. The more users and equipment there are, the harder it is to keep this data synchronized between them.

Whereas when using services with a database, accounts are stored in one place, and changes take effect immediately on all computers.

How does it work? Each employee, coming to the office, starts the system and logs into their account. The login request is automatically sent to the server, and authentication takes place through it.

For a certain order in record keeping, you can always divide users into groups, such as “HR Department” or “Accounting”.

In this case, it is even easier to grant access to information: if you need to open a folder to employees of one department, you do this through the database. Together they gain access to the required folder with data, while for others the documents remain closed.

  2. Control over each database participant.

While in a local group each member is independent and difficult to control from another computer, in domains you can set certain rules that comply with company policy.

As a system administrator, you can define access and security settings and then apply them to each user group. Naturally, depending on the hierarchy, some groups can be given stricter settings, while others can be given access to other files and actions in the system.

In addition, when a new person joins the company, their computer immediately receives the necessary set of settings, including the components needed for work.

  3. Versatility in software installation.

Speaking of components: using Active Directory you can assign printers, install the necessary programs for all employees at once, and set privacy settings. In general, creating a database will significantly streamline work, help monitor security and unite users for maximum efficiency.

And if a company runs a separate utility or special services, they can be synchronized with the domains and access to them simplified. How? If you combine all the products used in the company, an employee will not need to enter different logins and passwords for each program; this information will be shared.

Now that the benefits and purpose of using Active Directory are clear, let's look at the process of installing these services.

Using the database on Windows Server 2012

Installing and configuring Active Directory is not a difficult task; it is easier than it seems at first glance.

Before loading the services, you first need to do the following:

  1. Change the computer name: click “Start”, open Control Panel, select “System”. Select “Change settings” and, in Properties, next to the “Computer name” line, click “Change” and enter a new value for the main PC.
  2. Reboot your PC as required.
  3. Set the network settings as follows:
    • Through the Control Panel, open the Network and Sharing Center.
    • Adjust the adapter settings: right-click, choose “Properties” and open the “Network” tab.
    • In the list, click “Internet Protocol Version 4”, then click “Properties” again.
    • Enter the required settings, for example: IP address 192.168.10.252, subnet mask 255.255.255.0, default gateway 192.168.10.1.
    • In the “Preferred DNS server” line, specify the address of the local server; in “Alternate...”, other DNS server addresses.
    • Save your changes and close the windows.
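The same preparation steps can be done from an elevated PowerShell session instead of the Control Panel dialogs. This is an added example, not part of the original article: it reuses the article's example addressing, while the adapter alias `Ethernet`, the new host name `DC01` and the alternate DNS address `192.168.10.253` are assumptions.

```powershell
# Added example: computer rename and static network configuration for the future
# domain controller, done with the NetTCPIP and DnsClient cmdlets.
# Adapter alias, host name and the alternate DNS address are assumed values.

$Adapter   = "Ethernet"
$NewName   = "DC01"
$IPAddress = "192.168.10.252"
$Prefix    = 24                  # 255.255.255.0 as a prefix length
$Gateway   = "192.168.10.1"

# Step 1: rename the computer (the new name applies after the reboot in step 2).
Rename-Computer -NewName $NewName -Force

# Step 3: replace any DHCP-assigned address with a static one.
# A domain controller needs a fixed address so clients and DNS records stay consistent.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled

# Remove an existing IPv4 address and default route, if any, so New-NetIPAddress does not fail.
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress `
    -PrefixLength $Prefix -DefaultGateway $Gateway

# Preferred DNS server: the local server itself (it will host the domain zone after promotion).
# Alternate DNS server: another DNS server; the address here is a placeholder.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses ($IPAddress, "192.168.10.253")

# Verify the result before rebooting.
Get-NetIPConfiguration -InterfaceAlias $Adapter

# Step 2: reboot so the new computer name takes effect.
Restart-Computer -Force
```

Clearing the old address and route first matters in practice: `New-NetIPAddress` refuses to add a second default gateway on the same interface, which is the usual reason this step fails on a machine that previously got its address from DHCP.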

Set up the Active Directory roles as follows:

  1. Through Start, open Server Manager.
  2. From the menu, select Add Roles and Features.
  3. The wizard will launch; you can skip the first window with the description.
  4. Check the “Installing roles and components” option and proceed.
  5. Select your computer to install Active Directory on it.
  6. From the list, select the role that needs to be loaded; in your case it is “Active Directory Domain Services”.
  7. A small window will appear asking you to add the components required for the services; accept it.
  8. You will then be prompted to install other components; if you don’t need them, just skip this step by clicking “Next”.
  9. The setup wizard will display a window with descriptions of the services you are installing; read it and move on.
  10. A list of the components to be installed will appear; check that everything is correct and, if so, press the appropriate button.
  11. When the process is complete, close the window.
  12. That's it: the services are installed on your computer.

Setting up Active Directory

To configure the domain service you need to do the following:

  • Launch the configuration wizard of the same name.
  • Click the yellow notification icon at the top of the window and select “Promote this server to a domain controller”.
  • Click “Add a new forest”, enter a name for the root domain, then click Next.
  • Specify the operating modes (functional levels) of the “forest” and the domain; most often they coincide.
  • Create a password, and be sure to remember it. Continue.
  • After this, you may see a warning that the domain is not delegated and a prompt to check the domain name; you can skip these steps.
  • In the next window you can change the paths to the database directories; do this if they do not suit you.
  • You will now see all the options you are about to apply; check that you have selected them correctly and move on.
  • The application will check whether the prerequisites are met, and if there are no remarks, or they are not critical, click “Install”.
  • After installation is complete, the PC will reboot on its own.
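The role installation above and this promotion are one continuous procedure, so here is an added example (not from the original article) that performs both from an elevated PowerShell session with the `ServerManager` and `ADDSDeployment` modules that ship with Windows Server 2012. The password the wizard asks you to create is the Directory Services Restore Mode password; the example reads it interactively rather than storing it in the script. The domain name `corp.example.local`, the NetBIOS name `CORP` and the directory paths are assumptions.

```powershell
# Added example: install the AD DS role, then promote the server to the first
# domain controller of a new forest. Domain name, NetBIOS name and paths are assumed.

Import-Module ServerManager

# Steps 1-12 of the role installation: AD DS plus its management tools
# (Active Directory Users and Computers, the ActiveDirectory PowerShell module, etc.).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The password the wizard asks you to "create and remember" is the Directory Services
# Restore Mode password. Prompt for it so it never sits in a script file or shell history.
$SafeModePassword = Read-Host -Prompt "Directory Services Restore Mode password" -AsSecureString

Import-Module ADDSDeployment

# Same prerequisite check the wizard performs before the "Install" button becomes active.
Test-ADDSForestInstallation -DomainName "corp.example.local" `
    -SafeModeAdministratorPassword $SafeModePassword

# Create the forest. Forest and domain functional levels are set to the same value,
# matching the article's note that they usually coincide. The paths correspond to the
# "database directories" window of the wizard. The server reboots by itself when done.
Install-ADDSForest `
    -DomainName "corp.example.local" `
    -DomainNetbiosName "CORP" `
    -ForestMode "Win2012" `
    -DomainMode "Win2012" `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $SafeModePassword `
    -NoRebootOnCompletion:$false `
    -Force
```

`Test-ADDSForestInstallation` reports the same warnings the wizard shows (for example, the non-delegated DNS zone the article mentions), so it is worth reading its output before the real run; `-Force` only suppresses the confirmation prompts, not the prerequisite check.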

You may also be wondering how to add a user to the database. To do this, use the “Active Directory Users and Computers” console, which you will find in the “Administration” section of the Control Panel, or use the database settings menu.

To add a new user, right-click the domain name, select “Create”, then “Division” (an organizational unit, OU). A window will appear where you need to enter the name of the new department; it serves as a folder in which you can group users by department. In the same way, you will later create several more divisions and place all employees correctly.

Next, once you have created the department, right-click it and select “Create”, then “User”. Now all that remains is to enter the necessary data and set the user's access settings.

When the new profile has been created, right-click it and open “Properties”. In the “Account” tab, clear the checkbox next to “Block...”. That's all.

The general conclusion is that Active Directory is a powerful and useful system management tool that will help unite all employee computers into one team. Using its services, you can create a secure database and significantly streamline work and the synchronization of information between all users. If the activities of your company, or any other workplace, involve computers and a network, and you need to consolidate accounts and monitor performance and privacy, installing an Active Directory-based database will be a great solution.
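The OU and user creation described above can also be scripted with the `ActiveDirectory` module that comes with the management tools. This is an added example, not the article's own material: the OU name `Accounting`, the user `Ivan Petrov` / `ipetrov` and the UPN suffix `corp.example.local` are assumptions, and the initial password is prompted for rather than written into the script.

```powershell
# Added example: create a department OU and a user inside it, the scripted
# equivalent of "Create -> Division" and "Create -> User". Names are assumed values.

Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=corp,DC=example,DC=local
$OuName   = "Accounting"
$OuDN     = "OU=$OuName,$DomainDN"

# Create the department OU if it does not already exist. Protection from accidental
# deletion means a stray delete in the console fails instead of removing the whole department.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# Prompt for the initial password instead of embedding it in the script.
$InitialPassword = Read-Host -Prompt "Initial password for ipetrov" -AsSecureString

# Create the user in the OU. -Enabled corresponds to the "Block..." checkbox on the
# Account tab; -ChangePasswordAtLogon forces the person to replace the initial password.
New-ADUser -Name "Ivan Petrov" `
    -GivenName "Ivan" -Surname "Petrov" `
    -SamAccountName "ipetrov" `
    -UserPrincipalName "ipetrov@corp.example.local" `
    -Path $OuDN `
    -AccountPassword $InitialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Equivalent of clearing the "Block..." checkbox for an account that was created disabled.
Enable-ADAccount -Identity "ipetrov"

# Verify placement and state.
Get-ADUser -Identity "ipetrov" -Properties Enabled, PasswordLastSet |
    Select-Object DistinguishedName, Enabled, PasswordLastSet
```

Creating the account with `-Enabled $true` and a password in one call avoids the intermediate state the wizard leaves behind (an enabled account without a password is not allowed, so `New-ADUser` without `-AccountPassword` creates a disabled one); `Enable-ADAccount` is included to show the explicit counterpart of the checkbox.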
