Page en:services:network_services:active_directory:start, revision 2021/07/30 13:36 (current, kgermer, section "Outside the GÖNET"); previous revision 2020/10/22 11:23 (0nkopp1, section "Connection to Active Directory").
====== Active Directory ======

===== GWDG's Active Directory =====

The Active Directory forest (AD for short) originated in GWDG's PC network and has evolved steadily over the years. Its structure is divided into several domains. A domain is an organizational construct that manages computers and users and connects them with each other. Such integration enables centralized administration and the use of shared resources. Administrative privileges can also be delegated to parts of a domain, so-called Organizational Units (OUs), so that an institute's administrators only hold rights over their own computers and users rather than over the whole domain.

The most significant feature of the Active Directory structure is single sign-on: a user authenticates once and can then access all hosts and services they are entitled to without logging in again each time. By default, each user has exactly one account. If a person has multiple roles in the system, they can use multiple accounts; an administrator, for example, has a separate administrator account in addition to their normal user account, so that everyday work is not done with administrative privileges.

The aim is to make access to resources on the network easier for users through centralized management of user IDs, computers and printers. At the same time, this reduces the workload of the IT staff responsible in the institutes and improves the support GWDG can give them.

==== Our AD-specific services ====

  * [[en:services:storage_services:file_service:start|File Services]]: Every user has a directory on GWDG's file server for storing their data, which is backed up daily. On request, shared data areas are set up for institutes or departments.
  * [[en:services:general_services:print_scan_services:start|Printing Services]]: Print documents selectively on GWDG's special-purpose printers or on the institute's printers.
  * [[en:services:email_collaboration:email_service:start|Exchange]]: shared e-mail, calendar and address book.
  * [[en:services:email_collaboration:ms_sharepoint:start|SharePoint]]: document- and information-centred collaboration for workgroups.
  * [[workplace environment|The workplace environment]]: The institutes base their setup on our standard Windows workstation. To ease the management of workstations, techniques such as Microsoft Windows Server Update Services (WSUS), Sophos Enterprise Console and the central software distribution are used.

<WRAP center round important 85%>
When using Windows computers in the Active Directory, it is generally recommended to **not store any data on the desktop** and to **shut down the computer completely at the end of each working day**. Both are needed for the backup and update mechanisms to work correctly.
</WRAP>

==== Connection to Active Directory ====
=== Inside the GÖNET ===
GWDG's Active Directory is reachable for users and computers throughout the [[en:services:network_services:goenet:start|GÖNET]]. In the institutes, users can log in directly to devices managed in the Active Directory with their GWDG account. During login, the familiar working environment is loaded from the user profile belonging to the GWDG ID, which is stored on the [[en:services:storage_services:file_service:fileservice_ad:personal_drive|Personal Drive]] of the user account. In addition, device and user settings (so-called //group policies//) are retrieved from the Active Directory and applied during login. All important settings are therefore in place before work starts on the device, and the user finds the familiar working environment.

=== Outside the GÖNET ===

If a device leaves the institute and is used from outside the GÖNET, however, no connection to the Active Directory can be established at the next login. The consequences are long waits during the login process and temporary profiles, because the personal drive cannot be reached. For these cases, GWDG provides a [[en:services:network_services:vpn:start|VPN solution]] based on the VPN client AnyConnect that can be used before the user logon (so-called //device VPN//). The software establishes the connection between the device and the Active Directory, and the login then works as usual: the logon is processed by a domain controller instead of falling back to cached credentials, and the profile and group policies are loaded just as inside the GÖNET. Institute administrators can activate this VPN solution via policy; no manual installation on the device is required.

After activation, an additional icon appears in the lower right corner of the Windows login screen.

{{ :en:services:network_services:active_directory:ad-device-vpn_0.jpg?direct |}}

One click opens the AnyConnect window. Here a connection to GWDG's VPN service via vpn.gwdg.de (or one of the alternative access points, see the [[en:services:network_services:vpn:start|Overview]]) can be established.

{{ :en:services:network_services:active_directory:ad-device-vpn_1.jpg?direct |}}

GWDG login credentials are required to establish the connection. Use the same account that will subsequently be used to log on to the Windows PC.

{{ :en:services:network_services:active_directory:ad-device-vpn_2.jpg?direct |}}

Once the VPN connection is established, continue with the user login as usual.
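The following PowerShell diagnostic is an added example for troubleshooting the symptoms described above (no domain controller reachable, logon with cached credentials, temporary profile). It is not part of this page and not GWDG's own tooling. It takes the domain from the computer's own membership, uses the VPN host vpn.gwdg.de named above, and assumes TCP port 443 for the VPN head end and the service name ''vpnagent'' for the AnyConnect agent; those two are assumptions and may differ in a given installation. Run it in an elevated PowerShell session on the domain-joined client after logging in (''Test-ComputerSecureChannel'' requires administrative rights).

```powershell
# Added diagnostic for the "device outside the GÖNET" situation. Not GWDG code.
# Assumptions (marked below): AnyConnect agent service is named "vpnagent";
# the VPN head end vpn.gwdg.de (from the page) listens on TCP 443.

function Test-AdConnectivity {
    [CmdletBinding()]
    param(
        [string]$VpnHost = 'vpn.gwdg.de',   # from the page
        [int]$VpnPort = 443                  # assumption
    )
    $result = [ordered]@{}

    # 1. Which domain is this machine joined to, and can it locate a domain controller?
    #    Off the GÖNET without the device VPN this fails and Windows logs you on
    #    with cached credentials instead of contacting a DC.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc = $domain.FindDomainController()
        $result.Domain           = $domain.Name
        $result.DomainController = $dc.Name
        $result.DcReachable      = $true
    } catch {
        $result.DcReachable = $false
        $result.DcError     = $_.Exception.Message
    }

    # 2. Is the computer account's secure channel to the domain intact?
    #    (Needs an elevated session; a broken channel also breaks domain logons.)
    try {
        $result.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $result.SecureChannelOk = $false
        $result.SecureChannelError = $_.Exception.Message
    }

    # 3. Can the VPN head end be resolved and reached on its TLS port?
    $tnc = Test-NetConnection -ComputerName $VpnHost -Port $VpnPort -WarningAction SilentlyContinue
    $result.VpnHostResolved = [bool]$tnc.RemoteAddress
    $result.VpnPortOpen     = $tnc.TcpTestSucceeded

    # 4. Is the AnyConnect agent, which the pre-logon device VPN relies on, installed and running?
    $svc = Get-Service -Name 'vpnagent' -ErrorAction SilentlyContinue   # service name is an assumption
    $result.VpnAgentInstalled = ($null -ne $svc)
    $result.VpnAgentRunning   = [bool]($svc -and $svc.Status -eq 'Running')

    # 5. Did the current user land in a temporary profile? Windows marks this by
    #    a "<SID>.bak" ProfileList key, a profile path under \Users\TEMP..., or the
    #    PROFILE_TEMP_ASSIGNED bit (0x800) in the profile's State value.
    $sid         = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $bakKey      = Join-Path $profileList "$sid.bak"
    $state       = (Get-ItemProperty -Path (Join-Path $profileList $sid) -Name State -ErrorAction SilentlyContinue).State
    $result.ProfilePath      = $env:USERPROFILE
    $result.TemporaryProfile = (Test-Path $bakKey) -or
                               ($env:USERPROFILE -like '*\Users\TEMP*') -or
                               (($state -band 0x800) -ne 0)

    [pscustomobject]$result
}

Test-AdConnectivity | Format-List
```

Inside the GÖNET, or outside it with the device VPN up before logon, the expected picture is DcReachable and SecureChannelOk true and TemporaryProfile false. DcReachable false together with VpnPortOpen true and VpnAgentRunning false points at the device VPN not being active at logon rather than at a network problem.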

==== Sources of information ====
  * GWDG News article [[https://www.gwdg.de/documents/20182/27257/GN_06-2015_www.pdf#page=4|"Grundstruktur des Active Directory der GWDG"]] (issue 6/2015; German only)
  * [[en:services:general_services:courses:program|Courses]] and [[en:services:general_services:courses:scripts|course scripts]] on Windows and Active Directory (German only)