Transcript Chapter 4 Powerpoint
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)
Chapter 4 Introduction to Active Directory and Account Management
Learning Objectives
• Understand Active Directory basic concepts
• Install and configure Active Directory
• Plan and implement Active Directory containers
• Create and manage user accounts
• Configure and use security groups
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646) 2
Learning Objectives (cont’d.)
• Plan how to delegate object management
• Describe and implement new Active Directory features
Active Directory Basics
• Directory service
  – Houses information about all network resources: servers, printers, user accounts, groups of user accounts, security policies, and other information
• Domain controllers (DCs)
  – Servers that have the AD DS server role installed
• Member servers
  – Do not have AD installed
Active Directory Basics (cont’d.)
• Domain
  – Fundamental component or container
  – Holds information about all network resources that are grouped within it
• Each DC is equal to every other DC
• Multimaster replication
  – Advantage: if one DC goes down, there is no network interruption
Active Directory Basics (cont’d.)
• Activity 4-1: Installing Active Directory
Figure 4-2: Installation Results window (Courtesy Course Technology/Cengage Learning)
Schema
• Defines objects and the information pertaining to those objects that can be stored in Active Directory
  – Characteristics of objects
• Sample schema for a user account
  – Includes a globally unique identifier (GUID): a unique number associated with the object name
• Each attribute is automatically given a version number and date when it is created or changed
Global Catalog
• Stores information about every object within the forest
• First DC configured in a forest becomes the global catalog
  – Can be changed to another DC
• Purposes:
  – Authentication
  – Forest-wide searches of data
  – Replication of key AD elements
  – Keeps a copy of the most used attributes for quick access
Namespace
• Name resolution
  – Converts computer and domain names to IP addresses
• Namespace
  – Logical area on a network that contains directory services and named objects
  – Has the ability to perform name resolution
Namespace (cont’d.)
• Contiguous namespace
  – Every child object contains the name of the parent object
• Disjointed namespace
  – Child name does not resemble the name of its parent object
Containers in Active Directory
• Treelike structure
• Containers:
  – Forests
  – Trees
  – Domains
  – Organizational units (OUs)
  – Sites
Figure 4-5: Active Directory hierarchical containers (Courtesy Course Technology/Cengage Learning)
Forest
• Highest level in an Active Directory
• One or more Active Directory trees that are in a common relationship
• Forest functional level
  – Active Directory functions supported forest-wide
  – Levels:
    • Windows 2000 native forest functional level
    • Windows Server 2003 forest functional level
    • Windows Server 2008 forest functional level
Tree
• Contains one or more domains that are in a common relationship
• Domains in a tree typically have a hierarchical structure
• Kerberos transitive trust relationship
  – Two-way trusts between parent domains and child domains
Tree (cont’d.)
• Transitive trust
  – If A and B have a trust and B and C have a trust, A and C automatically have a trust as well
• Trusted domain
  – Granted access to resources
• Trusting domain
  – The one granting access to another domain
Tree (cont’d.)
• All domains within a single tree share the same schema
  – Defines all the object types that can be stored within Active Directory
• All domains in a tree share the same global catalog and a portion of their namespace
Domain
• Logical partition within an Active Directory forest
• Primary container within Active Directory
• Basic functions
  – To provide an AD partition to house objects
  – To establish a set of information to be replicated
  – To expedite management of a set of objects
Domain (cont’d.)
• Domain functional levels:
  – Windows 2000 domain functional level
  – Windows Server 2003 domain functional level
  – Windows Server 2008 domain functional level
• Activity 4-2: Managing Domains
  – Objective: Learn where to manage domains and domain trust relationships
Organizational Unit
• Grouping of related objects within a domain
• Allows the grouping of objects so that they can be administered using the same group policies
  – Such as security and desktop setup
• Can be nested within other OUs
• Best practices when creating OUs
  – Keep to 10 or fewer
  – Set up horizontally for best efficiency
• Activity 4-3: Managing OUs
  – Objective: Create an OU and delegate control over it
Site
• TCP/IP-based concept (container) within Active Directory
• Linked to IP address
• Functions
  – Based on connectivity and replication functions
• Bridgehead server
  – DC designated to have the role of exchanging replication information
  – One per site
Active Directory Guidelines
• Keep Active Directory as simple as possible
• Implement the smallest number of domains possible
• Use OUs to reflect the organization’s structure
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites in situations where there are multiple IP subnets and multiple geographic locations
Planning Functional Levels and Trusts
• Carefully plan trusts between forests
• External trust
  – Creates a trust relationship with a domain that is outside of a forest
• Realm trust
  – Enables one- or two-way access between a Windows Server domain within a forest and a realm of UNIX/Linux computers
• Shortcut trust
  – Enables a domain in one forest to quickly access resources in a domain within a different forest
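The trust concepts from the Tree slides (trusting vs. trusted domain, transitive trust) and the trust types above can be checked with a small model. This is an added example, not code from the textbook; the domain names and trusts are constructed, and the rule it applies is that a single trust grants access directly whether or not it is transitive, while access across more than one hop requires every trust on the path to be transitive (parent-child trusts are; external trusts are not; the realm trust is modelled as non-transitive here).

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trusting: str      # domain holding the resources and granting access
    trusted: str       # domain whose accounts are granted access
    kind: str          # "parent-child", "external" or "realm"
    transitive: bool

def two_way(a, b, kind, transitive):
    """A two-way trust is simply a pair of one-way trusts."""
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]

# Constructed sample: a forest root with two child domains, a one-way external
# trust from the west domain to a partner forest, and a non-transitive realm trust.
TRUSTS = (
    two_way("corp.example", "east.corp.example", "parent-child", True)
    + two_way("corp.example", "west.corp.example", "parent-child", True)
    + [Trust("west.corp.example", "partner.example", "external", False)]
    + two_way("east.corp.example", "unix.example", "realm", False)
)

def trusted_domains(trusting_domain, trusts):
    """Domains whose accounts can be granted access to resources in trusting_domain.

    One hop: any trust counts. More than one hop: every trust on the path must be
    transitive, so an external trust never extends beyond its two partner domains."""
    reach = {t.trusted for t in trusts if t.trusting == trusting_domain}
    frontier = deque(t.trusted for t in trusts
                     if t.trusting == trusting_domain and t.transitive)
    seen = set(frontier) | {trusting_domain}
    while frontier:
        hop = frontier.popleft()
        for t in trusts:
            if t.trusting == hop and t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                reach.add(t.trusted)
                frontier.append(t.trusted)
    reach.discard(trusting_domain)
    return reach

def can_access(account_domain, resource_domain, trusts=TRUSTS):
    """Can an account from account_domain be granted access to a resource in resource_domain?"""
    return (account_domain == resource_domain
            or account_domain in trusted_domains(resource_domain, trusts))
```

Reviewing which domains a resource domain ends up trusting through chained transitive trusts is a useful check when planning forest trusts, since each extra transitive hop widens who can be granted access.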
User Account Management
• General environments:
  – Accounts that are set up through a stand-alone server that does not have Active Directory installed
  – Accounts that are set up in a domain when Active Directory is installed
Creating Accounts when Active Directory Is Not Installed
• Install the Local Users and Groups MMC snap-in:
  – For stand-alone servers that do not use Active Directory
• Create a local user account on a server that is not a DC
  – See text for steps
Creating Accounts when Active Directory Is Not Installed (cont’d.)
Figure 4-11: Selecting the Local Users and Groups MMC snap-in (Courtesy Course Technology/Cengage Learning)
Creating Accounts when Active Directory Is Not Installed (cont’d.)
Figure 4-12: Creating a user account without Active Directory installed (Courtesy Course Technology/Cengage Learning)
Creating Accounts when Active Directory Is Installed
• Use the Active Directory Users and Computers tool
  – From the Administrative Tools menu or as an MMC snap-in
• Create each new account by entering account information and password controls
• Activity 4-4: Creating User Accounts in Active Directory
  – Objective: Learn how to create a user account in Active Directory
Creating Accounts when Active Directory Is Installed (cont’d.)
Figure 4-13: Creating a user account (Courtesy Course Technology/Cengage Learning)
Creating Accounts when Active Directory Is Installed (cont’d.)
Figure 4-14: User account properties (Courtesy Course Technology/Cengage Learning)
Disabling, Enabling, and Renaming Accounts
• When to disable
• Activity 4-5: Disabling, Renaming, and Enabling an Account
  – Objective: Practice disabling, renaming, and then enabling an account
Figure 4-15: Disabling an account (Courtesy Course Technology/Cengage Learning)
Moving an Account
• May need to move a person’s account from one container to another
• Activity 4-6: Moving an Account
  – Objective: Practice moving an account
Figure 4-16: Moving an account (Courtesy Course Technology/Cengage Learning)
Resetting a Password
• Cannot look up forgotten passwords
  – Reset instead
• Maintain guidelines for resetting passwords
• Activity 4-7: Changing an Account’s Password
  – Objective: Practice changing an account’s password
Figure 4-17: Resetting a password (Courtesy Course Technology/Cengage Learning)
Deleting an Account
• Delete accounts that are no longer in use
• The globally unique identifier (GUID) is also deleted
  – Will not be reused even if you create another account using the same name
• Activity 4-8: Deleting an Account
  – Objective: Practice deleting an account
Security Group Management
• Group accounts with similar characteristics together
• Scope of influence (or scope)
  – Reach of a group for gaining access to resources in Active Directory
• Types of groups and associated scopes:
  – Local
  – Domain local
  – Global
  – Universal
Security Group Management (cont’d.)
• Security groups
  – Enable access to resources on a stand-alone server or in Active Directory
• Distribution groups
  – Used for e-mail or telephone lists
Implementing Local Groups
• Local security group
  – Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)
• Create using the Local Users and Groups MMC snap-in
Implementing Domain Local Groups
• Domain local security group
  – Used when Active Directory is deployed
• Manage resources in a domain
  – Give global groups from the same and other domains access to those resources
• Scope of a domain local group
  – The domain in which the group exists
  – Can convert a domain local group to a universal group
Implementing Domain Local Groups (cont’d.)
• Access control list (ACL)
  – List of security descriptors (privileges) that have been set up for a particular object
Table 4-1: Membership capabilities of a domain local group
Implementing Global Groups
• Global security group
  – Contains user accounts from a single domain
  – Can also be set up as a member of a domain local group in the same or another domain
• Broader scope than domain local groups
• Can be nested
• Typical use:
  – Add accounts that need access to resources in the same or in another domain
  – Make the global group in one domain a member of a domain local group in the same or another domain
Implementing Global Groups (cont’d.)
Figure 4-18: Nested global groups (Courtesy Course Technology/Cengage Learning)
Implementing Global Groups (cont’d.)
• Activity 4-9: Creating Domain Local and Global Security Groups
  – Objective: Create a domain local and a global security group and make the global group a member of the domain local group
Implementing Universal Groups
• Universal security groups
  – Span domains and trees
• Can include
  – User accounts from any domain
  – Global groups from any domain
  – Other universal groups from any domain
• Guidelines to help simplify how you plan to use groups
  – See text
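The membership rules for domain local, global and universal groups (the Table 4-1 capabilities and the slides above) and the nesting they allow can be put to work in a small model that also resolves a user's effective group membership the way an access check would. This is an added example, not the textbook's code; the principals and domain names are constructed, and the membership rules encoded are those of a domain at Windows 2000 native functional level or higher.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str       # unique name, used as the directory key (constructed sample data)
    domain: str
    kind: str       # "user", "global", "domainlocal" or "universal"
    members: set = field(default_factory=set)

def allowed_member(group, member):
    """Who may be a direct member of which security group scope."""
    same_domain = group.domain == member.domain
    if group.kind == "global":        # single-domain scope: own users and own global groups
        return member.kind in ("user", "global") and same_domain
    if group.kind == "domainlocal":   # any domain's users/global/universal; own domain local groups
        return member.kind in ("user", "global", "universal") or (member.kind == "domainlocal" and same_domain)
    if group.kind == "universal":     # spans domains and trees
        return member.kind in ("user", "global", "universal")
    return False                      # a user account has no members

def add_member(directory, group_name, member_name):
    group, member = directory[group_name], directory[member_name]
    if not allowed_member(group, member):
        raise ValueError(f"{member.kind} {member.name} cannot join {group.kind} {group.name}")
    group.members.add(member_name)

def effective_groups(directory, principal_name):
    """Transitive (nested) membership: the groups a logon token would carry."""
    found, frontier = set(), [principal_name]
    while frontier:
        current = frontier.pop()
        for group in directory.values():
            if current in group.members and group.name not in found:
                found.add(group.name)
                frontier.append(group.name)
    return found

def has_access(directory, acl_groups, user_name):
    # True if any group named in the resource's ACL is in the user's effective membership
    return bool(set(acl_groups) & effective_groups(directory, user_name))

def build_sample():
    """Accounts -> global groups -> universal group -> domain local group -> ACL entry."""
    d = {p.name: p for p in [
        Principal("alice", "east.corp.example", "user"),
        Principal("bob", "west.corp.example", "user"),
        Principal("East-Engineers", "east.corp.example", "global"),
        Principal("West-Engineers", "west.corp.example", "global"),
        Principal("All-Engineers", "corp.example", "universal"),
        Principal("Reports-Readers", "corp.example", "domainlocal"),
    ]}
    for group, member in [("East-Engineers", "alice"), ("West-Engineers", "bob"),
                          ("All-Engineers", "East-Engineers"), ("All-Engineers", "West-Engineers"),
                          ("Reports-Readers", "All-Engineers")]:
        add_member(d, group, member)
    return d
```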
Implementing Universal Groups (cont’d.)
Figure 4-21: Managing security through universal and global groups (Courtesy Course Technology/Cengage Learning)
Properties of Groups
• To edit properties:
  – Double-click the group in the Local Users and Groups tool for a stand-alone (non-domain) or member server
  – Or in the Active Directory Users and Computers tool for DC servers in a domain
• Properties
  – General
  – Members
  – Member of
  – Managed by
Planning the Delegation of Object Management
• Security groups and user accounts enable an organization to delegate authority over objects
• Establish and document policies
• Common objects that are delegated include OUs, user accounts, and groups
• Use the Delegation of Control Wizard
Implementing User Profiles
• Local user profile
  – Automatically created at the local computer when you log on with an account for the first time
• Advantages of user profiles
• Roaming profile
  – Downloaded to the client workstation each time the user account is logged on
• Mandatory user profile
  – Certain users cannot change their profiles
What’s New in Windows Server 2008 Active Directory
• Restart capability
• Read-Only Domain Controller (RODC)
• Auditing improvements
• Multiple password and account lockout policies in a single domain
• Active Directory Lightweight Directory Services role
Restart Capability
• Stop Active Directory Domain Services without taking down the computer
• General steps
  – See text for steps
Read-Only Domain Controller
• Cannot be used to update information in Active Directory
• Does not replicate to regular DCs
• Can function as a Key Distribution Center for the Kerberos authentication method
• Provides better security at branch locations
  – Example
• Can be configured as a DNS server
Auditing Improvements
• Audit trail of many types of changes
• Records successful completion or the reason for failure
• Must be set up in two places
Multiple Password and Account Lockout Policies in a Single Domain
• Set up multiple password and account lockout security requirements
  – Associate them with a security group, user, or OU
• Can now create more than one set of account policies within a domain
• Password settings container (PSC)
  – Contains password settings objects (PSOs)
    • Represent a unique set of password policies
• Three policy sets:
  – Ordinary users, administrators, service accounts
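When several PSOs could apply to one account, only one takes effect. The slide does not show how that is decided, so this added example (not from the textbook) models the standard resolution order: a PSO linked directly to the user beats any linked through a group; among the remaining candidates the lowest precedence value wins, ties go to the lowest GUID, and an account with no applicable PSO falls back to the domain's default policy. The PSO names, settings and GUID stand-ins are constructed, following the three policy sets named on the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int          # msDS-PasswordSettingsPrecedence: a lower value wins
    applies_to: frozenset    # users and global security groups the PSO is linked to
    min_length: int
    lockout_threshold: int   # 0 means accounts are never locked out
    guid: str                # constructed stand-in for objectGUID, used only as a tie-breaker

# Constructed sample: one PSO per policy set from the slide, plus a user-linked one.
DEFAULT_DOMAIN_POLICY = PSO("Default Domain Policy", 0, frozenset(), 7, 5, "00")
PSOS = [
    PSO("PSO-Admins", 10, frozenset({"Domain Admins"}), 15, 3, "a1"),
    PSO("PSO-ServiceAccounts", 20, frozenset({"Service Accounts"}), 25, 0, "b2"),
    PSO("PSO-Users", 30, frozenset({"Domain Users"}), 10, 5, "c3"),
    PSO("PSO-BreakGlass", 5, frozenset({"emergency-admin"}), 30, 0, "d4"),  # linked to a user
]

def resultant_pso(user, user_groups, psos=PSOS, default=DEFAULT_DOMAIN_POLICY):
    """Pick the single PSO that governs `user`, given the global groups it belongs to."""
    direct = [p for p in psos if user in p.applies_to]
    via_groups = [p for p in psos if p.applies_to & frozenset(user_groups)]
    candidates = direct or via_groups          # user-linked PSOs win outright
    if not candidates:
        return default                         # no PSO applies: domain-wide policy
    return min(candidates, key=lambda p: (p.precedence, p.guid))

def password_meets_policy(user, user_groups, password, psos=PSOS):
    """Length check against whichever PSO actually governs the account."""
    return len(password) >= resultant_pso(user, user_groups, psos).min_length
```

A service account that also sits in Domain Users gets the service-account PSO because 20 beats 30, regardless of the order in which the PSOs were created.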
Active Directory Lightweight Directory Services Role
• Targeted for servers that manage user applications
• Skeleton version of Active Directory Domain Services
• Installed as a server role via Server Manager
Taking Active Directory Snapshots
• Tools for making snapshots:
  – ntdsutil.exe Active Directory database management tool
  – Active Directory Database Mounting Tool or dsamain.exe tool
• Enable Active Directory snapshots to be taken for later viewing
  – Compare to what is in Active Directory after it is restored
  – Determine which of several restores has the most complete Active Directory data
Summary
• Active Directory houses information about network resources
  – Domain controllers
  – Hierarchy: forest, tree, domain, organizational unit
  – Global catalog
• User accounts and profiles
• Functional levels for domain and forest
• New features of Active Directory in Windows Server 2008