Chapter 4 Powerpoint


MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

Chapter 4 Introduction to Active Directory and Account Management

Learning Objectives

• Understand Active Directory basic concepts
• Install and configure Active Directory
• Plan and implement Active Directory containers
• Create and manage user accounts
• Configure and use security groups

MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

Learning Objectives (cont’d.)

• Plan how to delegate object management
• Describe and implement new Active Directory features

Active Directory Basics

• Directory service
  – Houses information about all network resources: servers, printers, user accounts, groups of user accounts, security policies, and other information
• Domain controllers (DCs)
  – Servers that have the AD DS server role installed and hold a copy of the directory database
• Member servers
  – Domain-joined servers that do not have AD DS installed; they rely on a DC to authenticate domain accounts

Active Directory Basics (cont’d.)

• Domain
  – Fundamental component or container
  – Holds information about all network resources that are grouped within it
• Multimaster replication
  – Every DC holds a writable copy of the domain's data and replicates its changes to the others, so each DC is equal to every other DC for everyday updates (the few operations master roles, which exist on only one DC at a time, are the exception)
  – Advantage: if one DC goes down, clients authenticate against another DC and there is no network interruption
  – Consequence for security: a change made on any DC, legitimate or not, replicates to all of them, so every writable DC must be protected to the same standard

Active Directory Basics (cont’d.)

• Activity 4-1: Installing Active Directory

Figure 4-2: Installation Results window (Courtesy Course Technology/Cengage Learning)

Schema

• Defines the objects, and the information (attributes) pertaining to those objects, that can be stored in Active Directory
  – Characteristics of each object class
• Sample schema for a user account includes
  – Globally unique identifier (GUID): a unique number associated with the object, assigned when the object is created and kept for the object's lifetime even if it is renamed or moved
• Each attribute value is automatically given a version number and a timestamp when it is created or changed
  – Replication uses the version number (and the timestamp as a tie-breaker) to decide which value wins when the same attribute is changed on two DCs

Global Catalog

• Stores information about every object within the forest: a full copy of its own domain plus a partial, read-only copy (the most commonly searched attributes) of every object in the other domains
• First DC configured in a forest becomes a global catalog server
  – The role can be added to or removed from any other DC
• Purposes:
  – Authentication (universal group membership is looked up in the global catalog during logon)
  – Forest-wide searches of data
  – Replication of key AD elements
  – Keeps a copy of the most used attributes for quick access

Namespace

• Name resolution
  – Converts computer and domain names to IP addresses; Active Directory relies on DNS for this, which is why AD DS requires a DNS server that supports service (SRV) records
• Namespace
  – Logical area on a network that contains directory services and named objects
  – Has the ability to perform name resolution

Namespace (cont’d.)

• Contiguous namespace
  – Every child object contains the name of the parent object (for example, a child domain named sales.example.com under the domain example.com)
• Disjointed namespace
  – Child name does not resemble the name of its parent object (for example, a second domain tree named example.net in the example.com forest)

Containers in Active Directory

• Treelike structure
• Containers:
  – Forests
  – Trees
  – Domains
  – Organizational units (OUs)
  – Sites

Figure 4-5: Active Directory hierarchical containers (Courtesy Course Technology/Cengage Learning)

Forest

• Highest level in an Active Directory
• One or more Active Directory trees that are in a common relationship: they share a single schema, a single configuration partition and a single global catalog
• Forest functional level
  – Active Directory functions supported forest-wide
  – Cannot be set higher than the lowest domain functional level in the forest, and in Windows Server 2008 cannot be lowered again once raised
  – Levels:
    • Windows 2000 native forest functional level
    • Windows Server 2003 forest functional level
    • Windows Server 2008 forest functional level

Tree

• Contains one or more domains that are in a common relationship
• Domains in a tree typically have a hierarchical structure and share a contiguous DNS namespace
• Kerberos transitive trust relationship
  – Two-way trusts are created automatically between parent domains and child domains when a child domain is added

Tree (cont’d.)

• Transitive trust
  – If A and B have a trust and B and C have a trust, A and C automatically have a trust as well
• Trusted domain
  – The domain whose accounts are granted access to resources (the account domain)
• Trusting domain
  – The domain granting access to its resources to accounts from the trusted domain (the resource domain)

Tree (cont’d.)

• All domains within a single tree share the same schema
  – The schema defines all the object types that can be stored within Active Directory
  – Strictly, the schema is shared by every domain in the forest, not only those in one tree
• All domains in a tree share the same global catalog and a portion of their namespace
  – The global catalog is likewise forest-wide; the shared, contiguous namespace is what sets one tree apart from another

Domain

• Logical partition within an Active Directory forest
• Primary container within Active Directory
• Basic functions
  – To provide an AD partition to house objects
  – To establish a set of information to be replicated
  – To expedite management of a set of objects
• A domain is an administrative and replication boundary, but the forest is the security boundary: an attacker who controls any DC in one domain can escalate to the whole forest, so separate forests, not separate domains, are needed to isolate untrusted administrators

Domain (cont’d.)

• Domain functional levels:
  – Windows 2000 domain functional level
  – Windows Server 2003 domain functional level
  – Windows Server 2008 domain functional level
• A domain's functional level cannot exceed the Windows version of its oldest DC, so retiring old DCs is a prerequisite for the features that need a higher level (for example, fine-grained password policies need the Windows Server 2008 domain functional level)
• Activity 4-2: Managing Domains
  – Objective: Learn where to manage domains and domain trust relationships

Organizational Unit

• Grouping of related objects within a domain
• Allows the grouping of objects so that they can be administered using the same group policies
  – Such as security and desktop setup
• Can be nested within other OUs
• Best practices when creating OUs
  – Keep nesting to 10 levels or fewer
  – Set up horizontally for best efficiency: deep nesting slows Group Policy processing and makes delegated permissions harder to audit
• Activity 4-3: Managing OUs
  – Objective: Create an OU and delegate control over it

Site

• TCP/IP-based concept (container) within Active Directory
• Linked to one or more IP subnets; a client's IP address determines its site, and so which DCs it authenticates against
• Functions are based on connectivity and replication: replication within a site is frequent and uncompressed, replication between sites is scheduled and compressed over site links
• Bridgehead server
  – DC designated to exchange replication information with bridgehead servers in other sites
  – One per site for each directory partition and transport, chosen automatically unless you designate a preferred bridgehead server

Active Directory Guidelines

• Keep Active Directory as simple as possible
• Implement the smallest number of domains possible
• Use OUs to reflect the organization's structure
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites in situations where there are multiple IP subnets and multiple geographic locations

Planning Functional Levels and Trusts

• Carefully plan trusts between forests
• External trust
  – Creates a trust relationship with a single domain that is outside of the forest
  – Non-transitive: it reaches only the two domains that are joined by it
• Realm trust
  – Enables one- or two-way access between a Windows Server domain within a forest and a non-Windows Kerberos realm, such as an MIT Kerberos realm of UNIX/Linux computers
• Shortcut trust
  – Enables a domain in one part of a forest to quickly access resources in a domain in another part of the same forest (for example, two deeply nested domains in different trees) by shortening the trust path that Kerberos referrals would otherwise walk through the forest root; a trust to a domain in a different forest is an external trust or, between two forest roots, a forest trust
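Trust direction and transitivity together decide which accounts can reach which resources, which is exactly the question an attacker asks when mapping a trust path across the transitive trusts described under Tree and the external, realm and shortcut trusts above. The following Python model is an added example, not code from the textbook or from any Microsoft tool. It treats each trust as a directed edge from the trusted (account) domain to the trusting (resource) domain, allows a one-hop path over any trust but a multi-hop path only over transitive trusts, and stops forest trusts from chaining on to a third forest. The domain names and trusts in SAMPLE_TRUSTS are constructed for the example, and realm trusts are assumed to be non-transitive (their default).

```python
"""Which domain's accounts can reach which domain's resources through a set of AD trusts."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # resource domain: the side that grants access
    trusted: str      # account domain: the side whose principals are granted access
    kind: str         # "parent-child", "tree-root", "shortcut", "forest", "external" or "realm"
    two_way: bool = True

    @property
    def transitive(self) -> bool:
        # Trusts inside a forest and forest trusts are transitive; external trusts are not.
        # Realm trusts can be created either way; this model assumes the non-transitive default.
        return self.kind in {"parent-child", "tree-root", "shortcut", "forest"}


def access_edges(trusts):
    """Directed graph: account domain -> [(resource domain, trust)]."""
    edges = {}
    for t in trusts:
        edges.setdefault(t.trusted, []).append((t.trusting, t))
        if t.two_way:
            edges.setdefault(t.trusting, []).append((t.trusted, t))
    return edges


def trust_path(trusts, account_domain, resource_domain):
    """Domains a principal from account_domain crosses to reach resource_domain, or None.

    A single hop works over any trust, transitive or not. A multi-hop path may use only
    transitive trusts, and may cross at most one forest trust (forest trusts do not chain
    on to a third forest)."""
    if account_domain == resource_domain:
        return [account_domain]
    edges = access_edges(trusts)
    for nxt, _ in edges.get(account_domain, []):
        if nxt == resource_domain:
            return [account_domain, resource_domain]
    queue = deque([([account_domain], False)])   # (path so far, crossed a forest trust?)
    seen = {(account_domain, False)}
    while queue:
        path, crossed = queue.popleft()
        for nxt, t in edges.get(path[-1], []):
            if not t.transitive or (t.kind == "forest" and crossed):
                continue
            state = (nxt, crossed or t.kind == "forest")
            if state in seen:
                continue
            if nxt == resource_domain:
                return path + [nxt]
            seen.add(state)
            queue.append((path + [nxt], state[1]))
    return None


# Constructed sample: a forest rooted at contoso.com with two child domains, a forest trust
# with fabrikam.com (which in turn trusts a third forest), and a one-way, non-transitive
# external trust that lets partner.example accounts into na.contoso.com only.
SAMPLE_TRUSTS = [
    Trust("contoso.com", "na.contoso.com", "parent-child"),
    Trust("contoso.com", "emea.contoso.com", "parent-child"),
    Trust("contoso.com", "fabrikam.com", "forest"),
    Trust("fabrikam.com", "tailspin.example", "forest"),
    Trust("na.contoso.com", "partner.example", "external", two_way=False),
]
# A shortcut trust between the two child domains removes the hop through the forest root.
SHORTCUT = Trust("emea.contoso.com", "na.contoso.com", "shortcut")

if __name__ == "__main__":
    for src, dst in [("na.contoso.com", "emea.contoso.com"),
                     ("partner.example", "na.contoso.com"),
                     ("partner.example", "contoso.com"),
                     ("fabrikam.com", "emea.contoso.com"),
                     ("tailspin.example", "contoso.com")]:
        print(f"{src} -> {dst}: {trust_path(SAMPLE_TRUSTS, src, dst)}")
    print("with shortcut:", trust_path(SAMPLE_TRUSTS + [SHORTCUT], "na.contoso.com", "emea.contoso.com"))
```

Two things to read off the output: partner.example accounts can reach na.contoso.com but not its parent, because the external trust is non-transitive; and adding the shortcut trust turns the three-hop path between the child domains into a direct one, which is the whole point of a shortcut trust.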

User Account Management

• General environments:
  – Accounts that are set up through a stand-alone server that does not have Active Directory installed
  – Accounts that are set up in a domain when Active Directory is installed

Creating Accounts when Active Directory Is Not Installed

• Add the Local Users and Groups MMC snap-in
  – For stand-alone servers that do not use Active Directory
• Create a local user account on a server that is not a DC
  – See text for steps
  – Local accounts exist only in that server's SAM database and are not visible to the domain

Creating Accounts when Active Directory Is Not Installed (cont’d.)

Figure 4-11: Selecting the Local Users and Groups MMC snap-in (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Not Installed (cont’d.)

Figure 4-12: Creating a user account without Active Directory installed (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Installed

• Use the Active Directory Users and Computers tool
  – From the Administrative Tools menu or as an MMC snap-in
• Create each new account by entering account information and password controls
  – Set "User must change password at next logon" so the initial password chosen by the administrator is not the one the user keeps
• Activity 4-4: Creating User Accounts in Active Directory
  – Objective: Learn how to create a user account in Active Directory

Creating Accounts when Active Directory Is Installed (cont’d.)

Figure 4-13: Creating a user account (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Installed (cont’d.)

Figure 4-14: User account properties (Courtesy Course Technology/Cengage Learning)

Disabling, Enabling, and Renaming Accounts

• When to disable: when an account is not needed for a while but may be needed again (for example during an extended absence), disable rather than delete, so the account keeps its security identifier, group memberships and permissions
• Activity 4-5: Disabling, Renaming, and Enabling an Account
  – Objective: Practice disabling, renaming, and then enabling an account

Figure 4-15: Disabling an account (Courtesy Course Technology/Cengage Learning)

Moving an Account

• May need to move a person's account from one container to another, for example when the person changes department; the account then falls under the group policies and delegated permissions of the new OU
• Activity 4-6: Moving an Account
  – Objective: Practice moving an account

Figure 4-16: Moving an account (Courtesy Course Technology/Cengage Learning)

Resetting a Password

• Cannot look up forgotten passwords: Active Directory stores only password hashes
  – Reset instead
• Maintain guidelines for resetting passwords, such as verifying the requester's identity before the reset and setting "User must change password at next logon" so the temporary password is used only once
• Activity 4-7: Changing an Account's Password
  – Objective: Practice changing an account's password

Figure 4-17: Resetting a password (Courtesy Course Technology/Cengage Learning)

Deleting an Account

• Delete accounts that are no longer in use
• The account's globally unique identifier (GUID) and security identifier (SID) are deleted with it
  – Neither will be reused, even if you create another account using the same name: the new account gets a new SID, so permissions granted to the old account do not carry over, and its old entries remain in ACLs as unresolved SIDs until they are cleaned up
• Activity 4-8: Deleting an Account
  – Objective: Practice deleting an account

Security Group Management

• Group accounts with similar characteristics together
• Scope of influence (or scope)
  – Reach of a group for gaining access to resources in Active Directory
• Types of groups and associated scopes:
  – Local
  – Domain local
  – Global
  – Universal

Security Group Management (cont’d.)

• Security groups
  – Enable access to resources on a stand-alone server or in Active Directory (they have a SID and can appear in access control lists)
• Distribution groups
  – Used for e-mail or telephone lists; they cannot be used to grant permissions

Implementing Local Groups

• Local security group
  – Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)
• Create using the Local Users and Groups MMC snap-in

Implementing Domain Local Groups

• Domain local security group
  – Used when Active Directory is deployed
• Manage resources in a domain
  – Give global groups from the same and other domains access to those resources
• Scope of a domain local group
  – Domain in which the group exists
  – Can convert a domain local group to a universal group, provided the group does not contain another domain local group

Implementing Domain Local Groups (cont’d.)

• Access control list (ACL)
  – The list of access control entries (ACEs) held in an object's security descriptor; each entry allows or denies specific permissions to one user or group, identified by its SID
  – The usual pattern is to place a domain local group in the ACL and control access by changing that group's membership rather than editing the ACL itself

Table 4-1: Membership capabilities of a domain local group (see text)

Implementing Global Groups

• Global security group
  – Contains user accounts (and other global groups) from the domain in which it was created
  – Can also be set up as a member of a domain local group in the same or another domain
• Broader scope than domain local groups
• Can be nested
• Typical use:
  – Add accounts that need access to resources in the same or in another domain
  – Make the global group in one domain a member of a domain local group in the same or another domain

Implementing Global Groups (cont’d.)

Figure 4-18: Nested global groups (Courtesy Course Technology/Cengage Learning)

Implementing Global Groups (cont’d.)

• Activity 4-9: Creating Domain Local and Global Security Groups
  – Objective: Create a domain local and a global security group and make the global group a member of the domain local group

Implementing Universal Groups

• Universal security groups
  – Span domains and trees
• Can include
  – User accounts from any domain
  – Global groups from any domain
  – Other universal groups from any domain
• Membership is stored in the global catalog, so every membership change replicates to all global catalog servers in the forest; put global groups, not individual users, into universal groups to keep that replication small
• Guidelines to help simplify how you plan to use groups
  – See text

Implementing Universal Groups (cont’d.)

Figure 4-21: Managing security through universal and global groups (Courtesy Course Technology/Cengage Learning)
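The nesting rules spread across the domain local, global and universal group slides above are easier to check as code. This Python model is an added example, not the textbook's or Microsoft's code: MEMBERSHIP_RULES encodes what each scope may contain in a native-mode domain, can_convert encodes the scope-conversion rules (including the domain local to universal restriction mentioned above), and effective_members flattens nesting to show who actually gets access when a domain local group is the principal named in an ACL. The users, groups and domain names in build_sample are constructed for the example.

```python
"""Offline model of Active Directory group scopes: what each scope may contain, which scope
conversions are allowed, and who actually gets access when groups are nested (AGDLP)."""
from dataclasses import dataclass, field

# What a group of each scope may contain in a native-mode domain, and whether the member
# must come from the same domain as the group.
MEMBERSHIP_RULES = {
    "global":       {"user": "same", "global": "same"},
    "domain_local": {"user": "any", "global": "any", "universal": "any", "domain_local": "same"},
    "universal":    {"user": "any", "global": "any", "universal": "any"},
}


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str                       # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)


def kind_of(principal):
    return "user" if isinstance(principal, User) else principal.scope


def can_add(group, member):
    """(allowed, reason) for adding member to group under MEMBERSHIP_RULES."""
    rule = MEMBERSHIP_RULES[group.scope].get(kind_of(member))
    if rule is None:
        return False, f"a {group.scope} group cannot contain a {kind_of(member)} group"
    if rule == "same" and member.domain != group.domain:
        return False, f"a {group.scope} group only accepts {kind_of(member)} members from {group.domain}"
    return True, "ok"


def add_member(group, member):
    allowed, reason = can_add(group, member)
    if not allowed:
        raise ValueError(reason)
    group.members.append(member)


def can_convert(group, new_scope, all_groups):
    """(allowed, blockers) for changing a group's scope; mirrors what ADUC enforces."""
    if group.scope == "domain_local" and new_scope == "universal":
        blockers = [m for m in group.members if isinstance(m, Group) and m.scope == "domain_local"]
    elif group.scope == "global" and new_scope == "universal":
        blockers = [g for g in all_groups if g.scope == "global" and any(m is group for m in g.members)]
    elif group.scope == "universal" and new_scope == "global":
        blockers = [m for m in group.members if isinstance(m, Group) and m.scope == "universal"]
    elif group.scope == "universal" and new_scope == "domain_local":
        blockers = []
    else:
        return False, f"{group.scope} -> {new_scope} is not a direct conversion (convert to universal first)"
    return not blockers, ", ".join(b.name for b in blockers) or "ok"


def effective_members(group):
    """Flatten nested membership to the users who actually hold whatever the group is granted."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if (g.name, g.domain) in seen:
            continue
        seen.add((g.name, g.domain))
        for m in g.members:
            if isinstance(m, User):
                users.add(m)
            else:
                stack.append(m)
    return users


def build_sample():
    """Constructed two-domain example following AGDLP: accounts -> global -> domain local -> ACL."""
    alice = User("alice", "contoso.com")
    bob = User("bob", "fabrikam.com")
    sales = Group("Sales", "contoso.com", "global")
    partners = Group("Partners", "fabrikam.com", "global")
    share_rw = Group("FinanceShare-RW", "contoso.com", "domain_local")   # the group named in the ACL
    add_member(sales, alice)
    add_member(partners, bob)
    add_member(share_rw, sales)      # global group from the same domain
    add_member(share_rw, partners)   # global group from another (trusted) domain
    return {"alice": alice, "bob": bob, "Sales": sales, "Partners": partners, "FinanceShare-RW": share_rw}


if __name__ == "__main__":
    s = build_sample()
    groups = [g for g in s.values() if isinstance(g, Group)]
    print("effective access:", sorted(u.name for u in effective_members(s["FinanceShare-RW"])))
    print("add bob to Sales:", can_add(s["Sales"], s["bob"]))
    print("convert FinanceShare-RW to universal:", can_convert(s["FinanceShare-RW"], "universal", groups))
```

The useful habit this encodes is that access reviews should flatten membership the way effective_members does: a reviewer who only reads the ACL sees FinanceShare-RW, not that bob from the other domain is behind it.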

Properties of Groups

• To edit properties:
  – Double-click the group in the Local Users and Groups tool for a stand-alone (non-domain) or member server
  – Or in the Active Directory Users and Computers tool for DC servers in a domain
• Properties
  – General
  – Members
  – Member of
  – Managed by

Planning the Delegation of Object Management

• Security groups and user accounts enable an organization to delegate authority over objects
• Establish and document policies
• Common objects that are delegated include OUs, user accounts, and groups
• Use the Delegation of Control Wizard
  – The wizard only adds permissions (ACEs on the OU); it cannot remove them, so review and revoke delegations in the OU's Security properties, and delegate to groups rather than to individual users

Implementing User Profiles

• Local user profile
  – Automatically created at the local computer when you log on with an account for the first time
• Advantages of user profiles
• Roaming profile
  – Stored on a server and downloaded to the client workstation each time the user account is logged on, so settings follow the user
• Mandatory user profile
  – Certain users cannot change their profiles: changes made during a session are discarded at logoff

What’s New in Windows Server 2008 Active Directory

• Restart capability
• Read-Only Domain Controller (RODC)
• Auditing improvements
• Multiple password and account lockout policies in a single domain
• Active Directory Lightweight Directory Services role

Restart Capability

• Stop Active Directory Domain Services (the AD DS service on a DC) without taking down the computer or rebooting into Directory Services Restore Mode
  – Used for offline maintenance of the database, such as offline defragmentation; while it is stopped the server behaves like a member server, and the other DCs continue to serve the domain
• General steps
  – See text for steps

Read-Only Domain Controller

• Cannot be used to update information in Active Directory: it holds a read-only copy of the database and refers write attempts to a writable DC
• Does not replicate to regular DCs: replication is one way, from writable DCs to the RODC, so a compromised RODC cannot push changes into the rest of the domain
• Can function as a Key Distribution Center for the Kerberos authentication method, using its own krbtgt account rather than the domain's
• Provides better security at branch locations
  – See text for the example
  – The Password Replication Policy controls which accounts' passwords the RODC may cache; a stolen RODC exposes only those accounts, which should exclude administrators
• Can be configured as a DNS server (it hosts read-only copies of AD-integrated zones)

Auditing Improvements

• Audit trail of many types of changes to directory objects (the new Directory Service Changes subcategory), which records the old and the new value of a changed attribute
• Records successful completion or the reason for failure
• Must be set up in two places: enable the audit policy (the Directory Service Changes subcategory, through auditpol.exe or Group Policy) and set a system access control list (SACL) on the objects or OU whose changes you want logged; with only one of the two configured nothing is written

Multiple Password and Account Lockout Policies in a Single Domain

• Set up multiple password and account lockout security requirements within one domain
  – Associate them with user accounts or global security groups; they cannot be linked to an OU, so to cover an OU create a global group containing its users
  – Requires the Windows Server 2008 domain functional level
• Can now create more than one set of account policies within a domain
• Password settings container (PSC)
  – Contains password settings objects (PSOs)
    • Each represents a unique set of password and lockout policies and carries a precedence value; when several PSOs apply to one user, a PSO linked directly to the user wins over PSOs linked through groups, then the lowest precedence value wins, and a user with no PSO gets the domain's default policy
• Three policy sets:
  – Ordinary users, administrators, service accounts
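How Active Directory chooses among several PSOs that could apply to one user, as an added example in Python rather than the textbook's or Microsoft's code. It models the resolution order: a PSO linked directly to the user beats PSOs linked through groups, the lowest precedence value wins, ties go to the PSO with the smallest objectGUID, and a user with no applicable PSO gets the Default Domain Policy. The users, groups and PSOs in the sample are constructed, the GUIDs are fixed small values so the tie-break is visible, and the model assumes that membership through nested global groups counts (the resultant PSO is derived from the user's full group membership).

```python
"""How a Windows Server 2008 domain picks a user's resultant password settings object (PSO)."""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int          # msDS-PasswordSettingsPrecedence: the lower value wins
    guid: uuid.UUID          # objectGUID: the final tie-breaker
    min_password_length: int
    lockout_threshold: int   # 0 means accounts never lock out
    applies_to: frozenset    # msDS-PSOAppliesTo: names of users and global security groups


def nested_groups(user, group_members):
    """Every group the user belongs to, directly or through nesting.

    group_members maps a group name to the names of its members (users or groups). The model
    assumes nested membership counts, since the resultant PSO is derived from the user's full
    group membership."""
    member_of = {}
    for group, members in group_members.items():
        for m in members:
            member_of.setdefault(m, set()).add(group)
    result, stack = set(), [user]
    while stack:
        for g in member_of.get(stack.pop(), ()):
            if g not in result:
                result.add(g)
                stack.append(g)
    return result


def ranking(pso):
    return (pso.precedence, pso.guid.int)


def resultant_pso(user, group_members, psos, default_policy):
    """Resolution order: PSOs linked to the user itself, then PSOs linked to the user's groups;
    within each tier the lowest precedence wins and ties go to the smallest GUID; if nothing
    applies, the domain's default policy does."""
    direct = [p for p in psos if user in p.applies_to]
    if direct:
        return min(direct, key=ranking)
    groups = nested_groups(user, group_members)
    via_group = [p for p in psos if p.applies_to & groups]
    if via_group:
        return min(via_group, key=ranking)
    return default_policy


# Constructed sample domain. The GUIDs are fixed small values so the tie-break is visible.
# The default policy is represented with the same record type for convenience; it is not a PSO.
DEFAULT_DOMAIN_POLICY = PSO("Default Domain Policy", 0, uuid.UUID(int=0), 7, 0, frozenset())
SAMPLE_PSOS = [
    PSO("PSO-Admins",      10, uuid.UUID(int=1), 15, 3, frozenset({"Tier0-Admins"})),
    PSO("PSO-Contractors", 10, uuid.UUID(int=2), 12, 5, frozenset({"Contractors"})),
    PSO("PSO-Service",     20, uuid.UUID(int=3), 25, 0, frozenset({"svc-backup", "carol"})),
]
SAMPLE_GROUPS = {
    "Tier0-Admins": {"alice", "carol", "Server-Admins"},   # Server-Admins is a nested group
    "Server-Admins": {"dave"},
    "Contractors": {"alice"},
    "ServiceAccounts": {"svc-backup"},
}

if __name__ == "__main__":
    for user in ["bob", "svc-backup", "alice", "carol", "dave"]:
        pso = resultant_pso(user, SAMPLE_GROUPS, SAMPLE_PSOS, DEFAULT_DOMAIN_POLICY)
        print(f"{user}: {pso.name} (min length {pso.min_password_length}, lockout {pso.lockout_threshold})")
```

Note what happens to carol: the PSO linked directly to her account (precedence 20) wins over the stricter admin PSO (precedence 10) she would get through Tier0-Admins, which is why direct links to user objects should be rare and audited.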

Active Directory Lightweight Directory Services Role

• Targeted for servers that manage user applications that need a directory but not a domain
• Skeleton version of Active Directory Domain Services: an LDAP directory without domains, domain controllers or Group Policy
• Installed as a server role via Server Manager

Taking Active Directory Snapshots

• Tools for making and viewing snapshots:
  – ntdsutil.exe Active Directory database management tool, whose snapshot subcommand creates, lists and mounts Volume Shadow Copy snapshots of the directory database
  – Active Directory Database Mounting Tool, dsamain.exe, which exposes a mounted snapshot as a read-only LDAP server on a port you choose, so it can be browsed with the usual tools
• Enable Active Directory snapshots to be taken for later viewing
  – Compare a snapshot to what is in Active Directory after it is restored
  – Determine which of several backups has the most complete Active Directory data before restoring
• A snapshot holds the whole database, password hashes included, so store and delete it with the same care as the live ntds.dit

Summary

• Active Directory houses information about network resources
  – Domain controllers
  – Hierarchy: forest, tree, domain, organizational unit
  – Global catalog
• User accounts and profiles
• Functional levels for domain and forest
• New features of Active Directory in Windows Server 2008