1 / 53

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646). Chapter 4 Introduction to Active Directory and Account Management. Learning Objectives. Understand Active Directory basic concepts Install and configure Active Directory

vanida
Download Presentation

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 4 Introduction to Active Directory and Account Management

  2. Learning Objectives • Understand Active Directory basic concepts • Install and configure Active Directory • Plan and implement Active Directory containers • Create and manage user accounts • Configure and use security groups MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  3. Learning Objectives (cont’d.) • Plan how to delegate object management • Describe and implement new Active Directory features MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  4. Active Directory Basics • Directory service • Houses information about all network resources: • Servers, printers, user accounts, groups of user accounts, security policies, and other information • Domain controllers (DCs) • Servers that have the AD DS server role installed • Member servers • Do not have AD installed MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  5. Active Directory Basics (cont’d.) • Domain • Fundamental component or container • Holds information about all network resources that are grouped within it • Each DC is equal to every other DC • Multimaster replication • Advantage • If one DC goes down, no network interruption MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  6. Active Directory Basics (cont’d.) • Activity 4-1: Installing Active Directory Figure 4-2 Installation Results window Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  7. Schema • Defines objects and the information pertaining to those objects that can be stored in Active Directory • Characteristics of objects • Sample schema for user account • Includes globally unique identifier (GUID) • Unique number associated with the object name • Each attribute automatically given a version number and date • When created or changed MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  8. Global Catalog • Stores information about every object within forest • First DC configured in a forest becomes global catalog • Can change to another DC • Purposes: • Authentication • Forest-wide searches of data • Replication of key AD elements • Keeps copy of most used attributes for quick access MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  9. Namespace • Name resolution • Converts computer and domain names to IP addresses • Namespace • Logical area on a network that contains directory services and named objects • Has the ability to perform name resolution MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  10. Namespace (cont’d.) • Contiguous namespace • Every child object contains the name of the parent object • Disjointed namespace • Child name does not resemble the name of its parent object MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  11. Containers in Active Directory • Treelike structure • Containers: • Forests • Trees • Domains • Organizational units (OUs) • Sites Figure 4-5 Active Directory hierarchical containers Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  12. Forest • Highest level in an Active Directory • One or more Active Directory trees that are in a common relationship • Forest functional level • Active Directory functions supported forest-wide • Levels: • Windows 2000 native forest functional level • Windows Server 2003 forest functional level • Windows Server 2008 forest functional level MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  13. Tree • Contains one or more domains that are in a common relationship • Domains in a tree typically have a hierarchical structure • Kerberos transitive trust relationship • Two-way trusts between parent domains and child domains MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  14. Tree (cont’d.) • Transitive trust • If A and B have a trust and B and C have a trust, A and C automatically have a trust as well • Trusted domain • Granted access to resources • Trusting domain • One granting access to another domain MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  15. Tree (cont’d.) • All domains within a single tree share the same schema • Defines all the object types that can be stored within Active Directory • All domains in a tree share same global catalog and a portion of their namespace MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  16. Domain • Logical partition within an Active Directory forest • Primary container within Active Directory • Basic functions • To provide an AD partition to house objects • To establish a set of information to be replicated • To expedite management of a set of objects MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  17. Domain (cont’d.) • Domain functional levels: • Windows 2000 domain functional level • Windows Server 2003 domain functional level • Windows Server 2008 domain functional level • Activity 4-2: Managing Domains • Objective: Learn where to manage domains and domain trust relationships MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  18. Organizational Unit • Grouping of related objects within a domain • Allow the grouping of objects so that they can be administered using the same group policies • Such as security and desktop setup • Can be nested within other OUs • Best practices when creating OUs • Keep to 10 or fewer • Set up horizontally for best efficiency • Activity 4-3: Managing OUs • Objective: Create an OU and delegate control over it MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  19. Site • TCP/IP-based concept (container) within Active Directory • Linked to IP address • Functions • Based on connectivity and replication functions • Bridgehead server • DC designated to have role of exchanging replication information • One per site MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  20. Active Directory Guidelines • Keep Active Directory as simple as possible • Implement the smallest number of domains possible • Use OUs to reflect organization’s structure • Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies • Implement multiple trees and forests only as necessary • Use sites in situations where there are multiple IP subnets and multiple geographic locations MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  21. Planning Functional Levels and Trusts • Carefully plan trusts between forests • External trust • Creates a trust relationship with a domain that is outside of a forest • Realm trust • Enables one- or two-way access between a Windows Server domain within a forest and a realm of UNIX/Linux computers • Shortcut trust • Enable a domain in one forest to quickly access resources in a domain within a different forest MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  22. User Account Management • General environments: • Accounts that are set up through a stand-alone server that does not have Active Directory installed • Accounts that are set up in a domain when Active Directory is installed MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  23. Creating Accounts when Active Directory Is Not Installed • Install Local Users and Groups MMC snap-in: • For standalone servers that do not use Active Directory • Create a local user account on a server that is not a DC • See text for steps MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  24. Creating Accounts when Active Directory Is Not Installed (cont’d.) Figure 4-11 Selecting the Local Users and Groups MMC snap-in Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  25. Creating Accounts when Active Directory Is Not Installed (cont’d.) Figure 4-12 Creating a user account without Active Directory installed Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  26. Creating Accounts when Active Directory Is Installed • Use Active Directory Users and Computers tool • From the Administrative Tools menu or as an MMC snap-in • Create each new account by entering account information and password controls • Activity 4-4: Creating User Accounts in Active Directory • Objective: Learn how to create a user account in Active Directory MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  27. Creating Accounts when Active Directory Is Installed (cont’d.) Figure 4-13 Creating a user account Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  28. Creating Accounts when Active Directory Is Installed (cont’d.) Figure 4-14 User account properties Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  29. Disabling, Enabling, and Renaming Accounts • When to disable • Activity 4-5: Disabling, Renaming, and Enabling an Account • Objective: Practice disabling, renaming, and then enabling an account Figure 4-15 Disabling an account Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  30. Moving an Account • May need to move a person’s account from one container to another • Activity 4-6: Moving an Account • Objective: Practice moving an account Figure 4-16 Moving an account Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  31. Resetting a Password • Cannot look up forgotten passwords • Reset instead • Maintain guidelines for resetting passwords • Activity 4-7: Changing an Account’s Password • Objective: Practice changing an account’s password Figure 4-17 Resetting a password Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  32. Deleting an Account • Delete accounts that are no longer in use • Globally unique identifier (GUID) is also deleted • Will not be reused even if you create another account using the same name • Activity 4-8: Deleting an Account • Objective: Practice deleting an account MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  33. Security Group Management • Group accounts with similar characteristics together • Scope of influence (or scope) • Reach of a group for gaining access to resources in Active Directory • Types of groups and associated scopes: • Local • Domain local • Global • Universal MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  34. Security Group Management (cont’d.) • Security groups • Enable access to resources on a stand-alone server or in Active Directory • Distribution groups • Used for e-mail or telephone lists MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  35. Implementing Local Groups • Local security group • Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs) • Create using the Local Users and Groups MMC snap-in MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  36. Implementing Domain Local Groups • Domain local security group • Used when Active Directory is deployed • Manage resources in a domain • Give global groups from the same and other domains access to those resources • Scope of a domain local group • Domain in which the group exists • Can convert a domain local group to a universal group MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  37. Implementing Domain Local Groups (cont’d.) • Access control list (ACL) • List of security descriptors (privileges) that have been set up for a particular object Table 4-1 Membership capabilities of a domain local group MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  38. Implementing Global Groups • Global security group • Contains user accounts from a single domain • Can also be set up as a member of a domain local group in the same or another domain • Broader scope than domain local groups • Can be nested • Typical use: • Add accounts that need access to resources in the same or in another domain • Make the global group in one domain a member of a domain local group in the same or another domain MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  39. Implementing Global Groups (cont’d.) Figure 4-18 Nested global groups Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  40. Implementing Global Groups (cont’d.) • Activity 4-9: Creating Domain Local and Global Security Groups • Objective: Create a domain local and a global security group and make the global group a member of the domain local group MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  41. Implementing Universal Groups • Universal security groups • Span domains and trees • Can include • User accounts from any domain • Global groups from any domain • Other universal groups from any domain • Guidelines to help simplify how you plan to use groups • See text MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  42. Implementing Universal Groups (cont’d.) Figure 4-21 Managing security through universal and global groups Courtesy Course Technology/Cengage Learning MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  43. Properties of Groups • To edit properties: • Double-click group in the Local Users and Groups tool for a stand-alone (non domain) or member server • Or in the Active Directory Users and Computers tool for DC servers in a domain • Properties • General • Members • Member of • Managed by MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  44. Planning the Delegation of Object Management • Security groups and user accounts enable an organization to delegate authority over objects • Establish and document policies • Common objects that are delegated include OUs, user accounts, and groups • Use Delegation of Control Wizard MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  45. Implementing User Profiles • Local user profile • Automatically created at the local computer when you log on with an account for the first time • Advantages of user profiles • Roaming profile • Downloaded to client workstation each time user account is logged on • Mandatory user profile • Certain users cannot change their profiles MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  46. What’s New in Windows Server 2008 Active Directory • Restart capability • Read-Only Domain Controller (RODC) • Auditing improvements • Multiple password and account lockout policies in a single domain • Active Directory Lightweight Directory Services role MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  47. Restart Capability • Stop Active Directory Domain Services without taking down the computer • General steps • See text for steps MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  48. Read-Only Domain Controller • Cannot use to update information in Active Directory • Does not replicate to regular DCs • Can function as a Key Distribution Center for the Kerberos authentication method • Provides better security at branch locations • Example • Can be configured as DNS server MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  49. Auditing Improvements • Audit trail of many types of changes • Records successful completion or reason for failure • Must set up in two places MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

  50. Multiple Password and Account Lockout Policies in a Single Domain • Set up multiple password and account lockout security requirements • Associate them with a security group, user or OU • Can now create more than one set of account policies within a domain • Password settings container (PSC) • Contains password settings objects (PSOs) • Represent unique set of password policies • Three policy sets: • Ordinary users, administrators, service accounts MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

More Related