TRANSCRIPT
Active Directory® Fundamentals
Dan Lewis - MCT
Welcome to this TechNet Event
FREE fortnightly technical newsletter: “The TechNet Flash”
FREE regular technical events hosted across the UK
FREE weekly UK & US led technical webcasts
FREE comprehensive technical web site
FREE quarterly technical magazine
Monthly CD / DVD subscription with the latest technical tools & resources and full-version evaluation and beta software. New Low Price from 1st Oct 05
We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK:
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break
Prerequisites
Understanding of day-to-day administration tasks
Understanding of administration challenges in a network environment
Session Outline
Introduction to Active Directory
Group Policy
Advanced Active Directory Tasks
Microsoft Resources and Training Options
Introduction to Active Directory
Overview
Active Directory Basics
Creating the Organization
Lesson: Active Directory Basics
What are Directory Services?
Benefits of Active Directory
The Logical Structure of Active Directory
What are Directory Services?
[Diagram: Active Directory as the focal point for manageability, security and interoperability, with these consumers around it]
Windows users: account info, privileges, profiles, policy
Windows clients: management profile, network info, policy
Windows servers: management profile, network info, services, printers, file shares, policy
Other NOS: user registry, security, policy
Other directories: white pages, e-commerce
Applications: server config, single sign-on, app-specific directory info, policy
Internet / firewall services: configuration, security policy, VPN policy
Network devices: configuration, QoS policy, security policy
E-mail servers: mailbox info, address book
Provides a focal point for management, security, and interoperability
Benefits of Active Directory
[Diagram: a Paris OU containing Repair and Sales OUs, holding User1, User2, Computer1 and Printer1]
Flexible administration
Simplified administration
Scalability
Reduced TCO
The Logical Structure of Active Directory
[Diagram: objects sit in organizational units, OUs in domains, domains in a domain tree, and domain trees in a forest]
Forest
Domain tree
Domain
Organizational unit
Objects
Lesson: Creating the Organization
Microsoft Management Console
Organizational Units
Organizational Unit Hierarchical Models
User Accounts
Groups
Printers
Demonstration: Creating Active Directory Objects
Microsoft Management Console
Snap-ins
MMC hosts tools, called snap-ins, that perform administrative functions
Organizational Units
Organizes objects in a domain
Allows you to delegate administrative control
Simplifies the management of commonly grouped resources
Organizational Unit Hierarchical Models
Function-based: OUs for S (Sales), C (Consultants) and M (Marketing)
Organization-based: OUs for M (Manufacturing), E (Engineering) and R (Research)
Location-based: OUs for N (Norway), F (France) and I (Indonesia)
Examples of hybrid models: function over organization, location over function, organization over location
User Accounts
Domain user accounts (stored in Active Directory)
Local user accounts (stored on the local computer)
[Diagram: a Windows Server 2003 domain holding the domain user accounts; local accounts stay on each computer]
Groups
Groups simplify administration by enabling you to assign permissions for resources
Groups are characterized by scope and type
Group type     Description
Security       Used to assign user rights and permissions; can also be used as an e-mail distribution list
Distribution   Can be used only with e-mail applications; cannot be used to assign permissions
–The group scope determines whether the group spans multiple domains or is limited to a single domain
–The three group scopes are global, domain local, and universal
Printers
Local printers: the print device is attached directly to the print server (LPT, USB or IR)
Network printers: the print server reaches the print devices over the network (TCP/IP, IPX or AppleTalk); one print server can manage several print devices
Demonstration: Creating Active Directory Objects
How to create:
Organizational Units
User Accounts
Groups
Printers
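The demonstration above (OUs, user accounts, groups and printers), scripted as an added example that is not part of the original session. It uses the ActiveDirectory PowerShell module from current RSAT rather than the Windows Server 2003 console used in the demo, and assumes the domain contoso.com, the Paris/Sales/Repair OU names from the slides, the user and group names below, and a share \\fs1\Sales. The group layout follows the AGDLP pattern (accounts in global groups, global groups nested in domain local groups, permissions on the domain local group), which is how the scope and type distinctions on the previous slide are used in practice.

```powershell
# Added example (not from the TechNet session). Assumes contoso.com and the
# names below; run as a user allowed to create objects under the domain root.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName        # e.g. DC=contoso,DC=com
$upnSuffix = $domain.DNSRoot                  # e.g. contoso.com

function Ensure-OU {
    # Creates an OU if it does not exist and returns its DN. Protection from
    # accidental deletion is on so a mis-click cannot remove a whole subtree.
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -Identity $dn -ErrorAction SilentlyContinue)) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

# Hybrid model from the slides: location (Paris) on top, function below it.
$paris  = Ensure-OU -Name 'Paris'  -ParentDN $domainDN
$sales  = Ensure-OU -Name 'Sales'  -ParentDN $paris
$repair = Ensure-OU -Name 'Repair' -ParentDN $paris
$groups = Ensure-OU -Name 'Groups' -ParentDN $paris   # assumption: one OU for all Paris groups

# Domain user accounts. The initial password is prompted for, never hard-coded
# in a script, and the user must change it at first logon.
$initial = Read-Host -AsSecureString 'Initial password for new users'
foreach ($u in @(
    @{ Name = 'User1'; Sam = 'user1'; OU = $sales  },
    @{ Name = 'User2'; Sam = 'user2'; OU = $repair }
)) {
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Name $u.Name -SamAccountName $u.Sam `
            -UserPrincipalName "$($u.Sam)@$upnSuffix" -Path $u.OU `
            -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true
    }
}

# AGDLP: Accounts -> Global groups -> Domain Local groups -> Permissions.
# The global security group collects people by role.
New-ADGroup -Name 'Paris-Sales-Users' -GroupScope Global -GroupCategory Security `
    -Path $groups -Description 'Sales staff in Paris'
# The domain local security group is what goes on the resource ACL.
New-ADGroup -Name 'ACL-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groups -Description 'Modify on \\fs1\Sales (assumed share)'
# A distribution group can be mailed to but can never appear in an ACL.
New-ADGroup -Name 'Paris-All-Staff' -GroupScope Universal -GroupCategory Distribution -Path $groups

Add-ADGroupMember -Identity 'Paris-Sales-Users'     -Members 'user1'
Add-ADGroupMember -Identity 'ACL-SalesShare-Modify' -Members 'Paris-Sales-Users'   # nest G into DL
Add-ADGroupMember -Identity 'Paris-All-Staff'       -Members 'user1', 'user2'

# Publishing a printer that already exists on this print server (PrintManagement
# module, Windows Server 2012 or later); the printer name is assumed.
# Set-Printer -Name 'Printer1' -Shared $true -ShareName 'Printer1' -Published $true

# Check: the resource group's effective membership resolves through the nesting,
# so user1 ends up with Modify on the share without being named on the ACL.
Get-ADGroupMember -Identity 'ACL-SalesShare-Modify' -Recursive |
    Select-Object name, objectClass, distinguishedName
```

The last call is the check worth keeping: if a user who should not have access shows up in the recursive membership of an ACL-* group, the nesting is wrong, and that is far easier to audit than a share ACL full of individual accounts.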
Summary
Active Directory Basics
Creating the Organization
Group Policy
Overview
Introduction to Group Policy
Using Group Policy for Organizational Control
Demonstration: Controlling the User Environment
Lesson: Introduction to Group Policy
Purpose of Group Policy
Group Policy Processing
Demonstration: GPMC Administration
Purpose of Group Policy
[Diagram: GPOs 1, 2 and 3 linked to OU1, OU2 and OU3 in a domain]
Apply Group Policy once; Windows Server enforces it continually
Computer Configuration
User Configuration
Security Settings
Centralized management
Consistent configurations
Automatic configurations
Group Policy Processing
[Diagram: GPO1 linked at the site, GPO2 at the domain, GPO3 and GPO4 at OUs]
Group Policy is processed in the order local, site, domain, OU (child OUs last), so a setting in a GPO linked closer to the user or computer wins unless a link higher up is enforced
Group Policy Management Console
What is the GPMC?
– New administrative tool for managing Group Policy
– Set of scriptable interfaces for managing Group Policy
– MMC Snap-in, built on these interfaces
– Web release of stand-alone version concurrent with launch of Windows® Server 2003
– Requires users to have a licensed copy of Windows Server 2003 in their organization
GPMC Design Goals
– Unify management of Group Policy, including both Windows 2000 and Windows Server 2003 domains
– Address key deployment issues
– Provide better UI for visualization
– Enable programmatic access to Group Policy
Demonstration: GPMC Administration
Create a GPO
Modify GPO policy settings
Edit GPO properties
Link a GPO
Delegate control of a GPO
Backup and restore of a GPO
Save a report of settings
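The GPMC demonstration steps above, as an added example that is not from the original session: the same seven operations done with the GroupPolicy PowerShell module (RSAT), which is built on the scriptable interfaces the GPMC slide mentions. Assumed names: the domain contoso.com, an OU named Workstations, a group named GPO-Editors and a backup folder C:\GPOBackups. The one policy setting written is the Windows Installer AlwaysInstallElevated value, chosen because leaving it enabled lets any user install MSI packages as SYSTEM.

```powershell
# Added example (not from the TechNet session). Assumes contoso.com, an OU
# named Workstations, a group GPO-Editors and a folder C:\GPOBackups.
Import-Module GroupPolicy

$name   = 'Workstation Baseline'
$target = 'OU=Workstations,DC=contoso,DC=com'
$backup = 'C:\GPOBackups'

# 1. Create a GPO. It is unlinked, so nothing applies until step 4.
$gpo = New-GPO -Name $name -Comment 'Baseline for domain workstations'

# 2. Modify policy settings. Registry-backed settings can be written directly.
#    AlwaysInstallElevated only elevates when BOTH the machine and user values
#    are 1, so forcing the machine value to 0 is enough to close it.
Set-GPRegistryValue -Name $name -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer' `
    -ValueName 'AlwaysInstallElevated' -Type DWord -Value 0 | Out-Null

# 3. Edit GPO properties: this GPO carries only computer settings, so disable
#    the user half (less to process at logon, less to troubleshoot later).
$gpo = Get-GPO -Name $name
$gpo.GpoStatus = 'UserSettingsDisabled'

# 4. Link it to the OU: enabled, first in link order, not enforced.
New-GPLink -Name $name -Target $target -LinkEnabled Yes -Order 1 -Enforced No | Out-Null

# 5. Delegate: GPO-Editors may change settings but not links or permissions.
Set-GPPermission -Name $name -TargetName 'GPO-Editors' -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 6. Back up before and after every change; Restore-GPO rolls back to a backup.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
$b = Backup-GPO -Name $name -Path $backup -Comment 'Baseline after initial configuration'
# Restore-GPO -Name $name -Path $backup -BackupId $b.Id   # roll back to this state

# 7. Save a settings report for review and change records.
Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $backup "$name.html")

# Check: what is actually linked to the OU, and who holds rights on the GPO.
Get-GPInheritance -Target $target | Select-Object -ExpandProperty GpoLinks
Get-GPPermission -Name $name -All | Select-Object Trustee, Permission
```

Get-GPPermission at the end is the part to keep in a regular review: anyone with GpoEdit or GpoEditDeleteModifySecurity on a GPO linked to a machine OU can push arbitrary settings, scripts and scheduled tasks to every computer under it, so the delegation list is as sensitive as the settings themselves.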
Lesson: Using Group Policy for Organizational Control
Using Group Policy to Control Security
Security Templates
OU Design for Security
Demonstration: Applying a Security Template
Using Group Policy to Control the User Environment
GPO Settings to Control the User Environment
Software Restriction Policies
ADM Templates
Deploying Software
Assigning and Deploying Software
Best Practices
Controlling the User Environment
Using Group Policy to Control Security
Create an OU structure
Determine Multiple Operating System Requirements
Use Security Templates Based on Role
Use Group Policy to apply templates
Security Templates
Template                          Description
Pre-defined security templates    Provide variant security for workstations and domain controllers. These are not role-based.
Server 2003 Security Guide        Server role-based templates for various security environments.
Windows XP Security Guide         Client role-based templates for various security environments.
Industry standard templates       Templates created by third parties or organizations for security standardization.
Custom templates                  Custom templates that are created when existing templates do not meet organizational needs.
OU Design for Security
Identify the security template that most closely matches the configuration required by client computers or servers
Create a new Group Policy object for each security template you will be using
In the new Group Policy object, import the security template
If necessary, modify the group policy object to add any additional security settings
Link the new Group Policy object to the appropriate OU
Move computer objects for client computers and servers to the appropriate OU
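The six-step procedure above, as an added example that is not part of the original session. It scripts the steps that can be scripted (one GPO per template, the link, the move of computer objects) and adds the check a practitioner wants before linking: a secedit analysis of a candidate server against the template, so you know which settings the link is about to change. Assumed: a template C:\Templates\MemberServer.inf taken from the Server 2003 Security Guide set, an OU named Member Servers in contoso.com, and server computer accounts whose names start with SRV. Importing the .inf into the GPO is still done in the Group Policy editor (Computer Configuration, Windows Settings, Security Settings, Import Policy), as in the demonstration.

```powershell
# Added example (not from the TechNet session). Assumes the template path,
# OU name and server naming convention below.
Import-Module ActiveDirectory, GroupPolicy

$template = 'C:\Templates\MemberServer.inf'
$gpoName  = 'SEC-Member Server Baseline'      # step 2: one GPO per template
$ou       = 'OU=Member Servers,DC=contoso,DC=com'

# Step 2: create the GPO named after the template it will carry.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment "Carries security template $template" | Out-Null
}

# Step 3 (import) happens in the GPMC editor. Before linking, measure how far a
# server already is from the template: secedit /analyze writes one line of the
# form "Mismatch - <SettingName>." per deviating setting to its log.
function Get-TemplateDrift {
    param([string]$TemplatePath, [string]$WorkDir = $env:TEMP)
    $db  = Join-Path $WorkDir 'drift.sdb'
    $log = Join-Path $WorkDir 'drift.log'
    Remove-Item $db, $log -ErrorAction SilentlyContinue
    & secedit.exe /analyze /db $db /cfg $TemplatePath /log $log /quiet | Out-Null
    # Returns the names of settings that do not match the template.
    Select-String -Path $log -Pattern '^\s*Mismatch\s*-\s*(.+?)\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}
$drift = @(Get-TemplateDrift -TemplatePath $template)
"Settings this template would change on $env:COMPUTERNAME: $($drift.Count)"
$drift

# Step 4 would be further edits to the GPO. Step 5: link it to the OU.
$alreadyLinked = (Get-GPInheritance -Target $ou).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# Step 6: move the computer objects. The move is what makes the GPO apply, so a
# wrong filter here silently hardens (or fails to harden) the wrong machines.
Get-ADComputer -Filter "Name -like 'SRV*'" -SearchBase $domainComputers |
    Move-ADObject -TargetPath $ou

# Check on one moved server after policy refresh: the drift list should be empty.
# gpupdate /target:computer /force
# gpresult /scope computer /r                 # lists the GPOs that applied
# Get-TemplateDrift -TemplatePath $template   # expect no output
```

Running Get-TemplateDrift both before the link (what will change) and after gpupdate (what did not change) turns the template from a document into a testable baseline; a non-empty list after refresh usually means a higher-precedence GPO or a local setting is overriding the template.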
Demonstration: Applying a Security Template
Create a new GPO
Import a security template
Using Group Policy to Control the User Environment
Use Group Policy to:
Manage users and computers
Deploy software
Enforce security settings
Enforce a consistent desktop environment
Group Policy settings for users:
–Desktop settings
–Software settings
–Windows settings
–Security settings
Group Policy settings for computers:
–Desktop settings
–Software settings
–Windows settings
–Security settings
GPO Settings to Control the User Environment
Software Restriction Policies
Group Policy can restrict software installation and execution
Can restrict by:
–Hash rule (identifies a specific file by its hash, regardless of name or location)
–Path rule (file or folder path, including registry paths)
–Certificate rule (publisher's code-signing certificate)
–Internet zone rule (zone the installer package came from)
Administrative Templates
Default templates
Office templates
Custom templates
–Text files that end with an .adm extension
–Update the user or computer portion of the registry
Adding ADM templates into a GPO
Overview of the Software Deployment Process
1. Create a software distribution point (shared folder)
2. Use a GPO to deploy the software, either published or assigned
3. Change the software deployment properties
Assigning Software vs. Publishing Software
User configuration
Assign: The application is installed the next time the user activates the application
Publish:
– The application is installed when the user selects it from Add/Remove Programs in Control Panel
– The application is installed when the user double-clicks an unknown file type (document activation)
Computer configuration
Assign: The application is installed the next time the computer starts
Group Policy Best Practices
Create as few GPOs as possible
Large numbers of GPOs make troubleshooting difficult
Disable unused portions of GPOs
Limit use of enforcement
Limit use of block inheritance
Create documentation and regular backups
Link a GPO to only one location
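The best practices above turned into an audit, as an added example that is not part of the original session. It walks every link target in the domain with the GroupPolicy and ActiveDirectory modules (RSAT) and reports each practice the domain violates: blocked inheritance, enforced links, GPOs linked in more than one place, unlinked GPOs, and GPOs whose user or computer half was never edited but is still enabled. It then takes a dated backup of everything. The backup path C:\GPOBackups is assumed; site links are not walked.

```powershell
# Added example (not from the TechNet session). Needs read access to all GPOs;
# the backup folder is an assumption.
Import-Module GroupPolicy, ActiveDirectory

$domain  = Get-ADDomain
$targets = @($domain.DistinguishedName) +
    @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$findings = New-Object System.Collections.Generic.List[string]
$links    = New-Object System.Collections.Generic.List[object]

# Walk the domain root and every OU; note blocked inheritance and enforced links.
foreach ($t in $targets) {
    $inh = Get-GPInheritance -Target $t
    if ($inh.GpoInheritanceBlocked) {
        $findings.Add("Block inheritance on $t (domain-level security GPOs do not reach it)")
    }
    foreach ($l in $inh.GpoLinks) {
        $links.Add([pscustomobject]@{ Gpo = $l.DisplayName; Target = $t; Enforced = $l.Enforced })
        if ($l.Enforced) { $findings.Add("Enforced link: '$($l.DisplayName)' at $t") }
    }
}

foreach ($gpo in Get-GPO -All) {
    $mine = @($links | Where-Object { $_.Gpo -eq $gpo.DisplayName })
    if ($mine.Count -eq 0) {
        $findings.Add("Unlinked GPO: '$($gpo.DisplayName)' (delete it or document why it exists)")
    } elseif ($mine.Count -gt 1) {
        $findings.Add("GPO '$($gpo.DisplayName)' linked in $($mine.Count) places: " + ($mine.Target -join '; '))
    }
    # "Disable unused portions": a half that was never edited still has DSVersion 0.
    $status = $gpo.GpoStatus.ToString()
    if ($gpo.User.DSVersion -eq 0 -and $status -notin 'UserSettingsDisabled', 'AllSettingsDisabled') {
        $findings.Add("GPO '$($gpo.DisplayName)': user section empty but still enabled")
    }
    if ($gpo.Computer.DSVersion -eq 0 -and $status -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled') {
        $findings.Add("GPO '$($gpo.DisplayName)': computer section empty but still enabled")
    }
}

# Documentation and regular backups: one dated folder per run, every GPO in it.
$dest = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Backup-GPO -All -Path $dest | Out-Null
$findings.Add("Total GPOs: $(@(Get-GPO -All).Count); backed up to $dest")

$findings
```

The enforced-link and blocked-inheritance findings are the security-relevant ones: an enforced link is the only way to guarantee a domain-wide security setting reaches an OU whose owner has blocked inheritance, so every exception to "limit use of enforcement" should be traceable to a specific blocked OU.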
Demonstration: Controlling the User Environment
Securing Client and Servers Using Administrative Templates
Deploying Software
Controlling the User Environment
Testing the User Environment
Summary
Introduction to Group Policy
Using Group Policy for Organizational Control
Advanced Active Directory Tasks
Overview
Delegation and Custom MMCs
File Server Management
Additional Management Techniques
Lesson: Delegation and Custom MMCs
Delegating Control
Demonstration: Delegating Control
MMC Taskpads
Demonstration: How to Create a Custom MMC
Delegation of Control
Grant Permissions to:
–Delegate control to other administrators for specific organizational units
–Modify specific attributes of an object in a single organizational unit
–Perform the same task in all organizational units
Domain
Admin1
Admin2
Admin3
OU1
OU2
OU3
Demonstration: Delegating Control
How to delegate control of an OU for specific tasks
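The delegation demonstration above scripted, as an added example that is not part of the original session. It grants a help-desk group the two rights needed to reset passwords on the users in one OU (the Reset Password extended right and read/write on pwdLastSet, which is what "user must change password at next logon" writes), then reads the OU's ACL back with the object-type GUIDs resolved to names so the delegation can be reviewed. It uses dsacls and the ActiveDirectory module's AD: drive; the domain contoso.com, the group CONTOSO\HelpDesk and the OU path are assumptions.

```powershell
# Added example (not from the TechNet session). Assumes contoso.com, a group
# CONTOSO\HelpDesk and OU=Sales,OU=Paris,DC=contoso,DC=com.
Import-Module ActiveDirectory

$ou    = 'OU=Sales,OU=Paris,DC=contoso,DC=com'
$group = 'CONTOSO\HelpDesk'

# dsacls grant syntax: trustee:permissions;object-type;inherited-object-type
#   CA = control access (an extended right), RP/WP = read/write property.
#   /I:S = apply to child objects only (the OU object itself is untouched).
#   The trailing ";user" limits each ACE to user objects, so the help desk
#   cannot reset passwords on computer or managed service accounts that land
#   in this OU later.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Build a GUID -> name map from the schema and the Extended-Rights container,
# so ACEs can be shown as "Reset Password" rather than a GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Get-OUDelegations {
    param([string]$DistinguishedName)
    # Explicit (non-inherited) ACEs are the delegations made on this OU itself.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Access    = $_.AccessControlType
                Applies   = if ($_.ObjectType -ne [guid]::Empty) { $guidMap[$_.ObjectType] } else { '(all)' }
                OnObjects = if ($_.InheritedObjectType -ne [guid]::Empty) { $guidMap[$_.InheritedObjectType] } else { '(any)' }
            }
        }
}

Get-OUDelegations -DistinguishedName $ou | Format-Table -AutoSize

# Check: a "specific task" delegation should never look like this. GenericAll,
# WriteDacl or WriteOwner on an OU is full control of everything beneath it.
Get-OUDelegations -DistinguishedName $ou |
    Where-Object { "$($_.Rights)" -match 'GenericAll|WriteDacl|WriteOwner' }
```

The Delegation of Control wizard shown in the demo produces the same kind of ACEs; the readback function is useful precisely because the wizard has no "undo" and no summary view, so accumulated delegations on an OU are invisible unless you list them.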
MMC Taskpads
Creates a customized view of an MMC snap-in
Allows specific tasks to be placed on the taskpad
Customizes view of MMC
–Removes confusing toolbars
–Removes menu options
–Removes configuration options
Useful for novice administrators
Demonstration: How to Create a Custom MMC
Lesson: File Server Management
Encrypting File System
Disk Quotas
Volume Shadow Copies
Demonstration: How to Restore a Previous Version
Distributed File System
Distributed File System Capabilities
Encrypting File System
EFS encryption makes data unintelligible without a decryption key
EFS encrypts data: users encrypt a file or folder by setting the encryption property; all files and subfolders created in or added to an encrypted folder are automatically encrypted
Accessing encrypted data: an authorized user opens and reads the file normally; EFS decrypts on read and re-encrypts on write, so the data on disk stays encrypted throughout
Decrypting data: clearing the encryption property decrypts the file, and it stays in clear text until it is encrypted again
Use the cipher command to display or alter the encryption of folders and files on NTFS volumes
Disk Quotas
Track and control users' disk space on NTFS volumes
Prevent users from taking any additional disk space above their quota limit
Log events when users near and exceed quota limits
Can be enabled on local volumes, network volumes, and removable drives if they are formatted with NTFS
Can be enabled on local computers and remote computers
Users cannot use file compression to stay under their limits (quotas count the uncompressed size)
Volume Shadow Copies
Views the read-only contents of network folders as they existed at various points in time
Use shadow copies to:
–Recover files that were accidentally deleted
–Recover files that were accidentally overwritten
–Allow version checking while working on documents
Is enabled on a per-volume basis, not on specific shares
Is not a replacement for regular backups
When storage limits are reached, the oldest shadow copy is deleted and cannot be retrieved
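The three file-server features of this lesson (EFS, disk quotas, shadow copies) driven from the command line on the file server, as an added example that is not part of the original session. It uses cipher, fsutil, vssadmin and schtasks, which exist on current Windows Server; the data volume D:, a separate volume E: for shadow storage, the folder D:\Finance and the user CONTOSO\user1 are assumptions.

```powershell
# Added example (not from the TechNet session). Run elevated on the file
# server; volumes, folder and user name below are assumed.

# --- Encrypting File System ---
# Encrypt a folder; files created in or copied into it are encrypted automatically.
cipher /e /s:"D:\Finance"
# List who can decrypt each file. If no data recovery agent appears, a lost user
# certificate means lost data: define a DRA in Group Policy before relying on EFS.
cipher /c "D:\Finance\*"
# Find anything under the folder that is still in clear text (check, not change).
Get-ChildItem 'D:\Finance' -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    Select-Object FullName

# --- Disk quotas (per volume, per user, NTFS only) ---
fsutil quota track   D:                         # log usage only
fsutil quota enforce D:                         # refuse writes over the limit
# Warning threshold and hard limit are in bytes: warn at 900 MB, stop at 1 GB.
fsutil quota modify D: 943718400 1073741824 CONTOSO\user1
fsutil quota query D:                           # limits and current usage
fsutil quota violations                         # quota events from the event log

# --- Volume Shadow Copies (Previous Versions) ---
# Put shadow storage on another volume so heavy writes to D: do not evict old
# copies as quickly; once the oldest copy is evicted it cannot be recovered.
vssadmin add shadowstorage /for=D: /on=E: /maxsize=20GB
vssadmin create shadow /for=D:                  # one snapshot now
vssadmin list shadows /for=D:
# Two snapshots per working day; adjust to how much work you can afford to lose.
schtasks /create /tn "ShadowCopy D 0700" /sc daily /st 07:00 /ru SYSTEM /tr "vssadmin create shadow /for=D:"
schtasks /create /tn "ShadowCopy D 1200" /sc daily /st 12:00 /ru SYSTEM /tr "vssadmin create shadow /for=D:"
```

Two caveats match the slides: shadow copies live on the same server as the data, so they are no substitute for backups held elsewhere, and the retention is bounded by /maxsize, not by time. The cipher /c check matters because EFS protects files with the user's own certificate; without a recovery agent the administrator has no way in.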
Demonstration: How to Restore a Previous Version
How to set up volume shadow copy
How to use the previous versions client
Distributed File System
Logically group shared folders into a single hierarchy
–Shared folders reside on different servers
–Single shared folder contains all network resources
Distributed File System Capabilities
Unified namespace
Name transparency
Flexible storage management
Load sharing
Fault tolerance
Security integration
Client caching of DFS namespace
Compatibility with Windows NT, Windows 95, and Windows 98 clients
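A domain-based DFS namespace that exercises the capabilities listed above (unified namespace, name transparency, load sharing, fault tolerance, security integration), as an added example that is not part of the original session. It uses the DFSN module on Windows Server 2012 or later; the domain contoso.com, file servers FS1 and FS2 that already share Public and Sales, and a Domain Admin account (required to create a domain root) are assumptions.

```powershell
# Added example (not from the TechNet session). Assumes contoso.com, servers
# FS1 and FS2 with existing shares, and Domain Admin rights.
Import-Module DFSN

# Unified namespace: users open \\contoso.com\Public whichever server holds it.
# Access-based enumeration hides folders the caller has no NTFS rights to.
New-DfsnRoot -Path '\\contoso.com\Public' -TargetPath '\\FS1\Public' -Type DomainV2 `
    -EnableAccessBasedEnumeration $true

# Name transparency: the link stays \\contoso.com\Public\Sales if the data moves.
New-DfsnFolder -Path '\\contoso.com\Public\Sales' -TargetPath '\\FS1\Sales'

# Load sharing and fault tolerance: a second target; clients are referred to
# either and fail over. DFS-N only hands out paths, it copies nothing, so the
# two shares must be kept identical by DFS Replication or another mechanism.
New-DfsnFolderTarget -Path '\\contoso.com\Public\Sales' -TargetPath '\\FS2\Sales'

# Check 1: every target is online.
Get-DfsnFolderTarget -Path '\\contoso.com\Public\Sales' | Select-Object TargetPath, State

# Check 2: security integration cuts both ways. DFS adds no ACLs of its own, so if
# the NTFS ACLs on the two targets differ, a user's access depends on which server
# the referral happened to pick. Print each target's ACL side by side.
foreach ($t in (Get-DfsnFolderTarget -Path '\\contoso.com\Public\Sales').TargetPath) {
    $rights = ((Get-Acl -Path $t).Access |
        ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    "$t : $rights"
}
```

The second check is the one that bites in practice: replication keeps file contents in step, but a permission changed on one target by hand produces intermittent "access denied" that depends on referral order and is hard to reproduce.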
[Diagram: the WSUS server synchronizes with the Microsoft Update Web site over the Internet; a test server, test clients and production clients on the LAN receive updates from WSUS through Automatic Updates]
Windows Server Update Services
The WSUS server downloads critical updates and security patches from Microsoft Update as they are released; clients and servers receive them from WSUS once an administrator approves them, which is what lets updates be tested on the test server and test clients before production
Demonstration: How to Install and Configure Windows Server Update Services
How to configure WSUS
How to configure Automatic Updates with Group Policy
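The Automatic Updates configuration from the demonstration, as an added example that is not part of the original session: a GPO written with the GroupPolicy module that points the test-client OU at the WSUS server and enrols those clients in a WSUS computer group (client-side targeting), followed by a function that checks the result on a client. The domain contoso.com, the WSUS address https://wsus.contoso.com:8531 (WSUS configured for SSL), an OU named Test Clients and a WSUS computer group of the same name are assumptions.

```powershell
# Added example (not from the TechNet session). Assumes contoso.com, a WSUS
# server at https://wsus.contoso.com:8531, an OU and a WSUS group 'Test Clients'.
Import-Module GroupPolicy

$gpo     = 'WSUS - Test Clients'
$wu      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wsusUrl = 'https://wsus.contoso.com:8531'

if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) { New-GPO -Name $gpo | Out-Null }

# Intranet update server and status server. Use HTTPS: over plain HTTP anyone
# on the network path can answer as the WSUS server for every client.
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName 'WUServer'       -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null

# Client-side targeting: clients ask to join the 'Test Clients' WSUS group, so
# approvals made for that group reach the pilot machines before production.
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName 'TargetGroup'        -Type String -Value 'Test Clients' | Out-Null

# Automatic Updates behaviour: 4 = download and install on a schedule.
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName 'UseWUServer'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null  # 0 = every day
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null  # 03:00

New-GPLink -Name $gpo -Target 'OU=Test Clients,DC=contoso,DC=com' -LinkEnabled Yes | Out-Null

# Check on a client after gpupdate: policy keys present, pointing at WSUS over HTTPS.
function Test-WsusClientConfig {
    $p  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server       = $p.WUServer
        UsesHttps    = [bool]($p.WUServer -like 'https://*')
        UseWUServer  = ($au.UseWUServer -eq 1)
        AutoUpdateOn = ($au.NoAutoUpdate -eq 0)
        TargetGroup  = $p.TargetGroup
    }
}
Test-WsusClientConfig
```

Roll the same GPO out to production by linking a copy with a different TargetGroup value; the approval step in the WSUS console is what keeps the "test first" flow in the diagram honest, since a client only installs what has been approved for its group.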
Summary
Delegation and Custom MMCs
File Server Management
Microsoft Resource and Training Options
Overview
Windows Server 2003 Versions
Windows NT 4.0 Migration Strategies
Novell Migration Strategies
Microsoft Learning Courses
Windows Server 2003 Family
Productive: easier for you to deploy, manage, and use
Dependable: enables you to deliver a reliable, secure, and scalable platform for applications and network services
Connected: empowers you with a complete server platform to quickly build connected solutions
Best economies: enables you to maximize business value by leveraging the largest partner-solution ecosystem
Windows NT 4.0 Upgrade
Maximize return/minimize risk when choosing servers/roles to upgrade
–Domain Controller upgrades provide the most immediate benefits of Active Directory
–File Server upgrades give greatest ROI
Always have a fallback plan
–Test your plan before the upgrade
Leverage your partner’s expertise in the upgrade process
–Excellent experience to draw upon
Novell Migration Strategies
Inventory NetWare Servers and Respective Roles
Determine Migration Methodology
– Gradual
– Direct
Prepare and install Microsoft Directory Synchronization Service (MSDSS)
Migrate NDS/Bindery to Active Directory
Migrate File and Print
Migrate Files
Microsoft Official Learning Products
Course 2273, Managing and Maintaining a Microsoft Windows Server 2003 Environment (5 Day)
Course 2276, Implementing a Microsoft Windows Server 2003 Network Infrastructure: Network Hosts (2 Day)
Course 2277, Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services (5 Day)
Microsoft Official Learning Products
Course 2278, Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (5 Day)
Course 2279, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (5 Day)
Course 2282, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure (5 Day)
Microsoft Certified Professional Program
http://www.microsoft.com/learning/
MCP, MCSA, MCSE, MCAD, MCSD, MCDBA, MCT
Summary
Windows Server 2003 Versions
Windows NT 4.0 Migration Strategies
Novell Migration Strategies
Microsoft Learning Courses
Evaluation
http://www.microsoft.com/uk/technet