active directory network

Upload: jyothi

Post on 22-Feb-2018


TRANSCRIPT

  • 7/24/2019 Active Directory network

Introduction of Network

NETWORK:

A network is a collection of computers connected together.

NETWORKING:

It is a process of communication between the interconnected devices, basically to share the network resources.

Benefits of Networking:

1. Share resources.
   i) Data
   ii) Hardware
2. Share S/W
3. Sharing of license

A network is a collection of computers connected together to benefit from networking.

Networking: Networking is a process of communication among systems.

Types of Networks

1) Local Area Network (LAN):

Systems connected within the same geographical area are called a LAN. A LAN can span 2 kilometers.

Components of LAN:

1. NIC (Network Interface Card)
2. Cable - Coaxial, Cat5 or Cat6
3. Hubs or Switches.

2) Metropolitan Area Networking:

A MAN is a combination of LANs or WANs located and connected within the same city.

Components of MAN:

1. Router
2. Brouter (a Brouter is a combination of bridge or router)
3. ATM Switches
4. DSL connectivity (DSL - Digital Subscriber Link), ex: Star cables.

3) Wide Area Networking (WAN):

Interconnection of LANs or MANs located within the same geographical area or a different area; it depends on telecommunication services.

Components of WAN: same as MAN.

Network Devices

Hubs, Switches, Routers and NICs.

HUB:

A hub is a centralized device that provides communication among systems. When we have more than 2 computers, we need a device called a hub to interconnect them.

Disadvantage of a Hub:

1) When we want to transfer some data from one system to another system.
2) If our network has 24 systems, the data packet, instead of being sent only to the destined system, is sent to all the network participants (i.e. 24 systems).
3) Hubs follow broadcasting.

SWITCH:

1) It is an advanced version over a Hub.
2) The main benefit of a switch is unicast. Data packets are transmitted only to the target computer instead of all.
3) A switch maintains a table called MIT (MAC Information Table), which is generated as soon as we turn on the switch. It acts like an index table and eases the process of finding the networked system. The MIT contains the port no., IP address and MAC address.

MAC (Media Access Control): It is an address burnt into the NIC by the manufacturer.

A MAC address is 48 bits, in hexadecimal form.

Every NIC has its own unique MAC address.

The MAC address determines the physical location of a system.

ROUTER:

A router is a device that connects two different networks, e.g. a Class A network with a Class C network.

Routing is a process of communication between two different networks.

Topology

The way of cabling is called topology.

The architecture of a network is called topology.

There are 2 topologies:

1) Network Topologies
2) Logical Topologies

Network Topologies:

E.g.: Bus, Star, Ring, and Mesh topologies.

Bus Topology:

Components of Bus Topology:

1. Co

hub or a switch, it uses Cat5/6 cables.

It uses connectors called (Recommend Jack) - RJ45

Star topology offers faster data transfer or processing.

Ring Topology:

Ring topology is useful when we want redundancy (fault tolerance).

Ring topology uses a device called MSAU (Multi Station Access Unit).

It is a unit inside which a logical ring is formed. This ring ensures the availability of the network. The availability of the ring ensures availability of the network.

It was basically implemented in IBM networks.

Logical Topologies:

There are 2 types:

1) Workgroup
2) Domain

Workgroup (peer to peer):

- Collection of computers connected together to share the resources.
- No servers are used.
- Only client OS is mostly used.
- Any O/S like DOS, 95, 98, workstation, Win 2000 Pro, and XP Pro can be configured as work

1. Desktop O.S.: DOS, 95, WKS, 98, 2k Prof., XP

- Processor: Pentium 733MHz
- HDD free space 1.5GB
- SMP: 64 processors

IP

Class E: Used for experimentation.

(The first four bits of the first octet are reserved as 1111.)

The first bit of the first octet is called the priority bit, which determines the class of N/W.

0.0.0.0 is reserved as N/W ID.

255.255.255.255 is reserved as broadcast ID.

127.0.0.1 is reserved as loopback ID.

Implementing/Configuring TCP/IP:

On Desktop

Right click on My Network Places

Purpose of A.D.:

1. Provides user logon authentication services.
2. To organize and manage user A/Cs, computers, groups and n/w resources.
3. Enables authorized users to easily locate n/w resources.

Features of A.D.:

1. Fully integrated security system with the help of Kerberos.
2. Easy administration using group policy.
3. Scalable to any size n/w
4. Flexible (install/uninstall)
5. Extensible (modify the schema)

New features in 2003

6. Rename computer name & domain names.
7. Cross-forest trust relationship.
8. Site

Step 1: on 2003 machine

Start > Run > dcpromo > next > next
Select domain controller for a new domain
Domain in a new forest > next
Specify the domain name (Ex: zoom.com)
NetBIOS name (do nothing) > next
database > next
sysvol > next
Select middle one > next
Provide pwd > next
Restart - when it prompts

After installing A.D.:

Go to
Start > Programs > Administration Tools

We should notice 5 options like ADUC, ADDT, ADSS, DCSP, and DSP

Removal of Active Directory

Safe removal of A.D.:

Start > Run > dcpromo

Forceful removal of A.D.:

Start > Run > dcpromo /forceremoval

Tools used for Active Directory

Active Directory Domains and Trusts:

- Implementing trusts
- Raising domain/forest functional levels
- Adding user logon suffixes

Active Directory Sites and Services:

- Configuring intrasite/intersite replication
- Configuring global catalog
- Creation of sites, site links, subnets.
- Scheduling replication

Active Directory Users and Computers:

- Managing users/groups
- Managing computers.
- Managing OUs
- Managing Group Policy (Domain Level)
- Managing Operations masters.
- Raising domain functional level.

Domain controller security policy:

- Set account, audit and password policies
- Set user rights
- Permissions or policies pertain only to the DC where you set them.

Domain security policy:

- Set account, audit and password policies
- Set user rights
- Permissions or policies pertain to the DC as well as to all the domains within.

Additional Domain Controller

Requirements:

D.C.
Static I.P.
DNS
Stand

Step 2: Start > Run > dcpromo > next > next > select ADC for an existing domain

- Specify administrator's name & pwd.
- Domain name of DC (e.g. zoom.com)
- Browse the domain
- Next > next > restore pwd.

ADC is a backup for DC

- ADC maintains a backup copy of A.D., which will be in read-only format.
- ADCs provide fault tolerance & load balancing
- There can be any no. of ADCs for a DC.
- ADCs should be placed and maintained offsite, away from the DC.
- ADC maintains same domain name.

Verifying whether the server is configured as DC or ADC.

- Start > Run > cmd > net accounts
- For DC we will find "primary"
- For ADC we will find "Backup"

Active Directory Component

Logical Structure      Physical Structure
Domains                Sites
Trees                  Domain Controllers
Forest
Organizational Unit

A.D. Components:

- Logical structure is useful for organizing the network.
- Logical components cannot be seen
- Physical structure is useful for representing our organization for developing the organizational structure.
- It reflects the organization (mirrors)
- Physical structure can be seen. Ex. Site - India, US, UK etc.

TREE:

A tree is a group of domains which share contiguous name space.

If more than one domain exists we can combine the multiple domains into hierarchical tree structures.

The first domain created is the root domain of the first tree.

Additional domains in the same domain tree are child domains.

A domain immediately above another domain in the same domain tree is its parent.

FOREST:

Multiple domain trees within a single forest do not form a contiguous namespace, i.e. they have non

Practical Steps for Site

Implementing sites:

Forceful replication:

On DC
Start > Programs > Admin tools > ADSS > expand sites > default first site > servers
Expand DC server > NTDS settings > right click on automatically generated > replicate now > ok.
Repeat the same for DC & ADC

Creating a site:

Open ADSS > Right click on sites > New site > Site name (e.g. UK, US) > Select default site link > Ok

Moving ADC into another site:

Select ADC > Right click on ADC > Select move > Select site.

Creating a Site link:

Expand inter site transports > Right click on IP > Select new site link
Link name (ex. Link US - UK)

Scheduling a site link:

Expand inter site transport > IP > Double click on site link > Change schedule
Click on replication not available > set the timings > click on replication available.

NTDS.DIT:

KCC (Knowledge Consistency Checker):

It is a service of A.D., which is responsible for intimating, or updating the changes made either in DC or ADC.

Active Directory is saved in a file called NTDS.DIT

C:\windows\ntds\ntds.dit

NTDS.DIT - New Technology Directory Services. Directory Information Tree

It is a file logically divided into four partitions.

1. Schema partition
2. Configuration partition
3. Domain partition
4. Application partition

The schema is a set of rules that defines AD. It has 2 parts: classes & attributes. AD is constructed with the help of classes and attributes.

1. Schema:

Logical partition in AD database; "template" for AD database.
Forms the database structures in which data is stored.
Extensible
Dynamic
Protected by ACLs (Access Control Lists): DACLs and SACLs (Directory & System ACLs)
One schema for AD forest.
Collection of objects is called class.
Piece of information about the object is called attribute.

2. Configuration Partition:

Logical partition in AD database.

- "map" of AD implementation
- Contains information used for replication logon searches.
- Domains
- Trust relationships
- Sites & site links
- Subnets
- Domain controller locations.

3. Domain Partition:

- Logical partition in AD database.
- Collections of users, computers, groups etc.
- Units of replication.
- Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain.
- DCs do not replicate domain partition information for other domains

4. Application Partition:

- It is a newly added partition in Win2003. It can be added or removed

- It can be replicated only to the specified DCs.
- Useful when we are using AD integrated services like DNS, TAPI services etc.

FSMO Roles:

Flexible Single Master Operations Roles:

Forest wide Master Operation:

1. Schema master
2. Domain Naming master

Domain wide master operation:

3. PDC emulator
4. RID master
5. Infrastructure master

1. Schema Master:

Responsible for overall management of the entire schema in a forest.
The first DC installed acts as a schema master in the entire forest.
There can be only one schema master in the entire forest

2. Domain Naming Master:

Responsible for addition/removal of domains.
It maintains the uniqueness of domain names.
There can be only one DNM in the entire forest.

3. PDC emulator:

PDC provides backward compatibility for existing NT BDCs and workstations (if it is running in mixed mode).
PDC updates the password changes made by the users.
It is also responsible for synchronizing the time.
There can be only one PDC emulator per domain.

4. RID master:

Responsible for assigning unique IDs to the objects created in the domain.
There can be only one RID master per domain

SID - Security Identifier: it maintains an access control list. It is divided into two parts.

1. DID (Domain Identifier)
2. RID (Relative Identifier)

For knowing the SID of the user:

Start > Run > cmd > whoami /user
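
The split described above (domain identifier plus RID), worked through as an added example that is not part of the original notes. The sample SID is constructed and the function names are hypothetical; the binary layout and the well-known RIDs are the standard Windows ones.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known RIDs that Windows assigns to built-in domain accounts and groups.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed sample values (not taken from any real domain).
SAMPLE_SID_TEXT = "S-1-5-21-1004336348-1177238915-682003330-512"
SAMPLE_SID_BYTES = (
    struct.pack("<BB", 1, 5)          # revision, sub-authority count
    + (5).to_bytes(6, "big")          # identifier authority (5 = NT Authority)
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 512)
)


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        fields = ["S", self.revision, self.authority, *self.sub_authorities]
        return "-".join(str(f) for f in fields)

    def is_domain_account(self) -> bool:
        # Domain principals look like S-1-5-21-<three domain values>-<RID>.
        s = self.sub_authorities
        return self.authority == 5 and len(s) == 5 and s[0] == 21

    def domain_identifier(self) -> Optional[str]:
        """Everything except the last sub-authority (the 'DID' of the notes)."""
        if not self.is_domain_account():
            return None
        return str(Sid(self.revision, self.authority, self.sub_authorities[:-1]))

    def rid(self) -> Optional[int]:
        """The last sub-authority, handed out by the RID master's pool."""
        return self.sub_authorities[-1] if self.is_domain_account() else None


def parse_sid_string(text: str) -> Sid:
    """Parse the text form printed by `whoami /user`."""
    fields = text.strip().upper().split("-")
    if len(fields) < 3 or fields[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    try:
        revision, authority, *subs = (int(f) for f in fields[1:])
    except ValueError:
        raise ValueError(f"non-numeric field in SID: {text!r}") from None
    if revision != 1 or len(subs) > 15 or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, tuple(subs))


def parse_sid_bytes(data: bytes) -> Sid:
    """Parse the binary form stored in ACL entries and the objectSid attribute."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")     # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", data[8:])     # 32-bit, little-endian
    return Sid(revision, authority, subs)


def describe(sid: Sid) -> dict:
    rid = sid.rid()
    return {
        "sid": str(sid),
        "domain_identifier": sid.domain_identifier(),
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
    }


if __name__ == "__main__":
    print(describe(parse_sid_string(SAMPLE_SID_TEXT)))
    print(describe(parse_sid_bytes(SAMPLE_SID_BYTES)))
```
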

5. Infrastructure master:

Responsible for maintaining the updates made to the user & group membership.
It also maintains universal group membership.
There can be only one infrastructure master per domain

The term flexibility means we can transfer any of the 5 roles from DC to ADC.

Transfer of ROLES

We can transfer the roles for some temporary maintenance issues on to ADC and again we can transfer back the roles onto DC.

We can transfer the roles in two ways

1. Command mode
2. Graphical mode

Transfer of roles through command:

On DC
Go to command prompt and type ntdsutil
Type: roles
Connections
Connect to server (name of ADC, ex. sys2)
Q
Transfer schema master
Transfer RID master
Transfer infrastructure master
Transfer PDC
Q
Q
Exit

Transferring roles using UI:

On DC
Register the schema

For registering schema

Start > Run > regsvr32 schmmgmt.dll

Transferring schema master

On DC
Start > Run > mmc > click on File > select Add/Remove Snap-in
Select A.D. Schema > add > close > ok
From console root
Expand console root
Right click AD Schema
Change domain controller
Specify name
Ok
Right click AD Schema
Select operations master
Click on change > Yes > ok > File > exit (need not save)

Transferring Domain naming master:

On DC
Start > Programs > Admin tools > ADDT > right click on ADDT
Connect to domain controller
Select ADC
Ok
Right click on ADDT > Operations master
Click on change > yes > ok > close

Transferring Domain wide master operations:

Start > Programs > Admin tools > ADUC
Right click on ADUC
Connect to DC
Select ADC > ok
Right click on Domain name
Select operations master > Change > yes
Select PDC > change > yes > select infrastructure > change > close > close.

Global Catalog

It is a service responsible for maintaining information about the objects and serving the requests made by the users by providing the location of the object.

Global Catalog runs on port number 3268.

All types of queries are first heard on this port number and forwarded to port no. 389 (LDAP's).

Maintains the complete information about the objects within the same domain and partial information about other domains.

GC communicates to infrastructure master.

If DC & ADC are located in the same location only one GC is enough.

If the DC & ADC are located remotely, to avoid network traffic we need to configure ADC as GC

Infrastructure master contacts global catalog for obtaining the updates about user & group membership and universal group membership.

The primary functions of GC:

To maintain universal group membership information, to easily locate the objects within the AD.

Configuring a Global Catalog server.

Either on ADC or on Child DC
Start > Programs > Admin tools > ADSS > expand sites > default first site > server
On NTDS right click > properties
check the box Global Catalog.

Installing Child Domain

Requirements:

Parent DC
Member server or stand alone server
Static IP
DNS
NTFS volume with 250 MB of free HDD space

On Member Server or stand alone machine specify the server's DNS.

Start > Run > dcpromo > next > next > next
domain controller for a new domain > next
Child Domain in an existing tree > specify the parent domain's administrator's name & pwd.
Specify the child name > next > NetBIOS name
next > database folder > next > sysvol > next > restart.

New Domain Tree in Existing Forest

Requirements:

Forest initial domain controller (or root domain controller)
On member server or stand

2. Forest Functional Level:

a) Windows 2000 mixed
b) Interim
c) Windows 2003 server.

1.a) Windows 2000 mixed:

By default when we install 2000 or 2003 O/S it gets installed in Win 2000 mixed mode.
This mode supports older versions of Win2003. We can add NT, 2000 flavors in 2003 networks.

1.b) Windows 2000 native:

It supports only 2000 and 2003; Native mode can have 2000 & 2003 flavors only.

1.c) Interim:

This mode can have NT and 2003. Useful when we upgrade NT to 2003

1.d) Windows 2003 server:

This mode supports only 2003 server family.
We can't join NT/2000 domains

Types of Trusts:

Trust relationships in Windows Server 2003:

Default - two way transitive Kerberos trusts (intra forest)
Shortcut - one or two way transitive Kerberos trusts (intraforest). Reduce authentication requests
Forest

Realm - one or two way non

Raising Domain Functional Level in both the machines:

Start > Programs > Admin tools > ADDT > right click on Domain
raise Domain Functional Level > select Win 2003 > click on raise > ok > ok

Raising Forest Functional Level:

Start > Programs > ADDT > right click on ADDT
raise forest functional level > select Win2003 > raise > ok.

Member Server

A server, which is a part of DC, is called Member Server.
Servers like WINNT, 2000 and 2003 can be configured as Member Server.
Server, which is part of the Domain, is called Member Server.

Member Servers are used

Load balancing
Load sharing from DCs

A member server can be configured as any of the following servers.

1) Application service (Oracle/SQL)
2) Mail server
3) File server
4) Print server
5) DNS server
6) DHCP server
7) Web server
8) RIS server
9) RAS server
10) T.S.

Configuring a member server:

Requirements:

DC
Stand alone server 2003 flavor
On Stand

These can be created on the local machines where the client works. Ex. 2000 Prof., XP Prof.

Creating a Domain User Account:

On DC
Start > Programs > Admin tools
ADUC > expand domain name (ex. IBM.com)
Right click on Users > New > User
supply name & pwd.
User must change pwd at next logon
next > finish

Creating a Domain User A/C through command prompt:

Start > Run > cmd
dsadd user cn=username,cn=users,dc=ibm,dc=com -pwd zoom123

For removing:

dsrm cn=username....

Creating a local user Account in Member Server:

On member server
Log on to local user a/c
Right click on My Computer
Manage > Expand Local Users > Right click on Users.
New User > Supply the user name & pwd
Click on Create
Log off
Log in as user

Creating a Local user a/c from command mode:

On member server
Login as administrator
Go to command prompt
net user username password
Ex: net user u1 zoom123 /add
If we want to delete: /del

Editing Policies

User rights assignments (Logon locally: allowing the logon locally right to a normal user):

On DC
Create a user a/c in ADUC
Allowing him to logon:
Start > Programs > Admin tools > DCSP
expand local policies > user rights
Double click Allow logon locally > add the user.
Start > Run > gpupdate.

Verify:

On DC logon as a user

Disabling password complexity policy:

Start > Programs > Admin tools > Domain Security Policy
expand A/C policies > Password Policy
Double click on P/W must meet complexity requirements.
Select Disabled
Apply > ok
Minimum pwd length (set it to 0 characters)
Close

For refreshing policy

Start > Run > cmd > gpupdate

Password policies:

Enforce password history (24 pwds remembered)
Maximum P/W age
Minimum pwd age
Pwd must meet complexity requirements
Store pwds using reversible encryption.
Re
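
An added example, not part of the original notes: `net accounts`, used earlier to tell a DC from an ADC, also prints the account policy values edited in this section, so one parser can check both. The two sample outputs are constructed; the history baseline of 24 is the value given in the list above, while the minimum length of 8 and the lockout check are assumptions.

```python
import re

BASELINE_HISTORY = 24      # "Enforce password history (24 pwds remembered)" in the notes
BASELINE_MIN_LENGTH = 8    # assumption, not a value from the notes

# Constructed sample: an ADC after complexity was disabled and length set to 0.
WEAK_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        BACKUP
The command completed successfully.
"""

# Constructed sample: a DC with a stricter policy.
STRICT_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              12
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# "<label>:<two or more spaces><value>"; the status line at the end has no value.
LINE_PATTERN = re.compile(r"^(?P<key>.+?):\s{2,}(?P<value>\S.*)$")


def parse_net_accounts(output):
    """Turn `net accounts` output into a {label: value} dictionary."""
    settings = {}
    for line in output.splitlines():
        match = LINE_PATTERN.match(line.rstrip())
        if match:
            settings[match.group("key").strip()] = match.group("value").strip()
    return settings


def as_int(value):
    """Numeric settings come back as digits; Never/None/Unlimited map to None."""
    return int(value) if value is not None and value.isdigit() else None


def controller_type(settings):
    """Map the 'Computer role' line to the DC/ADC wording used in the notes."""
    role = settings.get("Computer role", "").upper()
    return {"PRIMARY": "DC", "BACKUP": "ADC"}.get(role, "not a domain controller")


def audit_password_policy(settings):
    """Return one finding per setting that falls below the baseline.

    Complexity and reversible encryption are not shown by `net accounts`,
    so they have to be checked in the security policy itself.
    """
    findings = []
    length = as_int(settings.get("Minimum password length")) or 0
    if length < BASELINE_MIN_LENGTH:
        findings.append(f"minimum password length {length} is below {BASELINE_MIN_LENGTH}")
    history = as_int(settings.get("Length of password history maintained")) or 0
    if history < BASELINE_HISTORY:
        findings.append(f"password history {history} is below {BASELINE_HISTORY}")
    if not as_int(settings.get("Lockout threshold")):
        findings.append("no account lockout threshold is set")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("strict", STRICT_SAMPLE)):
        parsed = parse_net_accounts(sample)
        print(name, controller_type(parsed), audit_password_policy(parsed))
```
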

In order to make a resource available over the network and to be accessed by network users we need to implement sharing.

The moment we create a share on a server, the server acts like a file server.

Sharing a resource:

On DC
Open My Computer
Select any drive
Create a new folder
Give name of the folder
Right click on the folder
Select Sharing and Security
Share this folder
Apply > ok

Accessing share resources from a client machine:

On client machine
Open My Network Places
Entire Network
Microsoft Windows N/W
Domain name (ex. Zoom)
Computer name

Creating a share through command line:

On DC
Go to command prompt
md sharename
net share sharename=c:\sharename

Connecting to a share resource through a command prompt:

On member server
Go to command prompt
net use z: \\computername\sharename

Mapping a drive (connecting to the share from UI):

On member server
Right click on My Computer
Map Network Drive
Select the drive letter

Uncheck or check Reconnect at logon
Browse the share folder
Computer name > share name > ok > finish.

Permissions:

Using permissions an administrator can either allow or deny access to a resource.

A resource can be a network resource or a local resource.

Permissions are of two types:

1. Share level
2. File system or NTFS

Share level permissions

Share level permissions are applied over the network.

Share level permissions are not applied on the local machine where the resource exists.

There are three types of share level permissions

Full control    RWXDO (Read/Write/Execute/Delete/Ownership)
Change          RWXD
Read            R

Practice:

On DC
Create a share
Create three users
Set permissions

Setting permissions:

Create folder > share > right click on folder > properties > permission
Remove Everyone
Add all the users whom you want to allow or deny.
Apply > ok.

Verification:

Move on to client machine
Login as different users
Try to access the n/w resources.

2. NTFS permissions:

NTFS permissions are powerful permissions and they offer file and folder level security. NTFS permissions are useful for securing locally available resources.

NTFS Features:

File/folder level security
Compress
Encryption
Quotas
Reduced fragmentation
Hot fixing
Volume shadow copy services
Mounting
Separate recycle bin for each user

NTFS permissions:

Full control            RWXDO
Modify                  RWXD
Read & Execute          RX
List folder contents    L
Read                    R
Write                   RW

Implementing NTFS permissions:

On member server

Login as administrator on member server
Create a folder
Folder properties
Security
Advanced

Profiles are used for providing basic user environment needs

Environment needs can be

Desktop settings
Startup applications
N/W connectivity.

Profile is responsible for providing the initial desktop environment needs with the help of desktop folder, favorites, cookies, my documents, start menu, Internet settings, n/w connections etc.

When a user logs in for the first time the user will be loaded with a default user profile.

Default user profile is located under

C:\Documents and Settings\Default User

Types of profiles:

1) Local profile
2) Roaming profile
3) Mandatory profile

Local profile:

It is a profile loaded for the user and saved in the local hard drive where the user works.

The profile will be saved when a user logs off.

Local profiles are limited only to the machine where they are saved.

A user with a local profile will not be loaded with a network profile when he logs on from another machine.

Verifying the type of the profile:

My Computer
Properties > Advanced
User profile - settings

Roaming Profile:

It is a profile which is saved in the shared folder on the server, hence available in the entire network.

Roaming profile is a n/w profile which is available in the entire network. As a result when a user logs in from any machine in the n/w he will be loaded with a roaming profile.

Creating a roaming profile:

On DC
Create a user A/C
Create a folder
And share it and give full control permission for everyone
Start > Programs > ADUC
Double click the user
Profile
Profile path ex: \\sys1\profile\username
Apply - ok

Move on to member server:

Log in as user
My Computer
Properties
Advanced

Ntuser.dat to ntuser.man
Back
Give back the permission (ownership)
Folder
Properties
Security - advanced
Check the box Allow inheritable
Check - Replace permission entries on all
Apply - ok.

Verifying:

Move on to client machine
Login as user
Make some desktop changes
Create a folder or delete a folder

For removing mandatory profile just rename ntuser.man to ntuser.dat

Home folders:

Home folders are separate folders where users save their data and protect their data from other users. Every user can have one home folder, either on the server or on the local machine.

If the home folder is in the server an administrator can secure it and back

Apply > ok

Verifying:

On client machine
Log in as user
Open My Computer
We should notice an extra drive letter
Go to cmd prompt
We should not get the drive letter we have assigned.

Creating a local home folder:

On Member server
Login as administrator
Create a folder in any drive
Share it > Permissions
Remove Everyone
Add administrator & u2
Give full access
Apply - ok
Move on to server or DC
Open ADUC > create a user
Go to user properties > Profile
Home folder
Give local path
Ex: E:\u2home
Apply

offline)

Implementing offline folders:

On server client
Open My Computer > Tools
Folder Options
Offline Files
Check the box Enable Offline Files
Apply - ok
Repeat same process on the client also

On server
Create a folder
Share it
Everyone full access

On the client machine
Access the share resources through the n/w places
Right click on the share resources
Make Available Offline
Next
Check the box automatically
Next - finish

On the client machine
Access the n/w share
Disabling NIC
Network places
Properties
Right click on LAN > select disable
Open n/w places
We will notice another system
Access the offline folder from server
Do some modifications to that folder
Enable NIC.

DFS (Distributed File System)

DFS allows administrators to make it easier for users to access and manage files that are physically distributed across a network.

    With (=&2 #ou can make files distri!uted across multiple ser"ers. It ma# appear

    for users that files actuall# reside in one place computer' on the network.

    Benefits of DFS

    1. Easy access:

    Users need not remember multiple locations from where they get data; just by remembering one location they get access to the data.

    2. Fault tolerance:

    For a master DFS server we can have a replica (Target) on another DFS server. If the master DFS server fails, users can still continue accessing the data from the backup DFS (Target). There is no interruption to accessing data.

    3. Load balancing:

    If all the DFS root servers and targets are working fine it leads to load balancing. This is achieved by specifying locations for separate users.

    4. Security:

    We can implement security by using NTFS settings.

    DFS Terminology:

    1. DFS root

    2. DFS links

    3. DFS targets

    4. Domain DFS root

    5. Stand-alone DFS root

    Domain DFS root:

    It is a server configurable in the domain and offers fault tolerance and load balancing. It is a root server, which maintains links from other file servers.

    Requirements:

    DC or Member Server


    Stand


    Create 2 folders.

    Share them & give full control permission

    On Member Server also same process

    On DC

    Start - P - Admin tools - DFS - right click on DFS

    New link - Link name (e.g. Germany)

    Browse the share folder from DC

    Ok

    Create all four links, two from DC & two from member server

    Accessing the resources (links):

    Either on DC or member server

    \\domain name\DFS root name

    ex: \\zoom.com\DFS root

    Implementing of DFS target:

    On DC

    Open DFS

    Right click on DFS root

    Select new root target

    Browse server name - next

    Browse folder to share

    Next - finish

    Replication:

    After configuring the target we can configure the replication between DFS root and DFS target, and this can be scheduled.

    Types of replication topologies:

    Ring topology

    Hub & spoke topology

    Mesh topology

    Configuring replication between DFS root & target.

    On DC

    Open DFS

    Right click on the DFS root

    Configure replication - next


    Select topology

    Finish

    Disk Quotas

    It is a new feature of 2000 & 03.

    Using this feature an administrator can restrict the users from using disk space, i.e. an administrator can limit the size of the disk space usage.

    Quotas can be implemented in two ways:

    1) On computer basis (local machine)

    2) User basis (network resource)

    Quotas can be implemented only on NTFS volumes.

    Implementing quota for a user (user basis):

    On member server

    Login as administrator

    Open my computer

    Right click on D or E drive

    Properties

    Quota

    Check the box enable quota management and

    Deny disk space to users

    Click on quota entries tab - Select quota

    New quota entry

    Select the user

    Set limit disk space to the user (in KB or MB only)

    Verification

    Login as user

    Open the restricted or quota drive

    Try to save something

    Implementing quota on computers

    On member server

    Login as admin

    Open my computer

    E drive properties


    Quota

    Enable quota management

    Deny disk space to user

    Select limit disk space

    Specify the limits in KB or MB

    Apply - ok

    Organizational Units (OU):

    It is a logical component of AD.

    It is a container object.

    It can contain objects like users, groups, computers, share folder, printer, and contacts.

    OUs are basically used for dividing a single domain into smaller portions for efficient management and organization of the resources.

    Creation of OUs:

    On DC

    Start - P - admin tools - ADUC

    Right click on the domain

    New

    Organizational unit

    Give the name of the unit

    Delegate Control

    Useful when an administrator wants to hand over partial administration of the domain to an assistant administrator. Delegate control can be assigned to sub admins on OUs or on domains.

    Assigning Delegate control for sub administrator.

    On DC

    Open ADUC - select domain controller (right click)

    New user

    Right click on OU - Delegate control

    Next - add the user we've created.

    Next - select as our wish

    Next - finish

    Verification:


    Move on to member server

    Login as sub administrator

    Start - run - dsa.msc

    Try to create users in delegated OU

    Taking back delegation of control from a User:

    On DC

    Open ADUC

    Click on view

    Advanced features

    Select the OU which we want to take back control

    Right click - properties

    Security

    Select the sub admin user

    Remove - apply - ok

    Group Policy

    It is a feature of 2000 & 03 with which an administrator can have full control on users and computers. Using group policy we can implement security, policies, software deployment, folder redirection, Internet Explorer maintenance.

    Group policies enable the users either to access or to be denied of an object.

    Group policy can be implemented on computers & users.

    Group Policy Object (GPO):

    GPO defines policies implemental for the objects. One group policy object can be linked with multiple objects like site, domains, DCs, OUs, etc…

    The order in which the group policy is applied when a user logs in:

    Computer policy

    Eg: no shut down, no time setting

    User profile

    Eg. Local, roaming, mandatory

    User policy (local computer)

    Site


    Domain

    OU

    Implementing group policy on OU:

    Aim: Deny accessing Control Panel

    On DC

    Open ADUC

    Create an OU

    Create user within the OU

    Right click - properties

    Group policy - new

    Specify GPO name

    Edit

    Expand user configuration

    Select administrative templates - Control panel

    Double click “prohibit access to control panel”

    Select enable

    Apply - ok

    Policy inheritance:

    If we implement policy on sites it applies to all the domains and OUs within that site. All the domains & OUs within that site inherit policy from its parent.

    Block policy inheritance:

    Block policy inheritance is useful for blocking the inheritance of the policy from its parent object.

    Note:

    1. Useful when we have to perform shorter administrative tasks.

    2. When there is conflict between two policies applied to the same object.

    Implementing block policy inheritance:

    On DC

    Open ADUC - create an OU and a child OU within it.

    Create a user a/c in child OU

    On the parent OU deny control panel

    Select child OU properties

    Group policy


    Check the box block policy inheritance

    Verification

    Move to client machine, log in as the user we have created in child OU.

    We should notice control panel.

    No override:

    It is an option available from group policy, useful when we want to override all the policies implemented on the child objects.

    Implementing override

    On DC

    Open ADUC

    Select the parent OU we have created

    Properties

    Group policy

    Options - select no override

    Note: No override is opposite to block policy inheritance.
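The interaction of inheritance, Block policy inheritance and No override described above can be traced with a small model. This is an added example, not code from the original notes or from Microsoft; it is a simplified model (no link order, security filtering or local policy), and the GPO names `DenyCP` and `ChildCP` are constructed.

```python
from dataclasses import dataclass, field

CP = "Prohibit access to Control Panel"   # setting name used on this page


@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False        # the "No override" link option


@dataclass
class Container:                     # a site, domain or OU
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False  # "Block policy inheritance" checkbox


def effective_settings(path):
    """path lists containers from the top (site) down to the user's OU.

    Returns {setting: (value, winning GPO name)}.
    """
    # Ordinary GPOs linked above the lowest blocking container are dropped.
    lowest_block = max(
        (i for i, c in enumerate(path) if c.block_inheritance), default=0)
    ordinary, enforced = [], []
    for i, container in enumerate(path):
        for gpo in container.gpos:
            if gpo.no_override:
                enforced.append(gpo)          # ignores Block inheritance
            elif i >= lowest_block:
                ordinary.append(gpo)
    result = {}
    # Ordinary GPOs: top down, so the container closest to the user wins.
    # No-override GPOs go last, bottom up, so the highest parent wins.
    for gpo in ordinary + enforced[::-1]:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def scenario(block=False, no_override=False, child_value=None):
    """Parent OU denies Control Panel; child OU holds the user (constructed)."""
    parent = Container("Parent OU",
                       [GPO("DenyCP", {CP: "Enabled"}, no_override)])
    child = Container("Child OU", block_inheritance=block)
    if child_value is not None:
        child.gpos.append(GPO("ChildCP", {CP: child_value}))
    path = [Container("Site"), Container("zoom.com"), parent, child]
    return effective_settings(path)


if __name__ == "__main__":
    print("inherited      :", scenario())
    print("blocked        :", scenario(block=True))
    print("block+override :", scenario(block=True, no_override=True))
    print("child conflict :", scenario(child_value="Disabled"))
    print("conflict+no ovr:", scenario(no_override=True, child_value="Disabled"))
```

When auditing a delegated OU, a blocked child OU that still shows the parent's setting points to a No override link higher up.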

    Important group policies

    User configuration

    Administration templates - Windows components

    Windows explorer


    2 Windows settings

    3 Security settings

    2. User configuration

    4 Software setting

    5 Windows setting

    6 Administrative templates

    Software Deployment

    It is a feature of 2000 & 03 that can be implemented through group policies either on computers or users.

    It is a process of spreading out the software required onto the client machines when a user starts the computer.

    With the help of software deployment we can install, uninstall, upgrade, repair and add patches & service packs.

    Software deployment is possible only when the software is with .msi extension.

    (msi - Microsoft Installer)

    MSI provides the services like

    Installation

    Uninstallation

    Roll back

    Repair over the network.

    Software deployment is possible only with .msi or .zap extension.

    Using WININSTALL LE 2003 software we can convert *.exe files to *.msi files.

    Setup.exe file cannot be deployed over the network but can be converted to setup.msi files with the help of the software ‘wininstall le2003’. This is the product of Veritas Company.

    Installing wininstall le2003 software

    On DC

    Open D or E drive - Application folder

    Double click on wininstallle.exe

    Next - I accept - next

    Provide email details - next

    Next - next - install - finish.

    Phase - I


    Converting .exe to .msi (before snap shot)

    On DC

    Open my computer

    Select any drive

    Create 2 folders with the names .exe and .msi

    And share them with full access

    Open D or E drive

    Open application folder

    Copy acrobat & retina

    Paste it in the .exe folder we have created

    On DC

    Start - p - wininstall le2003

    Right click on that

    Run discover - ok - next

    Specify the name of the application (ex. Acrobat)

    Click on the dotted tab

    Browse .exe folder from my n/w places

    Open the folder and name the application (ex. Acrobat.msi)

    Open - next - select C drive

    Add the drives, which we have

    Next - finish

    Phase - II

    Installation

    On DC

    Open my computer - Open exe folder we have created

    Install acrobat software

    In this phase II the process comes up to .mxi

    Phase - III

    Performing After snap shot

    On DC

    In wininstall le

    Right click on wininstall le packages - Run discover - ok

    Perform after snap shot

    Next

    P


    Registry

    Software

    Available

    .mxi .msi

    Conversion Process

    Phase - I (before snap shot)

    In this phase wininstall le scans the complete system and the registry and checks for installed applications, and takes the snap shot of the current condition of the OS.

    Phase - II (Installation):

    In this phase we have to install the software, which we want to convert to .msi

    Phase - III (After snap shot):

    In this phase wininstall le compares two previous states, before snap shot & installation, and takes another snap shot with installation.

    Note: Using these three phases the Microsoft software installer can troubleshoot or deploy the software.

    Software Deployment

    On DC

    Open ADUC

    Create 2 OUs

    Create a user in each OU

    Select 1st OU properties

    Group policy - new

    Name the GPO (ex. Deploy)

    Edit user configuration

    Software settings

    Right click s/w installation - New package

    Browse the msi s/w from my n/w places

    Select .msi

    Select publish

    Ok

    Verification:


    On member server

    Login as user we've created in OU

    Open control panel

    We should notice the s/w we've deployed

    Add/remove program

    Ok

    Types of deployment

    1) Publish

    2) Assigned

    3) Advanced

    1) Publish

    If we use publish, software will be available in control panel and can be installed when the user wants (on demand).

    2) Assigned

    If we select assigned, s/w gets installed on the client machine when a user opens the application for the first time.

    3) Advanced:

    It is useful when we want to upgrade s/w, install service packs or patches etc…

    Folder Redirection

    It is useful when we have implemented mandatory profile for users; as a result they cannot save anything on the desktop. If they unknowingly save, the saved desktop contents should be saved in another location; we call it folder redirection. (Users do not lose their data)

    Implementing folder redirection:

    On DC

    Create a roaming profile for a user

    And convert it into mandatory

    Note: create a new OU at first and create a user in that and make that user profile as mandatory.

    On DC

    Open ADUC


    Right click on OU we've created

    Group policy

    New - GPO name - edit

    User configuration

    Windows settings

    Folder redirection - On desktop right click

    Properties

    Select the settings as basic

    Browse share folder from n/w places

    Ok.

    Create a folder

    Share it

    Everyone full access

    Verification

    On member server

    Login as user we've created in OU

    Save something on the desktop

    Ex: save some folders - properties

    We should notice the location should be UNC path (Universal Naming Convention)

    Logoff & login

    Scripts

    Scripts are useful to automate administrative tasks, which are routine. We can have startup and shutdown scripts, administrative scripts, login & logoff scripts.

    Implementing scripts using group policy:

    On DC

    Create a folder (in D or E drive)

    Share it with full control

    Start


    Edit

    User configuration

    Windows settings

    Scripts

    Double click on logon

    Add - Browse the script we've saved in the share folder from n/w places

    Ok

    Verification:

    Move on to member server

    Log in as a user - We should notice a welcome message

    Backup

    It is a process of protecting user data or system state data on to separate storage devices.

    NT supported only one type of storage media, i.e. tapes.

    2000 & 03 supports tapes, floppies, HDDs (Hard Disk Drives), zip floppies, RSD (Remote Storage Devices)

    Back up utilities:

    The default backup utility provided by NT, 2000, 2003.

    NTbackup utility comes along with the OS. Provides minimum benefits, could have optimum benefits.

    There are some third party utilities

    1 Veritas - BackupExec

    2 Veritas - Foundation suite (for UNIX flavors)

    3 Veritas - volume manager

    4 Tivoli storage manager (IBM)

    5 Netback up

    Starting back up utility:

    On DC

    Or member server

    Start

    Run - ntbackup (or) start - programs - accessories - system tools - backup


    Backing up a folder:

    Create a folder in D drive and a file in that

    Start - run - ntbackup - click on advanced mode

    Back up

    Next - Select 2nd option (backup selected files.)

    Expand my computer, from D drive select the folder you've created

    Next

    Select the destination to save the back up

    Next - select the type of back up (ex. Normal)

    Check the box disables volume shadow copy

    Next - finish

    Verifying

    Delete the backed up folder

    Restoring the backed up folder:

    Start - run - ntbackup

    Advanced - restore - next

    Select the backed


    up. Copy is used between normal backup and incremental backup.

    3. Incremental backup:

    Backs up all selected files & folders which are changed since backup. Marks the files as having been backed up. Removes the archive bit after back up.

    4. Differential backup:

    Backs up all selected files & folders. After backup does not remove the archive bit. It backs up all the files changed since normal back up.

    5. Daily backup:

    It backs up all selected files & folders created or changed during the day. After backup it does not remove the archive bit.

    Recommended backup strategy:

    1. If we select incremental back up, backup is faster and restoration is slower, i.e. more number of tapes have to be restored.

    2. If we go with differential backup, backup is slow, but restoration is fast, i.e. just by restoring 2 tapes.
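The trade-off in the recommended strategy follows directly from how each backup type treats the archive bit. The following added example (not part of the original notes and not NTBackup's own code) models normal, incremental and differential jobs over a constructed set of files and daily changes; that a normal backup clears the archive bit is assumed here, since its definition is cut off on this page.

```python
class Volume:
    """Toy volume tracking one archive bit per file (constructed data)."""

    def __init__(self, names):
        # New files start with the archive bit set.
        self.archive = {name: True for name in names}

    def write(self, name):
        # Creating or modifying a file sets its archive bit.
        self.archive[name] = True

    def backup(self, kind):
        """Return the sorted list of files written to tape for this job."""
        if kind == "normal":
            picked = list(self.archive)              # everything selected
        elif kind in ("incremental", "differential"):
            picked = [n for n, bit in self.archive.items() if bit]
        else:
            raise ValueError(kind)
        if kind in ("normal", "incremental"):        # these clear the bit
            for n in picked:
                self.archive[n] = False
        return sorted(picked)


def run_week(kind, changes):
    """Normal backup on day 0, then one `kind` backup per day of changes."""
    vol = Volume(["a.doc", "b.xls", "c.txt"])
    tapes = [("normal", vol.backup("normal"))]
    for changed in changes:
        for name in changed:
            vol.write(name)
        tapes.append((kind, vol.backup(kind)))
    return tapes


def restore_set(tapes):
    """Indices of the tapes needed to rebuild the latest state."""
    if tapes[-1][0] == "differential":
        return [0, len(tapes) - 1]       # normal + last differential only
    return list(range(len(tapes)))       # normal + every incremental


# Constructed change log: files modified on each of three days.
CHANGES = [["a.doc"], ["b.xls"], ["a.doc", "d.ppt"]]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        tapes = run_week(kind, CHANGES)
        print(kind, [files for _, files in tapes[1:]],
              "restore tapes:", restore_set(tapes))
```

Each incremental tape stays small but all of them are needed at restore time, while each differential tape grows daily and only the last one is needed alongside the normal backup.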

    System state data:

    Components of SSD:

    12 AD

    13 Boot files

    14 System files

    15 Services

    16 Registry

    17 Cominf

    18 Cluster info

    19 I.I.S.

    SSD is a data store. If we want to back up complete AD we can back up system state data from backup utility.

    Taking a back up of system state data:

    Start - run - ntbackup - click on advanced mode

    - backup - next


    create a folder (SSD), in this folder create a file with filename .bkf

    - next - advanced - next

    Restoration

    There are two types of restoration:

    1) Non


    Tombstone:

    It is an object deleted from AD but not removed. It remains in the AD for 90 days.

    Practice:

    On DC

    Open ADUC

    Create OU & users

    Back up SSD - check the USN values of user

    Delete the user1

    Restart the system in DSRM mode

    By pressing F8

    Open backup utility

    Restore SSD - Do not restart

    Start - run - ntdsutil

    Authoritative restore

    Restore subtree cn=u1,ou=India,dc=zoom,dc=com

    Yes (or)

    Restore database

    Q

    Q

    Exit