mcitp guide to microsoft windows server 2008 server administration (exam #70-646)

MCITP Guide to Microsoft Windows Server 2008 Server

Administration (Exam #70-646)

Chapter 4

Introduction to Active Directory and Account Management

MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

2

Learning Objectives

• Understand Active Directory basic concepts

• Install and configure Active Directory

• Plan and implement Active Directory containers

• Create and manage user accounts

• Configure and use security groups

Learning Objectives (cont’d.)

• Plan how to delegate object management

• Describe and implement new Active Directory features


3

Active Directory Basics

• Directory service

• Houses information about all network resources:– Servers, printers, user accounts, groups of user

accounts, security policies, and other information

• Domain controllers (DCs)– Servers that have the AD DS server role installed

• Member servers– Do not have AD installed


4

Active Directory Basics (cont’d.)

• Domain – Fundamental component or container – Holds information about all network resources that are

grouped within it

• Each DC is equal to every other DC

• Multimaster replication– Advantage

• If one DC goes down, no network interruption


5

Active Directory Basics (cont’d.)

• Activity 4-1: Installing Active Directory


6

Figure 4-2 Installation Results windowCourtesy Course Technology/Cengage Learning

Schema

• Defines objects and the information pertaining to those objects that can be stored in Active Directory– Characteristics of objects

• Sample schema for user account– Includes globally unique identifier (GUID)

• Unique number associated with the object name

• Each attribute automatically given a version number and date – When created or changed


7

Global Catalog

• Stores information about every object within forest

• First DC configured in a forest becomes global catalog– Can change to another DC

• Purposes:– Authentication– Forest-wide searches of data– Replication of key AD elements– Keeps copy of most used attributes for quick access


8

Namespace

• Name resolution– Converts computer and domain names to IP

addresses

• Namespace – Logical area on a network that contains directory

services and named objects– Has the ability to perform name resolution


9

Namespace (cont’d.)

• Contiguous namespace – Every child object contains the name of the parent

object

• Disjointed namespace– Child name does not resemble the name of its parent

object


10

Containers in Active Directory

• Treelike structure

• Containers:– Forests– Trees– Domains– Organizational units

(OUs)– Sites


11

Figure 4-5 Active Directory hierarchical containersCourtesy Course Technology/Cengage Learning

Forest

• Highest level in an Active Directory

• One or more Active Directory trees that are in a common relationship

• Forest functional level – Active Directory functions supported forest-wide– Levels:

• Windows 2000 native forest functional level

• Windows Server 2003 forest functional level

• Windows Server 2008 forest functional level


12

Tree

• Contains one or more domains that are in a common relationship

• Domains in a tree typically have a hierarchical structure

• Kerberos transitive trust relationship– Two-way trusts between parent domains and child

domains


13

Tree (cont’d.)

• Transitive trust– If A and B have a trust and B and C have a trust, A

and C automatically have a trust as well

• Trusted domain – Granted access to resources

• Trusting domain– One granting access to another domain


14

Tree (cont’d.)

• All domains within a single tree share the same schema

• Defines all the object types that can be stored within Active Directory

• All domains in a tree share same global catalog and a portion of their namespace


15

Domain

• Logical partition within an Active Directory forest

• Primary container within Active Directory

• Basic functions– To provide an AD partition to house objects– To establish a set of information to be replicated– To expedite management of a set of objects


16

Domain (cont’d.)

• Domain functional levels:– Windows 2000 domain functional level– Windows Server 2003 domain functional level– Windows Server 2008 domain functional level

• Activity 4-2: Managing Domains– Objective: Learn where to manage domains and

domain trust relationships


17

Organizational Unit

• Grouping of related objects within a domain

• Allow the grouping of objects so that they can be administered using the same group policies– Such as security and desktop setup

• Can be nested within other OUs

• Best practices when creating OUs– Keep to 10 or fewer– Set up horizontally for best efficiency

• Activity 4-3: Managing OUs– Objective: Create an OU and delegate control over it


18

Site

• TCP/IP-based concept (container) within Active Directory

• Linked to IP address

• Functions

• Based on connectivity and replication functions

• Bridgehead server – DC designated to have role of exchanging replication

information– One per site


19

Active Directory Guidelines

• Keep Active Directory as simple as possible

• Implement the smallest number of domains possible

• Use OUs to reflect organization’s structure

• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies

• Implement multiple trees and forests only as necessary

• Use sites in situations where there are multiple IP subnets and multiple geographic locations


20

Planning Functional Levels and Trusts

• Carefully plan trusts between forests • External trust

– Creates a trust relationship with a domain that is outside of a forest

• Realm trust– Enables one- or two-way access between a Windows

Server domain within a forest and a realm of UNIX/Linux computers

• Shortcut trust – Enable a domain in one forest to quickly access

resources in a domain within a different forestMCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

21

User Account Management

• General environments:– Accounts that are set up through a stand-alone server

that does not have Active Directory installed– Accounts that are set up in a domain when Active

Directory is installed


22

Creating Accounts when Active Directory Is Not Installed

• Install Local Users and Groups MMC snap-in:– For standalone servers that do not use Active

Directory

• Create a local user account on a server that is not a DC– See text for steps


23

Creating Accounts when Active Directory Is Not Installed (cont’d.)


24

Figure 4-11 Selecting the Local Users and Groups MMC snap-inCourtesy Course Technology/Cengage Learning

Creating Accounts when Active Directory Is Not Installed (cont’d.)


25

Figure 4-12 Creating a user account without Active Directory installedCourtesy Course Technology/Cengage Learning

Creating Accounts when Active Directory Is Installed

• Use Active Directory Users and Computers tool – From the Administrative Tools menu or as an MMC

snap-in

• Create each new account by entering account information and password controls

• Activity 4-4: Creating User Accounts in Active Directory– Objective: Learn how to create a user account in

Active Directory


26

Creating Accounts when Active Directory Is Installed (cont’d.)


27

Figure 4-13 Creating a user accountCourtesy Course Technology/Cengage Learning

Creating Accounts when Active Directory Is Installed (cont’d.)


28

Figure 4-14 User account propertiesCourtesy Course Technology/Cengage Learning

Disabling, Enabling, and Renaming Accounts

• When to disable

• Activity 4-5: Disabling, Renaming, and Enabling an Account– Objective: Practice disabling,

renaming, and then enabling an account


29

Figure 4-15 Disabling an accountCourtesy Course Technology/Cengage Learning

Moving an Account

• May need to move a person’s account from one container to another

• Activity 4-6: Moving an Account– Objective: Practice

moving an account


30

Figure 4-16 Moving an accountCourtesy Course Technology/Cengage Learning

Resetting a Password

• Cannot look up forgotten passwords– Reset instead

• Maintain guidelines for resetting passwords

• Activity 4-7: Changing an Account’s Password– Objective: Practice changing an account’s password


31

Figure 4-17 Resetting a passwordCourtesy Course Technology/Cengage Learning

Deleting an Account

• Delete accounts that are no longer in use

• Globally unique identifier (GUID) is also deleted – Will not be reused even if you create another account

using the same name

• Activity 4-8: Deleting an Account– Objective: Practice deleting an account


32

Security Group Management

• Group accounts with similar characteristics together

• Scope of influence (or scope)– Reach of a group for gaining access to resources in

Active Directory

• Types of groups and associated scopes:– Local– Domain local– Global– Universal


33

Security Group Management (cont’d.)

• Security groups – Enable access to resources on a stand-alone server

or in Active Directory

• Distribution groups– Used for e-mail or telephone lists


34

Implementing Local Groups

• Local security group – Used to manage resources on a stand-alone

computer that is not part of a domain and on member servers in a domain (non-DCs)

• Create using the Local Users and Groups MMC snap-in


35

Implementing Domain Local Groups

• Domain local security group – Used when Active Directory is deployed

• Manage resources in a domain – Give global groups from the same and other domains

access to those resources

• Scope of a domain local group – Domain in which the group exists– Can convert a domain local group to a universal

group


36

Implementing Domain Local Groups (cont’d.)

• Access control list (ACL) – List of security descriptors (privileges) that have been

set up for a particular object


37

Table 4-1 Membership capabilities of a domain local group

Implementing Global Groups

• Global security group – Contains user accounts from a single domain

– Can also be set up as a member of a domain local group in the same or another domain

• Broader scope than domain local groups• Can be nested• Typical use:

– Add accounts that need access to resources in the same or in another domain

– Make the global group in one domain a member of a domain local group in the same or another domain


38

Implementing Global Groups (cont’d.)


39

Figure 4-18 Nested global groupsCourtesy Course Technology/Cengage Learning

Implementing Global Groups (cont’d.)

• Activity 4-9: Creating Domain Local and Global Security Groups– Objective: Create a domain local and a global security

group and make the global group a member of the domain local group


40

Implementing Universal Groups

• Universal security groups – Span domains and trees

• Can include – User accounts from any domain– Global groups from any domain– Other universal groups from any domain

• Guidelines to help simplify how you plan to use groups– See text


41

Implementing Universal Groups (cont’d.)


42

Figure 4-21 Managing security through universal and global groupsCourtesy Course Technology/Cengage Learning

Properties of Groups

• To edit properties:– Double-click group in the Local Users and Groups tool

for a stand-alone (non domain) or member server– Or in the Active Directory Users and Computers tool

for DC servers in a domain

• Properties– General– Members– Member of– Managed by


43

Planning the Delegation of Object Management

• Security groups and user accounts enable an organization to delegate authority over objects

• Establish and document policies

• Common objects that are delegated include OUs, user accounts, and groups

• Use Delegation of Control Wizard


44

Implementing User Profiles

• Local user profile – Automatically created at the local computer when you

log on with an account for the first time

• Advantages of user profiles

• Roaming profile– Downloaded to client workstation each time user

account is logged on

• Mandatory user profile– Certain users cannot change their profiles


45

What’s New in Windows Server 2008 Active Directory

• Restart capability

• Read-Only Domain Controller (RODC)

• Auditing improvements

• Multiple password and account lockout policies in a single domain

• Active Directory Lightweight Directory Services role


46

Restart Capability

• Stop Active Directory Domain Services without taking down the computer

• General steps– See text for steps


47

Read-Only Domain Controller

• Cannot use to update information in Active Directory

• Does not replicate to regular DCs

• Can function as a Key Distribution Center for the Kerberos authentication method

• Provides better security at branch locations– Example

• Can be configured as DNS server


48

Auditing Improvements

• Audit trail of many types of changes

• Records successful completion or reason for failure

• Must set up in two places


49

Multiple Password and Account Lockout Policies in a Single Domain

• Set up multiple password and account lockout security requirements – Associate them with a security group, user or OU

• Can now create more than one set of account policies within a domain

• Password settings container (PSC)– Contains password settings objects (PSOs)

• Represent unique set of password policies

• Three policy sets: – Ordinary users, administrators, service accounts


50

Active Directory Lightweight Directory Services Role

• Targeted for servers that manage user applications

• Skeleton version of Active Directory Domain Services

• Installed as a server role via Server Manager


51

Taking Active Directory Snapshots

• Tools for making snapshots:– ntdsutil.exe Active Directory database management

tool – Active Directory Database Mounting Tool or

dsamain.exe tool

• Enable Active Directory snapshots to be taken for later viewing– Compare to what is in the Active Directory after it is

restored– Determine which of several restores has the most

complete Active Directory dataMCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

52

Summary

• Active Directory houses information about network resources– Domain controllers– Hierarchy: forest, tree, domain, organizational unit– Global catalog

• User accounts and profiles

• Functional levels for domain and forest

• New features of Active Directory in Windows Server 2008


53

mcitp guide to microsoft windows server 2008 server administration (exam #70-646)

Documents

microsoft windows server

server administration

active directorymcitp

resolutionmcitp guide

changedmcitp guide

ad installedmcitp guide

security groupsmcitp

account managementmcitp