MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

Chapter 4

Introduction to Active Directory and Account Management

Transcript of a 53-slide PowerPoint presentation, uploaded by vanida on 01-Feb-2016.


Learning Objectives

• Understand Active Directory basic concepts

• Install and configure Active Directory

• Plan and implement Active Directory containers

• Create and manage user accounts

• Configure and use security groups


Learning Objectives (cont’d.)

• Plan how to delegate object management

• Describe and implement new Active Directory features


Active Directory Basics

• Directory service

• Houses information about all network resources
– Servers, printers, user accounts, groups of user accounts, security policies, and other information
• Domain controllers (DCs)
– Servers that have the AD DS server role installed and hold a copy of the directory database (writable, or read-only on an RODC)
• Member servers
– Domain-joined servers that do not have the AD DS role; they authenticate users against a DC but keep their own local account database (SAM) for local accounts


Active Directory Basics (cont’d.)

• Domain
– Fundamental component or container
– Holds information about all network resources that are grouped within it
• Each DC holds a full writable copy of the domain partition and is a peer of every other DC; the only exceptions are the five operations master (FSMO) roles, each held by one DC at a time, and read-only DCs
• Multimaster replication
– Advantage: a change can be made on any writable DC and is replicated to all the others
– If one DC goes down, the remaining DCs keep authenticating users and answering directory queries, so there is no network interruption


Active Directory Basics (cont’d.)

• Activity 4-1: Installing Active Directory

Figure 4-2 Installation Results window (Courtesy Course Technology/Cengage Learning)

Schema

• Defines the object classes, and the attributes (characteristics) of those objects, that can be stored in Active Directory
• Sample schema for a user account
– Includes a globally unique identifier (GUID), the objectGUID attribute: a unique number associated with the object that never changes, even if the object is renamed or moved
• Each attribute value automatically carries replication metadata: a version number and a timestamp, updated when the value is created or changed
– DCs use them to resolve conflicting updates: the higher version wins, then the later timestamp
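As an added example (not from the textbook), the following PowerShell inspects the schema definition of the user class and the per-attribute replication metadata of one account. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and the repadmin tool on a DC; jdoe is a placeholder account name.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module and repadmin;
# 'jdoe' is a placeholder account.
Import-Module ActiveDirectory
$root = Get-ADRootDSE

# The schema partition holds one classSchema object per object class. mayContain and
# systemMayContain list the optional attributes a user object is allowed to carry.
$userClass = Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mayContain, systemMayContain, subClassOf, schemaIDGUID
'user derives from {0}; {1} optional attributes' -f $userClass.subClassOf, ($userClass.mayContain.Count + $userClass.systemMayContain.Count)
'schemaIDGUID of class user: {0}' -f ([guid]$userClass.schemaIDGUID)   # reused as the object type in ACEs

# Attribute definitions are attributeSchema objects; isSingleValued and attributeSyntax
# say what a value may look like.
Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(|(lDAPDisplayName=sAMAccountName)(lDAPDisplayName=memberOf)))' `
    -Properties lDAPDisplayName, isSingleValued, attributeSyntax |
    Select-Object lDAPDisplayName, isSingleValued, attributeSyntax | Format-Table -AutoSize

# objectGUID never changes for the life of the object; objectSid is what ACLs reference;
# uSNChanged and whenChanged move on every modification.
$u = Get-ADUser jdoe -Properties objectGUID, objectSid, uSNChanged, whenChanged
$u | Select-Object Name, objectGUID, objectSid, uSNChanged, whenChanged | Format-List

# Per-attribute replication metadata: version number, originating DC and timestamp.
# On a conflict the higher version wins, then the later originating timestamp.
repadmin /showobjmeta localhost "$($u.DistinguishedName)"
```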


Global Catalog

• Stores a partial replica (the most commonly searched attributes) of every object in the forest, plus a full replica of its own domain
• The first DC configured in a forest is a global catalog server; additional DCs can be made global catalogs, and the role can be removed from the first, per DC in Active Directory Sites and Services
• Purposes:
– Authentication: resolves universal group memberships at logon and maps a user principal name (UPN) to the right domain; in a multi-domain forest a logon fails if no GC is reachable, unless universal group membership caching is enabled for the site
– Forest-wide searches of data, served on LDAP port 3268 (3269 over SSL)
– Replication of key AD elements: the partial attribute set of every domain partition
– Keeps a copy of the most used attributes for quick access without referrals to other domains
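The two slides above (every DC a peer under multimaster replication; the global catalog as the forest-wide index) are illustrated by the following added PowerShell, which is not from the textbook. It lists the DCs with their FSMO roles and global catalog status, runs a forest-wide search against a GC on port 3268, and checks replication health. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and repadmin on a domain-joined machine; jdoe is a placeholder account name.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module and repadmin;
# 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The exceptions to "every DC is equal": the operations master (FSMO) roles, two per
# forest and three per domain, each held by exactly one DC at a time.
'Forest {0}: schema master {1}, domain naming master {2}' -f $forest.Name, $forest.SchemaMaster, $forest.DomainNamingMaster
'Domain {0}: PDC emulator {1}, RID master {2}, infrastructure master {3}' -f $domain.DNSRoot, $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster

# Which DCs also hold the global catalog (partial replica of every domain, port 3268),
# and which are read-only.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, IsReadOnly,
        @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } } |
    Format-Table -AutoSize

# A forest-wide search must go to a GC on port 3268; an ordinary LDAP query on 389 sees
# only the DC's own domain. The empty search base means "the whole forest" on a GC
# (if your module version rejects it, use (Get-ADRootDSE).rootDomainNamingContext).
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
Get-ADObject -Server "${gc}:3268" -SearchBase '' -SearchScope Subtree `
    -LDAPFilter '(&(objectCategory=person)(sAMAccountName=jdoe))' -Properties userPrincipalName |
    Select-Object DistinguishedName, userPrincipalName

# Multimaster replication health: per-DC failure counts and largest deltas. A DC that is
# down shows up here as a replication failure while the others keep servicing logons.
repadmin /replsummary
```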


Namespace

• Name resolution
– Converts computer and domain names to IP addresses; Active Directory relies on DNS for this, and clients locate DCs through the SRV records that DCs register
• Namespace
– Logical area on a network that contains directory services and named objects
– Has the ability to perform name resolution


Namespace (cont’d.)

• Contiguous namespace
– Every child object contains the name of the parent object; for example, sales.example.com is a child of example.com, and a tree is a contiguous namespace
• Disjointed (noncontiguous) namespace
– Child name does not resemble the name of its parent object; for example, a second tree named example.net in the example.com forest, or a computer whose primary DNS suffix differs from the DNS name of its Active Directory domain (such a suffix must be listed in the domain's msDS-AllowedDNSSuffixes attribute for the computer to register correctly)
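The following added PowerShell (not from the textbook) shows the two points of these slides in practice: how a client resolves its domain to domain controllers through DNS SRV records, and how to detect a disjoint namespace on a member computer. It uses only nslookup, WMI and the registry, all present on Windows Server 2008; example.com stands in for whatever the AD domain's DNS name is.

```powershell
# Added example, not from the textbook. Works on Windows Server 2008 without extra
# modules; the AD domain name is read from the machine rather than hard-coded.
$adDomain  = (Get-WmiObject Win32_ComputerSystem).Domain          # AD domain DNS name
$dnsSuffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').'NV Domain'

# Contiguous namespace: the computer's primary DNS suffix equals its AD domain name.
# A mismatch is a disjoint namespace and must be planned for (msDS-AllowedDNSSuffixes).
if ($dnsSuffix -and ($dnsSuffix -ne $adDomain)) {
    "Disjoint namespace: DNS suffix '$dnsSuffix' differs from AD domain '$adDomain'"
} else {
    "Contiguous namespace: $adDomain"
}

# DC locator records: _ldap._tcp.dc._msdcs.<domain> lists every DC, _gc._tcp the GCs,
# _kerberos._tcp the KDCs. If these are missing, clients cannot find a DC to log on.
foreach ($rec in "_ldap._tcp.dc._msdcs.$adDomain", "_gc._tcp.$adDomain", "_kerberos._tcp.$adDomain") {
    "--- $rec"
    nslookup -type=SRV $rec 2>$null | Select-String 'svr hostname|port'
}
```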


Containers in Active Directory

• Treelike structure
• Containers:
– Forests
– Trees
– Domains
– Organizational units (OUs)
– Sites

Figure 4-5 Active Directory hierarchical containers (Courtesy Course Technology/Cengage Learning)

Forest

• Highest-level container in Active Directory, and its security boundary: Enterprise Admins have authority in every domain of the forest
• One or more Active Directory trees that are in a common relationship: they share one schema, one configuration partition and one global catalog, and every domain trusts every other through transitive trusts
• Forest functional level
– The Active Directory functions supported forest-wide; it can be raised only once every domain is at the matching domain functional level, and on Windows Server 2008 raising it is one-way
– Levels:
• Windows 2000 native forest functional level
• Windows Server 2003 forest functional level
• Windows Server 2008 forest functional level


Tree

• Contains one or more domains that share a contiguous DNS namespace
• Domains in a tree typically have a hierarchical (parent/child) structure
• Kerberos transitive trust relationship
– Two-way, transitive trusts are created automatically between each parent domain and its child domains when the child is added (and between each tree root and the forest root domain)


Tree (cont’d.)

• Transitive trust
– If A trusts B and B trusts C, then A trusts C as well, without a trust having been created between A and C
• Trusted domain
– The account domain: its users are the ones granted access to resources in the other domain
• Trusting domain
– The resource domain: the one granting access to accounts from the trusted domain


Tree (cont’d.)

• All domains within a forest, and therefore within a single tree, share the same schema
– The schema defines all the object types and attributes that can be stored within Active Directory; there is exactly one per forest
• All domains in a tree also share the same global catalog and configuration partition, and a contiguous portion of the DNS namespace


Domain

• Logical partition within an Active Directory forest: a domain's objects live in their own directory partition, which replicates only to that domain's DCs
• Primary container within Active Directory, and the boundary for the default password and account lockout policy
• Basic functions
– To provide an AD partition to house objects
– To establish a set of information to be replicated
– To expedite management of a set of objects


Domain (cont’d.)

• Domain functional levels:
– Windows 2000 domain functional level
– Windows Server 2003 domain functional level
– Windows Server 2008 domain functional level
• Activity 4-2: Managing Domains
– Objective: Learn where to manage domains and domain trust relationships


Organizational Unit

• Grouping of related objects within a domain
• Allows objects to be administered together by linking the same Group Policy objects (such as security and desktop settings) to the OU; it is also the unit at which administration is delegated
• Can be nested within other OUs; Group Policy and permissions inherit down the nesting
• Best practices when creating OUs
– Keep nesting shallow (the text suggests 10 or fewer levels)
– Set up horizontally for best efficiency: every extra level is another step in policy and inheritance processing
• Activity 4-3: Managing OUs
– Objective: Create an OU and delegate control over it
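An added PowerShell example (not from the textbook) of the OU design just described: it builds a two-level OU structure for one business unit, protects each OU from accidental deletion, and reports the nesting depth of every OU so the shallow-hierarchy guideline can be checked. It assumes the ActiveDirectory module; the OU names are placeholders.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module; the OU names
# are placeholders for a real business unit.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Two levels (Sales, then its Users/Computers/Groups/ServiceAccounts children) are enough
# to hang Group Policy and delegation on; deeper nesting only slows policy processing.
$layout = @{ 'Sales' = @('Users', 'Computers', 'Groups', 'ServiceAccounts') }

foreach ($top in $layout.Keys) {
    $topDN = "OU=$top,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$top)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $top -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($child in $layout[$top]) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$child)" -SearchBase $topDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $topDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Nesting depth of every OU in the domain (count the OU= components of the DN); the
# deepest ten are listed so outliers against the 10-level guideline stand out.
Get-ADOrganizationalUnit -Filter * |
    Select-Object DistinguishedName,
        @{ n = 'Depth'; e = { ([regex]::Matches($_.DistinguishedName, '(?i)OU=')).Count } } |
    Sort-Object Depth -Descending | Select-Object -First 10
```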


Site

• TCP/IP-based concept (container) within Active Directory that represents a well-connected part of the network, typically one physical location
• Linked to IP subnets: subnet objects are mapped to a site, and a client finds its site by matching its IP address against those subnets
• Functions
– Based on connectivity and replication: replication within a site is frequent and uncompressed, replication between sites follows a schedule and a site-link cost and is compressed
– Also used by clients to locate the nearest DC and other site-aware services
• Bridgehead server
– DC designated to exchange replication information with other sites
– One per site per directory partition and transport; chosen automatically by the Inter-Site Topology Generator unless a preferred bridgehead server is set
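The following added PowerShell (not from the textbook) reads the site topology straight from the Configuration partition, which is where the objects described above live: the subnet-to-site mapping, the site links with their cost and replication interval, and the bridgehead servers currently selected. It assumes the ActiveDirectory module and repadmin; the names printed are whatever the forest contains.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module and repadmin.
Import-Module ActiveDirectory
$cfg     = (Get-ADRootDSE).configurationNamingContext
$sitesDN = "CN=Sites,$cfg"

# Subnet objects carry the siteObject attribute: this is how a client's IP address is
# mapped to its site. A subnet with no siteObject, or an address covered by no subnet,
# lands clients in the wrong site and on a distant DC.
Get-ADObject -SearchBase "CN=Subnets,$sitesDN" -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
    Select-Object Name, @{ n = 'Site'; e = { ($_.siteObject -split ',')[0] -replace '^CN=' } } |
    Sort-Object Site | Format-Table -AutoSize

# Site links define the cost and replication interval (minutes) between sites.
Get-ADObject -SearchBase "CN=Inter-Site Transports,$sitesDN" -LDAPFilter '(objectClass=siteLink)' `
    -Properties cost, replInterval, siteList |
    Select-Object Name, cost, replInterval,
        @{ n = 'Sites'; e = { ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' } } |
    Format-Table -AutoSize

# Bridgeheads actually in use: one per site, partition and transport, chosen by the ISTG.
repadmin /bridgeheads
```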


Active Directory Guidelines

• Keep Active Directory as simple as possible

• Implement the smallest number of domains possible

• Use OUs to reflect organization’s structure

• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies

• Implement multiple trees and forests only as necessary

• Use sites in situations where there are multiple IP subnets and multiple geographic locations


Planning Functional Levels and Trusts

• Carefully plan trusts between forests: a trust widens the set of accounts that can be authorised to your resources, so keep it as narrow (one-way, non-transitive, SID-filtered) as the requirement allows
• External trust
– Creates a non-transitive trust relationship with a single domain that is outside the forest (a Windows NT 4.0 domain or a domain in another forest)
• Realm trust
– Enables one- or two-way access between a Windows Server domain within a forest and a realm of UNIX/Linux computers (a non-Windows Kerberos V5 realm)
• Shortcut trust
– Created between two domains in the same forest to shorten the Kerberos referral path between them; it does not cross forests
• Forest trust
– The transitive trust between two forest root domains that lets a domain in one forest access resources in a domain of a different forest
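As an added example serving both the functional-level slides (12 and 17) and the trust slides (13, 14 and 21), the PowerShell below (not from the textbook) reports the current forest and domain functional levels, lists the DCs that would block a raise, and decodes every trust object of the domain: direction, type, and the attribute flags that distinguish external, shortcut and forest trusts and show whether SID filtering is on. It assumes the ActiveDirectory module; the commented-out Set-AD*Mode lines are left disabled because raising a level is one-way.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
'Forest {0}: {1}' -f $forest.Name, $forest.ForestMode
'Domain {0}: {1}' -f $domain.DNSRoot, $domain.DomainMode

# A level can only be raised when every DC runs at least that OS; list the stragglers.
Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -notmatch 'Server 2008' } |
    Select-Object Name, OperatingSystem

# Raising is one-way on Windows Server 2008, so these stay commented out until planned:
# Set-ADDomainMode -Identity $domain -DomainMode Windows2008Domain
# Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest

# Trusts are trustedDomain objects under CN=System. trustAttributes is a bit field:
# 0x1 non-transitive (external), 0x4 quarantined (SID filtering), 0x8 forest-transitive,
# 0x20 within forest (shortcut or parent/child).
$direction = @{ 1 = 'inbound (they trust us)'; 2 = 'outbound (we trust them)'; 3 = 'two-way' }
$type      = @{ 1 = 'downlevel (NT4)'; 2 = 'uplevel (AD)'; 3 = 'realm (MIT Kerberos)' }

Get-ADObject -SearchBase "CN=System,$($domain.DistinguishedName)" -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, trustDirection, trustType, trustAttributes |
    ForEach-Object {
        $a = [int]$_.trustAttributes
        New-Object PSObject -Property @{
            Partner       = $_.trustPartner
            Direction     = $direction[[int]$_.trustDirection]
            Type          = $type[[int]$_.trustType]
            NonTransitive = [bool]($a -band 0x1)
            SIDFiltering  = [bool]($a -band 0x4)
            ForestTrust   = [bool]($a -band 0x8)
            WithinForest  = [bool]($a -band 0x20)
        }
    } | Select-Object Partner, Direction, Type, NonTransitive, SIDFiltering, ForestTrust, WithinForest |
    Format-Table -AutoSize
```

A trust that shows ForestTrust or NonTransitive without SIDFiltering deserves a second look: SID filtering is what stops a compromised trusted domain from injecting SIDs of your domain's privileged groups into a token.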


User Account Management

• General environments:
– Accounts that are set up through a stand-alone server that does not have Active Directory installed
– Accounts that are set up in a domain when Active Directory is installed


Creating Accounts when Active Directory Is Not Installed

• Use the Local Users and Groups MMC snap-in (lusrmgr.msc, also part of Computer Management)
– For stand-alone servers that do not use Active Directory, and for local accounts on member servers
• Create a local user account on a server that is not a DC
– Once a server is promoted to a DC it no longer has a local account database; its accounts are the domain's
– See text for steps
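The following added PowerShell (not from the textbook) creates the same kind of local account the snap-in steps produce, using the WinNT ADSI provider that the snap-in itself uses underneath, so it runs on Windows Server 2008 without any extra module. The account name svc-backup, its description and its group are placeholders; run it elevated on a stand-alone or member server.

```powershell
# Added example, not from the textbook. Uses the WinNT ADSI provider (present on Windows
# Server 2008); 'svc-backup' and the Backup Operators membership are placeholders.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$name = 'svc-backup'

# Read the password without echoing it; ADSI needs it as plain text for SetPassword.
$secure = Read-Host -AsSecureString "Password for $name"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Create the account and commit it before touching flags.
$user = $computer.Create('User', $name)
$user.SetPassword($plain)
$user.SetInfo()

# UserFlags are the ADS_UF_* bits: a service account gets a non-expiring password that
# the service itself may not change; an interactive user would get neither.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$user.Put('Description', 'Backup service account (local)')
$user.Put('UserFlags', $ADS_UF_DONT_EXPIRE_PASSWD -bor $ADS_UF_PASSWD_CANT_CHANGE)
$user.SetInfo()

# Authorise through a local group with just the rights needed (Backup Operators), and
# deliberately not Administrators.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Backup Operators,group"
$group.Add("WinNT://$env:COMPUTERNAME/$name,user")

# Verify: every local user and its flags (computer accounts end in '$').
$computer.Children | Where-Object { $_.SchemaClassName -eq 'User' } |
    ForEach-Object { '{0,-20} flags=0x{1:X}' -f $_.Name[0], [int]$_.UserFlags[0] }
```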


Creating Accounts when Active Directory Is Not Installed (cont’d.)

Figure 4-11 Selecting the Local Users and Groups MMC snap-in (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Not Installed (cont’d.)

Figure 4-12 Creating a user account without Active Directory installed (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Installed

• Use the Active Directory Users and Computers tool
– From the Administrative Tools menu or as an MMC snap-in (dsa.msc)
• Create each new account by entering account information and password controls (for example, "User must change password at next logon" or "Account is disabled")
• Activity 4-4: Creating User Accounts in Active Directory
– Objective: Learn how to create a user account in Active Directory


Creating Accounts when Active Directory Is Installed (cont’d.)

Figure 4-13 Creating a user account (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Installed (cont’d.)

Figure 4-14 User account properties (Courtesy Course Technology/Cengage Learning)

Disabling, Enabling, and Renaming Accounts

• When to disable
– When a user is on extended leave, when an account is created ahead of a start date, or when someone leaves and the account must be kept for a retention period; disabling keeps the SID, group memberships and ACL entries, so the account can be reactivated or its data handed over without granting permissions again
• Activity 4-5: Disabling, Renaming, and Enabling an Account
– Objective: Practice disabling, renaming, and then enabling an account

Figure 4-15 Disabling an account (Courtesy Course Technology/Cengage Learning)

Moving an Account

• May need to move a person's account from one container to another, for example when the person changes department
– Moving changes which Group Policy objects and delegated permissions apply to the account; the SID, GUID and group memberships do not change
• Activity 4-6: Moving an Account
– Objective: Practice moving an account

Figure 4-16 Moving an account (Courtesy Course Technology/Cengage Learning)

Resetting a Password

• Cannot look up forgotten passwords
– Active Directory stores only password hashes, so an administrator can reset a password but never read it
• Maintain guidelines for resetting passwords
– Verify the caller's identity before the reset, set "User must change password at next logon" afterwards, and record who performed it
• Activity 4-7: Changing an Account's Password
– Objective: Practice changing an account's password

Figure 4-17 Resetting a password (Courtesy Course Technology/Cengage Learning)

Deleting an Account

• Delete accounts that are no longer in use, after any retention period has passed; disable first if in doubt
• The object's globally unique identifier (GUID) and its security identifier (SID) are deleted with it
– Neither is reused even if you create another account using the same name: the new account gets a new SID, so permissions granted to the old account show up as orphaned SIDs in ACLs and have to be granted again
• Activity 4-8: Deleting an Account
– Objective: Practice deleting an account
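The account operations of Activities 4-4 to 4-8 (create, reset password, disable, rename, move, delete) as one added PowerShell script, not from the textbook. It ends by re-creating the deleted account and comparing SIDs, which is the concrete reason the slide gives for not relying on re-creation. It assumes the ActiveDirectory module; the OU paths, the name jdoe and example.com are placeholders.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module; OU paths,
# 'jdoe' and example.com are placeholders.
Import-Module ActiveDirectory
$domainDN  = (Get-ADDomain).DistinguishedName
$usersOU   = "OU=Users,OU=Sales,$domainDN"
$leaversOU = "OU=Leavers,OU=Sales,$domainDN"

# Create (Activity 4-4): initial password entered interactively, forced change at first
# logon so the administrator never knows the user's real password.
$initial = Read-Host -AsSecureString 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@example.com' `
    -GivenName 'Jane' -Surname 'Doe' -Path $usersOU -AccountPassword $initial `
    -ChangePasswordAtLogon $true -Enabled $true
$sidBefore = (Get-ADUser jdoe).SID.Value
"Created jdoe with SID $sidBefore"

# Reset a forgotten password (Activity 4-7): only a hash is stored, so set a new one and
# force a change at next logon.
Set-ADAccountPassword jdoe -Reset -NewPassword (Read-Host -AsSecureString 'New password for jdoe')
Set-ADUser jdoe -ChangePasswordAtLogon $true

# Leaver (Activities 4-5 and 4-6): disable, rename and move. SID, GUID and group
# memberships all survive, so every ACL entry naming this account still resolves.
Disable-ADAccount jdoe
Rename-ADObject -Identity (Get-ADUser jdoe).DistinguishedName -NewName 'Jane Doe (left 2016-02)'
Move-ADObject   -Identity (Get-ADUser jdoe).DistinguishedName -TargetPath $leaversOU
Get-ADUser jdoe | Select-Object Name, Enabled, DistinguishedName, @{ n = 'SID'; e = { $_.SID.Value } }
# Enable-ADAccount jdoe   # if the person returns, everything is still in place

# Delete (Activity 4-8) only once retention rules are met. A re-created account with the
# same name gets a fresh SID, so the old permissions are orphaned rather than inherited.
Remove-ADUser jdoe -Confirm:$false
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -Path $usersOU -Enabled $false
$sidAfter = (Get-ADUser jdoe).SID.Value
if ($sidAfter -ne $sidBefore) { "New SID $sidAfter differs from old $sidBefore: old ACL entries are now orphaned" }
```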


Security Group Management

• Group accounts with similar characteristics together, then grant permissions to the group rather than to individual accounts
• Scope of influence (or scope)
– How far a group can be used for gaining access to resources in Active Directory: where its members may come from, and where it may be placed in ACLs
• Types of groups and associated scopes:
– Local (a single computer)
– Domain local
– Global
– Universal


Security Group Management (cont’d.)

• Security groups
– Have a SID and enable access to resources on a stand-alone server or in Active Directory; they can also receive e-mail if mail-enabled
• Distribution groups
– Used for e-mail or telephone lists; they have no SID in a logon token and therefore cannot appear in an ACL


Implementing Local Groups

• Local security group
– Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)
• Create using the Local Users and Groups MMC snap-in


Implementing Domain Local Groups

• Domain local security group
– Used when Active Directory is deployed
• Manage resources in a domain
– Give global groups from the same and other (trusted) domains access to those resources
• Scope of a domain local group
– The domain in which the group exists: it can be placed only in ACLs of that domain
– Can convert a domain local group to a universal group, but only if it does not contain another domain local group


Implementing Domain Local Groups (cont’d.)

• Access control list (ACL)
– The part of an object's security descriptor that lists access control entries (ACEs); each ACE allows or denies a set of rights to one security principal (a user, group or computer, identified by its SID)
– The discretionary ACL (DACL) controls access; the system ACL (SACL) controls auditing

Table 4-1 Membership capabilities of a domain local group

Implementing Global Groups

• Global security group
– Contains user accounts (and, in native mode, other global groups) from a single domain
– Can also be set up as a member of a domain local group in the same or another domain
• Broader scope than domain local groups: usable in any domain that trusts its own
• Can be nested
• Typical use (the AGDLP pattern: Accounts into Global groups, Global groups into Domain Local groups, Domain Local groups get Permissions):
– Add accounts that need access to resources in the same or in another domain
– Make the global group in one domain a member of a domain local group in the same or another domain


Implementing Global Groups (cont’d.)

Figure 4-18 Nested global groups (Courtesy Course Technology/Cengage Learning)

Implementing Global Groups (cont’d.)

• Activity 4-9: Creating Domain Local and Global Security Groups
– Objective: Create a domain local and a global security group and make the global group a member of the domain local group


Implementing Universal Groups

• Universal security groups
– Span domains and trees; their membership is stored in the global catalog and replicated forest-wide, so put global groups rather than individual users into them to limit GC replication
• Can include
– User accounts from any domain
– Global groups from any domain
– Other universal groups from any domain
• Guidelines to help simplify how you plan to use groups
– See text
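The group slides from "Implementing Domain Local Groups" through "Implementing Universal Groups" describe one pattern, AGDLP, and two rules around it (the domain local group is what the ACL names; scope conversion has preconditions). The added PowerShell below (not from the textbook) carries Activity 4-9 through to the permission, shows the resulting ACE, tests the conversion rule before attempting it, and expands nested membership. It assumes the ActiveDirectory module, a native-mode domain, and placeholders for the group names, the OU, the user jdoe, the share path and the NetBIOS domain name EXAMPLE.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module and a
# native-mode domain; group names, OU, 'jdoe', 'D:\Shares\Sales' and 'EXAMPLE' are placeholders.
Import-Module ActiveDirectory
$groupsOU = "OU=Groups,OU=Sales,$((Get-ADDomain).DistinguishedName)"

# A -> G: the global group describes a role and holds accounts from this domain only.
New-ADGroup -Name 'Sales-Staff' -GroupScope Global -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'Sales-Staff' -Members jdoe

# G -> DL: the domain local group describes a resource and may contain global groups from
# any trusted domain, so the ACL below never has to change when people or domains change.
New-ADGroup -Name 'ACL-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'ACL-SalesShare-Modify' -Members 'Sales-Staff'

# DL -> P: one ACE naming the domain local group. The file server evaluates the group's
# SID, which is why a distribution group (no SID in the token) cannot be used here.
$acl = Get-Acl 'D:\Shares\Sales'
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
           'EXAMPLE\ACL-SalesShare-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl 'D:\Shares\Sales' $acl
(Get-Acl 'D:\Shares\Sales').Access | Where-Object { $_.IdentityReference -like '*ACL-SalesShare*' }

# Conversion rule: a domain local group can become universal only if it contains no
# other domain local group (groupType bit 0x4). Check before calling Set-ADGroup.
$dl = Get-ADGroup 'ACL-SalesShare-Modify' -Properties member
$blocking = @($dl.member | ForEach-Object { Get-ADObject $_ -Properties groupType } |
              Where-Object { $_.ObjectClass -eq 'group' -and ([int]$_.groupType -band 0x4) })
if ($blocking.Count) { "Cannot convert to Universal; contains domain local groups: $($blocking.Name -join ', ')" }
else { Set-ADGroup 'ACL-SalesShare-Modify' -GroupScope Universal -WhatIf }

# Who ends up with Modify on the share after nesting is expanded?
Get-ADGroupMember -Identity 'ACL-SalesShare-Modify' -Recursive | Select-Object Name, objectClass
```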


Implementing Universal Groups (cont’d.)

Figure 4-21 Managing security through universal and global groups (Courtesy Course Technology/Cengage Learning)

Properties of Groups

• To edit properties
– Double-click the group in the Local Users and Groups tool for a stand-alone (non-domain) or member server
– Or in the Active Directory Users and Computers tool for DC servers in a domain
• Properties
– General
– Members
– Member of
– Managed by


Planning the Delegation of Object Management

• Security groups and user accounts enable an organization to delegate authority over objects: grant a group exactly the rights it needs on an OU instead of making its members Domain Admins
• Establish and document policies: which group is delegated what, on which OU, and review the delegations periodically
• Common objects that are delegated include OUs, user accounts, and groups
• Use the Delegation of Control Wizard
– It writes access control entries on the selected OU's ACL; the same entries can be viewed or edited on the OU's Security tab (Advanced view)
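What the Delegation of Control Wizard does underneath is add ACEs to the OU, and a delegation review is a read of the same ACL. The added PowerShell below (not from the textbook) grants a help-desk group the two rights needed to reset passwords on user objects under an OU and then lists every explicit ACE on that OU with its rights GUID translated to a name. It assumes the ActiveDirectory module (which provides the AD: drive); the OU, the group Sales-Helpdesk and the domain name EXAMPLE are placeholders. The two hard-coded GUIDs are the well-known schema values for the user class and the Reset Password extended right.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module (AD: drive);
# the OU, 'EXAMPLE\Sales-Helpdesk' and the domain name are placeholders.
Import-Module ActiveDirectory
$ou       = "OU=Users,OU=Sales,$((Get-ADDomain).DistinguishedName)"
$helpdesk = New-Object System.Security.Principal.NTAccount('EXAMPLE', 'Sales-Helpdesk')

$userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right "Reset Password"
$onUsersBelow      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl "AD:\$ou"
# 1. The Reset Password extended right, inherited only by user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk, 'ExtendedRight', 'Allow', $resetPasswordGuid, $onUsersBelow, $userClassGuid)))
# 2. Write pwdLastSet so "must change password at next logon" can be set; nothing broader.
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk, 'ReadProperty,WriteProperty', 'Allow', $pwdLastSetGuid, $onUsersBelow, $userClassGuid)))
Set-Acl "AD:\$ou" $acl

# Review: explicit (non-inherited) ACEs on the OU. Extended rights are looked up by
# rightsGuid; an attribute GUID (such as pwdLastSet) is printed as-is.
$rightsDN = "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)"
(Get-Acl "AD:\$ou").Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    $label = 'all'
    if ($_.ObjectType -ne [guid]::Empty) {
        $r = Get-ADObject -SearchBase $rightsDN -LDAPFilter "(rightsGuid=$($_.ObjectType))"
        $label = if ($r) { $r.Name } else { $_.ObjectType.ToString() }
    }
    '{0,-28} {1,-6} {2,-28} {3}' -f $_.IdentityReference, $_.AccessControlType, $_.ActiveDirectoryRights, $label
}
```

The same two grants can be made with the dsacls command-line tool; the review loop is the part worth keeping, because the wizard has no "undo" and delegations accumulate silently.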


Implementing User Profiles

• Local user profile
– Automatically created on the local computer (under C:\Users\<user name> on Windows Server 2008) when you log on with an account for the first time
• Advantages of user profiles
– Each user gets their own desktop, settings and application data, and a roaming profile follows the user to any workstation
• Roaming profile
– Stored on a network share named in the account's Profile path and downloaded to the client workstation each time the user logs on; changes are copied back at logoff
• Mandatory user profile
– A roaming profile whose NTUSER.DAT has been renamed NTUSER.MAN: users can change settings during a session, but the changes are discarded at logoff


What’s New in Windows Server 2008 Active Directory

• Restart capability

• Read-Only Domain Controller (RODC)

• Auditing improvements

• Multiple password and account lockout policies in a single domain

• Active Directory Lightweight Directory Services role


Restart Capability

• Stop Active Directory Domain Services (the NTDS service) without taking down the computer or restarting it in Directory Services Restore Mode
– Used for offline maintenance such as database integrity checks, offline defragmentation and applying updates; while the service is stopped the DC behaves like a member server and other DCs handle logons
• General steps
– See text for steps
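An added PowerShell example (not from the textbook) of the restart capability used for the purpose it was designed for: stop AD DS, run an offline integrity check and defragmentation with ntdsutil, swap in the compacted database only if ntdsutil reported success, and start the service again. Run it elevated on a DC that has other DCs in its site; C:\NTDS-compact is a placeholder scratch folder, and the database and log paths are read from the registry rather than assumed.

```powershell
# Added example, not from the textbook. Run elevated on a DC; 'C:\NTDS-compact' is a
# placeholder. While NTDS is stopped this DC answers no logons.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit  = $ntdsParams.'DSA Database file'          # usually C:\Windows\NTDS\ntds.dit
$logs = $ntdsParams.'Database log files path'    # usually C:\Windows\NTDS

# Stopping NTDS also stops its dependants (KDC, DNS, file replication); -Force allows that.
if ((Get-Service NTDS).Status -eq 'Running') { Stop-Service NTDS -Force }
'NTDS is now {0}' -f (Get-Service NTDS).Status

# ntdsutil takes each quoted token as one interactive command, ending with quit quit.
ntdsutil "activate instance ntds" files integrity quit quit
$compact = ntdsutil "activate instance ntds" files "compact to C:\NTDS-compact" quit quit
$compact

# Swap in the compacted copy only on success; keep a backup of the old file and delete
# the old transaction logs, which no longer match the new database.
if (($compact -join "`n") -match 'Compaction is successful') {
    Copy-Item $dit "$dit.bak" -Force
    Copy-Item 'C:\NTDS-compact\ntds.dit' $dit -Force
    Remove-Item (Join-Path $logs '*.log') -Force
} else {
    Write-Warning 'Compaction did not report success; original database left in place'
}

Start-Service NTDS
Start-Sleep -Seconds 15
repadmin /replsummary     # replication should resume on its own once the service is up
```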


Read-Only Domain Controller

• Cannot be used to update information in Active Directory: it holds a read-only copy, and write attempts are referred to a writable DC
• Replication is one-way: the RODC pulls changes from writable DCs but never replicates outward, so a compromised RODC cannot push changes into the forest
• Can function as a Key Distribution Center for the Kerberos authentication method, using its own krbtgt account so that tickets it issues are distinguishable from those of writable DCs
• Provides better security at branch locations
– Example: only the passwords of accounts allowed by the RODC's Password Replication Policy are cached on it, so a stolen branch server exposes those credentials only, not the whole domain's; administrator groups are denied by default
• Can be configured as a DNS server (with read-only copies of AD-integrated zones)
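The Password Replication Policy is what turns the RODC's design into the branch-office security gain the slide describes, so it is the thing to inspect and tighten. The added PowerShell below (not from the textbook) reads an RODC's allowed and denied lists, adds the branch users' group while keeping administrators and service accounts denied, shows which secrets the RODC has already cached, and lists the per-RODC krbtgt accounts. It assumes the ActiveDirectory module; BRANCH-RODC1, the group names and jdoe are placeholders.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module;
# 'BRANCH-RODC1', the group names and 'jdoe' are placeholders.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC1'

# Current policy: Denied wins over Allowed. By default only the built-in "Allowed RODC
# Password Replication Group" is allowed and the admin groups are denied.
'--- Allowed'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, objectClass
'--- Denied';  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, objectClass

# Allow exactly the people who work at the branch; keep privileged and service accounts
# out so a stolen RODC never holds their hashes.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins', 'Sales-ServiceAccounts'

# What the RODC has actually cached so far: this is the exposure if the box walks away.
'--- Cached on the RODC'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts | Select-Object Name, objectClass

# Resultant decision for one account (Allowed / Denied) after both lists are evaluated.
Get-ADUserResultantPasswordReplicationPolicy -Identity jdoe -DomainController $rodc

# Each RODC has its own krbtgt_<id> account; writable DCs can tell its tickets apart
# and the key can be reset independently if the RODC is compromised.
Get-ADUser -LDAPFilter '(sAMAccountName=krbtgt_*)' | Select-Object Name, DistinguishedName
```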


Auditing Improvements

• Audit trail of many types of changes: Directory Service Changes auditing records the old and new values of modified attributes, as well as object creation, move, undelete and deletion
• Records successful completion or the reason for failure
• Must be set up in two places
– The audit policy (Audit directory service access, or the Directory Service Changes subcategory) must be enabled on the domain controllers
– A system ACL (auditing entry) must be placed on the objects or OU to be audited; without both, nothing is logged
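The "two places" are the audit policy and the object SACL; the added PowerShell below (not from the textbook) sets both from the command line and then reads back the resulting change events. It enables the Directory Service Changes subcategory on the local DC with auditpol (in production the same setting belongs in the Default Domain Controllers Policy so every DC gets it), puts an audit entry for writes on user objects under an OU, and lists recent 5136 (attribute modified) events with the fields that matter. It assumes the ActiveDirectory module; the OU path is a placeholder.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module (AD: drive)
# and an elevated session on a DC; the OU path is a placeholder.
Import-Module ActiveDirectory

# Place 1: the audit policy. The subcategory records old and new attribute values as
# events 5136 (modify), 5137 (create), 5138 (undelete), 5139 (move), 5141 (delete).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Changes"

# Place 2: a SACL entry. Audit every write-type operation by Everyone on user objects
# below the OU; inherited so newly created users are covered too.
$ou            = "OU=Users,OU=Sales,$((Get-ADDomain).DistinguishedName)"
$everyone      = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$acl = Get-Acl "AD:\$ou" -Audit
$acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, 'WriteProperty,WriteDacl,WriteOwner,Delete,DeleteChild,CreateChild', 'Success,Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All, $userClassGuid)))
Set-Acl "AD:\$ou" $acl

# Verify: recent 5136 events. Field positions follow the 5136 event schema
# (3 = who, 8 = object DN, 11 = attribute, 13 = value, 14 = value added/deleted code).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Who';       e = { $_.Properties[3].Value } },
        @{ n = 'Object';    e = { $_.Properties[8].Value } },
        @{ n = 'Attribute'; e = { $_.Properties[11].Value } },
        @{ n = 'Value';     e = { $_.Properties[13].Value } },
        @{ n = 'Op';        e = { $_.Properties[14].Value } } |
    Format-Table -AutoSize
```

Note that the SACL entry names Everyone, not Administrators: the changes most worth an audit trail are the ones a privileged account makes, and an audit entry scoped to a lesser group would miss them.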


Multiple Password and Account Lockout Policies in a Single Domain

• Set up multiple password and account lockout security requirements (fine-grained password policy)
– Associate them with users or global security groups; a PSO cannot be applied to an OU, so populate a group from the OU instead
– Requires the Windows Server 2008 domain functional level
• Can now create more than one set of account policies within a domain
• Password settings container (PSC)
– CN=Password Settings Container,CN=System in the domain; contains password settings objects (PSOs)
• Each PSO represents a unique set of password and lockout policies; when several apply to one user, the PSO with the lowest precedence value wins
• Three policy sets suggested in the text:
– Ordinary users, administrators, service accounts
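The three policy sets from the slide, as an added PowerShell example that is not from the textbook: one PSO each for ordinary users, administrators and service accounts, applied to global security groups and ordered by precedence so that an administrator who is also in Domain Users gets the stricter policy. It checks the domain functional level first, then shows how to confirm which policy actually applies to a given user. It assumes the ActiveDirectory module; the group names, precedence values and the user jdoe are placeholders.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module; group names,
# precedence values and 'jdoe' are placeholders.
Import-Module ActiveDirectory

# PSOs need the Windows Server 2008 domain functional level (ADDomainMode value 3 or higher).
if ([int](Get-ADDomain).DomainMode -lt 3) { throw 'Raise the domain functional level to Windows Server 2008 first' }

# Lower Precedence wins when a user falls under several PSOs (directly or via groups),
# so admins (10) beat service accounts (20) beat everyone else (100).
$policies = @(
    @{ Name = 'PSO-Admins';  Precedence = 10;  MinLength = 15; MaxAge = '42.00:00:00';  Lockout = 5;  Groups = 'Domain Admins', 'Tier0-Admins' }
    @{ Name = 'PSO-Service'; Precedence = 20;  MinLength = 25; MaxAge = '365.00:00:00'; Lockout = 0;  Groups = 'Sales-ServiceAccounts' }
    @{ Name = 'PSO-Users';   Precedence = 100; MinLength = 10; MaxAge = '90.00:00:00';  Lockout = 10; Groups = 'Domain Users' }
)
foreach ($p in $policies) {
    New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
        -MinPasswordLength $p.MinLength -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge $p.MaxAge `
        -LockoutThreshold $p.Lockout -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'
    # Subjects may be users or global security groups only; an OU is rejected.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Groups
}

# Which PSO applies to a user once precedence is resolved? (No result = default domain policy.)
Get-ADUserResultantPasswordPolicy -Identity jdoe |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# The PSOs themselves live in the Password Settings Container under CN=System.
Get-ADObject -SearchBase "CN=Password Settings Container,CN=System,$((Get-ADDomain).DistinguishedName)" `
    -LDAPFilter '(objectClass=msDS-PasswordSettings)' -Properties msDS-PasswordSettingsPrecedence |
    Select-Object Name, msDS-PasswordSettingsPrecedence | Sort-Object msDS-PasswordSettingsPrecedence
```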


Active Directory Lightweight Directory Services Role

• Targeted for servers that host directory-enabled applications needing an LDAP directory of their own, without the domain infrastructure
• Skeleton version of Active Directory Domain Services: the same database engine and LDAP interface, but no domain, Kerberos KDC or Group Policy; several independent instances can run on one server, each on its own ports
• Installed as a server role via Server Manager


Taking Active Directory Snapshots

• Tools for making snapshots
– ntdsutil.exe, the Active Directory database management tool, creates Volume Shadow Copy snapshots of the directory database and mounts them
– The Active Directory Database Mounting Tool, dsamain.exe, serves a mounted snapshot (or a backup copy of ntds.dit) as a read-only LDAP instance on a port of your choice
• Enable Active Directory snapshots to be taken for later viewing
– Compare to what is in Active Directory after it is restored, or to the live directory after an unwanted change
– Determine which of several backups has the most complete Active Directory data before performing an authoritative restore
– A snapshot contains the whole database, password hashes included, so protect and delete it as you would a backup
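The procedure above end to end, as an added PowerShell example that is not from the textbook: take a snapshot, mount it, serve it with dsamain on a spare port, compare one object's attributes in the snapshot against the live directory, then tear everything down. Run it elevated on a DC; port 10389, the user jdoe and the assumption that the database lives under \Windows\NTDS inside the mounted snapshot are placeholders. The comparison step uses the ActiveDirectory module.

```powershell
# Added example, not from the textbook. Run elevated on a DC; port 10389, 'jdoe' and the
# \Windows\NTDS location inside the snapshot are assumptions for this example.
Import-Module ActiveDirectory

# 1. Create a VSS snapshot of the AD database (ntdsutil prints the snapshot GUID).
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. Mount it. "list all" numbers the snapshots; "mount 1" exposes the newest as C:\$SNAP_...
ntdsutil snapshot "list all" "mount 1" quit quit
$mount = Get-ChildItem 'C:\' | Where-Object { $_.PSIsContainer -and $_.Name -like '$SNAP_*' } |
    Sort-Object LastWriteTime | Select-Object -Last 1
$dit = Join-Path $mount.FullName 'Windows\NTDS\ntds.dit'

# 3. Serve the snapshot read-only on a spare LDAP port. dsamain blocks while it runs,
#    so start it as a background process and give it a moment to come up.
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport 10389" -PassThru
Start-Sleep -Seconds 10

# 4. Compare one object then and now. This is how you choose the best of several
#    backups before an authoritative restore, or see exactly what a bad change did.
$attrs = 'memberOf', 'description', 'userAccountControl', 'whenChanged'
$old = Get-ADUser jdoe -Server 'localhost:10389' -Properties $attrs
$new = Get-ADUser jdoe -Properties $attrs
foreach ($a in $attrs) {
    $o = @($old.$a | Sort-Object) -join ';'
    $n = @($new.$a | Sort-Object) -join ';'
    if ($o -ne $n) { '{0,-20} snapshot=[{1}]  live=[{2}]' -f $a, $o, $n }
}

# 5. Clean up: stop dsamain, unmount and delete the snapshot. It holds password hashes,
#    so do not leave it lying on the volume.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount 1" "delete 1" quit quit
```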


Summary

• Active Directory houses information about network resources
– Domain controllers
– Hierarchy: forest, tree, domain, organizational unit
– Global catalog
• User accounts and profiles
• Functional levels for domain and forest
• New features of Active Directory in Windows Server 2008
