mcitp guide to microsoft windows server 2008 server administration (exam #70-646)
DESCRIPTION
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646). Chapter 4 Introduction to Active Directory and Account Management. Learning Objectives. Understand Active Directory basic concepts Install and configure Active Directory - PowerPoint PPT PresentationTRANSCRIPT
MCITP Guide to Microsoft Windows Server 2008 Server
Administration (Exam #70-646)
Chapter 4
Introduction to Active Directory and Account Management
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
2
Learning Objectives
• Understand Active Directory basic concepts
• Install and configure Active Directory
• Plan and implement Active Directory containers
• Create and manage user accounts
• Configure and use security groups
Learning Objectives (cont’d.)
• Plan how to delegate object management
• Describe and implement new Active Directory features
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
3
Active Directory Basics
• Directory service
• Houses information about all network resources:– Servers, printers, user accounts, groups of user
accounts, security policies, and other information
• Domain controllers (DCs)– Servers that have the AD DS server role installed
• Member servers– Do not have AD installed
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
4
Active Directory Basics (cont’d.)
• Domain – Fundamental component or container – Holds information about all network resources that are
grouped within it
• Each DC is equal to every other DC
• Multimaster replication– Advantage
• If one DC goes down, no network interruption
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
5
Active Directory Basics (cont’d.)
• Activity 4-1: Installing Active Directory
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
6
Figure 4-2 Installation Results windowCourtesy Course Technology/Cengage Learning
Schema
• Defines objects and the information pertaining to those objects that can be stored in Active Directory– Characteristics of objects
• Sample schema for user account– Includes globally unique identifier (GUID)
• Unique number associated with the object name
• Each attribute automatically given a version number and date – When created or changed
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
7
Global Catalog
• Stores information about every object within forest
• First DC configured in a forest becomes global catalog– Can change to another DC
• Purposes:– Authentication– Forest-wide searches of data– Replication of key AD elements– Keeps copy of most used attributes for quick access
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
8
Namespace
• Name resolution– Converts computer and domain names to IP
addresses
• Namespace – Logical area on a network that contains directory
services and named objects– Has the ability to perform name resolution
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
9
Namespace (cont’d.)
• Contiguous namespace – Every child object contains the name of the parent
object
• Disjointed namespace– Child name does not resemble the name of its parent
object
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
10
Containers in Active Directory
• Treelike structure
• Containers:– Forests– Trees– Domains– Organizational units
(OUs)– Sites
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
11
Figure 4-5 Active Directory hierarchical containersCourtesy Course Technology/Cengage Learning
Forest
• Highest level in an Active Directory
• One or more Active Directory trees that are in a common relationship
• Forest functional level – Active Directory functions supported forest-wide– Levels:
• Windows 2000 native forest functional level
• Windows Server 2003 forest functional level
• Windows Server 2008 forest functional level
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
12
Tree
• Contains one or more domains that are in a common relationship
• Domains in a tree typically have a hierarchical structure
• Kerberos transitive trust relationship– Two-way trusts between parent domains and child
domains
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
13
Tree (cont’d.)
• Transitive trust– If A and B have a trust and B and C have a trust, A
and C automatically have a trust as well
• Trusted domain – Granted access to resources
• Trusting domain– One granting access to another domain
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
14
Tree (cont’d.)
• All domains within a single tree share the same schema
• Defines all the object types that can be stored within Active Directory
• All domains in a tree share same global catalog and a portion of their namespace
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
15
Domain
• Logical partition within an Active Directory forest
• Primary container within Active Directory
• Basic functions– To provide an AD partition to house objects– To establish a set of information to be replicated– To expedite management of a set of objects
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
16
Domain (cont’d.)
• Domain functional levels:– Windows 2000 domain functional level– Windows Server 2003 domain functional level– Windows Server 2008 domain functional level
• Activity 4-2: Managing Domains– Objective: Learn where to manage domains and
domain trust relationships
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
17
Organizational Unit
• Grouping of related objects within a domain
• Allow the grouping of objects so that they can be administered using the same group policies– Such as security and desktop setup
• Can be nested within other OUs
• Best practices when creating OUs– Keep to 10 or fewer– Set up horizontally for best efficiency
• Activity 4-3: Managing OUs– Objective: Create an OU and delegate control over it
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
18
Site
• TCP/IP-based concept (container) within Active Directory
• Linked to IP address
• Functions
• Based on connectivity and replication functions
• Bridgehead server – DC designated to have role of exchanging replication
information– One per site
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
19
Active Directory Guidelines
• Keep Active Directory as simple as possible
• Implement the smallest number of domains possible
• Use OUs to reflect organization’s structure
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites in situations where there are multiple IP subnets and multiple geographic locations
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
20
Planning Functional Levels and Trusts
• Carefully plan trusts between forests • External trust
– Creates a trust relationship with a domain that is outside of a forest
• Realm trust– Enables one- or two-way access between a Windows
Server domain within a forest and a realm of UNIX/Linux computers
• Shortcut trust – Enable a domain in one forest to quickly access
resources in a domain within a different forestMCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
21
User Account Management
• General environments:– Accounts that are set up through a stand-alone server
that does not have Active Directory installed– Accounts that are set up in a domain when Active
Directory is installed
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
22
Creating Accounts when Active Directory Is Not Installed
• Install Local Users and Groups MMC snap-in:– For standalone servers that do not use Active
Directory
• Create a local user account on a server that is not a DC– See text for steps
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
23
Creating Accounts when Active Directory Is Not Installed (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
24
Figure 4-11 Selecting the Local Users and Groups MMC snap-inCourtesy Course Technology/Cengage Learning
Creating Accounts when Active Directory Is Not Installed (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
25
Figure 4-12 Creating a user account without Active Directory installedCourtesy Course Technology/Cengage Learning
Creating Accounts when Active Directory Is Installed
• Use Active Directory Users and Computers tool – From the Administrative Tools menu or as an MMC
snap-in
• Create each new account by entering account information and password controls
• Activity 4-4: Creating User Accounts in Active Directory– Objective: Learn how to create a user account in
Active Directory
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
26
Creating Accounts when Active Directory Is Installed (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
27
Figure 4-13 Creating a user accountCourtesy Course Technology/Cengage Learning
Creating Accounts when Active Directory Is Installed (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
28
Figure 4-14 User account propertiesCourtesy Course Technology/Cengage Learning
Disabling, Enabling, and Renaming Accounts
• When to disable
• Activity 4-5: Disabling, Renaming, and Enabling an Account– Objective: Practice disabling,
renaming, and then enabling an account
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
29
Figure 4-15 Disabling an accountCourtesy Course Technology/Cengage Learning
Moving an Account
• May need to move a person’s account from one container to another
• Activity 4-6: Moving an Account– Objective: Practice
moving an account
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
30
Figure 4-16 Moving an accountCourtesy Course Technology/Cengage Learning
Resetting a Password
• Cannot look up forgotten passwords– Reset instead
• Maintain guidelines for resetting passwords
• Activity 4-7: Changing an Account’s Password– Objective: Practice changing an account’s password
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
31
Figure 4-17 Resetting a passwordCourtesy Course Technology/Cengage Learning
Deleting an Account
• Delete accounts that are no longer in use
• Globally unique identifier (GUID) is also deleted – Will not be reused even if you create another account
using the same name
• Activity 4-8: Deleting an Account– Objective: Practice deleting an account
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
32
Security Group Management
• Group accounts with similar characteristics together
• Scope of influence (or scope)– Reach of a group for gaining access to resources in
Active Directory
• Types of groups and associated scopes:– Local– Domain local– Global– Universal
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
33
Security Group Management (cont’d.)
• Security groups – Enable access to resources on a stand-alone server
or in Active Directory
• Distribution groups– Used for e-mail or telephone lists
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
34
Implementing Local Groups
• Local security group – Used to manage resources on a stand-alone
computer that is not part of a domain and on member servers in a domain (non-DCs)
• Create using the Local Users and Groups MMC snap-in
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
35
Implementing Domain Local Groups
• Domain local security group – Used when Active Directory is deployed
• Manage resources in a domain – Give global groups from the same and other domains
access to those resources
• Scope of a domain local group – Domain in which the group exists– Can convert a domain local group to a universal
group
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
36
Implementing Domain Local Groups (cont’d.)
• Access control list (ACL) – List of security descriptors (privileges) that have been
set up for a particular object
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
37
Table 4-1 Membership capabilities of a domain local group
Implementing Global Groups
• Global security group – Contains user accounts from a single domain
– Can also be set up as a member of a domain local group in the same or another domain
• Broader scope than domain local groups• Can be nested• Typical use:
– Add accounts that need access to resources in the same or in another domain
– Make the global group in one domain a member of a domain local group in the same or another domain
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
38
Implementing Global Groups (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
39
Figure 4-18 Nested global groupsCourtesy Course Technology/Cengage Learning
Implementing Global Groups (cont’d.)
• Activity 4-9: Creating Domain Local and Global Security Groups– Objective: Create a domain local and a global security
group and make the global group a member of the domain local group
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
40
Implementing Universal Groups
• Universal security groups – Span domains and trees
• Can include – User accounts from any domain– Global groups from any domain– Other universal groups from any domain
• Guidelines to help simplify how you plan to use groups– See text
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
41
Implementing Universal Groups (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
42
Figure 4-21 Managing security through universal and global groupsCourtesy Course Technology/Cengage Learning
Properties of Groups
• To edit properties:– Double-click group in the Local Users and Groups tool
for a stand-alone (non domain) or member server– Or in the Active Directory Users and Computers tool
for DC servers in a domain
• Properties– General– Members– Member of– Managed by
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
43
Planning the Delegation of Object Management
• Security groups and user accounts enable an organization to delegate authority over objects
• Establish and document policies
• Common objects that are delegated include OUs, user accounts, and groups
• Use Delegation of Control Wizard
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
44
Implementing User Profiles
• Local user profile – Automatically created at the local computer when you
log on with an account for the first time
• Advantages of user profiles
• Roaming profile– Downloaded to client workstation each time user
account is logged on
• Mandatory user profile– Certain users cannot change their profiles
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
45
What’s New in Windows Server 2008 Active Directory
• Restart capability
• Read-Only Domain Controller (RODC)
• Auditing improvements
• Multiple password and account lockout policies in a single domain
• Active Directory Lightweight Directory Services role
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
46
Restart Capability
• Stop Active Directory Domain Services without taking down the computer
• General steps– See text for steps
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
47
Read-Only Domain Controller
• Cannot use to update information in Active Directory
• Does not replicate to regular DCs
• Can function as a Key Distribution Center for the Kerberos authentication method
• Provides better security at branch locations– Example
• Can be configured as DNS server
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
48
Auditing Improvements
• Audit trail of many types of changes
• Records successful completion or reason for failure
• Must set up in two places
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
49
Multiple Password and Account Lockout Policies in a Single Domain
• Set up multiple password and account lockout security requirements – Associate them with a security group, user or OU
• Can now create more than one set of account policies within a domain
• Password settings container (PSC)– Contains password settings objects (PSOs)
• Represent unique set of password policies
• Three policy sets: – Ordinary users, administrators, service accounts
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
50
Active Directory Lightweight Directory Services Role
• Targeted for servers that manage user applications
• Skeleton version of Active Directory Domain Services
• Installed as a server role via Server Manager
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
51
Taking Active Directory Snapshots
• Tools for making snapshots:– ntdsutil.exe Active Directory database management
tool – Active Directory Database Mounting Tool or
dsamain.exe tool
• Enable Active Directory snapshots to be taken for later viewing– Compare to what is in the Active Directory after it is
restored– Determine which of several restores has the most
complete Active Directory dataMCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
52
Summary
• Active Directory houses information about network resources– Domain controllers– Hierarchy: forest, tree, domain, organizational unit– Global catalog
• User accounts and profiles
• Functional levels for domain and forest
• New features of Active Directory in Windows Server 2008
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
53