
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

Chapter 4 Introduction to Active Directory and Account Management

NT3-4 model
Domain controller (DC): a server which contains a directory of all objects in the domain

MyDomain
  1 primary domain controller, multiple backup domain controllers
  All changes made on the primary are replicated to the backup domain controllers
  Adequate for smaller organizations located on a single high-speed network
  Used NetBIOS names; broadcast resolution made it difficult to locate resources
  Resource sharing between domains cumbersome to set up and control

Active Directory model

Domain controller (DC): a server which contains:
  A directory of all objects in the domain
  Configuration information for all sites within the forest
  A subset of information about all objects within the forest
  A common schema

MyDomain.class
  Multiple domain controllers, all equal
  Multi-master replication
  Adaptable to worldwide organizations with multiple WAN-connected locations
  Uses host names; resolution of servers, services and workstations via DNS
  Automatically enables resource sharing between domains in a forest

Containers in Active Directory


Treelike structure
Logical containers:
  Forests
  Trees
  Domains
  Organizational units (OUs)
Figure 4-5 Active Directory hierarchical containers
Courtesy Course Technology/Cengage Learning

Physical containers:
  Sites

Active Directory partitions resident in every Domain Controller


Domain level:
  Domain partition containing a full copy of every object in the domain

Forest level:
  A common schema
  A global catalog
  A common knowledge of the forest's physical locations (sites), known as the configuration partition

Schema
Defines all the objects and attributes that the directory service uses to store data
Characteristics of objects:
  Classes of objects (~260)
  Required and optional attributes (~1,550)

Installing Active Directory loads the default schema
Schema can be changed via upgrades, application installs and manually
Schema changes cannot be reversed
The Active Directory Schema MMC snap-in is hidden until its DLL is registered: regsvr32 schmmgmt.dll

Global Catalog
Stores information about every object within the forest
First DC configured in a forest becomes the global catalog
  Can be changed to another DC

Purposes:
  Authentication
  Forest-wide searches of data
  Replication of key AD elements
  Keeps a copy of the most used attributes for quick access

Configuration
Is the physical component of Active Directory
Contains sites (physical locations)
  Sites are based on IP subnets
  Allow users/machines to locate services in the same location as they are
  Define replication paths and schedules between sites
Bridgehead server
  DC designated to have the role of exchanging replication information
  One per site
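The partition and configuration slides above describe what every DC holds; the following PowerShell is an added example (not code from the textbook) that reads those partitions back from a live DC. It assumes a domain-joined machine in the textbook's walt.class domain and uses only ADSI, so it needs no extra modules. The function names Get-SchemaCounts and Get-SiteSubnets are this example's own.

```powershell
# Added example (not from the textbook): read the naming contexts every DC holds
# and enumerate the sites/subnets stored in the configuration partition.
# Assumes a domain-joined machine in walt.class; ADSI only, no AD module needed.

# RootDSE exposes the distinguished names of the three partitions.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value          # domain partition
$configNC = $rootDse.configurationNamingContext.Value    # configuration partition (sites)
$schemaNC = $rootDse.schemaNamingContext.Value           # schema partition

"Domain partition:        $domainNC"
"Configuration partition: $configNC"
"Schema partition:        $schemaNC"
"Answering DC:            $($rootDse.dnsHostName.Value)"
"DC is a global catalog:  $($rootDse.isGlobalCatalogReady.Value)"

# Count the object classes and attributes defined in the schema
# (the slide quotes roughly 260 classes and 1,550 attributes).
function Get-SchemaCounts {
    param([string]$SchemaDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SchemaDN"
    $searcher.PageSize = 1000                      # paged search: more than 1,000 results expected
    $searcher.PropertiesToLoad.Add("cn") | Out-Null
    $searcher.Filter = "(objectClass=classSchema)"
    $classes = $searcher.FindAll().Count
    $searcher.Filter = "(objectClass=attributeSchema)"
    $attributes = $searcher.FindAll().Count
    New-Object PSObject -Property @{ Classes = $classes; Attributes = $attributes }
}

# List IP subnets and the site each one maps to (subnet objects live under
# CN=Subnets,CN=Sites in the configuration partition; siteObject is the site's DN).
function Get-SiteSubnets {
    param([string]$ConfigDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$ConfigDN"
    $searcher.Filter = "(objectClass=subnet)"
    $searcher.PropertiesToLoad.AddRange(@("cn", "siteObject"))
    foreach ($result in $searcher.FindAll()) {
        # A subnet with no siteObject is not mapped to any site: clients in it
        # cannot find "nearby" services, which is worth flagging.
        $site = "(unassigned)"
        if ($result.Properties.Contains("siteobject")) { $site = $result.Properties["siteobject"][0] }
        New-Object PSObject -Property @{ Subnet = $result.Properties["cn"][0]; Site = $site }
    }
}

Get-SchemaCounts -SchemaDN $schemaNC
Get-SiteSubnets -ConfigDN $configNC | Format-Table Subnet, Site -AutoSize
```

Any subnet reported as "(unassigned)" is the case the Configuration slide warns about implicitly: a client in that subnet cannot locate a DC or service in its own site and will authenticate across the WAN.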

Active Directory Forests and trees


Forest
Highest level in an Active Directory
One or more Active Directory trees that are in a common relationship
Forest functional level
  Active Directory functions supported forest-wide
  Levels:
    Windows 2000 native forest functional level
    Windows Server 2003 forest functional level
    Windows Server 2008 forest functional level


Tree
Contains one or more domains that are in a hierarchical naming relationship
Kerberos transitive trust relationship
  Two-way trusts between parent domains and child domains


Domain
Logical partition within an Active Directory forest
Primary container within Active Directory
Basic functions:
  To provide an AD partition to house objects
  To establish a set of information to be replicated
  To expedite management of a set of objects

Domain functional levels:
  Windows 2000 domain functional level
  Windows Server 2003 domain functional level
  Windows Server 2008 domain functional level

Diagram (slide graphic, text only): two domain trees with their child domains
  walt.class: Table1.walt.class, Table2.walt.class, southTable2.walt.class
  mike.class: Table1.mike.class


Diagram (slide graphic, text only): one domain tree, walt.class, with child domains
  Mike.walt.class, Sue.walt.class, Nate.walt.class, Pete.walt.class, Ron.walt.class


Activity 4-1: Install Active Directory
Activity 4-2: Managing Domains


Objective: Learn where to manage domains and domain trust relationships

Notes to me
  Show current DNS structure
  Show Domains and Trusts
  Students to confirm DNS settings and workgroup membership

Exercise: Testing trusts

  Partner with someone at your table
  Open Active Directory Users and Computers (ADUC)
  Right-click the Users container and create a new user using your partner's name
  Log off and log back on using your name from your partner's domain
    i.e. log in as partnerDomainName\yourname


Organizational Unit
Grouping of related objects within a domain
Allows the grouping of objects so that they can be administered using the same group policies
  Such as security and desktop setup

Can be nested within other OUs
Best practices when creating OUs:
  Keep to 10 or fewer
  Set up horizontally for best efficiency

Activity 4-3: Create an OU and delegate permissions



Active Directory Guidelines


Keep Active Directory as simple as possible
Implement the smallest number of domains possible
Use OUs to reflect the organization's structure
Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
Implement multiple trees and forests only as necessary
Use sites in situations where there are multiple IP subnets and multiple geographic locations

Trusts
Trusts at the forest level
  Transitive, 2-way
Forest trust
  Non-transitive
  2-way, or 1-way outgoing or incoming
Realm trust
Shortcut trust
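Both the "Testing trusts" exercise and the trust types listed here can be checked from the directory itself: every trust a domain participates in is stored as a trustedDomain object under its CN=System container. The PowerShell below is an added example (not code from the textbook) that lists those objects and decodes their direction and transitivity; it assumes a domain-joined machine and the documented meanings of trustDirection, trustType and the trustAttributes flag bits. Get-DomainTrust is this example's own function name.

```powershell
# Added example (not from the textbook): list the trusts stored in CN=System and
# decode direction/transitivity. Assumes a domain-joined machine; the lookup
# tables below are the documented attribute values, not page content.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value

$TrustDirection = @{ 0 = "Disabled"; 1 = "Inbound"; 2 = "Outbound"; 3 = "Bidirectional" }
$TrustType      = @{ 1 = "Downlevel (NT)"; 2 = "Uplevel (AD)"; 3 = "MIT Kerberos realm"; 4 = "DCE" }

# trustAttributes flag bits relevant to the trust kinds on the slide
$TRUST_ATTRIBUTE_NON_TRANSITIVE    = 0x01
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08
$TRUST_ATTRIBUTE_WITHIN_FOREST     = 0x20

function Get-DomainTrust {
    param([string]$DomainDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDN"
    $searcher.Filter = "(objectClass=trustedDomain)"
    $searcher.PropertiesToLoad.AddRange(@("trustPartner", "trustDirection", "trustType", "trustAttributes"))
    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties["trustattributes"][0]
        # Decode the trust kind from the flag bits; realm trusts show up via trustType = 3.
        $kind = "Other"
        if     ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { $kind = "Forest trust (transitive)" }
        elseif ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST)     { $kind = "Intra-forest: parent/child, tree-root or shortcut (transitive)" }
        elseif ($attrs -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)    { $kind = "External trust (non-transitive)" }
        New-Object PSObject -Property @{
            Partner   = $r.Properties["trustpartner"][0]
            Direction = $TrustDirection[[int]$r.Properties["trustdirection"][0]]
            Type      = $TrustType[[int]$r.Properties["trusttype"][0]]
            Kind      = $kind
        }
    }
}

Get-DomainTrust -DomainDN $domainNC | Format-Table Partner, Direction, Type, Kind -AutoSize
```

In the classroom exercise, a partner domain should appear with Direction "Bidirectional" and an intra-forest Kind; a trust you did not create, or one marked Outbound to an unfamiliar partner, is the sort of entry to question, since an outbound trust lets that partner's accounts be authorized here. The built-in nltest /domain_trusts shows the same objects in less detail.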


Diagram (slide graphic, text only): two domain trees with their child domains
  walt.class: Table1.walt.class, Table2.walt.class, southTable2.walt.class
  mike.class: Table1.mike.class


Creating Local Accounts when Active Directory Is Installed

Figure 4-11 Selecting the Local Users and Groups MMC snap-in
Courtesy Course Technology/Cengage Learning

Creating Accounts when Active Directory Is Installed


Activity 4-4: Creating User Accounts in Active Directory
Objective: Learn how to create a user account in Active Directory


Account Activities
Disabling an account
Enabling an account
Renaming an account
Moving an account
Changing an account's password
Deleting an account

Figure 4-15 Disabling an account



Courtesy Course Technology/Cengage Learning
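The six account activities above are shown in the textbook through the ADUC console; the PowerShell below is an added example (not the textbook's code) that performs each one through ADSI, which is how the same changes are scripted or audited. All distinguished names are constructed for walt.class, the function names are this example's own, and the caller is assumed to hold the needed rights on the OU and account.

```powershell
# Added example (not from the textbook): disable/enable, rename, move, reset the
# password of, and delete a user account via ADSI. DNs are constructed examples.

$ADS_UF_ACCOUNTDISABLE = 0x2   # bit in userAccountControl that disables an account

function Set-AccountEnabled {
    param([string]$UserDN, [bool]$Enabled)
    $user = [ADSI]"LDAP://$UserDN"
    $uac  = [int]$user.userAccountControl.Value
    if ($Enabled) { $uac = $uac -band (-bnot $ADS_UF_ACCOUNTDISABLE) }   # clear the bit
    else          { $uac = $uac -bor $ADS_UF_ACCOUNTDISABLE }            # set the bit
    $user.Put("userAccountControl", $uac)
    $user.SetInfo()
}

function Rename-Account {
    param([string]$UserDN, [string]$NewCN)
    $user = [ADSI]"LDAP://$UserDN"
    # Rename changes the RDN only; sAMAccountName and userPrincipalName are separate attributes.
    $user.psbase.Rename("CN=$NewCN")
}

function Move-Account {
    param([string]$UserDN, [string]$TargetOuDN)
    $user = [ADSI]"LDAP://$UserDN"
    $user.psbase.MoveTo([ADSI]"LDAP://$TargetOuDN")
}

function Reset-AccountPassword {
    param([string]$UserDN)
    $user = [ADSI]"LDAP://$UserDN"
    $newPassword = Read-Host "New password for $UserDN"   # prompted, never hard-coded in the script
    $user.SetPassword($newPassword)     # an administrative reset: needs the Reset Password right, not the old password
    $user.Put("pwdLastSet", 0)          # force the user to change it at next logon
    $user.SetInfo()
}

function Remove-Account {
    param([string]$UserDN)
    $user = [ADSI]"LDAP://$UserDN"
    $user.psbase.DeleteTree()   # a user is a leaf object, so this removes just the account
}

# Worked sequence on a constructed account; the DN changes as the account is renamed and moved.
$dn = "CN=Sue Smith,OU=Students,DC=walt,DC=class"
Set-AccountEnabled -UserDN $dn -Enabled $false      # Figure 4-15: disable
Set-AccountEnabled -UserDN $dn -Enabled $true       # enable again
Rename-Account -UserDN $dn -NewCN "Sue Jones"
$dn = "CN=Sue Jones,OU=Students,DC=walt,DC=class"
Move-Account -UserDN $dn -TargetOuDN "OU=Staff,DC=walt,DC=class"
$dn = "CN=Sue Jones,OU=Staff,DC=walt,DC=class"
Reset-AccountPassword -UserDN $dn
Remove-Account -UserDN $dn
```

Disabling rather than deleting is the usual first step when someone leaves: the SID and group memberships survive, so the account can be re-enabled or its resource access reviewed, whereas a deleted account's SID can never be matched to permissions again.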

Security Group Management


Group accounts with similar characteristics together
Scope of influence (or scope):
  Reach of a group for gaining access to resources in Active Directory

Types of groups and associated scopes:
  Local
  Domain local
  Global
  Universal


Implementing Local Groups


Local security group
Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)

Create using the Local Users and Groups MMC snap-in


Implementing Global Groups


Global security group
  Contains user accounts from a single domain
  Can also be set up as a member of a domain local group in the same or another domain

Broader scope than domain local groups
Can be nested
Typical use:
  Add accounts that need access to resources in the same or in another domain
  Make the global group in one domain a member of a domain local group in the same or another domain

Implementing Global Groups (contd.)

Figure 4-18 Nested global groups


Courtesy Course Technology/Cengage Learning

Implementing Global Groups (contd.)


Creating Domain Local and Global Security Groups


Implementing Universal Groups


Universal security groups
  Span domains and trees

Can include:
  User accounts from any domain
  Global groups from any domain
  Other universal groups from any domain
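The global, domain local and universal group slides describe the nesting pattern in words (accounts into a global group, the global group into a domain local group that carries the resource permission, and universal groups collecting global groups from several domains). The PowerShell below is an added example (not the textbook's code) that creates the three scopes through ADSI and builds exactly that chain. Group and OU names are constructed for walt.class and mike.class; the groupType values are the documented ADS_GROUP_TYPE_* flags; New-SecurityGroup, Add-GroupMember and ConvertTo-Int32 are this example's own helpers.

```powershell
# Added example (not from the textbook): create global, domain local and universal
# security groups and nest them. Names/DNs are constructed for the textbook domains.

$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
$ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000   # without this bit the group is a distribution group

# groupType is stored as a signed 32-bit value, so 0x80000002 must become -2147483646.
function ConvertTo-Int32 {
    param([int64]$Value)
    if ($Value -gt [int]::MaxValue) { return [int]($Value - 4294967296) }
    return [int]$Value
}

function New-SecurityGroup {
    param([string]$ContainerDN, [string]$Name, [int64]$Scope)
    $container = [ADSI]"LDAP://$ContainerDN"
    $group = $container.Create("group", "CN=$Name")
    $group.Put("sAMAccountName", $Name)
    $group.Put("groupType", (ConvertTo-Int32 ($Scope -bor $ADS_GROUP_TYPE_SECURITY_ENABLED)))
    $group.SetInfo()
    return $group
}

function Add-GroupMember {
    param([string]$GroupDN, [string]$MemberDN)
    $group = [ADSI]"LDAP://$GroupDN"
    $group.Add("LDAP://$MemberDN")      # IADsGroup::Add takes the member's ADsPath
}

$ou = "OU=Groups,DC=walt,DC=class"
New-SecurityGroup -ContainerDN $ou -Name "Sales-Staff-GG"       -Scope $ADS_GROUP_TYPE_GLOBAL_GROUP       | Out-Null
New-SecurityGroup -ContainerDN $ou -Name "SalesShare-Modify-DL" -Scope $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | Out-Null
New-SecurityGroup -ContainerDN $ou -Name "AllSales-UG"          -Scope $ADS_GROUP_TYPE_UNIVERSAL_GROUP    | Out-Null

# Accounts -> global group (accounts come from this one domain only)
Add-GroupMember -GroupDN "CN=Sales-Staff-GG,$ou" -MemberDN "CN=Sue Smith,OU=Staff,DC=walt,DC=class"
# Global group -> domain local group; the share ACL then names only SalesShare-Modify-DL
Add-GroupMember -GroupDN "CN=SalesShare-Modify-DL,$ou" -MemberDN "CN=Sales-Staff-GG,$ou"
# Global groups from any domain in the forest -> universal group
Add-GroupMember -GroupDN "CN=AllSales-UG,$ou" -MemberDN "CN=Sales-Staff-GG,$ou"
Add-GroupMember -GroupDN "CN=AllSales-UG,$ou" -MemberDN "CN=Sales-Staff-GG,OU=Groups,DC=mike,DC=class"
```

Keeping resource permissions on the domain local group and people in the global group means an access review only has to answer two questions: who is in the global group, and which domain local groups is it nested in. Universal group membership is stored in the global catalog, which is why the slides recommend nesting global groups into them rather than individual users.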


Implementing Universal Groups (contd.)

Figure 4-21 Managing security through universal and global groups


Courtesy Course Technology/Cengage Learning

Properties of Groups
To edit properties:
  Double-click the group in the Local Users and Groups tool for a stand-alone (non-domain) or member server
  Or in the Active Directory Users and Computers tool for DC servers in a domain

Properties:
  General
  Members
  Member of
  Managed by

Planning the Delegation of Object Management


Security groups and user accounts enable an organization to delegate authority over objects
Establish and document policies
Common objects that are delegated include OUs, user accounts, and groups
Use the Delegation of Control Wizard
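The Delegation of Control Wizard writes access control entries onto the OU; the PowerShell below is an added example (not the textbook's code) that makes the same kind of grant from the command line with dsacls and then reads the OU's DACL back so the delegation can be documented and re-checked later. The OU and group names are constructed; the GUID is the documented control-access-right value for "Reset Password"; Get-ResetPasswordDelegation is this example's own function.

```powershell
# Added example (not from the textbook): delegate password resets on an OU to a
# help-desk group with dsacls, then verify the ACE through ADSI. Names are constructed.

$ouDN     = "OU=Students,DC=walt,DC=class"
$helpDesk = "WALT\HelpDesk-GG"      # a global security group (constructed name)

# CA = control access (an extended right); "Reset Password" on user objects only;
# /I:S = inherit to child objects only, so the OU object itself gets no new rights.
dsacls "$ouDN" /I:S /G "${helpDesk}:CA;Reset Password;user"

# Verification: list every allow ACE on the OU that carries the Reset Password right.
$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

function Get-ResetPasswordDelegation {
    param([string]$ObjectDN)
    $entry = [ADSI]"LDAP://$ObjectDN"
    $entry.psbase.ObjectSecurity.Access |
        Where-Object { $_.ObjectType -eq $ResetPasswordRight -and $_.AccessControlType -eq "Allow" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}

Get-ResetPasswordDelegation -ObjectDN $ouDN | Format-Table -AutoSize
```

The "establish and document policies" point on the slide is easiest to honour if the verification function's output is kept with the change record: a delegation that exists in the DACL but not in the documentation is the one to investigate, since an extended right such as Reset Password on an OU that also contains administrative accounts is an escalation path.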


Implementing User Profiles


Local user profile
  Automatically created at the local computer when you log on with an account for the first time

Advantages of user profiles

Roaming profile
  Downloaded to the client workstation each time the user account is logged on

Mandatory user profile
  Certain users cannot change their profiles


What's New in Windows Server 2008 Active Directory


Restart capability
Read-Only Domain Controller (RODC)
Auditing improvements
Multiple password and account lockout policies in a single domain
Active Directory Lightweight Directory Services role


Read-Only Domain Controller


Cannot be used to update information in Active Directory
Does not replicate to regular DCs
Can function as a Key Distribution Center for the Kerberos authentication method
Provides better security at branch locations
Example: can be configured as a DNS server


Multiple Password and Account Lockout Policies in a Single Domain


Set up multiple password and account lockout security requirements
  Associate them with a security group, user or OU

Can now create more than one set of account policies within a domain
Password settings container (PSC)
  Contains password settings objects (PSOs)
  Represent a unique set of password policies

Three policy sets:
  Ordinary users, administrators, service accounts
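The PSO slide describes the objects; the PowerShell below is an added example (not the textbook's code) that creates one of the three policy sets it names, a stricter administrators policy, as a PSO in the Password Settings Container and then checks which PSO actually applies to a user. It assumes the domain is at the Windows Server 2008 domain functional level (required for PSOs), uses the built-in ldifde tool with an LDIF file generated here, and constructs all names for walt.class. Two facts the code relies on: PSO time attributes are stored as negative 100-nanosecond intervals, and msDS-PSOAppliesTo takes user or global security group DNs. ConvertTo-AdInterval and Get-ResultantPso are this example's own functions.

```powershell
# Added example (not from the textbook): create an administrators PSO with ldifde
# and read back the effective PSO for a user. Names are constructed for walt.class.

$domainDN = "DC=walt,DC=class"
$psoDN    = "CN=PSO-Administrators,CN=Password Settings Container,CN=System,$domainDN"
$target   = "CN=Domain Admins,CN=Users,$domainDN"   # PSOs link to users and global security groups

# PSO durations are negative 100-ns intervals; one .NET tick is 100 ns, so negate Ticks.
function ConvertTo-AdInterval { param([TimeSpan]$Span) return (-1 * $Span.Ticks) }

$ldif = @"
dn: $psoDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: $(ConvertTo-AdInterval ([TimeSpan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-AdInterval ([TimeSpan]::FromDays(30)))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-AdInterval ([TimeSpan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-AdInterval ([TimeSpan]::FromMinutes(30)))
msDS-PSOAppliesTo: $target
"@

# Write the LDIF and import it; the precedence value (lower wins) decides between
# several PSOs that apply to the same user through different groups.
$ldifPath = Join-Path $env:TEMP "pso-administrators.ldf"
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath

# msDS-ResultantPSO is a constructed attribute: it is only returned when asked for by name.
function Get-ResultantPso {
    param([string]$UserDN)
    $user = [ADSI]"LDAP://$UserDN"
    $user.psbase.RefreshCache(@("msDS-ResultantPSO"))
    return $user.psbase.Properties["msDS-ResultantPSO"].Value
}

Get-ResultantPso -UserDN "CN=Administrator,CN=Users,$domainDN"
```

Get-ResultantPso returning nothing means no PSO applies and the user falls back to the domain's Default Domain Policy settings, which is the check to run after creating the three policy sets the slide lists, one user from each set.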

Active Directory Lightweight Directory Services Role


Targeted for servers that manage user applications
Skeleton version of Active Directory Domain Services
Installed as a server role via Server Manager
