Active Directory Objects and Trusts
Module Overview
• Configuring Active Directory Objects
• Configuring AD DS Trusts
Lesson 1: Configuring Active Directory Objects
• Types of AD DS Objects
• AD DS Group Types
• AD DS Group Scopes
• Default AD DS Groups
• AD DS Special Identities
Shared folders
• Used to simplify the process of locating and connecting to shared folders
Demonstration: Configuring AD DS User Accounts
In this demonstration, you will see how to configure AD DS user accounts
AD DS Group Types
Distribution groups
Security groups
Used to assign rights and permissions to groups of users and computers
Used most effectively when nested
Default AD DS Groups
Account operators
Administrators
Backup operators
Incoming forest trust builders
Network configuration operators
Performance log users
Performance monitor users
Pre-Windows 2000 compatible access
Print operators
Remote Desktop users
Replicator
Server operators
Users
AD DS Special Identities
Interactive
Anonymous logon
Local system
Authenticated users
Network
Batch
Self
Creator group
Service
Creator owner
Terminal Server users
Dialup
Other organization
Everyone
This organization
Discussion: Using Default Groups and Special Identities
Using the scenario, answer the questions in your workbook
Demonstration: Configuring AD DS Group Accounts
In this demonstration, you will see how to configure AD DS group accounts
Demonstration: Configuring Additional AD DS Objects
In this demonstration, you will see how to configure additional AD DS objects
Lesson 2: Strategies for Using Groups
• Options for Assigning Access to Resources
Options include:
[Diagram: User Account, Permissions, Accounts, Groups]
Using Account Groups and Resource Groups
• Dsadd
• Dsmod
• Dsrm
• Dsget
• net user
• net group
• net computer
Managing User Objects with LDIFDE
• LDIFDE.exe: import and export between filename.ldf and Active Directory
Managing User Objects with CSVDE
• CSVDE.exe: import and export between filename.csv and Active Directory
What Is Windows PowerShell?
Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2, 6425A-NYC-CL1
User name: Administrator
Password: Pa$$w0rd
• Delegated administration:
Eases administration by distributing routine administrative tasks
Provides users or groups more control over local network resources
Eliminates the need for multiple administrative accounts
[Diagram: OU1, OU2, OU3, Admin1]
• AD DS Trust Options
Trust characteristics:
[Diagram: Forest 1 and Forest 2, showing Tree/Root Trust, Forest Trust, Parent/Child Trust, Shortcut Trust, Realm Trust and External Trust; labels: Forest (root), Domain D, Domain F, Domain C, Kerberos Realm]
How Trusts Work Within a Forest
[Diagram: Forest Root Domain; Tree One with Tree Root Domain, Domain 1 and Domain 2; Tree Two; Domain A, Domain B, Domain C]
How Trusts Work Between Forests
[Diagram: Forest 1 (WoodgroveBank.com, EMEA.WoodgroveBank.com) and Forest 2 (contoso.com, NA.Contoso.com) joined by a forest trust, each with a global catalog; labels: Seattle, Vancouver; numbered steps 1 to 9]
Demonstration: Configuring Trusts
In this demonstration, you will see how to configure shortcut, external, and forest trusts
What Are User Principal Names?
UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
What Are the Selective Authentication Settings?
Selective authentication:
Logon information
Virtual machines: 6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-DC1, 6425A-NYC-CL1
User name: Administrator
Password: Pa$$w0rd
• Tools