Page 1: ch04

MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

Chapter 4: Introduction to Active Directory and Account Management

Page 2: ch04


Windows NT 3.x/4.0 domain model

• Domain controller (DC): a server that holds a directory of all objects in the domain
• One primary domain controller (PDC) and multiple backup domain controllers (BDCs)
• All changes are made on the PDC and replicated one way to the BDCs (single-master replication)
• Example in the slide diagram: a single domain named MyDomain
• Adequate for smaller organizations located on a single high-speed network
• Used NetBIOS names and broadcast name resolution, which made it difficult to locate resources across subnets
• Resource sharing between domains required manually created, non-transitive trusts that were cumbersome to set up and control

Page 3: ch04


Active Directory model

• Domain controller (DC): a server that holds
  – a directory of all objects in its domain
  – configuration information for all sites within the forest
  – a subset of attributes for every object in the forest (the global catalog, on DCs that hold the GC role)
  – a common schema
• Multiple domain controllers, all equal (no PDC/BDC distinction)
• Example in the slide diagram: a DNS-style domain name, MyDomain.class
• Multi-master replication: a change can be made on any writable DC and is replicated to the others
• Adaptable to worldwide organizations with multiple WAN-connected locations
• Uses DNS host names; servers, services (published as SRV records) and workstations are located via DNS
• Automatically enables resource sharing between domains in a forest through transitive Kerberos trusts

Page 4: ch04

Containers in Active Directory

• Treelike structure
• Logical containers:
  – Forests
  – Trees
  – Domains
  – Organizational units (OUs)
• Physical:
  – Sites

MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

Figure 4-5 Active Directory hierarchical containers. Courtesy Course Technology/Cengage Learning

Page 5: ch04

Active Directory partitions resident in every Domain Controller

• Domain level
  – Domain partition containing a full copy of every object in the domain (writable on a regular DC, read-only on an RODC)
• Forest level (replicated to every DC in the forest):
  – A common schema (the schema partition)
  – A global catalog: a partial replica of every domain, held only by the DCs designated as global catalog servers
  – A common knowledge of the forest's physical locations (sites), known as the configuration partition


Page 6: ch04

Schema

• Defines all the object classes and attributes that the directory service uses to store data
  – Object classes (about 260 in the default Windows Server 2008 schema)
  – Required and optional attributes (about 1,550)
• Installing Active Directory loads the default schema
• Schema can be changed by OS upgrades (adprep), application installs (Exchange, for example) and manually
• Schema changes cannot be reversed: classes and attributes can be deactivated (made defunct) but never deleted, so test every extension in a lab forest first
• The Active Directory Schema MMC snap-in must be registered before it can be added to a console: regsvr32 schmmgmt.dll. Schema changes are accepted only on the DC holding the schema master role


Page 7: ch04

Global Catalog

• Stores a partial replica (the most commonly searched attributes) of every object in the forest
• The first DC configured in a forest becomes a global catalog server; the role can be added to or moved to other DCs
• Purposes:
  – Authentication: resolves universal group membership at logon and maps a user principal name (UPN) to its domain
  – Forest-wide searches of directory data
  – Replication of key AD elements across domains
  – Keeps a copy of the most used attributes for quick access


Page 8: ch04

Configuration

• The configuration partition is the physical component of Active Directory
• Contains sites (physical locations)
• Sites are defined by IP subnets; a client maps its own address to a subnet to find its site
• Allows users and machines to locate services (DCs, global catalogs) in the same location as they are, via site-specific DNS SRV records
• Defines replication paths (site links) and schedules between sites
• Bridgehead server
  – DC designated to exchange replication information with other sites
  – At least one per site for each directory partition, chosen automatically by the Inter-Site Topology Generator unless a preferred bridgehead is configured

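The partitions, schema, global catalog and site slides above describe where the pieces of the directory live. The following added example (not from the textbook) asks a live DC the same questions, so an administrator can confirm which naming contexts the DC holds, whether the schema has been extended, which DCs are global catalogs and which DCs act as bridgeheads. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later), the repadmin and nltest tools, and a domain-joined account that can read the directory; the forest name walt.class is the slides' example.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module,
# repadmin.exe and nltest.exe on a domain-joined machine with read access.
Import-Module ActiveDirectory

# 1. Partitions: RootDSE lists every naming context this DC holds.
$rootDse = Get-ADRootDSE
"Domain partition        : $($rootDse.defaultNamingContext)"
"Configuration partition : $($rootDse.configurationNamingContext)"
"Schema partition        : $($rootDse.schemaNamingContext)"
"All naming contexts     : $($rootDse.namingContexts -join ', ')"

# 2. Schema: version plus a count of classes and attributes. A count that does
#    not match your baseline is the quickest sign of an unplanned extension.
$schemaNC = $rootDse.schemaNamingContext
$schema   = Get-ADObject -Identity $schemaNC -Properties objectVersion
$classes  = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)').Count
$attribs  = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)').Count
"Schema objectVersion $($schema.objectVersion): $classes classes, $attribs attributes"

# 3. Global catalog: which DCs hold it, and which DC owns the schema master
#    role (the only DC on which schema changes can be written).
$forest = Get-ADForest
"Forest mode     : $($forest.ForestMode)"
"Schema master   : $($forest.SchemaMaster)"
"Global catalogs : $($forest.GlobalCatalogs -join ', ')"

# The same question per DC, including whether each one is an RODC.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# 4. Sites: the site this machine resolved to from its IP subnet, and the
#    bridgehead servers the KCC/ISTG selected for inter-site replication.
nltest /dsgetsite
repadmin /bridgeheads
```

Run it once after the forest is built and keep the output; the class and attribute counts and the list of global catalogs are the baseline you compare against after every application install.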

Page 9: ch04

Active Directory Forests and trees


Page 10: ch04

Forest

• Highest level in an Active Directory hierarchy
• One or more Active Directory trees that share a common schema, configuration partition and global catalog and are joined by tree-root trusts
• Forest functional level
  – Determines which Active Directory functions are supported forest-wide; it can be raised but not lowered, and every DC in the forest must run at least the matching operating system
  – Levels: Windows 2000, Windows Server 2003, Windows Server 2008


Page 11: ch04

Tree

• Contains one or more domains that are in a hierarchical (contiguous DNS) naming relationship
• Kerberos transitive trust relationship: two-way transitive trusts are created automatically between parent domains and child domains


Page 12: ch04

Domain

• Logical partition within an Active Directory forest
• Primary container within Active Directory
• Basic functions:
  – To provide an AD partition to house objects
  – To establish a set of information to be replicated among the domain's DCs
  – To expedite management of a set of objects
• Domain functional levels: Windows 2000 native, Windows Server 2003, Windows Server 2008


Page 13: ch04

Diagram: two trees in one forest. Tree 1 is rooted at walt.class, with child domains Table1.walt.class and Table2.walt.class and the grandchild domain southTable2.walt.class. Tree 2 is rooted at mike.class, with the child domain Table1.mike.class.

Page 14: ch04


Diagram: a single tree rooted at walt.class with the child domains Mike.walt.class, Sue.walt.class, Nate.walt.class, Pete.walt.class and Ron.walt.class.

Page 15: ch04

• Activity 4-1: Install Active Directory
• Activity 4-2: Managing Domains
  – Objective: Learn where to manage domains and domain trust relationships
• Notes to me
  – Show current DNS structure
  – Show Domains and Trusts
  – Students to confirm DNS settings, workgroup membership


Page 16: ch04

Exercise: Testing trusts

• Partner with someone at your table
• Open Active Directory Users and Computers (ADUC)
• Right-click the Users container and create a new user using your partner's name
• Log off and log back on using your name from your partner's domain, i.e. log in as PartnerDomainName\yourname


Page 17: ch04

Organizational Unit

• Grouping of related objects within a domain
• Allows objects to be administered together with the same Group Policy settings, such as security and desktop setup, and to be delegated as a unit
• Can be nested within other OUs
• Best practices when creating OUs:
  – Keep nesting to 10 levels or fewer; every level adds Group Policy processing time at logon
  – Set up horizontally (wide and shallow) for best efficiency
• Activity 4-3: create an OU and delegate permissions


Page 18: ch04

Active Directory Guidelines

• Keep Active Directory as simple as possible
• Implement the smallest number of domains possible
• Use OUs to reflect the organization's structure
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by the same group and security policies
• Implement multiple trees and forests only as necessary
• Use sites where there are multiple IP subnets and multiple geographic locations


Page 19: ch04

Trusts

• Created automatically within a forest: two-way transitive parent-child and tree-root trusts
• Created manually at the forest or domain level:
  – Forest trust: transitive, two-way or one-way (incoming or outgoing), between the root domains of two forests
  – External trust: non-transitive, two-way or one-way, between individual domains in different forests (or to a Windows NT 4.0 domain)
  – Realm trust: to a non-Windows Kerberos realm
  – Shortcut trust: between two domains in the same forest, to shorten the Kerberos referral path
• Security caveat: a trust extends the reach of the trusted domain's administrators into this domain, so keep SID filtering enabled on external and forest trusts and consider selective authentication

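The trust types above are easy to list but hard to audit from the GUI. The following added example (not from the textbook) inventories every trust of the current domain with the properties that matter for a security review, verifies one trust, and shows the netdom commands that keep SID filtering enabled. It assumes the ActiveDirectory module, netdom.exe and nltest.exe, a Domain Admins account in walt.class, and a partner forest mike.class (both taken from the slides' diagrams).

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module,
# netdom.exe and nltest.exe, run as a Domain Admin of walt.class.
Import-Module ActiveDirectory

# Every trust this domain knows about. Direction, transitivity, SID filtering
# and selective authentication are the fields an auditor looks at first.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
    Format-Table -AutoSize

# The Netlogon view: parent/child, tree-root and forest trusts with their flags.
nltest /domain_trusts /all_trusts

# In netdom the first domain named is the trusting (resource) domain and the
# /domain: value is the trusted (account) domain. Verify the secure channel:
netdom trust walt.class /domain:mike.class /verify

# Keep SID filtering on. Without it, a SID placed in a foreign user's SIDHistory
# (for example the RID-512 Domain Admins SID of walt.class) is honoured here.
# External trust: "quarantine" is the SID filtering switch.
netdom trust walt.class /domain:mike.class /quarantine:yes
# Forest trust: SID filtering is controlled by the SID history switch instead.
netdom trust walt.class /domain:mike.class /enablesidhistory:no
```

Run the inventory before and after each change: SIDFilteringQuarantined should read True for an external trust, and SIDFilteringForestAware True for a forest trust. Setting /quarantine on a forest trust also removes transitivity, which is usually not what the design intends, so use the matching switch for the trust type.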

Page 20: ch04

Diagram (trust relationships): the same two-tree forest shown earlier. walt.class has the child domains Table1.walt.class and Table2.walt.class and the grandchild domain southTable2.walt.class; mike.class has the child domain Table1.mike.class. The parent-child and tree-root trusts between them are two-way and transitive.

Page 21: ch04

Creating Local Accounts when Active Directory Is Installed


Figure 4-11 Selecting the Local Users and Groups MMC snap-in. Courtesy Course Technology/Cengage Learning

Page 22: ch04

Creating Accounts when Active Directory Is Installed

• Activity 4-4: Creating User Accounts in Active Directory
  – Objective: Learn how to create a user account in Active Directory


Page 23: ch04

Account Activities

• Disabling and enabling an account
• Renaming an account
• Moving an account (to another OU)
• Changing an account's password
• Deleting an account (this destroys the SID; prefer disabling first so the account can be recovered or investigated)


Figure 4-15 Disabling an account. Courtesy Course Technology/Cengage Learning
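The account activities listed above are usually performed together when someone leaves. The following added example (not from the textbook) chains them in the order a security team wants: disable, reset the password, strip memberships, annotate, rename and move, and never delete. It assumes the ActiveDirectory module, an existing holding OU "OU=Disabled Accounts,DC=walt,DC=class", and a hypothetical user pete.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module and
# a pre-created OU "OU=Disabled Accounts,DC=walt,DC=class"; user "pete" is hypothetical.
Import-Module ActiveDirectory

function Disable-DepartedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOu = 'OU=Disabled Accounts,DC=walt,DC=class'
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable rather than delete: the SID and any ACL that references it
    #    survive, so the account can be restored or examined later.
    Disable-ADAccount -Identity $user

    # 2. Replace the password with a random one so that re-enabling the
    #    account (by mistake or by an attacker) does not revive the old credential.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # 3. Strip group memberships, recording them first. The primary group
    #    (Domain Users) is not in MemberOf and stays in place.
    $groups = @($user.MemberOf)
    foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }

    # 4. Annotate, rename and move into the holding OU.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    Set-ADUser -Identity $user -Description "Disabled $stamp; was member of: $($groups -join '; ')"
    Rename-ADObject -Identity $user -NewName "zz_$($user.Name)"
    # Rename changes the DN, so look the object up again before moving it.
    Get-ADUser -Identity $SamAccountName | Move-ADObject -TargetPath $DisabledOu
}

Disable-DepartedUser -SamAccountName 'pete'
```

The description field doubles as the audit trail of what the account could reach; keep the holding OU covered by a Group Policy that denies logon locally and over the network in case an account is re-enabled without being moved back.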

Page 24: ch04

Security Group Management

• Group accounts with similar characteristics together and assign permissions to the group rather than to individual users
• Scope of influence (or scope): the reach of a group for gaining access to resources in Active Directory, and which principals it may contain
• Types of groups and associated scopes: local, domain local, global, universal


Page 25: ch04

Implementing Local Groups

• Local security group: used to manage resources on a stand-alone computer that is not part of a domain and on member servers and workstations in a domain (not on DCs, which have no local SAM groups once promoted)
• Created using the Local Users and Groups MMC snap-in


Page 26: ch04

Implementing Global Groups

• Global security group: contains user accounts (and other global groups) from its own domain only
• Can be made a member of a domain local group in the same or another (trusting) domain
• Broader scope than domain local groups; can be nested
• Typical use (AGDLP):
  – Add the accounts that need access to resources in the same or another domain to a global group
  – Make that global group a member of a domain local group that holds the permissions on the resource, in the same or another domain


Page 27: ch04

Implementing Global Groups (cont’d.)


Figure 4-18 Nested global groups. Courtesy Course Technology/Cengage Learning

Page 28: ch04

Implementing Global Groups (cont’d.)

• Creating Domain Local and Global Security Groups


Page 29: ch04

Implementing Universal Groups

• Universal security groups span domains and trees within a forest
• Can include user accounts from any domain, global groups from any domain, and other universal groups from any domain
• Membership is stored in the global catalog; keep it stable by nesting global groups rather than individual users, so that every membership change does not replicate to every GC. Universal security groups require at least the Windows 2000 native domain functional level


Page 30: ch04

Implementing Universal Groups (cont’d.)


Figure 4-21 Managing security through universal and global groups. Courtesy Course Technology/Cengage Learning
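The group-scope slides (local, domain local, global, universal) all lead to the same pattern, AGDLP: Accounts go into Global groups, global groups into Domain Local groups, and Permissions are granted only to the domain local group. The following added example (not from the textbook) builds one such chain end to end. It assumes the ActiveDirectory module, the slides' domain walt.class with NetBIOS name WALT, an OU "OU=Groups,DC=walt,DC=class", a folder D:\Shares\Sales on a member server, and hypothetical users mike and sue.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module,
# domain walt.class (NetBIOS WALT), OU=Groups, folder D:\Shares\Sales and
# hypothetical users mike and sue.
Import-Module ActiveDirectory
$groupOu = 'OU=Groups,DC=walt,DC=class'

# A -> G: a global group per role, holding people from this domain only.
New-ADGroup -Name 'Sales Staff' -SamAccountName 'SalesStaff' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'SalesStaff' -Members 'mike', 'sue'

# G -> DL: a domain local group per resource and permission level. It is the
# only principal that will appear on the resource's ACL.
New-ADGroup -Name 'ACL-SalesShare-Modify' -SamAccountName 'ACL-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu

# Nest the global group into the domain local group. A global group from a
# trusted domain (for example mike.class\SalesStaff) can be added the same way.
Add-ADGroupMember -Identity 'ACL-SalesShare-Modify' -Members 'SalesStaff'

# DL -> P: grant Modify on the folder to the domain local group, inherited by
# files and subfolders. Individual users never appear in the ACL.
$path = 'D:\Shares\Sales'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'WALT\ACL-SalesShare-Modify', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check the chain from the account side (direct memberships only). The global
# group is in the user's token at logon; the domain local group is added when
# the user touches a resource in this domain. Membership changes take effect
# only after the user logs off and on again.
Get-ADPrincipalGroupMembership -Identity 'mike' | Select-Object Name, GroupScope
Get-ADGroupMember -Identity 'ACL-SalesShare-Modify' | Select-Object Name, objectClass
```

Naming the domain local group after the resource and the permission level (ACL-SalesShare-Modify) makes a later ACL review self-explanatory, and granting access then becomes a group membership change rather than an ACL edit on the file server.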

Page 31: ch04

Properties of Groups

• To edit properties:
  – Double-click the group in the Local Users and Groups tool on a stand-alone (non-domain) or member server
  – Or in the Active Directory Users and Computers tool for groups held on domain controllers
• Properties
  – General
  – Members
  – Member of
  – Managed by


Page 32: ch04

Planning the Delegation of Object Management

• Security groups and user accounts enable an organization to delegate authority over objects, so that routine tasks such as password resets and group membership changes do not require Domain Admins rights
• Establish and document policies: who may manage which objects, in which OUs
• Common objects that are delegated include OUs, user accounts, and groups
• Use the Delegation of Control Wizard (right-click an OU in Active Directory Users and Computers); it adds ACEs to the OU's ACL but cannot remove them, so review delegations periodically


Page 33: ch04

Implementing User Profiles

• Local user profile: created automatically on the local computer the first time an account logs on there
• Advantages of user profiles
• Roaming profile: stored on a server share and downloaded to the client workstation each time the user logs on; changes are copied back at logoff
• Mandatory user profile: a roaming profile that certain users cannot permanently change; their changes are discarded at logoff


Page 34: ch04

What's New in Windows Server 2008 Active Directory

• Restartable AD DS: the directory service can be stopped and started like any service, without rebooting into Directory Services Restore Mode
• Read-Only Domain Controller (RODC)
• Auditing improvements: the Directory Service Changes subcategory logs old and new attribute values
• Multiple password and account lockout policies in a single domain (fine-grained password policies)
• Active Directory Lightweight Directory Services (AD LDS) role


Page 35: ch04

Read-Only Domain Controller

• Holds a read-only copy of the directory; cannot be used to update Active Directory (writes are referred to a writable DC)
• Replication is one way: the RODC pulls from writable DCs and never replicates out, so a change made on a compromised RODC cannot spread to the rest of the domain
• Can function as a Kerberos Key Distribution Center (KDC) for its site, using its own krbtgt account
• Provides better security at branch locations: no account secrets are cached except for accounts allowed by the Password Replication Policy
  – Example
• Can be configured as a DNS server (read-only zone copy)


Page 36: ch04

Multiple Password and Account Lockout Policies in a Single Domain

• Fine-grained password policies: set up multiple password and account lockout requirements within one domain
  – Applied to users and global security groups, not to OUs (to follow an OU, use a "shadow" global group whose members mirror it)
  – Requires the Windows Server 2008 domain functional level
• Before Server 2008 a domain had exactly one password policy (the Default Domain Policy), so different requirements meant separate domains
• Password Settings Container (PSC): contains Password Settings Objects (PSOs)
  – Each PSO represents one unique set of password and lockout settings and carries a precedence value; the lowest precedence wins when a user is covered by more than one PSO
• Typical three policy sets: ordinary users, administrators, service accounts


Page 37: ch04

Active Directory Lightweight Directory Services Role

• Targeted at servers that host directory-enabled applications needing their own LDAP store
• A lightweight version of Active Directory Domain Services: an LDAP directory without domains, domain controllers or Group Policy, so an application's schema extensions do not touch the production forest
• Multiple independent instances can run on one server, each on its own LDAP port
• Installed as a server role via Server Manager
