MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)
Chapter 4: Introduction to Active Directory and Account Management
• NT 3-4 model
– Domain controller (DC): a server which contains a directory of all objects in the domain
– 1 primary domain controller, multiple backup domain controllers (figure label: MyDomain)
– All changes made on the primary are replicated to the backup domain controllers
– Adequate for smaller organizations located on a single high-speed network
– Used NetBIOS names; broadcast resolution made it difficult to locate resources
– Resource sharing between domains cumbersome to set up and control
• Active Directory model
– Domain controller (DC): a server which contains:
• a directory of all objects in the domain
• configuration information for all sites within the forest
• a subset of information about all objects within the forest
• a common schema
– Multiple domain controllers, all equal (figure label: MyDomain.class)
– Multi-master replication
– Adaptable to worldwide organizations with multiple WAN-connected locations
– Uses host names; resolution of servers, services and workstations via DNS
– Automatically enables resource sharing between domains in a forest
Containers in Active Directory
• Treelike structure
• Logical containers:
– Forests
– Trees
– Domains
– Organizational units (OUs)
• Physical containers:
– Sites
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
Figure 4-5 Active Directory hierarchical containers (Courtesy Course Technology/Cengage Learning)
Active Directory partitions resident in every domain controller
• Domain level:
– Domain partition containing a full copy of every object in the domain
• Forest level:
– A common schema
– A global catalog
– A common knowledge of the forest's physical locations (sites), known as the configuration partition
Schema
• Defines all the objects and attributes that the directory service uses to store data
– Characteristics of objects
– Classes of objects (~260)
– Required and optional attributes (~1,550)
• Installing Active Directory loads the default schema
• Schema can be changed via upgrades, application installs and manually
• Schema changes cannot be reversed
• regsvr32 schmmgmt.dll (registers the Active Directory Schema MMC snap-in so it can be added to a console)
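The following PowerShell script is an added example (not from the course slides or the textbook) that inspects the schema of the current forest through the .NET System.DirectoryServices.ActiveDirectory classes, which are present on Windows Server 2008 without any extra module. It reports the schema master, counts classes and attributes, lists the required attributes of the user class, counts the attributes replicated to the global catalog, and reads the schema partition's objectVersion; because schema changes cannot be reversed, recording that version and alerting on an unexpected change is a simple integrity check. It assumes it is run as a domain user on a domain-joined host.

```powershell
# Added example: inspect the Active Directory schema (run as a domain user on a domain-joined host).

$schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
"Schema master (FSMO role owner): $($schema.SchemaRoleOwner.Name)"

# Counts of classes and attributes defined in the schema partition
$classes    = $schema.FindAllClasses()
$attributes = $schema.FindAllProperties()
"Object classes: {0}   Attributes: {1}" -f $classes.Count, $attributes.Count

# Required versus optional attributes of one class (here: user)
$userClass = $schema.FindClass('user')
"Mandatory attributes of 'user':"
$userClass.MandatoryProperties | ForEach-Object { "  $($_.Name)" }
"Optional attributes of 'user': $($userClass.OptionalProperties.Count)"

# Attributes replicated to the global catalog (the partial attribute set)
$inGc = @($attributes | Where-Object { $_.IsInGlobalCatalog })
"Attributes in the global catalog: $($inGc.Count)"

# objectVersion on the schema naming context identifies the schema level
# (44 = Windows Server 2008). Since schema extensions cannot be rolled back,
# record this value and alert when it changes unexpectedly.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
"Schema objectVersion: $($schemaNc.objectVersion)"
```

FindAllClasses and FindAllProperties read the whole schema partition, so the first run takes a few seconds; the objectVersion line is the cheap check worth scheduling.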
Global Catalog
• Stores information about every object within the forest
• First DC configured in a forest becomes the global catalog
– Can change to another DC
• Purposes:
– Authentication
– Forest-wide searches of data
– Replication of key AD elements
– Keeps a copy of the most-used attributes for quick access
Configuration
• Is the physical component of Active Directory
• Contains sites (physical locations)
• Sites are based on IP subnets
• Allows users/machines to locate services in the same location as they are
• Defines replication paths and schedules between sites
• Bridgehead server
– DC designated to have the role of exchanging replication information
– One per site
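As an added example (not part of the slides), this PowerShell script walks the configuration partition through the Forest class and prints the global catalog servers, then each site with its subnets, domain controllers, site links, bridgehead servers and inter-site topology generator, and finally checks that DNS advertises the same global catalogs through the _gc._tcp SRV record, which is how clients locate one. It assumes a domain-joined host and a domain user account.

```powershell
# Added example: report the physical topology stored in the configuration partition.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest: $($forest.Name)"

# Global catalog servers (the first DC in the forest is one unless the role was moved)
"Global catalog servers:"
foreach ($gc in $forest.GlobalCatalogs) { "  $($gc.Name)  site=$($gc.SiteName)" }

# Sites, their subnets, DCs, site links and bridgehead servers
foreach ($site in $forest.Sites) {
    ""
    "Site: $($site.Name)"
    "  Subnets:     " + (@($site.Subnets | ForEach-Object { $_.Name }) -join ', ')
    "  DCs:         " + (@($site.Servers | ForEach-Object { $_.Name }) -join ', ')
    "  Site links:  " + (@($site.SiteLinks | ForEach-Object { $_.Name }) -join ', ')
    # Bridgeheads actually chosen by the KCC, and any administrator-preferred ones
    "  Bridgeheads: " + (@($site.BridgeheadServers | ForEach-Object { $_.Name }) -join ', ')
    "  Preferred bridgeheads: " + (@($site.PreferredBridgeheadServers | ForEach-Object { $_.Name }) -join ', ')
    "  ISTG:        $($site.InterSiteTopologyGenerator.Name)"
}

# Clients find a global catalog through DNS SRV records, so the DNS view should match the list above
nslookup -type=SRV "_gc._tcp.$($forest.Name)"
```

A site with no subnets listed is a configuration gap: clients in an unmapped subnet are not tied to any site and may authenticate against a DC across the WAN.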
Active Directory Forests and trees
Forest
• Highest level in an Active Directory
• One or more Active Directory trees that are in a common relationship
• Forest functional level
– Active Directory functions supported forest-wide
– Levels:
• Windows 2000 native forest functional level
• Windows Server 2003 forest functional level
• Windows Server 2008 forest functional level
Tree
• Contains one or more domains that are in a hierarchical naming relationship
• Kerberos transitive trust relationship
– Two-way trusts between parent domains and child domains
Domain
• Logical partition within an Active Directory forest
• Primary container within Active Directory
• Basic functions
– To provide an AD partition to house objects
– To establish a set of information to be replicated
– To expedite management of a set of objects
• Domain functional levels:
– Windows 2000 domain functional level
– Windows Server 2003 domain functional level
– Windows Server 2008 domain functional level
[Diagram: a forest of two trees. Tree walt.class has child domains Table1.walt.class and Table2.walt.class, with southTable2.walt.class beneath Table2.walt.class; tree mike.class has child domain Table1.mike.class.]
Tree
[Diagram: tree rooted at walt.class with child domains Mike.walt.class, Sue.walt.class, Nate.walt.class, Pete.walt.class and Ron.walt.class.]
• Activity 4-1: Install Active Directory
• Activity 4-2: Managing Domains
– Objective: Learn where to manage domains and domain trust relationships
• Notes to me
– Show current DNS structure
– Show Domains and Trusts
– Students to confirm DNS settings and workgroup membership
Exercise: Testing trusts
• Partner with someone at your table
• Open Active Directory Users and Computers (ADUC)
• Right-click the Users container and create a new user using your partner's name
• Log off and log back on using your name from your partner's domain, i.e. log in as partnerDomainName\yourname
Organizational Unit
• Grouping of related objects within a domain
• Allows the grouping of objects so that they can be administered using the same group policies
– Such as security and desktop setup
• Can be nested within other OUs
• Best practices when creating OUs
– Keep to 10 or fewer
– Set up horizontally for best efficiency
• Activity 4-3: Create an OU and delegate permissions
Active Directory Guidelines
• Keep Active Directory as simple as possible
• Implement the smallest number of domains possible
• Use OUs to reflect the organization's structure
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites in situations where there are multiple IP subnets and multiple geographic locations
Trusts
• Trusts at the forest level
– Transitive two-way forest trust
– Non-transitive two-way
– One-way outgoing or incoming
• Realm trust
• Shortcut trust
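Added example, not from the textbook: a PowerShell script that prints the forest and domain functional levels and then decodes each trustedDomain object of the current domain, showing direction, type, whether the trust is transitive and whether SID filtering (quarantine) is set, which is the attribute a defender checks on any external or forest trust. The bit values are the documented trustAttributes flags from the MS-ADTS specification; the commented netdom line at the end uses the walt.class and mike.class names from the slides as assumed trust partners.

```powershell
# Added example: functional levels and trust inventory for the current domain.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

"Forest $($forest.Name): functional level $($forest.ForestMode)"
foreach ($d in $forest.Domains) {
    $parent = if ($d.Parent) { $d.Parent.Name } else { '(tree root)' }
    "  Domain $($d.Name): level $($d.DomainMode), parent $parent"
}

# Each trust is stored as a trustedDomain object under CN=System of the trusting domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=System,$($domain.GetDirectoryEntry().distinguishedName)"
$searcher.Filter = '(objectClass=trustedDomain)'
$null = $searcher.PropertiesToLoad.AddRange(@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))

# Attribute values from MS-ADTS: direction 1=inbound 2=outbound 3=both; type 1=NT 2=AD 3=MIT
$directionNames = @{ 1 = 'inbound'; 2 = 'outgoing'; 3 = 'two-way' }
$typeNames      = @{ 1 = 'downlevel (NT)'; 2 = 'uplevel (AD)'; 3 = 'realm (MIT Kerberos)' }

"Trusts of $($domain.Name):"
foreach ($r in $searcher.FindAll()) {
    $partner = $r.Properties['trustpartner'][0]
    $dir     = $directionNames[[int]$r.Properties['trustdirection'][0]]
    $type    = $typeNames[[int]$r.Properties['trusttype'][0]]
    $attr    = [int]$r.Properties['trustattributes'][0]
    $flags = @()
    if ($attr -band 0x1)  { $flags += 'non-transitive' }
    if ($attr -band 0x4)  { $flags += 'SID filtering (quarantined)' }
    if ($attr -band 0x8)  { $flags += 'forest transitive' }
    if ($attr -band 0x20) { $flags += 'within forest (parent/child, tree root or shortcut)' }
    "  $partner  $dir  $type  [$($flags -join '; ')]"
}

# To verify one trust's secure channel with the built-in netdom tool (assumed partner names):
# netdom trust walt.class /domain:mike.class /verify
```

A forest or external trust that shows 'forest transitive' without 'SID filtering' deserves a closer look, since SID history from the other side is then honoured in this domain.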
Creating Local Accounts when Active Directory Is Installed
Figure 4-11 Selecting the Local Users and Groups MMC snap-in (Courtesy Course Technology/Cengage Learning)
Creating Accounts when Active Directory Is Installed
• Activity 4-4: Creating User Accounts in Active Directory
– Objective: Learn how to create a user account in Active Directory
Account Activities
• Disabling/enabling an account
• Renaming an account
• Moving an account
• Changing an account's password
• Deleting an account
Figure 4-15 Disabling an account (Courtesy Course Technology/Cengage Learning)
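The account activities listed above, as one added PowerShell walkthrough (not the textbook's activity steps) using ADSI, which works on Windows Server 2008 without the later ActiveDirectory module. The OU names OU=Students and OU=Alumni under walt.class, the user name and the sAMAccountName are assumptions; the initial password is read interactively so it never sits in the script.

```powershell
# Added example: user account lifecycle with ADSI (assumed OUs and names in walt.class).
$studentsOu = [ADSI]'LDAP://OU=Students,DC=walt,DC=class'
$alumniOu   = [ADSI]'LDAP://OU=Alumni,DC=walt,DC=class'

$ADS_UF_ACCOUNTDISABLE = 0x2
$ADS_UF_NORMAL_ACCOUNT = 0x200

# Create: the object is created disabled; it gets a password before it is enabled
$user = $studentsOu.Create('user', 'CN=Pat Example')
$user.Put('sAMAccountName', 'pexample')
$user.Put('userPrincipalName', 'pexample@walt.class')
$user.Put('displayName', 'Pat Example')
$user.SetInfo()

# Change the password: SetPassword is the administrative reset (no old password needed)
$initial = Read-Host 'Initial password for pexample'
$user.Invoke('SetPassword', $initial)
$user.Put('pwdLastSet', 0)                          # user must change it at first logon
$user.Put('userAccountControl', $ADS_UF_NORMAL_ACCOUNT)
$user.SetInfo()

# Disable / enable: flip the ACCOUNTDISABLE bit, leaving the other flags untouched
function Set-AccountDisabled([System.DirectoryServices.DirectoryEntry]$Entry, [bool]$Disabled) {
    $uac = [int]$Entry.psbase.Properties['userAccountControl'].Value
    if ($Disabled) { $uac = $uac -bor $ADS_UF_ACCOUNTDISABLE }
    else           { $uac = $uac -band (-bnot $ADS_UF_ACCOUNTDISABLE) }
    $Entry.psbase.Properties['userAccountControl'].Value = $uac
    $Entry.psbase.CommitChanges()
}

Set-AccountDisabled $user $true    # disabling keeps the SID and group memberships (preferred for leavers)
Set-AccountDisabled $user $false   # re-enable

$user.psbase.Rename('CN=Pat Sample')   # rename the object; sAMAccountName and UPN are separate attributes
$user.psbase.MoveTo($alumniOu)         # move to another OU (it now receives that OU's group policies)
$user.psbase.DeleteTree()              # delete; the SID is never reused, so a recreated account starts with no access
```

Disable first and delete later is the usual order: a disabled account can be re-enabled with its access intact, whereas a deleted one cannot.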
Security Group Management
• Group accounts with similar characteristics together
• Scope of influence (or scope)
– Reach of a group for gaining access to resources in Active Directory
• Types of groups and associated scopes:
– Local
– Domain local
– Global
– Universal
Implementing Local Groups
• Local security group
– Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)
• Create using the Local Users and Groups MMC snap-in
Implementing Global Groups
• Global security group
– Contains user accounts from a single domain
– Can also be set up as a member of a domain local group in the same or another domain
• Broader scope than domain local groups
• Can be nested
• Typical use:
– Add accounts that need access to resources in the same or in another domain
– Make the global group in one domain a member of a domain local group in the same or another domain
Implementing Global Groups (cont’d.)
Figure 4-18 Nested global groups (Courtesy Course Technology/Cengage Learning)
Implementing Global Groups (cont’d.)
• Creating Domain Local and Global Security Groups
Implementing Universal Groups
• Universal security groups
– Span domains and trees
• Can include:
– User accounts from any domain
– Global groups from any domain
– Other universal groups from any domain
Implementing Universal Groups (cont’d.)
Figure 4-21 Managing security through universal and global groups (Courtesy Course Technology/Cengage Learning)
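The following is an added PowerShell example (not the textbook's activity) of the nesting pattern the global, domain local and universal group slides describe, often abbreviated A-G-DL-P: Accounts go into a Global group, the global group into a Domain Local group, and the Permission is granted to the domain local group. The OU=Groups container, the user DN, the NetBIOS domain name WALT and the folder D:\Shares\Finance are assumptions. It also shows the groupType values that distinguish the three scopes, since ADSI has no separate scope field.

```powershell
# Added example: A-G-DL-P with ADSI and icacls (assumed container, user, NetBIOS name and folder).
$groupsOu = [ADSI]'LDAP://OU=Groups,DC=walt,DC=class'

# groupType = scope bit OR security flag 0x80000000, stored as a signed 32-bit integer
$GLOBAL_SECURITY       = -2147483646   # 0x80000002
$DOMAIN_LOCAL_SECURITY = -2147483644   # 0x80000004
$UNIVERSAL_SECURITY    = -2147483640   # 0x80000008 (not used below; universal groups span the forest)

function New-AdsiGroup([System.DirectoryServices.DirectoryEntry]$Container, [string]$Name, [int]$GroupType) {
    $g = $Container.Create('group', "CN=$Name")
    $g.Put('sAMAccountName', $Name)
    $g.Put('groupType', $GroupType)
    $g.SetInfo()
    return $g
}

function Add-AdsiGroupMember([System.DirectoryServices.DirectoryEntry]$Group, [string]$MemberDn) {
    [void]$Group.psbase.Properties['member'].Add($MemberDn)
    $Group.psbase.CommitChanges()
}

# A -> G: accounts join a global group that names a role
$finance = New-AdsiGroup $groupsOu 'Role-Finance-Staff' $GLOBAL_SECURITY
Add-AdsiGroupMember $finance 'CN=Pat Example,OU=Students,DC=walt,DC=class'   # assumed existing user

# G -> DL: the global group joins a domain local group that names a resource permission;
# a global group from another trusted domain would be nested the same way
$financeModify = New-AdsiGroup $groupsOu 'Res-Finance-Modify' $DOMAIN_LOCAL_SECURITY
Add-AdsiGroupMember $financeModify ([string]$finance.distinguishedName)

# DL -> P: the permission is granted once, to the domain local group, on the resource
icacls 'D:\Shares\Finance' /grant 'WALT\Res-Finance-Modify:(OI)(CI)M'

# Review: who actually ends up with access, resolved one nesting level deep
$financeModify.psbase.RefreshCache()
"Members of Res-Finance-Modify:"
foreach ($dn in $financeModify.member) {
    $m = [ADSI]"LDAP://$dn"
    "  $dn  (class $($m.SchemaClassName))"
    if ($m.SchemaClassName -eq 'group') { foreach ($inner in $m.member) { "      -> $inner" } }
}
```

Because the ACL names only the domain local group, adding a person to a role never touches the resource's permissions, and a review of the resource needs only the membership walk at the end.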
Properties of Groups
• To edit properties:
– Double-click the group in the Local Users and Groups tool for a stand-alone (non-domain) or member server
– Or in the Active Directory Users and Computers tool for DC servers in a domain
• Properties
– General
– Members
– Member of
– Managed by
Planning the Delegation of Object Management
• Security groups and user accounts enable an organization to delegate authority over objects
• Establish and document policies
• Common objects that are delegated include OUs, user accounts, and groups
• Use the Delegation of Control Wizard
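As an added example (not from the slides) of what the Delegation of Control Wizard writes, this PowerShell script grants one group the Reset Password extended right over user objects in a single OU and nothing else, then lists the explicit ACEs on that OU so over-broad delegation can be reviewed. The group and OU names are assumptions; the two GUIDs are the well-known User-Force-Change-Password control access right and the schemaIDGUID of the user class.

```powershell
# Added example: least-privilege delegation of password reset on one OU (assumed names).

$ou       = [ADSI]'LDAP://OU=Students,DC=walt,DC=class'
$helpdesk = [ADSI]'LDAP://CN=Role-HelpDesk,OU=Groups,DC=walt,DC=class'

# The trustee of the ACE is the group's SID, read from its objectSid attribute
$sidBytes = $helpdesk.psbase.Properties['objectSid'].Value
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

# Well-known GUIDs: the User-Force-Change-Password control access right, and the
# schemaIDGUID of the user class so the ACE applies to user objects only
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Allow ExtendedRight(reset password), inherited by descendant user objects, not by the OU itself
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$ou.psbase.ObjectSecurity.AddAccessRule($rule)
$ou.psbase.CommitChanges()

# Review: explicit (non-inherited) ACEs on the OU. GenericAll or WriteDacl granted to a
# helpdesk group here would be a delegation far beyond the documented policy.
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

The wizard's "Reset user passwords and force password change at next logon" task writes this ACE plus write access to pwdLastSet; the review listing is the part worth repeating on a schedule, since the wizard has no undo and delegated rights accumulate.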
Implementing User Profiles
• Local user profile
– Automatically created at the local computer when you log on with an account for the first time
• Advantages of user profiles
• Roaming profile
– Downloaded to the client workstation each time the user account is logged on
• Mandatory user profile
– Certain users cannot change their profiles
What's New in Windows Server 2008 Active Directory
• Restart capability
• Read-Only Domain Controller (RODC)
• Auditing improvements
• Multiple password and account lockout policies in a single domain
• Active Directory Lightweight Directory Services role
Read-Only Domain Controller
• Cannot be used to update information in Active Directory
• Does not replicate to regular DCs
• Can function as a Key Distribution Center for the Kerberos authentication method
• Provides better security at branch locations
– Example
• Can be configured as a DNS server
Multiple Password and Account Lockout Policies in a Single Domain
• Set up multiple password and account lockout security requirements
– Associate them with a security group, user or OU
• Can now create more than one set of account policies within a domain
• Password settings container (PSC)
– Contains password settings objects (PSOs)
• Represent a unique set of password policies
• Three policy sets:
– Ordinary users, administrators, service accounts
Active Directory Lightweight Directory Services Role
• Targeted for servers that manage user applications
• Skeleton version of Active Directory Domain Services
• Installed as a server role via Server Manager