Essential Services, Module 5.


Objectives
Concepts and objectives: looking at objects; introducing groups; understanding user accounts and groups; introducing domains, trees, forests and organizational units; understanding organizational units (OUs) and containers; introducing directory services with Active Directory; understanding Active Directory infrastructure; introducing Group Policy; understanding Group Policy. This should also be a review for the 70-642.

Name Resolution
In today's networks, addressing is done through logical addressing, such as IP addressing. Unfortunately, these addresses are hard to remember, especially IPv6 addresses, which are even more complicated. You therefore need some form of naming service that lets you translate logical names, which are easier to remember, into logical addresses. The most common service that does this is the Domain Name System, or DNS. Another one is WINS.

Domain Name System
DNS stands for Domain Name System. DNS is a hierarchical, distributed, client/server-based database system that translates domain and host names into IP addresses. The top of the tree is known as the root domain. Below the root domain are the top-level domains such as .com, .edu, .org and .net, as well as the two-character country codes such as .uk, .ca and .us.

DNS Zone Types
When you define DNS zones, you create either a forward lookup zone or a reverse lookup zone. A forward lookup zone (such as technet.microsoft.com or microsoft.com) holds most of the resource records, including A and CNAME records, while a reverse lookup zone holds PTR records. A reverse lookup zone is defined by the reverse lookup format.

DNS Round Robin
DNS servers can use a mechanism called round robin to distribute the load of network services. Round robin rotates the order of resource records that share the same name and point to different IP addresses.

DNS Queries and Transfers
DNS queries and DNS zone transfers between primary and secondary zones take place over TCP/UDP on port 53. So if you have a firewall between servers (including firewalls running on the servers themselves), you need to open port 53.

Windows Internet Name Service (WINS)
Windows Internet Name Service (WINS) is a naming service that translates a NetBIOS name (the computer name) to identify a network service. A WINS server contains a database of IP addresses and NetBIOS names that updates dynamically. It is not a hierarchical system like DNS, however, so it is suitable only for your own organization, and it works only for Windows operating systems. Network devices and services cannot register with a WINS server, so you must add static entries for those devices if you want to use WINS name resolution.

DHCP
Dynamic Host Configuration Protocol (DHCP) services automatically assign IP addresses and related parameters (including the subnet mask and default gateway) so that a host can communicate on an IP network as soon as it joins. A DHCP server maintains a list of IP addresses called a pool. When a DHCP client starts communicating and needs an address assigned to it, it broadcasts to a DHCP server requesting a new address. The client sends messages to UDP port 67, and the server sends messages to port 68.

Directory Services
A directory service stores, organizes and provides access to information in a directory. Directory services are used to locate, manage, administer and organize common items and network resources, such as volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A popular directory service used by many organizations is Microsoft's Active Directory.

Active Directory
Active Directory is a technology created by Microsoft that provides a variety of network services, including the following: LDAP; Kerberos-based and single sign-on authentication; DNS-based naming and other network information; a central location for network administration and delegation of authority. Active Directory requires DNS.

Active Directory Logical Structure
Forests, trees and domains in Active Directory are logical representations of your network organization that let you organize it in the best way: forest, tree, domain. To allow users in one domain to access resources in another domain, Active Directory uses trust relationships.

Physical Structure
Although domains, trees and forests are logical representations of your organization, sites and domain controllers represent the physical structure of your network.
Sites: one or more IP subnets connected by a high-speed link, defined by geographical location.
Domain controllers: a Windows server that stores a replica of the account and security information for the domain and defines the domain boundaries.

Member Server
A server that is not running as a domain controller is known as a member server. To demote a domain controller to a member server, you rerun the dcpromo program.

Global Catalogs
Because a domain controller holds information only for its own domain and does not store a copy of the objects of other domains, you need a way to find and access objects in other domains in your tree or forest. A global catalog replicates the information of every object in a tree or forest. By default, a global catalog is created automatically on the first domain controller in the forest, but any domain controller can be made into a global catalog.

FSMO Roles
Active Directory uses multimaster replication, which means there is no master domain controller, commonly referred to as the primary domain controller in Windows NT domains. However, because some functions can be handled by only one domain controller at a time, Active Directory uses Flexible Single Master Operations (FSMO) roles, also known as operations master roles.

FSMO Roles
Role and scope:
PDC Emulator: Domain
Infrastructure Master: Domain
RID Master: Domain
Domain Naming Master: Forest
Schema Master: Forest

Functional Levels
In Active Directory, domain controllers can run different versions of Windows Server, such as Windows 2000, Windows Server 2003 or Windows Server 2008. The functional level of a domain or forest depends on which Windows Server operating system versions are running on the domain controllers in that domain or forest. The functional level also controls which advanced features are available in the domain or forest.

Delegation of Control
By delegating administration, you can assign a range of administrative tasks to the appropriate users and groups. Containers are objects that can store or hold other objects. They include the forest, tree, domain, and organizational unit. To help manage your objects, you can delegate authority to a container, particularly the domain or organizational unit.

Active Directory Objects
An object is a distinct, named set of attributes or characteristics that represent a network resource. Common objects used within Active Directory are computers, users, groups, and printers. Attributes have values that define the specific object. Active Directory objects are assigned a 128-bit unique number called a globally unique identifier (GUID), sometimes referred to as a security identifier (SID), to uniquely identify an object.

User Accounts
A user account enables a user to log on to a computer and domain. As a result, it can be used to prove the identity of a user, and this identity information can then be used to determine what the user can access and what kind of authorization he or she has. It can also be used for auditing. On today’s Windows networks, there are two types of user accounts: local user accounts and domain user accounts.

Permissions
A permission defines the type of access that is granted to an object (an object can be identified with a security identifier) or object attribute. The most common objects assigned permissions are NTFS files and folders, printers, and Active Directory objects. Which users can access an object and what actions those users are authorized to perform are recorded in the access control list (ACL), which lists all users and groups that have access to the object.

Computer Accounts
Like user accounts, Windows computer accounts provide a means for authenticating and auditing a computer’s access to a Windows network and access to domain resources. Each Windows computer to which you want to grant access must have a unique computer account. A computer account can also be used for auditing purposes, specifying what system was used when something was accessed.

Groups
A group is a collection or list of user accounts or computer accounts. Unlike a container, a group does not store user or computer information; rather, it just lists it. The advantage of using groups is that they simplify administration, especially when assigning rights and permissions. In Windows Active Directory, there are two types of groups: security groups and distribution groups.

Using Groups
To effectively manage the use of groups when assigning access to a network resource using global groups and domain local groups, remember the mnemonic AGDLP: Accounts, Global, Domain Local, Permissions. If you are using universal groups, the mnemonic is expanded to AGUDLP.
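
The AGDLP chain can be checked mechanically. The following is an added example, not part of the original presentation: it audits a small constructed directory for places where the chain is bypassed and expands nesting to show what each account ends up with. All user, group and share names are hypothetical.

```python
# Constructed sample directory; every name here is hypothetical.
USERS = {"alice", "bob", "carol"}
GROUPS = {
    "G_Sales":     {"scope": "global",       "members": {"alice", "bob"}},
    "G_Finance":   {"scope": "global",       "members": {"carol"}},
    "DL_Sales_RW": {"scope": "domain_local", "members": {"G_Sales"}},
    "DL_Sales_RO": {"scope": "domain_local", "members": {"G_Finance", "bob"}},
}
SHARE = r"\\fs01\sales"
ACL = [  # (resource, trustee, permission)
    (SHARE, "DL_Sales_RW", "Modify"),
    (SHARE, "DL_Sales_RO", "Read"),
    (SHARE, "G_Finance", "Modify"),
    (SHARE, "alice", "FullControl"),
]

def audit_agdlp(users, groups, acl):
    """List each place where Accounts -> Global -> Domain Local -> Permissions is bypassed."""
    findings = []
    for name, group in groups.items():
        if group["scope"] == "domain_local":
            for member in sorted(group["members"] & users):
                findings.append(f"{name}: account {member} is a direct member of a domain local group")
    for resource, trustee, perm in acl:
        if trustee in users:
            findings.append(f"{resource}: {perm} granted directly to account {trustee}")
        elif groups[trustee]["scope"] != "domain_local":
            findings.append(f"{resource}: {perm} granted to {groups[trustee]['scope']} group {trustee}")
    return findings

def effective_access(users, groups, acl, resource):
    """Expand group nesting to show which permissions each account really holds."""
    def expand(trustee, seen=frozenset()):
        if trustee in users:
            return {trustee}
        if trustee in seen:  # circular nesting: stop here
            return set()
        members = set()
        for m in groups[trustee]["members"]:
            members |= expand(m, seen | {trustee})
        return members
    access = {}
    for res, trustee, perm in acl:
        if res == resource:
            for user in expand(trustee):
                access.setdefault(user, set()).add(perm)
    return access

if __name__ == "__main__":
    for finding in audit_agdlp(USERS, GROUPS, ACL):
        print("FINDING", finding)
    for user, perms in sorted(effective_access(USERS, GROUPS, ACL, SHARE).items()):
        print(user, sorted(perms))
```

The three findings are exactly the entries that make access hard to review: the permission is still granted, but it no longer shows up by looking at domain local group membership alone.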

Built-In Groups
Similar to the administrator and guest accounts, Windows has default groups called built-in groups. These default groups are granted specific rights and permissions to get you started. Various built-in groups are as follows: Domain Admins, Domain Users, Account Operators, Backup Operators, Authenticated Users, Everyone.

Active Directory Management Tools
After you have promoted a computer to a domain controller, you can use several MMC snap-in consoles to manage Active Directory. These consoles are as follows: Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, Active Directory Administrative Center, Group Policy Management Console (GPMC).

DEMO: Active Directory Management Tools
Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, Active Directory Administrative Center, Group Policy Management Console (GPMC).

DEMO: AD Objects
Users, Groups (Types and Scopes), Computers, Organizational Units.

Group Policies
Group Policy is one of the most powerful features of Active Directory that controls the working environment for user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment.

Apply Group Policies
Group Policy can be set locally on a workstation or set at different levels (site, domain, or organizational unit) within Active Directory. Generally speaking, you will not find as many settings locally as you will at the site, domain, or OU level. When group policies are applied, they are applied in the following order: Local, then Site, then Domain, then OU.
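
The effect of that ordering on conflicting settings is shown in the following added example, which is not part of the original presentation. It assumes the standard behaviour that a policy applied later overwrites a conflicting earlier value and that nested OUs are processed from parent to child; Enforced links and Block Inheritance are not modelled. GPO names and setting names are constructed.

```python
# Constructed GPO links per level; names and settings are illustrative only.
LOCAL = [("Local Policy", {"ScreenLockMinutes": 30, "UsbStorage": "allow"})]
SITE = [("Site-HQ", {"WsusServer": "http://wsus.example.test"})]
DOMAIN = [("Default Domain Policy", {"MinPasswordLength": 12, "ScreenLockMinutes": 15})]
OUS = [  # parent OU first, then child OU
    ("OU=Staff", {"UsbStorage": "deny"}),
    ("OU=Finance,OU=Staff", {"ScreenLockMinutes": 5}),
]

def resultant_policy(local, site, domain, ous):
    """Apply GPOs in Local, Site, Domain, OU order and record who set what."""
    effective, history = {}, {}
    for level, gpos in (("Local", local), ("Site", site), ("Domain", domain), ("OU", ous)):
        for gpo_name, settings in gpos:
            for key, value in settings.items():
                history.setdefault(key, []).append((level, gpo_name, value))
                effective[key] = value  # the policy applied last wins
    return effective, history

def overridden(history):
    """Settings defined at more than one level, where the order decided the result."""
    return {
        key: [f"{level}:{name}={value}" for level, name, value in entries]
        for key, entries in history.items()
        if len(entries) > 1
    }

if __name__ == "__main__":
    effective, history = resultant_policy(LOCAL, SITE, DOMAIN, OUS)
    for key in sorted(effective):
        level, name, _ = history[key][-1]
        print(f"{key} = {effective[key]}  (from {level}: {name})")
    for key, chain in sorted(overridden(history).items()):
        print("overridden:", key, " -> ".join(chain))
```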

DEMO: Group Policies