Chapter 4 Introduction to Active Directory and Account Management


Chapter 4: Introduction to Active Directory and Account Management
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

Learning Objectives
- Understand Active Directory basic concepts
- Install and configure Active Directory
- Plan and implement Active Directory containers
- Create and manage user accounts
- Configure and use security groups

Learning Objectives (cont’d.)
- Plan how to delegate object management
- Describe and implement new Active Directory features

Active Directory Basics
- Active Directory: a large container (database) of network data and resources, such as computers, printers, user accounts, and user groups, that enables management and fast access to those resources
- Directory service: houses information about all network resources: servers, printers, user accounts, groups of user accounts, security policies, and other information
- Domain controllers (DCs): servers that have the AD DS server role installed
- Member servers: do not have AD installed
Definitions:
- Domain controller (DC): a Windows Server 2003 or 2008 server that contains a full copy of the Active Directory information, is used to add a new object to Active Directory, and replicates all changes made to it so the changes are updated on every DC in the same domain.
- Member server: a server on an Active Directory managed network that is not installed to have Active Directory.

Active Directory Basics (cont’d.)
- Domain: the fundamental component or container; holds information about all network resources that are grouped within it
- Each DC is equal to every other DC (multimaster replication)
- Advantage: if one DC goes down, there is no network interruption
Definition:
- Multimaster replication: Windows Server 2003 and 2008 networks can have multiple servers called DCs that store Active Directory information and replicate it to each other. Because each DC acts as a master, replication does not stop when one DC is down, and updates to Active Directory continue, for example creating a new account.

Active Directory Basics (cont’d.)
- Activity 4-1: Installing Active Directory
- Figure 4-2: Installation Results window (Courtesy Course Technology/Cengage Learning)

Schema
- Defines the objects and the information pertaining to those objects that can be stored in Active Directory
- Characteristics of objects (sample schema for a user account)
- Includes a globally unique identifier (GUID): a unique number associated with the object name
- Each attribute is automatically given a version number and date when it is created or changed
Definition:
- Globally unique identifier (GUID): a unique number, up to 16 characters long, that is associated with an Active Directory object.

Global Catalog
- Stores information about every object within the forest
- The first DC configured in a forest becomes the global catalog; the role can be changed to another DC
- Purposes: authentication; forest-wide searches of data; replication of key AD elements
- Keeps a copy of the most used attributes for quick access
Definition:
- Global catalog: a repository for all objects and the most frequently used attributes for each object in all domains. Each forest has a single global catalog that can be replicated onto multiple servers.

Namespace
- Name resolution: converts computer and domain names to IP addresses
- Namespace: a logical area on a network that contains directory services and named objects; has the ability to perform name resolution
Definitions:
- Name resolution: a process used to translate a computer’s logical or host name into a network address, such as to a dotted decimal address associated with a computer, and vice versa.
- Namespace: a logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution.

Namespace (cont’d.)
- Contiguous namespace: every child object contains the name of the parent object
- Disjointed namespace: the child name does not resemble the name of its parent object
Definitions:
- Contiguous namespace: a namespace in which every child object has a portion of its name from its parent object.
- Disjointed namespace: a namespace in which the child object name does not resemble the parent object name.

Containers in Active Directory
- Treelike structure
- Containers: forests, trees, domains, organizational units (OUs), sites
- Figure 4-5: Active Directory hierarchical containers (Courtesy Course Technology/Cengage Learning)
Definition:
- Container: an Active Directory object that houses other objects, such as a tree that houses domains or a domain that houses organizational units.

Forest
- Highest level in an Active Directory
- One or more Active Directory trees that are in a common relationship
- Forest functional level: the Active Directory functions supported forest-wide
- Levels: Windows 2000 native forest functional level; Windows Server 2003 forest functional level; Windows Server 2008 forest functional level
Definition:
- Forest: a grouping of Active Directory trees that each have contiguous namespaces within their own domain structure, but that have disjointed namespaces between trees. The trees and their domains use the same schema and global catalog.

Tree
- Contains one or more domains that are in a common relationship
- Domains in a tree typically have a hierarchical structure
- Kerberos transitive trust relationship: two-way trusts between parent domains and child domains

Tree (cont’d.)
- Transitive trust: if A and B have a trust and B and C have a trust, A and C automatically have a trust as well
- Trusted domain: the domain that is granted access to resources
- Trusting domain: the domain granting access to another domain

Tree (cont’d.)
- All domains within a single tree share the same schema, which defines all the object types that can be stored within Active Directory
- All domains in a tree share the same global catalog and a portion of their namespace

Domain
- Logical partition within an Active Directory forest
- Primary container within Active Directory
- Basic functions: to provide an AD partition to house objects; to establish a set of information to be replicated; to expedite management of a set of objects

Domain (cont’d.)
- Domain functional levels: Windows 2000 domain functional level; Windows Server 2003 domain functional level; Windows Server 2008 domain functional level
- Activity 4-2: Managing Domains. Objective: learn where to manage domains and domain trust relationships
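The textbook works through these concepts in the GUI tools. The following is an added example, not code from the textbook, that reads the same information from the command line: the forest and domain functional levels, which domains form the root tree (contiguous namespace) versus a separate tree (disjointed namespace), and which DCs hold a global catalog. It assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later (and with RSAT), not with Windows Server 2008 RTM; the Test-ContiguousName helper is this example’s own and decides tree membership purely from DNS-name suffixes.

```powershell
# Added example, not from the textbook. Requires the ActiveDirectory module
# (Windows Server 2008 R2 or later, or RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels decide which forest-wide and domain-wide features are
# available (for example, fine-grained password policies need the
# Windows Server 2008 domain functional level).
"Forest {0}: forest functional level {1}" -f $forest.Name, $forest.ForestMode
"Domain {0}: domain functional level {1}" -f $domain.DNSRoot, $domain.DomainMode
"Global catalog servers: {0}" -f ($forest.GlobalCatalogs -join ", ")

# Assumed helper: a child's DNS name ends with its parent's name (contiguous
# namespace). A domain whose name does not end with the forest root name is
# in a separate tree (disjointed namespace between trees, but the same schema
# and global catalog).
function Test-ContiguousName {
    param([string]$Child, [string]$Parent)
    $c = $Child.ToLowerInvariant(); $p = $Parent.ToLowerInvariant()
    return ($c -ne $p) -and $c.EndsWith(".$p")
}

foreach ($d in $forest.Domains) {
    if ($d -eq $forest.RootDomain) {
        "{0}: forest root domain" -f $d
    } elseif (Test-ContiguousName -Child $d -Parent $forest.RootDomain) {
        "{0}: child domain in the root tree" -f $d
    } else {
        "{0}: domain in a separate tree" -f $d
    }
}

# Domain controllers: which ones hold a global catalog (needed for forest-wide
# searches and logon) and which are read-only (branch-office RODCs).
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize
```

Raising a functional level is a one-way change, so the functional-level lines are worth capturing before any Set-ADForestMode or Set-ADDomainMode change is planned.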

Organizational Unit
- Grouping of related objects within a domain
- Allows objects to be grouped so that they can be administered using the same group policies, such as security and desktop setup
- Can be nested within other OUs
- Best practices when creating OUs: keep to 10 or fewer; set up horizontally for best efficiency
- Activity 4-3: Managing OUs. Objective: create an OU and delegate control over it

Site
- TCP/IP-based concept (container) within Active Directory, linked to IP address
- Functions: based on connectivity and replication functions
- Bridgehead server: the DC designated to have the role of exchanging replication information; one per site

Active Directory Guidelines
- Keep Active Directory as simple as possible
- Implement the smallest number of domains possible
- Use OUs to reflect the organization’s structure
- Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
- Implement multiple trees and forests only as necessary
- Use sites in situations where there are multiple IP subnets and multiple geographic locations

Planning Functional Levels and Trusts
- Carefully plan trusts between forests
- External trust: creates a trust relationship with a domain that is outside of a forest
- Realm trust: enables one- or two-way access between a Windows Server domain within a forest and a realm of UNIX/Linux computers
- Shortcut trust: enables a domain in one forest to quickly access resources in a domain within a different forest

User Account Management
- General environments: accounts that are set up through a stand-alone server that does not have Active Directory installed; accounts that are set up in a domain when Active Directory is installed

Creating Accounts when Active Directory Is Not Installed
- Install the Local Users and Groups MMC snap-in (for stand-alone servers that do not use Active Directory)
- Create a local user account on a server that is not a DC (see text for steps)

Creating Accounts when Active Directory Is Not Installed (cont’d.)
- Figure 4-11: Selecting the Local Users and Groups MMC snap-in (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Not Installed (cont’d.)
- Figure 4-12: Creating a user account without Active Directory installed (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Installed
- Use the Active Directory Users and Computers tool, from the Administrative Tools menu or as an MMC snap-in
- Create each new account by entering account information and password controls
- Activity 4-4: Creating User Accounts in Active Directory. Objective: learn how to create a user account in Active Directory

Creating Accounts when Active Directory Is Installed (cont’d.)
- Figure 4-13: Creating a user account (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Installed (cont’d.)
- Figure 4-14: User account properties (Courtesy Course Technology/Cengage Learning)

Disabling, Enabling, and Renaming Accounts
- When to disable
- Activity 4-5: Disabling, Renaming, and Enabling an Account. Objective: practice disabling, renaming, and then enabling an account
- Figure 4-15: Disabling an account (Courtesy Course Technology/Cengage Learning)

Moving an Account
- You may need to move a person’s account from one container to another
- Activity 4-6: Moving an Account. Objective: practice moving an account
- Figure 4-16: Moving an account (Courtesy Course Technology/Cengage Learning)

Resetting a Password
- Forgotten passwords cannot be looked up; reset them instead
- Maintain guidelines for resetting passwords
- Activity 4-7: Changing an Account’s Password. Objective: practice changing an account’s password
- Figure 4-17: Resetting a password (Courtesy Course Technology/Cengage Learning)

Deleting an Account
- Delete accounts that are no longer in use
- The globally unique identifier (GUID) is also deleted and will not be reused even if you create another account using the same name
- Activity 4-8: Deleting an Account. Objective: practice deleting an account
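Activities 4-4 through 4-8 are one lifecycle: create, disable and rename, move, reset the password, delete. The following is an added example, not the textbook’s own steps, that runs that lifecycle with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and checks the GUID claim from the last slide. The domain example.com, the OUs Sales and Marketing, and the account jsmith are constructed for the example; passwords are prompted for rather than written into the script.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module and
# that OU=Sales and OU=Marketing already exist in the domain.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=example,DC=com
$salesOU  = "OU=Sales,$domainDN"
$mktOU    = "OU=Marketing,$domainDN"

# Activity 4-4: create the account. The initial password is entered at the
# prompt (never stored in the script) and must be changed at first logon.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for jsmith"
New-ADUser -Name "Jane Smith" -GivenName "Jane" -Surname "Smith" `
    -SamAccountName "jsmith" -UserPrincipalName "jsmith@example.com" `
    -Path $salesOU -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# Record the GUID the directory assigned to the object (see the Schema slide).
$originalGuid = (Get-ADUser -Identity "jsmith").ObjectGUID

# Activity 4-5: disable (for example while the person is on leave), rename,
# then re-enable. Rename-ADObject needs the object's distinguished name.
Disable-ADAccount -Identity "jsmith"
Rename-ADObject -Identity (Get-ADUser "jsmith").DistinguishedName -NewName "Jane Smith-Jones"
Enable-ADAccount -Identity "jsmith"

# Activity 4-6: move the account to another container. The DN changed with the
# rename, so look it up again rather than reusing an old value.
Move-ADObject -Identity (Get-ADUser "jsmith").DistinguishedName -TargetPath $mktOU

# Activity 4-7: a forgotten password cannot be read back, only reset. Forcing a
# change at next logon limits how long the helpdesk-known value stays valid.
$newPassword = Read-Host -AsSecureString -Prompt "New password for jsmith"
Set-ADAccountPassword -Identity "jsmith" -Reset -NewPassword $newPassword
Set-ADUser -Identity "jsmith" -ChangePasswordAtLogon $true

# Activity 4-8: delete the account, then create one with the same name. The new
# object receives a fresh GUID (and SID); nothing granted to the old object
# carries over, which is why disabling is preferred when a return is possible.
Remove-ADUser -Identity "jsmith" -Confirm:$false
New-ADUser -Name "Jane Smith" -SamAccountName "jsmith" -Path $salesOU -Enabled $false
$newGuid = (Get-ADUser -Identity "jsmith").ObjectGUID
if ($originalGuid -ne $newGuid) { "GUID changed: $originalGuid -> $newGuid" }
```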

Quick Quiz 1
1. Servers on a network managed by Active Directory that do not have Active Directory installed are called ____ servers. Answer: member
2. The Active Directory ____ defines the objects and the information pertaining to those objects that can be stored in Active Directory. Answer: schema
3. The domains in a(n) ____ typically have a hierarchical structure, such as a root domain at the top and other domains under the root. Answer: tree
4. (True/False) OUs can be nested within OUs. Answer: True
5. (True/False) You can choose to look up or reset a forgotten password. Answer: False

Security Group Management
- Group accounts with similar characteristics together
- Scope of influence (or scope): the reach of a group for gaining access to resources in Active Directory
- Types of groups and associated scopes: local, domain local, global, universal

Security Group Management (cont’d.)
- Security groups: enable access to resources on a stand-alone server or in Active Directory
- Distribution groups: used for e-mail or telephone lists

Implementing Local Groups
- Local security group: used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)
- Create using the Local Users and Groups MMC snap-in

Implementing Domain Local Groups
- Domain local security group: used when Active Directory is deployed
- Manages resources in a domain and gives global groups from the same and other domains access to those resources
- Scope of a domain local group: the domain in which the group exists
- A domain local group can be converted to a universal group

Implementing Domain Local Groups (cont’d.)
- Access control list (ACL): the list of security descriptors (privileges) that have been set up for a particular object
- Table 4-1: Membership capabilities of a domain local group

Implementing Global Groups
- Global security group: contains user accounts from a single domain
- Can also be set up as a member of a domain local group in the same or another domain
- Broader scope than domain local groups
- Can be nested
- Typical use: add accounts that need access to resources in the same or in another domain, then make the global group in one domain a member of a domain local group in the same or another domain

Implementing Global Groups (cont’d.)
- Figure 4-18: Nested global groups (Courtesy Course Technology/Cengage Learning)

Implementing Global Groups (cont’d.)
- Activity 4-9: Creating Domain Local and Global Security Groups. Objective: create a domain local and a global security group and make the global group a member of the domain local group

Implementing Universal Groups
- Universal security groups: span domains and trees
- Can include: user accounts from any domain; global groups from any domain; other universal groups from any domain
- Guidelines to help simplify how you plan to use groups: see text

Implementing Universal Groups (cont’d.)
- Figure 4-21: Managing security through universal and global groups (Courtesy Course Technology/Cengage Learning)

Properties of Groups
- To edit properties, double-click the group in the Local Users and Groups tool for a stand-alone (non-domain) or member server, or in the Active Directory Users and Computers tool for DC servers in a domain
- Properties tabs: General; Members; Member of; Managed by
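The domain local, global and universal group slides above, Activity 4-9, and the Properties tabs are demonstrated together in this added example (not the textbook’s own steps). It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later); the OU=Groups container, the accounts jsmith and rlee, and the group names are constructed for the example.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module,
# an existing OU=Groups container and existing accounts jsmith and rlee.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$groupsOU = "OU=Groups,$domainDN"

# Global security group: collects user accounts from this domain (the "who").
New-ADGroup -Name "Sales Staff" -SamAccountName "SalesStaff" `
    -GroupScope Global -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity "SalesStaff" -Members "jsmith", "rlee"

# Domain local security group: the one that is placed on the resource's ACL
# (the "what"); its scope is this domain only.
New-ADGroup -Name "Sales Share Modify" -SamAccountName "SalesShareModify" `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU

# Activity 4-9: make the global group a member of the domain local group.
# Access is granted once, to the domain local group; people come and go
# through the global group, so the ACL never has to change.
Add-ADGroupMember -Identity "SalesShareModify" -Members "SalesStaff"

# Distribution group: for mail lists only; it cannot be placed on an ACL.
New-ADGroup -Name "Sales Announcements" -SamAccountName "SalesAnnouncements" `
    -GroupScope Universal -GroupCategory Distribution -Path $groupsOU

# The Properties tabs from the command line.
#   General / Managed by
Set-ADGroup -Identity "SalesStaff" -Description "All sales department staff" -ManagedBy "jsmith"
#   Members (of the domain local group, showing the nested global group)
Get-ADGroupMember -Identity "SalesShareModify" | Select-Object Name, objectClass
#   Member of (which groups the global group belongs to)
Get-ADPrincipalGroupMembership -Identity "SalesStaff" | Select-Object Name, GroupScope

# A domain local group can be converted to universal as long as it contains no
# other domain local groups; a universal group's membership is then replicated
# to every global catalog in the forest.
Set-ADGroup -Identity "SalesShareModify" -GroupScope Universal
```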

Planning the Delegation of Object Management
- Security groups and user accounts enable an organization to delegate authority over objects
- Establish and document policies
- Common objects that are delegated include OUs, user accounts, and groups
- Use the Delegation of Control Wizard
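Activity 4-3 (create an OU and delegate control over it) and this slide describe what the Delegation of Control Wizard does: it writes access control entries on the OU. The following added example, not the textbook’s own steps, creates the OU and the delegated group with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and then writes the same kind of entry with dsacls.exe, which ships with Windows Server 2008. The OU name HelpdeskUsers and the group HelpdeskPwdReset are constructed for the example.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module and
# Domain Admins rights; names below are constructed for the example.
Import-Module ActiveDirectory
$domainDN      = (Get-ADDomain).DistinguishedName
$domainNetBIOS = (Get-ADDomain).NetBIOSName

# Activity 4-3: create the OU. A nested OU is created the same way, with -Path
# pointing at the parent OU. Protection from accidental deletion is a
# Windows Server 2008 feature and is worth keeping on every OU.
New-ADOrganizationalUnit -Name "HelpdeskUsers" -Path $domainDN -ProtectedFromAccidentalDeletion $true
$ou = "OU=HelpdeskUsers,$domainDN"

# Delegate to a group, never to individual accounts, so that staff changes are
# membership changes rather than ACL changes (and are easier to audit).
New-ADGroup -Name "Helpdesk Password Reset" -SamAccountName "HelpdeskPwdReset" `
    -GroupScope Global -GroupCategory Security -Path $domainDN

# What the wizard's "Reset user passwords" task writes: an ACE on the OU, inherited
# by user objects only (/I:S), granting the "Reset Password" control-access
# right (CA). The group gets nothing else: no right to create, delete or move
# accounts, and no rights over other object classes in the OU.
dsacls $ou /I:S /G "$domainNetBIOS\HelpdeskPwdReset:CA;Reset Password;user"
# Let the helpdesk also force "change at next logon" (write to pwdLastSet).
dsacls $ou /I:S /G "$domainNetBIOS\HelpdeskPwdReset:WP;pwdLastSet;user"

# Document what was delegated: dump the OU's ACL and keep the delegated lines.
dsacls $ou | Select-String "HelpdeskPwdReset"
```

The Select-String output is the record to keep with the delegation policy; re-running it periodically shows whether anyone has widened the delegated rights since.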

Implementing User Profiles
- Local user profile: automatically created at the local computer when you log on with an account for the first time
- Advantages of user profiles
- Roaming profile: downloaded to the client workstation each time the user account is logged on
- Mandatory user profile: certain users cannot change their profiles

What’s New in Windows Server 2008 Active Directory
- Restart capability
- Read-Only Domain Controller (RODC)
- Auditing improvements
- Multiple password and account lockout policies in a single domain
- Active Directory Lightweight Directory Services role

Restart Capability
- Stop Active Directory Domain Services without taking down the computer
- General steps: see text

Read-Only Domain Controller
- Cannot be used to update information in Active Directory
- Does not replicate to regular DCs
- Can function as a Key Distribution Center for the Kerberos authentication method
- Provides better security at branch locations
- Example: can be configured as a DNS server

Auditing Improvements
- Audit trail of many types of changes
- Records successful completion or the reason for failure
- Must be set up in two places
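The two places are the audit policy (so the DC records directory-service changes at all) and a system access control list on the objects to be watched (so the DC knows which operations to record). This added example, not the textbook’s own steps, sets both for one OU and then reads the resulting trail. It uses auditpol.exe, the ActiveDirectory PowerShell module’s AD: drive (Windows Server 2008 R2 or later), and the .NET ActiveDirectoryAuditRule class; the OU name HelpdeskUsers is constructed for the example.

```powershell
# Added example, not from the textbook. Run on a domain controller with the
# ActiveDirectory module; the OU name is constructed for the example.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$ou = "OU=HelpdeskUsers,$domainDN"

# Place 1: the audit policy. "Directory Service Changes" is the Windows
# Server 2008 subcategory that records old and new attribute values. This sets
# it on the local DC; in production, set it in the Default Domain Controllers
# Policy GPO so that every DC records the same thing.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Place 2: the SACL on the object. Audit successful and failed property writes
# by anyone (S-1-1-0 = Everyone), inherited by the objects under the OU.
$acl = Get-Acl -Path "AD:\$ou"
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]"Success, Failure",
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Reading the trail. Event 5136 ("A directory service object was modified")
# carries the attribute, the old value and the new value; 4724 is a password
# reset and 4738 a user account change, which together let a reviewer check
# that the helpdesk only did what was delegated to it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 4724, 4738 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Auditing every property write on a busy OU produces a lot of events; narrowing the rule to specific attributes (the ActiveDirectoryAuditRule constructors that take an object type GUID) or to specific groups is the usual next step once the trail is confirmed to be working.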

Multiple Password and Account Lockout Policies in a Single Domain
- Set up multiple password and account lockout security requirements and associate them with a security group, user or OU
- More than one set of account policies can now be created within a domain
- Password settings container (PSC): contains password settings objects (PSOs), each representing a unique set of password policies
- Three policy sets: ordinary users, administrators, service accounts
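The three policy sets named on the slide, as an added example that is not the textbook’s own steps. It creates one PSO per set with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later; the domain must be at the Windows Server 2008 domain functional level), links each to a group, and checks which policy an account actually receives. One practical caveat: a PSO is linked to user accounts or global security groups, so to cover the users of an OU you link the PSO to a group that holds them. The group ServiceAccounts, the account jsmith and every numeric setting are constructed for the example, not values from the book.

```powershell
# Added example, not from the textbook. Assumes the ActiveDirectory module, the
# Windows Server 2008 domain functional level, and an existing global security
# group "ServiceAccounts". All settings below are illustrative.
Import-Module ActiveDirectory

# Lower Precedence wins when an account falls under several PSOs, so the
# strictest policy (administrators) gets the lowest number. Every setting is
# given explicitly because the PSO schema class requires all of them.
New-ADFineGrainedPasswordPolicy -Name "PSO-Admins" -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Service accounts: long passwords that rotate rarely, and no lockout
# (LockoutThreshold 0), so a mistyped credential in one job cannot take a
# service down; the long length compensates for the missing lockout.
New-ADFineGrainedPasswordPolicy -Name "PSO-ServiceAccounts" -Precedence 20 `
    -MinPasswordLength 25 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 0 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Ordinary users.
New-ADFineGrainedPasswordPolicy -Name "PSO-Users" -Precedence 30 `
    -MinPasswordLength 12 -PasswordHistoryCount 12 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) -ReversibleEncryptionEnabled $false

# Link each PSO to a global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Admins" -Subjects "Domain Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-ServiceAccounts" -Subjects "ServiceAccounts"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Users" -Subjects "Domain Users"

# Verify the result for one account: this returns the PSO that wins for that
# user, or nothing if only the domain's default policy applies.
Get-ADUserResultantPasswordPolicy -Identity "jsmith" |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```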

Active Directory Lightweight Directory Services Role
- Targeted for servers that manage user applications
- Skeleton version of Active Directory Domain Services
- Installed as a server role via Server Manager

Taking Active Directory Snapshots
- Tools for making snapshots: ntdsutil.exe (the Active Directory database management tool); the Active Directory Database Mounting Tool, dsamain.exe
- Enable Active Directory snapshots to be taken for later viewing
- Compare a snapshot to what is in Active Directory after it is restored
- Determine which of several restores has the most complete Active Directory data
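The snapshot workflow on this slide, as an added example that is not the textbook’s own steps: take a snapshot with ntdsutil.exe, mount it, expose it read-only over LDAP with dsamain.exe, and compare one OU between the snapshot and the live directory. dsamain offers plain LDAP only (not the Active Directory Web Services the ActiveDirectory PowerShell module needs), so the comparison uses the .NET DirectorySearcher class, which is available on Windows Server 2008. The mount path, the port 10389, and the OU Sales under example.com are constructed for the example; the real mount path is printed by ntdsutil.

```powershell
# Added example, not from the textbook. Run on a domain controller as an
# administrator. The snapshot is a Volume Shadow Copy of the NTDS database.
ntdsutil "activate instance ntds" snapshot create quit quit

# List the snapshots and mount one by its list index (a GUID also works). The
# mount point is printed, e.g. C:\$SNAP_<date>_VOLUMEC$\
ntdsutil snapshot "list all" "mount 1" quit quit

# Placeholder: replace with the mount point ntdsutil printed.
$mountPoint  = 'C:\$SNAP_<date>_VOLUMEC$'
$snapshotDit = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'

# Serve the snapshot read-only on a separate LDAP port. dsamain keeps running
# in its own window until it is stopped with Ctrl+C.
Start-Process dsamain -ArgumentList "/dbpath `"$snapshotDit`" /ldapport 10389"

# Assumed helper: list sAMAccountNames under a container via plain LDAP, so the
# same code works against the live DC (port 389) and the snapshot (port 10389).
function Get-SamAccountNames {
    param([string]$LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties["samaccountname"][0] }
}

$live = Get-SamAccountNames "LDAP://localhost:389/OU=Sales,DC=example,DC=com"
$snap = Get-SamAccountNames "LDAP://localhost:10389/OU=Sales,DC=example,DC=com"

# "<=" marks accounts that exist only in the snapshot (deleted since),
# "=>" marks accounts created since the snapshot. This is a comparison only:
# a snapshot is not a restore, and putting data back is a separate procedure.
Compare-Object -ReferenceObject $snap -DifferenceObject $live

# Unmount when finished (stop dsamain first).
ntdsutil snapshot "list all" "unmount 1" quit quit
```

Running the same comparison against each of several restored copies is how the last bullet of the slide is answered: the copy whose difference list against the snapshot is shortest is the most complete one.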

Quick Quiz 2
1. A(n) ____ security group is used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain. Answer: local
2. ____ security groups provide a means to span domains and trees. Answer: Universal
3. A local user ____ is automatically created at the local computer when you log on with an account for the first time. Answer: profile
4. (True/False) An Active Directory snapshot is used to restore lost data. Answer: False

Summary
- Active Directory houses information about network resources
- Domain controllers
- Hierarchy: forest, tree, domain, organizational unit
- Global catalog
- User accounts and profiles
- Functional levels for domain and forest
- New features of Active Directory in Windows Server 2008