Module 3: Configuring Active Directory Objects and Trusts.


1 Module 3: Configuring Active Directory Objects and Trusts

2 Module Overview
- Configuring Active Directory Objects
- Strategies for Using Groups
- Automating AD DS Object Management
- Delegating Administrative Access to AD DS Objects
- Configuring AD DS Trusts

3 Lesson 1: Configuring Active Directory Objects
- Types of AD DS Objects
- Demonstration: Configuring AD DS User Accounts
- AD DS Group Types
- AD DS Group Scopes
- Default AD DS Groups
- AD DS Special Identities
- Discussion: Using Default Groups and Special Identities
- Demonstration: Configuring AD DS Group Accounts
- Demonstration: Configuring Additional AD DS Objects

4 Types of AD DS Objects
- User accounts
  - Enables a single sign-on for a user
  - Provides access to resources
- Computer accounts
  - Enables authentication and auditing of computer access to resources
- Group accounts
  - Helps simplify administration
- InetOrgPerson
  - Similar to a user account
  - Used for compatibility with other directory services
- Organizational Unit
  - Used to group similar objects for administration
- Printers
  - Used to simplify the process of locating and connecting to printers
- Shared folders
  - Used to simplify the process of locating and connecting to shared folders

5 Demonstration: Configuring AD DS User Accounts In this demonstration, you will see how to configure AD DS user accounts

6 AD DS Group Types
- Distribution groups
  - Used only with e-mail applications
  - Not security-enabled
- Security groups
  - Used to assign rights and permissions to groups of users and computers
  - Used most effectively when nested
The functional level determines the type of groups that you can create

7 AD DS Group Scopes
- Local
  - Group members can include: users, groups, and computers as members from any trusted domain
  - Can be used to assign permissions: on the local computer
- Domain Local
  - Group members can include: accounts from any trusted domain; universal groups, global groups, and other domain local groups from its own domain
  - Can be used to assign permissions: in the same domain
- Global
  - Group members can include: users, groups, and computers from its own domain
  - Can be used to assign permissions: in any trusted domain
- Universal
  - Group members can include: users, groups, and computers as members from any trusted domain
  - Can be used to assign permissions: in any trusted domain

8 Default AD DS Groups
Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles:
Account Operators, Administrators, Backup Operators, Incoming Forest Trust Builders, Network Configuration Operators, Performance Log Users, Performance Monitor Users, Pre-Windows 2000 Compatible Access, Print Operators, Remote Desktop Users, Replicator, Server Operators, Users

9 AD DS Special Identities
Designed to provide access to resources without administrative or user interaction:
Anonymous Logon, Authenticated Users, Batch, Creator Group, Creator Owner, Dialup, Everyone, Interactive, Local System, Network, Self, Service, Terminal Server Users, Other Organization, This Organization

10 Discussion: Using Default Groups and Special Identities Using the scenario, answer the questions in your workbook

11 Demonstration: Configuring AD DS Group Accounts In this demonstration, you will see how to configure AD DS group accounts

12 Demonstration: Configuring Additional AD DS Objects In this demonstration, you will see how to configure additional AD DS objects

13 Lesson 2: Strategies for Using Groups
- Options for Assigning Access to Resources
- Using Account Groups to Assign Access to Resources
- Using Account Groups and Resource Groups
- Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

14 Options for Assigning Access to Resources
When assigning access to resources:
- Plan for the lowest level of permissions
- Keep the plan as simple as possible
- Document the plan
Options include:
- Adding user accounts to the ACL on the resource
- Adding user accounts to groups, and adding the groups to the ACL on the resource
- Adding user accounts to account groups, adding the account groups to resource groups, and adding the resource groups to the ACL on the resource

15 Using Account Groups to Assign Access to Resources
[Diagram: User Accounts, Account Groups, Permissions]

16 Using Account Groups and Resource Groups
[Diagram: User Accounts, Account Groups, Resource Groups, Permissions]
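
The three options on slide 14 can be told apart by how many hops separate a user account from the ACL. The script below is an added example, not part of the course material: it expands every ACL entry through nested groups and reports which option produced each grant. All group names, user names and the ACL are constructed sample data, and the functions Resolve-Member and Get-AccessReport are hypothetical helpers defined here.

```powershell
# Constructed sample data (hypothetical names, not from the course labs).
# Group name -> direct members (user accounts or other groups).
$Members = @{
    'G_Sales'       = @('alice', 'bob')           # account group
    'G_Finance'     = @('carol')                  # account group
    'DL_Reports_RO' = @('G_Sales', 'G_Finance')   # resource group
    'DL_Reports_RW' = @('G_Finance', 'dave')      # resource group holding a user directly
}
# ACL on one resource: trustee and the permission it is granted.
$Acl = @(
    [pscustomobject]@{ Trustee = 'DL_Reports_RO'; Permission = 'Read' }
    [pscustomobject]@{ Trustee = 'DL_Reports_RW'; Permission = 'Modify' }
    [pscustomobject]@{ Trustee = 'erin';          Permission = 'Modify' }
)

function Resolve-Member {
    # Expand a trustee into user accounts, recording the nesting path taken.
    param([string]$Name, [string[]]$Path = @())
    $chain = $Path + $Name
    if (-not $Members.ContainsKey($Name)) {
        return [pscustomobject]@{ User = $Name; Path = $chain }   # leaf: a user account
    }
    if ($Path -contains $Name) { return }                         # circular nesting guard
    foreach ($m in $Members[$Name]) { Resolve-Member -Name $m -Path $chain }
}

function Get-AccessReport {
    foreach ($ace in $Acl) {
        foreach ($r in (Resolve-Member -Name $ace.Trustee)) {
            # Path length tells which of the slide's three options granted the access.
            $option = switch ($r.Path.Count) {
                1       { 'User account on the ACL' }
                2       { 'User in a group on the ACL' }
                3       { 'Account group in a resource group on the ACL' }
                default { 'Deeper nesting than the three options' }
            }
            [pscustomobject]@{
                User       = $r.User
                Permission = $ace.Permission
                Via        = $r.Path -join ' <- '
                Option     = $option
            }
        }
    }
}

Get-AccessReport | Sort-Object User, Permission | Format-Table -AutoSize
```

With this sample data, carol holds both Read and Modify through account and resource groups, while dave and erin reach Modify by shorter paths, which is the kind of mixed plan that is harder to document.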

17 Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment Using the scenarios, answer the questions in your workbooks

18 Lesson 3: Automating AD DS Object Management
- Tools for Automating AD DS Object Management
- Configuring AD DS Objects Using Command-Line Tools
- Managing User Objects with LDIFDE
- Managing User Objects with CSVDE
- What Is Windows PowerShell?
- Windows PowerShell Cmdlets
- Demonstration: Configuring Active Directory Objects Using Windows PowerShell

19 Tools for Automating AD DS Object Management
- Active Directory Users and Computers
- Directory Service Tools
  - Dsadd
  - Dsmod
  - Dsrm
- Csvde and Ldifde tools
- Windows PowerShell

20 Configuring AD DS Objects Using Command-Line Tools
Command-line tools:
- Dsadd
- Dsmod
- Dsrm
- Dsget
- Net user
- Net group
- Net computer

21 Managing User Objects with LDIFDE
[Diagram: filename.ldf, import and export through LDIFDE.exe, Active Directory]

22 Managing User Objects with CSVDE
[Diagram: filename.csv, import and export through CSVDE.exe, Active Directory]

23 What Is Windows PowerShell?
Windows PowerShell is a scripting and command-line technology that you can use to manage Active Directory and other Windows components
Windows PowerShell features include:
- Powerful single-line cmdlets
- Aliases
- Variables
- Pipelining
- Scripting support
- Access to all cmd.exe commands

24 Windows PowerShell Cmdlets
Windows PowerShell cmdlets all use the same syntax:
- Verb: Get; Noun: Date; Parameters: none; Example: Get-Date
- Verb: Start; Noun: Service; Parameters: W3SVC; Example: Start-Service W3SVC
Results from one cmdlet can be pipelined to another:
    Get-Service W3svc | Format-List
    Get-Service | Sort-Object name
    Get-Service | Where-Object {$_.status -eq "running"} | Sort-Object name

25 Demonstration: Configuring Active Directory Objects Using Windows PowerShell In this demonstration, you will see how to configure Active Directory objects using Windows PowerShell

26 Lab A: Configuring Active Directory Objects
- Exercise 1: Configuring AD DS Objects
- Exercise 2: Implementing an AD DS Group Strategy
- Exercise 3: Automating the Management of AD DS Objects
Logon information:
- Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2, 6425A-NYC-CL1
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 40 minutes

27 Lab A Review How will the group strategies you use in your organization compare with the strategy used in this lab? Which of the options for automating AD DS object management will be most useful in your organization?

28 Lesson 4: Delegating Administrative Access to AD DS Objects
- Active Directory Object Permissions
- Demonstration: Active Directory Domain Services Object Permission Inheritance
- What Are Effective Permissions?
- What Is Delegation of Control?
- Discussion: Scenarios for Delegating Control
- Demonstration: Configuring Delegation of Control

29 Active Directory Object Permissions
Active Directory permissions:
- Include standard permissions and special permissions:
  - Standard permissions are the most frequently assigned permissions
  - Special permissions provide a finer degree of control for assigning access to objects
- Can be allowed, implicitly denied, or explicitly denied
- Can be set at the object level or inherited from the parent object

30 Demonstration: Active Directory Domain Services Object Permission Inheritance In this demonstration, you will see how permissions are inherited for AD DS objects

31 What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group:
- Permissions are cumulative, including permissions assigned to the user account and the group account
- Explicitly deny permissions override allow permissions
- Explicitly allow permissions override explicit deny permissions
- Object owners can always change permissions
- Special identities are not used when this tool calculates special permissions

32 What Is Delegation of Control?
[Diagram: Domain containing OU1, OU2 and OU3, with Admin1, Admin2 and Admin3]
Assigns the responsibility of managing Active Directory objects to another user or group
Delegated administration:
- Eases administration by distributing routine administrative tasks
- Provides users or groups more control over local network resources
- Eliminates the need for multiple administrative accounts

33 Discussion: Scenarios for Delegating Control What are the benefits of delegating administrative permissions? How would you use delegation of control in your organization?

34 Demonstration: Configuring Delegation of Control In this demonstration, you will see how to configure delegation of control

35 Lesson 5: Configuring AD DS Trusts
- What Are AD DS Trusts?
- AD DS Trust Options
- How Trusts Work Within a Forest
- How Trusts Work Between Forests
- Demonstration: Configuring Trusts
- What Are User Principal Names?
- What Are the Selective Authentication Settings?
- Demonstration: Configuring Advanced Trust Settings

36 What Are AD DS Trusts?
Provide a mechanism for users to gain access to resources in another domain
Trust characteristics:
- Transitive: the trust relationship extends beyond a two-domain trust to include other trusted domains
- Trust direction: the trust direction defines the account domain and the resource domain
- Authentication protocol: the protocol that you use to establish and maintain the trust

37 AD DS Trust Options
[Diagram: Forest 1 and Forest 2, each with a forest root domain, and a Kerberos realm. Domains shown: A, B, C, D, E, F, P, Q. Trust types shown: Tree/Root Trust, Parent/Child Trust, Shortcut Trust, Forest Trust, External Trust, Realm Trust]

38 How Trusts Work Within a Forest
[Diagram: Tree One and Tree Two. Labels: Forest Root Domain, Tree Root Domain, Domain 1, Domain 2, Domain A, Domain B, Domain C]

39 How Trusts Work Between Forests
[Diagram: numbered steps 1 to 9 across a forest trust between Forest 1 and Forest 2. Labels: WoodgroveBank.com, EMEA.WoodgroveBank.com, contoso.com, NA.Contoso.com, Global catalog, Seattle, Vancouver]

40 Demonstration: Configuring Trusts In this demonstration, you will see how to configure shortcut, external, and forest trusts

41 What Are User Principal Names?
A UPN is a logon name that includes the user logon name and a domain suffix
- The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name
- Additional UPN domain suffixes can be added
- UPNs must be unique in a forest
- UPN suffixes can be used for routing authentication requests between trusted forests:
  - UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
  - You can manually enable or disable name suffix routing across trusts

42 What Are the Selective Authentication Settings?
Selective authentication:
- Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
- Configured on the security descriptor of the computer object located in Active Directory
To configure selective authentication:
- Configure the forest or external trust to use selective rather than domain-wide authentication
- Configure the computer accounts for selective authentication

43 Demonstration: Configuring Advanced Trust Settings In this demonstration, you will see how to configure advanced trust settings

44 Lab B: Configuring Active Directory Delegation and Trusts
- Exercise 1: Delegating Control of AD DS Objects
- Exercise 2: Configuring AD DS Trusts
Logon information:
- Virtual machines: 6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-SVR1
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 20 minutes

45 Lab B Review After the trusts are configured as described in the lab, what resources will users in Woodgrove Bank be able to access in the NorthwindTraders.com domain? How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?

46 Module Review and Takeaways
- Review questions
- Considerations for configuring Active Directory objects
- Tools

47 Beta Feedback Tool
Beta feedback tool helps:
- Collect student roster information, module feedback, and course evaluations.
- Identify and sort the changes that students request, thereby facilitating a quick team triage.
- Save data to a database in SQL Server that you can later query.
Walkthrough of the tool

48 Beta Feedback
Overall flow of module:
- Which topics did you think flowed smoothly from topic to topic?
- Was something taught out of order?
Pacing:
- Were you able to keep up? Are there any places where the pace felt too slow?
- Were you able to process what the instructor said before moving on to next topic?
- Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
Learner activities:
- Which demos helped you learn the most? Why do you think that is?
- Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
- Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?

