
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

Chapter 4
Introduction to Active Directory and Account Management

Learning Objectives

Understand Active Directory basic concepts
Install and configure Active Directory
Plan and implement Active Directory containers
Create and manage user accounts
Configure and use security groups


Learning Objectives (contd.)

Plan how to delegate object management
Describe and implement new Active Directory features


Active Directory Basics

Directory service
Houses information about all network resources:
Servers, printers, user accounts, groups of user accounts, security policies, and other information
Domain controllers (DCs)
Servers that have the AD DS server role installed and hold a copy of the directory database (ntds.dit); because that database contains every account's password hash, the physical and administrative security of a DC is the security of the whole domain
Member servers
Domain-joined servers that do not have AD DS installed; they authenticate against the domain but keep their own local accounts and groups


Active Directory Basics (contd.)

Domain
Fundamental component or container
Holds information about all network resources that are grouped within it
Each DC is equal to every other DC
Multimaster replication: any writable DC accepts changes and replicates them to the others (the five operations master, or FSMO, roles are the one exception; each of those is held by a single DC at a time)
Advantage
If one DC goes down, authentication and directory access continue through the remaining DCs


Active Directory Basics (contd.)

Activity 4-1: Installing Active Directory
Figure 4-2 Installation Results window (Courtesy Course Technology/Cengage Learning)
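The promotion shown in Figure 4-2, done unattended from the command line. This is an added example and is not taken from the book: it writes a dcpromo answer file, runs dcpromo /unattend and removes the file afterwards. The forest name corp.example.com, the NetBIOS name CORP and the database paths are assumptions.

```powershell
# Added example (not from the book): unattended forest-root promotion on
# Windows Server 2008 with dcpromo /unattend. corp.example.com, CORP and the
# paths below are placeholders; adjust them before use.

# Prompt for the Directory Services Restore Mode password instead of hard-coding it.
# DSRM is a local administrator equivalent on the DC, so treat it like one.
$secure = Read-Host -AsSecureString "DSRM (Directory Services Restore Mode) password"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# dcpromo answer file. ForestLevel/DomainLevel: 0 = Windows 2000,
# 2 = Windows Server 2003, 3 = Windows Server 2008 (raising a level later is one-way).
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$file = Join-Path $env:TEMP "dcpromo-forest.txt"
Set-Content -Path $file -Value $answer -Encoding ASCII
try {
    # The answer file holds the DSRM password in clear text, so it exists only
    # for the duration of the promotion.
    Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$file" -Wait
} finally {
    Remove-Item $file -Force -ErrorAction SilentlyContinue
}

# Results and any errors are written to %SystemRoot%\debug\dcpromo.log.
# After the reboot, confirm the new DC advertises itself as DC, GC and DNS server:
#   dcdiag /test:advertising
```

The same answer-file format promotes additional DCs (ReplicaOrNewDomain=Replica) and, with ReadOnlyReplica=Yes, the read-only domain controllers described later in this chapter.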


Schema
Defines the object classes and the attributes (characteristics of objects) that can be stored in Active Directory
Sample schema for user account
Includes globally unique identifier (GUID)
Unique 128-bit number (objectGUID) tied to the object for its whole life; it does not change when the object is renamed or moved
Each attribute automatically given a version number and timestamp when created or changed
This replication metadata is how DCs decide which of two conflicting writes wins


Global Catalog
Stores a partial replica (the most frequently searched attributes) of every object in the forest, plus a full replica of its own domain
First DC configured in a forest becomes a global catalog server
Additional DCs can be made global catalog servers; at least one per site is usual
Purposes:
Authentication (universal group membership and UPN-style logons are resolved through the global catalog; in a multi-domain forest, users may be unable to log on when no GC is reachable)
Forest-wide searches of data
Replication of key AD elements
Keeps a copy of the most used attributes for quick access


Namespace
Name resolution
Converts computer and domain names to IP addresses (DNS does this for Active Directory, which is why clients locate DCs through the SRV records the DCs register in DNS)
Namespace
Logical area on a network that contains directory services and named objects
Has the ability to perform name resolution


Namespace (contd.)
Contiguous namespace
Every child object contains the name of the parent
object

Disjointed namespace
Child name does not resemble the name of its parent
object


Containers in Active Directory

Treelike structure
Containers:
Forests
Trees
Domains
Organizational units (OUs)
Sites
Figure 4-5 Active Directory hierarchical containers (Courtesy Course Technology/Cengage Learning)

Forest
Highest level in an Active Directory
One or more Active Directory trees that are in a common relationship
The forest, not the domain, is the security boundary: all domains in a forest trust each other transitively
Forest functional level
Active Directory functions supported forest-wide; raising the level is one-way and requires that every DC in the forest already runs that version of Windows
Levels:
Windows 2000 native forest functional level
Windows Server 2003 forest functional level
Windows Server 2008 forest functional level


Tree
Contains one or more domains that are in a
common relationship
Domains in a tree typically have a hierarchical
structure
Kerberos transitive trust relationship
Two-way trusts between parent domains and child
domains


Tree (contd.)
Transitive trust
If A and B have a trust and B and C have a trust, A and C automatically have a trust as well
Trusted domain
The account domain: its users are the ones granted access to resources
Trusting domain
The resource domain: the one granting access to accounts from another domain


Tree (contd.)
All domains within a single tree share the same schema
Defines all the object types that can be stored within Active Directory
The schema and the global catalog are in fact forest-wide, so this holds across trees as well: there is one schema and one global catalog per forest
All domains in a tree share the same global catalog and a portion of their namespace (a contiguous DNS namespace rooted at the tree's first domain)


Domain
Logical partition within an Active Directory forest
Primary container within Active Directory
Basic functions
To provide an AD partition to house objects
To establish a set of information to be replicated
To expedite management of a set of objects


Domain (contd.)
Domain functional levels:
Windows 2000 domain functional level
Windows Server 2003 domain functional level
Windows Server 2008 domain functional level
Activity 4-2: Managing Domains
Objective: Learn where to manage domains and domain trust relationships


Organizational Unit
Grouping of related objects within a domain
Allows the grouping of objects so that they can be administered using the same group policies
Such as security and desktop setup
Can be nested within other OUs
Also the unit of delegation: administrative rights are granted on the OU's ACL rather than on individual objects
Best practices when creating OUs
Keep nesting to 10 levels or fewer
Set up horizontally (wide and shallow) for best efficiency; each nested level adds Group Policy processing and makes it harder to see who holds rights over an object
Activity 4-3: Managing OUs
Objective: Create an OU and delegate control over it

Site
TCP/IP-based concept (container) within Active Directory
Linked to one or more IP subnets; a client's subnet determines its site and therefore which DCs it uses
Functions
Based on connectivity and replication functions; within a site replication is triggered by change notification, between sites it follows the site link schedule and is compressed
Bridgehead server
DC designated to have the role of exchanging replication information with other sites
One per site for each directory partition being replicated (chosen automatically unless a preferred bridgehead server is configured)

Active Directory Guidelines

Keep Active Directory as simple as possible
Implement the smallest number of domains possible
Use OUs to reflect the organization's structure
Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
Implement multiple trees and forests only as necessary (a separate forest is the only true security boundary, for example between the internal forest and one administered by a partner)
Use sites in situations where there are multiple IP subnets and multiple geographic locations

Planning Functional Levels and Trusts

Carefully plan trusts between forests
Forest trust
Transitive, one- or two-way trust between the root domains of two forests (both at the Windows Server 2003 forest functional level or higher); every domain in one forest can trust every domain in the other
External trust
Creates a non-transitive trust relationship with a single domain that is outside of the forest (or a Windows NT 4.0 domain); SID filtering is enabled by default on new external trusts and should stay enabled
Realm trust
Enables one- or two-way access between a Windows Server domain within a forest and a Kerberos realm of UNIX/Linux computers
Shortcut trust
Created between two domains in the same forest to shorten the Kerberos referral path between them; it does not link different forests (that is what a forest trust is for)
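The external and realm trusts above, created and checked with netdom, which ships with the AD DS role on Windows Server 2008. This is an added example, not from the book; corp.example.com, partner.example.net, KRB.EXAMPLE.ORG and the administrator account names are assumptions.

```powershell
# Added example (not from the book). Domain, realm and account names are placeholders.
$ours    = "corp.example.com"      # trusting domain: grants access to its resources
$partner = "partner.example.net"   # trusted domain: its accounts are granted access

# 1. One-way external trust (non-transitive: only partner.example.net itself is
#    trusted, not the other domains in its forest). /pd:* and /po:* prompt for the
#    trusted-side and trusting-side admin passwords so they stay out of the history.
netdom trust $ours /d:$partner /add /ud:PARTNER\Administrator /pd:* /uo:CORP\Administrator /po:*

# 2. Verify the secure channel before anyone relies on the trust.
netdom trust $ours /d:$partner /verify /ud:PARTNER\Administrator /pd:*

# 3. SID filtering ("quarantine"): display it, then make sure it stays enabled.
#    With it off, an administrator in the partner domain can put any SID, such
#    as CORP\Domain Admins, into a user's sIDHistory and be treated as that
#    principal on our side of the trust.
netdom trust $ours /d:$partner /quarantine
netdom trust $ours /d:$partner /quarantine:yes

# 4. Selective authentication: partner accounts can only authenticate to servers
#    where they were explicitly granted "Allowed to Authenticate".
netdom trust $ours /d:$partner /selectiveauth:yes

# 5. Realm trust to a UNIX/Linux Kerberos realm. The trust password entered here
#    must match the cross-realm krbtgt principal configured on that KDC.
netdom trust $ours /d:KRB.EXAMPLE.ORG /add /realm /passwordt:*

# 6. Inventory: every trust of this domain with its direction and attributes,
#    for the trust documentation the slide asks you to keep.
nltest /domain_trusts /all_trusts
```

Forest trusts are created in Active Directory Domains and Trusts (the tool from Activity 4-2); the /quarantine and /selectiveauth checks apply to them in the same way.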

User Account Management

General environments:
Accounts that are set up through a stand-alone server that does not have Active Directory installed
Accounts that are set up in a domain when Active Directory is installed


Creating Accounts when Active Directory Is Not Installed
Install Local Users and Groups MMC snap-in:
For stand-alone servers that do not use Active Directory
Create a local user account on a server that is not a DC
See text for steps


Creating Accounts when Active Directory Is Not Installed (contd.)

Figure 4-11 Selecting the Local Users and Groups MMC snap-in (Courtesy Course Technology/Cengage Learning)

Creating Accounts when Active Directory Is Not Installed (contd.)

Figure 4-12 Creating a user account without Active Directory installed (Courtesy Course Technology/Cengage Learning)


Creating Accounts when Active Directory Is Installed
Use the Active Directory Users and Computers tool
From the Administrative Tools menu or as an MMC snap-in
Create each new account by entering account information and password controls (such as "User must change password at next logon", which should be set for every account created with an initial password)
Activity 4-4: Creating User Accounts in Active Directory
Objective: Learn how to create a user account in Active Directory


Creating Accounts when Active Directory Is Installed (contd.)

Figure 4-13 Creating a user account (Courtesy Course Technology/Cengage Learning)


Creating Accounts when Active Directory Is Installed (contd.)

Figure 4-14 User account properties (Courtesy Course Technology/Cengage Learning)


Disabling, Enabling, and Renaming Accounts
When to disable
Disable rather than delete when a person leaves or is on extended leave: the account keeps its SID, so it can be re-enabled or examined later without rebuilding group memberships and permissions
Activity 4-5: Disabling, Renaming, and Enabling an Account
Objective: Practice disabling, renaming, and then enabling an account
Figure 4-15 Disabling an account (Courtesy Course Technology/Cengage Learning)



Moving an Account
May need to move a person's account from one container to another
The account keeps its SID and group memberships, but from then on receives the Group Policy and delegated administration of the new container
Activity 4-6: Moving an Account
Objective: Practice moving an account
Figure 4-16 Moving an account (Courtesy Course Technology/Cengage Learning)

Resetting a Password
Cannot look up forgotten passwords (Active Directory stores only password hashes)
Reset instead
Maintain guidelines for resetting passwords
Verify the requester's identity out of band before resetting, set "User must change password at next logon", and record who reset which account; resetting a password is exactly the capability an attacker needs to take over an account
Activity 4-7: Changing an Account's Password
Objective: Practice changing an account's password
Figure 4-17 Resetting a password (Courtesy Course Technology/Cengage Learning)


Deleting an Account
Delete accounts that are no longer in use
The globally unique identifier (GUID) and the security identifier (SID) are deleted with the account
Neither will be reused even if you create another account using the same name, so the new account inherits none of the old one's permissions or group memberships
Disable first and delete only after a retention period, so the account can still be investigated or re-enabled
Activity 4-8: Deleting an Account
Objective: Practice deleting an account
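The whole account lifecycle of Activities 4-4 through 4-8 (create, disable, enable, rename, move, reset password, delete) from the command line with the ds* tools installed with the AD DS role on Windows Server 2008. This is an added example and not from the book; the OU names, the user and the group CN=Sales Staff are assumptions.

```powershell
# Added example (not from the book): Activities 4-4 to 4-8 with dsadd/dsmod/
# dsmove/dsget/dsrm. DNs, names and the group are placeholders.
$domain = "DC=corp,DC=example,DC=com"
$ou     = "OU=Sales,$domain"
$user   = "CN=Jane Doe,$ou"

# Create: random initial password, forced change at first logon, and created
# disabled so the account cannot be used before its owner has been verified.
[void][Reflection.Assembly]::LoadWithPartialName("System.Web")
$initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
dsadd user $user -samid jdoe -upn jdoe@corp.example.com -fn Jane -ln Doe -display "Jane Doe" `
    -pwd $initial -mustchpwd yes -disabled yes -memberof "CN=Sales Staff,$ou"

# Enable once the owner has received the initial password; disable again the
# day the person leaves (the SID survives, so nothing has to be rebuilt).
dsmod user $user -disabled no
dsmod user $user -disabled yes

# Rename: the RDN, logon names and display name change, the SID and objectGUID do not,
# so group memberships and ACL entries stay intact.
dsmove $user -newname "Jane Smith"
$user = "CN=Jane Smith,$ou"
dsmod user $user -ln Smith -display "Jane Smith" -upn jsmith@corp.example.com -samid jsmith

# Move: from now on the account gets the Group Policy and the delegated
# administrators of the Marketing OU instead of those of Sales.
dsmove $user -newparent "OU=Marketing,$domain"
$user = "CN=Jane Smith,OU=Marketing,$domain"

# Reset a forgotten password: the old one cannot be read back, only replaced.
# "-pwd *" prompts, so the new value never lands in the command history.
dsmod user $user -pwd * -mustchpwd yes

# Review the state before deleting: still disabled? which groups did it hold?
dsget user $user -samid -disabled -pwdneverexpires -mustchpwd -memberof

# Delete: SID and GUID are gone for good; a new "Jane Smith" gets a new SID
# and none of the old permissions.
dsrm $user -noprompt
```

On a stand-alone server without Active Directory the equivalents are net user and the Local Users and Groups snap-in; the ds* tools only work against a domain.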


Security Group Management

Group accounts with similar characteristics together
Scope of influence (or scope)
Reach of a group for gaining access to resources in Active Directory
Types of groups and associated scopes:
Local
Domain local
Global
Universal


Security Group Management (contd.)

Security groups
Enable access to resources on a stand-alone server or in Active Directory (the group's SID can be placed in an ACL and appears in its members' access tokens)
Distribution groups
Used for e-mail or telephone lists; they cannot be granted permissions, so use them only where no access control is intended


Implementing Local Groups

Local security group
Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)
Create using the Local Users and Groups MMC snap-in


Implementing Domain Local Groups

Domain local security group
Used when Active Directory is deployed
Manage resources in a domain
Give global groups from the same and other domains access to those resources
Scope of a domain local group
Domain in which the group exists: it can appear in ACLs only on resources in its own domain
Can convert a domain local group to a universal group, provided it contains no other domain local groups


Implementing Domain Local Groups (contd.)
Access control list (ACL)
The list of access control entries (ACEs) in an object's security descriptor; each ACE names a security principal (a user or group SID) and the rights it is allowed or denied
Table 4-1 Membership capabilities of a domain local group



Implementing Global Groups

Global security group
Contains user accounts from a single domain
Can also be set up as a member of a domain local group in the same or another domain
Broader scope than domain local groups
Can be nested
Typical use:
Add accounts that need access to resources in the same or in another domain
Make the global group in one domain a member of a domain local group in the same or another domain

Implementing Global Groups (contd.)

Figure 4-18 Nested global groups (Courtesy Course Technology/Cengage Learning)

Implementing Global Groups (contd.)

Activity 4-9: Creating Domain Local and Global Security Groups
Objective: Create a domain local and a global security group and make the global group a member of the domain local group
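Activity 4-9 carried through to the point where the nesting actually grants something: accounts go into a global group, the global group into a domain local group, and only the domain local group appears in a resource ACL (the "AGDLP" pattern the last three slides describe). This is an added example and not from the book; the group names, the OU, the share path and the file server are assumptions.

```powershell
# Added example (not from the book): Activity 4-9 with dsadd/dsmod, then the
# domain local group used in an NTFS ACL. Names and paths are placeholders.
$domain = "DC=corp,DC=example,DC=com"
$ou     = "OU=Groups,$domain"

# Global group: holds accounts from this domain only (a role: "people in Sales").
dsadd group "CN=GG-Sales-Staff,$ou" -secgrp yes -scope g -samid "GG-Sales-Staff" `
    -desc "Sales department staff (global group)"

# Domain local group: holds one permission on one resource in this domain.
# Global groups from this and any trusted domain can be members of it.
dsadd group "CN=DL-SalesShare-Modify,$ou" -secgrp yes -scope l -samid "DL-SalesShare-Modify" `
    -desc "Modify on \\fs01\Sales (domain local group)"

# Nest: Accounts -> Global group -> Domain Local group -> Permission.
dsmod group "CN=DL-SalesShare-Modify,$ou" -addmbr "CN=GG-Sales-Staff,$ou"
dsmod group "CN=GG-Sales-Staff,$ou"       -addmbr "CN=Jane Doe,OU=Sales,$domain"

# Grant the NTFS right to the domain local group only, never to individual users;
# (OI)(CI) make it inherit to files and subfolders, M = Modify.
icacls "D:\Shares\Sales" /grant "CORP\DL-SalesShare-Modify:(OI)(CI)M"

# Universal group (forest-wide): its membership lives in the global catalog, so
# put global groups in it rather than users to keep forest-wide replication small.
dsadd group "CN=UG-AllSales,$ou" -secgrp yes -scope u -samid "UG-AllSales"
dsmod group "CN=UG-AllSales,$ou" -addmbr "CN=GG-Sales-Staff,$ou"

# Review: who really ends up with Modify on the share once nesting is expanded?
dsget group "CN=DL-SalesShare-Modify,$ou" -members -expand
```

The expanded membership listing is what an access review should look at: a user never appears in the share's ACL directly, so the ACL alone does not tell you who can write to the folder.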


Implementing Universal Groups

Universal security groups
Span domains and trees
Can include
User accounts from any domain
Global groups from any domain
Other universal groups from any domain
Membership is stored in the global catalog, so every membership change replicates forest-wide; nest global groups rather than individual users to keep that replication small
Guidelines to help simplify how you plan to use groups
See text

Implementing Universal Groups (contd.)

Figure 4-21 Managing security through universal and global groups (Courtesy Course Technology/Cengage Learning)

Properties of Groups
To edit properties:
Double-click the group in the Local Users and Groups tool for a stand-alone (non-domain) or member server
Or in the Active Directory Users and Computers tool for DC servers in a domain
Properties
General
Members
Member of
Managed by


Planning the Delegation of Object Management
Security groups and user accounts enable an organization to delegate authority over objects
Establish and document policies
Common objects that are delegated include OUs, user accounts, and groups
Use the Delegation of Control Wizard
The wizard only adds access control entries to the object's ACL; it cannot show or remove existing delegations, so review the ACL itself and delegate to groups rather than to individual users
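What the Delegation of Control Wizard writes into an OU's ACL (the ACL defined under "Implementing Domain Local Groups (contd.)"), expressed with dsacls so it can be reviewed, repeated and reverted. This is an added example and not from the book; the OU and the CORP\HelpDesk group are assumptions.

```powershell
# Added example (not from the book): a help-desk delegation on an OU with dsacls.
# The OU DN and the group are placeholders.
$ou = "OU=Sales,DC=corp,DC=example,DC=com"

# Before: dump the current ACL. Each line is one ACE: trustee, rights, and the
# object type it applies to. Save this with the change record.
dsacls $ou

# Help desk may reset passwords and force a change at next logon, but only on
# user objects below this OU (/I:S = inherit to sub-objects, not the OU itself).
#   CA = control access right, WP = write property; "user" limits the ACE to user objects.
dsacls $ou /I:S /G "CORP\HelpDesk:CA;Reset Password;user"
dsacls $ou /I:S /G "CORP\HelpDesk:WP;pwdLastSet;user"
# ... and unlock locked-out accounts.
dsacls $ou /I:S /G "CORP\HelpDesk:WP;lockoutTime;user"

# Never "solve" a ticket with a generic right such as GA (full control) on the OU:
# full control includes changing the OU's ACL and the membership of every group
# under it, which is domain-admin-equivalent if a privileged group lives there.

# After: confirm that exactly these ACEs were added and nothing else.
dsacls $ou | Select-String "HelpDesk"

# Revert the delegation later by removing every ACE for the trustee:
#   dsacls $ou /R "CORP\HelpDesk"
```

Because Reset Password is delegated, the HelpDesk group must not be allowed to touch accounts it should not own; keeping administrators in a separate OU that has no such delegation is the usual way to enforce that.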


Implementing User Profiles

Local user profile
Automatically created at the local computer when you log on with an account for the first time
Advantages of user profiles
Roaming profile
Stored on a network share and downloaded to the client workstation each time the user account is logged on; the profile path is set on the user account, and the share's permissions decide who can read or replace the user's settings
Mandatory user profile
Certain users cannot change their profiles: a roaming profile whose NTUSER.DAT is renamed NTUSER.MAN, so changes are discarded at logoff

What's New in Windows Server 2008 Active Directory

Restart capability
Read-Only Domain Controller (RODC)
Auditing improvements
Multiple password and account lockout policies in a single domain
Active Directory Lightweight Directory Services role


Restart Capability
Stop Active Directory Domain Services without taking down the computer (restartable AD DS)
Allows offline maintenance such as an offline defragmentation or database integrity check with ntdsutil without rebooting into Directory Services Restore Mode; the DC's other services keep running
General steps
See text for steps


Read-Only Domain Controller

Cannot be used to update information in Active Directory (writes are referred to a writable DC)
Does not replicate to regular DCs (replication is one-way, inbound only)
Stores no passwords by default; it caches only the secrets of accounts allowed by its Password Replication Policy, so a stolen RODC exposes only those accounts
Can function as a Key Distribution Center for the Kerberos authentication method (with its own krbtgt account, separate from the domain's)
Provides better security at branch locations
Example
Can be configured as a DNS server
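The Password Replication Policy is what decides how much a lost branch-office RODC actually exposes, so it is the part to review. The commands below use repadmin, which ships with the AD DS role on Windows Server 2008. This is an added example, not from the book; the RODC name BRANCH-RODC01, the hub DC HQ-DC01, the group and the user DN are assumptions.

```powershell
# Added example (not from the book): reviewing and maintaining an RODC's
# Password Replication Policy with repadmin. Server, group and user names are placeholders.
$rodc = "BRANCH-RODC01"

# Accounts whose secrets the RODC may cache (allow) and may never cache (deny).
# The deny list should cover every administrative and service account.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny

# Accounts whose password hashes are on the RODC right now. If the RODC is
# stolen, this is the exact set of accounts whose passwords must be reset.
repadmin /prp view $rodc reveal

# Accounts that authenticated through this RODC but are not cached: the
# candidates for the allow list, and a way to spot accounts logging on where they should not.
repadmin /prp view $rodc auth2

# Allow only the branch's own staff group to be cached.
repadmin /prp add $rodc allow "CN=Branch-Users,OU=Groups,DC=corp,DC=example,DC=com"

# Pre-populate one branch user's secrets from a writable DC, so the user can
# log on even when the WAN link to headquarters is down.
repadmin /rodcpwdrepl $rodc HQ-DC01 "CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com"
```

If an RODC is lost, delete its computer account in Active Directory Users and Computers: the deletion dialog offers to reset the passwords of every account in the reveal list, which is why that list should contain nothing but branch users.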


Auditing Improvements
Audit trail of many types of changes (the new Directory Service Changes audit subcategory)
Records old and new attribute values, and successful completion or the reason for failure
Must be set up in two places: the audit policy (Group Policy or auditpol) and a system access control list (SACL) on the objects to be audited; either one alone produces no events
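The two places, set from the command line on a Windows Server 2008 DC, followed by a query that shows the events arriving. This is an added example and not from the book; the OU holding privileged groups is an assumption, and the SACL is written through ADSI here rather than through the Active Directory Users and Computers Auditing tab.

```powershell
# Added example (not from the book): enable AD DS change auditing in both
# required places and read the resulting events. The OU DN is a placeholder.
# Run as a Domain Admin on a DC.

# Place 1: the audit policy. "Directory Service Changes" logs old and new values
# as event IDs 5136 (modify), 5137 (create), 5138 (undelete), 5139 (move) and
# 5141 (delete). auditpol changes this DC only; for every DC set the same
# policy in the Default Domain Controllers Policy GPO.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Changes"

# Place 2: a SACL on the objects to watch. Without it nothing is logged even
# though the policy is on. Here: audit successful writes, deletes and ACL
# changes by anyone, on everything under the OU that holds privileged groups.
$ou = [ADSI]"LDAP://OU=Admin,DC=corp,DC=example,DC=com"
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rights   = [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, WriteDacl, WriteOwner, Delete, DeleteChild, CreateChild"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.psbase.ObjectSecurity.AddAuditRule($rule)
$ou.psbase.CommitChanges()

# Check: add a member to a group under the OU, then read the newest 5136
# (modify) events; each one carries the attribute name and its old/new value.
wevtutil qe Security /q:"*[System[(EventID=5136)]]" /c:5 /rd:true /f:text
```

A membership change to a privileged group shows up as a 5136 event on the "member" attribute; forwarding those events off the DC is what makes the audit trail survive a compromise of the DC itself.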


Multiple Password and Account Lockout Policies in a Single Domain
Set up multiple password and account lockout security requirements (fine-grained password policies; requires the Windows Server 2008 domain functional level)
Associate them with a user or a global security group (not with an OU; to target an OU, keep its users in a "shadow" global group and link the policy to that group)
Can now create more than one set of account policies within a domain
Password settings container (PSC), under the domain's System container
Contains password settings objects (PSOs)
Each represents a unique set of password policies; when several apply to one account, the PSO with the lowest precedence value wins, and a PSO linked directly to the user wins over any linked through groups
Three policy sets:
Ordinary users, administrators, service accounts
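The "administrators" policy set from the slide, created as a PSO with ldifde (Windows Server 2008 has no AD PowerShell module, so ADSI Edit or an LDIF import is how PSOs are made). This is an added example and not from the book; the domain, the PSO name, the thresholds and the groups are assumptions.

```powershell
# Added example (not from the book): a stricter password and lockout policy for
# administrators as a PSO, imported with ldifde. Requires the Windows Server 2008
# domain functional level. Domain and group names are placeholders.
$domain = "DC=corp,DC=example,DC=com"

# Durations are Integer8 values: negative 100-nanosecond intervals.
#   1 day  = -864000000000     30 days = -25920000000000     30 min = -18000000000
$ldif = @"
dn: CN=PSO-Admins,CN=Password Settings Container,CN=System,$domain
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: -25920000000000
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-PSOAppliesTo: CN=Domain Admins,CN=Users,$domain
msDS-PSOAppliesTo: CN=Tier0-Admins,OU=Groups,$domain
"@
$file = Join-Path $env:TEMP "pso-admins.ldf"
Set-Content -Path $file -Value $ldif -Encoding ASCII
ldifde -i -f $file
Remove-Item $file

# Which PSO actually applies to an account? Lowest precedence value wins, and a
# PSO linked directly to the user beats one linked through a group.
dsget user "CN=Administrator,CN=Users,$domain" -effectivepso

# A PSO cannot target an OU. For the "service accounts" policy set, keep a shadow
# global group in step with the OU and link that group in msDS-PSOAppliesTo.
dsquery user "OU=ServiceAccounts,$domain" | dsmod group "CN=Shadow-ServiceAccounts,OU=Groups,$domain" -addmbr
```

Every account that has no PSO applied still falls back to the Default Domain Policy, so the three policy sets only reduce risk if the shadow groups are kept complete.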

Active Directory Lightweight Directory Services Role
Targeted for servers that manage user applications
Skeleton version of Active Directory Domain Services
Installed as a server role via Server Manager


Taking Active Directory Snapshots

Tools for making snapshots:
ntdsutil.exe Active Directory database management tool (its snapshot subcommand uses the Volume Shadow Copy Service)
Active Directory Database Mounting Tool, or dsamain.exe (exposes a mounted snapshot as a read-only LDAP server on a port of your choosing)
Enable Active Directory snapshots to be taken for later viewing
Compare to what is in Active Directory after it is restored
Determine which of several restores has the most complete Active Directory data
A snapshot is a complete copy of the directory database, password hashes included, so protect and dispose of it as you would a DC backup
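The snapshot workflow end to end: create, mount, serve with dsamain, compare one object against the live directory, then unmount and delete. This is an added example and not from the book; the mount path (ntdsutil prints the real one), the port 51389 and the user DN are assumptions.

```powershell
# Added example (not from the book): AD DS snapshot with ntdsutil and dsamain.
# Run on the DC as a Domain Admin. Snapshot path, port and DN are placeholders.

# 1. Take the snapshot (a VSS shadow copy of the volume holding ntds.dit).
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. List snapshots and mount one by its index from the list output.
ntdsutil snapshot "activate instance ntds" "list all" quit quit
ntdsutil snapshot "activate instance ntds" "mount 1" quit quit
# The output names the mount point, e.g. C:\$SNAP_200806011200_VOLUMEC$\

# 3. Serve the snapshot's database read-only on LDAP port 51389. dsamain holds
#    the console, so start it in its own window and close that window when done.
$snap = 'C:\$SNAP_200806011200_VOLUMEC$'
Start-Process dsamain -ArgumentList "-dbpath `"$snap\Windows\NTDS\ntds.dit`" -ldapport 51389"

# 4. Compare the snapshot's view of a user with the live one (ADSI, no extra tools):
#    which group memberships were added or removed since the snapshot?
$dn   = "CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com"
$then = [ADSI]"LDAP://localhost:51389/$dn"
$now  = [ADSI]"LDAP://$dn"
Compare-Object ($then.memberOf | Sort-Object) ($now.memberOf | Sort-Object) -IncludeEqual

# 5. Clean up. The mounted copy contains every password hash in the domain, so
#    stop dsamain, unmount and delete the snapshot as soon as the comparison is done.
ntdsutil snapshot "activate instance ntds" "unmount 1" quit quit
ntdsutil snapshot "activate instance ntds" "delete 1" quit quit
```

Ldp.exe and Active Directory Users and Computers (Change Domain Controller, entered as server:port) can browse the same mounted instance when a graphical comparison is more convenient.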

Summary
Active Directory houses information about network resources
Domain controllers
Hierarchy: forest, tree, domain, organizational unit
Global catalog
User accounts and profiles
Functional levels for domain and forest
New features of Active Directory in Windows Server 2008