KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY
Welcome to Unit 4
IT278 Network Administration

Course Name – IT278 Network Administration
Instructor – Jan McDanolds, MS
Contact Information: AIM – JMcDanolds, Email – [email protected]

Uploaded by cornelius-floyd, 29-Dec-2015


Page 2 – UNIT 3 REVIEW

What we learned in UNIT 2
1. Use Server Manager and ServerManagerCmd.exe to manage a server
2. Install and remove server roles
3. Configure server hardware
4. Configure the operating system
5. Understand and configure the Registry
6. Use the Security Configuration Wizard (SCW) to harden a server
7. Install and use Windows PowerShell

Page 3 – UNIT 4: Introduction to Active Directory and Account Management

Chapter 4 – Objectives
- Understand Active Directory basic concepts
- Install and configure Active Directory
- Implement Active Directory containers
- Create and manage user accounts
- Configure and use security groups
- Describe and implement new Active Directory features

Page 4 – Active Directory Basics

Active Directory – Microsoft's directory service
- Domain controllers with Active Directory house information about all network resources, such as servers, printers, user accounts, groups of user accounts, security policies, and other information

What is a directory service? Directory service versus relational database:
- More than a collection of tables and fields
- Provides hierarchical data organization
- Represents network entities as objects that contain attributes
- Uses the Lightweight Directory Access Protocol (LDAP) to quickly access specific resources
- All directories are kept up to date and synchronized with each other

http://technet.microsoft.com/en-us/library/bb727070.aspx
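As an added example (editor's code, not part of the slides or the textbook), the following PowerShell script shows what "objects with attributes, organized hierarchically, reached over LDAP" looks like in practice. It uses the .NET System.DirectoryServices classes that ship with Windows Server 2008, so no extra module is needed; it assumes it runs as a domain user on a domain-joined host, and the account name FFlintstone is a sample value. The search base is read from RootDSE instead of being hard-coded, and the user-supplied value is escaped before it is placed in the LDAP filter so that it cannot alter the filter's structure.

```powershell
# Added example: look up one user object over LDAP and show its attributes.
# Assumes a domain-joined host and a domain user context; 'FFlintstone' is a
# constructed sample account name.

function Find-ADUserByLdap {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName
    )

    # RootDSE publishes the domain's root DN, so the search base is discovered
    # at run time rather than typed into the script.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $baseDn  = [string]$rootDse.Properties['defaultNamingContext'].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$baseDn")
    $searcher.SearchScope = 'Subtree'

    # Escape the filter metacharacters (RFC 4515) so that input such as
    # "*)(objectClass=*" cannot widen the query; backslash goes first.
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"

    # Ask only for the attributes we need; the directory returns nothing else.
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'memberOf', 'userAccountControl'))

    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    # Result property names come back lower-cased. The DN is the object's
    # position in the hierarchy (CN=...,CN=Users,DC=...); memberOf lists the
    # DNs of the groups the object belongs to; bit 0x2 of userAccountControl
    # is ACCOUNTDISABLE.
    [pscustomobject]@{
        SamAccountName    = [string]$result.Properties['samaccountname'][0]
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        MemberOf          = @($result.Properties['memberof'])
        Disabled          = (([int]$result.Properties['useraccountcontrol'][0]) -band 0x2) -ne 0
    }
}

Find-ADUserByLdap -SamAccountName 'FFlintstone' | Format-List
```

The distinguished name in the output is the hierarchical part of the slide's definition: each comma-separated component names a container above the object, which is what distinguishes a directory from a flat table.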

Page 5 – Active Directory Basics (cont.)

Windows Server 2008 uses Active Directory to manage accounts, groups, and more.

Domain controllers (DCs)
- Servers that have the AD DS server role installed
- Contain writable copies of the information in Active Directory

Member servers
- Servers on a network managed by Active Directory that do not have Active Directory installed

Domain
- A container that holds information about all network resources that are grouped within it; every resource is called an object

Multimaster replication
- Each DC is equal to every other DC; Active Directory makes replication efficient

Security
- Before users can access data, they must provide credentials

Page 6 – Schema

Active Directory schema
- Defines the objects, and the information pertaining to those objects, that can be stored in Active Directory
- Example: a user account is one class of object in Active Directory, defined through schema elements unique to that class

Page 7 – Global Catalog

The global catalog stores information about every object within a forest
- Stores a full replica of every object within its own domain and a partial replica of each object within every domain in the forest
- The first DC configured in a forest becomes the global catalog server
- The global catalog server enables forest-wide searches of data

The global catalog:
- Authenticates users when they log on
- Provides lookup and access to all resources in all domains
- Provides replication of key Active Directory elements
- Keeps a copy of the most used attributes for quick access

Page 8 – Namespace

Active Directory uses the Domain Name System (DNS)
- There must be a DNS server on the network that Active Directory can access
- Active Directory depends on one or more DNS servers

Namespace – a logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution

Active Directory employs two kinds of namespaces: contiguous and disjointed
- Contiguous – every child object contains the name of the parent object
- Disjointed – child objects do not contain the name of the parent object

Page 9 – Containers in Active Directory

Active Directory has an upside-down, tree-like structure. The hierarchical elements, or containers, of Active Directory include forests, trees, domains, organizational units (OUs), and sites.

Page 10 – Forest

Forest – consists of one or more Active Directory trees that are in a common relationship and have the following characteristics:
- The trees can use a disjointed namespace
- All trees use the same schema
- All trees use the same global catalog
- Domains enable administration of commonly associated objects
- Two-way transitive trusts are automatically configured between domains

A forest provides a means to relate trees that use a contiguous namespace in the domains within each tree, but that have disjointed namespaces in relation to each other.

The advantage of joining trees into a forest is that all domains share the same schema and global catalog.

Forest functional level – refers to the Active Directory functions supported forest-wide. Windows Server 2008 Active Directory recognizes three forest functional levels:
- Windows 2000 Native forest functional level
- Windows Server 2003 forest functional level
- Windows Server 2008 forest functional level

Page 11 – Tree

Tree – contains one or more domains that are in a common relationship and have the following characteristics:
- Domains are represented in a contiguous namespace
- Two-way trust relationships exist between parent domains and child domains
- All domains in a single tree use the same schema
- All domains use the same global catalog

The domains in a tree typically have a hierarchical structure, such as a root domain at the top and other domains under the root.

The domains within a tree are in what is called a Kerberos transitive trust relationship. This consists of two-way trusts between parent domains and child domains. Because of the trust relationship between parent and child domains, any one domain can have access to the resources of all the others.

Page 12 – Tree (cont.)

A Kerberos transitive trust relationship consists of two-way trusts between parent domains and child domains.

Transitive trust – if A and B have a trust and B and C have a trust, then A and C automatically have a trust.

Page 13 – Domain

Microsoft views a domain as a logical partition within an Active Directory forest: a grouping of objects that typically exists as a primary container. The basic functions of a domain are:
- To provide an Active Directory "partition" in which to house objects that have a common relationship in terms of management and security
- To establish a set of information to be replicated from one DC to another
- To expedite management of a set of objects

Domain functional levels – refer to the Windows Server operating systems on domain controllers and the domain-specific functions they support. Windows Server 2008 Active Directory recognizes three domain functional levels:
- Windows 2000 domain functional level
- Windows Server 2003 domain functional level
- Windows Server 2008 domain functional level

Page 14 – Organizational Unit

Organizational unit (OU) – a grouping of related objects within a domain
- OUs allow the grouping of objects so that they can be administered using the same group policies
- OUs can be nested within OUs

When you plan to create OUs, keep three concerns in mind:
- Microsoft recommends that you limit OUs to 10 levels or fewer
- Active Directory works more efficiently when OUs are set up horizontally instead of vertically
- The creation of OUs involves more processing resources, because each request through an OU requires CPU time
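As an added example (editor's code, not from the slides), the following script creates a small nested OU structure and then measures the nesting depth of every OU in the domain against the 10-level recommendation above. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT) and Domain Admin rights; the OU names Corp, Sales and EMEA are constructed sample values.

```powershell
# Added example: build a nested OU chain and audit OU depth domain-wide.
# Assumes the ActiveDirectory module; OU names are constructed samples.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Create Corp -> Sales -> EMEA, one level under the previous OU. Each OU is
# protected from accidental deletion, matching the default in ADUC.
$parent = $domainDn
foreach ($name in 'Corp', 'Sales', 'EMEA') {
    $dn = "OU=$name,$parent"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
    }
    $parent = $dn
}

function Get-OUDepth {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    # Split on unescaped commas only, so an OU named "Sales\, EMEA" counts once.
    $parts = $DistinguishedName -split '(?<!\\),'
    return @($parts | Where-Object { $_ -match '^OU=' }).Count
}

# Report every OU with its depth and flag those beyond the recommended limit.
$MaxRecommendedDepth = 10
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    ForEach-Object {
        $depth = Get-OUDepth -DistinguishedName $_.DistinguishedName
        [pscustomobject]@{
            OU        = $_.DistinguishedName
            Depth     = $depth
            OverLimit = ($depth -gt $MaxRecommendedDepth)
        }
    } |
    Sort-Object Depth -Descending |
    Format-Table -AutoSize
```

Depth here counts only OU components, so containers such as CN=Users do not contribute, and the three sample OUs come out at depths 1, 2 and 3.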

Page 15 – Site

Site – a TCP/IP-based concept (container) in Active Directory linked to IP subnets. A site has the following functions:
- Reflects one or more interconnected subnets
- Reflects the physical aspect of the network
- Is used for DC replication
- Is used to enable a client to access the DC that is physically closest
- Is composed of two types of objects: servers and configuration objects

Sites are based on connectivity and replication functions. Reasons to define a site:
- Enable a client to access network servers using the most efficient physical route
- Set up redundant paths between DCs

Bridgehead server – a DC that is designated to exchange replication information. Only one bridgehead server is set up per site.
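The containers described on pages 8 through 15 (namespace, forest, trees, domains and their functional levels, trusts, sites and bridgehead servers) can all be read back from a live forest. The script below is an added example (editor's code, not from the slides) that inventories them with the .NET System.DirectoryServices.ActiveDirectory classes available on Windows Server 2008, so it does not need the ActiveDirectory module; it assumes it runs as a domain user on a domain-joined host. The two helper functions Test-ContiguousNamespace and Get-NamespaceClass are the editor's own and apply the slide's definition: a domain's namespace is contiguous with the root when its DNS name ends with the root's name.

```powershell
# Added example: forest inventory with the .NET ActiveDirectory classes.
# Assumes a domain-joined host and a domain user context.

function Test-ContiguousNamespace {
    param([string]$ChildDnsName, [string]$ParentDnsName)
    # Contiguous: child carries the parent's name, e.g. sales.example.com under
    # example.com. Anything else is a disjointed namespace (a separate tree).
    return $ChildDnsName.ToLower().EndsWith('.' + $ParentDnsName.ToLower())
}

function Get-NamespaceClass {
    param([string]$DomainDnsName, [string]$RootDnsName)
    if ($DomainDnsName -eq $RootDnsName) { return 'forest root' }
    if (Test-ContiguousNamespace -ChildDnsName $DomainDnsName -ParentDnsName $RootDnsName) { return 'contiguous with root' }
    return 'disjointed (separate tree)'
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

"Forest: $($forest.Name)   Root domain: $($forest.RootDomain.Name)   Forest functional level: $($forest.ForestMode)"
"Global catalog servers: $(($forest.GlobalCatalogs | ForEach-Object { $_.Name }) -join ', ')"

"`nDomains (tree membership, functional level, namespace):"
foreach ($d in $forest.Domains) {
    $parentName = if ($d.Parent) { $d.Parent.Name } else { '(tree root)' }
    $ns = Get-NamespaceClass -DomainDnsName $d.Name -RootDnsName $forest.RootDomain.Name
    "  $($d.Name)   parent=$parentName   level=$($d.DomainMode)   PDC=$($d.PdcRoleOwner.Name)   namespace=$ns"
}

"`nTrusts (parent/child trusts inside a tree are two-way and transitive):"
foreach ($t in $forest.GetAllTrustRelationships()) {
    "  [forest] $($t.SourceName) -> $($t.TargetName)   direction=$($t.TrustDirection)   type=$($t.TrustType)"
}
foreach ($d in $forest.Domains) {
    foreach ($t in $d.GetAllTrustRelationships()) {
        "  [domain] $($t.SourceName) -> $($t.TargetName)   direction=$($t.TrustDirection)   type=$($t.TrustType)"
    }
}

"`nSites (subnets map clients to the nearest DC; bridgeheads carry inter-site replication):"
foreach ($s in $forest.Sites) {
    $subnets = ($s.Subnets | ForEach-Object { $_.Name }) -join ', '
    $bridge  = ($s.BridgeheadServers | ForEach-Object { $_.Name }) -join ', '
    "  $($s.Name)   subnets=[$subnets]   DCs=$($s.Servers.Count)   bridgeheads=[$bridge]"
}
```

Reading the output next to the slides: every domain whose namespace is reported as disjointed is the root of its own tree, and each domain's parent/child entries in the trust list are the Kerberos transitive trusts from page 11.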

Page 16 – What is that thing called?

Quick Check of Terms…
1) Active Directory is a(n) ___________________ that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information.
2) The Active Directory __________________ defines the objects and the information pertaining to those objects that can be stored in Active Directory.
3) The _______________ stores information about every object within a forest.
4) A(n) _______________ is a logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution.

Page 17 – User Account Management

Default accounts: Administrator and Guest

Accounts can be set up in two general environments:
- Accounts that are set up through a stand-alone server that does not have Active Directory installed – no AD, so use Local Users and Groups
- Accounts that are set up in a domain when Active Directory is installed

On a stand-alone or member server, you create local security groups to help manage user accounts.

To create user accounts in Active Directory, use Active Directory Users and Computers.
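The two environments above map to two different tools. The script below is an added example (editor's code, not from the slides) that creates the same test account either way: in the domain with the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), or on a stand-alone or member server with net.exe, which is present on Windows Server 2008. The account Fred Flintstone / FFlintstone is the page's own test user; the password is prompted for rather than written into the script, and the domain branch reads the account's password flags back after creation instead of assuming them.

```powershell
# Added example: create a test user in the domain (ActiveDirectory module) or
# locally (net user) and verify the result. Assumes the module is installed on
# domain-joined hosts; 'Fred Flintstone' / 'FFlintstone' are the page's sample values.

# Prompt for the initial password; it never appears in the script or history.
$initialPassword = Read-Host -Prompt 'Initial password for the new account' -AsSecureString

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain

    # Created in the default Users container, enabled, and forced to change the
    # password at first logon so the initial value is short-lived.
    New-ADUser -Name 'Fred Flintstone' -GivenName 'Fred' -Surname 'Flintstone' `
        -SamAccountName 'FFlintstone' `
        -UserPrincipalName "FFlintstone@$($domain.DNSRoot)" `
        -Path $domain.UsersContainer `
        -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    # Read back the settings that matter for security rather than trusting the
    # parameters: PasswordNotRequired and PasswordNeverExpires should be False.
    Get-ADUser -Identity 'FFlintstone' -Properties PasswordNotRequired, PasswordNeverExpires, PasswordExpired |
        Select-Object SamAccountName, Enabled, PasswordNotRequired, PasswordNeverExpires, PasswordExpired, DistinguishedName
}
else {
    # Stand-alone or member server without the module: the Local Users and
    # Groups equivalent. '*' makes net user prompt for the password, and
    # /logonpasswordchg:yes forces a change at first logon.
    net user FFlintstone * /add /fullname:"Fred Flintstone" /logonpasswordchg:yes
    net user FFlintstone
}
```

The read-back at the end is the check a practitioner wants after any account creation: an account created with a password-not-required flag or a never-expiring password bypasses the domain password policy, and the only way to know is to query the object.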

Page 18 – New Object – User

User account properties – tabs

Resetting a password is not here…

Page 19 – Security Group Management

The best way to manage accounts is by grouping accounts with similar characteristics.

Scope of influence (or scope) – the reach of a group for gaining access to resources in Active Directory

Types of groups: Local, Domain Local, Global, and Universal

All of these groups can be used as security or distribution groups:
- Security groups – used to enable access to resources on a stand-alone server or in Active Directory
- Distribution groups – used for e-mail or telephone lists, to provide quick, mass distribution of information

Page 20 – Implementing Local Groups

Local security group – used to manage resources on a stand-alone computer that is not part of a domain, and on member servers in a domain
- Instead of installing Active Directory, you can divide accounts into local groups
- Each group would be given different security access based on the resources at the server

Page 21 – Implementing Domain Local Groups

Domain local security group – used when Active Directory is deployed
- Typically used to manage resources in a domain and to give global groups from the same and other domains access to those resources
- The scope of a domain local group is the domain in which the group exists
- The typical purpose of a domain local group is to provide access to resources
- You grant access to servers, folders, shared folders, and printers to a domain local group

Page 22 – Implementing Domain Local Groups

Page 23 – Implementing Global Groups

Global security group – intended to contain user accounts from a single domain; can also be set up as a member of a domain local group in the same or another domain
- A global group can contain user accounts and other global groups from the domain in which it was created
- A global group can be converted to a universal group as long as it is not nested in another global group or in a universal group
- A typical use for a global group is to contain accounts that need access to resources in the same or in another domain, and then to make the global group in one domain a member of a domain local group in the same or another domain. This model enables you to manage user accounts and their access to resources through one or more global groups.

Page 24 – Implementing Global Groups

Nested global groups – reflect the OU structure and enable security settings for each level

Page 25 – Implementing Global Groups (cont.)

Domain local and global groups

Page 26 – Implementing Universal Groups

Universal security groups – provide a means to span domains and trees
- Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain
- Universal groups provide an easy way to access resources in a tree, or among trees in a forest

Simplify how you plan to use groups:
- Use global groups to hold accounts as members
- Use domain local groups to provide access to resources in a specific domain
- Use universal groups to provide extensive access to resources
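The planning rule above (accounts in global groups, global groups in domain local groups, permissions on the domain local group) and the global-group model on page 23 are both shown end to end in the following added example (editor's code, not from the slides). It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), Domain Admin rights, and icacls.exe on the file server. Bedrock is the page's security group and FFlintstone its test user; the domain local group Bedrock-Share-Modify, the OU=Groups container and the folder D:\Shares\Bedrock are constructed sample values assumed to exist. The last function applies the global-to-universal conversion rule from page 23 by checking the group's parents before changing its scope.

```powershell
# Added example: the A -> G -> DL -> P pattern with a verification step, plus a
# guarded scope conversion. Assumes the ActiveDirectory module and icacls;
# Bedrock-Share-Modify, OU=Groups and D:\Shares\Bedrock are constructed samples.
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$groupOu = "OU=Groups,$($domain.DistinguishedName)"   # assumed to exist
$folder  = 'D:\Shares\Bedrock'                          # assumed to exist on this server

# A -> G : user accounts go into a global group (single-domain membership).
New-ADGroup -Name 'Bedrock' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'Bedrock' -Members 'FFlintstone'

# G -> DL : the global group becomes a member of a domain local group that
# stands for one resource at one access level.
New-ADGroup -Name 'Bedrock-Share-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'Bedrock-Share-Modify' -Members 'Bedrock'

# DL -> P : only the domain local group is placed on the resource's ACL.
# (OI)(CI) inherit to files and sub-folders; M grants Modify.
icacls $folder /grant "$($domain.NetBIOSName)\Bedrock-Share-Modify:(OI)(CI)M"

# Verification: which user accounts end up with Modify on the folder?
function Get-EffectiveMembers {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}
Get-EffectiveMembers -GroupName 'Bedrock-Share-Modify'

# Later scope change: Active Directory rejects converting a global group to
# universal while it is still a member of another global group, so report the
# blocking parents instead of letting Set-ADGroup fail.
function Convert-GlobalGroupToUniversal {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Properties MemberOf
    if ($group.GroupScope -ne 'Global') { throw "$GroupName is not a global group" }
    $globalParents = foreach ($dn in $group.MemberOf) {
        $parent = Get-ADGroup -Identity $dn
        if ($parent.GroupScope -eq 'Global') { $parent.Name }
    }
    if ($globalParents) {
        throw "Remove $GroupName from these global groups first: $($globalParents -join ', ')"
    }
    Set-ADGroup -Identity $GroupName -GroupScope Universal
}
```

Keeping user accounts off the folder ACL, and off the domain local group directly, is what makes access reviews tractable: the recursive membership query above is the complete answer to "who can modify this share".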

Page 27 – Implementing Universal Groups

Universal and global groups

Page 28 – Implementing User Profiles

A local user profile is automatically created at the local computer when you log on with an account for the first time. The profile can be modified to consist of desktop settings that are customized for one or more clients who log on locally.

Advantages of user profiles:
- Multiple users can use the same computer and maintain their own customized settings
- Profiles can be stored on a network server so that a user can log on from any computer (roaming profile)
- Profiles can be made mandatory, so users have the same settings each time they log on (mandatory profile)

One way to set up a profile is to first set up a generic account on the server with the desired desktop configuration. Next, copy the Ntuser.dat file to the \Users\Default folder in Windows Server 2008.

To create a roaming profile, set up a generic account and customize the desktop. Then set up users to access the profile by opening the Profile tab in each user's account properties and entering the path to that profile.
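Entering the profile path on the Profile tab one account at a time does not scale, so the following added example (editor's code, not from the slides) sets it for every user in an OU. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the share \\FS1\Profiles$ and the OU=Staff container are constructed sample values, and the share is assumed to exist with permissions that let each user create their own profile folder at first logon. The function supports -WhatIf so the change can be rehearsed, and it refuses to overwrite an account that already points somewhere else.

```powershell
# Added example: assign roaming profile paths for all users in an OU.
# Assumes the ActiveDirectory module; \\FS1\Profiles$ and OU=Staff are
# constructed sample values.
Import-Module ActiveDirectory

function Set-RoamingProfilePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$ProfileRoot
    )

    # Fail early if the share is not reachable from here; a path that does not
    # resolve leaves users with temporary profiles at logon.
    if (-not (Test-Path -LiteralPath $ProfileRoot)) {
        throw "Profile share $ProfileRoot is not reachable from this host"
    }

    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProfilePath) {
        # Store a literal per-user path rather than relying on a %username%
        # token, so what is written is exactly what the Profile tab will show.
        $target = Join-Path -Path $ProfileRoot -ChildPath $user.SamAccountName

        if ($user.ProfilePath -and $user.ProfilePath -ne $target) {
            Write-Warning "$($user.SamAccountName) already uses $($user.ProfilePath); skipping"
            continue
        }
        # -WhatIf / -Confirm given to this function flow through to Set-ADUser.
        Set-ADUser -Identity $user -ProfilePath $target
    }
}

$staffOu = "OU=Staff,$((Get-ADDomain).DistinguishedName)"

# Rehearse, then apply.
Set-RoamingProfilePath -SearchBase $staffOu -ProfileRoot '\\FS1\Profiles$' -WhatIf
Set-RoamingProfilePath -SearchBase $staffOu -ProfileRoot '\\FS1\Profiles$'

# Read back what the Profile tab will now display for each account.
Get-ADUser -Filter * -SearchBase $staffOu -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```

The skip-and-warn branch is deliberate: an account whose profile path already points elsewhere may be a mandatory profile or a deliberate exception, and silently redirecting it would change the user's desktop at next logon.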

Page 29 – New Features in Windows Server 2008

Five new features deserve particular mention:
- Restart capability
- Read-Only Domain Controller (RODC)
- Auditing improvements
- Multiple password and account lockout policies in a single domain
- Active Directory Lightweight Directory Services role

Page 30 – Restart

There is no need to shut down the server: the Active Directory service can be stopped and then restarted on its own.

Page 31 – Assignments for UNIT 4

- Read Chapter 4 – covers a lot of material!
- Post to the Discussion Board
- Complete the Unit 4 Project – download the assignment .pdf file

1. Install Active Directory on your Windows Server 2008 by initiating the dcpromo process. (Take a screenshot of Active Directory Users and Computers.)
2. View SYSVOL and its subdirectories. (Take a screenshot.)
3. Create a test user in the Users container. Name the user Fred Flintstone (username FFlintstone). Create a security group called Bedrock. Add Fred as a member to the Bedrock group. (Take a screenshot.)
4. Explain LDAP (Lightweight Directory Access Protocol) and how it works in relation to Active Directory in a 200-word summary.
5. Explain Kerberos and its purpose in Active Directory in a 200-word summary.
6. No spelling or grammar errors
7. Title and reference page