Transcript template draft v3 06.04.2005

Active Directory Fundamentals
Dan Lewis - MCT
Welcome to this TechNet Event
We would like to bring your attention to the key elements of the TechNet programme, the central information and community resource for IT professionals in the UK:
FREE fortnightly technical newsletter: “The TechNet Flash”
FREE regular technical events hosted across the UK
FREE weekly UK & US led technical webcasts
FREE comprehensive technical web site
FREE quarterly technical magazine
Monthly CD / DVD subscription with the latest technical tools & resources and full-version evaluation and beta software. New Low Price from 1st Oct 05
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break
Prerequisites
Understanding of day-to-day administration tasks
Understanding of administration challenges in a network environment
Session Outline
Introduction to Active Directory
Group Policy
Advanced Active Directory Tasks
Microsoft Resources and Training Options
Introduction to Active Directory
Overview
Active Directory Basics
Creating the Organization
Lesson: Active Directory Basics
What are Directory Services?
Benefits of Active Directory
The Logical Structure of Active Directory
What are Directory Services?
Active Directory: a focal point for
• Manageability
• Security
• Interoperability
Windows Users
• Account info
• Privileges
• Profiles
• Policy
Other Directories
• White pages
• E-Commerce
Other NOS
• User registry
• Security
• Policy
E-Mail Servers
• Mailbox info
• Address book
Windows Clients
• Mgmt profile
• Network info
• Policy
Windows Servers
• Mgmt profile
• Network info
• Services
• Printers
• File shares
• Policy
Network Devices
• Configuration
• QoS policy
• Security policy
Applications
• Server config
• Single Sign-On
• App-specific directory info
• Policy
Internet Firewall Services
• Configuration
• Security policy
• VPN policy
Provides a focal point for management, security, and interoperability
Benefits of Active Directory
Simplified Administration
Flexible Administration
Scalability
Reduced TCO
(Figure: an example domain with Sales, Paris and Repair organizational units containing User1, Computer1, User2 and Printer1)
The Logical Structure of Active Directory
Forest
Domain Tree
Domain
Organizational Unit (OU)
Objects
(Figure: a forest made up of domain trees; each domain contains organizational units, which in turn contain objects and nested organizational units)
Lesson: Creating the Organization
Microsoft Management Console
Organizational Units
Organizational Unit Hierarchical Models
User Accounts
Groups Printers
Demonstration: Creating Active Directory Objects
Microsoft Management Console
MMC hosts tools, called snap-ins, that perform administrative functions
Organizational Units
Organizes objects in a domain
Allows you to delegate administrative control
Simplifies the management of commonly grouped resources
Organizational Unit Hierarchical Models
Function-based: S – Sales, C – Consultants, M – Marketing
Organization-based: M – Manufacturing, E – Engineering, R – Research
Location-based: N – Norway, F – France, I – Indonesia
Examples of Hybrid-based: Function → Organization; Location → Function; Organization → Location
User Accounts
Local user accounts (stored on the local computer)
Domain user accounts (stored in Active Directory)
(Figure: a Windows Server 2003 domain)
Groups
Groups simplify administration by enabling you to assign permissions for resources
Groups are characterized by scope and type
– The group scope determines whether the group spans multiple domains or is limited to a single domain
– The three group scopes are global, domain local, and universal
Group types:
– Security: used to assign user rights and permissions; can also be used as an e-mail distribution list
– Distribution: can be used only with e-mail applications; cannot be used to assign permissions
Printers
Local printers: print devices attached to the print server by LPT, USB or IR
Network printers: print devices reached by the print server over TCP/IP, IPX or AppleTalk
(Figure: a print server with a locally attached print device and network print devices)
Demonstration: Creating Active Directory Objects
How to create:
Organizational Units
User Accounts
Groups
Printers
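The demonstration above is done in the Active Directory Users and Computers snap-in. As an added example that is not part of the TechNet deck, the script below does the same work with the ActiveDirectory PowerShell module: it builds a Location → Function hybrid OU hierarchy (the Norway/France and Sales/Marketing/Consultants names are the slide's own), creates groups of each scope and type described on the Groups slide, and creates domain user accounts. The domain name, the group names and the user names User1 and User2 are placeholders; the script assumes it runs with domain-admin rights on a host that has RSAT installed.

```powershell
# Added example (not from the deck): build an OU hierarchy, groups and domain user accounts.
# Assumptions: ActiveDirectory module present; the caller can create objects in the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=contoso,DC=com (whatever the domain is)

# Location-based first level, function-based second level: the "Location -> Function" hybrid.
$layout = @{
    'Norway' = @('Sales', 'Marketing')
    'France' = @('Sales', 'Consultants')
}
foreach ($location in $layout.Keys) {
    $locDN = "OU=$location,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$location)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $location -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($function in $layout[$location]) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$function)" -SearchBase $locDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $function -Path $locDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Groups: scope (Global / DomainLocal / Universal) and type (Security / Distribution).
# The global security group holds the people, the domain local security group is what receives
# the permission on a resource, and the distribution group is e-mail only (it cannot carry permissions).
$salesOU = "OU=Sales,OU=Norway,$domainDN"
New-ADGroup -Name 'G-Norway-Sales'       -GroupScope Global      -GroupCategory Security     -Path $salesOU
New-ADGroup -Name 'DL-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security     -Path $salesOU
New-ADGroup -Name 'Sales-Announcements'  -GroupScope Global      -GroupCategory Distribution -Path $salesOU
Add-ADGroupMember -Identity 'DL-SalesShare-Modify' -Members 'G-Norway-Sales'

# Domain user accounts (stored in Active Directory, unlike local accounts).
# The initial password is read interactively so it is never embedded in the script.
$initialPassword = Read-Host -AsSecureString 'Initial password for new users'
foreach ($name in 'User1', 'User2') {
    New-ADUser -Name $name -SamAccountName $name -Path $salesOU `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity 'G-Norway-Sales' -Members $name
}

# Check: list the hierarchy and the effective membership of the resource group.
Get-ADOrganizationalUnit -SearchBase "OU=Norway,$domainDN" -Filter * |
    Select-Object -ExpandProperty DistinguishedName
Get-ADGroupMember -Identity 'DL-SalesShare-Modify' -Recursive | Select-Object SamAccountName
```

The nesting (users in a global group, the global group in a domain local group that holds the permission) is the pattern the Groups slide describes; it keeps resource ACLs stable when people move between roles, and the final query shows who effectively holds the permission.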
Summary
Active Directory Basics
Creating the Organization
Group Policy
Overview
Introduction to Group Policy
Using Group Policy for Organizational Control
Demonstration: Controlling the User Environment
Lesson: Introduction to Group Policy
Purpose of Group Policy
Group Policy Processing
Demonstration: GPMC Administration
Purpose of Group Policy
Apply Group Policy once; Windows Server enforces it continually
(Figure: a domain with OU1, OU2 and OU3 receiving policies 1, 2 and 3)
Computer Configuration and User Configuration
Security Settings
Consistent Configurations
Automatic Configurations
Centralized Management
Group Policy Processing
Site: GPO1
Domain: GPO2, GPO3
OU: GPO4
(Figure: GPOs linked at the site, domain and organizational unit levels, processed in that order)
Group Policy Management Console
What is the GPMC?
– New administrative tool for managing Group Policy
– Set of scriptable interfaces for managing Group Policy
– MMC Snap-in, built on these interfaces
– Web release of stand-alone version concurrent with launch of Windows® Server 2003
– Requires users to have a licensed copy of Windows Server 2003 in their organization
GPMC Design Goals
– Unify management of Group Policy, including both Windows 2000 and Windows Server 2003 domains
– Address key deployment issues
– Provide better UI for visualization
– Enable programmatic access to Group Policy
Demonstration: GPMC Administration
Create a GPO
Modify GPO policy settings
Edit GPO properties
Link a GPO
Delegate control of a GPO
Backup and restore of a GPO
Save a report of settings
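The GPMC demonstration steps above are carried out in the console. As an added example that is not part of the deck, the script below performs the same steps through the GroupPolicy PowerShell module, the scripted route the "scriptable interfaces" bullet refers to. The GPO name, the target OU distinguished name, the delegated group G-Norway-SalesAdmins and the backup folder C:\GPOBackups are placeholders; the script assumes the ActiveDirectory and GroupPolicy modules are installed and the caller may create and link GPOs.

```powershell
# Added example (not from the deck): create, configure, link, delegate, back up and report a GPO.
# Assumptions: GroupPolicy and ActiveDirectory modules present; names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$targetOU  = "OU=Sales,OU=Norway,$((Get-ADDomain).DistinguishedName)"
$backupDir = 'C:\GPOBackups'

# Create a GPO
$gpo = New-GPO -Name 'Sales-Desktop-Lockdown' -Comment 'User environment settings for the Sales OU'

# Modify GPO policy settings: a password-protected screen saver after 15 minutes (User Configuration).
# These are the registry values behind the corresponding Administrative Template policies.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $desktopKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900'

# Edit GPO properties: the GPO carries only user settings, so disable the computer half
# (a best practice from a later slide; it also saves processing time on clients).
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Link the GPO to exactly one location, enabled but not enforced
New-GPLink -Name $gpo.DisplayName -Target $targetOU -LinkEnabled Yes -Enforced No

# Delegate control of the GPO: the Sales admins may edit it but not change its security or links
Set-GPPermission -Name $gpo.DisplayName -TargetName 'G-Norway-SalesAdmins' -TargetType Group -PermissionLevel GpoEdit

# Back up the GPO (restore later with Restore-GPO -Name ... -Path $backupDir)
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name $gpo.DisplayName -Path $backupDir -Comment 'Baseline after creation'

# Save a report of the settings for documentation and change review
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path (Join-Path $backupDir "$($gpo.DisplayName).html")
```

Keeping the backup and the HTML report together gives an auditable record of what the GPO contained when it was linked, which is what the "create documentation and regular backups" best practice asks for.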
Lesson: Using Group Policy for Organizational Control
Using Group Policy to Control Security
Security Templates
OU Design for Security
Demonstration: Applying a Security Template
Using Group Policy to Control the User Environment
GPO Settings to Control the User Environment
Software Restriction Policies
ADM Templates
Deploying Software
Assigning and Deploying Software
Best Practices
Controlling the User Environment
Using Group Policy to Control Security
Create an OU structure
Determine Multiple Operating System Requirements
Use Security Templates Based on Role
Use Group Policy to apply templates
Security Templates
– Pre-Defined Security Templates: provide variant security for workstations and domain controllers. These are not role-based.
– Server 2003 Security Guide Templates: server role-based templates for various security environments.
– Windows XP Security Guide Templates: client role-based templates for various security environments.
– Industry Standard Templates: templates created by third parties or organizations for security standardization.
– Custom Templates: custom templates that are created when existing templates do not meet organizational needs.
OU Design for Security
Identify the security template that most closely matches the configuration required by client computers or servers
Create a new Group Policy object for each security template you will be using
In the new Group Policy object, import the security template
If necessary, modify the Group Policy object to add any additional security settings
Link the new Group Policy object to the appropriate OU
Move computer objects for client computers and servers to the appropriate OU
Demonstration: Applying a Security Template
Create a new GPO
Import a security template
Using Group Policy to Control the User Environment
Use Group Policy to:
Manage users and computers
Deploy software
Enforce security settings
Enforce a consistent desktop environment
GPO Settings to Control the User Environment
Group Policy settings for users:
– Desktop settings
– Software settings
– Windows settings
– Security settings
Group Policy settings for computers:
– Desktop settings
– Software settings
– Windows settings
– Security settings
Software Restriction Policies
Group Policy can restrict software installation and execution
Can restrict by:
– Hash rule
– Path rule
– Certificate rule
– Zone rule
Administrative Templates
Default templates
Office templates
Custom templates
– Text files that end with an .adm extension
– Update the user or computer portion of the registry
Adding ADM templates into a GPO
Overview of the Software Deployment Process
1. Create a software distribution point (shared folder)
2. Use a GPO to deploy software (publish or assign)
3. Change the software deployment properties
Assigning Software vs. Publishing Software
User configuration
– Assign: the application is installed the next time the user activates the application
– Publish: the application is installed when the user selects it from Add/Remove Programs in Control Panel, or when the user double-clicks an unknown file type (document activation)
Computer configuration
– Assign: the application is installed the next time the computer starts
Group Policy Best Practices
Create as few GPOs as possible
Large numbers of GPOs make troubleshooting difficult
Disable unused portions of GPOs
Limit use of enforcement
Limit use of block inheritance
Create documentation and regular backups
Link a GPO to only one location
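Two of the best practices above, limiting enforcement and limiting block inheritance, exist because those two switches change the processing order shown on the Group Policy Processing slide and make results hard to predict. As an added example that is not part of the deck, the function below models that order without touching a domain: links are applied site, then domain, then OU (parent to child), later settings win, a container with Block Inheritance discards every non-enforced link above it, and enforced links are applied last with the highest container's enforced link winning overall. The GPO and container names match the slide; the input structure is a hand-built description, not data read from Active Directory.

```powershell
# Added example (not from the deck): model Group Policy application order so the effect of
# Enforced and Block Inheritance can be reasoned about before changing a live domain.
# Assumption: containers are supplied in order from the site down to the object's own OU.
function Resolve-GpoApplicationOrder {
    param(
        # Each container: Name, BlockInheritance, and Links (objects with Gpo, Order, Enforced).
        [Parameter(Mandatory)] [object[]] $Containers
    )
    # The lowest container that blocks inheritance cuts off all non-enforced links above it.
    $blockIndex = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $blockIndex = $i }
    }

    $applied = New-Object System.Collections.Generic.List[string]

    # Pass 1: non-enforced links, top down. Within one container link order 1 has the highest
    # precedence, so it is applied last; hence the descending sort.
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($i -lt $blockIndex) { continue }     # blocked by a lower container
        $links = $Containers[$i].Links | Where-Object { -not $_.Enforced } | Sort-Object Order -Descending
        foreach ($l in $links) { $applied.Add("$($l.Gpo) [$($Containers[$i].Name)]") }
    }

    # Pass 2: enforced links, bottom up. They ignore Block Inheritance, and the top-most
    # enforced link is applied last, so it wins any conflicting setting.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $links = $Containers[$i].Links | Where-Object { $_.Enforced } | Sort-Object Order -Descending
        foreach ($l in $links) { $applied.Add("$($l.Gpo) [$($Containers[$i].Name)] (enforced)") }
    }

    return $applied     # first entry is applied first; the last entry wins conflicts
}

# Constructed input matching the Group Policy Processing slide: GPO1 at the site, GPO2 and GPO3
# at the domain, GPO4 at the OU. Toggle the two flags to see why troubleshooting gets harder.
$site   = [pscustomobject]@{ Name = 'Site';   BlockInheritance = $false; Links = @(
              [pscustomobject]@{ Gpo = 'GPO1'; Order = 1; Enforced = $false }) }
$domain = [pscustomobject]@{ Name = 'Domain'; BlockInheritance = $false; Links = @(
              [pscustomobject]@{ Gpo = 'GPO2'; Order = 1; Enforced = $true },
              [pscustomobject]@{ Gpo = 'GPO3'; Order = 2; Enforced = $false }) }
$ou     = [pscustomobject]@{ Name = 'OU';     BlockInheritance = $true;  Links = @(
              [pscustomobject]@{ Gpo = 'GPO4'; Order = 1; Enforced = $false }) }

Resolve-GpoApplicationOrder -Containers @($site, $domain, $ou)
```

With both flags cleared, the order is GPO1, GPO3, GPO2, GPO4 and the OU's own GPO wins. With the OU blocking inheritance and GPO2 enforced, GPO1 and GPO3 drop out entirely while GPO2 is applied after GPO4 and overrides it, which is exactly the situation an administrator looking only at the OU's links will fail to explain.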
Demonstration: Controlling the User Environment
Securing Clients and Servers Using Administrative Templates
Deploying Software
Controlling the User Environment
Testing the User Environment
Summary
Introduction to Group Policy
Using Group Policy for Organizational Control
Advanced Active Directory Tasks
Overview
Delegation and Custom MMCs
File Server Management
Additional Management Techniques
Lesson: Delegation and Custom MMCs
Delegating Control
Demonstration: Delegating Control
MMC Taskpads
Demonstration: How to Create a Custom MMC
Delegation of Control
(Figure: Admin1, Admin2 and Admin3 granted permissions on OU1, OU2 and OU3 within the domain)
Grant permissions to:
– Delegate control to other administrators for specific organizational units
– Modify specific attributes of an object in a single organizational unit
– Perform the same task in all organizational units
Demonstration: Delegating Control
How to delegate control of an OU for specific tasks
MMC Taskpads
Creates a custom view of an MMC snap-in
Allows specific tasks to be set in the taskpad
Customizes view of MMC
– Removes confusing toolbars
– Removes menu options
– Removes configuration options
Useful for novice administrators
Demonstration: How to Create a Custom MMC
Lesson: File Server Management
Encrypting File System
Disk Quotas
Volume Shadow Copies
Demonstration: How to Restore a Previous Version
Distributed File System
Distributed File System Capabilities
Encrypting File System
EFS encryption makes data unintelligible without a decryption key
EFS encrypts data
– Users encrypt a file or folder by setting the encryption property
– All files and subfolders created in or added to an encrypted folder are automatically encrypted
Use EFS to access encrypted data
– When accessing an encrypted file, users can read the file normally
– When users close the file, EFS encrypts it again
Use EFS to decrypt data
– The file remains decrypted until it is encrypted again
Use the cipher command to display or alter encryption of folders and files on NTFS volumes
Disk Quotas
Track and control users’ disk space on NTFS volumes
Prevent users from taking any additional disk space above their quota limit
Log events when users near and exceed quota limits
Can be enabled on local volumes, network volumes, and removable drives if they are formatted with NTFS
Can be enabled on local computers and remote computers
Users cannot use file compression to avoid exceeding their limits
Volume Shadow Copies
Views the read-only contents of network folders as they existed at various points in time
Use shadow copies to:
– Recover files that were accidentally deleted
– Recover files that were accidentally overwritten
– Allow version checking while working on documents
Is enabled on a per-volume basis, not on specific shares
Is not a replacement for regular backups
When storage limits are reached, the oldest shadow copy is deleted and cannot be retrieved
Demonstration: How to Restore a Previous Version
How to set up volume shadow copy
How to use the previous versions client
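The demonstration sets up shadow copies through the volume's Shadow Copies tab. As an added example that is not part of the deck, the commands below do the same from the command line with the vssadmin and schtasks tools: assign shadow storage with a size cap, take a first copy, schedule copies at two points in the day, and list what exists. The volumes D: and E: and the schedule times are placeholders; the commands assume a server edition of Windows and administrative rights.

```powershell
# Added example (not from the deck): configure and inspect Volume Shadow Copies for a volume.
# Assumptions: D: holds the shared folders; E: is a separate volume used for shadow storage.
$volume  = 'D:'
$storage = 'E:'

# Allot shadow storage. The cap is what triggers deletion of the oldest copy when it fills up,
# so size it for the change rate of the volume. Keeping it on another volume avoids I/O contention.
vssadmin add shadowstorage /for=$volume /on=$storage /maxsize=10GB

# Take the first shadow copy now.
vssadmin create shadow /for=$volume

# Schedule copies at two points in the day (what the GUI schedule does).
schtasks /create /tn 'ShadowCopy-D-Morning' /tr "vssadmin create shadow /for=$volume" /sc daily /st 07:00 /ru SYSTEM
schtasks /create /tn 'ShadowCopy-D-Midday'  /tr "vssadmin create shadow /for=$volume" /sc daily /st 12:00 /ru SYSTEM

# Check: what copies exist and how much of the storage cap is in use.
vssadmin list shadows /for=$volume
vssadmin list shadowstorage
```

Because the oldest copy is discarded silently once the cap is reached, the storage listing is worth reviewing periodically; a volume whose shadow storage is permanently full offers a much shorter recovery window than the schedule suggests, which is one reason the slide stresses that shadow copies do not replace backups.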
Distributed File System
Logically group shared folders into a single hierarchy
– Shared folders reside on different servers
– Single shared folder contains all network resources
Distributed File System Capabilities
Unified namespace
Name transparency
Flexible storage management
Load sharing
Fault tolerance
Security integration
Client caching of DFS namespace
Compatibility with Windows NT, Windows 95, and Windows 98
Windows Server Update Services
WSUS downloads all critical updates and security patches to servers and clients as soon as they are posted to the Windows Update Web site
(Figure: a server running WSUS retrieves updates from the Microsoft Update Web site over the Internet; test clients and a test server on the LAN receive them through Automatic Updates)
Demonstration: How to Install and Configure
Windows Server Update Services
How to configure WSUS
How to configure Automatic Updates with Group Policy
Summary
Delegation and Custom MMCs
File Server Management
Microsoft Resources and Training Options
Overview
Windows Server 2003 Versions
Windows NT 4.0 Migration Strategies
Novell Migration Strategies
Microsoft Learning Courses
Windows Server 2003 Family
Productive: easier for you to deploy, manage, and use
Dependable: enables you to deliver a reliable, secure, and scalable platform for applications and network services
Connected: empowers you with a complete server platform to quickly build connected solutions
Best Economies: enables you to maximize business value by leveraging the largest partner-solution ecosystem
Windows NT 4.0 Upgrade
Maximize return and minimize risk when choosing servers and roles to upgrade
– Domain Controller upgrades provide the most immediate benefits of Active Directory
– File Server upgrades give the greatest ROI
Always have a fallback plan
– Test your plan before the upgrade
Leverage your partner’s expertise in the upgrade process
– Excellent experience to draw upon
Novell Migration Strategies
Inventory NetWare servers and their respective roles
Determine migration methodology
– Gradual
– Direct
Prepare and install Microsoft Directory Synchronization Service (MSDSS)
Migrate NDS/Bindery to Active Directory
Migrate file and print
Migrate files
Microsoft Official Learning Products
Course 2273, Managing and Maintaining a Microsoft Windows Server 2003 Environment (5 Day)
Course 2276, Implementing a Microsoft Windows Server 2003 Network Infrastructure: Network Hosts (2 Day)
Course 2277, Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services (5 Day)
Course 2278, Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (5 Day)
Course 2279, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (5 Day)
Course 2282, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure (5 Day)
Microsoft Certified Professional Program
MCP
MCSA
MCSE
MCAD
MCSD
MCDBA
MCT
http://www.microsoft.com/learning/
Summary
Windows Server 2003 Versions
Windows NT 4.0 Migration Strategies
Novell Migration Strategies
Microsoft Learning Courses
Evaluation
http://www.microsoft.com/uk/technet