Transcript Chapter 6

MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
Chapter 6: Introducing Active Directory
Objectives
• Describe the role of a directory service
• Install Active Directory
• Describe objects found in Active Directory
• Work with forests, trees, and domains
• Configure group policies
MCSA Guide to Installing and Configuring Windows Server 2012/R2,
Exam 70-410
© Cengage Learning 2015
The Role of a Directory Service
• A network directory service stores information
about a computer network and offers features for
retrieving and managing that information.
• Generally considered to be an administrative tool,
but users make use of directory services to find
resources
• Directory services provide a centralized
management tool, but due to complexity, requires
careful planning prior to setup
Windows Active Directory
• X.500 is the basis for its hierarchical structure
• Lightweight Directory Access Protocol (LDAP) is a simplified version of the X.500 Directory Access Protocol (DAP)
– Runs directly over TCP/IP instead of the full OSI protocol stack, which is what makes it lighter and faster; AD DS answers LDAP on TCP 389 and LDAP over TLS (LDAPS) on TCP 636
• Integrating other OSs, such as Linux and UNIX, into an Active Directory network relies on LDAP, because it is the standard protocol for querying the directory
• Windows Active Directory first shipped with Windows 2000 Server
Windows Active Directory
• Active Directory offers the following features:
– Hierarchical organization
– Centralized but distributed database
– Scalability
– Security
– Flexibility
– Policy-based administration
Overview of the Active Directory Structure
• Physical structure
– Consists of sites and servers configured as domain
controllers
• Logical structure
– Makes it possible to pattern the directory service’s
look and feel after the organization in which it runs
Active Directory’s Physical Structure
• An Active Directory site is a set of well-connected IP subnets, usually a single physical location, within which domain controllers communicate and replicate information frequently
• Each writable domain controller contains a full replica of the objects that make up the domain (a read-only domain controller holds a read-only copy) and is responsible for:
– Storing a copy of the domain data and replicating
changes to that data to all other domain controllers in the
domain
– Providing data search and retrieval functions for users
attempting to locate objects in the directory
– Providing authentication and authorization services for
users who log on to the domain and attempt to access
network resources
Active Directory’s Logical Structure
• Four organizing components of Active Directory:
– Organizational Units (OUs)
– Domains
– Trees
– Forests
• The organizational unit (OU) is an Active
Directory container used to organize a network’s
users and resources into logical administrative
units
Active Directory’s Logical Structure
• An OU contains Active Directory objects, such as:
– User accounts
– Groups
– Computer accounts
– Printers
– Shared folders
– Applications
– Servers
– Domain controllers
Active Directory’s Logical Structure
• Domain - The core structural unit of an Active Directory
– Contains OUs and represents an administrative and policy boundary (account policies, Group Policy, delegated administration)
– The domain is not an isolation boundary: every domain in a forest trusts every other, and an administrator of any domain in the forest can gain control of the whole forest, so the forest is the real security boundary and organizations that must not trust each other belong in separate forests
• Small to medium companies usually have one domain; larger companies may have several domains to separate geographical regions or administrative responsibilities
Active Directory’s Logical Structure
• A tree is a grouping of domains that share a
common naming structure
– Can consist of a parent domain and possibly one or
more child domains
• Forest - A collection of one or more Active
Directory trees that provide a common Active
Directory environment
– All domains in all trees can communicate and share
information
– Can consist of a single tree with a single domain, or it
can contain several trees, each with a hierarchy of
parent and child domains
Figure 6-4 An Active Directory forest
Installing Active Directory
• The Windows Active Directory service is commonly
referred to as Active Directory Domain Services
(AD DS)
• To install AD DS, use Server Manager
• If DNS is not already present on the network, you
must install the DNS Server Role.
• After role is installed, you must configure Active
Directory
– Click the notifications flag in Server Manager and
click “Promote this server to a DC”
Installing Active Directory
• In the Deployment Configuration window, select
from these options:
– Add a domain controller to an existing domain
– Add a new domain to an existing forest
– Add a new forest (choose this if it is the first DC in
the network)
• Next, you’re prompted for the fully qualified
domain name (FQDN) for the new forest root
– An FQDN is a domain name that includes all parts of
the name
Installing Active Directory
• In the Domain Controller Options window you will:
– Choose the forest and domain functional levels
– Select domain controller capabilities
• Domain Name System (DNS) server
• Global Catalog (GC)
• Read only domain controller (RODC)
– Enter a password for Directory Services Restore
Mode (DSRM)
• A boot mode used to perform restore operations on
Active Directory if it becomes corrupted or parts of it
are deleted accidentally
Figure 6-6 Choosing the forest and domain functional levels
Installing Active Directory
• In the DNS Options window, you:
– Choose whether to create a DNS delegation, which writes the records for the new domain into the parent DNS zone so that the domain can be located from outside it (only possible when the parent zone exists on a reachable DNS server; for a brand-new forest root there is usually no parent zone to delegate from)
• In the Path window, you:
– Specify the location of the Active Directory database,
log files, and SYSVOL folder
• Next, review your selections in the Review Options
window
• Windows then does a prerequisite check before
starting the Active Directory installation
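The same first-forest installation (slides 13 through 17), scripted with the ADDSDeployment module instead of the Server Manager wizard. This is an added example and not the textbook's own material; the forest name corp.example.local, the NetBIOS name CORP and the D: paths are assumed values, and the DSRM password is prompted for rather than written into the script.

```powershell
# Added example (not from the textbook): scripted equivalent of the "Promote this
# server to a domain controller" wizard for a new forest. Assumed values: forest
# root corp.example.local, NetBIOS name CORP, database/log/SYSVOL on volume D:.

# 1. Install the AD DS role; add the DNS Server role because no DNS exists yet.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
Import-Module ADDSDeployment

# 2. The Directory Services Restore Mode password must be a SecureString. Prompt
#    for it instead of hard-coding it: it is the local admin password of the DC
#    when booted into DSRM and must be stored as carefully as a Domain Admin password.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$params = @{
    DomainName                    = 'corp.example.local'   # FQDN of the new forest root
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012R2'            # forest functional level
    DomainMode                    = 'Win2012R2'            # domain functional level
    InstallDns                    = $true                  # DC capability: DNS server
    CreateDnsDelegation           = $false                 # no parent zone exists to delegate from
    DatabasePath                  = 'D:\NTDS'              # ntds.dit
    LogPath                       = 'D:\NTDS'              # transaction logs
    SysvolPath                    = 'D:\SYSVOL'            # GPO templates and logon scripts
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $true
    Force                         = $true                  # suppress the confirmation prompt
}

# 3. Run the same prerequisite check the wizard shows (Figure 6-8) before committing.
$check = Test-ADDSForestInstallation @params
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed with status '$($check.Status)'; fix the reported items first"
}

# 4. Promote the server. This creates the forest, its root domain and the first DC,
#    which automatically becomes the first global catalog server as well.
Install-ADDSForest @params
Restart-Computer
```

The first DC is also the holder of all five operations master roles, so the server you run this on should be the one you intend to keep longest; the roles are transferred elsewhere later only with an explicit step.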
Figure 6-8 The Prerequisites Check window
Installing Additional Domain Controllers in a Domain
• Microsoft recommends at least two DCs in every
domain
– For fault tolerance and load balancing
• Installing an additional DC in an existing domain is much like installing the first DC
– The biggest difference is that you select “Add a domain controller to an existing domain” instead of “Add a new forest” and supply credentials that are allowed to add a DC to that domain
Installing Additional Domain Controllers in a Domain
• When a new DC is added, you need to know the
answers to the following questions:
– Should you install DNS?
– Should the DC be a global catalog (GC) server?
– Should this be a read only domain controller
(RODC)?
– In which site should the DC be located?
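The four questions above map one-to-one onto parameters of Install-ADDSDomainController. The following is an added example, not from the textbook: it assumes the domain corp.example.local, an existing DC dc1.corp.example.local to replicate from, and a site named Branch01, which it creates if missing.

```powershell
# Added example (not from the textbook): adding a second, writable DC to an
# existing domain. Assumed: domain corp.example.local, existing DC dc1, site Branch01.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$cred = Get-Credential -Message 'Domain Admin credentials for corp.example.local'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for this DC'

# Q4 needs the site to exist before promotion; create it if an admin has not yet.
$site = Get-ADReplicationSite -Filter "Name -eq 'Branch01'" -Server 'dc1.corp.example.local' -Credential $cred
if (-not $site) {
    New-ADReplicationSite -Name 'Branch01' -Server 'dc1.corp.example.local' -Credential $cred
}

$params = @{
    DomainName                    = 'corp.example.local'
    Credential                    = $cred
    ReplicationSourceDC           = 'dc1.corp.example.local'
    InstallDns                    = $true       # Q1: yes, install DNS on this DC
    NoGlobalCatalog               = $false      # Q2: yes, make it a global catalog server
    ReadOnlyReplica               = $false      # Q3: writable DC, not an RODC
    SiteName                      = 'Branch01'  # Q4: the site this DC belongs to
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $true
    Force                         = $true
}

$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed: $($check.Message -join '; ')"
}

Install-ADDSDomainController @params
Restart-Computer
```

For a branch office where the server cannot be physically secured, the answer to Q3 changes to `ReadOnlyReplica = $true`; an RODC holds no writable copy of the database and, by default, caches no account passwords, which limits what an attacker gains from stealing the box.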
Installing a New Domain in an Existing Forest
• Two variations to adding a domain to an existing
forest:
– Add a child domain - you’re adding a domain that is a child of an existing domain in the forest and therefore shares that domain’s DNS name as its suffix, placing it in the same tree
– Add a new tree - you’re adding a new domain with a separate naming structure from any existing domains in the forest; it still shares the forest’s schema, configuration, and global catalog
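Both variations use Install-ADDSDomain and differ only in the DomainType and in how NewDomainName is interpreted. This is an added example, not from the textbook; the names corp.example.local (forest root), emea (new child) and subsidiary.example.net (new tree) are assumed.

```powershell
# Added example (not from the textbook): the two ways of adding a domain to an
# existing forest. Assumed names: forest root corp.example.local, new child
# emea.corp.example.local, new tree subsidiary.example.net.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred = Get-Credential -Message 'Enterprise Admin credentials for the forest root'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for the new DC'

$common = @{
    Credential                    = $cred
    ParentDomainName              = 'corp.example.local'  # forest root in both cases
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $true   # parent zone is AD-integrated, so the delegation can be written
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $true
    Force                         = $true
}

# Variation 1: child domain. NewDomainName is only the leftmost label; the FQDN
# becomes emea.corp.example.local and the domain joins the existing tree.
$child = $common + @{
    DomainType           = 'ChildDomain'
    NewDomainName        = 'emea'
    NewDomainNetbiosName = 'EMEA'
}

# Variation 2: new tree. NewDomainName is a full FQDN in its own namespace; the
# domain still joins the same forest (same schema, configuration and global catalog).
$tree = $common + @{
    DomainType           = 'TreeDomain'
    NewDomainName        = 'subsidiary.example.net'
    NewDomainNetbiosName = 'SUBSIDIARY'
}

# Pick one variation, run the prerequisite check, then promote.
$choice = $child
$check = Test-ADDSDomainInstallation @choice
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed: $($check.Message -join '; ')"
}
Install-ADDSDomain @choice
Restart-Computer
```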
Figure 6-9 Adding a new child domain in an existing forest
What’s Inside Active Directory
• Explore Active Directory using the Active Directory
Administrative Center (ADAC) or Active Directory
Users and Computers MMC
• Use ADAC to perform the following AD tasks:
– Create and manage users, group, and computer
accounts
– Manage OUs
– Connect to other domain controllers in the same or a
different domain
– Raise the domain or forest functional level and enable the AD Recycle Bin (a forest-wide feature that requires the forest functional level to be Windows Server 2008 R2 or higher)
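Enabling the AD Recycle Bin from PowerShell rather than ADAC, with the checks a practitioner wants first: it is forest-wide, it needs forest functional level Windows Server 2008 R2 or higher, and it cannot be disabled once enabled. This is an added example, not from the textbook; the deleted user name jsmith is assumed.

```powershell
# Added example (not from the textbook): enable the AD Recycle Bin safely and
# recover a deleted object afterwards. Assumed: a user named jsmith was deleted.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
}
elseif ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    # Raising the level is itself irreversible, so it is a deliberate step, not done here.
    throw "Forest functional level $($forest.ForestMode) is too low; raise it with Set-ADForestMode first"
}
else {
    # Irreversible: once enabled the feature cannot be turned off again.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# With the Recycle Bin on, a deleted object keeps its attributes (group membership,
# SID, password) for the deleted-object lifetime and can be restored intact. The
# deleted object's name becomes "<name>\0ADEL:<guid>", hence the wildcard.
Get-ADObject -Filter 'isDeleted -eq $true -and name -like "jsmith*"' -IncludeDeletedObjects |
    Restore-ADObject

# Confirm the restore: the account exists again with its original SID.
Get-ADUser -Identity jsmith | Select-Object Name, SID, Enabled
```

Without the Recycle Bin, a deleted object is a tombstone with most attributes stripped, and an authoritative restore from a DSRM backup is the only way to get its group memberships back.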
Figure 6-15 The Active Directory Users and Computers MMC
The Active Directory Schema
• An object is a grouping of information that
describes a network resource
• The schema defines the type, organization, and
structure of data stored in the AD database
• Schema classes define the types of objects that
can be stored in Active Directory
• Schema attributes define what type of information
is stored in each object
• The information stored in each attribute is called
the attribute value
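The class, attribute and value layers of the schema can be read directly from the schema partition. The following added example (not from the textbook) inspects the "user" class definition, one of its attributes, and the attribute values of a real user object; it assumes RSAT on a domain member and a user named jsmith.

```powershell
# Added example (not from the textbook): walk the three schema layers for the
# "user" class. Assumed: domain-joined host with RSAT, existing user jsmith.
Import-Module ActiveDirectory

# The schema partition is forest-wide; RootDSE tells us its DN.
$schemaNC = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...

# Layer 1: the schema class object, which lists mandatory and optional attributes
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties lDAPDisplayName, subClassOf, mustContain, mayContain, systemMustContain, systemMayContain

"Class {0} derives from {1}" -f $userClass.lDAPDisplayName, $userClass.subClassOf
"Must contain: " + ((@($userClass.systemMustContain) + @($userClass.mustContain)) -join ', ')
"May contain ({0} attributes)" -f (@($userClass.systemMayContain) + @($userClass.mayContain)).Count

# Layer 2: one schema attribute object: its syntax, whether it is single-valued,
# and whether it is replicated to the global catalog (partial attribute set)
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=sAMAccountName))' `
    -Properties attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags
$attr | Select-Object Name, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags

# Layer 3: attribute values on an actual object of that class
Get-ADUser -Identity jsmith -Properties sAMAccountName, userPrincipalName, whenCreated, memberOf |
    Select-Object sAMAccountName, userPrincipalName, whenCreated, @{n='Groups'; e={ $_.memberOf.Count }}
```

Schema changes are written through the schema master only and replicate forest-wide; because they are effectively permanent (classes and attributes can be deactivated but not deleted), extending the schema is a change-controlled operation, not routine administration.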
Figure 6-16 Schema classes, schema attributes, and Active Directory objects
Active Directory Container Objects
• A container object contains other objects
– Used to organize and manage users and resources
on the network
– Can also act as administrative and security
boundaries
• Three container objects are found in AD:
– Organizational Units
– Folder Objects
– Domain objects
Organizational Units
• An OU is a primary container object for organizing
and managing resources in a domain
• OUs can organize multiple objects into logical
administrative groups that can be configured with
specific policies relevant to that group
• Authority of an OU can be delegated
• Nesting OUs can build a hierarchical Active
Directory structure that mimics the corporate
structure for easier object management
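What "authority of an OU can be delegated" means in practice is an ACL change on the OU object. The following added example (not from the textbook) builds a small nested hierarchy and grants a helpdesk group exactly one extended right, reset password, scoped to user objects beneath one OU; it assumes the domain corp.example.local and an existing group named Helpdesk-Tier1.

```powershell
# Added example (not from the textbook): nested OUs plus least-privilege delegation.
# Assumed: domain corp.example.local, existing security group Helpdesk-Tier1.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Hierarchy that mirrors the organization; the top OU is protected from accidental deletion
New-ADOrganizationalUnit -Name 'Corp'  -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Sales' -Path "OU=Corp,$domainDN"
New-ADOrganizationalUnit -Name 'Users' -Path "OU=Sales,OU=Corp,$domainDN"
$targetOU = "OU=Users,OU=Sales,OU=Corp,$domainDN"

$helpdesk = Get-ADGroup -Identity 'Helpdesk-Tier1'
$sid = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID

# Well-known schema GUIDs: the "Reset Password" control access right and the user class
$resetPwdRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# One ACE: Allow <Helpdesk-Tier1> ExtendedRight(ResetPassword) on descendant user objects
$acl  = Get-Acl -Path "AD:\$targetOU"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Verify: the group holds only that one right, only on user objects, only under this OU
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference -like '*Helpdesk-Tier1' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited
```

The Delegation of Control Wizard in Active Directory Users and Computers writes the same kind of ACE; the value of doing it in code is that the grant is reviewable and can be re-audited with the final Get-Acl query, which is how over-broad delegations (GenericAll or WriteDacl on an OU instead of a single right) get found.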
Folder Objects
• Five are created by default:
– Builtin - houses default groups created by Windows
– Computers - default location for computer accounts
created when a new computer or server becomes a
domain member
– Foreign Security Principals - holds placeholder objects (SID references) for security principals from trusted external domains or forests that have been added as members of the local domain’s groups
– Managed Service Accounts - created specifically for
services to access domain resources
– Users - Stores two default users (Administrator and
Guest) and several default groups
Domain Objects
• Core logical structure in AD, contains OU and
folder container objects, as well as leaf objects
• Larger companies may use multiple domains to separate administration and define policy boundaries (the forest remains the actual security boundary)
• Each domain object has a default GPO linked to it, the Default Domain Policy, which can affect all objects in the domain
Active Directory Leaf Objects
• A leaf object doesn’t contain other objects and
usually represents one of the following:
– Security account
– Network resource
– GPO
• Security account objects include users, groups,
and computers
• Network resource objects include servers, domain
controllers, file shares, printers, etc.
User Accounts
• User account object contains information such as
group memberships, account restrictions, profile
path, and dial-in permissions
• Authentication confirms a user’s identity
– The account is then assigned permissions and rights
• Local user account - authorized to access
resources only on that computer
• Domain user account - provides a single logon for
users to access all resources in the domain
• Windows creates two built-in user accounts
– Administrator and Guest
Groups
• A group object represents a collection of users with
common permissions or rights
• Permissions - define which resources users can
access and what level of access they have
• Right - specifies what types of actions a user can
perform on a computer or network
• Groups are used to assign members permissions
and rights
– More efficient than assigning permissions and rights
to each user separately
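The permission-versus-right distinction and the reason for group-based assignment, as an added example that is not from the textbook. It assumes the domain corp.example.local, an OU named Groups, users jsmith, agarcia and bchen, and a folder D:\Projects on the file server where the script runs.

```powershell
# Added example (not from the textbook): assign a permission to a group, not to
# users. Assumed: domain CORP (corp.example.local), OU=Groups, users jsmith,
# agarcia, bchen, and folder D:\Projects on this file server.
Import-Module ActiveDirectory

# The group carries the permission; membership decides who gets it
New-ADGroup -Name 'Projects-Editors' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example,DC=local'
Add-ADGroupMember -Identity 'Projects-Editors' -Members jsmith, agarcia

# Permission: what the group may do to one resource (an NTFS ACE on the folder)
$acl = Get-Acl -Path 'D:\Projects'
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\Projects-Editors',               # identity
    'Modify',                              # FileSystemRights
    'ContainerInherit, ObjectInherit',     # apply to subfolders and files
    'None',                                # PropagationFlags
    'Allow')
$acl.AddAccessRule($ace)
Set-Acl -Path 'D:\Projects' -AclObject $acl

# Granting a new person access is one membership change, not a new ACE on every resource
Add-ADGroupMember -Identity 'Projects-Editors' -Members bchen

# Audit: who effectively holds the permission, including members of nested groups
Get-ADGroupMember -Identity 'Projects-Editors' -Recursive | Select-Object SamAccountName, objectClass
```

Rights (for example "Allow log on locally" or "Back up files and directories") are not stored on resources at all; they are assigned to groups through Local Security Policy or Group Policy. In both cases group membership is evaluated at logon and placed in the user's access token, so a newly added member must log off and on again before the new permission or right takes effect.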
Computer Accounts
• A computer account object represents a computer
that’s a domain controller or domain member
– Used to identify, authenticate, and manage
computers in the domain
• A computer account is created automatically when a computer joins the domain (the domain controller’s own account is created when AD DS is installed); an administrator can also pre-stage the account in the desired OU before the join
• The computer account object’s name must match the name of the computer that the account represents
Other Leaf Objects
• Other leaf objects commonly created in AD:
– Contact - a person associated with the company but
not a network user
– Printer - represents a shared printer in the domain
– Shared folder - represents a shared folder on a
computer in the network
Locating Active Directory Objects
• Active Directory objects can be searched for using
the Find Users, Contacts, and Groups dialog box
• You can search a single domain or an entire
directory (all domains)
• Not all objects are available to all users
– Depends on the object’s security settings and its
container
Working with Forests, Trees, and Domains
• Smaller organizations most likely focus on OUs
and their child objects
• Larger organizations might require an AD structure
composed of several domains, multiple trees, and
even a few forests
• The first domain controller creates more than just a
new domain, it also creates a new tree and the root
of a new forest
– May eventually become necessary to add domains
to the tree, create new trees or forests, and add sites
to the AD structure
Active Directory Replication
• Replication is the process of maintaining a consistent
database of information when the database is
distributed among several locations
• Intrasite replication - replication between domain
controllers in the same site
• Intersite replication- occurs between two or more sites
• Multimaster replication - used by AD to replicate AD objects; any writable DC can accept a change, and the change is then replicated to all the other DCs that hold that partition
• Knowledge Consistency Checker (KCC) runs on all
DCs to determine the replication topology
– Defines the domain controller path that AD changes flow
through and ensures no more than three hops exist
between any two DCs
Directory Partitions
• Directory partition - each section of an Active Directory
database
• There are five directory partition types in the AD database:
– Domain directory partition - contains all objects in a domain,
including users, groups, computers, OUs, and so forth
– Schema directory partition - contains information needed to
define AD objects and object attributes
– Global catalog partition - holds the global catalog, which is a
partial replica of all objects in the forest
– Application directory partition - used by applications and
services to hold information that benefits from
– Configuration partition - holds configuration information that can
affect the entire forest
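The partitions a DC hosts, and the replication health of each of them (the two preceding slides), can be checked from PowerShell and repadmin. This is an added example, not from the textbook; it assumes RSAT and a domain account with rights to read replication metadata, and is run on the DC being inspected.

```powershell
# Added example (not from the textbook): list this DC's directory partitions and
# check replication per partition. Assumed: run on a DC with RSAT tools present.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Every partition this DC holds. Domain, configuration and schema are always
# present; DomainDnsZones/ForestDnsZones are application partitions created by DNS.
# The global catalog is not a separate naming context here: it is the partial
# replica served on port 3268.
[pscustomobject]@{
    Domain        = $rootDse.defaultNamingContext
    Configuration = $rootDse.configurationNamingContext
    Schema        = $rootDse.schemaNamingContext
    Application   = ($rootDse.namingContexts | Where-Object { $_ -like 'DC=*DnsZones*' }) -join '; '
}

# Replication partners for every partition: who this DC pulls from, over which
# transport (intrasite RPC or intersite IP/SMTP), and when it last succeeded
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition * |
    Select-Object Partition, Partner, IntersiteTransportType, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Any outstanding failures, with the error code and first-failure time
Get-ADReplicationFailure -Target $env:COMPUTERNAME

# Ask the KCC to recompute the topology now, push a full sync (A: all partitions,
# e: across sites, P: push), then summarise the forest-wide state
repadmin /kcc
repadmin /syncall /AdeP
repadmin /replsummary
```

A DC that has not replicated for longer than the tombstone lifetime is quarantined and cannot be brought back cleanly, so the ConsecutiveReplicationFailures column is the number a monitoring system should alert on.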
Operations Master Roles
• Several operations in a forest require having a
single domain controller, called the operations
master, with sole responsibility for the function
• The first domain controller in the forest generally
takes on the role of the operations master
• If necessary, responsibility for these roles can be
transferred to another domain controller
Operations Master Roles
• Five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles:
– Schema master (one per forest)
– Domain naming master (one per forest)
– Infrastructure master (one per domain)
– RID master (one per domain)
– PDC emulator master (one per domain)
• When removing DCs from a forest, transfer any roles the DC holds to another DC first so that they are not lost when the server is demoted; seizing a role is only for a DC that is permanently gone
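Finding the role holders, refusing to retire a DC that still holds one, and transferring roles, as an added example that is not from the textbook. The DC names dc1.corp.example.local and dc2.corp.example.local are assumed, as is an account with Enterprise Admin rights.

```powershell
# Added example (not from the textbook): locate, check and transfer FSMO roles.
# Assumed: DCs dc1 (retiring) and dc2 (new holder) in corp.example.local.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on one DC in the whole forest; domain-wide roles on one DC per domain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster          # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
    PDCEmulator          = $domain.PDCEmulator           # per domain
    RIDMaster            = $domain.RIDMaster             # per domain
    InfrastructureMaster = $domain.InfrastructureMaster  # per domain
}

function Test-HoldsOperationsMaster([string]$DcFqdn) {
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    return ($holders -contains $DcFqdn)
}

$retiring = 'dc1.corp.example.local'
if (Test-HoldsOperationsMaster $retiring) {
    # Transfer is the graceful path: both DCs are online and agree on the handover.
    # Seizing (same cmdlet with -Force) is for a dead DC only; a seized-from DC must
    # never be powered on again or two DCs will each believe they own the role.
    Move-ADDirectoryServerOperationMasterRole -Identity 'dc2.corp.example.local' `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
}

# Placement caveat: in a multi-domain forest the infrastructure master must not be a
# GC unless every DC is a GC, or cross-domain group member references stop updating
$im = Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster
if ($im.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC in a multi-domain forest"
}

# Cross-check with the legacy tool
netdom query fsmo
```

The PDC emulator is the role that matters most day to day: it is the time source for the domain, receives urgent password-change replication, and is where account lockouts are evaluated, so it should sit on the best-connected DC.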
Trust Relationships
• In Active Directory, a trust relationship defines
whether and how security principals from one
domain can access network resources in another
domain
• Trust relationships are established automatically between all domains in the forest; these are two-way and transitive, so every domain in the forest trusts every other domain
• Trusts do not equal permissions
– A trust only lets security principals from the trusted domain be recognized; permissions must still be granted on each resource before they can access it
• When there is no trust between domains, no access across domains is possible
The Role of Forests
• All domains in a forest share some common
characteristics:
– A single schema
– Forest-wide administrative accounts
– Operations masters
– Global Catalog
– Trusts between domains
– Replication between domains
The Importance of the Global Catalog Server
• The first DC installed in a forest is automatically
designated as a Global Catalog server, but
additional global catalog servers can be configured
• Global Catalog servers perform the following vital functions:
– Facilitate domain and forest-wide searches
– Facilitate logon across domains - users can log on to computers in any domain by using their user principal name (UPN), which the GC resolves to the domain holding the account
– Hold universal group membership information, which a DC needs in order to build a complete access token at logon
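The difference between a single-domain search and a forest-wide search through the global catalog (the "Locating Active Directory Objects" slide and this one), and how a UPN is resolved at logon, as an added example that is not from the textbook. It assumes a forest root corp.example.local with a child domain emea.corp.example.local and a user whose UPN is jsmith@corp.example.local.

```powershell
# Added example (not from the textbook): domain search vs. forest-wide GC search.
# Assumed: forest root corp.example.local, child emea.corp.example.local,
# user jsmith@corp.example.local.
Import-Module ActiveDirectory
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1

# Single-domain search: LDAP on port 389 against a DC, sees that domain only
Get-ADUser -Filter "Surname -eq 'Smith'" -Server 'emea.corp.example.local' |
    Select-Object Name, UserPrincipalName, DistinguishedName

# Forest-wide search: the GC listens on port 3268 and returns matches from every
# domain, but only the attributes in the partial attribute set (the ones whose
# schema object has isMemberOfPartialAttributeSet = TRUE)
Get-ADObject -Filter "sn -eq 'Smith'" -Server "$($gc):3268" -SearchBase '' -Properties userPrincipalName |
    Select-Object Name, userPrincipalName, DistinguishedName

# UPN logon: the suffix does not have to match the DNS domain, so the logon DC asks
# a GC which domain actually holds the account
$upn = 'jsmith@corp.example.local'
Get-ADObject -Filter "userPrincipalName -eq '$upn'" -Server "$($gc):3268" -SearchBase '' -Properties objectSid |
    Select-Object DistinguishedName, objectSid

# Universal group membership is stored only in the GC; list where GCs are so each
# site with logons has one (or universal group caching enabled)
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site
```

Because the GC replicates a partial copy of every object in the forest, an attacker with any domain account can enumerate users and groups of every domain from port 3268; that is ordinary LDAP read access, not a flaw, but it is why reconnaissance against AD starts with the GC.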
Forest Root Domain
• The first domain is the forest root and is referred to
as the forest root domain
• Imperative to the functionality of AD; if it
disappears, the entire structure ceases to operate
• Functions the forest root domain usually handles:
– DNS server
– Global catalog server
– Forest-wide administrative accounts
– Operations masters
Figure 6-30 The forest root domain
Understanding Domains and Trees
• Organizations operating under a single name
internally
– An AD forest with only one tree is best
• When two companies merge or a large company
splits into separate business units
– A multiple tree structure makes sense
Designing the Domain Structure
• Most small and medium businesses choose a
single domain for the following reasons:
– Simplicity
– Lower costs
– Easier management
– Easier access to resources
• A single-domain structure is usually easier and less
expensive than a multidomain structure
– May not always be a better solution
Designing the Domain Structure
• Using more than one domain makes sense, or is even a necessity, in the following circumstances:
– Need for differing account policies
– Need for different name identities
– Replication control
– Need for internal versus external domains
– Need for tight security (bearing in mind that true isolation requires a separate forest, not just a separate domain)
Summary
• A directory service is a database that stores network
resource information and can be used to manage users,
computers, and resources throughout the network
• Active Directory is based on the X.500 standard and
LDAP
• Use Server Manager to install the Active Directory
Domain Services role
• Installing the first DC in a network creates a new forest
and the domain is called the forest root domain
• The data in Active Directory is organized as objects
Summary
• There are two types of objects in Active Directory:
container objects and leaf objects
• Leaf objects generally represent security accounts,
network resources, and GPOs
• The AD Recycle Bin can be enabled in ADAC, but after
it’s enabled, it can’t be disabled
• Active Directory objects can be located easily with
search functions in Active Directory Users and
Computers and Windows Explorer
• Large organizations might require multiple domains,
trees, and forests
Summary
• Directory partitions are sections of the Active Directory database that hold different types of data and are managed by different processes
• The forest is the broadest logical Active Directory
component
• A domain is the primary identifying and administrative
unit of Active Directory