Active Directory - KSU Faculty Member websites
Hands-On Microsoft Windows Server 2003 Administration
Chapter 1
Windows Server 2003 Network Administration
Objectives
• List the various tasks of a Windows Server 2003 network administrator
• Understand general troubleshooting techniques
• Ease network management with the help of various Windows Server 2003 administration tools
• Explain Windows Server 2003 Active Directory concepts
Network Administration Overview
• Some of the tasks of a Windows Server 2003 network administrator
– Installing and maintaining the operating system
– Administering Active Directory
– Administering file and print resources
– Administering Internet resources
– Administering the network infrastructure
– Monitoring and troubleshooting Windows Server 2003
– Administering Routing and Remote Access Services (RRAS)
Installing and Maintaining the Operating System
• Tasks related to the operating system
– Install the client workstation operating systems
– Install and configure the server environment
– Troubleshoot and resolve installation problems
– Install and manage the required service packs and hotfixes
Administering Active Directory
• Involves
– Creating and modifying user objects
– Creating and modifying computer objects
– Creating and modifying group objects
– Managing Active Directory container and object permissions
– Creating and troubleshooting Group Policy objects
• Group Policy: a Windows Server 2003 feature that enables you to create policies, linked to sites, domains or organizational units, that affect the domain users and computers in those containers
Administering File and Print Resources
• Tasks included in administering file and print resources
– Troubleshooting user access to files and printers
– Planning and maintaining the most efficient and secure way for users to work with file and print resources
Administering Internet Resources
• Internet administration
– Needed because of B2B and B2C online commerce opportunities
– Requires mastery of the configuration options within Windows Server 2003 IIS, including
• Providing secure access to Internet-accessible resources
• Troubleshooting client connectivity problems
Administering the Network Infrastructure
• Administering the network infrastructure requires maintaining and troubleshooting network services, protocols, and hardware
– TCP/IP protocol
• Used by Windows Server 2003 for network communications throughout the infrastructure and the Internet
– Domain Name System (DNS) service
• Provides name resolution and network service location capabilities
Administering the Network Infrastructure (Continued)
– Routers
– Dynamic Host Configuration Protocol (DHCP) servers
– Windows Internet Name Service (WINS) servers, which provide NetBIOS name resolution
Monitoring and Troubleshooting Windows Server 2003
• Maintenance
– Monitoring server health
– Monitoring system performance
• Maintenance tools
– System Monitor
– Event Viewer
• Troubleshooting tools
– Recovery Console
– Safe Mode
Administering Routing and Remote Access Services
• Windows Server 2003 Routing and Remote Access Services (RRAS) provide
– Access to the company network using dial-up modems
– Virtual private networking (VPN)
– Internet connection sharing (ICS)
– Network address translation (NAT)
– A basic firewall
– Remote Desktop for Administration
• Enables administrators to manage servers remotely
Network Administration Procedures
• Possible reasons for network problems
– Hardware failures
– Security or virus attacks
– File corruption
Network Troubleshooting Process
• A systematic approach to troubleshooting helps
– Define the exact problem
– Quickly solve the problem
• Steps of a successful troubleshooting process
– Define the problem
– Gather detailed information about what has changed
– Devise a plan to solve the problem
– Implement the plan and observe the results
– Document all changes and results
Windows Server 2003 Management Tools
• Features and utilities that assist in daily management tasks
– The Microsoft Management Console (MMC)
– The secondary logon feature
– The Task Scheduler
– The netdiag command
– The Shutdown Event Tracker
• Records the reason given each time a server is shut down or restarted
Windows Server 2003 Management Tools (Continued)
• The Microsoft Management Console
– A customizable management framework that can host a number of management tools
– Saved as a Management Saved Console (MSC) file with the .msc extension
• Snap-ins
– Management tools that are added to the MMC
– Can be obtained from Microsoft or third-party companies
An empty MMC
Add/Remove Snap-in dialog box
Customized MMC
Windows Server 2003 Management Tools (Continued)
• Taskpad view
– Simplifies administrative procedures
– Provides a graphical representation of the tasks that can be performed in an MMC
Taskpad view of the Services snap-in
The Secondary Logon Feature
• Network administrators should keep two accounts
– One for network management
– One for nonadministrative tasks (e-mail, browsing, documents), so that everyday activity never runs with administrative privileges
• The secondary logon feature allows the administrator to
– Log on with the regular user account, then
– Open administrative tools as an administrator (the Run As option)
• Administrator account
– From a command prompt, the runas command starts applications under the administrative account in the same way
Run As dialog box
Additional Administrator Utilities
• Several additional utilities are available with Windows Server 2003 or the Windows Server 2003 Resource Kit
– Examples
• Windows Server 2003 Task Scheduler
• netdiag
• net command
Introduction to Windows Server 2003 Active Directory
• Active Directory
– A directory service database
– Services and features:
• Central point for storing, organizing, managing, and controlling network objects
• Single point of administration of objects and Active Directory-published resources
• Logon and authentication services for users
• Delegation of administration
Introduction to Windows Server 2003 Active Directory (Continued)
• The Active Directory database
– Can be stored on any Windows Server 2003 server promoted to domain controller
• Multi-master replication
– Each domain controller throughout the network has a writeable copy of the directory database for its domain
– Provides a form of fault tolerance
• Active Directory
– Uses DNS to
• Maintain domain-naming structures
• Locate network resources
Active Directory Objects
Figure: Active Directory objects and their attributes. Printer objects (Printer1, Printer2, Printer3) carry attributes such as Printer Name and Printer Location; user objects (Don Hall, Suzan Fine) carry attributes such as First Name, Last Name and Logon Name. Each attribute holds a value.
• Objects represent network resources (users, groups, computers, printers)
• Attributes store information about an object
The Active Directory Schema
• Active Directory schema
– Defines the objects and attributes for the entire Active Directory structure
– Consists of two main definitions
• Object classes
• Attributes
– Stored in the Active Directory database
– Replicated among all domain controllers in the forest, so a schema change affects every domain
Active Directory Schema
Figure: The Active Directory schema is dynamically available, dynamically updateable and protected by DACLs. Object class examples: Computers, Users, Printers. Attributes of Users might contain: accountExpires, department, distinguishedName, middleName. List of attributes: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, …
Active Directory Components
• Logical components of Active Directory
– Provide a way to design and administer the hierarchical, logical structure of the network
– Include
• Domains and organizational units
• Trees and forests
• A global catalog
Active Directory Components (Continued)
• Windows Server 2003 domain
– Logically structured organization of objects that
• Are part of a network, and
• Share a common directory database
• Each domain
– Has a unique name, following the DNS naming standard (for example, CONTOSO.COM)
– Is organized in levels
– Is administered as a unit with common rules and procedures
Active Directory Domains
Figure: The domain CONTOSO.COM shown as a boundary of policies, a boundary of authentication and a boundary of replication.
Note that a domain is not a security boundary: administrators of any domain in a forest can escalate to control of the whole forest, so the forest is the unit of isolation.
Active Directory Components (Continued)
• An organizational unit (OU)
– A logical container used to organize objects within a single domain
• Benefits of using OUs
– Easier to locate and manage the Active Directory objects
– Define more advanced features by applying Group Policy to an OU
– Delegate administrative control over OUs
An Active Directory domain and OU structure
Characteristics of Multiple Domains
• Separate administrative control
– Geographic basis
– Large number of objects
• Reduce replication traffic
• Maintain separate and distinct security policies between domains
• Preserve the domain structure of earlier versions of Windows NT
Figure: four domains, Seattle, Chicago, Los Angeles and New York
Active Directory Components (Continued)
• Trees and forests
– Forest root domain
• First Active Directory domain created in an organization
– Tree
• Hierarchical collection of domains that share a contiguous DNS namespace
What Is a Tree?
Figure: A domain tree. contoso.msft is the parent domain (the tree root domain and forest root domain); sales.contoso.msft is a child domain created as a new domain in the tree, and the two share a contiguous namespace. A two-way, transitive trust relationship links parent and child.
Active Directory Components (Continued)
– Whenever a child domain is created, a two-way, transitive trust relationship is automatically created between the child and parent domains
• Transitive trust
– If domain A trusts domain B and domain B trusts domain C, then domain A also trusts domain C; because every parent-child and tree-root trust in a forest is transitive, every domain in a forest trusts every other domain
– A trust only widens who can be authenticated, not what they can do: users from a trusted domain still need permissions granted explicitly
The Dovercorp.net domain tree
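To make the transitivity rule concrete, here is an added example (not code from the course slides) that models the trust relationships of a small forest and checks whether one domain accepts authentication from another. The domain names contoso.msft, sales.contoso.msft, nwtraders.msft and marketing.nwtraders.msft are the ones used in the slides' figures; the legacy NT domain LEGACYNT and the one-way, non-transitive external trust to it are assumed for illustration. The example goes beyond the slide by also handling such non-transitive trusts, which do not chain.

```python
"""Model Active Directory trust relationships and evaluate trust paths.

Added example; not code from the course slides. The forest layout is the
one drawn in the slides; the external trust to the assumed legacy domain
"LEGACYNT" is illustrative.
"""
from __future__ import annotations

from collections import deque


class TrustGraph:
    """Directed graph: an edge (trusting -> trusted) means `trusting`
    accepts authentication from `trusted`. Each edge records whether the
    trust is transitive, i.e. whether a trust path may continue through it."""

    def __init__(self) -> None:
        self.edges: dict[str, list[tuple[str, bool]]] = {}

    def add_trust(self, trusting: str, trusted: str,
                  two_way: bool = True, transitive: bool = True) -> None:
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        self.edges.setdefault(trusted, [])
        if two_way:
            self.edges[trusted].append((trusting, transitive))

    def add_child_domain(self, parent: str, child: str) -> None:
        """Creating a child domain automatically creates a two-way,
        transitive parent-child trust (the case described on the slide)."""
        self.add_trust(parent, child, two_way=True, transitive=True)

    def trusts(self, trusting: str, trusted: str) -> bool:
        """True if `trusting` accepts users from `trusted`, either through a
        direct trust of any kind or through a chain of transitive trusts."""
        if trusting == trusted:
            return True
        if any(nxt == trusted for nxt, _ in self.edges.get(trusting, [])):
            return True  # direct trust: transitivity does not matter
        # Multi-hop paths may only traverse transitive trusts.
        seen = {trusting}
        queue = deque([trusting])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.edges.get(current, []):
                if not transitive:
                    continue
                if nxt == trusted:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def who_trusts(self, trusted: str) -> set[str]:
        """Every domain that accepts `trusted`'s users: the blast radius of a
        compromised account or domain controller in `trusted`."""
        return {d for d in self.edges if d != trusted and self.trusts(d, trusted)}


def build_example_forest() -> TrustGraph:
    """Two trees (contoso.msft and nwtraders.msft) in one forest, plus an
    assumed one-way, non-transitive external trust so that contoso.msft
    accepts users from the legacy NT domain LEGACYNT."""
    g = TrustGraph()
    g.add_child_domain("contoso.msft", "sales.contoso.msft")
    g.add_child_domain("nwtraders.msft", "marketing.nwtraders.msft")
    # Tree-root trust between the forest root and the second tree root:
    # also two-way and transitive.
    g.add_trust("nwtraders.msft", "contoso.msft", two_way=True, transitive=True)
    g.add_trust("contoso.msft", "LEGACYNT", two_way=False, transitive=False)
    return g


if __name__ == "__main__":
    forest = build_example_forest()
    print(forest.trusts("marketing.nwtraders.msft", "sales.contoso.msft"))  # True
    print(forest.trusts("sales.contoso.msft", "LEGACYNT"))                  # False
    print(sorted(forest.who_trusts("sales.contoso.msft")))
```

The `who_trusts` query is the one worth running against a real forest: it lists every domain whose resources a compromised account in the given domain can be authenticated to, which is why transitive trusts make the forest, not the domain, the real security boundary.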
Active Directory Components (Continued)
• Forest
– Collection of trees that do not share a contiguous DNS naming structure
– The trees in a forest share a single Active Directory schema, configuration and global catalog
• Enterprise Admins
– Special user group, created in the forest root domain
– Allows members to manage objects throughout the entire forest, which makes it the most sensitive group in the directory; keep its membership minimal and audited
Example of an Active Directory forest
What Is the Forest Root Domain?
Figure: The forest root domain is the first domain created in a forest. It holds the global catalog and the forest configuration and schema. The forest shown contains two trees: nwtraders.msft (a tree root domain) with its child marketing.nwtraders.msft, and contoso.msft with its child sales.contoso.msft. The Enterprise Admins and Schema Admins groups exist in the forest root domain.
Active Directory Components (Continued)
• Global catalog
– Index and partial replica of the objects and attributes most frequently used throughout the entire Active Directory structure
– Replicated to any server within the forest that is configured to be a global catalog server
– The first domain controller in the forest automatically becomes a global catalog server
– Additional domain controllers can also be configured to be global catalog servers
– Queried over LDAP on TCP port 3268 (3269 over SSL) rather than the standard LDAP port 389
Global Catalog
Figure: The global catalog holds a subset of the attributes of all objects from every domain in the forest. A global catalog server answers forest-wide queries and supplies universal group membership when a user logs on.
Active Directory Communication Standards
• DNS naming standard
– Used by Active Directory for
• Resolving names to IP addresses
• Providing information on the location of network services and resources (SRV records)
• Lightweight Directory Access Protocol (LDAP)
– Used to query or update the Active Directory database directly, normally over TCP port 389 (636 for LDAP over SSL)
Active Directory Communication Standards (Continued)
• LDAP naming paths
– Used when referring to objects stored within Active Directory
– Main components
• Distinguished name (DN): the full path that uniquely identifies an object and its location, for example CN=Don Hall,OU=Sales,DC=contoso,DC=msft
• Relative distinguished name (RDN): the leftmost component of the DN, which names the object within its container, for example CN=Don Hall
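The following added example (not code from the course slides) shows how a distinguished name is taken apart into its relative distinguished names, and why that cannot be done by splitting on commas alone: RFC 4514 lets a backslash escape a comma inside a value. The sample names reuse the slides' user Don Hall and the contoso.msft domain; the OU=Sales container is assumed.

```python
"""Split LDAP distinguished names into relative distinguished names.

Added example; not code from the course slides. Sample names are constructed.
Follows RFC 4514: a backslash escapes the next character (or a two-digit hex
code), so an escaped comma inside a value does not split the name.
"""
from __future__ import annotations

import string


def split_dn(dn: str) -> list[str]:
    """Return the RDNs of `dn`, most specific first, escapes left intact."""
    rdns: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.extend(dn[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn_of(dn: str) -> str:
    """The relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]


def parent_of(dn: str) -> str:
    """The DN of the container that holds the object."""
    return ",".join(split_dn(dn)[1:])


def unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: backslash-comma and backslash-2C both
    become a comma. Hex codes are treated as single bytes (simplification)."""
    out: list[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def canonical_name(dn: str) -> str:
    """Rewrite a DN in the canonical form the AD tools display,
    e.g. contoso.msft/Sales/Don Hall."""
    dcs: list[str] = []
    others: list[str] = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        (dcs if attr.strip().upper() == "DC" else others).append(unescape(value))
    return "/".join([".".join(dcs)] + list(reversed(others)))


if __name__ == "__main__":
    sample = "CN=Hall\\, Don,OU=Sales,DC=contoso,DC=msft"   # constructed
    print(rdn_of(sample))          # CN=Hall\, Don
    print(parent_of(sample))       # OU=Sales,DC=contoso,DC=msft
    print(canonical_name(sample))  # contoso.msft/Sales/Hall, Don
```

Note that DN escaping (RFC 4514) is not the same as the escaping required when a user-supplied value is placed inside an LDAP search filter (RFC 4515); code that builds filters from input must apply the filter rules or it is open to LDAP injection.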
Active Directory Physical Structure
• Relates to the actual connectivity of the physical network
– Domain controllers
– Sites
Domain Controller
• A domain controller is a server that holds a copy of the Active Directory database.
• All domain controllers are peers and maintain replicated versions of the Active Directory database for their domain.
• The domain controller plays an important role in both the logical and the physical structure of Active Directory.
• It organizes all the domain's object data in a logical and hierarchical data store.
• It also authenticates users, answers queries about network objects, and replicates directory data. (The physical structure provides the means to transmit this data through well-connected sites.)
Domain controller roles
Domain Controllers
• Reasons for creating multiple domain controllers
– It is recommended that each domain and each site have more than one domain controller, to provide logical and physical structure redundancy and fault tolerance
Figure: Two domain controllers in one domain replicating with each other; each holds a writeable copy of the Active Directory database
Sites
Figure: Four sites, Seattle, Chicago, New York and Los Angeles, each made up of IP subnets and connected to the others by WAN links.
• A site is a combination of one or more Internet Protocol (IP) subnets connected by a high-speed connection
• Sites
– Optimize replication traffic
– Enable users to log on to a domain controller by using a reliable, high-speed connection
Active Directory Physical Structure (Continued)
• Aims regarding replication
– Make sure that any modification to the Active Directory database is replicated as quickly as possible between domain controllers
– Make sure that replication does not saturate the available network bandwidth
Active Directory Physical Structure (Continued)
• A site link
– A configurable object that represents a low-bandwidth or unreliable/occasional connection between sites
– Can be adjusted for
• Replication availability, using the schedule on the site link
• Bandwidth cost, where higher cost numbers represent lower-priority replication paths (replication prefers the route with the lowest total cost)
• Replication frequency, by setting the number of minutes between replication cycles
The site structure of Dovercorp.net
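To show what the cost setting actually decides, here is an added example (not code from the course slides) that computes the least-cost replication route between sites from a table of site links, and what happens to that route when the cheap link goes down. The site names are those of the slides' figure; the link names and cost values are constructed for illustration, and the route selection is a plain shortest-path search standing in for the inter-site topology generator's choice.

```python
"""Least-cost replication path between sites from site-link costs.

Added example; not code from the course slides. Site names come from the
slides; link names and costs are constructed. A site link joins two or more
sites at one cost; replication prefers the lowest total cost, so a higher
number means a lower-priority path, as the slide states.
"""
from __future__ import annotations

import heapq

# Constructed site-link table: link name -> (sites it connects, cost).
SITE_LINKS: dict[str, tuple[set[str], int]] = {
    "SEA-CHI": ({"Seattle", "Chicago"}, 100),
    "CHI-NYC": ({"Chicago", "New York"}, 100),
    "CHI-LAX": ({"Chicago", "Los Angeles"}, 150),
    "SEA-NYC-backup": ({"Seattle", "New York"}, 300),  # slow backup link
}


def build_adjacency(site_links):
    """Expand each site link into site-to-site hops carrying its cost."""
    adj: dict[str, list[tuple[str, int, str]]] = {}
    for link, (sites, cost) in site_links.items():
        for a in sites:
            for b in sites:
                if a != b:
                    adj.setdefault(a, []).append((b, cost, link))
    return adj


def least_cost_path(site_links, src: str, dst: str):
    """Dijkstra over site links. Returns (total_cost, [sites...], [links...])
    or None when no chain of site links connects the two sites."""
    adj = build_adjacency(site_links)
    dist = {src: 0}
    prev: dict[str, tuple[str, str]] = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost, link in adj.get(u, []):
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = (u, link)
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    sites, links = [dst], []
    while sites[-1] != src:
        u, link = prev[sites[-1]]
        sites.append(u)
        links.append(link)
    return dist[dst], sites[::-1], links[::-1]


def without_link(site_links, name: str):
    """Copy of the table with one link removed (simulating a WAN outage)."""
    return {k: v for k, v in site_links.items() if k != name}


if __name__ == "__main__":
    print(least_cost_path(SITE_LINKS, "Seattle", "New York"))
    # (200, ['Seattle', 'Chicago', 'New York'], ['SEA-CHI', 'CHI-NYC'])
    print(least_cost_path(without_link(SITE_LINKS, "SEA-CHI"), "Seattle", "New York"))
    # (300, ['Seattle', 'New York'], ['SEA-NYC-backup'])
```

The two-hop route through Chicago (cost 200) beats the direct backup link (cost 300), so the backup link carries replication only when the cheaper path is unavailable; a site with no link at all to the rest of the forest gets no route, which in practice shows up as stale directory data and failed logons against its domain controllers.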
Domains and Sites
• No formal relationship exists between the boundaries of a site and the boundaries of a domain
• Sites and domains do not have to maintain the same namespace
• Sites can contain
– All domain controllers in a single domain
– Some of the domain controllers in a single domain
– Domain controllers from different domains
Figure: Site A and Site B overlaid on the domains US.CONTOSO.COM and CONTOSO.COM
Summary
• Tasks of a network administrator include:
– Software installation
– Active Directory (AD) administration
– File and print administration
– Internet and remote access administration
– Network performance monitoring
– Troubleshooting
• A network administrator needs to follow a systematic approach to troubleshooting network problems
Summary (Continued)
• Some tools that a network administrator can use to help with routine network management include:
– The Microsoft Management Console (MMC)
– The secondary logon service
– Command-line utilities, such as netdiag.exe and the net command
• Active Directory is a directory service database provided with the Windows Server 2003 operating systems
Summary (Continued)
• Logical components of an Active Directory structure
– Domains and organizational units
– Trees and forests
– Global catalog
• Active Directory uses the DNS naming standard for
– Resolving names to IP addresses
– Providing information on the location of network services
• Active Directory replication traffic and network logon traffic can be controlled by configuring sites and site links