01_Intro Active Directory


    8/13/2019 01_Intro Active Directory
    www.technocorp.co.in

    Active Directory: Introducing Active Directory Domain Services


    Module Overview

    Overview of Active Directory, Identity, and Access
    Active Directory Components and Concepts

    Install Active Directory Domain Services


    Identity and Access

    Identity: user account
      - Saved in an identity store (the directory database)
      - A security principal
      - Represented uniquely by its SID. Permissions are bound to the SID, not the name: renaming an account keeps its access, deleting and recreating an account with the same name does not.

    Resource: shared folder
      - Secured with a security descriptor
      - DACL (usually just called the ACL)
      - ACEs (permissions)


    Authentication and Authorization

    1. A user presents credentials that are authenticated by using the information stored with the user's identity
    2. The system creates a security token that represents the user, with the user's SID and all related group SIDs
    3. A resource is secured with an ACL: permissions (ACEs) that pair a SID with a level of access
    4. The user's security token is compared with the ACL of the resource to authorize a requested level of access
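    The comparison in step 4 can be made visible from PowerShell. The function below is an added example, not part of the original slides: it lists the SIDs in the current access token and then walks the DACL of a folder, reporting only the ACEs whose SID appears in the token. The folder path is a placeholder.

```powershell
# Added example (not from the original slides). Shows which ACEs on a
# resource match the SIDs carried in the caller's security token.
# $Path is a placeholder; run it against any folder the caller can read.

function Get-TokenSids {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The token holds the user SID plus every group SID, including the
    # well-known ones (Everyone, Authenticated Users, ...). It is built at
    # logon: a group change only shows up in a new token, i.e. after re-logon.
    @($id.User) + @($id.Groups) | ForEach-Object { $_.Value }
}

function Test-TokenAccess {
    param([Parameter(Mandatory)][string]$Path)

    $tokenSids = Get-TokenSids
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # ACEs are stored by SID; Get-Acl shows the resolved name, so translate
        # it back. An unresolvable (orphaned) SID is already shown as a SID.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value
        }
        if ($tokenSids -contains $sid) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                SID       = $sid
                Type      = $ace.AccessControlType   # Deny ACEs are evaluated before Allow ACEs
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: which ACEs on this share apply to the token of the current session?
Test-TokenAccess -Path 'C:\Shares\Finance' | Format-Table -AutoSize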


    Authentication

    Authentication is the process that verifies a user's identity

    Two types of authentication
      - Local (interactive) logon: authentication for logon to the local computer
      - Remote (network) logon: authentication for access to resources on another computer

    Credentials: at least two components are required
      - User name
      - Secret, for example, a password
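    Both logon types leave the same audit record, Security event 4624, distinguished by its Logon Type field (2 = interactive, 3 = network). The following is an added example, not from the original slides: it summarises recent 4624 events by logon type and authentication package, which also shows whether a logon was validated by a domain controller (Kerberos) or by the local SAM (NTLM). It must run elevated on a host where logon auditing is enabled; the time window is a placeholder.

```powershell
# Added example (not from the original slides). Summarise successful
# logons (event 4624) by Logon Type and authentication package.
# Requires an elevated session and "Audit Logon" enabled on the host.

function Get-LogonSummary {
    param([int]$Hours = 24)   # placeholder window

    $typeNames = @{
        2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
        8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
    }
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4624 EventData positions (Vista/2008+ schema):
        # 4 TargetUserSid, 5 TargetUserName, 6 TargetDomainName, 8 LogonType,
        # 10 AuthenticationPackageName, 18 IpAddress
        $d = $_.Properties
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d[6].Value)\$($d[5].Value)"
            Sid       = $d[4].Value
            LogonType = $typeNames[[int]$d[8].Value]
            AuthPkg   = $d[10].Value   # Kerberos = validated by a DC; NTLM = local SAM or fallback
            Source    = $d[18].Value
        }
    } | Where-Object { $_.User -notlike '*$' }   # drop computer accounts
}

# Usage: how is this host being logged on to, and by which package?
Get-LogonSummary -Hours 24 |
    Group-Object LogonType, AuthPkg |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

    A workgroup member shows only NTLM here because there is no KDC to talk to; a domain member that still shows a large share of NTLM network logons is worth a closer look.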


    Stand-Alone (Workgroup) Authentication

    The identity store is the SAM database on the Windows system
      - No shared identity store
      - Multiple user accounts (one per computer for the same person)
      - Management of passwords is challenging


    Active Directory Domains: Trusted Identity Store

    Centralized identity store trusted by all domain members
    Centralized authentication service
    Hosted by a server performing the role of an AD DS domain controller


    Active Directory and IDA Services

    Active Directory IDA (identity and access) services:
      - Active Directory Domain Services (AD DS)
      - Active Directory Lightweight Directory Services (AD LDS)
      - Active Directory Certificate Services (AD CS)
      - Active Directory Rights Management Services (AD RMS)
      - Active Directory Federation Services (AD FS)


    Active Directory Components and Concepts

    Active Directory as a Database
    Organizational Units
    Policy-Based Management
    Active Directory Data Store
    Domain Controllers
    Domain
    Replication
    Sites
    Forest
    Tree
    Global Catalog
    Functional Levels


    Active Directory as a Database

    Active Directory is a database
      - Each record is an object: users, groups, computers, and so on
      - Each field is an attribute: logon name, SID, password, description, membership, and so on

    Identities (security principals or accounts)

    Services: Kerberos, DNS, and replication

    Accessing the database
      - Windows tools, user interfaces, and components
      - APIs (.NET, VBScript, Windows PowerShell)
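    The "object with attributes" model is easiest to see through the .NET API the slide mentions. The function below is an added example, not from the original slides: it uses System.DirectoryServices.DirectorySearcher (no RSAT module needed) to fetch one user object and print the requested attributes, decoding the binary objectSid. The domain is the one the machine is joined to; the account name is a placeholder. Note that the password is the one field you cannot read this way: unicodePwd is write-only over LDAP, and its hash exists only inside the database on the domain controllers.

```powershell
# Added example (not from the original slides). Read one object and a
# chosen set of its attributes through System.DirectoryServices.
# Assumes a domain-joined host; 'jdoe' is a placeholder account.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping, so a caller-supplied name cannot change the filter's shape.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DirectoryObject {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Attributes = @('distinguishedName', 'objectClass', 'sAMAccountName',
                                  'objectSid', 'description', 'memberOf', 'userAccountControl')
    )
    $name = ConvertTo-LdapFilterValue $SamAccountName
    # [adsisearcher] = System.DirectoryServices.DirectorySearcher bound to the
    # current domain with the logged-on user's credentials (Kerberos).
    $searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$name))"
    $searcher.PropertiesToLoad.AddRange($Attributes)
    $result = $searcher.FindOne()
    if (-not $result) { return $null }

    $obj = [ordered]@{}
    foreach ($attr in $Attributes) {
        $values = $result.Properties[$attr.ToLower()]   # result keys are lower-case
        if ($attr -eq 'objectSid' -and $values.Count -gt 0) {
            # objectSid is a binary blob; render it in S-1-5-... form
            $obj[$attr] = (New-Object System.Security.Principal.SecurityIdentifier($values[0], 0)).Value
        } else {
            $obj[$attr] = @($values) -join '; '   # multi-valued attributes (memberOf) are joined
        }
    }
    [pscustomobject]$obj
}

Get-DirectoryObject -SamAccountName 'jdoe' | Format-List
```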


    Organizational Units

    Containers: the default Users and Computers containers hold objects, but Group Policy cannot be linked to them

    Organizational Units: containers that also support the management and configuration of objects by using Group Policy

    Create OUs to:
      - Delegate administrative permissions
      - Apply Group Policy
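    The two reasons for creating an OU, delegation and Group Policy, look like this in practice. The script is an added example, not from the original slides; it requires the ActiveDirectory and GroupPolicy RSAT modules, and the OU, GPO and group names are placeholders. Delegation is done with the built-in dsacls.exe so that exactly one right (reset password on user objects) is granted, and the resulting ACE is read back from the OU's security descriptor.

```powershell
# Added example (not from the original slides). Create an OU, link a GPO
# to it and delegate a single task on it. Names are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$ouName   = 'Helpdesk-Managed Users'
$ouDN     = "OU=$ouName,$($domain.DistinguishedName)"
$helpdesk = "$($domain.NetBIOSName)\Helpdesk"   # existing global group, placeholder

# 1. Create the OU. Protection adds Deny ACEs for Everyone on delete and
#    delete-subtree, so a mis-click cannot remove the whole subtree.
New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -ProtectedFromAccidentalDeletion $true

# 2. Apply Group Policy: a new GPO linked to this OU only, not to the domain.
New-GPO -Name 'Helpdesk Users - Baseline' | New-GPLink -Target $ouDN -LinkEnabled Yes

# 3. Delegate: the Helpdesk group may reset passwords on user objects below this
#    OU, and nothing else. /I:S scopes the ACE to child objects of class "user";
#    CA = control access right, "Reset Password" is the extended right's name.
dsacls $ouDN /I:S /G "${helpdesk}:CA;Reset Password;user"

# Verify: show the ACEs on the OU that name the Helpdesk group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $helpdesk } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

    Keep privileged accounts out of OUs delegated this way: the right to reset a password on an object is, in effect, the right to become that account, so a delegated OU must only ever contain accounts of lower privilege than the delegate.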


    Policy-Based Management

    Active Directory provides a single point of management and configuration through policies:
      - Group Policy
      - Domain password and lockout policy
      - Audit policy
      - Configuration

    Group Policy is applied to users or computers by scoping a GPO containing configuration settings

    Fine-grained password and lockout policies (password settings objects, PSOs) override the domain policy for selected users and groups
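    The domain password and lockout policy and a fine-grained policy side by side, as an added example that is not part of the original slides. It requires the ActiveDirectory module and a domain functional level of at least Windows Server 2008; the policy, group and user names are placeholders. The last command answers the question that matters after a PSO is created: which policy a given account is actually subject to.

```powershell
# Added example (not from the original slides). Compare the domain-wide
# policy with a stricter fine-grained policy for privileged accounts and
# check the resultant policy for one account. Names are placeholders.
Import-Module ActiveDirectory

# The domain policy comes from the Default Domain Policy GPO and is the
# maximum scope of password/lockout settings for everyone in the domain.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold, LockoutDuration

# A PSO with the lowest Precedence value wins when several apply to a user.
$pso = @{
    Name                        = 'PSO-Tier0-Admins'
    Precedence                  = 10
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false              # never store recoverable passwords
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Domain Admins'

# Resultant policy for one account: the PSO the DCs will enforce,
# or nothing, which means the domain policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'admin-jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
```

    A lockout threshold on administrative accounts is a trade-off: it limits online guessing but also lets anyone who can reach a DC lock the administrators out, so pair it with a short lockout duration rather than a permanent lock.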


    Active Directory Data Store

    %systemroot%\NTDS\ntds.dit
      Logical partitions:
      - Domain naming context
      - Schema
      - Configuration
      - Global catalog (Partial Attribute Set)
      - DNS (application partitions)

    SYSVOL: %systemroot%\SYSVOL
      - Logon scripts
      - Policies

    ntds.dit holds the password hashes of every account in the domain, so any copy of it (backup, VM snapshot, disk image) needs the same protection as the domain controller itself.


    Domain Controllers

    Servers that perform the AD DS role
      - Host the Active Directory database (NTDS.DIT) and SYSVOL
      - Replicated between domain controllers
      - Kerberos KDC service: performs authentication
      - Other Active Directory services

    Best practices
      - Availability: at least two in a domain
      - Security: Server Core and RODCs
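    The availability best practice is easy to check rather than assume. The script below is an added example, not from the original slides; it requires the ActiveDirectory module. It inventories the domain controllers of the current domain and reports the gaps that matter: fewer than two writable DCs, fewer than two global catalogs, and sites with no DC at all (the sites whose users authenticate across a WAN link, and where an RODC, which holds no writable copy and caches only the secrets you allow, is the usual answer).

```powershell
# Added example (not from the original slides). Inventory the DCs of the
# current domain and flag availability and placement gaps.
Import-Module ActiveDirectory

function Get-DcInventory {
    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.HostName
            Site            = $_.Site
            OS              = $_.OperatingSystem
            IsReadOnly      = $_.IsReadOnly          # RODC
            IsGlobalCatalog = $_.IsGlobalCatalog
            FsmoRoles       = ($_.OperationMasterRoles -join ',')
        }
    }
}

function Test-DcBestPractices {
    $dcs      = @(Get-DcInventory)
    $writable = @($dcs | Where-Object { -not $_.IsReadOnly })
    $findings = New-Object System.Collections.Generic.List[string]

    if ($writable.Count -lt 2) {
        $findings.Add("Only $($writable.Count) writable DC(s): one host failure takes the domain offline")
    }
    if (@($dcs | Where-Object IsGlobalCatalog).Count -lt 2) {
        $findings.Add('Fewer than two global catalog servers')
    }
    # Every FSMO role on one host is normal in small domains, but worth knowing.
    $fsmoHosts = @($dcs | Where-Object FsmoRoles | Select-Object -ExpandProperty Name)
    if ($fsmoHosts.Count -eq 1 -and $writable.Count -gt 1) {
        $findings.Add("All operations master roles are on $($fsmoHosts[0])")
    }
    # Sites without a DC: their clients authenticate over the WAN (RODC candidates).
    foreach ($site in Get-ADReplicationSite -Filter *) {
        if (@($dcs | Where-Object Site -eq $site.Name).Count -eq 0) {
            $findings.Add("Site '$($site.Name)' has no domain controller")
        }
    }
    $findings
}

Get-DcInventory | Format-Table -AutoSize
Test-DcBestPractices
```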


    Domain

    Made up of one or more DCs
      - All DCs replicate the Domain naming context (Domain NC)

    The domain is the context within which users, groups, computers, and so on are created

    Replication boundary

    Trusted identity source: any DC can authenticate any logon in the domain

    The domain is the maximum scope (boundary) for certain administrative policies
      - Password
      - Lockout

    The domain is an administrative and replication boundary, not a security boundary; the security boundary is the forest.


    Replication

    Multimaster replication
      - Objects and attributes in the database
      - Contents of SYSVOL are replicated

    Several components work to create an efficient and robust replication topology and to replicate granular changes to AD

    The Configuration partition of the database stores information about sites, network topology, and replication


    Sites

    An Active Directory object that represents a well-connected portion of your network
      - Associated with subnet objects representing IP subnets

    Intrasite vs. intersite replication
      - Replication within a site occurs very quickly (15 to 45 seconds)
      - Replication between sites can be managed (cost, interval and schedule on the site link)

    Service localization: log on to a DC in your site
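    The topology the Configuration partition describes (site links, subnets) and the health of the replication that runs over it can be read with the replication cmdlets of the ActiveDirectory module (Windows Server 2012 and later). This is an added example covering the Replication and Sites slides, not code from the original deck.

```powershell
# Added example (not from the original slides). Read the replication
# topology from the Configuration partition and the current state of each
# inbound replication partnership in the domain.
Import-Module ActiveDirectory

function Get-SiteTopology {
    # Site links carry the cost, the intersite interval (minutes) and the
    # schedule; intrasite replication is notification-driven and not scheduled.
    Get-ADReplicationSiteLink -Filter * |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' } }
}

function Get-SubnetMap {
    # A client whose IP matches no subnet object is not localised to a site and
    # may pick a DC across the WAN; a missing subnet is a common root cause.
    Get-ADReplicationSubnet -Filter * |
        Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } }
}

function Get-ReplicationHealth {
    # One row per (DC, inbound partner, partition). LastReplicationResult 0 = success.
    Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain |
        Select-Object Server, Partner, Partition, LastReplicationAttempt, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures |
        Sort-Object ConsecutiveReplicationFailures -Descending
}

Get-SiteTopology      | Format-Table -AutoSize
Get-SubnetMap         | Format-Table -AutoSize
Get-ReplicationHealth | Format-Table -AutoSize
# Explicit failure records; no output means no recorded failures.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain
```

    A DC whose ConsecutiveReplicationFailures keeps climbing is not just stale: it will still answer logons with old passwords and old group memberships, which is why replication health belongs in routine monitoring.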


    Forest

    A collection of one or more Active Directory domain trees
      - The first domain is the forest root domain
      - Single configuration and schema replicated to all DCs in the forest
      - A security and replication boundary


    Tree

    One or more domains in a single instance of AD DS that share a contiguous DNS namespace

    (Diagram: example domain trees; names as extracted: Microsoft.com, Microsoftlearning.c..., Training.Microsoftlearn...)


    Global Catalog

    Partial Attribute Set (PAS) or Global Catalog
      - Contains every object in every domain in the forest
      - Contains only selected attributes
      - A type of index
      - Can be searched from any domain
      - Very important for many applications

    (Diagram: the PAS of Domain A and of Domain B held by the global catalog)
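    Forest, tree and global catalog come together when an object has to be found without knowing its domain. The script below is an added example, not from the original slides, and requires the ActiveDirectory module; the account name is a placeholder. It describes the forest, then searches a global catalog (port 3268, every domain, PAS attributes only) and, for each hit, reads the full attribute set from a DC of the object's own domain. Whether an attribute is in the PAS is not guessed but read from the schema, which is where the set is defined. The sAMAccountName is placed into an LDAP filter unescaped here; apply RFC 4515 escaping if it comes from untrusted input.

```powershell
# Added example (not from the original slides). Forest facts, then a
# GC search followed by a per-domain read of the full object.
Import-Module ActiveDirectory

# Which domains exist, which DCs are GCs, who holds the forest-wide FSMO roles.
Get-ADForest | Select-Object Name, RootDomain, ForestMode, Domains, GlobalCatalogs,
                             SchemaMaster, DomainNamingMaster

function Test-InPartialAttributeSet {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Every attribute replicated to the GC is flagged in its attributeSchema object.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -Properties isMemberOfPartialAttributeSet `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [bool]$attr.isMemberOfPartialAttributeSet
}

function Find-ForestUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Properties = @('mail', 'department')
    )
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    # Port 3268 (3269 for TLS) with an empty SearchBase searches the whole forest,
    # but only PAS attributes can come back from a GC.
    $hits = Get-ADObject -Server "${gc}:3268" -SearchBase '' -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=user)(sAMAccountName=$SamAccountName))"

    foreach ($hit in $hits) {
        # Derive the object's own domain from the DC= parts of its DN and read
        # the requested attributes from a DC there (full attribute set).
        $domain = (($hit.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
        $notInPas = $Properties | Where-Object { -not (Test-InPartialAttributeSet $_) }
        if ($notInPas) { Write-Verbose "Not in the PAS, reading from ${domain}: $($notInPas -join ', ')" }
        Get-ADObject -Identity $hit.DistinguishedName -Server $domain -Properties $Properties
    }
}

Find-ForestUser -SamAccountName 'jdoe' -Verbose | Format-List DistinguishedName, mail, department
```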


    Functional Levels

    Domain functional levels and forest functional levels
      - New functionality requires that domain controllers are running a particular version of Windows:
        Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
      - Cannot raise the functional level while domain controllers are running previous Windows versions
      - Cannot add domain controllers running previous Windows versions after raising the functional level
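    Because the raise is blocked by any older DC and, once done, blocks older DCs from joining, it deserves a pre-flight check. The script below is an added example, not from the original slides, and requires the ActiveDirectory module. It maps each domain functional level listed above to the minimum Windows kernel version that supports it (5.0, 5.2, 6.0 and 6.1 for the four levels on the slide), compares that with the version string of every DC, and only then raises the level; the target level is a placeholder. Treat the raise as one-way.

```powershell
# Added example (not from the original slides). Report the current
# levels, verify every DC supports the target level, then raise it.
Import-Module ActiveDirectory

# Minimum OS version (major.minor as reported by the DC) per domain functional level.
$minOsForLevel = @{
    Windows2000Domain   = [version]'5.0'
    Windows2003Domain   = [version]'5.2'
    Windows2008Domain   = [version]'6.0'
    Windows2008R2Domain = [version]'6.1'
}

function Get-FunctionalLevelReport {
    [pscustomobject]@{
        Domain     = (Get-ADDomain).DNSRoot
        DomainMode = (Get-ADDomain).DomainMode
        ForestMode = (Get-ADForest).ForestMode
    }
}

function Get-DcOsVersion {
    Get-ADDomainController -Filter * | ForEach-Object {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep the major.minor part.
        [pscustomobject]@{
            Name    = $_.HostName
            OS      = $_.OperatingSystem
            Version = [version](($_.OperatingSystemVersion -split ' ')[0])
        }
    }
}

function Test-CanRaiseDomainMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Windows2000Domain', 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain')]
        [string]$Target
    )
    # Any DC (writable or RODC) below the minimum blocks the raise and would be
    # orphaned if the level were forced.
    $blockers = @(Get-DcOsVersion | Where-Object { $_.Version -lt $minOsForLevel[$Target] })
    if ($blockers.Count -gt 0) {
        Write-Warning "Cannot raise to ${Target}; older DCs: $($blockers.Name -join ', ')"
        return $false
    }
    $true
}

Get-FunctionalLevelReport
Get-DcOsVersion | Format-Table -AutoSize
if (Test-CanRaiseDomainMode -Target 'Windows2008R2Domain') {
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008R2Domain -Confirm:$true
}
```

    The same table extends to later levels (Windows2012Domain = 6.2, Windows2012R2Domain = 6.3, Windows2016Domain = 10.0) and the forest level is raised with Set-ADForestMode after the domain levels.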


    DNS and Application Partitions

    Active Directory and DNS are closely integrated
      - One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory
      - Complete reliance on DNS to locate computers and services in the domain
      - A domain controller acting as a DNS server can store the zone data in Active Directory itself, in an application partition

    (Diagram: partitions held by a DC: Schema, Configuration, Domain, DNS application partitions, PAS)
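    "Complete reliance on DNS" means a client finds its DC by SRV record, not by hostname. The script below is an added example, not from the original slides: it shows the locator records a domain member queries, the site-specific variant that makes "log on to a DC in your site" work, and, on a DC running DNS, whether the zone is AD-integrated and in which application partition it replicates. Resolve-DnsName needs Windows 8/Server 2012 or later and Get-DnsServerZone the DnsServer module; the domain name is a placeholder.

```powershell
# Added example (not from the original slides). DC location through DNS
# and the storage of the zone in the directory. Domain is a placeholder.
$domain = 'contoso.com'

function Get-DcSrvRecords {
    param([string]$Domain = $domain)
    # The DC locator queries these SRV names; each answer is a DC host and port.
    # Without them, no domain logon works, whatever A records exist.
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs', '_gc._tcp') {
        Resolve-DnsName -Name "${svc}.${Domain}" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object @{ n = 'Service'; e = { $svc } }, NameTarget, Port, Priority, Weight
    }
}
Get-DcSrvRecords | Format-Table -AutoSize

# Site-aware records: the client first asks for DCs in its own site
# (the site is derived from its IP address via the subnet objects).
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
Resolve-DnsName -Name "_ldap._tcp.${site}._sites.dc._msdcs.${domain}" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port

# On a DC that runs DNS: is the zone stored in the directory, and where?
#   ReplicationScope Forest/Domain = ForestDnsZones/DomainDnsZones application partition
#   ReplicationScope Legacy        = domain partition (replicates to every DC, DNS or not)
# DynamicUpdate should be Secure; only a directory-stored zone can require it.
Get-DnsServerZone -Name $domain |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
```

    A zone that allows non-secure dynamic updates lets any host on the network overwrite the records the locator depends on, so the DynamicUpdate value is the one to check first.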


    Trust Relationships

    Extends the concept of a trusted identity store to another domain
      - The trusting domain (with the resource) trusts the identity store and authentication of the trusted domain
      - A trusted user can authenticate to, and be given access to resources in, the trusting domain
      - Within a forest, each domain trusts all other domains
      - Trust relationships can be established with external domains

    (Diagram: Trusted Domain -> Trusting Domain)
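    The trust settings a reviewer wants to see (direction, transitivity, SID filtering, selective authentication) are all attributes of the trusted-domain object. The script below is an added example, not from the original slides, and requires the ActiveDirectory module. Direction is reported from the local domain's point of view: Outbound means this domain trusts the partner, so the partner's users can be authorized to resources here; that is the direction where SID filtering and selective authentication protect you.

```powershell
# Added example (not from the original slides). List the trusts of the
# current domain and flag the hardening settings that are off.
Import-Module ActiveDirectory

function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner          = $_.Target
            Type             = $_.TrustType               # Uplevel (AD) or Downlevel (NT)
            Direction        = $_.Direction               # Inbound, Outbound or BiDirectional
            IntraForest      = $_.IntraForest
            ForestTransitive = $_.ForestTransitive
            Transitive       = -not $_.DisallowTransivity # attribute name is spelled this way in AD
            SidFiltering     = $_.SIDFilteringQuarantined # only SIDs from the partner's own domain are accepted
            SelectiveAuth    = $_.SelectiveAuthentication # partner users need "Allowed to Authenticate" per server
        }
    }
}

function Test-TrustHardening {
    foreach ($t in Get-TrustReport) {
        # Trusts inside the forest are transitive by design and are not external exposure.
        if ($t.IntraForest) { continue }
        # Outbound = we trust the partner = the partner's users reach our resources.
        if ($t.Direction -eq 'Inbound') { continue }
        if (-not $t.SidFiltering) {
            "$($t.Partner): SID filtering is off; SID history from the partner is honoured here"
        }
        if (-not $t.SelectiveAuth) {
            "$($t.Partner): forest-wide authentication; every partner user is Authenticated Users here"
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
Test-TrustHardening
```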


    Install Active Directory Domain Services

    Install Windows Server 2008 R2

    Server Manager and Role-Based Configuration of Windows 2008 R2

    Prepare to Create a New Forest with Windows Server 2008

    Install and Configure a Domain Controller


    Prepare to Create a New Forest with Windows Server 2008

    Domain's DNS name (domainname.com)

    Domain's NetBIOS name (domainname)

    Whether the new forest will need to support DCs running previous versions of Windows (affects the choice of functional level)

    Details about how DNS will be implemented to support AD DS
      - Default: creating the domain controller adds the DNS Server role as well

    IP configuration for the DC: IPv4 and, optionally, IPv6

    User name and password of an account in the server's Administrators group. The account must have a password.

    Location for the data store (ntds.dit) and SYSVOL
      - Default: %systemroot% (C:\Windows)


    Install and Configure a Domain Controller

    1. Install the Active Directory Domain Services role by using Server Manager
    2. Run the Active Directory Domain Services Installation Wizard
    3. Choose the deployment configuration
    4. Select the additional domain controller features
    5. Select the location for the database, log files, and SYSVOL folder
    6. Configure the Directory Services Restore Mode Administrator password
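    The six steps above, and the preparation list before them, as one unattended run. This is an added example and not the deck's own procedure: the slides use the Windows Server 2008 R2 wizard (dcpromo, with /unattend for scripted installs), whereas the ADDSDeployment cmdlets below exist from Windows Server 2012 on. Domain names, paths and the functional levels are placeholders; the DSRM password is prompted for rather than written in the script.

```powershell
# Added example (not from the original slides). Create a new forest
# with the Windows Server 2012+ ADDSDeployment cmdlets; values are placeholders.
Import-Module ServerManager

# Step 1: the role plus its management tools (ADUC, ADAC, AD PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 6 first: the DSRM password is the local Administrator password that
# still works when the directory is offline, so it must be unique and vaulted.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Steps 2-5: deployment configuration, DC features and file locations.
$forestParams = @{
    DomainName                    = 'contoso.com'        # DNS name of the domain
    DomainNetbiosName             = 'CONTOSO'            # NetBIOS name
    ForestMode                    = 'Win2008R2'          # highest level the oldest planned DC supports
    DomainMode                    = 'Win2008R2'
    InstallDns                    = $true                # default: DNS Server role is added too
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'    # ntds.dit
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false
    Force                         = $true                # suppress the confirmation prompts
}

# Dry run: verifies prerequisites (name conflicts, DNS, paths) and changes nothing.
Test-ADDSForestInstallation @forestParams

# The real promotion; the server restarts as the first DC of the new forest.
Install-ADDSForest @forestParams
```

    Keep the NTDS and SYSVOL paths on a volume that is not the one the page file and general data live on where possible, and remember that from this point on the server's backups contain every password hash in the domain.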


    Module Overview

    Work with Active Directory Administration Tools

    Custom Consoles and Least Privilege

    Find Objects in Active Directory

    Use Windows PowerShell to Administer Active Directory


    Work with Active Directory Administration Tools

    MMC Console
    Active Directory Administration Snap-Ins
    What Is the Active Directory Administrative Center?
    Find Active Directory Administration Tools
    Demonstration: Perform Administrative Tasks by Using Active Directory Administrative Tools


    MMC Console

    (Diagram: MMC console layout: Console Tree, Details Pane, Actions Pane; toolbar buttons Show/Hide Console Tree and Show/Hide Actions Pane)


    Active Directory Administration Snap-Ins

    Active Directory Users and Computers
      - Manage the most common day-to-day objects, including users, groups, computers, printers, and shared folders

    Active Directory Sites and Services
      - Manage replication, network topology, and related services

    Active Directory Domains and Trusts
      - Configure and maintain trust relationships and the domain and forest functional levels

    Active Directory Schema
      - Administer the schema