View
216
Download
0
Embed Size (px)
Citation preview
3.1 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Identifying the Features of Active Directory Active Directory is the directory service for Windows Server 2003
Features
Centralized management
Security
Object-oriented storage
Hierarchical organization
Multi-master replication
Integration with DNS
Lightweight Directory Access Protocol (LDAP) support
Standard name formats
Scalability
(Skill 1)
3.2 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-1 Active Directory
(Skill 1)
3.3 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-2 Replication
(Skill 1)
3.4 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-4 Schema
(Skill 3)
3.5 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Examining Underlying Active Directory Concepts (2)
Global catalog Stores a full Read-Write replica of all object attributes in
the directory for its host domain Stores a partial replica of all object attributes contained in
the directory for every domain in the forest along with universal groups and group members
Has the ability to search the entire forest, but also keeps the database relatively light, allowing for improved replication
Global catalog server is the name of the domain controller that maintains the global catalog
(Skill 3)
3.6 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-5 Global Catalog in Active Directory
(Skill 3)
3.7 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Examining Underlying Active Directory Concepts (3)
Namespace Bounded area in which the names used to identify objects are resolved Defines the domain structure in Active Directory
Provides name resolution through the use of the Domain Name System (DNS), which is central to the operation of Windows networks
Without proper name resolution, users cannot locate resources on the network
Domains with contiguous namespaces are members of the same tree A forest is a collection of domains sharing the same schema,
configuration, and global catalog
(Skill 3)
3.8 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-6 Contiguous namespaces (tree)
(Skill 3)
3.9 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-7 Disjointed namespaces (multiple trees)
(Skill 3)
3.10 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-8 Naming conventions
(Skill 3)
3.11 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Introducing the Basic Elements ofActive Directory
ObjectAny “thing” (tangible or abstract) about which data is
storedCan be a network resource, such as a user, group,
printer, or a virtual object such as a forest, tree, domain, or OU
Each is defined by a set of attributes related to its properties
When you create an object, the Active Directory is populated with some of the attributes for the object
(Skill 4)
3.12 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Introducing the Basic Elements ofActive Directory (2)
Common types of objects Computer User Group Shared Folder Printer
(Skill 4)
3.13 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Introducing the Basic Elements ofActive Directory (3)
Domain A group of computers and devices on a network that
constitute a single security boundary within Active Directory, but can span more than one physical location
Each has its own security policies and security relationships with other domains
Domains co-existing under the same namespace form a single tree
When multiple domains are connected by trust relationships and share a common schema, configuration, and global catalog, they constitute a forest
(Skill 4)
3.14 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Introducing the Basic Elements ofActive Directory (4)
Types of computers in a domain Domain controller
A computer that stores a replica of the directory database Stores security policies and accounts
Member server A Windows NT 4.0, 2000, or Server 2003 computer that is part of
a domain Does not store a replica of the directory database
Client computers Computers running operating systems that can communicate
with the Active Directory for user authentication and resource access
(Skill 4)
3.15 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-10 Hierarchical structure of Active Directory
(Skill 4)
3.16 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Introducing the Basic Elements ofActive Directory (5)
Organizational unit (OU) A container object for organizing objects within a domain Can contain users, groups, resources, and other OUs Enables the delegation of administration to distinct segments of the
directory, which provides more flexibility in managing the objects in a business unit, department, or other organizational division
Administration of grouped OUs Creation and organization of child OUs Delegation of permissions within specific OUs Assignment of Group Policy links
(Skill 4)
3.17 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Introducing the Basic Elements ofActive Directory (6)
Tree A set of one or more domains in a hierarchical structure The first domain created in the forest is called the forest root and this
is where the forest name is specified All domain trees in a forest share the same forest root If a new tree is created after the forest root, the first domain that is
added to this tree is called the root domain Domains under the root domain are called child domains Any domain immediately above another domain is called the parent
domain
(Skill 4)
3.18 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-11 Multiple domains in a tree
(Skill 4)
3.19 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Introducing the Basic Elements ofActive Directory (7)
Forest A group of one or more Active Directory domains sharing a
common schema, configuration, global catalog, and two-way, transitive trusts
All trees in a given forest trust each other through transitive two-way trust relationships
A forest exists as a set of cross-referenced objects and trust relationships known to the member trees
Trees in a forest form a hierarchy for the purposes of trust
(Skill 4)
3.20 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-12 Forest
(Skill 4)
3.21 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-14 A domain/OU structure for an organization
(Skill 5)
3.22 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Installing Active Directory
After completing the planning phase, install Active Directory on the Windows Server 2003 using the Active Directory Installation Wizard (Dcpromo.exe)
After first-time installationActive Directory forest is createdFirst domain created in the forest is the forest rootForest root comprises the first Active Directory tree and
this first domain is called the root domainDomains created under the root domain are called child
domains
(Skill 6)
3.23 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Installing Active Directory (2)
Mixed mode When you create a domain, by default the domain is
configured to run in Windows 2000 mixed mode Allows the coexistence of Windows NT, Windows 2000,
and Windows Server 2003 domains
Windows 2000 native mode If your domain consists of only Windows 2000 domain
controllers, you can switch to Windows 2000 native mode
Native mode supports Windows 2000 and Windows Server 2003 domains
(Skill 6)
3.24 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Installing Active Directory (3)
Windows Server 2003 interim mode If your domain has only Windows NT 4.0 servers, and
you upgrade a server to Windows Server 2003, you can use Windows Server 2003 interim mode
Used when there are no Windows 2000 servers and you upgrade a Windows NT PDC to Windows Server 2003
Windows Server 2003 mode If your domain consists of only Windows Server 2003
domain controllers, you can switch to Windows Server 2003 mode
Supports the full Windows Server 2003 Active Directory implementation
(Skill 6)
3.25 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-18 The Domain Controller Type screen
(Skill 6)
3.26 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-19 The Create New Domain screen
(Skill 6)
3.27 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-20 Specifying the full DNS domain name
(Skill 6)
3.28 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-21 The NetBIOS Domain Name screen
(Skill 6)
3.29 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-22 The Permissions screen
(Skill 6)
3.30 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-23 An empty console window
(Skill 7)
3.31 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-24 Setting the Author mode in the Console Options dialog box
(Skill 7)
3.32 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-25 The Add Standalone Snap-in dialog box
(Skill 7)
3.33 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-26 Using a snap-in to manage the local computer
(Skill 7)
3.34 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Creating Organizational Units
You use the Active Directory Users and Computers console to create an organizational unit (OU) and to add objects to OUs
You can create an OU in a domain, in a domain controller object, or in another OU if you have been delegated permission to do so
By default, Windows Server 2003 grants permission to members of the Administrators group to create an OU
(Skill 8)
3.35 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-29 Creating an Organizational Unit (OU)
(Skill 8)
3.36 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-30 The Marketing OU added to the domain
(Skill 8)
3.37 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-31 Creating a new user object
(Skill 8)
3.38 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-32 <User object> Properties dialog box
(Skill 8)
3.39 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-33 The Find Users, Contacts, and Groups dialog box
(Skill 9)
3.40 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-34 Finding a user in Active Directory
(Skill 9)
3.41 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Managing Active Directory Objects (2)
Securing resources Object security
Active Directory provides a set of security descriptors for each object called a Discretionary Access Control List (DACL) defining how the object can be accessed
Each file or folder on an NTFS drive has a DACL, which contains Access Control Entries (ACEs)
ACEs contain the SID of the user or group and the permissions associated with that user or group
Account logon security protects a computer and its resources from unauthorized access
(Skill 9)
3.42 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-35 Finding the Distinguished Name
(Skill 9)
3.43 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 3: Introducing Active Directory
Figure 3-36 Moving a user object
(Skill 9)