Reseaux III Win2k8


  • 7/28/2019 Reseaux III Win2k8

    1/153

Reseaux III

Windows Server 2008

Presented by: Willio St Preux

Windows Server 2008: Context and versions

Installation options: Full and Server Core

Minimum requirements: 512 MB of RAM, 10 GB of disk, 1 GHz (32-bit) or 1.4 GHz (64-bit) processor

http://www.microsoft.com/windowsserver2008

Active Directory Presentation: Active Directory as an Identity and Access (IDA) store

- Stores information about users, groups, computers and other identities
- Authenticates identities
- Controls access to resources
- Provides an audit trail

Active Directory Presentation: Consolidation of previous components

- Active Directory Domain Services, AD DS (identities)
- Active Directory Lightweight Directory Services, AD LDS (applications)
- Active Directory Certificate Services, AD CS (trust)
- Active Directory Rights Management Services, AD RMS (integrity)
- Active Directory Federation Services, AD FS (partnership)

Active Directory Presentation: Components of an Active Directory infrastructure

- Active Directory data store (ntds.dit)
- Domain controllers
- Domain
- Forest
- Tree
- Functional level
- Organizational units
- Sites

Active Directory Presentation: Preparing to create a new Windows Server 2008 forest

Decide before running the installation:
- The domain name(s)
- Whether pre-Windows Server 2008 domain controllers must be supported (this determines the forest and domain functional levels)
- Whether DNS will be Active Directory integrated
- The IP configuration of the domain controllers (static addresses)
- The user name and password of the administrator
- The location of the data store (ntds.dit) and of SYSVOL

Active Directory Presentation: Installing AD DS

- Adding the AD DS role using the Windows interface (Server Manager)
- Creating a domain controller (dcpromo)

Administration: Working with Active Directory snap-ins

Understanding the Microsoft Management Console (MMC)

Active Directory administrative tools:
- Active Directory Users and Computers
- Active Directory Sites and Services
- Active Directory Domains and Trusts
- Active Directory Schema (the snap-in must first be registered with regsvr32 schmmgmt.dll)

Administration: Working with Active Directory snap-ins

- Finding the Active Directory administrative tools
- Adding the administrative tools to your Start menu
- Running administrative tools with alternate credentials (Run as administrator, or runas from the command line)
- Creating, distributing and saving a custom console with Active Directory snap-ins

Administration: Creating objects in Active Directory

- Creating an organizational unit
- Creating a user object
- Creating a group object
- Creating a computer object
- Finding objects in Active Directory
- Understanding DNs, RDNs and CNs

Ex: the user "CN=Mike Fritzmaurice,OU=People,DC=contoso,DC=com" has that distinguished name (DN), the relative distinguished name (RDN) CN=Mike Fritzmaurice and the common name (CN) Mike Fritzmaurice.

Administration: Delegation and security of Active Directory objects

- Understanding delegation
- Viewing the ACL of an Active Directory object
- Object, property and control access rights
- Assigning a permission using the Advanced Security Settings dialog box
- Understanding and managing inheritance

Administration: Delegation and security of Active Directory objects

Reporting and viewing permissions from the command line (quote the DN when it contains spaces):

  dsacls "ou=people,dc=contoso,dc=com"

- Removing or resetting permissions on an object (dsacls ObjectDN /resetDefaultDACL restores the default ACL defined in the schema)
- Understanding effective permissions
- Designing an OU structure to support delegation
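As an added example, not part of the course slides, the following PowerShell script reports the permissions that were set directly on an OU, which is the part of a dsacls listing a delegation review cares about, and resolves the GUIDs of extended rights to their display names. It assumes PowerShell 2.0 or later on a domain member; the OU path is a placeholder.

```powershell
# Added example: report delegated (explicit, non-inherited) permissions on an AD object.
# Assumes PowerShell 2.0+ on a domain-joined machine; the OU below is a placeholder.

function ConvertTo-AccountName {
    # Translate a SID to DOMAIN\name; an orphaned SID (deleted principal) is kept as-is,
    # which is itself a finding: a delegation to an account that no longer exists.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }
}

function Resolve-AdRightGuid {
    # Translate the GUID of an extended right or property set into its display name by
    # looking it up under CN=Extended-Rights in the configuration partition.
    param([Guid]$Guid)
    $rootDse = [ADSI]"LDAP://RootDSE"
    $configDn = $rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configDn"
    $searcher.Filter = "(rightsGuid=$($Guid.ToString()))"
    $result = $searcher.FindOne()
    if ($result -ne $null) { return [string]$result.Properties["displayname"][0] }
    # Attribute GUIDs (schemaIDGUID) are not resolved here; show the raw value.
    return $Guid.ToString()
}

function Get-AdExplicitAce {
    # One record per ACE that was set on the object itself (inherited ACEs are skipped):
    # these are the delegations to review.
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $security = $entry.psbase.ObjectSecurity
    # GetAccessRules(includeExplicit, includeInherited, identityType)
    $rules = $security.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # An empty ObjectType means the ACE covers the whole object; otherwise it is the
        # GUID of the property, property set or extended right the ACE is limited to.
        if ($rule.ObjectType -eq [Guid]::Empty) { $appliesTo = "(entire object)" }
        else { $appliesTo = Resolve-AdRightGuid $rule.ObjectType }
        New-Object PSObject -Property @{
            Identity    = ConvertTo-AccountName $rule.IdentityReference
            Type        = $rule.AccessControlType      # Allow or Deny
            Rights      = $rule.ActiveDirectoryRights
            AppliesTo   = $appliesTo
            Inheritance = $rule.InheritanceType        # None, All, Descendents, ...
        }
    }
}

# Usage: Deny entries first, then the Allow entries, so that a reviewer can compare the
# listing with the documented delegation model for the OU.
Get-AdExplicitAce "OU=People,DC=contoso,DC=com" |
    Sort-Object Type, Identity |
    Format-Table Identity, Type, Rights, AppliesTo, Inheritance -AutoSize -Wrap
```

Run it against each OU where delegation was performed and compare the output with the intended model; an Allow for an individual user account rather than a group, or an identity that no longer resolves, is what this listing is meant to surface.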

Users: Automating the creation of user accounts

Creating users with templates: a template account is copied, and the attributes on the General, Address, Account, Profile, Organization and Member Of tabs that the schema marks as copyable are carried over to the new account. Because group membership (Member Of) is copied, a template must never be a member of a privileged group.

Users: Automating the creation of user accounts

Using the Active Directory command-line tools (the DS commands). Quote a DN that contains spaces.

Dsadd: creates an object in the directory
  Ex: dsadd user "cn=Mike Fritzmaurice,ou=people,dc=contoso,dc=com"

Dsget: returns specified attributes of an object
  Ex: dsget user "cn=Mike Fritzmaurice,ou=people,dc=contoso,dc=com" -hmdir

Dsmod: modifies specified attributes of an object
  Ex: dsmod user "cn=Mike Fritzmaurice,ou=people,dc=contoso,dc=com" -office Amsterdam

Dsrm: removes an object from the directory (moving an object to another container is done with dsmove, not dsrm; dsrm takes no object type keyword)
  Ex: dsrm "cn=Mike Fritzmaurice,ou=people,dc=contoso,dc=com"

Users: Creating users with Windows PowerShell and VBScript

PowerShell: a command line and a scripting language
- An installable feature of Windows Server 2008 (not installed by default)
- Direct manipulation of Microsoft .NET objects

Understanding Windows PowerShell: syntax, cmdlets, objects
- Cmdlet: Verb-Noun, a verb and a noun separated by a hyphen
  Ex: Get-Service and Start-Service
- Object: an instance of a class
- Using variables:
  $DNS = Get-Service DNS
  $DNS.Status

Users: Creating users with PowerShell and VBScript

PowerShell (ADSI): connect to the container (OU) in which the object will be created

  $objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"

Invoke the Create method of the container with the object class and the RDN of the new object

  $objUser = $objOU.Create("user", "CN=Mary North")

Populate attributes of the object with the Put method

  $objUser.Put("sAMAccountName", "mary.north")

Commit the changes to Active Directory with the object's SetInfo method

  $objUser.SetInfo()

A user created this way has no password and is disabled until a password is set and the account is enabled (see the following slides).

VBScript:

  Set objUser = GetObject("LDAP://UserDN")
  objUser.Put "company", "Contoso, Ltd."
  objUser.SetInfo

Users: Administering user accounts

Purpose of a user object: to support the authentication of a human being or of a service.

User accounts are provisioned, administered and deprovisioned.

Administrative tasks relative to user accounts are: resetting the password, unlocking the account, enabling and disabling, deleting, moving and renaming.

Users: Administering user accounts

Resetting a user's password

Command line (use -pwd * to be prompted, so that the password does not end up in the command history and process list):
  dsmod user UserDN -pwd NewPassword -mustchpwd yes

PowerShell: SetPassword takes effect immediately (no commit needed); forcing a change at next logon is an attribute write that must be committed with SetInfo
  $objUser = [ADSI]"LDAP://UserDN"
  $objUser.SetPassword("NewPassword")
  $objUser.Put("pwdLastSet", 0)
  $objUser.SetInfo()

VBScript:
  Set objUser = GetObject("LDAP://UserDN")
  objUser.SetPassword "NewPassword"
  objUser.Put "pwdLastSet", 0
  objUser.SetInfo

Users: Administering user accounts

Unlocking a user account: the DS commands have no unlock switch. In PowerShell the same ADSI object can clear the lock by writing 0 to the lockoutTime attribute and calling SetInfo(); in VBScript:
  Set objUser = GetObject("LDAP://UserDN")
  objUser.IsAccountLocked = False
  objUser.SetInfo

Disabling and enabling a user account
  Command line: dsmod user UserDN -disabled yes (use -disabled no to enable)
  PowerShell:
    $objUser = [ADSI]"LDAP://UserDN"
    $objUser.psbase.InvokeSet("AccountDisabled", $true)
    $objUser.SetInfo()
  VBScript:
    Set objUser = GetObject("LDAP://UserDN")
    objUser.AccountDisabled = True
    objUser.SetInfo

Users: Administering user accounts

Deleting a user account
  Command line: dsrm UserDN
  PowerShell:
    $objOU = [ADSI]"LDAP://OrganizationalUnitDN"
    $objOU.Delete("user", "CN=UserCN")
  VBScript:
    Set objOU = GetObject("LDAP://OrganizationalUnitDN")
    objOU.Delete "user", "CN=UserCN"

Moving a user account
  Command line: dsmove UserDN -newparent TargetOUDN
  PowerShell:
    $objUser = [ADSI]"LDAP://UserDN"
    $objUser.psbase.MoveTo([ADSI]"LDAP://TargetOUDN")
  VBScript (the second argument of MoveHere is the new RDN; vbNullString keeps the current name):
    Set objOU = GetObject("LDAP://TargetOUDN")
    objOU.MoveHere "LDAP://UserDN", vbNullString
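The user administration tasks of the last four slides (creation, password reset, unlocking, disabling, moving and deleting), gathered into one script as an added example; it is not code from the course. It relies on the same ADSI calls the slides use (Create, Put, SetInfo, SetPassword, InvokeSet, MoveTo, DeleteTree) and assumes PowerShell 2.0 or later on a domain member, run with an account that has the needed rights on the OUs; DNs, names and the initial password are placeholders.

```powershell
# Added example: provisioning and administration helpers for user objects built on ADSI.
# Assumes PowerShell 2.0+ on a domain member; DNs, names and passwords are placeholders.

function New-AdsiUser {
    param([string]$OuDn, [string]$Common, [string]$SamAccountName,
          [string]$Upn, [string]$Password)
    $ou = [ADSI]"LDAP://$OuDn"
    $user = $ou.Create("user", "CN=$Common")
    $user.Put("sAMAccountName", $SamAccountName)
    $user.Put("userPrincipalName", $Upn)
    $user.Put("displayName", $Common)
    # The object must exist before a password can be set, so commit first.
    # At this point the account is disabled and carries PASSWD_NOTREQD (0x20).
    $user.SetInfo()
    $user.SetPassword($Password)
    # The initial password is known to the helpdesk: force a change at first logon.
    $user.Put("pwdLastSet", 0)
    # 512 = NORMAL_ACCOUNT, enabled, password required: this clears both
    # ACCOUNTDISABLE (0x2) and PASSWD_NOTREQD, which would otherwise allow an empty password.
    $user.Put("userAccountControl", 512)
    $user.SetInfo()
    return $user
}

function Reset-AdsiUserPassword {
    param([string]$UserDn, [string]$NewPassword)
    $user = [ADSI]"LDAP://$UserDn"
    $user.SetPassword($NewPassword)   # takes effect immediately, no SetInfo needed
    $user.Put("pwdLastSet", 0)        # must change at next logon: this one needs SetInfo
    $user.SetInfo()
}

function Unlock-AdsiUser {
    # Equivalent of the "Unlock account" check box: a lockoutTime of 0 clears the lock.
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $user.Put("lockoutTime", 0)
    $user.SetInfo()
}

function Set-AdsiUserEnabled {
    param([string]$UserDn, [bool]$Enabled)
    $user = [ADSI]"LDAP://$UserDn"
    $user.psbase.InvokeSet("AccountDisabled", (-not $Enabled))
    $user.SetInfo()
}

function Move-AdsiUser {
    param([string]$UserDn, [string]$TargetOuDn)
    $user = [ADSI]"LDAP://$UserDn"
    $user.psbase.MoveTo([ADSI]"LDAP://$TargetOuDn")
}

function Remove-AdsiUser {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $user.psbase.DeleteTree()
}

# Usage (placeholders): provision, clear a lockout, then deprovision in two steps:
# disable and park the account in a holding OU first, delete it only after the retention period.
$peopleOu = "OU=People,DC=contoso,DC=com"
$dn = "CN=Mary North,$peopleOu"
New-AdsiUser $peopleOu "Mary North" "mary.north" 'mary.north@contoso.com' 'Initial-P@ssw0rd-2008' | Out-Null
Reset-AdsiUserPassword $dn 'Second-P@ssw0rd-2008'
Unlock-AdsiUser $dn
Set-AdsiUserEnabled $dn $false
Move-AdsiUser $dn "OU=Disabled,DC=contoso,DC=com"
Remove-AdsiUser "CN=Mary North,OU=Disabled,DC=contoso,DC=com"
```

The order in New-AdsiUser matters: SetInfo before SetPassword (the object must exist), then the userAccountControl write after the password is in place, otherwise the domain password policy rejects enabling an account that still has no password.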

Groups: Creating and managing groups

Defining group naming conventions: the name should reflect the type and the purpose of the group
  Ex: ACL_Sales Folder_Read

Understanding group types: Security and Distribution

Understanding group scope: Local, Domain Local, Global, Universal

Groups: Understanding scope

Local groups
  Replication: the group is defined only in the local SAM of a member server or workstation; the group and its membership are not replicated to any other system
  Membership:
  - Any security principal from the domain: users, computers, global groups or domain local groups
  - Users, computers and global groups from any domain in the forest
  - Users, computers and global groups from any trusted domain
  - Universal groups defined in any domain in the forest
  Availability: only on that computer (computer-wide scope); it cannot be made a member of any other group

Groups: Understanding scope

Domain local groups
  Replication: to every domain controller in the domain
  Membership:
  - Users, computers, global groups or other domain local groups from the same domain
  - Users, computers and global groups from any domain in the forest
  - Users, computers and global groups from any trusted domain
  - Universal groups defined in any domain in the forest
  Availability: can be added to ACLs on any resource on any member of its domain; can be a member of other domain local groups of the same domain or of a computer local group

Groups: Understanding scope

Global groups
  Replication: to all domain controllers in the domain
  Membership: users, computers and other global groups from the same domain only
  Availability: can be used by all members of the domain, by every other domain in the forest and by every external trusting domain; can be added to any domain local or universal group in the domain or forest; can be added to ACLs in the domain, in the forest or in a trusting domain

Groups: Understanding scope

Universal groups
  Replication: defined in a single domain but replicated to the global catalog, membership list included, so every membership change replicates forest-wide
  Membership: users, global groups and other universal groups from any domain in the forest
  Availability: can be a member of a universal group or of a domain local group anywhere in the forest; can also be used on ACLs to manage resources, as a domain local group is

Groups: Converting group scope and type

A group type can be converted at any time. Converting a security group to a distribution group makes it stop being a security principal: the ACEs that name the group no longer grant or deny anything until it is converted back.

A group scope can be changed in the following ways:
- Global to Universal (only if the group is not itself a member of another global group)
- Domain Local to Universal (only if the group does not contain another domain local group)
- Universal to Global (only if the group does not contain another universal group)
- Universal to Domain Local

Groups: Managing group membership

Members can be added to or removed from a group. Group nesting follows the AGDLP pattern: accounts are members of global groups (roles); global groups are members of domain local groups that represent management rules; the domain local groups are added to access control lists (ACLs) with the level of access the rule requires.

Groups: Automating the creation and management of groups

Creating groups with dsadd:
  dsadd group GroupDN [options]
  Ex: dsadd group "cn=Marketing,ou=Groups,dc=contoso,dc=com" -samid Marketing -secgrp yes -scope g

Attributes of a group:
- -secgrp {yes | no}: specifies the group type (yes: security, no: distribution)
- -scope {l | g | u}: determines the scope: domain local (l), global (g) or universal (u)
- -samid Name: specifies the sAMAccountName of the group
- -desc Description: configures the group description
- -members MemberDN ...: adds members to the group

Groups: Importing groups with CSVDE

Introduced in chapter 3, csvde imports and exports data from comma-separated value files. The first line names the attributes; the member attribute is multi-valued, so its DNs are separated with semicolons, and fields that contain commas (every DN) are quoted:

  objectClass,sAMAccountName,DN,member
  group,Marketing,"CN=Marketing,OU=Groups,DC=contoso,DC=com","CN=linda mitchel,OU=people,DC=contoso,DC=com;CN=scomitchel,OU=people,DC=contoso,DC=com"

The file is imported into Active Directory with:
  csvde -i -f filename -k

(-i switches to import mode, -f names the file, -k continues past errors such as "object already exists")

Csvde can create and export objects; it cannot modify or delete existing ones (use ldifde for that).

Groups: Retrieving group membership with dsget

Active Directory Users and Computers has no option to list all the members of a group including nested members.

Dsget can retrieve all members of a group, including nested members, or all the groups of which a user is a member:
  dsget group GroupDN -members [-expand]
  dsget user UserDN -memberof [-expand]
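What -expand computes, written out as an added example (not from the course): the effective membership of a group in two ways, a recursive walk that records the nesting path through which each account is a member, and a single server-side LDAP query using the transitive matching rule 1.2.840.113556.1.4.1941 (available on Windows Server 2003 SP2 and later domain controllers). It assumes PowerShell 2.0 or later on a domain member; the group DN is a placeholder.

```powershell
# Added example: enumerate nested (effective) group membership.
# Assumes PowerShell 2.0+ on a domain member; group DNs are placeholders.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 metacharacters so that a DN can be embedded in a filter.
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-AdNestedMember {
    # Recursive expansion. $Seen guards against nesting loops (A in B, B in A) and
    # against reporting the same account twice when it is reachable through two groups.
    param([string]$GroupDn, [string]$Path = "", [hashtable]$Seen = @{})
    if ($Path -eq "") { $Path = $GroupDn }
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in @($group.member)) {
        if (-not $memberDn) { continue }                 # empty group
        if ($Seen.ContainsKey([string]$memberDn)) { continue }
        $Seen[[string]$memberDn] = $true
        $member = [ADSI]"LDAP://$memberDn"
        $class = $member.psbase.SchemaClassName          # user, computer, group, ...
        New-Object PSObject -Property @{
            Member = [string]$memberDn
            Class  = $class
            Via    = $Path
        }
        if ($class -eq "group") {
            Get-AdNestedMember -GroupDn $memberDn -Path "$Path > $memberDn" -Seen $Seen
        }
    }
}

function Get-AdTransitiveMember {
    # Same result in one query evaluated by the DC; no path information, but it is not
    # limited by the 1500-value range that the member attribute is returned in.
    param([string]$GroupDn)
    $rootDse = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.PageSize = 500
    $searcher.Filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $GroupDn))"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties["distinguishedname"][0]
    }
}

# Usage: who really ends up in Domain Admins, and through which nesting path.
$domainAdmins = "CN=Domain Admins,CN=Users,DC=contoso,DC=com"
Get-AdNestedMember $domainAdmins | Format-Table Member, Class, Via -AutoSize -Wrap
# Cross-check the walk against the server-side expansion.
(Get-AdTransitiveMember $domainAdmins | Measure-Object).Count
```

The recursive walk is the one to use when you need to explain to an auditor why an account is a member (the Via column); the matching-rule query is the one to schedule, because the DC does the work and large groups do not need range retrieval.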

Groups: Changing group membership with dsmod

  dsmod group GroupDN [options]
  -addmbr MemberDN ...: adds members to the group
  -rmmbr MemberDN ...: removes members from the group

  Ex: dsmod group "cn=research,ou=Groups,dc=contoso,dc=com" -addmbr "cn=mike danseglio,ou=people,dc=contoso,dc=com"

Dsget can be piped into dsmod; here the members of Sales are added to Marketing:
  dsget group "cn=sales,ou=groups,dc=contoso,dc=com" -members | dsmod group "cn=marketing,ou=Groups,dc=contoso,dc=com" -addmbr

Groups: Moving and renaming groups with dsmove

  dsmove ObjectDN [-newname NewName] [-newparent ParentDN]

To change the name of the Marketing group to Public Relations:
  dsmove "cn=marketing,ou=groups,dc=contoso,dc=com" -newname "Public Relations"

To move that group to the Marketing OU:
  dsmove "cn=Public Relations,ou=groups,dc=contoso,dc=com" -newparent "ou=Marketing,dc=contoso,dc=com"

Groups: Deleting groups with dsrm

Basic syntax:
  dsrm ObjectDN [-subtree [-exclude]] [-noprompt] [-c]

- The object is specified by its DN
- You are asked to confirm each deletion unless -noprompt is specified
- -c puts the command in continuous operation mode: errors are reported and the command continues; without it the command stops at the first error
- -subtree deletes the object and everything beneath it; with -exclude the object itself is kept and only the subtree is deleted

  Ex: dsrm "CN=Public Relations,ou=Marketing,dc=contoso,dc=com"

Groups: Managing group membership with Windows PowerShell and VBScript

- Determine the ADsPath of the member
- Connect to the group
- Use the Add or Remove method, specifying the ADsPath

PowerShell:
  $MemberADsPath = "LDAP://cn=Mike Danseglio,OU=people,dc=contoso,dc=com"
  $objGroup = [ADSI]"LDAP://CN=Research,OU=Groups,DC=contoso,DC=com"
  $objGroup.Add($MemberADsPath)

VBScript:
  MemberADsPath = "LDAP://cn=Mike Danseglio,OU=people,dc=contoso,dc=com"
  Set objGroup = GetObject("LDAP://CN=Research,OU=Groups,DC=contoso,DC=com")
  objGroup.Add MemberADsPath

To remove a member, use the Remove method instead of Add.

Groups: Administering groups in an enterprise

Best practices for group attributes:
- Establish and adhere to a strict naming convention
- Summarize a group's purpose in its description attribute
- Detail a group's purpose in its Notes (the info attribute)

Groups: Protecting groups from accidental deletion

A group is used to manage resources: deleting it means its members lose access, or that those who were denied access through the group regain it.

Recreating the group does not restore access, because the new group has a different SID and the ACEs still reference the old one.

Instead, perform a recovery to reanimate the group before the tombstone lifetime is reached (60 days in forests created before Windows Server 2003 SP1, 180 days in forests created afterwards); after that the object is purged from Active Directory.

To protect a group:
- In the Active Directory Users and Computers snap-in, open the View menu and make sure Advanced Features is selected
- Open the Properties dialog box of the group
- On the Object tab, select the Protect Object From Accidental Deletion check box
- Click OK. This is one of the few places in Windows where you actually have to click OK: clicking Apply does not modify the ACL based on your selection

The check box adds Deny entries for Everyone on the Delete and Delete Subtree permissions of the object.
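The same object-level protection applied and verified from PowerShell, as an added example that is not part of the course slides: it writes the Deny ACE for Everyone (SID S-1-1-0) on the Delete and Delete Subtree rights, so that it can be done for every group in an OU at once. It assumes PowerShell 2.0 or later and an account allowed to modify the objects' DACL; the OU DN is a placeholder. The example writes only the entries on the object itself; compare the result with what the snap-in produces in the Advanced Security Settings dialog.

```powershell
# Added example: protect AD objects from accidental deletion by ACL, as the check box does.
# Assumes PowerShell 2.0+ and rights to modify the DACL; the OU below is a placeholder.

$ProtectRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor `
                 [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$Everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$Deny = [System.Security.AccessControl.AccessControlType]::Deny

function Test-AdObjectProtected {
    # True when an explicit Deny for Everyone covers both Delete and Delete Subtree.
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne $Deny) { continue }
        if ($rule.IdentityReference.Value -ne $Everyone.Value) { continue }
        if (($rule.ActiveDirectoryRights -band $ProtectRights) -eq $ProtectRights) { return $true }
    }
    return $false
}

function Protect-AdObject {
    param([string]$DistinguishedName)
    if (Test-AdObjectProtected $DistinguishedName) { return }
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Everyone, $ProtectRights, $Deny)
    $entry.psbase.ObjectSecurity.AddAccessRule($rule)
    # No Apply/OK distinction here: CommitChanges writes the modified DACL.
    $entry.psbase.CommitChanges()
}

function Unprotect-AdObject {
    # Needed before an intentional deletion; removes exactly the rule added above.
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Everyone, $ProtectRights, $Deny)
    $entry.psbase.ObjectSecurity.RemoveAccessRuleSpecific($rule)
    $entry.psbase.CommitChanges()
}

# Usage: protect every group under the Groups OU that is not protected yet, and report.
$ou = [ADSI]"LDAP://OU=Groups,DC=contoso,DC=com"
foreach ($child in $ou.psbase.Children) {
    if ($child.psbase.SchemaClassName -ne "group") { continue }
    $dn = [string]$child.distinguishedName
    Protect-AdObject $dn
    "{0}: protected={1}" -f $dn, (Test-AdObjectProtected $dn)
}
```

Because the Deny applies to Everyone, administrators included, a protected group can only be deleted after Unprotect-AdObject (or clearing the check box); that extra step is the whole point of the protection.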

Groups: Delegating the management of group membership

Delegating membership management with the Managed By tab: select the manager and tick "Manager can update membership list", which grants that principal write permission on the group's member attribute and nothing else.

Groups: Understanding default groups

A group that contains the same users as an OU is still a separate object: OUs delegate administration and apply Group Policy, groups grant access.

Default groups (created with the domain):
- Enterprise Admins
- Schema Admins
- Administrators
- Domain Admins
- Server Operators
- Account Operators
- Backup Operators
- Print Operators

Be careful when adding members to these groups: they are very powerful. Backup Operators, for example, can read every file on a domain controller through backup, including the directory database.

Special identities

These groups are controlled by the operating system and are not visible in Active Directory Users and Computers; they can be seen when permissions are assigned. Their membership is determined by how a principal connects, not by an administrator:
- Anonymous Logon
- Authenticated Users
- Everyone
- Interactive
- Network

Computers: Creating computers and joining the domain

The default configuration of any version of Windows is a workgroup.

Before you can log on to a computer with a domain account, that computer must belong to the domain. To join the domain, the computer must have an account which, like a user account, includes a logon name (sAMAccountName, the computer name followed by $), a password and a security identifier (SID).

Those credentials enable the computer to authenticate against the domain and to create the secure relationship that lets users log on to the system with a domain account.

Computers: Creating computers and joining the domain

Understanding workgroups, domains and trust

In a workgroup, each system maintains its own identity store of user and group accounts against which users are authenticated and access is granted.

The local identity store on each computer is called the Security Accounts Manager (SAM) database.

If a user connects to another system, to access a file for example, the user is re-authenticated against the identity store of the remote system.

From a security perspective, a workgroup member is, for all intents and purposes, a stand-alone system.

Computers: Creating computers and joining the domain

Understanding workgroups, domains and trust

When a computer joins a domain, it delegates the task of authenticating users to the domain.

The computer continues to maintain its SAM database to support local user and group accounts. When a user logs on to the computer with a domain account, the user is authenticated by a domain controller rather than by the computer's SAM.

Said another way, the computer trusts another authority to validate a user's identity.

Trust is generally discussed in the context of two domains, but there is also a trust between each domain member computer and its domain, established when the computer joins the domain.

Computers: Creating computers and joining the domain

Identifying requirements for joining a computer to the domain

Three things are required to join a computer to an Active Directory domain:
- A computer object must be created in the directory service
- You must have the appropriate permissions on the computer object; they allow you to join a computer with the same name as the object to the domain
- You must be a member of the local Administrators group on the computer to change its domain or workgroup membership

Computers: Creating computers and joining the domain

The Computers container

When you create a domain, the Computers container is created by default (CN=Computers). This container is not an OU; it is an object of class container.

There is a subtle but important difference between a container and an OU: you cannot create an OU within a container, so you cannot subdivide the Computers container, and you cannot link a GPO to a container.

Therefore it is highly recommended to create custom OUs to host computer objects instead of using the Computers container.

Computers: Creating computers and joining the domain

Creating OUs for computers

Most organizations create at least two OUs for computer objects: one to host the computer accounts of clients and another for servers, besides the Domain Controllers OU created by default during the installation of Active Directory.

Your administrative model might require further dividing your client and server OUs for specific types of management. For instance, your server OU might contain other OUs for database, file and print servers. By doing so, the team of administrators for each type of server can be delegated permission to manage the computer objects in the appropriate OU.

Additionally, separate OUs enable you to create different baseline configurations, using different GPOs linked to the client and server OUs.

Computers: Creating computers and joining the domain

Delegating permission to create computers

By default, the Enterprise Admins, Domain Admins, Administrators and Account Operators groups have permission to create computer objects in a new OU. However, it is recommended that you tightly restrict the membership of the first three and that you do not add any member to the Account Operators group. Instead, delegate permission to create computer objects to the appropriate support personnel.

The permission required to create a computer object is Create Computer Objects. Assigned to a group on an OU, it allows members of the group to create computer objects in that OU.

Computers: Creating computers and joining the domain

Prestaging a computer account

Once you have the permission to create computer objects, you can do so by right-clicking the OU and choosing Computer from the New menu.

- Enter the name, following the naming convention of your enterprise
- Select the user or group that will be allowed to join the computer to the domain by clicking the Change button

This process is called prestaging the account. It has the advantage of creating the object in the correct OU, with the right to join it restricted to the principal you selected.

Computers: Creating computers and joining the domain

Importance of prestaging computer objects

The best practice is to prestage a computer account before joining the computer to the domain. Unfortunately, Windows lets you join a computer without following this best practice: you can log on to the workgroup computer as a local administrator and change the computer's membership to the domain. There are three problems with this behavior:

- The computer object is created in the default Computers container, so you must move it to the correct OU afterwards
- No domain-level administrative privilege is required: any authenticated user can join a computer to the domain (see ms-DS-MachineAccountQuota below)
- This exposes a potential security weakness, because a computer object is a security principal: the creator becomes the owner of the object and can change its attributes

Computers: Creating computers and joining the domain

Importance of prestaging computer objects

When you join a computer to the domain without prestaging it, Windows creates the object in the default Computers container; the problems this causes were discussed earlier.

Two steps are recommended to reduce the likelihood of this problem:
- First, always try to prestage computer accounts
- Second, change the default computer container so that it is no longer the Computers container itself but an OU that is subject to appropriate delegation and configuration. The command (run on a domain controller as a Domain Admin; it requires the Windows Server 2003 domain functional level or higher) is:

  redircmp "DN of the OU for new computer objects"

Computers: Creating computers and joining the domain

Importance of prestaging computer objects: restricting the ability of users to create computers

When a computer object is prestaged, the permissions on the account determine who is allowed to join the computer to the domain. When it is not prestaged, Windows allows any authenticated user to join the computer to the domain, creating the object in the default computer container.

By default, Windows allows any authenticated user to create up to ten computer objects in the default computer container. The quota of ten is configured by the ms-DS-MachineAccountQuota attribute of the domain object. It allows any authenticated user to join a computer to the domain, no questions asked.

Computers: Creating computers and joining the domain

Importance of prestaging computer objects

It is highly recommended that you close this loophole so that non-administrative users cannot join computers to the domain. To change the ms-DS-MachineAccountQuota attribute, open the domain object in ADSI Edit (Default naming context, right-click the domain node, Properties), edit ms-DS-MachineAccountQuota and set it to 0.

Computers: Automating the creation of computer objects

As with user objects, you can import computers with LDIFDE or CSVDE.

You can also create computer objects with dsadd computer, netdom add, PowerShell (ADSI) or VBScript.
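The hardening of the previous slides scripted end to end, as an added example that is not part of the course: read and set ms-DS-MachineAccountQuota, show and redirect the default computer container, and prestage a computer object with the same attribute values the snap-in writes. It assumes PowerShell 2.0 or later run on a domain controller as a Domain Admin (redircmp.exe requires that); the OU names and the computer name are placeholders. The join permission grant that the snap-in's Change button performs is not reproduced.

```powershell
# Added example: close the machine-account-quota loophole and prestage computers properly.
# Assumes PowerShell 2.0+ on a domain controller, run as Domain Admin; names are placeholders.

$RootDse  = [ADSI]"LDAP://RootDSE"
$DomainDn = [string]$RootDse.defaultNamingContext

function Get-MachineAccountQuota {
    $domain = [ADSI]"LDAP://$DomainDn"
    return [int]$domain.psbase.Properties["ms-DS-MachineAccountQuota"].Value
}

function Set-MachineAccountQuota {
    # 0 removes the quota: only principals holding Create Computer Objects on an OU (or
    # the join right on a prestaged object) can still add computers to the domain.
    param([int]$Quota)
    $domain = [ADSI]"LDAP://$DomainDn"
    $domain.Put("ms-DS-MachineAccountQuota", $Quota)
    $domain.SetInfo()
}

function Get-DefaultComputerContainer {
    # The default container is recorded in the domain's wellKnownObjects attribute as
    # B:32:<GUID>:<DN>; AA312825768811D1ADED00C04FD8D5CD is the computers-container GUID.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DomainDn"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter = "(objectClass=domainDNS)"
    [void]$searcher.PropertiesToLoad.Add("wellKnownObjects")
    $result = $searcher.FindOne()
    foreach ($value in $result.Properties["wellknownobjects"]) {
        $text = [string]$value
        if ($text -like "B:32:AA312825768811D1ADED00C04FD8D5CD:*") {
            return $text.Split(':', 4)[3]
        }
    }
}

function Redirect-DefaultComputerContainer {
    param([string]$OuDn)
    & redircmp.exe $OuDn
    if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }
}

function New-PrestagedComputer {
    # Creates the object the way New > Computer does, minus the join-permission grant:
    # with the quota at 0 only an account that already has rights on the OU can finish the join.
    param([string]$Name, [string]$OuDn)
    $ou = [ADSI]"LDAP://$OuDn"
    $computer = $ou.Create("computer", "CN=$Name")
    $computer.Put("sAMAccountName", ($Name.ToUpper() + '$'))
    # 4128 = 0x1020 = WORKSTATION_TRUST_ACCOUNT (0x1000) + PASSWD_NOTREQD (0x20): the flags
    # of a prestaged account that has not joined yet (the join sets the real password).
    $computer.Put("userAccountControl", 4128)
    $computer.SetInfo()
    return $computer
}

# Usage: audit, harden, verify.
"Before: quota={0}, default container={1}" -f (Get-MachineAccountQuota), (Get-DefaultComputerContainer)
Redirect-DefaultComputerContainer "OU=Workstations,DC=contoso,DC=com"
Set-MachineAccountQuota 0
New-PrestagedComputer "WS-FIN-0042" "OU=Workstations,DC=contoso,DC=com" | Out-Null
"After:  quota={0}, default container={1}" -f (Get-MachineAccountQuota), (Get-DefaultComputerContainer)
```

Redirecting the container is only half of the fix: with the quota left at 10, unprestaged joins simply land in the new OU and inherit whatever GPOs are linked there, which is why the example sets the quota to 0 as well.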

Computers: Supporting computer objects and accounts

- A computer account begins its life cycle when it is created and when the computer joins the domain
- Day-to-day administrative tasks include:
  - Configuring computer properties
  - Moving computers between OUs
  - Managing the computer itself
  - Renaming, resetting, disabling, enabling and eventually deleting the computer object

Computers: Supporting computer objects and accounts

Understanding the computer secure channel

Every computer in an Active Directory domain maintains a computer account with a user name (sAMAccountName) and a password, just like a user account does. The computer stores its password in the form of a Local Security Authority (LSA) secret and changes it every 30 days by default (the interval is the policy "Domain member: Maximum machine account password age").

The Netlogon service uses these credentials to log on to the domain, which establishes the secure channel with a domain controller.

Computers: Supporting computer objects and accounts

Recognizing computer account problems

Computer accounts and the secure relationships between computers and their domain are robust. However, there are scenarios in which a computer is no longer able to authenticate with the domain, for example:
- After reinstalling the operating system on a workstation: the fresh installation has a new local SID and, more to the point, no copy of the account password (the LSA secret), so it cannot authenticate with the domain even if the computer object still exists
- After a computer is completely restored from an outdated backup, older than 30 days: the password changes every 30 days, so the password in the backup is no longer the one known by the domain
- When a computer's LSA secret gets out of sync with the password known by the domain; it is as if the computer had forgotten its password

Computers: Supporting computer objects and accounts

Recognizing computer account problems

The most common signs of computer account problems are:
- Messages at logon indicating that the domain could not be contacted
- The computer account is missing
- The password on the computer account is incorrect
- The trust relationship between the computer and the domain has been lost (the logon message "The trust relationship between this workstation and the primary domain failed")

(The slide shows an example of this message in a figure that is not reproduced here.)
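Detecting and repairing a broken secure channel without removing the computer from the domain, as an added example that is not part of the course slides. It uses nltest.exe and netdom.exe, both shipped with Windows Server 2008 (on client versions netdom comes with the Remote Server Administration Tools), run on the affected computer as a local administrator, and assumes PowerShell 2.0 or later; the domain controller and account names are placeholders.

```powershell
# Added example: check the computer secure channel and reset the machine account password.
# Run on the affected computer as a local administrator; assumes PowerShell 2.0+.

function Test-SecureChannel {
    param([string]$Domain = $env:USERDOMAIN)
    # nltest asks Netlogon for the state of the secure channel to the given domain.
    $output = (& nltest.exe "/sc_query:$Domain" 2>&1) | Out-String
    New-Object PSObject -Property @{
        Domain  = $Domain
        Healthy = [bool]($output -match "NERR_Success")
        Detail  = $output.Trim()
    }
}

function Get-NetlogonError {
    # The System log records the failures the slides describe (source NETLOGON); each
    # message names the domain controller and the computer account involved.
    param([int]$Newest = 20)
    Get-EventLog -LogName System -Source NETLOGON -EntryType Error -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, Message
}

function Repair-SecureChannel {
    # netdom resetpwd changes the computer account password on the named domain controller
    # and in the local LSA secret at the same time, so the two are in sync again.
    # /passwordd:* prompts for the password instead of putting it on the command line.
    param([string]$DomainController, [string]$AdminUser)
    & netdom.exe resetpwd "/server:$DomainController" "/userd:$AdminUser" "/passwordd:*"
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
}

# Usage: check first; only reset when the channel is really broken.
$state = Test-SecureChannel
$state | Format-List Domain, Healthy, Detail
if (-not $state.Healthy) {
    Get-NetlogonError | Format-Table -AutoSize -Wrap
    Repair-SecureChannel "dc01.contoso.com" "CONTOSO\helpdesk-admin"
    # Restart the computer afterwards so that Netlogon re-establishes the channel.
}
```

On Windows Server 2008 R2 and Windows 7, PowerShell 2.0 adds Test-ComputerSecureChannel and Reset-ComputerMachinePassword, which wrap the same two operations; the nltest and netdom calls above also work on Windows Server 2008 RTM.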

Group Policy infrastructure: Implementing Group Policy

Group Policy is a feature of Windows that enables you to manage change and configuration for users and computers from a central point of administration.

Policy settings: the most granular component of Group Policy is an individual policy setting.

Group Policy Objects (GPOs): a GPO is an object that contains one or more policy settings and thereby applies one or more configuration settings to a user or computer.

Group Policy infrastructure: Implementing Group Policy

Editing a GPO: a GPO is divided in two parts, Computer Configuration and User Configuration.

Configuring a policy setting: Not Configured, Enabled or Disabled.

Scope: the collection of users and computers that will apply the settings in the GPO.

Resultant Set of Policy (RSoP): the settings that actually apply to a given user or computer once all the GPOs in scope are combined.

Group Policy refresh: the periodic re-application of the GPOs in scope.

Group Policy infrastructure: Implementing Group Policy

Group Policy refresh: after the initial application at startup and logon, every 90 minutes with a random offset of 0 to 30 minutes (so every 90 to 120 minutes); domain controllers refresh every 5 minutes.

Group Policy Client and client-side extensions (CSEs): the Group Policy Client service retrieves the GPOs; each CSE applies one category of settings.

Slow links and disconnected systems: the client detects the connection speed; a link is considered slow below 500 Kbps. When the computer works disconnected, the previously applied GPOs remain in effect, except that startup, shutdown, logon and logoff scripts do not run while disconnected.

Group Policy objects: local GPOs (the local computer policy; Windows Vista and Windows Server 2008 add Administrators, Non-Administrators and per-user local GPOs).

Group Policy infrastructure: Domain-based GPOs

- Default Domain Policy (holds the account and password policy of the domain)
- Default Domain Controllers Policy (user rights and audit policy on the domain controllers)
- Creating, linking and editing GPOs
- GPO storage: the Group Policy container in Active Directory (under CN=Policies,CN=System) and the Group Policy template in SYSVOL
- GPO replication: the container by Active Directory replication, the template by FRS or DFS-R replication of SYSVOL

Policy settings: Computer Configuration and User Configuration
- Software Settings node
- Windows Settings node
- Administrative Templates node
- Preferences node: new to Windows Server 2008, adds more than 20 CSEs

Group Policy infrastructure: Administrative Templates node

Central store: new to Windows Server 2008. It resides in SYSVOL (\\domain\SYSVOL\domain\Policies\PolicyDefinitions) and holds all the ADMX and ADML files required; once it is set up, the Group Policy Management Editor (GPME) loads all the administrative templates from it instead of from the local computer.

- Filtering administrative template policy settings
- Commenting
- Starter GPOs: contain Administrative Templates settings only; a GPO can be created from a starter GPO, in which case it starts with the settings of the starter GPO
- Managed and unmanaged policy settings (an unmanaged setting tattoos the registry: it remains after the GPO no longer applies)

Managing Group Policy scope: GPO links

- Linking a GPO to multiple OUs
- Deleting or disabling a GPO link
- GPO inheritance and precedence: local, site, domain, OU (LSDOU); the GPO processed last wins a conflict
- Precedence of multiple GPOs linked to the same container (link order)
- Block Policy Inheritance
- Enforcing a GPO link (an enforced link wins over conflicting settings in child containers and cannot be blocked)

Managing Group Policy scope: Using security filtering to modify GPO scope

- Filtering a GPO to apply to specific groups: a principal receives the GPO when it has Allow Read and Allow Apply Group Policy on the GPO (by default Authenticated Users has both)
- Filtering a GPO to exclude specific groups: add a Deny Apply Group Policy entry for the group; a Deny wins over any Allow

Enabling or disabling GPOs and GPO nodes:
- Enabled: the Computer and User configuration settings are processed by the CSEs during the policy refresh
- All Settings Disabled: the CSEs do not process the GPO during the policy refresh
- Computer configuration settings disabled or User configuration settings disabled: that half of the GPO is not processed during the policy refresh
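Security filtering audited from the GPO ACLs, as an added example that is not part of the course: for every GPO in the domain it reports which principals can read it and whether Apply Group Policy (extended right edacfd8f-ffb3-11d1-b41d-00a0c968f939) is allowed or denied for them, so that the Deny entries used to exclude groups are visible in one table. It assumes PowerShell 2.0 or later on a domain member; the domain is discovered from RootDSE.

```powershell
# Added example: list the security filtering of every GPO in the domain.
# Assumes PowerShell 2.0+ on a domain member; no placeholder names are needed.

$ApplyGroupPolicyGuid = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ReadProperty  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$Deny = [System.Security.AccessControl.AccessControlType]::Deny

function ConvertTo-AccountName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }   # deleted group: the filter now names an orphaned SID
}

function Get-GpoSecurityFilter {
    # One record per GPO and principal: can it read the GPO, and is Apply Group Policy
    # allowed, denied or not granted at all for it.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(objectClass=groupPolicyContainer)"
    [void]$searcher.PropertiesToLoad.Add("displayName")
    foreach ($result in $searcher.FindAll()) {
        $gpo  = $result.GetDirectoryEntry()
        $name = [string]$result.Properties["displayname"][0]
        $rules = $gpo.psbase.ObjectSecurity.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        $byPrincipal = @{}
        foreach ($rule in $rules) {
            $key = $rule.IdentityReference.Value
            if (-not $byPrincipal.ContainsKey($key)) {
                $byPrincipal[$key] = New-Object PSObject -Property @{
                    Gpo = $name; Principal = (ConvertTo-AccountName $rule.IdentityReference)
                    Read = $false; Apply = "(none)" }
            }
            $record = $byPrincipal[$key]
            $isDeny = ($rule.AccessControlType -eq $Deny)
            if ((($rule.ActiveDirectoryRights -band $ReadProperty) -ne 0) -and (-not $isDeny)) {
                $record.Read = $true
            }
            # An ExtendedRight ACE with an empty ObjectType covers every extended right.
            if ((($rule.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
                (($rule.ObjectType -eq $ApplyGroupPolicyGuid) -or ($rule.ObjectType -eq [Guid]::Empty))) {
                if ($isDeny) { $record.Apply = "Deny" }                 # Deny always wins
                elseif ($record.Apply -ne "Deny") { $record.Apply = "Allow" }
            }
        }
        $byPrincipal.Values
    }
}

# Usage: the full filter table, then only the GPOs that exclude someone with a Deny.
$filters = Get-GpoSecurityFilter
$filters | Sort-Object Gpo, Principal | Format-Table Gpo, Principal, Read, Apply -AutoSize
$filters | Where-Object { $_.Apply -eq "Deny" } | Format-Table Gpo, Principal -AutoSize
```

A GPO applies to a principal only when both columns are favourable (Read true and Apply Allow); a row with Apply Allow but Read false explains the common case of a filtered GPO that never applies because Authenticated Users was removed and the new group was given Apply Group Policy without Read.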

Managing Group Policy scope: Targeting preferences

Preferences, new to Windows Server 2008, have a built-in scoping mechanism called item-level targeting. A single GPO can have multiple preference items, and each item can be targeted or filtered individually.

Ex: you could have a single GPO with one preference item that specifies folder options for engineers and another item that specifies folder options for sales people.

Items can be targeted by security group or OU, and there are over a dozen other criteria for various purposes (operating system, IP address range, registry value, among others).

Item-level targeting can affect the performance of policy processing, so be aware of that.

Managing Group Policy scope: Loopback policy processing

Loopback applies the User Configuration settings of the GPOs scoped to the computer instead of (Replace mode) or in addition to (Merge mode) those scoped to the user:
- Replace
- Merge

Supporting Group Policy: Resultant Set of Policy

The following tools are provided by Windows Server 2008 for performing RSoP analysis:
- The Group Policy Results Wizard
- The Group Policy Modeling Wizard
- Gpresult.exe

Generating RSoP reports with the Group Policy Results Wizard: the Group Policy Results tool helps you understand which policy settings have applied to a user or computer, and why.

  • 7/28/2019 Reseaux III Win2k8

    72/153

Supporting Group Policy

There are several requirements for running the Group Policy Results Wizard:
- You must have administrative credentials on the target computer.
- The target computer must be running Windows XP or later. Group Policy Results cannot reach Windows 2000 systems.
- You must be able to access WMI on the target computer, meaning it must be running, connected to the network and accessible through ports 135 and 445.
- The WMI service must be started on the target computer.
- To analyze the RSoP for a user, that user must have logged on at least once on the computer.

Supporting Group Policy

If the requirements are met, run the Group Policy Results Wizard by right-clicking in the GPMC and choosing Group Policy Results Wizard. You will be prompted to select a computer.

A report will be produced including:
- A summary
- Settings
- Policy events

Generating RSoP Reports with Gpresult.exe
Gpresult.exe is the command-line version of Group Policy Results.

Supporting Group Policy: Troubleshooting Group Policy with Group Policy Results and Gpresult.exe

You will likely encounter scenarios that require GPO troubleshooting; you might need to diagnose and solve problems including:
- GPOs are not applied at all
- The resultant set of policies for a computer is not the one that was expected

Supporting Group Policy: Performing What-If Analyses with the Group Policy Modeling Wizard

Group Policy Modeling helps you foresee, through a simulation, what will happen in a given situation, such as moving a computer or user between sites, domains or OUs, or changing its security group membership. The GPOs scoped to that user or computer will change and therefore the RSoP will be different.

- Examining Policy Event Logs

Group Policy Settings: Delegating the Support of Computers

Tasks can be delegated to support users in order to perform troubleshooting on client computers.
These tasks most of the time require administrative privileges; however, support users do not need the high level of privilege given to the Domain Admins group, so it is not recommended to place them in that group.
Therefore, the credentials used by support personnel must be at the level of local administrator.
Instead, configure client systems so that a group representing support personnel is added to the local Administrators group.
This can be done with Restricted Groups.

Group Policy Settings: Delegating the Support of Computers

Understanding Restricted Groups Policies
Restricted Groups policy settings enable you to manage the membership of groups. There are two types:
- This Group Is A Member Of: specifies that the group is a member of another group
- Members Of This Group: means that the group contains other members

Supporting Group Policy: Managing Software with Group Policy

Software installation. Some tools are available to deploy software within an organization, including:
- Microsoft System Center Configuration Manager
- Microsoft Systems Management Server
GPOs can be used to effectively deploy most software without these tools, using Group Policy Software Installation.

Supporting Group Policy: Managing Software with Group Policy (Software Installation)

Understanding Group Policy Software Installation
Group Policy Software Installation (GPSI) is used to create a managed environment that has the following characteristics:
- Users have access to the applications they need to do their job, no matter which computer they log on to
- Computers have the required applications, without intervention from a technical support representative
- Applications can be updated, maintained, or removed to meet the needs of the organization

Windows Installer Packages
- GPSI uses the Windows Installer service to install, maintain, or remove software
- The Windows Installer service manages software using the information contained in the application's Windows Installer package

Supporting Group Policy: Windows Installer Packages

The package contains explicit instructions regarding the installation and removal of an application.
It can be customized by using one of the following types of files:
- Transform (.mst) files: these files provide a means for customizing the installation.
- Patch (.msp) files: these files are used to update an existing .msi for security updates, bug fixes, and service packs.
GPSI can make limited use of non-MSI files (.zap), also known as down-level application packages, that specify the location of the software distribution point and the setup command.

Supporting Group Policy: Managing Software with Group Policy (Software Installation)

Software Deployment Options
Software can be deployed either by assignment to users or computers, or by publishing the application for users.
- Assigning an application: when you assign an application to a user, the application's local registry settings, including filename extensions, are updated and its shortcuts are created on the Start menu or desktop to advertise the availability of the application.
- Publishing an application: when you publish an application to users, the application does not appear as if it is installed on the user's computer; no shortcuts are visible on the desktop or Start menu.

Supporting Group Policy: Preparing an SDP

An SDP (software distribution point) is a shared folder from which users and computers can install applications.
- Create a shared folder
- Create a separate folder for each application
- Then copy the software, modifications, and all necessary files to the application folders
- Set the appropriate permissions that allow users or computers to read and execute; Read and Execute is the minimum permission required.

Supporting Group Policy: Creating a Software Deployment GPO

The Advanced option enables you to specify whether the application is published or assigned, and also gives you the opportunity to configure advanced properties of the software package.
- Deployment type: configure Published or Assigned
- Deployment options: based on the selected type, different choices will appear in the deployment section.
- Uninstall This Application When It Falls Out Of The Scope Of Management: if this option is selected, the application will be automatically removed when the GPO no longer applies to the user or computer.
- Upgrade: you can specify
- Categories: enables you to associate the package with one or more categories.
- Modifications: if you have a transform (.mst) that customizes the package, click the Add button to associate the transform with the package.

Supporting Group Policy: Managing the Scope of a Software Deployment GPO

Maintaining Applications Deployed with Group Policy
- You need to redeploy an application if you want to update it.
- You can upgrade it with GPSI, for a new version of the application, in the Software Installation node of the GPO.

Supporting Group Policy

Two options are offered to remove an application:
Right-click the package, choose All Tasks, then select Remove to choose one of the following options:
- Immediately Uninstall The Software From Users And Computers (forced removal)
- Allow Users To Continue To Use The Software, But Prevent New Installations (optional removal)

GPSI and Slow Links

Supporting Group Policy: Auditing

- Audit policy at the Default Domain Controllers Policy level
- Define the policy: Success or Failure events can be enabled

Auditing Access to Files and Folders
Specifying Auditing Settings on a File or Folder
- A file or folder can be audited by adding auditing entries to its ACL.
- This can be achieved through the Security tab of the Properties dialog box of the file or object.

Supporting Group Policy: Evaluating Events in the Security Log

- Audit events can be viewed in the Security log of the server: open the Event Viewer console from Administrative Tools and expand Windows Logs\Security.

Auditing Directory Service Changes
- The Audit Directory Service Access policy enables you to log attempts to access objects in Active Directory.
- Difference between Audit Directory Service Access and Audit Directory Service Changes:
  - Directory Service Access enables you to monitor access to directory objects
  - Directory Service Changes lets you see the previous and the current value of a changed attribute
- Directory Service Changes needs to be enabled:
  auditpol /set /subcategory:"Directory Service Changes" /success:enable

Authentication: Configuring Password and Lockout Policies

- Understanding Password Policies
- Understanding Password Lockout Policies
- Configuring Domain Password and Lockout Policy
- Fine-Grained Password and Lockout Policy
  - The domain password and lockout policy can be overridden with a new feature of Windows Server 2008 called fine-grained password policy.
  - The domain functional level must be Windows Server 2008.

Authentication: Understanding Password Settings Objects

- Settings are identical to those in the Password Policy and Account Lockout Policy nodes of a GPO.
- Fine-grained password policies are not part of a GPO, nor are they applied as part of a GPO.
- They are a separate class of object in Active Directory: the password settings object (PSO).

Authentication: PSO Precedence and Resultant PSO

- If multiple PSOs apply to groups to which the user belongs, the PSO with the highest precedence prevails.
- If one or more PSOs are linked directly to a user, PSOs linked to groups are ignored; the user-linked PSO with the highest precedence prevails.
- If two or more PSOs have the same precedence, Active Directory chooses the one with the lowest GUID.

PSOs and OUs
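The three precedence rules above decide which PSO governs a user. As an added example, not code from the original course slides, the following function applies them to constructed sample PSOs, users and groups; it relies on the fact that in AD the msDS-PasswordSettingsPrecedence attribute holds the precedence and the lowest value is the highest precedence, with the smallest objectGUID breaking ties.

```python
"""Resultant PSO selection for fine-grained password policy.

Added example, not code from the original course slides: it applies the
precedence rules for password settings objects (PSOs) to decide which PSO
governs a user. PSO names, precedence values, GUIDs, users and groups are
constructed sample data. In AD the attribute msDS-PasswordSettingsPrecedence
holds the precedence, and the LOWEST value is the highest precedence.
"""
import uuid
from dataclasses import dataclass


@dataclass
class PSO:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence (lower value = higher precedence)
    guid: uuid.UUID        # objectGUID, used only to break ties
    applies_to: set        # msDS-PSOAppliesTo: user and/or group names
    settings: dict         # the password and lockout settings carried by the PSO


def _highest_precedence(candidates):
    # Lowest precedence value wins; on a tie the mathematically smallest objectGUID wins.
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


def resultant_pso(user, groups, psos):
    """user: logon name; groups: every group the user belongs to (nested ones included)."""
    user_linked = [p for p in psos if user in p.applies_to]
    if user_linked:                      # a direct link makes all group links irrelevant
        return _highest_precedence(user_linked)
    group_linked = [p for p in psos if groups & p.applies_to]
    if group_linked:
        return _highest_precedence(group_linked)
    return None                          # no PSO: the domain policy applies


def effective_password_settings(user, groups, psos, domain_defaults):
    pso = resultant_pso(user, groups, psos)
    return dict(pso.settings) if pso else dict(domain_defaults)


# --- constructed sample data (not a real directory) -------------------------
DOMAIN_DEFAULTS = {"minPwdLength": 7, "lockoutThreshold": 0}
PSOS = [
    PSO("PSO-ServiceAccounts", 50, uuid.UUID("00000000-0000-0000-0000-000000000050"),
        {"Service Accounts"}, {"minPwdLength": 20, "lockoutThreshold": 0}),
    PSO("PSO-Admins", 10, uuid.UUID("00000000-0000-0000-0000-000000000010"),
        {"Domain Admins"}, {"minPwdLength": 15, "lockoutThreshold": 5}),
    # Same precedence as PSO-Admins but a smaller GUID: it wins a tie.
    PSO("PSO-Helpdesk", 10, uuid.UUID("00000000-0000-0000-0000-000000000005"),
        {"Helpdesk"}, {"minPwdLength": 12, "lockoutThreshold": 10}),
    # Linked directly to one user, with the worst (highest) precedence value.
    PSO("PSO-BreakGlass", 99, uuid.UUID("00000000-0000-0000-0000-000000000099"),
        {"bg.admin"}, {"minPwdLength": 25, "lockoutThreshold": 3}),
]

if __name__ == "__main__":
    for user, groups in [("alice", {"Domain Admins", "Helpdesk"}),
                         ("bg.admin", {"Domain Admins"}),
                         ("bob", {"Domain Users"})]:
        pso = resultant_pso(user, groups, PSOS)
        print(user, "->", pso.name if pso else "domain policy",
              effective_password_settings(user, groups, PSOS, DOMAIN_DEFAULTS))
```

The break-glass case shows why a direct user link deserves review during an audit: it silently overrides every group-linked PSO regardless of the precedence values.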

Authentication: Auditing Authentication

Account Logon and Logon Events
- An account logon event occurs when a user logs on to any computer using his domain account, and the domain controller authenticates the attempt to log on to the domain account.
- A logon event occurs when a user connects to a folder on a server in the domain: that server authorizes the user for a type of logon called a network logon (local). Again, the server does not authenticate the user; it relies on a ticket given to the user by the domain controller.

Authentication: Scoping Audit Policies

- Domain users logging on to a client computer or connecting to a server generate a logon event on that system.
- Only domain controllers generate account logon events.

Viewing Logon Events
- Account logon and logon events, if audited, appear in the Security log of the system that generated the event.

Authentication: Configuring Read-Only Domain Controllers

Authentication and domain controller placement in a branch office
Read-Only Domain Controllers
Deploying an RODC:
- Ensure that the forest functional level is Windows Server 2008
- If the forest has any DC running Microsoft Windows Server 2003, run adprep /rodcprep
- Ensure at least one writable DC is running Windows Server 2008
- Install the RODC

Authentication

- Placing a writable Windows Server 2008 domain controller
- Installing an RODC
- Password Replication Policy
  - Configure the domain-wide Password Replication Policy
    - The Allowed RODC Password Replication Group is added to the allowed list of each new RODC. If needed, add users to the group. By default a new RODC will not cache any user credentials.
    - The Denied RODC Password Replication Group is added to the denied list of each new RODC.
  - Configure an RODC-specific Password Replication Policy

Authentication: Administering RODC Credential Caching

- Accounts Whose Passwords Are Stored On This Read-Only Domain Controller
- Accounts That Have Been Authenticated To This Read-Only Domain Controller

Authentication: Administrative Role Separation

- RODCs support local administration through a feature called Administrative Role Separation.
- Each RODC maintains a local database of groups for specific administrative purposes.
- It can be configured the following way, from a command prompt:
  - Type dsmgmt and press Enter
  - Type local roles and press Enter
  - Type add username administrators, where username is the pre-Windows 2000 logon name of a domain user

Integrating Domain Name System With AD DS

Understanding DNS
The first thing to understand when working with DNS is how it works to resolve a name. DNS relies on a hierarchy of servers because a DNS server cannot hold all possible name records within itself. Because of this, the DNS service relies on name referrals to perform name resolution.


Integrating Domain Name System With AD DS

Here is how name resolution works:
1. You try to look up a Web page on the Microsoft TechNet Web site. To do so you type http://technet.microsoft.com in the address bar and press Enter.
2. Your computer sends a request for the name to its local DNS server, or at least to one of the servers listed in its IP configuration settings.
3. If the server does not have the name in its own database or cache, it sends a referral request to the .com name server (referral server).
4. The .com server is the authority for all names that end in the .com suffix.
5. The DNS server for microsoft.com sends the corresponding IP address for the requested page to the client computer.
6. The name resolver on the client uses the IP address to request the actual page from its Internet provider.
7. If the page is not already in the local cache of the Internet provider, it requests the actual page and sends it to the client.
This procedure occurs within seconds, depending on the Internet connection speed.

Integrating Domain Name System With AD DS: Understanding DNS

The Windows Server 2008 DNS service supports three types of DNS zones:
- Primary: zones that can be integrated with AD DS or that can be of the former (standard) type. They are authoritative for the namespace.
- Secondary: zones that are of the former, standard type and are only a replica of the data maintained by a primary or authoritative server for a namespace; a secondary zone needs the address of the primary server.
- Stub: zones that are nothing but pointers to the other servers that are authoritative for the namespace. Once again, a stub zone needs a list of the server(s) that are authoritative for the namespace.

Integrating Domain Name System With AD DS: Understanding DNS

Types of DNS records in Windows Server 2008:
- Alias (CNAME): used to create an alternate record, or alias, for a name that is already specified as another record type in a specific zone; it is also known as a canonical name.
- Host record (A or AAAA): the most common record type in DNS. They represent computer objects in the namespace and are used to resolve a name to the specific IP address of a device.
- Mail exchanger (MX): routes e-mail messages to a specific namespace.
- Pointer (PTR): points to a specific location within the namespace. PTR records are usually used to provide reverse lookup capabilities within the namespace.
- Service location (SRV): indicates the location of a specific TCP/IP service.

Integrating Domain Name System With AD DS

Windows Server DNS creates two application directory partitions to host data for each forest. These partitions are respectively:
- ForestDnsZones: for the entire forest
- DomainDnsZones: for each child domain within the forest
To provide security against spoofing, DNS now supports the addition of a global query block list for clients that use the Web Proxy Automatic Discovery Protocol (WPAD) and rely on DNS to resolve host names.

Integrating Domain Name System With AD DS: Integration with AD DS

- Because of its special Windows features, always deploy the Windows DNS server when you deploy AD DS.
- When you use the Windows DNS server with AD DS, all DNS content is configured by default. A third-party DNS server can be used to provide name resolution, but it is significantly more work to set up.
- If AD DS is deployed for a forest root domain, a placeholder will be created for the forward lookup zone (FLZ), the reverse lookup zone, and the conditional forwarder (CF).
- Two zones will then be generated for the FLZ. The first will be a container for the entire forest, created during the installation of AD DS, and one within the FLZ for the root domain itself, as shown in the following figure.

(Figure: the forward lookup zones created for the forest and for the root domain)

Integrating Domain Name System With AD DS

- When the AD DS process creates a domain tree in an existing forest, a manual delegation is required before the domain tree is created, because the name of the domain tree is different from the root domain name. It must be different because that is the definition of a tree within a forest.
- When the AD DS process creates a child domain in an existing forest, it automatically creates a delegation within the top-level root domain and properly stores the DNS data for the child domain in the child domain partition.
- Dcpromo.exe allows you to remove the DC role and the DNS data created for a domain if this DC is the last DC in the domain.

Integrating Domain Name System With AD DS: Configuring and Using Domain Name System

Configuring DNS
The DNS configuration involves several activities, including:
- Considering the security of your DNS servers to reduce their attack surface
- Configuring scavenging settings for the servers as a whole
- Finalizing the configuration of your FLZs
- Creating RLZs
- Adding custom records to FLZs for specific services and resources

Configuring and Using Domain Name System

Security considerations for the DNS Server role
- DNS servers that are exposed to the Internet are notorious targets for malicious users.
- The most common attack is a denial of service (DoS).
- Another common form of attack occurs when an attacker tries to obtain all the data contained within a DNS server, intending to use it to identify the objects a network contains. This is called footprinting the network.
- Two more attacks: attempts to modify data within the server, or to redirect users' queries from a valid DNS server to one that would be under the attacker's control.

Integrating Domain Name System With AD DS: Working with DNS Server Settings

Finalize the FLZ configuration by configuring the following settings on each production DNS zone, as a best practice:
- Domain-based DNS zones should replicate to all DNS servers in the domain. Each DC that hosts the DNS role will then include the zone.
- Forest DNS zones should replicate to all DNS servers in the forest.
- If you maintain Windows 2000 Server DCs in your network, you must use the To All Domain Controllers In This Domain (For Windows 2000 Compatibility) option, because Windows 2000 Server does not support application directory partitions.

Integrating Domain Name System With AD DS

- You can also set replication to custom application directory partitions, but you must create the partition first.

Creating Reverse Lookup Zones
- Networks of fewer than 500 hosts do not require an RLZ. These zones are used to provide resolution from an IP address to a name, instead of a name to an IP address. They are mostly used by applications.
- However, clients that have the ability to update their own records dynamically will also create a PTR record, a reverse record that maps the IP address to the name.

Integrating Domain Name System With AD DS: Configuring and Using Domain Name System

Custom records
- They are created manually and provide a variety of services in your network, such as creating an MX record to point to your e-mail server, or an alias record such as intranet.contoso.

Forwarders vs. Root Hints
- Name resolution is performed by using one of two methods: root hints or forwarders.
- By default, the Windows DNS server relies on root hints to perform lookups. This fits small networks.
- Forwarders are preferred for highly secured networks.

Integrating Domain Name System With AD DS: Configuring and Using Domain Name System

Single-Label Name Management
- To use single-label names, you need to manually create a GlobalNames zone (GNZ); a single GNZ is required for each forest.
- If you are using an AD DS-integrated DNS server and each of your DCs is also running the DNS service, this operation must be performed on each DC; it is a five-step operation.
- You can create the GNZ, but enabling its support in a DNS server requires a modification of the Windows registry with dnscmd.exe:
  dnscmd /config /enableglobalnamessupport 1

Integrating Domain Name System With AD DS: Configuring and Using Domain Name System

Working with Application Directory Partitions
In certain circumstances, you will want to create application directory partitions to support data replication. An application directory partition controls the replication scope of the data it contains. DNS creates two application directory partitions; these two partitions might not be appropriate in complex forests.

Integrating Domain Name System With AD DS

Consider this scenario: your forest includes three domains: the forest root, a global child (production) domain, and a development domain. You created the development domain because your developers have special access right requirements and you do not want to grant these access rights in the production domain. All production domain users except for system administrators have standard user rights. In the development domain, however, you can grant developers higher access rights, because this domain does not affect production operations.

Integrating Domain Name System With AD DS

In addition, you created only one single domain account for each developer. This account is located in the global child domain and has standard user rights, but through the transitive trust inherent in each forest, developers can use their account from the production domain to access objects in the development domain, where their production domain account has higher access rights.

Integrating Domain Name System With AD DS

By default, name resolution between the two child domains passes through the forest root domain. Developers access the development domain on a constant basis every day, so to provide them with faster name resolution, you create a custom application directory partition to share the DNS records between the development domain and the production domain. Production DNS servers will then not need to pass through the forest root domain to resolve development domain names. (See the scenario in the next figure.)

(Figure: custom application directory partition shared between the production and development domains)

Domain Controllers

Installing a domain controller with the Windows interface

Domain Controllers

- Unattended Installation Options and Answer Files
- Installing Additional Domain Controllers in a Domain
- Installing the first Windows Server 2008 Domain Controller in an Existing Forest or Domain:
  - Log on to the schema master as administrator
  - Copy the contents of the \sources\adprep directory of the Windows Server 2008 media to a directory on the schema master
  - Open a command prompt and change directory to the Adprep directory
  - Type adprep /forestprep
  - And/or adprep /rodcprep if you are installing an RODC in a domain that has a Windows Server 2003 DC

Domain Controllers: Installing an Additional Domain Controller

- Install From Media
- Source domain controller: specify it by selecting Use This Specific Domain Controller

Installing a Windows Server 2008 Child Domain


Domain Controllers

Installing a New Domain Tree

Domain Controllers

Installing AD DS from Media
Removing a Domain Controller
- To remove forcefully, use: dcpromo /forceremoval

Domain Controllers: Configuring Operations Masters

Understanding Single Master Operations
A number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. These operations, and the domain controllers that perform them, are referred to by a variety of terms:
- Operations masters
- Operations master roles
- Single master roles
- Operations tokens
- Flexible single master operations (FSMO)

Domain Controllers

Forest-Wide Operations Master Roles
- Domain Naming Master role
- Schema Master role
Domain-Wide Operations Master Roles
- RID Master role
- Infrastructure Master role
- PDC Emulator role

Domain Controllers: Forest-Wide Operations Master Roles

Domain Naming Master role
- It is used when adding or removing domains in the forest; it must be accessible when performing such operations.
Schema Master role
- It is responsible for making any changes to the forest's schema; all other DCs hold a copy of the schema. If you want to modify the schema, or install an application that modifies the schema, it is recommended that you do so on the domain controller holding the Schema Master role.

Domain Controllers: Domain-Wide Operations Master Roles

RID Master role
- It allocates a pool of unique RIDs to each domain controller in the domain; thus each domain controller can be confident that the SIDs it generates are unique.
Infrastructure Master role
- In a multi-domain environment, it is common for an object to reference objects in other domains; for instance a group can include members from another domain, and its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group's domain updates the group's member attribute accordingly.

Domain Controllers: Domain-Wide Operations Master Roles

PDC Emulator
The PDC Emulator performs multiple functions for a domain:
- Emulates a PDC for backward compatibility
- Participates in special update handling for the domain
- Manages Group Policy updates within the domain
- Provides a master time source for the domain
- Acts as the domain master browser

Domain Controllers: Placing Operations Masters

When the forest root domain is created with its first domain controller, all five operations master roles are performed by the same domain controller. As domain controllers are added, operations master roles can be transferred to other domain controllers. The best practices for the placement of operations master roles are as follows:

Domain Controllers: Placing Operations Masters

- Co-locate the Schema Master and the Domain Naming Master.
- Co-locate the RID Master and the PDC Emulator.
- Place the Infrastructure Master on a DC that is not a GC. Placing it on a GC can only be done if all roles are placed on a single DC, for instance if you have only one DC for your entire forest.
- Have a failover plan: determine in advance a plan for transferring the operations master roles to other DCs in the event that one role holder is offline.

Domain Controllers: Identifying Operations Masters

- PDC Emulator, RID Master, Infrastructure Master: Active Directory Users And Computers snap-in. Right-click the domain and choose Operations Masters.
- Domain Naming Master: Active Directory Domains And Trusts snap-in. Right-click the root node of the snap-in (Active Directory Domains And Trusts) and choose Operations Master.
- Schema Master: the Active Directory Schema snap-in. Right-click the node of the snap-in (Active Directory Schema) and choose Operations Master.

Domain Controllers: Transferring Operations Master Roles

You can transfer a single master role easily. It can be transferred in the following scenarios:
- When a forest is first established, all roles reside on the same domain controller. When you add a domain to the forest, all three domain-wide roles are performed by the first domain controller in that domain. As you add DCs, you can transfer the roles.
- If you plan to take offline a domain controller that is currently holding an operations master role, transfer that role to another domain controller prior to taking it offline.
- If you are decommissioning a domain controller that is currently holding an operations master role, transfer that role to another domain controller prior to decommissioning.

Domain Controllers: Recognizing Operations Master Failures

Several operations master roles can be unavailable for quite some time before their absence becomes a problem. Other master roles play a crucial role in the day-to-day operation of your enterprise. Problems can be identified by viewing the Directory Service event log. However, you will often discover that an operations master has failed when you attempt to perform a function managed by the master and the function fails. For instance, if the RID Master fails, eventually you will be prevented from creating new security principals.

Domain Controllers: Seizing and Returning Master Roles

In case of failure, roles can be seized. Some can be returned to their original holder, others cannot:
- PDC Emulator and Infrastructure Master: the original holder can be brought back online.
- Schema Master, RID Master, and Domain Naming Master: the original holders cannot be brought back online.

Domain Controllers: Configuring DFS Replication of SYSVOL

The SYSVOL folder is located at %SystemRoot%\SYSVOL by default. It contains logon scripts, Group Policy templates (GPTs) and other critical resources for the health and management of the Active Directory domain; it should be consistent on each domain controller. However, changes to GPOs and logon scripts are made from time to time, so you must ensure that those changes are replicated effectively and efficiently to all domain controllers.

    Domain Controllers Conguring DFS Replica on of SYSVOL

In previous versions of Windows, FRS was used to replicate the contents of SYSVOL between all domain controllers. FRS has limitations in both capacity and performance that cause it to break occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 domains, you have the option to use DFS-R to replicate the contents of SYSVOL.


Domain Controllers Understanding Migration Stages

Because SYSVOL is critical to the health of your domain, Windows does not provide a mechanism to convert replication of SYSVOL from FRS to DFS-R instantly. Instead, migration to DFS-R involves creating a parallel SYSVOL structure. When the parallel structure is successfully in place, clients are redirected to the new structure as the domain's system volume, and when the operation has proven successful, you can eliminate FRS.


Domain Controllers Migration to DFS-R consists of four stages or states:

0 (start): the default state of a domain controller
1 (prepared): a copy of SYSVOL is created in a folder called SYSVOL_DFSR on all domain controllers and is added to a replication set. DFS-R begins to replicate the contents of SYSVOL_DFSR to all domain controllers. However, FRS continues to replicate the original folder and clients continue to use SYSVOL.
2 (redirected): the SYSVOL share, which originally refers to SYSVOL\sysvol, is changed to refer to SYSVOL_DFSR\sysvol
3 (eliminated): replication of the old SYSVOL is stopped
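The four states above are stepped through with the dfsrmig tool, one global state at a time, and each state must be reached by every domain controller before the next is set. The script below is an added example, not part of the course slides; it advances the migration to a chosen target state and polls until all domain controllers report the new state. It assumes a domain at the Windows Server 2008 functional level, that it is run on the PDC emulator as a domain administrator, that dfsrmig's output names the state in single quotes, and an arbitrary polling interval.

```powershell
# Added example, not from the course: walk SYSVOL replication from FRS to
# DFS-R through the prepared, redirected and eliminated states, never
# advancing until every DC has caught up with the current global state.
param([int]$TargetState = 3, [int]$PollSeconds = 60)

# State numbers and names as used by dfsrmig and by the course slides.
$stateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Get-GlobalState {
    # Assumed output shape: "Current DFSR global state: 'Prepared'"
    $text = (dfsrmig /getglobalstate) -join ' '
    foreach ($s in $stateNames.Keys) {
        if ($text -match ("'" + $stateNames[$s] + "'")) { return $s }
    }
    throw "Could not parse global state from: $text"
}

function Wait-MigrationState {
    # /getmigrationstate lists DCs still behind the global state, or reports
    # that all DCs have migrated successfully; poll until the latter.
    do {
        Start-Sleep -Seconds $PollSeconds
        $report = (dfsrmig /getmigrationstate) -join ' '
        Write-Output $report
    } until ($report -match 'migrated successfully')
}

if ($TargetState -lt 0 -or $TargetState -gt 3) { throw 'Target state must be 0..3' }

$current = Get-GlobalState
while ($current -lt $TargetState) {
    $next = $current + 1
    if ($next -eq 3) {
        # States 1 and 2 can be rolled back by setting a lower global state;
        # state 3 removes FRS and cannot be reverted, so pause to confirm.
        $answer = Read-Host 'Eliminating FRS is irreversible. Type ELIMINATE to continue'
        if ($answer -ne 'ELIMINATE') { break }
    }
    Write-Output ('Advancing SYSVOL migration from {0} ({1}) to {2} ({3})' -f $current, $stateNames[$current], $next, $stateNames[$next])
    dfsrmig /setglobalstate $next
    Wait-MigrationState
    $current = Get-GlobalState
}
Write-Output ('SYSVOL migration is at state {0} ({1})' -f $current, $stateNames[$current])
```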


Managing Disk, Volume, and Partition Understanding Basic and Dynamic Disks

On basic disks that use the GUID partition table (GPT) partition style, you can create up to 128 primary partitions. Because of this, you do not need an extended partition. GPT disks are recommended for disks larger than 2 terabytes and for disks on 64-bit systems.


Understanding Basic and Dynamic Disks Dynamic disks provide advanced features that basic disks do not support, such as the ability to create an unlimited number of volumes. There are 5 types of volumes: Simple, Spanned, Striped, Mirrored, and RAID-5.


Managing Disk, Volume, and Partition

Creating volumes Basic volumes are drives that are not fault tolerant. A basic volume can consist of a single disk or of multiple regions on the same disk linked together.

Spanned volumes A spanned volume is a dynamic volume consisting of disk space on more than one physical disk. If a volume is not a system volume or a boot volume, you can extend it across additional disks to create a spanned volume, or you can create a new volume by using unallocated space on one or more disks.


Managing Disk, Volume, and Partition Striped volume A striped volume, also known as RAID-0, is a dynamic volume that stores data in stripes across two or more physical disks. Striped volumes offer the best performance of all the volumes available in Windows, but they do not provide fault tolerance.

Mirrored volumes Also known as RAID-1, a mirrored volume is a fault-tolerant volume that provides redundancy by using two copies, or mirrors, of the same volume. All data written to it is mirrored to both volumes, which are located on separate physical disks. If one of the physical disks fails, the data on the failed disk becomes unavailable, but the system continues to operate using the unaffected disk.


Managing Disk, Volume, and Partition

RAID-5 volume A RAID-5 volume is a fault-tolerant volume that combines areas of free space from at least 3 physical hard disks into one logical volume. RAID-5 volumes stripe data along with parity information across the set of disks. When a single disk fails, Windows Server 2008 uses this parity information to re-create the data on the failed disk. RAID-5 volumes can tolerate the loss of only one disk in the set.


Managing Disk, Volume, and Partition

Extending a volume You can add more space to existing simple or spanned volumes by extending them into unallocated space on the same disk or on a different disk. To extend a volume, it must be either formatted with the NTFS file system or unformatted. Extending a volume can be done in Disk Management.

Shrinking a volume You can decrease the space used by a simple or spanned volume, releasing contiguous free space at the end of the volume.
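The same extend and shrink operations that the slides perform in Disk Management can be scripted with diskpart, and a script can enforce the NTFS-or-unformatted precondition stated above before touching the volume. The PowerShell below is an added example and not part of the course; it assumes drive letter E:, arbitrary sizes, an elevated prompt, and that diskpart's shrink querymax output states the reclaimable size followed by MB or GB.

```powershell
# Added example, not from the course: extend a volume only if its file system
# allows it, and shrink it by no more than diskpart reports can be reclaimed
# (only contiguous free space at the end of the volume is available).
param([string]$Drive = 'E:', [int]$ExtendMB = 1024, [int]$ShrinkMB = 512)

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart reads its commands from a script file passed with /s
    $script = [System.IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $script -Encoding ASCII
    $output = diskpart /s $script
    Remove-Item $script
    return $output
}

$letter = $Drive.TrimEnd(':')
$vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$Drive'"
if ($vol -eq $null) { throw "Volume $Drive not found" }

# Precondition from the slides: only NTFS or unformatted (null FileSystem)
# volumes can be extended.
if ($vol.FileSystem -and $vol.FileSystem -ne 'NTFS') {
    throw "Volume $Drive is $($vol.FileSystem); only NTFS or unformatted volumes can be extended"
}

# Extend into unallocated space. Extending a basic volume onto a second disk
# turns it into a spanned volume on a dynamic disk, which is not fault tolerant.
Invoke-DiskPart @("select volume $letter", "extend size=$ExtendMB")

# Ask diskpart how much can be shrunk before asking it to shrink.
$query = (Invoke-DiskPart @("select volume $letter", "shrink querymax")) -join ' '
if ($query -match '(\d+)\s*(MB|GB)') {
    $maxMB = [int]$matches[1]
    if ($matches[2] -eq 'GB') { $maxMB = $maxMB * 1024 }
    if ($ShrinkMB -le $maxMB) {
        Invoke-DiskPart @("select volume $letter", "shrink desired=$ShrinkMB")
    } else {
        Write-Output "Requested $ShrinkMB MB but only $maxMB MB is reclaimable on $Drive"
    }
} else {
    Write-Output "Could not determine the reclaimable size from: $query"
}
```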
