Mcts chapter 3

MCTS Guide to Configuring
Microsoft Windows Server 2008
Active Directory

Chapter 3: Introducing Active Directory

Objectives
• Describe the role of a directory service and the
physical and logical Active Directory structure
• Install Active Directory
• Describe the main Active Directory objects
• Explain configuring and applying group policies

MCTS Windows Server 2008 Active Directory 2

The Role of a Directory Service
• A network directory service stores information
about a computer network and offers features for
retrieving and managing that information.
• Generally considered to be an administrative tool,
but users make use of directory services to find
resources
• Directory services provide a centralized
management tool, but due to complexity, requires
careful planning prior to setup


Windows Active Directory
• First used by Windows 2000 Server
• Offers the following features:
– Hierarchical organization
– Centralized but distributed database
– Scalability
– Security
– Flexibility
– Policy-based administration


Overview of the Active Directory Structure

• Physical structure
– Consists of sites and servers configured as domain controllers
• Logical structure
– Makes it possible to pattern the directory service’s look and feel
after the organization in which it runs


Active Directory’s Physical Structure
• An Active Directory site is simply a physical
location in which domain controllers communicate
and replicate information regularly
• Each domain controller contains a full replica of the
objects that make up the domain and is responsible
for the following functions:
– Storing a copy of the domain data and replicating changes to
that data to all other domain controllers throughout the domain
– Providing data search and retrieval functions for users
attempting to locate objects in the directory
– Providing authentication and authorization services for users
who log on to the domain and attempt to access network
resources


Active Directory’s Logical Structure
• Organizational Units (OUs)
• Domains
• Trees
• Forests


Active Directory’s Logical Structure (cont.)

• The Organizational Unit (OU) is an Active Directory
container used to organize a network’s users and
resources into logical administrative units
• An OU contains Active Directory objects, such as:
– User accounts
– Groups
– Computer accounts
– Printers
– Shared folders
– Applications
– Servers
– Domain controllers



• Domain: The core structural unit of an Active
Directory; contains OUs and represents
administrative, security, and policy boundaries
• Small to medium companies usually have one
domain; larger companies may have several
domains to separate geographical regions or
administrative responsibilities



• A tree is a grouping of domains that share a
common naming structure
• Can consist of a parent domain and possibly one or
more child domains
• Child domains can also have child domains



• Forest: A collection of one or more Active Directory
trees. A forest can consist of a single tree with a
single domain, or it can contain several trees, each
with a hierarchy of parent and child domains
• Main purpose is to provide a common Active
Directory environment, in which all domains in all
trees can communicate and share information,
while simultaneously allowing independent
operation and administration


Installing Active Directory
• To install AD DS on a full Windows Server 2008
installation, use Server Manager
• If DNS is not already present on the network, you
must install the DNS Server Role.
• Once the Server Manager wizard for installing
Active Directory finishes, you must run
dcpromo.exe


Installing Active Directory (cont.)
• Dcpromo.exe steps to install:
– Step 1: Existing domain or new domain
– Step 2: Fully qualified domain name (FQDN) for new forest root
domain
– Step 3: Choose forest functional level
• The functional level is critical to the feature set available to
administrators after install, as well as the software
requirements for any other DCs
– If you want backwards compatibility with older domain controllers on
the network, choose Windows 2000 functional level
– If you choose Windows Server 2008 functional level, you can’t run
Windows Server 2003 or Windows 2000 domain controllers (but they
can run as member servers)


• After step 3, you have three additional options for
the DC:
• Install DNS Server
– Recommended for the first domain controller in a new domain
• Global Catalog
– Selected by default (and can not be disabled) if the server is to
be the first DC in a forest
• Read-only Domain Controller (RODC)
– Not selected by default, and disabled for the first DC in the
domain


• The sysvol folder is a shared folder that stores the
information from Active Directory that’s replicated
to other domain controllers
• Directory Services Restore Mode is used to
perform restore operations on Active Directory if it
becomes corrupted or parts of it are deleted
accidentally.


The Active Directory Schema
• An object is a grouping of information that
describes a network resource
• The schema defines the type, organization, and
structure of data stored in the AD database
• Schema classes define the types of objects that
can be stored in Active Directory
• Schema attributes define what type of information
is stored in each object
• The information stored in each attribute is called
the attribute value

The Active Directory Schema (cont.)


Active Directory Container Objects
• Organizational Units
• Folder Objects
• Domain objects


Organizational Units
• Primary container object for organizing and
managing resources in a domain
• OUs can organize multiple objects into one
administrative group that can be configured with
specific policies relevant to that group
• Authority of an OU can be delegated
• Nesting OUs can build a hierarchical Active
Directory structure that mimics the corporate
structure for easier object management


Folder Objects
• Four created by default:
– Builtin; Houses default groups created by Windows
– Computers; The default location for computer accounts created
when a new computer or server becomes a domain member
– ForeignSecurityPrincipals; Initially empty but later contains user
accounts from other domains added as members of the local
domain’s groups
– Users; Stores two default users (Administrator and Guest) and
several default groups
• New folder objects cannot be created
• Administrative control can be delegated (except on
builtin folder)

Domain Objects
• Core logical structure in AD, contains OU and
folder container objects, as well as leaf objects
• Larger companies may use multiple domains to
separate administration, define security
boundaries, and define policy boundaries
• Each domain object has a default GPO linked to it
that can affect all objects in the domain


Active Directory Leaf Objects
• User Accounts
– Three types: Local, domain, and built-in
• Groups
– Consists of users with common permissions
• Computer Accounts
– Represents a computer that is a domain controller or domain
member
• Other Leaf Objects:
– Contact
– Printer
– Shared folder


Locating Active Directory Objects
• Active Directory objects can be searched for using
the Find Users, Contacts, and Groups dialog box
• Can search a single domain or an entire directory
(all domains)
• Not all objects are available to all users


Introducing Group Policies
• A Group Policy Object (GPO) is a list of settings
that administrators use to configure user and
computer operating environments remotely.
• Installing Active Directory creates two GPO’s by
default:
– Default Domain Policy
– Default Domain Controllers Policy


Introducing Group Policies (cont.)
• You can edit existing GPO’s (including defaults)
and create and manage GPO’s by using the Group
Policy Management MMC
• Two nodes for every GPO:
– Computer Configuration; Used to set policies that apply to
computers within the GPO’s scope
– User Configuration; Used to set policies that apply to all users
within the GPO’s scope


The Computer Configuration Node
• Software Settings
– Enables Administrators to install and manage applications
remotely
• Windows Settings
– Contains Scripts extension, Security Settings node, and the
Policy-based QoS node
• Administrative Templates
– Contains the Control Panel, Network, Printers, System, and
Windows Components folders.


The User Configuration Node
• Policies folder contains the same three folders as in the
Computer Configuration node, but policies defined here
affect domain users within the GPO’s scope, regardless of
which computer the user logs on to.
• Software Settings
– Can assign or publish application packages
• Windows Settings – Contains six items
– Remote Installation Services
– Scripts extension
– Security Settings node
– Folder Redirection node
– Policy based QoS node
– Internet Explorer Maintenance node
• Administrative templates

How Group Policies Are Applied
• GPO’s can be applied in four places:
– Local Computer
– Site
– Domain
– Organizational Unit
• Policies are applied in the above order
– Policies that are not defined or configured are not applied at all
– Last policy to be defined takes precedence; If a policy is
defined at the domain level and OU level, then the OU level’s
setting is the one applied


Chapter Summary
• A directory service is a database that stores
network resource information and can be used to
manage users, computers, and resources
throughout the network.
• Active Directory is a hierarchical, distributed
database that’s scalable, secure, and flexible.
Active Directory’s physical structure is composed of
sites and domain controllers, and the logical
structure is composed of organizational units,
domains, trees, and forests.


Chapter Summary (cont.)
• Server manager installs the Active Directory
Domain Services role. Once Server Manager is
finished, dcpromo.exe is used to finish installation.
• The data in Active Directory is organized as
objects. Available objects and their structure are
defined by the Active Directory schema, which is
composed of schema classes and schema
attributes. The data in a schema attribute is called
an attribute value


• Two types of objects in AD: Container objects and
leaf objects
• Leaf objects generally represent security accounts,
network resources, and GPOs
• Active Directory objects can be located easily with
search functions in Active Directory Users and
Computers and Windows Explorer
• GPOs are lists of settings that enable
administrators to configure user and computer
operating environments remotely


• Policies defined in the Computer Configuration
node affect all computers in the Active Directory
container to which the GPO is linked. Policies
defined in the User Configuration node affect all
users in the Active Directory container to which the
GPO is linked.


Mcts chapter 3

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Mcts chapter 3

Similar to Mcts chapter 3 (20)

Recently uploaded

Recently uploaded (20)

Mcts chapter 3