CST8200 Windows Domain Administration PDF
Denis Latremouille
Summary
These lecture notes cover Windows Domain Administration, focusing on Active Directory concepts, including its role, structure, and installation procedures. The information is presented using slide-based graphics and covers concepts like organizational units (OUs), domains, trees, and forests. It also discusses Active Directory's physical and logical structure.
Full Transcript
CST8200 – Windows Domain Administration
Professor: Denis Latremouille
Week 03

Agenda

The Role of a Directory Service
- A network directory service stores information about a computer network and offers features for retrieving and managing that information.
- Generally considered to be an administrative tool, but users also make use of directory services to find resources
- Directory services provide a centralized management tool, but because of their complexity they require careful planning prior to setup

Windows Active Directory
- Active Directory – a directory service based on standards for defining, storing, and accessing directory service objects
- X.500 is the basis for its hierarchical structure
- Lightweight Directory Access Protocol (LDAP) is based on the X.500 Directory Access Protocol
  ◼ Uses the more efficient TCP/IP protocol stack (X.500 DAP was designed for the OSI stack)
- Integrating other OSs, such as Linux, into an Active Directory network requires using LDAP
- Windows Active Directory was first used in Windows 2000 Server

Windows Active Directory
- Active Directory offers the following features:
  ◼ Hierarchical organization
  ◼ Centralized but distributed database
  ◼ Scalability
  ◼ Security
  ◼ Flexibility
  ◼ Policy-based administration

Overview of the Active Directory Structure
- Physical structure
  ◼ Consists of sites and servers configured as domain controllers
- Logical structure
  ◼ Makes it possible to pattern the directory service's look and feel after the organization in which it runs

Active Directory's Physical Structure
- An Active Directory site is a physical location in which domain controllers communicate and replicate information periodically
- Domain controller (DC) – a computer running Windows Server 2016 with the Active Directory Domain Services role installed
  ◼ Services one domain
- Each domain controller contains a full replica of the objects that make up the domain and is responsible for:
  ◼ Storing a copy of the domain data and replicating changes to that data to all other domain controllers in the domain
  ◼ Providing data search and retrieval functions for users attempting to locate objects in the directory
  ◼ Providing authentication and authorization services for users who log on to the domain and attempt to access network resources

Active Directory's Logical Structure
- Four organizing components of Active Directory:
  ◼ Organizational Units (OUs)
  ◼ Domains
  ◼ Trees
  ◼ Forests
- The organizational unit (OU) is an Active Directory container used to organize a network's users and resources into logical administrative units
- An OU contains Active Directory objects, such as:
  ◼ User accounts, groups, computer accounts, printers, shared folders, applications, servers, and domain controllers

Active Directory's Logical Structure
- Domain – the core structural unit of an Active Directory
  ◼ Contains OUs and represents administrative, security, and policy boundaries
  ◼ Caveat: Microsoft treats the forest, not the domain, as the true security boundary. A member of Domain Admins in any domain of a forest can escalate to control of the whole forest, so separate domains do not isolate administrators you do not trust; a separate forest does
- Small to medium companies usually have one domain
  ◼ Larger companies may have several domains to separate geographical regions or administrative responsibilities

Active Directory's Logical Structure
- Tree – a grouping of domains that share a common naming structure
  ◼ Can consist of a parent domain and possibly one or more child domains
- Forest – a collection of one or more Active Directory trees that provide a common Active Directory environment
  ◼ All domains in all trees can communicate and share information
  ◼ Can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains

Installing Active Directory
- The Windows Active Directory service is commonly referred to as Active Directory Domain Services (AD DS)
- To install AD DS, use Server Manager
- If DNS is not already present on the network, you must install the DNS Server role.
- After installation is finished, you must configure Active Directory
  ◼ Click the notifications flag in Server Manager and click "Promote this server to a domain controller"
- In the Deployment Configuration window, select from these options:
  ◼ Add a domain controller to an existing domain
  ◼ Add a new domain to an existing forest
  ◼ Add a new forest (choose this if it is the first DC in the network)

Installing Active Directory
- Next, you're prompted for the fully qualified domain name (FQDN) for the new forest root
  ◼ An FQDN is a domain name that includes all parts of the name
- In the Domain Controller Options window you will:
  ◼ Choose the forest and domain functional levels
  ◼ Select domain controller capabilities: Domain Name System (DNS) server, Global Catalog (GC), Read-only domain controller (RODC)
  ◼ Enter a password for Directory Services Restore Mode (DSRM)
    - A boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are deleted accidentally
    - The DSRM password is the DC's local Administrator password in that boot mode, so store it as carefully as a Domain Admin credential

Installing Active Directory
- In the DNS Options window, you can create a DNS delegation, which lets the wizard create the necessary records for the new domain on the parent DNS server (only possible when a parent zone that you can update already exists; for the first forest on an isolated network there is nothing to delegate from)
- In the Additional Options window, you specify a NetBIOS domain name (used for backward compatibility with systems that don't use DNS)
- In the Paths window, you specify the location of the Active Directory database, log files, and SYSVOL folder
- Next, review your selections in the Review Options window
- Windows then does a prerequisite check before starting the Active Directory installation

Installing Additional Domain Controllers in a Domain
- Microsoft recommends at least two DCs in every domain
  ◼ For fault tolerance and load balancing
- Installing an additional DC in an existing domain is not unlike installing the first DC
  ◼ Biggest difference is that you select "Add a domain controller to an existing domain" instead of "Add a new forest"
- When a new DC is added, you need to know the answers to the following questions:
  ◼ Should you install DNS?
  ◼ Should the DC be a global catalog (GC) server?
  ◼ Should this be a read-only domain controller (RODC)?
  ◼ In which site should the DC be located?

Installing a New Domain in an Existing Forest
- Two variations to adding a domain to an existing forest:
  ◼ Add a child domain – you're adding a domain that shares at least the top-level and second-level domain name structure with an existing domain in the forest
  ◼ Add a new tree – you're adding a new domain with a separate naming structure from any existing domains in the forest

What's Inside Active Directory?
- Explore Active Directory using the Active Directory Administrative Center (ADAC) or the Active Directory Users and Computers MMC
- Use ADAC to perform the following AD tasks:
  ◼ Create and manage user, group, and computer accounts
  ◼ Manage OUs
  ◼ Connect to other domain controllers in the same or a different domain
  ◼ Change the domain's functional level and enable the AD Recycle Bin
- ADAC is built on PowerShell
  ◼ Each command you use in ADAC issues a PowerShell command
  ◼ Use the Windows PowerShell History pane in ADAC to see a list of the commands generated
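The installation procedure above (install the role, promote to a new forest, add a second DC, add a child domain) carried out from PowerShell instead of the Server Manager wizard. This is an added example, not part of the lecture slides; the forest name corp.example.com, NetBIOS name CORP, site name HQ and child domain name branch are hypothetical values chosen for illustration. Each part runs on the server it targets, so the DSRM password is prompted for again on each.

```powershell
# Added example (not from the lecture): the Server Manager wizard pages done
# from PowerShell. Hypothetical values: forest root corp.example.com, NetBIOS
# name CORP, a site named HQ, and a child domain "branch". Run each numbered
# part on the server it targets, as a local administrator.

#Requires -RunAsAdministrator

# 1. Install the AD DS role plus the DNS Server role (no DNS exists yet on a
#    brand-new network). -IncludeManagementTools brings in RSAT and the cmdlets.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 2. DSRM password. This is the DC's local Administrator password in restore
#    mode, so treat it like a Domain Admin secret and never hard-code it.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'

# 3. First DC in the network: "Add a new forest". Each parameter maps to a
#    wizard page: functional levels, DC capabilities, DNS delegation, NetBIOS
#    name, and the database/log/SYSVOL paths.
$forestParams = @{
    DomainName                    = 'corp.example.com'   # forest root FQDN
    DomainNetbiosName             = 'CORP'               # Additional Options page
    ForestMode                    = 'WinThreshold'       # Windows Server 2016 level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true                # DC capability: DNS
    CreateDnsDelegation           = $false               # no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'    # Paths page
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true                # suppress confirmation prompts
}
# The wizard's prerequisite check, run on its own so problems surface first:
Test-ADDSForestInstallation @forestParams
# Promote; the server reboots when promotion completes.
Install-ADDSForest @forestParams

# 4. Second DC for fault tolerance: "Add a domain controller to an existing
#    domain". Run on the new server once it resolves corp.example.com via the
#    first DC. The slide's four questions are the four commented parameters.
$dcParams = @{
    DomainName                    = 'corp.example.com'
    Credential                    = (Get-Credential -UserName 'CORP\Administrator' -Message 'Domain Admins credential')
    SiteName                      = 'HQ'      # In which site should the DC be located?
    InstallDns                    = $true     # Should you install DNS?
    NoGlobalCatalog               = $false    # Should it be a GC? ($true skips the GC)
    ReadOnlyReplica               = $false    # Should it be an RODC? ($true for a branch-office RODC)
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
Test-ADDSDomainControllerInstallation @dcParams
Install-ADDSDomainController @dcParams

# 5. New domain in the existing forest ("Add a new domain to an existing
#    forest"), child-domain variant. Creating a domain needs Enterprise Admins.
#    For the new-tree variant use -DomainType TreeDomain with a full FQDN.
Install-ADDSDomain -NewDomainName 'branch' `
                   -ParentDomainName 'corp.example.com' `
                   -DomainType ChildDomain `
                   -Credential (Get-Credential -UserName 'CORP\Administrator' -Message 'Enterprise Admins credential') `
                   -InstallDns:$true `
                   -SafeModeAdministratorPassword $dsrm `
                   -Force:$true
```

The Test-ADDS* cmdlets are the same prerequisite check the wizard runs before the Review Options page; running them separately lets you fix a failing check (unreachable DNS, wrong credential, unsupported functional level) without restarting the whole promotion.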
The Active Directory Schema
- An object is a group of information that describes a network resource
- The schema defines the type, organization, and structure of data stored in the AD database
- Schema classes define the types of objects that can be stored in Active Directory
- Schema attributes define what type of information is stored in each object
- The information stored in each attribute is called the attribute value

Active Directory Container Objects
- A container object contains other objects
  ◼ Used to organize and manage users and resources on the network
  ◼ Can also act as administrative and security boundaries
- Three container objects are found in AD:
  ◼ Organizational Units
  ◼ Folder Objects
  ◼ Domain objects

Organizational Units
- An OU is the primary container object for organizing and managing resources in a domain
- OUs can organize multiple objects into logical administrative groups that can be configured with specific policies relevant to that group
- Authority over an OU can be delegated
- Nesting OUs can build a hierarchical Active Directory structure that mimics the corporate structure for easier object management

Folder Objects
- Five are created by default:
  ◼ Builtin – houses default groups created by Windows
  ◼ Computers – default location for computer accounts created when a new computer or server becomes a domain member
  ◼ Foreign Security Principals – holds placeholder objects for users and groups from other (trusted) domains that have been added as members of the local domain's groups
  ◼ Managed Service Accounts – accounts created specifically for services to access domain resources
  ◼ Users – stores two default users (Administrator and Guest) and several default groups

Domain Objects
- The domain is the core logical structure in AD
  ◼ Contains OU and folder container objects, as well as leaf objects
- Larger companies may use multiple domains to separate administration, define security boundaries, and define policy boundaries
- Each domain object has a default GPO linked to it that can affect all objects in the domain
- The domain object in ADUC is represented by an icon with three tower computers

Active Directory Leaf Objects
- A leaf object doesn't contain other objects and usually represents one of the following:
  ◼ Security account
  ◼ Network resource
  ◼ GPO
- Security account objects include users, groups, and computers
- Network resource objects include servers, domain controllers, file shares, printers, etc.
- GPOs aren't viewed as objects in the same way as other AD objects are
  ◼ They are managed by the Group Policy Management MMC

User Accounts
- A user account object contains information such as group memberships, account restrictions, profile path, and dial-in permissions
- Authentication confirms a user's identity
  ◼ The account is then assigned permissions and rights
- Local user account – authorized to access resources only on that computer
- Domain user account – provides a single logon for users to access all resources in the domain
- Windows creates two built-in user accounts
  ◼ Administrator and Guest

Zone Type
- Three different types of DNS zones:
  ◼ Primary zone – contains a read/write master copy of all resource records for the zone; it is considered authoritative for the zone
  ◼ Secondary zone – contains a read-only copy of all resource records for the zone; it is considered authoritative for the zone
  ◼ Stub zone – contains a read-only copy of only the SOA and NS records for a zone and the A records needed to resolve those NS records; not authoritative

Groups
- A group object represents a collection of users with common permissions or rights
- Permissions – define which resources users can access and what level of access they have
- Right – specifies what types of actions a user can perform on a computer or network
- Groups are used to assign members permissions and rights
  ◼ More efficient than assigning permissions and rights to each user separately

Computer Accounts
- A computer account object represents a computer that's a domain controller or domain member
  ◼ Used to identify, authenticate, and manage computers in the domain
- A computer account is created automatically when a computer joins the domain; a DC's own account is created when the server is promoted
- The computer account object's name must match the name of the computer that the account represents

Locating Active Directory Objects
- Active Directory objects can be searched for using the Find Users, Contacts, and Groups dialog box
- You can search a single domain or an entire directory (all domains)
- Not all objects are available to all users
  ◼ Depends on the object's security settings and its container

Active Directory Terminology
- The next few sections examine terms associated with:
  ◼ Replication
  ◼ Directory partitions
  ◼ Operations masters
  ◼ Trust relationships

Active Directory Replication
- Replication is the process of maintaining a consistent database of information when the database is distributed among several locations
- Intrasite replication – replication between domain controllers in the same site
- Intersite replication – occurs between two or more sites
- Multimaster replication – used by AD for replicating AD objects: a change can be made on any writable DC and is replicated to all the others
- Knowledge Consistency Checker (KCC) runs on all DCs to determine the replication topology
  ◼ Defines the domain controller path that AD changes flow through and ensures no more than three hops exist between any two DCs

Directory Partitions
- Directory partition – each section of an Active Directory database
- There are five directory partition types in the AD database:
  ◼ Domain directory partition – contains all objects in a domain, including users, groups, computers, OUs, and so forth
  ◼ Schema directory partition – contains information needed to define AD objects and object attributes
  ◼ Global catalog partition – holds the global catalog, which is a partial replica of all objects in the forest
  ◼ Application directory partition – used by applications and services to hold information that benefits from
  ◼ Configuration partition – holds configuration information that can affect the entire forest

Operations Master Roles
- Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function
- The first domain controller in the forest initially holds all of the operations master roles
- If necessary, responsibility for these roles can be transferred to another domain controller
- Five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles:
  ◼ Schema Master (forest-wide)
  ◼ Domain Naming Master (forest-wide)
  ◼ RID Master (domain-wide)
  ◼ PDC Emulator (domain-wide)
  ◼ Infrastructure Master (domain-wide)

Using PowerShell to View FSMO Roles
- To view the holders of the three domain-wide roles, use the following PowerShell command:
  ◼ Get-ADDomain
- To view the holders of the two forest-wide roles, use the following PowerShell command:
  ◼ Get-ADForest

Trust Relationships
- In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain
- Trust relationships are established automatically between all domains in the forest
- Trusts do not equal permissions
  ◼ Permissions are still required to access resources, even if a trust relationship exists
- When there is no trust between domains, no access across domains is possible

The Role of Forests
- All domains in a forest share some common characteristics:
  ◼ A single schema
  ◼ Forest-wide administrative accounts
  ◼ Operations masters
  ◼ Global Catalog
  ◼ Trusts between domains
  ◼ Replication between domains

The Importance of the Global Catalog Server
- The first DC installed in a forest is automatically designated as a Global Catalog server, but additional global catalog servers can be configured
- Global Catalog servers perform the following vital functions:
  ◼ Facilitate domain- and forest-wide searches
  ◼ Facilitate logon across domains – users can log on to computers in any domain by using their user principal name (UPN)
  ◼ Hold universal group membership information

Introducing Group Policies
- A Group Policy Object (GPO) is a list of settings that administrators use to configure user and computer operating environments remotely
- The GPO scope defines which objects a GPO affects
- Installing Active Directory creates two GPOs by default:
  ◼ Default Domain Policy
  ◼ Default Domain Controllers Policy
- You can view, create, and manage GPOs by using the Group Policy Management console (GPMC)

Introducing Group Policies
- Each GPO has two main nodes in GPMC:
  ◼ Computer Configuration – used to set policies that apply to computers within the GPO's scope
  ◼ User Configuration – used to set policies that apply to all users within the GPO's scope
- Each node contains a Policies folder and a Preferences folder
- Settings configured in the Policies folder are applied to users or computers
  ◼ Can't be overridden by users
- To change a GPO's settings, you use the Group Policy Management Editor (GPME)
  ◼ Open by right-clicking a GPO and clicking Edit

The Computer Configuration Node
- Three folders under the Policies folder contain the following information:
  ◼ Software Settings – enables administrators to install and manage applications remotely
  ◼ Windows Settings – contains the Name Resolution Policy node, Scripts extension, Security Settings node, and the Policy-based QoS node
  ◼ Administrative Templates – contains the Control Panel, Network, Printers, System, and Windows Components folders
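The terminology slides above (replication, KCC, FSMO roles, Get-ADDomain and Get-ADForest, trusts, global catalog, Recycle Bin) can all be checked from one read-only script. This is an added example and not part of the lecture; it changes nothing in the directory, needs only RSAT on a domain-joined admin workstation, and reports against the slides' own recommendations (at least two DCs per domain, a reachable GC). The warning thresholds are the slides' guidance, not a hard rule.

```powershell
# Added example (not from the lecture): read-only check of forest topology.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.

Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on the forest object, domain-wide roles on the domain
# object, exactly as the "Using PowerShell to View FSMO Roles" slides say.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
} | Format-List

# Every DC in the current domain: the site it sits in, and whether it is a
# GC or an RODC (the questions asked when a DC is added).
$dcs = @(Get-ADDomainController -Filter *)
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) DC in $($domain.DNSRoot): no fault tolerance (at least two recommended)."
}
if (@($dcs | Where-Object IsGlobalCatalog).Count -lt 2) {
    Write-Warning 'Fewer than two global catalog servers: UPN and cross-domain logons depend on a reachable GC.'
}
# An RODC must never hold a FSMO role; one listed here indicates a broken topology.
$dcs | Where-Object { $_.IsReadOnly -and $_.OperationMasterRoles } | ForEach-Object {
    Write-Warning "RODC $($_.HostName) reports FSMO roles: $($_.OperationMasterRoles -join ', ')"
}

# Trusts. A trust is not a permission, but its settings decide how far a
# compromise of the trusted domain can reach: SID filtering (quarantine)
# stops injected SIDs from crossing the trust, and selective authentication
# limits which accounts may authenticate across it at all.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize

# Replication. The KCC builds the topology; this reads the last inbound
# replication result from each partner of the PDC emulator.
Get-ADReplicationPartnerMetadata -Target $domain.PDCEmulator -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# AD Recycle Bin: EnabledScopes is empty while it is off. Once enabled it
# cannot be disabled, which is why the check is worth running before relying on it.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled; deleted objects are only recoverable via DSRM restore or tombstone reanimation.'
}
```

The trust columns are the security-relevant part: Direction tells you which side's accounts can be used on the other, and a trust with SIDFilteringQuarantined set to False accepts SID history from the trusted side, so an attacker who owns that domain can present SIDs of privileged groups in yours.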
- Policies configured in the Computer Configuration node affect all computers in the container to which the GPO is linked

The User Configuration Node
- The Policies folder contains the same three folders as in the Computer Configuration node, but policies defined here affect domain users within the GPO's scope:
  ◼ Software Settings – can assign or publish application packages
  ◼ Windows Settings – contains four items: Scripts extension, Security Settings node, Folder Redirection node, Policy-based QoS node
  ◼ Administrative Templates – contains settings that enable administrators to control users' computer and network environments

How Group Policies Are Applied
- GPOs can be applied in four places:
  ◼ Local Computer
  ◼ Site
  ◼ Domain
  ◼ Organizational Unit
- Policies are applied in the above order
  ◼ Policies that are not defined or configured are not applied at all
  ◼ When two GPOs configure the same setting, the last one applied takes precedence, so an OU-linked GPO normally wins over a domain-linked one
  ◼ Two exceptions change that order: a link marked Enforced cannot be overridden by GPOs applied later, and Block Inheritance on a domain or OU stops non-enforced GPOs from higher levels from applying

Chapter Summary
- A directory service is a database that stores network resource information and can be used to manage users, computers, and resources throughout the network
- Active Directory is based on the X.500 standard and LDAP
- Use Server Manager to install the Active Directory Domain Services role
- Installing the first DC in a network creates a new forest, and that domain is called the forest root domain
- The data in Active Directory is organized as objects
- There are two types of objects in Active Directory: container objects and leaf objects
- Leaf objects generally represent security accounts, network resources, and GPOs

Chapter Summary
- The AD Recycle Bin can be enabled in ADAC, but after it's enabled, it can't be disabled
- Active Directory objects can be located easily with search functions in Active Directory Users and Computers and Windows Explorer
- Large organizations might require multiple domains, trees, and forests
- Directory partitions are sections of the Active Directory database that hold different types of data and are managed by different processes
- The forest is the broadest logical Active Directory component
- A domain is the primary identifying and administrative unit of Active Directory

Chapter Summary
- GPOs are lists of settings that enable administrators to configure user and computer environments remotely
- Policies defined in the Computer Configuration node affect all computers in the Active Directory container to which the GPO is linked
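The OU, group and delegation material from the container and leaf object slides, together with the GPO linking and precedence rules from the Group Policy slides, as one worked build. This is an added example and not part of the lecture; the domain corp.example.com, the OUs Workstations and Helpdesk, the group Helpdesk-Operators and the GPO Workstation-Baseline are hypothetical names. It needs the ActiveDirectory and GroupPolicy modules and Domain Admins rights.

```powershell
# Added example (not from the lecture): OUs, a delegated helpdesk group, and a
# GPO link, then a look at which GPO wins. Hypothetical names throughout.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$ouDN     = "OU=Workstations,$domainDN"

# 1. Container objects. Two OUs directly under the domain, protected from
#    accidental deletion (the same default ADAC/ADUC applies).
New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Helpdesk'     -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. Leaf objects: a global security group and a user, then membership.
#    Rights go to the group, never to the individual user.
New-ADGroup -Name 'Helpdesk-Operators' -GroupScope Global -GroupCategory Security -Path "OU=Helpdesk,$domainDN"
New-ADUser -Name 'Alice Example' -SamAccountName 'alice' -UserPrincipalName 'alice@corp.example.com' `
           -Path "OU=Helpdesk,$domainDN" `
           -AccountPassword (Read-Host -AsSecureString 'Initial password for alice') `
           -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Helpdesk-Operators' -Members 'alice'

# 3. Delegation ("authority over an OU can be delegated"). Grant the group only
#    the "Reset Password" control-access right and write to pwdLastSet on user
#    objects under the OU, inherited to sub-objects (/I:S). This is what the
#    Delegation of Control wizard's "Reset user passwords" task sets; dsacls is
#    the built-in DACL editor for directory objects.
dsacls $ouDN /I:S /G 'CORP\Helpdesk-Operators:CA;Reset Password;user'
dsacls $ouDN /I:S /G 'CORP\Helpdesk-Operators:WP;pwdLastSet;user'
# Read the DACL back so the grant is exactly what was intended and nothing wider.
dsacls $ouDN | Select-String 'Helpdesk-Operators'

# 4. A GPO with one Computer Configuration policy (LSA protection: LSASS runs as
#    a protected process, so non-protected code cannot read its memory), linked
#    to the Workstations OU.
New-GPO -Name 'Workstation-Baseline' -Comment 'Computer-side security baseline' | Out-Null
Set-GPRegistryValue -Name 'Workstation-Baseline' `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'RunAsPPL' -Type DWord -Value 1 | Out-Null
New-GPLink -Name 'Workstation-Baseline' -Target $ouDN -LinkEnabled Yes | Out-Null

# 5. Precedence. Order is Local, Site, Domain, OU, and on a conflicting
#    setting the last one applied wins, so this OU link beats a domain-linked
#    GPO. Enforcing the link makes it win even against an OU below that blocks
#    inheritance. Get-GPInheritance shows links, their order and the flags.
Set-GPLink -Name 'Workstation-Baseline' -Target $ouDN -Enforced Yes | Out-Null
Get-GPInheritance -Target $ouDN |
    Select-Object Path, GpoInheritanceBlocked,
        @{ n = 'Links'; e = { ($_.GpoLinks | ForEach-Object {
            "$($_.DisplayName) (Order=$($_.Order), Enforced=$($_.Enforced))" }) -join '; ' } }

# 6. On a computer in the OU, refresh and confirm the resultant set of policy:
#    gpresult lists applied GPOs; the HTML report shows the winning GPO per setting.
#    gpupdate /force
#    gpresult /r /scope computer
#    Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```

Two points a practitioner checks after a build like this: the dsacls read-back, because a delegation that accidentally granted Full Control on the OU is a privilege-escalation path that GPMC never shows, and the inheritance listing, because an Enforced link higher up or a blocked OU is the usual reason a setting "does not apply" even though the GPO looks correct.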