Introduction to Active Directory Domain Services - Training Slides PDF
Uploaded by BonnySagacity3375
Summary
This document provides a presentation on Active Directory (AD) domain services. It covers key concepts such as authentication, authorization, domain controllers and Microsoft's implementation of AD. The slides are designed to provide an introduction to the concepts.
Full Transcript
Unit 02: INTRODUCTION TO ACTIVE DIRECTORY DOMAIN SERVICES

Lesson 1: Overview of AD DS
• What is Directory
• What is Directory Service
• Microsoft Active Directory
• Core Services
• Centralized management
• Component of Active Directory
  ◦ Logical
  ◦ Physical

What is Directory
• Collection of information
• You can also compare Directory with a Phonebook

Directory Services
• Active Directory is not the first Directory Service; NDS from Novell was present before the release of AD
• Active Directory was introduced with Windows Server 2000
• The goal of directory services is to bring order to both big and small networks
• With a directory, users can perform search queries
• Users can also find network information quickly and easily
• Directory services provide a streamlined

Microsoft Active Directory
• Active Directory is Microsoft's implementation of directory services
• It is based on standards like LDAP and X.500 (the schema is based on X.500)
• Active Directory provides integration with the Windows Domain
• It also provides integration with DNS (Domain Name Service)
• Security, authentication and access control are major features of Microsoft AD

Core Services
• Directory services: Active Directory stores user, group, computer, and much other information about a network.
• Security services: Active Directory enables clients to retrieve information from its data store in order to provide services such as authentication and authorization.
Centralized Management

Components of Active Directory
• Active Directory Domain Services (AD DS) is composed of both logical and physical components
• Logical components: Partitions, Schema, Domains, Domain trees, Forests, Sites, OUs, Containers
• Physical components: Domain controllers, Data stores, Global catalog servers, Read-only domain controllers (RODCs)

Lesson 2: Revisiting the concept
• Domains Explained
• OUs and Containers
• Forest and Domains
• AD DS Schema
• Authentication and Authorization

Domains Explained
[Diagram: a domain containing User, Computer and Group objects, with every AD DS domain controller holding a copy of the domain database]
• AD DS requires one or more domain controllers
• All domain controllers hold a copy of the domain database, which is continually synchronized
• The domain is the context within which user accounts, computer accounts, and groups are created
• The domain is a replication boundary
• The domain is an administrative center for configuring and managing objects
• Any domain controller can authenticate any sign-in anywhere in the domain
• The domain provides authorization

Organizational Units (OUs) and Containers
• Containers that can be used to group objects within a domain
• Create OUs to:
  ◦ Configure objects by assigning Group Policy Objects (GPOs)
  ◦ Delegate administrative permissions
• OUs are represented by a folder with a book on it; containers are represented by a blank folder

Forest and Domain
[Diagram: forest root domain adatum.com with child domain atl.adatum.com, and a second tree whose root domain is fabrikam.com, all in one forest]
• Forest: a set of trees in an Active Directory
• Tree: a collection of domains

AD DS Schema
• The schema defines the objects that can be stored in AD DS

Authentication and Authorization
• Authentication and authorization are both integral components of identity and access management
• Authentication: verifying that a user, computer, or service (such as an application provided on a network server) is the entity that it claims to be.
• Authorization: determining which actions an authenticated principal is authorized to perform on the network.
• The relationship between authentication and authorization might be summarized as "Now that I know who you are, here's what you can do."

Authentication
• The authentication process is done using the Kerberos protocol
• The Kerberos protocol consists of three key components:
  ◦ Kerberos Key Distribution Center (KDC): part of the domain controller; it performs two service functions, the Authentication Service (AS) and the Ticket-Granting Service (TGS)
  ◦ Client: the machine trying to access the resource on the target server
  ◦ Target server: the server hosting the services

Authorization
• Each object has an access control list associated with it:
  ◦ DACL: the Discretionary Access Control List specifies a list of user accounts and groups that are allowed or denied access to a particular object.
  ◦ SACL: the System Access Control List defines the operations, such as read, write or delete, that should be audited for a user or a group.
• Each such list is made up of Access Control Entries (ACEs) that list the permissions allowed or denied for a user or a group

What Is New in Active Directory 2012?
• Virtualization that just works
  ◦ Rapid deployment with cloning
  ◦ Safer virtualization of domain controllers
• Simplified deployment and upgrade preparation
• Simplified management
• Dynamic Access Control
• DirectAccess Offline Domain Join
• Active Directory Federation Services (AD FS)
• Windows PowerShell History Viewer
• Active Directory Recycle Bin User Interface
• Fine-Grained Password Policy User Interface
• Active Directory Replication and Topology Windows PowerShell cmdlets
• Active Directory Based Activation (AD BA)
• Improvements for using consumer devices in the enterprise:
  ◦ Workplace Join: allows consumer devices to participate in the domain
  ◦ Web Application Proxy: allows applications to be published to the Internet
  ◦ Multi-Factor Authentication: allows you to specify the use of multiple factors for authentication
  ◦ Multi-Factor Access Control

Overview of Domain Controllers
• What Is a Domain Controller?
• What Is the Global Catalog?
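The DACL and SACL described above can be read directly from a domain controller with the ActiveDirectory PowerShell module, which exposes the directory as an AD: drive. The script below is an added example, not part of the slides or the lab manual; the OU name OU=Finance,DC=adatum,DC=com is a constructed placeholder built on the deck's sample domain, and reading the SACL requires the "Manage auditing and security log" privilege (SeSecurityPrivilege).

```powershell
# Added example (not from the slides): inspect the DACL and SACL of an AD DS object
# through the ActiveDirectory module's AD: PSDrive.
Import-Module ActiveDirectory

# Assumption: an OU in the lab domain. Replace with a real distinguished name.
$TargetDn = 'OU=Finance,DC=adatum,DC=com'
$AdPath   = "AD:\$TargetDn"

# DACL: which security principals are allowed or denied which rights on the object.
# Each entry returned here is one ACE (ActiveDirectoryAccessRule).
$dacl = Get-Acl -Path $AdPath
$dacl.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# SACL: which operations, for which principals, generate audit events.
# -Audit adds the SACL to the returned security descriptor (needs SeSecurityPrivilege).
$sacl = Get-Acl -Path $AdPath -Audit
$sacl.Audit |
    Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights |
    Format-Table -AutoSize

# Review aid: explicit (non-inherited) Allow ACEs that grant control over the object
# itself, such as GenericAll, WriteDacl or WriteOwner. On sensitive OUs these are the
# entries a delegation review should confirm are intentional.
$BroadRights = 'GenericAll|WriteDacl|WriteOwner'
$dacl.Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match $BroadRights)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize
```

The same Get-Acl call works for any object path under AD:, so the check can be pointed at the domain head, the AdminSDHolder container or an individual account when delegation on those needs to be confirmed.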
• The AD DS Sign-in Process
• Demonstration: Viewing the SRV Records in DNS
• What Are Operations Masters?

Introduction to Domain Controllers
• Domain controllers are servers that host the AD DS database (Ntds.dit) and the system volume (SYSVOL, a collection of folders that exists on each domain controller in a domain)
• The Kerberos authentication service and KDC services perform authentication
• Best practices:
  ◦ Availability: at least two domain controllers in a domain
  ◦ Security: RODC and BitLocker

What Is the Global Catalog?
[Diagram: each domain controller holds the Schema, Configuration and its own Domain partition (Domain A or Domain B); the global catalog server in Domain A additionally holds a partial copy of the Domain B partition]
• The global catalog:
  ◦ Hosts a partial attribute set for other domains in the forest
  ◦ Supports queries for objects throughout the forest

Viewing the SRV Records in DNS
• Open DNS Manager from Administrative Tools, and locate the path below.
• Let's discuss SRV records

What Are Operations Masters?
• In the multi-master replication model, some operations must be single master
• Many terms are used for single master operations in AD DS, including:
  ◦ Operations master (or operations master roles)
  ◦ Single master roles
  ◦ Flexible single master operations (FSMOs)
• The five FSMOs are:
  ◦ Domain naming master
  ◦ RID master (Relative ID master)
  ◦ Schema master
  ◦ Infrastructure master
  ◦ PDC Emulator master

Installing a Domain Controller
• Installing a Domain Controller from Server Manager
• Installing a Domain Controller on a Server Core Installation of Windows Server 2012
• Upgrading a Domain Controller
• Installing a Domain Controller by Using Install from Media
• What Is Windows Azure Active Directory?
• Deploying Domain Controllers in Windows Azure

Installing from Server Manager
• Deployment Configuration section of the Active Directory Domain Services Configuration Wizard
• Follow the lab manual to install a new domain controller.
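The SRV-record demonstration and the operations master slide go together in practice: clients find domain controllers, KDCs and global catalog servers only through the SRV records each DC registers, and the FSMO role holders must be among them. The script below is an added example, not from the slides, using the deck's sample domain adatum.com; adjust $Domain for your own forest. It assumes the ActiveDirectory and DnsClient modules present on Windows Server 2012.

```powershell
# Added example (not from the slides): locate domain controllers the way the DC locator
# does, via DNS SRV records, then list the operations master (FSMO) role holders.
Import-Module ActiveDirectory
$Domain = 'adatum.com'   # assumption: the deck's sample forest root domain

# _ldap._tcp.dc._msdcs.<domain> : every writable DC registers one
# _kerberos._tcp.<domain>       : KDCs (the Authentication Service / TGS endpoints)
# _gc._tcp.<forest root>        : global catalog servers
# A DC missing from these records cannot be found by clients even if it is healthy.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($name in $SrvNames) {
    Write-Host "== $name"
    # Resolve-DnsName also returns the A records from the additional section,
    # so keep only the SRV answers.
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight |
        Format-Table -AutoSize
}

# FSMO role holders: two forest-wide roles and three per-domain roles
# (this answers the two lab review questions on operations masters).
$forest = Get-ADForest -Identity $Domain
$domain = Get-ADDomain -Identity $Domain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Cross-check against the directory's own view of its DCs: each role holder should
# appear in the SRV output above, and the list shows which DCs are GCs or RODCs.
Get-ADDomainController -Filter * -Server $Domain |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize
```

Running this after promoting a new domain controller (or after an IFM install at a branch office) confirms the DC registered its records and shows whether any FSMO role unexpectedly moved.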
• Document name: Install a New Windows Server 2012 Active Directory Forest.docx

Installing on a Server Core
• Installing AD DS is a two-step process regardless of which installation method you use
• Method 1: use Server Manager on a Windows Server 2012 server with a GUI to connect to the system
  1. Install the files by installing the Active Directory Domain Services role
  2. Install the domain controller role by running the Active Directory Domain Services Configuration Wizard
• Method 2: use Windows PowerShell locally, or remotely using WinRM
  1. Install the files by running the command Install-WindowsFeature AD-Domain-Services
  2. Install the domain controller role by running the

Upgrading a Domain Controller
• Options to upgrade AD DS to Windows Server 2012:
  ◦ In-place upgrade from Windows Server 2008 to Windows Server 2012
    - Benefit: except for the prerequisite checks, all the files and programs stay in place and there is no additional work required
    - Risk: may leave legacy files and DLLs
  ◦ Introduce a new Windows Server 2012 server into the domain and promote it to be a domain controller (this option is usually preferable)
    - Benefit: the new server has no accumulated legacy files and settings
    - Risk: may need additional work to migrate administrators' files and settings

Installation from Media
• Install from Media section on the Additional Options page of the Active Directory Domain Services Configuration Wizard

What Is Windows Azure Active Directory?
[Diagram: Office 365 services (Exchange Online, SharePoint Online, Lync Online), Windows Azure apps and Internet-connected apps use Windows Azure Active Directory; on-premises AD DS synchronizes to Windows Azure Active Directory over the Internet]

Deploying Domain Controllers in Windows Azure
• Windows Server 2012 is cloud-ready and virtualization safe
• Considerations for deploying in Windows Azure include:
  ◦ Rollback
  ◦ Resource limitations
  ◦ Virtualization considerations for deploying AD DS
  ◦ Time synchronization
  ◦ Single point of failure

Installing Domain Controllers in Microsoft Azure and Others
• Follow the lab manual to install a new domain controller:
  1. Install a New Windows Server 2012 domain controller in Azure.docx
  2. Install a Replica Windows Server 2012 Domain Controller in an Existing Domain.docx
  3. Install a Windows Server 2012 Active Directory RODC.docx

Lab: Installing Domain Controllers
• Exercise 1: Installing a Domain Controller
• Exercise 2: Installing a Domain Controller by Using IFM
• Lab Scenario: Your manager has asked you to install a new domain controller in the datacenter to improve sign-in performance, and to create a new domain controller for a branch office by using IFM

Lab Review
• Why did you use Server Manager and not dcpromo when you promoted a server to be a domain controller?
• What are the three operations masters found in each domain?
• What are the two operations masters that are present in a forest?
• What is the benefit of performing an IFM install of a domain controller?

Module Review and Takeaways
• Review Questions