ITEC1420_Chapter 3.pptx
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015

Chapter 3: Introducing Active Directory

Objectives
– Describe the role of a directory service
– Install Active Directory
– Describe objects found in Active Directory
– Work with forests, trees, and domains
– Configure group policies

Active Directory Domain Services (AD DS)
Active Directory (AD) is a Microsoft service that provides centralized authentication and authorization for network resources. Businesses use it to simplify user management, control access to data, and enforce company security policies.

The Role of a Directory Service
A network directory service stores information about a computer network and offers features for retrieving and managing that information. It is primarily an administrative tool, but users also rely on it to find resources such as printers, shared folders, and other users.

Windows Active Directory
Active Directory offers the following features:
– Hierarchical organization
– Centralized but distributed database
– Scalability
– Security
– Flexibility
– Policy-based administration

Active Directory Structure
Physical structure – sites and the servers configured as domain controllers.
Logical structure – how the directory itself is organized (OUs, domains, trees, forests), usually modeled on the organization in which it runs.

Active Directory's Physical Structure
An Active Directory site is a physical location, typically one or more well-connected IP subnets, in which domain controllers communicate and replicate information regularly.
Each domain controller holds a full replica of the objects that make up its domain and is responsible for:
– Storing a copy of the domain data and replicating changes to that data to all other domain controllers in the domain.
– Providing search and retrieval functions for users trying to locate objects in the directory.
– Providing authentication and authorization services for users who log on to the domain and access network resources.
Because every DC holds the whole domain database, including account password hashes, physical and administrative control of any one DC is as sensitive as control of the domain itself.

Active Directory's Logical Structure
Four organizing components of Active Directory:
– Organizational units (OUs)
– Domains
– Trees
– Forests
The organizational unit (OU) is an Active Directory container used to organize a network's users and resources into logical administrative units.

An OU contains Active Directory objects, such as:
– User accounts
– Groups
– Computer accounts
– Printers
– Shared folders
– Applications
– Servers
– Domain controllers

Domain – represents an administrative, security, and policy boundary. Small to medium companies usually have one domain. Larger companies may use several domains to separate geographical regions or administrative responsibilities. Note that the domain is not a hard security boundary: a domain administrator in any domain of a forest can gain control of the entire forest, so the forest is the real security boundary and a compromised domain compromises the forest.

A tree is a grouping of domains that share a common, contiguous naming structure.
– It consists of a parent domain and possibly one or more child domains.
Forest – a collection of one or more Active Directory trees that provide a common Active Directory environment.
– All domains in all trees trust each other and can share information.
– A forest can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.
Figure 3-1 An Active Directory forest

Installing Active Directory
The Windows Active Directory service is commonly referred to as Active Directory Domain Services (AD DS). To install AD DS, add the role in Server Manager and then promote the server to a domain controller. AD DS depends on DNS: if no DNS server is already present on the network, the DNS Server role must be installed as well (the promotion wizard can install it on the same server).

In the Deployment Configuration window, select one of these options:
– Add a domain controller to an existing domain
– Add a new domain to an existing forest
– Add a new forest (choose this if it is the first DC in the network)
You will be prompted for the fully qualified domain name (FQDN) of the new forest root.
– An FQDN is a domain name that includes all parts of the name, every label from the host or domain up to the top-level domain.
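The forest-creation procedure above, carried out from PowerShell instead of the Server Manager wizard, as an added example that is not part of the textbook: it installs the role, runs the prerequisite check, and promotes the server with the functional levels the next figure asks for. The forest name corp.example.com, the NetBIOS name CORP, and the Windows Server 2012 R2 functional levels are assumptions for a lab.

```powershell
# Added example (not from the textbook): first DC of a new forest from
# PowerShell. Run in an elevated session on a freshly installed server that
# has a static IP address; the server reboots when promotion finishes.
# $forestName and $netbiosName are lab assumptions.
$forestName  = 'corp.example.com'   # assumed FQDN of the forest root domain
$netbiosName = 'CORP'               # assumed NetBIOS name of that domain

# 1. Install the AD DS binaries plus the RSAT tools (ADAC, ADUC, AD module).
#    This only adds the role; no domain exists until the promotion below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The Directory Services Restore Mode password is a local administrator
#    credential for the DC when the directory is offline; treat it like a
#    Domain Admin password and store it in a vault, never in a script.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Prerequisite check. It changes nothing and reports problems (no static
#    IP, DNS delegation that cannot be created) before the one-way promotion.
Test-ADDSForestInstallation -DomainName $forestName -SafeModeAdministratorPassword $dsrm

# 4. Promote: create the forest root domain, install DNS on this server, and
#    pin the forest and domain functional levels (the wizard's Figure 3-2
#    page). Win2012R2 means no DC older than 2012 R2 can join later.
#    The first DC automatically becomes a Global Catalog server.
Install-ADDSForest `
    -DomainName $forestName `
    -DomainNetbiosName $netbiosName `
    -ForestMode Win2012R2 `
    -DomainMode Win2012R2 `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true

# After the reboot, confirm the result from the same server:
# Get-ADForest | Select-Object Name, RootDomain, ForestMode
# Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
# Get-ADDomainController | Select-Object HostName, IsGlobalCatalog, Site
```

Install-WindowsFeature and Install-ADDSForest are the same steps the Server Manager wizard performs; the separate Test-ADDSForestInstallation call is worth keeping because promotion cannot be undone short of demoting the DC.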
Figure 3-2 Choosing the forest and domain functional levels
The functional levels determine which AD features are available and which Windows Server versions may act as domain controllers; they can be raised later once every DC runs a supported version.

What's Inside Active Directory
Explore Active Directory with the Active Directory Administrative Center (ADAC) or the Active Directory Users and Computers (ADUC) management console.
Use ADAC to perform the following AD tasks:
– Create and manage user, group, and computer accounts
– Manage OUs
– Connect to other domain controllers in the same or a different domain
– Raise the domain functional level and enable the AD Recycle Bin
Figure 3-4 The Active Directory Users and Computers MMC

The Active Directory Schema
An object is a grouping of information that describes a network resource. The schema defines the type, organization, and structure of data stored in the AD database.
Schema classes define the types of objects that can be stored in Active Directory.
Schema attributes define what type of information is stored in each object. The information stored in an attribute is called the attribute value.
Figure 3-5 Schema classes, schema attributes, and Active Directory objects

Active Directory Container Objects
A container object contains other objects.
– Used to organize and manage users and resources on the network
– Can also act as administrative and security boundaries
Three kinds of container objects are found in AD:
– Organizational units
– Folder objects
– Domain objects

Organizational Units
An OU is the primary container object for organizing and managing resources in a domain.
OUs organize multiple objects into logical administrative groups that can be configured with specific policies (Group Policy Objects linked to the OU) relevant to that group.
Authority over an OU can be delegated, so a team can manage its own users and computers without being given domain-wide rights.
Nesting OUs builds a hierarchical Active Directory structure that mimics the corporate structure for easier object management.

Folder Objects
Five folder objects are created by default:
– Builtin – houses the default groups created by Windows
– Computers – default location for computer accounts created when a new computer or server becomes a domain member.
– ForeignSecurityPrincipals – holds placeholder objects for security principals from other (trusted) domains that have been added as members of the local domain's groups.
– Managed Service Accounts – accounts created specifically for services to access domain resources.
– Users – stores the default user accounts (Administrator and Guest, plus the krbtgt account used by the Kerberos KDC) and several default groups.
Group Policy Objects cannot be linked to these folder objects, which is one reason to move accounts out of the default Users and Computers folders into OUs.

Domain Objects
The core logical structure in AD; a domain contains OU and folder container objects as well as leaf objects.
Larger companies may use multiple domains to separate administration, define security boundaries, and define policy boundaries.

Active Directory Leaf Objects
A leaf object doesn't contain other objects and usually represents one of the following:
– Security account
– Network resource
– Group Policy Object (GPO)
Security account objects include users, groups, and computers.
Network resource objects include servers, domain controllers, file shares, printers, etc.

Other Leaf Objects
Other leaf objects commonly created in AD:
– Contact – a person associated with the company but not a network user
– Printer – represents a shared printer in the domain
– Shared folder – represents a shared folder on a computer in the network

User Accounts
A user account object contains information such as group memberships, account restrictions, profile path, and dial-in permissions.
Authentication confirms a user's identity; the authenticated account is then granted permissions and rights.
– Local user account – can access resources only on the computer where it is defined.
– Domain user account – provides a single logon through which the user accesses resources throughout the domain.
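The container and leaf objects described in the slides above (OUs, user, group and computer accounts, and delegated authority over an OU), put into practice as an added PowerShell example that is not from the textbook. It assumes the lab domain corp.example.com and the RSAT ActiveDirectory module; every OU, account and group name is an assumption, and the GUIDs the delegation needs are read from the schema rather than hard-coded.

```powershell
# Added example (not from the textbook): OU hierarchy, leaf objects, a narrow
# delegation on one OU, and an audit of domain-wide privilege.
# Assumes: domain corp.example.com, RSAT ActiveDirectory module, an account
# allowed to create OUs and edit their ACLs. All names are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example,DC=com
$corpOU   = "OU=Corp,$domainDN"

# Nested OUs mirror the organization. GPOs link to sites, domains and OUs,
# not to the default Users/Computers folders, so accounts belong in OUs.
New-ADOrganizationalUnit -Name 'Corp' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($name in 'Users', 'Workstations', 'Groups') {
    New-ADOrganizationalUnit -Name $name -Path $corpOU -ProtectedFromAccidentalDeletion $true
}

# Leaf objects: a user, a security group, and a pre-staged computer account.
$initialPw = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@corp.example.com' `
    -Path "OU=Users,$corpOU" -AccountPassword $initialPw -Enabled $true -ChangePasswordAtLogon $true
New-ADGroup -Name 'HelpDesk' -SamAccountName 'HelpDesk' -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$corpOU"
New-ADComputer -Name 'WS-001' -Path "OU=Workstations,$corpOU"

# Delegation. HelpDesk gets "Reset Password" and write on lockoutTime (unlock)
# for user objects under OU=Users only, instead of membership in Account
# Operators or Domain Admins. The identifying GUIDs come from the directory:
# schemaIDGUID for the user class and the lockoutTime attribute, rightsGuid
# for the Reset Password control-access right.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string] $ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid] $obj.schemaIDGUID                        # byte[] -> Guid
}
$userClassGuid   = Get-SchemaGuid 'user'
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$resetPwdGuid    = [guid] (Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$helpDeskSid = (Get-ADGroup 'HelpDesk').SID
$inherit     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$usersOuPath = "AD:\OU=Users,$corpOU"

$acl = Get-Acl -Path $usersOuPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $helpDeskSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPwdGuid, $inherit, $userClassGuid))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $helpDeskSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
    $lockoutTimeGuid, $inherit, $userClassGuid))
Set-Acl -Path $usersOuPath -AclObject $acl

# Audit. -Recursive catches nested groups; adminCount=1 marks every object
# AdminSDHolder has ever protected, which persists after removal from a
# privileged group, so this list is the one to review, not just the group.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object name, objectClass
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
    Select-Object Name, ObjectClass, whenChanged
```

The two access rules are scoped with inheritance type Descendents and an inherited-object type of the user class, so they apply to user objects under OU=Users and to nothing else; reading the GUIDs from the schema and configuration partitions also shows the schema classes, attributes and control-access rights in use rather than treating them as magic numbers.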
Windows creates two built-in user accounts, Administrator and Guest (Guest is disabled by default and should stay that way).

Groups
A group object represents a collection of users with common permissions or rights.
– Permissions define which resources users can access and what level of access they have.
– Rights specify what types of actions a user can perform on a computer or network, such as logging on locally or backing up files.
Groups are used to assign permissions and rights to their members; this is more efficient than assigning them to each user separately, and it keeps access reviewable in one place.

Computer Accounts
A computer account object represents a computer that is a domain controller or a domain member.
– Used to identify, authenticate, and manage computers in the domain. The computer account has its own password and is a security principal in its own right.

Working with Forests, Trees, and Domains
Smaller organizations most likely focus on OUs and their child objects. Larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests.
The first domain controller creates more than a new domain: it also creates a new tree and the root of a new forest.

Active Directory Replication
Replication is the process of keeping a distributed database consistent when copies of it are held in several locations.
– Intrasite replication – replication between domain controllers in the same site.
– Intersite replication – replication between two or more sites.
– Multimaster replication – used by AD for replicating AD objects: changes can be made on any writable domain controller and are then replicated to the others.
– The Knowledge Consistency Checker (KCC) runs on every DC and determines the replication topology.

The Importance of the Global Catalog Server
The first domain controller installed in a forest is automatically designated as a Global Catalog (GC) server. A GC holds a full replica of its own domain plus a partial, read-only replica of every other domain in the forest.
Global Catalog servers perform the following vital functions:
– Facilitate domain-wide and forest-wide searches.
– Facilitate logon across domains: users can log on to computers in any domain by using their user principal name (UPN), which the GC resolves to the user's home domain, and the GC supplies universal group membership during logon.

Designing the Domain Structure
Most small and medium businesses choose a single domain for the following reasons:
– Simplicity
– Lower costs
– Easier management
– Easier access to resources
A single-domain structure is usually easier and less expensive to run than a multidomain structure.

Summary
– A directory service is a database that stores network resource information and can be used to manage users, computers, and resources throughout the network.
– Use Server Manager to install the Active Directory Domain Services role.
– Installing the first DC in a network creates a new forest; its domain is called the forest root domain.
– The data in Active Directory is organized as objects.
– There are two types of objects in Active Directory: container objects and leaf objects.
– Leaf objects generally represent security accounts, network resources, and GPOs.
– Active Directory objects can be located easily with the search functions in Active Directory Users and Computers and Windows Explorer.
– Large organizations might require multiple domains, trees, and forests.
– Directory partitions are sections of the Active Directory database that hold different types of data and are managed by different processes.
– The forest is the broadest logical Active Directory component.
– A domain is the primary identifying and administrative unit of Active Directory.
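The replication and Global Catalog material from the "Active Directory Replication" and "The Importance of the Global Catalog Server" slides, as a closing added example that is not from the textbook: it lists which DCs are GCs per site, flags sites without one, and reports replication links that are failing or stale. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read replication metadata; the one-hour staleness threshold is an assumption.

```powershell
# Added example (not from the textbook): replication and Global Catalog
# health checks. Assumes the RSAT ActiveDirectory module and rights to read
# replication metadata; the 1-hour threshold below is an assumption.
Import-Module ActiveDirectory

# Every DC in the current domain, its site, and whether it is a GC (use
# -Server <other domain> for the other domains of a multi-domain forest).
# A site with no GC sends UPN logons and universal-group lookups across a
# WAN link; the KCC only builds links between the DCs that exist, it cannot
# fix that placement.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly |
    Sort-Object Site | Format-Table -AutoSize

$gcSites = $dcs | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty Site -Unique
Get-ADReplicationSite -Filter * | Where-Object { $_.Name -notin $gcSites } |
    ForEach-Object { Write-Warning "No Global Catalog in site $($_.Name)" }

# Partner metadata for the whole forest, intrasite and intersite links alike.
# Multimaster replication tolerates a lagging DC for a while, but a disabled
# account or a removed group member is not enforced on a DC that is not
# replicating, so report links that failed or have not succeeded recently.
$threshold = (Get-Date).AddHours(-1)
$stale = Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt $threshold }
$stale | Select-Object Server, Partner, Partition, LastReplicationSuccess,
                       LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# The same picture from the command-line tool installed with the DC role
# and the RSAT tools.
repadmin /replsummary
```

LastReplicationResult is the Win32 error code of the last attempt (0 means success), so the filter catches both outright failures and links that quietly stopped succeeding; repadmin /replsummary gives the equivalent per-DC summary for comparison.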