Windows Server Admin Fundamentals - Module 3: Active Directory PDF
This document is a module on Windows Server Administration, focusing on Active Directory. It covers topics like Active Directory infrastructure, accounts, groups, organizational units, and Group Policy. It also includes a review of DNS.
Full Transcript
40554A: Windows Server Admin Fundamentals
Module 3: Active Directory

Module overview
- Lesson 0: DNS review
- Lesson 1: Active Directory infrastructure
- Lesson 2: Accounts and groups
- Lesson 3: Organizational units and containers
- Lesson 4: Group Policy

Module objectives
After completing this module, you will be able to:
- Describe the Microsoft Active Directory infrastructure
- Understand the different types of accounts and groups
- Explain the function of OUs and containers
- Comprehend the function of Group Policy

Lesson 0: DNS review

URL: Uniform Resource Locator
Example: www.edu.gov.qa
- www: the subdomain, commonly used for "World Wide Web"; it is often used as a standard prefix for websites.
- edu: the second-level domain, which typically represents educational institutions or services.
- gov: the top-level domain (TLD), indicating that the website is associated with a government entity.
- qa: the country code top-level domain (ccTLD) for Qatar, indicating that the website is associated with the country of Qatar.

[Figure: "How to call someone", a phone-directory analogy for DNS. Hamad's number is 444444 and Khalaf's number is 55555550; to call Hamad or Khalaf you first ask the call center for the number, just as a client asks a DNS server for an address.]

How DNS works
[Figure: DNS lookup diagram; the rotated caption is not recoverable from the extraction.]

What is a DNS server?
What is a server?
A server is a computer or software that provides services, resources, or data to other computers, known as clients, over a network. It stores various types of files, such as images, videos, audio, and text.
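The lookup the slides describe, as an added PowerShell example that is not part of the course material: it walks the example name www.edu.gov.qa from the TLD down and asks each level for its authoritative name servers, which is the delegation chain a resolver follows (and the chain AD DS clients depend on when they locate domain controllers through DNS). It uses only the built-in Resolve-DnsName cmdlet and needs network access.

```powershell
# Added example (not course material): walk a name's DNS delegation hierarchy
# from the TLD down, as a resolver does, with the built-in Resolve-DnsName cmdlet.
# The host name is the slide's example, www.edu.gov.qa; this needs network access.
function Get-DnsHierarchy {
    param([Parameter(Mandatory)][string]$Name)
    $labels = $Name.TrimEnd('.').Split('.')
    $zones  = @()
    # Build the chain right to left: qa -> gov.qa -> edu.gov.qa -> www.edu.gov.qa
    for ($i = $labels.Count - 1; $i -ge 0; $i--) {
        $zones += ($labels[$i..($labels.Count - 1)] -join '.')
    }
    $depth = 0
    foreach ($zone in $zones) {
        $depth++
        # NS records answer "which servers are authoritative for this level?"
        $ns = Resolve-DnsName -Name $zone -Type NS -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'NS' } |
              Select-Object -ExpandProperty NameHost
        [pscustomobject]@{
            Level       = $depth
            Zone        = $zone
            NameServers = if ($ns) { $ns -join ', ' } else { '(none: a host record, not a delegated zone)' }
        }
    }
    # Last hop: the servers authoritative for the parent zone hold the host's A record
    Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object {
            [pscustomobject]@{ Level = 'host'; Zone = $_.Name; NameServers = "A $($_.IPAddress)" }
        }
}

Get-DnsHierarchy -Name 'www.edu.gov.qa' | Format-Table -AutoSize
```

Each row shows one level of the hierarchy and who answers for it; a level with no NS record is a host inside its parent zone rather than a separately delegated zone.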
DNS server types
[Video: DNS server types]

Lesson 1: Active Directory infrastructure
- Domains and forests
- Domain controllers
- Operations master roles
- Functional levels
- Trust relationships
- Sites
- Active Directory Recycle Bin and restoration

Lesson 1 objectives
After completing this lesson, you'll be able to:
- Understand the functionality of domains and forests
- Describe the functionality of an Active Directory domain controller
- Explain the Active Directory FSMO roles
- Describe the different Active Directory domain and forest functional levels
- Explain the functionality of trust relationships between domains and forests
- Understand when to use Active Directory sites
- Describe the purpose of the Active Directory Recycle Bin

Domains and forests: forests
[Figure: a forest containing the forest root domain adatum.com, the tree root domain fabrikam.com, and the child domain atl.adatum.com]

Domains and forests: domains
- AD DS requires one or more domain controllers
- Each domain controller contains a copy of the domain database, which continually syncs
- The domain is the context within which user accounts, computer accounts, and groups are created
- The domain:
  - Is a replication boundary
  - Is an administrative center for configuring and managing objects
  - Provides authorization
- Any domain controller can authenticate any sign-in anywhere in the domain
[Figure: user, computer, and group objects inside an AD DS domain]

Domain controllers
Domain controllers:
- Are servers that host the AD DS database (Ntds.dit) and SYSVOL
- Host the Kerberos authentication service and Key Distribution Center service to perform authentication
- Have best practices for:
  - Availability: use at least two domain controllers in a domain
  - Security: use an RODC or BitLocker Drive Encryption

Operations master roles
- In the multimaster replication model, some operations need to be single master operations
- Many terms are used for single master operations in AD DS, including:
  - Operations master (or operations master role)
  - Single master role
  - FSMO
- The five FSMOs:
  - Forest-wide: Domain naming master, Schema master
  - Domain-wide: RID master, Infrastructure master, PDC emulator master

Functional levels: domain
New functionality requires that domain controllers run a particular version of the Windows OS:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
You can't:
- Raise the functional level while domain controllers are running previous versions of Windows Server
- Add domain controllers running previous versions of Windows Server after raising the functional level

Functional levels: forest
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003

Trust relationships
Trust type | Transitive?
P/C - Parent/child | Yes
R - Tree root | Yes
E - External (domain or Kerberos realm) | No
S - Shortcut | Yes
F - Forest (complete or selective) | Yes
[Figure: trust diagram for the Contoso forest: parent/child (P/C) trusts between its domains, a tree root (R) trust, a shortcut (S) trust between two domains, external (E) trusts to an Engineering Kerberos realm and to a Windows NT 4.0 domain, and a forest (F) trust to a separate forest]

Sites
- Sites identify network locations with fast, reliable network connections
- Sites are associated with subnet objects
- Sites are used to manage:
  - Replication, when domain controllers are separated by slow, expensive links
  - Service localization:
    - A1: domain controller authentication
    - A2: services or applications aware of AD DS (that is, site-aware)
[Figure: Site A and Site B]

Active Directory Recycle Bin and restoration
- The Active Directory Recycle Bin provides a way to restore deleted objects without Active Directory downtime
- To restore objects, use:
  - Active Directory module for Windows PowerShell
  - Active Directory Administrative Center
[Figure: object lifecycle. Live object -> Delete -> Deleted object (deleted object lifetime; restorable with the Recycle Bin or an authoritative restore) -> Recycle -> Recycled object (recycled object lifetime) -> Garbage collection -> Physically deleted]

Lesson 2: Accounts and groups
- Account types
- Group types, scopes, and nesting
- Group Managed Service Accounts and virtual accounts

Lesson 2 objectives
After completing this lesson, you'll be able to:
- Describe the different types of Active Directory accounts
- Explain the different group types, group scopes, and group nesting options
- Understand gMSAs and virtual accounts

Account types: users
User accounts:
- Allow or deny permission to sign in to computers
- Grant access to processes and services
- Manage access to network resources
You can create user accounts by using:
- Active Directory Users and Computers
- The Active Directory Administrative Center
- PowerShell
- The dsadd command-line tool
Considerations for naming users include:
- Naming formats
- User principal name suffixes

Account types: computers
Computers have accounts that:
- Use a SAMAccountName and password
- Are used to create a security-enhanced channel between a computer and a domain controller

Group types
Distribution groups:
- Are used only with email applications
- Aren't security enabled (that is, they have no SIDs)
- Can't be granted permissions
Security groups:
- Are security principals with SIDs
- Can be granted permissions
- Can also be email enabled
You can convert security groups to distribution groups and vice versa

Group scopes (slide 1 of 3)
Local groups:
- Can contain:
  - Users
  - Computers
  - Global groups
  - Domain local groups
  - Universal groups
- Members must be from the:
  - Same domain
  - Domains in the same forest
  - Other trusted domains
- Can be granted permissions to resources only on the local computer

Group scopes (slide 2 of 3)
Domain local groups:
- Have the same membership possibilities but can be granted permissions to resources anywhere in the domain
Global groups:
- Can only contain:
  - Users
  - Computers
  - Other global groups from the same domain
- Can be granted permissions to resources in the domain or in any trusted domain

Group scopes (slide 3 of 3)
Universal groups:
- Can contain:
  - Users
  - Computers
  - Global groups
  - Other universal groups from the same domain
  - Other universal groups from domains in the same forest
- Can be granted permissions to any resources in the forest

Nesting
The best practice for nesting groups is IGDLA:
- Identities (users or computers), which are members of global groups
- Global groups, which collect members based on their roles and which are members of domain local groups
- Domain local groups, which provide management such as that for resource access
[Figure: the Sales and Auditors global groups are members of the ACL_Sales_Read domain local group (DL)]

Group Managed Service Accounts and virtual accounts
- Use MSAs to automate password and service principal name management for service accounts that services and applications use
- gMSAs extend the capability of standard MSAs by:
  - Enabling MSAs for use on more than one computer in the domain
  - Storing MSA authentication information on domain controllers
- To support gMSAs, your environment needs:
  - At least one Windows Server 2012 or newer domain controller
  - A Key Distribution Service root key created for the domain

Lesson 3: Organizational units and containers
- Organizational units
- Default containers
- Delegation

Lesson 3 objectives
After completing this lesson, you'll be able to:
- Describe the function of Active Directory OUs
- Explain the purpose of different default containers in Active Directory
- Understand delegation of administrative privileges through OUs

Organizational units
- Use containers to group objects within a domain:
  - You can't apply GPOs to containers
  - Containers are used for system objects and as the default location for new objects
- Create OUs to:
  - Configure objects by assigning GPOs to them
  - Delegate administrative permissions

Default containers
AD DS has several built-in containers, known as generic containers:
- Domain
- Built-in container
- Computers container
- Foreign Security Principals container
- Managed Service Accounts
- Users container
- Domain Controllers OU

Delegation
- Permissions on AD DS objects can be granted to users or groups
- Permissions models are usually object based or role based
- The Delegation of Control Wizard might simplify assigning common administrative tasks
- The OU advanced security properties allow you to grant granular permissions

Demonstration: Managing OUs and accounts
In this demonstration, you'll learn how to manage OUs by:
- Adding an OU
- Adding users and groups

Lesson 4: Group Policy
- Group Policy overview
- Group Policy management
- Group Policy processing

Lesson 4 objectives
After completing this lesson, you'll be able to:
- Describe the purpose and structure of Group Policy
- Understand common Group Policy tasks
- Explain Group Policy processing

Group Policy overview
- Group Policy is a powerful administrative tool
- You can use it to enforce various types of settings for a large number of users and computers
- Typically, you use GPOs to:
  - Apply security settings
  - Manage desktop application settings
  - Deploy software
  - Manage Folder Redirection

Group Policy management
You can use the GPMC to:
- Back up GPOs
- Restore backed-up GPOs
- Import GPO settings from a backed-up GPO
- Copy GPOs
- Manage migration tables

Demonstration: Managing GPOs
In this demonstration, you'll learn how to manage GPOs

Activity: Managing AD DS (45 min)
In this activity, you'll:
- Promote a domain controller
- Create an OU
- Add user and group accounts
- Create a GPO and link it to an OU

© 2019 Microsoft Corporation. All rights reserved.
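The four activity steps as one added PowerShell walkthrough, written for this page and not taken from the course material: it promotes a member server to an additional domain controller in the course's example domain adatum.com, creates a Sales OU, adds a user with IGDLA-style groups (identity in a global group, global group in a domain local group, only the domain local group on the resource ACL), then creates, links and backs up a GPO. The OU and group names, the user name, the share path D:\Shares\Sales, the backup folder and the GPO name are assumptions chosen for illustration; it needs the ActiveDirectory and GroupPolicy modules and Domain Admins rights.

```powershell
# Added example (not course material); assumes the domain adatum.com and Domain Admins rights.
# Step 1: promote this member server to an additional domain controller.
# Run this once on the server, reboot, then continue with the remaining steps.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host 'DSRM (Directory Services Restore Mode) password' -AsSecureString
Install-ADDSDomainController -DomainName 'adatum.com' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Credential (Get-Credential 'ADATUM\Administrator')

Import-Module ActiveDirectory, GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName            # DC=adatum,DC=com
$ouDN     = "OU=Sales,$domainDN"                         # assumed OU name

# Step 2: create the OU; the protection flag blocks an accidental delete or drag-and-drop move
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Step 3: a user plus IGDLA groups: Identity -> Global (role) -> Domain Local (resource ACL)
$pw = Read-Host 'Initial password for salesuser1' -AsSecureString
New-ADUser -Name 'Sales User 1' -SamAccountName 'salesuser1' `
    -UserPrincipalName 'salesuser1@adatum.com' -Path $ouDN `
    -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
New-ADGroup -Name 'Sales' -GroupScope Global -GroupCategory Security -Path $ouDN
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security -Path $ouDN
Add-ADGroupMember -Identity 'Sales' -Members 'salesuser1'
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'Sales'
# Only the domain local group goes on the resource ACL (assumed share path); Read and eXecute,
# inherited by subfolders (CI) and files (OI)
icacls 'D:\Shares\Sales' /grant 'ADATUM\ACL_Sales_Read:(OI)(CI)RX'

# Step 4: create a GPO, set one security setting, link it to the OU, and back it up
$gpo = New-GPO -Name 'Sales Baseline' -Comment 'Security settings for the Sales OU'
# "Turn off AutoPlay" on all drive types; this lives under a Policies key, so it is a
# true policy that is removed again when the GPO no longer applies (no tattooing)
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes
New-Item -ItemType Directory -Path 'C:\GPOBackups' -Force | Out-Null   # assumed backup folder
Backup-GPO -Name $gpo.DisplayName -Path 'C:\GPOBackups'

# Verify: the user's access should arrive only through Sales -> ACL_Sales_Read,
# and the OU should show exactly one linked GPO
Get-ADPrincipalGroupMembership -Identity 'salesuser1' | Select-Object Name, GroupScope
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
```

Step 1 only applies on the server being promoted; on an existing domain controller or an RSAT workstation start at Import-Module.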