Windows Server Admin Fundamentals - Module 3: Active Directory PDF

Summary

This document is a module on Windows Server Administration, focusing on Active Directory. It covers topics like Active Directory infrastructure, accounts, groups, organizational units, and Group Policy. It also includes a review of DNS.

Full Transcript

40554A: Windows Server Admin Fundamentals

Module 3: Active Directory
Module overview
Lesson 0: DNS Review.
Lesson 1: Active Directory
infrastructure
Lesson 2: Accounts and groups
Lesson 3: Organizational units
and containers
Lesson 4: Group Policy
Module objectives
After completing this module, you
will be able to:
Describe the Microsoft Active
Directory infrastructure
Understand the different types
of accounts and groups
Explain the function of OUs and
containers
Comprehend the function of
Group Policy
Lesson 0: DNS Review
Lesson 1 objectives
After completing this lesson, you’ll be able
to:
Understand the functionality of domains and forests
Describe the functionality of an Active Directory
domain controller
Explain the Active Directory FMSO roles
Describe the different Active Directory domain and
forest functional levels
Explain the functionality of trust relationships between
domains and forests
Understand when to use Active Directory sites
Describe the purpose of the Active Directory Recycle
Bin
URL : Uniform www.edu.gov.q
Resource Locator: a
www edu gov qa
www: This is the subdomain, commonly used for "World Wide Web." It is
often used as a standard prefix for websites.

edu: This is the second-level domain, which typically represents educational
institutions or services.

gov: This is the top-level domain (TLD), indicating that the website is
associated with a government entity.

qa: This is the country code top-level domain (ccTLD) for Qatar, indicating
that the website is associated with the country of Qatar.
How to call
someone Hamad Number:444444
Khalaf number = 55555550

Call Khalaf

Call center
Call Hamad
 r e ?
he
n do
ma
t hi s
hat
W
How the DNS Work
 What is the DNS Server
What is The Server :
A server is a
computer or
software that
provides services,
resources, or data to
other computers,
known as clients,
over a network. And
its saved a virous
type of files like
( images ,
videos ,voices and
texts).
DNS Server types:
Click the picture bellow to see the video
Lesson 1: Active
Directory
infrastructure
Lesson 1
Domains and forests
Domain controllers
Operations master roles
Functional levels
Trust relationships
Sites
Active Directory Recycle Bin
and restoration
Lesson 1 objectives
After completing this lesson, you’ll be able
to:
Understand the functionality of domains and forests
Describe the functionality of an Active Directory
domain controller
Explain the Active Directory FMSO roles
Describe the different Active Directory domain and
forest functional levels
Explain the functionality of trust relationships between
domains and forests
Understand when to use Active Directory sites
Describe the purpose of the Active Directory Recycle
Bin
Domains and forests: forests

Forest root
domain
Tree root
domain adatum.com

fabrikam.com

atl.adatum.com
Child domain
Domains and forests: domains
AD DS requires one or more domain
controllers
Each domain controller contains a copy
of the domain database, which
continually syncs
The domain is the context within user
accounts, computer accounts, and
groups are created User
The domain: s
AD DS
Is a replication boundary
Is an administrative center for configuring
and managing objects
Provides authorization Computer Group
Any domain controller can authenticate s s
any sign-in anywhere in the domain
Domain controllers
Domain controllers:
Are servers that host the AD DS database (Ntds.dit) and
SYSVOL
Host the Kerberos authentication service and Key Distribution
Center service to perform authentication
Have best practices for:
Availability:
Use at least two domain controllers in a domain
Security:
Use an RODC or BitLocker Drive Encryption
Operations master roles
In the multimaster replication model, some operations need to
be single master operations
Many terms are used for single master operations in AD DS,
including:
Operations master (or operations master role)
Single master role
FSMO
The five FSMOs
Forest: Domain:
Domain naming RID master
master Infrastructure master
Schema master PDC emulator master
Functional levels: domain
New functionality requires that domain controllers run a
particular version of the Windows OS:
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003

You can’t:
Raise the functional level while domain controllers are running previous versions of
Windows Server
Add domain controllers running previous versions of Windows Server after raising the
functional level
Functional levels: forest
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Trust relationships
Trust type Transitive?
P/C – Parent/child Yes
R – Tree root Yes
E – External (domain or Kerberos realm) No
S – Shortcut Yes
F – Forest (complete or selective) Yes

Engineering (Kerberos realm)
E
F
R

P/C P/C
P/C
Contoso
P/C
(Windows NT 4.0 domain)
S E
Separate forest
Sites
Sites identify network locations with fast, reliable network
connections
Sites are associated with subnet objects
Sites are used to manage:
Replication, when domain controllers are separated by slow, expensive
links
Service localization: A1
Domain controller authentication
A2
Services or applications aware of AD DS Site A
(that is, site-aware)
Site B
Active Directory Recycle Bin and restoration
The Active Directory Recycle Bin provides a way to restore deleted
objects without Active Directory downtime
To restore objects, use:
Active Directory module for Windows PowerShell
Active Directory Administrative Center

Delet Garbage
Recycle collection Physically
Live e Delete Recycle
d d deleted
Authoritati
ve
restore
Deleted Recycled
object object
lifetime lifetime
Lesson 2: Accounts
and groups
Lesson 2
Account types
Group types, scopes, and
nesting
Group Managed Service
Accounts and virtual accounts
Lesson 2 objectives
After completing this lesson, you’ll be able
to:
Describe the different types of Active
Directory accounts
Explain the different group types, group
scopes, and group nesting options
Understand gMSAs and virtual accounts
Account types: users
User accounts:
Allow or deny permission to sign in to computers
Grant access to processes and services
Manage access to network resources
You can create user accounts by using:
Active Directory Users and Computers
The Active Directory Administrative Center
PowerShell
The dsadd command-line tool
Considerations for naming users include:
Naming formats
User principal name suffixes
Account types: computers
Computers have accounts that:
Use a SAMAccountName and password
Are used to create a security-enhanced channel between a
computer and a domain controller
Group types
Distribution groups:
Are used only with email applications
Aren’t security enabled—that is, they have no SIDs
Can’t be granted permissions
Security groups:
Are security principals with SIDs
Can be granted permissions
Can also be email enabled
You can convert security groups to distribution groups and vice
versa
Group scopes (slide 1 of 3)
Local groups:
Can contain:
Users
Computers
Global groups
Domain local groups
Universal groups
Must be from the:
Same domain
Domains in the same forest
Other trusted domains
Can be granted permissions to resources only on the local computer
Group scopes (slide 2 of 3)
Domain local groups:
Have the same membership possibilities but can be granted permissions
to resources anywhere in the domain
Global groups:
Can only contain:
Users
Computers
Other global groups from the same domain
Can be granted permissions to resources in the domain or in any trusted
domain
Group scopes (slide 3 of 3)
Universal groups:
Can contain:
Users
Computers
Global groups
Other Universal groups from the same domain
Other Universal groups from domains in the same forest
Can be granted permissions to any resources in the forest
Nesting
The best practice for nesting
groups is IGDLA:
Identities (users, or
Sales Auditors
computers), which are (global group) (global group)
members of global groups
ACL_Sales_Read
Global groups, which collect (domain local group)
members based on their
roles and which are
members of domain local
groups
DL Domain local groups,
which provide management
such as that for resource
access
Group Managed Service Accounts and virtual accounts
Use MSAs to automate password and service principal
name management for service accounts that services and
applications use
gMSAs extend the capability of standard MSAs by:
Enabling MSAs for use on more than one computer in the domain
Storing MSA authentication information on domain controllers
To support gMSAs, your environment needs:
At least one Windows Server 2012 or newer domain controller
A Key Distribution Service root key created for the domain
Lesson 3:
Organizational units
and containers
Lesson 3
Organizational units
Default containers
Delegation
Lesson 3 objectives
After completing this lesson, you’ll be able
to:
Describe the function of Active Directory
OUs
Explain the purpose of different default
containers in Active Directory
Understand delegation of administrative
privileges through OUs
Organizational units
Use containers to group
objects within a domain:
You can’t apply GPOs to
containers
Containers are used for system
objects and as the default
location for new objects
Create OUs to:
Configure objects by assigning
GPOs to them
Delegate administrative
permissions
Default containers
AD DS has several built-in
containers, known as generic
containers:
Domain
Built-in container
Computers container
Foreign Security Principals
container
Managed Service Accounts
Users container
Domain Controllers OU
Delegation
Permissions on AD DS objects can be granted to users or
groups
Permissions models are usually object based or role based
The Delegation of Control Wizard might simplify assigning
common administrative tasks
The OU advanced security properties allow you to grant
granular permissions
Demonstration: Managing OUs and accounts
In this demonstration, you’ll learn how to manage OUs by:
Adding an OU
Adding users and groups
Lesson 4: Group Policy
Lesson 4
Group Policy overview
Group Policy management
Group Policy processing
Lesson 4 objectives
After completing this lesson, you’ll be able
to:
Describe the purpose and structure of
Group Policy
Understand common Group Policy tasks
Explain Group Policy processing
Group Policy overview
Group Policy is a powerful
administrative tool
You can use it to enforce
various types of settings for a
large number of users and
computers
Typically, you use GPOs to:
Apply security settings
Manage desktop application
settings
Deploy software
Manage Folder Redirection
Group Policy management
You can use the GPMC to:
Back up GPOs
Restore backed-up GPOs
Import GPO settings from a
backed-up GPO
Copy GPOs
Manage migration tables
Demonstration: Managing GPOs
In this demonstration, you’ll learn how to manage GPOs
Activity
Activity: Managing AD DS

In this activity, you’ll:
Promote a domain controller
Create an OU
Add user and group accounts
Create a GPO and link it to an OU

45 min
© 2019 Microsoft Corporation. All rights reserved.