9/24/2008
1
Welcome to Train Signal
Train Signal, Inc.
Coach Culbertson
Video 1
Welcome to Windows Server
2008 Active Directory
Your Host:
Coach Culbertson
MCT, MCITP, MCTS, MCSA, MCDBA, and several other random IT certifications
Welcome to Windows Server 2008 Active Directory
In this video:
• About Your Instructor and Train Signal
• Overall Scope of the Course
• What’s Covered in this Course
• The Globomantics Scenario
• What We’ll Build in this Course
About Your Instructor and Train Signal
About Benjamin “Coach” Culbertson
• MCITP: Server Administrator, MCTS: SharePoint Server 2007, MCSA, MCDBA, MCT, A+, Net+, CIW, and a few others
• 2 Year Tour of Duty as an Inner City High School Teacher in Chicago
• Launched a couple hundred careers
About Train Signal
• Casual Training Method that teaches real skills first
• Scenario-Based Training to answer the question "Why does this change my life?"
What’s Covered in this Course
What’s on the hit parade for this one, Coach? Can we dance to it?
2. What is Active Directory?
3. The First Two Domain Controllers
4. Setting Up Remote Desktop on Your Personal Vista Client
5. Creating Organizational Units, User and Computer Accounts, and Groups
6. Sharing Stuff On Servers
7. Get Your Control Freak On!
8. How to Make Your Boss Mad and then Fix it Really Fast
9. Make Your Life Easier with Computer Policies and Preferences
10. How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk
11. What’s My P@ssw0rd again?
12. Passing the Buck
13. Creating Backup Solutions BEFORE Stuff Blows Up
14. Reducing Single Points of Failure
15. Monitoring, Auditing, and Defragging
16. Creating the Chicago Location
17. How To Give People Access to Stuff That’s 790 Miles Away
18. Creating The Dallas Branch Office
19. Bringing an OU and Users Back from the Dead
20. What Do You Do When A Domain Controller Blows Up?
21. Get Your Old Domain Controllers Up To Date
22. Connecting the Continents
23. Certification: It’s Really Not That Scary
24. DNS Stuff
25. Active Directory Certificate Services 101
26. Active Directory Lightweight Directory Services 101
27. Active Directory Rights Management 101
The Globomantics Scenario
Here’s the story about a man named Hank…
You are the newly hired Systems Administrator for a new startup company called Globomantics, a stock brokerage. Hank Richards, our Founder and CEO, is a rough and tumble Texan who isn’t the most tech savvy individual, but knows the value of having good people who know the ropes when it comes to computers.
You’ll have the rare opportunity to build out the corporate network, specifically Active Directory, for Globomantics, including:
– The Main Office in New York
– The Chicago Office
– The Dallas Branch Office
– And melding networks with a small company in Tokyo, Verde Petra, which Hank will buy out.
What We’ll Build in this Course
We’ll start with this… and end up with this! Yeah, it’s a lot, but we’ll take it a step at a time!
So How About It?
Are You Ready?
C’mon, Let’s Go!
Video 2
What is Active Directory?
And Why You Need To Care
What is Active Directory?
In this video:
• What is Active Directory and Why Should I Care?
• What is a Domain Controller?
• What is a Domain?
• What is a Server Role?
• What is DNS?
What is Active Directory and Why Should I Care?
Okay, time for the secret
• Active Directory is the Brain of a Windows Server Network.
• It’s a database that keeps track of a huge amount of stuff and gives us a centralized way to manage all our network machines, users, and resources.
[Diagram: Users and Groups, Services (i.e. Email, etc.), and Resources (Printers, Shared Folders, etc.). We say that these items are Objects in the Active Directory Database.]
What is Active Directory and Why Should I Care?
As a matter of fact….
Every time you log in to a corporate network, you’re using Active Directory.
[Diagram: the client asks the Domain Controller for access. Domain Controller: “Hold up, let me check the Active Directory Database to see if you get access!” … “Ok, I see your User Account, it’s valid, and it has these permissions. Here ya go!”]
What is a Domain Controller?
Big Boss Machine comin’ at ya!
• A Domain Controller is a Windows Server Machine that runs Active Directory Domain Services.
• Think of it as the Boss of your network.
• You may have multiple Domain Controllers that all have copies of the same Active Directory database.
[Diagram: three Domain Controllers, each holding its own copy of the Active Directory Database.]
What is a Domain?
Big word: “Namespace”
• A Windows Server domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database.
• The machines are all named with part of a Domain name like globomantics.com (also called a “suffix”) and are registered in the Active Directory Database so they can be managed.
[Diagram: the globomantics.com namespace, with clients CL1.globomantics.com and CL2.globomantics.com and the Domain Controller NY-DC1.globomantics.com.]
What is a Domain?
You’ll often see Domains represented like this:
[Diagram: globomantics.com (Forest Root) with the child domain na.globomantics.com beneath it.]
A Forest is comprised of ALL the Domains in your Enterprise. Your Forest may only have one domain!
What is a Domain?
Don’t forget about users!
• Users are also part of the “namespace.”
• Example: Your email address is part of a domain namespace:
– hrichardson@globomantics.com
Note: Email-like logins are also called “User Principal Names” when used to log into a Server 2008 network.
What is a Server Role?
Everybody needs a job, even servers!
• Servers need jobs, too.
• A Server Role is a major job that a Server can perform.
• It’s recommended that a Server not have too many Roles.
A Domain Controller usually has only two Roles:
• Active Directory Domain Services
• DNS
What is DNS?
Domain Name Services are your friend
• DNS is a service provided by a Server that allows you to find other computers in your network.
• DNS allows you to type in a friendly name of a machine instead of its IP Address, allowing your client to get the IP address from the DNS server and go find the resource.
• Without DNS, Active Directory will not work. Period.
• In Server 2008, it’s recommended that you integrate DNS with Active Directory to make your IT life easier.
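Here is a concrete way to see what “without DNS, Active Directory will not work” means in practice. The script below is an added example, not part of the Train Signal course: it looks up the DC locator (SRV) record that every domain-joined machine queries to find a domain controller, then checks that each advertised DC also resolves to an address. It assumes nslookup.exe (shipped with Windows) and that the DNS server this machine points at hosts the zone; the domain name is the course’s, everything else is constructed for the example.

```powershell
# Added example, not from the Train Signal course. Checks that DNS can locate
# domain controllers for a domain. The DC locator SRV record is what every
# domain-joined machine looks up before it can log on or replicate, so if it is
# missing, Active Directory does not work in exactly the way the slide warns.
# Assumes nslookup.exe (part of Windows) and that the DNS server this machine
# uses hosts the zone. The domain name is the course's; nothing else is.
param(
    [string]$Domain = "globomantics.com"
)

function Get-DcLocatorHosts {
    param([string]$Domain)
    # SRV record that names the domain controllers for the domain.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    # nslookup prints one "svr hostname = <fqdn>" line per advertised DC.
    $output = & nslookup.exe -type=SRV $srvName 2>&1
    $dcHosts = @()
    foreach ($line in $output) {
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') {
            $dcHosts += $Matches[1]
        }
    }
    return $dcHosts
}

function Resolve-HostAddresses {
    param([string]$HostName)
    # Each advertised DC also needs an A (host) record; resolve it through
    # .NET, which uses the same resolver settings the operating system does.
    try {
        return @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        return @()
    }
}

$dcs = @(Get-DcLocatorHosts -Domain $Domain)
if ($dcs.Count -eq 0) {
    Write-Host "No DC locator (SRV) record found for $Domain."
    Write-Host "Clients cannot find a domain controller; fix DNS (or this machine's DNS server setting) before going further."
    exit 1
}

Write-Host "Domain controllers advertised in DNS for ${Domain}:"
$problems = 0
foreach ($dc in $dcs) {
    $addresses = @(Resolve-HostAddresses -HostName $dc)
    if ($addresses.Count -eq 0) {
        Write-Host "  $dc  (advertised, but has no host record: clients will fail when they try to reach it)"
        $problems++
    } else {
        Write-Host ("  {0}  -> {1}" -f $dc, ($addresses -join ", "))
    }
}
exit $problems
```

Run it from a client whose DNS server setting points at the AD-integrated DNS server; a non-zero exit code means a logon or replication problem is waiting to happen, and the first thing to check is whether the client is pointed at the right DNS server at all.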
What We Covered
After watching this video, you should be able to:
• Define briefly what Active Directory is
• Describe the three primary types of Objects that Active Directory provides
• Describe what happens when you log in to an Active Directory network
• Define what a Domain Controller is
• Describe a Forest
• Describe a Domain
• Define briefly what a Server Role is
Video 3
The First Two Domain Controllers: Installing Server 2008 and Active Directory
The First Two Domain Controllers
In this video:
• Building the Brain of the Globomantics Network
• Quick Server 2008 Requirements and Editions Check
• The Bare Metal Installation Process
• The Initial Configuration Task List
• Installation of Active Directory Domain Services
• Setting up a Second Domain Controller
• Can We Talk? Replication Testing
Building the Brain of the Globomantics Network
This is how we begin
Your mission should you choose to accept it: build 2 Domain Controllers to start the Globomantics network at the New York headquarters. Here’s your hardware and what we’re going to build.
[Diagram: both machines plugged into a Network Switch with an Internet T-1 connection.]
Computer Name: NY-DC1-2K8, IP: 192.168.5.2, 3GHz 64-bit CPU, 4GB RAM, 2 – 120GB HDD’s, Gigabit NIC. This Domain Controller will create the Domain globomantics.com.
Computer Name: NY-DC2-2K8, IP: 192.168.5.3, 3GHz 64-bit CPU, 4GB RAM, 2 – 120GB HDD’s, Gigabit NIC. This Domain Controller will join the Domain globomantics.com.
We’re setting up two almost identical DC’s for fault tolerance and better performance. If one crashes, we have another!
Building the Brain of the Globomantics Network
Once we set up these two DC’s, we’ll have this:
[Diagram: New York Site containing NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain, because it’s the very first domain.]
The Big Picture
[Diagram: globomantics.com (New York Site), na.globomantics.com (Chicago Site), asia.globomantics.com (Tokyo Site).]
Quick Server 2008 Editions and Requirements Check
BFO: Blinding Flash of the Obvious
Hardware Requirements:
http://www.microsoft.com/windowsserver2008/en/us/system-requirements.aspx
Processor: Minimum 1 GHz (x86 processor) or 1.4 GHz (x64 processor); Recommended 2 GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems.
Memory: Minimum 512 MB RAM just to install; Recommended 2 GB RAM or greater. Coach Says: As much as you can get!
Available Disk Space: Minimum 10 GB; Recommended 40 GB or greater. Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files.
Other BFO Stuff: DVD-ROM drive; Super VGA (800 × 600) or higher resolution monitor; Keyboard and Microsoft Mouse or compatible pointing device; NIC.
Quick Server 2008 Editions and Requirements Check
Which Edition of Server 2K8 should we use for our first two DC’s?
http://www.microsoft.com/windowsserver2008/en/us/editions.aspx
• Standard: Does almost everything. Price: $999 w/5 CAL’s. Max. RAM: 4 GB (32-bit), 32 GB (64-bit). When to use: Small to medium environments, File and Print Servers, less intensive applications.
• Enterprise: Does it all. Price: $3999 w/25 CAL’s. Max. RAM: 64 GB (32-bit), 2 TB (64-bit). When to use: Large environments, clustering.
• Datacenter: All that and a bag of chips. Price: $2999 PER PROCESSOR. Max. RAM: 64 GB (32-bit), 2 TB (64-bit). When to use: For massive environments; includes unlimited virtualization licenses!
• Web Server: Just a Web Server (IIS 7.0). Price: $469. Max. RAM: 4 GB (32-bit), 32 GB (64-bit). When to use: You don’t need me to explain this. Really, you don’t.
• Itanium: For high-end web/application servers. Price: $2,999. Max. RAM: N/A (32-bit), 2 TB (64-bit). When to use: When you need to run super powered databases or high end applications. Only has Application Server Role.
Quick Server 2008 Editions and Requirements Check
And the winner for Globomantics’ Edition for the first 2 DC’s is...
Enterprise Edition 64-bit!
• We select Enterprise 64-bit for its ability to handle up to 2TB of Memory and its complete set of features for future growth (and we have the $$$).
• Each of the machines we will be setting up as DC’s has:
– 4GB of RAM
– 2 120GB hard drives installed
– A 3GHz 64-bit Quad-Core Intel processor
– Gigabit network cards
This will easily handle the Enterprise edition (at least at first).
The Bare Metal Installation Process
What do we mean by “bare metal?”
• Two types of Server 2008 installations:
– Bare Metal – No existing Operating System on the HDD
– Upgrade – Installing over Server 2003 that is already installed on the HDD.
• Bare Metal is the simplest installation possible (and is recommended by Microsoft as the preferred method): pop in the DVD and boot up!
• For Globomantics, we’ll be doing two bare metal installations of Server 2008 64-bit Enterprise edition. We’ll start by installing 2K8 on the first machine. Our hardware is set up and plugged in to the power and the network switch, so let’s go!
The Initial Configuration Task List
Back to the basics
The Initial Configuration Tasks list is sheer hedonistic convenience. It groups together all the common tasks that you have to set up in one convenient place.
We will need to:
– Configure Time Zone info
– Configure the network settings for 192.168.5.2 and an initial DNS server.
– Rename the computer to NY-DC1-2K8 and reboot
– Configure Automatic Updates and Feedback
– Configure Remote Desktop (Optional)
– Turn off the ICT from coming back because it’s annoying after set-up.
Installation of Active Directory Domain Services
Now we’re ready to set this machine up as a DC
• Setting up a Domain Controller has two basic parts:
1. Installing the AD DS Role.
2. Running DCPromo.exe.
• Installing the AD DS Role is done from Server Manager using Add Roles.
• Dcpromo can be run from the link provided in Server Manager after AD DS installation or from the Search box.
Building the Brain of the Globomantics Network
Passwords
[Diagram: NY-DC1-2K8 (IP: 192.168.5.2) in globomantics.com, the Forest Root Domain, New York Site.]
The first password you create is the Local Administrator password, only for this one Server!
When you create a domain on your first Server, the Local Administrator Password becomes the Domain Administrator Password for all the machines in your domain!
It’s a good idea to change the name of your Domain Administrator account and its password for security.
Building the Brain of the Globomantics Network
So we now have a functional DC and Domain!
[Diagram: New York Site with NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain.]
Setting Up Our Second Domain Controller
Everything we’ve just done again, only faster this time
• We now need to set up our second DC, so here we go again:
1. Install Server 2K8 “Bare Metal.”
2. Configure the basic stuff using the ICT.
3. Install the AD DS Role binaries.
4. Run DCPromo.
• When we run DCPromo this time, we will be adding a Domain Controller to the domain we just created, globomantics.com.
[Diagram: the same two-machine hardware layout as before. NY-DC1-2K8 (IP: 192.168.5.2) creates the Domain globomantics.com; NY-DC2-2K8 (IP: 192.168.5.3) joins it; both on the Network Switch with the Internet T-1 connection.]
Replication: Can we talk?
Our new DC’s need to be friends
• DC’s need to be able to talk and keep duplicate records in their respective databases. When something changes in the domain, those changes have to be communicated and recorded.
[Diagram: NY-DC1-2K8 and NY-DC2-2K8 on the Network Switch. NY-DC1-2K8: “Hey, the admin just added three OU’s, four user accounts, and renamed one of the old user accounts.” NY-DC2-2K8: “Got it, I’ll record those changes in my copy of the Active Directory database. Here’s the changes I’ve received.” NY-DC1-2K8: “Great, I’ll record your changes, too.”]
Replication: Can we talk?
Our new DC’s need to be friends. Best Friends Forever!
The easiest way to check replication:
1. Create a new Organizational Unit in Active Directory Users and Computers on either DC.
2. Go to the command line and type repadmin /syncall.
3. Check the other DC’s Active Directory Users and Computers to see if the Organizational Unit shows up there as well. If it does, your DC’s are now BFF’s.
You might need to hit F5 to Refresh the screen to see the new items in the Server Manager.
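The three-step check above can be scripted so it can be repeated after every change to the DC layout. The script below is an added example and not part of the course: it creates a test OU on one DC, forces replication with repadmin /syncall as the slide does, asks the other DC’s copy of the database whether the OU arrived, and removes the test object afterwards. It assumes dsadd.exe, dsquery.exe, dsrm.exe and repadmin.exe (all present on a Server 2008 domain controller) and a domain admin session; the server names and domain are the course’s, the OU name and the timeout are made up.

```powershell
# Added example, not from the course. Automates the slide's replication test:
# create a test OU on one DC, force a sync with repadmin /syncall, then ask the
# other DC's copy of the database whether the OU arrived, and clean up.
# Assumes dsadd.exe, dsquery.exe, dsrm.exe and repadmin.exe (present on a
# Server 2008 domain controller) and a domain admin session.
# Server names and the domain are the course's; the OU name is made up.
param(
    [string]$SourceDc = "NY-DC1-2K8",
    [string]$TargetDc = "NY-DC2-2K8",
    [string]$DomainDn = "dc=globomantics,dc=com",
    [string]$TestOu   = "ReplicationTest",
    [int]$TimeoutSec  = 60
)

$ouDn = "ou=$TestOu,$DomainDn"

function Test-OuOnServer {
    param([string]$Server, [string]$Dn)
    # "-s <server>" makes dsquery read that DC's database rather than whichever
    # DC the session happens to be bound to; "-scope base" checks only this DN.
    & dsquery.exe ou $Dn -scope base -s $Server 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Wait-ForOu {
    param([string]$Server, [string]$Dn, [int]$TimeoutSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (Test-OuOnServer -Server $Server -Dn $Dn) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

# 1. Create the test OU on the source DC only.
& dsadd.exe ou $ouDn -s $SourceDc | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not create $ouDn on $SourceDc" }

# 2. Push the change from the source DC to all its partners for every
#    naming context (/A) instead of waiting for the replication schedule.
& repadmin.exe /syncall $SourceDc /A /P | Out-Null

# 3. See whether the target DC has it.
$ok = Wait-ForOu -Server $TargetDc -Dn $ouDn -TimeoutSec $TimeoutSec
if ($ok) {
    Write-Host "Replication OK: $ouDn created on $SourceDc is visible on $TargetDc."
} else {
    Write-Host "Replication FAILED: $ouDn not seen on $TargetDc within $TimeoutSec seconds."
    # Per-DC summary of replication failures, to see which link is broken.
    & repadmin.exe /replsummary
}

# 4. Remove the test object so it does not linger in the directory.
& dsrm.exe $ouDn -noprompt -s $SourceDc | Out-Null
& repadmin.exe /syncall $SourceDc /A /P | Out-Null
```

The point of querying the target DC explicitly with -s is that Active Directory Users and Computers, like any LDAP client, silently connects to whichever DC it finds first, so a check that does not name the server can show you the same copy of the database you just wrote to.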
Building the Brain of the Globomantics Network
So we now have the brain of the network done
[Diagram: New York Site with NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain, because it’s the very first domain.]
Terms You Should Know
• Bare Metal Installation—Installing an OS on a clean hard drive.
• Upgrade Installation—Installing Server 2008 on a machine already running Server 2003.
• Initial Configuration Task List—Convenient list of common tasks to set up Server 2008.
• DCPromo.exe—The wizard that sets up Active Directory and promotes a machine to Domain Controller status.
• NTDS.dit—The database file for Active Directory.
• Sysvol—The shared folder that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.
• Replication—The process of exchanging and recording changes in Active Directory between Domain Controllers.
What We Covered
After viewing this video, you should be able to:
• Evaluate hardware to determine whether or not it will support Server 2008.
• Describe basic differences between versions of Server 2008.
• Describe what a Bare Metal Installation is.
• Perform a Bare Metal Installation of Server 2008.
• Use the Initial Configuration Task List to:
– Configure Time and Date
– Rename a Machine
– Configure a Static IP Address and DNS for Networking
– Configure Automatic Updates and Feedback
• Install the Active Directory Domain Services Role.
• Run the DCPromo Wizard to promote a server to Domain Controller Status for both a first and second domain controller.
• Verify if two Domain Controllers are replicating.
• Force two Domain Controllers to replicate using repadmin /syncall.
Now that our first two DC’s are up, in the next video we’ll start adding User Accounts for Globomantics, organizing them according to departments, and more!
Video 4
Setting Up Remote Desktop on Your Personal Vista Client
Because you don’t want to have to go into the Server Room every time you need to do something
Setting up Remote Desktop on Your Vista Client
In this video:
• The DC’s Are Up And Running...Now What?
• Why Remote Desktop Is Just Great
The DC’s Are Up And Running...Now What?
Time to set up our Vista Client so we can access the servers remotely
• You have a Vista machine that you’ll be using for everyday tasks, and you can use Remote Desktop to administer Servers without having to be right at the machine.
• Because we selected the more secure option when we set up Remote Desktop on the Servers, we have to join the Vista client machine to the Globomantics Domain in order to access DC1 and DC2 from the client machine.
Your mission: Add the Client
In order to make all this work...
• You first need to rename the client machine to fit the Globomantics naming convention.
• The name of the machine needs to become CL1-NY-VIS, and then the machine is rebooted.
• Then you’ll join the client to the Globomantics Domain.
Why Remote Desktop Is Just Great
Why get out of your comfy office chair to go do Server stuff when you can do it from your desk?
• Once we have Remote Desktop set up, you can access your Servers just like you’re at the machine.
• Create Remote Desktop Shortcuts and the process is even easier.
• You’re going to create 2 Remote Desktop shortcuts on the Desktop so you can get to DC1 and DC2 easily.
So now that you’ve added your client to the domain
This is what our network looks like:
[Diagram: New York Site with NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain, plus the client CL1-NY-VIS with a DHCP Address.]
What We Covered
After viewing this video, you should be able to:
• Join a Vista Client to a Domain
• Create Remote Desktop Shortcuts
• Log in to a Server using Remote Desktop
Video 5
Creating Organizational Units, User and Computer Accounts, and Groups
Creating the Globomantics Active Directory Structure
In this video:
• The DC’s Are Up and Running...Now What? – Part 2
• What’s an OU Again?
• How About Some Users!
• Creating a Whole Bunch of Users at Once
• Give Me Some Computer Accounts!
• The Difference Between OU’s and Groups
The DC’s Are Up And Running...Now What? – Part 2
Now that we can access DC1 remotely, we populate!
• “Populate” is a fancy word that means “put stuff into a space,” i.e. add in Objects to our Active Directory.
• We have the “Brain” of the Globomantics network, but it’s not particularly usable yet. We need to add in Organizational Units, User Accounts, Computer Accounts, and Groups.
• We’ll be accessing DC1 via Remote Desktop to add in all of our objects, and let replication add them to DC2.
The DC’s Are Up And Running...Now What?
The Beginning Globomantics AD Structure: here’s what we’re going to build
[Diagram: 2 Computer Accounts (the other 23 are on back order), 4 Groups for Users, 2 Groups for Computers. The Domain Administrator Account is already created.]
And they all live together in one big shoe—I mean Domain
[Diagram: the same objects inside globomantics.com, the Forest Root Domain. Everything lives in the Active Directory Database on our Domain Controllers NY-DC1-2K8 and NY-DC2-2K8.]
What’s an OU Again?
Big Words, Simple Meaning
• An Organizational Unit is a container (read: folder) that holds AD Objects like User Accounts, Computer Accounts, and Groups.
• OU’s help to keep your Objects organized, but also are used to control what your Users can and can’t do (among other things).
• You can also pass the buck by delegating control over OU’s.
[Diagram: an OU containing a User Group, a Computer Group, a User Account, and a Computer Account.]
What’s an OU Again?
Two ways to create OU’s
• The easiest way to create an OU is to use Active Directory Users and Computers.
– Right-click on the Domain icon, Select New, and then Organizational Unit.
• You can also create an OU using the command line with this command:
dsadd ou "ou=NameOfOU, dc=YourDomain, dc=YourSuffix"
Ex: dsadd ou "ou=SalesUsers, dc=globomantics, dc=com"
(The quoted value is called the Distinguished Name.)
• Even better, write a batch script in Notepad:
1. Open up Notepad
2. Type: dsadd ou "ou=%1, dc=YourDomain, dc=YourSuffix" replacing the Domain and Suffix with your domain’s.
3. Save the file as addou.bat somewhere convenient.
4. Open up a Command Line box, navigate to the directory where you saved it, and type addou WhateverNameYouWant
What’s an OU Again?
Keep It Simple, Sysadmin!
• Keep your OU’s for Users and OU’s for Computers Separate!
• You can create OU’s:
– Geographically
– By Function (Departments, etc.)
– and a billion other ways!
– But remember to KISS as much as you’re able to!
We’ll start off building a few OU’s so our User and Computer Accounts will have a place to live.
[Diagram: a parent OU with two ChildOU’s beneath it.]
How About Some Users!
Well, you do want people to log in and use your network, right?
User Accounts allow users to access network resources.
[Diagram: Stock Broker Billy logs in with his User Name and Password: “Time to make some money! Give me access to stuff!” The request to log on is sent to NY-DC2-2K8: “Hold up there, Billy, let me see if you have an account in Active Directory!” It finds Stock Broker Billy’s User Account: “Yep, I found it, and it’s all good. I’m giving you access to your stuff now.” Access granted.]
How About Some Users!
Here’s the users we’re going to add
Hank Richardson, the CEO of Globomantics, has just sent you an Excel Sheet of 25 names of new employees that will be needing User Accounts. Here they are:
Hank Richardson
Melanie Halal
Joshua Hartson
Bill Altman
Steve Singer
Frieda Smith
William Switzer
Michael Barber
George Gibbs
Jennifer Owens
Bradley Stewart
Caroline Tooley
Paula Turk
Christina Winger
Michael Huntt
Lance Binga
Bill Mosher
Carol Reagan
Shirley Thomas
Jerry Watts
Alana Childs
Erin Rose
Todd Booth
Chika Briscoll
Rivena Martin
Kim Neff
• Are you serious? Are we going to right click for these 25 users?
How About Some Users!
Introducing....DSADD!
• Dsadd is a command-line tool that will allow you to create users with the keyboard.
• Here’s the basic command:
dsadd user "cn=UserName, ou=OUName, dc=YourDomain, dc=YourSuffix"
• Here’s what it would look like in real life:
dsadd user "cn=hrichardson, ou=NYUsers, ou=NewYorkOU, dc=globomantics, dc=com"
(The quoted value is called the Distinguished Name.)
• Then we add some switches for First Name, Last Name, Password, and Must Change Password when the user first logs in:
dsadd user "cn=hrichardson, ou=NYUsers, ou=NewYorkOU, dc=globomantics, dc=com" -fn Hank -ln Richardson -pwd P@ssw0rd -mustchpwd yes
How About Some Users!
Let’s Do It Fast And Easy!
Open Up Notepad and Type:
dsadd user "cn=%1, ou=OUName, dc=YourDomain, dc=YourSuffix" -fn %2 -ln %3 -pwd P@ssw0rd -mustchpwd yes
– Save it as addOUName.bat in a convenient place.
– Open up a command line, navigate to the directory where the script lives, and type:
addOUName tmiller Tonia Miller
(tmiller replaces %1, Tonia replaces %2, and Miller replaces %3.)
Creating a Whole Bunch of Users At Once
Dude, there must be a faster way
• You can create a Batch Script for mass population using Excel.
• It’s even included with this course! Man, that Coach is a great guy!
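The following script is an added example, not the course’s Excel-generated batch file, and it covers both the OU batch script from “Two ways to create OU’s” and the dsadd user / mass population steps above. It uses the same dsadd tool as the slides and the same -mustchpwd yes switch, but the initial password is supplied at run time instead of being typed into a .bat file that stays on disk, DN values are escaped, and the parent OUs in the path are created on demand. It assumes dsadd.exe and dsquery.exe, a domain admin session, and a CSV in the column layout shown (those column names are made up here; Hank’s spreadsheet would be saved in that shape). The domain and OU names are the course’s.

```powershell
# Added example, not the course's Excel-generated batch file. Creates the OUs
# and user accounts from a CSV with the same dsadd tool as the slides, but:
# the initial password is not written into a script file, every account gets
# -mustchpwd yes, DN values are escaped, and parent OUs are created on demand.
# Assumes dsadd.exe and dsquery.exe, a domain admin session, and the CSV
# columns below (column names are made up here). Domain and OU names are
# the course's.
param(
    [string]$CsvPath = "",
    [string]$DomainDn = "dc=globomantics,dc=com",
    [Parameter(Mandatory = $true)][string]$InitialPassword
)

# Constructed sample input, used when no CSV path is given.
$sampleCsv = @"
SamAccountName,FirstName,LastName,OuPath
hrichardson,Hank,Richardson,"ou=NYUsers,ou=NewYorkOU"
mhalal,Melanie,Halal,"ou=NYUsers,ou=NewYorkOU"
"@

function ConvertTo-DnsDomain {
    param([string]$Dn)
    # "dc=globomantics,dc=com" -> "globomantics.com" for the UPN suffix.
    return (($Dn -split ',') | ForEach-Object { ($_ -split '=')[1].Trim() }) -join '.'
}

function Escape-DnValue {
    param([string]$Value)
    # Characters with special meaning inside a DN component (RFC 4514).
    return ($Value -replace '([,\\#+<>;"=])', '\$1')
}

function Ensure-OuPath {
    param([string]$OuPath, [string]$DomainDn)
    # "ou=NYUsers,ou=NewYorkOU": create NewYorkOU first, then NYUsers under it.
    $parts = $OuPath -split ','
    $parent = $DomainDn
    for ($i = $parts.Length - 1; $i -ge 0; $i--) {
        $dn = "$($parts[$i].Trim()),$parent"
        & dsquery.exe ou $dn -scope base 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) {
            & dsadd.exe ou $dn | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Could not create $dn" }
        }
        $parent = $dn
    }
    return $parent
}

function New-DsUser {
    param($Row, [string]$OuDn, [string]$UpnSuffix, [string]$Password)
    $dn = "cn=$(Escape-DnValue $Row.SamAccountName),$OuDn"
    $dsArgs = @(
        'user', $dn,
        '-samid', $Row.SamAccountName,
        '-upn', "$($Row.SamAccountName)@$UpnSuffix",
        '-fn', $Row.FirstName, '-ln', $Row.LastName,
        '-display', "$($Row.FirstName) $($Row.LastName)",
        '-pwd', $Password,
        '-mustchpwd', 'yes'      # forces a new password at first logon
    )
    & dsadd.exe @dsArgs | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$rows = if ($CsvPath -ne "" -and (Test-Path $CsvPath)) { Import-Csv -Path $CsvPath } else { $sampleCsv | ConvertFrom-Csv }
$rows = @($rows)
$upnSuffix = ConvertTo-DnsDomain -Dn $DomainDn
$ouCache = @{}
$failed = @()

foreach ($row in $rows) {
    if (-not $ouCache.ContainsKey($row.OuPath)) {
        $ouCache[$row.OuPath] = Ensure-OuPath -OuPath $row.OuPath -DomainDn $DomainDn
    }
    if (-not (New-DsUser -Row $row -OuDn $ouCache[$row.OuPath] -UpnSuffix $upnSuffix -Password $InitialPassword)) {
        $failed += $row.SamAccountName
    }
}

Write-Host ("Created {0} of {1} accounts." -f ($rows.Count - $failed.Count), $rows.Count)
if ($failed.Count -gt 0) { Write-Host ("Failed: " + ($failed -join ', ')) }
```

Usage: .\New-GlobomanticsUsers.ps1 -CsvPath .\newusers.csv, after which the script prompts for the initial password. Note that dsadd still receives the password as a command-line argument, so it is visible to anyone who can list running processes on the DC while the command runs; that is also true of the slide’s batch file, which additionally leaves the password in a file. The -mustchpwd yes switch is what limits the exposure window to the first logon.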
Who Let The Computers In Here?
Keeping track of your computers is a really really good idea (and you don’t really have a choice)
• Computer Accounts allow AD to keep track of and control the computers in your network. A computer without an Account in AD can’t access the network—it’s a security thing.
• Computer Accounts live in OU’s, which will allow you to install software to all machines in an OU at once! (among other things)
• When you join a computer to a Domain (you’ll need Domain Administrator level credentials), a Computer Account is automatically created in AD.
• After Joining the Domain, you’ll have to move your Computer Accounts to the appropriate OU.
• You can create accounts manually, but it’s not a very good idea.
Who let the Computers In Here?
So....
You have exactly two Vista machines (since all the rest are on backorder) to use to test out your Active Directory. The first one is already joined (CL1-NY-VIS), since it’s the one that you’ll be using as your day-to-day machine to access the Servers remotely.
Join your other machine to the Domain and then move both Computer Accounts to the NYComputers OU. You’ll be using the second machine to test the rest of our network functionality as you proceed.
The Difference between OU’s and Groups
Hey! Aren’t our Accounts Already in OU’s? Aren’t they grouped?
No.
Here’s the difference:
– OU’s keep your objects organized and are used to control what users and computers can and can’t do.
– Groups are Active Directory Objects that allow you to provide and deny access to resources like printers and folders en masse.
– Groups live in OU’s.
The Difference between OU’s and Groups
OU’s can be used to control what a User Can Do
[Diagram: Yes, all these users can: save docs to their desktops; lock or hide the Taskbar. No, these users may not: change the Desktop Wallpaper; install Software.]
Groups control what a User Has Access To
[Diagram: SalesUsersGroup shown against the Shared Sales Folder and Sales Printer on one side and the Shared Ops Folder and Ops Printer on the other.]
The Difference between OU’s and Groups
How to Create Groups
• Create Groups either from Active Directory Users and Computers (again the whole Right-Click in an OU thing) or from the command line:
– dsadd group "cn=GroupName, ou=OUName, dc=YourDomain, dc=YourSuffix"
– Make it easy: add in a %1 for GroupName, add in a %2 for OUName, save it as a batch script. You know the drill.
• Join Users to Groups in Active Directory Users and Computers by Control-Clicking on a bunch of Users, right-clicking on any one of the selected, and selecting Add to Group.
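The script below is an added example, not from the course: it builds the Globomantics group structure from the slide with dsadd group, adds members from the command line with dsmod group -addmbr instead of right-clicking, and then reads each group’s membership back with dsget so what was granted can be verified. It assumes dsadd.exe, dsmod.exe, dsget.exe and dsquery.exe and a domain admin session. The group names, the NYUsers and NYComputers OUs and the two Vista clients are the course’s; the OU path used for computers and the member lists are constructed for the example (the course takes the real mapping from Hank’s spreadsheet), and the computer accounts must already have been moved into NYComputers as the earlier slide instructs.

```powershell
# Added example, not from the course. Builds the Globomantics group structure
# from the slide and adds members with the ds* command-line tools, then reads
# the membership back so you can verify what was granted.
# Assumes dsadd.exe, dsmod.exe, dsget.exe and dsquery.exe and a domain admin
# session. Group and OU names are the course's; the OU path for computers and
# the member lists are constructed for this example.
param([string]$DomainDn = "dc=globomantics,dc=com")

$usersOu     = "ou=NYUsers,ou=NewYorkOU,$DomainDn"
$computersOu = "ou=NYComputers,ou=NewYorkOU,$DomainDn"   # assumed location

# Group -> OU it lives in (from the slide's table).
$groupPlan = @{
    'SalesUsers'        = $usersOu
    'SalesManagers'     = $usersOu
    'OpsUsers'          = $usersOu
    'OpsManagers'       = $usersOu
    'StandardComputers' = $computersOu
    'ITComputers'       = $computersOu
}

# Group -> member DNs. Constructed: hrichardson is the only user the slides
# name; the two Vista clients and their groups are from the slide.
$membership = @{
    'SalesUsers'        = @("cn=hrichardson,$usersOu")
    'ITComputers'       = @("cn=CL1-NY-VIS,$computersOu")
    'StandardComputers' = @("cn=CL2-NY-VIS,$computersOu")
}

function New-DsGroup {
    param([string]$Name, [string]$OuDn)
    $dn = "cn=$Name,$OuDn"
    & dsquery.exe group $dn -scope base 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) { return $dn }    # already exists; safe to re-run
    # -secgrp yes: a security group, so it can be used in folder and printer
    # permissions. -scope g: global, the usual scope for grouping accounts.
    & dsadd.exe group $dn -secgrp yes -scope g -samid $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsadd group failed for $dn" }
    return $dn
}

function Add-DsGroupMembers {
    param([string]$GroupDn, [string[]]$MemberDns)
    # dsmod group -addmbr accepts several member DNs in one call.
    & dsmod.exe group $GroupDn -addmbr @MemberDns | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-DsGroupMembers {
    param([string]$GroupDn)
    # dsget prints one quoted DN per line.
    return @(& dsget.exe group $GroupDn -members 2>$null | ForEach-Object { $_.Trim('"') })
}

foreach ($name in $groupPlan.Keys) {
    $groupDn = New-DsGroup -Name $name -OuDn $groupPlan[$name]
    if ($membership.ContainsKey($name)) {
        if (-not (Add-DsGroupMembers -GroupDn $groupDn -MemberDns $membership[$name])) {
            Write-Host "Could not add members to $name (do the member accounts exist in that OU yet?)"
        }
    }
    Write-Host "${name}:"
    foreach ($member in (Get-DsGroupMembers -GroupDn $groupDn)) { Write-Host "    $member" }
}
```

The membership read-back at the end is the part worth keeping around: since groups are what actually grant access to the shared folders and printers built in the next video, listing each group’s members after every change is the quickest way to catch an account that ended up with more access than intended.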
The Difference between OU’s and Groups
Globomantics Group Structure
• Your user accounts are created and living happily in their OU’s. Now, you need to create Groups to prepare for providing access to different resources.
• You’ll add 4 Groups for Users in the NYUsers OU and 2 Groups for Computers in the NYComputers OU.
User Groups: SalesUsers, SalesManagers, OpsUsers, OpsManagers
Computer Groups: StandardComputers, ITComputers
Globomantics Group Structure
And then..
• Based on the original Excel sheet Hank sent you, you’ll add the appropriate users to the appropriate groups.
• Also, you’ll add your Vista machine, CL1-NY-VIS, to the ITComputers Group, and CL2-NY-VIS to the StandardComputers Group for testing.
Terms You Should Know
Here’s some IT vocabulary you need to know:
• User Account—An Active Directory Object that allows Users to access network resources.
• Computer Account—An Active Directory Object that allows AD to have a security relationship with a computer, and allows you to control what that computer does on the network.
• Organizational Unit—An Active Directory Object that provides a place for User Accounts, Computer Accounts, and Groups to live. Also provides control over what those computers and users can and can’t do.
• Group—An Active Directory Object that allows or denies access to network resources (like folders and printers) for Users and Computers.
• Batch Script—A text file containing commands that has .bat as the suffix to the file name.
• Distinguished Name—The name of an Object as it appears in the Active Directory Database.
So now we have this
This is what our network looks like now
[Diagram: globomantics.com, the Forest Root Domain, on NY-DC1-2K8 and NY-DC2-2K8, now holding 2 Computer Accounts, 4 Groups for Users, and 2 Groups for Computers. The Domain Administrator Account is already created.]
What We Covered
•Create Organizational Units and Groups in Active Directory Users and Groups
•Create User Accounts:
– In Active Directory Users and Groups
– Using the dsadd command line option
– Using a batch script
•Create a bunch of User Accounts using a Batch Script made with Coach’s Excel Sheet User Batch Script Creator
•Add a Computer Account by joining a Vista client to the Domain.
•Manually Create a Computer Account (which is a bad idea).
After viewing this video, you should be able to:
What We Covered
�Add Users and Computers to Groups using Active
Directory Users and Computers.
�Move Active Directory Objects to different OU’s
Now that we have some OU’s, User Accounts and
Groups, we’ll start using those OU’s and Groups in
the next two videos to provide control over your
network!
After viewing this video, you should be able to:
Video 6
Sharing Stuff On Servers
Setting up Shared Folders and Printers, Mapping
Drives, and Wrestling with Permissions
Sharing Stuff on Servers
•Setting up a Member Server
•Creating Shared Folders
•NTFS Vs. Share Level Permissions
•Mapping a Shared Drive
•Creating and Sharing a Printer
In this video:
Setting Up A Member Server
• We set up User Accounts and added them to Groups so that we could control
who had access to what shared folders and printers.
• Now we need to create the Shared Folders and Printers for each of the
different departments. Here’s what we’ll be building:
Time to add another Server
NEW SERVER! NY-MEM1-2K8
– IP: 192.168.5.4
– 512MB RAM
– 2 GHz 32-bit CPU
– 2 x 120GB HDDs
– Gigabit NIC
– 32-Bit Server 2K8 Standard Edition
– MEM1 will be joining the Globomantics Domain.
Shared folders on MEM1: SalesDocs (Mapped as S:), SalesManagers (Shared), GeneralOps (Mapped as O:), OpsManagers (Shared)
Shared printers on MEM1: SalesLaser, OpsLaser, ManagersInkjet
Setting Up A Member Server
•It’s best practice not to share
folders for everyday work on a
Domain Controller—it already has
enough work to do.
•On our new Server, we’ll be
preparing the second HDD for File
and Folder sharing by formatting
and partitioning our second HDD
into two 60GB partitions, one for
Ops, one for Sales.
•We’ll also need to ensure that File
Sharing is enabled on MEM1 as
well.
First, we build another Server
Creating Shared Folders
You can create and share Folders using Windows
Explorer, but there’s a new Share and Storage
Management MMC that gives us a more
comprehensive experience.
Next up: Making the actual Folders
Here are the folders we’ll create:
– SalesDocs on E:
– SalesManagers on E:
– GeneralOps on F:
– OpsManagers on F:
Creating Shared Folders
•Full Control—Do I really need to
explain this?
•Change—Able to add files, delete files,
add folders, and delete folders all in
the parent Folder, but can’t change
the Folder itself.
•Read — A user can’t add or delete
anything in the Folder, just read
what’s there.
•You can Deny or Allow these three
types of Share Permissions.
•Permissions can be set for whole
Groups or for individual User Accounts
•Deny is always Strongest!!!! Use
sparingly!
We can set up Share Level Permissions while we’re creating the folders
Creating Shared Folders
Share Level Permissions only work at the Folder Level. All files in the Folder
inherit the permissions from the Folder.
Share Permissions—Folder Level Only
[Diagram: the SalesDocs share with Share Permissions of Full Control to all members of SalesUsers and SalesManagers, so all Sales staff get Full Control over all Files in SalesDocs]
Creating Shared Folders
Here are the Permissions to set on the individual Folders that you’ll be
creating on MEM1:
•SalesDocs (on E:)
– Read and Change for SalesUsers and SalesManagers
– Read-Only for OpsUsers and OpsManagers
•SalesManagers (on E:)
– Read and Change for SalesManagers only
– Deny All for SalesUsers
– Deny All for OpsUsers
– Read-Only for OpsManagers
•GeneralOps (on F:)
– Read and Change for OpsUsers and OpsManagers
– Read-Only for SalesUsers and SalesManagers
•OpsManagers (on F:)
– Read and Change for OpsManagers only
– Deny All for OpsUsers and SalesUsers
– Read-Only for SalesManagers
Creating Shared Folders
• We want SalesManagers to have access to everything the SalesUsers do, but
not vice versa.
• We can make the SalesManagers group a member of the SalesUsers Groups.
A Good Idea That Could Go Very Wrong
[Diagram: the SalesDocs folder (Mapped as S:) and the SalesManagers folder (Shared), with the SalesManagers Group drawn as a member of the SalesUsers Group]
SalesManagers, as a Member of SalesUsers, has access to SalesDocs. But SalesUsers will NOT have access to the SalesManagers folder.
Share Level VS. NTFS Permissions
• If we Deny Access to SalesUsers and SalesManagers is a member of the
SalesUsers Group, then SalesManagers is also Denied Access.
• Sometimes making Groups members of other Groups is a good idea,
sometimes it’s not.
Be careful not to block access from other Groups that need it!
[Diagram: the SalesDocs folder (Mapped as S:) and the SalesManagers folder with SalesUsers Denied Access, while the SalesManagers Group is still a member of the SalesUsers Group]
Because SalesManagers is a member of SalesUsers, if SalesUsers is denied access, SalesManagers will be, too, as Deny overrides everything else. So this is a bad idea—this time!
Share Level VS. NTFS Permissions
• We can use NTFS Permissions on individual Files and Folders inside the Shared
Folder
Let’s control access to individual Files now.
Coach’s Suggestion: Always start out with the least restrictive Share Level Permissions and then get more restrictive inside the folder with NTFS Permissions
[Diagram: the SalesDocs share with Share (SMB) Permissions of Read and Change for all members of SalesUsers and SalesManagers; inside it, three files (Handbook, Sales Training PowerPoint, Sales Budget) and one folder (Sales Reports)]
SalesUsers can have NTFS Read-Only Permissions to these three files and this one folder... but Read and Change Share Permissions on all the rest of the files in SalesDocs.
Share Level VS. NTFS Permissions
• When you create Files and Folders inside of Folders (Parent Folder), those new
Files and Folders initially inherit the permissions from the Parent folder.
Let’s Talk Inheritance (and no, you’re not getting any money on this one)
[Diagram: a Parent Folder, a “Child” Folder and a File (Child), each carrying the same Read and Change Permissions for all members of SalesUsers and SalesManagers]
Share Level VS. NTFS Permissions
But you can Block Inheritance of Permissions with NTFS Permissions for
Folders AND Files for really specific control of who gets to do what inside
that folder!
[Diagram: the Parent Folder keeps Read and Change Permissions for all members of SalesUsers and SalesManagers, while the “Child” Folder and the File (Child) each block inheritance and carry Read Only Permissions for SalesUsers and Full Control for SalesManagers]
Share Level VS. NTFS Permissions
•Hank has emailed you three files that SalesManagers
will need Full Control over, but SalesUsers should
have Read-Only Access to.
•You’ve put them in the SalesDocs folder already, but
now you need to apply appropriate NTFS permissions
to the files so that SalesUsers can’t change them.
•Hank also wants a SalesReports folder that members
of SalesManagers have Full Control over, but
SalesUsers can also Read-Only.
•Make it all happen with NTFS Permissions. (Hint: Block
Inheritance and Use Inheritance!)
Hank’s Files and the Sales Reports Folder
Share Level VS. NTFS Permissions
•Share Level Permissions work at the folder level.
•NTFS Permissions work at the Folder AND at the File Level.
•Documents inside Shared Folders inherit the Permissions (Share Level or NTFS!) of the Folder unless you stop the inheritance directly and apply new Permissions.
•When you move Shared folders, you lose the Share Level Permissions.
•When you move Folders and Files that have NTFS Permissions, they may keep their Permissions OR inherit the Permissions of the folder they go to live in.
Here are the Rules you need to remember:
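The rules just listed (Deny is always strongest, a nested group inherits its parent group’s Deny, Share Permissions cap whatever NTFS grants, and NTFS inheritance can be blocked per folder) worked through in code. This is an added example, not Train Signal course material: the group and folder names are the Globomantics ones, while the user names, the ACL entries and the rule engine itself are a constructed, simplified model of how Windows evaluates access.

```python
"""Effective-access model for the Share vs. NTFS rules in this video.
Added example, not Train Signal course material: group and folder names are
the Globomantics ones; user names, ACL entries and the rule engine are a
constructed, simplified model of Windows behaviour."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Change needs Read and Full Control needs both, so a Deny on a lower level
# also removes every higher level built on top of it.
READ, CHANGE, FULL = 1, 2, 4
LEVEL_BITS = {"Read": READ, "Change": READ | CHANGE, "Full Control": READ | CHANGE | FULL}

@dataclass
class Ace:
    principal: str      # user or group name
    level: str          # "Read", "Change" or "Full Control"
    allow: bool = True  # False models a Deny entry

@dataclass
class Node:
    """A folder or file; share permissions live only on the share root."""
    share: List[Ace] = field(default_factory=list)
    ntfs: List[Ace] = field(default_factory=list)
    parent: Optional[str] = None
    block_inheritance: bool = False

def tokens_for(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user plus every group it belongs to, following nested groups."""
    found = {user}
    grew = True
    while grew:
        grew = False
        for group, members in groups.items():
            if group not in found and members & found:
                found.add(group)
                grew = True
    return found

def acl_bits(acl: List[Ace], tokens: Set[str]) -> int:
    """Allowed bits minus denied bits: Deny is always strongest (the slides'
    rule; real NTFS also ranks explicit entries above inherited ones)."""
    allowed = denied = 0
    for ace in acl:
        if ace.principal in tokens:
            if ace.allow:
                allowed |= LEVEL_BITS[ace.level]
            else:
                denied |= LEVEL_BITS[ace.level]
    return allowed & ~denied

def ntfs_acl(path: str, tree: Dict[str, Node]) -> List[Ace]:
    """Collect NTFS entries up the tree until a node blocks inheritance."""
    entries: List[Ace] = []
    node: Optional[str] = path
    while node is not None:
        entries.extend(tree[node].ntfs)
        if tree[node].block_inheritance:
            break
        node = tree[node].parent
    return entries

def share_root(path: str, tree: Dict[str, Node]) -> str:
    while tree[path].parent is not None:
        path = tree[path].parent
    return path

def describe(bits: int) -> str:
    if not bits & READ:
        return "No Access"
    return "Full Control" if bits & FULL else "Change" if bits & CHANGE else "Read"

def effective_access(user: str, path: str, tree: Dict[str, Node],
                     groups: Dict[str, Set[str]]) -> str:
    """Most restrictive of the share layer and the NTFS layer."""
    tokens = tokens_for(user, groups)
    share = acl_bits(tree[share_root(path, tree)].share, tokens)
    return describe(share & acl_bits(ntfs_acl(path, tree), tokens))

# Constructed sample users; NESTED puts SalesManagers inside SalesUsers
# ("A Good Idea That Could Go Very Wrong"), FLAT keeps the groups separate.
NESTED = {"SalesUsers": {"sales.rep", "SalesManagers"}, "SalesManagers": {"sales.mgr"}}
FLAT = {"SalesUsers": {"sales.rep"}, "SalesManagers": {"sales.mgr"}}

TREE = {
    # Least restrictive share (Read and Change for all Sales staff), wide-open NTFS.
    "SalesDocs": Node(share=[Ace("SalesUsers", "Change"), Ace("SalesManagers", "Change")],
                      ntfs=[Ace("SalesUsers", "Full Control"), Ace("SalesManagers", "Full Control")]),
    # An ordinary file that simply inherits the SalesDocs NTFS entries.
    "SalesDocs/PriceList.docx": Node(parent="SalesDocs"),
    # Hank's SalesReports folder: inheritance blocked, managers Full Control, reps Read-Only.
    "SalesDocs/SalesReports": Node(parent="SalesDocs", block_inheritance=True,
                                   ntfs=[Ace("SalesManagers", "Full Control"), Ace("SalesUsers", "Read")]),
    # The managers-only share with Deny All for SalesUsers: the nesting trap.
    "SalesManagers": Node(share=[Ace("SalesManagers", "Change"), Ace("SalesUsers", "Full Control", allow=False)],
                          ntfs=[Ace("SalesManagers", "Full Control")]),
}
```

Running `effective_access("sales.mgr", "SalesManagers", TREE, NESTED)` gives "No Access" while the same call with FLAT gives "Change", which is the whole point of the slide above.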
Mapping a Shared Drive
•Most “Shared Drives” or “Mapped Drives” are just Shared Folders that we assign a Drive Letter to so they’re easier to find.
•You’ll map your two main department folders as below:
•Make sure that Hank’s account can access both Mapped Drives
Making Stuff Easier to Find
– SalesDocs: Mapped as S:
– GeneralOps: Mapped as O:
Creating and Sharing Printers
•A Printer is software.
•A Print Device is hardware.
•You need to have a Printer in order to use a
Print Device.
•Once you have Printers, you can use them
to control who has access to which Print
Device
The Difference Between Printers and Print Devices
Creating and Sharing Printers
•You have three print devices: two Laser and one Inkjet.
•You will create a Printer for each of the devices, and then
assign Permissions as displayed below:
Here’s What You’re Going to Build Next
SalesLaser
•SalesUsers can Print
•SalesManagers can Print and Manage
•Ops Groups can’t access
OpsLaser
•OpsUsers can Print
•OpsManagers can Print and Manage
•Sales Groups can’t access
ManagersInkjet
•SalesManagers can Print
•OpsManagers can Print
•Users Groups can’t access
•Only SuperCoach can manage
What Globomantics.com looks like now
[Diagram: the globomantics.com Forest Root Domain with Domain Controllers NY-DC1-2K8 and NY-DC2-2K8; the Member Server NY-MEM1-2K8 hosting the SalesDocs (Mapped as S:), SalesManagers (Shared), GeneralOps (Mapped as O:) and OpsManagers (Shared) folders and the SalesLaser, OpsLaser and ManagersInkjet printers; the SuperCoach Administrator account; 2 Computer Accounts (CL1-NY-VIS and CL2-NY-VIS); 4 Groups for Users and 2 Groups for Computers]
Terms You Need To Know
•Member Server—A Server that is not a Domain Controller
but is joined to the domain and has a particular job/Role
•Share Permissions—Permissions that only apply at the
Folder level and are inherited by all the files inside (unless
NTFS permissions are applied!)
•NTFS Permissions—Permissions that apply to both Folders
AND Files.
•Partition—A section of a Hard Drive
•SMB—Server Message Block—A Protocol used for Share
Permissions on a Folder
•Mapped Drive—Usually a Shared Folder that has been
assigned a Drive Letter so that it can be found easily.
Here’s the Critical Jargon from this video:
What We Covered
•Partition and format a Hard Drive on Server 2K8 via Disk Management
•Create Shared Folders and assign Share Permissions to Groups via the Share and Storage Management MMC.
•Describe the differences between Share and NTFS Permissions.
•Assign NTFS Permissions to Files and Folders
•Map Shared “Drives”
•Create and Assign Share Permissions to Printers
After viewing this video, you should be able to:
Coming Up Next
In the next video, we’ll start using our OU’s
to apply Group Policy in order to make sure
our users can’t break stuff (or, at least, less
stuff)!
Video 7
Get Your Control Freak On!
Starting to Control What Your Users Can and
Can’t Do Through Group Policy
Get Your Control Freak On!
•What are we building today,
Coach?
•What is Group Policy?
•Setting Up Coach’s Fave Four
Policies
In this video:
What Are We Building Today, Coach?
Good news! The other 23 desktop machines finally came in and your
new assistant Jamie has set them all up and joined them all to the
domain. Now, we need to start thinking about locking down what users
can and can’t do on their desktop machines.
You want to ensure that:
•All desktop wallpaper is the same on every machine
•Users cannot access the Display Control Panel
•Users cannot install software
•Users cannot attach Removable Drives (USB sticks, MP3 players,
etc.)
In order to make this happen efficiently, we’ll use Group Policy Objects
in Active Directory.
We’re locking down the Desktops!
What’s a Group Policy Object?
• A Group Policy Object
(GPO) contains Settings
that can be configured to
control what’s happening
with Users and Computers.
• There are literally
thousands of different
Settings that can be
configured inside of each
GPO.
• GPO’s are used with
Containers (Domains, Sites,
and OU’s), but are not
applied to Groups (but
Groups can play a part!)
Group Policy Objects give you control over what Users and Computers
can do, but a lot more!
Then why is it called Group Policy?????
What’s a Group Policy Object
• Every Windows computer has a Local Group Policy to control what can be done
on it and what is restricted, but you don’t want to go around to all the
computers in your Domain and configure all the settings manually.
• You’ll want to join the rest of the world and administer Group Policy from
Active Directory.
Local Vs. Domain
You can configure each computer
separately using Local Policy...
...or configure all your machines at once
from the comfort of your desk!
Because there’s nothing like going to
25 separate machines and making 26
modifications on each one (ugh!)
What’s a Group Policy Object?
• We can create a Group Policy Object easily, but then we have to link it to the
appropriate Container (usually an OU) before it takes effect on the Users
and/or Computers.
• A single GPO can be linked to multiple Containers so you can re-use it over and
over.
Creating and Linking GPO’s
Links are Active Directory Objects, too!
What is a Group Policy Object?
GPO’s can be linked at different levels
At the Domain Level,
everything in the Domain is
affected
At the OU level, everything in
the OU is affected
We normally don’t apply
GPO’s at the Site level, but we
can.
What is a Group Policy Object?
•Group Policy has two sides: Users and Computers.
•While you can configure settings for both sides in any one GPO, we
generally don’t (this is why we separate Users and Computers into
separate OU’s).
...and for two different kinds of objects
•Each side of Group Policy has Policies and *NEW* Preferences
•Generally, we create separate GPO’s for Users and Computers
What is a Group Policy Object?
Group Policy Settings are applied in a very specific
order:
Local Computer Policy → Site Policy → Domain Policy → OU Policy
Remember it this way: L-S-D-OU
Also: The Last One Wins
All you GPO’s, get in the right order!
Setting Up Coach’s Fave Four Policies
•You need to ensure that User Accounts are restricted in the
following fashion:
•All desktop wallpaper is the same on every machine
and cannot be changed
•Users cannot access the Display Control Panel
•Users cannot install software
•Users cannot attach Removable Drives (USB sticks,
MP3 players, etc.)
• You’ll create a single Group Policy Object with these
settings on the User side, apply it to the NYUsers OU, and
then test it out with the LBinga account
Here we go...
Terms You Should Know
•Group Policy Object—An Active Directory Object that allows you, the
Administrator, to control what Users can do on computers via Settings
(or Policies). A.K.A: GPO
• Link—An Active Directory Object that allows a GPO to affect a
particular Container (like an entire Domain or just an OU)
• L-S-D-OU—The Processing Order in which GPO’s are applied
•GPMC—The Group Policy Management Console, where we do all the
Group Policy work.
• Local Computer Policy—The Group Policy that resides on a local
Computer that only affects that particular computer.
And now, Vocabulary!
What We Covered
•Create and Link a Group Policy Object to an OU
•Apply Settings in a GPO to lock down the User’s ability to:
– Change the Desktop (i.e. set the Wallpaper and make
sure the User can’t change it)
– Use the Display Control Panel
– Attach a USB drive or other Removable Storage Device
– Install Software (remember: UAC for Vista!)
•Describe the order in which Group Policy Objects are
processed.
•Describe what Containers you can Link a GPO to
After Watching This Video, You Should Be Able To:
Video 8
How to Make Your Boss Mad
and then Fix it Really Fast
Setting up your Organizational Units for Better
Group Policy Implementation, Security Filtering for
GPO’s using Groups, and Making Your Boss Happy
Again.
How to Make Your Boss Mad and then Fix it Really Fast
•What Are We Building Today,
Coach?
•Hank is ANGRY!
•A Little Reorganization
In this video:
What Are We Building Today, Coach?
Our Active Directory Structure from our last episode...
[Diagram: the SuperCoach Administrator account and 5 Groups for Users in the NYUsers OU; 25 Computer Accounts with the StandardComputers and ITComputers Groups in the NYComputers OU; a Group Policy Link attached to NYUsers]
What Are We Building Today, Coach?
...and how it will look after this one!
[Diagram: the SuperCoach Administrator account; an Executives OU containing hrichardson; separate OU’s for SalesManagers, SalesUsers, OpsManagers, OpsUsers and ITUsers; 25 Computer Accounts with the StandardComputers and ITComputers Groups; a Group Policy Link attached]
Hank is ANGRY!
Hank is really mad that he can’t set a
picture of his favorite horse as the
Desktop Wallpaper, and he’s threatening
to fire you if you don’t get it fixed fast.
You need to make sure Hank’s user
account is exempted from the Desktop
Lockdown policy you just set up.
Also, your assistant Jamie doesn’t like
being locked down either—fix it!
Uh-Oh...
A Little Reorganization
•Since GPO’s are applied at the OU level, we may need to
separate out Users and/or computers into separate OU’s for
different rights and restrictions.
•Since the Globomantics OU structure is very basic, we have
some options:
– We can separate our users into separate OU’s and apply
different GPO’s to each
– We can separate our users into separate OU’s inside of
NYUsers and Block Inheritance for certain OU’s for a
particular Group Policy Object.
– We can use Security Filtering to exempt certain User
Accounts and/or Groups from having a GPO applied to
them.
Sometimes we may need to reorganize a bit...
A Little Reorganization
Option 1: We can separate out our Users into Child OU’s and Link
Separate GPO’s to each OU
[Diagram: one GPO Link per department OU; each GPO has settings appropriate for each department.]
A Little Reorganization
Option 2: We can separate our users into separate OU’s inside of
NYUsers and Block Inheritance for certain OU’s for a particular Group
Policy Object.
[Diagram: DesktopLockdown Linked to NYUsers; the other Child OU’s show it as Inherited, while the Executives OU has Block Inheritance set]
All Users in Executives will NOT get the settings from DesktopLockdown...
...unless DesktopLockdown is “Enforced”. An Enforced DesktopLockdown breaks through the block!
A Little Reorganization
Option 3: We can use Security Filtering to exempt certain User Accounts
and/or Groups from having a GPO applied to them.
[Diagram: the GPO Link to NYUsers, whose members include the SalesManagers, OpsManagers, ITUsers, Executives, SalesUsers and OpsUsers Groups]
If we use Security Permissions to Deny the Read and Apply Group Policy permissions, these two groups (Executives and ITUsers) can be exempt from the policy—even if the Policy is Enforced!
A Little Reorganization
• We can still use DesktopLockdown for all our users, but we’ll use Security
Filtering and the Delegation Tab in the GPMC to exempt the Executives and
ITUsers Groups from having it applied.
• In order to use Group Policy more efficiently in the future, we should break our
users out into separate OU’s.
We’ll fix it using a combination of techniques
[Diagram: DesktopLockdown Linked to NYUsers, with the Executives Group and the ITUsers Group each given Deny Read and Apply Group Policy on DesktopLockdown]
All other users will be affected by DesktopLockdown through Inheritance!
Terms You Should Know
•Security Filtering—Using Security Permissions on a Group
Policy Object to determine which Users or Groups in an OU
get affected by its settings.
•Enforce—A property of a Group Policy object that breaks
through Block Inheritance and overrides any other
conflicting GPO’s
•Group Policy Inheritance—Similar to Folder Inheritance,
Users and Computers inherit Group Policy settings through
OU’s.
Look, it’s more vocabulary!
What We Covered
•Rearrange Users, Groups, and Organizational Units.
•Use the GPMC to apply Security Filtering to include
and exempt Groups from Group Policy
•Block Inheritance of Policies for an OU.
•Use the GPMC to see what Group Policy Objects
are being inherited by an Organizational Unit.
•Make your boss happy by ensuring that his/her
account is not locked down, but everyone else’s is.
After viewing this video, you should be able to:
Video 9
Make Your Life Easier with
Computer Policies and
Preferences
Locking down Machines at the Computer Level
and Mapping Drives with Group Policy Preferences
Make Your Life Easier with Computer Policies and Preferences
•The Computer Side of Group
Policy
•Mapping Network Drives with
Preferences
In this video:
The Computer Side of Group Policy
Hank is seriously thinking about implementing the
“hoteling” concept, in which users don’t have
regular machines. Instead, he wants his sales reps
out in the field doing “house calls.” You need to
make sure that all the machines have a standard
policy no matter who’s at them, with the exception
of your machine, Jamie’s machine, and Hank’s
machine.
Oh, and by the way...
The Computer Side of Group Policy
Now that you have set up your User Policies, it’s time to further lock down the
computers themselves. You’ll separate out your computers into two OU’s,
Standard and Privileged, then create a new GPO to apply to only the
StandardComputers.
And now for something not so different...
[Diagram: the Standard OU holds CL4 through CL25 and has the new GPO Linked; the Privileged OU holds CL1 through CL3 and will have no GPO Linked]
We’ll leave CL2-NY-VIS in the Standard OU for testing, but move it later.
The Computer Side of Group Policy
And now time for another BFO!
User Policy follows the user to whatever computer that User logs into.
[Diagram: LBinga logging on to CL3-NY-VIS, CL4-NY-VIS, CL5-NY-VIS and CL6-NY-VIS in turn]
Computer Policy stays with the computer no matter who logs on to it.
[Diagram: LBinga, hrichardson and JOwens each logging on to CL3-NY-VIS]
The Computer Side of Group Policy
Here are the policies we’ll set for the StandardComputers
through our new ComputerLockdown GPO:
– Turn off the Windows Sidebar (because it’s annoying)
– Turn off that Welcome screen that keeps popping up
(because it’s annoying, too)
– User Account Control – Really more as a safety Precaution
– Turn on Loopback Processing to ensure that whoever logs
on to the machine always gets this policy applied to them.
– Ensure that any Local Group Policies do not run (because
they may interfere with our Domain/OU policies—again a
precautionary measure)
And now to add our Policy Settings to ComputerLockdown
The Computer Side of Group Policy
Loopback Processing: User Vs Computer Policy Showdown!
Here’s how it works:
LBinga’s User Policy: “I have User Settings, and I travel with LBinga wherever he logs in!”
CL3-NY-VIS’s Computer Policy: “Oh yeah? Well I have User Loopback Processing! My User Settings override or add to your settings, even though LBinga’s account isn’t even in the OU I’m linked to! Woo-Hoo! I win!”
LBinga’s User Policy: “Aw, man! Darn you Loopback Processing!”
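The L-S-D-OU order with “the last one wins”, Block Inheritance, Enforce and Security Filtering from Videos 7 and 8, and the Loopback Processing showdown just above, combined into one resolver so you can see which settings LBinga and hrichardson actually end up with on a Privileged versus a Standard machine. This is an added example, not Train Signal course material: GPO, OU and account names are from the Globomantics scenario, while the setting values, the ITUsers OU blocking inheritance (Option 2, used here for contrast) and the user-side “hoteling” wallpaper inside ComputerLockdown are constructed assumptions.

```python
"""Group Policy resolution model: L-S-D-OU order, Block Inheritance, Enforce,
Security Filtering and Loopback Processing. Added example, not Train Signal
course material: GPO, OU and account names are from the Globomantics scenario;
the settings, the ITUsers OU blocking inheritance and the user-side "hoteling"
wallpaper in ComputerLockdown are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Gpo:
    user: Dict[str, str] = field(default_factory=dict)      # User Configuration side
    computer: Dict[str, str] = field(default_factory=dict)  # Computer Configuration side
    deny_apply: Set[str] = field(default_factory=set)       # Security Filtering: Deny Read + Apply

@dataclass
class Container:
    parent: Optional[str]
    links: List[Tuple[str, bool]] = field(default_factory=list)  # (GPO, Enforced) in apply order
    block_inheritance: bool = False

def gpo_order(container: str, containers: Dict[str, Container]) -> List[str]:
    """GPO names in apply order for Domain -> OU -> child OU; the last one wins.
    Local Computer Policy (first) and Site links (second) are not modelled."""
    path: List[str] = []
    node: Optional[str] = container
    while node is not None:
        path.append(node)
        node = containers[node].parent
    path.reverse()  # domain root first, the OU asked about last
    normal: List[str] = []
    enforced: List[str] = []
    for name in path:
        if containers[name].block_inheritance:  # Option 2: drop links inherited from above...
            normal = []                         # ...except Enforced ones, which break through
        for gpo, is_enforced in containers[name].links:
            (enforced if is_enforced else normal).append(gpo)
    # Enforced links apply last, the one nearest the domain root very last,
    # so they override any conflicting setting linked below them.
    return normal + enforced[::-1]

def resolve(container: str, tokens: Set[str], side: str,
            containers: Dict[str, Container], gpos: Dict[str, Gpo]) -> Dict[str, str]:
    """Merge one side's settings in order. Security Filtering (Option 3) skips
    a GPO when the account or one of its groups was denied Read and Apply."""
    settings: Dict[str, str] = {}
    for name in gpo_order(container, containers):
        if not gpos[name].deny_apply & tokens:
            settings.update(getattr(gpos[name], side))  # later GPO overrides earlier
    return settings

def logon(user: str, user_ou: str, computer: str, computer_ou: str,
          containers: Dict[str, Container], gpos: Dict[str, Gpo],
          members: Dict[str, Set[str]]) -> Dict[str, Dict[str, str]]:
    """Settings in force after `user` logs on to `computer`."""
    utokens = members.get(user, set()) | {user}
    ctokens = members.get(computer, set()) | {computer}
    comp = resolve(computer_ou, ctokens, "computer", containers, gpos)  # stays with the machine
    usr = resolve(user_ou, utokens, "user", containers, gpos)           # follows the user
    mode = comp.get("loopback", "none")
    if mode in ("merge", "replace"):
        # Loopback: the user side of the computer's own GPOs is applied to
        # whoever logs on, even though that account is not in the linked OU.
        from_machine = resolve(computer_ou, utokens, "user", containers, gpos)
        usr = from_machine if mode == "replace" else {**usr, **from_machine}
    return {"computer": comp, "user": usr}

GPOS = {
    "DesktopLockdown": Gpo(user={"wallpaper": "globomantics.bmp", "display_cpl": "off",
                                 "install_software": "off", "removable_drives": "off"},
                           deny_apply={"Executives", "ITUsers"}),
    "MappedDrives": Gpo(user={"S:": r"\\NY-MEM1-2K8\SalesDocs", "O:": r"\\NY-MEM1-2K8\GeneralOps"}),
    "ComputerLockdown": Gpo(computer={"sidebar": "off", "uac": "on", "loopback": "merge"},
                            user={"wallpaper": "hoteling.bmp"}),  # constructed user-side setting
}
CONTAINERS = {
    "globomantics.com": Container(parent=None),
    "NYUsers": Container(parent="globomantics.com",
                         links=[("DesktopLockdown", False), ("MappedDrives", True)]),  # Enforced
    "Executives": Container(parent="NYUsers"),
    "SalesUsers": Container(parent="NYUsers"),
    "ITUsers": Container(parent="NYUsers", block_inheritance=True),  # Option 2, for contrast
    "NYComputers": Container(parent="globomantics.com"),
    "StandardComputers": Container(parent="NYComputers", links=[("ComputerLockdown", False)]),
    "PrivilegedComputers": Container(parent="NYComputers"),
}
MEMBERS = {"lbinga": {"SalesUsers"}, "hrichardson": {"Executives"}, "jowens": {"ITUsers"}}

def with_loopback(mode: str, gpos: Dict[str, Gpo] = GPOS) -> Dict[str, Gpo]:
    """Copy of the GPO set with ComputerLockdown's loopback mode changed."""
    cl = gpos["ComputerLockdown"]
    return {**gpos, "ComputerLockdown": Gpo(user=dict(cl.user), deny_apply=set(cl.deny_apply),
                                            computer={**cl.computer, "loopback": mode})}
```

Logging LBinga on to CL3-NY-VIS with `with_loopback("replace")` drops his own DesktopLockdown and Mapped Drives settings entirely, which is the Replace mode the course contrasts with Merge.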
Mapping Network Drives with Preferences
•Group Policy
Preferences allow us to
do a lot of useful tasks
that previously required
scripts.
•There are Preferences
for both User and
Computer sides of a
Group Policy Object.
•Better yet, they’re very
easy to set up and use!
We’ve done something old, now time for something new!
Mapping Network Drives with Preferences
• Since we have Network Drives (i.e., Shared Folders) that we want everyone to
have access to, we can “map” those drives for our Users so that when they log
on, they’re already there in My Computer.
• We’ll create a new GPO just for the Mapped Drives and link it to the NYUsers
OU and let Inheritance push it down to the other Child OU’s inside of it.
Mapping Drives for Users just got a lot easier!
[Diagram: the new Mapped Drives GPO Linked to NYUsers and marked Enforced (just in case somebody Blocks Inheritance later); each Child OU shows it as Inherited]
Time to Wrap Up!
So now our Active Directory network looks like this:
[Diagram: the SuperCoach Administrator account; the Executives OU with hrichardson; the OpsManagers, OpsUsers, SalesManagers, SalesUsers and ITUsers OU’s; the StandardComputers and ITComputers OU’s; Group Policy Links attached]
Critical Vocabulary
•Enforce – A setting on a Group Policy Link that breaks through Block Inheritance and overrides any conflicting policies.
•Loopback Processing—A Group Policy setting that forces the application of a GPO regardless of who is logged in to a computer.
•Group Policy Preferences—Settings in a Group Policy Object that expand Group Policy’s ability to map drives for Users, place files and create folders on managed client machines, etc.
•Mapped Drive—A shortcut to a shared folder (or shared hard drive) on the network that shows up in My Computer.
More Big Words!
What We Covered
•Create new OU’s and move appropriate Computer Accounts into
them.
•Create and Link a GPO object to an OU (I know, we’ve already
done this)
•Use the Computer Side of Group Policy to:
– Turn off the Vista Sidebar and Welcome screen
– Set up Loopback Processing on Computers to ensure that
Settings applied to Computers replace/merge/override any
User settings from other GPO’s
– Ensure that UAC is enabled on Vista
– Ensure that Local Computer Policies DO NOT run on Vista
Machines in our network.
After viewing this video, you should be able to:
What We Covered
•Use Group Policy Preferences on the Users side of a Group
Policy Object to Map Drives (shared folders) for all users
•Enforce a Group Policy to ensure that it is applied even if a
Block Inheritance setting is applied to an OU
After viewing this video, you should be able to:
Video 10
How to Push Software Onto a
Lot of Machines Without
Getting Up From Your Desk
Using Group Policy Objects to Install Software and
Adjusting Group Policy that affects Group Policy at
the Domain Level.
How to Push Software Onto a Lot of Machines Without Getting Up
From Your Desk
•You Are Here: A Quick Look at
What We’ve Built
•Create a GPO for Software
Installation
•When does all this Group Policy
Stuff actually take effect?
In this video:
You Are Here: A Quick Look at What We’ve Built
Create a GPO For Software Installation
So Hank went to a basketball game last night and ended up sitting next
to a guy who works for a software company that produces a lightweight
PDF reader. Since you haven’t yet installed any PDF reading software,
Hank wants you to install the PDF reader from his new friend’s company
on all the client machines in the Globomantics network.
Would you like to view PDF’s? Of course you would!
Do you:
A. Walk around with a CD or USB stick to every one of your 25 client
machines, log in with administrator account and install it manually?
(Do you really have that much time on your hands?)
B. Put the software on a Shared folder and provide instructions for all
employees on installing it when they figure out they need it?
(Are you insane? No no no! Users can’t install software anyway!)
C. Post the software on a Shared Folder and then create a Group Policy
Object that will install the software the next time the machine restarts?
Create a GPO For Software Installation
•An .msi file for installation
– Try to get an .msi version of a software package if at all possible.
– You can’t just install .exe files without repackaging them into .msi.
– There are several .msi packaging utilities out there if you need them.
– There is an alternative installation package called a Zap package—I don’t recommend it.
•A Shared folder for the software to live in that all your Users and Computers have at least Read access to.
•A new GPO linked to the appropriate OU.
What you need for a Software Installation GPO
Create a GPO For Software Installation
• If you set it up for specific Users
or User Groups, you can Publish
the software so they can install it
on demand.
•You can also Assign the software
so it installs on the next client
restart.
• If you set up the GPO on the
Computers side, you can’t
Publish—only Assign
•Use your best judgment based on
who needs the software and
when picking which side of a GPO
to use for Software Installs.
You can set up a Software Installation GPO for Users or Computers
Create a GPO For Software Installation
Hank’s new buddy has sent you the .msi file that you can use for your Software
Installation GPO. You decide to install it on every client computer since PDF’s are a
universal standard. So now all you have to do is:
1. Create a new Shared folder on NY-MEM1-2K8 named Software.
2. Create a folder inside Software named Foxit and put the Foxit .msi package there.
(Note: Always create new folders for each software package to make the process
nice and easy!)
3. Create a new GPO and link it to the NYComputers OU. Name it FoxitInstall.
4. In the Computers section of the GPO, we’ll go to the Software Settings under
Policies to get to the Software Installation settings.
5. Create a new Package by right-clicking and selecting New → Package.
6. Select the .msi file and select any Options.
7. Run gpupdate /force from the Server (or wait for the Refresh Interval)
8. Have your users reboot their client machines.
So what now?
When does all this Group Policy Stuff actually take effect?
• When a User logs into a machine (client or server, doesn’t matter), Windows checks for and applies any new GPO’s from Active Directory.
• When you run gpupdate /force, the new policy settings are pushed down right then and will either apply immediately or on the next logon, depending on what the settings are in the policy.
• For software installation GPO’s applied on the Computer side of the GPO, the installation happens at the next restart.
• For other User side GPO’s, it depends on what the Group Policy Refresh Interval is set at, and if Background Processing is enabled or disabled.
• Group Policy Refresh Intervals and Background Processing for Group Policy are usually set at the Default Domain Level Policy.
The Group Policy for Group Policy!?!?
Where We’re At Now
A new policy and a small domain level observation
[Diagram: the new FoxitInstall Installation Policy Linked to NYComputers, and the Default Domain Policy shown as the Group Policy that Controls Group Policy]
Critical Vocabulary
• Group Policy Software Installation (GPSI) – Function of Group Policy that allows installation of software to computers with accounts within the scope of the Group Policy object.
• MSI Package (.msi) – Microsoft Installer package
• Publish (as an option in GPSI) – Option to make software available to install on demand
• Assign (as an option in GPSI) – Option to install software automatically on computer restart.
Time for more big words to impress your friends with!
What We Covered
After viewing this video, you should be able to:
• Create a Software Installation GPO
• Describe the differences between using a Software Installation GPO on the Computer side and User side.
• Correctly select Assign, Publish, or Advanced options for the Software Installation GPO.
• Set the Group Policy Refresh Interval on the Default Domain Policy.
• Enable or Disable Background Policy Processing on the Default Domain Policy.
Video 11
What’s My P@ssw0rd again?
Domain Password Policies, Fine Grained Password Policies, and a Little Password Management Thrown In For Good Measure
What’s My P@ssw0rd again?
In this video:
• The Default Domain Password Policy
• Letting Your Boss Use Whatever Password He/She Wants
• A Little Password Management Goes a Long Way
The Default Domain Password Policy
Passwords and users and security—oh my!
• Normally, the Password Policy is set for all users at the Domain level.
• The default settings are usually good enough.
• Complexity requirements are enforced when passwords are changed or created.
Password Complexity Requirements: the password must
• Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
• Be at least six characters in length
• Contain characters from three of the following four categories:
  – English uppercase characters (A through Z)
  – English lowercase characters (a through z)
  – Base 10 digits (0 through 9)
  – Non-alphabetic characters (for example, !, $, #, %)
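The complexity rule above, written out as a checker you can run offline against a proposed password before a user burns a change attempt. This is an added example, not part of the course; the account name and display name it is called with are constructed.

```powershell
# Added example (not from the Train Signal course): an offline checker for the
# complexity rule on the slide. Account and display names are constructed.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$SamAccountName,  # e.g. hbrown
        [string]$DisplayName = ''                              # e.g. Hank Brown
    )
    $problems = @()
    $lower = $Password.ToLower()

    # Rule 1a: the account name must not appear in the password (case-insensitive).
    # Windows skips this test when the account name is shorter than 3 characters.
    if ($SamAccountName.Length -ge 3 -and $lower.Contains($SamAccountName.ToLower())) {
        $problems += "contains the account name '$SamAccountName'"
    }

    # Rule 1b: no part of the full name longer than two characters. The display
    # name is split on commas, periods, dashes, underscores, spaces, pound signs
    # and tabs; each token of three or more characters is searched for.
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($lower.Contains($t.ToLower())) { $problems += "contains part of the full name '$t'" }
    }

    # Rule 2: at least six characters.
    if ($Password.Length -lt 6) { $problems += 'is shorter than 6 characters' }

    # Rule 3: characters from at least three of the four categories on the slide.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # non-alphabetic (!, $, #, %)
    if ($categories -lt 3) { $problems += "uses only $categories of the 4 character categories" }

    New-Object PSObject -Property @{
        Password = $Password
        Meets    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed checks for Hank (account hbrown, display name "Hank Brown"):
Test-PasswordComplexity -Password 'Thunderbolt' -SamAccountName 'hbrown' -DisplayName 'Hank Brown'  # a horse's name, letters only
Test-PasswordComplexity -Password 'Hank#2008'   -SamAccountName 'hbrown' -DisplayName 'Hank Brown'  # all four categories, but built on his first name
Test-PasswordComplexity -Password 'Th!nder99'   -SamAccountName 'hbrown' -DisplayName 'Hank Brown'  # nine characters, four categories, no name parts
```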
Letting Your Boss Use Whatever Password He/She Wants
Hank doesn’t like the fact that he has to use all these newfangled
password techniques with symbols and what not, and he doesn’t want
to have to think up a new password every 30 days. He wants to use the
names of his horses.
You’ll use a technique called Fine Grained Password Policies to exempt
Hank and the users that are part of the Executives group from the
Default Domain Password Policy Settings that you created, and then
reduce the complexity requirements and extend the expiration date so
that Hank and any other user placed in the Executives Group will only
have to update their passwords every 3 months.
You know Hank…
Letting Your Boss Use Whatever Password He/She Wants
• Normally you only have one Password Policy Setting in your entire domain, but by creating Password Settings Objects (PSOs, if you’re cool), you can specify multiple password policies for individual users or for the Groups that users are part of.
• Your Domain Functional Level must be at the Server 2008 level (all your Domain Controllers must be Server 2008).
• We’ll need to go into ADSI Edit to create Password Settings objects, and link them to the User Account or Group they’ll apply to (i.e. for Globomantics, the Executives group).
Fine Grained Passwords—A Good Idea or Lousy Security?
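The Executives exemption described above, built with cmdlets instead of ADSI Edit, including the two checks that trip people up (functional level, and the fact that a PSO can only be applied to users and global security groups). This is an added example, not the course's own procedure; it assumes the ActiveDirectory module (RSAT or Server 2008 R2 and later) and constructed group and account names.

```powershell
# Added example (not from the Train Signal course). Assumes the ActiveDirectory
# module (RSAT / Server 2008 R2 or later); on 2008 RTM the same object is built
# by hand in ADSI Edit as the slides show. Group and account names are constructed.
Import-Module ActiveDirectory

# Precondition from the slide: Windows Server 2008 domain functional level.
$domain = Get-ADDomain
if ("$($domain.DomainMode)" -like 'Windows2000*' -or "$($domain.DomainMode)" -like 'Windows2003*') {
    throw "Fine-grained password policies need the Server 2008 domain functional level (current: $($domain.DomainMode))"
}

# The PSO: no complexity, 6-character minimum, 90-day maximum age, as the slide
# describes for Hank. Lowest Precedence wins when several PSOs reach one user.
New-ADFineGrainedPasswordPolicy -Name 'ExecutivesPSO' -Precedence 10 `
    -ComplexityEnabled $false `
    -MinPasswordLength 6 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 12 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Relaxed policy for the Executives group'

# A PSO can only be applied to users and *global* security groups, so check the
# group before linking it.
$execs = Get-ADGroup -Identity 'Executives'
if ($execs.GroupScope -ne 'Global' -or $execs.GroupCategory -ne 'Security') {
    throw "PSOs apply only to users and global security groups; Executives is $($execs.GroupScope)/$($execs.GroupCategory)"
}
Add-ADFineGrainedPasswordPolicySubject -Identity 'ExecutivesPSO' -Subjects $execs

# What actually applies to Hank? No output means the Default Domain Policy still wins.
Get-ADUserResultantPasswordPolicy -Identity 'hbrown' |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, MaxPasswordAge
```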
A Little Password Management Goes a Long Way
• Resetting Passwords is really easy:
  – In AD Users and Computers, find the User Account that needs the password reset.
  – Right-click and select Reset Password.
  – Change it to something easy to communicate and then tell the user the new password.
  – Best Practice: Go back into the User Account Properties and force the User to change their password on the next logon.
• *NEW* – In a Server 2008 environment, when a password is reset, if a user has encrypted a document, the user can STILL access the document!
Everyone forgets passwords – be forgiving
Critical Vocabulary
• ADSI Edit – A low level utility used for editing the Active Directory Database directly rather than using the GUI tools (e.g. Server Manager).
• Fine Grained Password Policy – A feature of Server 2008 that allows an override of the Domain Password Policy requirements.
• PSO – Password Settings Object – An Active Directory Object created in ADSI Edit that allows for an alternative password policy to be applied to a user or a group.
• Server 2008 Functional Level – An operating mode which requires all Domain Controllers in your network to be Server 2008. (Required for Fine Grained Password Policy)
Walk the walk and talk the talk
What We Covered
After viewing this video, you should be able to:
• Alter the Default Domain Policy Password Settings to increase or decrease password requirements and settings.
• Locate the Functional Level for a Domain in AD Users and Computers.
• Create a PSO (Password Settings Object) by using ADSI Edit to override the Domain Password Policy Settings for specific users or groups.
• Reset a User’s password and force the user to change their password on the next logon.
Video 12
Passing the Buck
Providing Permissions to an Account for Administrative Tasks Without Giving Away All Your Thunder
Passing the Buck
In this video:
• Giving Someone Else The Ability to Reset Passwords
• Adding Users to Built-In Groups That Have Permissions to Do Stuff
• Installing RSAT to a Vista Client for Easy Server Management
Giving Someone Else The Ability to Reset Passwords
Planning ahead, you realize that as time goes on you won’t have all the time in the world to do busy work like resetting passwords or altering permissions on shared folders and such. Fortunately, you’ve got an assistant—Jamie! In order to free up your time, you’ll provide permissions for Jamie’s account to reset passwords and do other Administrative tasks.
You’ve got two options:
– Use the Delegation of Control Wizard
– Add Jamie to one (or more) of the Built-In Groups so he can do administrative tasks without having to be an Administrator.
Why should you have to do all the work?
Giving Someone Else The Ability to Reset Passwords
Using the Delegation of Control Wizard
You’ll use this when you only want a particular User or Group to be able to do one or two simple tasks, like *ahem* resetting passwords.
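What the wizard's "Reset user passwords and force password change at next logon" task actually writes to the OU's ACL, done with the built-in dsacls.exe, followed by a check of who holds that right on the OU so that over-delegation is visible. This is an added example, not the course's own procedure; it assumes the ActiveDirectory module for the AD: drive (RSAT or Server 2008 R2 and later), and the OU and account names are constructed.

```powershell
# Added example (not from the Train Signal course). Assumes the ActiveDirectory
# module for the AD: drive (RSAT / Server 2008 R2 or later); dsacls.exe is built in.
# OU and account names are constructed.
Import-Module ActiveDirectory
$ou  = 'OU=NYUsers,DC=globomantics,DC=com'
$who = 'GLOBOMANTICS\jamie'

# What the wizard task "Reset user passwords and force password change at next
# logon" grants on user objects under the OU: the Reset Password control-access
# right plus read/write of pwdLastSet (the "must change at next logon" flag).
# /I:S = inherit to child objects of the named class (user) only.
dsacls $ou /I:S /G "${who}:CA;Reset Password;user"
dsacls $ou /I:S /G "${who}:RP;pwdLastSet;user"
dsacls $ou /I:S /G "${who}:WP;pwdLastSet;user"

# Check afterwards: who holds Reset Password on this OU? Anyone with that right
# can set a new password on every account beneath it, so the list should be
# short and known.
function Get-ResetPasswordHolders([string]$OuDn) {
    $resetPwd = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password right
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $resetPwd -or $_.ObjectType -eq [Guid]::Empty)   # Empty = every extended right
    } | Select-Object IdentityReference, ObjectType, InheritanceType, IsInherited
}
Get-ResetPasswordHolders -OuDn $ou | Format-Table -AutoSize
```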
Adding Users to Built-In Groups That Have Permissions to Do Stuff
• The Delegation Wizard can’t provide everything, so you’ll have to also use some additional Groups to provide some more permissions to Jamie.
• The boys and girls at MS have created Groups that already have specific permissions in the BuiltIn OU. Here’s some of them that are particularly useful:
Need…more…power…

Permissions/Abilities                              | Administrators | Account Operators | Backup Operators | Print Operators | Server Operators
Create, delete, and manage user and group accounts |       X        |         X         |                  |                 |
Read all user information                          |       X        |         X         |                  |                 |        X
Reset password for user accounts                   |       X        |         X         |                  |                 |
Share directories                                  |       X        |                   |                  |                 |        X
Create, delete, and manage printers                |       X        |                   |                  |        X        |        X
Back up files and directories                      |       X        |                   |        X         |                 |        X
Restore files and directories                      |       X        |                   |        X         |                 |        X
Log on locally to the server                       |       X        |         X         |        X         |        X        |        X
Shut down the system                               |       X        |         X         |        X         |        X        |        X
Installing RSAT to a Vista Client for Easy Server Management
• So now that Jamie actually can do some administrative tasks, let’s make it a little easier for him to get to the Servers without even having to use Remote Desktop.
• The Remote Server Administration Tools for Vista are a collection of MMC tools that allow you to administer most of the standard Server tasks without having to use Remote Desktop or actually be at the Server.
• It’s super easy to download and install, but you have to go into Control Panel and enable it.
Giving Jamie the Remote Control for AD Users and Computers
Critical Vocabulary
• Delegation of Control Wizard—A utility that allows an administrator to grant busy-work tasks to another user account.
• Built-In Groups—Groups that come as part of the default Server 2008 installation that provide administrative permissions for more tasks than what the Delegation of Control Wizard can (sheer hedonistic convenience!).
• RSAT—Remote Server Administration Tools—A bunch of Microsoft Management Consoles that come in Vista flavor for easy remote management of Servers from your desk.
And now, big fancy words!
What We’ve Covered
After viewing this video, you should be able to:
• Use the Delegation of Control Wizard to provide the ability for specific users to do small-scope administrative tasks.
• Describe the differences between the 5 most useful Built-In Groups.
• Add a User Account to a Built-In Group for higher level administrative tasks.
• Install and Configure RSAT for Vista
Video 13
Creating Backup Solutions BEFORE Stuff Blows Up
How to Use Windows Server Backup, WBADMIN, and NTDSUTIL to Create Backup Media
Creating Backup Solutions BEFORE Stuff Blows Up
In this video:
• An Hour of Prevention Prevents an Ounce of Pink Slip
• Your Three Built-In Backup Tools
• The Globomantics Backup Strategy
An Hour of Prevention Prevents an Ounce of Pink Slip
So everything in the Globomantics network thus far is up and running smoothly, and it’s time to seriously think about creating backup solutions before everything blows up.
Eventually, you’ll be able to talk Hank into acquiring a third-party backup solution that has more power than the built-in tools in Server, but for now you’ll have to make do with what you have.
You have three main tools built into Server 2008 for backup:
• Windows Server Backup—A GUI (Graphical User Interface) tool that creates simple backups (replaces NTBackup).
• Wbadmin—A command line tool for creating and scheduling backups (also available in Server Core!).
• Ntdsutil—An extremely powerful tool to do advanced backup operations (and a lot more!) specifically for Active Directory files and database.
This video is really all about saving your job
Your Three Built-In Backup Tools
• Windows Server Backup is a Feature that you must install before using—it doesn’t install automatically.
• It only:
  – Backs up to a Shared Folder (Network Attached Storage) or to DVD
  – Backs up entire Volumes
  – Overwrites previous backups if you back up to the same shared folder over and over
• It’s great for simple backups for small organizations
Windows Server Backup—Easy breezy backups, but with a few hitches!
Your Three Built-In Backup Tools
• WBADMIN is a command line tool that provides more power to your backup options:
  – It can run a one-time backup
  – It can schedule regular backups
  – It can back up your System State, which includes all the guts of your DC:
    • Registry
    • Boot files
    • System Files
    • AD Directory Services database
    • SYSVOL directory
  – System State data can be restored using WBADMIN or using the graphical Windows Server Backup
WBADMIN—Stronger tools and More Options
Your Three Built-In Backup Tools
• NTDSUTIL is specifically for AD, and not so much
backing up your whole Server.
• In terms of creating Backup Media, it can create
IFM (Install From Media) media for faster creation
(or re-creation, as the case may be) of a Domain
Controller.
• It’s an interactive tool, providing different
commands depending on what Context it’s used in.
• When used in conjunction with media created by
Wbadmin or Windows Server Backup, it can allow
you to restore Active Directory Objects like entire
OU’s.
• It can also take Snapshots of your Active Directory
Database so you can see how your AD looks over
time!
NTDSUTIL – Super-Powered Utility for lots of operations with a funny name!
The Globomantics Backup Strategy
• Now that you’re familiar with the three built-in backup tools, we need a plan for backup.
While we’re waiting on something else…
1. You’ll use Windows Server Backup for Nightly Backups to the Second Disk on NY-DC2-2K8
2. …then create a System State Backup on a weekly basis for emergency restoration…
3. …and last but not least an IFM backup as an additional emergency solution and for easy addition of future Domain Controllers as well.
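The three-step plan above as one script for NY-DC2-2K8, with the exit-code checks and the empty-folder check that ntdsutil insists on. This is an added example, not the course's own procedure; it assumes E: is the second disk, that C:\IFM is unused, and that the disk identifier placeholder is replaced with the value from wbadmin get disks.

```powershell
# Added example (not from the Train Signal course). Run elevated on NY-DC2-2K8.
# Assumptions: E: is the second disk (not the system volume), C:\IFM is unused,
# and the placeholder below is replaced with the GUID shown by "wbadmin get disks".
$target = 'E:'

# 1. Nightly full-volume backup with Windows Server Backup's scheduler. The
#    target disk is dedicated to backups and reformatted when the schedule is
#    created, which is why it has to be the second disk and not C:.
wbadmin get disks
$diskId = '{DISK-IDENTIFIER-FROM-WBADMIN-GET-DISKS}'   # placeholder
wbadmin enable backup -addtarget:$diskId -schedule:21:00 -include:C: -quiet
if ($LASTEXITCODE -ne 0) { throw "Could not create the nightly schedule (wbadmin exit code $LASTEXITCODE)" }

# 2. Weekly System State backup (run this part from a weekly scheduled task):
#    registry, boot and system files, the NTDS database and SYSVOL. On Server
#    2008 the target must be a volume holding none of that critical data.
wbadmin start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "System State backup failed (wbadmin exit code $LASTEXITCODE)" }
wbadmin get versions -backupTarget:$target     # the catalog now lists it for restore

# 3. IFM media with NTDSUTIL: a copy of the AD database that dcpromo can use
#    so a new DC does not pull the whole directory over the WAN. It contains
#    every account's password hashes, so guard the folder like a backup tape.
$ifm = 'C:\IFM'
if ((Test-Path $ifm) -and (Get-ChildItem $ifm)) { throw "$ifm must be empty or absent" }
ntdsutil "activate instance ntds" ifm "create full $ifm" quit quit
if ($LASTEXITCODE -ne 0) { throw "IFM creation failed (ntdsutil exit code $LASTEXITCODE)" }
Get-ChildItem -Recurse $ifm | Select-Object FullName, Length
```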
Critical Vocabulary
• Windows Server Backup—The built-in GUI for doing simple backups of entire Volumes
• WBADMIN—A command line tool for doing standard backups and for creating System State backups
• NTDSUTIL—An Active Directory-specific interactive command line tool for doing a lot of different and more powerful maintenance tasks on your Active Directory. In terms of backup, NTDSUTIL creates IFM media
• IFM—Install From Media—can be used to create (and recreate) Domain Controllers quickly
• System State backup—Created by WBADMIN, it contains only the guts of your AD that are absolutely necessary for faster restoration of a DC.
For your viewing pleasure, some new words to review!
What We Covered
After viewing this video, you should be able to:
• Schedule a nightly backup of an entire Volume to an attached disk using Windows Server Backup.
• Create a System State Backup of a Domain Controller using Wbadmin.
• Create IFM Media using NTDSUTIL.
• Describe the differences between the three main Backup and Maintenance tools in Server 2008.
Video 14
Reducing Single Points of Failure
Changing up the Operations Masters and How to Add a Domain Controller with IFM
Reducing Single Points Of Failure
In this video:
• A Little Future Planning to Prevent Major Problems
• What are Operations Masters?
• Restructuring the Globomantics DC’s a Bit
  – Adding a Domain Controller with IFM
A Little Future Planning to Prevent Major Problems
• Right now, we only have 2 DC’s, both of which are Global Catalogs. Everything seems fine and rolling right along, but there’s a lurking menace that we don’t know about just yet!
So here we are…
[Diagram: NY-DC1-2K8 and NY-DC2-2K8 connected to a Network Switch]
If DC1 goes down, we will have major problems due to the fact that we have all of our Operations Masters attached to it!
We can easily reduce the risk of SPOF issues by giving this guy an additional job or two!
What are Operations Masters?
Operations Masters (used to be called FSMOs – Flexible Single Master Operations) are specific jobs that a DC can do apart from all the regular day-to-day stuff (any DC can do stuff like authenticating/logging on, adding users, etc.; these are special).
• The Forest Level Operations Masters
  – Domain Naming—Responsible for adding and removing Domains from inside your forest. Sits back and drinks coffee most of the time until you need to add or remove a Domain.
  – Schema—Handles all the database definitions. Also on coffee break until you or an application you install needs to change the Active Directory Schema.
These two can and should go on the same DC!
One of those hidden little elements that can cause big trouble!
What are Operations Masters?
• The Domain Level Operations Masters
  – PDC Emulator—This is the big one. PDC stands for Primary Domain Controller. It handles password updates, Group Policy Updates, time updates, and acts as the master Browser.
    • Make all your Group Policy Changes on the Server that has the PDC role for best performance!
  – Relative Identifier (RID)—Provides Security Identifiers (also known as SIDs) for new Users, Computers, and anything else that gets added to your Active Directory. If the Server with this role goes down, you may not be able to add any Users or Computers to the Domain.
    • SID—a unique identifier for an Object in Active Directory.
  – Infrastructure Master—Keeps track of who’s in what Group. Extremely vital if you have multiple Domains in your forest.
    • The Infrastructure Master should be on a Server that is not a Global Catalog, unless every single Domain Controller is also a Global Catalog!
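A report of who holds the five roles, with the two checks the slides call out (every role on one DC, and an Infrastructure Master that is a Global Catalog while other DCs are not). This is an added example, not the course's own material; it uses only the .NET System.DirectoryServices.ActiveDirectory classes that ship with Server 2008, so it needs no extra module.

```powershell
# Added example (not from the Train Signal course): uses only the .NET
# System.DirectoryServices.ActiveDirectory classes that ship with Server 2008,
# so it runs on any domain-joined machine without extra modules.
function Get-OperationsMasterReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # The two forest-level and three domain-level roles from the slides.
    $roles = @{
        'Schema Master'         = $forest.SchemaRoleOwner.Name
        'Domain Naming Master'  = $forest.NamingRoleOwner.Name
        'PDC Emulator'          = $domain.PdcRoleOwner.Name
        'RID Master'            = $domain.RidRoleOwner.Name
        'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
    }
    $gcs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
    $dcs = @($domain.DomainControllers | ForEach-Object { $_.Name })

    $warnings = @()

    # Rule from the slide: the Infrastructure Master must not be a Global Catalog
    # unless every DC in the domain is one too.
    $notGc  = @($dcs | Where-Object { $gcs -notcontains $_ })
    $imIsGc = $gcs -contains $roles['Infrastructure Master']
    if ($imIsGc -and $notGc.Count -gt 0) {
        $warnings += "Infrastructure Master $($roles['Infrastructure Master']) is a Global Catalog while $([string]::Join(', ', $notGc)) is/are not: cross-domain group membership references will go stale."
    }

    # Single point of failure from the slide: every role on one box although there is more than one DC.
    $holders = @($roles.Values | Sort-Object -Unique)
    if ($holders.Count -eq 1 -and $dcs.Count -gt 1) {
        $warnings += "All five Operations Masters sit on $($holders[0]); move some of them (AD Users and Computers, AD Domains and Trusts, the Schema snap-in, or ntdsutil roles)."
    }

    New-Object PSObject -Property @{ Roles = $roles; GlobalCatalogs = $gcs; DomainControllers = $dcs; Warnings = $warnings }
}

$report = Get-OperationsMasterReport
$report.Roles.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$report.Warnings | ForEach-Object { Write-Warning $_ }
```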
Restructuring the Globomantics DC’s a Bit
Let’s see if we can add a little more flexibility in our structure
[Diagram: NY-DC1-2K8 (Global Catalog), NY-DC2-2K8 (Global Catalog) and the new NY-DC3-2K8 on the Network Switch; Operations Masters shown: Domain Naming, PDC Emulator, RID, Infrastructure, Schema Master]
Critical Vocabulary
• Operations Master—An assignable role/job for a Domain Controller that only one Domain Controller at a time can do.
• Security Identifier (SID)—A unique value assigned to an object in Active Directory for identification in an Active Directory based network. May be assigned by a Domain Controller, but also may be created by an Operating System in the case of Computer Accounts and simply used by AD.
Hey, look! Some more big words!
What We Covered
After viewing this video, you should be able to:
• Describe the five Operations Masters
• Identify what Server has been assigned what Operations Master.
• Change Operations Masters
• Create a Domain Controller using IFM media
Video 15
Stuff To Make Your Active Directory Life Just a Little More Predictable
Monitoring, Auditing, and Maintaining Your Active Directory Database
Monitoring, Auditing, and Defragging
In this video:
• Watching Your AD Stuff
• Your Monitoring Toolbox
• Watch Who’s Doing What To Your Active Directory
• Defragging Your AD Database
Watching Your AD Stuff
Globomantics is ready to launch, and you have taken solid
precautions already to ensure that if your Domain
Controllers blow up, you have flexible options to get your
network back up and running in a short time.
Now you need to figure out how to watch your DC’s for any
impending doom, and maintain your Active Directory
database so you get optimum performance. There are a lot
of third party tools out there for such things, but for now
you need to rely on what’s built in to Server 2008.
And now, something else that lands squarely in your job description
Your Monitoring Toolbox
• Your tools for watching what’s going on:
  – Task Manager—For real time, immediate gratification observing what’s going on in your Server
  – Event Viewer—An easy way to view logs that are created by the various monitoring tools.
  – Performance Monitor—A true classic, Performance Monitor allows granular tracking.
  – Reliability Monitor—Watches and tracks changes in your system over time
  – Data Collector Sets—Probably the easiest way to keep track of what’s going on in your system!
Hey, neat! Server 2008 has cool monitoring toys!
Watch Who’s Doing What to Your Active Directory
• Auditing Policies are optional settings in Group Policy for Domain Controllers that allow you to keep detailed track of changes made to your AD.
• Not only can they track changes, but also who made the change, what the object was before the change, and what the object is now.
Time to play Big Brother!
Watch Who’s Doing What to Your Active Directory
To Set Up Auditing:
• You have to enable an Auditing Policy (specifically Audit Directory Service) on either the Default Domain Controllers Policy or on the Default Domain Policy.
• Then, you have to turn on the Auditing component on the Object(s) you want to Audit.
There are two steps to setting this up – you can’t do one without the other!
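Both steps above (policy side and object side) plus the check that they actually produce events. This is an added example, not the course's own procedure; it assumes the ActiveDirectory module for the AD: drive and Get-WinEvent (PowerShell 2.0, i.e. Server 2008 R2 or the WMF update on 2008), and the OU name is constructed.

```powershell
# Added example (not from the Train Signal course). Run elevated on a DC.
# Assumptions: the ActiveDirectory module for the AD: drive and Get-WinEvent
# (PowerShell 2.0, i.e. Server 2008 R2 or the WMF update on 2008); the OU is constructed.
Import-Module ActiveDirectory
$ou = 'OU=NYUsers,DC=globomantics,DC=com'

# Step 1, policy side. The slide turns on "Audit directory service access" in the
# Default Domain Controllers Policy; on 2008 the subcategory that records old and
# new values is "Directory Service Changes". auditpol shows what the GPO actually
# delivered to this DC (and can set it locally for a quick test).
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"

# Step 2, object side: a SACL entry on the OU, inherited by everything under it,
# for successful writes by anyone (S-1-1-0 = Everyone).
$acl      = Get-Acl -Path "AD:\$ou" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList `
    $everyone, $rights, [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Step 3, the payoff: Security log events 5136 (attribute modified; the old and
# the new value arrive as separate 5136 events), 5137 (object created),
# 5138 (undeleted), 5139 (moved), 5141 (deleted). Each names the account that did it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141 } -MaxEvents 20 |
    Format-List TimeCreated, Id, Message
```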
Defragging Your AD Database
• Running regular maintenance on the AD Database recaptures disk space, makes the database file more efficient (and sometimes faster!), and checks for any weirdness that might occur.
• When stuff gets deleted out of your Active Directory Database, the Database file itself doesn’t get any smaller.
• It’s time to bust out the NTDSUTIL command again! Here are some crucial commands:
  – Activate Instance NTDS – Your beginning command
  – Files – The “context” that makes the following commands available:
    • Compact – Defrags the database (and creates a copy of the NTDS.dit file)
    • Integrity – Checks database integrity
  – Semantic Database Analysis – An NTDSUTIL tool that analyzes and checks your database for consistency
Give your AD Database a tune-up!
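The commands above strung together into a complete offline defrag, including the part the slide's compact step leaves implicit: the compacted file has to be copied back over the live one and the old transaction logs removed. This is an added example, not the course's own procedure; it assumes Server 2008's restartable AD DS, the default NTDS folder, and a constructed scratch folder C:\Compact.

```powershell
# Added example (not from the Train Signal course): the slide's NTDSUTIL commands
# as an offline defrag using Server 2008's restartable AD DS (no DSRM reboot).
# Run elevated on the DC; C:\Compact is a constructed scratch folder.
$ntdsDir = "$env:SystemRoot\NTDS"      # default home of NTDS.dit
$scratch = 'C:\Compact'

# Compact writes a complete second copy of the database, so check space first.
$dit  = Get-Item "$ntdsDir\ntds.dit"
$free = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").FreeSpace
if ($free -lt ($dit.Length * 1.2)) { throw "Need about $($dit.Length) free bytes on C: to compact" }

net stop ntds /y                       # stop AD DS (and its dependents) in place

# activate instance ntds -> files -> compact to <folder>
ntdsutil "activate instance ntds" files "compact to $scratch" quit quit
if ($LASTEXITCODE -ne 0) { net start ntds; throw "compact failed (ntdsutil exit code $LASTEXITCODE)" }

# Swap in the compacted file, keep the old one, and drop the old transaction
# logs (they belong to the pre-compaction database and must not be replayed).
Copy-Item "$ntdsDir\ntds.dit" "$ntdsDir\ntds.dit.old"
Copy-Item "$scratch\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log"

# integrity = low-level ESE check; semantic database analysis = logical
# consistency ("go" reports, "go fixup" repairs). Both run against the stopped DB.
ntdsutil "activate instance ntds" files integrity quit "semantic database analysis" go quit quit
net start ntds
```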
Critical Vocabulary
• NTDS.dit—The actual database file that holds your Active Directory Objects
• Compact—The process of recovering disk space by removing empty space and repositioning data on the disk for optimum read time (also known as defragging).
• Integrity—A database is said to have integrity when all of the records hold exactly what they’re supposed to hold.
Maintain not just your AD, but your lexicon as well!
What We Covered
After watching this video, you should be able to:
• Use the Task Manager to watch performance in real time.
• Use the Event Viewer to see what‘s going on in your machine.
• Use the Reliability Monitor to monitor changes in your DC over time.
• Use the Performance Monitor if you have nothing else better to do with your time.
• Use the Data Collector Sets to track Active Directory and Domain Controller performance.
• Enable Auditing Policies in the Default Domain Controllers GPO for Object and Account Access
What We Covered
After watching this video, you should be able to:
• View the Results of your Auditing Policies in Event Viewer.
• Use NTDSUTIL to defragment your database and check for integrity and consistency of the AD Database as a whole.
We have set up the New York office AD infrastructure and made plans for disaster recovery. In the next video, we’re going to expand to Chicago, and set up a child domain for the Chicago office by creating some more DC’s!
Video 16
Creating the Chicago Location
Adding a Child Domain, Creating Sites and Subnets, and Configuring Replication with the Mother Ship
Creating the Chicago Location
In this video:
• All You Need Is Lov—I mean a DC!
• Adding a Site and Subnet Before Jumping In
  – Creating the Child Domain
  – Making Sure Chicago Can Talk To New York
All You Need Is Lov—I mean a DC!
In order to keep tabs on the Chicago stock exchange, Hank has decided to open up an office in downtown Chicago. To keep things more manageable, you decide that the best way to keep the Globomantics network a little more manageable for future growth is to separate out the Chicago office into its own child domain (sometimes called a subdomain).
There’s good reason to break out Chicago into its own child domain:
– Less Network Traffic to suck up your bandwidth between Chicago and New York
– De-centralized management will allow you to delegate control over Chicago to an administrator (yet to be hired—or maybe we’ll send Jamie!) that’s actually in Chicago.
– Having a location-centric Active Directory structure can allow for easier tracking of stuff between locations.
It’s time to expand!
All You Need Is Lov—I mean a DC!
In order to create the Chicago child domain, all we need is another DC!
[Diagram: Globomantics.com with NY-DC1-2K8, NY-DC2-2K8 and NY-DC3-2K8 on the Network Switch; the new NA-DC1-2K8 (Global Catalog, DNS) for Na.globomantics.com]
Adding a Site and Subnet Before Jumping In
• Sites in AD represent the physical structure, or topology, of your network.
• Right now, we have only one Site defined in Globomantics.com, New York. We first need to create the Chicago site in Active Directory Sites and Services.
• In order to allow Active Directory the ability to track our machines by location, we’ll also create a Subnet Object as well, and assign that Subnet Object to Chicago.
• Once that’s done, we can use the Location Attribute in Active Directory to track and find machines according to their IP address.
• Here’s what we have and what we’re going to create:
Before we begin…
[Diagram: NY-DC1, NY-DC2 and NY-DC3 in the existing New York site; NA-DC1 in the new Chicago site with its Subnet Object]
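The site and subnet creation described above done with plain ADSI, followed by a check that each DC sits in a site that owns a subnet covering its address. This is an added example, not the course's own procedure; the site name comes from the slides, while the 10.2.0.0/16 subnet is constructed.

```powershell
# Added example (not from the Train Signal course): plain ADSI, so it works on
# Server 2008 without extra modules. The site name is from the slides; the
# 10.2.0.0/16 subnet is constructed.
$cfg     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$sitesDn = "CN=Sites,$cfg"

function New-AdSite([string]$Name) {
    $sites = [ADSI]"LDAP://$sitesDn"
    $site  = $sites.Create('site', "CN=$Name")
    $site.SetInfo()
    # Sites and Services creates these two children itself; without them no
    # server object can be moved into the site.
    $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings').SetInfo()
    $site.Create('serversContainer',  'CN=Servers').SetInfo()
    $site
}

function New-AdSubnet([string]$Cidr, [string]$SiteName) {
    $subnets = [ADSI]"LDAP://CN=Subnets,$sitesDn"
    $subnet  = $subnets.Create('subnet', "CN=$Cidr")
    $subnet.Put('siteObject', "CN=$SiteName,$sitesDn")   # the "assign subnet to site" step
    $subnet.SetInfo()
    $subnet
}

New-AdSite   -Name 'Chicago'                         | Out-Null
New-AdSubnet -Cidr '10.2.0.0/16' -SiteName 'Chicago' | Out-Null

# Check: every DC should sit in a site that owns a subnet covering its address.
# A machine whose address matches no subnet is treated as part of the default
# site, and Chicago clients would then authenticate against New York over the WAN.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($site in $forest.Sites) {
    $subnetNames = [string]::Join(', ', @($site.Subnets | ForEach-Object { $_.Name }))
    "Site $($site.Name): subnets [$subnetNames]"
    foreach ($dc in $site.Servers) { "    $($dc.Name) $($dc.IPAddress)" }
}
```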
Critical Vocabulary
• Child Domain—A Subdomain that is part of the main Forest, useful for delegation of management, location-based management, and saving bandwidth over WAN links.
• Site—An Active Directory Object that represents the major components of the physical topology of a network.
• Subnet Object—An Active Directory Object that allows AD to track machines based on IP Address.
Some words of wisdom…or at least some words that will help
What We Covered
After viewing this video, you should be able to:
• Create a new Site in Active Directory
• Create a new Subnet object in Active Directory
• Assign a Subnet Object to a Site
• Use DCPromo to create a new Child Domain in an existing Forest
• Configure Replication between Domain Controllers
Video 17
How To Give People Access to Stuff That’s 790 Miles Away
Creating Universal Groups, the AGUDLP Strategy, and Making Sure Your People Can Log In Anywhere In Your Enterprise
Giving People Access to Stuff 790 Miles Away
In this video:
• Time For Some More Users!
• The Types of Groups
• Setting Up Your Groups for Access Between Domains
• Making Sure Your Users Can Log In Anywhere in Your Enterprise
Time for some more users!
Hank has sent you another 20 users to add to the Chicago office, so it’s time to make them quickly and easily with the Excel sheet script maker.
You’ll also create some OU’s and Groups as well, similar to what you did with New York.
Break out that Excel Script Maker again!
The Types of Groups
• There are two core types of Groups
What kind of Groups do we create?
– Security Groups allow you to grant Permissions to resources
– Distribution Groups are basically Email lists, and aren’t used very often
There are Three Scopes of Security Groups:
– Global: Usable in any trusted Domain in your Forest. Users can only come from the home Domain.
– Universal: Usable in any trusted Domain in your Forest. Users can come from ANY Domain.
– Domain Local: Usable in the Domain it lives in ONLY. Users can only come from the home Domain.
Setting Up Your Groups for Access Between Domains
• Now that we have multiple domains, we also have the challenge of making sure that we can easily provide access to resources between them.
• AGUDLP is a strategy that we can use to grant access in a more “reusable” way.
• Here’s how it works:
AGUDLP – Alphabet Soup anyone?
1. Accounts go into Global Groups
2. The Global Group becomes a member of a Universal Group
3. The Universal Group becomes a member of a Domain Local Group
4. Permissions are then granted to the Domain Local Group to network resources
Setting Up Your Groups for Access Between Domains
• The Sales team will need access to the SalesDocs folder, as the sales program will be pretty much the same throughout the company. Here’s what we’ll do to get them access to the SalesDocs folder over in New York:
And now, here’s what we’re going to do for our Globomantics Sales Team
1. In the na.globomantics domain, all the Chicago Sales User Accounts go into a Global Group called ChicagoSales
2. We’ll create a Universal Group in the NA domain called AllSales and make ChicagoSales a member of AllSales
3. In Globomantics.com (the New York domain), we’ll create a Domain Local Group called SalesDocsAccess and make AllSales a member of it.
4. On the NY-MEM1-2K8 File Server, we’ll grant Permissions to the Domain Local Group SalesDocsAccess to the SalesDocs Folder
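The four AGUDLP steps for the Sales team above as a script, including the cross-domain membership step that trips up the cmdlets if done naively. This is an added example, not the course's own procedure (the course does it in AD Users and Computers); it assumes the ActiveDirectory module (RSAT or Server 2008 R2 and later), and the OU paths and user names are constructed.

```powershell
# Added example (not from the Train Signal course). Assumes the ActiveDirectory
# module (RSAT / Server 2008 R2 or later). OU paths and user names are constructed.
Import-Module ActiveDirectory
$na   = 'na.globomantics.com'
$ny   = 'globomantics.com'
$naOu = 'OU=ChicagoGroups,DC=na,DC=globomantics,DC=com'
$nyOu = 'OU=NYGroups,DC=globomantics,DC=com'

# A -> G: Chicago sales accounts into a Global security group in the NA domain.
New-ADGroup -Server $na -Path $naOu -Name 'ChicagoSales' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Server $na -Identity 'ChicagoSales' -Members 'cbaker', 'mperez'

# G -> U: Universal group in NA (its membership is replicated to every Global
# Catalog in the forest, which is what lets New York resolve it).
New-ADGroup -Server $na -Path $naOu -Name 'AllSales' -GroupScope Universal -GroupCategory Security
Add-ADGroupMember -Server $na -Identity 'AllSales' -Members 'ChicagoSales'

# U -> DL: Domain Local group in the New York domain. The member comes from
# another domain, so add it by distinguished name against a NY DC.
$allSales = Get-ADGroup -Server $na -Identity 'AllSales'
New-ADGroup -Server $ny -Path $nyOu -Name 'SalesDocsAccess' -GroupScope DomainLocal -GroupCategory Security
Set-ADGroup -Server $ny -Identity 'SalesDocsAccess' -Add @{ member = $allSales.DistinguishedName }

# DL -> P: the folder's NTFS permission goes to the Domain Local group only,
# never to individual users, so access reviews stay a question of group membership.
icacls '\\NY-MEM1-2K8\SalesDocs' /grant 'GLOBOMANTICS\SalesDocsAccess:(OI)(CI)M'

# Read it back: the NY group's member attribute should now hold the NA universal group's DN.
(Get-ADGroup -Server $ny -Identity 'SalesDocsAccess' -Properties member).member
```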
Making Sure Your Users Can Log In Anywhere in Your Enterprise
• Hank is going to be bouncing back and forth between locations, and you need to make sure that he and anyone else who’s visiting either office can log in.
We got us a Global Catalog to check out!
As long as there’s a Global Catalog at a Site, your users can log in with an “email address” style login, like JOwens@globomantics.com. If there’s not a Global Catalog, you’ll need to enable Universal Group Caching on the Site. (It’s a check box—super easy!)
[Diagram: a Global Catalog Server in Globomantics.com and a Global Catalog Server in Na.globomantics.com]
Critical Vocabulary
• Security Group—Group Object in Active Directory that allows you to provide access to resources on the network.
• Distribution Group—Group Object in Active Directory that acts as an email distribution list.
• Global Group—A Group usable in any trusted Domain in your forest. Users can only come from the home Domain. Can be a member of a Universal Group.
• Universal Group—A Group usable in any trusted Domain in your Forest. Users can come from ANY Domain. Can be a member of a Domain Local Group.
• Domain Local Group—A Group usable only in the Domain it lives in. Users can only be from the Domain it lives in, but Universal Groups can be Members of the Domain Local Group.
Important Words
What We Covered
After viewing this video, you should be able to:
• Distinguish between Global, Universal, and Domain Local Groups.
• Distinguish between Security and Distribution Groups.
• Utilize AGUDLP to provide access to resources across Domains.
• Ensure that Users can log in to another Domain by either providing a Global Catalog at a Site or using the Universal Group Caching setting on a Site.
Video 18
Creating The Dallas Branch Office
Building a Read-Only Domain Controller for a Less Secure Location
Creating the Dallas Branch Office
In this video:
• Hank Says There Will Be a Dallas Office
• The Dallas OU and Site Structure
• What is a Read-Only Domain Controller?
• Building an RODC for Dallas
Hank Says There Will Be a Dallas Office
Dallas is Hank’s hometown. He has a ranch just outside of Dallas, and he doesn’t want to have to fly out to New York or Chicago to do work. That’s not a problem, but he also wants a staff of 5 people in the not-yet created Dallas location. He’s already rented a little office 5 miles from his ranch, and there’s basically a closet that, if you ask really nicely, you might be able to use to hold the router and any servers.
You decide that due to the lack of security in the office, using a Read-Only Domain Controller is going to be the best option. But before we can build the RODC, we need to create an OU Structure for Dallas.
And if Hank says it…
The Dallas OU and Site Structure
• We first need to have some OU’s for our Dallas User Accounts to live in.
• Then, we need to add a Dallas site so we can have a physical representation of our network.
Let’s keep it simple still…
What is a Read-Only Domain Controller?
For physically insecure locations with few users, an RODC is a happy thing.
•An RODC holds a read-only copy of the directory and caches passwords only for the Users and Computers the Administrator puts on its Password Replication Policy (PRP) allow list. Accounts in the Denied RODC Password Replication Group (Domain Admins, Enterprise Admins, Schema Admins, krbtgt and the like, by default) are never cached, so if someone walks off with the Dallas box they get at most the handful of Dallas accounts. Reset those passwords and you're done.
•Replication is one-way: the RODC pulls from the writeable (or Full) Domain Controllers and never pushes anything back, so a tampered RODC cannot poison the rest of the domain.
•You don't need a Global Catalog on the RODC. You can enable Universal Group Membership Caching for the Site to cut down on replication traffic instead.
•Better yet, you can use the Server Core installation to get two important advantages:
– You don't need a super-duper box to run it, and there's far less installed (no Explorer shell, no browser) to patch or to attack.
– You can remotely administer the Server Core box with MMC snap-ins from your own workstation.
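The Password Replication Policy is where the security of an RODC is actually decided, so here is an added example, not code from the course, that audits the Dallas RODC's policy and prepopulates the Dallas users. It assumes the Active Directory PowerShell module (Server 2008 R2 or RSAT; on Server 2008 RTM the equivalent commands are repadmin /prp and repadmin /rodcpwdrepl, noted in the comments), a writeable DC named NY-DC1 and a group named Dallas Users; RODC-DAL-2K8 is the course's machine name.

```powershell
# Added example, not from the course. Audits the Password Replication Policy (PRP)
# of the Dallas RODC, flags any privileged account it has cached, then allows the
# Dallas users and prepopulates their passwords.
# Assumes the Active Directory module (Server 2008 R2 / RSAT). NY-DC1 and the
# "Dallas Users" group are assumed names; RODC-DAL-2K8 is from the course.
Import-Module ActiveDirectory

$Rodc        = 'RODC-DAL-2K8'
$WritableDc  = 'NY-DC1'          # assumed: writeable DC to pull password hashes from
$DallasGroup = 'Dallas Users'    # assumed: group holding the five Dallas accounts

# 1. Who may be cached, and who never will be. The Denied list wins over Allowed.
#    (Server 2008 RTM: repadmin /prp view RODC-DAL-2K8 allow|deny)
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
'Allowed: ' + (($allowed | ForEach-Object { $_.Name }) -join ', ')
'Denied:  ' + (($denied  | ForEach-Object { $_.Name }) -join ', ')

# 2. What the RODC actually holds right now. This list is exactly what someone
#    who steals the box walks away with. (RTM: repadmin /prp view RODC-DAL-2K8 reveal)
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# 3. Cross-check the cached set against the privileged groups. The default Denied
#    RODC Password Replication Group keeps these out; if anything shows up here,
#    someone overrode it, and those passwords need resetting from a writeable DC.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators', 'Server Operators') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    ForEach-Object { $_.DistinguishedName } | Sort-Object -Unique
$leaks = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }
if ($leaks) {
    Write-Warning "Privileged credentials cached on ${Rodc}: $(($leaks | ForEach-Object { $_.Name }) -join ', ')"
}

# 4. Allow the Dallas group (groups, not individual users, so the PRP stays readable)
#    and prepopulate each member's password so their first Dallas logon does not
#    depend on the WAN. (RTM: repadmin /rodcpwdrepl RODC-DAL-2K8 NY-DC1 <user DN>)
if (-not ($allowed | Where-Object { $_.Name -eq $DallasGroup })) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $DallasGroup
}
Get-ADGroupMember -Identity $DallasGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Sync-ADObject -Object $_.DistinguishedName -Source $WritableDc -Destination $Rodc -PasswordOnly
        "Prepopulated $($_.Name)"
    }
```

Run step 2 on a schedule: the revealed list is the only honest answer to "what do we lose if Dallas is burgled tonight," and it grows quietly as people on the allow list log in.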
Building an RODC for Dallas
And now, here's what we're going to build:
Computer Name: RODC-DAL-2K8
2GHz Single Core Processor
512MB RAM
1 Gigabit NIC
1 x 120 GB HDD
Server 2008 Server Core, 32-bit Version
With Active Directory Domain Services (RODC option) and DNS Server
DHCP for the Dallas office will be configured at the Router
So here’s what we’ve built so far…
New York, Chicago, Dallas…What’s next? Tokyo?
Zooming in on Dallas
Users from New York (like Hank) can still log in at Dallas with their email-style login, more commonly known as a UPN (User Principal Name), as long as the Site has a Global Catalog OR you enable Universal Group Membership Caching on the Site so the Dallas DC doesn't have to reach a GC in New York at every logon. Hank's account also has to be on the RODC's Password Replication Policy allow list; otherwise the RODC forwards each of his logons to a writeable DC over the WAN, and if the link is down he can't log in at all.
Critical Vocabulary
More words! More words!
•RODC—Read-Only Domain Controller—a Domain Controller that holds a read-only copy of the directory and caches passwords only for the small set of accounts its Password Replication Policy allows, typically the users at one branch location.
•Server Core—An installation option of Server 2008 with only a command-line interface and lower operating requirements that supports only 9 Server Roles. Less installed means less to patch and a smaller attack surface.
•UPN—User Principal Name—An email-style login name that can be used to log in across Domains when a Global Catalog is present at the Site OR when Universal Group Membership Caching is enabled on the Site.
What We Covered
After viewing this video, you should be able to:
•Install Server 2008 as a Server Core installation.
•Use a configuration script to configure basic settings for your Server Core installation.
•Install the Active Directory Domain Services Role with the RODC option.
•Attach an MMC to a Server Core installation for management.
•Configure Universal Group Membership Caching for a Site so you don't have to provide a Global Catalog for that Site.
•Set the Password Replication Policy that decides which users' passwords the RODC may cache.
•Prepopulate passwords for Users that will be logging in at the location, for a faster first logon that doesn't depend on the WAN.
Video 19
Bringing an OU and Users Back
from the Dead
How to Restore Individual Organizational Units
and User Accounts AFTER They’ve Been Deleted
Bringing an OU and Users Back From The Dead
•Okay, Who Killed Off The Ops Department?
•The Two Types of Restorations
– Use Windows Server Backup to do a Non-
Authoritative Restoration
– Use NTDSUTIL and WBADMIN to do an
Authoritative Restoration
•How to Put Resurrected Users Back Into Groups
Using Backlinks
In this video:
Okay, Who Killed Off The Ops Department?
Things are going well, until on a Tuesday morning the entire New York
Ops department can no longer log in. When you go to see what’s
happening, you notice that the New York Ops OU is…gone. Aced, no
trace, nada, not there, here or anywhere.
When you check your Security log, you see that the account BSamson,
an account belonging to one of your new IT staff who had been given
Account Operator permissions, successfully deleted the entire OU last
night at 1AM. Brock did not report in this morning due to the fact that
he’s in police custody for *ahem* other chemically-related issues.
Fortunately, at midnight, a System State back-up of your entire Domain
Controller was successfully completed. You need to restore the Ops OU
for New York due to Brock’s drug-induced mayhem.
Ummm….whoops?
The Two Types of Restorations
Oh, the choices, the choices! (Okay, there's only 2)
• There are two options for restoring an OU:
– Non-Authoritative Restore: Most often done using Windows Server Backup, you restore the Domain Controller (or its System State) from backup. The restored DC then pulls the latest changes from its replication partners, which includes the deletion, so on its own this gets the DC back but not the OU.
– Authoritative Restore: Using WBADMIN and NTDSUTIL, you restore the System State in Directory Services Restore Mode and then mark an OU, an individual User Account, or any other AD Object as authoritative, so the restored copy wins over the deletion when replication resumes.
• What makes a Restore "Authoritative?"
– NTDSUTIL raises the version number on every attribute of the marked objects (by 100,000 by default, more if the backup is several days old) so the other Domain Controllers treat the restored objects as the most recent and replicate them back in instead of deleting them again.
The Two Types of Restorations
And now, the secrets of how to do both
• To run a non-authoritative restore, just go to Windows Server Backup and click Recover. Use the most recent backup set that was created before the deletion. You're done (sort of: because replication will re-apply the deletion, a non-authoritative restore alone will not bring the Ops OU back).
• To run an authoritative restore:
1. Restart the DC into Directory Services Restore Mode (DSRM): press F8 during reboot to get this option.
2. Log in with .\Administrator and the DSRM password you set when you ran DCPromo. Guard that password: it is a local administrator credential that works with Active Directory offline, so it belongs in the vault with your other break-glass accounts.
3. Type wbadmin get versions -backupTarget:<backuplocation>, where <backuplocation> is the drive or share where your backup files live.
4. Figure out which version you want to restore (the last one taken before the deletion).
5. Type wbadmin start systemstaterecovery -version:<ID> -backupTarget:<backuplocation>
6. After the restore finishes, don't reboot normally yet. Type ntdsutil, then activate instance ntds
7. Type authoritative restore to get into the right NTDSUTIL context
8. Type restore object "<distinguishedName>" for a single account or restore subtree "<distinguishedName>" if you're restoring an entire OU.
9. Quit NTDSUTIL and reboot normally. Afterwards check a replication partner to confirm the OU came back everywhere.
How to Put Resurrected Users Back Into Groups Using Backlinks
If for some strange reason your Server 2008 DC is running under a Server 2000 Functional Level…
• At the Server 2003 or Server 2008 Forest Functional Level, group membership is replicated with Linked Value Replication and NTDSUTIL restores Group Membership to restored Accounts on its own (you can skip this whole slide if you're at a 2K3/2K8 Functional Level).
• When you do an authoritative restore at the Server 2000 Functional Level, you end up losing Group memberships on your User Accounts. Of course, you could go back and recreate them manually….(no, you can't, you don't have that kind of time on your hands). Users who silently drop out of security groups are a security problem too: they lose access they should have, and the temptation is to hand out broader rights just to get them working again.
• During the authoritative restore, NTDSUTIL writes at least one LDIF file (named ar_<date>_links_<domain>.ldf) next to a text file listing the restored objects. The LDIF file holds the Backlinks, the group memberships that point at the restored users, and you can use it to put all of them back quickly.
• To restore group membership using backlinks:
1. After the Authoritative Restore is complete and the DC has been restarted normally, open a command prompt and type repadmin /syncall DCNAME /a /d /A /P /q where DCNAME is the name of the Domain Controller you just restored, so the restored objects exist on every DC before you re-add the links.
2. Change to the directory where your LDIF files ended up (the directory you ran NTDSUTIL from).
3. Type ldifde -i -k -f <filename> where <filename> is the name of the LDIF file you need.
4. Rinse and repeat Step 3 for each file that was created by the NTDSUTIL restore process. If the restored users were members of groups in more than one domain, there's one file per domain, and each has to be imported against a DC in that domain.
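The nine restore steps and the backlink import above, driven from PowerShell, as an added example that is not part of the course. The first function runs at the DSRM prompt and the second after the normal reboot. The backup target, the OU's distinguished name, the DC name and the 1 AM deletion time (taken from the scenario's Security log) are assumed values; the wbadmin version-identifier format and its UTC basis are this example's assumption about the tool, not something the course states.

```powershell
# Added example (not part of the course). Two functions: the first is run at the
# DSRM prompt and does steps 3-8 of the authoritative restore; the second is run
# after the normal reboot and does the backlink import. Assumed values: the backup
# target, the OU's distinguished name, the deletion time (from the Security log in
# the scenario) and the DC name. Replace them with yours.

function Restore-OuAuthoritative {
    param(
        [string]$BackupTarget = 'E:',                                  # assumed
        [string]$OuDn = 'OU=Ops,OU=New York,DC=globomantics,DC=com',   # assumed DN of the deleted OU
        [datetime]$DeletedAt = (Get-Date '2008-09-23 01:00')           # scenario: 1 AM deletion
    )
    # 1. Parse "wbadmin get versions". Each backup prints a "Version identifier:"
    #    line in MM/dd/yyyy-HH:mm form; the identifier is in UTC (assumption about
    #    the tool), so convert before comparing with the local deletion time.
    $versions = foreach ($line in (wbadmin get versions "-backupTarget:$BackupTarget")) {
        if ($line -match 'Version identifier:\s*(\S+)') {
            $id  = $Matches[1]
            $utc = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture)
            New-Object PSObject -Property @{ Id = $id; Taken = [datetime]::SpecifyKind($utc, 'Utc').ToLocalTime() }
        }
    }
    # 2. The right backup is the newest one taken BEFORE the deletion; anything later
    #    already contains the deletion and restoring it would be pointless.
    $pick = $versions | Where-Object { $_.Taken -lt $DeletedAt } | Sort-Object Taken | Select-Object -Last 1
    if (-not $pick) { throw 'No system state backup predates the deletion.' }
    "Restoring system state $($pick.Id) (taken $($pick.Taken))"
    # 3. Non-authoritative system state restore (we are in DSRM, so ntds.dit is offline).
    wbadmin start systemstaterecovery "-version:$($pick.Id)" "-backupTarget:$BackupTarget" -quiet
    # 4. Mark only the OU subtree as authoritative. ntdsutil accepts its commands as
    #    arguments; it still pops up a confirmation dialog before restoring. The
    #    backlink files (ar_<date>_objects.txt, ar_<date>_links_<domain>.ldf) land in
    #    the current directory, so remember where that is for the second function.
    ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree `"$OuDn`"" quit quit
    "Backlink files written to $((Get-Location).Path); now reboot normally."
}

function Restore-GroupBacklinks {
    param(
        [string]$DcName  = 'NY-DC1',                    # assumed: the DC you just restored
        [string]$LdifDir = "$env:SystemRoot\system32"   # assumed: where ntdsutil was run from
    )
    # 5. Push the restored objects to every partner first, so the groups on other
    #    DCs see the users exist before we re-add them as members.
    repadmin /syncall $DcName /a /d /A /P /q
    # 6. Only needed below the Windows Server 2003 forest functional level; at
    #    2003/2008 LVR already restored the memberships and no links files exist.
    $files = Get-ChildItem -Path $LdifDir -Filter 'ar_*_links_*.ldf'
    if (-not $files) { 'No backlink files: LVR handled group membership.'; return }
    foreach ($f in $files) {
        # -i import, -k keep going past "already a member" errors, -f input file
        "Importing $($f.Name)"
        ldifde -i -k -f $f.FullName
    }
}
```

Call Restore-OuAuthoritative from the DSRM console (it needs a logged-on user to click through the ntdsutil confirmation), reboot, then call Restore-GroupBacklinks once the DC is back in the domain.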
Critical Vocabulary
Just a few really big words
•Authoritative Restore—A process in which objects or an entire Directory can be restored and marked as "authoritative" by raising their attribute version numbers (by 100,000 by default) so every other DC accepts the restored objects during replication.
•Non-Authoritative Restore—A simple restoration process that can be accomplished either from Windows Server Backup or by using Directory Services Restore Mode and WBADMIN (if you really want to). The restored DC then accepts whatever its replication partners send it, deletions included.
•Update Sequence Number—A counter kept on each DC and stamped on every change, which helps Domain Controllers know which objects need to be updated in the Directory during replication.
• Linked Value Replication (LVR)—Replication of the individual values of a multi-valued attribute (such as a group's member list) instead of the whole attribute, available at the Server 2003 or 2008 Forest Functional Level. It is what lets NTDSUTIL put Group Membership back on restored accounts automatically.
What We Covered
After viewing this video, you should be able to:
•Perform a Non-Authoritative Restore using Windows Server Backup on a DC
•Perform an Authoritative Restore using Directory Services Restore Mode, WBADMIN, and NTDSUTIL.
•Restore Group Membership from Backlinks using ldifde (if for some weird reason you're not running a Server 2003 or Server 2008 Forest Functional Level)
Video 20
What Do You Do When A Domain
Controller Blows Up?
Strategies to Use When Recreating a Dead
Domain Controller
What Do You Do When A Domain Controller Blows Up?
•Uh-Oh
•Seizing Operations Masters for Quick
Restoration of Functionality
•Possible Solutions for Restoring
Domain Controllers
In this video:
Uh-Oh
NY-DC3 has blown up. Completely. It is a quivering mass of metal that screeches
and whines when it tries to start up. The absolute best way to describe the
current state of DC3 is this:
And…the inevitable happens
Now, you need to decide what to do with the DC. The good news is, you still have two
other Domain Controllers running so Users can still log in. The bad news is, DC-3 is (or
rather was) your Infrastructure Master. You need to get an Infrastructure Master back
online as fast as you can first, and then decide how to get NY-DC3 back.
Seizing Operations Masters for Quick Restoration of Functionality
How to seize an Operations Master Role When The Machine Doesn't Exist Anymore
•The GUI:
– Try to transfer the Operations Master from the GUI like you would normally. A transfer needs the current holder to answer, so when the holder is dead this fails and you fall back to a seizure.
•NTDSUTIL:
– Use NTDSUTIL to seize the role onto the DC that should take over:
1. Go into NTDSUTIL like normal, and don't forget to type activate instance ntds as your first command.
2. Type roles to move into the Roles context.
3. Type connections, then connect to server <DCNAME> (the surviving DC that will hold the role), then quit.
4. Type help to get a list of the commands.
• To seize the Infrastructure Master, type seize infrastructure master. NTDSUTIL tries a graceful transfer first and only seizes if the old holder can't be reached.
• Seizing is a one-way door: never bring the old role holder back onto the network afterward. Two DCs that each believe they hold the RID Master or Schema Master will corrupt the directory. Clean up NY-DC3's metadata and rebuild it from scratch.
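The seizure above, scripted end to end with a safety check in front of it, as an added example that is not from the course. It assumes NY-DC1 is the surviving DC that should take the Infrastructure Master; NY-DC3 is the dead DC from the scenario.

```powershell
# Added example, not from the course. Reports the current Operations Master
# holders, refuses to seize while the current holder still answers, seizes the
# Infrastructure Master onto a surviving DC with ntdsutil, and verifies the result.
# NY-DC3 is the dead DC from the scenario; NY-DC1 as the new holder is assumed.
$NewHolder = 'NY-DC1'   # assumed

function Get-FsmoHolders {
    # dsquery prints the server object's DN for each role, e.g.
    # "CN=NY-DC3,CN=Servers,CN=NewYork,CN=Sites,CN=Configuration,DC=globomantics,DC=com"
    # It reads fSMORoleOwner from the directory, so it still names a dead DC.
    $holders = @{}
    foreach ($role in 'schema', 'name', 'infr', 'pdc', 'rid') {
        $dn = (dsquery server -hasfsmo $role) -join ''
        if ($dn -match 'CN=([^,]+),CN=Servers') { $holders[$role] = $Matches[1] } else { $holders[$role] = $null }
    }
    $holders
}

$before = Get-FsmoHolders
$before.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# A graceful transfer is always preferable: only seize when the holder is really gone.
$current = $before['infr']
if ($current) {
    ping -n 1 -w 1000 $current | Out-Null
    if ($LASTEXITCODE -eq 0) { throw "$current still answers; transfer the Infrastructure Master instead of seizing it." }
}

# ntdsutil takes its commands as arguments. It tries a transfer first and seizes only
# when the old holder cannot be contacted; it pops up a confirmation dialog.
ntdsutil 'activate instance ntds' roles connections "connect to server $NewHolder" quit 'seize infrastructure master' quit quit

$after = Get-FsmoHolders
if ($after['infr'] -ne $NewHolder) { throw "Seizure failed: Infrastructure Master is now '$($after['infr'])'." }
"Infrastructure Master is now held by $NewHolder."

# The Infrastructure Master on a Global Catalog is fine only if every DC is a GC or
# the forest has a single domain; otherwise cross-domain references go stale. Warn.
if (dsquery server -name $NewHolder -isgc) {
    Write-Warning "$NewHolder is a Global Catalog; in a multi-domain forest move the Infrastructure Master to a non-GC DC."
}
# NY-DC3 must never be plugged back in after this. Delete its computer account from
# the Domain Controllers OU (Server 2008 does the metadata cleanup for you there)
# and rebuild it from scratch.
```

The same pattern seizes any of the other roles (seize rid master, seize pdc, seize schema master, seize naming master); the reachability check matters most for the RID and Schema Masters, where a duplicate holder does the most damage.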
Possible Solutions for Restoring Domain Controllers
It all depends…
• If the hardware and the Server 2008 Operating System are okay but Active Directory has been trashed, you can just do a System State Restore from the last backup.
• If your hardware is trashed, build a new Server 2008 box, install Windows Server Backup, and do a Recovery of the last Full Backup of NY-DC3. (Requires the backup to be on a DVD or NAS.) Don't do this after you've already seized NY-DC3's roles elsewhere, or you'll resurrect a second role holder.
• Last, if you don't have access to a set of backup files (shame, shame!!), since NY-DC3 is more of an auxiliary machine, you can
– Delete the NY-DC3 Computer Account from the Domain Controllers OU. On Server 2008, Active Directory Users and Computers does the metadata cleanup for you when you delete a DC there, removing its NTDS Settings, its replication links and its claim on any roles.
– Build a brand new Server 2008 machine, install AD DS and run DCPromo.
– Let replication do the job of restoring the Active Directory database.
– Move the Infrastructure Master back to the new NY-DC3.
Critical Vocabulary
•Toast—What a Domain Controller smells like
when it blows up. Okay, in reality, it smells like
burning plastic and metal, but you get the point.
•That’s all. No new real words this time that you
haven’t already seen.
Hey, wait a minute….
What We Covered
•Seize an Operations Master and thereby
transfer the functionality to a live Domain
Controller.
•Identify a methodology to restore a Domain
Controller to functional status.
After viewing this video, you should be able to:
Video 21
Get Your Old Domain
Controllers Up To Date
Upgrading a Server 2003 Machine to Server 2008
Get Your Old Domain Controllers Up To Date
•Hank just bought a company…in Tokyo!
•Advantages of the Server 2008 Domain
Functional Level
•The Upgrade Process
In this video:
Hank just bought a company….in Tokyo!
Hank’s been on a spending spree, and bought a small
brokerage in Tokyo, Japan for the mere sum of $1.5 million.
The small company, Verde Petra, Inc., is a 10-person shop
that focuses on the Asian markets. Their network is a simple
1 Domain Controller setup with 10 client machines, an
outsourced email solution, and a couple of network printers.
However, their Domain Controller is running a 32-bit edition
of Server 2003, and needs to be upgraded to Server 2008 to
take advantage of all the extras that a Server 2008
Functional Level provides. Before we do anything to
integrate, you need to prepare the Verde Petra Domain
Controller by upgrading it to Server 2008 Enterprise 32-bit.
…and now you have to integrate it into your network!
Advantages of the Server 2008 Domain Functional Level
When you get a 2008 Functional Level, you also get these nifty bonus items!
•Distributed File System Replication (DFSR) for SYSVOL
•Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol
•Last Interactive Logon Information
– GPO found in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options: "Display information about previous logons during user logon"
•Fine-grained password policies
The Upgrade Process
Showtime!
• Before you do anything, make sure your hardware is up to spec, and take a System State backup of the DC. The schema changes adprep makes cannot be undone.
• When upgrading a Domain Controller, you'll need to grab adprep from the \sources\adprep folder of the Server 2008 DVD and run adprep /forestprep on the Schema Master, then adprep /domainprep /gpprep on the Infrastructure Master of each domain (and adprep /rodcprep if you ever want an RODC in the forest). Run them as a member of Schema Admins, Enterprise Admins and Domain Admins, and let the changes replicate before you continue.
• The rest of the upgrade process is simple: put in the DVD, click on the Upgrade option when it comes up, and install as normal.
• NOTE: You cannot upgrade Server 2000 to Server 2008. You would have to first upgrade the Server to 2003 and then to 2008.
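Before running adprep on the Verde Petra DC, a pre-flight check saves a wasted trip: which schema version and functional levels you are starting from, which DCs hold the roles adprep has to run on, and whether you are in the right groups. The following is an added example, not from the course; it uses ADSI only, so it runs on the Server 2003 DC itself, and the only assumed value is the domain's distinguished name.

```powershell
# Added example, not from the course: pre-flight checks to run on the Verde Petra
# DC before adprep. Pure ADSI, so it runs on Server 2003 with PowerShell 1.0.
# Assumed: the domain DN; everything else is read from the directory.
$DomainDn = 'DC=VerdePetra,DC=com'   # assumed

$schemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008' }
$levelNames     = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

# 1. The schema version tells you whether /forestprep has already run and whether
#    the forest is still at the Windows 2000 schema, which cannot go straight to 2008.
$schema    = [ADSI]"LDAP://CN=Schema,CN=Configuration,$DomainDn"
$schemaVer = [int]$schema.objectVersion.Value
"Schema objectVersion: $schemaVer ($($schemaVersions[$schemaVer]))"
if ($schemaVer -lt 30) { throw 'Windows 2000 schema: upgrade to Server 2003 first.' }
if ($schemaVer -ge 44) { 'adprep /forestprep has already been run.' }

# 2. Functional levels. Raising them later is irreversible, so know where you start.
$domain     = [ADSI]"LDAP://$DomainDn"
$partitions = [ADSI]"LDAP://CN=Partitions,CN=Configuration,$DomainDn"
$dfl = [int]$domain.'msDS-Behavior-Version'.Value
$ffl = [int]$partitions.'msDS-Behavior-Version'.Value
"Domain functional level: $dfl ($($levelNames[$dfl])); forest functional level: $ffl ($($levelNames[$ffl]))"

# 3. adprep must run on the right machines as the right person.
$schemaMaster = ((dsquery server -hasfsmo schema) -join '') -replace '^"?CN=([^,]+),.*$', '$1'
$infraMaster  = ((dsquery server -hasfsmo infr)   -join '') -replace '^"?CN=([^,]+),.*$', '$1'
"Run adprep /forestprep on $schemaMaster (needs Schema Admins and Enterprise Admins)"
"Run adprep /domainprep /gpprep on $infraMaster (needs Domain Admins)"
$groups = whoami /groups
foreach ($needed in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
    if (-not ($groups -match $needed)) { Write-Warning "You are not a member of $needed." }
}
```

In a one-DC shop like Verde Petra's both role holders are the same box, but the check is the same one you want in Globomantics, where they are not.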
Critical Vocabulary
• Nope. No new words this round.
Words?
What We Covered
•Prepare a Server 2003 Domain
Controller for Upgrade to 2008 using
adprep
•Upgrade a Server 2003 DC to Server
2008
•Describe the advantages of running a
Server 2008 Functional Level
After watching this video, you should be able to:
Video 22
Connecting the Continents
How to connect two Active Directory Networks
For Fun and Profit (and by using Trusts and DNS)
Connecting the Continents
•Tokyo is now a Server 2008 network--so now
what?
•Our Two Options To Connect Tokyo and New York
•What You Need for Active Directory Federation
Services
•What You Need for a Trust
•The Globomantics/Verde Petra Solution: Trusts
In this video:
Tokyo is now a Server 2008 network--so now what?
So you’ve got Tokyo up to date in terms of the OS and the Domain Functional Level. Now it’s time to make sure that Verde Petra becomes accessible to Globomantics and vice versa.
Hank ponied up for some nifty Virtual Private Network (VPN) technology that allows Tokyo and the New York office to have a direct connection. Eventually, you will want to combine the Verde Petra Domain with the Globomantics domain using the Active Directory Migration Tool, but what you need to do right now is get the two offices connected ASAP so they can share info in ways other than email.
Time to connect ‘em together!
Our Two Options To Connect Tokyo and New York
Actually, there's more than two, but these are a good start.
• *NEW* Active Directory Federation Services allows two separate Active Directory networks to authenticate Users from either Domain to shared web applications. It uses Port 443 (the SSL Port) for secure transmissions, so it works across the Internet without a VPN and without the two forests ever talking LDAP or Kerberos to each other.
• We can also create a Trust between the two Forests, since we have more or less a direct link via VPN between New York and Tokyo. A Trust is the simpler option, but it means the two forests reach each other's DCs directly, which is exactly why the VPN matters.
[Diagram: the globomantics forest (globomantics and na.globomantics) on one side, the VerdePetra.com forest on the other.]
So the question is, do we use Active Directory Federation Services or do we set up some Trust Relationships between the two locations?
What You Need for Active Directory Federation Services
It's not as easy as it sounds
• AD FS is an SSO (Single Sign-On) method of sharing information between two partner networks, usually through a Web Site or application like SharePoint Services or SharePoint Server. Each side keeps its own accounts; the partner only ever sees signed claims about the user, never the password.
• It uses Port 443, the SSL Port, and HTTPS to transfer info back and forth. It also uses cookies to keep track of authentication, so the Web servers need SSL certificates that the partner's clients actually trust.
• Here's what AD FS requires, on each side:
[Diagram: AD DS Server; AD FS Server; Web Server (SharePoint) with SSL Certificate; a DMZ holding a Federation Proxy Server; the two sides connected over the Internet.]
What You Need for a Trust
So much faster to set up…for small environments
• A Trust allows Users from one network to access resources on another network. It grants nothing by itself: you still have to put the trusted users or groups on ACLs (via AGUDLP) on the trusting side.
• As long as there's a secure connection between the two networks (like our VPN), all we really need is a DC on either side that can reach the other's DCs. Kerberos, LDAP and RPC have to flow between them, which is not something you want open across the raw Internet.
• Each Domain should be running at least the Server 2003 Functional Level, and for a Forest Trust both Forests must be at the Server 2003 Forest Functional Level or higher. (Server 2008 preferred.)
[Diagram: an AD DS Server running DNS on each side. DNS must be configured correctly on both to forward requests for the other Domain.]
What You Need For a Trust
The kinds of Trusts
•External Trust—Allows a Domain in one Forest to trust a single Domain in another Forest without trusting every Domain in that Forest. External trusts are not transitive, and SID filtering is on by default.
•Forest Trust—A trust between two Forest Root Domains that lets Users from any Domain inside either Forest use resources in the other. Transitive within the two forests, but it never extends to a third forest that one of them happens to trust.
•Shortcut Trust—Simply lets users reach resources in a different Domain in the same Forest faster, by skipping the walk up and down the trust path through the Forest Root.
•Realm Trust—Allows a Windows Active Directory Network that uses Kerberos to trust a UNIX-based Kerberos realm (and vice versa) to share resources.
What You Need for a Trust
Trust Directions
• Trusts can be one-way or two-way, and transitive or non-transitive
[Diagram: A → B, One-Way Trust]
Network A trusts Network B: A is the trusting domain (it holds the resources), B is the trusted domain (it authenticates the users). Users from Network B can access allowed resources on A, but Users from A cannot access stuff on Network B.
What You Need for a Trust
Trust Directions
[Diagram: A ↔ B, Two-Way Trust]
Network A trusts Network B and Network B trusts Network A. Users from either network can access allowed resources on the other.
What You Need for a Trust
Trust Directions
• Transitive Trusts
[Diagram: A ↔ B ↔ C]
If Domain A trusts Domain B, Domain B trusts Domain C, and both trusts are transitive, then A and C also trust each other without a direct trust between them. Parent-child trusts inside a Forest and Forest Trusts are transitive; External Trusts are not, and Realm Trusts are not by default.
The Globomantics/Verde Petra Solution: Trusts
So here's what you're actually going to do:
Since Hank has already spent the big dollars buying out Verde Petra, your budget is a little slim. Since AD Federation Services requires so much hardware, plus a SharePoint implementation which you know nothing about, it doesn't make any sense to use Federation. Not to mention the fact that eventually you will be using the Active Directory Migration Tool to move all the users from Tokyo into Globomantics, removing the Verde Petra domain altogether and replacing it with tk.globomantics.com.
But not today.
You're going to implement the following Trust relationship strategy between Globomantics and Verde Petra in order to get moving fast!
The Globomantics/Verde Petra Solution: Trusts
Here's what it will look like!
• You're going to implement a two-way Forest Trust between globomantics.com and VerdePetra.com.
[Diagram: the globomantics forest (globomantics, na.globomantics) and VerdePetra.com joined by a Two-Way Forest Trust.]
• You might be tempted to also add an External Trust between Verde Petra and na.globomantics so users get to that domain faster. We really don't need one, though, because the Forest Trust between Verde Petra and Globomantics is transitive: na.globomantics is already covered, and an extra direct trust is just one more relationship to secure and audit.
• Leave SID filtering alone (it's on by default for a new Forest Trust). It is what stops anyone who gains admin rights in Verde Petra from stuffing a Globomantics Domain Admins SID into sIDHistory and walking into New York as an administrator.
The Globomantics/Verde Petra Solution: Trusts
Before we do that, though…
• You need to ensure that the DNS Servers on both Networks are configured to know about each other. The trust wizard can't even find the other forest's DCs until the SRV records for the other domain resolve.
• Both DNS Servers are Active Directory Integrated, but a trust does not make either DNS server know about the other one.
• You will set up a Stub Zone on each DNS Server (a Conditional Forwarder works too), so that any DNS request for resources on the other network is sent to the DNS Server in the other network.
[Diagram: a user on a mapped drive asks for the Tokyo Sales Numbers spreadsheet. The Globomantics server running DNS says "This request is for Verde Petra. I have a Stub Zone that tells me which DNS Server to ask about it," and hands the query to the Verde Petra server running DNS.]
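The whole Globomantics/Verde Petra setup from the last three slides (stub zone, two-way Forest Trust, verification, SID filtering check) as an added example that is not from the course. It runs on a DC in globomantics.com as an Enterprise Admin and creates the trust with the .NET Forest class, which Server 2008 has without any extra module. The Tokyo DNS server's address and the Verde Petra admin account are assumed values; the rest of the names come from the course.

```powershell
# Added example, not from the course. Creates the stub zone, then the two-way
# forest trust between globomantics.com and VerdePetra.com, verifies it and
# checks SID filtering. Run on a DC in globomantics.com as an Enterprise Admin;
# the Tokyo side needs the mirror-image stub zone (shown in the comment).
# Assumed: the Tokyo DNS server's address and a Verde Petra admin account.
$LocalForest  = 'globomantics.com'
$RemoteForest = 'VerdePetra.com'
$RemoteDnsIp  = '10.20.0.10'                  # assumed: Tokyo DNS server
$RemoteAdmin  = 'VERDEPETRA\Administrator'    # assumed
$RemotePass   = Read-Host "Password for $RemoteAdmin"   # prompt; never hard-code it

# 1. DNS. An AD-integrated stub zone for the other forest, replicated forest-wide.
#    Tokyo runs the mirror image:
#      dnscmd <TokyoDns> /ZoneAdd globomantics.com /DsStub <NewYorkDnsIp> /DP /forest
dnscmd localhost /ZoneAdd $RemoteForest /DsStub $RemoteDnsIp /DP /forest
# The trust wizard locates the other forest's DCs through this SRV record; prove it resolves.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteForest" 2>&1
if (-not ($srv -match 'svr hostname')) { throw "DC SRV records for $RemoteForest do not resolve; fix DNS first." }

# 2. The trust itself, via the .NET Forest class. Enterprise Admin rights are
#    needed in both forests, which is what the remote credentials are for.
$localCtx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $LocalForest)
$remoteCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $RemoteForest, $RemoteAdmin, $RemotePass)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($localCtx)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCtx)
$local.CreateTrustRelationship($remote, 'Bidirectional')

# 3. Verify both directions and show what was created.
$local.VerifyTrustRelationship($remote, 'Bidirectional')
$t = $local.GetTrustRelationship($RemoteForest)
"{0} <-> {1}: {2}, {3}" -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection

# 4. SID filtering. On a forest trust it is on unless someone ran /enablesidhistory:yes;
#    with no Yes/No value netdom just reports the current setting. Leave it on: it is
#    what stops a Verde Petra admin injecting a Globomantics Domain Admins SID via sIDHistory.
netdom trust $LocalForest /domain:$RemoteForest /enablesidhistory
# Optional tightening: with selective authentication only users explicitly granted
# "Allowed to authenticate" on a New York server can use the trust at all.
#   netdom trust $LocalForest /domain:$RemoteForest /selectiveauth:yes
```

The ADMT migration planned for later is where SID filtering usually gets switched off (to honour sIDHistory during the move); if that day comes, switch it back on the moment the migration finishes.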
Critical Vocabulary
•Active Directory Federation Services—A Server Role that allows
partner networks to share information across Domains using Single
Sign-On. Most often used to share intranet Web sites and applications
like SharePoint.
•Trusts– A relationship between Forests or Domains that allows sharing
of resources
•Stub Zone—A DNS Zone that simply provides information about
another Domain’s DNS servers.
•Conditional Forwarder—An entry in a DNS server that forwards on a
DNS request if the request meets a specific requirement, i.e. the
request is for information about a computer in another Domain.
•External Trust—Allows separate Domains in separate Forests to trust
each other’s users without trusting every Domain in a Forest.
Yowza! Lots-o-words this time!
Critical Vocabulary
•Forest Trust—Trusts between two Forest Root Domains that can
allow Users from any Domain inside of either Forest to share
Resources.
•Shortcut Trusts—Simply allows users to access resources in a
different Domain faster.
•Realm Trusts—Allows a Windows Active Directory Network that
uses Kerberos to trust a UNIX-based network that also uses
Kerberos to share resources.
•Transitive Trust—A trust property that allows for trusting of other
domains if the domain that is being trusted trusts other domains.
•Active Directory Migration Tool– A free download from Microsoft
that allows you to move Active Directory Objects (i.e. User
Accounts, etc.) between domains for consolidation.
And some more…
What We Covered
•Define the requirements and describe the use of Active
Directory Federation Services.
•Define the types and directions of Trusts.
•Create Stub Zones in a DNS Server in preparation for a
Trust.
•Implement a Two Way Transitive Forest Trust.
•Add A Universal Group from another Domain to a Domain
Local Group in a home Domain.
After viewing this video, you should be able to:
Video 23
Certification: It’s Really
Not That Scary
What it is, what to expect, and how to prepare
Certification: It’s Really Not That Scary
•The New Generation of Certifications
for Server 2008
•The Upgrade Paths for MCSA’s/MCSE’s
•How to Sign Up for a Microsoft Exam
•70-640 Exam Prep Tips
In this video:
The New Generation of Server 2008 Certifications
• The Three New Server
Certification Blocks for
Network Admins
– MCTS
– MCITP: Server
Administrator
– MCITP: Enterprise
Administrator
• There is no “MCSE 2008”
• There is no “MCSA 2008”
New Alphabet Soup for Everyone!
The New Generation of Server 2008 Certifications
•MCTS - Take any one exam from a large selection
•MCITP: Server Administrator Exams (From Scratch - Three Exams)
– 70-640: TS Active Directory
– 70-642: TS Network Infrastructure
– 70-646 Pro: Server Administrator
•MCITP: Enterprise Administrator (From Scratch - Five Exams)
– 70-620: Vista
– 70-640: TS Active Directory
– 70-642: TS Network Infrastructure
– 70-643: TS Server 2008 Application Infrastructure, Configuring
– 70-647 Pro: Enterprise Administrator
What you need to take for each Credential
When you get multiple TS certs, you can
build a nifty logo using MS’s Logo Builder!
The Upgrade Paths for MCSA’s/MCSE’s
• Take Two Exams
– 70-648: Provides 2 Additional MCTS Certs
– 70-646: Provides MCITP
For an MCSA 2003 to Move Up To MCITP: Server Administrator
The Upgrade Paths for MCSA’s/MCSE’s
• Take 4 Tests:
– 70-648: Provides 2 MCTS
– 70-620 or 70-624: TS: Vista
– 70-643: TS: Applications Infrastructure
– 70-647: MCITP: Enterprise
For an MCSA 2003 to Upgrade to MCITP: Enterprise Administrator
The Upgrade Paths for MCSA’s/MCSE’s
• Take Two Tests:
– 70-649: Provides 3 MCTS
– 70-646: MCITP: Server Administrator
For an MCSE 2003 to MCITP: Server Administrator
The Upgrade Paths for MCSA’s/MCSE’s
• Take 3 Exams:
– 70-649: Provides 3 MCTS
– 70-620 or 70-624: TS: Vista
– 70-647: MCITP: Enterprise Administrator
For an MCSE 2003 to MCITP: Enterprise Administrator
How to Sign Up for a Microsoft Exam
•Go to Prometric.com
–it’s easy!
• Prometric is the
exclusive provider of
Microsoft exams.
•Microsoft periodically
offers free Second
Shots – check the
Microsoft site first!
One Web Site To Sign Up For Them All!
70-640 Exam Prep Tips
Prep
• I recommend the MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory from Microsoft Press.
• Take the Transcender Practice Exam several times. Look up the stuff that you miss in this Video Course or in the Microsoft Press Book.
• Review this course at least twice.
• Get some Virtual Machines and push buttons!
70-640 Exam Prep Tips
•Do not stay up all night studying –get good sleep!
•When you go in to the test center, leave your cell phone
and anything else in your car.
•Bring in only 2 forms of ID and your car keys. You must
have 2 forms of ID!!!
•Before taking the test, stop and breathe. Relax.
•During the test, do not forget to breathe.
•Mark Questions for Review the first time through if you
have to think too long about any one of them. You can go
back at the end of the test and answer them later.
On the day of the test…
70-640 Exam Prep Tips
•Know the material.
The Biggest Tip I Can Give You--
What We Covered
•Describe the Requirements for MCTS and the MCITP
Tracks
•Describe the Upgrade Paths for MCSA’s\MCSE’s to
MCITP
•Sign up for an Exam on the Prometric Web Site
After watching this video, you should be able to:
Video 24
DNS Stuff
A Primer On Domain Name Service and How It Fits
In With Active Directory
DNS Stuff
•A Quick Overview of DNS
•What Are DNS Zones Really?
•The Different Kinds of DNS Records
•Forwarders and Root Hints
•Global Name Zones: The WINS Killer
(Kind of)
In this video:
A Quick Overview of DNS
Without DNS, a Domain Controller is a really expensive paperweight
•Domain Name System (DNS) is a Server 2008 Role that's basically a big phone book allowing users and computers to look up a Host's IP Address by using a Host Name.
•The process of finding a computer's IP Address by looking it up by name is called Name Resolution.
•When computers (or hosts) get assigned IP Addresses by DHCP or by an Administrator, they register their name and IP Address with a DNS Server through Dynamic Update. Whether just anyone can do that, or only the machine that owns the record, depends on the zone's dynamic update setting.
•That computer can now be found through Name Resolution, and Active Directory clients find Domain Controllers and the services they offer through the SRV records the DCs register in DNS.
What Are DNS Zones Really?
Big words for simple concepts
•A DNS Zone is basically a text file or database that defines what machines the server knows about in one piece of the "namespace."
•There are 4 basic types of Zones you need to know about:
– *RECOMMENDED FOR SERVER 2008* Active Directory Integrated Zone: the DNS database is stored in Active Directory and replicated with it. No need for Secondary Zones if all your DNS Servers are also DCs, and it is the only zone type that can require Secure Dynamic Updates.
– Primary: Used on a standalone DNS Server, it acts as the master copy of the zone, reading and recording info in a zone file.
– Secondary: A read-only copy of a Primary Zone. It must copy the zone from a DNS Server that has the Primary Zone via a zone transfer, so the primary has to allow transfers to it (and should allow them to nothing else).
– Stub: Only contains the SOA, NS and glue records that say which DNS Servers are authoritative for another zone.
What Are DNS Zones Really?
Why an Active Directory Integrated Zone?
•Let Active Directory manage a lot of the DNS stuff for you!
•AD Integrated Zones allow for:
– Zone data replicated during AD Replication, so no separate zone transfers between DCs
– Multimaster Replication: every DC running DNS can take updates
– Secure Dynamic Updates: only authenticated computers can register, and only the owner of a record can change it, so a rogue machine can't overwrite your DC's or file server's records
– Backwards compatibility with Secondary Zones (if you have any in your network)
What Are DNS Zones Really?
And some more Zones
•Forward Lookup Zones: Look up a Host IP Address by name
•Reverse Lookup Zones: Look up a Host Name by IP Address. Used mostly for security and error checking (log files and auditing tools turn addresses back into names with these).
•Stub Zones: Remember these from the Connecting the Continents video?
•Conditional Forwarders: Used in place of Stub Zones to forward DNS requests about other Domains to a server you name, without that server having to let you read its zone.
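The two zone settings that decide who can tamper with DNS (the dynamic update mode) and who can read all of it at once (zone transfers) are easy to audit from the DNS server itself. This is an added example, not from the course: it reads every primary zone through the MicrosoftDNS WMI provider, reports the weak settings, and fixes the AD-integrated zones with dnscmd. It runs on the Server 2008 DNS server; the zone names come from the server, and nothing else is assumed.

```powershell
# Added example, not from the course. Audits every primary zone on this DNS server
# for the two settings that decide who can tamper with it (dynamic update mode) and
# who can read all of it at once (zone transfers), then fixes the AD-integrated ones.
# Run on the Server 2008 DNS server; zone names come from the server itself.
$updateNames   = @{ 0 = 'none'; 1 = 'nonsecure and secure'; 2 = 'secure only' }
$transferNames = @{ 0 = 'any server'; 1 = 'name servers in NS records'; 2 = 'listed servers'; 3 = 'disabled' }

function Get-ZoneAudit {
    # MicrosoftDNS_Zone: ZoneType 1 = primary (0 cache, 2 secondary, 3 stub, 4 forwarder)
    Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { $_.ZoneType -eq 1 -and -not $_.AutoCreated } |
        ForEach-Object {
            $findings = @()
            if ($_.AllowUpdate -eq 1) {
                if ($_.DsIntegrated) { $findings += 'nonsecure dynamic updates: any host can overwrite any record' }
                else { $findings += 'standard primary zone: secure updates are impossible, convert to AD-integrated' }
            }
            if ($_.SecureSecondaries -eq 0) { $findings += 'zone transfers to anyone: the whole host list is readable anonymously' }
            New-Object PSObject -Property @{
                Zone          = $_.Name
                ADIntegrated  = [bool]$_.DsIntegrated
                DynamicUpdate = $updateNames[[int]$_.AllowUpdate]
                ZoneTransfer  = $transferNames[[int]$_.SecureSecondaries]
                Findings      = ($findings -join '; ')
            }
        }
}

$audit = Get-ZoneAudit
$audit | Format-Table Zone, ADIntegrated, DynamicUpdate, ZoneTransfer, Findings -AutoSize

# Remediate. Updates -> 2 (secure only), which only an AD-integrated zone supports;
# transfers -> none (use /SecureList <ip> instead if you really run secondaries).
# Zones with updates already at "none" (a GlobalNames zone, for instance) are left alone.
foreach ($z in ($audit | Where-Object { $_.Findings })) {
    if ($z.ADIntegrated -and $z.DynamicUpdate -eq 'nonsecure and secure') {
        dnscmd localhost /Config $z.Zone /AllowUpdate 2
    }
    if ($z.ZoneTransfer -eq 'any server') {
        dnscmd localhost /ZoneResetSecondaries $z.Zone /NoXfr
    }
}
```

A standard primary zone with nonsecure updates is the case the script deliberately leaves for you: the fix there is to convert the zone to AD-integrated first (Zone Properties, Change Type), after which the secure-only setting becomes available.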
The Different Kinds of DNS Records
What lives in a DNS Zone?
•A (Host): Name and IPv4 Address of a Host (Computer, Network Printer, PDA, etc.); AAAA is the IPv6 equivalent
•PTR (Pointer): A Record in a Reverse Zone that maps an IP Address back to a name
•SOA (Start of Authority): The beginning record of a Zone, naming its primary server and carrying the serial number that tells secondaries when to transfer
•SRV (Service Locator): For Servers and service-providing Hosts. Active Directory clients find Domain Controllers, Global Catalogs and Kerberos KDCs through SRV records under _msdcs.
•NS (Name Server): A Record that points to a DNS Server authoritative for the zone.
•MX (Mail Exchanger): For Email Servers
•CNAME (Alias): A "nickname" record that allows for multiple names for the same machine.
Forwarders and Root Hints
If the DNS Server doesn't know where a host is, it has to call out
•Root Hints let your DNS Server resolve Internet names itself, by asking the Internet root Name Servers and walking down from there.
•A Forwarder can take the place of Root Hints if your security requirements are higher: the internal DNS Server hands every query it isn't authoritative for to one upstream server you choose, and never talks to the Internet directly.
– You typically use two DNS Servers for this: one inside your network perimeter that has no Root Hints and only forwards, and one on the perimeter (or your ISP's resolver) that does the Internet lookups.
– Internet DNS requests are forwarded out to the Perimeter DNS Server by the internal DNS and the answers brought back in, so only the perimeter box needs outbound port 53 and the internal server's cache can't be poisoned by arbitrary Internet servers.
Global Name Zones: The WINS Killer (Kind of)
Can we replace WINS? Sometimes…
•WINS is an older technology that allows you to use NetBIOS names for Name Resolution.
•Most WINS server technology is being replaced by DNS for speed, reliability, and security.
•The GlobalNames Zone is a NEW feature of Server 2008 for Single-Label Name Resolution (names like "intranet" with no domain suffix).
•Use it for easy access to intranet websites, and as a potential replacement for WINS if you have older network-aware software applications still running that require single-label names (especially if you're rolling over to IPv6, which WINS doesn't support).
•WINS is still available on Server 2008 as a Feature (not a Role) if you need it.
Global Name Zones: The WINS Killer (Kind of)
To create a GlobalNames Zone:
•On each DNS Server that will be authoritative for it, run this command to enable GlobalNames support:
dnscmd /config /enableglobalnamessupport 1
•Then create a new Active Directory Integrated Forward Lookup Zone named GlobalNames, replicated to all DNS Servers in the Forest, with Dynamic Updates turned off. Entries go in by hand, which is the point: nobody gets to register "intranet" for themselves.
•Add CNAME Records for any Web Site or machine you want to have Single-Label Resolution for.
Critical Vocabulary
Oh boy, here we go…
Video 25
AD Certificate Services 101
A Primer on Active Directory Certificate Services
and Public Key Infrastructure
AD Certificate Services 101
•Let’s Talk Security
•Lions and Tigers and Keys and Certificates,
Oh My!
•Respect My Authori-tay!
•I’m Sorry, Dave, I Can’t Do That. Your
Certificate Has Been Revoked.
In this video:
Let’s Talk Security
•Security in networks is a huge area, but a good place to
start is by using Certificate Services as a way to:
– Encrypt Data Files
– Encrypt Remote Communications
– Secure Email
– Secure Logons with Smart Cards
– Secure Servers with Network Access Protection (its IPsec enforcement mode requires health certificates)
– Protect Data from Tampering (digital signatures)
In times such as these…
Lions and Tigers and Keys and Certificates, Oh My!
•A Certificate is a file that contains
– The owner's Public Key, used for encryption and for checking the owner's signatures
– A Digital Signature from the issuing CA, which is what lets anyone verify the certificate wasn't forged or altered
– A name (the subject), which can refer to a person, a computer, a service or an organization
– A validity period (Not Before and Not After dates)
– The location where revocation status can be checked (a CRL Distribution Point URL and, optionally, an Online Responder URL)
• It's used both to encrypt files and communications and to prove identity. The matching Private Key is NOT in the certificate; it stays with the owner and never needs to be sent anywhere.
•A Certificate is generated by a Certificate Authority (that's a CA if you're cool), which signs it with the CA's own Private Key. The CA is one part of a whole Public Key Infrastructure (PKI).
So, that's neat and all, but what is a Certificate?!?!?
Lions and Tigers and Keys and Certificates, Oh My!
Let's Illustrate The Key Thing…
[Diagram: You keep the one Private Key; each of Your Buddies gets a copy of the matching Public Key. Anything they encrypt with the Public Key only your Private Key can open, and anything you sign with the Private Key they can all verify with the Public Key.]
Respect My Authori-tay!
•A Certificate Authority (CA) is a server that issues certificates. The CA at the top of the hierarchy signs its own certificate and is called the "root CA"; every CA below it is a subordinate CA whose certificate was issued by the CA above it.
•Certificates are issued by one of these three types of Certificate Authority and then passed on to users, devices, other servers and so on.
•Certificate Authorities also publish revocation information so that whoever receives a certificate can check it's still good: a Certificate Revocation List, or (new in Server 2008) an Online Responder that answers status queries for one certificate at a time.
The Certificates have to come from somewhere
– Server 2008 Standalone Certificate Authority
– Server 2008 Enterprise Certificate Authority (Integrated into Active Directory)
– Third Party Certificate Authority (i.e. VeriSign, etc.)
Respect My Authori-tay!
•Usually you'll have more than one machine actually doing Certificate Services work.
•With a Standalone CA as your root, you issue certificates to the Subordinate Issuing CAs and then take the Standalone root offline. An offline root can't be attacked over the network, and if an issuing CA is ever compromised you revoke its certificate at the root instead of rebuilding the whole PKI. You do still have to bring the root up now and then to publish a fresh CRL before the old one expires, or everything under it stops validating.
•Pretty much all the work is done manually with a Standalone CA: requests sit pending until an administrator approves them, and it doesn't use certificate templates, so you can't just have it autoenroll users.
Multiple Tiers Provide Multiple Levels of Protection
[Diagram: a Server 2008 Standalone Certificate Authority (the root) with three Server 2008 Subordinate Certificate Issuers beneath it]
Respect My Authori-tay!
•An Enterprise CA stays online all the time and is integrated with Active Directory: it publishes its certificate and CRL to AD and issues from certificate templates stored in AD.
•Enterprise CAs can assign certificates automatically to users and computers in AD using Autoenrollment, which is switched on through Group Policy.
•At least a second tier is still a good idea, and you may have more depending on your security needs. The usual design is a Standalone root kept offline with Enterprise subordinate CAs doing the issuing, so the key everything trusts never sits on a network-connected box.
Enterprise CAs stay online, and need to be highly available
[Diagram: a Server 2008 Enterprise Certificate Authority with three Server 2008 Subordinate Certificate Issuers beneath it]
I'm Sorry, Dave, I Can't Do That. Your Certificate Has Been Revoked.
•When a user presents a certificate to open an encrypted file, set up a secure connection or access whatever has been secured, the application on the receiving side checks the certificate against the issuing CA's Certificate Revocation List (CRL) to make sure it hasn't been revoked. The CRL is downloaded from the CRL Distribution Point URL in the certificate and cached until it expires, so a revocation isn't noticed until the next CRL is published and fetched.
•An Online Responder (OR) can be consulted instead of the whole CRL. The Online Responder (*new* in Server 2008) answers a status query for just the one certificate being presented, so the client doesn't have to download an entire CRL to check it. It's much faster and more efficient, especially once CRLs get large.
•Network Device Enrollment Service (NDES) lets routers and switches, which have no account in AD, request certificates from your CA using the Simple Certificate Enrollment Protocol, if you really think you need it.
CRLs, NDES, and ORs—Could I vague it up even more?
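The certificate fields listed under "Lions and Tigers and Keys and Certificates" and the revocation check described on this slide, seen from the relying party's side. This is an added example, not part of the Train Signal course: it uses the .NET X509 classes present on Server 2008 and Vista, and the file path C:\certs\bubba.cer is an assumption; point it at any .cer you have exported from your own CA or a user.

```powershell
# Added example (not from the Train Signal course): read the fields the slides
# list out of a certificate, then build its chain and check revocation, first
# by fetching the CRL/OCSP data from the URLs embedded in the certificate, then
# from the local cache only. The path is an assumption; use your own .cer file.

$CertPath = 'C:\certs\bubba.cer'   # assumed path to a DER or Base64 encoded .cer

function Get-CertificateSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The certificate carries the public key, subject name, validity period and
    # the URLs used for revocation checking. The private key is NOT in here.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }         # CRL Distribution Points
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } # Authority Information Access (OCSP / CA issuer URLs)
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '(none)' }
    $aiaText = if ($aia) { $aia.Format($true) } else { '(none)' }
    New-Object PSObject -Property @{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        NotBefore      = $Cert.NotBefore
        NotAfter       = $Cert.NotAfter
        PublicKeyAlg   = $Cert.PublicKey.Oid.FriendlyName
        KeySizeBits    = $Cert.PublicKey.Key.KeySize
        SignatureAlg   = $Cert.SignatureAlgorithm.FriendlyName
        Thumbprint     = $Cert.Thumbprint
        CrlDistPoints  = $cdpText
        AuthInfoAccess = $aiaText
    }
}

function Test-CertificateChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    )
    # Build the chain up to a trusted root and check every certificate in it for
    # revocation. Online = fetch CRL/OCSP from the URLs in the certificate;
    # Offline = use only what is already cached on this machine; NoCheck = skip,
    # which lets a revoked certificate pass and has no place in production.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = $RevocationMode
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan(0, 0, 15)
    $valid = $chain.Build($Cert)
    New-Object PSObject -Property @{
        Valid    = $valid
        Mode     = $RevocationMode
        # Each status flag names one failure: NotTimeValid, Revoked,
        # RevocationStatusUnknown, OfflineRevocation, UntrustedRoot, ...
        Problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Get-CertificateSummary -Cert $cert | Format-List
Test-CertificateChain -Cert $cert -RevocationMode Online  | Format-List
Test-CertificateChain -Cert $cert -RevocationMode Offline | Format-List
```

Compare the two chain results: a certificate that passes in Online mode but reports RevocationStatusUnknown or OfflineRevocation in Offline mode has no cached CRL yet, which is exactly what a client sees when the CRL Distribution Point is unreachable. A Revoked status in either mode means the CA has pulled it, whatever the validity dates say.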
Quick Summary
•AD Certificate Services lets you secure just about anything in your network.
•You need at least one Root CA at the top of the hierarchy, and you'll probably have subordinate CAs issue the day-to-day certificates so the Root CA can stay offline and out of reach of abuse.
•Certificate Revocation Lists let the application that receives a certificate check it's still valid when it's used, but the new Online Responder service available in AD CS as of Server 2008 answers per-certificate status queries, which is faster and more efficient.
•The new Network Device Enrollment Service (NDES) lets you include switches and routers in your PKI as well.
AD CS in a Nutshell
Video 26
Active Directory Lightweight
Directory Services 101
A Primer on AD LDS
Active Directory Lightweight Directory Services 101
•What is AD LDS?
•What might it look like on a
network?
•What is an Instance of AD LDS?
In this video:
What is AD LDS?
•Active Directory Lightweight Directory Services (formerly known as ADAM, Active Directory Application Mode) is a Server Role that provides LDAP directory services without the domains, forests, Kerberos and Group Policy that come with AD DS.
•You'll only need it if you're installing Applications, like network-aware commercial apps and Open Source Web apps, that rely on LDAP to authenticate users and to store who is allowed to do what inside that specific Application. Keeping that data in LDS means the app's schema changes and its accounts never touch your production AD DS schema.
•It usually lives on a server separate from your AD DS (sometimes the same server as your Application), and can also be installed on Server Core!
And why in the world would you ever need it?
What might it look like on a network?
Oh, maybe something like this:
[Diagram: a Domain Controller (AD DS), an AD LDS Server running an AD LDS Instance, and a Server running the network-aware Application that queries the instance over LDAP]
What is an Instance of AD LDS?
• An "Instance" of LDS is a running copy of AD LDS: its own Windows service, with its own directory store on disk, its own Schema, and its own LDAP and SSL port numbers.
• You can have multiple Instances of LDS running on the same AD LDS Server, all with their own unique Schema definitions, as long as each one listens on different ports.
• You could have multiple instances of LDS running for multiple applications, each instance customized for that application's requirements and isolated from the others.
• Management Tools for LDS:
– ADSI Edit
– Event Viewer
– Ldp.exe
– NTDSUTIL—Command Line
– LDIFDE—Command Line
– DSDBUTIL—Command Line
– DSACLS—Command Line
Think of each Instance as a separate little directory service with its own data
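What the "network-aware application" on the earlier slide actually does against an Instance: bind to it over LDAP with an account that exists only inside the instance, then search the application partition. This is an added example, not part of the Train Signal course or of AD LDS itself; the host lds01.globomantics.local, the partition CN=HelpDeskApp,DC=globomantics,DC=local, the service account DN and the SSL port 50001 are assumptions (50000/50001 are the LDAP/SSL ports the AD LDS Setup Wizard proposes for the first instance), and it assumes the instance was created with MS-User.LDF imported so the user class exists.

```powershell
# Added example (not from the Train Signal course): the LDAP bind-and-search an
# application performs against an AD LDS instance. Host, ports, partition DN and
# service account are assumptions for the Globomantics lab. Requires PowerShell
# 2.0 and an instance created with MS-User.LDF imported (the 'user' class).

Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdsHost    = 'lds01.globomantics.local'                 # assumed AD LDS server
$LdsSslPort = 50001                                      # assumed SSL port of the instance
$Partition  = 'CN=HelpDeskApp,DC=globomantics,DC=local'  # assumed application partition
$BindUserDn = "CN=svc_helpdesk,CN=Users,$Partition"      # assumed account that lives only in LDS

function Connect-AdLds {
    param([string]$Server, [int]$Port, [System.Management.Automation.PSCredential]$Credential)
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.ProtocolVersion = 3
    # LDAPS first, simple bind second: a simple bind sends the password as-is,
    # so without SSL anyone sniffing the wire gets the service account. This
    # needs a server certificate installed for the instance; if you don't have
    # one yet, use AuthType Negotiate with a Windows account instead of Basic.
    $connection.SessionOptions.SecureSocketLayer = $true
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # LDS accounts bind with their full DN, not DOMAIN\user; GetNetworkCredential()
    # hands that DN and the password to the LDAP client.
    $connection.Credential = $Credential.GetNetworkCredential()
    $connection.Bind()   # throws LdapException (result code 49) on bad credentials
    return $connection
}

function Find-LdsUsers {
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection, [string]$BaseDn)
    # Subtree search below the application partition, asking only for the
    # attributes we need; this is the lookup an app runs to find its users.
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, '(objectClass=user)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('cn', 'memberOf'))
    $response = $Connection.SendRequest($request)
    foreach ($entry in $response.Entries) {
        $groups = 0
        if ($entry.Attributes.Contains('memberOf')) { $groups = $entry.Attributes['memberOf'].Count }
        New-Object PSObject -Property @{
            DistinguishedName = $entry.DistinguishedName
            Name              = [string]$entry.Attributes['cn'][0]
            GroupCount        = $groups
        }
    }
}

# Prompt for the LDS account's password; PSCredential happily takes a DN as the user name.
$password   = Read-Host -Prompt "Password for $BindUserDn" -AsSecureString
$credential = New-Object System.Management.Automation.PSCredential($BindUserDn, $password)

$conn = Connect-AdLds -Server $LdsHost -Port $LdsSslPort -Credential $credential
try {
    Find-LdsUsers -Connection $conn -BaseDn $Partition | Format-Table -AutoSize
} finally {
    $conn.Dispose()
}
```

If the bind fails with result code 49 the DN or password is wrong; if it fails before that with a server-unavailable error, check that the instance has a certificate and is actually listening on the SSL port (the instance's own service name shows the ports in its Event Viewer log on startup).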
Quick Summary
•Active Directory Lightweight Directory Services is a Server Role that provides LDAP services without a domain.
•You'll only need it for applications that require it.
•You don't need AD DS for it, although it can work with AD DS (for example, letting domain users bind to an LDS instance).
•When you install AD LDS, you also need to create an Instance of LDS (a running copy with its own store and ports).
•Most of the tools you'd use for AD LDS are command line based, but there are a few with a GUI, like ADSI Edit and Ldp.exe.
AD LDS in a Nutshell
Video 27
AD Rights Management 101
A Primer on Digital Rights Management in Server
2008
AD Rights Management 101
•What is Rights
Management?
•Some Additional Notes
About RMS
In this video:
What is Rights Management?
Here's what happens with AD RMS
[Diagram: Bubba (the author) and Sergio (the reader), an RMS Server backed by a SQL Server, and Active Directory]
1. Bubba receives a "client licensor certificate" from the RMS server the first time he rights-protects a Word 2007 file he's created.
2. Then Bubba defines a set of usage rights and rules for his file. Word 2007 creates a "publishing license" and encrypts the file.
3. Bubba emails the file or puts it on a share.
4. Sergio clicks the file to open it. Word 2007 calls the RMS server, which validates the user against Active Directory and issues a "use license."
5. Word 2007 opens the file and enforces whatever rights Bubba put on it.
Some Additional Notes About RMS
•The application that creates and opens the file must be RMS-aware (Office 2007 is a good example); it's the application, not the file system, that enforces the rights.
•The Rights assigned to the File travel along with the File, because the file itself is encrypted and the rules ride with it in the publishing license.
•If somebody isn't on the list of users who can open a file, they can't get into the file, even if they have NTFS permission to read the bytes.
•The Certificates used in RMS are not dependent on AD Certificate Services; they're created and issued by the RMS Server, not a Certificate Authority.
•AD RMS in Server 2008 supports AD Federation Services, and it can be used with SharePoint deployments as well.
•There are fantastic Reporting Tools built into AD RMS in Server 2008 for auditing who's accessed a document, who failed to access a document, etc.
Some stuff you'll want to know
Quick Summary
•Rights Management Services requires an RMS Server, a SQL Server, an AD DS Domain Controller, and an RMS-aware application (such as Office 2007).
•The Author of a document sets up who gets to do what with the Document, and does that from inside the RMS-aware App (like Word 2007 or Excel 2007) based on Users and Groups from Active Directory.
•You don't need a separate AD Certificate Services system for RMS.
•It works with AD FS and SharePoint.
•There are seriously cool tools to audit who's had access to the protected files.
RMS in a Nutshell