7/27/2019 W2K8 AD Configuration
1/25
Windows 2008 Active Directory Configuration
Microsoft Test: 70-640
Mark McCoy
MCSE, CNE, CISSP
Agenda
Introductions
MS 70-640 Test Objectives
Certification Text
Study Group/Certification Schedule
Week 1 Assignment
Week 1 Discussion: Ch 1 & 2
Questions & Answers
Week 1 Homework Assignment
Introductions
Me
Name: Mark McCoy
Email: [email protected]
Phone: 402-317-0507
WWW: www.realmccoysystems.com
Blog/Questions: realmccoysystems.Wordpress.com
You
Who Are You?
Why are you attending this Group?
What is your Career Goal?
MS 70-640 Test Objectives
http://www.microsoft.com/learning/en/us/exams/70-640.aspx
Configuring the Active Directory infrastructure (25 percent)
Creating and maintaining Active Directory objects (24 percent)
Configuring Domain Name System (DNS) for Active Directory (16 percent)
Maintaining the Active Directory environment (13 percent)
Configuring Active Directory Certificate Services (13 percent)
Configuring additional Active Directory server roles (9 percent)
70-640 Certification Text
MCTS: Windows Server 2008 Active Directory Configuration (Exam 70-640)
by Will Panek and James Chellis, Sybex 2008
Virtual Library Link: http://library.books24x7.com.proxy.itt-tech.edu/toc.asp?bookid=25192
Study Group Certification Schedule
The Group will meet three Saturdays a Month (the fourth Saturday will be for the IT Professionals Club Meeting)
We will meet after the IT Professionals Club on the fourth Saturday to stay on Schedule
We should plan to complete 70-640 test preparation prior to June 15 to provide an opportunity to take the test before June 30
Week 1 Assignment
Read and be prepared to discuss Chapters 1 and 2 of the text
Chapter 1: Overview of Active Directory
The Windows NT 4 Domain Construct (the Roots of The Active Directory Tree and Forest)
The Benefits of Active Directory
The Logical Structure of Active Directory
Understanding Active Directory Objects
Windows 2008 Server Roles
Identity and Access (IDA) in Active Directory
Exam Essentials
The Windows NT 4 Domain Construct
The NT 4 Domain was used to organize users and secure resources
The NT 4 Domain utilized a FLAT security Database called a Security Access Manager (SAM) Database
The SAM Database was stored on the Primary Domain Controller (PDC), a Read/Write copy of the SAM, and copied to a Backup Domain Controller (BDC), a Read-Only copy of the SAM, for redundancy
The Domain constituted a Single Administrative Unit
Windows NT 4 utilized both User Domains and Resource Domains due to limitations on the number of objects a single domain could account for
The Benefits of Active Directory
Active Directory implements a Hierarchical Structure of Logical as well as Physical Objects, which can, and often do, mimic the Organizational Structure
The Security Database is now stored on multiple Read/Write Domain Controllers
Active Directory implements a multi-master domain controller model: not PDCs or BDCs, but only Domain Controllers, each with the same rights
Active Directory can store Millions of Objects, thereby eliminating the need for separate User and Resource Domains
Active Directory implements a Distributed, but Centralized Security Database
Active Directory is actually a database, which can be extended (extensible), has a Schema (design), and can be queried for information
The Domain Concept has been maintained and serves as a Security Boundary within the database
The Logical Structure of Active Directory
Data Store: The term data store is used to refer to the actual structure that contains the information stored within Active Directory. The data store is implemented as a set of files that resides within the file system of a domain controller.
Schema: Structure or design of the Active Directory database
  Attributes: things that describe an object
  Classes: a Category of Objects
Global Catalog: A database that contains all of the information pertaining to objects within all domains in the Active Directory environment
Replication: The process of copying the Active Directory Database, to include objects, permissions, logical structure, etc., from one Domain Controller to another
Domains, Trees, Forests
  Domain: The Basic Unit (Security Boundary) of Active Directory
  Tree: One or more domains in a CONTIGUOUS name space
  Forest: A collection of Domains that may NOT be contiguous
Hierarchical Structure: The Active Directory Structure is Hierarchical as opposed to flat
Inheritance: By default, permissions and policies within the domain flow down the hierarchy
Trust Relationships: One Domain/Forest must Trust the Other in order to grant permissions from one Domain/Forest to the Other. Trusts are Transitive (If A trusts B, and B trusts C, it is implied A trusts C)
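The transitive-trust rule on this slide ("if A trusts B and B trusts C, A trusts C") is easiest to reason about as a directed graph, which is also how a defender audits which accounts a resource domain will ultimately accept. The Python below is an added example, not code from the deck or from Microsoft: each trust is modelled as a directed edge from the trusting domain to the trusted domain, a two-way trust is two edges, and every domain name is constructed.

```python
"""Added example (not from the deck): the transitive-trust rule on the slide,
'if A trusts B and B trusts C, then A trusts C', worked out as a directed
graph search.  All domain names below are constructed."""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (trusting_domain, trusted_domain): the first domain accepts accounts from
# the second.  A two-way trust is recorded as two tuples.  Constructed data.
CONSTRUCTED_TRUSTS: List[Tuple[str, str]] = [
    ("example.com", "corp.example.com"),
    ("corp.example.com", "example.com"),
    ("corp.example.com", "sales.corp.example.com"),
    ("sales.corp.example.com", "corp.example.com"),
    ("example.com", "partner.test"),  # one-way: partner.test does not trust back
]


def build_trust_graph(trusts: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Adjacency map: domain -> set of domains it trusts directly."""
    graph: Dict[str, Set[str]] = {}
    for trusting, trusted in trusts:
        graph.setdefault(trusting, set()).add(trusted)
        graph.setdefault(trusted, set())
    return graph


def trust_path(graph: Dict[str, Set[str]], trusting: str, trusted: str) -> Optional[List[str]]:
    """Shortest chain of direct trusts from `trusting` to `trusted`, or None.

    Breadth-first search; neighbours are visited in sorted order so the result
    is deterministic when several equally short chains exist."""
    if trusting == trusted:
        return [trusting]
    previous: Dict[str, Optional[str]] = {trusting: None}
    queue = deque([trusting])
    while queue:
        current = queue.popleft()
        for nxt in sorted(graph.get(current, ())):
            if nxt in previous:
                continue
            previous[nxt] = current
            if nxt == trusted:
                path = [nxt]
                while previous[path[-1]] is not None:
                    path.append(previous[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def transitively_trusted(graph: Dict[str, Set[str]], trusting: str) -> Set[str]:
    """Every domain whose accounts `trusting` will accept, directly or via a chain."""
    seen: Set[str] = set()
    stack = [trusting]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt != trusting and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def can_grant(graph: Dict[str, Set[str]], resource_domain: str, account_domain: str) -> bool:
    """The slide's rule: permissions can be granted to an account only if the
    resource's domain trusts the account's domain, directly or transitively."""
    return trust_path(graph, resource_domain, account_domain) is not None


if __name__ == "__main__":
    g = build_trust_graph(CONSTRUCTED_TRUSTS)
    for dom in sorted(g):
        print(f"{dom} transitively trusts: {sorted(transitively_trusted(g, dom))}")
    print(trust_path(g, "sales.corp.example.com", "partner.test"))
```

Note that direction matters: in the constructed data example.com trusts partner.test, so a resource in sales.corp.example.com can be granted to a partner.test account through a three-hop chain, but nothing in partner.test can be granted to example.com accounts because no edge leads out of partner.test.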
Understanding Active Directory Objects
GUID and SID: Each object in Active Directory has a globally unique identifier (GUID) or security identifier (SID)
Organization: Organization (O) is the company or root-level domain
Domain Component: Domain component (DC) is a portion of the hierarchical path
Common Names: Common name (CN) specifies the names of objects in the directory
Organizational Unit: A logical grouping of User Accounts and Resources
User Accounts (Common Names, CN): Users within Active Directory
Computer Accounts: Workstations or Servers in Active Directory
Distinguished Names: The Full Name of an Object Starting from the Root of the Domain
Relative Names: The Name of an Object from a Particular point within the Domain
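To make the CN / OU / DC / distinguished-name / relative-name vocabulary above concrete, here is an added Python example (not from the deck or from any Microsoft tool) that takes a distinguished name apart, recovers the relative name, the parent container and the domain's DNS name, and checks whether an object sits under a given OU. The sample DN is constructed; it includes an escaped comma because names such as "Last, First" are common in real directories and trip up naive splitting.

```python
"""Added example (not from the deck): pulling a distinguished name (DN) apart
into the CN / OU / DC components the slide defines.  The sample DN is
constructed; real DNs from the lab would have the same shape."""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Mark McCoy")

# Constructed sample: a user whose common name contains an escaped comma.
SAMPLE_DN = "CN=McCoy\\, Mark,OU=Instructors,OU=Staff,DC=example,DC=com"


def _split_rdn(rdn: str) -> RDN:
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    return attr.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[RDN]:
    """Split 'CN=a,OU=b,DC=c' into (type, value) pairs, leftmost (the object) first.

    A backslash escapes the next character, so a comma that is part of a value
    ('CN=McCoy\\, Mark') does not split the name."""
    rdns: List[RDN] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def _escape(value: str) -> str:
    """Re-escape a value so that join_dn() produces a valid DN again."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def join_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{attr}={_escape(value)}" for attr, value in rdns)


def relative_dn(dn: str) -> str:
    """The relative name: the object's own name as seen from its container."""
    return join_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """Everything after the first RDN: the container the object lives in."""
    return join_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC components into the domain's DNS name, root on the right."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def is_under(dn: str, container: str) -> bool:
    """True when `dn` sits at or below `container` in the tree (case-insensitive),
    i.e. the container's RDNs are a suffix of the object's RDNs."""
    obj = [(a, v.lower()) for a, v in parse_dn(dn)]
    cont = [(a, v.lower()) for a, v in parse_dn(container)]
    return len(obj) >= len(cont) and obj[len(obj) - len(cont):] == cont


if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
    print("RDN:   ", relative_dn(SAMPLE_DN))
    print("parent:", parent_dn(SAMPLE_DN))
    print("domain:", domain_dns_name(SAMPLE_DN))
```

The suffix check in is_under is the same question inheritance asks: a permission or policy set on OU=Staff flows down to every object whose DN ends in that container's RDNs.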
Windows 2008 Server Roles
Server Manager (New in 2008): Server Manager is a Microsoft Management Console (MMC) snap-in that allows an administrator to view information about server configuration
Active Directory Certificate Services: Used to provide HTTPS, Secure FTP, etc. Services; Public Key Encryption
Active Directory Domain Services: Becoming a Domain Controller; Can now configure a Read-Only Domain Controller
Active Directory Federation Services: Single Sign-on across multiple platforms; Organizations can set up trust relationships with other trusted organizations so a user's digital identity and access rights can be accepted without a secondary password
Active Directory Lightweight Directory Services: This type of service allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires
Active Directory Rights Management Services: Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. This access can be used to secure email messages, internal websites, and documents
Identity and Access (IDA) in Active Directory
Users may have to access resources on different types of hardware, software, and devices. Many of these systems and devices do not always communicate with each other, so it is not unusual for users to have multiple identities on multiple systems.
IDA Provides a means to manage Identity and Access on Multiple Systems
IDA solutions can be categorized into five distinct areas:
  Directory services
  Strong authentication
  Federated Identities
  Information protection
  Identity Lifecycle Management
Chapter 1 Exam Essentials
Understand the problems that Active Directory is designed to solve. The creation of a single, centralized directory service can make network operations and management much simpler. Active Directory solves many shortcomings in Windows NT's domain model.
Understand Active Directory design goals. Active Directory should be structured to mirror an organization's logical structure. Understand the factors that you should take into account, including business units, geographic structure, and future business requirements.
Understand Windows Server 2008 server roles. Understand what the five Active Directory Windows Server 2008 server roles (AD CS, AD DS, AD FS, AD LDS, and AD RMS) do for an organization and its users.
Understand identity and access (IDA) solutions. Understand how IDA can help organizations solve the problems associated with multiple usernames and passwords. Understand how the Active Directory Windows Server 2008 server roles work with and affect IDA.
Chapter 2: Domain Name System (16% of Test)
Introducing DNS
Introducing DNS Zones
New Functionality in Windows Server 2008 DNS
Introducing DNS Record Types
Configuring DNS
Monitoring and Troubleshooting DNS
Exam Essentials
Introducing DNS
The Domain Name System (DNS): A service designed to resolve Internet Protocol (IP) addresses to hostnames
DNS Roles:
  DNS Server: Provides DNS Service
  DNS Client: Requests DNS Service
  Resolver: Software Process to Determine IP Address from Host Address
Dynamic versus Non-Dynamic DNS
  Dynamic DNS (RFC 2136) allows clients to update their DNS Entry automatically (via DHCP Server)
  In Non-Dynamic DNS, the client systems do not have the ability to update DNS. Updates must be made manually
  Non-Secure Dynamic DNS: Computers that are not part of Active Directory can Dynamically Update their DNS Entry
  Secure Dynamic DNS: Only members of the Active Directory Domain can dynamically update their DNS Entry
DNS Queries
  Iterative: Client Queries DNS Servers in turn until the IP address is found
  Recursive: Client makes a request of its local DNS Server. The DNS Server performs the remaining queries.
  Inverse Queries: Use pointer records (IP Address) to find the Host
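The three query types on this slide differ in who does the walking. The added Python model below (not from the deck; every server name, host name and address is constructed) builds a toy root / .com / example.com hierarchy, then shows an iterative resolver following referrals itself, a recursive server taking one request from the client and performing the remaining queries on its behalf (with a cache, so a repeat request costs no upstream traffic), and the in-addr.arpa name that an inverse query looks up.

```python
"""Added example (not from the deck): iterative versus recursive resolution,
plus the reverse-lookup name used by inverse (PTR) queries, modelled on a toy
hierarchy root -> com -> example.com.  Names, servers and addresses are
constructed."""
from typing import Any, Dict, List, Optional, Tuple


class NameServer:
    """Answers for the names it is authoritative for, otherwise refers the
    asker to the server responsible for the longest matching zone."""

    def __init__(self, name: str, answers: Optional[Dict[str, str]] = None,
                 referrals: Optional[Dict[str, "NameServer"]] = None) -> None:
        self.name = name
        self.answers = answers or {}        # fqdn -> IPv4 address
        self.referrals = referrals or {}    # zone -> server to ask next

    def query(self, fqdn: str) -> Tuple[str, Any]:
        """Return ('answer', ip), ('referral', server) or ('nxdomain', None)."""
        if fqdn in self.answers:
            return "answer", self.answers[fqdn]
        best: Optional[Tuple[str, "NameServer"]] = None
        for zone, server in self.referrals.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, server)   # longest matching zone wins
        return ("referral", best[1]) if best else ("nxdomain", None)


def build_hierarchy() -> NameServer:
    """Constructed three-level hierarchy; returns the root server."""
    auth = NameServer("ns1.example.com", answers={"www.example.com": "192.0.2.10"})
    tld = NameServer("com-tld", referrals={"example.com": auth})
    return NameServer("root", referrals={"com": tld})


ROOT = build_hierarchy()


def iterative_resolve(start: NameServer, fqdn: str) -> Tuple[Optional[str], List[str]]:
    """Iterative: the asker follows each referral itself.  Returns the address
    (or None) and the list of servers it had to contact, in order."""
    trail: List[str] = []
    server = start
    for _ in range(16):                    # bound against referral loops
        trail.append(server.name)
        kind, payload = server.query(fqdn)
        if kind == "answer":
            return payload, trail
        if kind == "nxdomain":
            return None, trail
        server = payload
    return None, trail


class RecursiveServer:
    """The client's local DNS server: takes one request from the client and
    performs the remaining (iterative) queries on its behalf, caching results."""

    def __init__(self, root: NameServer) -> None:
        self.root = root
        self.cache: Dict[str, str] = {}
        self.upstream_queries = 0

    def resolve(self, fqdn: str) -> Optional[str]:
        if fqdn in self.cache:
            return self.cache[fqdn]        # answered from cache: no upstream traffic
        ip, trail = iterative_resolve(self.root, fqdn)
        self.upstream_queries += len(trail)
        if ip is not None:
            self.cache[fqdn] = ip
        return ip


def ptr_name(ipv4: str) -> str:
    """Name looked up by an inverse query: octets reversed under in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


if __name__ == "__main__":
    print("iterative:", iterative_resolve(ROOT, "www.example.com"))
    local = RecursiveServer(ROOT)
    print("recursive:", local.resolve("www.example.com"), "upstream queries:", local.upstream_queries)
    print("ptr:", ptr_name("192.0.2.10"))
```

The trail returned by iterative_resolve is what the client itself would have to send in the iterative case (three queries to three servers); with the recursive server the client sends one query and the server's upstream_queries counter absorbs the rest, which is also why the cache on that server, and ipconfig /displaydns on the client, matter when a record has just changed.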
Introducing DNS Zones
Primary Zones: The primary zone is responsible for maintaining all of the records for the DNS zone. All record updates occur on the primary zone.
Secondary Zones: Secondary zones are non-editable copies of the DNS database. Used for load balancing (also referred to as load sharing). A secondary zone gets its database from a primary zone.
Active Directory Integrated Zones: All Zone Information is maintained in Active Directory; Zone Information is replicated with that of Active Directory; Zone information is more secure
Stub Zones: Only contain the IP Address of the Primary Zone DNS Server. Stub zones work a lot like secondary zones: the database is a non-editable copy of a primary zone. The stub zone's database contains only the information necessary (three record types) to identify the authoritative DNS servers for a zone
Zone Transfers: Full Zone Transfer (AXFR); Incremental Transfer (IXFR)
Replication: Active Directory Integrated Zone Transfers are part of the Replication Process
New Functionality in Windows Server 2008 DNS
Background zone loading: If an organization had to restart a DNS server with an extremely large Active Directory Integrated DNS zones database in the past, it could take hours for DNS data to be retrieved from Active Directory. During this time, the DNS server was unable to service any client requests. To address this issue, Microsoft Windows Server 2008 DNS has implemented background zone loading. As the DNS restarts, the Active Directory zone data populates the database in the background. This allows the DNS server to service client requests for data from other zones almost immediately after a restart.
Support for TCP/IP version 6 (IPv6): IP Version 6 is a 128-bit Hexadecimal Number; Four Sets of 32 Bits
Read-only domain controllers: Functions as a Domain Controller to support Logon Authentication and resource location, but is read-only
GlobalName zone: Intended to assist in the transition from WINS resolution to DNS. These use single-label names (DNS names that do not contain a suffix such as .com, .net, etc.) the same way WINS does. GlobalName zones are not intended to support peer-to-peer networks and workstation name resolution, nor do they support dynamic DNS updates.
Configuring DNS
Installing DNS Through Server Manager
Load Balancing through Round Robin: You set up round robin load balancing by creating multiple resource records with the same hostname but different IP addresses for multiple computers. If round robin is enabled, when a client requests name resolution, the first address entered in the database is returned to the resolver and is then sent to the end of the list. The next time a client attempts to resolve the name, the DNS server returns the second name in the database (which is now the first name) and then sends it to the end of the list, and so on.
Configuring a Caching-Only Server
Setting Zone Properties: SOA, Name Servers, WINS, Zone Transfers, Security, etc.
Configuring Dynamic Updates
Creating Delegated DNS Zones
Manually Creating Records
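The round-robin behaviour described on this slide is simple enough to simulate exactly, and doing so makes its limits visible. The Python below is an added example (not from the deck and not Windows DNS server code; host names and addresses are constructed): an in-memory zone with several A records for one host name returns the list in its current order and then moves the first address to the end, so successive clients are handed different first addresses; with round robin disabled the order never changes.

```python
"""Added example (not from the deck): the round-robin rotation the slide
describes, simulated on an in-memory zone.  Illustrative Python, not Windows
DNS server code; the host names and addresses are constructed."""
from typing import Dict, List


class RoundRobinZone:
    """Holds A records per host name and, when round robin is enabled, rotates
    the list after every answer exactly as the slide describes: the first
    address is returned at the head of the answer and then moved to the end."""

    def __init__(self, round_robin: bool = True) -> None:
        self.round_robin = round_robin
        self._records: Dict[str, List[str]] = {}

    @staticmethod
    def _key(name: str) -> str:
        return name.lower().rstrip(".")     # DNS names are case-insensitive

    def add_a_record(self, name: str, address: str) -> None:
        self._records.setdefault(self._key(name), []).append(address)

    def resolve(self, name: str) -> List[str]:
        """Full answer (all addresses, in current order), then rotate the list."""
        addresses = self._records.get(self._key(name))
        if not addresses:
            return []
        answer = list(addresses)            # copy: the caller gets a snapshot
        if self.round_robin and len(addresses) > 1:
            addresses.append(addresses.pop(0))
        return answer


def first_addresses(zone: RoundRobinZone, name: str, queries: int) -> List[str]:
    """Which address each of `queries` successive clients would try first."""
    return [zone.resolve(name)[0] for _ in range(queries)]


def build_sample_zone(round_robin: bool = True) -> RoundRobinZone:
    """Constructed zone: three web servers behind one host name."""
    zone = RoundRobinZone(round_robin=round_robin)
    for address in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        zone.add_a_record("www.example.com", address)
    zone.add_a_record("mail.example.com", "10.0.0.25")   # single record: nothing to rotate
    return zone


if __name__ == "__main__":
    zone = build_sample_zone()
    for _ in range(4):
        print(zone.resolve("WWW.example.com."))
    print(first_addresses(build_sample_zone(round_robin=False), "www.example.com", 3))
```

Two caveats the simulation makes obvious: the rotation knows nothing about host health, so an address belonging to a server that is down keeps being handed out in its turn; and the rotation happens on the server, so a client that caches the answer (see ipconfig /displaydns) keeps using the same first address for the record's lifetime rather than seeing the next rotation.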
Monitoring and Troubleshooting DNS
Monitoring DNS with the DNS Snap-In
Troubleshooting DNS
Using Nslookup: Windows Server 2008 gives you the ability to launch nslookup from the DNS snap-in.
  Using Nslookup on the Command Line: nslookup DNS_name_or_IP_address server_IP_address
  Using Nslookup in Interactive Mode
Using DNSLint: dnslint /d helps diagnose reasons that cause "lame delegation" and other related DNS problems. dnslint /ql helps verify a user-defined set of DNS records on multiple DNS servers. dnslint /ad helps verify DNS records pertaining to Active Directory replication. Here is the syntax for DNSLint:
Using Ipconfig
  ipconfig /all: Displays additional information about DNS, including the FQDN and the DNS suffix search list.
  ipconfig /flushdns: Flushes and resets the DNS resolver cache. For more information about this option, see the section "Configuring DNS" earlier in this chapter.
  ipconfig /displaydns: Displays the contents of the DNS resolver cache. For more information about this option, see "Configuring DNS" earlier in this chapter.
  ipconfig /registerdns
Chapter 2 Exam Essentials
Understand the purpose of DNS: Resolve Host name to IP Address
Understand the different parts of the DNS database: SOA, MX, Host, PTR, SRV, NS records
Know how DNS resolves names
Understand the differences among DNS servers, clients, and resolvers
Know how to install and configure DNS
Know how to create new forward and reverse lookup zones
Know how to configure zones for dynamic updates
Know how to delegate zones for DNS
Understand the tools that are available for monitoring and troubleshooting DNS
Questions and Answers
Week 2 Assignment/Homework
Week 2 Lab Preparation:
  Download Lab Software from www.DreamSpark.com
  Download Windows 2008 Server ISO (FREE)
  Download Microsoft Virtual PC 2007 Install (FREE)
  Get HD (those who haven't gotten theirs yet) from IT Chair; Can also use personal laptops
Week 2 Reading:
  Read Chapter 3: Planning and Installation of Active Directory
  Read Chapter 4: Installing and Managing Trees and Forests