Introduction to Microsoft Active Directory

Introduction to Active Directory Domain Services

Module Overview
- Overview of AD DS
- Overview of AD DS Logical Components
- Overview of AD DS Physical Components

Lesson 1: Overview of AD DS
- Why Deploy AD DS?
- What is Authentication?
- What is Authorization?
- Using AD DS to Centralize Network Management
- Overview of AD DS Components

Why Deploy AD DS?
AD DS provides a centralized system for managing users, computers, and other resources on a network.
AD DS features include:
- Centralized directory
- Single sign-on access
- Integrated security
- Scalability
- Common management interface

What is Authentication?
Authentication is the process of verifying a user's identity on a network.
Authentication includes two components:
- Interactive logon grants access to the local computer
- Network authentication grants access to network resources

What is Authorization?
Authorization is a process of verifying that an authenticated user has permission to perform an action.
- Security principals are issued security identifiers (SIDs) when the account is created
- User accounts are issued security tokens during authentication that include the user's SID and all related group SIDs
- Shared resources on a network include access control lists (ACL) that define who can access the resource
- The security token is compared against the DACL on the resource and access is granted or denied

Using AD DS to Centralize Network Management
AD DS centralizes network management by providing:
- Single location and set of tools for managing user and group accounts
- Single location for assigning access to shared network resources
- Directory service for AD DS enabled applications
- Options for configuring security policies that apply to all users and computers
- Group policies to manage user desktops and security settings

Overview of AD DS Components
AD DS is composed of both physical and logical components.

| Physical Components | Logical Components |
| --- | --- |
| Data store | Partitions |
| Domain controllers | Schema |
| Global catalog server | Domains |
| Read-Only Domain Controller (RODC) | Domain trees |
| | Forests |
| | Sites |
| | Organizational units (OUs) |

Lesson 2: Overview of AD DS Logical Components
- What is the AD DS Schema?
- What is a Domain?
- What are AD DS Trusts?
- What is a Domain Tree?
- What is a Forest?
- What is an OU?
- What are AD DS Objects?
- Demonstration: Tools for Managing the AD DS Logical Components

What is the AD DS Schema?
The AD DS Schema:
- Defines every type of object that can be stored in AD DS
- Enforces rules regarding object creation and configuration

| Object Types | Function | Examples |
| --- | --- | --- |
| Class Object | Defines what new objects can be created in the directory | User class, Computer class |
| Attribute Object | Defines what information can be stored for each object class | Display name |

What is a Domain?
Domains are logical directory components used to group and manage the AD DS objects in an organization.
Domains provide:
- An administrative boundary for applying policies to groups of objects
- A replication boundary for replicating data between domain controllers
- An authentication and authorization boundary that provides a way to limit the scope of access to resources
[Diagram: domain WoodgroveB]

What are AD DS Trusts?
Trusts provide a mechanism for users to gain access to resources in another domain.

| Types of Trusts | Description |
| --- | --- |
| Directional | The trust direction flows from trusted domain to the trusting domain |
| Transitive | The trust relationship is extended beyond a two-domain trust to include other trusted domains |

- All domains in a forest trust all other domains in the forest
- Trusts can extend outside the forest
[Diagram labels: Access, Trust, Trust & Access]

What is a Domain Tree?
A domain tree is a hierarchy of domains in AD DS.
All domains in the domain tree:
- Have a contiguous namespace with the parent domain
- Can have additional child domains added to the namespace
- Have a two-way transitive trust with other domains in the tree
[Diagram: WoodgroveB, NA.WoodgroveB, EMEA.WoodgroveB]

What is a Forest?
A forest is a collection of one or more domain trees.
Forests:
- Share a common schema
- Share a common configuration partition
- Share a common global catalog to enable searching
- Enable trusts between all domains in the forest
- Share the Enterprise Admins and Schema Admins groups

What is an OU?
OUs are Active Directory containers that can contain users, groups, computers, and other OUs.
OUs are used to:
- Represent your organization hierarchically and logically
- Manage a collection of objects in a consistent way
- Delegate permissions to administer groups of objects
- Apply policies

What are AD DS Objects?

| Object | Description |
| --- | --- |
| User | Enables network resource access for a user |
| InetOrgPerson | Similar to a user account. Used for compatibility with other directory services |
| Contacts | Used primarily to assign e-mail addresses to external users. Does not enable network access |
| Groups | Used to simplify the administration of access control |
| Computers | Enables authentication and auditing of computer access to resources |
| Printers | Used to simplify the process of locating and connecting to printers |
| Shared folders | Enables users to search for shared folders based on properties |

Lesson 3: Overview of AD DS Physical Components
- What are AD DS Domain Controllers?
- Overview of DNS and AD DS
- What are Global Catalog Servers?
- What is the AD DS Data Store?
- What is AD DS Replication?
- What are Sites?
- Demonstration: Tools for Managing the AD DS Physical Components

What are AD DS Domain Controllers?
A domain controller is a server with the AD DS server role installed.
Domain controllers:
- Host a copy of the AD DS directory store
- Provide authentication and authorization services
- Replicate updates to other domain controllers in the domain and forest
- Allow administrative access to manage user accounts and network resources
Windows Server 2008 AD DS supports RODCs.

Overview of DNS and AD DS
AD DS requires a DNS infrastructure.
- AD DS domain names must be DNS domain names
- AD DS domain controller records must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers
- DNS zones can be stored in AD DS as Active Directory integrated zones
[Diagram labels: DNS Domain Name, DNS, DNS Zone]

What are Global Catalog Servers?
Global catalog servers are domain controllers that also store a copy of the global catalog.
The global catalog:
- Contains a copy of all AD DS objects in a forest that includes only some of the attributes for each object in the forest
- Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers
- Is required for users to log on to a domain

What is the AD DS Data Store?
The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications.
The AD DS data store:
- Consists of the Ntds.dit file
- Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
- Is accessible only through the domain controller processes and protocols

What is AD DS Replication?
AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest.
AD DS replication:
- Ensures that all domain controllers have the same information
- Uses a multimaster replication model
- Can be managed by creating AD DS sites
The AD DS replication topology is created automatically as new domain controllers are added to the domain.

What are Sites?
An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection.
Sites are:
- Associated with IP subnets
- Used to manage replication traffic
- Used to manage client logon traffic
- Used by site aware applications such as Distributed File Systems (DFS) or Exchange Server 2007
- Used to assign group policy objects to all users and computers in a company location

Demonstration: Tools for Managing the AD DS Physical & Logical Components
In this demonstration, you will see tools used for managing the AD DS physical and logical components.

Module 2: Implementing Active Directory Domain Services

Module Overview
- Installing Active Directory Domain Services
- Configuring AD DS Domain Controller Roles

Lesson 1: Installing Active Directory Domain Services
- Requirements for Installing AD DS
- What Are Domain and Forest Functional Levels?
- AD DS Installation Process

Requirements for Installing AD DS
Requirements to install AD DS:
- Administrator permissions
  - Local Administrator permissions to install the first domain controller in a forest
  - Domain Administrator permissions to install additional domain controllers in a domain
  - Enterprise Administrator permissions to install additional domains in a forest
- Network configuration
  - TCP/IP must be configured, including DNS client settings
  - DNS Server that supports dynamic updates must be available or will be configured on the domain controller
- Server requirements
  - A computer running Windows Server 2008 (Web Server edition not supported)
  - Minimum disk space of 250 MB and a partition formatted with NTFS file system

What Are Domain and Forest Functional Levels?
Functional levels:
- Determine the AD DS features available in a domain or forest
- Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest

Supported functional levels:

| Forests | Domain | Supported Domain Controller Operating Systems |
| --- | --- | --- |
| Windows 2000 | Windows 2000 native | Windows Server 2008, Windows Server 2003, Windows 2000 Server |
| Windows Server 2003 | Windows Server 2003 | Windows Server 2008, Windows Server 2003 |
| Windows Server 2008 | Windows Server 2008 | Windows Server 2008 |

AD DS Installation Process
1. Install the Active Directory Domain Services role using the Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator Password

Demonstration: Verifying the AD DS Installation
In this demonstration, you will see how to verify the AD DS installation.

Lesson 2: Configuring AD DS Domain Controller Roles
- What Are Global Catalog Servers?
- Modifying the Global Catalog
- Demonstration: Configuring Global Catalog Servers
- What Are Operations Master Roles?
- Demonstration: Managing Operation Master Roles
- How Windows Time Service Works

What Are Global Catalog Servers?
[Diagram labels: Domain (seven instances), Global Catalog Server, Global Catalog, Query, Result]

Modifying the Global Catalog
- Common Attributes: firstName, lastName, email address, accountExpires, distinguishedName
- Changed Attributes: department, firstName, lastName, email address, accountExpires, distinguishedName
- Create additional attributes: add only the additional attributes to which you query or frequently refer
[Diagram label: Global Catalog Server]

Demonstration: Configuring Global Catalog Servers
In this demonstration, you will see how to:
- Configure global catalog servers using Active Directory Sites and Services
- Configure a domain controller on Server Core as a global catalog server
- Add attributes to the global catalog server

What Are Operations Master Roles?

| Role | Description |
| --- | --- |
| Schema Master | One per forest. Performs all updates to the Active Directory schema |
| Domain Naming Master | One per forest. Manages adding and removing all domains and directory partitions |
| RID Master | One per domain. Allocates blocks of RIDs to each domain controller in the domain |
| PDC Emulator | One per domain. Minimizes replication latency for password changes. Synchronizes time on all domain controllers in the domain |
| Infrastructure Master | One per domain. Updates object references in its domain that point to the object in another domain |

Demonstration: Managing Operations Master Roles
In this demonstration, you will see how to:
- Determine which server holds an operations master role
- Move an operations master role
- Seize an operations master role

Module 3: Creating Active Directory Domain Services User and Computer Objects

Module Overview
- Managing User Accounts
- Creating Computer Accounts

Lesson 1: Managing User Accounts
- What Is a User Account?
- Names Associated with Domain User Accounts
- User Account Password Options
- Tools for Configuring User Accounts
- Demonstration: Configuring User Accounts
- Demonstration: Renaming a User Account
- What Is a User Account Template?
- Demonstration: Creating and Using a User Account Template

What Is a User Account?
A user account is an Active Directory Domain Services (AD DS) object that enables authentication and access to local and network resources.
A user account can be stored:
- In AD DS (AD DS account)
- On the local computer (local account)
Creating a user account also creates a Security ID (SID).
- AD DS accounts enable log on to domains and provide access to shared network resources
- Local accounts enable log on to a single computer and local resources

Names Associated with Domain User Accounts
Naming options for domain user accounts:

| Object Names | Example | Uniqueness requirement |
| --- | --- | --- |
| User logon name | Gregory | Must be unique within domain |
| User logon name (pre-Microsoft Windows 2000) | Woodgrove\Gregory | Must be unique within domain |
| User principal name (UPN) | GregoryWoodgroveB | Must be unique within forest |
| LDAP distinguished name | CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com | Will be globally unique, combining RDN, container name, and domain names |
| Relative distinguished name (RDN) | CN=Gregory | Must be unique in OU |

User Account Password Options
User object passwords are a significant aspect of network security and can have options configured for:
- Password history
- Length
- Complexity
By default, Windows Server 2008 domain passwords must meet three out of the following four complexity requirements:
- Uppercase
- Lowercase
- Special characters
- Numbers

Tools for Configuring User Accounts
Local and Domain accounts each have their own tools for creating and managing properties:

| Account | Tools |
| --- | --- |
| Local computer account | Windows XP and Windows Vista: Control Panel User Accounts |
| Domain account | Windows Server 2003 and Windows Server 2008. GUI tool: Active Directory Users and Computers. Command-line utilities: dsadd, Windows PowerShell, CSVDE, LDIFDE |

Demonstration: Configuring User Accounts
In this demonstration, you will see how to create a new user account using Active Directory Users and Computers.

Demonstration: Renaming a User Account
In this demonstration, you will see how to rename user accounts.

What Is a User Account Template?
A user account template is an account with common properties already configured.
User account templates take advantage of the similarity between user accounts.
To use user templates:
- Create several typical users reflecting various groups within your organization
- Copy the user account most like the new account you want to create
- Modify the attributes: names, e-mail address, logon name, etc.

Demonstration: Creating and Using a User Account Template
In this demonstration, you will see how to create and use a User Account Template.

Lesson 2: Creating Computer Accounts
- What Is a Computer Account?
- Options for Creating Computer Accounts
- Managing Computer Accounts
- Demonstration: Configuring Computer Accounts

What Is a Computer Account?
A computer account is an object in AD DS that identifies a computer in a domain.
Computer accounts:
- Are required for authentication and auditing
- Enable managing computers by using group policies
- Are required for all computers running Windows NT or later

Options for Creating Computer Accounts

| Scenario | Process |
| --- | --- |
| Adding individual computers to a domain | Add the computer to the domain through computer system properties. Account will be created by default in Computers container |
| Creating multiple computer accounts in preparation for automating an operating system and software deployment | Create an OU for each department. Prestage new computer accounts in that OU by using a script or command line tool. Add the computer to the domain |

Managing Computer Accounts
Computer management activities include:
- Adding computer accounts: provides computer name and specifies management option
- Disabling computer accounts: maintains account, but prevents log on from the account
- Resetting the computer account: removes the computer's connection to domain (re-join necessary)
- Deleting computer accounts: removes computer from all domain services
- Configuring group policies: manages software or computer desktop environments

Demonstration: Configuring Computer Accounts
In this demonstration, you will see how to:
- Pre-create a computer account
- Configure computer account settings
- Disable and reset a computer account

Module 4: Creating Active Directory Domain Services Groups and Organizational Units

Module Overview
- Introduction to AD DS Groups
- Managing Group Accounts
- Creating Organizational Units

Lesson 1: Introduction to AD DS Groups
- What Are Groups?
- Discussion: Identifying Group Usage
- Discussion: Strategies for Nesting AD DS Groups
- AD DS Groups Review

What Are Groups?
Groups are a logical collection of similar objects:
- Departments
- Locations
- Resources
There are two types of groups:
- Distribution groups
  - Used for e-mail distribution lists
  - Not security enabled
- Security groups
  - Security enabled
  - Can be used to assign permissions
  - Can also be e-mail-enabled with Exchange Server

Discussion: Identifying Group Usage
For each scenario, determine the type and scope of groups that must be created:
- Scenario 1: A. Datum has HR users who are spread throughout the domain in several different geographic locations but require access to the same resources.
- Scenario 2: Tailspin Toys has two domains, one for the United States and one for Europe. You want to create a group that enables the centralized help desk to manage resources in both domains.
- Scenario 3: A. Datum has users in Sales that are geographically dispersed. They have requested a single unified group that will allow for all Sales users to access resources. Membership of the Sales group frequently changes.

What Is Group Nesting?
Nesting allows for groups to be members of other groups.
Benefits of using a nesting strategy in managing AD DS groups:
- Groups that are members of other groups reduce replication
- Nested groups provide for simplified management

Discussion: Strategies for Nesting AD DS Groups
Extend the previous discussion to consider the option of nesting groups. How would the group configuration change if group nesting is used for each scenario here?
Scenario 1: A. Datum has HR users are spread throughout the domain
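
Added example, not part of the original slides: a small Python model of the check described under "What is Authorization?", where the SIDs in a security token are compared against the entries of a DACL. It goes beyond the slide by showing ordered evaluation of allow and deny entries and the difference between a missing DACL and an empty one; the SIDs, rights bits and names (`Ace`, `Token`, `access_check`) are constructed for illustration and are not Windows API values.

```python
from dataclasses import dataclass

# Constructed access rights and SIDs for illustration (not real Windows values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
GREGORY, IT, CONTRACTORS = DOMAIN + "-1105", DOMAIN + "-1201", DOMAIN + "-1202"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # security principal the entry applies to
    mask: int   # rights this entry allows or denies


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset = frozenset()

    def sids(self):
        # The token carries the user's SID and all related group SIDs.
        return {self.user_sid} | self.group_sids


def access_check(token, dacl, desired):
    """Return True only if every right in `desired` is allowed by the DACL."""
    if dacl is None:
        return True               # NULL DACL: no protection, everyone is allowed
    sids, remaining = token.sids(), desired
    for ace in dacl:              # entries are evaluated in stored order
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False          # a matching deny ends the check immediately
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True       # everything requested has been allowed
    return False                  # rights never allowed are implicitly denied


# Canonical order: deny entries first, then allow entries.
SHARE_DACL = [
    Ace("deny", CONTRACTORS, WRITE | DELETE),
    Ace("allow", IT, READ | WRITE),
    Ace("allow", GREGORY, DELETE),
]
# Same idea with the deny entry placed last: the deny is never reached.
MISORDERED_DACL = [Ace("allow", IT, READ | WRITE), Ace("deny", CONTRACTORS, WRITE)]

staff = Token(GREGORY, frozenset({IT}))
contractor = Token(GREGORY, frozenset({IT, CONTRACTORS}))

if __name__ == "__main__":
    for name, tok in (("staff", staff), ("contractor", contractor)):
        for right, bit in (("READ", READ), ("WRITE", WRITE), ("DELETE", DELETE)):
            print(name, right, access_check(tok, SHARE_DACL, bit))
    print("misordered WRITE", access_check(contractor, MISORDERED_DACL, WRITE))
```

The misordered list shows why ACL reviews should check entry order as well as entry content: the same deny entry has no effect once an earlier allow has already satisfied the request.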