Modules:
MODULE 1: INTRODUCTION TO ACTIVE DIRECTORY SERVICES
[Diagram: a workgroup of stand-alone clients (Win98, Win2000 Prof, XP, Win2003 Srv) next to an NT 4.0 domain with one PDC (NT Srv) and several BDCs]
PDC (Primary Domain Controller): there can be only one PDC in a domain.
Stand-alone: stand-alone machines are clients. If the machine runs NT Server and you want to use it as a client, select stand-alone during the NT Server installation. An NT stand-alone machine cannot later be converted into a Domain Controller; NT Server has to be reinstalled.
In NT 4.0 Server, 40,000 accounts (i.e. user, group and computer accounts) can be created in one DC. At a time, 4,000 users can be logged on to an NT Server. So we use BDCs: each BDC adds another 40,000.
ADS Schema
The ADS schema contains the definitions of all objects, such as computer, user and printer. In Windows 2003 there is only one schema for the entire forest. There are two types of definition in the schema:
1) Object classes
2) Attributes
An object class describes a possible directory object that can be created; each object class is a collection of attributes.
Attributes are defined separately from object classes. Each attribute is defined once and can be used in multiple object classes.
Note: an example of an object class is user, and its attributes are the details of the user.
Note: a few attributes are used by all object classes, like description, and a few attributes are used by specific objects only, like first name and full name, which are used by users.
[Diagram: domain MCSE.com containing the OU Sale, which contains User 1; the object's distinguished name is CN=User 1,OU=Sale,DC=MCSE,DC=com]
CN = Common Name
OU = Organizational Unit
DC = Domain Component
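The CN/OU/DC components above are what make up an LDAP distinguished name. The following Python is an added example (not from the original notes) that builds the DN of the diagram's User 1 and parses it back, including the RFC 4514 escaping needed when a name itself contains a comma; the values MCSE.com, Sale and User 1 are the notes' own, the name "Smith, John" is a constructed sample.

```python
"""Build and parse LDAP distinguished names (DNs) from CN/OU/DC components.

Added example, not from the original notes. Escaping follows RFC 4514:
comma, plus, double quote, backslash, <, >, ; and a leading # or space,
or a trailing space, are prefixed with a backslash."""

SPECIAL = ',+"\\<>;'


def escape_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, ous: list, domain: str) -> str:
    """Compose CN=...,OU=...,DC=...,DC=...; OUs are given innermost first."""
    parts = ["CN=" + escape_value(cn)]
    parts += ["OU=" + escape_value(ou) for ou in ous]
    parts += ["DC=" + escape_value(label) for label in domain.split(".")]
    return ",".join(parts)


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs, honouring backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma separates RDNs
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().upper(), val))
    return pairs


def domain_of(dn: str) -> str:
    """Recover the DNS domain name from the DC components of a DN."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


if __name__ == "__main__":
    dn = build_dn("User 1", ["Sale"], "MCSE.com")
    print(dn, parse_dn(dn), domain_of(dn))
```

Splitting on unescaped commas only matters once user-supplied names reach the directory; a naive `split(",")` on a DN such as `CN=Smith\, John,OU=Sale,...` would produce a bogus extra component.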
Active Directory Service Logical Structure
[Diagram: a domain (Cisco.com) with its ADS master DC, a 2000/03 member server and XP client computers; a second domain, MCSE, with the OUs Sale, HR and Mkt]
Global Catalog:
The root domain holds the global catalog. When any query is sent to the global catalog, the global catalog forwards it everywhere; after receiving the response, it sends that information back to the domain from which the request was sent.
The first time, the global catalog searches for the information; from then on it does not search again if the information is already there, otherwise it searches.
Active Directory Services Physical Structure
[Diagram: a domain controller (DC) replicating with an additional DC]
A domain controller is a computer running Windows 2003 Server that stores a replica of the directory. Changes made on one DC are replicated to the other DCs in the same domain.
Site
A site consists of one or more IP subnets. Sites are connected by high-speed links. Sites control replication traffic (over the leased line) and workstation logon traffic.
[Diagram: Site 1 with a DC, connected over a leased line to Site 2, which has a DC of its own]
Site 1 and Site 2 share a common DC, so every time someone logs on from Site 2 the logon crosses the leased line and takes longer. To reduce logon time and traffic, a DC is placed in Site 2 as well (as in the diagram).
MODULE : IMPLEMENTING DNS TO SUPPORT ADS
Role of DNS
[Diagram: the DNS domain Microsoft.com mapped to the ADS domain Microsoft]
Clients query DNS to locate:
1) a DC in a domain or forest
2) a DC in the same site as the client computer
3) a DC configured as a global catalog server
[Diagram: DNS zone holding host records for clients and servers alike (C1, C2, C3, S1, S2, S3 mapped to their IPs) and a separate SRV record folder listing S1 DC LDAP, S2 DC LDAP, S3 HTTP, S4 Web MX]
Note:
SRV records are special records made to store the information of the server computers only. We add the computer name and IP address again in a different folder, but this time with more details, like the protocol, DC role, and so on.
SRV records are created so that it is easy for DNS to provide the IP of a server quickly, without checking all the other records, which also include the clients.
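To show how a client actually uses those SRV records to find a DC in its own site first, then any DC, and a global catalog, here is an added Python example (not from the original notes). The record names follow the real Active Directory convention (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`, `_ldap._tcp.dc._msdcs.<domain>`, `_gc._tcp.<forest>`); the hosts, IPs, site names and the zone contents are constructed sample data, and the selection among equal-priority records follows RFC 2782's weighted choice.

```python
"""Locate a domain controller from DNS SRV records the way a client does.

Added example, not from the original notes. Zone contents below are
constructed sample data; the record names follow the AD _msdcs convention."""
import random

# Constructed sample zone: (name, priority, weight, port, target)
SRV_RECORDS = [
    ("_ldap._tcp.dc._msdcs.mcse.com", 0, 100, 389, "s1.mcse.com"),
    ("_ldap._tcp.dc._msdcs.mcse.com", 0, 100, 389, "s2.mcse.com"),
    ("_ldap._tcp.site2._sites.dc._msdcs.mcse.com", 0, 100, 389, "s2.mcse.com"),
    ("_gc._tcp.mcse.com", 0, 100, 3268, "s1.mcse.com"),
]
# Constructed host (A) records; servers and clients share the same table.
A_RECORDS = {"s1.mcse.com": "192.0.2.1", "s2.mcse.com": "192.0.2.2",
             "c1.mcse.com": "192.0.2.11"}


def query_srv(name):
    """All SRV records registered under one name (case-insensitive)."""
    return [r for r in SRV_RECORDS if r[0] == name.lower()]


def pick(records, rng=random):
    """RFC 2782 selection: lowest priority first, then weighted random."""
    if not records:
        return None
    best = min(r[1] for r in records)
    cands = [r for r in records if r[1] == best]
    total = sum(r[2] for r in cands)
    roll = rng.uniform(0, total) if total else 0
    for r in cands:
        roll -= r[2]
        if roll <= 0:
            return r
    return cands[-1]


def locate_dc(domain, site=None, want_gc=False, rng=random):
    """Return (host, ip, port) of a DC: same-site DC first, then any DC.

    With want_gc=True the forest-wide _gc._tcp record is used instead."""
    if want_gc:
        names = [f"_gc._tcp.{domain}"]
    else:
        names = []
        if site:
            names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        rec = pick(query_srv(name), rng)
        if rec:
            host = rec[4]
            return host, A_RECORDS.get(host), rec[3]
    return None


if __name__ == "__main__":
    print(locate_dc("mcse.com", site="site2"))
    print(locate_dc("mcse.com", want_gc=True))
```

The same lookup is what `nslookup`'s `ls -t srv` output lets you verify by hand: if the `_ldap._tcp.dc._msdcs` names are missing, clients fall through to `None` here and to a "domain not found" error in practice.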
MODULE: CREATING A WINDOWS 2003 DOMAIN
Domains are the core administrative units. The first domain created is the root domain for the entire forest. Use DCPROMO to create and remove domains and domain controllers.
Use the nslookup command to query the registered SRV records. At the nslookup prompt, type: ls -t srv <domain name>.
The domain name is the same name given when installing DNS, e.g. MCSE. If the SRV records are listed, DNS is properly installed.
The Ntds.dit file is where all the user information is stored. It is an important file.
Verify the shared folders: Netlogon and Sysvol.
In DNS you get the option Active Directory Integrated Zone after installing ADS.
Once ADS is installed, by the Default Domain Policy no one can log on to the DC except the administrator. Therefore, for others to log on to the DC, changes have to be made in two places:
1st: Programs -> Administrative Tools -> AD Users and Computers -> right-click MCSE.com -> Properties -> Group Policy -> select and Edit -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> set the password policies to Not Defined.
2nd: Administrative Tools -> Domain Controller Security Policy -> Local Policies -> User Rights Assignment -> Allow log on locally -> add Everyone -> Apply -> OK.
[Diagram: domain functional levels. Windows 2000 mixed: DC on Win2000 Srv serving Win98, 2000 Prof, XP and NT clients. Windows 2000 native: DC on Win2000 Srv serving Win98, XP, 2000 Prof and NT clients. Windows 2003: DCs on Win2003 Srv only]
Once you raise the functional level from lower to higher, you cannot revert it to the lower functional level.
Use Active Directory Domains and Trusts to view and raise the functional level.
The default functional level in Windows 2003 is Windows 2000 mixed.
Active Directory Users and Computers is the most important tool for managing users and groups in the domain. It contains the following by default:
1) Builtin: a container. It contains the default built-in security groups.
2) Computers: a container. It is the default location for the computer accounts of the domain (i.e. client computers are added here by default).
3) Domain Controllers: an OU. It is the default location for domain controller computer accounts.
4) ForeignSecurityPrincipals: a container.
5) Users: a container. It is the default location for user accounts.
[Diagram: MCSE.com with its five default folders: Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Users]
Note: you can link group policies only to OUs, not to containers. You can create OUs but not containers.
MODULE: SETTING UP AND ADMINISTERING USERS AND GROUPS
Introduction:
- Create a user account for each person who regularly uses the network
- Create multiple user accounts in a single batch process; group user accounts to manage user access to shared resources
- Nest groups within other groups to reduce administration
[Diagram: user logon name split into prefix (user name) and suffix (@domain)]
The suffix defaults to the name of the root domain, but it can be changed and others can be added. Additional suffixes are created from Active Directory Domains and Trusts. The first logon name (prefix plus suffix) is the user principal name.
The pre-Windows 2000 logon name is mainly used for pre-Windows 2000 computers: the user selects the domain when logging on from a pre-2000 client.
[Diagram: a text file of user information imported into ADS]
Format of the text file for creating multiple users in a single batch process
CSVDE file: Comma Separated Value Directory Exchange
Using LDIFDE (LDAP Data Interchange Format Directory Exchange)
The attributes in the file:
DN = distinguished name
objectClass = whether it is a user or a group
sAMAccountName = logon name
userPrincipalName = user principal name (prefix@suffix, see above)
displayName = full name
userAccountControl = enables or disables the user
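As an added example (not from the original notes), the Python below generates both file formats for the attributes listed above: the CSVDE header row and one line per user, and the equivalent LDIFDE `dn:`/`changetype: add` records. The domain mcse.com, the OU Sale and the user names are constructed sample data; the userAccountControl values are the real flag values (512 = normal account, 514 = normal account + ACCOUNTDISABLE).

```python
"""Generate CSVDE and LDIFDE input for a batch of user accounts.

Added example, not from the original notes. The attribute names are the ones
the notes list; users, OU and domain below are constructed sample data."""
import csv
import io

NORMAL_ACCOUNT = 0x0200   # userAccountControl flag: normal user account
ACCOUNTDISABLE = 0x0002   # userAccountControl flag: account is disabled

ATTRS = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
         "displayName", "userAccountControl"]


def user_record(logon, full_name, ou, domain, enabled=True):
    """Build one user as a dict keyed by the CSVDE/LDIFDE attribute names."""
    uac = NORMAL_ACCOUNT | (0 if enabled else ACCOUNTDISABLE)
    dc = ",".join("DC=" + label for label in domain.split("."))
    return {
        "DN": f"CN={full_name},OU={ou},{dc}",
        "objectClass": "user",
        "sAMAccountName": logon,
        "userPrincipalName": f"{logon}@{domain}",
        "displayName": full_name,
        "userAccountControl": str(uac),
    }


def to_csvde(records):
    """CSVDE format: header row of attribute names, then one row per object.

    The DN contains commas, so the csv module quotes it for us."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ATTRS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def to_ldifde(records):
    """LDIFDE format: 'dn:' line, 'changetype: add', one 'attr: value' per line,
    records separated by a blank line."""
    lines = []
    for rec in records:
        lines.append("dn: " + rec["DN"])
        lines.append("changetype: add")
        for attr in ATTRS[1:]:
            lines.append(f"{attr}: {rec[attr]}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    batch = [user_record("user1", "User 1", "Sale", "mcse.com"),
             user_record("user2", "User 2", "Sale", "mcse.com", enabled=False)]
    print(to_csvde(batch))
    print(to_ldifde(batch))
```

A practical caveat: a domain password policy that requires a password will reject an import that creates an enabled (512) account with no password, so batch files commonly create accounts disabled (514) and enable them after a password has been set.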
Introduction to Groups in Active Directory
1. Global Group
Membership
- Mixed mode: user accounts from the same domain
- Native mode: user accounts and global groups from the same domain
Can be a member of:
- Native mode: universal and domain local groups in any domain, and global groups in the same domain
2. Domain Local Group
Membership
- Mixed mode: user accounts and global groups from any domain
- Native mode: user accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain
Permissions: the domain in which the domain local group exists (i.e. only resources in the same domain can be secured with it)
3. Universal Group
Membership
- Mixed mode: not applicable (there are no universal groups in mixed mode)
- Native mode: user accounts, global groups and other universal groups from any domain in the forest
Can be a member of:
- Mixed mode: not applicable
- Native mode: domain local and universal groups in any domain
[Diagram labelled "Rules": global groups Sales, Marketing and HR, and a domain local group Hr5. By giving permission to the Hr5 local group we indirectly give permission to the Sales and HR users as well. After adding the HR OU users, Hr5 can be denied]
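The membership tables for the three group scopes, and the nesting diagram above, can be checked mechanically. The Python below is an added example (not from the original notes): it encodes the notes' mixed-mode and native-mode rules as a table, rejects nesting that those rules forbid, and flattens nested groups to the users who end up with a permission. The group names Sales, HR and Hr5 come from the diagram; the user names and the domain names are constructed.

```python
"""Check group nesting against the Windows 2003 group-scope rules in the notes.

Added example, not from the original notes. RULES encodes the notes' tables;
SAMPLE mirrors the notes' diagram with constructed user names."""

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"

# (mode, group scope) -> allowed member kinds and their domain constraint:
# "same" = member must be from the group's own domain, "any" = any domain in the forest.
RULES = {
    ("mixed", GLOBAL):        {USER: "same"},
    ("native", GLOBAL):       {USER: "same", GLOBAL: "same"},
    ("mixed", DOMAIN_LOCAL):  {USER: "any", GLOBAL: "any"},
    ("native", DOMAIN_LOCAL): {USER: "any", GLOBAL: "any", UNIVERSAL: "any",
                               DOMAIN_LOCAL: "same"},
    ("native", UNIVERSAL):    {USER: "any", GLOBAL: "any", UNIVERSAL: "any"},
}


def can_add_member(mode, group_scope, group_domain, member_kind, member_domain):
    """Return (ok, reason) for adding a member to a group under the given mode."""
    key = (mode, group_scope)
    if key not in RULES:
        return False, f"{group_scope} groups are not available in {mode} mode"
    allowed = RULES[key]
    if member_kind not in allowed:
        return False, f"a {member_kind} cannot be a member of a {group_scope} group in {mode} mode"
    if allowed[member_kind] == "same" and member_domain != group_domain:
        return False, f"the {member_kind} must come from the same domain as the {group_scope} group"
    return True, "ok"


def effective_members(groups, name, seen=None):
    """Flatten nested groups to the set of user accounts that end up in `name`.

    `seen` guards against circular nesting."""
    seen = set() if seen is None else seen
    users = set()
    for kind, member in groups.get(name, []):
        if kind == USER:
            users.add(member)
        elif member not in seen:
            seen.add(member)
            users |= effective_members(groups, member, seen)
    return users


# Constructed sample nesting, as in the notes' diagram: the global groups Sales
# and HR are nested inside the domain local group Hr5.
SAMPLE = {
    "Sales": [(USER, "s1"), (USER, "s2")],
    "HR":    [(USER, "h1")],
    "Hr5":   [(GLOBAL, "Sales"), (GLOBAL, "HR")],
}

if __name__ == "__main__":
    print(can_add_member("mixed", GLOBAL, "mcse.com", GLOBAL, "mcse.com"))
    print(sorted(effective_members(SAMPLE, "Hr5")))
```

`effective_members` is the check to run before granting a domain local group a permission: the users who receive it are the flattened set, not just the groups listed directly.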
MODULE: PUBLISHING RESOURCES IN ADS
INTRODUCTION:
We publish resources:
1. To create an object in ADS that contains the required information, or provides a reference to the required information.
2. That do not exist in Active Directory.
3. That are static (fixed) and change infrequently.
[Diagram: resources published into ADS]
1) Any printer shared by a Windows 2000/03-based print server is published in ADS by itself.
2) Any printer is automatically removed from Active Directory when its print server is removed from the network.
3) Each print server is responsible for its printers being published in ADS.
[Diagram: resources published into ADS manually or automatically]
MANAGING PUBLISHED PRINTERS
Publishing shared folders in ADS has to be done manually for any operating system.
1) Create and share the folder on the client.
2) On demand:
Path: Active Directory Users & Computers -> right-click container -> New -> Shared Folder -> specify the UNC path, i.e. \\computer name\share folder name.
NOTE: the container can be anything, such as the computer name or a group like Sale.
MODULE: DELEGATING ADMINISTRATIVE CONTROL
1) Implicit:
When permission to perform an operation is not explicitly assigned, it is implicitly denied.
E.g. Sales has Allow Read permission on the folder; Mkts is not added, so it is not allowed.
2) Explicit:
Permission can also be explicitly denied.
Sales ------- Allow Read ----------- \Data
Mkts -------- Deny Read ------------ \Data
i.e. Mkts is added and then denied Read permission.
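The two cases above (no entry at all versus an explicit Deny entry) are easy to confuse when reviewing a share's permissions. The Python below is an added example (not from the original notes) that evaluates an access control list the way the notes describe: an explicit deny matching any of the user's groups wins, an allow grants, and no matching entry means implicit deny. The entries for Sales and Mkts on \Data are the notes' own; the user names are constructed.

```python
"""Evaluate allow/deny permissions: implicit deny vs. explicit deny.

Added example, not from the original notes. ACL_DATA mirrors the notes'
Sales/Mkts entries on \\Data; the users in audit() are constructed."""

# Entries on \Data: (principal, type, right)
ACL_DATA = [
    ("Sales", "allow", "read"),
    ("Mkts", "deny", "read"),
]


def check_access(acl, groups_of_user, right):
    """Return (granted, reason). groups_of_user: every group the user belongs to.

    Order of evaluation: an explicit deny for any of the user's groups overrides
    any allow; with no allow and no deny the result is an implicit deny."""
    mine = [e for e in acl if e[0] in groups_of_user and e[2] == right]
    denies = [e for e in mine if e[1] == "deny"]
    if denies:
        return False, f"explicit deny via {denies[0][0]}"
    allows = [e for e in mine if e[1] == "allow"]
    if allows:
        return True, f"allowed via {allows[0][0]}"
    return False, "implicit deny: no matching entry"


def audit(acl, users, right):
    """Who can exercise `right`: {user: granted} for a {user: groups} table."""
    return {user: check_access(acl, groups, right)[0] for user, groups in users.items()}


if __name__ == "__main__":
    # Constructed users: alice in Sales, bob in Mkts, carol in both, dave in HR.
    staff = {"alice": {"Sales"}, "bob": {"Mkts"}, "carol": {"Sales", "Mkts"}, "dave": {"HR"}}
    for user, groups in staff.items():
        print(user, check_access(ACL_DATA, groups, "read"))
```

The carol case is the one worth remembering: being in an allowed group does not help once any of her groups carries an explicit Deny.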
INTRODUCTION TO DELEGATION
[Diagram: Administrator over the domain MCSE; the Sales OU delegated to admin1, HR to admin2, Mkts to admin3]
NOTE: Administrator has full control over all OUs (Sales, HR, Mkts); admin1 has control only over Sales, and in parallel admin2 over HR and admin3 over Mkts.
Delegation allows to
To delegate:
Steps: right-click the OU -> Delegate Control -> add user or group -> select the permissions to delegate.
Removing delegation
Steps: go to Active Directory Users & Computers -> View -> select Advanced Features -> right-click the OU -> Properties -> Security -> select the user and remove.
MODULE: IMPLEMENTING GROUP POLICY
Introduction:
Types of GP settings
1. Administrative Templates: registry-based GP settings.
2. Security Settings: settings for local, domain and network security.
3. Software Installation: settings for central management of software installation.
4. Scripts: startup, shutdown, logon and logoff scripts.
5. RIS: settings that control the options available to users when running the client installation used by RIS.
6. IE Maintenance: settings to administer Microsoft Internet Explorer.
7. Folder Redirection: settings for storing user folders on a network server.
• GP settings for users
Specify OS behaviour, desktop behaviour, security settings, assigned and published application objects, user logon and logoff scripts, and folder redirection.
GP settings for computers apply when the machine starts and during the periodic refresh cycle (90 min).
GP settings for users apply when the user logs on to the computer.
Linking GPOs
A GPO can be linked to:
• Sites
• Domains
• OUs
[Diagram: GPO linked at Mcse.com and at the Sales OU]
Later, if you want HR to have the No Control policy as well, you do not have to create a new policy again; instead we link the existing No Control policy, created for Sales, to HR.
(1) The Sales department people do not have rights to the Control Panel:
• Start
• Administrative Tools
• Active Directory Users & Computers
• Click the plus sign (domain name)
• Sales (Properties)
• Group Policy
• New (give any name, e.g. No Control)
• Double-click that name
• User Configuration
• Administrative Templates
• Control Panel
• Prohibit access to Control Panel
• Enable
• OK
• Close
• Close
BLOCK INHERITANCE
Used if an OU requires some settings but those settings are disabled by the parent's group policy through inheritance.
E.g. a policy applied on the whole domain removes Run, but Sales wants access to Run, so we enable Block Policy Inheritance on the Sales OU, i.e. no policy from the parents comes down to the child.
Applying a policy to the whole domain
- Start
- Programs
- Administrative Tools
- Active Directory Users & Computers
- Microsoft.com (domain name)
- Right-click, Properties
- Group Policy
- New, give a name
- Double-click the name
- User Configuration
- Administrative Templates
- Start Menu & Taskbar
- Remove Run from Start Menu
- Properties
- Enable, OK, close the window
- OK (in Group Policy)
No Override
This option is mainly used on the parent (domain/OU) so that the GPO is forced onto the child OU even if the child OU has Block Policy Inheritance enabled.
Filtering
You can filter the GPO in case you do not want the policies to be applied to a user under an OU.
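Block Inheritance, No Override (called Enforced in later Windows versions) and filtering interact, and the resulting set is what an auditor needs to predict. The Python below is an added example (not from the original notes) that computes which GPOs reach a container: links are applied domain first and the closest link last, so the closest wins; Block Inheritance stops normal links from parents; No Override links are applied after everything else, with the link highest in the hierarchy winning; security filtering drops a link whose filter groups the user is not in. The container names MCSE.com and Sales and the GPO names "No Run" and "No Control" are the notes' labels; the link table, the filter group "Managers", the extra GPO "Wallpaper" and the user groups are constructed.

```python
"""Work out which GPOs reach an OU: inheritance order, Block Inheritance,
No Override (Enforced) and security filtering.

Added example, not from the original notes. LINKS and BLOCK_INHERITANCE are a
constructed model of the notes' scenario (Run removed domain-wide, Control
Panel prohibited for Sales, Sales blocking inheritance)."""

# container -> list of links (gpo_name, no_override, filter_groups), first link
# in the list having the highest precedence, as in the Group Policy tab.
# filter_groups=None means no security filtering (applies to everyone).
LINKS = {
    "MCSE.com": [("No Run", False, None)],
    "MCSE.com/Sales": [("No Control", False, None)],
}
BLOCK_INHERITANCE = {"MCSE.com/Sales"}


def resulting_gpos(path, user_groups, links=LINKS, blocked=BLOCK_INHERITANCE):
    """Return GPO names in application order for `path`; the last one wins."""
    parts = path.split("/")
    containers = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    # Normal links from containers above the highest blocking container are cut off.
    blocked_depths = [d for d, c in enumerate(containers) if c in blocked]
    cutoff = min(blocked_depths) if blocked_depths else None
    entries = []
    for depth, container in enumerate(containers):           # 0 = domain
        for idx, (gpo, no_override, filt) in enumerate(links.get(container, [])):
            if filt is not None and not set(filt) & set(user_groups):
                continue                                     # security filtering
            if no_override:
                # Applied after all normal links; a higher container and a
                # higher link order win, so sort them last-to-first.
                key = (1, -depth, -idx)
            else:
                if cutoff is not None and depth < cutoff:
                    continue                                 # Block Inheritance
                # Closer container applied later; link order 1 applied last.
                key = (0, depth, -idx)
            entries.append((key, gpo))
    entries.sort()
    return [gpo for _, gpo in entries]


if __name__ == "__main__":
    print(resulting_gpos("MCSE.com/Sales", ["Domain Users"]))
    enforced = {"MCSE.com": [("No Run", True, None)],
                "MCSE.com/Sales": [("No Control", False, None)]}
    print(resulting_gpos("MCSE.com/Sales", ["Domain Users"], enforced))
```

With the notes' setup the Sales users get only "No Control"; flipping the domain link to No Override puts "No Run" back and makes it the last (winning) policy even though Sales still blocks inheritance.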
Folder Redirection
With folder redirection, a user saves his data in My Documents on comp2; later, if he logs on to any other PC, he finds the same data in My Documents on that PC (it is like a personal My Documents).
For folder redirection we create a shared folder on any PC, e.g. COMP10. Whenever a user sitting at any PC saves data in My Documents, it is saved in the shared folder on COMP10, and the user can access this data from My Documents on any PC.
Group Policy supports different types of folders to redirect:
My Documents
Start Menu
Desktop
Application Data
Advantages:
1. Data is always available to the user irrespective of the computer logged on to.
2. Data is centrally stored (on some other PC) for ease of management.
3. Network traffic is generated only when the user gains access to files.
4. Files are not saved on the client computer.
PATH: GPO -> User Configuration -> Windows Settings -> Folder Redirection -> My Documents
PATH (on the DC):
- Create a new folder XYZ
- Share the folder and give Full Control permission
- Active Directory Users & Computers
- Right-click the domain (Microsoft.com)
- Properties
- Group Policy
- Edit
- User Configuration
- Windows Settings
- Folder Redirection
- Right-click My Documents
- Properties
Folder Redirection provides two options:
1. Basic: redirect all users' data to one location (i.e. save the data of all users in one folder).
2. Advanced: redirect the data of various groups to different locations (i.e. save data group-wise in different folders).
Introduction
In Windows 2003 you can use Group Policy to manage software deployment centrally.
The tasks used for deploying, installing and maintaining software are:
1) Preparation: prepare the files that enable the application to be deployed through Group Policy, and copy the Windows Installer package file to a distribution point.
2) Deployment: create a GPO that installs the software on the client computers and link that GPO to the proper ADS container (OU).
3) Maintenance: deployed software is upgraded to a new version or redeployed with service packs and patch files.
4) Removal: to remove software that is no longer required, remove the software package from the GPO.
a) Resilient applications: if a critical file is deleted or becomes corrupt, the application returns to the installation source and gets a new copy of the file.
b) Clean removal: applications are uninstalled without leaving orphaned files.
Assigning software:
You assign software to make sure that users have all the applications they need installed on their computers. The next time the user logs on, the newly installed software is advertised on their desktop.
Note: assigned software is installed from Start -> Programs.
Publishing software:
When you publish software it becomes available for users to install on their computers. Published software is not advertised on the desktop; it is available in Control Panel -> Add/Remove Programs -> Add New Programs.
Removing software:
When you remove assigned or published software, you can remove it completely from all computers, or just not allow new installations for new users.
Path: Group Policy -> Computer Configuration -> Software Settings -> Software Installation -> New -> Package.
MODULE: CREATING AND MANAGING TREES AND FORESTS
Introduction:
Tree:
Trees are a hierarchical arrangement of Windows 2003 domains that share a contiguous namespace.
[Diagram: MCSE.com as the tree root with the child domains HR.MCSE.com and Sales.MCSE.com; the DCPROMO choices for a new domain are New Tree, New Forest, or Child Domain in a Tree]
FOREST :
The first domain created in the forest is called Forest root. The name of the forest
root domain is used to refer to the entire forest.
DCPROMO (new forest)
* Domain controller type - DC for a new domain
* Create a new DC - Domain in a new forest
DCPROMO (child domain)
* Domain controller type - DC for a new domain
* Create a new DC - Child domain in an existing domain tree
* Network credentials - specify domain user name and password
DCPROMO (new tree)
* Domain controller type - DC for a new domain
* Create a new DC - Domain tree in an existing forest
* Network credentials - specify domain user name and password
DCPROMO (additional DC)
* Domain controller type - Additional DC for an existing domain
* Network credentials - specify domain user name and password
Requirements for an additional DC:
• Master DC installed
• Windows 2003 server with a static IP
• DNS server
• NTFS volume
• Administrator password of the master DC
The DCs keep talking to each other (they replicate among themselves).
[Diagram: DC replicating with an additional DC]
Replication Latency
It is the time needed for a change made on one DC to replicate and be received by another DC.
The default replication latency is 5 min.
Replication Conflict
There are three types of conflict:
• Attribute value (i.e. a user's telephone number, other info, etc.) changed on two DCs at the same time.
• Adding or removing an object under a deleted container. E.g. another admin has deleted the container Mkt while we are creating a user under Mkt at the same time.
• Sibling name. E.g. another admin is creating s1 in Sales while we are creating s1 in Mkt at the same time on another PC.
Active Directory Services Sites
[Diagram: two sites, each with its own DCs, connected by a site link]
Replication Protocol
2. Member sites: two or more sites that are connected through the site link.
5. Replication interval: how often replication over the link occurs.
An operations master is a domain controller that performs a specific role in Windows 2003 Active Directory and may control a specific set of directory changes. The roles are:
1. Schema Master
2. Domain Naming Master
3. PDC Emulator
4. RID Master
5. Infrastructure Master
[Diagram: the domain-wide roles (PDC Emulator, RID Master, Infrastructure Master) held by a DC in each domain, including the child domains]
Schema Master:
Controls all updates to the schema. Schema changes are replicated from this domain controller to all domains in the forest.
PDC Emulator:
Acts as a PDC to support Windows NT BDCs and pre-Windows 2000 client computers. Receives password changes from pre-Windows 2000 client computers. Prevents the possibility of overwriting GPOs.
RID Master:
The Relative Identifier Master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group or computer object, it assigns the object a unique Security Identifier (SID). This prevents object duplication if an object moves from one domain controller to another.
Infrastructure Master:
The Infrastructure Master updates references to objects and group memberships from other domains.
[Diagram: the master DC is down; the additional DC takes over its roles]
If the master DC crashes or goes down, you can make the additional DC the master DC by seizing the operations master roles.
Note: once you seize the OM roles on the additional DC and make it the master DC, you cannot bring the original master DC back up; you have to reinstall the original master DC.
Steps to Seize the OM Roles
Move Active Directory Database
The Files in Active Directory
Restore Active Directory Service Database
Moving Active Directory Database