
HANOI OPEN UNIVERSITY

FACULTY OF INFORMATION TECHNOLOGY

MAJOR ASSIGNMENT
Course: Network Administration

Topic (06):
Introduction to administrative operations with Active Directory in Windows Server 2008

Student: Quảng Văn Liêm

Class: 08B6

Active Directory Windows Server 2008

Supervisor: Đinh Tuấn Long

Hà Nội - 2010

Page 2

TABLE OF CONTENTS
I. Introduction to Active Directory (DC) ..... 4
1.1 What is Active Directory? ..... 4
1.2 Why implement Active Directory? ..... 5
1.3 Basic units of Active Directory ..... 5
1.3.1 Directory ..... 5
1.3.2 Domain ..... 6
1.3.3 Domain Controller ..... 6
1.3.4 Forest ..... 7
1.3.5 Organizational unit ..... 7
1.3.6 Object ..... 7
1.3.7 Schema ..... 7
1.3.8 Site ..... 8
1.3.9 Tree ..... 8
1.3.10 Trust ..... 8
1.3.11 Infrastructure Master and Global Catalog ..... 8
1.3.12 LDAP ..... 9
1.3.13 Group Policy management ..... 10
1.4 Active Directory services ..... 12
1.4.1 Active Directory Domain Services (AD DS) ..... 12
1.4.2 Active Directory Federation Services (AD FS) ..... 13
1.4.3 Active Directory Lightweight Directory Services (AD LDS) ..... 14
1.4.4 Active Directory Rights Management Services (AD RMS) ..... 15
1.4.5 Active Directory Certificate Services (AD CS) ..... 15
II. Administrative operations with Active Directory ..... 16
1.5 Installing and administering Active Directory Domain Services ..... 16
1.5.1 Preparation steps ..... 16
1.5.2 Installing the Active Directory Domain Services role ..... 23
1.5.3 Installing the first domain (root domain) ..... 29
1.5.4 Adding another DC to the domain ..... 40
1.5.5 Adding a domain under the existing root domain ..... 43
1.5.6 Demoting a DC to a client ..... 46
1.5.7 Managing users, groups and Organizational Units (OUs) ..... 46
1.5.8 Joining a client computer to the domain ..... 64
1.6 Installing and administering Active Directory Federation Services (AD FS) ..... 71
1.6.1 Tasks to perform before installing ADFS ..... 71
1.6.2 Installing the ADFS role and configuring certificates ..... 72
1.6.3 Configuring the web server ..... 77
1.6.4 Configuring the federation server ..... 125
1.6.5 Accessing the application from a client ..... 125

I. Introduction to Active Directory (DC)

1.1 What is Active Directory?

Active Directory is a directory service trademarked by Microsoft and an integral part of the Windows architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a standardized, centralized system that automates the network management of user data, security and distributed resources, and that can interoperate with other directories. In addition, Active Directory is designed specifically for distributed networking environments. In other words, Active Directory is a database with functions such as:
- Storing information about user accounts and computer network resources.
- Verifying the identity of anyone who accesses network resources.
- Storing network information as objects in a hierarchical structure.
It also provides:
- Centralized management.
- Advanced search capabilities.
- Delegation of administration.
For users and administrators alike, Active Directory provides a structured view from which all resources in the network can be accessed and managed easily.

1.2 Why implement Active Directory?

There are several reasons. Microsoft Active Directory is regarded as a significant step forward compared with Windows NT Server 4.0 domains or even standalone server networks. Active Directory provides a centralized administration mechanism across the whole network. It also provides redundancy and automatic failover when two or more domain controllers are deployed in a domain.
Active Directory automatically manages communication between the domain controllers to ensure the network stays available. Users can access all resources on the network through a single sign-on. All resources in the network are protected by a fairly strong security mechanism, one that can verify the user's identity and the permissions of every access to a resource.
Active Directory makes it easy to promote and demote domain controllers and member servers. Systems can be managed and protected through Group Policies. This is a flexible hierarchical organizational model that allows easy management and delegation of administrative responsibility. Most importantly, Active Directory can manage millions of objects within a single domain.
1.3 Basic units of Active Directory

1.3.1 Directory

A single repository that holds information about the users and resources in an organization. Active Directory is a kind of directory that stores attributes and contact information for a wide range of network resources, so that users and administrators can find them easily.

1.3.2 Domain

The core functional unit of the Active Directory logical structure. It is the means of defining a collection of users, computers and resources that share the same security rules, which makes it easier to manage access to the servers. A domain serves three main functions:
- It acts as an administrative boundary for objects: a set of administrative definitions for the objects it contains, which share a single directory database, common security policies, and trust relationships with other domains.
- It lets us manage the security of shared resources.
- It provides redundant servers acting as domain controllers, and ensures that the information on these servers is kept synchronized.
1.3.3 Domain Controller

A domain controller holds the security information and the directory object database for a specific domain and is responsible for authenticating the objects under its control. Several domain controllers can be associated with a given domain, and each holds an authoritative role in it: all domain controllers in a domain are equal in authority. This is an improvement over the primary and backup roles assigned to domain controllers in Windows NT.

1.3.4 Forest

A forest is the largest logical container in Active Directory Domain Services and includes all the domains within its scope, all linked to one another through automatically created transitive trusts. In this way, every domain in a forest automatically trusts every other domain in the forest.
Forests are not restricted by geography or network topology. A forest may contain many domains, and every domain shares a common schema. Domain members of the same forest do not even need a LAN or WAN connection between them. A single private network can also be home to several independent forests. In general, one forest should be used per entity. Even so, additional forests are still needed for testing and research purposes outside the production forest.
1.3.5 Organizational unit

Groups of items within a domain. They create a hierarchical structure for the domain and organize Active Directory along organizational and geographical lines.

1.3.6 Object

In Active Directory Domain Services, an object can be any part of the directory: a user, a group, a shared folder, a printer, a contact, and even an organizational unit. Objects are the only entities in your directory that can be managed directly.

1.3.7 Schema

The schema in Active Directory Domain Services is the actual structure of the database fields. The different kinds of information stored in Active Directory Domain Services are called attributes. The Active Directory Domain Services schema also defines standard classes, or types, of object. A class describes an object and the associated properties required to create an instance of that object. For example, user objects are instances of the user class.
1.3.8 Site

A collection of computers in different geographical locations, connected by at least one link. Sites are commonly used to determine how the domain controllers are kept up to date. Active Directory Domain Services chooses its method of distributing updates (a process called replication) based on how you configure a site, so as to keep traffic across a WAN link as cheap as possible.

1.3.9 Tree

A tree is a set of domains that starts from a single root and branches outward into child domains. Trees can be linked together within a forest. A tree also shares a contiguous DNS namespace.

1.3.10 Trust

A trust in Active Directory Domain Services is a method of secure communication between domains, trees and forests. Just as they did in Windows NT, trusts allow users in one Active Directory Domain Services domain to authenticate to the domain controllers of another domain in the directory. Trusts can be one-way (from A to B but not from B to A), transitive (A trusts B and B trusts C, therefore A trusts C), or cross-linked (A to C and B to D).
1.3.11 Infrastructure Master and Global Catalog

Another key component inside Active Directory is the Infrastructure Master. The Infrastructure Master (IM) is a domain-wide FSMO (Flexible Single Master of Operations) role responsible for the automatic repair of phantoms inside the Active Directory database.
Phantoms are created on DCs that need a cross-reference in their database between an object in their own database and an object from another domain in the forest. This happens, for example, when you add a user from one domain to a group in another domain of the same forest. Phantoms become stale when they no longer hold up-to-date data, which occurs because of changes made to the foreign object the phantom represents, for instance when the target object is renamed, moved between domains, or deleted. The Infrastructure Master locates and repairs such phantoms. Any change made by this repair process is replicated to all the remaining DCs in the domain.
The Infrastructure Master is sometimes confused with the Global Catalog (GC), which maintains a read-only copy of the domains in a forest and is used for universal group storage and the logon process. Because the GC holds a partial copy of all objects in the forest, it can create cross-domain references without needing phantoms.

1.3.12 LDAP

LDAP (Lightweight Directory Access Protocol) is part of Active Directory. It is a software protocol that allows organizations, individuals and other resources such as files and devices to be located in a network, whether that network is the public Internet or a company intranet. In a network, a directory tells you where a given piece of data is kept. In TCP/IP networks (including the Internet), the domain name system (DNS) is a directory system used to map a domain name to a specific network address (a unique location in the network). You may not know the domain name, however, and LDAP lets you search for individual entries without knowing where they are located.
An LDAP directory is organized in a simple tree hierarchy consisting of the following levels:
- The root directory, which branches into
- Countries, each of which branches into
- Organizations, each of which branches into
- Organizational units (departments, divisions, ...), each of which branches into
- Individuals (entries for people, files and shared resources such as printers)
An LDAP directory can be distributed among many servers. Each server can hold a replicated copy of the whole directory, synchronized periodically.
Administrators need to understand LDAP when looking up information in Active Directory, and need to build useful LDAP queries when searching for the information stored in the Active Directory database.
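As an added example (not part of the report), the following PowerShell script builds and runs LDAP queries against AD DS through System.DirectoryServices (ADSI), which is available on Windows Server 2008 with PowerShell 2.0. It assumes the report's domain fithou.net and a domain-joined machine; the search term and the second query are constructed for illustration.

```powershell
# Escape a value before splicing it into an LDAP filter (RFC 4515), so that a term
# typed by an operator cannot change the structure of the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $v = $Value -replace '\\', '\5c'     # backslash first, so the escapes added below are not re-escaped
    $v = $v -replace '\*', '\2a'
    $v = $v -replace '\(', '\28'
    $v = $v -replace '\)', '\29'
    $v = $v -replace "`0", '\00'
    return $v
}

# Run a paged subtree search and return one object per result with the requested attributes.
function Find-AdObjects {
    param(
        [string]$SearchBase,    # ADsPath, e.g. LDAP://DC=fithou,DC=net
        [string]$Filter,
        [string[]]$Properties = @('distinguishedName', 'sAMAccountName', 'objectClass')
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 500            # paged results, so the DC's 1000-entry limit does not truncate
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($result in $searcher.FindAll()) {
        $row = @{}
        foreach ($p in $Properties) { $row[$p] = @($result.Properties[$p]) -join ';' }
        New-Object PSObject -Property $row
    }
}

# Discover the domain naming context from RootDSE instead of hard-coding it.
$rootDse = [ADSI]'LDAP://RootDSE'
$base = 'LDAP://' + [string]$rootDse.defaultNamingContext

# Query 1: users whose logon name starts with an operator-supplied term (constructed input).
$term = 'lie'
$filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $term)*))"
Find-AdObjects -SearchBase $base -Filter $filter | Format-Table -AutoSize

# Query 2: a check worth running regularly: enabled user accounts whose password never expires.
# userAccountControl is a bit field; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule,
# 2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD.
$neverExpire = '(&(objectCategory=person)(objectClass=user)' +
               '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
               '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
Find-AdObjects -SearchBase $base -Filter $neverExpire -Properties @('sAMAccountName', 'distinguishedName') |
    Format-Table -AutoSize
```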

1.3.13 Group Policy management

When talking about Active Directory we must certainly mention Group Policy. Administrators can use Group Policy in Active Directory to define user and computer settings across the whole network. These settings are configured and stored in Group Policy Objects (GPOs), which are then associated with Active Directory objects, including domains and sites. This is the main mechanism for applying changes to computers and users in a Windows environment.
Through Group Policy management, administrators can configure desktop settings globally on users' computers, and restrict or allow access to particular files or folders in the network.
In addition, we need to understand how GPOs are applied. Group Policy Objects are applied in the following order: local computer policies first, then site policies, then domain policies, then the policies applied to individual OUs. At any given moment a user or computer object can belong to only one site and one domain, so it receives only the GPOs linked to that site and that domain.
GPOs are divided into two separate parts: the Group Policy Template (GPT) and the Group Policy Container (GPC). The Group Policy Template is responsible for storing the settings created in the GPO. It stores them in a folder structure and a set of files. For these settings to be applied successfully to all user and computer objects, the GPT must be replicated to all the DCs in the domain.
The Group Policy Container is the part of the GPO stored in Active Directory on the DCs in the domain. The GPC is responsible for holding references for the Client Side Extensions (CSEs), the path to the GPT, paths to installation packages, and other referential aspects of the GPO. The GPC does not contain much of the information related to its corresponding GPO, but it is a necessary component of Group Policy. When software installation policies are configured, the GPC helps keep the links inside the GPO. It also holds other relationship links and paths stored in object attributes. Knowing the structure of the GPC and how to access the hidden information stored in its attributes is essential when you need to troubleshoot a Group Policy problem.
1.4 Active Directory services

1.4.1 Active Directory Domain Services (AD DS)

Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is a central store for configuration information, authentication requests, and information about all the objects stored within your system. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications and other directory objects from a central, secure location. The enhancements to AD DS in Windows Server 2008 include:
- Auditing: changes made to objects in Active Directory can be logged so that you know what changes occurred to an object, together with the old and new values of the changed attributes.
- Fine-Grained Passwords: password policies can be configured for distinct groups within the domain. Every account in the domain no longer has to use the same password policy.
- Read-Only Domain Controller: a Domain Controller with a read-only copy of the Active Directory database. This helps you improve security in locations where security cannot be fully guaranteed, such as branch offices. A Read-Only Domain Controller does not allow lower-level domain controllers to make changes to Active Directory. Using Read-Only Domain Controllers (RODCs) prevents changes made at a branch office from damaging or bringing down your AD forest through replication. Thanks to RODCs, there is also no need for an intermediate site for the domain controllers at the branch office, nor to send installation media and a domain administrator to the branch office.
- Restartable Active Directory Domain Services: this feature lets you restart AD DS while the Domain Controller keeps running, so that offline operations can be completed quickly.
- Database Mounting Tool: a snapshot of the Active Directory database can be mounted with this tool. This lets the domain administrator inspect the objects in the snapshot to determine what needs to be restored when necessary.
1.4.2 Active Directory Federation Services (AD FS)

Active Directory Federation Services (AD FS) is a solution that lets users access web applications with a single logon even when the users and the applications are in completely different networks or organizations.
Normally, when an application belongs to one network and the user belongs to another, the user is asked to enter a second account to access the application (a secondary logon).
With ADFS the user is no longer asked for a secondary logon with this second account, because a trust relationship is established between the networks. In a federated environment each organization continues to manage its own accounts, but each organization can still protect its applications and accept access from accounts of the other organizations.
Authenticating in one network while accessing the resources of another without forcing the user through a secondary logon is called single sign-on (SSO). ADFS supports web-based SSO within a user's session.
For ADFS there are two kinds of organization:
- Resource organization: the organization that owns and manages the resources that trusted partners can access.
- Account organization: the organization that owns and manages the accounts that access resources in the resource organizations above.
1.4.3 Active Directory Lightweight Directory Services (AD LDS)

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Instead of using the organization's AD DS database, you can use AD LDS to store the data. AD LDS can be used together with AD DS to give you one central place for security accounts (AD DS) and another that supports application configuration and directory data (AD LDS). With AD LDS you can: reduce the overhead associated with Active Directory replication; avoid extending the Active Directory schema to support an application; and partition the directory structure so that the AD LDS service is deployed only to the servers that need to support directory-enabled applications. The enhancements to AD LDS in Windows Server 2008 include:
- Install from Media Generation: the ability to create installation media for AD LDS with Ntdsutil.exe or Dsdbutil.exe.
- Auditing: audit the values changed within the directory service.
- Database Mounting Tool: lets you view the data within snapshots of the database file.
- Active Directory Sites and Services Support: lets you use Active Directory Sites and Services to manage the replication of AD LDS data changes.
- Dynamic List of LDIF files: with this feature you can associate custom LDIF files with the existing default LDIF files used to set up AD LDS on a server.
- Recursive Linked-Attribute Queries: LDAP queries can follow nested attribute links to determine additional attribute properties, such as group membership.
1.4.4 Active Directory Rights Management Services (AD RMS)

A service used together with AD RMS-enabled applications to protect important data (financial reports, customer information, orders, accounting records, and so on) from unauthorized users. With AD RMS you can define who may perform operations such as viewing, editing and printing on your data.
1.4.5 Active Directory Certificate Services (AD CS)

A service used to issue and manage certificates on systems that use public key technology. You can use AD CS to create Certification Authority (CA) servers. A CA receives certificate requests, processes them, and returns the certificates to the requester. The enhancements to AD CS in Windows Server 2008 include:
- Enrollment Agent Templates: delegated enrollment agents can be assigned per template.
- Integrated Simple Certificate Enrollment Protocol (SCEP): certificates can be issued to network devices such as routers.
- Online Responder: Certificate Revocation List (CRL) entries can be returned to the requester as a single certificate status response instead of the whole CRL. This reduces the total network traffic used when workstations validate certificates.
- Enterprise PKI (PKI View): a new management tool for AD CS that lets the Certificate Services administrator manage Certification Authority (CA) hierarchies to determine the overall health of the CAs and troubleshoot problems easily.

II. Administrative operations with Active Directory

1.5 Installing and administering Active Directory Domain Services

1.5.1 Preparation steps

- Hardware requirements: at least 250 MB of free disk space on an NTFS-formatted volume.
- Administrative rights: you must make sure you have the right to install the service you are about to install.
- When installing Active Directory on Windows Server 2008, DNS should be installed first with standard settings.
- The IP address must be static, and the DNS address must be the address of the server itself.
- Create a zone in DNS and enable dynamic updates for that zone. This is a mandatory requirement so that Active Directory can automatically register its own settings in DNS.
1.5.1.1 Setting the server's IP address

Open the network adapter settings and give the server the static IP address 192.168.1.1, with DNS also set to 192.168.1.1.

Figure 1.1

1.5.1.2 Installing and configuring DNS

Choose Start > Server Manager > Roles > DNS Server.
Right-click Forward Lookup Zones and choose New Zone.
Choose Next in the next window, and choose Primary zone in the window after that.
In the next window you can choose one of the following 3 options:
1. To all DNS servers in this forest: applies to all DNS servers in this forest.
2. To all DNS servers in this domain: applies to all DNS servers in this domain.
3. To all domain controllers in this domain: applies to all domain controllers in this domain.
Then choose Next to continue.
The installer asks you to enter a name for the new zone. Enter the name and choose Next.
In the next window choose Allow both nonsecure and secure dynamic updates. This is mandatory so that the Active Directory installation can automatically write its records into DNS.
Press Next to finish creating the new zone in DNS. Your work is not finished yet: open DNS, select the zone you just created, and you will see two records, SOA and NS.
These two records must be edited for the Active Directory installation to proceed correctly. Double-click the SOA record and correct it by appending the name of the zone just created to the record's names.
Edit the NS record in the same way.
Create a record to check whether the DNS system is working correctly. Here I create a Host (A) record Server01.fithou.net with the IP address 192.168.1.11.
Right-click the vnexperts.net zone and choose New Host (A).
Check that DNS works by going to Run, typing CMD, and in that window typing:
ping server01.fithou.net; if you get a reply, it succeeded.
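The DNS preparation above can also be scripted and verified. The PowerShell script below is an added example, not part of the report; it uses dnscmd.exe (installed with the DNS Server role) and WMI on Windows Server 2008, and takes the report's values: zone fithou.net, this server at 192.168.1.1, and the test host server01 at 192.168.1.11.

```powershell
$Zone     = 'fithou.net'
$ServerIp = '192.168.1.1'      # this DNS server; the NIC must point at itself (section 1.5.1.1)
$TestHost = 'server01'
$TestIp   = '192.168.1.11'

# Run dnscmd and turn a non-zero exit code into an error instead of silently carrying on.
function Invoke-Dnscmd([string[]]$Arguments) {
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $output" }
    return $output
}

# Check 1: a static address with DNS pointing at this server, as section 1.5.1 requires.
function Test-StaticIpWithSelfDns([string]$Ip) {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        if (-not $nic.DHCPEnabled -and ($nic.IPAddress -contains $Ip) -and ($nic.DNSServerSearchOrder -contains $Ip)) {
            return $true
        }
    }
    return $false
}

# Check 2: resolve a name through the system resolver (which points at this server) and compare.
function Test-ZoneRecord([string]$Fqdn, [string]$ExpectedIp) {
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
        return [bool]($addresses -contains $ExpectedIp)
    } catch { return $false }
}

if (-not (Test-StaticIpWithSelfDns $ServerIp)) { throw "Set a static IP of $ServerIp with DNS = $ServerIp first" }

# Zone creation with the same choices as the wizard: a standard primary zone stored in fithou.net.dns.
Invoke-Dnscmd @('/ZoneAdd', $Zone, '/Primary', '/file', "$Zone.dns")
# Dynamic update: 1 = nonsecure and secure (the wizard choice the report requires before promotion).
Invoke-Dnscmd @('/Config', $Zone, '/AllowUpdate', '1')
# The Host (A) record used as the sanity check.
Invoke-Dnscmd @('/RecordAdd', $Zone, $TestHost, 'A', $TestIp)

if (Test-ZoneRecord "$TestHost.$Zone" $TestIp) { "DNS OK: $TestHost.$Zone -> $TestIp" }
else { throw "DNS check failed for $TestHost.$Zone" }

# Once dcpromo has made the zone Active Directory-integrated, tighten it to secure-only updates
# (2 = secure only; dnscmd rejects this value on a zone that is not stored in AD DS):
#   dnscmd /Config fithou.net /AllowUpdate 2
```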

1.5.1.3 Notes

If you want to add this server to an existing forest running on Windows Server 2000 or Windows Server 2003, you must update the forest information with the command:
adprep /forestprep
If you want to add this server to an existing domain running on Windows Server 2000 or Windows Server 2003, you must update the domain and group policy information with the command adprep /domainprep /gpprep.
If you want to install a Read-Only Domain Controller, you must prepare the forest with the command adprep /rodcprep.
1.5.2 Installing the Active Directory Domain Services role

On Windows Server 2003, services such as DHCP and DNS were added through Add/Remove Windows Components. On Windows Server 2008 this is replaced by the Server Manager administration tool with its Roles and Features. Because Windows Server 2008 does not install these services by default, you must install the AD DS role before promoting the server to a Domain Controller. The installation steps are presented below:
Go to Server Manager > Roles > Add Roles.
Press Next to continue.
Tick Active Directory Domain Services and press Next to continue to the next step.
Press Next. The Active Directory Domain Services page introduces the service and lists some installation notes under Things to Note.
Choose Next to continue. The Confirm Installation Selections page asks for a final confirmation before installing. Choose Install.
Wait until the installation of the Active Directory Domain Services role completes.
Choose Close to finish.

1.5.3 Installing the first domain (root domain)

The first domain installed in Active Directory Domain Services is special for a couple of reasons: this server becomes the first domain controller for the new domain, and that domain becomes the root of the whole forest.
The installation steps are shown in detail below:
Go to Run, type dcpromo and choose OK.
Wait a few seconds while the system checks whether the AD DS role is installed. On the Welcome to the Active Directory Domain Services Installation Wizard page choose Next.
The Operating System Compatibility page tells you about Windows Server 2008 compatibility. Press Next to continue.
On the Choose a Deployment Configuration page choose Create a new domain in a new forest, to create a new domain in a new forest, and press Next to continue.
On the Name the Forest Root Domain page, type the domain name in FQDN of the forest root domain. Then choose Next and wait a few seconds while the system checks whether the domain name is already in use (for example: fithou.net).
On the Set Forest Functional Level page, you should choose Windows Server 2008 to take advantage of all the features. Then choose Next to continue.
On the Additional Domain Controller Options page, the system checks whether the DNS Server service exists and automatically selects DNS Server for installation. Note that you cannot install a Read-only domain controller on this first DC. Then press Next to continue.
Note: you may receive a warning if your machine is currently configured to use a dynamic IP address. For best results, DNS servers should use a static IP address, so the wizard gives you a chance to switch to one. Next, you may receive a warning that DNS could not find an authoritative parent zone. This only matters if you are installing a domain controller into an environment that is already fully set up. Since we are installing DNS from scratch in this process, we can ignore it.
Choose Next. The Location for Database, Log Files, and SYSVOL page lets you set the paths of the database, log files and SYSVOL. Leave the defaults under C:\Windows.
Choose Next to continue. On the Directory Services Restore Mode Administrator Password page, set the password. Note that this password is not the password of the domain Administrator account, and it must meet complexity requirements (characters such as a, A, @, 1 ...). For example, choose the password pass@word1.
Choose Next. The Summary page shows the information you set above. If it is correct and complete, choose Next to carry out the installation.
Wait for the system to finish installing, then choose Finish to end the installation.
You must restart the server for the installation to take effect.
Check the system.

1.5.4 Adding another DC to the domain

For a new Domain Controller server to operate with the same functionality as the first Domain Controller, it must:
- Provide DNS name resolution for the client machines.
- Provide authentication and the other data related to the Active Directory data.
The first server holds all the DNS data and the other DNS settings. For this second server to be able to answer the clients' DNS requests as well, we need to create a copy containing exactly the same DNS data as the first server. The steps are as follows:
Step 1: Configure the server dc1.fithou.net to allow other machines to create a Secondary Zone from it.
Choose Start > Server Manager > Roles > DNS Server.
Right-click Forward Lookup Zones. In the DNS window, select the forward lookup zones, which contain the zone fithou.net created in section 1.5.1.2. Right-click it and open the Zone Transfers tab.
Select Allow zone transfers; there are 3 options to choose from:
1. To any server: every computer can obtain the DNS data.
2. Only to the servers listed in the NS records (the default after promotion to a Domain Controller).
3. Only to the following servers.
After choosing, click OK to finish.
Step 2: Create a Secondary Zone on the other server that has been prepared for installation as a Domain Controller.
Install the DNS service as for the first DC (1.5.1.2). The only difference is that you choose Secondary zone.
Step 3: Set the IP address.
Set the DNS address to the DNS address of the server dc1.fithou.net, 192.168.1.11, and the server's own IP address to 192.168.1.12.
The DC installation follows the same steps as for the first domain, except that under Domain Controller Type you choose: Additional domain controller for an existing domain.

1.5.5 Adding a domain under the existing root domain

Prepare a computer with a fresh Windows Server installation, named dc3, with the address 192.168.100.13. The server dc3 will be the domain controller of the domain java.fithou.net.
Create a Secondary Zone of the DNS on the new server dc3, and set its IP and DNS addresses before installing Active Directory.
Set the IP address so that the computer dc3 can see the domain fithou.net.
The rest of the installation is the same as for the first domain (1.5.3), except that in the Create a new domain window you must choose Child domain in an existing domain tree.
At the step where the domain name is entered, enter the Parent domain as fithou.net and the Child domain as java.
The following steps are carried out in the same way.
Check: we now have the domain java.fithou.net.

1.5.6 Demoting a DC to a client

The steps are as follows:
1. Go to Run, type dcpromo.
2. On the Welcome to the Active Directory Domain Services Installation Wizard page choose Next.
3. On the Global catalog server notice, choose OK.
4. On the Delete the Domain page, choose Delete the domain because this server is the last domain controller in the domain.
5. Choose Next. On the Confirm Deletion page, choose Delete all application directory partitions on this Active Directory domain controller.
6. Choose Next. On the Administrator Password page, enter the password for the Administrator account.
7. Choose Next. On the Summary page, review the settings.
8. Choose Next and wait until the system asks for a Restart for the changes to take effect.
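The wizard steps in 1.5.3 to 1.5.6 can all be driven by dcpromo.exe with an answer file (dcpromo /unattend:<file>). The PowerShell function below is an added example, not from the report; it writes the [DCInstall] section for each of the four cases, using the report's names (fithou.net, the child domain java, the DSRM password pass@word1) and clearly marked placeholders where the report gives no value.

```powershell
function New-DcpromoAnswerFile {
    param(
        [string]$Mode,                                   # NewForest | Replica | ChildDomain | Demote
        [string]$DomainDnsName = 'fithou.net',
        [string]$ChildName = 'java',
        [string]$SafeModePassword = 'CHANGE-ME-DSRM',    # placeholder; DSRM password, not the domain Administrator's
        [string]$AdminUser = 'Administrator',
        [string]$AdminPassword = '*',                    # '*' makes dcpromo prompt rather than store the password here
        [string]$LocalAdminPassword = 'CHANGE-ME-LOCAL', # placeholder; local Administrator after demotion (1.5.6 step 6)
        [string]$Path = "$env:TEMP\dcpromo-$Mode.txt"
    )
    $lines = @('[DCInstall]')
    switch ($Mode) {
        'NewForest' {                          # 1.5.3: new domain in a new forest
            $lines += 'ReplicaOrNewDomain=Domain'
            $lines += 'NewDomain=Forest'
            $lines += "NewDomainDNSName=$DomainDnsName"
            $lines += 'ForestLevel=3'         # 3 = Windows Server 2008, as the report recommends
            $lines += 'DomainLevel=3'
            $lines += 'InstallDNS=Yes'
            $lines += "SafeModeAdminPassword=$SafeModePassword"
        }
        'Replica' {                            # 1.5.4: additional DC for an existing domain
            $lines += 'ReplicaOrNewDomain=Replica'
            $lines += "ReplicaDomainDNSName=$DomainDnsName"
            $lines += 'InstallDNS=Yes'
            $lines += 'ConfirmGc=Yes'
            $lines += "UserName=$AdminUser"
            $lines += "UserDomain=$DomainDnsName"
            $lines += "Password=$AdminPassword"
            $lines += "SafeModeAdminPassword=$SafeModePassword"
        }
        'ChildDomain' {                        # 1.5.5: child domain in an existing tree
            $lines += 'ReplicaOrNewDomain=Domain'
            $lines += 'NewDomain=Child'
            $lines += "ParentDomainDNSName=$DomainDnsName"
            $lines += "ChildName=$ChildName"
            $lines += 'DomainLevel=3'
            $lines += 'InstallDNS=Yes'
            $lines += "UserName=$AdminUser"
            $lines += "UserDomain=$DomainDnsName"
            $lines += "Password=$AdminPassword"
            $lines += "SafeModeAdminPassword=$SafeModePassword"
        }
        'Demote' {                             # 1.5.6: last DC in the domain, remove application partitions
            $lines += 'IsLastDCInDomain=Yes'
            $lines += 'RemoveApplicationPartitions=Yes'
            $lines += "AdministratorPassword=$LocalAdminPassword"
        }
        default { throw "Unknown mode: $Mode" }
    }
    $lines += 'RebootOnCompletion=Yes'
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

# First server of the forest (1.5.3). The file holds a password: delete it once the promotion has completed.
$answer = New-DcpromoAnswerFile -Mode NewForest -SafeModePassword 'pass@word1'
& dcpromo.exe "/unattend:$answer"
```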

1.5.7 Managing users, groups and Organizational Units (OUs)

1.5.7.1 Creating users, groups and Organizational Units

1.5.7.1.1 Creating a new user

The steps for creating a user are shown in detail below:
Open Server Manager. Click Roles > Active Directory Domain Services > Active Directory Users and Computers. Then click the domain.
Right-click Users and choose New > User.
On the New Object - User page, fill in the First name, Last name and Full name fields.
Note the User logon name field: this is the account name you use to log on to the domain, so remember it exactly and make sure it is unique. Complete the page and choose Next to continue.
On the password page, set the password that goes with the account name created above and is used to log on to the domain.
Note that the password must satisfy the default policies of Windows Server 2008. The password must be at least 7 characters long and contain the following components:
1. Lowercase letters: a, b, c, d, e...
2. Uppercase letters: A, B, C, D, E...
3. Digits: 1, 2, 3, 4, 5...
4. Special characters: @, !, $, &, #...
For example, choose the password: hanoi1-vietnam
There are some options for the password:
- User must change password at next logon: forces the user to change the password at the next logon.
- User cannot change password: the user is not allowed to change the password.
- Password never expires: the password never expires.
- Account is disabled: the account cannot be used.
Complete the page and choose Next to continue.
The next page shows the information about the user about to be created. Choose Finish to complete it.
Next, check that the user has been created: double-click Users and check.

1.5.7.1.2

To mi group

Cc bc to mi group c th hin chi tit di y:


Nhp chut phi vo User v chn New Group

Trang 50

Active Directory Windows Server 2008

Ti Group name g tn group.


C mt s ty chn v phm vi ca nhm v kiu ca nhm, la chn ph
hp v nhn OK

Trang 51

Active Directory Windows Server 2008

Kim tra group c to thnh cng.

Trang 52

Active Directory Windows Server 2008

1.5.7.1.3To Organizational Unit (OU)

Cc bc to OU c th hin chi tit di y.


nhp chut phi vo tn domain, chn New Organizational Unit

G tn OU vo Name. Nu bn mun cho php thao tc xa c


thc hin trn OU ny th b chn vo mc Protect container from
accidental deletion

Trang 53

Active Directory Windows Server 2008

1.5.7.2 Performing common administrative tasks

1.5.7.2.1 Setting the hours a user is allowed to log on to the domain

By default a user is allowed to log on 24 hours a day. To change this, proceed as follows:

Right-click the user just created and choose Properties.

Switch to the Account tab and click Logon Hours.

Select a time range and click Logon Denied (or Logon Permitted) to set the user's access time, then click OK to finish.
The figure shows a configuration in which this user can only log on from 8:00 to 19:00, Monday through Saturday.

1.5.7.2.2 Restricting the computers a user may log on to

For security reasons, not every user should be able to log on to any computer. To set this and specify which computers a user is allowed to use, follow these steps:
Right-click the user just created and choose Properties.
On the Account tab, click Log On To.
Select The following computers.
Type the name of a computer the user is allowed to log on to.
Click Add.
To remove one, click the computer name and choose Remove.
To rename one, click the computer name and choose Edit.
Click OK to confirm.

The Account tab also contains:
Unlock Account: select this when you want to unlock a locked-out account.
Account Options: the account policy settings.
Account Expires: how long the account remains valid. If you select End of and pick a date, the account expires at that date and can no longer be used (the object itself is not deleted).

1.5.7.2.3 Adding a user to a group
To add a user to a group, follow these steps:

Right-click the group and choose Properties.

On the Members tab, click Add.
In Enter the object names to select, type the name of the user to add to the group. Note that the user name must be the one entered in the User logon name field when the user was created.
After typing the name, click Check Names to verify it.

If the name exists, the following dialog appears; click OK to finish.

If the name you entered does not exist, the following dialog appears instead.

For convenience you can use Advanced to search.

1.5.7.2.4 Choosing a user to manage a group

Follow these steps:

Right-click the group and choose Properties.
Select the Managed By tab.
Click Change and type the name into Name. Click OK to finish.
On its own the Managed By entry is informational; the manager only gains the right to edit the membership if Manager can update membership list is also selected.

1.5.7.2.5 Moving a group into an OU
Follow these steps:

Right-click the group name and choose Move.

Select the OU name and click OK to finish.

1.5.7.2.6 Deleting a user, group or OU

The operation is simple: right-click the object, choose Delete and click Yes.
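Everything in 1.5.7.1 and 1.5.7.2 (OU, user, password options, logon hours, permitted workstations, group membership, group manager) is also reachable from a script, which is how a lab of many accounts is built repeatably. The script below is an added example and not part of the original report; it assumes it runs on a DC of fithou.net as a domain admin under PowerShell 2.0 using the ADSI provider (available without the AD module), and the OU, user, group, workstation name and UTC offset are lab values chosen here; the password is the page's own example. It also shows the one detail the GUI hides: logonHours is a 168-bit bitmap stored in UTC, so the 8:00 to 19:00 local window of 1.5.7.2.1 has to be shifted by the DC's time zone.

```powershell
# Added example: 1.5.7.1 and 1.5.7.2 through ADSI on Windows Server 2008 (PowerShell 2.0, no AD module).
# Assumed: run on a DC of fithou.net as a domain admin; names below are lab values chosen here.
$DomainDn = "DC=fithou,DC=net"

function New-LogonHoursBitmap {
    # logonHours is 21 bytes = 168 bits, one per hour of the week, bit 0 of byte 0 = Sunday 00:00 UTC.
    # ADUC displays local time, so shift by the DC's UTC offset (Hanoi is UTC+7).
    param([int[]]$Days, [int]$FromHour, [int]$ToHour, [int]$UtcOffset)
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {                        # 0 = Sunday ... 6 = Saturday
        for ($h = $FromHour; $h -lt $ToHour; $h++) {
            $bit = (($day * 24 + $h - $UtcOffset) % 168 + 168) % 168
            $i = [int][math]::Floor($bit / 8)
            $bytes[$i] = [byte]($bytes[$i] -bor [int][math]::Pow(2, $bit % 8))
        }
    }
    return ,$bytes
}

function New-LabOu {
    param([string]$Name)
    $ou = ([ADSI]"LDAP://$DomainDn").Create("organizationalUnit", "OU=$Name")
    $ou.SetInfo()
    return $ou
}

function New-LabUser {
    param([string]$OuDn, [string]$Logon, [string]$First, [string]$Last, [string]$InitialPassword)
    $u = ([ADSI]"LDAP://$OuDn").Create("user", "CN=$First $Last")
    $u.Put("sAMAccountName", $Logon)                   # "User logon name (pre-Windows 2000)"
    $u.Put("userPrincipalName", "$Logon@fithou.net")   # "User logon name"
    $u.Put("givenName", $First); $u.Put("sn", $Last); $u.Put("displayName", "$First $Last")
    $u.SetInfo()                                       # the object must exist before a password can be set
    $u.SetPassword($InitialPassword)                   # rejected if it fails the domain password policy
    $u.Put("userAccountControl", 512)                  # NORMAL_ACCOUNT, enabled (new users start disabled)
    $u.Put("pwdLastSet", 0)                            # "User must change password at next logon"
    $u.SetInfo()
    return $u
}

function Set-LabUserRestrictions {
    param($User, [byte[]]$LogonHours, [string[]]$Workstations)
    $User.Put("logonHours", $LogonHours)                        # 1.5.7.2.1 Logon Hours
    $User.Put("userWorkstations", ($Workstations -join ","))    # 1.5.7.2.2 Log On To (NetBIOS names)
    $User.SetInfo()
}

function New-LabGroup {
    param([string]$OuDn, [string]$Name, [string]$ManagerDn, [string[]]$MemberDns)
    $g = ([ADSI]"LDAP://$OuDn").Create("group", "CN=$Name")
    $g.Put("sAMAccountName", $Name)
    $g.Put("groupType", -2147483646)                   # global + security-enabled (0x80000002)
    $g.SetInfo()
    foreach ($dn in $MemberDns) { $g.Add("LDAP://$dn") }   # 1.5.7.2.3 Members tab
    $g.Put("managedBy", $ManagerDn)                    # 1.5.7.2.4 Managed By tab
    $g.SetInfo()
    return $g
}

function Find-LabUserDn {
    # The check ADUC does by hand: does the account exist? Returns its DN or $null.
    param([string]$Logon)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=person)(sAMAccountName=$Logon))")
    $hit = $searcher.FindOne()
    if ($hit) { return [string]$hit.Properties["distinguishedname"][0] } else { return $null }
}

$ouDn = "OU=Students,$DomainDn"
New-LabOu -Name "Students" | Out-Null
$user  = New-LabUser -OuDn $ouDn -Logon "nvan" -First "Nguyen" -Last "Van An" -InitialPassword "hanoi1-vietnam"
$hours = New-LogonHoursBitmap -Days @(1, 2, 3, 4, 5, 6) -FromHour 8 -ToHour 19 -UtcOffset 7   # Mon-Sat 8:00-19:00 local
Set-LabUserRestrictions -User $user -LogonHours $hours -Workstations @("MAY1")
$userDn = Find-LabUserDn -Logon "nvan"
New-LabGroup -OuDn $ouDn -Name "Lab08B6" -ManagerDn $userDn -MemberDns @($userDn) | Out-Null
```

Open the user in Active Directory Users and Computers afterwards: the Logon Hours grid should show the Monday to Saturday 8:00 to 19:00 block from 1.5.7.2.1, and Log On To should list MAY1. If the grid is shifted by seven hours, the UTC offset passed to New-LogonHoursBitmap does not match the DC's time zone.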

1.5.7.3 Delegation

One of the best features of Active Directory Domain Services is the ability to delegate. The administrator lets selected users perform specific administrative tasks, such as creating or deleting users, creating or deleting groups, or resetting user passwords.
To do this, follow these steps:
Right-click the domain name and choose Delegate Control, then click Next on the welcome page of the Delegation of Control Wizard. Rights granted at the domain root apply to every object in the domain, including administrative accounts, so in practice right-click the OU whose objects the delegate should manage instead.

In the Delegation of Control Wizard, click Add, then enter the user or group to which you want to delegate. Click Check Names, then OK, then Next to continue.

In the next dialog, choose the tasks to delegate to the objects selected in the previous step. The available tasks are:
o Create, delete, and manage user accounts
o Reset user passwords and force password change at next logon
o Read all user information
o Modify the membership of a group
o Join a computer to the domain
o Manage Group Policy links
o Generate Resultant Set of Policy (Planning): run RSoP in planning mode to simulate which policies would apply
o Generate Resultant Set of Policy (Logging): run RSoP in logging mode to report which policies actually applied
o Create, delete, and manage inetOrgPerson accounts
o Reset inetOrgPerson passwords and force password change at next logon
o Read all inetOrgPerson information

After choosing the appropriate tasks, click Next to continue.

Click Finish in the next window, which lists the selected objects and the rights delegated to them.

The wizard only adds permissions; it cannot remove them. To revoke a delegation, edit the object's ACL on the Security tab (Advanced) or with dsacls.
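What the wizard writes for the task "Reset user passwords and force password change at next logon" is two access-control entries on the container: the Reset Password extended right on user objects, and read/write on the pwdLastSet attribute of user objects. The script below is an added example and not part of the original report; it assumes it runs on a DC of fithou.net as a domain admin under PowerShell 2.0, the OU and the help-desk group are lab values chosen here, and the three GUIDs are the schema identifiers of the Reset Password control-access right, the pwdLastSet attribute and the user class. It grants the delegation on one OU, as recommended above, and reads the resulting ACEs back, which is also how you find what to remove later.

```powershell
# Added example: delegate "reset password + force change at next logon" on one OU, then audit it.
# Assumed: run on a DC of fithou.net as a domain admin (PowerShell 2.0); lab OU and group names.
$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # extended right: Reset Password
$PwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # attribute: pwdLastSet
$UserClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # class: user

function Grant-PasswordResetDelegation {
    param([string]$OuDn, [string]$GroupAccount)   # e.g. "OU=Students,DC=fithou,DC=net", "FITHOU\HelpDesk"
    $ou  = [ADSI]"LDAP://$OuDn"
    $sid = (New-Object System.Security.Principal.NTAccount($GroupAccount)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = $ou.psbase.ObjectSecurity
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $children = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    # ACE 1: the Reset Password control-access right, on user objects below the OU only
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $allow, $ResetPasswordRight, $children, $UserClass))
    # ACE 2: read/write pwdLastSet, which "force password change at next logon" needs
    $rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $rw, $allow, $PwdLastSetAttr, $children, $UserClass))
    $ou.psbase.CommitChanges()
}

function Get-DelegatedAces {
    # Explicit (non-inherited) ACEs on the OU for one principal: what the wizard, or this script, added.
    param([string]$OuDn, [string]$GroupAccount)
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -ieq $GroupAccount } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-PasswordResetDelegation -OuDn "OU=Students,DC=fithou,DC=net" -GroupAccount "FITHOU\HelpDesk"
Get-DelegatedAces -OuDn "OU=Students,DC=fithou,DC=net" -GroupAccount "FITHOU\HelpDesk" | Format-Table -AutoSize
```

The same two ACEs can be listed from the command line with dsacls "OU=Students,DC=fithou,DC=net"; comparing that output before and after running the wizard is the quickest way to see what any of the wizard's tasks really grants.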

1.5.8 Joining a client computer to the domain

After Active Directory Domain Services has been deployed and users, groups and OUs have been created, the next job is to join the workstations (clients) to the domain. Here a computer running Windows XP is joined to the domain fithou.net.
The steps are as follows:
First, configure the IP settings of the XP machine.
Enter a client IP address on the same subnet as the server; in this case class C addresses 192.168.1.x are used. Under Use the following DNS server addresses, enter the IP address of the DNS server set up when the DC was installed, in this case 192.168.1.1. Then click OK. The client must use the DC's DNS server: a public DNS server cannot resolve the domain's SRV records and the join fails with a "domain not found" error.

Right-click My Computer on the desktop and choose Properties.
On the Computer Name tab, click Change to continue.

In the Computer Name Changes dialog, enter the computer name, select Domain under Member of and enter the domain name, here fithou.net, then click OK to finish.

For security, the system asks you to log on to the domain with an account that has the right to join computers. Log on with
Username: Administrator
Any domain account can join up to 10 computers by default, and an account delegated the Join a computer to the domain task (1.5.7.3) is preferable to the domain Administrator for this routine job.

After a successful logon the welcome message appears. Click OK to continue.

Next the system asks you to restart the computer to complete the join; click OK.

After the restart, the system asks you to log on: press Ctrl+Alt+Delete. Choose Log on to: fithou.net to log on to the domain.

You can log on with any account, provided that account is allowed to log on to this computer at this time (as set up in 1.5.7.2.1 and 1.5.7.2.2).

At the first logon, because of the policy set by the administrator, you are asked to change the password. Enter the new password and click OK to complete the logon.

Check on the DC:
Go to Server Manager, Roles, Active Directory Domain Services, Active Directory Users and Computers, fithou.net, Computers. The XP machine, named MAY1, now appears in the domain.
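The same join can be done from a script, which also makes it natural to use a low-privilege join account instead of Administrator and to check the DNS prerequisite before trying. The script below is an added example and not part of the original report; it assumes PowerShell 2.0 on the client, the DNS setting from the steps above already applied, and a join account FITHOU\joiner that was delegated "Join a computer to the domain" (1.5.7.3); the account name and the target OU are lab values chosen here.

```powershell
# Added example: join MAY1 to fithou.net with a delegated join account and verify the result.
# Assumed: PowerShell 2.0 on the workstation; FITHOU\joiner and the OU are lab values chosen here.

function Find-DomainController {
    # The client locates a DC through the SRV records its DNS server returns; nltest prints "DC: \\name".
    param([string]$Domain)
    $out = & nltest /dsgetdc:$Domain 2>&1 | Out-String
    if ($out -match 'DC:\s*\\\\(\S+)') { return $Matches[1] }
    return $null
}

function Join-LabDomain {
    param([string]$Domain, [string]$JoinUser, [string]$JoinPassword, [string]$TargetOu)
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.PartOfDomain) { return "already a member of $($cs.Domain)" }
    if (-not (Find-DomainController $Domain)) {
        throw "No DC found for $Domain; the client's DNS server must be the DC (192.168.1.1 in this lab)"
    }
    # 1 = NETSETUP_JOIN_DOMAIN, 2 = NETSETUP_ACCT_CREATE: create the computer account during the join
    $result = $cs.JoinDomainOrWorkgroup($Domain, $JoinPassword, $JoinUser, $TargetOu, 3)
    switch ($result.ReturnValue) {
        0       { "joined $Domain; restart to finish" }
        5       { throw "access denied: $JoinUser may not join computers (or not into $TargetOu)" }
        1326    { throw "bad user name or password for $JoinUser" }
        2691    { "this computer is already joined" }
        8557    { throw "machine account quota exceeded for $JoinUser (default 10 per user)" }
        default { throw "join failed with Win32 error $($result.ReturnValue)" }
    }
}

function Test-SecureChannel {
    # After the restart: the computer account's secure channel to a DC must be healthy.
    param([string]$Domain)
    $out = & nltest /sc_query:$Domain 2>&1 | Out-String
    return ($out -match "Trusted DC Name")
}

$securePwd = Read-Host "Password for FITHOU\joiner" -AsSecureString
$plainPwd  = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
Join-LabDomain -Domain "fithou.net" -JoinUser "FITHOU\joiner" -JoinPassword $plainPwd -TargetOu "OU=Students,DC=fithou,DC=net"
# after the restart:  Test-SecureChannel -Domain "fithou.net"
```

Giving the join account only the delegated task, and a target OU, means a leaked join password cannot be used for anything beyond creating computer accounts in that OU, which is not true of the Administrator password the step above types into the dialog.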

1.6 Installing and administering Active Directory Federation Services (AD FS)

1.6.1 Tasks to perform before installing AD FS

For a visual simulation, four machines are used with the following requirements:

Computer  AD FS client/server role                 Operating system                IPv4/SM            DNS
MAY1      Client                                   Windows XP SP2 / Windows Vista  192.168.1.2/24     Preferred: 192.168.1.1
                                                                                                      Alternate: 192.168.1.13
DC1       Federation server and domain controller  W2K8 Enterprise                 192.168.1.1/24     192.168.1.1
WEB       Web server                               W2K8 Enterprise                 192.168.1.3/24     192.168.1.13
DC2       Federation server and domain controller  W2K8 Enterprise                 192.168.1.13/24    192.168.1.13

Tasks to perform before installing AD FS:

Install AD DS on DC1 with domain name fithou.net -> dc1.fithou.net. The domain fithou.net plays the role of the account organization (it holds the users).

Install AD DS on DC2 with domain name java.fithou.net -> DC2.java.fithou.net. The domain java.fithou.net plays the role of the resource organization (it hosts the application).

On DC1 (the account side, whose account store will be configured for this group later):
o create the global security group TreyClaimAppUsers
o create user u1 and add u1 to the group TreyClaimAppUsers

Join WEB to the domain java.fithou.net -> web.java.fithou.net, and install IIS.
Join MAY1 to the domain fithou.net -> MAY1.fithou.net.

1.6.2 Installing the AD FS role and configuring certificates

1.6.2.1 Installing AD FS

Perform these steps in turn on the two DCs, DC1 and DC2. Once the Federation Service is installed, both DCs are federation servers.
Step 1: Open Server Manager -> Roles -> Add Roles -> Next
Step 2: Select Active Directory Federation Services -> Next -> Next
Step 3: Select Federation Service -> select Add Required Role Services -> Next
Step 4: Select Create a self-signed certificate for SSL encryption -> Next
Step 5: Select Create a self-signed token-signing certificate -> Next
Step 6: Select Create a new trust policy -> Next -> Next
Step 7: Click Next -> Install -> Close

Self-signed certificates are acceptable for this lab only. In production the SSL certificate should be issued by a CA the clients already trust, and the token-signing certificate is the key that makes every token from this federation server believable to partners, so its private key must stay on the federation server and only its public part is handed to partners.

1.6.2.2 Configuring IIS (SSL) on the two federation servers

Perform these steps in turn on DC1 and DC2.
Step 1: Open IIS Manager -> the server node (DC1 or DC2) -> Sites -> Default Web Site
Step 2: Double-click SSL Settings
Step 3: Select Require SSL; under Client certificates select Accept -> Apply

1.6.2.3 Installing the AD FS Web Agent

Performed on the web server (WEB); the steps are those of 1.6.3 below.

1.6.3 Configuring the web server

Performed on the web server (WEB).
Step 1: Open Server Manager -> Roles -> Add Roles -> Next
Step 2: Select Active Directory Federation Services -> Next -> Next
Step 3: Select Claims-aware Agent -> Next -> Install -> Close
Step 4: Add the Client Certificate Mapping Authentication role service to the Web Server (IIS) role

1.6.3.1 Creating, exporting and importing certificates

1. Create a server authentication certificate for the web server (WEB)

Performed on the web server (WEB).
Step 1: Open IIS Manager -> WEB
Step 2: Double-click Server Certificates
Step 3: Under Actions, click Create Self-Signed Certificate
Step 4: Enter WEB -> OK
Step 5: Check that the web server now has the certificate

2. Export the token-signing certificate of the account server (DC1) to a file

Performed on the account server (DC1).
Step 1: Open Active Directory Federation Services
Step 2: Right-click Federation Service -> Properties
Step 3: General tab -> click View
Step 4: Details tab -> click Copy to File -> Next
Step 5: Click No, do not export the private key -> Next
Step 6: Click DER encoded binary X.509 (.CER) -> Next
Step 7: Enter C:\dc1_ts.cer -> Next -> Finish -> OK -> OK -> OK

3. Export the server authentication certificate of the resource server (DC2) to a file

Performed on the resource server (DC2).
Step 1: Open IIS Manager -> DC2
Step 2: Double-click Server Certificates
Step 3: Right-click DC2.java.fithou.net -> Export
Step 4: Enter C:\DC2.pfx in Export to, enter and confirm the password -> OK

A .pfx file contains the private key. For WEB to trust DC2's SSL certificate only the public certificate is needed, so outside a lab export it as a .cer (as in step 2 above) rather than copying DC2's private key to another machine.

4. Import the server authentication certificate of the resource server (DC2) into the web server (WEB)

Performed on the web server (WEB).
Step 1: Start -> Run -> mmc -> OK
Step 2: Click the File menu -> Add/Remove Snap-in
Step 3: Click Certificates -> Add -> Computer account -> Next -> Local computer -> Finish -> OK
Step 4: Certificates (Local Computer) -> Trusted Root Certification Authorities -> right-click Certificates -> All Tasks -> Import -> Next
Step 5: Enter \\dc2\c$\dc2.pfx -> Next
Step 6: Enter the password -> Next
Step 7: Next -> Finish -> OK
Step 8: Check that the certificate of the resource server (DC2) is present
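Step 8 is worth doing with more than a glance: the thing to confirm on WEB is that the certificate in Trusted Root is the one DC2 actually serves, that it has not been imported with its private key, and when the lab's short-lived self-signed certificates expire. The script below is an added example and not part of the original report; it assumes PowerShell 2.0 on WEB, the file and store names used in the steps above (the exported C:\dc1_ts.cer reached over the dc1 admin share, the Local Computer Trusted Root store), and that the expected thumbprint is read off Server Certificates in IIS Manager on DC2.

```powershell
# Added example: checks on the web server (WEB) after the certificate steps above.
# Assumed: PowerShell 2.0; paths and store names from the steps; thumbprint taken from DC2's IIS Manager.

function Get-StoreCertificates {
    param([string]$StoreName = "Root", [string]$Location = "LocalMachine")
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $certs = @($store.Certificates)
    $store.Close()
    return ,$certs
}

function Test-TrustedRootHygiene {
    # A Trusted Root entry with a private key on this machine means a .pfx was imported there (step 4, Step 5).
    # Trust needs only the public certificate; a root whose key lives on a web server can be stolen and used to sign.
    $withKey = @(Get-StoreCertificates "Root" | Where-Object { $_.HasPrivateKey })
    foreach ($c in $withKey) { Write-Warning ("Private key in Trusted Root: " + $c.Subject + " " + $c.Thumbprint) }
    return ($withKey.Count -eq 0)
}

function Test-ExpectedRoot {
    # The certificate imported from DC2 must be the one DC2 serves: compare thumbprints, not names.
    param([string]$ExpectedThumbprint)
    $hit = Get-StoreCertificates "Root" | Where-Object { $_.Thumbprint -ieq $ExpectedThumbprint }
    return ($hit -ne $null)
}

function Get-CertificateReport {
    # Also usable on the exported files: issuer, validity, and whether this machine can chain it to a trusted root.
    param([string]$Path, [int]$WarnDays = 30)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # self-signed lab certs publish no CRL
    $trusted = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        Trusted     = $trusted
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        ExpiresSoon = (($cert.NotAfter - (Get-Date)).Days -lt $WarnDays)
    }
}

Get-CertificateReport -Path "\\dc1\c$\dc1_ts.cer" | Format-List
Test-ExpectedRoot -ExpectedThumbprint "<thumbprint shown in IIS Manager on DC2>"
Test-TrustedRootHygiene
```

With the lab's self-signed certificates Get-CertificateReport reports SelfSigned as True and, for the token-signing certificate, Trusted as False on any machine that has not imported it; that is expected, because AD FS trusts the token-signing certificate through the partner policy rather than through the Windows root store. Test-TrustedRootHygiene returning False after step 5 above is the cost of importing the .pfx instead of a .cer.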

1.6.3.2 Configuring IIS on the web server

Performed on the web server (WEB).
Step 1: Open IIS Manager -> WEB -> Sites -> right-click Default Web Site -> Edit Bindings
Step 2: Click Add
Step 3: Under Type choose https; under SSL certificate choose WEB -> OK -> Close
Step 4: Double-click SSL Settings
Step 5: Select Require SSL; under Client certificates select Accept -> Apply

1.6.3.3 Creating and configuring the application

Step 1: Create the folder claimapp in C:\inetpub\wwwroot. Copy the 3 files ... into the folder C:\inetpub\wwwroot\claimapp
Step 2: Open IIS Manager -> WEB -> Sites -> right-click Default Web Site -> Add Application
Step 3: Under Alias enter ClaimApp; under Application pool choose Classic .NET AppPool; under Physical path choose C:\inetpub\wwwroot\claimapp -> OK

1.6.4 Configuring the federation servers

1.6.4.1 Configuring the Federation Service for the domain fithou.net (account domain)

Performed on the account server (DC1).
1. Configure the trust policy for the domain fithou.net
Step 1: Open AD FS -> Federation Service -> right-click Trust Policy -> Properties
Step 2: General tab, under Federation Service URI enter urn:federation:fithou
Step 3: Display Name tab, under Display name for this trust policy enter dc1 -> OK

2. Create the group claim for the application
Step 1: Federation Service -> Trust Policy -> My Organization -> right-click Organization Claims -> New -> Organization Claim
Step 2: Under Claim name enter java.fithou.net ClaimApp Claim -> OK
Step 3: Confirm that java.fithou.net ClaimApp Claim exists

3. Add and configure the AD DS account store

Add the AD DS account store
Step 1: Federation Service -> Trust Policy -> My Organization -> right-click Account Stores -> New -> Account Store -> Next
Step 2: Click Next
Step 3: Click Next -> Finish
Step 4: Confirm that the AD DS account store has been added

Configure the AD DS account store
Step 1: Federation Service -> Trust Policy -> My Organization -> Account Stores -> right-click Active Directory -> New -> Group Claim Extraction
Step 2: Click Add -> enter TreyClaimAppUsers -> OK, map it to the organization claim java.fithou.net ClaimApp Claim -> OK
Step 3: Confirm that the group TreyClaimAppUsers is present. This extraction is the authorization decision: only members of TreyClaimAppUsers in fithou.net receive the group claim the application later checks.

1.6.4.2 Configuring the Federation Service for the domain java.fithou.net (resource domain)

Performed on the resource server (DC2).
1. Configure the trust policy for the domain java.fithou.net
Step 1: Open AD FS -> Federation Service -> right-click Trust Policy -> Properties
Step 2: General tab, under Federation Service URI enter urn:federation:java.fithou
Step 3: Display Name tab, under Display name for this trust policy enter dc2 -> OK

2. Create the group claim for the application
Step 1: AD FS -> Federation Service -> Trust Policy -> My Organization -> right-click Organization Claims -> New -> Organization Claim
Step 2: Under Claim name enter fithou ClaimApp Claim -> OK
Step 3: Confirm that fithou ClaimApp Claim exists

3. Add the AD DS account store
Step 1: AD FS -> Federation Service -> Trust Policy -> My Organization -> right-click Account Stores -> New -> Account Store -> Next
Step 2: Next
Step 3: Next -> Finish
Step 4: Confirm that the AD DS account store has been added

4. Add and configure the application

Add the application
Step 1: AD FS -> Federation Service -> Trust Policy -> My Organization -> right-click Applications -> New -> Application -> Next
Step 2: Click Next
Step 3: Under Application display name enter Claims-aware Application. Under Application URL enter https://web.java.fithou.net/claimapp/ -> Next
Step 4: Select User principal name (UPN) -> Next
Step 5: Click Next -> Finish
Step 6: Confirm that the application has been added

Configure the application
Step 1: Under Applications -> Claims-aware Application -> right-click fithou ClaimApp Claim -> Enable
Step 2: Confirm that the claim is enabled for the application

1.6.4.3 Configuring the federation trust

1. Export the trust policy from fithou.net
Performed on DC1.
Step 1: AD FS -> Federation Service -> right-click Trust Policy -> Export Basic Partner Policy
Step 2: Click Browse -> enter C:\dc1 -> Save -> OK

2. Import the fithou trust policy into java.fithou (add fithou.net as an account partner)
Performed on DC2.
Step 1: AD FS -> Federation Service -> Trust Policy -> Partner Organizations -> right-click Account Partners -> New -> Account Partner -> Next
Step 2: Under Partner interoperability policy file enter \\dc1\c$\dc1.xml -> Next
Step 3: Click Next
Step 4: Click Next
Step 5: Click Next
Step 6: Click Next
Step 7: Enter fithou.net -> Add -> Next (accepted UPN suffixes)
Step 8: Enter fithou.net -> Add -> Next (accepted e-mail suffixes)
Step 9: Click Next -> Finish
Step 10: The Account Partner has been added

The exported policy file carries DC1's token-signing certificate (its public key), its Federation Service URI and endpoint URL; importing it is what makes DC2 accept tokens signed by DC1. Check that the file really came from DC1, for example by comparing the certificate's thumbprint with the one shown in step 2 of 1.6.3.1, before importing it.

3. Create a claim mapping in java.fithou
Performed on DC2.
Step 1: AD FS -> Federation Service -> Trust Policy -> Partner Organizations -> Account Partners -> right-click dc1 -> New -> Incoming Group Claim Mapping
Step 2: Under Incoming group claim name enter ClaimAppMapping, mapped to the organization claim fithou ClaimApp Claim -> OK
Step 3: ClaimAppMapping has been added

4. Export the partner policy from java.fithou
Performed on DC2.
Step 1: AD FS -> Federation Service -> Trust Policy -> Partner Organizations -> Account Partners -> right-click dc1 -> Export Policy
Step 2: Click Browse -> enter C:\dc2 -> Save -> OK

5. Import the java.fithou partner policy into fithou
Performed on DC1.
Step 1: AD FS -> Federation Service -> Trust Policy -> Partner Organizations -> right-click Resource Partners -> New -> Resource Partner -> Next
Step 2: Click Yes -> under Partner interoperability policy file enter \\dc2\c$\dc2.xml -> Next
Step 3: Click Next
Step 4: Click Next
Step 5: Click Next
Step 6: Select Replace all UPN suffixes with the following and enter fithou.net -> Next
Step 7: Click Next
Step 8: Under Mapping choose java.fithou.net ClaimApp Claim (the organization claim created in 1.6.4.1) -> Next
Step 9: Click Next -> Finish
Step 10: The Resource Partner has been added

1.6.5 Accessing the application from the client

1.6.5.1 Configuring IE to trust the server dc1.fithou.net

On the client may1.fithou.net:
Step 1: Log on as u1
Step 2: Open IE -> Tools -> Internet Options -> Security -> Local intranet -> Sites -> Advanced -> under Add this Web site to the zone enter https://dc1.fithou.net -> Add -> OK -> OK -> OK
Placing the federation server in the Local intranet zone lets IE perform integrated Windows authentication to it silently, which is what makes the sign-on "single". Add only that host, not the whole domain, so that the user's credentials are not sent automatically to every server in fithou.net.
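The zone mapping from step 2 is a per-user registry setting, so it can be applied and, more usefully, audited from a script: the audit shows whether someone has mapped a whole domain or an http scheme instead of just https://dc1. The script below is an added example and not part of the original report; it assumes PowerShell 2.0 on the client and relies only on the registry layout IE uses for zone mappings (ZoneMap\Domains\<domain>\<host>, a DWORD named after the scheme whose value is the zone number).

```powershell
# Added example: the Local intranet mapping of 1.6.5.1 step 2 applied for the current user and read back.
# Assumed: PowerShell 2.0 on the client; IE's ZoneMap registry layout.
$ZoneMap       = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$LocalIntranet = 1   # zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet

function Add-IntranetHost {
    # Maps <scheme>://<hostname>.<domain> only. Mapping the domain key itself would let IE send the
    # user's Windows credentials to every host in the domain.
    param([string]$Domain, [string]$HostName, [string]$Scheme = "https")
    $key = Join-Path (Join-Path $ZoneMap $Domain) $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $LocalIntranet -PropertyType DWord -Force | Out-Null
}

function Get-ZoneMappings {
    # Lists every host/scheme mapping under a domain, so broad entries (a "*" scheme, or http) stand out.
    param([string]$Domain)
    $domainKey = Join-Path $ZoneMap $Domain
    if (-not (Test-Path $domainKey)) { return @() }
    $rows = @()
    foreach ($sub in Get-ChildItem $domainKey) {
        $props = Get-ItemProperty $sub.PSPath
        foreach ($scheme in @("http", "https", "*")) {
            if ($props.$scheme -ne $null) {
                $rows += New-Object PSObject -Property @{
                    Site   = "$($sub.PSChildName).$Domain"
                    Scheme = $scheme
                    Zone   = $props.$scheme
                }
            }
        }
    }
    return $rows
}

Add-IntranetHost -Domain "fithou.net" -HostName "dc1"
Get-ZoneMappings -Domain "fithou.net" | Format-Table Site, Scheme, Zone -AutoSize
```

The expected output is a single row, dc1.fithou.net with scheme https in zone 1. Anything else under fithou.net, in particular an http entry or a mapping of the bare domain, widens the set of servers that receive the user's Kerberos or NTLM credentials without a prompt.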

1.6.5.2 Accessing the application from the Windows XP client

On the client may1.fithou.net:
Step 1: Log on as u1
Step 2: Open IE -> enter https://web.java.fithou.net/claimapp -> under Choose your home realm choose dc1 -> Submit
Step 3: The SSO Sample application appears. The home-realm choice sends the browser to dc1.fithou.net, which authenticates u1 with Windows authentication and issues a token carrying the group claim from 1.6.4.1; DC2 accepts the token because of the account partner trust and maps the claim for the application, so u1 is never asked for a java.fithou.net password.
