TERM PROJECT
Course: Network Administration
Topic (06):
Introduction to administrative operations with Active Directory in Windows Server 2008
Qung Vn Lim
Class: 08B6
Hanoi - 2010
Page 2
TABLE OF CONTENTS
I. Introduction to Active Directory (DC) ..... 4
1.1 What is Active Directory? ..... 4
1.2 Why deploy Active Directory? ..... 5
1.3 Basic units of Active Directory ..... 5
1.3.1 Directory ..... 5
1.3.2 Domain ..... 6
1.3.3 Domain Controller ..... 6
1.3.4 Forest ..... 7
1.3.5 Organizational unit ..... 7
1.3.6 Object ..... 7
1.3.7 Schema ..... 7
1.3.8 Site ..... 8
1.3.9 Tree ..... 8
1.3.10 Trust ..... 8
1.3.11 Infrastructure Master and Global Catalog ..... 8
1.3.12 LDAP ..... 9
1.3.13 Group Policy management ..... 10
1.4 Active Directory services ..... 12
1.4.1 Active Directory Domain Services (AD DS) ..... 12
1.4.2 Active Directory Federation Services (AD FS) ..... 13
1.4.3 Active Directory Lightweight Directory Services (AD LDS) ..... 14
1.4.4 Active Directory Rights Management Services (AD RMS) ..... 15
1.4.5 Active Directory Certificate Services (AD CS) ..... 15
II. Administrative operations with Active Directory ..... 16
1.5 Installing and administering Active Directory Domain Services ..... 16
1.5.1 Preparation steps before installation ..... 16
1.5.2 Installing the Active Directory Domain Services role ..... 23
1.5.3 Installing the first domain (the primary domain) ..... 29
1.5.4 Adding another DC to the domain ..... 40
1.5.5 Adding a domain based on the existing primary domain ..... 43
1.5.6 Demoting a DC to a client ..... 46
1.5.7 Managing users, groups and Organizational Units (OU) ..... 46
1.5.8 Joining client machines to the domain ..... 64
1.6 Installing and administering Active Directory Federation Services (AD FS) ..... 71
1.6.1 Tasks to perform before installing ADFS ..... 71
1.6.2 Installing the ADFS role and configuring certificates ..... 72
1.6.3 Configuring the web server ..... 77
1.6.4 Configuring the federation server ..... 125
1.6.5 Accessing the application from the client ..... 125
I. Introduction to Active Directory (DC)
1.2 Why deploy Active Directory?
1.3.1 Directory
1.3.2 Domain
1.3.4 Forest
1.3.12 LDAP
The root directory has child branches
branch
such as printers)
An LDAP directory can be distributed across multiple servers. Each server can hold a replica of the whole directory, and the replicas are synchronized periodically.
Administrators need to understand LDAP when searching for information in Active Directory, and need to build useful LDAP queries to find the information stored in the Active Directory database.
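As an added example (not code from the original report), the following Python builds the kind of LDAP search filter an administrator would send to Active Directory, for instance to find a user by sAMAccountName or the members of a group, while escaping assertion values as RFC 4515 requires. The escaping matters whenever part of the filter comes from user input: without it, characters such as "(", ")" and "*" in the value change the meaning of the query. The group DN used in the demonstration is constructed for this example.

```python
# Added example, not code from the original report: building LDAP search
# filters for Active Directory with the escaping that RFC 4515 requires, so a
# value taken from user input cannot alter the structure of the query.
import re

# Attribute names in a filter are either descriptors (letters, digits, hyphens)
# or numeric OIDs; anything else is rejected rather than interpolated.
_ATTR_RE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter.

    RFC 4515 gives ( ) * \\ and NUL special meaning; each is replaced by a
    backslash followed by the two-digit hex code of the character.
    """
    escaped = []
    for ch in value:
        if ch in '()*\\\x00':
            escaped.append('\\%02x' % ord(ch))
        else:
            escaped.append(ch)
    return ''.join(escaped)


def equals(attribute: str, value: str) -> str:
    """Return an equality filter such as (sAMAccountName=u1)."""
    if not _ATTR_RE.match(attribute):
        raise ValueError('invalid LDAP attribute name: %r' % attribute)
    return '(%s=%s)' % (attribute, escape_filter_value(value))


def all_of(*filters: str) -> str:
    """AND-combine filters: (&(a=1)(b=2))."""
    return '(&' + ''.join(filters) + ')'


def any_of(*filters: str) -> str:
    """OR-combine filters: (|(a=1)(b=2))."""
    return '(|' + ''.join(filters) + ')'


def user_by_account_name(account_name: str) -> str:
    """Filter that finds one user object by sAMAccountName."""
    return all_of(equals('objectClass', 'user'),
                  equals('sAMAccountName', account_name))


def members_of_group(group_dn: str) -> str:
    """Filter that finds users whose memberOf attribute lists the group DN.

    The DN is an assertion value here, so it is escaped like any other value.
    """
    return all_of(equals('objectClass', 'user'), equals('memberOf', group_dn))


def is_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == '__main__':
    # Constructed inputs: a plain account name and one containing filter
    # metacharacters. Both yield a single, well-formed equality assertion.
    for name in ('u1', 'u(1)*'):
        print(user_by_account_name(name))
    # The DN below is constructed for this example (group name from the report).
    print(members_of_group('CN=TreyClaimAppUsers,CN=Users,DC=java,DC=fithou,DC=net'))
```

The helpers build the filter string only; sending it to a domain controller is left to whichever LDAP client (ldp.exe, dsquery, or a library) the administrator uses.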
directory service.
II. Administrative operations with Active Directory
Preparation steps before installation
Hardware requirements
At least 250 MB of free disk space, formatted as NTFS
Administrative privileges
Set the IP address of the server
Figure 1.1
Install and configure DNS
1.5.1.3
ch
Click Next. The Active Directory Domain Services page introduces the service and lists some points to be aware of during installation under Things to Note.
1.5.3 Installing the first domain (the primary domain)
Click Next. The Location for Database, Log File, and SYSVOL page lets you set the paths for the database, the log file and SYSVOL. Leave the defaults under C:\Windows.
1.5.4 Adding another DC to the domain
Step 3: Set the IP address
1.5.5 Adding a domain based on the existing primary domain
fithou.net
1.5.6 Demoting a DC to a client
1.5.7 Managing users, groups and Organizational Units (OU)
1.5.7.1
1.5.7.1.1 Creating a new user
1. Lowercase letters: a, b, c, d, e, ...
2. Uppercase letters: A, B, C, D, E, ...
3. Digits: 1, 2, 3, 4, 5, ...
4. Special characters: @, !, $, &, #, ...
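As an added example (not code from the original report), the following Python checks a candidate password against the four character categories listed above, the way a domain's password complexity policy does before a new user account is accepted. The rule that at least three of the four categories must appear, the minimum length of 7 characters, and the check that the account name does not occur inside the password are assumptions chosen for this example; the report itself states only the categories.

```python
# Added example, not from the original report: checking a candidate password
# against the four character categories listed above. The "three of four
# categories" rule, the minimum length and the account-name check are
# assumptions made for this example, not values stated in the report.
import string

CATEGORIES = {
    'lowercase': set(string.ascii_lowercase),
    'uppercase': set(string.ascii_uppercase),
    'digit': set(string.digits),
    'special': set(string.punctuation),
}
MIN_CATEGORIES = 3      # assumption for this example
MIN_LENGTH = 7          # assumption for this example
NAME_PART_LENGTH = 3    # account names this long or longer are checked


def categories_present(password: str) -> set:
    """Return the names of the character categories that occur in password."""
    return {name for name, chars in CATEGORIES.items()
            if any(c in chars for c in password)}


def contains_account_name(password: str, account_name: str) -> bool:
    """True if the account name appears inside the password, ignoring case.

    Very short names (fewer than NAME_PART_LENGTH characters) are not checked,
    because almost any password would contain them by accident.
    """
    name = account_name.strip().lower()
    return len(name) >= NAME_PART_LENGTH and name in password.lower()


def check_password(password: str, account_name: str = '') -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append('shorter than %d characters' % MIN_LENGTH)
    found = categories_present(password)
    if len(found) < MIN_CATEGORIES:
        missing = ', '.join(sorted(set(CATEGORIES) - found))
        problems.append('uses %d character categories, need at least %d (missing: %s)'
                        % (len(found), MIN_CATEGORIES, missing))
    if contains_account_name(password, account_name):
        problems.append('contains the account name')
    return problems


if __name__ == '__main__':
    # Constructed sample inputs: one too simple, one containing the account
    # name, and one that satisfies every rule.
    for pw, acct in (('abcdefg', 'u1'), ('Fithou2010!', 'fithou'), ('Xy7$kQ2m', 'u1')):
        print(pw, '->', check_password(pw, acct) or 'OK')
```

The function returns the list of violations rather than a bare boolean so that the caller can tell the user which rule failed, which is what the Active Directory Users and Computers wizard does when it rejects a password.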
The next page summarizes the user that is about to be created. Click Finish to complete the wizard.
Next, verify that the user was created: double-click Users and check
1.5.7.1.2 Creating a new group
1.5.7.2
1.5.7.2.1 Setting the hours during which a user is allowed to log on to the domain.
Select the time range and click Logon Denied to set the user's access hours, then click OK to finish.
The figure below shows a setting that allows this user to log on only from 8:00 to 19:00, Monday through Saturday.
1.5.7.2.2
The Account tab also contains the following items:
Unlock Account: select this when you want to unlock the account.
Account Options: sets the policies for the account.
Account Expires: how long the account exists. If you select End of and pick a date beside it, the account expires at that time and is lost.
1.5.7.2.3 Adding a user to a group
To add a user to a group, follow these steps:
1.5.7.2.5 Moving a group into an OU
Follow these steps:
1.5.7.2.6
Delegation
1.5.8 Joining client machines to the domain
After Active Directory Domain Services has been deployed successfully and the users, groups and OUs have been created, the next task is to join the workstations (clients) to that domain. Here we try joining a machine running Windows XP to the domain fithou.net.
The concrete steps are as follows:
First, set the IP address on the XP machine.
Enter a client IP address in the same subnet as the server's IP; in this case the class C network 192.168.1.x is used. Under Use the following DNS server addresses, enter the IP address of the DNS server that you set up when installing the DC, which in this case is 192.168.1.1. Then click OK.
After a successful logon the following message appears. Click OK to continue.
1.6.1 Tasks to perform before installing ADFS
Lab machines (ADFS client/server role, operating system, IPv4 address/subnet mask and DNS server of each):

Machine   ADFS client/server role   Operating system   IPv4/SM           DNS
Client
DC1                                 W2K8 Enterprise    192.168.1./24     192.168.1.1
WEB       Web server                W2K8 Enterprise    192.168.1.3/24    192.168.1.13
DC2                                 W2K8 Enterprise    192.168.1.13/24   192.168.1.13
Install AD DS on machine DC1 with domain name fithou.net > dc1.fithou.net. The domain fithou.net plays the role of the resource organization.
Install AD DS on machine DC2 with domain name java.fithou.net > DC2.java.fithou.net. The domain java.fithou.net plays the role of the account organization.
On machine DC2:
o Create the security global group TreyClaimAppUsers
o Create the user u1 and add u1 to the group TreyClaimAppUsers
1.6.2 Installing the ADFS role and configuring certificates
Step 3: Select Federation Service -> select Add Required Role Services -> Next
Step 4: Select Create a self-signed certificate for SSL encryption -> Next
Step 6: Select Create a new trust policy -> Next -> Next
Step 3: Select Require SSL; under Client certificates select Accept -> Apply
1.6.3 Configuring the web server
Step 3: Select Claims-aware Agent -> Next -> Install -> Close
2.4.
Step 5: Click No, do not export the private key -> Next
Step 7: Enter C:\dc1_ts.cer -> Next -> Finish -> OK -> OK -> OK
3.
Step 1: Open IIS Manager -> WEB -> Sites -> right-click Default Web Site -> Edit Bindings
Step 3: Under Type select https; under SSL certificate select WEB -> OK -> Close
Step 5: Select Require SSL; under Client certificates select Accept -> Apply
4.
Step 3: On the Display Name tab, under Display name for this trust policy, enter dc1 -> OK
Step 3: On the Display Name tab, under Display name for this trust policy, enter dc2 -> OK
Step 2: Next
Configuring the application
Step 1: Under Applications -> Claims-aware Application -> right-click fithou ClaimApp Claim -> Enable
Step 1: ADFS -> Federation Service -> Trust Policy -> Partner Organizations -> Account Partners -> right-click dc1 -> New -> Incoming Group Claim Mapping
Step 6: Select Replace all UPN suffixes with the following and enter fithou.net -> Next
5.
Step 2: Open IE -> Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced -> Add this Web site to the zone: enter https://dc1.fithou.net -> Add -> OK -> OK -> OK
1.6.4 Configuring the federation server
1.6.5 Accessing the application from the client