Video 1 Welcome To Windows Server 2008 Active Directory
In this video:
2007, MCSA, MCDBA, MCT, A+, Net+, CIW, and a few others
2 Year Tour of Duty as an Inner City High School Teacher in Chicago
Launched a couple hundred careers
Casual Training Method that teaches real skills first
Scenario-Based Training to answer the question "Why does this change my life?"
9/24/2008
What's on the hit parade for this one, Coach? Can we dance to it?
2. What is Active Directory?
3. The First Two Domain Controllers
4. Setting Up Remote Desktop on Your Personal Vista Client
5. Creating Organizational Units, User and Computer Accounts, and Groups
6. Sharing Stuff On Servers
7. Get Your Control Freak On!
8. How to Make Your Boss Mad and then Fix it Really Fast
9. Make Your Life Easier with Computer Policies and Preferences
10. How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk
11. What's My P@ssw0rd again?
12. Passing the Buck
13. Creating Backup Solutions BEFORE Stuff Blows Up
14. Reducing Single Points of Failure
15. Monitoring, Auditing, and Defragging
16. Creating the Chicago Location
17. How To Give People Access to Stuff That's 790 Miles Away
18. Creating The Dallas Branch Office
19. Bringing an OU and Users Back from the Dead
20. What Do You Do When A Domain Controller Blows Up?
21. Get Your Old Domain Controllers Up To Date
22. Connecting the Continents
23. Certification: It's Really Not That Scary
24. DNS Stuff
25. Active Directory Certificate Services 101
26. Active Directory Lightweight Directory Services 101
27. Active Directory Rights Management 101
Here's the story about a man named Hank. You are the newly hired Systems Administrator for a new startup company called Globomantics, a stock brokerage. Hank Richards, our Founder and CEO, is a rough and tumble Texan who isn't the most tech savvy individual, but knows the value of having good people who know the ropes when it comes to computers. You'll have the rare opportunity to build out the corporate network, specifically Active Directory, for Globomantics, including:
The Main Office in New York
The Chicago Office
The Dallas Branch Office
And melding networks with a small company in Tokyo, Verde Petra, which Hank will buy out.
In this video:
Active Directory is the Brain of a Windows Server Network. It's a database that keeps track of a huge amount of stuff and gives us a centralized way to manage all our network machines, users, and resources: Services (i.e. Email, etc.), Users and Groups.
We say that these items are Objects in the Active Directory Database.
As a matter of fact, every time you log in to a corporate network, you're using Active Directory.
Domain Controller: "Hold up, let me check the Active Directory Database to see if you get access!"
Domain Controller: "Ok, I see your User Account, it's valid, and it has these permissions. Here ya go!"
Think of it as the Boss of your network. You may have multiple Domain Controllers that all have copies of the same Active Directory database.
[Figure: three Domain Controllers, each holding a copy of the database]
What is a Domain?
Train Signal, Inc. Coach Culbertson
CL1.globomantics.com
CL2.globomantics.com
globomantics.com
(Forest Root)
Na.globomantics.com
A Forest is comprised of ALL the Domains in your Enterprise. Your Forest may only have one domain!
Users are also part of the namespace. Example: Your email address is part of a domain namespace: hrichardson@globomantics.com. Note: Email-like logins are also called User Principal Names when used to log into a Server 2008 network.
Servers need jobs, too. A Server Role is a major job that a Server can perform. It's recommended that a Server not have too many Roles. A Domain Controller usually has only two Roles: Active Directory Domain Services and DNS.
What is DNS?
What We Covered
Define briefly what Active Directory is
Describe the three primary types of Objects that Active Directory provides
Define what a Domain Controller is
Describe a Forest
Describe a Domain
Define briefly what a Server Role is
In this video:
Building the Brain of the Globomantics Network
Quick Server 2008 Requirements and Editions Check
The Bare Metal Installation Process
The Initial Configuration Task List
Installation of Active Directory Domain Services
Setting up a Second Domain Controller
Can We Talk? Replication Testing
We're setting up two almost identical DCs for fault tolerance and better performance. If one crashes, we have another!
globomantics.com
Forest Root Domain
Hardware Requirements:
http://www.microsoft.com/windowsserver2008/en/us/system-requirements.aspx
Component | Requirement
Processor | Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor). Recommended: 2 GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems.
Memory | Minimum: 512 MB RAM just to install. Recommended: 2 GB RAM or greater. Coach Says: As much as you can get!
Disk Space | Minimum: 10 GB available. Recommended: 40 GB or greater. Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files.
Other BFO Stuff (BFO: Blinding Flash of the Obvious) | DVD-ROM drive, Super VGA (800 x 600) or higher resolution monitor, Keyboard and Microsoft Mouse or compatible pointing device, NIC
Which Edition of Server 2K8 should we use for our first two DCs?
http://www.microsoft.com/windowsserver2008/en/us/editions.aspx
Edition | Description | Price | Max. RAM for 32-bit | Max. RAM for 64-bit | When to use
Standard | Does almost everything | $999 w/5 CALs | 4 GB | 32 GB | Small to medium environments, File and Print Servers, less intensive applications
Enterprise | Does it all | $3999 w/25 CALs | 64 GB | 2 TB | Large environments, clustering
Datacenter | All that and a bag of chips | $2999 PER PROCESSOR | 64 GB | 2 TB | For massive environments; includes unlimited virtualization licenses!
Web | Just a Web Server (IIS 7.0) | $469 | 4 GB | 32 GB | You don't need me to explain this. Really, you don't.
Itanium | For high-end web/application servers | $2,999 | N/A | 2 TB | When you need to run super powered databases or high end applications. Only has the Application Server Role.
And the winner for Globomantics Edition for the first 2 DCs is...
The Initial Configuration Task list is sheer hedonistic convenience. It groups together all the common tasks that you have to set up in one convenient place. We will need to:
Configure Time Zone info
Configure the network settings for 192.168.5.2 and an initial DNS server
Rename the computer to NYDC1-2K8 and reboot
Configure Automatic Updates and Feedback
Configure Remote Desktop (Optional)
Turn off the ICT from coming back, because it's annoying after set-up
Passwords
It's a good idea to change the name of your Domain Administrator account and its password for security. When you create a domain on your first Server, the Local Administrator Password becomes the Domain Administrator Password for all the machines in your domain!
globomantics.com
Forest Root Domain The first password you create is the Local Administrator only for this one Server!
globomantics.com
Forest Root Domain
NY-DC1-2K8 IP:192.168.5.2
NY-DC2-2K8 IP:192.168.5.3
1. Install Server 2K8 Bare Metal.
2. Configure the basic stuff using the ICT.
3. Install the AD DS Role.
4. Run DCPromo.
When we run DCPromo this time, we will be adding a Domain Controller to the domain we just created, globomantics.com.
1. Install Server 2K8 Bare Metal.
2. Configure the basic stuff using the ICT.
3. Install the AD DS Role binaries.
4. Run DCPromo.
DCs need to be able to talk and keep duplicate records in their respective databases. When something changes in the domain, those changes have to be communicated and recorded.
"Hey, the admin just added three OUs, four user accounts, and renamed one of the old user accounts."
"Great, I'll record your changes, too."
"Got it, I'll record those changes in my copy of the Active Directory database. Here's the changes I've received."
The easiest way to check replication:
1. Create a new Organizational Unit in Active Directory Users and Computers on either DC.
2. Go to the command line and type repadmin /syncall.
3. Check the other DC's Active Directory Users and Computers to see if the Organizational Unit also shows up there. If it does, your DCs are now BFFs (Best Friends Forever!). You might need to hit F5 to Refresh the screen to see the new items in the Server Manager.
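The same three-step replication check, scripted as an added example (this is not the course's own material). It uses only the 2008-era command-line tools the slides rely on (dsadd, repadmin, dsquery, dsrm), so it runs on a Server 2008 DC without any PowerShell modules; the DC names and domain are the ones from the slides, and the marker OU name is constructed:

```powershell
# Added example: create a marker OU on one DC, push replication, and confirm
# the OU is visible on the partner DC. Run in an elevated PowerShell session.
$dc1      = 'NY-DC1-2K8'
$dc2      = 'NY-DC2-2K8'
$domainDn = 'dc=globomantics,dc=com'
$ouName   = 'ReplTest-' + (Get-Date -Format 'yyyyMMdd-HHmmss')   # constructed marker name
$ouDn     = "ou=$ouName,$domainDn"

# 1. Create the OU on DC1 only (-s targets a specific DC).
& dsadd ou $ouDn -s $dc1
if ($LASTEXITCODE -ne 0) { throw "Could not create $ouDn on $dc1" }

# 2. Push the change to every replication partner:
#    /A all partitions, /d show names instead of GUIDs, /e enterprise-wide, /P push.
& repadmin /syncall $dc1 /AdeP

# 3. Ask DC2 directly whether it already knows about the OU.
$found = & dsquery ou $domainDn -name $ouName -s $dc2 2>$null
if ($found) {
    Write-Host "Replication OK: $found is present on $dc2"
} else {
    Write-Warning "$dc2 has not received $ouName yet; the summary below shows failing links"
    & repadmin /replsummary
    & repadmin /showrepl $dc2
}

# 4. Remove the marker OU on DC1; the deletion replicates the same way.
& dsrm $ouDn -noprompt -s $dc1
```

repadmin /replsummary is the quickest way to spot a partner that has not replicated in a while; a DC that shows the new OU immediately after /syncall has a healthy inbound connection from the DC you created it on.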
globomantics.com
Forest Root Domain
NY-DC1-2K8 IP:192.168.5.2
NY-DC2-2K8 IP:192.168.5.3
Bare Metal Installation: Installing an OS on a clean hard drive.
Upgrade Installation: Installing Server 2008 on a machine already running Server 2003.
NTDS.dit: The database file for Active Directory.
Sysvol: The shared folder that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.
Replication: The process of exchanging and recording changes in Active Directory between Domain Controllers.
What We Covered
Use the Initial Configuration Task List to:
Configure Time and Date
Rename a Machine
Configure a Static IP Address and DNS for Networking
Configure Automatic Updates and Feedback
Install the Active Directory Domain Services Role.
Run the DCPromo Wizard to promote a server to Domain Controller status for both a first and second domain controller.
Verify if two Domain Controllers are replicating.
Force two Domain Controllers to replicate using repadmin /syncall.
Now that our first two DCs are up, in the next video we'll start adding User Accounts for Globomantics, organizing them according to departments, and more!
In this video:
Time to set up our Vista Client so we can access the servers remotely
Why get out of your comfy office chair to go do Server stuff when you can do it from your desk?
globomantics.com
Forest Root Domain
NY-DC2-2K8 IP:192.168.5.3
What We Covered
Join a Vista Client to a Domain
Create Remote Desktop Shortcuts
Log in to a Server using Remote Desktop
In this video:
The DCs Are Up and Running...Now What? - Part 2
What's an OU Again?
How About Some Users!
Creating a Whole Bunch of Users at Once
Give Me Some Computer Accounts!
The Difference Between OUs and Groups
[Figure: the globomantics.com Forest Root Domain with NY-DC1-2K8 and NY-DC2-2K8, 2 Computer Accounts (the other 23 are on back order) and the Domain Administrator Account, which is already created. And they all live together in one big shoe... I mean Domain.]
What's an OU Again?
OUs help to keep your Objects organized, but also are used to control what your Users can and can't do (among other things).
You can also pass the buck by delegating control over OUs.
We'll start off building a few OUs so our User and Computer Accounts will have a place to live (Parent OU with Child OUs).
Keep your OUs for Users and OUs for Computers Separate! You can create OUs:
Geographically
By Function (Departments, etc.)
And a billion other ways! But remember to KISS (Keep It Simple, Sysadmin!) as much as you're able to!
Well, you do want people to log in and use your network, right?
Are you serious? Are we going to right click for these 25 users?
Introducing....DSADD!
Dsadd is a command-line tool that lets you create users from the keyboard. The object is identified by its Distinguished Name:
dsadd user cn=UserName,ou=OUName,dc=YourDomain,dc=YourSuffix
Here's what it would look like in real life:
dsadd user cn=hrichardson,ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com
Then we add some switches for First Name, Last Name, Password, and Must Change Password when the user first logs in:
dsadd user cn=hrichardson,ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com -fn Hank -ln Richardson -pwd P@ssw0rd -mustchpwd yes
Open Up Notepad and type:
dsadd user cn=%1,ou=OUName,dc=YourDomain,dc=YourSuffix -fn %2 -ln %3 -pwd P@ssw0rd -mustchpwd yes
Save it as addOUName.bat in a convenient place. Open up a command line, navigate to the directory where the script lives, and type:
addOUName tmiller Tonia Miller
(tmiller replaces %1, Tonia replaces %2, Miller replaces %3.)
You can create a Batch Script for mass population using Excel. It's even included with this course! Man, that Coach is a great guy!
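The mass population the batch script and Excel sheet do, written as an added PowerShell example (not the course's script or spreadsheet). It drives the same dsadd tool the slides use, so it works on a 2008 DC without the ActiveDirectory module; the CSV rows are constructed sample data, the OU path is the slides' NYUsers OU, and the initial password is the slides' placeholder. Run it in an elevated PowerShell session on a DC:

```powershell
# Added example: bulk user creation with dsadd, driven from CSV rows.

# Constructed sample input; in real use: $users = Import-Csv .\users.csv
$csv = @"
sam,first,last
tmiller,Tonia,Miller
jowens,Jamie,Owens
"@
$users = $csv | ConvertFrom-Csv

# Container and UPN suffix as used in the slides.
$ouDn            = 'ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com'
$upnSuffix       = 'globomantics.com'
$initialPassword = 'P@ssw0rd'   # slides' placeholder; -mustchpwd forces a change at first logon

foreach ($u in $users) {
    $dn = "cn=$($u.sam),$ouDn"

    # Idempotent: skip accounts whose logon name already exists so the script can be re-run.
    $existing = & dsquery user -samid $u.sam 2>$null
    if ($existing) {
        Write-Host "Skipping $($u.sam): already exists as $existing"
        continue
    }

    & dsadd user $dn `
        -samid   $u.sam `
        -upn     "$($u.sam)@$upnSuffix" `
        -fn      $u.first `
        -ln      $u.last `
        -display "$($u.first) $($u.last)" `
        -pwd     $initialPassword `
        -mustchpwd yes `
        -disabled  no

    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $($u.sam)" }
    else { Write-Host "Created $dn" }
}
```

Unlike the .bat approach, this sets -samid and -upn explicitly, so the logon name and the email-like User Principal Name match the CN instead of being left to defaults, and the dsquery check means a second run does not error out on the users it already created.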
Keeping track of your computers is a really really good idea (and you dont really have a choice)
So....
You have exactly two Vista machines (since all the rest are on backorder) to use to test out your Active Directory. The first one is already joined (CL1-NY-VIS), since it's the one that you'll be using as your day-to-day machine to access the Servers remotely. Join your other machine to the Domain and then move them to the NYComputers OU. You'll be using it to test the rest of our network functionality as you proceed.
Hey! Aren't our Accounts Already in OUs? Aren't they grouped? No. Here's the difference: OUs keep your objects organized and are used to control what users and computers can and can't do. Groups are Active Directory Objects that allow you to provide and deny access to resources like printers and folders en masse. Groups live in OUs.
Sales Printer
Your user accounts are created and living happily in their OUs. Now, you need to create Groups to prepare for providing access to different resources. You'll add 4 Groups for Users in the NYUsers OU and 2 Groups for Computers in the NYComputers OU.
And then..
globomantics.com
Forest Root Domain
NY-DC1-2K8
NY-DC2-2K8
What We Covered
Create Organizational Units and Groups in Active Directory Users and Computers
Create User Accounts: in Active Directory Users and Computers, using the dsadd command line tool, or using a batch script
Create a bunch of User Accounts using a Batch Script made with Coach's Excel Sheet "User Batch Script Creator"
Add a Computer Account by joining a Vista client to the Domain
Manually Create a Computer Account (which is a bad idea)
Add Users and Computers to Groups using Active Directory Users and Computers
Move Active Directory Objects to different OUs
Now that we have some OUs, User Accounts and Groups, we'll start using those OUs and Groups in the next two videos to provide control over your network!
In this video:
Setting up a Member Server
Creating Shared Folders
NTFS Vs. Share Level Permissions
Mapping a Shared Drive
Creating and Sharing a Printer
We set up User Accounts and added them to Groups so that we could control who had access to what shared folders and printers.
Now we need to create the Shared Folders and Printers for each of the different departments. Here's what we'll be building:
NEW SERVER! NY-MEM1-2K8, IP: 192.168.5.4, 512MB RAM, 2 GHz 32-bit CPU, 2 x 120GB HDDs, Gigabit NIC, 32-Bit Server 2K8 Standard Edition. MEM1 will be joining the Globomantics Domain.
Shared folders: SalesDocs (Mapped as S:), SalesManagers (Shared), GeneralOps (Mapped as O:), OpsManagers (Shared)
Printers: OpsLaser, SalesLaser, ManagersInkjet
SalesManagers On E:
GeneralOps On F:
OpsManagers On F:
We can set up Share Level Permissions while were creating the folders
All Sales staff get Full Control over All Files in SalesDocs
Here's the Permissions to set on the individual Folders that you'll be creating on MEM1:
SalesDocs on E: Read and Change for SalesUsers and SalesManagers; Read-Only for OpsUsers and OpsManagers
SalesManagers on E: Read and Change for only SalesManagers; Deny All for SalesUsers; Deny All for OpsUsers; Read-Only for OpsManagers
OpsManagers on F: Read and Change for only OpsManagers; Deny All for OpsUsers and SalesUsers; Read-Only for SalesManagers
GeneralOps on F: Change and Read for OpsUsers and OpsManagers; Read-Only for SalesUsers and SalesManagers
The SalesManagers group, as a member of the SalesUsers group, has access to SalesDocs. But SalesUsers will NOT have access to the SalesManagers folder.
Be careful not to block access from other Groups that need it!
SalesUsers Group
SalesManagers Group
Because SalesManagers is a member of SalesUsers, if SalesUsers is denied access, SalesManagers will be, too, as Deny overrides everything else. So this is a bad idea this time!
We can use NTFS Permissions on individual Files and Folders inside the Shared Folder SalesDocs: Handbook, Sales Budget, Sales Training, Sales Reports, PowerPoint Folder.
SalesUsers can have NTFS Read-Only Permissions to these three files and this one folder.... ...but Read and Change Share Permissions on all the rest of the files in SalesDocs.
Coach's Suggestion: Always start out with the least restrictive Share Level Permissions and then get more restrictive inside the folder with NTFS Permissions.
Share (SMB) Permissions: Read and Change Permissions to all members of SalesUsers and SalesManagers
Let's Talk Inheritance (and no, you're not getting any money on this one)
When you create Files and Folders inside of Folders (Parent Folder), those new Files and Folders initially inherit the permissions from the Parent folder.
[Figure: Parent Folder (Read and Change Permissions to all members of SalesUsers and SalesManagers) with a Child Folder and a Child File inheriting those permissions]
But you can Block Inheritance of Permissions with NTFS Permissions for Folders AND Files for really specific control of who gets to do what inside that folder!
[Figure: Parent Folder (Read and Change Permissions to all members of SalesUsers and SalesManagers) with a Child Folder and a Child File whose inheritance is blocked]
Share Level Permissions work at the folder level. NTFS Permissions work at the Folder AND at the File Level. Documents inside Shared Folders inherit the Permissions (Share Level or NTFS!) of the Folder unless you stop the inheritance directly and apply new Permissions.
When you move Shared folders, you lose the Share Level Permissions.
When you move Folders and Files that have NTFS Permissions, they may keep their Permissions OR inherit the Permissions of the folder they go live in.
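The SalesDocs build-out described above, as an added example (not the course's own steps): share-level permissions kept least restrictive with net share, NTFS permissions tightened inside with icacls, inheritance cut on the Handbook, and the managers-only folder done without the Deny that the slides warn against. Group names and server volume are the slides'; the Handbook file and the use of 2008's built-in net share /GRANT and icacls are assumptions. Run elevated on NY-MEM1-2K8:

```powershell
# Added example: share + NTFS permissions for SalesDocs and SalesManagers.
$domain = 'GLOBOMANTICS'
$root   = 'E:\SalesDocs'
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-Item -ItemType File -Path "$root\Handbook.docx" -Force | Out-Null   # constructed sample file

# Share (SMB) level, straight from the slides' table for SalesDocs.
& net share "SalesDocs=$root" `
    "/GRANT:$domain\SalesUsers,CHANGE" `
    "/GRANT:$domain\SalesManagers,CHANGE" `
    "/GRANT:$domain\OpsUsers,READ" `
    "/GRANT:$domain\OpsManagers,READ"

# NTFS on the folder itself, inherited by new files and subfolders ((OI)(CI)).
# M = Modify (the slides' "Read and Change"), RX = Read & Execute.
& icacls $root /grant `
    "$domain\SalesUsers:(OI)(CI)M" `
    "$domain\SalesManagers:(OI)(CI)M" `
    "$domain\OpsUsers:(OI)(CI)RX" `
    "$domain\OpsManagers:(OI)(CI)RX"

# The Handbook: stop inheritance, then SalesUsers read-only, SalesManagers modify.
# Effective access is the more restrictive of share and NTFS, so SalesUsers
# keep Change on the share but end up read-only on this one file.
& icacls "$root\Handbook.docx" /inheritance:r /grant `
    "$domain\SalesUsers:R" `
    "$domain\SalesManagers:M" `
    "BUILTIN\Administrators:F" `
    "NT AUTHORITY\SYSTEM:F"

# The slides' caveat: never Deny SalesUsers where SalesManagers needs access,
# because SalesManagers is a member of SalesUsers and Deny wins over Allow.
# For the managers-only folder, simply do not grant SalesUsers at all.
$mgrs = 'E:\SalesManagers'
New-Item -ItemType Directory -Path $mgrs -Force | Out-Null
& icacls $mgrs /inheritance:r /grant `
    "$domain\SalesManagers:(OI)(CI)M" `
    "$domain\OpsManagers:(OI)(CI)RX" `
    "BUILTIN\Administrators:(OI)(CI)F" `
    "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# Review the resulting share and NTFS ACLs.
& net share SalesDocs
& icacls "$root\Handbook.docx"
& icacls $mgrs
```

Leaving a group off an ACL and putting an explicit Deny on it look the same to that group, but only the Deny also blocks every group nested inside it, which is exactly the SalesManagers problem the slides describe.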
A Printer is software. A Print Device is hardware. You need to have a Printer in order to use a Print Device.
You have three print devices: two Laser and one Inkjet. You will create a Printer for each of the devices, and then assign Permissions as displayed below:
SalesLaser: SalesUsers can Print; SalesManagers can Print and Manage; Ops Groups can't access
OpsLaser: OpsUsers can Print; OpsManagers can Print and Manage; Sales Groups can't access
ManagersInkjet: SalesManagers can Print; OpsManagers can Print; Users Groups can't access; Only SuperCoach can manage
[Figure: the globomantics.com Forest Root Domain with NY-DC1-2K8, NY-DC2-2K8, NY-MEM1-2K8, clients CL1-NY-VIS and CL2-NY-VIS, 2 Computer Accounts, 2 Groups for Computers, the SuperCoach Administrator, the SalesDocs share (Mapped as S:), the SalesManagers share, and the SalesLaser and OpsLaser printers]
What We Covered
Coming Up Next
In the next video, we'll start using our OUs to apply Group Policy in order to make sure our users can't break stuff (or, at least, less stuff)!
In this video:
We're locking down the Desktops! Good news! The other 23 desktop machines finally came in and your new assistant Jamie has set them all up and joined them all to the domain. Now, we need to start thinking about locking down what users can and can't do on their desktop machines. You want to ensure that:
All desktop wallpaper is the same on every machine
Users cannot access the Display Control Panel
Users cannot install software
Users cannot attach Removable Drives (USB sticks, MP3 players, etc.)
In order to make this happen efficiently, we'll use Group Policy Objects in Active Directory.
Group Policy Objects give you control over what Users and Computers can do, but a lot more!
Every Windows computer has a Local Group Policy to control what can be done on it and what is restricted, but you don't want to go around to all the computers in your Domain and configure all the settings manually. You'll want to join the rest of the world and administer Group Policy from Active Directory... or configure all your machines at once from the comfort of your desk!
Because there's nothing like going to 25 separate machines and making 26 modifications on each one (ugh!)
We can create a Group Policy Object easily, but then we have to link it to the appropriate Container (usually an OU) before it takes effect on the Users and/or Computers. A single GPO can be linked to multiple Containers so you can re-use it over and over.
Group Policy has two sides: Users and Computers. While you can configure settings for both sides in any one GPO, we generally don't (this is why we separate Users and Computers into separate OUs). Each side of Group Policy has Policies and *NEW* Preferences. Generally, we create separate GPOs for Users and Computers.
Here we go...
Group Policy Object: An Active Directory Object that allows you, the Administrator, to control what Users can do on computers via Settings (or Policies). A.K.A: GPO
Link: An Active Directory Object that allows a GPO to affect a particular Container (like an entire Domain or just an OU)
L-S-D-OU: The Processing Order in which GPOs are applied (Local, Site, Domain, OU)
GPMC: The Group Policy Management Console, where we do all the Group Policy work.
Local Computer Policy: The Group Policy that resides on a local Computer that only affects that particular computer.
What We Covered
Create and Link a Group Policy Object to an OU
Apply Settings in a GPO to lock down the User's ability to:
Change the Desktop (i.e. set the Wallpaper and make sure the User can't change it)
Use the Display Control Panel
Attach a USB drive or other Removable Storage Device
Install Software (remember: UAC for Vista!)
Describe the order in which Group Policy Objects are processed.
Describe what Containers you can Link a GPO to.
Video 8 How to Make Your Boss Mad and then Fix it Really Fast
Setting up your Organizational Units for Better Group Policy Implementation, Security Filtering for GPOs using Groups, and Making Your Boss Happy Again.
In this video:
[Figure: the current OU layout, with user groups Executives, OpsUsers and OpsManagers, computer OUs ITComputers and StandardComputers holding 25 Computer Accounts, and the SuperCoach Administrator]
Hank is ANGRY!
Uh-Oh...
Hank is really mad that he can't set a picture of his favorite horse as the Desktop Wallpaper, and he's threatening to fire you if you don't get it fixed fast. You need to make sure Hank's user account is exempted from the Desktop Lockdown policy you just set up. Also, your assistant Jamie doesn't like being locked down either. Fix it!
A Little Reorganization
We may need to separate out Users and/or computers into separate OUs for different rights and restrictions. Since the Globomantics OU structure is very basic, we have some options:
We can separate our users into separate OUs and apply different GPOs to each.
We can separate our users into separate OUs inside of NYUsers and Block Inheritance for certain OUs for a particular Group Policy Object.
We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them.
Option 1: We can separate out our Users into Child OUs and Link Separate GPOs to each OU
Option 2: We can separate our users into separate OUs inside of NYUsers and Block Inheritance for certain OUs for a particular Group Policy Object.
[Figure: the DesktopLockdown GPO linked at NYUsers and inherited by the child OUs, with inheritance blocked on Executives]
All Users in Executives will NOT get the settings from DesktopLockdown.... ...unless DesktopLockdown is Enforced. An Enforced DesktopLockdown breaks through!
Option 3: We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them.
If we use Security Permissions to Deny the Read and Apply Group Policy permissions, these two groups (ITUsers and Executives) can be exempt from the policy, even if the Policy is Enforced! The SalesUsers and OpsUsers groups still get it.
We can still use DesktopLockdown for all our users, but we'll use Security Filtering and the Delegation Tab in the GPMC to exempt the Executives and ITUsers Groups from having it applied. In order to use Group Policy more efficiently in the future, we should break our users out into separate OUs.
[Figure: DesktopLockdown linked at NYUsers; the ITUsers Group and the Executives Group are each set to Deny Read and Apply Group Policy on DesktopLockdown; all other users are affected by DesktopLockdown through Inheritance]
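The three options above, carried out as an added example (not the course's GPMC walkthrough). It assumes the GroupPolicy and ActiveDirectory PowerShell modules, which ship with Server 2008 R2 and RSAT rather than 2008 RTM, where the same clicks happen in the GPMC; the OU paths are the slides' NYUsers layout, and the new Executives child OU is the reorganization the slides recommend. Option 3 writes the same Deny ACEs the Delegation tab's Advanced dialog does, using the well-known Apply Group Policy rights GUID:

```powershell
# Added example: exempting Executives and ITUsers from DesktopLockdown.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=globomantics,DC=com'
$nyUsers  = "OU=NYUsers,OU=NewYorkOU,$domainDn"
$execOu   = "OU=Executives,$nyUsers"
$gpoName  = 'DesktopLockdown'

# Option 1 groundwork: give the Executives their own child OU and move them in.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$execOu'")) {
    New-ADOrganizationalUnit -Name 'Executives' -Path $nyUsers
}
Get-ADGroupMember -Identity 'Executives' |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $execOu }

# Option 2 (shown, not applied): block inheritance on the child OU...
#   Set-GPInheritance -Target $execOu -IsBlocked Yes
# ...which an Enforced link above it would still break through:
#   Set-GPLink -Name $gpoName -Target $nyUsers -Enforced Yes

# Option 3: security filtering via Deny ACEs on the GPO's AD object.
$gpo      = Get-GPO -Name $gpoName
$gpoEntry = [ADSI]"LDAP://$($gpo.Path)"
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # "Apply Group Policy" control access right
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$read     = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

foreach ($groupName in 'Executives', 'ITUsers') {
    $sid = (Get-ADGroup -Identity $groupName).SID
    $denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $extRight, $deny, $applyGroupPolicy
    $denyRead  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $read, $deny
    $gpoEntry.ObjectSecurity.AddAccessRule($denyApply)
    $gpoEntry.ObjectSecurity.AddAccessRule($denyRead)
}
$gpoEntry.CommitChanges()

# Verify: what the Executives OU inherits, and who still holds Apply on the GPO.
(Get-GPInheritance -Target $execOu).InheritedGpoLinks | Select-Object DisplayName, Enforced
Get-GPPermission -Name $gpoName -All | Where-Object { $_.Permission -eq 'GpoApply' }
```

A Deny is needed rather than just removing the two groups from the filter, because their members are still Authenticated Users and would keep receiving the GPO through that entry; the Deny is also what makes Option 3 survive an Enforced link, as the slides note.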
What We Covered
Rearrange Users, Groups, and Organizational Units.
Use the GPMC to apply Security Filtering to include and exempt Groups from Group Policy.
Block Inheritance of Policies for an OU.
Use the GPMC to see what Group Policy Objects are being inherited by an Organizational Unit.
Video 9 Make Your Life Easier with Computer Policies and Preferences
Locking down Machines at the Computer Level and Mapping Drives with Group Policy Preferences
In this video:
Hank is seriously thinking about implementing the hoteling concept, in which users don't have regular machines. Instead, he wants his sales reps out in the field doing house calls. You need to make sure that all the machines have a standard policy no matter who's at them, with the exception of your machine, Jamie's machine, and Hank's machine.
CL2-NY-VIS
We'll leave CL2 in the Standard OU for testing, but move it later.
Computer Policy stays with the computer no matter who logs on to it.
[Figure: users LBinga, hrichardson and JOwens logging on to CL3-NY-VIS]
Here are the policies we'll set for the StandardComputers through our new ComputerLockdown GPO:
Turn off the Windows Sidebar (because it's annoying)
Turn off that Welcome screen that keeps popping up (because it's annoying, too)
User Account Control (really more as a safety precaution)
Turn on Loopback Processing to ensure that whoever logs on to the machine always gets this policy applied to them.
Ensure that any Local Group Policies do not run (because they may interfere with our Domain/OU policies; again, a precautionary measure)
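The ComputerLockdown GPO as an added example (not the course's own GPMC steps): it creates and links the GPO, then sets the loopback, local-policy and Sidebar settings through the registry values those Administrative Template policies write. The GroupPolicy module is a Server 2008 R2 / RSAT assumption, and the StandardComputers OU path is assumed; UAC and the Welcome Center are left to the GPMC as the slides describe:

```powershell
# Added example: computer-side lockdown GPO with loopback processing.
Import-Module GroupPolicy

$gpoName  = 'ComputerLockdown'
$targetOu = 'OU=StandardComputers,OU=NYComputers,OU=NewYorkOU,DC=globomantics,DC=com'   # assumed path

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Standard desktop lockdown for hoteling machines' | Out-Null
}
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

$system = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Loopback processing: the computer's OU decides the user settings, whoever logs on.
#   2 = Replace (ignore the user's own OU policies), 1 = Merge (apply both, computer's last).
Set-GPRegistryValue -Name $gpoName -Key $system -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Turn off Local Group Policy Objects processing so a local policy cannot interfere.
Set-GPRegistryValue -Name $gpoName -Key $system -ValueName 'DisableLGPOProcessing' -Type DWord -Value 1 | Out-Null

# Turn off the Vista Sidebar.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\Sidebar' `
    -ValueName 'TurnOffSidebar' -Type DWord -Value 1 | Out-Null

# Review what the GPO now carries and where it is linked.
Get-GPRegistryValue -Name $gpoName -Key $system
(Get-GPInheritance -Target $targetOu).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

With Replace mode, a user who is exempt on their own machine (Hank, Jamie, you) is exempt only because those machines sit outside StandardComputers; the moment one of them logs on to a hoteling desktop, the ComputerLockdown user settings apply to them too.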
Group Policy Preferences allow us to do a lot of useful tasks that previously required scripts. There are Preferences for both User and Computer sides of a Group Policy Object. Better yet, they're very easy to set up and use!
Since we have Network Drives (i.e., Shared Folders) that we want everyone to have access to, we can map those drives for our Users so that when they log on, they're already there in My Computer. We'll create a new GPO just for the Mapped Drives and link it to the NYUsers OU and let Inheritance push it down to the other Child OUs inside of it.
[Figure: the Mapped Drives GPO linked at NYUsers and inherited by the child OUs ITUsers, SalesManagers, Executives (hrichardson), OpsUsers and OpsManagers; ITComputers (SuperCoach Administrator) and StandardComputers have their own links]
Critical Vocabulary
What We Covered
Video 10 How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk
Using Group Policy Objects to Install Software and Adjusting Group Policy that affects Group Policy at the Domain Level.
In this video:
Would you like to view PDFs? Of course you would! So Hank went to a basketball game last night and ended up sitting next to a guy who works for a software company that produces a lightweight PDF reader. Since you haven't yet installed any PDF reading software, Hank wants you to install the PDF reader from his new friend's company on all the client machines in the Globomantics network. Do you:
A. Walk around with a CD or USB stick to every one of your 25 client machines, log in with the administrator account and install it manually? (Do you really have that much time on your hands?)
B. Put the software on a Shared folder and provide instructions for all employees on installing it when they figure out they need it? (Are you insane? No no no! Users can't install software anyway!)
C. Post the software on a Shared Folder and then create a Group Policy Object that will install the software the next time the machine restarts?
So what now?
Hank's new buddy has sent you the .msi file that you can use for your Software Installation GPO. You decide to install it on every client computer since PDFs are a universal standard. So now all you have to do is:
1. Create a new Shared folder on NY-MEM1-2K8 named Software.
2. Create a folder inside Software named Foxit and put the Foxit .msi package there. (Note: Always create new folders for each software package to make the process nice and easy!)
3. Create a new GPO and link it to the NYComputers OU. Name it FoxitInstall.
4. In the Computers section of the GPO, we'll go to the Software Settings under Policies to get to the Software Installation settings.
5. Create a new Package by right-clicking and selecting New Package.
6. Select the .msi file and select any Options.
7. Run gpupdate /force from the Server (or wait for the Refresh Interval).
8. Have your users reboot their client machines.
When does all this Group Policy Stuff actually take effect?
Critical Vocabulary
What We Covered
In this video:
The Default Domain Password Policy
Letting Your Boss Use Whatever Password He/She Wants
Normally, the Password Policy is set for all users at the Domain level. The default settings are usually good enough. Complexity requirements are enforced when passwords are changed or created.
You know Hank. Hank doesn't like the fact that he has to use all these newfangled password techniques with symbols and what not, and he doesn't want to have to think up a new password every 30 days. He wants to use the names of his horses. You'll use a technique called Fine Grained Password Policies to exempt Hank and the users that are part of the Executives group from the Default Domain Password Policy Settings that you created, and then reduce the complexity requirements and extend the expiration date so that Hank and any other user placed in the Executives Group will only have to update their passwords every 3 months.
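The Executives exemption as an added example (not the course's ADSI Edit walkthrough). It assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT; on 2008 RTM the same PSO is built attribute by attribute in ADSI Edit), checks the Windows Server 2008 functional level the feature requires, and supplies every attribute the msDS-PasswordSettings class makes mandatory, with the slides' two relaxations; the lockout, history and length values are assumed:

```powershell
# Added example: a Password Settings Object for the Executives group.
Import-Module ActiveDirectory

# Fine Grained Password Policy needs the Windows Server 2008 domain functional level.
$mode = (Get-ADDomain).DomainMode
if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $mode; raise it to Windows Server 2008 first"
}

# Lower Precedence wins when a user is covered by several PSOs.
# ComplexityEnabled $false and a 90-day maximum age are the slides' relaxations.
New-ADFineGrainedPasswordPolicy -Name 'ExecutivesPSO' -DisplayName 'Executives PSO' `
    -Precedence 10 `
    -ComplexityEnabled $false `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 6 `
    -PasswordHistoryCount 5 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Apply it to the group rather than to Hank alone, so any future Executive inherits it.
Add-ADFineGrainedPasswordPolicySubject -Identity 'ExecutivesPSO' -Subjects 'Executives'

# Confirm what Hank actually gets after the PSO and the domain policy are resolved.
Get-ADUserResultantPasswordPolicy -Identity 'hrichardson' |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, MaxPasswordAge
```

Get-ADUserResultantPasswordPolicy is the check worth keeping: a PSO applied to a group is only effective for direct and nested members, and a user left with no resultant PSO falls back to the Default Domain Policy.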
Critical Vocabulary
Train Signal, Inc. Coach Culbertson
ADSI Edit A low level utility used for editing the Active Directory
Database directly rather than using the GUI tools (i.e. Server Manager, etc.) . Fine Grained Password Policy A feature of Server 2008 that allows an override of the Domain Password Policy requirements. PSO Password Settings ObjectAn Active Directory Object created in ADSI Edit that allows for an alternative password policy to be applied to a user or a group. Server 2008 Functional Level An operating mode which requires that all Domain Controllers in your network to be Server 2008. (Required for Fine Grained Password Policy)
Why should you have to do all the work? Planning ahead, you realize that as time goes on you won't have all the time in the world to do busy work like resetting passwords or altering permissions on shared folders and such. Fortunately, you've got an assistant: Jamie! In order to free up your time, you'll provide permissions for Jamie's account to reset passwords and do other administrative tasks. You've got two options:
1. Use the Delegation of Control Wizard.
2. Add Jamie to one (or more) of the Built-In Groups so he can do administrative tasks without having to be an Administrator.
You'll use this when you only want a particular user or group to be able to do one or two simple tasks, like *ahem* resetting passwords.
Need more power?
The Delegation Wizard can't provide everything, so you'll also have to use some additional groups to provide more permissions to Jamie.
The boys and girls at MS have created groups that already have specific permissions in the BuiltIn OU. Here are some of them that are particularly useful:
Permissions/Abilities compared across Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators:
Create, delete, and manage user and group accounts
Read all user information
Reset password for user accounts
Share directories
Create, delete, and manage printers
Back up files and directories
Restore files and directories
Log on locally to the server
Shut down the system
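Both options from the slides from the command line, as an added example that is not part of the course: the password-reset delegation with dsacls, then a review of who already sits in the Builtin operator groups before Jamie is added to one; Jamie's account name and the users' OU are placeholders.

```powershell
# Added example (not from the course): give Jamie exactly the rights behind the
# Delegation of Control Wizard's "Reset user passwords and force password change at
# next logon" task, scoped to one OU, and review the Builtin operator groups before
# using them. Run on a Server 2008 DC as a Domain Admin. Assumptions (placeholders):
# Jamie's account is GLOBOMANTICS\Jamie; the users live in OU=NYUsers,DC=globomantics,DC=com.

$OuDn    = "OU=NYUsers,DC=globomantics,DC=com"
$Trustee = "GLOBOMANTICS\Jamie"

# dsacls grant syntax is  Trustee:Rights;AttributeOrExtendedRight;InheritedObjectClass
#   CA   = control access (an extended right), here "Reset Password"
#   RPWP = read + write property, here pwdLastSet (what "must change at next logon" sets)
# /I:S applies the ACE to sub-objects only (the user objects), not to the OU itself.
# ${Trustee} needs the braces: "$Trustee:CA" would be parsed as a scoped variable.
dsacls $OuDn /I:S /G "${Trustee}:CA;Reset Password;user"
dsacls $OuDn /I:S /G "${Trustee}:RPWP;pwdLastSet;user"

# Read the ACL back and keep only the lines that mention Jamie, so the delegation can
# be confirmed (and later audited) without opening the OU's Security tab.
dsacls $OuDn | Select-String -SimpleMatch $Trustee

# Option 2 from the slide is Builtin group membership. Before adding anyone, list who
# already holds each operator role: these groups can log on to DCs, and an Account
# Operator can delete entire OUs (see the Brock story later in the course).
function Get-BuiltinOperatorMembers {
    param([string] $Domain = "DC=globomantics,DC=com")
    foreach ($Name in "Account Operators", "Backup Operators", "Print Operators", "Server Operators") {
        $Group   = [ADSI]"LDAP://CN=$Name,CN=Builtin,$Domain"
        $Members = $Group.member
        if (-not $Members) { "{0,-18} (no members)" -f $Name; continue }
        foreach ($MemberDn in $Members) {
            "{0,-18} {1}" -f $Name, $MemberDn
        }
    }
}
Get-BuiltinOperatorMembers

# Only if the delegation really is not enough: add Jamie to Account Operators. That is a
# far bigger grant than the two ACEs above, so it is left commented out on purpose.
# $JamiePath = "LDAP://CN=Jamie,OU=NYUsers,DC=globomantics,DC=com"   # placeholder DN
# ([ADSI]"LDAP://CN=Account Operators,CN=Builtin,DC=globomantics,DC=com").Add($JamiePath)
```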
In this video:
Now that you're familiar with the three built-in backup tools, we need a plan for backup.
1. You'll use Windows Server Backup for nightly backups to the second disk on NY-DC2-2K8.
2. Then create a System State backup on a weekly basis for emergency restoration.
3. And last but not least, an IFM backup as an additional emergency solution and for easy addition of future Domain Controllers as well.
What We Covered
Create IFM media using NTDSUTIL.
Describe the differences between the three main backup and maintenance tools in Server 2008.
In this video
So here we are
Right now, we only have 2 DCs, both of which are Global Catalogs.
Everything seems fine and rolling right along, but there's a lurking menace that we don't know about just yet!
Computer Name: NY-DC2-2K8: we can easily reduce the risk of SPOF issues by giving this guy an additional job or two!
If DC1 goes down, we will have major problems due to the fact that we have all of our Operations Masters attached to it!
One of those hidden little elements that can cause big trouble! Operations Masters (they used to be called FSMOs, Flexible Single Master Operations) are specific jobs that a DC can do apart from all the regular day-to-day stuff (any DC can do things like authenticating/logging on, adding users, etc.; these are special).
The Forest-level Operations Masters:
Domain Naming: Responsible for adding and removing Domains from inside your forest. Sits back and drinks coffee most of the time until you need to add or remove a Domain.
Schema: Handles all the database definitions. Also on coffee break until you or an application you install needs to change the Active Directory Schema.
These two can and should go on the same DC!
Computer Name: NY-DC1-2K8: Global Catalog; Domain Naming Master, Schema Master, PDC Emulator, RID Master, Infrastructure Master (all five roles currently on this one DC).
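Finding the role holders and spotting the all-on-one-DC layout above, as an added example that is not part of the course; it uses only the .NET ActiveDirectory classes that the PowerShell on Server 2008 can reach.

```powershell
# Added example (not from the course): list which DC holds each Operations Master and
# flag the single-point-of-failure layout the slide warns about. Uses only the .NET
# System.DirectoryServices.ActiveDirectory classes, so it runs in the PowerShell that
# ships with Server 2008 (no AD module) from any domain member, as a domain user.

function Get-OperationsMasters {
    $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    # Two forest-wide roles, three per-domain roles (run once per domain after Chicago exists).
    $Roles = @{}
    $Roles["Schema Master"]         = $Forest.SchemaRoleOwner.Name
    $Roles["Domain Naming Master"]  = $Forest.NamingRoleOwner.Name
    $Roles["PDC Emulator"]          = $Domain.PdcRoleOwner.Name
    $Roles["RID Master"]            = $Domain.RidRoleOwner.Name
    $Roles["Infrastructure Master"] = $Domain.InfrastructureRoleOwner.Name
    return $Roles
}

function Test-OperationsMasterLayout {
    param([hashtable] $Roles)
    $Findings = @()
    $Holders = @($Roles.Values | Sort-Object -Unique)
    if ($Holders.Count -eq 1) {
        $Findings += "All five roles sit on $($Holders[0]): losing that DC means seizing every role."
    }
    # The Infrastructure Master must not be a Global Catalog unless every DC in the domain
    # is one (or the forest has a single domain). True for Globomantics today with two GCs;
    # re-check once NY-DC3 or the Chicago child domain exist.
    $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Dcs = @($Domain.DomainControllers)
    $ImHolder = $Dcs | Where-Object { $_.Name -eq $Roles["Infrastructure Master"] }
    $NonGcCount = @($Dcs | Where-Object { -not $_.IsGlobalCatalog() }).Count
    if ($Forest.Domains.Count -gt 1 -and $ImHolder -and $ImHolder.IsGlobalCatalog() -and $NonGcCount -gt 0) {
        $Findings += "Infrastructure Master $($ImHolder.Name) is a GC while $NonGcCount DC(s) are not: cross-domain group membership display will go stale."
    }
    return $Findings
}

$Roles = Get-OperationsMasters
$Roles.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize
Test-OperationsMasterLayout $Roles
```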
What We Covered
Describe the five Operations Masters.
Identify which server has been assigned which Operations Master.
Video 15 Stuff To Make Your Active Directory Life Just a Little More Predictable
Monitoring , Auditing, and Maintaining Your Active Directory Database
In this video:
Watching Your AD Stuff
Your Monitoring Toolbox
Watch Who's Doing What To Your Active Directory
Defragging Your AD Database
And now, something else that lands squarely in your job description
Globomantics is ready to launch, and you have taken solid precautions already to ensure that if your Domain Controllers blow up, you have flexible options to get your network back up and running in a short time. Now you need to figure out how to watch your DCs for any impending doom, and maintain your Active Directory database so you get optimum performance. There are a lot of third-party tools out there for such things, but for now you need to rely on what's built in to Server 2008.
There are two steps to setting this up; you can't do one without the other!
To set up auditing:
1. You have to enable an auditing policy (specifically Audit Directory Service Access) on either the Default Domain Controllers Policy or the Default Domain Policy.
2. Then, you have to turn on the auditing component on the object(s) you want to audit.
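Both steps from the command line plus the Security-log query that shows who changed what, as an added example that is not part of the course; the OU being watched is a placeholder.

```powershell
# Added example (not from the course): both halves of the auditing setup from the slide
# done from the command line, plus the Security-log query that shows who changed what.
# Run on a Server 2008 DC as a Domain Admin. Assumption: the OU to watch is
# OU=NYOps,DC=globomantics,DC=com (placeholder DN).

$OuDn = "OU=NYOps,DC=globomantics,DC=com"

# Step 1, the policy. The course turns on "Audit directory service access" in the Default
# Domain Controllers Policy; on Server 2008 that category has subcategories, and auditpol
# shows which ones this DC really collects. "Directory Service Changes" is the one that
# records old and new values (events 5136-5141).
auditpol /get /category:"DS Access"
# Same effect without Group Policy, directly on this DC (a GPO setting still wins):
# auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Step 2, the SACL on the object. Nothing is logged until the OU says which operations by
# which principals to audit: here successful create/delete/modify of anything under it,
# by anyone (Everyone, S-1-1-0), inherited to all sub-objects.
$Ou       = [ADSI]"LDAP://$OuDn"
$Everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty"
$Rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $Everyone, $Rights,
                [System.Security.AccessControl.AuditFlags]::Success,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$Ou.ObjectSecurity.AddAuditRule($Rule)
$Ou.CommitChanges()

# Step 3, reading it back. 5137 = object created, 5136 = modified, 5141 = deleted. The
# account (who) and the object DN (what) are in the event's EventData.
function Get-DirectoryServiceChanges {
    param([int[]] $EventIds = @(5136, 5137, 5141), [int] $Last = 50)
    $Terms  = $EventIds | ForEach-Object { "EventID=$_" }
    $Query  = "/q:*[System[(" + [string]::Join(" or ", [string[]]@($Terms)) + ")]]"
    $Events = wevtutil qe Security $Query /rd:true /c:$Last /f:xml   # one XML document per line
    foreach ($Line in @($Events)) {
        if (-not $Line) { continue }
        $E = [xml] $Line
        $Data = @{}
        foreach ($D in $E.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
        $Id = $E.Event.System.EventID
        if ($Id -isnot [string]) { $Id = $Id.'#text' }   # EventID carries attributes in some logs
        "{0}  {1}  {2}\{3}  {4}" -f $E.Event.System.TimeCreated.SystemTime, $Id,
            $Data["SubjectDomainName"], $Data["SubjectUserName"], $Data["ObjectDN"]
    }
}
Get-DirectoryServiceChanges
```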
What We Covered
Use the Task Manager to watch performance in real time.
Use the Event Viewer to see what's going on in your machine.
View the results of your auditing policies in Event Viewer.
Use NTDSUTIL to defragment your database and check the integrity and consistency of the AD database as a whole.
We have set up the New York office AD infrastructure and made plans for disaster recovery. In the next video, we're going to expand to Chicago, and set up a child domain for the Chicago office by creating some more DCs!
In this video:
All You Need Is Lov... I mean a DC!
Adding a Site and Subnet Before Jumping In
Creating the Child Domain
Making Sure Chicago Can Talk To New York
It's time to expand! In order to keep tab on the Chicago stock exchange, Hank has decided to open up an office in downtown Chicago. To keep the Globomantics network a little more manageable for future growth, you decide that the best way is to separate out the Chicago office into its own child domain (sometimes called a subdomain). There's good reason to break out Chicago into its own child domain:
Less network traffic to suck up your bandwidth between Chicago and New York.
De-centralized management will allow you to delegate control over Chicago to an administrator (yet to be hired... or maybe we'll send Jamie!) that's actually in Chicago.
Having a location-centric Active Directory structure can allow for easier tracking of stuff between locations.
In order to create the Chicago child domain, all we need is another DC!
Diagram: Globomantics.com (NY-DC1-2K8 and NY-DC2-2K8 on the network switch) and the new child domain na.globomantics.com.
Before we begin
Sites in AD represent the physical structure, or topology, of your network. Right now, we have only one Site defined in Globomantics.com, New York. We first need to create the Chicago site in Active Directory Sites and Services.
In order to allow Active Directory to track our machines by location, we'll also create a Subnet object and assign that Subnet object to Chicago. Once that's done, we can use the Location attribute in Active Directory to track and find machines according to their IP address.
Here's what we have and what we're going to create: NY-DC1, NY-DC2, NY-DC3.
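The site, subnet and site-link steps done with the .NET ActiveDirectorySite/ActiveDirectorySubnet classes instead of the Sites and Services console, as an added example that is not part of the course; Chicago's address range is a placeholder.

```powershell
# Added example (not from the course): create the Chicago site, its subnet and the
# site-link membership with the .NET ActiveDirectorySite/ActiveDirectorySubnet classes
# instead of Sites and Services. Run as an Enterprise Admin (site objects live in the
# Configuration partition). Assumption: Chicago's address range is 10.2.0.0/16 (placeholder).

$ForestName = "globomantics.com"
$SiteName   = "Chicago"
$SubnetCidr = "10.2.0.0/16"

function New-AdSiteWithSubnet {
    param([string] $Forest, [string] $Site, [string] $Cidr, [string] $Location)
    $Ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
               [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest, $Forest)

    # Site: Save() also creates the NTDS Site Settings and Servers children for you.
    $NewSite = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySite($Ctx, $Site)
    $NewSite.Save()

    # Subnet: the object name IS the prefix. Location fills the attribute the course uses
    # to find machines by where they are; Site ties the prefix to Chicago.
    $NewSubnet = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySubnet($Ctx, $Cidr)
    $NewSubnet.Site     = $NewSite
    $NewSubnet.Location = $Location
    $NewSubnet.Save()

    # A site that is on no site link cannot replicate with anyone; put it on the default
    # link until a dedicated NY-Chicago link with its own cost and schedule exists.
    $Link = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink]::FindByName($Ctx, "DEFAULTIPSITELINK")
    $Link.Sites.Add($NewSite)
    $Link.Save()
    return $NewSite
}

New-AdSiteWithSubnet -Forest $ForestName -Site $SiteName -Cidr $SubnetCidr -Location "Chicago" | Out-Null

# Check the result from AD's point of view: every site with the prefixes assigned to it.
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($S in $Forest.Sites) {
    $Prefixes = [string[]]@($S.Subnets | ForEach-Object { $_.Name })
    "{0}: {1}" -f $S.Name, [string]::Join(", ", $Prefixes)
}
```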
What We Covered
Create a new Site in Active Directory.
Create a new Subnet object in Active Directory.
Assign a Subnet object to a Site.
Use DCPromo to create a new Child Domain in an existing Forest.
Video 17 How To Give People Access to Stuff Thats 790 Miles Away
Creating Universal Groups, the AGUDLP Strategy, and Making Sure Your People Can Log In Anywhere In Your Enterprise
In this video:
Time For Some More Users!
The Types of Groups
Setting Up Your Groups for Access Between Domains
Break out that Excel script maker again! Hank has sent you another 20 users to add to the Chicago office, so it's time to make them quickly and easily with the Excel sheet script maker. You'll also create some OUs and Groups as well, similar to what you did with New York.
Security Groups allow you to grant permissions to resources. Distribution Groups are basically email lists, and aren't used very often.
There are three scopes of Security Groups:
Global: usable in any trusted Domain in your Forest; users can only come from the home Domain.
Universal: usable in any trusted Domain in your Forest; users can come from ANY Domain.
Domain Local: usable in the Domain it lives in ONLY; users can only come from the home Domain.
Now that we have multiple domains, we also have the challenge of making sure that we can easily provide access to resources between them. AGUDLP is a strategy that we can use to grant access in a more reusable way. Here's how it works:
Accounts go into Global Groups.
The Global Group becomes a member of a Universal Group.
The Universal Group becomes a member of a Domain Local Group.
Permissions to network resources are then granted to the Domain Local Group.
And now, here's what we're going to do for our Globomantics Sales Team. The Sales team will need access to the SalesDocs folder, as the sales program will be pretty much the same throughout the company. Here's what we'll do to get them access to the SalesDocs folder over in New York:
1. In the na.globomantics domain, all the Chicago Sales user accounts go into a Global Group called ChicagoSales.
2. We'll create a Universal Group in the NA domain called AllSales and make ChicagoSales a member of AllSales.
3. In Globomantics.com (the New York domain), we'll create a Domain Local Group called SalesDocs and make AllSales a member of it.
4. On the NY-MEM1-2K8 file server, we'll grant permissions to the Domain Local Group SalesDocsAccess on the SalesDocs folder.
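The AGUDLP chain above built with the .NET DirectoryEntry API and the folder permission granted with icacls, as an added example that is not part of the course; the OUs and the folder path are placeholders, and the domain local group is named SalesDocsAccess here since the slides use both names.

```powershell
# Added example (not from the course): build the AGUDLP chain from the slide with the
# .NET DirectoryEntry API, then grant the folder permission to the domain local group
# with icacls. Run as an Enterprise Admin (it writes in both domains) from a member of
# globomantics.com; run the icacls lines on NY-MEM1-2K8. Assumptions (placeholders):
# OU=Chicago,DC=na,DC=globomantics,DC=com, OU=NYGroups,DC=globomantics,DC=com, D:\SalesDocs.

# groupType is a bit field: 0x80000000 (security group) plus the scope bit, stored as a
# signed 32-bit value: 0x80000002 Global, 0x80000004 Domain Local, 0x80000008 Universal.
$Scope = @{ Global = -2147483646; DomainLocal = -2147483644; Universal = -2147483640 }

function New-SecurityGroup {
    param([string] $ParentDn, [string] $Name, [int] $GroupType, [string] $Server)
    $Parent = [ADSI]"LDAP://$Server/$ParentDn"
    $Group  = $Parent.Create("group", "CN=$Name")
    $Group.Put("sAMAccountName", $Name)
    $Group.Put("groupType", $GroupType)
    $Group.SetInfo()
    return "CN=$Name,$ParentDn"
}

function Add-GroupMember {
    param([string] $GroupDn, [string] $MemberDn, [string] $Server)
    # Cross-domain nesting inside one forest: the member attribute just holds the DN;
    # the domain local group's DC resolves it through the Global Catalog.
    $Group = [ADSI]"LDAP://$Server/$GroupDn"
    [void] $Group.Properties["member"].Add($MemberDn)
    $Group.CommitChanges()
}

$NaOu = "OU=Chicago,DC=na,DC=globomantics,DC=com"
$NyOu = "OU=NYGroups,DC=globomantics,DC=com"

# A -> G: the Chicago sales accounts go into a Global group in the NA domain.
$ChicagoSales = New-SecurityGroup $NaOu "ChicagoSales" $Scope.Global "na.globomantics.com"
# G -> U: that Global group becomes a member of a Universal group (also in NA).
$AllSales = New-SecurityGroup $NaOu "AllSales" $Scope.Universal "na.globomantics.com"
Add-GroupMember $AllSales $ChicagoSales "na.globomantics.com"
# U -> DL: the Universal group becomes a member of a Domain Local group in globomantics.com.
$SalesDocs = New-SecurityGroup $NyOu "SalesDocsAccess" $Scope.DomainLocal "globomantics.com"
Add-GroupMember $SalesDocs $AllSales "globomantics.com"

# DL -> P: permissions go to the Domain Local group only. Modify on the folder,
# inherited to files and subfolders via (OI)(CI). Run on NY-MEM1-2K8.
icacls "D:\SalesDocs" /grant "GLOBOMANTICS\SalesDocsAccess:(OI)(CI)M"
icacls "D:\SalesDocs"   # read the ACL back: the group, never individual users
```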
Diagram: a Global Catalog server in Globomantics.com and a Global Catalog server in Na.globomantics.com.
In this video:
Hank Says There Will Be a Dallas Office
The Dallas OU and Site Structure
What Is a Read Only Domain Controller?
Building an RODC for Dallas
And if Hank says it... Dallas is Hank's hometown. He has a ranch just outside of Dallas, and he doesn't want to have to fly out to New York or Chicago to do work. That's not a problem, but he also wants a staff of 5 people in the not-yet-created Dallas location. He's already rented a little office 5 miles from his ranch, and there's basically a closet that, if you ask really nicely, you might be able to use to hold the router and any servers. You decide that due to the lack of security in the office, using a Read Only Domain Controller is going to be the best option. But before we can build the RODC, we need to create an OU structure for Dallas.
And now, here's what we're going to build:
Computer Name: RODC-DAL-2K8
2GHz single-core processor, 512MB RAM, 1 Gigabit NIC, 1 120 GB HDD
Server Core, Server 2008 32-bit version, with Active Directory Domain Services (RODC) and DNS Server
DHCP for the Dallas office will be configured at the router.
Zooming in on Dallas
Users from New York (like Hank) can still log in with their email-style login, more commonly known as a UPN (User Principal Name), with the presence of a Global Catalog OR by enabling Universal Group Caching and putting the users that you want into a Universal Group.
What We Covered
Install Server 2008 as a Server Core installation.
Use a configuration script to configure basic settings for your Server Core installation.
Attach an MMC to a Server Core installation for management.
Configure Universal Group Caching for a Site so you don't have to provide a Global Catalog for that Site.
Set up which users can log in at that location.
Pre-populate passwords for users that will be logging in at the location for a faster login experience.
In this video:
Okay, Who Killed Off The Ops Department?
The Two Types of Restorations
Use Windows Server Backup to do a Non-Authoritative Restoration
Use NTDSUTIL and WBADMIN to do an Authoritative Restoration
How to Put Resurrected Users Back Into Groups Using Backlinks
Ummm... whoops? Things are going well, until on a Tuesday morning the entire New York Ops department can no longer log in. When you go to see what's happening, you notice that the New York Ops OU is... gone. Aced, no trace, nada, not there, here or anywhere. When you check your Security log, you see that the account BSamson, an account belonging to one of your new IT staff who had been given Account Operator permissions, successfully deleted the entire OU last night at 1AM. Brock did not report in this morning due to the fact that he's in police custody for *ahem* other chemically-related issues. Fortunately, at midnight, a System State backup of your entire Domain Controller was successfully completed. You need to restore the Ops OU for New York due to Brock's drug-induced mayhem.
If for some strange reason your Server 2008 DC is running under a Server 2000 Functional Level Domain...
In a Server 2003 or Server 2008 Functional Level Domain/Forest, NTDSUTIL uses what we call Linked Value Replication to restore group membership to restored accounts (you can ignore this whole slide if you're at a Server 2K3/2K8 Functional Level).
When you do an authoritative restore in a Server 2000 Functional Level Domain, you end up losing group memberships on your user accounts. Of course, you could go back and recreate them manually (no, you can't, you don't have that kind of time on your hands). During the authoritative restore, at least one file called an LDIF file is created. You can use this file to quickly restore group membership to all the users you restored by using what are called Backlinks from the LDIF file.
To restore group membership using backlinks:
1. After the authoritative restore is complete and the DC has been restarted normally, open a command prompt and type repadmin /syncall DCNAME /a /d /A /P /q, where DCNAME is the name of the Domain Controller that you just restored.
2. Change to the directory where your LDIF files ended up.
3. Type ldifde -i -k -f filename, where filename is the name of the LDIF file you need.
4. Rinse and repeat step 3 for each file that was created by the NTDSUTIL restore process.
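Steps 3 and 4 as a loop that previews what each LDIF file will change before ldifde imports it, as an added example that is not part of the course; the folder holding the files is a placeholder.

```powershell
# Added example (not from the course): steps 3 and 4 of the backlink procedure as a
# script, with a preview of what each LDIF file is about to change before ldifde touches
# the directory. Run on the restored DC after the normal reboot and the repadmin /syncall
# from step 1. Assumption: ntdsutil left the files in C:\Restore (placeholder) as *.ldf.

$LdifDir = "C:\Restore"

# Each file holds "changetype: modify / add: member / member: <dn>" blocks, one per
# group. Summarise them so an unexpected group (or an empty file) stands out first.
function Get-LdifMembershipPreview {
    param([string] $Path)
    $Group = $null
    foreach ($Line in Get-Content -Path $Path) {
        if ($Line -match '^dn:\s*(.+)$') { $Group = $Matches[1]; continue }
        if ($Group -and $Line -match '^member:\s*(.+)$') {
            "{0,-28} {1}  <-  {2}" -f (Split-Path -Leaf $Path), $Group, $Matches[1]
        }
    }
}

$Files = @(Get-ChildItem -Path $LdifDir -Filter *.ldf | Sort-Object Name)
if ($Files.Count -eq 0) { throw "No .ldf files in $LdifDir; check where ntdsutil put them." }

"Membership links about to be re-added:"
foreach ($F in $Files) { Get-LdifMembershipPreview $F.FullName }

# Import each file. -k makes ldifde continue past constraint violations such as
# "already a member", so one pre-existing link does not abort the whole file;
# -j puts the ldif.log/ldif.err files next to the data instead of in the current directory.
function Import-BacklinkLdif {
    param([System.IO.FileInfo[]] $LdifFiles)
    $Failed = @()
    foreach ($F in $LdifFiles) {
        ldifde -i -k -f $F.FullName -j $F.DirectoryName
        if ($LASTEXITCODE -ne 0) { $Failed += $F.Name }
    }
    return $Failed
}

$Failed = @(Import-BacklinkLdif $Files)
if ($Failed.Count -gt 0) { Write-Warning ("ldifde reported errors for: " + [string]::Join(", ", $Failed)) }
else                     { "All $($Files.Count) backlink files imported." }
```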
In this video:
Uh-Oh
Now, you need to decide what to do with the DC. The good news is, you still have two other Domain Controllers running so Users can still log in. The bad news is, DC-3 is (or rather was) your Infrastructure Master. You need to get an Infrastructure Master back online as fast as you can first, and then decide how to get NY-DC3 back.
How to Seize an Operations Master Role When the Machine Doesn't Exist Anymore
The GUI: Try to move an Operations Master from the GUI like you would normally.
NTDSUTIL: You can also use NTDSUTIL to seize an Operations Master role with the following operation:
1. Go into NTDSUTIL like normal, and don't forget to type activate instance NTDS as your first command.
2. Type roles to move into the Roles context.
3. Type help to get a list of the commands. To seize the Infrastructure Master, type seize infrastructure master.
It all depends...
If the hardware and the Server 2008 operating system are okay but Active Directory has been trashed, you can just do a System State Restore from the last backup.
If your hardware is trashed, build a new Server 2008 machine, install Windows Server Backup, and do a recovery of the last full backup of NY-DC3. (Requires the backup to be on a DVD or NAS.)
Last, if you don't have access to a set of backup files (shame, shame!!), since NY-DC3 is more of an auxiliary machine, you can delete the NY-DC3 computer account from the Domain Controllers OU, build a brand new Server 2008 machine, install AD DS and run DCPromo, and let replication do the job of restoring the Active Directory database. Then move the Infrastructure Master back to the new DC-3.
In this video:
Hank just bought a company... in Tokyo!
Advantages of the Server 2008 Domain Functional Level
The Upgrade Process
Hank's been on a spending spree, and bought a small brokerage in Tokyo, Japan for the mere sum of $1.5 million. The small company, Verde Petra, Inc., is a 10-person shop that focuses on the Asian markets. Their network is a simple one-Domain-Controller setup with 10 client machines, an outsourced email solution, and a couple of network printers. However, their Domain Controller is running a 32-bit edition of Server 2003, and needs to be upgraded to Server 2008 to take advantage of all the extras that a Server 2008 Functional Level provides. Before we do anything to integrate, you need to prepare the Verde Petra Domain Controller by upgrading it to Server 2008 Enterprise 32-bit.
When you get a 2008 Functional Level, you also get these nifty bonus items:
Distributed File System Replication
Advanced Encryption Standard support for the Kerberos protocol
Showtime!
In this video:
Our Two Options To Connect Tokyo and New York
What You Need for Active Directory Federation Services
What You Need for a Trust
The Globomantics/Verde Petra Solution: Trusts
So you've got Tokyo up to date in terms of the OS and the Domain Functional Level. Now it's time to make sure that Verde Petra becomes accessible to Globomantics and vice versa. Hank ponied up for some nifty Virtual Private Network (VPN) technology that allows Tokyo and the New York office to have a direct connection. Eventually, you will want to combine the Verde Petra Domain with the Globomantics domain using the Active Directory Migration Tool, but what you need to do right now is get the two offices connected ASAP so they can share info in ways other than email.
Actually, there are more than two, but these are a good start.
Diagram: globomantics and na.globomantics on one side, VerdePetra.com on the other.
So the question is, do we use Active Directory Federation Services or do we set up some Trust Relationships between the two locations?
Diagram (AD FS option): an AD DS server on each side, with an AD FS server reached across the Internet.
What you need for a Trust: As long as there's a secure connection between the two networks (like our VPN), all we really need is a DC on either side. Each Domain should be running at least the Server 2003 Functional Level, and the Forest Functional Level has to be at least Server 2003 (Server 2008 preferred).
Diagram (trust option): an AD DS server running DNS on each side; DNS must be configured correctly on both to forward requests to the other Domain.
Trust Directions
Network A trusts Network B: users from Network B can access allowed resources on A, but users from A cannot access stuff on Network B.
Transitive Trusts
If Domain A trusts Domain B and the trust is transitive, and if C trusts B, then A and C also have a trust relationship.
We really don't need an External Trust, though, because the trust between Verde Petra and Globomantics is transitive!
You need to ensure that the DNS servers on both networks are configured to know about each other. Both DNS servers are Active Directory Integrated, but a trust does not make it so that either DNS server knows about the other one.
You will set up a Stub Zone on each DNS server, so that any DNS requests for resources on the other network will be forwarded to the DNS server in the other network.
Diagram: a client with a mapped drive to Tokyo Sales Numbers.xls asks the Globomantics server running DNS, which says "This request is for Verde Petra. I have a Stub Zone that will tell you which DNS server to ask about it," and the Verde Petra server running DNS answers.
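The stub zones created with dnscmd, a lookup that proves they work, and a .NET check of the resulting trust's direction and type, as an added example that is not part of the course; the two DNS server addresses are placeholders.

```powershell
# Added example (not from the course): the DNS stub zones from the slide, created with
# dnscmd on each side, and a .NET check of the resulting forest trust. Run the dnscmd
# lines on the respective DNS server as an admin there; the trust check works from any
# member of globomantics.com once the trust exists. Assumptions: Verde Petra's DC/DNS
# server is 10.20.0.10 and New York's is 10.1.0.10 (placeholder addresses over the VPN).

$VerdePetraDns   = "10.20.0.10"
$GlobomanticsDns = "10.1.0.10"

# On the Globomantics DNS server: an AD-integrated stub zone for VerdePetra.com. It keeps
# only the SOA/NS/glue records and refreshes them from the master server in Tokyo.
dnscmd . /ZoneAdd VerdePetra.com /DsStub $VerdePetraDns
# On the Verde Petra DNS server: the mirror image for globomantics.com. Because
# na.globomantics.com is delegated from globomantics.com, one stub zone covers it too.
# dnscmd . /ZoneAdd globomantics.com /DsStub $GlobomanticsDns

# Prove the stub works before opening AD Domains and Trusts: the _ldap SRV record is
# exactly what trust creation and cross-forest logons look up.
nslookup -type=SRV _ldap._tcp.dc._msdcs.VerdePetra.com

function Get-ForestTrusts {
    # Each entry carries SourceName, TargetName, TrustDirection and TrustType.
    # TrustDirection: Inbound = they trust us, Outbound = we trust them, Bidirectional = two-way.
    # TrustType: Forest = transitive across both forests; External = one domain, non-transitive.
    $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    return @($Forest.GetAllTrustRelationships())
}

function Test-TokyoTrust {
    param([string] $TargetForest = "VerdePetra.com")
    $Tokyo = Get-ForestTrusts | Where-Object { $_.TargetName -eq $TargetForest }
    if (-not $Tokyo) { return "No trust with $TargetForest yet; create it in AD Domains and Trusts." }
    if ($Tokyo.TrustType -ne "Forest" -or $Tokyo.TrustDirection -ne "Bidirectional") {
        return "Trust is $($Tokyo.TrustType)/$($Tokyo.TrustDirection); the course wants a two-way transitive forest trust."
    }
    return "Two-way transitive forest trust with $TargetForest is in place."
}

Get-ForestTrusts | Format-Table SourceName, TargetName, TrustDirection, TrustType -AutoSize
Test-TokyoTrust
```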
What We Covered
Define the types and directions of Trusts.
Create Stub Zones in a DNS server in preparation for a Trust.
Implement a Two-Way Transitive Forest Trust.
Add a Universal Group from another Domain to a Domain Local Group in a home Domain.
In this video:
What you need to take for each credential:
MCTS: Take any one exam from a large selection. When you get multiple TS certs, you can build a nifty logo using MS's Logo Builder!
Take 4 tests:
70-648: Provides 2 MCTS
70-620 or 70-624: TS: Vista
70-643: TS: Applications Infrastructure
70-647: MCITP: Enterprise
Take 3 exams:
70-649: Provides 3 MCTS
70-620 or 70-624: TS: Vista
70-647: MCITP: Enterprise Administrator
Go to Prometric.com; it's easy! Prometric is the exclusive provider of Microsoft exams. Microsoft periodically offers free Second Shots; check the Microsoft site first!
Prep
I recommend:
MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory, from Microsoft Press.
Take the Transcender practice exam several times; look up the stuff that you miss in this video course or in the Microsoft Press book.
Review this course at least twice.
Get some virtual machines and push buttons!
Do not stay up all night studying; get good sleep!
When you go in to the test center, leave your cell phone and anything else in your car.
Before taking the test, stop and breathe. Relax. During the test, do not forget to breathe.
Mark questions for review the first time through if you have to think too long about any one of them. You can go back at the end of the test and answer them later.
DNS Stuff
In this video:
A Quick Overview of DNS
What Are DNS Zones Really?
The Different Kinds of DNS Records
Forwarders and Root Hints
Global Name Zones: The WINS Killer (Kind of)
PTR (Pointer): A record in a reverse zone.
SOA (Start of Authority): The beginning record of a zone.
SRV (Service Locator): For servers and service-providing hosts.
NS (Name Server): A record that points to a DNS server.
MX (Mail Exchanger): For email servers.
CNAME (Alias): A nickname record that allows multiple names for the same machine.
If the DNS server doesn't know where a host is, it has to call out...
WINS is an older technology that allows you to use NetBIOS for name resolution.
Global Name Zones are a NEW feature of Server 2008 for single-label name resolution.
Oh boy, here we go
In this video:
Let's Talk Security
Lions and Tigers and Keys and Certificates, Oh My!
Diagram: you hold the Private Key; each of your buddies holds a copy of your Public Key.
Respect My Authori-tay!
Certificate Authority (CA) servers that generate certificates are called root CAs. Certificates are generated from one of these three types of certificate and then passed on to users, devices, other servers and so on. Certificate Authorities can also provide verification of a user's or organization's identity with Online Responder services.
Multiple tiers provide multiple levels of protection. Usually you'll have more than one Server 2008 machine actually doing Certificate Services work.
Standalone Certificate Authority: With a Standalone CA, you'll create certificates and then pass them off to issuing servers. Then you'll take the Standalone CA offline. Certificate issuance is done manually with a Standalone CA; you can't just have it autoenroll users.
Enterprise Certificate Authority: An Enterprise CA stays online all the time and is integrated with Active Directory. Enterprise CAs can assign certificates automatically to users in AD using Autoenrollment. At least a second tier is still a good idea, and you may have more depending on your security needs.
Quick Summary
AD CS in a Nutshell
In this video:
What is AD LDS?
You can have multiple instances of LDS running on the same AD LDS server, all with their own unique schema definitions.
You could have multiple instances of LDS running for multiple applications, all instances being customized for the unique application requirements.
Quick Summary
AD LDS in a Nutshell
You'll only need it for applications that require it. You don't need AD DS for it, although it can work with AD DS.
Most of the tools you would use for AD LDS are command-line based, but there are a few that have a GUI, like ADSI Edit and Ldp.exe.
In this video:
What is Rights Management?
Some Additional Notes About RMS
Diagram: an RMS Server with SQL Server and Active Directory behind it, and two users, Bubba and Sergio.
The rights assigned to the file travel along with the file. If somebody isn't on the list of users who can open a file, they can't get into the file.
Quick Summary
RMS in a Nutshell