TABLE OF CONTENTS
SESSION 1: DEPLOYING ACTIVE DIRECTORY DOMAIN SERVICES
    2. Installing the AD DS service
    3. Installing the Domain Controller (promoting to a domain)
    4. Checking the system information
  III. Demote Domain Controller (removing the domain)
  IV. Joining a Client to the Domain
    2. Renaming the computer and setting the domain name
    3. Checking the information
    2. Setting the hours during which a user may log on to the domain
    3. Setting which computers users may log on to
    2. Adding a user to a group
  III. Managing Organizational Units (OU)
SESSION 3: BACKUP AND RESTORE ON WINDOWS SERVER 2008
SESSION 4: ROUTING AND REMOTE ACCESS
  I. Installing and enabling the RRAS service
    2. Configuring a dynamic IP address on the client
    1. Configuring the primary DNS Server (DNS Server Primary)
    2. Configuring the secondary DNS Server (DNS Server Secondary)
    3. Synchronizing data between DNS Server Primary and DNS Server Secondary
    4. Configuring TCP/IP on the client so that the client can resolve domain names
  III. Working with records on the DNS Server
  I. Installing the Group Policy Management Console (GPMC)
  II. Characteristics of the Group Policy Management Console (GPMC)
  VI. Some extended operations on GPOs
SESSION 8: WEB SERVER
  III. Configuring the DNS Server to resolve the domain name for the website
  IV. Running several websites on one server
  I. Introduction to Windows Firewall with Advanced Security
  II. Firewall Rule
    1. Introduction to Firewall Rules
SESSION 1: DEPLOYING ACTIVE DIRECTORY DOMAIN SERVICES
Active Directory Domain Services (AD DS) is a service on Windows Server 2008 that uses the information stored in Active Directory to manage user, group and computer objects. These objects are organized in a hierarchical structure made up of:
- The Active Directory forest (a forest is an object formed from a group of two or more domain trees that have a trust relationship with one another)
- The domain trees in the forest
- The Organizational Units (OU) in each domain

- Auditing: stores the events related to objects in Active Directory, so you can tell what was changed on an object. Both the current value and the value before the change are recorded by the system.
- Password Policies can be configured for individual objects within a domain, so you do not have to apply one shared password policy to every user in the same domain.
- Read-Only Domain Controller: a Domain Controller whose Active Directory database is read-only. This service helps you increase security at locations where security is not well assured, such as offices. A Read-Only Domain Controller does not allow lower-level domain controllers to make changes to Active Directory.
- Restartable AD DS: lets you restart AD DS while the Domain Controller keeps running, so you can complete offline operations quickly.
- Active Directory Certificate Services (AD CS): a service used to issue and manage certificates on systems that use public key technology. You can use AD CS to create certification authorities (CAs). A CA receives certificate requests, processes them, and sends the certificates back to the requester.
- Active Directory Federation Services (AD FS): a service that provides single sign-on (SSO), letting you log on once and use several related web applications.
- Active Directory Rights Management Services (AD RMS): a service used together with applications that support AD RMS (AD RMS-enabled applications) to protect important data (financial reports, customer information, orders, accounting records, etc.) from unauthorized users. With AD RMS you can determine who may perform operations such as viewing, editing or printing your data.
- Active Directory Lightweight Directory Services (AD LDS): an LDAP (Lightweight Directory Access Protocol) directory service on Windows Server 2008. AD LDS provides a mechanism to support directory-enabled applications (applications that use a directory to store data). This service works much like AD DS but does not require deploying domains or Domain Controllers.
(A directory-enabled application is one that does not use a database, files or other storage structures, but instead uses a directory to store its data. Applications of this kind include customer relationship management systems and human resource management systems.)

I. PREPARATION BEFORE INSTALLATION
1. Set the IP address for the server's network card, or set the IP addresses of the DNS Servers in the system. If this server is the first Domain Controller and DNS Server, the AD DS installation also includes installing DNS Server.
2. If you want to add this server to a forest that already exists on Windows Server 2000 or Windows Server 2003, you must update the forest information with the commands:
adprep /forestprep
adprep /rodcprep

II. INSTALLING THE DOMAIN CONTROLLER (DC)
1. Configuring TCP/IP
As with Windows Server 2003, before Windows Server 2008 is promoted to a DC you must point the Preferred DNS at the loopback IP 127.0.0.1 or at the IP 192.168.1.1.
2. Installing the AD DS service
On Windows Server 2003, additional services such as DHCP and DNS are installed through Add/Remove Windows Components. On Windows Server 2008 this is replaced by the Server Manager administration tool with its Roles and Features. By default Windows Server 2008 has no services installed, so you must install the AD DS service before promoting the server to a Domain Controller.
Go to Server Manager → Add Roles. Select the Active Directory Domain Services service.
Choose Next. The Active Directory Domain Services page introduces the service and lists some points to note during installation under Things to Note.
Choose Next to continue. The Confirm Installation Selections page asks you to confirm one last time before installing. Choose Install.
Wait until the installation of the Active Directory Domain Services service completes. Choose Close to finish.

3. Installing the Domain Controller (promoting to a domain)
On the Welcome to the Active Directory Domain Services Installation Wizard page, choose Next.
On the Choose a Deployment Configuration page, choose Create a new domain in a new forest to create a new domain in a new forest.
Choose Next to continue. On the Name the Forest Root Domain page, type the domain name in FQDN of the forest root domain. Then choose Next and wait a few seconds while the system checks whether the domain name is already in use.
On the Set Forest Functional Level page, choose Windows Server 2008 to take full advantage of the features. Then choose Next.
On the Additional Domain Controller Options page, the system checks whether the DNS Server service is already present and automatically selects DNS Server for installation. Note that you cannot install a Read-only domain controller on this first DC.
Choose Next. The Location for Database, Log Files, and SYSVOL page lets you set the paths of the database, log files and SYSVOL. Leave the defaults in C:\Windows.
Choose Next to continue. On the Directory Services Restore Mode Administrator Password page, set the password. Note that this password is not the password of the domain Administrator account, and it must be a complex password (made up of characters such as a, A, @, 1). Example: pass@word1
Choose Next. The Summary page shows the information you set above. If it is correct and complete, choose Next to carry out the installation.
When the installation completes, choose Finish to end.

III. Demote Domain Controller (removing the domain)
On the Welcome to the Active Directory Domain Services Installation Wizard page, choose Next.
On the Confirm Deletion page, select Delete all application directory partitions on this Active Directory domain controller. Choose Next.
Choose Next. On the Summary page, review the settings. Choose Next and wait until the system asks for a Restart so that the change takes effect.
IV. Joining a Client to the Domain
1. Configuring TCP/IP
After successfully deploying AD DS and creating the users, groups and OUs, the next task is to join the workstations (clients) to the domain, in this case the domain ict24h.net.
First, set the IP for the client machine so that the client can join the domain.
2. Renaming the computer and setting the domain name
Under Member of, choose Domain and enter the name of the domain to join. Here it is ict24h.net.
3. Checking the information
Check on the client machine
Right-click My Computer and choose Properties. The System Properties dialog shows that the client has joined the domain ict24h.net.
Check on the DC
Go to Server Manager → Roles → Active Directory Domain Services → Active Directory Users and Computers → ict24h.net → Computers. The client machine named Dandoh is present in the domain.
You can view this client's operating system information by double-clicking it and looking at the Operating System tab.

SESSION 2: MANAGING USERS, GROUPS AND OUs
I. Managing users
1. Creating a new user
After creating a Domain Controller, the next step is to create users in the domain.
Open Server Manager. Click Roles → Active Directory Domain Services → Active Directory Users and Computers, then click the domain. Right-click Users and choose New → User.
In the New Object - User dialog, fill in First name, Last name and Full name.
Note: the User logon name field is the account name you use to log on to the domain, so you must remember it exactly and it must be unique.
Choose Next to continue. The password dialog appears. This is the password for the account name created above, used to log on to the domain.
Note: the password must satisfy the default policies of Windows Server 2008. It must be at least 8 characters long and contain the following:
- Lowercase letters: a, b, c, d, e...
- Uppercase letters: A, B, C, D, E...
- Digits: 1, 2, 3, 4, 5...
- Special characters: @, !, $, &, #...
Example: pass@word1
The options in this dialog:
- User must change password at next logon: forces the user to change the password at the next logon
- User cannot change password: the user is not allowed to change the password
- Password never expires: the password has no expiry period
- Account is disabled: disables the account.
We choose User must change password at next logon to ensure privacy for the user. Choose Next to continue. The next dialog shows the information about the user that is about to be created. Choose Finish to end.
Next, check whether the user has been created; if so, the user name appears under Users. Double-click the user to check its detailed information.
2. Setting the hours during which a user may log on to the domain
By default, a user may log on 24 hours a day. To change this, switch to the Account tab and choose Logon Hours. Here you can set the logon hours for the user. Select a time range and click Logon Denied to block the user's access during that time.
Explanation of the items on the Account tab:
- Unlock Account: select this box when you want to unlock the account
- Account Options: sets the policies for the account.
- Account Expires: how long an account exists. If you choose End of and pick a date next to it, the account expires at that time and is lost.
General tab: lets you fill in the full details of the user.
To delete a user, right-click the user and choose Delete.
II. Managing Groups
1. Creating a group
To create a new group, right-click Users and choose New → Group.
In Group name, type the name of the group. Then choose OK.
Check that the group has been created by clicking Users.
2. Adding a user to a group
To add a user to the group ICT24H, right-click the group and choose Properties. On the Members tab, choose Add...
In Enter the object names to select, type the name of the user you want to add to the group. (Note that the user name must be the name you entered in User logon name when creating the user.)
After typing the user name, choose Check Names to verify it.
The result shows that this user exists in the domain.
I will try typing the name of another user, for example Nguyen Van A, and then choose Check Names to verify it. The system reports An object name "Nguyen Van A" cannot be found → the name Nguyen Van A does not exist in the domain.
On the Managed By tab, you can grant a user permission to manage the group by choosing Change and typing the name in Name. Choose OK to confirm.
III. Managing Organizational Units (OU)
1. Creating an OU
To create an OU in the domain, right-click the domain and choose New → Organizational Unit.
2. Adding a group to an OU
Move the group ICT24H into the OU Network. Right-click the group ICT24H and choose Move.
If you want to delete a user, group or OU, right-click the object, choose Delete and then choose Yes.

SESSION 3: BACKUP AND RESTORE ON WINDOWS SERVER 2008
Select Windows Server Backup Features. Then choose Next.
When the installation completes, on the Installation Results page choose Close to finish installing the Windows Server Backup component.
When the Getting started page appears, choose Next.
Continue with Next. On the Specify backup time page, choose the time:
- Once a day: back up once a day, at a set time
- More than once a day: back up several times a day. Select the times at which to back up and choose Add. To delete a time, choose Remove.

SESSION 4: ROUTING AND REMOTE ACCESS
I. Installing and enabling the RRAS service
Go to Server Manager → Add Roles → Network Policy and Access Services → Next.
Select Routing and Remote Access Services and its two sub-items, Remote Access Service and Routing → Next → Close.
After installing, go to Start → Administrative Tools → Routing and Remote Access → right-click the server name and choose Configure and Enable Routing and Remote Access to enable the service.

SESSION 5: DHCP SERVER
A DHCP (Dynamic Host Configuration Protocol) Server is a server used to hand out dynamic IP addresses to the client machines on the network. You are already familiar with this function from earlier versions such as Windows Server 2000 or Windows Server 2003.
As for how it works, the DHCP Server uses the service of the same name to listen for IP address requests sent from clients. After receiving a request, the DHCP Server picks an IP address from its address range and sends it back to the client. At the same time, the DHCP Server also sends the workstation the information that goes with the IP address, such as the subnet mask, the IP addresses of the DNS Servers and the default gateway.
I. Installing DHCP Server
Go to Server Manager → Roles → Add Roles. On the Before You Begin page, choose Next.
Choose Next. The DHCP Server page introduces the DHCP Server service and lists a few points to note before installing under Things to Note.
Choose Next. On the Select Network Connection Bindings page, select the IP address of the network card that will listen for the requests sent from clients.
Choose Next. On the Specify IPv4 DNS Server Settings page, enter the domain name under Parent domain and the IP address of the DNS Server under Preferred DNS Server IPv4 Address. You can choose Validate to have the system check and validate it.
Choose Next. On the Specify IPv4 WINS Server Settings page, choose WINS is not required for applications on this network.
Choose Next. On the Add or Edit DHCP Scopes page, choose Add. Enter the IP information here, and remember to select Activate this scope to activate the settings you have just made.
If you want to define a further IP range for the DHCP Server to hand out, choose Add and enter the parameters again.
Choose Next. On the Configure DHCPv6 Stateless Mode page, choose Disable DHCPv6 Stateless mode for this server. If you want the DHCP Server to support DHCPv6 for IPv6, choose Enable DHCPv6 Stateless mode for this server.
Choose Next. On the Authorize DHCP Server page, choose the account used to authorize the DHCP Server in Active Directory Services. Here I choose the Administrator account.
Choose Next. The Confirm Installation Selections page shows the settings made before the DHCP Server is installed.
Choose Install to start the installation. Wait for the installation to complete. The Installation Results page shows that the DHCP service has been installed → Installation succeeded. Choose Close to finish the installation.
II. Configuring DHCP Server
1. Configuring DHCP on the server
Go to Start → Administrative Tools → DHCP.
Choose IPv4. Right-click Scope [192.168.0.50] ICT24H-DHCP and choose Properties.
On the General tab you can change the Scope name, reset the IP range and limit how long an IP address remains on a client.
To change the gateway, choose Scope Options. In the right pane, right-click 003 Router and choose Properties.
In the Scope Options dialog you can change the gateway by choosing Add and remove it by choosing Remove. Then choose OK.
To change the domain name, go to Server Options, select 015 DNS Domain Name and choose Properties.
2. Configuring a dynamic IP address on the client
Choose Obtain an IP address automatically and Obtain DNS server address automatically.
Command to release (delete) the dynamic TCP/IP configuration:
ipconfig /release
Command to obtain the dynamic TCP/IP configuration:
ipconfig /renew

SESSION 6: DNS SERVER
A DNS (Domain Name System) Server is a server used to resolve domain names to IP addresses and vice versa. For example ict24h.net → 192.168.1.1
As for how it works, the DNS Server holds a database of DNS records and a service that listens for requests. When a client sends a resolution request, the DNS Server looks it up in the database and returns the corresponding result to the client.
I. Installing DNS Server
Go to Server Manager → Roles → Add Roles. On the Select Server Roles page, select DNS Server.
Choose Next. The DNS Server page introduces DNS Server and lists some points to note before installing under Things to Note.
Choose Next. On the Confirm Installation Selections page, confirm the installation.
Choose Install. Wait for the installation to complete.
Choose Close to finish the installation.
II. Configuring DNS Server
For DNS you should normally build two systems at the same time, a primary DNS Server (Primary) and a backup DNS Server (Secondary), sharing one database. With this approach you reduce the chance that the DNS service stops when an incident occurs on the system.
1. Configuring the primary DNS Server (DNS Server Primary)
Go to Start → Administrative Tools → DNS. Right-click Forward Lookup Zones and choose New Zone.
On the Welcome to the New Zone Wizard page, choose Next.
On the Zone Type page, choose Primary zone to configure the primary DNS Server.
Choose Next. On the Zone Name page, type the domain name.
Choose Next. On the Zone File page, leave the default.
Choose Next. On the Dynamic Update page you can block or allow the DNS Server to accept clients updating their information automatically. I will block this to keep the system safe: choose Do not allow dynamic updates.
Choose Next. On the Completing the New Zone Wizard page, review the information.
Right-click Reverse Lookup Zones and choose New Zone. On the Welcome to the New Zone Wizard page, choose Next.
On the Zone Type page, choose Primary zone to configure the reverse lookup function for the primary DNS Server.
Choose Next. Enter the Network ID and choose Next.
Choose Next. On the Dynamic Update page, choose Do not allow dynamic updates.
2. Configuring the secondary DNS Server (DNS Server Secondary)
To configure a DNS Server Secondary you need a computer other than the DNS Server Primary, with Windows Server 2008 and the DNS Server service installed.
Go to Start → Administrative Tools → DNS. Right-click Forward Lookup Zones and choose New Zone.
On the Welcome to the New Zone Wizard page, choose Next.
On the Zone Type page, choose Secondary zone to configure the backup DNS Server.
Choose Next. On the Zone Name page, enter the same domain name as on the primary DNS Server. In this case it is www.ict24h.net
Choose Next to continue. On the Master DNS Servers page, enter the IP address of the primary DNS Server. Wait a moment while the system checks it.
Choose Next. On the Completing the New Zone Wizard page, choose Finish.
3. Synchronizing data between DNS Server Primary and DNS Server Secondary
To synchronize data between the primary DNS Server and the backup DNS Server, you need to configure Zone Transfers on the primary DNS Server:
On the primary DNS Server:
Go to Start → Administrative Tools → DNS. Right-click the zone name and choose Properties.
On the Zone Transfers tab, select Allow zone transfers. Choose Only to servers listed on the Name Servers tab.
This is the option that lets you add the backup DNS Server.
Switch to the Name Servers tab and choose Add. Type the IP address of the backup DNS Server and wait for the system to validate it. Then choose OK to finish.
4. Configuring TCP/IP on the client so that the client can resolve domain names
Some common commands:
Command to check the name resolution configuration:
nslookup
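The two zone settings chosen above (Do not allow dynamic updates, and zone transfers only to servers listed on the Name Servers tab) can also be applied and checked from the command line. This is an added example, not part of the original lab; it assumes an elevated prompt, English-language nslookup output, and placeholder IP addresses for the primary and secondary servers.

```powershell
# Added example, not from the original lab.
# $Zone comes from the lab; the two IP addresses are placeholders (assumptions).
$Zone        = 'ict24h.net'
$PrimaryIp   = '192.168.1.1'
$SecondaryIp = '192.168.1.2'
$RunOn       = 'Primary'     # 'Primary' on the DNS server, 'Workstation' on a test client

function Invoke-Dnscmd {
    # Run dnscmd with the given arguments and stop on a non-zero exit code.
    param([string[]]$Arguments)
    & dnscmd $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-ZoneTransferRefused {
    # "ls -d" asks the server for a full zone listing (a zone transfer).
    # Returns $true when the server refuses it.
    param([string]$ZoneName, [string]$Server)
    $out = "ls -d $ZoneName" | nslookup - $Server 2>&1 | Out-String
    return ($out -match 'Query refused')
}

function Get-SoaSerial {
    # Read the SOA serial number a given server holds for the zone.
    param([string]$ZoneName, [string]$Server)
    $out = nslookup -type=SOA $ZoneName $Server 2>&1 | Out-String
    if ($out -match 'serial\s*=\s*(\d+)') { return [int64]$Matches[1] }
    return $null
}

if ($RunOn -eq 'Primary') {
    # Same as "Do not allow dynamic updates" (0 = none, 1 = allow, 2 = secure only).
    Invoke-Dnscmd '/Config', $Zone, '/AllowUpdate', '0'
    # Same as "Only to servers listed on the Name Servers tab".
    Invoke-Dnscmd '/ZoneResetSecondaries', $Zone, '/SecureNs'
    # Print the resulting zone properties for the record.
    Invoke-Dnscmd '/ZoneInfo', $Zone
}
else {
    # Run from a machine that is NOT listed on the Name Servers tab.
    if (Test-ZoneTransferRefused $Zone $PrimaryIp) {
        "OK: $PrimaryIp refuses zone transfers of $Zone to this host"
    } else {
        "WARNING: $PrimaryIp did not refuse a zone transfer of $Zone to this host"
    }

    # The secondary is in sync when both servers report the same SOA serial.
    $p = Get-SoaSerial $Zone $PrimaryIp
    $s = Get-SoaSerial $Zone $SecondaryIp
    if ($p -ne $null -and $p -eq $s) {
        "OK: primary and secondary both hold serial $p"
    } else {
        "WARNING: serials differ or could not be read (primary=$p, secondary=$s)"
    }
}
```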
III. Working with records on the DNS Server
After completing the DNS Server installation, you need to build the database for this server by adding DNS records. You will usually work with three common types of DNS record: Host (A), Alias (CNAME) and Mail Exchanger (MX):
- Host (A): a record made up of a domain and the corresponding IP address. For example ict24h.net → 192.168.1.1
- Alias (CNAME): an alias record, which lets several domains map to the same IP address, for example ict24h.net, ict24h.com → 192.168.1.1
- Mail Exchanger (MX): the mail server record
Creating a Host record (A or AAAA)
Go to Start → Administrative Tools → DNS. Right-click the zone and choose New Host (A or AAAA).
Type the host name under Name and the IP address under IP address.
If you want to create the corresponding reverse lookup DNS record, select Create associated pointer (PTR) record. Then choose Add Host.
Choose OK. The New Host dialog appears again; choose Done to finish creating the record.
Creating an Alias (CNAME) record
To create an Alias record, right-click the zone and choose New Alias (CNAME).
As above, fill in the information.
Under Fully qualified domain name (FQDN) for target host, if you do not remember the name, choose Browse to find the machine name you need.
After filling in all the information, choose OK to finish.
If you want to create other records, right-click the zone and choose Other New Records..
Note: the server names, client names and DNS Servers are not the same from one lab to the next, so take care to change them accordingly. The names are changed continually so that you can understand and grasp the material faster.

SESSION 7: GROUP POLICY (GP)
Group Policy (GP) on Windows Server 2008 lets you define configuration for groups of users and computers on the network. We can use GP to create policies and apply them to Active Directory objects such as a site, a domain or an OU.
The settings in GP are stored in Group Policy Objects (GPO). To work with a GPO you use the Group Policy Management Console (GPMC). GPMC also lets you link a GPO to a site, domain or OU object, and in that way apply the policies to the groups of users and computers that belong to that object.
Note: an OU is the lowest-level object to which you can assign a GPO.
I. Installing the Group Policy Management Console (GPMC)
To install GPMC, go to Server Manager → Features → Add Features. Then select Group Policy Management and install it as usual. If you have installed the AD DS service, the GPMC component is installed on the system automatically.
II. Characteristics of the Group Policy Management Console (GPMC)
GPMC is a versatile GP management tool that lets you work with all GPOs, Windows Management Instrumentation (WMI) filters and the GP-related objects on the system. GPMC gives you the following capabilities:
- Backup and Restore of GPOs
- Import and Copy of GPOs
- Searching for GPOs
- Group Policy Modeling lets you create a simulated environment while planning a GP deployment, before you move to the actual deployment
- Group Policy Results lets you collect information about the GP applied to specific objects, and on that basis monitor and handle problems that occur during deployment
- Starter GPOs is the component used to manage the Administrative Templates
- Preferences comprises more than 20 GP extensions that let you make settings related to the registry, local accounts, services, files and folders.
III. Standalone GPOs
To start with GPOs, you should create standalone GPOs (unlinked GPOs) and trial them on virtual systems before applying them in practice. Only when you are sure that the GPOs work well should you apply them to the objects in your own system (site, domain, OU).
To create a standalone GPO, go to Start → Administrative Tools → Group Policy Management.
In the GPMC window, right-click Group Policy Objects and choose New.
In the New GPO dialog, enter the name of the GPO and choose OK.
Click Password Policy under Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
There are six items, explained below:
- Enforce password history: the number of passwords that must be remembered
- Maximum password age: the maximum time this password may exist
- Minimum password age: the minimum time this password must exist
- Minimum password length: the minimum number of characters in the password
- Password must meet complexity requirements: the password must contain the character types (a, A, @, 1)
- Store passwords using reversible encryption: stores the password using an encryption method.
You can set each one by double-clicking its line, choosing Define this policy setting, entering the value and choosing OK.
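To confirm which values actually took effect for the six Password Policy items listed above, the effective settings can be exported with secedit and read back. This is an added example, not part of the original lab; it assumes an elevated prompt on the machine being checked, and the thresholds it tests (minimum length 8, complexity on, reversible encryption off) are assumptions based on the password rules stated in Session 2.

```powershell
# Added example, not from the original lab.
# Export the effective security policy of this machine to a temporary INF file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# Read the "Key = Value" lines of the [System Access] section into a hashtable.
$policy    = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $cfg

# INF key and the GPO setting it corresponds to, in the order used in the GPO editor.
$settings = @(
    @('PasswordHistorySize',   'Enforce password history'),
    @('MaximumPasswordAge',    'Maximum password age'),
    @('MinimumPasswordAge',    'Minimum password age'),
    @('MinimumPasswordLength', 'Minimum password length'),
    @('PasswordComplexity',    'Password must meet complexity requirements'),
    @('ClearTextPassword',     'Store passwords using reversible encryption')
)
foreach ($s in $settings) {
    '{0,-46} {1}' -f $s[1], $policy[$s[0]]
}

# Flag the values that weaken the policy (thresholds are assumptions, see lead-in).
$findings = @()
if ([int]$policy['MinimumPasswordLength'] -lt 8) {
    $findings += 'Minimum password length is below 8 characters'
}
if ([int]$policy['PasswordComplexity'] -ne 1) {
    $findings += 'Password complexity requirements are not enforced'
}
if ([int]$policy['ClearTextPassword'] -ne 0) {
    $findings += 'Reversible encryption is enabled (passwords recoverable from the store)'
}

if ($findings.Count -eq 0) {
    'Password policy matches the expected values.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```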
Choose OK. Next, create users and computers in this OU. Right-click the OU and choose New → User or Computer (creating users and computers was covered in session 1).
I create 3 users and 2 computers in the OU ICT24H Group.
In the Select GPO dialog, choose the domain name under Look in this domain, and choose the corresponding GPO under Group Policy objects. Choose OK to finish.
In the New GPO dialog, enter the name of the GPO and choose OK.
If you want to remove the GPO from this OU, click the GPO. In the right pane, on the Scope tab, right-click the OU and choose Delete Link(s).
The action above only removes the link from the GPO to the OU. If you want to delete the GPO itself, right-click the GPO and choose Delete.
Note: before deleting a GPO you must remove the links between the GPO and the OUs in the domain.
VI. Some extended operations on GPOs
GPMC lets you easily perform operations such as backup, restore, copy and import on the GPOs that are deployed. This capability is a very important advantage when managing GPOs on the network: it saves time and at the same time increases the accuracy and stability of the system.
Backup GPO
To back up all GPOs, right-click Group Policy Objects and choose Back Up All.
In the Backup Group Policy Objects dialog, choose the path where the GPOs are saved under Location and enter a note under Description.
Managing backups
After the backup finishes, you can manage the GPOs with the Manage Backups function.
Right-click Group Policy Objects and choose Manage Backups.
To delete a GPO backup, select the GPO and choose Delete.
Restore GPO
Where there is a backup there is certainly a restore. To restore a GPO, right-click the GPO and choose Restore from Backup.
On the Welcome to the Restore Group Policy Object Wizard page, choose Next.
On the Backup location page, choose the path of the backup folder.
Choose Next to continue. On the Backed up GPOs page, choose the GPO you want to restore.
To check, click the GPO and, in the right pane, open the Settings tab. Review the time as well as the settings.

SESSION 8: WEB SERVER
Internet Information Services 7.0 (IIS 7.0) is one of the 16 server services on Windows Server 2008. Microsoft redesigned this version in modular form; it inherits the strengths of the earlier versions while strengthening security and stability. The notable new points in IIS 7.0 include:
New administration tools.
- IIS 7.0 provides 2 administration tools, one graphical and one command-line. These administration tools let you:
- Manage IIS and ASP.NET centrally
- View information and diagnostics, including real-time information
- Change permissions on site and application objects
- Delegate the configuration of site and application objects to members who do not have administrative rights (non-administrator)
A changed way of storing configuration information
- IIS 7.0 stores the IIS and ASP.NET configuration information in one location, which allows IIS and ASP.NET to be configured in one unified format. It is easy to copy the configuration files and the content of a site or application to another computer
- Diagnosing and fixing problems is easy thanks to real-time information and a detailed log file system
- IIS 7.0 is designed in modular form, which lets you add components to the Web Server and remove them when needed.
High compatibility.
IIS 7.0 is highly compatible with applications deployed on earlier IIS versions. When you deploy IIS 7.0 you can run ASP applications, or applications built earlier on ASP.NET 1.1 and ASP.NET 2.0, without changing the source code.
I. Installing Web Server
To install the IIS 7.0 service, go to Server Manager → Roles → Add Roles.
When you click Web Server (IIS), the system shows a message asking you to add some components before installing the IIS service. Choose Add Required Features.
Choose Next to continue. The Web Server (IIS) page introduces the IIS service and lists some points to note before installing under Things to Note.
Choose Next. On the Select Role Services page, select the components the Web Server needs. When you select some components, the system asks you to add some smaller components. Choose Add require..
Choose Next to continue. The Confirm Installation Selections page shows the settings made before the Web Server IIS is installed.
Choose Install to install. Wait a while for the system to install. When the installation completes, choose Close.
To manage the Web Server, go to Start → Administrative Tools → Internet Information Services (IIS) Manager.
The general interface of IIS Manager
Open a web browser and type http://localhost or localhost. If the screen appears as in the figure below, you have installed IIS 7.0 successfully.
II. Publishing a website
After installing the IIS 7.0 service, you now want to publish a website.
Open IIS Manager. Right-click Sites in the left pane and choose Add Web Site.
Enter the name of the website under Site name. Under Physical path, choose the folder that contains the source code of the website by pressing the (…) button.
Choose OK. A message now appears saying that port 80 is already used by another website. That is the Default Web Site. Choose Yes.
You now have to stop the Default Web Site by clicking Default Web Site and choosing Stop in the right pane. At the same time, select your website and choose Start.
III. Configuring the DNS Server to resolve the domain name for the website
You can also type the IP address in the browser to bring up the website. To do this you need to configure the DNS Server.
Use the Web Server as the DNS Server. Create a DNS Server Primary, then create a Forward Lookup Zone. Create the Host and Alias DNS records. (See the lab session on DNS Server.)
Next, go to IIS Manager. Right-click Sites and choose Add a Website.
Fill in the information. Note that under Host name you type the IP address according to the records you set up above. In this case it is 192.168.1.4. Choose OK to finish.
Go to Server Manager → Roles → Web Server (IIS) → Add Role Services (the same as when installing the Management Service).
On the Select Role Services page, select FTP Publishing Service. The system now asks you to add the required components. Choose Add Required Role Services.
The IIS 6.0 Manager now appears. The FTP component built into Windows Server 2008 must be managed with IIS 6.0. If you want to manage FTP in IIS 7.0 you must install FTP 7.0. This article was carried out on VMware Workstation, so it uses IIS 6.0.
In IIS 6.0 Manager, right-click FTP Sites and choose New → FTP Site.
On the FTP Site Description page, type the name.
Choose Next to continue. On the FTP User Isolation page, choose the restriction mode. To increase security I will choose Isolate users. This is the mode in which only the highest privilege may log in to manage. In the first mode all users can use the site, and in the last mode only the users granted rights in Active Directory can use it.
Choose Next. On the FTP Site Home Directory page, choose the path to the folder that contains the content of the FTP site.
Choose Next. On the FTP Site Access Permissions page, set the access permissions. Here I will choose Read to increase the security of the FTP site (read permission only).
See also: enabling remote administration of IIS 7.0 (search on Google).

SESSION 9: WINDOWS FIREWALL
I. Introduction to Windows Firewall with Advanced Security
Windows Firewall with Advanced Security on Windows Server 2008 is a combination of a personal firewall (host firewall) and IPsec, and lets you configure filtering of the connections coming into and going out of the system. Earlier Windows versions only offered Windows Firewall in Control Panel, with a limited set of configuration operations. Windows Server 2008 adds a new component called Windows Firewall with Advanced Security.
This tool lets you easily perform varied and advanced configuration operations on the firewall. The notable new points are:
- Control of the connections going in and out of the system (inbound and outbound)
- Tight integration with Server Manager. When you use Server Manager to install a service, the firewall is configured automatically to suit the services just installed.
- Improvements in managing and configuring IPsec policies. At the same time, IPsec is replaced by a new concept, Connection Security Rules.
- Improvements in monitoring the policies on the firewall and IPsec (Connection Security Rules)
Windows Firewall with Advanced Security uses two kinds of rule for configuration:
- Firewall rules: determine which connections are allowed or blocked
- Connection Security rules: serve to secure the traffic between this computer and other computers
After building the rules, you rely on the firewall profiles to apply the rules to the computer. A firewall profile is a concept that denotes the location to which the computer is connected. Windows Server 2008 has the following three firewall profiles:
- Domain: applies when a computer is connected to a domain
- Private: applies when a computer is a member of an internal network but is not connected to a domain.
- Public: applies when a computer connects to public networks, such as the Internet.
To open Windows Firewall with Advanced Security, go to Start → Administrative Tools → Windows Firewall with Advanced Security.
The Windows Firewall with Advanced Security on Local Computer pane shows information about the firewall profiles Domain, Private and Public. These are the default settings.
The left pane holds the main functions: Inbound Rules, Outbound Rules, Connection Security Rules and Monitoring.
The Actions pane on the right offers Import Policy and Export Policy for bringing policies in and taking them out.
We will examine some default properties of Windows Firewall with Advanced Security. In the Actions pane on the right, choose Properties.
- Inbound connections: controls connections coming in to this computer. The default value, Block (default), blocks every connection that does not match one of the rules defined on the firewall. There are two other options, Allow and Block all connections. Allow permits all incoming connections and Block all connections blocks incoming connections.
- Outbound connections: controls connections going out from this computer. The default value, Allow (default), permits connections to other systems. If you use the Block option, this computer is prevented from establishing connections on the network. You should therefore keep the default value so that the computer continues to work properly.
- Settings: choose Customize to make some additional firewall settings.
- Logging: choose Customize to change the default settings of the log file.
The Private Profile and Public Profile tabs are similar to Domain Profile. These are the settings for computers that do not belong to a domain.
On the IPsec Settings tab:
- IPsec exemptions makes it easier to find and fix problems in a network that uses IPsec. If you change the default value to Yes, you can readily use tools such as Ping and Tracert to track down the cause and resolve the problem.
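The same per-profile settings can be applied and checked from an elevated Command Prompt with netsh advfirewall. This is an added example, not part of the original guide; the backup path C:\Backup and the log size are sample values.

```bat
@echo off
rem Added example (not from the original guide): the Properties dialog settings,
rem applied with netsh from an elevated Command Prompt on Windows Server 2008.
rem C:\Backup (must already exist) and the log size below are sample values.

rem Export Policy: keep a copy of the current policy before changing anything.
netsh advfirewall export "C:\Backup\firewall-before.wfw"

rem How the dialog options map to firewallpolicy values:
rem   Inbound  Block (default)       = blockinbound
rem   Inbound  Block all connections = blockinboundalways
rem   Inbound  Allow                 = allowinbound
rem   Outbound Allow (default)       = allowoutbound
rem   Outbound Block                 = blockoutbound
netsh advfirewall set allprofiles state on
netsh advfirewall set domainprofile  firewallpolicy blockinbound,allowoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile  firewallpolicy blockinbound,allowoutbound

rem Logging (Customize): record dropped packets for every profile.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 8192
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

rem Check the result: every profile, then the profile currently in effect.
netsh advfirewall show allprofiles
netsh advfirewall show currentprofile
```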
II. Firewall Rule
1. Introduction to firewall rules
Windows Firewall with Advanced Security has two kinds of firewall rule, Inbound Rules and Outbound Rules. They let you create rules that control connections to and from a computer running Windows Server 2008.
In the Windows Firewall with Advanced Security console, click Inbound Rules. A list of the firewall rules on the system appears in the middle pane.
You can also sort the rules and view those that apply to a given firewall profile: right-click Inbound Rules or Outbound Rules, then choose Filter by to filter on conditions such as Profile, State and Group. To see the details of a firewall rule, double-click the rule.
You view and change the state of a firewall rule by selecting or clearing Enabled. Under Action, choose one of the three modes Allow the connections, Allow only secure connections and Block the connections to allow or block the corresponding connection.
Programs and Services tab
Here you can allow or deny access to the services or applications installed on the system. To specify a particular application or service, use Browse or Settings.
Users and Computers tab
You can set the group of users or computers that this firewall rule applies to. Do this by selecting one of the two options Only allow connection from these computers and Only allow connections from these users, then use Add to add the corresponding users and computers.
Note: to authenticate users and computers, you must set Allow only secure connections under Action on the General tab. The users and computers must also belong to the domain, and IPsec must be configured on the systems that take part in the authentication.
On the Protocols and Ports tab, set the protocol and port that the firewall rule applies to.
- Protocol type: choose the relevant protocol from the list, such as UDP, TCP or ICMP.
- Protocol number: you should use the system default value. You can of course also enter the value that matches your own protocol.
- Local port: the port on the server that the firewall rule applies to. For an inbound rule, this is the port the server listens on for incoming requests. For an outbound rule, this is the port the server uses to establish connections to other computers.
- Remote port: the port on the other computer (remote machine) that the firewall rule applies to. For an outbound rule, this is the port on the remote computer that this server connects to (destination port). For an inbound rule, this is the port the remote computer uses to connect to this server (source port).
- Internet Control Message Protocol (ICMP) settings: to configure the ICMP protocol, choose Customize.
Scope tab
Lets you set the Local IP address and Remote IP address values that the firewall rule applies to.
Advanced tab
You can set the profiles and the interface types used by this firewall rule. You can select all profiles or only the ones that fit. To configure the interface types, choose Customize under Interface type and make the appropriate selection.
2. Creating a firewall rule
Create a firewall rule for Inbound. (The steps for outbound are the same.)
Right-click Inbound Rules and choose New Rule. On the Rule Type page choose Custom so that all the options can be adjusted.
Choose Next to continue. On the Program page you can choose All programs to apply the rule to every program, or choose This program path for a specific program, then choose Browse and go to that program.
Choose Next to continue. On the Protocol and Ports page, choose the appropriate protocol under Protocol type. Under Local port and Remote port, choose the appropriate ports and enter the port value in the box directly below.
Choose Next to continue. On the Scope page choose the appropriate connection. (The definitions of Local and Remote were covered above.)
Choose Next to continue. On the Action page, choose Allow the Connection to permit the incoming connection. Allow
Choose Next to continue. On the Profile page choose the profile type you want the rule to apply to.
Choose Next. On the Name page type the rule name and enter a note about the rule under Description.
Choose Finish to complete the wizard. The new inbound rule now appears.
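The wizard steps above correspond to a single netsh advfirewall firewall add rule command, shown here for an inbound and an outbound rule so the difference between local and remote port is visible. This is an added example, not part of the original guide; the rule names, program path, ports and address range are sample values.

```bat
@echo off
rem Added example (not from the original guide): the New Rule wizard steps as
rem netsh commands, run from an elevated Command Prompt on Windows Server 2008.
rem Rule names, program path, ports and addresses are sample values.

rem Inbound: localport is the port this server listens on, remoteip limits
rem which clients may connect (Scope page), profile matches the Profile page.
netsh advfirewall firewall add rule ^
    name="Intranet-Web-In" ^
    description="Intranet clients to the web service on TCP 8080" ^
    dir=in action=allow enable=yes ^
    program="C:\Apps\web\server.exe" ^
    protocol=TCP localport=8080 ^
    remoteip=192.168.1.0/24 ^
    profile=domain

rem Outbound: remoteport is the destination port on the other machine.
rem Outbound traffic is allowed by default, so this sample rule is a block.
netsh advfirewall firewall add rule ^
    name="Block-Telnet-Out" ^
    description="No outbound Telnet from this server" ^
    dir=out action=block enable=yes ^
    protocol=TCP remoteport=23 ^
    profile=any

rem Confirm what was created (the same fields as the rule's property tabs).
netsh advfirewall firewall show rule name="Intranet-Web-In" verbose
netsh advfirewall firewall show rule name="Block-Telnet-Out" verbose

rem Clear the Enabled check box without deleting the rule, or remove it.
netsh advfirewall firewall set rule name="Block-Telnet-Out" new enable=no
rem netsh advfirewall firewall delete rule name="Block-Telnet-Out"
```

Restricting remoteip and profile keeps the allow rule from exposing the port on networks where the service is not meant to be reachable.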