
Ch1 2

The document provides an introduction to Windows Server 2019, detailing its editions, hardware requirements, and installation options. It also covers Active Directory Domain Services (AD DS), including its components, domain controllers, and the installation process. Key concepts such as organizational units, forests, and the authentication and authorization processes are explained to facilitate understanding of network management and security.

Microsoft Official Course

Chapter 1

Windows Server 2019


Introduction to Windows Server 2019

• Windows Server 2019


• Preparing and installing Server
• Selecting a suitable Windows Server 2019 edition.
• Hardware requirements
• Installation options
Windows Server 2019 editions

• Windows Server 2019 Standard


• Windows Server 2019 Datacenter
Windows Server 2019 editions

• Windows Server 2019 Standard edition:


• is designed for physical server environments or virtualization.
• It provides many of the roles and features available for the
Windows Server 2019.
• This edition supports up to 64 sockets and up to 4 terabytes
(TB) of RAM
Windows Server 2019 editions

• Windows Server 2019 Datacenter edition:


• It is designed for highly virtualized infrastructures, including private cloud and hybrid cloud environments.
• It provides all of the roles and features available for the Windows Server 2019.
• This edition supports up to 64 sockets, up to 640 processor cores, and up to 4 TB of RAM.
• It includes unlimited Windows Server–based virtual machines (Hyper-V).
• Microsoft Hyper-V Server 2019 Acts as a stand-alone
virtualization server for virtual Machines, including all the
new features around virtualization in Windows Server 2019.
• It supports domain joining and limited service features.
Windows Server 2019 – Hardware Requirements

• Windows Server 2019 has the following minimum hardware requirements for Server installation:
Windows Server 2019 – Installation

• You can choose among the following installation options:

• Windows Server 2019 - Core installation (PowerShell)


• Windows Server 2019 (Desktop Experience) -GUI
Windows Server 2019 – Installation

Chapter 2

Introduction to Active Directory Domain Services
Module Overview

• Overview of AD DS
• Overview of Domain Controllers
• Installing a Domain Controller
Overview of AD DS

• Overview of AD DS
• AD DS Domains
• What are OUs?
• What Is an AD DS Forest?
• What Is the AD DS Schema?
Overview of AD DS

Active Directory: is a framework that manages several Windows Server domains. It was
introduced by Microsoft for centralized domain management as a database. This database
enables users to connect with network resources to get their work done. It can store
huge volumes of data as objects organized as forests, trees, and domains. It also
includes other services such as permission and access rights management and Single Sign-On
(SSO).

Domain Controller: is a server computer that authenticates and validates user access
on a network. A domain controller is the server responsible for managing network and
identity security requests. It acts as a gatekeeper and authenticates whether the user is
authorized to access the resources in the domain.
Overview of AD DS

AD DS (Active Directory Domain Services) is composed of both physical and logical components

Physical Components

• Data store
• Domain controllers
• Global catalog server
• Read-Only Domain Controller (RODC)

Logical Components

• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• Organizational units (OUs)


Overview of AD DS

AD DS is composed of both physical and logical components


Physical Components

• Data store. Stores the AD DS information. This is a file on each domain controller.
• Domain controllers. Contain a copy of AD DS database.
• Global catalog servers. Host the global catalog, which is a partial, read-only copy of all the domain
naming contexts in the forest. A global catalog speeds up searches for objects that might be attached
to other domain controllers in the forest.
• Read-only domain controllers (RODCs): A special install of AD DS in a read-only form. This is
often used in Branch Offices where security and IT support are often less advanced than in the main
corporate centers.
Overview of AD DS

Logical Components

• Partitions: Various partitions exist in AD DS: domain directory, configuration directory, schema directory,
and application directory.
• Schema: Defines the list of attributes that all objects in the AD DS can have.
• Domains: Logical, administrative boundary for users and computers
• Domain Trees: Collection of domain controllers that share a common root domain.
• Forests: Collections of domains (Trees) that share a common AD DS.
• Sites: Collections of users, groups, computers as defined by their physical locations. Useful when you
plan administrative tasks such as replication of the AD DS.
• OUs: These are containers in AD DS, which provide a framework for delegating administrative rights and
also for linking Group Policy.
AD DS Domains

• AD DS requires one or more domain controllers
• All domain controllers hold a copy of the domain database which is continually synchronized
• The domain is the context within which Users, Groups, and Computers are created
• “Replication boundary”
• An administrative center for configuring and managing objects
• Any domain controller can authenticate any logon in the domain
What are OUs?

• Organizational Units
• Objects
• Users
• Computers
• OUs
• Containers that can be used to group objects within a domain
• Create OUs to:
o Delegate administrative permissions
o Apply Group Policy
Forest vs Tree?

• A tree is a collection of one or more domains that share the same namespace and are linked in a transitive trust hierarchy.
• A forest is a collection of trees that share the same characteristics, such as a global catalog, directory schema, directory configuration and logical structure.
Forest vs Tree?

[Diagram: Forest Root Domain: google.com; Tree Root Domain: google.com; calendar.google.com]
What Is the AD DS Schema?

The Active Directory schema: attributes and object classes:

Attributes

• objectSID
• SAMAccountName (Security Account Management)
• location
• manager
• department

Classes

• User
• Group
• Computer
• Site
Overview of Domain Controllers

• What Is a Domain Controller?


• What Is the Global Catalog?
• The AD DS Logon Process
• What Are Operations Masters?
What Is a Domain Controller?

• Domain controllers: A domain controller is a type of server that processes requests for authentication
from users within a domain. Moreover, it stores information about users, authentication credentials and
security policies.
• What are the main functions of a domain controller?
o Domain controllers control access to domain resources by authenticating user identity through login
credentials, and by preventing unauthorized access to those resources.
o Domain controllers apply security policies to requests for access domain resources.
• What are the benefits of a domain controller?
o Centralized management of domain controllers enables organizations to authenticate all directory
services requests using a centralized domain controller.
o Distributed and replicated domain controllers enforce security policies and prevent unauthorized
access across enterprise networks.
o Access to file servers and other network resources through domain controllers provides seamless
integration with directory services.
o Support for secured authentication and transport protocols in domain controllers improves
authentication process security.
What Is a Domain Controller?

Domain Controllers
• Servers that perform the AD DS role:
• Host the Active Directory database (NTDS.DIT) and SYSVOL (System
Volume) (replicated between domain controllers)
• stores information about users, authentication credentials and security
policies
• Processes requests for authentication from users within a domain
• Kerberos KDC service performs authentication
• Other Active Directory services
• NTDS: New Technology Directory Services
• DIT : Directory Information Tree
What Is a Domain Controller?

• Best practices:
• Availability: Having multiple domain controllers in each domain provides
load balancing, but more importantly, it also provides recoverability if a
server failure occurs.
• Security: Server Core, RODC and BitLocker
• All domain controllers engage in authentication and authorization, thus
making it a redundant system with fewer fail-points.
• It is better to put domain controllers in remote.
• It is better to increase the number of domain controllers for redundancy
and performance.
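
The availability points above can be checked against a live domain. The following is an added example, not part of the course material; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the session is logged on to the domain, and the function names Get-DcInventory and Test-DcBestPractice are hypothetical.

```powershell
# Added example (not from the course). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical helper: one row per domain controller in the domain.
function Get-DcInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem,
            @{ n = 'FsmoRoles'; e = { $_.OperationMasterRoles -join ', ' } }
}

# Hypothetical helper: compare the inventory with the best practices listed above.
function Test-DcBestPractice {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $findings = @()

    # Availability: more than one writable DC, so a server failure is recoverable.
    $writable = @($Inventory | Where-Object { -not $_.IsReadOnly })
    if ($writable.Count -lt 2) {
        $findings += "Only $($writable.Count) writable domain controller(s) in the domain."
    }

    # Every site should be able to reach a global catalog locally, because
    # universal group membership is looked up during logon.
    foreach ($site in ($Inventory | Group-Object Site)) {
        if (-not ($site.Group | Where-Object IsGlobalCatalog)) {
            $findings += "Site '$($site.Name)' has no global catalog server."
        }
    }

    # RODCs are listed so they can be matched against branch-office sites.
    foreach ($rodc in ($Inventory | Where-Object IsReadOnly)) {
        $findings += "RODC '$($rodc.Name)' in site '$($rodc.Site)' (expected at branch offices)."
    }
    $findings
}

$inventory = @(Get-DcInventory)
$inventory | Format-Table -AutoSize
Test-DcBestPractice -Inventory $inventory
```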
Domain Controller Services
• Authentication is the process of verifying who a user is, while
• Authorization is the process of verifying what specific applications, files, and data a user has access to.
Authentication

• Determines whether users are who they claim to be
• Challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition)
• Generally, transmits info through an ID Token
• Generally governed by the OpenID Connect (OIDC) protocol
• Example: Employees in a company are required to authenticate through the network before accessing their company email

Authorization

• Determines what users can and cannot access
• Verifies whether access is allowed through policies and rules
• Generally, transmits info through an Access Token
• Generally governed by the OAuth 2.0 framework
• Example: After an employee successfully authenticates, the system determines what information the employees are allowed to access
Domain Controller Services

• OIDC (OpenID Connect protocol): is one of the newest security protocols and was designed to protect browser-based applications, APIs, and mobile native applications. It delegates user authentication.
• Moreover, it is an open authentication protocol that works on top of the OAuth 2.0 framework.
• It allows individuals to use single sign-on (SSO) to access relying party sites using OpenID Providers (OPs), such as an email provider or social network, to authenticate their identities.

• OAuth2: is an authorization standard defining a framework for sharing account information about a user between parties without revealing their credentials. For example, if you want to share your contacts list with a website so that it can send emails on your behalf and click on a “Sign In with Google” button, then you’re using OAuth2.
Domain Controller Services

• Kerberos: is a protocol that facilitates mutual authentication and user authorization for services. Kerberos uses shared key cryptography through a ticket-based authentication system, where tickets are issued, encrypted, and decrypted by a Key Distribution Center (KDC). It is used for single sign-on purposes. It is one of the services used by Windows Server Active Directory.
What Is the Global Catalog?
• Global catalog: The Global Catalog stores a partial replica of all objects in the forest, enabling efficient searches across domains and providing universal group membership information during user authentication.
▪ Hosts a partial attribute set for other domains in the forest
▪ Supports queries for objects throughout the forest
[Diagram: partitions labelled Schema, Configuration, Domain A and Domain B, and a global catalog server]
Installing a Domain Controller

• Installing a Domain Controller by Using a GUI


• If you want to show the desktop icons➔ Press Ctrl+R ➔ type desk.cpl ,5
Installing a Domain Controller
• Before deploying the Active Directory, do the following:
• Change Computer Name.
• IP address
• Password of Administrator: should be complex
• Change Time +3 ➔ Baghdad
Installing a Domain Controller

• Deployment Configuration section of the Active Directory Domain Services Configuration Wizard
• Start menu ➔ Server Manager
Installing a Domain Controller

• Add roles and features: once you click add role

• Then click next ➔ choose the default setting


• Then ➔ check Active directory domain ➔ then ➔ Next and follow the wizard.
Installing a Domain Controller

• From the notification area you will find a message:


• Promote this server to a domain controller.
Installing a Domain Controller

• Choose "Add a new forest": choose a name for your domain, e.g. Test.local
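
On a Server Core installation there is no wizard, so the same procedure is typed into PowerShell. The script below is an added example, not part of the course material; the computer name, adapter alias, IP addressing and NetBIOS name are lab assumptions, and only the domain name Test.local comes from the slide above.

```powershell
# Added example (not from the course): the GUI steps above as a two-phase script.
# Run once with -Phase Prepare, log on again after the restart, then -Phase Promote.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Prepare', 'Promote')]
    [string]$Phase
)

$ComputerName = 'DC01'            # assumed host name
$Interface    = 'Ethernet'        # assumed adapter alias
$IPAddress    = '192.168.10.10'   # assumed static address
$PrefixLength = 24                # assumed subnet
$Gateway      = '192.168.10.1'    # assumed gateway
$DomainName   = 'Test.local'      # example name used on the page
$NetbiosName  = 'TEST'            # assumed NetBIOS name

if ($Phase -eq 'Prepare') {
    # Pre-deployment checklist: static IP address, time zone, computer name.
    New-NetIPAddress -InterfaceAlias $Interface -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway
    Set-TimeZone -Id 'Arabic Standard Time'    # (UTC+03:00) Baghdad
    Rename-Computer -NewName $ComputerName -Restart
}

if ($Phase -eq 'Promote') {
    # "Add roles and features" -> Active Directory Domain Services.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    # The recovery (DSRM) password is prompted for, never stored in the script.
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'
    $forest = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName
        InstallDns                    = $true
        SafeModeAdministratorPassword = $dsrm
    }

    # Run the prerequisite checks first and stop on any error.
    $errors = Test-ADDSForestInstallation @forest |
        Where-Object { $_.Status -eq 'Error' }
    if ($errors) {
        $errors | ForEach-Object { Write-Error $_.Message }
        return
    }

    # "Promote this server to a domain controller" -> "Add a new forest".
    # The server restarts automatically when promotion completes.
    Install-ADDSForest @forest -Force
}
```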
