Scribd
Upload
97 views67 pages

CEA242 Module 4 - Introduction To Active Directoty and Account Management

Uploaded by

Hasheem Qassim
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
97 views67 pages

CEA242 Module 4 - Introduction To Active Directoty and Account Management

Uploaded by

Hasheem Qassim
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 67

Introduction to

Active
Directory and
Account
Management
Module 4

CEA242 : Server Operating


System Administration
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 1
Learning Objectives (1 of 3)

After completing this module you should be able to:


• Create and manage local user and group accounts
• Install and explain the purpose of Active Directory
• Outline the purpose of Active Directory objects, forests, trees, and
trusts
• Describe the different types of Active Directory groups and their
use within a forest
• Identify the features available within different domain and forest
functional levels
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 2
Learning Objectives (2 of 3)

After completing this module you should be able to:


• Describe how sites can be used to control Active Directory
replication
• Outline the function of the Active Directory global catalog and
UGMC
• Identify the different FSMO roles available within a domain and
forest
• Describe scenarios in which Azure Active Directory can be used
within an organization
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 3
Learning Objectives (3 of 3)

After completing this module you should be able to:


• Use Active Directory Domains and Trusts to raise functional levels
and create trust relationships
• View and raise functional levels using command line utilities
• Use Active Directory Sites and Services to manage sites and
global catalog
• Use Active Directory Users and Computers to create and manage
OU, user, group, and computer objects

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 4
Working with Local Users and Groups
(1 of 7)
• Local user account authentication
− Must provide valid user name and password
• Local user account assigned rights to the operating system
− Examples: change system time or shut down the system
• Local user account granted access to resources
− Based on the resource’s Access Control List (ACL)
• Local group accounts
− Simplify assigning rights and permissions to multiple local user accounts
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 5
Working with Local Users and Groups
(2 of 7)
• Security Accounts Manager (SAM) Registry database
− Stores local user and group accounts
• Local user accounts used to authenticate users following workgroup installation
− Administrator and Guest
• Local group accounts for assigning rights and permissions following system
installation
− Administrators, Guests, and Users

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 6
Working with Local Users and Groups
(3 of 7)
• To create local user and group accounts
− Use the Local Users and Groups MMC snap-in
• To create a new local user account
− Select the Users folder from Local Users and Groups MMC snap-in
▪ Choose appropriate user’s tasks after installation
• To create a new local group account
− Select the Groups folder from Local Users and Groups MMC snap-in

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 7
Working with Local Users and Groups
(4 of 7)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 8
Working with Local Users and Groups
(5 of 7)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 9
Working with Local Users and Groups
(6 of 7)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 10
Working with Local Users and Groups
(7 of 7)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 11
Active Directory Basics

• Options for logging into an Active Directory domain computer


− Local user account
− Domain user account
▪ Encrypted token and domain group account issued to the computer
• Domain user, group, and computer accounts stored as objects in a database
− Active Directory database conforms to ITU X.500 standard
• Lightweight Directory Access Protocol (LDAP) provides quick access
• Active Directory Group Policy provides advantageous features
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 12
Active Directory Objects

• Active Directory schema


− All available object types (classes) and associated properties (attributes)
− Schema can be extended
• Leaf objects represent a user account, group account, or computer account
• Container objects within the Active Directory database
− Group leaf objects for ease of administration and Group Policy application
− Domains, organizational units (OUs), sites

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 13
Active Directory Forests, Trees, and Trusts
(1 of 4)
• Active Directory forests
− Provide for multiple domains within the same organization
− Forest root domain: first domain in a forest
• Using additional domain controllers
− Add them to the forest root domain
− Configure them to host an Active Directory database for another domain
within the same forest
• Active Directory tree has parent and child domains

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 14
Active Directory Forests, Trees, and Trusts
(2 of 4)
• Trust relationship (trust)
− Allows users to access resources within other domains
− Requires access within the resource’s ACL
− Trust relationships represented by arrow symbols in tree diagram
• Transitive property minimizes number of trust relationships needed
• Other types of trusts
− Shortcut trust speeds up resource access
− External trust, forest trust, realm trust
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 15
Active Directory Forests, Trees, and Trusts
(3 of 4)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 16
Active Directory Forests, Trees, and Trusts
(4 of 4)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 17
Active Directory Groups (1 of 2)

• Two main types of group accounts


− Distribution groups and security groups
• Group scopes
− Organize rights and permissions assignments across multiple domains
− Use a combination within a forest to organize the assignment of permissions
− Global scope
− Domain local scope
− Universal scope

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 18
Active Directory Groups (2 of 2)

Table: 4-1
Active Directory group
scopes
Group scope Allowed members Domains that can access the group

Global Objects located within the same domain Any domain in the forest
as the global group
Domain local Objects located within any domain in the Only the domain where the local group
forest resides
Universal Objects located within any domain in the Any domain in the forest
forest

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 19
Domain and Forest Functional Levels (1 of 3)

• Microsoft NT4 Server single sign-on implementation


− Primary domain controller (PDC) and backup domain controllers (BDCs)
• Windows 2000 Server Active Directory required backward compatibility
• New Windows Server versions introduce additional Active Directory features
• Domain functional levels
− Allow backward compatibility to older versions of Active Directory
• Active Directory forest functional level
− Defines minimum domain functional level for each domain within the forest
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 20
Domain and Forest Functional Levels (2 of 3)

Table: 4-2 Windows Server 2019


domain functional levels
Functional level New Active Directory features provided

Windows Server 2008 Distributed File System (DFS) replication between


domain controllers, Advanced Encryption Standard (AES)
security for Kerberos authentication, and enhanced user
account password policies
Windows Server 2008 R2 Service Principle Name (SPN) identification for network
services
Windows Server 2012 Compound authentication, which creates Kerberos tickets
with additional information used by other services, and
Kerberos armoring, which creates a secure channel for
authentication that is protected against network attacks
Windows Server 2012 R2 Additional encryption technologies for Kerberos
authentication, as well as the ability to create
authentication policies
Windows Server 2016 Additional Kerberos authentication features

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 21
Domain and Forest Functional Levels (3 of 3)

Table: 4-3 Windows Server 2019


forest functional levels
Functional level New Active Directory features provided

Windows Server 2008 No additional features beyond those within the Windows
Server 2008 domain functional level
Windows Server 2008 R2 The ability to create and use the Active directory Recycle
Bin to recover deleted objects
Windows Server 2012 No additional features beyond those within the Windows
Server 2012 domain functional level
Windows Server 2012 R2 No additional features beyond those within the Windows
Server 2012 R2 domain functional level
Windows Server 2016 The ability to use the Microsoft Identity Manager (MIM) to
restrict malicious access to Active Directory using
Privilege Access Management (PAM)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 22
Sites and Active Directory Replication

• Active Directory database


− Schema partition
− Configuration partition
− Domain partition
• Control Active Directory replication bandwidth usage
− Site object (site) represents a physical location in an organization
▪ Associated with one or more subnet objects representing IP networks
containing domain controllers
▪ Connected to other site objects using site link objects
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 23
Global Catalog

• Global catalog provides a list of all object names in a forest


− Stored on at least one domain controller in the forest
− Required to complete authentication process and log in to the domain
▪ Cached credentials might provide access if global catalog not available
• User Principle Name (UPN) is a unique name in the global catalog
− Users can use it to log in to their domain from any computer in the forest
• Global catalog updates
− Issue might be resolved with Universal Group Membership Caching (UGMC)
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 24
FSMO Roles (1 of 3)

• Flexible Single Master Operations (FSMO) functions


− Functions that must be coordinated from a single domain controller
• Domain controller configuration
− To hold a single FSMO role
− To hold all FSMO roles for its domain or forest
• Five FSMO roles available within Active Directory
− First domain controller installed within the forest root domain contains all five
• Problem if domain controller holding an FSMO role becomes unavailable
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 25
FSMO Roles (2 of 3)
Table: 4-4 Active Directory
FSMO roles
FSMO Role Number per Domain or Forest Function

Schema Master 1 per forest Must be contacted in order to modify the Active
Directory schema. Any schema changes are then
replicated by the Schema Master to all other domain
controllers in the forest.
Domain Naming Master 1 per forest Must be contacted in order to add or remove
domains and trust relationships within the forest.
Any changes to the domain and trust configuration
of the forest are then replicated by the Domain
Naming Master to all other domain controllers in the
forest. For best performance, the domain controller
that holds the Domain Naming Master should also
hold a copy of the global catalog.
PDC Emulator 1 per domain In legacy Active Directory domains, this role
emulated a Windows NT4 PDC for backward
compatibility. However, in modern Active Directory
domains, the PDC Emulator coordinates user
password changes and sends time information to
each computer within the domain.

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 26
FSMO Roles (3 of 3)
Table: 4-4 Active Directory
FSMO roles
FSMO Role Number per Domain or Forest Function

RID Master 1 per domain Issues sequential ranges of Relative Identifiers


(RIDs) to domain controllers within the domain.
RIDs are used to create unique SIDs for newly
created objects in the domain. Because the RID
Master generates unique ranges of RIDs for each
domain controller, SIDs are guaranteed to be
unique amongst domain objects. When a domain
controller has exhausted its range of RIDs, it
contacts the RID Master to obtain another range.
Infrastructure Master 1 per domain Coordinates group membership, as well as the use
of GUIDs and DNs between the current domain and
other domains in the forest. Because the global
catalog provides similar functionality, the
Infrastructure Master should be placed on a domain
controller that does not contain the global catalog.

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 27
Azure Active Directory

• Active Directory service within the Microsoft Azure cloud


• Provides the same single sign-on features of Active Directory
• Designed to allow access to cloud applications
• Can be configured to trust an organization’s Active Directory forest
• Can be configured to mirror an organization’s Active Directory forest using a
synchronization service
• Can be used to replace an Active Directory forest within an organization
− If Internet connection is consistently robust
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 28
Installing Active Directory (1 of 3)

• Open Server Manager and select the Active Directory Domain Services role
• Progress through the Add Roles and Features Wizard
− Installs files necessary to create a domain controller, management tools, and
Windows PowerShell cmdlets
• Select Promote this server to a domain controller from the Add Roles and
Features Wizard

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 29
Installing Active Directory (2 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 30
Installing Active Directory (3 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 31
Installing a Forest Root Domain (1 of 5)

• Active Directory Domain Services Configuration Wizard


− Select Add a new forest and specify new root domain name
− Select domain controller options
▪ Specify domain and forest functional levels, domain controller
capabilities, and Directory Services Restore Mode (DSRM) password
− Select DNS to specify DNS delegation
− Select Additional Options to specify NetBIOS name
− Select Paths to specify for folders
− Review options and install
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 32
Installing a Forest Root Domain (2 of 5)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 33
Installing a Forest Root Domain (3 of 5)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 34
Installing a Forest Root Domain (4 of 5)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 35
Installing a Forest Root Domain (5 of 5)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 36
Installing a Domain within an Existing Forest
(1 of 2)
• Start the Active Directory Domain Services Configuration Wizard
− Select Add a new domain to an existing forest
− Adding a child domain
▪ Specify name of the parent domain and name of the new child domain
− Adding a new parent domain for a new tree
▪ Select Tree Domain and specify the name of the parent domain
− Authenticate as a user within a forest that is part of Enterprise Admins group
− Progress through Wizard as if configuring a new forest root domain

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 37
Installing a Domain within an Existing Forest
(2 of 2)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 38
Installing a Domain Controller within an
Existing Domain (1 of 2)
• Start the Active Directory Domain Services Configuration Wizard
− Select Add a domain controller to an existing domain
▪ Specify the existing domain name within the Domain text box
− Authenticate within the domain that is part of the Domain Admins group
▪ Click Change and supply credentials
− Progress through Wizard as if configuring a new forest root domain
▪ No need to set the forest or domain functional levels
▪ Can select where to obtain initial copy of Active Directory database

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 39
Installing a Domain Controller within an
Existing Domain (2 of 2)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 40
Raising Functional Levels (1 of 3)

• Use the Active Directory Domains and Trusts tool


− Select domain within the navigation pane
− Click More Actions, Raise Domain Functional Level from the Actions pane
− Select the appropriate functional level from the drop-down box, click Raise
• Can raise the forest functional level
− Select Active Directory Domains and Trusts within the navigation pane
− Click More Actions, Raise Forest Functional Level from the Actions pane
− Select appropriate functional level from the drop-down box and click Raise

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 41
Raising Functional Levels (2 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 42
Raising Functional Levels (3 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 43
Creating Trust Relationships (1 of 2)

• Use conditional forwarder to ensure DNS servers can resolve the DNS records
• Open the Active Directory Domains and Trusts tool
− Select the domain within the navigation pane
− Click More Actions, Properties from the Actions pane
• Domain window opens
− Select the Trusts tab and click New Trust to start the New Trust Wizard
− Choose options: external or forest; one-way outgoing or incoming or two-
way; transitive or non-transitive, etc.
− Select the trust and click Properties to validate or change trust settings
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 44
Creating Trust Relationships (2 of 2)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 45
Managing FSMO Roles

• Command to view all FSMO roles held by domain controllers within your forest
− netdom query fsmo command

• Other commands show domain controllers holding the forest-wide and domain-
wide FSMO roles
• Fault tolerance may require movement of FSMO roles from one domain
controller to another
− Move one or multiple FSMO roles from one domain controller to another
− If source domain controller offline, add the -Force option to the command
▪ Move-ADDirectoryServerOperationMasterRole
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 46
Configuring Sites and Replication (1 of 6)

• Configuring sites
− Open Active Directory Sites and Services tool
− Right-click Default-First-Site-Name and rename
− Right-click Sites folder to create additional sites
− Supply site name and select the appropriate site link
− Specify appropriate IP network and select the associated site
• Two protocols perform Active Directory replication
− IP and Simple Mail Transfer Protocol (SMTP)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 47
Configuring Sites and Replication (2 of 6)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 48
Configuring Sites and Replication (3 of 6)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 49
Configuring Sites and Replication (4 of 6)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 50
Configuring Sites and Replication (5 of 6)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 51
Configuring Sites and Replication (6 of 6)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 52
Configuring Global Catalog and UGMC
(1 of 3)
• Configure a domain controller to host a copy of the global catalog
• Open Active Directory Sites and Services and click Properties
− Right-click NTDS Settings under the server object for the domain controller
− Select the Global Catalog option to place a copy of the global catalog on the
domain controller
• UGMC can host a copy of the global catalog if replication concerns exist
− Allows universal groups to be cached on domain controllers within the site
− Allows fast logon

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 53
Configuring Global Catalog and UGMC
(2 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 54
Configuring Global Catalog and UGMC
(3 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 55
Working with Organizational Units (1 of 3)

• Open the Active Directory Users and Computers tool


− New domain only has one OU called Domain Controllers by default
− Other folders exist to organize the default objects within the domain
− Create an OU
▪ Right-click folder/domain object under which to create the OU
▪ Click New, Organizational Unit
▪ New window opens; supply the name of the OU
▪ Verify Protect container from accidental deletion option

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 56
Working with Organizational Units (2 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 57
Working with Organizational Units (3 of 3)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 58
Working with User Objects (1 of 4)

• Prior to a user logging in to an Active Directory domain:


− Create a domain user account object for the user in the appropriate OU
▪ Within Active Directory Users and Computers
▪ Right-click the appropriate OU, click New, then click User
▪ Opens the New Object – User wizard; supply appropriate information
▪ Supply the new user password, account options
▪ Create user object
▪ Add the appropriate user attributes
▪ Perform other common user management functions
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 59
Working with User Objects (2 of 4)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 60
Working with User Objects (3 of 4)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 61
Working with User Objects (4 of 4)

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 62
Working with Group Objects

• Group objects simplify the assignment of rights and permissions to users


• Create a group object using the New Object – Group window
− Within Active Directory Users and Computers
− Right-click the appropriate OU and click New, Group
− Supply the group type, scope, and name
• Manage group membership
− Within Active Directory Users and Computers
− Click Properties and highlight the Members tab
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 63
Working with Computer Objects

• Two ways to move a computer account object to an OU


− Open Active Directory Users and Computers
▪ Right-click the computer account within the Computers folder
▪ Click Move and select the target OU
− Open Active Directory Users and Computers (prestage computer accounts)
▪ Right-click the appropriate OU, and click New, Computer
• Encryption key within computer accounts needed for communication
• Handle computers joined to an Active Directory domain with hardware failure
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 64
Using the Active Directory Administrative
Center

Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 65
Read-Only Domain Controllers

• Contains a read-only copy of the Active Directory database for the domain
• Object creation and management replicated from large office
− Primary concern during replication is security
− Replicate password attributes for users within the branch office only
• Install RODC using Active Directory Domain Services Configuration Wizard
• Can prestage a RODC computer account using the Active Directory Domain
Services Installation Wizard
• Can delete RODC if stolen and reset computer account for stolen computers
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 66
Summary

• Convenient to log on to a system joined to an Active Directory domain


• Domain and forest function levels specify features and support
• Trust relationships assists with access
• Active Directory group scopes organize forest resource permission assignments
• Configure site links to control replication between domain controllers
• Active Directory database contains three partitions
• Azure Active Directory provides the same single sign-on features
• RODCs provide authentication within smaller branch offices
Eckert/triOS College, Hands-On Microsoft Windows Server, 3rd Edition. ©2021 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole
or in part. 67

You might also like