Presentation on theme: "Windows 2008 Active Directory Configuration Microsoft Test:"— Presentation transcript:
1Windows 2008 Active Directory Configuration Microsoft Test: 70-640 Mark McCoyMCSE, CNE, CISSP
2Agenda Introductions MS 70-640 Test Objectives Certification Text Study Group/Certification “Schedule”Week 1 AssignmentWeek 1 Discussion – Ch 1 & 2Questions & AnswersWeek 1 Homework Assignment
3Introductions Me You Name: Mark McCoy Phone:WWW:Blog/Questions: realmccoysystems.Wordpress.comYouWho Are You?Why are you attending this Group?What is your Career Goal?
4MS Test ObjectivesConfiguring the Active Directory infrastructure (25 percent)Creating and maintaining Active Directory objects (24 percent)Configuring Domain Name System (DNS) for Active Directory (16 percent)Maintaining the Active Directory environment (13 percent)Configuring Active Directory Certificate Services (13 percent)Configuring additional Active Directory server roles (9 percent)
6Study Group Certification “Schedule” The Group will meet three Saturdays a Month (the fourth Saturday will be for the IT Professionals Club Meeting)We will meet after the IT Professionals Club on the fourth Saturday to stay on ScheduleWe should plan to complete test preparation prior to June 15 to provide an opportunity to take the test before June 30,
7Week 1 AssignmentRead and be prepared to discuss Chapter’s 1 and 2 of the text
8Chapter 1 – Overview of Active Directory The Windows NT 4 Domain Construct (the “Roots” of The Active Directory Tree and Forest)The Benefits of Active DirectoryThe Logical Structure of Active DirectoryUnderstanding Active Directory ObjectsWindows 2008 Server RolesIdentity and Access (IDA) in Active DirectoryExam Essentials
9The Windows NT 4 Domain Construct The NT 4 Domain was used to organize users and secure resourcesThe NT4 Domain utilized a FLAT security Database called a Security Access Manager (SAM) DatabaseThe SAM Database was stored on Primary Domain Controller (PDC), Read/Write copy of the SAM, and copied to a Backup Domain Controller (BDC), Read-Only Copy of the SAM, for redundancyThe Domain constituted a Single Administrative UnitWindows NT4 utilized both “User Domains” and “Resource Domains” due to limitations on the number of objects a single domain could account for
10The Benefits of Active Directory Active Directory implements a Hierarchical Structure of Logical as well as Physical Objects, which can, and often do, mimic the Organizational StructureThe Security Database is now stored on multiple Read/Write Domain ControllersActive Directory implements a “multi-master” domain controller, not PDC’s or BDC’s, but only Domain Controllers, each with the same “rights”Active Directory can store Millions of Objects, thereby eliminating the need for separate User and Resource DomainsActive Directory implements a “Distributed, but Centralized” Security DatabaseActive Directory is actually a database, which can be extended (extensible), has a Schema (design), and can be queried for informationThe Domain Concept has been maintained and serves as a Security Boundary within the database
11The Logical Structure of Active Directory Data StoreThe term data store is used to refer to the actual structure that contains the information stored within Active Directory.The data store is implemented as a set of files that resides within the file system of a domain controller.SchemaStructure or design of the Active Directory databaseAttributes - things that describe an objectClasses – a “Category” of ObjectsGlobal CatalogA database that contains all of the information pertaining to objects within all domains in the Active Directory environmentReplicationThe process of copying the Active Directory Database, to include objects, permissions, logical structure, etc, from one Domain Controller to anotherDomains, Trees, ForestsDomain – The Basic Unit (Security Boundary) of Active DirectoryTree – One or more domains in CONTIGUOUS name spaceForest – A collection of Domains that may NOT be contiguousHierarchical StructureThe Active Directory Structure is Hierarchical as opposed to flatInheritanceBy default permissions and policies within the domain flow down the hierarchyTrust RelationshipsOne Domain/Forest must Trust the Other in order to grant permissions from one Domain/Forest to the OtherTrusts are Transitive (If A trusts B, and B trusts C, it is implied A trusts C)
12Understanding Active Directory Objects GUID and SIDEach object in Active Directory has a globally unique identifier (GUID) or security identifier (SID)OrganizationOrganization (O) is the company or root-level domainDomain ComponentDomain component (DC) is a portion of the hierarchical pathCommon NamesCommon name (CN) specifies the names of objects in the directoryOrganizational UnitA logical grouping of User Accounts and ResourcesUser Accounts (Common Names – CN)Users within Active DirectoryComputer AccountsWorkstations or Servers in Active DirectoryDistinguished NamesThe Full Name of an Object Starting from the Root of the DomainRelative namesThe Name of an Object from a Particular point within the Domain
13Windows 2008 Server Roles Server Manager (New in 2008) Server Manager is a Microsoft Management Console (MMC) snap-in that allows an administrator to view information about server configurationActive Directory Certificate ServicesUsed to provide HTTPS, Secure FTP, etc ServicesPublic Key EncryptionActive Directory Domain Services“Becoming a Domain Controller”Can now configure a “Read-Only” Domain ControllerActive Directory Federation ServicesSingle Sign-on across multiple platformsOrganizations can set up trust relationships with other trusted organizations so a user's digital identity and access rights can be accepted without a secondary passwordActive Directory Lightweight Directory ServicesThis type of service allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requiresActive Directory Rights Management ServicesActive Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. This access can be used to secure messages, internal websites, and documents
14Identity and Access (IDA) in Active Directory Users may have to access resources on different types of hardware, software, and devices.Many of these systems and devices do not always communicate with each other, it is not unusual for users to have multiple identities on multiple systems.IDA Provides a means to manage Identity and Access on Multiple SystemsIDA solutions can be categorized into five distinct areas:Directory servicesStrong authenticationFederated IdentitiesInformation protectionIdentity Lifecycle Management
15Chapter 1 Exam Essentials Understand the problems that Active Directory is designed to solve.The creation of a single, centralized directory service can make network operations and management much simpler. Active Directory solves many shortcomings in Windows NT's domain model.Understand Active Directory design goals.Active Directory should be structured to mirror an organization's logical structure. Understand the factors that you should take into account, including business units, geographic structure, and future business requirements.Understand Windows Server 2008 server roles.Understand what the five Active Directory Windows Server 2008 server roles—AD CS, AD DS, AD FS, AD LDS, and AD RMS—do for an organization and its users.Understand identity and access (IDA) solutions.Understand how IDA can help organizations solve the problems associated with multiple usernames and passwords. Understand how the Active Directory Windows Server 2008 server roles work with and affect IDA.
16Chapter 2 – Domain Name System (16% of Test) Introducing DNSIntroducing DNS ZonesNew Functionality in Windows Server 2008 DNSIntroducing DNS Record TypesConfiguring DNSMonitoring and Troubleshooting DNSExam Essentials
17Introducing DNS The Domain Name System (DNS): A service designed to resolve Internet Protocol (IP) addresses to hostnamesDNS Roles:DNS Server: Provides DNS ServiceDNS Client: Requests DNS ServiceResolver: Software Process to Determine IP Address from Host AddressDynamic versus Non-Dynamic DNSDynamic DNS (RFC 2136) allows clients to update DNS Entry automatically (via DHCP Server)In Non-Dynamic DNS, the client systems do not have the ability to update to DNS. Updates must be made manuallyNon-Secure Dynamic DNSComputers that are not part of Active Directory can Dynamically Update DNS EntrySecure Dynamic DNSOnly members of the Active Directory Domain can dynamically update their DNS EntryDNS QueriesIterative: Client Queries DNS Servers “in turn” until IP address is foundRecursive: Client makes request of his local DNS Server. The DNS Server performs the remaining queries.Inverse Queries: Use pointer records (IP Address) to find the Host
18Introducing DNS Zones Primary Zones The primary zone is responsible for maintaining all of the records for the DNS zone.All record updates occur on the primary zone.Secondary ZonesSecondary zones are non-editable copies of the DNS database.Used for load balancing (also referred to as load sharing)A secondary zone gets its database from a primary zone.Active Directory Integrated ZonesAll Zone Information is maintained in Active DirectoryZone Information is replicated with that of Active DirectoryZone information is more secureStub ZonesOnly contain the IP Address of the Primary Zone DNS ServerStub zones work a lot like secondary zones—the database is a non-editable copy of a primary zone.The stub zone's database contains only the information necessary (three record types) to identify the authoritative DNS servers for a zoneZone TransfersFull Zone Transfer – AXZRIncremental Transfer – IXFRReplicationActive Directory Integrated Zone Transfers are part of the Replication Process
19New Functionality in Windows Server 2008 DNS Background zone loadingIf an organization had to restart a DNS server with an extremely large Active Directory Integrated DNS zones database in the past, it could take hours for DNS data to be retrieved from Active Directory. During this time, the DNS server was unable to service any client requests.To address this issue, Microsoft Windows Server 2008 DNS has implemented background zone loading. As the DNS restarts, the Active Directory zone data populates the database in the background This allows the DNS server to service client requests for data from other zones almost immediately after a restart.Support for TCP/IP version 6 (IPv6)IP Version 6 is a 128 bit Hexadecimal NumberFour Sets of 32 BitsRead-only domain controllersFunctions as a Domain Controller to support Logon Authentication and resource location, but is read-onlyGlobalName zoneIntended to assist in the transition from WINS resolution to DNSThese use single-label names (DNS names that do not contain a suffix such as .com, .net, etc.) the same way WINS does.GlobalName zones are not intended to support peer-to-peer networks and workstation name resolution, nor do they support dynamic DNS updates.
20Introducing DNS Record Types Start of Authority (SOA)What Server is responsible for the ZoneName Server (NS)Servers running DNS in the ZoneHost RecordWorkstation, Server, Printer on NetworkName to IP AddressAlias (canonical name (CNAME) )A “Second Name” for a Host on the NetworkPointer (PTR) RecordIP Address mapped to a Host nameMail Exchanger (MX)Name of the Mail ServerService Record (SVR)SRV records tie together the location of a service (like a domain controller) with information about how to contact the service.
21Configuring DNS Installing DNS Through Server Manager Load Balancing through Round RobinYou set up round robin load balancing by creating multiple resource records with the same hostname but different IP addresses for multiple computersIf round robin is enabled, when a client requests name resolution, the first address entered in the database is returned to the resolver and is then sent to the end of the list. The next time a client attempts to resolve the name, the DNS server returns the second name in the database (which is now the first name) and then sends it to the end of the list, and so on.Configuring a Caching-Only ServerSetting Zone PropertiesSOA, Named Servers, WINS, Zone Transfers, Security, EtcConfiguring Dynamic UpdatesCreating Delegated DNS ZonesManually Creating Records
22Monitoring and Troubleshooting DNS Monitoring DNS with the DNS Snap-InTroubleshooting DNSUsing NslookupWindows Server Windows Server 2008 gives you the ability to launch nslookup from the DNS snap-in.Using Nslookup on the Command Linenslookup DNS_name_or_IP_address server_IP_addressUsing Nslookup in Interactive Mode Using Nslookup in Interactive ModeUsing DNSLintdnslint /d helps diagnose reasons that cause "lame delegation" and other related DNS problems.dnslint /ql helps verify a user-defined set of DNS records on multiple DNS servers.dnslint /ad helps verify DNS records pertaining to Active Directory replication. Here is the syntax for DNSLint:Using Ipconfigipconfig /all Displays additional information about DNS, including the FQDN and the DNS suffix search list.ipconfig /flushdns Flushes and resets the DNS resolver cache. For more information about this option, see the section "Configuring DNS" earlier in this chapter.ipconfig /displaydns Displays the contents of the DNS resolver cache. For more information about this option, see "Configuring DNS" earlier in this chapter.ipconfig /registerdns
23Chapter 2 Exam Essentials Understand the purpose of DNS.Resolve Host name to IP AddressUnderstand the different parts of the DNS databaseSOA, MX, Host, PTR, SVR, NS recordsKnow how DNS resolves namesUnderstand the differences among DNS servers, clients, and resolversKnow how to install and configure DNS.Know how to create new forward and reverse lookup zones.Know how to configure zones for dynamic updatesKnow how to delegate zones for DNSUnderstand the tools that are available for monitoring and troubleshooting DNS.
25Week 2 Assignment/Homework Week 2 Lab Preparation:Download “Lab” Software fromDownload Windows 2008 Server ISO (FREE)Download Microsoft Virtual PC 2007 Install (FREE)Get HD (those who haven’t gotten theirs yet) From IT Chair – Can also use personal laptopsWeek 2 Reading:Read Chapter 3: Planning and Installation of Active DirectoryRead Chapter 4: Installing and Managing Trees and Forests