Presentation on theme: "Windows 2008 Active Directory Configuration Microsoft Test: 70-640 Mark McCoy MCSE, CNE, CISSP."— Presentation transcript:
Windows 2008 Active Directory Configuration Microsoft Test: 70-640 Mark McCoy MCSE, CNE, CISSP
Agenda Introductions MS 70-640 Test Objectives Certification Text Study Group/Certification Schedule Week 1 Assignment Week 1 Discussion – Ch 1 & 2 Questions & Answers Week 1 Homework Assignment
Introductions Me Name: Mark McCoy Email: firstname.lastname@example.org@neb.rr.com Phone: 402-317-0507 WWW: www.realmccoysystems.comwww.realmccoysystems.com Blog/Questions: realmccoysystems.Wordpress.com You Who Are You? Why are you attending this Group? What is your Career Goal?
MS 70-640 Test Objectives http://www.microsoft.com/learning/en/us/exa ms/70-640.aspx http://www.microsoft.com/learning/en/us/exa ms/70-640.aspx Configuring the Active Directory infrastructure (25 percent) Creating and maintaining Active Directory objects (24 percent) Configuring Domain Name System (DNS) for Active Directory (16 percent) Maintaining the Active Directory environment (13 percent) Configuring Active Directory Certificate Services (13 percent) Configuring additional Active Directory server roles (9 percent)
Study Group Certification Schedule The Group will meet three Saturdays a Month (the fourth Saturday will be for the IT Professionals Club Meeting) We will meet after the IT Professionals Club on the fourth Saturday to stay on Schedule We should plan to complete 70-640 test preparation prior to June 15 to provide an opportunity to take the test before June 30,
Week 1 Assignment Read and be prepared to discuss Chapters 1 and 2 of the text
Chapter 1 – Overview of Active Directory The Windows NT 4 Domain Construct (the Roots of The Active Directory Tree and Forest) The Benefits of Active Directory The Logical Structure of Active Directory Understanding Active Directory Objects Windows 2008 Server Roles Identity and Access (IDA) in Active Directory Exam Essentials
The Windows NT 4 Domain Construct The NT 4 Domain was used to organize users and secure resources The NT4 Domain utilized a FLAT security Database called a Security Access Manager (SAM) Database The SAM Database was stored on Primary Domain Controller (PDC), Read/Write copy of the SAM, and copied to a Backup Domain Controller (BDC), Read- Only Copy of the SAM, for redundancy The Domain constituted a Single Administrative Unit Windows NT4 utilized both User Domains and Resource Domains due to limitations on the number of objects a single domain could account for
The Benefits of Active Directory Active Directory implements a Hierarchical Structure of Logical as well as Physical Objects, which can, and often do, mimic the Organizational Structure The Security Database is now stored on multiple Read/Write Domain Controllers Active Directory implements a multi-master domain controller, not PDCs or BDCs, but only Domain Controllers, each with the same rights Active Directory can store Millions of Objects, thereby eliminating the need for separate User and Resource Domains Active Directory implements a Distributed, but Centralized Security Database Active Directory is actually a database, which can be extended (extensible), has a Schema (design), and can be queried for information The Domain Concept has been maintained and serves as a Security Boundary within the database
The Logical Structure of Active Directory Data Store The term data store is used to refer to the actual structure that contains the information stored within Active Directory. The data store is implemented as a set of files that resides within the file system of a domain controller. Schema Structure or design of the Active Directory database Attributes - things that describe an object Classes – a Category of Objects Global Catalog A database that contains all of the information pertaining to objects within all domains in the Active Directory environment Replication The process of copying the Active Directory Database, to include objects, permissions, logical structure, etc, from one Domain Controller to another Domains, Trees, Forests Domain – The Basic Unit (Security Boundary) of Active Directory Tree – One or more domains in CONTIGUOUS name space Forest – A collection of Domains that may NOT be contiguous Hierarchical Structure The Active Directory Structure is Hierarchical as opposed to flat Inheritance By default permissions and policies within the domain flow down the hierarchy Trust Relationships One Domain/Forest must Trust the Other in order to grant permissions from one Domain/Forest to the Other Trusts are Transitive (If A trusts B, and B trusts C, it is implied A trusts C)
Understanding Active Directory Objects GUID and SID Each object in Active Directory has a globally unique identifier (GUID) or security identifier (SID) Organization Organization (O) is the company or root-level domain Domain Component Domain component (DC) is a portion of the hierarchical path Common Names Common name (CN) specifies the names of objects in the directory Organizational Unit A logical grouping of User Accounts and Resources User Accounts (Common Names – CN) Users within Active Directory Computer Accounts Workstations or Servers in Active Directory Distinguished Names The Full Name of an Object Starting from the Root of the Domain Relative names The Name of an Object from a Particular point within the Domain
Windows 2008 Server Roles Server Manager (New in 2008) Server Manager is a Microsoft Management Console (MMC) snap-in that allows an administrator to view information about server configuration Active Directory Certificate Services Used to provide HTTPS, Secure FTP, etc Services Public Key Encryption Active Directory Domain Services Becoming a Domain Controller Can now configure a Read-Only Domain Controller Active Directory Federation Services Single Sign-on across multiple platforms Organizations can set up trust relationships with other trusted organizations so a user's digital identity and access rights can be accepted without a secondary password Active Directory Lightweight Directory Services This type of service allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires Active Directory Rights Management Services Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. This access can be used to secure email messages, internal websites, and documents
Identity and Access (IDA) in Active Directory Users may have to access resources on different types of hardware, software, and devices. Many of these systems and devices do not always communicate with each other, it is not unusual for users to have multiple identities on multiple systems. IDA Provides a means to manage Identity and Access on Multiple Systems IDA solutions can be categorized into five distinct areas: Directory services Strong authentication Federated Identities Information protection Identity Lifecycle Management
Chapter 1 Exam Essentials Understand the problems that Active Directory is designed to solve. The creation of a single, centralized directory service can make network operations and management much simpler. Active Directory solves many shortcomings in Windows NT's domain model. Understand Active Directory design goals. Active Directory should be structured to mirror an organization's logical structure. Understand the factors that you should take into account, including business units, geographic structure, and future business requirements. Understand Windows Server 2008 server roles. Understand what the five Active Directory Windows Server 2008 server rolesAD CS, AD DS, AD FS, AD LDS, and AD RMSdo for an organization and its users. Understand identity and access (IDA) solutions. Understand how IDA can help organizations solve the problems associated with multiple usernames and passwords. Understand how the Active Directory Windows Server 2008 server roles work with and affect IDA.
Chapter 2 – Domain Name System (16% of Test) Introducing DNS Introducing DNS Zones New Functionality in Windows Server 2008 DNS Introducing DNS Record Types Configuring DNS Monitoring and Troubleshooting DNS Exam Essentials
Introducing DNS The Domain Name System (DNS): A service designed to resolve Internet Protocol (IP) addresses to hostnames DNS Roles: DNS Server: Provides DNS Service DNS Client: Requests DNS Service Resolver: Software Process to Determine IP Address from Host Address Dynamic versus Non-Dynamic DNS Dynamic DNS (RFC 2136) allows clients to update DNS Entry automatically (via DHCP Server) In Non-Dynamic DNS, the client systems do not have the ability to update to DNS. Updates must be made manually Non-Secure Dynamic DNS Computers that are not part of Active Directory can Dynamically Update DNS Entry Secure Dynamic DNS Only members of the Active Directory Domain can dynamically update their DNS Entry DNS Queries Iterative: Client Queries DNS Servers in turn until IP address is found Recursive: Client makes request of his local DNS Server. The DNS Server performs the remaining queries. Inverse Queries: Use pointer records (IP Address) to find the Host
Introducing DNS Zones Primary Zones The primary zone is responsible for maintaining all of the records for the DNS zone.primary zone All record updates occur on the primary zone. Secondary Zones Secondary zones are non-editable copies of the DNS database. Used for load balancing (also referred to as load sharing)load balancing A secondary zone gets its database from a primary zone. Active Directory Integrated Zones All Zone Information is maintained in Active Directory Zone Information is replicated with that of Active Directory Zone information is more secure Stub Zones Only contain the IP Address of the Primary Zone DNS Server Stub zones work a lot like secondary zonesthe database is a non-editable copy of a primary zone. The stub zone's database contains only the information necessary (three record types) to identify the authoritative DNS servers for a zone Zone Transfers Full Zone Transfer – AXZR Incremental Transfer – IXFR Replication Active Directory Integrated Zone Transfers are part of the Replication Process
New Functionality in Windows Server 2008 DNS Background zone loading If an organization had to restart a DNS server with an extremely large Active Directory Integrated DNS zones database in the past, it could take hours for DNS data to be retrieved from Active Directory. During this time, the DNS server was unable to service any client requests. To address this issue, Microsoft Windows Server 2008 DNS has implemented background zone loading. As the DNS restarts, the Active Directory zone data populates the database in the background This allows the DNS server to service client requests for data from other zones almost immediately after a restart. Support for TCP/IP version 6 (IPv6) IP Version 6 is a 128 bit Hexadecimal Number Four Sets of 32 Bits Read-only domain controllers Functions as a Domain Controller to support Logon Authentication and resource location, but is read-only GlobalName zone Intended to assist in the transition from WINS resolution to DNS These use single-label names (DNS names that do not contain a suffix such as.com,.net, etc.) the same way WINS does. GlobalName zones are not intended to support peer-to-peer networks and workstation name resolution, nor do they support dynamic DNS updates.
Introducing DNS Record Types Start of Authority (SOA) What Server is responsible for the Zone Name Server (NS) Servers running DNS in the Zone Host Record Workstation, Server, Printer on Network Name to IP Address Alias (canonical name (CNAME) ) A Second Name for a Host on the Network Pointer (PTR) Record IP Address mapped to a Host name Mail Exchanger (MX) Name of the Mail Server Service Record (SVR) SRV records tie together the location of a service (like a domain controller) with information about how to contact the service.
Configuring DNS Installing DNS Through Server Manager Load Balancing through Round Robin You set up round robin load balancing by creating multiple resource records with the same hostname but different IP addresses for multiple computers If round robin is enabled, when a client requests name resolution, the first address entered in the database is returned to the resolver and is then sent to the end of the list. The next time a client attempts to resolve the name, the DNS server returns the second name in the database (which is now the first name) and then sends it to the end of the list, and so on. Configuring a Caching-Only Server Setting Zone Properties SOA, Named Servers, WINS, Zone Transfers, Security, Etc Configuring Dynamic Updates Creating Delegated DNS Zones Manually Creating Records
Monitoring and Troubleshooting DNS Monitoring DNS with the DNS Snap-In Troubleshooting DNS Using Nslookup Windows Server 2008. Windows Server 2008 gives you the ability to launch nslookup from the DNS snap-in. Using Nslookup on the Command Line nslookup DNS_name_or_IP_address server_IP_address Using Nslookup in Interactive Mode Using Nslookup in Interactive Mode Using DNSLint dnslint /d helps diagnose reasons that cause "lame delegation" and other related DNS problems. dnslint /ql helps verify a user-defined set of DNS records on multiple DNS servers. dnslint /ad helps verify DNS records pertaining to Active Directory replication. Here is the syntax for DNSLint: Using Ipconfig ipconfig /all Displays additional information about DNS, including the FQDN and the DNS suffix search list. ipconfig /flushdns Flushes and resets the DNS resolver cache. For more information about this option, see the section "Configuring DNS" earlier in this chapter. ipconfig /displaydns Displays the contents of the DNS resolver cache. For more information about this option, see "Configuring DNS" earlier in this chapter.ipconfig /registerdns
Chapter 2 Exam Essentials Understand the purpose of DNS. Resolve Host name to IP Address Understand the different parts of the DNS database SOA, MX, Host, PTR, SVR, NS records Know how DNS resolves names Understand the differences among DNS servers, clients, and resolvers Know how to install and configure DNS. Know how to create new forward and reverse lookup zones. Know how to configure zones for dynamic updates Know how to delegate zones for DNS Understand the tools that are available for monitoring and troubleshooting DNS.
Questions and Answers
Week 2 Assignment/Homework Week 2 Lab Preparation: Download Lab Software from www.DreamSpark.com www.DreamSpark.com Download Windows 2008 Server ISO (FREE) Download Microsoft Virtual PC 2007 Install (FREE) Get HD (those who havent gotten theirs yet) From IT Chair – Can also use personal laptops Week 2 Reading: Read Chapter 3: Planning and Installation of Active Directory Read Chapter 4: Installing and Managing Trees and Forests