MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647) Chapter 1 Designing Active Directory Domain Services.

Learning Objectives
Create a virtual lab for testing different forest and domain designs
Plan for different domain and forest functional levels
Design Active Directory Domain Services domains and forests
Design trusts and implement a forest trust

Learning Objectives (cont’d.)
Prepare forests and domains for Windows Server 2008
Create and use an alternative UPN
Understand different tools used to migrate Active Directory objects

The Active Directory service is a distributed database that stores and manages information about network resources, as well as application-specific data from directory-enabled applications. Active Directory allows administrators to organize the objects of a network (such as users, computers, and devices) into a hierarchical collection of containers known as the logical structure. The top-level logical container in this hierarchy is the forest. Within a forest are domain containers, and within domains are organizational units.
Forest Root Domain
Trees and Child Domains
Domain Names

Basic Review of Active Directory Domain Services
Active Directory domain
–Administrative boundary
–Holds a database of objects
Figure 1-1 A two-tree, four-domain forest (Courtesy Course Technology/Cengage Learning)

Active Directory Tree
One or more domains with a common namespace
–Includes the top-level name (.com) and second-level name (Cengage)
Multiple trees within a forest allowed
Tree domains in the same forest
–All domains share the same schema and global catalog

Active Directory Forest
Includes one or more trees
–Comprised of one or more domains
–A single root domain is a forest
Considered a security boundary
Forest Enterprise Admins group
–Can administer any domain in the forest
–Cannot administer domains in other forests
Common schema and common global catalog
–Shared by all forest domains
Built-in trust relationships with every other forest domain

Schema
Defines creatable Active Directory objects
–User, computer, group
Each has specific properties defined by the schema
If an object is not defined in the schema:
–Object cannot be added to Active Directory
Schema modification
–ADPrep: Active Directory preparation tool

Trusts
When a second or subsequent domain is added to a forest:
–Trust relationships automatically added to the parent domain
–Allows child domain users access to parent domain resources
Parent domain users can be granted access to child domain resources
Trusts within a forest: transitive trusts
Each time that you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain.

Global Catalog
Listing of all forest objects
Single-domain forest: includes all domain objects (all forest objects)
Multi-domain forest: includes all objects from each forest domain
–Includes a subset of object properties
Hosted on a domain controller
–At least one GC server required for each domain
Lightweight Directory Access Protocol (LDAP)
–Used to query GC Active Directory information

Organizational Units
Used within a domain to organize objects
Reasons for creating an Organizational Unit (OU)
–Use Group Policy to manage users and computers
–Delegate permissions to administrators to manage a group of user and computer objects
Used to organize objects
–Easier for administrators to manage them

Group Policy
Automates domain user and computer management and administration
Settings created once in a Group Policy object (GPO)
–Linked to a site, domain, or OU
–The linked container becomes the GPO’s scope
GPO settings apply to all users and computers in the GPO scope
Group Policy Management Console (GPMC)
–Primary tool for managing Group Policy
–Two default Group Policies created in each domain
Default Domain Group Policy
Default Domain Controller Group Policy

Site
Group of well-connected computers or well-connected subnets
Example:
–Rooms within a single building connected with a 1-Gb local area network (LAN)
–Second building well connected with a 1-Gb LAN
–Two buildings linked together with a 256-Kb connection
–Each building considered a site
–Two buildings not well connected to each other

Creating a Learning Environment
Lab 60 mins
Use Microsoft’s Virtual PC
Assumes knowledge of Windows Server 2008 installation and how to run DCpromo
Microsoft Virtual PC free download at:
–Search for “Microsoft Virtual PC SP1”
Activity 1-1: Creating a Virtual PC Environment
Activity 1-2: Promoting DC1 to a Domain Controller

Figure 1-2 Starting the Virtual PC console (Courtesy Course Technology/Cengage Learning)

Figure 1-3 Configuring the virtual machine network adapter to Local only (Courtesy Course Technology/Cengage Learning)

Activity 1-2 Promoting DC1 to a Domain Controller (Lab Time 25 minutes)

Understanding Domain and Forest Functional Levels
Functional level applied
–Dictates available capabilities within domains and the forest
As functional levels rise:
–More capabilities added
Cannot raise levels
–Until all domain controllers are running specific versions of Windows Server
Can only raise the forest functional level
–When all domains have reached the same level

Understanding Domain and Forest Functional Levels (cont’d.)
Can only raise the domain functional level
–When all domain controllers are running the appropriate versions of Windows Server
Design plan steps
–Verify all domain controllers are running at least Windows Server 2003
–Raise the domain functional level of each domain in each forest to at least Windows Server 2003
–Raise the forest functional level of each forest to at least Windows Server 2003

Domain Functional Level
Provides different capabilities
Domain functional levels:
–Windows Server 2000 Native
–Windows Server 2003
–Windows Server 2008
–Windows Server 2008 R2
Key concept
–Domain functional levels are directly related to the domain controllers in the domain
Default domain functional level
–Windows Server 2000 Native

Table 1-1 Domain Functional Level Features

Domain Functional Level (cont’d.)
Servers running older server operating systems cannot be promoted to domain controllers
–Once the domain functional level is raised
Windows Server 2008 significant addition
–Fine-grained password and account lockout policies
Activity 1-3: Raising the Domain Functional Level

Figure 1-4 Raising the domain functional level in Active Directory Users and Computers (Courtesy Course Technology/Cengage Learning)

Forest Functional Level Capabilities
Apply to all domains in the forest
–Can be applied when all domains have been raised
Cannot raise the forest functional level
–Until all domains are raised
Example: forest functional level of Windows Server 2008
–Indicates every domain and domain controller in the forest must be running at least Windows Server 2008
Active Directory Domains and Trusts
–Used to raise the forest functional level
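As an added example (not code from the course), the following Python planner applies the two rules above, that a domain's functional level is capped by its oldest domain controller and the forest level by its lowest domain, to a constructed domain controller inventory, and lists the domain controllers that block a target level.

```python
# Added example (not from the course): a small planner that applies the chapter's
# rule that a domain's functional level cannot exceed the oldest Windows Server
# version among its domain controllers, and the forest level cannot exceed the
# lowest domain level. The inventory below is constructed for illustration.
from typing import Dict, List, Tuple

# Functional levels in ascending order, using the chapter's names.
LEVELS = [
    "Windows Server 2000 Native",
    "Windows Server 2003",
    "Windows Server 2008",
    "Windows Server 2008 R2",
]

# Highest functional level each domain controller operating system can support
# (index into LEVELS).
DC_OS_MAX_LEVEL = {
    "Windows 2000 Server": 0,
    "Windows Server 2003": 1,
    "Windows Server 2008": 2,
    "Windows Server 2008 R2": 3,
}

# Constructed inventory: domain -> {domain controller name: operating system}
FOREST = {
    "cengage.com": {"DC1": "Windows Server 2008 R2", "DC2": "Windows Server 2008"},
    "ct.cengage.com": {"DC3": "Windows Server 2003", "DC4": "Windows Server 2008 R2"},
}


def max_domain_level(dcs: Dict[str, str]) -> str:
    """Highest level the domain can be raised to: limited by its oldest DC."""
    if not dcs:
        raise ValueError("a domain needs at least one domain controller")
    return LEVELS[min(DC_OS_MAX_LEVEL[os_name] for os_name in dcs.values())]


def max_forest_level(forest: Dict[str, Dict[str, str]]) -> str:
    """Forest level can only be raised once every domain has reached it."""
    return LEVELS[min(LEVELS.index(max_domain_level(dcs)) for dcs in forest.values())]


def blocking_dcs(forest: Dict[str, Dict[str, str]], target_level: str) -> List[Tuple[str, str, str]]:
    """Domain controllers that must be upgraded or demoted before target_level can be set."""
    needed = LEVELS.index(target_level)
    return [
        (domain, dc, os_name)
        for domain, dcs in forest.items()
        for dc, os_name in dcs.items()
        if DC_OS_MAX_LEVEL[os_name] < needed
    ]


def can_promote(os_name: str, domain_level: str) -> bool:
    """Once a level is raised, older server OS versions cannot be promoted to DCs."""
    return DC_OS_MAX_LEVEL[os_name] >= LEVELS.index(domain_level)


if __name__ == "__main__":
    for domain, dcs in FOREST.items():
        print(f"{domain}: can be raised to {max_domain_level(dcs)}")
    print("forest: can be raised to", max_forest_level(FOREST))
    print("blocking Windows Server 2008:", blocking_dcs(FOREST, "Windows Server 2008"))
```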

Table 1-2 Forest Functional Level Features

Activity 1-4 Raising the Forest Functional Level (15 minutes)

Forest Functional Level Capabilities (cont’d.)
Activity 1-4: Raising the Forest Functional Level
Figure 1-5 Raising the forest functional level in Active Directory Domains and Trusts (Courtesy Course Technology/Cengage Learning)

Designing Active Directory Domains and Forests
Involves determining the forest and domain structure
–Logical structure of Active Directory
Primary questions
–How many forests are needed?
–How many domains are needed?
Single-domain forest (should be considered first)
–Works for the majority of Active Directory designs
–Compared with multiple domains and multiple forests:
Easier to manage and maintain
Reduces potential problems

Autonomy vs. Isolation
Requirements
–Determined by business needs
–Implemented by creating one or more forests
Important points
–Autonomy: provides independent, but not exclusive, resource control
–Isolation: provides independent and exclusive resource control

Autonomy
Independence achieved by:
–Creating separate domains within a forest
Does not provide exclusive control
Service autonomy
–Organization independently manages the service
–Manages a child domain within a forest
Data autonomy
–Organization independently manages the data
–Store all objects in an Organizational Unit (OU)
–Use the Delegation of Control Wizard

Isolation
Achieved by creating a separate forest
–Resource sharing still allowed
Summary
–If part of an organization needs autonomy:
Delegated control over an OU can provide data autonomy
A separate domain in the forest can provide service autonomy
–If complete isolation is required:
Design must include a separate forest

Creating a Separate Forest for a Separate Schema
If extensive schema changes are required for a specific company department or branch
–Create a separate forest for this group
Provides isolation for the group
Limits schema complexities for most of the other users
Schema changes used by the specific group
–Not seen in the primary forest
One-way forest trust used for access to resources in the forest used by the majority of the users

Identifying Bandwidth Requirements for a Forest
Replication within a well-connected site
–Rarely a problem
Replication occurring over a wide area network (WAN)
–Bandwidth consumption raises concerns
–Create two separate forests to eliminate the replication traffic
Replication between domains in a forest
–Less extensive and does not include all domain controllers (only the DCs hosting a GC)

Identifying Domain Requirements
Start the design with a single domain
–Can handle more than 100,000 users
Primary reason to create an additional domain
–Provide service autonomy within a forest
Additional reasons to create separate domains
–Control replication traffic over WAN links
–Protect the root domain (including the Enterprise Admins group and the other accounts and groups in it)

Identifying Domain Requirements (cont’d.)
Microsoft-specific recommendations
–Provide valid starting points
Table 1-3 Maximum Users in a Domain

Activity 1-5 Creating a Forest Trust with Selective Authentication (40 minutes)
Activity 1-6 Configuring DNS to Support the Forest Trust (30 minutes)

Understanding Trusts
Trust relationships
–Automatically created between domains in a forest
–Created between individual domains in different forests or between forests
–Can be one-way or two-way
–Can be transitive or non-transitive

One-way and Two-way Trusts
Users in Domain B (trusted domain) granted access to resources in Domain A (trusting domain)
–Expressed as: Domain A trusts Domain B
If the arrow points both ways (two one-way arrows):
–Two-way trust relationship exists
Figure 1-6 Typical one-way trust relationship (Courtesy Course Technology/Cengage Learning)

Transitive and Non-Transitive Trusts
Non-transitive trust
–Creates an explicit trust relationship between two domains
–Not transferred to any other domains
Transitive trust
–Granted between several domains
–No explicit trust relationships created between the different domains

Figure 1-7 Transitive trusts in a forest (Courtesy Course Technology/Cengage Learning)

Transitive and Non-Transitive Trusts (cont’d.)
Without transitive trusts:
–Explicit trust relationships needed between each domain
Managed in Active Directory Domains and Trusts
Figure 1-8 Viewing a trust in Active Directory Domains and Trusts (Courtesy Course Technology/Cengage Learning)

Creating Trusts Between Forests
Trust relationships between domains in two separate forests
–External trust: non-transitive
–Forest trust: transitive
Forest trusts
–Became available in Windows Server 2003
–Allow the creation of one transitive trust between all domains of the two forests
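Added example (not code from the course): a Python model of the trust rules in the last few slides. Given a constructed topology, it computes which domains' users can be authenticated to resources in a chosen domain, treating in-forest trusts as transitive, external trusts as a single non-transitive hop, and a forest trust as transitive between the two forests but not onward to a third forest.

```python
# Added example (not from the course): compute which domains' users can be
# authenticated for resources in a given domain, applying the chapter's trust
# rules. "A trusts B" means users in B (trusted) reach resources in A (trusting).
# The domains and trusts below are constructed; only cengage.com and ct.cengage.com
# echo names from the chapter's figures.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that grants access to the other domain's users
    trusted: str       # domain whose users are granted access
    kind: str          # "internal": parent-child or tree-root (transitive within a forest)
                       # "forest":   forest trust (transitive across the two forests)
                       # "external": external trust (non-transitive)
    two_way: bool = True


def adjacency(trusts: List[Trust]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each trusting domain to the domains it trusts, one entry per direction."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for t in trusts:
        adj.setdefault(t.trusting, []).append((t.trusted, t.kind))
        if t.two_way:
            adj.setdefault(t.trusted, []).append((t.trusting, t.kind))
    return adj


def trusted_domains(resource_domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose users can be authenticated to resources in resource_domain.

    Rules applied: an external (non-transitive) trust only ever counts as a direct
    hop; internal trusts chain freely; a forest trust may appear at most once in a
    chain, so a forest trusted by a trusted forest is not itself trusted.
    """
    adj = adjacency(trusts)
    reachable: Set[str] = set()
    seen = {(resource_domain, 0)}
    queue = deque([(resource_domain, 0, 0)])  # (domain, forest trusts crossed, hops)
    while queue:
        domain, crossed, hops = queue.popleft()
        for nxt, kind in adj.get(domain, []):
            if kind == "external":
                if hops == 0:          # usable only directly from the resource domain
                    reachable.add(nxt)
                continue
            crossed_next = crossed + (1 if kind == "forest" else 0)
            if crossed_next > 1 or (nxt, crossed_next) in seen:
                continue
            seen.add((nxt, crossed_next))
            reachable.add(nxt)
            queue.append((nxt, crossed_next, hops + 1))
    reachable.discard(resource_domain)
    return reachable


# Constructed topology: a two-tree forest (cengage.com, ct.cengage.com, coursetech.com,
# sales.coursetech.com), a one-way external trust to partner.local, a forest trust to
# ctforest.local (with child dev.ctforest.local), and a third forest other.example
# that only ctforest.local has a forest trust with.
TRUSTS = [
    Trust("cengage.com", "ct.cengage.com", "internal"),
    Trust("cengage.com", "coursetech.com", "internal"),
    Trust("coursetech.com", "sales.coursetech.com", "internal"),
    Trust("cengage.com", "partner.local", "external", two_way=False),
    Trust("cengage.com", "ctforest.local", "forest"),
    Trust("ctforest.local", "dev.ctforest.local", "internal"),
    Trust("ctforest.local", "other.example", "forest"),
]

if __name__ == "__main__":
    for dom in ("sales.coursetech.com", "cengage.com", "partner.local", "other.example"):
        print(dom, "trusts:", sorted(trusted_domains(dom, TRUSTS)))
```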

Choosing the Authentication Method
Forest-wide authentication
–Windows automatically authenticates users in other forests, allowing resource access in the local forest
–Users still must be granted access to resources
–No restriction on which users can be granted access
Selective authentication
–Prevents automatic authentication of users in the other forests
–Allowed To Authenticate permission required

Figure 1-9 Choosing the trust authentication level (Courtesy Course Technology/Cengage Learning)

Choosing the Authentication Method (cont’d.)
Forest-wide authentication
–Any user can be authenticated
–Use only if the organization implicitly trusts the other organization
Activity 1-5: Creating a Forest Trust with Selective Authentication
Activity 1-6: Configuring DNS to Support the Forest Trust

Granting Access to Users in Another Forest
Figure 1-11 Selecting users from another forest (Courtesy Course Technology/Cengage Learning)

Granting Access to Users in Another Forest (cont’d.)
Once a forest trust is created
–Can grant access to resources in one domain to users in another domain
Once the other domain is selected as the location
–Users in the other domain can be located and granted access to the resource
Same procedure used for forest-wide authentication or selective authentication
–Selective authentication requires an additional step

Implementing Selective Authentication
Implementing selective authentication on a forest trust
–Requires the Allowed to Authenticate permission on each server or computer where access is granted
–Accomplished through Active Directory Users and Computers
Activity 1-7: Granting the Allowed to Authenticate Permission

Figure 1-12 Granting the Allowed to Authenticate permission to the Domain Admins group in a trusted domain (Courtesy Course Technology/Cengage Learning)

Using ADPrep
Command-line tool available in the installation DVD Sources\ADPrep folder
–Must be run with elevated permissions
Needed if the forest started with servers other than Windows Server 2008
Three major switches
–/ForestPrep
–/DomainPrep
–/RODCPrep

Preparing the Forest
ADPrep /ForestPrep command
–Modifies the forest schema
–Run on the server currently hosting the schema operations master role
–Requires membership in each of the following groups:
Enterprise Admins group
Schema Admins group
From the installation DVD, run:
–D:\Sources\ADPrep\ADPrep /ForestPrep
–Provide time for replication

Preparing a Domain
Run the ADPrep /DomainPrep command after ADPrep /ForestPrep
Run on the server holding the infrastructure operations master role
–Must be a Domain Admins group member
–Needs a command prompt with administrative permissions
After the command runs:
–Can promote Windows Server 2008 and Windows Server 2008 R2 servers to domain controllers
Can also run ADPrep /DomainPrep /GPPrep

Preparing for RODCs
Run the ADPrep /RODCPrep command
Required even if the first domain controller in the forest was created on a Windows Server 2008 or Windows Server 2008 R2 server
Can be run on any domain controller in the forest
Only needs to be run once
Must be a member of the Enterprise Admins group to run this command

Migration Strategies
Reasons for redesign:
–Accommodate an organization restructure
–Reflect changes in the organization’s physical layout
–Reduce organization complexity by reducing the number of domains or forests
Factors affecting the upgrade or migration
–Time constraints
–Resource availability
–Funding
–Application compatibility

Active Directory Migration Tool (ADMT)
Migrates objects from one domain to another
–Within the same forest or between different forests
Objects commonly migrated:
–Users, computers, groups
Current ADMT version: version 3.1
–Free copy available at Microsoft’s download site
ADMT source: the domain the accounts are migrating from
ADMT destination: the domain the accounts are migrating to

ADMT Versions Needed for Different Functional Levels
Functional level required for the target domain:
–Windows Server 2000 Native
–Windows Server 2003
–Windows Server 2008 (ADMT 3.1 or later)
Cannot migrate objects from a Windows 2000 mixed domain functional level
–Must remove or upgrade NT 4.0 domain controllers, then raise the domain functional level
–Can also use ADMT v3.0 to migrate objects from NT 4.0 domains

Interforest and Intraforest Migration
Interforest migration
–Objects migrated between domains in separate forests
Intraforest migration
–Objects migrated between domains in the same forest
Table 1-4 Comparison of Interforest and Intraforest Migrations

Understanding and Using SID History
Security identifier (SID)
–Uniquely identifies a domain/forest object
–Created when the object is created
–Used to grant access to objects in the domain
Discretionary Access Control List (DACL)
–Controls access to any domain resource

Figure 1-13 Viewing SIDs in a DACL (Courtesy Course Technology/Cengage Learning)

Understanding and Using SID History (cont’d.)
Implementing SID history
–Allows importing of the original SID when importing the account
–Users retain access to data and resources
ADMT supports SID history retention
–An account can carry multiple SIDs, included in its SID history

Using SID Filtering
Used when SID history presents a security risk
–If an attacker obtains SID history data:
The attacker can assign these SIDs to the SID history attribute of accounts he creates in his own domain
The new accounts then have access to resources based on the SIDs listed in SID history
Also referred to as SID filter quarantining
Risk prevention
–Blocks the use of any SIDs not originating in the same domain

Using SID Filtering (cont’d.)
Disable SID filtering
–Run the Netdom command on the trusting domain
Requires a command prompt with elevated permissions
Requires a Domain Admins or Enterprise Admins group account member
Netdom trust /domain: /quarantine:No /userD: /passwordD:
–Use only after careful consideration

Figure 1-14 One-way trust between Cengage and CT (Courtesy Course Technology/Cengage Learning)

Using SID Filtering (cont’d.)
Activity 1-8: Verifying SID Filtering Status
Figure 1-15 Disabling SID filtering (Courtesy Course Technology/Cengage Learning)
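Added example (not code from the course): a Python simulation of what SID filtering does to the SIDs a trusted domain presents across a trust, so the risk described above (a SID history entry that names a privileged group of the trusting domain) can be compared with filtering quarantined, with the forest-trust default, and with filtering disabled as the Netdom command does. All domain SIDs, RIDs and DACLs are constructed; the "forest" mode generalises beyond the slides to the forest-trust case.

```python
# Added example (not from the course): simulates what SID filtering does to the
# SIDs presented across a trust, so the risk the chapter describes (a SID history
# entry pointing at a high-privilege group in the trusting domain) can be seen
# with filtering on and off. All SIDs and DACLs below are constructed.
from typing import Iterable, List, Set

DOMAIN_SID_PREFIX = "S-1-5-21-"


def domain_part(sid: str) -> str:
    """Return the domain identifier of a domain SID: 'S-1-5-21-a-b-c-RID' -> 'S-1-5-21-a-b-c'.

    Well-known SIDs such as S-1-1-0 or S-1-5-11 are not domain SIDs; '' is returned for them.
    """
    if not sid.startswith(DOMAIN_SID_PREFIX):
        return ""
    return sid.rsplit("-", 1)[0]


def filter_sids(sids: Iterable[str], trusted_domain_sid: str,
                trusted_forest_sids: Set[str], mode: str) -> List[str]:
    """Apply SID filtering as a domain controller in the trusting domain would.

    mode "quarantine": only SIDs from the trusted domain itself pass (Netdom /quarantine:Yes).
    mode "forest":     SIDs from any domain of the trusted forest pass (forest trust default).
    mode "off":        nothing is filtered (Netdom /quarantine:No); SID history from other
                       domains works, and so does a forged entry.
    Simplification (assumption): non-domain SIDs are passed through unchanged.
    """
    if mode not in ("quarantine", "forest", "off"):
        raise ValueError(f"unknown mode {mode!r}")
    kept: List[str] = []
    for sid in sids:
        dom = domain_part(sid)
        if mode == "off" or dom == "":
            kept.append(sid)
        elif mode == "quarantine" and dom == trusted_domain_sid:
            kept.append(sid)
        elif mode == "forest" and dom in trusted_forest_sids:
            kept.append(sid)
    return kept


def access_granted(token_sids: Iterable[str], dacl_allow: Set[str]) -> bool:
    """A resource's DACL grants access if any SID in the (filtered) token is listed."""
    return any(sid in dacl_allow for sid in token_sids)


# Constructed identifiers: CENGAGE is the trusting domain, CT the trusted one, and OLD a
# decommissioned domain in CT's forest whose SIDs live on only in SID history.
CENGAGE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CT_SID = "S-1-5-21-4444444444-5555555555-6666666666"
OLD_SID = "S-1-5-21-7777777777-8888888888-9999999999"

# Token as presented by CT for one user: the user's own SID, one CT group, the Everyone
# SID, a legitimate SID history entry from OLD, and one SID history entry that claims
# membership of CENGAGE's Domain Admins (RID 512).
TOKEN = [CT_SID + "-1105", CT_SID + "-1200", "S-1-1-0", OLD_SID + "-1050", CENGAGE_SID + "-512"]

ADMIN_DACL = {CENGAGE_SID + "-512"}             # resource reserved for CENGAGE Domain Admins
LEGACY_DACL = {OLD_SID + "-1050"}               # resource still listing the old domain's group
SHARED_DACL = {CT_SID + "-1200"}                # resource explicitly granted to a CT group

if __name__ == "__main__":
    for mode in ("quarantine", "forest", "off"):
        kept = filter_sids(TOKEN, CT_SID, {CT_SID, OLD_SID}, mode)
        print(f"{mode:10} kept={kept}")
        print(f"{'':10} admin={access_granted(kept, ADMIN_DACL)} "
              f"legacy={access_granted(kept, LEGACY_DACL)} shared={access_granted(kept, SHARED_DACL)}")
```

With the trust quarantined only the CT SIDs survive, so the forged Domain Admins entry does nothing but the legitimate OLD entry is lost as well, which is the trade-off behind the "use only after careful consideration" advice.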

Using Alternative UPN Suffixes
User Principal Name (UPN)
–Allows a user to log on with an account name that looks like an e-mail address
May create alternative UPN suffixes
–Assign these to users in the domain
Activity 1-9: Creating an Alternative UPN Suffix

Figure 1-16 Creating an alternative UPN suffix (Courtesy Course Technology/Cengage Learning)

Figure 1-17 Assigning an alternative UPN suffix to a user account (Courtesy Course Technology/Cengage Learning)

Installing the ADMT
Install and run ADMT v3.1 on a Windows Server 2008 domain controller
–In the target domain
–Previous ADMT versions on this domain controller should be uninstalled first
Activity 1-10: Installing ADMT (20 minutes)

Enabling SID History for ADMT
Steps:
–Create a domain local group in the source domain named NetBIOSDomainName$$$
–Modify the registry of the PDC emulator in the source domain
Create a DWORD value named TcpipClientSupport in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA subkey
Set the value to 1

Enabling SID History for ADMT (cont’d.)
Steps (cont’d.):
–Enable Success and Failure auditing for Account Management in the Default Domain Controller Policy of both the source and target domains
–Install and configure the Password Export Server (PES) service tool

Running ADMT
After installing ADMT v3.1
–Migration process can begin
Requires a trust relationship between the source and target domains
Trust examples:
–Trust between two domains in the same forest: can be a direct parent-child trust or a transitive trust
–External trust between two domains in different forests
–Forest trust between two separate forests
Activity 1-11: Running a Test Migration with ADMT

Figure 1-18 Selecting Group Account Migration (Courtesy Course Technology/Cengage Learning)

Figure 1-19 Completing the source and target domain selections (Courtesy Course Technology/Cengage Learning)

Figure 1-20 Successfully migrating a group (Courtesy Course Technology/Cengage Learning)

Activity 1-11 Running a Test Migration with ADMT (30 minutes)

Summary
Active Directory basics
–Tree, forest, schema, trusts, global catalog, Organizational Unit, Group Policy, site
Domain and forest functional levels
–Dictate available features
Design considerations
–Autonomy and isolation, separate forests, bandwidth requirements, domain requirements
Active Directory Preparation (ADPrep) tool

Summary (cont’d.)
Trusts
–One-way and two-way trusts, transitive and non-transitive trusts, trusts between forests
Authentication methods
–Forest-wide and selective authentication
Migration considerations
–Active Directory Migration Tool (ADMT)
–Interforest and intraforest migration
–SID history and SID filtering
–Using the Netdom command