Title: windows server 2008 r2
Description: Welcome to Windows Server 2008 Active Directory.........
9/24/2008
Welcome to Train Signal
Train Signal, Inc
...
Coach Culbertson
In this video:
• About Your Instructor and Train Signal
• Overall Scope of the Course
• What’s Covered in this Course
• The Globomantics Scenario
• What We’ll Build in this Course
About Your Instructor and Train Signal
...
What’s on the hit parade for this one, Coach? Can we dance to it?
...
The First Two Domain Controllers
...
Creating Organizational Units, User and Computer Accounts, and Groups
...
Get Your Control Freak On!
...
How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk
...
Passing the Buck
...
Monitoring, Auditing, and Defragging
...
How To Give People Access to Stuff That’s 790 Miles Away
...
Bringing an OU and Users Back from the Dead
What’s Covered in this Course
...
What Do You Do When A Domain Controller Blows Up?
...
Connecting the Continents
...
DNS Stuff
...
Active Directory Lightweight Directory Services 101
...
Here’s the story about a man named Hank…
You are the newly hired Systems Administrator for a new startup company called Globomantics, a stock brokerage
...
You’ll have the rare opportunity to build out the corporate network, specifically Active Directory, for Globomantics, including:
– The Main Office in New York
– The Chicago Office
– The Dallas Branch Office
– And melding networks with a small company in Tokyo, Verde Petra, which Hank will buy out
...
We’ll start with this…
What We’ll Build in this Course
...
Are You Ready?
C’mon, Let’s Go!
In this video:
• What is Active Directory and Why Should I Care?
• What is a Domain Controller?
• What is a Domain?
• What is a Server Role?
• What is DNS?
What is Active Directory and Why Should I Care?
...
• It’s a database that keeps track of a huge amount of stuff and gives us a centralized way to manage all our network machines, users, and resources
...
[Diagram: Users and Groups, and Resources (Printers, Shared Folders, etc.); we say that these items are Objects in the Active Directory Database]
As a matter of fact…
...
Here ya go!
[Diagram: a Domain Controller holding the Active Directory Database]
What is a Domain Controller?
...
• Think of it as the Boss of your network
...
[Diagram: three Domain Controllers, each holding its own copy of the Active Directory Database]
What is a Domain?
...
• The machines are all named with part of a Domain name like globomantics ... com
...
[Diagram: client machines CL1 and CL2 named under the globomantics ... com domain]
You’ll often see Domains represented like this:
[Diagram: the globomantics ... com domain]
Your Forest may only have one domain!
What is a Domain?
...
• Example: Your email address is part of a domain namespace:
– hrichardson@globomantics
...
What is a Server Role?
...
• A Server Role is a major job that a Server can perform
...
Domain Name System (DNS) is your friend
• DNS is a service provided by a Server that allows you to find other computers in your network
...
• Without DNS, Active Directory will not work: domain members find their Domain Controllers by looking up SRV records in DNS, so a missing or broken zone means nobody can log on
...
• In Server 2008, it’s recommended that you integrate DNS with Active Directory to make your IT life easier: an Active Directory-integrated zone is stored in the directory, replicates with it to every DC that runs DNS, and can be set to accept only secure dynamic updates, so only authenticated domain members can register or change records
...
After watching this video, you should be able to:
• Define briefly what Active Directory is
• Describe the three primary types of Objects that Active Directory provides
• Describe what happens when you log in to an Active Directory network
• Define what a Domain Controller is
• Describe a Forest
• Describe a Domain
• Define briefly what a Server Role is
In this video:
• Building the Brain of the Globomantics Network
• Quick Server 2008 Requirements and Editions Check
• The Bare Metal Installation Process
• The Initial Configuration Task List
• Installation of Active Directory Domain Services
• Setting up a Second Domain Controller
• Can We Talk? Replication Testing
Building the Brain of the Globomantics Network
...
Here’s your hardware and what we’re going to build
...
[Diagram: 168 ... 2; NY-DC2-2K8 (3GHz 64-bit CPU, 4GB RAM, 2 x 120GB HDDs, Gigabit NIC), IP:192 ... 5 ... com; this Domain Controller will join the Domain globomantics ... com]
If one crashes, we have another!
Building the Brain of the Globomantics Network
...
[Diagram: Forest Root Domain globomantics ... com, New York Site; NY-DC1-2K8, IP:192 ... 5 ... 168 ... 3]
The Big Picture
...
[Diagram: globomantics ... com (New York Site); na ... com (Chicago Site); asia ... com (Tokyo Site)]
Quick Server 2008 Editions and Requirements Check
...
microsoft ... aspx
Component: Processor
Requirement: Minimum: 1 GHz (x86 processor) or 1 ...
Which Edition of Server 2K8 should we use for our first two DC’s?
http://www ... com/windowsserver2008/en/us/editions ...
Edition | What it’s for | Price | Max RAM for 32-bit | Max RAM for 64-bit
... | You don’t need me to explain this ... | $469 | 4GB | 32GB
Itanium | For high-end web/application servers; when you need to run super powered databases or high end applications | $2,999 | N/A | 2TB
...
Quick Server 2008 Editions and Requirements Check
...
Enterprise Edition 64-bit!
• We select Enterprise 64-bit for its ability to handle up to 2TB of Memory and a complete set of features for future growth (and we have the $$$)
...
The Bare Metal Installation Process
...
• Bare Metal is the simplest installation possible (and is recommended by Microsoft as the preferred method): pop in the DVD and boot up!
• For Globomantics, we’ll be doing two bare metal installations of Server 2008 64-bit Enterprise edition
...
Our hardware is set up and plugged in to the power and the network switch, so let’s go!
The Initial Configuration Task List
...
It groups together all the common tasks that you have to set up in one convenient place
...
168 ... 2 and an initial DNS server
...
Installation of Active Directory Domain Services
...
Installing the AD DS Role
...
Running DCPromo
...
• Installing the AD DS Role is done from Server Manager using Add Roles. That only puts the binaries on the box; the server becomes a Domain Controller (and, for the first one, creates the forest and its root domain) when you run dcpromo afterwards
...
Building the Brain of the Globomantics Network
...
[Diagram: Forest Root Domain globomantics ... com, New York Site; NY-DC1-2K8, IP:192 ... 5; 168 ... 2; NY-DC2-2K8, IP:192 ... 5]
The first password you create is the Local Administrator only for this one Server! Once dcpromo has made it the first DC, that same account becomes the domain’s Administrator, and dcpromo also asks for a separate Directory Services Restore Mode password: write that one down and guard it, because it is the only account that can log on to the DC when Active Directory itself is not running
So we now have a functional DC and Domain!
Everything we’ve just done again, only faster this time
[Diagram: NY-DC1-2K8, IP:192 ... 5 ... com, and NY-DC2-2K8, IP:192 ... 5 ... 168 ... 3 (3GHz 64-bit CPU, 4GB RAM, 2 x 120GB HDDs, Gigabit NIC), both on the Network Switch with an Internet T-1 connection; this Domain Controller will join the Domain globomantics ... com]
• We now need to set up our second DC, so here we go again:
1 ...
2 ...
3 ...
4 ...
...
Our new DC’s need to be friends
• DC’s need to be able to talk and keep duplicate records in their respective databases. That’s replication: every DC holds a writable copy of the domain, so a change made on either one is sent on to the other
...
[Diagram: NY-DC1-2K8 and NY-DC2-2K8 on the Network Switch. DC1: “Hey, the admin just added three OU’s, four user accounts, and renamed one of the old user accounts ...” DC2: “Here’s the changes I’ve received ...”]
Replication: Can we talk?
...
Create a new Organizational Unit in Active Directory Users and Computers on either DC
...
Go to the command line and type repadmin /syncall (add /A to sync every partition and /e to include partners in other sites)
...
Check the other DC’s Active Directory Users and Computers to see if the Organizational Unit also shows up there as well
...
You might need to hit F5 to Refresh the screen to see the new items in the Server Manager
Best Friends Forever!
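The same test as a script, added here as an example that is not part of the course. It assumes the domain’s distinguished name is dc=globomantics,dc=com (only the hostnames NY-DC1-2K8 and NY-DC2-2K8 are legible on the page) and runs from an elevated PowerShell prompt on a machine that has the AD DS command-line tools (dsadd, dsquery, dsrm, repadmin), such as either DC.

```powershell
# Added example, not from the course. Creates a throwaway OU on one DC, forces
# replication, checks that it appears on the other DC, then deletes it.
# Assumed names: NY-DC1-2K8, NY-DC2-2K8 and dc=globomantics,dc=com.
param(
    [string]$SourceDc = 'NY-DC1-2K8',
    [string]$TargetDc = 'NY-DC2-2K8',
    [string]$DomainDn = 'dc=globomantics,dc=com'
)

$testOu = "ou=ReplTest-$(Get-Date -Format yyyyMMddHHmmss),$DomainDn"

# 1. Create the OU on the source DC only; -s pins the command to one server.
& dsadd ou $testOu -s $SourceDc | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsadd failed on $SourceDc" }

# 2. Push the change out. /A = every partition, /e = partners in all sites,
#    /P = push from the source instead of the default pull, /q = quiet.
& repadmin /syncall $SourceDc /A /e /P /q
if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin /syncall reported errors; see the output above" }

# 3. Replication is asynchronous, so poll the target DC. A base-scope dsquery
#    on the OU's DN prints the DN when it exists and fails when it does not.
$found = $false
for ($try = 1; $try -le 12 -and -not $found; $try++) {
    $hit = & dsquery ou $testOu -scope base -s $TargetDc 2>$null
    if ($LASTEXITCODE -eq 0 -and $hit) { $found = $true } else { Start-Sleep -Seconds 5 }
}

if ($found) {
    Write-Host "OK: $testOu replicated from $SourceDc to $TargetDc"
} else {
    Write-Warning "$testOu has not appeared on $TargetDc after 60 seconds"
    # Last attempt time, result and partner for every partition on the target.
    & repadmin /showrepl $TargetDc
}

# 4. Remove the test object; the deletion replicates the same way.
& dsrm $testOu -noprompt -s $SourceDc | Out-Null
```

If the OU never shows up, the repadmin /showrepl output names the partner and the error for each partition; a DNS or time-skew problem between the two DCs is the usual cause on a fresh build.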
Building the Brain of the Globomantics Network
...
[Diagram: Forest Root Domain globomantics ... com; NY-DC1-2K8, IP:192 ... 5 ... 168 ... 3]
Terms You Should Know
...
• Upgrade Installation—Installing Server 2008 on a machine already running Server 2003
...
• DCPromo ...
...
• NTDS.dit—The database file for Active Directory
...
What We Covered
...
Describe basic differences between versions of Server 2008
...
Perform a Bare Metal Installation of Server 2008
...
After viewing this video, you should be able to:
Use the Initial Configuration Task List to:
– Configure Time and Date
– Rename a Machine
– Configure a Static IP Address and DNS for Networking
– Configure Automatic Updates and Feedback
Install the Active Directory Domain Services Role
...
Force two Domain Controllers to replicate using repadmin /syncall
...
Video 4
Setting Up Remote Desktop on Your Personal Vista Client
Because you don’t want to have to go into the Server Room every time you need to do something
Setting up Remote Desktop on Your Vista Client
...
In this video:
• The DC’s Are Up And Running ... Now What?
• Why Remote Desktop Is Just Great
Time to set up our Vista Client so we can access the servers remotely
• You have a Vista machine that you’ll be using for everyday tasks, and you can use Remote Desktop to administer Servers without having to be right at the machine
...
Your mission: Add the Client
...
• You first need to rename the client machine to fit the Globomantics naming convention
...
• Then you’ll join the client to the Globomantics Domain
...
Why get out of your comfy office chair to go do Server stuff when you can do it from your desk?
• Once we have Remote Desktop set up, you can access your Servers just like you’re at the machine. Because a Domain Controller has no local accounts of its own, anyone you let in over Remote Desktop is logging on with a domain account that is allowed to sit at the DC’s console; keep that to your administrators, turn on Network Level Authentication (Vista supports it), and don’t open the Remote Desktop firewall rule to the whole network when one admin workstation will do
...
• You’re going to create 2 Remote Desktop shortcuts on the Desktop so you can get to DC1 and DC2 easily
...
This is what our network looks like:
[Diagram: globomantics ... 168 ... 2; NY-DC2-2K8, IP:192 ... 5]
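An added example (not course material) of the Remote Desktop setup with the checks above. Enable-DcRemoteDesktop is meant to run, elevated, on each DC; New-DcRdpShortcut runs on the Vista client. The admin workstation address 192.168.5.50 is invented (the page’s own addresses are only partly legible), and the firewall rule name is the one Windows Server 2008 ships with.

```powershell
# Added example, not from the course. Part 1 runs on each DC (elevated);
# part 2 runs on the Vista client. 192.168.5.50 is a made-up admin workstation.

function Enable-DcRemoteDesktop {
    param([string]$AdminWorkstation = '192.168.5.50')
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Allow connections, but require Network Level Authentication: the client
    # must prove who it is before a session (and the logon screen) is created.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

    # Open the built-in rule to the admin workstation only, not to "any".
    & netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=yes remoteip=$AdminWorkstation

    # On a DC the right to log on through Terminal Services is granted to
    # Administrators by the Default Domain Controllers Policy; Remote Desktop
    # Users should stay empty. Print it so an unexpected member gets noticed.
    & net localgroup "Remote Desktop Users"
}

function New-DcRdpShortcut {
    param([string[]]$Servers = @('NY-DC1-2K8', 'NY-DC2-2K8'))
    $desktop = [Environment]::GetFolderPath('Desktop')
    foreach ($server in $Servers) {
        # Plain-text .rdp settings that mstsc understands: always prompt for
        # credentials (no saved password), warn if the server's identity can't
        # be verified, and no drive redirection into a DC session.
        $lines = @(
            "full address:s:$server",
            'prompt for credentials:i:1',
            'authentication level:i:2',
            'redirectdrives:i:0',
            'redirectclipboard:i:1'
        )
        $file = Join-Path $desktop "$server.rdp"
        $lines | Set-Content -Path $file -Encoding ASCII
        $file
    }
}

# Enable-DcRemoteDesktop     # run on NY-DC1-2K8 and on NY-DC2-2K8
# New-DcRdpShortcut          # run on the Vista client
```

The two registry values are exactly what the System Properties dialog writes when you pick “Allow connections only from computers running Remote Desktop with Network Level Authentication”; scripting them just makes the setting repeatable on the second DC.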
After viewing this video, you should be able to:
Join a Vista Client to a Domain
Create Remote Desktop Shortcuts
Log in to a Server using Remote Desktop
In this video:
• The DC’s Are Up and Running ... Now What?—Part 2
...
• We have the “Brain” of the Globomantics network, but it’s not particularly usable yet
...
• We’ll be accessing DC1 via Remote Desktop to add in all of our objects, and let replication add them to DC2
...
Now What?
...
[Diagram: Forest Root Domain globomantics ... com: 4 Groups for Users, 2 Groups for Computers, 2 Computer Accounts (the other 23 are on back order); the Domain Administrator Account is already created]
What’s an OU Again?
...
[Diagram: an OU holding a User Group, a User Account, a Computer Group and a Computer Account]
• OU’s help to keep your Objects organized, but also are used to control what your Users can and can’t do (among other things)
...
– Right-click on the Domain icon, Select New, and then Organizational Unit
...
Open up Notepad
2 ...
3 ...
... bat somewhere convenient
...
Open up a Command Line box, navigate to the directory where you saved it, and type addou WhateverNameYouWant
...
Keep It Simple, Sysadmin!
... and a billion other ways! But remember to KISS as much as you’re able to!
How About Some Users!
...
[Diagram: Stock Broker Billy logs in with his User Name and Password (“Time to make some money! Give me access to stuff!”); the request to log on is sent to NY-DC2-2K8, which looks up Stock Broker Billy’s User Account (“Hold up there, Billy ... Yep, I found it, and it’s all good”) and replies “Access granted”]
How About Some Users!
...
Here they are:
Hank Richardson, Melanie Halal, Joshua Hartson, Bill Altman, Steve Singer, Frieda Smith, William Switzer, Michael Barber, George Gibbs, Jennifer Owens, Bradley Stewart, Caroline Tooley, Paula Turk, Christina Winger, Michael Huntt, Lance Binga, Bill Mosher, Carol Reagan, Shirley Thomas, Jerry Watts, Alana Childs, Erin Rose, Todd Booth, Chika Briscoll, Rivena Martin, Kim Neff
• Are you serious? Are we going to right click for these 25 users?
How About Some Users!
...
DSADD!
• Dsadd is a command-line tool that will allow you to create users from the keyboard. The quoted string it takes (cn=…, ou=…, dc=…) is called the Distinguished Name of the object
...
Let’s Do It Fast And Easy!
Open Up Notepad and Type:
    dsadd user "cn=%1, ou=OUName, dc=YourDomain, dc=YourSuffix" -fn %2 -ln %3 -pwd P@ssw0rd -mustchpwd yes
– Save it as addOUName.bat
– Open up a command line, navigate to the directory where the script lives, and type:
    addOUName tmiller Tonia Miller
(tmiller replaces %1, Tonia replaces %2, Miller replaces %3)
– Every account made this way starts with the same, well-known password. -mustchpwd yes forces a change at first logon, but until that logon happens anyone who knows the convention can use the account. Add -disabled yes and enable each account on the person’s start date, or give each one its own random initial password
Creating a Whole Bunch of Users At Once
...
• It’s even included with this course! Man, that Coach is a great guy!
Who Let The Computers In Here?
...
A computer without an Account in AD can’t take part in the domain—it’s a security thing: the computer account has a password of its own, which is how the DC authenticates the machine itself and not just the person sitting at it
...
• After Joining the Domain, you’ll have to move your Computer Accounts to the appropriate OU: a freshly joined machine lands in the default Computers container, and Group Policy can’t be linked there
...
Who let the Computers In Here?
...
You have exactly two Vista machines (since all the rest are on backorder) to use to test out your Active Directory
...
Join your other machine to the Domain and then move them to the NYComputers OU
...
The Difference between OU’s and Groups
...
Here’s the difference:
– OU’s keep your objects organized and are used to control what users and computers can and can’t do (Group Policy and delegation are scoped to OU’s; you can’t put an OU on a folder’s permissions list)
...
– Groups live in OU’s, and it’s groups, not OU’s, that show up in the permissions on folders and printers (and you can’t link a Group Policy Object to a group)
...
OU’s can be used to control what a User Can Do
[Diagram: Yes, all these users can: save docs to their desktops; lock or hide the Taskbar. No, these users may not: change the Desktop Wallpaper; install software]
The Difference Between OU’s and Groups
...
How to Create Groups
• Create Groups either from Active Directory Users and Computers (again the whole Right-Click in an OU thing) or from the command line:
    dsadd group "cn=GroupName, ou=OUName, dc=YourDomain, dc=YourSuffix"
– Make it easy: add in a %1 for GroupName, add in a %2 for OUName, save it as a batch script
...
• Join Users to Groups in Active Directory Users and Computers by Control-Clicking on a bunch of Users, right-click on any one of the selected, and select Add to Group
...
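How the dsadd user script and the dsadd group command above fit together, as an added example that is not the course’s own script. It assumes the domain is globomantics.com with the NYUsers OU, PowerShell 2.0 or later, and the AD command-line tools on the path. The $people list is constructed input: Hank Richardson and Lance Binga appear on the page (as hrichardson and LBinga), the rest are made up and include a deliberate logon-name clash.

```powershell
# Added example, not from the course. Creates the NYUsers groups, then users
# from a CSV-style list with unique logon names, a random initial password per
# person, and the account disabled until they start. Assumes globomantics.com.
$domainDn  = 'dc=globomantics,dc=com'
$upnSuffix = 'globomantics.com'
$usersOu   = "ou=NYUsers,$domainDn"

# Constructed sample input (two of these names are on the page, the rest invented).
$people = @'
First,Last,Group
Hank,Richardson,Executives
Lance,Binga,SalesUsers
Bill,Altman,SalesUsers
Bob,Altman,OpsUsers
'@ | ConvertFrom-Csv

function New-InitialPassword([int]$Length = 16) {
    # Random characters from a crypto RNG; loop until all four classes appear
    # so the default domain complexity rule accepts it. No '-' in the set,
    # so a password can never be mistaken for a dsadd switch.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+=?'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d' -and $candidate -match '[^A-Za-z0-9]')
    return $candidate
}

function Get-UniqueLogonName([string]$First, [string]$Last, [hashtable]$Taken) {
    # First initial + last name, lower-case, letters and digits only, short enough
    # to stay under the 20-character SAM account name limit with a suffix. A clash
    # in this batch or in the directory (dsquery prints the DN when the name
    # exists) gets a numeric suffix: baltman, baltman2, ...
    $base = (($First.Substring(0, 1) + $Last).ToLower() -replace '[^a-z0-9]', '')
    if ($base.Length -gt 18) { $base = $base.Substring(0, 18) }
    $name = $base; $n = 1
    while ($Taken.ContainsKey($name) -or (& dsquery user -samid $name 2>$null)) {
        $n++; $name = "$base$n"
    }
    $Taken[$name] = $true
    return $name
}

# Groups first, so -memberof below has something to point at (skip ones that exist).
foreach ($g in 'Executives', 'SalesUsers', 'SalesManagers', 'OpsUsers', 'OpsManagers', 'ITUsers') {
    $groupDn = "cn=$g,$usersOu"
    if (-not (& dsquery group $groupDn -scope base 2>$null)) {
        & dsadd group $groupDn -secgrp yes -scope g | Out-Null
    }
}

$taken = @{}
$results = foreach ($p in $people) {
    $logon = Get-UniqueLogonName $p.First $p.Last $taken
    $fullName = "$($p.First) $($p.Last)"
    $cn = $fullName -replace '([,+"\\<>;=#])', '\$1'     # escape characters that are special in a DN
    $initialPwd = New-InitialPassword
    & dsadd user "cn=$cn,$usersOu" -samid $logon -upn "$logon@$upnSuffix" `
        -fn $p.First -ln $p.Last -display $fullName `
        -memberof "cn=$($p.Group),$usersOu" `
        -pwd $initialPwd -mustchpwd yes -disabled yes | Out-Null
    New-Object PSObject -Property @{
        Logon = $logon; Name = $fullName; Group = $p.Group
        Created = ($LASTEXITCODE -eq 0); InitialPassword = $initialPwd
    }
}

# Hand each password to its owner over a safe channel, then enable the account
# on their start date:   dsmod user "<user DN>" -disabled no
$results | Format-Table Logon, Name, Group, Created, InitialPassword -AutoSize
```

Passing -pwd on the command line means the password is briefly visible to anyone who can list process command lines on the DC; for a one-off batch run by an administrator that is an accepted trade-off, and it is still far better than twenty-five accounts that all open with P@ssw0rd.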
Globomantics Group Structure
• Your user accounts are created and living happily in their OU’s
...
• You’ll add 4 Groups for Users in the NYUsers OU and 2 Groups for Computers in the NYComputers OU
...
And then ...
• Also, you’ll add your Vista machine, CL1-NYVIS, to the ITComputers Group, and CL2-NYVIS to the StandardComputers Group for testing
...
Here’s some IT vocabulary you need to know:
• User Account—An Active Directory Object that allows Users to access network resources
...
• Organizational Unit—An Active Directory Object that provides a place for User Accounts, Computer Accounts, and Groups to live
...
• Group—An Active Directory Object that allows or denies access to network resources (like folders and printers) for Users and Computers
...
• Batch Script—A text file containing commands that has a ...
• Distinguished Name—The name of an Object as it appears in the Active Directory Database
...
This is what our network looks like now
globomantics ...
After viewing this video, you should be able to:
Create Organizational Units and Groups in Active Directory Users and Computers
Create User Accounts:
– In Active Directory Users and Computers
– Using the dsadd command line tool
– Using a batch script
Create a bunch of User Accounts using a Batch Script made with Coach’s Excel Sheet User Batch Script Creator
Add a Computer Account by joining a Vista client to the Domain
...
What We Covered
...
Move Active Directory Objects to different OU’s
Now that we have some OU’s, User Accounts and Groups, we’ll start using those OU’s and Groups in the next two videos to provide control over your network!
In this video:
• Setting up a Member Server
• Creating Shared Folders
• NTFS vs. Share Permissions
...
Time to add another Server
• We set up User Accounts and added them to Groups so that we could control who had access to what shared folders and printers
...
Here’s what we’ll be building:
[Diagram: NEW SERVER! NY-MEM1-2K8, IP: 192 ... 5 ...; shared folders SalesDocs (Mapped as S:), SalesManagers, GeneralOps (Mapped as O:), OpsManagers; printers SalesLaser, OpsLaser, ManagersInkjet]
Setting Up A Member Server
...
[Diagram: NY-MEM1-2K8, 168 ... 4; 512MB RAM, 2 GHz 32-bit CPU, 2 x 120GB HDDs, Gigabit NIC, 32-Bit Server 2K8 Standard Edition]
MEM1 will be joining the Globomantics Domain
...
• On our new Server, we’ll be preparing the second HDD for File and Folder sharing by partitioning it into two 60GB partitions, one for Ops, one for Sales, and formatting both as NTFS (the NTFS permissions later in this video only exist on NTFS volumes)
...
Creating Shared Folders
...
Here’s the folders we’ll create:
SalesDocs on E:
SalesManagers on E:
GeneralOps on F:
OpsManagers on F:
Creating Shared Folders
...
• Read — A user can’t add or delete anything in the Folder, just read what’s there
...
• Permissions can be set for whole Groups or for individual User Accounts
• Deny is always Strongest!!!! Use sparingly! (To be exact: a Deny beats an Allow at the same level, so an explicit Deny beats an explicit Allow and an inherited Deny beats an inherited Allow. The one exception is that an Allow set directly on an object wins over a Deny it inherits from its parent.) Because a Deny also hits every member of every group nested inside the denied group, leaving a group off the list is usually safer than denying it
Creating Shared Folders
...
All files in the Folder inherit the permissions from the Folder
...
Here’s the Permissions to set on the individual Folders that you’ll be creating on MEM1:
SalesDocs (on E:): Read and Change for SalesUsers and SalesManagers; Read-Only for OpsUsers and OpsManagers
GeneralOps (on F:): Change and Read for OpsUsers and OpsManagers; Read-Only for SalesUsers and SalesManagers
SalesManagers (on E:): Read and Change for only SalesManagers; Deny All for SalesUsers; Deny All for OpsUsers; Read-Only for OpsManagers
OpsManagers (on F:): Read and Change for only OpsManagers; Deny All for OpsUsers and SalesUsers; Read-Only for SalesManagers
Creating Shared Folders
...
• We can make the SalesManagers group a member of the SalesUsers Group
...
SalesUsers still will NOT have access to the SalesManagers folder, but with the Deny All for SalesUsers on that folder, neither will the managers: nesting makes every manager a member of SalesUsers too, and the Deny applies to them as well
...
NTFS Permissions
...
• Sometimes making Groups members of other Groups is a good idea, sometimes it’s not
...
So this is a bad idea— this time! (Either don’t nest the groups, or drop the Deny entries and simply leave SalesUsers off the SalesManagers folder’s permissions: no entry means no access, without the nesting trap)
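The SalesManagers folder done without Deny entries, as an added example that is not the course’s own procedure. It assumes the NetBIOS domain name is GLOBOMANTICS (the page never shows it), the folder is E:\SalesManagers on NY-MEM1-2K8, and it runs there in an elevated PowerShell prompt using icacls, net share and dsget, all of which ship with Server 2008.

```powershell
# Added example, not from the course. Locks down E:\SalesManagers with NTFS
# allow entries only, shares it, and shows the nesting check that makes Deny
# entries risky. Assumed: NetBIOS domain GLOBOMANTICS, run elevated on MEM1.
$domain = 'GLOBOMANTICS'
$folder = 'E:\SalesManagers'
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# 1. Start from a clean ACL: /inheritance:r strips what E:\ would pass down,
#    /grant:r replaces any existing explicit entries. M = Modify, the NTFS
#    equivalent of share "Change"; RX = Read & execute; (OI)(CI) = also apply
#    to the files and subfolders created underneath.
& icacls $folder /inheritance:r /grant:r `
    "$domain\SalesManagers:(OI)(CI)M" `
    "$domain\OpsManagers:(OI)(CI)RX" `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 2. SalesUsers and OpsUsers simply get no entry. With inheritance cut, no entry
#    already means no access, and unlike "Deny All for SalesUsers" it cannot
#    lock out a manager who is also a member of SalesUsers.

# 3. Share it. Share permissions sit in front of NTFS and the more restrictive
#    of the two wins, so a broad share permission plus the precise NTFS ACL
#    above is the usual pattern. Each option is one quoted argument so the
#    comma in the /GRANT value survives PowerShell's parsing.
& net share "SalesManagers=$folder" '/GRANT:Authenticated Users,CHANGE' '/REMARK:Sales managers only'

# 4. Before relying on a Deny anywhere, look at who SalesUsers really contains
#    with nested groups expanded; managers showing up here is the trap.
& dsget group "cn=SalesUsers,ou=NYUsers,dc=globomantics,dc=com" -members -expand

# 5. Show the resulting ACL for the record.
& icacls $folder
```

The same pattern (cut inheritance, grant only the groups that need access, no Deny entries) covers SalesDocs, GeneralOps and OpsManagers too; only the group-to-permission pairs change.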
Share Level vs. NTFS Permissions
...
Let’s control access to individual Files now
...
NTFS Permissions
...
[Diagram: Parent Folder: Read and Change Permissions to all members of SalesUsers and SalesManagers; “Child” Folder: Read and Change Permissions to all members of SalesUsers and SalesManagers; File (Child): Read and Change Permissions to all members of SalesUsers and SalesManagers]
Share Level vs. NTFS Permissions
...
But you can Block Inheritance of Permissions with NTFS Permissions for Folders AND Files for really specific control of who gets to do what inside that folder!
[Diagram: Parent Folder: Read and Change Permissions to all members of SalesUsers and SalesManagers; “Child” Folder: Read Only Permissions for SalesUsers, Full Control for SalesManagers; File (Child): Read Only Permissions for SalesUsers, Full Control for SalesManagers]
Share Level vs. NTFS Permissions
...
Hank’s Files and the Sales Reports Folder
• Hank has emailed you three files that SalesManagers will need Full Control over, but SalesUsers should have Read-Only Access to
...
• Hank also wants a SalesReports folder that members of SalesManagers have Full Control over, but SalesUsers can also Read-Only
...
(Hint: Block Inheritance and Use Inheritance!)
Share Level vs. NTFS Permissions
...
Here’s the Rules you need to remember
• Share Level Permissions work at the folder level: they are set once on the share, apply to everything reached through it over the network, and do nothing at all for someone logged on to the server itself
...
• Documents inside Shared Folders inherit the Permissions (Share Level or NTFS!) of the Folder unless you stop the inheritance directly and apply new Permissions. When both kinds apply, the user gets the more restrictive of the two, so the usual pattern is a loose share permission and precise NTFS permissions
...
Mapping a Shared Drive
...
• You’ll map your two main department folders as below:
SalesDocs mapped as S:
GeneralOps mapped as O:
• Make sure that Hank’s account can access both Mapped Drives
Creating and Sharing Printers
...
• A Print Device is hardware
...
• A Printer is the software object on the server that stands for a print device: the queue, the driver and the permissions
• Once you have Printers, you can use them to control who has access to which Print Device
Creating and Sharing Printers
...
• You will create a Printer for each of the devices, and then assign Permissions as displayed below:
SalesLaser: SalesUsers can Print; SalesManagers can Print and Manage; Ops Groups can’t access
OpsLaser: OpsUsers can Print; OpsManagers can Print and Manage; Sales Groups can’t access
ManagersInkjet: SalesManagers can Print; OpsManagers can Print; Users Groups can’t access; only SuperCoach can manage
What Globomantics ...
globomantics ...
Here’s the Critical Jargon from this video:
• Member Server—A Server that is not a Domain Controller but is joined to the domain and has a particular job/Role
• Share Permissions—Permissions set on the share as a whole; they govern everything under the shared folder when it is reached over the network, and NTFS permissions can only tighten, never loosen, what they allow
• NTFS Permissions—Permissions that apply to both Folders AND Files, whether the file is reached over the network or on the server itself
...
What We Covered
...
• Describe the differences between Share and NTFS Permissions
...
In the next video, we’ll start using our OU’s to apply Group Policy in order to make sure our users can’t break stuff (or, at least, less stuff)!
In this video:
• What are we building today, Coach?
• What is Group Policy?
• Setting Up Coach’s Fave Four Policies
What Are We Building Today, Coach?
...
Now, we need to start thinking about locking down what users can and can’t do on their desktop machines
...
In order to make this happen efficiently, we’ll use Group Policy Objects in Active Directory
...
Group Policy Objects give you control over what Users and Computers can do, but a lot more!
• A Group Policy Object (GPO) contains Settings that can be configured to control what’s happening with Users and Computers
...
• GPO’s are used with Containers (Domains, Sites, and OU’s), but are not applied to Groups (but Groups can play a part!)
Then why is it called Group Policy?????
What’s a Group Policy Object?
...
• Every Windows computer has a Local Group Policy to control what can be done on it and what is restricted, but you don’t want to go around to all the computers in your Domain and configure all the settings manually
...
[Diagram: you can configure each computer separately using Local Policy ... or configure all your machines at once from the comfort of your desk! Because there’s nothing like going to 25 separate machines and making 26 modifications on each one (ugh!)]
What’s a Group Policy Object?
...
• A single GPO can be linked to multiple Containers so you can re-use it over and over
...
GPO’s can be linked at different levels
At the Domain Level, everything in the Domain is affected
At the OU level, everything in the OU is affected
We normally don’t apply GPO’s at the Site level, but we can
...
• A GPO has two sides, Computer Configuration and User Configuration. While you can configure settings for both sides in any one GPO, we generally don’t (this is why we separate Users and Computers into separate OU’s)
...
All you GPO’s, get in the right order!
Group Policy Settings are applied in a very specific order:
Local Computer Policy
Site Policy
Domain Policy
OU Policy (parent OU first, then each child OU in turn)
Remember it this way: L-S-D-OU
Also: The Last One Wins (when two GPO’s configure the same setting, the one applied later, closer to the user or computer, wins)
Setting Up Coach’s Fave Four Policies
...
• You need to ensure that User Accounts are restricted in the following fashion:
– All desktop wallpaper is the same on every machine and cannot be changed
– Users cannot access the Display Control Panel
– Users cannot install software
– Users cannot attach Removable Drives (USB sticks, MP3 players, etc ...
...
And now, Vocabulary!
• Group Policy Object—An Active Directory Object that allows you, the Administrator, to control what Users can do on computers via Settings (or Policies)
...
• Local Computer Policy—The Group Policy that resides on a local Computer that only affects that particular computer
...
After Watching This Video, You Should Be Able To:
• Create and Link a Group Policy Object to an OU
• Apply Settings in a GPO to lock down the User’s ability to:
– Change the Desktop (i.e., set the Wallpaper and make sure the User can’t change it)
– Use the Display Control Panel
– Attach a USB drive or other Removable Storage Device
– Install Software (remember: UAC for Vista!)
• Describe the order in which Group Policy Objects are processed
...
Video 8
How to Make Your Boss Mad and then Fix it Really Fast
Setting up your Organizational Units for Better Group Policy Implementation, Security Filtering for GPO’s using Groups, and Making Your Boss Happy Again
...
In this video:
• What Are We Building Today, Coach?
• Hank is ANGRY!
• A Little Reorganization
What Are We Building Today, Coach?
...
[Diagram, before: the GPO Link on the OU holding 5 Groups for Users, 25 Computer Accounts, SuperCoach Administrator, StandardComputers, ITComputers]
What Are We Building Today, Coach?
...
and how it will look after this one!
[Diagram, after: Groups Executives, SalesManagers, OpsUsers, SalesUsers, OpsManagers, ITUsers; hrichardson; 25 Computer Accounts; StandardComputers; SuperCoach Administrator; ITComputers; GPO Link]
Hank is ANGRY!
...
Hank is really mad that he can’t set a picture of his favorite horse as the Desktop Wallpaper, and he’s threatening to fire you if you don’t get it fixed fast
...
Also, your assistant Jamie doesn’t like being locked down either—fix it!
A Little Reorganization
...
• Since GPO’s are applied at the OU level, we may need to separate out Users and/or computers into separate OU’s for different rights and restrictions
...
– We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them
...
Option 1: We can separate out our Users into Child OU’s and Link Separate GPO’s to each OU
[Diagram: each GPO has settings appropriate for each department]
...
Option 2: We can separate our users into separate OU’s inside of NYUsers and Block Inheritance for certain OU’s for a particular Group Policy Object
...
Option 3: We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them
...
We’ll fix it using a combination of techniques
• We can still use DesktopLockdown for all our users, but we’ll use Security Filtering and the Delegation Tab in the GPMC to exempt the Executives and ITUsers Groups from having it applied. Under the hood that adds a Deny for Read and Apply Group Policy on the GPO for those two groups; a Deny follows nested membership, so anyone in a group inside Executives is exempt too, and it wins even if the same person is also in a group that is allowed
...
[Diagram: DesktopLockdown Group Policy linked to the users’ OU; Executives Group: Deny Read and Apply Group Policy; ITUsers Group: Deny Read and Apply Group Policy; all other users will be affected by DesktopLockdown through Inheritance!]
Terms You Should Know
...
• Enforce—A property of a Group Policy link that breaks through Block Inheritance and overrides any other conflicting GPO’s
• Group Policy Inheritance—Similar to Folder Inheritance, Users and Computers inherit Group Policy settings through OU’s
...
After viewing this video, you should be able to:
• Rearrange Users, Groups, and Organizational Units
...
• Use the GPMC to see what Group Policy Objects are being inherited by an Organizational Unit
...
In this video:
• The Computer Side of Group Policy
• Mapping Network Drives with Preferences
The Computer Side of Group Policy
...
Hank is seriously thinking about implementing the “hoteling” concept, in which users don’t have regular machines
...
You need to make sure that all the machines have a standard policy no matter who’s at them, with the exception of your machine, Jamie’s machine, and Hank’s machine
...
And now for something not so different
...
You’ll separate out your computers into two OU’s, Standard and Privileged, then create a new GPO to apply to only the StandardComputers
...
[Diagram: CL1 through CL3 in the Privileged OU, which will have no GPO linked; CL4 through CL25 in the Standard OU]
The Computer Side of Group Policy
...
[Diagram: LBinga logging on at CL3-NY-VIS, CL4-NY-VIS, CL5-NY-VIS and CL6-NY-VIS in turn]
Computer Policy stays with the computer no matter who logs on to it
...
And now to add our Policy Settings to ComputerLockdown
Here are the policies we’ll set for the StandardComputers through our new ComputerLockdown GPO:
– Turn off the Windows Sidebar (because it’s annoying)
– Turn off that Welcome screen that keeps popping up (because it’s annoying, too)
– User Account Control: make sure it stays switched on (really more as a safety precaution)
– Turn on Loopback Processing to ensure that whoever logs on to the machine always gets this policy applied to them
...
Loopback Processing: User vs Computer Policy Showdown!
Here’s how it works: normally the User side of Group Policy comes from the GPO’s linked where the user account lives, and the Computer side from where the computer account lives. Loopback makes the computer’s GPO’s supply User settings too, for anyone who logs on. In Replace mode the user’s own GPO’s are ignored entirely; in Merge mode they are applied first and the computer’s User settings go on top and win any conflict
[Diagram: the user’s GPO says “I have User Settings, and I travel with LBinga wherever he logs in!”; CL3-NY-VIS replies “Oh yeah? Well I have User Loopback Processing! My User Settings override or add to your settings, even though LBinga’s account isn’t even in the OU I’m linked to! Woo-Hoo! I win!”; the user’s GPO: “Aw, man! Darn you Loopback Processing!”]
Mapping Network Drives with Preferences
...
• There are Preferences for both User and Computer sides of a Group Policy Object
...
Mapping Drives for Users just got a lot easier!
• Since we have Network Drives (i.e., Shared Folders) that we want everyone to have access to, we can “map” those drives for our Users so that when they log on, they’re already there in My Computer
• Leave the drive map’s “Connect as” credential fields empty. A password typed there is stored in the preference file in SYSVOL, which every domain user can read, and the key it is encrypted with is published, so it is as good as plain text. Let the map connect as the logged-on user and rely on the share’s permissions
...
[Diagram: the drive-map GPO linked high up and Enforced (just in case somebody Blocks Inheritance later), inherited by the OU’s below]
Time to Wrap Up!
...
More Big Words!
• Enforce—A setting on a Group Policy Link that breaks through Block Inheritance and overrides any conflicting policies
...
• Group Policy Preferences—Settings in a Group Policy Object that expand Group Policy’s ability to map drives for Users, place files and create folders on managed client machines, etc
...
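A small model of the rules from these Group Policy videos (L-S-D-OU order, last one wins, Block Inheritance, Enforced links, and security filtering by group), added here as an example that is not part of the course. It needs no Active Directory: the links, groups and settings are constructed sample data, and the function just reports which GPO would win a given setting.

```powershell
# Added example, not from the course. Models which GPO supplies one setting.
# Links are given in L-S-D-OU order; Level 0 = local, 1 = site, 2 = domain,
# 3 = OU, 4 = child OU. The sample data below is constructed.
function Resolve-GpoSetting {
    param(
        [string]$Setting,
        [object[]]$Links,                    # each: Name, Level, Enforced, DeniedGroups, Settings
        [string[]]$MemberOf = @(),           # groups of the user or computer being processed
        [int]$BlockInheritanceAtLevel = -1   # level of the OU with Block Inheritance on, -1 = none
    )
    $normal = @(); $enforced = @()
    foreach ($link in $Links) {
        # Security filtering: Deny "Apply Group Policy" for any group we belong to drops the GPO.
        $denied = @($MemberOf | Where-Object { $link.DeniedGroups -contains $_ }).Count -gt 0
        if ($denied) { continue }
        # Block Inheritance: links from containers above the blocking OU are dropped
        # unless Enforced. Local policy is not a link and is never blocked.
        $blocked = ($BlockInheritanceAtLevel -ge 0) -and ($link.Level -gt 0) -and ($link.Level -lt $BlockInheritanceAtLevel)
        if ($link.Enforced) { $enforced += $link } elseif (-not $blocked) { $normal += $link }
    }
    # Normal links apply in L-S-D-OU order, so the closest one wins a conflict.
    # Enforced links are applied after all of them, highest level last, which
    # is why an Enforced domain link beats even an Enforced OU link.
    $order = @($normal) + @($enforced | Sort-Object Level -Descending)
    $winner = $null
    foreach ($link in $order) { if ($link.Settings.ContainsKey($Setting)) { $winner = $link } }
    if ($winner) { return "{0} = {1} (from {2})" -f $Setting, $winner.Settings[$Setting], $winner.Name }
    return "$Setting = Not Configured"
}

$links = @(
    @{ Name = 'Local Computer Policy'; Level = 0; Enforced = $false; DeniedGroups = @();
       Settings = @{ Wallpaper = 'local.jpg' } },
    @{ Name = 'Default Domain Policy'; Level = 2; Enforced = $true;  DeniedGroups = @();
       Settings = @{ MinPasswordLength = 10 } },
    @{ Name = 'DesktopLockdown';       Level = 3; Enforced = $false; DeniedGroups = @('Executives', 'ITUsers');
       Settings = @{ Wallpaper = 'corporate.jpg'; InstallSoftware = 'Disabled' } },
    @{ Name = 'SalesTeamPolicy';       Level = 4; Enforced = $false; DeniedGroups = @();
       Settings = @{ Wallpaper = 'sales.jpg' } }
)

# A broker in the Sales child OU: the closest link wins the wallpaper; the
# lockdown still applies because SalesTeamPolicy says nothing about installs.
Resolve-GpoSetting Wallpaper $links -MemberOf SalesUsers          # sales.jpg (from SalesTeamPolicy)
Resolve-GpoSetting InstallSoftware $links -MemberOf SalesUsers    # Disabled (from DesktopLockdown)
# Hank is in Executives, so DesktopLockdown is filtered out for him.
Resolve-GpoSetting InstallSoftware $links -MemberOf Executives    # Not Configured
# Block Inheritance on the Sales OU (level 4) drops DesktopLockdown but not the
# Enforced domain link.
Resolve-GpoSetting InstallSoftware $links -MemberOf SalesUsers -BlockInheritanceAtLevel 4     # Not Configured
Resolve-GpoSetting MinPasswordLength $links -MemberOf SalesUsers -BlockInheritanceAtLevel 4   # 10 (from Default Domain Policy)
```

On a real client the same question is answered by gpresult /r (or the Group Policy Results wizard in the GPMC), which lists the GPOs that were applied and the ones that were filtered out or denied; the model is only there to make the ordering rules explicit.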
45
9/24/2008
What We Covered
Train Signal, Inc
...
• Create and Link a GPO object to an OU ( I know, we’ve already
done this)
• Use the Computer Side of Group Policy to:
– Turn off the Vista Sidebar and Welcome screen
– Set up Loopback Processing on Computers to ensure that
Settings applied to Computers replace/merge/override any
User settings from other GPO’s
– Ensure that UAC is enabled on Vista
– Ensure that Local Computer Policies DO NOT run on Vista
Machines in our network
...
Coach Culbertson
After viewing this video, you should be able to:
• Use Group Policy Preferences on the Users side of a Group Policy Object to Map Drives (shared folders) for all users
• Enforce a Group Policy to ensure that it is applied even if a Block Inheritance setting is applied to an OU
How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk
Create a GPO For Software Installation
Since you haven’t yet installed any PDF reading software, Hank wants you to install the PDF reader from his new friend’s company on all the client machines in the Globomantics network.
A. Walk around with a CD or USB stick to every one of your 25 client machines, log in with the administrator account and install it manually? Do you really have that much time on your hands?
B. Post the software on a Shared Folder and then create a Group Policy Object that will install the software the next time the machine restarts?
Create a GPO For Software Installation
– Try to get an .msi file for installation
– You can’t just install … .msi …
– … .msi packaging utilities out there if you need them
• A Shared folder for the software to live in that all your Users and Computers have at least Read access to
Create a GPO For Software Installation
• You can also Assign the software so it installs on the next client restart.
Create a GPO For Software Installation
… .msi file that you can use for your Software Installation GPO.
So now all you have to do is:
1. …
2. … .msi package there
3. Create a new GPO and link it to the NYComputers OU
4. …
5. …
6. … .msi file and select any Options
7. Run gpupdate /force from the Server (or wait for the Refresh Interval)
8. …
When does all this Group Policy Stuff actually take effect?
• When you run gpupdate /force, the new policy settings are pushed down right then and will either apply immediately or on the next logon, depending on what the settings are in the policy.
• For other User side GPOs, it depends on what the Group Policy Refresh Interval is set at, and if Background Processing is enabled or disabled.
Where We’re At Now
Time for more big words to impress your friends with!
• Group Policy Software Installation (GPSI) – Function of Group Policy that allows installation of software to computers with accounts within the scope of the Group Policy object.
• … (.msi) – Microsoft Installer
• Publish (as an option in GPSI) – Option to make software available to install on demand
• Assign (as an option in GPSI) – Option to install software automatically on computer restart
After viewing this video, you should be able to:
• Create a Software Installation GPO
• Describe the differences between using a Software Installation GPO on the Computer side and User side
…
• Set the Group Policy Refresh Interval on the Default Domain Policy
In this video:
• The Default Domain Password Policy
• Letting Your Boss Use Whatever Password He/She Wants
• A Little Password Management Goes a Long Way
The Default Domain Password Policy
• The default settings are usually good enough.
Password Complexity Requirements:
• Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
• Be at least six characters in length
• Contain characters from three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Non-alphabetic characters (for example, !, $, #, %)
Letting Your Boss Use Whatever Password He/She Wants
He wants to use the names of his horses.
Letting Your Boss Use Whatever Password He/She Wants
• Your Domain Functional Level must be at a Server 2008 level (all your Domain Controllers must be Server 2008)
• We’ll need to go into ADSI Edit to create Password Policy objects, and link them to the User Account or Group they’ll apply to (i.e. for Globomantics, the Executives group)
A Little Password Management Goes a Long Way
– Right Click and Select Reset Password
…
– Best Practice: Go back into the User Account Properties and force the User to change their password on the next logon
Walk the walk and talk the talk
• ADSI Edit – A low level utility used for editing the Active Directory Database directly rather than using the GUI tools (i.e. Server Manager, etc.)
• PSO – Password Settings Object—An Active Directory Object created in ADSI Edit that allows for an alternative password policy to be applied to a user or a group
…
• … (Required for Fine Grained Password Policy)
What We Covered
• Locate the Functional Level for a Domain in AD Users and Computers
…
• Reset a User’s password and force the user to change their password on the next logon
Video 12
Passing the Buck
Providing Permissions to an Account for Administrative Tasks Without Giving Away All Your Thunder
Why should you have to do all the work?
Planning ahead, you realize that as time goes on you won’t have all the time in the world to do busy work like resetting passwords or altering permissions on shared folders and such.
…
You’ve got two options:
– Use the Delegation of Control Wizard
– Add Jamie to one (or more) of the Built-In Groups so he can do administrative tasks without having to be an Administrator
Using the Delegation of Control Wizard
You’ll use this when you only want a particular User or Group to be able to do one or two simple tasks, like *ahem* resetting passwords.
Need…more…power…
• The Delegation Wizard can’t provide everything, so you’ll have to also use some additional Groups to provide some more permissions to Jamie.
Here are some of them that are particularly useful:
(Table of Permissions/Abilities by Built-In Group. Columns: Administrators, Account Operators, Backup Operators, Operators, Server Operators. Rows: Create, delete, and manage user and group accounts; Read all user information; Reset password for user accounts; Share directories; Create, delete, and manage printers; Backup files and directories; Restore files and directories; Log on locally to the server; Shut down the system. The X marks showing which group has which ability did not survive extraction.)
Installing RSAT to a Vista Client for Easy Server Management
• The Remote Server Administration Tools for Vista is a collection of MMC tools that allows you to administer most of the standard Server tasks without having to use Remote Desktop or actually be at the Server.
Critical Vocabulary
• Built-In Groups—Groups that come as part of the default Server 2008 installation that provide administrative permissions for more tasks than what the Delegation of Control Wizard can (sheer hedonistic convenience!)
What We’ve Covered
• Describe the differences between the 5 most useful Built-In Groups
…
• Install and Configure RSAT for VISTA
In this video:
• An Hour of Prevention Prevents an Ounce of Pink Slip
• Your Three Built-In Backup Tools
• The Globomantics Backup Strategy
An Hour of Prevention Prevents an Ounce of Pink Slip
Eventually, you’ll be able to talk Hank into acquiring a third-party back-up solution that has more power than the built-in tools in Server, but for now you’ll have to make do with what you have.
…
• Wbadmin—A command line tool for creating and scheduling backups (also available in Server Core!)
Your Three Built-In Backup Tools
• It only:
– Backs up to a Shared Folder (Network Attached Storage) or to DVD
– Backs up entire Volumes
– Overwrites previous backups if you back up to the same shared folder over and over
• It’s great for simple backups for small organizations
Your Three Built-In Backup Tools
NTDSUTIL – Super-Powered Utility for lots of operations with a funny name!
• NTDSUTIL is specifically for AD, and not so much backing up your whole Server.
• It’s an interactive tool, providing different commands depending on what Context it’s used in.
• It can also take Snapshots of your Active Directory Database so you can see how your AD looks over time!
The Globomantics Backup Strategy
1. …
2. …then create a System State Backup on a weekly basis for emergency restoration…
3. …
Critical Vocabulary
In terms of backup, NTDSUTIL creates IFM media.
• IFM—Install From Media – can be used to create (and recreate) Domain Controllers quickly
• System State backup—Created by WBADMIN, it contains only the guts of your AD that are absolutely necessary for faster restoration of a DC
After viewing this video, you should be able to:
• Schedule a nightly backup of an entire Volume to an attached disk using Windows Server Backup
…
• Create IFM Media using NTDSUTIL
In this video:
• A Little Future Planning to Prevent Major Problems
• What are Operations Masters?
• Restructuring the Globomantics DC’s a Bit
– Adding a Domain Controller with IFM
A Little Future Planning to Prevent Major Problems
Everything seems fine and rolling right along, but there’s a lurking menace that we don’t know about just yet!
(Diagram: two Domain Controllers, Computer Name: NY-DC1-2K8 and Computer Name: NY-DC2-2K8, connected through a Network Switch. Caption pointing at the second DC: “We can easily reduce the risk of SPOF issues by giving this guy an additional job or two!”)
If DC1 goes down, we will have major problems due to the fact that we have all of our Operations Masters attached to it!
What are Operations Masters?
(…, these are special)
… Sits back and drinks coffee most of the time until you need to add or remove a Domain.
… Also on coffee break until you or an application you install needs to change the Active Directory Schema.
• The Domain Level Operations Masters
PDC Emulator—This is the big one. It handles password updates, Group Policy Updates, time updates, and acts as the master Browser.
… If the Server with this role goes down, you may not be able to add any Users or Computers to the Domain.
Infrastructure Master—Keeps track of who’s in what Group.
• The Infrastructure Master should be on a Server that is not a Global Catalog, unless every single Domain Controller is also a Global Catalog!
Restructuring the Globomantics DC’s a Bit
Hey, look! Some more big words!
• Operations Master—An assignable role/job for a Domain Controller that only one Domain Controller at a time can do.
• … May be assigned by a Domain Controller, but also may be created by an Operating System in the case of Computer Accounts and simply used by AD.
After viewing this video, you should be able to:
• Describe the five Operations Masters
• Identify what Server has been assigned what Operations Master
Video 15
Stuff To Make Your Active Directory Life Just a Little More Predictable
Monitoring, Auditing, and Maintaining Your Active Directory Database
Monitoring, Auditing, and Defragging
And now, something else that lands squarely in your job description
Globomantics is ready to launch, and you have taken solid precautions already to ensure that if your Domain Controllers blow up, you have flexible options to get your network back up and running in a short time.
…
There are a lot of third party tools out there for such things, but for now you need to rely on what’s built in to Server 2008.
Hey, neat! Server 2008 has cool monitoring toys!
• Your tools for watching what’s going on:
– Task Manager—For real time immediate gratification of observing what’s going on in your Server
– Event Viewer—An easy way to view logs that are created by the various monitoring tools
…
– Reliability Monitor—Watches and tracks changes in your system over time
– Data Collection Sets—Probably the easiest way to keep track of what’s going on in your system!
Watch Who’s Doing What to Your Active Directory
• Not only can it track changes, but also who made the change, what the object was before the change, and what the object is now.
…
There are two steps to setting this up; you can’t do one without the other!
To Set Up Auditing:
You have to enable an Auditing Policy (specifically Audit Directory Service) on either the Default Domain Controller Policy or on the Default Domain Policy.
Defragging Your AD Database
• When stuff gets deleted out of your Active Directory Database, the Database file itself doesn’t get any smaller.
… (….dit file)
Integrity—checks database integrity
Semantic Database Analysis—An NTDSUTIL tool that analyzes and checks your database for consistency
Critical Vocabulary
• ….dit—The actual database file that holds your Active Directory Objects
• Compact—The process of recovering disk space by removing empty space and repositioning data on the disk for optimum read time
What We Covered
• Use the Event Viewer to see what’s going on in your machine
…
• Use the Performance Monitor if you have nothing else better to do with your time
…
• Enable Auditing Policies in the Default Domain Controller GPO for Object and Account Access
• Use NTDSUTIL to defragment your database and check for integrity and consistency of the AD Database as a whole
…
In the next video, we’re going to expand to Chicago, and set up a child domain for the Chicago office by creating some more DC’s!
In this video:
• All You Need Is Lov—I mean a DC!
• Adding a Site and Subnet Before Jumping In
– Creating the Child Domain
– Making Sure Chicago Can Talk To New York
All You Need Is Lov—I mean a DC!
To keep things manageable for future growth, you decide that the best way is to separate out the Chicago office into its own child domain (sometimes called a subdomain).
…
– Having a location-centric Active Directory structure can allow for easier tracking of stuff between locations.
In order to create the Chicago child domain, all we need is another DC!
(Diagram labels: Globomantics…, globomantics…)
Before we begin…
• Sites in AD represent the physical structure, or topology, of your network.
… (….com, New York)
• In order to allow Active Directory the ability to track our machines by location, we’ll also create a Subnet Object as well, and assign that Subnet Object to Chicago.
• Here’s what we have and what we’re going to create:
(Diagram labels: NY-DC1, NA-DC1, NY-DC2, Subnet Object, NY-DC3)
Critical Vocabulary
• Site—An Active Directory Object that represents the major components of the physical topology of a network
What We Covered
Video 17
How To Give People Access to Stuff That’s 790 Miles Away
Creating Universal Groups, the AGUDLP Strategy, and Making Sure Your People Can Log In Anywhere In Your Enterprise
Giving People Access to Stuff 790 Miles Away
Break out that Excel Script Maker again!
Hank has sent you another 20 users to add to the Chicago office, so it’s time to make them quickly and easily with the Excel sheet script maker.
The Types of Groups
AGUDLP –Alphabet Soup anyone?
• Now that we have multiple domains, we also have the challenge of making sure that we can easily provide access to resources between them.
• Here’s how it works:
1. Accounts go into Global Groups
2. The Global Group becomes a member of a Universal Group
3. The Universal Group becomes a member of a Domain Local Group
4. Permissions are then granted to the Domain Local Group to network resources
Setting Up Your Groups for Access Between Domains
Here’s what we’ll do to get them access to the SalesDocs folder over in New York:
In the na….com (the New York domain), we’ll create a Domain Local Group called SalesDocs and make AllSales a member of it.
We got us a Global Catalog to check out!
• Hank is going to be bouncing back and forth between locations, and you need to make sure that he and anyone else who’s visiting either office can log in.
(Diagram labels: ….com, Global Catalog Server)
As long as there’s a Global Catalog at a Site, your users can log in with an “email address” style login, like JOwens@globomantics….
If there’s not a Global Catalog, you’ll need to enable Universal Group Caching on the Site.
(Diagram label: globomantics…)
Important Words
• Security Group—Group Object in Active Directory that allows you to provide access to resources on the network.
…
• Global Group—A Group usable in any trusted Domain in your forest. … Can be a member of a Universal Group.
…
• … Users can only come from ANY Domain
…
• Domain Local—A Group usable only in the Domain it lives in.
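The AGUDLP chain from the diagram earlier and the scope rules in the vocabulary above, modelled as an added Python example that is not part of the course notes; the domain names, users and group names are constructed and the nesting rules are simplified.

```python
class User:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain


class Group:
    # What each scope may contain, and whether members may come from other
    # domains (simplified from the vocabulary above).
    RULES = {
        "Global": {"members": {"User", "Global"}, "any_domain": False},
        "Universal": {"members": {"User", "Global", "Universal"},
                      "any_domain": True},
        "DomainLocal": {"members": {"User", "Global", "Universal", "DomainLocal"},
                        "any_domain": True},
    }

    def __init__(self, name, domain, scope):
        if scope not in self.RULES:
            raise ValueError(f"unknown scope {scope!r}")
        self.name, self.domain, self.scope = name, domain, scope
        self.members = []

    def add(self, member):
        """Nest a user or group, refusing anything the scope does not allow."""
        rule = self.RULES[self.scope]
        kind = "User" if isinstance(member, User) else member.scope
        if kind not in rule["members"]:
            raise ValueError(f"{self.scope} group {self.name} cannot contain a {kind}")
        if not rule["any_domain"] and member.domain != self.domain:
            raise ValueError(f"Global group {self.name} only takes members from {self.domain}")
        if kind == "DomainLocal" and member.domain != self.domain:
            raise ValueError("a Domain Local group can only be nested inside its own domain")
        self.members.append(member)
        return self

    def users(self):
        """Flatten the nesting down to the set of user names it reaches."""
        found = set()
        for m in self.members:
            found |= {m.name} if isinstance(m, User) else m.users()
        return found


def can_access(user, resource_domain, acl):
    """Permissions are granted to Domain Local groups in the resource's own
    domain; the user has access when one of those groups reaches him."""
    return any(g.domain == resource_domain and user.name in g.users() for g in acl)


def nesting_error(scope, domain, member):
    """Explain why `member` may not go into a new group of this scope and
    domain, or return None when the nesting is allowed."""
    try:
        Group("probe", domain, scope).add(member)
    except ValueError as err:
        return str(err)
    return None


# Constructed domain names standing in for New York and the Chicago child domain.
NY, CHI = "ny.globomantics.example", "chi.globomantics.example"

# A -> G: accounts go into a Global group in their own domain
jowens = User("JOwens", CHI)
chicago_sales = Group("ChicagoSales", CHI, "Global").add(jowens)
# G -> U: the Global group becomes a member of a Universal group
all_sales = Group("AllSales", CHI, "Universal").add(chicago_sales)
# U -> DL: the Universal group becomes a member of a Domain Local group
#          in the domain that holds the resource
sales_docs = Group("SalesDocs", NY, "DomainLocal").add(all_sales)
# DL <- P: permissions on the New York SalesDocs folder go to that group
SALESDOCS_ACL = [sales_docs]

if __name__ == "__main__":
    print("JOwens can open SalesDocs:", can_access(jowens, NY, SALESDOCS_ACL))
    print("Chicago user straight into a NY Global group:",
          nesting_error("Global", NY, jowens))
```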
What We Covered
• Distinguish between Security and Distribution Groups
…
• Ensure that Users can log in to another Domain by either providing a Global Catalog at a Site or using the Universal Group Caching setting on a Site
Video 18
Creating The Dallas Branch Office
Building a Read-Only Domain Controller for a Less Secure Location
Creating the Dallas Branch Office
And if Hank says it…
Dallas is Hank’s hometown.
…
That’s not a problem, but he also wants a staff of 5 people in the not-yet created Dallas location.
…
You decide that, due to the lack of security in the office, using a Read Only Domain Controller is going to be the best option.
The Dallas OU and Site Structure
• Then, we need to add a Dallas site so we can have a physical representation of our network.
For low-security locations with few users, an RODC is a happy thing.
…
• The RODC downloads only the User Account information that it needs—it does not upload anything to the writeable (or Full) Domain Controllers.
…
• Better yet, you can use the Server Core Installation to provide two important advantages:
– You don’t need a super-duper box to run it
…
Building an RODC for Dallas
New York, Chicago, Dallas…What’s next? Tokyo?
Zooming in on Dallas
Critical Vocabulary
• Server Core—A version of Server 2008 that only has a command line interface and lesser operating requirements that supports only 9 Server Roles
• UPN—User Principal Name—An email-style login name that can be used to log in across Domains when a Global Catalog is present at the Site OR when the User is part of a Universal Group and Universal Group Caching is enabled on a Site
After viewing this video, you should be able to:
• Install Server 2008 as a Server Core installation
…
• Install Active Directory Domain Services Role with the RODC option
…
• Configure Universal Group Caching for a Site so you don’t have to provide a Global Catalog for that Site
In this video:
• Okay, Who Killed Off The Ops Department?
• The Two Types of Restorations
– Use Windows Server Backup to do a Non-Authoritative Restoration
– Use NTDSUTIL and WBADMIN to do an Authoritative Restoration
• How to Put Resurrected Users Back Into Groups Using Backlinks
Okay, Who Killed Off The Ops Department?
whoops?
Things are going well, until on a Tuesday morning the entire New York Ops department can no longer log in.
… Aced, no trace, nada, not there, here or anywhere.
… Brock did not report in this morning due to the fact that he’s in police custody for *ahem* other chemically-related issues.
… You need to restore the Ops OU for New York due to Brock’s drug-induced mayhem.
Oh, the choices, the choices! (Okay, there’s only 2)
• There are two options for doing restoration of an OU:
– Non-Authoritative Restore: Most often done using Windows Server Backup, you can restore the entire Domain Controller.
…
• What makes a Restore “Authoritative?”
– The Update Sequence Number in the AD Database is increased by 10,000 so other Domain Controllers know that the restored object is the most recent.
And now, the secrets of how to do both
• To run a non-authoritative restore, just go to Windows Server Backup and click Recover. … You’re done (sort of: you may have problems with this type of restore).
…
1. Restart the DC into Domain Recovery Mode (hit F8 on the keyboard during reboot to get this option)
2. … /Administrator and the Domain Recovery Mode password you set up when you ran DCPromo
3. …
4. Figure out which version you want to restore
5. Type wbadmin start systemstaterecovery –version:ID –backuptarget:backuplocation
6. …
7. Type authoritative restore to get into the right NTDSUTIL Context
8. …
9. …
How to Put Resurrected Users Back Into Groups Using Backlinks
… )
• When you do an authoritative restore in a Server 2000 Functional Level Domain, you end up losing Group memberships on your User Accounts.
… (no, you can’t, you don’t have that kind of time on your hands)
• During the authoritative restore, at least one file called an LDIF file is created.
• To restore group membership using backlinks:
1. …
2. …
3. …
4. …
Critical Vocabulary
• Non-Authoritative Restore—A simple restoration process that can be accomplished either from Windows Server Backup or by using Directory Restore Mode and WBADMIN (if you really want to)
• Update Sequence Number—A value in an Active Directory Object that helps Domain Controllers know which objects need to be updated in the Directory during replication
What We Covered
• Restore Group Membership from Backlinks using ldifde (if for some weird reason you’re not running a Server 2003 or Server 2008 Domain Functional Level)
In this video:
• Uh-Oh
• Seizing Operations Masters for Quick Restoration of Functionality
• Possible Solutions for Restoring Domain Controllers
Uh-Oh
Completely. …
The absolute best way to describe the current state of DC3 is this:
Now, you need to decide what to do with the DC.
… The bad news is, DC-3 is (or rather was) your Infrastructure Master.
Seizing Operations Masters for Quick Restoration of Functionality
• NTDSUTIL:
– You can also use NTDSUTIL to seize an Operations Master role with the following operation:
1. …
2. …
3. …
• To seize the Infrastructure Master, type seize infrastructure master
Possible Solutions for Restoring Domain Controllers
• If your hardware is trashed, build a new Server 2008, install Windows Server Backup, and do a Recovery of the last Full Backup of NY-DC3.
…
– Build a brand new Server 2008 machine, install AD DS and run DCPromo
…
– Move the Infrastructure Master back to the new DC-3
Hey, wait a minute…
… Okay, in reality, it smells like burning plastic and metal, but you get the point.
… No new real words this time that you haven’t already seen.
After viewing this video, you should be able to:
• Seize an Operations Master and thereby transfer the functionality to a live Domain Controller
…
In this video:
• Hank just bought a company…in Tokyo!
• Advantages of the Server 2008 Domain Functional Level
• The Upgrade Process
Hank just bought a company…
…and now you have to integrate it into your network!
Hank’s been on a spending spree, and bought a small brokerage in Tokyo, Japan for the mere sum of $1.
… The small company, Verde Petra, Inc. …
Their network is a simple 1 Domain Controller setup with 10 client machines, an outsourced email solution, and a couple of network printers.
… Before we do anything to integrate, you need to prepare the Verde Petra Domain Controller by upgrading it to Server 2008 Enterprise 32-bit.
When you get a 2008 Functional Level, you also get these nifty bonus items!
• Distributed File System Replication
• Advanced Encryption Standard support for the Kerberos protocol
• Last Interactive Logon Information
– GPO found in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Display information about previous logons during user logon
• Fine-grained password policies
The Upgrade Process
• When Upgrading a Domain Controller, you’ll need to grab some scripts off the Server 2008 disc and run adprep /FORESTPREP and adprep /DOMAINPREP
• The rest of the upgrade process is simple—put in the CD and click on the Upgrade option when it comes up, and install as normal.
… You would have to first upgrade the Server to 2003 and then to 2008.
Words?
• Nope.
What We Covered
Video 22
Connecting the Continents
How to connect two Active Directory Networks For Fun and Profit (and by using Trusts and DNS)
Time to connect ‘em together!
So you’ve got Tokyo up to date in terms of the OS and the Domain Functional Level.
… Hank ponied up for some nifty Virtual Private Network (VPN) technology that allows Tokyo and the New York office to have a direct connection.
Our Two Options To Connect Tokyo and New York
(Diagram labels: globomantics, Na….com)
So the question is, do we use Active Directory Federation Services or do we set up some Trust Relationships between the two locations?
• *NEW* Active Directory Federation Services allows two separate Active Directory networks to authenticate Users from either Domain for shared folders and resources.
…
• We can also create a Trust between the two Forests as well since we have more or less a direct link via VPN between New York and Tokyo.
It’s not as easy as it sounds
• AD FS is an SSO (Single Sign-On) method of sharing information between two partner networks, usually through a Web Site or application like SharePoint Services or SharePoint Server.
… It also uses cookies to keep track of authentication.
So much faster to set up…for small environments
• A Trust allows Users from different networks to access information on another network.
…
• Each Domain should be running at least Server 2003 Functional Level, and the Forest Functional Level has to be at least Server 2003.
The kinds of Trusts
• External Trust—Allows separate Domains in separate Forests to trust each other’s users without trusting every Domain in a Forest
…
• Shortcut Trusts—Simply allows users to access resources in a different Domain in the same Forest faster
What You Need for a Trust
… Users from Network B can access allowed resources on A, but Users from A cannot access stuff on Network B.
… Users from either network can access allowed resources on the other.
Trust Directions
• Transitive Trusts (diagram: A, B, C)
If Domain A Trusts Domain B and the trust is transitive, and if C Trusts B, then A and C also have a trust relationship.
The Globomantics/Verde Petra Solution: Trusts
Since AD Federation Services requires so much hardware, plus a SharePoint implementation which you know nothing about, it doesn’t make any sense to use Federation.
… globomantics …
But not today.
Here’s what it will look like!
• You’re going to implement a two-way forest trust, as well as an External trust between Verde Petra and Na….
(Diagram labels: Two-Way Forest, globomantics, Na….com)
We really don’t need an External Trust, though, because the trust between Verde Petra and Globomantics is Transitive!
• Both DNS Servers are Active Directory Integrated, but a trust does not make it so that either DNS server knows about the other one.
…
(Diagram labels: “Dude, I need the Tokyo Sales Numbers”; Globomantics Server Running DNS; “This request is for Verde Petra…”; Tokyo Sales Numbers)
Yowza! Lots-o-words this time!
• Active Directory Federation Services—A Server Role that allows partner networks to share information across Domains using Single Sign-On
…
• Trusts – A relationship between Forests or Domains that allows sharing of resources
• Stub Zone—A DNS Zone that simply provides information about another Domain’s DNS servers
…
• External Trust—Allows separate Domains in separate Forests to trust each other’s users without trusting every Domain in a Forest
And some more…
• Forest Trust—Trusts between two Forest Root Domains that can allow Users from any Domain inside of either Forest to share Resources
…
• Realm Trusts—Allows a Windows Active Directory Network that uses Kerberos to trust a UNIX-based network that also uses Kerberos to share resources
…
• Active Directory Migration Tool – A free download from Microsoft that allows you to move Active Directory Objects (i.e. User Accounts, etc.) …
What We Covered
• Define the types and directions of Trusts
…
• Implement a Two Way Transitive Forest Trust
In this video:
• The New Generation of Certifications for Server 2008
• The Upgrade Paths for MCSA’s/MCSE’s
• How to Sign Up for a Microsoft Exam
• 70-640 Exam Prep Tips
The New Generation of Server 2008 Certifications
What you need to take for each Credential
• MCTS - Take any one exam from a large selection (when you get multiple TS certs, you can build a nifty logo using MS’s Logo Builder!)
• MCITP: Server Administrator Exams (From Scratch - Three Exams)
– 70-640: TS Active Directory
– 70-642: TS Network Infrastructure
– 70-646 Pro: Server Administrator
• MCITP: Enterprise Administrator (From Scratch - Five Exams)
– 70-620: Vista
– 70-640: TS Active Directory
– 70-642: TS Network Infrastructure
– 70-643: TS Server 2008 Application Infrastructure, Configuring
– 70-647 Pro: Enterprise Administrator
The Upgrade Paths for MCSA’s/MCSE’s
For an MCSA 2003 to Upgrade to MCITP: Enterprise Administrator
• Take 4 Tests:
– 70-648: Provides 2 MCTS
– 70-620 or 70-624: TS: Vista
– 70-643: TS: Applications Infrastructure
– 70-647: MCITP: Enterprise
For an MCSE 2003 to MCITP: Enterprise Administrator
• Take 3 Exams:
– 70-649: Provides 3 MCTS
– 70-620 or 70-624: TS: Vista
– 70-647: MCITP: Enterprise Administrator
How to Sign Up for a Microsoft Exam
• ….com – it’s easy!
• Prometric is the exclusive provider of Microsoft exams.
Prep
• I recommend: MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory from Microsoft Press
• Take the Transcender Practice Exam Several Times—Look up the stuff that you miss in this Video Course or in the Microsoft Press Book
On the day of the test…
•Do not stay up all night studying – get good sleep!
•When you go in to the test center, leave your cell phone and anything else in your car. You must have 2 forms of ID!!!
•Before taking the test, stop and breathe.
•During the test, do not forget to breathe.
...
You can go back at the end of the test and answer them later.
The Biggest Tip I Can Give You--
•Know the material.
After watching this video, you should be able to:
•Describe the Requirements for MCTS and the MCITP Tracks
•Describe the Upgrade Paths for MCSAs/MCSEs to MCITP
•Sign up for an Exam on the Prometric Web Site
Welcome to Train Signal
In this video:
•A Quick Overview of DNS
•What Are DNS Zones Really?
•The Different Kinds of DNS Records
•Forwarders and Root Hints
•Global Name Zones: The WINS Killer (Kind of)
A Quick Overview of DNS
• The process of locating a computer via an IP address by looking it up by name is called Name Resolution.
...
• That computer can now be found through the process of Name Resolution, and Active Directory can now find Users, Computers, and other Hosts by working in conjunction with the DNS Server.
Big words for simple concepts
• A DNS Zone is basically a Text File or Database that Defines what machines it knows about in the “namespace”.
...
No need for Secondary Zones if all your DNS Servers are also DC’s.
– Secondary: A Read Only Copy of a Primary Zone.
– Stub: Only contains information about other DNS Servers.
Why an Active Directory Integrated Zone?
•Let Active Directory manage a lot of the DNS stuff for you!
•AD Integrated Zones allow for:
– Zone Transfers during AD Replication
– Multimaster Replication
– Secure Dynamic Updates
– Backwards compatible to Secondary Zones (if you have any in your network)
What Are DNS Zones Really?
...
•Stub Zones: Remember these from the Connecting Continents Video?
•Conditional Forwarders: Used in place of Stub Zones to forward DNS requests about other Domains.
What lives in a DNS Zone?
•A (Host): Name and IP Address of a Host (Computer, Network Printer, PDA, etc.)
...
•MX (Mail Exchanger): For Email Servers
•CNAME (Alias): A “nickname” record that allows for multiple names for the same machine.
If the DNS Server doesn’t know where a host is, it has to call out
•Root Hints allow your DNS Server to communicate with Name Servers on the Internet.
...
– You need two DNS Servers for this—One on the inside of your network perimeter that doesn’t use Root Hints and one on the perimeter that does.
Global Name Zones: The WINS Killer (Kind of)
• Most WINS server technology is being replaced by DNS for speed, reliability, and security.
...
• Use it for easy access intranet websites, and a potential replacement for WINS if you have older network-aware software applications still running that require WINS (Especially if you’re rolling over to IPv6!)
• WINS is still available on Server 2008 as a Feature (not a Role) if you need it.
To create a Global Name Zone:
•On your Primary DNS Server, run this command to prepare your DNS for Global Names:
dnscmd /config /enableglobalnamesupport 1
•Then create a new Forward Lookup Zone called GlobalNames.
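The two steps above, together with the AD Integrated Zone properties from the earlier slide (replication through AD, the dynamic update setting), carried through as an added PowerShell script that is not part of the Train Signal course. It assumes an elevated session on a DC that also runs DNS; the Invoke-Dnscmd helper, the forest name globomantics.local, the host web01 and the alias intranet are constructed for the example.

```powershell
# Added example, not from the course: builds the GlobalNames zone with dnscmd.exe,
# the tool the slide uses. Assumes an elevated session on a DC that also runs
# DNS; the forest name globomantics.local and the host web01 are constructed.
$ErrorActionPreference = 'Stop'
$Forest = 'globomantics.local'

function Invoke-Dnscmd {
    # Hypothetical helper: dnscmd reports failure through its exit code, so turn
    # that into an error instead of letting a typo scroll past in the console.
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed:`n$output"
    }
    $output
}

# 1. Enable GlobalNames support (the command from the slide). This is a
#    per-server setting: repeat it on every DNS server that should answer
#    single-label queries, not only the one that hosts the zone.
Invoke-Dnscmd @('/config', '/enableglobalnamesupport', '1')

# 2. Create the zone AD-integrated in the forest-wide application partition,
#    so every DC running DNS receives it through AD replication and no
#    secondary zones are needed.
Invoke-Dnscmd @('/zoneadd', 'GlobalNames', '/dsprimary', '/dp', "ForestDnsZones.$Forest")

# 3. GlobalNames holds only static CNAME records that an admin adds by hand,
#    so switch dynamic updates off (0). On ordinary AD-integrated zones the
#    value you want is 2, secure updates only, so that only the account that
#    registered a record can change it.
Invoke-Dnscmd @('/config', 'GlobalNames', '/allowupdate', '0')

# 4. Publish a single-label name as an alias for the host's real FQDN
#    (the trailing dot stops dnscmd from appending a domain suffix).
Invoke-Dnscmd @('/recordadd', 'GlobalNames', 'intranet', 'CNAME', "web01.$Forest.")

# 5. Check the result the way a client would: a single-label name that does
#    not exist in the domain zone should now be answered from GlobalNames.
nslookup intranet
```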
Critical Vocabulary
...
Video 25
AD Certificate Services 101
A Primer on Active Directory Certificate Services and Public Key Infrastructure
AD Certificate Services 101
...
Your Certificate Has Been Revoked
...
In times such as these…
•Security in networks is a huge area, but a good place to start is by using Certificate Services as a way to:
– Encrypt Data Files
– Encrypt Remote Communications
– Secure Email
– Secure Logons with Smart Cards
– Secure Servers with Network Access Protection (requires Certificates)
– Protect Data from Tampering
Lions and Tigers and Keys and Certificates, Oh My!
• A Certificate is generated by a Certificate Authority (that’s a CA if you’re cool) using a Private Key, which is part of a whole Public Key Infrastructure.
Lions and Tigers and Keys and Certificates, Oh My!
The Certificates have to come from somewhere
Diagram: the three sources of certificates – a Server 2008 Standalone Certificate Authority, a Server 2008 Enterprise Certificate Authority (Integrated into Active Directory), and a Third Party Certificate Authority (i.e. VeriSign, etc.)
•Certificates are generated from one of these three types of Certificate Authority and then passed on to users, devices, other servers and so on.
Respect My Authori-tay!
Diagram: a Certificate Authority with three Server 2008 Subordinate Certificate Issuers
• With a Standalone CA, you’ll create Certificates and then pass them off to Issuing Servers.
• Pretty much all the work is done manually with a Standalone CA.
Respect My Authori-tay!
• Enterprise CA’s can assign certificates automatically to users in AD using Autoenrollment.
I’m Sorry, Dave, I Can’t Do That.
• An Online Responder (OR) can be used in place of a Certificate Authority server. It’s much faster and more efficient.
Quick Summary
•You need at least one Root CA to create certificates, and will probably have other subordinate servers issue them out to protect your Root CA from getting abused.
...
•The new Network Device Enrollment Service (NDES) allows you to include switches and routers in your PKI as well.
Video 26
Active Directory Lightweight Directory Services 101
A Primer on AD LDS
Active Directory Lightweight Directory Services 101
And why in the world would you ever need it?
•Active Directory Lightweight Directory Services (formerly known as ADAM—Active Directory Application Mode) is a Server Role that provides LDAP services.
...
•It usually lives on a server separate from your AD DS (sometimes the same server as your Application), and can also be installed on Server Core!
What might it look like on a network?
Think of it as a Copy in RAM
• An “Instance” of LDS is just a running copy of AD LDS that uses a particular “store” of data.
• You could have multiple instances of LDS running for multiple applications, all instances being customized for the unique application requirements.
...
exe
NTDSUTIL—Command Line
LDIFDE—Command Line
DSDBUTIL—Command Line
DSACLS—Command Line
Quick Summary
•You’ll only need it for applications that require it.
...
•When you install AD LDS, you need to also create an Instance of LDS (a running copy).
•Most of the tools you would use for AD LDS are command line based, but there are a few that have a GUI, like ADSI Edit and Ldp.
Welcome to Train Signal
In this video:
•What is Rights Management?
•Some Additional Notes About RMS
What is Rights Management?
Bubba receives a “client licensor certificate” the first time he rights-protects a Word 2007 file he’s created.
Then Bubba defines a set of usage rights and rules for his file.
Bubba emails the file or puts it on a share.
Word 2007 calls to the RMS server, which validates the user and issues a “use license”.
Word 2007 opens the file and enforces whatever rights Bubba put on it.
Some stuff you’ll want to know
• The application that creates the file must be RMS-aware (Office 2007 is a good example).
• If somebody isn’t on the list of users who can open a file, they can’t get into the file.
• AD RMS in Server 2008 supports AD Federation Services, and it can be used with SharePoint deployments as well.
Quick Summary
•The Author of a document sets up who gets to do what on a Document, and they do that from inside of the RMS-aware App (like Word 2007 or Excel 2007) based on Users and Groups from Active Directory.
...
•It works with AD FS and SharePoint.