Uploaded by padavala naveen kumar
Active Directory Domain Services
Active Directory Users and Computers
Active Directory Domain and trusts
Active Directory sites and services
Active Directory PowerShell Module
Additional command line tools and snap-ins
1. Active Directory Domains and Trusts:
   a. Implementing trusts
   b. Raising domain/forest functional levels
   c. Adding user logon (UPN) suffixes
2. Active Directory Sites and Services:
   a. Configuring intersite/intrasite replication
   b. Configuring the Global Catalog
   c. Creating sites and site links
   d. Scheduling replication
3. Active Directory Users and Computers:
   a. Managing users
   b. Managing group policies (domain level)
   c. Managing computers
   d. Managing operations masters
   e. Raising the domain functional level
4. Domain Controller Security Policy:
   a. Set account, audit and password policies
   b. Set user rights
   c. Permissions or policies pertaining to the domain controllers only
5. Domain Security Policy:
   a. Set account, audit and password policies
   b. Set user rights
   c. Permissions or policies pertaining to the whole domain (every computer and user in it)
KCC: Knowledge Consistency Checker. A process that runs on every DC and automatically builds and maintains the replication topology (the connection objects) between the DCs, both within a site and between sites. It does not replicate the changes itself; it decides which DC replicates with which.
The Active Directory database is stored by default at C:\Windows\NTDS\ntds.dit
NTDS.DIT stands for NT Directory Services, Directory Information Tree.
It is a single file logically divided into four partitions (naming contexts):
1. Schema partition (object classes and attributes; one per forest)
2. Configuration partition (sites, services, replication topology; one per forest)
3. Domain partition (users, groups, computers, OUs; one per domain)
4. Application partition (application data such as DNS zones; replicated only to the DCs chosen for it)
Trust relationship: a trust is a link between two domains (or forests) that lets users authenticated in one domain be granted access to resources in the other. The trusting domain holds the resources; the trusted domain holds the accounts. A trust only enables authentication; access is still decided by the permissions set on the resource.
Flexible Single Master Operation (FSMO) roles: there are 5 FSMO roles.
Forest-level roles (one holder per forest):
  Schema Master
  Domain Naming Master
Domain-level roles (one holder per domain):
  PDC Emulator
  RID Master
  Infrastructure Master
"Flexible" means the roles can be transferred from one DC to another DC.
Schema Master: keeps track of and defines the object classes and attributes (the schema) used throughout the forest. It is the only DC on which the schema can be modified, so it is responsible for overall management of the entire schema in the forest.
The first DC installed in the forest holds the Schema Master role.
There can be only one Schema Master in a forest.
Transferring the Schema Master requires membership in the Schema Admins group.
How to move the Schema Master:
1. Open a command prompt as administrator on the new server, type regsvr32 schmmgmt.dll and press Enter. This registers the Active Directory Schema snap-in. Close the command prompt.
Add the Active Directory Schema snap-in to an MMC console:
2. Open an MMC console on the new Windows Server 2012 R2 computer.
3. Click File > Add/Remove Snap-in...
4. In the Add or Remove Snap-ins window, select Active Directory Schema, click the Add > button, then click OK.
Change the Schema Master:
5. In the same MMC console, right-click Active Directory Schema and select Change Active Directory Domain Controller... in the sub menu.
6. In the Change Directory Server window, select This Domain Controller or AD LDS instance.
7. Select the new Windows Server 2012 R2 server.
8. Click OK to continue.
9. A warning will appear stating that the Active Directory Schema snap-in is not connected to the schema operations master. Click OK to continue.
10. Hover over the Active Directory Schema folder in the folder tree to confirm the new Windows Server 2012 R2 computer is shown.
11. Right-click Active Directory Schema and select Operations Master... in the sub menu.
12. In the Change Schema Master window, click Change to transfer the schema master role to the new server.
13. When asked whether you are sure you wish to transfer the schema master role to a different computer, click Yes.
14. Once the schema master is successfully transferred, click OK to continue.
15. Click Close to close the Change Schema Master window.
16. In the MMC, click File > Exit. When asked to save the console, click No.
Once completed, confirm the new holder with netdom query fsmo, and open Active Directory Users and Computers against the new server to verify that the directory has replicated to it. Replication may take some time depending on the number of objects in Active Directory.
Global Catalog (GC)
A Global Catalog server is a DC that holds, in addition to the full writable copy of its own domain partition, a partial read-only replica of every other domain partition in the forest (the attributes most often searched for). It answers forest-wide searches, tells clients where objects are located, and supplies the universal group membership needed at logon.
The Global Catalog listens on TCP port 3268 (3269 over SSL/TLS) in addition to the normal LDAP port 389 (636 over SSL/TLS). A query sent to 3268 is searched across the whole forest; a query sent to 389 is limited to the local domain partition and returns referrals for the rest.
A GC holds complete information about objects in its own domain and partial information about objects in the other domains of the forest.
Global Catalog and Infrastructure Master: the Infrastructure Master compares its domain's cross-domain references (for example users from another domain who are members of local groups) against a GC and updates them. If the Infrastructure Master is itself a GC it never sees stale references and stops updating them, so in a multi-domain forest the role should not sit on a GC unless every DC in the domain is a GC.
If the DC and the additional DC are in the same site, one GC is enough.
If an additional DC is in a remote site, configure it as a GC as well, so that logons and forest-wide searches at that site do not cross the WAN link.
Primary functions: hold universal group membership information, and make objects anywhere in the forest easy to locate.
Shared folders with security groups (the AGDLP pattern: Accounts go into Global groups, Global groups into Domain Local groups, Domain Local groups get the Permissions)
Create a user, e.g. Naveen
Create a security group with Global scope, e.g. Helpdesk docs
Add the user to the Global security group
Create another security group with Domain Local scope, e.g. helpdesk docs_folder
Add the Global group to the Domain Local group
Create a folder and share it
Grant the Domain Local security group permission on the shared folder (share permission and NTFS permission); do not grant Everyone
Then log in as the user and try to access the folder.
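The same procedure in PowerShell, as an added example (not from the original notes), using the ActiveDirectory and SmbShare modules on Server 2012 R2 or later. The local path D:\Shares\HelpdeskDocs and the share name are assumptions; the user and group names are the ones from the steps above.

```powershell
# Added example, not from the original notes. Implements the AGDLP steps above with the
# ActiveDirectory and SmbShare modules (Server 2012 R2+). Assumed: it runs on the file
# server as a domain admin; 'D:\Shares\HelpdeskDocs' and the share name are placeholders.
Import-Module ActiveDirectory

$user        = 'Naveen'                  # user from the notes
$globalGroup = 'Helpdesk docs'           # Global group: collects accounts
$localGroup  = 'helpdesk docs_folder'    # Domain Local group: carries the permission
$sharePath   = 'D:\Shares\HelpdeskDocs'  # assumed local path on the file server
$shareName   = 'HelpdeskDocs'            # assumed share name
$domain      = (Get-ADDomain).NetBIOSName

# A -> G: accounts go into a Global group.
New-ADGroup -Name $globalGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $globalGroup -Members $user

# G -> DL: the Global group is nested in a Domain Local group.
New-ADGroup -Name $localGroup -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity $localGroup -Members $globalGroup

# DL -> P: create the folder, share it, and grant the Domain Local group only.
# No 'Everyone'. Effective access is the more restrictive of share and NTFS permissions.
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
New-SmbShare -Name $shareName -Path $sharePath -ChangeAccess "$domain\$localGroup" -FullAccess 'BUILTIN\Administrators'

# NTFS: disable inheritance (dropping inherited ACEs such as Users:Read), then grant
# Administrators and SYSTEM Full Control and the Domain Local group Modify.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', $inherit, 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$localGroup", 'Modify', $inherit, 'None', 'Allow')))
Set-Acl -Path $sharePath -AclObject $acl

# Verify: share ACL, NTFS ACL, and the chain user -> Global -> Domain Local.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $sharePath).Access | Select-Object IdentityReference, FileSystemRights
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name, GroupScope
Get-ADGroupMember -Identity $localGroup | Select-Object Name, objectClass
```

Group membership is written into the user's token at logon, so the user must log off and on again before the access test in the last step of the procedure succeeds.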
Profiles provide the basic working environment for a user.
Basic environment:
1. Desktop settings
2. Startup applications
3. Network connections
Profiles are of 3 types:
1. Local profile
2. Roaming profile
3. Mandatory profile
Local profile: a profile created for the user and stored on the local hard drive (under C:\Users) while the user works; the changes are saved when the user logs off.
A local profile exists only on the machine where it was created.
A user who has only a local profile gets a fresh profile on every other machine they log on to.
Roaming profile: a profile stored in a shared folder on a server, and therefore available across the network.
When the user logs on, the roaming profile is downloaded to the machine; when the user logs off, the changes are copied back to the share.
Creating a roaming profile:
On the DC (or a file server)
Create a user account
Create a folder and share it. The original steps give Everyone Full Control; in practice grant Authenticated Users Change at the share level and restrict NTFS so that each user can reach only their own profile folder (Administrators, SYSTEM and CREATOR OWNER with Full Control; Authenticated Users with List folder and Create folders only). On a world-writable profile share any user can tamper with another user's NTUSER.DAT.
Start > Programs > ADUC
Double-click the user
Profile tab
Profile path, e.g. \\sys1\profile\username (%username% can be used when editing several users at once)
Apply, OK
Move to the member server
Log in as the user
My Computer > Properties > Advanced > User Profiles Settings; the Type column should show "Roaming".
Mandatory profile: a profile used to enforce a fixed desktop environment. In particular, it stops users from permanently saving data, settings or configuration changes to the profile.
It is a type of roaming profile whose changes are not saved when the user logs off. Changes exist only for the session in which the user is active.
Creating a mandatory profile:
Open the profiles share you created for roaming profiles
There will be a folder for the user (created the first time the user logged off)
Take ownership of the user's folder:
Right-click the folder > Properties > Security > Advanced > Owner > Administrators
Check "Replace owner on subcontainers and objects" > Apply > OK
Open the folder
Rename the file NTUSER.DAT to NTUSER.MAN (it is a hidden file, so show hidden files first)
Go back and give the permissions (ownership) back:
Folder > Properties > Security > Advanced
Check "Allow inheritable permissions" and "Replace permission entries on all child objects" > Apply > OK
Verifying:
Move to the client machine
Log in as the user
Make some desktop changes, create or delete a folder
Log off and log on again: the changes are gone
To turn a mandatory profile back into a roaming profile, rename NTUSER.MAN back to NTUSER.DAT.
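The roaming and mandatory profile procedures above in PowerShell, as an added example that is not from the original notes. It creates the share with the restrictive permissions described, sets the profile path with Set-ADUser, and converts the profile to mandatory by renaming the hive. The local path D:\Profiles and the server name sys1 are assumptions; the share name and user follow the notes.

```powershell
# Added example, not from the original notes. Creates the profile share with restrictive
# permissions, sets a roaming profile path, and converts it to a mandatory profile.
# Assumed: runs on the file server 'sys1' as a domain admin; 'D:\Profiles' is a placeholder.
Import-Module ActiveDirectory

$profileRoot = 'D:\Profiles'   # assumed local path behind the 'profile' share
$shareName   = 'profile'
$user        = 'naveen'

# Share permission: Authenticated Users get Change, Administrators Full Control. Not Everyone.
New-Item -Path $profileRoot -ItemType Directory -Force | Out-Null
New-SmbShare -Name $shareName -Path $profileRoot -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FullAccess 'BUILTIN\Administrators'

# NTFS on the root: users may list the root and create their own folder, nothing more.
# CREATOR OWNER (inherit-only) gives each user Full Control of the folder they create.
$acl = Get-Acl -Path $profileRoot
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    @('BUILTIN\Administrators',           'FullControl',                     'ContainerInherit,ObjectInherit', 'None'),
    @('NT AUTHORITY\SYSTEM',              'FullControl',                     'ContainerInherit,ObjectInherit', 'None'),
    @('CREATOR OWNER',                    'FullControl',                     'ContainerInherit,ObjectInherit', 'InheritOnly'),
    @('NT AUTHORITY\Authenticated Users', 'ListDirectory,CreateDirectories', 'None',                           'None')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $r[2], $r[3], 'Allow')))
}
Set-Acl -Path $profileRoot -AclObject $acl

# Roaming: point the account at the share. Windows appends a version suffix to the folder
# it creates (.V2 on Server 2008/Windows 7, .V4 on 2012 R2/8.1, .V6 on 2016+/Windows 10).
Set-ADUser -Identity $user -ProfilePath "\\sys1\$shareName\$user"
Get-ADUser -Identity $user -Properties ProfilePath | Select-Object SamAccountName, ProfilePath

# Mandatory: after the user has logged on and off once, take ownership (Administrators)
# of the folder and rename the hidden NTUSER.DAT to NTUSER.MAN. Changes are then discarded at logoff.
$userFolder = Get-ChildItem -Path $profileRoot -Directory -Filter "$user*" | Select-Object -First 1
if ($userFolder) {
    takeown /F $userFolder.FullName /A /R /D Y | Out-Null
    $hive = Join-Path -Path $userFolder.FullName -ChildPath 'ntuser.dat'
    if (Test-Path -Path $hive) { Rename-Item -Path $hive -NewName 'ntuser.man' -Force }
}
# To revert to a roaming profile, rename NTUSER.MAN back to NTUSER.DAT.
```

Because the user's profile folder inherits the Administrators Full Control entry from the root, the takeown step is usually not needed with these NTFS permissions; it is kept because the notes' own steps include it and it is required when the share was created with the user as sole owner.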
Questions and Answers
What is Active Directory? Active Directory is a centralized directory database that contains information about users, groups, computers, OUs and so on. It provides authentication and authorization for clients in a domain and is used to manage the network centrally.
Where is the Active Directory database file stored? C:\Windows\NTDS\ntds.dit (by default)
What is the file name in which Active Directory is stored? ntds.dit
Which protocol is used to query Active Directory? LDAP (Lightweight Directory Access Protocol); authentication uses Kerberos (with NTLM as a fallback).
How many partitions are there in Active Directory? Four:
Schema partition
Configuration partition
Domain partition
Application partition
How do you check the FSMO role holders in Windows Server?
Ans: netdom query fsmo (or, in PowerShell, Get-ADForest for the forest roles and Get-ADDomain for the domain roles)
How many files are created in the NTDS folder? Briefly describe them.
ntds.dit: NT Directory Services, Directory Information Tree; the database itself
edb.chk: the checkpoint file, which records which log transactions have already been written into the database
edb.log: the current transaction log (older logs not yet purged are named edbxxxxx.log)
res1.log and res2.log: reserved transaction logs, pre-allocated so the DC can still record transactions when the disk fills (edbres00001.jrs and edbres00002.jrs on newer versions)
What is the SYSVOL folder?
SYSVOL means System Volume. It is a shared folder (\\domain\SYSVOL, by default C:\Windows\SYSVOL) present on every DC and replicated between them (by FRS or, on newer domains, DFS-R). It holds the Group Policy Templates (the file part of each GPO), logon scripts and the NETLOGON share.
What are the logical and physical structures of AD?
Logical structure: domains, trees, forests and OUs
Physical structure: domain controllers and sites
How do you take a backup of AD?
Ans: back up the System State, which includes the AD database, SYSVOL and the registry. Tools: ntbackup (Server 2003) and wbadmin start systemstatebackup (Server 2008 and later).
What do DC, CDC, ADC and RODC stand for?
Ans: Domain Controller, Child Domain Controller, Additional Domain Controller and Read-Only Domain Controller
What is an object, with an example of a distinguished name?
Ans: Objects are located within Active Directory domains according to a hierarchical path made up of the components of the domain name and each level of container objects. The full path to an object is its distinguished name (DN). The name of the object itself, separate from the path to it, is its relative distinguished name (RDN).
Example: CN=Smith,OU=Sales,DC=ABC,DC=com (the RDN is CN=Smith)

What is an OU?
OU stands for Organizational Unit. It is a container for users, groups, computers and other OUs, and is the level at which Group Policy is linked and administration is delegated.
Why do we create OUs?
They let us manage users and groups by department, apply Group Policy per department, delegate administration of a department to its own admins, and make it easy to see which department a user belongs to.
What is a domain?
A domain is a collection of computers, users, groups and other objects on a network that share a common directory database, common security policies and trust relationships with other domains. Installing Active Directory Domain Services creates the domain so that security can be managed centrally.
What is the difference between a domain and a domain controller?
Ans: A domain is the logical grouping of objects described above. A domain controller is a server within the domain that holds a copy of the directory database and authenticates the domain's users and computers. From a domain controller a network administrator can create or delete accounts and manage privileges and security for the whole domain.
What is a forest?
Ans: A forest is a collection of one or more trees that share a common global catalog, directory schema, logical structure and directory configuration. The forest is the security boundary: users, groups and other objects are trusted only within the forest unless a forest trust is created.
What is a tree?
Ans: A tree is a collection of domains that share a contiguous DNS namespace (such as abc.com > it.abc.com > south.it.abc.com)
What is the difference between role transfer and seizing?
Ans: A transfer is the planned move of an FSMO role while the current holder is online and healthy (for example before it is taken down for maintenance); the two DCs agree on the move and the role's data is replicated first.
A seizure is the forced move of a role when the holder is dead and will not return; it is performed on the surviving DC with ntdsutil (or Move-ADDirectoryServerOperationMasterRole -Force). A DC whose roles have been seized must never be brought back onto the network, because two DCs would then claim the same role.
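An added example, not from the original notes, that ties together the schema master transfer procedure, the FSMO check question and the transfer-versus-seizure question using the ActiveDirectory module. The DC name DC02 is an assumption; the account is assumed to be in Schema Admins (needed for the Schema Master) and Enterprise Admins (needed for the Domain Naming Master).

```powershell
# Added example, not from the original notes. Covers the schema master transfer described
# earlier, the FSMO check, and the difference between transfer and seizure, using the
# ActiveDirectory module. Assumed: 'DC02' is the new Windows Server 2012 R2 DC; the account
# running it is in Schema Admins (schema master) and Enterprise Admins (domain naming master).
Import-Module ActiveDirectory

# Where are the roles now? Forest roles come from Get-ADForest, domain roles from Get-ADDomain.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
Get-FsmoHolders | Format-List
netdom query fsmo                       # the classic command-line equivalent

$newDc = 'DC02'

# Transfer: both DCs are online; the current holder hands the role over and the
# role-specific data (e.g. the RID pool) is replicated first.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole SchemaMaster -Confirm:$false

# Seizure: the old holder is dead. -Force takes the role without contacting it.
# Only do this when the old holder will never return; if it did, two DCs would claim the role.
# Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
#     -Force -Confirm:$false

# Verify the new holder and that the schema partition replicates to it.
(Get-FsmoHolders).SchemaMaster
repadmin /showrepl $newDc | Select-String -Pattern 'CN=Schema' -Context 0, 3
```

The seizure command is left commented out on purpose: run it only from a DC that will keep the role, after confirming with repadmin that the dead holder's last changes have already replicated.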
How do you recover deleted AD users?
Ans: 2012: open Run and type dsac.exe to start Active Directory Administrative Center. Click the domain (e.g. abc.com) > Deleted Objects, select the deleted user and click Restore (or Restore To for a different OU). This requires the Active Directory Recycle Bin to have been enabled before the deletion.
2008: there is no Recycle Bin GUI. A deleted object survives as a tombstone; it can be reanimated over LDAP with ldp.exe, which brings back the SID but only a few attributes, or restored completely with an authoritative restore (ntdsutil) from a System State backup. On 2008 R2 the Recycle Bin can be enabled and objects restored with Restore-ADObject, without a GUI.
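The Recycle Bin restore in PowerShell, as an added example that is not from the original notes. It performs the same operation as the ADAC steps above with the ActiveDirectory module. The deleted user naveen and the forest abc.com are assumptions.

```powershell
# Added example, not from the original notes. Recovers a deleted user with the AD Recycle Bin
# (Server 2008 R2+ forest functional level) using the ActiveDirectory module, the same
# operation the ADAC GUI performs. Assumed: the user 'naveen' was deleted; 'abc.com' is the forest.
Import-Module ActiveDirectory

# One-time, irreversible: enable the Recycle Bin. Objects deleted BEFORE this cannot be restored
# this way (only tombstone reanimation or an authoritative restore remains).
$forest = Get-ADForest
if (-not (Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"').EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Deleted objects live under CN=Deleted Objects with isDeleted=TRUE and a mangled name
# such as 'naveen\0ADEL:<guid>'; lastKnownParent records where they came from.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged |
    Select-Object sAMAccountName, lastKnownParent, whenChanged

# Restore one user. The object comes back with its original SID and group memberships,
# which re-creating the account by hand would not reproduce. The lastKnownParent must exist:
# if the OU was deleted too, restore the OU first (or use -TargetPath to put the user elsewhere).
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "naveen"' -IncludeDeletedObjects
Restore-ADObject -Identity $deleted.ObjectGUID

Get-ADUser -Identity 'naveen' -Properties memberOf | Select-Object Name, Enabled, memberOf
```

The objectClass filter also matches computer accounts, since computer is a subclass of user; narrow it with sAMAccountName, as the restore step does, when the list is long.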
GPO: we can create a GPO under the Group Policy Objects container in GPMC and link it to an OU by dragging it onto the OU, or right-click the OU and select "Create a GPO in this domain, and Link it here..." or "Link an Existing GPO...".
How to stop a domain-level policy reaching a particular OU: right-click the OU and select Block Inheritance. GPOs linked higher up (domain, site) then no longer apply to that OU, except links marked Enforced. Alternatively, link a new GPO to the OU that sets the conflicting settings the other way; the OU-level link is processed last and wins.
If we set Enforced on a GPO link, that link cannot be blocked by Block Inheritance at lower levels, and its settings win any conflict with GPOs linked closer to the user or computer. Enforced does not disable the other policies; they still apply where they do not conflict.
Enforcement and security filtering are independent: whether enforced or not, a GPO applies only to users and computers that have both Read and Apply Group Policy permission on it (by default Authenticated Users).
How to deny a GPO to particular users:
Create a security group
Add the users on the Members tab
Open GPMC and select the GPO
Go to the Delegation tab
Click Advanced
Add the group
Select Deny for Apply group policy
A Deny entry overrides every Allow and is easy to overlook when troubleshooting. The cleaner alternative is to remove Apply Group Policy from Authenticated Users, keep Read for it (computers must still be able to read user GPOs since MS16-072), and grant Apply only to the group that should receive the GPO.
How to turn off the Windows Sidebar:
Go to GPMC
Create a new Group Policy Object
Right-click it and select Edit
Go to Computer Configuration > Policies > Administrative Templates
Windows Components
Windows Sidebar
Set "Turn off Windows Sidebar" to Enabled
Loopback processing
Normally the User Configuration settings applied at logon come from the GPOs linked to the OU that contains the user object. Loopback processing makes the GPOs linked to the computer's OU supply the User Configuration settings instead, which is what kiosks, terminal servers and lab machines need: the experience must follow the machine, not the user.
1. Merge mode
2. Replace mode
Merge mode: the user's own GPOs are applied first, then the User Configuration settings from the computer's GPOs are applied on top and win any conflicts.
Replace mode: the user's own GPOs are ignored; only the User Configuration settings from the computer's GPOs are applied.
How to enable loopback:
Edit the GPO linked to the computer's OU
Computer Configuration
Policies
Administrative Templates
System
Group Policy
"Configure user Group Policy loopback processing mode" (called "User Group Policy loopback processing mode" in older versions)
Enable it
Select the mode, either Merge or Replace
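The GPO operations from this section in PowerShell, as an added example that is not from the original notes: linking, Block Inheritance, Enforced, security filtering done as an allow-list instead of a Deny entry, and loopback processing through the registry value the ADMX setting writes. The OU, the GPO names and the exempt group are assumptions; the group Helpdesk docs is the one from the earlier share exercise.

```powershell
# Added example, not from the original notes. Shows the GPO operations from this section
# with the GroupPolicy module: linking, Block Inheritance, Enforced, security filtering
# without Deny ACEs, and loopback processing. Assumed names: the OU and both GPOs.
Import-Module GroupPolicy

$ou       = 'OU=Helpdesk,DC=abc,DC=com'   # assumed OU
$gpoName  = 'Helpdesk Desktop'            # assumed GPO for the filtering example
$kioskGpo = 'Kiosk Lockdown'              # assumed GPO for the loopback example
$applyTo  = 'Helpdesk docs'               # group that should receive the GPO (from the notes)

# Create the GPO and link it to the OU.
New-GPO -Name $gpoName | New-GPLink -Target $ou -LinkEnabled Yes | Out-Null

# Block Inheritance: GPOs linked at the domain or site no longer reach this OU,
# except links marked Enforced.
Set-GPInheritance -Target $ou -IsBlocked Yes

# Enforced: this link ignores Block Inheritance below it and wins conflicts with GPOs
# linked closer to the object.
Set-GPLink -Name $gpoName -Target $ou -Enforced Yes

# Security filtering as an allow-list. -Replace removes Apply from Authenticated Users and
# leaves Read, which computers need in order to process user GPOs (MS16-072). Then grant Apply
# to the intended group. The GroupPolicy module cannot write Deny ACEs, which is the point.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $applyTo -TargetType Group -PermissionLevel GpoApply

# Loopback is a Computer Configuration setting. The ADMX setting writes this registry value:
# UserPolicyMode 1 = Merge, 2 = Replace.
New-GPO -Name $kioskGpo | New-GPLink -Target $ou -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $kioskGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# Verify: link order and flags on the OU, who can apply the filtered GPO, and the loopback value.
(Get-GPInheritance -Target $ou).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
Get-GPRegistryValue -Name $kioskGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
```

On a client, gpupdate /force followed by gpresult /h report.html shows which of these GPOs were applied, which were denied by security filtering, and whether loopback was in effect.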
Deploying applications to the desktop (Software Installation policy, .msi packages)
Assigning software:
1. You can assign a program to users or to computers.
2. If you assign a program to a user, it is advertised (shortcuts and file associations appear) when the user logs on to the computer. When the user first runs the program, the installation is completed.
3. If you assign a program to a computer, it is installed when the computer starts and is available to all users who log on to that computer.
Publishing software:
1. You can publish a program to users only, not to computers.
2. When the user logs on to a computer, the published program is listed in Add/Remove Programs (Programs and Features > Install a program from the network) and can be installed from there.
Active Directory is a centralized database that contains information about objects like users, groups, printers, computers, etc.
DC: a server on which AD DS is installed is called a DC (Domain Controller).
Functions of AD: it provides a single point of administration to manage, organize and control resources.
Purpose of AD:
1. Provide user logon authentication services.
2. Organize, manage and control user accounts, groups, computers and network resources.
3. Enable authorized users to easily access network resources.
Features of AD:
Fully integrated security system based on Kerberos.
Flexible (install/uninstall)
Scalable to any size of network
Extensible (the schema can be modified)
Easy administration with Group Policy.
New features (Windows Server 2012 R2):
Data Deduplication: makes it possible to store more file data in less space on the volume.
Software Inventory Logging: collects licensing data about software installed on a Windows Server and provides remote access to the data so it can be aggregated easily by a datacenter.
Windows PowerShell: a task-based command-line shell and scripting language; Server 2012 R2 ships PowerShell version 4.0.
Evolution of LDAP:
Earlier there was no directory standard. ITU and ISO introduced X.500, approved in 1988. LDAP was created as a lighter-weight protocol for accessing X.500-style directories over TCP/IP.
LDAP: Lightweight Directory Access Protocol. It is used to query and modify the objects in AD.
Port: TCP 389 (636 for LDAP over SSL/TLS; 3268/3269 for the Global Catalog)
ADC: Additional Domain Controller. A second writable DC in the same domain that holds a full replica of the directory. It is not read-only; only an RODC is.
Before promoting, set the server's preferred DNS to the IP of an existing DC.
Run dcpromo (Server 2008 and earlier; on 2012 and later use Server Manager > Add Roles and Features > AD DS > Promote this server, or Install-ADDSDomainController) > Next > Next > select "Additional domain controller for an existing domain"
Enter the credentials of a Domain Admin
Enter the domain name of the existing DC
Browse to the domain
Next > Next > set the Directory Services Restore Mode (DSRM) password.
An ADC holds a full copy of AD. Because AD uses multi-master replication, changes can be made on any writable DC; the Read-Only Domain Controller (RODC) is the only read-only type.
An ADC provides fault tolerance and load balancing.
There can be any number of ADCs in a domain.
An ADC is usually placed at a different site from the first DC so that a site outage does not take authentication down.
An ADC serves the same domain name.
Verifying whether a DC holds the PDC Emulator role:
Open cmd as administrator and type net accounts
On the DC holding the PDC Emulator role, "Computer role" shows PRIMARY
On the other DCs it shows BACKUP
(This distinguishes the PDC Emulator from the other DCs; it does not mean the other DCs are read-only.)
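The dcpromo steps above done with the ADDSDeployment module, as an added example that is not from the original notes, followed by a check that the new DC is writable. The domain abc.com, the existing DC's IP 10.10.0.10 and the adapter alias Ethernet are assumptions.

```powershell
# Added example, not from the original notes. Promotes a member server to an additional
# (writable) DC with the ADDSDeployment module, the 2012 R2 equivalent of the dcpromo steps
# above, then verifies the result. Assumed: domain 'abc.com', existing DC at 10.10.0.10,
# adapter alias 'Ethernet'; the account is a Domain Admin.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Preferred DNS must point at an existing DC before promotion.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.10.0.10'

# The DSRM password protects the offline copy of the database (ntds.dit) on this DC; store it
# as carefully as the Domain Admin password. -ReadOnlyReplica would make an RODC instead.
$params = @{
    DomainName                    = 'abc.com'
    Credential                    = Get-Credential -UserName 'ABC\Administrator' -Message 'Domain Admin'
    SafeModeAdministratorPassword = Read-Host -AsSecureString -Prompt 'DSRM password'
    InstallDns                    = $true
    SiteName                      = 'Default-First-Site-Name'
    NoRebootOnCompletion          = $false
    Force                         = $true
}
Install-ADDSDomainController @params

# After the reboot, from any DC:
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly, IsGlobalCatalog, OperationMasterRoles
# IsReadOnly is False for an additional DC; only an RODC shows True.
net accounts        # 'Computer role: BACKUP' here; PRIMARY only on the PDC Emulator
repadmin /replsummary
```

Test-ADDSDomainControllerInstallation accepts the same parameters and runs the prerequisite checks without making changes; run it first on a production server.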
Active Directory components:
Logical components:
Domain: a logical grouping of users, computers and other objects that share one directory database, one set of security policies and one DNS name (e.g. abc.com). A server on which AD DS is installed is a domain controller, not the domain itself.
Trees: a group of domains that share a contiguous namespace. If more than one domain exists we can combine them into a hierarchical tree structure. The first domain created is the root domain of the first tree; additional domains are child domains. A domain immediately above another domain in the same tree is called the parent domain.
Forest: one or more domain trees that share a common schema, configuration and global catalog but not a contiguous namespace. Trees in a forest do not share a domain name space.
The first domain created in a forest is the forest root domain.
Two forest-wide predefined groups, Enterprise Admins and Schema Admins, reside in the forest root domain.
Organizational Units: a container that can be used to group most other object classes together for administrative purposes, such as delegating control and linking Group Policy.
Technically, the object class used to build these hierarchies is organizationalUnit.
Physical components:
Site: a set of TCP/IP subnets connected by high-speed, reliable links. Sites control how replication is scheduled and which DC a client authenticates against (clients prefer a DC in their own site).
Replication types:
Intra-site replication: replication within the same site. DCs notify their partners of changes and replicate them within seconds, uncompressed, over RPC; the KCC builds a ring topology between the DCs in the site.
Inter-site replication: replication between two different sites, used when the sites are separated by slower WAN links.
It requires a site link. A site link is a logical connection between sites with a cost, a replication interval (default 180 minutes, minimum 15) and a schedule, all set by the administrator. Inter-site traffic is compressed and flows between one bridgehead server per site.
Site links allow replication only at the scheduled intervals, unless change notification is enabled on the link.
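The Sites and Services tasks listed at the start of these notes (creating sites and site links, scheduling replication, configuring the Global Catalog) in PowerShell, as an added example that is not from the original notes. The site names HQ and Branch, the subnets and the DC name DC02 are assumptions.

```powershell
# Added example, not from the original notes. Builds the site topology this section describes
# with the ActiveDirectory module: two sites, their subnets, a site link with cost, interval
# and schedule, a DC moved into the branch site and made a Global Catalog. Assumed names:
# sites 'HQ' and 'Branch', subnets 10.10.0.0/16 and 10.20.0.0/24, DC 'DC02'.
Import-Module ActiveDirectory

New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch'

# Site link: the KCC uses Cost to pick routes and ReplicationFrequencyInMinutes as the
# polling interval (default 180, minimum 15).
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' -Cost 100 `
    -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Schedule: allow inter-site replication only 20:00-06:00. The schedule is in 15-minute slots,
# so the overnight window is set as two daily ranges.
$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
$schedule.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity 'HQ-Branch' -ReplicationSchedule $schedule

# Move the branch DC into its site and make it a GC (bit 1 of the NTDS Settings 'options').
# OR-ing keeps any other option bits already set on the object.
Move-ADDirectoryServer -Identity 'DC02' -Site 'Branch'
$ntds = Get-ADObject -Identity (Get-ADDomainController -Identity 'DC02').NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }

# Verify: topology, schedule, GC flag and replication health.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationSchedule, Cost, ReplicationFrequencyInMinutes
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationPartnerMetadata -Target 'DC02' | Select-Object Partner, LastReplicationSuccess, LastReplicationResult
Get-ADReplicationFailure -Target 'DC02'
```

Until the KCC has run (every 15 minutes by default) the new connection objects will not exist; repadmin /kcc on the branch DC forces the recalculation so the verification commands show the new topology immediately.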