Eng. Basem Hamed
basemhamed@egyptnetriders.com
01001582348
Page 1



Egypt NetRiders | Press


About the Author: Eng. Basem Hamed


Network and Information Security Engineer
Working in Egypt NetRiders Company
Specializing in Microsoft networks
Interested in Cisco and Juniper
Editor at the Ciscawy Blog
Certified: MCSE, MCITP EA
CCNA, CCNA Security, CCNP R&S
CEH, CISM
JNCIA-Junos
RHCE
CWNA

About the Company: Egypt NetRiders

Integrated Network Solutions, specialized in Networks and Information Security.

Solutions
As a specialized company we focus on Networks and Information Security solutions.
We provide two basic services:
- Training courses on the technologies of network vendors such as Cisco, Juniper, Microsoft and CompTIA
- Network solutions such as analysis of large networks, design of network topologies and network security.
0507487156 _ 01150505639
http://www.egyptnetriders.com/
FB/EgyptNetRiders
Twitter/EgyptNetRiders
http://ciscawy.com/blog/

This Book is Powered By: Eng. Basem Hamed

Index
1st Book ........ 5
INTRO ........ 6
Preparing to Install Active Directory ........ 7
How to join a physical computer to the domain ........ 14
Types of AD DS Objects ........ 16
Difference between computer and user accounts ........ 17
Computer account ........ 17
User account ........ 18
Groups vs. Organizational Unit ........ 23
Groups ........ 25
Group Type ........ 25
Forest, Tree, Domain ........ 31
Additional domain controller ........ 33
"RODC" ........ 38
Child Domain ........ 50
Tree Root ........ 54
Active Directory Partitions ........ 59
FSMO Roles ........ 64
Active Directory Sites and Replication ........ 70
Trust ........ 77
Group Policy ........ 79
Deploy Software ........ 87
Restricted Groups ........ 91
Security in Group Policy ........ 93
Group Policy Templates ........ 104
Backup & Restore ........ 110
2nd Book ........ 119
Active Directory Certificate Services ........ 120
Certificates ........ 121
Installing Certificate Services ........ 122
KRA ........ 154
Active Directory Rights Management Services ........ 176
Active Directory Federation Services ........ 195
Install Federation Service ........ 212
Active Directory Lightweight Directory Services ........ 229
Resources ........ 242


Course 6425A: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6426A: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Course 6425A: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Active Directory


INTRO

Workgroup vs. Domain

Workgroup: every machine keeps its own local accounts and is administered on its own; there is no central point of control.

Domain: machines join the domain (Domain Join) and are administered from the domain controller, which gives Security and Centralized Administration.
A domain can be built on the Windows Server family or on other platforms such as RedHat; this book uses Windows Server.
Windows Server family: from Windows NT Server through Windows Server 2008 R2 and Windows Server 2012.
The subject of this book is Configuring and Troubleshooting Active Directory on Windows Server.

Preparing to Install Active Directory

The lab uses Windows Server 2008; check the Windows Server 2008 minimum requirements before starting.
Start > Run > oobe (Initial Configuration Tasks): set the computer name and a static IP address with its subnet mask.
Active Directory recommendations: a static IP address, and the DNS server address set to the domain controller's own IP.
Start > Run > dcpromo to install Active Directory.
If dcpromo shows an error message that the Active Directory Domain Services binaries are not installed:
Server Manager > Roles > Add Roles > Server Roles > Active Directory Domain Services > Next > Install > Finish.
Then run dcpromo again on the machine that will become the Domain Controller; the errors are gone.
Tick "Use advanced mode installation" when you need the extra wizard pages (needed later for a child domain).
Choose the deployment type: a new Forest, a new Tree, a new Domain, or a Child domain (each is covered in its own section).
FQDN: type the fully qualified domain name of the new forest root domain; dcpromo checks that the domain name and the forest name are not already in use.
Forest Functional Level: Windows 2000, Windows Server 2003 or Windows Server 2008. The level decides which versions may be domain controllers: at the 2000 level, 2000/2003/2008 DCs; at the 2003 level, 2003/2008 DCs; at the 2008 level, 2008 DCs only.
Forest functional level: provides a means of enabling additional forest-wide Active Directory features, removes outdated backward compatibility from the environment, and improves Active Directory performance and security.
Raising the level (for example from 2003 to 2008 after the last 2003 DC has been upgraded) is done from Active Directory Domains and Trusts (Raise Domain Functional Level / Raise Forest Functional Level) and is one-way.


DNS: dcpromo offers to install the DNS server role on the domain controller; the machine's own DNS address should then be its own IP.
Global Catalog (GC): holds a copy of every object of every domain in the forest, with a subset of the attributes, so that a search across trusted domains can be answered from one place.
A partition of the data store called the global catalog (also known as the partial attribute set) contains information about every object in the directory.
It can be used to locate objects in the directory. Programmatic interfaces such as Active Directory Services Interface (ADSI) and protocols such as LDAP can be used to read and manipulate the data store.
By default the first domain controller in the forest is a Global Catalog. Without a GC, a search in one domain cannot see the objects of the other domains in the forest.


Answer Yes to the DNS delegation warning; DNS is installed on the Active Directory server by default.
Directory Services Restore Mode (DSRM) password: needed to boot the DC into restore mode and restore Active Directory from a backup; keep it in a safe place, it is a second administrator password for the machine.
Requirements summary before running dcpromo: static IP, DNS pointing to the DC, and the AD DS binaries installed.
After the restart the machine is a domain controller, and the logon name now has the form DOMAIN\user.

How to join a physical computer to the domain?

The steps are the same for Windows XP, Vista and 7 joining a Windows Server 2008 domain.
1- Give the client an IP address in the same range as the domain controller.
2- Set the client's DNS server to the domain controller's IP (the client must resolve the domain name through the DC's DNS, otherwise the join fails).
3- Right-click My Computer > Properties > Change settings (Workgroup section) > Change.
4- Select Domain and type the domain name.
5- Enter the credentials of a domain account allowed to join computers (for example the domain Administrator).
6- The "Welcome to the domain" message appears; restart the computer.

Types of AD DS Objects
Every object is described by its attributes.
User accounts: enable single sign-on for a user; provide access to resources.
Computer accounts: enable authentication and auditing of computer access to resources.
InetOrgPerson: similar to a user account; used for compatibility with other directory services.
Organizational Unit: used to group similar objects for administration and for applying group policies.
Group accounts: help simplify administration and applying permissions.
Printers: used to simplify the process of locating and connecting to printers.
Shared folders: used to simplify the process of locating and connecting to shared folders.
To create any of them: Start > Administrative Tools > Active Directory Users and Computers > right-click the domain (or an OU) > New.

Difference between computer and user accounts!!

Each user has a user account, and each computer that joins the domain has a computer account: the user account authenticates the person, the computer account authenticates the machine. Both are security principals with a SID and a password (the computer's password is managed automatically).
How to create each of them?
Start > Administrative Tools > Active Directory Users and Computers > right-click the domain > New.

Computer account
When a machine (Windows 2000 or later) joins the domain, its computer account is created automatically in the Computers container; on 2003 and later you can pre-create the account in an OU of your choice before the join, so the computer lands there and receives that OU's policies.

User account
The full name and the logon name are required; the full name is what appears in the Start menu.
An account can be disabled (Account is disabled) instead of deleted, for example for a user who is away: hackers cannot use it meanwhile, and the SID and group memberships are preserved for the user's return.
Creating 100 user accounts from the GUI is slow; from cmd it is one line per user:
dsadd user "cn=ahmed,ou=it,dc=ciscawy,dc=com"
dsadd is one of the Directory Services commands. cn is the common name (not the canonical name), ou=it is the organizational unit, and dc=ciscawy,dc=com is the ciscawy.com domain.
A user created this way without a password is disabled; add a password that meets the domain's complexity rules to get an enabled account:
dsadd user "cn=ahmed,ou=it,dc=ciscawy,dc=com" -pwd P@ssw0rd
Create an OU named sales in the ciscawy.com domain:
dsadd ou "ou=sales,dc=ciscawy,dc=com"

DS commands: the following DS commands are supported in Windows Server 2008 R2:
DSadd - Creates an object in the directory.
DSget - Returns specified attributes of an object.
DSmod - Modifies specified attributes of an object.
DSmove - Moves an object to a new container or OU.
DSrm - Removes an object, all objects in the subtree beneath a container object, or both.
DSquery - Performs a query based on parameters provided at the command line and returns a list of matching objects.
OU, group and user objects can all be created this way: prepare the commands in a text file and paste them into cmd.
For the full dsadd syntax see Windows Server Help and Support.
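The same bulk creation with the Active Directory PowerShell module (Windows Server 2008 R2 and later), as an added example that is not part of the book: it creates the OU if it is missing, gives every account its own random initial password instead of one shared password, and forces a change at first logon. The domain ciscawy.com, the OU name "it" and the two sample users are assumptions for the lab.

```powershell
# Added example: bulk user creation with the ActiveDirectory module (Server 2008 R2+).
# Assumed lab values: domain ciscawy.com, OU "it"; the user list below is constructed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=ciscawy,DC=com
$ouName   = 'it'
$ouDN     = "OU=$ouName,$domainDN"

# Create the OU only if it does not exist; keep it protected from accidental deletion.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Constructed sample list; in practice read it with Import-Csv.
$users = @(
    [pscustomobject]@{ Sam = 'ahmed'; Given = 'Ahmed'; Surname = 'Ali'   },
    [pscustomobject]@{ Sam = 'mona';  Given = 'Mona';  Surname = 'Samir' }
)

$chars = [char[]]((48..57) + (65..90) + (97..122))       # digits, upper, lower

foreach ($u in $users) {
    # One random initial password per account; the user replaces it at first logon.
    $plain  = (-join ($chars | Get-Random -Count 14)) + '!'
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    New-ADUser -Name "$($u.Given) $($u.Surname)" `
               -SamAccountName $u.Sam `
               -UserPrincipalName "$($u.Sam)@ciscawy.com" `
               -GivenName $u.Given -Surname $u.Surname `
               -Path $ouDN `
               -AccountPassword $secure `
               -ChangePasswordAtLogon $true `
               -Enabled $true

    # Hand the initial password to the user out of band; never write it to a log.
    Write-Host "created $($u.Sam) in $ouDN"
}

# Verify: every account in the OU is enabled and must change its password at next logon.
Get-ADUser -SearchBase $ouDN -Filter * -Properties PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordExpired
```

dsadd creates a disabled account when no password is given; New-ADUser behaves the same way unless -AccountPassword and -Enabled are both supplied, which is why both appear above.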

User Templates:
When many users share the same attributes (department, group memberships, logon hours), create one user with those attributes, then right-click it > Copy; the copy keeps the shared attributes and you only fill in the name and password.

Security Identifier (SID):
Every security principal (user, computer, group) gets a unique identifier, the SID; Active Directory grants permissions to the SID, not to the name, so renaming an account does not change its access.
A domain user SID has the form S-1-5-21-<domain identifier>-<RID>, for example (illustrative): S-1-5-21-1045337234-1292470899-568327671-1900. The three 32-bit sub-authorities after 21 identify the domain; the last number (the relative identifier, RID) identifies the account inside that domain.
To see your own SID: Start > Run > cmd > whoami /user.

Types of users (local account types):
Power user: rights just below the Administrator account.
Guest user: disabled by default.
Limited user: does only what it was created for.

UPN (User Principal Name):
The logon name in user@domain form (for example ahmed@ciscawy.com); the user can log on with it instead of DOMAIN\user.
To add alternative UPN suffixes: Start > Administrative Tools > Active Directory Domains and Trusts > right-click the root node > Properties > UPN Suffixes.
Then in Start > Administrative Tools > Active Directory Users and Computers > user Properties > Account tab, choose the suffix after the @ (a Windows 7 client shows the UPN at the logon screen).

Security-wise, the default UPN suffix reveals the internal domain name (footprinting). An alternative suffix keeps the real domain name out of anything a user types or shows in public.
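An added example (not from the book) that takes the SID apart and uses the RID the way an auditor does: the built-in Administrator always has RID 500, so the "Accounts: Rename administrator account" security option described in the Group Policy chapter slows an attacker down but cannot hide the account. It assumes the ActiveDirectory module on a domain-joined machine; the function name Split-Sid and the membership report are my own.

```powershell
# Added example: split a SID into domain part and RID, find the real built-in Administrator
# by RID 500 whatever it has been renamed to, and tag well-known RIDs in Domain Admins.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # A domain SID is S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>; the RID is the last component.
    $parts = $Sid -split '-'
    [pscustomobject]@{
        DomainSid = ($parts[0..($parts.Count - 2)] -join '-')
        Rid       = [int]$parts[-1]
    }
}

# Current user's SID (the same value "whoami /user" prints).
$me = Split-Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
"my domain SID: $($me.DomainSid), my RID: $($me.Rid)"

# Locate the built-in Administrator by SID, not by name.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate
"built-in Administrator is currently named '$($builtinAdmin.SamAccountName)' (enabled: $($builtinAdmin.Enabled))"

# Well-known RIDs worth recognising when reviewing privileged group membership.
$wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'; 512 = 'Domain Admins'; 519 = 'Enterprise Admins' }
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object {
        $rid = (Split-Sid $_.SID.Value).Rid
        $tag = if ($wellKnown.ContainsKey($rid)) { $wellKnown[$rid] } else { 'custom account' }
        "{0,-20} RID {1,-5} {2}" -f $_.SamAccountName, $rid, $tag
    }
```

Any account with RID 500 is the original Administrator regardless of its display name; that is also how password-guessing tools target it after a rename.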

Groups vs. Organizational Unit

Both hold users, but they carry different kinds of restrictions: permissions go on groups, policies go on OUs.
Groups: used to assign permissions (read, write ...) on resources such as shared folders.
O.U. (Organizational Unit): used to apply Group Policy and to delegate administration.
Start > Administrative Tools > Active Directory Users and Computers.

Organizational Unit (OU):
o A container inside the domain that organizes the Active Directory objects.
o OUs make the domain easier to monitor and troubleshoot, because objects are grouped the way the organization is.
o Group Policy is linked to an OU and applies to the users (or computers) inside it.

Protect Container from Accidental Deletion
OUs created on Windows Server 2008 are protected by default: deleting a protected OU fails, even for a domain administrator, until the protection is removed!!
To delete one:
View tab > Advanced Features.
Right-click the OU that you want to delete > Properties > Object tab > untick "Protect object from accidental deletion" > OK, then delete it.

GROUPS
A group is what permissions are assigned to: Read, Write, Full Control.
Start > Administrative Tools > Active Directory Users and Computers > right-click > New > Group.
To give the group permissions on a resource: right-click it > Properties > Security tab > Edit > Add > type the group name > Check Names > OK.
When a user is a member of several groups the permissions accumulate, but an explicit Deny overrides Allow: the most restrictive entry wins.

Group Type:
Distribution group: used only for e-mail distribution lists on a mail server such as Exchange; it cannot be given permissions.
Security group: used to assign permissions and policies (roles); it can receive e-mail as well.
Because every security group a user belongs to is evaluated at logon, putting mail-only lists into security groups adds to the logon delay.

Group scope:

Scope         | Members                                                        | Permissions (Access)
Global        | Users from the same domain only                                | Can be assigned in any trusted domain
Domain Local  | Users from any domain                                          | Can be assigned only within the same domain
Universal     | Users from any domain; membership saved in the Global Catalog  | Can be assigned in any trusted domain

Lab: with the child domain "blog.ciscawy.com" under ciscawy.com, create the three group scopes in ciscawy.com, then open a shared folder in the child domain: right-click the shared folder > Properties > Security tab > Edit > Add > Locations > choose the ciscawy.com domain > Object Types / Advanced > Find Now. The Global and Universal groups of the parent domain appear; the Domain Local group does not, because it can only be used inside its own domain!!

Converting scope: a Global group can be converted to Universal, and a Universal group to Domain Local (or back to Global), as long as the nesting rules below are not violated.

NESTED groups
1- Member of (which groups can this group be added to?):
Global       -> can be a member of: Universal, Domain Local, Global (same domain)
Domain Local -> can be a member of: only Domain Local (same domain)
Universal    -> can be a member of: Universal, Domain Local
To add a group to another group: double-click the group > Member Of tab > Add > Advanced > Find Now > pick the group.

2- Member in (which groups can be members of this group?):
Global       -> can contain: Global (same domain)
Domain Local -> can contain: Global, Universal, Domain Local (same domain)
Universal    -> can contain: Global, Universal
Double-click the group > Members tab > Add > Advanced > Find Now > pick the groups.
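The scope rules above are usually applied as AGDLP (Accounts into a Global group, the Global group into a Domain Local group, the Permission on the Domain Local group). The following added example, not from the book, builds that chain with the ActiveDirectory module and then shows the nesting rule being enforced. The group names, the NetBIOS domain name CISCAWY, the OU "it", the user ahmed and the folder path are assumptions.

```powershell
# Added example (not from the book): AGDLP with the three group scopes.
# Accounts -> Global group -> Domain Local group -> Permission on the resource.
# Assumed lab values: domain ciscawy.com (NetBIOS CISCAWY), OU "it", user ahmed, C:\Shares\Sales.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=it,$domainDN"

# Global group holds the people (its members must come from this domain).
New-ADGroup -Name 'G-Sales-Staff' -GroupScope Global -GroupCategory Security -Path $ouDN
Add-ADGroupMember -Identity 'G-Sales-Staff' -Members 'ahmed'

# Domain Local group holds the permission; it may contain Global groups from any trusted domain.
New-ADGroup -Name 'DL-Sales-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouDN
Add-ADGroupMember -Identity 'DL-Sales-Modify' -Members 'G-Sales-Staff'

# Grant the NTFS permission to the Domain Local group only, never to users directly.
$path = 'C:\Shares\Sales'
New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl  = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @('CISCAWY\DL-Sales-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Nesting rule check: a Domain Local group may only be a member of Domain Local groups,
# so adding it to the Global group must be rejected by the directory.
try {
    Add-ADGroupMember -Identity 'G-Sales-Staff' -Members 'DL-Sales-Modify' -ErrorAction Stop
} catch {
    "rejected as expected: $($_.Exception.Message)"
}

# Review who effectively has Modify on the folder through the nesting.
Get-ADGroupMember -Identity 'DL-Sales-Modify' -Recursive | Select-Object SamAccountName, objectClass
```

Keeping the permission on the Domain Local group means a new department in the child domain gets access by adding its own Global group, without touching the folder's ACL.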

Forest, Tree, Domain

The first domain is created by running dcpromo on the first Windows Server 2008 machine and choosing a new forest:
- this creates the Forest, and DNS is installed with it;
- the domain is the Forest Root Domain (the first domain of the forest);
- its first DC is a Global Catalog by default, sits in Default-First-Site-Name, and is the DNS server.
Other domain controllers and domains are then added to it:
- Additional domain controller: a second DC for the same domain, for load balancing and fault tolerance.
- Read-Only Domain Controller (RODC): a DC that holds a read-only copy of the domain.
- Child domain: a sub-domain under an existing domain (blog.ciscawy.com under ciscawy.com); created with the Enterprise Administrator's credentials.
- New Tree: a new domain with its own DNS name in the same forest (two companies such as Oracle and Sun sharing one forest as two trees); also created with the Enterprise Administrator's credentials.

o A Domain is the unit of administration; it can be a root, child, additional or tree domain.
o A Domain Controller is the machine that holds the Active Directory database of its domain.
o A Forest holds many trees, each with a different DNS name; a tree holds many domains that share one DNS name space.

Additional domain controller

When a domain grows (around 500 users and more), a single DC is both a bottleneck and a single point of failure. An Additional domain controller holds a second writable copy of the same objects and balances the logon load; users authenticate against either machine.
On the machine that will become the additional DC:
- TCP/IP: a static IP in the domain's range, with DNS pointing to the first DC.
- The machine name must resolve through the DC's DNS.
On the first DC, allow the new DC to receive the DNS zone (zone transfer):
Start > Administrative Tools > DNS > right-click the domain zone > Properties > Zone Transfers tab > Allow zone transfers > Only to the following servers > Edit > enter the additional DC's IP > OK > OK.
Never choose "To any server": a zone transfer hands out every host and service record of the domain, which is the first thing an attacker tries to enumerate. If the zone is Active Directory-integrated the new DC receives it through AD replication anyway, and this step is only needed for standard primary zones.
On the additional machine: Start > Run > cmd > dcpromo > Next.
Choose Existing forest > Add a domain controller to an existing domain, and enter the domain Administrator's credentials.
Next > Next; tick DNS server and Global Catalog (a second GC keeps logons working if the first DC fails); the same page offers to make it a Read-Only Domain Controller instead.
Set the Directory Services Restore Mode password; the installation replicates the domain to the new DC.
After the restart, open Start > Administrative Tools > Active Directory Users and Computers on the additional DC: all objects of the domain are there. Create an object on either DC and Refresh on the other to watch replication. The two DCs now share the load (load balancing).
Start > Administrative Tools > DNS > the domain zone > _tcp > double-click the _kerberos SRV record: the Priority and Weight fields decide which DC clients prefer (the lowest priority wins; among equal priorities, a higher weight receives more clients).
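An added example (not from the book) that applies the two checks from this section from PowerShell: restrict zone transfers to the additional DC only, and read the SRV records that decide which DC clients pick. It assumes the DnsServer and DnsClient modules (Windows Server 2012 and later; on 2008 the same settings are made in the DNS console or with dnscmd), the zone ciscawy.com, and the IPs 192.168.1.10 (first DC) and 192.168.1.11 (additional DC).

```powershell
# Added example: lock down zone transfers and inspect DC location records.
# Assumed lab values: zone ciscawy.com, first DC 192.168.1.10, additional DC 192.168.1.11.
Import-Module DnsServer

$zone     = 'ciscawy.com'
$secondDc = '192.168.1.11'

# Before: "TransferAnyServer" is the dangerous value; IsDsIntegrated tells you whether the
# second DC gets the zone through AD replication anyway.
Get-DnsServerPrimaryZone -Name $zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, IsDsIntegrated

# After: only the additional DC may pull the zone. For an AD-integrated zone NoTransfer is
# an acceptable choice too, since replication delivers the zone to every DC.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers -SecondaryServers $secondDc

# Verify from an unlisted host, the way an attacker would (interactive nslookup):
#   nslookup
#   > server 192.168.1.10
#   > ls -d ciscawy.com
# The expected answer after the change is "Query refused".

# Which DCs will clients use for Kerberos? Lowest Priority first, then proportionally by Weight.
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$zone" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port
```

Two DCs with equal Priority and Weight share clients evenly, which is the load balancing this section sets up; lowering the Weight of a small branch DC keeps most of the head office on the bigger machine.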

Read Only Domain Controller

"RODC"
An RODC is an additional domain controller whose copy of the domain is read-only: no change can be made on it, and by default it stores no passwords, so it suits a branch office that has no IT staff and no physically secure server room.
Provides valuable support for branch office scenarios by authenticating users in the branch office.
RODCs reduce the security risk associated with placing a domain controller in a less secure site.
You can configure which credentials an RODC will cache.
You can also delegate administration of the RODC without granting permissions to other domain controllers or to the domain.

Staged installation (two steps). On a DC of ciscawy.com, logged on as an Enterprise Admin:
Start > Administrative Tools > Active Directory Users and Computers > right-click Domain Controllers > Pre-create Read-only Domain Controller account.
Enter the name of the RODC machine, choose its site, tick DNS server and Global Catalog, and choose the user or group that is allowed to finish the installation and manage the RODC afterwards (a delegated administrator, not a Domain Admin).
The Password Replication Policy is shown: the RODC's database will cache passwords only for the accounts the policy allows.
Finish; the pre-created account appears with the RODC icon.
On the RODC machine: TCP/IP with an IP in the domain's range, the DC as DNS server, and the gateway; Start > Run > dcpromo > Next > Next > Existing forest; enter the delegated user's credentials (not an Enterprise Admin); Next > Install.
After the restart the server shows the RODC icon in Domain Controllers.
What an RODC can and cannot do:
o Objects created in the domain replicate to the RODC (one way, from the writable DCs). Users whose passwords are cached still log on when the WAN is down; the others wait (delay) until a writable DC answers.
o Nothing can be created on the RODC: New is greyed out in its console, even for an Enterprise Administrator.
To look at the domain through the RODC: right-click the domain name > Change Domain Controller > pick the RODC; the objects are there but every write is refused, while the same objects can be edited on a writable DC.
o Replication to the RODC is one way: the domain's objects go to the RODC, nothing comes back.
o Objects of the domain are visible on the RODC, and a fake object written to a stolen RODC never enters the domain!!

Password Replication Policy (which passwords the RODC may cache):
Start > Administrative Tools > Active Directory Users and Computers > open the Domain Controllers container > right-click the RODC > Properties > Password Replication Policy tab > Add > Allow or Deny > choose the user or group > OK.
Deny wins over Allow: a user (ahmed) who is both in an allowed group and in a denied group is not cached. Administrators, Domain Admins, Enterprise Admins, Schema Admins and the other privileged groups are in the Denied list by default; leave them there, because whoever steals the RODC gets every cached credential.
Advanced: the Advanced button lists the accounts whose passwords are stored on this RODC and the accounts that have authenticated through it; Prepopulate Passwords pushes a user's password to the RODC in advance, so the branch keeps working even if the user's first logon happens after the WAN link goes down.
Replication: the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are the built-in groups behind the two lists; an account has to have authenticated at least once, or be prepopulated, before its password is actually cached.
Note: with two RODCs the policy is per RODC; ahmed may be cached on one branch's RODC and denied on the other's.
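An added example (not from the book) that does the Password Replication Policy work from PowerShell: allow one branch group, prepopulate a user, then audit whether any privileged account is actually cached on the RODC. It assumes the ActiveDirectory module, an RODC named RODC-DEKERNES, a group G-Dekernes-Users and the user ahmed; all three names are made up for the lab.

```powershell
# Added example: manage and audit an RODC's Password Replication Policy.
# Assumed names: RODC "RODC-DEKERNES", branch group "G-Dekernes-Users", user "ahmed".
Import-Module ActiveDirectory
$rodc = 'RODC-DEKERNES'

# Allow caching only for the branch users' group; never put admins on the allowed list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'G-Dekernes-Users'

# Prepopulate ahmed's password on the RODC (same as the "Prepopulate Passwords" button).
$writable = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
Sync-ADObject -Object (Get-ADUser 'ahmed') -Source $writable -Destination $rodc -PasswordOnly

# Audit: what the policy says, and which secrets are really on the box.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
"allowed: " + (($allowed | ForEach-Object Name) -join ', ')
"denied : " + (($denied  | ForEach-Object Name) -join ', ')

$revealed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct | Select-Object -ExpandProperty Name
    if ($groups | Where-Object { $privileged -contains $_ }) {
        Write-Warning "privileged account cached on ${rodc}: $($acct.SamAccountName)"
    }
}
# If the RODC is ever stolen: reset the passwords of every revealed account and delete the
# RODC's computer object (ADUC offers that reset when you delete an RODC account).
```

The revealed-accounts list, not the allowed list, is the one to check after an incident: an allowed user who never logged on through the RODC has nothing cached there.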

Child Domain
o A sub-domain of an existing domain (blog.ciscawy.com under ciscawy.com); it shares the parent's DNS name space.
o It has its own users and its own database; only the forest's Enterprise Administrator can create it.
o The machine that becomes the child's first DC is a stand-alone server, not a member of the parent domain.
o Unlike an Additional DC or an RODC, its objects are not a copy of the parent's objects: the child has a separate domain database, and the parent's DCs do not hold the child's objects!
o The Enterprise Administrator's credentials are required.
TCP/IP: an IP in the range, with DNS pointing to the parent's DC.
Start > Run > dcpromo > tick "Use advanced mode installation" > Next.
Choose Existing forest > Create a new domain in an existing forest; enter the Enterprise Administrator's network credentials for the forest.
Browse for the parent domain and type the child's single-label name (blog), so the FQDN becomes blog.ciscawy.com; Next > Next.
Tick Global Catalog; the DNS role is installed and a DNS delegation for the child is created in the parent's zone; Next > Next, set the restore-mode password, Install.
After the restart the child domain's database contains only its default objects; the parent's objects are not there.
Create an object in the child domain: it is not visible on the parent's DC. To see any domain of the forest from any DC:
Start > Administrative Tools > Active Directory Users and Computers > right-click the domain > Change Domain > Browse > pick the domain.

Child domain vs. New Tree: a child hangs under the parent's name, a tree has its own name. In both cases the forest keeps a single Enterprise Administrator: the Enterprise Administrator of the root is an administrator in the child, while the child's own Administrator has no rights in the parent.
A two-way transitive trust (parent-child trust) is created automatically between the domain and its child, so users of the child can be granted access in the parent and vice versa. Creating the child needs the Enterprise Administrator; nobody from the child domain itself can do it.

New Tree Root

o A new domain in the same forest with a different DNS name (for example sun.com beside ciscawy.com).
o It shares the forest's schema, configuration and Global Catalog.
o It has its own domain database and its own users.
o The forest keeps its single Enterprise Administrator, and the new tree is created with that account's credentials.

Example: a company that owns the domains A and B wants one forest, so users have the UPNs user@A.com and user@B.com and are managed by one Enterprise Admin.
TCP/IP for the new tree's first DC: an IP in the range, with DNS pointing to the root's DC.
Start > Run > dcpromo > advanced mode.

Create a new Domain Tree Root:
o Choose Existing forest > Create a new domain in an existing forest, and tick "Create a new domain tree root instead of a new child domain".
o Enter the Enterprise Administrator's credentials.
o Type the FQDN of the new tree (a name that is not under the root domain).
o Tick DNS server and Global Catalog, then Next > Next, restore-mode password, Install.
Unlike the child domain page, there is no parent domain to Browse for: the new tree sits beside the root domain, not under it.
After the restart the new tree's database holds only its own objects.
To see any domain of the forest from any DC: Start > Administrative Tools > Active Directory Users and Computers > right-click the domain > Change Domain > Browse > pick the domain.
The Enterprise Administrator of the forest root is an administrator in the new tree as well.
A two-way transitive trust (tree-root trust) is created automatically between the forest root and the new tree root, exactly as the parent-child trust is for a child domain.

Active Directory Partitions (the database)

The Active Directory database (ntds.dit) is divided into partitions; some replicate to every DC in the forest, others only to the DCs of one domain.
Forest level (replicated to all DCs of the forest):
1- Schema partition
2- Configuration partition
Domain level:
1- Domain partition
2- Application partition

1- Schema partition
Defines every object class and attribute that can exist in the forest. Only a member of Schema Admins (by default the Enterprise Administrator of the root) can change it, and changing it by hand is not recommended: a wrong schema change replicates forest-wide and can cause a failure that is very hard to undo.
To see the partition: Start > Administrative Tools > ADSI Edit > right-click > Connect to > Schema.

2- Configuration partition
Holds the forest infrastructure: sites, subnets, IP site links, the replication topology and the services registered in the forest.
To see it: Start > Administrative Tools > ADSI Edit > right-click > Connect to > Configuration.
The same data in a friendlier console: Start > Administrative Tools > Active Directory Sites and Services.

3- Domain partition
Holds the domain's own objects with their attributes and values: Builtin, Users and Computers, and everything you create.
Console: Active Directory Users and Computers.

4- Application partition
Holds data that an application wants replicated only to chosen DCs. The main user is DNS: an Active Directory Integrated zone is stored in the DomainDnsZones or ForestDnsZones application partition instead of a text file, and replicates with Active Directory.
DNS zone types: Primary zone, Secondary zone, Stub zone, and Active Directory Integrated zone.
Start > Administrative Tools > DNS > zone Properties > General > Replication: Change > choose the replication scope, i.e. which DNS partition (all DNS servers in the forest, all DNS servers in the domain, or all DCs of the domain).

Five Operations Master Roles

FSMO Roles (Flexible Single Master Operations)
Active Directory is multi-master, but five operations must be performed by exactly one DC at a time. Two roles exist once per forest (on the forest root's first DC by default) and three exist once per domain (on each domain's first DC by default).
Forest level
1- Schema Master role
2- Domain Naming Master
Domain level
1- Relative Identifier Master (RID)
2- Primary Domain Controller Emulator (PDC)
3- Infrastructure Master

1- Schema Master role
The only DC allowed to write to the schema partition of the forest.
To see which DC holds the role: Start > Run > regsvr32 schmmgmt.dll (registers the snap-in), then Start > Run > MMC > File > Add/Remove Snap-in > Active Directory Schema > Add > OK; right-click the root > Operations Master.

2- Domain Naming Master
The only DC allowed to add a domain to the forest or remove one; it guarantees that each domain name is unique in the forest.
To see the role: Active Directory Domains and Trusts > right-click the root > Operations Master.

3- Relative Identifier Master (RID)
Hands out RID pools to the DCs of the domain; each DC takes the next RID from its pool to build the SID of every new user, computer or group. The RID master is also involved when objects move between domains (domain migration), because the moved object gets a new SID with a RID from the target domain.
To see the role: Start > Administrative Tools > Active Directory Users and Computers > right-click the domain > Operations Masters > RID tab.

4- Primary Domain Controller Emulator (PDC)
The authoritative time source (date and time) of the domain, the Domain Master Browser, the DC that receives password changes and account lockouts first, and the DC on which the Group Policy Management Console edits policies; it also plays the Windows NT PDC for old clients.
To see the role: Start > Administrative Tools > Active Directory Users and Computers > right-click the domain > Operations Masters > PDC tab.

5- Infrastructure Master
Responsible for updating references to objects of other domains (for example a user of the child domain that is a member of a group in the parent). It should not run on a Global Catalog unless every DC of the domain is a GC.
To see the role: Start > Administrative Tools > Active Directory Users and Computers > right-click the domain > Operations Masters > Infrastructure tab.

Transferring and seizing roles
The Change button in each tab transfers the role gracefully while the old holder is online. If the DC holding a role is gone for good, the role must be seized on another DC!!!
Example: seize the Schema Master on a surviving DC of the forest root domain: Start > Run > cmd
ntdsutil
activate instance ntds
roles
connections
connect to server <server name>
quit
?            (lists the seize and transfer commands)
seize schema master
Seizing is a last resort: the old DC must never be brought back online with its roles, because two masters would hand out conflicting schema changes or overlapping RID pools; rebuild that machine instead.

To find the FSMO role holders: Start > Run > cmd
dsquery server -hasfsmo schema
dsquery server -hasfsmo name
dsquery server -hasfsmo rid
dsquery server -hasfsmo pdc
dsquery server -hasfsmo infr
Error: the Schema Master cannot be seized on a DC of a child domain or of a new tree, only on a DC of the forest root domain, because the two forest-level roles live in the root domain.
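An added example (not from the book) that does the same role inventory, transfer and seize with the ActiveDirectory module (Windows Server 2008 R2 and later), followed by the checks an engineer runs after a seize. The DC names DC1 (dead role holder) and DC2 (survivor) and the helper function Get-FsmoHolders are assumptions.

```powershell
# Added example: locate the five role holders, transfer or seize, then verify.
# Assumed lab names: surviving DC "DC2", dead role holder "DC1".
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
Get-FsmoHolders

# Graceful transfer (old holder online): no -Force.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator

# Seize (old holder dead): -Force. Only when DC1 will never come back.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole $roles -Force -Confirm:$false

# Checks after a seize:
# 1. every role now points at DC2
(Get-FsmoHolders).PSObject.Properties | ForEach-Object { "{0,-22} {1}" -f $_.Name, $_.Value }

# 2. the Infrastructure Master should not sit on a GC unless all DCs are GCs
$infra = Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster
$allGc = (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($infra.IsGlobalCatalog -and -not $allGc) {
    Write-Warning 'Infrastructure Master is on a GC while other DCs are not: cross-domain references will go stale'
}

# 3. the dead DC must be removed from the directory (ntdsutil "metadata cleanup", or delete its
#    server object in Active Directory Sites and Services) so it can never return holding old roles.
```

The same Move-ADDirectoryServerOperationMasterRole call without -Force fails when the current holder is unreachable, which is the safety net that separates a transfer from a seize.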

Active Directory Sites and Replication

Sites and replication concern all the domain controllers of the forest (additional, child and tree DCs alike): a site describes the physical network, and the site link between two sites decides how replication flows between them and how much it loads the WAN.
By default every DC lands in Default-First-Site-Name; one site is enough for a single building.
Console: Start > Administrative Tools > Active Directory Sites and Services > Default-First-Site-Name > Servers.
Replication between sites carries the updates over one of two transports: IP or SMTP.
o IP (RPC over IP): the default; used between DCs of the same domain.
o SMTP: the updates travel as e-mails; it works only between DCs of different domains (schema, configuration and Global Catalog data, never the domain partition), it needs a certification authority, and each message is sent and acknowledged (send, ack, send, ack).

Create additional sites when:
- A part of the network is separated by a slow link.
- A part of the network has enough users to warrant hosting domain controllers or other services in that location.
- Directory query traffic warrants a local domain controller.
- You want to control service localization.
- You want to control replication between domain controllers.
Right-click Sites > New Site; enter the name and pick a site link.
Example: rename Default-First-Site-Name to Mansoura and create a second site, Dekernes.
Move a server to a site: right-click the server > Move > choose the site.
Subnets: right-click Subnets > New Subnet; enter the subnet in prefix form and associate it with a site. Subnets are how a client finds its own site: a client whose IP is in the Dekernes subnet authenticates against a Dekernes DC instead of crossing the WAN!!
Site links: right-click Inter-Site Transports > IP > New Site Link; add the sites in this site link.
Cost: every link has a cost (default 100). With two links between the same sites, replication uses the cheaper one and fails over to the other; equal costs balance across the two links.
Replicate every: default 180 minutes. With three sites in a chain and a 15-minute interval, an update reaches the second site after 15 minutes and the third after 30 (45 with a further hop). Change Schedule restricts replication to certain hours.
Site link Properties: Sites in this site link, Cost, Replicate every, Change Schedule.
Bridgehead server:
o One DC per site replicates with the other sites on behalf of the whole site.
o It is chosen per transport (IP or SMTP).
o To choose it by hand: right-click the server > Properties > "This server is a preferred bridgehead server for the following transports".

With two sites for one domain: each DC registers site-specific SRV records in DNS, and a user logging on in a site authenticates against the DC of that site.
With a child domain, its DCs are placed in the sites as well; the child's DC in a site serves the child's users there.

Active Directory replication is:
- Multimaster replication
- Pull replication
- Store-and-forward
- Partitioning of the data
- Automatic
- Attribute-level replication
- Distinct control of intra-site and inter-site replication
- Collision detection and management

Replication transport protocols
Directory Service Remote Procedure Call (DS-RPC): appears in the Active Directory Sites and Services snap-in as IP. IP is used for all intrasite replication and is the default, and preferred, protocol for intersite replication.
Inter-Site Messaging - Simple Mail Transfer Protocol (ISM-SMTP): also known simply as SMTP, this protocol is used only when network connections between sites are unreliable or are not always available.
The Intersite Topology Generator (ISTG) creates connection objects between bridgehead servers that share a site link.
Within a site, domain controllers replicate quickly, using a topology generated by the Knowledge Consistency Checker (KCC), which is adjusted dynamically to ensure effective intrasite replication.
Replication timing: intra-site, a DC notifies its first partner 15 seconds after a change and each further partner 3 seconds later; inter-site, every 180 minutes (3 hours) by default.
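An added example (not from the book) that builds the two-site lab from this section with the ActiveDirectory module's replication cmdlets (Windows Server 2012 and later) and then checks that clients and replication really follow the sites. The subnets 192.168.1.0/24 and 192.168.2.0/24 and the DC names DC1 (Mansoura) and DC2 (Dekernes) are assumptions.

```powershell
# Added example: two sites (Mansoura / Dekernes), subnets, a site link, and health checks.
# Assumed: subnets 192.168.1.0/24 (Mansoura) and 192.168.2.0/24 (Dekernes); DC2 belongs in Dekernes.
Import-Module ActiveDirectory

# Sites and subnets: the subnet is what lets a client find its own site.
Rename-ADObject -Identity (Get-ADReplicationSite 'Default-First-Site-Name').DistinguishedName -NewName 'Mansoura'
New-ADReplicationSite -Name 'Dekernes'
New-ADReplicationSubnet -Name '192.168.1.0/24' -Site 'Mansoura'
New-ADReplicationSubnet -Name '192.168.2.0/24' -Site 'Dekernes'

# Site link: cost 100, replicate every 15 minutes instead of the default 180.
New-ADReplicationSiteLink -Name 'Mansoura-Dekernes' -SitesIncluded 'Mansoura', 'Dekernes' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Move DC2 into its site (a DC in the wrong site serves the wrong clients).
Move-ADDirectoryServer -Identity 'DC2' -Site 'Dekernes'

# Which DC will a client in Dekernes use? The site-specific SRV record answers that.
$dnsRoot = (Get-ADDomain).DNSRoot
Resolve-DnsName "_ldap._tcp.Dekernes._sites.dc._msdcs.$dnsRoot" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Priority, Weight

# Replication health: failures, or a partner last seen longer ago than the link interval, are a problem.
repadmin /replsummary
repadmin /showrepl DC2 /errorsonly
Get-ADReplicationPartnerMetadata -Target 'DC2' |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```

Register the DC's subnet before moving it: a DC whose address matches no subnet still works, but clients at that address are placed in no site and may cross the WAN to authenticate.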

Trust
A trust lets the users of one domain be granted access in another domain. A trust is:
o Two-way: each domain trusts the other.
o One-way: only one side trusts the other.
Inside a forest, trusts are transitive and authenticate with the Kerberos authentication protocol.
Parent and Child: created by default, two-way, between a domain and its child in the same forest.
Tree Root: created by default, two-way, between the forest root domain and every other tree root domain.
Shortcut Trust: one- or two-way; created by hand between, for example, a child in one tree and a child in another tree, to shorten the Kerberos referral path across the forest.
External Trust: one- or two-way; between any domain in a forest and any domain in another forest; non-transitive, the trust is not inherited by the other domains.
Forest Trust: one- or two-way; between the forest root domain of one forest and the forest root domain of another forest; transitive across both forests.
Realm Trust: one- or two-way; between a Microsoft domain and a non-Windows Kerberos realm, for example Linux with MIT Kerberos.

Forest trust: created in Active Directory Domains and Trusts on the forest root domain; the new tree and child domains of both forests then trust each other through it.
Caveat: SID filtering (quarantine) is on by default for external and forest trusts; do not turn it off, because an administrator of the trusted domain could otherwise put the SIDs of your own privileged groups into the SID history of its users and be treated as a Domain Admin on your side.

Group Policy

Group Policy applies restrictions, settings and software to the computers and users of the domain. A policy (GPO) is linked to a Domain, a Site or an OU; it is not linked to groups (groups are only used to filter who receives it).
Start > Administrative Tools > Group Policy Management.
A policy can restrict what a user sees and does, deploy software, and much more.
One GPO holds many policy settings; one domain holds many GPOs.
Examples: block USB and DVD-ROM use, hide parts of Control Panel, publish applications.
Every GPO has two halves: the part applied to the computer account and the part applied to the user account.

COMPUTER ACCOUNT
Computer policies apply at start-up; software can be assigned (installed at start-up).

USER ACCOUNT
User policies apply at logon; software can be assigned or published.

Two policies are applied by default: the Default Domain Policy (linked to the domain) and the Default Domain Controllers Policy (linked to the Domain Controllers OU).
Local GPOs live on each machine in %SystemRoot%\System32\GroupPolicy and are processed first.

Each policy setting is Not Configured, Enabled or Disabled.

Order of processing: Local, then Site, then Domain, then OU (LSDOU); the later one wins, so an OU policy overrides a domain policy for the same setting.
Block Inheritance on an OU stops the site's and domain's policies from reaching it!
Enforced on a policy link makes that policy win even through Block Inheritance and even over the lower-level policies.

Clients and servers refresh their policies every 90 minutes (plus a random offset of up to 30 minutes); domain controllers every 5 minutes. Start > Run > cmd > gpupdate refreshes at once; gpupdate /force reapplies every setting, computer and user, changed or not.
The refresh interval is changed under Policies > Administrative Templates > System > Group Policy (Group Policy refresh interval for computers / for users).
Slow link detection: below 500 kbps the link counts as slow and the bandwidth-heavy parts (software installation, folder redirection) are skipped.

WMI Filter
Windows Management Instrumentation (WMI) is a management infrastructure technology that allows administrators to monitor and control managed objects in the network.
A WMI query is capable of filtering systems based on characteristics, including RAM, processor speed, disk capacity, IP address, operating system version and service pack level, installed applications, and printer properties.
Because WMI exposes almost every property of every object within a computer, the list of attributes that can be used in a WMI query is virtually unlimited.
WMI queries are written using WMI Query Language (WQL).
Right-click WMI Filters > New; write the query, then select the filter in the GPO's WMI Filtering box. A user policy can be imported and filtered the same way; filters are also a troubleshooting aid to see which machines a policy really reaches.

Group Policy Results
Shows which policies actually applied to a given computer account and the user who logged on to it (run from the DC).
Right-click Group Policy Results > Group Policy Results Wizard > Next > Browse for the computer > pick the user who has logged on to that machine > Next > Next > Finish.
The report lists the applied policies and the denied ones with the reason (filtered, disabled link, blocked inheritance).

Group Policy Modeling
Unlike Group Policy Results, Modeling simulates: what would apply if this user logged on to this computer, in this site, in this OU? It is used to troubleshoot policies across the forest before they are deployed.
Right-click Group Policy Modeling > Group Policy Modeling Wizard > Next > choose the domain controller.
Pick the user and the computer (an account or a container) > Browse > Next.
Pick the site > Next.
Optionally simulate security-group membership and WMI filters > Next > Next > Finish.
The report shows the resulting set of policies.

Linking a policy to an OU: right-click the OU > Create a GPO in this domain, and Link it here / Link an Existing GPO.
The same GPO can be linked to a domain, to another domain in the forest, or to several OUs at once.

Loopback Processing
Normally the user half of a policy follows the user wherever he logs on. Loopback makes the computer's OU decide the user settings, for a kiosk or lab machine that must behave the same regardless of who logs on.
Computer Configuration > Policies > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode.
Two modes:
Replace: the user settings of the computer's policies replace the user's own policies.
Merge: both apply; on conflict the computer's policies (the restrictions) win.
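An added example (not from the book) that strings the steps of this chapter together with the GroupPolicy module (Windows Server 2008 R2 and later): test a WQL filter on a target machine before trusting it, create and link a GPO, put the removable-storage restriction from the security chapter into it, attach the WMI filter, and check the result on a client. The GPO name IT-Restrictions, the OU "it", the filter name "Win7 workstations" and the domain ciscawy.com are assumptions; the GroupPolicy module cannot create WMI filters, so the filter itself is created once in GPMC and referenced here by name.

```powershell
# Added example: GPO + OU link + WMI filter + result check. GroupPolicy module (2008 R2+).
# Assumed names: GPO "IT-Restrictions", OU "it", WMI filter "Win7 workstations", domain ciscawy.com.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=it,$domainDN"

# 1. Test the WQL on a target machine before using it: it must return exactly one row there.
#    Version 6.1 = Windows 7 / 2008 R2; ProductType 1 = workstation (2 = DC, 3 = member server).
$wql  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
$hits = @(Get-WmiObject -Query $wql)
"filter matches this machine: $($hits.Count -eq 1)"

# 2. Create the GPO and link it to the OU (not enforced; the OU may still block inheritance).
$gpo = New-GPO -Name 'IT-Restrictions' -Comment 'Blocks writing to removable disks for the IT OU'
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes -Enforced No | Out-Null

# 3. A registry-backed setting: deny write access to removable disks (User Configuration).
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' `
    -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null

# 4. Attach the WMI filter created in GPMC (WMI Filters > New, query = $wql).
$filter = Get-ADObject -LDAPFilter '(&(objectClass=msWMI-Som)(msWMI-Name=Win7 workstations))' `
    -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$domainDN" -Properties 'msWMI-Name', 'msWMI-ID'
if ($filter) {
    # gPCWQLFilter holds "[<dns domain>;<filter id>;0]"
    $value = "[$((Get-ADDomain).DNSRoot);$($filter.'msWMI-ID');0]"
    Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = $value }
}

# 5. On a client in the OU: refresh, then see whether the GPO applied or was filtered out.
gpupdate /force
gpresult /r /scope:user
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```

A filter that returns no rows on the target silently removes the whole GPO from that machine, which is why step 1 runs the query where the policy is supposed to land.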

Deploy Software
Group Policy can install software on computers and for users without visiting each machine.

Software Distribution Point: a shared folder that holds the package and is reachable by every target; the path in the GPO must be the UNC path (\\server\share\app.msi), never a local drive letter.
o Create the shared folder on the server.
o Give the users and computers Read permission on the share and on NTFS (the computer half installs at start-up as the computer account, so Domain Computers needs Read as well).
o Copy the package into it.
o Reference it in the GPO by its UNC path.

Package extensions: .msi (Windows Installer package; can be assigned or published) and .zap (a text file that points at a setup.exe; can only be published to users).
The package is placed in the shared folder, and the policy is applied to users or to computers.

Deploying methods:
Assign: the software is installed automatically (at start-up for a computer; advertised at logon for a user and installed on first use).
Publish: the software is listed in the user's Control Panel and installed only when the user chooses it.
User account: assign or publish. Computer account: assign only.
Install level:
Full: all features.
Partial: selected features.

Lab:
o Create a test OU; right-click the OU > Create a GPO in this domain, and Link it here.
o Right-click the policy > Edit.
o User Configuration > Policies > Software Settings > Software Installation > right-click > New > Package.
o Browse to the package through its shared-folder UNC path.
o Choose the deployment method: Published, Assigned, or Advanced (deployment options, upgrades, categories).
o Choose Publish.
o On a client in the OU, run gpupdate /force and log on again.
o On Windows 7 the published application appears under Control Panel\Programs\Programs and Features > Install a program from the network; right-click > Install.
To change the method later: right-click the package > All Tasks > Assign / Publish, or right-click > Deploy for a .zap.
Computer account: Computer Configuration > Policies > Software Settings > Software Installation > right-click > New > Package; for a computer account only Assigned is available, Published is greyed out.
Advanced: to upgrade, add the package of the new version, right-click it > Properties > Upgrades tab > Add > select the old package; the upgrade is applied automatically.
To stop deploying: right-click the package > All Tasks > Remove (uninstall immediately, or let users keep it but prevent new installations).
Whether the package follows the user or the computer depends on the half of the GPO it was defined in.

Restricted Groups
Restricted Groups lets a policy enforce the membership of a group on every computer in the OU: anyone added by hand (for example to the local Administrators group) is removed at the next refresh.
Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups > right-click > Add Group > Browse for the group > OK.
Then fill in either "Members of this group" (exact membership: whatever exists on the machine is replaced) or "This group is a member of" (the group is added to the listed groups without removing other members).

Security in Group Policy

Group Policy is where most of the domain's security hardening is configured, far beyond the cosmetic settings (icons, wallpaper) that users notice.

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
These settings apply to every domain account and must be set in a GPO linked to the domain (the Default Domain Policy); the same settings in an OU-linked GPO only affect the local accounts of the computers in that OU.

Enforce password history: how many previous passwords a user cannot reuse; 5 to 7 is a common choice, 24 is both the maximum and the domain default.
Maximum password age: how long a password may be used before it must be changed; the default is 42 days.
Minimum password age: how long a user must keep a new password before changing it again, so users cannot cycle through the history in one sitting to get back to their old password; 1 day is the default, 998 days the maximum, and it must be lower than the maximum age.
Password must meet complexity requirements: at least 6 characters, containing three of the four categories (upper case, lower case, digits, symbols) and not containing the user name.
Store passwords using reversible encryption: keep this Disabled; it stores the password in a form that can be decrypted, and it is only needed for protocols that require the clear-text password, such as the Challenge-Handshake Authentication Protocol (CHAP).

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
Account lockout duration: minutes the account stays locked; 30 by default once lockout is enabled; 0 means locked until an Administrator unlocks it.
Account lockout threshold: failed logons before the lock; 0 (the default) means never lock; 3 to 5 is the usual choice. Too low a value lets an attacker who sprays passwords lock out the whole company, a denial of service.
Reset account lockout counter after: minutes after which the failed-logon counter returns to 0; 30 by default, and it must be less than or equal to the lockout duration.
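An added example (not from the book) that reads the domain's password and lockout policy, sets the values discussed in this section, and then runs the checks a reviewer wants: reversible encryption off both at domain level and per account, a lockout threshold that is not zero, and a reset window that does not exceed the lockout duration. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later); the chosen numbers are this chapter's.

```powershell
# Added example: inspect, set and sanity-check the domain password and lockout policy.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Before
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, ReversibleEncryptionEnabled, PasswordHistoryCount,
                  MinPasswordLength, MinPasswordAge, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# After: history 24, max age 42 days, min age 1 day, lockout after 5 attempts for 30 minutes,
# counter reset after 30 minutes, complexity on, reversible encryption off.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordLength 8 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Sanity checks worth running on any domain.
$p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if ($p.ReversibleEncryptionEnabled) { Write-Warning 'reversible encryption is ON: passwords are recoverable from ntds.dit' }
if ($p.LockoutThreshold -eq 0)       { Write-Warning 'no lockout: online password guessing is unlimited' }
if ($p.LockoutDuration.TotalMinutes -ne 0 -and $p.LockoutObservationWindow -gt $p.LockoutDuration) {
    Write-Warning 'reset window is longer than the lockout duration (Windows rejects this combination)'
}

# Per-account override: users with "Store password using reversible encryption" ticked
# (userAccountControl bit 128 = ENCRYPTED_TEXT_PWD_ALLOWED).
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' | Select-Object SamAccountName

# Who is locked out right now: many accounts at once usually means a spraying attack, not users.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

Set-ADDefaultDomainPasswordPolicy writes the same attributes the Default Domain Policy GPO sets, so run it against the domain and not against an OU, exactly as the text above requires.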

Computer Configuration Policies Windows Setting Security Setting


Account Policy Kerberos Policy

kerberos Protocol

Eng.Basem Hamed

basemhamed@egyptnetriders.com

01001582348

95Page


Computer Configuration Policies Windows Setting Security Setting
Account Policy Local Policy

Local Account Policies


Computer Configuration Policies Windows Setting Security Setting
Account Policy Local Policy Audit Policy
Server Error TShoot
Monitor Event Viewer Tool Start Administrative tools Event Viewer
Computer Configuration Policies Windows Setting Security Setting
Account Policy Local Policy Uesr Rights Assignment
.. Policies
Policy
Policies

Eng.Basem Hamed

basemhamed@egyptnetriders.com

01001582348

96Page

Computer Configuration Policies Windows Setting Security Setting


Account Policy Local Policy Security Options

-:
Accounts: Rename administrator account
Account Lock Interactive logon: Do not require CTRL+ALT+DEL
( )
Interactive logon: Message text for users attempting to log on
,

User configuration Admin Templete System Removable Storage Access


Removable Storage CD and DVD removable storage USB

Denies read access
Denies write access

Computer Configuration Policies Windows Setting Wireless Network Policy


Wireless

Viste 7 Windows XP

New Vista Wireless Network Policy



Connection Add

Eng.Basem Hamed

basemhamed@egyptnetriders.com

01001582348

97Page

-: Add Hock Peer to Peer


-: Infrastructure Switch
Ok
Security Tab

Authentication
WPA2-Enterprise
TKIP

Policy Going Throw
Network Permission

92Page

01001582348

basemhamed@egyptnetriders.com

Eng.Basem Hamed

Add SSID
SSID Access Point
Access Point Load Balance
Load
User

Windows Firewall
Computer Configuration Policies Windows Setting Windows Firewall and
Advanced Security

Role Filter
R.click New Role

99Page

01001582348

basemhamed@egyptnetriders.com

Eng.Basem Hamed

Port Role

IP Security
Computer Configuration Policies Windows Setting IP Security Policy

-:

Eng.Basem Hamed

basemhamed@egyptnetriders.com

01001582348

100Page

Secure
Secure
Secure

Secure Connection

Response
Require Security
Request Security

User Configuration Preferances Windows Setting


User Configuration Preferances Control Panal Setting


Device
Printer
Folder Options

Folder Options Windows Vista


Filter Options: with an Administrative Templates node selected, right-click > Filter Options. You can filter by managed/configured state and by keyword, searching the policy setting title, the explain text and the comments.


Lab
User Configuration > Policies > Administrative Templates > Network > Network Connections

Enable the policy that prohibits access to the properties of a LAN connection (the TCP/IP settings), then on the client run gpupdate /force. Open Control Panel\Network and Internet\Network and Sharing Center, select the connection and click Properties: the TCP/IP properties are no longer accessible.
Note that most Network Connections policies do not apply to members of the local Administrators group unless "Enable Windows 2000 Network Connections settings for Administrators" is also enabled.


Group Policy Template

Security templates let you define a set of security settings once and import it into one or more GPOs, instead of re-creating the settings in each policy.

To create a template: Start > Run > mmc, File > Add/Remove Snap-in, add Security Templates, then right-click the templates path > New Template.


The new template shows the same nodes as the Security Settings branch of a GPO; configure the settings you want in each node.


Saving
Templates are saved as .inf files under the path shown in the snap-in, by default C:\Users\Administrator\Documents\Security\Templates.

Security templates allow you to configure the following types of policies and settings:
Account Policies: password restrictions, account lockout policies and Kerberos policies.
Local Policies: audit policies, user rights assignments and security options.
Event Log: maximum event log sizes and rollover (retention) policies.
Restricted Groups: the users permitted to be members of specific groups.
System Services: the startup types and permissions for system services.
Registry: access control permissions for specific registry keys.
File System: access control permissions for NTFS files and folders.


To apply the template through Group Policy: open Group Policy Management, edit the GPO, right-click Computer Configuration > Policies > Windows Settings > Security Settings > Import Policy and select the .inf file. Run gpupdate on a client to apply it.

Group Policy Object backup: in Group Policy Management, right-click Group Policy Objects > Back Up All to save every GPO in the domain before making changes.
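As an added example (the editor's, not from the course), the following writes a small security template in the same INF format the Security Templates snap-in saves, compares the local machine against it with secedit without changing anything, and shows the command that applies it. The template values are assumptions chosen for illustration.

```powershell
# Added example: build a security template and use secedit to analyze the local
# machine against it, then (once reviewed) apply it. Template values are assumed.
$inf = Join-Path $env:TEMP 'baseline.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
NewAdministratorName = "svc-breakglass"
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@ | Set-Content -Path $inf -Encoding Unicode

$db  = Join-Path $env:TEMP 'baseline.sdb'
$log = Join-Path $env:TEMP 'baseline.log'

# Analyze only: the template is imported into a fresh database and compared with
# the machine; nothing is changed. Mismatches are written to the log.
secedit /analyze /db $db /cfg $inf /log $log /quiet | Out-Null
Get-Content $log | Where-Object { $_ -match 'Mismatch|Not Configured' }

# Apply the template once the mismatches have been reviewed:
# secedit /configure /db $db /cfg $inf /log $log /quiet
```

The same .inf imports unchanged into a GPO with Import Policy, so analyzing it locally first is a cheap way to see what the GPO will change on the target computers.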



Scripts and shared folders

Scripts can be assigned to user accounts and to computer accounts:
User account: Logon and Logoff scripts
Computer account: Startup and Shutdown scripts

Example: a logon script that maps a shared folder to drive X:. In Group Policy Management, edit the policy, then User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff). Right-click Logon > Properties, click Add, then Browse (this opens the policy's scripts folder in SYSVOL). Right-click > New > Text Document,


rename it with a .bat extension (a batch file), then right-click > Edit and write the command to run.
The lab's script runs net use against the share with the administrator account and the password p@ssw0rd. Do not do this outside the lab: every authenticated user can read SYSVOL, so the domain administrator's password is exposed to the whole domain. Map the drive with the logged-on user's own credentials instead and grant that user access to the share.
Save, click Open > OK, and the script is added. On the Windows 7 client the policy applies at the next logon and the mapped drive appears in My Computer.
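As an added example (the editor's, not the course's script), part (a) below is a logon script that maps the share with the logged-on user's own Kerberos ticket, so no password is stored in the script; part (b) scans the domain's SYSVOL for scripts that carry credentials, which any authenticated user could read just as easily. The share \\dc\share, drive X:, and the domain name ciscawy.com are assumed.

```powershell
# Added example: (a) a credential-free logon script, (b) a scan of SYSVOL for
# embedded passwords. Assumed names: \\dc\share, drive X:, domain ciscawy.com.

# (a) save as logon.bat in the GPO's scripts folder (the folder that Browse opens)
$logonBat = @'
@echo off
rem Map the drive with the current user's credentials; /persistent:no so stale
rem mappings are not kept between sessions and the GPO stays authoritative.
net use X: /delete /y >nul 2>&1
net use X: \\dc\share /persistent:no
'@
Set-Content -Path (Join-Path $env:TEMP 'logon.bat') -Value $logonBat -Encoding ASCII

# (b) find scripts in SYSVOL that carry a password: "net use ... /user:" lines,
#     "password=" assignments, and Group Policy Preferences XML with cpassword=
#     (the GPP password field, whose encryption key is public)
$sysvol  = '\\ciscawy.com\SYSVOL\ciscawy.com'
$pattern = '(?i)\bnet\s+use\b.*\s/user:|password\s*[:=]|cpassword='
Get-ChildItem -Path $sysvol -Recurse -Include *.bat,*.cmd,*.vbs,*.ps1,*.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Path, $_.LineNumber, $_.Line.Trim() }
```

Any hit from part (b) is a credential that should be treated as compromised and rotated, not merely deleted from the script.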


Backup & Restore

Backing up the domain means backing up the domain controller's critical volumes, which hold the AD DS infrastructure. The backup drive must not be one of the critical volumes.
Critical volumes include:
The system volume: the volume that hosts the boot files
The boot volume: the volume that hosts the Windows operating system and the Registry
The volume that hosts the SYSVOL tree
The volume that hosts the AD DS database (Ntds.dit)
The volume that hosts the AD DS database log files

Backup types: Windows Server Backup can take a full server backup, a custom backup of selected volumes, or (from the command line) a system state backup; a backup that includes the critical volumes is enough to recover the domain and its objects.
To install the backup tool: Server Manager > Features > Add Features > Windows Server Backup Features > Next > Install > Finish.

On the domain controller: Start > Administrative Tools > Windows Server Backup.



Backup Schedule creates a recurring backup; Backup Once runs a single backup now. Click Next and choose Custom to pick the volumes.


Select the drives to back up.


Show All Available Disks lists the disks that can hold the backup. The backup disk is formatted and dedicated to backups, so use a disk that holds nothing else.
Next > Finish.
Backup from the command line: Run > cmd; wbadmin /? lists the commands, and wbadmin start backup runs one (Ctrl+C cancels it).


Windows Server Backup: Backup Once
Backup Once runs a single backup without a schedule. Choose Custom, then select the volumes (for example C:\).


The destination can be a local disk or a remote shared folder (which may be on a client machine, though a server is preferable). Select the disk, then Next > Backup.


Restore
Restoring the AD DS database needs the domain controller to be offline from AD: reboot, press F8 and choose Directory Services Restore Mode (DSRM).


In DSRM you log on with the local DSRM administrator password that was set during dcpromo, not with a domain account!! Domain Admins cannot authenticate here because the AD database is offline. Keep that password recorded and rotate it; on Windows Server 2008 R2 ntdsutil "set dsrm password" can also sync it with a domain account.
Open Windows Server Backup > Recover > Next.



Choose Recover, select the backup, then what to recover: the system state (the AD DS database together with SYSVOL and the registry). Select the recovery location (the disk), Next > Recover.
After the recovery completes, reboot normally. This is a non-authoritative restore: the DC then receives any newer changes from the other domain controllers. To make restored objects win over replication (for example a deleted OU), mark them authoritative with ntdsutil before rebooting.
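As an added example (the editor's, not the course's), these are the wbadmin and ntdsutil commands behind the wizards above, for a scripted system state backup and an authoritative restore of a deleted OU. The backup target E:, the version string and OU=Sales are placeholders.

```powershell
# Added example: system state backup with wbadmin and the DSRM recovery steps.
# Assumed: backup target E: (not a critical volume); the version string and
# OU=Sales are placeholders. Run elevated on the domain controller.

# 1. System state backup: boot files, registry, SYSVOL, NTDS.dit and its logs
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. Record which backup versions exist; the version identifier is needed for recovery
wbadmin get versions -backupTarget:E:

# 3. Recovery. Reboot, press F8, choose Directory Services Restore Mode and log on
#    as .\Administrator with the DSRM password. Then, still in DSRM:
#    wbadmin start systemstaterecovery -version:01/15/2012-20:30 -backupTarget:E: -quiet
#    This is a non-authoritative restore: after the reboot the other DCs overwrite
#    it with their newer data, which is what you want for a failed DC.

# 4. To bring back deleted objects instead, mark them authoritative before the
#    reboot so the restored copy wins replication (their version numbers are raised):
#    ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Sales,DC=ciscawy,DC=com" quit quit

# 5. Keep the DSRM password known: reset it on this DC, or (Windows Server 2008 R2)
#    sync it with a dedicated domain account so it follows that account's rotation:
#    ntdsutil "set dsrm password" "reset password on server null" quit quit
#    ntdsutil "set dsrm password" "sync from domain account svc-dsrm" quit quit
```

Steps 1 and 2 run as written; steps 3 to 5 are left as comments because they are typed in DSRM or change the directory, and should be run one at a time with the values for your domain.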


Active Directory
Course 6426A
Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

The course covers four services:
Active Directory Certificate Services (Certification Authority)
Active Directory Federation Services
Active Directory Lightweight Directory Services
Active Directory Rights Management Services


Active Directory Certificate Services (Certification Authority)

Certificates are what secure web sites and e-mail, among other things.

PKI, Public Key Infrastructure, is built around digital certificates issued by a certification authority (CA); it provides authentication and gives each party keys that others can verify.
Is the combination of software, encryption technologies, processes, and services that enable an organization to secure communication and business transactions.
Relies on the exchange of digital certificates between authenticated users and trusted resources.
Uses of PKI:
o Encryption (for example EFS)
o IPsec
o Securing web sites (SSL/TLS)
o Smart cards
o Signing drivers
Cryptography used in PKI:
Symmetric key encryption: one shared key both encrypts and decrypts (AES, 3DES, DES). DES is obsolete.
Asymmetric keys: a public and a private key pair (RSA, Diffie-Hellman).
Hashing: one-way functions such as MD5 and SHA-1 produce a fixed-size digest; Windows stores password hashes rather than passwords. MD5 is no longer collision-resistant and should not be used for signatures.

Certification


Certificates
A digital certificate has a validity period and expires.
The certification authority server has its own certificate, which in the lab is set to expire after 5 years, and an asymmetric key pair that signs every certificate it issues.
Certification servers:
o Root CA: holds a self-signed certificate and is the trusted anchor of the hierarchy. Because everything below it depends on its key, it needs strict physical security and a documented certificate issuance policy; in production it is kept offline.
o Subordinate CA: receives its certificate from the root CA and does the day-to-day issuing, which gives load balancing and fault tolerance and lets the root stay offline.
CA types:
o Enterprise CA: integrated with the domain (templates and autoenrollment come from AD).
o Stand-alone CA: works in a workgroup with no AD integration; every request is approved manually.
Cross hierarchy: two separate CA hierarchies can trust each other through cross-certification.
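As an added example (the editor's, not the course's), the following shows a CAPolicy.inf for an offline root CA and the certutil settings that tell the CA where its CRL and certificate are published, so that clients can find them while the root itself stays off the network. The key size, validity, CRL period and the URL http://pki.ciscawy.com/pki are assumed values.

```powershell
# Added example: CAPolicy.inf for an offline root CA, plus CRL/AIA publication
# settings. Key size, validity, CRL period and the http URL are assumed.

# CAPolicy.inf is read by the Add Roles wizard, so write it before installing the CA role
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; an offline root publishes a CRL rarely; no delta CRLs
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; do not add the default templates (this root issues only subordinate CA certificates)
LoadDefaultTemplates=0
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# After the role is installed: publish the CRL to the local CertEnroll folder (flag 1)
# and advertise the HTTP URL in the CDP extension of issued certificates (flag 2).
# The root is offline, so the files are copied to the web server by hand.
certutil -setreg CA\CRLPublicationURLs '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.ciscawy.com/pki/%3%8%9.crl'
# Same for the CA certificate (AIA extension)
certutil -setreg CA\CACertPublicationURLs '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.ciscawy.com/pki/%1_%3%4.crt'
net stop certsvc; net start certsvc
certutil -crl                                   # publish a fresh CRL with the new settings

# On a domain member, after the files are on the web server, check that the chain
# and revocation information of a subordinate CA certificate can be fetched:
# certutil -verify -urlfetch \\share\SubCA.crt
```

The point of the HTTP URL is that every client, including those outside the domain, can reach the CRL; an LDAP-only CDP works for domain members but fails for everyone else, and a certificate whose revocation status cannot be checked is rejected by strict clients.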


Installing Certificate Services

Server Manager > Roles > Add Roles > Active Directory Certificate Services.


Role services: Certification Authority; Certification Authority Web Enrollment (users request certificates from a web site); Online Responder (answers OCSP queries about whether a certificate has been revoked).


Web Enrollment requires IIS, which the wizard adds.
Setup type: Enterprise (requires a domain member; in the lab it is the domain controller) or Standalone. An enterprise CA is managed from the MMC and the web interface; a stand-alone CA has no templates and approves requests manually.


CA type: Root CA or Subordinate CA. The server then creates the CA's private key: choose the cryptographic provider and the key length (2048 bits or more).


CA name (by default derived from the domain and machine name) and the validity period of the CA certificate.


Install > Finish.

Subordinate server: a second server joined to the domain. Install Certificate Services on it the same way, choosing Subordinate CA.


The subordinate CA's certificate request is sent to the root: browse to the root CA. The request waits in Pending Requests until the administrator approves it.
Open the CA console: Start > Administrative Tools > Certification Authority.


Revoked Certificates: certificates the administrator has revoked.
Issued Certificates: certificates issued to users and computers; on a root, the CA's own self-signed certificate is visible here too.
Pending Requests: requests waiting for the administrator to issue or deny.
Failed Requests: requests the administrator denied or that failed the CA's policy checks.
Certificate Templates: the templates this CA offers. Users can enroll only from templates listed here!!
Right-click Certificate Templates > Manage to open the Certificate Templates console (also reachable by right-clicking in Server Manager).


Right-click a template > Duplicate Template, then edit the copy. The duplicate's properties are where the issuance policies, validity, subject name and security of the new template are set.


A duplicated template is not offered for enrollment until it is issued!! Right-click Certificate Templates > New > Certificate Template to Issue, select it, OK. The template now appears under Certificate Templates.


Ways a user can obtain a certificate:
o Web enrollment (the certsrv web site on the CA)
o The Certificates MMC snap-in
o Enroll and Autoenroll permissions on the template plus the Group Policy autoenrollment setting
The web enrollment site runs in IIS: Start > Administrative Tools > IIS Manager.
By default the site answers over HTTP only; HTTPS is not configured, so requests (and the credentials sent with them) would travel unencrypted. Select Default Web Site > Bindings > Add,


type https, select the machine's certificate and OK; the site now accepts HTTPS connections.
From Server Certificates you can view the domain certificate that was issued to the CA machine.
From the web server, or any domain member, open Internet Explorer at
https://ca.ciscawy.com/certsrv
(ca.ciscawy.com is the CA server). The site prompts for user credentials.


If the browser warns that the CA is not trusted!! the root certificate must be placed in the Trusted Root store. Run > mmc, File > Add/Remove Snap-in, add Certificates, choose Computer account.


o Personal: the computer's own certificates (user certificates are in the user store).
o Trusted Root Certification Authorities: the CAs this machine trusts, which covers the sites and servers it talks to.
To distribute the root certificate, export it: right-click the certificate > All Tasks > Export,


Next > Finish.


Users' certificates validate only if the root is trusted on their machines. To push the root certificate to every domain computer through Group Policy:
Right-click Default Domain Policy > Edit.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
Right-click Trusted Root Certification Authorities > Import, select the exported root certificate, Next,


Next > Finish.
On the Windows 7 client, open Internet Explorer at https://ca.ciscawy.com/certsrv; before the policy applies, the site shows a certificate warning. Run > mmc, File > Add/Remove Snap-in, add Certificates,


Computer account, Next > Finish. The root certificate is not yet in Trusted Root. After a Group Policy refresh (gpupdate /force or a restart) it appears there.
Open Internet Explorer again at https://ca.ciscawy.com/certsrv and enter credentials; the site now loads without a warning.


On the web enrollment site: Request a certificate > advanced certificate request > Create and submit a request to this CA. The request goes to the CA server.


Submit the request; once it is issued, download the certificate.


Save and install it. In the Certificates MMC (User account) it appears under Personal.


On the CA server, Issued Certificates now lists the certificates issued so far, for example one for the domain controller (request 2), one for the CA (3) and one for the user (4).
To revoke a certificate: right-click it > All Tasks > Revoke Certificate and choose a reason.
Certificates issued to a user account are controlled by templates: in Certification Authority, right-click Certificate Templates > Manage, then right-click a template > Duplicate Template.


Issuance Requirements tab: CA certificate manager approval holds every request from this template in Pending Requests until the administrator issues it.


Security tab: the users and computers that may enroll for this template.
Issue the template. On the Windows 7 client, as the user, open the Certificates MMC (user store).


Right-click Personal > All Tasks > Request New Certificate. Select the Active Directory Enrollment Policy, then the template; tick Show all templates to see the templates you cannot enroll for and the reason.


Because the template requires approval, the certificate does not appear in Personal yet!! On the server it waits in Pending Requests; right-click it > All Tasks > Issue. The certificate is then installed on Windows 7.


Autoenrollment through Group Policy

Right-click Default Domain Policy > Edit.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
Right-click Certificate Services Client - Auto-Enrollment > Properties and set it to Enabled (tick renewing expired certificates and updating certificates that use templates as well). The same setting exists under User Configuration for user certificates.
In Certification Authority, right-click Certificate Templates > Manage,


Duplicate the template. On the Security tab grant Authenticated Users (or, better, a narrower group) Enroll and Autoenroll.


With Enroll and Autoenroll granted, the Windows 7 computer receives the certificate automatically at the next policy refresh. Double-click the certificate: Issued by shows the CA server.


In the Certification Authority console, right-click the CA node > Properties to view the CA's own certificate and its policy settings.


Issued certificates record who issued them (the Administrator), and the Security tab of the CA properties lists the permissions on the CA itself (Manage CA, Issue and Manage Certificates, Request Certificates).


CRL, Certificate Revocation List

When the administrator revokes a certificate, on the root or on a subordinate, its serial number is added to the CRL, which the CA publishes on a schedule; clients download the CRL to check that a certificate is still valid. Revocation is not pushed to clients as a notification; they learn of it at the next CRL fetch.
The CA's log files (its database and the events in Event Viewer) record every issue and revoke operation.


KRA, Key Recovery Agent

When a certificate's private key is archived on the CA, a user who loses the key (a new profile, a rebuilt machine) can get it back: the KRA decrypts the archived key that belongs to the user's certificate.
Recovery needs a user that holds a KRA certificate; in the lab this user is a member of Domain Admins.
In Certification Authority, right-click Certificate Templates > Manage, then right-click the Key Recovery Agent template > Duplicate Template.


Security tab: the lab gives the KRA user Full Control,


and also grants Authenticated Users Full Control. Full Control for Authenticated Users lets any domain user rewrite the template, including who may hold a KRA certificate; grant the KRA users Read and Enroll only, and leave Authenticated Users with Read. OK > OK.
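As an added example (the editor's, not the course's), the following PowerShell audits the certificate templates in the Configuration partition for the two dangerous combinations that the template procedures on this page can create: a broad group with Enroll on a template whose subject name is supplied by the enrollee (the duplicated User template with Authenticated Users Enroll and Autoenroll), and a broad group with write or full control on a template (Authenticated Users with Full Control on the KRA duplicate). It uses ADSI only, since Windows Server 2008 has no AD PowerShell module; the list of "broad" group names and the verdict text are the editor's.

```powershell
# Added example: audit certificate templates for broad enroll/write rights.
# Assumes a domain-joined host with read access to the Configuration partition.
$ADR        = [System.DirectoryServices.ActiveDirectoryRights]
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$writeMask  = $ADR::GenericAll -bor $ADR::WriteDacl -bor $ADR::WriteOwner -bor $ADR::WriteProperty
$broad      = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users')

$cfgNC     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

foreach ($t in $container.Children) {
    $name     = [string]$t.Properties['cn'].Value
    $nameFlag = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrolleeSuppliesSubject = ($nameFlag -band 1) -ne 0          # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

    $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value.Split('\')[-1]
        if ($broad -notcontains $who) { continue }

        $rights    = $ace.ActiveDirectoryRights
        $canWrite  = ([int]($rights -band $writeMask)) -ne 0
        $canEnroll = (([int]($rights -band $ADR::ExtendedRight)) -ne 0) -and
                     ($ace.ObjectType -eq $enrollGuid -or $ace.ObjectType -eq [guid]::Empty)  # Empty = all extended rights

        if ($canWrite) {
            "$name : $who can modify the template ($rights)"
        } elseif ($canEnroll -and $enrolleeSuppliesSubject) {
            "$name : $who can enroll and supplies the subject name (impersonation risk if the template also allows client authentication)"
        }
    }
}
```

A template that a broad group can modify is as dangerous as one it can enroll from freely: the group can change the subject-name and application-policy settings itself and then enroll for whatever certificate it wants.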
Duplicate the User template as well. On the Request Handling tab tick Archive subject's encryption private key, so the CA keeps a copy of the private key when it issues the certificate.


Subject Name tab: include the e-mail name in the subject.
Security tab: Authenticated Users Enroll and Autoenroll.


Issue both templates: Certificate Templates > New > Certificate Template to Issue.
The KRA user requests a certificate from the MMC. Since the KRA certificate must chain to the root, first export the root CA certificate: in the CA console right-click the CA > Properties > View Certificate,


Details tab > Copy to File,


Next > Next to save it, then copy it to a shared folder.
On Windows 7, copy the certificate from the shared folder and open Start > Run > mmc,


File > Add/Remove Snap-in > Certificates.
Right-click Trusted Root Certification Authorities > All Tasks > Import, select the certificate, Next > Next.


Right-click Personal > All Tasks > Request New Certificate and choose the KRA template.


Next > Finish. The KRA request waits for the administrator to issue it on the root CA.
On the server, in Certification Authority, issue the pending KRA request. In Issued Certificates double-click it, Details > Copy to File,


choose Cryptographic Message Syntax Standard (PKCS #7) with all certificates in the path, and save the file


to the shared folder. On Windows 7, copy the file from the shared folder, Start > Run > mmc, File > Add/Remove Snap-in, right-click Personal > All Tasks > Import,


set the file type to All Files, select it, Next > Finish.
Two certificates are now imported, the root and the KRA certificate. Double-click the KRA certificate > Details > Copy to File,


this time choosing to export the private key. The KRA private key is what decrypts every archived key, so the exported .pfx must be protected as carefully as the CA itself (a strong password, no copies left on shares). Export it, then import it on the CA machine.



Next > Next.
Register the KRA on the root CA: in Certification Authority, right-click the CA > Properties > Recovery Agents tab, choose Archive the key, and under Key recovery agent certificates


click Add, select the KRA certificate, OK. Restart the Active Directory Certificate Services service for the change to take effect.


Without the restart the CA reports the KRA certificate as not valid (an error). On Windows 7: Start > Run > mmc, File > Add/Remove Snap-in, right-click Personal > All Tasks > Request New Certificate, choose the User template (the duplicate with key archival), Enroll > Next > Finish.


The user now has a certificate whose private key is archived on the CA!!! To recover it, the KRA's certificate and private key (the .pfx) must be present on the machine where recovery runs; in the lab the KRA user's profile on the CA holds them: on the CA, Personal > All Tasks > Import the .pfx.


Simulate the loss of the key by deleting the user's certificate. On the CA, in Issued Certificates, double-click the user's certificate,


Details tab > Serial Number: copy it (Ctrl+C); it identifies the archived key to recover. Recovery is done with certutil: right-click Command Prompt > Run as administrator, then:
certutil -getkey "<serial number of the copied certificate>" <output file>
certutil -getkey retrieves the archived key blob for that certificate from the CA database, still encrypted to the KRA certificate, and writes it to the file.


certutil -recoverkey <blob file> <output .pfx>
decrypts the blob with the KRA private key and writes a password-protected .pfx holding the user's certificate and private key, for example under C:\. Copy the .pfx to the shared folder.
On Windows 7, as the user, copy the .pfx from the shared folder, Start > Run > mmc, File > Add/Remove Snap-in, right-click Personal > All Tasks > Import,


Next > Next > Finish. The user's certificate and private key are back; its serial number matches the one used for the recovery.


Active Directory Rights Management Services

AD RMS first shipped as an add-on for Windows Server 2003 R2 and is a role in Windows Server 2008.

NTFS permissions on a shared folder control who can open a file, but once a user has read access nothing stops copying, printing or a screen capture. AD RMS protects the content itself: the rights (read, change, print, copy) travel with the document and are enforced by the application.
Clients: Windows 7, Vista and XP SP3 include the RMS client; XP SP2 needs the Rights Management Client installed.
Users need an e-mail address attribute in AD; RMS identifies them by it.
The AD RMS service account is a dedicated domain user with no password change or expiration (the password never expires and the user cannot change it).

AD RMS requirements: a CA (for the server certificate), a DC, SQL Server 2005/2008 to host the databases (or the Windows Internal Database), and an RMS-aware application such as Microsoft Office.
Before installing, create a DNS CNAME for the RMS cluster URL rather than using the machine name, so the server can be replaced later without changing the URL. On the domain controller: Start > Administrative Tools > DNS, open the domain zone that holds the machine's A record, right-click > New Alias (CNAME),


and browse to the RMS server's A record as the target host.
The RMS server also needs a server certificate for its SSL URL. In the lab IIS and Certificate Services are on the domain controller, which acts as the CA.
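As an added example (the editor's, not the course's), the following creates the RMS cluster CNAME with dnscmd and checks the two service account properties the course requires. The zone ciscawy.com, alias rms, host rms01.ciscawy.com, DC name dc.ciscawy.com and account svc-rms are assumed names.

```powershell
# Added example: CNAME for the RMS cluster URL, and a check of the service account.
# Assumed names: zone ciscawy.com, alias rms, host rms01, DC dc.ciscawy.com, user svc-rms.
dnscmd dc.ciscawy.com /RecordAdd ciscawy.com rms CNAME rms01.ciscawy.com.
nslookup rms.ciscawy.com dc.ciscawy.com

# Locate the service account with ADSI (no AD PowerShell module on Windows Server 2008)
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($rootDse.defaultNamingContext)")
$searcher.Filter = '(&(objectClass=user)(sAMAccountName=svc-rms))'
$acct = $searcher.FindOne().GetDirectoryEntry()

# "Password never expires" is the DONT_EXPIRE_PASSWORD bit of userAccountControl
$uac = [int]$acct.Properties['userAccountControl'].Value
$neverExpires = ($uac -band 0x10000) -ne 0

# "User cannot change password" is not a UAC bit: it is a Deny ACE for the
# User-Change-Password extended right on the account, so read the ACL
$changePw = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$denied = $acct.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $changePw }

'svc-rms: password never expires = {0}; user cannot change password = {1}' -f $neverExpires, [bool]$denied
```

A non-expiring service account password is the usual trade-off for a service that must not stop when a policy rotates passwords; compensate by giving the account no interactive logon rights and no group memberships beyond what AD RMS needs.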


On the CA the Web Server template is used for the RMS server's certificate: Server Manager > Active Directory Certificate Services > Certificate Templates, duplicate Web Server, and on the Security tab add the RMS computer account with Enroll.


Issue the template (New > Certificate Template to Issue).
Export the CA certificate so the RMS server trusts it: right-click Ciscawy-CA > Properties > View Certificate,


Details > Copy to File,


Next > Next, and save it to a shared folder.
On the RMS machine, copy the certificate from the shared folder, Start > Run > mmc, File > Add/Remove Snap-in, add Certificates (Computer account),


right-click Trusted Root Certification Authorities (not Personal: this is the CA's certificate) > All Tasks > Import,


Next > Next > Next. Then request the RMS server's own certificate: right-click Personal > All Tasks > Request New Certificate and choose the Web Server template.
Lab: the RMS server is a domain member machine, not the domain controller.
Server Manager > Roles > Add Roles > Active Directory Rights Management Services.


IIS is added as a required role service.


Create a new AD RMS cluster (a cluster is one or more RMS servers behind one URL; adding servers gives load balancing).
Database: a SQL Server, or the Windows Internal Database for a single-server lab.


Service account: the dedicated user created earlier.
Cluster key storage: the AD RMS cluster key is protected by a password; record it, because it is needed to add servers to the cluster later, and a wrong entry here stops the installation with an error.



Web site: Default Web Site under Sites.
Cluster address: choose HTTP or HTTPS and the URL (the CNAME, not the machine name).


Server licensor certificate name, then registration of the service connection point in AD (this step needs an Enterprise Administrator).


Install > Finish, then restart the server. The AD RMS node appears in Server Manager; from there the service account can be changed later.


Rights Policy Templates

Create Distributed Rights Policy Template: a template defines which users get which rights on protected content. Click Add,


add the users or groups (by e-mail address) and the rights each one gets. Templates are distributed to clients from the cluster's web server.


Finish. On a machine with a shared folder and the client application (Microsoft Office 2007/2010), on Windows 7 as a user covered by the distributed rights policy, open a Word document from the shared folder,
File > Prepare > Restrict Permission > Restricted Access,


Office contacts the RMS cluster. Select the user and the permission: Read, Change, or More Options for expiry and printing. Here Basem gets Read on the document in the shared folder.
When that user opens it, only the permitted actions remain active in the menu; Copy, Print and Save As are greyed out.


Active Directory Federation Services

AD FS is a role in Windows Server 2008.

The problem: a user in forest A needs access to a web application in forest B. Two options between forests:
o A forest trust: authentication across the trust.
o Federation Services: single sign-on without a forest trust.

Federation Services: authentication is done by the user's own organization, against AD DS or AD LDS, and the result is passed to the other side as claims.

AD FS terms:
Resource organization: the forest that hosts the application.
Account organization: the forest that holds the accounts (in AD DS or AD LDS) and authenticates them.
Federation Service: the server that issues and verifies security tokens.
Claims: statements about the user (name, group, e-mail) that the account side sends to the resource side; the domain's groups become group claims.
Claims-aware application: an application that reads the claims instead of looking up the user's account in its own forest.
Cookies: after authentication the federation server sets a cookie, so the user is not re-authenticated for every request (single sign-on).


Federation Service Proxy: sits in the perimeter, in front of the federation server behind the firewall, for external clients.
Flow: the client requests the web application in forest B; the resource federation server redirects the client to the account federation server in forest A, where AD DS authenticates the user; the token comes back to the web server, which grants access.
Scenario: 4 machines across two forests, Netriders.com and Ciscawy.com:
Ciscawy.com forest: DC.ciscawy.com (domain controller and account federation server)
Netriders.com forest: Resource.Netriders.com (domain controller and resource federation server)
Member of Netriders.com: Web.Netriders.com (web server)
Member of Ciscawy.com: Win-7.ciscawy.com (client)


In the Ciscawy.com forest, create the group and user that will authenticate. Each forest's DNS needs a conditional forwarder for the other forest, pointing at the IP address of that forest's DC.


On Netriders.com: a conditional forwarder for Ciscawy.com.
Install the federation service: Server Manager > Roles > Add Roles > Active Directory Federation Services > Federation Service. IIS is added,


and the wizard asks for a server authentication certificate: Create a self-signed certificate (lab only; each forest's federation server gets its own).


Create a new trust policy. Next > Install.
Then, on each forest's federation server, IIS must require SSL: Start > Run > inetmgr, Default Web Site > SSL Settings,


tick Require SSL > Apply. Do this in both forests.
In the Netriders.com forest, export the federation server's certificate so the web server can trust it: Start > Run > inetmgr > Server Certificates,


right-click the Resource machine's certificate > Export, protect it with a password and save it to a shared folder.
On the Netriders.com member web server: Server Manager > Roles > Add Roles >


Active Directory Federation Services > Claims-aware Agent (the web agent that reads the claims and lets the client access the application).


IIS is added; Next. The wizard requires Client Certificate Mapping Authentication and the IIS Management Console.


Next > Finish. Create a self-signed certificate for IIS on this machine: Start > Run > inetmgr > Server Certificates > Create Self-Signed Certificate.


Sites > Default Web Site > Bindings,


Add, Type https, select the machine's certificate, OK. The site now has an SSL binding.


SSL Settings > Require SSL > Apply.
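As an added example (the editor's, not the course's), this is the command-line form of the IIS steps used on this page: add the https binding, bind the certificate, and tick Require SSL. It applies equally to the federation servers, the web server and the CA's certsrv site. It assumes the server certificate is already in the machine store with subject CN=web.netriders.com (created with Create Self-Signed Certificate or, better, requested from the enterprise CA); the appid is the GUID IIS itself uses for its bindings.

```powershell
# Added example: https binding + Require SSL from the command line.
# Assumes a certificate with subject CN=web.netriders.com in the machine store.
$fqdn   = 'web.netriders.com'
$site   = 'Default Web Site'
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

# 1. Pick the newest certificate whose subject matches the host name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate for CN=$fqdn in the machine store" }

# 2. Add the https binding on port 443 and bind the certificate to it in HTTP.SYS
& $appcmd set site /site.name:"$site" "/+bindings.[protocol='https',bindingInformation='*:443:']"
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}'

# 3. Require SSL for the whole site (the SSL Settings > Require SSL checkbox)
& $appcmd set config "$site" /section:access /sslFlags:Ssl /commit:apphost

# 4. Verify: the site's bindings and the HTTP.SYS certificate table
& $appcmd list site "$site"
netsh http show sslcert ipport=0.0.0.0:443
```

With a self-signed certificate every client still has to trust it explicitly, which is why the page imports it into Trusted Root on the other machines; a certificate from the enterprise CA avoids that step because domain members already trust the CA.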

Import the Resource.Netriders.com (federation server) certificate on the web server so the agent trusts the federation server: Start > Run > mmc, File > Add/Remove Snap-in > Certificates (Computer account),


Next > Finish, then right-click Trusted Root Certification Authorities > All Tasks > Import and select the exported certificate.


Export this web server's own certificate as well; the federation servers need it to verify the application.


Claims-aware application: in IIS, right-click Default Web Site > Add Application, select the Classic .NET application pool, and point the physical path at C:\inetpub\wwwroot\claim (the sample claims-aware application). Its web.config on this machine points the agent at the federation server.


Federation Service configuration on Ciscawy.com (the account side): Start > Administrative Tools > Active Directory Federation Services. Right-click Trust Policy > Properties,


Federation Service URI: urn:federation:Ciscawy, and a display name.
Authentication across the forests is based on a group claim: Trust Policy > My Organization > Organization Claims > right-click > New > Organization Claim (a group claim).


Add the Ciscawy.com AD DS as the account store of this federation service: Trust Policy > My Organization > Account Stores > right-click > New > Account Store, choose Active Directory.


Finish. Map the group claim to an AD group: under the account store, right-click the group claim > Add,


select the group, OK.
On Netriders.com (the resource side): Start > Administrative Tools > Active Directory Federation Services, right-click Trust Policy > Properties, Federation Service URI urn:federation:Netriders,


and a display name. The application makes its authorization decision on the group claim that arrives from Ciscawy.com, so create the matching organization claim here too: Trust Policy > My Organization > Organization Claims > New > Organization Claim. The web server authenticates nobody itself.
No AD DS account store is needed on the resource side (the accounts are in Ciscawy.com).
Add the application: Trust Policy > My Organization > Applications > right-click > New > Application,


Claims-aware application, hosted on the web server,


URL https://web.netriders.com/claimapp (web.netriders.com is the web server machine). Next > Finish.
Trust between the two federation services: each side imports the other's policy. On Ciscawy.com: right-click Trust Policy > Export Basic Partner Policy,


save to a shared folder. In the Netriders.com forest: Start > Administrative Tools > Active Directory Federation Services > Partner Organizations > right-click Account Partners > New > Account Partner, named Ciscawy,


browse to the exported policy file,


enable federated single sign-on (SSO),


Next > Finish. Under the new account partner, right-click > New > Incoming Group Claim Mapping and map the group claim coming from the Ciscawy.com forest to the group claim used by the claims-aware application.


Then export Netriders.com's policy for Ciscawy.com: on Netriders.com right-click Trust Policy > Export Basic Partner Policy, save to a shared folder,


and in the Ciscawy.com forest: Start > Administrative Tools > Active Directory Federation Services > Partner Organizations > Resource Partners > New > Resource Partner, named Netriders, importing that file.


Next > Finish. Restart IIS (iisreset). On the client: Start > Run > https://web.netriders.com/claimapp. The web server's federation agent redirects the client to the resource federation server.


Continue past the certificate warning (self-signed), pick the Ciscawy domain from the home realm list and Submit; authenticate with the Ciscawy user's credentials and the application loads.


Active Directory Lightweight Directory Services

AD LDS is a role in Windows Server 2008.

Applications often need a directory of their own objects, separate from the forest, without modifying the Active Directory schema or database. AD LDS is a stand-alone directory on the machine, independent of AD DS (the successor of ADAM, Active Directory Application Mode, in Windows Server 2003). It runs as an LDAP service that applications query; several instances can coexist on one machine on different ports, and adding or removing an instance needs no reboot.
Each instance has its own schema and configuration partitions plus one or more application partitions for its objects: object classes and attributes are defined per instance, unlike AD DS where the schema is forest-wide.

Server Manager > Roles > Add Roles,


Active Directory Lightweight Directory Services, Next > Install.


Click here to create a new AD LDS instance. Choose A unique instance.


Instance name, then the LDAP and SSL ports. If AD DS is on the machine, ports 389 and 636 are taken; the wizard proposes 50000/50001 for a first instance. Application partition: create one now,


with a distinguished name (for example O=..., CN=..., or a DC= name like a domain). Choose the install location, the service account (Network Service by default, or This account), and the instance administrator (the current user by default, or a named account or group).


Managing the LDS instance: Start > Administrative Tools > ADSI Edit.


Right-click ADSI Edit > Connect to: enter the computer name and the instance's port, then the partition's distinguished name, OK (the connection is plain LDAP on that port).
Right-click the partition > New > Object and pick a class; the objects are stored in the instance on this server, not in AD DS.
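As an added example (the editor's, not the course's), the following uses ADSI to connect to an AD LDS instance on its LDAP port, create an OU and a user in the application partition, read them back, and check replication. The instance lds1.ciscawy.com:50000, the partition O=CiscawyApp and the object names are assumed, and the instance is assumed to have had MS-User.LDF imported at creation (it defines the user class).

```powershell
# Added example: create and read objects in an AD LDS instance with ADSI.
# Assumed: lds1.ciscawy.com:50000, partition O=CiscawyApp, MS-User.LDF imported.
# The bind uses the current Windows identity (Negotiate). A simple bind on this
# port would send the password in clear, so application accounts should bind on
# the SSL port (50001) once a server certificate is installed.
$server    = 'lds1.ciscawy.com:50000'
$partition = 'O=CiscawyApp'
$root = [ADSI]"LDAP://$server/$partition"

# Create an OU, then a user inside it
$ou = $root.Children.Add('OU=Apps', 'organizationalUnit')
$ou.CommitChanges()
$user = $ou.Children.Add('CN=app-reader', 'user')
$user.Properties['displayName'].Value = 'Application reader'
$user.Properties['msDS-UserAccountDisabled'].Value = $false
$user.CommitChanges()
# Password operations are refused over an unencrypted connection by default;
# set the password over LDAPS instead, for example:
# ([ADSI]"LDAP://lds1.ciscawy.com:50001/CN=app-reader,OU=Apps,$partition").Invoke('SetPassword', $pw)

# Read back every user in the partition
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=user)')
$searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# Replication status of this instance (repadmin understands server:port for AD LDS)
repadmin /showrepl lds1.ciscawy.com:50000
```

Because the instance administrator chosen in the wizard is the only principal with rights by default, delegate application accounts the minimum they need on the application partition rather than making them instance administrators.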


Replication: a second instance (LDS 2) on another server can replicate with LDS 1. Replication works in a workgroup as well as in a domain; between domain-joined machines the machine accounts authenticate each other, in a workgroup a common user account is needed. The firewall must allow the instance's port. The replication interval defaults to 15 minutes, configured as for AD DS sites. On the second server, choose A replica of an existing instance.



Enter the source server and the LDAP port of the existing instance (the port chosen on the first server), then browse to the partition to replicate.


Choose a port for the new instance (it can be the same number as on the first server, since they are different machines).


After AD LDS is installed on the second server: Start > Administrative Tools > ADSI Edit, right-click > Connect to,


and the objects created on the first instance are present.
To manage replication: Active Directory Sites and Services can connect to an AD LDS instance using machine:port.


Once connected, the instance's site appears; LDS instances can be placed in sites like domain controllers, and the Servers node under Sites and Services lists both instances.


References:
TechNet
70-640 TS: Windows Server 2008 Active Directory, Configuring, 2nd edition (PDF)
PowerPoint: 70-640 Windows Server 2008 Active Directory slides
