
Welcome

Thank you for taking our training.


Exam number and title
70-640: TS: Windows Server 2008 Active Directory, Configuring

Core exam for the following track


Microsoft Certified Systems Engineer: Windows Server 2008 Application Platform Configuration

PowerPoint Presentations at:

carrieclasses.wikispaces.com

Course Companion CD Student.zip file


Collection 6425: Configure Windows 2008 Active Directory Domain Services

Course 6710 6719 at http://itacademy.microsoftelearning.com

Course Outline
Week #1: Introducing Active Directory Domain Services
Week #2: Domain Controllers and Operations Masters
Week #3: Active Directory Administration and Managing Computers
Week #4: Manage Users and Groups
Week #5: Group Policies
Week #6: More Group Policies
Week #7: AD DS and DNS Integration
Week #8: Configure Active Directory Sites and Replication
Week #9: Directory Service Continuity
Week #10: Manage Multiple Domains and Trusts

Week 1: Introduction and Install Active Directory

Introducing Active Directory, Identity, and Access
Active Directory Components and Concepts
Extend IDA with Active Directory Services

Information Protection in a Nutshell
It's all about connecting users to the information they require, SECURELY!
IDA: Identity and Access
AAA: Authentication, Authorization, Accounting
CIA: Confidentiality, Integrity, Availability (and Authenticity)

Identity and Access (IDA)

Identity: a user account
Saved in an identity store (the directory database)
A security principal, represented uniquely by its security identifier (SID)

Resource: for example, a shared folder
Secured with a security descriptor
The security descriptor holds a discretionary access control list (DACL, ACL, or "permissions")
The ACL is made up of access control entries (ACEs)

Authentication and Authorization

A user presents credentials that are authenticated against the information stored with the user's identity
The system creates a security token that represents the user, holding the user's SID and all related group SIDs
A resource is secured with an access control list (ACL): permissions that pair a SID with a level of access
The user's security token is compared with the ACL of the resource to authorize a requested level of access

Authentication
Authentication is the process that verifies a user's identity

Credentials: at least two components are required
Username
Secret, for example, a password

Two types of authentication
Local (interactive) logon: authentication for logon to the local computer
Remote (network) logon: authentication for access to resources on another computer

Access Tokens

The user's access token contains:
User SID
Member group SIDs
Privileges (user rights)
Other access information

Security Descriptors, ACLs and ACEs

Security descriptor: owner, System ACL (SACL, for auditing), Discretionary ACL (DACL or ACL, for access control)
Each ACE in an ACL: trustee (SID), type (Allow or Deny), access mask

Authorization
Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource

Three components are required for authorization:
Resource access request (the level of access being asked for)
Security token: the user's access token (user SID, group SIDs, list of user rights, other access information)
Security descriptor: System ACL (SACL) and Discretionary ACL (DACL or ACL), each ACE pairing a trustee (SID) with an access mask

How the decision is made: the system walks the DACL in order. An explicit Deny ACE whose trustee is any SID in the user's token and whose mask covers a requested right denies access. Allow ACEs for matching SIDs accumulate rights until every requested right has been granted, at which point access is allowed. If the end of the DACL is reached before that, access is denied. Two consequences worth remembering: an empty DACL denies everyone, while a null (absent) DACL grants everyone full access.
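The following is an added example, not part of the course material: a small PowerShell model of the DACL walk described above, with a constructed token and a constructed DACL (the SIDs, access-mask values and account names are invented for illustration). It then dumps the ACEs of a real folder with Get-Acl so the same trustee/type/mask structure can be seen on a live object.

```powershell
# Added example, not from the course slides: a model of the Windows DACL check.
# The SIDs and ACEs below are constructed for illustration and are not real accounts.
# The access-mask bits are hypothetical labels standing in for the real rights bits.
$READ    = 1
$WRITE   = 2
$EXECUTE = 4

function Test-Access {
    param(
        [string[]]$TokenSids,   # the user's SID plus every group SID in the token
        [object[]]$Dacl,        # ACEs in the order they appear in the DACL
        [int]$Requested         # bitmask of the rights being requested
    )
    # A null DACL means the object is unprotected: everyone gets everything.
    if ($null -eq $Dacl) { return $true }
    $granted = 0
    foreach ($ace in $Dacl) {
        # Only ACEs whose trustee is in the token take part in the decision.
        if ($TokenSids -notcontains $ace.Trustee) { continue }
        $overlap = $ace.Mask -band $Requested
        if ($overlap -eq 0) { continue }
        if ($ace.Type -eq 'Deny') {
            # A matching Deny on any requested right ends the check immediately.
            return $false
        }
        $granted = $granted -bor $overlap
        # Stop as soon as every requested right has been granted.
        if ($granted -eq $Requested) { return $true }
    }
    # End of the DACL (including an empty DACL) without all rights: deny.
    return $false
}

# Constructed token: a user SID and one group SID it belongs to
$token = @('S-1-5-21-1000-2000-3000-1105', 'S-1-5-21-1000-2000-3000-513')

# Constructed DACL in canonical order: explicit Deny ACEs before Allow ACEs
$dacl = @(
    @{ Type = 'Deny';  Trustee = 'S-1-5-21-1000-2000-3000-1105'; Mask = $WRITE },
    @{ Type = 'Allow'; Trustee = 'S-1-5-21-1000-2000-3000-513';  Mask = ($READ -bor $WRITE) }
)

Test-Access -TokenSids $token -Dacl $dacl -Requested $READ                  # request Read only
Test-Access -TokenSids $token -Dacl $dacl -Requested ($READ -bor $WRITE)    # request Read and Write
Test-Access -TokenSids $token -Dacl @()   -Requested $READ                  # empty DACL
Test-Access -TokenSids $token -Dacl $null -Requested $WRITE                 # null DACL

# The same trustee / type / mask structure on a real object
(Get-Acl -Path $env:SystemRoot).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights
```

In the constructed case the Read request succeeds through the group's Allow ACE, while the Read-and-Write request fails because the Deny ACE on the user's own SID covers Write and is evaluated first; the empty DACL denies and the null DACL allows, which is why a null DACL on a shared resource is a finding, not a convenience.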

Stand-alone (Workgroup) Authentication

The identity store is the Security Accounts Manager (SAM) database on the Windows system
No shared identity store: each computer holds its own user accounts
Multiple user accounts per person, so management of passwords is challenging

Active Directory Domains: Trusted Identity Store

Centralized identity store, trusted by all domain members
Centralized authentication service
Hosted by a server performing the role of an Active Directory Domain Services (AD DS) domain controller

Active Directory, Identity, and Access

An IDA infrastructure should:
Store information about users, groups, computers and other identities
Authenticate an identity
Kerberos authentication used in Active Directory provides single sign-on: the user authenticates once to the Key Distribution Center and receives a ticket-granting ticket, then obtains service tickets for individual resources without re-entering credentials
Control access
Provide an audit trail

Active Directory services

Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services (AD FS)

Active Directory As a Database

Active Directory is a database (Schema demo)
Each record is an object: users, groups, computers, ...
Each field is an attribute: logon name, SID, password, description, membership, ...
Identities (security principals or accounts) are objects like any other
AD DS is, in the end, a database and the services that support or use that database
Services: Kerberos, DNS, replication, etc.

Accessing the database
Windows tools, user interfaces, and components
APIs (.NET, VBScript, Windows PowerShell)
Lightweight Directory Access Protocol (LDAP)

Organizational Units

Containers: Users, Computers
Organizational units: containers that also support the management and configuration of objects using Group Policy
Create OUs to delegate administrative permissions and to apply Group Policy

Policy-Based Management
Active Directory provides a single point of management for security and configuration through policies

Group Policy: configuration applied to users or computers by scoping a GPO containing configuration settings
Domain password and lockout policy
Audit policy
Fine-grained password and lockout policies (password settings objects, which require the Windows Server 2008 domain functional level)

The Active Directory Data Store

%systemroot%\NTDS\ntds.dit
Logical partitions (naming contexts): Schema, Configuration, Domain, and the DNS application partitions (DomainDnsZones, ForestDnsZones)
Global catalog (aka Partial Attribute Set, PAS): not a partition of its own but a read-only partial replica of every other domain's Domain partition, held on global catalog servers
SYSVOL: %systemroot%\SYSVOL, holding logon scripts and policies (Group Policy templates)

Domain Controllers
Servers that perform the AD DS role

Host the Active Directory database (NTDS.DIT) and SYSVOL, both replicated between domain controllers
Kerberos Key Distribution Center (KDC) service: authentication
Other Active Directory services

Best practices
Available: at least two in a domain
Secure: Server Core, read-only domain controllers (RODCs)

Domain
Made up of one or more DCs; all DCs replicate the domain naming context (Domain NC)

The domain is the context within which users, groups, computers, and so on are created
Replication boundary for the Domain NC
Trusted identity source: any DC can authenticate any logon in the domain
The domain is the maximum scope (boundary) for certain administrative policies: password and lockout policy

Replication
Multimaster replication

Objects and attributes in the database and the contents of SYSVOL are replicated
Several components work to create an efficient and robust replication topology and to replicate granular changes to AD
The Configuration partition of the database stores information about sites, network topology, and replication
(Figure: DC1, DC2 and DC3 replicating with one another)

Sites
An Active Directory object that represents a well-connected portion of your network

Associated with subnet objects representing IP subnets
Intrasite vs. intersite replication
Replication within a site occurs very quickly (15-45 seconds)
Replication between sites can be managed
Service localization: log on to a DC in your site
(Figure: Site A and Site B)

Tree
One or more domains in a single instance of AD DS that share a contiguous DNS namespace

Example: treyresearch.net and antarctica.treyresearch.net form one tree; proseware.com is a separate tree in the same forest

Forest
A collection of one or more Active Directory domain trees
First domain is the forest root domain

Single configuration and schema, replicated to all DCs in the forest
A security and replication boundary

The Global Catalog

Partial Attribute Set (PAS), also called the global catalog
Contains every object in every domain in the forest
Contains only selected attributes of each object (the PAS)
A type of index
Can be searched from any domain (global catalog queries use LDAP on TCP port 3268, or 3269 over SSL, rather than the domain partition's 389/636)
Very important for many applications
(Figure: each global catalog server holds the PAS of Domain A and Domain B)
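As an added example (not from the course) covering both the "Accessing the database" slide and the global catalog slide: the script below queries one user over LDAP against the domain partition and again over the GC provider against the whole forest, decodes the binary objectSid into the familiar S-1-5-21 form, and reports which of the requested attributes the global catalog actually returned. It assumes a domain-joined machine, a domain user, and the account name jsmith; the attribute list is an arbitrary sample.

```powershell
# Added example, not from the course: search over LDAP (one domain) and over the
# global catalog (whole forest), and compare what each returns. Assumes a
# domain-joined host and a domain user; the account name is an assumed value.
$sam = 'jsmith'   # assumed sAMAccountName; replace with a real account

function Find-DirectoryUser {
    param(
        [string]$SamAccountName,
        [string]$Provider = 'LDAP',      # 'LDAP' searches one domain, 'GC' the whole forest
        [string[]]$Attributes = @('distinguishedName', 'objectSid', 'memberOf')
    )
    $rootDse = [ADSI]"${Provider}://rootDSE"
    if ($Provider -eq 'GC') {
        $dn = $rootDse.Properties['rootDomainNamingContext'][0]
    } else {
        $dn = $rootDse.Properties['defaultNamingContext'][0]
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"${Provider}://$dn")
    # objectCategory=person plus objectClass=user selects user accounts, not computers or contacts
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange($Attributes)
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user '$SamAccountName' found via $Provider" }
    $result
}

function Get-SidFromResult {
    param([System.DirectoryServices.SearchResult]$Result)
    # objectSid is stored as a binary blob; SecurityIdentifier renders it as S-1-5-21-...
    $bytes = [byte[]]$Result.Properties['objectsid'][0]
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Compare-GcCoverage {
    param([string]$SamAccountName, [string[]]$Attributes)
    $ldap = Find-DirectoryUser -SamAccountName $SamAccountName -Provider 'LDAP' -Attributes $Attributes
    $gc   = Find-DirectoryUser -SamAccountName $SamAccountName -Provider 'GC'   -Attributes $Attributes
    foreach ($a in $Attributes) {
        # SearchResult property names are lower-cased; an attribute outside the PAS is simply absent from the GC result
        New-Object PSObject -Property @{
            Attribute = $a
            FromLdap  = $ldap.Properties.Contains($a.ToLower())
            FromGc    = $gc.Properties.Contains($a.ToLower())
        }
    }
}

$user = Find-DirectoryUser -SamAccountName $sam
$user.Properties['distinguishedname'][0]
(Get-SidFromResult -Result $user).Value
Compare-GcCoverage -SamAccountName $sam -Attributes @('sAMAccountName', 'mail', 'memberOf', 'employeeID', 'info') |
    Format-Table Attribute, FromLdap, FromGc -AutoSize
```

Read the table carefully: an attribute missing from both results is simply not set on the object, while one present over LDAP but absent over the GC is outside the Partial Attribute Set. The memberOf value from the GC also deserves caution, since it only reflects group memberships that are themselves replicated to the global catalog, which is the underlying reason applications that need complete group information must query the user's own domain.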

Functional Level
Domain functional levels and forest functional levels

New functionality requires that all domain controllers are running a particular version of Windows:
Windows 2000, Windows Server 2003, Windows Server 2008

Cannot raise the functional level while DCs are running previous versions of Windows
Cannot add DCs running previous versions of Windows after raising the functional level
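An added example, not from the course: the preflight check an administrator runs before raising a functional level. It reads the current domain and forest levels from rootDSE, lists the operating system of every domain controller in the domain (including RODCs), and names any DC that would block the Windows Server 2008 level. It assumes a domain-joined host and a domain user; the level-name table covers the levels the slide lists.

```powershell
# Added example, not from the course: preflight check before raising a functional
# level. Reads the current levels from rootDSE and lists the operating system of
# every DC, because a single older DC blocks the raise. Assumes a domain-joined
# host and a domain user.
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

function Get-FunctionalLevelReport {
    $rootDse     = [ADSI]'LDAP://rootDSE'
    $domainLevel = [int]$rootDse.Properties['domainFunctionality'][0]
    $forestLevel = [int]$rootDse.Properties['forestFunctionality'][0]
    $domainDn    = $rootDse.Properties['defaultNamingContext'][0]

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers
    $searcher.Filter = '(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'operatingSystem', 'operatingSystemVersion'))
    $dcs = foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name    = $r.Properties['name'][0]
            OS      = $r.Properties['operatingsystem'][0]
            Version = $r.Properties['operatingsystemversion'][0]
        }
    }
    # operatingSystemVersion reads "6.0 (6001)" on Windows Server 2008; anything below 6.0 blocks the 2008 level
    $blocking = $dcs | Where-Object { [double](($_.Version -split ' ')[0]) -lt 6.0 }

    New-Object PSObject -Property @{
        DomainLevel           = $levelNames[$domainLevel]
        ForestLevel           = $levelNames[$forestLevel]
        DomainControllers     = $dcs
        BlocksServer2008Level = @($blocking | ForEach-Object { $_.Name })
    }
}

$report = Get-FunctionalLevelReport
$report | Select-Object DomainLevel, ForestLevel
$report.DomainControllers | Format-Table Name, OS, Version -AutoSize
$report.BlocksServer2008Level
```

The check covers only the domain it is run in; repeat it in every domain of the forest before raising the forest functional level, since that raise requires every domain to already be at the target domain level.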

DNS and Application Partitions

Active Directory and DNS are tightly integrated
One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory
Complete reliance on DNS to locate computers and services in the domain
A domain controller acting as a DNS server can store the zone data in Active Directory itself, in an application partition
(Figure: Schema, Configuration, Domain, DNS and PAS partitions)

Trust Relationships
Extends the concept of a trusted identity store to another domain

Trusting domain (the one with the resource) trusts the identity store and authentication services of the trusted domain
A trusted user can authenticate to, and be given access to resources in, the trusting domain
Within a forest, each domain trusts all other domains
Trust relationships can be established with external domains
(Figure: trusted domain and trusting domain)

Active Directory Lightweight Directory Services (AD LDS)

Standalone version of Active Directory
Used to support applications that require a directory store
Allows customization without impact on the production Active Directory

Characteristics
A subset of AD DS functionality, sharing the same code
Schema, Configuration, and Application partitions
Replication
Not dependent upon AD DS
Can use AD DS to authenticate Windows security principals
Can run multiple instances on a single server

Active Directory Certificate Services (AD CS)

Extends the concept of trust
A certificate from a trusted certificate authority (CA) proves identity
Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA that issued the certificates you present
Creates a public key infrastructure (PKI)
Confidentiality, Integrity, Authenticity, Non-Repudiation

Many uses
Internal-only or external
Secure Web sites (SSL)
VPN
Wireless authentication and encryption
Smart card authentication

Integration with AD DS is powerful, but not required

Active Directory Rights Management Services (AD RMS)

Protects information beyond the access decision, by controlling how it may be used once access is granted
Traditional model: the ACL defines access; there is no restriction on use
AD RMS: ensures access is limited and also defines use

Examples
Limit access to specified individuals
View e-mail but do not forward or print
View and print a document but cannot change or e-mail it

Requires
AD RMS server role
IIS, database (SQL Server or Windows Internal Database)
AD DS
RMS-enabled applications, including Microsoft Office applications and Internet Explorer

Active Directory Federation Services (AD FS)

Extends the authority of AD DS to authenticate users
Traditional trust between two Windows domains:
Numerous TCP ports open in firewalls
Everyone from the trusted domain is trusted

AD FS uses Web services technologies to implement trust:
One side is an AD DS or AD LDS directory; the other side can be Active Directory or another platform
Only port 443 (HTTPS) is needed; transactions are encrypted
Rules specify which users from the trusted organization are trusted

Uses
Business-to-business partnership
Single sign-on

Install Windows Server 2008

Boot with the installation media (DVD)
Follow the prompts and select the operating system to install

Server Manager and Role-Based Configuration of Windows Server 2008

Windows Server 2008 has a minimal footprint; functionality is added as roles or features
Server Manager: role and feature configuration along with the common administrative snap-ins for the server

Install and Configure a Domain Controller

1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password

Prepare to Create a New Forest with Windows Server 2008

Domain's DNS name (e.g. contoso.com)
Domain's NetBIOS name (e.g. CONTOSO)
Whether the new forest will need to support DCs running previous versions of Windows (affects the choice of functional level)
Details about how DNS will be implemented to support AD DS
Default: creating the domain controller adds the DNS Server role as well
IP configuration for the DC: IPv4 and, optionally, IPv6
Username and password of an account in the server's Administrators group; the account must have a password
Location for the data store (ntds.dit) and SYSVOL
Default: %systemroot% (c:\windows)
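As an added example (not part of the course), the six wizard steps and the checklist above can be carried out unattended. The script below validates the inputs a practitioner most often gets wrong (NetBIOS length, FQDN shape, NTFS for SYSVOL, static IP, elevation), writes a dcpromo answer file for a new forest, and invokes dcpromo. The domain names, paths and output file location are assumed values; the [DCINSTALL] keys are the Windows Server 2008 dcpromo unattend parameters.

```powershell
# Added example, not from the course: build a dcpromo answer file for a new forest
# from the checklist above, after sanity-checking the inputs. Names, paths and the
# output file are assumed values.
function New-ForestAnswerFile {
    param(
        [string]$DnsName,                              # e.g. contoso.com
        [string]$NetBiosName,                          # e.g. CONTOSO
        [System.Security.SecureString]$DsrmPassword,   # Directory Services Restore Mode password
        [int]$FunctionalLevel = 3,                     # 0 = 2000, 2 = 2003, 3 = 2008
        [string]$DatabasePath = "$env:SystemRoot\NTDS",
        [string]$LogPath      = "$env:SystemRoot\NTDS",
        [string]$SysvolPath   = "$env:SystemRoot\SYSVOL",
        [string]$OutFile      = "$env:SystemRoot\Temp\newforest.txt"
    )
    # NetBIOS names are limited to 15 characters; the DNS name must be an FQDN with at least two labels
    if ($NetBiosName.Length -gt 15) { throw 'NetBIOS domain name must be 15 characters or fewer' }
    if ($DnsName -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') { throw 'DNS domain name must be a fully qualified name such as contoso.com' }
    # SYSVOL must live on an NTFS volume
    $sysvolDrive = Split-Path -Qualifier $SysvolPath
    $fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysvolDrive'").FileSystem
    if ($fs -ne 'NTFS') { throw "SYSVOL path must be on NTFS, found $fs on $sysvolDrive" }
    # A DC needs a static address; warn if any enabled adapter still uses DHCP
    $dhcp = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | Where-Object { $_.DHCPEnabled }
    if ($dhcp) { Write-Warning 'An enabled network adapter uses DHCP; assign a static IPv4 address before promoting' }
    # Promotion must run elevated as a member of the local Administrators group
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated prompt as a member of Administrators' }

    # dcpromo reads the DSRM password in clear text, so the file is a secret: protect it and delete it after promotion
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($DsrmPassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DnsName
DomainNetBiosName=$NetBiosName
ForestLevel=$FunctionalLevel
DomainLevel=$FunctionalLevel
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="$DatabasePath"
LogPath="$LogPath"
SYSVOLPath="$SysvolPath"
SafeModeAdminPassword=$plain
RebootOnCompletion=Yes
"@ | Set-Content -Path $OutFile -Encoding ASCII
    $OutFile
}

$answer = New-ForestAnswerFile -DnsName 'contoso.com' -NetBiosName 'CONTOSO' `
    -DsrmPassword (Read-Host -Prompt 'DSRM password' -AsSecureString)
# On Windows Server 2008 dcpromo installs the AD DS binaries itself if the role is not yet present
dcpromo /unattend:"$answer"
```

Running the last line promotes the server and reboots it, so keep it commented out until the answer file has been reviewed. The DSRM password is the credential that opens the offline copy of ntds.dit, which is why the file should be removed as soon as promotion completes and why the password deserves the same handling as a domain administrator's.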
