Official Microsoft Learning Product

6424A Fundamentals of Windows Server® 2008 Active Directory®

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

BETA COURSEWARE. EXPIRES 4/30/2008


Fundamentals of Windows Server® 2008 Active Directory®

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Internet Explorer, MSDN, MS-DOS, Outlook, PowerPoint, Excel, SharePoint, SQL Server, Visio, Windows, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Technical Reviewer: Ronald Bigras

Product Number: 6424A Part Number : N/A Released: 11/2008


MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS COURSEWARE – BLENDED LEARNING COURSE - STUDENT EDITION

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the licensed content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this licensed content, unless other terms accompany those items. If so, those terms apply. By using the licensed content, you accept these terms. If you do not accept them, do not use the licensed content. If you comply with these license terms, you have the rights below.

1. OVERVIEW. Licensed Content. The licensed content includes software, printed materials, academic materials (online and electronic), and associated media. License Model. The licensed content is licensed on a per copy per device basis.

2. INSTALLATION AND USE RIGHTS. a. Licensed Device. The licensed device is the device on which you use the licensed content. You may install and use one copy of the licensed content on the licensed device.

b. Portable Device. You may install another copy on a portable device for use by the single primary user of the licensed device.

c. Separation of Components. The components of the licensed content are licensed as a single unit. You may not separate the components and install them on different devices.

d. Third Party Programs. The licensed content may contain third party programs. These license terms will apply to your use of those third party programs, unless other terms accompany those programs.

3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS. a. Media Elements and Templates. You may use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the licensed content solely for your personal training use. If you wish to use these media elements or templates for any other purpose, go to www.microsoft.com/permission to learn whether that use is allowed.

b. Academic Materials. If the licensed content contains academic materials (such as white papers, labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not make any modifications to the academic materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any academic materials, you agree that:
• The use of the academic materials will be only for your personal reference or training use;
• You will not republish or post the academic materials on any network computer or broadcast in any media;
• You will include the academic material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice: © 2007 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

c. Distributable Code. The licensed content may contain code that you are permitted to distribute in programs you develop if you comply with the terms below.

i. Right to Use and Distribute. The code and text files listed below are “Distributable Code.”
• REDIST.TXT Files. You may copy and distribute the object code form of code listed in REDIST.TXT files.
• Sample Code. You may modify, copy, and distribute the source and object code form of code marked as “sample.”
• Third Party Distribution. You may permit distributors of your programs to copy and distribute the Distributable Code as part of those programs.

ii. Distribution Requirements. For any Distributable Code you distribute, you must
• add significant primary functionality to it in your programs;
• require distributors and external end users to agree to terms that protect it at least as much as this agreement;
• display your valid copyright notice on your programs; and
• indemnify, defend, and hold harmless Microsoft from any claims, including attorneys’ fees, related to the distribution or use of your programs.


iii. Distribution Restrictions. You may not
• alter any copyright, trademark or patent notice in the Distributable Code;
• use Microsoft’s trademarks in your programs’ names or in a way that suggests your programs come from or are endorsed by Microsoft;
• distribute Distributable Code to run on a platform other than the Windows platform;
• include Distributable Code in malicious, deceptive or unlawful programs; or
• modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an Excluded License. An Excluded License is one that requires, as a condition of use, modification or distribution, that
  • the code be disclosed or distributed in source code form; or
  • others have the right to modify it.

4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the licensed content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

5. SCOPE OF LICENSE. The licensed content is licensed, not sold. This agreement only gives you some rights to use the licensed content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the licensed content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the licensed content that only allow you to use it in certain ways. You may not
• disclose the results of any benchmark tests of the licensed content to any third party without Microsoft’s prior written approval;
• work around any technical limitations in the licensed content;
• reverse engineer, decompile or disassemble the licensed content, except and only to the extent that applicable law expressly permits, despite this limitation;
• make more copies of the licensed content than specified in this agreement or allowed by applicable law, despite this limitation;
• publish the licensed content for others to copy;
• rent, lease or lend the licensed content; or
• use the licensed content for commercial licensed content hosting services.



Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

6. BACKUP COPY. You may make one backup copy of the licensed content. You may use it only to reinstall the licensed content.

7. TRANSFER TO ANOTHER DEVICE. You may uninstall the licensed content and install it on another device for your use. You may not do so to share this license between devices.

8. TRANSFER TO A THIRD PARTY. The first user of the licensed content may transfer it and this agreement directly to a third party. Before the transfer, that party must agree that this agreement applies to the transfer and use of the licensed content. The first user must uninstall the licensed content before transferring it separately from the device. The first user may not retain any copies.

9. EXPORT RESTRICTIONS. The licensed content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the licensed content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

10. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or licensed content marked as “NFR” or “Not for Resale.”

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. Upon any termination of this agreement, you must destroy all copies of the licensed content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the licensed content and support services.

13. APPLICABLE LAW. a. United States. If you acquired the licensed content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the licensed content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the licensed content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED “AS-IS.” YOU BEAR THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT EXCLUDES THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
• anything related to the licensed content, software, services, content (including code) on third party Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered “as is.” Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to:
• anything related to the licensed content, to services or to content (including code) on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.


Contents

Module 1: Exploring Windows Server® 2008 Active Directory® Roles
Lesson 1: Overview of Active Directory Domain Services 1-3
Lesson 2: Overview of AD LDS 1-8
Lesson 3: Overview of Active Directory Certificate Services 1-14
Lesson 4: Overview of AD RMS 1-24
Lesson 5: Overview of AD FS 1-31
Lab: Exploring Windows Server 2008 Active Directory Server Roles 1-37

Module 2: Introduction to Active Directory® Domain Services
Lesson 1: Overview of Active Directory Domain Services 2-3
Lesson 2: Overview of AD DS Logical Components 2-11
Lesson 3: Overview of AD DS Physical Components 2-22
Lab: Exploring AD DS Components and Tools 2-32

Module 3: Introduction to Active Directory® Lightweight Directory Services
Lesson 1: Active Directory® Lightweight Directory Services Overview 3-3
Lesson 2: Implementing and Administering AD LDS 3-8
Lesson 3: Implementing AD LDS Replication 3-16
Lesson 4: Comparing AD DS and AD LDS 3-22
Lab: Exploring Configuring AD LDS 3-26

Module 4: Introduction to Active Directory® Certificate Services
Lesson 1: Overview of Active Directory Certificate Services 4-3
Lesson 2: Understanding Active Directory Certificate Services Certificates 4-10
Lesson 3: Implementing Certificate Enrollment and Revocation 4-16
Lab: Exploring Active Directory Certificate Services 4-25

Module 5: Introduction to Active Directory® Rights Management Services
Lesson 1: AD RMS Overview 5-3
Lesson 2: Understanding AD RMS 5-7
Lesson 3: Managing AD RMS 5-16
Lab: Exploring Active Directory Rights Management Services 5-23

Module 6: Introduction to Active Directory Federation Services
Lesson 1: AD FS Overview 6-3
Lesson 2: AD FS Deployment Scenarios 6-10
Lesson 3: Configuring AD FS Components 6-20
Lab: Exploring Active Directory Federation Services 6-29

Module 7: Creating Active Directory Domain Services User and Computer Objects
Lesson 1: Managing User Accounts 7-3
Lesson 2: Creating Computer Accounts 7-12
Lesson 3: Using Queries to Locate Objects in Active Directory 7-19
Lab: Creating AD DS User and Computer Accounts 7-25

Module 8: Creating Active Directory Domain Services Groups and Organizational Units
Lesson 1: Introduction to AD DS Groups 8-3
Lesson 2: Managing Group Accounts 8-15
Lesson 3: Creating Organizational Units 8-21
Lab: Creating an OU Infrastructure 8-28

Module 9: Managing Access to Resources
Lesson 1: Managing Access Overview 9-3
Lesson 2: Assigning Permissions to Shared Resources 9-12
Lesson 3: Managing NTFS File and Folder Permissions 9-21
Lesson 4: Determining Effective Permission 9-28
Lab: Managing Access to Resources 9-38


About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

The purpose of this 3-day course is to provide Active Directory Technology Specialists with an introduction to the Active Directory server roles in Windows Server 2008. The course is intended for entry-level students who want to become familiar with the Active Directory server roles and their basic functionality. It provides an overview of all of the Active Directory server roles and additional information about configuring Active Directory Domain Services.

Audience

This course is intended for any IT professional (for example, DSTs, SAs, generalists) who is new to Active Directory and wants to become familiar with Active Directory concepts. The audience is interested in basic concepts and does not want to go deep into Active Directory services and configuration.

Student Prerequisites

This course requires that you meet the following prerequisites:
• Basic understanding of networking. For example, how TCP/IP functions, addressing, name resolution (DNS/WINS), and connection methods (wired, wireless, VPN); NET+ or equivalent knowledge (WIS foundation (6420) or equivalent).
• Basic understanding of network operating systems. For example, Windows 2000, Windows XP, Windows Server 2003, etc.
• Basic knowledge of server hardware. A+ or equivalent knowledge (not required but expected).

Course Objectives

After completing this course, students will be able to:
• Understand how the Active Directory server roles are used in an enterprise environment and how AD DS integrates with the other Active Directory server roles.
• Describe the reasons for deploying AD DS and describe the AD DS components.
• Describe how AD LDS works and configure AD LDS components.
• Describe how AD CS works and implement AD CS certificate enrollment.
• Describe how AD RMS works and configure AD RMS settings.
• Describe how AD FS works and how to configure AD FS components.
• Configure AD DS user and computer accounts.
• Configure AD DS group accounts and organizational units.
• Manage access to shared resources in an AD DS environment.

Course Outline

This section provides an outline of the course:
Module 1: Explains how the Active Directory server roles are used in an enterprise environment and how AD DS integrates with the other Active Directory server roles.
Module 2: Describes the reasons for deploying AD DS and describes the AD DS components.
Module 3: Describes how AD LDS works and how to configure AD LDS components.
Module 4: Describes how AD CS works and how to implement AD CS certificate enrollment.
Module 5: Describes how AD RMS works and how to configure AD RMS settings.
Module 6: Describes how AD FS works and how to configure AD FS components.
Module 7: Explains how to configure AD DS user and computer accounts.
Module 8: Explains how to configure AD DS group accounts and organizational units.
Module 9: Explains how to manage access to shared resources in an AD DS environment.


Course Materials

The following materials are included with your kit:
• Course handbook. The Course handbook contains the material covered in class. It is meant to be used in conjunction with the Course Companion CD.
• Course Companion CD. The Course Companion CD contains the full course content, including expanded content for each topic page, full lab exercises and answer keys, topical and categorized resources, and Web links. It is meant to be used both inside and outside the class.

Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].


Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website.
2. Under Navigation, click Master Status. For each virtual machine that is running, point to the virtual machine name, and, in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.

The following table shows the role of each virtual machine that this course uses:

Virtual machine    Role
6424A-NYC-DC1      Domain controller in the WoodgroveBank.com domain
6424A-NYC-CL1      Client computer in the WoodgroveBank.com domain
6424A-LON-DC1      Domain controller in the EMEA.WoodgroveBank.com domain
6424A-NYC-SRV1     Member server in the WoodgroveBank.com domain; additional Active Directory server roles installed
6424A-CHI-DC1      Domain controller in the NorthwindTraders.com domain


Software Configuration

The following software is installed on each virtual machine:
• Windows Server 2008 Enterprise; Windows Vista

Classroom Setup

Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught. This course requires a computer that meets or exceeds hardware level 5, which specifies a 2.4-gigahertz (minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16 megabytes (MB) of video RAM, and a 7200 RPM 40-GB hard disk.


Module 1
Exploring Windows Server 2008 Active Directory® Roles

Contents:
Lesson 1: Overview of Active Directory Domain Services 1-3
Lesson 2: Overview of AD LDS 1-8
Lesson 3: Overview of Active Directory Certificate Services 1-14
Lesson 4: Overview of AD RMS 1-24
Lesson 5: Overview of AD FS 1-31
Lab: Exploring Windows Server 2008 Active Directory Server Roles 1-37


Module Overview

Windows Server® 2008 provides a rich platform for five Active Directory® server roles. This module describes the fundamental concepts of these five server roles.


Lesson 1

Overview of Active Directory Domain Services

AD DS is a directory service that provides centralized management and authentication for a network. AD DS also provides the core services on which all of the other Active Directory server roles depend. This lesson provides an overview of how AD DS provides this functionality.


What is a Directory Service?

Key Points

A network directory service:
• Provides information about user objects, computers and services (such as an e-mail address).
• Stores this information in a secure database and provides the tools for managing and searching the directory.
• Allows you to manage all network user accounts and resources in a single location and apply policies to the directory objects to ensure that all are managed consistently.

Additional Reading
• Deciding Between Workgroups and Domains


What is AD DS?

Key Points

Active Directory Domain Services (AD DS) is a centralized directory for user and computer management and authentication, and it provides the authentication services for a Windows Server 2008 network. The directory contains user objects, group objects and computer objects as well as service information. This allows AD DS to provide information about these objects, to authenticate them, and to manage access to network resources.

Additional Reading
• Deciding Between Workgroups and Domains


How Does AD DS Work?

Key Points

AD DS provides the following for a Windows Server 2008 network:
• Stores user and computer objects
• Authenticates user and computer objects
• Stores group information


AD DS Integration with other Active Directory Server Roles

Key Points

Many of the other Windows Server 2008 server roles integrate with AD DS. Server roles such as the following rely on AD DS:
• Active Directory Federation Services (AD FS)
• Active Directory Rights Management Services (AD RMS)
• Active Directory Certificate Services (AD CS)


Lesson 2

Overview of AD LDS

Active Directory Lightweight Directory Services (AD LDS) is an Active Directory server role that provides an LDAP-compliant (Lightweight Directory Access Protocol) directory service. When you configure AD LDS, you can use it to provide authentication and directory services for custom-written, third-party, and other enterprise applications. This lesson provides an overview of LDAP and AD LDS.


What is LDAP?

Key Points

Lightweight Directory Access Protocol (LDAP) is a standardized client/server protocol that runs over TCP/IP. It has been in use for over 15 years and is leveraged by a large number of applications and solutions. The LDAP standards define consistent ways of naming and storing directory objects. LDAP also provides methods for accessing, searching, and modifying the information that is stored in a directory.


Additional Reading
• MSDN section on LDAP
• RFCs that address LDAP:
  • "X.500 Lightweight Directory Access Protocol" (made obsolete by RFC 1777)
  • "A String Representation of LDAP Search Filters" (made obsolete by RFC 1960)
  • "Lightweight Directory Access Protocol"
  • "The String Representation of Standard Attribute Syntaxes"
  • "String Representation of Distinguished Names"
  • "An LDAP URL Format" (made obsolete by RFC 2255)
  • "A String Representation of LDAP Search Filters" (made obsolete by RFC 2254)
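As an added example of the string representations those RFCs define (this is not code from the course or from any Microsoft tool), the Python below builds LDAP search filters and distinguished names with the escaping rules of the current filter RFC (RFC 4515, successor to RFC 2254) and DN RFC (RFC 4514, successor to RFC 2253), so that values taken from application input are matched literally instead of changing the structure of the query. The attribute names sAMAccountName and objectClass and the WoodgroveBank.com lab domain are assumptions taken from typical AD usage and from this course's lab setup.

```python
from __future__ import annotations

# Added example, not part of the course: escaping for LDAP search filter
# values (RFC 4515, section 3) and DN attribute values (RFC 4514, section 2.4).
# Unescaped input spliced into a filter or DN can alter the query's meaning;
# escaping keeps the input a plain value.

# Characters with structural meaning inside a search filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are written as the hex form of their UTF-8 bytes.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(sam_account_name: str) -> str:
    """Filter that matches one user object by its logon name (attribute names assumed)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(
        sam_account_name
    )


# Characters that must always be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")  # a leading '#' would otherwise mean a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")  # leading/trailing spaces must be escaped to survive
        elif ch == "\x00":
            out.append(r"\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cn: str, ous: list[str], dns_domain: str) -> str:
    """Compose CN=...,OU=...,DC=... from a common name, an OU path and a DNS domain.

    `ous` is ordered innermost first, which is the order RDNs appear in a DN.
    """
    rdns = ["CN=" + escape_dn_value(cn)]
    rdns += ["OU=" + escape_dn_value(ou) for ou in ous]
    rdns += ["DC=" + escape_dn_value(label) for label in dns_domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed sample values; WoodgroveBank.com is the course's lab domain.
    print(build_user_filter("j.doe"))
    print(build_user_filter("a*b(c)"))  # metacharacters become \2a \28 \29
    print(build_user_dn("Doe, John", ["Users", "NYC"], "WoodgroveBank.com"))
```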


What is AD LDS?

Key Points

Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service.

Usage

AD LDS is used:
• For applications that cannot or should not use AD DS.
• To address scenarios where access to AD DS is not recommended due to security concerns.


Flexibility

AD LDS does not have the restrictions of AD DS:
• You can run multiple instances on a single computer.
• It does not require a DNS infrastructure.
• It is easily modified to meet application needs.

Additional Reading
• Windows Server 2008 Future Resources
• Windows Server 2003 Active Directory Application Mode


AD LDS Implementation Examples

Key Points

Many applications require user authentication and lookup but do not require the overhead or complexity of running AD DS. These applications can leverage AD LDS to store and retrieve this information. AD LDS can store:
• User information
• Application configuration information

Additional Reading
• Active Directory Lightweight Directory Services


Lesson 3

Overview of Active Directory Certificate Services

One of the most common ways to provide security in the enterprise and on the Internet is to use digital certificates. Digital certificates provide security in many scenarios, including securing Web sites and e-mail. Active Directory Certificate Services (AD CS) enables the distribution and management of digital certificates. This lesson explains digital certificates, public key infrastructure and implementation scenarios for AD CS.


Discussion: What Are Digital Certificates Used For?

Key Points
Digital certificates are used to encrypt information for many different purposes. They are also used to authenticate users and computers in different ways. Consider the different ways that digital certificates are used for encryption and authentication. Also, consider the different applications that would support the use of certificates.


What is a Public Key Infrastructure (PKI)?

Key Points
A Public Key Infrastructure (PKI) enables an organization to distribute digital certificates to users and computers.

Components
A PKI consists of several interrelated objects, applications, and services:
• Certification authorities (CAs). A CA issues and manages certificates for users, computers, and services. Each certificate issued by the CA is signed by the CA, using the private key that corresponds to the CA's own certificate.
• Certificate revocation lists (CRLs). A list of certificates that the CA has revoked before the end of their validity period.
• Certificate and CA management tools. Provide both graphical user interface (GUI) and command-line tools to manage issued certificates, publish CA certificates and CRLs, configure CAs, import and export certificates and keys, and recover archived private keys.
• Digital certificates. Electronic credentials, associated with a public key and a private key, that are used to authenticate users.


What Is AD CS?

Key Points
Active Directory Certificate Services (AD CS) is the Microsoft implementation of a PKI. AD CS provides a fully functional PKI for a Windows Server network. These services can also be extended to non-Windows-based devices. AD CS provides all of the basic PKI services, such as management tools and revocation services.

Additional Reading
• Active Directory Certificate Services


AD CS Implementation Examples

Key Points
AD CS can be used for a variety of scenarios, including the following:
• SSL certificates for internal Web sites. By using SSL with an internal Web site, you can ensure that all client authentication traffic and all access to the Web site are encrypted.
• Smart cards with certificates issued by the AD CS certification authority for domain authentication. Smart cards add a second level of authentication security by providing two-factor authentication.
• Encrypting File System (EFS) certificates for domain-joined computers. By using EFS certificates, users can encrypt files on their hard disks while enabling administrators to centrally manage the certificates.
• Certificates for routers to establish IPsec communication. AD CS can issue the certificates required to implement IPsec, an option for enabling remote access or virtual private networks.
• Certificates for users to encrypt and sign e-mail messages. To encrypt e-mail, users need to be issued certificates.


How Does AD CS Work?

Key Points
In an auto-enrollment scenario:
1. The user or computer account is authenticated.
2. The CA retrieves the certificate policies from AD DS.
3. If the user has the appropriate permissions and the policies are configured to allow auto-enrollment, the certificate is generated and stored in AD DS.

When manual enrollment is used:
1. The certificate request is created on a computer and then forwarded to the CA.
2. On the CA, the certificate is put into a pending status until an administrator reviews and approves the request.
3. Once approved, the certificate can be downloaded and installed on the appropriate device.
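The two enrollment paths above, together with the CA, CRL and certificate components from the PKI topic earlier in this lesson, as an added simulation (not AD CS code): a toy CA reads certificate policy and enrollment permissions from a constructed in-memory stand-in for AD DS, issues automatically where policy and permission allow, holds manual requests pending until approval, and lets a relying party check issuer, signature, validity period and CRL. A keyed hash (HMAC) stands in for the CA's private-key signature so the example needs only the standard library; the accounts, template names, host name and key are all constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_after: str        # ISO 8601 expiry, UTC
    template: str
    signature: str = ""


class CertificationAuthority:
    def __init__(self, name, signing_key, directory):
        self.name = name
        self._key = signing_key       # stands in for the CA's private key
        self.directory = directory    # constructed stand-in for AD DS (accounts and templates)
        self.pending = {}             # manual requests awaiting administrator approval
        self.crl = set()              # serials revoked before their expiry date
        self._next_serial = 1

    def _mac(self, cert):
        fields = asdict(cert)
        fields.pop("signature")       # the signature covers every other field
        return hmac.new(self._key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def _sign(self, cert):
        return Certificate(**{**asdict(cert), "signature": self._mac(cert)})

    def _build(self, subject, template, now):
        validity = self.directory["templates"][template]["validity_days"]   # policy is read from the directory
        cert = Certificate(self._next_serial, subject, self.name, (now + timedelta(days=validity)).isoformat(), template)
        self._next_serial += 1
        return cert

    def auto_enroll(self, principal, template, now):
        """Auto-enrollment: authenticated account, enroll permission, and a policy that allows it."""
        account = self.directory["accounts"].get(principal)
        if account is None or not account["authenticated"]:                 # step 1
            raise PermissionError("account not authenticated")
        if (not self.directory["templates"][template]["autoenroll"]         # steps 2-3
                or template not in account["enroll_permissions"]):
            raise PermissionError("auto-enrollment not permitted")
        cert = self._sign(self._build(principal, template, now))
        account["certificates"].append(cert)   # stored with the account object in the directory
        return cert

    def submit_request(self, subject, template, now):
        """Manual enrollment: the request is held as pending until an administrator approves it."""
        cert = self._build(subject, template, now)
        self.pending[cert.serial] = cert
        return cert.serial

    def approve(self, serial):
        return self._sign(self.pending.pop(serial))   # the signed copy can now be downloaded

    def verify(self, cert, now):
        """Relying-party checks: trusted issuer, signature, validity period, then the CRL."""
        if cert.issuer != self.name:
            return "untrusted issuer"
        if not hmac.compare_digest(self._mac(cert), cert.signature):
            return "bad signature"
        if now > datetime.fromisoformat(cert.not_after):
            return "expired"
        if cert.serial in self.crl:
            return "revoked"
        return "valid"


def demo():
    now = datetime(2008, 4, 1, tzinfo=timezone.utc)
    directory = {   # constructed accounts, enrollment permissions and certificate templates
        "accounts": {
            "WOODGROVE\\alice": {"authenticated": True, "enroll_permissions": {"User"}, "certificates": []},
            "WOODGROVE\\bob": {"authenticated": True, "enroll_permissions": set(), "certificates": []}},
        "templates": {"User": {"autoenroll": True, "validity_days": 365},
                      "WebServer": {"autoenroll": False, "validity_days": 730}}}
    ca = CertificationAuthority("WoodgroveBank-CA", b"constructed-ca-key", directory)
    alice = ca.auto_enroll("WOODGROVE\\alice", "User", now)
    out = {"alice": ca.verify(alice, now)}
    try:
        ca.auto_enroll("WOODGROVE\\bob", "User", now)   # bob lacks enroll permission
        out["bob"] = "issued"
    except PermissionError:
        out["bob"] = "denied"
    serial = ca.submit_request("www.woodgrovebank.com", "WebServer", now)
    out["pending"] = serial in ca.pending
    web = ca.approve(serial)
    out["web"] = ca.verify(web, now)
    ca.crl.add(web.serial)                          # revoked long before its expiry date
    out["web_revoked"] = ca.verify(web, now)
    out["alice_later"] = ca.verify(alice, now + timedelta(days=400))
    forged = Certificate(**{**asdict(alice), "subject": "WOODGROVE\\mallory"})
    out["forged"] = ca.verify(forged, now)
    return out
```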


Additional Reading
• Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure


AD DS and AD CS Integration

Key Points
Automatically generated certificates
Computer and user objects can have certificates generated by AD CS if the users and computers have the appropriate permissions and the certificate policy is configured to allow auto-enrollment.

Certificates stored in AD DS
The user or computer certificate is stored with the user account or computer account. These certificates are then replicated to all of the AD DS domain controllers, resulting in resilient and redundant storage of certificate information.

Certificate policies
Certificate policies that govern how certificates are generated, and what settings those certificates have, can also be stored in and applied from AD DS.


Lesson 4

Overview of AD RMS

By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information even after the information has been shared between users. AD RMS does this through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information (such as financial reports, product specifications, customer data, and confidential e-mail messages) from intentional or accidental unauthorized use.


What is an Enterprise Rights Management Solution?

Key Points
A rights management solution is used to protect information stored in documents, e-mail messages and Web sites from unauthorized viewing, modification or use. Features typically include:
• Helping protect sensitive information from being accessed by or shared with unauthorized users. A rights management solution can be used to prevent users from forwarding or copying content to other, unauthorized users.
• Helping ensure that content is protected and tamper-resistant. A rights management solution uses encryption and digital signatures to protect data from unauthorized access and modification.
• Controlling when data expires based on time requirements, even when that information is sent over the Internet to other individuals. This helps to ensure that the most current information is available.


What is AD RMS?

Key Points
Active Directory Rights Management Services (AD RMS) is the Windows Server 2008 implementation of an enterprise rights management solution. AD RMS helps protect information by:
• Providing the tools to distribute client certificates to trusted users.
• Enforcing content access policies.
• Providing centralized management.

Note: RMS-enabled applications are required to use AD RMS.


Additional Reading
• Windows Rights Management Services
• How It Works: Windows Rights Management Services
• Active Directory Rights Management Services Overview


AD RMS Implementation Examples

Key Points
You can deploy AD RMS to protect content sent in an e-mail message:
1. The content creator applies a security policy to protect the content of the message.
2. The AD RMS server encrypts the content and applies the permissions assigned by the content creator.
3. When the content consumer receives the message, the client e-mail software requests permission from the AD RMS server before the user can view the message.
4. The client software receives from the AD RMS server the specific parameters for what the user can do with the message, and then grants the user the appropriate usage rights.


Additional Reading
• Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide


AD DS and AD RMS Integration

Key Points
AD RMS integrates with AD DS in three key areas:
• All AD RMS users must have an AD DS user account. Before a user can apply an RMS policy to content, or before a consumer can access protected content, they must be authenticated by AD DS.
• AD DS provides the e-mail addresses used to obtain rights for content. All users must be configured with an e-mail address, even if the organization has not deployed an e-mail server.
• AD RMS services are registered as service connection points in AD DS so that clients can locate the AD RMS servers. When an RMS-aware client needs to locate an AD RMS server to protect or consume content, it connects to AD DS; the service connection point provides the client with the information about which AD RMS server it should use.


Lesson 5

Overview of AD FS

Active Directory Federation Services (AD FS) enables the extension of AD DS authentication to other organizations. When you deploy Active Directory Federation Services, you can enable federated trusts between two organizations so that the user accounts that have authenticated in one organization will be trusted to access an application in the other organization. This can provide single sign-on between the organizations for accessing Web applications. This lesson provides an overview of how AD FS can be used.


What is AD FS?

Key Points
Enables a trust relationship
Active Directory Federation Services (AD FS) allows you to configure a federated trust relationship between two organizations:
• The account partner organization contains and manages the user accounts.
• The resource partner organization maintains a Web-based application.

Provides access to applications
After users in the account partner organization are authenticated by AD DS in their own organization, their accounts can be used to access applications across the federation trust.

Provides single sign-on
AD FS can also provide single sign-on (SSO) for separate Web-based applications.


How AD FS Traffic Flows in a B2B Federation Scenario

Key Points
AD FS allows users in a trusted directory to access a Web-based application in the partner domain using their credentials from the local directory.

Benefits
• Reduces the management overhead for administrators, since only one account has to be administered.
• End users only need to remember one set of credentials.


How Does AD FS Work?

Key Points
The B2B AD FS authentication scenario follows these basic steps:
1. A client computer connects to a Web application in a different organization.
2. The Web application redirects the Web client to the resource federation server.
3. The resource partner AD FS server responds to the client, requesting that it obtain a security token from the AD FS server in the account partner organization.
4. The client requests the security token from the account partner’s AD FS server and passes the token back to the Web application.
5. The client can now gain access to the Web application.
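The five steps above as a message exchange, added here as a simulation rather than AD FS code: a Tailspin Toys account federation server issues tokens only for users its own directory has authenticated, a Woodgrove Bank resource federation server accepts tokens only from partners covered by a federation trust, and the Web application relies on that server to validate whatever the client presents. The host names, accounts and keys are constructed, and a keyed hash (HMAC) stands in for the signature on the security token.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


def _sign(key, claims):
    """Keyed hash standing in for the signature on a security token."""
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class AccountFederationServer:
    """Account partner: owns the user accounts and issues tokens for users its AD DS authenticated."""
    def __init__(self, name, signing_key, directory):
        self.name, self._key, self.directory = name, signing_key, directory

    def issue_token(self, user, audience, now):
        account = self.directory.get(user)
        if account is None or not account["authenticated"]:
            raise PermissionError(f"{user} was not authenticated by {self.name}")
        claims = {"iss": self.name, "sub": user, "aud": audience, "groups": account["groups"],
                  "exp": (now + timedelta(minutes=10)).isoformat()}
        return {"claims": claims, "sig": _sign(self._key, claims)}


class ResourceFederationServer:
    """Resource partner: accepts tokens only from account partners covered by a federation trust."""
    def __init__(self, name, trusted_partners):
        self.name, self._trusted = name, trusted_partners   # issuer name -> verification key

    def validate(self, token, now):
        claims = token["claims"]
        key = self._trusted.get(claims["iss"])
        if key is None:
            return None, "issuer is not a federation partner"
        if not hmac.compare_digest(_sign(key, claims), token["sig"]):
            return None, "token signature is invalid"
        if claims["aud"] != self.name:
            return None, "token was issued for another resource partner"
        if now > datetime.fromisoformat(claims["exp"]):
            return None, "token has expired"
        return claims, "ok"


class WebApplication:
    """The protected application; it relies on the resource federation server for validation."""
    def __init__(self, name, resource_fs, required_group):
        self.name, self.fs, self.required_group = name, resource_fs, required_group

    def request(self, token, now):
        if token is None:                                     # step 2: no token, redirect
            return {"status": 302, "location": self.fs.name}
        claims, reason = self.fs.validate(token, now)
        if claims is None:
            return {"status": 401, "reason": reason}
        if self.required_group not in claims["groups"]:       # authenticated, but not authorized
            return {"status": 403, "reason": "not a member of " + self.required_group}
        return {"status": 200, "user": claims["sub"]}


def federated_access(user, account_fs, resource_fs, app, now):
    """The five steps from the client's side; returns (message trace, final response)."""
    trace = []
    first = app.request(None, now)
    trace.append(f"1. client -> {app.name}: GET (no token)")
    trace.append(f"2. {app.name} -> client: {first['status']} redirect to {first['location']}")
    trace.append(f"3. {resource_fs.name} -> client: obtain a token from {account_fs.name}")
    try:
        token = account_fs.issue_token(user, resource_fs.name, now)
    except PermissionError as err:
        trace.append(f"4. {account_fs.name} -> client: refused ({err})")
        return trace, {"status": 401, "reason": str(err)}
    trace.append(f"4. {account_fs.name} -> client: signed token for {user}")
    final = app.request(token, now)
    trace.append(f"5. client -> {app.name}: GET with token -> {final['status']}")
    return trace, final


def demo():
    now = datetime(2008, 4, 1, 9, 0, tzinfo=timezone.utc)
    tailspin_dir = {   # constructed accounts in the account partner's AD DS
        "TAILSPIN\\alice": {"authenticated": True, "groups": ["Purchasing"]},
        "TAILSPIN\\bob": {"authenticated": True, "groups": ["Warehouse"]},
        "TAILSPIN\\eve": {"authenticated": False, "groups": []}}
    tailspin_key = b"constructed-tailspin-signing-key"
    tailspin_fs = AccountFederationServer("fs.tailspintoys.com", tailspin_key, tailspin_dir)
    woodgrove_fs = ResourceFederationServer("fs.woodgrovebank.com", {tailspin_fs.name: tailspin_key})
    app = WebApplication("wires.woodgrovebank.com", woodgrove_fs, "Purchasing")
    out = {who: federated_access(f"TAILSPIN\\{who}", tailspin_fs, woodgrove_fs, app, now)[1]["status"]
           for who in ("alice", "bob", "eve")}
    # A well-formed token from an organization without a federation trust is still rejected.
    other_fs = AccountFederationServer("fs.contoso.com", b"constructed-other-key",
                                       {"CONTOSO\\dan": {"authenticated": True, "groups": ["Purchasing"]}})
    out["untrusted"] = app.request(other_fs.issue_token("CONTOSO\\dan", woodgrove_fs.name, now), now)["status"]
    stale = tailspin_fs.issue_token("TAILSPIN\\alice", woodgrove_fs.name, now - timedelta(hours=1))
    out["expired"] = app.request(stale, now)["status"]
    return out
```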


AD DS and AD FS Integration

Key Points
AD FS is integrated with AD DS in the following ways:
• AD FS requires a directory service such as AD DS or AD LDS to store all user accounts.
• AD FS enables the account partner in the federation trust to manage all user accounts.
• Resource partners may also use AD DS to restrict access to the Web applications.
• AD FS also extends some AD DS functionality to applications located in a perimeter network.


Summary of the Active Directory Server Roles


Lab: Exploring Windows Server 2008 Active Directory Server Roles


Exercise 1: Planning Active Directory Server Role Implementations

Scenario 1
Woodgrove Bank is partnering with Tailspin Toys. Tailspin Toys employees need to be able to access an online application to complete wire transfers to toy suppliers. You must identify a solution to provide access for the Tailspin Toys employees to the Web application.

Scenario 2
Tailspin Toys has recently experienced a situation that caused information about the company’s new projects to be posted on the Internet. The executive team has mandated that a solution be created to protect confidential data from being e-mailed or printed so that it can be used outside of the company. You must identify a solution to meet the new executive requirements.


Scenario 3
Woodgrove Bank has been put under new regulatory restrictions that require all employees to log on to their computers with two-factor authentication. These regulations also require that all e-mail is encrypted and authenticated. You must identify a solution to meet these new regulations.

Scenario 4
Tailspin Toys is developing a Web application that will include user accounts from the corporate directory. The corporate policy forbids the schema changes that are required for the Web application to function. You must identify a solution to provide a user directory as well as the required changes in the schema.


The main tasks for this exercise are as follows:
1. Review each of the scenarios and determine which of the Active Directory server roles are required for each scenario.
2. Make some basic decisions about Active Directory server placement.

Task 1: Review the four scenarios and determine which of the Active Directory server roles will assist in providing the required solution.

Task 2: Determine the location where each of the server roles would be placed.

Result: At the end of this exercise, you will have practiced decision making about Active Directory server roles and placement.


Exercise 2: Understanding Active Directory Server Role Integration with AD DS

Scenarios
See the four scenarios from Exercise 1.

The main tasks for this exercise are as follows:
1. The student will review each of the scenarios and determine how the server roles are integrated with Active Directory Domain Services in each scenario.
2. The instructor will then lead a class discussion reviewing the answers provided by students for both exercises.

Task 1: How does the selected Active Directory role integrate with AD DS in each scenario?

Task 2: What might happen if the AD DS integration stopped working?

Result: At the end of this exercise, you will have (1) described how the Active Directory server roles integrate with AD DS, and (2) postulated the results of integration failure.


Module Review and Takeaways

Review Questions
1. You have been tasked with deploying a solution to provide two-factor authentication for users on workstations located at your company. Which two Active Directory server roles would you need to deploy to provide a centrally managed two-factor authentication solution?
2. In what way does AD CS rely on AD DS?
3. What are some ways that certificates generated by AD CS can be used for encryption?
4. What are some reasons for deploying AD LDS instead of AD DS?
5. What are some of the basic functions that AD RMS provides?

Module 2
Introduction to Active Directory® Domain Services

Contents:
Lesson 1: Overview of Active Directory Domain Services 2-3
Lesson 2: Overview of AD DS Logical Components 2-11
Lesson 3: Overview of AD DS Physical Components 2-22
Lab: Exploring AD DS Components and Tools 2-32


Module Overview

Windows Server 2008 Active Directory Domain Services (AD DS) is a Microsoft® Windows®-based directory service. As a directory service, AD DS stores information about objects on a network and makes this information available to users and network administrators. Additionally, AD DS can be used to ensure that only authorized users have access to network resources.


Lesson 1

Overview of Active Directory® Domain Services

AD DS stores information about objects on a network and makes this information available to users and network administrators. AD DS also enables network users to access resources anywhere on the network using a single logon process. AD DS also provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.


Why Deploy Active Directory Domain Services?

Key Points
The primary reasons for deploying AD DS are as follows:
• Centralized directory. Simplifies network administration by allowing management of all accounts in a single directory.
• Single sign-on access. Most organizations have multiple servers offering a variety of services to users. Without some type of common directory service, each of these servers would require a separate logon for user authentication and authorization.
• Integrated security. AD DS works with Windows Server 2008 to check the security permissions associated with each person. AD DS can accommodate users logging on from workstations running Windows NT, 98, 2000, XP, and Vista.
• Scalability. AD DS can easily be configured to add servers and users within the same building, as well as servers and users in other buildings and regions. Once they are added, scheduled AD DS replication of user and computer directory information between locations continues to give users consistent access to servers and applications.
• Common management interface. The Microsoft Management Console (MMC) provides network administrators and technicians with a consistent user interface for all tasks related to the maintenance and deployment of AD DS, as well as all other Microsoft Windows Server 2008 services.

Additional reading
• Active Directory on a Windows Server 2003 Network


What is Authentication?

Key Points
Authentication simply refers to the process of verifying that a user is who they claim to be. Authentication, including single sign-on, is a two-part process: interactive logon and network authentication.

Interactive logon
Interactive logon confirms the user’s identity on a specific computer by using either a domain account or a local computer account.

Network authentication
Network authentication confirms the user's identity to any network service that the user is attempting to access.

Additional reading
• Logon and Authentication Technologies


What is Authorization?

Key Points
Authorization is the second step in the process of gaining access to network resources. Authorization, which happens after authentication, is based on the security token that is granted to the user account when the user logs on to the network.

Terminology
• Security Identifier (SID). A unique security identifier created with the user account.
• Security token. A security token is granted to the user account for a logon session. The system uses the token to control access to securable objects.
• Discretionary access control list (DACL). One type of ACL (access control list). Defines which users and groups (based on the user or group SID) have access to the object, and defines the level of access granted to each user or group.


Authorization process
When the user tries to access a network resource, the client computer presents the security token to the server hosting the resource. The SIDs in the security token are compared with the SIDs in the entries of the resource's DACL, which is part of its security descriptor. The user’s request to access the resource is granted if a DACL entry matching a SID in the security token allows the requested access.
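The check described above, as an added illustration rather than Windows code: a token is a set of SIDs, a DACL is an ordered list of allow and deny entries, and the server hosting the resource grants the request only when entries matching the token's SIDs cover every requested right. It goes beyond the paragraph by including deny entries and access masks, which is how Windows actually evaluates a DACL; the SIDs (apart from the well-known Domain Users RID 513), the rights and the share are constructed.

```python
from dataclasses import dataclass

# Access rights as bit flags: a constructed subset, not the real Windows access masks.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    """One access control entry in a DACL."""
    kind: str   # "allow" or "deny"
    sid: str    # SID of the user or group the entry applies to
    mask: int   # rights the entry grants or denies


def access_check(token_sids, dacl, requested):
    """Decide whether a token holding `token_sids` gets `requested` rights under `dacl`.

    Windows semantics: ACEs are evaluated in order and only those whose SID appears in
    the token count.  A matching deny ACE that covers any right not yet granted ends the
    check with access denied; the check succeeds as soon as every requested right has
    been granted by allow ACEs.  An empty DACL grants nothing; a missing DACL (None)
    grants everything, which is why a NULL DACL is a misconfiguration worth auditing.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed SIDs in the domain SID layout S-1-5-21-<domain>-<RID>; 513 is the
# well-known RID of Domain Users, the other RIDs are invented for the example.
DOMAIN = "S-1-5-21-1000-2000-3000"
DOMAIN_USERS = f"{DOMAIN}-513"
FINANCE = f"{DOMAIN}-1201"
CONTRACTORS = f"{DOMAIN}-1301"

# Tokens: the account's own SID plus the SIDs of every group it belongs to.
ALICE = {f"{DOMAIN}-1105", DOMAIN_USERS, FINANCE}
BOB = {f"{DOMAIN}-1106", DOMAIN_USERS}
CAROL = {f"{DOMAIN}-1107", DOMAIN_USERS, FINANCE, CONTRACTORS}

# DACL on a constructed "Finance reports" share, in canonical order: deny ACEs first.
FINANCE_SHARE = [
    Ace("deny", CONTRACTORS, DELETE),
    Ace("allow", FINANCE, READ | WRITE | DELETE),
    Ace("allow", DOMAIN_USERS, READ),
]


def demo():
    """The client presents its token to the file server, which runs the check per request."""
    return {
        "alice_read": access_check(ALICE, FINANCE_SHARE, READ),
        "alice_delete": access_check(ALICE, FINANCE_SHARE, DELETE),
        "bob_read": access_check(BOB, FINANCE_SHARE, READ),
        "bob_write": access_check(BOB, FINANCE_SHARE, WRITE),
        # Carol is in Finance, but the deny entry for Contractors is evaluated first.
        "carol_read": access_check(CAROL, FINANCE_SHARE, READ),
        "carol_read_delete": access_check(CAROL, FINANCE_SHARE, READ | DELETE),
        "empty_dacl": access_check(ALICE, [], READ),
        "null_dacl": access_check(ALICE, None, READ),
    }
```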

Additional reading
• Authorization and Access Control Technologies
• Security Identifiers
• Tools to Manage Security Principals


Using AD DS to Centralize Network Management

Key Points
The largest cost of owning computers is the cost of managing and maintaining them. If systems were maintained individually, the cost would quickly become unacceptably high. AD DS provides a way to automate computer management using centrally applied settings, which allows for the most efficient use of IT administrative resources.

Additional reading
• Group Policies


Overview of AD DS Components

Key Points
AD DS is composed of both physical and logical components, which are created when an organization implements AD DS.

Additional reading
• What Are Domains and Forests?


Lesson 2

Overview of AD DS Logical Components

As an AD DS administrator, you will spend most of your time working with the logical components that make up AD DS. During the implementation of AD DS, your organization will have configured various AD DS components such as domains, sites and organizational units. You will be working with these components as you create and manage user accounts or computer accounts.


What Is the AD DS Schema?

Key Points
The AD DS schema defines every type of object that can be stored in the directory. Before an object can be created in AD DS, it must first be defined in the schema. The schema also enforces a number of rules regarding the creation of objects in the database. These rules define the information that can be stored with each object and the data type of that information.

Additional reading
• What Is the Active Directory Schema?


What Is a Domain?

Key Points
A domain is a logical grouping of AD DS objects, and the most basic building block in the AD DS model. Each domain must have at least one domain controller installed. In fact, you create a domain by installing the first domain controller in the domain, and you remove a domain by removing the last domain controller in the domain.

Additional reading
• What Are Domains and Forests?


What Are AD DS Trusts?

Key Points
Domains can allow secure access to shared resources outside their boundaries by using authenticated connections called trusts. Trusts enable users to:
• Access resources in domains other than the domain where their user account is configured.
• Log on to computers that are members of domains other than the domain where their user account is configured.

Additional reading
• Trusts
• How Domains and Forests Work


What Is a Domain Tree?

Key Points
A domain tree is a hierarchy of domains in AD DS. The first domain created is the root domain. As subsequent domains are added to the domain tree, they are created as child domains under the root domain. Within a domain tree, all domains share a common, contiguous namespace. For example, if the root domain is WoodgroveBank.com, the child domains would use names such as EMEA.WoodgroveBank.com.

Additional reading
• What Are Domains and Forests?


What Is a Forest?

Key Points
A forest is a collection of one or more domain trees. All domains and domain trees exist within an Active Directory forest.

Additional reading
• What Are Domains and Forests?


What Is an Organizational Unit?

Key Points
Organizational units (OUs) are Active Directory containers into which you can place users, groups, computers, and other OUs. OUs are designed to make AD DS easier to administer.

Additional reading
• Organizational Units


Discussion: Scenarios for Implementing AD DS Logical Components

Questions
For each scenario, describe how AD DS logical components (domains, OUs) could be deployed in these organizations.

Scenario 1: Contoso Inc. has a single office with 20 employees and a single business unit. The business owner manages all AD DS administrative tasks.

Scenario 2: NorthWind Traders has a single office. The organization has two business units which are administered separately, but all AD DS management tasks will be handled by the same administrative team. The organization also needs to assign different policies to managers and to each business unit, as well as to the computers used by each of these groups.

Scenario 3: Coho Vineyards has two separate business units located in two offices in different countries. Each office has about 10,000 users. Each office has multiple departments, and all of the departments need different policies applied to them. Each office also has a separate team of administrators that must be able to manage all of the user and computer accounts in their office, but should not be able to manage any objects in the other office. One team of administrators at the head office should be able to manage all user accounts, computer accounts and servers in both offices.

Scenario 4: Woodgrove Bank has multiple locations deployed in different countries around the world. Because of the privacy requirements in the different countries, the offices in each country must be managed by a different group of administrators, and the administrators must not be able to modify any objects in other countries. No group of administrators should be able to access objects in other countries.


What Are AD DS Objects?

Key Points
AD DS objects are entities created on AD DS domain controllers. AD DS objects all fall into one or more categories, such as resources (for example, printers), services (for example, e-mail and shared folders) and users (both individuals and groups). Each category of object has a set of defined attributes which exist in the Active Directory schema. This makes creating and administering new instances of a particular type of object very efficient.

Additional reading
• Active Directory Users and Computers Help


Demonstration: Tools for Managing the AD DS Logical Component

Questions
1. What is the basis of the OU organization at Woodgrove Bank?
2. You need to manage an AD DS domain controller from your computer running Windows Vista, but you do not have the administration tools installed on the computer. How could you manage the domain controller?


Lesson 3

Overview of AD DS Physical Components

AD DS information is stored in a single database on the domain controller’s hard disk. If a domain or forest has more than one domain controller, the AD DS data is replicated regularly to each domain controller. This lesson describes the physical components that make up AD DS and provides an overview of how replication works.


What Are AD DS Domain Controllers?

Key Points
A domain controller is a server in an AD DS domain that provides directory services. All domain controllers (except read-only domain controllers) hold a writable copy of the AD DS database and allow administrators to manage user accounts and other network resources. Domain controllers are also involved in authenticating users and authorizing access to network resources in the domain. They also participate in replication of the AD DS database: changes made on one domain controller are replicated to the other domain controllers within its domain.

Additional reading
• Domain Controller Roles


Overview of DNS and AD DS

Key Points
AD DS relies entirely on the Domain Name System (DNS) to locate resources on a network. Therefore, all AD DS domain names must be DNS domain names. Without a reliable DNS infrastructure, domain controllers on your network will not be able to replicate with each other, workstations will not be able to log on to the network, and Microsoft Exchange servers will not be able to send e-mail.


What Are Global Catalog Servers?

Key Points
A global catalog server is a domain controller; as such, it stores a full copy of all objects in the directory for its host domain, and in addition a partial copy of all objects for all other domains in the forest. That partial copy of objects from other domains is commonly used in search operations. Storing information about objects in other domains gives users efficient searches without affecting network performance or causing unnecessary referrals to other domain controllers.

Additional reading
• What Is the Global Catalog?


What Is the AD DS Data Store?

Key Points All the data in AD DS is stored in a single file on the domain controller. The location for this file, named Ntds.dit, can be set during the domain controller promotion process. The default location for the database and database log files is %SystemRoot%\Ntds. The AD DS data store contains database files and file processes that store and manage directory information for users, services, and applications.

Additional reading
• What is a Data Store?

What Is AD DS Replication?

Key Points
AD DS replication is the process by which directory data is synchronized between the domain controllers in a forest. AD DS uses a multi-master replication model: directory information can be modified on any domain controller, which then sends its most current directory information to the other domain controllers according to the replication schedule.

Additional reading
• What Is the Active Directory Replication Model?

What Are Sites?

Key Points
A site is defined as an area of the network in which all domain controllers are connected by a fast, inexpensive, and reliable network connection. A site is an AD DS organizational entity used specifically to manage network traffic. You can also use sites to assign Group Policy settings: if all users or computers in a company location require the same configuration, you can assign a Group Policy object at the site level.
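The physical components covered in this lesson (domain controllers, which of them are global catalog servers, and the site each belongs to) can be listed without the graphical consoles by using the .NET System.DirectoryServices.ActiveDirectory classes from PowerShell. This is an added example for this page, not course code. It assumes PowerShell 3.0 or later syntax, that the caller is a domain user on a domain-joined computer, and that the subnet of that computer has been mapped to a site in Active Directory Sites and Services (otherwise the site lookup at the end reports nothing).

```powershell
# Added example (not from the course): inventory sites, domain controllers
# and global catalogs in the current forest, then show which site this
# computer belongs to. Uses .NET classes that are present on Windows Server
# 2008 without the ActiveDirectory PowerShell module.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestPhysicalInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.FindAllDomainControllers()) {
            [pscustomobject]@{
                Forest           = $forest.Name
                Domain           = $domain.Name
                DomainController = $dc.Name
                Site             = $dc.SiteName
                IsGlobalCatalog  = $dc.IsGlobalCatalog()
                IPAddress        = $dc.IPAddress
            }
        }
    }
}

function Get-ForestSiteName {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.Sites | ForEach-Object { $_.Name }
}

function Get-LocalComputerSite {
    # The same lookup the domain controller locator performs: the computer's
    # IP address is matched against the subnets defined in Active Directory
    # Sites and Services. No match means the computer is not steered to a
    # nearby domain controller.
    try {
        [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException] {
        '(no site: subnet not mapped)'
    }
}

"Sites in forest: $((Get-ForestSiteName) -join ', ')"
Get-ForestPhysicalInventory | Sort-Object Site, Domain | Format-Table -AutoSize
"This computer is in site: $(Get-LocalComputerSite)"
```

A domain that shows no IsGlobalCatalog = True entry in its own site forces global catalog lookups (including logons in multi-domain forests) across the WAN, which is one of the placement decisions the scenarios on the following pages ask about.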

Additional reading
• Active Directory Sites and Services

Discussion: Scenarios for Implementing AD DS Physical Components

Questions
Question: For each scenario, describe how AD DS physical components could be deployed in these organizations.

Scenario 1: Contoso Inc. has a single office with 20 employees and a single business unit. The business owner manages all AD DS administrative tasks.

Scenario 2: NorthWind Traders has a head office with about 250 workers. The organization also has a small branch office with 25 users that is connected to the head office through a slow and unreliable network connection. The organization has two business units that are administered separately, but all AD DS management tasks will be handled by the same administrative team.


Scenario 3: Coho Vineyards has two separate business units located in two offices in different countries. Each office has about 10,000 users. The offices are connected by a high-speed and reliable network connection that is not heavily utilized during business hours.

Scenario 4: Woodgrove Bank has multiple locations deployed in different countries around the world. In each country, the company has a single data center located in a central city. In addition, the company has numerous small branch offices with 5-100 users. The branch offices are connected to the main office through a variety of WAN connections.


Demonstration: Tools for Managing the AD DS Physical Components

Questions
1. You need to determine which site a workstation is located in. How would you do this?
2. You run the Repadmin /showrepl command and notice several errors between domain controllers located in different sites. What would you do to resolve the errors?
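Question 2 starts from Repadmin output. The following added example, not part of the course, shows how to turn the CSV form of that output into objects and list only the replication links that have failures, which is the usual first step before resolving them. The /csv switch and the column headings are Repadmin's own; the CSV sample embedded in the script is constructed (server names, times and the status value are made up) so that the parsing can be tried without a domain. PowerShell 3.0 or later syntax is assumed.

```powershell
# Added example (not from the course): report failing replication links
# from the CSV output of "repadmin /showrepl * /csv".
function Get-ReplicationFailure {
    param(
        # Lines of CSV exactly as repadmin /showrepl /csv prints them
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string[]] $CsvLines
    )
    begin   { $all = @() }
    process { $all += $CsvLines }
    end {
        $all | ConvertFrom-Csv |
            Where-Object { [int]$_.'Number of Failures' -gt 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    Destination   = $_.'Destination DSA'
                    DestSite      = $_.'Destination DSA Site'
                    Source        = $_.'Source DSA'
                    SourceSite    = $_.'Source DSA Site'
                    NamingContext = $_.'Naming Context'
                    Failures      = [int]$_.'Number of Failures'
                    LastSuccess   = $_.'Last Success Time'
                    LastStatus    = $_.'Last Failure Status'
                }
            }
    }
}

# Constructed sample: one healthy intra-site link and one failing inter-site
# link (values are made up for illustration).
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,NYC-DC1,"DC=WoodgroveBank,DC=com",Default-First-Site-Name,NYC-DC2,RPC,0,0,2008-03-01 10:15:02,0
showrepl_INFO,Default-First-Site-Name,NYC-DC1,"DC=WoodgroveBank,DC=com",London,LON-DC1,RPC,14,2008-03-01 10:20:33,2008-02-28 22:01:11,1722
'@ -split "`r?`n"

$sample | Get-ReplicationFailure | Format-Table -AutoSize

# Against a live forest (on a domain controller, or a workstation with the
# administration tools from Exercise 1 installed):
# repadmin /showrepl * /csv | Get-ReplicationFailure
```

Sorting the result by SourceSite shows at a glance whether the failures are confined to one inter-site link (a WAN, firewall or DNS problem between two sites) or involve a single source domain controller regardless of site (a problem on that server).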


Lab: Exploring AD DS Components and Tools

Scenario: Woodgrove Bank is an enterprise with offices in several cities throughout the world. Woodgrove Bank also has strategic partnerships with other organizations, including Fabrikam, Inc. and NorthWind Traders. Woodgrove Bank has deployed AD DS. As the new AD DS administrator, you must install the AD DS management tools on your Windows Vista workstation and then examine the AD DS environment at Woodgrove Bank.


Exercise 1: Installing the AD DS Management Tools
In this exercise you will install the AD DS management tools on a Windows Vista computer. The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6424A-NYC-CL1 virtual machine and log on as Claudia.
3. Start the 6424A-LON-DC1 virtual machine and log on as Administrator.
4. Install the Windows Server 2008 administration tools on Windows Vista.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator
• Start 6424A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.

Task 2: Start the 6424A-NYC-CL1 virtual machine and log on as Claudia
• Start 6424A-NYC-CL1 and log on as Claudia using the password Pa$$w0rd.

Task 3: Start the 6424A-LON-DC1 virtual machine and log on as Administrator
• Start 6424A-LON-DC1 and log on as Administrator using the password Pa$$w0rd.

Task 4: Install the Windows Server 2008 administration tools on Windows Vista

Result: At the end of this exercise, you will have installed the Windows Server 2008 administration tools on Windows Vista.


Exercise 2: Examining the AD DS Logical Components
In this exercise you will use the AD DS management tools to examine the AD DS logical components. The main tasks are as follows:
1. Open Active Directory Users and Computers to examine the logical components of Woodgrove Bank AD DS.
2. Open Active Directory Domains and Trusts to examine the logical components of Woodgrove Bank AD DS.
3. In Active Directory Users and Computers, change the domain that you are administering.

Task 1: Open Active Directory Users and Computers to examine the logical components of Woodgrove Bank AD DS
1. On NYC-CL1, open Active Directory Users and Computers as an administrator.
2. What domain are you administering?
3. What are the three types of objects listed under the domain? How can you tell the difference?
4. Expand the NYC OU, and then click BranchManagers. What design was used to create the OU structure at WoodgroveBank.com?
5. Examine the BranchManagers OU properties. Review the configuration options that can be configured for an OU.
6. Examine the properties for the NYC_BranchManagersGG group. What is the group type and scope?
7. Click the Members and Member Of tabs and review the information.
8. Double-click Doris Krieger and review the configuration options for a user account.
9. In the console tree pane, click Computers. In the details pane, double-click NYC-CL1 and review the configuration options for a computer account.
10. Leave Active Directory Users and Computers open.


Task 2: Open Active Directory Domains and Trusts to examine the logical components of Woodgrove Bank AD DS
1. On NYC-CL1, open Active Directory Domains and Trusts as an administrator.
2. What domains are listed as child domains in the WoodgroveBank.com forest?
3. Access the Trusts tab in the WoodgroveBank.com Properties. What type of trust is created between WoodgroveBank.com and EMEA.WoodgroveBank.com?
4. What type of trust is created between EMEA.WoodgroveBank.com and WoodgroveBank.com?
5. Close Active Directory Domains and Trusts.

Task 3: In Active Directory Users and Computers, change the domain that you are administering
1. In Active Directory Users and Computers, change the domain to administer EMEA.WoodgroveBank.com.
2. Verify that you can connect to the EMEA.WoodgroveBank.com domain. Why can you connect to the domain without providing authentication credentials?
3. Change the domain controller so that you are administering LON-DC1.EMEA.WoodgroveBank.com and click OK.
4. Verify that you can connect to the LON-DC1.WoodgroveBank.com domain controller. What domain is displayed in Active Directory Users and Computers?
5. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have explored the WoodgroveBank.com AD DS environment by using the AD DS management tools.


Exercise 3: Examining the AD DS Physical Components
In this exercise you will use the AD DS management tools to examine the AD DS physical components. The main tasks are as follows:
1. Enable Remote Desktop connections on NYC-DC1.
2. Connect to NYC-DC1 using Remote Desktop.
3. Use Active Directory Users and Computers to examine the domain controllers in the WoodgroveBank.com domain.
4. Log off from Remote Desktop and shut down all virtual machines.

Task 1: Enable Remote Desktop connections on NYC-DC1
1. On NYC-DC1, click Start, and then open Server Manager.
2. In Server Manager, configure Remote Desktop to allow connections only from computers running Remote Desktop with Network Level Authentication (more secure). What limitation does this selection place on the Remote Desktop connections?
3. Which users have Remote Desktop access by default?
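Task 1 changes two settings through Server Manager. The following added PowerShell example (not course code) reads them back from the registry so the result can be confirmed, for instance before and after the change, or on a server that someone else configured. It assumes it runs on NYC-DC1 or another Windows Server 2008 computer with administrative rights and PowerShell 3.0 or later syntax; the two registry values are the ones Windows uses to store these options.

```powershell
# Added example (not from the course): report whether Remote Desktop is
# enabled and whether Network Level Authentication (NLA) is required on the
# RDP-Tcp listener. fDenyTSConnections = 0 means Remote Desktop is enabled;
# UserAuthentication = 1 is the "NLA only" option in Server Manager.
function Get-RemoteDesktopSecurityState {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RemoteDesktopEnabled = ($deny -eq 0)
        # With NLA the client authenticates before any session is created, so
        # an unauthenticated client never reaches the logon screen. The cost is
        # that clients must support NLA (CredSSP), which older Remote Desktop
        # clients do not.
        NlaRequired          = ($nla -eq 1)
    }
}

Get-RemoteDesktopSecurityState | Format-List
```

Who may connect is governed by membership of the Remote Desktop Users group (members of Administrators can always connect), which net localgroup "Remote Desktop Users" lists on the server; on a domain controller that command shows the domain's Builtin group of that name.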

Task 2: Connect to NYC-DC1 using Remote Desktop
1. On NYC-CL1, start a Remote Desktop Connection.
2. Connect to NYC-DC1 using Administrator as the user name and Pa$$w0rd as the password. Click OK.

Task 3: Use Active Directory Users and Computers to examine the domain controllers in the WoodgroveBank.com domain
1. In the Remote Desktop connection, open Active Directory Users and Computers.
2. How many domain controllers are deployed in the domain? What is different about each domain controller?
3. Close Active Directory Users and Computers.


Task 4: Use Active Directory Sites and Services to examine the domain controllers in the WoodgroveBank.com domain
1. In the Remote Desktop connection, open Active Directory Sites and Services.
2. How many sites are listed in the forest? What is the site or sites called?
3. Verify that the same domain controllers are listed in Default-First-Site-Name as were listed in Active Directory Users and Computers.
4. Expand NYC-DC1, right-click NTDS Settings, and click Properties. Verify that NYC-DC1 is configured as a global catalog server.
5. On the Connections tab, examine the replication connections on the domain controller.

Task 5: Log off Remote Desktop and shut down all virtual machines
1. In the Remote Desktop connection, click Start, and then click Log Off.
2. Shut down all virtual machines and delete changes.

Result: At the end of this exercise, you will have examined the AD DS physical properties in the WoodgroveBank.com domain.


Module Review and Takeaways

Review Questions
1. You have just installed a new domain controller in your domain. What two tools could you use to verify that the domain controller has been added to the domain?
2. You want to group all of the users in a branch office together so that you can assign permissions on a shared folder to all of them. What type of AD DS object should you create?
3. What are the differences between a domain, a domain tree, and a forest?
4. What feature makes it easy and fast to search a forest for user phone numbers?
5. What is the relationship between a domain and a site?


Summary of Active Directory Domain Services
AD DS provides a directory service that enables organizations to provide secure access to network resources and centralized administration. AD DS authenticates users and then authorizes them to access network resources based on that authentication. AD DS is composed of logical and physical components. Logical components such as domains, forests, and OUs are used to group objects together for administrative purposes. Physical components such as domain controllers and sites are deployed to provide a consistent experience for users throughout the AD DS environment.


Module 3: Introduction to Active Directory® Lightweight Directory Services
Contents:
Lesson 1: Active Directory® Lightweight Directory Services Overview 3-3
Lesson 2: Implementing and Administering AD LDS 3-8
Lesson 3: Implementing AD LDS Replication 3-16
Lesson 4: Comparing AD DS and AD LDS 3-22
Lab: Exploring Configuring AD LDS 3-26


Module Overview

The Windows Server 2008 Active Directory® Lightweight Directory Services (AD LDS) role is a Lightweight Directory Access Protocol (LDAP) directory service. It provides data storage and retrieval for directory-enabled applications without the dependencies that Active Directory® Domain Services (AD DS) requires.


Lesson 1: Active Directory® Lightweight Directory Services Overview

Active Directory® Lightweight Directory Services (AD LDS) is designed to provide a directory service for applications. Such applications may require a directory service for authentication, or may be configured to store their configuration data in an external directory. AD LDS provides a simple but flexible solution for these situations.


How Active Directory Lightweight Directory Services Works

Key Points
AD LDS provides a hierarchical, file-based directory store that uses the Extensible Storage Engine (ESE) for storage. By default, AD LDS stores its data in %Program Files%\Microsoft ADAM\[AD LDS instance name]\data\adamntds.dit. Applications then access the directory store over TCP/IP using the LDAP protocol.

Additional Reading
• AD LDS Help File
• Windows 2008 Active Directory Components (upper left box)

AD LDS Administration Tools

Key Points
A variety of administration tools are available for AD LDS. The table on the slide lists the tools and their functions.

Additional Reading
• AD LDS Help File

What is the AD LDS Schema?

Key Points
In order for an object type to be created in the directory, it first has to be defined in the schema. The schema definition includes object classes and attributes.
• An object class represents a category of objects that share a set of common characteristics (for example, users, printers, or application programs).
• An attribute describes one part of an object class. The definition for each object class contains a list of the attributes that can be used to describe instances of the class. The list of attributes for a class is divided into mandatory and optional attributes.
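The mandatory and optional attribute lists described above are stored on the classSchema object for each class in the instance's schema partition and can be read from a running instance. The PowerShell below is an added example, not course code. It assumes an AD LDS instance on NYC-SRV1 listening on LDAP port 50000 (the port is chosen when the instance is created), that the MS-User.LDF classes have been imported so that a user class exists, that the caller is an administrator of the instance, and PowerShell 3.0 or later syntax.

```powershell
# Added example (not from the course): read a class definition from an AD LDS
# schema partition and list its mandatory and optional attributes.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdLdsClassDefinition {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,     # host:port of the instance
        [Parameter(Mandatory = $true)] [string] $ClassName   # lDAPDisplayName, e.g. user
    )

    # RootDSE tells us where this instance keeps its schema. In AD LDS that is
    # CN=Schema,CN=Configuration,CN={instance GUID}, so it must not be hard-coded.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = $rootDse.schemaNamingContext[0]

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNc"
    $searcher.Filter     = "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
    [void]$searcher.PropertiesToLoad.AddRange(@(
        'lDAPDisplayName', 'subClassOf',
        'mustContain', 'systemMustContain', 'mayContain', 'systemMayContain'))

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Class '$ClassName' is not defined in the schema at $schemaNc" }

    $p = $result.Properties
    [pscustomobject]@{
        Class               = [string]$p['lDAPDisplayName'][0]
        ParentClass         = [string]$p['subClassOf'][0]
        # Mandatory attributes: an object of this class cannot be created
        # without them. The system-defined list and the administrator-added
        # list both count.
        MandatoryAttributes = @($p['systemMustContain']) + @($p['mustContain'])
        OptionalAttributes  = @($p['systemMayContain'])  + @($p['mayContain'])
    }
}

# Example: the user class, available after importing MS-User.LDF.
Get-AdLdsClassDefinition -Server 'NYC-SRV1:50000' -ClassName 'user' | Format-List
```

Only the attributes declared on the class itself are listed; attributes inherited from the parent chain (ParentClass and its ancestors up to top) are found by calling the function again for each ParentClass value.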

Additional Reading
• AD LDS Help File

Demonstration: Modifying the AD LDS Schema

Questions
1. What tools can you use to modify the AD LDS schema?
2. Under what circumstances might you need to change the schema in AD LDS?


Lesson 2: Implementing and Administering AD LDS

Active Directory® Lightweight Directory Services (AD LDS) is a server role that is installed on a Windows Server 2008 computer by using Server Manager. After installing the server role, you configure AD LDS by using the Active Directory® Lightweight Directory Services Wizard. Several administrative utilities can then be used to configure AD LDS for your implementation.


What is an AD LDS Instance?

Key Points
An AD LDS instance is a single running copy of the AD LDS directory service. An instance contains all of the essential components needed to run AD LDS (that is, a communication interface, a directory service, and a data store). The data store for each instance has all three partitions required for AD LDS. Each instance is bound to its own TCP/IP ports on the server.

Additional Reading
• AD LDS Help File

What is an AD LDS Application Partition?

Key Points
The AD LDS application partition is where applications store their data. Unlike the schema and configuration partitions, the application partition does not store AD LDS configuration or definition information.
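The instances and partitions described in the last two topics can be enumerated on a server without opening ADSI Edit. The PowerShell below is an added example, not course code. Each AD LDS instance runs as a Windows service named ADAM_<instance name>; the "Port LDAP", "Port SSL" and "DSA Database file" value names under that service's Parameters registry key are assumptions to verify against your build, while the RootDSE attributes used to list the partitions are standard LDAP. PowerShell 3.0 or later syntax and administrative rights on the server are assumed.

```powershell
# Added example (not from the course): list the AD LDS instances on this
# server with the ports they listen on, then bind to each instance's RootDSE
# and classify the partitions it holds.
function Get-AdLdsInstance {
    foreach ($svc in Get-Service -Name 'ADAM_*') {
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $params    = Get-ItemProperty -Path $paramsKey
        [pscustomobject]@{
            Instance = $svc.Name -replace '^ADAM_', ''
            Status   = $svc.Status
            LdapPort = $params.'Port LDAP'           # value name assumed, see lead-in
            SslPort  = $params.'Port SSL'            # value name assumed, see lead-in
            DataFile = $params.'DSA Database file'   # ...\data\adamntds.dit by default
        }
    }
}

function Get-AdLdsPartition {
    param([Parameter(Mandatory = $true)] [string] $Server)   # host:port

    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $config  = $rootDse.configurationNamingContext[0]
    $schema  = $rootDse.schemaNamingContext[0]

    # namingContexts lists every partition the instance hosts: the
    # configuration and schema partitions that every instance has, plus the
    # application partitions (CN=Partition1,DC=Woodgrove in the lab).
    foreach ($nc in $rootDse.namingContexts) {
        if     ($nc -eq $config) { $kind = 'Configuration' }
        elseif ($nc -eq $schema) { $kind = 'Schema' }
        else                     { $kind = 'Application' }
        [pscustomobject]@{ Server = $Server; Partition = $nc; Kind = $kind }
    }
}

Get-AdLdsInstance | Format-Table -AutoSize
Get-AdLdsInstance | Where-Object { $_.Status -eq 'Running' } |
    ForEach-Object { Get-AdLdsPartition -Server "localhost:$($_.LdapPort)" } |
    Format-Table -AutoSize
```

An instance with no Application partition listed is one that was created without creating a partition in the wizard, which is the state LDP's create-partition step in the lab resolves.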


Demonstration: Configuring AD LDS Instances and Application Partitions

Questions
1. What tool do you use to configure AD LDS instances?
2. What tool do you use to create application partitions?
3. Consider a scenario where you need to install two different copies of the same application on two different servers. Both applications will use AD LDS on one server, but the information from the two applications should not be combined. How would you configure instances and application partitions in AD LDS?


AD LDS Users and Groups

Key Points
A set of four default groups is created when an AD LDS instance is created. AD LDS also enables the use of Windows security principals for authentication and access control. You can use ADSI Edit or LDP to create and modify users and groups in the configuration partition and in a specific application partition.

Additional Reading
• AD LDS Help File:
  • "Understanding AD LDS Users and Groups"
  • "Add or Remove Members to or from an AD LDS Group"

How Does Access Control Work in AD LDS?

Key Points
AD LDS provides access control that:
1. Authenticates the identity of all users. Authentication against AD LDS can use users created in AD LDS as well as Windows local and AD DS security principals.
2. Uses access control lists (ACLs) to determine whether the user has permission to access specific objects. You can use the Dsacls utility to view or modify the ACLs of a particular object.

Additional Reading
• AD LDS Help File: "Working with Authentication and Access Control"

Demonstration: Configuring Users, Groups and Access Control

Questions
1. Which tools can be used to administer users and groups?
2. Which tool is used to administer access control?
3. Consider a scenario where you have deployed an application that uses AD LDS. The application requires that all users have read access to the application data, but only advanced users in the application should be able to modify the application data. All of the users have accounts in your AD DS domain. How would you configure permissions?


Additional Reading
• AD LDS Help File:
  • "Disable or Enable an AD LDS User"
  • "Add an AD LDS User to the Directory"
  • "Add or Remove Members to or from an AD LDS Group"
  • "View or Set Permissions on a Directory Object"

Lesson 3: Implementing AD LDS Replication

AD LDS uses replication to provide high availability and load balancing for directory services. By implementing replication between AD LDS instances, you can provide copies of the directory information on multiple servers. This lesson describes the reasons for replicating data, how replication works, and how to configure replication.


How AD LDS Replication Works

Key Points
AD LDS allows multiple replicas of an instance to be created on separate servers. These servers can be in separate locations. AD LDS uses multimaster replication to ensure that each of the replicas has the same information.

Additional Reading
• AD LDS Help File, "Understanding AD LDS Replication and Configuration Sets"

Why Implement AD LDS Replication?

Key Points
There are three main reasons to use AD LDS replication: high availability, load balancing, and geographic limitations.
• High availability. Creating multiple replicas allows one replica to be down for maintenance or updates while the other replicas remain online servicing the application.
• Load balancing. You can configure the application to load balance between replicas when a single server cannot handle all of the requests.
• Geographic limitations. When an application is used at multiple sites but relies on an AD LDS server in a single office, the application may respond slowly. Placing a replica at each site can improve application performance.


Demonstration: Configuring AD LDS Replication

Questions
1. What tool do you use to configure replication?
2. Consider a scenario where your organization has two locations and the same application that uses AD LDS is configured in both locations. The applications should have access to the same information, and the information should be as current as possible. In one of the locations, another application is also using AD LDS, but that application's information should not be replicated between office locations. The applications use the same schema. How would you configure AD LDS replication?


Discussion: Scenarios for Implementing AD LDS

Questions
For each scenario, describe how AD LDS could be deployed in these organizations.

Scenario 1: Woodgrove Bank has deployed a Web application that uses AD LDS to store user information and preferences. This application is deployed only at the corporate head office in New York. Customers use the Web application 24 hours per day, and it is critical that the application is available when users want access. The bank has deployed 4 load-balanced Web servers hosting the application. How would you configure AD LDS to support this scenario?

Scenario 2: Contoso Inc. has deployed a Web-based order system that uses AD LDS for customers. To ensure that network failures do not affect the order system's availability, the organization has deployed servers hosting the application in three company locations. The available network bandwidth between the company locations is limited. How would you configure AD LDS to support this scenario?


Scenario 3: NorthWind Traders is deploying several internal applications that use AD LDS as a directory service. Each application includes an installation file that makes schema changes in AD LDS when the application is installed. NorthWind Traders has 5 company locations, and users in all 5 locations will be accessing the applications. All servers hosting the applications are installed at the company headquarters in Bangalore. How would you configure AD LDS to support this scenario?


Lesson 4: Comparing AD DS and AD LDS

AD DS and AD LDS have a number of similarities in both features and usage. However, there are also some very important differences that make each suitable for specific tasks. This lesson compares AD DS and AD LDS.


Similarities between AD DS and AD LDS

Key Points
AD LDS and AD DS are similar in the following ways. Both AD DS and AD LDS:
• Are LDAP-compliant directories that support LDAP client connections.
• Use multimaster replication for data distribution.
• Support delegating administration of partitions or organizational units (OUs) to a group, role, or user.
• Use the Extensible Storage Engine (ESE) for the database store.


Differences between AD DS and AD LDS

Key Points
AD DS and AD LDS are each designed for a specific purpose and so differ in several ways. AD DS is meant for enterprise authentication and administration, whereas AD LDS is meant to provide a robust, easy-to-implement foundation that other applications can use for authentication and data storage.


Integrating AD DS and AD LDS

Key Points
Many organizations want to use the data stored in AD DS in custom applications. These custom applications may require specific schema attributes to function, and most organizations do not want such applications to store their schema or configuration information in Active Directory®. By integrating AD DS and AD LDS, you can synchronize data between the two directories instead of extending the AD DS schema.

Additional Reading
• AD LDS Help File:
  • "Synchronize with Active Directory Domain Services"
  • "Import the User Classes That Are Supplied with AD LDS"

Lab: Exploring Configuring AD LDS

Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD LDS to implement directory services for various applications in the organization. You need to configure the AD LDS server role in preparation for deploying the applications.


Exercise 1: Configuring AD LDS Instances and Application Partitions
In this exercise you will use the AD LDS Setup Wizard to configure an AD LDS instance and an application partition. The main tasks are as follows:
1. Start the 6424A-NYC-SRV1 virtual machine and log on as Administrator.
2. Use Server Manager to add the AD LDS role to the server.
3. Use the AD LDS Setup Wizard to create an AD LDS instance named Woodgrove.
4. Use LDP to create an application partition named “CN=Partition2,DC=Woodgrove”.

Task 1: Start the 6424A-NYC-SRV1 virtual machine and log on as Administrator
• Start 6424A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.

Task 2: Use Server Manager to add the AD LDS role to the server
• Add the AD LDS role using Server Manager.


Task 3: Use the AD LDS Setup Wizard to create an AD LDS instance named Woodgrove
1. In the content pane, under the Advanced Tools section, click AD LDS Setup Wizard.
2. Create an application partition named “Partition1” during the setup process.
3. Select the MS-User.LDF schema to import.

Task 4: Use LDP to create an application partition named “CN=Partition2,DC=Woodgrove”

Result: At the end of this exercise, you will have configured an AD LDS instance and an application partition.


Exercise 2: Configuring AD LDS Access Control
In this exercise you will use ADSI Edit to configure user accounts and groups, and configure access control. You will then test the access control. The main tasks are as follows:
1. Log on to 6424A-NYC-SRV1 as Administrator.
2. Open ADSI Edit and connect to the created instance.
3. Create a container with the distinguished name “CN=Users, CN=Partition1,DC=Woodgrove”.
4. Create User1 in the created container of the application partition.
5. Create Group1 in the Roles container of the application partition and add User1 to Group1.
6. Use Dsacls to give User1 and Group1 permissions to view the application partition.
7. Use ADSI Edit to connect to the instance and verify permissions.

Task 1: Log on to 6424A-NYC-SRV1 as Administrator

Task 2: Open ADSI Edit and connect to the created instance
• Use ADSI Edit to connect to “\\NYC-SRV1\ CN=Partition1,DC=Woodgrove”.

Task 3: Create a container with the distinguished name “CN=Users, CN=Partition1,DC=Woodgrove”
• Use ADSI Edit to create CN=Users, CN=Partition1,DC=Woodgrove.

Task 4: Create User1 in the created container of the application partition

Task 5: Create Group1 in the Roles container of the application partition and add User1 to Group1


Task 6: Use Dsacls to give User1 and Group1 permissions to view the application partition

Task 7: Use ADSI Edit to connect to the instance and verify permissions

Result: At the end of this exercise, you will have configured user accounts, groups, and access control, and tested the access control.
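Tasks 6 and 7 of this exercise, and the Dsacls access-control topic in Lesson 2, as commands rather than console clicks. This is an added example, not course code. It assumes the instance on NYC-SRV1 listens on LDAP port 50000, PowerShell 3.0 or later syntax, and that Dsacls accepts the \\server:port\DN object form and an AD LDS principal named by its distinguished name, as the AD LDS help topic "View or Set Permissions on a Directory Object" cited in the lesson describes; check that topic if the command is rejected. GR is the Dsacls generic-read permission and /I:T applies the entry to the object and all its children.

```powershell
# Added example (not from the course): grant User1 and Group1 read access on
# the application partition with dsacls (Task 6) and read the resulting ACL
# back through ADSI (Task 7). Server, port and DNs are the lab's values.
$server    = 'NYC-SRV1:50000'
$partition = 'CN=Partition1,DC=Woodgrove'
$user1     = "CN=User1,CN=Users,$partition"
$group1    = "CN=Group1,CN=Roles,$partition"

function Grant-AdLdsRead {
    param([string] $Server, [string] $ObjectDn, [string] $TrusteeDn)
    # Generic read on the partition root, inherited by everything below it.
    # Granting read rather than a wider right keeps the application data
    # modifiable only by the instance's Administrators role.
    & dsacls.exe "\\$Server\$ObjectDn" /G "${TrusteeDn}:GR" /I:T
}

function Get-AdLdsAccessRule {
    param([string] $Server, [string] $ObjectDn)
    # The same information ADSI Edit shows on the object's Security tab.
    $entry = [ADSI]"LDAP://$Server/$ObjectDn"
    $entry.psbase.ObjectSecurity.Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      InheritanceType, IsInherited
}

Grant-AdLdsRead -Server $server -ObjectDn $partition -TrusteeDn $user1
Grant-AdLdsRead -Server $server -ObjectDn $partition -TrusteeDn $group1

# Verify: the two new entries should appear as explicit (IsInherited = False)
# GenericRead allows on the partition root.
Get-AdLdsAccessRule -Server $server -ObjectDn $partition | Format-Table -AutoSize
```

AD LDS users and groups are not Windows accounts, so in the ACL listing they appear as SIDs rather than names. Testing the grant by binding as User1 requires either the instance's SSL port or a change to its simple-bind security settings, because AD LDS rejects clear-text simple binds by default; that is why the verification above reads the ACL as the Windows administrator rather than as User1.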


Exercise 3: Configuring AD LDS Replication
In this exercise you will use the AD LDS Setup Wizard to configure a second replica of an AD LDS application partition. You will then verify replication. The main tasks are as follows:
1. Log on to 6424A-NYC-DC1 as Administrator.
2. Run the AD LDS Setup Wizard and create a replica of WoodgroveApp1.
3. Use ADSI Edit to connect to Partition1 on NYC-DC1 and verify the data.
4. Use ADSI Edit to connect to Partition1 and create CN=User2, CN=Partition1,DC=Woodgrove.

Task 1: Log on to 6424A-NYC-DC1 as Administrator
• Log on as Administrator using the password Pa$$w0rd.

Task 2: Run the AD LDS Setup Wizard and create a replica of WoodgroveApp1
• Run the AD LDS Setup Wizard and create a replica of WoodgroveApp1 from NYC-SRV1.

Task 3: Use ADSI Edit to connect to Partition1 on NYC-DC1 and verify the data
• Open ADSI Edit on NYC-DC1 and bind to the local replica.


Task 4: Use ADSI Edit to connect to Partition1 and create CN=User2, CN=Partition1,DC=Woodgrove
• Log on to NYC-SRV1 and use ADSI Edit to connect to CN=Partition1,DC=Woodgrove.

Task 5: Verify replication of the new object to NYC-SRV1

Result: At the end of this exercise, you will have configured a second replica of an AD LDS application partition and verified replication.
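Task 5 verifies replication by looking for the new object on the other replica. The PowerShell below is an added example, not course code, that does the same from the command line and then lists each replica's replication partners with their failure counts through the .NET AdamInstance class, which is the AD LDS counterpart of the Repadmin check in the AD DS module. It assumes both instances listen on LDAP port 50000, that the caller is an administrator of both, that the user class has been imported into the configuration set (MS-User.LDF in Exercise 1), and PowerShell 3.0 or later syntax.

```powershell
# Added example (not from the course): create CN=User2 on one replica, wait
# for it to appear on the other, then report replication partner status.
Add-Type -AssemblyName System.DirectoryServices

$partition = 'CN=Partition1,DC=Woodgrove'
$writeTo   = 'NYC-DC1:50000'    # replica created in Task 2
$readFrom  = 'NYC-SRV1:50000'   # original instance from Exercise 1

function Wait-AdLdsReplication {
    param(
        [string] $SourceServer, [string] $TargetServer,
        [string] $ContainerDn,  [string] $Cn, [int] $TimeoutSeconds = 300
    )
    # Create the object on the source (the lab's CN=User2 step).
    $container = [ADSI]"LDAP://$SourceServer/$ContainerDn"
    $obj = $container.Create('user', "CN=$Cn")
    $obj.SetInfo()

    # Poll the target. Replication inside a configuration set is change
    # driven, so this normally completes in seconds; a broken link runs out
    # the timeout and the function returns $false.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $found = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$TargetServer/CN=$Cn,$ContainerDn")
    } until ($found -or (Get-Date) -gt $deadline)
    $found
}

function Get-AdLdsReplicationStatus {
    param([string] $Server)   # host:port
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
               [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer, $Server)
    $inst = [System.DirectoryServices.ActiveDirectory.AdamInstance]::GetAdamInstance($ctx)
    foreach ($n in $inst.GetAllReplicationNeighbors()) {
        [pscustomobject]@{
            Instance    = $inst.Name
            Partition   = $n.PartitionName
            Source      = $n.SourceServer
            Failures    = $n.ConsecutiveFailureCount
            LastSuccess = $n.LastSuccessfulSync
            LastResult  = $n.LastSyncMessage
        }
    }
}

$replicated = Wait-AdLdsReplication -SourceServer $writeTo -TargetServer $readFrom `
                  -ContainerDn $partition -Cn 'User2'
"User2 visible on ${readFrom}: $replicated"
Get-AdLdsReplicationStatus -Server $readFrom | Format-Table -AutoSize
Get-AdLdsReplicationStatus -Server $writeTo  | Format-Table -AutoSize
```

A partner with a Failures count above zero and an old LastSuccess is where to start when the object never appears; because the test object is a real directory entry, remove it afterwards if the replica is kept.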


Module Review and Takeaways

Review Questions
1. What are the three core partition types in an AD LDS instance?
2. In what ways are AD DS and AD LDS similar?
3. What tools are used to administer AD LDS, and what is each used for?
4. What are some reasons for deploying multiple AD LDS replicas?
5. How would you configure AD LDS if two applications required schema attributes that conflict with each other?


Summary of Active Directory® Lightweight Directory Services
Windows Server 2008 Active Directory® Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service. It provides data storage and retrieval for directory-enabled applications without the dependencies that AD DS requires. AD LDS can have multiple writable replicas of the data on several servers; having multiple writable copies eliminates the single point of failure. Replication provides high availability, allows for load balancing, and better serves geographically dispersed application access. AD LDS and AD DS are similar in that they both use an ESE database, allow LDAP client connections, use multimaster replication, and allow delegated administration. They provide different functionality: AD DS is an enterprise directory for administration and management, and AD LDS is a lightweight, customizable solution that applications use for authentication and data storage.


Module 4: Introduction to Active Directory® Certificate Services

Contents:
Lesson 1: Overview of Active Directory Certificate Services (AD CS) 4-3
Lesson 2: Understanding AD CS Certificates 4-10
Lesson 3: Implementing Certificate Enrollment and Revocation 4-16
Lab: Exploring Active Directory Certificate Services 4-25


Module Overview

One of the most important components in a network security plan is the use of digital certificates. Digital certificates can be used to secure network traffic, secure Web sites and secure AD DS authentication. Active Directory Certificate Services (AD CS) provides the tools and services to create and manage these digital certificates. Furthermore, the integration of AD CS with AD DS provides organizations with a cost-effective, efficient, and secure way to manage the distribution and use of certificates.


Lesson 1

Overview of Active Directory Certificate Services (AD CS)

Many network security components require the digital certificates that are issued by a certification authority (CA). When you implement a CA, you have several options for how to design and configure the CA. This lesson describes some of these options when deploying a CA such as AD CS.


What is a Certification Authority?

Key Points
The certification authority (CA) is the entity entrusted to issue certificates to individuals, computers, or organizations. The CA performs the following functions:
• Verifies the identity of the certificate requestor.
• Issues certificates to requesting users, computers and services.
• Manages certificate revocation.

Additional reading
• Public Key Infrastructure


How CA Hierarchies Work

Key Points
Certification authorities can be chained together in hierarchies. A hierarchy is created when one CA issues a certificate to another CA. The root CA sits at the top: it signs its own certificate and is the CA that all other CAs in the hierarchy, and all clients, must trust. The subordinate CAs are those whose CA certificates were issued by the root CA or by another subordinate above them. A trust relationship is therefore created when a subordinate CA is issued a certificate by a CA higher in the hierarchy, and a client that trusts the root can validate any certificate that chains up to it.

Additional reading
• Active Directory Certificate Services Help File: Public Key Infrastructures


Options for Implementing Certification Authorities

Key Points
You can configure a certification authority for your company using an internal private CA such as AD CS, or you can leverage an external third-party CA.

Additional reading
• Certification Authority Trust Model


Options for Integrating AD CS and AD DS

Key Points
As with other Active Directory server roles, AD CS can be tightly integrated with AD DS. There are two main types of CAs running AD CS: stand-alone and enterprise.

Stand-alone CAs
Stand-alone CAs can be installed on a server that is either joined to an Active Directory domain or in a workgroup. Stand-alone CAs do not depend on AD DS.

Enterprise CAs
Enterprise CAs must be:
• Installed on a domain-joined server.
• Integrated with AD DS.


Additional reading
• Active Directory Certificate Services Help File:
  • Enterprise Certification Authorities
  • Stand-Alone Certification Authorities


Demonstration: Tools for Managing AD CS

Questions
1. Which tools should be used to manage the CA settings?
2. You need to determine which certificates have been issued to your user account while using a particular computer. How would you do this?


Lesson 2

Understanding AD CS Certificates

The digital certificates issued by AD CS CAs are distributed to network clients. These certificates are then used by a variety of applications to provide security. This lesson describes what certificates are, how they are used, and how to use certificate templates to generate certificates.


What are Digital Certificates?

Key Points
A digital certificate binds a public key to the identity of its holder. The certificate, and with it the public key, can be distributed to any client that requests it. The certificate provides:
• Information about the subject of the certificate
• Information about the validity of the certificate
• Information about the applications and services that can use the certificate
• A way to identify the holder of the certificate

The private key is not part of the certificate. It is usually stored only on the computer from which the original certificate request was made.

Additional reading
• X.509 Technical Supplement


How Public Keys and Private Keys Work

Key Points
The public key and the private key are a mathematically matched pair of numbers. Data encrypted with one of the keys can be decrypted only with the other; the key that encrypted the data cannot be used to decrypt it. This is an asymmetric key process. Both keys are required to complete an encryption or authentication process: anyone holding the certificate can encrypt data with its public key, but only the holder of the matching private key can decrypt that data, and a signature created with the private key can be verified by anyone holding the public key.

Additional reading
• How Encrypting File System Works
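The following PowerShell script is an added example, not part of the courseware, that demonstrates the key-pair relationship described above with the .NET RSACryptoServiceProvider class available on Windows Server 2008 (SHA-256 signing with this class requires .NET Framework 3.5 SP1 or later). No CA is involved; the key pair is generated in memory and discarded.

```powershell
# Added example (not from the original courseware). Shows the asymmetric
# key pair relationship with the .NET RSACryptoServiceProvider class.
# Provider type 24 (PROV_RSA_AES) is requested because the default provider
# on Windows Server 2008 cannot sign with SHA-256.
$csp = New-Object System.Security.Cryptography.CspParameters -ArgumentList 24

# 1. Generate a 2048-bit key pair; $keyPair holds both halves. The key is
#    not persisted in a key container.
$keyPair = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048, $csp
$keyPair.PersistKeyInCsp = $false

# 2. Export only the public half, as a certificate carries it, and load it
#    into a second object that holds no private key at all.
$publicOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
$publicOnly.PersistKeyInCsp = $false
$publicOnly.ImportParameters($keyPair.ExportParameters($false))   # $false = exclude private key
"Second object holds only the public key: $($publicOnly.PublicOnly)"

# 3. Confidentiality: anyone with the public key can encrypt; only the
#    private key can decrypt. OAEP padding ($true) should always be used.
$plain  = [Text.Encoding]::UTF8.GetBytes('only the private key holder can read this')
$cipher = $publicOnly.Encrypt($plain, $true)
$back   = $keyPair.Decrypt($cipher, $true)
"Decrypted with the private key: $([Text.Encoding]::UTF8.GetString($back))"

# 4. The key that encrypted the data cannot decrypt it: the public-only
#    object fails.
try {
    $null = $publicOnly.Decrypt($cipher, $true)
    'Unexpected: decryption with the public key succeeded'
} catch {
    "Decryption with the public key failed as expected: $($_.Exception.GetBaseException().Message)"
}

# 5. Authentication: the private key signs, the public key verifies. This
#    is the operation behind smart card logon and SSL server authentication.
$hash      = New-Object System.Security.Cryptography.SHA256Managed
$signature = $keyPair.SignData($plain, $hash)
"Signature verifies with the public key: $($publicOnly.VerifyData($plain, $hash, $signature))"

# Changing a single bit of the signed data invalidates the signature.
$tampered = [byte[]]$plain.Clone()
$tampered[0] = $tampered[0] -bxor 1
"Tampered data verifies: $($publicOnly.VerifyData($tampered, $hash, $signature))"

# Release the key handles.
$keyPair.Clear(); $publicOnly.Clear()
```

The step that matters for AD CS is step 2: a certificate request and the issued certificate carry only what `ExportParameters($false)` returns, which is why the private key never needs to leave the machine that generated it.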


Demonstration: Using Certificates to Secure Data

Questions
1. In order to encrypt a file, what must a user already have?
2. In this case, what was used to encrypt the file?


What are Certificate Templates?

Key Points
Certificate templates are used by AD CS enterprise CAs to define what types of certificates the CAs can issue.

Default templates
When you install AD CS, several default templates are created. Some of the default certificate templates are:
• Basic Encrypting File System (EFS)
• Key Recovery Agent (for a user who can recover archived private keys)
• Router (for encryption of router communications)
• Smartcard Logon (certificates used for smart card logon)
• Web Server (for Secure Sockets Layer (SSL))


Additional reading
• Active Directory Certificate Services Help:
  • Default Certificate Templates
  • Managing Certificate Templates


Lesson 3

Implementing Certificate Enrollment and Revocation

When you deploy AD CS, one of the primary issues that you need to address is how you will distribute and revoke certificates. This lesson describes what certificate enrollment is and how to administer and automate the enrollment process. This lesson also discusses certificate revocation, why it is important and how to revoke certificates.


Options for Implementing Certificate Enrollment

Key Points
AD CS provides three main options for enrolling for certificates: the built-in Web enrollment site on the CA, manual (offline) enrollment, and auto-enrollment.

Web enrollment
If Internet Information Services (IIS) is installed on the AD CS CA, you can enable a Web site on the CA through which users can obtain certificates. This method is useful for issuing certificates when auto-enrollment cannot be used.

Manual enrollment
Manual or offline enrollment is used when the requestor cannot communicate directly with the CA, or when the device does not support auto-enrollment. The requestor generates a key pair and a certificate request file containing the public key, the request is delivered to the CA by whatever means is available, and the issued certificate is returned and installed on the device that holds the private key.


Auto-enrollment
Auto-enrollment is used for AD DS domain-joined computers and their users. The auto-enrollment process allows an administrator to define the permissions and configuration of a certificate template so that the requestor automatically requests, retrieves and renews certificates without any end-user interaction.


Demonstration: Using Web Enrollment to Obtain Certificates

Questions
1. In what ways can the certificate request be generated?
2. In this demonstration, what did the CA use to determine whether the certificate request should be approved?


Administering Certificate Enrollment

Key Points
Regardless of whether you use Web enrollment, offline enrollment or auto-enrollment, the enrollment process consists of four basic steps (outlined in the slide). Auto-enrollment performs each of the steps without any user or administrative interaction.


Demonstration: Administering Certificate Requests

Questions
1. When was the private key generated for the Web server?
2. Why does Web enrollment require an administrator to approve the certificate requests?


Options for Automating Certificate Enrollment

Key Points
Auto-enrollment enables organizations to automatically deploy certificates to users and computers. The auto-enrollment feature allows organizations to manage all aspects of the certificate life cycle, including certificate enrollment, certificate renewal, and certificate revocation.
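The following PowerShell script is an added example, not from the courseware, showing the two conditions a practitioner checks when auto-enrollment does not deliver a certificate: the template's ACL must grant both Enroll and Autoenroll to the user or computer (or a group it belongs to) and an enterprise CA must publish the template, and the client must have the Certificate Services Client - Auto-Enrollment policy enabled. It reads the templates from the forest's Configuration partition with ADSI, so it needs no AD DS module; the extended-right GUIDs are the documented AD CS values, and the script assumes it runs on a domain-joined computer.

```powershell
# Added example (not from the original courseware). Lists which certificate
# templates can be auto-enrolled and by whom, whether a CA publishes them,
# and whether the local client has auto-enrollment policy switched on.
# Uses ADSI only and assumes a domain-joined computer and a domain user.

# Well-known AD CS extended-right GUIDs (Certificate-Enrollment and
# Certificate-AutoEnrollment). Both must be granted for auto-enrollment.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ExtendedRight  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll     = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Templates are stored once per forest, in the Configuration partition.
$configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase   = "CN=Public Key Services,CN=Services,$configNc"
$container = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"

# A template can only be issued if an enterprise CA has it published.
$published = @()
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    $published += @($ca.certificateTemplates)
}

foreach ($tmpl in $container.Children) {
    $enroll = @(); $auto = @()
    $rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights = [int]$r.ActiveDirectoryRights
        $isExt  = ($rights -band $ExtendedRight) -ne 0
        # GenericAll, or ExtendedRight with an empty ObjectType, covers every
        # extended right, including both enrollment rights.
        $all = (($rights -band $GenericAll) -eq $GenericAll) -or ($isExt -and $r.ObjectType -eq [Guid]::Empty)
        $who = $r.IdentityReference.Value
        if ($all -or ($isExt -and $r.ObjectType -eq $EnrollGuid))     { $enroll += $who }
        if ($all -or ($isExt -and $r.ObjectType -eq $AutoEnrollGuid)) { $auto   += $who }
    }
    # Autoenroll without Enroll has no effect; report only principals that
    # hold both. Group membership is not expanded here.
    $effective = @($auto | Where-Object { $enroll -contains $_ } | Sort-Object -Unique)
    if ($effective.Count -gt 0) {
        $name  = [string]$tmpl.cn
        $state = if ($published -contains $name) { 'published' } else { 'NOT published on any CA' }
        '{0,-28} {1,-24} autoenroll: {2}' -f $name, $state, ($effective -join ', ')
    }
}

# Client side: the Group Policy setting "Certificate Services Client -
# Auto-Enrollment" writes AEPolicy under these keys (HKLM for computer
# certificates, HKCU for user certificates). 7 = Enabled with both renewal
# options selected; 0x8000 = Disabled; missing = Not configured, which
# also means no auto-enrollment.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($val -eq $null) { "$hive AEPolicy: not configured" } else { '{0} AEPolicy: 0x{1:X}' -f $hive, $val }
}

# Trigger an auto-enrollment pass now instead of waiting for the next Group
# Policy refresh; the result is recorded in the Application event log by the
# CertificateServicesClient-AutoEnrollment source.
certutil -pulse
```

A template that appears in this list with Domain Users or Domain Computers as the principal is issued to every account in the domain without anyone approving it, so review the output for templates that also allow the requester to supply the subject name.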


What is Certificate Revocation?

Key Points
Certificate revocation is the invalidation of a certificate before its expiration date. You would need to revoke a certificate before it expires if:
• The certificate is no longer needed.
• The computer on which the private key was stored, or the CA itself, was compromised and is no longer secure.
• A new certificate was generated to replace it.

Revoked certificates are listed in the certificate revocation list (CRL) that the CA publishes; clients consult the CRL when they validate a certificate, so a revocation only takes effect once an updated CRL has been published and retrieved.

Additional reading
• Active Directory Certificate Services Help:
  • Creating a Revocation Configuration


Demonstration: Revoking Certificates

Question
Other than the CA MMC, where can you tell whether a certificate is valid?


Lab: Exploring Active Directory Certificate Services

Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has implemented Windows Server 2008 and is planning on using AD CS to issue certificates for internal network users, computers and servers. The AD CS Server role has been deployed. Your task is to ensure that the Web enrollment and manual processes for managing certificates are working.


Exercise 1: Requesting Certificates Using Web Enrollment
In this exercise you will request a certificate for a user account using Web enrollment. You will view the certificate in the Certificates snap-in and verify that the certificate has been issued by using the CA management tool. You will then use the certificate to encrypt data using EFS. The main tasks are as follows:
1. Start the 6424A-NYC-DC1 and 6424A-NYC-SRV1 virtual machines and log on as Administrator.
2. Open Internet Explorer®, go to https://NYC-DC1/CertSrv/Default.asp, and then generate a user certificate for Administrator.
3. Using the Certificates snap-in, verify that the user certificate was successfully installed.
4. Use the Certification Authority console to verify that the certificate was created.

Task 1: Start the 6424A-NYC-DC1 and 6424A-NYC-SRV1 virtual machines and log on as Administrator
1. Open the Virtual Server Remote Control Client and then double-click 6424A-NYC-DC1.
2. In Virtual Server Remote Control Client, double-click 6424A-NYC-SRV1.
3. Log on to 6424A-NYC-SRV1 as Administrator using the password Pa$$w0rd.

Task 2: Open Internet Explorer, go to https://NYC-DC1/CertSrv/Default.asp and generate a user certificate for Administrator
1. In Internet Explorer, go to https://NYC-DC1/CertSrv/Default.asp and request a user certificate.
2. Once the certificate is generated, install the certificate.


Task 3: Using the Certificates snap-in, verify that the user certificate was successfully installed
1. Run the mmc.exe command and add the Certificates snap-in for the current user account.
2. Expand Certificates – Current User, expand Personal and then click the Certificates node to verify that the user certificate is installed.

Task 4: Use the Certification Authority console to verify that the certificate was created
• Verify that the user certificate is listed in the Issued Certificates folder of the Certification Authority console.

Result: At the end of this exercise, you will have requested a certificate using Web enrollment.
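As an added example that is not part of the lab, the following PowerShell commands perform Tasks 3 and 4 from the command line (they also answer the earlier demonstration question about finding the certificates issued to your account on a given computer) and add the chain check a relying party performs. The CA name WoodgroveCA and the domain NetBIOS name WOODGROVE are assumptions; the lab does not state them, and `certutil -dump` run on NYC-DC1 prints the real CA name.

```powershell
# Added example (not from the original courseware). Command-line equivalent
# of Exercise 1 Tasks 3 and 4, plus a chain/revocation check. The CA name
# (WoodgroveCA) and domain NetBIOS name (WOODGROVE) are assumptions.

# Task 3 equivalent: the Certificates snap-in's Personal\Certificates node.
# Enterprise CAs stamp the template name or OID into an extension, which
# tells you which template produced each certificate.
Get-ChildItem Cert:\CurrentUser\My |
    Select-Object Subject, Issuer, NotBefore, NotAfter, HasPrivateKey, Thumbprint,
        @{ Name = 'Template'; Expression = {
            ($_.Extensions | Where-Object { $_.Oid.FriendlyName -match 'Certificate Template' } |
                ForEach-Object { $_.Format($false) }) -join '; ' } } |
    Format-List

# Task 4 equivalent: the CA console's Issued Certificates folder, filtered
# to one requester. Disposition 20 is "issued" in the CA database.
$caConfig = 'NYC-DC1\WoodgroveCA'
certutil -config $caConfig -view -restrict "RequesterName=WOODGROVE\Administrator,Disposition=20" `
    -out "RequestID,RequesterName,CertificateTemplate,NotAfter,SerialNumber"

# Validate the newest certificate that has a private key the way an
# application would: build the chain to a trusted root and check revocation
# online against the CRL named in the certificate.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if ($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($cert)
    "Chain for '$($cert.Subject)' valid: $valid"
    # An empty ChainStatus means no problems; otherwise each entry names one
    # (NotTimeValid, Revoked, RevocationStatusUnknown, UntrustedRoot ...).
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

`HasPrivateKey` is the property to check when a certificate was requested on one computer and viewed on another: the certificate can be present without the key, in which case it cannot be used for EFS or authentication on that computer.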


Exercise 2: Managing Certificate Requests and Revocation
In this exercise you will request a certificate for a Web server and then use the CA management tool to approve the certificate. After verifying the certificate installation, you will revoke the certificate and publish the revocation. You will then verify that the certificate has been revoked. The main tasks are as follows:
1. Log on to 6424A-NYC-SRV1 as Administrator.
2. Open IIS Manager to create a certificate request.
3. Use Web enrollment to generate the Web server certificate from the certificate request.
4. Install the issued certificate on the Web server and verify that the certificate is valid.
5. Revoke the NYC-SRV1 certificate using the Certification Authority snap-in.
6. Using Internet Explorer, verify that the Web certificate has been revoked.

Task 1: Log on to 6424A-NYC-SRV1 as Administrator
• Start 6424A-NYC-SRV1 and log on as Administrator using the password Pa$$w0rd.

Task 2: Open IIS Manager to create a certificate request
1. On NYC-SRV1, open Internet Information Services (IIS) Manager.
2. Using the Server Certificates feature, in the Actions pane, click Create Certificate Request.
3. In the Request Certificate dialog box, type the following information in each field:
   • Common name: NYC-SRV1
   • Organization: Woodgrove Bank
   • Organizational unit: Corporate
   • City/locality: New York
   • State/province: New York
   • Country/region: US
4. Specify a file name for the certificate request. Type C:\Users\Administrator\Documents\NYC-SRV.txt and click Finish.

Task 3: Use Web enrollment to generate the Web server certificate from the certificate request
1. On NYC-SRV1, open Internet Explorer and go to https://NYC-DC1/CertSrv/Default.asp to request a new certificate.
2. On the Request a Certificate page, click advanced certificate request.
3. Open C:\Users\Administrator\Documents\NYC-SRV.txt in Notepad and paste its contents (the Base-64 encoded request) into the Saved Request box of the request page.
4. Download the issued certificate to C:\Users\Administrator\Download\certnew.cer.
5. Close Internet Explorer.

Task 4: Install the issued certificate on the Web server and verify that the certificate is valid
1. On NYC-SRV1, open IIS Manager.
2. Using the Server Certificates feature, in the Actions pane, click Complete Certificate Request.
3. Use the certificate response that was downloaded in the previous task: C:\Users\Administrator\Download\certnew.cer.
4. In the Friendly name text box, type NYC-SRV1 SSL.
5. Bind this new certificate to the Default Web Site (an https binding on port 443).
6. Open Internet Explorer and go to https://NYC-SRV1 to verify that the certificate is working.

Task 5: Revoke the NYC-SRV1 certificate using the Certification Authority snap-in
1. Open the Certification Authority console on NYC-DC1 and revoke the Web server certificate.
2. Publish the certificate revocation list (CRL).

Task 6: Using Internet Explorer, verify that the Web certificate has been revoked
• In Internet Explorer, go to https://NYC-SRV1 and verify that the certificate is reported as revoked. A client keeps a downloaded CRL until its next update time, so if the site still appears valid, the client is using the CRL it retrieved before the revocation; wait for that CRL to expire or clear the client's CRL cache and retry.

Result: At the end of this exercise, you will have requested and approved a certificate for a Web server. You will also have revoked the certificate, published the revocation and verified that the certificate has been revoked.
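The following PowerShell script is an added example, not from the lab, that performs Exercise 2 (and the manual/offline enrollment path described in Lesson 3) with certreq.exe and certutil.exe rather than IIS Manager and the Web enrollment pages, and then checks the revocation the way a relying party does. The CA name WoodgroveCA is an assumption; WebServer is a default enterprise CA template; the script must run in an elevated prompt on NYC-SRV1 (the key is created in the machine store) as a user who is a certificate manager on the CA. Binding the certificate to the Default Web Site remains a Task 4 step in IIS Manager.

```powershell
# Added example (not from the original courseware). Exercise 2 with
# certreq.exe/certutil.exe instead of IIS Manager and the Web enrollment
# pages. Assumptions: CA config string NYC-DC1\WoodgroveCA (hypothetical CA
# name), the default WebServer template, an elevated prompt on NYC-SRV1 and
# a user who is a certificate manager on the CA.
$caConfig = 'NYC-DC1\WoodgroveCA'
$dir      = 'C:\Users\Administrator\Documents'

# Task 2 equivalent. The key pair is generated here, non-exportable, in the
# machine store; only the PKCS#10 request (subject + public key) leaves
# NYC-SRV1. KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU
# 1.3.6.1.5.5.7.3.1 = Server Authentication.
@"
[NewRequest]
Subject = "CN=NYC-SRV1, OU=Corporate, O=Woodgrove Bank, L=New York, S=New York, C=US"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$dir\NYC-SRV1.inf"

certreq -new "$dir\NYC-SRV1.inf" "$dir\NYC-SRV.txt"

# Task 3 equivalent: submit. If the CA or template requires manager
# approval, the request stays pending and certreq prints its RequestId.
$submit = certreq -submit -config $caConfig "$dir\NYC-SRV.txt" "$dir\certnew.cer"
if (-not (Test-Path "$dir\certnew.cer")) {
    $m = $submit | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1
    $requestId = [int]$m.Matches[0].Groups[1].Value
    "Request $requestId is pending; issuing it as certificate manager"
    certutil -config $caConfig -resubmit $requestId       # Pending Requests > Issue
    certreq -retrieve -config $caConfig $requestId "$dir\certnew.cer"
}

# Task 4 equivalent: complete the request. certreq pairs the certificate
# with the private key created by -new and stores it in LocalMachine\My.
certreq -accept "$dir\certnew.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$dir\certnew.cer"
'Issued: {0}  serial {1}  expires {2}' -f $cert.Subject, $cert.SerialNumber, $cert.NotAfter

# Task 5 equivalent: revoke by serial number (reason 1 = Key Compromise) and
# publish a new base CRL so relying parties can learn of the revocation.
certutil -config $caConfig -revoke $cert.SerialNumber 1
certutil -config $caConfig -crl

# Task 6 equivalent: validate the chain as a client would, fetching the CRL
# from the distribution point named in the certificate. Clients keep a
# downloaded CRL until its NextUpdate time; clearing the URL cache first
# avoids a stale "valid" result for a certificate revoked a moment ago.
certutil -urlcache * delete
certutil -verify -urlfetch "$dir\certnew.cer"
```

The last command's output should contain the revocation reason and the CRL that listed the serial number; if it reports the certificate as valid, compare the CRL's "Next Update" time against the time of the `-crl` command before suspecting the CA.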


Module Review and Takeaways

Review Questions
1. What are some reasons that a certificate would need to be revoked?
2. What types of enrollment can be done with NDES?
3. Which editions of Windows Server 2008 support the advanced integration features of AD CS and AD DS?
4. In order to enable auto-enrollment, what must be true of the client computer's AD DS configuration?


Summary of Active Directory Certificate Services
Active Directory Certificate Services (AD CS) provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. It gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates. Each certificate is bound to a key pair: the public key, which is carried in the certificate, and the private key, which is held only by the certificate's subject. These two keys are used in the asymmetric encryption and decryption process. Since the public key is meant to be freely obtained and both keys are required for the process, it is extremely important to protect the private key. AD CS certification authorities can be arranged in a hierarchy to improve security, redundancy or flexibility. AD CS also has certificate templates that can be configured to define how certificates are enrolled and what options the certificates have when they are created. Certificates can be requested automatically through the auto-enrollment process on domain-joined computers, or manually using the CA Web enrollment site or the Certificates snap-in.


Module 5: Introduction to Active Directory Rights Management Services

Contents:
Lesson 1: AD RMS Overview 5-3
Lesson 2: Understanding AD RMS 5-7
Lesson 3: Managing AD RMS 5-16
Lab: Exploring Active Directory Rights Management Services 5-23


Module Overview

In the Windows Server® 2008 operating system, you can restrict access to digital information by configuring permissions on shared folders or Web sites. However, these features do not protect or restrict what users can do with content once they have access to it. In recent years, helping to protect digital information from theft and improper use has become a priority in many enterprises. Active Directory® Rights Management Services (AD RMS) provides a method for helping to protect documents from improper use by establishing and enforcing persistent use rights for documents. AD RMS can be used to protect content even after it is distributed to other people.


Lesson 1

AD RMS Overview

An enterprise can benefit in a number of ways from deploying Active Directory Rights Management Services (AD RMS). In order to benefit fully from a deployment, you need to understand how AD RMS works and options for using AD RMS. This lesson describes some of these benefits and the options for deploying AD RMS.


Overview of AD RMS

Key Points
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. There are compelling reasons to invest in rights management: to protect an enterprise's intellectual property, to address new governmental regulations, or to better track and control access to company data.


How AD RMS Works

Key Points
AD RMS has three main functions:
• Creation of rights-protected content
• Licensing and distributing these rights-protected resources
• Consuming the rights-protected resources

Additional Reading
• Windows Server 2008 Component Posters (download "Windows Server 2008 Active Directory Components.pdf")


Options for Using AD RMS

Key Points
A number of enterprise-level options are available for rights-protected content. Which options you use will largely depend on what type of data the company needs to protect.


Lesson 2

Understanding AD RMS

AD RMS requires a number of components to be in place before you can use it to help protect content. This lesson discusses the major components of AD RMS and also provides more detail on how AD RMS helps you to secure your content.


AD RMS Components

Key Points
There are a number of components that interact when using AD RMS. It is important to have a clear understanding of each of the components:
• Author. The user or service that generates the rights-protected document.
• AD RMS-enabled applications. Specific applications are enabled for, and can interact with, AD RMS. The author uses them to create and help protect content; recipients use them to read protected content, and the application applies the appropriate rights to it.
• Recipient. The user or service that accesses the rights-protected document.
• AD RMS server. The server that has the AD RMS server role installed. This server is responsible for providing the licenses that control access to content. When the first AD RMS server is installed, an AD RMS root cluster is created. Other AD RMS servers can be added to the cluster.
• Database server. AD RMS requires a database service. This service can be provided by the Windows Internal Database feature deployed on the same server as the AD RMS server, or by Microsoft SQL Server installed on another computer. The database is used to store configuration and other AD RMS related information.
• Active Directory Domain Services. AD DS is used to authenticate both the authors and the recipients so that the appropriate rights are applied to the content.


AD RMS Certificates and Licenses

Key Points
AD RMS uses certificates and licenses to authenticate and authorize users to assign permissions and to view protected content.

Additional Reading
• About Active Directory Rights Management Services
• Active Directory Rights Management Services Overview


How AD RMS Protects Content

Key Points
The AD RMS components interact as described below to generate the rights-protected content.
1. The first time a user tries to rights-protect content using AD RMS, the client application requests a rights account certificate (RAC) and a client licensor certificate (CLC) from the AD RMS server. The RAC identifies the user; the CLC lets the application publish protected content on the user's behalf, even while offline.
2. The author creates content using an AD RMS-enabled application. The author can create the file and then specify user rights. At this time, the publishing license (the policy license) containing the usage policies is generated.
3. The application generates a symmetric content key and encrypts the content with it. The content key is itself encrypted with the AD RMS cluster's public key and stored in the publishing license, so only the cluster can recover it when a recipient later asks for a use license.
4. The rights-protected content, together with its publishing license, can now be sent to the content recipient.


Additional Reading
• Windows Server 2008 Component Posters (download "Windows Server 2008 Active Directory Components.pdf")


How AD RMS Restricts Access to Data

Key Points
The process for consuming the protected content is as follows:
1. The recipient receives the file and opens it using an AD RMS-enabled application or browser. If no rights account certificate (RAC) is stored on the current computer for the recipient, which is the case the first time the user accesses rights-protected content on that computer, the client application requests one and the AD RMS cluster issues it.
2. The application sends a request for a use license to the AD RMS cluster that issued the publishing license. If the file was published offline, the request is sent instead to the cluster that issued the CLC. The request includes both the RAC and the publishing license for the file.
3. The AD RMS cluster confirms or denies that the recipient is authorized. If the user is authorized, the cluster checks for a named user and then creates a use license for the user. The cluster decrypts the content key using the private key of the cluster, re-encrypts the content key with the public key of the recipient (taken from the RAC), and adds the encrypted content key to the use license. This ensures that only the intended recipient can access the file.
4. The AD RMS cluster then sends the generated use license to the recipient's computer.
5. The application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list. The user is then granted access as specified by the content author.


Demonstration: How AD RMS Works

Questions
1. At what point in the demonstration was the policy license created?
2. What would happen in the demonstration if the content consumer did not have any permissions assigned to the content?


Lesson 3

Managing AD RMS

Managing AD RMS includes installing the AD RMS role and creating policies and templates. This lesson provides an overview of installing AD RMS as well as managing the policies and templates that control how AD RMS functions.


AD RMS Server Role Installation Overview

Key Points
Installing the AD RMS role requires completion of some preliminary tasks for the installation to be successful.

Additional Reading
• Windows Server Active Directory Rights Management Services Step-by-Step Guide
• AD RMS Help File: "Installing an AD RMS Cluster"


Demonstration: AD RMS Management Console

Question
When the AD RMS management console is opened on one of the AD RMS servers in the cluster, what will be configured from the console?


What are Exclusion Policies?

Key Points
Exclusion policies can be configured to:
• Exclude specific users from viewing rights-protected content.
• Exclude certain versions of Microsoft Windows®, lockboxes or applications that are known to have compatibility or security issues.


Demonstration: Configuring Exclusion Policies

Questions
1. When might an administrator choose to exclude a specific lockbox version?
2. What customization can be done for the versions of Windows that can be excluded?


What are Rights Policy Templates?

Key Points
Rights policy templates provide a manageable way for organizations to establish different rules for protecting different types of information. For example, an organization might create rights policy templates for their employees that assign separate usage rights and conditions for company confidential, classified, and private data. AD RMS-enabled applications can use these templates, providing a simple, consistent way for workers to apply predefined policies to information.


Demonstration: Configuring Rights Policy Templates

Question
What is the difference between content expiration and use license expiration?


Lab: Exploring Active Directory R Directory Rights Management Services

Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has implemented Windows Server 2008 and is planning on using AD RMS to help provide enhanced content security for emails and documents distributed within the organization. The AD RMS server role has been deployed. Your task is to ensure that AD RMS is working and to ensure that the AD RMS configuration can be modified if required.


Exercise 1: Verifying AD RMS Functionality
In this exercise you will configure three user accounts and a group with e-mail addresses. You will then use one of the user accounts to protect a document that is stored in a shared folder. You will then log on as each of the other user accounts and verify that the restrictions applied to the document are enforced. The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual computer and log on as Administrator.
2. Start the 6424A-NYC-SRV1 virtual computer and log on as Administrator.
3. Start the 6424A-NYC-CL1 virtual computer.
4. Open Active Directory Users and Computers and assign e-mail addresses to Dana Birkby, Manish Gupta, Bjarne Riis and the NYC_MarketingGG global group.
5. Log on as Dana and create and protect a Word document.
6. Log on as Manish and ensure that the Word document has restrictions assigned.
7. Log on as Bjarne and ensure that the Word document has restrictions assigned.

Task 1: Start the 6424A-NYC-DC1 virtual computer and log on as Administrator
• Log on to 6424A-NYC-DC1 as Administrator using the password Pa$$w0rd.

Task 2: Start the 6424A-NYC-SRV1 virtual computer and log on as Administrator
• Log on to 6424A-NYC-SRV1 as Administrator using the password Pa$$w0rd.

Task 3: Start the 6424A-NYC-CL1 virtual computer
• Start the 6424A-NYC-CL1 virtual computer.

Task 4: Open Active Directory Users and Computers and assign e-mail addresses for Dana Birkby, Manish Gupta, Bjarne Riis and the NYC_MarketingGG global group

1. Locate the following users in the Marketing OU inside the NYC OU and assign the indicated e-mail addresses:
   • Dana Birkby: [email protected]
   • Manish Gupta: [email protected]
   • Bjarne Riis: [email protected]
2. Modify the properties of the NYC_MarketingGG group to assign an e-mail address of [email protected].

Task 5: Log on as Dana and create and protect a Word document

1. Log on to 6424A-NYC-SRV1 as Dana using the password Pa$$w0rd.
2. Create a new document with the text "This is a protected document" and save it as C:\Users\Public\Public Documents\Confidential.
3. Protect the document using Restricted Access. Assign Change permission to Manish and Read and Print access to Everyone.
4. Save the document.
5. Close Word.

Task 6: Log on as Manish and ensure that the Office Word document has restrictions assigned

1. Log on to 6424A-NYC-SRV1 as Manish using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\Confidential in Microsoft Office Word 2007.
3. Click View Permission in the Information bar.
4. In the My Permission window, verify that the user you are logged on as has permissions to View, Edit, Copy and Save this document.
5. Close Word and log off.

Task 7: Log on as Bjarne and ensure that the Word document has restrictions assigned

1. Log on to 6424A-NYC-SRV1 as Bjarne using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\Confidential in Word.
3. Click View Permission in the Information bar.
4. In the My Permission window, verify that the user you are logged on as has permissions to View and Print this document.
5. Close Word and log off.

Result: At the end of this exercise, you will have configured three user accounts with e-mail addresses and used one of the user accounts to protect a document that is stored on a shared folder. You will have also verified that the restrictions applied to the document were enforced.

Exercise 2: Customizing the AD RMS Configuration

In this exercise you will modify the AD RMS configuration by configuring an exclusion policy and by creating a custom rights policy template for the Marketing department. You will then verify that these modifications were implemented correctly.

The main tasks are as follows:

1. Create an AD RMS rights policy templates shared folder.
2. Open the Active Directory Rights Management Console and create an additional rights management template called Marketing Projects.
3. Create an exemption to prohibit Recipient 1 from opening content created with the Marketing template.
4. Protect the Word document with the Marketing rights template.
5. Attempt to open the rights-protected Word document with the excluded user.

Task 1: Create an AD RMS rights policy templates shared folder

1. On NYC-SVR1, create a new folder named C:\ADRMSTemplates.
2. Share the folder, granting Modify permission to the ADRMSService account and Read permission to Domain Users.

Task 2: Open Active Directory Rights Management Console and create an additional rights management template called Marketing Projects

1. On NYC-SVR1, enable the export of AD RMS templates using the \\NYC-SVR1\ADRMSTemplates shared folder.
2. Create a rights management template with the following information:
   • Name: Marketing Project
   • Description: Woodgrove Bank Marketing Department
   • Expires after the following duration (days): 14
   • [email protected] should have Edit permissions.
   • The Anyone special group should have View permissions.

Task 3: Create an exemption to prohibit Manish from opening AD RMS protected content

1. Enable User Exclusion.
2. Add [email protected] as an exclusion.

Task 4: Protect an Office Word document with the Marketing rights template

1. Log on to 6424A-NYC-CL1 as Dana using the password Pa$$w0rd.
2. Open the Registry Editor and expand the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
3. Create a new Expandable String Value with the name AdminTemplatePath.
4. Assign the value \\NYC-SVR1\ADRMSTemplates to AdminTemplatePath.
5. Create a new document with the text "This is a Marketing protected document" and save it as C:\Users\Public\Public Documents\MktgConfidential.
6. Protect the content using the Marketing Project template.
7. In the Information bar, click View Permission.
8. Save the document.
9. Log off of NYC-SVR1.

Task 5: Attempt to open the protected Word document with the excluded user

1. Log on to 6424A-NYC-SVR1 as Manish using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\MktgConfidential in Word.
3. Verify that you cannot open this document.

Result: At the end of this exercise, you will have modified the AD RMS configuration by configuring an exclusion policy and by creating a custom rights policy template for the Marketing department. You will have also verified that these modifications were implemented correctly.
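
The licensing decision behind both exercises, as an added example that is not part of the course or of AD RMS itself: a small Python model in which the cluster consults the user exclusion list before the rights policy, so an excluded user cannot open the content at all, while the Marketing Project template's 14-day expiry, the group's Edit right and the Anyone group's View right apply to everyone else. The e-mail addresses, the publication date and the right names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

ANYONE = "ANYONE"      # stands for the Anyone special group in a template
DAY = timedelta(days=1)


@dataclass
class RightsPolicy:
    """Rights an author attached to a document, either from a rights policy
    template (Exercise 2) or chosen ad hoc in Word (Exercise 1). `rights`
    maps a user or group e-mail address (or ANYONE) to a set of rights."""
    name: str
    rights: Dict[str, Set[str]]
    expires_after_days: Optional[int] = None    # None: the content never expires


@dataclass
class Principal:
    email: str
    groups: Set[str] = field(default_factory=set)    # group e-mail addresses


@dataclass
class RmsCluster:
    """The licensing decision an AD RMS cluster makes when a recipient's
    client asks it for a use license."""
    excluded_users: Set[str] = field(default_factory=set)   # user exclusion list

    def use_license(self, policy: RightsPolicy, published: datetime,
                    who: Principal, now: datetime) -> Tuple[str, Set[str]]:
        """Return (status, rights). The exclusion list wins over everything:
        an excluded user is refused a certificate, so it cannot open the
        content at all, whatever the policy would have granted."""
        email = who.email.lower()
        if email in {e.lower() for e in self.excluded_users}:
            return "excluded", set()
        if policy.expires_after_days is not None and \
                now > published + policy.expires_after_days * DAY:
            return "expired", set()
        my_groups = {g.lower() for g in who.groups}
        granted: Set[str] = set()
        for principal, rights in policy.rights.items():
            if principal == ANYONE or principal.lower() == email \
                    or principal.lower() in my_groups:
                granted |= rights
        return ("licensed" if granted else "no-rights"), granted


# Constructed data mirroring the lab; the addresses and the date are placeholders.
MARKETING_GROUP = "nyc_marketinggg@woodgrove.example"
manish = Principal("manish@woodgrove.example", {MARKETING_GROUP})
bjarne = Principal("bjarne@woodgrove.example", {MARKETING_GROUP})
outsider = Principal("guest@fabrikam.example")
PUBLISHED = datetime(2008, 4, 1)

# Exercise 1: Dana's ad hoc Restricted Access policy on the Confidential document
confidential = RightsPolicy("Restricted Access", {
    manish.email: {"View", "Edit", "Copy", "Save"},
    ANYONE: {"View", "Print"},
})
# Exercise 2: the Marketing Project template (Edit for the group, View for Anyone, 14 days)
marketing_project = RightsPolicy("Marketing Project", {
    MARKETING_GROUP: {"View", "Edit"},
    ANYONE: {"View"},
}, expires_after_days=14)

cluster_before = RmsCluster()                                # Exercise 1: nobody excluded
cluster_after = RmsCluster(excluded_users={manish.email})    # Exercise 2, Task 3

if __name__ == "__main__":
    for who in (manish, bjarne, outsider):
        print(who.email, cluster_after.use_license(marketing_project, PUBLISHED, who, PUBLISHED))
    print("after 15 days:", cluster_after.use_license(marketing_project, PUBLISHED, bjarne, PUBLISHED + 15 * DAY))
```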

Module Review and Takeaways

Review Questions

1. When might an administrator choose to exclude a specific user or group?
2. What is the difference between an exclusion list and a revocation list?
3. When is a SQL Server required to be deployed to support AD RMS?
4. When must AD RMS be installed in relation to the configuration of AD FS if it is to be used to access AD RMS content?
5. What is the difference between the online and offline publishing process?

Summary of Active Directory Rights Management Services

An enterprise can benefit in a number of ways from deploying AD RMS. AD RMS can be used to restrict access to an organization's intellectual property, limit the actions that can be taken on content, and limit the risk of content being taken outside of the organization. This functionality is available in various client applications such as Word, Outlook, Excel spreadsheet software and Internet Explorer. From within these AD RMS-enabled applications, AD RMS can restrict the ability to print, e-mail, or modify the content.

AD RMS leverages certificates and licenses to help protect content. The author creates the content and configures the rights that will be given for the content, based on the templates created on the AD RMS cluster. The AD RMS cluster provides the certificates and licensing needed for the client applications to properly rights-protect content. The recipient of the content obtains the appropriate licenses and certificates in order to consume the content.

With AD RMS you can customize the rights policy templates and exclusion policies. The rights policy templates allow for customizing what authors and recipients are allowed to do with protected content. The exclusion policies are for excluding specific users, groups, or lockbox and Windows versions from being able to receive certificates from the AD RMS server. Exclusion policies are helpful when one of these groups needs to be excluded from accessing content due to possible security issues, such as a group already given access that must now be denied access to content.

Module 6: Introduction to Active Directory Federation Services

Contents:

Lesson 1: AD FS Overview    6-3
Lesson 2: AD FS Deployment Scenarios    6-10
Lesson 3: Configuring AD FS Components    6-20
Lab: Exploring Active Directory Federation Services    6-29

Module Overview

In many organizations, online transactions have replaced traditional paper-based transactions as the primary method of doing business. However, securing access to the Web sites that host the online transactions can be difficult. Active Directory® Federation Services (AD FS) provides one solution to this issue. AD FS can be used to provide browser-based clients (internal or external to your network) with seamless, single sign-on access to Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.

Lesson 1

AD FS Overview

An organization can benefit in a number of ways from deploying AD FS. In order to benefit fully from a deployment, you need to understand identity federation and the scenarios supported by AD FS. This lesson describes some of these benefits and the options for deploying AD FS.

What Is Identity Federation?

Key Points

Identity federation is a means by which organizations can enable user access to resources between different organizations or between different server platforms. One of the goals of an identity federation solution is to allow companies to manage their own directories while still securely exchanging authentication and authorization information between organizations.

Example scenario of an identity federation

An identity federation could exist where a sales representative updates an internal forecast by pulling information from a supplier's database that is hosted on the supplier's network.

Responsibilities would be assigned in the following ways:

• The administrator of the domain for the sales representative is responsible for ensuring that the appropriate sales representatives are members of the group needing access to the supplier's database.
• The administrator of the database is responsible for ensuring that the partner's employees only have access to the data they require.

What are the Identity Federation Scenarios?

Key Points

AD FS has been designed to meet the needs of several common scenarios. The main scenarios are as follows.

Federation for business-to-business

This design allows a business to provide single sign-on (SSO) to a Web-based application for a business partner or other business unit that has a separate forest. Users can be authenticated within the partner organization, and use that authentication to gain the right level of access to the Web application.

Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario

In this scenario, organizations might create information portals to provide consolidated information to external users by integrating different back-end systems.

Federation within an organization across multiple Web applications

One organization may have several Web applications running on different servers and located on both the internal and perimeter networks. By using AD FS, you can reduce the number of times a user must log on across Web applications.

Additional reading

• AD FS Help File: Understanding Federation Designs

Benefits of Deploying AD FS

Key Points

Leveraging AD FS in an enterprise benefits both administrators and users in the following ways.

Security and control over authentication

You can implement policies to control which users are allowed to authenticate across the federated trust. This provides more control than an Active Directory forest trust, since with a forest trust all user accounts can authenticate anywhere in either forest, even if they do not have access to resources.

Regulatory compliance

AD FS enables application access for business partners or Internet users, but does so in such a way that both organizations still maintain strict control over all data.

Interoperability with heterogeneous systems

AD FS is based on the Web Services model, which presumes that enterprise systems are written in different languages with different programming models and accessed from many different types of devices. AD FS employs the federation specification of WS-*, called WS-Federation. WS-Federation makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

Works with AD DS or AD LDS

AD FS in Windows Server 2008 can use both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) as its directory.

Extends AD DS to the Internet

AD FS provides an extension of the AD DS infrastructure by extending AD DS to provide access to resources that are offered by trusted partners across the Internet.

Lesson 2

AD FS Deployment Scenarios

As mentioned earlier, AD FS was designed to meet the requirements of various scenarios. This lesson discusses how these scenarios function, as well as the components that make up the scenarios.

What Is a Federation Trust?

Key Points

A federation trust is a relationship created between two organizations within AD FS. This relationship allows for accounts to be authenticated in one organization, and used to access resources in the other organization.

Account Partner

An account partner is the organizational partner in the trust relationship that hosts and manages the user accounts used in the relationship.

Resource Partner

The resource partner physically houses the Web servers that host one or more Web-based applications. The resource partner trusts the account partner to authenticate users. Therefore, when it makes authorization decisions, the resource partner accepts security tokens that are produced by the account partner.

Additional reading

AD FS Help:
• Understanding Federation Trusts
• Understanding AD FS Terminology

What are the AD FS Components?

Key Points

AD FS has six main components that provide the functionality.

Additional reading

AD FS Help:
• Understanding AD FS Terminology
• Understanding AD FS Role Services

How AD FS Provides Identity Federation in a B2B Scenario

Key Points

The AD FS Federated Web business-to-business (B2B) scenario involves secure communication that often spans multiple firewalls, perimeter networks, and name resolution servers, in addition to the entire Internet routing infrastructure.

An example scenario

An online retailer and a manufacturing company could deploy AD FS using a B2B scenario. The online retailer, as the resource partner, would install a Web server with the AD FS Web Agent installed, the resource federation proxy and the resource Federation Service. The manufacturing company, as the account partner, would install and configure an account federation server to use the internal AD DS domain and an account federation proxy, so that the account federation server would not need to be directly exposed to the Internet. The federation trust would then be created from the online retailer to the manufacturer. Once this solution is installed and configured, users at the manufacturer can log on to the retailer's Web site.

Additional reading

AD FS Help:
• Understanding Federation Trusts
• Understanding AD FS Terminology

How AD FS Traffic Flows in a B2B Federation Scenario

Key Points

The following steps describe the flow of communication in a B2B scenario.

1. The employee uses their Web browser to open the application on the Web server using an SSL/TLS session.
2. Since the Web browser does not have a token to present to the Web server, the Web browser is redirected to the default logon URL at the resource Federation Server. The resource Federation Server determines the user's home organization.
3. The Web browser is redirected to the logon page for the Federation Server at the user's home organization (in this case, the account partner Federation Server). The office employee authenticates by using their currently logged-on desktop session credentials through Windows integrated authentication, or by being asked to provide credentials by their Federation Server. The account Federation Service and the Active Directory account information are used to validate the office employee's credentials and obtain attributes for building a Security Assertion Markup Language (SAML) security token. The security token is stored as a cookie in the Web browser.
4. The Web browser is redirected to the Federation Server at the resource partner. The Web browser presents the security token to the resource Federation Server. The Federation Server checks the security token, and then issues a security token that can be used to access the Web server.
5. The Web browser is redirected to the Web server, where it presents the security token issued by the resource Federation Server. The Web server evaluates the security token, and if it is acceptable, creates an authentication token that is written to the browser and then used to access the application.
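
The five steps above as a runnable model, added here and not part of the course or of AD FS: each browser redirect becomes a function call, the SAML tokens become HMAC-signed JSON, and the resource Federation Server applies the default 600-minute token lifetime from the trust policy and the incoming group claim mapping used in this module's lab (ClaimAppMapping to Woodgrove App Claim). The signing keys, the account store contents and the user are constructed; the Federation Service URIs, the UPN suffix and the application URL are the lab's.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenConsumer:
    """Anything that accepts security tokens: a Federation Server or the AD FS Web
    Agent. `partners` is the federation trust: issuer URI -> verification key (an
    HMAC key stands in for the partner's token-signing certificate)."""

    def __init__(self, uri: str):
        self.uri = uri
        self.partners: Dict[str, bytes] = {}

    def accept(self, token: str, now: float) -> Optional[dict]:
        """Claims of a token signed by a trusted partner, addressed to this
        consumer and still within its lifetime; None otherwise."""
        try:
            p64, s64 = token.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
            body = json.loads(payload)
        except ValueError:
            return None
        key = self.partners.get(body.get("iss")) if isinstance(body, dict) else None
        if key is None or not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
            return None
        if body.get("aud") != self.uri or body.get("exp", 0) <= now:
            return None
        return body["claims"]


class FederationServer(TokenConsumer):
    """A Federation Service; the token lifetime defaults to 600 minutes, the AD FS
    trust-policy default (minimum one minute)."""

    def __init__(self, uri: str, signing_key: bytes, token_lifetime_min: int = 600):
        super().__init__(uri)
        self.key = signing_key
        self.lifetime = max(1, token_lifetime_min) * 60
        self.accounts: Dict[str, List[str]] = {}    # account store: UPN -> outgoing group claims
        self.upn_suffixes: Dict[str, str] = {}      # accepted UPN suffix -> account partner URI
        self.claim_map: Dict[str, str] = {}         # incoming group claim -> organization group claim

    def issue(self, claims: dict, audience: str, now: float) -> str:
        body = {"iss": self.uri, "aud": audience, "exp": now + self.lifetime, "claims": claims}
        payload = json.dumps(body, sort_keys=True).encode()
        return _b64(payload) + "." + _b64(hmac.new(self.key, payload, hashlib.sha256).digest())


def b2b_logon(upn: str, account_fs: FederationServer, resource_fs: FederationServer,
              web_app: TokenConsumer, now: float) -> Tuple[List[str], Optional[dict]]:
    """Walk steps 1-5; returns the trace and the claims the Web server accepts (or None)."""
    trace = [f"1. browser opens {web_app.uri} without a token -> redirected to {resource_fs.uri}"]
    # 2. The resource Federation Server determines the home organization from the UPN suffix.
    suffix = upn.rsplit("@", 1)[-1].lower()
    if resource_fs.upn_suffixes.get(suffix) != account_fs.uri:
        trace.append(f"2. UPN suffix '{suffix}' is not accepted: logon refused")
        return trace, None
    trace.append(f"2. home organization is {account_fs.uri} -> redirected there")
    # 3. The account Federation Server authenticates against its account store (Windows
    #    integrated authentication reduced to a lookup) and the token becomes a browser cookie.
    groups = account_fs.accounts.get(upn)
    if groups is None:
        trace.append("3. account Federation Server could not authenticate the user")
        return trace, None
    cookie = account_fs.issue({"upn": upn, "groups": groups}, resource_fs.uri, now)
    trace.append("3. account token issued and stored as a cookie")
    # 4. The resource Federation Server checks that token, maps the incoming group claims
    #    to its organization claims and issues its own token for the Web server.
    claims = resource_fs.accept(cookie, now)
    if claims is None:
        trace.append("4. resource Federation Server rejected the account token")
        return trace, None
    org_groups = [resource_fs.claim_map[g] for g in claims["groups"] if g in resource_fs.claim_map]
    app_token = resource_fs.issue({"upn": claims["upn"], "groups": org_groups}, web_app.uri, now)
    trace.append("4. resource token issued for the Web server")
    # 5. The AD FS Web Agent evaluates the resource token; on success the application
    #    writes its own authentication cookie.
    app_claims = web_app.accept(app_token, now)
    trace.append("5. " + ("authentication cookie written" if app_claims else "resource token rejected"))
    return trace, app_claims


# Constructed sample federation mirroring the lab; the keys are not real secrets.
ACCOUNT_KEY, RESOURCE_KEY = b"woodgrove-token-signing-key", b"contoso-token-signing-key"
account_fs = FederationServer("urn:federation:woodgrove", ACCOUNT_KEY)
account_fs.accounts["dana@woodgrove.com"] = ["ClaimAppMapping"]
resource_fs = FederationServer("urn:federation:contosoinc", RESOURCE_KEY)
resource_fs.partners[account_fs.uri] = ACCOUNT_KEY          # the account partner trust
resource_fs.upn_suffixes["woodgrove.com"] = account_fs.uri  # accepted UPN suffix
resource_fs.claim_map["ClaimAppMapping"] = "Woodgrove App Claim"
web_app = TokenConsumer("https://adfsweb.contoso.com/claimapp/")
web_app.partners[resource_fs.uri] = RESOURCE_KEY            # the Web Agent trusts its Federation Service

if __name__ == "__main__":
    steps, result = b2b_logon("dana@woodgrove.com", account_fs, resource_fs, web_app, now=1_000_000.0)
    print("\n".join(steps), "\nclaims accepted by the application:", result)
```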

Additional reading

• AD FS Help: Understanding Federation Designs

How AD FS Provides Web Single Sign-On

Key Points

In the Web single sign-on scenario, an organization deploys a Web application in a perimeter network. This Web application may need to be available to the following different groups of people:

• Employees who are on the internal network.
• Employees who are outside the office and accessing the application through the Internet.
• Non-employees who are accessing the application from the Internet.

Additional reading

• AD FS Help: Understanding Federation Designs

Integrating AD FS and AD RMS

Key Points

By integrating AD FS with Active Directory Rights Management Services (AD RMS), enterprises can leverage their established federated trust relationships to extend the AD RMS functionality outside the organization. For example, an organization that is planning to deploy AD RMS can set up a federation trust with another organization by using AD FS. The organizations can then leverage this relationship to share rights-protected content across the two organizations without requiring a deployment of AD RMS in both organizations.

Lesson 3

Configuring AD FS Components

The previous lesson discussed the overall design of an AD FS solution and the components that are used to construct the solution. This lesson provides an overview of configuring the AD FS components as well as managing trust policies and Web agents.

AD FS Server Role Implementation Overview

Key Points

In order to implement the Federation Service, Federation Service Proxy and AD FS Web Agent roles, the requirements listed on the slide must be met.

Additional reading

• AD FS Help: Requirements for AD FS

Federation Service Configuration Options

Key Points

To configure the Federation Service or federation server farm you use the AD FS Microsoft Management Console (MMC) snap-in, which is installed when you install the Federation Service server role. You can also use the snap-in to manage the trust policy that is associated with your Federation Service.

Additional reading

• AD FS Help: Add a resource partner

What are AD FS Trust Policies?

Key Points

Trust policies are the configuration settings that define the federated trust and how the federated trust works. When configuring the resource partner trust policy, you need to configure the following options:

• Token Lifetime. This defines how long a Security Assertion Markup Language (SAML) token will stay valid. The default value is 600 minutes (10 hours); the minimum value is one minute.
• Federation Service URI. This is a case-sensitive string that uniquely identifies a Federation Service. This URI also identifies the federation server farm membership of the federation server.
• Federation Service endpoint URL. This is the single location, or "public URL," that is used to contact all federation servers in a server farm.
• Use Windows trust relationship for this partner. This option is used when an Active Directory forest trust is in place and should be used.

When configuring the account partner trust policy, configure the same options as above plus the following:

• Location for a certificate to verify the resource partner. This is the location on the file system where the certificate is stored. This certificate is used to verify that the resource partner is valid.
• How resource accounts are created.

Demonstration: Configuring the Federation Services for an Account Partner

Questions

1. What types of account stores can be defined to an account partner?
2. When using multiple account stores, how would you configure a specific store to be queried as the primary source and the other account stores to be used only if the first one does not return a positive result?

AD FS Web Proxy Agent Configuration Options

Key Points

The AD FS Web Agent consumes security tokens and then either allows or denies a user access to a Web application. Authorization to use the Web application requires a relationship between the AD FS Web Agent and a resource Federation Service, so that it can direct the user to the Federation Service as needed. Once the Web server is properly configured with the prerequisite applications and certificates, the AD FS Web Agent role services can be installed. You can install the Web agents by installing the AD FS server role and choosing to install either the claims-aware agent or the Windows token-based agent.

Additional reading

• Claims-aware Applications
• Windows NT token-based applications

Demonstration: Configuring the Web Proxy Agent

Question: After configuring the Web Proxy Agent in IIS Manager, what else needs to be done to allow the application to use AD FS?

What are AD FS Claims?

Key Points

An AD FS claim is a statement made about a user that is understood by both partners in an AD FS federation scenario. This statement may be, for example, the name, identity, group membership, privilege, or capability of the user, and is provided for authorization purposes in an application. The claims are transferred between federation partners to properly authenticate and authorize users.

Lab: Exploring Active Directory Federation Services

Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has established a strategic partnership with Contoso Inc. Users at Woodgrove Bank must be able to access an application located at Contoso Inc. For security reasons, the organizations cannot implement a trust between the company domains. The organizations have decided to deploy AD FS to provide the required access to the application. You must configure the AD FS servers at Woodgrove Bank to enable access to the application. Administrators at Contoso Inc. will be responsible for configuring their servers.

Exercise 1: Implementing the AD FS Components (Discussion)

This is a discussion-based lab exercise. In this exercise, you will be provided with a network diagram. During the discussion, you will add labels to the diagram to describe where each of the AD FS components must be deployed. You will also add some basic configuration information for each component to the diagram.

Task 1: Identify each organization on the network diagram below. Which organization will be the account partner and which organization will be the resource partner?

Task 2: Identify the following components on the network diagram:

• Account Federation Server
• AD FS-enabled Web Server
• Resource Federation Server
• AD DS

Task 3: Identify the direction of the federation trust

Result: At the end of this exercise, you will have made decisions on the placement of AD FS components. You will have also determined some basic configuration information for each component.

Exercise 2: Configuring the AD FS Resource Partner Organization

In this exercise you will configure the AD FS components for the resource partner. The main tasks are as follows:

• Start 6424A-NYC-SRV1 and 6424A-RED-SRV1 and then log on as Administrator using the password Pa$$w0rd.
• On RED-SRV1, configure the trust policy for the Federation Service in Contoso Inc.
• Create a group claim named Woodgrove App Claim for the claims-aware application.
• Add and enable an AD DS account store.
• Add, enable and configure a claims-aware application.
• Add, enable and configure an account partner.
• Create an incoming group claim named ClaimAppMapping with the Woodgrove App Claim as the organization group claim for the claims-aware application.

Task 1: Start 6424A-NYC-SRV1 and 6424A-RED-SRV1 and then log on as Administrator using the password Pa$$w0rd

1. Start 6424A-NYC-SRV1.
2. Start 6424A-RED-SRV1 and log on as Administrator using the password Pa$$w0rd.

Task 2: On RED-SRV1, configure the trust policy for the Federation Service in Contoso Inc

• Display name: Contoso Inc
• Federation Service URI: urn:federation:contosoinc
• Federation Service endpoint: https://adfsresource.contoso.com/adfs/ls/

Task 3: Create a group claim named Woodgrove App Claim for the claims-aware application

Task 4: Add and enable an AD DS account store

Task 5: Add, enable and configure a claims-aware application

• Display name: Claims-aware Application
• Application URL: https://adfsweb.contoso.com/claimapp/
• Accepted identity claims: User principal name (UPN)

Task 6: Add, enable and configure an account partner

• Display name: Woodgrove
• Federation Service URI: urn:federation:woodgrove
• Federation Service endpoint URL: https://adfsaccount.woodgrove.com/adfs/ls/
• Account partner verification certificate: C:\certificates\Woodgrove.cer, exported from the Woodgrove federation servers
• Federation scenario: Federated Web SSO
• Account partner identity claims: UPN Claim
• Accepted UPN suffixes: woodgrove.com

Task 7: Create an incoming group claim named ClaimAppMapping with the Woodgrove App Claim as the organization group claim for the claims-aware application

Result: At the end of this exercise, you will have configured the AD FS components for the resource partner.

Module Review and Takeaways

Review Questions

1. After defining a Web application in the AD FS Management tool, what else must be done to have the application begin to authenticate AD FS tokens?
2. Where are certificates used in an AD FS deployment?
3. Why would a Federation Service Proxy role server be needed?
4. Can the Web Proxy agent be installed on an older version of Windows Server?

Summary of Active Directory Federation Services

The AD FS server role can be used to create a highly extensible, Internet-scalable, and secured identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. It can be used to provide browser-based clients (internal or external to your network) with seamless, single sign-on access to one or more protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.

Several standard scenarios are addressed with AD FS. Federation for B2B allows a business to provide single sign-on (SSO) for a business partner or other business unit that has a separate domain. Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario allows a business that has a perimeter network domain to provide authentication for internal user accounts. The last scenario is federation within an organization across multiple Web applications.

Module 7: Creating Active Directory Domain Services User and Computer Objects

Contents:

Lesson 1: Managing User Accounts    7-3
Lesson 2: Creating Computer Accounts    7-12
Lesson 3: Using Queries to Locate Objects in Active Directory    7-19
Lab: Creating AD DS User and Computer Accounts    7-25

Module Overview

One of your functions as an Active Directory® Domain Services (AD DS) administrator is to manage user and computer accounts. These accounts are AD DS objects that individuals use to log on to the network and access resources. In this module, you will learn about modifying user and computer accounts on computers running the Windows Server® 2008 operating system in a networked environment.

Lesson 1: Managing User Accounts

In AD DS for Windows Server 2008, all users that require access to network resources must be configured with a user account. With this user account, users can be authenticated to the AD DS domain and granted access to network resources. As the AD DS administrator, you will need to know how to create and configure user accounts.


What Is a User Account?

Key Points

A user account is an object that contains all of the information that defines a user in Windows Server 2008. The account can be either a local or a domain account. A user account includes the user name and password as well as group memberships.

Usage

With a user account, you can:
• Allow users to log on to a computer based on their user account identity.
• Grant users access to processes and services for a specific security context.
• Manage users' access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.


Names Associated with Domain User Accounts

Key Points

When creating a user account, an administrator types a user logon name. User logon names must be unique in the domain in which the user account is created.

Names generated by Active Directory

When a user account is created using Active Directory Users and Computers, AD DS also creates:
• An LDAP distinguished name
• An LDAP relative distinguished name
• A security identifier (SID) and a globally unique identifier (GUID)

Additional reading
• Object Names


User Account Password Options

Key Points

As a systems administrator, you can manage user account password options. These options can be set when the user account is created or in the Properties dialog box of a user account.

Additional reading
• Microsoft Windows Server 2008 Help


Tools for Configuring User Accounts

Key Points

A number of tools are available for creating and managing user accounts, including command-line and batch utilities. The most common tools for managing user and group accounts are Active Directory Users and Computers for managing domain accounts and User Accounts for managing local accounts on computers running the Windows Server 2008 or Windows Vista® operating system.

Additional reading
• Local accounts
• Dsadd


Demonstration: Configuring User Accounts

Question

When would you use a tool like DSAdd to create user accounts?

Additional reading
• Dsadd


Demonstration: Renaming a User Account

Questions
1. Why are you prompted to change the additional names when you change the user name?
2. Why would you rename a user name in AD DS when a user changes their name rather than deleting the account and creating a new account with the new name?

Additional reading
• Rename a User Account


What Is a User Account Template?

Key Points

A user account template is an account that has commonly used settings and properties already configured. You can use user account templates to simplify the process of creating domain user accounts.

Additional reading
• Copying User Accounts


Demonstration: Creating and Using a User Account Template

Questions
1. Why are some fields not populated when you create a new user from a template?
2. How could you make a template account easy to find in AD DS?


Lesson 2: Creating Computer Accounts

In AD DS, computers are security principals, just like users. This means that computers must have accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and the user must also log on to the domain from a computer that has a valid computer account. All computers running Microsoft Windows NT or later operating systems must have computer accounts in AD DS.


What Is a Computer Account?

Key Points

Computers access network resources to perform key tasks such as authenticating user logon, obtaining an IP address, and receiving security policies. To have full access to these network resources, computers must have valid accounts in AD DS. The two main functions of a computer account are performing security and management activities.

Additional reading
• Manage computers


Options for Creating Computer Accounts

Key Points

You can create computer accounts in AD DS by joining the computer to the domain, or by pre-staging computer accounts before joining the computer to the domain. Both administrators and users can join computers to the domain.

Adding computers to an AD DS domain

If a computer is joined to a domain, the computer account is created in the Computers container by default. In most organizations, administrators will move the computer accounts to department-specific OUs so that specific software and operating system configurations can be applied to the computers.


Pre-staging computer accounts

You can ensure that computer accounts are configured in the right AD DS container by pre-staging computer accounts. When you pre-stage a computer account, you create the computer in the domain before joining the computer to the domain. Organizations pre-stage computer accounts in order to automate the operating system and application installation by using tools such as Windows Deployment Services.

Additional reading
• Join a computer to a domain
• Manage computers


Managing Computer Accounts

Key Points

The most commonly used properties for computer accounts in AD DS are the Location and Managed By properties. To maintain computers, you must find the physical location of the computers.
• The Location property can be used to document the computer's physical location in your network.
• The Managed By property lists the individual responsible for the computer. This information can be useful when you have a data center with servers for different departments and you need to perform maintenance on the server. You can call or send e-mail to the person who is responsible for the server before you perform maintenance on the server.
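The pre-staging and property-setting steps above, as an added example that is not part of the course: the script pre-stages computer accounts in a department OU, recording Location and Managed By as it goes, rather than letting the domain join create them in the Computers container. It assumes the ActiveDirectory PowerShell module (supplied with RSAT on Windows Server 2008 R2 and later, not part of the Windows Server 2008 release this course covers); the OU path, the inventory rows and the manager name are constructed for this example.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module and a
# domain reachable as WoodgroveBank.com; all names below are constructed.
Import-Module ActiveDirectory

# Constructed inventory: one row per workstation that will be joined later.
# The third name is deliberately too long to show the validation path.
$inventory = @'
Name,Location,ManagedBy
NYC-WS-001,New York Main Office / Floor 3,Doris Krieger
NYC-WS-002,New York Main Office / Floor 3,Doris Krieger
NYC-WS-003-TOO-LONG,New York Main Office / Floor 4,Doris Krieger
'@ | ConvertFrom-Csv

$targetOu = 'OU=Workstations,OU=NYC,DC=WoodgroveBank,DC=com'   # constructed OU

function New-PrestagedComputer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [string]$Location,
        [string]$ManagedBy
    )
    # A computer account's sAMAccountName is its NetBIOS name plus '$', and a
    # NetBIOS name is at most 15 characters; reject longer names up front.
    if ($Name.Length -gt 15) {
        throw "'$Name' exceeds the 15-character NetBIOS name limit"
    }
    # Computer names must be unique in the domain; fail clearly instead of
    # letting New-ADComputer report a generic error.
    if (Get-ADComputer -Filter "Name -eq '$Name'") {
        throw "Computer account '$Name' already exists"
    }

    $params = @{
        Name           = $Name
        SamAccountName = "$Name`$"
        Path           = $Path
        Enabled        = $true
        PassThru       = $true
    }
    if ($Location) { $params.Location = $Location }
    if ($ManagedBy) {
        # Managed By stores a distinguished name; resolve the display name and
        # refuse ambiguous matches rather than guessing.
        $manager = @(Get-ADUser -Filter "Name -eq '$ManagedBy'")
        if ($manager.Count -ne 1) {
            throw "Manager '$ManagedBy' not found or not unique"
        }
        $params.ManagedBy = $manager[0].DistinguishedName
    }
    New-ADComputer @params
}

foreach ($row in $inventory) {
    try {
        $computer = New-PrestagedComputer -Name $row.Name -Path $targetOu `
                        -Location $row.Location -ManagedBy $row.ManagedBy
        "Pre-staged $($computer.Name) in $targetOu"
    } catch {
        Write-Warning "Skipped $($row.Name): $_"
    }
}

# Confirm what was written: these are the values shown on the Location and
# Managed By tabs of the computer object in Active Directory Users and Computers.
Get-ADComputer -SearchBase $targetOu -Filter * -Properties Location,ManagedBy |
    Select-Object Name, Location, ManagedBy
```

Which principals are allowed to join each pre-staged account (the option the lab sets so that a named user can join Vista1) is a separate setting on the computer object that this script does not touch.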


Additional reading
• Manage computers
• Computer Policies


Demonstration: Configuring Computer Accounts

Questions
1. A user is taking a two-month leave from work. No one else will be using the user's computer, and you want to ensure that no one can log on to the computer while she is gone. However, you want to minimize the amount of effort required for the user to start using the computer when she comes back. How should you configure the computer account?
2. You are pre-staging 100 computer accounts for workstations that will be added to the domain over the next few weeks. You want to ensure that only members of the desktop support team can add the computers to the domain. What should you do?


Lesson 3: Using Queries to Locate Objects in Active Directory

Some large organizations have thousands of user accounts in an AD DS domain. Even if these accounts are grouped into different OUs, it can still take some time to find a specific user in the domain. Windows Server 2008 provides several features in Active Directory Users and Computers that make it easier to locate these users.


Options for Locating Objects in Active Directory

Key Points

There are several options available in the Windows Server 2008 administration tools that can increase the efficiency of looking for user accounts in domains with many users.

To sort the order of objects in Active Directory Users and Computers
1. View the user accounts in their container in Active Directory Users and Computers.
2. Click any of the column headings to sort the order of the objects (either ascending or descending).

You can also add more columns to the display and then sort the display based on the additional column.


To search for objects in Active Directory Users and Computers

Active Directory provides information about all objects on a network, including people, groups, computers, printers, shared folders, and OUs. It is easy to search for users, contacts, and groups by using the Find Users, Contacts, and Groups dialog box.

Using a command line

You can use the dsquery command to find users and computers in AD DS that match the specified search criteria.

Additional reading
• Search Active Directory


Demonstration: Searching Active Directory

Questions
1. You need to update the phone number for a user. You have only been given the user's first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account?
2. You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this?


What Is a Saved Query?

Key Points

Active Directory Users and Computers has a Saved Queries folder in which you can create, edit, save, and organize saved queries. Saved queries use predefined LDAP strings to search only the specified domain partition, allowing you to focus searches on a single container object. You can also create a customized saved query that contains an LDAP search filter.

Additional reading
• Active Directory Users and Computers Help section
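The LDAP search filters that a saved query stores, run from Windows PowerShell, as an added example that is not part of the course: one filter matches users whose department starts with a given prefix (the shape the lab's Find_Investment_Users query needs), the other matches accounts that look inactive, and both can be scoped to a single container the way a saved query is. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 and later); the domain and OU names are the lab's, and the function names are this example's own.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module and a
# domain reachable as WoodgroveBank.com.
Import-Module ActiveDirectory

# Escape the characters that have meaning inside an LDAP filter value, so a
# prefix taken from user input cannot change the structure of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
}

# "All users whose department attribute starts with <prefix>": the same filter
# a saved query built from the Department field in the Find dialog would use.
function Get-DepartmentFilter {
    param([Parameter(Mandatory)][string]$Prefix)
    $escaped = ConvertTo-LdapFilterValue $Prefix
    "(&(objectCategory=person)(objectClass=user)(department=$escaped*))"
}

# Accounts that look inactive: disabled (bit 2 of userAccountControl, tested
# with the LDAP_MATCHING_RULE_BIT_AND rule, OID 1.2.840.113556.1.4.803), or
# not logged on for $Days days according to lastLogonTimestamp, or never
# logged on at all. lastLogonTimestamp is replicated but only updated about
# every 14 days, so treat the result as a candidate list, not proof.
function Get-InactiveUserFilter {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
    "(&(objectCategory=person)(objectClass=user)" +
    "(|(userAccountControl:1.2.840.113556.1.4.803:=2)" +
    "(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"
}

# Run a filter against one container (or the whole domain by default), the
# way a saved query is bound to a particular query root.
function Find-Users {
    param(
        [Parameter(Mandatory)][string]$LdapFilter,
        [string]$SearchBase = 'DC=WoodgroveBank,DC=com'
    )
    Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree `
               -Properties department,lastLogonTimestamp |
        Select-Object SamAccountName, Department, Enabled,
            @{ n = 'LastLogon'; e = {
                if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) }
                else { 'never' } } }
}

# Every user in any Investments department, domain-wide.
Find-Users -LdapFilter (Get-DepartmentFilter -Prefix 'Investments')

# Inactive-looking accounts, restricted to the New York OU only.
Find-Users -LdapFilter (Get-InactiveUserFilter -Days 90) `
           -SearchBase 'OU=NYC,DC=WoodgroveBank,DC=com'
```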


Demonstration: Using a Saved Query

Question

You need to find all user accounts in your AD DS domain that are no longer active. How would you do this?


Lab: Creating AD DS User and Computer Accounts

Scenario

Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS for Windows Server 2008. As one of the network administrators, one of your primary tasks will be to create and manage user and computer accounts.


Exercise 1: Creating and Configuring User Accounts

In this exercise you will create and configure user accounts. You will create a template and a user account based on the template. Lastly, you will create a saved query and verify its ability to return expected search results.

The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual computer and log on as Administrator.
2. Start the 6424A-NYC-CL1 virtual computer.
3. Create a new user account.
4. Modify Kerim Hanif's user account properties.
5. Create a template for the New York Customer Service department.
6. Create a new user account based on the customer service template.
7. Modify the user account properties for all customer service representatives in New York.
8. Modify the user account properties for all Branch Managers.
9. Create a saved query to find all investment users.

Task 1: Start the 6424A-NYC-DC1 virtual computer and log on as Administrator
• Start 6424A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.

Task 2: Start the 6424A-NYC-CL1 virtual computer
• Start 6424A-NYC-CL1. Do not log on.


Task 3: Create a new user account
1. On NYC-DC1, open Active Directory Users and Computers.
2. In the ITAdmins OU, create a new user with the following parameters:
   • First name: Kerim
   • Last name: Hanif
   • Full name: Kerim Hanif
   • User logon name: Kerim
   • Password: Pa$$w0rd
3. On NYC-CL1, verify that you can log on as Kerim, with a password of Pa$$w0rd. When prompted, change the password to Pa$$w0rd1.
4. Log off from DEN-CL1.

Task 4: Modify Kerim Hanif's user account properties
1. Modify the user account properties for Kerim Hanif's account as follows:
   • Telephone number: 204-555-0100
   • Office: Downtown
   • E-mail: [email protected]
   • Remote Access Permission: Allow access
   • Logon Hours: 8:00 A.M. to 5:00 P.M.
2. Add Kerim to the ITAdmins_WoodgroveGG group.


Task 5: Create a template for the New York Customer Service department
• In the CustomerService OU, create and configure a user account with the property settings in the following table:

  Property           Value
  First name         CustomerService
  Last name          Template
  Full name          CustomerService Template
  User logon name    _CustomerServiceTemplate
  Password           Pa$$w0rd
  Description        Customer Service Representative
  Office             New York Main Office
  Member Of          NYC_CustomerServiceGG
  Department         Customer Service
  Logon Hours        6:00 A.M. – 6:00 P.M., Monday to Friday

• Disable the account.


Task 6: Create a new user account based on the customer service template
1. Copy the CustomerService Template and create a new user with the following parameters:
   • First Name: Sunil
   • Last Name: Koduri
   • User Logon Name: Sunil
   • Password: Pa$$w0rd
2. Enable the account.
3. What values did not transfer from the template?

Task 7: Modify the user account properties for all customer service representatives in New York
1. In the CustomerService OU under the NYC OU, select all user accounts.
2. Right-click the highlighted user accounts and click Properties.
3. Fill in the following information:
   • Description: Customer Service Representative
   • Office: New York Main Office
   • Department: Customer Service
4. View the properties of one of the user accounts in the OU to confirm that the Description, Office, and Department attributes have been updated.

Task 8: Modify the user account properties for all Branch Managers
1. In Active Directory Users and Computers, search the WoodgroveBank.com domain.
2. Use an advanced search to find all user accounts that have a job title of Branch Manager.
3. Select all of the user accounts located by the search, and add them to the BranchManagersGG group.


Task 9: Create a saved query to find all investment users
1. In Active Directory Users and Computers, create a new saved query named Find_Investment_Users that will search for all users with a department attribute that starts with Investments.
2. Verify that the query displays all the users in the Investment departments in each city.

Result: At the end of this exercise, you will have created and configured user accounts, created a template and a user account based on the template, and created a saved query and verified its ability to return expected search results.


Exercise 2: Creating and Configuring Computer Accounts

In this exercise you will create and configure computer accounts, delete a computer account, and join a computer to an AD DS domain.

The main tasks are as follows:
1. Create a computer account by using Active Directory Users and Computers.
2. Delete a computer account in AD DS.
3. Join a computer to an AD DS domain.

Task 1: Create a computer account by using Active Directory Users and Computers
1. On NYC-DC1, in Active Directory Users and Computers, create a new computer account named Vista1 in the Computers container.
2. Configure the computer account settings so that Doris Krieger can join the computer to the domain.

Task 2: Delete a computer account in AD DS
1. In Active Directory Users and Computers, delete the NYC-CL1 computer account.
2. On NYC-CL1, attempt to log on as Axel with a password of Pa$$w0rd.

Task 3: Join a computer to an AD DS domain
1. On NYC-CL1, log on as a local Administrator with a password of Pa$$w0rd.
2. Access the System control panel, and click Change settings.
3. Change the computer name to NYC-CL2 and configure the computer to be a member of a workgroup called WORKGROUP.
4. Restart the computer.
5. After the computer restarts, log on as Administrator with a password of Pa$$w0rd.


6. Access the System control panel, and click Change settings.
7. Configure the computer to be a member of the WoodgroveBank.com domain.
8. Use the administrator credentials to join the computer to the domain.
9. Restart the computer.
10. On NYC-DC1, in Active Directory Users and Computers, verify that the NYC-CL2 account was added to the domain.
11. On NYC-CL1, verify that you can log on as WoodgroveBank\Axel with a password of Pa$$w0rd.

Result: At the end of this exercise, you will have created and configured computer accounts, deleted a computer account and joined a computer to an AD DS domain.


Module Review and Takeaways

Review Questions
1. You are responsible for managing accounts and access to resources for members of your group. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous user's account?
2. A user in your group must create a test lab with 24 computers that will be joined to the domain, but the accounts must be created in a separate OU. What is the best way to do this?
3. You are responsible for maintaining the servers in your organization. You want to enable other administrators in the organization to determine the physical location of each server without adding any additional administrative tasks or creating any additional documents. How can you do this?


4. To accelerate the process of creating new accounts when new employees enter your group, you create a series of account templates that you use to create new user accounts and groups. You are notified that a user with an account that was created by using one of the non-manager account templates has been accessing files that are restricted to the Managers group. What should you do?
5. You are responsible for managing computer accounts for your group. A user reports that they cannot log on to the domain from a specific computer but can log on from other computers. What should you do?
6. You have determined the best ways to search for Active Directory objects and documented your recommended search criteria. However, the administrators tell you that it is taking too long to create and then run the search. After further research, you determine that most of the systems administrators are searching for the same information. What can you do to accelerate the search process?

Considerations for Managing AD DS User and Computer Accounts

When managing AD DS user and computer accounts, consider the following:
• If your organization typically creates large numbers of user accounts at the same time, explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate the process of creating the accounts. These tools can save a great deal of time when adding or modifying multiple accounts.
• Consider delegating permissions to create and manage user accounts in your AD DS domain. You can delegate permissions at the domain or OU level.
• At a minimum, you should retain the password complexity requirements in a Windows Server 2008 domain. Complex passwords are more difficult for users to remember, but they are also the most important first step in maintaining AD DS security.
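The Windows PowerShell route mentioned in the first consideration, combined with the user account template from Lesson 1, as an added example that is not part of the course: the script creates the lab's customer service template once, then bulk-creates accounts from CSV rows by copying the template. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 and later); the OU, group and template names are the lab's, the CSV rows and the function name are constructed for this example.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module and a
# domain reachable as WoodgroveBank.com.
Import-Module ActiveDirectory

$ou    = 'OU=CustomerService,OU=NYC,DC=WoodgroveBank,DC=com'   # lab OU
$group = 'NYC_CustomerServiceGG'                               # lab group

# The template: commonly used settings configured once, and the account left
# disabled so it can never be used to log on. The leading underscore sorts it
# to the top of the container in Active Directory Users and Computers.
$templateName = '_CustomerServiceTemplate'
if (-not (Get-ADUser -Filter "SamAccountName -eq '$templateName'")) {
    New-ADUser -Name 'CustomerService Template' -SamAccountName $templateName `
        -Path $ou -Description 'Customer Service Representative' `
        -Office 'New York Main Office' -Department 'Customer Service' `
        -Enabled $false
    Add-ADGroupMember -Identity $group -Members $templateName
}

# Attributes to carry over. Get-ADUser returns only a default set, so the ones
# to copy must be requested explicitly. Group membership (memberOf) is a
# back-link and is not copied by -Instance; it is added separately below.
$copied   = 'Description','Office','Department','Company'
$template = Get-ADUser -Identity $templateName -Properties $copied

# Constructed input; a real import would read an HR export with Import-Csv.
$newHires = @'
GivenName,Surname,SamAccountName
Sunil,Koduri,Sunil
Maria,Cardoso,MariaC
'@ | ConvertFrom-Csv

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)]$Row,
        [Parameter(Mandatory)]$Template,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.SecureString]$InitialPassword
    )
    # Logon names must be unique in the domain; check before creating.
    if (Get-ADUser -Filter "SamAccountName -eq '$($Row.SamAccountName)'") {
        throw "Logon name '$($Row.SamAccountName)' is already in use"
    }
    $name = "$($Row.GivenName) $($Row.Surname)"
    # -Instance copies the template's attribute values; the identity fields and
    # the enabled state are then set explicitly for the new user.
    New-ADUser -Instance $Template -Name $name -DisplayName $name `
        -GivenName $Row.GivenName -Surname $Row.Surname `
        -SamAccountName $Row.SamAccountName `
        -UserPrincipalName "$($Row.SamAccountName)@WoodgroveBank.com" `
        -Path $Path -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru
}

# The one-time initial password is prompted for, never embedded in the script,
# and every new user must change it at first logon.
$initial = Read-Host -AsSecureString 'Initial password for the new accounts'

foreach ($row in $newHires) {
    try {
        $user = New-UserFromTemplate -Row $row -Template $template `
                    -Path $ou -InitialPassword $initial
        Add-ADGroupMember -Identity $group -Members $user
        "Created $($user.SamAccountName) from $templateName"
    } catch {
        Write-Warning "Skipped $($row.SamAccountName): $_"
    }
}
```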


Module 8: Creating Active Directory Domain Services Groups and Organizational Units

Contents:
Lesson 1: Introduction to AD DS Groups 8-3
Lesson 2: Managing Group Accounts 8-15
Lesson 3: Creating OUs 8-21
Lab: Creating an OU Infrastructure 8-28


Module Overview

One of the primary functions of a directory service like Active Directory® Domain Services (AD DS) is to provide authorization for access to network resources. Ultimately, all of this access to network resources is based on the individual user accounts. However, in most cases, you do not want to administer access to resources by using individual user accounts. In a large company this would result in a great deal of administrative effort. Because managing access to network resources using individual user accounts is unmanageable, you will need to learn to create group objects to manage large collections of users at one time. Another option for organizing collections of users is to create organizational units (OUs). You use an OU to group and organize objects for administrative purposes, such as delegating administrative rights and assigning policies to a collection of objects as a single unit.


Lesson 1: Introduction to AD DS Groups

A group is a collection of user or computer accounts. You use groups to efficiently manage access to domain resources, which helps simplify network maintenance and administration. You can use groups separately, or you can place one group within another to further simplify administration. This lesson describes how to use and configure groups.


What Are Groups?

Key Points

Groups are a logical collection of similar objects (users, computers, or other groups) in AD DS. Groups can be organized by department, location, or resource. An important tool for simplifying administration, groups enable you to assign permissions for resources to multiple users or computers simultaneously, rather than on an individual basis.

Additional reading
• Active Directory Users and Computers Help: Understanding Group Accounts


What Are Global Groups?

Key Points

A global group is a security or distribution group that can contain users, groups, and computers that are from the same domain as the global group. You can use global security groups to assign user rights, delegate authority to AD DS objects, or assign permissions to resources in any domain in the forest or any other trusting domain in another forest.

Additional reading
• Group Scope
• Active Directory Users and Computers Help: Understanding Group Accounts


What Are Universal Groups?

Key Points

A universal group is a security or distribution group that can contain users, groups, and computers from any domain in its forest. You can use universal security groups to assign user rights and permissions to resources in any domain in the forest.

Additional reading
• Group Scope
• Active Directory Users and Computers Help: Understanding Group Accounts


What Are Domain Local Groups?

Key Points

A domain local group is a security or distribution group that can contain user accounts from the local domain, any domain in the forest, or any trusted domain. Domain local groups can also contain universal groups or global groups from any domain in the forest or any trusted domain, and domain local groups from the local domain. Groups with domain local scope help you define and manage access to resources within a single domain.

Additional reading
• Group Scope
• Active Directory Users and Computers Help: Understanding Group Accounts


What Are Local Groups?

Key Points

A local group is a collection of user accounts or domain groups created on a member server of an AD DS domain or a stand-alone server. You can create local groups to grant permissions for resources residing on the local computer. Local groups can contain local or domain user accounts, computers, global groups, and universal groups.

Local groups cannot be created on domain controllers

You cannot create local groups on AD DS domain controllers. Domain controllers do not have local users and groups, as the only security database located on a domain controller is the AD DS database.

Additional reading
• Understanding Local Users and Groups


Discussion: Identifying Group Usage

Questions

For each scenario, determine the type and scope of groups that need to be created.

Scenario 1: A. Datum is a large company with locations in five different cities in Canada. A. Datum has deployed a single Active Directory domain with five sites. The HR personnel in each office manage the HR responsibilities for that office, but all HR personnel must be able to access a shared folder at the company main office. All HR personnel should be able to change files in the HR shared folder, but only HR managers should be able to modify files in the HRPolicies folder located in the HR folder.

Scenario 2: Tailspin Toys has two domains, one for the US and one for Europe. Both domains are in the same forest. In each domain, a group of administrators provides help desk support. The help desk support personnel for each domain must have local administrator permissions on all client computers in the domain. Also, all help desk personnel must be able to access a Help Desk Web site located in the Europe domain.


Scenario 3: Trey Research has deployed a single domain. The company has three locations. Sales personnel frequently travel outside the company offices and must be able to access an internal Web site as well as shared folders on servers located in any of the three locations inside the company. Sales personnel use a VPN to get access to the network. Membership of the Sales group changes frequently.

Scenario 4: A School of Fine Art has a single domain in one location. The school wants to ensure that students using the learning lab computers can print only to the lab's printer, and not to the office printer.

Additional reading
• Active Directory Users and Computers Help: Understanding Group Accounts


What Is Group Nesting?

Key Points

When using nesting, you add a group as a member of another group. You can use nesting to consolidate group management. Nesting increases the member accounts that are affected by a single action and reduces replication traffic caused by the replication of changes in group membership.


Discussion: Strategies for Nesting AD DS Groups

Questions

Extend the previous discussion to consider the option of nesting groups. How would the group configuration change if group nesting were used for each scenario below?

Scenario 1: A. Datum is a large company with locations in five different cities in Canada. A. Datum has deployed a single Active Directory domain with five sites. The HR personnel in each office manage the HR responsibilities for that office, but all HR personnel must be able to access a shared folder at the company main office. All HR personnel should be able to change files in the HR shared folder, but only HR managers should be able to modify files in the HRPolicies folder located in the HR folder. How can nested groups be used to simplify management?


Scenario 2: Tailspin Toys has two domains, one for the US and one for Europe. Both domains are in the same forest. In each domain, a group of administrators provides help desk support. The help desk support personnel for each domain must have local administrator permissions on all client computers in the domain. As well, all help desk personnel must be able to access a Help Desk Web site located in the Europe domain.

Scenario 3: Trey Research has deployed a single domain. The company has three locations. Sales personnel frequently travel outside the company offices and must be able to access an internal Web site as well as shared folders on servers located in any of the three locations inside the company. Sales personnel use a VPN to get access to the network. Membership of the Sales group changes frequently. Members of the Marketing and Finance departments need access to the same shared folders as the Sales personnel.


AD DS Groups Review

Review questions
1. Why should you use a global group rather than a domain local group for the users of a sales department in a multi-domain company?
2. How could you provide members of a Sales department that travel frequently between domains in a multi-city company with access to printers on various domains, which are managed with domain local groups?


Lesson 2: Managing Group Accounts

As an AD DS administrator, you will spend much of your time creating and administering groups. The administration tasks could include choosing group names, creating groups and adding members to groups. This lesson describes how to perform these tasks.


Considerations for Naming Groups

Key Points

A large organization might have many security and distribution groups. A standardized naming convention can help you locate and identify groups more easily. Keeping names concise and including departmental, geographic, or project names in them are both helpful ways to make groups easier to identify.


Demonstration: Creating Groups

Questions

1. Your organization requires a group that can be used to send e-mail to users in multiple domains. The group will not be used to assign permissions. What type of group should you create?

2. What would be some suitable names for the global group that contains Woodgrove Bank’s Toronto-based marketing group?

Additional reading

• Active Directory Users and Computers Help: Create a New Group


Demonstration: Adding Members to Groups

Questions

1. What would be an efficient way to add users from all sales OUs to a universal group?

2. You have a domain local group called ManagerAccessDLG. This group is used to assign access to all resources for Managers, and the Managers_WoodgroveGG group has been added to the ManagerAccessDLG group. How would you give users from the Executives_WoodgroveGG group quick access to the same resources as those accessible to the managers group?


Identifying Group Membership

Key Points

Use Active Directory Users and Computers to determine the membership status of both users and groups. All user accounts have a Member Of attribute that lists all of the groups that the user is a member of. All groups have a Members attribute and a Member Of attribute. The Members attribute lists all user accounts or other group accounts that are members of the group, while the Member Of attribute indicates the groups into which the group has been added, or nested.

Additional reading

• Active Directory Users and Computers Help: Finding a Group in Which a User is a Member
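The Member Of attribute only shows direct membership; a user also belongs, through nesting, to every group that contains one of those groups. The following added example (not part of the course) lists both, using System.DirectoryServices, which is present on Windows Server 2008 without any add-on module. The domain DN and the account name at the end are assumptions.

```powershell
# Added example, not part of the course: list the groups a user belongs to,
# both directly (the user's Member Of attribute) and through nesting.
# Assumptions: the lab domain DN and the sAMAccountName used at the bottom.

function Get-EffectiveGroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$SearchBase = "LDAP://DC=WoodgroveBank,DC=com"   # assumed lab domain
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)

    # 1. Locate the user and read its distinguishedName and memberOf values.
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
    $userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$userSearch.PropertiesToLoad.Add("distinguishedName")
    [void]$userSearch.PropertiesToLoad.Add("memberOf")
    $user = $userSearch.FindOne()
    if ($user -eq $null) { throw "User '$SamAccountName' was not found under $SearchBase" }
    $userDn = [string]$user.Properties["distinguishedname"][0]

    # Direct membership is simply the user's memberOf values (the Member Of tab).
    $direct = @{}
    foreach ($dn in $user.Properties["memberof"]) { $direct[[string]$dn] = $true }

    # 2. Transitive membership. The LDAP_MATCHING_RULE_IN_CHAIN rule
    #    (OID 1.2.840.113556.1.4.1941) makes the domain controller walk the
    #    member links itself, so groups that contain the user only through
    #    nesting come back from the same query. Characters that are special
    #    in an LDAP filter must be escaped in the DN first.
    $escapedDn = $userDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
    $groupSearch.Filter = "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
    $groupSearch.PageSize = 500
    [void]$groupSearch.PropertiesToLoad.Add("distinguishedName")
    [void]$groupSearch.PropertiesToLoad.Add("groupType")

    foreach ($g in $groupSearch.FindAll()) {
        $dn   = [string]$g.Properties["distinguishedname"][0]
        $type = [int]$g.Properties["grouptype"][0]
        # groupType: sign bit set = security group, clear = distribution group;
        # 0x2 = global, 0x4 = domain local, 0x8 = universal scope.
        $scope = "Unknown"
        if ($type -band 0x2) { $scope = "Global" }
        elseif ($type -band 0x4) { $scope = "DomainLocal" }
        elseif ($type -band 0x8) { $scope = "Universal" }
        $kind = "Distribution"
        if ($type -lt 0) { $kind = "Security" }
        $how = "Nested"
        if ($direct.ContainsKey($dn)) { $how = "Direct" }
        New-Object PSObject -Property @{
            Group = $dn; Type = $kind; Scope = $scope; Membership = $how
        } | Select-Object Group, Type, Scope, Membership
    }
}

# Caveat: the user's primary group (normally Domain Users) is held in the
# primaryGroupID attribute, not in memberOf or in any group's member attribute,
# so neither query above lists it.

# Assumed sAMAccountName of the lab user Yvonne McKay.
Get-EffectiveGroupMembership -SamAccountName "yvonne.mckay" | Format-Table -AutoSize
```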


Demonstration: Modifying Group Scope and Type

Question

Why would you need to change a group type or scope? What additional actions should you take if you are changing a group type or scope?


Lesson 3

Creating OUs

Another option for collecting several user and computer accounts for administrative purposes is to create OUs. In this lesson, you will learn to create OUs. You will also learn options for creating OU hierarchies and how to move objects between OUs.


What Is an OU?

Key Points

An OU is an AD DS object contained in a domain. You can use OUs to organize hundreds of thousands of objects in the directory into manageable units. OUs are useful in grouping and organizing objects for administrative purposes, such as delegating administrative rights and assigning policies to a collection of objects as a single unit.

Additional reading

• Active Directory Users and Computers Help: Understanding Organizational Units
• Reviewing Organizational Unit Design Concepts
• Windows Server Glossary
• Organizational Units


What Is an OU Hierarchy?

Key Points

AD DS OUs are used to create a hierarchical structure within a domain. By creating an OU structure, you are grouping objects that can be administered as a unit. An organizational hierarchy should logically represent an organizational structure. That organization could be based on geographic, functional, resource-based, or user classifications. Whatever the order, the hierarchy should make it possible to administer AD DS resources as flexibly and effectively as possible. For example, if all of the computers used by IT administrators need to be configured in a certain way, you can group all of the computers in an OU, and assign a policy to manage the computers in the OU.


OU Hierarchy Examples

Key Points

Organizations may deploy OU hierarchies using several different models.

Geographic OUs

If the organization has multiple locations and network management is geographically distributed, you should use a location-based hierarchy. For example, you might decide to create OUs for New York, Toronto, and Miami in a single domain.

Departmental OUs

A departmental OU is based only on the business functions of the organization, without regard to geographical location or divisional barriers. This approach works well for small organizations with a single location.


Resource OUs

Resource OUs are designed to manage resource objects (non-user objects such as client computers, servers, or printers). This design is most useful when all resources of a given type are managed in the same way. Resource-based OUs can help facilitate software installations or printer selections based on Group Policy.

Management-based OUs

Management-based OUs reflect the various administrative divisions within the organization by mirroring the organization’s structure in the OU structure. Responsibility for managing users and groups, when they are placed into nested departmental OUs, can be delegated to the managers of those departments.

Additional reading

• Design Considerations for Organizational Unit Structure and Use of Group Policy Objects


Demonstration: Creating OUs

Questions

1. What type of OU hierarchy has been implemented by this organization?

2. Why would you locate user accounts and computer accounts in separate OUs?

Additional reading

• Active Directory Users and Computers Help: Create a New Organizational Unit


Demonstration: Moving Objects Between OUs

Question

How would members in the Sales and Marketing OUs benefit from being administered by a member of their own departments?

Additional reading

• Active Directory Users and Computers Help: Moving a user account


Lab: Creating an OU Infrastructure

Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank is opening a new subsidiary in Vancouver, and they need an OU design for the subsidiary. Woodgrove Bank has deployed Windows Server 2008 Active Directory Domain Services, and one of your primary tasks will be to create a new OU design and move users from current positions to the new subsidiary.


Exercise 1: Creating AD DS Groups

In this exercise, you will create three new groups using Active Directory Users and Computers. You will create one group using Dsadd. You will add users to the groups and inspect the results.

The main tasks are as follows:

1. Start the 6424A-NYC-DC1 virtual computer and log on as Administrator.

2. Create three groups by using Active Directory Users and Computers.

3. Create one group by using a command-line directory service tool, Dsadd.

4. Add users to the groups.

5. Inspect the results of adding users to groups.

6. Log off from 6424A-NYC-DC1.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as administrator

• Start 6424A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.

Task 2: Create three new groups by using Active Directory Users and Computers

1. On NYC-DC1, open Active Directory Users and Computers.

2. In the WoodgroveBank.com domain, create a new group with the following parameters:
• Group Name: Van_BranchManagersGG
• Scope: Global
• Type: Security

3. Repeat step 2 to create two more groups with the same scope and type. The two group names are as follows:
• Van_CustomerServiceGG
• Van_InvestmentsGG


Task 3: Create a group by using the Dsadd command-line tool

1. Open a command prompt window.

2. Enter the following command:

dsadd group "cn=Van_MarketingGG,ou=Vancouver,dc=WoodgroveBank,dc=com" -samid Van_MarketingGG -secgrp yes -scope g

3. Press ENTER.

4. Use the Find command to locate the new group in the WoodgroveBank.com OU.

Task 4: Add members to the new groups

1. In Active Directory Users and Computers, search the WoodgroveBank.com domain using the standard Search box to find the workers in the table below.

2. Add each worker to the groups indicated in the table.

Find                 Add to group:
Neville Burdon       Van_BranchManagersGG
Suchitra Mohan       Van_BranchManagersGG
Anton Kirilov        Van_CustomerServiceGG
Shelley Dyck         Van_CustomerServiceGG
Barbara Moreland     Van_InvestmentsGG
Nate Sun             Van_InvestmentsGG
Yvonne McKay         Van_MarketingGG
Monika Buschmann     Van_MarketingGG
Bernard Duerr        Van_MarketingGG


Task 5: Inspect the contents of the Vancouver groups

1. In Active Directory Users and Computers, click WoodgroveBank.com. In the contents view area, right-click Van_BranchManagersGG and view its properties.

2. Open the Members tab and observe that Neville Burdon and Suchitra Mohan are now members.

Task 6: Log off from 6424A-NYC-DC1

1. In Active Directory Users and Computers, click File, and then click Exit.

2. Click Start, point to the arrow icon, and click Log Off.

Result: At the end of this exercise, you will have created three new groups using Active Directory Users and Computers. You will have created one group using Dsadd. You will have added users to the groups and inspected the results.


Exercise 2: Planning an OU Hierarchy (Discussion)

In this exercise you will discuss and determine how to plan an OU hierarchy.

Scenario: A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have the following departments:

• Management
• Customer Service
• Marketing
• Investments

The OU hierarchy needs to support delegation of administrative tasks to users within that organizational unit.

Discussion questions:

1. Which approach to extending the organizational hierarchy of WoodgroveBank.com is the most likely to be applied in the creation of the new subsidiary’s resources: Geographic, Organizational, or Functional? Why?

2. What would be the most logical way to further subdivide the subsidiary’s Organizational Unit (Geographic, Organizational, or Functional)?

3. What does the pattern of naming second-level OUs in other centers suggest for the new Vancouver OU?

4. What would be a simple but effective way of delegating administrative tasks (such as adding users and computers to the domain, and changing user properties such as password resets and employee contact details) to certain users within a department?

Result: At the end of this exercise, you will have discussed and determined how to plan an OU hierarchy.


Exercise 3: Creating an OU Hierarchy

In this exercise you will use the output from the previous discussion to create an OU structure for the new Vancouver subsidiary of WoodgroveBank.com. You will also move users (see the list below) from other subsidiaries into groups, and add groups to the appropriate OUs. Additionally, you will populate the groups with the members of the corresponding departments, and update the descriptions of the users that have been moved into the new subsidiary. The benefit of having OUs based on administrative units is in delegating administrative responsibilities to members of those units. You will create OUs in two different ways:

• Active Directory Users and Computers, an MMC snap-in.
• Directory Service Tools: Dsadd, a command-line tool.

The main tasks are as follows:

1. Start the 6424A-NYC-DC1 virtual machine and log on as Administrator.

2. Create OUs by using Active Directory Users and Computers.

3. Create OUs by using Dsadd.

4. Nest an OU inside another OU.

5. Move groups into Vancouver OUs.

6. Move users from other OUs into those of the new subsidiary.

7. Delegate control over an OU using the Delegation of Control Wizard.

8. Log off from 6424A-NYC-DC1.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as administrator

• Start 6424A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.


Task 2: Create OUs by using Active Directory Users and Computers

1. At the root level of WoodgroveBank.com, create a new OU called Vancouver.

2. Inside the Vancouver OU, create three OUs with the following names:
• BranchManagers
• Investments
• Marketing

Task 3: Create an OU using the Directory Service Tool Dsadd

1. Click Start, click Run, and then type cmd to open a command-line window.

2. Type the following command at the prompt:

dsadd ou "ou=Investments,dc=WoodgroveBank,dc=com" -desc "Marketing department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd

3. Press ENTER.

4. In Active Directory Users and Computers, refresh the WoodgroveBank.com domain object, and note the presence of the new OU.

Task 4: Nest an OU inside another OU

1. In Active Directory Users and Computers, refresh the object tree.

2. Move the new Investments OU from the WoodgroveBank.com domain level into the Vancouver OU. Click OK to dismiss the warning message.

Note: There is a potential risk associated with moving security groups from one OU into another. Group policies in effect in the original OU may no longer apply in the new location. By default, AD DS notifies administrators of that risk whenever a group is moved between OUs.


Task 5: Move groups created in Exercise 1 into the appropriate OUs

1. In Active Directory Users and Computers, locate the remaining groups created in Exercise 1 for the new Vancouver subsidiary in the WoodgroveBank.com OU.

2. Move the following groups into the following Vancouver OUs:
• Van_MarketingGG group to Vancouver\Marketing OU
• Van_BranchManagersGG group to Vancouver\BranchManagers OU
• Van_InvestmentsGG group to Vancouver\Investments OU
• Van_CustomerServiceGG group to Vancouver\CustomerService OU

Note: There are several ways to move objects between OUs in Active Directory Users and Computers. You can (1) use the Move command, (2) drag and drop the object into a new OU, or (3) use the Cut and Paste commands.

Task 6: Find and move users into the appropriate Vancouver OUs

• Use Active Directory Users and Computers to find and move the following users into the OUs listed below.

Find                 Move to Vancouver OU:
Neville Burdon       BranchManagers
Suchitra Mohan       BranchManagers
Anton Kirilov        CustomerService
Shelley Dyck         CustomerService
Barbara Moreland     Investments
Nate Sun             Investments
Yvonne McKay         Marketing
Monika Buschmann     Marketing
Bernard Duerr        Marketing


Task 7: Delegate control over an OU

1. In Active Directory Users and Computers, select the Vancouver\Marketing OU and open the Delegation of Control wizard.

2. Add Yvonne McKay to the Selected users and groups list, and click Next.

3. Delegate to her the following common tasks:
• Create, delete, and manage user accounts
• Reset user passwords and force password change at next logon
• Create, delete and manage groups
• Modify the membership of a group

4. Click Next and then click Finish.

Task 7: Test user rights by logging on from 6424A-NYC-CL1

1. Using 6424A-NYC-CL1, log on with the account Yvonne McKay and the password Pa$$w0rd.

2. Start Active Directory Users and Computers.

3. Reset the password of Monika Buschmann using the password Pa$$w0rd again. You should see the following message: Password for Monika Buschmann has been changed.

4. Attempt to move a user from the Miami BranchManagers OU into the Vancouver BranchManagers OU. You should see the following message: Windows cannot move object [user name] because: Access denied.

Task 8: Log off from 6424A-NYC-DC1

1. In Active Directory Users and Computers, click File, and click Exit.

2. Click Start, point to the arrow icon, and click Log Off.

Result: At the end of this exercise, you will have created OUs using Active Directory Users and Computers and using Dsadd.
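The wizard in Task 7 writes access control entries onto the OU, and the behavioural test only probes two of them. The following added example (not part of the course) reads the OU's DACL and names the object class or attribute each entry applies to, which is the check an administrator should run after delegating; the OU DN is the lab's Vancouver\Marketing OU, assumed here.

```powershell
# Added example, not part of the course: report each access control entry on an
# OU so you can see what the Delegation of Control Wizard actually granted, and
# spot anything broader than intended. Assumption: the lab OU DN below.

function Get-OuDelegation {
    param(
        [string]$OuDn = "OU=Marketing,OU=Vancouver,DC=WoodgroveBank,DC=com",  # assumed lab OU
        [switch]$IncludeInherited
    )
    # schemaIDGUID / rightsGuid values behind the wizard's common tasks.
    $guidNames = @{
        "00000000-0000-0000-0000-000000000000" = "all object types / all properties"
        "bf967aba-0de6-11d0-a285-00aa003049e2" = "user objects"
        "bf967a9c-0de6-11d0-a285-00aa003049e2" = "group objects"
        "bf9679c0-0de6-11d0-a285-00aa003049e2" = "member attribute"
        "bf967a0a-0de6-11d0-a285-00aa003049e2" = "pwdLastSet attribute"
        "00299570-246d-11d0-a768-00aa006e0529" = "Reset Password extended right"
    }
    function Resolve-Guid([Guid]$g) {
        $key = $g.ToString()
        if ($guidNames.ContainsKey($key)) { return $guidNames[$key] }
        return $key   # anything else: show the raw GUID for lookup in the schema
    }

    $ou = [ADSI]"LDAP://$OuDn"
    $security = $ou.psbase.ObjectSecurity
    # Explicit ACEs always; inherited ones (from the domain or parent OU) on request.
    $rules = $security.GetAccessRules($true, [bool]$IncludeInherited, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        # GenericAll, WriteDacl and WriteOwner let the trustee extend their own
        # rights, which is more than "reset passwords" was meant to hand out.
        $rights = $rule.ActiveDirectoryRights.ToString()
        $flag = ""
        if ($rights -match 'GenericAll|WriteDacl|WriteOwner') { $flag = "REVIEW" }
        New-Object PSObject -Property @{
            Trustee     = $rule.IdentityReference.Value
            Access      = $rule.AccessControlType
            Rights      = $rights
            On          = Resolve-Guid $rule.ObjectType            # attribute or extended right
            ForObjects  = Resolve-Guid $rule.InheritedObjectType   # object class the ACE targets
            Inheritance = $rule.InheritanceType
            Inherited   = $rule.IsInherited
            Note        = $flag
        } | Select-Object Trustee, Access, Rights, On, ForObjects, Inheritance, Inherited, Note
    }
}

Get-OuDelegation | Format-Table -AutoSize
```

Run it before and after the wizard to see exactly which entries the four common tasks added for Yvonne McKay.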


Module Review and Takeaways

Review Questions

1. You have just installed a new domain controller in your domain. What two tools could you use to verify that the domain controller has been added to the domain?

2. You want to group all of the users in a branch office together so that you can assign permissions to a shared folder to all of the users in the branch office. What type of AD DS object should you create?

3. What are the differences between a domain, a domain tree, and a forest?

4. What feature makes it easy and fast to search a forest for user phone numbers?

5. What is the relationship between a domain and a site?


Summary of Active Directory Domain Services

AD DS provides a directory service for organizations that enables them to provide secure access to network resources and centralized administration. AD DS enables users to be authenticated, and then authorizes the user to access network resources based on that network authentication. AD DS is composed of logical and physical components. Logical components such as domains, forests and OUs are used to group objects together for administrative purposes. Physical components such as domain controllers and sites are deployed to provide a consistent experience for users throughout the AD DS environment.

Managing Access to Resources

Module 9 Managing Access to Resources

Contents:

Lesson 1: Managing Access Overview 9-3
Lesson 2: Assigning Permissions to Shared Resources 9-12
Lesson 3: Managing NTFS File and Folder Permissions 9-21
Lesson 4: Determining Effective Permission 9-28
Lab: Managing Access to Resources 9-38


Module Overview

One of the primary reasons for deploying Active Directory Domain Services (AD DS) is to enable users to access shared resources on the network. The previous modules introduced users and groups as the primary way to enable access to those resources. This module describes how to configure shared folders to enable those users and groups to gain access to the resources. Specifically, this module helps you learn the skills and knowledge you will need to:

• Understand how permissions enable resource access.
• Manage access to files and folders by using shared folder permissions, NTFS permissions, or special permissions.
• Manage permissions inheritance.


Lesson 1

Managing Access Overview

In order to manage access to resources, you need to understand how Windows operating systems use security principals and security tokens to allow access to resources. Then you need to understand how permissions are applied to resources such as shared folders. This lesson provides the information you need to manage access to resources.


What Are Security Principals?

Key Points

A security principal is an AD DS entity that can be authenticated by a Windows operating system. Security principals include:

• User and computer accounts.
• A thread or process that runs in the security context of a user or computer account.
• Groups of the above accounts.

Every security principal is automatically assigned a security identifier (SID) when it is created. A SID is made up of two components:

• Domain identifier. The domain identifier is the same for all security principals created in the domain.
• Relative identifier. The relative identifier is unique to each security principal created in the domain.


Additional reading

• Windows Server Glossary


What Are Access Tokens?

Key Points

An access token is a protected object that contains information about the identity and privileges associated with a user account.

How access tokens are created

When a user logs on, if authentication is successful, the logon process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token that includes the SIDs and a list of privileges assigned by local security policy to the user and to the user’s security groups.

How access tokens are used to verify the user’s privileges

After the LSA creates the primary access token, a copy of the access token is attached to every process and thread that executes on the user’s behalf. Whenever a thread or process interacts with a shared resource or tries to perform a system task that requires privileges, the operating system checks the access token associated with the thread to verify the user’s access to the resource.


Additional reading

• Windows Server Glossary
• Access Tokens Technical Reference
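The SID structure (domain identifier plus relative identifier) and the token contents (user SID, group SIDs, privileges) from the two topics above can be observed directly on any domain-joined machine. The following added example (not from the course) reads the current session's token through .NET and splits each SID into its two components.

```powershell
# Added example, not part of the course: inspect the access token of the
# current logon session, then split the user SID and each group SID into the
# domain identifier and relative identifier (RID) described above.

function Split-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # For a domain SID S-1-5-21-A-B-C-RID, AccountDomainSid returns S-1-5-21-A-B-C.
    # Well-known SIDs such as S-1-1-0 (Everyone) belong to no domain, so it is null.
    $domain   = $Sid.AccountDomainSid
    $domainId = $null
    $rid      = $null
    if ($domain -ne $null) {
        $domainId = $domain.Value
        $rid = [uint32]$Sid.Value.Substring($Sid.Value.LastIndexOf("-") + 1)
    }
    $name = "(unresolved)"
    try { $name = $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    New-Object PSObject -Property @{
        Sid = $Sid.Value; Name = $name; DomainIdentifier = $domainId; Rid = $rid
    } | Select-Object Name, Sid, DomainIdentifier, Rid
}

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminsWk  = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier($adminsWk, $null)

    # The token carries the user SID plus one SID per security group; the
    # operating system compares exactly these SIDs against a resource's ACL.
    $groups = foreach ($g in $identity.Groups) { Split-Sid $g }

    New-Object PSObject -Property @{
        User               = $identity.Name
        UserSid            = Split-Sid $identity.User
        AuthenticationType = $identity.AuthenticationType   # e.g. Kerberos for a domain logon
        GroupSidCount      = $identity.Groups.Count
        Groups             = $groups
        # Under User Account Control a non-elevated session holds the
        # Administrators SID as deny-only, so this stays False until you elevate.
        InAdministrators   = $principal.IsInRole($adminsSid)
    }
}

$token = Get-TokenSummary
$token | Select-Object User, AuthenticationType, GroupSidCount, InAdministrators | Format-List
$token.UserSid | Format-List
$token.Groups | Format-Table -AutoSize
# Privileges, the other half of the token, are not exposed by WindowsIdentity;
# "whoami /priv" lists them for the current session.
```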


What Are Permissions?

Key Points

Permissions define the type of access that is granted to a security principal for an object. When you assign permissions, you can:

• Explicitly apply permissions. When you explicitly apply permissions, you access the shared resource object directly and configure permissions on that object. You can explicitly apply permissions on folders or files.

• Configure permission inheritance. When you configure permissions on a folder, the permissions are inherited by default by all subfolders and files in that folder. You can accept the default permission inheritance or modify the default behavior by blocking permission inheritance or by assigning explicit permissions to lower-level folders or files.

• Accept implicitly applied permissions. If no permissions are explicitly assigned to an object for a particular user account and no inherited permissions apply to the user account, the user will be denied access to the object.

Additional reading

• Windows Server Glossary


How Access Control Works

Key Points

The process of gaining access to an AD DS resource is called access control and it is based on the verification of security principals. All objects in AD DS, and all securable objects on a local computer or on the network, have security descriptors assigned to them to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited.

Additional reading

• MSDN Glossary


Managing Access Review

Questions

1. What is the role of access control lists (ACLs) in granting access to resources in an AD DS network?

2. How do discretionary access control lists (DACLs) differ from system access control lists (SACLs)?


Lesson 2

Assigning Permissions to Shared Resources

Shared folders give users access to files and folders over a network. Users can connect to the shared folder over the network to access the folders and files that they contain. Shared folders can contain applications, public data, or a user’s personal data. Using shared data folders provides a central location for users to access common files and makes it easier to back up data contained in those files.


What Are Shared Folders?

Key Points

When you share a folder, the folder is made accessible to multiple users simultaneously over the network. Once granted permission, users can access all of the files and subfolders in the shared folder. Most organizations deploy dedicated file servers to host shared folders. You can store files in shared folders according to categories or functions. For example, you can place shared files for the Sales department in one shared folder and shared files for executives in another.


What Are Administrative Shared Folders?

Key Points

Windows Server 2008 automatically creates shared folders on Windows computers that enable you to perform administrative tasks. These default administrative shares have a dollar sign ($) at the end of the share name. Appending the dollar sign to the end of the share name hides the shared folder from users who browse the network. Administrators can quickly administer files and folders on remote servers by using these hidden shared folders.


Shared Folder Permissions

Key Points

Shared folder permissions apply only to users who connect to the folder over the network. They do not restrict access to users who access the folder at the computer where the folder is stored. You can grant shared folder permissions to user accounts, groups, and computer accounts.

Additional reading

• Best Practices for Shared Folders


Demonstration: Creating Shared Folders

Key Points

In Windows Server 2008, the only groups that can create shared folders are the Administrators, Server Operators, and Power Users groups. These are built-in groups that are placed in the Groups folder in Computer Management or the Builtin container in Active Directory Users and Computers.

Questions

1. How do you apply sharing permissions to a folder?

2. How would you begin to create a new shared folder using the Share and Storage Management MMC?

3. Which tool would you use to create a new shared folder?


Connecting to Shared Folders

Key Points

After you create a shared folder, users can access the folder across the network by using multiple methods. Users can access a shared folder on another computer via:

• The Network window (in Windows Server 2008 or Windows Vista).
• My Network Places (in Windows Server 2003 or Windows XP).
• The Map Network Drive feature.
• Searching AD DS.
• The Run command on the Start menu.

Additional reading

• Glossary of Registry Terms


Demonstration: Managing Shared Folders

Question

What would happen if a user was editing a file and had not saved the changes when an administrator used the Close File feature?


Considerations for Using Shared Folders

Key Points

When managing access to shared folders, consider the following best practices when granting permissions:

• Use the most restrictive permissions possible. Do not grant more permissions for a shared folder than the users legitimately require. For example, if a user only needs to read a file, grant Read permission for the file to the user or to the group to which the user belongs.

• Avoid assigning permissions to individual users. Use groups whenever possible. Because it is inefficient to maintain permissions for user accounts directly, avoid granting permissions to individual users.

• Remember that Full Control allows users to modify NTFS permissions. Add groups to the Full Control permission with caution. Each change to NTFS permissions could potentially affect security.

• Use the Authenticated Users or the Domain Users group instead of the Everyone group (if present) in the shared folder’s permissions list. Because the Everyone group includes Guests, using the Authenticated Users or Domain Users group limits access to shared folders to authenticated users only, and helps prevent users or viruses from accidentally deleting or damaging data and application files.

Additional reading

• Best practices for Shared Folders
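Two added helpers (not from the course) for the practices above: the first finds shares on a server whose share permissions give Everyone Change or Full Control, and the second creates a share that grants Authenticated Users instead of Everyone. The share name and path are placeholders.

```powershell
# Added example, not part of the course. Assumptions: the share name and path
# given to New-AuthenticatedUsersShare are placeholders.

function Find-EveryoneWritableShares {
    param([string]$ComputerName = ".")
    $fullControl = 0x1F01FF    # share permission masks: Full Control,
    $change      = 0x1301BF    # Change (Read is 0x1200A9)
    $shares = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName
    foreach ($share in $shares) {
        $result = $share.GetSecurityDescriptor()
        # Skip shares whose descriptor cannot be read or that carry no DACL.
        if ($result.ReturnValue -ne 0 -or $result.Descriptor.DACL -eq $null) { continue }
        foreach ($ace in $result.Descriptor.DACL) {
            if ($ace.AceType -ne 0) { continue }                    # 0 = allow, 1 = deny
            if ($ace.Trustee.SIDString -ne "S-1-1-0") { continue }  # S-1-1-0 = Everyone
            $level = $null
            if (($ace.AccessMask -band $fullControl) -eq $fullControl) { $level = "Full Control" }
            elseif (($ace.AccessMask -band $change) -eq $change)       { $level = "Change" }
            if ($level -eq $null) { continue }   # Everyone: Read is not flagged here
            New-Object PSObject -Property @{ Share = $share.Name; Everyone = $level } |
                Select-Object Share, Everyone
        }
    }
}

function New-AuthenticatedUsersShare {
    param([string]$Name = "VanMarketing", [string]$Path = "D:\Shares\VanMarketing")  # placeholders
    # net share's /GRANT switch (Windows Vista / Server 2008 and later) sets the
    # share permissions at creation time, so the default "Everyone: Read" entry
    # is never created. NTFS permissions on $Path still apply on top of these.
    & net share "$Name=$Path" "/GRANT:Authenticated Users,CHANGE" "/GRANT:Administrators,FULL"
}

Find-EveryoneWritableShares | Format-Table -AutoSize
```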


Lesson 3

Managing NTFS File and Folder Permissions

In addition to configuring access to shared folders by using shared folder permissions, you can also assign permissions by using NTFS permissions. The information in this lesson presents the skills and knowledge that you need to manage access to files and folders by using NTFS permissions.


What Are NTFS Permissions?

Key Points

NTFS permissions are used to specify which users, groups, and computers can access files and folders. NTFS permissions also dictate what users, groups, and computers can do with the contents of the file or folder. NTFS file permissions include:

• Read. Read the file, attributes, and permissions, and view the owner.
• Write. Write to the file, change attributes, view permissions, and view the owner.
• Read & Execute. Execute applications plus all Read permissions.
• Modify. All the above permissions, plus the ability to delete the file.
• Full Control. All the above permissions plus the ability to change permissions and take ownership of the file.

There are six basic NTFS folder permissions:

• Read. Read files, folders, and subfolders, read permissions, and view the owner.
• Write. Create new files and folders, view permissions and the owner, and change folder attributes.
• List Folder Contents. View files and subfolders.
• Read & Execute. Execute applications plus all permissions of Read and List Folder Contents.
• Modify. All the above permissions, plus the ability to delete the folder.
• Full Control. All the above permissions plus the ability to change permissions on the folder and take ownership.


What Are Standard and Special Permissions?

Key Points

NTFS permissions fall into two categories: standard and special. Standard permissions are the most frequently assigned permissions. The permissions described in the previous topic are standard permissions. Special permissions provide you with a finer degree of control for assigning access to objects.

Additional reading

• Permissions for files and folders


What Is NTFS Permissions Inheritance?

Key Points

By default, permissions that you grant to a parent folder are inherited by the subfolders and files that are contained in the parent folder. A security principal that is inheriting permissions can have additional NTFS permissions assigned, but the inherited permissions cannot be removed until inheritance is blocked.

Blocking permission inheritance

The folder on which you prevent permissions inheritance becomes the new parent folder, and the subfolders and files that are contained in it inherit the permissions assigned to it. Permissions can be inherited only from a direct parent.

Additional reading

• Windows Server Glossary


Demonstration: Configuring NTFS Permissions

Questions

1. If you deny an NTFS permission to a group for a particular resource while allowing the same permission to another group for that resource, what will happen to the permissions of an individual who is a member of both groups?

2. If a group added to a shared folder was given an NTFS permission of Allow for Write in a shared folder, and a Deny permission for Write in a nested folder, what would their effective permissions be in the two folders?


Effects on NTFS Permissions When Copying and Moving Files and Folders

Key Points

When you copy or move a file or folder, the permissions might change, depending on where you move the file or folder. It is important to understand the changes that the permissions undergo when being copied or moved. The following table lists the possible copy and move actions and describes how Windows Server 2008 handles the permission state of a file or folder.

Action                                    Result
Copy a file or folder within a volume     Inherits permission state of the destination folder
Move a file or folder within a volume     Retains original permission state of the source
Copy a file or folder between volumes     Inherits permission state of the destination folder
Move a file or folder between volumes     Inherits permission state of source file or folder


Lesson 4

Determining Effective Permission

You can assign user access to a shared folder by using shared folder permissions or NTFS permissions. You can also assign permissions to individual user accounts or group accounts. In order to determine what level of access the user actually has on the network, you need to understand how effective permissions are determined, and how you can view effective permissions.


What Are Effective NTFS Permissions?

Key Points

Windows Server 2008 provides a tool (the Effective Permissions tool) that shows effective permissions, which are cumulative permissions based on group membership. The following principles determine effective permissions:

• Cumulative permissions are the combination of the highest NTFS permissions granted to the user and to all the groups that the user is a member of. For example, if a user is a member of a group that has Read permission and of a group that has Modify permission, the user has Modify permission.

• Explicit Deny permissions override equivalent Allow permissions. However, an explicit Allow permission can override an inherited Deny permission. For example, if a user is explicitly denied write access to a folder but explicitly allowed write access to a subfolder or a particular file, the explicit Allow overrides the inherited Deny.

• Permissions can be applied to a user or a group. Assigning permissions to groups is preferred because it is more efficient than managing the permissions of many individuals.

• NTFS file permissions take priority over folder permissions. For example, if a user has Modify permission to a folder but only Read permission to certain files in that folder, the effective permission for those files is Read.

• Every object in an NTFS volume or in Active Directory has an owner. The owner controls how permissions are set on the object and to whom permissions are granted. For example, a user can create a file in a folder where the user normally has Modify permission, but because that user created the file, the user has the ability to change its permissions. The user could then grant himself or herself Full Control over the file.


Discussion: Applying NTFS Permissions

In this discussion, you are presented with a scenario in which you are asked to apply NTFS permissions. You and your classmates will discuss possible solutions to the scenario.

Scenario

User1 is a member of the Users group and the Sales group. The graphic on the slide shows folders and files on the NTFS partition.

Discussion questions:

1. The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?

2. The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?

3. The Users group has Modify permission for Folder1. File2 should be accessible only to the Sales group, and they should only be able to read File2. What do you do to ensure that the Sales group has only Read permission for File2?


Demonstration: Evaluating Effective Permissions

Questions

1. After observing the Effective Permissions tool, what do grayed-out permission items represent?

2. Suppose you wanted to add or subtract effective permissions from a user. Which screen would you need to access?

3. After setting the permissions of an individual to Write in the Edit Permissions screen, a return to the Effective Permissions tool reveals that the user almost has full permissions. Why might that be?

Additional reading

• Effective Permissions Tool


Effects of Combining Shared Folder and NTFS Permissions

Key Points

When a user reaches a folder through a share, both the shared folder permission and the NTFS permission are checked, and the more restrictive of the two is the effective permission. When allowing access to network resources on an NTFS volume, it is therefore recommended that you use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.
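The principles listed under "What Are Effective NTFS Permissions?" (cumulative permissions, explicit Deny over Allow, explicit Allow over inherited Deny), the User1 discussion scenario, and the share-plus-NTFS rule above, modelled as an added example that is not part of the courseware. The rights bit values, the ACLs, and the group memberships are constructed for illustration; only the canonical ACE ordering reflects how Windows actually evaluates an ACL.

```python
# Added example (not part of the Microsoft courseware): a small model of how
# Windows orders and evaluates NTFS access control entries (ACEs) to arrive at
# effective permissions, and of the "most restrictive wins" rule when a share
# permission is combined with an NTFS permission. The rights bit values and the
# ACLs below are constructed for illustration; only the ordering rule is real.
from dataclasses import dataclass

# Constructed rights bits (real NTFS access masks use different values).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = 1, 2, 4, 8, 16, 32

# Standard permissions expressed as combinations of the bits above.
STANDARD = {
    "Read": READ,
    "Write": WRITE,
    "Read & Execute": READ | EXECUTE,
    "Modify": READ | WRITE | EXECUTE | DELETE,
    "Full Control": READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWNER,
}


@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry applies to
    rights: int      # bit mask of rights
    allow: bool      # True for an Allow entry, False for a Deny entry
    inherited: bool  # True if inherited from the parent folder


def canonical_order(acl):
    """Windows evaluates ACEs in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. That order is why an explicit Deny beats an
    Allow on the same object, while an explicit Allow on a subfolder or file
    beats a Deny inherited from the parent."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(acl, identities):
    """Rights a principal holding `identities` (its own account plus every group
    it belongs to) effectively has. Allows from all matching entries accumulate;
    a bit denied earlier in canonical order can no longer be granted later."""
    granted = denied = 0
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted


def describe(rights):
    """Names of the standard permissions fully covered by a rights mask."""
    return [name for name, mask in STANDARD.items() if rights & mask == mask]


def effective_over_share(share_rights, ntfs_rights):
    """Through a share, the effective permission is the more restrictive of the
    share permission and the NTFS permission, i.e. their intersection."""
    return share_rights & ntfs_rights


# Discussion scenario from this page: User1 is a member of Users and Sales.
USER1 = {"User1", "Users", "Sales"}

# Folder1: Users has Write, Sales has Read -> cumulative Read and Write.
FOLDER1 = [Ace("Users", STANDARD["Write"], True, False),
           Ace("Sales", STANDARD["Read"], True, False)]

# File2 under a folder where Sales is denied Write (inherited), but File2 itself
# carries an explicit Allow Write for User1 -> the explicit Allow wins.
FILE2 = [Ace("Sales", STANDARD["Write"], False, True),
         Ace("Users", STANDARD["Read"], True, True),
         Ace("User1", STANDARD["Write"], True, False)]

# Folder3: Users allowed Modify, Sales explicitly denied Write on the same
# object -> the explicit Deny removes Write from User1's Modify.
FOLDER3 = [Ace("Users", STANDARD["Modify"], True, False),
           Ace("Sales", STANDARD["Write"], False, False)]

if __name__ == "__main__":
    print("Folder1:", describe(effective_rights(FOLDER1, USER1)))
    print("File2:  ", describe(effective_rights(FILE2, USER1)))
    print("Folder3:", describe(effective_rights(FOLDER3, USER1)))
    # Second discussion example: share Read plus NTFS Full Control -> Read.
    print("Sales via Data share:",
          describe(effective_over_share(STANDARD["Read"], STANDARD["Full Control"])))
```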


Discussion: Determining Effective NTFS and Shared Folder Permissions

In this discussion, you will determine effective NTFS and shared folder permissions.

Scenario

The slide graphic illustrates two shared folders that contain folders or files that have been assigned NTFS permissions. Look at each example and determine a user’s effective permissions.

In the first example, the Users folder has been shared, and the Users group has the shared folder permission Full Control. User1, User2, and User3 have been granted the NTFS permission Full Control to only their own folder. These users are all members of the Users group.


Discussion questions:

1. Do members of the Users group have Full Control to all home folders in the Users folder once they connect to the Users shared folder?

In the second example, the Data folder has been shared. The Sales group has been granted the shared folder permission Read for the Data shared folder and the NTFS permission Full Control for the Sales folder.

2. What are the Sales group’s effective permissions when they access the Sales folder by connecting to the Data shared folder?


Considerations for Implementing NTFS and Shared Folder Permissions

Key Points

Here are several considerations to make administering permissions more manageable:

1. Grant permissions to groups instead of users. Groups can always have individuals added or removed, while permissions assigned on a case-by-case basis are difficult to keep track of.

2. Use Deny permissions only when necessary. Because Deny permissions are inherited just like Allow permissions, assigning Deny permissions to a folder can result in users not being able to access files lower in the folder structure. Deny permissions should be assigned in the following situations:

   • To exclude a subset of a group that has Allow permissions.

   • To exclude one permission when you have already granted Full Control permissions to a user or group.

3. Never deny the Everyone group access to an object. If you deny Everyone access to an object, you also deny administrators access. Instead, it is recommended that you remove the Everyone group, as long as you grant permissions for the object to other users, groups, or computers.

4. Grant permissions to an object that is as high in the folder tree as possible, so that the security settings are propagated throughout the tree. For example, rather than bringing groups representing all departments of the company together into a ‘Read’ folder, assign Domain Users (which is a default group for all user accounts in the domain) to the share. In that way, you eliminate the need to update department groups before new users get access to the shared folder.

5. Use NTFS permissions rather than shared folder permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be complicated. Consider assigning the most restrictive permissions for a group containing a large number of users at the shared folder level, and then using NTFS permissions to assign more specific permissions.


Lab: Managing Access to Resources

Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed Windows Server 2008 Active Directory Domain Services. They have recently opened a new subsidiary in Vancouver, British Columbia, Canada. You are a network administrator assigned to the new subsidiary, and one of your primary tasks will be to create and manage access to resources, including the shared folder implementation. For example, groups that mirror the departmental organization of the bank need shared file storage areas. There also need to be shared folders to allow files to be shared between departments during special projects. Lastly, a ‘drop box’ style folder will be needed for reports from employees to managers.


Exercise 1: Planning a Shared Folder Implementation (Discussion)

In this exercise, you will discuss and determine the best solutions for a shared folder implementation.

Discussion questions:

1. The Woodgrove Bank Vancouver subsidiary has an organizational hierarchy, as outlined by its OUs, that supports the activities of its four departments: Marketing, Investments, Management, and Customer Service. Each department has groups populated with the employees in that department. How could you give each department separate file sharing spaces?

2. All members of the Vancouver subsidiary need to be able to read documents posted by management regarding topics such as staffing, targets and projections, and company news. To create a series of folders that will make this information available to all employees in the subsidiary, as well as to managers from other parts of the Woodgrove Bank, what sorts of groups would be needed? What sorts of permissions would each require? What sorts of folder structures might be needed?

3. A task force on reducing the subsidiary’s carbon footprint is gathering a variety of data from various departments. They plan to keep the information private until they can publish a report. How can individuals from various departments have contributing status while access is restricted for those outside of their project?

4. The branch managers require weekly reports from each department. These reports should be stored where they alone can organize and read them. Department heads should be able to drag and drop their reports onto the shared folders, although they should not be able to open the shared folders.

Result: At the end of this exercise, you will have discussed and determined solutions for a shared folder implementation.


Exercise 2: Implementing a Shared Folder Implementation

In this exercise, you will create the shared folder implementation based on the discussion in the previous exercise. The main tasks are as follows:

1. Start virtual machines NYC-DC1 and NYC-CL1. Log on to NYC-DC1 as Administrator.

2. Create a series of folders.

3. Set share permissions for the folders.

4. Create a shared folder for all Domain Users, using the Share and Storage Management MMC.

5. Create a new group and shared folder for an inter-departmental project.

6. Create a drop folder for weekly reports.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator

• Start 6424A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.

• Start 6424A-NYC-CL1. Do not log on.

Task 2: Create four new folders by using Windows Explorer

1. On NYC-DC1, open Windows Explorer.

2. On the D: drive, create folders named:

   • Marketing

   • Managers

   • Investments

   • CustomerService


Task 3: Set share properties for the folder

1. Right-click the Marketing folder, and then click Share…

2. In the File Sharing dialog box, type Van_MarketingGG.

3. Click Add.

4. Change the permission level to Contribute.

5. Click Share.

6. Repeat the process of creating shares for each of the remaining folders, assigning the appropriate groups and permissions.

Task 4: Create another shared folder using the Share and Storage Management MMC

1. From the Start menu, in Administrative Tools, click Share and Storage Management to open it.

2. Click Provision Share Wizard.

3. Click the Browse button. In the Browse Folder window, create a new folder named CompanyNews.

4. Change no other settings, but click Next all the way through to the last screen of the wizard, and then click Close.

5. In the Shares list of the Share and Storage Management MMC, right-click CompanyNews and click Properties.

6. On the Permissions tab, click Share Permissions. Add the Domain Users group, and take note that their permission is set to Read.

7. Also add the Van_BranchManagersGG group, and give them Full Control permissions.

8. Finish the Permissions settings, and exit the Share and Storage Management MMC.


Task 5: Create a new group and shared folder for an inter-department project

1. Open the Active Directory Users and Computers MMC.

2. Click the Vancouver OU, and add a new global security group called Van_SpecialProjectGG. Expand the following Vancouver OUs, and use the Add to group… command to add the following users:

   Vancouver OU         Name
   Investment           Barbara Moreland
   Marketing            Bernard Duerr
   Branch Managers      Neville Burdon
   Customer Service     Shelley Dyck

3. Save the changes and close Active Directory Users and Computers.

4. Create a new folder in C:\, and name it SharedProjects.

5. Share the folder, adding the Van_SpecialProjectGG group with the Contribute permission level.

6. Click Share.

Task 6: Create a drop folder for weekly reports

1. Use Active Directory Users and Computers to create the following new global security groups in the Vancouver OU:

   Group Name             Member
   Van_InvestHeadGG       Barbara Moreland
   Van_CustServHeadGG     Shelley Dyck
   Van_MarketHeadGG       Yvonne McKay

2. Close Active Directory Users and Computers.

3. In Windows Explorer, in C:\, create a new folder named DropFolder.


4. Right-click the new folder, and click Properties.

5. Click the Permissions tab and click Edit.

6. Click Add, type Van_BranchManagersGG, and then click OK.

7. In the Permissions dialog box for DropFolder, click Van_BranchManagersGG, and in the permissions list, in the Full Control category, click Allow.

8. Add the Van_MarketHeadGG, Van_InvestHeadGG, and Van_CustServHeadGG groups.

9. In the Permissions for… window, give each of these three groups an Allow for the Write permission, clicking Apply after each assignment.

10. Click OK twice to close the standard properties window.

Result: At the end of this exercise, you will have created a shared folder implementation.


Exercise 3: Evaluating the Shared Folder Implementation

In this exercise, you will verify that the shared folder implementation meets the security requirements provided in the documentation. You will log on as some of the users to ensure that they have the required level of access. The main tasks are as follows:

1. Log on as Neville. Create a file in Company News. Log off as Neville.

2. Verify Neville’s access to CompanyNews (read only) and DropFolder (write).

3. Log on as Monika for Special Projects.

4. Verify write permissions by creating a file in the Special Projects folder.

5. Log off as Monika.

6. Log on as Yvonne.

7. Create a document in the My Documents folder. Copy and paste it into the Drop Folder.

8. Attempt to open the DropFolder volume.

9. Log off as Yvonne.

10. Log on as Neville (a branch manager).

11. Open DropFolder and view Yvonne’s file.

12. Move the file to the Marketing folder.

13. Log off.

14. Log off from NYC-DC1 and NYC-CL1.

Task 1: Log on to NYC-CL1 as Neville

• Log on to NYC-CL1 as Neville, with the password Pa$$w0rd.


Task 2: Check the permissions for Company News and Drop Folder

1. Once logged on as Neville, open the Company News volume and create a text file. Name it News.txt.

2. Create a folder named News, and drag News.txt into it.

3. Close the Company News window.

4. Open the Drop Folder shared folder.

5. Create three folders with the following names:

   • Marketing

   • Investments

   • Customer Service

6. Close the Drop Folder window and log off.

Task 3: Check permissions of the inter-department share Special Projects

1. Log on as Monika with the password Pa$$w0rd.

2. Open the Special Project volume and create a text document.

3. Attempt to open the Drop Folder.

4. Attempt to open Company News. Open the News.txt file inside the News folder.

5. Log off as Monika.

Task 4: Check the permissions for drop-box users

1. Log on as Yvonne using the password Pa$$w0rd.

2. Open the Documents folder, and create a file named Wk19_Marketing.xls.

3. From the My Documents window, copy Wk19_Marketing.xls and paste it onto the Drop Folder icon.

4. Attempt to open the Drop Folder volume. Click OK to dismiss the error message.

5. Log off as Yvonne.


Task 5: Check the contents of the Drop Folder as a manager

1. Log on as Neville (a branch manager).

2. Open the Drop Folder again, and open the file created by Yvonne.

3. Drag and drop it into the Marketing folder.

4. Log off as Neville.

Task 6: Close virtual machines 6424A-NYC-DC1 and 6424A-NYC-CL1

• Close both machines, saving no changes.

Result: At the end of this exercise, you will have verified that the shared folder implementation meets security requirements.


Module Review and Takeaways

Review Questions

1. What is the role of access control lists (ACLs) in granting access to resources on an AD DS network?

2. How do discretionary access control lists (DACLs) differ from system access control lists (SACLs)?

3. What happens to the shared folder configuration when you copy or move a shared folder from one hard disk to another on the same server? What happens to the shared folder configuration when you copy or move the shared folder to another server?

4. You need to assign permissions to a shared folder so that all users in your organization can read the contents of the folder. Which of these approaches would be the best way to do this: accept the default permissions, assign Read permissions to the folder for the Domain Users group, or add groups representing whole departments? How would this configuration change if your organization had multiple domains?


5. How could you remove Write share permissions from a single file that is located inside a folder that is inheriting Write permissions from the shared folder in which it is located?

6. When moving a folder within an NTFS partition, what permissions are required over the source file or folder and over the destination folder?

7. What is the best way to create a shared folder between departments of users who are situated in two different domains?

Considerations for Managing Shared Folders and NTFS Permissions

When managing AD DS shared folders and NTFS permissions, consider the following:

• Consider delegating permissions to create and manage shared folders in your AD DS domain. You can delegate permissions to groups in the NTFS security settings at the appropriate level of the shared folder hierarchy.

• When allowing access to network resources on an NTFS volume, it is recommended that you use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.

• Document your shared folder and permissions configuration. The shared folder configuration can get very complicated over time as users or departments request new shared folders for a variety of reasons. Without documentation, it can be difficult to manage and troubleshoot file access issues.

• All shared folders should be part of your regular backup process. The data stored in the shared folders is often critical to your organization, so you need to ensure that you can recover it in the event of a server failure.
