Windows Server 2008 Directory Services: Module 6, Configuring Active Directory Objects and Trusts (slide text)

Module 6: Configuring Active Directory Objects and Trusts

Module Overview
• Configuring Active Directory Objects
• Strategies for Using Groups
• Automating AD DS Object Management
• Delegating Administrative Access to AD DS Objects
• Configuring AD DS Trusts

Lesson 1: Configuring Active Directory Objects
• Types of AD DS Objects
• Demonstration: Configuring AD DS User Accounts
• AD DS Group Types
• AD DS Group Scopes
• Default AD DS Groups
• AD DS Special Identities
• Discussion: Using Default Groups and Special Identities
• Demonstration: Configuring AD DS Group Accounts
• Demonstration: Configuring Additional AD DS Objects

Types of AD DS Objects

User accounts
• Enable a single sign-on for a user
• Provide access to resources

Computer accounts
• Enable authentication and auditing of computer access to resources

InetOrgPerson
• Similar to a user account
• Used for compatibility with other directory services

Organizational unit
• Used to group similar objects for administration

Group accounts
• Help simplify administration

Printers
• Used to simplify the process of locating and connecting to printers

Shared folders
• Used to simplify the process of locating and connecting to shared folders

Demonstration: Configuring AD DS User Accounts
In this demonstration, you will see how to configure AD DS user accounts

AD DS Group Types

Distribution groups
• Used only with e-mail applications
• Not security-enabled

Security groups
• Used to assign rights and permissions to groups of users and computers
• Used most effectively when nested

The functional level determines the types of groups that you can create

AD DS Group Scopes

Group scope   | Group members can include                                                                                   | Can be used to assign permissions
Domain local  | Universal groups, global groups, and other domain local groups from its own domain; accounts from any trusted domain | In the same domain
Global        | Users, groups, and computers from its own domain                                                            | In any trusted domain
Universal     | Users, groups, and computers as members from any trusted domain                                             | In any trusted domain
Local         | Users, groups, and computers as members from any trusted domain                                             | On the local computer

Default AD DS Groups

Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles:
• Account Operators
• Administrators
• Backup Operators
• Incoming Forest Trust Builders
• Network Configuration Operators
• Performance Log Users
• Performance Monitor Users
• Pre-Windows 2000 Compatible Access
• Print Operators
• Remote Desktop Users
• Replicator
• Server Operators
• Users

AD DS Special Identities

Special identities are designed to provide access to resources without administrative or user interaction:
• Anonymous Logon
• Authenticated Users
• Batch
• Creator Group
• Creator Owner
• Dialup
• Everyone
• Interactive
• Local System
• Network
• Self
• Service
• Terminal Server Users
• Other Organization
• This Organization

Discussion: Using Default Groups and Special Identities
Using the scenario, answer the questions in your workbook

Demonstration: Configuring AD DS Group Accounts
In this demonstration, you will see how to configure AD DS group accounts

Demonstration: Configuring Additional AD DS Objects
In this demonstration, you will see how to configure additional AD DS objects

Lesson 2: Strategies for Using Groups
• Options for Assigning Access to Resources
• Using Account Groups to Assign Access to Resources
• Using Account Groups and Resource Groups
• Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Options for Assigning Access to Resources
When assigning access to resources:
• Plan for the lowest level of permissions
• Keep the plan as simple as possible
• Document the plan

Options include:
• Adding user accounts to the ACL on the resource
• Adding user accounts to groups, and adding the groups to the ACL on the resource
• Adding user accounts to account groups, adding the account groups to resource groups, and adding the resource groups to the ACL on the resource

Using Account Groups to Assign Access to Resources

Diagram: User Accounts -> Account Groups -> Permissions

Using Account Groups and Resource Groups

Diagram: User Accounts -> Account Groups -> Resource Groups -> Permissions
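The third option above (account groups nested into resource groups, with only the resource group on the ACL), carried out in Windows PowerShell. This is an added example, not course material; it assumes the ActiveDirectory module (Windows Server 2008 R2 and later), and the OU, group, user and share names, and the CONTOSO domain, are hypothetical.

```powershell
# Added example (not from the course): account-group / resource-group strategy.
# Assumes the ActiveDirectory module; all names below are hypothetical.
Import-Module ActiveDirectory

$ou          = 'OU=Groups,DC=contoso,DC=com'   # assumed OU that holds the groups
$accountGrp  = 'ACC_Sales'                      # global group: WHO the users are
$resourceGrp = 'RES_SalesShare_Modify'          # domain local group: WHAT they may do
$share       = 'D:\Shares\Sales'                # folder whose ACL is being managed

# 1. Account group (global scope) holds the user accounts from this domain.
New-ADGroup -Name $accountGrp -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $accountGrp -Members 'jsmith', 'mjones'   # hypothetical users

# 2. Resource group (domain local scope) is the only principal placed on the ACL.
New-ADGroup -Name $resourceGrp -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 3. Nest the account group into the resource group.
Add-ADGroupMember -Identity $resourceGrp -Members $accountGrp

# 4. Grant the resource group Modify on the folder, inherited by files and subfolders.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CONTOSO\$resourceGrp", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: the explicit entries on the share should name groups, never individual users.
(Get-Acl -Path $share).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Adding or removing a user then only touches membership of the account group; the folder ACL never changes.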

Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Using the scenarios, answer the questions in your workbooks

Lesson 3: Automating AD DS Object Management
• Tools for Automating AD DS Object Management
• Configuring AD DS Objects Using Command-Line Tools
• Managing User Objects with LDIFDE
• Managing User Objects with CSVDE
• What Is Windows PowerShell?
• Windows PowerShell Cmdlets
• Demonstration: Configuring Active Directory Objects Using Windows PowerShell

Tools for Automating AD DS Object Management
• Active Directory Users and Computers
• Directory Service tools: Dsadd, Dsmod, Dsrm
• Csvde and Ldifde tools
• Windows PowerShell

Configuring AD DS Objects Using Command-Line Tools
Command-line tools:
• Dsadd
• Dsmod
• Dsrm
• Dsget
• net user
• net group
• net computer

Managing User Objects with LDIFDE

Diagram: LDIFDE.exe imports filename.ldf into Active Directory and exports Active Directory objects to filename.ldf
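An LDIF import and export as shown in the diagram, driven from Windows PowerShell. This is an added example, not course material; the OU, domain and user names are hypothetical, and the ldifde switches used (-i import, -f file, -k skip "already exists" errors, -d base DN, -r filter, -l attribute list) are the tool's documented ones.

```powershell
# Added example (not from the course): create two user objects with LDIFDE.exe.
# Names, OU and domain are hypothetical.
$ldf = @'
dn: CN=Jane Smith,OU=Sales,DC=contoso,DC=com
changetype: add
objectClass: user
sAMAccountName: jsmith
userPrincipalName: jsmith@contoso.com
displayName: Jane Smith
userAccountControl: 514

dn: CN=Mark Jones,OU=Sales,DC=contoso,DC=com
changetype: add
objectClass: user
sAMAccountName: mjones
userPrincipalName: mjones@contoso.com
displayName: Mark Jones
userAccountControl: 514
'@

# userAccountControl 514 = NORMAL_ACCOUNT (0x200) + ACCOUNTDISABLE (0x2).
# An LDIF import cannot set a password, so the accounts are created disabled and
# are enabled only after a password has been assigned by other means.
$file = Join-Path $env:TEMP 'new-users.ldf'
Set-Content -Path $file -Value $ldf -Encoding ASCII

# Import (-i) the file (-f); -k continues past "object already exists" errors.
ldifde -i -f $file -k
if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde returned $LASTEXITCODE; see ldif.err" }

# The export arrow of the diagram: dump the user objects of the OU back to LDIF.
ldifde -f (Join-Path $env:TEMP 'sales-export.ldf') `
       -d 'OU=Sales,DC=contoso,DC=com' `
       -r '(objectClass=user)' `
       -l 'sAMAccountName,userPrincipalName,displayName,userAccountControl'
```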

Managing User Objects with CSVDE

Diagram: CSVDE.exe imports filename.csv into Active Directory and exports Active Directory objects to filename.csv

What Is Windows PowerShell?
Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components

Windows PowerShell features include:
• Powerful single-line cmdlets
• Aliases
• Variables
• Pipelining
• Scripting support
• Access to all cmd.exe commands

Windows PowerShell Cmdlets
Windows PowerShell cmdlets all use the same Verb-Noun syntax:

Verb  | Noun    | Parameters | Example
Get   | Date    |            | Get-Date
Start | Service | W3SVC      | Start-Service W3SVC

Results from one cmdlet can be pipelined to another:
• Get-Service W3svc | format-list
• Get-Service | sort-object name
• Get-Service | where-object {$_.status -eq "running"} | sort-object name
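The same Verb-Noun and pipeline pattern applied to AD DS: enumerate the members of the privileged default groups from the "Default AD DS Groups" slide so that unexpected members stand out. This is an added example, not course material; it assumes the ActiveDirectory module (Windows Server 2008 R2 and later).

```powershell
# Added example (not from the course): pipeline-based review of who sits in the
# privileged default groups. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Default groups from the earlier slide that carry administrative rights.
$privilegedDefaults = 'Administrators', 'Account Operators', 'Backup Operators',
                      'Server Operators', 'Print Operators',
                      'Incoming Forest Trust Builders', 'Network Configuration Operators'

$privilegedDefaults |
    ForEach-Object {
        $group = $_
        # -Recursive expands nested groups, so indirect members are listed as well.
        Get-ADGroupMember -Identity $group -Recursive |
            Select-Object @{Name = 'Group'; Expression = { $group }},
                          Name, objectClass, SamAccountName
    } |
    Sort-Object Group, objectClass, Name |
    Format-Table -AutoSize
```

Each stage is a Verb-Noun cmdlet (Get-ADGroupMember, Select-Object, Sort-Object, Format-Table) joined by the pipeline, exactly as in the Get-Service examples above.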

Demonstration: Configuring Active Directory Objects Using Windows PowerShell
In this demonstration, you will see how to configure Active Directory Objects using Windows PowerShell

Lab A: Configuring Active Directory Objects
• Exercise 1: Configuring AD DS Objects
• Exercise 2: Implementing an AD DS Group Strategy
• Exercise 3: Automating the Management of AD DS Objects

Logon information

Virtual machines                              | User name     | Password
6425A-NYC-DC1, 6425A-NYC-DC2, 6425A-NYC-CL1   | Administrator | Pa$$w0rd

Estimated time: 40 minutes

Lab A Review
• How will the group strategies that you use in your organization compare with the strategy used in this lab?
• Which of the options for automating AD DS object management will be most useful in your organization?

Lesson 4: Delegating Administrative Access to AD DS Objects
• Active Directory Object Permissions
• Demonstration: Active Directory Domain Services Object Permission Inheritance
• What Are Effective Permissions?
• What Is Delegation of Control?
• Discussion: Scenarios for Delegating Control
• Demonstration: Configuring Delegation of Control

Active Directory Object Permissions
Active Directory permissions:
• Include standard permissions and special permissions:
  Standard permissions are the most frequently assigned permissions
  Special permissions provide a finer degree of control for assigning access to objects
• Can be allowed, implicitly denied, or explicitly denied
• Can be set at the object level, or inherited from the parent object

Demonstration: Active Directory Domain Services Object Permission Inheritance
In this demonstration, you will see how permissions are inherited for AD DS objects

What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group:
• Permissions are cumulative, including permissions assigned to the user account and to the group accounts
• Explicit deny permissions override allow permissions
• Explicit allow permissions override explicit deny permissions
• Object owners can always change permissions
• Special identities are not used when the Effective Permissions tool calculates special permissions

What Is Delegation of Control?
Assigns the responsibility of managing Active Directory objects to another user or group

• Delegated administration:
  Eases administration by distributing routine administrative tasks
  Provides users or groups more control over local network resources
  Eliminates the need for multiple administrative accounts

Diagram: a domain containing OU1, OU2 and OU3, with control of them delegated to Admin1, Admin2 and Admin3
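Delegation of control ends up as access control entries on the OU, so the permission properties from the "Active Directory Object Permissions" slide (allow or deny, standard or special, set on the object or inherited) can be read back from it. This added example, not course material, does that with the AD: drive of the ActiveDirectory module (Windows Server 2008 R2 and later); the OU path is hypothetical.

```powershell
# Added example (not from the course): review the permissions left on an OU by
# delegation of control. Assumes the ActiveDirectory module and its AD: drive;
# the OU below is hypothetical.
Import-Module ActiveDirectory
$ouDn = 'OU=Sales,DC=contoso,DC=com'

$acl = Get-Acl -Path "AD:\$ouDn"
Write-Host "Owner of $ouDn is $($acl.Owner)"   # the owner can always change permissions

# Inherited entries come from the parent object; entries that are NOT inherited
# were set on this OU, which is where delegated permissions appear.
# An empty ObjectType GUID means the right covers the whole object (a standard
# permission); a specific GUID limits it to one attribute or extended right (special).
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference,
                  AccessControlType,          # Allow or Deny
                  ActiveDirectoryRights,
                  @{Name = 'Scope'; Expression = {
                      if ($_.ObjectType -eq [guid]::Empty) { 'Whole object' } else { $_.ObjectType }
                  }},
                  InheritanceType |
    Sort-Object AccessControlType, IdentityReference |
    Format-Table -AutoSize

# Deny entries deserve a separate look: an explicit deny overrides an allow.
$acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Running the same script against a child OU shows the delegated entries again, now with IsInherited set, which is the inheritance behaviour the demonstration covers.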

Discussion: Scenarios for Delegating Control
• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?

Demonstration: Configuring Delegation of Control
In this demonstration, you will see how to configure delegation of control

Lesson 5: Configuring AD DS Trusts
• What Are AD DS Trusts?
• AD DS Trust Options
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• Demonstration: Configuring Trusts
• What Are User Principal Names?
• What Are the Selective Authentication Settings?
• Demonstration: Configuring Advanced Trust Settings

What Are AD DS Trusts?
Trusts provide a mechanism for users to gain access to resources in another domain

Trust characteristics:
• Transitive: the trust relationship extends beyond a two-domain trust to include other trusted domains
• Trust direction: the trust direction defines the account domain and the resource domain
• Authentication protocol: the protocol that you use to establish and maintain the trust

AD DS Trust Options
• Tree/root trust
• Parent/child trust
• Forest trust
• Shortcut trust
• Realm trust
• External trust

How Trusts Work Within a Forest

Diagram (labels only): Forest Root Domain; Tree One with its Tree Root Domain, Domain 1, Domain 2 and Domain A; Tree Two with Domain B and Domain C

How Trusts Work Between Forests

Diagram: a forest trust between WoodgroveBank.com and contoso.com; a user in Vancouver (EMEA.WoodgroveBank.com) reaches a resource in Seattle (NA.Contoso.com), with the global catalog of each forest shown on the path (numbered steps 1 to 9 of the original figure are not recoverable from the text)

Demonstration: Configuring Trusts
In this demonstration, you will see how to configure shortcut, external, and forest trusts

What Are User Principal Names?
• A UPN is a logon name that includes the user logon name and a domain suffix
• The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest

UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts

What Are the Selective Authentication Settings?

Selective authentication:
• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
• Is configured on the security descriptor of the computer object located in AD DS

To configure selective authentication:
• Configure the forest or external trust to use selective rather than domain-wide authentication
• Configure the computer accounts for selective authentication
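The two configuration steps above, preceded by a review of the existing trusts and their characteristics (direction, transitivity, type, selective authentication) from the "What Are AD DS Trusts?" slide. This is an added example, not course material; it assumes the ActiveDirectory module (Windows Server 2008 R2 and later) plus the netdom and dsacls tools, and the domain, computer and group names are hypothetical.

```powershell
# Added example (not from the course): audit trusts, then switch one to selective
# authentication. Assumes the ActiveDirectory module; names are hypothetical.
Import-Module ActiveDirectory

# 1. Review every trust of the current domain with the attributes from this lesson.
Get-ADTrust -Filter * |
    Select-Object Name,
                  Direction,                 # Inbound, Outbound or BiDirectional
                  TrustType,                 # Uplevel (AD DS), Downlevel, MIT (realm) ...
                  ForestTransitive,          # $true for a forest trust
                  IntraForest,               # parent/child, tree-root, shortcut trusts
                  SelectiveAuthentication |  # $false means domain-wide authentication
    Format-Table -AutoSize

# Trusts to other forests or domains that still use domain-wide authentication:
# every user of the trusted domain can authenticate to every computer here.
Get-ADTrust -Filter * |
    Where-Object { -not $_.IntraForest -and -not $_.SelectiveAuthentication } |
    Select-Object Name, Direction, TrustType

# 2. Step one of the slide: make the trust with the (hypothetical) partner forest
#    selective. Run in the trusting (resource) domain with its administrator rights.
netdom trust contoso.com /d:woodgrovebank.com /SelectiveAuth:Yes

# 3. Step two of the slide: grant the partner group the "Allowed to Authenticate"
#    extended right on the one computer object its users may reach (dsacls syntax;
#    the computer DN and the WOODGROVE\SalesUsers group are hypothetical).
dsacls 'CN=FS01,OU=Servers,DC=contoso,DC=com' /G 'WOODGROVE\SalesUsers:CA;Allowed to Authenticate'
```

Re-running step 1 afterwards should show SelectiveAuthentication as $true for the changed trust.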

Demonstration: Configuring Advanced Trust Settings
In this demonstration, you will see how to configure advanced trust settings

Lab B: Configuring Active Directory Delegation and Trusts
• Exercise 1: Delegating Control of AD DS Objects
• Exercise 2: Configuring AD DS Trusts

Logon information

Virtual machines                                | User name     | Password
6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-SVR1    | Administrator | Pa$$w0rd

Estimated time: 20 minutes

Lab B Review
• After the trusts are configured as described in the lab, what resources will users in Woodgrove Bank be able to access in the NorthwindTraders.com domain?
• How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?

Module Review and Takeaways
• Review questions
• Considerations for configuring Active Directory objects
• Tools

