
Module 3: Configuring Active Directory Objects and Trusts



  1. Module 3: Configuring Active Directory Objects and Trusts

  2. Module Overview • Configuring Active Directory Objects • Strategies for Using Groups • Automating AD DS Object Management • Delegating Administrative Access to AD DS Objects • Configuring AD DS Trusts

  3. Lesson 1: Configuring Active Directory Objects • Types of AD DS Objects • Demonstration: Configuring AD DS User Accounts • AD DS Group Types • AD DS Group Scopes • Default AD DS Groups • AD DS Special Identities • Discussion: Using Default Groups and Special Identities • Demonstration: Configuring AD DS Group Accounts • Demonstration: Configuring Additional AD DS Objects

  4. Types of AD DS Objects • User accounts: enable single sign-on for a user and provide access to resources • InetOrgPerson: similar to a user account; used for compatibility with other directory services • Computer accounts: enable authentication and auditing of computer access to resources • Organizational units: used to group similar objects for administration • Group accounts: help simplify administration • Printers: used to simplify the process of locating and connecting to printers • Shared folders: used to simplify the process of locating and connecting to shared folders

  5. Demonstration: Configuring AD DS User Accounts In this demonstration, you will see how to configure AD DS user accounts

  6. AD DS Group Types Distribution groups • Used only with e-mail applications • Not security-enabled Security groups • Used to assign rights and permissions to groups of users and computers • Used most effectively when nested • The functional level determines the type of groups that you can create

  7. AD DS Group Scopes • Domain Local – can be used to assign permissions in the same domain; members can include universal groups, global groups, and other domain local groups from its own domain, and accounts from any trusted domain • Global – can be used to assign permissions in any trusted domain; members can include users, groups, and computers from its own domain • Universal – can be used to assign permissions in any trusted domain; members can include users, groups, and computers from any trusted domain • Local – can be used to assign permissions on the local computer; members can include users, groups, and computers from any trusted domain

  8. Default AD DS Groups Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles • Account operators • Administrators • Backup operators • Incoming forest trust builders • Network configuration operators • Performance log users • Performance monitor users • Pre-Windows 2000 compatible access • Print operators • Remote Desktop users • Replicator • Server operators • Users

  9. AD DS Special Identities Designed to provide access to resources without administrative or user interaction • Anonymous logon • Authenticated users • Batch • Creator group • Creator owner • Dialup • Everyone • Interactive • Local system • Network • Self • Service • Terminal Server users • Other organization • This organization

  10. Discussion: Using Default Groups and Special Identities Using the scenario, answer the questions in your workbook

  11. Demonstration: Configuring AD DS Group Accounts In this demonstration, you will see how to configure AD DS group accounts

  12. Demonstration: Configuring Additional AD DS Objects In this demonstration, you will see how to configure additional AD DS objects

  13. Lesson 2: Strategies for Using Groups • Options for Assigning Access to Resources • Using Account Groups to Assign Access to Resources • Using Account Groups and Resource Groups • Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

  14. Options for Assigning Access to Resources When assigning access to resources: • Plan for the lowest level of permissions • Keep the plan as simple as possible • Document the plan Options include: • Adding user accounts to the ACL on the resource • Adding user accounts to groups, and adding the groups to the ACL on the resource • Adding user accounts to account groups, adding the account groups to resource groups, and adding the resource groups to the ACL on the resource

  15. Using Account Groups to Assign Access to Resources (diagram: user accounts are added to account groups, and permissions are assigned to the account groups)

  16. Using Account Groups and Resource Groups (diagram: user accounts are added to account groups, account groups are added to resource groups, and permissions are assigned to the resource groups)
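An added example, not part of the course material, showing the account-group and resource-group strategy of slides 14 through 16 with the ActiveDirectory PowerShell module and NTFS permissions. The domain CONTOSO/contoso.com, the Groups OU, the folder D:\Shares\Sales, and the accounts alindqvist and rdesai are assumed names.

```powershell
# Added example: account groups (global) hold people, resource groups (domain local)
# hold permissions, and only resource groups appear on the ACL. Assumed names:
# domain CONTOSO/contoso.com, OU=Groups, folder D:\Shares\Sales, users alindqvist, rdesai.
Import-Module ActiveDirectory

$groupsOu  = "OU=Groups,DC=contoso,DC=com"
$shareRoot = "D:\Shares\Sales"

# 1. Account group: membership describes a role, never a resource
$acct = New-ADGroup -Name "Sales-Staff" -GroupScope Global -GroupCategory Security `
            -Path $groupsOu -Description "All sales employees" -PassThru

# 2. Resource groups: one per resource and permission level
$resModify = New-ADGroup -Name "Share-Sales-Modify" -GroupScope DomainLocal `
                 -GroupCategory Security -Path $groupsOu -PassThru
$resRead   = New-ADGroup -Name "Share-Sales-Read" -GroupScope DomainLocal `
                 -GroupCategory Security -Path $groupsOu -PassThru

# 3. Nest: users -> account group -> resource group
Add-ADGroupMember -Identity $acct      -Members "alindqvist", "rdesai"   # constructed sample accounts
Add-ADGroupMember -Identity $resModify -Members $acct

# 4. The ACL carries only resource groups plus SYSTEM and Administrators: no user
#    accounts, and no inherited "Users: Read" from the parent (lowest level of permissions)
$acl = Get-Acl -Path $shareRoot
$acl.SetAccessRuleProtection($true, $false)      # block inheritance, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$entries = @(
    @{ Id = "CONTOSO\Share-Sales-Modify"; Rights = "Modify" },
    @{ Id = "CONTOSO\Share-Sales-Read";   Rights = "ReadAndExecute" },
    @{ Id = "NT AUTHORITY\SYSTEM";        Rights = "FullControl" },
    @{ Id = "BUILTIN\Administrators";     Rights = "FullControl" }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $e.Id, $e.Rights, $inherit, "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $shareRoot -AclObject $acl

# 5. Review the chain: who reaches the share, resolved through the nested groups
Get-ADGroupMember -Identity $resModify -Recursive | Select-Object SamAccountName, objectClass
```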

  17. Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment Using the scenarios, answer the questions in your workbooks

  18. Lesson 3: Automating AD DS Object Management • Tools for Automating AD DS Object Management • Configuring AD DS Objects Using Command-Line Tools • Managing User Objects with LDIFDE • Managing User Objects with CSVDE • What Is Windows PowerShell? • Windows PowerShell Cmdlets • Demonstration: Configuring Active Directory Objects Using Windows PowerShell

  19. Tools for Automating AD DS Object Management Active Directory Users and Computers Directory Service Tools • Dsadd • Dsmod • Dsrm Csvde and Ldifde Tools Windows PowerShell

  20. Configuring AD DS Objects Using Command Line Tools Command line tools: • Dsadd • Dsmod • Dsrm • Dsget • net user • net group • net computer

  21. Managing User Objects with LDIFDE • LDIFDE.exe imports objects into Active Directory from, and exports objects from Active Directory to, an LDIF file (filename.ldf)

  22. Managing User Objects with CSVDE • CSVDE.exe imports objects into Active Directory from, and exports objects from Active Directory to, a comma-separated file (filename.csv)
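An added example, not from the course, for the LDIFDE slide: it generates an LDIF file from a list of users, imports it, and exports the OU afterwards for review. The domain contoso.com, OU=Staff, and the two-row input are constructed assumptions.

```powershell
# Added example: bulk-create user objects with LDIFDE by generating an LDIF file
# from a CSV list, then export the result for review. Assumed names: domain
# contoso.com, OU=Staff, and the constructed two-row sample input below.
$ouDn      = "OU=Staff,DC=contoso,DC=com"
$upnSuffix = "contoso.com"
$ldifPath  = Join-Path $env:TEMP "new-users.ldf"
$logDir    = $env:TEMP

# Constructed sample input; in production use Import-Csv .\users.csv
$users = @"
GivenName,Surname,SamAccountName
Anna,Lindqvist,alindqvist
Ravi,Desai,rdesai
"@ | ConvertFrom-Csv

# One LDIF change record per user. userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE:
# LDIFDE cannot set a password over a plain LDAP bind, so create the accounts disabled,
# set each password with a separate tool, then enable. Never import enabled, password-less accounts.
$records = foreach ($u in $users) {
    $cn = "$($u.GivenName) $($u.Surname)"
@"
dn: CN=$cn,$ouDn
changetype: add
objectClass: user
cn: $cn
sAMAccountName: $($u.SamAccountName)
userPrincipalName: $($u.SamAccountName)@$upnSuffix
givenName: $($u.GivenName)
sn: $($u.Surname)
displayName: $cn
userAccountControl: 514

"@
}
Set-Content -Path $ldifPath -Value $records -Encoding ASCII   # sample values are ASCII-only

# Import: -i import mode, -f file, -k continue past "object already exists", -j log directory
ldifde -i -f $ldifPath -k -j $logDir

# Export the OU's user objects (-d root, -r LDAP filter, -l attribute list) to verify the result
ldifde -f (Join-Path $env:TEMP "staff-export.ldf") -d $ouDn -r "(objectClass=user)" `
       -l "sAMAccountName,userPrincipalName,userAccountControl"
```

The export can be diffed against the generated file to confirm that every record was created with userAccountControl 514 and nothing else was touched.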

  23. What Is Windows PowerShell? Windows PowerShell is a scripting and command line technology that you can use to manage AD DS and other Windows components Windows PowerShell features include: • Powerful single line cmdlets • Aliases • Variables • Pipelining • Scripting support • Access to all cmd.exe commands

  24. Windows PowerShell Cmdlets Windows PowerShell cmdlets all use the same syntax: Verb-Noun [Parameters]. Examples: Get-Date (verb Get, noun Date, no parameters); Start-Service W3SVC (verb Start, noun Service, parameter W3SVC). Results from one cmdlet can be pipelined to another: • Get-Service W3svc | format-list • Get-Service | sort-object name • Get-Service | where-object {$_.status -eq "running"} | sort-object name

  25. Demonstration: Configuring Active Directory Objects Using Windows PowerShell In this demonstration, you will see how to configure Active Directory Objects using Windows PowerShell

  26. Lab A: Configuring Active Directory Objects • Exercise 1: Configuring AD DS Objects • Exercise 2: Implementing an AD DS Group Strategy • Exercise 3: Automating the Management of AD DS Objects Logon information Estimated time: 40 minutes

  27. Lab A Review • How will the group strategies that you use in your organization compare with the strategy used in this lab? • Which of the options for automating AD DS object management will be most useful in your organization?

  28. Lesson 4: Delegating Administrative Access to AD DS Objects • Active Directory Object Permissions • Demonstration: Active Directory Domain Services Object Permission Inheritance • What Are Effective Permissions? • What Is Delegation of Control? • Discussion: Scenarios for Delegating Control • Demonstration: Configuring Delegation of Control

  29. Active Directory Object Permissions Active Directory permissions: • Include standard permissions and special permissions: • Standard permissions are the most frequently assigned permissions • Special permissions provide a finer degree of control for assigning access to objects • Can be allowed, implicitly denied, or explicitly denied • Can be set at the object level, or inherited from the parent object

  30. Demonstration: Active Directory Domain Services Object Permission Inheritance In this demonstration, you will see how permissions are inherited for AD DS objects

  31. What Are Effective Permissions? Effective permissions are the actual permissions that are granted to the specified user or group • Permissions are cumulative, including permissions assigned to the user account and the group account • Explicit deny permissions override allow permissions • Explicit allow permissions override inherited deny permissions • Object owners can always change permissions • Special identities are not taken into account when the Effective Permissions tool calculates permissions

  32. What Is Delegation of Control? Assigns the responsibility of managing Active Directory objects to another user or group (diagram: Admin1, Admin2, and Admin3 are each delegated control of one of OU1, OU2, and OU3 within the domain) • Delegated administration: • Eases administration by distributing routine administrative tasks • Provides users or groups more control over local network resources • Eliminates the need for multiple administrative accounts
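An added example, not part of the course, that delegates a single routine task (password reset) on one OU with dsacls and then reads the resulting ACEs back. The domain CONTOSO/contoso.com, the group CONTOSO\Helpdesk, and OU=Staff are assumed names.

```powershell
# Added example: delegate "reset password" on one OU to a helpdesk group with
# dsacls, then list the resulting ACEs. Assumed names: domain CONTOSO/contoso.com,
# group CONTOSO\Helpdesk, OU=Staff. Run as a domain administrator.
Import-Module ActiveDirectory
$ou = "OU=Staff,DC=contoso,DC=com"

# /I:S = inherit to sub-objects only (not the OU itself), limited to objectClass user.
# CA = control-access (extended) right; WP = write property.
dsacls $ou /I:S /G "CONTOSO\Helpdesk:CA;Reset Password;user"
dsacls $ou /I:S /G "CONTOSO\Helpdesk:WP;pwdLastSet;user"   # needed for "change at next logon"

# Review what was delegated: exactly this scope, nothing more
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "CONTOSO\Helpdesk" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType

# Periodic check: any identity holding broad rights on the OU (GenericAll, WriteDacl,
# WriteOwner) is a delegation wider than the scenario and should be reviewed.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.AccessControlType -eq "Allow" -and
                   $_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner" } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

ObjectType is shown as the GUID of the extended right or attribute; the Reset Password entry is recognisable by its InheritedObjectType matching the user class.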

  33. Discussion: Scenarios for Delegating Control • What are the benefits of delegating administrative permissions? • How would you use delegation of control in your organization?

  34. Demonstration: Configuring Delegation of Control In this demonstration, you will see how to configure delegation of control

  35. Lesson 5: Configuring AD DS Trusts • What Are AD DS Trusts? • AD DS Trust Options • How Trusts Work Within a Forest • How Trusts Work Between Forests • Demonstration: Configuring Trusts • What Are User Principal Names? • What Are the Selective Authentication Settings? • Demonstration: Configuring Advanced Trust Settings

  36. What Are AD DS Trusts? Provide a mechanism for users to gain access to resources in another domain Trust characteristics: • Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains • Trust direction – the trust direction defines the account domain and the resource domain • Authentication protocol – the protocol that you use to establish and maintain the trust

  37. AD DS Trust Options (diagram of Forest 1, Forest 2, and a Kerberos realm, each forest with a root domain and child domains, showing each trust type: parent/child trust, tree/root trust, shortcut trust, external trust, forest trust between Forest 1 and Forest 2, and realm trust to the Kerberos realm)

  38. How Trusts Work Within a Forest (diagram: a forest root domain and two domain trees, Tree One and Tree Two, containing a tree root domain and Domains 1, 2, A, B, and C, joined by parent/child and tree/root trusts)

  39. How Trusts Work Between Forests (diagram: a forest trust between Forest 1, contoso.com with child domain NA.Contoso.com, and Forest 2, WoodgroveBank.com with child domain EMEA.WoodgroveBank.com; each forest has a global catalog, locations labelled Seattle and Vancouver, and numbered steps 1 through 9 trace the cross-forest authentication path)

  40. Demonstration: Configuring Trusts In this demonstration, you will see how to configure shortcut, external, and forest trusts

  41. What Are User Principal Names? • A UPN is a logon name that includes the user logon name and a domain suffix • The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name • Additional UPN domain suffixes can be added • UPNs must be unique in a forest UPN suffixes can be used for routing authentication requests between trusted forests: • UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests • You can manually enable or disable name suffix routing across trusts

  42. What Are the Selective Authentication Settings? Selective authentication: • Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer • Is configured on the security descriptor of the computer object located in AD DS To configure selective authentication: • Configure the forest or external trust to use selective rather than domain-wide authentication • Configure the computer accounts for selective authentication
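The two configuration steps above, carried out as an added example that is not part of the course: the trust is switched to selective authentication with netdom, and one trusted-forest group is then granted the Allowed to Authenticate right on one computer object. The forests contoso.com and woodgrovebank.com, the computer FS01, and the group WOODGROVEBANK\Sales-Staff are assumed names; the right is named as it appears in the Extended-Rights container.

```powershell
# Added example: switch an existing forest trust to selective authentication, then
# grant one trusted-forest group "Allowed to Authenticate" on one file server.
# Assumed names: trusting (resource) forest contoso.com, trusted (account) forest
# woodgrovebank.com, computer FS01 in contoso.com, group WOODGROVEBANK\Sales-Staff.
# Run as an administrator in the trusting forest.
Import-Module ActiveDirectory
$trusting = "contoso.com"
$trusted  = "woodgrovebank.com"

# Step 1: trust-wide setting. From now on, users from $trusted are refused on every
# computer in $trusting whose computer object does not explicitly allow them to authenticate.
netdom trust $trusting /domain:$trusted /SelectiveAuth:Yes
netdom trust $trusting /domain:$trusted /verify

# Step 2: per-computer grant on the computer object's security descriptor.
# "Allowed to Authenticate" is a control-access (CA) right, so dsacls grants it by name.
$computerDn = (Get-ADComputer -Identity "FS01").DistinguishedName
dsacls $computerDn /G "WOODGROVEBANK\Sales-Staff:CA;Allowed to Authenticate"

# Review: which trusted-forest principals may authenticate to this server
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.IdentityReference -like "WOODGROVEBANK\*" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
```

Repeating the review across all computer objects in the forest shows which servers are reachable from the trusted forest after the change, which is the inventory a resource-forest owner should keep.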

  43. Demonstration: Configuring Advanced Trust Settings In this demonstration, you will see how to configure advanced trust settings

  44. Lab B: Configuring Active Directory Delegation and Trusts • Exercise 1: Delegating Control of AD DS Objects • Exercise 2: Configuring AD DS Trusts Logon information Estimated time: 20 minutes

  45. Lab B Review • After the trusts are configured as described in the lab, what resources will users in Woodgrove Bank be able to access in the NorthwindTraders.com domain? • How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?

  46. Module Review and Takeaways • Review questions • Considerations for configuring Active Directory objects • Tools
