active directory network
TRANSCRIPT
-
7/24/2019 Active Directory network
1/52
Introduction of Network
NETWORK:
A network is a collection of computers connected together.
NETWORKING:
It is a process of communication between the interconnected devices, basically to share the network resources.
Benefits of Networking:
1. Share resources.
i) Data
ii) Hardware
2. Share S/W
3. Sharing of license
Network is a collection of computers connected together to get benefited from networking.
Networking: Networking is a process of communication among systems.
Types of Networks
1) Local Area Network (LAN):
Systems connected within the same geographical area are called a LAN. A LAN can span 2 kilometers.
Components of LAN:
1. NIC (Network Interface Card)
2. Cable – Coaxial, cat5 or cat6
3. Hubs or Switches.
2) Metropolitan Area Networking:
MAN is a combination of LANs or WANs located and connected within the same city.
http://system-administration-material.blogspot.com/2008/06/introduction-of-network.html
http://system-administration-material.blogspot.com/2008/06/types-of-networks.html
Components of MAN:
1. Router
2. Brouter (Brouter is a combination of bridge or router)
3. ATM Switches
4. DSL connectivity (DSL – Digital Subscriber Link) ex: Star cables.
3) Wide Area Networking (WAN):
Interconnection of LANs or MANs located within the same geographical area or a different area; it depends on telecommunication services.
Components of WAN: Same as MAN:
Network Devices
Hubs, Switches, Routers and NICs.
HUB:
Hub is a centralized device that provides communication among systems; when we have more than 2 computers we need to have a device called hub to interconnect them.
Disadvantage of a Hub:
1) When we want to transfer some data from one system to another system.
2) If our network has 24 systems, the data packet, instead of being sent only to the destined system, is sent to all the network participants, i.e. 24 systems.
3) Hubs follow broadcasting
SWITCH:
1) It is an advanced version over a Hub.
2) The main benefit of a switch is Unicast. Data packets are transmitted only to the target computer instead of all.
3) Switch maintains a table called MIT (Mac Information Table) which is generated as soon as we turn on the switch; it acts like an index table and eases the process of finding the networked system. MIT contains the port no, IP address and MAC address.
MAC (Media Access Control): It is an address burnt in the NIC by the manufacturer.
MAC address is of 48 bits in the form of Hexadecimal.
Every NIC has its own unique MAC address.
MAC address determines the physical location of a system.
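The hub-versus-switch behaviour described above, as an added toy model that is not part of the original notes: a Hub repeats every frame out of every other port, while the Switch learns each source MAC into its MAC-to-port table (the notes' "MIT") and delivers known unicast destinations to a single port, flooding only broadcasts and unknown destinations. The port numbers and MAC addresses are constructed for the demo; the Switch also records a MAC that turns up on a different port, which is the kind of table change a defender wants logged.

```python
from dataclasses import dataclass

# Constructed toy model (added example): how a hub repeats every frame to
# every port, while a switch builds a MAC -> port table and delivers unicast.

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str


def is_valid_mac(mac: str) -> bool:
    """A MAC address is 48 bits, written as six hexadecimal octets."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        return False
    return all(len(p) == 2 and all(c in "0123456789abcdef" for c in p)
               for p in parts)


class Hub:
    """Repeats every incoming frame out of every other port (broadcasting)."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """Learns source MACs per port and forwards unicast where it can."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC address -> port (the notes' 'MIT')
        self.moves = []   # (mac, old_port, new_port): a MAC seen on a new port

    def forward(self, in_port, frame):
        if not (is_valid_mac(frame.src) and is_valid_mac(frame.dst)):
            raise ValueError("malformed MAC address")
        # Learning step: the source MAC is reachable through in_port.
        old = self.table.get(frame.src)
        if old is not None and old != in_port:
            self.moves.append((frame.src, old, in_port))
        self.table[frame.src] = in_port
        # Broadcast or unknown destination: flood like a hub would.
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return sorted(p for p in self.ports if p != in_port)
        out = self.table[frame.dst]
        return [] if out == in_port else [out]


def demo():
    """Run the same three frames through a hub and a switch (constructed data)."""
    a, b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    frames = [(1, Frame(a, b, "hello")), (2, Frame(b, a, "reply")),
              (1, Frame(a, b, "again"))]
    hub, sw = Hub([1, 2, 3, 4]), Switch([1, 2, 3, 4])
    return ([hub.forward(p, f) for p, f in frames],
            [sw.forward(p, f) for p, f in frames])


if __name__ == "__main__":
    print(demo())
```

The first frame is flooded by both devices because the switch has not yet learned where the destination lives; from the reply onwards only the switch narrows delivery to one port.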
ROUTER:
Router is a device that connects two different networks.
Class A network with Class C network etc.
Routing is a process of communication between two different networks.
Topology
The way of cabling is called topology.
The architecture of a network is called topology.
There are 2 Topologies:
1) Network Topologies
2) Logical Topologies
Network Topologies:
E.g.: Bus, Star, Ring, and Mesh Topologies.
Bus Topology:
Components of Bus Topology:
1. Co
hub or a switch; it uses cat5/6 cables.
It uses connectors called RJ45 (Recommend Jack).
Star topology offers faster data transfer or processing.
Ring Topology:
Ring topology is useful when we want redundancy (fault tolerance); we go with this type of topology.
Ring topology uses a device called MSAU (Multi Station Access Unit).
It is a unit inside which a logical ring is formed. This ring ensures the availability of the Network. The availability of the ring ensures availability of the network.
It was basically implemented in IBM networks.
Logical Topologies:
There are 2 types:
1) Workgroup 2) Domain
Workgroup (peer to peer):
1 Collection of computers connected together to share the resources.
2 No servers are used.
3 Only Client OS is mostly used.
4 Any O/S like DOS, 95, 98, workstation, win 2000 pro, and XP pro can be configured as work
1. Desktop O.S.: DOS, 95, WKS, 98, 2k Prof., XP
22 Processor: Pentium 733MHz
23 HDD free space 1.5GB
24 SMP: 64 processors
IP
Class E: Used for Experimentation.
The first four bits of the first octet are reserved as (1111).
The first bit of the first octet is called the priority bit, which determines the class of the N/W.
0.0.0.0 is reserved as N/W ID.
255.255.255.255 is reserved as broadcast ID.
127.0.0.1 is reserved as loop back ID.
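The address-class and reserved-address rules above, as an added example that is not part of the original notes: the class is read from the high-order bits of the first octet (0, 10, 110, 1110, 1111), the three reserved addresses the notes list are flagged, and a helper decides whether two hosts sit in the same classful network, which is the case where no router is needed. The classful default prefix lengths (/8, /16, /24) are an assumption added here for that helper; the sample addresses are constructed.

```python
# Added example (not from the notes): classify an IPv4 address by the leading
# bits of its first octet and flag the reserved addresses the notes list.


def _octets(addr: str):
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {addr!r}")
    return octets


def address_class(addr: str) -> str:
    """Return 'A'..'E' from the high-order bits of the first octet."""
    first = _octets(addr)[0]
    if first >> 7 == 0b0:        # 0xxxxxxx
        return "A"
    if first >> 6 == 0b10:       # 10xxxxxx
        return "B"
    if first >> 5 == 0b110:      # 110xxxxx
        return "C"
    if first >> 4 == 0b1110:     # 1110xxxx
        return "D"
    return "E"                   # 1111xxxx


def reserved_use(addr: str):
    """Special addresses from the notes; None for an ordinary host address."""
    octets = _octets(addr)
    if octets == [0, 0, 0, 0]:
        return "network ID"
    if octets == [255, 255, 255, 255]:
        return "broadcast ID"
    if octets[0] == 127:
        return "loopback"
    return None


# Assumed classful default prefix lengths; classes D and E have none.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def same_classful_network(a: str, b: str) -> bool:
    """True if both hosts share a classful network, so no router is needed."""
    ca, cb = address_class(a), address_class(b)
    if ca != cb or ca not in DEFAULT_PREFIX:
        return False
    n = DEFAULT_PREFIX[ca] // 8
    return _octets(a)[:n] == _octets(b)[:n]


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.0.1", "192.168.1.1", "224.0.0.1",
                   "240.0.0.1", "127.0.0.1"):
        print(sample, address_class(sample), reserved_use(sample))
```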
Implementing/Configuring TCP/IP:
On Desktop
Right click on my network places
Purpose of A.D.:
1. Provides user logon authentication services.
2. To organize and manage user A/Cs, computers, groups and n/w resources.
3. Enables authorized users to easily locate n/w resources.
Features of A.D.:
1. Fully integrated security system with the help of Kerberos.
2. Easy administration using group policy.
3. Scalable to any size n/w
4. Flexible (install/uninstall)
5. Extensible (modify the schema)
New features in 2003
6. Rename computer name & Domain names.
7. Cross-forest trust relationship.
8. Site
Step 1: on 2003 machine
Start → Run → dcpromo → next → next
Select domain controller for a new domain
Domain in a new forest → next → Specify the domain name (Ex: zoom.com)
Net bios name (do nothing) → Next
database → next
sysvol → next
Select middle one → next
Provide pwd → next
Restart when it prompts
After installing A.D.:
Go to
Start → programs → administration tools
We should notice 5 options like ADUC, ADDT, ADSS, DCSP, and DSP
Removal of Active Directory
Safe removal of A.D.:
Start → run → dcpromo
Forceful removal of A.D.:
Start → run → dcpromo /forceremoval
Tools used for Active Directory
Active Directory Domains and Trusts:
1 Implementing trusts
2 Raising domain/forest functional levels
3 Adding user logon suffixes
Active Directory Sites and Services:
25 Configuring intrasite/intersite replication
26 Configuring global catalog
27 Creation of sites, site links, subnets.
28 Scheduling replication
Active Directory Users and Computers:
29 Managing users/groups
30 Managing computers.
31 Managing OUs
32 Managing Group Policy (Domain Level)
33 Managing Operations masters.
34 Raising domain functional level.
Domain controller security policy:
1 Set account, audit and password policies
2 Set user rights
3 Permissions or policies pertain only to the DC where you set them.
Domain security policy:
4 Set account, audit and password policies
5 Set user rights
6 Permissions or policies pertain to the DC as well as to all the domains within.
Additional Domain Controller
Requirements:
D.C.
Static I.P.
DNS
Stand
Step 2: start → run → dcpromo → next → next → select ADC for an existing domain
38 Specify administrator's name & pwd.
39 Domain name of DC (eg. zoom.com)
40 Browse the domain
41 Next → next → restore pwd.
ADC is a backup for DC
42 ADC maintains a backup copy of A.D., which will be in read only format.
43 ADCs provide fault tolerance & load balancing
44 There can be any no. of ADCs for a DC.
45 ADCs should be placed and maintained offsite, away from the DC.
46 ADC maintains the same domain name.
Verifying whether the server is configured as DC or ADC:
47 Start → run → cmd → net accounts
48 For DC we will find "Primary"
49 For ADC we will find "Backup"
Active Directory Component
Logical Structure: Domains, Trees, Forest, Organizational Unit
Physical Structure: Sites, Domain Controllers
A.D. Components:
1 Logical structure is useful for organizing the network.
2 Logical components cannot be seen.
3 Physical structure is useful for representing our organization, for developing the organizational structure.
4 It reflects (mirrors) the organization.
5 Physical structure can be seen. Ex. Site – India, US, UK etc.
TREE:
A tree is a group of domains which share a contiguous name space.
If more than one domain exists we can combine the multiple domains into hierarchical tree structures.
The first domain created is the root domain of the first tree.
Additional domains in the same domain tree are child domains.
A domain immediately above another domain in the same domain tree is its parent.
FOREST:
Multiple domain trees within a single forest do not form a contiguous namespace, i.e. they have non
Practical Steps for Site
Implementing sites:
Forceful replication:
On DC
Start → programs → admin tools → ADSS → expand sites → default first site → servers
Expand DC server → NTDS settings → right click on automatically generated → replicate now → ok.
Repeat the same for DC & ADC
Creating a site:
Open ADSS → Right click on sites → New site → Site name (e.g. UK, US) → Select default site link → Ok
Moving ADC into another site:
Select ADC → Right click on ADC → Select move → Select site.
Creating a Site link:
Expand inter site transports → Right click on IP → Select new site link
Link name (ex. Link US – UK)
Scheduling a site link:
Expand inter site transport → IP → Double click on site link → Change schedule
Click on replication not available → set the timings → click on replication available.
NTDS.DIT:
KCC (Knowledge Consistency Checker):
It is a service of A.D., which is responsible for intimating, or updating, the changes made either in DC or ADC.
Active Directory is saved in a file called NTDS.DIT
C:\windows\ntds\ntds.dit
NTDS.DIT = New Technology Directory Services. Directory Information Tree
It is a file logically divided into four partitions.
1. Schema partition
2. Configuration partition
3. Domain partition
4. Application partition
It is a set of rules; the schema defines AD. It is of 2 parts: classes & attributes. AD is constructed with the help of classes and attributes.
1. Schema:
Logical partition in AD database; "template" for AD database.
Forms the database structures in which data is stored.
Extensible
Dynamic
Protected by ACL (Access Control Lists): DACLs and SACLs (Directory & System ACLs)
One schema for the AD forest.
Collection of objects is called a class.
Piece of information about the object is called an attribute.
2. Configuration Partition:
Logical partition in AD database.
1 "map" of AD implementation
2 Contains information used for replication, logon, searches.
3 Domains
4 Trust relationships
5 Sites & site links
6 Subnets
7 Domain controller locations.
3. Domain Partition:
1 Logical partition in AD database.
2 Collections of users, computers, groups etc.
3 Units of replication.
4 Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain.
5 DCs do not replicate domain partition information for other domains
4. Application Partition:
1 It is a newly added partition in win2003. It can be added or removed
2 It can be replicated only to the specified DCs.
3 Useful when we are using AD integrated services like DNS, TAPI services etc.
FSMO Roles:
Flexible Single Master Operations Roles:
Forest wide Master Operation:
1. Schema master 2. Domain Naming master
Domain wide master operation:
3. PDC emulator
4. RID master
5. Infrastructure master
1. Schema Master:
Responsible for overall management of the entire schema in a forest.
The first DC installed acts as the schema master in the entire forest.
There can be only one schema master in the entire forest.
2. Domain Naming Master:
Responsible for addition/removal of domains. It maintains the uniqueness of domain names.
There can be only one DNM in the entire forest.
3. PDC emulator:
PDC provides backward compatibility for existing NT BDCs and workstations.
(If it is running in mixed mode)
PDC updates the password changes made by the users.
It is also responsible for synchronizing the time.
There can be only one PDC emulator per domain.
4. RID master:
Responsible for assigning unique IDs to the objects created in the domain.
There can be only one RID master per domain.
SID – Security Identifier; it maintains an access control list. It is divided into two parts.
1. DID (Domain Identifier)
2. RID (Relative Identifier)
For knowing the SID of the user:
Start → run → cmd → whoami /user
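The two-part SID structure described above (domain identifier plus RID, the RID being the value the RID master hands out), as an added example that is not part of the original notes: the function splits a SID string of the form printed by `whoami /user` into the domain SID and the RID, and names the well-known RIDs. The well-known-RID table is an assumption added here (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 513 Domain Users, 519 Enterprise Admins; RIDs from 1000 upwards come from the RID pool); the sample SIDs are constructed.

```python
# Added example, not from the notes: split a Windows SID string into the
# domain identifier and the RID, and name the well-known RIDs.

# Assumed well-known RID table (fixed values, not taken from the notes).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid: str) -> dict:
    """Return authority, sub-authorities, domain SID, RID and a RID label."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in {sid!r}") from None
    result = {"authority": authority, "sub_authorities": subs,
              "domain_sid": None, "rid": None, "well_known": None}
    # Domain SIDs look like S-1-5-21-<a>-<b>-<c>; an account in the domain
    # appends one more sub-authority, the RID.
    if authority == 5 and len(subs) >= 4 and subs[0] == 21:
        result["domain_sid"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        if len(subs) == 5:
            rid = subs[4]
            result["rid"] = rid
            if rid in WELL_KNOWN_RIDS:
                result["well_known"] = WELL_KNOWN_RIDS[rid]
            elif rid >= 1000:
                result["well_known"] = "allocated from RID pool"
            else:
                result["well_known"] = "reserved"
    return result


def is_builtin_admin(sid: str) -> bool:
    """RID 500 is the built-in Administrator even if the account was renamed."""
    return parse_sid(sid)["rid"] == 500


if __name__ == "__main__":
    # Constructed sample, shaped like the output of 'whoami /user'.
    print(parse_sid("S-1-5-21-1111-2222-3333-500"))
```

Because the RID is what identifies the built-in Administrator, matching on RID 500 in logon events is more reliable than matching on the account name, which can be changed.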
5. Infrastructure master:
Responsible for maintaining the updates made to the user & group membership.
It also maintains universal group membership.
There can be only one infrastructure master per domain.
The term flexibility means we can transfer any of the 5 roles from DC to ADC.
Transfer of ROLES
We can transfer the roles for some temporary maintenance issues on to the ADC and again we can transfer back the roles onto the DC.
We can transfer the roles in two ways:
1. Command mode
2. Graphical mode
Transfer of roles through command:
On DC
Go to command prompt and type ntdsutil
Type: roles
Connections
Connect to server (name of ADC ex. sys2)
Q
Transfer schema master
Transfer RID master
Transfer infrastructure master
Transfer PDC
Q
Q
Exit
Transferring roles using UI:
On DC
Register the schema
For registering schema
Start → run → regsvr32 schmmgmt.dll
Transferring schema master
On DC → Start → Run → mmc → click on file → select add/remove snap in
Select A.D. Schema → add → close → ok
From console root
Expand console root
Right click AD Schema
Change domain controller
Specify name
Ok
Right click AD schema
Select operations master
Click on change → Yes → ok → file → exit (need not to save)
Transferring Domain naming master:
On DC
Start → Programs → admin tools → ADDT → right click on ADDT
Connect to domain controller
Select ADC
Ok
Right click on ADDT → Operations master
Click on change → yes → ok → close
Transferring Domain wide master operations:
Start → Programs → admin tools → ADUC
Right click on ADUC
Connect to DC
Select ADC → ok
Right click on Domain name
Select operations master → Change → yes
Select PDC → change → yes → select infrastructure → change → close → close.
Global Catalog
It is a service responsible for maintaining information about the objects and serving the requests made by the users by providing the location of the object.
Global Catalog runs on the port number 3268.
All types of queries are first heard on this port number, which forwards the query to port no. 389 (LDAP's).
Maintains the complete information about the objects within the same domain and partial information about other domains.
GC communicates to the infrastructure master.
If DC & ADC are located in the same location only one GC is enough.
If the DC & ADC are located remotely, to avoid network traffic we need to configure the ADC as GC.
Infrastructure master contacts the global catalog for obtaining the updates about user & group membership and universal group membership.
The primary functions of GC:
To maintain universal group membership information, to easily locate the objects within the AD.
Configuring a Global catalog server:
Either on ADC or on Child DC
Start → program → admin tools → ADSS
expand sites → default first site → server
On NTDS right click → properties
check the box Global Catalog.
Installing Child Domain
Requirements:
Parent DC
Member server or stand alone server
Static IP
DNS
NTFS volume with 250 MB of free HDD space
On Member Server or stand alone machine specify the server's DNS.
Start → run → dcpromo → next → next → next
domain controller for a new domain → next
Child Domain in an existing tree → specify the parent domain's administrator's name & pwd.
Specify the child name → next → netbios name
next → database folder → next → sysvol → next → restart.
New Domain Tree in Existing Forest
Requirements:
Forest (initial domain controller or root domain controller). On member server or stand
2. Forest Functional Level:
a) Windows 2000 mixed
b) Interim
c) Windows 2003 server.
1.a.) Windows 2000 mixed:
By default when we install 2000 or 2003 o/s it gets installed in win 2000 mixed mode.
This mode supports older versions of win2003. We can add NT, 2000 flavors in 2003 networks.
1.b.) Windows 2000 native:
It supports only 2000 and 2003; Native mode can have 2000 & 2003 flavors only.
1.c) Interim:
This mode can have NT and 2003. Useful when we upgrade NT to 2003.
1.d) Windows 2003 server:
This mode supports only the 2003 server family.
We can't join NT/2000 domains.
Types of Trusts:
Trust relationships in Windows server 2003:
Default – two way transitive Kerberos trusts (intra forest)
Shortcut – one or two way transitive Kerberos trusts (intraforest). Reduce authentication requests.
Forest
Realm – one or two way non
Raising Domain Functional Level in both the machines:
Start → program → admin tools → ADDT → right click on Domain
raise Domain Functional Level → select win 2003 → click on raise → ok → ok
Raising Forest Functional Level:
Start → Programs → ADDT → right click on ADDT
raise forest functional level → select win2003 → raise → ok.
Member Server
A server, which is a part of DC, is called Member Server.
Servers like WINNT, 2000 and 2003 can be configured as Member Server.
Server, which is part of the Domain, is called Member Server.
Member Servers are used for
Load balancing
Load sharing from DCs
A member server can be configured as any of the following servers.
1) Application service (oracle/SQL)
2) Mail server
3) File server
4) Print server
5) DNS server
6) DHCP server
7) Web server
8) RIS server
9) RAS server
10) T.S.
Configuring a member server:
Requirements:
DC
Stand alone server (2003 flavor)
On Stand
These can be created on the Local machines where the client works. Ex. 2000 prof., XP prof.
Creating a Domain User Account:
On DC → Start → Programs → Admin tools
ADUC → expand domain name (ex. IBM.com)
Right click on users → new → user
supply name & pwd.
User must change pwd at next logon
next → finish
Creating a Domain User A/C through command prompt:
Start → run
cmd → dsadd user "cn=username,cn=users,dc=ibm,dc=com" -pwd zoom123
For removing:
dsrm cn=username,… (dsrm takes the object's DN directly; there is no "user" keyword)
Creating a local user Account in Member Server:
On member server → Log on to local user a/c
Right click on my computer
Manage → Expand local users → Right click on users.
New user → Supply the user name & pwd
Click on create
Log off
Log in as user
Creating a Local user a/c from command mode:
On member server
Login as administrator
Go to command prompt → Net user username
Password
Ex: net user u1 zoom123 /add
If we want to delete: /del
Editing Policies
User right assignments (Logon locally: allowing the logon locally right to a normal user):
On DC
Create a user a/c in ADUC → Allowing him to logon
Start → programs → admin tools → DCSP
expand local policies → user rights
D/C allow logon locally → add the user.
Start → run → gpupdate.
Verify:
On DC logon as a user
Disabling password complexity policy:
Start → programs → admin tools → domain security policy
expand a/c policies → password policy
Double click on p/w must meet complexity requirements.
Select disabled
Apply → ok
Minimum pwd length (do it as 0 characters)
Close
For refreshing policy
Start → run → cmd → gpupdate
Password policies: Enforce password history (24 pwds remembered)
Maximum p/w age
Minimum pwd age
Pwd must meet complexity requirements
Store pwds using reversible encryption.
Re
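The password-policy settings listed above, checked in code as an added example that is not part of the original notes. It contrasts the lab setting from the previous section (complexity disabled, minimum length 0, which accepts the sample password zoom123) with the usual default (history of 24, minimum length 7, complexity on). The complexity test implemented here is the standard Windows rule, at least three of four character classes and no occurrence of the account name of three or more characters; the minimum length 7, the fixed-salt SHA-256 standing in for the real password history store, and the sample passwords are assumptions constructed for the demo.

```python
import hashlib
from dataclasses import dataclass

# Added example, not from the notes: the password-policy settings the notes list,
# checked in code. A fixed-salt SHA-256 (assumed here) stands in for the real
# password history store.


@dataclass
class PasswordPolicy:
    history_length: int = 24     # 'Enforce password history (24 pwds remembered)'
    min_length: int = 7          # 'Minimum pwd length' (default assumed here)
    complexity: bool = True      # 'Pwd must meet complexity requirements'


# The lab configuration from the notes: complexity disabled, length 0.
LAB_POLICY = PasswordPolicy(history_length=0, min_length=0, complexity=False)
DEFAULT_POLICY = PasswordPolicy()


def _fingerprint(password: str) -> str:
    return hashlib.sha256(b"history-salt:" + password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, account_name: str) -> bool:
    """Windows rule: no account name (3+ chars) inside, and 3 of 4 classes."""
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def check_password(password, account_name, policy, history=()):
    """Return the list of policy violations (an empty list means accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.complexity and not meets_complexity(password, account_name):
        problems.append("fails complexity")
    # Only the most recent history_length fingerprints count.
    recent = list(history)[-policy.history_length:] if policy.history_length else []
    if _fingerprint(password) in recent:
        problems.append("reused from history")
    return problems


def demo():
    """Constructed sample accounts and passwords run against both policies."""
    history = [_fingerprint("Winter2023!")]
    return {
        "lab_accepts_weak": check_password("zoom123", "u1", LAB_POLICY),
        "default_rejects_weak": check_password("zoom123", "u1", DEFAULT_POLICY),
        "default_rejects_name": check_password("Zoom123!", "zoom", DEFAULT_POLICY),
        "default_rejects_reuse": check_password("Winter2023!", "u1", DEFAULT_POLICY, history),
        "default_accepts": check_password("Winter2023!", "u1", DEFAULT_POLICY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "accepted")
```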
In order to make a resource available over the network and to be accessed by network users we need to implement sharing.
The moment we create a share on a server, the server acts like a file server.
Sharing a resource:
On DC
Open my computer
Select any drive
Create a new folder
Give name of the folder
Right click on the folder
Select sharing and security
Share this folder
Apply → ok
Accessing share resources from a client machine:
On client machine
Open my network places
Entire network
Microsoft windows n/w
Domain name (ex. zoom)
Computer name
Creating a share through command line:
On DC
Go to command prompt
md sharename
net share sharename=c:\sharename
Connecting to a share resource through a command prompt:
On member server
Go to command prompt
net use z: \\computername\sharename
Mapping a drive (connecting to the share from UI):
On member server
Right click on my computer
Map network drive
Select the drive letter
Uncheck or check reconnect at logon
Browse the share folder
\\Computer name\share name → ok → finish.
Permissions:
Using permissions an administrator can either allow or deny access to a resource.
Resource can be a network resource or local resource.
Permissions are of two types:
1. Share level
2. File system or NTFS
Share level permissions
Share level permissions are applied over the network.
Share level permissions are not applied on the local machine where the resource is existing.
There are three types of share level permissions:
Full control RWDO (Read/Write/Execute/Delete/Ownership)
Change RWD
Read R
Practice:
On DC
Create a share
Create three users
Set permissions
Setting permissions:
Create folder → share → right click on folder → properties → permission
Remove everyone
Add all the users whom you want to allow or deny.
Apply → ok.
Verification:
Move on to client machine
Login as different users
Try to access the n/w resources.
2. NTFS permissions:
NTFS permissions are powerful permissions and they offer file and folder level security. NTFS permissions are useful for securing locally available resources.
NTFS Features:
File/folder level security
Compress
Encryption
Quotas
Reduced fragmentation
Hot fixing
Volume shadow copy services
Mounting
Separate recycle bin for each user
NTFS permissions:
Full control RWDO
Modify RWD
Read & Execute R
List folder contents L
Read R
Write RW
Implementing NTFS permissions:
On member server
Login as administrator on member server
Create a folder
Folder properties
Security
Advanced
Profiles are used for providing basic user environment needs.
Environment needs can be
Desktop settings
Startup applications
N/w connectivity.
Profile is responsible for providing the initial desktop environment needs with the help of desktop folder, favorites, cookies, my documents, start menu, Internet settings, n/w connections etc.
When a user logs in for the first time the user will be loaded with a default user profile.
Default user profile is located under
C:\documents and settings\default user
Types of profiles:
1) Local profile
2) Roaming profile
3) Mandatory profile
Local profile:
It is a profile loaded for the user and saved in the local hard drive where the user works.
And the profile will be saved when a user logs off.
Local profiles are limited only to the machine where they are saved.
A user with a local profile will not be loaded with a network profile when he logs on from another machine.
Verifying the type of the profile:
My computer
Properties → Advanced
User profile – settings
Roaming Profile:
It is a profile, which is saved in the shared folder on the server. Hence available in the entire network.
Roaming profile is a n/w profile which is available in the entire network. As a result when a user logs in from any machine in the n/w he will be loaded with a roaming profile.
Creating a roaming profile:
On DC
Create a user A/C
Create a folder
And share it and give full control permission for everyone
Start → Programs → ADUC
Double click the user
Profile
Profile path ex: \\sys1\profile\username
Apply – ok
Move on to member server:
Log in as user
My computer
Properties
Advanced
Ntuser.dat to ntuser.man
Back
Give back the permission (ownership)
Folder
Properties
Security – advanced → Check the box Allow inheritable
Check: Replace permission entries on all
Apply – ok.
Verifying:
Move on to client machine
Login as user
Make some desktop changes
Create a folder or delete a folder
For removing mandatory profile just rename ntuser.man to ntuser.dat
Home folders:
Home folders are separate folders where users save their data and protect their data from other users; every user can have one home folder either on the server or on the local machine.
If the home folder is in the server an administrator can secure it and back
Apply → ok
Verifying:
On client machine
Log in as user → Open my computer
We should notice an extra drive letter
Go to cmd prompt
We should not get the drive letter we have assigned.
Creating a local home folder:
On Member server
Login as administrator
Create a folder in any drive
Share it → Permissions
Remove everyone
Add administrator & u2
Give full access
Apply – ok
Move on to server or DC
Open ADUC → create a user
Go to user properties → Profile
Home folder
Give local path
Ex: E:\u2home
Apply
offline)
Implementing offline folders:
On server (client)
Open my computer → Tools
Folder options
Offline files
Check the box enable offline files
Apply – ok
Repeat same process on the client also
On server
Create a folder
Share it
Everyone full access
On the client machine
Access the share resources through the n/w places
Right click on the share resources
Make available offline
Next
Check the box automatically
Next – finish
On the client machine
Access the n/w share
Disabling NIC
Network places
Properties
Right click on LAN → select disable
Open n/w places
We will notice another system
Access the offline folder from server
Do some modifications to that folder → Enable NIC.
DFS (Distributed File System)
DFS allows administrators to make it easier for users to access and manage files that are physically distributed across a network.
With DFS, you can make files distributed across multiple servers. It may appear to users that files actually reside in one place (computer) on the network.
Benefits of DFS
1. Easy access:
Users need not remember multiple locations from where they get data; just by remembering one location they get access to the data.
2. Fault tolerance:
For the master DFS server we can have a replica (Target) on another DFS server.
When the master DFS server fails users can still continue accessing the data from the backup (DFS Target). There is no interruption to accessing data.
3. Load balancing:
If all the DFS root servers and targets are working fine it leads to load balancing.
This is achieved by specifying locations for separate users.
4. Security:
We can implement security by using NTFS settings.
DFS Terminology:
1. DFS root
2. DFS links
3. DFS targets
4. Domain DFS root
5. Stand – alone DFS root
Domain DFS root:
It is a server configurable in the domain and offers fault tolerance and load balancing. It is a root server, which maintains links from other file servers.
Requirements:
DC or Member Server
Stand
Create 2 folders.
Share them & give full control permission
On Member Server also same process
On DC
Start → Programs → Admin tools → DFS → right click on DFS
New link → Link name (e.g. Germany)
Browse the share folder from DC
Ok
Create all four links, two from DC & two from member server
Accessing the resources (links):
Either on DC or member server
\\domain name\DFS root name
ex: \\zoom.com\DFS root
Implementing of DFS target:
On DC
Open DFS
Right click on DFS root
Select new root target
Browse server name → next
Browse folder to share
Next → finish
Replication:
After configuring the target we can configure the replication between DFS root and DFS target.
And this can be scheduled.
Types of replication topologies:
Ring topology
Hub & spoke topology
Mesh topology
Configuring replication between DFS root & target:
On DC
Open DFS
Right click on the DFS root
Configure replication → next
Select topology
Finish
Disk Quotas
It is a new feature of 2000 & 03.
Using this feature an administrator can restrict the users from using disk space,
i.e. an administrator can limit the size of the disk space usage.
Quotas can be implemented in two ways:
1) On computer basis (local machine)
2) User basis (network resource)
Quotas can be implemented only on NTFS volumes.
Implementing a quota for a user (user basis):
On member server
Login as administrator
Open my computer
Right click on D or E drive
Properties
Quota
Check the box enable quota management and
Deny disk space to users
Click on quota entries tab → Select quota
New quota entry
Select the user
Set limit disk space to the user (in KB or MB only)
Verification
Login as user
Open the restricted or quota drive
Try to save something
Implementing quota on computers
On member server
Login as admin
Open my computer
E drive properties
Quota
Enable quota management
Deny disk space to user
Select limit disk space
Specify the limits in KB or MB
Apply – ok
Organizational Units (OU):
It is a logical component of AD.
It is a container object.
It can contain objects like users, groups, computers, shared folders, printers, and contacts.
OUs are basically used for dividing a single domain into smaller portions for efficient management and organization of the resources.
Creation of OUs:
On DC
Start → Programs → admin tools → ADUC
Right click on the domain
New
Organizational unit
Give the name of the unit
Delegate Control
Useful when an administrator wants to hand over partial administration of the domain to an assistant administrator; delegate control can be assigned to sub admins on OUs or on domains.
Assigning Delegate control for sub administrator:
On DC
Open ADUC → select domain controller (right click)
New user
Right click on OU → Delegate control
Next – add the user we've created.
Next → select as our wish
Next – finish
Verification:
Move on to member server
Login as sub administrator
Start - run - dsa.msc
Try to create users in the delegated OU
Taking back delegation of control from a user:
On DC
Open ADUC
Click on view
Advanced features
Select the OU for which we want to take back control
Right click → properties
Security
Select the sub admin user
Remove - apply - ok
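The same delegation check and removal done from PowerShell, as an added example that is not part of the original notes: it lists the explicit permissions "Delegate control" granted a sub-administrator on an OU (what the Security tab shows with Advanced features on) and removes them again. It needs the ActiveDirectory module (RSAT); the OU DN and the account name are assumptions.

```powershell
# Added example (not from the original notes). Assumptions: the OU below exists in
# the zoom.com domain used by the notes, and ZOOM\subadmin is the delegated account.
Import-Module ActiveDirectory

function Get-DelegatedAce {
    param([string]$OuDn, [string]$Account)
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Only explicit (non-inherited) entries belong to this OU's delegation;
    # inherited ones come from the domain or a parent OU and must be handled there.
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited
    }
}

function Remove-Delegation {
    param([string]$OuDn, [string]$Account)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $removed = 0
    # @() materialises the list so removing entries does not disturb the loop
    foreach ($ace in @($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited })) {
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    # Writing the descriptor back is the "Remove - apply - ok" step of the notes
    if ($removed -gt 0) { Set-Acl -Path "AD:\$OuDn" -AclObject $acl }
    return $removed
}

$ou  = "OU=India,DC=zoom,DC=com"   # OU taken from the notes' example DN
$sub = "ZOOM\subadmin"             # assumed sub-administrator account

"Explicit entries for $sub before:"
Get-DelegatedAce -OuDn $ou -Account $sub |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType -AutoSize

"Removed {0} explicit entries" -f (Remove-Delegation -OuDn $ou -Account $sub)

"Explicit entries for $sub after (expected: none):"
Get-DelegatedAce -OuDn $ou -Account $sub | Format-Table ActiveDirectoryRights -AutoSize
```

Run Get-DelegatedAce alone, without Remove-Delegation, to audit which sub-admins still hold rights on an OU.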
Group Policy
It is a feature of 2000 & 03 with which an administrator can have full control over
users and computers. Using group policy we can implement security, policies,
software deployment, folder redirection and Internet Explorer maintenance.
Group policies either allow the users access to an object or deny it.
Group policy can be implemented on computers & users.
Group Policy Object (GPO):
A GPO defines the policies that can be implemented for the objects. One group policy object can be
linked with multiple objects like sites, domains, DCs, OUs, etc.
The order in which group policy is applied when a user logs in:
Computer policy
Eg: no shut down, no time setting
User profile
Eg: Local, roaming, mandatory
User policy (local computer)
Site
Domain
OU
Implementing group policy on OU:
Aim: Deny access to Control Panel
On DC
Open ADUC
Create an OU
Create a user within the OU
Right click → properties
Group policy → new
Specify GPO name
Edit
Expand user configuration
Select administrative templates → Control panel
Double click "Prohibit access to control panel"
Select enable
Apply - ok
Policy inheritance:
If we implement a policy on a site it applies to all the domains and OUs within that
site. All the domains & OUs within that site inherit the policy from their parent.
Block policy inheritance:
Block policy inheritance is useful for blocking the inheritance of the policy from
the parent object.
Note:
1. Useful when we have to perform shorter administrative tasks.
2. When there is a conflict between two policies applied to the same object.
Implementing block policy inheritance:
On DC
Open ADUC → create an OU and a child OU within it.
Create a user a/c in the child OU
On the parent OU deny control panel
Select child OU → properties
Group policy
Check the box "block policy inheritance"
Verification
Move to the client machine, log in as the user we have created in the child OU.
We should notice the control panel is available (the parent's policy is not applied).
No override:
It is an option available in group policy, useful when we want to override all
the policies implemented on the child objects.
Implementing no override:
On DC
Open ADUC
Select the parent OU we have created
Properties
Group policy
Options → select "no override"
Note: No override is the opposite of block policy inheritance.
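The block-policy-inheritance and no-override procedures above, done and then audited from PowerShell, as an added example that is not part of the original notes. In the GroupPolicy module (and in GPMC) "No override" is called Enforced. The domain, OU names and GPO name are assumptions.

```powershell
# Added example (not from the original notes). Assumptions: domain zoom.com from
# the notes' DN, a parent OU "India" with child OU "Sales", and a GPO named
# "Deny Control Panel" already linked at the parent OU (the notes' Aim).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = "zoom.com"
$parentOu = "OU=India,DC=zoom,DC=com"
$childOu  = "OU=Sales,OU=India,DC=zoom,DC=com"
$gpoName  = "Deny Control Panel"

# Child OU stops inheriting from its parent (Block policy inheritance)
Set-GPInheritance -Target $childOu -Domain $domain -IsBlocked Yes | Out-Null

# Parent link set to No override (Enforced): it still reaches the child
# in spite of the block, which is what the note above means by "opposite"
Set-GPLink -Name $gpoName -Target $parentOu -Domain $domain -Enforced Yes | Out-Null

function Get-GpoInheritanceReport {
    param([string]$Domain)
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $Domain) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName -Domain $Domain
        [pscustomobject]@{
            OU            = $ou.DistinguishedName
            Blocked       = $inh.GpoInheritanceBlocked
            # enforced links bypass blocks on child OUs; both are worth reviewing
            EnforcedLinks = ($inh.GpoLinks | Where-Object { $_.Enforced } |
                             ForEach-Object { $_.DisplayName }) -join '; '
            # GPOs that apply to this OU after block and enforce are evaluated
            Effective     = ($inh.InheritedGpoLinks |
                             ForEach-Object { $_.DisplayName }) -join '; '
        }
    }
}

Get-GpoInheritanceReport -Domain $domain | Sort-Object OU | Format-Table -AutoSize
```

In the report the Sales OU shows Blocked = True yet still lists "Deny Control Panel" under Effective, because the enforced parent link wins over the block.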
Important group policies
User configuration
Administrative templates → Windows components
Windows explorer
2 Windows settings
3 Security settings
2. User configuration
4 Software settings
5 Windows settings
6 Administrative templates
Software Deployment
It is a feature of 2000 & 03 which can be implemented through group policies either on
computers or users.
It is a process of spreading out the required software onto the client machines
when a user starts the computer.
With the help of software deployment we can install, uninstall, upgrade, repair
and add patches & service packs.
Software deployment is possible only when the software has the .msi extension
(msi - Microsoft Installer).
MSI provides services like
Installation
Uninstallation
Roll back
Repair over the network.
Software deployment is possible only with the .msi or .zap extension.
Using WININSTALL LE 2003 software we can convert *.exe files to *.msi files.
A setup.exe file cannot be deployed over the network but can be converted to a
setup.msi file with the help of the software 'wininstall le2003'. This is a
product of Veritas Company.
Installing wininstall le2003 software
On DC
Open D or E drive → Application folder
Double click on wininstallle.exe
Next - I accept - next
Provide email details - next
Next - next - install - finish.
Phase - I
Converting .exe to .msi (before snap shot)
On DC
Open my computer
Select any drive
Create 2 folders with the names .exe and .msi
And share them with full access → Open D or E drive
Open application folder
Copy acrobat & retina
Paste it in the .exe folder we have created
On DC
Start → Programs → wininstall le2003
Right click on that
Run discover → ok - next
Specify the name of the application (ex. Acrobat)
Click on the dotted tab
Browse the .exe folder from my n/w places → Open the folder and name the application (ex. Acrobat.msi)
Open - next – select C drive
Add the drives which we have
Next - finish
Phase - II
Installation
On DC
Open my computer → Open the .exe folder we have created
Install acrobat software
In this phase II the process comes up to .mxi
Phase - III
Performing after snap shot
On DC
In wininstall le
Right click on wininstall le packages → Run discover - ok
Perform after snap shot
Next
[Diagram: conversion process - registry / software available → .mxi → .msi]
Phase - I (before snap shot):
In this phase wininstall le scans the complete system and the registry and checks for
installed applications, and takes a snap shot of the current condition of the OS.
Phase - II (Installation):
In this phase we have to install the software which we want to convert to .msi.
Phase - III (After snap shot):
In this phase wininstall le compares the two previous states (before snap shot
& installation) and takes another snap shot with the installation.
Note: Using these three phases the Microsoft software installer can troubleshoot
or deploy the software.
Software Deployment
On DC
Open ADUC
Create 2 OUs
Create a user in each OU
Select 1st OU → properties
Group policy → new
Name the GPO (ex. Deploy)
Edit → user configuration
Software settings
Right click s/w installation → New package
Browse the msi s/w from my n/w places
Select .msi
Select publish
Ok
Verification:
On member server
Login as the user we've created in the OU
Open control panel
We should notice the s/w we've deployed
Add/remove programs
Ok
Types of deployment
1) Publish
2) Assigned
3) Advanced
1) Publish
If we use publish, the software will be available in control panel and can be installed
when the user wants (on demand).
2) Assigned
If we select assigned, the s/w gets installed on the client machine when a user opens
the application for the first time.
3) Advanced:
It is useful when we want to upgrade s/w, install service packs or patches etc.
Folder Redirection
It is useful when we have implemented a mandatory profile for users; as a result
they cannot save anything on the desktop. If they unknowingly save, the saved
desktop contents should be saved in another location; we call this folder
redirection. (Users do not lose their data.)
Implementing folder redirection:
On DC → Create a roaming profile for a user
And convert it into mandatory
Note: create a new OU first, create a user in that, and make that user's
profile mandatory.
On DC
Open ADUC
Right click on the OU we've created
Group policy
New GPO → name → edit
User configuration
Windows settings
Folder redirection → On desktop right click
Properties
Select the settings as basic
Browse the share folder from n/w places
Ok.
Create a folder
Share it
Everyone full access
Verification
On member server
Login as the user we've created in the OU
Save something on the desktop
Ex: save some folders → properties
We should notice the location should be a UNC path (Universal Naming
Convention)
Logoff & login
Scripts
Scripts are useful to automate administrative tasks which are routine. We can
have startup and shutdown scripts, administrative scripts, login & logoff scripts.
Implementing scripts using group policy:
On DC
Create a folder (in D or E drive)
Share it with full control
Start
Edit
User configuration
Windows settings
Scripts
Double click on logon
Add → Browse the script we've saved in the share folder from n/w places
Ok
Verification:
Move on to member server
Log in as a user → We should notice a welcome message
Backup
It is a process of protecting user data or system state data on to separate storage
devices.
NT supported only one type of storage media, i.e. tapes.
2000 & 03 support tapes, floppies, HDDs (Hard Disk Drives), zip floppies, RSD
(Remote Storage Devices).
Back up utilities:
The default backup utility provided by NT, 2000, 2003:
NTbackup utility comes along with the OS. Provides minimum benefits; could have optimum benefits.
There are some third party utilities:
1 Veritas – BackupExec
2 Veritas – Foundation suite (for UNIX flavors)
3 Veritas – Volume manager
4 Tivoli storage manager (IBM)
5 Netbackup
Starting back up utility:
On DC
Or member server
Start
Run - ntbackup (or) start → programs → accessories → system tools → backup
Backing up a folder:
Create a folder in D drive and a file in that
Start – run - ntbackup - click on advanced mode
Back up
Next → Select 2nd option (backup selected files)
Expand my computer from D drive, select the folder you've created
Next
Select the destination to save the back up
Next - select the type of back up (ex. Normal)
Check the box "disable volume shadow copy"
Next - finish
Verifying
Delete the backed up folder
Restoring the backed up folder:
Start - run - ntbackup
Advanced - restore - next
Select the backed
up. Copy is used between normal backup and incremental backup.
3. Incremental backup:
Backs up all selected files & folders which have changed since the last backup, and marks the
files as having been backed up. Removes the archive bit after back up.
4. Differential backup:
Backs up all selected files & folders. After backup it does not remove the archive
bit. It backs up all the files changed since the normal back up.
5. Daily backup:
It backs up all selected files & folders created or changed during the day; after
backup it does not remove the archive bit.
Recommended backup strategy:
1. If we select incremental back up, it is faster but restoration is slower, i.e. a larger
number of tapes have to be restored.
2. If we go with differential backup, the backup is slow, but restoration is fast, i.e.
just by restoring 2 tapes.
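A small PowerShell model of the archive-bit behaviour described for the incremental and differential types, as an added example that is not part of the original notes: only files with the archive attribute set are copied, Incremental clears the bit afterwards and Differential leaves it set, which is why the differential set grows and a restore needs only normal + latest differential. The demo files under $env:TEMP\bkdemo are constructed for the example.

```powershell
# Added example (not from the original notes). Demo data is constructed under
# $env:TEMP\bkdemo; NTBackup's real backup types behave the same way on the bit.
function Backup-Changed {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [ValidateSet('Incremental','Differential')][string]$Mode
    )
    $archive = [System.IO.FileAttributes]::Archive
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $copied = @()
    foreach ($f in Get-ChildItem -Path $Source -File) {
        # archive bit clear = unchanged since the last backup that cleared it
        if (([int]($f.Attributes -band $archive)) -eq 0) { continue }
        Copy-Item -Path $f.FullName -Destination (Join-Path $Destination $f.Name) -Force
        if ($Mode -eq 'Incremental') {
            $f.Attributes = $f.Attributes -bxor $archive   # clear the bit
        }
        $copied += $f.Name
    }
    return $copied
}

# Constructed demo data: three small files
$src = Join-Path $env:TEMP 'bkdemo\src'
New-Item -ItemType Directory -Path $src -Force | Out-Null
'a','b','c' | ForEach-Object { Set-Content -Path (Join-Path $src "$_.txt") -Value $_ }

# Normal backup: copies everything and clears every archive bit
# (modelled here with Incremental mode, which also clears the bit)
$normal = Backup-Changed -Source $src -Destination "$env:TEMP\bkdemo\normal" -Mode Incremental
"Normal backup copied      : $($normal -join ', ')"

# Day 1: a.txt changes (any write sets the archive bit again)
Set-Content -Path (Join-Path $src 'a.txt') -Value 'a2'
$diff1 = Backup-Changed -Source $src -Destination "$env:TEMP\bkdemo\diff1" -Mode Differential
"Differential day 1 copied : $($diff1 -join ', ')"

# Day 2: b.txt changes. The differential also re-copies a.txt because its bit
# was never cleared, so normal + latest differential is a complete restore.
# An Incremental run here would copy b.txt alone and need every set since normal.
Set-Content -Path (Join-Path $src 'b.txt') -Value 'b2'
$diff2 = Backup-Changed -Source $src -Destination "$env:TEMP\bkdemo\diff2" -Mode Differential
"Differential day 2 copied : $($diff2 -join ', ')"
```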
System state data:
Components of SSD:
1. AD
2. Boot files
3. System files
4. Services
5. Registry
6. Cominf (COM+ info)
7. Cluster info
8. I.I.S.
SSD is a data store; if we want to back up the complete AD we can back up the system state data from the backup utility.
Taking a back up of system state data:
Start – run - ntbackup - click on advanced mode
- backup - next
create a folder (SSD); in this folder create a file with filename .bkf
- next - advanced – next
Restoration
There are two types of restoration:
1) Non
Tombstone:
It is an object deleted from AD but not removed. It remains in the AD for 90
days.
Practice:
On DC
Open ADUC
Create OU & users
Back up SSD → check the USN values of the user
Delete the user1
Restart the system in DSRM mode
By pressing F8
Open backup utility
Restore SSD → Do not restart
Start → run → ntdsutil
Authoritative restore
Restore subtree cn=u1,ou=India,dc=zoom,dc=com
Yes (or)
Restore database
Q
Q
Exit
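How to see the tombstone state from PowerShell, as an added example that is not part of the original notes: it reads the forest's tombstone lifetime and lists tombstoned user objects with the USN the practice above asks you to check, so you know how long the deleted u1 can still be restored from the backup. It needs the ActiveDirectory module; the domain DN is the one used in the notes.

```powershell
# Added example (not from the original notes). Assumption: run on a DC or RSAT
# host in the zoom.com domain from the notes' example DN.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    # an unset attribute means the directory's built-in default (60 days) applies
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Get-Tombstones {
    param([string]$SearchBase = "DC=zoom,DC=com")   # notes' example domain
    # isDeleted objects only show up when -IncludeDeletedObjects is given
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -IncludeDeletedObjects -SearchBase $SearchBase `
        -Properties lastKnownParent, whenChanged, uSNChanged |
      Select-Object Name, lastKnownParent, whenChanged, uSNChanged
}

$ttl = Get-TombstoneLifetimeDays
"Tombstone lifetime: $ttl days"

# Once a tombstone is older than the lifetime it is garbage-collected for good,
# so the authoritative restore from the SSD backup must happen before that.
# whenChanged approximates the deletion time; the USN is the one to compare
# with the value noted before the backup.
Get-Tombstones | ForEach-Object {
    $left = $ttl - ((Get-Date) - $_.whenChanged).Days
    "{0,-40} parent={1}  USN={2}  days until purge={3}" -f `
        $_.Name, $_.lastKnownParent, $_.uSNChanged, $left
}
```

A deleted user appears with a mangled Name (the original name followed by the deleted marker and its GUID) under the Deleted Objects container; lastKnownParent tells you the OU it came from.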