6424A
Fundamentals of Windows Server
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Excel, Internet Explorer, MSDN, MS-DOS, Outlook, PowerPoint, Excel,
SharePoint, SQL Server, Visio, Windows, Windows NT, Windows PowerShell, Windows Server, and
Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Released: 11/2008
If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials
(online and electronic), and associated media.
License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS.
a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single
primary user of the licensed device.
c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those
programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal
training use. If you wish to use these media elements or templates for any other purpose, go to
www.microsoft.com/permission to learn whether that use is allowed.
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not
make any modifications to the academic materials and you may not print any book (either
Note: Since this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is provided "as is." You use this licensed content at your own risk. Microsoft gives no other express warranties. You may have additional rights under local consumer protection law that this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to US $5.00. You cannot recover any other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
anything related to the licensed content, services, or content (including code) on third party Internet sites or in third party programs; and
claims for breach of contract or warranty, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damages. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
Contents
Module 1: Exploring Windows Server 2008 Active Directory Roles
Lesson 1: Overview of Active Directory Domain Services
Lesson 2: Overview of AD LDS
Lesson 3: Overview of Active Directory Certificate Services
Lesson 4: Overview of AD RMS
Lesson 5: Overview of AD FS
Lab: Exploring Windows Server 2008 Active Directory Server Roles
Course Description
The purpose of this 3-day course is to provide Active Directory Technology
Specialists with an introduction to Active Directory server roles in Windows
Server 2008. The course is intended for entry level students who want to get
familiar with the Active Directory server roles and their basic functionality. This
course provides an overview of all of the Active Directory server roles, and provides
additional information for configuring Active Directory Domain Services.
Audience
This course is intended for any IT Professional (for example, DSTs, SA,
Generalists) who is new to Active Directory and wants to become familiar with
Active Directory concepts. The audience is interested in basic concepts and does
not want to get too deep into Active Directory services and configuration.
Student Prerequisites
This course requires that you meet the following prerequisites:
Basic understanding of networking. For example, how TCP/IP functions,
addressing, name resolution (DNS/WINS), and connection methods (wired,
wireless, VPN), NET+ or equivalent knowledge (WIS foundation (6420) or
equivalent).
Basic understanding of network operating systems. For example, Windows
2000, Windows XP, Windows Server 2003 etc.
Basic knowledge of server hardware. A+ or equivalent knowledge (Not
required but expected).
Course Objectives
After completing this course, students will be able to:
Understand how the Active Directory server roles are used in an enterprise
environment and how AD DS integrates with the other Active Directory server roles.
Describe the reasons for deploying AD DS and describe the AD DS
components.
Course Outline
This section provides an outline of the course:
Module 1: Explains how the Active Directory server roles are used in an enterprise
environment and how AD DS integrates with the other Active Directory server roles.
Module 2: Describes the reasons for deploying AD DS and describes AD DS
components.
Module 3: Describes how AD LDS works and how to configure AD LDS
components.
Module 4: Describes how AD CS works and how to implement AD CS certificate
enrollment.
Module 5: Describes how AD RMS works and how to configure AD RMS settings.
Module 6: Describes how AD FS works and how to configure AD FS components.
Module 7: Explains how to configure AD DS user and computer accounts.
Module 8: Explains how to configure AD DS group accounts and organizational
units.
Module 9: Explains how to manage access to shared resources in an AD DS
environment.
Course Materials
The following materials are included with your kit:
Course handbook. The Course handbook contains the material covered in class.
It is meant to be used in conjunction with the Course Companion CD.
Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic pages, full lab exercises
and answer keys, topical and categorized resources and Web links. It is meant
to be used both inside and outside the class.
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must not
save any changes. To close a virtual machine without saving the changes, perform
the following steps:
1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website.
2. Under Navigation, click Master Status. For each virtual machine that is running, point to the virtual machine name, and, in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.
The following table shows the role of each virtual machine that this course uses:
Software Configuration
The following software is installed on each virtual machine:
Windows Server 2008 Enterprise; Windows Vista
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.
Module 1
Exploring Windows Server 2008 Active
Directory Roles
Contents:
Lesson 1: Overview of Active Directory Domain Services
Lesson 2: Overview of AD LDS
Lesson 3: Overview of Active Directory Certificate Services
Lesson 4: Overview of AD RMS
Lesson 5: Overview of AD FS
Lab: Exploring Windows Server 2008 Active Directory Server Roles
Module Overview
Windows Server 2008 provides a rich platform for five Active Directory server
roles. This module describes the fundamental concepts of these five server roles.
Lesson 1
Overview of Active Directory Domain Services
Key Points
A network directory service:
Provides information about user objects, computers and services (such as an e-mail address).
Stores this information in a secure database and provides the tools for managing and searching the directory.
Allows you to manage all network user accounts and resources in a single location and apply policies to the directory objects to ensure that all are managed consistently.
Additional Reading
Deciding Between Workgroups and Domains
What is AD DS?
Key Points
Active Directory Domain Services (AD DS) is a centralized directory for user and
computer management and authentication. It provides authentication services for a
Windows Server 2008 network. The directory contains user objects, group objects and
computer objects, as well as service information. This allows the service to provide
information about these objects, to authenticate them, and to manage access to
network resources.
Additional Reading
Deciding Between Workgroups and Domains
Key Points
AD DS provides the following for a Windows Server 2008 network:
Stores user and computer objects
Authenticates user and computer objects
Stores group information
Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server
roles, such as the following, rely on AD DS:
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)
Active Directory Certificate Services (AD CS)
Lesson 2
Overview of AD LDS
What is LDAP?
Key Points
Lightweight Directory Access Protocol (LDAP) is a standardized client/server
TCP/IP based protocol that has been in use for over 15 years and is leveraged by a
large number of applications and solutions.
The LDAP standards define consistent ways for naming and storing directory
objects. LDAP also provides methods for accessing, searching, and modifying
information that is stored in a directory.
Additional Reading
MSDN section on LDAP
RFCs that address LDAP:
"X.500 Lightweight Directory Access Protocol" (made obsolete by RFC
1777)
"A String Representation of LDAP Search Filters" (made obsolete by RFC
1960)
"Lightweight Directory Access Protocol"
"The String Representation of Standard Attribute Syntaxes"
"String Representation of Distinguished Names"
"An LDAP URL Format" (made obsolete by RFC 2255)
"A String Representation of LDAP Search Filters" (made obsolete by RFC
2254
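As an added example that is not part of the course materials, the following Go program shows what the LDAP naming and search-filter standards listed above look like in code: it evaluates simple RFC 4515 filters of the form (attribute=value), with * wildcards and \xx escapes, against a small in-memory directory whose entries are named by distinguished names, and it includes the escaping routine an application needs whenever a filter value comes from user input. The entries, the Contoso names and the LookupAccount function are constructed for the demonstration; the combinator filters (&, |, !) of the standard are left out to keep the example short, and matching is done with Go's regexp package rather than a real LDAP server.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Entry is an in-memory directory entry: a DN plus attributes (lowercase keys, as LDAP attribute names are case-insensitive).
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// EscapeFilterValue encodes untrusted text for embedding in a filter (RFC 4515 section 3):
// bytes with structural meaning become \xx escapes, so they are matched literally.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for _, c := range []byte(v) {
		if strings.IndexByte("\\*()\x00", c) >= 0 {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// ParseFilter handles the simple "(attr=value)" form of RFC 4515 (no &, | or ! combinators):
// unescaped '*' are wildcards, \xx escapes are literal bytes, and matching ignores case as the
// caseIgnoreMatch rule of most AD string attributes does. It returns the attribute and a regexp.
func ParseFilter(s string) (string, *regexp.Regexp, error) {
	eq := strings.IndexByte(s, '=')
	if len(s) < 4 || s[0] != '(' || s[len(s)-1] != ')' || eq < 2 {
		return "", nil, fmt.Errorf("malformed filter %q", s)
	}
	val, pat := s[eq+1:len(s)-1], strings.Builder{}
	for i := 0; i < len(val); i++ {
		switch {
		case val[i] == '\\' && i+2 < len(val):
			raw, err := hex.DecodeString(val[i+1 : i+3])
			if err != nil {
				return "", nil, fmt.Errorf("bad escape in %q", s)
			}
			pat.WriteString(regexp.QuoteMeta(string(raw)))
			i += 2
		case val[i] == '*':
			pat.WriteString(".*")
		case val[i] == '(' || val[i] == ')':
			return "", nil, fmt.Errorf("unescaped parenthesis in %q", s)
		default:
			pat.WriteString(regexp.QuoteMeta(val[i : i+1]))
		}
	}
	re, err := regexp.Compile("(?i)^" + pat.String() + "$")
	return strings.ToLower(s[1:eq]), re, err
}

// Search returns the DNs of the entries in dir that have an attribute value matching the filter.
func Search(dir []*Entry, filter string) ([]string, error) {
	attr, re, err := ParseFilter(filter)
	if err != nil {
		return nil, err
	}
	var dns []string
	for _, e := range dir {
		for _, v := range e.Attrs[attr] {
			if re.MatchString(v) {
				dns = append(dns, e.DN)
				break
			}
		}
	}
	return dns, nil
}

// LookupAccount is how an application should search for a logon name supplied by a user: the
// value is escaped first, so an input of "*" is compared literally instead of matching everyone.
func LookupAccount(dir []*Entry, name string) ([]string, error) {
	return Search(dir, "(sAMAccountName="+EscapeFilterValue(name)+")")
}

// SampleDirectory is constructed for this demonstration; the names are fictitious.
var SampleDirectory = []*Entry{
	{DN: "CN=Alice,OU=Users,DC=contoso,DC=com", Attrs: map[string][]string{
		"samaccountname": {"alice"}, "mail": {"alice@contoso.com"}}},
	{DN: "CN=Web App,OU=Service Accounts,DC=contoso,DC=com", Attrs: map[string][]string{
		"samaccountname": {"svc-web"}, "description": {"app (pilot)"}}},
}

func main() {
	for _, q := range []string{"(sAMAccountName=a*)", "(mail=*)", `(description=app \28pilot\29)`} {
		dns, err := Search(SampleDirectory, q)
		fmt.Println(q, "->", dns, err)
	}
	dns, _ := LookupAccount(SampleDirectory, "*")
	fmt.Println(`LookupAccount("*") ->`, dns) // empty: the wildcard was escaped
}
```

The program uses only the Go standard library; `go run` prints the matches. The point of EscapeFilterValue is that an unescaped `*` in a value is a wildcard and an unescaped `)` ends the value, so an administrator's query such as (sAMAccountName=a*) is legitimate while a logon name typed by a user must be escaped before it is placed in a filter.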
What is AD LDS?
Key Points
Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory
service.
Usage
AD LDS is used:
For applications that cannot or should not use AD DS.
To address scenarios where access to AD DS is not recommended due to
security concerns.
Flexibility
AD LDS does not have the restrictions of AD DS.
You can run multiple instances on a single computer.
It does not require a DNS infrastructure.
It is easily modified to meet application needs.
Additional Reading
Windows Server 2008 Future Resources
Windows Server 2003 Active Directory Application Mode
Key Points
Many applications require user authentication and lookup, but do not require the
overhead or complexity of running AD DS. These applications can leverage AD
LDS to store and retrieve this information.
AD LDS can store:
User information
Application configuration information
Additional Reading
Active Directory Lightweight Directory Services
Lesson 3
Overview of Active Directory Certificate
Services
One of the most common ways to provide security in the enterprise and on the
Internet is to use digital certificates. Digital certificates provide security in many
scenarios, including securing Web sites and e-mail. Active Directory Certificate
Services (AD CS) enables the distribution and management of digital certificates.
This lesson explains digital certificates, public key infrastructure and
implementation scenarios for AD CS.
Key Points
Digital certificates are used to encrypt information for many different purposes.
They are also used to authenticate users and computers in different ways. Consider
the different ways that digital certificates are used for encryption and
authentication. Also, consider the different applications that would support the
use of certificates.
Key Points
A Public Key Infrastructure (PKI) enables an organization to distribute digital
certificates to users and computers.
Components
A PKI consists of several interrelated objects, applications, and services.
Certification authorities (CA). A CA issues and manages certificates for users,
computers, and services. Each certificate issued by the CA is signed with the CA's
private key, so that it can be verified against the CA's own certificate.
Certificate revocation lists (CRL). A list, published by the CA, of certificates that
the CA has revoked before their expiration date.
What Is AD CS?
Key Points
Active Directory Certificate Services (AD CS) is the Microsoft implementation of a
PKI. AD CS provides a fully functional PKI for a Windows Server network. These
services can also be extended to non-Windows-based devices. AD CS provides all
of the basic PKI services such as tools for management and revocation services.
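The following Go program is an added example, not code from the course or from AD CS itself. It uses only Go's standard crypto/x509 package to show the PKI components described above working together: a root CA that signs certificates with its private key, a certificate revocation list signed by the same CA, and the check a relying party performs (chain to the trusted root, then consult the CRL). The CA name, subject names, validity periods and serial-number counter are constructed for the demonstration, and the in-memory revocation slice stands in for a CA database. It needs Go 1.19 or later for x509.ParseRevocationList and CheckSignatureFrom.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a minimal certification authority: its signing key, its self-signed certificate
// (the trust anchor) and the serial numbers it has revoked (what goes into its CRL).
type CA struct {
	Key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	revoked []pkix.RevokedCertificate
	nextSN  int64
}

// sign sets the validity period on tmpl and issues it, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey, validity time.Duration) (*x509.Certificate, error) {
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = tmpl.NotBefore.Add(validity)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA generates a root key pair and a self-signed certificate entitled to sign certificates and CRLs.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key, 10*365*24*time.Hour)
	return &CA{Key: key, Cert: cert, nextSN: 2}, err
}

// Issue signs a one-year certificate binding subject to pub. As in real enrollment, the
// requester generated the key pair itself and sends only the public key.
func (ca *CA) Issue(subject string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSN),
		Subject:      pkix.Name{CommonName: subject},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	ca.nextSN++
	return sign(tmpl, ca.Cert, pub, ca.Key, 365*24*time.Hour)
}

// Revoke withdraws a certificate before its expiry date; it appears in every later CRL.
func (ca *CA) Revoke(cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

// CRL publishes the revocation list, signed with the CA key and valid for one day.
func (ca *CA) CRL() (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(int64(len(ca.revoked) + 1)),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: ca.revoked,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Verify is the relying party's check: the certificate must chain to the trusted root, and
// the CRL, itself checked against that root, must not list the certificate's serial number.
func Verify(cert, root *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Contoso Root CA")
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the subject's own key pair
	user, _ := ca.Issue("alice", &key.PublicKey)
	ca.Revoke(user)
	crl, _ := ca.CRL()
	fmt.Println(Verify(user, ca.Cert, crl)) // certificate 2 is revoked
}
```

Two details carry the security meaning: the CA's private key never appears in Verify (the relying party holds only the root certificate), and the CRL is itself a signed object, so a revocation list that the trusted CA did not sign is rejected before its contents are consulted.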
Additional Reading
Active Directory Certificate Services
AD CS Implementation Examples
Key Points
AD CS can be used for a variety of scenarios including the following:
SSL certificates for internal Web sites. By using SSL with an internal Web
site, you can ensure that all client authentication traffic and all access to the
Web site are encrypted.
Smartcards with certificates issued from the AD CS Certification Authority
for domain authentication. Smartcards provide a second level for
authentication security by providing two-factor authentication.
Encrypting File System (EFS) certificates for domain joined computers. By
using EFS certificates, users can encrypt files on their hard disks while
enabling administrators to centrally manage the certificates.
Key Points
In an auto-enrollment scenario:
1. The user or computer account is authenticated.
2. The CA retrieves the certificate policies from AD DS.
3. If the user has the appropriate permissions and the policies are configured to
allow auto-enrollment, the certificate is generated and stored in AD DS.
Additional Reading
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure
AD DS and AD CS Integration
Key Points
Certificates stored in AD DS
The user or computer certificate is stored with the user account or computer
account. These certificates are then replicated to all of the AD DS servers resulting
in resilient and redundant storage of certificate information.
Certificate policies
Certificate policies that govern how certificates are generated and what settings
these certificates have can also be stored and applied from AD DS.
Lesson 4
Overview of AD RMS
By using Active Directory Rights Management Services (AD RMS) and the AD RMS
client, you can augment an organization's security strategy by protecting
information even after the information has been shared between users. AD RMS
does this through persistent usage policies, which remain with the information, no
matter where it is moved. You can use AD RMS to help prevent sensitive
information (such as financial reports, product specifications, customer data, and
confidential e-mail messages) from intentional or accidental unauthorized use.
Key Points
A rights management solution is used to protect information stored in documents,
e-mail messages and Web sites from unauthorized viewing, modification or use.
Features typically include:
Helping protect sensitive information from being accessed or shared with
unauthorized users. A rights management solution can be used to prevent
users from forwarding or copying content to other unauthorized users.
Helping ensure that data content is protected and tamper-resistant. A rights
management solution uses encryption and digital signatures to protect data
from unauthorized access and modification.
Controlling when data will expire based on time requirements, even when
that information is sent over the Internet to other individuals. This helps to
ensure that the most current information is available.
What is AD RMS?
Key Points
Active Directory Rights Management Services (AD RMS) is the Windows Server
2008 implementation of an enterprise rights management solution.
RMS helps protect information by:
Providing the tools to distribute client certificates to trusted users.
Enforcing content access policies.
Providing centralized management.
Additional Reading
Windows Rights Management Services
How It Works: Windows Rights Management Services
Active Directory Rights Management Services Overview
Key Points
You can deploy AD RMS to protect content sent in an e-mail message.
1. The content creator can apply a security policy to protect the content of the
message.
2. The AD RMS server encrypts the content and applies the permissions assigned
by the content creator.
3. When the content consumer receives the message, the client e-mail software
requests permission from the AD RMS server before the user can view the
message.
4. The client software will receive specific parameters for what the user can do
with the message from the AD RMS server and then will grant the user the
appropriate usage rights.
Additional Reading
Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide
Key Points
AD RMS integrates with AD DS in three key areas:
All AD RMS users must have an AD DS user account. Before a user can apply
an RMS policy to content, or before a consumer can access content, they must
be authenticated by AD DS.
AD DS provides the e-mail addresses used to obtain rights for content. All users
must be configured with an e-mail address, even if the organization has not
deployed an e-mail server.
AD RMS services are registered as service connection points in AD DS to
enable clients to locate the AD RMS servers. When an RMS-aware client tries
to locate an AD RMS server to protect or consume content, the client
connects to AD DS. The service connection point in AD DS provides the client
with the information about the AD RMS server that it should use.
Lesson 5
Overview of AD FS
What is AD FS?
Key Points
AD FS allows for users in a trusted directory to access a Web-based application in
the partner domain using user credentials from the local directory.
Benefits
Reduces the management overhead for administrators since only one account
has to be administered.
The end users only need to remember one set of user credentials.
Key Points
The B2B AD FS authentication scenario follows these basic steps:
1. A client computer connects to a Web application in a different organization.
2. The Web application redirects the Web client to the resource federation server.
3. The resource partner AD FS server responds to the client requesting that it
obtain a security token from the AD FS server in the account partner
organization.
4. The client requests the security token from the account partner's AD FS server
and passes the token back to the Web application.
5. The client can now gain access to the Web application.
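As an added example that is not part of the course or of AD FS itself, the Go program below models the token exchange in steps 3 to 5: the account partner issues a signed security token for a user it knows, and the resource partner accepts the token only if the issuer is in its federation trust, the signature verifies under that partner's key, the token is addressed to this application, and it has not expired. Real AD FS uses signed SAML tokens and X.509 token-signing certificates; the JSON claims, raw ECDSA signature, ten-minute lifetime, partner names and URLs here are simplifications constructed for the demonstration, and the users map stands in for the account partner's AD DS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is what the token asserts: issuer, intended application, user, and expiry (Unix seconds).
type Claims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Subject  string `json:"sub"`
	Expires  int64  `json:"exp"`
}

// SecurityToken is the signed claim set the client carries from one partner to the other.
type SecurityToken struct {
	Payload   string // base64url-encoded JSON claims
	Signature string // base64url-encoded ECDSA signature over SHA-256(payload)
}

// AccountPartner is the AD FS server in the user's own organization: it knows which users can
// authenticate (a constructed set here, standing in for AD DS) and holds the token-signing key.
type AccountPartner struct {
	Name  string
	key   *ecdsa.PrivateKey
	users map[string]bool
}

func NewAccountPartner(name string, users map[string]bool) (*AccountPartner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &AccountPartner{Name: name, key: key, users: users}, err
}

// VerificationKey is the public half that the resource partner records in its federation trust.
func (a *AccountPartner) VerificationKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// IssueToken is step 4: the client, already logged on at home, asks its own AD FS server for a
// short-lived token addressed to the partner's application.
func (a *AccountPartner) IssueToken(user, audience string, now time.Time) (*SecurityToken, error) {
	if !a.users[user] {
		return nil, fmt.Errorf("%s: unknown user %q", a.Name, user)
	}
	payload, err := json.Marshal(Claims{Issuer: a.Name, Audience: audience, Subject: user, Expires: now.Add(10 * time.Minute).Unix()})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	if err != nil {
		return nil, err
	}
	enc := base64.RawURLEncoding.EncodeToString
	return &SecurityToken{Payload: enc(payload), Signature: enc(sig)}, nil
}

// ResourcePartner is the AD FS server in front of the Web application; its federation trust maps
// each trusted account partner's name to the verification key exchanged when the trust was set up.
type ResourcePartner struct {
	AppURL  string
	Trusted map[string]*ecdsa.PublicKey
}

// Validate is the resource side of steps 4 and 5: trusted issuer, valid signature under that
// issuer's key, token addressed to this application, and not yet expired.
func (r *ResourcePartner) Validate(tok *SecurityToken, now time.Time) (*Claims, error) {
	payload, err := base64.RawURLEncoding.DecodeString(tok.Payload)
	sig, err2 := base64.RawURLEncoding.DecodeString(tok.Signature)
	if err != nil || err2 != nil {
		return nil, errors.New("malformed token")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	key, ok := r.Trusted[c.Issuer]
	if !ok {
		return nil, fmt.Errorf("no federation trust with %q", c.Issuer)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(key, digest[:], sig) {
		return nil, errors.New("signature does not verify under the partner's key")
	}
	if c.Audience != r.AppURL {
		return nil, fmt.Errorf("token was issued for %q, not this application", c.Audience)
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

func main() {
	home, _ := NewAccountPartner("Tailspin Toys", map[string]bool{"alice": true})
	app := &ResourcePartner{AppURL: "https://portal.woodgrovebank.example/", Trusted: map[string]*ecdsa.PublicKey{home.Name: home.VerificationKey()}}
	tok, _ := home.IssueToken("alice", app.AppURL, time.Now())
	claims, err := app.Validate(tok, time.Now())
	fmt.Printf("%+v %v\n", claims, err)
}
```

The resource partner never sees the user's password and never contacts the account partner's directory; everything it trusts comes from the verification key stored in the federation trust, which is why the audience and expiry checks matter: a token issued for another application, or captured and replayed later, is refused even though its signature is genuine.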
AD DS and AD FS Integration
Key Points
AD FS is integrated with AD DS in the following ways:
AD FS requires a directory service like AD DS or AD LDS to store all user
accounts.
AD FS enables the account partner in the federation trust to manage all user
accounts.
Resource partners may also use AD DS to restrict access to the Web
applications.
AD FS also extends some AD DS functionality to applications located in a
perimeter network.
Scenario 2
Tailspin Toys has recently experienced a situation that caused information about
the company's new projects to be posted on the Internet. The executive team has
mandated that a solution be created to protect confidential data from being
e-mailed or printed so that it can be used outside of the company. You must identify
a solution to meet the new executive requirements.
Scenario 3
Woodgrove Bank has been put under new regulatory restrictions that require all
employees to log on to their computers with two-factor authentication. These
regulations also require that all e-mail is encrypted and authenticated. You must
identify a solution to meet these new regulations.
Scenario 4
Tailspin Toys is developing a Web application that will include user accounts from
the corporate directory. The corporate policy forbids the schema changes that are
required for the Web application to function. You must identify a solution to
provide a user directory as well as changes in the schema.
Task 1: Review the four scenarios and determine which of the Active Directory Server roles will assist in providing the required solution.
Task 2: Determine the location where each of the server roles would be placed.
Result: At the end of this exercise, you will have practiced decision making about
Active Directory server roles and placement.
Task 1: How does the selected Active Directory role integrate with AD DS in each scenario?
Result: At the end of this exercise, you will have (1) described how the Active
Directory server roles integrate with AD DS, and (2) postulated the results of
integration failure.
Review Questions
1. You have been tasked with deploying a solution to provide two-factor
authentication for users on workstations located at your company. Which two
Active Directory server roles would you need to deploy to provide a centrally
managed two-factor authentication solution?
2. In what way does AD CS rely on AD DS?
3. What are some ways that certificates generated by AD CS can be used for
encryption?
4. What are some reasons for deploying AD LDS instead of AD DS?
5. What are some of the basic functions that AD RMS provides?
Module 2
Introduction to Active Directory Domain
Services
Contents:
Lesson 1: Overview of Active Directory Domain Services 2-3
Lesson 2: Overview of AD DS Logical Components 2-11
Lesson 3: Overview of AD DS Physical Components 2-22
Lab: Exploring AD DS Components and Tools 2-32
Module Overview
Windows Server 2008 Active Directory Domain Services (AD DS) is a Microsoft
Windows-based directory service. As a directory service, AD DS stores
information about objects on a network and makes this information available to
users and network administrators. Additionally, AD DS can be used to ensure that
only authorized users have access to network resources.
Lesson 1
Overview of Active Directory Domain
Services
Key Points
The primary reasons for deploying AD DS are as follows:
Centralized directory. Simplifies network administration by allowing
management of all accounts in a single directory.
Single sign-on access. Most organizations have multiple servers offering a
variety of services to users. Without some type of common directory service,
each of these servers would require a separate logon for user authentication
and authorization.
Integrated security. AD DS works with Windows Server 2008 to check the
security permissions associated with each person. AD DS can accommodate
users logging on from workstations using Windows NT, 98, 2000, XP, and
Vista.
Additional reading
Active Directory on a Windows Server 2003 Network
What is Authentication?
Key Points
Authentication simply refers to the process of verifying that a user is who they
claim to be. Authentication, including single sign-on, is a two-part process:
interactive logon and network authentication.
Interactive logon
Interactive logon confirms the user's identity on a specific computer by using
either a domain account or a local computer account.
Network authentication
Network authentication confirms the user's identification to any network service
that the user is attempting to access.
Additional reading
Logon and Authentication Technologies
What is Authorization?
Key Points
Authorization is the second step in the process of gaining access to network
resources. Authorization, which happens after authentication, is based on the
security token that is granted to the user account when they log on to the network.
Terminology
Security Identifier (SID): A unique security identifier created with the user account.
Security Token: A security token is granted to the user account for a logon session. The system uses the token to control access to securable objects.
Discretionary access control list (DACL): One type of ACL (Access Control List). Defines which users and groups (based on the user or group SID) have access to the object and defines the level of access granted to the user or group.
Authorization process
When the user tries to access a network resource, the client computer presents the
security token to the server hosting the resource. The SIDs in the security token
are compared with the access control entries in the DACL of the resource's security
descriptor. The user's request to access the resource is granted if an entry in the
DACL matches one of the SIDs in the security token and allows the requested access.
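To make that comparison concrete, here is an added Go example (not from the course) of the access check the paragraph describes, extended to the ordering rules Windows applies: ACEs are evaluated in order, a deny ACE whose SID is in the token refuses any requested right not yet granted, and allow ACEs accumulate rights until every requested right has been granted. It also covers two cases the paragraph does not mention: a security descriptor with no DACL at all grants everyone full access, while a present but empty DACL grants nothing. S-1-1-0 is the real well-known Everyone SID; the domain SIDs, group names and the report share's DACL are constructed, and owner-implied rights (READ_CONTROL and WRITE_DAC for the owner) are not modelled.

```go
package main

import "fmt"

// AccessMask is a set of access rights; the three bits here are a constructed subset.
type AccessMask uint32

const (
	Read AccessMask = 1 << iota
	Write
	Execute
)

// ACE is one access control entry: the SID it applies to, whether it allows or denies, and
// the rights it covers.
type ACE struct {
	SID  string
	Deny bool
	Mask AccessMask
}

// SecurityDescriptor carries the object's DACL. A descriptor whose DACL is absent (a "null
// DACL") protects nothing and grants everyone full access, while a present but empty DACL
// grants nobody anything; the two are easy to confuse and behave oppositely.
type SecurityDescriptor struct {
	DACLPresent bool
	DACL        []ACE
}

// Token holds the SIDs in a logon session's access token: the user's own SID plus the SIDs
// of every group the user belongs to.
type Token struct {
	UserSID string
	Groups  []string
}

func (t Token) holds(sid string) bool {
	if sid == t.UserSID {
		return true
	}
	for _, g := range t.Groups {
		if g == sid {
			return true
		}
	}
	return false
}

// AccessCheck walks the DACL in order as the Windows access check does: an ACE whose SID is
// not in the token is skipped; a deny ACE that covers any right still being sought fails the
// request immediately; an allow ACE adds its rights to the granted set, and the walk stops as
// soon as every desired right has been granted. Owner-implied rights are not modelled.
func AccessCheck(sd SecurityDescriptor, tok Token, desired AccessMask) bool {
	if !sd.DACLPresent {
		return true
	}
	var granted AccessMask
	for _, ace := range sd.DACL {
		if !tok.holds(ace.SID) {
			continue
		}
		remaining := desired &^ granted
		if ace.Deny {
			if ace.Mask&remaining != 0 {
				return false
			}
			continue
		}
		granted |= ace.Mask & desired
		if granted == desired {
			return true
		}
	}
	return granted == desired
}

// Constructed SIDs for the demonstration: S-1-1-0 is the real well-known "Everyone" SID; the
// domain-relative ones use a made-up domain identifier with the standard RID 513 (Domain Users).
const (
	Everyone    = "S-1-1-0"
	DomainUsers = "S-1-5-21-1000-2000-3000-513"
	Finance     = "S-1-5-21-1000-2000-3000-1105"
	Contractors = "S-1-5-21-1000-2000-3000-1106"
	AliceSID    = "S-1-5-21-1000-2000-3000-1104"
)

// ReportDACL is in canonical order (explicit denies before allows) for a report share.
var ReportDACL = SecurityDescriptor{DACLPresent: true, DACL: []ACE{
	{SID: Contractors, Deny: true, Mask: Write},
	{SID: DomainUsers, Mask: Read},
	{SID: Finance, Mask: Read | Write},
}}

func main() {
	alice := Token{UserSID: AliceSID, Groups: []string{Everyone, DomainUsers, Finance}}
	fmt.Println("alice write:", AccessCheck(ReportDACL, alice, Write))
	alice.Groups = append(alice.Groups, Contractors)
	fmt.Println("alice (contractor) write:", AccessCheck(ReportDACL, alice, Write))
}
```

Because the walk is in order, the same entries arranged with the allow ACE first would let a Finance member who is also a Contractor write: the allow satisfies the request before the deny is reached. That is why Windows keeps DACLs in canonical order, with explicit deny entries ahead of explicit allows, and why a tool that rewrites a DACL out of that order weakens it without changing any single entry.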
Additional reading
Authorization and Access Control Technologies
Security Identifiers
Tools to Manage Security Principals
Key Points
The largest cost of owning computers is the cost in managing and maintaining
them. If systems were maintained individually, the cost would quickly become
unacceptably high. AD DS provides a way to automate computer management
using centrally applied settings. This allows for the most efficient use of IT
administrative resources.
Additional reading
Group Policies
Overview of AD DS Components
Key Points
When an organization implements AD DS, several components are created. AD DS is
composed of both physical and logical components.
Additional reading
What Are Domains and Forests?
Lesson 2
Overview of AD DS Logical Components
As an AD DS administrator, you will spend most of your time working with the
logical components that make up AD DS. During the implementation of AD DS,
your organization will have configured various AD DS components such as
domains, sites and organizational units. You will be working with these
components as you create and manage user accounts or computer accounts.
Key Points
The AD DS schema defines every type of object that can be stored in the directory.
Before an object can be created in AD, it must first be defined in the schema. The
schema also enforces a number of rules regarding the creation of objects in the
database. These rules define the information that can be stored with each object
and the data type of that information.
Additional reading
What Is the Active Directory Schema?
What Is a Domain?
Key Points
A domain is a logical grouping of AD DS objects, and the most basic building block
in the AD DS model.
Each domain must have at least one domain controller installed. In fact, you create
a domain by installing the first domain controller in the domain, and you remove a
domain by removing the last domain controller in the domain.
Additional reading
What Are Domains and Forests?
Key Points
Domains can allow secure access to shared resources outside of their boundaries
using authenticated connections called trusts.
Trusts enable users to:
Access resources in domains other than the domain where their user account
is configured.
Log on to computers that are members of domains other than the domain
where the user account is configured.
Additional reading
Trusts
How Domains and Forests Work
Key Points
A domain tree is a hierarchy of domains in AD DS. The first domain created is the
root domain. As subsequent domains are added to the domain tree, they are
created as child domains under the root domain.
Within a domain tree, all domains share a common or contiguous namespace. For
example, if the root domain is WoodgroveBank.com, the child domains would use
names such as EMEA.WoodgroveBank.com.
Additional reading
What Are Domains and Forests?
What Is a Forest?
Key Points
A forest is a collection of one or more domain trees. All domains and domain trees
exist within an Active Directory forest.
Additional reading
What Are Domains and Forests?
Key Points
Organizational units (OUs) are Active Directory containers into which you can
place users, groups, computers, and other OUs. OUs are designed to make AD DS
easier to administer.
Additional reading
Organizational Units
Questions
For each scenario, describe how AD DS logical components (Domain, OUs) could
be deployed in these organizations.
Scenario 1: Contoso Inc. has a single office with 20 employees and a single
business unit. The business owner manages all AD DS administrative tasks.
Scenario 2: NorthWind Traders has a single office. The organization has two
business units which are administered separately but all AD DS management tasks
will be managed by the same administrative team. The organization also needs to
assign different policies to managers and to each business unit as well as to the
computers used by each of these groups.
Scenario 3: Coho Vineyards has two separate business units located in two offices
in different countries. Each office has about 10,000 users. Each office has multiple
departments and all of the departments need different policies applied to them.
Each office also has a separate team of administrators that must be able to manage
all of the user and computer accounts in their office, but should not be able to
manage any objects in the other office. One team of administrators at the head
office should be able to manage all user accounts, computer accounts and servers
in both offices.
Scenario 4: Woodgrove Bank has multiple locations deployed in different
countries around the world. Because of the privacy requirements in the different
countries, the offices in each country must be managed by a different group of
administrators and the administrators must not be able to modify any objects in
other countries. No group of administrators should be able to access objects in
other countries.
Key Points
AD DS objects are the entries stored in the directory on AD DS domain
controllers. Every object falls into one or more categories, such as resources
(for example, printers), services (for example, e-mail or shared folders) and
security principals (users, groups and computers).
Each category of object has a set of attributes defined in the Active Directory
schema, so new instances of a given type can be created and administered
consistently and efficiently.
Additional reading
Active Directory Users and Computers Help
Questions
Lesson 3
Overview of AD DS Physical Components
Key Points
A domain controller is a server in an AD DS domain that provides directory
services. Every domain controller (except a Read-Only Domain Controller)
holds a writable copy of the AD DS database and is where administrators
manage user accounts and other network resources. Domain controllers
authenticate users and authorize access to network resources in the domain.
Domain controllers also take part in AD DS replication: changes made on one
domain controller are replicated to the other domain controllers in the domain,
and the forest-wide schema and configuration partitions are replicated to every
domain controller in the forest.
Additional reading
Domain Controller Roles
Key Points
AD DS relies entirely on the Domain Name System (DNS) to locate resources on a
network, so every AD DS domain name is also a DNS domain name. Domain
controllers register service (SRV) records, such as
_ldap._tcp.dc._msdcs.<domain>, that clients query to find a domain controller.
Without a reliable DNS infrastructure, domain controllers will not be able to
find each other to replicate, workstations will not be able to locate a domain
controller to log on, and Microsoft Exchange Servers will not be able to send
e-mail.
Key Points
A global catalog server is a domain controller that, in addition to the full
copy of all objects in its own domain, stores a partial, read-only copy of every
object in every other domain of the forest. The partial copy holds only the
attributes most commonly used in searches (for example, name and e-mail
address), and it is queried over LDAP on port 3268 (3269 over SSL) rather than
the normal port 389. Holding this information locally lets users search the
whole forest efficiently, without referrals to domain controllers in other
domains and without the network cost of replicating every attribute of every
object.
Additional reading
What Is the Global Catalog?
Key Points
All the data in AD DS is stored in a single database file on each domain
controller. The location of this file, named Ntds.dit, can be set during the
domain controller promotion process; the default location for the database and
its transaction log files is %SystemRoot%\Ntds. The AD DS data store consists of
these database files and the processes that store and manage directory
information for users, services, and applications. Because Ntds.dit holds the
password hashes of every account in the domain, physical access to a domain
controller, or to a backup copy of this file, is equivalent to access to every
credential in the domain.
Additional reading
What is a Data Store?
What Is AD DS Replication?
Key Points
AD DS replication is the process by which directory data is synchronized
between domain controllers in a forest. AD DS uses a multi-master replication
model: directory information can be modified on any domain controller, and that
domain controller then sends its changes to its replication partners. Within a
site, partners are notified of changes almost immediately; between sites,
replication follows the schedule configured on the site link.
Additional reading
What Is the Active Directory Replication Model?
Key Points
A site is a set of IP subnets whose domain controllers are connected by a fast,
inexpensive, and reliable network connection. A site is an AD DS organizational
entity used to manage network traffic: clients prefer domain controllers in
their own site, and replication between sites is scheduled and compressed.
You can also use sites to assign Group Policy settings. If all users or
computers in a company location require the same configuration, you can link a
Group Policy object at the site level.
Additional reading
Active Directory Sites and Services
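The domain controller locator works out which site a client belongs to from the subnet objects defined in Active Directory Sites and Services: the client's IP address is matched against the subnets associated with each site, and the most specific subnet wins (on a workstation, nltest /dsgetsite prints the result). The following is an added example, not part of the course; its subnet-to-site table is constructed.

```python
"""Resolve a workstation's AD DS site from its IP address.

Added example, not part of the course. The subnet-to-site table below is
constructed; in practice it is what Active Directory Sites and Services shows
under Subnets. Matching is longest-prefix, as the DC locator does it."""
import ipaddress

# Constructed table: subnet object -> site it is associated with.
SUBNETS = {
    "10.10.0.0/16": "NYC",
    "10.10.50.0/24": "NYC-Lab",          # more specific than 10.10.0.0/16
    "10.20.0.0/16": "Toronto",
    "2001:db8:20::/48": "Toronto",
    "192.168.0.0/16": "Default-First-Site-Name",
}


def site_for_ip(ip, subnets=SUBNETS):
    """Return the site whose most specific subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def unmapped_clients(client_ips, subnets=SUBNETS):
    """Addresses that map to no site. These are the clients NetLogon reports in
    event 5807, and the reason to add the missing subnet objects."""
    return [ip for ip in client_ips if site_for_ip(ip, subnets) is None]


if __name__ == "__main__":
    for ip in ("10.10.1.25", "10.10.50.7", "2001:db8:20::15", "172.16.4.9"):
        print(ip, "->", site_for_ip(ip))
    print("unmapped:", unmapped_clients(["10.20.0.3", "172.16.4.9"]))
```

A client whose address matches no subnet object is treated as if it were in the site of whichever domain controller it reached, so its logon and Group Policy traffic may cross the WAN; NetLogon on the domain controller records such clients in event 5807 and in netlogon.log, which is the list to work from when adding subnets.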
Questions
Scenario 3: Coho Vineyards has two separate business units located in two offices
in different countries. Each office has about 10,000 users. The offices are
connected by a high speed and reliable network connection that is not heavily
utilized during business hours.
Scenario 4: Woodgrove Bank has multiple locations deployed in different
countries around the world. In all countries, the company has a single data center
located in a central city. In addition, the company has numerous small branch
offices with 5-100 users. The branch offices are connected to the main office
through a variety of WAN connections.
Questions
1. You need to determine which site a workstation is located in. How would you
do this?
2. You run the Repadmin /showrepls command and notice several errors
between domain controllers located in different sites. What would you do to
resolve the errors?
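Question 2 is a triage problem: for each failing inbound link, repadmin /showrepls reports the partner, the naming context, the Win32 error and how long the link has been failing, and those facts decide the next step. The following is an added example, not from the course, that parses a constructed sample of that output and classifies the failures.

```python
"""Triage `repadmin /showrepls` output.

Added example, not from the course. SHOWREPLS is constructed to follow the
layout repadmin prints (each naming context, then one inbound partner block
per source DC); the error texts are the Win32 messages for 1722 and 8614."""
import re
from datetime import datetime, timedelta

SHOWREPLS = """\
Default-First-Site-Name\\NYC-DC1
DSA Options: IS_GC
Site Options: (none)

==== INBOUND NEIGHBORS ======================================

DC=WoodgroveBank,DC=com
    Default-First-Site-Name\\NYC-DC2 via RPC
        DSA object GUID: 6f1c2b1e-0000-4000-8000-000000000001
        Last attempt @ 2008-03-12 10:15:02 was successful.

DC=WoodgroveBank,DC=com
    Toronto\\TOR-DC1 via RPC
        DSA object GUID: 6f1c2b1e-0000-4000-8000-000000000002
        Last attempt @ 2008-03-12 10:14:40 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2008-03-11 22:01:13.

CN=Configuration,DC=WoodgroveBank,DC=com
    Toronto\\TOR-DC3 via RPC
        DSA object GUID: 6f1c2b1e-0000-4000-8000-000000000003
        Last attempt @ 2008-03-12 10:14:41 failed, result 8614 (0x21a6):
            The Active Directory cannot replicate with this server because
            the time since the last replication with this server has
            exceeded the tombstone lifetime.
        41 consecutive failure(s).
        Last success @ 2007-08-30 03:10:11.
"""

TOMBSTONE_LIFETIME = timedelta(days=180)   # 60 days in forests created before Windows Server 2003 SP1
NOW = datetime(2008, 3, 12, 12, 0)         # constructed "current time" for the demo

PARTITION_RE = re.compile(r"^(?:DC|CN)=")
PARTNER_RE = re.compile(r"^ {4}(\S+)\\(\S+) via (\w+)$")
ATTEMPT_RE = re.compile(r"Last attempt @ (\S+ \S+) (?:was successful|failed, result (\d+))")
SUCCESS_RE = re.compile(r"Last success @ (\S+ \S+)\.")
FAILS_RE = re.compile(r"(\d+) consecutive failure")
TS = "%Y-%m-%d %H:%M:%S"


def parse_showrepls(text):
    """Return one dict per inbound replication link found in the output."""
    links, partition, link = [], None, None
    for line in text.splitlines():
        if PARTITION_RE.match(line):
            partition = line.strip()
        elif (m := PARTNER_RE.match(line)):
            link = {"partition": partition, "site": m.group(1), "source": m.group(2),
                    "transport": m.group(3), "error": 0, "failures": 0, "last_success": None}
            links.append(link)
        elif link and (m := ATTEMPT_RE.search(line)):
            link["error"] = int(m.group(2) or 0)
            if link["error"] == 0:
                link["last_success"] = datetime.strptime(m.group(1), TS)
        elif link and (m := SUCCESS_RE.search(line)):
            link["last_success"] = datetime.strptime(m.group(1), TS)
        elif link and (m := FAILS_RE.search(line)):
            link["failures"] = int(m.group(1))
    return links


def triage(links, now):
    """For every failing link, return (source DC, partition, what to do first)."""
    findings = []
    for l in links:
        if l["error"] == 0:
            continue
        age = (now - l["last_success"]) if l["last_success"] else None
        if l["error"] == 8614 or (age is not None and age > TOMBSTONE_LIFETIME):
            verdict = ("STALE: partner exceeded the tombstone lifetime; do not force replication, "
                       "remove lingering objects or demote and rebuild the partner")
        elif l["error"] == 1722:
            verdict = ("RPC unreachable: check DNS for the partner (nltest /dsgetdc, dcdiag /test:dns) "
                       "and that TCP 135 plus the dynamic RPC range are open across the WAN")
        else:
            verdict = f"error {l['error']} after {l['failures']} consecutive failure(s); see repadmin /replsummary"
        findings.append((l["source"], l["partition"], verdict))
    return findings


if __name__ == "__main__":
    for source, partition, verdict in triage(parse_showrepls(SHOWREPLS), NOW):
        print(f"{source:8} {partition}\n    {verdict}")
```

The distinction the classifier makes matters in practice: a link that has merely been unreachable (1722) is fixed by restoring DNS and RPC connectivity and replication catches up on its own, whereas a partner that has not replicated within the tombstone lifetime (8614) must not simply be forced back in, because deletions it never received would be reintroduced as lingering objects.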
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank also has strategic partnerships with other
organizations, including Fabrikam, Inc and NorthWind Traders. Woodgrove Bank
has deployed AD DS.
As the new AD DS administrator, you must install the AD DS management tools on
your Windows Vista workstation and then examine the AD DS environment at
Woodgrove Bank.
Result: At the end of this exercise, you will have installed the Windows Server 2008
administration tools on Windows Vista.
Result: At the end of this exercise, you will have explored the WoodgroveBank.com
AD DS environment by using the AD DS management tools.
Task 4: Use Active Directory Sites and Services to examine the domain
controllers in the WoodgroveBank.com domain.
1. In the Remote Desktop connection, open Active Directory Sites and Services.
2. How many sites are listed in the forest? What is the site or sites called?
3. Verify that the same domain controllers are listed in Default-First-Site-Name
as were listed in Active Directory Users and Computers.
4. Expand NYC-DC1, right-click NTDS Settings, and click Properties. Verify that
NYC-DC1 is configured as global catalog server.
5. On the Connections tab, examine the replication connections on the domain
controller.
Task 5: Log off Remote Desktop and shut down all virtual machines.
1. In the Remote Desktop connection, click Start, and then click Log off.
2. Shut down all virtual machines and delete changes.
Result: At the end of this exercise, you will have examined the AD DS physical
properties in the WoodgroveBank.com domain.
Review Questions
1. You have just installed a new domain controller in your domain. What two
tools could you use to verify that the domain controller has been added to the
domain?
2. You want to group all of the users in branch office together so that you can
assign permissions to a shared folder to all of the users in the branch office.
What type of AD DS object should you create?
3. What are the differences between a domain, domain tree and forest?
4. What feature makes it easy and fast to search a forest for user phone numbers?
5. What is the relationship between a domain and a site?
Module 3
Introduction to Active Directory Lightweight
Directory Services
Contents:
Lesson 1: Active Directory Lightweight Directory Services Overview
Lesson 2: Implementing and Administering AD LDS
Lesson 3: Implementing AD LDS Replication
Lesson 4: Comparing AD DS and AD LDS
Lab: Exploring Configuring AD LDS
Module Overview
The Windows Server 2008 Active Directory Lightweight Directory Services (AD
LDS) role is a Lightweight Directory Access Protocol (LDAP) directory service. It
provides data storage and retrieval for directory-enabled applications, without
the dependencies (domains, domain controllers and DNS) that Active Directory
Domain Services (AD DS) requires.
Lesson 1
Active Directory Lightweight Directory
Services Overview
Key Points
AD LDS provides a hierarchical, file-based directory store built on the
Extensible Storage Engine (ESE). By default, AD LDS stores its data in
%ProgramFiles%\Microsoft ADAM\[AD LDS instance name]\data\adamntds.dit.
Applications access the store over LDAP on TCP/IP.
Additional Reading
AD LDS Help File
Windows 2008 Active Directory Components (upper left box)
Key Points
There are a variety of administration tools available for AD LDS. The table on the
slide lists the tools and their functions.
Additional Reading
AD LDS Help File
Key Points
In order for an object type to be created in the directory, it first has to be defined in
the schema. The schema definition includes object classes and attributes.
An object class represents a category of objects that share a set of common
characteristics (e.g., users, printers, or application programs).
An attribute describes one part of an object class. The definition for each
object class contains a list of the attributes that can be used to describe
instances of the class. The list of attributes for a class is divided into mandatory
and optional attributes.
Additional Reading
AD LDS Help File
Questions
Lesson 2
Implementing and Administering AD LDS
Active Directory Lightweight Directory Services (AD LDS) is a server role that is
installed on a Windows Server 2008 computer by using Server Manager. After
installing the server role, you can configure AD LDS by using the Active Directory
Lightweight Directory Services Wizard. Then multiple administrative utilities can
be leveraged to configure AD LDS to work for your implementation.
Key Points
An AD LDS instance is a single running copy of the AD LDS directory service. An
instance contains all of the essential components needed to run AD LDS: a
communication interface, the directory service, and a data store. The data
store for each instance holds the three partition types used by AD LDS
(configuration, schema and application). Each instance listens on its own
TCP/IP ports: the first instance on a server defaults to 389 (LDAP) and 636
(SSL) if AD DS is not installed on that server; if those ports are in use, the
wizard proposes 50000 and 50001 and increments them for each further instance.
Additional Reading
AD LDS Help File
Key Points
The AD LDS application partition is where the applications store data. Unlike the
schema and configuration partitions, the application partition does not store AD
LDS configuration or definition information.
Questions
Key Points
A set of four default groups is created when an AD LDS instance is created.
AD LDS also enables the use of Windows security principals for authentication and
access control.
You can use ADSIEdit or LDP to create and modify the users and groups in the
configuration partition and in a specific application partition.
Additional Reading
AD LDS Help File:
"Understanding AD LDS Users and Groups"
"Add or Remove Members to or from an AD LDS Group"
Key Points
AD LDS provides access control which:
1. Authenticates the identity of all users. Authentication against AD LDS can be
done with users created in AD LDS as well as with Windows local and AD DS
security principals.
2. Uses access control lists (ACLs) to determine whether the user has permission
to access specific objects. You can use the Dsacls utility to view or modify the
ACL of a particular object.
Additional Reading
AD LDS Help File: " Working with Authentication and Access Control"
Questions
Additional Reading
AD LDS Help File:
"Disable or Enable an AD LDS User"
"Add an AD LDS User to the Directory"
"Add or Remove Members to or from an AD LDS Group"
"View or Set Permissions on a Directory Object"
Lesson 3
Implementing AD LDS Replication
AD LDS uses replication to provide high availability and load balancing for
directory services. By implementing replication between AD LDS instances, you
can provide copies of the directory information on multiple servers. This lesson
describes the reasons for replicating data, how replication works and how to
configure replication.
Key Points
AD LDS allows multiple replicas of an instance to be created on separate servers.
These servers can be in separate locations. AD LDS uses multimaster replication to
ensure that each of the replicas has the same information.
Additional Reading
AD LDS Help File, " Understanding AD LDS Replication and Configuration
Sets"
Key Points
There are three main reasons to use AD LDS replication: high availability, load
balancing, and geographic distribution.
High availability. With multiple replicas, one replica can be taken down for
maintenance or updates while the others continue to service the application.
Load balancing. You can configure the application to spread its requests
across replicas when a single server cannot handle all of them.
Geographic distribution. When an application is used from several sites but
its directory lives on a single AD LDS server in one office, users at the other
sites see slow responses. Placing a replica at each site improves performance.
Questions
For each scenario, describe how AD LDS could be deployed in these organizations.
Scenario 1: Woodgrove Bank has deployed a Web application that uses AD LDS to
store user information and preferences. This application is deployed only at the
corporate head office in New York. Customers use the Web application 24 hours
per day, and it is critical that the application is available when users want access.
The bank has deployed 4 load balanced Web servers hosting the application. How
would you configure AD LDS to support this scenario?
Scenario 2: Contoso Inc has deployed a Web based order system that uses AD
LDS for customers. To ensure that network failures do not affect the order system
availability, the organization has deployed servers hosting the application in three
company locations. The available network bandwidth between the company
locations is limited. How would you configure AD LDS to support this scenario?
Lesson 4
Comparing AD DS and AD LDS
Key Points
AD LDS and AD DS are similar in the following ways. Both AD DS and AD LDS:
Are LDAP compliant directories that support LDAP client connections.
Use multimaster replication for data distribution.
Support delegating administration to partitions or organizational units (OUs)
by group, role or user.
Use the Extensible Storage Engine (ESE) for the database store.
Key Points
AD DS and AD LDS are each designed for their own specific and unique purpose;
as such, they have several differences. AD DS is meant for enterprise service
authentication and administration whereas AD LDS is meant to provide a robust,
easy to implement foundation for other applications to leverage for authentication
and data storage.
Key Points
Many organizations want to use the data stored in AD DS in custom applications.
Such applications often require their own schema attributes, and extending the
AD DS schema is forest-wide and cannot be undone, so most organizations do not
want these applications to store their schema or configuration information in
AD DS. By integrating AD DS and AD LDS you can synchronize the needed data from
AD DS into an AD LDS instance (with the Adamsync tool) and let the application
extend the AD LDS schema instead of the AD DS schema.
Additional Reading
AD LDS Help File:
"Synchronize with Active Directory Domain Services"
"Import the User Classes That Are Supplied with AD LDS"
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD LDS to implement
directory services for various applications in the organization. You need to
configure the AD LDS server role in preparation for deploying the applications.
Task 2: Use Server Manager to add the AD LDS role to the server
Add the AD LDS Role using Server Manager.
Result: At the end of this exercise, you will have configured an AD LDS instance and
an application partition.
Task 6: Use Dsacls to give User1 and Group1 permissions to view the
application partition
Result: At the end of this exercise, you will have configured user accounts, groups
and access control, and tested the access control.
Result: At the end of this exercise, you will have configured a second replica of an
AD LDS application partition and verified replication.
Review Questions
1. What are the three core partition types in an AD LDS instance?
2. What ways are AD DS and AD LDS similar?
3. What tools are used to administer AD LDS and what are each used for?
4. What are some reasons for deploying multiple AD LDS replicas?
5. How would you configure AD LDS if two applications required schema
attributes that conflict with each other?
Module 4
Introduction to Active Directory Certificate
Services
Contents:
Lesson 1: Overview of Active Directory Certificate Services (AD CS)
Lesson 2: Understanding AD CS Certificates
Lesson 3: Implementing Certificate Enrollment and Revocation
Lab: Exploring Active Directory Certificate Services
Module Overview
One of the most important components in a network security plan is the use of
digital certificates. Digital certificates can be used to secure network traffic, secure
Web sites and secure AD DS authentication. Active Directory Certificate Services
(AD CS) provides the tools and services to create and manage these digital
certificates. Furthermore, the integration of AD CS with AD DS provides
organizations with a cost-effective, efficient, and secure way to manage the
distribution and use of certificates.
Lesson 1
Overview of Active Directory Certificate
Services (AD CS)
Many network security components require the digital certificates that are issued
by a certification authority (CA). When you implement a CA, you have several
options for how to design and configure the CA. This lesson describes some of
these options when deploying a CA such as AD CS.
Key Points
The certification authority (CA) is the entity entrusted to issue certificates to
individuals, computers, or organizations.
The CA performs the following functions:
Verifies the identity of the certificate requestor.
Issues certificates to requesting users, computers and services.
Manages certificate revocation.
Additional reading
Public Key Infrastructure
Key Points
Certification authorities can be chained together in hierarchies. A hierarchy
is created when one CA issues a certificate to another: the subordinate CA's
certificate is signed by the CA above it, and the root CA signs its own
certificate. Clients trust the root CA directly, and through the chain of
issued certificates they trust every subordinate CA beneath it. Because a
compromise of the root's private key invalidates the entire hierarchy, the
root CA is normally kept offline and issues only subordinate CA certificates.
Additional reading
Active Directory Certificate Services Help File: Public Key Infrastructures
Key Points
You can configure a certification authority for your company using an internal
private CA such as AD CS, or you can leverage an external third-party CA.
Additional reading
Certification Authority Trust Model:
Key Points
As with other Active Directory server roles, AD CS can be tightly integrated with
AD DS. There are two main types of servers running AD CS, stand-alone and
enterprise.
Stand-alone CAs
Stand-alone CAs can be installed on a server that is either joined to an Active
Directory domain or even in a workgroup. Stand-alone CAs do not depend on the
use of AD DS.
Enterprise CAs
Enterprise CAs must be:
Installed on a domain joined server
Integrated with AD DS.
Additional reading
Active Directory Certificate Services Help File:
Enterprise Certification Authorities
Stand-Alone Certification Authorities
Questions
Lesson 2
Understanding AD CS Certificates
Key Points
The certificate carries the public key and can be distributed to any client
that requests it. The certificate provides:
Information about the subject of the certificate
Information about the validity period of the certificate
Information about the applications and services that can use the certificate
(its key usage and enhanced key usage)
A way to identify the holder of the certificate
The private key is usually stored only on the computer from which the original
certificate request was made, and it must not be disclosed: anyone who holds it
can decrypt data encrypted to the certificate or sign as its subject.
Additional reading
X.509 Technical Supplement
Key Points
The public key and the private key are a mathematically matched pair of numbers.
Data encrypted with one key can be decrypted only with the other; the key that
encrypted the data cannot decrypt it, which is why this is called an asymmetric
process. Which key does which job depends on the operation: to send data that
only the certificate holder can read, you encrypt with the public key and the
holder decrypts with the private key; to prove that data came from the holder,
the holder signs with the private key and anyone can verify with the public key.
Additional reading
How Encrypting File System Works
Questions
Key Points
Certificate templates are used by AD CS enterprise CAs to define what type of
certificates can be issued by the CAs.
Default templates
When you install AD CS, several default templates are created. Some of the default
certificate templates are:
Basic EFS (Encrypting File System)
Key Recovery Agent (for a user who can recover other users' archived private keys)
Router (Offline request) (for encrypting router communications)
Smartcard Logon (certificates used for smart card logon)
Web Server (for Secure Sockets Layer (SSL))
Additional reading
Active Directory Certificate Services Help:
Default Certificate Templates
Managing Certificate Templates
Lesson 3
Implementing Certificate Enrollment and
Revocation
When you deploy AD CS, one of the primary issues that you need to address is
how you will distribute and revoke certificates. This lesson describes what
certificate enrollment is and how to administer and automate the enrollment
process. This lesson also discusses certificate revocation, why it is important and
how to revoke certificates.
Key Points
AD CS provides three main options for enrolling for certificates: the built-in
Web site on the CA, manual enrollment, and auto-enrollment.
Web enrollment
If the CA Web Enrollment role service (which requires Internet Information
Services (IIS)) is installed on the CA, users can request and retrieve
certificates through a Web site on the CA. This method suits cases where
auto-enrollment cannot be used.
Manual enrollment
Manual or offline enrollment is used when the requestor cannot communicate
directly with the CA, or when the device (a router or a non-Windows Web server,
for example) does not support auto-enrollment: the request is generated on the
device, submitted to the CA as a file, and the issued certificate is installed
by hand.
Auto-enrollment
Auto-enrollment is used for AD DS domain-joined computers and their users. It
requires an enterprise CA, a certificate template on which the requestors have
Read, Enroll and Autoenroll permissions, and the auto-enrollment Group Policy
setting enabled. Once configured, the requestor automatically requests,
retrieves and renews certificates without any end-user interaction.
Questions
Key Points
Regardless of whether you use Web enrollment, offline or auto-enrollment, there
are four basic steps (outlined in the slide) of the enrollment process. The auto-
enrollment process takes each of the steps without any user or administrative
interaction.
Questions
1. When was the private key generated for the Web server?
2. Why does Web enrollment require an administrator to approve the certificate
requests?
Key Points
Auto-enrollment enables organizations to automatically deploy certificates to users
and computers. The auto-enrollment feature allows organizations to manage all
aspects of the certificate life cycle, including certificate enrollment, certificate
renewal, and certificate revocation.
Key Points
Certificate revocation is the invalidation of a certificate before its
expiration date. You would revoke a certificate before it expires if:
The certificate is no longer needed.
The computer where the private key was stored, or the CA itself, was
compromised and is no longer secure.
The certificate was replaced by a new one.
A client only learns of a revocation by checking the CA's certificate
revocation list (CRL), so the CRL must be published to a location clients can
reach, and published again before the previous CRL expires.
Additional reading
Active Directory Certificate Services Help:
Creating a Revocation Configuration
Question
Other than the CA MMC, where would you be able to tell if a certificate is valid?
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has implemented Windows Server 2008
and is planning on using AD CS to issue certificates for internal network users,
computers and servers. The AD CS Server role has been deployed. Your task is to
ensure that the Web enrollment and manual processes for managing certificates
are working.
Task 3: Using the Certificates snap-in, verify that the user certificate
was successfully installed
1. Run the mmc.exe command and add the Certificates snap-in for the current
user account.
2. Click Certificates - Current User, click Personal, and then click the
Certificates node to verify that the user certificate is installed.
Result: At the end of this exercise, you will have requested a certificate using Web
enrollment.
3. In the request certificate dialog box, type the following information for each
field below:
Common name: NYC-SRV1
Organization: Woodgrove Bank
Organizational Unit: Corporate
City/locality: New York
State: New York
Country/region: US
4. Specify a file name for the certificate request. Type
C:\Users\Administrator\Documents\NYC-SRV.txt and click Finish.
Task 4: Install the issued certificate on the Web server and verify the
certificate is valid
1. On NYC-SRV1 open IIS Manager.
2. Using the Server Certificates management module, in the Action pane, click
Complete Certificate Request.
3. Use the certificate response that was downloaded in the previous step:
C:\Users\Administrator\Download\certnew
Task 6: Using Internet Explorer, verify that the Web certificate has
been revoked
Use Internet Explorer, go to https://NYC-SRV1 and verify that the certificate
has been revoked.
Result: At the end of this exercise, you will have requested and approved a
certificate for a Web server. You will have also revoked the certificate, published the
revoked certificate and verified that the certificate has been revoked.
Review Questions
1. What are some reasons that a certificate would need to be revoked?
2. What types of enrollment can be done with NDES?
3. Which editions of Windows Server 2008 support the advanced integration
features of AD CS and AD DS?
4. In order to enable auto-enrollment what must be true of the client computers
AD DS configuration?
Module 5
Introduction to Active Directory Rights
Management Services
Contents:
Lesson 1: AD RMS Overview
Lesson 2: Understanding AD RMS
Lesson 3: Managing AD RMS
Lab: Exploring Active Directory Rights Management Services
Module Overview
In the Windows Server 2008 operating system, you can restrict access to digital
information by setting permissions on shared folders or Web sites. However,
these permissions do not control what users can do with content once they have
opened it: a user who can read a file can copy, forward or print it. In recent
years, helping to protect digital information
from theft and improper use has become a priority in many enterprises. Active
Directory Rights Management Services (AD RMS) provides a method for helping
to protect documents from improper use by establishing and enforcing persistent
use rights for documents. AD RMS can be used to protect content even after it is
distributed to other people.
Lesson 1
AD RMS Overview
Overview of AD RMS
Key Points
Active Directory Rights Management Services (AD RMS) is an information
protection technology that works with AD RMS-enabled applications to help
safeguard digital information from unauthorized use. There are compelling reasons
to invest in rights management: to protect an enterprise's intellectual property, to
address new governmental regulations, or to better track and control access to
company data.
Key Points
AD RMS has three main functions:
Creation of rights-protected content
Licensing and distributing these rights-protected resources
Consuming the rights-protected resources
Additional Reading
Windows Server 2008 Component Posters (download Windows Server 2008
Active Directory Components.pdf )
Key Points
A number of enterprise-level options are available for rights-protected content.
Using the options will largely depend on what type of data the company needs to
protect.
Lesson 2
Understanding AD RMS
AD RMS Components
Key Points
There are a number of components that interact when using AD RMS. It is
important to have a clear understanding of each of the components:
Author. The user or service that generates the rights-protected document.
AD RMS-enabled applications. Specific applications are enabled for and can
interact with AD RMS. These applications can be used by the author to create
and help protect content. They are used by recipients to read protected
content, and they enforce the rights the author assigned.
Recipient. The user or service that accesses the rights-protected document.
AD RMS Server. The server that has the AD RMS server role installed on it.
This server is responsible for providing the licenses to control access to
content. When the first AD RMS server is installed, an AD RMS root cluster is
created. Other AD RMS servers can be added to the cluster.
Key Points
AD RMS uses certificates and licenses to authenticate and authorize users to assign
permissions and to view protected content.
Additional Reading
About Active Directory Rights Management Services
Active Directory Rights Management Services Overview
Key Points
The AD RMS components interact as described below to generate the rights-
protected content.
1. The first time a user tries to rights-protect content using AD RMS, the client
application requests a rights account certificate (RAC), which identifies the
user, and a client licensor certificate (CLC), which lets the user publish
content even while offline, from the AD RMS cluster.
2. The author creates content using an AD RMS-enabled application and
specifies the rights each user or group receives. The application generates a
random symmetric content key and encrypts the content with it.
3. The application builds the publishing license. It contains the rights policy
and the content key, encrypted with the public key of the AD RMS cluster, so
that only the cluster can release the content key later.
4. The rights-protected content, with the publishing license attached, can now
be sent to the recipients.
Additional Reading
Windows Server 2008 Component Posters (download Windows Server 2008
Active Directory Components.pdf)
Key Points
The process for consuming the protected content is as follows:
1. The recipient receives the file and opens it with an AD RMS-enabled
application or browser. If no rights account certificate (RAC) is stored on
the computer for the recipient, the client application requests one and the
AD RMS cluster issues it.
2. The application sends a request for a use license to the AD RMS cluster that
issued the publishing license (if the file was published offline, to the
cluster that issued the author's CLC). The request includes both the
recipient's RAC and the publishing license for the file.
3. The AD RMS cluster confirms or denies that the recipient is authorized. If the
user is named in the publishing license (directly or through group membership),
the cluster creates a use license for the user: it decrypts the content key
with the cluster's private key, re-encrypts it with the public key from the
recipient's RAC, and places the re-encrypted content key in the use license.
This ensures that only the intended recipient can recover the content key.
4. The AD RMS cluster sends the generated use license to the recipient's
computer.
5. The application examines both the license and the recipient's account
certificate to determine whether any certificate in either chain of trust has
been revoked, and then grants access only as specified by the content author.
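The hand-offs in steps 1 to 5 above, and the matched-key relationship described in Module 4 (whatever one half of a key pair encrypts, only the other half recovers), as an added example that is not Microsoft's code. It models the content key sealed to the cluster in the publishing license, the cluster unsealing it and resealing it to the recipient in the use license, and a recipient who is not named in the publishing license being refused. The RSA here uses small primes and no padding and the content cipher is a hash keystream, so it demonstrates the flow only; the names and keys are constructed.

```python
"""Toy model of the AD RMS licensing flow on top of a textbook RSA key pair.

Added example, not Microsoft's code. RSA uses small primes and no padding, and
the content cipher is a SHA-256 keystream rather than AES, so this illustrates
the key relationships and license hand-offs only. Names are hypothetical."""
import hashlib
import math
import random


def next_prime(n):
    """Smallest prime >= n by trial division; fine for the ~1e6 values used here."""
    while not (n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n


def make_keypair(seed_p, seed_q, e=65537):
    """Return ((e, n), (d, n)): the public and private halves of one matched pair."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:      # e must be invertible mod phi
        p, q = next_prime(p + 1), next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa_apply(m, key):
    """Raw RSA. Whatever one half of the pair encrypts, only the other half undoes."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


def content_cipher(data, content_key):
    """Symmetric stand-in for the content encryption; XOR is its own inverse."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(content_key.to_bytes(16, "big") + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def publish(content, grants, cluster_pub, rng):
    """Author side: fresh content key, content encrypted with it, and a publishing
    license carrying the rights plus the content key sealed to the cluster's public key."""
    content_key = rng.getrandbits(32)
    return {"ciphertext": content_cipher(content, content_key),
            "publishing_license": {"grants": dict(grants),
                                   "sealed_key": rsa_apply(content_key, cluster_pub)}}


def issue_use_license(pub_license, recipient, recipient_pub, cluster_priv):
    """Cluster side: refuse anyone not named in the publishing license; otherwise
    unseal the content key with the cluster private key and reseal it to the recipient."""
    rights = pub_license["grants"].get(recipient)
    if not rights:
        return None
    content_key = rsa_apply(pub_license["sealed_key"], cluster_priv)
    return {"rights": rights, "sealed_key": rsa_apply(content_key, recipient_pub)}


def consume(ciphertext, use_license, recipient_priv):
    """Recipient side: only the private key matching the license's public key
    recovers the real content key; any other key yields garbage."""
    return content_cipher(ciphertext, rsa_apply(use_license["sealed_key"], recipient_priv))


# Constructed demo data: one key pair for the cluster and one per user.
CLUSTER_PUB, CLUSTER_PRIV = make_keypair(1_000_000, 2_000_000)
MANISH_PUB, MANISH_PRIV = make_keypair(3_000_000, 4_000_000)
DANA_PUB, DANA_PRIV = make_keypair(5_000_000, 6_000_000)
DOCUMENT = b"Q3 forecast: Marketing only, do not forward."


def demo():
    rng = random.Random(7)
    pkg = publish(DOCUMENT, {"Manish": ["view"]}, CLUSTER_PUB, rng)
    lic = pkg["publishing_license"]
    manish_lic = issue_use_license(lic, "Manish", MANISH_PUB, CLUSTER_PRIV)
    dana_lic = issue_use_license(lic, "Dana", DANA_PUB, CLUSTER_PRIV)
    return {"manish_plain": consume(pkg["ciphertext"], manish_lic, MANISH_PRIV),
            "dana_license": dana_lic,
            # Dana holding a copy of Manish's use license still lacks his private key.
            "stolen_plain": consume(pkg["ciphertext"], manish_lic, DANA_PRIV)}


if __name__ == "__main__":
    r = demo()
    print(r["manish_plain"].decode())
    print("Dana granted a license:", r["dana_license"] is not None)
    print("Stolen license readable:", r["stolen_plain"] == DOCUMENT)
```

The point the model makes is that the publishing license is safe to travel with the document, because the content key inside it is sealed to the cluster, and the use license is safe to intercept, because the content key inside it is sealed to the recipient's own key pair; the cluster's private key and the recipient's private key are the two secrets the whole scheme rests on.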
Questions
Lesson 3
Managing AD RMS
Managing AD RMS includes installing the AD RMS role and creating policies and
templates. This lesson provides an overview of installing AD RMS as well as
managing the policies and templates that control how AD RMS functions.
Key Points
Installing the AD RMS role requires completion of some preliminary tasks for the
installation to be successful.
Additional Reading
Windows Server Active Directory Rights Management Services Step-by-Step
Guide
AD RMS Help File: Installing an AD RMS Cluster
Question
Key Points
Exclusion policies can be configured to:
Exclude specific users from viewing rights-protected content.
Exclude certain versions of Microsoft Windows, lockboxes, or applications
that are known to have compatibility or security issues.
Questions
Key Points
Rights policy templates provide a manageable way for organizations to establish
different rules for protecting different types of information. For example, an
organization might create rights policy templates for their employees that assign
separate usage rights and conditions for company confidential, classified, and
private data. AD RMS-enabled applications can use these templates, providing a
simple, consistent way for workers to apply predefined policies to information.
Question
What is the difference between content expiration and use license expiration?
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has implemented Windows Server 2008
and is planning on using AD RMS to help provide enhanced content security for e-
mails and documents distributed within the organization. The AD RMS server role
has been deployed. Your task is to ensure that AD RMS is working and to ensure
that the AD RMS configuration can be modified if required.
Task 4: Open Active Directory Users and Computers and assign e-mail
addresses for Dana Birkby, Manish Gupta, Byarne Riis and the
NYC_MarketingGG global group
1. Locate the following users in the Marketing OU inside the NYC OU and assign
the indicated e-mail addresses:
Dana Birkby: Dana@woodgrovebank.com
Manish Gupta: Manish@woodgrovebank.com
Byarne Riis: Byarne@woodgrovebank.com
2. Modify the properties of the NYC_MarketingGG group to assign an e-mail
address of NYCMarketingGG@woodgrovebank.com.
Task 6: Log on as Manish and ensure that the Office Word document
has restrictions assigned
1. Log on to 6424A-NYC-SRV1 as Manish using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\Confidential in Microsoft Office
Word 2007.
3. Click View Permission in the Information bar.
4. In the My Permission window, verify that the user you are logged on as has
permissions to View, Edit, Copy and Save this document.
5. Close Word and log off.
Task 7: Log on as Bjarne and ensure that the Word document has
restrictions assigned
1. Log on to 6424A-NYC-SRV1 as Bjarne using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\Confidential in Word.
3. Click View Permission in the Information bar.
4. In the My Permission window, verify that the user you are logged on as has
permissions to View and Print this document.
5. Close Word and log off.
Result: At the end of this exercise, you will have configured three user accounts with
e-mail addresses and used one of the user accounts to protect a document that is
stored on a shared folder. You will have also verified that the restrictions applied to
the document were enforced.
Result: At the end of this exercise, you will have modified the AD RMS configuration
by configuring an exclusion policy and by creating a custom rights policy template
for the Marketing department. You will have also verified that these modifications
were implemented correctly.
Review Questions
1. When might an administrator choose to exclude a specific user or group?
2. What is the difference between an exclusion list and a revocation list?
3. When is a SQL Server required to be deployed to support AD RMS?
4. When must AD RMS be installed in relation to the configuration of AD FS if it
is to be used to access AD RMS content?
5. What is the difference between the online and offline publishing process?
Module 6
Introduction to Active Directory Federation
Services
Contents:
Lesson 1: AD FS Overview
Lesson 2: AD FS Deployment Scenarios
Lesson 3: Configuring AD FS Components
Lab: Exploring Active Directory Federation Services
Module Overview
Lesson 1
AD FS Overview
Key Points
Identity federation is a means by which organizations can enable user access to
resources between different organizations or between different server platforms.
One of the goals of an identity federation solution is to allow companies to manage
their own directories while still securely exchanging authentication and
authorization information between organizations.
Key Points
AD FS has been designed to meet the needs of several common scenarios. The
main scenarios are as follows.
Additional reading
ADFS Help File: Understanding Federation Designs
Benefits of Deploying AD FS
Key Points
Leveraging AD FS in an enterprise benefits both administrators and users in the
following ways.
Regulatory compliance
AD FS enables application access to business partners or Internet users but does so
in such a way that both organizations still maintain strict control over all data.
Lesson 2
AD FS Deployment Scenarios
Key Points
A federation trust is a relationship created between two organizations within AD
FS. This relationship allows for accounts to be authenticated in one organization,
and used to access resources in the other organization.
Account Partner
An account partner is the organizational partner in the trust relationship that hosts
and manages the user accounts used in the relationship.
Resource Partner
The resource partner physically houses the Web servers that host one or more
Web-based applications. The resource partner trusts the account partner to
authenticate users. Therefore, when it makes authorization decisions, the resource
partner accepts security tokens that are produced by the account partner.
Additional reading
AD FS Help:
Understanding Federation Trusts
Understanding AD FS Terminology
Key Points
AD FS has six main components that provide the functionality.
Additional reading
AD FS Help:
Understanding AD FS Terminology
Understanding AD FS Role Services
Key Points
The AD FS Federated Web business-to-business (B2B) scenario involves secure
communication that often spans multiple firewalls, perimeter networks, and name
resolution servers, in addition to the entire Internet routing infrastructure.
An example scenario
An online retailer and a manufacturing company could deploy AD FS using a B2B
scenario. The online retailer, as the resource partner, would install a Web server
with the AD FS Web agent installed, the resource federation proxy, and the
resource federation service. The manufacturing company, as the account partner,
would install and configure an account federation server to use the internal AD DS
domain and an account federation proxy so that the account federation server
would not need to be directly exposed to the Internet. The federation trust would
then be created from the online retailer to the manufacturer. Once this solution is
installed and configured, users at the manufacturer can log on to the retailer's Web
site.
Additional reading
AD FS Help:
Understanding Federation Trusts
Understanding AD FS Terminology
Key Points
The following steps describe the flow of communication in a B2B scenario.
1. The employee uses their Web browser to open the application on the Web
server using an SSL/TLS session.
2. Since the Web browser does not have a token to present to the Web server, the
Web browser is redirected to the default logon URL at the resource Federation
Server. The resource Federation Server determines the user's home
organization.
3. The Web browser is redirected to the logon page for the Federation Server at
the user's home organization (in this case, the account partner Federation
Server). The office employee authenticates by using their currently logged-on
desktop session credentials through Windows integrated authentication or by
being asked to provide credentials by their Federation Server. The account
Federation Service and the Active Directory account information are used to
validate the office employee's credentials and obtain attributes for building a
Security Assertion Markup Language (SAML) security token. The security
token is stored as a cookie in the Web browser.
4. The Web browser is redirected to the Federation Server at the resource
partner. The Web browser presents the security token to the resource
Federation Server. The Federation Server checks the security token, and then
issues a security token that can be used to access the Web server.
5. The Web browser is redirected to the Web server where it presents the security
token issued by the resource Federation Server. The Web server evaluates the
security token, and if acceptable, it creates an authentication token that is
written to the browser and then used to access the application.
Additional reading
AD FS Help: Understanding Federation Designs
Key Points
In the Web single sign-on scenario, an organization deploys a Web application in a
perimeter network. This Web application may need to be available to the following
different groups of people.
Employees who are on the internal network.
Employees who are outside the office and accessing the application through
the Internet.
Non-employees who are accessing the application from the Internet.
Additional reading
AD FS Help: Understanding Federation Designs
Key Points
By integrating AD FS with Active Directory Rights Management Services (AD RMS),
enterprises can leverage their established federated trust relationships to extend
the AD RMS functionality outside the organization. For example, an organization
that is planning to deploy AD RMS can set up a federation trust with another
organization by using AD FS. The organizations can then leverage this relationship
to share rights-protected content across the two organizations without requiring a
deployment of AD RMS in both organizations.
Lesson 3
Configuring AD FS Components
The previous lesson discussed the overall design of an AD FS solution and the
components that are used to construct the solution. This lesson provides an
overview of configuring the AD FS components as well as managing trust policies
and Web agents.
Key Points
In order to implement the Federation Service, Federation Service Proxy and AD FS
Web Agent Roles, the requirements listed on the slide must be met.
Additional reading
AD FS Help: Requirements for AD FS
Key Points
To configure the Federation Service or federation server farm you use the AD FS
Microsoft Management Console (MMC) snap-in, which is installed when you
install the Federation Service server role. You can also use the snap-in to manage
the trust policy that is associated with your Federation Service.
Additional reading
AD FS Help: Add a resource partner
Key Points
Trust policies are the configuration settings that define the federated trust and how
the federated trust works.
When configuring the resource partner trust policy, you need to configure the
following options:
Token Lifetime. This defines how long a Security Assertion Markup Language
(SAML) token will stay valid. The default value is 600 minutes (10 hours); the
minimum value is one minute.
Federation Service URI. This is a case-sensitive string that uniquely identifies a
Federation Service. This URI also identifies the federation server farm
membership of the federation server.
Federation Service endpoint URL. This is the single location, or "public URL,"
that is used to contact all federation servers in a server farm.
Use Windows trust relationship for this partner. This option is used when an
Active Directory forest trust is in place and should be used.
When configuring the account partner trust policy, configure the same options as
above plus the following:
Location for a certificate to verify the resource partner. This is the location on
the file system where the certificate is stored. This certificate is used to verify
that the resource partner is valid.
How resource accounts are created.
Questions
Key Points
The AD FS Web Agent consumes security tokens and then either allows or denies a
user access to a Web application. Authorization to use the Web application
requires a relationship between the AD FS Web Agent and a resource Federation
Service so that it can direct the user to the Federation Service as needed.
Once the Web server is properly configured with the prerequisite applications and
certificates, the AD FS Web Agent role services can be installed. You can install the
Web agents by installing the AD FS server role and choosing to install either the
claims-aware agent or the Windows token-based agent.
Additional reading
Claims-aware Applications
Windows NT token-based applications
Question
After configuring the Web Proxy Agent in IIS Manager what else needs to be done
to allow the application to use AD FS?
Key Points
An AD FS claim is a statement made about a user that is understood by both
partners in an AD FS federation scenario. This statement may be, for example, the
name, identity, group membership, privilege, or capability of the user and is
provided for authorization purposes in an application. The claims are transferred
between federation partners to properly authenticate and authorize users.
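The following is an added example, not part of the course and not AD FS code. It models in PowerShell the token handling behind the B2B flow in Lesson 2 (steps 3 and 4), the resource partner trust policy options above (partner URI, verification certificate, token lifetime) and the claim mapping this topic describes: the account Federation Service signs a token carrying group claims, and the resource Federation Service accepts it only if the issuer URI matches the trust policy exactly, the signature verifies under the partner's verification key, and the lifetime is within policy, after which it issues its own token for the Web agent. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (.NET RSACng). The browser redirects, the SAML XML format and the certificates themselves are collapsed into a JSON payload with a detached RSA signature; key pairs, URIs, claim names and users are constructed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Added example, not AD FS code. Each Federation Service signs with its own private key
# and gives the partner only the public half (the verification certificate in the trust policy).
$accountFsKey  = [RSACng]::new(2048)   # Woodgrove Bank, account partner
$resourceFsKey = [RSACng]::new(2048)   # Contoso Inc, resource partner

function Get-PublicKey([RSA]$KeyPair) {
    $pub = [RSACng]::new(); $pub.ImportParameters($KeyPair.ExportParameters($false)); return $pub
}

function New-SecurityToken([RSA]$SigningKey, [string]$Issuer, [string]$Audience, [string]$Subject,
                           [string[]]$GroupClaims, [int]$LifetimeMinutes) {
    # Times are Unix seconds so the payload round-trips through JSON unchanged; the
    # signature covers exactly the serialized bytes.
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $payload = [ordered]@{
        Issuer = $Issuer; Audience = $Audience; Subject = $Subject; Groups = $GroupClaims
        IssuedAt = $now; Expires = $now + 60 * $LifetimeMinutes
    } | ConvertTo-Json -Compress
    $sig = $SigningKey.SignData([Encoding]::UTF8.GetBytes($payload),
                                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    return @{ Payload = $payload; Signature = [Convert]::ToBase64String($sig) }
}

# Account partner entry as it would be configured on the resource Federation Service.
$trustPolicy = @{
    LocalUri        = 'urn:federation:contosoinc'       # this Federation Service's own URI
    PartnerUri      = 'urn:federation:woodgrovebank'    # case-sensitive; must match exactly
    VerificationKey = Get-PublicKey $accountFsKey       # from the partner's verification certificate
    TokenLifetime   = 600                               # minutes; the trust policy default
    ClaimMapping    = @{ 'Woodgrove App Claim' = 'ContosoApp_Users' }   # incoming group claim -> local claim
}

function Test-IncomingToken($Token, $Policy) {
    # Returns the reasons for rejection; an empty list means the token is accepted.
    $findings = @()
    $claims = $Token.Payload | ConvertFrom-Json
    # Issuer and audience are compared with -cne: the default -eq is case-insensitive and
    # would accept a URI the trust policy does not actually contain.
    if ($claims.Issuer   -cne $Policy.PartnerUri) { $findings += "issuer '$($claims.Issuer)' is not the configured partner URI" }
    if ($claims.Audience -cne $Policy.LocalUri)   { $findings += 'token was issued for a different Federation Service' }
    $sigOk = $Policy.VerificationKey.VerifyData([Encoding]::UTF8.GetBytes($Token.Payload),
                 [Convert]::FromBase64String($Token.Signature), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if (-not $sigOk) { $findings += 'signature does not verify under the partner verification key' }
    $nowSec = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.Expires -le $nowSec) { $findings += 'token has expired' }
    if (($claims.Expires - $claims.IssuedAt) -gt 60 * $Policy.TokenLifetime) { $findings += 'token lifetime exceeds the trust policy' }
    return ,$findings
}

function Invoke-ResourceFederationService($IncomingToken, $Policy, [RSA]$SigningKey) {
    # Step 4: check the account partner's token, then issue this side's own token for the Web agent.
    $findings = Test-IncomingToken $IncomingToken $Policy
    if ($findings.Count -gt 0) { return @{ Accepted = $false; Reason = ($findings -join '; ') } }
    $claims = $IncomingToken.Payload | ConvertFrom-Json
    $mapped = @($claims.Groups | Where-Object { $Policy.ClaimMapping.ContainsKey($_) } |
                                 ForEach-Object { $Policy.ClaimMapping[$_] })
    $token = New-SecurityToken $SigningKey $Policy.LocalUri 'https://app.contoso.com/' $claims.Subject $mapped 60
    return @{ Accepted = $true; Token = $token }
}

# --- Walk-through with constructed tokens -----------------------------------------------
$good     = New-SecurityToken $accountFsKey 'urn:federation:woodgrovebank' 'urn:federation:contosoinc' 'dana@woodgrovebank.com' @('Woodgrove App Claim') 600
$badUri   = New-SecurityToken $accountFsKey 'URN:Federation:WoodgroveBank' 'urn:federation:contosoinc' 'dana@woodgrovebank.com' @('Woodgrove App Claim') 600
$tampered = @{ Payload = $good.Payload.Replace('dana@', 'mallory@'); Signature = $good.Signature }   # subject edited after signing
$tooLong  = New-SecurityToken $accountFsKey 'urn:federation:woodgrovebank' 'urn:federation:contosoinc' 'dana@woodgrovebank.com' @('Woodgrove App Claim') 1440

foreach ($t in $good, $badUri, $tampered, $tooLong) {
    $r = Invoke-ResourceFederationService $t $trustPolicy $resourceFsKey
    if ($r.Accepted) { 'accepted, resource token claims: ' + (($r.Token.Payload | ConvertFrom-Json).Groups -join ', ') }
    else             { 'rejected: ' + $r.Reason }
}
```

Only the first token is accepted and re-issued with the mapped ContosoApp_Users claim. The second fails the case-sensitive URI comparison, the third fails signature verification because the subject was changed after signing, and the fourth is rejected because it claims a 24-hour life against a 600-minute policy. The resource partner never sees Woodgrove's password or directory; it trusts exactly what the account partner signed and nothing more.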
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has established a strategic partnership
with Contoso Inc. Users at Woodgrove Bank must be able to access an application
located at Contoso Inc. For security reasons, the organizations cannot implement a
trust between the company domains. The organizations have decided to deploy AD
FS to provide the required access to the application. You must configure the AD FS
servers at Woodgrove Bank to enable access to the application. Administrators at
Contoso Inc. will be responsible for configuring their servers.
Result: At the end of this exercise, you will have made decisions on the placement of
AD FS components. You will have also determined some basic configuration
information for each component.
Task 2: On RED-SRV1, configure the trust policy for the Federation
Service in Contoso Inc
Display name: Contoso Inc
Federation Service URI: urn:federation:contosoinc
Federation Service endpoint: https://adfsresource.contoso.com/adfs/ls/
Task 3: Create a group claim named Woodgrove App Claim for the
claims-aware application
Result: At the end of this exercise, you will have configured the AD FS components
for the resource partner.
Review Questions
1. After defining a Web application in the AD FS Management tool what also
must be done to have an application begin to authenticate AD FS tokens?
2. Where are certificates used in an AD FS deployment?
3. Why would a Federation Service Proxy role server be needed?
4. Can the Web Proxy agent be installed on an older version of Windows Server?
Module 7
Creating Active Directory Domain Services User
and Computer Objects
Contents:
Lesson 1: Managing User Accounts
Lesson 2: Creating Computer Accounts
Lesson 3: Using Queries to Locate Objects in Active Directory
Lab: Creating AD DS User and Computer Accounts
Module Overview
Lesson 1
Managing User Accounts
In AD DS for Windows Server 2008, all users that require access to network
resources must be configured with a user account. With this user account, users
can be authenticated to the AD DS domain and granted access to network
resources. As the AD DS administrator, you will need to know how to create and
configure user accounts.
Key Points
A user account is an object that contains all of the information that defines a user
in Windows Server 2008. The account can be either a local or a domain account. A
user account includes the user name and password as well as group memberships.
Usage
With a user account, you can:
Allow users to log on to a computer based on their user account identity.
Grant users access to processes and services for a specific security context.
Manage users' access to resources such as AD DS objects and their properties,
shared folders, files, directories, and printer queues.
Key Points
When creating a user account, an administrator types a user logon name. User
logon names must be unique in the domain in which the user account is created.
Additional reading
Object Names
Key Points
As a systems administrator, you can manage user account password options. These
options can be set when the user account is created or in the Properties dialog box
of a user account.
Additional reading
Microsoft Windows Server 2008 Help
Key Points
A number of tools are available for creating and managing user accounts, including
command-line and batch utilities. The most common tools for managing user and
group accounts are Active Directory Users and Computers for managing domain
accounts and User Accounts for managing local accounts on computers running
the Windows Server 2008 or Windows Vista operating system.
Additional reading
Local accounts
Dsadd
Question
When would you use a tool like DSAdd to create user accounts?
Additional reading
Dsadd
Questions
1. Why are you prompted to change the additional names when you change the
user name?
2. Why would you rename a user name in AD DS when a user changes their
name rather than deleting the account and creating a new account with the
new name?
Additional reading
Rename a User Account
Key Points
A user account template is an account that has commonly used settings and
properties already configured. You can use user account templates to simplify the
process of creating domain user accounts.
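The following is an added example, not part of the course: a PowerShell function that creates a domain user from a template account, bringing together the three topics above (unique logon names, password options, and templates). It assumes the ActiveDirectory PowerShell module (available with RSAT from Windows Server 2008 R2 onward, not the Windows Server 2008 RTM tools the course describes) and a template account named _Tpl_CustomerService, which is an assumed name. Only organisational attributes and group memberships are copied; the personal fields stay blank, which is the behaviour the question below asks about.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module (RSAT, Windows
# Server 2008 R2 or later) and a template account such as '_Tpl_CustomerService' (assumed name).
Import-Module ActiveDirectory

function Test-LogonNameAvailable([string]$SamAccountName, [string]$UserPrincipalName) {
    # Both logon names must be unique in the domain; Get-ADUser returns nothing when no
    # object matches, so two empty lookups mean the names are free.
    $bySam = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)"
    $byUpn = Get-ADUser -LDAPFilter "(userPrincipalName=$UserPrincipalName)"
    return ($null -eq $bySam -and $null -eq $byUpn)
}

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][SecureString]$Password
    )
    # Constrain the name before it goes into an LDAP filter; 20 characters is the
    # pre-Windows 2000 logon name limit.
    if ($SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') { throw "invalid logon name '$SamAccountName'" }
    $upn = "$SamAccountName@$((Get-ADDomain).DNSRoot)"
    if (-not (Test-LogonNameAvailable $SamAccountName $upn)) { throw "logon name '$SamAccountName' is already in use" }

    # Only organisational attributes are copied. Personal fields (name, phone, mail,
    # home folder) are left for the administrator, which is why a copied account shows
    # blank fields in the console.
    $copied = 'Department', 'Company', 'Title', 'Office', 'StreetAddress', 'City',
              'State', 'PostalCode', 'Manager', 'ScriptPath'
    $tpl  = Get-ADUser -Identity $TemplateSam -Properties $copied
    $path = ($tpl.DistinguishedName -split ',', 2)[1]    # create the user in the template's OU
    $attrs = @{}
    foreach ($p in $copied) { if ($tpl.$p) { $attrs[$p] = $tpl.$p } }

    # Password options: the user must change the initial password at first logon, the
    # password expires with domain policy, and the user is allowed to change it.
    New-ADUser @attrs -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName $upn -Path $path `
        -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $true -PasswordNeverExpires $false -CannotChangePassword $false

    # Group memberships follow the template too; Domain Users is the primary group and
    # comes with every account, so it is skipped.
    Get-ADPrincipalGroupMembership -Identity $TemplateSam |
        Where-Object { $_.SamAccountName -ne 'Domain Users' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $SamAccountName }

    return Get-ADUser -Identity $SamAccountName -Properties Department, Office, MemberOf
}

# Usage (values constructed). Prompting keeps the initial password out of scripts and history.
# New-UserFromTemplate -TemplateSam '_Tpl_CustomerService' -GivenName 'Dana' -Surname 'Birkby' `
#     -SamAccountName 'Dana' -Password (Read-Host -AsSecureString 'Initial password')
```

Keeping the template account disabled with a long random password is what makes this approach safe: the template is never a logon account, only a source of attributes, and the new account is created enabled with its own password and a forced change at first logon.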
Additional reading
Copying User Accounts
Questions
1. Why are some fields not populated when you create a new user from a
template?
2. How could you make a template account easy to find in AD DS?
Lesson 2
Creating Computer Accounts
In AD DS, computers are security principals, just like users. This means that
computers must have accounts and passwords. To be fully authenticated by
AD DS, a user must have a valid user account, and the user must also log on to the
domain from a computer that has a valid computer account. All computers
running Microsoft Windows NT or later operating systems must have computer
accounts in AD DS.
Key Points
Computers access network resources to perform key tasks such as authenticating
user logon, obtaining an IP address, and receiving security policies. To have full
access to these network resources, computers must have valid accounts in AD DS.
The two main functions of a computer account are performing security and
management activities.
Additional reading
Manage computers
Key Points
You can create computer accounts in AD DS by joining the computer to the
domain, or by pre-staging computer accounts before joining the computer to the
domain. Both administrators and users can join computers to the domain.
Additional reading
Join a computer to a domain
Manage computers
Key Points
The most commonly used properties for computer accounts in AD DS are the
Location and Managed by properties. To maintain computers, you must find the
physical location of the computers.
The Location property can be used to document the computer's physical
location in your network.
The Managed By property lists the individual responsible for the computer.
This information can be useful when you have a data center with servers for
different departments and you need to perform maintenance on the server.
You can call or send e-mail to the person who is responsible for the server
before you perform maintenance on the server.
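The following is an added example, not part of the course: PowerShell functions that pre-stage a computer account with its Location and Managed By properties filled in, resolve Managed By back to a person to contact before maintenance, and report computers that are missing either property. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); the OU path, computer name and responsible user are constructed.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module; OU path and names are constructed.
Import-Module ActiveDirectory

function New-PrestagedComputer {
    param(
        [Parameter(Mandatory)][string]$Name,        # must match the name the machine will join with
        [Parameter(Mandatory)][string]$OUPath,      # e.g. 'OU=Servers,OU=NYC,DC=woodgrovebank,DC=com'
        [Parameter(Mandatory)][string]$Location,    # free text for the Location property
        [Parameter(Mandatory)][string]$ManagedBy    # sAMAccountName of the responsible user or group
    )
    # Managed By stores a distinguished name, so resolve the principal first and fail
    # early if it does not exist rather than creating an undocumented account.
    $owner = Get-ADObject -LDAPFilter "(sAMAccountName=$ManagedBy)"
    if (-not $owner) { throw "Managed By principal '$ManagedBy' was not found" }
    New-ADComputer -Name $Name -Path $OUPath -Location $Location `
        -ManagedBy $owner.DistinguishedName -Enabled $true -PassThru
}

function Get-ComputerOwnerContact([string]$Name) {
    # Turn the Managed By DN into someone to call or e-mail before maintenance.
    $c = Get-ADComputer -Identity $Name -Properties Location, ManagedBy
    $owner = $null
    if ($c.ManagedBy) {
        $owner = Get-ADObject -Identity $c.ManagedBy -Properties displayName, mail, telephoneNumber
    }
    $ownerName = if ($owner) { $owner.displayName } else { '(Managed By not set)' }
    [pscustomobject]@{
        Computer = $c.Name
        Location = $c.Location
        Owner    = $ownerName
        Mail     = $owner.mail
        Phone    = $owner.telephoneNumber
    }
}

function Get-UndocumentedComputer([string]$SearchBase) {
    # Computers whose Location or Managed By is empty; in LDAP, (!(attr=*)) means "attribute absent".
    Get-ADComputer -SearchBase $SearchBase -LDAPFilter '(|(!(location=*))(!(managedBy=*)))' -Properties Location, ManagedBy |
        Select-Object Name, Location, ManagedBy
}

# Usage (constructed):
# New-PrestagedComputer -Name 'NYC-FS2' -OUPath 'OU=Servers,OU=NYC,DC=woodgrovebank,DC=com' `
#     -Location 'NYC main office, server room, rack 3' -ManagedBy 'Manish'
# Get-ComputerOwnerContact -Name 'NYC-FS2'
# Get-UndocumentedComputer -SearchBase 'OU=NYC,DC=woodgrovebank,DC=com'
```

Pre-staging puts the account in the intended OU before the machine joins, so it picks up that OU's policies from the first logon instead of landing in the default Computers container; the last function is the routine check that keeps the Location and Managed By documentation from drifting.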
Additional reading
Manage computers
Computer Policies
Questions
1. A user is taking a two month leave from work. No one else will be using the
user's computer, and you want to ensure that no one can log on to the
computer while she is gone. However, you want to minimize the amount of
effort required for the user to start using the computer when she comes back.
How should you configure the computer account?
2. You are prestaging 100 computer accounts for workstations that will be added
to the domain over the next few weeks. You want to ensure that only members
of the desktop support team can add the computers to the domain. What
should you do?
Lesson 3
Using Queries to Locate Objects in Active
Directory
Key Points
There are several options available in the Windows Server 2008 administration
tools that can increase the efficiency of looking for user accounts in domains with
many users.
You can also add more columns to the display and then sort the display based on
the additional column.
Additional reading
Search Active Directory
Questions
1. You need to update the phone number for a user. You have only been given
the user's first name and last name and you do not know which OU contains
the object. What is the quickest way to locate the user account?
2. You need to create a new user account and want to check if a user name is
already in use in the domain. How could you do this?
Key Points
Active Directory Users and Computers has a Saved Queries folder in which you
can create, edit, save, and organize saved queries. Saved queries use predefined
LDAP strings to search only the specified domain partition, allowing you to focus
searches on a single container object. You can also create a customized saved query
that contains an LDAP search filter.
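The following is an added example, not part of the course: the LDAP search filters behind a few useful saved queries, run from PowerShell with the same scoping to one container that a saved query uses. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); the OU path and user names are constructed. The same filter strings can be pasted into a custom saved query in Active Directory Users and Computers.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module; OU paths are constructed.
Import-Module ActiveDirectory

# Filters of the kind a saved query stores. userAccountControl is a bit field, so the
# LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) tests a single flag:
# 2 = account disabled, 65536 = password never expires.
$SavedFilters = @{
    DisabledUsers        = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    PasswordNeverExpires = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
}

function Get-StaleUserFilter([int]$Days) {
    # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601), so the cutoff must be
    # expressed the same way. It replicates only when more than about 14 days stale, so
    # use a window of at least that size. Accounts that never logged on have no value at all.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
    return "(&(objectCategory=person)(objectClass=user)(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"
}

function ConvertTo-LdapLiteral([string]$Value) {
    # RFC 4515 escaping so a typed name cannot change the structure of the filter.
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Find-UserByName([string]$GivenName, [string]$Surname, [string]$SearchBase) {
    # First and last name known, OU unknown: search the whole base for the two name attributes.
    $filter = '(&(objectCategory=person)(objectClass=user)(givenName={0})(sn={1}))' -f `
              (ConvertTo-LdapLiteral $GivenName), (ConvertTo-LdapLiteral $Surname)
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties telephoneNumber |
        Select-Object Name, SamAccountName, telephoneNumber, DistinguishedName
}

function Find-Users([string]$LdapFilter, [string]$SearchBase, [string[]]$Columns = @('Name', 'SamAccountName')) {
    # Scope the search to one container like a saved query does, and return the extra
    # columns so the result can be sorted the way the console view is.
    Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -Properties $Columns |
        Select-Object $Columns | Sort-Object $Columns[0]
}

# Usage (OU constructed):
# $ou = 'OU=NYC,DC=woodgrovebank,DC=com'
# Find-UserByName -GivenName 'Dana' -Surname 'Birkby' -SearchBase $ou
# Find-Users $SavedFilters.DisabledUsers $ou
# Find-Users (Get-StaleUserFilter 90) $ou -Columns 'Name', 'SamAccountName', 'Department', 'LastLogonDate'
```

The escaping function matters whenever a filter is built from user-supplied text: an unescaped `*` or `)` in a name turns a lookup for one person into a match on many, which is the LDAP counterpart of SQL injection. For stale-account reports, Search-ADAccount -AccountInactive -TimeSpan 90 gives the same answer with less typing, but the raw filter is what a saved query needs.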
Additional reading
Active Directory Users and Computers Help section
Question
You need to find all user accounts in your AD DS domain that are no longer active.
How would you do this?
Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD DS for Windows
Server 2008. As one of the network administrators, one of your primary tasks will
be to create and manage user and computer accounts.
Property    Value
First name  CustomerService
Password    Pa$$w0rd
Member Of   NYC_CustomerServiceGG
Task 7: Modify the user account properties for all customer service
representatives in New York
1. In the CustomerService OU under the NYC OU, select all user accounts.
2. Right-click the highlighted user accounts and click Properties.
3. Fill in the following information:
Description: Customer Service Representative
Office: New York Main Office
Department: Customer Service
4. View the properties of one of the user accounts in the OU to confirm that the
Description, Office and Department attributes have been updated.
Task 8: Modify the user account properties for all Branch Managers
1. In Active Directory Users and Computers, search the WoodgroveBank.com
domain.
2. Use an advanced search and search for all user accounts that have a job title of
Branch Manager.
3. Select all of the user accounts located by the search, and add them to the
BranchManagersGG group.
Result: At the end of this exercise, you will have created and configured user
accounts. You will have created a template and a user account based on the
template, and you will have created a saved query and verified its ability to return
expected search results.
Result: At the end of this exercise, you will have created and configured computer
accounts, deleted a computer account and joined a computer to an AD DS domain.
Review Questions
1. You are responsible for managing accounts and access to resources for
members of your group. A user in your group leaves the company, and you
expect a replacement for that employee in a few days. What should you do
with the previous user's account?
2. A user in your group must create a test lab with 24 computers that will be
joined to the domain but the account must be created in a separate OU. What
is the best way to do this?
3. You are responsible for maintaining the servers in your organization. You want
to enable other administrators in the organization to determine the physical
location of each server without adding any additional administrative tasks or
creating any additional documents. How can you do this?
4. To accelerate the process of creating new accounts when new employees enter
your group, you create a series of account templates that you use to create new
user accounts and groups. You are notified that a user with an account that
was created by using one of the non-manager account templates has been
accessing files that are restricted to the Managers group. What should you do?
5. You are responsible for managing computer accounts for your group. A user
reports that they cannot log on to the domain from a specific computer but
can log on from other computers. What should you do?
6. You have determined the best ways to search for Active Directory objects and
documented your recommended search criteria. However, the administrators
tell you that it is taking too long to create and then run the search. After further
research, you determine that most of the systems administrators are searching
for the same information. What can you do to accelerate the search process?
Module 8
Creating Active Directory Domain Services
Groups and Organizational Units
Contents:
Lesson 1: Introduction to AD DS Groups
Lesson 2: Managing Group Accounts
Lesson 3: Creating OUs
Lab: Creating an OU Infrastructure
Module Overview
One of the primary functions of a directory service like Active Directory Domain
Services (AD DS) is to provide authorization for access to network resources.
Ultimately, all of this access to network resources is based on the individual user
accounts. However, in most cases, you do not want to administer access to
resources by using individual user accounts. In a large company, this would result
in a great deal of administrative effort. Because managing access to network
resources using individual user accounts is unmanageable, you will need to learn
to create group objects to manage large collections of users at one time.
Another option for organizing collections of users is to create organizational units
(OUs). You use an OU to group and organize objects for administrative purposes,
such as delegating administrative rights and assigning policies to a collection of
objects as a single unit.
Lesson 1
Introduction to AD DS Groups
Key Points
Groups are a logical collection of similar objects (users, computers, or other groups)
in AD DS. Groups can be made up according to their departments, locations, and
resources. As a tool for simplifying administration, groups enable you to assign
permissions for resources to multiple users or computers simultaneously, rather
than on an individual basis.
Additional reading
Active Directory Users and Computers Help: Understanding Group Accounts
Key Points
A global group is a security or distribution group that can contain users, groups,
and computers that are from the same domain as the global group. You can use
global security groups to assign user rights, delegate authority to AD DS objects, or
assign permissions to resources in any domain in the forest or any other trusting
domain in another forest.
Additional reading
Group Scope
Active Directory Users and Computers Help: Understanding Group Accounts
Key Points
A universal group is a security or distribution group that can contain users, groups,
and computers from any domain in its forest. You can use universal security
groups to assign user rights and permissions to resources in any domain in the
forest.
Additional reading
Group Scope
Active Directory Users and Computers Help: Understanding Group Accounts
Key Points
A domain local group is a security or distribution group that can contain user
accounts from the local domain, any domain in the forest, or any trusted domain.
Domain local groups can also contain universal groups or global groups from any
domain in the forest or any trusted domain, and domain local groups from the
local domain. Groups with domain local scope help you define and manage access
to resources within a single domain.
Additional reading
Group Scope
Active Directory Users and Computers Help: Understanding Group Accounts
Key Points
A local group is a collection of user accounts or domain groups created on a
member server of an AD DS domain or a stand-alone server. You can create local
groups to grant permissions for resources residing on the local computer. Local
groups can contain local or domain user accounts, computers, global groups, and
universal groups.
Additional reading
Understanding Local Users and Groups
Questions
For each scenario, determine the type and scope of groups that need to be created.
Scenario 1: A. Datum is a large company with locations in five different cities in
Canada. A. Datum has deployed a single Active Directory domain with five sites.
The HR personnel in each office manage the HR responsibilities for that office, but
all HR personnel must be able to access a shared folder at the company main
office. All HR personnel should be able to change files in the HR shared folder, but
only HR managers should be able to modify files in the HRPolicies folder located
in the HR folder.
Scenario 2: Tailspin Toys has two domains, one for the US and one for Europe.
Both domains are in the same forest. In each domain, a group of administrators
provide help desk support. The help desk support personnel for each domain
must have local administrator permissions on all client computers in the domain.
Also, all help desk personnel must be able to access a Help Desk Web site located
in the Europe domain.
Scenario 3: Trey Research has deployed a single domain. The company has three
locations. Sales personnel frequently travel outside the company offices and must
be able to access an internal Web site as well as shared folders on servers located
in any of the three locations inside the company. Sales personnel use a VPN to get
access to the network. Membership of the Sales group changes frequently.
Scenario 4: A School of Fine Art has a single domain in one location. They want to
ensure students using the learning lab computers can only print to the lab's
printer, and not the office printer.
Additional reading
Active Directory Users and Computers Help: Understanding Group Accounts
Key Points
When using nesting, you add a group as a member of another group. You can use
nesting to consolidate group management. Nesting increases the member accounts
that are affected by a single action and reduces replication traffic caused by the
replication of changes in group membership.
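The following is an added example, not part of the course: a PowerShell function that puts the group scopes from the topics above and the nesting described here into practice as the accounts, global group, domain local group, permission (AGDLP) pattern, plus a check that walks the nesting to confirm who actually ends up with the permission. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and an existing folder on the server where it runs; the OU, group names and folder path are constructed, and the names follow the GG/DLG suffix convention the labs use.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module and a file server
# where the folder exists; OU, group names and path are constructed. Names follow the
# course convention (GG = global group, DLG = domain local group).
Import-Module ActiveDirectory

function New-ResourceAccessModel {
    param(
        [Parameter(Mandatory)][string]$RoleGroup,       # who: e.g. NYC_MarketingGG
        [Parameter(Mandatory)][string]$ResourceGroup,   # what: e.g. MarketingDocs_ModifyDLG
        [Parameter(Mandatory)][string]$FolderPath,
        [ValidateSet('ReadAndExecute', 'Modify')][string]$Access = 'Modify',
        [string]$GroupOU = 'OU=Groups,OU=NYC,DC=woodgrovebank,DC=com'
    )
    # A -> G: accounts go into a global group. Its members must come from this domain,
    # but the group itself can be granted access in any trusting domain.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$RoleGroup)")) {
        New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    # DL: a domain local group stands for one permission on one resource. It may contain
    # global and universal groups from any trusted domain, so a partner domain's group
    # can be nested later without touching the ACL.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$ResourceGroup)")) {
        New-ADGroup -Name $ResourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
    # G -> DL nesting: one membership change grants or removes the whole role.
    $nested = Get-ADGroupMember -Identity $ResourceGroup | Where-Object { $_.SamAccountName -eq $RoleGroup }
    if (-not $nested) { Add-ADGroupMember -Identity $ResourceGroup -Members $RoleGroup }
    # P: the permission is assigned once, to the domain local group, never to individual users.
    $identity = "$((Get-ADDomain).NetBIOSName)\$ResourceGroup"
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, [System.Security.AccessControl.FileSystemRights]$Access,
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $FolderPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Test-EffectiveMembership([string]$User, [string]$ResourceGroup) {
    # -Recursive expands nested groups down to the users, which is what the resource
    # actually sees in the access token; the nesting depth does not matter to the check.
    $members = Get-ADGroupMember -Identity $ResourceGroup -Recursive | Select-Object -ExpandProperty SamAccountName
    return ($members -contains $User)
}

# Usage (constructed):
# New-ResourceAccessModel -RoleGroup 'NYC_MarketingGG' -ResourceGroup 'MarketingDocs_ModifyDLG' -FolderPath 'D:\Shares\Marketing'
# Add-ADGroupMember -Identity 'NYC_MarketingGG' -Members 'Dana', 'Manish'
# Test-EffectiveMembership -User 'Dana' -ResourceGroup 'MarketingDocs_ModifyDLG'   # True, through the nested global group
```

With this layout, giving a second role (say a Finance global group) the same access is one Add-ADGroupMember call against the domain local group, and an employee's access ends the moment they leave the global group; the folder ACL is never edited again, which is the replication and administration saving the paragraph above describes.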
Questions
Extend the previous discussion to consider the option of nesting groups. How
would the group configuration change if group nesting were used for each
Scenario below?
Scenario 1: A. Datum is a large company with locations in five different cities in
Canada. A. Datum has deployed a single Active Directory domain with five sites.
The HR personnel in each office manage the HR responsibilities for that office, but
all HR personnel must be able to access a shared folder at the company main
office. All HR personnel should be able to change files in the HR shared folder, but
only HR managers should be able to modify files in the HRPolicies folder located
in the HR folder. How can nested groups be used to simplify management?
Scenario 2: Tailspin Toys has two domains, one for the US and one for Europe.
Both domains are in the same forest. In each domain, a group of administrators
provide help desk support. The help desk support personnel for each domain
must have local administrator permissions on all client computers in the domain.
As well, all help desk personnel must be able to access a Help Desk Web site
located in the Europe domain.
Scenario 3: Trey Research has deployed a single domain. The company has three
locations. Sales personnel frequently travel outside the company offices and must
be able to access an internal Web site as well as shared folders on servers located
in any of the three locations inside the company. Sales personnel use a VPN to get
access to the network. Membership of the Sales group changes frequently.
Members of the Marketing and Finance departments need access to the same
shared folders as the Sales personnel.
AD DS Groups Review
Review questions
1. Why should you use a global group rather than a domain local group for the
users of a sales department in a multi-domain company?
2. How could you provide members of a Sales department that travel frequently
between domains in a multi-city company with access to printers on various
domains, which are managed with domain local groups?
Lesson 2
Managing Group Accounts
Key Points
A large organization might have many security and distribution groups. A
standardized naming convention can help you locate and identify groups more
easily. Keeping the names concise, using departmental, geographic, or project
names are all helpful ways to identify groups more easily.
Questions
1. Your organization requires a group that can be used to send e-mail to users in
multiple domains. The group will not be used to assign permissions. What
type of group should you create?
2. What would be some suitable names for the global group that contains
Woodgrove Bank's Toronto-based marketing group?
Additional reading
Active Directory Users and Computers Help: Create a New Group
Questions
1. What would be an efficient way to add users from all sales OUs to a universal
group?
2. You have a domain local group called ManagerAccessDLG. This group is used
to assign access to all resources for Managers, and the
Managers_WoodgroveGG group has been added to the ManagerAccessDLG
group. How would you give users from the Executives_WoodgroveGG group
quick access to the same resources as those accessible to the managers group?
Key Points
Use Active Directory Users and Computers to determine the membership status of
both users and groups. All user accounts have a Member Of attribute that lists all
of the groups that the user is a member of. All groups have a Members attribute
and a Member Of attribute. The Members attribute lists all user accounts or other
group accounts that are members of the group, while the Member Of tab indicates
into which groups the group has been added, or nested.
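The ManagerAccessDLG question and the Member Of discussion above, worked through as an added example (not course material): global groups nested into a domain local group that carries the permission, followed by a recursive membership audit, because nesting hides who ultimately receives access. It assumes the ActiveDirectory PowerShell module, the NetBIOS name WOODGROVEBANK, a Groups OU and a D:\Shares\ManagerData folder, none of which the course specifies.

```powershell
# Added example, not course content. Assumes the ActiveDirectory module (Windows Server
# 2008 R2 / RSAT or later) and an assumed OU "OU=Groups,DC=WoodgroveBank,DC=com".
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=WoodgroveBank,DC=com'   # assumed location for the new groups

# Global groups hold the accounts (one per role); the domain local group holds the permission.
New-ADGroup -Name 'Managers_WoodgroveGG'   -GroupScope Global      -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'Executives_WoodgroveGG' -GroupScope Global      -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'ManagerAccessDLG'       -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# Nesting: both global groups become members of the domain local group, so one ACL entry
# for ManagerAccessDLG gives managers and executives the same access.
Add-ADGroupMember -Identity 'ManagerAccessDLG' -Members 'Managers_WoodgroveGG', 'Executives_WoodgroveGG'

# Grant the resource permission once, to the domain local group (folder path is assumed).
$folder = 'D:\Shares\ManagerData'
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'WOODGROVEBANK\ManagerAccessDLG', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Audit from the group's side: expand the Members attribute recursively so every user
# that reaches the permission through a nested group is listed.
function Get-EffectiveMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique
}

# Audit from the user's side: all groups the user belongs to, including those reached only
# through nesting. The OID is the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
function Get-NestedMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        Select-Object -ExpandProperty Name
}

Get-EffectiveMembers -GroupName 'ManagerAccessDLG'
```

The Member Of tab in Active Directory Users and Computers shows only direct membership; the two audit functions show the nested result that actually governs access.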
Additional reading
Active Directory Users and Computers Help: Finding a Group in Which a User
is a Member
Question
Why would you need to change a group type or scope? What additional actions
should you take if you are changing a group type or scope?
Lesson 3
Creating OUs
Another option for collecting several user and computer accounts for
administrative purposes is to create OUs. In this lesson, you will learn to create
OUs. You will also learn options for creating OU hierarchies and how to move
objects between OUs.
What Is an OU?
Key Points
An OU is an AD DS object contained in a domain. You can use OUs to organize
hundreds of thousands of objects in the directory into manageable units. OUs are
useful in grouping and organizing objects for administrative purposes, such as
delegating administrative rights and assigning policies to a collection of objects as a
single unit.
Additional reading
Active Directory Users and Computers Help: Understanding Organizational
Units
Reviewing Organizational Unit Design Concepts
Windows Server Glossary
Organizational Units
What Is an OU Hierarchy?
Key Points
AD DS OUs are used to create a hierarchical structure within a domain. By creating
an OU structure, you are grouping objects that can be administered as a unit.
An organizational hierarchy should logically represent an organizational structure.
That organization could be based on geographic, functional, resource-based, or
user classifications. Whatever the order, the hierarchy should make it possible to
administer AD DS resources as flexibly and effectively as possible. For example, if
all of the computers used by IT administrators need to be configured in a certain
way, you can group all of the computers in an OU, and assign a policy to manage
the computers in the OU.
OU Hierarchy Examples
Key Points
Organizations may deploy OU hierarchies using several different models.
Geographic OUs
If the organization has multiple locations and network management is
geographically distributed, you should use a location-based hierarchy. For
example, you might decide to create OUs for New York, Toronto and Miami in a
single domain.
Departmental OU
A Departmental OU is based only on the business functions of the organization,
without regard to geographical location or divisional barriers. This approach works
well for small organizations with a single location.
Resource OUs
Resource OUs are designed to manage resource objects (non-users such as client
computers, servers, or printers). This design is most useful when all resources of a
given type are managed in the same way. Resource-based OUs can help facilitate
software installations or printer selections based on Group Policies.
Management-based OUs
Management-based OUs reflect the various administrative divisions within the
organization by mirroring the organization's structure in the OU structure.
Responsibilities to manage users and groups, when placed into nested
departmental OUs, can be delegated to managers of those departments.
Additional reading
Design Considerations for Organizational Unit Structure and Use of Group
Policy Objects
Questions
Additional reading
Active Directory Users and Computers Help: Create a New Organizational
Unit
Question
How would members in the Sales and Marketing OUs benefit from being
administered by a member of their own departments?
Additional reading
Active Directory Users and Computers Help: Moving a user account
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank is opening a new subsidiary in Vancouver,
and they need an OU design for the subsidiary. Woodgrove Bank has deployed
Windows Server 2008 Active Directory Domain Services, and one of your primary
tasks will be to create a new OU design and move users from current positions to
the new subsidiary.
Task 2: Create three new groups by using Active Directory Users and
Computers
1. On NYC-DC1, open Active Directory Users and Computers.
2. In the WoodgroveBank.com domain, create a new group with the following
parameters:
Group Name: Van_BranchManagersGG
Scope: Global
Type: Security
3. Repeat step 2 to create three more groups with the same scope and type. The
two group names are as follows:
Van_CustomerServiceGG
Van_InvestmentsGG
3. Press ENTER.
4. Use the Find command to locate the new group in the WoodgroveBank.com
OU.
Result: At the end of this exercise, you will have created three new groups using
Active Directory Users and Computers. You will have created one group using
Dsadd. You will have added users to the groups and inspected the results.
Scenario:
A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have
the following departments:
Management
Customer Service
Marketing
Investments
Discussion questions:
1. Which approach to extending the organizational hierarchy of
WoodgroveBank.com is the most likely to be applied in the creation of the
new subsidiary's resources: Geographic, Organizational, or Functional? Why?
2. What would be the most logical way to further subdivide the subsidiary's
Organizational Unit (Geographic, Organizational, or Functional)?
3. What does the pattern of naming second level OUs in other centers suggest for
the new Vancouver OU?
4. What would be a simple but effective way of delegating administrative tasks
(such as adding users and computers to the domain, and changing user
properties such as password resets, and employee contact details) to certain
users within a department?
Result: At the end of this exercise, you will have discussed and determined how to
plan an OU hierarchy.
3. Press ENTER.
4. In Active Directory Users and Computers, refresh the WoodgroveBank.com
domain object, and note the presence of the new OU.
Note: There is a potential risk associated with the movement of security groups
from one OU into another. Group policies in effect in one OU may no longer be
applied in the new location. By default, AD DS notifies administrators of that risk
whenever a group is moved between OUs.
Note: There are several ways to move objects between OUs in Active Directory Users
and Computers. You can (1) use the Move command, (2) drag and drop the object
into a new OU, or (3) use the Cut and Paste commands.
Task 6: Find and move users into the appropriate Vancouver OUs
Use Active Directory Users and Computers to find and move the following
users into the OUs listed below.
Result: At the end of this exercise, you will have created OUs using Active Directory
Users and Computers and using Dsadd.
Review Questions
1. You have just installed a new domain controller in your domain. What two
tools could you use to verify that the domain controller has been added to the
domain?
2. You want to group all of the users in branch office together so that you can
assign permissions to a shared folder to all of the users in the branch office.
What type of AD DS object should you create?
3. What are the differences between a domain, domain tree and forest?
4. What feature makes it easy and fast to search a forest for user phone numbers?
5. What is the relationship between a domain and a site?
Module 9
Managing Access to Resources
Contents:
Lesson 1: Managing Access Overview 9-3
Lesson 2: Assigning Permissions to Shared Resources 9-12
Lesson 3: Managing NTFS File and Folder Permissions 9-21
Lesson 4: Determining Effective Permission 9-28
Lab: Managing Access to Resources 9-38
Module Overview
One of the primary reasons for deploying Active Directory Domain Services (AD
DS) is to enable users to access shared resources on the network. The previous
modules introduced users and groups as the primary way to enable access to those
resources. This module describes how to configure shared folders to enable those
users and groups to gain access to the resources.
Specifically, this module helps you learn the skills and knowledge you will need to:
Understand how permissions enable resource access.
Manage access to files and folders by using shared folder permissions, NTFS
permissions, or special permissions.
Manage permissions inheritance.
Lesson 1
Managing Access Overview
Key Points
A security principal is an AD DS entity that can be authenticated by a Windows
operating system. Security principals include:
User and computer accounts.
A thread or process that runs in the security context of a user or computer
account.
Groups of the above accounts.
Additional reading
Windows Server Glossary
Key Points
An access token is a protected object that contains information about the identity
and privileges associated with a user account.
Additional reading
Windows Server Glossary
Access Tokens Technical Reference
Key Points
Permissions define the type of access that is granted to a security principal for an
object.
When you assign permissions, you can:
Explicitly apply permissions. When you explicitly apply permissions, you
access the shared resource object directly and configure permissions on that
object. You can explicitly apply permissions on folders or files.
Configure permission inheritance. When you configure permissions on a
folder, the permissions are inherited by default on all sub-folders or files in
that folder. You can accept the default permission inheritance or modify the
default behavior by blocking permission inheritance or by assigning explicit
permissions to lower level folders or files.
Additional reading
Windows Server Glossary
Key Points
The process of gaining access to an AD DS resource is called access control and it
is based on the verification of security principals.
All objects in AD DS, and all securable objects on a local computer or on the
network, have security descriptors assigned to them to help control access to the
objects. Security descriptors include information about who owns an object, who
can access it and in what way, and what types of access are audited.
Additional reading
MSDN Glossary
Questions
1. What is the role of access control lists (ACL) in granting access to resources in
an AD DS network?
2. How do discretionary access control lists (DACLs) differ from system access
control lists (SACLs)?
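To make the security descriptor concrete, an added example (not course material) that reads one object's descriptor and separates its three parts: the owner, the DACL that answers "who can access it and in what way", and the SACL that answers "what types of access are audited". The folder path is an assumed example.

```powershell
# Added example, not course content. Reading the SACL requires the SeSecurityPrivilege,
# which Administrators hold by default, so run this from an elevated session.
function Show-SecurityDescriptor {
    param([Parameter(Mandatory)][string]$Path)

    # -Audit returns the SACL in addition to the owner and DACL.
    $sd = Get-Acl -Path $Path -Audit

    [pscustomobject]@{
        Path  = $Path
        Owner = $sd.Owner
        # DACL entries: principal, rights, Allow/Deny, and whether the ACE is inherited.
        Dacl  = @($sd.Access | ForEach-Object {
            '{0,-5} {1,-35} {2,-30} inherited={3}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights, $_.IsInherited })
        # SACL entries: which accesses by which principals generate Success/Failure audit events.
        Sacl  = @($sd.Audit | ForEach-Object {
            '{0,-15} {1,-35} {2}' -f $_.AuditFlags, $_.IdentityReference, $_.FileSystemRights })
    }
}

# A review like this surfaces two common findings: DACLs that still grant Everyone access,
# and sensitive folders with an empty SACL, meaning no access is audited at all.
$report = Show-SecurityDescriptor -Path 'D:\Shares\HR'   # assumed path
"Owner: $($report.Owner)"
'--- DACL ---'
$report.Dacl
'--- SACL ---'
if ($report.Sacl.Count -gt 0) { $report.Sacl } else { '(no audit entries: access to this object is not audited)' }
```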
Lesson 2
Assigning Permissions to Shared Resources
Shared folders give users access to files and folders over a network. Users can
connect to the shared folder over the network to access the folders and files that
they contain. Shared folders can contain applications, public data, or a user's
personal data. Using shared data folders provides a central location for users to
access common files and makes it easier to back up data contained in those files.
Key Points
When you share a folder, the folder is made accessible to multiple users
simultaneously over the network. Once granted permission, users can access all of
the files and subfolders in the shared folder.
Most organizations deploy dedicated file servers to host shared folders. You can
store files in shared folders according to categories or functions. For example, you
can place shared files for the Sales department in one shared folder and shared
files for executives in another.
Key Points
Windows Server 2008 automatically creates shared folders on Windows
computers that enable you to perform administrative tasks. These default
administrative shares have a dollar sign ($) at the end of the share name.
Appending the dollar sign at the end of the folder name hides the shared folder
from users who browse the network. Administrators can quickly administer files
and folders on remote servers by using these hidden shared folders.
Key Points
Shared folder permissions apply only to users who connect to the folder over the
network. They do not restrict access to users who access the folder at the computer
where the folder is stored. You can grant shared folder permissions to user
accounts, groups, and computer accounts.
Additional reading
Best Practices for Shared Folders
Key Points
In Windows Server 2008, the only groups that can create shared folders are the
Administrators, Server Operators, and Power Users groups. These groups are built-
in groups that are placed in the Groups folder in Computer Management or the
Built-In container in Active Directory Users and Groups.
Questions
Key Points
After you create a shared folder, users can access the folder across the network by
using multiple methods. Users can access a shared folder on another computer via:
The Network window (in Windows Server 2008 or Windows Vista).
My Network Places (in Windows Server 2003 or Windows XP).
The Map Network Drive feature.
Searching AD DS.
The Run command on the Start menu.
Additional reading
Glossary of Registry Terms
Question
What would happen if the user was editing the file and had not saved the changes
and then an administrator used the Close File feature?
Key Points
When managing access to shared folders, consider the following best practices
when granting permissions:
Use the most restrictive permissions possible. Do not grant more
permissions for a shared folder than the users legitimately require. For
example, if a user only needs to read a file, grant Read permission for the file to
the user or group to which the user belongs.
Avoid assigning permissions to individual users. Use groups whenever
possible. Because it is inefficient to maintain user accounts directly, avoid
granting permissions to individual users.
Remember that full control allows users to modify NTFS permissions. Add
groups to the full control permissions group with caution. Each change to
NTFS permissions could potentially affect security.
Use the Authenticated Users or the Domain Users group instead of the
Everyone group (if present) in the shared folder's permissions list. Because the
Everyone group includes Guests, using the Authenticated Users or Domain
Users groups limits access to shared folders to authenticated users only, and
prevents users or viruses from accidentally deleting or damaging data and
application files.
Additional reading
Best practices for Shared Folders
Lesson 3
Managing NTFS File and Folder Permissions
Key Points
NTFS permissions are used to specify which users, groups, and computers can
access files and folders. NTFS permissions also dictate what users, groups, and
computers can do with the contents of the file or folder.
NTFS file permissions include:
Read. Read the file, attributes, permissions, and view owner.
Write. Write to the file, change attributes, view permissions, and view owner.
Read & Execute. Execute applications plus all Read permissions.
Modify. All the above permissions, plus ability to delete file.
Full Control. All the above permissions plus the ability to change permissions,
and take ownership of the file.
Key Points
NTFS permissions fall into two categories: standard and special. Standard
permissions are the most frequently assigned permissions. The permissions
described in the previous topic are standard permissions.
Special permissions provide you with a finer degree of control for assigning access
to objects.
Additional reading
Permissions for files and folders
Key Points
By default, permissions that you grant to a parent folder are inherited by the
subfolders and files that are contained in the parent folder.
A security principal that is inheriting permissions can have additional NTFS
permissions assigned, but the inherited permissions cannot be removed until
inheritance is blocked.
Additional reading
Windows Server Glossary
Questions
Key Points
When you copy or move a file or folder, the permissions might change, depending
on where you move the file or folder. It is important to understand the changes
that the permissions undergo when being copied or moved.
The following table lists the possible copy and move actions and describes how
Windows Server 2008 handles the permission state of a file or folder.
Action                                   Result
Copy a file or folder within a volume    Inherits permission state of the destination folder
Move a file or folder within a volume    Retains original permission state of the source
Copy a file or folder between volumes    Inherits permission state of the destination folder
Move a file or folder between volumes    Inherits permission state of source file or folder
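Rather than relying on memory of the table, a practitioner checks the permission state after the operation. The following added example (not course material) reports, for any path, whether inheritance is blocked and which ACEs are explicit versus inherited, then runs it on a source file before and on the results of a copy and a move; the paths are assumed.

```powershell
# Added example, not course content. Paths are assumed; the copy targets the same volume
# and the move targets a second volume so both halves of the table can be checked.
function Get-AclState {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Path               = $Path
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # Explicit ACEs travel with the object when it is moved; inherited ones come from the parent.
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited } |
                      ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
        Inherited = @($acl.Access | Where-Object { $_.IsInherited } |
                      ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

$source   = 'D:\Shares\Finance\report.txt'      # assumed file with an explicit ACE of its own
$copyDest = 'D:\Shares\Public\report-copy.txt'  # same volume as the source
$moveDest = 'E:\Archive\report.txt'             # different volume

$before = Get-AclState -Path $source
Copy-Item -Path $source -Destination $copyDest
Move-Item -Path $source -Destination $moveDest

# Compare the three states with the table: an explicit ACE that survives only in the
# "Explicit" list of the original shows that the operation took the destination's permissions.
$before, (Get-AclState -Path $copyDest), (Get-AclState -Path $moveDest) | Format-List
```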
Lesson 4
Determining Effective Permission
You can assign user access to a shared folder by using shared folder permissions or
NTFS permissions. You can also assign permissions to individual user accounts or
group accounts. In order to determine what level of access the user actually has on
the network, you need to understand how effective permissions are determined,
and how you can view effective permissions.
Key Points
Windows Server 2008 provides a tool (Effective Permissions tool) that shows
effective permissions, which are cumulative permissions based on group
membership.
The following principles determine effective permissions:
Cumulative permissions are the combination of the highest NTFS
permissions granted to the user and all the groups that the user is a
member of. For example, if a user is a member of a group that has Read
permission and a member of a group that has Modify permission, the user has
Modify permission.
Explicit Deny permissions override equivalent Allow permissions.
However, an explicit Allow permission can override an inherited deny
permission. For example, if a user is explicitly denied write access to a folder
but explicitly allowed write access to a subfolder or a particular file, the explicit
Allow would override the inherited Deny.
In this discussion, you are presented with a scenario in which you are asked to
apply NTFS permissions. You and your classmates will discuss possible solutions
to the scenario.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the
slide shows folders and files on the NTFS partition.
Discussion questions:
1. The Users group has Write permission, and the Sales group has Read
permission for Folder1. What permissions does User1 have for Folder1?
2. The Users group has Read permission for Folder1. The Sales group has Write
permission for Folder2. What permissions does User1 have for File2?
3. The Users group has Modify permission for Folder1. File2 should be
accessible only to the Sales group, and they should only be able to read File2.
What do you do to ensure that the Sales group has only Read permission for
File2?
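The two principles above, cumulative Allow entries and Deny handling, applied to the discussion scenario as an added example (not course material). It is a small model of the combination rules, not the Effective Permissions tool: each ACE is a constructed object with an Identity, a list of standard permission names, an Allow/Deny type and an Inherited flag, and the names User1, Users, Sales, Folder1 and File2 are the scenario's.

```powershell
# Added example, not course content: models how the ACEs that apply to a user combine.
function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)][string[]]$Principals,   # the user plus every group it belongs to
        [Parameter(Mandatory)][object[]]$Aces          # the object's DACL, inherited ACEs included
    )
    # Only ACEs naming the user or one of the user's groups take part.
    $mine = @($Aces | Where-Object { $Principals -contains $_.Identity })

    # Principle 1: Allow entries are cumulative across the user and all of the user's groups.
    $allowed = @()
    foreach ($ace in $mine) { if ($ace.Type -eq 'Allow') { $allowed += $ace.Rights } }

    # Principle 2: a Deny removes the right, except that an explicit Allow beats an inherited Deny.
    $denied = @()
    foreach ($ace in $mine) {
        if ($ace.Type -ne 'Deny') { continue }
        foreach ($right in $ace.Rights) {
            $explicitAllow = $mine | Where-Object {
                $_.Type -eq 'Allow' -and -not $_.Inherited -and $_.Rights -contains $right }
            if ($ace.Inherited -and $explicitAllow) { continue }   # inherited Deny overridden
            $denied += $right
        }
    }
    @($allowed | Where-Object { $denied -notcontains $_ } | Sort-Object -Unique)
}

# Helper that builds one constructed ACE.
function New-Ace {
    param([string]$Identity, [string[]]$Rights, [string]$Type = 'Allow', [bool]$Inherited = $false)
    [pscustomobject]@{ Identity = $Identity; Rights = $Rights; Type = $Type; Inherited = $Inherited }
}

# User1 is a member of the Users group and the Sales group, as in the scenario.
$user1 = 'User1', 'Users', 'Sales'

# Discussion question 1: Users has Write and Sales has Read on Folder1; the Allow entries
# accumulate, so User1 ends up with both rights.
$folder1 = @( (New-Ace -Identity 'Users' -Rights 'Write'), (New-Ace -Identity 'Sales' -Rights 'Read') )
"Folder1: $((Get-EffectiveRights -Principals $user1 -Aces $folder1) -join ', ')"

# Deny handling: File2 inherits a Deny Write for Sales from Folder1, but User1 is explicitly
# allowed Write on File2 itself, so the explicit Allow overrides the inherited Deny.
$file2 = @(
    (New-Ace -Identity 'Users' -Rights 'Read'  -Inherited $true),
    (New-Ace -Identity 'Sales' -Rights 'Write' -Type 'Deny' -Inherited $true),
    (New-Ace -Identity 'User1' -Rights 'Write')
)
"File2 (inherited Deny): $((Get-EffectiveRights -Principals $user1 -Aces $file2) -join ', ')"

# Same file, but the Deny is explicit: it now removes Write no matter which Allow entries exist.
$file2Explicit = @(
    (New-Ace -Identity 'Users' -Rights 'Read', 'Write'),
    (New-Ace -Identity 'Sales' -Rights 'Write' -Type 'Deny')
)
"File2 (explicit Deny): $((Get-EffectiveRights -Principals $user1 -Aces $file2Explicit) -join ', ')"
```

Question 3 follows from the same rules: removing the Users group's inherited Modify on File2 requires blocking inheritance on File2 (or an explicit Deny for Users), then granting Sales an explicit Read.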
Questions
Additional reading
Effective Permissions Tool
Key Points
When allowing access to network resources on an NTFS volume, it is
recommended that you use the most restrictive NTFS permissions to control
access to folders and files, combined with the most restrictive shared folder
permissions that control network access.
In this discussion, you will determine effective NTFS and shared folder
permissions.
Scenario
The slide graphic illustrates two shared folders that contain folders or files that
have been assigned NTFS permissions. Look at each example and determine a
user's effective permissions.
In the first example, the Users folder has been shared, and the Users group has the
shared folder permission Full Control. User1, User2, and User3 have been granted
the NTFS permission Full Control to only their folder. These users are all members
of the Users group.
Discussion questions:
1. Do members of the Users group have Full Control to all home folders in the
Users folder once they connect to the Users shared folder?
In the second example, the Data folder has been shared. The Sales group has
been granted the shared folder permission Read for the Data shared folder and
the NTFS permission Full Control for the Sales folder.
2. What are the Sales group's effective permissions when they access the Sales
folder by connecting to the Data shared folder?
Key Points
Here are several considerations to make administering permissions more
manageable:
1. Grant permissions to groups instead of users. Groups can always have
individuals added or deleted, while permissions on a case-by-case basis are
difficult to keep track of.
2. Use Deny permissions only when necessary. Because deny permissions are
inherited just like allow permissions, assigning deny permissions to a folder
can result in users not being able to access files lower in the folder structure.
Deny permissions should be assigned in the following situations:
To exclude a subset of a group that has Allow permissions.
To exclude one permission when you have already granted Full Control
permissions to a user or group.
3. Never deny the Everyone group access to an object. If you deny everyone
access to an object, you deny administrators access. Instead, it is
recommended that you remove the Everyone group, as long as you grant
permissions for the object to other users, groups, or computers.
4. Grant permissions to an object that is as high in the folder as possible so
that the security settings are propagated throughout the tree. For example,
rather than bringing groups representing all departments of the company
together into a Read folder, assign Domain Users (which is a default group
for all user accounts on the domain) to the share. In that way, you eliminate
the need to update department groups before new users get the shared folder.
5. Use NTFS permissions rather than shared permissions for fine-grained
access. Configuring both NTFS and shared folder permissions can be
complicated. Consider assigning the most restrictive permissions for a group
containing a large number of users at the shared folder level, and then using
NTFS permissions to assign more specific permissions.
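The share-level best practices from Lesson 2 (Authenticated Users instead of Everyone, no Full Control at the share, permissions to groups only) and consideration 5 above (a restrictive share combined with fine-grained NTFS permissions, including blocked inheritance on a subfolder) in one added example that is not course material. It assumes the SmbShare module (Windows Server 2012 or later), the NetBIOS name WOODGROVEBANK, a folder D:\Shares\Data and a group Van_SalesGG; Van_BranchManagersGG is the lab's own group.

```powershell
# Added example, not course content. Run from an elevated session on the file server.
$root = 'D:\Shares\Data'                                     # assumed share root
New-Item -ItemType Directory -Path "$root\Sales\Confidential" -Force | Out-Null

# Share level: the broad, restrictive gate. Authenticated Users rather than Everyone (so
# Guests are excluded), and Change rather than Full Control at the share.
New-SmbShare -Name 'Data' -Path $root -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
# Remove a default Everyone entry if one is present on the share.
Revoke-SmbShareAccess -Name 'Data' -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

function Add-NtfsRule {
    param([string]$Path, [string]$Identity, [string]$Rights, [string]$Type = 'Allow')
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', $Type)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# NTFS level: the specific rights, granted to groups rather than individual users.
Add-NtfsRule -Path "$root\Sales" -Identity 'WOODGROVEBANK\Van_SalesGG'          -Rights 'Modify'
Add-NtfsRule -Path "$root\Sales" -Identity 'WOODGROVEBANK\Van_BranchManagersGG' -Rights 'ReadAndExecute'

# The Confidential subfolder must not inherit the Sales rules. Block inheritance, keeping
# copies of the inherited ACEs (so Administrators and SYSTEM stay), then remove Van_SalesGG.
$confidential = "$root\Sales\Confidential"
$acl = Get-Acl -Path $confidential
$acl.SetAccessRuleProtection($true, $true)      # $true, $true = protect, and copy inherited ACEs
Set-Acl -Path $confidential -AclObject $acl

$acl = Get-Acl -Path $confidential
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'WOODGROVEBANK\Van_SalesGG' } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }
Set-Acl -Path $confidential -AclObject $acl

# Verify both layers: network access is the more restrictive of the share and NTFS results.
Get-SmbShareAccess -Name 'Data' | Format-Table AccountName, AccessRight, AccessControlType
(Get-Acl -Path $confidential).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
```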
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed Windows Server 2008
Active Directory Domain Services. They have recently opened a new subsidiary in
Vancouver, British Columbia, Canada. As a network administrator assigned to the
new subsidiary, one of your primary tasks will be to create and manage access to
resources, including the shared folder implementation. For example, groups that
mirror the departmental organization of the bank need shared file storage areas.
There also need to be shared folders to allow files to be shared during special
projects between departments. Lastly, a drop box style folder will be needed for
reports from employees to managers.
Discussion questions:
1. The Woodgrove Bank Vancouver subsidiary has an organizational hierarchy,
as outlined by its OUs that supports the activities of its four departments:
Marketing, Investments, Management and Customer Service. Each department
has groups populated with the employees in that department. How could you
give each department separate file sharing spaces?
2. All members of the Vancouver subsidiary need to be able to read documents
posted by management regarding topics such as staffing, targets and
projections, and company news. To create a series of folders that will allow
this information to be available to all employees in the subsidiary, as well as
managers from other parts of the Woodgrove Bank, what sorts of groups
would be needed? What sorts of permissions would each require? What sorts
of folder structures might be needed?
3. A task force on reducing the subsidiary's carbon footprint is gathering a variety
of data from various departments. They plan to keep the information private
until they can publish a report. How can individuals from various departments
have contributing status while restricting access to those outside of their
project?
4. The branch managers require weekly reports from each department. These
reports should be stored where they alone can organize and read them.
Department heads should be able to drag/drop their reports onto the shared
folders, although they should not be able to open the shared folders.
Result: At the end of this exercise, you will have discussed and determined solutions
for a shared folder implementation.
3. Save the changes and close Active Directory Users and Computers.
4. Create a new folder in C:\, and name it SharedProjects.
5. Share the folder, adding the Van_SpecialProjectsGG group with Contribute
permission levels.
6. Click Share.
Result: At the end of this exercise, you will have created a shared folder
implementation.
Task 2: Check the permissions for Company News and Drop Folder.
1. Once logged on as Neville, open the Company News volume and create a text
file. Name it News.txt.
2. Create a folder named News, and drag News.txt into it.
3. Close the Company News window.
4. Open the Drop Folder shared folder.
5. Create three folders with the following names:
Marketing
Investments
Customer Service
6. Close the Drop Folder window and log off.
Result: At the end of this exercise, you will have verified that the shared folder
implementation meets security requirements.
Review Questions
1. What is the role of access control lists (ACL) in granting access to resources on
an AD DS network?
2. How do discretionary access control lists (DACLs) differ from system access
control lists (SACLs)?
3. What happens to the shared folder configuration when you copy or move a
shared folder from one hard disk to another on the same server? What
happens to the shared folder configuration when you copy or move the shared
folder to another server?
4. You need to assign permissions to a shared folder so that all users in your
organization can read the contents of the folder. Which of these approaches
would be the best way to do this: accept the default permissions, assign read
permissions to the folder for the Domain Users group, or add groups
representing whole departments? How would this configuration change if your
organization had multiple domains?
5. How could you remove Write share permissions from a single file that is
located inside a folder that is inheriting Write permissions from shared folder
in which it is located?
6. When moving a folder within an NTFS partition, what permissions are
required over the source file or folder and over the destination folder?
7. What is the best way to create a shared folder between departments of users
who are situated on two different domains?