Windows Server Administration/Active Directory

From Wikiversity
Jump to navigation Jump to search

This lesson covers Active Directory. Activities include creating and managing domains, user accounts, and groups.

Objectives and Skills[edit | edit source]

Objectives and skills for the Understanding Active Directory portion of Windows Server Administration Fundamentals certification include:[1]

  • Understand accounts and groups: domain accounts; local accounts; user profiles; group types; group scopes; group nesting; AGDLP
  • Understand organizational units and containers: purpose of organizational units; purpose of containers; delegation; default
  • Understand Active Directory infrastructure: domain controllers; forests; operation masters roles; domain vs. workgroup; child domains; trusts; functional levels; namespace; sites; replication

Readings[edit | edit source]

  1. Wikipedia: Windows domain
  2. Wikipedia: Active Directory
  3. Active Directory: Guide to Terminology, Definitions & Fundamentals!
  4. Wikipedia: Organizational Unit
  5. Wikipedia: AGDLP
  6. Microsoft: Forests - basic explanation
  7. Active Directory Forest – What is AD Forest?
  8. Microsoft: Domain Trees

Multimedia[edit | edit source]

  1. YouTube: Learn Microsoft Active Directory
  2. YouTube: Setting up Active Directory in Windows Server 2019 (Step By Step Guide)
  3. YouTube: Windows Active Directory Users and Groups
  4. YouTube: Active Directory forest and trees

Activities[edit | edit source]

  1. Review How to Setup a New Active Directory 2016 or 2019 Forest/Domain. Add the Active Directory Domain Services role and create a new forest.
  2. Review How to Add a Child Domain on Windows Server 2016. If you have a second server available, add the Active Directory Domain Services role and add a child domain to the forest. This should be the same steps if using Windows Server 2019.
  3. Review Wikipedia: Organizational unit (computing). Create organizational units.
  4. Review How to Delegate Control in Active Directory Users and Computers. Delegate control of an organizational unit.
  5. Review Security Account Manager. Create user accounts in the organizational units.
  6. Review Naming Conventions in Active Directory. Create global groups to organize user accounts. Add users to the groups. Create domain local groups to organize resources. Add global groups to the domain local groups. Add the domain local groups to resources.

Lesson Summary[edit | edit source]

  • Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. An AD domain controller authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software.[2]
  • A schema defines the types of objects and the characteristics and information that the objects represent which can be stored in an Active Directory database.[3]
  • A forest is a collection of one or more trees that share a common global catalog, directory schema, logical structure, and directory configuration.[4]
  • A tree is a collection of one or more domains in a contiguous namespace, linked in a transitive trust hierarchy.[5]
  • A domain is defined as a logical group of objects (computers, users, devices) that share the same Active Directory database.[6]
  • Domains are identified by their DNS name structure, the namespace used for Active Directory.[7]
  • Trusts allow users in one domain to access resources in another domain.[8]
  • Trusts between a parent and child domain are automatically created when the child domain is created.[9]
  • Domain controllers are servers that have the Active Directory Domain Services role installed and host an Active Directory database for a given domain.[10]
  • Sites are collections of well-connected subnets in a given geographic location.[11]
  • Replication copies changes on one domain controller to all other domain controllers hosting the same Active Directory database (meaning within in the same domain).[12]
  • The Knowledge Consistency Checker (KCC) service creates a replication topology of site links using the defined sites to manage traffic.[13]
  • Intrasite replication is frequent and automatic as a result of change notification, which triggers domain controllers to begin a pull replication cycle.[14]
  • Intersite replication intervals are typically less frequent and based on elapsed time rather than change notification.[15]
  • Although most domain changes can be made on any domain controller, certain operations are supported only on a single server. These servers are designated operation masters (originally Flexible Single Master Operations or FSMOs). The operation master roles are Schema Master, Domain Naming Master, PDC Emulator, RID Master, and Infrastructure Master.[16]
  • The functional level of a domain or forest controls which advanced features are available in the forest or domain. Separate functional levels are available for Windows Server 2016 and 2019. Forests and domains should be set to the highest functional level all domain controllers support.[17]
  • Containers are used to group Active Directory objects for administrative purposes. The default containers include the domain itself, Builtin, Users, Computers, and Domain Controllers.[18]
  • Organizational Units (OUs) are object containers that support both administrative delegation and the application of Group Policy objects and are used to provide an administrative hierarchy to a domain.[19]
  • In a domain, the Active Directory database is used to authenticate users and computers for all computers and users in the domain. The alternative configuration is a workgroup, in which each computer is responsible for authenticating its own users.[20]
  • Domain accounts are stored in the Active Directory database and available to all computers in the domain. Local accounts are stored in the Security Account Manager (SAM) database on each local computer and available only to that computer.[21]
  • Active Directory supports two types of user groups: distribution groups and security groups. Distribution groups are used for email applications such as with Microsoft Exchange. Security groups are used to group user accounts for applied rights and permissions.[22]
  • Active Directory groups may be created with Universal, Global, or Domain Local scope. Universal groups can contain any account in the forest and can be assigned to any resource in the forest. Global groups can contain any account in the domain and can be assigned to any resource in the forest. Domain local groups can contain any account in the forest and can be assigned to any resource in the domain.[23]
  • Universal groups can contain other universal groups and global groups from the forest. Global groups can contain other global groups from the same domain. Domain local groups can contain universal and global groups from the forest and other domain local groups from the same domain.[24]
  • The Microsoft-recommended approach to account and resource management is to use global groups to organize users and domain local groups to organize resources. That is, to place accounts into global groups, place global groups into domain local groups, and give domain local groups permissions to access resources, also referred to as AGDLP.[25]

Key Terms[edit | edit source]

access control
The selective restriction of access to a place or resource.[26]
authentication
The act of confirming the truth of an attribute of a datum or entity, such as a person's identity.[27]
authorization
The function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular.[28]
Kerberos
A computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.[29]
Lightweight Directory Access Protocol (LDAP)
An application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[30]
member server
A server that is a member of an Active Directory domain and is not a domain controller.[31]
multi-master replication
A method of database replication which allows data to be stored by a group of computers, and updated by any member of the group.[32]
resource
An object that security principals may be authorized to access, such as files, folders, and printers.[33]
Samba
A free software re-implementation of the SMB/CIFS networking protocol that is included with most Unix and Linux operating systems and allows them to connect with Microsoft Windows file and print services.[34]
security principals
An entity that can be authenticated by a computer system or network, such as users, groups, and computers.[35]

Review Questions[edit | edit source]

Enable JavaScript to hide answers.

Click on a question to see the answer.

  1. Active Directory (AD) is a directory service implemented by Microsoft for _____. An AD _____ authenticates and authorizes all _____ and _____ in a _____ network, assigning and enforcing _____ for all _____ and installing or updating _____.
    Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. An AD domain controller authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software.
  2. A schema defines the _____ which can be stored in an Active Directory database.
    A schema defines the types of objects and the characteristics and information that the objects represent which can be stored in an Active Directory database.
  3. A forest is a _____ that share a common _____, _____, _____, and _____.
    A forest is a collection of one or more trees that share a common global catalog, directory schema, logical structure, and directory configuration.
  4. A tree is a _____ in a _____, linked in a _____ hierarchy.
    A tree is a collection of one or more domains in a contiguous namespace, linked in a transitive trust hierarchy.
  5. A domain is defined as a _____ that share the same _____.
    A domain is defined as a logical group of objects (computers, users, devices) that share the same Active Directory database.
  6. Domains are identified by their _____, the _____ used for Active Directory.
    Domains are identified by their DNS name structure, the namespace used for Active Directory.
  7. Trusts allow users in _____ to _____.
    Trusts allow users in one domain to access resources in another domain.
  8. Trusts between a parent and child domain are _____.
    Trusts between a parent and child domain are automatically created when the child domain is created.
  9. Domain controllers are servers that have _____ and host _____.
    Domain controllers are servers that have the Active Directory Domain Services role installed and host an Active Directory database for a given domain.
  10. Sites are _____ in a _____.
    Sites are collections of well-connected subnets in a given geographic location.
  11. Replication copies _____ to _____ hosting _____.
    Replication copies changes on one domain controller to all other domain controllers hosting the same Active Directory database (meaning within in the same domain).
  12. The Knowledge Consistency Checker (KCC) service creates _____ of _____ using _____ to _____.
    The Knowledge Consistency Checker (KCC) service creates a replication topology of site links using the defined sites to manage traffic.
  13. Intrasite replication is _____ and _____ as a result of _____, which triggers domain controllers to begin a _____ replication cycle.
    Intrasite replication is frequent and automatic as a result of change notification, which triggers domain controllers to begin a pull replication cycle.
  14. Intersite replication intervals are typically _____ and based on _____ rather than _____.
    Intersite replication intervals are typically less frequent and based on elapsed time rather than change notification.
  15. Although most domain changes can be made on any domain controller, certain operations are supported only on a single server. These servers are designated _____ (originally _____ or _____). The _____ roles are _____, _____, _____, _____, and _____.
    Although most domain changes can be made on any domain controller, certain operations are supported only on a single server. These servers are designated operation masters (originally Flexible Single Master Operations or FSMOs). The operation master roles are Schema Master, Domain Naming Master, PDC Emulator, RID Master, and Infrastructure Master.
  16. The functional level of a domain or forest controls which _______ ________ are available in the forest or domain. Separate functional levels are available for _______ ________ _____ and _______ _______ _________. Forests and domains should be set to the ________ functional level all domain controllers support.
    The functional level of a domain or forest controls which advanced features are available in the forest or domain. Separate functional levels are available for Windows Server 2016 and Windows Server 2019. Forests and domains should be set to the highest functional level all domain controllers support.
  17. Containers are used to group _____ for _____. The default containers include _____, _____, _____, _____, and _____.
    Containers are used to group Active Directory objects for administrative purposes. The default containers include the domain itself, Builtin, Users, Computers, and Domain Controllers.
  18. Organizational Units (OUs) are object containers that support both _____ and _____ and are used to provide _____ to a domain.
    Organizational Units (OUs) are object containers that support both administrative delegation and the application of Group Policy objects and are used to provide an administrative hierarchy to a domain.
  19. In a domain, the Active Directory database is used to authenticate _____ for all computers and users in the domain. The alternative configuration is a _____, in which each computer is _____.
    In a domain, the Active Directory database is used to authenticate users and computers for all computers and users in the domain. The alternative configuration is a workgroup, in which each computer is responsible for authenticating its own users.
  20. Domain accounts are stored in _____ and available to all computers in the domain. Local accounts are stored in _____ on each local computer and available only to that computer.
    Domain accounts are stored in the Active Directory database and available to all computers in the domain. Local accounts are stored in the Security Account Manager (SAM) database on each local computer and available only to that computer.
  21. Active Directory supports two types of user groups: _____ and _____. _____ groups are used for email applications such as with Microsoft Exchange. _____ groups are used to group user accounts for _____.
    Active Directory supports two types of user groups: distribution groups and security groups. Distribution groups are used for email applications such as with Microsoft Exchange. Security groups are used to group user accounts for applied rights and permissions.
  22. Active Directory groups may be created with _____, _____, or _____ scope. _____ groups can contain any account in the forest and can be assigned to any resource in the forest. _____ groups can contain any account in the domain and can be assigned to any resource in the forest. _____ groups can contain any account in the forest and can be assigned to any resource in the domain.
    Active Directory groups may be created with Universal, Global, or Domain Local scope. Universal groups can contain any account in the forest and can be assigned to any resource in the forest. Global groups can contain any account in the domain and can be assigned to any resource in the forest. Domain local groups can contain any account in the forest and can be assigned to any resource in the domain.
  23. Universal groups can contain _____. Global groups can contain _____. Domain local groups can contain _____.
    Universal groups can contain other universal groups and global groups from the forest. Global groups can contain other global groups from the same domain. Domain local groups can contain universal and global groups from the forest and other domain local groups from the same domain.
  24. The Microsoft-recommended approach to account and resource management is to use global groups to _____ and domain local groups to organize _____. That is, to place accounts into _____, place _____ into _____, and give _____ permissions to access _____, also referred to as _____.
    The Microsoft-recommended approach to account and resource management is to use global groups to organize users and domain local groups to organize resources. That is, to place accounts into global groups, place global groups into domain local groups, and give domain local groups permissions to access resources, also referred to as AGDLP.

Flashcards[edit | edit source]

References[edit | edit source]

Type classification: this is a lesson resource.
Completion status: this resource is considered to be complete.