active_directory_imp_notes
TRANSCRIPT
8/8/2019 Active_directory_IMP_notes
http://slidepdf.com/reader/full/activedirectoryimpnotes 1/39
WINDOWS 2003 SERVER ROLES
File server
Print server
Application server
Mail server
Terminal Services server
Streaming media server
Remote Access/VPN server
Domain controller
Database server
Web (IIS) server
DNS server
DHCP server
WINS server
Active Directory
What is Active Directory?
- LDAP Directory Service
- Works with and requires DNS
- Incorporated into Windows 2000 and XP
- Centrally Managed
- Extensible
- Interoperable
How Boot Files Function
1. BIOS reads the contents of the MBR
2. Boot sector program reads the root directory and loads Windows 2003 Loader
3. NTLDR loads basic memory configuration and switches to 32-bit mode (protected mode)
4. NTLDR reads boot.ini and runs OS
5. NTLDR switches back to 16-bit mode, loads ntdetect.com
6. NTLDR loads into memory, reads the resource map that NTDETECT builds
7. NTLDR switches system back to protected mode
8. NTLDR starts run process for NTOSKRNL
Active Directory
Password Replication
- Password changes can happen on any DC
- When a password is changed on a DC it pushes that change immediately to the PDC Emulator
- Before a server actually rejects a bad password, it contacts the PDC Emulator and verifies it there
- This makes sure that a password change does not deny access
Common DNS Problems On Domain Members
UserEnv 1000 unable to determine computer name or username
- Q261007
Group policies are not being applied
Unable to resolve to Internet
Unable to find and/or join domain
- Q247811
Logon delay while preparing network connections
Common DNS Problems On Domain Controller
Registration or deregistration of DNS records fails
- Q259277
Replication between DCs fails because of RPC error
- Q224544
Terminal Services unable to find Licensing server
- Q261110
Common DNS Problems On Domain Controller
Unable to DCPROMO second DC because of DNS lookup failure
Unable to establish trust between domains
- Q224370
DC fails to register SRV records because of incorrect FQDN
Unable to add DNS forwarders
- Q229840
More than 15 IP addresses on DC
- Q261197
Backup Types
Backup types include:
- Normal backup
- Incremental backup
- Differential backup
- Daily backup
- Copy backup
Normal/full backups: All files that have been selected are backed up, regardless of the setting of the archive attribute. When a file is backed up, the archive attribute is cleared. If the file is later modified, this attribute is set, which indicates that the file needs to be backed up.
Copy backups: All files that have been selected are backed up, regardless of the setting of the archive attribute. Unlike a normal backup, the archive attribute on files isn't modified. This allows you to perform other types of backups on the files at a later date.
Differential backups: Designed to create backup copies of files that have changed since the last normal backup. The presence of the archive attribute indicates that the file has been modified and only files with this attribute are backed up. However, the archive attribute on files isn't modified. This allows you to perform other types of backups on the files at a later date.
Incremental backups: Designed to create backups of files that have changed since the most recent normal or incremental backup. The presence of the archive attribute indicates that the file has been modified and only files with this attribute are backed up. When a file is backed up, the archive attribute is cleared. If the file is later modified, this attribute is set, which indicates that the file needs to be backed up.
Daily backups: Designed to back up files using the modification date on the file itself. If a file has been modified on the same day as the backup, the file will be backed up. This technique doesn't change the archive attributes of files.
Archive attribute: A file classification that indicates whether the file has been updated since the last backup. A bit is set in the file directory to indicate the archive status. When a file is created or saved, the bit is turned on. When it is backed up, the bit is turned off. See file attribute.
Normal Backup
Default type of backup performed by Backup utility
Backs up all selected files and folders and clears the archive attribute on each
This type of backup can be inefficient because it does not take into account whether files have changed
Incremental Backup
Backs up only files that have changed since last normal or incremental backup
Clears the archive attributes of the files
Reduces the size of backup jobs
Restore process is more complicated
- Normal backup and all incremental backups must be restored in order
The incremental backup backs up only those files that have been created or changed since the last incremental or normal backup. It also marks the files as having been backed up. A combination of normal backups and incremental backups is common, and also a very good combination. It also requires the least amount of storage space and is fast for backing up the data. The disadvantage of this is that it's time-consuming to recover files, simply because you need the last normal backup set and all incremental backup sets, which can be stored on several backup drives or tapes.
Differential Backup
Backs up only files that have changed since last normal or incremental backup
Does not clear the archive attributes of those files
- A second differential backup will back up the same files since the first backup is not recorded by the archive attributes
Reduces the size of backup jobs compared to normal backups but not incremental backups
Restore process requires only the normal backup and the latest differential backup
because differential backups do not mark files as having been backed up. A combination of differential backups and normal backups is more time-consuming concerning the backup part than the incremental + normal backups are. But on the other hand it is faster to restore data because all you need is the last normal backup and the last differential backup.
When you back up or restore the System State data, all of the System
State data that is relevant to your computer is backed up or restored. You
cannot back up or restore individual components of the System State
data because of dependencies among the System State components.
However, you can restore the System State data to an alternate location.
If you do this, only the registry files, SYSVOL directory files, Cluster database information files, and system boot files are restored to the
alternate location. Active Directory, the Certificate Services database, and
the COM+ Class Registration database are not restored if you designate
an alternate location when you restore the System State data.
Daily Backup and Copy Backup
Daily Backup
- Backs up selected files or folders that were created or changed on the day of the backup
- The archive attribute is not changed
- The daily backup copies all the files that you have selected that have been modified on the day, without marking the files as having been backed up.
Copy Backup
- Exactly the same as a normal backup but doesn't change the archive attribute
- Intended as a backup that will not interrupt other backup procedures (perhaps an archival copy)
- A copy backup copies all the files you have selected, but does not mark the files as having been backed up. This backup type is useful when you must back up single files between normal and incremental backups because it does not affect these operations.
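The archive-attribute rules given for the five backup types, and the restore requirements stated for incremental and differential backups, can be checked with a small model. This is an added example, not part of the original notes; the `Volume` class, the file names and the schedules are constructed for illustration.

```python
# Added illustration, not from the original notes: a constructed model of the archive bit.
# kind -> (backs up only files whose archive bit is set, clears the bit afterwards)
BACKUP_TYPES = {"normal": (False, True), "copy": (False, False),
                "incremental": (True, True), "differential": (True, False)}

class Volume:
    """Hypothetical volume: file name -> archive bit."""

    def __init__(self, names):
        self.archive = {name: True for name in names}  # bit is on for new files
        self.modified_today = set()

    def write(self, name):
        self.archive[name] = True  # saving a file turns the bit on
        self.modified_today.add(name)

    def backup(self, kind):
        if kind == "daily":  # selects by modification date, never touches the bit
            return sorted(self.modified_today)
        only_flagged, clears = BACKUP_TYPES[kind]
        picked = sorted(n for n, bit in self.archive.items() if bit or not only_flagged)
        if clears:
            for name in picked:
                self.archive[name] = False
        return picked

def run_schedule(schedule):
    """Each step is (files written that day, backup kind); returns each set's contents."""
    vol = Volume(["a.doc", "b.xls", "c.txt"])
    sets = []
    for writes, kind in schedule:
        vol.modified_today.clear()  # a new day starts
        for name in writes:
            vol.write(name)
        sets.append(vol.backup(kind))
    return sets

def restore_chain(history):
    """Indexes of the backup sets a full restore needs, in restore order."""
    last_normal = max(i for i, kind in enumerate(history) if kind == "normal")
    chain, latest_diff = [last_normal], None
    for i in range(last_normal + 1, len(history)):
        if history[i] == "incremental":
            chain.append(i)
            latest_diff = None  # this incremental already holds what that differential had
        elif history[i] == "differential":
            latest_diff = i
    return chain + ([latest_diff] if latest_diff is not None else [])

if __name__ == "__main__":
    print(run_schedule([([], "normal"), (["a.doc"], "differential"), (["b.xls"], "differential")]))
    print(restore_chain(["normal", "incremental", "incremental"]))
```

The differential schedule shows the second set growing to include `a.doc` again, while a copy or daily backup placed between a normal and an incremental backup leaves the incremental set unchanged.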
Using the Backup Utility
Commonly used to back up critical data and operating system files
Can be used in two modes: Wizard mode and Advanced mode
Can be used to
- Back up System State data
- Restore Active Directory
- Access Automated System Restore feature
Activity 12-1: Backing Up Files and Folders Using the Backup Utility
Objective: To explore the use of Windows Server 2003 Backup utility for backing up files and folders
Start > All Programs > Accessories > System Tools > Backup
Use Advanced Mode to back up the contents of a folder
Activity 12-2: Restoring Files and Folders Using the Backup Utility
Objective: To use Backup utility to restore previously backed up files
Start > Run > type ntbackup.exe
Advanced Mode
Follow directions to restore the files backed up in Activity 12-1 to an alternate location
Verify that the files have been restored
Scheduling Backups
Backups can be scheduled to occur without interaction from an administrator
Can schedule backups daily, weekly, monthly, predefined times, predefined days
Activity 12-3: Scheduling Backup Operations Using the Backup Utility
Objective: Use the Windows Server 2003 Backup utility to schedule a backup
Open the Backup utility and use the Backup and Restore Wizard
Set the Schedule Job to Daily and select a time
Confirm that the backup has been scheduled
Confirm that the backup occurs as
Backing Up and Restoring System State Data
System State data includes:
- Registry (always)
- COM+ Class Registration database (always)
- Boot files (always)
- Certificate Services database (if installed)
- Active Directory (on domain controllers)
- SYSVOL directory (on domain controllers)
- Cluster service (if part of a cluster)
- IIS Metadirectory (if IIS is installed)
- System files (always)
Feature Highlights
Active Directory Functional Levels
- Determines what OS DCs can run
Forest
- Windows 2000 (NT/2000/2003) - Default
- Windows Server 2003 interim (NT/2003)
- Windows Server 2003 (2003)
Domain
- Windows 2000 mixed (NT/2000/2003) - Default
- Windows 2000 native (2000/2003)
- Windows Server 2003 interim (NT/2003)
- Windows Server 2003 (2003)
- To raise forest functionality, you must be a member of Enterprise Admins
- To raise domain functionality, you must be a member of Domain Admins or Enterprise Admins
Feature Highlights
Group Policy
Many new settings (as in Windows XP Pro)
RSOP - Resultant Set of Policy
Cross-Forest Support
Modeling (calculate net effect of multiple GPOs)
WMI Filters
GPMC Coming Soon - Enables
- Backup and restore of Group Policy objects (GPOs)
- Import/export and copy/paste of GPOs
- Reporting of GPO settings and Resultant Set of Policy (RSoP) data
- Use of templates for managed configurations
- All GPMC operations to be scripted
- Management of all sites and domains and multiple forests
- Drag-and-Drop support
TERMINAL SERVICES TROUBLESHOOTING
Terminal Services uses TCP and UDP port number 3389.
Users must belong to the Administrators or Remote Desktop Users group.
SECURING REMOTE DESKTOP
Change the default RDP port 3389
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
CONFIGURING REMOTE DESKTOP CONNECTION
Remote Desktop Connection client software can be installed from the following locations:
The Windows Server 2003 distribution CD
The Systemroot\System32\Clients\Tsclient\Win32 folder
SUMMARY
Local user accounts are stored on the local system and can provide users with access only to local resources. Domain user accounts are stored on Active Directory domain controllers and can provide users with access to resources all over the network.
User objects include the properties related to the individuals they represent.
A user object template is an object that is copied to produce new users. If the template is not a "real" user, it should be disabled. Only a subset of user properties is copied from templates.
Windows Server 2003 includes command-line tools that you can use to create and manage Active Directory objects, including Csvde.exe, Dsadd.exe, and Dsmod.exe.
A user profile is a collection of folders and data that make up the desktop environment for a specific user.
Windows Server 2003 generates an individual user profile for each person who logs on to the system. Local user profiles are stored on the local drive, whereas a roaming user profile is stored on a network server.
A mandatory user profile is one that never changes, providing the same desktop configuration each time the user logs on.
Auditing for authentication allows you to track logon activity for the network.
A group is an object that consists of a list of users.
All permissions assigned to the group are inherited by its members.
The domain functional level determines which group types and scopes you can use, which groups can be nested, and which group conversions you can perform.
Security groups can be assigned permissions, while distribution groups are used for query containers, such as e-mail distribution groups, and cannot be assigned permissions to a resource.
Domain local groups are used for assigning permissions to resources. Global groups are used for gathering together users with similar resource requirements. Universal groups are used primarily to grant access to related resources in multiple domains.
You can create domain groups in any container or OU in the Active Directory tree.
SUMMARY (continued)
Group nesting refers to the ability to make one group a member of another group.
Command-line tools such as Dsadd.exe, Dsmod.exe, and Dsget.exe allow you to automate group management tasks.
Volume Shadow Copy Technology
This is a new technology in Windows Server 2003 that did not exist in Windows 2000 Server. This technology is used to create a copy of the original volume at the time a backup is initiated. Data is then backed up from the shadow copy instead of the original volume. By doing this, all activity such as file changes will not affect the backup, because it is using the shadow copy instead, which is not changed. So with this new feature users can access files during a backup, files are not skipped because they were in use, and open files appear to be closed.
You should use Volume Shadow Copy, but you can disable it. The only time you would want to disable it is when you don't have enough free disk space. As you can imagine, you need as much extra disk space as the files you will back up use. This consumption of disk space is however temporary, and the space will be freed when the backup is completed.
If sufficient temporary disk space is not available, Windows Server 2003 cannot complete the shadow copy and the backup will skip open files.
To use this feature you must use NTFS as the file system.
Volume Shadow Copy does not mean that from now on you can back up when server usage is high. You should always back up when it's low, for example at nights and weekends.