active_directory_imp_notes


Upload: nagendrabc

Post on 09-Apr-2018


Page 1: Active_directory_IMP_notes

8/8/2019 Active_directory_IMP_notes

http://slidepdf.com/reader/full/activedirectoryimpnotes 1/39

WINDOWS 2003 SERVER ROLES

File server 

Print server 

Application server 

Mail server 

Terminal Services server 

Streaming media server 

Remote Access/VPN server 

Domain controller 

Database server

Web (IIS) server

DNS server  

DHCP server 

WINS server 


 Active Directory

What is Active Directory?

- LDAP Directory Service
- Works with and requires DNS
- Incorporated into Windows 2000 and XP
- Centrally Managed
- Extensible
- Interoperable


How Boot Files Function

1. BIOS reads the contents of the MBR
2. Boot sector program reads the root directory and loads Windows 2003 Loader
3. NTLDR loads basic memory configuration and switches to 32-bit mode (protected mode)
4. NTLDR reads boot.ini and runs OS
5. NTLDR switches back to 16-bit mode, loads ntdetect.com
6. NTLDR loads into memory, reads the resource map that NTDETECT builds
7. NTLDR switches system back to protected mode
8. NTLDR starts run process for NTOSKRNL


 Active Directory

Password Replication

- Password changes can happen on any DC
- When a password is changed on a DC it pushes that change immediately to the PDC Emulator
- Before a server actually rejects a bad password, it contacts the PDC Emulator and verifies it there
- This makes sure that a password change does not deny access


Common DNS Problems on Domain Members

UserEnv 1000 unable to determine computer name or username
- Q261007
Group policies are not being applied
Unable to resolve to Internet
Unable to find and/or join domain
- Q247811
Logon delay while preparing network connections


Common DNS Problems on Domain Controller

Registration or deregistration of DNS records fails
- Q259277
Replication between DCs fails because of RPC error
- Q224544
Terminal Services unable to find Licensing server
- Q261110


Common DNS Problems on Domain Controller

Unable to DCPROMO second DC because of DNS lookup failure
Unable to establish trust between domains
- Q224370
DC fails to register SRV records because of incorrect FQDN
Unable to add DNS forwarders
- Q229840
More than 15 IP addresses on DC
- Q261197


Backup Types

Backup types include:

- Normal backup
- Incremental backup
- Differential backup
- Daily backup
- Copy backup


Normal/full backups: All files that have been selected are backed up, regardless of the setting of the archive attribute. When a file is backed up, the archive attribute is cleared. If the file is later modified, this attribute is set, which indicates that the file needs to be backed up.

Copy backups: All files that have been selected are backed up, regardless of the setting of the archive attribute. Unlike a normal backup, the archive attribute on files isn't modified. This allows you to perform other types of backups on the files at a later date.

Differential backups: Designed to create backup copies of files that have changed since the last normal backup. The presence of the archive attribute indicates that the file has been modified and only files with this attribute are backed up. However, the archive attribute on files isn't modified. This allows you to perform other types of backups on the files at a later date.

Incremental backups: Designed to create backups of files that have changed since the most recent normal or incremental backup. The presence of the archive attribute indicates that the file has been modified and only files with this attribute are backed up. When a file is backed up, the archive attribute is cleared. If the file is later modified, this attribute is set, which indicates that the file needs to be backed up.

Daily backups: Designed to back up files using the modification date on the file itself. If a file has been modified on the same day as the backup, the file will be backed up. This technique doesn't change the archive attributes of files.

Archive attribute: A file classification that indicates whether the file has been updated since the last backup. A bit is set in the file directory to indicate the archive status. When a file is created or saved, the bit is turned on. When it is backed up, the bit is turned off. See file attribute


Normal Backup

Default type of backup performed by Backup utility

Backs up all selected files and folders and clears the archive attribute on each

This type of backup can be inefficient because it does not take into account whether files have changed


Incremental Backup

Backs up only files that have changed since last normal or incremental backup

Clears the archive attributes of the files

Reduces the size of backup jobs

Restore process is more complicated
- Normal backup and all incremental backups must be restored in order

The incremental backup backs up only those files that have been created or changed since the last incremental or normal backup. It also marks the files as having been backed up. A combination of normal backups and incremental backups is common, and also a very good combination. It also requires the least amount of storage space and is fast for backing up the data. The disadvantage of this is that it's time-consuming to recover files, simply because you need the last normal backup set and all incremental backup sets, which can be stored on several backup drives or tapes.


Differential Backup

Backs up only files that have changed since last normal or incremental backup

Does not clear the archive attributes of those files
- A second differential backup will back up the same files since the first backup is not recorded by the archive attributes

Reduces the size of backup jobs compared to normal backups but not incremental backups

Restore process requires only the normal backup and the latest differential backup

because differential backups do not mark files as having been backed up. A combination of differential backups and normal backups is more time-consuming for the backup part than incremental + normal backups are. But on the other hand it is faster to restore data because all you need is the last normal backup and the last differential backup.
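The archive-attribute rules described above, modelled as an added example that is not part of the original notes; the `Volume` class, the file names and the four-day schedule are constructed for illustration. It shows what each backup type selects and which sets a full restore needs, and its restore rule generalises the two cases in the text to histories that mix incremental and differential jobs.

```python
from dataclasses import dataclass, field

# kind -> (selects only files whose archive bit is set, clears the bit afterwards)
RULES = {
    "normal":       (False, True),
    "copy":         (False, False),
    "differential": (True,  False),
    "incremental":  (True,  True),
}

@dataclass
class Volume:
    archive: dict = field(default_factory=dict)   # file name -> archive bit
    modified: dict = field(default_factory=dict)  # file name -> day last saved

    def save(self, name, day):
        self.archive[name] = True   # creating or saving a file sets the bit
        self.modified[name] = day

def backup(vol, kind, day):
    """Run one backup job and return the backup set it produced."""
    if kind == "daily":             # selects by modification date, ignores the bit
        files = sorted(n for n, d in vol.modified.items() if d == day)
        return {"kind": kind, "day": day, "files": files}
    only_flagged, clears = RULES[kind]
    files = sorted(n for n, bit in vol.archive.items() if bit or not only_flagged)
    if clears:
        for n in files:
            vol.archive[n] = False
    return {"kind": kind, "day": day, "files": files}

def restore_chain(history):
    """Backup sets needed, in order, to rebuild the volume from this history."""
    start = max(i for i, s in enumerate(history) if s["kind"] == "normal")
    chain, last_clear = [history[start]], start
    for i in range(start + 1, len(history)):
        if history[i]["kind"] == "incremental":
            chain.append(history[i])
            last_clear = i
    # a differential only helps if taken after the last bit-clearing backup
    diffs = [s for s in history[last_clear + 1:] if s["kind"] == "differential"]
    return chain + diffs[-1:]

def run_week(weekday_kind):
    """Constructed schedule: normal on day 0, then one file changes on each of days 1-3."""
    vol = Volume()
    for name in ("a.doc", "b.xls", "c.mdb"):
        vol.save(name, day=0)
    history = [backup(vol, "normal", 0)]
    for day, name in ((1, "a.doc"), (2, "b.xls"), (3, "c.mdb")):
        vol.save(name, day)
        history.append(backup(vol, weekday_kind, day))
    return vol, history

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        _, hist = run_week(kind)
        print(kind, [len(s["files"]) for s in hist],
              [f'{s["kind"]}@{s["day"]}' for s in restore_chain(hist)])
```

With this schedule the incremental jobs stay at one file each but the restore needs four sets, while the differential jobs grow each day and the restore needs two.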


When you back up or restore the System State data, all of the System State data that is relevant to your computer is backed up or restored. You cannot back up or restore individual components of the System State data because of dependencies among the System State components. However, you can restore the System State data to an alternate location. If you do this, only the registry files, SYSVOL directory files, Cluster database information files, and system boot files are restored to the alternate location. Active Directory, the Certificate Services database, and the COM+ Class Registration database are not restored if you designate an alternate location when you restore the System State data.


Daily Backup and Copy Backup

Daily Backup
- Backs up selected files or folders that were created or changed on the day of the backup
- The archive attribute is not changed
- The daily backup copies all the files that you have selected that have been modified on the day, without marking the files as having been backed up.

Copy Backup
- Exactly the same as a normal backup but doesn't change the archive attribute
- Intended as a backup that will not interrupt other backup procedures (perhaps an archival copy)
- A copy backup copies all the files you have selected, but does not mark the files as having been backed up. This backup type is useful when you must back up single files between normal and incremental backups because it does not affect these operations


Using the Backup Utility

Commonly used to back up critical data and operating system files

Can be used in two modes: Wizard mode and Advanced mode

Can be used to
- Back up System State data
- Restore Active Directory
- Access Automated System Restore feature


Activity 12-1: Backing Up Files and Folders Using the Backup Utility

Objective: To explore the use of Windows Server 2003 Backup utility for backing up files and folders

Start > All Programs > Accessories > System Tools > Backup

Use Advanced Mode to back up the contents of a folder


Activity 12-2: Restoring Files and Folders Using the Backup Utility

Objective: To use Backup utility to restore previously backed up files

Start > Run > type ntbackup.exe

Advanced Mode

Follow directions to restore the files backed up in Activity 12-1 to an alternate location

Verify that the files have been restored


Scheduling Backups

Backups can be scheduled to occur without interaction from an administrator

Can schedule backups daily, weekly, monthly, predefined times, predefined days


Activity 12-3: Scheduling Backup Operations Using the Backup Utility

Objective: Use the Windows Server 2003 Backup utility to schedule a backup

Open the Backup utility and use the Backup and Restore Wizard

Set the Schedule Job to Daily and select a time

Confirm that the backup has been scheduled

Confirm that the backup occurs as


Backing Up and Restoring System State Data

System State data includes:
- Registry (always)
- COM+ Class Registration database (always)
- Boot files (always)
- Certificate Services database (if installed)
- Active Directory (on domain controllers)
- SYSVOL directory (on domain controllers)
- Cluster service (if part of a cluster)
- IIS Metadirectory (if IIS is installed)
- System files (always)


Feature Highlights

Active Directory Functional Levels
- Determines what OS DCs can run

Forest
- Windows 2000 (NT/2000/2003) (Default)
- Windows Server 2003 interim (NT/2003)
- Windows Server 2003 (2003)

Domain
- Windows 2000 mixed (NT/2000/2003) (Default)
- Windows 2000 native (2000/2003)
- Windows Server 2003 interim (NT/2003)
- Windows Server 2003 (2003)

- To raise forest functionality, you must be a member of Enterprise Admins
- To raise domain functionality, you must be a member of Domain Admins or Enterprise Admins


Feature Highlights

Group Policy

Many new settings (as in Windows XP Pro)

RSOP (Resultant Set of Policy)

Cross-Forest Support

Modeling (calculate net effect of multiple GPOs)

WMI Filters

GPMC Coming Soon. Enables:
- Backup and restore of Group Policy objects (GPOs)
- Import/export and copy/paste of GPOs
- Reporting of GPO settings and Resultant Set of Policy (RSoP) data
- Use of templates for managed configurations
- All GPMC operations to be scripted
- Management of all sites and domains and multiple forests
- Drag-and-Drop support


TERMINAL SERVICES TROUBLESHOOTING

Terminal Services uses TCP and UDP port number 3389.

Users must belong to the Administrators or Remote Desktop Users group.


SECURING REMOTE DESKTOP

Change the default RDP port 3389
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber


 

CONFIGURING REMOTE DESKTOP CONNECTION

Remote Desktop Connection client software can be installed from the following locations:
- The Windows Server 2003 distribution CD
- The Systemroot\System32\Clients\Tsclient\Win32 folder


SUMMARY

Local user accounts are stored on the local system and can provide users with access only to local resources. Domain user accounts are stored on Active Directory domain controllers and can provide users with access to resources all over the network.

User objects include the properties related to the individuals they represent.

A user object template is an object that is copied to produce new users. If the template is not a "real" user, it should be disabled. Only a subset of user properties is copied from templates.

Windows Server 2003 includes command-line tools that you can use to create and manage Active Directory objects, including Csvde.exe, Dsadd.exe, and Dsmod.exe.


A user profile is a collection of folders and data that make up the desktop environment for a specific user.

Windows Server 2003 generates an individual user profile for each person who logs on to the system. Local user profiles are stored on the local drive, whereas a roaming user profile is stored on a network server.

A mandatory user profile is one that never changes, providing the same desktop configuration each time the user logs on.

Auditing for authentication allows you to track logon activity for the network.


A group is an object that consists of a list of users.

All permissions assigned to the group are inherited by its members.

The domain functional level determines which group types and scopes you can use, which groups can be nested, and which group conversions you can perform.

Security groups can be assigned permissions, while distribution groups are used for query containers, such as e-mail distribution groups, and cannot be assigned permissions to a resource.


Domain local groups are used for assigning permissions to resources.

Global groups are used for gathering together users with similar resource requirements.

Universal groups are used primarily to grant access to related resources in multiple domains.

You can create domain groups in any container or OU in the Active Directory tree.


SUMMARY (continued)

Group nesting refers to the ability to make one group a member of another group.

Command-line tools such as Dsadd.exe, Dsmod.exe, and Dsget.exe allow you to automate group management tasks.


Volume Shadow Copy Technology

This is a new technology in Windows Server 2003 that did not exist in Windows 2000 Server. This technology is used to create a copy of the original volume at the time a backup is initiated. Data is then backed up from the shadow copy instead of the original volume. By doing this, all activity, such as file changes, will not affect the backup, because it is using the shadow copy instead, which is not changed. So with this new feature users can access files during a backup, files are not skipped because they were in use, and open files appear to be closed.

You should use Volume Shadow Copy, but you can disable it. The only time you would want to disable it is when you don't have enough free disk space. As you can imagine, you need as much extra disk space as the files you back up use. This consumption of disk space is, however, temporary, and the space is freed when the backup is completed.

If sufficient temporary disk space is not available, Windows Server 2003 cannot complete the shadow copy and the backup will skip open files.

To use this feature you must use NTFS as the file system.

Volume Shadow Copy does not mean that from now on you can back up when server usage is high. You should always back up when it's low, for example at nights and weekends.