Exam 70-640: TS: Windows Server 2008 Active Directory, Configuring
Installing & Configuring Active Directory - Windows Server 2008 R2
Chapter 1: Installation

In this chapter, you will begin your exploration of Windows Server 2008 Active Directory by installing the Active Directory Domain Services (AD DS) role and creating a domain controller in a new Active Directory forest.
You will find that Windows Server 2008 continues the evolution of Active Directory by enhancing many of the concepts and features with which you are familiar from earlier versions of Active Directory. This chapter focuses on the creation of a new Active Directory forest with a single domain on a single domain controller. The practice exercises in this chapter guide you through the creation of a domain named contoso. You will need at least MB of RAM, 10 GB of free hard disk space, and an x86 processor with a minimum clock speed of 1 GHz or an x64 processor with a minimum clock speed of 1.
Alternatively, you can use virtual machines that meet the same requirements.

Real World: Dan Holme

Domain controllers perform identity and access management functions that are critical to the integrity and security of a Windows enterprise.
Therefore, most organizations choose to dedicate the role of domain controller, meaning that a domain controller does not provide other functions such as file and print services. In previous versions of Windows, however, when you promoted a server to a domain controller, other services remained installed and available whether or not they were in use.
These additional, unnecessary services increased the patching burden and enlarged the domain controller's attack surface. Windows Server 2008 addresses these concerns through its role-based architecture: a server begins its life as a fairly lean installation of Windows to which roles and their associated services and features are added.
Additionally, the new Server Core installation option of Windows Server 2008 provides a minimal installation of Windows that even forgoes a graphical user interface (GUI) in favor of a command prompt.
In this chapter, you will gain firsthand experience with these important characteristics of Windows Server 2008 domain controllers.
These changes to the architecture and feature set of Windows Server 2008 domain controllers will help your enterprise further improve the security, stability, and manageability of its identity and access management infrastructure.
You will also explore Server Manager, the tool with which you configure server roles, and the improved Active Directory Domain Services Installation Wizard.
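As an added example (not from the training kit), the following script carries out the installation this chapter describes without the wizard, which also makes it usable on a Server Core installation. The domain name contoso.com, the NetBIOS name, the database paths and the password are assumptions chosen for illustration; the answer-file keys are the documented dcpromo unattend parameters.

```powershell
# Added example, not from the training kit. Assumes Windows Server 2008 R2
# (ServerManager module). On Windows Server 2008 RTM the equivalent is:
#   servermanagercmd -install AD-Domain-Services
# Run from an elevated PowerShell session on the server to be promoted.
Import-Module ServerManager

# 1. Confirm the lean starting point: a future DC should carry no other roles.
$otherRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -ne 'AD-Domain-Services' }
if ($otherRoles) {
    $names = ($otherRoles | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Other roles are installed on this server: $names"
}

# 2. Add the AD DS role (binaries only; the server is not yet a DC).
Add-WindowsFeature AD-Domain-Services

# 3. Answer file for dcpromo. All values are assumptions for a lab forest.
#    ForestLevel/DomainLevel 3 = Windows Server 2008 functional level.
#    SafeModeAdminPassword is the Directory Services Restore Mode password and
#    sits in clear text in this file: keep the file off shared storage and
#    delete it as soon as promotion has completed.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetBiosName=CONTOSO
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=ChangeMe-DSRM-2008!
RebootOnCompletion=Yes
"@
$answerPath = "$env:SystemDrive\dcpromo-forest.txt"
Set-Content -Path $answerPath -Value $answer -Encoding ASCII

# 4. Promote. The server reboots when this finishes, so nothing after this
#    line runs in the same session.
& dcpromo.exe "/unattend:$answerPath"
```

After the reboot, dcpromo's own record of what it did is in %SystemRoot%\Debug\dcpromo.log and dcpromoui.log; check them before trusting the new DC, and remove the answer file.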
Estimated lesson time: 60 minutes

Active Directory, Identity, and Access

As mentioned in the introductions to the chapter and this lesson, Active Directory provides the identity and access (IDA) solution for enterprise networks running Windows. IDA is necessary to maintain the security of enterprise resources such as files, e-mail, applications, and databases.
For example, consider a user who opens a document from a shared folder on a server. The document is secured with permissions on an access control list (ACL). Before the server can decide whether to allow the request, it must know who is asking: the user must be represented by an identity, and that identity must be proven.
Computers, groups, services, and other objects also perform actions on the network, and they too must be represented by identities. Among the information stored about an identity are properties that uniquely identify the object, such as a user name or a security identifier (SID), and the password for the identity. The identity store is, therefore, one component of an IDA infrastructure.
The Active Directory data store, also known as the directory, is an identity store. The directory itself is hosted on and managed by a domain controller, a server performing the AD DS role. To validate an identity, the user provides secrets known only to the user and the IDA infrastructure. Those secrets are compared to the information in the identity store in a process called authentication.
When a user or computer logs on to the domain, Kerberos authenticates its credentials and issues a package of information called a ticket-granting ticket (TGT). Before the user connects to the server to request the document, the Kerberos client sends a request to a domain controller along with the TGT that identifies the authenticated user. The domain controller issues another package of information called a service ticket that identifies the authenticated user to the server.
The user presents the service ticket to the server, which accepts it as proof that the user has been authenticated; because the ticket is encrypted with the service's own long-term key, the server can verify it without contacting a domain controller. These Kerberos transactions result in a single network logon: after the user or computer has initially logged on and has been granted a TGT, the user is authenticated within the entire domain and can be granted service tickets that identify the user to any service.
All of this ticket activity is managed by the Kerberos clients and services built into Windows and is transparent to the user.
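The tickets described above can be inspected on any Windows 7 or Windows Server 2008 R2 computer with klist.exe. This added example (not from the training kit) parses klist output into objects and runs two checks a practitioner wants: that a TGT is present at all, and which service tickets are still being issued with RC4 rather than AES. The sample output is constructed, not captured from a real system; the user, host and realm names are assumptions.

```powershell
# Added example, not from the training kit. Parses the klist.exe ticket-cache
# listing (Windows 7 / Windows Server 2008 R2 format) into objects.
function ConvertFrom-KlistOutput {
    param([string[]]$Lines)
    $tickets = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^#(\d+)>\s+Client:\s+(.+?)\s+@\s+(\S+)') {
            if ($current) { $tickets += $current }
            $current = New-Object PSObject -Property @{
                Index = [int]$matches[1]; Client = $matches[2]; Realm = $matches[3]
                Server = $null; Kind = $null; EncryptionType = $null; EndTime = $null
            }
        }
        elseif ($current -and $line -match '^\s*Server:\s+(\S+)\s+@') {
            $current.Server = $matches[1]
            # krbtgt/<REALM> is the TGT issued at logon; anything else is a
            # service ticket obtained by presenting that TGT to a DC.
            if ($matches[1] -like 'krbtgt/*') { $current.Kind = 'TGT' } else { $current.Kind = 'Service' }
        }
        elseif ($current -and $line -match '^\s*KerbTicket Encryption Type:\s+(.+?)\s*$') {
            $current.EncryptionType = $matches[1]
        }
        elseif ($current -and $line -match '^\s*End Time:\s+(.+?)\s+\(local\)') {
            $current.EndTime = $matches[1]
        }
    }
    if ($current) { $tickets += $current }
    return ,$tickets
}

function Test-TicketCache {
    param([string[]]$Lines)
    $tickets = ConvertFrom-KlistOutput -Lines $Lines
    if (-not ($tickets | Where-Object { $_.Kind -eq 'TGT' })) {
        Write-Warning 'No TGT in the cache: this logon did not authenticate with Kerberos.'
    }
    foreach ($t in ($tickets | Where-Object { $_.Kind -eq 'Service' -and $_.EncryptionType -like '*RC4*' })) {
        Write-Warning "Service ticket for $($t.Server) uses RC4; check that account's supported encryption types."
    }
    $tickets
}

# Constructed sample (not captured from a real system): the TGT from logon plus
# a service ticket for the file server's CIFS service.
$sampleText = @'
Current LogonId is 0:0x2f4a1

Cached Tickets: (2)

#0>     Client: alice @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/1/2010 8:02:11 (local)
        End Time:   3/1/2010 18:02:11 (local)
        Renew Time: 3/8/2010 8:02:11 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ CONTOSO.COM
        Server: cifs/server01.contoso.com @ CONTOSO.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/1/2010 8:05:40 (local)
        End Time:   3/1/2010 18:02:11 (local)
        Renew Time: 3/8/2010 8:02:11 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
'@
$sample = $sampleText -split "`r?`n"

Test-TicketCache -Lines $sample | Format-Table Index, Kind, Server, EncryptionType, EndTime -AutoSize

# Live use on a domain-joined client: purge, touch a share, then inspect.
#   klist purge; net use \\server01.contoso.com\share; Test-TicketCache -Lines (klist)
```

Running the live sequence shows the single-logon behaviour described above: after the purge, klist lists nothing; after the share is opened, it lists a fresh TGT (obtained silently with the cached logon credentials) followed by a cifs/ service ticket whose end time matches the TGT's.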
Access to confidential information must be managed according to the policies of the enterprise. The ACL on the document reflects a security policy composed of permissions that specify access levels for particular identities; the server builds an access token from the SIDs carried in the service ticket and compares that token against the ACL to authorize the request.
The security subsystem of the server in this example is performing the access control function of the IDA infrastructure.
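The authorization step just described can be observed directly. This added example (not from the training kit) reads the ACL on a document, lists each entry by the SID it is actually stored against (the friendly name is resolved only for display, so a deleted principal shows up as an unresolved SID), and then adds a read-only entry for a group. The path and the group name are assumptions.

```powershell
# Added example, not from the training kit. Path and group are assumptions.
$path  = 'C:\Shares\Finance\Q1-report.docx'
$group = 'CONTOSO\Finance'

function Get-AceReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Request the rules keyed by SID: that is how the ACL stores them. The name
    # is looked up afterwards; a SID that no longer resolves is an orphaned ACE
    # left behind by a deleted user or group.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved SID>' }
        New-Object PSObject -Property @{
            Name      = $name
            Sid       = $sid.Value
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
        }
    }
}

# Grant the group read-only access. The file server's security subsystem
# enforces this at access time by comparing the SIDs in the caller's token
# (built from the Kerberos service ticket) against these entries.
$acl  = Get-Acl -Path $path
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $group, 'ReadAndExecute', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

Get-AceReport -Path $path | Format-Table Name, Sid, Rights, Type, Inherited -AutoSize
```

Because the entry is stored as a SID, renaming the group in the directory changes nothing on the file server, while deleting and recreating it under the same name produces a new SID and leaves an orphaned entry behind; the report makes both cases visible.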
With the release of Windows Server 2008, Microsoft has consolidated a number of previously separate components into an integrated IDA platform.
Active Directory itself now includes five technologies, each of which can be identified with a keyword that identifies its purpose, as shown in the figure. Active Directory Domain Services (AD DS) provides authentication and authorization services in a network and supports object management through Group Policy.
AD DS also provides information management and sharing services, enabling users to find any component (file servers, printers, groups, and other users) by searching the directory. Because of this, AD DS is often referred to as a network operating system directory service.
AD DS is the primary Active Directory technology and should be deployed in every network that runs Windows Server operating systems. AD DS is covered in Chapters 1 through 13. Active Directory Lightweight Directory Services (AD LDS) provides a stand-alone directory store. It is commonly used by applications that require a directory store but do not require the information to be replicated as widely as to all domain controllers. AD LDS can also be used to provide authentication services in exposed networks such as extranets. Active Directory Certificate Services (AD CS) issues and manages digital certificates. Certificates can be used to authenticate users and computers, provide Web-based authentication, support smart card authentication, and support applications including secure wireless networks, virtual private networks (VPNs), Internet Protocol security (IPsec), Encrypting File System (EFS), digital signatures, and more.
AD CS provides an efficient and secure way to issue and manage certificates. You can use AD CS to provide these services to external communities. If you do so, AD CS should be chained to an external, publicly trusted certification authority (CA) so that parties outside your organization can verify that you are who you say you are.
AD CS is designed to create trust in an untrustworthy world; as such, it must rely on proven processes that certify that each person or computer that obtains a certificate has been thoroughly verified and approved. AD CS is covered in a later chapter. Active Directory Rights Management Services (AD RMS) is an information-protection technology that enables you to implement persistent usage policy templates that define allowed and unauthorized use whether online, offline, inside, or outside the firewall.
For example, you could configure a template that allows users to read a document but not to print or copy its contents. By doing so, you can protect the integrity of the data you generate, protect intellectual property, and control who can do what with the documents your organization produces. Note that these restrictions are enforced by RMS-aware applications; they do not stop a user who is allowed to read a document from transcribing or photographing it.
Active Directory Federation Services (AD FS) extends identity across organizational boundaries. In a federated environment, each organization maintains and manages its own identities, but each organization can also securely project and accept identities from other organizations. Users are authenticated in one network but can access resources in another, a process known as single sign-on (SSO). AD FS supports partnerships because it allows different organizations to share access to extranet applications while relying on their own internal AD DS structures to provide the actual authentication process.
AD FS normally resides in the perimeter network and is covered in a later chapter. To summarize the last two technologies: AD RMS protects the integrity of information contained in documents, and AD FS supports partnerships by eliminating the need for federated environments to create multiple, separate identities for a single security principal.
Beyond identity and access, AD DS also provides the mechanisms to support, manage, and configure resources in distributed network environments. A set of rules, the schema, defines the classes of objects and attributes that can be contained in the directory. The fact that Active Directory has user objects that include a user name and password, for example, is because the schema defines the user object class, the two attributes, and the association between the object class and the attributes.
Policy-based administration eases the management burden of even the largest, most complex networks by providing a single point at which to configure settings that are then deployed to multiple systems. Replication services distribute directory data across a network.
This includes both the data store itself and the data required to implement policies and configuration, including logon scripts. There is even a separate partition of the data store, named configuration, that maintains information about network configuration, topology, and services. Several components and technologies enable you to query Active Directory and locate objects in the data store. A partition of the data store called the global catalog (also known as the partial attribute set) contains a partial replica, a subset of the attributes, of every object in the directory.
It is a type of index that can be used to locate objects in the directory.
Within the database, application partitions can store data to support applications that require replicated data. The domain name system (DNS) service on a server running Windows Server 2008 can store its information in an Active Directory-integrated zone, which is maintained as an application partition in AD DS and replicated using Active Directory replication services.

Components of an Active Directory Infrastructure

The first 13 chapters of this training kit focus on the installation, configuration, and management of AD DS. It is worthwhile to spend a few moments reviewing the components of an Active Directory infrastructure. The directory is a single file named Ntds.dit. The database is divided into several partitions, including the schema, configuration, global catalog, and the domain naming context, which contains the data about objects within a domain: the users, groups, and computers, for example.
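These partitions, and the schema definition of the user class mentioned earlier, can be read from any domain-joined computer with the ADSI provider that ships in Windows. This added example (not from the training kit) queries the RootDSE of the DC the client is connected to, lists the partitions that DC holds, picks out the application partitions (where AD-integrated DNS zones live), and shows which attributes the schema makes mandatory or optional on the user class. It assumes a domain-joined Windows Server 2008 or later computer with network access to a DC; no RSAT cmdlets are required.

```powershell
# Added example, not from the training kit. Uses the ADSI provider only.
function Get-DirectoryPartitions {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = $root.defaultNamingContext.Value
    $config = $root.configurationNamingContext.Value
    $schema = $root.schemaNamingContext.Value
    # namingContexts lists every partition this DC holds. Application
    # partitions such as DomainDnsZones and ForestDnsZones appear here only if
    # the DC has been enlisted in them.
    $all = @($root.namingContexts.Value)
    $app = @($all | Where-Object { $_ -ne $domain -and $_ -ne $config -and $_ -ne $schema })
    New-Object PSObject -Property @{
        DomainPartition        = $domain
        ConfigurationPartition = $config
        SchemaPartition        = $schema
        ApplicationPartitions  = $app
        IsGlobalCatalog        = ([string]$root.isGlobalCatalogReady.Value -eq 'TRUE')
        ServedBy               = $root.dnsHostName.Value
    }
}

function Get-SchemaClassAttributes {
    param([string]$ClassName = 'user')
    # The abstract schema answers, per object class, which attributes must and
    # may be present. This is what makes a user object carry a name and password.
    $class = [ADSI]"LDAP://schema/$ClassName"
    New-Object PSObject -Property @{
        Class     = $ClassName
        Mandatory = @($class.MandatoryProperties)
        Optional  = @($class.OptionalProperties)
    }
}

$p = Get-DirectoryPartitions
$p | Format-List
if ($p.ApplicationPartitions.Count -eq 0) {
    Write-Warning 'This DC holds no application partitions; AD-integrated DNS zones cannot be stored on it.'
}

$u = Get-SchemaClassAttributes -ClassName user
"user class: $($u.Mandatory.Count) mandatory, $($u.Optional.Count) optional attributes"
foreach ($a in 'sAMAccountName', 'unicodePwd', 'userPrincipalName') {
    if     ($u.Mandatory -contains $a) { "$a : mandatory" }
    elseif ($u.Optional  -contains $a) { "$a : optional"  }
    else                               { "$a : not defined on $($u.Class)" }
}
```

On the single-DC forest built in this chapter, ServedBy is that DC, IsGlobalCatalog is True, and the application partitions list shows the DNS partitions created when InstallDNS was selected during promotion.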
Chapter 10 details the roles performed by domain controllers (DCs).
A domain is an administrative unit within which certain capabilities and characteristics are shared. Because all DCs in a domain maintain the same identity store, any DC can authenticate any identity in the domain. Additionally, a domain is a scope of administrative policies such as password complexity and account lockout policies.
Such policies configured in one domain affect all accounts in that domain and do not affect accounts in other domains. Changes can be made to objects in the Active Directory database by any domain controller and will replicate to all other domain controllers in the domain. Therefore, in networks where replication of all data between domain controllers cannot be supported, it might be necessary to implement more than one domain to manage the replication of subsets of identities.
You will learn more about domains in a later chapter. The first domain installed in a forest is called the forest root domain. A forest contains a single definition of network configuration and a single instance of the directory schema. A forest is a single instance of the directory: no data is replicated by Active Directory outside the boundaries of the forest. Therefore, the forest, not the domain, defines the security boundary.
Chapter 12 will explore the concept of the forest further. If a domain is a subdomain of another domain, the two domains are considered a tree. For example, if the treyresearch.