Sites provide AD with knowledge of the physical network upon which it is functioning. Sites and domains are independent concepts. A site can belong to multiple domains, and a domain can span many sites.
A site is directly related to a domain as far as intrasite and intersite replication is concerned, but a site is also indirectly related to the other elements in the forest with respect to the other naming contexts, such as the GC, the schema, and so on. A site is also a logical container that is totally independent of the domain namespace. The Knowledge Consistency Checker (KCC) essentially sets up replication paths between the DCs in a site in such a way that at least two replication paths exist from one DC to another, and a DC is never more than three hops away from the origination of the replication.
This topology ensures that even if one DC is down, the replication continues to flow to the other DCs. Active Directory also enables you to define connection objects. These are essentially manually configured points of replication between domain controllers.
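The two properties described above (at least two replication paths between any pair of DCs, and no DC more than three hops from the origin of a change) can be checked mechanically. The following Python model is an added example, not code from the original text and not the KCC's actual algorithm: it builds the bidirectional ring the KCC starts from, greedily adds extra connections until the three-hop goal holds, and verifies that the topology still replicates when any single DC is down. The DC names are constructed.

```python
from collections import deque
from itertools import combinations


def ring_topology(dcs):
    """Connect the DCs in a bidirectional ring: every DC has two neighbours,
    so two replication paths exist to every other DC."""
    edges = set()
    for i, dc in enumerate(dcs):
        edges.add(frozenset((dc, dcs[(i + 1) % len(dcs)])))
    return edges


def neighbours(edges, node):
    return {next(iter(e - {node})) for e in edges if node in e}


def hop_counts(edges, start):
    """Breadth-first search: replication hops from `start` to each reachable DC."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nb in neighbours(edges, cur):
            if nb not in dist:
                dist[nb] = dist[cur] + 1
                queue.append(nb)
    return dist


def max_hops(edges, dcs):
    """Largest hop count between any two DCs (inf if the topology is split)."""
    return max(hop_counts(edges, a).get(b, float("inf")) for a, b in combinations(dcs, 2))


def add_shortcuts(edges, dcs, limit=3):
    """Greedily add connections until no DC is more than `limit` hops from any other.
    This models only the three-hop goal; the real KCC has its own optimisation."""
    edges = set(edges)
    while max_hops(edges, dcs) > limit:
        worst = max(combinations(dcs, 2), key=lambda p: hop_counts(edges, p[0])[p[1]])
        edges.add(frozenset(worst))
    return edges


def survives_single_failure(edges, dcs):
    """True if every surviving DC is still reachable when any one DC is down."""
    for down in dcs:
        alive = [d for d in dcs if d != down]
        live_edges = {e for e in edges if down not in e}
        reachable = hop_counts(live_edges, alive[0])
        if any(d not in reachable for d in alive):
            return False
    return True


if __name__ == "__main__":
    site = [f"DC{i:02d}" for i in range(10)]  # constructed sample site of ten DCs
    ring = ring_topology(site)
    print("ring max hops:", max_hops(ring, site))            # 5 for a ring of ten
    optimised = add_shortcuts(ring, site)
    print("optimised max hops:", max_hops(optimised, site))  # at most 3
    print("tolerates one DC outage:", survives_single_failure(optimised, site))
```

A plain ring of ten DCs already tolerates the loss of any one DC, but changes take up to five hops to reach the far side; the added shortcuts are what bring that down to the three-hop bound.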
Site links connect two or more sites together. You need to do very little work to create site links because Active Directory automatically creates them when you create sites and add DCs to them. Site links are unidirectional, so you need to establish them in two directions. Site link bridges: Breaking Active Directory into sites can reduce replication-related network traffic, but simply dividing Active Directory into sites is not enough. In order for sites to exchange Active Directory information, you must implement site links.
These links provide information to Windows Server, telling it which sites should be replicated and how often. When you link more than two sites using the same link transport, you are essentially causing them to be bridged. By forming a linked bridge, sites can communicate directly with each other. Synchronization vs. replication: replication is information exchange between heterogeneous directories, whereas synchronization is information exchange between the same or homogeneous directories for the purpose of keeping each replica current.
Without DNS, you are in the dark. What is a user? In a nutshell, the Windows Server security subsystem does not differentiate between a human and a device using its resources. All users are viewed as security principals, which at first are trusted.
User objects are derived from a single user class in Active Directory, which in turn derives from several parents. Machine accounts are thus derived from the User object. To obtain access to the User object, you need to reference its distinguished name (DN) in program or script code. The term local user is often used to describe two types of users: users local to machines that log on locally to the workstation service, and users who are local to a network or domain.
In referring to generic users on the domain or users collectively, referring to these users as domain users or domain members makes more sense. You would be right to wonder why Microsoft provides us with both groups and organizational units (OUs) to manage. Groups, however, are a throwback to the Windows NT era.
Although groups may appear to be a redundant object next to OUs, they are a fact of Windows Server and are here to stay. They are also extremely powerful management objects. Specifically, you create and use groups to contain the access rights of User objects and other groups within a security boundary. You also use groups to contain User objects that share the same access rights to network objects, such as shares, folders, files, printers, and so on. Groups versus organizational units: The Group object is a sophisticated management container that can bestow all manner of control over the user accounts and other groups that it contains.
It can be used to contain a membership across organizational and multiple-domain boundaries. An organizational unit, on the other hand, belongs to a domain. Windows Server ships with tools to manage local logon accounts and Active Directory accounts. These tools are Users and Passwords and Local Users and Groups (on standalone machines, including workstations running Windows Server Professional and member servers) and Active Directory Users and Computers (on domain controllers).
A user account can be created in any part of the AD. Local accounts (users) are identical to network accounts in every way, but they are not stored in Active Directory. Local accounts are machine-specific objects. Local user accounts are restricted to the Access Control List of the local computer.
Hiding was not possible on Windows NT but was added to Windows. If you have security fears, you can audit the activity of the Administrator account to determine who or what is using it and when.
The Guest account does not require a password, and you can grant it certain access and rights to resources on the computer. We believe that the Guest account on any domain should be relocated to an OU with a security and account policy that is appropriate for managing security risks.
You can leave the Guest account in the Users folder (which is a domain folder and not an OU), but the security policy governing that account in the Users folder is inherited from the root domain. Therefore, if for any reason the default or root domain policy changes, it affects the Guest account without you being aware of it.
The Windows Group Policy technology (which also includes account and security policy) governs how all accounts can be configured, both on standalone servers and in the Active Directory. The order of precedence for security and account policies, from the highest to the lowest, is as follows: These objects have the total trust of the OS on first being installed. They are often referred to as security principals and trustees. Every other object that is not a security principal, or that does not exist in AD within a security context, is rejected by the security subsystem and thus cannot present itself for rights and access.
The Contact object is a good example of an object that is not a security principal. You may create other nonsecurity objects and register them in Active Directory. If a user attempts to log on to Windows Server by way of the AD or the Local Security Authority (LSA), the security system determines whether the user exists and whether the password provided matches the password stored in the relevant database. If the user is authenticated, Windows Server creates an access token for the user.
User account information is replicated to all domain controllers in the enterprise, even across slow WAN links. The security identifier (SID) is a unique value of variable length that is used to identify an account (known as a trustee to the kernel) to the security subsystem. Windows refers to the SID, rather than to the user or group name, in referencing these objects for security purposes. SIDs guarantee that the account and all its associated rights and permissions are unique.
If you delete an account and then recreate it under the same name, all rights and permissions of the deceased account are gone. This is because the old SID was deleted with the original account. The second part is called the relative ID (RID), which refers to the actual object created and is thus relative to the domain. From the moment of logon, the SID is used in the access token to identify the user in all security-related actions and interactions.
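To make the SID structure concrete, here is an added Python example (not from the original text) that converts between the familiar S-1-5-21-... string and the binary layout Windows stores (revision byte, sub-authority count, 48-bit identifier authority, then 32-bit little-endian sub-authorities), splits a domain account SID into its domain part and RID, and shows that two accounts are the same trustee only if their SIDs match. The domain SID below is constructed; RID 512 is the well-known Domain Admins RID.

```python
import struct


def sid_to_bytes(sid):
    """Encode 'S-<rev>-<authority>-<sub>-...' in the binary form Windows uses:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: " + sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    blob = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for sub in subs:
        blob += struct.pack("<I", sub)
    return blob


def bytes_to_sid(blob):
    """Decode the binary form back to the string form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """Split a domain account SID into (domain SID, RID). The RID is the final
    sub-authority and is only meaningful relative to that domain."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def same_trustee(sid_a, sid_b):
    """Windows compares SIDs, never names: a recreated account with the same
    name gets a new RID and therefore none of the old account's rights."""
    return sid_to_bytes(sid_a) == sid_to_bytes(sid_b)


if __name__ == "__main__":
    domain = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID
    admins = domain + "-512"                               # well-known RID 512
    print(sid_to_bytes(admins).hex())
    print(bytes_to_sid(sid_to_bytes(admins)), split_sid(admins))
    print(same_trustee(domain + "-1105", domain + "-1106"))  # False
```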
RunAs enables you to execute applications, access resources, or load an environment, profile, and so on by using the credentials of another user account, without needing to log off from the account that you initially logged onto your computer with. Note: Whenever you rename an account, you are changing only the name property as you see it in the AD list. This is very different behavior from legacy NT account management, whereby the username and account name were the same thing.
Microsoft did not intend groups to function as tools of business administration. Enter the organizational unit (OU). We have touched on OUs, but we need to discuss them here briefly in the context of managing groups and users. Organizational units are created to provide hierarchical administrative delegation and organizational structuring, and for setting Group Policy. Groups are used for granting and denying users access to computer and network resources.
Global groups also traverse domain boundaries. A group can contain users and Global groups from other domains, both on a single domain tree and across a forest of domains.
OUs are valid only on a contiguous domain space in the domain in which they were created. This ensures protection and enables owners or managers of sensitive shares, files, and folders to lock down their resources securely. Guests: This is the built-in group that contains accounts for casual users or users who do not have accounts on the domain. Users in this group can usually log on without passwords, and they have very limited or controlled use of the system.
It is an ideal group for service-based systems. By admitting this object to a share, you implicitly open all doors to the object, even if the user is an account on an alien OS on a far-away planet. We believe that removing the Everyone group from your resource and using the Users group containing Domain Users is a better course.
Anytime that you get a call to get someone out of an open share, you can simply knock the person out of the Domain Users or Users group. Permissions belong to the objects that are the essence of the operating system, and are granted by both the file system over its objects and by the Active Directory over its respective objects.
The difference is that rights involve the capability to function, while permissions control access. A good example is the right to back up files and directories, which overrides any permission that denies access to a user. The Backup Operators group needs the capability to read and change (reset the archive bit, or overwrite during a restore) the files that it is backing up, no matter what permissions the owner of the objects has set. Group Policy governs change-control policy for many facets of the operating system, including the following:
You can open the local GPO by running gpedit. The policy is created from various templates stored on the workstation or server. If an object is a member of a container that is associated (linked) to the GPO, that object falls under the influence of that GPO.
Group Policy is not applied directly to an individual security principal although you can attain such granular control by creating specific OUs. Instead, it is applied to collections of security principals. Security principals gather under one roof on a Windows Server network in three places: the site, the domain, and the organization unit. GPOs have more than security-related settings and more than registry-based settings.
Windows 9x and NT 4. Each node contains the policies for the respective security principal. The local GPO is applied to the computer first, and then any policy that is to be applied from the DC takes effect after the user logs in. Group Policy is applied successively. In other words, the last policy that is enabled for a setting is applied, so if a local policy is defined and a site policy undefines it, then the site policy setting wins.
One part of GP, however, always wins over local policy, and that is the security policy from the domain. You can create multiple GPOs for a container. The order of control application specifies that policy applied later overwrites policy applied earlier. The GPO settings are then applied to the object by default every 90 minutes. The refresh time can be changed, however.
GP can also be filtered out of the range of security principals residing in security groups. In other words, you can narrowly define which security group of users or computers is influenced by GP, irrespective of the relationships the group has with an OU. This is achieved by setting the discretionary access control list (DACL) permissions on the group.
Not only does the GPO take effect on the security principals much faster, but you can also restrict a specific security policy from creating AD links to GPOs.
The number-one rule of change-control policy engagement is this: Change control policy is enforced over the user by way of the computer. If a user has no control over her computer, she is no longer in a position to circumvent policy. Although the GPO is divided into two configuration nodes, user and computer, the computer configuration takes precedence.
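The precedence and filtering rules above (local, then site, then domain, then OU; a later GPO overrides only what it configures; domain security policy always beats local policy; security-group filtering via the DACL) can be modelled in a few lines. The following Python is an added example, not code from the original text or from Windows itself: the GPO names, groups and settings are constructed, and the `apply_to` set stands in for the Apply Group Policy permission on the GPO's DACL. The result it returns is the kind of per-setting report RSoP gives you.

```python
NOT_CONFIGURED = None  # a setting the GPO leaves alone; it never overrides anything


def applies_to(gpo, principal_groups):
    """Security filtering: the GPO is skipped unless one of the principal's groups
    holds the apply right on it. An empty 'apply_to' set models the default
    (Authenticated Users), i.e. the GPO applies to everyone in the container."""
    allowed = gpo.get("apply_to", set())
    return not allowed or bool(allowed & principal_groups)


def resolve_gpo(layers, principal_groups, domain_security=None):
    """Apply GPOs in link order (local, site, domain, OUs top-down) and return
    (resultant settings, GPO that supplied each setting). Account and security
    settings linked at the domain are applied last so they always win over the
    local GPO, as the text describes."""
    rsop, winner = {}, {}
    for name, gpo in layers:
        if not applies_to(gpo, principal_groups):
            continue
        for setting, value in gpo["settings"].items():
            if value is NOT_CONFIGURED:
                continue
            rsop[setting] = value
            winner[setting] = name
    for setting, value in (domain_security or {}).items():
        rsop[setting] = value
        winner[setting] = "domain security policy"
    return rsop, winner


# Constructed sample: one GPO per scope, in the order they are applied.
LAYERS = [
    ("Local GPO", {"settings": {"RunLogonScriptsSync": True,
                                "RemoveRunMenu": True,
                                "MinPasswordLength": 6}}),
    ("Site: HQ", {"settings": {"RemoveRunMenu": False}}),
    ("Domain default", {"settings": {"DisableCmd": True}}),
    ("OU: Sales", {"settings": {"RunLogonScriptsSync": NOT_CONFIGURED,
                                "DisableCmd": False},
                   "apply_to": {"Sales Staff"}}),   # filtered to one group
]
DOMAIN_SECURITY = {"MinPasswordLength": 10}   # account policy linked at the domain


if __name__ == "__main__":
    for groups in ({"Domain Users", "Sales Staff"}, {"Domain Users"}):
        rsop, winner = resolve_gpo(LAYERS, groups, DOMAIN_SECURITY)
        print(sorted(groups))
        for setting in sorted(rsop):
            print(f"  {setting:22} = {rsop[setting]!s:6} from {winner[setting]}")
```

Note what the sample shows: the OU's NOT_CONFIGURED entry leaves the local value of RunLogonScriptsSync in force, the site GPO's explicit False overrides the local True for RemoveRunMenu, a user outside Sales Staff never sees the OU GPO at all, and the local MinPasswordLength of 6 is replaced by the domain's 10 no matter what.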
RSoP enables you to obtain a report of all the GP settings that apply to a user and machine. To display all connections, each with the name of the program that opened the port, and without resolving names, run "netstat -anvb".
These records designate where services are located. For example, FTP can be located on one server while another server hosts a Web server or Active Directory. Double-click Networking Services, or select the item and click Details. Follow the remaining prompts to complete installation of the software. How the contents of a zone branch appear depends on whether the zone is for a Windows Server Active Directory domain or simply a DNS domain.
Each domain that you host for DNS requires a forward-lookup zone, a zone file, and associated records. You create the zone in the DNS console by using one of the following three options: After you create a forward-lookup zone, you can begin populating it with resource records. Before doing so, however, first create any required reverse-lookup zones.
Creating the reverse-lookup zone(s) before creating the resource records enables DNS to automatically create the PTR records in the reverse-lookup zones for resource records that you create in the forward-lookup zones. Service Location, or SRV, records are another common resource record type that offers excellent flexibility if a domain contains multiple servers for specific services, such as multiple HTTP servers.
SRV records enable you to easily move a service from one host to another, and to designate certain hosts as primary for a given service and others as secondary for that same service. The NT File System (NTFS) enables you to secure the data within files and the folders that contain them, while at the same time providing controlled access to authorized users.
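The primary/secondary designation that SRV records give you comes from their priority and weight fields. As an added illustration (not code from the original text), the following Python parses zone-file SRV lines and orders the targets the way an RFC 2782 client tries them: lowest priority first, and within one priority a weighted random choice so that a heavier host is preferred more often. The example.com records, the host names and the seeded random generator are all constructed for the example.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")


def parse_srv(line):
    """Parse one zone-file line: '<name> <ttl> IN SRV <priority> <weight> <port> <target>'."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError("not an SRV record: " + line)
    name, _ttl, _cls, _rtype, prio, weight, port, target = fields
    return SrvRecord(name.rstrip("."), int(prio), int(weight), int(port), target.rstrip("."))


def order_targets(records, rng=random):
    """Return the records in the order a client should contact them:
    ascending priority; within a priority, a weighted random draw. A host
    with weight 0 is used only when every host left in that priority is 0."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]                       # all weights zero: take them in order
            if total:
                draw, running = rng.randint(1, total), 0
                for rec in pool:
                    running += rec.weight
                    if draw <= running:
                        pick = rec
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


# Constructed sample records for a fictitious example.com zone.
ZONE = [
    "_ldap._tcp.example.com. 600 IN SRV 10 100 389 backup.example.com.",
    "_ldap._tcp.example.com. 600 IN SRV 0 75 389 dc1.example.com.",
    "_ldap._tcp.example.com. 600 IN SRV 0 25 389 dc2.example.com.",
    "_ldap._tcp.example.com. 600 IN SRV 0 0 389 standby.example.com.",
]

if __name__ == "__main__":
    records = [parse_srv(line) for line in ZONE]
    for rec in order_targets(records, random.Random(7)):
        print(f"{rec.target}:{rec.port}  priority={rec.priority} weight={rec.weight}")
```

Moving a service therefore means editing one SRV target, and demoting a host means raising its priority value; clients pick up the change at the next lookup without any reconfiguration.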
NTFS does that on the following three security access levels: The levels of access that you have to the folders and files are called permissions. Administrators, members of administrative groups (Administrator, Domain Administrators, or groups delegated administrative rights), and the owners of objects can assign permissions and control access to these objects, and they can also encrypt the files.
Another means of understanding shares or sharepoints is by understanding ownership. Ownership is not a configuration setting or a mere value in the registry or Active Directory; it derives from the security services of the NTFS and the Win32 security system. The process created it, so that process owns it.
Only you and the processes that operate within your security context activated by the validation of your password can access that folder.
If Windows Server R2 is installed, the File Server Management console combines several file server-related management tools into a single interface and can generally replace the original File Server Management console filesvr. If Windows Server R2 is not installed, the main file-server management tool on Windows Server is also called the File Server Management console.
This console is a more dedicated management facility for file servers than is the Computer Management console introduced in Windows. The easiest way to open the File Server Management console is to execute filesvr. Windows Server users connect to shared resources on the domain by looking them up in Active Directory or by mapping them with logon scripts.
As you first create a share, the file system automatically gives read access to the Everyone group, unless you have taken steps to prevent that. If the contents of the files are sensitive, remove the Everyone group and assign access only to authorized users or groups. Establishing shares on remote computers is handled now by the File Server Management console. You can also create shares from Windows Explorer, the command line, and the Manage Your Server console as you set up your server in the file-server role.
You can also create shares from the Active Directory Users and Computers console. If your Computer Management console shortcut is missing, simply create a new one by linking to the compmgmt. The default access permission on a share is Full Control. This permission is assigned to the Everyone group, with read access, so if you create such a share and have your Guest account enabled and not governed by any domain policy, then every computer user has access to it.
Of course, you are a sensible administrator and are sure to follow our advice and make sure that your network is locked down. Share permissions do not provide protection from local access to a folder or its contents.
Therefore, use NTFS permissions to protect data from local access by unauthorized users. You can still connect to the share if you have access to it, but it does not appear on the browse list because nothing ending with the dollar sign appears in the browse list.
You can still contact it if you know the IP address. It is also used for locating logon scripts. This share is not automatically created in Windows Server. Permissions are the means by which you control access to network objects. After shares, they are the second and third lines of defense in protecting data and network resources. File and folder permissions are controlled by NTFS. The EFS enables users and administrators to encrypt and protect the file system in situations where the system is subject to unauthorized physical access.
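The interaction between share permissions and NTFS permissions described above (an explicit Deny beats an Allow, remote access gets the more restrictive of the two, local access is governed by NTFS alone, and a share name ending in a dollar sign is merely hidden from the browse list) is easy to get wrong in practice. The following Python model is an added example, not code from the original text or from Windows; the ACLs, groups and share names are constructed, and rights are simplified to a small set of names.

```python
FULL_CONTROL = frozenset({"read", "write", "execute", "delete", "change_permissions"})


def _expand(rights):
    """'full' is shorthand for every right; otherwise a list of right names."""
    return FULL_CONTROL if rights == "full" else frozenset(rights)


def granted(acl, principals):
    """Rights an ACL yields for a user who is any of `principals` (the account
    itself plus every group it belongs to). An explicit Deny always beats Allow."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (denied if kind == "deny" else allowed).update(_expand(rights))
    return frozenset(allowed - denied)


def effective_access(principals, ntfs_acl, share_acl=None, via_share=True):
    """Over the network the result is the intersection of share and NTFS rights,
    so the more restrictive side wins. At a local logon only NTFS applies, which
    is why share permissions alone do not protect data from local users."""
    ntfs = granted(ntfs_acl, principals)
    if not via_share:
        return ntfs
    return ntfs & granted(share_acl or [], principals)


def is_browsable(share_name):
    """Shares whose name ends in '$' do not appear in the browse list, but anyone
    who knows the name and holds permission can still connect to them."""
    return not share_name.endswith("$")


# Constructed sample: the share still grants Everyone read access, while the
# NTFS ACL on the folder decides who can actually change anything.
SHARE_ACL = [("Everyone", "allow", ["read", "execute"])]
NTFS_ACL = [
    ("Domain Users", "allow", ["read", "execute"]),
    ("Finance", "allow", "full"),
    ("Contractors", "deny", ["write", "delete"]),
]

if __name__ == "__main__":
    alice = {"alice", "Everyone", "Domain Users", "Finance"}
    bob = {"bob", "Everyone", "Domain Users", "Finance", "Contractors"}
    guest = {"Guest", "Everyone"}
    for name, who in (("alice", alice), ("bob", bob), ("guest", guest)):
        print(name, "remote:", sorted(effective_access(who, NTFS_ACL, SHARE_ACL)),
              "local:", sorted(effective_access(who, NTFS_ACL, via_share=False)))
    print("C$ browsable:", is_browsable("C$"), "Public browsable:", is_browsable("Public"))
```

Two points the output makes: a Finance member with Full Control in NTFS still only gets read and execute through a share that grants Everyone read, and removing Everyone from the share (passing an empty share ACL) leaves even that user with nothing over the network, exactly the lockdown the text recommends for sensitive data.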
The print routers in Windows 95, 98 (with the latest service packs), NT, Me, and XP clients can receive the printer driver from the server every time they make a connection. Keep the printer drivers for every make and model of printer you deploy current and available. Printers can easily be located by browsing the print servers, as is the case with legacy Windows NT print servers. You can also publish printers in Active Directory.
Microsoft has hard-coded the share to be open to everyone. You can restrict access to printers via security permissions access control. In Windows Server R2, Microsoft has enabled the print administrator to set down policy and procedures for using printers. Remote Desktop for Administration mode does not need to be installed because it is built into all the Windows Server platforms.
For security reasons, however, it is disabled by default. To enable it, launch the System applet in the Control Panel; on the Remote tab of the System dialog box that appears, select the Allow Users to Connect Remotely to this Computer checkbox.
You also need to specify which accounts can use Remote Desktop. The Terminal Services Configuration enables you to manage connection protocols and settings on a local server. This utility changes the way that configuration files and registry entries are handled during the installation, which is critical for enabling shared access to the application.
Switches to the default execute mode. Run this command after installation of an application is completed. IntelliMirror is really an umbrella term that refers to the following technologies and features: offline folders, folder redirection, roaming profiles, and application publishing and software installation and maintenance.
LDAP consists of the following components, which in some shape or form are the foundations of all modern directories, including Active Directory: the data model, the organization model, the security model, the functional model, and the topological model. At least one domain controller in the forest domain must be the GC.
Deployment. Different types of Windows servers: A Windows server can be a standalone server, which means that it is not joined to any domain and stands alone in its own workspace. A standalone server, for example, is an ideal bastion, and it can be used as a firewall or proxy server without needing to be part of a domain.
Standalone servers are not given domain accounts, nor are they authenticated on the domain. They can also be print servers and such, but their resources cannot be published in Active Directory, short of mapping them to IP addresses. Windows can be a member server, which means that it has an account in the domain. As long as it is a member server, you can access its resources via the authentication mechanisms of Windows NT and the NTLM authentication service (see Chapter 3) or via Kerberos on a Windows network.
A domain controller loads the Active Directory support infrastructure. Configuration. Although many system and operating properties are still controlled through the Control Panel, most administrative functions have moved to the Microsoft Management Console (MMC).
Windows shares the root of each drive as a hidden share for administrative purposes. This share is used to support user logon, typically for storing user logon scripts and profiles. Users and groups. What is a user? Windows groups come in two flavors, security groups and distribution groups. Security group: security groups, however, can now be mailed to. Distribution group: this group is not a security principal and is used only as a distribution list. You can store contacts and user accounts in the distribution group. Because contacts do not carry the overhead of user accounts, including only contacts in large groups makes more sense. Both group types have three scope types, Universal, Global, and Domain. Universal groups: the members can be groups of any of the three scope types, and they can come from any domain in the forest. Members of Universal groups can be given access and permissions for any resource in any domain in the forest. Global groups: these groups can include members only from the originating domain.