Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, BackOffice, MS-DOS, PowerPoint, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead and Instructional Designer: Rick Selby
Project Revision Leads: Red Johnston; Jaswinder Singh Lamba (NIIT [USA] Inc.)
Revision Development: NIIT (USA) Inc.
Instructional Designers: Victoria Fodale (ComputerPREP, Inc.); Barbara Pelletier (S&T OnSite)
Program Manager: Rodney Miller
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Courseware Test Engineers: Jeff Clark; Jim Toland (ComputerPREP, Inc.)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Lynette Skinner
Editor: Kelly Baker (Write Stuff)
Copy Editor: Kathy Toney (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aquent Partners)
Online Support: Eric Brandt (S&T OnSite)
Multimedia Development: Kelly Renner (Entex)
Compact Disc and Lab Testing: Data Dimensions, Inc.
Production Support: Irene Barnett (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Gerry Lang
Group Product Manager: Robert Stewart
Simulations and interactive exercises were built by using Macromedia Authorware.
Instructor Notes
This module provides an introduction to the Active Directory™ directory service in Microsoft® Windows® 2000. It outlines the purpose and structure of Active Directory and also identifies the benefits of Active Directory integration with file and print servers.
At the end of this module, students will be able to:
Describe the purpose and structure of Active Directory.
Integrate Active Directory with a file server.
Integrate Active Directory with a print server.
Presentation: 45 Minutes
Lab: 0 Minutes
Materials and Preparation
This section provides you with the materials and preparation needed to teach this module.
Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 1594B_05.ppt
Multimedia presentation, Concepts of Microsoft Windows 2000 Active Directory
Preparation
To prepare for this module, you should:
Read all the materials for this module.
View the multimedia presentation.
Module Strategy
Use the following strategy to present this module:
Introduction to Active Directory
This topic provides an overview of Active Directory in Windows 2000. Show the multimedia presentation, Concepts of Microsoft Windows 2000 Active Directory, and briefly discuss the questions on the presentation. Reinforce the key points of the presentation by explaining the purpose of Active Directory. Describe the logical structure of Active Directory and how it provides more efficient organization of a network. Identify the types of user accounts, the guidelines for naming user accounts, and how to create a user account. Describe the purpose of groups, the types of groups that are stored in Active Directory, and the group scopes that are used to assign permissions to a group. Finally, explain how to create groups in Active Directory.
Enhancing File Servers with Active Directory
This topic provides information about the tasks that are necessary for integrating file servers with Active Directory. Explain to students that they must publish shared folders in Active Directory to integrate a file server with Active Directory. Describe the procedure for creating a fault-tolerant Distributed file system (Dfs) root to ensure that users have uninterrupted access to all shared folders. Next, explain how to create additional replicas of a fault-tolerant Dfs root and multiple replicas of links to provide uninterrupted access to shared folders. Finally, identify the steps that are necessary for configuring replication among links.
Enhancing Print Servers with Active Directory
This topic provides information about the tasks that are necessary for integrating print servers with Active Directory. Describe the process of publishing a printer in Active Directory. Then, explain the guidelines for establishing printer locations in Active Directory, and the process for locating printers.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
This module does not include any labs, and as a result, there are no lab requirements for replication or customization.
Overview
Introduction to Active Directory
Enhancing File Servers with Active Directory
Enhancing Print Servers with Active Directory
Lead-in: In this module, you will learn about the purpose and structure of Active Directory, in addition to the benefits of Active Directory integration with file and print servers.
The Active Directory™ directory service provides the structure necessary for organizing, managing, and controlling network resources efficiently in a Microsoft® Windows® 2000 network. Active Directory also provides benefits to file and print servers by publishing shared folders and printers. Publishing these resources in Active Directory enables users to locate them easily regardless of where they are located within the network.
At the end of this module, you will be able to:
Describe the purpose and structure of Active Directory.
Integrate Active Directory with a file server.
Integrate Active Directory with a print server.
Multimedia: Concepts of Microsoft Windows 2000 Active Directory
This multimedia presentation describes basic Active Directory concepts, including topics such as organizational units (OUs), trees, forests, Domain Name System (DNS) naming conventions, and sites.
As you view the presentation, try to answer the following questions:
1. What is the function and purpose of an OU?
An OU is a logical container that you use to organize resources. You can use OUs to create a hierarchy that duplicates the structure of an organization or of an administrative model.
2. For what type of organization is a network of multiple domains useful?
A network of multiple domains is useful for organizations that use a decentralized administrative model. Multiple domains are also useful in multinational organizations that require local administration to be performed in different languages.
3. If you add a domain named brazil as a first-level link in a tree named nwtraders.msft, what will the full DNS name of the new domain be?
Ask students to read the questions in the student workbook and identify answers to the questions as they view the multimedia presentation. After the presentation, review the questions and answers.
Start this presentation from the instructor computer. To view the presentation, open the Web page on the Trainer Materials compact disc, click Multimedia Presentations, and then click the title of the presentation.
The estimated time to complete this presentation is seven minutes.
Tell students that a copy of the presentation is included on the Student Materials compact disc.
Introduction to Active Directory
Active Directory Structure
Creating User Accounts
Creating Groups
Lead-in: Active Directory is the directory service for a Windows 2000 network. It provides a consistent way to name, describe, locate, access, manage, and secure information about network resources.
Active Directory stores information about network objects and provides a hierarchical structure that makes it easier to organize domains and resources. This makes it easier for users to locate network resources, such as files and printers.
Active Directory also organizes the directory into sections that permit storage of a very large number of objects. As a result, Active Directory can expand as an organization grows. This allows the network to grow from a single server network with a few hundred objects to a network with thousands of servers and millions of objects.
Note: For more information about Active Directory, see Active Directory Architecture under Additional Reading on the Web page on the Student Materials compact disc.
Active Directory Structure
Slide Objective: To illustrate the logical structure of Active Directory. Describe the logical structure of Active Directory and explain how its components provide more efficient organization of a network.
The Active Directory structure contains domains, OUs, trees, and forests. Transitive trust relationships are established between domains.
The logical structure of Active Directory is flexible and provides a method for designing a directory hierarchy that makes sense to both its users and to those who manage it.
Structural Components
You can use the Active Directory structure components to organize your network more efficiently. These components include:
Domains. A domain is a collection of computers defined by an administrator that share a common directory database. The core unit of the logical structure in Active Directory is the domain.
Organizational Units (OUs). An OU is a container object that you use to organize objects within a domain. An OU contains objects, such as user accounts, groups, computers, and other OUs.
Trees. A tree consists of multiple Windows 2000 domains. The first domain in a tree is called a root domain. When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain. The name of the child domain is combined with the name of the parent domain to form its DNS name. Therefore, domains in a tree form a contiguous namespace.
Forests. A forest consists of a group of trees that do not form a contiguous namespace. By default, the name of the root tree, or the first tree that is created in the forest, is used to refer to a given forest. Transitive trust relationships are automatically configured between domains in a tree, and between the trees in a forest.
Trust Relationships
A trust relationship, or trust, is established between domains to enable users in one domain to be authenticated by a domain controller in the other domain. By default, all trust relationships between domains in a Windows 2000 forest are transitive. Transitive trusts are always two-way, which means that both domains in a relationship trust each other. Transitive trusts are not bound to the two domains in the relationship; therefore, transitive trusts flow upward through a domain tree. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain.
In a two-way transitive trust relationship, domain A trusts domain B, and domain B trusts domain A. This means that users in one domain can be authenticated by a domain controller in another domain.
In a two-way transitive trust relationship, if domain A trusts domain B and domain B trusts domain C, then domain A automatically has a transitive trust relationship with domain C. As a result, a transitive trust is automatically established between all domains in a tree or forest.
If a two-way transitive trust exists between two domains, you can assign permissions to the resources in one domain to user and group accounts in the other domain, and vice versa.
Active Directory also supports non-transitive trusts. Most non-transitive trusts need to be explicitly created. For example, if you want to allow an external business partner to have access to resources in a particular domain while working on a joint project, you can create a one-way, non-transitive trust between the internal and external domains. Creating a one-way, non-transitive trust will enable users in the external domain to be authenticated by a domain controller in the internal domain. A non-transitive trust does not flow to any other domain in the forest.
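As an added example (not part of the course materials), the following Python script models the naming and trust rules from the Active Directory Structure and Trust Relationships sections: a child domain's DNS name is its label prefixed to the parent's name, parent and child share a two-way transitive trust, a new tree root shares a two-way transitive trust with the forest root, and an explicit external trust is one-way and non-transitive. The tree name nwtraders.msft and the child label brazil come from the presentation questions; the child label sales, the second tree contoso.msft and the partner domain partner.example are constructed. The can_authenticate check is the question an administrator asks when auditing which accounts a given trust actually exposes to a domain's controllers.

```python
"""Forest naming and trust model for Windows 2000 Active Directory.

Added example, not from the course materials. It encodes the rules in the
Active Directory Structure and Trust Relationships sections:
  - a child domain's DNS name is its label prefixed to the parent's name;
  - parent and child domains share a two-way transitive trust;
  - a new tree root shares a two-way transitive trust with the forest root;
  - an explicit external trust is one-way and non-transitive.
"""
from collections import deque


class Forest:
    """Domains of one forest and the directed trust edges between them."""

    def __init__(self, forest_root):
        self.forest_root = forest_root
        self.domains = {forest_root}
        # (trusting, trusted) -> True if the trust is transitive.
        # "trusting trusts trusted": a domain controller in `trusting`
        # accepts users whose accounts live in `trusted`.
        self.trusts = {}

    def _two_way_transitive(self, a, b):
        self.trusts[(a, b)] = True
        self.trusts[(b, a)] = True

    def add_child(self, parent, label):
        """Add a child domain and return its DNS name (contiguous namespace)."""
        if parent not in self.domains:
            raise ValueError(f"unknown parent domain: {parent}")
        child = f"{label}.{parent}"
        self.domains.add(child)
        self._two_way_transitive(child, parent)
        return child

    def add_tree_root(self, dns_name):
        """Add the root of a new tree; its namespace is not contiguous with the first tree."""
        self.domains.add(dns_name)
        self._two_way_transitive(dns_name, self.forest_root)
        return dns_name

    def add_external_trust(self, internal, external):
        """One-way, non-transitive trust: DCs in `internal` authenticate `external` users."""
        self.domains.add(external)
        self.trusts[(internal, external)] = False

    def can_authenticate(self, resource_domain, user_domain):
        """True if a domain controller in resource_domain can authenticate a
        user whose account is in user_domain."""
        if resource_domain == user_domain:
            return True
        if (resource_domain, user_domain) in self.trusts:
            return True  # a direct trust of either kind is enough
        # Longer paths may only follow transitive edges: a non-transitive
        # trust does not flow to any other domain.
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            current = queue.popleft()
            for (trusting, trusted), transitive in self.trusts.items():
                if trusting != current or not transitive or trusted in seen:
                    continue
                if trusted == user_domain:
                    return True
                seen.add(trusted)
                queue.append(trusted)
        return False


def build_sample_forest():
    """Constructed sample: the nwtraders.msft tree from the presentation
    questions, a made-up second tree and a made-up partner domain."""
    forest = Forest("nwtraders.msft")
    brazil = forest.add_child("nwtraders.msft", "brazil")
    forest.add_child(brazil, "sales")                              # constructed grandchild
    forest.add_tree_root("contoso.msft")                           # constructed second tree
    forest.add_external_trust("nwtraders.msft", "partner.example")  # constructed partner
    return forest


if __name__ == "__main__":
    forest = build_sample_forest()
    checks = [
        ("sales.brazil.nwtraders.msft", "contoso.msft"),
        ("nwtraders.msft", "partner.example"),
        ("brazil.nwtraders.msft", "partner.example"),
        ("partner.example", "nwtraders.msft"),
    ]
    for resource, user in checks:
        print(f"DC in {resource} authenticates users from {user}: "
              f"{forest.can_authenticate(resource, user)}")
```

The third and fourth checks are the ones that matter for a partner trust: the partner's users are accepted only by domain controllers in the domain that created the trust, and never the other way round, because the one-way trust is non-transitive and therefore does not reach the child domains of the forest.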
Note: When you upgrade from Windows NT® to Windows 2000, existing trusts are retained. Trusts between Windows NT domains and Windows 2000 domains are non-transitive.
Domain Modes
Key Point: The operating system on the domain controllers determines the mode that your domain can use.
By default, Active Directory domains run in a mode called mixed mode to provide support for domain controllers that are running either Windows 2000 or Windows NT. You can operate your domain in mixed mode indefinitely, which allows you to upgrade domain controllers running Windows NT on a schedule that meets the needs of your organization.
If your network does not have any domain controllers running Windows NT, or when all of your domain controllers have been upgraded to Windows 2000, you can convert the domain from mixed mode to native mode.
In a native mode domain, all domain controllers run Windows 2000. However, member servers and client computers do not need to be upgraded to Windows 2000 before you convert a domain to native mode. Converting Active Directory to native mode makes extra functionality available, such as group nesting and the universal group scope, which are new features in Windows 2000.
Important: After you convert a domain to native mode you cannot change it back to mixed mode.
Creating User Accounts
The types of user accounts that you can create in Windows 2000 are domain user accounts and local user accounts. Windows 2000 provides built-in user accounts to aid in performing administrative tasks or to allow users to gain access to resources.
Key Points: Domain user accounts allow users to log on to a domain to gain access to network resources. Local user accounts allow users to log on only to the local computer and to access resources on it.
Delivery Tip: There are two slides in this topic. Use the first slide to introduce local and domain user accounts. Use the second slide to explain creating a domain user account.
A user account provides a user with the ability to log on to a local computer to gain access to resources on that computer, or to log on to a domain to gain access to shared network resources.
Windows 2000 provides two types of user accounts: local user accounts and domain user accounts. With a local user account, a user can log on to a specific computer to gain access to resources on that computer. With a domain user account, a user can log on to the domain to gain access to network resources. Windows 2000 also provides the built-in user accounts:
Administrator account. The Administrator account is used for initial logon. The Administrator account is also used for configuring the computer. It has the most extensive rights and permissions. The Administrator account is a member of the Administrators local group. You cannot remove this account from the Administrators group. In addition, you cannot delete or disable the Administrator account.
Guest account. The Guest account can be used by people for whom an account has not been created. By default, the Guest account is disabled. This account is a member of the Guests group by default.
Important: Create domain user accounts when you are using Active Directory to enhance file or print server functionality. This allows a user to access shared resources across a network.
Naming Conventions
Naming conventions establish how user accounts are identified in a domain. A consistent naming convention will help you and your users remember user logon names and locate them in lists. In an existing network that supports a large number of users, it is a good practice to adhere to the naming convention already in use.
Consider the following guidelines for naming conventions:
User logon names for domain user accounts must be unique to Active Directory.
User logon names can contain up to 20 uppercase or lowercase characters (the field accepts more than 20 characters, but Windows 2000 recognizes only 20), except for the following:
" / \ [ ] : ; | = , + * ? < >
If you have a large number of users, your naming convention for logon names should accommodate employees with duplicate names.
Creating a Domain User Account
Delivery Tip: Describe how to create a domain user account.
Key Points: The User logon name option defaults to the domain in which you are creating the domain user account. You can select any domain in which you have permissions to create domain user accounts.
A domain user account is always created on a domain controller and then replicated to all other domain controllers automatically. When you create the domain user account, you must select the folder in which to create the new account. You can create the domain user account in the default Users folder or in a separate folder that has been created to hold domain user accounts.
To create a domain user account:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand the domain, right-click the container in which the user account will be created, point to New, and then click User.
The following table describes the domain user account options that you can configure.
Option: Description
First name: The user's first name. An entry is required either for the first name or the last name.
Last name: The user's last name. An entry is required either for the last name or the first name.
Full Name: The user's complete name. This name must be unique within the folder where you create the user account. Windows 2000 completes this option if you enter information in First name or Last name. Windows 2000 displays this name in the folder where the user account is located in Active Directory.
Initials: The user's initials.
User logon name: The user's unique logon name, based on the naming conventions. This is required and must be unique within Active Directory.
User logon name (pre-Windows 2000): The user's unique logon name that is used to log on from versions of Windows other than Windows 2000. This is required and must be unique within the domain.
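Added example, not from the module: a small Python helper that applies the naming guidelines and the account options above before an account is created. The convention it uses (first initial plus last name, lowercased) is an assumption; the module only says to choose a convention and keep to it. It enforces the 20-character limit and the forbidden characters from the guidelines, builds Full Name the way the table describes (first name or last name required), and appends a numeric suffix so that employees with duplicate names still get unique logon names. The list of existing logon names is constructed sample data.

```python
"""Logon-name helpers for the Windows 2000 naming guidelines.

Added example, not from the course. The convention (first initial + last
name, lowercase) is an ASSUMPTION; the 20-character limit and the forbidden
characters are the module's own. `existing` is the set of logon names already
in the directory (constructed sample data in the demo below).
"""

MAX_LOGON_LEN = 20
# Characters the module lists as not allowed in a user logon name.
FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def logon_name_errors(name, existing):
    """Return a list of guideline violations for `name` (empty list means OK)."""
    errors = []
    if not name:
        errors.append("logon name is empty")
    if len(name) > MAX_LOGON_LEN:
        errors.append(f"longer than {MAX_LOGON_LEN} characters; "
                      f"Windows 2000 recognizes only the first {MAX_LOGON_LEN}")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        errors.append("contains forbidden characters: " + " ".join(bad))
    # Logon names are not case sensitive, so compare in one case.
    if name.lower() in {e.lower() for e in existing}:
        errors.append("not unique within Active Directory")
    return errors


def full_name(first, last):
    """Full Name as the account dialog completes it: first and last name,
    at least one of them required."""
    parts = [p.strip() for p in (first, last) if p and p.strip()]
    if not parts:
        raise ValueError("either a first name or a last name is required")
    return " ".join(parts)


def make_logon_name(first, last, existing):
    """Derive a unique logon name: first initial + last name (ASSUMED
    convention), stripped of forbidden characters and spaces, cut to the
    20-character limit, with a numeric suffix when the name is already taken."""
    full_name(first, last)  # raises if neither name is present
    base = (first[:1] + last) if (first and last) else (last or first)
    base = "".join(ch for ch in base.lower()
                   if ch not in FORBIDDEN and not ch.isspace())
    taken = {e.lower() for e in existing}
    candidate = base[:MAX_LOGON_LEN]
    n = 1
    while candidate in taken:
        n += 1
        suffix = str(n)
        # Keep the suffix inside the 20-character limit.
        candidate = base[:MAX_LOGON_LEN - len(suffix)] + suffix
    return candidate


if __name__ == "__main__":
    # Constructed sample of logon names already in the directory.
    directory = ["Administrator", "Guest", "jsmith"]
    for first, last in [("John", "Smith"), ("Maria", ""), ("Ann", "O'Neil")]:
        name = make_logon_name(first, last, directory)
        print(f"{full_name(first, last):<12} -> {name:<20} "
              f"errors={logon_name_errors(name, directory)}")
        directory.append(name)
```

Note that the helper reports a name that is too long as an error instead of silently truncating it, because the dialog accepts the extra characters while Windows 2000 recognizes only the first 20; a user who types the full name at logon would otherwise be puzzled.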
Creating Groups
Slide Objective: To highlight the group types and group scopes in Windows 2000.
Lead-in: Windows 2000 provides two types of groups: security and distribution. Each type of group has a scope attribute that identifies the range in which the group can be applied on the network. Windows 2000 provides three scope types: global, domain local, and universal.
Delivery Tip: There are two slides in this topic. Use the first slide to explain group types and group scopes. Use the second slide to explain developing group strategies.
Group Types
Security Groups: Used to assign permissions. Can be used as an e-mail distribution list.
Distribution Groups: Cannot be used to assign permissions. Can be used as an e-mail distribution list.
Domain Local Group: Used to assign permissions to resources located in the domain in which the group is created.
Universal Group: Used to assign permissions to related resources in multiple domains.
Groups simplify administration by allowing you to assign permissions to a group at one time, rather than at multiple times to individual users. Active Directory provides support for different types of groups and group scopes. The scope determines whether the group spans multiple domains, or is limited to a single domain. There are two group types in Active Directory: security groups and distribution groups. Each type of group supports the group scopes: global, domain local, and universal.
Group Types
Delivery Tip: Describe the group types in Active Directory, and explain their purpose.
The group type determines the tasks that you manage with the group. Both types of groups are stored in Active Directory, which allows you to use them anywhere in your network. Windows 2000 includes the following group types:
Security groups. Use security groups for security-related purposes, such as assigning permissions to gain access to resources. You can also use them to send e-mail messages to multiple users. Sending an e-mail message to a group sends the message to all members of the group. Therefore, security groups share the capabilities of distribution groups.
Distribution groups. Applications use distribution groups as lists for nonsecurity-related functions, such as sending e-mail messages to groups of users. The primary purpose of this type of group is to gather related objects, rather than assign permissions. Even though security groups have all the capabilities of distribution groups, you should create security groups only for security-related purposes. The membership of distribution groups can be modified by users without affecting permissions or user rights. For this reason, security groups should only be used for assigning permissions and rights to resources, and distribution groups should be used for messaging and groupware applications.
For Your Information: If Microsoft Exchange Server is upgraded to Active Directory, the distribution lists defined in Microsoft Exchange Server are converted to distribution groups.
Group Scopes
Delivery Tip: Describe the group scopes in Active Directory, and explain their purpose.
The scope of a group determines the domains from which you can add members to the group, the domains in which you can use the group to assign permissions, and the domains in which you can nest the group within other groups. The group scopes in Windows 2000 include:
Global groups. Organize users who share similar network access requirements. You can use a global group to assign permissions to gain access to resources that are located in any domain.
Global groups have limited membership. A global group can only have user accounts and global groups from its domain as members. Global groups can be made members of universal groups and domain local groups in other domains.
Domain local groups. Assign permissions to resources. You can use a domain local group to assign access permissions to resources that are located in the same domain where you create the domain local group. Domain local groups have open membership. You can add the following members to a domain local group: user accounts, groups with global scope, groups with universal scope, and groups with domain local scope.
Note: Domain local groups are available for use only on domain controllers when the domain is in mixed mode, but available for use on member servers when the domain is in native mode.
Universal groups. Assign permissions to related resources in multiple domains. You can use a universal group to assign access permissions to resources that are located in any domain.
Universal groups have open membership. You can add global groups and user accounts from any domain to groups with universal scope.
Note: Security groups with a universal group scope are only available when the domain is in native mode.
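Added example (not part of the course): Python functions that encode the group type and scope rules from the Group Types and Group Scopes sections, so that a planned group creation, membership change or permission assignment can be checked against the rules before it is made. Three points go beyond the module's text and are marked as assumptions in the code: in mixed mode the one nesting that still works is a global group inside a domain local group; a domain local group may nest domain local groups only from its own domain; and a universal group may nest other universal groups, although the module lists only global groups and user accounts as members. Domain names, group names and the domain mode are constructed sample values.

```python
"""Group type and scope rules for Windows 2000 Active Directory.

Added example, not from the course. It encodes the rules in the Group Types
and Group Scopes sections so that a planned membership or permission
assignment can be checked before it is made. Rules marked ASSUMPTION are
not stated in the module text.
"""
from dataclasses import dataclass
from typing import Optional, Union

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"
SECURITY, DISTRIBUTION = "security", "distribution"
NATIVE, MIXED = "native", "mixed"


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str   # GLOBAL, DOMAIN_LOCAL or UNIVERSAL
    kind: str    # SECURITY or DISTRIBUTION


Member = Union[User, Group]


def creation_error(group: Group, domain_mode: str) -> Optional[str]:
    """Why `group` cannot be created in a domain running in `domain_mode`, or None."""
    if group.scope == UNIVERSAL and group.kind == SECURITY and domain_mode != NATIVE:
        return "security groups with universal scope require native mode"
    return None


def membership_error(group: Group, member: Member, domain_mode: str) -> Optional[str]:
    """Why `member` cannot be added to `group`, or None if the add is allowed."""
    if isinstance(member, Group):
        if member == group:
            return "a group cannot be a member of itself"
        # Group nesting is a native-mode feature. ASSUMPTION: the Windows NT
        # style of placing a global group in a domain local group still
        # works in mixed mode.
        nt_style = group.scope == DOMAIN_LOCAL and member.scope == GLOBAL
        if domain_mode != NATIVE and not nt_style:
            return "group nesting requires native mode"
    if group.scope == GLOBAL:
        # Limited membership: only users and global groups from the group's own domain.
        if member.domain != group.domain:
            return "global groups accept members only from their own domain"
        if isinstance(member, Group) and member.scope != GLOBAL:
            return "global groups may contain only user accounts and global groups"
    elif group.scope == DOMAIN_LOCAL:
        # Open membership: users, global, universal and domain local groups.
        # ASSUMPTION: nested domain local groups must come from the same domain.
        if (isinstance(member, Group) and member.scope == DOMAIN_LOCAL
                and member.domain != group.domain):
            return "domain local groups may nest domain local groups only from their own domain"
    elif group.scope == UNIVERSAL:
        # Open membership from any domain: user accounts and global groups per
        # the module; ASSUMPTION: other universal groups are allowed as well.
        if isinstance(member, Group) and member.scope == DOMAIN_LOCAL:
            return "universal groups may not contain domain local groups"
    return None


def can_grant_permissions(group: Group, resource_domain: str) -> bool:
    """True if `group` can be used to assign permissions on a resource in `resource_domain`."""
    if group.kind != SECURITY:
        return False  # distribution groups cannot be used to assign permissions
    if group.scope == DOMAIN_LOCAL:
        return resource_domain == group.domain  # usable only in the domain that holds it
    return True  # global and universal groups can be used in any domain


if __name__ == "__main__":
    # Constructed sample domains, groups and domain mode.
    hq, br = "nwtraders.msft", "brazil.nwtraders.msft"
    sales_g = Group("Sales", br, GLOBAL, SECURITY)
    share_dl = Group("Share-Readers", hq, DOMAIN_LOCAL, SECURITY)
    all_u = Group("All-Staff", hq, UNIVERSAL, SECURITY)
    for mode in (MIXED, NATIVE):
        print(f"[{mode} mode]")
        print("  create All-Staff:", creation_error(all_u, mode) or "ok")
        print("  Sales -> Share-Readers:", membership_error(share_dl, sales_g, mode) or "ok")
        print("  Sales -> All-Staff:", membership_error(all_u, sales_g, mode) or "ok")
        print("  user from hq -> Sales:", membership_error(sales_g, User("lee", hq), mode) or "ok")
    print("Share-Readers on a brazil resource:", can_grant_permissions(share_dl, br))
```

The functions return the violated rule as text rather than raising, so a provisioning script can collect every problem in a planned group design and report them together; a None result means the module's rules allow the operation.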