Module 1: Introduction to Advanced Administration of a Windows 2000 Network


Contents

• Administering a Windows 2000 Network
• Delegating Administrative Control
• Controlling Access to Active Directory Objects and Windows 2000 Resources
• Demonstration: Examining Access Tokens


Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead and Instructional Designer: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart


Introduction

This module provides students with an introduction to administering a Microsoft® Windows® 2000 network. It provides a foundation for the course by presenting the concepts of centralized management and decentralized administration through the use of Windows 2000 features. This module also provides an overview of how users are granted access to Active Directory™ directory service objects and other network resources in Windows 2000.

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 1558A_01.ppt

Preparation

To prepare for this module, you should:

• Read all the materials for this module.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read the white paper, Introduction to IntelliMirror™, on the Student Materials compact disc.
• Read the white paper, Introduction to Windows 2000 Change and Configuration Management, on the Student Materials compact disc.
• Read the white paper, Windows 2000 Kerberos Authentication, on the Student Materials compact disc.
• Read the white paper, Windows 2000 Security—Default Access Control Settings, on the Student Materials compact disc.

Presentation: 60 Minutes


Demonstration

This section provides demonstration procedures that will not fit in the margin notes or are not appropriate for the student notes.

Examining Access Tokens

To view and compare the access tokens for the domain Administrator account and a user account:

1. Log on to your domain as Administrator, click the Start button, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, run the mytoken program, which is located in the root directory on the Trainer Materials compact disc.
3. Start another command prompt, and using the runas command, run mytoken using a standard user account.
4. Place the two command prompt windows side by side and compare the SID, Group ID, and user rights for the administrator account and the standard user account.
5. Ask students whether the information is the same.
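
The comparison in steps 2 to 4 can also be made without mytoken, which ships only on the Trainer Materials disc. The following is an added example, not part of the original course material: it assumes a later Windows release that includes whoami.exe and PowerShell 3 or newer, and the function names and C:\Temp file paths are hypothetical.

```powershell
# Added example, not the course's mytoken program. Assumes a Windows release
# that ships whoami.exe and PowerShell 3+; the .json paths are hypothetical.

function Get-TokenSnapshot {
    # /fo csv /nh omits the (localized) header row, so column names are set here.
    $user   = whoami /user   /fo csv /nh | ConvertFrom-Csv -Header Name, Sid
    $groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $privs  = whoami /priv   /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
    [pscustomobject]@{
        User       = $user.Name
        UserSid    = $user.Sid
        Groups     = @($groups | Sort-Object Sid  | Select-Object Sid, Name, Attributes)
        Privileges = @($privs  | Sort-Object Name | Select-Object Name, State)
    }
}

function Compare-TokenSnapshot {
    param(
        [Parameter(Mandatory)][string]$AdminPath,
        [Parameter(Mandatory)][string]$UserPath
    )
    $admin = Get-Content -Raw $AdminPath | ConvertFrom-Json
    $user  = Get-Content -Raw $UserPath  | ConvertFrom-Json

    # SID -> group name, so differences print readably.
    $names = @{}
    foreach ($g in @($admin.Groups) + @($user.Groups)) { $names[$g.Sid] = $g.Name }

    [pscustomobject]@{ Item = 'User SID'; Admin = $admin.UserSid; User = $user.UserSid }

    # Report only entries held by one token. The logon SID (S-1-5-5-x-y) is
    # unique to each logon session, so it always appears as a difference.
    $sets = @(
        @{ Kind = 'Group'; A = @($admin.Groups.Sid);      U = @($user.Groups.Sid) },
        @{ Kind = 'Right'; A = @($admin.Privileges.Name); U = @($user.Privileges.Name) }
    )
    foreach ($s in $sets) {
        foreach ($d in Compare-Object $s.A $s.U) {
            $label = $d.InputObject
            if ($s.Kind -eq 'Group') { $label = "$($names[$label]) ($label)" }
            [pscustomobject]@{
                Item  = "$($s.Kind): $label"
                Admin = if ($d.SideIndicator -eq '<=') { 'present' } else { 'absent' }
                User  = if ($d.SideIndicator -eq '=>') { 'present' } else { 'absent' }
            }
        }
    }
}

# In the Administrator prompt:
#   Get-TokenSnapshot | ConvertTo-Json -Depth 3 | Set-Content C:\Temp\admin.json
# In the prompt started with runas for the standard user:
#   Get-TokenSnapshot | ConvertTo-Json -Depth 3 | Set-Content C:\Temp\user.json
# Then, in either prompt:
#   Compare-TokenSnapshot C:\Temp\admin.json C:\Temp\user.json | Format-Table -AutoSize
```

On systems with User Account Control, take the Administrator snapshot from an elevated prompt; a non-elevated prompt captures the filtered token, which hides most of the administrative groups and rights the demonstration is meant to show.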


Module Strategy

Use the following strategy to present this module:

• Administering a Windows 2000 Network

In this topic, you will introduce administering a Windows 2000 network. Explain the concepts of centralizing management and decentralizing administration. Talk about the customization of the administrative tools by an administrator to allow other administrators to perform specific tasks in the network. Keep the presentation brief, as all the concepts will be taught in subsequent modules in the course.

• Delegating Administrative Control

In this topic, you will explain the purpose of delegating administrative control and the tools that simplify the task. Emphasize that in Windows 2000 you can delegate administrative control at an OU level. This enables an administrator to distribute administrative tasks to other administrators.

• Controlling Access to Active Directory Objects and Windows 2000 Resources

In this topic, you will introduce controlling access to Active Directory and file system objects. Explain the purpose of discretionary access control lists (DACLs) and how Windows 2000 assigns and manages resource security through permission inheritance. Describe the logon process and briefly discuss the local, network, and secondary logon processes. Describe the purpose and components of access tokens. Emphasize that access tokens are permanently attached to each resource. Explain how access tokens and DACLs are used to gain access to Windows 2000 resources. Emphasize that the process of gaining access to Active Directory objects and network resources is identical to the process of gaining access to file system objects. Demonstrate logging on as an administrator and using Mytoken.exe to see the access token of an administrator, and then demonstrate logging on as a user to see the access token of a user. Compare the two access tokens and show students the difference between the SIDs, Group IDs, and the user rights in the two access tokens.


Overview

• Administering a Windows 2000 Network
• Centralized Management
• Delegating Administrative Control
• Controlling Access to Active Directory Objects and Windows 2000 Resources

Microsoft® Windows® 2000 supports the management services that help you to centrally administer and organize servers, networks, and client systems in your organization. Centralizing and organizing users and computers to provide a flexible administrative model reduces the total cost of ownership (TCO) of users and computers. The Windows 2000 Active Directory™ directory service allows policy-based management for users and computers, authorization and authentication services, remote administration, and security features.

At the end of this module, you will be able to:

• Describe the methods of administering a Windows 2000 network.
• Describe how Windows 2000 enables centralized management of users, computers, and network resources.
• Describe how to delegate administrative control of Windows 2000 users, computers, and network resources.
• Describe how you can use Windows 2000 to control access to Active Directory objects and network resources.

In this module, you will learn about how Windows 2000 authenticates users during the logon process and uses DACLs to control access to resources.

Do not go into too much detail about the concepts in this module. This module sets the foundation for the main concepts that will be covered in the following modules.


Administering a Windows 2000 Network

[Slide: Centralize Management (Group Policy, Active Directory); Delegate Administrative Control; Customize Tools (Administrative Tools)]

Windows 2000 provides administrators with the methods and utilities to centralize the management of all desktop computers in an organization and decentralize administrative tasks:

• Centralize management. Active Directory and Group Policy allow administrators to centrally manage large numbers of users, computers, printers, and network resources from one place. Active Directory enables you to centrally organize network resources according to administrative requirements, while Group Policy enables you to specify settings and apply management policies to Active Directory organizational units (OUs). In addition, Group Policy enables you to define a policy for a user or computer once, and then use the operating system to reinforce it continually.

• Delegate administrative control. Active Directory allows an administrator with the proper authority to delegate a selected set of administrative privileges to appropriate individuals or groups within an organization. This administrator can specify the specific privileges that these individuals have over different containers and objects in Active Directory.

• Customize tools. Windows 2000 also provides you with the tools to match administrative responsibilities and to delegate network administrative responsibilities to other administrators. In this way, administrators can combine all of the tools needed for each administrative function into a single console.

As an administrator, you can take advantage of the Windows 2000 Active Directory and Group Policy features to centrally manage all computers in your organization and to delegate administrative control.

Ask the students to explain what Active Directory and Group Policy are.

Key Points

Active Directory and Group Policy allow administrators to centrally manage a large [...] tools for specific administrative tasks and distribute them to other administrators.


Centralized Management

• Using Active Directory for Centralized Management
• Using Group Policy for Centralized Management
• Managing the User Environment
• Publishing Resources

Distributed systems often lead to time-consuming and redundant management tasks. For example, for each user, an administrator must visit the desktop to perform tasks, such as configuring the operating system software to corporate standards, limiting the user’s ability to change the standard configuration, securing the desktop and important files from unauthorized users, and installing and configuring applications.

As organizations add applications to their infrastructures and hire more personnel, they need to create user accounts, configure computers, apply administrative settings, and distribute software to the desktop appropriately. The integration of Active Directory and Group Policy provides administrators with a utility that allows them to manage the entire network from a

Active Directory and Group Policy enable the centralized management of Windows 2000


Using Active Directory for Centralized Management

Active Directory:

• Is a Central Repository of Objects
• Contains Information About Objects
• Allows Administrators to Easily Locate Information
• Allows Administrators to Group Objects into OUs
• Uses Group Policy to Specify Policy-Based Settings

[Slide diagram: Domain, OU1, OU2; Computers, Users, Printers; Computer1, User1, User2, Printer1]

Active Directory is the directory service for Windows 2000. Active Directory stores information about network resources, such as computers and printers, and provides services that make this information available to users and applications. Active Directory provides administrators with the capability to centrally manage resources because:

• Active Directory is a central repository of objects. Users, groups, computers, printers, and files can be organized into OUs according to administrative need. In addition, all servers, domains, and sites in the network are also represented as objects. By representing all network resources as objects in a centralized database, Active Directory enables a single administrator to centrally manage and administer these resources.

• Active Directory contains attributes and information for each object. The attributes hold data describing the resource that is identified by the directory object. A user’s attributes might include the user’s first name, last name, and e-mail address, while a printer’s attributes might include whether it is capable of printing in color and the building and office in which it is located. The attribute information facilitates searching in Active Directory and administering resources in the network.

• Active Directory allows administrators to easily locate information about objects. By searching for selected attributes, you can find an object located anywhere in the Active Directory tree.

• Active Directory allows you to group objects with similar administrative and security requirements into OUs. OUs provide multiple levels of administrative authority for both applying policy-based administration and delegating administrative control. This simplifies the task of managing these objects and allows administrators to structure Active Directory to fit their needs.

• Active Directory uses Group Policy to provide administrators with the ability to specify policy-based settings for a site, domain, or OU. Active Directory then enforces these policy-based settings for all of the users and computers within the container.

Slide Objective

To explain the purpose of using Active Directory to [...] regarding these objects, and provides a single point of access from which to administer these objects.

Key Points

Active Directory is a central repository of objects.

Administrators can use search utilities to locate objects and administer them in Active Directory.

Active Directory uses Group Policy to provide administrators with the ability to specify policy-based administrative settings for a site, domain, or OU that apply to all objects in the container.


Using Group Policy for Centralized Management

• Group Policy Enables Policy-Based Centralized Management
• Policy Set on a Container Affects All Users and Computers That it Contains
• Windows 2000 Continues to Apply Policy Settings to Users and Computers Even When Disconnected from the Network
• Group Policy Provides Settings for Controlling Computer Services and Desktop Settings

[Slide diagram: Apply Group Policy Once; Windows 2000 Enforces Continually]

Group Policy enables policy-based centralized management of a network. Policy-based administration eases the management of even the most complex network by allowing you to apply a policy to an object once, and then to rely on Windows 2000 to continually enforce the policy throughout the network. Group Policy utilizes Active Directory containers (sites, domains, and OUs) as administrative units. A policy set on a container affects all users and computers that it contains. In addition, administrative control of the Group Policy assigned to a site, domain, or OU can be delegated to another administrator without your having to delegate control of the container itself.

Windows 2000 applies policy settings to users and computers when the computer starts or when the user logs on. It also refreshes policy settings at periodic intervals during the day. Policy settings continue to apply even if the computer is disconnected from the network.

Group Policy provides settings for controlling computer services and users’ desktop environments and capabilities. Administrators can deploy applications and lock down user desktops for a group of users and computers by creating and applying a single Group Policy to a site, domain, or OU.

Slide Objective

To explain the purpose of using Group Policy to centralize the management of network resources.

Lead-in

A policy affects all users in a specific group. Policy-based management eases the task of managing all types of networks.

Key Points

A policy set on an OU affects all users and computers in that OU.

Windows 2000 refreshes policy settings at periodic intervals. Users do not have to log off for settings to be applied, even when the computer is disconnected from the network.


Managing the User Environment

[Slide diagram: User Data; User/Computer Settings; Software Deployment; Group Policy Applied to an OU (User1, User2, Computer1, Computer2)]

• Control and Lock Down What Users Can Do
• Centrally Manage Software Installation, Repairs, Updates, and Removal
• Configure User Data to Follow Users Whether They Are Online or Offline

Group Policy allows you to control users’ data, personal computer settings, computing environment, and software. Policies that follow the user enable administrators to provide users with consistent access to all of their information and software, regardless of whether they are working on the same computer. You can use Group Policy to manage the user environment by:

• Controlling and locking down what users can do when logged on to the network. This ensures that users have access to the tools and information that they need but do not have access to anything that is not required for their jobs. You can also restrict the applications and tools that are available to users. Limiting the scope of what a user can do ensures that no unnecessary time is spent troubleshooting operating system and application configuration problems.

• Centrally managing software installation (applications, service packs, and operating system updates), repairs, updates, and removal. When you use Group Policy to install software, you can ensure that the same applications are available on any computer to which a user logs on. You can also ensure that missing files and settings are repaired automatically whenever an application is invoked.

• Configuring user data to follow users whether they are online, connected to the network, or temporarily offline. User data follows a user because, although the data is stored in specified network locations, it appears local to the user. Offline files cache network data to the local computers so it is available when the user disconnects from the network.

You can define different Group Policy settings for controlling users’ desktop environments, and then apply them consistently across multiple computers.

Key Points

Group Policy enables administrators to control user environments, install software, and redirect user data to a network location.

Apply Group Policy to containers (domains and OUs) so that when new users and computers are added to these containers, the Group Policy settings automatically apply to the new objects.


Publishing Resources

Publishing Resources in Active Directory:

• Enables Users to Easily Locate and Gain Access to Resources
• Locates Resources Even if Their Physical Locations Change
• Enables Administering Multiple Shared Folders from a Single Location Through Dfs

[Slide diagram: Locate; Manage; Domain, OU1; Shared Folder, Printer, Dfs Shared Folder]

You can publish resources in Active Directory to enable users to easily locate and gain access to the resources they need to perform their jobs.

Another advantage of publishing resources in Active Directory is that you are able to locate the resources there even if their physical locations change. Two common resources that are published in Active Directory are shared folders and printers that are on computers that are not running Windows 2000. Network printers can be published so that users can easily locate them based on their physical location and attributes. Administrators can group printer objects in Active Directory based on administrative need, regardless of the printer’s physical location. This can reduce the complexity of managing printer resources.

As the size of the network grows, the shared files and folders can exist over many servers. This makes resources very difficult for users to locate and for administrators to manage. The Distributed file system (Dfs) provides a single point of reference for file system resources that may be located anywhere on the network.

Slide Objective

To explain the purpose of publishing shared resources in Active Directory for centralized management.

Lead-in

With Windows 2000, you can publish folders and printers in Active Directory. This method of sharing makes it very convenient for administrators and users to [...]

Users can easily locate shared folders and printers in a network when these resources are published in
