Welcome to this evening’s TechNet Event
We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK:
• FREE bi-weekly technical newsletter
• FREE regular technical events hosted across the UK
• FREE weekly UK & US led technical webcasts
• FREE comprehensive technical web site
• Monthly CD / DVD subscription with the latest technical tools & resources
• FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break
New Features of Windows Server 2003 Active Directory - Scenario Based
John Howard, IT Pro Evangelist, Microsoft UK
What we will cover:
• Active Directory Administration
• Forest Trusts
• Active Directory in Small and Remote Offices
• Group Policy Management Console
• Software Restriction Policies
Prerequisite Knowledge
• Familiarity with NT 4.0
• Familiarity with NT 4.0 Domains
• Familiarity with Windows 2000
• Familiarity with Active Directory
• Experience supporting Microsoft Networks
• Experience supporting end-users
Level 200
Agenda
• Simplifying Management
• Connecting Forests
• Connecting Small Offices
• Managing Group Policies
Simplifying Management: Goals
• Make every-day tasks easier
• Make the UI friendlier
• Easier to locate objects
  – Users and groups you manage
• Make automation easier
  – Provide tools that make scripting easier
  – Automate repetitive tasks
Simplified Management: Drag and Drop
• Drag and drop is now supported
  – Active Directory Users and Computers
  – Active Directory Sites and Services
• Friendlier UI
  – Works like other administrative tools
• Drag and drop users into:
  – New containers or OUs
  – Groups
Simplified Management: Drag and Drop Scenarios
• Scenarios:
  – Updating accounts
    • Adding users or groups to groups
    • Moving a server to a new site
• Benefits:
  – Don’t need to open user properties
  – Fewer clicks accomplish the same task
  – Operates like other standard tools
Simplified Management: Saved Queries
• A query saved in Active Directory Users and Computers
  – Accessed like a folder
• Only displays a specific set of objects based on the query
• Example: define queries to display accounts based on:
  – User\Group name or description
  – Account and password status
  – Days since last logon
Simplified Management: Creating Saved Queries
• Create in Active Directory Users and Computers
• New Query:
  – Define Query Root: start of search
  – Search users, printers, shares, etc.
  – Define variables
• Queries can be exported
  – Import into other AD Users and Computers consoles
Simplified Management: Saved Queries Scenarios
• Scenarios:
  – Display users and groups you manage
  – Display user accounts:
    • That are disabled
    • That haven’t been logged onto in 120 days
    • That have non-expiring passwords
• Benefits:
  – Perform tasks from the Saved Queries folder
  – You don’t have to navigate through the domain, OU, and container hierarchy to locate objects
Simplified Management: Command Line Tools
• Automate common or repetitive administrative tasks
  – Add/remove accounts
  – Query for account properties
  – Move and modify
• Run from the command line or through scripts
Simplified Management: Active Directory Tools
• DSAdd
  – Adds an AD object such as a user, group, OU, etc.
• DSGet
  – Displays attributes of an AD object
• DSMod
  – Modifies an existing AD object
• DSMove
  – Moves or renames an AD object
• DSQuery
  – Queries and lists AD objects
• DSRM
  – Deletes AD objects
Simplified Management: Command Line Tools Scenarios
• Scenarios:
  – Create scripts that helpdesk can use
    • Perform complex tasks without error
  – Make bulk changes rapidly
    • Add users to groups etc.
    • Move entire department to new OU
  – Run reports
    • Query for expired accounts
    • Document user group memberships
• Benefits:
  – No need to manually perform repetitive tasks
  – Perform complex tasks without error
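The scenarios above, worked through as one batch script built on the DS tools (an added example, not from the deck or its demonstration). The domain contoso.com, the OUs "Sales", "EMEA Sales" and "Groups", and the group "Sales Staff" are placeholders; the reporting half is read-only, the bulk changes only run when the script is started with the argument "apply".

```batch
@echo off
setlocal
rem Added example: helpdesk report plus bulk changes with the Windows Server 2003
rem DS tools. ASSUMPTIONS (placeholders): domain contoso.com, OUs Sales, EMEA Sales
rem and Groups, group "Sales Staff". Run on a DC or a machine with adminpak.msi.
set DOMAIN=DC=contoso,DC=com
set REPORT=%TEMP%\ad-report.txt

rem ---- Reports: read-only, safe to hand to the helpdesk ----
echo === Disabled user accounts === > "%REPORT%"
dsquery user -disabled -limit 0 >> "%REPORT%"

rem -inactive counts weeks and relies on lastLogonTimestamp, so it needs the
rem Windows Server 2003 domain functional level; 120 days is about 17 weeks.
echo === Users not logged on for 120 days === >> "%REPORT%"
dsquery user -inactive 17 -limit 0 >> "%REPORT%"

echo === Users whose password is older than 90 days === >> "%REPORT%"
dsquery user -stalepwd 90 -limit 0 >> "%REPORT%"

rem Document group memberships (including nested groups) of every user in the OU.
echo === Group memberships, Sales OU === >> "%REPORT%"
for /f "delims=" %%U in ('dsquery user "OU=Sales,%DOMAIN%" -limit 0') do (
    echo %%U >> "%REPORT%"
    dsget user %%U -memberof -expand >> "%REPORT%"
)

rem ---- Bulk changes: only after the report has been reviewed ----
if /i not "%1"=="apply" goto :done

rem Add every user in the Sales OU to the Sales Staff group.
for /f "delims=" %%U in ('dsquery user "OU=Sales,%DOMAIN%" -limit 0') do (
    dsmod group "CN=Sales Staff,OU=Groups,%DOMAIN%" -addmbr %%U
)

rem Move the whole department to a new OU in a single pipeline
rem (dsquery emits DNs, dsmove reads them from standard input).
dsquery user "OU=Sales,%DOMAIN%" -limit 0 | dsmove -newparent "OU=EMEA Sales,%DOMAIN%"

rem Disable, rather than delete, accounts nobody has used in 120 days.
dsquery user -inactive 17 -limit 0 | dsmod user -disabled yes

:done
echo Report written to %REPORT%
endlocal
```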
Demonstration: Simpler Active Directory Administration
• Drag and Drop Management
• Saved Queries
• Command Line Tools
Agenda
• Simplifying Management
• Connecting Forests
• Connecting Small Offices
• Managing Group Policies
Connecting Forests: Goals
• Need a way to allow forest-to-forest connectivity
• Many companies have separate forests
  – Independent business units
  – Acquisitions or mergers
  – Business partners
• Forest trusts allow these forests to share resources
Connecting Forests: Forest Trusts
• New trust type
• Allows all domains in one forest to trust all domains in another forest
  – Trust between the domains of both forests is transitive
  – Can be one-way or two-way trusts
• Trusts between forests are NOT transitive
  – Forest A trusts forest B
  – Forest A trusts forest C
  – Forest C does not trust forest B transitively
Connecting Forests: Forest Trusts Graphic
[Graphic: Division A, Division B and Division C forests on the intranet, with users in one forest and a trust drawn to another]
Connecting Forests: Namespaces and Forest Trusts
• Forests publish namespaces
• Namespaces are UPN suffixes
  – WorldWideImporters.com
  – Streetmarket.net
• Namespaces are used to determine where trusted accounts come from
  – Logon with a UPN logon when accessing resources in a trusted forest
  – Example: user@worldwideimporters.com
• Forests are trusted to be authoritative for published namespaces
Connecting Forests: Creating Forest Trusts
• Create in Active Directory Domains and Trusts:
  – Use the New Trust Wizard
  – Confirm incoming and outgoing trust
  – Can confirm both sides of the trust
• Prerequisites
  – Both forests must be at Windows Server 2003 forest functional level
Connecting Forests: Forest Trust Scenarios
• Scenarios:
  – Large, decentralized organization
    • Government, military, conglomerates
  – Organizations that are partnering
  – Organizations that must remain legally separate
  – Mergers and acquisitions
• Benefits:
  – Simplifies access to resources in both forests
  – Single sign-on
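A check to run once the New Trust Wizard has finished, added here and not part of the deck: it confirms that the forest trust exists, is flagged as a forest trust, and that the secure channel works in both directions. contoso.com and fabrikam.com are placeholder forest root domains; netdom and nltest are assumed to be installed from the Windows Server 2003 Support Tools.

```batch
@echo off
rem Added example: verify a newly created forest trust. ASSUMPTIONS: contoso.com is
rem the local forest root, fabrikam.com the partner forest root (both placeholders);
rem netdom.exe and nltest.exe come from the Support Tools (suptools.msi).
set LOCALFOREST=contoso.com
set PARTNER=fabrikam.com

rem 1. Every trust the local domain knows about, with direction and type.
netdom query trust

rem 2. The trust as Net Logon sees it; a forest trust is listed with the
rem    "Forest Trust" flag and must appear here, otherwise the wizard did not
rem    create it on this side.
nltest /domain_trusts /all_trusts

rem 3. Reset-free verification of the secure channel, outgoing then incoming.
rem    Verifying the incoming side needs credentials valid in the partner forest
rem    (add /ud:fabrikam\account /pd:* to be prompted for them).
netdom trust %LOCALFOREST% /d:%PARTNER% /verify
netdom trust %PARTNER% /d:%LOCALFOREST% /verify
```

A failure in step 3 normally points at DNS name resolution between the two forests or at a trust password that is out of step, not at the trust object itself.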
Demonstration: Forest Trusts
• Create a Forest Trust
• Access Forest Resources
Agenda
• Simplifying Management
• Connecting Forests
• Connecting Small Offices
• Managing Group Policies
Connecting Small Offices: Goals
• Address issues common to small offices
  – Low speed WAN links
  – Low amount of available bandwidth
  – No local Global Catalog server
• Make it easier to configure domain controllers
• Make it easier for users to logon
[Graphic: small office connected over a 128K link]
Connecting Small Offices: Create Domain Controller from Replica
Option for creating additional DCs in sites connected via slow links
• Back up system state on DC and copy to CD
• Restore data on system that will become new DC
  – Run “DCPromo /adv”
• Decreases initial replication of domain data
[Graphic: large site and branch office]
Connecting Small Offices: DC from Media Scenarios
• Scenarios:
  – DC needed at remote office
  – Useful for low bandwidth sites
• Benefits:
  – Allows Active Directory data to be restored rather than replicated across network
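The "DC from media" procedure above as the commands actually typed, split into the part run on an existing domain controller and the part run on the branch server (an added example, not from the deck). contoso.com, the staging folder D:\ and the restore folder C:\NTDSRestore are placeholders.

```batch
@echo off
rem Added example: create a branch office DC from backup media instead of
rem replicating the whole directory over the slow link.
rem ASSUMPTIONS (placeholders): domain contoso.com, staging folder D:\,
rem restore folder C:\NTDSRestore on the branch server.

rem ---- On an existing domain controller at the large site ----
rem Check how old the media may be: dcpromo rejects a backup older than the
rem tombstone lifetime (60 days by default on Windows Server 2003 when the
rem attribute is not set).
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -scope base -attr tombstoneLifetime

rem Back up System State (ntds.dit, SYSVOL, registry) to a single .bkf file,
rem then burn D:\dc-sysstate.bkf to CD/DVD and carry it to the branch office.
ntbackup backup systemstate /j "DC from media" /f "D:\dc-sysstate.bkf"

rem ---- On the branch server (a member server, not yet a DC) ----
rem ntbackup has no command-line restore, so the restore is done in the GUI:
rem Restore tab, select the System State set, "Restore files to: Alternate
rem location" = C:\NTDSRestore. Then promote in advanced mode and choose
rem "From these restored backup files", pointing at C:\NTDSRestore:
dcpromo /adv
rem Only changes made since the backup are replicated across the 128K link.
```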
Connecting Small Offices: Universal Group Membership Caching
[Graphic: large office with Global Catalog servers; the branch office DC, connected over a 128K link, answers the Universal Group 1 and Universal Group 2 membership query from its cache]
Logon is faster because group memberships are cached locally!
Connecting Small Offices: UGMC Scenarios
• Scenarios:
  – Small or branch offices connected to a Global Catalog server with a low speed WAN link
  – Offices experiencing slow logons due to Universal Group Membership processing
• Benefits:
  – Faster logon without a Global Catalog server in the site
Demonstration: Enabling Active Directory in Small and Remote Offices
• Create a Domain Controller from Backup Media
• Enable UGMC
Agenda
• Simplifying Management
• Connecting Forests
• Connecting Small Offices
• Managing Group Policies
Managing Group Policies: Goals
• Problem: Group Policy is too hard
• Existing UI confusing and limited
• Core capabilities missing
  – Reporting of GPO settings
  – Backup/restore of GPOs
  – Import/export of GPOs
• Existing capabilities not scriptable
Managing Group Policies: Group Policy Management Console (GPMC)
• What is the GPMC?
  – New admin tool for managing Group Policy:
    • Set of scriptable objects for managing GP
    • MMC Snap-in, built on these objects
    • Standalone Web release shortly after Windows Server 2003 RTM
• GPMC Design goals
  – Unify management of Group Policy
  – Address key deployment issues
  – Provide better UI for visualization
  – Enable programmatic access to GP
Managing Group Policies: Copy and Import
[Graphic: an administrator copies a policy from the Division A forest to the Division B forest across a forest trust, and imports a policy into a GPO]
Managing Group Policies: Backup and Restore
• Backup / Export:
  – Transfers any live GPO to the file system
  – Backs up policy settings, ACLs, links to WMI filters
• Restore:
  – Puts things back exactly as before
  – GPO must be in the same domain
• Scenario:
  – Restore a policy to return to original settings
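The backup, reporting and cross-forest import described on this and the Copy and Import slide, driven from a batch file through the sample scripts that ship with the GPMC (an added example, not from the deck). It assumes the GPMC is installed in its default folder, and uses contoso.com, fabrikam.com, the share \\fileserver\gpobackups and the GPO name "Workstation Lockdown" as placeholders.

```batch
@echo off
setlocal
rem Added example: scheduled GPO backup and report, plus an import into another
rem forest, using the GPMC sample scripts. ASSUMPTIONS (placeholders): GPMC in its
rem default folder, domains contoso.com and fabrikam.com, share \\fileserver\gpobackups,
rem GPO "Workstation Lockdown".
set SCRIPTS=%ProgramFiles%\GPMC\Scripts
set BACKUPDIR=\\fileserver\gpobackups\%DATE:/=-%
set REPORTDIR=%BACKUPDIR%\reports
mkdir "%BACKUPDIR%" 2>nul
mkdir "%REPORTDIR%" 2>nul

rem Back up every GPO in the domain (settings, ACLs and WMI filter links) to the
rem file system. The backup folder should be ACLed like the GPOs themselves.
cscript //nologo "%SCRIPTS%\BackupAllGPOs.wsf" "%BACKUPDIR%" /comment:"Scheduled backup" /domain:contoso.com

rem One HTML settings report per GPO next to the backup, for change review.
cscript //nologo "%SCRIPTS%\GetReportsForAllGPOs.wsf" "%REPORTDIR%" /domain:contoso.com

rem Import the backed-up settings of one GPO into a GPO of the same name in the
rem trusted forest, creating it if it does not exist. Import moves settings only,
rem never links or ACLs; settings that name security principals or UNC paths from
rem the source forest need a migration table (/migrationtable:file.migtable).
cscript //nologo "%SCRIPTS%\ImportGPO.wsf" "%BACKUPDIR%" "Workstation Lockdown" "Workstation Lockdown" /createifneeded /domain:fabrikam.com

rem Restore only works into the domain the GPO was backed up from:
rem cscript //nologo "%SCRIPTS%\RestoreGPO.wsf" "%BACKUPDIR%" "Workstation Lockdown" /domain:contoso.com
endlocal
```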
Managing Group Policies: Group Policy Modeling
• Group Policy Modeling Wizard
  – Replaces Resultant Set of Policies (RSoP) Planning Mode
• Select user and computer OUs
  – Or select specific accounts
• Displays winning policy settings
  – See effects of GPOs prior to deployment
  – Avoid conflicts and unexpected results
• View results in Web based report
Managing Group Policies: GPMC Scenarios
• Centralized management of policies
  – Even across domain and forest boundaries
• Group Policy deployment planning
• Sharing and reusing GPOs across domain/forest boundaries
• Centralized GPO backup and restore
• All Group Policy Management tasks
Managing Group Policies: GPMC Benefits
• A single tool for managing GPOs
  – Multiple domains and forests can be managed
  – Single tool for all policy management
• Plan with Group Policy Modeling
  – View effects of policies prior to deployment
  – Avoid policy conflicts or unexpected behavior
• Troubleshoot with Group Policy Results
  – Identify existing policy conflicts
• Share and reuse GPOs
  – Import and Copy GPOs across domains and forests
Managing Group Policies: Software Restriction Policy Goals
• New feature of Group Policies
• Allow or restrict access to software
  – Set default to allow or disallow software
  – Create rules to bypass the default
  – Specify affected file extensions
• Prevent:
  – Viruses
  – Unapproved or non-standard applications
  – Any applications you wish to restrict
Managing Group Policies: Software Restriction Policy Rules
• Certificate Rules
  – Verify the digital certificate
• Hash Rules
  – Identify software by a unique hash
• Internet Zone Rules
  – Apply to Windows Installer packages
• Path Rules
  – Define a specific path for software
Managing Group Policies: Software Restriction Policies Scenarios
• Scenarios:
  – Prevent problematic file types (.vbs, etc)
  – Restrict access to non-standard software
• Benefits:
  – Helps prevent viruses and unstable or conflicting software installations
  – Flexible rules structure
  – Consistent, automated deployment through Group Policies
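An audit script for a client that has received a Software Restriction Policy, added here and not part of the deck: it reads the registry keys Group Policy delivers SRP into and prints the default level, the executable file types, whether local administrators are covered, and the path and hash rules that override the default. The key layout is the one used by Windows XP and Windows Server 2003; nothing is modified.

```batch
@echo off
setlocal
rem Added example: read-only audit of the applied Software Restriction Policy.
rem SRP settings arrive under this key (Windows XP / Server 2003 layout).
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

reg query "%SAFER%" /v DefaultLevel >nul 2>&1 || (
    echo No Software Restriction Policy is applied to this machine.
    goto :eof
)

rem DefaultLevel: 0x40000 (262144) = Unrestricted, 0x0 = Disallowed.
for /f "tokens=3" %%L in ('reg query "%SAFER%" /v DefaultLevel ^| find "DefaultLevel"') do set LEVEL=%%L
if /i "%LEVEL%"=="0x40000" (echo Default level: Unrestricted) else (
    if /i "%LEVEL%"=="0x0" (echo Default level: Disallowed) else (echo Default level: %LEVEL%)
)

rem File extensions the policy treats as executable; .vbs and friends should be listed.
reg query "%SAFER%" /v ExecutableTypes

rem PolicyScope 0 = applies to everyone, 1 = everyone except local administrators.
reg query "%SAFER%" /v PolicyScope

rem Rules that override the default live under a per-level subkey:
rem 0 holds the Disallowed rules, 262144 the Unrestricted rules.
for %%S in (0 262144) do (
    echo --- rules at level %%S ---
    reg query "%SAFER%\%%S\Paths" /s 2>nul | find "ItemData"
    reg query "%SAFER%\%%S\Hashes" /s 2>nul | find "FriendlyName"
)
endlocal
```

An Unrestricted default with a long list of Unrestricted path rules and no Disallowed rules means the policy blocks nothing; the deck's .vbs scenario needs either a Disallowed default with Unrestricted exceptions, or Disallowed rules for the file types in question.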
Demonstration: Group Policy Management
• GPMC
• Modeling Wizard
• Software Restriction Policies
Session Summary
• Simpler Active Directory administration
• Access forest resources with Forest Trusts
• Easier Active Directory installation in small or remote offices
• Streamline GPO deployment and administration with the GPMC
For More Information…
• Visit TechNet at www.microsoft.com/technet
• For additional information on books, courses and other community resources that support this session visit www.microsoft.com/technet/tnt1-124
What is TechNet?
• Put the right answers at your fingertips
  – The comprehensive collection of resources to help IT pros plan, deploy and manage Microsoft products successfully
• TechNet Subscription: monthly updates delivered on DVD or CD; the definitive resource to help you evaluate, deploy and maintain Microsoft products
• TechNet Web Site: accessible at www.microsoft.com/technet; online resources and community; subscriber-only online services
• TechNet Flash: biweekly e-newsletter with security updates, new resources, and special offers
• TechNet Events and Webcasts: briefings on the latest Microsoft products and technologies; hands-on, “how to” information
• TechNet Communities: user groups and managed newsgroups