Microsoft® Official Course
Module 3: Managing Active Directory Domain Services Objects
Module Overview
• Managing User Accounts
• Managing Group Accounts
• Managing Computer Accounts
• Delegating Administration
Lesson 1: Managing User Accounts
• AD DS Administration Tools
• Creating User Accounts
• Configuring User Account Attributes
• Creating User Profiles
• Demonstration: Managing User Accounts
AD DS Administration Tools
To manage AD DS objects, you can use the following graphical tools:
• Active Directory Administration snap-ins
• Active Directory Administrative Center
You can also use the following command-line tools:
• Active Directory module in Windows PowerShell
• Directory Service commands
Creating User Accounts
Configuring User Account Attributes
Creating User Profiles
Demonstration: Managing User Accounts
In this demonstration, you will see how to:
• Open the Active Directory Administrative Center
• Delete a user account
• Create a new user account
• Move the user account
Lesson 2: Managing Group Accounts
• Group Types
• Group Scopes
• Implementing Group Management
• Default Groups
• Special Identities
• Demonstration: Managing Groups
Group Types
• Distribution groups
  • Used only with email applications
  • Not security-enabled (no SID); cannot be given permissions
• Security groups
  • Security principal with an SID; can be given permissions
  • Can also be email-enabled
Group Scopes
Legend: U = User, C = Computer, GG = Global Group, DLG = Domain Local Group, UG = Universal Group

Group scope  | Members from same domain          | Members from domain in same forest | Members from trusted external domain | Can be assigned permissions to resources
Local        | U, C, GG, DLG, UG and local users | U, C, GG, UG                       | U, C, GG                             | On the local computer only
Domain Local | U, C, GG, DLG, UG                 | U, C, GG, UG                       | U, C, GG                             | Anywhere in the domain
Universal    | U, C, GG, UG                      | U, C, GG, UG                       | N/A                                  | Anywhere in the forest
Global       | U, C, GG                          | N/A                                | N/A                                  | Anywhere in the domain or a trusted domain
Implementing Group Management
IGDLA: Identities are members of Global groups, which are members of Domain Local groups, which are Assigned access to a resource.
• Identities (I): users or computers, which are members of
• Global groups (G): collect members based on members’ roles (for example, Sales and Auditors, both global groups), which are members of
• Domain local groups (DL): provide management such as resource access (for example, ACL_Sales_Read, a domain local group), which are
• Assigned (A) access to a resource
In a multi-domain forest, it is IGUDLA, where U is Universal.
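The IGDLA chain from the group scopes table and the slide above, as an added example written with the Active Directory module (not code from the course). The OU path, user names, share path and domain NetBIOS name ADATUM are assumed placeholders.

```powershell
# Added example: implement IGDLA with the Active Directory module.
# Assumed names: OU path, users Ann/Bob/Carol, folder D:\Shares\Sales, domain ADATUM.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=adatum,DC=com'    # assumed OU that holds the groups

# I -> G: role-based global groups collect identities (users and computers).
New-ADGroup -Name 'Sales'    -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'Auditors' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales'    -Members 'Ann', 'Bob'
Add-ADGroupMember -Identity 'Auditors' -Members 'Carol'

# G -> DL: one domain local group per level of access to one resource.
# A domain local group may contain global groups from the same domain, from
# other domains in the forest and from trusted external domains (see table).
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'Sales', 'Auditors'

# DL -> A: only the domain local group is named in the resource ACL, so role
# changes are made in AD, never on the file server.
$folder = 'D:\Shares\Sales'            # assumed path on the file server
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'ADATUM\ACL_Sales_Read',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check the chain: -Recursive expands Sales and Auditors, so Ann, Bob and Carol
# all appear as effective members of ACL_Sales_Read although none was added directly.
Get-ADGroupMember -Identity 'ACL_Sales_Read' -Recursive |
    Select-Object SamAccountName, objectClass
```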
Default Groups
• Carefully manage the default groups that provide administrative privileges, because these groups:
  • Typically have broader privileges than are necessary for most delegated environments
  • Often apply protection to their members

Group             | Location
Enterprise Admins | Users container of the forest root domain
Schema Admins     | Users container of the forest root domain
Administrators    | Built-in container of each domain
Domain Admins     | Users container of each domain
Server Operators  | Built-in container of each domain
Account Operators | Built-in container of each domain
Backup Operators  | Built-in container of each domain
Print Operators   | Built-in container of each domain
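A membership report for the default administrative groups in the table, as an added example (not part of the course). It assumes the Active Directory module on a domain-joined computer; forest-root groups are read from the root domain, the rest from the current domain.

```powershell
# Added example: enumerate members of the privileged default groups, expanding
# nested groups, so unexpected members and overlaps can be reviewed.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain     # holds Enterprise Admins and Schema Admins
$thisDomain = (Get-ADDomain).DNSRoot        # holds the per-domain groups

$privileged = @(
    @{ Name = 'Enterprise Admins'; Domain = $rootDomain },
    @{ Name = 'Schema Admins';     Domain = $rootDomain },
    @{ Name = 'Administrators';    Domain = $thisDomain },
    @{ Name = 'Domain Admins';     Domain = $thisDomain },
    @{ Name = 'Server Operators';  Domain = $thisDomain },
    @{ Name = 'Account Operators'; Domain = $thisDomain },
    @{ Name = 'Backup Operators';  Domain = $thisDomain },
    @{ Name = 'Print Operators';   Domain = $thisDomain }
)

$report = foreach ($g in $privileged) {
    # -Recursive flattens nested groups so indirect members are visible too.
    Get-ADGroupMember -Identity $g.Name -Server $g.Domain -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Group       = $g.Name
                Domain      = $g.Domain
                Member      = $_.SamAccountName
                ObjectClass = $_.objectClass
            }
        }
}

# Full listing, one line per (group, member).
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Principals that sit in more than one privileged group, and non-user
# principals (service accounts, computers) are the entries to review first.
$report | Group-Object Member | Where-Object Count -gt 1 |
    Select-Object Name, Count,
        @{ n = 'Groups'; e = { ($_.Group.Group | Sort-Object -Unique) -join ', ' } }
$report | Where-Object ObjectClass -ne 'user' | Format-Table -AutoSize
```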
Special Identities
• Special identities:
  • Are groups for which membership is controlled by the operating system
  • Can be used by the Windows Server operating system to provide access to resources:
    • Based on the type of authentication or connection
    • Not based on the user account
• Important special identities include:
  • Anonymous Logon
  • Authenticated Users
  • Everyone
  • Interactive
  • Network
Demonstration: Managing Groups
In this demonstration, you will see how to:
• Create a new group
• Add members to the group
• Add a user to the group
• Change the group type and scope
• Modify the group’s Managed By property
Lesson 3: Managing Computer Accounts
• What Is the Computers Container?
• Specifying the Location of Computer Accounts
• Controlling Permissions to Create Computer Accounts
• Computer Accounts and Secure Channels
• Resetting the Secure Channel
What Is the Computers Container?
Specifying the Location of Computer Accounts
• Best practice is to create OUs for computer objects
  • Servers
    • Typically subdivided by server role
  • Client computers
    • Typically subdivided by region
• Divide OUs:
  • By administration
  • To facilitate configuration with Group Policy
Controlling Permissions to Create Computer Accounts
Computer Accounts and Secure Channels
• Computers have accounts
  • sAMAccountName and password
  • Used to create a secure channel between the computer and a domain controller
• Scenarios where a secure channel can be broken
  • Reinstalling a computer, even with the same name, generates a new SID and password
  • Restoring a computer from an old backup, or rolling back a computer to an old snapshot
  • Computer and domain disagree about what the password is
Resetting the Secure Channel
• Do not remove a computer from the domain and rejoin
  • This process creates a new account, resulting in a new SID and lost group memberships
• Options for resetting the secure channel:
  • Active Directory Users and Computers
  • DSMod.exe
  • NetDom.exe
  • NLTest.exe
  • Windows PowerShell
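Testing and repairing the secure channel in place with the Windows PowerShell option from the list above, as an added example (not from the course). It assumes an elevated session on the affected computer; the domain controller name and the domain name are placeholders.

```powershell
# Added example: verify the secure channel and repair it without leaving the
# domain, so the computer account keeps its SID and group memberships.
# Assumed names: DC LON-DC1.adatum.com, domain adatum.com.

# 1. Test: $true when the computer's stored password matches the domain's copy.
$healthy = Test-ComputerSecureChannel -Verbose

if (-not $healthy) {
    # 2. Repair re-establishes the channel against the existing computer
    #    account. Use an account that is allowed to reset this computer's
    #    password (for example one delegated "Reset password" on the OU).
    $cred = Get-Credential -Message 'Account permitted to reset the computer password'
    Test-ComputerSecureChannel -Repair -Server 'LON-DC1.adatum.com' -Credential $cred

    # Equivalent command-line check/reset with NLTest.exe (also listed above):
    #   nltest /sc_verify:adatum.com
    #   nltest /sc_reset:adatum.com
}

# 3. Confirm from the directory side: PasswordLastSet moves to now, while the
#    SID is unchanged, which is exactly what a remove-and-rejoin would not give.
Import-Module ActiveDirectory
Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet |
    Select-Object Name, SID, PasswordLastSet
```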
Lesson 4: Delegating Administration
• AD DS Permissions
• Effective AD DS Permissions
• Demonstration: Delegating Administrative Control
AD DS Permissions
Effective AD DS Permissions
• Permissions assigned to users and groups accumulate
• Best practice is to assign permissions to groups, not to individual users
• In the event of conflicts:
  • Deny permissions override Allow permissions
  • Explicit permissions override Inherited permissions
  • Explicit Allow overrides Inherited Deny
• To evaluate effective permissions, you can use:
  • The Effective Permissions tab
  • Manual analysis
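A manual analysis of one trustee's ACEs on a delegated OU, applying the three conflict rules above, as an added example (not from the course). It assumes the Active Directory module (which provides the AD: drive); the OU and group names are placeholders. The Effective Permissions tab additionally expands group membership and per-object-type ACEs, which this simplified walk does not.

```powershell
# Added example: read the OU's DACL and rank one trustee's ACEs in the order
# Windows evaluates them: explicit Deny, explicit Allow, inherited Deny,
# inherited Allow. Assumed names: OU "Branch Office", group ADATUM\BranchAdmins.
Import-Module ActiveDirectory

$ouDn    = 'OU=Branch Office,DC=adatum,DC=com'
$trustee = 'ADATUM\BranchAdmins'

$acl = Get-Acl -Path "AD:\$ouDn"

# Every ACE that names the trustee, with the fields that decide precedence.
$aces = $acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee } |
    Select-Object IdentityReference, AccessControlType, IsInherited,
                  ActiveDirectoryRights, ObjectType, InheritanceType
$aces | Format-Table -AutoSize

# Rule 2 and 3: explicit before inherited; rule 1: within each, Deny before Allow.
# Sorting $false before $true puts explicit (IsInherited=$false) and Deny first.
$ranked = $aces | Sort-Object @{ e = { $_.IsInherited } },
                              @{ e = { $_.AccessControlType -ne 'Deny' } }

# For one right, the first ACE in that order that carries it decides.
function Get-DecidingAce {
    param([System.DirectoryServices.ActiveDirectoryRights]$Right)
    $ranked | Where-Object { ($_.ActiveDirectoryRights -band $Right) -ne 0 } |
        Select-Object -First 1
}

foreach ($right in 'CreateChild', 'DeleteChild', 'WriteProperty') {
    $d = Get-DecidingAce -Right $right
    if ($d) {
        $kind = if ($d.IsInherited) { 'inherited' } else { 'explicit' }
        "{0,-14} {1,-6} ({2})" -f $right, $d.AccessControlType, $kind
    } else {
        "{0,-14} no matching ACE: implicitly denied" -f $right
    }
}
```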
Demonstration: Delegating Administrative Control
In this demonstration, you will see how to:
• Delegate a standard task
• Delegate a custom task
• View AD DS permissions resulting from these delegations
Lab: Managing Active Directory Domain Services Objects
• Exercise 1: Delegating Administration for a Branch Office
• Exercise 2: Creating and Configuring User Accounts in AD DS
• Exercise 3: Managing Computer Objects in AD DS
Logon Information
Virtual Machines: 20410B-LON-DC1, 20410B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
A. Datum Corporation is a global engineering and manufacturing
company with a head office based in London, England. An IT office
and a data center are located in London to support the London office
and other locations. A. Datum has recently deployed a Windows
Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum as a desktop support specialist
and have visited desktop computers to troubleshoot application and
network problems. You have recently accepted a promotion to the
server support team. One of your first assignments is configuring the
infrastructure service for a new branch office.
To begin deployment of the new branch office, you are preparing
AD DS objects. As part of this preparation, you need to create an OU
for the branch office and delegate permission to manage it. Then you
need to create users and groups for the new branch office. Finally, you
need to reset the secure channel for a computer account that has lost
connectivity to the domain in the branch office.
Lab Review
• What are the options for modifying the attributes of new and existing users?
• What types of objects can be members of global groups?
• What types of objects can be members of domain local groups?
• What are the two credentials that are necessary for any computer to join a domain?
Module Review and Takeaways
• Review Questions
• Tools
• Best Practices
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 

Windows Server 2012 Managing Active Directory Domain

  • 1. Microsoft® Official Course Module 3 Managing Active Directory Domain Services Objects
  • 2. Module Overview • Managing User Accounts • Managing Group Accounts • Managing Computer Accounts • Delegating Administration
  • 3. Lesson 1: Managing User Accounts • AD DS Administration Tools • Creating User Accounts • Configuring User Account Attributes • Creating User Profiles • Demonstration: Managing User Accounts
  • 4. AD DS Administration Tools To manage AD DS objects, you can use the following graphical tools: • Active Directory Administration snap-ins • Active Directory Administrative Center You can also use the following command-line tools: • Active Directory module in Windows PowerShell • Directory Service commands (DSAdd, DSMod, DSQuery, DSGet, DSMove, DSRm)
  • 8. Demonstration: Managing User Accounts In this demonstration, you will see how to: • Open the Active Directory Administrative Center • Delete a user account • Create a new user account • Move the user account
  • 9. Lesson 2: Managing Group Accounts • Group Types • Group Scopes • Implementing Group Management • Default Groups • Special Identities • Demonstration: Managing Groups
  • 10. Group Types • Distribution groups • Used only with email applications • Not security-enabled (no SID); cannot be given permissions • Security groups • Security principal with an SID; can be given permissions • Can also be email-enabled
  • 11. Group Scopes (key: U = User, C = Computer, GG = Global Group, DLG = Domain Local Group, UG = Universal Group)
    Group scope | Members from same domain | Members from domain in same forest | Members from trusted external domain | Can be assigned permissions to resources
    Local | U, C, GG, DLG, UG and local users | U, C, GG, UG | U, C, GG | On the local computer only
    Domain Local | U, C, GG, DLG, UG | U, C, GG, UG | U, C, GG | Anywhere in the domain
    Universal | U, C, GG, UG | U, C, GG, UG | N/A | Anywhere in the forest
    Global | U, C, GG | N/A | N/A | Anywhere in the domain or a trusted domain
  • 12. Implementing Group Management (IGDLA) • I: Identities (users or computers), which are members of • G: Global groups, which collect members based on members' roles, which are members of • DL: Domain local groups, which provide management such as resource access, which are • A: Assigned access to a resource. Example: Sales (Global Group) and Auditors (Global Group) are members of ACL_Sales_Read (Domain Local Group), and only ACL_Sales_Read appears in the ACL of the Sales resource. In a multi-domain forest, it is IGUDLA, where U is Universal: the global groups from each domain are nested in a universal group, which is nested in the domain local group of the resource domain.
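The IGDLA chain from slide 12 built with the Active Directory module, as an added example that is not part of the course materials. It assumes a domain member with the ActiveDirectory module, an account allowed to create groups in the hypothetical OU=Groups,DC=adatum,DC=com and to change the ACL on the hypothetical folder D:\Shares\Sales, and the sAMAccountNames amy, don and april (assumed here).

```powershell
# Added example (not course code). All OU, share and account names are assumptions.
Import-Module ActiveDirectory
$groupOu   = 'OU=Groups,DC=adatum,DC=com'
$sharePath = 'D:\Shares\Sales'

# I -> G: identities go into role-based global groups (one per role, members from this domain)
New-ADGroup -Name 'Sales'    -GroupScope Global -GroupCategory Security -Path $groupOu
New-ADGroup -Name 'Auditors' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'Sales'    -Members 'amy', 'don'
Add-ADGroupMember -Identity 'Auditors' -Members 'april'

# G -> DL: one domain local group per resource and access level, named after what it grants
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu `
    -Description 'Read access to \\LON-DC1\Sales'
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'Sales', 'Auditors'

# DL -> A: only the domain local group is written into the resource's DACL
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'ADATUM\ACL_Sales_Read',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify the chain: who ends up with Read, and that no user or global group is in the DACL directly
Get-ADGroupMember -Identity 'ACL_Sales_Read' -Recursive | Select-Object name, objectClass
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -like 'ADATUM\*' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Group SIDs are placed in a user's token at logon, so a user added to Sales sees the new access only after signing out and back in (or a new Kerberos ticket). Keeping users and global groups out of the DACL is what makes the later review on slide 24 tractable: every grant on the resource is one domain local group whose membership explains itself.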
  • 13. Default Groups • Carefully manage the default groups that provide administrative privileges, because these groups: • Typically have broader privileges than are necessary for most delegated environments • Often apply protection to their members
    Group | Location
    Enterprise Admins | Users container of the forest root domain
    Schema Admins | Users container of the forest root domain
    Administrators | Built-in container of each domain
    Domain Admins | Users container of each domain
    Server Operators | Built-in container of each domain
    Account Operators | Built-in container of each domain
    Backup Operators | Built-in container of each domain
    Print Operators | Built-in container of each domain
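A membership audit of the groups in the slide 13 table, as an added example that is not part of the course materials. It assumes the ActiveDirectory module and an account with read access to the domain and forest root; nothing else is specific to the lab.

```powershell
# Added example (not course code): report the effective membership of the privileged default groups.
Import-Module ActiveDirectory
$forestRoot = (Get-ADForest).RootDomain      # Enterprise Admins and Schema Admins exist only here
$domain     = (Get-ADDomain).DNSRoot         # the rest exist in every domain

$privileged = @(
    @{ Name = 'Enterprise Admins'; Server = $forestRoot }
    @{ Name = 'Schema Admins';     Server = $forestRoot }
    @{ Name = 'Administrators';    Server = $domain }
    @{ Name = 'Domain Admins';     Server = $domain }
    @{ Name = 'Server Operators';  Server = $domain }
    @{ Name = 'Account Operators'; Server = $domain }
    @{ Name = 'Backup Operators';  Server = $domain }
    @{ Name = 'Print Operators';   Server = $domain }
)

$report = foreach ($g in $privileged) {
    # -Recursive expands nested groups, so a user who is privileged only via nesting still shows up
    Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Group  = $g.Name
                Domain = $g.Server
                Member = $_.SamAccountName
                Class  = $_.objectClass
            }
        }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# The "protection" the slide mentions is AdminSDHolder: members of these groups get adminCount=1
# and stop inheriting permissions. Accounts that keep adminCount=1 after leaving the groups are
# stale privilege and are worth a second look.
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf, objectClass
$protected | Select-Object Name, objectClass, @{ n = 'DirectGroups'; e = { $_.memberOf.Count } } |
    Sort-Object objectClass, Name
```

Get-ADGroupMember -Recursive cannot expand members that are foreign security principals from another forest or groups above the server-side member limit; run it against a domain controller of the group's own domain (as the -Server argument does) and treat an empty result for a group you know is populated as a failed query, not an empty group.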
  • 14. Special Identities • Special identities: • Are groups for which membership is controlled by the operating system • Can be used by the Windows Server operating system to provide access to resources: • Based on the type of authentication or connection • Not based on the user account • Important special identities include: • Anonymous Logon • Authenticated Users • Everyone • Interactive • Network
  • 15. Demonstration: Managing Groups In this demonstration, you will see how to: • Create a new group • Add members to the group • Add a user to the group • Change the group type and scope • Modify the group's Managed By property
  • 16. Lesson 3: Managing Computer Accounts • What Is the Computers Container? • Specifying the Location of Computer Accounts • Controlling Permissions to Create Computer Accounts • Computer Accounts and Secure Channels • Resetting the Secure Channel
  • 17. What Is the Computers Container?
  • 18. Specifying the Location of Computer Accounts • Best practice is to create OUs for computer objects • Servers • Typically subdivided by server role • Client computers • Typically subdivided by region • Divide OUs: • By administration • To facilitate configuration with Group Policy
  • 19. Controlling Permissions to Create Computer Accounts
  • 20. Computer Accounts and Secure Channels • Computers have accounts • sAMAccountName and password • Used to create a secure channel between the computer and a domain controller • Scenarios where a secure channel can be broken • Reinstalling a computer, even with same name, generates a new SID and password • Restoring a computer from an old backup, or rolling back a computer to an old snapshot • Computer and domain disagree about what the password is
  • 21. Resetting the Secure Channel • Do not remove a computer from the domain and rejoin • This process creates a new account, resulting in new SID and lost group memberships • Options for resetting the secure channel: • Active Directory Users and Computers • DSMod.exe • NetDom.exe • NLTest.exe • Windows PowerShell
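The check-then-repair sequence for slides 20 and 21, as an added example that is not part of the course materials. It is run in an elevated PowerShell session on the affected domain member; adatum.com, LON-DC1 and ADATUM\Administrator are the lab's names, and the delegated account is an assumption.

```powershell
# Added example (not course code): verify and reset the secure channel without leaving the domain.

# 1. Diagnose before changing anything. $true means the channel is healthy.
Test-ComputerSecureChannel -Verbose
nltest /sc_verify:adatum.com          # shows which DC the channel is built to and its status
nltest /sc_query:adatum.com           # read-only status of the existing channel

# 2. Repair in place. This resets the computer account password on the DC and locally,
#    needs no reboot, and keeps the SID and group memberships of the existing object.
#    It requires Reset Password on the computer object, so supply credentials explicitly
#    rather than relying on the machine identity that can no longer authenticate.
$cred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Account with Reset Password on the computer object'
Test-ComputerSecureChannel -Repair -Credential $cred -Server 'LON-DC1.adatum.com'

# 3. Equivalent resets with the other tools the slide lists (pick one; all of them avoid a rejoin)
# Reset-ComputerMachinePassword -Server 'LON-DC1.adatum.com' -Credential $cred
# nltest /sc_reset:adatum.com\LON-DC1
# netdom resetpwd /server:LON-DC1.adatum.com /userd:ADATUM\Administrator /passwordd:*

# 4. Confirm, and check that the object still carries its memberships
Test-ComputerSecureChannel
Get-ADComputer -Identity $env:COMPUTERNAME -Server 'LON-DC1.adatum.com' -Properties memberOf |
    Select-Object DistinguishedName, Enabled, memberOf
```

If the repair fails with an access-denied error, the account used lacks Reset Password on the computer object (see the delegation lesson); if it fails because the computer object no longer exists, only a join can recreate it, and the new object will have a new SID.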
  • 22. Lesson 4: Delegating Administration • AD DS Permissions • Effective AD DS Permissions • Demonstration: Delegating Administrative Control
  • 24. Effective AD DS Permissions Permissions assigned to users and groups accumulate. Best practice is to assign permissions to groups, not to individual users. In the event of conflicts: • Deny permissions override Allow permissions • Explicit permissions override Inherited permissions • Explicit Allow overrides Inherited Deny To evaluate effective permissions, you can use: • The Effective Permissions tab • Manual analysis
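The "manual analysis" from slide 24, written out as the evaluation order Windows actually applies to a DACL (explicit Deny, explicit Allow, inherited Deny, inherited Allow; the first ACE that covers a right decides it). This is an added example, not course code: the ACE list is constructed inline with hypothetical group names, and rights are plain strings, so it ignores the object-type GUIDs and owner rights that the real evaluator also considers. Real ACEs come from (Get-Acl 'AD:\OU=...').Access, whose property names the function mirrors.

```powershell
# Added example (not course code): apply the slide 24 precedence rules to a constructed DACL.
function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Aces,             # Principal, AccessControlType, Rights, IsInherited
        [Parameter(Mandatory)] [string[]] $TokenIdentities,  # the user plus every group SID its token carries
        [Parameter(Mandatory)] [string[]] $RequestedRights
    )
    # Canonical order: explicit before inherited ($false sorts first), Deny before Allow within each.
    $ordered = $Aces |
        Where-Object { $TokenIdentities -contains $_.Principal } |
        Sort-Object { $_.IsInherited }, { $_.AccessControlType -eq 'Allow' }

    $result = [ordered]@{}
    foreach ($right in $RequestedRights) {
        $decision = 'NotGranted'   # no ACE at all is an implicit deny, not an Allow
        foreach ($ace in $ordered) {
            if ($ace.Rights -contains $right) { $decision = $ace.AccessControlType; break }
        }
        $result[$right] = $decision
    }
    [pscustomobject]$result
}

# Constructed DACL on a hypothetical OU=Branch: two explicit ACEs on the OU, two inherited from the domain.
$aces = @(
    [pscustomobject]@{ Principal = 'HelpDesk';    AccessControlType = 'Allow'; Rights = @('ResetPassword', 'CreateChild', 'Delete'); IsInherited = $false }
    [pscustomobject]@{ Principal = 'Contractors'; AccessControlType = 'Deny';  Rights = @('CreateChild');                            IsInherited = $false }
    [pscustomobject]@{ Principal = 'Everyone';    AccessControlType = 'Deny';  Rights = @('Delete');                                 IsInherited = $true  }
    [pscustomobject]@{ Principal = 'Everyone';    AccessControlType = 'Allow'; Rights = @('ReadProperty');                           IsInherited = $true  }
)

# amy is in HelpDesk and Contractors; every token also carries Everyone.
Get-EffectiveAccess -Aces $aces `
    -TokenIdentities 'amy', 'HelpDesk', 'Contractors', 'Everyone' `
    -RequestedRights 'ResetPassword', 'CreateChild', 'Delete', 'ReadProperty', 'DeleteChild'
```

Each requested right exercises one rule: ResetPassword has only an explicit Allow; CreateChild has an explicit Deny competing with an explicit Allow, and Deny wins; Delete has an explicit Allow competing with an inherited Deny, and the explicit ACE wins; ReadProperty comes only from an inherited Allow; DeleteChild has no ACE and is therefore not granted. When the answer surprises you on a real OU, the usual cause is a group membership you did not know the user had, which is why the slide recommends permissions on groups only.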
  • 25. Demonstration: Delegating Administrative Control In this demonstration, you will see how to: • Delegate a standard task • Delegate a custom task • View AD DS permissions resulting from these delegations
  • 26. Lab: Managing Active Directory Domain Services Objects • Exercise 1: Delegating Administration for a Branch Office • Exercise 2: Creating and Configuring User Accounts in AD DS • Exercise 3: Managing Computer Objects in AD DS Logon Information Virtual Machines 20410B-LON-DC1 20410B-LON-CL1 User name Adatum\Administrator Password Pa$$w0rd Estimated Time: 60 minutes
  • 27. Lab Scenario A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been working for A. Datum as a desktop support specialist and have visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office. To begin deployment of the new branch office, you are preparing AD DS objects. As part of this preparation, you need to create an OU for the branch office and delegate permission to manage it. Then you need to create users and groups for the new branch office. Finally, you need to reset the secure channel for a computer account that has lost connectivity to the domain in the branch office.
  • 28. Lab Review • What are the options for modifying the attributes of new and existing users? • What types of objects can be members of global groups? • What types of objects can be members of domain local groups? • What are the two credentials that are necessary for any computer to join a domain?
  • 29. Module Review and Takeaways • Review Questions • Tools • Best Practices

Editor's Notes

  • #2: Presentation: 90 minutes Lab: 60 minutes After completing this module, students will be able to: Manage user accounts with graphical tools. Manage groups with graphical tools. Manage computer accounts. Delegate permission to perform Active Directory® Domain Services (AD DS) administration. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20410B_03.pptx. Important: It is recommended that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, all the features of the slides might not be displayed correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on‑the‑job performance.
  • #4: One way to approach this lesson’s content is to make the demonstrations your focus. Start the demonstrations, and then discuss the content in the topics as you proceed. This might take a couple of practices before you can perform the demonstrations without reference to the notes pages, but it makes the lesson a more engaging experience for the students.
  • #5: Consider demonstrating each tool as you discuss it.
  • #6: Consider performing a demonstration of creating a user account, by using the steps that the student handbook provides. Discussion Prompt Ask your students about their user account naming strategies.
  • #7: Consider opening users’ accounts and viewing their account properties as you discuss this content with your students.
  • #8: Consider demonstrating this procedure while you discuss the content with your students.
  • #9: Discussion Prompt When discussing the content that precedes the demonstration steps, students might be interested in discussing how to communicate a password change to users. Ask your students how they currently achieve this, and have them think about other methods. Possible solutions include sending a text to their cell phones, sending an email, making a telephone call, and so on. Windows PowerShell If appropriate, consider mentioning to your students that they can also use Windows PowerShell® cmdlets to perform common user administration tasks, such as resetting a user's password by using the Set-ADAccountPassword cmdlet. For example, the following command resets Amy's password:
    Set-ADAccountPassword -Identity 'cn=amy, ou=IT, dc=contoso, dc=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd2' -Force)
    Keep the password in single quotes: inside a double-quoted string PowerShell expands $$ to the current process ID, so "Pa$$w0rd2" would set a different password than the one intended. Passwords typed on the command line also end up in the PowerShell history; prompting with Read-Host -AsSecureString avoids that. To unlock a user account by using Windows PowerShell, you can use the following command:
    Unlock-ADAccount -Identity 'cn=amy strand, ou=IT, dc=contoso, dc=com'
    To disable or enable a user account with Windows PowerShell, type the following cmdlets at a Windows PowerShell prompt:
    Enable-ADAccount -Identity <name>
    Disable-ADAccount -Identity <name>
  • #10: Preparation Steps Start the required virtual machine, 20410B-LON-DC1. Demonstration Steps Open the Active Directory Administrative Center Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd. On LON-DC1, in the Server Manager, click Tools. Click Active Directory Administrative Center. In the Active Directory Administrative Center, expand Adatum (local), and then click Managers. Delete a user account In Managers, right-click Ed Meadows, and then click Delete. In the Delete Confirmation dialog box, click Yes. Create a new user account In the Action pane, click New, and then click User. In the Create User: dialog box, in the Full name box, type Ed Meadows. In the User UPN logon box, type Ed. In the Password and Confirm password boxes, type Pa$$w0rd, and then click OK. Move the user account Right-click Ed Meadows, and then click Move. Click the IT organizational unit (OU), and then click OK. In the navigation pane, click Adatum (local). In the results pane, double-click IT. Verify that Ed Meadows' account is listed. Point out that the recreated account has a new SID, so none of the deleted account's group memberships or permissions carry over. Leave the virtual machine running for the next demonstration.
  • #11: Some students that are new to Windows Server often have difficulty grasping the concept of groups within groups. Consider using your whiteboard for this lesson, and drawing three domains as triangles. Add a file resource to each domain, and then ask your students to consider how any file permissions would be required if each domain hosted 100 users that each needed access to the three file resources in your three domains. Then group the three sets of 100 users, and repeat the question. Then group the groups. This elegantly demonstrates the benefit of nesting groups. Now all you need to do is to explain the particulars of the types and scopes in Windows Server. As with lesson 1, consider making the demonstration the focus of this lesson.
  • #12: You can use distribution groups to send messages to collections of users, but only with messaging applications such as Microsoft Exchange Server. Stress that distribution lists are not assigned a security identifier (SID), so they cannot be listed in discretionary access control lists (DACLs). You use security groups to assign rights and permissions to groups of users and groups of computers. A security group is assigned a SID, which determines the permissions of a user whenever a user who is a member of a security group tries to access a network resource.
  • #13: Use the table to describe group scopes. Consider drawing a diagram with several domains that shows where you can create groups, and the implications of each group scope.
  • #14: Use this animated slide to explain the example in the student notes. You will need to click four times to see all the stages in this slide, which are: Identities Global groups Domain local groups Assigned resource access Alternatively, draw an illustration on the whiteboard by using the following guidelines to illustrate the advantage of group nesting: 1. Draw three domain objects, each containing five users. Draw a file object in one of the three domains. Question: How many file permissions would you need to create to assign permissions on this file for each user? Answer: You would need to create fifteen file permissions. 2. Draw a circle around the five users in each domain, explaining that the circles represent global groups. Question: How many permissions on the file would you need to assign at the global group level? Answer: You would need to assign three permissions. 3. Draw a circle adjacent to the file. Draw arrows from your global groups to this circle, indicating that you have added these groups to a local group in the resource holding domain. Question: How many permissions must you assign to the local group? Answer: You must assign one permission to the local group.
  • #15: Show your students the groups mentioned on the slide as you discuss them.
  • #16: Show your students the groups that are mentioned on the slide, as you discuss them.
  • #17: Preparation Steps The required virtual machine, 20410B‑LON‑DC1 should already be running after the preceding demonstration. Demonstration Steps Create a new group On LON‑DC1, switch to Active Directory Administrative Center. In the Tasks list, under IT, point to New, and then click Group. In the Create Group dialog box, in the Group name box, type IT Managers. Add members to the group Scroll down, and under Members, click Add. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples): box, type April; Don; , click Check Names, and then click OK. In the Create Group: IT Managers dialog box, click OK. Add a user to the group In the details pane, right‑click Ed Meadows. Click Add to group. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type IT Managers, click Check Names, and then click OK.
  • #18: Change the group type and scope In the details pane, double-click IT Managers. In the IT Managers dialog box, under Group scope, click Universal. Under Group type, click Distribution, and then click OK. Point out that a distribution group is not security-enabled, so any permissions assigned to IT Managers stop applying while it is a distribution group. Modify the group's Managed By property In the details pane, double-click IT Managers. In the details pane under Managed By, click Edit. In the Select Groups dialog box, in the Enter the object names to select (examples) box, type Ed Meadows, click Check Names, and then click OK. Select the Manager can update membership list check box, and then click OK. Leave the virtual machine running for the next demonstration.
  • #19: There are no demonstrations within this lesson. As you work your way through the content, consider performing small, impromptu demonstrations to help reinforce the content.
  • #20: Consider opening Active Directory Users and Computers or Active Directory Administrative Center and demonstrating the default location for computer objects.
  • #21: Emphasize the best practice of creating custom OUs for computer objects, rather than relying on the default Computers container. Help students understand just enough about delegation (assigning permissions to OUs) and about configuration (linking GPOs to OUs) to understand how they might choose to design OU branches for clients and servers. Later modules go into more detail about Group Policy and delegation, and their impact on OU design. Do not go into too much detail here, but rather use the opportunity to introduce students to these concepts.
  • #22: Consider demonstrating the process of delegating control over computer creation and deletion.
  • #23: Explain to students that the secure channel between a computer and a domain controller is used for all communication with the domain, including authentication of a user logon to the computer. The secure channel is established when the computer authenticates to the domain by using its user name and password. Like users, computers have logon names and passwords. If the computer is unable to log on successfully, the secure channel is not established. The effect is similar to when a user enters the wrong user name or password. In both circumstances, the user is not able to authenticate to the domain. There are several scenarios during which the secure channel can be broken. Three of them are listed on the slide. What is not listed on the slide is Administrator errors in AD DS. These can include dangerous Active Directory actions, such as rolling back a domain controller that is running a snapshot. You should mention that there are several ways for an administrator to damage AD DS (manually, automatically, intentionally, or accidentally), and damage might become apparent with broken secure channels. Discussion Prompt Ask students: What scenarios have you encountered in which you identified that the secure channel was broken? How did you know the secure channel was broken? After students have shared their experiences, ask the question a slightly different way: What scenarios have caused you to remove a computer from the domain, and then rejoin it to the domain? This is a very common technique that administrators use to reset a secure channel. They often do not realize what they are actually doing when they remove the computer and then rejoin the domain. 
If students have not already mentioned the logon message that states, “The trust relationship between the workstation and the primary domain failed,” ask the students the following question: Have you ever tried to log on to the domain and received a message telling you that the computer could not talk to the domain? What messages did you receive? Help students delineate messages such as “A domain controller is not available,” which is typically the result of networking connectivity problems, from messages that mention trust with the domain or otherwise indicate problems with the secure channel. With these setups, move on to the next slide.
  • #24: A broken computer account manifests itself with a variety of symptoms, error messages, and event‑log entries. Mention that a user might be able to log on to a machine with a broken secure channel using cached credentials, but they will experience other strange behavior, because authentication cannot use Kerberos version 5 (V5) protocol without a functioning secure channel. Because NLTest.exe and NetDom.exe reset the secure channel without requiring a reboot, you should try those commands first. Only if you are not successful should you use the Reset Account command or DSMod.exe to reset the computer account. Resetting the secure channel requires the Reset Password permission on the computer object.
  • #25: Consider starting the demonstration topic, and then discussing the content in the other three topics. Start the lesson by asking your students to consider at what point a single administrator is unable to manage a network by themselves, and how best to consider allocating administrative tasks to other administrators.
  • #26: Consider demonstrating the process of viewing permissions.
  • #27: Consider demonstrating the process of viewing effective permissions.
  • #28: Preparation Steps The required virtual machine, 20410B‑LON‑DC1, should be running after the preceding demonstration. Demonstration Steps Delegate a standard task From Server Manager, click Tools, and then click Active Directory Users and Computers. In the navigation pane, right‑click IT, and then click Delegate Control. In the Delegation of Control Wizard, click Next. On the Users or Groups page, click Add. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type IT, and then click OK. On the Users or Groups page, click Next. On the Tasks to Delegate page, in the Delegate the following common tasks: list, select the Create, delete, and manage user accounts, Reset user passwords and force password change at next logon, and Read all user information check boxes, and then click Next. On the Completing the Delegation of Control Wizard page, click Finish. Delegate a custom task In the navigation pane, right‑click IT, and then click Delegate Control. In the Delegation of Control Wizard, click Next. On the Users or Groups page, click Add. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type IT, and then click OK.
  • #29: On the Users or Groups page, click Next. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next. On the Active Directory Object Type page, click Only the following objects in the folder. In the list, select the Computer objects check box. Select the Create selected objects in this folder and the Delete selected objects in this folder check boxes, and then click Next. On the Permissions page, in the Permissions list, select the Full Control check box, and then click Next. On the Completing the Delegation of Control Wizard page, click Finish. View AD DS permissions resulting from these delegations On the View menu, click Advanced Features. In the navigation pane, right‑click IT, and then click Properties. In the IT Properties dialog box, click the Security tab. In the Security tab, click Advanced. In the Advanced Security Settings for IT dialog box, notice the Allow permissions that are assigned to IT (ADATUM\IT). These were created during the delegation process. Click Cancel twice, and then close all open windows except Server Manager. After the demonstration, revert all virtual machines.
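The standard task from this demonstration ("Reset user passwords and force password change at next logon", slide 22 and the steps above) reproduced without the wizard, as an added example that is not part of the course materials. Under the hood that task is the Reset Password extended right plus read/write on pwdLastSet, both scoped to descendant user objects; the script looks the GUIDs up from the schema and configuration partitions rather than hard-coding them. It assumes the ActiveDirectory module, an account with Modify Permissions on the OU, and the hypothetical OU=Branch1,DC=adatum,DC=com and group Branch1_HelpDesk.

```powershell
# Added example (not course code): delegate password reset on an OU with Get-Acl/Set-Acl on the AD: drive.
Import-Module ActiveDirectory
$ouPath   = 'AD:\OU=Branch1,DC=adatum,DC=com'
$groupSid = (Get-ADGroup -Identity 'Branch1_HelpDesk').SID

# Resolve the GUIDs from the directory so the script is correct in any forest.
$rootDse       = Get-ADRootDSE
$schemaNc      = $rootDse.schemaNamingContext
$extRightsPath = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$userClassGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwdLastSet))' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid   = [guid](Get-ADObject -SearchBase $extRightsPath -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path $ouPath

# ACE 1: the "Reset Password" control access right, on user objects below the OU only
# (Descendents + inheritedObjectType = user), never on the OU itself or on computers.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: read/write pwdLastSet, which is what "user must change password at next logon" sets (to 0).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path $ouPath -AclObject $acl

# Verify: the explicit ACEs for the group, with the object-type GUIDs they are scoped to.
(Get-Acl -Path $ouPath).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*Branch1_HelpDesk' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The same verification step is the one to run periodically on delegated OUs: an ACE whose ObjectType is the all-zero GUID grants every extended right (including Reset Password on every descendant, not just users), and that is the usual outcome of the custom-task path with Full Control shown in the demonstration.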
  • #30: Before the students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind the students to complete the discussion questions after the last lab exercise. Exercise 1: Delegating Administration for a Branch Office A. Datum delegates management of each branch office to a specific group. This allows an employee who works onsite to be configured as an administrator when required. Each branch office has a branch administrators group that is able to perform full administration within the branch office OU. There is also a branch office help desk group that is able to manage users in the branch office OU, but not other objects. You need to create these groups for the new branch office and delegate permissions to the groups. Exercise 2: Creating and Configuring User Accounts in AD DS You have been a given a list of new users for the branch office, and you need to begin creating user accounts for them. Exercise 3: Managing Computer Objects in AD DS A workstation has lost its connectivity to the domain and cannot authenticate users properly. When users attempt to access resources from this workstation, access is denied. You need to reset the computer account to recreate the trust relationship between the client and the domain.
  • #32: Question What are the options for modifying the attributes of new and existing users? Answer To modify attributes of new and existing users, you can select multiple users and then open the Properties dialog box, you can use the DSMod command, or you can create a user account based on a user account template. Alternatively, you can use the Set-ADUser Windows PowerShell cmdlet. Question What types of objects can be members of global groups? Answer Global groups can include as members users, computers, and other roles (global groups) from the same domain. Question What types of objects can be members of domain local groups? Answer Domain local groups can contain roles (global groups) and individual users or computers from any trusted domain in the same forest or an external forest, and other domain local groups from the same domain. Finally, domain local groups can contain universal groups from anywhere in the forest. Question What are the two credentials that are necessary for any computer to join a domain? Answer The necessary credentials are local credentials that are in the local Administrators group of the computer, and domain credentials that have permission to create the computer account in the target OU or container, or to join the computer to an account that has already been created there.
  • #33: Review Questions Point students to the appropriate section in the course so that they are able to answer the questions that this section presents. Question A company with branches in multiple cities has members of a sales team that travel frequently between domains. Each of these domains has their own printers that are managed by using domain local groups. How can you provide these members with access to the various domains printers? Answer You can create a group with domain local scope, and assign it permission to access the printer. Put the Sales user accounts in a group with global scope, and then add this group to the group having domain local scope. When you want to give the Sales users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope receive access to the new printer automatically. Question You are responsible for managing accounts and access to resources for your group members. A user in your group transfers to another department within the company. What should you do with the user’s account? Answer Although your company might have a Human Resources representative with AD DS permissions to move user accounts, the best solution is to move the user account into the appropriate OU of the new department. In this manner, the Group Policies associated with the new department are enforced. If applying the correct Group Policies is important, the user’s account should be disabled until somebody with appropriate security permissions can move it into the new OU.
  • #34:
    Question: What is the main difference between the Computers container and an OU?
    Answer: You cannot create an OU within a Computers container, so you cannot subdivide the Computers OU. In addition, you cannot link a GPO to a container. Because of this, as a best practice you should move the newly created computer account from the Computers container to an OU.
    Question: When should you reset a computer account? Why is it better to reset the computer account rather than to disjoin and then rejoin it to the domain?
    Answer: You should reset a computer account when the computer is no longer able to authenticate to the domain. That can happen if the operating system is reinstalled, if the computer is restored from backup, or if the password is out of the synchronization interval. It is better to reset the computer account because if you disjoin the computer from a domain and then rejoin it, you risk losing the computer account completely, which results in the computer’s SID being lost, and more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be recreated.
    Question: A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS; however, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?
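The reset-versus-rejoin answer above can be verified rather than taken on trust: record the computer object's SID and group memberships before the reset and compare afterwards. This is an added example, not course material; it assumes a client LON-CL1, a domain controller LON-DC1, the ActiveDirectory module on a management host, and a snapshot path of C:\Temp.

```powershell
# Added example, not part of the course notes. Assumed names: client LON-CL1,
# DC LON-DC1, domain CONTOSO, snapshot file C:\Temp\LON-CL1.xml.
Import-Module ActiveDirectory

function Save-ComputerIdentity {
    # Step 1 (management host): record what a disjoin/rejoin would destroy,
    # the object's SID and its group memberships.
    param([string]$Computer, [string]$Server, [string]$Path)
    Get-ADComputer -Identity $Computer -Server $Server -Properties MemberOf |
        Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }, MemberOf |
        Export-Clixml -Path $Path
}

function Test-ComputerIdentityPreserved {
    # Step 3 (management host): the account must still be the same object:
    # identical SID and identical MemberOf list. A rejoin produces a new SID.
    param([string]$Computer, [string]$Server, [string]$Path)
    $before = Import-Clixml -Path $Path
    $after  = Get-ADComputer -Identity $Computer -Server $Server -Properties MemberOf
    [pscustomobject]@{
        Computer        = $Computer
        SidPreserved    = ($after.SID.Value -eq $before.SID)
        GroupsPreserved = (-not (Compare-Object @($before.MemberOf) @($after.MemberOf)))
    }
}

# Step 1: before touching the client.
Save-ComputerIdentity -Computer 'LON-CL1' -Server 'LON-DC1' -Path 'C:\Temp\LON-CL1.xml'

# Step 2: on LON-CL1 itself, logged on as a local administrator (a local logon still works
# when the secure channel is broken), reset the machine account password instead of
# disjoining. This is the cmdlet equivalent of "Reset Account" plus repairing the channel:
#   Test-ComputerSecureChannel -Repair -Server LON-DC1 -Credential CONTOSO\Administrator

# Step 3: both flags should be True. False on SidPreserved means a new account was
# created (the rejoin case) and every group membership has to be rebuilt by hand.
Test-ComputerIdentityPreserved -Computer 'LON-CL1' -Server 'LON-DC1' -Path 'C:\Temp\LON-CL1.xml'
```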
  • #35:
    Answer: The best way to do this is to create a new global security group and then add the project members to the group. Create a new OU outside your department’s OU, and then assign full control of the OU to the project manager. Add the global group to the new OU, and then add resources to the OU such as shared files and printers. Keep track of the project, and delete the global group when the work finishes. You can keep the OU if another project requires it; however, you should delete it if there is no immediate need for it.
    Question: You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server–based infrastructure. You have to find a method for joining new Windows 8-based computers to a domain during the installation process, without intervention of a user or an administrator. What is the best way to do this?
    Answer: The best way to do this is to provision the computer accounts to AD DS by using the djoin tool with the /provision switch, and then use an unattended setup to perform the installation. By using a tool such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing information in an Unattend.xml file that is relevant to the domain join.
    Tools
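The two answers above (a delegated project OU, and djoin /provision for an unattended join) fit together as one workflow: create the OU, scope the project manager's rights to it, and pre-create the project's computers inside it. The script below is an added example, not from the course; it assumes a domain contoso.com, an OU named Project-Phoenix, a project manager account pmanager, constructed member accounts asmith and cwong, a new client LON-CL7, and a blob folder C:\Provision.

```powershell
# Added example, not from the course notes. Assumed names: domain contoso.com,
# OU Project-Phoenix, manager account pmanager, constructed members asmith/cwong,
# new client LON-CL7, provisioning blob folder C:\Provision.
Import-Module ActiveDirectory

$domainDN  = 'DC=contoso,DC=com'
$projectOU = "OU=Project-Phoenix,$domainDN"

# 1. An OU outside the department OU is the boundary of the delegation:
#    Full Control here, and no rights anywhere else in the directory.
New-ADOrganizationalUnit -Name 'Project-Phoenix' -Path $domainDN

# 2. The project members go into a global security group kept inside the project OU.
New-ADGroup -Name 'Role_Project-Phoenix' -GroupScope Global -GroupCategory Security -Path $projectOU
Add-ADGroupMember -Identity 'Role_Project-Phoenix' -Members 'asmith', 'cwong'

# 3. Delegate Full Control (GenericAll) of the OU and everything beneath it to the
#    project manager, the same ACE the Delegation of Control Wizard writes for "Full Control".
$manager = Get-ADUser -Identity 'pmanager'
$acl = Get-Acl -Path "AD:\$projectOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$projectOU" -AclObject $acl

# Check: the ACE is present on the project OU; the department OU's ACL is untouched.
(Get-Acl -Path "AD:\$projectOU").Access |
    Where-Object { $_.IdentityReference -like "*\$($manager.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# 4. Offline domain join: pre-create the project computers in the OU with djoin.exe.
#    The saved blob lets a machine take over that account, so store it like a password,
#    keep it out of shared images, and delete it once the unattended build has used it.
djoin.exe /provision /domain contoso.com /machine LON-CL7 /machineou $projectOU /savefile C:\Provision\LON-CL7.txt
#    In Windows System Image Manager, the file's content goes into Unattend.xml under the
#    specialize pass: Microsoft-Windows-UnattendedJoin > Identification > Provisioning > AccountData.
```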
  • #36: Best Practices
    Best Practices for User Account Management
      • Do not let users share user accounts. Always create a user account for each individual, even if that person will not be with your organization for long.
      • Educate users about the importance of password security.
      • Ensure that you choose a naming strategy for user accounts that enables you to identify the user to whom the account relates. Also ensure that your naming strategy uses unique names within your domain.
    Best Practices for Group Management
      • When managing access to resources, try to use both domain local groups and role groups.
      • Use universal groups only when necessary, because they add weight to replication traffic.
      • Use Windows PowerShell with the Active Directory module for batch jobs on groups.
      • Avoid adding users to built-in and default groups.
    Best Practices Related to Computer Account Management
      • Always provision a computer account before joining computers to a domain, and then place them in the appropriate OU.
      • Redirect the default computer container to another location.
      • Reset the computer account instead of disjoining and rejoining.
      • Integrate the Offline Domain Join functionality with unattended installations.