Chapter 11. Exam 70-294 Study Guide


groups, user authentication, and organizational units. Also covers creating organizational units.

Planning and Implementing Group Policy
Designed to test your knowledge of using Group Policy to configure user and computer environments. Also covers the automation features of Group Policy.

Managing and Maintaining Group Policy
Designed to test your knowledge of troubleshooting Group Policy and using Resultant Set of Policy (RSoP). Also covers maintaining installed software using Group Policy.

The sections of this chapter are designed to reinforce your knowledge of these topics. Ideally, you will review this chapter as thoroughly as you would your course notes in preparation for a college professor's final exam. That means multiple readings of the chapter, committing to memory key concepts, and performing any necessary outside readings if there are topics you have difficulty with.

As part of your preparation, I recommend creating a test environment that contains a forest root domain and a child domain, with four servers running Windows Server 2003. In the forest root domain, install two domain controllers to handle the forest and parent domain roles. In a child domain, install two domain controllers to handle child domain roles. This configuration should help ensure that you can practice all the management and maintenance tasks measured by the exam.

If you are unable to use four systems for testing, you can use two separate configurations of two systems for preparation. In the first configuration, you should install a forest root domain controller and a domain controller in a child domain. In the second configuration, you should install two domain controllers in the same domain.



11.1. Planning an Active Directory Forest and Domain Structure

Active Directory directory service is used when computers are organized into domains. The configuration of an organization's Active Directory infrastructure is critically important to ensure proper domain operations. Active Directory has physical and logical components.



11.1.1. Understanding Active Directory Infrastructure and Partitions

Active Directory infrastructure is built around three key structures:

Domains
Logical groupings of objects that allow centralized management and control. Every organization has at least one domain, which is implemented when Active Directory is installed on the first domain controller in that domain.

Domain trees
Groups of domains that share the same namespace. Every domain tree has a root domain, which is at the top of the domain tree. Domains in a domain tree have two-way transitive trusts between them.

Forests
Groups of domain trees that are grouped together to share resources. Every forest has a forest root domain, which is the first domain created in the forest. Domain trees in a forest have two-way transitive trusts between them.

Forests and domains are considered to be the logical components of Active Directory. Use logical components to organize accounts and resources. Establish Active Directory infrastructure by creating the forest root domain, and then adding any other domains that are needed.

Active Directory represents data stored in the database as objects. Objects have several types of names associated with them:

Common name (CN)
The name assigned when the object is created with the CN= designator. For example, the user account for William R. Stanek is created as a user object and has the common name of CN=William R. Stanek.

Distinguished name (DN)
Describes the object's place in the directory according to the series of containers in which it is stored. No two objects in the directory have the same distinguished name. Most objects are contained within Organizational Unit (OU) containers or within a default container (CN). As an example, the Engineering OU in the WilliamStanek.com domain would have a distinguished name of OU=engineering,DC=williamstanek,DC=com.



All objects in the directory have parents except for the root of the directory tree, which is referred to as the rootDSE. The rootDSE represents the top of the logical namespace for a directory. Below the rootDSE is the root domain, which is established when you create the first domain in an Active Directory forest. Once established, the forest root domain never changes.

When you install Active Directory on the first domain controller in a new forest, three containers are created below the rootDSE. These containers are as follows:

Forest Root Domain container
The container for objects in the forest root domain.

Configuration container
The container for the default configuration and all policy information.

Schema container
The container for all object classes, attributes, and syntaxes.

The forest root domain, configuration, and schema containers are defined within like-named partitions:



Forest Root Domain partition
Stores the Forest Root Domain container

Configuration partition
Stores the Configuration container

Schema partition
Stores the Schema container

Active Directory uses partitions to logically divide up the directory. Partitions are the largest logical category of objects in the directory. All directory partitions are created as instances of the domainDNS object class.

Active Directory sees domains as another type of container object. When you create a new domain, you create a new container object in the directory tree, which is stored in a domain directory partition for the purposes of management and replication.

Active Directory partitions are used to distribute three general types of data:



Domain-wide data
Domain-wide data is replicated to every domain controller in a domain. Data in a domain directory partition is replicated to every domain controller in the domain as a writable replica.

Forest-wide data
Forest-wide data is replicated to every domain controller in a forest. The configuration partition is replicated as a writable replica. The schema partition is replicated as a read-only replica, and the only writable replica is stored on a domain controller which is designated as having the schema operations master role.

Application data
Application partition data is replicated on a forest-wide, domain-wide, or other basis to domain controllers that have a particular application partition. Domain controllers running Windows 2000 or earlier versions of Windows do not recognize user-defined application partitions. If a domain controller doesn't have an application partition, it doesn't receive a replica of the application partition. Another name for an application data partition is an application directory partition.



Tip: All domain controllers store at least one domain directory partition and two forest-wide data partitions. If a domain controller is also a DNS server that uses Active Directory-integrated zones, the DNS data is stored in application data partitions. These application data partitions are ForestDnsZones and DomainDnsZones.
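The partition types described above can be checked against the naming contexts a domain controller reports in its rootDSE. The following Python sketch is an added example, not part of the original study guide: it compares distinguished names case-insensitively, classifies each naming context, and reports custom application partitions for review. The sample rootDSE values are constructed, and the rule that any naming context other than the domain, configuration, and schema partitions is an application partition is an assumption of this example.

```python
# Constructed rootDSE attributes for a hypothetical DC (sample data, not real output).
SAMPLE_ROOT_DSE = {
    "defaultNamingContext": "DC=domain,DC=local",
    "configurationNamingContext": "CN=Configuration,DC=domain,DC=local",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=domain,DC=local",
    "namingContexts": [
        "DC=domain,DC=local",
        "CN=Configuration,DC=domain,DC=local",
        "CN=Schema,CN=Configuration,DC=domain,DC=local",
        "DC=DomainDnsZones,DC=domain,DC=local",
        "DC=ForestDnsZones,DC=domain,DC=local",
        "dc=appdata1,dc=domain,dc=local",
    ],
}
DNS_PARTITIONS = {"domaindnszones", "forestdnszones"}  # the two named in the Tip
ROLE_ATTRS = {"defaultNamingContext": "domain",
              "configurationNamingContext": "configuration",
              "schemaNamingContext": "schema"}


def normalize_dn(dn):
    """Split a DN on unescaped commas; return case-folded (type, value) pairs."""
    parts, escaped = [""], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("")
        else:
            parts[-1] += ch
        escaped = ch == "\\" and not escaped
    pairs = (p.strip().partition("=") for p in parts)
    return tuple((a.strip().upper(), v.strip().lower()) for a, _, v in pairs)


def classify_partitions(root_dse):
    """Map each naming context held by the DC to the partition type it represents."""
    known = {normalize_dn(root_dse[attr]): kind for attr, kind in ROLE_ATTRS.items()}
    kinds = {}
    for nc in root_dse["namingContexts"]:
        key = normalize_dn(nc)
        # Assumption: any other naming context held here is an application partition.
        default = "dns-application" if key[0][1] in DNS_PARTITIONS else "application"
        kinds[nc] = known.get(key, default)
    return kinds


def review(root_dse):
    """Return (required partition types missing, custom application partitions)."""
    kinds = classify_partitions(root_dse)
    missing = set(ROLE_ATTRS.values()) - set(kinds.values())
    return missing, sorted(nc for nc, kind in kinds.items() if kind == "application")
```

An empty first element confirms the domain, configuration, and schema partitions are all present; the second lists application partitions other than the two DNS ones, which an administrator should be able to account for.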

In addition to full replicas, which are distributed within domains, Active Directory distributes partial replicas of every domain in the forest to special domain controllers designated as global catalog servers. These partial replicas contain information on every object in the forest and are used to facilitate searches and queries. Because only a subset of an object's attributes is stored, the data replica is significantly smaller than the total size of all object data stored in all domains in the forest. Every domain must have at least one global catalog server. By default, the first domain controller installed in a domain is configured as a global catalog server. The global catalog can be changed and additional servers can be designated for hosting global catalogs as necessary.



11.1.2. Creating the Forest Root Domain

You create a forest root domain when you install Active Directory on the first domain controller in a new forest. Once you've established the forest root domain, you can add new domains to the forest. Any domains that are part of a different namespace than the forest root domain establish a root domain for a new domain tree.

A forest root domain can be:

A dedicated root
Used as a placeholder to start the directory. It has no accounts associated with it other than those created when the forest root is installed, and those that are needed to manage the forest. It is not used to assign access to resources.

A nondedicated root
Used as a normal part of the directory and has accounts associated with it. It is used to assign access to resources.

When working with forests, keep the following in mind:

All domain controllers share the same configuration container that is used to store the default configuration and policy information.

All domains in a forest trust all the other domains in that forest. There are two-way transitive trusts between all domains in a forest.

All domains in a forest have the same global catalog. The global catalog stores a partial replica of all objects in the forest.

All domain controllers in a forest have the same schema. A single schema master is designated for the forest.

All domains in the forest have the same top-level administrators. These are the members of the Enterprise Admins and Schema Admins groups.



11.1.3. Creating a Child Domain

Use domains to logically group objects for central management and control. After you create the forest root domain, you can create additional domains to divide a forest into smaller components.

Domains set the replication boundary for the domain directory partition and for domain policy information. When you make changes to the domain directory partition or to domain policy information on a domain controller in a domain, the changes are replicated automatically to the other domain controllers in the domain. In contrast, forest directory partitions, like the schema and configuration partitions, are replicated throughout a forest.

Domain boundaries are also boundaries for resource access and administration. Users must be granted permission to access resources in another domain. Administrators of a domain can only manage resources in that domain by default.

Group Policy settings that apply to one domain are independent from those applied to other domains. This allows you to configure policies in different ways for different domains.



11.1.4. Creating Application Data Partitions

While some third-party vendors provide tools for creating application partitions that may be required by their software, you can create application partitions yourself using Active Directory Service Interfaces (ADSI), Ldp.exe, and Ntdsutil.exe. To manually create an application partition using Ntdsutil.exe, follow these steps:

1. Type ntdsutil at a command prompt.

2. At the ntdsutil: prompt, type domain management.

3. Type create nc AppPartitionName DomainController, where AppPartitionName is the distinguished name of the application partition to create and DomainController is the fully qualified domain name of the domain controller on which to create the partition, such as:

create nc dc=appdata1,dc=domain,dc=local engsvr52.domain.loc

4. ntdsutil then creates the application partition.

If you need to delete an application partition, use delete nc. The syntax for delete nc is the same as for create nc. When you remove an application partition, any data contained in the partition is lost.

You may also need to create and remove an application directory partition replica. This is an instance of a partition on another domain controller, which is created for data access or redundancy. To manually create an application partition replica using Ntdsutil.exe, follow these steps:

1. Type ntdsutil at a command prompt.

2. At the ntdsutil: prompt, type domain management.

3. Type add nc replica AppPartitionName DomainController, where AppPartitionName is the distinguished name of the application partition for which you want to create a replica and DomainController is the fully qualified domain name of the domain controller on which to create the partition replica, such as:

add nc replica dc=appdata1,dc=domain,dc=local engsvr84.domai

4. ntdsutil then creates the application partition replica.

If you need to delete an application partition replica, use remove nc replica. The syntax for remove nc replica is the same as for add nc replica. When you remove an application partition replica, any data contained in the replica is lost.



11.1.5. Installing and Configuring an Active Directory Domain Controller

Active Directory works in concert with DNS. DNS servers must be installed on the network prior to installing Active Directory and promoting servers to be domain controllers. To designate a server as a domain controller, use the Active Directory


