Module 3: Administering Active Directory v
Module Strategy
Use the following strategy to present this module:
- Introduction to Administering Active Directory
In this topic, you will introduce the concept of centralized management and
decentralized administration in Active Directory. Emphasize that centralized
management allows you to access network resources from a single location,
and decentralized administration allows you to delegate administrative
control of portions of your network. Do not spend too much time explaining
these concepts because they were covered earlier in the course.
- Managing Active Directory Objects
In this topic, you will introduce organizing Active Directory objects by
using OUs. Explain the planning factors involved in creating an OU and
why each of the given planning factors is important. Demonstrate how to
create an OU by using Active Directory Users and Computers. Illustrate
how to move objects within a domain. Point out to students how
permissions are affected when you move objects.
- Publishing Resources in Active Directory
In this topic, you will introduce publishing resources. Emphasize that
resources should be published in Active Directory if the information is
important to the users. Explain how to publish shared folders. Demonstrate
how to publish a shared folder in Active Directory and how to add a
description and keywords to the published shared folder. Show students
some examples of meaningful descriptive words and keywords. Illustrate
how to publish printers. Emphasize that Microsoft® Windows® 2000
automatically publishes a printer in Active Directory. You need to manually
publish a printer in Active Directory only if the printer is on a computer that
is not running Windows 2000.
- Locating Objects in Active Directory
In this topic, you will introduce how the global catalog locates objects in
Active Directory. Provide examples when telling students about the
attributes for objects contained in the global catalog. Illustrate how to
perform a basic search operation by using the Find command in Active
Directory Users and Computers. Emphasize that you can administer objects
from the Results box once they have been located. Demonstrate how to
perform an advanced search operation by using the Find command in
Active Directory Users and Computers. Explain to students that different
objects have different attributes available to search for in an advanced
search operation. Demonstrate how to search Active Directory to locate
objects by using Windows Explorer. Emphasize that this technique of
locating objects is for users and that you can search for only specific types
of objects by using Search and My Network Places.
- Lab A: Managing, Publishing, and Locating Objects in Active Directory
Prepare students for the lab in which they will create an OU structure based
on a scenario, move Active Directory objects within a domain, publish
shared folders and printers in Active Directory, search for objects in Active
Directory, and connect to objects in Active Directory search results. Make
sure that students run the command file for the lab and tell them that they
will work with their partners’ computers. After students have completed the
lab, ask them if they have any questions concerning the lab.
- Controlling Access to Objects
In this topic, you will introduce the purpose of Active Directory
permissions. Tell students that only an administrator or the owner of an
object can assign permissions for the object. Demonstrate how to set
permissions for objects and attributes of objects. Demonstrate how to view
special permissions by using the Access Control Settings dialog box.
Explain how to prevent inheritance of permissions. Emphasize that when
you prevent inheritance, Windows 2000 prompts you to either assign new
permissions to the object or copy the previously inherited permissions.
- Delegating Administrative Control
In this topic, you will introduce the purpose of delegating administrative
control of objects. Explain that you can decentralize administration by
delegating specific tasks to other administrators. Delegation of
administrative control at the OU level enables you to easily track
permissions. Demonstrate how to assign permissions at the OU level by
using the Delegation of Control wizard. Explain all of the options that are
available under Predefined tasks and Custom task. Emphasize that you
normally select delegation tasks from a predefined list, but that you can
customize delegation tasks. Explain guidelines for delegating administrative
control of objects.
- Lab B: Delegating Administrative Control in Active Directory
Prepare students for the lab in which they will review Active Directory
permissions and delegate administrative control by using the Delegation of
Control wizard. Make sure that students run the command file for the lab.
After students have completed the lab, ask them if they have any questions
concerning the lab.
- Best Practices
Present best practices for administering Active Directory. Emphasize the
reason for each best practice.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for course 1558A, Advanced Administration
for Windows 2000.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup Requirement 1
The labs in this module require that the Log on locally right on domain
controllers be assigned to the Everyone group. To prepare student computers to
meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Assign the right manually.
Setup Requirement 2
The labs in this module require a South OU and a North OU. To prepare student
computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Create the OUs manually.
Setup Requirement 3
The labs in this module require the
C:\MOC\Win1558A\Labfiles\Lab03\Documents folder, shared as Documents,
and the C:\MOC\Win1558A\Labfiles\Lab03\Documents2 folder, shared as
Documents2. To prepare student computers to meet this requirement, perform
one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Create the folders manually and share them.
Setup Requirement 4
The labs in this module require a Package Handling OU and a Human
Resources OU with several computer and user objects in it. To prepare student
computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Create the OUs manually.
Setup Requirement 5
The labs in this module require a printer called Laser Printer on each student
computer. To prepare student computers to meet this requirement, perform one
of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Create the printer manually.
Setup Requirement 6
The labs in this module require shortcuts to Active Directory Users and
Computers, Active Directory Sites and Services, and Active Directory Domains
and Trusts on the desktop for All Users. To prepare student computers to meet
this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Create the shortcuts manually and place them in
C:\Winnt\Profiles\All Users\Desktop.
Setup Requirement 7
The labs in this module require a regular user account for the student. To
prepare student computers to meet this requirement, create the user
account manually.
Setup Requirement 8
The labs in this module require the following user accounts in the default Users
container in Active Directory: User 1, User 2, User 3, User 4, User 5, and
User 6. To prepare student computers to meet this requirement, perform one of
the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Create the user accounts manually.
Setup Requirement 9
The labs in this module require the following computers in the default
Computers container in Active Directory: Computer 1, Computer 2,
Computer 3, Computer 4, Computer 5, and Computer 6. To prepare student
computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd.
- Create the computers manually.
Setup Requirement 10
The labs in this module require a Security1 OU and the Assistant1 and
Secretary1 user accounts in this OU. The labs also require a Security2 OU and
the Assistant2 and Secretary2 user accounts in this OU. To prepare student
computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0302.cmd.
- Create the OUs and user accounts manually.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
- Students move user accounts and computers to the North and South OUs.
- Students move the Laser Printer printers to the North and South OUs.
- Students change the Location attribute of the Laser Printer printer.
- Students change the Active Directory permissions for the Security1 and
Security2 OUs.
Important: You can run
C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab03Rm.cmd to remove most
configuration changes introduced during the course of the labs in the module.
Remove the Log on locally right from the Everyone group manually. Remove
the Laser Printer printer manually.
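
The cleanup above leaves one item to a person: confirming that the Everyone group no longer holds the Log on locally right on the domain controller. The following is an added example, not part of the courseware, that parses a `secedit /export` user-rights file and flags that assignment. It assumes a system where PowerShell is available; the function names and the INF sample are constructed for illustration.

```powershell
# Added example, not from the courseware. Assumes PowerShell is available.
# SeInteractiveLogonRight is the policy constant for "Log on locally";
# S-1-1-0 is the well-known SID of the Everyone group.

function Get-UserRightHolders {
    param(
        [string[]]$InfLines,                       # lines of a secedit export
        [string]$Right = 'SeInteractiveLogonRight'
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # User rights live only in the [Privilege Rights] section.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Comma-separated holders; SIDs carry a leading '*', names do not.
            return @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Test-EveryoneCanLogOnLocally {
    param([string[]]$InfLines)
    $holders = @(Get-UserRightHolders -InfLines $InfLines)
    # Match Everyone by well-known SID or by its (English) account name.
    return [bool]($holders | Where-Object { $_ -eq 'S-1-1-0' -or $_ -eq 'Everyone' })
}

# Constructed sample of an export taken while the lab setting is still in place.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

if (Test-EveryoneCanLogOnLocally -InfLines $sample) {
    Write-Output 'FINDING: Everyone holds SeInteractiveLogonRight; remove the lab assignment.'
} else {
    Write-Output 'OK: Everyone does not hold SeInteractiveLogonRight.'
}

# Live use on a domain controller, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-EveryoneCanLogOnLocally -InfLines (Get-Content "$env:TEMP\rights.inf")
```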
Overview
- Introduction to Administering Active Directory
- Managing Active Directory Objects
- Publishing Resources in Active Directory
- Locating Objects in Active Directory
- Controlling Access to Objects
- Delegating Administrative Control
- Best Practices
Active Directory™ directory service in Microsoft® Windows® 2000 provides
centralized management of enterprises. This means that information about the
enterprise is centrally stored and administrators are able to manage an
organization’s network from a single location. Active Directory supports the
delegation of administrative control over Active Directory objects. This enables
administrators to grant specific administrative permissions for objects, such as
user or computer accounts, to other users and administrators.
At the end of this module, you will be able to:
- Identify the tasks involved in administering objects in Active Directory.
- Manage Active Directory objects.
- Publish resources in Active Directory.
- Locate objects in Active Directory.
- Control access to Active Directory objects.
- Delegate administrative control of Active Directory objects.
- Apply best practices for administering Active Directory.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn to administer Active Directory by
managing and delegating administrative control of Active Directory objects.
Introduction to Administering Active Directory
Active Directory Allows Administrators to:
- Decentralize administration by delegating administrative control of resources
- Centralize management of resources by administering network resources from a
single location
[Slide figure labels: Resources, Published]
Active Directory stores information about resources (such as user accounts,
computers, printers, and shared folders) on the network and makes it easy for
users and administrators to use, locate, and manage these resources.
Active Directory allows administrators to:
- Centralize management by administering most network resources from a
single location. There is a single location for resource information that can
be accessed from anywhere in the network. Centralizing the location of this
information allows you to configure enterprise-wide resource access, and to
choose whether you want to have a centralized or a decentralized model of
management. By using administrative utilities, administrators can manage
user accounts and groups, physical resources (such as computers and
printers), shared folders, and organizational units (OUs). They can also
publish and locate these resources in Active Directory, and control access to
resources throughout the network.
- Decentralize administration by delegating administrative control of user
accounts, computers, printers and other network resources to other
administrators. By delegating administrative control, appropriate individuals
in an organization can be given the responsibility for administering and
managing network resources. Distributing administrative and management
responsibilities decentralizes administration and decreases an
administrator’s workload.
Note: Active Directory Service Interfaces (ADSI) is the primary and
recommended application programming interface (API) for Active Directory.
You can create applications that use ADSI to gain access to Active Directory.
These applications can automate tasks or present a customized user interface.
You can use ADSI with many popular programming languages. For
information on ADSI, see appendix A, “Active Directory Service Interfaces,”
on the course 1558A, Advanced Administration for Microsoft Windows 2000,
Student Materials compact disc.
Slide Objective: To identify the tasks involved in administering objects in
Active Directory.
Lead-in: Windows 2000 uses Active Directory to make it easy for you to use,
locate, and manage network resources.
Ask students what centralized and decentralized administration of network
resources means. Emphasize that centralized management allows you to access
network resources from a single location, and that decentralized
administration allows you to delegate administration of portions of your
network.
Do not spend too much time explaining these concepts, because they were
covered earlier in the course.
Key Point: Because Active Directory is a central repository of objects and
object information, it enables centralized management and decentralized
administration of network resources.
Managing Active Directory Objects
- Organizing Active Directory Objects
- Creating Organizational Units
- Moving Objects
Organizing objects into OUs allows you to group network resources for easier
administration and delegation of control. Before creating OUs, you need to plan
an OU structure for your organization. After creating OUs, you can populate
them with user accounts, groups, computers, and other OUs by creating them in
the OU itself, or by moving existing objects from other OUs.
Slide Objective: To introduce the topics related to managing Active Directory
objects.
Lead-in: Active Directory provides administrators with a way to centrally
organize and manage network resources.
Organizing Active Directory Objects
- Use OUs to Define Administrative Boundaries
- Set Up an OU Hierarchy to Group Active Directory Objects for
Simplified Administration
- Use an OU Hierarchy to Create an Administrative Model
[Slide figure labels: Active Directory, Domain, OU1, OU2, OU3, User1, User2, Computer1, Printer1]
You can use OUs to define administrative boundaries within your domain. OUs
that hold and organize Active Directory objects are similar to folders that hold
and organize other folders and files.
Setting up an OU hierarchy allows you to group Active Directory objects for
simplified administration, for example, to easily delegate administrative control
over a number of user accounts, groups, or other resources. You delegate
administrative control by assigning specific permissions to other individuals
and groups for OUs and the objects that they contain.
You can use an OU hierarchy to create an administrative model that can be
scaled to any size. A user can be granted administrative authority for all OUs in
a domain, or a single OU. An administrator of an OU does not need to have
administrative authority for any other OUs in the domain. For example, in your
company, there may be one administrator who is responsible for all user
accounts, and a different administrator who is responsible for all printers. In this
case, you would create an OU for user accounts and a different OU for printers.
Slide Objective: To explain how to organize Active Directory objects by using
OUs.
Lead-in: You can use OUs to define administrative boundaries within Active
Directory.
Key Points:
You create OUs for objects that have similar administrative and security
requirements.
A user can be granted administrative authority for all OUs in a domain, or for
a single OU.
The administrator of an OU does not need to have administrative authority for
any other OUs in the domain.