
Chapter Two

Host Management

Active Directory Domain Services
• Active Directory is a directory service, and it is the role of a directory service to maintain information about enterprise resources, including users, groups, and computers.
• A directory service is the software system that stores, organizes and provides access to information in a directory.
• It helps administrators centralize the creation of users and groups, and specify roles and access levels for IT resources across the company network.
• This greatly simplifies the task of administrators, as they save the effort of managing administration for multiple systems separately for each user.
Windows Server Basic Terminology

 Domain Controllers
• Domain controllers (DCs) host and perform identity and access management in a Microsoft Windows enterprise.
• Any server that has AD (Active Directory) installed becomes a DC. In a domain, one DC acts as the primary domain controller while the others act as backup domain controllers.
 Functions of a DC
• Store a complete copy of all the objects related to a single domain. A DC also tracks the changes made to the objects and replicates those changes to the other DCs in the same domain.
• Provide fault tolerance: if one DC is offline, another can provide all the functions AD requires.
• Manage all user interaction within a domain, such as finding AD objects and validating user authentication.
Cont…

• Active Directory enables you to configure a domain and a forest with a single domain controller.
• The Add Roles Wizard in Server Manager is used to install Active Directory Domain Services (AD DS).
• The Active Directory Domain Services Installation Wizard is then used to create the first DC in the forest.
• Additional domain controllers are used to create a level of fault tolerance in the event any one DC fails, or to provide authentication in remote sites.

E.g.: DBU.com
Cont…
Domain
• A domain is the core administrative unit of a network structure.
• It is a logical grouping of computers that share a common directory database and security system.
• Objects stored in a domain are considered vital to the network.
• These objects are resources needed by network users to perform tasks. An object can be a printer, document, database or user.
• A domain acts as a security boundary and allows access to domain objects.
Cont…

Tree
• A tree is a hierarchical collection of one or more domains, which is created by adding one or more child domains to an existing parent domain.

Example tree (figure): DBU.com is the parent domain; IT.DBU.com and CS.DBU.com are its child domains; First-year.CS.DBU.com is a child domain of CS.DBU.com.

 Child Domain
• You may want to create a child domain and then delegate the Domain Name System (DNS) namespace to a domain controller located in this child domain for any of the following reasons:
E.g. CS.DBU.com
Cont…

 Understanding Active Directory objects

• Active Directory is a directory service that maintains information about enterprise resources, including users, groups, and computers.
• Resources are divided into OUs (organizational units) to facilitate manageability and visibility—that is, they can make it easier to find objects.
• A user requires an Active Directory user account to log on to a computer or to a domain.
• The account establishes an identity for the user; the operating system then uses this identity to authenticate the user and to grant him or her authorization to access specific domain resources.
Cont….

 Organizational units (OUs) are administrative containers within Active Directory that are used to collect objects that share common requirements for administration, configuration, or visibility.

 Groups are an important class of object because they are used to collect users, computers, and other groups to create a single point of management.
• The most straightforward and common use of a group is to grant permissions to a shared folder.

 Users in a domain often share many similar properties.
• For example, all sales representatives can belong to the same security groups, log on to the network during similar hours, and have home folders.
Cont…

 Computer
• Similar to user objects, computers are represented as accounts and objects in AD.
• A computer also logs on to a domain.
• The computer object contains a name appended with a dollar sign, e.g. COMP$, and a password that is required when you join the computer to a domain.
• Each computer that needs to access network resources must have a unique computer account in the network.

Forest
• A forest is a collection of one or more independent domain trees.
Server installation

• Microsoft releases all of its operating systems in multiple editions, which provides consumers with varying price points and feature sets.
 Windows Server 2012 R2 Datacenter The Datacenter edition is designed for large and powerful servers with up to 64 processors and includes fault-tolerance features such as hot-add processor support.
 Windows Server 2012 R2 Standard The Standard edition includes the full set of Windows Server 2012 R2 features and differs from the Datacenter edition only in the number of virtual machine (VM) instances permitted by the license.
 Windows Server 2012 R2 Essentials The Essentials edition includes nearly all the features in the Standard and Datacenter editions; it does not include Server Core,
Cont…

■ Windows Server 2012 R2 Foundation The Foundation edition is a scaled-down version of the operating system; it is designed for small businesses that require only basic server features, such as file and print services and application support. It has no virtualization rights and is limited to 15 users.
• Installation requirements
• If your computer does not meet the following hardware specifications, Windows Server 2012 R2 will not install correctly (or possibly at all):
 1.4-GHz 64-bit processor
 512 MB RAM
 32 GB available disk space
 Super VGA (1024 x 768) or higher resolution monitor
 Keyboard and mouse (or other compatible pointing device)
 Internet access
Choosing installation options

• Windows Server 2012 R2 provides installation options that enable administrators to keep the unnecessary resources installed on a server to a minimum.
 Using Server Core
• Windows Server 2012 R2 includes an installation option that minimizes the user interface on a server.
• When you select the Windows Server Core installation option, you install a stripped-down version of the operating system.
• There is no Start menu, no desktop Explorer shell, no Microsoft Management Console (MMC), and virtually no graphical applications.
• All you see when you start the computer is a single window with a command prompt.
WHAT IS SERVER CORE?

• Server Core is not a separate product or edition. It is an installation option included with the Windows Server 2012 R2 Standard edition and the Windows Server 2012 R2 Datacenter edition.
• There are several advantages to running servers using Server Core:
■ Hardware resource conservation Server Core eliminates some of the most memory-intensive and processor-intensive elements.
■ Reduced disk space Server Core requires less disk space for the installed operating system elements, which maximizes the utilization of the server’s storage resources.
Cont…

■ Reduced patch frequency The graphical elements of Windows Server 2012 R2 are among the most frequently updated, so running Server Core reduces the number of updates that administrators must apply.
• Fewer updates also mean fewer server restarts and less downtime.
■ Reduced attack surface The less software there is running on the computer, the fewer entrance points there are for attackers to exploit.
• Server Core reduces the potential openings presented by the operating system, increasing its overall security.

FIGURE 1-1 The default Server Core interface
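The attack-surface argument above can be checked on a running host. The following PowerShell is an added example, not code from the slides: it lists every installed role and feature so the list can be reviewed against what the server is meant to do, flags the graphical layers, and optionally removes them, which on Windows Server 2012 R2 converts a "Server with a GUI" installation to Server Core. It assumes Windows Server 2012 R2 with the ServerManager module; the feature names Server-Gui-Mgmt-Infra, Server-Gui-Shell and Desktop-Experience are the real 2012 R2 names.

```powershell
# Added example (not from the slides): measure and reduce the installed
# footprint of a Windows Server 2012 R2 host. Assumes the ServerManager
# module that ships with the OS.
Import-Module ServerManager

# The GUI layers of Windows Server 2012 R2. Removing Server-Gui-Mgmt-Infra
# also removes Server-Gui-Shell, which depends on it.
$guiFeatures = @('Server-Gui-Mgmt-Infra', 'Server-Gui-Shell', 'Desktop-Experience')

function Get-InstalledFootprint {
    # Every installed role, role service and feature, so the set can be
    # compared against the server's actual purpose.
    $installed = @(Get-WindowsFeature | Where-Object { $_.Installed })
    [pscustomobject]@{
        InstalledCount = $installed.Count
        GuiInstalled   = @($installed | Where-Object { $guiFeatures -contains $_.Name }).Name
        Roles          = @($installed | Where-Object { $_.FeatureType -eq 'Role' }).Name
    }
}

function ConvertTo-ServerCore {
    # -RemovePayload also deletes the binaries from the component store, so
    # the GUI cannot be re-added without installation media.
    param([switch]$RemovePayload)
    $before = Get-InstalledFootprint
    if (-not $before.GuiInstalled) {
        Write-Host 'Already running Server Core.'
        return $before
    }
    Write-Host "Removing GUI layers: $($before.GuiInstalled -join ', ')"
    # The server restarts and comes back with only the command-prompt window
    # shown in Figure 1-1.
    Uninstall-WindowsFeature -Name $before.GuiInstalled -Remove:$RemovePayload -Restart
}

# Review first; convert only once no installed role needs a local GUI.
Get-InstalledFootprint | Format-List
# ConvertTo-ServerCore
```

Run the review step on every server before committing to a conversion: the installed-role list is also the list of software that will keep receiving patches, so anything not required for the server's job is both an update burden and an entry point.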
Windows Server 2012 installation (GUI)
1. Start the computer, then insert the Windows Server 2012 installation DVD into the DVD drive.
2. Reboot the computer; the installation wizard appears as shown.
3. Click the Next button. The Install Windows wizard now contains an Install Now button as shown.
4. Select the language for installation.
5. Click the Install Now button to start the installation of Windows Server 2012, then type your product key for activation.

Cont…

6. Select the Windows Server edition and click the Next button.
7. Select the type of Windows Server installation (custom or upgrade).
Migrating roles

• In addition to installing a server, we can migrate a server from one to another.
• Migration is the preferred method of replacing an existing server with one running Windows Server 2012 R2.
• Unlike an in-place upgrade, a migration copies vital information from an existing server to a clean Windows Server 2012 R2 installation.
• By using the Windows Server Migration Tools and migration guides supplied with Windows Server 2012 R2, you can migrate data between servers under any of the following conditions:
 Between versions You can migrate data from any Windows Server version from Windows Server 2003 SP2 to Windows Server 2012 R2.
• This includes migrations from one server running Windows Server 2012 R2 to another.

Cont…

■ Between platforms You can migrate data from a 32-bit or 64-bit server to a 64-bit server running Windows Server 2012 R2.
■ Between editions You can migrate data between servers running different Windows Server editions (Datacenter to Standard).
■ Between physical and virtual instances You can migrate data from a physical server to a virtual one, or the reverse.
■ Between installation options You can migrate data from one server to another, even when one server is using the Server Core installation option and the other is using the Server with a
Users and Group management

• Why Different Users?
– Users create data
• Privacy should be ensured
– Different privileges for different activities
• Administrators
• Regular Users
• Guests
• Why User Management?
– We must enforce policy based on the user or user role
• User management
– Creating, modifying and deleting users
– Granting and revoking permissions to users
Users managing
• Security policy should be in place
– To define what to share and
– How to share it.
• Local User Management
– No user management server is used
– User accounts are created on the host itself
– Each host is responsible for managing its users
– Security policies are defined (and enforced) for the users created on the host
• Centralized User Management
– Dedicated server(s) manage user accounts
– User accounts are created on the server
– The server manages the users
– Security policy is defined on the server and is applied universally
– Specific protocol: LDAP is used for communication between hosts and the server
Managing Users

– You can create user accounts manually or by writing scripts
 To create accounts manually, you use the Active Directory Users and Computers console
 To script a user account, you need to be familiar with at least one scripting language, such as VBScript or JScript
 We can also create user accounts using PowerShell
Cont…

• It is very important to plan your user accounts before you actually create them
• Parameters you need to consider while planning
– Naming conventions
– Password requirements
– Account options
• Naming conventions
– A good naming convention makes it easy for users to remember their logon names
– It also provides for cases in which two users have the same name
• Password requirements
– Each user account will typically be assigned a password
– Passwords prevent unauthorized access to a domain or a computer
Cont…
• Account options
– It is also important to consider certain properties before you create user accounts
• The Log On To option specifies the computers to which a user can log on
• The Logon Hours section allows you to specify which hours of the day and days of the week a user can log on
• The Account Expires section allows you to predefine when a user account will expire
• Active Directory Services Interfaces (ADSI)
– You can use ADSI to create scripts
– ADSI is a fully programmable automation object available for administrators
• You can also create user accounts in batches from a .csv or an .ldif file using the Csvde.exe or Ldifde.exe utilities
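The planning points above (naming convention with a rule for duplicate names, an initial password, and the Log On To and Account Expires options) and the batch creation from a .csv file come together in one script. The PowerShell below is an added example, not code from the slides; it uses the RSAT ActiveDirectory module rather than Csvde.exe, and the OU path, the UPN suffix and the CSV rows are constructed for the DBU.com example domain.

```powershell
# Added example (not from the slides): bulk-create domain user accounts from
# CSV rows, applying a naming convention that resolves duplicate names and
# the account options the slides describe. Assumes the RSAT ActiveDirectory
# module and a hypothetical OU "OU=Staff,DC=DBU,DC=com".
Import-Module ActiveDirectory

# Constructed sample input with two users of the same surname; in practice
# replace with: $rows = Import-Csv .\newusers.csv
$rows = @'
GivenName,Surname,Department,ExpiresOn,Workstations
Abebe,Kebede,CS,2025-12-31,CS-LAB01;CS-LAB02
Abel,Kebede,IT,,
'@ | ConvertFrom-Csv

$targetOU  = 'OU=Staff,DC=DBU,DC=com'   # hypothetical OU
$upnSuffix = 'DBU.com'

# Naming convention: first initial + surname, lower case, letters and digits
# only, at most 20 characters (the sAMAccountName limit). When the name is
# already taken, a counter is appended so that two users with the same name
# still get distinct logon names.
function New-LogonName {
    param([Parameter(Mandatory)][string]$GivenName, [Parameter(Mandatory)][string]$Surname)
    $base = ($GivenName.Substring(0, 1) + $Surname).ToLower() -replace '[^a-z0-9]', ''
    $base = $base.Substring(0, [Math]::Min(20, $base.Length))
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
        $n++
        $suffix = "$n"
        $candidate = $base.Substring(0, [Math]::Min(20 - $suffix.Length, $base.Length)) + $suffix
    }
    return $candidate
}

# Random 24-character initial password; the user must replace it at first logon.
function New-InitialPassword {
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

foreach ($row in $rows) {
    $sam     = New-LogonName -GivenName $row.GivenName -Surname $row.Surname
    $initial = New-InitialPassword

    $params = @{
        Name                  = "$($row.GivenName) $($row.Surname)"
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$upnSuffix"
        Department            = $row.Department
        Path                  = $targetOU
        AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    # Log On To: restrict the computers this user may log on to.
    if ($row.Workstations) { $params.LogonWorkstations = ($row.Workstations -split ';') -join ',' }
    # Account Expires: temporary staff get a fixed expiry date.
    if ($row.ExpiresOn)    { $params.AccountExpirationDate = [datetime]$row.ExpiresOn }

    New-ADUser @params
    $expires = if ($row.ExpiresOn) { $row.ExpiresOn } else { 'never' }
    Write-Host "Created $sam (expires: $expires); deliver the initial password out of band"
}
```

With the sample rows, the first user becomes akebede and the second, colliding on the same initial and surname, becomes akebede2. Accounts are created enabled but with a random password that must be changed at first logon, so an unused account does not sit with a known shared password.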
Cont….

Local user accounts
– If you have administrative rights, you can use the Local Users and Groups snap-in in the Computer Management console
– From this console, you can create, delete, or disable local user accounts on a local computer.

Local security database
Cont…

 Creating a Domain User Account
• You use a domain user account to log on to a domain and access network resources
– You use the Active Directory Users and Computers console to create domain user accounts.

Domain user account
Cont…

• Built-in user accounts are created by default during the installation of Windows Server.
• Administrator built-in user account
– Used to perform administrative tasks
• Creating and managing user accounts
• Setting account properties
• Assigning permissions to user accounts to access resources
– Used to gain access to network resources
• Built-in Guest account
– Used to give users access to resources for a short time
– Is disabled by default
Setting User Account Properties

• Every user account you create has a set of default properties you can configure
– Including personal information, logon settings, dial-in settings, and Terminal Services settings for a user
– The personal properties you define for a domain user account are useful when conducting user searches based on very specific information
– Logon settings are used to specify the logon hours for a user
– Dial-in settings for a user account are used to specify if and how a user can make a dial-in connection from a remote location
– Terminal Services properties provide the ability to connect to a server from a remote location
Cont…

• You can save a lot of time by filling out the common fields shared between user accounts in a “template” account
– A template account is a disabled account that is used as a model for creating other accounts
– After filling out the appropriate fields, you can right-click the account and select Copy to create a new account with most of your pre-defined fields already filled in
Maintaining User Accounts

• As a system/network administrator, you must maintain user accounts based on the needs of your organization
• Typical user account maintenance tasks
– Modifying user accounts
– Resetting passwords
– Unlocking user accounts
• You can modify user accounts in many ways
– Rename a user account
– Disable or enable a user account
– Delete a user account
• To modify user accounts, you need at least the Write permission for the user account
Cont…

• You can reset passwords when a user’s password expires before the user has a chance to change it
• In some cases, users might even forget their passwords
• You do not need to know the old password in order to reset a password
• After the administrator or the user sets a password for a user account, the password is not viewable to anyone, including the administrator
• Windows Server can lock user accounts for users who violate the account lockout policy
• In such cases, the user can either wait until the lockout period expires (usually 30 minutes), or contact an administrator to unlock the user account
Cont…

• To unlock a user account
– Open the Account tab on the Properties dialog box for the user account
– Clear the Account is locked out check box
– It is important to understand that the Account is locked out check box will be active only when the system has locked out a user account
• You cannot manually lock out a user account

Unlocking a locked out account
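The lockout and reset procedure from the two slides above, done from PowerShell instead of the Properties dialog, as an added example that is not part of the slides. It reads the effective lockout policy, reports every locked-out account with the failed-attempt context an administrator wants before clearing the lock, and pairs the unlock with a password reset when the user has forgotten the password. It assumes the RSAT ActiveDirectory module; the account name in the last line is hypothetical.

```powershell
# Added example (not from the slides): triage and recover locked-out
# accounts. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The failed-attempt counter (badPwdCount) is not replicated between DCs,
# but every failed attempt is forwarded to the PDC emulator, so query it
# for an accurate picture.
$pdc = (Get-ADDomain).PDCEmulator

# Effective lockout policy: attempts allowed, lock duration (the slides'
# "usually 30 minutes") and the window after which the counter resets.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
'Lockout after {0} bad attempts; locked for {1}; counter resets after {2}' -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

function Get-LockedOutReport {
    Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
        Get-ADUser -Server $pdc -Properties badPwdCount, badPasswordTime, lockoutTime, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                User        = $_.SamAccountName
                BadAttempts = $_.badPwdCount
                LockedAt    = [datetime]::FromFileTime($_.lockoutTime)
                LastBadPwd  = [datetime]::FromFileTime($_.badPasswordTime)
                LastLogon   = $_.LastLogonDate
            }
        }
}

# Unlock-ADAccount only clears the lockout flag (the "Account is locked out"
# check box); it does not touch the password. When the user no longer knows
# the password, reset it as well: no old password is needed, and the user
# is forced to choose a new one at next logon.
function Restore-LockedUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$ResetPassword)
    Unlock-ADAccount -Identity $SamAccountName -Server $pdc
    if (-not $ResetPassword) { return }
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $temp = [Convert]::ToBase64String($bytes)   # 24-character random temporary password
    Set-ADAccountPassword -Identity $SamAccountName -Server $pdc -Reset `
        -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
    Set-ADUser -Identity $SamAccountName -Server $pdc -ChangePasswordAtLogon $true
    return $temp   # hand to the verified caller out of band, never by e-mail
}

Get-LockedOutReport | Format-Table -AutoSize
# Restore-LockedUser -SamAccountName akebede -ResetPassword   # hypothetical account
```

A high BadAttempts count with a LastBadPwd timestamp while the user was not at work is worth a look before the account is unlocked, since a lockout can be caused by a stale cached credential on another device or by someone else trying the password; the report gives that context, the unlock itself is a single cmdlet.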
Cont…

• Moving accounts within a domain
– You move an account within a domain to change the OU or container in which the account is currently located
• This allows different delegated permissions and Group Policies to apply to the account
• Planning password policy
– You use Group Policy to set the Password policy for your network
– Passwords should be memorable to your users, yet be completely unrelated to them personally
– They should consist of uppercase and lowercase
Group management

• Because managing access to network resources using individual user accounts is unmanageable, you create group objects to manage large collections of users at one time.
 Group Types
• When you create a new group object by using Active Directory Users And Computers, you are given the choice of creating a distribution group or a security group.
• The most commonly used type of group in Active Directory is the security group.
 A security group is a security principal and can be used to assign permissions to network resources.
 A distribution group lets you send mail to a whole group of users at one time.
Group management

 Group Scope
In Windows Server Active Directory, you can create groups with three different scopes:
I. Domain local,
II. Global, and
III. Universal.

• Nested groups are groups that are members of other groups.
Group scope

Scope: Domain local group
Group membership:
 User accounts from any domain in the forest
 Global groups or universal groups from any domain in the forest
 User accounts or global or universal groups from any domain in a trusted forest
 Nested domain local groups from the local domain
Used to:
 Assign access to resources only in the local domain

Scope: Global group
Group membership:
 User accounts from the domain where the group is created
 Nested global groups from the same domain
Used to:
 Assign access to resources in all domains in the forest, or between trusted forests

Scope: Universal group
Group membership:
 User accounts from any domain in the forest
 Global groups from any domain in the forest
 Nested universal groups from any domain in the forest
Used to:
 Assign access to resources in all domains in the forest or between trusted forests
Group types and scope
Global Group
• Used to segregate objects based on business rules
• Replication
– Replicated to all domain controllers in the domain
• Membership
– Users and computers
– Other global groups from the same domain only
• Availability
– Can be used by members of all domains in the forest
– Can be members of any domain local group or universal group in the forest or trusted domain
Domain Local groups
• Used to manage permissions to resources
• Replication
– Replicated to all domain controllers in the domain
• Membership
– Users, computers and global groups from any domain in the forest
– Universal groups from any domain in the forest
• Availability
– Can be members of any other domain local groups or computer local groups
Universal groups
• Used to manage permissions to resources across multiple domains
• Replication
– Replicated to all domain controllers in the forest
• Membership
– Users, global groups and other universal groups from any domain in the forest
– Universal groups from any domain in the forest
• Availability
– Can be members of a universal group or domain local groups anywhere in the forest
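The scope table and the three slides above describe which group may contain which, and the usual way to apply them is the chain "accounts into a global group organised by business role, the global group into a domain local group organised by resource, the domain local group into the resource's permissions". The PowerShell below is an added example, not code from the slides: it builds that chain and checks each proposed nesting against the scope rules before calling Add-ADGroupMember, so a nesting the table forbids is reported rather than failing inside AD. It assumes the RSAT ActiveDirectory module; the OU, group names, user name and share path are hypothetical, and cross-domain membership rules are simplified to the single-domain case.

```powershell
# Added example (not from the slides): AGDLP group chain with a pre-check of
# nesting against the scope table. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=DBU,DC=com'   # hypothetical OU in the DBU.com example domain

# Member kinds each scope may contain, per the slides' table, single-domain
# case. 'Account' stands for user and computer accounts.
$allowedMembers = @{
    Global      = @('Account', 'Global')                             # global groups from the same domain only
    DomainLocal = @('Account', 'Global', 'Universal', 'DomainLocal')
    Universal   = @('Account', 'Global', 'Universal')
}

function Test-GroupNesting {
    param([Parameter(Mandatory)][string]$Container, [Parameter(Mandatory)][string]$Member)
    $containerScope = (Get-ADGroup -Identity $Container).GroupScope.ToString()
    try   { $memberScope = (Get-ADGroup -Identity $Member -ErrorAction Stop).GroupScope.ToString() }
    catch { $memberScope = 'Account' }   # not a group, so a user or computer account
    [pscustomobject]@{
        Container      = $Container
        ContainerScope = $containerScope
        Member         = $Member
        MemberScope    = $memberScope
        Allowed        = [bool]($allowedMembers[$containerScope] -contains $memberScope)
    }
}

function Add-GroupMemberChecked {
    param([Parameter(Mandatory)][string]$Container, [Parameter(Mandatory)][string]$Member)
    $check = Test-GroupNesting -Container $Container -Member $Member
    if ($check.Allowed) {
        Add-ADGroupMember -Identity $Container -Members $Member
    } else {
        Write-Warning "Refused: a $($check.ContainerScope) group cannot contain the $($check.MemberScope) '$Member'"
    }
    $check
}

# A -> G: accounts go into a global group organised by business role...
New-ADGroup -Name 'Sales Staff' -SamAccountName SalesStaff -GroupScope Global -GroupCategory Security -Path $groupOU
Add-GroupMemberChecked -Container SalesStaff -Member akebede     # hypothetical user

# G -> DL: the global group goes into a domain local group organised by resource...
New-ADGroup -Name 'Sales Share Modify' -SamAccountName SalesShareModify -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-GroupMemberChecked -Container SalesShareModify -Member SalesStaff

# DL -> P: only the domain local group appears in the resource's ACL (path hypothetical).
icacls 'D:\Shares\Sales' /grant 'DBU\SalesShareModify:(OI)(CI)M'

# Nesting the other way round violates the table and is refused before AD sees it.
Add-GroupMemberChecked -Container SalesStaff -Member SalesShareModify

# A distribution group carries mail only; it is not a security principal, so
# it cannot be granted permissions on the share.
New-ADGroup -Name 'Sales Announcements' -SamAccountName SalesAnnounce -GroupScope Universal -GroupCategory Distribution -Path $groupOU
```

Keeping permissions on the domain local group and people in the global group means a new sales representative is added to one global group and inherits every resource permission that group has been given, and an access review of the share only has to read one domain local group's membership.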
