Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.

Global Catalog Servers contain a partial replica of every object in Active Directory. A Global Catalog Server is used to find objects in any domain in the forest. Any Domain Controller can be made into a Global Catalog Server. This video looks at how to make a Domain Controller into a Global Catalog Server or remove that role from it, and also the reasons why and where you should put Global Catalog Servers. Global Catalog Servers are used to find objects in any domain in the forest, but it should be remembered that this does not give the user access to that object. Unless the user has the correct permissions they will not be able to access resources in other domains. Global Catalog Servers also contain information about groups that span domains and about services that work at the forest level.

How to change a Domain Controller to a Global Catalog Server 04:18
Use the admin tool Active Directory Users and Computers to navigate to the computer account for your Domain Controller. By default this will be located in the Domain Controllers OU. Open the properties for the Domain Controller and select the NTDS Settings button. Select or deselect the Global Catalog tick box. Windows will do the rest.

Reasons to deploy Global Catalog Servers
Reason 1: Domain Controllers generate a security token for a user when they first log in. If the user is in a group that spans multiple domains, that Domain Controller will need to contact a Global Catalog to get information about that group.
Reason 2: If a user logs in using a Universal Principal Name (UPN), that is, they log in using a user name in the form of [email protected], a Domain Controller will need to access a Global Catalog Server before the login is completed.
Reason 3: Global Catalog Servers work as an index to the forest. If you perform any searches on the forest you will need to contact a Global Catalog Server.
Reason 4: Microsoft recommends that any network that is separated by a Wide Area Network have a Global Catalog Server deployed at that location. This will ensure that users can log on if the Wide Area Network is down. In order for a computer to contact a Global Catalog Server, ports 389 (LDAP) and 3267 (Global Catalog) need to be opened. If these ports are not open then the user will not be able to use the remote Global Catalog Server.
Reason 5: Some software requires a Global Catalog Server in order to run. Exchange is a big user of the Global Catalog Server. If you have a decent number of Exchange users on your network, you should consider deploying a Global Catalog Server close to these users.

Reasons not to deploy a Global Catalog Server
Global Catalog Servers put more load on the server in the form of searches and lookups from clients. Global Catalogs need to keep their index up to date, which requires more network bandwidth. In order to store the Global Catalog, you are required to have additional hard disk space on your server.
Views: 169603 itfreetraining
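The steps and checks in the description above as PowerShell, added here as an example; this is not code from the ITFreeTraining video. It lists the Global Catalog servers in the forest, flips the Global Catalog setting on a DC the same way the NTDS Settings tick box does, asks the locator for the closest GC, and tests that the ports a client needs are open. It assumes the ActiveDirectory RSAT module and a domain admin session; the server name "DC2" is a placeholder, and it assumes the Global Catalog listens on its standard LDAP port 3268.

```powershell
# Added example (not from the video). Assumes the ActiveDirectory module;
# "DC2" is a placeholder name. Port 3268 is the Global Catalog LDAP port.
Import-Module ActiveDirectory

function Get-GlobalCatalogServer {
    # Every Domain Controller in the forest that currently advertises the GC.
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object Name, Domain, Site, IPv4Address
}

function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    # The tick box in the GUI sets bit 0 of the "options" attribute on the DC's
    # NTDS Settings object (nTDSDSA); write the same bit here and keep the others.
    $dc      = Get-ADDomainController -Identity $DomainController
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]$ntds.options          # a missing attribute reads as 0
    $new     = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    Set-ADObject -Identity $ntds -Replace @{ options = $new }
    # Windows does the rest: the partial replicas are built first and only then
    # does the DC register _gc SRV records, so IsGlobalCatalog may lag behind.
}

function Find-ClosestGlobalCatalog {
    # What a client does at logon: ask the locator for a GC, preferring its own site.
    Get-ADDomainController -Discover -Service GlobalCatalog |
        Select-Object HostName, Site
}

function Test-GlobalCatalogReachable {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # LDAP (389) and the GC port must both be open, e.g. across a WAN firewall,
    # before clients in a remote site can use this Global Catalog.
    foreach ($port in 389, 3268) {
        $result = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $ComputerName; Port = $port; Open = $result.TcpTestSucceeded }
    }
}

# Usage (placeholder names):
# Get-GlobalCatalogServer
# Set-GlobalCatalog -DomainController DC2 -Enabled $true
# Find-ClosestGlobalCatalog
# Test-GlobalCatalogReachable -ComputerName DC2
```

Set-GlobalCatalog edits the same attribute the GUI does, so the result is identical to ticking the box; the reachability test is the one to run from a client in the remote site, not from the DC itself, since it is the WAN path that matters.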
Info Level: Intermediate
Presenter: Eli the Computer Guy
Date Created: February 25, 2013
Length of Class: 38:56
Tracks: Windows Server 2012
Prerequisites: Introduction to Windows Server 2012

Purpose of Class
This class teaches students the basic concepts in building out Active Directory infrastructure for Windows Server 2012.

Class Notes
DCs, or Domain Controllers, are the servers that control the Active Directory service.
Domains are made up of Domain Controllers and member PCs and servers.
There can be multiple Domain Controllers in a domain for fault tolerance and load balancing.
DCs keep data synchronized through replication. The schedule for replication is called the "replication strategy".
DCs can be grouped into Sites. Sites are comprised of Domain Controllers located at the same geographic location. Sites are used to reduce the bandwidth consumed by replication.
DCs are normally set to be Read/Write. For security purposes you can make DCs Read-Only. Read-Only DCs are used at remote offices to lessen the danger of hacking.
Sites are connected through Site Links. Sites can replicate through Site Link Bridges. Site Link Bridges are kind of like routers for replication.
Global Catalog Servers store searchable indexes of the Active Directory database. There should be at least one Global Catalog server at each site.
It is best to use Microsoft's built-in DNS Server on a Windows Server 2012 network. You can use a Unix DNS Server, but...
WINS (Windows Internet Naming Service) was Microsoft's attempt to compete with DNS. You will rarely ever see it, but if you have very old legacy systems you may need to create a WINS server.
Using Microsoft's DHCP Server is usually the best bet on a Windows domain.
Using Windows DNS and DHCP allows for multiple servers for fault tolerance and increased security.
Views: 580684 Eli the Computer Guy
Active Directory has forests and trees, which are ways of representing multiple domains. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video looks at how domains sharing the same namespace are considered a tree. Domains in separate namespaces are considered separate trees in the same forest.

Tree
When you have multiple domains in the same namespace (e.g., ITFreeTraining.com, west.ITFreeTraining.com, and sales.ITFreeTraining.com), they are considered to be in the same tree. The tree also supports multiple levels of domains. For example, you could have west.sales.ITFreeTraining.com and east.ITFreeTraining.com in the same tree.

Forest
A forest is a collection of one or more domains which may have one or more trees. What makes a forest unique is that it shares the same schema. The schema defines what and how Active Directory objects are stored. The schema defines the database for the whole forest, but it should be remembered that each domain in the forest has its own copy of the database based on the schema.

Trusts
Parent and child domains are automatically linked by a trust. Users in different domains can use these trusts to access resources in another domain, assuming that they have access. Trees in the forest are linked together via a trust automatically. This ensures that any user in any domain in the forest can access any resource in the forest to which they have access.

Global Catalog
In order for users to find resources in any domain in the forest (remember that each domain has a separate database), Domain Controllers can be made into Global Catalog Servers. A Global Catalog Server contains partial information about every object in the forest. Using this information, the user can conduct searches.
Views: 230542 itfreetraining
Support NLB Solutions - https://www.patreon.com/NLBSolutions

In this video I am going to show you an issue with my Active Directory replication between my two DCs and how I managed to resolve it.

Tips and tricks for demoting a DC:
1. Always try graceful removal first; if you are not able to gracefully remove the DC, proceed with forced removal.
2. If you are performing a forced removal, disconnect your DC in order to prevent corruption on your working DC.
3. Perform metadata cleanup from AD Users and Computers, DNS and AD Sites and Services when possible. If not, you can proceed with ntdsutil /metadatacleanup.
4. After promotion, leave the DCs to "talk" to each other in order to replicate all AD info.
Views: 122936 NLB Solutions
In this video we look at where the setting is located that determines which domain controllers hold the Global Catalog and which do not.
Views: 1888 Михаил Мастаков
Lightweight Directory Services is a lightweight version of Active Directory Domain Services. This video provides an introduction to Lightweight Directory Services and what it can and cannot do. Download the PDF handout http://itfreetraining.com/handouts/adlds/adlds-intro.pdf

AD LDS
Active Directory Lightweight Directory Services (AD LDS) was originally a downloadable add-on to Windows Server called Active Directory Application Mode (ADAM). In Windows Server 2008 this became an additional role included in the operating system. AD LDS uses the same code as AD DS and thus provides some of the same functionality. As you will see, it provides a lot of the same functionality but is also flexible enough to offer additional options that are not possible using AD DS.

AD LDS Example
In this example, a user needs to access a web server. This web server has been placed on a perimeter network and separated from the internet and the internal network by a firewall. The web server needs to be able to authenticate users; however, for security reasons the company does not want to place a Domain Controller on the perimeter network. Rather than install a Domain Controller on the perimeter network, another option is to install AD LDS on the web server. Since it uses the same code base as a Domain Controller, it is able to authenticate users the same way a Domain Controller would. In order to achieve this, the user database is replicated from a Domain Controller on the internal network to the perimeter network. AD LDS also allows you to choose which data you want to replicate; for example, you could choose to replicate the user data but not the group data. AD LDS also allows additional data to be added. This means the web server can access that additional data through AD LDS, so it does not need to be added to AD DS. This solution helps keep Active Directory secure and also helps prevent extra data being added to the database.

Differences between AD LDS and AD DS
AD LDS is designed more to run software rather than to run domains, so it is not a replacement for AD DS. It can run on a computer that is in a workgroup, does not require DNS and can also run on client operating systems like Windows 7 and 8. For this reason, it is a good choice for application support and for testing. For example, a developer can have their own install running on their client operating system and thus be able to make whatever changes they want, something that is not possible using a production domain. AD LDS supports multiple instances as well, so the administrator is free to create as many local copies as they wish. AD LDS does not support domain features like group policy, global catalog support and the ability to manage workstations. For this reason it cannot be used as a replacement for Domain Controllers. Even though these domain features are not available, AD LDS does support sites and replication. This means AD LDS installations can replicate data between each other and also with Domain Controllers; however, trusts are not supported, so this limits an AD LDS instance to working with only the one domain.

Differences between Directory Services and Databases
A directory service and a database fundamentally work differently. For this reason they tend to be used for different types of applications. Directory Services are hierarchy-based, allowing security to be applied to an object. If you want to add additional objects you need to change the schema. Changes to the schema cannot be undone after they have been made. Since Directory Services are hierarchical in nature, they can perform fast searches; for example, looking up a person in the Directory Service would be quite fast. Directory Services can be modified in multiple locations at the same time. If multiple changes are made at the same time, the last write performed will overwrite any previous writes.

A relational database in comparison offers faster write times than a directory service, as the data is stored in rows and columns rather than a hierarchy. Data is locked before it is updated, so there is no chance that data will be changed in two locations at the same time. A relational database does not have a schema, so changes to the layout of the data can be made at any time. This includes the ability to reverse changes later on, which is not possible with a Directory Service. For the rest of the description please see http://itfreetraining.com/adlds#intro

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 731-741
"Active Directory Lightweight Directory Services Overview" http://technet.microsoft.com/en-us/library/hh831593.aspx
Views: 76752 itfreetraining
Step by Step video tutorial on Server 2012 Setup Active Directory Domain Services Role AD DS http://www.avoiderrors.net/?p=12830
Views: 2767 AvoidErrors
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.

Active Directory allows you to model your physical network topology using sites. This video looks at how to create sites in Active Directory. Creating sites allows you to control how data is replicated in your organization.

Demonstration 04:05

Sites Definition
Microsoft defines a site as a group of well-connected networks.

Advantages of sites
1) Sites automatically direct users to the closest resource.
2) Schedules can be configured that allow the administrator to control when replication will occur.

Site design
Multiple networks can be combined together regardless of which IP address ranges they use. If you have two networks separated by a high-speed networking device, you may want to combine these networks together. Usually networks that are separated by a Wide Area Network will be put into different sites. You could also place different networks into different sites for security reasons. For example, if you had a secure network holding your intellectual property separated by a firewall, you may decide to put this network in its own site to reduce the amount of traffic travelling between the networks. Less traffic travelling between the networks means fewer rules that have to be created on the firewall between the networks.

Protect objects from accidental deletion
A lot of objects in Active Directory have the option to protect the object from accidental deletion. The tick box for this will be found in the properties for the object on the Object tab. If the option is ticked and an attempt to delete or move the object is made, an access denied message will be displayed. To perform either of these actions, the tick box needs to be cleared first.

Demonstration
To create or change the site configuration, open Active Directory Sites and Services from Administrative Tools under the Start menu. When you first install Active Directory, a site will be created called Default-First-Site-Name. This site can be renamed, deleted when no longer required, or simply not used. Under the site container, the Domain Controller(s) for that site will be listed. When you promote a server to a Domain Controller, the wizard will look at the IP address of the server and suggest a site in which to put the Domain Controller, or you can choose your own. For this reason, the Domain Controller should be put into the correct site when it is promoted, assuming the site exists. If you need to physically move the Domain Controller or it has been put into the wrong site, you can move the Domain Controller object to another site at any time. To create a new site, right-click Sites and select New Site. The network address will then need to be entered (either the IPv4 or IPv6 network address).
Views: 124886 itfreetraining
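The Sites and Services procedure from the description above as PowerShell, added as an example rather than taken from the video: it creates a site with its subnet, joins the site to a site link so replication to it is scheduled, moves a Domain Controller into it, and reads back the "protect from accidental deletion" flag. It assumes the ActiveDirectory module; "Branch-Office", "10.20.0.0/16", "DC3" and the site link name "DEFAULTIPSITELINK" (the link created with the first site) are placeholders.

```powershell
# Added example (not from the video). Assumes the ActiveDirectory module;
# site, subnet, DC and site-link names are placeholders.
Import-Module ActiveDirectory

function New-BranchSite {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $Subnet,          # IPv4 or IPv6 network, e.g. 10.20.0.0/16
        [string] $SiteLink = 'DEFAULTIPSITELINK'
    )
    # 1. The site itself (what "right-click Sites > New Site" does), protected so that
    #    a stray delete or move is refused with "access denied".
    New-ADReplicationSite -Name $SiteName -ProtectedFromAccidentalDeletion $true
    # 2. The subnet mapping that tells clients, and the promotion wizard, which site
    #    an IP address belongs to.
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
    # 3. Put the site on an existing site link; without one nothing replicates to it.
    Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{ Add = $SiteName }
    Get-ADReplicationSite -Identity $SiteName
}

function Move-DcToSite {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [string] $SiteName
    )
    # A DC promoted into the wrong site (or physically relocated) can be moved any time.
    Move-ADDirectoryServer -Identity $DomainController -Site $SiteName
}

function Test-AccidentalDeletionProtection {
    param([Parameter(Mandatory)] [string] $SiteName)
    # Reads the same flag as the tick box on the Object tab, without trying a delete.
    $site = Get-ADReplicationSite -Identity $SiteName -Properties ProtectedFromAccidentalDeletion
    return [bool]$site.ProtectedFromAccidentalDeletion
}

function Get-DcBySite {
    # Which Domain Controllers live in which site: the view Sites and Services gives.
    Get-ADDomainController -Filter * | Group-Object Site |
        Select-Object @{ n = 'Site'; e = { $_.Name } },
                      @{ n = 'DomainControllers'; e = { $_.Group.Name -join ', ' } }
}

# Usage (placeholders):
# New-BranchSite -SiteName Branch-Office -Subnet 10.20.0.0/16
# Move-DcToSite -DomainController DC3 -SiteName Branch-Office
# Test-AccidentalDeletionProtection -SiteName Branch-Office   # expected: True
# Get-DcBySite
```

The subnet step is the one most often forgotten: a site with no subnets attached never receives clients, because the locator maps a client's IP address to a site through these subnet objects.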
Active Directory has five operations master roles, otherwise known as FSMO roles. Check out http://itfreetraining.com for more of our always free training videos. These roles are assigned to one Domain Controller to ensure changes happen in only one location at a time. This ensures that the Active Directory database is kept consistent. This video goes through the five operations master roles. At the forest level, there is the Schema Master and Domain Naming Master. At the domain level, the 3 other operational roles are Infrastructure Master, PDC Emulator and RID Master.

Schema Master 01:32
Domain Naming Master 03:01
RID Master 03:53
PDC Emulator 07:06
Infrastructure Master 11:03

Schema Master (Forest Wide)
The Schema Master determines the structure and thus what can be stored in Active Directory. It contains details of every object that can be created and the attributes for that object. For example, if you want to add an attribute to every user in the forest (such as a field with the user's pay grade in it), you would add an attribute to the schema to accommodate this change. It is important to think carefully before making changes to the schema, as changes to the schema can't be reversed but they can be disabled. If you want to test changes to the schema, create a new forest and make your changes there so the production environment is not affected.

Domain Naming Master (Forest Wide)
The Domain Naming Master is responsible for ensuring that two domains in the forest do not have the same name.

Relative ID Master (RID Master)
This master role allocates RID pools. A RID is a sequential number that is added to the end of a SID. A SID, or security identifier, is required for every Active Directory object. An example of a SID is shown here: S-1-5-21-1345645567-543223678-2053447642-1340. The RID is the last part of the SID, in this case 1340. The RID Master allocates a pool or block of RIDs to a Domain Controller. The Domain Controller uses the RID pool when Active Directory objects are created. The Domain Controller will request a new RID pool before it runs out. However, keep in mind that if you create a lot of Active Directory objects at once, the RID Master will need to be online to allocate new RID pools. If the Domain Controller runs out of RIDs and can't contact the RID Master, no objects in Active Directory can be created on that Domain Controller.

PDC (Primary Domain Controller) Emulator
Originally the PDC Emulator provided a bridge between Windows NT4 Domain Controllers and Windows Server 2000 Domain Controllers. Even if you do not have any NT4 Domain Controllers on your network, it still provides some services. The PDC Emulator forms the root of the time sync hierarchy in your domain. All other Domain Controllers will sync their time from this Domain Controller. Your clients and servers will in turn sync their time from their local Domain Controller. You should configure the PDC to sync its time from an external time source to ensure that it is accurate. When a user enters a wrong password, the PDC Emulator may be contacted to find out if this password is in fact an updated password. Password changes are replicated to the PDC Emulator first, and thus it is considered the final authority on correct and incorrect passwords. The PDC Emulator is contacted when changes to DFS (Distributed File System) are made. This can be switched off if the load on the PDC Emulator becomes too great.

Infrastructure Master
The Infrastructure Master is responsible for ensuring that objects that use multiple domain references are kept up to date and consistent. When you are in a single domain you don't need to worry about this.
In a multiple domain environment with Windows Server 2000/2003 Domain Controllers, you must ensure that the Domain Controller that is holding the Infrastructure Master role is not a Global Catalog Server or all of the Domain Controllers will be Global Catalog Servers. If the Domain Controller is a Global Catalog Server this can cause objects in the domain not to update correctly. If you only have Windows Server 2008 Domain Controllers, you don't need to worry about whether the Infrastructure Master is on a Global Catalog Server or not.
Views: 124869 itfreetraining
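The checks a practitioner wants after reading the role descriptions above, written here as an added PowerShell example (not code from the video): list the five role holders, apply the Infrastructure Master / Global Catalog placement rule from the text, read which time source the PDC Emulator is using, and transfer a role gracefully. It assumes the ActiveDirectory module and a domain admin session; "DC2" is a placeholder.

```powershell
# Added example (not from the video). Assumes the ActiveDirectory module; "DC2" is
# a placeholder Domain Controller name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Forest-wide roles come from the forest object, domain-wide roles from the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule from the description: in a multi-domain forest the Infrastructure Master
    # must not be a Global Catalog unless every DC in the domain is one. Returns
    # $true when the placement is acceptable (matters with 2000/2003 DCs present).
    $forest = Get-ADForest
    if (@($forest.Domains).Count -lt 2) { return $true }
    $dcs    = Get-ADDomainController -Filter *        # DCs of the current domain
    $imHost = (Get-ADDomain).InfrastructureMaster
    $im     = $dcs | Where-Object { $_.HostName -eq $imHost }
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    return (-not $im.IsGlobalCatalog) -or $allGc
}

function Get-PdcTimeSource {
    # The PDC Emulator is the root of the time hierarchy; it should sync from an
    # external source, not from "Local CMOS Clock" or another DC in the domain.
    $pdc = (Get-ADDomain).PDCEmulator
    Invoke-Command -ComputerName $pdc -ScriptBlock { w32tm /query /source }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string[]] $Role
    )
    # Graceful transfer while the current holder is online. Adding -Force seizes the
    # role instead, which is only for a holder that is permanently gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
}

# Usage (placeholders):
# Get-FsmoRoleHolder
# Test-InfrastructureMasterPlacement
# Get-PdcTimeSource
# Move-FsmoRole -TargetDc DC2 -Role PDCEmulator
```

Get-PdcTimeSource is the quickest way to catch the common misconfiguration the description warns about: a PDC Emulator that still reports "Local CMOS Clock" is the root of the hierarchy but has no accurate source of its own.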
https://marvel-it.icu/iaddswse-implementing-ad-domain-services-on-a-windows-server-environment/6-2-configure-the-global-catalog-gc-umgc-examine-directory-partitions-ad-dns-zones-ws-2012

Welcome back to Active Directory Replication and the role of Sites in our domain network! Before we look at the main role of Sites (replication), let's take a look at the benefits of the design so far.

[00:05] According to part 1, you now have a physical domain network structure: we divided it into subnets/sites, designated appropriate Domain Controllers, etc. Sites were born to serve the "replication" purpose of Active Directory. And one of the most important services is the Global Catalog, which provides a central repository of domain information for the forest by storing partial replicas of all domain directory partitions. http://bit.ly/how-gc-TN-AD

[00:13] So, servers which run these services must be reachable all the time, and they must also synchronize with each other efficiently. That's why we configure it in conjunction with Sites. The first domain controller in a forest is automatically designated as a Global Catalog. Thereafter, a domain controller can be designated as a Global Catalog in the NTDS Settings Properties dialog box in Active Directory Sites and Services. http://bit.ly/gc-server-tn

[00:21] This DC's type is Global Catalog.
[00:28] We can enable/disable it here.
[00:39] Universal Group Membership is part of domain login, and it is not stored on all domain controllers. So, we can take advantage of GC servers together with the Site's distributed design, turning them into endpoints that provide resilient/fault-tolerant authentication by caching this membership info. http://bit.ly/config-ugm-AD-TN
[00:55] Let's enable Universal Group Membership Caching.
[00:59] In the "Refresh cache from" list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK (the master in the replication model). http://bit.ly/when-not-ad-ugm

You may wonder how, with just some configuration in Active Directory Sites and Services, the client can know which servers share the same Site to contact. That's DNS, with the help of the "Locator" (the Windows Server 2003 or later domain controller locator, implemented in the Net Logon service, enables a client to locate a domain controller).

[01:12] During a search for a domain controller, the Locator attempts to find a domain controller in the site closest to the client. When DNS is used, the Locator searches first for a site-specific DNS record before it begins to search for a DNS record that is not site-specific (thereby preferentially locating a domain controller in that site). http://bit.ly/how-dns-support-AD
[01:19] Let's see these records by opening DNS Manager.
[01:31] Let's examine the _tcp records of the Default site.
[01:42] In addition, if these DNS zones are AD-integrated, they are stored in the Active Directory database (whose raw format is just an LDAP database) instead of plain-text zone files, thus taking advantage of AD's automatic replication and removing the need for primary/secondary DNS servers. http://bit.ly/AD-DNS-zone-where http://bit.ly/ad-dns-zone-loc

From this "simple" LDAP database, tools/consoles present records in meaningful ways:
- DNS Manager helps configure AD-integrated zones, records, etc. (System container)
- The Active Directory Schema console configures class and attribute definitions for all existing and possible Active Directory objects. (Schema partition)
- Active Directory Users and Computers manages users, computers, groups, and other objects of the domain. (Domain partition)
And so on. In this case, we will use ADSI Edit to view them all in raw form, to get an overview of how the "directory namespace" is divided into "directory partitions" to serve the management/replication/sync purpose.

[02:01] Open ADSI Edit, then connect to a well-known Naming Context first. http://bit.ly/adsi-edit-ad-plan
[02:32] Now connect to the Microsoft DNS container where the AD-integrated DNS zones reside, as mentioned.
[03:00] Oops, make sure you have experience with this tool as well as with manipulating an LDAP database like Active Directory. Take a look at the LDAP Namespace Structure: http://bit.ly/LDAP-namespace
[03:18] Let's examine these LDAP records.
[03:35] This is the DNS zone SnoOpy.com as we saw in DNS Manager, and its records in flat format; they have no transparent structure at all.

So far, with episode 1, we know the benefits of Sites in replication operations, latency reduction, traffic optimization, etc. And now, with part 2, we understand the key that participates in the sync/replication process: the Global Catalog; a genius feature can ...

[SHAZAM] http://shazam.marvel-it.icu/s=eab6b99b&f=6wkzRypD
http://marvel-it.icu
Do not forget to LIKE, SHARE, SUBSCRIBE and feel free to ask me questions or discuss with everyone :]
Views: 0 Marvel Thang
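The two things this walkthrough looks at by hand, the site-specific locator records in DNS Manager and the directory partitions in ADSI Edit, can be read from the command line. The following is an added PowerShell example, not code from the video: it queries the SRV records the locator tries in order, lists the well-known naming contexts from RootDSE, and finds the dnsZone objects that hold AD-integrated zones. It assumes the ActiveDirectory and DnsClient modules; the site name defaults to Default-First-Site-Name and the domain and forest names are read from the current machine.

```powershell
# Added example (not from the video). Assumes the ActiveDirectory and DnsClient
# modules on a domain-joined machine; the site name is a placeholder default.
Import-Module ActiveDirectory

function Get-DcLocatorRecord {
    param(
        [string] $Domain = (Get-ADDomain).DNSRoot,
        [string] $Forest = (Get-ADForest).RootDomain,   # _gc records live under the forest root
        [string] $Site   = 'Default-First-Site-Name'
    )
    # The locator queries the site-specific names first and only falls back to the
    # domain-wide names if nothing in the client's site answers.
    $names = @(
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",    # DCs in this site
        "_gc._tcp.$Site._sites.$Forest",                # Global Catalogs in this site
        "_ldap._tcp.dc._msdcs.$Domain",                 # any DC in the domain
        "_gc._tcp.$Forest"                              # any GC in the forest
    )
    foreach ($name in $names) {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority, Weight
    }
}

function Get-DirectoryPartition {
    # The "well-known naming contexts" ADSI Edit offers, read from RootDSE.
    $root = Get-ADRootDSE
    [pscustomobject]@{
        Domain        = $root.defaultNamingContext
        Configuration = $root.configurationNamingContext
        Schema        = $root.schemaNamingContext
        All           = $root.namingContexts    # includes DomainDnsZones / ForestDnsZones
    }
}

function Get-AdIntegratedDnsZone {
    # AD-integrated zones are dnsZone objects under CN=MicrosoftDNS, either in the
    # DomainDnsZones application partition or (older zones) in CN=System of the domain.
    $domainDn = (Get-ADRootDSE).defaultNamingContext
    foreach ($base in "DC=DomainDnsZones,$domainDn", "CN=System,$domainDn") {
        Get-ADObject -SearchBase "CN=MicrosoftDNS,$base" -SearchScope OneLevel `
            -Filter { objectClass -eq 'dnsZone' } -ErrorAction SilentlyContinue |
            Select-Object Name, DistinguishedName
    }
}

# Usage:
# Get-DcLocatorRecord -Site Default-First-Site-Name | Format-Table
# Get-DirectoryPartition
# Get-AdIntegratedDnsZone
```

A site whose _ldap._tcp.<site>._sites record set comes back empty is the symptom to look for when clients in that site authenticate against a DC across the WAN: either no DC is in the site, or the DC's Net Logon service has not registered its records.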
This video looks at the different group types available in Active Directory. These include Local, Domain Local, Global, and Universal. The video also covers the membership requirements for each of the different groups and converting between group types. Finally, this video looks at distribution vs security groups.

Demonstration 14:35

Distribution Group
Any group in Active Directory can be created as either a distribution group or a security group. Distribution groups do not have a SID (Security Identifier) associated with them. For this reason distribution groups can't be used for security. That is, a distribution group cannot be used to assign permissions to files or objects. Distribution groups are mainly used with e-mail programs like Exchange to send e-mails to groups of people. Since there is no SID associated with the group, making a user a member of a distribution group does not affect the size of the security token for that user. A security token is created when the user logs in and contains their SID and the SIDs of any security groups of which they are a member.

Security Group
A security group has a SID and thus can be used for assigning permissions to files or objects. A security group can also be used as a distribution group in e-mail software like Exchange. Thus, the difference between a security group and a distribution group is simply that a security group is security enabled whereas a distribution group is not. If you are not sure which group to create, create a security group, since it can do everything a distribution group can do and can also be used in security-related operations.

Local Group
Local groups exist only on the computer on which they were created. A local group can have as a member any user or computer account as well as any other type of valid group.

Domain Local Group
Domain Local groups can only be used in the domain in which they were created. A Domain Local group allows membership from any other group as well as any user or computer. Domain Local groups from other domains cannot be used as members because they are limited in their use outside of the domain in which they were created. Universal groups can only be used as members when the Universal group exists in the same forest as the Domain Local group.

Global Group
Global groups have the most restrictive membership requirements, only allowing users, computers, and other Global groups from the same domain to be used as members. However, Global groups can be used as members of any other group, including in other forests and external domains. This means a Global group has the most restrictive membership requirements of all the groups but is the most flexible when being used as a member of other groups.

Universal Group
The Universal group is replicated via the global catalog server. For this reason, it is available to any domain in the forest but not to other forests or external domains. Since the Universal group is available forest wide, it does not allow Domain Local groups to be members, even when the Universal group has been created in the same domain as the Domain Local group.

Summary of Groups' Membership
1) Users and computers can go into any group in any domain and any forest or external domain, if the group supports it.
2) Local and Domain Local groups allow the same membership requirements.
3) Universal, Domain Local and Local groups have the least strict membership requirements, allowing any valid group with appropriate scope to be a member.
4) Global groups can contain only users, computers and other Global groups from the same domain only.
5) Global groups can be used everywhere: any domain, forest or external domain.
6) Universal groups are available only in the same forest since they are replicated using the global catalog. Since they are forest wide, Domain Local groups can't be members, since the Domain Local scope is limited to the domain in which they were created.

Description too long for YouTube. Please see the following link for the rest of the description. http://itfreetraining.com/70-640/group-types

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory" pg 145-152
"Active Directory Users, Computers, and Groups" http://technet.microsoft.com/en-us/library/bb727067.aspx
Views: 93933 itfreetraining
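The membership rules summarised above, turned into an offline check so the whole matrix can be seen at once, plus the cmdlets that read and convert a group's scope. This is an added PowerShell example, not code from the video. Test-GroupNesting encodes only the six rules stated in the description; how a Local group behaves as a member of another group is not covered by the text, and treating it as never nestable is an assumption of this example.

```powershell
# Added example (not from the video). Test-GroupNesting and Show-NestingMatrix run
# offline; Convert-GroupScope needs the ActiveDirectory module and a real group name.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Test-GroupNesting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('User','Computer','Local','DomainLocal','Global','Universal')]
        [string] $MemberType,            # what you want to add as a member
        [Parameter(Mandatory)]
        [ValidateSet('Local','DomainLocal','Global','Universal')]
        [string] $TargetScope,           # the group it is being added to
        [switch] $SameDomain,            # member and target live in the same domain
        [switch] $SameForest             # same forest (implied by -SameDomain)
    )
    $sameForest = $SameForest -or $SameDomain
    # Rule 1: users and computers can go into any group anywhere (given a trust).
    if ($MemberType -in 'User','Computer') { return $true }
    # Assumption (not from the description): a Local group is never a member of
    # anything else, since it exists only on the computer it was created on.
    if ($MemberType -eq 'Local') { return $false }
    switch ($TargetScope) {
        'Global' {
            # Rule 4: only Global groups from the same domain.
            return ($MemberType -eq 'Global' -and $SameDomain)
        }
        'Universal' {
            # Rule 6: forest-wide, so Global/Universal groups from the same forest
            # and never a Domain Local group, even from the same domain.
            return ($MemberType -in 'Global','Universal' -and $sameForest)
        }
        default {
            # Rule 2: Local and Domain Local accept the same members.
            switch ($MemberType) {
                'Global'      { return $true }        # Rule 5: usable everywhere
                'Universal'   { return $sameForest }  # Universal groups do not cross forests
                'DomainLocal' { return $SameDomain }  # not from another domain
            }
        }
    }
}

function Show-NestingMatrix {
    # Every member type against every target scope for the same-domain case.
    foreach ($target in 'Local','DomainLocal','Global','Universal') {
        foreach ($member in 'User','Computer','Local','DomainLocal','Global','Universal') {
            [pscustomobject]@{
                Target  = $target
                Member  = $member
                Allowed = Test-GroupNesting -MemberType $member -TargetScope $target -SameDomain
            }
        }
    }
}

function Convert-GroupScope {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [ValidateSet('DomainLocal','Global','Universal')] [string] $NewScope
    )
    # Reads the current scope and category, then converts the scope. Active Directory
    # refuses a conversion that would leave an existing membership breaking the rules.
    $group = Get-ADGroup -Identity $GroupName -Properties GroupScope, GroupCategory
    "$($group.Name): $($group.GroupCategory) group, scope $($group.GroupScope)"
    Set-ADGroup -Identity $group -GroupScope $NewScope
}

# Usage:
# Show-NestingMatrix | Format-Table
# Test-GroupNesting -MemberType DomainLocal -TargetScope Universal -SameDomain   # False
# Test-GroupNesting -MemberType Global -TargetScope DomainLocal                  # True
```

Running Show-NestingMatrix is a quick way to confirm the point the description makes: the Global row is True for every target while the Global column accepts almost nothing, which is exactly the "restrictive to join, flexible to use" property the text describes.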
Active Directory basic tutorial video explains the fundamentals of Active Directory, gives an insight into the Active Directory objects and enumerates the benefits of using Active Directory Domain Services. ADManager Plus is a simple, easy-to-use Windows Active Directory management and reporting solution that helps AD administrators and help desk technicians with their day-to-day activities. With a centralized and intuitive web-based UI, the software handles a variety of complex tasks like bulk management of user accounts and other AD objects, delegates role-based access to help desk technicians, and generates an exhaustive list of AD reports, some of which are an essential requirement to satisfy compliance audits. https://www.manageengine.com/products/ad-manager/
Views: 65841 ManageEngine ADSolutions
This video by Jagvinder Thind explains what the Active Directory schema is, in Hindi. Active Directory training in Hindi.
Views: 63732 JagvinderThind
This video demonstrates how to add a second domain controller to a new Active Directory domain. It is important to ensure that DNS is set up properly for everything to work correctly, so DNS is stressed as well.
Views: 73076 Patrick Hornung
How To Manage Global Catalog Servers in Active Directory Quick & Simple. See documented video and more on http://www.arondmessaging.ro/
Views: 8396 AMTC
You can find an updated version of this video here: https://youtu.be/i9I5poSokow. Active Directory stores all information and settings for deployment in a central database. It allows administrators to assign policies, as well as deploy and update software. Active Directory networks can vary from a small installation with a few computers, users, and printers, to tens of thousands of users, many different network domains, and large server farms spanning many geographical locations. ADManager Plus is an easy-to-use Windows Active Directory management and reporting solution that helps AD administrators and help desk technicians with their day-to-day activities. With a centralized and intuitive web-based UI, ADManager Plus handles a variety of complex tasks like bulk management of user accounts and other AD objects, delegating role-based access to help desk technicians, and generating an exhaustive list of AD reports, some of which are an essential requirement for satisfying compliance audits.
Views: 501115 ManageEngine
Click to Subscribe: https://goo.gl/r5bxTv Website: http://www.techvastvlogger.com Facebook:https://www.facebook.com/techvastvlogger/ Twitter: https://twitter.com/techvastvlogger Instagram: https://www.instagram.com/techvastvlogger
Views: 3330 TechVastVlogger
ADCS (Active Directory Certificate Services) installed and configured in Windows Server 2008 R2.
Views: 23694 naveen MCITP
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.

To install Active Directory you need to promote your first server to a Domain Controller. This video looks at the process of using DCPromo as well as the prerequisites required. The video also discusses DNS requirements for Active Directory. DNS is required by Active Directory in order to operate.

Demo Network Setup 01:49
Demo DCPromo 04:47

Prerequisites
Server must have an IPv4 and/or IPv6 static address.
DNS infrastructure (either Microsoft or 3rd party). Microsoft DNS can be installed when promoting the server. If you install DNS during the install, set the DNS server to 127.0.0.1.
The Active Directory Domain Services role needs to be installed in order for the server to be promoted to a Domain Controller. This can be done through Server Manager or when using DCPromo.

When you are ready to promote your server to a Domain Controller, run the command DCPromo. This will install the Active Directory binaries if required and run the wizard. If you already have an existing forest you can choose to add this server to an existing forest. If you do not have any Domain Controllers on your network you need to create a new forest.

The forest and domain functional levels affect only Domain Controllers. The domain functional level will determine which Domain Controllers you can add to that domain. For example, if the domain functional level was set to Windows Server 2003, you would only be able to have Windows Server 2003 Domain Controllers and above in the domain. The forest level affects which domain levels you can have. If the forest level was set to Windows Server 2008, then only domains that have a functional level of Windows Server 2008 could be added to the forest. The higher the forest and domain levels, the more features of Active Directory are available. If you are not sure what levels to configure, set the forest and domain functional levels low. You can always raise the functional levels but you can't lower them.

The wizard will ask you for a recovery password. This will be used if you need to perform certain operations in Active Directory later on. For example, if you need to perform restore operations later on you can only perform these in Active Directory Recovery Mode, which requires this password. For day-to-day activities this password is not required.

Once the server has been promoted to a Domain Controller, the local users and groups will no longer be accessible, for security reasons. If you need to configure access to a resource on the server (for example, you need to share a folder), you will need to use a domain user.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
Views: 129413 itfreetraining
In this video, Sybex Author and StormWind Instructor William Panek will teach you the 5 Operation Master Roles and what each Role does. You will also learn how to transfer the roles and also check to see which roles are on which Domain Controllers. Please make sure to subscribe to the channel and let me know if there are any other videos that you would like to see.
Views: 9136 William Panek
This video looks at how to add a child domain to an existing domain in Active Directory. Child domains can access resources from the parent and also from any other domain in the forest. This video will look at adding the east domain to the existing domain. Demonstration at 04:35

Things to consider before adding a child domain
The more domains that you have in your forest, the harder it will be to administer your network. When possible, you should attempt to reduce the number of domains in your forest. Sometimes, due to company needs or security reasons, extra domains may be created. It should be remembered that in Windows Server 2008 there have been a number of improvements and features which in previous versions of Windows would have required additional domains. These are:
1) Active Directory could previously only have one password policy per domain. If your domain functional level is Windows Server 2008 or higher, you can support multiple password policies for the same domain.
2) With Windows NT the database was limited to 40 MB, which was around 40,000 objects. Because of this multiple domains may have been required, whereas Active Directory now only requires one.
New domains may also be created due to different business unit requirements. In a lot of cases you can separate departments and even companies using organizational units inside Active Directory; however, dealing with things like different company budgets is not as simple. If the companies have different IT support staff, they will probably want different domains.

Demonstration
Creating a new domain or adding a domain controller to an existing domain is all done using DCPromo.
1) When asked, select the option at the top, existing forest. Under this, select the option "create a new domain in an existing forest." This will create the first domain controller in your new domain in the existing forest.
2) You will next be asked for the credentials of a user to add the domain to the existing forest. This needs to be a user in the Enterprise Administrators group; however, the user does not need to be in the root domain: they can be located in any domain in the forest.
3) Next you need to enter the name of the parent domain of the child domain. If you are creating a new tree, enter the new namespace. DCPromo will understand this is a new tree rather than a child domain.
4) Once the relevant details are entered, a Domain Naming Master will be contacted to see if this domain already exists. If the Domain Naming Master can't be contacted DCPromo will fail.
5) Once the Domain Naming Master has been contacted and it has been confirmed this domain does not already exist, you will be asked for the domain functional level. What is available will be determined by the current forest functional level.
6) Next you need to select the site where the domain controller will be. If no sites have been created, you can use "default first site name" for the site.
7) Next you can decide if the domain controller is a DNS server and/or a global catalog server. Even if you are creating a completely separate domain you can use an existing DNS server or even a 3rd party DNS system like UNIX.
8) The wizard will ask you where to put the database, log file and SysVol folder. In most cases leave this on the default.
9) The next screen will ask for an Active Directory recovery password. This is used in certain recovery situations including restoring deleted objects.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
Views: 65815 itfreetraining
Concepts of Active Directory Domain Services (AD DS) that are most important for a domain environment. The video is about what forests, trees and child domains are. Comment below for further queries. Email: [email protected]
Views: 21115 Hadis Khan
Backup and Restore: Active Directory and Windows 2008
Views: 161479 Carly Salali
This video looks at how Domain Controllers in Active Directory replicate data between each other. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. Domain Controllers can either replicate at the site level or between sites. A different approach is used for each because at the site level you want changes to happen quickly. Between sites, replication may be reduced and may even be configured to happen only outside business hours. Demonstration 12:35

Intrasite replication
This is replication that happens inside one site between the Domain Controllers in that site. Active Directory will automatically connect all the Domain Controllers together to form a ring. Each Domain Controller will have two incoming connections and two outgoing connections. This ensures some redundancy in the site if a Domain Controller were to become unavailable. Intrasite replication happens 15 seconds after a change is made to the Active Directory database. If there are more than 3 hops between Domain Controllers in the one site, then more connections will be made between the Domain Controllers until the hop count is less than 3 between all Domain Controllers. This ensures that a change will reach all Domain Controllers in the one site in less than a minute.

Intersite replication
Intersite replication is replication that happens between different sites in Active Directory. These connections are not made automatically and need to be made by an Administrator.

Bridge Head Server
In each site, a Domain Controller is selected to replicate changes from that site to another site. This Domain Controller is called a Bridge Head Server. The Bridge Head Server is selected automatically but you can also manually select a Domain Controller or Domain Controllers to be a Bridge Head Server in a site. If you do manually select the Bridge Head Server(s) and all the Bridge Head Servers are down, replication will not occur from that site.

Site Links
A site link is created by an Administrator to link sites together. Site links can have a replication schedule applied to them to determine when replication occurs.

Site Link Cost
Each site link can have a cost associated with it. This is a numeric value that weights the site link. The site links with the lowest cost between two sites will be used. This allows you to configure Active Directory to use backup site links when the primary site link goes down.

Site Transports
Site links support two different transport protocols. These are RPC over IP and SMTP. SMTP does not support file replication and thus on most networks only RPC over IP will be used. SMTP could be used between domains in the forest as this kind of replication does not require file replication. RPC over IP is often referred to as just IP.

Knowledge Consistency Checker (KCC)
The KCC is responsible for creating connections between different Domain Controllers inside a site and between sites. It does this with information from the Active Directory database so, given the same data, it should always make the same decisions about which connections to create. The KCC runs every 15 minutes.

Demonstration
To create site links in Active Directory, open Active Directory Sites and Services from Administrative Tools under the start menu. Site links are under Inter-Site Transports. Under here are the two folders for the IP and SMTP transports. Under IP there may be a site link called DEFAULTSITELINK. This is created automatically when Active Directory is installed. You can use this site link or create a new site link. If you do use this site link, it is recommended that you rename it to a more meaningful name. To create a new site link, right click IP or SMTP and select New Site Link. From the wizard you need to select which sites will use that site link. Microsoft recommends that you should not put more than 3 sites in the one site link. In the properties of the site link you can configure the schedule for the site link, how often replication will occur and also the cost that will be used with the site link.

If you want to see the connections that have been created automatically or manually between different Domain Controllers, expand down until you reach NTDS. In here you will see all the incoming connections for that Domain Controller. To see the outgoing connections, you can open the properties for NTDS and select the connections tab. If you want to force the KCC to run, right click NTDS Settings, select All Tasks and then Check Replication Topology. To force a replication, right click a connection and select Replicate Now. Even though the connection is incoming only, this will replicate data in both directions.

Command line
To force the Knowledge Consistency Checker to run, enter the following (without the site parameter this will only run on that Domain Controller):
RepAdmin /KCC site:(Site name)
To force a replication, run the following:
RepAdmin /SyncAll
Views: 189856 itfreetraining
ADMT is used to quickly move objects around in your forest. It is used during migrations or when you need to move users between domains during restructures or job changes. This video looks at how to install and use ADMT. Handout http://itfreetraining.com/Handouts/70-640/Part2/admt.pdf

Installing ADMT
Before installing ADMT, it is worth downloading the ADMT guide (see link below). The guide will show you which installs are supported. If you download the latest version of ADMT or SQL Express you may have install problems and need to implement a workaround. Reading this guide will tell you which combination of software will work. http://www.microsoft.com/en-au/download/details.aspx?id=19188 Although possible, it is not recommended to install ADMT on a Domain Controller. The install itself may not work correctly and a workaround may need to be implemented in order to get ADMT to work correctly.

Inter-Forest Migration
This is when objects are being moved or copied between domains in different forests. The forests can be connected by any valid trust.

Intra-Forest Migration
This is when the objects are being moved or copied between domains that are in the same forest.

SID History
A SID is a unique number that every object in Active Directory has. When ADMT moves an object it essentially creates a new object in the target domain with the same properties. When a user is moved or copied, the new user will have a different SID than the old user. Because the new user has a different SID, it will not be able to access any of the resources the old SID had access to. SID history allows the SIDs of the old user to be stored with the new user. This essentially allows the new user to access resources that were assigned using the old SIDs.

Demonstration
In this demonstration ADMT 3.2 will be installed on Windows Server 2008 R2 with SQL Express 2008 SP1 providing the database support. We could not get SQL Express 2012 to work in this configuration and the ADMT guide recommended SQL Express 2008 SP1 be used. If you run a different version and have installation errors, search the Microsoft web site for the error. This may give you a workaround to get that configuration to work. Once ADMT is installed, it is a matter of running the required wizard depending on what you want to migrate. When migrating groups, ADMT can be configured to put the user in the same groups that they had in the old domain. In order for this to work, the new domain needs to have those groups created with the same names as in the old domain. If you want to migrate passwords between domains, you will need the Password Export Server to be installed in the other domain. Since ADMT does not check the password policy of the new domain, the user will be asked to change their password when they log in to the new domain.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory" pg 573-576
"Active Directory Migration Tool (ADMT) Guide" http://www.microsoft.com/en-au/download/details.aspx?id=19188
Views: 173306 itfreetraining
In this tutorial, you will learn how to use facebook product catalogs to advertise your products and sell more on your e-commerce store. Links from the video: Facebook Catalog Setup Guide: https://developers.facebook.com/docs/marketing-api/dynamic-product-ads/product-catalog/#feed-format Facebook Pixel Setup Tutorial: https://www.youtube.com/watch?v=UOb5b280DH8 Custom Conversion Events with Facebook Pixel: https://www.youtube.com/watch?v=2fO-KzeEpns Reach me at: http://virenbaid.com/instagram
Views: 14811 Viren Baid
In this video I create a security group in Active Directory of the Microsoft Windows Server 2008 R2 operating system. I create a group named Sales and add a new user to the group. I then apply the security and sharing permissions on a shared object using the Sales group I created. Most of the time groups will be of the Global and Security type. This video is part of the Server 2008 R2 Series from Lecture Snippets. The materials needed to complete the lessons on your own include a disk image of Microsoft Windows Server 2008, Microsoft Windows 7, and the free download from Virtualbox.org to run the virtual machines. For more information and a complete list of the lessons visit Lecture Snippets at http://lecturesnippets.com.
Views: 61780 Lecture Snippets
For the ADDS deployment demo look at minute 1:45. For the D.C. Cloning demo look at minute 18:50. This webcast is the first part of a series and is taken from a speech I held during the Windows Professional Conference 2012 in Milan. English dubber: Courtny. This is an Italian event organized by OverNet Education and Microsoft.

In the agenda we have:
• An overview of New And Updated Features
• An explanation about Simplified Deployment
• A Demo about Windows Server 2012 Domain Controller With GUI
• An overview of what is new on Install From Media
• An introduction to Virtualization-Safe Technology
• An overview of Rapid Deployment and DC Cloning
• A list of Steps for deploying a clone virtualized domain controller
• A Demo about DC Cloning

New And Updated Features
In this picture we can see a list of new or updated features that are important from the directory services point of view. During this webcast (and the following ones) we will only talk about a limited number of features: Simplified Deployment, Virtualization Safe Technology, Rapid Deployment and Active Directory Platform Changes. Active Directory Domain Services (AD DS) deployment in Windows Server 2012 is simpler and faster than in previous versions of Windows Server. The AD DS installation process is now built on Windows PowerShell and is integrated with Server Manager.
Views: 1268 Lync2013
This video looks at how DNS data is stored in Active Directory Integrated zones and how it is replicated around the domain or forest. Once you have finished watching this video you will understand how this DNS data is stored in Active Directory and how you can configure the replication of this data at the domain and forest level. Download the PDF handout http://ITFreeTraining.com/handouts/dns/dns-adpartitions.pdf

Active Directory Partitions
The Active Directory database may be hierarchical in nature but essentially it is a database stored in a single file named NTDS.DIT. Like a drive that may be divided into multiple parts, the Active Directory database is divided into multiple partitions. This is done for organizational and replication needs. For example, certain partitions are configured to be replicated at the domain level while other partitions are configured to be replicated at the forest level.

Application Directory Partitions
This partition is used to store data from applications. This is different from the other partitions as there can be as many or as few as required. Since Microsoft DNS server has data that needs to be stored and replicated around the domain or forest, this is a good choice for an application partition. DNS uses application partitions to store the data from Active Directory Integrated zones. Once stored in the application partition, like any other partition in the Active Directory database it is replicated to the required Domain Controllers using the Active Directory replication system.

Demonstration
Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that allows modification of the objects and attributes in Active Directory.
1) The ADSIEdit tool allows the administrator to see the data stored in the Active Directory database. Unlike other Active Directory tools, this provides a raw method and thus if you use this tool to make changes, changes should be made very carefully. ADSIEdit is found in Administrative Tools under the start menu or in the control panel. If you are using a client operating system like Windows 8, you will need to install the Remote Server Administration Tools (RSAT).
2) To connect to an Active Directory database, right click ADSIEdit and select the option Connect to. There are a lot of different options in here. Under the option "select a well known naming context" you can select common partitions, for example Default naming context, Configuration, RootDSE and Schema. In this particular case I will connect to the configuration partition that contains forest wide configuration information for Active Directory. This partition itself does not contain any DNS data; however, it does list the application partitions that are currently being used and thus gives us a better understanding of DNS data stored in Active Directory.
3) To see what partitions are currently configured in Active Directory, expand down through Configuration to Partitions.
4) In the Partitions container there should be entries for the standard partition types Enterprise Configuration, Enterprise Schema and a domain partition which will be named after your domain. If you have multiple domains, there will be one partition for each domain. Unlike the other partitions, which will have a friendly name associated with them, each application partition will have a unique id associated with it in the form of a random-looking string of characters.

The description is too long for YouTube. Please see the following link for the rest of the description. http://itfreetraining.com/dns#adpartitions See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"How to create and apply a custom application directory partition on an Active Directory integrated DNS zone in Windows Server 2003" http://support.microsoft.com/kb/884116
"Repadmin /syncall" http://technet.microsoft.com/en-us/library/cc835086(v=ws.10).aspx
http://itfreetraining.com/handouts/dns/dnscreatepartition.zip
Views: 38376 itfreetraining
Like domain functional levels, the forest functional level determines which additional features in Active Directory will be available. In order to raise your forest functional level all domains in the forest must be at the corresponding domain functional level or higher. This video looks at the features that are available at each forest level and how to raise the forest level. Raise forest functional level demo 16:04

When looking at an existing network with multiple domains, these domains may have been put in place originally due to limitations in Active Directory. Previously Active Directory was not able to support more than one password policy per domain and, even though quite high, there were some limits to how many users could be put into certain groups. These limits may have meant that more domains were created than would be required nowadays. When raising your domain and forest functional level, consider if any domains can be combined together. Doing so will reduce the complexity of your network and make it easier to support.

Forest Level
Listed below are all the different forest levels and the features that each forest level adds. Remember that to raise the functional level of your forest all domains in that forest must be at that level or higher. In other words, the level you can raise the forest level to will be determined by the domain in the forest with the lowest domain functional level.

Windows 2000 native
Basic Active Directory features.

Windows Server 2003
Forest Trust: Allows a trust relationship between two forests. A forest trust allows resources to be shared between the forests.
Rename Domains: This allows you to change a domain name.
Link Value Replication: This means that only changes to group membership are replicated. Without link value replication, if a group is changed in two locations at once, the record with the newest time stamp is used, replacing all other records, and thus all changes in those records are lost. Using link value replication also reduces the amount of data that is sent over the network during replication.
Improved Knowledge Consistency Checker (KCC): The KCC is responsible for creating replication links between sites. With this forest functional level the KCC is improved, particularly when working with large deployments.
Dynamic Auxiliary Class: Allows Active Directory objects to be created with an expiry time added to the object.
Convert INetOrgPerson to user: Allows an INetOrgPerson object to be converted to a user object and the reverse. The INetOrgPerson object is used when importing or exporting users from Active Directory to another 3rd party directory system. Being able to convert a user object in Active Directory to an INetOrgPerson object makes the process of exporting and importing users with Active Directory a lot easier.
Windows Server 2008 RODC: This forest level is required if you want to start using Windows Server 2008 Read Only Domain Controllers in Active Directory.
Deactivation of attributes: Once you make a change to the schema of Active Directory it can't be deleted. Deactivation allows you to deactivate attributes in the schema that are no longer required.

Windows Server 2008
No new features are added to Active Directory with this forest functional level.

Windows Server 2008 R2
Active Directory Recycle Bin: Allows deleted objects in Active Directory to be restored.

Raising the Forest Functional Level
To raise a forest functional level, run Active Directory Domains and Trusts from Administrative Tools under the start menu. Right click the root of the tree and select Raise Forest Functional Level. From the dialog box select the forest functional level that you want and press Raise. Remember that the process can't be reversed once done and there may be a delay while replication occurs before the changes take effect.

See http://itfreetraining.com or http://youtube.com/ITFreeTraining for our always free training videos. This is only one video of the completely free course for the 70-640 exam available for free on YouTube.
Views: 68440 itfreetraining
This video provides an overview of Group Policy. It explains the basics of how Group Policy works and what can be achieved using Group Policy. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. Download the pdf handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gpintroduction.pdf

What is Group Policy
Group Policy is a system that allows central control of your client computers. Using Group Policy you can control the user experience. This includes configuring settings for the user and also settings that affect the computer as a whole. Group Policy can also be used to deploy and configure software.

Text Based Config Files
Before systems like Group Policy were developed, settings were often kept in text files like ini files. In order to make changes to the ini file, software would rewrite the whole file each time a change was made. Text files were not designed for multiple user environments and don't support rolling back of changes.

Registry
Microsoft introduced the registry to replace text files like ini files. Editing a single value in the registry is a lot easier than editing a single value in a text file. The problem with the registry is that once a change is made, the change is permanent until overwritten by another value.

Group Policy
Group Policy allows changes to be rolled back when they no longer apply. This means that the effects of Group Policy will be reversed when it is no longer being applied. Users and computers can be moved around Active Directory and thus the Group Policy for these objects may change. Since Group Policy reverses any previously made changes, the administrator does not need to worry about what settings were previously applied.

Group Policy Mechanics
Group Policy is created and stored on a Domain Controller. Group Policy is downloaded from the Domain Controller to the local computer and applied. For this reason Group Policy is a client driven technology. It is up to the client to download Group Policy and apply it. Group Policy is applied by Client Side Extensions (CSEs). Each operating system improves and adds CSEs, meaning new clients can process some Group Policy settings that older clients may not be able to process. For a list of all the CSEs installed on a system, refer to the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Group Policy Example
A single Group Policy is divided into two parts called Computer Configuration and User Configuration. Settings that are configured under Computer Configuration affect the whole computer. Settings configured under User Configuration affect only the user that is currently logged in. The user and computer configuration is divided into two parts called Policies and Preferences. Preferences was a late addition to Windows Server 2008. Microsoft purchased another product called PolicyMaker and added this product to Group Policy. The essential difference between the two is that Group Policy is mandatory while preferences can often be overwritten by the user. Policies are divided into 3 parts: Software Settings, Windows Settings and Administrative Templates. Software settings, like installations, are done in here. Windows Settings are more broad stroke settings having an effect on how the computer operates at a low level rather than specific functions. Administrative Templates contain the bulk of the Group Policy settings.

Summary
Group Policy settings are stored in Active Directory. They are client driven and thus the client is responsible for downloading the Group Policy settings and applying them. Group Policy settings are applied to the client by software called client side extensions. If a particular Group Policy setting requires a particular client side extension and that client side extension is not available, the Group Policy setting will not be applied to that computer or user. Group Policy itself is divided primarily into two halves, user configuration and computer configuration. Computer configuration is applied when the computer starts up, while user configuration is applied when the user logs into the computer.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg. 250-251, 254
"Group Policy" http://en.wikipedia.org/wiki/Group_Policy
Views: 116341 itfreetraining
Whoops! You deleted the wrong thing in Active Directory and need to recover. Do you choose an Authoritative or Non-Authoritative restore? In this video, Doug Bassett explains the difference. There are two types of systems in the IT industry, those that have failed and those that will fail. There are also two types of administrators, those that have deleted important data and those that will delete important data. In this excerpt of our Windows Server 2008 R2 Administration class, Senior Technical Instructor Doug Bassett explains the type of Active Directory restore you would use in each of these situations. This is an example of the real-world, online HD certification training done at Stormwind.com. If you have any questions, feel free to email our Senior Technical Instructor Doug Bassett at [email protected] We look forward to seeing you in class soon. stormwind.com
Views: 14610 StormWind Studios
Hello Everyone!! Today I will show how to set up a Domain Controller in Windows Server 2012 R2. In simple words, a Domain Controller is a server that is running a version of the Windows Server operating system and has Active Directory Domain Services installed. So, now what is Active Directory Domain Services or AD DS? Active Directory Domain Services is Microsoft's implementation of a directory service that provides centralized authentication and authorization services. AD DS in Windows Server provides a powerful directory service to centrally store and manage security principals, such as users, groups, and computers, and it offers centralized and secure access to network resources.

Open Server Manager. Click on Dashboard. Now click on Add Roles and Features. Click Next. Select Role-based or feature-based installation. Click Next. Choose Select a server from the server pool. Select your server and then click Next. Now the server roles will be shown. Select Active Directory Domain Services. Click Add Features. Then select DNS Server. Click Add Features. Here we are only going to add Active Directory Domain Services and DNS Server. We will leave the other roles for now. So then click Next. Then all the features will be listed. Check them properly. After reviewing them click Next. Then again click Next. Again click Next. Then click Install. This will take some time. Now as you see, the installation of the features has completed. Great. Still we need to configure some more things. So close the window.

You will see a yellow mark on a flag on the top right of Server Manager. Click on the flag. Click Promote this server to a Domain Controller. Then the Active Directory Domain Services Configuration Wizard will open. Here select the deployment operation. To create a new Active Directory forest, click Add a new forest. You must provide a valid root domain name; the name cannot be single-labeled (for example, the name must be example.com or similar and not just example) and must meet the allowed DNS domain naming requirements. Windows does not permit computer names that exceed 15 characters, and you cannot specify a DNS host name that differs from the NetBIOS host name. Type the domain name. I gave www.testdomaincontroller.com. Click Next.

Now you need to select the Functional Level for the Forest and Domain. By default it will show the operating system of the server. Here it is Windows Server 2012 R2. By default the Global Catalog and DNS Server will be checked for the capabilities. Then type the password for Directory Services Restore Mode. Confirm the password. Then click Next. A warning message will show up but don't worry. Everything will be taken care of. Hit Next. Then it will ask for the NetBIOS name. You can use the same domain name without www or .com for the NetBIOS name but it should not be more than 15 characters. I cannot give the same name as the Domain Controller as it exceeds 15 characters. So I gave the name testnetbios. Click Next.

Now the location of the AD DS database, log files and SYSVOL will be shown. By default it should be under the Windows folder. SYSVOL is a special folder for storing domain public files like logon scripts, GPO templates etc. Click Next. Now review the options properly, like NetBIOS name, Forest and Domain Functional Level and DNS server. Click Next. Now it will check the prerequisites. If everything goes fine a message will be shown on top and it will give the option to install. Click Install. It will take some time for the installation process. Once it is completed the server will reboot automatically. Your Domain Controller has been installed. Click on Tools and it will show all the roles which we installed, Active Directory and DNS. Active Directory and DNS have been successfully installed on the new Domain Controller.
Step-by-step tutorial for [Active Directory] [Domain Controller] [DNS SERVER] [AD DS]
Views: 386 Rajdeep Biswas
Using User Management Resource Administrator to search Active Directory global catalog for all display names.
Views: 1041 advancedtoolware
In this video for Objective 5.3, Creating and Managing Organizational Units and Groups, we will learn the differences between OUs and Groups. Organizational Units are often confused with Security Groups, because we are organizing users or computers into OUs or groups. So the act of putting the objects into the various containers seems to be similar, but OUs and Groups are not the same and cannot be used for the same purposes.

We start by examining what OUs cannot be used for, which is ACLs on a file or folder. They are not security principals like a security group. I demonstrate by creating a folder and trying to add an OU to an ACL. It simply does not exist, because OUs are not used for security on ACLs. We then create a group and add members. We then go back to the folder and apply the security of the group.

We then ask the question, "Why are we organizing users into folders if we can't use them for security?". Which is a valid question, but OUs are used for a very different purpose: applying policies from GPOs (Group Policy Objects) and allowing delegation of an OU to an average user. We then open the GPMC, the Group Policy Management Console, and examine the structure of the OUs, which is almost identical to the domain structure. We then create a GPO and link it to an OU.

Lastly we discuss delegation of an OU to an average user for purposes of password resets. I use the example of an office manager being able to reset his or her employees' passwords with an administrator. We also discuss the "Principle of Least Privilege", which states to give the user only the privileges they need to perform their duties. We then examine the permissions that were applied to the OU during the Delegation Wizard.

Introduction – 0:10
Explanation of the structure – 0:43
Explanation of OU types – 1:15
What OUs cannot do – 2:10
Creating a group – 3:04
Adding a group on an ACL – 3:45
What OUs are used for – 4:30
Opening Group Policy Management Console – 4:50
Creating a GPO and linking it – 5:20
Delegation of an OU – 5:56
Examining the permissions on an OU – 7:15
Views: 15473 NetworkedMinds
Windows Server 2012 Core Active Directory Install (powershell)
Views: 7608 Engin Kosova
Author and talk show host Robert McMillen explains how to change the operations masters in Windows Server 2012 using Active Directory Users and Computers.
Views: 2743 Robert McMillen
Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level, the more features are available. This video looks at which domain functional levels are available and how to raise the domain functional level to get access to these features. The next video in this free series looks at the forest functional levels.

Raising the domain functional level demo 17:46

The different domain functional levels and the features you get from the functional level are listed below.

Windows 2000 native
* Gives basic Active Directory functionality.

Windows Server 2003
* Allows the computer name of a domain controller to be changed.
* Adds a last login time stamp to each user account.
* Adds UserPassword to the iNetOrgPerson object. This is used when migrating from a 3rd party directory service. It allows the 3rd party password to be stored in Active Directory.
* Constrained delegation. Delegation is when credentials are passed from one system to another; e.g., an administrator connects to a computer and then attempts to have that computer connect to a file share on another computer using the administrator's credentials. Delegation is disabled by default in Active Directory. The Windows Server 2003 domain functional level allows you to determine which services are delegated and which are not, and to which computers. You could, for example, trust delegation only for file sharing and only to a particular server. Before this domain functional level, delegation was all or nothing.
* Selective authentication for forests. When using multiple forests, this feature allows the administrator to configure which users from the trusted forest can have access to which services in the forest that they would normally have access to by default. A user from another forest needs to be given access to resources in either forest like any other user through permissions like NTFS, so selective authentication does not change that. The difference with selective authentication is that you can configure which services they can use which would normally be available to everyone. For example, a domain controller will by default authenticate any user from either forest. With selective authentication you can configure which domain controllers will be allowed to authenticate users from the other forest.
* Adds support to store authorization policies in Active Directory.

Windows Server 2008
* DFS for replication of the SYSVOL share.
* Advanced Encryption Standard (AES) for Kerberos.
* Additional last login details. Adds attributes like the number of failed login attempts.
* Fine-grained password policies. Allows multiple password policies to be defined in the same domain.

Windows Server 2008 R2
* Authentication Mechanism Assurance. Adds details to the Kerberos ticket about how the user was authenticated, e.g., if a smart card was used to authenticate the user.
* Automatic SPN (Service Principal Name) management. Allows service account passwords to be managed by Active Directory.

Mixed or Interim
Domain functional levels that are mixed or interim have been upgraded from an NT4 domain and may have some domain controllers that are still NT4. Once you have removed all of the NT4 domain controllers, raise the domain functional level to one of the domain functional levels listed above.

Raising the Domain Functional Level
In order to raise the domain functional level, you need to ensure that all of the domain controllers in your domain are at that domain functional level or higher. For example, if you had 3 Windows Server 2008 DCs, 4 Windows Server 2003 DCs and 1 Windows 2000 DC, the highest domain functional level that you could go to would be Windows 2000 native. If you upgrade the Windows 2000 domain controller to Windows Server 2003, you could raise the domain functional level to Windows Server 2003. Remember also that once you raise your domain functional level you will not be able to add any down-level domain controllers to the domain. For example, if you raise the domain functional level to Windows Server 2008, you would not be able to add any Windows 2000 or Windows Server 2003 domain controllers. Regardless of the domain functional level, you can add a Windows client or member server of any operating system level to the domain. Raising the domain functional level is a one-way process and can't be reversed once complete.

Raising the domain functional level
To raise the functional level, open Active Directory Users and Computers, right click on your domain and select Raise domain functional level. Select the domain functional level that you want and select Raise.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

Keywords: "Domain Functional Levels" "Active Directory" 70-640 MCITP MCTS ITFreeTraining
Views: 89760 itfreetraining
Here we discuss Understanding Active Directory PART 2:
* ACID properties of a database
* Active Directory Sites and Services
* Active Directory replication
* Domain Controller
* Global Catalog Server
* Logical and physical components of Active Directory
* FSMO roles
* Domain Functional Level
* Forest Functional Level
* Installing Active Directory (Windows Server 2012)
Views: 4418 ashwinadm
This video will look at the concepts you need to understand in order to use auditing in Windows. Once you understand the concepts of auditing, the next two videos will look at auditing for the file system and objects in Active Directory.

Where to audit?
Before you start setting up your network for auditing, it is important to locate the best place to audit. For example, if a user accesses the network via a VPN and the VPN server is a read only Domain Controller, the logon event will be stored in the read only Domain Controller's event log. Likewise, if the user accesses a file server, a logon event will not be stored on the file server; however, an event will be stored on the file server indicating that a connection was made to that file server. So when auditing the network it is important to make sure that you are auditing the correct locations to get the right information. You may also need to audit multiple servers in order to obtain the information that you are after.

Demonstration
There are 7 auditing settings in Group Policy found under the following location:
Computer Configuration\Policies\Windows Settings\Local Policies\Audit Policy
To configure a setting, it is just a matter of opening the setting, ticking "Define these policy settings" to enable it and then selecting which events you want to audit, that is success and failure.

Audit Policy Settings
By default, some auditing settings are configured to audit success events and thus you will have some audit events in the event log even if you do not configure auditing.
Audit account logon events: Audits an event when authentication occurs. For a domain account, this will happen on a Domain Controller. For a local account, this will happen on the computer that the local account is stored on.
Audit Account Management: Audits when a user performs account management using tools like Active Directory Users and Computers to perform actions like resetting passwords.
Audit Directory Service Access: Audits any changes to Active Directory accounts. Includes changes not made with management tools.
Audit Logon Events: This records when a user connects to or disconnects from a server. For example, when connecting a mapped drive to a file server the user needs to log on to the server before the file share can be accessed. This event also records access being denied due to the account being locked. In contrast to Audit account logon events, an event is only recorded once the user is authenticated.
Audit Object Access: This will audit non Active Directory objects; this includes files and folders.
Audit Policy Change: Audits changes to settings like user rights assignment, auditing and trust policies. For example, if you changed a setting and gave a user the "take ownership" right, this setting would record the user rights assignment change in the event log.
Audit Privilege Use: This setting records when privileges are used. An example of a privilege is changing the system time.
Audit Process Tracking: This setting tracks the start and termination of processes in Windows. This setting generates a lot of events so should only be enabled in special circumstances.
Audit System Events: This records events like system start up, shutdown and changes to the system time.

Windows Server 2008 Auditing Change
Before Windows Server 2008, auditing could only track that a value had changed. It would not tell you what the value was before the change. Windows Server 2008 allows the value of an object before the change to be recorded in the event viewer. This means you can effectively know that the value was changed and what the value was before the change. Due to compatibility reasons the option is not enabled by default; in order to enable it run the following command:
auditpol /set /subcategory:"Directory service changes" /success:enable

Demonstration
Before auditing can occur in Windows Server 2008 to record changes to Active Directory objects, the following command needs to be run. This only needs to be run once for all Windows Server 2008 installs as it makes a change in Active Directory.
auditpol /set /subcategory:"Directory service changes" /success:enable
When an object is changed, different events are recorded, so it is important to find all the events that are related to changes. For example, when changing an object, this will often log an event for deleting the previous value and then an event for adding the new value. When trying to understand what has been changed, look at a few events around the event that you are interested in, in case there are multiple events generated for that value change.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 367-375
"Access Control Lists (Windows)" http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
"AD DS Auditing Step-by-Step Guide" http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx
Views: 36533 itfreetraining
A quick and super easy way of finding which GC a particular Exchange Server's Hub Transport is using for its transporting of hubs business. A global catalog (GC) is a component of Active Directory that enables quick retrieval of the location of existing objects in various domains and/or forests.
Views: 1123 MrMvmain
By Eng Mohamed Elshair. Topics: AD DC Windows Server 2012, AD DC domains, What are OUs?, What is an AD DS forest?, What is an AD DS schema?, What is an NTDS?, data store, domain controllers, global catalog server 2012, Read-Only Domain Controllers (RODC).
Views: 1 Srour