98-365 – Microsoft MTA Windows Server 2008 – Active Directory – things you need to know

  1. What to expect in this section

This section is really important. We are going to talk about Active Directory, something that you really need to know if you want to work with Microsoft services. We will set it up from scratch, add a PC to the domain, discuss group permissions, and go over everything you need to know if you want to work with Active Directory.

  1. Active Directory Infrastructure

Windows Server and Active Directory. If you ask me, “Can you name one topic that is really important if I want to study for my MTA exam?”, I would say yes: Active Directory and everything that is related to that topic. That’s why we are going to spend a lot of time talking about Active Directory, domain controllers, and DNS, and I will show you how to join a PC to the domain. It is really important. Let’s start with some basics. What are Active Directory Domain Services? Active Directory was first introduced with Windows Server 2000. Then there were Windows Server 2003, 2008, and 2012. Of course, Microsoft has changed a lot of things. They added and improved a lot of features.

The idea has been the same for the last twelve years, really. Active Directory Domain Services is a role that allows your server to store data and manage things like domains, user accounts, authentication, directories, and things like that. And we have something that is called a domain controller. It’s a server that’s running Active Directory Domain Services. There is a video where we go through this process: we add the Active Directory Domain Services role, and then we promote that server to be our domain controller. Let’s see that on a server. I am connected to Windows Server 2008. Let’s go to Properties. Here we can see that this is a Windows Server box that I installed two days ago. And of course, there is a video where I show you how to do that. Please note that the domain is company.local.

The full name is Windows Server 2008 dot company dot local. If you want to manage Active Directory users and computers, the most important place for you to go is Administrative Tools, Active Directory Users and Computers. Again, if there is one thing that you want to master, it is this one, so keep that in mind and spend a lot of time playing with the things you can find inside. First of all, we can see company.local, and there are some predefined ones. We’ll talk about organisational units later on. For now, you can see that there are some objects inside as well. We have one computer that is joined to that domain. We’ve got one domain controller and a few groups and users. Here is our administrator, and there should be one user, my test user, Mike Holland. The top-level Active Directory container is called a forest, and the forest can consist of more than one domain. That’s what you can find. We have Active Directory, which is something you will find in many companies. There are a lot of features involved. We can have everything on one server. We can have Active Directory, DNS, DHCP, virtual private networks, file service, print service, everything on one box.

If that is not an option, many businesses opt for more redundancy and make sure that they can load balance, especially if you have, say, 500 users. You don’t want to put everything on one server. It’s not possible, even though it can be one big server. Then you create virtual machines, and thanks to that, you can share the load. Well, you don’t have a choice: you can’t really put Microsoft Exchange on a server running Active Directory. It was possible a few years ago. Today it’s not. Still, you want to have a separate server for your files, printers, VPNs, and so on. Again, make sure that you understand a forest, a tree, and a domain. It’s very important. Check that picture, please. We have a domain forest. We have a domain tree. And that’s the domain, with all the users and objects that are inside. It is very important that you know how to identify a PC that has joined the domain. How do I do that? I will show you. There is a video where we go through this process in detail. We’ll start with Properties. We right-click on Computer. Then we go to the advanced system settings. Please keep company.local in mind; you can see that right away here. Now I am going to be asked for a username and password, because this user is just an ordinary user, not an administrator. To access things like system settings, you have to be an administrator or be in a group like that. That should do the trick.

So the full name is PC 1 dot company dot local. You can change your computer name by going to Computer Name, Change. Here you can change the name or say, “No, you’re not in the domain anymore.” You come up with a workgroup name if you do that. Make sure that you test your local account. While this PC is joined to the domain, we are going to use an account or accounts that are in Active Directory on the server. If you change your mind and say, “Nah, I don’t want that PC to be on the domain anymore,” make sure that you have a valid local account, the way I do. Because yes, I have made that mistake two or three times. What I do every time I remove a PC from a domain is either create a new local account or reset the PC’s password. In the following video, you will see how to add the Active Directory Domain Services role and join a PC, and later we will discuss groups, user permissions, and OUs. Thank you very much.

  1. Organizational Units, Accounts and Groups in Windows Server

Active Directory groups, users, and others. Let’s start with an organisational unit, OU. It is just a container, and you can put things like users, groups, and computers inside. Please take a look at the image. That is an OU. Inside, we have a user, a user, and a lot of groups. The same is here. That is an OU. OU, OU, OU, and inside you will find objects like users, groups, and computers. Let’s check that on a server. Okay, we’re connected. We go to Administrative Tools. Inside, we will find Active Directory Users and Computers. Here are our OUs. Please do not call it a folder.

A lot of people do that. Just say OU. Okay? It’s not a folder. Even though it looks like a folder, it feels like one, and in a way, it works like a folder. It is an organisational unit. You can manage objects that are inside. You can create new OUs. You right-click, and a new OU is created. Let’s call it Test 1, and it has been created. Let’s talk about groups now. It is really important to discuss them, because when you think about Active Directory, everything is arranged around groups. Groups are just a place where you can put user accounts or computers. You can group things. That is a good thing because it allows you to be flexible. It means that if you want to assign, I don’t know, a printer, you should assign it to a group. Thanks to that, if Mike leaves the HR department tomorrow, it will be very easy for you to move that user to another group.

You don’t have to touch any permissions. There are two main types of groups that you can find: distribution groups and security groups. Distribution groups are used to work with email services like Exchange. For instance, if you want to send an email to a group, you create a distribution group. If you want to work with permissions, for instance you want to allow a group of users to access a folder on a server, you create a security group. Let’s go to the server. That is Windows 7. We need a server. Here. We right-click, choose “New”, and then here you can create a user or a group. Let’s start with a group. And please note that we have these two types, security and distribution. We’re going to talk about group scopes in a moment. Test one. Okay, now let’s create a user: test, test. This is a user logon name, something that a user will type in, and then, of course, he will use his password. Now it all depends. Most companies have a policy in place that you have to follow. It will specify how a user logon name should be created. It is sometimes first name, last name. It can be just the first name if it is a small company. It’s not recommended because if you have Mike and you hire another Mike, then it’s a problem.

You can have a first name, a first letter, a surname, or whatever you want. Some businesses assign only a number, such as K or whatever. It all depends. Please check and make sure that you follow a policy if one is in place in your company. If you don’t have one, create one. Okay? Make sure you have something in place. It’s not a good idea to come up with an account name every time you create a new account. Don’t do that. Have something in place. Discuss that with a manager. It’s very important because they should be aware of it. They should accept that. Put that in writing. It will make your life much easier later on. Let’s say I will use “test”. Next, the password. If you leave that option checked, a user will have to change his or her password the first time they log in. Of course, you have to provide the password that you typed in here. It’s not recommended that you go for the option under which the password never expires, because it means that he can keep the same password forever. That’s not a good thing. You can disable an account. It means that this account is not available yet. Maybe Mike will join our company in three weeks.

You’re creating everything at the moment. You don’t want anyone to use that account tomorrow. You will enable it next week. That is an option you can go for. And then you finish. You have a new user, and we will go through the options that are inside. I want to start with groups because that’s what we are after here. Test is a member of Domain Users by default, because it is a domain account. It makes sense to do it that way. Of course, you can say, “Well, now I want this guy to be a member of Test 1.” Because of this, test is a member of the Test 1 group, to which you apply permissions. Then, of course, you can decide whether this group is allowed to do this or that. It’s very flexible. You should always follow it: you should assign permissions and everything to a group, and you should group users. If it’s your job to deploy Active Directory, take a piece of paper and think about that. Ask a manager. Make sure that you’re aware of everything that is going on in this company, because it’s very easy for you to miss something, for instance, a department that is in the basement. And then you realize, “Oh, what do you mean, there is an office downstairs? I didn’t know that.” And it can ruin your Active Directory structure. It’s not easy to change it. We’ll discuss this specifically when we get to Group Policy Objects. And it can be a major issue if users are placed in the incorrect groups and OUs. It can be a nightmare to sort it out later on.

The last thing I want to discuss here is a rule that you should follow. We have an account, we put that in a group, then we can put that in a domain-local security group, and then we assign permissions. You should never assign permissions to a user directly. You should always create a group, and thanks to that, you have this flexibility. You decide, okay, Mike is not a member of my test group anymore; he should be a member of the HR group. Thanks to that, you don’t have to touch any permissions, printers, shares, or anything else. All you have to do is move Mike to a new group. If you’re curious, I recommend visiting Wiki, where you’ll find a really nice article describing this Microsoft approach. Go there and you can read what Microsoft recommends. You can read and learn a little more about things that you will see in the real world. You should follow the rules. In the next video, we’re going to talk about GPOs, Group Policy Objects. We’ll see that in action as well. Thank you very much.
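One way to check that the rule is being followed on an existing file server, as an added example that is not part of the course: the function below lists every explicit permission on a folder tree that was granted straight to a user account instead of a group. It assumes PowerShell 3.0 or later and the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the folder path is hypothetical.

```powershell
# Added example: find permissions granted directly to user accounts.
# Assumptions: PowerShell 3.0+, ActiveDirectory module, hypothetical share path.
Import-Module ActiveDirectory

function Get-DirectUserAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Inherited entries are findings on the parent folder, not on this one.
        if ($ace.IsInherited) { continue }

        $kind = $null
        try {
            # Work with the SID so the directory lookup does not depend on names.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            $sid  = $null
            $kind = 'unresolvable'          # name no longer maps to an account
        }

        if ($sid) {
            # Well-known principals (SYSTEM, BUILTIN\Administrators) carry no
            # domain part and are expected on most folders.
            if ($null -eq $sid.AccountDomainSid) { continue }

            $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
            if (-not $obj) {
                $kind = 'not in directory'  # deleted or local account
            } elseif ($obj.ObjectClass -eq 'user') {
                $kind = 'direct user grant' # breaks the group-only rule
            }
        }

        if ($kind) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Finding  = $kind
                Type     = $ace.AccessControlType
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Check the folder itself and every subfolder below it.
$root    = 'D:\Shares\HR'   # hypothetical path
$folders = @($root) + @(Get-ChildItem -LiteralPath $root -Recurse -Directory |
                        Select-Object -ExpandProperty FullName)
$folders | ForEach-Object { Get-DirectUserAce -Path $_ } | Format-Table -AutoSize
```

Groups and computer accounts are not reported, so an empty result means every explicit entry on the tree goes through a group or a built-in principal.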

  1. Let’s see that in action – Active Directory and Domain Controllers – Lab

It’s time for the most important lab in our training. We are going to deploy Active Directory and a domain controller. Of course, we’ll be using the same Windows Server 2008. It is time to log in. We go to Start. That is why I wanted to launch Start. You navigate to Administrative Tools, and here you have Server Manager. Windows was really nice and opened it for us. What we need to do is add a new role. We click “Add roles”. Here we go. What do we want? We want Active Directory Domain Services here. It was absolutely fine. We click “Install”, and that should finish in a couple of minutes. We are done. Please note this message. It’s really important to run dcpromo now because we want to make that PC our domain controller. dcpromo. Let’s go for that option. See what’s available. We want to create a new domain in a new forest. Why? This is the first time we are running this wizard. That’s why we need to go with that option now. A very important question: what is your domain name? I like to use company.local. This message is from Microsoft. They’re telling you, “Well, we don’t really trust you. We want to make sure that there is no domain like that available.” It’s okay. NetBIOS.

In most cases, you’re okay. Now, it’s the functional level that you go for. It all depends on whether your network contains any old services. It is beyond our discussion. However, please note that if you go for Windows Server 2008, you are not going to be allowed to add Windows Server 2003, 2000, and so on. For our lab, it does not really matter. Now, it is really important to have a DNS server. dcpromo allows you to add DNS to the same box. And it is a good idea to do that. Of course, there’s a chance your network has a dedicated DNS server. You can, of course, uncheck that option. In our case, we want to keep everything on one server. I’m okay with the paths. Of course, you could change them. Most people leave them. Now, it is a question that says, “Well, what if something goes wrong with your Active Directory domain controller?” You need a password to recover. And here, of course, you can specify a password that you want. It should be a strong password. We are ready. It’s time to reboot. We’re almost ready. Let’s try to log in. Please note that it is the domain administrator. It’s no longer just Administrator; it’s the domain. We don’t have local accounts anymore. Really. It is a domain account. Here we have to create a domain account for a user if we want him to log in and, for instance, download some files, use updates, and so on. Now it’s time to verify.

Make sure that everything is in place. The easiest way to do that is to go to Tools and make sure that we have Active Directory Users and Computers. That snap-in is the most important place for you to manage accounts, computers, domains, and so on. Looks good. Let’s get rid of that thing. Yeah, we have a domain controller. There are no computers yet. In a moment, we’ll add Windows 7. Here we have users, and that is our administrator, as well as some predefined groups that we can use. Or you can create your own groups if you want. Now let’s check the DNS. We have a DNS snap-in. That’s always a good sign. Yeah, it looks good. To verify it, let’s type “ipconfig /all”. I’m pretty sure the DNS has changed; that’s loopback, and it points to itself. That’s fine. We can type nslookup. Before we do that, let me just clear the screen. hostname is a command that allows you to confirm the name of a server or PC that you are currently connected to. And now I type nslookup to connect to my DNS server. The way it works is that I can verify names and IP addresses, and so on. So I can type Windows Server 2008.

And it reported back. Yes, there is an entry like that, and it is 192.168.1.1. It looks like our DNS server is absolutely fine. It’s time to add our PC to the domain. Before we do that, we have to fix our DNS settings and point them to the domain controller. It’s very important to do it. And we point to that one, which serves as our domain controller. I always like to check that. We can see the domain controller. We can try to ping it. Looks good. Let me change the size. Yeah, that’s better. Okay, again, nslookup. Check to see if we can resolve Windows Server 2008. We specify company.local. That is 192.168.1.1. Looks good. We’re ready to add that PC to the domain. The way we do that is we right-click on Computer, we go to Properties, we go to Change, and here we can specify the domain. In our case, it is company.local. We need a username and password that, in most cases, are assigned by an administrator or someone that is allowed to join a PC to the domain. Local administrators can do that as well. It’s beyond our discussion. We know it is an account that exists on the domain controller.

If we’re lucky, we’ll see a message saying, “Welcome to company.local.” We have to reboot the PC. Yeah, that’s it. If you want to log in, you need a username and password. Let’s create a new OU and call it Users One. And here’s what we’re going to do. We’ll create a new user, Mike Holland. And it’s just Mike. Password: in most cases, what you do is create a well-known password in your company. For example, suppose it’s welcome 99. Welcome 99. Then you leave “User must change password at next logon” checked. Yeah. Mike is there.

Let’s check the computer to see if it’s there. Here we go. PC 1 is visible because it was added to the domain. Windows 7 is still booting up. Let’s give it a moment. Let’s log in now. It is not PC 1\admin. It’s company\Mike. That’s what we specified, and welcome 99. And now you have to specify a new password. It has to be a strong password. In most cases, there is a password policy that requires you to use a strong password. You cannot repeat the same password. It is a good thing to have a policy like that. Later on, we’ll go over how GPO can be customized. We are done. We know how to join a PC to the domain. We know how to create a new user and log in to a Windows 7 PC using a domain account. Thank you very much.
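The lab’s OU and user, together with the account, group, domain-local group, permission rule from the groups section, written out as a script. This is an added example, not something shown in the course: it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), and the group names, the NetBIOS name COMPANY, the logon name mike and the folder path are hypothetical.

```powershell
# Added example: scripted version of the lab's OU and user, plus the group chain.
# Assumptions: ActiveDirectory module; group names, NetBIOS name COMPANY,
# logon name 'mike' and the folder path are hypothetical.
Import-Module ActiveDirectory

$domainDn = 'DC=company,DC=local'
$ouDn     = "OU=Users One,$domainDn"
$folder   = 'D:\Shares\HR'                      # hypothetical path

New-ADOrganizationalUnit -Name 'Users One' -Path $domainDn

# Prompt for the initial password so it is never stored in the script.
$initial = Read-Host -AsSecureString 'Initial password for Mike Holland'
New-ADUser -Name 'Mike Holland' -GivenName 'Mike' -Surname 'Holland' `
    -SamAccountName 'mike' -UserPrincipalName 'mike@company.local' `
    -Path $ouDn -AccountPassword $initial `
    -ChangePasswordAtLogon $true -Enabled $true

# Global group says who the people are; domain local group says what they may do.
New-ADGroup -Name 'GG_HR' -GroupScope Global -GroupCategory Security -Path $ouDn
New-ADGroup -Name 'DL_HR_Share_Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity 'GG_HR' -Members 'mike'
Add-ADGroupMember -Identity 'DL_HR_Share_Modify' -Members 'GG_HR'

# The permission is granted only to the domain local group, never to the user.
$acl  = Get-Acl -LiteralPath $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'COMPANY\DL_HR_Share_Modify', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl

# Moving Mike to another department later is a membership change only:
# Remove-ADGroupMember -Identity 'GG_HR' -Members 'mike'
```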
