Contents Overview 1 Introduction to Administering Active Directory 2 Managing Active Directory Objects 3 Publishing Resources in Active Directory 7 Locating Objects in Active Directory 11 Lab A: Managing, Publishing, and Locating Objects in Active Directory 18 Controlling Access to Objects 29 Delegating Administrative Control 34 Lab B: Delegating Administrative Control in Active Directory 39 Best Practices 47 Review 48 Module 3: Adminis tering Active Directory Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ??1999 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Other product and company names mentioned herein may be the trademarks of their respective owners. Project Lead and Instructional Designer: Mark Johnson Instructional Designers : Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor) Lead Program Manager: Ryan Calafato Program Manager: Joern Wettern (Wettern Network Solutions) Graphic Artist: Julie Stone (Independent Contractor) Editing Manager: Tina Tsiakalis Substantive Editor: Kelly Baker (Write Stuff) Copy Editor: Wendy Cleary (S&T OnSite) Online Program Manager: Nikki McCormick Online Support: Arlo Emerson (MacTemps) Compact Disc Testing: Data Dimensions, Inc. Production Support: Arlene Rubin (S&T OnSite) Manufacturing Manager: Bo Galford Manufacturing Support: Mimi Dukes (S&T OnSite) Lead Product Manager, Development Services: Elaine Nuerenberg Lead Product Manager: Sandy Alto Group Product Manager: Robert St ewart Module 3: Administering Active Directory iii Introduction This module provides students with the knowledge and skills to administer Active Directory ™ directory service by managing Active Directory objects and by delegating administrative control of Active Directory objects. In the hands-on labs in this module, students will have a chance to manage, publish, and locate Active Directory objects and to assign Active Directory permissions. In the first lab, students will create an organizational unit (OU) structure based on a scenario and move Active Directory objects within a domain. Next, students will publish shared folders and printers in Active Directory. Then students will search for objects in Active Directory by using several methods, and use the search results to access objects. In the second lab, students will review Active Directory permissions and delegate administrative control by using the Delegation of Control wizard. Materials and Preparation This section provides you with the materials and preparation needed to teach this module. Materials To teach this module, you need the following materials: ?? Microsoft® PowerPoint® file 1558a_03.ppt Preparation To prepare for this module, you should: ?? Read all the materials for this module. ?? Complete the labs. ?? Study the review questions and prepare alternative answers to discuss. ?? Anticipate questions that students may ask. Write out the questions and provide the answers. ?? Read appendices A and B. ?? Read the white paper, Active Directory Technical Summary on the Student Materials compact disc. ?? Read the white paper, Microsoft Windows Active Directory: An Introduction to the Next Generation Directory Services on the Student Materials compact disc. ?? Read the white paper, Microsoft® Active Directory Service Interfaces: ADSI Open Interfaces for Managing and Using Directory Services on the Student Materials compact disc. ?? Read the technical walkthrough, Managing the Active Directory on the Student Materials compact disc. ?? Read the technical walkthrough, Using the Delegation of Control Wizard on the Student Materials compact disc. Presentation: 75 Minutes Labs: 75 Minutes iv Module 3: Administering Active Directory Instructor Setup for the Labs Perform the following setup on your instructor computers for the labs. Lab A: Managing, Publishing, and Locating Objects in Active Directory ??To prepare for the lab Ensure that the instructor domain contains a user account named Suzan Fine. This user account should have been created during classroom setup. Lab B: Delegating Administrative Control in Active Directory No setup required for the instructor computer. Module 3: Administering Active Directory v Module Strategy Use the following strategy to present this module: ?? Introduction to Administering Active Directory In this topic, you will introduce the concept of centralized management and decentralized administration in Active Directory. Emphasize that centralized management allows you to access network resources from a single location, and decentralized administration allows you to delegate administrative control of portions of your network. Do not spend too much time explaining these concepts because they were covered earlier in the course. ?? Managing Active Directory Objects In this topic, you will introduce organizing Active Directory objects by using OUs. Explain the planning factors involved in creating an OU and why each of the given planning factors is important. Demonstrate how to create an OU by using Active Directory Users and Computers. Illustrate how to move objects within a domain. Point out to students how permissions are affected when you move objects. ?? Publishing Resources in Active Directory In this topic, you will introduce publishing resources. Emphasize that resources should be published in Active Directory if the information is important to the users. Explain how to publish shared folders. Demonstrate how to publish a shared folder in Active Directory and how to add a description and keywords to the published shared folder. Show students some examples of meaningful descriptive words and keywords. Illustrate how to publish printers. Emphasize that Microsoft® Windows® 2000 automatically publishes a printer in Active Directory. You need to manually publish a printer in Active Directory only if the printer is on a computer that is not running Windows 2000. ?? Locating Objects in Active Directory In this topic, you will introduce how the global catalog locates objects in Active Directory. Provide examples when telling students about the attributes for objects contained in the global catalog. Illustrate how to perform a basic search operation by using the Find command in Active Directory Users and Computers. Emphasize that you can administer objects from the Results box once they have been located. Demonstrate how to perform an advanced search operation by using the Find command in Active Directory Users and Computers. Explain to students that different objects have different attributes available to search for in an advanced search operation. Demonstrate how to search Active Directory to locate objects by using Windows Explorer. Emphasize that this technique of locating objects is for users and that you can search for only specific types of objects by using Search and My Network Places. ?? Lab A: Managing, Publishing, and Locating Objects in Active Directory Prepare students for the lab in which they will create an OU structure based on a scenario, move Active Directory objects within a domain, publish shared folders and printers in Active Directory, search for objects in Active Directory, and connect to objects in Active Directory search results. Make sure that students run the command file for the lab and tell them that they will work with their partners’ computers. After students have completed the lab, ask them if they have any questions concerning the lab. vi Module 3: Administering Active Directory ?? Controlling Access to Objects In this topic, you will introduce the purpose of Active Directory permissions. Tell students that only an administrator or the owner of an object can assign permissions for the object. Demonstrate how to set permissions for objects and attributes of objects. Demonstrate how to view special permissions by using the Access Control Settings dialog box. Explain how to prevent inheritance of permissions. Emphasize that when you prevent inheritance, Windows 2000 prompts you to either assign new permissions to the object or copy the previously inherited permissions. ?? Delegating Administrative Control In this topic, you will introduce the purpose of delegating administrative control of objects. Explain that you can decentralize administration by delegating specific tasks to other administrators. Delegation of administrative control at the OU level enables you to easily track permissions. Demonstrate how to assign permissions at the OU level by using the Delegation of Control wizard. Explain all of the options that are available under Predefined tasks and Custom task. Emphasize that you normally select delegation tasks from a predefined list, but that you can customize delegation tasks. Explain guidelines for delegating administrative control of objects. ?? Lab B: Delegating Administrative Control in Active Directory Prepare students for the lab in which they will review Active Directory permissions and delegate administrative control by using the Delegation of Control wizard. Make sure that students run the command file for the lab. After students have completed the lab, ask them if they have any questions concerning the lab. ?? Best Practices Present best practices for administering Active Directory. Emphasize the reason for each best practice. Module 3: Administering Active Directory vii Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1558A, Advanced Administration for Windows 2000. Lab Setup The following list describes the setup requirements for the labs in this module. Setup Requirement 1 The labs in this module require that the Log on locally right on domain controllers be assigned to the Everyone group. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Assign the right manually. Setup Requirement 2 The labs in this module require a South OU and a North OU. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Create the OUs manually. Setup Requirement 3 The labs in this module require the C:\MOC\Win1558A\Labfiles\Lab03\Documents folder, shared as Documents, and the C:\MOC\Win1558A\Labfiles\Lab03\Documents2 folder, shared as Documents2. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Create the folders manually and share them. Setup Requirement 4 The labs in this module require a Package Handling OU and a Human Resources OU with several computer and user objects in it. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Create the OUs manually. Important viii Module 3: Administering Active Directory Setup Requirement 5 The labs in this module require a printer called Laser Printer on each student computer. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Create the printer manually. Setup Requirement 6 The labs in this module require shortcuts to Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts on the desktop for All Users. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Create the shortcuts manually and place them in C:\Winnt\Profiles\All Users\Desktop. Setup Requirement 7 The labs in this module require a regular user account for the student. To prepare student computers to meet this requirement, create the user account manually. Setup Requirement 8 The labs in this module require the following user accounts in the default Users container in Active Directory: User 1, User 2, User 3, User 4, User 5, and User 6. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Create the user accounts manually. Setup Requirement 9 The labs in this module require the following computers in the default Computers container in Active Directory: Computer 1, Computer 2, Computer 3, Computer 4, Computer 5, and Computer 6. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0301.cmd. ?? Create the computers manually. Setup Requirement 10 The labs in this module require a Security1 OU and the Assistant1 and Secretary1 user accounts in this OU. The labs also require a Security2 OU and the Assistant2 and Secretary2 user accounts in this OU. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab0302.cmd. ?? Create the OUs and user accounts manually. Module 3: Administering Active Directory ix Lab Results Performing the labs in this module introduces the following configuration changes: ?? Students move user accounts and computers to the North and South OUs. ?? Students move the Laser Printer printers to the North and South OUs. ?? Students change the Location attribute of the Laser Printer printer. ?? Students change the Active Directory permissions for the Security1 and Security2 OUs. You can run C:\MOC\Win1558A\Labfiles\Lab03\Setup\Lab03Rm.cmd to remove most configuration changes introduced during the course of the labs in the module. Remove the Log on locally right from the Everyone group manually. Remove the Laser Printer printer manually. Important [...]... in Active Directory ?? Control access to Active Directory objects ?? Delegate administrative control of Active Directory objects ?? Apply best practices for administering Active Directory 2 Module 3: Administering Active Directory Introduction to Administering Active Directory Active Directory Allows Administrators to: Slide Objective To identify the tasks involved in administering objects in Active. .. other OUs 4 Module 3: Administering Active Directory Organizing Active Directory Objects Slide Objective To explain how to organize Active Directory objects by using OUs Lead-in ? Use OUs to Define Administrative Boundaries ? Set Up an OU Hierarchy to Group Active Directory Objects for Simplified Administration Use an OU Hierarchy to Create an Administrative Model ? Active Directory Active Directory. . .Module 3: Administering Active Directory 1 Overview Slide Objective To provide an overview of the module topics and objectives ? ? Publishing Resources in Active Directory ? Locating Objects in Active Directory ? Controlling Access to Objects ? Delegating Administrative Control ? In this module, you will learn to administer Active Directory by managing and delegating administrative control of Active. .. that Active Directory Users and Computers displays 18 Module 3: Administering Active Directory Lab A: Managing, Publishing, and Locating Objects in Active Directory Slide Objective To introduce the lab Lead-in In this lab, you will create an OU structure based on a scenario, move Active Directory objects within a domain, publish shared folders and printers in Active Directory, search for objects in Active. .. from Active Directory and then used the UNC path to connect to the shared folder Because you changed the UNC path in Active Directory, Windows Explorer can connect to the new shared folder 8 Close all Windows Explorer windows Do not close Active Directory Users and Computers Module 3: Administering Active Directory 25 Exercise 4 Publishing Printers in Active Directory Scenario You are responsible for administering. .. add more than one keyword for a shared folder 10 Module 3: Administering Active Directory Publishing Printers Slide Objective Server1 To describe how to publish printers Active Directory Printer Publish to Active to Active Directory Directory Lead-in By default, computers running Windows 2000 that belong to a domain publish all shared printers in Active Directory You publish printers that are on a computer... automatically published in Active Directory However, you can publish these shared printers in Active Directory by performing the following steps: 1 In Active Directory Users and Computers, right-click the OU where you want to publish the printer 2 Point to New, and then click Printer 3 Type the UNC name of the printer that you want to publish in Active Directory Module 3: Administering Active Directory 11 ? Locating... Microsoft Windows 2000, Student Materials compact disc Module 3: Administering Active Directory 3 ? Managing Active Directory Objects Slide Objective To introduce the topics related to managing Active Directory objects Lead-in Active Directory provides administrators with a way to centrally organize and manage network resources ? Organizing Active Directory Objects ? Creating Organizational Units ? Moving... Microsoft Windows 2000, Student Materials compact disc Module 3: Administering Active Directory 7 ? Publishing Resources in Active Directory Slide Objective To introduce the topics related to publishing objects in Active Directory Lead-in To enable you to locate resources centrally, you publish resources in Active Directory by adding Active Directory objects that point to the location of the resource... objects in Active Directory ?? Connect to objects in Active Directory search results Prerequisites Before working on this lab, you must have: ?? Knowledge about how to move objects in Active Directory ?? Experience connecting to shared folders and shared printers ?? Knowledge of Active Directory objects and object attributes ?? Experience creating and editing Ac tive Directory objects Module 3: Administering . Introduction to Administering Active Directory 2 Managing Active Directory Objects 3 Publishing Resources in Active Directory 7 Locating Objects in Active Directory. Active Directory 1 Overview ? Introduction to Administering Active Directory ? Managing Active Directory Objects ? Publishing Resources in Active Directory ?