Active Directory is a system which offers centralized control of your computers. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for the rest of our always free training videos. This video looks at what Active Directory is and why you would use it. The video explains the difference between a workgroup and a domain so you can better understand when you would want to deploy Active Directory.

Terminology used in the video

Workgroup
A workgroup is a network setup in which each computer on the network keeps its own store of user names and passwords. In order to access another computer on the network, you need to know a username and password on that computer. This does not scale well: when the passwords are not in sync, the user will be prompted for a username and password each time he or she accesses another computer.

HomeGroup
Available only in a pure Windows 7 network. HomeGroup provides a simple way to share files and printers in a network. HomeGroup allows Windows 7 computers to be grouped together to share each other's resources using just one centralized password.

Domain
A domain is a logical group of computers that share the same Active Directory database. A domain allows you to manage a group of computers rather than one by one. This is done through the central use of usernames and passwords and the configuration of computers using Group Policy.

Domain Controller
A Domain Controller is a Windows Server that has the Active Directory Services role configured on it by using a process called promotion. The Domain Controller holds a writeable copy of the Active Directory database. Each domain has at least one Domain Controller, but more should be added for redundancy.

Active Directory Database
Active Directory uses a database to hold objects like users and settings. The database uses multi-master replication and thus can have multiple copies stored in multiple locations around the world. Each of these copies is writeable. Active Directory automatically fixes any replication conflicts that may occur by using a last-writer-wins system. That is, the latest update of any object is used when there is a replication conflict.

Domain Links
Active Directory allows multiple domains to be linked together by using a trust. Each domain has a separate Active Directory database, but resources can be shared between the different domains.
Active Directory has forests and trees, which are ways of representing multiple domains. This video looks at how domains sharing the same namespace are considered a tree, while domains in separate namespaces are considered separate trees in the same forest.

Tree
When you have multiple domains in the same namespace (e.g., ITFreeTraining.com, west.ITFreeTraining.com and sales.ITFreeTraining.com), they are considered to be in the same tree. The tree also supports multiple levels of domains. For example, you could have west.sales.ITFreeTraining.com and east.ITFreeTraining.com in the same tree.

Forest
A forest is a collection of one or more domains which may form one or more trees. What makes a forest unique is that it shares the same schema. The schema defines what Active Directory objects are stored and how. The schema defines the database for the whole forest, but it should be remembered that each domain in the forest has its own copy of the database based on the schema.

Trusts
Parent and child domains are automatically linked by a trust. Users in different domains can use these trusts to access resources in another domain, assuming that they have access. Trees in the forest are also linked together via a trust automatically. This ensures that any user in any domain in the forest can access any resource in the forest to which they have access.

Global Catalog
In order for users to find resources in any domain in the forest (remember that each domain has a separate database), Domain Controllers can be made into Global Catalog Servers. A Global Catalog Server contains partial information about every object in the forest. Using this information, the user can conduct searches.
Active Directory has five operations master roles, otherwise known as FSMO roles. Each of these roles is assigned to one Domain Controller to ensure changes happen in only one location at a time. This ensures that the Active Directory database is kept consistent. This video goes through the five operations master roles. At the forest level, there are the Schema Master and the Domain Naming Master. At the domain level, the three other operations master roles are the Infrastructure Master, the PDC Emulator and the RID Master.

Schema Master 01:32
Domain Naming Master 03:01
RID Master 03:53
PDC Emulator 07:06
Infrastructure Master 11:03

Schema Master (Forest Wide)
The Schema Master determines the structure of Active Directory and thus what can be stored in it. It contains details of every object that can be created and the attributes for that object. For example, if you want to add an attribute to every user in the forest (such as a field with the user's pay grade in it), you would add an attribute to the schema to accommodate this change. It is important to think carefully before making changes to the schema, as changes to the schema can't be reversed, although they can be disabled. If you want to test changes to the schema, create a new forest and make your changes there so the production environment is not affected.

Domain Naming Master (Forest Wide)
The Domain Naming Master is responsible for ensuring that two domains in the forest do not have the same name.

Relative ID Master (RID Master)
This master role allocates RID pools. A RID is a sequential number that is added to the end of a SID. A SID, or security identifier, is required for every Active Directory object. An example of a SID is S-1-5-21-1345645567-543223678-2053447642-1340. The RID is the last part of the SID, in this case 1340. The RID Master allocates a pool or block of RIDs to each Domain Controller. The Domain Controller uses its RID pool when Active Directory objects are created, and will request a new RID pool before it runs out. However, keep in mind that if you create a lot of Active Directory objects at once, the RID Master will need to be online to allocate new RID pools. If a Domain Controller runs out of RIDs and can't contact the RID Master, no objects can be created in Active Directory on that Domain Controller.

PDC (Primary Domain Controller) Emulator
Originally the PDC Emulator provided a bridge between Windows NT4 Domain Controllers and Windows Server 2000 Domain Controllers. Even if you do not have any NT4 Domain Controllers on your network, it still provides some services. The PDC Emulator forms the root of the time sync hierarchy in your domain: all other Domain Controllers sync their time from this Domain Controller, and your clients and servers in turn sync their time from their local Domain Controller. You should configure the PDC Emulator to sync its time from an external time source to ensure that it is accurate. When a user enters a wrong password, the PDC Emulator may be contacted to find out if this password is in fact an updated password. Password changes are replicated to the PDC Emulator first, and thus it is considered the final authority on correct and incorrect passwords. The PDC Emulator is also contacted when changes to DFS (Distributed File System) are made. This can be switched off if the load on the PDC Emulator becomes too great.

Infrastructure Master
The Infrastructure Master is responsible for ensuring that objects holding references to other domains are kept up to date and consistent. In a single domain you don't need to worry about this. In a multiple domain environment with Windows Server 2000/2003 Domain Controllers, you must ensure that the Domain Controller holding the Infrastructure Master role is not a Global Catalog Server, unless all of the Domain Controllers are Global Catalog Servers. If the Infrastructure Master is on a Global Catalog Server, this can cause objects in the domain not to update correctly. If you only have Windows Server 2008 Domain Controllers, you don't need to worry about whether the Infrastructure Master is on a Global Catalog Server or not.
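The SID format described under the RID Master can be handled mechanically. The following Go program is an added example (it is not code from the ITFreeTraining video): it splits a SID string into its revision, identifier authority and sub-authorities, recovers the RID and the domain SID whose RID Master allocated it, and names the fixed well-known RIDs (500 Administrator, 512 Domain Admins and so on) that are the same in every domain. The second SID in main() is constructed for the demonstration; the first is the one from the video. Telling a well-known RID apart from a pool-allocated one is useful on the defensive side, since a logon or group change involving RID 500 or 512 deserves more scrutiny than one involving an ordinary account.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SID holds a Windows security identifier parsed from its textual form
// "S-<revision>-<identifier authority>-<sub-authority>-...-<RID>".
type SID struct {
	Revision       uint8
	Authority      uint64   // 48-bit identifier authority (5 = NT Authority)
	SubAuthorities []uint32 // domain identifier sub-authorities, then the RID
}

// ParseSID parses a textual SID and validates the width of each field.
func ParseSID(text string) (SID, error) {
	parts := strings.Split(text, "-")
	if len(parts) < 3 || parts[0] != "S" {
		return SID{}, errors.New("not in S-R-A-... form")
	}
	rev, err := strconv.ParseUint(parts[1], 10, 8)
	if err != nil {
		return SID{}, fmt.Errorf("bad revision %q", parts[1])
	}
	auth, err := strconv.ParseUint(parts[2], 10, 64)
	if err != nil || auth >= 1<<48 {
		return SID{}, fmt.Errorf("bad identifier authority %q", parts[2])
	}
	sid := SID{Revision: uint8(rev), Authority: auth}
	for _, p := range parts[3:] {
		v, err := strconv.ParseUint(p, 10, 32) // each sub-authority is 32 bits
		if err != nil {
			return SID{}, fmt.Errorf("bad sub-authority %q", p)
		}
		sid.SubAuthorities = append(sid.SubAuthorities, uint32(v))
	}
	return sid, nil
}

// String re-assembles the SID in its standard textual form.
func (s SID) String() string {
	var b strings.Builder
	fmt.Fprintf(&b, "S-%d-%d", s.Revision, s.Authority)
	for _, sa := range s.SubAuthorities {
		fmt.Fprintf(&b, "-%d", sa)
	}
	return b.String()
}

// RID returns the last sub-authority, the relative identifier the video
// describes; ok is false when the SID has no sub-authorities at all.
func (s SID) RID() (rid uint32, ok bool) {
	if len(s.SubAuthorities) == 0 {
		return 0, false
	}
	return s.SubAuthorities[len(s.SubAuthorities)-1], true
}

// DomainSID returns the SID with the RID removed: the identifier of the
// domain whose RID Master allocated the pool the RID came from.
func (s SID) DomainSID() string {
	if len(s.SubAuthorities) == 0 {
		return s.String()
	}
	d := s
	d.SubAuthorities = s.SubAuthorities[:len(s.SubAuthorities)-1]
	return d.String()
}

// wellKnownRIDs lists a few of the fixed, domain-relative RIDs that are the
// same in every domain; RIDs below 1000 are all reserved for such built-ins,
// and RID pools hand out values from 1000 upwards.
var wellKnownRIDs = map[uint32]string{
	500: "Administrator",
	501: "Guest",
	502: "krbtgt",
	512: "Domain Admins",
	513: "Domain Users",
	518: "Schema Admins",
	519: "Enterprise Admins",
}

// Describe reports whether the RID is a built-in value or pool-allocated.
func Describe(s SID) string {
	rid, ok := s.RID()
	switch {
	case !ok:
		return "no RID present"
	case wellKnownRIDs[rid] != "":
		return fmt.Sprintf("well-known RID %d (%s)", rid, wellKnownRIDs[rid])
	case rid < 1000:
		return fmt.Sprintf("reserved well-known RID %d", rid)
	}
	return fmt.Sprintf("pool-allocated RID %d in domain %s", rid, s.DomainSID())
}

func main() {
	for _, text := range []string{
		"S-1-5-21-1345645567-543223678-2053447642-1340", // the SID from the video
		"S-1-5-21-1345645567-543223678-2053447642-512",  // constructed: same domain, Domain Admins
	} {
		sid, err := ParseSID(text)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(sid, "=>", Describe(sid))
	}
}
```

Because every domain uses the same well-known RIDs, the domain part of the SID is what tells two "Domain Admins" groups in different domains apart; the pool-allocated part only has meaning together with that domain prefix.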
This video will look at how DNS forwarding works and how conditional forwarding works. Forwarding is when a DNS request is forwarded from one DNS server to another. Conditional forwarding is when a condition is applied to decide which DNS requests are forwarded and which are not.
Download Handout: http://ITFreeTraining.com/Handouts/DNS/DNSForwarding.pdf

DNS Forwarding
DNS forwarding is the process of forwarding a DNS request from one DNS server to another. The most common example of this is when a company forwards requests from its internal DNS server to its ISP's DNS server. Since the ISP's DNS server receives many more resolve requests than the internal DNS server, there is a higher chance that when a client asks for a hostname to be resolved, the ISP's DNS server has resolved that name previously and has it stored in its DNS cache, meaning the hostname will not need to be resolved again.

Some companies may want to prevent their internal DNS servers from being accessed by not having them directly reachable from the internet. To do this, a DMZ is created with a DNS server that has access to the internet. The company then uses another DNS server on its internal network. This internal DNS server forwards requests to the DMZ DNS server, which forwards them on to the ISP's DNS server. This means the internal DNS server does not access the internet directly, which helps protect it. If the DMZ DNS server were attacked, the DNS records on the internal DNS server would still be protected.

Conditional Forwarding
Conditional forwarding is only performed if a condition is met. In the example in the video, DNS requests for another company's domain are forwarded to that company's DNS server, while all other DNS requests are forwarded directly to the ISP's DNS server.
This video will look at the different types of virtualization available on the market, referred to as type 1 and type 2. Understanding how these types work will give you a better understanding of which one you should use to meet your needs.
Access the rest of the course: http://ITFreeTraining.com/hyperv
Download the PDF handout: http://ITFreeTraining.com/handouts/hyperv/types.pdf

Type 1 & Type 2 Virtualization 00:11
Type 2 was the first virtualization system to be developed. It is designed to run on an existing operating system. The virtual machines running in the virtualization solution connect to a hypervisor, which translates their instructions into operating system instructions that are then handled by the operating system. Since the operating system is needed to access the hardware, this is slower than if the virtual machines had a direct route to the hardware. The advantage of type 2 is that it does not require any special hardware in order to run. With type 1 virtualization, the operating system and any virtual machines run through the same hypervisor. This makes it faster than type 2. In order for type 1 to work, there are special hardware requirements. For example, the CPU and BIOS need to support virtualization.

Type 1 & Type 2 Virtualization Examples 01:34
Type 1: Hyper-V and vSphere. The advantage of Hyper-V is that it can be run on the same computer running Windows. vSphere, in contrast, requires a dedicated computer that can only be used to run vSphere. Microsoft has also supplied a standalone version of Hyper-V if you want to run Hyper-V on a dedicated computer. Type 2: Microsoft Virtual PC, Microsoft Virtual Server, VMware Workstation and VirtualBox. The advantage of these is that they can be installed on Windows and do not require special hardware.

Hyper-V 02:20
Hyper-V is sometimes mistaken for a type 2 virtualization solution. This is because, unless you are using the standalone version, you require an operating system. Without the Hyper-V role installed, the operating system uses a HAL (Hardware Abstraction Layer) to access the hardware. When Hyper-V is installed, the HAL is replaced by a hypervisor, and the operating system and virtual machines access the hardware through the hypervisor. So essentially the hypervisor is a HAL with additional features required for virtual machines.

References
"Installing and Configuring Windows Server 2012 R2 Exam Ref 70-410" pg 132-133
"Hypervisor" http://en.wikipedia.org/wiki/Hypervisor
The partition table on a drive determines the structure of the data, and this video will look at the MBR and GPT partition tables. In some cases the operating system will choose the partition table for you; however, having an understanding of the partition tables will help you understand what features each has, as well as any compatibility problems that may occur due to the choice of partition table.
Download the PDF handout: http://ITFreeTraining.com/handouts/se...

Partition Tables
Before data can be stored on a device like a hard disk, a partition table needs to be created. This partition table defines where the data can be stored on the device. For example, if you had a 3 terabyte hard disk, you could create two partitions. One partition could be 1 terabyte in size while the other could be 2 terabytes in size. The partition table essentially determines which part of the hard disk can be used for what. There are two different partition table types available: MBR (Master Boot Record) and GPT (GUID Partition Table). MBR is the older style that offers more compatibility, while GPT is newer and offers more features; most notably, it supports larger devices. In some cases, GPT may require particular hardware in order to run.

Master Boot Record (MBR)
MBR has been around since the first PCs were released. For this reason it should work on all computers, meaning it has great compatibility with existing hardware. MBR is limited to 4 primary partitions. To increase the number of partitions that can be created on a single drive, one of the MBR partitions can be converted into an extended partition. This extended partition contains configuration allowing additional partitions to be created. In DOS days, there could only be 26 partitions on one hard disk: 3 primary partitions and one extended partition that contained 23 additional partitions. This was a limitation due to each drive requiring a drive letter, and thus a limit of 26 letters in the alphabet. In later operating systems more than 26 partitions could be created using extended partitions. The biggest limitation of MBR is that it can only use 2 terabytes of space. If you have a drive bigger than 2 terabytes, MBR can be used, but any space after 2 terabytes will not be usable and thus will be wasted.

GUID Partition Table (GPT)
The GPT partition table supports 128 primary partitions and thus does not require any extended partitions. The main advantage of this partition table is that it supports drives in the zettabyte size range. 1 ZB = 1 000 000 000 000 000 000 000 bytes, or 10 to the power of 21 bytes, or 1 billion terabytes. In order to boot an operating system from a GPT partition, you require a hard disk that supports "Unified Extensible Firmware Interface" or UEFI. This was designed to be a replacement for the older system called "Basic Input/Output System" or BIOS. The operating system also needs to support booting from GPT. For Windows this means Windows XP and Windows 2003 64-bit editions or above. For Linux, most distributions should support this on both 32-bit and 64-bit operating systems; it is a matter of checking the distribution to ensure it does. All modern Linux distributions should support this. If the hardware or operating system does not support booting from GPT, it is possible that the operating system will still be able to read the drive as a data drive. Every Windows operating system including and after Windows Vista and Windows Server 2003 SP1 will support GPT as a data drive.

Converting between the two
If your hard disk is less than 2 terabytes, use MBR. This will offer you the most compatibility. If you do need to change between the two, most likely GPT to MBR, Windows can convert the drive; however, it will first need to have all the partitions removed, thus erasing all the data on the drive. Third-party software is available for Windows which can convert the partition table without losing the data. Otherwise there is Linux software which can perform the conversion. Before converting the partition table, make sure that you back up all data on the drive.

References
"Installing and Configuring Windows Server 2012 Exam Ref 70-410" pg 42-43
"GUID Partition Table" http://en.wikipedia.org/wiki/GUID_Par...
http://en.wikipedia.org/wiki/Partitio...
"Extended boot record" http://en.wikipedia.org/wiki/Extended...
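To make the MBR layout concrete, here is an added Go example (not code from the video). It builds a constructed 512-byte boot sector, decodes the four 16-byte partition entries that start at byte offset 446 (0x1BE), checks the 0x55AA boot signature, derives the 2 TiB ceiling that follows from a 32-bit sector count with 512-byte sectors, and recognises the single type 0xEE "protective" entry that a GPT disk carries so that MBR-only tools do not see it as an empty disk. The partition positions and sizes are sample values, not read from any real disk.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	sectorSize  = 512
	tableOffset = 446 // the partition table begins at 0x1BE
	entrySize   = 16
	entryCount  = 4 // an MBR has room for four primary partition entries
)

// Partition is one decoded 16-byte MBR entry. The legacy CHS fields are
// skipped; modern systems rely on the 32-bit LBA start and sector count.
type Partition struct {
	Bootable bool
	Type     byte
	StartLBA uint32
	Sectors  uint32
}

// EndByte is the byte offset just past the partition, assuming 512-byte sectors.
func (p Partition) EndByte() uint64 {
	return (uint64(p.StartLBA) + uint64(p.Sectors)) * sectorSize
}

// ParseMBR decodes the primary partition entries of a 512-byte boot sector.
func ParseMBR(sector []byte) ([]Partition, error) {
	if len(sector) != sectorSize {
		return nil, errors.New("an MBR sector must be exactly 512 bytes")
	}
	if sector[510] != 0x55 || sector[511] != 0xAA {
		return nil, errors.New("missing 0x55AA boot signature")
	}
	var parts []Partition
	for i := 0; i < entryCount; i++ {
		e := sector[tableOffset+i*entrySize : tableOffset+(i+1)*entrySize]
		if e[4] == 0 {
			continue // partition type 0 marks an unused slot
		}
		parts = append(parts, Partition{
			Bootable: e[0] == 0x80,
			Type:     e[4],
			StartLBA: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		})
	}
	return parts, nil
}

// TypeName names the partition type codes this example cares about.
func TypeName(t byte) string {
	switch t {
	case 0x05, 0x0F:
		return "extended"
	case 0x07:
		return "NTFS/exFAT"
	case 0x83:
		return "Linux"
	case 0xEE:
		return "GPT protective"
	}
	return fmt.Sprintf("type 0x%02X", t)
}

// MBRAddressableBytes is the ceiling that follows from 32-bit sector fields:
// 2^32 sectors * 512 bytes = 2 TiB, the limit discussed above.
func MBRAddressableBytes() uint64 {
	return (1 << 32) * sectorSize
}

// IsProtectiveMBR reports whether the table is the single type-0xEE entry a
// GPT disk carries, starting at LBA 1 and spanning as much of the disk as
// MBR can express, so that MBR-only tools do not treat the disk as empty.
func IsProtectiveMBR(parts []Partition) bool {
	return len(parts) == 1 && parts[0].Type == 0xEE && parts[0].StartLBA == 1
}

// buildSector constructs a sample boot sector; it is not read from a real disk.
func buildSector(entries []Partition) []byte {
	s := make([]byte, sectorSize)
	for i, p := range entries {
		if i >= entryCount {
			break
		}
		e := s[tableOffset+i*entrySize:]
		if p.Bootable {
			e[0] = 0x80
		}
		e[4] = p.Type
		binary.LittleEndian.PutUint32(e[8:12], p.StartLBA)
		binary.LittleEndian.PutUint32(e[12:16], p.Sectors)
	}
	s[510], s[511] = 0x55, 0xAA
	return s
}

func main() {
	// Constructed sample: a bootable NTFS partition followed by an extended
	// partition, then the protective MBR that a GPT-formatted disk carries.
	disk := buildSector([]Partition{
		{Bootable: true, Type: 0x07, StartLBA: 2048, Sectors: 2097152},
		{Type: 0x0F, StartLBA: 2099200, Sectors: 4194304},
	})
	parts, err := ParseMBR(disk)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, p := range parts {
		fmt.Printf("entry %d: %-14s boot=%-5v start LBA %d, %d sectors, ends at byte %d\n",
			i, TypeName(p.Type), p.Bootable, p.StartLBA, p.Sectors, p.EndByte())
	}
	gpt := buildSector([]Partition{{Type: 0xEE, StartLBA: 1, Sectors: 0xFFFFFFFF}})
	gp, _ := ParseMBR(gpt)
	fmt.Println("protective MBR:", IsProtectiveMBR(gp))
	fmt.Printf("MBR can address %d bytes (2 TiB)\n", MBRAddressableBytes())
}
```

The protective entry is worth recognising when inspecting a disk image: a tool that only understands MBR will report one unknown partition filling the first 2 TiB, while the real layout lives in the GPT header and entries that follow LBA 0.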
Active Directory allows you to model your physical network topology using sites. This video looks at how to create sites in Active Directory. Creating sites allows you to control how data is replicated in your organization.
Demonstration 04:05

Sites Definition
Microsoft defines a site as a group of well-connected networks.

Advantages of sites
1) Sites automatically direct users to the closest resource.
2) Schedules can be configured that allow the administrator to control when replication will occur.

Site design
Multiple networks can be combined together regardless of which IP address ranges they use. If you have two networks separated by a high-speed networking device, you may want to combine these networks together. Usually networks that are separated by a Wide Area Network will be put into different sites. You could also place different networks into different sites for security reasons. For example, if you had a secure network holding your intellectual property separated by a firewall, you may decide to put this network in its own site to reduce the amount of traffic travelling between the networks. Less traffic travelling between the networks means fewer rules have to be created on the firewall between the networks.

Protect objects from accidental deletion
A lot of objects in Active Directory have the option to protect the object from accidental deletion. The tick box for this is found in the properties for the object, on the Object tab. If the option is ticked and an attempt is made to delete or move the object, an access denied message will be displayed. To perform either of these actions, the tick box needs to be cleared first.

Demonstration
To create or change the site configuration, open Active Directory Sites and Services from Administrative Tools under the Start menu. When you first install Active Directory, a site will be created called Default-First-Site-Name. This site can be renamed, deleted when no longer required, or simply not used. Under the site container, the Domain Controller(s) for that site will be listed. When you promote a server to a Domain Controller, the wizard will look at the IP address of the server and suggest a site in which to put the Domain Controller, or you can choose your own. For this reason, the Domain Controller should be put into the correct site when it is promoted, assuming the site already existed. If you need to physically move the Domain Controller, or it has been put into the wrong site, you can move the Domain Controller object to another site at any time. To create a new site, right click Sites and select New Site. The network address will then need to be entered (either the IPv4 or IPv6 network address).
This video provides an overview of Group Policy, explaining the basics of how Group Policy works and what can be achieved using it.
Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gpintroduction.pdf

What is Group Policy
Group Policy is a system that allows central control of your client computers. Using Group Policy you can control the user experience. This includes configuring settings for the user and also settings that affect the computer as a whole. Group Policy can also be used to deploy and configure software.

Text Based Config Files
Before systems like Group Policy were developed, settings were often kept in text files like ini files. In order to make changes to an ini file, software would rewrite the whole file each time a change was made. Text files were not designed for multi-user environments and don't support rolling back changes.

Registry
Microsoft introduced the registry to replace text files like ini files. Editing a single value in the registry is a lot easier than editing a single value in a text file. The problem with the registry is that once a change is made, the change is permanent until overwritten by another value.

Group Policy
Group Policy allows changes to be rolled back when they no longer apply. This means that the effects of Group Policy will be reversed when it is no longer being applied. Users and computers can therefore be moved around Active Directory, and the Group Policy for these objects may change. Since Group Policy reverses any previously made changes, the administrator does not need to worry about what settings were previously applied.

Group Policy Mechanics
Group Policy is created and stored on a Domain Controller. It is downloaded from the Domain Controller to the local computer and applied there. For this reason Group Policy is a client-driven technology: it is up to the client to download Group Policy and apply it. Group Policy is applied by Client Side Extensions (CSEs). Each operating system improves and adds CSEs, meaning new clients can process some Group Policy settings that older clients may not be able to process. For a list of all the CSEs installed on a system, refer to the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Group Policy Example
A single Group Policy is divided into two parts called Computer Configuration and User Configuration. Settings configured under Computer Configuration affect the whole computer. Settings configured under User Configuration affect only the user that is currently logged in. The user and computer configuration are each divided into two parts called Policies and Preferences. Preferences were a late addition to Windows Server 2008: Microsoft purchased another product called PolicyMaker and added it to Group Policy. The essential difference between the two is that policies are mandatory while preferences can often be overwritten by the user. Policies are divided into 3 parts: Software Settings, Windows Settings and Administrative Templates. Software settings, like installations, are done under Software Settings. Windows Settings are more broad-stroke settings having an effect on how the computer operates at a low level rather than on specific functions. Administrative Templates contain the bulk of the Group Policy settings.

Summary
Group Policy settings are stored in Active Directory. They are client driven, and thus the client is responsible for downloading the Group Policy settings and applying them. Group Policy settings are applied to the client by software called client side extensions. If a particular Group Policy setting requires a particular client side extension and that client side extension is not available, the Group Policy setting will not be applied to that computer or user. Group Policy itself is divided primarily into two halves, User Configuration and Computer Configuration. Computer Configuration is applied when the computer starts up, while User Configuration is applied when the user logs into the computer.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 250-251, 254
"Group Policy" http://en.wikipedia.org/wiki/Group_Policy
This video covers the different features and system requirements of each Windows 7 edition. Free course: http://ITFreetraining.com. Windows 7 has 6 different editions. This video will help you understand the different features that each edition has so that you can make the right choice when deciding which edition of Windows 7 is right for you. The editions that Windows 7 comes in are Starter, Home Basic, Home Premium, Professional, Enterprise and Ultimate.
Next video: Performing a clean install of Windows 7 http://www.youtube.com/watch?v=dGNfbjmegOA
Loopback processing allows the administrator to apply user Group Policy settings based on where the computer account is located rather than on where the user account is located. This is an invaluable setting to use when deploying kiosk computers where you do not want the user's own settings to be applied.
Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/group-policy-loopback-processing.pdf

Loopback Processing
Loopback processing changes the algorithm used to apply Group Policy to a computer. This allows the administrator to effectively ignore or merge the user configuration that would normally be applied on the computer.

Group Policy Normal Processing
Group Policy is divided into two halves, Computer Configuration and User Configuration. Group Policy loopback processing changes the way these two halves are applied and where the settings are obtained from. Without loopback processing enabled, when the computer starts up, the Computer Configuration from Group Policy is applied. This is applied based on where the computer account is located in Active Directory. User Configuration is applied when a user logs in, based on where the user account is located in Active Directory.

Group Policy Loopback Processing (Replace)
When Computer Configuration is applied to the computer, there is a setting in Computer Configuration that enables Group Policy loopback processing in replace mode. When enabled, this changes how User Configuration is applied. Instead of User Configuration being applied based on where the user account is in Active Directory, user settings are applied based on where the computer account is located in Active Directory.

Demonstration
Loopback processing is configured via the following setting:
Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode
This setting can be configured for merge or replace mode. Merge mode is explained below.

Group Policy Loopback Merge
When merge mode is enabled, Group Policy is first applied as it would be normally. That is, the Computer Configuration based on where the computer account is located in Active Directory and the User Configuration based on where the user account is located in Active Directory are applied. The difference is that an extra step is added: the extra step applies User Configuration based on where the computer account is located in Active Directory. This is often used for Remote Desktop Services, where you want the user to have their own user settings applied but want the option to override or add additional settings as required.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 294-295
"Loopback processing of Group Policy" http://support.microsoft.com/kb/231287
"Group Policy Loopback Processing" http://timstechnoblog.blogspot.com.au/2012/01/group-policy-loopback-processing.html
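The normal, replace and merge behaviours described above can be modelled as a small precedence rule. The following Go program is an added example and is not code from the video: each GPO is reduced to its User Configuration half, and ResolveUserSettings works out which user settings take effect in each mode, with a setting applied later overriding one applied earlier. The GPO names and settings are constructed sample data standing in for a staff user OU and a kiosk computer OU.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Mode is the loopback processing mode set under Computer Configuration.
type Mode int

const (
	Normal  Mode = iota // loopback not enabled
	Merge               // user's own GPOs first, then the computer's user settings
	Replace             // only the user settings from the computer's GPOs
)

// GPO models one Group Policy Object; for loopback only the User
// Configuration half matters, so that is all this model keeps.
type GPO struct {
	Name         string
	UserSettings map[string]string
}

// ResolveUserSettings returns the effective user settings and the order the
// GPOs were applied in. userGPOs are linked where the user account sits in
// Active Directory, computerGPOs where the computer account sits. Within
// each list GPOs are in apply order, and a setting applied later wins.
func ResolveUserSettings(mode Mode, userGPOs, computerGPOs []GPO) (map[string]string, []string) {
	var order []GPO
	switch mode {
	case Normal:
		order = userGPOs
	case Replace:
		order = computerGPOs
	case Merge:
		order = append(append([]GPO{}, userGPOs...), computerGPOs...)
	}
	effective := map[string]string{}
	var applied []string
	for _, g := range order {
		for setting, value := range g.UserSettings {
			effective[setting] = value
		}
		applied = append(applied, g.Name)
	}
	return effective, applied
}

// Summarize renders the effective settings in a stable, sorted form.
func Summarize(effective map[string]string) string {
	keys := make([]string, 0, len(effective))
	for k := range effective {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+effective[k])
	}
	return strings.Join(parts, " ")
}

// Constructed sample data: one GPO linked at the OU holding staff user
// accounts, and one linked at the OU holding the kiosk computer accounts.
var (
	staffGPOs = []GPO{{Name: "Staff-Users", UserSettings: map[string]string{
		"Wallpaper": "corporate.jpg",
		"HomeDrive": "H:",
	}}}
	kioskGPOs = []GPO{{Name: "Kiosk-Lockdown", UserSettings: map[string]string{
		"Wallpaper": "kiosk.jpg",
		"RunDialog": "disabled",
	}}}
)

func main() {
	for _, m := range []struct {
		name string
		mode Mode
	}{{"normal", Normal}, {"replace", Replace}, {"merge", Merge}} {
		effective, applied := ResolveUserSettings(m.mode, staffGPOs, kioskGPOs)
		fmt.Printf("%-8s applied %v -> %s\n", m.name, applied, Summarize(effective))
	}
}
```

Running it shows the three outcomes side by side: in normal mode the kiosk lockdown never reaches the user, in replace mode the user's home drive mapping disappears along with every other user-OU setting, and in merge mode the user keeps the home drive while the kiosk GPO wins the wallpaper conflict and adds the RunDialog restriction.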
Active Directory utilizes two main standards: the X.500 standard and LDAP. This video looks at how the X.500 standard is used to store the Active Directory objects in the database. It also looks at how LDAP is used to access this data and the formatting LDAP uses.

NTDS.DIT
The Active Directory database is by default stored in c:\windows\NTDS\ntds.dit. This file is based on the X.500 standard. Originally Active Directory was called NT Directory Services, and this is where the file got its name. Each domain in Active Directory will have a separate database. Domain Controllers hold their copy of the database in the ntds.dit file and replicate changes to each other. If you have more than one domain, then each separate domain will have its own copy of the ntds.dit file.

Organization Units
In order to organize objects in Active Directory more easily, objects can be organized into Organization Units, also known as OUs. These OUs are like folders on your hard disk.

LDAP Syntax
LDAP uses a syntax that refers to the most significant part first, followed by less significant or precise parts afterwards. This is the opposite of other systems, like filenames or paths. The main syntax of any LDAP command is like this example: CN=Joe, OU=Users, DC=ITFreeTraining, DC=Com. When an object can be defined uniquely, like in this example, the name is called the distinguished name.

Canonical Name (CN)
This is the name of the object in Active Directory that you want to access. For example, if you wanted to access a user called Joe, you would use CN=Joe.

Organization Unit (OU)
Organization units in Active Directory are used to sort objects into different areas or folders. If you have multiple OUs, then start with the lowest in the tree and expand downwards. For example, if a user was in Users\Accounts\Payable you would use OU=Users, OU=Accounts, OU=Payable.

Domain Component (DC)
This is the domain in which the object is located. For example, DC=ITFreeTraining, DC=com.
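The distinguished-name syntax above is easy to get wrong by hand, so here is an added Go example (not code from the video) that parses a DN into its RDN components, handles the RFC 4514 backslash escape for a comma inside a value, and converts the result to Active Directory's canonical-name form (domain, then the container path, then the object's own name). The RDNs of a DN are written starting from the object itself and ending with the DC parts, so building the path from the domain root downward means reversing the OU order. The first DN in main() is the one from the video; the second, with nested OUs and an escaped comma, is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RDN is one "type=value" component of a distinguished name.
type RDN struct {
	Type  string
	Value string
}

// ParseDN splits a DN such as "CN=Joe, OU=Users, DC=ITFreeTraining, DC=Com"
// into its RDNs in the order written. A comma preceded by a backslash is
// part of the value (the RFC 4514 escape), not a separator.
func ParseDN(dn string) ([]RDN, error) {
	var rdns []RDN
	var cur strings.Builder
	flush := func() error {
		part := strings.TrimSpace(cur.String())
		cur.Reset()
		if part == "" {
			return errors.New("empty RDN")
		}
		eq := strings.IndexByte(part, '=')
		if eq <= 0 {
			return fmt.Errorf("RDN %q is not in type=value form", part)
		}
		rdns = append(rdns, RDN{
			Type:  strings.ToUpper(strings.TrimSpace(part[:eq])),
			Value: strings.TrimSpace(part[eq+1:]),
		})
		return nil
	}
	escaped := false
	for _, r := range dn {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ',':
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			cur.WriteRune(r)
		}
	}
	if escaped {
		return nil, errors.New("DN ends with a dangling backslash")
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return rdns, nil
}

// DomainName joins the DC components into the DNS name of the domain.
func DomainName(rdns []RDN) string {
	var dcs []string
	for _, r := range rdns {
		if r.Type == "DC" {
			dcs = append(dcs, r.Value)
		}
	}
	return strings.Join(dcs, ".")
}

// CanonicalName renders the object in Active Directory's canonical form:
// the domain, then each container from the top of the tree down, then the
// object's own name. RDNs are written from the object outward, so the
// non-DC components are reversed to read from the domain root inward.
func CanonicalName(rdns []RDN) string {
	var path []string
	for _, r := range rdns {
		if r.Type != "DC" {
			path = append(path, r.Value)
		}
	}
	for i, j := 0, len(path)-1; i < j; i, j = i+1, j-1 {
		path[i], path[j] = path[j], path[i]
	}
	return DomainName(rdns) + "/" + strings.Join(path, "/")
}

func main() {
	for _, dn := range []string{
		"CN=Joe, OU=Users, DC=ITFreeTraining, DC=Com", // the DN from the video
		// constructed: nested OUs and an escaped comma inside the CN value
		`CN=Smith\, Joe,OU=Payable,OU=Accounts,OU=Users,DC=ITFreeTraining,DC=Com`,
	} {
		rdns, err := ParseDN(dn)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%v\n  -> %s\n", rdns, CanonicalName(rdns))
	}
}
```

Splitting on bare commas without honouring the escape is a common mistake when DNs are handled in scripts; a name such as "Smith, Joe" would otherwise be torn into two components and the object would not be found.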
Certificates are used to prove identity and are used for creating secure communication. Check out http://itfreetraining.com for more of our always free training videos. This video looks at how a certificate works, what a certificate is and how certificates are used for identification and secure communication.

Download the PDF handout http://itfreetraining.com/Handouts/Certificates/WhatAreCertificates.pdf

What is a certificate?
A certificate is an electronic document that contains data fields. When compared to a traditional paper certificate there are some similarities between an electronic certificate and a physical certificate. Digital certificates, like a physical certificate, are issued by an authority. For example, a university may issue a certificate to a student to show that they have completed the necessary work in order to graduate. The next question is, would you trust a physical certificate? Digital certificates work the same way. They are issued from an authority and the question becomes: would you trust the authority that issued the certificate? Electronic certificates also contain other fields like who or what the certificate was issued to, how long it is valid, the public key and the digital signature. If a digital certificate is presented to a user or computer, the user or computer is able to check the certificate to ensure the person using it should be using it. Also, the certificate contains a digital signature which allows the certificate to be checked to make sure it has not been modified.

Digital Signature
A digital signature provides a method for a certificate to be checked to ensure it has not been modified. In order to do this, a hash value is created for the certificate. To generate a hash value the certificate is put through a function to create a single value. Hash functions are designed so that different certificates will not produce the same value; however, the hash value cannot be used to generate the original certificate. The same principle applies to a person's fingerprints. They can be used to identify a person; however, using a fingerprint you could not work out the features of a person like what color hair they have. When a certificate is created, the hash value for that certificate is also created. Using a function involving the private key, a digital signature is created and added to the certificate.

Digital Signature Example
When a certificate is used, in order to check that the certificate has not been changed, the following is done: the computer generates the hash value for the certificate. Next, the digital signature is put through a function using the public key, which should result in the same hash value. If both values match, the certificate has not been modified. This prevents a 3rd party taking a certificate, changing the values in the certificate and using the certificate.

Trust Model
Certificates work off a trust model. An example of a trust model in computers is that a computer may have a sticker on it indicating which operating systems it will run. The consumer, seeing this sticker, must trust that the manufacturer would not put this sticker on the laptop unless it will run that operating system. The customer must also trust that the creator of that operating system would not allow a computer manufacturer to put a sticker on a computer that would not run that operating system.

Certificate Trust Model
Certificates are generally deployed in a hierarchy. At the top is the root certificate authority. This can be an internal Certificate Authority or an external authority like VeriSign. When an authority like VeriSign issues a certificate, they will perform a number of checks on the individual purchasing the certificate to ensure that they are a valid business. When a certificate is used it can be checked to see which authority issued that certificate. In order for the certificate to be used, the computer must trust the authority that it was issued from. Authorities like VeriSign are trusted by default on most operating systems.

Certificate Error
If a certificate is presented to the computer and it is not trusted, the computer will generate an error asking if the user wants to trust the certificate. It is up to the user to decide if they believe the certificate is valid.

Certificate Hierarchy
Certificates use a hierarchy. At the top is the root CA; below it are subordinate CAs. Any level can issue certificates to subordinate CAs or directly to users, computers or devices. If the user, computer or device trusts the root CA, then any certificate that is issued by any CA in the hierarchy will automatically be trusted and thus used by the client.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 771-775
"Public key certificate" http://en.wikipedia.org/wiki/Public_key_certificate
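The hash-then-sign check and the walk up the CA hierarchy described above, as an added example that is not ITFreeTraining's code. The key pairs are textbook RSA built from fixed, publicly known Mersenne primes so the script is deterministic and runs offline (that gives no security at all; a real CA uses randomly generated keys of 2048 bits or more). The subject names, the server name fs27.itfreetraining.local and the validity date are constructed for the demonstration.

```python
import hashlib
import json

# Toy deterministic RSA parameters: p = 2^a - 1, q = 2^b - 1 (all Mersenne primes).
# Constructed for this example only; never reuse fixed primes in real key generation.
MERSENNE = {"root": (127, 521), "sub_ca": (107, 607), "leaf": (89, 1279)}
E = 65537


def make_keypair(name):
    """Textbook RSA key pair for the named party (toy sizes, deterministic)."""
    a, b = MERSENNE[name]
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def cert_hash(fields):
    """Hash every data field except the signature into one fixed-size value."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def issue_cert(subject, public_key, issuer, issuer_priv):
    """The issuing authority hashes the fields and signs the hash with its private key."""
    fields = {"subject": subject, "issuer": issuer, "public_key": public_key,
              "valid_to": "2030-01-01"}  # constructed validity date
    signature = pow(cert_hash(fields), issuer_priv["d"], issuer_priv["n"])
    return dict(fields, signature=signature)


def signature_valid(cert, issuer_pub):
    """Recompute the hash and compare it with the value recovered through the public key."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    recovered = pow(cert["signature"], issuer_pub["e"], issuer_pub["n"])
    return recovered == cert_hash(fields)


def chain_trusted(cert, intermediates, trusted_roots):
    """Follow issuer links up the hierarchy until a root in the trust store is reached.

    Every link must carry a valid signature; an issuer that is neither a known
    subordinate CA nor a trusted root ends the walk with a failure.
    """
    by_subject = {c["subject"]: c for c in intermediates + trusted_roots}
    root_names = {c["subject"] for c in trusted_roots}
    current = cert
    for _ in range(len(intermediates) + 1):
        issuer = by_subject.get(current["issuer"])
        if issuer is None or not signature_valid(current, issuer["public_key"]):
            return False
        if issuer["subject"] in root_names:
            return True
        current = issuer
    return False


def demo():
    """Root CA -> subordinate CA -> server certificate, plus two failure cases."""
    root_pub, root_priv = make_keypair("root")
    sub_pub, sub_priv = make_keypair("sub_ca")
    leaf_pub, _ = make_keypair("leaf")

    root = issue_cert("Root CA", root_pub, "Root CA", root_priv)        # self-signed
    sub_ca = issue_cert("Sub CA", sub_pub, "Root CA", root_priv)
    server = issue_cert("fs27.itfreetraining.local", leaf_pub, "Sub CA", sub_priv)

    # A third party edits a field but cannot produce a new signature without the CA key.
    tampered = dict(server, subject="other.itfreetraining.local")
    # A certificate whose issuer is not in the hierarchy the client trusts.
    unknown_issuer = issue_cert("fs28.itfreetraining.local", leaf_pub, "Unknown CA", sub_priv)

    return {
        "signature_ok": signature_valid(server, sub_pub),
        "chain_ok": chain_trusted(server, [sub_ca], [root]),
        "tampered_ok": chain_trusted(tampered, [sub_ca], [root]),
        "unknown_issuer_ok": chain_trusted(unknown_issuer, [sub_ca], [root]),
    }


if __name__ == "__main__":
    print(demo())
```

The client only needs the root in its trust store: the subordinate CA's certificate is verified against the root's public key and the server certificate against the subordinate's, which is why trusting one root is enough for every certificate issued below it.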
Views: 501115 itfreetraining
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video will look at the 3 different CALs that are available in Windows Server 2012. These are user, device and RDS. This video looks at how many you need in order to make sure your network is compliant and what these CALs allow you to do and not do.

http://ITFreeTraining.com/handouts/server/cals.pdf

What is a CAL?
A CAL is a Client Access License, which is required for a user or computer to use features on a Windows Server, like file shares or printing. Services like unauthenticated internet access do not require a CAL. If, however, you use a 3rd party system to authenticate users before they connect to the web server, you would need to purchase a CAL.

Types of CALs
There are 3 basic CALs available for Windows Server 2012. There are other feature CALs that are available for products like SQL Server, but these are not covered in this video. The CALs covered in this video are user, device and Remote Desktop.
User: Required for a user to access a Windows Server.
Device: Required for a device to access a Windows Server.
Remote Desktop: Required for each user or device that uses Remote Desktop Services. Does not include the remote desktop connection used by an administrator performing administration work on the server. Each server supports 2 remote desktop connections for administration only.

User CAL
A user CAL is associated with a user. Once the user has a CAL, it is associated with the user, and that user is free to access any Windows Server on the network using any device. If you have more users than devices on your network you should purchase user CALs.

Device CALs
Device CALs are associated with a device like a computer or a tablet. Once a device CAL is associated with that device, any number of users can log in to that device and access Windows Server. The users that use this device do not require a user CAL. Device CALs are a good choice when you have more users on your network than devices.

Remote Desktop CALs
This CAL is also referred to as an additive CAL, as once you add the CAL to Windows Server it activates additional functionality. Unlike the other CALs, remote desktop CALs need to be activated before they can be used. User and Device CALs rely on the administrator to check that they have enough CALs on the network to cover the number of users and devices they have. Functionality on the Windows Server is not gained or lost if the administrator does not have the correct number of user and device CALs. Remote Desktop CALs come in 3 different types. These are user, device and external connector.
User: Like a standard User CAL, a remote desktop user CAL allows the one user to connect to the remote desktop server using any device.
Device: A device CAL allows any device to connect up and use Remote Desktop Services. Any user is free to log in to this device and use it.
External Connector: This allows multiple users from a 3rd party to connect to a single Remote Desktop Server.

New CALs support older OSs
The CAL that you purchase can be used with any operating system before it. For example, if you are running Windows Server 2008 on your network and need additional CALs, you should purchase Windows Server 2012 CALs as these will work with Windows Server 2008 and will work when you upgrade your servers to Windows Server 2012. Microsoft also allows CALs to be updated to newer operating systems as required.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Client Access Licenses and Management Licenses" http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx
"Newegg TV: Microsoft Windows Server 2012 CALs Interview" http://www.youtube.com/watch?v=9dYDeDNIUt0
Views: 191265 itfreetraining
This video will look at what happens to a user's access when share and NTFS permissions are used together. Check out http://itfreetraining.com for more of our always free training videos. Using these effectively together can greatly improve the security of your network while still allowing the user to access what they need to.

Download the PDF Handout: http://ITFreeTraining.com/handouts/server/share-ntfs.pdf

Share and NTFS Permissions
When you create a file share, you are able to configure 3 basic permissions on the share. Full control gives the user read/write/delete, the ability to take ownership and change permissions. Change allows the user to read/write/delete, and read allows the user to read. NTFS has five basic permissions. Full control has the same effect as share full control and read has the same effect as the read share permission. The modify permission in NTFS is the same as the change permission in share permissions. If you have configured different share and NTFS permissions, the important point to remember is that the most restrictive permission will always win. Consider some examples.
1) If the share permission was set to read, and the NTFS permission set to full control, the user, when accessing the share, would get the permission read.
2) If the share had full control and the NTFS permissions were set to read, the user would once again only have read permission since the most restrictive permission will always win.
3) If the share permission was set to change and the NTFS permission was set to full control, the user would get modify access. Modify access is essentially the change permission. Since the change permission was the most restrictive permission, the user will have read/write/delete, which is change or modify access.
4) If the share permission was set to full control and the NTFS permission was set to modify, the user would get modify access. Modify access is essentially the change permission. Since the change permission was the most restrictive permission, the user will have read/write/delete, which is change or modify access.

The choice of which permission to use comes down to the choice of the individual administrator. Some administrators configure the share permissions with full control and then subtract permissions using NTFS. Others will configure security at the share level. The important point to remember is that NTFS permissions allow granular control while share permissions are a broad-stroke approach.

Demonstration
DepData will be configured to allow full control at the share level. Permissions will be subtracted at the folder level using NTFS.
1) Right click the folder DepData and select properties.
2) Select the tab sharing and then press the button advanced sharing.
3) From the advanced sharing dialog press the button at the bottom, permissions.
4) This will show that everyone has full control to the share.
5) Next select the security tab and notice what permissions have been configured. The users have been configured with modify access. This essentially means that a user accessing the share will lose the full control access that was granted at the share level and be left with modify access. However, users like administrators that have been granted full control will be allowed to have this access since at the share level it has been configured with full control.

DepData2 will be configured using share permissions for users.
1) Right click the folder DepData2 and select properties.
2) Select the tab sharing and then press the button advanced sharing.
3) From the advanced sharing dialog press the button at the bottom, permissions.
4) In this case, the everyone permission has been added with change access. Also notice the second entry for administrators gives administrators full control. In this example there are only two groups so it is not that difficult for the administrator to configure this. However, if there were more groups, this becomes more work to keep up to date.
5) Next select the security tab and notice what permissions have been configured. Notice that users and administrators have been configured with full control. However, the user will only get change access because this was what was configured at the folder level. You can see that if an administrator forgot to configure NTFS permissions, the user would not get any additional access, as the share permission acts as a safety net to prevent the user getting more permissions than they should have.
6) Using this method, it is also possible to remove user access. For example, if you want the user to only have read access to a file or folder you would only need to modify the NTFS permission to remove the write access for that user.

Description too long for YouTube. Please see the following link for the rest of the description: http://itfreetraining.com/server#share-ntfs
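"The most restrictive permission wins" is the intersection of the rights granted at the share and the rights granted by NTFS. The following added example (not ITFreeTraining's code) models the three share permissions and the NTFS read/modify/full control permissions as sets of rights and works through the four numbered cases plus the "forgot to configure NTFS" safety-net case. The right names and the default of NTFS full control for an unconfigured folder are assumptions made for the model.

```python
# Rights carried by each permission name. "change" (share) and "modify" (NTFS)
# grant the same rights, which is why the video treats them as equivalent.
RIGHTS = {
    "read": {"read"},
    "change": {"read", "write", "delete"},
    "modify": {"read", "write", "delete"},
    "full control": {"read", "write", "delete", "take ownership", "change permissions"},
}


def rights_name(rights):
    """Name the permission that grants exactly this set of rights, else 'custom'."""
    for name in ("full control", "modify", "read"):
        if RIGHTS[name] == rights:
            return name
    return "none" if not rights else "custom"


def effective_access(share_permission, ntfs_permission=None):
    """Effective rights over the network = share rights AND NTFS rights.

    ntfs_permission may be a permission name, an explicit set of rights (for an
    entry the administrator has trimmed by hand), or None for a folder whose NTFS
    permissions were never touched (assumed here to default to full control).
    """
    share = RIGHTS[share_permission]
    if ntfs_permission is None:
        ntfs = RIGHTS["full control"]
    elif isinstance(ntfs_permission, set):
        ntfs = ntfs_permission
    else:
        ntfs = RIGHTS[ntfs_permission]
    return rights_name(share & ntfs)


def worked_examples():
    """The four cases from the video, the safety net, and subtracting write via NTFS."""
    return {
        "1 share read / ntfs full": effective_access("read", "full control"),
        "2 share full / ntfs read": effective_access("full control", "read"),
        "3 share change / ntfs full": effective_access("change", "full control"),
        "4 share full / ntfs modify": effective_access("full control", "modify"),
        "safety net: share change, NTFS forgotten": effective_access("change"),
        "write removed in NTFS": effective_access(
            "full control", RIGHTS["modify"] - {"write"}),
    }


if __name__ == "__main__":
    for case, result in worked_examples().items():
        print(f"{case}: {result}")
```

Because the effective set can only shrink as more layers are added, a share left at full control delegates all real control to NTFS, while a tighter share permission caps whatever NTFS grants; either way, the intersection is what the user actually gets.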
Views: 40688 itfreetraining
This video will look at how to configure DNS forwarding and conditional forwarding on Windows Servers. Forwarding allows all DNS requests to be forwarded to a particular server and conditional forwarding allows you to configure certain DNS queries to be sent to a particular DNS server.

http://itfreetraining.com/handouts/dns/dnsforwardingdemo.pdf

Demonstration

Setting up forwarding
To change the forwarding settings, open DNS manager. This can be run from the tools menu in server manager or by running DNS from administrative tools in the control panel. The forwarding settings are located in the properties for the DNS server. To access these, right click on the server in DNS manager and select properties. If you do not have your DNS server listed, you will need to add it by right clicking DNS and selecting the option connect to DNS server. From the properties of the DNS server, select the forwarders tab. On the forwarders tab, press the button edit and then add the addresses of the DNS servers that you want to forward DNS requests to.

Setting up conditional forwarding
To configure conditional forwarders, first open DNS manager from the tools menu in server manager or run DNS from administrative tools. From DNS manager, right click Conditional forwarders and select the option New Conditional Forwarder. In the New Conditional Forwarder window, enter the DNS domain that you want to forward DNS requests for and then add the DNS server that can answer DNS requests for that DNS domain. When you create the conditional forwarder, you also have the option to store that conditional forwarder in Active Directory. If you decide to tick this option, the conditional forwarder configuration can be replicated to all domains in the forest or only to DNS servers in the current domain. It should be remembered that only DNS servers that are running on Domain Controllers will be able to access this information if you decide to use this feature.

Clear local cache
If you are having problems resolving an address or it is being resolved to the wrong address, it may be that the local computer has stored the result in the local cache. To remove this information, run the following command.
Ipconfig /flushdns

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
None
Views: 41690 itfreetraining
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video looks at how the two different parts of Group Policy replication work. Understanding how these two systems work will help you understand how to troubleshoot Group Policy problems when they occur.

Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gpreplication.pdf

Group Policy Object
A single Group Policy is made up of two parts. These are the Group Policy Container (GPC) and the Group Policy Template (GPT). Since Group Policy is made up of two parts, this is why it is referred to as a Group Policy Object (GPO). The Group Policy Container is stored in the Active Directory database and thus replicated with Active Directory replication. The Group Policy Template is the file part of Group Policy and is stored in the SysVol folder. A SysVol folder is present on every Domain Controller. The SysVol folder is replicated using FRS or DFS-R. DFS-R is only available in Windows Server 2008 and above. It is possible for these two systems to become out of sync with each other for a brief period of time while replication is occurring.

Demonstration
If you want to see the current version status of a particular Group Policy Object, select the Group Policy in Group Policy Management and select the details tab. On this tab are listed the user version and the computer version, both in Active Directory and in the SysVol folder. Both the Active Directory and SysVol values should be the same if replication is working correctly. On this tab is the unique ID for the Group Policy; this number is used to identify the Group Policy. If you browse the SysVol folder, for example \\ITFreeTraining.local\SysVol\ITFreeTraining.local\Polices, this contains all the files for Group Policy. The directory used to store each Group Policy is named with the same unique ID that was listed on the details tab in the Group Policy Management console. Inside any of these directories is a file called GPT.INI. This file contains the version number for the Group Policy. The number is a 32-bit value. If you entered the number into Windows Calculator, the first 16 bits are the user version and the last 16 bits are the computer version.

To view the Group Policy Container, open Active Directory Users and Computers and make sure advanced features is ticked under the view menu. The Group Policy Container can be found under System\Polices. The Group Policies are listed as folders by their unique ID, just as they were in the SysVol folder. If you want to see the version, open the properties for one of the folders, select the attribute editor and locate the VersionNumber attribute.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 260-262
"Group Policy Collection" http://technet.microsoft.com/en-us/library/cc779838(v=ws.10).aspx
"Understanding the GPO version number" http://blogs.technet.com/b/grouppolicy/archive/2007/12/14/understanding-the-gpo-version-number.aspx
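The version split described above can be checked without Windows Calculator. The following added example (not ITFreeTraining's code) parses the Version value out of a GPT.INI, splits the 32-bit number into its user (high 16 bits) and computer (low 16 bits) halves, and compares it with the versionNumber read from the GPC in Active Directory to report which half is out of sync. The GPT.INI contents and the AD value in the demo are constructed sample data.

```python
import configparser


def split_version(version):
    """Return (user_version, computer_version) from a 32-bit GPO version number."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text):
    """Extract the version from the [General] section of a GPT.INI file."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    version = int(cfg["General"]["Version"])
    user_version, computer_version = split_version(version)
    return {"version": version, "user": user_version, "computer": computer_version}


def replication_status(ad_version, sysvol_version):
    """Compare the GPC (AD) and GPT (SysVol) versions the details tab shows side by side."""
    if ad_version == sysvol_version:
        return "in sync"
    ad_user, ad_computer = split_version(ad_version)
    sv_user, sv_computer = split_version(sysvol_version)
    lagging = []
    if ad_user != sv_user:
        lagging.append("user")
    if ad_computer != sv_computer:
        lagging.append("computer")
    return "out of sync: " + ", ".join(lagging)


# Constructed sample of a GPT.INI as found under the policy's GUID folder in SysVol.
# 196610 = 3 << 16 | 2, i.e. user version 3 and computer version 2.
SAMPLE_GPT_INI = """[General]
Version=196610
displayName=Sample Policy
"""


def demo():
    gpt = parse_gpt_ini(SAMPLE_GPT_INI)
    # Constructed: the versionNumber attribute read from the GPC, one user edit behind.
    ad_version_number = (2 << 16) | 2
    return {
        "sysvol": gpt,
        "status": replication_status(ad_version_number, gpt["version"]),
    }


if __name__ == "__main__":
    print(demo())
```

A mismatch that persists beyond normal replication latency points at the transport for the side that lags: AD replication for the GPC, FRS or DFS-R for the SysVol copy.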
Views: 30981 itfreetraining
In this video, we will look at Shadow Copies, which in Windows is a service that provides the ability for Windows to back up open files and restore files to a certain degree. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.

Access the rest of the course: http://ITFreeTraining.com/server
Download Handout: http://ITFreeTraining.com/handouts/server/shadow-copies.pdf

Shadow Copies
0:12 – Shadow Copies was first introduced in Windows XP. It works by creating a snapshot of the drive. The main aim was to allow backup software like NT Backup to be able to back up open files. The initial release of Shadow Copies only allowed for a temporary snapshot for the purpose of backing up the files. Later versions of Windows allow files to be restored from the snapshot. However, Shadow Copies should not be considered a replacement for regular backups. This is because snapshot records can and will change. If a file has not changed, the file is not included in the snapshot. If the user were to later delete a file that was not in the Shadow Copy storage, the only way to recover the file is to restore the file from the regular backup. Snapshots also operate under space restrictions imposed by the amount allocated to them and the number of snapshots that have already been created. When a storage area is full, the oldest backup is deleted.

We're going to take a closer look now. Consider that you have a data drive. Once Shadow Copies is enabled, it will allocate a storage area. The administrator can exercise control over how large the storage area for Shadow Copies really is; there is, however, a minimum size it must be, and that is 300 megabytes. When a Shadow Copy runs, it will store recently changed files. Looking at files on the drive, let's consider that some have had changes made to them. When the Shadow Copy service runs next, these files will be copied to the Shadow Copy data store. Now consider that another file has changed after the first Shadow Copy has run. Nothing will change in the Shadow Copy storage area until another Shadow Copy is run. The Shadow Copy service will then copy the changed file to the storage area. The process keeps repeating; each time files are changed, the next time the Shadow Copy service runs the changed files are copied to the storage area. The storage area is quite efficient at storing changes made to the files, rather than the whole complete file itself. So if you were to keep changing the same files all the time, the storage area will be able to hold a lot of changes. At some point, the storage area will become full. When this occurs, the oldest Shadow Copy in the area is deleted when the next Shadow Copy service runs. Furthermore, Shadow Copies will only store up to 64 changes to the file; after this limit has been reached, the oldest version will be deleted to make room for the new one.

Shadow Copies vs Backups
2:43 – The next point we'll discuss is that Shadow Copies are not replacements for regular backups. The administrator does not have control over which files are removed from the Shadow Copy storage. If the file you want is within the Shadow Copy storage area, that is excellent and you can restore the file; however, if it has been removed, there is no way to restore it. If you want to make sure it is always available, you will need to store that file in some kind of backup solution. This concludes the video on Shadow Copies.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Installing and Configuring Windows Server 2012 R2 Exam Ref 70-410" pg 76
"Configuring New Offline Files Features for Windows 7 Computers Step-by-Step Guide" https://technet.microsoft.com/en-us/l...
"Windows Vista I/O technologies" http://en.wikipedia.org/wiki/Windows_...
"File Sharing and Offline Files Enhancements" https://technet.microsoft.com/en-us/l...
"Enable the Always Offline Mode to Provide Faster Access to Files" https://technet.microsoft.com/en-au/l...
Views: 18603 itfreetraining
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. Global Catalog Servers contain a partial replica of every object in Active Directory. A Global Catalog Server is used to find objects in any domain in the forest. Any Domain Controller can be made into a Global Catalog Server. This video looks at how to make a Domain Controller into a Global Catalog Server or remove that role, and also the reasons why and where you should put Global Catalog Servers. Global Catalog Servers are used to find objects in any domain in the forest, but it should be remembered that this does not give the user access to that object. Unless the user has the correct permissions they will not be able to access resources in other domains. Global Catalog Servers also contain information about groups that span across domains and services that work at the forest level.

How to change a Domain Controller to a Global Catalog Server 04:18
Use the admin tool Active Directory Users and Computers to navigate to the computer account for your Domain Controller. By default this will be located in the Domain Controllers OU. Open the properties for the Domain Controller and select the button NTDS settings. Deselect or select the tickbox Global Catalog. Windows will do the rest.

Reasons to deploy Global Catalog Servers
Reason 1: Domain Controllers generate a security token for a user when they first log in. If the user is in a group that spans multiple domains, that Domain Controller will need to contact a Global Catalog to get information about that group.
Reason 2: If a user logs in using a User Principal Name (UPN), that is, they log in using a user name in the form user@domain, a Domain Controller will need to access a Global Catalog Server before the log in is completed.
Reason 3: Global Catalog Servers work as an index to the forest. If you perform any searches on the forest you will need to contact a Global Catalog Server.
Reason 4: Microsoft recommends that any network that is separated by a Wide Area Network have a Global Catalog Server deployed at that location. This will ensure that users can log on if the Wide Area Network is down. In order for a computer to contact a Global Catalog Server, ports 389 (LDAP) and 3267 (Global Catalog) need to be opened. If these ports are not open then the user will not be able to use the remote Global Catalog Server.
Reason 5: Some software requires a Global Catalog Server in order to run. Exchange is a big user of the Global Catalog Server. If you have a decent number of Exchange users on your network, you should consider deploying a Global Catalog Server close to these users.

Reasons not to deploy a Global Catalog Server
Global Catalog Servers put more load on the server in the form of searches and lookups from the client. Global Catalogs need to keep their index up to date. This requires more network bandwidth. In order to store the Global Catalog, you are required to have additional hard disk space on your server.
Views: 166556 itfreetraining
This free training course looks at Microsoft Hyper-V. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. It is updated as the technology changes to ensure that it is always up to date.

Hyper-V Course
This course uses the ITFreeTraining modular training system. This allows videos to be added and removed as required. New videos can be added for new features, old videos updated and improved. The web site allows you to select videos for a particular Microsoft certificate like 70-410 or for a particular operating system. This ensures that the information you require is available to you quickly and easily.

Access the rest of the course http://ITFreeTraining.com/hyperv
Download the PDF handout http://ITFreeTraining.com/handouts/hyperv/intro.pdf

What is Hyper-V
Hyper-V is free virtualization software from Microsoft. It is shipped in all versions of Windows after Windows 8 and Windows Server 2012. It is available as an update on Windows Server 2008. It works by creating a hypervisor between the hardware and the operating system and virtual machine. In order for the operating system or virtual machine to access that hardware it must go through the hypervisor. This creates a standard method for accessing hardware. There is other virtualization software on the market. Basic ones can be downloaded and used for free.

Management Software
Virtual machine software also comes with commercial management software. This software provides additional features for virtual machines like the ability to move the virtual machine between different servers. Also, features like backing up the virtual machines and managing the load of the virtual machines can be performed. This is how companies like Microsoft make money when they give their virtual machine software away for free.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Hyper-V" http://en.wikipedia.org/wiki/Hyper-V
Views: 26160 itfreetraining
DNS has two query types, called recursive and iterative. Check out http://itfreetraining.com for more of our always free training videos. This video looks at how these queries are used to resolve DNS requests and how you would configure them in your organization to get the results that you require.

Download the PDF handout http://ITFreeTraining.com/handouts/dns/querry-types.pdf

Recursive and Iterative Queries
Recursive: This query is normally sent from a device on the network to a DNS server. This includes servers, which also, when they require DNS names to be resolved, will send a recursive query to a DNS server. When a DNS server receives a recursive query, it will take responsibility for finding an answer, even if this answer is "there is no DNS name registered for that name". If the DNS server is configured to forward requests, it will simply forward the request to another DNS server to be resolved. If forwarding is not configured, the DNS server will contact other DNS servers. The first DNS server that will be contacted will be a root hints server, assuming information is not available in the DNS server cache that may help resolve the request. This request will be an iterative query, which is explained in more detail below. In this example, the root hints server will respond back with the IP address of the .com servers. The DNS server will be able to send an iterative query to this server asking for the DNS server that can answer DNS requests for ITFreeTraining.com. Once the DNS server has the IP address for one of these DNS servers, it can contact it and resolve the name ITFreeTraining.com.
Iterative: An iterative query is a DNS request which states, "Give me the answer or give me any information that will help me find the answer". If the DNS server has no information that will assist, it will respond back stating that and will not attempt to contact other DNS servers to find out the answer. Root hints servers are configured to only respond to iterative queries. As the root hints servers are at the top of the DNS hierarchy, if these were to become overloaded with recursive queries, this would affect their ability to answer other DNS queries, and thus this is why recursive queries are switched off on the root hints servers.

Summary
Recursive: Sent by clients on the network to DNS servers. The DNS server that is configured to accept recursive queries, which is the default, will contact other DNS servers as required to find out the result.
Iterative: Will respond back from its cache or zone files. It will not attempt to contact other DNS servers to find out the answer. If it knows another DNS server that may be able to assist with the name resolution it will return the IP address of that DNS server.

References
"Domain Name System" http://en.wikipedia.org/wiki/Domain_Name_System
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 455
"Installing and Configuring Windows Server 2012 Exam Ref 70-410" pg 230
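The resolution walk described in this section, and the forwarder and conditional-forwarder behaviour described in the DNS forwarding video above, as one added example that is not ITFreeTraining's code. It is an in-memory model: the server names (root1, tld-com, ns1-itft, dc1, isp), the zone data and the addresses are constructed, each modelled server answers only from its own data when asked iteratively, and root and TLD servers refuse recursive queries. A forwarder that refuses or cannot answer causes the fall back to root hints, which is what "use root hints if no forwarders are available" does.

```python
ROOT_HINTS = ["root1"]  # constructed: the root hints list our server starts from

# Constructed zone data. A referral names the servers for a child zone, which is
# the "anything that will help you find the answer" part of an iterative reply.
SERVERS = {
    "root1":    {"recursive_ok": False, "referrals": {"com": ["tld-com"]}, "records": {}},
    "tld-com":  {"recursive_ok": False, "referrals": {"itfreetraining.com": ["ns1-itft"]},
                 "records": {}},
    "ns1-itft": {"recursive_ok": False, "referrals": {},
                 "records": {"www.itfreetraining.com": "203.0.113.10"}},
    "dc1":      {"recursive_ok": True, "referrals": {},
                 "records": {"fs27.itfreetraining.local": "192.0.2.27"}},
    "isp":      {"recursive_ok": True, "referrals": {}, "records": {}},
}


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def iterative_query(server, qname, log):
    """Answer from the server's own data only: a record, a referral, or nothing."""
    log.append((server, "iterative"))
    data = SERVERS[server]
    if qname in data["records"]:
        return "answer", data["records"][qname]
    best = None  # longest delegated zone that covers the name
    for zone, nameservers in data["referrals"].items():
        if in_zone(qname, zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, nameservers)
    if best:
        return "referral", best[1]
    return "nxdomain", None


def walk_from_root(qname, log):
    """What a DNS server does for a recursive client when no forwarder answers."""
    next_servers = list(ROOT_HINTS)
    for _ in range(10):  # guard against a referral loop
        status, payload = iterative_query(next_servers[0], qname, log)
        if status != "referral":
            return status, payload
        next_servers = payload
    return "servfail", None


def recursive_query(server, qname, log):
    """Hand the whole job to the server; root hints servers refuse this."""
    log.append((server, "recursive"))
    data = SERVERS[server]
    if not data["recursive_ok"]:
        return "refused", None
    if qname in data["records"]:
        return "answer", data["records"][qname]
    return walk_from_root(qname, log)


def resolve(qname, forwarders=(), conditional_forwarders=None):
    """Our DNS server handling a client's recursive query. Returns (ip_or_None, log)."""
    log = []
    for zone, servers in (conditional_forwarders or {}).items():
        if in_zone(qname, zone):                      # conditional forwarder wins
            return recursive_query(servers[0], qname, log)[1], log
    for forwarder in forwarders:                      # plain forwarding
        status, ip = recursive_query(forwarder, qname, log)
        if status != "refused":
            return ip, log
    return walk_from_root(qname, log)[1], log         # root hints


if __name__ == "__main__":
    print(resolve("www.itfreetraining.com"))
    print(resolve("www.itfreetraining.com", forwarders=["isp"]))
    print(resolve("fs27.itfreetraining.local",
                  conditional_forwarders={"itfreetraining.local": ["dc1"]}))
```

The log returned with each answer shows the point of the video: with a forwarder the only recursive query leaves our server and the forwarder does the iterative walk; without one, our server sends three iterative queries down the hierarchy itself; and a recursive query sent to a root server is refused rather than answered.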
Views: 62217 itfreetraining
In order to find resources on the network, computers need a system to look up the location of resources. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video looks at the DNS records that contain information about resources and services on the network. The client can request these records from a DNS server in order to locate resources like web sites, Active Directory domains and mail servers, just to name a few. http://ITFreeTraining.com/handouts/dn...

In this video
This video will look at the following DNS records:
Host (A and AAAA): contains IP addresses for IPv4 and IPv6 hosts.
Alias (CNAME): works just like a shortcut for files, except for DNS records.
Mail Exchange (MX): holds the address of mail servers for that domain.
Service Record (SRV): holds the address of services on the network, e.g. Active Directory DCs.
Start of Authority (SOA): contains information and configuration for a zone file.
Name Server (NS): contains the addresses of other DNS servers for that zone.
Pointer (PTR): reverse lookup record allowing the hostname for an IP address to be looked up.

Host (A and AAAA)
The host record is used to store the address of a hostname. "A" is used for IPv4 and AAAA (Quad A) for IPv6. These can be created manually in DNS or, if dynamic DNS is enabled, the client can register its hostname and thus its IP address with the DNS server.

Alias (CNAME)
A canonical name or CNAME record provides an alias service in DNS. A CNAME effectively points to another A or Quad A record. When the client requests the hostname that is contained in the CNAME, it is given the IP address that is contained in the A record or Quad A record. The advantage of a CNAME is that it can provide a simple name to the user rather than a more complex server name. For example, instead of having to remember FS27 for the local file server, a CNAME of FS could be used to point towards the server FS27. CNAMEs can also be used to transparently redirect network traffic. For example, if you changed your mind and wanted to redirect the user to FS28, you would only need to change the CNAME record to point to FS28 rather than FS27. It should be remembered that the old record may exist in the client cache and may take some time to expire.

Mail Exchange (MX)
The mail exchange record contains a mail server that is able to process mail for that domain name. When a mail server wants to deliver mail, it will perform a DNS lookup asking the DNS server for an MX record for that DNS domain name. The mail server will then attempt to deliver mail to that server. The mail server does not need to have the same DNS name as the mail that is being delivered; it simply needs to understand how to process mail for that DNS domain name. The MX record also has a priority value that can be configured. If two or more MX records exist for the same DNS domain name, the MX record with the lowest priority value will be tried first. If this fails, the MX record with the next lowest value will be tried, and so on until the mail is delivered. Often large companies will have multiple mail servers for incoming mail. In some cases, these additional mail servers may be located on different sides of the globe in case there is a long network outage.

Service Record (SRV)
Service records allow clients on the network to find resources on the network. Active Directory creates a number of service records in DNS to allow clients to find resources like Domain Controllers. This is why Active Directory cannot operate without DNS. A single service record has a number of data fields associated with it. These include service, target, port and priority. Service records are normally created automatically by applications, assuming that your DNS server allows dynamic updates.

Start of Authority (SOA)
There is one start of authority (SOA) record for each zone. Even though the SOA is technically a DNS record, modification of the SOA record is essentially performed through the properties of the DNS zone. Looking at the data in the SOA record, you can configure options for the zone like the primary name server for that zone (the DNS server that holds the master records for the zone), the e-mail address of an administrator, the serial number (incremented each time a change is made in the DNS zone) and the refresh time for the zone (how often a secondary zone should query a master for changes).

Video description too long for YouTube. For the full description please see http://itfreetraining.com/70-642/dns-... See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory, Second Edition", pp. 458-459
"Installing and Configuring Windows Server 2012 Exam Ref 70-410", pp. 236-237
"SRV record" http://en.wikipedia.org/wiki/SRV_record
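The record behaviour described above (CNAME chasing, MX preference order, SRV lookups by service name and the cache problem when an alias is repointed) can be modelled with a small in-memory resolver. This is an added example, not code from the ITFreeTraining video; the zone data, host names (fs27, dc1, mail1 and so on) and addresses are constructed sample values. It also adds a loop guard for CNAME chains, which the video does not discuss but a real resolver must have.

```python
"""Toy resolver over an in-memory zone, modelling A/AAAA, CNAME, MX and SRV
lookups. Added example; zone contents are constructed sample data."""
from typing import List, Optional, Tuple

# (name, type, data). A/AAAA/CNAME data is a string; MX is (preference, exchange);
# SRV is (priority, weight, port, target). Names are kept lowercase.
ZONE: List[Tuple[str, str, object]] = [
    ("fs27.example.local", "A", "10.0.0.27"),
    ("fs28.example.local", "A", "10.0.0.28"),
    ("fs.example.local", "CNAME", "fs27.example.local"),   # friendly alias -> real host
    ("dc1.example.local", "A", "10.0.0.1"),
    ("dc1.example.local", "AAAA", "fd00::1"),
    ("example.local", "MX", (10, "mail1.example.local")),  # lowest preference: tried first
    ("example.local", "MX", (20, "mail2.example.local")),  # fallback, e.g. another region
    ("mail1.example.local", "A", "10.0.0.25"),
    ("mail2.example.local", "A", "203.0.113.25"),
    # the kind of SRV record Active Directory registers so clients can find a DC
    ("_ldap._tcp.dc._msdcs.example.local", "SRV", (0, 100, 389, "dc1.example.local")),
    # deliberately broken pair to show why a CNAME loop guard is needed
    ("loop1.example.local", "CNAME", "loop2.example.local"),
    ("loop2.example.local", "CNAME", "loop1.example.local"),
]


def lookup(name: str, rtype: str) -> list:
    """All data values of the given type for an exact name."""
    return [data for (n, t, data) in ZONE if n == name.lower() and t == rtype]


def resolve_host(name: str, rtype: str = "A", max_chain: int = 8) -> List[str]:
    """Return address records for name, following CNAMEs until an A/AAAA is found.
    Refuses CNAME loops and over-long chains instead of spinning forever."""
    seen = set()
    current = name.lower()
    for _ in range(max_chain):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        addrs = lookup(current, rtype)
        if addrs:
            return addrs
        aliases = lookup(current, "CNAME")
        if not aliases:
            return []              # name exists nowhere: NXDOMAIN in real DNS
        current = aliases[0].lower()
    raise ValueError("CNAME chain too long")


def mail_servers(domain: str) -> List[str]:
    """Mail exchangers in the order a sending server tries them (lowest preference first)."""
    return [exchange for _pref, exchange in sorted(lookup(domain, "MX"))]


def find_service(service: str, proto: str, domain: str) -> Optional[Tuple[str, int]]:
    """Locate a service via its SRV record; returns (target, port) of the lowest-priority entry."""
    records = lookup(f"_{service}._{proto}.{domain}", "SRV")
    if not records:
        return None
    _priority, _weight, port, target = min(records)
    return target, port


def repoint_alias(alias: str, new_target: str) -> None:
    """The FS -> FS27 / FS28 redirect from the text: only the CNAME changes.
    Clients holding the old answer in cache keep using it until the TTL expires."""
    global ZONE
    ZONE = [r for r in ZONE if not (r[0] == alias.lower() and r[1] == "CNAME")]
    ZONE.append((alias.lower(), "CNAME", new_target.lower()))


if __name__ == "__main__":
    print("fs ->", resolve_host("fs.example.local"))
    print("MX order:", mail_servers("example.local"))
    print("LDAP on DC:", find_service("ldap", "tcp", "dc._msdcs.example.local"))
    repoint_alias("fs.example.local", "fs28.example.local")
    print("fs after repoint ->", resolve_host("fs.example.local"))
```

The `_ldap._tcp.dc._msdcs` name is the shape Active Directory uses for its domain controller locator records, which is why the text says AD cannot operate without DNS: remove the SRV record and `find_service` returns nothing, just as a domain member would fail to locate a DC.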
Views: 195040 itfreetraining
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. The DNS root hints servers are at the top of the resolving process for DNS names. In order for a DNS server to resolve a DNS name without the help of other DNS servers (e.g. forwarding the request to another DNS server), a root hint server needs to be contacted. There are a lot of root hints servers located around the globe for this task. This video looks at how to configure the root hints servers for DNS in Windows Server. PDF handout http://ITFreeTraining.com/handouts/dns/hints-demo.pdf

Demonstration
This demonstration uses "Remote Server Administration Tools" (RSAT) for Windows 8. You can perform the same steps on Windows Server by running the DNS management tools from there.
1) In order to open DNS Manager, open charms by moving the mouse to the top right and select Search. In the search dialog enter "dnsmgmt.msc".
2) When DNS Manager loads, if a DNS server has not already been added to DNS Manager it will prompt you to add one. If you want to add an additional DNS server to DNS Manager and thus manage multiple DNS servers at the same time, this can be done by right clicking DNS at the top and selecting the option Connect to DNS Server.
3) To configure the root hints on a DNS server, right click the name of the DNS server in DNS Manager and select the option Properties.
4) In the properties of the DNS server, on the Forwarders tab there is a tick box called "Use root hints if no forwarders are available". This option will be grayed out if no forwarders have been configured. If the forwarders cannot be contacted, the DNS server will attempt to contact a root hint server. If your DNS server is behind a firewall and should not be connecting to the internet directly, then this option should be cleared. Remember this option forms a backup method if the forwarders are down, and thus un-ticking the option will prevent DNS names from being resolved in this situation. You should only untick this option if you don't want the DNS server contacting the internet directly, you have reliable DNS forwarders, and you are prepared to accept that if the DNS forwarders are down then no DNS resolving will be possible.
5) On the Advanced tab, there is an option called "Disable recursion (also disables forwarders)". If you tick this option the server will not use forwarders or root hints. If your DNS server does not require either of these, you should tick this option. Ticking this option helps secure the server from a potential denial of service attack.
6) The Root Hints tab shows all the root hint servers that are currently configured. By default there will always be entries in here. The information shown here is found in "c:\Windows\System32\dns\CACHE.txt".
7) If you want to update the root hints from another server, you can press the button Copy from Server. The defaults should work fine, so you should not normally need to do this. Doing this can give your DNS server access to other DNS root hints servers which have recently been added to the internet. You then need to enter a DNS server to copy from. You can use any DNS server that you wish. Your ISP's DNS server is a good choice, or a public DNS server like Google's, which are 8.8.8.8 and 8.8.4.4.

References
"Root name server" http://en.wikipedia.org/wiki/Root_name_server
Views: 22232 itfreetraining
Check out http://itfreetraining.com or http://youtube.com/ITFreeTraining for more of our always free training videos. Active Directory has 5 operations master roles. These roles can be moved from Domain Controller to Domain Controller. Two are at the forest level and three are at the domain level. This video looks at how to move these operations roles from one Domain Controller to another.

How To Points
The 3 operations roles at the domain level are PDC Emulator, RID Master and Infrastructure Master. These can be transferred using Active Directory Users and Computers by right clicking the domain and selecting Operations Masters. The 2 forest-wide operations roles are Schema Master and Domain Naming Master. To move the Schema Master role, first register the schema snap-in by running regsvr32 schmmgmt.dll, then access it by using the MMC to add the Active Directory Schema snap-in. To move the Domain Naming Master role, run Active Directory Domains and Trusts and right click Active Directory Domains and Trusts.
Views: 83202 itfreetraining
Trusts in Active Directory create the pathways for authentication to occur. They are used to link Active Directory domains to each other and also to link Active Directory domains to non-Microsoft systems. Demonstration 08:56

In order to share resources between two domains, there must be a trust or trusts connecting the two domains. Trusts do not provide access; they only create a pathway to the destination. Think of trusts like roads: if you need to get to a house and there is a road between you and the house, you can drive to the destination. If the house is locked you won't be able to get in unless you have the key. The same applies with trusts: you need the path to the resource via a trust and permission to access the resource.

Trust direction (one-way or two-way)
Trusts can be one-way or two-way. If the trust is two-way, then the domain on either side can access the other side. If the trust is one-way, the terminology used to describe the trust will usually be "Domain A trusts domain B." This means that domain A is the trusting domain and domain B is the trusted domain. For a user in one domain to access a resource in another domain, the user needs to be in the trusted domain.

Transitive trusts
A transitive trust is a trust that can be extended outside of the two domains in which it was created. A domain connected via a transitive trust can thus access any other domain when there is a path of transitive trusts between that domain and the target domain.

Non-transitive trusts
A non-transitive trust is a trust that will not extend past the domains it was created with. If domain A were connected to domain B and domain B connected to domain C using non-transitive trusts, the following would occur. Domain A and domain B would be able to access each other. Domain B could access domain C. Domain A, however, could not access domain C. Even though the domains are indirectly connected, since the trust is non-transitive the connection stops once it gets to domain B. In order for domain A and domain C to communicate using non-transitive trusts, you would need to create another trust between domain A and domain C. Think of it like having to catch two buses to get to your destination but only having one bus ticket. Transitive and non-transitive trusts will work together. When using both, the pathway through the network will simply stop as soon as a non-transitive trust is travelled over.

Due to a limit on the description size on YouTube, please see the following for the rest of the description: http://itfreetraining.com/70-640/active-directory-trusts See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
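The direction and transitivity rules above can be checked mechanically by treating trusts as directed edges and walking them from the domain holding the resource towards the domain holding the user. This is an added example, not code from the ITFreeTraining video; the domain names (A, B, C, corp, sales.corp, partner) are placeholders. It follows the video's rules exactly: a two-way trust is two one-way edges, and a path may cross a non-transitive trust only as its final hop.

```python
"""Trust pathway model: direction plus transitivity, as described in the text.
Added example; domain names are placeholders."""
from collections import deque
from typing import Dict, List, Optional, Tuple


class TrustMap:
    def __init__(self) -> None:
        # edges[trusting] = [(trusted, transitive), ...]
        self.edges: Dict[str, List[Tuple[str, bool]]] = {}

    def add_trust(self, trusting: str, trusted: str,
                  transitive: bool = True, two_way: bool = False) -> None:
        """'trusting trusts trusted': users from the trusted domain may be granted
        access to resources in the trusting domain (a trust is a road, not a key)."""
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, transitive))

    def path(self, resource_domain: str, user_domain: str) -> Optional[List[str]]:
        """Chain of domains authentication can follow from the resource's domain
        to the user's domain, or None. Once a non-transitive trust is crossed the
        walk stops, so such a trust can only ever be the last hop."""
        if resource_domain == user_domain:
            return [resource_domain]
        queue = deque([(resource_domain, [resource_domain])])
        visited = {resource_domain}
        while queue:
            current, route = queue.popleft()
            for trusted, transitive in self.edges.get(current, []):
                if trusted == user_domain:
                    return route + [trusted]
                if transitive and trusted not in visited:   # keep walking only over transitive trusts
                    visited.add(trusted)
                    queue.append((trusted, route + [trusted]))
        return None

    def can_reach(self, resource_domain: str, user_domain: str) -> bool:
        return self.path(resource_domain, user_domain) is not None


if __name__ == "__main__":
    # The A/B/C scenario from the text: two non-transitive two-way trusts.
    t = TrustMap()
    t.add_trust("A", "B", transitive=False, two_way=True)
    t.add_trust("B", "C", transitive=False, two_way=True)
    print("A<->B", t.can_reach("A", "B"), "| B<->C", t.can_reach("B", "C"),
          "| A->C", t.can_reach("A", "C"))   # True True False
    t.add_trust("A", "C", transitive=False, two_way=True)   # the 'second bus ticket'
    print("A->C after direct trust:", t.path("A", "C"))
```

A forest behaves like the transitive case: with parent/child trusts that are transitive and two-way, `path("sales.corp", "eu.corp")` routes through the root domain. A one-way non-transitive trust from a partner domain to that root gives the partner's resources access to root-domain users only; the walk cannot continue from the root to a child domain, which is the behaviour administrators rely on when they deliberately choose a non-transitive external trust.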
Views: 110042 itfreetraining
This video will look at the two file sharing protocols SMB and NFS. SMB is the primary file sharing protocol developed for Windows computers, and NFS is the primary file sharing protocol developed for UNIX-based systems. Access the rest of the course http://ITFreeTraining.com/server Download the Handout http://ITFreeTraining.com/handouts/server/smb-nfs.pdf

SMB (Server Message Block) 0:16
Server Message Block or SMB was originally designed by IBM back in the 80s. After its inception, Microsoft took the protocol and added some features to it. The additions included features such as LAN Manager. Services such as this allowed Windows systems to map shared drives and have the new share act as a local drive on the computer. For simplicity's sake, I will skip the 3rd and 4th points, but we will get back to those in a minute. With the release of Windows Vista, Microsoft also released SMB 2.0. This was a major revision of SMB which, besides adding additional features, reduced the "chattiness" of the protocol. In other words, it reduced the bandwidth used, or the amount of data transmitted, over the network. SMB 3.0 was released with Windows 8 and Server 2008 R2. With more improvements and added functionality, SMB 3.0 was aimed towards increasing effectiveness in datacenters. When mapping a share, Windows will automatically perform the negotiation and sort out which version of SMB to use. Now what were the points that we skipped? In the late 90s Microsoft attempted to rename SMB to CIFS, or Common Internet File System. Unfortunately for Microsoft, this attempt was unsuccessful, so those points were skipped in order to avoid confusion. CIFS had additional features, but the name simply did not catch on and Microsoft went back to SMB in later versions. Due to this, CIFS is referred to as a dialect of SMB. You may hear CIFS and SMB used synonymously, but they are basically both referring to Windows file sharing. Moving forward, however, the term CIFS should really not be used as it is a relic of the past; it should only be considered SMB.

NFS (Network File System) 2:04
The next file system we will be examining is Network File System, or NFS. Originally developed by Sun in the late 80s, NFS version 1 was used internally within Sun Microsystems and never released publicly. It was version 2 that was released to the public. This provided basic file sharing capabilities and was used extensively within Unix-based systems. When version 3 was released in 1995, it was enhanced to add 64-bit support and was able to handle files larger than 2 gigabytes. In 2000, Sun released version 4 of NFS with added performance along with security improvements. This allowed security methods to be applied and utilized to authenticate users, e.g. Kerberos. These security measures made NFS version 4 much more secure when compared to previous revisions.

In The Real World 2:56
Now I want to ask you a question. In the real world, which protocol would you use? Windows shares support both SMB and NFS, or even both at the same time. It is merely a matter of configuring which one you need, or configuring both if you need to utilize both. Ideally, you'll want to use a native protocol when possible. For example, if you are connecting two Unix systems, it will be best to utilize NFS. If you are connecting two Windows systems, SMB would be the obvious choice. Even though both achieve the goal of file sharing, there are differences in the way Windows and Unix-based systems handle file systems and the users that will be using the systems. Mixing the two can lead to compatibility problems. As NFS is good for host authentication, it makes connecting two servers together rather easy. This can be placed in the boot-up configuration and the data would be available to the operating system without the need for a user to be logged in. You could even connect to another server based on the IP address alone. Conversely, Windows requires user authentication in order to connect to an SMB share, and generally the user is required to be logged in. It is possible to circumvent this, and you would do this for some services running on the local system, but it is, unfortunately, not as simple as NFS makes it. Windows is an excellent choice for using authentication. Until NFS version 4, this was something that NFS did not handle well and it was prone to more security problems. If you are using a domain, then Windows handles user authentication very well. Ultimately, the decision will be made on what operating systems you are using and your software requirements. In future videos, we will discuss how Windows file sharing (SMB) works and also how to incorporate NFS using Windows Server. Unfortunately our description is too long for YouTube; please check out http://www.itfreetraining.com/server/#/smb-nfs for the full description, references and more!
Views: 56934 itfreetraining
This video from ITFreeTraining will look at how to install Active Directory Federation Services. Check out http://itfreetraining.com for more of our always free training videos. The install requires a certificate. If you do not have certificate services installed, see our previous video on how to install Active Directory Certificate Services: https://www.youtube.com/watch?v=fpvvbeyr7ec Federation: http://ITFreeTraining.com/federation Download the PDF handout http://ITFreeTraining.com/handouts/federation/install-2012r2.pdf

Demonstration: installing the Active Directory Federation Services role
00:42 To start the install, open Server Manager by selecting the shortcut in the quick launch bar.
00:50 From the Server Manager home screen, select the option Add roles and features.
00:58 Skip the welcome screen and on Installation Type select Role-based or feature-based installation and press Next.
01:04 On the Select destination server screen, select the server that you wish to install the role on and press Next. In this case the server ITADFS2012R2.ITFreeTraining.local was selected.
01:12 On the Select server roles screen select the option Active Directory Federation Services and press Next.
01:24 On the Select features screen, no additional features are required, so press Next to continue.
01:30 The AD FS home screen contains information about AD FS; press Next to continue.
01:40 At the Confirm installation selections screen press Install to install the role.

Demonstration: requesting and installing a certificate
02:04 To request a certificate from an Enterprise CA, right click the start menu and select Run. Enter mmc in the run box and press OK.
02:30 For certificate management, select Add/Remove Snap-in from the File menu.
02:35 From the list of snap-ins select the Certificates snap-in and press Add.
02:44 You will then be prompted for the scope of the Certificates snap-in. Since the certificate will be used by the server, the option Computer account needs to be selected; then press Next.
02:55 On the Select Computer screen leave it on the default option of Local computer, press Finish and then OK to complete the wizard.
03:05 If you open the Personal container, this will show all the certificates that are currently installed on that server.
03:13 The certificate is not present and needs to be requested. The default view is not the best view to request the certificate with. To change the view, right click on the container Personal and select Options under the View menu. Refresh the view if the option is not present.
03:30 The default mode will be Logical certificate stores. Change this to Certificate purpose and press OK.
03:45 Select the container Server Authentication, right click it and select the option Request New Certificate under All Tasks.
04:05 On the certificate enrollment wizard, press Next to skip the welcome screen.
04:09 The Select Certificate Enrollment Policy screen will ask which enrollment policy you want to use. It is possible to create multiple enrollment policies; however, in this case the default policy Active Directory Enrollment Policy will be selected and Next pressed.
04:56 The next screen will ask which template will be used to create the certificate. In previous videos the ADFS SSL Certificate template was created. In this case it will be selected and the Enroll button pressed. Windows Server will now renew the certificate as required using auto enrollment.
05:30 To complete the wizard press Finish; the certificate will be added to the container Server Authentication and MMC can be closed.

Demonstration: configuring Active Directory Federation Services
05:38 To configure the Active Directory Federation Services role, select the exclamation mark at the top of Server Manager and select the option Configure the federation service on this server.
05:53 On the welcome screen of the configuration wizard there is an option to configure the farm options for the server. The default option Create the first federation server in a federation server farm will create a new farm with only that federation server in it. If you have an existing federation server farm and want to add this server to that farm, select the second option Add a federation server to a federation server farm. In previous versions of Active Directory Federation Services there was an option for stand-alone; in Windows Server 2012 R2 this option is no longer available.

Description too long for YouTube. Please see the following link for the rest of the description: http://itfreetraining.com/federation#/install See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Windows Server 2012: Group Managed Service Accounts" http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
Views: 82432 itfreetraining
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. There are a number of different options in Group Policy that allow you to target Group Policy to particular users and computers. This video looks at WMI filters and security filtering that can be applied to target the Group Policy settings that you configure. The video also looks at how you can disable parts of Group Policy to speed up the processing on your clients.

Sorting by OUs
One way of applying Group Policy is to sort the users and computers into different OUs. A typical way of doing this is to separate the users and computers by physical location, department and operating system. The problem with this approach is that an administrator needs to sort these objects initially and again when changes occur, for example if users change job titles or operating systems are upgraded. By using filters in Group Policy you can automate this process.

Demonstration
All the Group Policy filtering options are available from the Group Policy Management Console. Once you select a Group Policy Object you can configure additional filtering options for it.

User/Computer Configuration Enabling/Disabling
If you select the Details tab, the option GPO Status allows you to enable or disable the GPO as well as have only the user or computer configuration enabled. If you are only using one part of the configuration for the GPO, it is worthwhile disabling the other configuration. Disabling configuration like this will speed up the processing of the GPO on the client.

Security Filtering
On the Scope tab you can configure particular groups to be allowed the ability to apply the Group Policy Object. Adding groups here effectively changes the permissions of the Group Policy Object, giving that group access to apply the Group Policy. The same effect can be achieved by editing the security of the Group Policy Object directly; however, Security Filtering provides an easier interface if all you want to do is see who has the ability to apply the Group Policy or add or remove access.

WMI Filter
Windows Management Instrumentation (WMI) allows software to retrieve information about the client. For example, information about the operating system, hardware and installed software can be retrieved using WMI. Using WMI filters, you can target a Group Policy Object to particular characteristics of a computer. You can only assign one WMI filter per Group Policy Object; however, you can make it as complex as you wish. Using WMI filters in your domain, especially complex WMI filters, can slow down the time Group Policy takes to apply. To create a WMI query, select WMI Filters in the left panel of Group Policy Management under your domain and paste in your WMI query. An example of a WMI query is listed below.

Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"

Once you have a WMI query configured, you can assign one WMI filter to the Group Policy Object on the Scope tab. A free WMI explorer: http://www.ks-soft.net/hostmon.eng/wmi/index.htm

Delegation
The Delegation tab effectively shows some of the permissions of the Group Policy Object. In order for the Group Policy to be applied to a client, it requires the Read and Apply Group Policy permissions. To access the security properties press the Advanced button. If you want to prevent the Group Policy from being applied, select the Deny option for Apply Group Policy. Deny permissions should only be applied when necessary. In most cases there is another solution which does not require deny permissions.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory, Second Edition", pp. 285-291
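The three targeting mechanisms described above (GPO status, security filtering with Read plus Apply Group Policy where a Deny wins, and a single WMI filter) combine into one applicability decision per client. The model below is an added example, not ITFreeTraining's code: the group names (Authenticated Users, Kiosk Computers), the GPO name and the `Win32_OperatingSystem` facts are constructed, and the WMI filter is represented as a Python predicate that checks the same two properties as the WQL query quoted in the text rather than by running WQL.

```python
"""Group Policy targeting model: GPO status, security filtering, WMI filter.
Added example; group names, GPO and OS facts are constructed sample values."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

APPLY_RIGHTS = {"Read", "Apply Group Policy"}   # both are required for a GPO to apply


@dataclass
class Ace:
    group: str
    rights: Set[str]
    allow: bool = True          # False models a Deny entry on the Delegation tab


@dataclass
class GPO:
    name: str
    user_config_enabled: bool = True
    computer_config_enabled: bool = True
    aces: List[Ace] = field(default_factory=list)
    # One WMI filter per GPO; None means no filter. Receives the client's WMI facts.
    wmi_filter: Optional[Callable[[Dict[str, str]], bool]] = None

    def security_allows(self, principal_groups: Set[str]) -> bool:
        """Security filtering: every required right must be allowed through some
        group the principal is in, and none may be denied through any of them."""
        allowed: Set[str] = set()
        denied: Set[str] = set()
        for ace in self.aces:
            if ace.group in principal_groups:
                (allowed if ace.allow else denied).update(ace.rights)
        return APPLY_RIGHTS <= allowed and not (APPLY_RIGHTS & denied)

    def applies_to(self, principal_groups: Set[str], wmi_facts: Dict[str, str],
                   part: str) -> bool:
        """Does the 'user' or 'computer' half of this GPO apply to the client?"""
        if part == "user" and not self.user_config_enabled:
            return False
        if part == "computer" and not self.computer_config_enabled:
            return False
        if not self.security_allows(principal_groups):
            return False
        if self.wmi_filter is not None and not self.wmi_filter(wmi_facts):
            return False
        return True


def xp_sp3_filter(facts: Dict[str, str]) -> bool:
    """Same condition as the WQL query in the text, evaluated on a facts dict."""
    return (facts.get("Caption") == "Microsoft Windows XP Professional"
            and facts.get("CSDVersion") == "Service Pack 3")


# Constructed GPO: computer settings only, applied to all authenticated computers
# except kiosks (explicit Deny), and only on XP SP3 machines via the WMI filter.
LEGACY_GPO = GPO(
    name="Legacy XP lockdown",
    user_config_enabled=False,
    aces=[
        Ace("Authenticated Users", set(APPLY_RIGHTS)),
        Ace("Kiosk Computers", {"Apply Group Policy"}, allow=False),
    ],
    wmi_filter=xp_sp3_filter,
)

XP_SP3_FACTS = {"Caption": "Microsoft Windows XP Professional", "CSDVersion": "Service Pack 3"}
WIN7_FACTS = {"Caption": "Microsoft Windows 7 Professional", "CSDVersion": "Service Pack 1"}

if __name__ == "__main__":
    print(LEGACY_GPO.applies_to({"Authenticated Users"}, XP_SP3_FACTS, "computer"))                    # True
    print(LEGACY_GPO.applies_to({"Authenticated Users", "Kiosk Computers"}, XP_SP3_FACTS, "computer"))  # False: Deny wins
    print(LEGACY_GPO.applies_to({"Authenticated Users"}, WIN7_FACTS, "computer"))                      # False: WMI filter
    print(LEGACY_GPO.applies_to({"Authenticated Users"}, XP_SP3_FACTS, "user"))                        # False: user half disabled
```

The kiosk case shows why the text advises using Deny sparingly: one Deny on a group overrides the Allow every kiosk also receives through Authenticated Users, and the only trace of why the GPO skipped those machines is in the Delegation tab's advanced security view.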
Views: 53450 itfreetraining
This video looks at the theory of a claims provider trust. In order to have a trust in Federation Services, a relying party trust and a claims provider trust need to be created. Download the PDF handout http://ITFreeTraining.com/handouts/federation/provider-trust.pdf

Trusts in AD FS
In the previous video, a relying party trust was created in the ITFreeTraining domain. The configuration in this trust is used to create claims. These claims are sent to the HighCostTraining domain's Active Directory Federation Server. The claims provider trust is the configuration that is created on that server. This configuration determines what happens when a claim is presented to that server. It may seem that the claims provider trust should be on the ITFreeTraining side. However, when you consider that the claim has already been created, the next step is to create a set of rules that determine what to do when the claim arrives at the server. That is, the claims provider trust is essentially the configuration that is used when a claim is presented to that server. If you get confused about where the claims provider trust needs to be created, work out which servers accept claims; the configuration needs to be created there.

Claims Provider Trust
The configuration for the claims provider trust is only one rule, in contrast to the relying party trust, which has 3 rules. The rule decides what claims are accepted and also allows changes to the data in that claim to be made.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Understanding Key AD FS Concepts" http://technet.microsoft.com/en-us/library/ee913566.aspx
Views: 12509 itfreetraining
Windows has a comprehensive auditing feature allowing you to track file and object access. In this video and the next 2 videos, auditing is looked at for Active Directory and for file and folder access. Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/windowsauditing.pdf

Coming Up
This video: Auditing concepts
Next video: Active Directory Auditing
Video after this: File and Folder Auditing

ACLs and Auditing
An Access Control List or ACL defines the permissions of an object in Windows. The ACL is divided into two parts. These are the Discretionary Access Control List (DACL) and the System Access Control List (SACL). The DACL is used for permissions like read and write. The SACL is used for auditing permissions like success and failure. Since two systems are used for permissions and auditing, this requires two sets of ACLs. This means that an object can be audited by the auditing system even though there may not be any read permissions defined for that object.

Audit Example
The SACL on an object will determine if this object is audited. Whether the results are recorded in Event Viewer, however, is determined by the audit policy. If the audit policy is configured to record events of that audit type, these events will be recorded in Event Viewer. Thus, in order for auditing to work, the SACL must be configured to audit events for that object and the Audit Policy must also be configured to allow auditing to occur. A system like this allows an administrator to quickly change what is audited without having to change the permissions of objects. As auditing puts more load on the system, many administrators will only use auditing when required.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory, Second Edition", pp. 367-375
"Access Control Lists (Windows)" http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
"AD DS Auditing Step-by-Step Guide" http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx
Views: 20482 itfreetraining
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. NTFS allows permissions to be either configured on each file or folder, or inherited from a parent folder. This video will look at both ways of configuring permissions and how the administrator can use them effectively to achieve the result that they require. Download the PDF Handout: http://ITFreeTraining.com/handouts/server/ntfs-explicit-inherited.pdf

Explicit and inherited
Explicit permissions are created when the object is first created. For example, when a hard disk is first formatted, permissions must be assigned to the root folder in order for the user to access data on the drive. Otherwise, explicit permissions can be created on an object manually at any time. Inherited permissions are permissions that are inherited from the parent. The advantage of this is that if the permissions assigned to the parent change, the object or objects inheriting the permissions will also change.

Explicit and inherited example
When a hard disk is first formatted, explicit permissions will be assigned to the root folder. It is not possible to use inherited permissions because there is no folder above the root folder from which permissions could be inherited. In this example, Everyone has been given Read & execute permission to the root folder. Also, Administrators have been given Full control. When the folder c:\Users is created, it will inherit the permissions from the folder above it, which is c:\. So essentially the folder c:\Users has the same permissions as the root folder. When the sub folder Joe is created, the explicit permission Modify for the user Joe is added. This gives the user Joe the ability to read, write and delete files and folders in the folder c:\Users\Joe. If Joe were to create a sub folder called c:\Users\Joe\Docs, this folder would inherit the permissions from the folder above and thus Joe would have the ability to read, write and delete files and folders in that sub folder.

1) To create a folder structure like the one in the example, open Windows Explorer, open a drive (in this case D), right click on the white space and select Folder under the New menu.
2) When the folder is created it should be selected, allowing the name of the folder to be changed to Users.
3) Open the folder and right click on the white space. Select the option Folder under New and rename the folder to Joe.
4) In order for Joe to read, write and delete files and folders in this folder, he needs to be given additional access. To change the security of the folder, right click the folder and select the option Properties.
5) From Properties select the Security tab and then press the Edit button.
6) Press the Add button and then enter the username Joe. Once Joe has been added, tick the option for Modify.
7) Open the folder Joe and then create a folder called Docs.
8) Right click on the Docs folder, select Properties and then select the Security tab. This should show that the permissions have been inherited from the parent folder. Inherited permissions appear as gray ticks and explicit permissions have black ticks.
9) In some cases, inherited permissions need to be changed. To do this, open the properties of the file or folder, select the Security tab and press the Advanced button. On the advanced settings screen press the button at the bottom of the screen "Disable inheritance". A dialog will be presented asking if you want to convert the existing permissions or remove all permissions from the object. If you convert the permissions, this essentially copies the permissions currently being applied. If you remove the permissions, all permissions will be removed and you will need to configure them from scratch.
10) To remove a permission, press the Edit button. Select the permission that you want to remove and then press the Remove button.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Windows 101: Know the basics about NTFS permissions" http://www.techrepublic.com/article/windows-101-know-the-basics-about-ntfs-permissions/
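The c:\Users\Joe\Docs walkthrough above, including the "convert" versus "remove" choice in step 9, can be modelled as a folder tree whose effective ACL is computed at read time. This is an added example, not ITFreeTraining's code; it uses the folders and principals from the walkthrough and simplifies NTFS rights to named permission sets (Read & execute, Modify, Full control), ignoring the propagation flags real NTFS ACEs carry.

```python
"""Explicit vs inherited NTFS permissions, following the c:\\Users\\Joe\\Docs example.
Added example; the permission model is simplified to named permission sets."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Ace:
    principal: str
    permission: str          # "Read & execute", "Modify" or "Full control"
    inherited: bool = False  # True is shown as a gray tick in the Security tab


class Folder:
    def __init__(self, path: str, parent: Optional["Folder"] = None, explicit=()):
        self.path = path
        self.parent = parent
        self.inherit = parent is not None      # the root has no parent to inherit from
        self.explicit: List[Ace] = list(explicit)
        self.children: List["Folder"] = []
        if parent is not None:
            parent.children.append(self)

    def acl(self) -> List[Ace]:
        """Effective ACL: own explicit entries, then the parent's entries flagged as
        inherited. Evaluated on every call, so a change on c:\\ is seen in every
        descendant that still inherits."""
        entries = list(self.explicit)
        if self.inherit and self.parent is not None:
            entries += [Ace(a.principal, a.permission, inherited=True) for a in self.parent.acl()]
        return entries

    def permissions_of(self, principal: str) -> Set[str]:
        return {a.permission for a in self.acl() if a.principal == principal}

    def add_explicit(self, principal: str, permission: str) -> None:
        self.explicit.append(Ace(principal, permission))

    def remove_explicit(self, principal: str, permission: str) -> None:
        """Step 10: Edit, select the entry, Remove."""
        self.explicit = [a for a in self.explicit
                         if not (a.principal == principal and a.permission == permission)]

    def disable_inheritance(self, convert: bool) -> None:
        """Step 9. convert=True copies every currently applied entry into an explicit
        one (black ticks from now on); convert=False drops the inherited entries, so a
        folder like Docs that had none of its own is left with an empty ACL."""
        if convert:
            self.explicit = [Ace(a.principal, a.permission) for a in self.acl()]
        self.inherit = False


def build_example_tree():
    """Tree from the text: root with Everyone/Administrators, Users, Joe (+Modify), Docs."""
    root = Folder("c:\\", explicit=[Ace("Everyone", "Read & execute"),
                                    Ace("Administrators", "Full control")])
    users = Folder("c:\\Users", root)
    joe = Folder("c:\\Users\\Joe", users, explicit=[Ace("Joe", "Modify")])
    docs = Folder("c:\\Users\\Joe\\Docs", joe)
    return root, users, joe, docs


if __name__ == "__main__":
    root, users, joe, docs = build_example_tree()
    for a in docs.acl():
        print(f"{docs.path}: {a.principal:15} {a.permission:15} {'gray' if a.inherited else 'black'}")
    docs.disable_inheritance(convert=True)
    root.add_explicit("Backup Operators", "Read & execute")
    print("Docs sees Backup Operators after disabling inheritance:",
          docs.permissions_of("Backup Operators"))   # set(): no longer follows c:\
```

Running the tree shows the advantage the text attributes to inheritance: adding an entry to c:\ is immediately visible on c:\Users and c:\Users\Joe, but not on Docs once its inheritance has been disabled, which is why disabling inheritance is something to do deliberately and document.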
Views: 27802 itfreetraining
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. Active Directory accounts are required for security for users and computers. An account contains a Security Identifier, or SID, to uniquely identify the account. The account also contains a password and the attributes associated with that account. This video looks at how accounts work and how they are used with security.

Security Identifier (SID)
A SID is used in security to identify a user or computer account. Short SIDs like S-1-1-0 are used for local accounts. Regardless of which computer it is used on, whether in a domain or not, a short SID like this always represents the same thing. For example, S-1-1-0 always means Everyone on any Windows system. Longer SIDs like S-1-5-21-1218951425-845968048-208583963-2209 are used in a domain. Since the SID, not the name, is what uniquely represents a user, the attributes of the user are free to change. For example, the user's first and last names can change at any time without affecting any object the SID has been applied to.

Account Management
When you change the attributes of a user, such as their name, the change does not affect security or other systems, because the account is associated with the SID rather than the name. Some changes may still be noticeable; for example, after a username is changed the user's profile folder will still be stored under the old username. If a person leaves the company, it is common practice to disable the account rather than delete it. Disabling the account preserves the SID, the security applied to that user, and any certificates associated with that user. When the user's replacement is hired, the account can simply be enabled and renamed for the new user.

User Authentication Process
When a user logs on to a network, an access token is generated for that user. Inside the access token is the user's SID. When this access token is presented to another system, that system can read the user's SID from the token. If the user is a member of any groups, the SIDs for those groups are also placed inside the access token, so another system can determine the group membership for that user from the token as well. Any change to a user's group membership requires a new token to be created; for this to occur, the user must log off and log back on again.

User Naming Standards
Before you start creating accounts in Active Directory, your company should come up with a standard for these accounts. For user accounts, you could use first initial dot last name. Whichever standard you choose, it should be designed to reduce the number of people that will have the same username. For example, John Doe and Jane Doe will both have the username J.Doe under the first initial dot last name standard. Since Active Directory does not support two or more users having the same username, one of the usernames will need to change. Many administrators add a number to the end of the username to ensure that it is unique in the organization.

User Log On Standards
Active Directory supports two logon standards for accessing the domain. The first dates back to Windows NT and takes the form domain\username. The second looks like an e-mail address, in the form user@domain.

Pre-Windows 2000 Logon Name
When creating a new account in Active Directory, a pre-Windows 2000 logon name is configured that matches the username where possible. You are free to change the pre-Windows 2000 logon name, but in most cases it is best to keep it the same as the username. The pre-Windows 2000 logon name is limited to 20 characters. Very old clients like Windows NT only use the pre-Windows 2000 logon name. Modern non-Microsoft systems should not need the pre-Windows 2000 logon name, but a very old system may require it.

References
"What Are Security Identifiers?" http://technet.microsoft.com/en-us/library/cc786606(WS.10).aspx
"Security Identifier" http://en.wikipedia.org/wiki/Security_Identifier
"Users Can Log On Using User Name or User Principal Name" http://support.microsoft.com/kb/243280
"SAM-Account-Name attribute" http://msdn.microsoft.com/en-us/library/ms679635.aspx
"Active Directory Maximum Limits -- Scalability" http://technet.microsoft.com/en-us/library/cc756101.aspx
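The SID structure and the access token behaviour described above, as an added example that is not code from the video. It parses SID strings into revision, identifier authority and sub-authorities, tells the well-known short SIDs apart from domain account SIDs (domain identifier plus RID), and models an ACL keyed by SID so that renaming an account or changing its groups behaves as the video describes. The well-known SID table, the ACL and the user names are constructed for illustration.

```python
"""Parse and classify Windows SIDs and model the access token described above.

Added example, not code from the ITFreeTraining video. The SID string form assumed is
S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]; a domain account
is the domain SID S-1-5-21-X-Y-Z followed by one more sub-authority, the RID.
"""
from dataclasses import dataclass
import re

# Short SIDs that mean the same thing on every Windows system (only a few, for this example).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    def __str__(self):
        tail = "-".join(str(s) for s in self.sub_authorities)
        return "S-%d-%d-%s" % (self.revision, self.authority, tail)

    @property
    def is_domain_account(self):
        # NT Authority (5), first sub-authority 21, three domain identifier values, then a RID.
        return self.authority == 5 and len(self.sub_authorities) == 5 and self.sub_authorities[0] == 21

    @property
    def domain_sid(self):
        return Sid(self.revision, self.authority, self.sub_authorities[:-1]) if self.is_domain_account else None

    @property
    def rid(self):
        return self.sub_authorities[-1] if self.is_domain_account else None


def parse_sid(text):
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def describe(text):
    """Classify a SID the way the video does: short/well-known, domain account, or other."""
    sid = parse_sid(text)
    if str(sid) in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[str(sid)]
    if sid.is_domain_account:
        return "domain account: domain=%s rid=%d" % (sid.domain_sid, sid.rid)
    return "other"


def build_token(user_sid, group_sids):
    """Model of the access token: the user's SID plus the SID of every group they belong to.
    Everyone (S-1-1-0) is always present. The token is fixed at logon: a later group change
    is not reflected until a new token is built, as the video describes."""
    return frozenset([user_sid, *group_sids, "S-1-1-0"])


def has_access(acl, token, permission):
    """acl maps a SID string to the permissions granted to it. The display name of the user
    never appears here, which is why renaming an account does not change its access."""
    return any(permission in acl.get(sid, ()) for sid in token)


if __name__ == "__main__":
    # Constructed sample: one domain user, one domain group, one resource ACL keyed by SID.
    user = "S-1-5-21-1218951425-845968048-208583963-2209"
    finance = "S-1-5-21-1218951425-845968048-208583963-1105"
    acl = {user: {"Read"}, finance: {"Read", "Write"}}
    names = {user: "J.Doe"}

    token = build_token(user, [])
    print(describe(user), "->", has_access(acl, token, "Write"))    # not in Finance yet
    names[user] = "J.Smith"                                         # rename: token and ACL untouched
    print(has_access(acl, token, "Read"))
    print(has_access(acl, build_token(user, [finance]), "Write"))   # only a fresh token sees the group
```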
This video will look at how to correctly license Hyper-V. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.

Choice of Virtualization 00:13
The first point to understand with virtualization is that the type of virtualization solution you use does not affect the licensing of the virtual machine. Microsoft licenses virtual machines independently of the virtualization solution that is used. For example, the administrator could use Hyper-V or a product from another vendor such as VMware or VirtualBox.

Access the rest of the course: http://ITFreeTraining.com/hyperv#licensing
Download the PDF handout: http://ITFreeTraining.com/handouts/hyperv/licensing.pdf

Licensing Datacenter Edition 00:50
If you purchase the Datacenter edition of Windows Server, the administrator is free to run an unlimited number of virtual machines running Datacenter. If they run a different edition of Windows Server, they will need to purchase additional licenses for those editions. Datacenter has all the features that Windows Server has to offer, so in most cases the administrator should not need to run any other edition of Windows. To get the best value out of Datacenter, a computer with a lot of RAM and CPUs needs to be purchased, which means Datacenter is generally an expensive option.

Licensing Standard Edition 01:50
When you purchase Windows Server Standard edition, you have the right to run 2 virtual machines running Windows Server. You are free to run any virtualization solution that you wish. If you choose to run the Hyper-V virtualization solution, you are limited to using the physical server only to run the virtualization solution. This essentially means that you can only install the Hyper-V role on the server; you are not able to install any additional roles or use the server for any other tasks, such as file sharing.

Licensing Essentials/MultiPoint Edition 02:48
If you are running the Windows Server Essentials or MultiPoint editions, the license gives you a choice of two options: you are able to install it on a physical machine or in a virtual machine. You are not able to install it on a physical machine, install the Hyper-V role and then run a virtual machine as well. It is one or the other.

Windows Server 2012 R2 Hyper-V 03:20
This edition is a free edition from Microsoft. It is essentially Windows Server with only the Hyper-V role and basic administration functionality. It runs the core interface, so it uses fewer resources than the full interface. Additional CPU, memory and disk space are also saved because the edition has only the Hyper-V role and therefore less software. This also makes it more secure, as there is less of a footprint that an attacker could potentially use. The administrator is able to join the server to the domain and manage it like any other server. However, if the administrator later finds that they need more functionality, they are not able to upgrade the install to Windows Server; they will instead need to perform a reinstall.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Installing and Configuring Windows Server 2012 Exam Ref 70-410" pg 136
"Hardware-assisted virtualization" http://en.wikipedia.org/wiki/Hardware-assisted_virtualization
"Windows Server 2012 Products and Editions Comparison" http://www.microsoft.com/en-au/download/details.aspx?id=38809
"Volume Licensing reference guide" http://download.microsoft.com/download/E/6/4/E64F72BF-55E9-4D85-9EFE-39605D7CE272/WindowsServer2012R2_Licensing_Guide.pdf
"Hyper-V Server 2012 R2" http://technet.microsoft.com/en-us/evalcenter/dn205299.aspx
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video will look at the DNS zones that are available in DNS. Once you have finished watching this video you will understand zones, what zone files are available, and how you can use the different zones.

Download Handout http://itfreetraining.com/handouts/dns/dnszones.pdf

What is a DNS zone?
A zone file contains the data for a portion of the DNS name space. For this reason, zones allow different administrators to have control over their part of the DNS name space. The type of zone file that you create determines what types of DNS records can be stored in that zone and whether the data in that zone can be modified.

In this video
This video will look at the following zone types: primary zone, secondary zone, Active Directory integrated zone, stub zone and reverse lookup zone. The needs of the administrator determine which zone file is used. Different zone files are used in different scenarios, and the administrator needs to decide the correct zone file for each scenario.

Primary zone
For any domain name, there needs to be at least one primary zone. If the primary zone is stored in a text file, rather than a database like Active Directory, then the server holding the primary zone text file is the only location where changes can be made to the zone data. If another zone file is asked to make changes to the zone, these changes will be forwarded to a DNS server that is holding a primary zone. This does mean that if the DNS server holding the primary zone is not available, changes cannot be made.

Active Directory Integrated Zone
An Active Directory Integrated Zone is essentially a primary zone that has been moved from a text file stored on the computer into the Active Directory database. The advantage of this is that any Domain Controller that has the DNS role installed can access the Active Directory Integrated zone. Changes can also be made on any Domain Controller running DNS, unlike text based primary zones, which are limited to one server. Having the data stored in Active Directory means that the zone uses the same replication system that replicates objects in Active Directory, which is quite efficient. Active Directory Integrated Zones also allow clients to use secure updates. Secure updates use the secure channel created when a computer is added to the domain, and thus the computer must be a domain member. If you use a primary zone stored in a text file and enable dynamic updates, you are also allowing non-secure updates.

Secondary Zones
A secondary zone file is a read-only copy of another zone. The copy can be of any other zone stored on any other DNS server. For example, the zone file could be stored on Windows or a UNIX based system and copied from a primary or secondary zone. If you copy the data from a secondary zone, this is essentially a copy of a copy, so you may have delays waiting for the zone data to be copied from one server to the next. Since the zone file is read only, changes cannot be made to it, so these changes are passed on to a server holding a primary zone.

Stub Zone
A Stub Zone contains only the NS (Name Server) records from a zone. These NS records list the DNS servers that are considered to be authoritative for that zone; in other words, the DNS servers that are considered to give the best answers for that zone. Since stub zones update the NS records, any changes to the NS records are picked up automatically. If you instead use forwarding or conditional forwarding, the DNS server would not be aware of such changes.

The rest of the description is available at http://itfreetraining.com/dns/dns-zones

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 455-456
"Reverse lookup" http://technet.microsoft.com/en-us/library/cc784493(v=ws.10).aspx
"Reverse DNS lookup" http://en.wikipedia.org/wiki/Reverse_DNS_lookup
AGDLP is a role-based strategy designed to provide flexible resource management using groups. This video looks at how you can effectively use AGDLP in your company to manage permissions to your resources. Since AGDLP is designed for larger networks, it is generally used in networks that have more than 500 users. AGDLP can be used in multiple domain environments but is generally used in a single domain environment.

Advantages of AGDLP
Since AGDLP is a role-based strategy for applying permissions, as a user changes their role in an organization it is easy to change the permissions associated with that user by making them a member of the appropriate groups. Since users are put into groups at the role level, the administrator does not require knowledge of how the permissions were applied to the resource. Lastly, by looking at the users in the groups, you can quickly determine who has access to which resources in your domain.

AGDLP
AGDLP stands for the following: A for Accounts, G for Global Group, DL for Domain Local Group, P for Permissions. The basic way to use AGDLP is as follows: Accounts go into Global Groups; Global Groups go into Domain Local Groups; Domain Local Groups are then applied to Permissions.

The advantage of using each group type is as follows. Global Groups only allow users from the same domain to be members. This means that when using multiple domains, you can be assured that only users, computers and other Global Groups from that domain are members, which lets you keep administration divided up between domains. If you do not use Global Groups, you could never be sure that an administrator from a domain is only adding users from that domain. Domain Local Groups can only be used in the domain that the group was created in. This helps with auditing: if the group could be used in other domains, you could never be sure whether the group had been applied to resources outside your domain.

AGDLP can be used in a single forest, single domain environment and also in a multi domain environment. It provides a framework, but the administrator is free to decide how best to implement a group strategy given their business environment.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"AGDLP" http://en.wikipedia.org/wiki/AGDLP
"Selecting a Resource Authorization Method" http://technet.microsoft.com/en-us/library/f29946d4-007c-475e-9ff0-5e144afbbbfb
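The AGDLP chain described above, as an added example that is not code from the video. The model enforces the two scope rules the video relies on (a Global group only accepts members from its own domain; a Domain Local group is only applied to resources in its own domain), answers the audit question "who has access to this resource" by walking the groups, and shows a role change that touches no ACL. All domain, group, user and resource names are constructed.

```python
"""AGDLP model: Accounts -> Global groups -> Domain Local groups -> Permissions.

Added example, not code from the ITFreeTraining video. Names are constructed.
"""


class AgdlpError(ValueError):
    """Raised when an operation would break the AGDLP scope rules."""


class Directory:
    def __init__(self):
        self.accounts = {}       # account name -> domain
        self.global_groups = {}  # name -> {"domain", "members": accounts or global groups}
        self.local_groups = {}   # name -> {"domain", "members": global groups}
        self.resources = {}      # resource -> {domain local group -> set of permissions}

    # A and G: accounts (or nested global groups) into global groups, same domain only.
    def add_account(self, name, domain):
        self.accounts[name] = domain

    def add_global_group(self, name, domain):
        self.global_groups[name] = {"domain": domain, "members": set()}

    def add_to_global(self, group, member):
        g = self.global_groups[group]
        member_domain = self.accounts.get(member)
        if member_domain is None and member in self.global_groups:
            member_domain = self.global_groups[member]["domain"]
        if member_domain is None:
            raise AgdlpError("%s is neither an account nor a global group" % member)
        if member_domain != g["domain"]:
            raise AgdlpError("global group %s is in %s; %s belongs to %s"
                             % (group, g["domain"], member, member_domain))
        g["members"].add(member)

    # DL: only global groups go into domain local groups.
    def add_domain_local_group(self, name, domain):
        self.local_groups[name] = {"domain": domain, "members": set()}

    def add_to_domain_local(self, group, global_group):
        if global_group not in self.global_groups:
            raise AgdlpError("only global groups go into domain local groups: %s" % global_group)
        self.local_groups[group]["members"].add(global_group)

    # P: a domain local group is applied only to resources in its own domain.
    def grant(self, resource, resource_domain, local_group, permission):
        lg = self.local_groups[local_group]
        if lg["domain"] != resource_domain:
            raise AgdlpError("domain local group %s is usable only in %s, not on %s in %s"
                             % (local_group, lg["domain"], resource, resource_domain))
        self.resources.setdefault(resource, {}).setdefault(local_group, set()).add(permission)

    def change_role(self, account, old_group, new_group):
        """A role change touches the global groups only; no resource ACL is edited."""
        self.global_groups[old_group]["members"].discard(account)
        self.add_to_global(new_group, account)

    def _expand_global(self, group, seen=None):
        seen = set() if seen is None else seen
        if group in seen:                      # guards against nesting loops
            return set()
        seen.add(group)
        accounts = set()
        for m in self.global_groups[group]["members"]:
            if m in self.accounts:
                accounts.add(m)
            else:
                accounts |= self._expand_global(m, seen)
        return accounts

    def who_has_access(self, resource):
        """Audit: which accounts reach this resource, with what permissions, read from the groups."""
        result = {}
        for lg, perms in self.resources.get(resource, {}).items():
            for gg in self.local_groups[lg]["members"]:
                for acct in self._expand_global(gg):
                    result.setdefault(acct, set()).update(perms)
        return result


def build_sample():
    d = Directory()
    d.add_account("CORP\\alice", "CORP")
    d.add_account("CORP\\bob", "CORP")
    d.add_account("EU\\carol", "EU")                      # a user from a second domain
    d.add_global_group("CORP\\GG-Accounting", "CORP")
    d.add_global_group("CORP\\GG-HR", "CORP")
    d.add_domain_local_group("CORP\\DL-Finance-Modify", "CORP")
    d.add_domain_local_group("EU\\DL-EU-Share-Read", "EU")
    d.add_to_global("CORP\\GG-Accounting", "CORP\\alice")
    d.add_to_global("CORP\\GG-HR", "CORP\\bob")
    d.add_to_domain_local("CORP\\DL-Finance-Modify", "CORP\\GG-Accounting")
    d.grant("\\\\fs1\\finance", "CORP", "CORP\\DL-Finance-Modify", "Modify")
    return d


if __name__ == "__main__":
    d = build_sample()
    print(d.who_has_access("\\\\fs1\\finance"))           # alice has Modify
    d.change_role("CORP\\alice", "CORP\\GG-Accounting", "CORP\\GG-HR")
    print(d.who_has_access("\\\\fs1\\finance"))           # nobody, ACL untouched
```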
Restricted Groups allows the administrator to configure local groups on client computers. For example, you could add a helpdesk support group to all of your client computers. This video looks at how to configure local groups on your client computers using Group Policy rather than visiting each computer to make the changes.

Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gprestrictedgroups.pdf

A Common Problem
Many companies want to give technicians administrator access to the clients they are supporting. The easiest way to do this is to add the technicians to the Domain Admins group; however, this would give the technicians more access than they require. The best way to grant the technicians access to the client computers is to add their group to the local Administrators group on each client computer. This way the technicians have only the access they require. This can be achieved manually or using scripts; however, in a large environment you will want to use Group Policy to manage local groups, as once it is set up, new computers are configured automatically.

Demonstration
To configure Restricted Groups, go to the following setting, right click it and select Add Group: Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. There are two different procedures depending on whether you want to reset the whole local group membership or add users or groups to what is already configured in the group.

Resetting local group members
Right click on Restricted Groups and select the option Add Group. In this case, enter the local group that you want to reset, for example Administrators. In the next dialog, the top section is titled "Members of this group". Add whichever groups or users you want to be members of the group. If you are resetting a group like the Administrators group, it may already have members such as Domain Admins; make sure you add these groups back in if you want to keep them. Note: the local Administrator account will always be present; you cannot remove it.

Adding to a local group
Right click on Restricted Groups and select the option Add Group. When asked for a group, enter the group that you want to add to the local group, for example ITFreeTraining\Helpdesk Administrators. In the next dialog, add the local group to the bottom section titled "This group is a member of". For example, to change the local Administrators group, add Administrators in the bottom section.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 319-324
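The two Restricted Groups procedures above differ in a way that matters when the Administrators group is the target, so here is an added example (not code from the video) that models both: "Members of this group" replaces the membership on every refresh, "This group is a member of" only adds. It also includes the pre-deployment check a practitioner would want, a diff of what a refresh would remove, and keeps the built-in Administrator account in place as the video's note says. Group and domain names are constructed.

```python
"""Model of the two Restricted Groups procedures described above.

Added example, not code from the ITFreeTraining video. "Members of this group" replaces the
local group's membership with the configured list on every policy refresh; "This group is a
member of" only adds the policy group and leaves existing members alone. The built-in
Administrator account stays in Administrators because it cannot be removed. Names are constructed.
"""
import copy

BUILTIN_ADMIN = "Administrator"


def apply_members_of(local_groups, local_group, configured_members):
    """'Members of this group': the configured list becomes the entire membership.
    Anything not listed (Domain Admins, a technician added by hand) is dropped."""
    new_members = set(configured_members)
    if local_group == "Administrators":
        new_members.add(BUILTIN_ADMIN)      # always present, per the video's note
    result = copy.deepcopy(local_groups)
    result[local_group] = new_members
    return result


def apply_member_of(local_groups, policy_group, target_local_groups):
    """'This group is a member of': policy_group is added to each listed local group;
    existing members are preserved."""
    result = copy.deepcopy(local_groups)
    for target in target_local_groups:
        result.setdefault(target, set()).add(policy_group)
    return result


def membership_diff(before, after):
    """What a policy refresh would add and remove, per local group. Run this before
    deploying a 'Members of this group' setting to see what you are about to lose."""
    changes = {}
    for group in set(before) | set(after):
        old, new = before.get(group, set()), after.get(group, set())
        if old != new:
            changes[group] = {"added": new - old, "removed": old - new}
    return changes


def client_after_refreshes(initial, policy, refreshes=2, manual_change=None):
    """Simulate several Group Policy refreshes of one policy. manual_change is an optional
    (local_group, member) pair added by hand after the first refresh, to show that
    'Members of this group' reverts it while 'This group is a member of' keeps it."""
    state = copy.deepcopy(initial)
    for i in range(refreshes):
        state = policy(state)
        if manual_change and i == 0:
            group, member = manual_change
            state.setdefault(group, set()).add(member)
    return state


if __name__ == "__main__":
    # Constructed client: what a freshly joined workstation typically has.
    client = {"Administrators": {BUILTIN_ADMIN, "CORP\\Domain Admins"},
              "Users": {"CORP\\Domain Users"}}
    reset = lambda s: apply_members_of(s, "Administrators", ["CORP\\Helpdesk Administrators"])
    additive = lambda s: apply_member_of(s, "CORP\\Helpdesk Administrators", ["Administrators"])
    print(membership_diff(client, reset(client)))     # Domain Admins removed unless re-added
    print(membership_diff(client, additive(client)))  # only Helpdesk Administrators added
```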
This course goes through DNS, or Domain Name System. This video provides an introduction to DNS; however, the videos in this course are dynamic in nature. As DNS changes, videos are added or removed as required to make sure that you always have the most up to date information. For all the DNS videos see the following link: http://itfreetraining.com/dns

Download the PDF handout http://ITFreeTraining.com/handouts/dns/what-is-dns.pdf

What Is DNS
DNS is a system that primarily maps a name to an IP address. Although it can be used to do the reverse, it is primarily given a name and asked what the IP address is for that name. This is the same principle that is used for a phone book: given a name, a person is able to look up the phone number for that person.

Hosts File
Before DNS, a hosts file was created on the local computer that contained a list of computer names and their IP addresses. The problem with this approach is that all computers needed to have a copy of the same hosts file. With a few computers this was not too difficult; however, as networks got bigger so did the hosts file, making it harder to keep up to date because of the size of the file and the number of computers it had to be copied to. Nowadays, DNS is the preferred way to look up computers on the internet; however, the hosts file is still present on modern computers. Whenever possible you should use DNS rather than the hosts file, but in some rare situations it may be necessary to use the hosts file.

DNS (Domain Name System)
DNS was first developed in 1983 to address the shortfalls of the hosts file. It is a distributed database based on a hierarchical design. This hierarchical design makes it possible to have two computers on the internet with the same name, for example ws1.example.com and ws1.ITFreeTraining.com. The computers have the same hostname, ws1, but the rest of the name is different. The full DNS address, like ws1.example.com, is referred to as the fully qualified domain name. Since the fully qualified domain names are different, two computers with the same host name can exist on the same network.

DNS Namespace
The DNS namespace can be divided up into different parts. Each part can be stored on different DNS servers, which makes DNS a distributed system. This allows control of DNS to be divided up and distributed across the world. A DNS server does not need to hold all the data for a fully qualified domain name. For example, a DNS server may only hold data for the .com, .edu, .au etc. part of the domain space. Other DNS servers may hold additional parts of the fully qualified domain name, for example Microsoft, ITFreeTraining and Amazon. By these DNS servers working together, a fully qualified domain name can be resolved. This will be covered in more detail in later videos, along with other features of DNS. For the rest of the DNS videos please visit http://ITFreeTraining.com/dns

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
None
The DNS settings looked at in this video determine how long DNS records remain on the DNS server or in the DNS cache. Check out http://itfreetraining.com for more of our always free training videos. DNS supports automatic removal of DNS records from the database if the appropriate options have been configured. This video looks at how to configure those options and the effects this can have on your network if the settings are not managed correctly.

Download the PDF handout http://ITFreeTraining.com/handouts/dns/aging.pdf

Time To Live (TTL)
Each DNS record has a time to live (TTL) setting. This value is configured by the DNS administrator. When a DNS record is stored in a DNS cache, it can only be used for the time period stated in the time to live setting. When this expires, the DNS record must be obtained again. In the case of a workstation, this means the workstation contacting a DNS server to obtain the DNS record again. In the case of a DNS server, the DNS server must obtain the DNS record again from another DNS server or from the authoritative DNS server for that DNS domain. This gives the administrator control over how long changes to a DNS record take to have an effect on the network. The lower the time to live setting, the less time changes to the DNS record take to take effect on the network, because the DNS record is discarded from the cache sooner and the DNS server is forced to query for a new copy of the record. A lower setting does result in more DNS queries being sent to the authoritative DNS server, which puts more load on that server. A higher time to live setting means fewer queries to the authoritative DNS server, but it also means that changes to the DNS records take longer to take effect on the network.

DNS Record Aging
Each DNS record has a timestamp which indicates when the DNS record was created or last updated. Dynamic updates allow a client to create its own DNS records on a DNS server. If dynamic updates are enabled, the client is able to update this timestamp. The DNS server, if configured, has the ability to go through and remove DNS records that have not been updated for a set time period. This has to be configured on the DNS server and is not configured by default. When a client starts up and dynamic updates are enabled on the DNS server, the client can request that the timestamp be updated. The settings on the DNS server determine when and whether the DNS client can update the DNS record.

Timestamp Updating
On a typical network, each time a client that supports dynamic updates starts up, it will attempt to register its DNS records with the DNS server. In most cases, even when using DHCP, the client will have the same IP address and computer name each day when it starts up. This is because DHCP has a lease time, and these lease times are generally configured to span several days. For this reason, typically the only change to the DNS record when the client attempts to update it is the timestamp. If there are a lot of clients on the network, this means there are a lot of DNS record changes where only the timestamp has changed. All these changes need to be replicated to the DNS server that is holding that zone file which, in a large company, can result in a lot of network traffic.

Description too long for YouTube. Please see the following link for the rest of the description: http://itfreetraining.com/dns#aging

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 482
"Time to live" http://en.wikipedia.org/wiki/Time_to_live
"Understanding aging and scavenging" http://technet.microsoft.com/en-us/library/cc759204(WS.10).aspx
"Set Aging and Scavenging Properties for the DNS Server" http://technet.microsoft.com/en-us/library/cc753217.aspx
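The two timers described above (the TTL that bounds cache reuse, and the record timestamp that aging and scavenging work from), as an added example that is not code from the video. It measures how many queries reach the authoritative server for a low versus a high TTL, shows a changed record staying invisible until the cached copy expires, and shows a record that a client keeps refreshing surviving a scavenging pass while an unrefreshed one is removed. The scavenging period is simplified to a single "not refreshed for N seconds" value; names, addresses and times are constructed.

```python
"""Simulation of the TTL and of record aging/scavenging described above.

Added example, not code from the ITFreeTraining video. Times are integer seconds from an
arbitrary epoch; names and addresses are constructed. Scavenging is simplified to one
"not refreshed for scavenge_after seconds" rule rather than the server's full interval pair.
"""

DAY = 86400


class AuthoritativeServer:
    """Holds the zone. Counts lookups so the TTL/load trade-off can be measured."""

    def __init__(self, scavenge_after):
        self.records = {}           # name -> {"ip", "ttl", "timestamp"}
        self.lookups = 0
        self.scavenge_after = scavenge_after

    def dynamic_update(self, name, ip, ttl, now):
        """A client registering its own record. When only the timestamp moves, it is
        still a record change that has to replicate, which is the video's point."""
        rec = self.records.get(name)
        if rec and rec["ip"] == ip and rec["ttl"] == ttl:
            rec["timestamp"] = now
            return "timestamp-only"
        self.records[name] = {"ip": ip, "ttl": ttl, "timestamp": now}
        return "created" if rec is None else "changed"

    def lookup(self, name):
        self.lookups += 1
        rec = self.records.get(name)
        return None if rec is None else (rec["ip"], rec["ttl"])

    def scavenge(self, now):
        """Remove records whose timestamp is older than the configured period."""
        stale = [n for n, r in self.records.items() if now - r["timestamp"] > self.scavenge_after]
        for n in stale:
            del self.records[n]
        return sorted(stale)


class CachingResolver:
    """A DNS server or workstation cache: an answer is reused only until its TTL expires."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}             # name -> (ip, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]           # within TTL: a change upstream is not visible yet
        answer = self.upstream.lookup(name)
        if answer is None:
            self.cache.pop(name, None)
            return None
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)
        return ip


def upstream_queries(ttl, period, interval):
    """How many times a resolver asked every `interval` seconds for `period` seconds
    has to go back to the authoritative server for a record with this TTL."""
    auth = AuthoritativeServer(scavenge_after=7 * DAY)
    auth.dynamic_update("ws1.example.com", "10.0.0.1", ttl, now=0)
    resolver = CachingResolver(auth)
    for t in range(0, period, interval):
        resolver.resolve("ws1.example.com", t)
    return auth.lookups


if __name__ == "__main__":
    print(upstream_queries(ttl=60, period=3600, interval=10))    # low TTL: many upstream queries
    print(upstream_queries(ttl=600, period=3600, interval=10))   # high TTL: few

    auth = AuthoritativeServer(scavenge_after=7 * DAY)
    auth.dynamic_update("ws1.example.com", "10.0.0.1", 3600, now=0)
    auth.dynamic_update("ws2.example.com", "10.0.0.2", 3600, now=0)
    for day in range(1, 11):                                     # ws1 refreshes daily, ws2 never
        auth.dynamic_update("ws1.example.com", "10.0.0.1", 3600, now=day * DAY)
    print(auth.scavenge(now=10 * DAY))                           # only ws2 is scavenged
```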
This video will look at the features and functionality available in the 4 editions of Windows Server 2012. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. The video covers the basic features and licenses for each edition of Windows Server 2012 so that you can make the correct decision about which Windows Server 2012 edition to purchase.

Download the PDF handout http://itfreetraining.com/handouts/se...

Windows 2012 Editions
Windows Server 2012 comes in 4 editions, reduced from 7 in Windows Server 2008. These are Foundation, Essentials, Standard and Datacenter. If you compare these to the Windows Server 2008 editions, there is a direct equivalent from Foundation to Foundation and Datacenter to Datacenter. Feature wise, the Windows Server 2012 Essentials edition is most equivalent to the Standard and Web editions of Windows Server 2008. The Standard edition is equivalent to the Enterprise edition of Windows Server 2008. Itanium and 32-bit support has been dropped in Windows Server 2012; there is no longer a separate Itanium edition or 32-bit editions. The HPC (High Performance Computing) Server edition has also been dropped, but this can be downloaded and installed as a free optional extra for the Standard and Datacenter editions.

One of the major differences between Windows Server 2008 and Windows Server 2012 is that you can switch between the full GUI interface and the core interface. Previously, in Windows Server 2008, the only way to achieve this was to reinstall the operating system. This means you can essentially set up the operating system using the full GUI interface, which is a lot easier than using the command line, and remove the full GUI interface when you have finished configuring the server. If you were using the core interface, you could also add the full GUI interface later on if you realized that you need additional features, for example Remote Desktop Services.

Foundation
The Foundation edition is the cheapest of the Windows Server 2012 editions and thus has the fewest features. It is targeted toward small businesses and thus includes basic file and printing services. The install is limited to 15 users and, unlike the other editions of Windows Server, it defaults to a simple dashboard rather than Server Manager. The dashboard is a set of quick links to commonly used configuration options. The last difference is that the install requires a physical computer with a network card present. You cannot install the Foundation edition in a virtual machine or on a computer that does not have a working network card and a device driver available for that network card during the install.

Essentials
The Essentials edition is the same feature wise as the Foundation edition. The main difference between the two is that Essentials supports 25 users rather than 15. It can also be installed in a virtual machine and defaults to Server Manager rather than the dashboard found in the Foundation edition.

Standard/Datacenter
The Standard and Datacenter editions of Windows Server 2012 contain all the features of Windows Server. The two differences between the 2 editions are that the Standard edition supports 2 virtual instances while the Datacenter edition supports any number of virtual instances, and that Datacenter is not available via retail channels. In this case, a virtual instance means that you can run an additional virtual copy of Windows Server 2012 at no extra cost. For example, you could run 2 virtual Windows Server 2012 Standard instances with a single Windows Server 2012 Standard license. When both virtual instances are in use, the physical install of Windows Server 2012 Standard can only be used to manage the server. This is covered in more detail in the Windows Server 2012 licensing video.

The biggest change between the Standard/Datacenter and Foundation/Essentials editions is the way users are licensed. The Standard/Datacenter editions do not allow users to use the server unless additional licenses called CALs (Client Access Licenses) are purchased. CALs are covered in more detail in a later video.

Description too long for YouTube. Please see the following link for the rest of the description: http://itfreetraining.com/2012/2012ed...

References
"Installing and Configuring Windows Server 2012 Exam Ref 70-410" pg 1-6
The NSLookup tool is a great tool for troubleshooting DNS problems. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video looks at how to use NSLookup in Windows; however, it is also available in Linux. NSLookup allows you to control which DNS servers you contact and which DNS records are resolved, giving you a real world picture of what is happening with DNS on your network.

Download the PDF handout http://ITFreeTraining.com/handouts/dns/nslookup.pdf

Demonstration
1. To open NSLookup, open a command prompt from the start menu.
2. To look at the name server records for a particular website, enter NSLookup followed by the web address. For example, NSLookup google.com
3. If the response contains the line "Non-authoritative answer:", the result has been obtained from a DNS server that has either cached the result or holds a non-authoritative copy, rather than from a DNS server that is considered authoritative.

NSLookup Non-authoritative answer
When querying a DNS server, the DNS server will first attempt to resolve the request from its cache. If it is not able to do this, it will attempt to resolve the query itself. If the DNS server is configured for forwarding, the query will be forwarded to another DNS server, for example the ISP's DNS server, and that DNS server will then answer the query from its cache or attempt to resolve it itself. In any DNS zone, there will be DNS records that state which DNS servers are considered to hold authoritative DNS records for that zone. These can be primary or secondary zones. The point to remember is that the administrator for that DNS zone has made a decision that these DNS servers should be considered authoritative, that is, to contain up-to-date DNS records. For example, a company, if it had permission to do so, could create a secondary zone from another DNS zone. However, it would be up to the company to make sure this secondary zone was kept up to date. If the company was a 3rd party, there is no guarantee that this would occur. For this reason, an administrator should not make a DNS server like this an authoritative DNS server. When NSLookup returns a DNS record, it will indicate a non-authoritative result with the text "Non-authoritative answer". The important point to remember is that even when forwarding is used you can still get an authoritative answer, if the DNS server had to contact an authoritative DNS server in order to obtain the answer. The result shown by NSLookup is based on where the answer came from, not on which DNS servers were used in the process.

Demonstration NSLookup Interactive
If you run NSLookup without any parameters, this will launch NSLookup in interactive mode. This mode allows you to run multiple commands one after the other.
1. If you enter a domain name by itself, this will show all the name server records for that domain, for example ITFreeTraining. This is essentially a list of DNS servers that are considered to hold authoritative data for that DNS zone.
2. To list the DNS records for a DNS name, run the command "ls" followed by the DNS name. For example, ls ITFreeTraining.local
3. Most DNS servers will be configured not to allow a list of the DNS records held on that server to be displayed. When you attempt to list the DNS records, you may get an answer back saying query refused.
4. On Microsoft DNS Server, to configure the DNS server to allow DNS records to be listed, run DNS Manager from Administrative Tools or under Tools in Server Manager. To configure the zone transfer properties, right click on the zone and select Properties.
5. To allow DNS records to be listed using ls in NSLookup, zone transfers need to be enabled for the computer that is asking for that information. This is done on the "Zone Transfers" tab. Once the tick box "Allow zone transfers" is ticked, the administrator is able to select which DNS servers zone transfers will be allowed to, or they can choose the option "To any server". If they select the option "Only to servers listed on the Name Servers tab", this will only allow zone transfers to servers that are listed on the "Name Servers" tab.
6. The ls command also supports a number of switches. The -a switch shows only canonical names and aliases. The -d switch lists all DNS records. The "-t TYPE" switch lets you specify the type of DNS record that you want to list. Valid types are A, CNAME, MX, NS and PTR.

Description too long for YouTube. Please see the following link for the rest of the description: http://itfreetraining.com/dns#nslookup

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Using NSlookup.exe" http://support.microsoft.com/kb/200525
Views: 49320 itfreetraining
This video from ITFreeTraining will look at claims that are used with Federation Services. Check out http://itfreetraining.com for more of our always free training videos. By the end of the video you will understand what claims are and what protocols are used with claims.
Download the PDF handout http://ITFreeTraining.com/handouts/federation/claims.pdf

Claims
A claim is essentially a statement made by one party about another party. It is provided by an Identity Provider. Services like Facebook are able to create a claim about a user which holds some information about the user. For example, the user can then use their Facebook login to access other sites.
Let's consider the example of a shopping center that allows free parking for people who have travelled a long distance to shop there. In order to get their free parking, all they need to do is show their driver's license, which has their address on it. The identity provider in this case would be the institution that issues driver's licenses. The user would be the person wanting free parking. The service would be the shopping center, which has made the decision to allow free parking for people from outside the area.

Security Token
Claims are generally packaged inside a security token. This allows the details of the claim to be checked to ensure they have not been changed. When working with Federation Services you may hear the terms security token and claim used interchangeably. Essentially they are referring to the claim, which may be packaged in a security token.

Fictional Example
In this example, a person is given a voucher to a cinema in order to obtain a movie ticket. The movie ticket can then be used to enter the cinema to see a movie. Federation Services often work in a similarly simple way.

Token Example
In some cases you will hear wording to the effect that a server consumes claims. When Federation Services are set up like this, the following generally happens. The Federation Server will issue a claim to the user. The user will then give this claim to another Federation Server. Once this Federation Server is able to verify that the claim is valid, it will destroy the claim and create a new claim. The new claim is free to change the information in the old claim and add to it. For example, it may add which servers the user is allowed to access. This kind of information is subject to change and thus the original server creating the claim does not know this information when the first claim is created.

Protocols
There are a lot of different protocols that make Federation Services work. Federation Services are also very customizable, so even though there are some key protocols that make the system work, how they are configured will determine which protocols are used. For example, there are a number of different protocols that can be used to create a security token.

WS-Trust
In order for Federation Services to exchange information with other Federation Services there needs to be a common protocol between the systems. The WS-Trust protocol is designed to allow Federation Services to communicate with each other and exchange information like security tokens. There are a number of different versions of the protocol, so it is a matter of making sure that both sides are using the same version.

SAML (Security Assertion Markup Language)
SAML is one of the protocols that can be used to create security tokens. It is an open standard for authentication but can also be used to create tokens. Once the token is created, it is transported to the other server using WS-Trust. It is possible to use other protocols; however, this one is the most common. What the server will and will not accept is referred to as an endpoint.

Description too long for YouTube. Please see the following link for the rest of the description: http://itfreetraining.com/federation#claims
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
References
"Web Services Description Language" http://en.wikipedia.org/wiki/Web_Services_Description_Language
"WS-Trust and WS-Federation"
"WS-Trust" http://en.wikipedia.org/wiki/WS-Trust
Views: 22620 itfreetraining
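As an added illustration of the claims description above (not code from ITFreeTraining or from AD FS), the following Python models the consume-and-reissue flow: an identity provider signs claims into a token, the federation server verifies it, discards it and issues its own token with an added allowed_servers claim. The HMAC-signed JSON token, the party names and the keys are constructed stand-ins for a SAML token carried over WS-Trust.

```python
"""Simplified claim / security token flow (constructed example).

The token format here (base64 JSON payload + HMAC) is a stand-in for a real
SAML token; party names and keys are made up for the demonstration.
"""
import base64
import hashlib
import hmac
import json

# Constructed keys; each party signs with its own key.
IDP_KEY = b"idp-signing-key-constructed"
FEDERATION_KEY = b"federation-server-key-constructed"

# Constructed mapping from a group claim to the servers that group may use.
SERVER_ACCESS = {"sales": ["crm.example.local"], "staff": ["mail.example.local"]}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, audience, claims, key, now, lifetime=300):
    """Package claims into a signed token: <base64 payload>.<base64 HMAC>."""
    payload = {"iss": issuer, "aud": audience, "iat": now,
               "exp": now + lifetime, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, key, issuer, audience, now):
    """Return the payload if signature, issuer, audience and expiry all check out."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch: claims altered or signed by an untrusted party")
    payload = json.loads(_unb64(body))
    if payload["iss"] != issuer:
        raise ValueError("token issued by %s, expected %s" % (payload["iss"], issuer))
    if payload["aud"] != audience:
        raise ValueError("token was not issued for this server")
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def is_valid(token, key, issuer, audience, now):
    """Boolean wrapper around verify_token for checks."""
    try:
        verify_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False


def consume_and_reissue(token, now):
    """Federation server step: verify the IdP token, drop it, issue a new one
    that carries the original claims plus the servers the user may access."""
    payload = verify_token(token, IDP_KEY, "idp.example", "fs.example", now)
    claims = dict(payload["claims"])        # copy; the incoming token is discarded
    claims["allowed_servers"] = SERVER_ACCESS.get(claims.get("group"), [])
    return issue_token("fs.example", "app.example", claims, FEDERATION_KEY, now)


def altered_token(token, new_group):
    """Change a claim without re-signing; verification must reject the result."""
    body, _, sig = token.partition(".")
    payload = json.loads(_unb64(body))
    payload["claims"]["group"] = new_group
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig


def demo():
    """Full round trip: IdP token -> federation server -> token for the application."""
    now = 1_700_000_000
    first = issue_token("idp.example", "fs.example",
                        {"user": "alice", "group": "sales"}, IDP_KEY, now)
    second = consume_and_reissue(first, now + 5)
    return verify_token(second, FEDERATION_KEY, "fs.example", "app.example", now + 10)
```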
This video looks at the different group types available in Active Directory. These include Local, Domain Local, Global, and Universal. The video also covers the membership requirements for each of the different groups and converting between different groups. Finally, this video looks at distribution vs security groups.
Demonstration 14:35

Distribution Group
Any group in Active Directory can be created as either a distribution group or a security group. Distribution groups do not have a SID (Security Identifier) associated with them. For this reason distribution groups can't be used for security. That is, a distribution group cannot be used to assign permissions to files or objects. Distribution groups are mainly used with e-mail programs like Exchange to send e-mails to groups of people. Since there is no SID associated with the group, making a user a member of a distribution group does not affect the size of the security token for that user. A security token is created when the user logs in and contains their SID and the SIDs of any security groups of which they are a member.

Security Group
A security group has a SID and thus can be used for assigning permissions to files or objects. A security group can also be used as a distribution group in e-mail software like Exchange. Thus, the difference between a security group and a distribution group is simply that a security group is security enabled whereas a distribution group is not. If you are not sure which group to create, create a security group, since it can do everything a distribution group can do and can also be used in security-related operations.

Local Group
Local groups exist only on the computer on which they were created. A local group can have as a member any user or computer account as well as any other type of valid group.

Domain Local Group
Domain Local groups can only be used in the domain in which they were created. A Domain Local group allows membership from any other group as well as any user or computer. Domain Local groups from other domains cannot be used as members because they are limited in their use outside of the domain in which they were created. Universal groups can only be used as members when the Universal group exists in the same forest as the Domain Local group.

Global Group
Global groups have the most restrictive membership requirements, only allowing users, computers, and other Global groups from the same domain to be used as members. However, Global groups can be used as members of any other group, including in other forests and external domains. This means a Global group has the most restrictive membership requirements of all the groups but is the most flexible when used as a member of other groups.

Universal Group
The Universal group is replicated via the global catalog server. For this reason, it is available to any domain in the forest but not to other forests or external domains. Since the Universal group is available forest wide, it does not allow Domain Local groups to be members, even when the Universal group has been created in the same domain as the Domain Local group.

Summary of Groups' Membership
1) Users and computers can go into any group in any domain, and in any forest or external domain if the group supports it.
2) Local and Domain Local groups have the same membership requirements.
3) Universal, Domain Local and Local groups have the least strict membership requirements, allowing any valid group with an appropriate scope to be a member.
4) Global groups can contain only users, computers and other Global groups from the same domain.
5) Global groups can be used everywhere: any domain, forest or external domain.
6) Universal groups are available only in the same forest since they are replicated using the global catalog. Since they are forest wide, Domain Local groups can't be members, because the Domain Local scope is limited to the domain in which they were created.

Description too long for YouTube. Please see the following link for the rest of the description: http://itfreetraining.com/70-640/group-types
References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory" pg 145-152
"Active Directory Users, Computers, and Groups" http://technet.microsoft.com/en-us/library/bb727067.aspx
Views: 92013 itfreetraining
In Active Directory there are five operations master roles, known as FSMO roles. This video looks at which Domain Controllers you should put these roles on and also which Domain Controllers you should make into Global Catalog Servers.
There are five operations master roles. The Schema and Domain Naming Masters are forest wide, so there will only be one of each of these roles regardless of how many domains you have in your forest. The PDC Emulator, RID Master and Infrastructure Master are domain wide. There will always be three operations master roles per domain, one of each. When considering where to put the operations master roles, you should consider the availability of the role and what effect not having it available during an outage will have on your network.

Schema Master (Forest wide)
The Schema Master is generally found in the root domain in a multiple-domain environment. On most networks it will not be used that often. For this reason availability is not a big issue, so for ease of administration it will often be put on the same Domain Controller that has the Domain Naming Master. The Schema Master operations master role is not affected by whether the Domain Controller is a Global Catalog Server or not.

Domain Naming Master (Forest wide)
The Domain Naming Master is required when domains are added to or removed from the forest. It does require Global Catalog calls when domains are added or removed. For this reason it is recommended to make it a Global Catalog Server. However, this will not affect operations if it is not.

PDC Emulator
The PDC Emulator has the final say on authentication. For this reason the PDC Emulator will generally be placed on the network with the most users. The PDC Emulator can be made a Global Catalog Server; however, administrators will often remove the Global Catalog from the PDC Emulator if performance on the PDC Emulator becomes a problem.

RID Master
The RID Master allocates blocks of RIDs. For this reason it does not have to be on the fastest Domain Controller or on the fastest link. Domain Controllers will request RIDs before they run out. The PDC Emulator generally uses more RIDs than other Domain Controllers on the network, and thus a lot of administrators will place the RID Master role on the same Domain Controller that is holding the PDC Emulator. Whether the Domain Controller is a Global Catalog Server or not does not affect the operation of the RID Master.

Infrastructure Master
The Infrastructure Master role tracks references in multi-domain environments. In a single-domain network the Infrastructure Master role is not that important. In a multi-domain environment the role of the Infrastructure Master becomes more important. The choice of whether to make this a Global Catalog Server or not can affect its ability to keep cross-domain references up to date. If you have Windows Server 2000 or 2003 Domain Controllers on your network, you need to ensure the Infrastructure Master is not a Global Catalog Server, or all your Domain Controllers on the network will become Global Catalog Servers. In a pure Windows Server 2008 environment, it does not matter whether you make the Domain Controller a Global Catalog Server or not.

Disadvantages of making a Domain Controller a Global Catalog Server
Making a Domain Controller a Global Catalog Server will increase the amount of hard disk space that it requires and also the amount of network bandwidth that it will use. Nowadays this is not as big a concern as it was when Windows Server 2000 came out. Global Catalog Servers are also used by clients to perform searches and to look up objects. This can increase the load on the Domain Controller.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
Views: 44217 itfreetraining
ADMT is used to quickly move objects around in your forest. It is used during migrations or when you need to move users between domains during restructures or job changes. This video looks at how to install and use ADMT.
Handout http://itfreetraining.com/Handouts/70-640/Part2/admt.pdf

Installing ADMT
Before installing ADMT, it is worth downloading the ADMT guide (see link below). The guide will show you which installs are supported. If you download the latest version of ADMT or SQL Express you may have install problems and need to implement a workaround. Reading this guide will tell you which combination of software will work. http://www.microsoft.com/en-au/download/details.aspx?id=19188
Although possible, it is not recommended to install ADMT on a Domain Controller. The install itself may not work correctly and a workaround may need to be implemented in order to get ADMT to work correctly.

Inter-Forest Migration
This is when objects are being moved/copied between domains in different forests. The forests can be connected by any valid trust.

Intra-Forest Migration
This is when objects are being moved/copied between domains that are in the same forest.

SID History
A SID is a unique number that every object in Active Directory has. When ADMT moves an object it essentially creates a new object in the target domain with the same properties. When a user is moved or copied, the new user will have a different SID from the old user. Because the new user has a different SID, it will not be able to access any of the resources the old SID had access to. SID history allows the SIDs of the old user to be stored with the new user. This essentially allows the new user to access resources that were assigned using the old SIDs.

Demonstration
In this demonstration ADMT 3.2 will be installed on Windows Server 2008 R2 with SQL Express 2008 SP1 providing the database support. We could not get SQL Express 2012 to work in this configuration, and the ADMT guide recommended that SQL Express 2008 SP1 be used. If you run a different version and have installation errors, search the Microsoft web site for the error. This may give you a workaround to get that configuration to work.
Once ADMT is installed, it is a matter of running the required wizard depending on what you want to migrate. When migrating groups, ADMT can be configured to put the user in the same groups that they had in the old domain. In order for this to work, the new domain needs to have those groups created with the same names as in the old domain. If you want to migrate passwords between domains, you will need the Password Export Server to be installed in the other domain. Since ADMT does not check the password policy of the new domain, the user will be asked to change their password when they log in to the new domain.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory" pg 573-576
"Active Directory Migration Tool (ADMT) Guide" http://www.microsoft.com/en-au/download/details.aspx?id=19188
Views: 169963 itfreetraining
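The SID history mechanism described above, as an added example in Python (not ADMT code): an access check over a constructed share ACL shows that the migrated account only matches the old domain's ACEs when the old user and group SIDs are carried in sIDHistory. All SIDs, names and the ACL are made up.

```python
"""Why a migrated account keeps access through sIDHistory (constructed example)."""
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"


@dataclass
class Principal:
    """A user or group: its own SID plus any SIDs carried in sIDHistory."""
    name: str
    sid: str
    sid_history: list = field(default_factory=list)
    member_of: list = field(default_factory=list)   # group Principals


def access_token(user):
    """SIDs placed in the logon token: the user's SID, its sIDHistory, and the
    SID and sIDHistory of every group it belongs to."""
    sids = {user.sid, *user.sid_history}
    for group in user.member_of:
        sids.update({group.sid, *group.sid_history})
    return sids


def check_access(token, acl, wanted):
    """acl is a list of (sid, ace_type, right); a matching deny always wins."""
    allowed = False
    for sid, ace_type, right in acl:
        if sid not in token or right != wanted:
            continue
        if ace_type == DENY:
            return False
        allowed = True
    return allowed


# Constructed domain SIDs (real ones have the shape S-1-5-21-<domain>-<rid>).
OLD_DOMAIN = "S-1-5-21-1111-2222-3333"
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"
OLD_USER_SID = OLD_DOMAIN + "-1105"
OLD_SALES_SID = OLD_DOMAIN + "-1200"

# ACL on a share in the old domain that nobody re-ACLed during the migration.
SALES_SHARE_ACL = [
    (OLD_SALES_SID, ALLOW, "read"),
    (OLD_USER_SID, ALLOW, "write"),
]


def migrated_user(with_sid_history):
    """The objects ADMT creates in the target domain: new SIDs, with the old
    SIDs in sIDHistory only when SID history migration was selected."""
    sales = Principal("Sales", NEW_DOMAIN + "-2300",
                      sid_history=[OLD_SALES_SID] if with_sid_history else [])
    return Principal("alice", NEW_DOMAIN + "-2201",
                     sid_history=[OLD_USER_SID] if with_sid_history else [],
                     member_of=[sales])


def sales_share_access(right, with_sid_history):
    """Does the migrated alice get `right` on the old domain's share?"""
    token = access_token(migrated_user(with_sid_history))
    return check_access(token, SALES_SHARE_ACL, right)
```

Without SID history every old ACE fails to match, which is why re-ACLing resources (or migrating SID history) has to be part of the migration plan.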
Group Policy has over 3000 settings. This video looks at how to perform the basic configuration of Group Policy and how to find a setting that you require.
Download the PDF handout for this video from http://ITFreeTraining.com/Handouts/70-640/Part3/Configuring_Group_Policy.pdf
Download subtitles (can be enabled in the video): http://ITFreeTraining.com/Handouts/70-640/Part3/Configuring_Group_Policy.srt

Demonstration Interface
Group Policy management is done via the Group Policy Management Tool. This is found under Administrative Tools in the Start menu. When a domain is created, two Group Policies are created with it. These are the Default Domain Policy and the Default Domain Controllers Policy. It is important to understand that when a Group Policy is created it is stored under Group Policy Objects. If you want to apply this Group Policy Object to an OU it must be linked. A single Group Policy can be linked as many times as required. If it is not linked to any OUs, it will not have any effect on any computers in the domain until it is linked. If you want to create a Group Policy Object and link it in one step, you can achieve this by right-clicking on an OU and selecting the option "Create a GPO in the domain, and link it here".

Demonstration GPO Editor
Each Group Policy is divided into two parts, Computer Configuration and User Configuration. These sections are further subdivided into two more sections called Policies and Preferences. Later videos will look at the other sections; this video will look at the Administrative Templates under Policies. This contains the majority of the Group Policy settings. Since there are so many settings under Administrative Templates, there is an option to filter the settings. This is done by right-clicking on Administrative Templates, or on any folder found under Administrative Templates, and selecting the option "Filter On". Once the filter has been enabled, right-clicking any folder under Administrative Templates and selecting the option "Filter Options" lets you configure which settings you want to look for.
When configuring Group Policy settings, it is a good idea to read the help text associated with that setting. Particular Group Policy settings require certain operating systems in order to work. Also, Group Policy settings may rely on other Group Policy settings being configured. Reading the help text will help you configure Group Policy correctly in order to meet your needs.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 250-253
"Administrative Templates in Server 2008 R2 Group Policy Objects (GPO)" http://www.petri.co.il/administrative-templates-for-group-policy-objects.htm
Views: 83270 itfreetraining
DNS Delegation is the process of dividing up different parts of the DNS namespace so that each part can be independently managed. This video looks at how to divide up DNS so different parts can be stored on different servers and managed independently.
Download the PDF handout http://ITFreeTraining.com/handouts/dns/windows-delegation.pdf

What is DNS Delegation?
DNS Delegation allows the DNS namespace to be expanded. For example, additional sub-domains can be created, like east and west. These can then be stored on different DNS servers. This allows that part of the DNS namespace to be managed by different people, for example by different IT administrators. Dividing up the namespace can also be done for performance reasons. Having the DNS namespace on multiple servers can give faster name resolution and also allows for better fault tolerance.

Demonstration
1) To create a new DNS delegation, open Server Manager. If your DNS server is not present in Server Manager, right-click "All Servers" and add the DNS server. It is possible to add a DNS server using its IP address. However, if that DNS server is not part of the domain, or a trust relationship does not exist, Server Manager will not be able to create a connection to it.
2) Launch DNS Manager by right-clicking a server in Server Manager that has DNS installed on it and selecting the option "DNS Manager". It is also possible to run DNS Manager by selecting the Tools menu and selecting DNS Manager from the list.
3) To add additional DNS servers, right-click DNS at the top of DNS Manager and select the option "Connect to DNS Server". When prompted, enter the DNS server's name or its IP address.
4) To create a new namespace, right-click the Forward Lookup Zones folder that you want to create the DNS zone in and select the option New Zone. Creating the zone is the same process as creating a standard DNS zone.
5) Once a zone has been created, a DNS delegation needs to be created in the zone above it, telling it where this new zone is. To do this, right-click on the parent zone and select the option New Delegation.
6) The delegation wizard will ask for the name of the delegated DNS zone and also the name of a DNS server that is authoritative for that DNS name. If the DNS server name does not resolve, the IP address of the DNS server can be used instead. Once this is done, the DNS server will pass DNS requests for the delegated name to the other DNS server.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
References
"Understanding Zone Delegation" http://technet.microsoft.com/en-us/library/cc771640.aspx
Views: 35523 itfreetraining
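An added example, not code from the video, that walks a delegation the way a resolver does and also shows the authoritative versus non-authoritative distinction from the NSLookup description earlier on this page: ns1 holds the parent zone with an NS record and glue for east.itfreetraining.local, ns-east holds the child zone, and a small iterative resolver with a cache reports which server answered. Server names, zone data and addresses are constructed.

```python
"""Following a DNS delegation, and why a repeated lookup is "non-authoritative".

Constructed zone data: ns1 is authoritative for itfreetraining.local and
delegates east.itfreetraining.local to ns-east with an NS record plus a glue A
record; ns-east holds the child zone. Names and addresses are made up.
"""

# server name -> {zone apex -> {(owner name, record type): [rdata, ...]}}
SERVERS = {
    "ns1.itfreetraining.local": {
        "itfreetraining.local": {
            ("itfreetraining.local", "NS"): ["ns1.itfreetraining.local"],
            ("ns1.itfreetraining.local", "A"): ["10.0.0.1"],
            ("www.itfreetraining.local", "A"): ["10.0.0.10"],
            # The delegation: east.* is served by another name server ...
            ("east.itfreetraining.local", "NS"): ["ns-east.east.itfreetraining.local"],
            # ... and glue so that name server can itself be found.
            ("ns-east.east.itfreetraining.local", "A"): ["10.0.1.1"],
        },
    },
    "ns-east.east.itfreetraining.local": {
        "east.itfreetraining.local": {
            ("east.itfreetraining.local", "NS"): ["ns-east.east.itfreetraining.local"],
            ("ns-east.east.itfreetraining.local", "A"): ["10.0.1.1"],
            ("fs1.east.itfreetraining.local", "A"): ["10.0.1.20"],
        },
    },
}


def enclosing_zone(server, name):
    """Longest zone apex hosted on `server` that `name` falls under, or None."""
    best = None
    for apex in SERVERS.get(server, {}):
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def query_server(server, name, rtype):
    """One server's reply: ("answer", rdata), ("referral", [ns names]),
    ("nodata", None) for an authoritative "no such record", or ("refused", None)."""
    apex = enclosing_zone(server, name)
    if apex is None:
        return ("refused", None)           # server is not authoritative for this name
    zone = SERVERS[server][apex]
    if (name, rtype) in zone:
        return ("answer", zone[(name, rtype)])
    # Walk up from the name towards the apex looking for a delegation point.
    labels = name.split(".")
    for i in range(len(labels)):
        cut = ".".join(labels[i:])
        if cut == apex:
            break
        if (cut, "NS") in zone:
            return ("referral", zone[(cut, "NS")])
    return ("nodata", None)


class Resolver:
    """Iterative resolver that starts at one server and follows referrals."""

    def __init__(self, start_server):
        self.start = start_server
        self.cache = {}

    def resolve(self, name, rtype, max_hops=8):
        """Return {"answer", "authoritative", "path"}; path lists servers asked."""
        key = (name, rtype)
        if key in self.cache:
            # Served from cache: correct data, but not from an authoritative
            # server, which is what NSLookup flags as "Non-authoritative answer".
            return {"answer": self.cache[key], "authoritative": False, "path": []}
        server, path = self.start, []
        for _ in range(max_hops):
            path.append(server)
            kind, data = query_server(server, name, rtype)
            if kind == "answer":
                self.cache[key] = data
                return {"answer": data, "authoritative": True, "path": path}
            if kind == "referral":
                server = data[0]          # follow the delegation to the child's server
                continue
            return {"answer": None, "authoritative": kind == "nodata", "path": path}
        raise RuntimeError("too many referrals (delegation loop?)")
```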
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video looks at forwarding events from one computer to another using a source-initiated subscription. A source-initiated subscription is when the computer that has events to transfer determines when to transfer these events to the collecting computer. The previous video looked at collector-initiated subscriptions, which is when the collecting computer contacts the forwarding computer at regular intervals to see if it has events that need to be transferred.
Previous video on event forwarding using collector-initiated subscriptions http://www.youtube.com/watch?v=sZj_9e3AHFk
Demo configuring the forwarding computer 01:56
Demo configuring the collector 05:24

Configuring the collector computer
To configure the collector computer to receive events from the forwarding computer, run the following two commands:
WinRM QuickConfig
WECUtil QC
Answer y to all the questions. WinRM will configure the WinRM service and the firewall. WECUtil will configure the service that is used to collect events sent from the forwarder. The next step is to configure a subscription on the collector computer. This is done inside Event Viewer on the collector computer. Right-click on Subscriptions in Event Viewer and select Create Subscription. Make sure that "Source computer initiated" is selected. The rest of the options determine which events will be transferred from the forwarding computer. The subscription in this case acts like a filter, determining which events to collect and which events to ignore.

Configuring the forwarding computer
Run the following command on the forwarding computer:
WinRM QuickConfig
Answer y to both questions. This will configure the service and also the firewall settings.

Group Policy
The forwarding computer needs to be configured with the address of the server to which the events are forwarded. This can be done with the following Group Policy setting:
Computer Configuration - Administrative Templates - Windows Components - Event Forwarding - Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager
The syntax is as follows when using the default protocol HTTP and the default port:
Server=HTTP://FQDN
Use the full URL when using HTTPS or different ports:
Server=HTTPS://FQDN:5986/wsman/SubscriptionManager/WEC
FQDN is the fully qualified domain name, for example ITFreeTraining.com.

WECUtil command line
WECUtil supports a number of different command line options, which are listed below.
WECUtil ES
Lists the subscriptions. The name of the subscription can be used in later commands.
WECUtil GS (Subscription name) /f:XML
This outputs the subscription configuration. If you want XML format, add /f:XML. Appending "> filename" redirects the output to a file.
WECUtil CS (Filename)
This creates a new subscription using the configuration in the file.
Views: 30219 itfreetraining
PKI (Public Key Infrastructure) is a hierarchy of Certificate Authorities. This video looks at three different types of hierarchies that can be used to issue certificates.
Download Handout http://itfreetraining.com/Handouts/Certificates/PKIHierarchy.pdf

Considerations
When deploying Certificate Authorities (CAs) you should consider the size of your company, geographic distribution and the number of certificates that are required. Before a certificate can be used it needs to be checked that it has not been revoked. This can be done via a CA or an online responder. When deploying CAs, consider the WAN links the users may need to travel over when obtaining new certificates and also when checking that an existing certificate is still valid.

Single-Tier Hierarchy
This means that there is one CA on the network. This is suited to small networks. Having one server does mean less administration; however, it does not provide any fault tolerance. In order to issue certificates, the server must be online. The CA contains private keys, and when there is only one CA on the network the server cannot be taken offline in order to protect these keys. If an attacker were to obtain these private keys, they could effectively create their own certificates or decrypt any traffic encrypted with any existing certificate.

Two-Tier Hierarchy
This contains two levels of CAs: one root CA and any number of child CAs. In order to improve security, the root CA is usually taken offline after the child CAs have been issued a certificate. The root CA only ever needs to be brought back online if another child CA is added to the network or a child CA needs to renew its certificate. Having a second level provides redundancy, as multiple CAs can be created to issue certificates. Different CAs at the second level can be used for different purposes. For example, one CA may be for internal clients while another CA could be used for external customers or business partners.

Three-Tier Hierarchy
A three-tier hierarchy adds another layer of CAs to the hierarchy. This improves security as the first two levels can be taken offline when not required. They can be brought back online only when new CAs need to be added to the network.

Validity Period
The validity period is how long a certificate is valid before it can no longer be used. The root CA certificate is the top of the hierarchy. Once the root CA certificate expires, all certificates in the hierarchy expire with it. For this reason, the root CA normally has a very long validity period, like 20 years. A rule of thumb is that subordinate CAs have half the validity period of their parent CA. If they had the same validity period, this would mean that after the CA had been online for a day, it would be issuing certificates that expire after its parent CA.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
Views: 26140 itfreetraining
This video will look at how multiple disks can be combined to form one volume and how basic and dynamic disks work. Dynamic disks are required in most cases when combining disks.
Access the rest of the course http://ITFreeTraining.com/server
Download the PDF handout http://ITFreeTraining.com/handouts/server/basic-dynamic.pdf

Basic and Dynamic Disks
Basic disks have been around since the MS-DOS days and thus have the widest compatibility. Dynamic disks were introduced in Windows 2000 and thus have good compatibility within Windows. Compatibility may become a problem if you use a dynamic disk in Linux. Dynamic disks are supported in Linux; however, support depends on the distribution. Additional packages may need to be installed and the distribution may not support booting from a dynamic disk.
Dynamic disks also offer additional features over basic disks. For example, they add a signature to the disk so that if the disk is moved from one computer to another, Windows will detect that the disk has been moved. Basic disks cannot be combined with other disks and thus their features are limited to one disk. For example, an existing volume can be resized on a basic disk. In order to do this there must be contiguous free space at the end of the volume. If this is not there, the disk will need to be defragmented. Basic disks also support booting, whereas dynamic disks only support booting when configured in certain ways. If you want to combine multiple disks you require dynamic disks. Windows supports a one-way conversion from basic to dynamic disks.

Dynamic Disk Support
Dynamic disks are supported in all Windows Server editions since Windows Server 2000. Client operating systems from XP to 7 require the higher business-level editions, but after that all editions support dynamic disks.

Combining Multiple Disks
Dynamic disks allow multiple drives, or the space from multiple drives, to be combined in order to create one volume. There are a number of different configurations supported.
Spanned volume: A spanned volume combines the space from multiple drives to form one volume. This allows you to combine unused space into one volume; however, it does not offer redundancy if a drive fails, nor does it offer speed improvements. It also does not support booting.
Mirrored volume: This is when two disks have the same data on them. This allows the operating system to continue running if one disk fails. Unlike other dynamic disk configurations, mirrored volumes support booting the operating system.
Striped volume: This volume takes disks of the same size and combines them to form one disk. The data is evenly distributed across the disks. It offers excellent read and write performance; however, it does not offer any redundancy. It also does not support booting.
RAID-5: This configuration requires three or more drives with the same amount of free space. The drives are combined into one volume. The equivalent of one drive is lost to parity, extra data that allows the volume to keep running if one drive is lost. This volume gives fast read performance but slow write performance. It is available only in Server operating systems and does not support booting the operating system.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
References
"Installing and Configuring Windows Server 2012 Exam Ref 70-410" pg 44
"Basic and Dynamic Disks" http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx
"Logical Disk Manager" http://en.wikipedia.org/wiki/Logical_Disk_Manager
"What are basic and dynamic disks?" http://windows.microsoft.com/en-au/windows-vista/what-are-basic-and-dynamic-disks
Views: 27328 itfreetraining
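An added example, not from the video, simulating the RAID-5 parity layout described above in Python: chunks are striped over three or more simulated drives with rotating XOR parity, a failed drive is rebuilt on read, and a single-chunk update shows the extra reads and writes behind RAID-5's slower writes. The drive count, chunk size and sample data are constructed.

```python
"""RAID-5 striping with rotating XOR parity (constructed simulation)."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_drive_for(stripe, ndrives):
    """Rotate the parity chunk so no single drive becomes a parity hotspot."""
    return (ndrives - 1 - stripe) % ndrives


def raid5_layout(data, ndrives=3, chunk=4):
    """Return a list of drives, each a list of chunks (data or parity).

    Usable capacity is (ndrives - 1) / ndrives of the total: one chunk per
    stripe holds the XOR of the other chunks in that stripe."""
    if ndrives < 3:
        raise ValueError("RAID-5 needs at least three drives")
    per_stripe = chunk * (ndrives - 1)              # usable bytes per stripe
    data = data + b"\x00" * (-len(data) % per_stripe)
    drives = [[] for _ in range(ndrives)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndrives - 1)]
        parity = parity_drive_for(s, ndrives)
        data_iter = iter(chunks)
        for d in range(ndrives):
            drives[d].append(xor_blocks(chunks) if d == parity else next(data_iter))
    return drives


def raid5_read(drives, length):
    """Read the volume back; a failed drive is represented by None."""
    ndrives = len(drives)
    if sum(d is None for d in drives) > 1:
        raise ValueError("RAID-5 survives only one failed drive")
    nstripes = len(next(d for d in drives if d is not None))
    out = bytearray()
    for s in range(nstripes):
        parity = parity_drive_for(s, ndrives)
        for d in range(ndrives):
            if d == parity:
                continue
            if drives[d] is None:
                # Rebuild the missing chunk from every surviving chunk in the stripe.
                survivors = [drives[k][s] for k in range(ndrives) if drives[k] is not None]
                out += xor_blocks(survivors)
            else:
                out += drives[d][s]
    return bytes(out[:length])


def raid5_update(drives, stripe, data_index, new_chunk):
    """Overwrite one data chunk: two reads and two writes instead of one write,
    which is the source of RAID-5's slower write performance."""
    ndrives = len(drives)
    parity = parity_drive_for(stripe, ndrives)
    data_drives = [d for d in range(ndrives) if d != parity]
    target = data_drives[data_index]
    old_chunk = drives[target][stripe]                                   # read 1
    old_parity = drives[parity][stripe]                                  # read 2
    drives[target][stripe] = new_chunk                                   # write 1
    drives[parity][stripe] = xor_blocks([old_parity, old_chunk, new_chunk])  # write 2
    return drives
```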