active directory arabic book 2008

8/16/2019 Active Directory Arabic Book 2008

1/242

Eng.Basem Hamed | [email protected] | 01001582348©

Page1


2/242


Page2

: -م مة

ا اذ جا او تا ج ا ع ا ل

اط ال ك ب ح وم وجد اد

اذاكة

ا

غ

ات

ج

ل

لا

او

و ا و ك ا اح و اوا

كو ج

رج

ذا

ن

وان

جاخا

ا

زكه

وان

وكإي ا رك وات شك ا ارز و زدة اي ا ل

ال

ذا

خا

ح

ب

ا

و

ات

ج

او

كا

ا

ادئ

أ

و

ش

ك

ان

ادي

ح

اس

او

اه

و

اس

ا

اد غ ا ا واارا ان م ف

ج ات وخص ل و دوري ك ق ل

ات

ارز

ا

ك

جه

طا

ا

ون

كب

اول

ذا

ن

Egypt NetRiders | Press


3/242


Page3

About:-

About Author:-

Eng.Basem Hamed

Network and Information Security Engineer

Working in Egypt NetRiders Company Specializing in Microsoft Networks

Interested in Cisco and Juniper

Editor inCiscawy Blog

Certified:-

MCSE, MCITP EA

CCNA, CCNA Sec, CCNP R&S

CEH, CISM

JNCIA _ JUNOS

RHCE

CWNA

01001582348

About Company;-

Egypt NetRiders

Integrated Network Solutions. Specialized in Networks and Information SecuritySolutions

As a specialized company we focus on Networks and Information Security Solutions.

We provide Two Basic Services:

- Training courses in Network companies like Cisco, Juniper , Microsoft and CompTIA

- Network Solutions like Analysis of Huge Networks, Design Network Topologies and

Network Security.

0507487156 _ 01150505639

http://www.egyptnetriders.com/

FB/EgyptNetRidersTwitter/EgyptNetRiders

http://ciscawy.com/blog/

This Book is Powered By:-

http://www.egyptnetriders.com/http://ciscawy.com/blog/http://ciscawy.com/blog/http://ciscawy.com/blog/http://www.egyptnetriders.com/http://www.egyptnetriders.com/


4/242


Page4

Index

1st Book ………………………… …………………………………………..……5

INTRO ……………………………………… ..………….… …… …………… 6

Preparing to Install Active Directory ………………… ………… ……… ……. 7

Haw to join a physical computer to domain? ……… ……………….…… ….. 14 Types of AD DS Objects ………………………… ………………... …… ….. 16

Different between computer and user Account!! … ……… . .… ………… ….. 17

Computer account …………. . …………………… …………………. …… ... 17

User account ……………… …………. . .………………………………… … . 18

Groups VS Organization unit ……. . .…………………………………… … … 23

Groups ……… ………… ………………… …… …… …………… …… ….. .25

Group Type……………………… ……… ………………… ……… …… … 25

Forest, Tree, domain ………… ………… ……… ……………… … ……….. 31

Additional domain …… . . .…………… ………… ……… ……………… ….. 33

"RODC" ……………………… ……… ……. . .……………………………. .. 38

Child Domain …………. . ……… ……… ……… …………………………....50

Tree Root …………………. .…… ……… ……………… ………………….. 54 Active Directory Partition …. . …… … ……… ……………………… . ….…. 59 FSMO Roles …………………. . .………… ………… …… ………….…… . 64 Active Directory Sites and Replications ……. . ..… … ………… ………….… 70 Trust ………………………………….. .. .……………………………………..…77

Group Policy ……………………….. .. .………………………………………….79

Deploy Software …………….. .. .……………………………….…………… 87

Restricted Groups ……………….. .. .……………………………..…………. 91

Security in Group Policy ……………. . .. …………………………………… 93

Group Policy Template ……………….. .. .……………………..……………104

Backup & Restore …………………..…….. .. .…………………..……………... 110 2

ND Book ………………………………….. .. .………… …………………..….. 119

Active Directory Certification Authority …………… .… … …… …………….. 120

Certification……………………………….. .. .…………… … ……………. 121

Installing Certification Services ……….. .. .……………… ………….. . . … 122

KRA …………………………………….. .. .…… ……………………….… 154

Active Directory Rights Management Services ……… …….. .. ..……………….176

Active Directory Federation Service ………………… .. .. .………………….. …195

Install Federation Service ……………… .…… … …….. .. .…………….. …212

Active Directory Lightweight Directory Services …… ….. .. .… ……………….229 Resources …………………………………….. .. .. .. ..… ………………..………242


5/242


Page5

ا

اب

ا

ا لوا Course 6425A Configuring and Troubleshooting Windows Server

® 2008 ActiveDirectory® Domain Services

او

Course 6426A Configuring and Troubleshooting Identity and Access Solutions with

Windows Server® 2008 Active Directory®

وا ا و وا ث

Active Diverter ا

ا

ات

اواو

ا

Course 6425A Configuring and Troubleshooting

Windows Server ® 2008 Active Directory

®Domain

Services


6/242


Page6

INTRO

ا

ات

ا

او

,,اب

ت

:و

ا

ان

-

Workgroup VS. Domain

Workgroup:- او

ا

ا

و

اه

ان

و

ا

ا

او

ه

و و ا وا تا و يا

اداره

او ا ا ها تا اا ا ا وا

Domain:-ا

ت

ا

ب

ا

Workgroupا

ا

Domain

م

و

ات

و

ااو

اداره

ا

ا

ت

و

ن ها DomainوJoin Domain ا

او

او

اه

ا

و

Security and Centralize Administration

ا

م

ا

ات

إي

Domainو

و

و

Windows Server Family. هد RedHat .

م

ا

اب

ا

Windows Server ام

و

Windows Server Family

ا NTWindows Server وWindows Server 2008 R2 و

ا

راا

و

و

Windows Server 2012

رت

ة

ك

Windows Server و

دة

وأ

اب

وا Configuring and Troubleshooting Active Directory


7/242


Page7

Preparing to Install Active Directory

وز

إا

200

وه

Minimum requirements

Windows server 2008

م ارد زوا او وا ه

ه

:-Start run oobe

ذ زا هدا وا

ا

ip ز

subnet mask


8/242


Page

Recommendedا ا زا ن نا و Active Directoryا أ ا

dnsا

ون

ip

اص

:اادات

ه

ا

-ا

م

Active Directory

dcpromoا

run

Error msgا

و

dcpromo

ا م ا ه active directory domain service binariesRoles add roleServer manager


9/242


Page9

Server role Active directory domain service

Nextinstall Finish

از

ا

ه

ا

Domain Controller

ا

ده

م

ذ

dcpromo

Run

ر

أي

ا

Errors

ا

م

Advanced mode

اا

Child domain

ا

ر

Domainه

ر

ا

Forest, Tree, Domain, Child


10/242


Page10

ا

ار

FQDNؤ

او

ش

ا

ن

ا

ا

ره

او

ا

ا

ن

ذ

و

ذ

check ا

ا

ش

ا

ود

م

Domainا

Forest

ا

اForest Function Level

وز

ا

اس

را

ا

2003ك

ن

2000و

2003

200و ع 200ن ا ا2003او2000و اذا ات Forest functional level

Provides a means of enabling additional forest-wide Active Directory features, remove

outdated backward compatibility in an environment, and improve Active Directory

performance and security.

ا

اا

ا

و

upgrade

2003ا

200

raiseا

Domainا

راو

200


11/242


Page11

ا ع dnsا ط ا – را و-ا ناMachine اا

دور

Domain Controller

ان

دا

Machineا

اادات

و

IPا

IP

اص

DNS

ا اذ و(GC)Global Catalog ا

ي

(GC)ا

Attributesا

Objectsا

ى

اى

Domainsرا

ى

اى

Any

trusted domains

A partition of the data store called the global catalog (also known as The partial attributeset) contains information about every object in the directory.

Can be used to locate objects in the directory. Programmatic interfaces such as ActiveDirectory Services Interface (ADSI) and protocols such as LDAP can be used to read andmanipulate the data store

وا

Domain اره ار ا (GC)By-default ار ا ان ن

اي

Domainرا

ا

ا

ا

ع

Searchا

Domainا

Forestـ


12/242


Page12

ر

yesا

ع

ا

ن

شش

ا

و

dnsوا

adو

by-default

ا

و

ة

ا

م

Restore modeا

اؤذ

ا

رع

Backpث

اذا

ا

Domain

اص

و

ا

ا

اذا

ا

ا

و

Requirementsاوا

ا

ه

:-


13/242


Page13

ا

ادت

اظ

اردت

اذا

Domain

ا

از

اده

login name


14/242


Page14

Haw to join a physical computer to domain?

7ا ز م ووز

ا

ا

ووز

م

ي

XPا

او

Vista

ان

Domain Server 2008

زا ا IPا Rangeا داDomain Controller

ن

ان

ا

و

IPا

DNS

اص

Domain Controller

ذ

R.click on my computer properties

زا

ان

Workgroup

Change settingر

Change

ا

ا

و

Domainا

ا

Domain

اص

ا

اور

و

ا

دا

ر

Administrator


15/242


Page15

ا

ر

ذ

Domain

ا

از

م

Restartاي

ه


16/242


Page16

Types of AD DS Objects

Object

Attribute ه

ا

User accounts

• Enables a single sign-on for a user

•

Provides access to resources

Computer accounts

• Enables authentication and auditing of computer access to resources

InetOrgPerson

• Similar to a user account

• Used for compatibility with other directory services

Organizational Unit

Used to group similar objects for administration

Applying group policies

Group accounts

Helps simplify administration and applying permissions

Printers

Used to simplify the process of locating and connecting to printers

Shared folders

Used to simplify the process of locating and connecting to shared folders

Start administrative tools active directory user and computer

R.click on domain new


17/242


Page17

Different between computer and user Account!!

-:اق اي ا ان اــUser Account

ا

د

ن

ان

ش

و

ا

س

ي

Usersد

و

Computers

د

ق

ن

ان

ش

User Computer ن نا ش وComputer User "م"Computer account

اد

ا

و

س

دي

User Account

How to create each of them?

Start administrative tools active directory user and computer

R.click on domain new

Computer account

2000

م نا ا نComputer Accountا م ذ ز يJoin toDomain

اار

ا

2003

از

م

ان

د

ا

ان

و

Joinا

ب

ا

Container

اص

Computer

User Account


18/242


Page1

ا

User Account

ا

ن

ان

ش

Logon nameا

Full name

ا

Full name

Startاز

ا

م

ا

ا

ا

ه

اور

ن

ان

و

ا ا User نا و را وا ر نا User نا اها د رو ا

ا

ا

اور

م

ن

دا

ا را اAccount Disable

م

ه

ات

ا

رج

ام

ا

ن

اذا

او

,,

م

ب

ا

د

ح

ن

ا

ه

ا

ا

اي

Hackersاب

ا

ن

ش

ا

او

اب

ا

اام

ا

س

و

ا

ام

100User Accountاا

ه

ام

ان

!!

,,,,

ا

ا

ك

run cmdا

د

ا

users

dsadd user "cn=ahmed,ou=it,dc=ciscawy,dc=com"

dsadd domain services

cn canonical name

ا

زر

ا

ا

ahmedا

ouا

itا

Domainا

ا

Ciscawy

ا

ا

ا

اا

اذا

و

User Accountن

Disabled

و

ور

ه

ا م ا ا ئش رواUser Accountا cmd


19/242


20/242


Page20

User Templates:- ا

ا

م

ان

Attributeا

ا

Users

د

شئ

ا

ا

ا

Domain

م

ان

و

ا

ه

User م

ـ

R.click on user copy

ا

و

اور

و

ا

وم

Attributeد

ن

Security Identifier:-

أ

دو

و

ص

ر

رة

UIDب

ي

إ

و

أ

أي

ب

ا

ا

أن

,اص

ا

ز

أو

)ا

(ا

ى

Unique,

اب

ا

راو

اات

ون

.

م

ا

User

Domain ا

ث

ا

ن

وان

د

SID

ا

ا

ى

ن

دة

و

: S-1-5-32-1045337234-12924708993-5683276719-19000

ا

SID

ا

:-Run cmd whoami/user

Types of Users

Power user Under Administrator Account

Guest user By-default Disabled

Limited user Do What Created For ا

User Principal NameUPN

ا

ان

را

ا

ه

م

ا

ا

Domain

اص

ا

و

Logon

اص

User ا

ن

ا

Domainا

او

ا

Start administrative tools active directory domains and trust

http://www.wiki.networkset.net/index.php?title=User_identifier&action=edit&redlink=1http://www.wiki.networkset.net/index.php?title=User_identifier&action=edit&redlink=1


21/242


Page21

Start administrative tools active directory users and computers

ا

د

User ا

Domainوز

اص

از

7ا

upnا

زر

اص

@


22/242


Page22

ا

ا

ان

Domainا

ا

ـ

ا

وه

Security Wise ا

ن

ان

و

Domainأ

ا

ـا

Foot Printingا

,, ا

ا

Domain

اا

و

اص

ا

ا

ا

ت

ا

ر

ا

Domain

اص


23/242


24/242


Page24

ه

وه

م

Protect Container from Accidental Deletion

ع

.

ا

اه

ه

ن

ان

و

OU

م

ان

ا

اي

Protected

ون

ا

OUا

ا

م

ش

ن

Domain

ن

ان

!!

ا

,,

ان

ا

ا

ب

:

ان

اردت

ذا

-Tap View Advanced feature

R.click on OU that you want to delete properties

ر

object tap

ا

وف

protect..

ذ


25/242


Page25

GROUPS

اPermissions اض تRead, write, full control

Start administrative tools active directory user and computer R.click new

Group

ت

ان

ا

ا

اوب

ا

permissions

ر

م

EditR.click on it Properties Security tap

Addا

ا

Group

و

Check nameاوب

ا

ر

ا

ت

ا

ن

واذا

User وا

ت

Groupا

ا

ا

ا

ن

,,اي

ت

User

Most Restrictive

(Deny over write allow)


26/242


Page26

: -ااع اوب

Distribution group

ز

ا

را

م

email –

ن

اذا

mail server او

exchangeز

وب

م

ا

و

ت

ا

ج

و

اع

ا

Domainاو

ر

ا security group

Security group

ا م policyا وrolesا

را م نا ا email و ا ج ا ن وا

Domain

م

ان

واح

ا را أر اذا وemailك ن ادdelay

بوا يgroup scope

Access = PermissionMembers

اي

Domain د

Member permissions can be

assigned in any trusted

domain

ي

ا

Domain

Contain user from the same

domain only

Global Group

ا

ات

Domainاا


assigned only within the

same domain

اي

ي

Domain

Contain users from any domain

Domain Local


27/242


Page27

اي

ات

Domain

Permission on any trusted

domain

اي

ي

Domain

Contain user from any domain

Saved-in Global Catalog

Universal

"blog.ciscawy.com"child domainا

ه

ان

ض

)

ث

(

ا

Domain

ا

3 groupsا

ا

م

child domain

shared folder

R.click on shared folder properties security tap Edit

ا مLocationوا رDomainاCiscawy.com

advancedا

م

objectاده


28/242


Page2

ا

globalوا

universalا

و

domain localا

domain local

ااخDomainات ال


assigned only within the

same domain

ي اي

Domain

Contain users from any

domain

Domain Local

ا

Domain

ع

!!

اص

Global convert to Universal convert to domain local

شاNESTED ا

او

Being a Member:-

1-Member of OR Nest of

MEMBER OFTYPE

Universal

Domain local

Global

Global

Only Domain Local Domain Local

Universal

Domain Local

Universal

Double click on any Groupور

Member of

Add

...

Domain local


29/242


30/242


Page30

Advanced

Find now

ا

ان

Universalا

و

Globalا

ا

ا

و

Groupsوا

ود


31/242


Page31

قاForest , Tree , domain

زDomainا وا توا ث

ا

وأ

اا

200Windows Server ا

ا

واا

Domain

dcpromoا

ه

د

Domain:

ه

-

وا

Domainا

Forest

ا

روا DNSا ا ا ا Forest

The Primary Domainأو

Root DomainFirst

نGlobal Catalog by default

default first site name

ا ن DNS Serverا ان: ما خ -

Additional domainا

ا

Domainو

ا

اذا

,

ت

اا

ز

اا

را

Load Balanceا

ك

ن

اذا

Domainا

Read Only Domain Controllerا

ا

Domainاوو

ا ه

ا

Child domainا

را

ااذا

DomainSub Domainراو

ا

ا

ا

Domainا

ا

Enterprise Administrator

New Treeا

ي

ا

م

ان

واردت

اي

شو

ش

ث

اذا

ا

ن

ان

را

و

ا

ا

ا

ا

ا

Domain

اص

– ش

ث

Oracle & Sun – ا

ا

ه

Tree

ا

ن

و

ه

ا Domainا اEnterprise Administrator


32/242


Page32

oا

Domain

ن

أ

ا

ا

اي

اق

Child , Additional , Tree ,…..o

و

Domainا

machine

ا

Domain Controller

oا

ا

Active Directoryا

Database

ا

ات

ه

ف

ا Forest Many Trees many Different Domains

Forest many Different Domains


33/242


Page33

Additional domain

ا

Domainا

اض

ا

Domainا

د

زاد

اذا

ا

users

500ه

ؤ

او

ما يأLoad Balanceا Domainاو اAdditional

اي

ام

Objectا

ا

ا ه

اا

م Users Domainبو ا

Machine

و

,,

Machineا

Domainا

ا تادااTCP / IP:-

-ا

ن

ان

DNSا

IP

اص

Domainا

ا

Domain

م

ا

Start Administrative tools DNS

م

Zone Transfer

ان

ن

و

Domainوا

م

ان

(Domain)ا

وب

R.Click on Domain Properties


34/242


Page34

ر

Zone Transfer tap Allow transfer Only this domain EDIT

ا

IP

اص

machineاا

دور

additional domain

Ok ok

ا Machineا رو م اAdditionalRun cmd dcpromo

Next


35/242


Page35

Forestن ا يExisting Forestر او ار

ا

ا

Domainوا

ا

credentialا

administrator

Next Next


36/242


Page36

ا

ن

DNS Server وا

Global Catalog..رأ

ن

ان

و

Domain

ا

ار

ان

اا

ه

و

Read-Only Domain Controller )

ف

(

ا

ا

دي

Restore mode

ا

زي

ا

اره

ان

Installation

خ

و

ه

Domainا

ا

Domainإهرا

ا

و اDomain

اص

ا

ان

ا

اده

..Start Administrative tools Active directory Users and Computer اي

Objectا

Additional Domain

Refreshا

Domainا

ان

ا

Objectد

ا

أ

ن

ان

اردت

اذا

Two Domainsوا

ا

ا

ع

او

Load

Balancing

وم

أي

Start Administrative tools DNS


37/242


Page37

ا

اا

وا

Double Click on Kerberos

ا

اي

م

Priorityا

او

Weight

وا

ن

و

وب

ا

ن

ا

ه

ا

ا


38/242


Page3

Read Only Domain Controller

"RODC"

ا

ه

Additional domain

ا مRODCا ه ا Domainا

ااق

اي

ث

ن

اور

ت

م

ا

ا

اا

ا

ااع

ع

م

Domainا صاPasswords

ا

وع

اي

ن

اذا

ا

م

IT

ام

ا

ه

ش

ا

از

و

Domain ا روا تو تا ه ا

Provide valuable support for branch office scenarios by authenticating users in the branch

office.

RODCs reduce the security risk associated with placing a domain controller in a less

secure site.

You can configure which credentials an RODC will cache.

You can also delegate administration of the RODC without granting permissions to other

domain controllers or to the domain.

ا

Machineا

ا

Domainا

ciscawy.com

Start Administrative tools Active directory users and computers

R.click on Domain Controllers Rre-create Read Only Domain Account


39/242


Page39

ا

User ا

ا

ت

ا

RODC

يز My Current Logged اد ا نEnterprise Admin

ا

م

ا

از

ا

دا

RODC


40/242


Page40

RODCا

وك

ا

DNS & GC

ا رUser ا واGroup ا تا ن اLogonا RODC اورواا

Database

ا

User اrodc


41/242


Page41

ا وFinish

شrodc ا ا iconان

ا machineاها RODC

TCP/IPاادات ال

ا

Gatewayا

IP

اص

Domainا

Start run dcpromo


42/242


Page42

Next Next

ا

ا

Forest

ا

او

Credentialا

اادات

ا

ا

زر

ا


43/242


Page43

Next Install

ا

ان

ا

اده

Icon

ا

RODCت

ا

م

RODCا

ت

ا

م

ان

م

اي

اراد

اذا

,,ور

RODC

ا

Domain

ا

ا

ا

ا حا وUserscacheا ا ا روا Domain ا

و

اك

Delay

يا م ن Objectا Rodcا ح

ا

Enterprise Administrator ا

ا

زر

ا

RODCاادا

ا

اي


44/242


45/242


Page45

ا

ور

Domainا

read only

ا

ا

ان

اي

Domainاي

ان

و

ا ه

objectا

ا

وان

Domain

o

ث

Replicationا

Domainوا

ا

RODC

oيا ما نا يأObjectا Domainا ث اRODC

ح ا RODCا نDomain ا نا ا ح ا!!

ا

ا

اور

اح

, ,

Domainا

Read Only

Password Replication

ا

اور

وث

Cacheا

RODC

اص

از

RODC


Open domain controller's containerR.click on RODC properties


46/242


Page46

ور

Password Replication Policy

و

Add

ازر

ا

ا

ا وار

denyاو

allow

ر

ا

ه

Allow

ا

و

ok


47/242


Page47

نا ahmedنا فاrodc عاallowاوdeny

ا ا نا ا ياRead Only Domain Controller

ا ر Users Cacheا ا روا RODC

ا

ا

ا

ا

م

ا

ض

Domain

ا ا روا نا يأRODC

ر

Advanced

prepopulate password


48/242


Page4

ا

Replication:-ا

ا

Allowed RODC Password Replication

ر

Advanced

ا

ر

Account has been Authenticated


49/242


Page49

Prepopulate Password

,,ا

ا

ا

اذا

Read Only Domain Controller ا

زر

ahmedا

او

Two

Domains Domainا ان ا ا ا


50/242


Page50

Child Domain

oؤ ي ن نا ضاDomainا DomainاSub-Domaino

ا

د

ا

ؤ

ن

Usersات

و

ا

وزادت

ام

ا

ه

,,Domain

ا

Domainا

ا

ن

ا


و

Database

o

ا ه

Machineا

Domainا

o

Additional or RODCاي

ام

Object!

,,

ا

ا

Domainو

شئ

Database

oا ا ن وEnterprise Administrator

TCP/IPاادات ال

Start run dcpromo

شا

ه

د

ا

م

اة

ه

Advanced mode


51/242


Page51

ا

ار

ر

New Domain in an Existing Forest

ا

ا

Forestوا

ا

Network Credential

ا

Administrator


52/242


Page52

Browseا

ور

Domainا

ا

م

Child Domainا

Next Next

ا

Global Catalog

و

را

ن

ا

ن

ان

ا

و

DNS

اياص

ث

loadا

Domainا

Next Next

ا

ان

ا

اده

Domainوا

ا

ChildDomain

Database

اي ما يا ث وObject يا


53/242


Page53

اص

ام

Child domainا

م

ان

Domainث

ا

,,ا

ا

-ض اظت اة:

ا Domainا ا نا اDomainيأوDomainا اForest

,,Start administrative tools active directory users and computers

R.click on domain Change Domain

ر

ا

Browseاي

ور

Domain

ان

م

ان

يا

ا

Domainن

ا

Childاو

New Treeا

ان

Domain

ا

ن

ان

Enterprise Administratorا

Enterprise Administrator ف وا ن Domainأن م ااو

ا

Child

ا عTrustا Domainاو اChildا نTwo way-د ا نا - نا يأا

اي

Enterprise Administratorاا

ا

ص

ما نا Child Domainا Child ؤ اذا ,, ا


54/242


Page54

New Tree Root

o( ش ن نا رأو يأ ش ؤ م ا ه مDomainا )ا

o

او

م

رادا

و

ا

ات

ه

ش

ن

اي

o

ن

ان

را

آ

أو

Domainا

Database

و

ا

Only One Enterprise

Administratoro

ا

ا

ش

Domain:

اص

-

ش

ك

ان

نض

A & B

و

ا ا اUPN صا[email protected],[email protected]

رادا

ون

اا

ا

ا

ان

را

Domain

او

Enterprise

Adminاو

ا تاداا IP\TCPـ ا داا ا New Tree

ذ

Start run dcpromo

mailto:[email protected]:[email protected]:[email protected]:[email protected]


55/242


Page55

ارة

ر

Create a new Domain Tree Root

oا

ا

ار

Tree

ا

ؤا

ا

او

اه

o نا ش ا ا نDomainا ث اChild را ك ا

م

Browse

o ا يا را Domainاo

را

Domain

ادارة

ا


56/242


Page56

ا

اا

ان

DNS & GC

Next Next


57/242


Page57

ا نا ا هدا Domainاو ا New TREE databaseو

يا ما يا ث وObject يا

-ض اظت اة:

ا

Domainا

ا

ان

ا

Domainوأي

Domainا

ا

Forest

,,


R.click on domain Change Domain

ر

ا

Browseاي

ور

Domain

ان


م

أن

ف

او

ن

ا

ا

Domainوا

ا

New TREE


58/242


Page5

ا عTrustا Domainاو ا New TREEا نTwo way-د ا نا -

ا

اي

ان

أي

Enterprise Administratorا

ا

اص

ما نا Child domainا TREE ؤ اذا ,, اه

ا

ا

ا


59/242


Page59

Active Directory Partition (Database)

ا تا هActive Directory

ا ي اForest:-ا ياإ Partition اوForest

ا

ي

ا

Domain:-

ان

اي

Domainا

Partition

اص

Domain LevelForest Level

1- Domain Partition1- Schema Partition

2- Application Partition2- Configuration Partition

1-Schema Partition ا تا يObjectاوAttribute ا( ت يا ن اي )Enterprise administratorان نnot recommendedا

وث

ا

ؤدي

ان

failure

ام

ا

ا

ن

partition:-Start administrative toolsADSI edit

R.click Connect to


60/242


Page60

ا

ور

Schema

2-Configuration Partition

ا

ا

ت

ي

infrastructureر

ا

ا تا sitesا وipا و صاreplication

ن

ا

Partition:-Start administrative toolsADSI edit

R.click Connect to


61/242


Page61

ن أ كوStart administrative tools Active Directory Sites and Services

3-Domain Partition

ا

ي

Built-in Users and Computers.

Attribute & value

:-Active Directory User and Computers


62/242


Page62

4-Application Partition

يا يSoftwareا ا ج تا هReplication

DNS

ه

ان

Application partition Active Directory Integrated Zone

اا عاDNS Zonesا سر ف(Infra)

-Primary Zone-Secondary Zone

-Stub Zone

-Active Directory Integrated Zone

Start

administrative tools

DNS


63/242


Page63

م

Change

ا

ن

ان

أي

partitionا

ا

DNS


64/242


65/242


Page65

دي

ا

و

Domain Name Master -2

م Domain م ا ه ,, ن أ processم ا

ا

ا

ان

Uniqueا

Forest

ا ر ا ا Domain

ا ه ن Role:-

ا

Active Directory Domain and Trust


66/242


Page66

Relative Identifier Master (RID)-3

ش

ارم

Poolا

RID

م

Userاو

Computer

ن

SID وف

ا

ر

RIDا

Pool

م Migration ا Domain ا ناو ث

ا

Replaceا

ر

ن

SIDا

و

RID

ا ه ن Role:-Start administrative toolsactive directory users and computers

R.click on domain Operation master


67/242


Page67

Primary Domain Controller Emulator (PDC)-4

ا

Date and Time

Domain Master Browser

ا

اض

Domain

اور

ت

اوت

ا

Group Policy

ا ا م ا و يا PDC Emulator رودا

Windows NT PDC

ا

ه

ن

Role:-Start administrative toolsactive directory users and computers


ا

ور

PDC Tap


68/242


Page6

Infrastructure Master -5

ا

Domain

responsible for updating references

ا

ه

ن

Role:-Start administrative toolsactive directory users and computers


ا

ور

Infra Tap

م RoleDomain!!! خ

– اغ اك – خSchema RoleDomainاو اخ ا ام الStart run cmd

ntdsutil

activate instance ntds

role

connection

connect to server (server name)

quit

?

دي

اوا

ا

ف

ن

يا ا نا ا يأDomain ا

Seize schema master


69/242


Page69

ا

أ

FSMO Roles

Start run cmd

dsquery server -hasfsmo schema dsquery server -hasfsmo rid

dsquery server -hasfsmo pdc

ا

Domainا

ا

Schema Roleر

ا

Error

ا

ا

اي

واذا

ا

New Treeا

أ

ان

Schemaا

ا

Domain


70/242


71/242


Page71

Enter

ا

ده

Default first site nameا

Mansoura

ا نا SiteاDekernes

اي

م

Serverا

ا

Siteا

http://www.facebook.com/l.php?u=http%3A%2F%2Fbing.com%2Fmaps%2Fdefault.aspx%3Fv%3D2%26pc%3DFACEBK%26mid%3D8100%26where1%3DMagless%2BElmadina%2BStreet%2B_%2BFront%2Bof%2BMisr%2BPharmacy%252C%2BDekernes%252C%2BEgypt%252C%2B35744%26FORM%3DFBKPL0%26name%3DEgypt%2BNetRiders%26mkt%3Den-US&h=BAQEA3taGhttp://www.facebook.com/l.php?u=http%3A%2F%2Fbing.com%2Fmaps%2Fdefault.aspx%3Fv%3D2%26pc%3DFACEBK%26mid%3D8100%26where1%3DMagless%2BElmadina%2BStreet%2B_%2BFront%2Bof%2BMisr%2BPharmacy%252C%2BDekernes%252C%2BEgypt%252C%2B35744%26FORM%3DFBKPL0%26name%3DEgypt%2BNetRiders%26mkt%3Den-US&h=BAQEA3taG


72/242


Page72

ان

Subnetا

Domain

Site

ا

او

Subnet

Site

وم

Subnet

Siteا


73/242


Page73

ا

ا

Sitesا

IP

!! ,,ا

ر

ان

ا

ا

-Sites in the site link

ا Sites وLink اد

Link او وا

-Cast

ن 100,, وا دو نا

نا ا وSite link ا اTwo Sitesا دو وا وCast اذا وا

اا

ا اذاوCast 100 مBalanceا Two Links

-Replication Every

ا ا و ياSites

ا Siteا تاذ ث

ا

ا

Different Sites

ن

3

أ

15أي

ا

اي

اوت

اي

و

,,15 , 30 , 45

-Change Schedule

ا

ده

وت

ده

ام

ا

وت

و

ا


74/242


Page74

Site Linkا Sites

OK ا

ذ

Castوا

Replication timeوا

Schedule

اBridge Head

oا

دا

Domainا

ا

ا

Replication

ر

Site

oا

ع

ور

Replicationا

IPا

أو

SMTP

oR.clickاي

Serverوار

Properties


75/242


Page75

ا

ا

ا

Two Sitesا

ا

Domain:-ا

م

DNS

و

User ن

Domain

Siteا

ا

Authentication

ChildDomainا ا Sitesا نا ا ذ ر نا ا وا

Domainا

ي

او

Server ن

ان

ا

Child Domain

ا

إ

ث

اي

ر

اذا

Child Domain ه

ان

ا

ره

Active Directory replication is:

MultiMate replication

Pull replication Store-and-forward


76/242


Page76

Partitioning of the data

Automatic

Attribute-level replication

Distinct control of intra site replication

Collision detection and management

Replication Transport Protocols Directory Service remote Procedure call (DS-rPc) DS-RPC appears in the Active

Directory Sites And Services snap-in as IP. IP is used for all intrasite replication and is

the default, and preferred, protocol for intersite replication.

Inter-Site messaging — Simple mail transport Protocol (iSm-SmtP) Also known

simply as SMTP, this protocol is used only when network connections between sites are

unreliable or are not always available.

The Intersite Topology Generator (ISTG) creates connection objects between Bridgehead

servers that share a site link

Within a site, domain controllers replicate quickly, using a topology generated by the

Knowledge Consistency Checker (KCC), which is adjusted dynamically to ensure effective

intersite replication

Replication :-

Intra Site Every 15 Second with 3S for Delay

Inter Site Evert 3 Hours


77/242


Page77

Trust

ا

ا

ااع

دا

ا

Domains

ن

:

oTwo Way

ان

ان

اي

.ا

oOne Wayاع

ا

اادات

ا

ا

ا ا ت ا واDomainsKerberos Authentication Protocol

Parent and Child

Default two ways in the same forest

Tree Root

Default two ways

Between Tree root domain and other Tree root domain

Shortcut Trust

One or Two way

Between Child in Tree and Child in other Tree

External Trust

One or Two way

Between any Domain in Forest and any other Domain in other Forest

ثرا

Trust not inheriting

Forest Trust

One or Two way

Between Forest Root Domain in Forest and other Forest Root Domain in other Forest

Realm Trust

One or Two way

Between Microsoft Operating System and other Operating System likes Linux


78/242


79/242


80/242


Page0

ارث

ث

policyا

Domainا

Siteا

OU

ا

ان

أي

Policyا

ا

DomainOver write

ع

شئ

اي

ا

اارث

م

رض

اي

ث

اذا

Block Inheritance

ا نا Domainرز !

ا

اارث

Objectوك

Policyا

ا

او

ا

ئ

ا

ان

را

Enforced


81/242


Page1

90ا م دServer ا Policiesا ا نا و

ا

Group Policyا

gpupdateا

CmdStart Run

ا

ا

او

اي

واذا

gpupdate /force

ا

ي

User ا

او

Computer

م

Policies administrative template system group policy

Refresh Interval

اص

ا

ا

ادي

ت

Policy

ا

ا

و

ا

ت

او

ر

Slow link detectionن

و

ك

اد

ا

500kb/psان

ر

دو

WMI Filter

-ا

و

ا

Policyا

و

User

- وا Import-

وا

اا

ا

م

Troublshooting

Windows Management Instrumentation (WMI) is a management infrastructure technology

that allows administrators to monitor and control managed objects in the network.

A WMI query is capable of filtering systems based on characteristics, including RAM,

processor speed, disk capacity, IP address; operating system version and service pack level,

installed applications, and printer properties.

Because WMI exposes almost every property of every object within a computer, the list of

attributes that can be used in a WMI query is virtually unlimited.

WMI queries are written using WMI Query Language (WQL).

R.click on WMI filter New


82/242


Page2

Group Policy Result

-ا

ف

Policyا

ا

Computer Accountا

ا

ا

DC

ز

اي

او

R.click Group Policy Result Wizard Next

ا

او

دا

ا

ا

ار

Browse

وار

ا

ار

User

ا

Logonا

Machineدي


83/242


Page3

Next Next Finish

ا

ا

Policies

ا

ا

Group Policy Modeling

-ا

ه

Group Policy Resultا

رات

ك

ن

و

-او

او

ا

ا

اض

Troubleshoot

Policiesي

ا

ا

ا

Forest

اي

وث

,,ااو

اداره

-ا

Policies

ا

Domainsا

Forest

-ا

ا

Policiesا

ا

Sitesوا

OU

R.click Group Policy Result Wizard Next

اي

ر

Domain


84/242


Page4

-ا

إداره

Result

-ا

ي

ا

User ا

ي

او

Computer Account-

اي

ار

ا

Container ا

اد

Domain

Browse

ا

ا

ور

ا

Next

-

اي

ار

ا

Siteا

Policy

ا

Next

-

ا

ا

ر

Filter

و


85/242


Page5

Next Next Finish

ا

ه

ا ه

و

ا

اره

وه

Policy

م

ان

Policy

ه

واه

او

م

OU

ا

R.click ا

OUا


86/242


Page6

ا روPolicyا هد ForestاDomainدا او Domainا

ا

ان

ت

م

ن

إذا

Domainا

و

Policies

ا

ر ك

ا

ه

Policy

Loop Back Processام

ا

Computer configuration Policies Admin template System Group policy

Two Modes

Replaceا

Policy

ا

Domain

ام

ا

Merge

ا

ده

,,

د

Restrictionام


87/242


Page7

Deploy Software

ا

أاض

ي

Group policy

ا

ا

او

ت

او

ان

ا

-Software Distribution Point

ا

اا

ا

اده

ا

اا

د

Path

اص

-:

ا

ات

-oا ا داا ن نا Extensionن نا.msiوا.zapo

ا

و

ان

Shared folder

o

ا

او

ا

Packageo

ا

ب

أ

ار

User وا

Computer


88/242


Page

oyingDeplاع ا-

Publish Assign

ا مUser Account

: - ن

Fullا

ام

خ

Partialا ل ما خ

ا ب مUser او

Computer

أ

ا

ن

ار

ا

و

ا

ام

أ

o

OU

Testا

م

وو

R.click OUا

o R.click ا PolicyروEdit

oا

User Account

Policies Software SettingSoftware Installation

R.click New Package

oا

ر

ور

Shared Folder ا

اد

Package


89/242


Page9

oتارا ه و

o

ا

Advancedا

ت

Developingاو

اا

ا

ا ااد ه و م

oر

Publish

o

م

ا

gpupdate /forceا

Run

o

ووز

ز

7

ا عا ما ب مOUا ه اPolicy

م

Control Panel\Programs\Programs and Features

وم

ا

R.click ور

Install


90/242


Page90

ا

وأ

شا

ه

ا

ان

Deployا

R.click ا

Packageا

اع

ور

oا

Computer AccountPolicies Software SettingSoftware Installation

R.click New Package

ا

ان

Publish

ا

Computer Account

oا هذ ص Advanced:-R.click

ا

Packageور

Propertiesا

ور

Upgrade

وم

Addا

و

Upgrade

اص

Software

ا

و


91/242


Page91

Policyزف ا

ا

Deployingاران

ك

,,R.click on package all tasks remove

و

:-ا

Policyا

ب

ا

وف

Userا

و

Computer

ا

أ

:-ا

Policy ا

و

ا

ا

وك

Restricted Groups

-

ا

Policy

OU

ا

أن

را

او

أ

ا

م

ك

و

,,ده

Featuresأي

-ا

ه

ا

ان

رأ

أو

Policy

-

ام

و

Groupا

ا

و

Restricted groups

Computer Configuration Policies Windows Setting Security Setting

Restriction Groups

م

R.click Add Group


92/242


Page92

Browseا

و

Groupام

ب

اع


93/242


Page93

Security in Group Policy

ا

ام

اي

Group Policy

ا

ا

ا

..واوج

ا

اوت

ا

..اور

ت

ا

ده

ا

ا

Icons ..ا

ا

ان

ا

User

ا ا ثو


Account Policy Password Policy

ا

Password

Enforce password history:-

ا

ه

م

اور

ام

Policyا

ه

ه

د

ا

اام

Policy

ت اور اا

ام

ان

ا

م

5او

7ا

ا

اا

ور

ت

ا

24اا

ور

Maximum password age:-

اور

اا

ا

أو

اور

ه

او

ان

ض

42 او

اه

ه

ان

و

ام

ت


94/242


Page94

Minimum password age:-

ا

م

واوح

م

و

اور

اا

أ

99م

Password must meet complexity requirements:-

ااو

ه

اور

ن

ان

ا

ا

ب

Store passwords using reversible encryption:-

اور ا

وا

ا

وم

Challenge-Handshake Authentication Protocol (CHAP)


Account Policy Account Lockout Policy

ا

ووج

د

وت

Account lockout duration:-

ه

اب

اور

By-default30د

ا

اب

ان

ط

و

Administrator

Account lockout threshold:-

ا

ات

بد

ن

ان

3ا

5ا

و

ات


95/242


Page95

Reset account lockout counter after:-

ا

ام

و

اده

ا

اه

By-default30د

o ا وPoliciesا ت ا ها


Account Policy Kerberos Policy

ا

و

اور

ت

اص

و

kerberos Protocol


96/242


Page96


Account Policy Local Policy

ا

ا

Policiesا

Local Account

Computer Configuration Policies Windows Setting Security SettingAudit PolicyLocal PolicyAccount Policy

-وا

ا

ا

و

اا

ت

ما

اا

ا

ادوات

و

وج

ت اا او ا- Server ا Errorوأ اذا ثTShootا اا ا

ا

وث

و

ا

ن

ا

-ا

م

Event Viewer Toolا

ا

Monitor

Start Administrative tools Event Viewer


Uesr Rights AssignmentLocal PolicyAccount Policy

ا

Policiesاو

ر

إ

ا

اي

..

او

وا

م

Policy

ا

و

Policies

أن

ا

اي


97/242


Page97


Security OptionsLocal PolicyAccount Policy

ا

ب

ا

ارات

:ان

-Accounts: Rename administrator account

إده

Interactive logon: Do not require CTRL+ALT+DEL

أ

أي

Lock

Account

ه

ا

أي

ح

اب

)ا

ا

اي

(Interactive logon: Message text for users attempting to log on

ر

ا

ان

ا

,

أو

شئ

User configuration Admin Templete System Removable Storage Access

ا

ا

ا

USBأو

CD and DVD removable storageأي

او

Removable Storage

ا

را

ك

Denies read access ة ا يأDenies write access

و

ات

ا ة

Computer Configuration Policies Windows Setting Wireless Network Policy

Wirelessام ا ا ا

م

Windows XPاو

Viste – 7

م

New Vista Wireless Network Policy

شا

ه

م

Addا

ع

Connection


98/242


Page9

Add Hock :-

ا

ا

ز

م

Peer – to – Peer

Infrastructure:-ا

ه

Switch

اه

اا

ر

Ok

ر

Security Tab

ا

اع

ه

Authenticationا

وااع

ا ا اWPA2-Enterpriseااو ه

او

TKIP اوه

ا

ا

م

ا

ك

ارات

ا

ده

ات

ك

Policy

ا

Going Throw

ا

ر

Network Permission ق


99/242


Page99

و

Addا

و

SSID

ا

SSID

اص

ا

Access Pointا

اام

ا

ا

ا

ان

Access Point

وي

Load Balanceو

ا

وث

ث

Loadا

و

ا

ا ماا ا وUser Windows Firewall

Computer Configuration Policies Windows Setting Windows Firewall and

Advanced Security

أي

ا

Roleا

او

ا

Filter

R.click New Role


100/242


Page100

اي

ور

Role

او

ان

Portد

IP Security

Computer Configuration Policies Windows Setting IP Security Policy

:أاع

-


101/242


Page101

Responseلا ن نا Secureد لا م وا

Require Security ا

ن

ان

Secure

Request Security نا ا وا ضو نSecure اذاو م

ان

ا

ه

و

دي

ا

active directory arabic book 2008

Documents