Introduction to Active Directory Infrastructure in Windows Server 2012

Captions
Hello again. As you know, I am Eli the Computer Guy, and today's class is Introduction to Active Directory Infrastructure in Windows Server 2012. So we are going to be talking about the critical infrastructure within a Windows Server 2012 environment. Now I want to make sure, and I'm going to bang this into your heads today, that you understand we are talking about the Windows environment; we're talking about the sysadmin environment. So today we're going to be talking about domain controllers, client computers, DNS, DHCP, sites, replication, those types of things.

Now when I'm talking about this type of Windows Server infrastructure, I am NOT, not, not talking about Cisco equipment. I'm not talking about routers, I'm not talking about modems, I'm not talking about switches, I'm not talking about any of that right now. We are simply in the Microsoft Windows Server 2012 world; we're not worrying about Cisco equipment. As far as we are concerned today, the data networking components are already set up, they're already functioning, they are not our responsibility. A lot of times when people start talking about infrastructure you assume that we're talking about routers or switches or modems or Adtrans or any of that kind of stuff. Today we are not talking about that. We feel that the data networking layer is solid, it's secure, it is not our responsibility. We're only talking about the Windows Server 2012 Active Directory infrastructure.

Now this class, again, as I talked about with all classes, I'm pulling a lot of information out of this Windows Server 2012 Unleashed by Sams. I'm going to put a lot of time and effort into creating this learning track for you for Windows Server 2012, but to put it frankly, this is a lot of material. It is in your best interest to go out and pick up a copy of either the Sams version of this book or some other vendor's version of the Windows Server 2012 book, because there's a lot of information in these that I simply cannot go over unless I literally sit here and read into a camera for hours on it, and I'm just not going to do that. Pick one of these up for about $60 at Barnes & Noble.

So basically we are going to be talking about the Active Directory infrastructure today. Remember I talked about Active Directory before. What is Active Directory? Active Directory is the security services for a Microsoft Windows network. Active Directory is the server service that allows you to create things like user accounts, allows you to create things like computer accounts, allows permissions, allows security. It ties users and computers together. That is what Active Directory does, so make sure you remember that as we're going forward in the track. Again, the big thing, what makes Microsoft Windows environments so good, so wonderful, so great, is this Active Directory security that allows you to easily administer hundreds or thousands of servers and thousands, tens of thousands or hundreds of thousands of client computers. When we're thinking about things like Active Directory, you've got to get out of your mindset of thinking about five computers or ten computers, or a big company being a hundred computers. We're talking about companies that have 300 thousand employees. How do you administer those systems? How do you secure those systems? With Active Directory you are able to do it relatively easily. So today we're going to be talking about that infrastructure.

This is going to be a big whiteboard class. We don't have any practical stuff yet; it's all going to be on the whiteboard. So let's go over to the whiteboard now so I can start explaining to you guys how this stuff in Active Directory works. We're talking about the infrastructure, we're talking about the different computers and servers we are going to be using in this Microsoft Windows Server environment. Now one of the things that really confuses people when you start dealing with Microsoft servers is so many
different types of servers are built into the Windows Server operating system. You can get very confused and not realize that they are all individual things. So if you buy Server 2012, you go to newegg.com and you buy the OEM version or whatever (oops, I've got these stink bugs around here, they're just horrible, sorry about that), you go to, let's say, newegg.com and you buy the $600 version of Windows Server 2012. When you get that operating system it is going to have Active Directory built in, but it's also going to have something called IIS, Internet Information Services, built in. It will also have Routing and Remote Access, which allows you to create a VPN server. All of that is built into the package. So one of the things when you're thinking about something such as Active Directory is you have to separate out all of these different components and server services and really just focus on whatever it is you are working on at the moment. We're talking about Active Directory today.

So in Active Directory, as we talked about before, we have these things called DCs, or domain controllers. These are the Active Directory servers; these are the servers that hold the database with all the information about the computers and the users on the network. Those are called DCs. You then have client computers. Client computers are the Windows 8 computers, Windows 7 computers, Windows XP Pro, Windows Vista Business Edition; these are the computers that connect to the DC and become members of the domain. So this is a domain controller, and the domain is all the computers and all the servers on the network that are part of this one logical domain: all of the security policies, all the user groups, all that. You add client computers and servers to the domain by connecting them to the domain controller. That's what creates the domain.

Now since we're now in 2012 we like redundancy, right? Back in the day, way back when I started doing computers and technology in 1999, we didn't have a lot of redundancy. We used to have something called PDCs and BDCs and they were a real pain in the butt. Well, now we simply have what are called domain controllers. So one of the questions that you have is, if we're dealing with an environment that has thousands, tens of thousands or hundreds of thousands of users, do you really want to rely on one single DC or domain controller to do all of the authentication for all of those different computers and users and servers on the network? Well no, you don't, because if one DC fails, one domain controller fails, it means basically your entire network stops working. That's not a good idea. So what you can do now in the Server 2012 world, and actually this goes all the way back to the Server 2000 world, is you can add multiple domain controllers to the domain. So I can have, let's say, four different DCs here, and if one fails, or if one is getting hammered too hard by too many users, you can have fault tolerance and load balancing off of all of these different domain controllers. This is called clustering, because again, what is the domain controller doing? The domain controller houses the database for all of the computers and users, so when you have databases you can do clustering, which means you combine multiple servers into one cluster so that if there's a problem with one DC or domain controller the other 3 or 4 or 20 DCs are working just fine and all of your computers and all your users can log on to the network and get all the services that they need. So this is the important thing. Domain controllers are what deal with, you know, when you sit down at a computer and you log in to the network, to the domain, you're connecting to the DC. The client computer has to be added to the domain, and then once it is, when you log in you'll be directed to the domain controller, and hopefully on your network you have multiple domain controllers, and this is a cluster of the domain controllers.

Now one of the issues that's going to be coming up, what you have
to be thinking about is, okay, so if we've got four DCs here, we've got four domain controllers, now what happens if we have all these users and user one connects to the first domain controller and, let's say, he changes his password, and user two connects to the fourth domain controller and he changes his password? Well, now you're thinking, there's four different domain controllers here; how does domain controller one know that password got changed on domain controller four, and vice versa? Well, this happens through replication strategies. Replication strategies, or replication, is how data is copied between all of these domain controllers. The important thing when you're dealing with clusters, and we are dealing with domain controllers, is that they all have the same information, that they all can be used, because if information gets changed on the first domain controller but it never gets changed on the fourth, then if somebody goes to log in you're going to be having problems. So this is replication, and whenever you have multiple domain controllers on your company's network, whether it's a LAN or a WAN, they have to be able to replicate the data out to all the other domain controllers so that they all have the same information.

Once we start talking about replication we start talking about sites. Sites are where, in the Active Directory consoles, you combine different domain controllers and say that they are at a particular site. So let's say you have a corporate office, and at that corporate office you've got, let's say, ten domain controllers to make sure that everybody can access the domain controllers when they log in in the morning. So at your headquarters office let's say there's 50,000 users, so, I don't know, let's just spitball and say you have ten Active Directory domain controllers on that local network. Now when you do replication strategies, since they're all on that LAN they're probably connected with gigabit network connectivity, they can replicate data very quickly amongst themselves. So what you would do is you would create that as, let's say, a headquarters site. You would tie those domain controllers together and call them a single site because they can replicate the data very quickly.

Well, the question that happens is, what if you have multiple what are called satellite offices? So here you've got 50,000 users, but then let's say you have these offices all over the country and they all have a hundred users. Well, one of the things that you don't think about is, when you go to log into a domain, you sit at your computer, you type in your username and credentials, that connects to the domain controller and then your access control key is given back to you. That isn't very much data, that doesn't seem like very much data, but when you have lots of people, hundreds of people or thousands of people, all trying to connect to domain controllers, that can eat up a lot of bandwidth, right? Because you're logging in, your login information is sent to the domain controller and then the domain controller sends you information back. On the LAN, the local area network, that doesn't seem like any big deal, but if you're dealing with internet connections, that login process can start to take up a lot of bandwidth. So many times what you do is at these remote sites you put in their own domain controllers, DCs, so that when the users here log in they log into the local domain controller versus having to send all that information over the network. So what you're going to have is a domain controller generally at every satellite office that you're dealing with. Well, the question then is, what do we do? Because if this is a domain controller, just like this is a domain controller, and there's all of these changes happening, how do we make sure that the domain controllers have the same information, that replication
goes on? Well, what we've done is we turn the headquarters into one site, and we then turn these remote offices into their own sites. So let's say this is the Baltimore site, this is the Philly site, and this is the Washington DC site. However many domain controllers we have at these sites, we combine them to create their own site within the Active Directory configuration. So we have the headquarters site, and all of the Active Directory servers on this site are connected to that headquarters site; then at every remote office we create them as their own site, and any domain controllers that are there we add to that site within the Active Directory environment. Then we tell it what the replication strategy will be. So if you are at the headquarters site, within the site on this LAN, the replication will generally happen in real time or almost real time; all of these servers will be replicating to each other and they will all be completely in sync, generally within a couple of minutes of each other. Well, if you're having to send data over the internet connection and you don't want to bog down the internet connection with all that replication, what you can do is set a time, or a replication strategy: when will the data replicate? Will it replicate every five minutes, or every one hour, or once a day? So you can say that once a day, at 1 a.m. in the morning, the data will replicate out to all of these different sites. Generally, if you're dealing with some sites where not a lot of changes happen, this will work A-OK. So this is the idea of sites. Within Active Directory you configure these different sites, and you say what Active Directory servers are in the sites, and then what you'll be doing is saying what the replication strategy is to replicate the data between all of these Active Directory servers.

Now these connections here are called site links. The connection between the headquarters site and the DC site is called a site link; the connection between the headquarters site and the Philadelphia site is a site link. This is called a site link; it's how the sites connect together. Now the next thing with the sites is that there is something called a site link bridgehead. This is important because, remember, with all of this Active Directory synchronization going on, we have to try to make sure that there's the greatest possibility that the synchronization will happen, that if there's a single point of failure in, let's say, the network, the synchronization will still go on. So with these Active Directory sites you can make them what are called bridgeheads. What that means is, if these sites are connected through the network to each other as well as to the headquarters office, and something happens and the connection to the headquarters office fails, what a bridgehead allows is for the synchronization to go from the Baltimore office to the Philly office and then back up to the headquarters office. Basically what the bridgeheads allow is redundancy, so if one connection fails it can use another; the servers can use different servers on the network to try to be able to do the replication in the future. So some of this gets a little fuzzy, but basically this is the idea with sites. You have sites, then you have site links, then you have bridge
heads, so as to allow, like I say, if one link in this connection fails, they can still do all of this replication. So that's the basic idea with sites, site links and site link bridgeheads.

Now some of the other things that you have to think about: let's say you have the headquarters office here and you have these other remote offices. Generally the domain controllers will be what are called read-write. What read-write means is, if I go to log in to a domain controller I will be able to put in my username and password, it will go to the domain controller, it will check to see if my username and password are correct, and if they're correct it will allow me access to the domain. That is called a read. The reason it's a read is because you are giving the server your username and password that have already been created, and all it is doing is verifying that the username and password are correct, so that's a read. Well, then you have what is called a write. A write with the domain controller means that you can make changes to that particular domain controller. So let's say you want to change your password. You log in with a domain controller, then you say I want to change my password, and you change the password. When you change the password, what it's doing is writing that new password to the database on that domain controller. So if you want to be able to add users, if you want to change passwords, if you want to change usernames, basically the domain controller has to be both read and write.

So one of the things you can do from a security perspective: you have these remote sites and all these remote sites have their domain controllers, but what's the big problem? Well, here you have the headquarters building, and in the headquarters building you've got a lot of security, right? The headquarters building has got armed guards, you've got barbed wire fences, you've got a geek with, like, knives that can slice you in half if you try to hack their systems, right? In the headquarters you've got a lot of security; the most secure place in any company is going to be the headquarters building, no matter how sad that security may actually be in the real world. Now the problem is, out at the remote sites is always going to be the worst level of security, right? Because you've got a hundred users, you've got a thousand users, you've got five users, and frankly management, the C levels, the CEO and so forth, when they look at these remote offices they don't want to pay a lot of money for security. So the problem is, if you have these domain controllers sitting at these remote offices with read/write ability, what happens if a hacker can get into this office, hack into the domain controller at the office, and make changes? If you have read/write ability, so they're able to write to this domain controller, well, whenever the replication strategy happens that information will get replicated throughout the network. And now, because they were able to compromise your one little remote site that the CEO didn't care about, they are now able to sit at their computer and hack into the headquarters system. The reason being is because they hacked into, let's say, the domain controller here for this one site; let's say they gave themselves a user account with VPN access. Well, that user account with VPN access now gets replicated out to all the other servers on the network, so now the hacker can sit at home, use the VPN access to create a VPN connection with the headquarters, and now try to do all kinds of hacking. So the problem is, a lot of people put read-write domain controllers at all of the remote offices, so if a hacker gets in and they're able to write to that local domain controller, then that information gets replicated out throughout the network. So one of the things that you can do with the Active Directory infrastructure is you can create read-only domain controllers. So you put read-only domain controllers at these satellite offices, so
when users go to log in, all of their credentials are stored at these read-only domain controllers, so they're able to log in, but if somebody tries to hack in and make any modifications to the domain controller they're not able to, because the domain controller is in read-only mode; you simply can't make any modifications to it. So that's one of the things to think about when you're thinking about this Active Directory infrastructure: you have read/write domain controllers, but then at the satellite offices you can have read-only domain controllers.

The other thing that you have to be thinking about with domain controllers is something called global catalogs. Global catalogs are basically indexes of all the data stored within the domain controllers, so the user accounts and the computer accounts. Because again, remember we're talking about Active Directory; what are we talking about? We are talking about a database. A database controls and holds information, right? So the question about what computers are on the network, what users are on the network, how you access those computers and users, that's all stored within the database. If you just simply dump that database, if you just have that database with no indexes, it will take forever for any computer on the network to be able to find any information. So whenever you're dealing with any kind of database you always create something called indexes; these allow you to search the database very, very quickly. In a Microsoft Active Directory world the indexes are called the global catalog. So what happens is, at every single site you should have one of these global catalogs. Again, this is something that you just set up on the Active Directory server, and what it does is it indexes the Active Directory information so that when users go to search for something they're able to find it very quickly. So the global catalog, you have to have that installed on at least one server per site that you're dealing with.

Now when we're talking about Active Directory infrastructure, so we've talked about the domain controllers, we've talked about the client computers, the member computers, we talked about sites, site links, site link bridgeheads, global catalogs. One of the things to remember is, again, in the Microsoft world, the Windows world, Microsoft likes to control everything, and if Microsoft can't control everything you can have a lot of weird problems. So part of the whole Active Directory infrastructure that you should have, that you should make Windows, Microsoft, have control over, is DNS, the domain name services server. So basically you guys are probably used to DNS; maybe you go up onto the internet and you change something for your website, or on your local network at home you make a few modifications. Well, Microsoft Windows Server 2012 DNS is light-years ahead of the DNS that you're dealing with when you're dealing with your little Linksys router at home. The DNS for Windows Server 2012 does a lot more than that little Linksys DNS server that you have sitting at your house, and so you should have Microsoft take care of DNS for your network. One of the important things is, remember, what does DNS do? DNS maps names, fully qualified domain names, to IP addresses. So if you're worried about security you want to try to make sure that nobody can hack your DNS and cause all kinds of problems on your network, start pointing users to incorrect servers and all that. So with Windows Server 2012 DNS they have things like reverse DNS, that maps IP addresses to names. Normally when you're dealing with DNS you map the name, the fully qualified domain name, to an IP address; well, with Microsoft Server 2012 you also map the IP address to the domain name to make sure that everything matches with the DNS. Or something called dynamic DNS: what that means is when a DHCP address is given out by a Microsoft Server 2012 server, that DNS is automatically updated. So when you're dealing with Active Directory, theoretically you can use a
different DNS server, but I would highly suggest that you use Microsoft's DNS server.

Now there is something, when you read the book you're going to see something that frankly I haven't seen in the real world for a long, long, long, long, long time, but you should realize that it might exist: something called a WINS server. So remember way back when, when Microsoft was trying to take over the world. Well, DNS is the open-source standard that everybody went with for mapping domain names to IP addresses. Well, way back in the 90s Microsoft wanted to try to control mapping names to IP addresses, and so they came up with WINS, which was a competitor to DNS. WINS was Windows Internet Naming Service, and, I don't know, I saw a couple of these servers up and running way back when, but it was way back when. But something that you should realize is, if you have very, very, very old legacy systems, I'm talking really legacy systems, like literally these things have been running since like 1996, you may have to set up WINS. All you have to realize about WINS is that it was Microsoft's competitive version of DNS and that nobody uses it anymore. But if you read the books and you learn about WINS, just realize it did exist, and they only talk about it because maybe, possibly, slightly, there's a chance that you have a computer on your network that was installed back in 1996.

The final thing we're talking about with this Active Directory infrastructure is you should have Microsoft Server deal with DHCP. So DHCP is what gives out the IP addresses to all of the different computers on the network that use dynamic IP addresses. Again, the reason that you should use Microsoft's is because it plays nice in the Microsoft environment; if you use other DHCP servers you may have all kinds of problems. The benefit of using Microsoft DNS and DHCP is not only will it play nicer with the Windows Microsoft Server environment, but you can also have redundancy and fault tolerance. So you can have multiple DNS servers and multiple DHCP servers, just like you have multiple domain controllers, and again, if one of them fails or two of them fail or three of them fail or whatever, as long as you still have one running the rest of the network will keep going. Again, this is something that you really have to start thinking about once you start thinking about larger networks. When we're talking about large networks we're not even talking about a thousand users; we're talking about 10,000 users, a hundred thousand users. You can't rely that one DHCP server is just going to be running 24 hours a day, seven days a week, forever, and that it's never going to fail. You always have to have some kind of redundancy, so if the DHCP and the DNS fail you're not going to have any issues, because again, having ten users not being able to get on the network, yeah, sucks, but with ten thousand users not being able to get on the network, then you have a catastrophe, and then you're probably getting fired. That happens in the real world.

So these are the basic concepts that you should understand for Active Directory infrastructure. Again, we are not talking about Cisco or Juniper or SonicWALL; we're not talking about the data network layer of the network, we are talking about the actual servers here. So you have the domain controllers that house the database for all of the Active Directory information. You can turn them into clusters so that they replicate the information, so that you have fault tolerance and load balancing. When you cluster them on a local area network you turn them into a site. If you have domain controllers off on remote sites, you turn them into different sites so that, with the replication strategy, you can determine how often the data should be replicated. Again, the bridgehead, as we talked about: so this is a site link, so when you have two sites connected that's called a site link; a bridgehead is if you have multiple site links and then one fails, that
replication can go through a different route. Kind of think of site link bridgeheads almost like a routing protocol for replication of this Active Directory information. Then remember, whenever you have these remote sites, if you don't have good security at these remote sites you can put read-only domain controllers there. That means users can log in and get all their information, but they can't write to that domain controller, so it's a security thing. Then you have the global catalog; this is the index of the Active Directory database. You have these indexes to make it faster, so when you're trying to search for something on the network, if you don't have an index it will take a long time; if you have these indexes it will go rather quickly, and so at every single site you should have one of those global catalogs. Then we talked about DNS (again, we will talk about DNS a lot more) and DHCP. The big thing to remember with DNS and DHCP in the Microsoft Server environment is, unless there's a really, really good reason to use something else, just use Microsoft's. I'm telling you, doing this stuff in the real world, once you've decided to use Microsoft, if you just stick with Microsoft, Microsoft plays very well with Microsoft. Microsoft doesn't always play well with other things. If you don't use Microsoft Windows Server 2012 DNS and DHCP you could have problems in the future, so I would say just use it. One of the good points with using it, again, is you can have fault tolerance; you can have multiple DHCP servers, multiple DNS servers, and if one fails you still have that functionality on the network. Very good thing. And the final thing is WINS, Windows Internet Naming Service. You will probably see this in the books, and it's archaic and it's legacy, and in all the time I've been doing this, I mean, it's been since the 90s since I saw WINS. WINS basically is one of those things that basically failed from day one, but Microsoft was big and powerful enough that a few people went with it, like way back twelve years ago, but by now you should never see WINS. But there is a possibility that you could see it.

So this is the idea of what we're dealing with with the infrastructure. So yeah, I mean that's it, basically. You have to start grasping these concepts before we can really go in and start making configurations and making changes and building domain controllers and all that, because the big problem that I see with a lot of the new people is that they simply don't understand what is trying to be accomplished. Nobody sits down and really explains to them what the hell Active Directory is; they just rush in to creating organizational units and sites and doing all this stuff, replication strategies, but you as a student, you're still like, but what's a site? Again, really, for you guys to go forward and learn, whether it's Windows Server or whether it's Cisco, I really want you guys to take the time and energy to try to figure out what the end result is supposed to be. Don't worry about the configurations, don't worry about the servers, don't worry about any of that; try to understand what is supposed to be accomplished, and then, when you understand what is supposed to happen and why, then pick up the book and figure out the configurations and take the classes to learn what to do. Again, what I see is way too many people, they know how to create organizational units and sites and replication strategies and all that stuff, but they have no idea why anybody would use it in the real world, and therefore it's really, really hard to learn, especially for certification tests. If you want to go out and get certified, if you don't really grasp why it is you're doing whatever it is you're doing, it's very difficult to remember what you're supposed to do, because you don't really have a context for it, and yeah, it's a bit of a mess. Again, I'm not getting paid a dime by Sams, I really should be getting paid, but I'm not,
but you guys really do, the further we go into this, need to pick up a book, whether it's Sams or whether it's something else, because there's just so much information that I am NOT going to be able to get to.

Now one of the things, as I do these classes, I publish them to YouTube as soon as I'm finished and then I immediately start getting feedback. One of the pieces of feedback that I've gotten from a lot of you guys is there's this thought that, what was it, somebody said that Microsoft is becoming more irrelevant and therefore I should be teaching you guys Linux instead of Microsoft, and other people asked me about, well, Microsoft isn't the only provider of Active Directory or directory services; there's OpenLDAP and eDirectory and even Samba4 and all kinds of stuff, so why don't I teach you guys that? Well, the reason that I'm teaching you guys Windows Server 2012 and Windows and Microsoft Active Directory is because this is what is used predominantly in the real world. I really want you guys to understand that most of you guys are going out and you're going to try to get hired for jobs. When companies hire you, they want to hire people that are skilled in the technologies that they have, not in technology that they don't have. So if you go out and you start asking mid-sized to large companies what runs their systems, what runs their network, dollars to doughnuts it's going to be Microsoft Server, whether it's Server 2012 or whether it's Server 2008 or 2003 or Active Directory all the way back to 2000. I'll tell you guys, 9 times out of 10 it's going to be Microsoft that runs their Active Directory environment; it's not going to be something else. So with you guys trying to go out and get jobs, the thing is, if you go and you get your MCSA or your MCSE or your MCITP, you get certified in Microsoft, then you can also learn Samba4 and OpenLDAP, and so if you go into a company and you say I've got my MCSE plus I am an expert at Samba4, that will be considered a bonus, and it will be much more likely that you will get a job. If you walk in and you just say I'm an expert at Samba4, yeah, how many companies just run Samba4? So that's one of the big things. I know I've been getting a lot of pushback that I should just be teaching you guys Linux, but I'm telling you, like it or hate it, I'm not here on the morals: it is a Microsoft world. You understand Microsoft, you get certified in Microsoft, you are far more likely to get a job. You can be an expert at Samba4 and OpenLDAP, but simply, how many of those jobs are out there? I'm not saying that there's no jobs out there, I'm not saying it's impossible to get a job, but when you're going out, you're putting out resumes, you need to put food on the table, you need to pay your mortgage, I'm telling you Microsoft is the one that is more likely to get you a paycheck at the end of the day than the other stuff. So whether or not you guys like it, that's just one of the things for the real world that I try to give you guys here. Even if you hate Microsoft, even if you never want to use Microsoft, even if you totally just believe in Linux and you think the entire world should be on Linux, well, learn Microsoft so you can get a job, so you can get into a company, and then once you're in the company, then you can start trying to move them in the Linux way. But you can only move companies if you've actually been hired by them, if you get what I'm saying.

Yeah, so as you know, I'm Eli the Computer Guy. This was Introduction to Active Directory Infrastructure on Windows Server 2012. Again, this is the fourth or fifth class in this track; we're going to be having many more, and pretty soon we're going to be really getting into the nuts and the bolts of how to configure Windows servers. But again, you have to understand what's going on, so make sure you understand these last few classes that I've taught, and if you don't grasp what
I've told you go out and get a book and make sure you understand what sites are make sure you understand what organizational units are make sure you understand the concept behind Active Directory because if you understand those things when we go in to do the configurations it will be a lot easier because you'll understand what's what's supposed to be happening so as always I enjoy teaching this class and I look for to see you the next one
Info
Channel: Eli the Computer Guy
Views: 712,496
Keywords: Eli, the, Computer, Guy
Id: hxgz7MR7MGQ
Length: 38min 55sec (2335 seconds)
Published: Mon Feb 25 2013