Week 7, Oct 22

Midterm Oct 29. Exam will be open book.

Study guide info:
  Ch 3: basics of Active Directory
  Ch 4: GPO 4-1 through 4-8, but not security templates (4-9 -- end)
  Ch 5: NTFS, pp 149-156

Today's problems starting up winserver01:
  * wireless doesn't work under winserver2003; used wireless hub
  * at first it couldn't ping the hub, at 10.20.0.200
  * connected to the Internet; after ~10 minutes it started working
  * need to disable DHCPD on winserver01

DNS forwarder *was* set up correctly on winserver01:
  147.126.65.47 (ulam2)
  147.126.68.1  (loyola)

Need to fix designated DNS server on wireless hub!

Had to move DHCP back to winserver01. WHY?? Because the server's DNS has to be
able to resolve names like laptop5.csed430.cs.luc.edu, and the only way that can
happen is if the server handed them out (the DHCP server is what registers the
leased names and addresses in DNS). Sigh.

==================================================================

Group policy objects: what if you have more than one?

See: http://technet2.microsoft.com/WindowsServer/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true

Order of processing (effectively the *reverse* order of precedence; the last
one applied has the highest precedence):
  local machine
  site
  domain
  OU, according to nesting (parent OU before child OU)

Multiple GPOs can be linked to a single OU. "The GPO with the lowest link order
is processed last, and therefore has the highest precedence."

So, Default Domain Policy should have link order 2, and the Local Policy should
have link order 1.

Editing a GPO vs. applying it, either locally or remotely!

=====================

GPUPDATE

  gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]

Remote rebooting:

  shutdown \\computername /l /a /r /t:xx "msg" /y /c

  /l      local machine
  /a      cancel shutdown in progress (during wait time)
  /r      restart instead of turn off
  /t:13   wait 13 seconds
  /y      answer "yes" to all questions
  /c      quit all running programs

==================================================================

More demos, continuing with AD:

5. Publishing a shared folder under AD

   Loopback policy: USER policy depends on which computer they're logged into.
   Defer.

6. Delegation of control
   * for everything, to the LabAdmins group
   * for password resets, to the LabTutors group

===================================================

Blocking vs. No_Override

  Block:        blocks the parent's policies, unless NO_Override is set
  No_Override:  prevents an OU admin from changing domain-wide settings

===================================================

Microsoft __Common Scenarios__ document. Look at the CommonScenarios examples in
some detail:
  what are the scenarios?
  how are they implemented?

Note the base "highly managed" and "lightly managed" GPOs.

Two implementation strategies:
  1. Two OUs (per machine and per user):

        Highly managed
              ^
              |
          AppStation

  2. Single OU, with two GPOs linked to it

Setting password policies:
  history:     recommended value 24
  max age:     MS recommends 42. Schools should probably choose a value related
               to the school year.
  min age:     MS recommends 2. This has a rather dire consequence: you can't
               change your password if someone else has it!
  min len:     MS recommends 8. This is probably too short. Encourage long
               passwords.
  complexity rules:

Note password policies apply to the entire domain. They can't be different for
different OUs.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

A little bit about sites:
  * a site consists of one or more SUBNETs connected by fast links
  * links between sites do not have to be fast
  * by having a domain controller in each site, users log in through the
    closest, fastest DC (that is, the one belonging to their site)

===================================================================

4. Machine name: CSED430DEMO
5. Admin password: demosthenes
6. Not on a domain (initially)

===================================================================
=====================

Ad-hoc network notes:
  choose ssid
  choose key
  assign IP addrs
  disable firewall for ping
  allow file sharing

======================================

Networking: csed 430 infra
  Why I can't use wireless on winserver1
  How I use the access point
  configuring the access point
  ip addresses

Continued problems from valhal: can't connect as both Owner and pld. The Owner
connection is unavailable when I log in as pld. This stuff with network
connections being attached to a user is WEIRD.

DHCP: have the DHCP server running on winserver1. Note the need to "authorize"
it in AD.

========================================================================================
========================================================================================

Demos:

1. Switch to using DHCP. You have to do this, because DHCP hands out more than
   IP addrs. See below.

2. Adding everyone to the DOMAIN: System control panel option.

   PROBLEM 1: is DHCP working at all?

   PROBLEM 2: domain addition failed because *DNS* wasn't working. It turned
   out that it *was*, on winserver, but
     (a) DHCP wasn't configured to hand out the DNS server address, so nobody
         knew about it
     (b) actually, it couldn't possibly be configured since we're not on the
         Internet

   My DNS config is a little weird. I'm *not* on the internet! So what is it
   doing?

   Anyway, I need this info:
     domain:     csed430.cs.luc.edu
     admin acct: administrator
     password:   demosthenes

   Then I reboot.

   step 1: I now get the ctrl-alt-delete login screen.

   PROBLEM 3: my wireless network connection no longer exists. Sigh. I need to
   enable automatic wireless reconnection. So I have to log on as the local
   user, "owner", maybe with no password.

   Once I'm on, I can log in as administrator/demosthenes
     joe/joe:        regular user
     peter2/peter2:  student user
     kyle/kyle:      kiosk user

   WARNING!!! gpupdate forces GPO settings in AD to propagate.

   Try logging on to the peter2 account with the Multi(user) and Kiosk(user)
   settings in place.

Demo: create a new OU, AppUserOU. Put alice into it.

Demo: removing a computer from a domain
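The "order of processing" and "Blocking vs. No_Override" notes above describe how Windows decides which GPO wins a conflicting setting. The following is an added model of that resolution, written for these notes and not Microsoft code: it applies local, domain and OU GPOs in LSDOU order, applies link order 1 last within a container, lets Block inheritance drop the parent's non-enforced links, and applies No_Override links after everything else (the one nearest the domain root last). The GPO names and settings (Highly Managed, AppStation, Domain Baseline, screensaver timeout, audit_logon) are constructed for the illustration; the local GPO is assumed never to be blocked, which matches Windows behaviour for the local machine policy.

```python
"""Model of Group Policy application order: LSDOU, link order,
Block inheritance and No_Override (called "Enforced" in GPMC).
Constructed illustration for the notes; not Microsoft's implementation."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict          # setting name -> value


@dataclass
class Link:
    gpo: GPO
    link_order: int         # 1 = highest precedence within the container
    no_override: bool = False


@dataclass
class Container:
    name: str               # "site", "domain" or an OU name
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(local: GPO, chain: list) -> list:
    """GPOs in the order applied to an object whose path through the
    hierarchy is `chain` (site, domain, OUs from parent to child).
    The last GPO applied wins any conflicting setting."""
    normal = [local]        # local machine policy is always processed first
    enforced = []           # (depth, link) for No_Override links
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            # Block drops everything inherited from above, except the
            # local GPO (assumption of this model) and No_Override links.
            normal = [local]
        # Higher link-order numbers first, so link order 1 is applied last.
        for link in sorted(container.links, key=lambda l: l.link_order, reverse=True):
            if link.no_override:
                enforced.append((depth, link))
            else:
                normal.append(link.gpo)
    # No_Override GPOs go after all normal ones; the deepest is applied
    # first and the one nearest the root last, so the root-most wins.
    enforced.sort(key=lambda dl: (-dl[0], -dl[1].link_order))
    return normal + [link.gpo for _, link in enforced]


def effective_settings(local: GPO, chain: list) -> dict:
    """Resultant set of policy: later GPOs overwrite earlier ones."""
    result = {}
    for gpo in application_order(local, chain):
        result.update(gpo.settings)
    return result


LOCAL = GPO("Local", {"screensaver_timeout": 900})


def build_lab_chain(block: bool) -> list:
    """Constructed hierarchy: domain -> OU 'Lab', two GPOs linked to each."""
    default_domain = GPO("Default Domain Policy", {"audit_logon": "on"})
    baseline = GPO("Domain Baseline",
                   {"screensaver_timeout": 600, "wallpaper": "corporate"})
    # The OU admin tries to switch logon auditing off; No_Override on the
    # domain link is what stops that from taking effect.
    highly_managed = GPO("Highly Managed",
                         {"audit_logon": "off", "run_menu": "hidden",
                          "screensaver_timeout": 300})
    appstation = GPO("AppStation", {"screensaver_timeout": 450})
    domain = Container("domain", [Link(default_domain, 1, no_override=True),
                                  Link(baseline, 2)])
    lab_ou = Container("OU=Lab", [Link(highly_managed, 2), Link(appstation, 1)],
                       block_inheritance=block)
    return [domain, lab_ou]


def lab_scenario(block: bool):
    """Return (names in application order, resultant settings) for the
    Lab OU, with or without Block inheritance set on it."""
    chain = build_lab_chain(block)
    order = [g.name for g in application_order(LOCAL, chain)]
    return order, effective_settings(LOCAL, chain)


if __name__ == "__main__":
    for block in (False, True):
        order, resultant = lab_scenario(block)
        print(f"block_inheritance={block}: {' -> '.join(order)}")
        print("   resultant:", resultant)
```

Running it shows the two effects side by side: with Block set on the OU, Domain Baseline (and its wallpaper setting) disappears, but the No_Override Default Domain Policy still lands last, so audit_logon stays "on" despite the OU's Highly Managed GPO; and within the OU, AppStation (link order 1) is applied after Highly Managed (link order 2), so its screensaver timeout wins.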