cna 122 chapter 6

active directory replication
the transfer of information between all domain controllers to make sure they have consistent and up-to-date information
application directory partition
a directory partition that applications and services use to store information that benefits from automatic active directory replication and security.
assigned application
an application package made available to users via group policy and places a shortcut to the application in the start screen. the application is installed automatically if a user tries to run it or opens a document associated with it. if the application applies to a computer account the application is installed the next time windows boots.
attribute value
information stored in each attribute
authentication
a process that confirms a user’s identity, and the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.
built-in-user accounts
user accounts created by windows automatically during installation.
child domains
domains that =share at least the top-level and second-level domain name structure s an existing domain in the forest;also called “subdomains”
configuration partition
a directory partition that stores configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another.
directory partition
a section of n active directory database stored on a domain controllers hard drive. these section are managed by different processes and replicated to other domain controllers in an active directory network.
directory service
a database that stores information about a computer network and includes features for retrieving and managing that information
directory services restore mode (dsrm)
a boot mode used to perform restore operations on active directory if it becomes corrupted or parts of it are deleted accidentally.
domain
the core structural unit of active directory; contains OU’s and represents administrative, security, and policy boundaries.
domain directory partition
a directory partition that contains all objects in a domain, including users, groups, computers, OU’s and so forth
domain user account
an user account created in active directory that provides a single logon for users to access all resources in the domain for which they have been authorized.
extension
an item in a gpo that allows an administrator to configure a policy setting.
flexible single master operation (fsmo) roles
specialized domain controller tasks that handle operations that can affect the entire domain or forest. only one domain controller can be assigned a particular FSMO.
forest
a collection of one or more active directory trees. a forest can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.
forest root domain
the first domain created in a new forest
fully qualified domain name (FQDN)
a domain name that includes all parts of the name, including the top-level domain.
global catalog partition
a directory partition that stores the global catalog, which is a partial replica of all objects in the forest. it contains the most commonly accessed object attributes to facilitate object searches and user logons across domains.
gpo scope
the object affected by a gpo linked to a site, domain or OU
group policy object (gpo)
a list of settings that administrators use to configure user and computer operating environments remotely through active directory
install from media (ifm)
an option when installing a dc in an existing domain, much of the active directory database contents are copied to the new dc from media created from and existing dc.
intersite replication
active directory replication that occurs between 2 or more sites.
intrasite replication
active directory replication between domain controllers in the same site
knowledge consistency checker (KCC)
a process that runs on every domain controller to determine the replication topology.
lightweight directory access protocol (LDAP)
a protocol that runs over tcp/ip and is designed to facilitate access to directory services and directory objects. it’s based on a suite of protocols called x.500, developed by the international telecommunication union.
local user account
an user account defined on a local computer that’s authorized to access resources only on that computer. local user accounts are mainly used on stank-alone computers or in a workgroup network with computers that aren’t part of an active directory domain.
multimaster replication
the process for replicating active directory objects; changes to the database can occur on any domain controller and are propagated, or replicated, to all other domain controllers.
object
a grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or ou.
operations master
a domain controller with sole responsibility for certain domain or forest-wide functions.
organizational unit (ou)
an active directory container used to organize a network’s users and resources into logical administrative units
permissions
setting that define which resources users can access and what level of access they have to resources.
published application
an application package made available via group policy for users to install by using programs and features in control panel.the application is installed automatically if a user tries to run it or opens a document associated with it.
relative idntifier (rid)
the part of a sid that’s unique for each active directory object.
replication partner
a domain controller configured to replicate with another domain controller.
right
a setting that specifies what types of action a user can perform on a computer or network.
schema
information that defines the type, organization, and structure of data stored in the active directory, such as user or computer accounts.
schema attributes
a category of schema information that defines what type of information is stored in each object.
schema classes
a category of schema information that defines the types of objects that can be stored in active directory, such as user or computer accounts.
schema directory partition
a directory partition containing the information needed to define active directory objects and object attributes for all domains in the forest.
security identifier
a numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an rid.
site
a physical location in which domain controllers communicate and replicate information regularly.
sysvol folder
a shared fodler that stores information from active directory that’s replicated to other domain controllers.
tree
a grouping of domains that share a common naming structure.
trust relationship
an arrangement that defines whether and how security principals from one domain can access network resources in another domain.
user prinicipal name
a user logon name that follows the format [email protected] users can use upn’s to log on to their own domain from a computer that’s a member of a different domain.
active directory offers what features to make it flexible?
hierarchical organization, centralized but distributed database, scalability, security, flexibility, policy-based administration.
what are the 2 aspects of active directory structure?
physical structure, logical structure
each domain controller contains a full replica of the objects that make up the domain and is responsible for what functions?
storing a copy of the domain data and replicating changes to that data to all domain controller in the domain, providing data search and retrieval functions for users attempting to locate objects in the directory, and providing authentication and authorization services for users who log on to the domain and attempt to access network resources.
what are the 4 organizing components of active directory?
organizational units, domains, trees, forests
what is active directory service commonly referred to as?
active directory domain services (AD DS)
there are 3 options to specify capabilites for the dc what are they?
domain name system (dns) server, global catalog, read only domain controller
for the first dc in a new domain, this should be installed unless you will be using an existing —– server for the domain.
DNS
global catatlog
for the first dc in a forest, this check box is selected and disabled because the first dc in a new forest must alsow be a global catalog server.
read only domain controller
isn’t on by default, disabled for the first dc in the domain because it can’t be a rodc.
how many domain controllers does microsoft recommend at a minimum?
2 (for fault tolerance and load balancing)
there are 4 questions you ask before adding a new dc to an existing domain.
should you install dns?, should the dc be a global catalog server? should this be a read only domain controller? in which site should the dc be located?
reasons you should install dns
if you’re installing the second dc in a domain for fault tolerance, if it is in a remote site
should the dc be a global catalog server?
the first dc is always configured as a gc server, but when you’re installing additional dc’s in a domain, this setting is optional. in most cases it makes sense to make all your dc’s global catalog servers.
should this be a rodc?
branch offices , ( a rodc doesn’t store credentials, so if it is compromised, no passwords can be retrieved) if the dc isn’t at a branch office, there is no real advantage to making it a rodc.
add a child domain
add a domain that shares at least the top-level and second-level domain name structure as an existing domain in the forest.
add a new tree
add a domain with a seperate naming structure from any existing domains in the forest.
add-windowsfeature ad-domain-services
install active directory domain services role
-includemanagementtools
prepares server for promotion to a dc but you must enter another command to start the promotion process.
install-addsforest
create new dc in a new forest (must provide domain name)
install -addsdomaincontroller
adds dc to an existing domain
the procedure for using imf is…
select a sutiable dc, (must be a standard dc) , if you’re creating imf data for a rodc, you can use a rodc or a standard dc.,run ntdsutil command from an admin command prompt
ntdsutil
starts command-line program
activate instance ntds
sets the program focus on the active directory database.
ifm
sets program to ifm mode
create full path
creates ifm data for a writeable dc
create rodc path
creates ifm data for a rodc
create sysvol full path
creates ifm data for a writeable dc and includes the sysvol folder.
create sysvol rodc path
creates ifm data for a rodc and includes the sysvol folder
what is disabled by default when you instal active directory?
active directory recycle bin
active directory administrative center (adac)
central console for performing many active directory tasks
when active directory is installed, what 5 folders are created?
builtin, computers, foreignsecurityprincipals, managed service accounts, users.
builtin
mainly used to assign permissions to users who have administrative responsibilities in the domain
computers
default location for computer accounts created when a new computer or server becomes a domain member.
foreignsecurityprincipals
initially empty but later contains user accounts from other domains added as members of local domains groups
managed service accounts
added to the schema in server 2008 created specifically for services to access domain resources. in this account, the password is managed by the system, alleviating the admin of this task. it is empty initially.
users
stores 2 default users (admin and guest) and several default groups.
leaf object
dosen’t contain other objects and usually represents a security account, network resource, or GPO.
security account objects include?
users, groups, and computers
network resource objects include?
servers, domain controllers, file shares, printers, and so forth
how are GPO’s managed in active directory?
by the group policy MMC
what is the difference between permissions and right?
permissions define which resources users can ACCESS and what level of access they have, right specifies what types of actions a user can PERFORM on a computer or network.
other leaf objects include?
contact, printer, shared folder
where can the active directory recycle bin be enabled?
in the (ADAC)
can the recycle bin be disabled without reinstalling all domain controllers in the forest?
no
what must all dc’s in a forest be running to use the recycle bin?
windows server 2008 or later
there are 5 operations master roles also referred to as flexible single master operation (fsmo) roles in an active directory forest what are they? *****
schema master, infrastructure master, domain naming master, rid master, pdc emulator master
schema master ****
only one that can change the schema partition, responsible for replicating the schema directory partition to all other domain controllers in the forest when changes occur.
infrastructure master ****
responsible for ensuring that changes made to object names in one domain are updated in references to the objects in other domains.
domain naming master ****
manages adding, removing and renaming domains in the forest. there is only one per forest.
RId master **** (relative identifier)
responsible for issuing unique pools of rid’s to each dc, therby guaranteeing unique sid’s (security identifier) throughout the domain.
an objects SID is composed of what?
domain identifier, which is the same for all objects in the domain, and a RID, which is unique for each object.
pdc emulator master ****
provides backward-compatibility with windows servers configured as windows nt backup domain controllers or member servers. manages password changes to help make sure users authentication occurs without lengthy delays.
get-addomain
view the domain
get-adforest
view the folder of the 2 forest-wide roles
trust relationship
defines whether and how security principals from one domain can access network resources in another domain.
when is configuring trust a must?
when your active directory environment includes 2 or more forests or when you want to integrate with other OS’s.
all domains in a forest share common characteristics what are they?
a single schema, forest-wide amin accounts, operations masters, global catalog, trusts between domains, replication between domains.
single schema
active directory objects and their attributes, can be changed by the admin or an application to best suit the organizations needs. all domains in a forest share the same schema.
forest-wide admin accounts
each forest has 2 groups with unique rights: schema admins and enterprise admins. schema admins are the only ones allowed to make changes to the schema and enterprise admins can add or remove domains from a forest and have admin access to every domain in the forest.
operations master
certain forest-wide operations can be performed only by a dc designated as the operations master.
global catalog
only one per forest, multiple dc’s can be designated as global catalog servers. they contain information about all objects in the forest, used to speed searching for objects across domains in the forest and to allow users to log on to any domain in the forest.
trusts between domains
allow users to log on to their home domains and access resources in domains throughout the forest without having to authenticate to each domain.
replication between domains
the forest structure facilitates replicating important information between all domain controllers throughout the forest. forest-wide replication includes information stored in the global catalog, schema directory, and configuration partitions.
the global catalog server has some vital functions what are they?
facilitates domain and forest-wide searches, facilitates logon across domains, holds universal group membership information.
the forest root domain handles what functions?
dns server, global catalog server, forest-wide admin accounts operations masters
can the dns server and global catalog server functions be installed on other servers in domains?
yes for fault tolerance
where does the forest-wide operations masters and forest-wide amin accounts reside?
only on a dc in the forest root domain
why do small and medium businesses choose a single domain?
simplicity, lower costs, easier management, easier access to resources.
why does using more than one domain make sense?
there is a need for differing account policies, need for different name identities, replication control, need for internal vs. external domains, need for tight security.
group policy object
list of setting admins use to configure user and computer operating environments remotely. can specify security settings, deploy software, and configure a user’s desktop.
do GPO’s apply to group objects?
NO! despite the name they do not apply to group objects.
you can link GPO’s to what?
sites, domains and OU’s (when linked they affect only user and computer accounts in the containers)
when active directory is installed, two GPO’s are created and linked to 2 containers, what are they?
default domain policy, default domain controllers policy
default domain policy
linked to the domain object and specifies default settings that affect all users and computers in the domain. the settings in this policy are related mainly to account policies. ( i.e. password and logon requirements and some network security policies)
default domain controllers policy
linked to the domain controllers OU and specifies the default policy settings for all domain controllers in the domain. pertain mainly to user rights assignments, which specify the types of actions users can perform on a dc
the default policies dont define any user-specific policies instead they are designed to provide what?
default security settings for all computers, including domain controllers, in the domain
each GPO has 2 main nodes in GPMC (group policy manangement console) what are they?
computer configuration, user configuration
computer configuration
used to set policies that apply to computers within the GPO’s scope. these policies are applied to a computer when the computer starts
user configuration
used to set policies that apply to all users within the GPO’s scope. user policies are applied when a user logs on to any computer in the domain.
each node contains 2 folders..
policies folder, preferences folder
policies folder
settings here are applied to users or computers and cant be overridden by users
preferences folder
settings here are applied to users or computers but are just preferences so the users can change them.
in the configuration node, there are 3 folders under policies folder they are?
software settings, windows settings, admin templates
software settings folder
contains an item called sofware installation, (enables admins to install and manage applications remotely.can be configures to start automatically. (this is called assigning the application to the computer.
windows settings folder
contains the Name Resolution Policy node, scripts extension, security settings node, and policy-based Qos node.
—-name resolution policy
stores configuration settings for dns security and directaccess. admins can use the scripts extension to create scripts that run at computer startup or shutdown
—-security settings node
contains the lions share of policies that affect computer security, including account policies, user rights wireless network policies, registry and file system permissions, and network communication policies among others.
—-policy based Qos node
can be used to prioritize and control outgoing network traffic from a computer.
admin templates folder
contains control panel, Network, printers, system adn windows components folders. the settings here affect computer settings that apply to all logged-on users.
do the policies configured in the computer configuration node affect all computers in the container to which the GPO is linked?
yes and all child containers
the computer configuration node contains these 3 folders.
(these differ from user configuration node policies)
software settings, windows settings, admin templates
software settings
also contains the software installation extension however, app packages configured here, can be assigned or published.
windows settings
contains 4 items scripts extension, security settings node, folder redirection node, and policy-based QoS node.
admin templates
contains a host of settings that enable admins to tightly control users computer and network environments.
gpo’s can be applied in 4 places.
local computer,site, domain, and OU. ( in this order too)
the last policy to be applied, is the last one to take precedence yes or no?
yes and also policies that arent defined or configured, are not applied at all