Chapter 4
User Principal Name (UPN)
For user account objects, the global catalog also stores a unique name that users can use to log into their domain from any computer in the forest. This name is called a User Principal Name (UPN) and uses the format username@domainname.
Dynamic updates
If the IP configuration of your server is set to use an existing DNS server that can create service records to store the location of Active Directory services using the dynamic update feature of DNS, t
Logging in as Local user
If you log into the system with a local user account, the rights and permissions assigned to your local user account are applied, and you must authenticate to other computers on the network in order to access their shared resources using a peer-to-peer networking mode.
Configuring Sites and Replication
If your domain spans multiple physical locations, it's important to configure sites to control Active Directory replication within your domain. Sites can also be used to control the replication of schema and forest configuration to other domains within the
realm trust
If your organization has a UNIX Kerberos realm, you can create a _____________________________ between an Active Directory domain and the Kerberos realm.
local group accounts
In a workgroup environment, recall that local group accounts are used to simplify the assignment of rights and permissions to multiple local user accounts on a system.
Read-Only Domain Controller (RODC)
In addition to large office locations, many organizations contain smaller branch office locations. Often, these branch office locations do not have dedicated IT staff or the physical security features found in large offices, such as security guards and secure server closets. To provide secure domain authentication within these branch offices, you can install a Read-Only Domain Controller (RODC). Because RODCs contain a read-only copy of the Active Directory database for the domain, the creation and management of objects (such as user accounts) must be performed on a domain controller within a larger office and replicated to the RODC in the branch office. Because security is the primary concern within branch offices, when user account objects are replicated to an RODC, the password attribute is only included for users that you specify.
Managing FSMO Roles
In an organization that has multiple domain controllers spanning several domains, it's important to know which domain controllers hold the forest-wide and domain-wide FSMO roles. The easiest way to view all of the FSMO roles held by domain controllers within your forest is to use the netdom query fsmo command from Windows PowerShell or a Windows Command Prompt window. You should ensure that FSMO roles are held by domain controllers that are highly visible on the network. For fault tolerance in the event of a domain controller failure, you should also ensure that a single domain controller does not hold all of the available FSMO roles within a forest or domain. To move a forest-wide FSMO role, you must be a member of the Enterprise Admins group. To move a domain-wide FSMO role, you must be a member of the Domain Admins group.
Configuring Global Catalog and UGMC
It is important to ensure that each site has at least one copy of the global catalog to provide fast logon and object search. Configuring two or more copies of the global catalog in a site will ensure that the global catalog is available in the event of a domain controller failure. However, configuring too many global catalog servers within a site could impact the bandwidth of your Internet connection as global catalog is replicated forest-wide and does not adhere to site link restrictions. Thus, you may need to add or remove the global catalog from existing domain controllers following installation.
domain local groups - group scope
Can contain: objects located within any domain in the forest. Domain local security groups can be assigned permissions to resources or added as a member to another group in the same domain, but can contain objects from any domain in the forest.
Universal - Group Scope
Can contain: objects located within any domain in the forest. Universal security groups can be assigned permissions to resources or added as a member to another group within any domain in the forest. They can contain any object in the forest. Universal groups can be used to simplify the assignment of permissions to all users within an organization that are part of a job role.
Global - Group Scope
Can contain: objects located within the same domain as the global group. Global security groups may be assigned permissions to resources or added as a member to another group in any domain within the forest. However, they can only contain objects from the same domain in which they were created.
Creating Trust Relationships
Prior to creating an external, forest, or realm trust to another organization, you must first ensure that the DNS servers within your organization can resolve the DNS records for the target organization, and vice versa. The most common way to do this is by configuring a conditional forwarder on your organization's DNS servers to forward DNS resolution requests for the other organization's domains to the other organization's DNS servers. The other organization will also need to create a conditional forwarder on their DNS servers for the domains within your organization as well.
Address—User Objects
Provides information about the account holder's street address, post office box, city, state or province, postal code, and country or region.
Account—User Objects
Provides information about the logon name, domain name, and account options, such as requiring the user to change her or his password at next logon, and account expiration date, if one applies.
Profile - User Objects
Provides options for legacy clients that do not support Group Policy.
encryption registry security
Recall that each computer account contains an encryption key that is used when the computer communicates with a domain controller. This same encryption key is also stored within the Windows Registry on the computer. To maintain security, the domain controller creates a new encryption key every 14 days and communicates this key to the client for use within the Windows Registry.
cached credentials
Recall that universal group membership is stored solely within the global catalog. Because authentication tokens list your group membership, domain controllers must contact a global catalog during the authentication process to determine your universal group membership. Consequently, if a global catalog cannot be contacted, you will not be able to complete the authentication process and log into the domain, but may be able to use cached credentials to access your system. Cached credentials are a list of encrypted passwords stored within the Windows Registry for domain user accounts that have previously logged into the system. If a domain user has logged into a system previously, cached credentials allow that user to log in and access the local resources of the system if a domain controller or global catalog is not available.
Legacy Clients
Recall that you can join legacy computers to an Active Directory domain, regardless of the domain and forest functional level. Computers running operating systems older than Windows 2000 use NetBIOS packets to locate domain controllers instead of service records within DNS. As a result, each Active Directory domain must have a NetBIOS name to allow these legacy clients to join and locate domain controllers to provide authentication. Because NetBIOS names can be up to 15 characters and cannot include period characters, the default NetBIOS name for your domain is taken from the first 15 characters of your domain name before the first period.
site link objects
Site objects are connected to other site objects using site link objects that contain attributes that specify when replication is allowed to occur. You can modify site link objects to specify that replication of Active Directory information between domain controllers in different sites only occurs at a specific timed interval or after working hours when Internet bandwidth is more readily available. Site link objects can also be used to control the replication of changes to the schema and configuration partitions within the forest. Large forests may have hundreds of sites that are interconnected with site link objects to form multiple paths from one site to another. In this case, you can lower the cost value on a site link object to encourage Active Directory to use a particular path for replication.
ntds.dit
The Active Directory database is stored in a database file called ntds.dit. Any changes to this file are first written to a transaction log file before they are applied to the ntds.dit file. This increases performance by allowing processes to quickly submit Active Directory changes to the transaction log without having to wait for confirmation that the change has been applied to the ntds.dit database.
Join computer to AD - domain user group
The Domain Admins group in Active Directory is added to the local Administrators group. This allows members of the Domain Admins group to log into and administer any system in the Active Directory domain.
schema partition
The ______________________ contains the Active Directory schema and must be identical on all domain controllers within the forest to ensure that Active Directory objects from any domain in the forest can be interpreted by any domain controller in the forest. If a change is made to the schema partition, such as the addition of a new object class or attribute, these changes are replicated to all other domain controllers within the forest.
configuration partition
The __________________________ stores the structure and layout of the forest, including the names of each domain and the trust relationships between them. As with the schema partition, each domain controller within the forest must share the same configuration partition. Thus, if you add or remove a domain or trust relationship, the configuration partition will be replicated to all other domain controllers in the forest.
Privilege Access Management (PAM)
The ability to use the Microsoft Identity Manager (MIM) to restrict malicious access to Active Directory using Privilege Access Management (PAM)
Domain partition
The largest section of the Active Directory database is the domain partition. It stores all objects within a particular domain, including users, computers, OUs, and groups. Because each Active Directory domain represents a single business unit that is managed separately, the domain partition is only replicated to other domain controllers within the same domain. When a change is made to the domain partition on a domain controller, such as the addition of a user object, that change is replicated to other domain controllers within the same domain only.
Work with OU
The most common utility used to create and manage OUs within an Active Directory domain is the Active Directory Users and Computers tool.
leaf objects
The objects within the Active Directory database that represent a user account, group account, or computer account are called _____________.
two-way transitive features of trust
The two-way transitive features of trust relationships are derived from the Kerberos protocol. Because Windows NT4 does not use Kerberos, external trusts to a Windows NT4 domain must be one-way and non-transitive.
AD Replication with SMTP
There are two protocols that can be used to perform Active Directory replication: IP and Simple Mail Transfer Protocol (SMTP). SMTP requires that you first configure an SMTP encryption certificate, and can only be used to replicate schema and configuration changes. As a result, there are no SMTP site links created by default.
Boot domain controller
To boot a domain controller to Directory Services Restore Mode, you can hold down the F8 key during the boot process and select Directory Services Repair Mode from the menu.
Installing Forest domain
To configure your server as the first domain controller for the first domain in a new forest,
Local users and Group
To create local user and group accounts, you can use the Local Users and Groups MMC snap-in. You can open the MMC by executing the mmc.exe command within a Windows Run dialog box, Command Prompt, or PowerShell window.
AD Replication
To ensure that the Active Directory database is identical on each domain controller within a domain, objects are replicated between domain controllers when new objects are added to the Active Directory database or existing objects are modified or removed.
AD and DNS
To ensure that your server can resolve Internet names, the DNS server installed will be configured to forward any requests it cannot resolve to the DNS server that was previously specified within your IP configuration.
bridgehead server
To minimize bandwidth, replication between sites only occurs between a single domain controller within each site called a bridgehead server. Although Active Directory automatically chooses the bridgehead server in each site, you can choose to manually specify the domain controller that you would like to use as the bridgehead server for each site.
Move Domain Controller
To move a domain controller from one site to another, you can right-click the associated server object within Active Directory Sites and Services, click Move, and select the target site.
Active Directory Domains and Trusts
To raise functional levels, you can click Active Directory Domains and Trusts from the Tools menu of Server Manager to open the Active Directory Domains and Trusts tool.
Deploy Domain Controllers
To rapidly deploy several new domain controllers within the same domain, you can use Windows PowerShell to clone an existing domain controller virtual machine to create additional unique domain controller virtual machines. Search Virtualized Domain Controller Deployment and Configuration on docs.microsoft.com for more information.
Group Objects
To simplify the assignment of rights and permissions to users within your organization, you will need to create group objects and manage their membership. To create a group object within Active Directory Users and Computers, right-click the appropriate OU and click New, Group.
Primary Domain Controller (PDC)
A central domain controller in a Windows NT/pre-AD environment that has a readable and writable copy of the domain security database. There can be only one PDC. The PDC within each Windows NT4 domain stored a read-write copy of a SAM database that could authenticate users within the domain and issue tokens.
logon script
A logon script is a file of commands that are executed at logon, and a home folder is disk space on a particular server given to a user to store his or her files.
external trust
A one-way, nontransitive trust relationship to a Windows NT4 or Active Directory domain outside of your forest.
Forest Trust
A two-way trust to another Active Directory forest that is designed to share resources between the two forests. In a forest trust, users can be authenticated in either forest.
AD and SSO
Active Directory can be used to provide centralized authentication (called single sign-on) to other computers on the network that are joined to an Active Directory domain.
backup domain controllers (BDCs)
Additional domain controllers were called backup domain controllers (BDCs) and obtained a read-only copy of the SAM database from the PDC so that they could authenticate users.
Raising Functional Levels
After all domain controllers within your domain have been raised to a common minimum operating system version, you can raise the domain functional level to unlock the features of Active Directory. Similarly, if all domains within the forest have been raised to a common minimum domain functional level, you can raise the forest functional level to match. You must be logged into your domain as a member of the Domain Admins group within Active Directory to raise a domain functional level. The Administrator user account within each domain is a member of the Domain Admins group by default. To raise the forest functional level, you must be a member of the Enterprise Admins group. The Administrator user account within the forest root domain is a member of the Enterprise Admins group by default.
Token
After the domain controller validates your user name and password, it issues your computer an encrypted token that lists your domain user account. Tokens can only be decrypted by computers that participate in the same Active Directory domain and are destroyed when you log out of your system. When you access a shared resource on another computer that is joined to your Active Directory domain, your token is automatically sent with the request to the target computer to verify your identity.
after populate domain controller
After you populate each site with domain controllers, Active Directory will create connection objects under each bridgehead server object (within the Servers folder) that represent the bridgehead servers in other domains. To override the restrictions placed within site link objects and replicate immediately to a bridgehead server in another site, you can right-click the connection object for the target bridgehead server and click Replicate Now.
organizational unit (ou)
An _______________________________ is similar to a folder on a filesystem. It can contain leaf objects or other OUs (called child OUs), much like a folder on a filesystem can contain files or subdirectories.
Install a domain in existing domain
As with installing a new domain within an existing forest, before you install an additional domain controller within an existing domain, you must ensure that the DNS server listed within your server's IP configuration contains the appropriate service records for the existing Active Directory forest. In order to add a new domain controller to an existing domain, you must first authenticate as an existing user within the domain that is part of the Domain Admins group.
Read-Only Domain Controller (RODC)
Because each forest must have at least one global catalog, you cannot deselect Global Catalog (GC). Additionally, you cannot select the Read-only domain controller (RODC) option because the first domain controller within a new domain must contain a read-write copy of the Active Directory database in order to create new objects. The configuration and use of Read-Only Domain Controllers (RODCs)
Install a domain in existing forest
Before you install a domain controller for a new domain within an existing forest, you must ensure that the DNS server listed within your server's IP configuration contains the appropriate service records for the existing Active Directory forest.
OU Defaults
By default, a new domain only has one OU, called Domain Controllers, that contains the computer accounts for the domain controllers within the domain. Other folders exist to organize the default objects within the domain.
Domain trust default
By default, the first parent domain within each tree trusts the first parent domain within each other tree in the same forest with two-way transitive trust relationships. Moreover, each parent domain within a tree trusts its child domains using two-way transitive trust relationships. These default trust relationships (called internal trusts) allow users to access resources in any other domain within the forest that they have been granted permission to.
Flexible Single Master Operations (FSMO)
Certain domain and forest functions must be coordinated from a single domain controller. These functions are called Flexible Single Master Operations (FSMO). A domain controller can be configured to hold a single FSMO role or all FSMO roles for its domain or forest. The first domain controller installed within the forest root domain contains all five FSMO roles, including the two forest-wide FSMO roles and the three domain-wide FSMO roles.
Global Catalog
Which of the following does an Active Directory client use to locate objects in another domain? A system that replicates the information of every object in a tree and forest so that objects can be found and accessed from any domain. A single forest can contain an unlimited number of domains. Moreover, each domain can contain an unlimited number of objects. To ensure that you can locate objects quickly within different domains, a list of all object names in the forest (called the global catalog) is stored on at least one domain controller in the forest. The global catalog is similar to a telephone book. Whereas a telephone book allows you to quickly locate a telephone number, the global catalog allows you to quickly locate an object in a remote domain. To provide fast authentication and browsing of objects within remote domains, each site within Active Directory should contain at least one copy of the global catalog. The global catalog is updated when objects are added or removed within any domain in the forest, and these updates must be replicated to all other domain controllers that hold a copy of the global catalog.
Microsoft recommended approach to groups/forests
You can use the letters A, G, U, DL, and P to remember Microsoft's recommended approach to using group membership within a forest: Add users to Global groups based on job role. Then, add these global groups to Universal groups for forest-wide use. Finally, add the appropriate global and universal groups to Domain Local groups that are assigned Permissions to a resource.
group scopes
______________________ allow administrators to organize the assignment of rights and permissions across multiple domains:
• Global
• Domain local
• Universal
Each group scope places restrictions on the objects that the groups can contain as well as the domains within the forest that can access them.
Security Groups
________________________ are the default group type within Active Directory and can be assigned rights and permissions that apply to the members of the group.
distribution groups
_________________________ are designed for use with an email system, such as Microsoft Exchange Server. When you send an email to a distribution group, the email system sends it to all of the user accounts that are members of the ____________________.
Security Accounts Manager (SAM)
A registry file / Active Directory database where Windows local user and group accounts are stored.
2018 Workgroups user
All additional local user accounts are added to this group by default. This group allows you to log into the system and perform most non-administrative tasks. Other default local group accounts are often used by applications or to provide specific rights and permissions.
Users - OU
contains the default Administrator and Guest domain user accounts (Guest is disabled by default as a security measure), as well as the default security groups within the domain (e.g., Domain Admins, Domain Users, and Domain Guests). For the forest root domain, this folder also contains the Schema Admins and Enterprise Admins groups.
ForeignSecurityPrincipals -OU
contains users, groups, and computers from other domains that are members of groups within the local domain
domain
Domains are often used to represent a single business unit within an organization. Because the domains share the same core domain name, we refer to them as the domain2.com tree. The domain2.com domain is called the parent domain within the tree, and the europe.domain2.com and asia.domain2.com domains are called child domains. A domain is created when at least one domain controller hosts the Active Directory database for that domain. If additional domain controllers are added to a domain, authentication requests will be distributed between the domain controllers to ensure greater performance. Furthermore, you should plan to have a minimum of two domain controllers within each domain to ensure that domain authentication can occur if a domain controller fails.
Stolen RODC
In the event that an RODC is stolen, you can force Active Directory to reset the passwords for all user account objects that contain a password attribute on the RODC by deleting the RODC computer account itself.
Azure Active Directory
is an Active Directory service within the Microsoft Azure cloud. It provides the same single sign-on features of Active Directory, but is designed to allow access to cloud applications, such as Office 365. It can be configured to trust an organization's Active Directory forest, or mirror it using a synchronization service. Moreover, a trust relationship can be configured to allow the student accounts within Azure Active Directory to access on-premises resources within the university forest. If an organization has a robust Internet connection within each site, Azure Active Directory can even be used to replace an Active Directory forest within an organization.
2019 Workgroups Guest
minimal set of rights and permissions to resources on the system (disabled by default as a security measure).
Schema
The schema stores a list of all available object types (called classes) and their associated properties (called attributes). You must be a member of the Schema Admins group within Active Directory to modify the Active Directory schema.
Access Control List (ACL).
the resource lists for your local user account within
Site object, subnet objects,
to control replication within an organization using objects within Active Directory. A site object (or site) represents a physical location in your organization and may be associated with one or more subnet objects that represent IP networks that contain domain controllers.
disjointed namespace.
Different trees in the same forest do not share the same DNS domain name, and are said to have a __________________ ___________________.
Role Seizure
you can force another domain controller to assume the FSMO role. This process is called role seizure. If the domain controller that originally held the FSMO role becomes available again, it will receive notice that the role has been seized and automatically forfeit the role.
prestaging
you can pre-create computer accounts for computers within the appropriate OUs prior to joining the computer to the domain (a process called prestaging). This eliminates the need to move the computer account after the computer joins the domain.
Logging in as Domain User
your user name and password are authenticated by a domain controller on the network. Each domain controller has a centralized copy of the Active Directory database that contains domain user accounts. After the domain controller validates your user name and password, it issues your computer an encrypted token that lists your domain user account,
objects
Domain user, group, and computer accounts are stored as objects.
contiguous namespace
Domains within the same tree share the same DNS domain name, and are said to have a ____________________________________.
domain functional levels
Each version of Windows Server since Windows 2000 contains additional Active Directory features that are unavailable in previous versions. However, it is impractical for most organizations to upgrade or replace all domain controllers with new ones each time a new version of Windows Server is released. Thus, each Active Directory domain contains domain functional levels to allow backward compatibility to older versions of Active Directory. Domain functional levels only apply to the domain controllers that host the Active Directory database for a domain. A domain at the Windows Server 2016 domain functional level can still contain clients and other servers that are running legacy operating systems such as Windows XP or Windows NT4 Server. Each domain in a forest can operate at a different functional level.
General—User Objects
Enables you to enter or modify personal information about the account holder that includes the first name, last name, and name as it is displayed in the console, description of the user or account, office location, telephone number, email address, and webpage.
Member Server
A Windows Server system that is joined to an Active Directory domain but is not a domain controller and does not hold a copy of the Active Directory database.
standalone server
A Windows Server system that is part of a workgroup is often called
User Objects
Before a user is able to log into an Active Directory domain, you must create a domain user account object for them in the appropriate OU.
forest functional level
Some Active Directory features require that all domains within the forest be at a minimum domain functional level. As a result, an Active Directory forest maintains a forest functional level that defines the minimum domain functional level required for each domain within the forest. In order to raise your forest functional level, you must ensure that all domains are first raised to the same domain functional level.
Shortcut trust
To speed up resource access, you can manually create a ___________________________ directly between the asia.domain2.com and domain1.com domains.
Powershell and groups
Windows PowerShell can also create groups and manage their membership. For example, to create a Marketing-G global security group within the Marketing OU under the domainX.com domain, you can run the New-ADGroup -Path "OU=Marketing,DC=domainX,DC=com" -Name "Marketing-G" -GroupScope Global -GroupCategory Security command. To add group members to the Marketing-G group, you can run the Add-ADGroupMember -Identity Marketing-G command, and specify group members when prompted.
Using the Active Directory Administrative Center
Windows Server 2019 contains another graphical Active Directory management tool called the Active Directory Administrative Center. Like Active Directory Users and Computers, this tool can be used to create and manage OU, user, group, and computer objects. It uses a minimal color interface that is similar to the one provided by Server Manager. As a result, many administrators prefer using the Active Directory Users and Computers tool for object management.
forests
______________ are used to provide for multiple domains within the same organization. The first domain in a _______________ is called the ______________ root domain.
Trust relationships, trusts
___________________________ (often referred to as _______________ ) allow users to access resources within other domains that they have been granted access to within the resource's ACL.
2019 Workgroups Admin
assigned administrative rights as well as permissions to most resources on the system. In addition to Administrator and Guest, you may also see additional local user accounts that are used by applications on the system.
forest-wide authentication
authenticate remote users prior to accessing a resource across the trust (forest-wide authentication), or authenticate remote users only after determining that the resource is accessible by the user (selective authentication).
Join computer to AD - computer account
A computer account is created for your computer within the Active Directory database. This computer account contains an encryption key that is used to encrypt the communication between your computer and the domain controllers in the domain during the authentication process.
Computers -OU
contains computer accounts for computers that join the Active Directory domain. Normally, these accounts are moved to the appropriate OU afterward.
Builtin (OU)
contains domain local security groups that were previously local groups within the SAM database on the computer that was promoted to become the first domain controller in the domain (e.g., Administrators, Users, and Guests)
Managed Service Accounts - OU
contains user accounts within Active Directory that represent one or more services on a computer.