2412 Identity with Windows Server 2016
User properties include what 8 categories?
-Account -Organization -Member of -Password Settings -Profile -Policy -Silo -Extensions
User accounts can be created by using: - - - -
-Active Directory Users and Computers -Active Directory Administrative Center -Windows PowerShell -Directory command line tool dsadd
To clone a source domain controller:
-Add the domain controller to the Cloneable Domain Controllers group -Verify app and service compatibility -Create a DCCloneConfig.xml file -Export it once, and then create as many clones as needed -Start the clones
User accounts - - -
-Allow or deny access to sign into computers -Grant access to processes and services -Manage access to network resources
Important Special Identities include: (6)
-Anonymous Logon -Authenticated Users -Everyone -Interactive -Network -Creator Owner
A computer account begins its lifecycle when you create it and join it to your domain. Thereafter, day-to-day administrative tasks include:
-Configuring computer properties -Moving the computer between OUs -Managing the computer itself -Renaming, resetting, disabling, enabling, and eventually deleting the computer object
Considerations for naming users include: - -
-Naming formats -UPN suffixes
What are some of the terms that are used for single master operations in AD DS?
-Operations master (or operations master role) -Single master role -Flexible single master operations (FSMO)
Transferring a FSMO role is:
-Planned -Done with the latest data -Performed through snap-ins, Windows PowerShell, or ntdsutil.exe
You might clone domain controllers for:
-Rapid deployment -Private clouds -Recovery strategies
Three scenarios in which a secure channel might be broken
-Reinstalling a computer, even with the same name, generates a new SID and password -Restoring a computer from an old backup or rolling back a computer to an old snapshot -The computer and the domain disagreeing about what the password is
Computers, like users, are security principals, in that:
-They have an account with a logon name and password that Windows Server changes automatically on a periodic basis -They authenticate with the domain -They can belong to groups and have access to resources, and you can configure them by using Group Policy
Carefully manage the default groups that provide administrative privileges, because these groups: - -
-Typically have broader privileges than are necessary for most delegated environments -Often apply protection to their members
Seizing a FSMO role is:
-Unplanned and a last resort -Done with incomplete or out-of-date data -Performed through Windows PowerShell or ntdsutil.exe
Sometimes you need to install additional domain controllers in your Windows Server 2016 domain, for reasons such as:
-You need additional resources at a site because the existing domain controllers are overworked -You are opening a new remote office that requires you to deploy one or more domain controllers -You are creating an off-site disaster recovery location
Best practices for domain controller virtualization
-Avoid single points of failure -Use the time services -Use virtualization technology with the virtual machine generation identifier feature -Avoid or disable checkpoints -Be aware of improving security -Consider taking advantage of cloning in your deployment or recovery strategy -Start a maximum of 10 new clones at the same time -Consider using virtualization technologies that allow virtual machine guests to move between sites -Adjust your naming strategy to allow for domain controller clones
Divide OUs - -
-by administration -to facilitate configuration with group policy
Options for resetting the secure channel: (6)
-nltest -netdom -Active Directory Users and Computers -Active Directory Administrative Center -Windows PowerShell -dsmod
What is a global catalog?
...
What are three things you can do with a user account?
1. Allow or deny users permissions to sign in to computers 2. Grant users access to processes and servers 3. Manage users' access to network resources
Steps to installing a domain controller on a Server Core installation of Windows Server 2016 using Server Manager:
1. Install the AD DS role 2. Run the Active Directory Domain Services Configuration Wizard
Steps to installing a domain controller on a Server Core installation of Windows Server 2016 using Windows PowerShell
1. Install the files by running the command: Install-WindowsFeature AD-Domain-Services 2. Install the domain controller role by running the command Install-ADDSDomainController
AD DS sign-in process
1. The user account is authenticated to the domain controller 2. The domain controller returns a TGT back to the client 3. The client uses the TGT to apply for access to the workstation 4. The domain controller grants access to the workstation 5. The client uses the TGT to apply for access to the server 6. The domain controller returns access to the server
The results of DNS queries for domain controllers are returned in this order:
1. same site 2. next closest site 3. a random list
What is an SRV record?
A Service record (SRV record) is a specification of data in the DNS defining the location (i.e., hostname and port number) of servers for specified services.
What is SYSVOL?
A shared folder that contains Group Policy Objects and scripts
describe this cmdlet: Add-ADPrincipalGroupMembership
Adds group membership to objects
describe this cmdlet: Add-ADGroupMember
Adds members to groups
Benefit and risk of performing an in-place upgrade to Windows Server 2016
Benefit: Except for the prerequisite checks, all the files and programs stay in place, and no additional work is required. Risk: It might leave obsolete files and dynamic-link libraries (DLLs).
Benefit and risk of Introducing a new server running Windows Server 2016 and promoting it to be a domain controller
Benefit: The new server has no obsolete files and settings. Risk: It might require additional work to migrate administrators' files and settings.
Account Operators Group location
Built-in container of each domain
Administrators Group location:
Built-in container of each domain
Backup Operators Group location
Built-in container of each domain
Print Operators Group location
Built-in container of each domain
Server Operators Group location
Built-in container of each domain
The Active Directory Schema consists of which two items
Classes and Attributes
What is the fastest way to deploy domain controllers in a virtualized environment?
Cloning is the fastest way to deploy multiple computers that are identically configured, especially when those computers run in a virtualized environment such as Hyper-V
Clients find domain controllers through _______ lookup
DNS
describe this cmdlet: Disable-ADAccount
Disables a user account
describe this cmdlet: Get-ADGroup
Displays properties of groups
Kind of group that cannot be given permissions
Distribution Groups
Kind of group that is not security enabled (no SID)
Distribution Groups
Kind of group that is only used with email applications
Distribution Groups
________________ have the same membership possibilities but can be given permission to resources anywhere in the domain
Domain local groups
What are the two Forest FSMOs?
Domain naming master, Schema master
Logical components
Domains, Partitions, Sites, Containers, Schema, Domain trees, Forests, OUs
describe this cmdlet: Enable-ADAccount
Enables a user account
What does FSMO stand for?
Flexible single master operations
What are the five FSMOs?
Forest: -Domain naming master -Schema master Domain: -RID master -Infrastructure master -PDC emulator master
PowerShell command to show installed Windows Features
Get-WindowsFeature -ComputerName (name of server)
What is a partial, read-only, searchable copy of all the objects in an AD forest?
Global catalog
Physical components
Global catalog servers, Domain controllers, Data stores, RODCs
_________________ can only contain users, computers, and other global groups from the same domain and can be given permission to resources in the domain or any trusted domain
Global groups
PowerShell command to Install AD DS
Install-WindowsFeature -Name AD-Domain-Services -ComputerName (name of server)
What is a benefit of a global catalog?
It speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.
____________________ can contain users, computers, global groups, domain local groups and universal groups from the same domain, domains in the same forest and other trusted domain and can be given permissions to resources on the local computer only
Local groups
describe this cmdlet: Set-ADGroup
Modifies properties of groups
describe this cmdlet: Set-ADAccountExpiration
Modifies the expiration date of a user account
PowerShell command to seize a FSMO role?
Move-ADDirectoryServerOperationMasterRole -Identity "<servername>" -OperationMasterRole <rolenamelist> -Force
You need to install a domain controller by installing from media. What should you do?
On a writeable domain controller, run ntdsutil
Options to upgrade AD DS to Windows Server 2016
1. Perform an in-place upgrade from Windows Server 2008 or later to Windows Server 2016 2. Introduce a new server running Windows Server 2016 into the domain, and then promote it to be a domain controller (this is usually preferred)
What are the three Domain FSMOs?
RID master, Infrastructure master, PDC emulator master
describe this cmdlet: Set-ADAccountPassword
Resets the password of a user account
____________ can simplify group management
Restricted Groups
Which two of the following do all domain controllers (except RODCs) store by default? SYSVOL folder, GPC template, Ntds.dit, Global catalog
SYSVOL folder, Ntds.dit
Kind of group that can also be email-enabled
Security Groups
Kind of group that can be given permissions
Security Groups
Kind of group that has a security principal with an SID
Security Groups
Servers are typically subdivided by ___________ _______
Server role
What is a domain controller?
Servers that host the AD DS database (Ntds.dit) and SYSVOL, and that host the Kerberos authentication service and KDC to perform authentication
In the multimaster replication model, some operations must be _______ _______ _______
Single master operations
__________ are groups for which membership is controlled by the operating system
Special identities
__________ can be used by the Windows Server operating system to provide access to resources based on the type of authentication or connection, not on the user account
Special identities
What is the name of the best practice for nesting groups?
The best practice for nesting groups is known as IGDLA, which is an acronym for the following: -Identities -Global groups -Domain-local groups -Access
What are some signs of a broken domain trust relationship? (3)
The most common signs of computer account problems are: -Messages at sign-in indicate that a domain controller cannot be contacted, that the computer account might be missing, that the password on the computer account is incorrect, or that the trust relationship (also the secure relationship) between the computer and the domain has been lost -Error messages or events in the event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. One such error is NETLOGON Event ID 3210: Failed to Authenticate, which appears in the computer's event log. -A computer account is missing in AD DS
What are the two main purposes of OUs?
The two main purposes of OUs are to provide a framework for the delegation of administration and to provide a structure that enables targeted GPO deployment.
What is a risk associated with performing an in-place upgrade from Windows Server 2008 to Windows Server 2016?
The upgrade might leave obsolete files and dynamic-link libraries (DLLs).
What does TGT stand for?
Ticket Granting Ticket
________________ can contain users, computers, global groups and other universal groups from the same domain or domains in the same forest and can be given permissions to any resource in the forest
Universal groups
describe this cmdlet: Unlock-ADAccount
Unlocks a user account after it has become locked after too many incorrect sign-in attempts
Cert Publishers Group location
Users container of each domain
Domain Admins Group location
Users container of each domain
Enterprise Admins Group location:
Users container of the forest root domain
Schema Admins Group location:
Users container of the forest root domain
Best practice is to create OUs for ______ ______
computer objects
describe this cmdlet: New-ADGroup
Creates new groups
describe this cmdlet: New-ADUser
Creates user accounts
describe this cmdlet: Remove-ADGroup
Deletes groups
describe this cmdlet: Remove-ADUser
Deletes user accounts
describe this cmdlet: Get-ADGroupMember
Displays membership of groups
You need to join a computer to a domain without communicating directly with an online domain controller. Which command-line tool should you use?
djoin is the command-line tool to perform an offline domain join
What can you use to configure user attributes?
dsmod - You can configure user attributes by using Active Directory Administrative Center, Active Directory Users and Computers, Windows PowerShell, or the dsmod command-line tool.
Domain controllers ________ register their addresses with DNS
dynamically
What is this: djoin.exe /Provision /Domain <DomainName> /Machine <MachineName> /SaveFile <filepath>
How to create a domain join file
What is this: djoin.exe /requestODJ /LoadFile <filepath> /WindowsPath <path to the windows directory of the offline image>
How to import the domain join file
describe this cmdlet: Set-ADUser
Modifies properties of user accounts
use ______________ to join computers to a domain when they cannot contact a domain controller
offline domain join
client computers are typically subdivided by ______
region
describe this cmdlet: Remove-ADGroupMember
Removes members from groups