System Administration and IT Infrastructure Services. Week 4: Directory Services

When you create an Active Directory domain, what's the name of the default user account?

Administrator; The default user in an AD domain is Administrator.

When you log into a website that uses a directory service, what command authenticates your username and password?

Bind; When you log into a website that uses a directory service, the website uses LDAP to check that the user account exists in the user directory and that the password is valid. If it's valid, you'll be granted access to that account.

What does the LDAP Bind operation do exactly?

authenticates a client to the directory server; A client authenticates to a directory server using the Bind operation. This could either be: (1) an anonymous bind; (2) a simple bind, where the password is sent in plaintext; or (3) a SASL bind, which involves a secure challenge-response authentication scheme.

What roles does a directory server play in centralized management? Check all that apply.

authorization, centralized authentication, accounting; A directory server offers a centralized mechanism for handling authentication, authorization, and accounting. This is much more convenient and secure, compared to a bunch of disconnected local systems.

What's the difference between a policy and a preference?

A policy is enforced by AD, while a preference can be modified by a local user; Policies are settings that are enforced and reapplied regularly by AD, while preferences are defaults for various settings, but can be modified by users.

What does a directory server provide?

a lookup service for an organization; A directory service allows members of an organization to look up information about the organization, like network resources and their addresses.

How does a client discover the address of a domain controller?

It makes a DNS query, asking for the SRV record for the domain; The client will make a DNS query, asking for the SRV record for the domain. The SRV record contains address information for domain controllers for that domain.

Which of the following are authentication types supported by the LDAP Bind operation? Check all that apply.

anonymous, simple, SASL; Bind operations support three different mechanisms for authentication: (1) Anonymous, which doesn't actually authenticate at all, and allows anyone to query the server; (2) Simple, which involves sending the password in plaintext; and (3) SASL, or Simple Authentication and Security Layer, which involves a secure challenge-response authentication mechanism.

In Active Directory, a Domain Controller functions as which of the following? Check all that apply.

A Kerberos authentication server, a DNS server, a server that holds a replica of the Active Directory database

Which component of an LDAP entry contains the unique entry name?

Distinguished Name; The distinguished name, or DN, is the unique name for an LDAP entry.

The following command is typed into PowerShell: Add-Computer -DomainName 'mywebsite.com' -Server 'dc2'. What does this command do?

Joins a computer to the domain mywebsite.com using Domain Controller 2; We can join computers to the domain from PowerShell. Now, our new computer will use this Active Directory domain for authentication, and we can use Group Policy to manage this machine.

Select the right order of enforcement of GPOs:

Site -> Domain -> OU; When GPOs collide, they're applied according to site first and domain second. Then, any OUs are applied from least specific to most specific.

Which of the following could prevent you from logging into a domain-joined computer? Check all that apply.

You're unable to reach the domain controller, the user account is locked, the time and date are incorrect; If the machine is unable to reach the domain controller for whatever reason, it wouldn't be able to authenticate against AD. Since AD authentication relies on Kerberos for encryption, authentication against AD will depend on the time being synchronized to within five minutes between the server and the client. And of course, if the user account is locked, you won't be able to authenticate to the account or log into the computer.

Directory services store information in a hierarchical structure. Which statements about Organizational Units (OUs) of a directory service hierarchy are true? Check all that apply.

Sub-member OUs inherit the characteristics of their parent OU; any changes made to the higher-level users' OU would affect all sub-OUs. Specific files within an OU, or container, are called "objects"; objects are particular data points within any given Organizational Unit (container), for example, user information. Changes can be made to one sub-OU without affecting other sub-OUs within the same parent; for example, we could enforce stricter password requirements for employees organized under one particular OU than another.

Which of these are components of an LDAP entry? Check all that apply.

Common Name, Distinguished Name; The Common Name contains a descriptor of the object, like the full name for a user account. A Distinguished Name is the unique name for the entry, and includes the attributes and values associated with the entry.

Which of these are common reasons a group policy doesn't take effect correctly? Check all that apply.

Kerberos may have issues with the UTC time on the clock; Kerberos, the authentication protocol that AD uses, is sensitive to time differences. If the domain controller and computer don't agree on the UTC time (usually to within five minutes), then the authentication attempt will fail. Fast Logon Optimization may delay GPO changes from taking effect; Fast Logon Optimization means the group policy engine applies policy settings to the local machine that may sacrifice the immediate application of some types of policies in order to make logon faster. It can mean that some GPO changes take much longer to be automatically applied than you might expect. Replication failure may occur; Replication failure is one reason that a GPO might fail to apply as expected. Changes have to be replicated out to other domain controllers. If replication fails, then different computers on your network can have different ideas about the state of directory objects, like Group Policy Objects.

To manage OpenLDAP policies over Command Line Interface (CLI), a certain type of file is needed. What is this type of file called?

LDIF files; LDIF stands for LDAP Data Interchange Format, and is a form of notation. An LDIF file is just a text file that lists attributes and values that describe something in LDIF notation.

Which of these are advantages of centralized management using directory services? Check all that apply.

Role-based Access Control (RBAC) can organize user groups centrally; In most organizations, access to computer and network resources is based on your role in the organization. If you or another person changes roles in the company, then all you have to do is change the user groups that you're a part of, not the rights that you have to directly access resources. Access and authorization are managed in one place; Creating user accounts and granting access to resources can be done all in one place using centralized management! Configuration management is centralized; Having access to configuration management in one place allows us to set up printers, configure software, or mount network filesystems without having to do it separately on each computer!

What are Group Policy Objects?

Settings for computers and user accounts in AD; GPOs are objects in AD that hold settings and preferences, which can be applied to user accounts or computer accounts. GPOs allow for centralized management of accounts and computers.

With a brand new AD domain, what do you need to change before you can target groups of users and machines with GPOs?

You need to place users and computers into new OUs; Since GPOs can only be applied to sites, domains, and OUs, and because the default users and computers groups in AD are not OUs, GPOs cannot target these groups directly. In order to target specific groups of users or computers, new OUs need to be created, and users or accounts need to be added to them.

Joining a computer to an AD domain provides which of the following advantages? Check all that apply.

centralized authentication, centralized management with GPOs; Active Directory can be used to centrally manage computers that are joined to it by pushing Group Policy Objects. Computers joined to a domain will also authenticate using Active Directory user accounts instead of local accounts, providing centralized authentication, too.

What's the difference between changing a password and resetting a password?

changing a password requires the previous password; When changing a password, the previous password must be supplied first. When resetting the password, an administrator is able to override this and set the password without knowledge of the previous one.

True or false: Machines in the Domain Controllers group are also members of the Domain Computers group.

false; While Domain Controllers are technically computers, they're not included in the Domain Computers group. The Domain Computers group holds all computers joined to a domain for an organization, except for the Domain Controllers, which belong in the DC group.

True or false: Joining a computer to Active Directory involves joining the computer to a workgroup.

false; Joining a computer to Active Directory means binding it, or joining it, to the domain. An AD computer account is then created for it. A workgroup is a collection of standalone computers, not joined to an AD domain.

How is an Organizational Unit different from a normal container? (Options: "it's not; it's just a different name for a container", "it can hold other objects", "it can only hold other containers", "it can hold additional containers")

it can hold other objects; An Organizational Unit is a special type of container that can hold other containers and ordinary objects.

What's the most popular directory services protocol used today?

lightweight directory access protocol; LDAP is the most popular and widely used directory access protocol today.

What is Active Directory? Check all that apply.

Microsoft's implementation of a directory server, an LDAP-compatible directory server; Active Directory is Microsoft's Windows-specific implementation of a directory server. It's fully LDAP compatible, so it works with any LDAP-supported client, though it has some features unique to the Windows ecosystem.

What benefits does replication provide? Check all that apply.

redundancy, decreased latency; Directory server replication grants you redundancy by having multiple copies of the database being served by multiple servers. The added servers that provide lookup services also reduce the latency for clients querying the service.

Which of these are examples of centralized management? Check all that apply.

role-based access control, centralized configuration management; Role-based access control makes it easier to administer access rights by changing role membership and allowing for inheritance to grant permissions (instead of granting each permission individually for each user account). Centralized configuration management is an easier way to manage configurations for services and hardware. By centralizing this, it becomes easier to push changes to multiple systems at once.

In what way are security groups different from distribution groups?

security groups can be used to provide access to resources, while distribution groups are only used for email communication; Distribution groups can only be used for email communication, while security groups can be used to provide access to resources to members of the group.

What can we use to determine what policies will be applied for a given machine? (Options: "gpupdate", "control panel", "a test domain", "an RSOP report")

test domain; Not quite. A test domain could be useful for testing the outcome and behavior of group policy configuration options; it wouldn't be a good way to figure out the overall list of policies that would be applied, though.

Which of these statements are true about Domain Controllers (DCs)? Check all that apply.

the default OU called Domain Controllers contains all Domain Controllers in the domain; Default user groups exist. The Domain Controllers user group contains all Domain Controllers in the domain. Delegation can be used in Active Directory; Just like you can set NTFS DACLs to give accounts permission in the file system, you can set Access Control Lists on Active Directory objects.

