2412 Identity with Windows Server 2016


User properties include what 8 categories?

-Account -Organization -Member of -Password Settings -Profile -Policy -Silo -Extensions

User accounts can be created by using: - - - -

-Active Directory Users and Computers -Active Directory Administrative Center -Windows PowerShell -Directory command line tool dsadd

To clone a source domain controller:

-Add the domain controller to the Cloneable Domain Controllers group -Verify app and service compatibility -Create a DCCloneConfig.xml file -Export it once, and then create as many clones as needed -Start the clones
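The five cloning steps above, carried out with the Active Directory module on the source domain controller. This is an added example, not material from the course page; the clone name, site, IP addresses and Hyper-V VM name are assumptions.

```powershell
# Added example (not from the course page): prepare a source DC for cloning.
# Run on the source DC as a Domain Admin. Clone name, site, addresses and the
# Hyper-V VM name "DC01" are illustrative assumptions.
Import-Module ActiveDirectory

$source = $env:COMPUTERNAME

# 1. Authorize the source DC to be cloned.
Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members (Get-ADComputer -Identity $source)

# 2. Verify app and service compatibility. Anything returned is not known to be
#    clone-safe and must be reviewed; once reviewed, rerun with -GenerateXml to
#    write CustomDCCloneAllowList.xml so the check passes.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw "Review the listed apps/services before cloning, then rerun with -GenerateXml."
}

# 3. Create DCCloneConfig.xml with the clone's identity. The cmdlet repeats the
#    exclusion check and refuses if the source DC is not in the cloneable group.
New-ADDCCloneConfigFile -CloneComputerName "DC-CLONE01" -SiteName "Default-First-Site-Name" `
    -Static -IPv4Address "10.0.0.21" -IPv4SubnetMask "255.255.255.0" `
    -IPv4DefaultGateway "10.0.0.1" -IPv4DNSResolver "10.0.0.10"

# 4. Shut the source DC down and export the VM once, on the Hyper-V host:
#      Export-VM -Name "DC01" -Path "D:\Export"
#    Then import it for each clone you need:
#      Import-VM -Path "D:\Export\DC01\Virtual Machines\<id>.vmcx" -Copy -GenerateNewId
# 5. Start the clones (no more than 10 at a time). The hypervisor must expose the
#    VM-Generation ID, otherwise the clone does not detect it is a copy and will not
#    promote itself; it boots into Directory Services Restore Mode instead.
```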

User accounts - - -

-Allow or deny access to sign into computers -Grant access to processes and services -Manage access to network resources

Important Special Identities include: (6)

-Anonymous Logon -Authenticated Users -Everyone -Interactive -Network -Creator Owner

A computer account begins its lifecycle when you create it and join it to your domain. Thereafter, day-to-day administrative tasks include:

-Configuring computer properties -Moving the computer between OUs -Managing the computer itself -Renaming, resetting, disabling, enabling, and eventually deleting the computer object
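The day-to-day tasks above, applied to the part of the lifecycle that most often gets neglected: finding computer objects that have stopped logging on, then disabling, annotating and moving them. This is an added example, not code from the course page; it assumes the Active Directory module, an existing "Disabled Computers" OU and a 90-day inactivity threshold.

```powershell
# Added example (not from the course page): review and retire stale computer
# accounts. The OU name and 90-day threshold are assumptions.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$disabledOU = "OU=Disabled Computers,$domainDN"   # assumed to exist
$inactive   = New-TimeSpan -Days 90

# Search-ADAccount evaluates lastLogonTimestamp, which replicates (with up to
# 14 days of slack), so any DC gives a usable answer.
$stale = Search-ADAccount -AccountInactive -TimeSpan $inactive -ComputersOnly |
         Where-Object { $_.Enabled }

foreach ($c in $stale) {
    $comp = Get-ADComputer -Identity $c.DistinguishedName -Properties OperatingSystem, PrimaryGroupID

    # Never touch domain controllers this way: 516 = Domain Controllers, 521 = RODCs.
    if ($comp.PrimaryGroupID -in 516, 521) { continue }

    Disable-ADAccount -Identity $comp
    Set-ADComputer -Identity $comp -Description ("Disabled {0:yyyy-MM-dd} for inactivity" -f (Get-Date))
    Move-ADObject -Identity $comp.DistinguishedName -TargetPath $disabledOU
    Write-Output ("Disabled and moved {0} ({1}, last logon {2})" -f $comp.Name, $comp.OperatingSystem, $c.LastLogonDate)
}

# Later lifecycle steps use the same objects: Enable-ADAccount to bring one back,
# Rename-ADObject -NewName for a rename, Reset-ComputerMachinePassword (on the
# client) to reset, and Remove-ADComputer to delete after the retention period.
```

Disable rather than delete first: a deleted computer object loses its SID, so a restore after a mistaken cleanup means rejoining the machine, whereas a disabled object can simply be re-enabled.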

Considerations for naming users include: - -

-Naming formats -UPN suffixes
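User creation from the tools listed above, with the two naming considerations enforced: a fixed sAMAccountName format and a UPN suffix that is actually registered on the forest. This is an added example, not code from the course page; the OU, the UPN suffix "contoso.com" and the sample names are assumptions.

```powershell
# Added example (not from the course page): create a user with a consistent
# naming format and a verified UPN suffix. OU, suffix and names are assumptions.
Import-Module ActiveDirectory

function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $UpnSuffix,
        [Parameter(Mandatory)] [string] $OU,
        [Parameter(Mandatory)] [securestring] $InitialPassword
    )

    # Naming format: first initial + surname, lower case, at most 20 characters
    # (the sAMAccountName limit for users).
    $sam = ("{0}{1}" -f $GivenName.Substring(0, 1), $Surname).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Only accept UPN suffixes registered on the forest or the domain's own DNS name;
    # an unregistered suffix makes the UPN unusable for sign-in.
    $allowed = @((Get-ADForest).UPNSuffixes) + @((Get-ADDomain).DNSRoot)
    if ($UpnSuffix -notin $allowed) {
        throw "UPN suffix '$UpnSuffix' is not registered; add it with Set-ADForest -UPNSuffixes @{Add='$UpnSuffix'}"
    }

    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        throw "sAMAccountName '$sam' already exists; apply the naming-collision rule before creating."
    }

    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
        -Path $OU -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru
}

$pw = Read-Host -AsSecureString -Prompt "Initial password"
New-StandardUser -GivenName "Ada" -Surname "Lovelace" -UpnSuffix "contoso.com" `
    -OU "OU=Staff,DC=corp,DC=contoso,DC=com" -InitialPassword $pw
```

The same account can be created with dsadd user, Active Directory Users and Computers or the Administrative Center; the value of the script form is that the naming and suffix rules are checked every time rather than remembered.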

What are some of the terms that are used for single master operations in AD DS

-Operations master (or operations master role) -Single master role -Flexible single master operations (FSMO)

Transferring a FSMO role is:

-Planned -Done with the latest data -Performed through snap-ins, Windows PowerShell, or ntdsutil.exe

You might clone domain controllers for:

-Rapid deployment -Private clouds -Recovery strategies

three scenarios in which a secure channel might be broken

-Reinstalling a computer, even with the same name, generates a new SID and a new computer account password -Restoring a computer from an old backup or rolling back a computer to an old snapshot (the restored password no longer matches the one stored in AD DS) -The computer and the domain disagreeing about what the computer account password is

Computers, like users, are security principals, in that:

-They have an account with a logon name and a password that Windows Server changes automatically on a periodic basis -They authenticate with the domain -They can belong to groups and have access to resources, and you can configure them by using Group Policy

Carefully manage the default groups that provide administrative privileges, because these groups: - -

-Typically have broader privileges than are necessary for most delegated environments -Often apply protection to their members

Seizing a FSMO role is:

-Unplanned and a last resort -Done with incomplete or out-of-date data -Performed through Windows PowerShell or ntdsutil.exe

Sometimes you need to install additional domain controllers in your Windows Server 2016 domain, for reasons such as:

-You need additional resources at a site because the existing domain controllers are overworked -You are opening a new remote office that requires you to deploy one or more domain controllers -You are creating an off-site disaster recovery location

Best practices for domain controller virtualization

-Avoid single points of failure -Use the Windows Time service (W32Time) for time synchronization -Use virtualization technology that supports the virtual machine generation identifier (VM-Generation ID) -Avoid or disable checkpoints (snapshots) -Be aware that whoever controls the virtualization host controls the domain controller, so secure the host accordingly -Consider taking advantage of cloning in your deployment or recovery strategy -Start a maximum of 10 new clones at the same time -Consider using virtualization technologies that allow virtual machine guests to move between sites -Adjust your naming strategy to allow for domain controller clones

divide OUs - -

-by administration -to facilitate configuration with group policy

Options for resetting the secure channel: (6)

-nltest -netdom -Active Directory Users and Computers -Active Directory Administrative Center -Windows PowerShell -dsmod

What is a global catalog?

...

What are three things you can do with a user account?

1. Allow or deny users permission to sign in to computers 2. Grant users access to processes and services 3. Manage users' access to network resources

Steps to installing a domain controller on a Server Core installation of Windows Server 2016 using Server Manager:

1. Install the AD DS role 2. Run the Active Directory Domain Services Configuration Wizard

Steps to installing a domain controller on a Server Core installation of Windows Server 2016 using Windows PowerShell

1. Install the files by running the command: Install-WindowsFeature AD-Domain-Services 2. Install the domain controller role by running the command Install-ADDSDomainController
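The two PowerShell steps above, expanded into the form you would actually run on a Server Core machine being promoted as an additional domain controller, with the prerequisite check run first. This is an added example, not code from the course page; the domain name, site, paths and the interactive prompts are assumptions.

```powershell
# Added example (not from the course page): promote a Server Core machine to an
# additional DC in an existing domain. Run from an elevated PowerShell session.
# Domain, site and paths are assumptions.

# Step 1: install the binaries (and the RSAT tools, so the ADDSDeployment module is present).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$domain = "corp.contoso.com"
$cred   = Get-Credential -Message "Domain Admin account for $domain"
$dsrm   = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

$params = @{
    DomainName                    = $domain
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = "Default-First-Site-Name"
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
}

# Dry run: validates credentials, DNS, OS version and forest/domain prerequisites
# without changing anything.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw "Prerequisite check failed; fix the issues above before promoting."
}

# Step 2: the real promotion. Add -InstallationMediaPath "C:\IFM" to seed the
# database from media created with ntdsutil instead of replicating everything.
Install-ADDSDomainController @params -NoRebootOnCompletion -Force
Restart-Computer
```

Keep the DSRM password somewhere recoverable: it is the only local credential that works on the server when AD DS is offline, for example during an authoritative restore.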

AD DS sign-in process

1. The user account is authenticated to the domain controller 2. The domain controller returns a TGT back to client 3. The client uses the TGT to apply for access to the workstation 4. The domain controller grants access to the workstation 5. The client uses the TGT to apply for access to the server 6. The domain controller returns access to the server

The results of DNS queries for domain controllers are returned in this order:

1. same site 2. next closest site 3. a random list

What is an SRV record?

A Service record (SRV record) is a specification of data in the DNS defining the location (ie hostname and port number) of servers for specified services.

What is SYSVOL

A shared folder that contains Group Policy Objects and scripts

describe this cmdlet: Add-ADPrincipalGroupMembership

Adds group membership to objects

describe this cmdlet: Add-ADGroupMember

Adds members to groups

Benefit and risk of performing an in-place upgrade to Windows Server 2016

Benefit: Except for the Prerequisite checks, all the files and programs stay in place, and no additional work is required Risk: it might leave obsolete files and dynamic-link libraries (DLLs)

Benefit and risk of Introducing a new server running Windows Server 2016 and promoting it to be a domain controller

Benefit: The new server has no obsolete files and settings Risk: It might require additional work to migrate administrators' files and settings

Account Operators Group location

Built-in container of each domain

Administrators Group location:

Built-in container of each domain

Backup Operators Group location

Built-in container of each domain

Print Operators Group location

Built-in container of each domain

Server Operators Group location

Built-in container of each domain

The Active Directory Schema consists of which two items

Classes and Attributes

What is the fastest way to deploy domain controllers in a virtualized environment?

Cloning is the fastest way to deploy multiple computers that are identically configured, especially when those computers run in a virtualized environment such as Hyper-V

Clients find domain controllers through _______ lookup

DNS
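How clients find domain controllers through DNS, and the site-first ordering described above, shown from a domain-joined client. This is an added example, not code from the course page; the domain name is an assumption.

```powershell
# Added example (not from the course page): locate DCs the way the DC Locator
# does, site-specific SRV records first, then the domain-wide list. The domain
# name is an assumption.
$domain = "corp.contoso.com"
$site   = (nltest /dsgetsite) | Select-Object -First 1   # first output line is the client's site

function Get-DcSrvRecords {
    param([string] $Domain, [string] $Site)
    $names = @()
    if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }   # same site
    $names += "_ldap._tcp.dc._msdcs.$Domain"                                # all DCs in the domain
    foreach ($n in $names) {
        Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object @{ n = 'Query'; e = { $n } }, NameTarget, Port, Priority, Weight
    }
}

Get-DcSrvRecords -Domain $domain -Site $site | Format-Table -AutoSize

# The locator's own answer, including the site it used and the DC's flags
# (GC, PDC, writable, and so on):
nltest /dsgetdc:$domain

# If the SRV records are missing, Netlogon on a DC re-registers them with:
#   nltest /dsregdns
```

If the site-specific query returns nothing, the client falls back to the domain-wide record set, which is why a subnet that is not mapped to a site in AD DS Sites and Services ends up authenticating against a random, possibly remote, domain controller.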

describe this cmdlet: Disable-ADAccount

Disables a user account

describe this cmdlet: Get-ADGroup

Displays properties of groups

Kind of group that cannot be given permissions

Distribution Groups

Kind of group that is not security enabled (no SID)

Distribution Groups

Kind of group that is only used with email applications

Distribution Groups

________________ have the same membership possibilities as local groups but can be given permissions to resources anywhere in the domain

Domain local groups

What are the two Forest FSMOs?

Domain naming master Schema master

Logical components

Domains, Partitions, Sites, Containers, Schema, Domain trees, Forests, OUs

describe this cmdlet: Enable-ADAccount

Enables a user account

What does FSMO stand for?

Flexible single master operations

What are the five FSMOs?

Forest: -Domain naming master -Schema master Domain: -RID master -Infrastructure master -PDC emulator master

PowerShell command to show installed Windows Features

Get-WindowsFeature -ComputerName (name of server)

What is a partial, read-only, searchable copy of all the objects in an AD forest?

Global catalog

Physical components

Global catalog servers, Domain controllers, Data stores, RODCs

_________________ can only contain users, computers, and other global groups from the same domain and can be given permission to resources in the domain or any trusted domain

Global groups

PowerShell command to Install AD DS

Install-WindowsFeature -Name AD-Domain-Services -ComputerName (name of server)

What is a benefit of a global catalog?

It speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.

____________________ can contain users, computers, global groups, domain local groups and universal groups from the same domain, from domains in the same forest and from other trusted domains, and can be given permissions to resources on the local computer only

Local groups

describe this cmdlet: Set-ADGroup

Modifies properties of groups

describe this cmdlet: Set-ADAccountExpiration

Modifies the expiration date of a user account

PowerShell command to seize a FSMO role?

Move-ADDirectoryServerOperationsMasterRole -Identity "<servername>" -OperationsMasterRole <rolenamelist> -Force
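Transferring and seizing roles, as contrasted in the "Transferring a FSMO role" and "Seizing a FSMO role" cards and the seize command above, shown with the checks that surround the command in practice. This is an added example, not code from the course page; the target DC name "DC02" is an assumption.

```powershell
# Added example (not from the course page): report role holders, transfer roles
# in a planned move, and seize only when the holder is gone. "DC02" is assumed.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide
        PDCEmulator          = $d.PDCEmulator           # per domain
        RIDMaster            = $d.RIDMaster             # per domain
        InfrastructureMaster = $d.InfrastructureMaster  # per domain
    }
}

Get-FsmoHolders | Format-List

$target = "DC02"

# Planned transfer: both DCs are online, the current holder replicates its latest
# data to the new holder before giving the role up.
Move-ADDirectoryServerOperationsMasterRole -Identity $target `
    -OperationsMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure: last resort when the holder is unrecoverable. -Force attempts a transfer
# first and seizes only if that fails. The old holder must never come back online
# afterwards (clean up its metadata instead), or two DCs will claim the same role;
# for the RID master that means duplicate SIDs being issued.
$oldHolder = (Get-FsmoHolders).InfrastructureMaster
if (-not (Test-Connection -ComputerName $oldHolder -Count 2 -Quiet)) {
    Move-ADDirectoryServerOperationsMasterRole -Identity $target `
        -OperationsMasterRole InfrastructureMaster -Force -Confirm:$false
}

Get-FsmoHolders | Format-List
```

The -OperationsMasterRole parameter also accepts the numbers 0 to 4 (PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster); seizing the schema or domain naming master additionally requires Schema Admins or Enterprise Admins membership.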

You need to install a domain controller by installing from media. What should you do?

On a writeable domain controller, run ntdsutil

Options to upgrade AD DS to Windows Server 2016

Perform an in-place upgrade from Windows Server 2008 or later to Windows Server 2016 Introduce a new server running Windows Server 2016 into the domain, and then promote it to be a domain controller (this is usually preferred)

What are the three Domain FSMOs?

RID master Infrastructure master PDC emulator master

describe this cmdlet: Set-ADAccountPassword

Resets the password of a user account

____________ can simplify group management

Restricted Groups

By default, all domain controllers (other than RODCs, which hold only read-only copies) store which two of the following? SYSVOL folder GPC template Ntds.dit Global catalog

SYSVOL folder Ntds.dit

Kind of group that can also be email-enabled

Security Groups

Kind of group that can be given permissions

Security Groups

Kind of group that has a security principal with an SID

Security Groups

Servers are typically subdivided by ___________ _______

Server role

What is a domain controller

-Servers that host the AD DS database (Ntds.dit) and SYSVOL -Servers that host the Kerberos authentication service and Key Distribution Center (KDC) to perform authentication

In the multimaster replication model, some operations must be _______ _______ _______

Single master operations

__________ Are groups for which membership is controlled by the operating system

Special identities

__________ can be used by the Windows Server operating system to provide access to resources based on the type of authentication or connection, not on the user account

Special identities

What is the name of the best practice for nesting groups?

The best practice for nesting groups is known as IGDLA, which is an acronym for the following: -Identities -Global groups -Domain-local groups -Access
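IGDLA carried through end to end: identities into a global group, the global group into a domain-local group named after the resource and permission level, and the ACL granting access only to the domain-local group. This is an added example, not code from the course page; the OU, share path, group names and the two sample users are assumptions.

```powershell
# Added example (not from the course page): IGDLA in practice.
# Identities -> Global group -> Domain Local group -> Access.
# The OU, the share, the group names and the user names are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$groupOU  = "OU=Groups,$($domain.DistinguishedName)"   # assumed to exist
$share    = "\\FS01\Projects\Apollo"                    # assumed folder on a member file server

# G: a role group; its members are people (identities) from this domain.
New-ADGroup -Name "GG-Project-Apollo" -GroupScope Global -GroupCategory Security -Path $groupOU `
    -Description "Members of the Apollo project"
Add-ADGroupMember -Identity "GG-Project-Apollo" -Members "alovelace", "cbabbage"

# DL: a resource group, named for the resource and the permission level. It can hold
# global groups from any trusted domain, so the resource's ACL never changes when
# another domain's team joins the project.
New-ADGroup -Name "DL-Apollo-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
    -Description "Modify on $share"
Add-ADGroupMember -Identity "DL-Apollo-Modify" -Members "GG-Project-Apollo"

# A: the ACL references only the domain-local group.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$($domain.NetBIOSName)\DL-Apollo-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify the chain: the effective members of the DL group are exactly the project's people.
Get-ADGroupMember -Identity "DL-Apollo-Modify" -Recursive | Select-Object SamAccountName
```

When someone leaves the project, the only change is Remove-ADGroupMember on the global group; neither the domain-local group nor the file server ACL is touched.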

What are some signs of a broken domain trust relationship? (3)

The most common signs of computer account problems are: -Messages at sign-in indicate that a domain controller cannot be contacted, that the computer account might be missing, that the password on the computer account is incorrect, or that the trust relationship (that is, the secure channel) between the computer and the domain has been lost -Error messages or events in the event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. One such error is NETLOGON Event ID 3210: Failed to Authenticate, which appears in the computer's event log -A computer account is missing in AD DS
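Diagnosing the signs above and then repairing the secure channel with the tools listed under "Options for resetting the secure channel" (Test-ComputerSecureChannel is the Windows PowerShell option; nltest and netdom are shown alongside it). This is an added example, not code from the course page; the domain name and the credential prompt are assumptions, and it runs on the affected member computer as a local administrator.

```powershell
# Added example (not from the course page): diagnose and repair a broken secure
# channel from the affected member. Domain name and credential are assumptions.
$domain = "corp.contoso.com"

# 1. Does the machine's secure channel to a DC still verify?
if (Test-ComputerSecureChannel -Verbose) {
    Write-Output "Secure channel OK; look elsewhere (DNS, time skew, firewall)."
    return
}

# 2. Corroborate with Netlogon: event 3210 (authentication failed) or 5719
#    (no DC available) in the System log, and nltest's own verification.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719 } -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
nltest /sc_verify:$domain

# 3. Repair: reset the computer account password on both the member and in AD DS.
#    This needs an account that can reset the computer object (Domain Admin or
#    delegated). No reboot is required if it succeeds.
$cred = Get-Credential -Message "Account allowed to reset this computer's password"
if (Test-ComputerSecureChannel -Repair -Credential $cred) {
    Write-Output "Secure channel repaired."
} else {
    # Equivalent command-line repair, for reference (run elevated):
    #   netdom resetpwd /server:dc01.corp.contoso.com /userd:corp\admin /passwordd:*
    # If the computer object no longer exists in AD DS, no reset can succeed:
    # the machine must be rejoined (Add-Computer -DomainName $domain -Credential $cred).
    Write-Warning "Repair failed; confirm the computer object still exists in AD DS (Get-ADComputer) and rejoin if it was deleted."
}
```

Resetting from the domain side alone (dsmod computer /reset, or Reset Account in Active Directory Users and Computers) only fixes the AD DS half of the password and forces a rejoin; Test-ComputerSecureChannel -Repair and netdom resetpwd update both sides in one step.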

What are the two main purposes of OUs?

The two main purposes of OUs are to provide a framework for the delegation of administration and to provide a structure that enables targeted GPO deployment.

What is a risk associated with performing an in-place upgrade from Windows Server 2008 to Windows Server 2016?

The upgrade might leave obsolete files and dynamic-link libraries (DLLs).

What does TGT stand for?

Ticket Granting Ticket

________________ can contain users, computers, global groups and other universal groups from the same domain or domains in the same forest and can be given permissions to any resource in the forest

Universal groups

describe this cmdlet: Unlock-ADAccount

Unlocks a user account after it has become locked after too many incorrect sign in attempts

Cert Publishers Group location

Users container of each domain

Domain Admins Group location

Users container of each domain

Enterprise Admins Group location:

Users container of the forest root domain

Schema Admins Group location:

Users container of the forest root domain
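A membership audit covering the built-in and Users container groups listed in the location cards above, with the follow-up check the "Often apply protection to their members" card points at: accounts that still carry AdminSDHolder protection after leaving a protected group. This is an added example, not code from the course page; it assumes the Active Directory module and runs in whichever domain the session is joined to.

```powershell
# Added example (not from the course page): enumerate effective membership of the
# default administrative groups and flag orphaned AdminSDHolder-protected accounts.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Groups in the Built-in and Users containers exist in every domain; Enterprise
# Admins and Schema Admins exist only in the forest root domain.
$privileged = @(
    "Administrators", "Account Operators", "Backup Operators", "Print Operators", "Server Operators",
    "Domain Admins", "Cert Publishers"
)
if ($domain.DNSRoot -eq $forest.RootDomain) { $privileged += "Enterprise Admins", "Schema Admins" }

$report = foreach ($g in $privileged) {
    $grp = Get-ADGroup -Identity $g
    # -Recursive expands nested groups, so this is effective membership, not direct.
    foreach ($m in Get-ADGroupMember -Identity $grp -Recursive) {
        [pscustomobject]@{
            Group     = $g
            Container = ($grp.DistinguishedName -split ',', 2)[1]
            Member    = $m.SamAccountName
            Class     = $m.objectClass
        }
    }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Protected groups get AdminSDHolder's ACL stamped on their members (adminCount=1,
# inheritance disabled) and that stamp is NOT removed when the member leaves.
# Users with adminCount=1 that are no longer in any protected group are orphans:
# review them, then clear adminCount and re-enable inheritance if they should be ordinary users.
$current = $report.Member | Sort-Object -Unique
Get-ADUser -LDAPFilter "(adminCount=1)" |
    Where-Object { $_.SamAccountName -notin $current -and $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, DistinguishedName
```

Account Operators, Server Operators, Backup Operators and Print Operators are all paths to domain controller compromise (they can log on to DCs, manipulate accounts or restore arbitrary files there), which is why the recommendation is to keep them empty and delegate the specific rights at the OU level instead.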

Best practice is to create OUs for ______ ______

computer objects

describe this cmdlet: New-ADGroup

creates new groups

describe this cmdlet: New-ADUser

creates user accounts

describe this cmdlet: Remove-ADGroup

deletes group

describe this cmdlet: Remove-ADUser

deletes user accounts

describe this cmdlet: Get-ADGroupMember

displays membership of groups

You need to join a computer to a domain without communicating directly with an online domain controller. Which command-line tool should you use?

djoin is the command-line tool to perform an offline domain join

What can you use to configure user attributes?

You can configure user attributes by using Active Directory Administrative Center, Active Directory Users and Computers, Windows PowerShell (Set-ADUser), or the dsmod command-line tool.

Domain controllers ________ register their addresses with DNS

dynamically

What is this: djoin.exe /Provision /Domain <DomainName> /Machine <MachineName> /SaveFile <filepath>

how to create a domain join file

What is this: djoin.exe /requestODJ /LoadFile <filepath> /WindowsPath <path to the windows directory of the offline image>

how to import the domain join file

describe this cmdlet: Set-ADUser

modifies properties of user accounts

use ______________ to join computers to a domain when they cannot contact a domain controller

offline domain join
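The offline domain join procedure from the djoin cards above, run end to end: provision on a domain-joined administrative workstation, apply the blob to the offline machine or image, then verify. This is an added example, not code from the course page; the domain, machine name, OU, file paths and mount path are assumptions.

```powershell
# Added example (not from the course page): offline domain join with djoin.exe.
# Domain, machine name, OU and paths are assumptions. Steps 1 and 3 run on a
# domain-joined admin workstation; step 2 runs against the target machine or image.
$domain  = "corp.contoso.com"
$machine = "WS-OFFLINE01"
$blob    = "C:\ODJ\$machine.txt"
$ou      = "OU=Workstations,DC=corp,DC=contoso,DC=com"   # assumed to exist

# 1. Create the computer account and write the join blob. Requires rights to create
#    computer objects in the target OU. Add /REUSE to re-provision an existing account.
djoin.exe /PROVISION /DOMAIN $domain /MACHINE $machine /MACHINEOU $ou /SAVEFILE $blob
if ($LASTEXITCODE -ne 0) { throw "Provisioning failed (exit code $LASTEXITCODE)" }

# The blob carries the machine account's credentials: treat it as a secret, move it
# over a protected channel only, and delete it once it has been applied.

# 2a. Apply to an offline Windows image (WIM/VHD mounted at D:\Mount):
#       djoin.exe /REQUESTODJ /LOADFILE C:\ODJ\WS-OFFLINE01.txt /WINDOWSPATH D:\Mount\Windows
# 2b. Or apply to the running, not yet joined, target and reboot it:
#       djoin.exe /REQUESTODJ /LOADFILE C:\ODJ\WS-OFFLINE01.txt /WINDOWSPATH $env:SystemRoot /LOCALOS
#       Restart-Computer
#     The join completes the first time the machine can reach a domain controller.

# 3. Back on the admin workstation: confirm the account exists, then remove the blob.
Import-Module ActiveDirectory
Get-ADComputer -Identity $machine -Properties whenCreated, OperatingSystem |
    Select-Object Name, DistinguishedName, whenCreated
Remove-Item -Path $blob -Force
```

Provisioning to a specific OU with /MACHINEOU matters for security as well as tidiness: the account lands under the Group Policy intended for workstations from its first logon rather than in the default Computers container.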

client computers are typically subdivided by ______

region

describe this cmdlet: Remove-ADGroupMember

removes members from groups
