Chapter 1: Active Directory

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

SYSVOL folder

A shared folder that stores information from Active Directory that's replicated to other domain controllers.

Folder Redirection node

Admins can use to redirect users' profile folders to a network share.

Schema (objects and their attributes)

All domains in a forest share the same ____________. This is why some would like to operate w/ separate trusted forests.

Organizational Unit (OU)

An Active Directory container used to organize a network's users and resources into logical administrative units. Contains active directory objects (user accounts, groups, computer accounts, printers, shared folder, applications, servers, and domain controllers). Example: each department

directory service

An application that stores, organizes, and provides access to information in a directory.

Enterprise Admins

Can add or remove domains from th forest and have administrative access to every domain in the forest.

Policy-based QoS node

Can be used to prioritize and control outgoing network traffic from a computer.

Singe Schema Forestwide administrative accounts (schema admins & enterprise admins) Operations masters Global catalog Trusts b/w domains Replication b/w domains

Characteristics of a Forest

Active Directory forest

Collection of one or more trees. Can consist of single tree or several, each with a hierarchy of parent and child domains, each tree has a different naming structure.

Software settings Contains software installation extension, enables admin to install and manage applications remotely by assigning them to install automatically. Windows settings contains Name Resolution Policy node, scripts extension, security settings node, and policy-based QoS node. Admins can create scripts that run at computer startup or shutdown. Administrative Templates Contains Control Panel, Network, Printers, System, and Windows Components folders. Affects computer settings that apply to all logged-on users.

Configuration Node 3 folders

Saved Queries folder

Contains a list of Active Directory queries you can save to repeat Active Directory searches easily.

Bulletins folder

House default groups created by Windows and is mainly used to assign permission to users who have administrative responsibilities in the domain.

object

How all information in the active directory database is organized.

Network account object

Includes severs, domain controllers, file shares, printers, and so forth.

Security account object

Includes users, groups, and computer

attribute value

Information stored in each attribute (Mary)

Active Directory

Is a directory service based on standards for defining, storing, and accessing directory service objects.

Name Resolution Policy

Stores configuration settings for DNS security and DirectAccess.

User Folder

Stores two default users (Administrators and Guest) and several default groups.

Domain Controller (DC) features:

Storing a copy of the domain data and replicating changes to that data to all other domain controllers throughout the domain. Providing data search and retrieval functions for users attempting to locate objects in the directory. Providing authentication and authorization services for users who sign in to the domain and attempt to access network resources.

forest root domain

The first domain created in a new forest. Provides functions that facilitate and manage communication b/w domains in the forest as well as b/e forest. (If it's down, the entire Active Directory stops working).

OU Folder Domain

Three container objects

Domain Name System (DNS) server (install unless existing DNS server) Global Catalog (1st DC in a forest must be GC) Read only domain controller (RODC) disabled for 1st DC

Three options for domain controller capabilities

Default Domain Policy (linked to domain object and specifies default settings that affect all users and computers in the domain, such as password and logon requirements) Default Domain Controllers Policy (linked to the Domain controllers OU and specifies default policy settings for all domain controllers in the domain, pertain mainly to users rights assignments, specify the types of actions users can perform on a DC.

Two GPO's are created and linked to two containers when Active Directory installed.

To provide a common Active Directory environment in which all domains in all trees can communicate with one another and share information yet allow independent operation and administration of each domain.

What is the main purpose of a forest?

Child domains (sub-domains)

have the same second-level and top-level domain names as the parent domain.

Active Directory Objects

is a group of information that describes a network resource, such as a shared printer, an organizing structure, such as domain or OU; or an account, such as user, group, or computer.

OU (Organizational Unit)

is the primary container object for organizing and managing resources in a domain. Used to organize objects into logical administrative groups. Can use to apply policies that affect all objects in it. In ADUC represented by folder w/ book inside.

Active Directory Users and Computers (ADUC)

most popular GUI tool among administrators, has two panes.

DAP

required (OSI) Open Systems Interconnection protocol stack for accessing directory objects.

Top Node

shows the server and domain being managed.

Group Policy Object (GPO)

A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory. Can specify settings, deploy software, and configure a user's desktop. Can affect an entire domain, site, users or computers in an OU. Provides default security settings for all computer including domain controllers in the domain. Can be applied in four places: local computer, site, domain, and OU *Don't define any user specific policies.

Replication

Replicating important information b/w all domain controllers throughout the forest. Includes information stored in the global catalog, schema directory and configuration partitions.

Third node

Represents the domain and contains all the objects that make up the domain.

Policies Folder (under Computer Configuration & User Configuration nodes)

Settings applied are applied to users or computers and can't be overridden by users. Contains 3 folders (software settings, windows settings and administrative templates).

Active Directory Physical Structure

consist of sites and servers configured as domain controllers.

Lightweight Directory Access Protocol (LDAP)

created by the Internet Engineering Task Force (IETF), based on the X.500 Directory Access Protocol (DAP), but uses TCP/IP.

Schema

defined by active directory's contents and the functions it performs in your network. defines the type, organization, and structure of data stored in the active directory database and is shared by all domains in an active directory forest.

Network directory service

A database composed of records or objects describing users and available network resources, such as servers, printers, and applications, including features to add, modify and delete information.

Global Catalog Sever

Contains information about all objects in the forest. Facilitates domain and forestwide searches used to speed searching for objects across domains in the forest and Facilitates logon across domains allowing users to sign in to any domain in the forest using UPN (user principal name username@domain). W/o users could only sign in to computers on same domain. Holds universal group membership information and resolves user group membership rights and permissions.

Security Settings node

Contains the lions share of policies that affect computer security (including account policies, user rights, wireless network policies, registry and file system permissions and network communication policies

Managed Service Accounts Folder

Created specifically for services to access domain resources, is added to the schema in Windows Server 2008 R2. The password is managed by the system, alleviating the admin of this task. This folder is initially empty.

Schema Attributes

Define what type of information is stored in each object, such as first name, last name, and password for a user account object

Default Domain Policy

Defines several account policies, such as password and account lockout settings.

Default Domain Controller Policy

Defines user rights assignment policies but no account policies

GPO scope

Defines which objects a GPO affects

Leaf domain

Doesn't contain other objects, and usually represent security account, network resource, or GPO.

Active Directory's hierarchical database

Enables administrators organize users and network resources to reflect organization of the environment in which its used.

Bulletin Computers Foreign Security Principals Managed Services Accounts Users *can delegate admin control on all folders but Bulletin folder. All objects in a folder a subject to group policies defined at the domain level. You can move objects from their default folders (ex: Bulletin) to OU's that you create

Five folders created when active directory installed? You can not create new folder objects, or apply group policies to folder policies to folder objects.

DNS server * Global catalog server * Forestwide administrative accounts ^ Operations masters ^ * can be installed on other DC's for fault tolerance ^ must reside on a DC in the forest root domain.

Functions of forest root domain

Active Directory tree

Grouping of domains that share a common naming structure. Consist of a parent domain and maybe one or more child domains

Schema Classes

defines what type of objects that can be stored in Active Directory (user & computer accounts)

Domain

Is active directory's core structural unit. Contains OU's and folder container objects, also leaf objects (user, groups, etc) & represents administrative, security, and policy boundaries. Each has a default GPO linked to it that can affect all objects in the domain. In ADUC is represented by three tower computers

Computers Folder

Is the default location for computer accounts created when a new computer or sever becomes a domain member.

Active Directory replication

Is the transfer of information among all domain controllers to make sure they have consistent and up to date information

Assigned Apllication

Made available as an icon in the Start screen the next time a user affected by the policy sign in to a computer in the domain.

Published Application

Made available via Group Policy for a user to install by using Programs and Features in Control Panel.

Allow separate administration and to define policy boundaries.

Main reason for using multiple domains

Universal Group

Only group that can contain accounts from other domains

Schema Admins

Only users that can make changes to the schema.

Four Organizing components of Active Directory:

Organizational units Domains Trees Forests

Active Directory Structure

Physical Structure Logical Structure

Computer Configuration (affect all computers in the container (and child containers), to which GPO is linked. GPO's linked to domain objects affect all computers in the domain (includes all computers in Domain Controller OU and the computer folder). User Configuration (affect domain users w/in the GPO's scope regardless of which computer the uses signs in to. Each node contains a policies and preference folder.

Two nodes of GPO in GPMC

Password Settings Object (PSO)

Used to apply different password policies for users or groups in a domain

Container Objects

Used to organize and manage users and resources in a network A way to group objects for applying policies

Group Policy Management Console (GPMC)

Used to view, create, and manage GPO's

Software settings Contains software installation extension, application packages can be assigned or published. Windows settings contains scripts extension, security settings node, and policy-based QoS node. Admins can create scripts that run at user sign in or sign out. And control what software users can run. Administrative Templates Settings in enable admin to tightly control users' computer and network environments. Example control panel can be hidden from users, items can be made available

User Configuration Node 3 folders

Hierarchical organization Centralized but distributed database Scalability Security Flexibility Policy-based administration

What are Active Directory features?

Need for differing account policies For differing policies for different business units, Password Settings Objects can be used. Need different names identities Replication control reduced by creating separate domains Need for internal versus external domains Need for tight security

Why choose a multi-domain?

Simplicity Don't need multiple identities, separate administration, or differing account policies Lower cost Easier management Easier to move users b/w OU's than different domains Easier access to resources

Why choose a single domain?

to control the frequency of Active Directory Domain replication and to assign policies based on physical location.

Why define multiple sites?

Domain Controller (DC)

a configured server/computer running Windows 2016 w/ Active Directory Domain Services role. Can service only one domain.

Active Directory site

a physical location in which domain controllers communicate and replicate information periodically. One or more IP subnets connected by high-speed LAN technology. Each physical location with a domain controller operating in a common domain connected to a WAN

X.500

a suite protocol developed by International Telecommunications Union (ITU), basis for structure and for how Active Directory objects are named and stored.

Directory Services Restore Mode (DSRM)

boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are accidentally deleted.

Active Directory Administrative Center (ADAC)

central console for performing active directory tasks (creating & managing user, group, and computer accounts; managing OU's: and connecting other domain controllers in the same or different domain and change domain's functional level and enable the Active Directory Recycle Bin. Built on powershell, can use Windows Powershell history pane.


Ensembles d'études connexes

Structure of the Eyeball - Chambers and Fluids

View Set

Jensen Ch. 22: Neurological and Mental Status

View Set

HIUS 3490 From Motown to Hip-Hop Exam #1, Key Terms

View Set

Imperialism in China (European Spheres of Influence)

View Set

Maternal Child Nursing Rasmussen Mod 2

View Set

毗斯迦山旧约第5部分—先知书概览

View Set