Chapter 6 Terminology, Tools 4.2
____ password policies mean that you can now create more than one set of account policies within a domain.
Fine-grained
Attributes
In Active Directory Domain Services, the individual properties that combine to form an object.
Global Catalog
It stores a full replica of every object within its own domain and a partial replica of each object within every domain in the forest.
Distinguished Name
The "file path" given to objects in Active Directory for locating them without a GUI.
multimaster replication
The process for replicating Active Directory objects; changes to the database can occur on any domain controller and are propagated, or replicated, to all other domain controllers.
object
A grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or OU.
Active Directory replication
The transfer of information between all domain controllers to make sure they have consistent and up-to-date information.
Domain Local (group scope)
Membership
Domain local groups can contain members from any domain in the forest. These include:
• Domain local groups in the same domain (in native mode only).
• Global groups within the forest.
• Universal groups within the forest (in native mode only).
• Users and computers within the forest.
Resource Access
• Domain local groups can be assigned permissions within a domain.
• Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
A(n) ____ is a grouping of related objects within a domain, similar to the idea of having subfolders within a folder, and can be used to reflect the structure of the organization without having to completely restructure the domain(s) when that structure changes.
OU
Duplicating organizational divisions, assigning Group Policy settings, and delegating administration
Select the best reasons for using organizational units (OUs)?
built-in user accounts
User accounts created by Windows automatically during installation.
Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.
What is the primary difference between universal groups and global groups in Windows Server 2012?
Global to domain local; Universal to global
Which of the following group scope modifications are not permitted? (Choose all answers that are correct.)
To create a permanent container that cannot be moved or renamed
Which of the following is not a correct reason for creating an OU?
One of the group's members has the group set as its primary group; You do not have the proper permissions for the container in which the group is located.
You are attempting to delete a global security group in the Active Directory Users and Computers console, and the console will not let you complete the task. Which of the following could possibly be causes for the failure? (Choose all answers that are correct.)
Delegation of control
You are planning an Active Directory implementation for a company that currently has sales, accounting, and marketing departments. All department heads want to manage their own users and resources in Active Directory. What feature will permit you to set up Active Directory to allow each manager to manage his or her own container but not any other containers?
Active Directory is a ____ that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information.
directory service
A ____ usually is a higher-level representation of how a business, government, or school is organized, for example reflecting a geographical location or major division of that organization.
domain
The forest ____ refers to the Active Directory functions supported forest-wide.
functional level
The ____ stores information about every object within a forest.
global catalog
A ____ is intended to contain user accounts from a single domain and can also be set up as a member of a domain local group in the same or another domain.
global security group
In a ____, the user does not have permission to update the folder containing his profile.
mandatory user profile
Each kind of object in Active Directory is defined through the ____, which is like a small database of information associated with that object, including the object class and its attributes.
schema
A ____ is a TCP/IP-based concept (container) within Active Directory that is linked to IP subnets.
site
A ____ contains one or more domains that are in a common relationship.
tree
Like user accounts, there are both local and domain groups
• Local groups exist only on the local computer, and control access to local resources.
• Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.
To add or remove members of a group, use the following methods
• On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group.
• On the user account, edit the Member Of tab and select the group to which you want to add the user. The Member Of tab displays all of the groups of which the object is a member. Use this method to efficiently add a single user to multiple groups.
forest root domain
The first domain created in a new forest.
AD LDS is installed as a server role via Server Manager.
True
OU
Which of the following is a container object within Active Directory?
Every resource in a domain is called a(n) ____.
object
fully qualified domain name (FQDN)
A domain name that includes all parts of the name, including the top-level domain.
SYSVOL folder
A shared folder that stores information from Active Directory that is replicated to other domain controllers.
domain user account
A user account created in Active Directory that provides a single logon for users to access all resources in the domain for which they have been authorized.
intersite replication
Active Directory replication that occurs between two or more sites.
assigned application
An application package made available to users via Group Policy that places a shortcut to the application in the Start screen. The application is installed automatically if a user tries to run it or opens a document associated with it. If the assigned application applies to a computer account, the application is installed the next time Windows boots.
attribute value
Information stored in each attribute. See also schema attributes.
published application
An application package made available via Group Policy for users to install by using Programs and Features in Control Panel. The application is installed automatically if a user tries to run it or opens a document associated with it.
Trust relationship
An arrangement that defines whether and how security principals from one domain can access network resources in another domain
extension
An item in a GPO that allows an administrator to configure a policy setting.
Install from media (IFM)
An option when installing a DC in an existing domain; much of the Active Directory database contents are copied to the new DC from media created from an existing DC.
Active Directory
Directory service that houses information about all network resources
domain
The core structural unit of Active Directory; contains OUs and represents administrative, security, and policy boundaries.
GPO scope
The objects affected by a GPO linked to a site, domain, or OU.
Group Policy Object (GPO)
A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory.
relative identifier (RID)
The part of a SID that's unique for each Active Directory object. See also security identifier (SID).
Site
A physical location in which domain controllers communicate and replicate information regularly.
A ____ is one in which every child object contains the name of the parent object.
contiguous namespace
A ____ is typically used to enable one- or two-way access between a Windows Server domain within a forest and a realm of UNIX/Linux computers.
realm trust
Flexible Single Master Operation (FSMO) roles
Specialized domain controller tasks that handle operations that can affect the entire domain or forest. Only one domain controller can be assigned a particular FSMO.
forest
A collection of one or more Active Directory trees. A forest can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.
A(n) ____ means that if A and B have a trust and B and C have a trust, A and C automatically have a trust as well.
transitive trust
In addition to the group scope, there are two types of groups
• Security
• Distribution
schema classes
A category of schema information that defines the types of objects that can be stored in Active Directory, such as user or computer accounts.
directory service
A database that stores information about a computer network and includes features for retrieving and managing that information
schema directory partition
A directory partition containing the information needed to define Active Directory objects and object attributes for all domains in the forest
Trees
Collection of domains within an Active Directory forest that have a common relationship.
Forest
Consists of one or more Active Directory trees that are in a common relationship
Organizational Unit
Grouping of related objects within a domain so that objects can be under the same group policies
schema
Information that defines the type, organization, and structure of data stored in the Active Directory database.
schema attributes
A category of schema information that defines what type of information is stored in each object.
Schema
Like the blueprint for Active Directory, it defines the attributes each type of object can possess, the type of data that can be stored in each attribute, and the object's place in the directory tree.
____ and user accounts enable an organization to delegate authority over objects, such as Active Directory containers, user accounts, groups, and applications.
Security Groups
Active Directory Domain Services (AD DS)
Server role in Active Directory that allows admins to manage and store information about resources from a network. Promotes server to domain controller.
Be aware of the following when managing groups
The basic best practices for user and group security are:
• Create groups based on user access needs.
• Assign user accounts to the appropriate groups.
• Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
After creating a group, you may need to convert the group's scope and/or type.
• Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access.
• You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope.
• If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.
Universal
Which of the following groups do you use to consolidate groups and accounts that either span multiple domains or the entire forest?
If information on one DC changes, such as the creation of an account, it is replicated to all other DCs in a process called ____.
multimaster replication
DNS is a TCP/IP-based name service that converts computer and domain host names to dotted decimal addresses and vice versa, through a process called ____.
name resolution
Adding an object to the Member Of tab for a group makes the group a member of another group (it does not add members to the group).
When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted. They are simply no longer associated with the group. If you delete the group, use one of the following strategies to recover it:
• Re-create the group, add all the original group members, and reassign any permissions granted to the group.
• Restore the group from a recent backup.
Domain Controller
A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.
Directory Services Restore Mode (DSRM)
A boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are deleted accidentally.
application directory partition
A directory partition that applications and services use to store information that benefits from automatic Active Directory replication and security.
domain directory partition
A directory partition that contains all objects in a domain, including users, groups, computers, OUs, and so forth.
configuration partition
A directory partition that stores configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another.
global catalog partition
A directory partition that stores the global catalog, which is a partial replica of all objects in the forest. It contains the most commonly accessed object attributes to facilitate object searches and user logons across domains.
Distribution
A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.
What is a Group
A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of individual user accounts helps simplify network maintenance and administration. For instance, through groups the users receive all the user rights assigned to the group and all permissions assigned to the group on any shared resources.
Domains
A logical grouping of network resources and devices that are administered as a single unit.
Security Identifier (SID)
A numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an RID. See also relative identifier (RID).
authentication
A process that confirms a user's identity, and the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.
Lightweight Directory Access Protocol (LDAP)
A protocol that runs over TCP/IP and is designed to facilitate access to directory services and directory objects. It's based on a suite of protocols called X.500, developed by the International Telecommunication Union.
directory partition
A section of an Active Directory database stored on a domain controller's hard drive. These sections are managed by different processes and replicated to other domain controllers in an Active Directory network.
right
A setting that specifies what types of actions a user can perform on a computer or network.
local user account
A user account defined on a local computer that's authorized to access resources only on that computer. Local user accounts are mainly used on stand-alone computers or in a workgroup network with computers that aren't part of an Active Directory domain.
User Principal Name (UPN)
A user logon name that follows the format username@domain. Users can use UPNs to log on to their own domain from a computer that's a member of a different domain.
intrasite replication
Active Directory replication between domain controllers in the same site.
organizational unit (OU)
An Active Directory container used to organize a network's users and resources into logical administrative units.
permissions
Settings that define which resources users can access and what level of access they have to resources.
Domain User
An account that can access AD DS or network-based resources, such as shared folders and printers within a specified domain.
Local User
An account that can access only resources on the local computer and does not reside inside of the domain.
child domains
Domains that share at least the top-level and second-level domain name structure as an existing domain in the forest; also called "subdomains."
Groups are security principals, meaning you assign access permissions to a resource based on membership to a group. OUs are for organization and for assigning Group Policy settings.
Generally, how do groups differ from OUs?
Active Directory groups
Have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.
Group Policy
Hierarchical infrastructure that allows specific configurations for users and computers by the network administrator
cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com
If the user named Amy is located in the sales OU of the central.cohowinery.com domain, what is the correct syntax for referencing this user in a command line utility?
Read-Only Domain Controller (RODC)
In Active Directory Domain Services, a domain controller that supports only incoming replication traffic. It cannot be modified but can be used for authentication.
Users; Computers; Global groups
In a domain running at the Windows Server 2012 domain functional level, which of the following security principals can be members of a global group? (Choose all answers that are correct.)
Global (Group Scope)
Membership
Global groups can contain members within the same domain. These include:
• Global groups in the same domain (in native mode only).
• Users and computers within the same domain.
Use global groups to group users and computers within the domain who have similar access needs.
Resource Access
• Global groups can be assigned permissions to resources anywhere in the forest.
• Create global groups to organize users (e.g., Sales or Development).
Universal (Group Scope)
Membership
Universal groups can contain members from any domain in the forest. These include:
• Universal groups within the forest.
• Global groups within the forest.
• Users and computers within the forest.
Resource Access
• Universal groups can be assigned permissions to resources anywhere in the forest.
• Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.
Container
Pre-built container objects used to organize objects in Active Directory. Does NOT allow for delegation of control or the ability to link GPOs.
replication partner
A domain controller configured to replicate with another domain controller.
operations master
A domain controller with sole responsibility for certain domain or forest-wide functions.
A ____ is different from normal DCs in that you cannot use it to update information in Active Directory and it does not replicate to regular DCs.
Read-Only Domain Controller
Tree
A grouping of domains that share a common naming structure.
Knowledge Consistency Checker (KCC)
A process that runs on every domain controller to determine the replication topology.
Security
A security group is one that can be used to manage rights and permissions.
• Group members get the permissions that are granted to the group.
• A security group represents an object with a security identifier (SID), which, through the member attribute, collects other objects, such as users, computers, contacts, and other groups.