CIS 4280 Exam II (Part 4), exam 3 networking


Any default Universal Groups? What can a Universal group contain? Where are Universal groups stored?

Enterprise Admins; Can contain user accounts, global groups, and universal groups from any domain in the forest; stored in the Global Catalog

How is it set up so that an Enterprise Admins can perform administrative tasks on any domain in the forest?

Exists only on domain controllers in the root domain of Active Directory.

Explain and list the Operations Masters (FSMO) - which ones are forest-wide? Which are domain-wide? Explain the function of either the Schema Master or the Domain Naming Master.

Flexible Single Master Operations (FSMO) roles. These are:
- Schema master
- Domain naming master: controls the addition or removal of domains in a forest.
- Infrastructure master
- Relative identifier (RID) master
- Primary domain controller (PDC) emulator
Special roles, for example the RID Master, are called single-master operations: they can be performed only on one domain controller. They are used to remove the conflicts that would occur if critical operations were allowed on multiple machines simultaneously.
The schema master and domain naming master are forest-wide roles. Therefore there can be only one schema master and one domain naming master in the forest.

Explain a GPO and how it is stored (GPC, GPT - list the path where the GPTs are stored and the relevance of this)

GPOs are stored in the Group Policy Container (GPC) and the Group Policy Template (GPT).
The GPC (seen only in Advanced View) has attributes such as:
- Status (enabled/disabled)
- Version
- List of components that have settings
The GPT contains all the files associated with a GPO, for example the files for the Administrative Templates settings for the User and Computer configurations. The GPT is located in the %systemroot%\SYSVOL\sysvol\domain-name folder. Contents of this folder are automatically replicated.
The GPO itself is just a virtual storage location for Group Policy settings. Each GPO is assigned a globally unique identifier (GUID).

Group Type and Scope with examples

Group Type: Security groups and Distribution groups. Scope: Domain Local, Global, and Universal.

List the five Registry subtrees

HKEY_LOCAL_MACHINE HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_USERS HKEY_CURRENT_CONFIG

Explain policy refresh procedures

How do policy settings get applied to client computers (policy refresh)?
- Domain controllers replicate policy information just like other data in the directory database.
- Client computers check for new policies every 90 minutes, plus or minus a random offset of 30 minutes (so that all computers will not check simultaneously). The policy is then downloaded to the client computer.
- A user does not need to log off and log on to have new policy settings take effect. Therefore a user cannot avoid new policy settings by never logging off.
- Domain controllers refresh policy information every five minutes.
- You can manually force a policy refresh using the Gpupdate command (2000 uses a Secedit command). See Gpupdate syntax and examples.

For which entities can you create a GPO?

If multiple GPOs exist for an entity (container), e.g. an OU, the GPOs higher in the list are processed last. This means that if there are conflicting settings in two GPOs, the setting in the higher-priority policy takes precedence.

Explain the replication model and the KCC - scenario

In intra-site replication, the Knowledge Consistency Checker (KCC) creates and maintains the replication topology.
- KCC is a service, part of the Local Security Authority (LSA) service.
- It creates a topology that links the server objects in a bidirectional ring via connection objects. This allows for some redundancy.
- If there is a large number of domain controllers, the KCC will create additional connections so that no domain controller is more than three hops from another domain controller. This reduces the replication time.

Describe intra-site and inter-site replication. Relate to urgent replication

Intra-site replication
- When a change occurs to the Active Directory database, the domain controller waits a configurable amount of time and then sends a notification message to its replication partners. This time period is five minutes by default and is configurable.
- Some types of updates trigger urgent, that is immediate, replication:
  - Changes to password policy for the domain.
  - An account that has just become locked out.
  - Changes to the account lockout policy, for example the number of failed attempts that would lock out an account.
Inter-site replication
- Create Site Links between sites. These are logical transitive connections.
- They mirror the communication links (WAN / common carrier services) between the geographic locations. Note they are not the physical link, e.g. a T3 line. They are objects in the directory database.

Describe Delegating Control - give examples of Common and Custom tasks

It allows you, the administrator, to share the administrative load without making users full-blown administrators for the domain. Using the Delegation of Control wizard is easier than delegating control by manually assigning Active Directory permissions!
- You can delegate common tasks for the whole organizational unit, for example create, delete, and manage accounts in the organizational unit.
- You can also create custom tasks. These can be applied to the whole organizational unit or to specific objects within the organizational unit, for example group objects, user objects, properties within an object, etc. Examples of custom tasks are: Full Control, Write, Read Employee ID, Write Employee ID, etc.
Compare/Contrast the Pyramid and Flat OU structures in terms of: delegating control; group policy assignment.

Explain local groups, where created, limitations? Explain the default Local Groups.

On non-domain controller computers; Used to control access to resources on a single computer, e.g. a member server;

Explain inheritance and options to control it.

One can block policy inheritance for a domain or OU. This prevents GPOs linked to higher-level containers (sites, domains, or OUs) from being automatically inherited by the child-level object.
- Example: block inheritance at an OU level. GPOs set at higher levels (site, domain, and higher-level OUs) are blocked.
- Block inheritance only at domain and OU level.
- By default, GPOs applied to parent domains have no effect on objects in domains lower in the domain hierarchy, as inheritance is blocked by default.
Controlling inheritance
- The Block Inheritance option applies to all policies from parent containers, so it is fairly drastic. Consider using security filtering to change the scope of a GPO instead of blocking GPOs.
- The No Override option enforces the GPO even if blocked at a lower level. It also sets the precedence level for this GPO to the highest level, so that it is processed last. Use it for company-critical policies. No Override is set on a per-GPO basis.

Correlation between domains and sites?

One domain could be associated with three sites. One site could have multiple domains.

What is the difference between User Rights and Permissions? Give examples.

Permissions allow a group (or user) to access a resource. Example: Read permission to a file.
User Rights allow a group (or user) to perform a task on the system. Examples: Shut Down the System, Log on Locally.

Explain Microsoft's strategy for assigning permissions using groups

Place users in global groups, insert global groups in domain local groups, and then assign permissions to domain local groups.

AD Components - Replication Explain purpose. Also differences between these components and Forest, Tree, Domain, OU

Previously we examined objects such as forests, trees, domains, and OUs that are used to organize other objects into a meaningful fashion for a company. Here we will look at objects relating to replication. These are 1) sites; and 2) domain controllers

What are recommendations re domain controllers and global catalog servers per site?

Recommended that you have at least one domain controller per site and each site have a global catalog server

Explain the Registry (what, how many in a domain? etc.)

Registry
- A centralized configuration database, unique to each computer.
- It stores data about device drivers, network interface cards, protocols, users, applications, etc.
- Viewed and edited by Registry Editors. Control Panel and Group Policies also modify Registry settings.
Structure
- Tree-structured database, like a folder and file system.
- Consists of 5 subtrees: HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_USERS, HKEY_CURRENT_CONFIG.
- A subtree contains keys, e.g. HKEY_LOCAL_MACHINE\Hardware.
- Keys contain subkeys, e.g. HKEY_LOCAL_MACHINE\Hardware\Devicemap.
- Subkeys may contain more subkeys, e.g. HKEY_LOCAL_MACHINE\Hardware\Devicemap\Scsi, etc.
- A subkey at the bottom of the tree contains value entries. A value entry has 3 parts: Name, Data type, Value (data value).
- Example: TileWallpaper: REG_SZ: 0. Meaning? The bitmap used for wallpaper is not tiled.
- Value entries contain the configuration data. Subtrees, keys, and subkeys are used to organize the configuration data.

Describe schema - extensible?

The schema is extensible: new definitions can be added to the Active Directory schema. Note that items you add to the schema cannot be removed; in 2012 you can deactivate items that are no longer needed. An administrator might want to extend the User object class schema by adding an attribute, for example, chess rating.

Addendum: Explain and draw the different domain models. Note the advantages of each. Most common?

Single-Domain Model
- Simplicity.
- Central administration (as indeed is the goal of a directory service in general, but here with just one domain it seems more centralized: one Administrators and one Domain Admins group).
Multiple-Domain Model
- Decentralized administration because of politics or geography.
- With the Japan example in the text, could we have one domain and someone in Japan be in Domain Admins? Remember sites are AD objects for replication across geographic locations.
Multiple Tree in a Single Forest Model
- Multiple DNS namespaces can be integrated into one forest as separate trees. Relate to DNS zones later.
Federated-Forests Model
- Needed because of: mergers; special security requirements, as in civilian versus military parts of an organization. Rem: what object is a security boundary?
Empty-Root Domain Model
- Separate schema from users. Schema master role (FSMO) in empty forest.
- Can be integrated into other domain models.
- Flexibility: can rename/add domains without renaming the forest.
Placeholder Domain Model
- Unoccupied root with subdomains for users, etc.
- Separate schema from users.
- Each grouping of users at the same level, for a warm fuzzy feeling all around.

List replication protocols

The choices are Remote procedure call (RPC) over IP and Simple Mail Transfer Protocol (SMTP).
- RPC over IP is the default for both intra-site and inter-site replication; it uses authentication and encryption.
- SMTP requires a certification authority and it cannot replicate domain partitions.
Monitoring replication: Dcdiag, Repadmin, Replmon.

Why is a domain called the core unit of AD?

The core unit of the "logical" structure of Active Directory.
- An administrative boundary: an administrator can administer their domain only by default [EXC: Enterprise Admins].
- Each domain has its own security policy, for example policies relating to passwords.
- A Windows 2012 domain is a unit of replication. The system uses a multi-master replication model. Each domain controller can accept changes to objects and these changes are replicated to the other domain controllers in the domain.

Name and path of the directory file

The directory file, ntds.dit, is stored in the %systemroot%\ntds folder

Explain Organizational Units and three key advantages

The grouping of users into organizational units simplifies network administration. Organizational units allow an administrator to delegate administrative control to users for portions of the network while maintaining overall administrative control of a domain. Without organizational units, all users appear in a single list in Active Directory Users and Computers. By using organizational units, you subdivide the list into meaningful groupings, for example by department.

Processing order for GPOs

The local policy is processed first, then the site, domain, and organizational unit policies are processed next.

Explain the 4 directory partitions and where each is replicated

- The schema partition stores information about the object classes and their associated attributes. This information is common to all domains in the forest and is replicated across the entire forest.
- The configuration partition stores information about the structure of the domains in the forest and the replication topology. This information is replicated across the forest.
- The domain partition stores information about all the objects in a domain. The information is domain-specific and is replicated between domain controllers in a domain.
- The application partition (new since 2003)

Explain the four main objects in terms of replication and their interrelationship (as seen in Active Directory Sites and Services)

- The schema partition stores information about the object classes and their associated attributes. This information is common to all domains in the forest and is replicated across the entire forest.
- The configuration partition stores information about the structure of the domains in the forest and the replication topology. This information is replicated across the forest.
- The domain partition stores information about all the objects in a domain. The information is domain-specific and is replicated between domain controllers in a domain.
- The application partition (new since 2003)

Explain the Secondary Logon feature and its value

The secondary logon capability in the Windows® 2000 operating system addresses this problem by providing a way to start applications in different security contexts without having to log off. This capability is provided using the Run as service.

Explain Forest Functional Levels (prerequisites and advantages/disadvantages)

These control the features available in a forest, i.e. the higher the functional level, the more functions/features are available. They control the features available in all domains in the forest.

Explain Domain Functional Levels (prerequisites and advantages/disadvantages)

These control the features available in a specific domain, i.e. the higher the functional level, the more functions/features are available. Different levels allow a company to migrate parts of their system at different rates (rolling upgrades).

Describe structure of a GPO (nodes, etc.)

These settings are therefore divided into two categories (nodes): Computer Configuration and User Configuration.

Operations masters and GPOs?

To create or change a GPO, the domain controller with the Primary domain controller (PDC) emulator operations master role (FSMO) should be available. If it is not, you will receive an error message and you will be allowed to select an alternative domain controller. Do not select another controller; instead boot the domain controller with the PDC emulator operations master role.

Explain Registry structure and terminology [subtree, key, subkey, value entry (value name, value type, value)]

- Tree-structured database, like a folder and file system.
- Consists of 5 subtrees: HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_USERS, HKEY_CURRENT_CONFIG.
- A subtree contains keys, e.g. HKEY_LOCAL_MACHINE\Hardware.
- Keys contain subkeys, e.g. HKEY_LOCAL_MACHINE\Hardware\Devicemap.
- Subkeys may contain more subkeys, e.g. HKEY_LOCAL_MACHINE\Hardware\Devicemap\Scsi, etc.
- A subkey at the bottom of the tree contains value entries. A value entry has 3 parts: Name, Data type, Value (data value).
- Example: TileWallpaper: REG_SZ: 0

Explain the key characteristics of Trees and Forests

Trees: a hierarchical structure of Windows 2012 domains that share a contiguous DNS namespace. A forest consists of one or more trees.

Explain with examples the four trusts that can be manually created

- Shortcut: reduces Kerberos authentication hops. Can be one- or two-way. (Partially) transitive, e.g. F --> B is transitive down from the trusted domain (B), i.e. F --> B --> D. How can users in F access E? How can they access A?
- (Cross-)Forest: can be one- or two-way. Transitive, but this applies to the domains within these two forests, not to forests themselves: Forest 1 trusts 2, Forest 2 trusts 3, but Forest 1 does not trust Forest 3.
- External: non-transitive; can be one- or two-way. Between a domain in one forest and a domain in another forest. Use if you want limited access but do not want to set up a forest trust; in other words, you don't want all domains in one forest to access all domains in another forest.
- Realm: trust with a non-Windows entity, e.g. a UNIX system, that uses Kerberos authentication. A realm is a set of security principals in a non-Windows environment that uses Kerberos authentication. Transitive or non-transitive (administrator's choice); can be one- or two-way.
Functional Levels

Explain a security boundary

A forest is the fundamental security boundary within Active Directory in 2012 (in 2000 and 2003 a domain was considered the security boundary). As in: no one else can manage your stuff.

Explain Active Directory Domain Service and the directory database

A directory service stores information about objects such as users, groups, domain controllers, and printers.

How are domain controllers and clients placed into the site?

A domain controller is placed in a site during the installation of Active Directory if sites are defined. It stays there unless moved to another site by an administrator.

Explain Global Catalog Server - explain 2 key functions - what is universal group caching

A global catalog contains a subset of attributes for all objects in Active Directory plus all attributes for the objects in its domain.
- Global catalog servers store the global catalog, thus allowing users to find objects no matter where they are in the forest.
- They resolve UPNs when users log in at domain A and are members of domain B.

Explain GUID

A globally unique identifier (GUID) is a 128-bit number assigned to an object upon its creation. GUIDs are unique across domains. The GUID does not change even if you rename or move an object.

Explain a site - relate it to an internetwork

A site is defined as one or more well-connected Internet Protocol (IP) subnets.

Explain RODC (why use? main characteristics? how does it make the directory more secure? Explain groups involved)

A special form of a domain controller is the Read-Only Domain Controller (RODC).
- Contains a read-only copy of ntds.dit.
- Only inbound replication.
- Can control which passwords are stored or cached on these domain controllers. Do this with two domain local groups:
  - Denied RODC Password Replication Group: contains Domain Admins and Enterprise Admins by default (+ other groups).
  - Allowed RODC Password Replication Group.
- Can also configure it so that passwords for groups of users are only cached on one particular RODC.
- Therefore RODCs are good for branch offices, which are sometimes less secure. Now if the domain controller is stolen or compromised, the damage is reduced.

Relate GPOs to specific parts of the registry

Administrative Templates under Computer Configuration change settings in HKEY_LOCAL_MACHINE\Software\Policies. Administrative Templates under User Configuration change settings in HKEY_CURRENT_USER\Software\Policies.

Name the default site

Any domain controllers created before you create your site(s) are added to the default site, Default-First-Site-Name. After creating the site(s), you can then move domain controllers to the appropriate sites.

What is the difference between a group and an OU?

Assign permissions to groups NOT OUs

Explain Active Directory permissions (function; inheritance; examples; recommendations)

- Used to secure objects and attributes.
- Different set of possible permissions for different object classes, e.g. an organizational unit and a domain object.
- Permissions are stored in Access Control Entries (ACEs) in the Access Control List (ACL) for an object.
- Example of using Active Directory permissions: allow the help desk group to reset a user's password. In other words, you can delegate administrative control by assigning Active Directory permissions.

Explain the Special Identity groups. Where are these located?

Users become members by performing activities on the network; they exist on all Windows 2012 computers; e.g. Authenticated Users, Creator Owner, Everyone, Network, Interactive.

Disadvantages of the Users container

The Users container in the console tree is not an organizational unit. You cannot create organizational units within this container, and you cannot apply group policies to the Users container. For this reason, you should create OUs to house your users.

Explain AD Components (Forest, Tree, Domain, OU) in detail - purpose of these components?

Using Active Directory you can organize these users using Trees, Domains, and Organizational Units inside the Forest

Explain 3 specific tasks performed by these components

They determine when and how replication occurs in Active Directory. They also determine how clients locate a domain controller for logon authentication, helping them locate the closest domain controller (service localization: a client finds a domain controller in its site). Lastly, they assist clients in locating local servers for AD-aware applications like Microsoft Distributed File System (DFS).

AD permissions necessary? Deny these permissions versus disable a GPO for a container?

You can use security filtering to change the scope of a GPO, e.g. use filtering so a GPO is not applied for a group (or groups) by denying the required permissions for that group. Note that you do this for global groups.

Active Directory Installation scenario

You install Active Directory Domain Services on a computer to make it a domain controller. Question: what are the two phases to creating a domain controller? Create a flowchart to represent the main choices you make when installing Active Directory. This should allow you to see how the three domain controllers in the lab were installed.

Explain the key steps in setting up sites and related components

1. Create one or more sites.
2. Add subnets to the site(s).
3. Link sites using site links.
4. Move domain controllers to the appropriate sites if the controllers were set up before the sites were created.

How is it set up so that Domain Admins can perform administrative tasks on any computer in the domain?

Domain Admins (global group) is a default member of Administrators (domain local group)

Explain Domain Local versus Global versus Universal groups in terms of:
- where the groups are located
- default groups for this category (explain these)
- what the group can contain
- how the group is used in Microsoft's group strategy

Domain Local: used to control access to resources in the system (assigned permissions). They can contain user accounts, global groups, and universal groups from any domain in the forest.
Global groups: used to organize domain users. Default global groups are located in the Users container. Users are typically grouped based on job function.
Universal groups: can contain user accounts, global groups, and universal groups from any domain in the forest; stored in the Global Catalog; e.g. Enterprise Admins.
