Chapter 1: Active Directory
SYSVOL folder
A shared folder on every domain controller that stores domain-wide files from Active Directory (Group Policy templates, logon/startup scripts) and is replicated to all other domain controllers in the domain.
Folder Redirection node
A node admins can use to redirect users' profile folders (such as Documents and Desktop) to a network share.
Schema (objects and their attributes)
All domains in a forest share the same ____________. Because a change to it affects every domain in the forest, some organizations prefer to operate w/ separate forests joined by trusts.
Organizational Unit (OU)
An Active Directory container used to organize a network's users and resources into logical administrative units. Contains Active Directory objects (user accounts, groups, computer accounts, printers, shared folders, applications, servers, and domain controllers). Example: one OU per department.
directory service
An application that stores, organizes, and provides access to information in a directory.
Enterprise Admins
Can add or remove domains from the forest and have administrative access to every domain in the forest. (The group exists only in the forest root domain.)
Policy-based QoS node
Can be used to prioritize and control outgoing network traffic from a computer.
Single schema; forestwide administrative accounts (Schema Admins and Enterprise Admins); operations masters; global catalog; trusts b/w domains; replication b/w domains
Characteristics of a Forest
Active Directory forest
Collection of one or more trees. Can consist of a single tree or several trees, each with its own hierarchy of parent and child domains; each tree has a different naming structure (DNS namespace).
- Software Settings: contains the Software Installation extension, which enables an admin to install and manage applications remotely by assigning them to install automatically.
- Windows Settings: contains the Name Resolution Policy node, Scripts extension, Security Settings node, and Policy-based QoS node. Admins can create scripts that run at computer startup or shutdown.
- Administrative Templates: contains Control Panel, Network, Printers, System, and Windows Components folders. Affects computer settings that apply to all logged-on users.
Computer Configuration node: 3 folders
Saved Queries folder
Contains a list of Active Directory queries you can save to repeat Active Directory searches easily.
Builtin folder
Houses the default groups created by Windows; mainly used to assign permissions to users who have administrative responsibilities in the domain.
object
How all information in the active directory database is organized.
Network account object
Includes servers, domain controllers, file shares, printers, and so forth.
Security account object
Includes users, groups, and computers (the objects that can be granted permissions).
attribute value
The information stored in each attribute (e.g., Mary as the value of a first-name attribute).
Active Directory
Is a directory service based on standards for defining, storing, and accessing directory service objects.
Name Resolution Policy
Stores configuration settings for DNS security (DNSSEC) and DirectAccess (the Name Resolution Policy Table).
Users folder
Stores two default user accounts (Administrator and Guest), plus the disabled krbtgt account, and several default groups such as Domain Admins.
Domain Controller (DC) features:
- Storing a copy of the domain data and replicating changes to that data to all other domain controllers throughout the domain.
- Providing data search and retrieval functions for users attempting to locate objects in the directory.
- Providing authentication and authorization services for users who sign in to the domain and attempt to access network resources.
forest root domain
The first domain created in a new forest. Provides functions that facilitate and manage communication b/w domains in the forest as well as b/w forests. (If all of its domain controllers are lost, the forest root domain cannot be recreated: forest-wide functions such as schema changes and cross-domain trust paths through the root stop working, although other domains continue to authenticate their own users locally.)
OU; Folder; Domain
Three container objects
- Domain Name System (DNS) server (install unless an existing DNS server is available)
- Global Catalog (the 1st DC in a forest must be a GC)
- Read-only domain controller (RODC) (disabled for the 1st DC)
Three options for domain controller capabilities
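The three capability choices above, as an added PowerShell example (not from the original page): promoting the first DC of a new forest, then an additional DC, with each option made explicit. The domain name corp.example.com, the site name and the RODC line are assumptions.

```powershell
# Added example (not from the original page). corp.example.com, the site name
# and the RODC placement are assumptions.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# First DC in a new forest: DNS is installed because no DNS server exists yet,
# the DC is automatically a global catalog, and RODC is not offered at all.
Install-ADDSForest `
    -DomainName "corp.example.com" `
    -DomainNetbiosName "CORP" `
    -InstallDns `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force

# An additional writable DC in the same domain: all three options are now real choices.
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -Credential (Get-Credential "CORP\Administrator") `
    -InstallDns `
    -NoGlobalCatalog:$false `
    -SiteName "Default-First-Site-Name" `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force

# A read-only DC for a branch office (assumed site "Branch"); RODCs hold no
# writable copy and, by default, cache no passwords.
# Install-ADDSDomainController -DomainName "corp.example.com" -ReadOnlyReplica `
#     -SiteName "Branch" -InstallDns -Credential (Get-Credential "CORP\Administrator") `
#     -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") -Force
```

The DSRM password prompted for here is the one Directory Services Restore Mode asks for later; store it somewhere other than the DC itself.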
- Default Domain Policy: linked to the domain object; specifies default settings that affect all users and computers in the domain, such as password and logon requirements.
- Default Domain Controllers Policy: linked to the Domain Controllers OU; specifies default policy settings for all domain controllers in the domain, mainly user rights assignments, which specify the types of actions users can perform on a DC.
Two GPOs are created and linked to two containers when Active Directory is installed.
To provide a common Active Directory environment in which all domains in all trees can communicate with one another and share information yet allow independent operation and administration of each domain.
What is the main purpose of a forest?
Child domains (sub-domains)
Have the same second-level and top-level domain names as the parent domain (e.g., a child of example.com would be named like sales.example.com).
Active Directory object
A group of information that describes a network resource (such as a shared printer), an organizing structure (such as a domain or OU), or an account (such as a user, group, or computer).
OU (Organizational Unit)
The primary container object for organizing and managing resources in a domain. Used to organize objects into logical administrative groups. Can be used to apply policies (via linked GPOs) that affect all objects in it. In ADUC, represented by a folder w/ a book inside.
Active Directory Users and Computers (ADUC)
The most popular GUI tool among administrators; has two panes.
DAP (Directory Access Protocol)
Requires the OSI (Open Systems Interconnection) protocol stack for accessing directory objects.
Top Node
shows the server and domain being managed.
Group Policy Object (GPO)
A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory. Can specify settings, deploy software, and configure a user's desktop. Can affect an entire domain, a site, or the users or computers in an OU. The default GPOs provide default security settings for all computers, including domain controllers, in the domain. Can be applied in four places: local computer, site, domain, and OU. (The default GPOs don't define any user-specific policies.)
Replication
Replicating important information b/w all domain controllers throughout the forest. Includes information stored in the global catalog and in the schema and configuration directory partitions.
Third node
Represents the domain and contains all the objects that make up the domain.
Policies Folder (under Computer Configuration & User Configuration nodes)
Settings here are applied to users or computers and can't be overridden by users. Contains 3 folders (Software Settings, Windows Settings, and Administrative Templates).
Active Directory Physical Structure
consist of sites and servers configured as domain controllers.
Lightweight Directory Access Protocol (LDAP)
Created by the Internet Engineering Task Force (IETF); based on the X.500 Directory Access Protocol (DAP), but runs over TCP/IP (TCP 389; LDAP over TLS/LDAPS on 636).
Schema
Defines the type, organization, and structure of the data stored in the Active Directory database (i.e., what Active Directory can contain and the functions it performs in your network). Shared by all domains in an Active Directory forest.
Network directory service
A database composed of records or objects describing users and available network resources, such as servers, printers, and applications, including features to add, modify, and delete information.
Global Catalog Server
Contains information about all objects in the forest (a partial replica: every object, but only the most commonly searched attributes). Facilitates domain-wide and forest-wide searches, speeding up searching for objects across domains in the forest. Facilitates logon across domains, allowing users to sign in to any domain in the forest using a UPN (user principal name, username@domain); w/o a GC, users could only sign in to computers in their own domain. Holds universal group membership information and resolves users' group memberships to rights and permissions.
Security Settings node
Contains the lion's share of policies that affect computer security (including account policies, user rights, wireless network policies, registry and file system permissions, and network communication policies).
Managed Service Accounts Folder
Created specifically for service accounts that access domain resources; added to the schema in Windows Server 2008 R2 (group managed service accounts, which several hosts can share, were added in Windows Server 2012). The password is managed by the system, alleviating the admin of this task. This folder is initially empty.
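Creating a group managed service account whose password the domain controllers rotate, as an added PowerShell example (not from the original page). The account, group, host and OU names are assumptions.

```powershell
# Added example (not from the original page). svc-web, gMSA-Web-Hosts, WEB01/WEB02
# and the OU path are assumptions.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which DCs derive gMSA passwords.
# -EffectiveImmediately still means ~10 hours in production, so that every DC
# has replicated the key before a host tries to retrieve a password.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group may retrieve the password (least privilege on retrieval).
New-ADGroup -Name "gMSA-Web-Hosts" -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,DC=corp,DC=example,DC=com"
Add-ADGroupMember -Identity "gMSA-Web-Hosts" `
    -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# The account itself: no human ever knows the password, and it changes every 30 days.
New-ADServiceAccount -Name "svc-web" `
    -DNSHostName "svc-web.corp.example.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "gMSA-Web-Hosts" `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# On WEB01, after a reboot so the new group membership is in the machine's token:
#   Install-ADServiceAccount -Identity "svc-web"
#   Test-ADServiceAccount -Identity "svc-web"   # True when the host can fetch the password
# The service is then configured to run as CORP\svc-web$ with an empty password field.
```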
Schema Attributes
Define what type of information is stored in each object, such as first name, last name, and password for a user account object
Default Domain Policy
Defines several account policies, such as password and account lockout settings.
Default Domain Controllers Policy
Defines user rights assignment policies but no account policies.
GPO scope
Defines which objects a GPO affects
Leaf object
Doesn't contain other objects; usually represents a security account, a network resource, or a GPO.
Active Directory's hierarchical database
Enables administrators to organize users and network resources to reflect the organization of the environment in which it's used.
Builtin; Computers; ForeignSecurityPrincipals; Managed Service Accounts; Users
- You can delegate admin control on all of these folders except the Builtin folder.
- All objects in a folder are subject to group policies defined at the domain level (folders are not OUs, so no GPO can be linked to them directly).
- You can move objects from their default folders (e.g., Computers) to OUs that you create.
Five folders created when Active Directory is installed. You cannot create new folder objects or apply group policies to folder objects.
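Because the default folders cannot have GPOs linked to them, a common first step is to move existing accounts into OUs and redirect where new accounts land. The following is an added PowerShell example (not from the original page); the OU names and the helpdesk group are assumptions.

```powershell
# Added example (not from the original page). OU names and CORP\Helpdesk are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# OUs can carry GPO links and delegated permissions; the default folders cannot.
New-ADOrganizationalUnit -Name "Workstations" -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Staff"        -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Move computer accounts out of the default Computers folder into the OU.
# (Domain controllers live in the Domain Controllers OU, so they are not touched.)
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -Filter * |
    Move-ADObject -TargetPath "OU=Workstations,$domainDN"

# Redirect where NEW domain joins and NEW user accounts land by default, so nothing
# silently falls outside the OU-linked policies again (built-in tools, run once per domain).
redircmp "OU=Workstations,$domainDN"
redirusr "OU=Staff,$domainDN"

# Delegation of control on an OU: let the helpdesk reset passwords on user objects
# in Staff (and sub-OUs) without making them administrators.
dsacls "OU=Staff,$domainDN" /I:S /G "CORP\Helpdesk:CA;Reset Password;user"
```

redircmp and redirusr require the domain functional level to be Windows Server 2003 or higher.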
- DNS server *
- Global catalog server *
- Forestwide administrative accounts ^
- Operations masters (schema master and domain naming master) ^
* can also be installed on other DCs for fault tolerance
^ must reside on a DC in the forest root domain
Functions of the forest root domain
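A check a practitioner runs to confirm where the forest root functions listed above actually live (and who holds the forest-wide admin rights), as an added PowerShell example, not from the original page. It assumes the RSAT ActiveDirectory module and a domain-joined account that can read the directory.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain

# Forest-wide operations masters: must be DCs in the forest root domain.
"Root domain          : $($forest.RootDomain)"
"Schema master        : $($forest.SchemaMaster)"
"Domain naming master : $($forest.DomainNamingMaster)"
"Global catalogs      : $($forest.GlobalCatalogs -join ', ')"

# The three domain-wide operations masters of the root domain.
"PDC emulator         : $($root.PDCEmulator)"
"RID master           : $($root.RIDMaster)"
"Infrastructure master: $($root.InfrastructureMaster)"

# Per-DC view: GC / RODC flags and role holders, for a fault-tolerance review.
Get-ADDomainController -Filter * |
    Select-Object Name, Domain, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# Forest-wide admin groups exist only in the root domain. Enterprise Admins should be
# small and Schema Admins should normally be empty between schema changes.
foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    $members = Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive |
        Select-Object -ExpandProperty SamAccountName
    "$g : $($members -join ', ')"
}
```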
Active Directory tree
Grouping of domains that share a common naming structure. Consists of a parent domain and possibly one or more child domains.
Schema Classes
defines what type of objects that can be stored in Active Directory (user & computer accounts)
Domain
Active Directory's core structural unit. Contains OUs and folder container objects, as well as leaf objects (users, groups, etc.), and represents an administrative, security, and policy boundary. Each domain has a default GPO linked to it that can affect all objects in the domain. In ADUC, represented by three tower computers.
Computers Folder
The default location for computer accounts created when a new computer or server becomes a domain member.
Active Directory replication
Is the transfer of information among all domain controllers to make sure they have consistent and up to date information
Assigned Application
Made available as an icon on the Start screen the next time a user affected by the policy signs in to a computer in the domain.
Published Application
Made available via Group Policy for a user to install by using Programs and Features in Control Panel.
To allow separate administration and to define policy boundaries.
Main reasons for using multiple domains
Universal Group
Can contain accounts and global groups from any domain in the forest and can be assigned permissions to resources in any domain in the forest; its membership is stored in the global catalog. (Domain local groups can also hold members from other domains, but can only be granted permissions in their own domain.)
Schema Admins
Only members of this group can make changes to the schema; it should normally be kept empty and populated only for the duration of a schema change.
Four Organizing components of Active Directory:
Organizational units; domains; trees; forests
Active Directory Structure
Physical structure; logical structure
- Computer Configuration: affects all computers in the container (and child containers) to which the GPO is linked. GPOs linked to the domain object affect all computers in the domain (including all computers in the Domain Controllers OU and the Computers folder).
- User Configuration: affects domain users w/in the GPO's scope regardless of which computer the user signs in to.
Each node contains a Policies folder and a Preferences folder.
Two nodes of a GPO in GPMC
Password Settings Object (PSO)
Used to apply different password and account lockout policies (fine-grained password policies) to specific users or global security groups in a domain; a PSO cannot be applied to an OU.
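A stricter policy for privileged accounts than the Default Domain Policy provides, built with a Password Settings Object, as an added PowerShell example (not from the original page). The group, PSO and user names are assumptions.

```powershell
# Added example (not from the original page). Tier0-Admins, PSO-Tier0, jdoe-adm and
# the OU path are assumptions.
Import-Module ActiveDirectory

# PSOs apply to users and global security groups only, never to OUs.
New-ADGroup -Name "Tier0-Admins" -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,DC=corp,DC=example,DC=com"

# Lower Precedence wins if a user ends up with several PSOs.
New-ADFineGrainedPasswordPolicy -Name "PSO-Tier0" `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Tier0" -Subjects "Tier0-Admins"
Add-ADGroupMember -Identity "Tier0-Admins" -Members "jdoe-adm"

# Which policy actually wins for this user: a PSO beats the Default Domain Policy.
Get-ADUserResultantPasswordPolicy -Identity "jdoe-adm" |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

If Get-ADUserResultantPasswordPolicy returns nothing for a user, no PSO applies and the domain-level account policy from the Default Domain Policy is in effect.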
Container Objects
Used to organize and manage users and resources in a network; a way to group objects for applying policies.
Group Policy Management Console (GPMC)
Used to view, create, and manage GPO's
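Creating a GPO, setting one security-relevant Administrative Templates value, linking it to an OU and then inspecting the resulting scope, as an added PowerShell example using the GroupPolicy module (not from the original page). The OU, GPO, computer and user names are assumptions.

```powershell
# Added example (not from the original page). OU, GPO name, WS01 and CORP\jdoe are assumptions.
Import-Module GroupPolicy

$ou  = "OU=Workstations,DC=corp,DC=example,DC=com"
$gpo = New-GPO -Name "WS-Security-Baseline" -Comment "Computer-side hardening for workstations"

# Computer Configuration > Policies > Administrative Templates > Windows Components >
# Windows Installer > "Always install with elevated privileges" = Disabled.
# When enabled, any user can install an MSI as SYSTEM (a classic local privilege escalation).
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" `
    -ValueName "AlwaysInstallElevated" -Type DWord -Value 0 | Out-Null
# The same setting exists under User Configuration; both halves must be off.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" `
    -ValueName "AlwaysInstallElevated" -Type DWord -Value 0 | Out-Null

# GPO scope: linking to the OU limits it to that OU and its children.
# Linking at the domain or site level would widen the scope.
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes -Enforced No | Out-Null

# Order of application for that OU (lower Order number wins on conflicts),
# including links inherited from the domain.
(Get-GPInheritance -Target $ou).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Resultant Set of Policy for one computer/user pair, as an HTML report.
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\Temp\rsop-WS01.html" `
    -Computer "WS01" -User "CORP\jdoe"
```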
- Software Settings: contains the Software Installation extension; application packages can be assigned or published.
- Windows Settings: contains the Scripts extension, Security Settings node, and Policy-based QoS node. Admins can create scripts that run at user sign-in or sign-out, and can control what software users can run.
- Administrative Templates: settings that enable an admin to tightly control users' computer and network environments. Example: Control Panel can be hidden from users, or only selected items made available.
User Configuration node: 3 folders
Hierarchical organization; centralized but distributed database; scalability; security; flexibility; policy-based administration
What are Active Directory features?
- Need for differing account policies (for differing policies across business units, Password Settings Objects can be used instead of a new domain).
- Need for different name identities (separate DNS namespaces).
- Replication control: replication traffic is reduced by creating separate domains.
- Need for internal versus external domains.
- Need for tight security (a domain is a security and policy boundary).
Why choose a multi-domain design?
- Simplicity: don't need multiple identities, separate administration, or differing account policies.
- Lower cost.
- Easier management.
- Easier to move users b/w OUs than b/w domains.
- Easier access to resources.
Why choose a single domain?
To control the frequency of Active Directory replication across WAN links and to assign policies based on physical location.
Why define multiple sites?
Domain Controller (DC)
A server running Windows Server 2016 w/ the Active Directory Domain Services role installed. Can service only one domain.
Active Directory site
A physical location in which domain controllers communicate and replicate information periodically; one or more IP subnets connected by high-speed LAN technology. Each physical location with a domain controller operating in a common domain, connected to the others by a WAN, is typically defined as a separate site.
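Defining a second site so that replication over the WAN happens on a schedule rather than continuously, and then checking replication health, as an added PowerShell example that serves both the replication cards and the site cards above (not from the original page). The site, subnet, DC and domain names are assumptions.

```powershell
# Added example (not from the original page). Site "Branch", subnet 10.20.0.0/16,
# DC02 and corp.example.com are assumptions.
Import-Module ActiveDirectory

# A new forest starts with one site; everything is in it until subnets say otherwise.
Get-ADReplicationSite -Filter * | Select-Object Name

New-ADReplicationSite   -Name "Branch"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "Branch" -Location "Branch office"

# Site link: intra-site replication stays near-immediate; between these two sites
# it runs every 180 minutes, so WAN traffic is bounded.
New-ADReplicationSiteLink -Name "HQ-Branch" `
    -SitesIncluded "Default-First-Site-Name", "Branch" `
    -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# Move the branch DC into its site so clients there authenticate locally.
Move-ADDirectoryServer -Identity "DC02" -Site "Branch"

# Health: last success/result per replication partner and partition, plus any
# outstanding failures anywhere in the forest.
Get-ADReplicationPartnerMetadata -Target "corp.example.com" -Scope Domain |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize
Get-ADReplicationFailure -Target "corp.example.com" -Scope Forest
```

A LastReplicationResult other than 0, or any rows from Get-ADReplicationFailure, means the DCs no longer hold consistent copies of the directory and changes (including password resets and group removals) are not reaching every DC.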
X.500
A suite of protocols developed by the International Telecommunication Union (ITU); the basis for the structure of Active Directory and for how its objects are named and stored.
Directory Services Restore Mode (DSRM)
Boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are accidentally deleted. Entered with the DSRM password set when the DC was promoted.
Active Directory Administrative Center (ADAC)
Central console for performing Active Directory tasks: creating and managing user, group, and computer accounts; managing OUs; connecting to other domain controllers in the same or a different domain; raising the domain's functional level; and enabling the Active Directory Recycle Bin. Built on PowerShell; the Windows PowerShell History pane shows the cmdlets each GUI action ran.