98-365 Ch4 Directory Services in Windows Server
Regardless of whether it is a security or universal group, try to understand the group scope as an extension option of
The group in the domain, forest, or tree domain
What is a domain in the context of domain name?
The logical naming system that governs the internet, including web servers and websites
What is Kerberos?
Kerberos securely authenticates and proves identity between the users and servers on the network
What does lmhosts stand for?
LAN manager hosts
AD uses the following protocols and services:
LDAP (Lightweight Directory Access Protocol), Kerberos, DNS (Domain Name System)
What does the AD DS role do?
Lets Sys Admins manage and store a network's information resources
What is LDAP?
Lightweight Directory Access Protocol used to access the directory services data
AD is managed through snap-ins in ....
MMC (Microsoft Management Console)
What is Active Directory Domains and Trusts used for?
Manage domains, trusts, and relevant information
What is Active Directory Module for Windows Powershell used for?
Manage the Windows Server's directory services through cmdlets
What is Active Directory Sites and Services used for?
Manage the replication and services between sites
What is Active Directory Users and Computers used for?
Manage users, computers, and relevant information
What does a WINS server do?
Maps the IP addresses to NetBIOS names
What are the ForestWide operations Master Roles?
Master Schema, Domain Naming Master
What do AGDLP and AGUDLP reference?
Microsoft's recommendation for effectively using group nesting when assigning permissions
What does NetBIOS stand for?
Network Basic Input/output System
Regardless of the number of tree domains in a forest, each domain can have its own
OU hierarchy
What is an old feature of DCs in Windows NT?
One DC per domain was configured as the Primary Domain Controller (PDC), and all other DCs acted as Backup Domain Controllers (BDCs)
To ease the administration of objects, the AD Users and Computers console provides
Organizational Units (OU) and default containers
Unlike the hosts file, the lmhosts file contains
The mapping of IP addresses to computer names, and is used for NetBIOS name resolution
What does the host file contain?
The mapping of IP addresses to host names, and is used for DNS name resolution
With transitive trust what happens when a new domain joins an existing tree?
The new domain automatically trusts all existing domains in the tree.
What is Active Directory Administrative Center used for?
The one-stop place that is used to manage Windows Server's directory services
What best represents a workgroup?
P2P network, where computers share resources without a central server
What are the 3 DNS zones?
Primary zone, Secondary zone, Stub zone
With DNS, what is the first server that your browser runs into to resolve an address?
Recursive Resolver
What are the DomainWide operations master roles?
Relative Identifier (RID), Primary Domain Controller (PDC), Infrastructure Master
How is a forest setup in WS 2016?
Same as trees and domains, using the AD Domain Services Configuration wizard.
What is the big reason why there are hidden containers?
Security
After a computer joins the domain, the ________ in the local computer trusts AD DS's authentication mechanisms.
Security Account Manager (SAM). Thus, the user is authenticated by a domain in a network, and not by the local SAM.
What is group nesting?
Since groups are objects too, groups can be added to other groups, thus minimizing the number of individually assigned permissions to users or groups
What is an FQDN?
Fully qualified domain name
What is a global group?
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain.
Syntax for HOSTS entry
IP address FQDN hostname
Syntax for LMHOSTS entry
IP address FQDN hostname Extension
What is the DNS Stub zone?
In principle, it is a secondary zone with no editable primary copy of the database and contains sufficient information to identify the authoritative DNS.
Who typically provides the Recursive Resolver?
Internet Service Provider (ISP)
What is a DNS secondary zone?
It acts as the backup of the primary zone and whenever the first one is unavailable, it resolves DNS queries
What is the non-authoritative DNS?
It holds the cached information that has been built up by previous DNS lookups
What may be in a global group?
It includes accounts and global groups from the global group's own domain
What may be in a universal group?
It includes accounts, global groups, and universal groups from any domain in the forest to which the universal group belongs
What is AD?
It is a distributed database that stores objects in a hierarchical, structured, and secure format
What is a local user profile?
It is created when the user logs on to a computer for the first time and is stored on the local computer
What may be in a Domain local group?
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
How is DC configuration in WS 2016 different than Windows NT?
There are no primary and backup concepts, instead numbers are used next to DCs to ID priorities
What is a security group?
These are explicitly used to assign permissions to a shared resource on a network
What is a distribution group?
These are particularly used to distribute email lists in an organization's network
What is the DNS primary zone?
This stores the primary copy of the DNS database and maintains all the DNS zone records
How do you set up WINS?
Through the Server Manager using the add roles and features wizard
How is the DNS role added to WS 2016?
Through the server manager
What is one reason there are hidden containers by default?
To keep the AD Users and Computers console from looking messy
How are domains in a tree linked?
Transitive trust (A=B and B=C, then A=C)
Originally used in UNIX, what is the standard to identify a share in a computer network?
Universal Naming Convention (UNC)
What is a universal group?
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain.
What is DNS?
Used to translate domain names into IP addresses
What is needed to access network resources?
User and Computer accounts
To automate NetBIOS name resolution, you can use
Windows Internet Name Service (WINS)
Unlike domain accounts, the local account exists only on the computer where that account was created, and as such, it is authenticated by
Windows SAM
Is a group considered an object within AD?
Yes
Default containers are unique because
You cannot rename, delete, create new ones, or associate Group Policy Objects (GPOs) with these containers
In a Windows Server-based network, both user and computer accounts reside in
a centralized directory
Each DNS zone represents...
a root domain or multiple domains, and sub-domains
Before a computer joins a domain, it must have
a unique name within a network
What do group scopes do?
allow you to use groups in different ways to assign permissions. The scope of a group determines from where in the network you can assign permissions to the group.
Where are the hosts and lmhosts stored?
c:\Windows\system32\drivers\etc
From the perspective of network service access, domains are usually?
centralized network environments where authentication is governed by a DC
In AD, a group is a
collection of AD objects
In AD, what identifies a computer in a domain?
computer account
Knowing that OUs facilitate the organization of AD objects, whenever you want to GRANT PERMISSIONS to a certain user, or group of users, in AD, then the choice is
delegation of control to an OU
A hostname is often called a
domain name
What is the run command to open Active Directory Domains and Trusts?
domain.msc
What is the Universal Naming Convention format?
double backslash \\ to precede the name of the server
What is the run command to open Active Directory Users and Computers?
dsa.msc
What is the run command to open Active Directory Administrative center?
dsac.exe
What is the run command to open Active Directory Sites and Services?
dssite.msc
How is the tree domain configured?
during the Promote this server to a domain controller process (same as just adding a domain)
The authentication mechanism for each tree domain trusts the authentication mechanism for other trusted tree domains within a ____.
forest
In centralized environments, what is used for the process of assigning rights and permissions?
groups
Not all default containers are needed for a sys admin's day-to-day job. Because of that, there are
hidden containers
What allows the existence of DNS zones?
its hierarchical structure
A domain name consists of one or more parts, called _______, which are separated by points.
labels
As with computer networks, in AD DS there are physical and logical topologies. Thus a domain represents the ___________ topology of an AD DS infrastructure. The site actually represents the _____________ of the computer network.
logical topology; physical location
In both hosts and lmhosts, entries are added
manually, and each entry should be kept on its own line
A server not acting as a DC in a network is known as a
member server
What run command opens MMC?
mmc.exe
Often, organizations create OUs to mirror their
organizational business structure
DNS has a tree structure (hierarchical) where each branch represents the ________ and each leaf has zero or more _______.
root zone; resource records
AD stores objects, and these are identified by their names and attributes. That means that it is actually the _______ which is a component stored in the directory.
schema
It is replication that synchronizes the _____ among all the domain controllers in the forest.
schema
DNS is maintained in a database that uses a distributed client/server architecture, where the network nodes represent the?
server names
NetBIOS names are the names that are used when you connect to a
shared folder or printer
Where should local accounts NOT be created?
the DC
The functional level determines
the available AD DS capabilities and which version of Windows Server you can run
In AD DS infrastructure, replication is..
the process that synchronizes the common directory partition among all domain controllers in the forest
The domain account exists in the AD and as such, it is authenticated by
the same entity (AD on the same server)
Prior to assigning permissions to a user, or group of users, they need
to be placed into an OU
What objects are contained in an OU?
users, groups, computers, and other OUs
What are the MMC snap-ins?
- Active Directory Administrative Center
- Active Directory Users and Computers
- Active Directory Domains and Trusts
- Active Directory Sites and Services
- Active Directory Module for Windows PowerShell
How does AGDLP nesting work?
- Add the accounts to a Global group
- Add the Global group to a Domain Local group
- Assign permissions to the Domain Local group
How does AGUDLP nesting work?
- Add the accounts to a Global group
- Add the Global group to a Universal group
- Add the Universal group to a Domain Local group
- Assign permissions to the Domain Local group
What are the logical divisions of AD infrastructure?
- Forests
- Trees
- Domains
What can a local account access?
- Local services, based on the access that is granted to the account
- Shared resources in a P2P network
What are the types of User Profiles?
- Local user profile
- Roaming user profile
- Mandatory user profile
Each AD object is uniquely identified by
- Name
- Attributes
What is NetBIOS?
- OSI Session Layer 5 protocol and a service that allows applications on computers to communicate with one another over a LAN
- Not a protocol but uses TCP/IP
- Results in each computer having not just a unique IP but a unique host name
What are the 2 types of groups?
- Security Groups
- Distribution Groups
When adding the DNS role, either
- add it as a separate role
- or, alongside AD DS
What files are used for name resolution?
- hosts
- lmhosts
AD's objects typically represent
- users
- computers
- peripheral devices
- network services
Since the Master Schema and Domain Naming Master are part of the forest, how many are there total?
1
What is a Mandatory user profile?
A kind of roaming profile where, when the user logs off, no changes to the profile are saved.
What is a Roaming user profile?
A local profile copied and stored to a network share
What is a hostname?
A logical element that is assigned to a device. It is unique and used to identify the device in a computer network
What is a domain?
A logical grouping of users, computers, peripherals, network services, and SECURITY SETTINGS.
What is a domain controller?
A server that is responsible for securely authenticating requests for accessing resources in your organization's domain
What is a replication topology?
A set of communication paths through which the domain controllers' replication data travels
In Windows Server-based networks, the domain is powered by the
AD DS role
Groups are managed through
AD Users and Computers
What is a tree?
AD structure comprised of one or more domains.
What is AGDLP?
Accounts, Global, Domain Local, Permissions
What is AGUDLP?
Accounts, Global, Universal, Domain Local, Permissions
How do you start the setup of Domain Services?
Add the AD DS role to the server
When are default containers created?
After promoting the server to a domain controller
How is a child domain setup?
Almost the identical steps for setting up the tree domain, using the AD DS Config wizard.
What does the recursive resolver do?
Contacts root servers scattered throughout the globe, which contain the information about top-level domains.
All the tree domains share a common namespace within a forest. This is known as
Contiguous namespace (Forest = AF.afcent; all trees will be XXXX.afcent)
What as a whole constitutes a tree domain?
A child domain located under a Parent domain.
What are the steps when you try to go to www.example.com?
1. Browser makes a request to the internet to access the website
2. The first server your browser runs into is the Recursive Resolver
3. The recursive resolver will contact the root server, which contains info about top-level domains
4. The top-level domain will provide the DNS info to the Recursive Resolver
5. The recursive resolver will contact the DNS for example.com and, through the domain name server's local DNS, locate the IP
6. Then that IP address is provided to your browser by the recursive resolver to access the web server content, via its newly obtained IP address
What are the simple uses for some default containers?
1. COMPUTERS - for upgraded computer accounts
2. DOMAIN CONTROLLERS - for domain controllers
3. FOREIGN SECURITY PRINCIPALS - for security identifiers (SIDs)
4. KEYS - for key objects
5. LOSTANDFOUND - for orphaned objects
6. MANAGED SERVICE ACCOUNTS - for MSAs
7. USERS - for upgraded user accounts
What are the 3 group scopes in AD?
1. Domain Local Groups
2. Global Groups
3. Universal Groups
What are the steps to create a domain account?
1. From Windows Admin Tools, open the AD Users and Computers console
2. Right-click the Users container and select New | User
3. Enter the user's required information and click NEXT
4. Provide a temporary password, confirm it, and click NEXT
5. Click Finish to close the New Object / User window
What are the steps to create a local account on WS 2016?
1. From Windows Admin Tools, open the Computer Management console
2. Expand System Tools / Local Users and Groups, right-click the Users container and select New | User
3. Enter the user's required information and hit Create
After creating the root domain in a forest, AD DS automatically assigns that DC 5 operations master roles, which are
1. Master Schema
2. Domain Naming Master
3. Relative Identifier (RID)
4. Primary Domain Controller (PDC)
5. Infrastructure Master
1 & 2 are ForestWide operations master roles; 3-5 are DomainWide operations master roles
What is the first set of steps to add AD DS role in Windows Server 2016?
1. Open Server Manager
2. Within the WELCOME TO SERVER MANAGER section, click Add roles and features
3. With the Add Roles and Features Wizard open, click NEXT
4. Select the Role-based or Feature-based install option, and click NEXT
5. With the Select a server from the server pool option checked, click NEXT
6. Select the AD DS role, then click NEXT
7. Click the Add features button when the Add features that are required for AD DS window is displayed, then click NEXT
8. Accept the default settings in the Select features step, click NEXT
9. Take time to read the AD DS definition and things to note regarding the AD DS install
10. Confirm the install selections for the AD DS role, then click INSTALL
What is the last set of steps to complete AD DS role install in WS 2016?
11. Either hit Close, or wait until the install progress reaches its end
12. Click Close to close the Add Roles and Features Wizard
13. In Notifications, click Promote this server to a Domain Controller
14. In the AD DS config wizard, select the Add a new forest option, then enter the ROOT domain name, click NEXT
15. Accept the defaults for the Forest and Domain functional levels and enter the DIRECTORY SERVICES RESTORE MODE (DSRM) password, click NEXT
16. If you have an existing DNS server on your network, then manually create a delegation for that DNS server to enable reliable name resolution from outside of your domain. OTHERWISE, no action is required. Click NEXT
17. Either accept the default NetBIOS entry, or change it accordingly, click NEXT
18. Either accept the default paths, or change them accordingly, click NEXT
19. Review your options, click NEXT
20. Since the prereqs are met, click INSTALL
21. The server will restart to complete promoting itself to a DC
What is the authoritative DNS?
A DNS server that holds the DNS records of the actual domain
What is a forest in AD?
A collection of trees.
The AD DS namespace is jointly related to the _______________, because the DNS namespace can be divided into zones that store information about domains.
DNS namespace
What is a Domain local group?
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
How do you make hidden containers visible?
Enable the Advanced Features option from the View menu