Active Directory
cnit 242 exam 1
Term | Definition |
---|---|
What is Active Directory (AD)? | Microsoft's network directory service; contains the objects tracked and managed by the network; a central repository of networked device information to query, update, and authenticate against |
AD usage | Used to retrieve information for authentication; used when users search for printers and contacts |
Most important aspect of AD functionality | Dependent on DNS: AD cannot function in a networked environment without a properly configured and connected DNS server |
AD basics | Workgroup, Domain, Active Directory Domain Services, Site, Replication, Objects, Schema, Group Policy, Organizational Units, Default Domain Policy, Forest, Global Catalog, Trust, Tree |
Workgroup | No centralized management or control; one or more computers on a LAN that are NOT joined to a domain; no dependencies between computers. Example: Joe uses computers 1 and 2; the computers don't know that each Joe user is actually the same person |
Domain | A collection of objects that share the same database. With Joe, if one user were created in the central AD database and both computers were connected, then changes to this user by an admin (e.g. a password change) would reflect on both machines |
Sites | Represent the physical structure of the network; a collection of well-connected subnets; used in AD to determine the relative location of an item in the directory. Example: which server a client should authenticate against |
Replication | Any changes to the repository are extended out to connected domains (AD Sites and Services tool); changes to a user on domain controller A apply to domain controller B; on the same site this happens within 15 seconds; across sites, between 15 and 180 minutes |
Objects | Everything in AD is an object (user, device); user Joe is an object; changing a first name changes the object Joe's first-name attribute. An object is an instance of a class |
Schema | Holds the classes for the objects you create; a set of templates used to create objects (defaults for user setup). Admins can use ADSI Edit to create classes or edit available attributes |
Group Policy | Used to configure settings for users and computers; configure one or more settings in one group policy and apply it to one or more users or computers by linking the group policy to an organizational unit |
Group policy example | You wish to enable Remote Desktop on each server: enable the Remote Desktop setting in the group policy and link it to the OU where the servers reside; all computers in that OU will be enabled for Remote Desktop |
Group policy utility | Can link GPOs (group policy objects) to sites, domains, and OUs. Default policies: domain policy and domain controller policy |
OUs | Used to organize objects in AD; a kind of container; used to link GPOs; used for delegation of control |
What is a forest? | A single instance of Active Directory; a forest can have one or multiple domains that share the same schema, and at its smallest has one domain controller (DC); also called a security boundary |
Forests and transitive trusts | Created when there are multiple domains within a forest made of multiple domain trees. In an Active Directory transitive trust relationship, if domain A trusts domain B, and domain B trusts domain C, then domain A trusts domain C |
AD services & FSMO roles (Flexible Single Master Operations roles, designated to single servers) | Services each hosted independently on a DC in an AD forest |
Schema Master | Scope: forest-wide. The DC that is allowed to make changes to the schema (definitions of things in the database); only one in the entire forest |
Domain Naming Master | Scope: forest-wide. The DC responsible for the forest-wide namespace; MUST be on a DC that is also a Global Catalog server |
PDC Emulator | Scope: domain-wide. Used for backward compatibility with Windows NT DCs and for propagating password changes quickly across all DCs in the domain (not hours, but seconds); ideally should not be the same machine as the Global Catalog |
RID (Relative ID) Master | Scope: domain-wide. Makes sure that SIDs are unique within the domain; a SID is a long security ID. All SIDs in a domain are the same up to the last 32 bits, called the RID; the RID Master makes sure those 32 bits remain unique for each object in the domain |
Infrastructure Master | Scope: domain-wide. Maintains references to objects located in another domain (phantoms) |
Forest rules/policies | In multi-domain forests, at least one DC must be configured as a global catalog server (ideally not on the PDC Emulator server); in single-domain forests, all DCs should be global catalog servers to maintain full functionality should one DC fail |
Global catalog server | Lists all objects in the directory |
AD users | Users are created in a specific domain and can authenticate against any DC in the domain; Kerberos is the default for authentication and authorization; users can be members of multiple groups, and the SID of each group is added to the user's security token upon logon |
AD groups | Two types: security groups have SIDs added to users' tokens and can be used in ACLs; distribution groups are for organization only and not for access control (mainly for messaging) |
Group scopes in AD | A single group can be used across all computers within the domain in which the group resides; you can also use groups outside of their native domain, depending on the group's scope |
Domain local group (DLG) | Intended to be used only in the domain it was created in; stored and replicated to all DCs within the domain the DLG was created in; can contain universal groups from any domain and DLGs from the same domain |
Global group | The default group scope in AD; can be used by computers within the domain and by members of other domains in the forest; stored and replicated to all DCs within the domain the group was created in |
Universal group | Stored on DCs that are configured as global catalogs; replicated to domains across the entire forest; can be used by all computers in the forest and can contain members from any domain within the forest |
A location in a directory can be either absolute or relative. If a location is relative, the starting location is known as the ________________________. | context |
You can install Active Directory on Windows Server without having an existing DNS server or installing a new DNS server. True or False? | False: a DNS server that supports dynamic updates is required to implement Active Directory |
The order of scale, from smallest to largest, in an Active Directory is: | Subnet, site, domain, forest |
The tool used to rename a domain is: | None; domains cannot be renamed |
File permissions can be directly assigned to organizational units (OUs). True or False? | False: OUs are used to link group policy objects and don't implement access control policy/permissions |