Active Directory’s scalability and integration capabilities - TopicsExpress
Active Directory’s scalability and integration capabilities result from its use of industry standards for naming formats and directory functions, specifically the Lightweight Directory Access Protocol (LDAP). Since the introduction of LDAP, this protocol has become an industry standard that enables data exchange between directory services and applications.

A Windows Server 2008 computer that has been configured with the Active Directory DS role is referred to as a domain controller (DC). A domain controller is a server that stores the Active Directory database and authenticates users with the network during logon.

A zone transfer is the process of replicating DNS information from one DNS server to another.

Resultant Set of Policy (RSoP) is the sum of the policies applied to a user or computer after all filters, security group permissions, and inheritance settings, such as Block Policy Inheritance and Enforce, have finished processing.

Forward lookup zones are necessary for computer hostname–to–IP address mappings, which are used for name resolution by a variety of services. For example, when a user requests access to a server based on its hostname, the request is passed to a DNS server to resolve the hostname to an IP address. Most queries are based on forward lookups.

The schmmgmt.dll DLL is not registered by default in Windows Server 2008 and needs to be registered manually to run the Schema Management MMC snap-in.

Replication within Active Directory will occur when an object is added to or removed from Active Directory, the value of an attribute has changed, or the name of an object has changed.

Cross-forest trust relationships were introduced in Windows Server 2003; they allow you to create two-way transitive trusts between separate forests.

Repadmin is a command-line tool that can be used to manually create a replication topology when site link bridging has been disabled because the network is not fully routed.

The Domain Naming Master role has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest. When any of these is created, the Domain Naming Master ensures that the name assigned is unique to the forest. The Active Directory Domains and Trusts console must be used to move the Domain Naming Master FSMO role.

Domain local and global group memberships are stored at the domain level; universal group memberships are stored in the global catalog.

The CSVDE command-line utility allows an administrator to import or export Active Directory objects. It uses a .csv file that is based on a header record, which describes each part of the data. A header record is simply the first line of the text file that uses proper attribute names.

A strong password has the following characteristics: at least eight characters in length; contains uppercase and lowercase letters, numbers, and non-alphabetic characters; at least one character from each of the previous character types; and differs significantly from other previously used passwords.

Enrollment agent certificates are generated by the enterprise CA and are used to generate a smart card logon certificate for users in the organization. Because these enrollment agent certificates can generate smart cards with authentication credentials for anyone in the organization, you should make sure strong security policies are in place for issuing enrollment agent certificates.

The Default Domain Policy is linked to the domain, and its settings affect all users and computers in the domain.

The Service special identity group is used by the system to allow permission to protected system files so that services can function properly. It includes all security principals (users, groups, or computers) that are currently logged on as a service.

Offline file storage works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible.

The Group Policy templates (GPT) folder structure is located in the shared SYSVOL folder on a domain controller. The path to the default GPT structure for the cohowinery domain is %systemroot%\sysvol\sysvol\cohowinery\Policies\. Replace %systemroot% with the folder location for the operating system files.

The Audit Policy section of GPO Local Policies allows administrators to log successful and failed security events such as logon events, account access, and object access. Auditing can be used to track user activities and system activities.

First introduced in the Windows Server 2003 and Windows XP operating systems, the options in the Software Restriction Policies node give organizations greater control in preventing potentially dangerous applications from running. Software restriction policies are designed to identify software and control its execution. In addition, administrators can control who will be affected by the policies.

The Group Policy Results feature in Group Policy Management is equivalent to the Logging mode within the Resultant Set of Policy MMC snap-in. Rather than simulating policy effects, as the Group Policy Modeling Wizard does, Group Policy Results obtains RSoP information from the client computer to show the actual effects that policies have on the client computer and user environment.

The new Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft’s larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing public key certificates that can be used by any security system that relies on a PKI for authentication or authorization.

The Comma-Separated Value Directory Exchange (CSVDE) command-line utility is used to import or export Active Directory information from a comma-separated value (.csv) file. These files can be created in any text editor. This command-line utility only imports or exports new objects; it cannot modify or delete existing objects.

Offline defragmentation is a manual process that defragments the Active Directory database in addition to reducing its size. Performing an offline defragmentation is not considered to be a regular maintenance task. You should only perform an offline defragmentation if you need to recover a significant amount of disk space.

The Reliability and Performance Monitor uses categories to organize the items that can be monitored, which are referred to as performance objects.

At the top of the domain hierarchy are the root name servers, which are the highest-level DNS servers in the entire namespace. They maintain information about the top-level domains.

Account organizations contain the user accounts that are accessing the resources controlled by resource organizations, similar to a trusted domain in a traditional Windows trust relationship.

Enrollment agents are used to request certificates on behalf of a user, computer, or service if self-enrollment is not practical or is otherwise an undesirable solution for reasons of security, auditing, and so on. An enrollment agent typically consists of a dedicated workstation that is used to install certificates onto smart cards, thus preconfiguring a smart card for each person’s use.

The CA issues and manages certificates for individuals, computers, and organizations. Multiple CAs can be linked to form a public key infrastructure. PKI requires you to install Active Directory Certificate Services in your Windows Server 2008 environment. Active Directory Certificate Services is a server role available in Windows Server 2008 that allows you to create and administer PKI certificates for your users, computers, and applications.

Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. It allows administrators to create queries based on hardware, software, operating systems, and services. These queries can be used to gather data or determine where items, such as GPOs, will be applied.

RSoP uses information that is part of the Common Information Management Object Model (CIMOM) database. The CIMOM database is accessed through WMI and contains information that is gathered when a computer starts and becomes part of the network. This information includes hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, scripts, Folder Redirection settings, and Security settings.

The Basic logging level setting records slightly more detailed information than the lowest level. Use this setting if Minimal logging is not producing sufficient error messages to allow you to troubleshoot a particular issue.

The Active Directory Federation Services (AD FS) role allows administrators to configure Single Sign-On (SSO) for Web-based applications across multiple organizations without requiring users to remember multiple usernames and passwords. This enables you to configure Internet-facing business-to-business (B2B) applications between organizations.

An enterprise CA integrates with an Active Directory domain. It can use certificate templates to allow autoenrollment of digital certificates, as well as store the certificates themselves within the Active Directory database. You can use an enterprise CA as both a root and a subordinate CA in any PKI infrastructure.

The Windows Server 2003 functional level allows Windows Server 2003 and Windows Server 2008 domain controllers only. It does not allow the presence of Windows 2000 domain controllers.

If the domains within a forest are separated by slow WAN links and the tree-walking process takes an exceedingly long time to allow user authentication across domains, you can configure a shortcut trust along a commonly used “trust path.”

Authorization is the process of confirming that an authenticated user has the correct permissions to access one or more network resources.

Windows Script Host (WSH) supports the Microsoft VBScript and JScript engines. It has the flexibility of running scripts from a Windows interface or a command prompt. WSH is built into Windows 98, Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. It provides a robust scripting method that supports a multitude of administrative tasks, including creating Active Directory objects, mapping drives, connecting to printers, modifying environment variables, and modifying registry keys.

Software restriction policies can specify software that you wish to run on computers. They can also prevent applications from running that might pose a security risk to the computer or organization.

Application directory partitions are used to separate forest-wide DNS information from domain-wide DNS information to control the scope of replication of different types of DNS data.

Simple Mail Transport Protocol (SMTP) is an alternative solution for intersite replication when a direct or reliable IP connection is not available. SMTP, a member of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, is the standard protocol used for message transfer, such as email.

The global catalog holds a subset of forest-wide Active Directory objects and acts as a central repository by holding a complete copy of all objects from the host server’s local domain with a partial copy of all objects from other domains within the same forest, called the partial attribute set (PAS). This partial copy of forest-wide data includes a subset of each object’s attributes. The attributes included in this subset are necessary to provide functionality such as logon, object searches, and universal group memberships. The global catalog has four main functions in an Active Directory environment: facilitating searches for objects in the forest, resolving user principal names (UPNs), maintaining universal group membership information, and maintaining a copy of all objects in the domain.

All default groups are security groups. Active Directory does not include any default distribution groups.

A strong password can be simply defined as a password that follows guidelines that make it difficult for a potential hacker to determine the user’s password. Configuring strong passwords on a Windows Server 2008 network is a combination of creating a minimum required password length, a password history, requiring multiple types of characters within a password, and setting a minimum password age.

The Windows Settings folder located under the Computer Configuration node in the Group Policy Management Editor contains security settings and scripts that apply to all users who log on to Active Directory from that specific computer. This means that the settings are computer specific.

An advanced technique, called security group filtering, allows you to apply GPO settings to only one or more users or groups within a container by selectively granting the “Apply Group Policy” permission to one or more users or security groups.

The background refresh interval can be set to any value from 0 to 64,800 minutes (45 days). If you set the refresh interval to zero, the system attempts to update the policy every 7 seconds. This can cause a significant amount of traffic and overhead on a production network and should be avoided except in a lab or test environment.

When implementing multiple rule types, rules are applied in the following order: hash rules, certificate rules, network zone rules, and path rules. By default, the Software Restriction Policies area has an Unrestricted value in the Default Security Level setting.

The Group Policy Management MMC snap-in is a tool for managing Windows Server 2008, Windows Server 2003, and Windows 2000 Active Directory domains. The Group Policy Management MMC provides a single access point to all aspects of Group Policy that were previously spread across other tools such as Active Directory Users and Computers, Active Directory Sites and Services, Resultant Set of Policy (RSoP), and the Group Policy Management Editor.

Logging mode queries existing policies in the hierarchy that are linked to sites, domains, domain controllers, and OUs. This mode is useful for documenting and understanding how combined policies are affecting users and computers. The results are returned in an MMC window that can be saved for later reference.

Active Directory writes each transaction to the transaction log file. The default log file is named edb.log. The log file allows the transaction to be stored until it can be written to the actual database.

Configuring Active Directory diagnostic event logging requires that you edit the registry. The following key contains the additional areas that can be logged to the Directory Service log: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

The three columns that can be modified in the host table are IP address, host name, and comments.

Cross-forest trusts are new to Windows Server 2008, and they are only available when the forest functionality is set to Windows Server 2008. They must be manually created and maintained.

Priority is a mechanism to set up load balancing between multiple servers that are advertising the same SRV records. Clients will always use the record with the lower-numbered priority first.
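The rule precedence stated above (hash, then certificate, then network zone, then path, with Unrestricted as the default level), as an added Python example that is not part of the original notes: a small resolver that returns the effective security level for a file. The Rule and FileInfo structures, the sample policy, and the choice of the most restrictive match within a single rule type are assumptions of this example, not something the notes specify.

```python
"""Resolve the effective Software Restriction Policy level for a file.

Added example: applies the SRP rule precedence from the notes (hash ->
certificate -> network zone -> path) and falls back to the Default
Security Level (Unrestricted). Data structures and samples are constructed.
"""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# Precedence between rule types, as stated in the notes.
RULE_PRECEDENCE = ("hash", "certificate", "zone", "path")
DEFAULT_SECURITY_LEVEL = "Unrestricted"
# Assumption: when several rules of the same type match, the most
# restrictive one wins. Lower number = more restrictive.
LEVEL_RANK = {"Disallowed": 0, "Unrestricted": 1}


@dataclass
class Rule:
    kind: str    # one of RULE_PRECEDENCE
    match: str   # sha256 hex digest, signer subject, zone name, or path glob
    level: str   # "Disallowed" or "Unrestricted"


@dataclass
class FileInfo:
    path: str
    content: bytes
    signer: Optional[str] = None   # Authenticode signer subject, if signed
    zone: Optional[str] = None     # origin zone (Windows Installer packages)


def _rule_matches(rule: Rule, f: FileInfo) -> bool:
    if rule.kind == "hash":
        return hashlib.sha256(f.content).hexdigest() == rule.match.lower()
    if rule.kind == "certificate":
        return f.signer is not None and f.signer == rule.match
    if rule.kind == "zone":
        return f.zone is not None and f.zone == rule.match
    if rule.kind == "path":   # case-insensitive glob, like Windows paths
        return fnmatch(f.path.lower(), rule.match.lower())
    raise ValueError(f"unknown rule kind: {rule.kind}")


def effective_level(rules: List[Rule], f: FileInfo) -> Tuple[str, Optional[Rule]]:
    """Return (level, deciding rule); rule is None when the default applies."""
    for kind in RULE_PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and _rule_matches(r, f)]
        if hits:
            chosen = min(hits, key=lambda r: LEVEL_RANK[r.level])
            return chosen.level, chosen
    return DEFAULT_SECURITY_LEVEL, None


# Constructed sample policy and a constructed "known bad" file body.
BAD_SAMPLE = b"MZ constructed sample of a blocked binary"
SAMPLE_RULES = [
    Rule("path", r"C:\Program Files\*", "Unrestricted"),
    Rule("path", r"C:\Users\*\Downloads\*", "Disallowed"),
    Rule("zone", "Trusted sites", "Unrestricted"),
    Rule("zone", "Internet", "Disallowed"),
    Rule("certificate", "CN=Coho Winery Tools", "Unrestricted"),
    Rule("hash", hashlib.sha256(BAD_SAMPLE).hexdigest(), "Disallowed"),
]

if __name__ == "__main__":
    # A hash rule beats the Unrestricted path rule for Program Files.
    print(effective_level(SAMPLE_RULES, FileInfo(r"C:\Program Files\tool.exe", BAD_SAMPLE)))
    # A certificate rule beats the Disallowed path rule for Downloads.
    print(effective_level(SAMPLE_RULES, FileInfo(r"C:\Users\ann\Downloads\s.exe", b"ok", signer="CN=Coho Winery Tools")))
```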
Read-Only Domain Controllers also offer a feature that has been a top request of Active Directory administrators since the early days of Windows 2000: Admin Role Separation. This means that it is now possible to configure a user as the local administrator of a specific RODC without making the user a member of Domain Admins, which carries far-reaching authority over all domain controllers in your entire domain and full access to your Active Directory domain data.

After you establish a manual trust, you can verify the trust using either Active Directory Domains and Trusts or the netdom command-line tool, which is used to create, delete, verify, and reset trust relationships from the Windows Server 2008 command line.

The default replication frequency for a new site link is 180 minutes, but it can be configured to take place as frequently as every 15 minutes and as infrequently as once per week.

The ISTG automatically assigns one server in each site as the bridgehead server unless you override this by establishing a list of preferred bridgehead servers. The advantage of administratively assigning a preferred bridgehead server list is that you can determine which servers have the best processing power for handling replication traffic.

Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers. The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform.

A security identifier (SID) is used to uniquely identify an object throughout the Active Directory domain. Part of the SID identifies the domain to which the object belongs, and the other part is the RID.

Three types of user accounts can be created and configured in Windows Server 2008. They are local accounts, domain accounts, and built-in user accounts.

Distribution groups are nonsecurity-related groups created for the distribution of information to one or more persons.

Universal groups, like global groups, are used to organize users according to their resource access needs. They can be used to organize users to facilitate access to any resource located in any domain in the forest through the use of domain local groups. Universal groups are used to consolidate groups and accounts that either span multiple domains or the entire forest.

When configuring certificate services, you can specify a location for the certificate database. This defaults to C:\Windows\system32\CertLog.

The content of each nonlocal GPO is actually stored in two locations. One of these is the Group Policy container (GPC), an Active Directory object that stores the properties of the GPO.

The account management events policy setting is set to audit successes in the Default Domain Controllers GPO. This setting triggers an event that is written based on changes to account properties and group properties. Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling.

Software categories allow published applications to be organized within specific groupings for easy navigation.

What type of rule can be applied to allow only Windows Installer packages to be installed if they come from a trusted area of the network? Network zone rules apply only to Windows Installer packages that attempt to install from a specified zone such as a local computer, a local intranet, trusted sites, restricted sites, or the Internet. This type of rule can be applied to allow only Windows Installer packages to be installed if they come from a trusted area of the network.

The WMI Filtering method uses filters written in the WMI Query Language (WQL), which is similar to Structured Query Language (SQL), to control GPO application.

The Reliability and Performance Monitor is a tool located within the Administrative Tools folder. Reliability and Performance Monitor in Windows Server 2008 allows you to collect real-time information on your local computer or from a specific computer to which you have permissions. This information can be viewed in a number of different formats that include charts, graphs, and histograms.

What in the event log is indicated by a red circle with an X on it? In the Type field of any of the log files in Event Viewer, you should monitor and filter events that indicate a warning or stop error. A warning is indicated by a yellow triangle with an exclamation mark, and a stop error is indicated by a red circle with an X on it.

If you find yourself in a position in which you need to restore an object or container within Active Directory that has been inadvertently deleted, you will need to perform an authoritative restore. A normal restore will not be sufficient in this case because a normal restore will allow post-restore updates to be replicated into the restored DC.

When the Internet was established in 1969 as an experimental wide area network (WAN) named ARPANET by the United States Defense Advanced Research Project Agency (ARPA), system administrators assigned single-word friendly names to their computers. These friendly names, called host names, represented the computer’s IP address in applications and other references.
Posted on: Mon, 14 Apr 2014 23:47:57 +0000