2008 R2 ADS Vocabulary - Session 2 Flashcards
DNS is a network service
which is used to resolve computer names to Internet Protocol (IP) addresses
The DNS server stores DNS records in the form of
a distributed database
The DNS server receives queries that contain system names
and resolves these queries to IP addresses using a process known as name resolution.
In Windows Server networks, the DNS server service can be integrated with
the AD DS role.
When integrated with AD DS, DNS data is stored in and replicated through the
Active Directory (AD), providing AD DS with a mechanism to easily locate domain controllers and ensuring secure multi-master replication of zone data.
When a Windows-based Dynamic Host Configuration Protocol (DHCP) service is implemented in the network, it automatically
directs all DHCP clients and servers to register their names and corresponding IP addresses with the DNS server.
(DHCP)
Dynamic Host Configuration Protocol
A DNS zone represents
one or more contiguous DNS domains of the DNS namespace. It is used to delegate authority and to facilitate the administration of data associated with a namespace.
A server known as the (DNS) authoritative server is used to
store all the information relating to a particular zone. The same DNS server can be authoritative for a number of DNS zones.
The procedure for transferring data from an authoritative server to a secondary server is known as
a zone transfer.
Windows Server 2008 R2 supports the following types of DNS zones
- Primary zone
- Secondary zone
- AD integrated zones
- Stub zone
New features of the DNS server in Windows Server 2008 R2 include support for the following:
- The DNAME Resource Record
- Read-Only Domain Controllers (RODCs)
- Use of Internet Protocol version 6 (IPv6)
- The GlobalNames Zone
Other key features of the Windows Server 2008 R2 DNS server are as follows:
- Integration with Microsoft Networking Services such as WINS, AD DS, and DHCP
- RFC-Compliant Dynamic Updates (clients add their own records to DNS)
- DNS zones that are integrated with AD DS support secure dynamic updates
- Global Query Block List
Advanced DNS Features
- Forwarding
- Root hints
- Server scavenging
Forwarding (DNS)
• The DNS server first tries to resolve a DNS client’s query using the data available in the local network. If no such data exists locally,
the server forwards the query to a DNS server in an external network. You can configure a DNS server to forward all the queries it receives from client machines, instead of performing the name resolution itself.
• Forwarders are responsible for handling all the
external traffic in a network because they forward all queries that need to be resolved to external DNS servers.
All the DNS servers in a network forward unresolved queries
to forwarders.
• Conditional forwarders are forwarders configured
to forward queries for specific domain names to external DNS servers. You use conditional forwarders to resolve queries between two organizations.
Root hints
are queries that enable a server to respond to requests from servers of unknown domains or domains higher than the server that receives the request.
• A DNS server used as a forwarder is automatically located by other servers in the local network. However, you need to use root hints
to resolve the names of external DNS servers through the Internet root servers.
• A file named ________ implements root hints for the DNS server service.
Cache.dns
Cache.dns is stored on the server
in the following location: %systemroot%\System32\Dns.
The DNS and resource records for the host are also a part of the
Cache.dns file
• In a private network, you can use records that are similar to the Cache.dns file to point to
internal root DNS servers.
Server scavenging
• In Windows Server 2008 R2, the server scavenging feature is used to
remove old records from the zone data on a DNS server.
Scavenging removes stale records (records that have exceeded their refresh periods) from the zone data.
• The DNS server stamps all records with the date and time at which they are added, and uses a process known as aging to determine whether a record exceeds the refresh time period specified for it.
• You can configure server settings to periodically repeat scavenging to
free the zones from stale data
A DNS lookup is a process for
converting the IP address of a computer into its host domain name, and vice versa
A forward lookup zone is used to
resolve domain names to their IP addresses.
A reverse lookup zone is used to
identify the domain name corresponding to an IP address.
In a reverse lookup query,
a client sends a request to a DNS server for a pointer (PTR) resource record that corresponds to the IP address of a host.
• You can add a forward lookup zone using
the DNS Manager or the dnscmd command-line utility.
• You can add a reverse lookup zone using the
DNS Manager or the dnscmd command-line utility.
• During the creation of either of these zones, you also specify whether
the zone is AD integrated and its replication scope.
If the zone is AD integrated then you can also
configure secure dynamic updates.
Forwarders and Root Hints
You can reduce the workload on a DNS server by configuring it to answer requests related to local hosts and to forward requests for external domain names to an external DNS server. A DNS server that forwards queries for external resolution is known as a forwarder.
Two types of queries are processed by DNS forwarding servers:
- Recursive Queries
- Iterative Queries
• Recursive Queries
are sent by the DNS client to the DNS server. In a recursive query, either the DNS client receives an error message such as “sorry, name not found” or it receives an exact answer for the IP address that it sends to the DNS server. If the DNS server is able to resolve the client query, it sends the resolved IP address to the client. If it cannot resolve a recursive query, it changes the recursive query to an iterative query by searching its list of forwarders and sending iterative queries to each of them.
• Iterative Queries are queries
where the DNS server is asked either to resolve a query or to make a best guess referral to a DNS server that may be able to resolve it.
Conditional forwarding means
the DNS server forwards queries to different forwarders according to the specific domain names that must be resolved.
When the DNS server receives a query, it first
searches its zone data and cache to resolve the query. If the search does not yield any result, the DNS server compares the domain name in the query with its list of domain name conditions:
- If it finds a matching condition, the query is forwarded to the IP address of the forwarder corresponding to the domain name.
- If no matching condition is found, the DNS server attempts to resolve the query using standard recursion.
- Root hints are used by a DNS server to resolve queries if forwarders are unavailable to it. In some DNS environments, root hints are used in place of forwarders. The difference is that a DNS server using forwarding will request recursion, whereas a DNS server using root hints will attempt to resolve a query recursively itself.
Configuring Root Hints
To configure root hints on a DNS server, first open the DNS Manager and then select the Root Hints tab in the server properties. This tab allows you to add a new root hint, remove a root hint, edit an existing root hint, or copy root hints from another server.
Server Aging and Scavenging
Unmanaged decayed resource records can result in problems such as the following:
• Unnecessarily long zone transfers
• Degradation of the performance and response time of the DNS server
• Possible IP conflicts
Configure aging and scavenging for a DNS server using the
DNS Manager console or the command line.
Aging and scavenging are disabled by
default
To use the aging and scavenging features,
enable the operations on the zone, at the DNS server, or manually by individual record.
The scavenging and aging operations use the
timestamps on resource records to determine when the records must be removed.
A DNS server sets the date and time value to start scavenging on a per-zone basis when
- Users enable dynamic updates for the zone
- A primary zone that is enabled to use scavenging is loaded by a DNS server
- A DNS server starts
- A zone resumes its service after it has been paused
- The administrator manually activates the Scavenge stale resource records function
When setting aging and scavenging properties, you need to specify the
duration for which the server must not refresh its records. This prevents unnecessary updates to existing records, thereby reducing replication traffic.
You also need to set the refresh interval at which the server must refresh its records. The refresh interval is the
period needed between when a no-refresh interval expires and when a record is considered stale.
Configuring Zone Delegation
Zone delegation involves
delegating authority for a particular subdomain to a different zone, either on the same DNS server or on another DNS server. It is what enables you to divide a DNS server into one or more zones. New zones can be distributed and replicated on other DNS servers to meet the requirements of an organization.
In addition, zone delegation helps
distribute the load of traffic among various servers, improves DNS name resolution performance, and creates a fault tolerant environment.
Zone delegation is configured using the
DNS Manager console.
Round Robin and Recursion
Using the DNS Round Robin technique, a DNS server
rotates the DNS records for each incoming DNS request so that successive visitors are directed to different web servers. This option is enabled by default in Windows Server 2008 R2.
Although Round Robin DNS is easy to implement, it has some drawbacks:
- It does not offer any failover functionality
- It does not control the order in which connections are rotated
- Attackers may exploit the process of DNS recursion to damage a network using an amplification attack
CONFIGURE ZONES
A zone is a
contiguous portion of a domain of the DNS namespace
There are three types of zones:
primary, secondary, and stub.
The DDNS is an important part of the AD because the domain controller of the AD
registers its service location resource records, which are used to locate AD domain controllers, in DNS to enable other computers in a forest or a domain to search for these records.
Dynamic Domain Name System
(DDNS)
(DDNS) is used to
enable name resolution for computers with dynamic IP addresses (addresses that are assigned automatically through DHCP).
(SDDNS)
Secure Dynamic Domain Name System
(SDDNS) is used
only for zones that are integrated into AD, where only members of the domain can dynamically update DNS records.
Non-dynamic Domain Name System
(NDDNS)
In Windows Server 2008 R2, use a Non-dynamic Domain Name System (NDDNS) to work with existing DNS servers. In this system, database entries are
static and must be created and updated manually.
Database entries in the DDNS take precedence over
those in the NDDNS.
To configure dynamic updates, choose one of three options:
- Allow Only Secure Dynamic Updates
- Allow Both Non-Secure and Secure Dynamic Updates
- Do Not Allow Dynamic Updates
Configuring DNS Zones
A DNS namespace can be divided into zones, each of which stores name information for one or more DNS domains. Forward lookup zones resolve names into IP addresses, and reverse lookup zones resolve IP addresses into names.
Initially, a zone has a single DNS domain name. You can add subdomains as members of the same zone, or add subdomains and delegate them to a new zone created for these subdomains.
You can configure a single DNS server to manage
one or multiple zones. You can also choose to partition domains across multiple zone files, distribute management of the domain across various groups, and make data replication more efficient.
A DNS server can host three types of zones:
Primary Zone
Secondary Zone
Stub Zone
Primary Zone
A primary zone is the main source of information relating to a zone and it is hosted by the master server.
Secondary Zone
A secondary zone is a read-only copy of the data in a primary zone and it is hosted on a separate server.
Stub Zone
A stub zone contains only resource records that are necessary to identify the authoritative DNS servers for a zone. It contains NS, SOA, and glue (A or AAAA) records.
DNS Integration with AD DS
When you use AD-integrated zone storage, the zone information is saved in the AD tree under a domain or application directory partition.
Advantages of integrating AD DS and DNS include the following:
- Automatic replication for new zones
- Streamlined administration
- Faster and more efficient replication
- Multi-master data replication
- Enhanced security
In the multi-master update model of the AD DS,
any primary DNS server for an AD-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available on the network.
To secure standard or AD-integrated DNS zones, you can do the following:
- Allow only secure dynamic updates
- Configure the Discretionary Access Control List (DACL) for a zone
- Restrict zone transfers
- Ensure secure zone delegation
When clients make a request for a server using a hostname without an FQDN (\\server5 or http://intranet), it can be challenging to provide consistent name resolution, especially in a multi-domain environment. The GlobalNames Zone (GNZ) solves this problem by acting as a
fallback zone during lookup. If the name being requested is not found in the requested domain, the GNZ is checked. And since this zone can be replicated forest-wide, it can hold a consistent definition of servers that need to be available universally.
To create a GNZ:
- Create a new forward lookup zone in the DNS Manager named GlobalNames
- In an elevated command prompt, run the following command: dnscmd /config /enableglobalnamessupport 1
For protection, the Global Query Block List can be defined to
prevent dynamic update entries from being added to any zones where they should not be (specifically rogue ISATAP and WPAD servers).
The DNS can be divided into zones that use zone transfers to replicate and synchronize copies of zone data on multiple DNS servers:
• Both primary and secondary DNS servers can perform zone transfers.
During a zone transfer, the primary server responds to a request from the secondary, or destination, server by
providing all the information required for a zone transfer.
A master DNS server can be used as
a primary or secondary DNS server. If it is used as the primary DNS server for a transfer, the DNS server that hosts the primary zone directly performs the zone transfer.
If the master server is used as a secondary server, the zone transfer is
performed from a read-only secondary zone file.
A zone transfer can occur when
- The refresh interval has expired for a zone
- A notification to make changes in the zone file is sent by the primary server to a secondary server
- A secondary server queries the primary DNS server for a change in the zone
- A DNS console at a secondary server for the zone manually initiates a transfer from the primary server
A zone transfer may be either
- A full zone transfer (AXFR)
- An incremental zone transfer (IXFR)
IXFRs are faster and create less traffic than full zone transfers, and they are used as the
standard transfer type in Windows Server 2008 R2.
A full zone transfer is required, for example,
when you configure a new secondary DNS server to store a copy of the zone data on a primary server.
The transferred zone has a version number and a refresh interval specified in SOA RR properties. This is to
enable subsequent incremental transfers.
The following steps occur to complete an incremental zone transfer:
- A SOA query is sent to the primary server by the secondary server to renew the zone after the refresh interval expires.
- The primary server responds to the SOA query by sending a serial number that specifies the current state of the primary server’s zone data.
- The secondary server checks the serial number against its local serial number. If the sequence number in the response is greater than the local number then a zone transfer is required.
- The secondary server sends an IXFR or AXFR query to request a zone transfer to the primary server that has the current value of the zone.
- The primary server responds with a transfer according to the query the secondary server has sent - a full transfer, or if the zone has a history of recent changes, an incremental zone transfer.
Application Directory Partitions
DNS zones can be stored in
a domain or in application directory partitions of AD DS.
Application directory partitions store zone data and ensure that it is replicated with the required scope: for example
, to all DNS servers across a forest or to all domain controllers in a domain.
DNS-specific application directory partitions are created automatically in each domain of the forest when
a DNS service or AD is installed or upgraded on a domain controller.
The following two DNS-specific application directory partitions are created when AD is installed or upgraded on a domain controller:
- ForestDNSZones
- DomainDNSZones
The Choose Zone Replication Scope dialog box enables you to choose from one of four zone replication scopes:
- To all DNS servers in this forest
- To all DNS servers in this domain
- To all domain controllers in this domain
- To all domain controllers in the scope of this directory partition
You can create custom application directory partitions and enlist specific AD-integrated DNS servers to participate in custom replication by using the dnscmd command-line utility.
dnscmd /createdirectorypartition
dnscmd /enlistdirectorypartition
After creating a custom application directory partition, you need to change the replication scope of the DNS zones to enable them to
use the new application directory partition for replication, using dnscmd or the DNS management console.
Introducing Active Directory objects
In Active Directory, administrators create and manage security principals such as users.
The roles of a user account are as follows:
Authenticate a User Identity
Provide Access to Domain Resources
Authenticate a User Identity
You can log on to several computers in the domain by using a user account that can be authenticated by a DC. You can enhance the security of the domain by not enabling multiple users to share a single account.
Provide Access to Domain Resources
When you are authenticated by the domain, you are allowed or denied access to the domain resources based on the permissions you are granted.
In AD, computer accounts are also managed to allow trusted access by user accounts and group accounts (which are used to define more efficient access to resources), as well as Organizational Units (OUs), which look and act like folders and allow you to define the structure of AD. Use the following guidelines to design an OU delegation:
- Identify and create administrative groups to which rights need to be delegated
- Identify users or groups to which rights need to be delegated in the OU and place them in the administrative group
- Create objects that need to be controlled and place them in the OU
- In the administrative group, delegate administrative tasks to the OU
In Active Directory you can also create contact objects and create distribution groups which
cannot be assigned permissions but can be used as identity components for lookup. Creation of all these objects can be done in Active Directory Users and Computers.
Active Directory objects have Lightweight Directory Access Protocol (LDAP) standard distinguished names (DN). An example might be
“CN=John J. Anderson,OU=entAccounts,DC=easynomadtravel,DC=int” where “CN=John J. Anderson” represents the common name of the individual user account, “OU=entAccounts” represents the organizational unit in which the user is held, and “DC=easynomadtravel,DC=int” represents the DNS name of the user’s domain.
Searching for different objects can be done using the
Active Directory object search interface, the saved query interface, or the dsquery.exe command-line utility.
Active Directory user and computer objects are security principals, but they are also securables
– they have an associated ACL.
Users can be delegated permission to manage objects that reside in an OU, including other users. By default, object permissions applied at the OU level are
inherited by any hosted objects – this inheritance can be filtered, and specific permissions can also be applied to override any inherited permissions.
A deny setting always takes precedence over
an allow permission, unless an allow permission is specifically set.
The Delegation of Control Wizard is used to semi-automate the process of
delegating permissions and permission sets to users.
Automate creation of Active Directory objects
To create a new user account you can
copy another user account using the ADUC interface. Many properties, such as group membership, will be copied to the new account. A dedicated account could be created specifically as a blueprint for new user accounts.
The DS suite of command-line tools can be deployed to manage user, computer, group and OU objects –
objects can be created, deleted, moved and copied, and their associated attribute values can be modified, including the user account password.
The DS suite of command line tools
- Dsadd – create a new Active Directory object
- Dsget – returns Active Directory object attribute values
- Dsmod – modifies Active Directory object attribute values
- Dsmove – moves an Active Directory object within the directory
- Dsrm – removes an Active Directory object
- Dsquery – searches for Active Directory objects and returns a result set
The CSVDE command-line utility can be deployed to import
a comma-delimited text file – a *.csv file – of user and computer accounts and their properties – it cannot be used to modify existing objects and their properties.
CSVDE can also export
Active Directory details – the default mode.
C:\> csvde -f sk-newusers.csv
The LDIFDE utility can be used for
adding, modifying, and removing user and computer accounts (modifying and deleting is specified by importing a .ldf file with modify commands) – a *.ldf file is used to provide the object detail. LDIFDE supports importing user passwords, and operates in export mode by default.
• C:\> ldifde -f c:\myADdata\myLDIFmods.ldf
Windows PowerShell cmdlets can be used to
automate the creation of user and computer accounts:
PS C:\> New-ADUser -Name "Jack B. Yeats" -SamAccountName jbyeats
The netdom.exe command can be used to
create a domain computer account and join a computer to a domain: NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
Computers joined to a domain from System Properties without an explicit /OU path will appear in the default Computers container of AD unless
the redircmp.exe command has been used to specify an alternate container.
C:\> redircmp
In a Windows 7 / Server 2008 R2 environment, you can deploy an offline domain join using
djoin.exe
• djoin /provision /domain <domain> /machine <machine> /machineou <ou path> /savefile offblob.txt
Maintain Active Directory accounts
Active Directory user accounts can be renamed, locked/unlocked, moved, disabled and deleted
Active Directory user account passwords can be reset by
an administrator at any time, or changed by a user.
Administrators can manage these properties in the
ADUC MMC or with DS commands or PowerShell.
The Active Directory user account Accounts properties allow an administrator to limit a user in the following ways:
- allowable domain log on period for an individual user
- allowable computers to log on to
- allowable date after which an account expires
- other various defined allowable account settings (allowed log on without smart card, etc.)
An Active Directory user account has an associated list
of attributes that can be managed directly using the Users and Computers console, or using command-line utilities.
The attribute values of multiple user accounts can be altered at the
same time using the Users and Computers console (Ctrl- or Shift-clicking), dsquery piped to dsmod, or Windows PowerShell cmdlets – the list of configurable attributes is limited to certain attributes.
Users Accounts have many important security related properties on the “account” tab:
User Must Change Password at Next Logon
User Cannot Change Password
Password Never Expires
Store Passwords by Using Reversible Encryption
Account is Disabled
Smart Card is Required for Interactive Logon
User Must Change Password at Next Logon
The “User must change password at next logon” option will force a user to change the password the next time they log on to the network. You can activate this option to ensure that no one except the user knows the password.
User Cannot Change Password
The “User cannot change password” option prevents users from changing their passwords. You will need to enable this option when you want to maintain control over specific user accounts.
Password Never Expires
The “Password never expires” option prevents the expiry of user passwords. It is recommended that you do not set this option and that you enforce regular password changes for your user accounts.
Store Passwords by Using Reversible Encryption
The “Store passwords by using reversible encryption” option is necessary to support applications that require knowledge of the password of the user account for authentication purposes. This option will enable you to log on to a Windows network from a Mac-based network by using an Apple computer.
Account is Disabled
The “Account is disabled” setting prevents a user from logging on to the network.
Smart Card is Required for Interactive Logon
The “Smart card is required for interactive logon” option requires you to use a smart card to interactively log on to the network. You need to have a smart card reader attached to your computer and a valid personal identification number (PIN) for your smart card. When you enable this option, your user account password is set to a random and complex value, and the “Password never expires” account option is enabled.
Account is Sensitive and Cannot be Delegated
The “Account is sensitive and cannot be delegated” option can be used if
a guest account or temporary account should not be assigned for delegation by another account.
Active Directory security groups are deployed to
manage access to Active Directory environment resources like folders, files and printers, and to provide email group distribution.
Active Directory distribution groups are for
email only.
Both group types (AD security and distribution groups) support the three available defined scopes –
domain local, global, or universal. A group can be converted from one group type to another if needed.
For the greatest degree of flexibility to add more users to a group in any domain in the forest and to apply a group to a resource on any server in the domain, the recommended practice is to
follow the AGDLP (IGDLA) and AGUDLP (IGUDLA) methods of group nesting.
Global groups have
limited membership (can only contain users and other global groups from its parent domain). However, the Global group has unlimited visibility (can be seen, used, given permissions, and nested in domain local groups in all domains in the forest or trusting forests or domains)
The Domain Local group has
unlimited membership (can include security principals (user, computer and group) from anywhere within its forest and from an external forest where external trust exists.) However, the Domain Local group has limited visibility. (It can only be seen on servers within the parent domain, and can only be nested within other Domain local groups (and almost never is))
Universal groups are used in
multi-domain forests and can contain global groups from any domain in the forest. They have unlimited membership and unlimited visibility. The typical use of a Universal group would be to condense the same Global group from multiple domains into a single referenced entity
Universal Example :
3 domains have Global Groups called Sales. Each domain also has a Domain Local group called SalesReportReaders. Without Universal groups there would have to be 3 globals nested in each domain local. If there was a change, such as a new domain with a Sales global group in the future, all three of the domains would need to update their Domain Local group. With a Universal Group, all the Sales Globals can be nested in the Universal, and the Universal can be nested in the Domain Locals. As long as the new domain's Sales global group is also nested in the Universal, business continuity is maintained. (One note: Universal Groups are replicated within a forest in the global catalog, so changes to the content of a universal group should be minimized, i.e. avoid adding individual users; add groups.)
Group creation and attribute manipulation can be performed using command-line tools such as
DSadd, DSMod, CSVDE, LDIFDE, PowerShell (New-ADGroup, Add-ADGroupMember)
Shadow Group : The term Shadow group is simply a term for
a group that has the same membership as the contents of an organizational unit. There is no unscripted way to create a Shadow group.
Default groups and special identities are automatically created when a root domain controller is installed in a forest and during the creation of any further child or forest domains –
they are scoped mainly at the domain level, and are designed to ease the management of Active Directory and to simplify resource access.
• Anonymous logon
– a user that gains access without a user name or password. Usually associated with remote
access; in Server 2008 and 2008 R2, this user type is not a member of the Everyone special identity group
• Authenticated users
– a user that has a valid name and password, and is authenticated to work on the network
• Everyone —
on Windows 2003+ systems, all Authenticated Users and Domain Guests (note: the domain guest account is usually turned off)
• Interactive —
a user account that is connected directly to the local computer, or via a Remote Desktop connection
• Network —
a user that is currently connected to a resource on this computer and is connecting from another network computer
• Creator Owner
The user that created a particular object
• Self —
a placeholder for you the current user