Active Directory Foundations Flashcards
Schema Master
Performs updates to the AD schema.
Updates include ADPREP /FORESTPREP, Microsoft Exchange, and other applications that must modify the AD schema.
Must be online when schema updates are performed.
Generally placed on the forest root PDC.
Domain Naming Master
Responsible for naming domains.
Adds and removes domains and application partitions to and from the AD forest.
Must be online when domains and application partitions in a forest are added or removed.
Generally placed on the forest root PDC.
PDC emulator
Manages password changes for computer and user accounts on replica domain controllers.
Consulted by replica domain controllers when authentication requests they service have mismatched passwords.
Target DC for Group Policy updates.
Target DC for legacy applications that perform write operations and for some admin tools.
Must be online and accessible at all times.
Generally placed on higher-performance hardware in a reliable hub site alongside other DCs.
RID Master
Relative IDs.
SID = RID + Domain ID
Allocates active and standby RID pools to replica DCs in the same domain.
Must be online for newly-promoted DCs to obtain a local RID pool, or when existing DCs must update their current or standby RID pool allocation.
Generally placed on the forest root PDC.
Infrastructure Master
Updates cross-domain references and phantoms/tombstones from the Global Catalog.
A separate Infrastructure Master exists for each application partition, including the default forest-wide and domain-wide application partitions.
Translates a SID (a long list of numbers) into a friendly name.
Maintains cross-domain references.
Infrastructure Master Situation
In a single-domain forest, the Infrastructure Master can be placed on any DC.
In a multi-domain forest, the Infrastructure Master is generally placed on a DC that is not a Global Catalog.
The exception is when all DCs in the forest are Global Catalogs; in that case the Infrastructure Master can be placed on any DC.
Promote a Domain Controller
Install the AD DS role after DNS checks out for the domain.
Or PowerShell:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
DC Promotion Configuration
- add a domain controller to an existing domain.
- add a new domain to an existing forest.
- add new forest.
Then specify the domain information.
Tree domain
Gives you the ability to create a noncontiguous domain name.
Child domain
Contiguous naming for the domain.
Domain: company.pri
New domain in existing forest: taco.company.pri
New forest and domain configuration
Functional level: defines the set of capabilities that existed when that version of the OS was released. Certain types of activities are controlled at the forest level.
Use the highest functional level. You may have to set the level lower because of legacy applications.
Domain controller and DNS
Always install DNS before installing ADDS roles.
Directory Services Restore Mode or DSRM
A special password you set once and need only when you must perform an authoritative restore of the AD database.
Look into 3rd party tools to recover AD.
DNS Delegation
Allows us to create the appropriate delegation, so that the folder structure the SRV records require exists.
NetBIOS Domain
“Company”
The word before the .pri.
(Company.pri)
15 characters or less.
Paths to Store AD DS database, log files, and Sysvol
Consider storing these on other disk drives instead of all on the C drive, especially in production.
Remove a Domain Controller from a domain
Choose Remove Roles and Features in Server Manager. Uncheck AD DS. Demote the domain controller to remove its records from the database.
You may have to force the removal of a DC, but a clean removal is desired.
PowerShell:
Install a domain controller in a remote location with a bad network
Install from media (IFM): a snapshot of the AD database taken on an existing domain controller.
Open a command prompt:
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\users\desktop
- creates a snapshot file.
The ntds.dit file contains the AD database.
Go through the typical domain controller addition settings.
Under Additional Options, choose to install from media.
After installing from media, the new DC will be days behind production, so choose to replicate from a nearby location.
Install ADDS on server core
> powershell
> install-windowsfeature -name ad-domain-services
> install-addsdomaincontroller -domainname company.pri -credential (get-credential company\administrator)
- admin pass
- dsrm pass
Choose to configure it as a domain controller.
Upgrade a domain controller
- Get healthy and ensure AD has no errors in the logs.
- Test and verify replication.
- Extend the schema for your forest with ADPrep.
  - ADPrep extends the schema using the .ldf files shipped with the exe.
- Upgrade DCs to new OS.
- Relocate FSMO roles if necessary
- Raise domain/forest functional level in domains and trusts
ADPrep for a domain controller upgrade
/forestprep - updates forest info. Happens first.
/domainprep - happens once in each domain in that forest.
/rodcprep - updates permissions on RODCs.
/gpprep
SRV Records
Allow clients to locate the different AD services and different AD servers to locate each other.
Dynamic DNS updates
Each DC will automatically register its DNS records.
DNS registration issues
Run ipconfig /registerdns on DCs missing records. Dynamic DNS has to be enabled.
DNS not dynamic (Unix DNS)
Windows\System32\config
netlogon.dns
Send this file to the DNS admin to register the DC in DNS.
Configure a DC as a Global Catalog
Use AD Sites and Services.
Sites are a geographic grouping for DCs.
Under the DC, open the properties of NTDS Settings and check Global Catalog.
Make all DCs GCs
Global Catalog
Propagates requests down to the DCs at other sites. Requires enough bandwidth.
IAAS to get D.C. In Azure
Create a VM in Azure and install AD DS.
Azure VM deployment
Make a VPN connection to get onto the internal network, since Azure is in the cloud.
Azure App that requires connectivity to corporate
Connect the cloud DC to the internal DC with a virtual network.
It is desirable for apps to leverage the existing corporate Windows Server AD DS and provide SSO.
Users will need to access it all directly from the internet.
AD domain
The boundary of authentication for a set of users and computers and the resources they use.
Create multiple domains as a domain tree with subdomains.
Forests
Forest trusts are used to connect other forests or domains.
They allow access to resources in another domain.
It is possible to access resources in other forests from other subdomains.
Connect with trusts: you can bridge one AD to another with a trust.
AD Sites
Geographic sites that a domain extends to.
Defined by the subnets configured for each site.
AD defines the geographic constraint.
May not coincide with actual physical sites.
Changes made to AD at one site may need slower propagation to other locations; you can limit the network bandwidth used.
Site links pull all of these sites together. You may need to define what the cost of the connection will be, and throttle how much AD content streams over expensive connections.
Domain Controllers
Host Active Directory and contain the AD database. Each DC has an equal copy of the AD database, so all DCs share one view of what that database is.
Minimum 2 DCs required for redundancy.
Global Catalogs
Provides a subset of the total AD domain database. Services client authentication. A GC can be installed almost anywhere; it is applied to a DC.
Organizational Units
Designed as a mechanism for the division of user and computer accounts for the purposes of IT and IT alone.