Section 2 - Chapter 12 Flashcards
2003 Domain Functional Level Features
Hint: DDS
Domain Controller Rename - netdom
Default User And Computer Redirection
Selective authentication
lastLogonTimestamp Attribute
userPassword Attribute
Authorization Manager Policies
Constrained Delegation
2008 Domain Functional Level Features
Hint: FAD LA
Fine Grained Password Policies
Advanced Encryption Services (Kerberos)
DFS-R Replication of Sysvol
Last Interactive Logon Info
Access Based Enumeration (ABE) of Domain DFS Namespaces
Raising The Domain Functional Level
AD D&T - rc Domain, Raise Domain Functional Level
AD U&C - rc Domain, Raise the Domain Functional Level
Must be a member of Domain Admins
PDC Emulator Operations Master must be accessible
2003 Forest Functional Level Features
Hint: FDR L
Forest Trusts
Domain Rename
RODCs
Linked Value Replication
Improved KCC algorithms and scalability
Conversion of inetOrgPerson objects to user objects
Support for dynamicObject auxiliary class
Support for application basic groups and LDAP query groups
Deactivation and redefinition of attributes and object classes
2008 R2 Forest Functional Level Features
AD Recycle Bin
Raising the Forest Functional Level
AD D&T - rc Root Node, Raise Forest Functional Level
Domain Characteristics
Single Domain Partition - replicated to all DCs
Single Kerberos policy
Single DNS namespace
Moving Objects Between Domains and Forests
Inter-Forest - preserves the source domain, and clones accounts into the target domain
Non destructive, provides for rollback
Intra-forest - moves objects from the source domain to the target domain
Decommission after migration
Active Directory Migration Tool (ADMT)
Console or command line admt.exe
Can script
Can simulate to evaluate before move
sIDHistory - attribute loaded with SID in source domain
ADMT - Security translation
Security translation - replace source SID with target SID, re-mapping ACLs
Can translate: File and Folder Permissions, Printer Permissions, Share Permissions, Registry Permissions, User Rights, Local Profiles, Group Memberships
ADMT - Global Groups
Inter-forest - migrate global groups first, then users
Intra-forest - create global group as a universal group in the target, move users, then change group scope back to global
ADMT - Migration Concerns
Password Migration - passwords can be migrated, but compliance with the target policy cannot be verified; when they expire a new compliant password must be created
Service Accounts - must be updated with new service account identity - automatic
Objects that cannot be migrated - some builtin groups such as Domain Admins or Domain Local Admins
Domain Trusts Parties
The trusting domain holds the resources and extends the trust to the authentication services; it is the outgoing side of the trust
The trusted domain authenticates the users; it is the incoming side of the trust
Manual Trusts
Shortcut trusts - creates a trust between child domains to shorten the forest trust path, one way or two way, transitive
External Trusts - a trust between a domain in your forest and one not in your forest, creates a foreign security principal object for each security principal in the trusted domain, one way, non transitive
Realm Trusts - establishes a trust with a UNIX Kerberos realm, one way, non transitive, account mapping creates proxy accounts managed through AD U&C
Forest Trust - trust between the forest root domains of two forests
Trust Domain Quarantine
Trusts use SID filtering to quarantine security principals whose SIDs do not originate in the trusted domain
If users have been migrated and carry the sIDHistory attribute, SID filtering must be disabled for those SIDs to be honored
netdom trust trustingDN /domain:trustedDN /quarantine:no (or yes)