Section 4

Question 1

What is a trust

Answer 1

Allows to share resources and communicate.

For instance if you’re in one domain and want to log into a server in another one in your tree, the two domains need a trust.

Question 2

What is an initial trust that is created for domains in a forest?

What are other types of trusts?

Answer 2

Two way transitive trust
Transitive - If A trusts B and B trusts C then C and A trust each other.

One way directional trust - Domain B trusts Domain A so Domain A clients can access Domain B servers.
This is often represented by a single arrow going from Domain B to A

Shortcut trust - transitive but it’s slowed down.
Clients/servers in Japan and Australia, they are on opposite sides of the forest, so Japan will have to authenticate vi it’s parent, then with the other forest parent, and with Australia, then the opposite for Australia. What this does is cut out all the middle men and they go straight to authenticating with each other.

Realm Trust - Unix/Linux Realm (kerberos)

Forest Trust - Two companies just merged and have established their own forests setup. Our DNS and their DNS need to see each other. This can be transitive or one way.

Question 3

Set up a trust like you would if two forests merged.

Answer 3

If you’re setting this up like the scenario with the merging company forests then you would need to make sure they can see each other via DNS.

DNS > Click Domain > Conditional Forwarders > type in DNS Domain then click and add in IP. Now when you type anything in with that domain name, DNS will transfer to their server to be resolved.

Server Manager > Tools > Trusts > Right click domain > properties > trust > Trusted (ed at end of arrow head) trusted means that domain trusts me > New Trust > Next > add domain name (prepareforexamsnow.com) > next > Trust with a windows domain >

Question 4

What is Default First Site?

What is a site?

What is KCC?

Name two types of replication, what do they do?

Which server is in charge of replicating between sites?

What are the connections between sites called?

Answer 4

Default first site - First site that everything is thrown into.

Site - object in AD that represents physical geographic location. Used to help control replication amongst your DCs.
Ovals normally symbolize these.

KCC - Knowledge Consistency Checker - On DCs, communicate with each other. Ping each other and see latency to see how far they are from each other.
This creates a Ring known as Intra-Site Replication.
Every 15 mins it checks if they’re all communicating.

Intra-Site Replication - quickly replicating DCs. “I’ve got a change for you, do you need it?” Replicates every 15 seconds

When you create new sites, the KCCs replicate for the site and create a Bridge Head Server

Bridge Head Server - Replicates between sites every 180 minutes. This is known as Inter Site Replication

Inter-Site Replication - replicates every 180 mins or every 3 hours

Site Links - connections between sites

Question 5

What do you need in order to make a site link?

Why must you associate subnets with sites

Answer 5

Name - Something like Dallas-5mb-NewYork

Cost - default cost is 100, change this however you want for replication to work how you want. The Lower the better for your path.

Each site must associate it’s subnet so clients will know what site to authenticate with

Question 6

What is Site Link Bridging?

Answer 6

Site Link Bridging - on by default, All bridge head servers can communicate with each other.

You can allow these sites here to replicate, but disable bridging for slower sites. These will have their own 3 hour time limit. These can only replicate with their parent instead of it happening all at once with the rest of your Bridge Heads.

Question 7

Create 3 sites
New York
Dallas
Birmingham

Move your Domain controllers to New York

Create your site links - 5mb, 2mp, 512mb (remember this was from a card earlier)

Give the crappy links a high cost

If you don’t want replication occuring during peak business hours, what do you do?

Add a subnet to your Site

Look at your sites in DNS

Answer 7

Active Directory Sites and Services > Right Click Sites > New Site > Name it New York > Click the Defualtipsitelink (Represents connection between sites) > ok

Do this for Dallas and Birmingham

Click Servers folder > Drag a server to a site.

Click inter-Site Transports drop down list > Right click IP > new site link > Name Dallas-5mb-NewYork and then add Dallas and NewYork.

NewYork–2mbBirm add those two

Birm-512K-Dallas add those two

Right click your site and just change your cost.

Right click your site > click the schedule button

Right click the Subnet folder > new subnet > enter subnet > select site it belongs to.

DNS > find sites lol

Question 8

Manually replicate your two servers

Run tests to make sure everything is running properly on AD.

Make repairs to these

Run only one test and send it to a file

Answer 8

AD Sites and Services >under NYC-DC1 there is NTDS Settings object, kcc has generated this connection to nyc-svr1, click that > Right click the automatically generated kcc server thing and click replicate now

If you want nyc-svr1 to replicate from nyc-dc1 you would click the NYC-svr1 and right click the object in there and replicate.

To do this via CMD line:

Shows replication setting
repadmin /showrepl

Shows switches you can run
repadmin ?

Runs test on AD to see any problems
dcdiag

dcidiag /fix

dcdiag /test:whatever

dcdiag > c:\test.txt

Question 9

What is the global catalog

Answer 9

Subset of the domain partition, some of the info about the objects in the forest.

You want at least one per site.

Lots of these will cause a big replication load

Question 10

Make your server a Global Catalog server

Answer 10

Server Manager > Tools > AD Sites and Services > Expand site file > Expand Servers > Expand Server > Right click NTDS Setting > properties > Click the global catalog check box.

Question 11

What’s a good way to create your OUs for users based on?

What’s a good reason to user OUs?

Answer 11

Based on Sites you have created and you can put the users in where they belong respectively

You can also add an OU under site for users and computers

You could also do this via departments and then do users and computers within that.

Or you could combine these.

Good reasons for using OUs:

You can create GPOs for OUs. This will apply settings and what not and goes to all OUs child items/OUs

Delicate control - Admin in New York can just stay as just and Admin in New York. Admin doesn’t even technically have to be in the NY OU.

To visually separate objects. Remember objects can only belong to one OU. If you delete one, all child OUs are deleted.

Question 12

Can users belong to multiple OUs?

Answer 12

No

Question 13

Create OUs

Answer 13

Server Manager > AD Users and Computers (aduc) > right click domain > new > create OU > sales (turn off the accidental deletion box) > done

Right Click OU > New User > do the thing

OR FROM ADAC

Server Manager > tools > Active Directory Admin Center > Click your domain > click OUs, right click like you would above. This looks different but everything will look different.

Question 14

What is UPN
What is a samaccount name

Answer 14

User Principle Name - it’s like the email
jcahoe@exampleserver.com

This is the user logon name you make when you create a user

Samaccount is more of a legacy windows thing humad/Jcahoe - it can only be 20 characters in length

Question 15

How to tell if an account is disabled

Answer 15

On the user Icon, the little black arrow will be pointing downward.

When employee leaves, disable the account, don’t delete it. That way if you need something from it you can open it back up.

Question 16

Disable, reset password, Unlock account

Adjust work hours for account

Change what computers a user can access

Change remote access settings

Change RDP settings

AD partition settings

Answer 16

Right click > reset password > unlock account

Double click user to view info > click account > highlight in blue when they can log on. Once they’re logged on though they stay on, even if after hours. Group policy can be made if they need to be booted at certain hours.

Account > Log on to > All computers means all computers but not servers, you have to be an admin to logon to a server.

click the following computers if you have specific computers they can get on.

dial in <- for remote access

Environment and Sessions <- RDP

COM+ < - AD partitions

Question 17

What is a distinguished name?

Answer 17

Name of object, Name of OU, Name of domain, Name com

This is how the AD Database stores things

CN=Danny Phantom,OU=Users,OU=Finance,DC=Gamesharks,DC=com

You can find this in ADAC when creating a user. or under Attibute editor in user properties

CN = common name

Question 18

Can you add and modify users via http?

Answer 18

yes, using Active Directory web services

Question 19

How do you delete an object that won’t allow you to delete it?

Answer 19

AD Users and Computer > view > advanced features > Go to your object and right click > object > turn off protect from accidental deletion.

Question 20

Give user control over the sales OU

Show what permissions users has over OU

Answer 20

Right click OU > delegate control > next > add user name > give certain rights and permissions > finish it

View > advanced features > Right click OU > click Security > click user name > advanced > click user name again > edit > Thers A lot here.

Delegate again

Question 21

Describe group types and group scopes

Answer 21

Group Type:

Distribution group - for email - email list.

Security group - Permissions and Email

Group Scope:
Global - (can be given rights to other domains) grouping users together, normally based on departments, management level, security clearance, etc.
Can only contain users from the domain where they were created but can be give rights to other domains. (remember OUs just visually sort things, this is different)

Domain Local - (this is a group per domain) Group of permissions that you can link to multiple groups.
So far this process is known as AGDLP - > accounts get access to global group > global groups added to Domain Local groups and domain local groups are given permissions to resources.

Universal - Used with Multiple domains. If you have a global group for sales in 6 domains. There are servers in 3 of the domains that all sales need access to. This allows you to create a single Universal group that you can link all the global groups to. This group will replicate to every domain. Next Link this to the DL (Domain Local Group) per domain.

DL groups per domain, You have your GGs that go into the UG and the UG goes into the the DL and the permissions go to the DL because technically they’re local permissions.

Question 22

What is a SID

Answer 22

Group Type:

Distribution group - for email - email list.

Security group - Permissions and Email

Group Scope:
Global - (can be given rights to other domains) grouping users together, normally based on departments, management level, security clearance, etc.
Can only contain users from the domain where they were created but can be give rights to other domains. (remember OUs just visually sort things, this is different)

Domain Local - (this is a group per domain) Group of permissions that you can link to multiple groups.
So far this process is known as AGDLP - > accounts get access to group > groups belong to Domain Local groups and domain local groups are given permissions to resources.

Universal - Used with Multiple domains. If you have a global group for sales in 6 domains. There are servers in 3 of the domains that all sales need access to. This allows you to create a single Universal group that you can link all the global groups to. This group will replicate to every domain. Next Link this to the DL (Domain Local Group) per domain.

Question 23

What are some default users/groups

Where are domain local groups located (local to each server)

Create groups:
inside sales, outside sales, sales support

Create a SalesDB folder in C:\

Give some permissions to inside sales to it.

Create a DL group so you don’t create to many SIDs and call it modify sales db

Remember you can do this all in sharing a folder as well.

Answer 23

Enterprise Admin <- most powerful. Anything you want in entire forest. Can’t do schema admin, but can add itself so it can.

Domain Admin <- Rights over this domain.

DNS Admin

Enterprise Key Admin <- access to key objects, forest objects. You can see this is universal.

Schema Admins

The Builtin folder

Tools > ADUC > Right click users > new > group >
Group Type - security
Group scope - Global
Group name - Inside sales

In file explorer create Sales DB folder > properties > security > edit > add > Inside Sales > check boxes to what you want. If we did this a bunch that would create bunch of SIDs.

Right click users > new > add group > Modify-Sales-DB and select Domain local radio button.

Add user to one of your sales groups.

Right click modify-sales-db > members > add outside sales

Back at the sales folder add the Modify-Sales-DB group.

Question 24

Show groups not listed in AD on a folder, what are these called?

Describe a few groups found here

Answer 24

Right click folder > properties > security > edit >add > advanced > find now > see groups

These are called special groups, and people are already a part of these based on their descriptions.

Authenticated User - all users authenticated in domain. Peeps are already in this.

Interactive group - People logged on locally

Network - Everyone on network

Everyone - Authenticate or not. Even anonymous.

Question 25

How are universal groups replicated

Answer 25

Universal Groups get replicated through Global Catalog’s only

Question 26

Describe how a user that’s in a Universal Group would authenticate with a DC that wasn’t a Global Catalog server

How could this cause problems?

What solution could you provide?

Answer 26

Contains the Universal Group List

User authenticates via Kerberos that builds a token so you can access everything in domain, but it will need universal groups. The DC will have to send a message checking with the Global Catalog for it and it will respond with the Universal Group List. DC can now build correct token.

Two sites in the Domain that are a decent distance away from each other. The Global Catalog being in one and the client being in the other.

Promote a server Near the client to Global Catalog. But if the company doesn’t want the extra replication we can Enable Universal Group Membership Caching (UGMC) Enabled on a per site basis. This means every 8 hours your DC will cache the Universal Group List.

Question 27

Turn on UGMC on a DC

Answer 27

Universal Group Membership Caching allows the Universal Group List to be cached every 8 hours on your DC.

Server Manager > AD Sites and Services > Click Site > Right Click NTDS Site Settings > Enable Universal Group MEmbership Caching (check the box) > Drop down box:
Default - closest Global Catalog Server
or
Just select the server you want.

Question 28

Via Powershell:

Create an OU named Research in the root of AD (directly found when you click the domain name)

What would you change with your path if you wanted to add it to the IT OU that you made in your domain?

Search for all uers and then Jsmith

Add a new user name bill johnson with a correct UPN a legacy windows server name, place him in the “research” OU, have it prompt you to enter a password and not show it, then enable the user.

Answer 28

You can just type ISE in normal powershell to get there btw

New-ADOrganizationalUnit -Name “Research” -Path “DC=examlabpractice,DC=com”

“OU-IT,DC=examlabpractic,DC=com”

Get-ADUser -Filter *
Get-ADUser -Filter Jsmith

New-ADUser -Name “Bill Johnson” -GivenName “Bill” -Surname “Johnson” -SamAccountName “BillJohnson” -UserPrincipalName “billjohnoson@examlabpractice.com” -Path “OU=Research,DC=examlabpractice,DC=com” -AccountPassword(Read-Host -ASSecureString “Input Password: “) -Enabled $true

Question 29

Create an group via powershell named ResearchandDev, Put it in the security group category and the Global group scope, the display name should be Reaserch and Development add to the research OU, then give a description

Try adding a member on your own.

Answer 29

New-ADGroup -Name “ResearchandDev” -SamAccountName “ResearchandDev” -GroupCategory Security -GroupScope “Global” -DisplayName “Research and Development” -Path “OU=Research,DC=examlabpractice,DC=com” -Description “This is the R and D group”

Question 30

Show the account a service is running under

You have a group of services for some sql databases that are communicating with each other. These will need to run under a single account. If you add a user and password for the service you’ll have to make it where it doesn’t change, but that could be bad if we have a disgruntled SQL admin. Make it to where AD is the only one that knows the password and will periodically be reset.

Answer 30

Services normally run under an account.

Double click service > Log on

Create a group managed service account
You’ll need a KDS root key (key distribution service - for Kerberos to grant to this account to reset it’s password and will delegate to computers to interact with account. It takes 10 hours for root key to take affect, make it to where it will take affect immediately on this server and replicate to others. - don’t do this in the real world just use -effectiveimmediately
POWERSHELL:
add-kdsrootkey -effectivetime ((Get_date).AddHours(-10))

In a production environment:
add-kdsrootkey -effectiveimmediately

New-ADServiceAccount -Name TestgMSA -DNSHostName testgmsa.examlabpractice.com -principalsallowedtodelegatetoaccount SQLServers
(you can use “Domain computers” instead of a created group named SQLServers that you store your SQL servers in for your lab. I believe this just puts them in the SQL group, or whatever you want)

This next step can be done if you’re on a member server without AD. This should add the account to the server.

Start > computer MGMT > service > double click service, add the account and leave the password blank.

add-windowsfeature rsat-ad-powershell
(remote server admin tools which include AD commands)
import-Module activedirectory
(this would install the commands)
install-adservice account -identity testgmsa

Question 31

Name three ways you can implement Azure DCs or Azure Just use Azure for your entire environment.

Answer 31

Host a DC from the cloud, Connect your premise via vpn gateway to Azure and have that DC be part of your on premise or use ExpressRoute to connect to Azure Directly. Or you can just host AD via cloud, this is known as AzureADDs

Question 32

Run AzureADDs

Answer 32

Portal.azure.com
All services
Search Azure Active directory domain services
Click Azure AD Domain Services
Create AD Domain service (blue button)
Create Resource Group
Give a good domain name you want
SKU - Standard (you can click a box for help with the pricing)

Forest Type - user (resource would be if you were going to create a trust relationship with a forest that was hosting the users instead)
NEXT
Make sure the subnet is unique and you aren’t using it on premise
NEXT
This is for users that will have admin privildges
NEXT
scoped - only syncs certain groups. - This connect Azure ADDS to Azure AD
NEXT
NEXT
NEXT
This can take over an hour

Hamburger Menu > resource Groups > AzureADDSRG > look at the resources > click on your examlabpractice.local

Question 33

Assign a virtual server to your Azure domain

Answer 33

Menu - Overview > AzureADDSRG > click “create” > choose windows server 2019 > Virtual MAchine name “ServerAADDSDemo”
username = elpadmin
NEXT
NEXT
assigned to the correct vnet and subnet
NEXT
Review and Create

Resource groups > AzureADDSRG > you’ll see AADDS-nsg which is a network security group object attached to subnet (this is packet filtering and controls traffic we’ll need RDP inbound) click it > Inbound security rule > Add >
Source Any (anywhere on internet)
Source port ranges * (any port)
Give name AllowRDP
Add

This would be better to do via VPN but whatever. Go to resource group AZUERADDSRG > you should see our machine pop up soon.
Click it
Connect
RDP
download RDP file, click it and we’re good to go.

Resources > click domain > click fix for the DNS issues

Go back in server > add it to the domain > Put in your Global Admin creds for you Azure AD environment (this won’t work because by default AzureAADDS does not have the ability to sync in password hashes from your AzureAD)

Do a password reset, and any users trying to do this will also need to do a password reset.

Click you profile on Azuer > password > reset password

For user password resets you will need self service password enabled on your tenent.

Portal.azure.com > menu > Azure Active Directory > password reset > select ALL

The domain will lock you out for 30 mins if you try to put pass in too many times.

Reboot, log back on > start > settings > search remote > select users that can remotely access the pc > put in your user.

Signout and sign back in > more choices jc@examlabpractice.com