Section 4 Flashcards
What is a trust?
Allows domains to share resources and communicate.
For instance, if you're in one domain and want to log into a server in another domain in your tree, the two domains need a trust.
What is an initial trust that is created for domains in a forest?
What are other types of trusts?
Two-way transitive trust
Transitive - If A trusts B and B trusts C, then A and C trust each other.
One-way directional trust - Domain B trusts Domain A, so Domain A clients can access Domain B servers.
This is often represented by a single arrow going from Domain B to A.
Shortcut trust - for when transitive authentication is slowed down by the path through the forest.
If clients/servers in Japan and Australia are on opposite sides of the forest, Japan has to authenticate via its parent, then via the other side's parent, and then with Australia, and the reverse for Australia. A shortcut trust cuts out all the middlemen so they go straight to authenticating with each other.
Realm Trust - Unix/Linux realm (Kerberos)
Forest Trust - Two companies just merged and each has its own forest set up. Our DNS and their DNS need to see each other. This can be transitive or one-way.
Set up a trust like you would if two forests merged.
If you're setting this up like the scenario with the merging company forests, you need to make sure they can see each other via DNS.
DNS > click the domain > Conditional Forwarders > type in the DNS domain, then click and add the IP. Now when you type anything in with that domain name, DNS forwards it to their server to be resolved.
Server Manager > Tools > Trusts > right-click domain > Properties > Trust > Trusted ("ed" at the end of the arrow head; trusted means that domain trusts me) > New Trust > Next > add domain name (prepareforexamsnow.com) > Next > Trust with a Windows domain >
What is Default First Site?
What is a site?
What is KCC?
Name two types of replication. What do they do?
Which server is in charge of replicating between sites?
What are the connections between sites called?
Default first site - The first site that everything is thrown into.
Site - An object in AD that represents a physical geographic location. Used to help control replication among your DCs.
Ovals normally symbolize these.
KCC - Knowledge Consistency Checker - Runs on DCs, which communicate with each other. They ping each other and measure latency to see how far apart they are.
This creates a ring known as Intra-Site Replication.
Every 15 mins it checks that they're all communicating.
Intra-Site Replication - Quick replication between DCs. "I've got a change for you, do you need it?" Replicates every 15 seconds.
When you create new sites, the KCCs replicate for the site and create a Bridgehead Server.
Bridgehead Server - Replicates between sites every 180 minutes. This is known as Inter-Site Replication.
Inter-Site Replication - Replicates every 180 mins, i.e. every 3 hours.
Site Links - connections between sites
What do you need in order to make a site link?
Why must you associate subnets with sites?
Name - Something like Dallas-5mb-NewYork
Cost - The default cost is 100; change this however you want so replication works the way you want. The lower the cost, the better the path.
Each site must have its subnet associated with it so clients know which site to authenticate with.
What is Site Link Bridging?
Site Link Bridging - On by default; all bridgehead servers can communicate with each other.
You can allow these sites to replicate but disable bridging for slower sites. These will have their own 3-hour time limit. They can only replicate with their parent instead of it happening all at once with the rest of your bridgeheads.
Create 3 sites
New York
Dallas
Birmingham
Move your Domain controllers to New York
Create your site links - 5mb, 2mb, 512mb (remember this was from a card earlier)
Give the crappy links a high cost
If you don't want replication occurring during peak business hours, what do you do?
Add a subnet to your Site
Look at your sites in DNS
Active Directory Sites and Services > right-click Sites > New Site > name it New York > click DEFAULTIPSITELINK (represents the connection between sites) > OK
Do this for Dallas and Birmingham.
Click the Servers folder > drag a server to a site.
Click the Inter-Site Transports drop-down list > right-click IP > New Site Link > name it Dallas-5mb-NewYork and then add Dallas and NewYork.
NewYork-2mb-Birm: add those two
Birm-512K-Dallas: add those two
Right-click your site and just change the cost.
Right-click your site > click the Schedule button.
Right-click the Subnets folder > New Subnet > enter the subnet > select the site it belongs to.
DNS > find the sites lol
Manually replicate your two servers
Run tests to make sure everything is running properly on AD.
Make repairs to these
Run only one test and send it to a file.
AD Sites and Services > under NYC-DC1 there is an NTDS Settings object; the KCC has generated this connection to nyc-svr1. Click that > right-click the automatically generated KCC connection object and click Replicate Now.
If you want nyc-svr1 to replicate from nyc-dc1, click NYC-svr1, right-click the object in there and replicate.
To do this via the command line:
Shows replication settings:
repadmin /showrepl
Shows the switches you can run:
repadmin /?
Runs tests on AD to see any problems:
dcdiag
dcdiag /fix
dcdiag /test:whatever
dcdiag > c:\test.txt
What is the global catalog?
A subset of the domain partition: some of the info about the objects in the forest.
You want at least one per site.
Lots of these will cause a big replication load.
Make your server a Global Catalog server.
Server Manager > Tools > AD Sites and Services > expand the site > expand Servers > expand the server > right-click NTDS Settings > Properties > check the Global Catalog box.
What's a good thing to base your OUs for users on?
What's a good reason to use OUs?
Based on the sites you have created; you can put the users where they respectively belong.
You can also add an OU under each site for users and computers.
You could also do this by department and then do users and computers within that.
Or you could combine these.
Good reasons for using OUs:
You can create GPOs for OUs. This applies settings and what not to all of the OU's child items/OUs.
Delegated control - An admin in New York can stay just an admin in New York. The admin doesn't even technically have to be in the NY OU.
To visually separate objects. Remember objects can only belong to one OU. If you delete an OU, all child OUs are deleted.
Can users belong to multiple OUs?
No
Create OUs
Server Manager > AD Users and Computers (ADUC) > right-click domain > New > create OU > Sales (turn off the accidental deletion box) > done
Right-click OU > New > User > fill in the details
OR FROM ADAC
Server Manager > Tools > Active Directory Administrative Center > click your domain > click OUs, right-click like you would above. This looks different, but everything will look different.
What is a UPN?
What is a sAMAccountName?
User Principal Name - it's like the email address.
jcahoe@exampleserver.com
This is the user logon name you make when you create a user.
sAMAccountName is more of a legacy Windows thing: humad\Jcahoe. It can only be 20 characters in length.
How do you tell if an account is disabled?
On the user icon, a little black arrow will be pointing downward.
When an employee leaves, disable the account; don't delete it. That way, if you need something from it, you can open it back up.
Disable, reset password, Unlock account
Adjust work hours for account
Change what computers a user can access
Change remote access settings
Change RDP settings
AD partition settings
Right-click > Reset Password > Unlock account
Double-click the user to view info > click Account > highlight in blue the hours when they can log on. Once they're logged on, though, they stay on, even after hours. A group policy can be made if they need to be booted at certain hours.
Account > Log On To > All computers means all computers but not servers; you have to be an admin to log on to a server.
Click "The following computers" if there are specific computers they can get on.
Dial-in <- for remote access
Environment and Sessions <- RDP
COM+ <- AD partitions
What is a distinguished name?
Name of object, name of OU, name of domain, name of com
This is how the AD database stores things.
CN=Danny Phantom,OU=Users,OU=Finance,DC=Gamesharks,DC=com
You can find this in ADAC when creating a user, or under Attribute Editor in user properties.
CN = common name
Can you add and modify users via HTTP?
Yes, using Active Directory Web Services.
How do you delete an object that won't allow you to delete it?
AD Users and Computers > View > Advanced Features > go to your object and right-click > Object > turn off Protect from accidental deletion.
Give a user control over the Sales OU
Show what permissions a user has over an OU
Right-click OU > Delegate Control > Next > add the user name > give certain rights and permissions > Finish
View > Advanced Features > right-click OU > click Security > click the user name > Advanced > click the user name again > Edit > there's a lot here.
Delegate again
Describe group types and group scopes
Group Type:
Distribution group - For email (an email list).
Security group - Permissions and email.
Group Scope:
Global - (can be given rights to other domains) Groups users together, normally based on department, management level, security clearance, etc.
Can only contain users from the domain where it was created, but can be given rights in other domains. (Remember OUs just visually sort things; this is different.)
Domain Local - (one group per domain) A group of permissions that you can link multiple groups to.
So far this process is known as AGDLP -> accounts get added to global groups > global groups are added to Domain Local groups > domain local groups are given permissions to resources.
Universal - Used with multiple domains. If you have a global group for sales in 6 domains and there are servers in 3 of the domains that all sales users need access to, this allows you to create a single Universal group that you link all the global groups to. This group replicates to every domain. Next, link this to the DL (Domain Local) group in each domain.
DL groups are per domain. You have your GGs that go into the UG, the UG goes into the DL, and the permissions go to the DL because technically they're local permissions.
What is a SID?
What are some default users/groups?
Where are domain local groups located (local to each server)?
Create groups:
inside sales, outside sales, sales support
Create a SalesDB folder in C:\
Give some permissions to inside sales to it.
Create a DL group so you don't create too many SIDs, and call it Modify Sales DB.
Remember you can do all of this in sharing a folder as well.
Enterprise Admin <- Most powerful. Anything you want in the entire forest. Can't do schema admin, but can add itself so it can.
Domain Admin <- Rights over this domain.
DNS Admin
Enterprise Key Admin <- Access to key objects, forest objects. You can see this is universal.
Schema Admins
The Builtin folder
Tools > ADUC > right-click Users > New > Group >
Group Type - Security
Group Scope - Global
Group Name - Inside Sales
In File Explorer create the Sales DB folder > Properties > Security > Edit > Add > Inside Sales > check the boxes for what you want. If we did this a bunch of times, that would create a bunch of SIDs.
Right-click Users > New > Group > Modify-Sales-DB and select the Domain local radio button.
Add a user to one of your sales groups.
Right-click Modify-Sales-DB > Members > add Outside Sales
Back at the Sales folder, add the Modify-Sales-DB group.
Show groups not listed in AD on a folder. What are these called?
Describe a few groups found here.
Right-click folder > Properties > Security > Edit > Add > Advanced > Find Now > see the groups
These are called special groups, and people are already a part of these based on their descriptions.
Authenticated Users - All users authenticated in the domain. Peeps are already in this.
Interactive group - People logged on locally.
Network - Everyone on the network.
Everyone - Authenticated or not. Even anonymous.