Section 6 and further Flashcards

1
Q

Connecting on-prem AD DS to Azure AD: domain prerequisites

A

You need a public domain name that you own (registered, and not already verified in another tenant), and its public DNS zone must be reachable from the internet so that Microsoft can verify ownership (via a TXT record) and so the Microsoft 365 records (MX, CNAME, TXT) can be published.

2
Q

Seamless SSO (Azure AD Seamless Single Sign-On)

A

Users who sign in to the on-prem domain from a domain-joined device on the corporate network are also signed in to Azure AD automatically, so they are not prompted again for Microsoft 365 (enabled under the Azure AD Connect sign-in options).

3
Q

Create a new DNS zone for the custom domain

Add it as a UPN suffix for your forest

Verify on a user account that the new suffix is available

A

DNS Manager > Forward Lookup Zones > New Zone > Primary zone > zone name = abccorp.com > Finish

Tools > Active Directory Domains and Trusts > right-click the root node "Active Directory Domains and Trusts" > Properties > UPN Suffixes tab > add abccorp.com > OK

Active Directory Users and Computers > right-click your user > Properties > Account tab > the "User logon name" suffix drop-down now lists @abccorp.com. Give users a UPN suffix that matches a domain verified in Microsoft 365; accounts left on a non-routable suffix such as .local are synced with an @tenant.onmicrosoft.com UPN instead.
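The same three steps as a script, added here as an example (it is not from the flashcards). It assumes the DnsServer and ActiveDirectory RSAT modules are present (run it on a DC), and that abccorp.com, the OU path OU=IT,DC=corp,DC=local and the user bjones are sample values:

```powershell
# Added example: scripted equivalent of the DNS Manager / AD Domains and Trusts / ADUC steps.
# Assumptions: run on a DC with RSAT; abccorp.com, the OU and bjones are sample values.
Import-Module DnsServer, ActiveDirectory

$Suffix = 'abccorp.com'

# 1. Forward lookup zone, AD-integrated and replicated to every DC in the domain.
if (-not (Get-DnsServerZone -Name $Suffix -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Suffix -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 2. Register the suffix at the forest level (what the "UPN Suffixes" tab does).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
}

# 3. Move users in the pilot OU off the non-routable suffix (e.g. corp.local).
#    Azure AD Connect would otherwise sync them with an @tenant.onmicrosoft.com UPN.
$ouPath = 'OU=IT,DC=corp,DC=local'   # sample OU
Get-ADUser -SearchBase $ouPath -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and $_.UserPrincipalName -notlike "*@$Suffix" } |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $Suffix
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn
        '{0} -> {1}' -f $_.UserPrincipalName, $newUpn
    }

# 4. Check: this is the value the ADUC Account tab shows for the user.
Get-ADUser -Identity 'bjones' -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName
```

Run it with -WhatIf on Set-ADUser first if the OU contains more than pilot accounts; a UPN change on-prem is what Azure AD Connect will later push to the cloud.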

4
Q

Add and verify your domain in the Microsoft 365 admin center

A

admin.microsoft.com > Show all > Settings > Domains > Add domain > Domain name = abccorp.com > verify ownership by creating a TXT record with the value the wizard shows

From the local DNS server (only useful if that server is authoritative for the public zone):
DNS Manager > right-click abccorp.com > Other New Records > Text (TXT) > Create Record > leave the record name blank (zone apex) and put the verification value in the Text field, e.g. MS=ms3298638 (the value is unique to your tenant).

The record must be resolvable from the internet; a TXT record in an internal-only zone will never satisfy the verification.
TXT record - generic text record, used here to prove ownership
MX record - mail exchange record, routes mail for the domain to Exchange Online
GoDaddy (and some other registrars) - sign in with the registrar credentials from the admin center and Microsoft adds the records for you.

5
Q

Make your domain the default domain in Microsoft 365

A

admin.microsoft.com (the Microsoft 365 admin center)

Show all > Settings > Domains > click the domain > Set as default

Now, under Users > Active users > Add a user, the new domain is preselected for the username (UPN).

6
Q

If users were created before the custom domain was verified (so they still have @tenant.onmicrosoft.com UPNs)

Fix it in the Microsoft 365 admin center and via PowerShell

A

admin.microsoft.com

Users > Active users > click the user > Manage username and email > pick the verified domain from the drop-down for the UPN > if the user has an Exchange Online licence, the primary email address is updated as well

Licenses and apps > assign whatever the user needs, e.g. Office 365 E5

Connect-MsolService <- connect to Microsoft 365 (MSOnline module; deprecated in favour of the Microsoft Graph PowerShell SDK)

Set-MsolUserPrincipalName -UserPrincipalName bobjones@examlaprcactice0920.onmicrosoft.com -NewUserPrincipalName bobjones@examlabpractice.com

Get-MsolUser

You'll need to refresh the admin center to see the change.
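Because the MSOnline module is deprecated, here is the Microsoft Graph PowerShell equivalent of the rename-and-license task, added as an example (not from the flashcards). It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed, that examlabpractice0920.onmicrosoft.com, the UPNs and the usage location are sample values, and that ENTERPRISEPREMIUM is the SkuPartNumber you want (check it with Get-MgSubscribedSku):

```powershell
# Added example: Graph PowerShell equivalent of Set-MsolUserPrincipalName + licensing.
# Assumptions: tenant, UPNs, SKU name and usage location are sample values.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$OldUpn  = 'bobjones@examlabpractice0920.onmicrosoft.com'   # sample tenant
$NewUpn  = 'bobjones@examlabpractice.com'                   # verified custom domain
$SkuPart = 'ENTERPRISEPREMIUM'                              # Office 365 E5; confirm with Get-MgSubscribedSku

$user = Get-MgUser -UserId $OldUpn -Property Id, UserPrincipalName, OnPremisesSyncEnabled, UsageLocation

# Caveat: a directory-synced user's UPN is owned by on-prem AD. Change it there
# (Set-ADUser -UserPrincipalName) and let Azure AD Connect sync it; a cloud-side
# edit is either rejected or overwritten by the next sync.
if ($user.OnPremisesSyncEnabled) {
    throw "$OldUpn is synced from on-prem AD; change the UPN in AD DS, not in the cloud."
}

# 1. Rename the UPN (the "Manage username" action in the admin center).
Update-MgUser -UserId $user.Id -UserPrincipalName $NewUpn

# 2. A licence cannot be assigned until the user has a usage location.
if (-not $user.UsageLocation) { Update-MgUser -UserId $user.Id -UsageLocation 'US' }
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPart
if (-not $sku) { throw "SKU $SkuPart is not present in this tenant" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 3. Verify; the admin center needs a refresh to show the same thing.
Get-MgUser -UserId $NewUpn -Property UserPrincipalName, AssignedLicenses |
    Select-Object UserPrincipalName, @{ n = 'LicenceSkuIds'; e = { $_.AssignedLicenses.SkuId } }
```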

7
Q

Look up which DNS records you need to connect the domain to Microsoft 365

A

Look up "External Domain Name System records for Office 365" (Microsoft's reference list); the admin center also lists the exact records under Settings > Domains > click the domain > DNS records (MX, CNAME for Autodiscover, TXT for SPF, plus any Teams/Intune records you enable).

DNS > right click examlabpractice.com >
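The following script is an added example (not from the flashcards) that ties cards 4 and 7 together: it publishes the ownership TXT record on a Windows DNS server that is authoritative for the public zone, then checks the records Microsoft 365 asks for against a public resolver rather than your internal DNS. It assumes abccorp.com and MS=ms3298638 are sample values; the expected targets are the standard Exchange Online/Autodiscover/SPF ones and the checks only pass once the public zone carries them:

```powershell
# Added example: publish the verification TXT record and check the Microsoft 365 record set
# from an outside resolver. Assumptions: zone, verification value and resolver are samples.
Import-Module DnsServer

$Zone     = 'abccorp.com'
$Verify   = 'MS=ms3298638'   # value shown by admin.microsoft.com for this tenant (sample)
$Resolver = '8.8.8.8'        # any public resolver; deliberately NOT your internal DNS

# Verification record at the zone apex ("@"), as in the "Other New Records > TXT" step.
Add-DnsServerResourceRecord -ZoneName $Zone -Name '@' -Txt -DescriptiveText $Verify -ErrorAction Stop

function Test-M365DnsRecord {
    param([string]$Name, [string]$Type, [string]$Contains)
    try {
        $answers = Resolve-DnsName -Name $Name -Type $Type -Server $Resolver -DnsOnly -ErrorAction Stop
    } catch { return $false }                 # NXDOMAIN / timeout = record missing
    $values = switch ($Type) {
        'MX'    { $answers | Where-Object QueryType -eq 'MX'    | ForEach-Object NameExchange }
        'CNAME' { $answers | Where-Object QueryType -eq 'CNAME' | ForEach-Object NameHost }
        'TXT'   { $answers | Where-Object QueryType -eq 'TXT'   | ForEach-Object { $_.Strings -join '' } }
    }
    [bool]($values | Where-Object { $_ -like "*$Contains*" })
}

# What the admin center asks for once the domain is verified (standard M365 targets).
$checks = @(
    @{ Name = $Zone;                Type = 'TXT';   Contains = $Verify },
    @{ Name = $Zone;                Type = 'MX';    Contains = 'mail.protection.outlook.com' },
    @{ Name = "autodiscover.$Zone"; Type = 'CNAME'; Contains = 'autodiscover.outlook.com' },
    @{ Name = $Zone;                Type = 'TXT';   Contains = 'include:spf.protection.outlook.com' }
)
foreach ($c in $checks) {
    $ok = Test-M365DnsRecord @c
    '{0,-5} {1,-28} {2}' -f $c.Type, $c.Name, $(if ($ok) { 'OK' } else { 'MISSING' })
}
```

If the TXT check passes internally but fails here, the zone you edited is not the one the internet sees, which is the most common reason domain verification hangs.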

8
Q

What are the two options for authentication with the hybrid identity model?

A

Managed authentication - Azure AD handles the authentication itself, either by validating the password against a synced hash stored in Azure AD (password hash synchronization) or by handing the credentials to an on-premises software agent that validates them against AD DS (pass-through authentication).
(With password hash sync, Azure AD holds a salted, re-hashed derivative of the on-prem NT hash, not the cleartext password and not the raw NT hash, so it can validate sign-ins without contacting the domain.)

Federated authentication - Azure AD redirects the client requesting authentication to another identity provider, which is the one that issues the token.
(That identity provider can be an on-premises AD FS farm that validates against AD DS, or a third party; Azure AD trusts the token it returns.)

9
Q

What are the two types of managed authentication?

A

Password hash synchronization (PHS)
- Azure AD performs the authentication itself against the synced hash.
(Recommended.) Sign-in to cloud services keeps working even if the on-prem domain, or the link to it, is down.

Pass-through authentication (PTA)
- Azure AD hands the credentials to on-prem agents so that AD DS performs the authentication; Azure AD never stores the password or a hash of it.
If the agents or the on-prem domain are unreachable, users authenticating via the cloud cannot sign in. (Microsoft recommends also enabling PHS so you can switch the tenant to PHS as a fallback.)

10
Q

What is PHS

A

Password Hash Synchronization

You sync your AD DS user accounts with Microsoft 365 and manage your users on-premises. Hashes of user password hashes are synced from AD DS to Azure AD so that users have the same password on-premises and in the cloud. This is the simplest way to enable authentication for AD DS identities in Azure AD.

11
Q

What is PTA

A

Pass-through authentication

This provides simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate users against AD DS. You sync AD DS user accounts with Microsoft 365 and manage users on-premises.
The agent is installed on a domain-joined computer and makes only outbound connections to Azure AD; it receives the credentials to validate over that connection and returns the result.

12
Q

What is federated authentication

A

Typically used by large organizations.

Authentication is delegated to a federation service (AD FS or a third-party identity provider).

AD DS identities are synced with Microsoft 365 and user accounts are managed on-premises.

Users have the same password on-premises and in the cloud, and from a domain-joined device they do not have to sign in again to use Microsoft 365.

Supports smart card-based authentication or third-party multi-factor authentication and is typically required when organizations have authentication requirements not natively supported by Azure AD.

If Azure AD (or the client) cannot reach your federation service, nobody can sign in to cloud services; the federation farm and its proxies become part of both your availability story and your attack surface.

13
Q

What to do before syncing to the cloud

A

IdFix - clean up objects and attributes that Azure AD would reject (invalid characters, duplicates, malformed UPNs)

Azure AD Connect Health - monitor the health of the sync servers and the identity infrastructure

Review recent errors (the notes say look back 100 days)

Remove objects that are not needed so they are never synced
service accounts, stale groups, etc.

Plan sync failover and disaster recovery (a second server in staging mode, see below)

14
Q

If the Azure AD Connect sync server goes offline, what happens and what is the solution?

A

Only one Azure AD Connect server per tenant can actively export to Azure AD.

Changes made on-premises are no longer written to the cloud (including password hash changes), which can cause access issues for users.

Deploy a second Azure AD Connect server in staging mode. It imports and synchronizes but does not export, so it sits passive with an up-to-date copy of the data; an admin promotes it by turning staging mode off (and, if the old server comes back, puts that one into staging mode so two servers never export at once).
OR
Use virtualization - if Azure AD Connect is deployed in a VM, admins can leverage their virtualization stack to live-migrate or quickly redeploy the VM and resume sync.

15
Q

Where can you enable staging mode?

A

On the last page of the Microsoft Azure Active Directory Connect wizard (Configure), tick "Enable staging mode". On an existing installation, re-run the wizard and choose Configure staging mode under Additional tasks.

16
Q

What is a source anchor?

VIDEO 55

A

An attribute that both the on-premises object and the Azure AD object carry; in Azure AD it is stored as ImmutableId (OnPremisesImmutableId in Graph).

It links an object in Azure AD to its object on-premises. The account on-premises and the account in Azure AD are technically different objects; the source anchor is what ties them together so they behave as one identity, and it must never change for the lifetime of the object.

Using mS-DS-ConsistencyGuid as the source anchor (the default for new installs; Azure AD Connect populates it from objectGUID) allows easier migration of objects across forests and domains, which is common in AD domain consolidation/cleanup, mergers, acquisitions, and divestitures.
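As an added example of what the anchor actually is (not from the flashcards): when the anchor is objectGUID or mS-DS-ConsistencyGuid, the value Azure AD stores is the Base64 encoding of the GUID's 16 bytes. The conversion below uses a constructed GUID and round-trips it; the commented AD/Graph lookups assume a DC, a Graph session, and the sample user bjones:

```powershell
# Added example: source anchor (objectGUID / mS-DS-ConsistencyGuid) <-> ImmutableId mapping.
# Assumptions: the GUID is constructed; the AD and Graph lookups are sample commands.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD stores the raw 16 bytes of the GUID, Base64-encoded.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

# Constructed sample GUID: the round-trip proves the mapping is lossless.
$guid = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$id   = ConvertTo-ImmutableId $guid
if ((ConvertFrom-ImmutableId $id) -ne $guid) { throw 'round-trip failed' }
"$guid -> $id"

# Real check (DC + connected Graph session). The two values must be equal; if they
# are not, the objects are not linked and a sync would create a duplicate cloud user.
# $ad = Get-ADUser bjones -Properties objectGUID, 'mS-DS-ConsistencyGuid'
# $mg = Get-MgUser -UserId bjones@abccorp.com -Property OnPremisesImmutableId
# (ConvertTo-ImmutableId $ad.objectGUID) -eq $mg.OnPremisesImmutableId
```

Note that when mS-DS-ConsistencyGuid is the anchor, the attribute is only written once; restoring or re-creating a user with a new objectGUID does not change the anchor, which is exactly why it survives cross-forest moves.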

17
Q

What is Seamless SSO?

A

It eliminates unnecessary sign-in prompts: users on domain-joined devices on the corporate network who already hold a Kerberos ticket from AD DS are signed in to Azure AD without typing their password again.

18
Q

Create a group for the users who get synced first (pilot)

A

Server Manager > Tools > Active Directory Users and Computers > right-click the IT OU > New > Group > name it Cloud Admins > add members to it (the administrator account and whoever else should be in the pilot). In practice keep built-in Domain Admin accounts out of the sync scope and use separate cloud-only accounts for Azure AD admin roles; a synced privileged account is a high-value target in both directories.

19
Q

Describe how password hash sync works

A

A server running AD DS > Azure AD Connect installed on a server (it can be, and usually is, a separate member server) > Azure AD Connect reads each user's password hash from AD DS, re-hashes it (per-user salt plus PBKDF2-HMAC-SHA256) and sends the result to Azure AD over an outbound HTTPS connection > users authenticate directly with Azure AD and get access to Microsoft 365.

Because Azure AD holds the hash, Azure AD Identity Protection can compare it against leaked credential dumps; leaked-credential detection requires PHS.

20
Q

How does pass-through Authentication work?

A

On-prem AD DS > Azure AD Connect server (installs the first PTA agent) > additional PTA agents (the notes say two, on different servers; Microsoft recommends at least three for high availability; they can run on any domain-joined Windows server, such as a file server) >

The authentication agents hold persistent outbound connections to Azure AD and wait for sign-in requests. Nothing connects inbound, so no inbound ports are opened and no DMZ is needed. When a user signs in to Azure AD, the encrypted credentials are pushed down to an agent, which validates them against a domain controller and returns the result.

21
Q

How does Federated Authentication work?

A

On-prem AD DS > Azure AD Connect > at least two AD FS (Active Directory Federation Services) servers in a farm > tell Azure AD Connect about the farm so it sets up the federation trust > AD FS must not be exposed directly to the internet, so put two Web Application Proxy (federation proxy) servers in a DMZ listening on TCP 443, with a firewall between the proxies and the AD FS servers and another between the proxies and the internet.

The federation servers issue the user a signed security token that Azure AD trusts.

The user tries to sign in to Azure AD > Azure AD redirects the browser to the federation endpoint (the proxy) > the proxy forwards to a federation server, which checks the credentials against AD DS > the federation server issues the token > back through the proxy to the user > the user presents the token to Azure AD, which accepts it because of the federation trust > Azure AD issues its own access token that lets the user reach cloud products such as Microsoft 365.

REMEMBER THAT AZURE AD CONNECT IS JUST THERE TO SYNCHRONIZE OBJECTS BETWEEN YOUR DOMAIN AND AZURE AD; IT DOES NOT SIT IN THE SIGN-IN PATH. A LOCAL DOMAIN USES DIFFERENT PROTOCOLS FROM AZURE AD: LDAP AND KERBEROS ARE NOT USED TO SIGN IN TO AZURE AD, WHICH USES HTTPS-BASED PROTOCOLS (SAML, WS-FED, OAUTH/OPENID CONNECT).

22
Q

Clean up AD DS before using Azure AD Connect

A

Azure AD rejects attributes with invalid values, for example a UPN that contains a space.

Server Manager > Tools > Active Directory Users and Computers > create a new user Sam Jones and deliberately put a space in the UPN (a test case).

On a Windows 10 machine > search for the IdFix download (Microsoft publishes it on GitHub) > ClickOnce launch > Run > Install.
In IdFix > Query (this lists the problem objects) > set Action to Edit and accept or adjust the suggested value > Apply > re-run Query to confirm the list is empty.
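A small pre-sync check of the kind IdFix performs for UPNs, added here as an example (it is not IdFix and not from the flashcards, and it covers only the UPN rules, not proxyAddresses duplicates or mail format). It runs offline against constructed sample objects, including the "Sam Jones with a space" case; swap in the commented Get-ADUser query on a DC. The verified-domain list and OU path are assumptions:

```powershell
# Added example: IdFix-style UPN validation. Rules are the documented Azure AD UPN
# constraints: prefix chars A-Z a-z 0-9 ' . - _ ! # ^ ~, no leading/trailing dot,
# no spaces, prefix <= 64 chars, suffix must be a verified domain.
# Assumptions: verified domains, OU and sample users are constructed.
function Test-CloudUpn {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string[]]$VerifiedDomains
    )
    if ($Upn -notmatch '^[^@]+@[^@]+$') { return @('not in user@domain form') }
    $local, $domain = $Upn -split '@', 2
    $problems = @()
    if ($local -match '[^A-Za-z0-9''._!#^~-]') { $problems += 'invalid character in prefix' }
    if ($local -match '^\.|\.$')               { $problems += 'prefix starts or ends with a dot' }
    if ($local.Length -gt 64)                   { $problems += 'prefix longer than 64 chars' }
    if ($VerifiedDomains -notcontains $domain) {
        $problems += "suffix $domain is not verified (would be replaced by onmicrosoft.com)"
    }
    return $problems
}

$verified = @('examlabpractice.com')   # sample: domains verified in the tenant

# Constructed sample data; replace with the real query on a DC:
# $users = Get-ADUser -SearchBase 'OU=IT,DC=corp,DC=local' -Filter * -Properties UserPrincipalName
$users = @(
    [pscustomobject]@{ SamAccountName = 'sjones'; UserPrincipalName = 'sam jones@examlabpractice.com' },
    [pscustomobject]@{ SamAccountName = 'bjones'; UserPrincipalName = 'bjones@examlabpractice.com' },
    [pscustomobject]@{ SamAccountName = 'svc1';   UserPrincipalName = 'svc1@corp.local' }
)

foreach ($u in $users) {
    $p = Test-CloudUpn -Upn $u.UserPrincipalName -VerifiedDomains $verified
    if ($p) { '{0,-8} {1,-34} {2}' -f $u.SamAccountName, $u.UserPrincipalName, ($p -join '; ') }
}
```

Only sjones and svc1 are reported; bjones passes. Running this before the first sync is cheaper than chasing export errors in Connect Health afterwards.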

23
Q

Download and install Azure AD Connect

After you’re finished go to Azure Active Directory Connect Health

A

portal.azure.com

Microsoft Entra ID (formerly Azure Active Directory)

Azure AD Connect / Microsoft Entra Connect

Download

Agree to the terms
Customize (rather than Express settings)
Leave the custom installation options unticked
Install

User sign-in: choose the sign-in method
choose Password Hash Synchronization
enable Single sign-on
sign in to Azure AD with an account holding the Global Administrator (or Hybrid Identity Administrator) role
AD forest account - the on-prem credentials used to create the AD DS Connector (sync) account; to let the wizard create it you need Enterprise Admin rights, e.g.
GAMESHARKS\administrator
password
(the sync itself then runs as the low-privilege MSOL_xxx account the wizard creates; never run the sync as a domain admin)

Domain and OU filtering - choose which domains and OUs (and therefore which users) are synced.
Sync selected domains and OUs > tick the IT OU set up earlier (you can widen the scope later)

Optional features
Azure AD app and attribute filtering -
lets you limit which Azure AD apps and which attributes are synced (nothing is synced from the cloud back on-premises by this option).
Password writeback - a password changed or reset in the cloud is written back to on-premises AD.
Directory extension attribute sync - syncs additional (custom) on-prem attributes out to Azure AD.

Directory extensions -
select the attributes you want to sync

Staging mode - sets everything up but does not export. You would not enable it on the primary server; you enable it on a second server for redundancy.

Now on portal.azure.com
Look up Users and it shows the synced users (On-premises sync enabled = Yes).
The Microsoft Entra Connect blade shows sync status Enabled.

Click Azure Active Directory Connect Health

Click through for Sync errors
Click Sync services to see whether the sync server is healthy
AD DS services - problems with the domain controllers themselves; this view needs the Connect Health agent for AD DS installed on each domain controller
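After the install, these checks use the ADSync module the installer puts on the Connect server; they are an added example (not the page's own commands) covering the staging-mode and sync-status points of cards 14, 15 and 23. It assumes an elevated session on the Connect server and that the hostname prefix AADC01 marks the intended primary server:

```powershell
# Added example: post-install sanity checks on an Azure AD Connect server.
# Assumptions: elevated session on the Connect server; AADC01* = primary server (sample naming).
Import-Module ADSync

$sched = Get-ADSyncScheduler
'Staging mode       : {0}' -f $sched.StagingModeEnabled
'Sync cycle enabled : {0}' -f $sched.SyncCycleEnabled
'Cycle interval     : {0}' -f $sched.CurrentlyEffectiveSyncCycleInterval
'Next cycle (UTC)   : {0}' -f $sched.NextSyncCycleStartTimeInUTC

# The production server must NOT be in staging mode (nothing would be exported);
# a standby server MUST be, because only one server per tenant may export.
if ($sched.StagingModeEnabled -and $env:COMPUTERNAME -like 'AADC01*') {
    Write-Warning 'Primary sync server is in staging mode; nothing is being exported to Azure AD.'
}
if (-not $sched.StagingModeEnabled -and $env:COMPUTERNAME -notlike 'AADC01*') {
    Write-Warning 'A non-primary server is active; two exporting servers will fight over the tenant.'
}

# Start-ADSyncSyncCycle fails if a run is already in progress, so check first.
if (Get-ADSyncConnectorRunStatus) {
    'A sync run is in progress; wait before forcing another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta   # use Initial for a full import/sync/export
}

# Connectors present: the on-prem forest and the Azure AD tenant.
Get-ADSyncConnector | Select-Object -ExpandProperty Name
```

Staging mode itself is still toggled through the wizard (Configure > Configure staging mode); this script only reads and reports it, which is what you want in a monitoring job.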

24
Q

Edit the Group Policy Object for the password policy

A

Server Manager > Tools > Group Policy Management > Group Policy Objects > right-click Default Domain Policy > Edit > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

Look at the options

Minimum password length audit > logs a warning event for passwords shorter than the audited length without enforcing it (useful before raising the real minimum)

Store passwords using reversible encryption - stores the password in a form that can be decrypted back to cleartext, for legacy protocols (CHAP, Digest authentication) that need the plaintext. It should ALWAYS be disabled; enabling it is equivalent to storing cleartext passwords.

Note: password and lockout settings for domain accounts only take effect from GPOs linked at the domain level (normally the Default Domain Policy); the same settings in an OU-linked GPO only affect local accounts on those computers.

ACCOUNT LOCKOUT POLICY
Controls lockout after failed sign-in attempts
Account lockout duration <- how long the account stays locked (0 = until an administrator unlocks it)
Account lockout threshold <- how many failed attempts trigger the lockout (0 = never lock out)
Reset account lockout counter after <- how long after the last failed attempt the counter goes back to zero; failures within this window add up towards the threshold.

25
Q

GPOs are applied in order, and where several are linked to the same container the one at the top of the link list (link order 1) wins. Show which GPOs apply to your domain and their precedence

A

Server Manager > Tools > Group Policy Management > click the domain > Linked Group Policy Objects tab (Link Order column); the Group Policy Objects folder holds every GPO, linked or not.

These GPOs are linked to containers (site, domain, OU).
For instance, if we expand the domain name we find the Default Domain Policy linked to it.

26
Q

Create a fine-grained password policy and describe what it is

A

A password (and lockout) policy applied to specific users or global security groups rather than to the whole domain. It overrides the domain policy for those subjects, and when several apply to one user the one with the lowest Precedence number wins.

Server Manager > Tools > Active Directory Administrative Center > click the domain > System container > Password Settings Container > New > Password Settings.

At the bottom ("Directly Applies To") you add the groups or users it applies to.

Password requirements will need to be set on-premises even in a hybrid environment. From what I understand you can change password requirements from the cloud but they don't take effect for hybrid users.
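The scripted form of the ADAC steps above, plus the two checks that matter (the domain baseline and what a given user actually ends up with), added as an example rather than taken from the flashcards. It assumes the ActiveDirectory module on a DC, and that the policy name PSO-Admins, the group Cloud Admins, the numeric values and the user bjones are samples:

```powershell
# Added example: fine-grained password policy (PSO) with the checks around it.
# Assumptions: policy name, group, values and user are samples; run on a DC.
Import-Module ActiveDirectory

$PolicyName  = 'PSO-Admins'
$TargetGroup = 'Cloud Admins'

# Domain baseline (what the Default Domain Policy currently enforces), for comparison.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, ReversibleEncryptionEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# The PSO. Lower Precedence wins if a user falls under several policies.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false   # never $true: passwords become recoverable
}

# "Directly Applies To": users or global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroup

# What a member really gets. Empty output means no PSO applies and the domain policy rules.
Get-ADUserResultantPasswordPolicy -Identity 'bjones' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Using Get-ADUserResultantPasswordPolicy is the quickest way to catch the common mistake of applying a PSO to a group that the user is only in via a nested non-global group, which does not count.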

27
Q

What is Group Policy for?

A

Settings, parameters, features, deploying software (the older way of doing it)

Helps you control the environment

"We need to disable/enable features"

A Group Policy Object contains these settings.
It can be applied to different containers (site, domain, OU) and therefore to the users and computers in them.

28
Q

What are the four different levels that a GPO can be applied to?

A

If there is a conflict, a GPO from AD (site, domain, OU) overrides the local computer policy.

Local computer - Local Group Policy, not AD

Site - object that represents a physical location

Domain - everyone logging on to the domain

OU - the OU and its child OUs

29
Q

If there is a policy conflict, who wins out of the different GPO level?

A

The last policy applied wins, so the OU closest to the object wins.

Local first
Site second
Domain third
OU last (parent OU, then child OU) and that is the one that sticks.

30
Q

What is block inheritance

A

When set on a container (domain or OU), it stops GPO links from higher up applying to that container, except links marked Enforced. Password and lockout settings are unaffected in practice because, for domain accounts, they are only read from domain-level GPOs in the first place.

31
Q

What is ENFORCED?

A

More powerful than Block Inheritance.

If ENFORCED is set on a link at the DOMAIN, users and computers below get its settings even if an OU has Block Inheritance on, and even if a lower-level GPO conflicts with it.
Enforced links reverse the normal order: among enforced links the higher-level one wins. If both the Site and the Domain links are enforced, and the Site GPO sets wallpaper "this" while the Domain GPO sets wallpaper "that", the computer gets the "this" wallpaper.

32
Q

Find the two default GPOs

Find where what they’re linked to in the drop down menu

A

Server Manager > Tools > Group Policy Management > expand Forest > expand domain > Group Policy Objects >
Default Domain Controllers Policy
Default Domain Policy

Default Domain Controllers Policy is linked to the Domain Controllers OU

Default Domain Policy is linked to the domain
You can tell a link from the GPO itself by the shortcut-arrow symbol on the icon

33
Q

Create a new Starter GPO that configures the desktop wallpaper setting, then create a GPO from it

What are the Computer and User configs?

Who wins if there is a conflict?

A

A Starter GPO is a template holding only Administrative Templates settings; you get to it from the Starter GPOs folder (right-click > New).
Call it Starter Settings > right-click it > Edit > User Configuration > Administrative Templates > Desktop > Desktop > Desktop Wallpaper > configure it (the notes set it to Disabled)

Server Manager > Tools > Group Policy Management > expand Forest > expand domain > right-click Group Policy Objects > New > call it Sales Desktop Settings > under Source Starter GPO pick Starter Settings.

Right-click the GPO > Edit >
Computer Configuration > settings that apply to the computer, whoever logs on
User Configuration > settings that apply to the user, whichever computer they use

If the same setting is configured in both and they conflict, the Computer Configuration wins.

34
Q

Describe some of the folders in Group Policy Management Editor

A

Policies folder - managed settings that are enforced; the matching option is greyed out for the user and reverts when the policy no longer applies.

Preferences - set defaults, but users can change them (and they stick around after the GPO is removed unless "Remove this item when it is no longer applied" is set).

Software Settings > assign or publish MSI packages so software is installed automatically

Windows Settings > scripts and the Security Settings live here

Administrative Templates - registry-based policies defined in ADMX files, which can be added or customized.
Almost everything else lives here.

35
Q

How do you apply a Group Policy?

A

Link it: drag the GPO onto the OU and drop it, or right-click the OU > Link an Existing GPO.

36
Q

Enable Block Inheritance for an OU

If you block inheritance on the OU you also lose the domain policies you do want. Say you want the IT OU to block inheritance but still receive the Restrict Control GPO.

A

Right-click the IT OU > Block Inheritance

Right-click the Restrict Control link > Enforced

Remember: Enforced overrides Block Inheritance.

37
Q

Show who your GPO applies to inside the OU you linked it to.

Say you want this policy applied to the Inside Sales group rather than everyone in the Sales OU

A

Scope tab - where the GPO is linked and who it applies to (Security Filtering)

Expand your OU > click your GPO link

You'll see that your OU is what is linked to the GPO, and Authenticated Users is the group under Security Filtering, so any authenticated user (or computer) inside that OU gets these settings.

Add Inside Sales and remove Authenticated Users from Security Filtering. Then, on the Delegation tab, give Authenticated Users (or Domain Computers) the Read permission back: since MS16-072, user settings are retrieved in the computer's security context, and without Read the GPO silently stops applying.
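The create, link and scope steps from the last few cards as one script, added as an example (not from the flashcards). It assumes the GroupPolicy module (GPMC), that the GPO name, Starter GPO name, OU and group are samples, and it keeps the Read-only entry for Authenticated Users on purpose because of the MS16-072 behaviour described above:

```powershell
# Added example: create a GPO from a Starter GPO, link it to an OU, scope it to one group.
# Assumptions: names and OU are samples; run where GPMC / the GroupPolicy module is installed.
Import-Module GroupPolicy

$GpoName = 'Sales Desktop Settings'
$OuDn    = 'OU=Sales,DC=corp,DC=local'
$Group   = 'Inside Sales'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -StarterGpoName 'Starter Settings' }

# Link to the OU (the "drag it onto the OU" step), unless already linked.
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null }

# Security filtering: only members of Inside Sales apply the GPO ...
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null
# ... but Authenticated Users keep READ (not Apply), so computers can still fetch it (MS16-072).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# Verify the resulting ACL; this is what the Delegation tab displays.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission
```

If Authenticated Users shows up with no entry at all after a manual edit in GPMC, that is the symptom of the "remove Authenticated Users" mistake, and the GPO will not apply to anyone.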

38
Q

What is WMI Filtering

Where do you find it in the GPO and where do you make a new one?

A

Windows Management Instrumentation filtering: a WQL query attached to a GPO, so the GPO applies only on computers where the query returns at least one object (for example laptops, or a particular OS version).
It is selected on your GPO's Scope tab, in the WMI Filtering drop-down at the bottom.

In Group Policy Management > right-click the WMI Filters folder > New

39
Q

Where are GPOs stored?

What does the settings tab in the GPO do?

What does the Delegation tab do?

A

GPOs are stored in the SYSVOL share, under \\<domain>\SYSVOL\<domain>\Policies\{GPO GUID} (the file part; the GPO container object itself lives in AD under CN=Policies,CN=System)

Settings > a report of the settings configured in the GPO

Delegation > permissions: who can read, edit or apply the GPO

40
Q

Show what settings a user might get (modelling) and what they actually got

View all policies applied to a user from their client machine

A

In the Group Policy Management tree (alongside Sites) > Group Policy Modeling for a what-if, or Group Policy Results for what actually applied > right-click > Group Policy Results Wizard

CMD > gpresult /h c:\test.html (HTML report), or gpresult /r for a summary in the console

41
Q

How long until a GPO takes effect?

Update Group Policy for an OU

Update a user's GPO immediately

A

90-120 minutes on workstations and member servers

Domain controllers - 5 minutes

This is because the refresh interval is 90 minutes plus a random offset of up to 30 minutes.
Each computer waits 90 minutes, then picks a random time within the next 30 minutes, so they are not all refreshing at the same moment.

Right-click the OU > Group Policy Update > this runs a remote gpupdate on the computer objects in that OU (it cannot be targeted at user objects, though on each computer it refreshes both computer settings and those of logged-on users).

CMD > gpupdate /force

Or a reboot (computer settings) or a log off and log on (user settings)
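For a whole OU, the GPMC "Group Policy Update" action and gpresult can be combined into one script that forces the refresh and collects an RSoP report per machine; this is an added example, not from the flashcards. It assumes the GroupPolicy and ActiveDirectory modules, that the OU and report path are samples, and that the targets allow remote scheduled-task creation (the same firewall rules the GPMC action needs):

```powershell
# Added example: force a refresh on every computer in an OU and collect an RSoP report.
# Assumptions: OU and report directory are samples; targets have the GPMC remote-update
# firewall rules open. -RandomDelayInMinutes 0 = immediately (default spreads it over 10 min).
Import-Module GroupPolicy, ActiveDirectory

$OuDn   = 'OU=Sales,DC=corp,DC=local'
$Report = 'C:\Reports'
New-Item -ItemType Directory -Path $Report -Force | Out-Null

$computers = Get-ADComputer -SearchBase $OuDn -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty Name

foreach ($c in $computers) {
    try {
        Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        # Same data the Group Policy Results Wizard shows, written to one HTML file per host.
        Get-GPResultantSetOfPolicy -Computer $c -ReportType Html `
            -Path (Join-Path $Report "$c.html") | Out-Null
        "$c : refreshed, report written"
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"   # offline, firewall, or access denied
    }
}
# From the client itself, as in the card:  gpupdate /force   then   gpresult /h C:\test.html /f
```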

42
Q

Default Group Policy Preferences for computers: set the sleep timeout to 10 minutes

Deploy this preference only if a battery is present. Can you do this with Policies?

A

Server Manager > Tools > Group Policy Management > expand domain > Group Policy Objects > right-click one > Edit > Computer Configuration > Preferences > Control Panel Settings > Power Options > right-click > New > Power Plan (Windows 7 and later) > Sleep after 10 minutes

Common tab > Item-level targeting > Targeting > New Item > Battery Present

Not with Policies directly: item-level targeting only exists for Preferences. The nearest thing for a Policy is a WMI filter on the whole GPO (e.g. SELECT * FROM Win32_Battery).
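WQL queries of the kind you would paste into WMI Filters > New (card 38) to get the battery behaviour for Policies, plus a couple of other common scopes, tested locally before use; this is an added example, not from the flashcards. The queries use standard Win32_* classes; whether each "applies" on your machine depends on the hardware and OS (a VM has no Win32_Battery instance):

```powershell
# Added example: candidate WMI filters for GPO scoping, evaluated locally with CIM.
# Assumption: standard Win32_OperatingSystem / Win32_Battery classes; results vary by host.
$wmiFilters = @{
    'Laptops (battery present)'   = 'SELECT * FROM Win32_Battery'
    'Workstations only'           = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
    'Member servers only'         = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "3"'
    'Windows 10/11 (10.x builds)' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%"'
}

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # Group Policy treats a filter as TRUE when the query returns at least one instance.
    [bool](Get-CimInstance -Query $Query -ErrorAction SilentlyContinue)
}

foreach ($f in ($wmiFilters.GetEnumerator() | Sort-Object Name)) {
    $state = if (Test-WmiFilter $f.Value) { 'APPLIES here' } else { 'filtered out' }
    '{0,-28} {1}' -f $f.Name, $state
}
```

ProductType 1 is a workstation, 2 a domain controller and 3 a member server. Note the trade-off the card hints at: a WMI filter gates the entire GPO at processing time (and costs a WMI query on every refresh), whereas item-level targeting gates a single Preference item.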

43
Q

How Azure AD DS / Microsoft Entra Domain Services handles Group Policy

Look at the Entra Domain Services GPOs and show more information about them

A

There are no domain controllers you can log on to, so Group Policy is managed from a domain-joined VM with the management tools. Resource groups > find the managed domain and a server joined to it to RDP to > Server Manager > Manage > Add Roles and Features > Features: Remote Server Administration Tools > Group Policy Management > Install

Tools > Group Policy Management > click a GPO > Settings tab > show all
The most important part is at the bottom where it says:
Computer Configuration (Enabled)
User Configuration (Enabled)
