vid1: Az ADDS

Question 1

LDAP port / DNS record format

Answer 1

389 / _ldap._tcp.

Question 2

FSMO

Answer 2

Flexible Single Master of Operation

Question 3

PAS

Answer 3

Partial Attribute Set - DCs can optionally be made Global Catalog servers which hold a PAS about every object in the forest, enabling search of the entire forest

Question 4

common cloud authentication protocols

Answer 4

• OAuth
• OAuth 2 (used by Azure AD)
• SAML
• WS-Federation

Question 5

MFA

Answer 5

Multi-factor authentication

• Something I know
• Something I have
• Something I am

Question 6

DC in Azure key considerations (7)

Answer 6

1. 2012+ so healing can take place
2. AD db and log on non-OS data disks, without caching
3. Assign a reserved IP address w/in Az configuration
4. Update vnet DNS to use Az DCs first
5. make at least one Az DC a GC
6. Configure Az DCs to not publish generic DNS records
7. If multiple Az DCs, use an Availability Set

Question 7

Federation pieces

Answer 7

• a Federation is created bt orgs out-of band (eg no direct communication bt orgs… no firewall ports, etc… all communication via web browser)
• Home STS (Security Token Service) generates token
• Resource STS and applications native to that federated org consume the token
• Result: users use home credential w/o exposing password to resource

Question 8

WS-Fed

Answer 8

the sign-in protocol that defines the process of redirects b/t federation servers and claims-aware applications

Question 9

OAuth

Answer 9

a type of sign-in protocol commonly used by applications

Question 10

authentication protocol is used to…

Answer 10

request user credentials such as Kerberos, NTLM, certificates, MFA, or form-based

Question 11

SAML

Answer 11

Security Assertion Markup Language - a type of token used with ADFS (but also sometimes a sign-in protocol)

Question 12

types of Federated Applications (3)

Answer 12

1. . Featured: supports federation and has APIs to create objects on the other side if req’d
2. others support federation but manual actions are req’d to complete the relationship
3. still others do not support federation, but use credential “stuffing” (netflix, hulu, etc)

Question 13

Azure AD Connect

Answer 13

enables replication of users and groups from AD to AzAD

Question 14

powershell: install ADDS

Answer 14

Install-WindowsFeature -Name ad-domain-services -IncludeAllSubFeature

Question 15

powershell: install domain forest

Answer 15

Install-ADDSForest -DomainName “domain.name”

Question 16

powershell: AD Connect Health from Core install

Answer 16

1. (run the installer: AdHealthAddsAgentSetup.exe )

2. Register-AzureADConnectHealthADDSAgent -Credential (Get-Credential)