Dynamic Host Configuration Protocol (DHCP)

Questions and Answers

What primary benefit does DHCP provide in network administration?

• Manually assigning static IP addresses to each network device.
• Filtering network traffic based on content.
• Providing a secure channel for encrypting network communications.
• Automatically leasing IP addresses to devices, reducing administrative overhead. (correct)

Upon installation, a DHCP server provides which of the following?

• A database, service to listen and respond to requests and an administrative console. (correct)
• Antivirus software and malware protection.
• A tool for intrusion detection.
• A firewall to protect against unauthorized access.

When configuring a new scope on a DHCP server, what is an authorization?

• A permission granting users the ability to request IP addresses.
• A setting that limits the duration of IP address leases.
• A security measure ensuring only authorized DHCP servers operate on the network. (correct)
• A process that encrypts all DHCP communications for enhanced security.

Which of the following is a characteristic of a user account?

It acts as a security principal with a SID for assigning permissions. (D)

Where can a user account be stored to enable logon to a domain and be assigned permissions to resources anywhere in the domain?

Active Directory. (C)

Which parameter of the New-ADUser PowerShell cmdlet specifies the user's logon name?

-SAMAccountName (B)

What happens if the -Enabled parameter is not specified when creating a new user account with the New-ADUser cmdlet?

The account is disabled by default. (C)

What is the character limit typically enforced on the sAMAccountName?

20 characters. (D)

What attribute must be unique within an Organizational Unit (OU) such that the relative distinguished name is unique?

common name (cn) (B)

Among the account attributes, which setting dictates when a user is permitted to log on to the system?

Logon Hours (A)

What are common tasks associated with user account management?

Renaming, resetting passwords, and unlocking user accounts. (A)

In Active Directory Users and Computers, how can you view all available attributes for a user?

By clicking the 'View' menu and selecting 'Advanced Features', then using the 'Attribute Editor' tab in the user's properties. (A)

When modifying attributes for multiple users at once in Active Directory, what should you consider?

Certain attributes, such as the street address, are not copied when using templates. (B)

When using PowerShell to modify a user's attributes, which cmdlet is used to retrieve the existing attributes of an object?

Get-ADUser (B)

With regards to creating users with templates, which user attribute is not copied?

Street address (B)

What is the purpose of using CSVDE and what type of files can it edit?

To export and import user information using comma-separated value files, editable with text editors. (C)

When exporting user data using CSVDE, which command line argument specifies an LDAP query to filter the exported users?

-r (C)

What limitation exists when importing users with CSVDE concerning passwords?

Passwords cannot be imported; user accounts are created as disabled. (C)

What distinguishes LDIFDE from CSVDE in terms of functionality?

LDIFDE can modify or remove existing users, while CSVDE can only create new ones. (B)

When importing users using Windows PowerShell with a CSV file, what cmdlet is employed to create new Active Directory user accounts?

New-ADUser (B)

What are the advantages of managed service accounts over standard user accounts for running services?

No password management and no SPN manangement is required for managed service accounts. (C)

What administrative overhead is reduced by using managed service accounts?

Managing the service account password. (B)

How would you start the process of creating a managed service account?

New-ADServiceAccount powershell command. (C)

After creating a managed service account, what step ensures it is active on the intended host server?

Running the Install-ADServiceAccount cmdlet targeting the specific service account. (B)

What action is essential after you install a managed service account on a host server?

Associating the service account with its intended service. (B)

If you need a tool to manage Active Directory objects or set up dynamic hosts, what are some of the options?

DHCP Management Console and Active Directory Users and Computers snap-in. (B)

What parameter facilitates the designation of an OU in the New-ADUser command, determining where the newly created user object will reside within Active Directory?

-Path (B)

Which of the following statements best illustrates how DHCP handles IP address allocation?

DHCP provides IP addresses on a lease basis, with automatic renewal at specified intervals. (B)

Which of the following attributes is critical for user authentication and is always required for any user account?

User logon name (userPrincipalName) (C)

Flashcards

DHCP

A very common infrastructure role that automatically provides IP addresses to networked devices.

DHCP Benefits

Ensuring every computer has a network IP address automatically, drawing from an administrator-defined pool.

DHCP Server Role

A central component that supplies IP address leases to requesting DHCP clients.

DHCP Role Contents

Consists of a database for IP address scopes and options, a service listening for requests, and an administrative console for setup.

User Account

Enables authentication and permission assignments and can be stored in Active Directory or the local SAM database.

New-ADUser

PowerShell command to create user accounts, including name, SAM account name, password, and enabling or disabling status.

User Name Attributes

Attributes like user logon name, UPN, and full name, each with specific uniqueness and formatting requirements.

Account Attributes

Settings that include logon hours, allowed computers, password options, account expiration, and delegation.

Account Management Tasks

Renaming, resetting passwords, unlocking accounts, enabling/disabling, moving, and deleting user accounts.

Access Attribute Editor

In Active Directory Users and Computers, access the attribute editor via the view menu and then advanced features.

Modifiable Attributes

Description, office, telephone number, UPN suffix, logon hours, and Computer restrictions.

PowerShell Attributes

PowerShell cmdLets like Get-ADUser and Set-ADUser allow attribute modification.

Account Settings

Account tab (logon hours, logon workstations, account options, and account expiration).

CSVDE Tool

A command-line utility to export and import user information in CSV format.

Ldifde

Command line utility for importing/exporting directory objects.

Windows PowerShell

Allows importing users using a CSV file and the New-ADUser command.

Managed Service Account

Automate password and SPN management. Reduces manual efforts.

Configure Service Accounts

New-ADServiceAccount creates accounts and Install-ADServiceAccount installs them.

Study Notes

Dynamic Host Configuration Protocol (DHCP)

• DHCP serves as a common infrastructure role, providing IP addresses which act as numeric "mailboxes" for networked devices
• DHCP automatically leases IP addresses, eliminating the need for manual configuration by administrators
• DHCP includes its own database, service, and administrative console

Benefits of DHCP

• Automatically ensures that every computer has a network IP address
• Allows administrators to specify a "pool" of addresses for assignment
• Computers without an IP address request one from the DHCP server
• Leased addresses are automatically renewed at specified intervals

DHCP Server Role

• DHCP clients request IP addresses from the DHCP server
• DHCP server supplies IP address leases
• An optional standby DHCP server can be used for high availability

DHCP Role Installation Components

• Database: Includes IP address scopes and scope options
• Service: Listens for requests and responds accordingly
• Administrative console: A GUI tool for setup

DHCP Administrative Console

• Before a DHCP server can issue IP addresses, a scope must be created and the server authorized
• A scope is a range of IP addresses assigned to computers requesting a dynamic IP address
• Authorization is a security measure to ensure that only authorized DHCP servers run on the network
• To add a new scope, click New Scope in the Action menu
• To authorize the DCHP server, navigate to the server node and click Authorize in the Action menu

User Accounts

• A user account enables authentication via login name and password
• A user account is a security principal with a security identifier (SID) that can be assigned permissions

User Account Storage

• Active Directory: Enables logon to the domain and assignment of permissions to resources anywhere in the domain, administered via Active Directory snap-ins and commands
• Local SAM database: Enables logon to the local computer and assignment of permissions to local resources, administered via the Local Users and Groups snap-in

Creating Users with PowerShell

• New-ADUser -Name [Parameters]: command for creating a user
• -Name: Specifies the name of the user to create, which also becomes the SAM Account name if no other parameters are provided
• [Parameters]: Various parameters to customize user creation
• -SAMAccountName: Specifies the name with which the user logs on
• -AccountPassword: Sets the account password
• -Enabled: Enables the account; disabled by default if not provided
• -Path: Specifies the location where the object should be created; defaults to the Users container
• Get-Help New-ADUser –detailed: Command to get explanations of the parameters that can be used

Name Attributes

• User logon name (pre-Windows 2000): sAMAccountName
• Should be unique in the domain
• Limited to 20 characters
• User logon name userPrincipalName (UPN)
• Consists of Name + @ + UPN suffix
• Must be unique in the forest
• Name or Full Name cn (common name)
• Unique in OU so that the relative distinguished name (RDN) is unique in OU, ensuring the object's distinguished name is unique in the forest
• Display name displayName
• Exchange global address list (GAL): Best if unique, but not technically required

Account Attributes

• Common parameters for user accounts include
• Logon Hours
• Log On To
• User must change password at next logon
• User cannot change password
• Password never expires
• Account is disabled
• Store password by using reversible encryption
• Smart Card is required for interactive logon
• Account is trusted for delegation
• Account expires

User Account Management Tasks

• Renaming user accounts
• Resetting user passwords
• Unlocking user accounts
• Disabling or enabling user accounts
• Moving user accounts
• Deleting user accounts

Viewing User Attributes

• The Attribute Editor tab can be utilzed for viewing
• In Active Directory Users and Computers, click the View menu, and then select Advanced Features to view

Procedure for Modifying Attributes For Multiple Users

• Select multiple users by holding CTRL and clicking
• Right-click any of the selected users
• Click Properties to access parameters

Attributes That Can Be Modified

• General: Description, Office, Telephone Number, Fax, Web page, E-mail
• Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, Account expires
• Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, Country/region
• Profile: Profile path, Logon script, Home folder
• Organization: Job Title, Department, Company, Manager

Modifying With Powershell

• Get-AdUser retrieves attributes of objects
• Command line: Get-ADUser UserDN... [-parameter value]
• UserDN distinguishedName of the user
• Parameter for attributes: Name of attribute
• Value: Value for attribute or use * for all attributes
• Set-ADUser modifies specified attributes
• Command line: Set-ADUser UserDN [-parameter value]
• UserDN distinguishedName of the user
• Parameter value for specific attributes: Attribute and value to be modified
• Example using both together:
• Get-ADUser Tony.Krijnen | Set-ADUser -office "Stockholm"

User Creation Via Templates

• General tab with no properties copied
• Address tab to copy P.O. box, city, state or province, ZIP or postal code, and country or region. -The street address itself will not be coped
• Account tab with logon hours, logon workstations, account options, and account expiration copied over.
• Profile tab copies profile path, logon script, home drive, and home folder path
• Organization tab that copies department, company, and the user's manager
• Member Of

Exporting and Importing Users

CSV (Comma-Separated Value Text Files)

• Can be edited with simple text editors such as Notepad, or more advanced programs such as Microsoft Office or Excel
• Has an export application know as CSVDE.exe
• csvde -f filename -d RootDN -p SearchScope -r Filter -1 ListOfAttributes
• RootDN: The domain in which to start the export. (default = domain)
• SearchScope: Scope of export (Base, OneLevel, Subtree)
• Filter: Filter of which users need to be exported (LDAP query language)
• ListOfAttributes: Use the LDAP name

Importing Users with CSVDE

• csvde -i -f filename [-k]
• -I import-default mode is export
• -K Continue past errors (such as Object Already Exists)
• It cannot import passwords, so users are created as disabled
• Cannot modify existing users

LDIFDE

• LDAP Data Interchange Format File
• Has an export program LDIFDE.exe
• ldifde [-i] [-f filename] [-k]
• -I import-default mode is export
• -K Continue past errors (such as Object Already Exists)
• Cannot import passwords, so users are created as disabled
• Can modify or remove existing users

Importing and Exporting Users with Powershell

• To import you must use Import-CSV and New-ADUser command lines
• Import-CSV Users.csv | foreach {New-ADUser -SamAccountName $.SamAccountName -Name $.Name -Surname $.Surname -GivenName $.GivenName -Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.SamAccountName -Force) -Enabled $true}

Challenges of Standard User Accounts for Services

• Extra administration to manage the service account password

Managed Service Account

• Automates password and SPN management for service accounts used by services and applications

Steps to Configuring and Administering These Accounts

• Create a managed service account:
• New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]
• Install a managed service account on the host server:
• Install-ADServiceAccount -Identity <ADServiceAccount>
• Associate the service account with the intended service