LEC5 Summary (Topic / Key Points)

Active Directory (AD) Overview
- AD is a distributed database that stores objects (users, computers, devices, services) in a hierarchical, secure format.
- Objects are uniquely identified by name and attributes.
- AD is divided into domains, trees, and forests.

Protocols & Services
- LDAP: accesses directory service data.
- Kerberos: provides secure authentication between users and servers.
- DNS: translates domain names to IP addresses; AD clients also use DNS (SRV records) to locate domain controllers.

Management Tools in MMC
- Active Directory Administrative Center: manages directory services.
- Active Directory Users and Computers: manages users and computers.
- Active Directory Domains and Trusts: manages domain and trust information.
- Active Directory Sites and Services: manages replication between sites.
- Active Directory Module for PowerShell: manages directory services via cmdlets.

Domain Controller (DC)
- A server that securely authenticates users.
- Windows NT used a Primary Domain Controller (the writable copy) and Backup Domain Controllers (read-only copies).
- In Windows Server 2019 all writable DCs are peers (multi-master replication); they are only ordered for clients (e.g., DC1, DC2), without a primary/backup approach.

Domain
- Logical group of users, computers, and services.
- Centralized network environment managed by a DC.
- Provided by the AD DS server role.

Tree
- Comprised of one or more domains that share a contiguous namespace.
- Domains are linked through two-way transitive trust relationships.
- New domains automatically trust existing domains in the tree.

Forest
- Collection of one or more domain trees.
- The first domain created becomes the forest root domain.
- Set up using the Active Directory Domain Services Configuration Wizard.

Child Domain
- A subdomain of a tree. Example: Programming.Dautti.local is a child domain of Dautti.local.
- Set up using the Active Directory Domain Services Configuration Wizard.

Operations Master (FSMO) Roles
- Five roles in AD DS:
  - Forest-wide (one holder per forest): Schema Master, Domain Naming Master.
  - Domain-wide (one holder per domain): RID Master, PDC Emulator, Infrastructure Master.
- These roles handle changes that must not happen on several DCs at once: schema and domain-naming changes, RID pool allocation, password updates and time synchronization (PDC Emulator), and cross-domain object references (Infrastructure Master).

Domain vs. Workgroup
- Domain: uses a dedicated server for resource management (client-server network).
- Workgroup: devices share resources as equals without a dedicated server (peer-to-peer network).

Trust Relationships
- A trust lets one domain accept authentication performed by another; domains within a tree and forest trust each other automatically.
- Once a computer joins a domain it has its own computer account and a secure channel to the DCs, and uses Kerberos for authentication via the DC.

Functional Levels
- Forest Functional Level (FFL): determines which Windows Server versions can run as DCs across the forest and which forest-wide features are available.
- Domain Functional Level (DFL): controls DC versions and capabilities within a specific domain.
- A Windows Server 2019 DC requires a DFL and FFL of at least Windows Server 2008.

Namespace
- Domains and child domains in a tree share a contiguous namespace (e.g., Programming.Dautti.local under Dautti.local).

Sites
- Represent the physical topology of a network (IP subnets and well-connected locations), whereas domains represent the logical structure.

Replication
- Synchronizes directory partitions across all Domain Controllers (DCs) in a forest.

Schema
- Defines the object classes and attributes in AD.
- Schema changes are synchronized across DCs through replication.

Microsoft Passport
- Password-free authentication based on FIDO standards (since renamed Windows Hello for Business).
- Uses two-factor authentication (a device-bound key plus a PIN or biometric) to access services.

DNS (Domain Name System)
- Hierarchical system that organizes domain names and IP addresses.
- Zones and resource records are used to manage name resolution.

Hosts and lmhosts Files
- Located in C:\Windows\System32\drivers\etc.
- hosts: maps IP addresses to hostnames (consulted before DNS).
- lmhosts: maps IP addresses to NetBIOS computer names (NetBIOS resolution).
- Entries are inserted manually, one per line; text after # is a comment.

Hostnames
- A hostname is a unique identifier for a device in a network.
- Combined with a DNS suffix it forms the fully qualified domain name, which is why it is often loosely called the domain name.

DNS Zones
- Primary zone: stores the writable DNS database with all records.
- Secondary zone: read-only copy of the primary zone, used when the primary is unavailable.
- Stub zone: a copy holding only the zone's SOA, NS and glue records; it has no editable database and is used to locate the authoritative servers.
- Authoritative DNS: holds the actual domain DNS records, configured manually or dynamically.
- Non-authoritative DNS: contains cached DNS lookup information.

Windows Internet Name Service (WINS)
- Automates NetBIOS name resolution by mapping NetBIOS names to IP addresses.
- Available in Windows Server 2019 and added through Server Manager.

Universal Naming Convention (UNC)
- Used to identify shared network resources, originally from Unix.
- Follows the format \\servername\folder.

Organizational Units (OUs)
- Used to organize AD objects for easier administration (delegation and GPO linking).

Default Containers
- Created when a server is promoted to a Domain Controller (DC), e.g., Users and Computers.
- Cannot be renamed, deleted, or linked to Group Policy Objects (GPOs).

Hidden Default Containers
- Hidden to keep the interface cleaner and to reduce accidental changes; hiding is a console setting, not an access control.
- Revealed by enabling Advanced Features in the View menu of the Active Directory Users and Computers console.

Active Directory (AD) is a centralized system that manages users, groups, computers, and other network objects in a Windows Server-based environment. The organization of these objects into Organizational Units (OUs) and the use of groups facilitate efficient management of rights and permissions. This overview explains key concepts related to delegating control, user and computer accounts, user profiles, group types, and best practices for assigning permissions in AD.

Delegating Control to an OU
- OUs organize AD objects. Administrative permissions are granted to users or groups by delegating control over an OU (Delegation of Control Wizard).
- The objects to be managed must be moved into the appropriate OU first, because the delegated permissions apply to that OU's contents.

Accounts and Groups
- User and computer accounts are needed to access network services.
- Groups simplify the assignment of rights and permissions in AD.

Domain Accounts
- Part of AD and authenticated by a DC.
- Have access to services based on assigned permissions or group memberships.

Local Accounts
- Created on individual computers and authenticated by that computer's Security Account Manager (SAM) database.
- Can access local services and shared resources in peer-to-peer networks if they have the necessary permissions.

User Profiles
- Local User Profile: created when a user logs into a computer for the first time and stored locally.
- Roaming User Profile: a profile stored on a network share so it follows the user between devices.
- Mandatory User Profile: a read-only profile; changes are discarded at logoff and the profile reverts to its default state.

Computer Accounts
- Identify devices in the AD domain.
- After joining a domain, a computer authenticates and communicates using its own account and unique name.
- Managed using the Active Directory Users and Computers console.

Group Types
- Security Groups: assign permissions to shared network resources (and can also receive email).
- Distribution Groups: used only for distributing email within an organization; cannot be assigned permissions.

Default Groups
- Created when a server is promoted to a DC (e.g., Domain Admins, Domain Users) to manage AD objects efficiently.

Group Scopes
- Domain Local Group: can contain accounts, global groups and universal groups from any domain in the forest (and trusted domains), plus domain local groups from its own domain; used to assign permissions to resources in its own domain.
- Global Group: can contain accounts and other global groups from its own domain only; can be granted permissions in any domain in the forest.
- Universal Group: can contain accounts, global groups and universal groups from any domain in the forest; its membership is stored in the global catalog.

Group Nesting
- Minimizes the number of individually assigned permissions.
- Groups can be added to other groups for better permission management.

AGDLP (Accounts, Global, Domain Local, Permissions)
- A method for assigning permissions using group nesting:
  1. Add user accounts to a Global Group.
  2. Add the Global Group to a Domain Local Group.
  3. Assign permissions to the Domain Local Group.

AGUDLP (Accounts, Global, Universal, Domain Local, Permissions)
- Another method for assigning permissions using group nesting, used when members come from several domains:
  1. Add user accounts to a Global Group.
  2. Add the Global Group to a Universal Group.
  3. Add the Universal Group to a Domain Local Group.
  4. Assign permissions to the Domain Local Group.
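The forest, tree and domain structure, the functional levels and the five operations master roles summarised above can all be read from the directory with the Active Directory module. The script below is an added example, not part of the lecture: it walks the forest, lists every domain with its parent/child links, reports both functional levels and the FSMO holders, checks the Windows Server 2008 minimum level a 2019 DC needs, and lists the trusts. It requires the ActiveDirectory module (RSAT or the AD DS role) and a domain-joined session with read access; the default forest name is the lecture's example Dautti.local, everything else is read from the directory.

```powershell
# Added example, not from the lecture. Assumes the ActiveDirectory module and a
# domain-joined session; the forest name defaults to the lecture's Dautti.local.
Import-Module ActiveDirectory

function Test-FunctionalLevelFor2019 {
    param($Forest, $Domain)
    # A Windows Server 2019 DC needs FFL and DFL of Windows Server 2008 or
    # later, so any mode in these two lists is too old.
    $oldForest = 'Windows2000Forest', 'Windows2003InterimForest', 'Windows2003Forest'
    $oldDomain = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
    ([string]$Forest.ForestMode -notin $oldForest) -and ([string]$Domain.DomainMode -notin $oldDomain)
}

function Get-AdStructureReport {
    [CmdletBinding()]
    param([string]$ForestName = 'Dautti.local')   # assumed example forest

    $forest = Get-ADForest -Identity $ForestName

    # Forest-wide facts: root domain, FFL, every domain in every tree, the
    # sites (physical topology) and the two forest-wide FSMO roles.
    [PSCustomObject]@{
        Scope              = 'Forest'
        Name               = $forest.Name
        RootDomain         = $forest.RootDomain
        FunctionalLevel    = [string]$forest.ForestMode
        Domains            = $forest.Domains -join ', '
        Sites              = $forest.Sites -join ', '
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }

    # Domain-wide facts for each domain: parent/child links (the tree shape),
    # DFL, the three domain-wide FSMO roles and the 2019 minimum-level check.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        [PSCustomObject]@{
            Scope                = 'Domain'
            Name                 = $d.DNSRoot
            ParentDomain         = $d.ParentDomain
            ChildDomains         = $d.ChildDomains -join ', '
            FunctionalLevel      = [string]$d.DomainMode
            RIDMaster            = $d.RIDMaster
            PDCEmulator          = $d.PDCEmulator
            InfrastructureMaster = $d.InfrastructureMaster
            Server2019Ready      = Test-FunctionalLevelFor2019 -Forest $forest -Domain $d
        }
    }
}

function Get-AdTrustReport {
    # Parent-child and tree-root trusts are created automatically and are
    # two-way transitive; anything else was created by an administrator and
    # deserves review (direction, transitivity, SID filtering).
    Get-ADTrust -Filter * | Select-Object Name, Source, Target, Direction,
        TrustType, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware
}

# Usage:
Get-AdStructureReport | Format-List
Get-AdTrustReport | Format-Table -AutoSize
```

Run it from any domain member with RSAT; the FSMO columns are the quickest way to confirm that the roles are held by DCs you actually control, and the trust list shows every path by which another domain's authentication is accepted.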
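The hosts file format summarised above (one entry per line: address, whitespace, one or more names; text after # is a comment) is simple enough to parse and audit in a few lines, and since hosts is consulted before DNS it is a common place for malware to redirect update or login domains. The script below is an added example, not part of the lecture: it parses hosts-style lines into objects and flags entries that override names on a watch list or that point at public IPv4 addresses. The sample lines and the watch list are constructed for this example; lmhosts is deliberately not handled, because its #PRE and #DOM: keywords live inside what a hosts parser treats as comments.

```powershell
# Added example, not from the lecture. The sample lines and watch list below are
# constructed; replace $SampleHosts with Get-Content on the real file.

function ConvertFrom-HostsFile {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $body = ($line -replace '#.*$', '').Trim()   # drop comments and blanks
        if (-not $body) { continue }
        $fields = $body -split '\s+'                  # address, then names
        $addr = $null
        if ($fields.Count -lt 2 -or -not [System.Net.IPAddress]::TryParse($fields[0], [ref]$addr)) {
            Write-Warning "hosts line ${n}: cannot parse '$line'"
            continue
        }
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            [PSCustomObject]@{
                Line    = $n
                Address = $addr.IPAddressToString
                Name    = $name.ToLowerInvariant()
            }
        }
    }
}

function Test-HostsEntry {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        # Constructed watch list: names that should never be overridden locally.
        [string[]]$WatchList = @('update.microsoft.com', 'login.microsoftonline.com')
    )
    process {
        $ip         = [System.Net.IPAddress]::Parse($Entry.Address)
        $isLoopback = [System.Net.IPAddress]::IsLoopback($ip)
        $isPrivate  = $Entry.Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
        $reasons = @()
        if ($Entry.Name -in $WatchList) { $reasons += 'watch-listed name overridden' }
        if (-not $isLoopback -and -not $isPrivate -and $ip.AddressFamily -eq 'InterNetwork') {
            $reasons += 'points to public IPv4'
        }
        [PSCustomObject]@{
            Line       = $Entry.Line
            Name       = $Entry.Name
            Address    = $Entry.Address
            Suspicious = ($reasons.Count -gt 0)
            Reason     = $reasons -join '; '
        }
    }
}

# Constructed sample. For the real file use:
#   Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
$SampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '10.0.0.5        dc1.dautti.local dc1   # lab DC',
    '198.51.100.7    update.microsoft.com',
    'not-an-address  broken.example'
)
ConvertFrom-HostsFile -Lines $SampleHosts | Test-HostsEntry | Format-Table -AutoSize
```

On the sample, the dc1 entry is accepted as a normal private-range mapping, the update.microsoft.com line is reported as suspicious on both counts, and the last line produces a parse warning rather than a silent skip.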
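The AGDLP steps above map directly onto a few Active Directory and ACL cmdlets. The script below is an added example, not part of the lecture: one function performs the Accounts -> Global -> Domain Local -> Permissions chain for a folder, and a second lists ACEs granted directly to user accounts, which is exactly what AGDLP is meant to avoid. It requires the ActiveDirectory module and must run on the file server that hosts the folder. The OU path, the G_/DL_ naming scheme, the share path and the member names are assumptions; the domain is the lecture's Dautti.local.

```powershell
# Added example, not from the lecture. Assumed: OU path, group naming scheme,
# share path and member names; domain taken from the lecture (Dautti.local).
Import-Module ActiveDirectory

function Grant-ResourceAccessAgdlp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Role,        # who, e.g. 'Developers'
        [Parameter(Mandatory)][string]$Resource,    # what, e.g. 'SourceShare'
        [Parameter(Mandatory)][string]$Path,        # local folder behind the share
        [Parameter(Mandatory)][string[]]$Members,   # sAMAccountNames
        [ValidateSet('Read', 'Modify')][string]$Access = 'Read',
        [string]$GroupOU = 'OU=Groups,DC=Dautti,DC=local'   # assumed OU
    )
    $nb = (Get-ADDomain).NetBIOSName

    # A -> G: accounts become members of a Global group that names the role.
    $g = "G_$Role"
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    Add-ADGroupMember -Identity $g -Members $Members

    # G -> DL: the Global group is nested in a Domain Local group that names
    # the resource and access level. Domain Local groups may hold global
    # groups from any domain in the forest, so they sit next to the resource.
    $dl = "DL_${Resource}_$Access"
    if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
        New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
    Add-ADGroupMember -Identity $dl -Members $g

    # DL -> P: only the Domain Local group is written into the ACL.
    $rights = if ($Access -eq 'Modify') { 'Modify' } else { 'ReadAndExecute' }
    if ($PSCmdlet.ShouldProcess($Path, "grant $rights to $nb\$dl")) {
        $acl  = Get-Acl -Path $Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$nb\$dl", $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Find-DirectUserAce {
    # Lists every ACE on a folder and marks those whose trustee is a user
    # object rather than a group (an AGDLP violation).
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sam = $ace.IdentityReference.Value.Split('\')[-1]
        # Well-known principals (BUILTIN\, NT AUTHORITY\) have no AD object,
        # so $obj stays $null and they are reported as 'n/a'.
        $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Class     = if ($obj) { $obj.ObjectClass } else { 'n/a' }
            Violation = ($obj.ObjectClass -eq 'user')
        }
    }
}

# Usage (assumed share and accounts):
Grant-ResourceAccessAgdlp -Role 'Developers' -Resource 'SourceShare' `
    -Path 'D:\Shares\Source' -Members 'alice', 'bob' -Access Modify
Find-DirectUserAce -Path 'D:\Shares\Source' | Format-Table -AutoSize
```

Adding -WhatIf to the grant call shows the ACL change without applying it. AGUDLP is the same chain with one extra Add-ADGroupMember step that nests the Global group into a Universal group and the Universal group into the Domain Local group; use it when the role's members come from several domains.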