CMPE 351 Network Administration Reviewer PDF

Document Details

Polytechnic University of the Philippines

Tags

network administration, command-line, scripting, computer engineering

Summary

This document is a set of lecture notes (study material) for CMPE 351 Network Administration. It covers the Active Directory command-line tools (Dsadd, Dsmod, Dsquery, Dsrm, Dsget, Csvde, Ldifde), basic VBScript automation of AD, domains, trees, forests and trust relationships, Group Policy (GPOs, order of application, software deployment and restriction), account policies (password, lockout and Kerberos), and the installation, configuration, management and troubleshooting of file, DNS and DHCP servers on Windows Server 2008.

Full Transcript

CMPE 351 Network Administration
Command-Line and Scripting

Objectives:
- To be able to know some command-line tools
- To be able to apply some command-line tools
- To be able to apply some basic scripting
- To be able to know the types of accounts and groups

Common Command-Line
- Dsadd – adds objects
- Dsmod – modifies objects
- Dsquery – runs queries according to criteria
- Dsmove – moves a single object to a new location
- Dsrm – deletes an object
- Dsget – displays selected attributes of an object
- Csvde – imports or exports AD data in comma-separated (CSV) format
- Ldifde – creates, modifies and deletes objects using LDIF files

Verifying a domain controller promotion
- %systemroot%\sysvol – verify that the SYSVOL folder was created
- net share – verify that the necessary shared folders (SYSVOL and NETLOGON) were created
- %systemroot%\ntds – verify that the database and log files were created:
  - Ntds.dit – directory database file
  - Edb.* – transaction logs (edb*.log) and checkpoint file (edb.chk)
  - res*.log – reserved log files, kept so the directory can still write logs when the disk is full

Creating objects with Dsadd
- Organizational unit: dsadd ou "Distinguished Name"
- User: dsadd user "Distinguished Name"
- User with attributes: dsadd user "Distinguished Name" -fn "FirstName" -ln "LastName" -disabled no
- Computer: dsadd computer "Distinguished Name"

Modifying objects with Dsmod
- Organizational unit: dsmod ou "Distinguished Name" -desc "Description"
- User: dsmod user "Distinguished Name" -fn "FirstName" -ln "LastName" -disabled yes
- Computer: dsmod computer "Distinguished Name" -desc "Description"

Removing objects with Dsrm
Unlike dsadd and dsmod, dsrm takes no object type; it deletes whatever object the distinguished name refers to:
- Organizational unit: dsrm "Distinguished Name" (add -subtree to delete the OU together with the objects inside it)
- User: dsrm "Distinguished Name"
- Computer: dsrm "Distinguished Name"
dsrm asks for confirmation unless -noprompt is given; there is no undo short of an authoritative restore (or the AD Recycle Bin on later versions).

Ldifde command
- ldifde -i -k -f file.ldf -b Username Domain Password
  - -i – import mode (without -i, ldifde exports)
  - -k – ignore errors such as "object already exists" and continue with the next entry
  - -f – the LDIF file to import from (or export to)
  - -b – the user name, domain name and password to bind with; leave it out to use the credentials of the logged-on user rather than typing a password on the command line, where it lands in the command history
- Sample file.ldf, which creates the Faculty OU:
  dn: OU=Faculty,DC=PUP,DC=EDU
  changetype: add
  objectClass: organizationalUnit

Creating an OU with a Windows Script (file.vbs)
  Set objDom = GetObject("LDAP://dc=PUP,dc=EDU")
  Set objOU = objDom.Create("OrganizationalUnit", "ou=Faculty")
  objOU.SetInfo
Run: wscript file.vbs

Creating Accounts with Csvde
Create the CSV file:
1. Attribute line – names each attribute, in the order the values will appear:
   DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
2. User account line – the value of each attribute. The DN itself contains commas, so it has to be enclosed in quotes or csvde will read it as several columns:
   "CN=Jorly,OU=Faculty,DC=PUP,DC=EDU",user,ovpajabera,[email protected],Jorly Pajabera,514
   userAccountControl 512 = enabled normal account, 514 = disabled normal account. Csvde cannot import passwords, so under a domain password policy that requires a non-blank password an import with 512 (enabled, blank password) is rejected; import the account disabled (514), set a password (for example with dsmod user -pwd), then enable it.
Run the import:
  csvde -i -f filename.csv -b Username Domain Password

Creating Accounts with a Windows Script (userfile.vbs)
  ' Bind to the OU and create the user object
  Set objOU = GetObject("LDAP://ou=Faculty,dc=PUP,dc=EDU")
  Set objUser = objOU.Create("User", "cn=Jorly")
  objUser.Put "sAMAccountName", "Jorly"
  objUser.Put "givenName", "Jorly"
  objUser.Put "initials", "V"
  objUser.Put "sn", "Pajabera"
  objUser.Put "displayName", "Jorly V Pajabera"
  objUser.Put "department", "CPE"
  objUser.Put "company", "PUP-CEA"
  ' Write the object to the directory (it is created disabled, with no password)
  objUser.SetInfo
  ' Set the password first, then enable; SetPassword is the administrative reset and,
  ' unlike ChangePassword, needs no old password and ignores the minimum password age
  objUser.SetPassword "P@ssw0rd"
  objUser.AccountDisabled = False
  objUser.SetInfo
Run: wscript.exe userfile.vbs
(A password hard-coded in a script file like this is readable by anyone who can read the file; prompt for it, or set a one-time password and require a change at first logon.)

CMPE 351 Network Administration
Domains and Group Policy

Objectives:
- To be able to define what a domain, a tree and a forest are
- To be able to understand how parent and child domains are created
- To be able to know how trust relationships work in the forest
- To be able to manage trusts in the forest
- To be able to define system policy and group policy
- To be able to know the features of Group Policy
- To be able to understand Group Policy Objects
- To be able to apply the Group Policy elements
- To be able to know account policies
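The bulk-creation procedure from the Command-Line and Scripting section above, worked end to end as an added example (this script is not part of the lecture notes): it builds a csvde file with properly quoted DNs, imports the accounts disabled (514), then uses dsmod to set each password and enable the account, and dsquery/dsget to verify the result. Assumptions: the OU OU=Faculty,DC=PUP,DC=EDU exists, the UPN suffix is pup.edu, the names in $people are constructed sample input, and the script runs on a domain controller or a machine with the AD DS command-line tools installed.

```powershell
# Added example (not from the notes): create faculty accounts with csvde, then set passwords
# and enable them with dsmod. Run as a domain administrator where csvde/dsmod/dsget are installed.
$ou        = 'OU=Faculty,DC=PUP,DC=EDU'   # assumption: target OU from the notes
$upnSuffix = 'pup.edu'                    # assumption: UPN suffix of the domain

# Constructed sample input: one entry per account to create.
$people = @(
    @{ First = 'Jorly'; Last = 'Pajabera'; Sam = 'jpajabera' },
    @{ First = 'Ana';   Last = 'Reyes';    Sam = 'areyes'    }
)

function New-CsvdeFile([string]$Path, [array]$People, [string]$Ou, [string]$Suffix) {
    # Header line: attribute names in the order the values follow.
    $lines = @('DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl')
    foreach ($p in $People) {
        $dn = 'CN={0} {1},{2}' -f $p.First, $p.Last, $Ou
        # The DN contains commas, so it is quoted. 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE:
        # csvde cannot import passwords, and the domain password policy rejects an enabled
        # account with a blank password, so the accounts are created disabled and enabled later.
        $lines += '"{0}",user,{1},{1}@{2},{3} {4},514' -f $dn, $p.Sam, $Suffix, $p.First, $p.Last
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

$csvPath = New-CsvdeFile -Path (Join-Path $env:TEMP 'faculty.csv') -People $people -Ou $ou -Suffix $upnSuffix

# Import with the logged-on credentials (no -b, so no password on the command line).
# -k continues past "object already exists" errors, which makes a re-run harmless.
csvde -i -f $csvPath -k
if ($LASTEXITCODE -ne 0) { throw "csvde failed with exit code $LASTEXITCODE" }

# Set a password and enable each account. "-pwd *" makes dsmod prompt for the password
# instead of taking it from the command line, where it would end up in the shell history.
foreach ($p in $people) {
    $dn = 'CN={0} {1},{2}' -f $p.First, $p.Last, $ou
    dsmod user $dn -pwd * -mustchpwd yes -disabled no
}

# Verify: list every user in the OU with the attributes that matter for this procedure.
dsquery user $ou -limit 0 | dsget user -samid -upn -disabled -mustchpwd
```

The same file could be imported with ldifde instead; the important points carry over: create disabled, set the password out of band, enable, then check with dsget rather than assuming the import succeeded.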
Domains and Trusts
Domains are structured into trees and forests. A domain tree is a collection of related domains that share a contiguous DNS namespace; a domain forest is a collection of one or more domain trees. In a domain tree, child domains hang off the parent (root) domain and can be thought of as branches. Once your infrastructure grows beyond a single domain, trust relationships come into play. A trust relationship allows one domain to accept the accounts of another domain for authentication and for access to its resources.

In a Windows 2000 or later forest, the trusts that AD creates automatically (parent-child trusts and the trust between each tree root and the forest root) are transitive and two-way. A transitive trust flows from one domain to another and then on to the next: if domain A trusts domain B and domain B trusts domain C, then domain A also trusts domain C. Trusts you create by hand (external and realm trusts, described below) can be non-transitive, so do not assume every trust is transitive just because it lives in a forest.

Raise the domain functional level: a Windows Server 2008 domain can function at one of three levels:
- Windows 2000 Native
- Windows Server 2003
- Windows Server 2008
The level can only be raised once every domain controller in the domain runs at least that version, and on Windows Server 2008 raising it is not reversible.

Raise the forest functional level: Windows Server 2008 supports three forest functional levels, each offering more capability, although the Windows Server 2008 forest functional level does not actually add features beyond the Windows Server 2003 level. The levels are Windows 2000, Windows Server 2003 and Windows Server 2008. For example, when all domain controllers in every domain are running Windows Server 2008 and each domain has been raised to the Windows Server 2008 domain functional level, you can raise the functional level of the forest to Windows Server 2008.

Add UPN suffixes: in a Windows 2000 or later domain, users can log on with the user principal name (UPN) associated with their account. A UPN takes the form user@upnsuffix, such as [email protected].
Users can also log on with the pre-Windows 2000 logon name, in the form DOMAIN\username. The UPN suffix generally identifies the domain in which the account resides, but it can be the domain's DNS name, the DNS name of another domain in the forest, or an alternative suffix created by the domain administrator solely for logon purposes (a short company name, for example).

Manage domain trusts: with the Active Directory Domains and Trusts console you can verify or remove a trust and create shortcut, realm and external trusts.
Manage forest trusts: you can create a forest trust and manage the routing of specific name suffixes across it.

Working at the Domains and Trusts Level: managing trusts
One of the key tasks you will perform with the Active Directory Domains and Trusts console is managing trust relationships between domains and forests. For example, to verify the trust relationships that exist between domains: click the domain that contains the trust you want to verify and choose Action, then Properties. Click the Trusts tab, click the trust you want to verify and click Properties to open the properties of the trust; Validate checks that the trust still works (the same check is available from the command line as netdom trust ... /verify).

Trust types:
- Shortcut trust: a trust between two non-adjacent domains in the same forest. It shortens the trust path that authentication requests would otherwise walk up and down the tree, so it can improve logon time. Shortcut trusts can be one-way or two-way and are transitive.
- Realm trust: a trust between a non-Windows Kerberos realm (for example an MIT Kerberos realm) and a Windows Server domain. Realm trusts can be one-way or two-way, transitive or non-transitive.
- External trust: connects a Windows Server domain with a Windows NT domain, or with a domain in another forest for which there is no forest trust. External trusts can be one-way or two-way and are non-transitive.
- Forest trust: enables resource sharing between two forests. Forest trusts can be one-way or two-way and are transitive between the domains of the two forests (they do not extend to a third forest).

Group Policy
One of the advantages of Windows 2000 and Active Directory was the introduction of Group Policy, which finally offered a comprehensive and reliable way of configuring servers and computers across an organization in a persistent manner. Before Group Policy, system policies were limited both in what they could do and in how they could be applied.

Group Policy Features
Unlike system policies, whose single capability was writing Registry keys, Group Policy can do a lot more, including the following:
- Deploy applications per user or per machine, with granularity. Applications deployed as Windows Installer packages (MSI files) can be self-healing; older, non-MSI applications can also be deployed with a bit of help from a ZAP file, although a ZAP package can only be published, not assigned, and does not self-heal.
- Run scripts at user logon and logoff and at machine startup and shutdown. Notice this is not just computer startup and user logon: logoff and shutdown scripts had long been a missing feature of Windows.
- Redirect folders such as My Documents to network-based locations.
- Configure local machine policies, including audit and security settings, in addition to user rights on the machine.
- Configure certificate and IP Security (IPsec) policies, and so on.
- Configure the environment and Internet Explorer, such as setting the Internet Explorer home page to the corporate web page.
- Set the membership of local groups (Restricted Groups); for example, define who the members of the local Administrators group are on the machines the GPO applies to, and ensure nobody else stays a member.
- Software restrictions that prohibit certain applications from running; no more Solitaire sidetracking the sales team.

Group Policy Objects (GPOs)
The main component of Group Policy is the Group Policy Object (GPO), a defined set of policies that describes a particular configuration. For example, a GPO might be created to lock down the desktop (disabling the Run dialog and setting the Internet Explorer start page). For now, think of a GPO as a collection of settings chosen from all those available within Group Policy (which is a lot). On its own, however, a GPO does nothing; it is just a collection of settings stored in AD (with its files in the SYSVOL share).

A GPO is broken down into two major sections, Computer Configuration and User Configuration. Each has three child groupings of policy elements:
- Software Settings: deployment of software.
- Windows Settings: scripts, security settings (account policies, audit policy, user rights, restricted groups, and so on) and software restriction policies.
- Administrative Templates: the ADM/ADMX-based settings, which chiefly work by writing to the Registry of the target machine.

Using Group Policy Objects
For a GPO to be useful, it has to be linked to a container of user or computer objects; this is the first big change from system policies. With system policies, the ntconfig.pol file sat in the NETLOGON share of the domain controllers and was read by everyone, with only limited control over which settings applied through user-, group- or computer-specific sections. It was ugly.
GPOs can be linked at three levels (plus a fourth, covered in a moment): an Active Directory site, a domain, and an organizational unit (OU).

Linking a GPO to one or more containers defines its scope of management, in other words the users and computers the GPO affects. GPOs contain settings that apply to the computer and user objects inside the AD containers they are linked to. You can link a GPO to a site, a domain or an OU, but not to a security group; security groups are used to filter which objects inside the scope actually receive the GPO (security filtering). An object in AD exists in only one place, so its position in the OU hierarchy decides which GPOs reach it.

Policies are applied in the following order, and where settings conflict the GPO applied later wins. For a user in the Users OU, under IT, under Savilltech, in the domain savilltech.net, at the Dallas site:
1. The site-linked GPOs, for example the GPOs linked to Dallas.
2. The domain-linked GPOs for savilltech.net.
3. The GPOs linked at the Savilltech OU.
4. The GPOs linked at the IT OU.
5. Finally, the GPOs linked at Users are applied for the user, and the GPOs linked at Computers are applied for the computer.

Local Policy
There is a fourth level of Group Policy: each computer has a local GPO. It is typically managed on the computer itself and is processed first, which means any conflicting setting applied through Active Directory Group Policy overrides the local setting. The way to remember the order of application is LSDOU: Local -> Site -> Domain -> Organizational Unit (parent OU before child OU).

Software Deployment
Although more sophisticated solutions exist for software deployment, such as System Center Configuration Manager and even System Center Essentials, Group Policy is still a good way to deploy software in the absence of a better solution. Group Policy has two types of software deployment: Assigned and Published.

Assigned: when software is assigned to a user, it is installed (advertised with its shortcuts and file associations) when the user logs on to the computer, and the installation is finalized the first time the user runs it.
If software is assigned to a computer, it is installed when the computer starts and is available to every user of the computer. Once again, the installation is considered finalized the first time the software is used. The time to finalize an installation should be minimal (seconds) but depends on the application.

Published: when software is published to a user, it appears in the Add or Remove Programs control panel applet (Programs and Features on Windows Vista and Server 2008) for a manually triggered installation. You cannot publish software to a computer.

Software Restrictions
In addition to deploying software, Group Policy can stop other software from being executed. Software Restriction Policies are available in both User Configuration and Computer Configuration and are found under Windows Settings, Security Settings, Software Restriction Policies. Restrictions set in Computer Configuration stop anyone on the computer from running the restricted software; restrictions set in User Configuration stop only the users in scope.

Account Policy
Account policies are a critical area of configuration that is often overlooked and misconfigured. To enforce a password standard, use the account policies defined in the Default Domain Policy. Password and lockout settings for domain accounts are domain-wide: only a GPO linked at the domain level sets them, and the same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU. Account policies are broken into three areas:
- Password Policy
- Account Lockout Policy
- Kerberos Policy

Password Policy allows the configuration of six key aspects of passwords:
- Enforce password history. Keeps track of the last 0 to 24 passwords, depending on the configuration. A user cannot change his password to any password stored in the history. Default: 24.
- Maximum password age. The maximum age a password may reach before it must be changed; the user is prompted when the password is about to expire. Default: 42 days.
- Minimum password age. The amount of time a password must be in place before it can be changed. Without a minimum age a user could change his password 25 times in a row to cycle through the 24-entry history and land back on the original password; a minimum age of one day prevents that. Default: 1 day.
- Minimum password length. The minimum number of characters a password must have. Default: 7.
- Password must meet complexity requirements. A complex password must:
  - not contain the user's account name, nor more than two consecutive characters of the user's full name
  - be at least 6 characters long
  - contain characters from at least three of the four categories: uppercase letters, lowercase letters, digits, and special characters
- Store passwords using reversible encryption. Disabled by default, and it should stay that way: it stores each password in a form that gives the plaintext to anyone who can read the directory database, which is the same as storing it in clear text. Enable it only for accounts that genuinely need it, such as Challenge-Handshake Authentication Protocol (CHAP) through remote access or Digest authentication in IIS.

Account Lockout Policy defines what happens when wrong passwords are entered for an account.
- Account lockout duration. How long, in minutes, the account stays locked out; 0 means locked until an administrator unlocks it. Typical value: 30 minutes.
- Account lockout threshold. The number of failed logon attempts before the account is locked out. The Default Domain Policy ships with 0, meaning no lockout at all; the value used in these notes is 5 attempts. A threshold stops online password guessing, but a very low value lets an attacker lock out any account on purpose (a denial of service), so choose a balance.
- Reset account lockout counter after. The number of minutes after which the counter of failed attempts is reset to zero. Typical value: 30 minutes.

Kerberos Policy
The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and for the authorization data a user needs to access a resource and perform a task on it. Reducing the lifetime of Kerberos tickets reduces the window in which a stolen ticket can be used by an attacker, but it also increases the overhead of renewing and reissuing tickets. In most environments these settings do not need to be changed.
- Enforce user logon restrictions. Determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account (for example Log on locally and Access this computer from the network). Default: enabled.
- Maximum lifetime for service ticket. The maximum number of minutes that a granted session ticket can be used to access a particular service. Default: 600 minutes.
- Maximum lifetime for user ticket. The maximum amount of time, in hours, that a user's ticket-granting ticket can be used. Default: 10 hours.
- Maximum lifetime for user ticket renewal. The period, in days, during which a user's ticket-granting ticket can be renewed. Default: 7 days.
- Maximum tolerance for computer clock synchronization. The maximum time difference, in minutes, that the Kerberos V5 protocol tolerates between the client clock and the clock of the domain controller that provides Kerberos authentication. Default: 5 minutes; beyond it authentication fails, which is why time synchronization matters in a domain.

CMPE 351 Network Administration
File, DNS, and DHCP

Objectives:
- To be able to know how to install File, DNS and DHCP servers
- To be able to understand some terms used in configuring File, DNS and DHCP servers
- To be able to know how to configure File, DNS and DHCP servers
- To be able to manage File, DNS and DHCP servers
- To be able to troubleshoot File, DNS and DHCP servers

File System Types
- FAT (File Allocation Table): a remnant of the MS-DOS days, restricted to 8.3 file names until Long File Name (LFN) support was added. FAT has no file permissions at all.
- FAT32: designed to address some of the size limitations of FAT as hard drives grew.
- NTFS (New Technology File System): introduced metadata for objects on the file system, allowing many more capabilities, such as security configuration (access control lists) and auditing information. A subset of the metadata for each file is stored in the master file table (MFT), which the file system also uses to decide where to place new files and to manage fragmentation.

File Management
- File ownership: every file and folder has an owner. The owner can always change the permissions on the object, even if the access control list grants the owner nothing, and members of Administrators can take ownership of any object.
- File permissions: who gains access to a file is determined by the permissions set on files and folders, not by ownership. The standard NTFS permissions are:
  - Full Control: read, write, modify and delete files, plus change permissions and take ownership.
  - Modify: read, write, modify and delete files.
  - Read & Execute: view files and run executable files.
  - Read: view files and their attributes.
  - Write: create new files and write to existing ones.
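Two checks a practitioner would run after reading the Account Policy and File Management sections above, as an added example (this script is not part of the lecture notes): it reads the effective domain account policy with net accounts and flags the settings the notes call out as defaults (history 24, minimum length 7, a lockout threshold, a maximum and minimum password age), then lists NTFS entries on a share folder that give Everyone, Authenticated Users or Users write-or-better rights. Assumptions: a domain-joined host, English-language net accounts output, and the folder path D:\Shares\Faculty.

```powershell
# Added example (not from the notes): audit the domain account policy and a folder's NTFS ACL.
# Assumes a domain-joined host with English "net accounts" output.

function Get-AccountPolicy {
    # Parse "net accounts /domain" into a hashtable: setting name -> value string.
    # Lines look like "Minimum password length:                              7".
    $policy = @{}
    foreach ($line in (net accounts /domain)) {
        if ($line -match '^(.+?):\s+(.+?)\s*$') {
            $policy[$matches[1].Trim()] = $matches[2]
        }
    }
    return $policy
}

function ConvertTo-Number($value) {
    # net accounts prints "Never", "Unlimited" or "None" where a limit is switched off; treat those as 0.
    $n = 0
    if ([int]::TryParse([string]$value, [ref]$n)) { return $n }
    return 0
}

function Test-AccountPolicy($policy) {
    $findings = @()
    # Thresholds are the defaults quoted in the notes. "Never" as the lockout threshold means
    # unlimited password guessing; "Unlimited" maximum age means passwords never expire.
    if ((ConvertTo-Number $policy['Minimum password length']) -lt 7)                { $findings += 'minimum password length below 7' }
    if ((ConvertTo-Number $policy['Length of password history maintained']) -lt 24) { $findings += 'password history shorter than 24' }
    if ((ConvertTo-Number $policy['Minimum password age (days)']) -lt 1)            { $findings += 'no minimum password age (history can be cycled)' }
    if ($policy['Maximum password age (days)'] -eq 'Unlimited')                     { $findings += 'passwords never expire' }
    if ($policy['Lockout threshold'] -eq 'Never')                                   { $findings += 'no account lockout threshold' }
    return $findings
}

function Find-BroadAccess([string]$Path) {
    # Flag Allow entries that give broad principals Write or better (Modify and Full Control include Write).
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            ([int]($_.FileSystemRights -band $write)) -ne 0
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage
$findings = @(Test-AccountPolicy (Get-AccountPolicy))
if ($findings.Count -eq 0) { 'Account policy: OK' } else { $findings | ForEach-Object { "Account policy: $_" } }
Find-BroadAccess -Path 'D:\Shares\Faculty'   # assumption: the share folder to check
```

net accounts reports the policy the domain controller actually enforces, so it also catches the case where a password policy was set in a GPO linked to an OU and therefore never applied to domain accounts.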
Domain Name Service
The Domain Name System (DNS) is the name resolution system of choice in Windows, and Active Directory depends on it: without DNS, clients cannot locate domain controllers and computers have a very hard time communicating with each other. Many Windows networks still run the Windows Internet Name Service (WINS) alongside it, for NetBIOS name resolution on local area networks.

Installation
You can install a DNS server from Server Manager, or when promoting a member server to a domain controller (DC): during the promotion, if no DNS server is found, you are offered the option of installing one. From Server Manager, choose Add Roles and follow the wizard, selecting the DNS Server role.

DNS console and configuration
After installing DNS, open the DNS console from Start | All Programs | Administrative Tools | DNS. Windows Server 2008 provides a wizard to help configure DNS. When configuring your DNS server, you must be familiar with the following concepts:
- Forward lookup zone
- Reverse lookup zone
- Zone types

A forward lookup zone resolves host names to IP addresses. A reverse lookup zone is the exact opposite: it lets a DNS server resolve an IP address to the DNS name of the host. A reverse lookup zone is not required, but it is easy to configure and gives your Windows Server 2008 DNS server full functionality (tools such as nslookup, and logs that record client addresses, can then show names instead of bare addresses).

When selecting a DNS zone type, you have three options: Active Directory (AD) Integrated, Standard Primary and Standard Secondary. AD Integrated stores the zone data in AD, replicates it to the other domain controllers with AD replication, and is the only type that supports secure dynamic updates, where only the computer that registered a record (authenticated through Kerberos) may change it. This option appears only if AD is configured.

A Standard Primary zone stores the zone in a text file (%systemroot%\System32\dns\<zone>.dns).
This text file can be shared with other DNS servers that also store their zones in text files, through zone transfers. A Standard Secondary zone is a read-only copy of a zone pulled from another DNS server by zone transfer; it is used mainly for redundancy and to spread query load. Because a zone transfer hands out every record in the zone, restrict transfers (Zone Transfers tab of the zone properties) to the servers listed on the Name Servers tab, or to an explicit list, rather than allowing them to any server that asks.

To run the DNS server configuration wizard:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Highlight your server name and choose Action | Configure a DNS Server... to launch the Configure a DNS Server Wizard.
3. Click Next and choose what to configure: a forward lookup zone; forward and reverse lookup zones; or root hints only.
4. Select the radio button for the desired zone type.
5. Click Next and enter the information that identifies the reverse lookup zone (the network ID of the subnet).
6. Choose whether to create a new zone file or use an existing DNS file.
7. If you need a DNS forwarder (a server that resolves names your server is not authoritative for), enter it on the Forwarders page.

Managing DNS records
There are many types of DNS records, most of which you will never use. The commonly used records are:
- Start of Authority (SOA)
- Name Server (NS)
- Host (A)
- Pointer (PTR)
- Canonical Name (CNAME) or Alias
- Mail Exchange (MX)

Start of Authority (SOA) record: the SOA record is always first in any standard zone. The Start of Authority (SOA) tab of the zone properties lets you make any adjustments necessary: you can change the primary server that holds the SOA record and the person responsible for managing the zone. You can also change the DNS server configuration without deleting your zones and having to reinvent the wheel.

Host (A) records: a Host (A) record maps a host name to an IP address. These records are how the servers in a forward lookup zone are found.
When you create a host record you can also create the matching Pointer (PTR) record at the same time. A PTR record resolves an IP address to a host name.

Pointer (PTR) records: a Pointer (PTR) record creates the entry in the reverse lookup zone that answers reverse queries. You can create the PTR record while creating a Host record; if you did not, you can add it at any point.

Canonical Name (CNAME) or Alias records: a CNAME record lets a single host have additional names. For example, several alias records can point to one server in your environment, a common approach when both your web server and your mail server run on the same machine (www and mail both resolve to the same host).

Mail Exchange (MX) records: MX records identify the mail servers for a domain in your DNS zone. Each MX record carries a preference value, and the server with the lowest value is tried first, so you can prioritize which mail server receives mail. Creating MX records also helps you keep track of where all of your mail servers are.

Other new records: you can create many other record types. For a complete description, choose Action | Other New Records from the DNS console, select the record type and read its description.

Troubleshooting DNS servers
When troubleshooting DNS servers, the nslookup utility will become your best friend. It is easy to use and very versatile, and it is a command-line utility included with Windows Server 2008. With nslookup you can send test queries to your DNS servers, which helps in troubleshooting name resolution problems and in debugging other server-related problems. You can launch nslookup right from the DNS console (right-click the server and choose Launch nslookup).
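The record checks described in the DNS section above, carried out with the two tools that ship with Windows Server 2008, as an added example (this script is not part of the lecture notes): nslookup queries the SOA, NS, MX, A and PTR records against a chosen server, and dnscmd shows the zone's dynamic-update and zone-transfer settings. Assumptions: the zone pup.edu, a DNS server dc1.pup.edu, a host www.pup.edu and the address 192.168.1.10 are all made up for the example; dnscmd needs administrative rights on the DNS server.

```powershell
# Added example (not from the notes): query a zone with nslookup and inspect its settings with dnscmd.
$zone   = 'pup.edu'        # assumption: zone name
$server = 'dc1.pup.edu'    # assumption: DNS server to query

function Get-DnsRecord([string]$Type, [string]$Name, [string]$Server) {
    # nslookup -type=<record> <name> <server> runs one non-interactive query against a chosen server.
    # The first lines name the server that answered; the rest is the answer (or "Non-existent domain").
    $out = & nslookup "-type=$Type" $Name $Server 2>&1
    return $out | Where-Object { $_ -and ($_ -notmatch '^(Server|Address):') }
}

function ConvertTo-ReverseName([string]$IPv4) {
    # PTR records live under in-addr.arpa with the octets reversed: 192.168.1.10 -> 10.1.168.192.in-addr.arpa
    $octets = $IPv4.Split('.')
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

# Forward records covered in the notes: SOA (always first in the zone), NS, MX and a host (A) record.
foreach ($t in 'SOA', 'NS', 'MX') { "--- $t $zone"; Get-DnsRecord $t $zone $server }
"--- A www.$zone"; Get-DnsRecord 'A' "www.$zone" $server

# Reverse lookup: the PTR record for 192.168.1.10 from the reverse lookup zone.
$ptrName = ConvertTo-ReverseName '192.168.1.10'
"--- PTR $ptrName"; Get-DnsRecord 'PTR' $ptrName $server

# Zone settings on the server itself (run on the DNS server as an administrator):
#   update: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only (AD-integrated zones only)
#   secure secondaries: which servers may pull a zone transfer, i.e. a copy of every record in the zone
"--- zone settings for $zone"
dnscmd $server /ZoneInfo $zone | Where-Object { $_ -match 'update|secondar|notify|integrated' }

# Restrict transfers to the servers in the zone's NS records instead of any host that asks:
# dnscmd $server /ZoneResetSecondaries $zone /SecureNs
```

An "update = 1" on a zone that holds domain controller records means any host on the network can overwrite those records; switch the zone to AD Integrated with secure updates only.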
DHCP
Dynamic Host Configuration Protocol (DHCP) is a core infrastructure service on any network: it hands out IP addressing and DNS server information to PC clients and any other device. DHCP is used so that you do not have to statically assign an IP address to every device on your network and manage the problems that static addressing creates. Increasingly, DHCP is being extended to fit into new network services such as Network Access Protection (NAP) and its client health checks.

DHCP: Installation
1. Start from a Windows Server 2008 system already installed and configured with a static IP address.
2. Plan the network's IP address range: the range of addresses you want to hand out to PC clients, your DNS server addresses and your default gateway.
3. Plan for all subnets involved, the scopes you will define and the exclusions you will create (the addresses of servers, printers and other statically configured devices that fall inside the range).
4. In Server Manager, click Add Roles.
5. In the Add Roles Wizard, click Next, select DHCP Server and click Next.
6. On Select Network Connection Bindings, confirm the statically addressed interface the server will listen on and click Next.
7. Enter the parent domain, primary DNS server and alternate DNS server and click Next.
8. Add a scope: enter the scope name, starting and ending IP address, subnet mask, default gateway and type of subnet, and click OK.
9. When the wizard asks, authorize the DHCP server in Active Directory with domain administrator credentials. A DHCP server on a domain-joined host that is not authorized will not lease addresses; authorization is the control that keeps a rogue DHCP server from handing clients a bogus gateway or DNS server.
10. Confirm the installation by clicking Install.

DHCP: Management
1. To check whether the DHCP configuration is active, open Administrative Tools and click DHCP.
2. The DHCP window opens.
3. Expand IPv4 >> Scope >> Address Pool. It shows the start and end of the distribution range and any exclusions.
4. Expand Scope Options. It shows the router (default gateway), DNS server and DNS domain name options handed to clients.
5. Check that the DHCP server gives an IP address to a client computer.
6. At the client's command prompt, run ipconfig /release and press Enter, then ipconfig /renew and press Enter.
7. ipconfig /all displays the IP address, subnet mask, gateway and DNS servers given by the DHCP server, together with the address of the DHCP server that issued the lease; if that address is not your server, another DHCP server is answering on the segment.
8. On the DHCP server, Address Leases displays the IP address, host name, lease expiration and type of each client's lease.
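The management checks above from both sides, as an added example (this script is not part of the lecture notes): netsh dhcp lists the servers authorized in Active Directory, the scope, its pool, exclusions, options and leases on the server, and a client-side function releases and renews the lease and reports which server issued it. Assumptions: the scope is 192.168.1.0/24, the DHCP server is 192.168.1.2, and the netsh dhcp context is available (it is installed with the DHCP Server role or tools).

```powershell
# Added example (not from the notes): verify a DHCP deployment from the server and from a client.
# Assumptions: scope 192.168.1.0/24 and DHCP server 192.168.1.2.

# --- Server side ---
# Servers authorized in Active Directory. A domain-joined DHCP server that is not on this list does
# not lease addresses; authorization exists to stop a rogue server handing out a bogus gateway or DNS.
netsh dhcp show server

# Scopes on this server, the address pool, exclusions, the options clients receive
# (3 = router, 6 = DNS servers, 15 = DNS domain name) and the current leases (1 = verbose).
netsh dhcp server show scope
netsh dhcp server scope 192.168.1.0 show iprange
netsh dhcp server scope 192.168.1.0 show excluderange
netsh dhcp server scope 192.168.1.0 show optionvalue
netsh dhcp server scope 192.168.1.0 show clients 1

# --- Client side ---
function Test-DhcpLease([string]$ExpectedServer) {
    # Release and renew, then read the lease back from WMI rather than parsing ipconfig text.
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE'
    foreach ($a in $adapters) {
        New-Object PSObject -Property @{
            Adapter            = $a.Description
            IPAddress          = ($a.IPAddress -join ', ')
            SubnetMask         = ($a.IPSubnet -join ', ')
            Gateway            = ($a.DefaultIPGateway -join ', ')
            DnsServers         = ($a.DNSServerSearchOrder -join ', ')
            DhcpServer         = $a.DHCPServer
            LeaseExpires       = $a.ConvertToDateTime($a.DHCPLeaseExpires)
            # False means another DHCP server answered first: look for a rogue server on the segment.
            FromExpectedServer = ($a.DHCPServer -eq $ExpectedServer)
        }
    }
}
Test-DhcpLease -ExpectedServer '192.168.1.2' | Format-List
```

The client-side check is worth keeping as a routine test: a rogue DHCP server (a misconfigured home router plugged into a lab, or a deliberate one) shows up as a lease whose DhcpServer is not the authorized address.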
