Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
103 Cards in this Set
- Front
- Back
|
Understand Active Directory basic concepts
Install and configure Active Directory Implement Active Directory containers |
Create and manage user accounts
Configure and use security groups Describe and implement new Active Directory features |
|
|
Active Directory Basics
|
Directory service that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information
|
|
|
Directory service
|
Responsible for providing a central listing of resources and ways to quickly find and access specific resources and for providing a way to manage network resources
|
|
|
Windows Server 2008 uses
|
Active Directory to manage accounts, groups, and many more network management services
|
|
|
Domain controllers (DCs)
|
Servers that have the AD DS server role installed
Contain writable copies of information in Active Directory |
|
|
Domain controllers (DCs)
|
Servers that have the AD DS server role installed
Contain writable copies of information in Active Directory |
|
|
Member servers
|
Servers on a network managed by Active Directory that do not have Active Directory installed
|
|
|
Domain
|
Container that holds information about all network resources that are grouped within it
Every resource is called an object |
|
|
Multimaster replication
|
Each DC is equal to every other DC in that it contains the full range of information that composes Active Directory
Active Directory is built to make replication efficient |
|
|
Schema
|
Active Directory schema
Defines the objects and the information pertaining to those objects that can be stored in Active Directory User account One class of object in Active Directory that is defined through schema elements unique to that class |
|
|
Global Catalog
|
Global catalog
Stores information about every object within a forest Store a full replica of every object within its own domain and a partial replica of each object within every domain in the forest |
|
|
The first DC configured in a forest becomes
|
the global catalog server
|
|
|
The global catalog server enables
|
forest-wide searches of data
|
|
|
Namespace
Active Directory uses Domain Name System (DNS) |
There must be a DNS server on the network that Active Directory can access
|
|
|
Namespace
|
A logical area on a network that contains directory services and named objects
Has the ability to perform name resolution |
|
|
Active Directory depends on one or more
|
DNS servers
|
|
|
Active Directory employs two kinds of namespaces:
|
contiguous and disjointed
|
|
|
Containers in Active Directory
|
Active Directory has a treelike structure
The hierarchical elements, or containers, of Active Directory include forests, trees, domains, organizational units (OUs), and sites Active Directory has a treelike structure The hierarchical elements, or containers, of Active Directory include forests, trees, domains, organizational units (OUs), and sites |
|
|
Forest
|
Consists of one or more Active Directory trees that are in a common relationship
|
|
|
Forests have the following characteristics:
|
The trees can use a disjointed namespace
All trees use the same schema All trees use the same global catalog Domains enable administration of commonly associated objects, such as accounts and other resources, within a forest Two-way transitive trusts are automatically configured between domains within a single forest |
|
|
Tree
|
Contains one or more domains that are in a common relationship
|
|
|
Tree has the following characteristics:
|
Domains are represented in a contiguous namespace and can be in a hierarchy
Two-way trust relationships exist between parent domains and child domains All domains in a single tree use the same schema for all types of common objects All domains use the same global catalog |
|
|
Domain
|
Microsoft views a domain as a logical partition within an Active Directory forest
|
|
|
A domain is a grouping of objects that typically exists as a primary container within Active Directory
|
a grouping of objects that typically exists as a primary container within Active Directory
|
|
|
The basic functions of a domain are as follows:
|
To provide an Active Directory ‘‘partition’’ in which to house objects that have a common relationship, particularly in terms of management and security
To establish a set of information to be replicated from one DC to another To expedite management of a set of objects |
|
|
Organizational unit (OU)
|
Offers a way to achieve more flexibility in managing the resources associated with a business unit, department, or division
Than is possible through domain administration alone |
|
|
An OU is a grouping of related objects within a domain
|
OUs allow the grouping of objects so that they can be administered using the same group policies
|
|
|
OUs can be nested within
|
OUs
|
|
|
Site
|
A TCP/IP-based concept (container) within Active Directory that is linked to IP subnets
|
|
|
A site has the following functions:
|
Reflects one or more interconnected subnets
Reflects the physical aspect of the network Is used for DC replication Is used to enable a client to access the DC that is physically closest Is composed of only two types of objects, servers and configuration objects |
|
|
Active Directory Guidelines
|
Above all, keep Active Directory as simple as possible
Plan its structure before you implement it Implement the least number of domains possible With one domain being the ideal and building from there Implement only one domain on most small networks Use OUs to reflect the organization’s structure Create only the number of OUs that are absolutely necessary |
|
|
User Account Management
Default accounts: |
Administrator and Guest
|
|
|
Accounts can be set up in two general environments:
|
Accounts that are set up through a stand-alone server that does not have Active Directory installed
Accounts that are set up in a domain when Active Directory is installed |
|
|
Q. Security Group Management
One of the best ways to manage accounts is |
A. by grouping accounts that have similar characteristics
|
|
|
Q. Scope of influence (or scope)
|
A. The reach of a group for gaining access to resources in Active Directory
|
|
|
Q. Types of groups:
|
A. Local
Domain local Global Universal |
|
|
Q. Security Group Management (continued)
All of these groups can be used for security or distribution groups |
A. Security groups
Distribution groups |
|
|
Q. Security groups
|
A. Used to enable access to resources on a stand-alone server or in Active Directory
|
|
|
Q. Distribution groups
|
A. Used for e-mail or telephone lists, to provide quick, mass distribution of information
|
|
|
Q. Implementing Local Groups
Implementing Local Groups |
A. Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain
|
|
|
Q. Instead of installing Active Directory, you can divide accounts into local groups
|
A. Each group would be given different security access based on the resources at the server
|
|
|
Q. Implementing Domain Local Groups
Domain local security group Used when |
A. Active Directory is deployed
|
|
|
Q. Typically used to manage resources in a
|
A. domain and to give global groups from the same and other domains access to those resources
|
|
|
Q. The scope of a domain local group is
|
A. the domain in which the group exists
|
|
|
Q. The typical purpose of a domain local group is
|
A. to provide access to resources
|
|
|
Q. You grant access to servers, folders, shared folders, and printers to a
|
A. domain local group
|
|
|
Q. Implementing Global Groups
Global security group Intended to contain user accounts from a |
A. single domain
|
|
|
Q. Can also be set up as a member of a ...
|
A. domain local group in the same or another domain
|
|
|
Q. A global group can contain
|
A. user accounts and other global groups from the domain in which it was created
|
|
|
Q. A global group can be converted to a universal group
|
A. As long as it is not nested in another global group or in a universal group
|
|
|
Q. Implementing Universal Groups
Universal security groups |
A. Provide a means to span domains and trees
|
|
|
Q. Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain
|
A. Universal groups are offered to provide an easy means to access any resource in a tree
Or among trees in a forest |
|
|
Q. Properties of Groups
You can configure the properties of a specific group |
A. By double-clicking that group in the Local Users and Groups tool for a stand-alone (nondomain) or member server
Or in the Active Directory Users and Computers tool for DC servers in a domain |
|
|
Q. Properties are configured using the following tabs:
|
A. General
Members Member Of Managed By |
|
|
Q. Implementing User Profiles
A local user profile is .. |
A. is automatically created at the local computer when you log on with an account for the first time
|
|
|
Q. The profile can be modified to consist of desktop settings that are
|
A. customized for one or more clients who log on locally
|
|
|
Q. User profiles advantages
|
A. Multiple users can use the same computer and maintain their own customized setting
Profiles can be stored on a network server so they are available to users regardless of the computer they use to log on (roaming profile) Profiles can be made mandatory so users have the same settings each time they log on (mandatory profile) |
|
|
Q. What’s New in Windows Server 2008 Active Directory
Five new features deserve particular mention: |
A. Restart capability
Read-Only Domain Controller Auditing improvements Multiple password and account lockout policies in a single domain Active Directory Lightweight Directory Services role |
|
|
Q. Restart Capability
Windows Server 2008 provides the option ... |
A. to stop Active Directory Domain Services
Without taking down the computer |
|
|
Q. Restart Capability
After your work is done on Active Directory, you simply |
A. restart Active Directory Domain Services
|
|
|
Q.
|
A.
|
|
|
Q.
|
A.
|
|
|
Q.
|
A.
|
|
|
Q. Security Group Management
One of the best ways to manage accounts is... |
by grouping accounts that have similar characteristics
|
|
|
Q. Scope of influence (or scope)
|
The reach of a group for gaining access to resources in Active Directory
|
|
|
Q. Types of groups:
|
Local
Domain local Global Universal |
|
|
Q. All of these groups can be used for security or distribution groups
|
Security groups
Used to enable access to resources on a stand-alone server or in Active Directory Distribution groups Used for e-mail or telephone lists, to provide quick, mass distribution of information |
|
|
Q. Local security group
Used to manage resources on a stand-alone computer that is |
not part of a domain and on member servers in a domain
|
|
|
Q. Instead of installing Active Directory, you can divide accounts into local groups
|
Each group would be given different security access based on the resources at the server
|
|
|
Q. Implementing Domain Local Groups
Domain local security group |
Used when Active Directory is deployed
Typically used to manage resources in a domain and to give global groups from the same and other domains access to those resources |
|
|
Q. The scope of a domain local group is the domain in which the group exists
|
The typical purpose of a domain local group is to provide access to resources
You grant access to servers, folders, shared folders, and printers to a domain local group |
|
|
Q. Global security group
|
Intended to contain user accounts from a single domain
Can also be set up as a member of a domain local group in the same or another domain |
|
|
Q. A global group can
|
contain user accounts and other global groups from the domain in which it was created
|
|
|
Q. A global group can
|
be converted to a universal group
As long as it is not nested in another global group or in a universal group |
|
|
Q. Universal security groups
Provide a means to span domains and trees |
Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain
Universal groups are offered to provide an easy means to access any resource in a tree Or among trees in a forest |
|
|
Q. Properties of Groups
You can configure the properties of a specific group |
By double-clicking that group in the Local Users and Groups tool for a stand-alone (nondomain) or member server
Or in the Active Directory Users and Computers tool for DC servers in a domain |
|
|
Q. Properties are configured using the following tabs:
|
General
Members Member Of Managed By |
|
|
Q. Implementing User Profiles
A local user profile is automatically created at the local computer when you log on with an account for the first time |
The profile can be modified to consist of desktop settings that are customized for one or more clients who log on locally
|
|
|
Q. User profiles advantages
|
Multiple users can use the same computer and maintain their own customized setting
Profiles can be stored on a network server so they are available to users regardless of the computer they use to log on (roaming profile) Profiles can be made mandatory so users have the same settings each time they log on (mandatory profile) |
|
|
Q. What’s New in Windows Server 2008 Active Directory
Five new features deserve particular mention: |
Restart capability
Read-Only Domain Controller Auditing improvements Multiple password and account lockout policies in a single domain Active Directory Lightweight Directory Services role |
|
|
Q. Restart Capability
|
Windows Server 2008 provides the option to stop Active Directory Domain Services
Without taking down the computer After your work is done on Active Directory, you simply restart Active Directory Domain Services |
|
|
Q. Read-Only Domain Controller
Read-Only Domain Controller (RODC) |
Read-Only Domain Controller (RODC)
|
|
|
Q. An RODC can still function as
|
a Key Distribution Center for the Kerberos authentication method
|
|
|
Q. The purpose of having an RODC is for better ...
|
security at branch locations
Where physical security measures might not be as strong as at a central office |
|
|
Q. An RODC can also be
|
configured as a DNS server
|
|
|
Q. Auditing Improvements
Server administrators can now create an audit trail of many types of changes that might be made in ... |
Active Directory, including when:
There are attribute changes to the schema Objects are moved, such as user accounts moved from one OU to a different one New objects are created, such as a new OU A container or object is deleted and then brought back, even if it is moved to a different location than where it was originally located |
|
|
Q. Multiple Password and Account Lockout Policies in a Single Domain
- You can set up multiple password and account lockout security requirements |
And associate them with a security group or user
|
|
|
Q. You can also associate them with an OU by creating a ‘‘global shadow security group’’
|
A group that can be mapped to an OU
This process is called setting up ‘‘fine-grained password policies’’ |
|
|
Q. Active Directory Lightweight Directory Services (AD LDS) role
|
Targeted for servers that manage user applications
Enables the applications to store configuration and vital data in a central database |
|
|
AD LDS is more forgiving than AD DS
|
If you make a mistake in a modification the mistake in most circumstances does not affect how users access their accounts and resources in a domain
|
|
|
Q. AD LDS is installed as a server role via Server Manager
|
server role via Server Manager
|
|
|
Q. Summary
Active Directory (or AD DS) is |
a directory service to house information about network resources
|
|
|
Q. Servers housing Active Directory are called
|
domain controllers (DCs)
|
|
|
Q. The most basic component of Active Directory is
|
an object
|
|
|
Q. The global catalog stores information about every object, replicates key Active Directory elements, and is used to
|
authenticate user accounts when they log on
|
|
|
Q. A namespace consists of using the Domain Name System for resolving computer and domain names to
|
IP addresses and vice versa
|
|
|
Q. Active Directory is a hierarchy of logical containers:
|
forests, trees, domains, and organizational units
|
|
|
Q. You can delegate management of many Active Directory containers to
|
specific types of administrators
|
|
|
Q. User accounts enable
|
individual users to access specific resources
|
|
|
On a stand-alone or member server, you can create
|
local security groups to help manage user accounts
|
|
|
Q. User profiles are tools for
|
customizing accounts
|
|
|
Q. The ability to stop and restart Active Directory without taking down a DC is
|
new to Windows Server 2008
|
|
|
Q. Three additional new features include new Active Directory auditing capabilities,
|
fine-grained password policies, and the Active Directory Lightweight Directory Services role
|
