ACTIVE DIRECTORY FINAL EXAM REVIEW
Nesting
Nesting is the process of adding groups to other groups. It is not a good idea to have too many layers
of groups within groups; it becomes too complicated. Keep them shallow, no more than 3 layers.
You can’t put local groups into anything other than local groups.
What are the use of Global groups and Domain local groups?
Global groups by definition are usually related to a geographic location. Once you have
assembled the users in this geographic location, you add them to the Global Group. When
this is done, you add the Global Group to the Domain Local Group and then assign the
appropriate permissions. There are also 10 built-in global groups created when you install
Windows 2000, and they are: Domain Admins, Domain Guests, Domain Controllers,
Domain Computers, Domain Users, Proxy, Certificate Publishers, and Group Policy Creator Owners.
Domain Local Groups are located where the resource is accessed. The Global groups are
added to the Domain Local Groups. There are 9 built-in Domain Local Groups and they are:
Account Operators, Replicator, Administrators, Print Operators, Server Operators, Backup
Operators, Pre-Windows 2000 Compatibility Users, Users.
What new groups exist for Win2K?
Group Scopes
When you create a group you must select a group type and a group scope. There are three
group scopes: global, domain local, and universal. NOTE: A group's type (security or
distribution) can be changed.
Which Groups exist by default?
There are 19 built-in default groups; do not count system groups as part of the built-in groups.
Group Types
Security and Distribution groups are the two types of groups. Security groups have all the features
of Distribution groups, and you can also use Security groups for non-security-related purposes.
Distribution Groups are not used very often and are not security related. They are usually used for
sending e-mail messages to a group of users at the same time.
Good User and group Management Techniques
Create groups around the appropriate resources, and add users to groups. Use the AGULP rule.
Remove the Everyone group if necessary, and replace it with the Authenticated Users group.
Rename the Administrator account.
Do not surf the Web using the Administrator account; use the renamed account if necessary.
Only give users the permissions they need.
Apply NTFS permissions before you share the folder.
Delegate administrative control.
Avoid the Deny permission like the plague.
ACL
Access Control List is the mechanism for limiting access to certain items of information or certain
controls based on users' identity and their membership in various predefined groups. Access
control is typically used by system administrators for controlling user access to network resources
such as servers, directories, and files and is typically implemented by granting permissions to users
and groups for access to specific objects.
Data Folders, Application Folders
Data folders are backed up; application folders are not usually backed up. In the
Application folder, remove the Everyone group and replace it with Authenticated Users. In the
Data folder, Creator Owner = Full Control, Administrators = Modify, Authenticated Users = Read.
NTFS Permission usage
It is a good idea to replace the Everyone group with Authenticated Users.
Deny permissions only when necessary; use Deny sparingly.
To simplify administration, group files into application, data and home folders.
Assign permissions to groups rather than to individual users.
Ensure that the Administrator has Full Control of all of the resources, so you do not lock
yourself out of the system.
Permissions
With NTFS permissions you can set permissions at the file or folder level. File-level
security overrides folder-level security.
Permissions should also only be done at the user level. Special Permissions do not propagate
by default to the levels below.
Denying Permissions
Be careful when using Deny permissions; use them only sparingly. If you have a user you
want to deny permission to, you should put them into a group and deny that individual user.
(page 582)
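The AGULP chain and the permission rules in the sections above (users in a global group, the global group in a domain local group, permissions on the domain local group; file-level entries overriding folder-level ones; Deny beating Allow; Administrators keeping Full Control so nobody is locked out) can be modelled in a few lines. The following Python is an added example written for these notes, not code from the page or from Microsoft; the users, groups, folder and file names are constructed sample data, and the evaluation rules are a deliberately simplified model of NTFS behaviour.

```python
"""Model of AGULP nesting (Accounts -> Global -> domain Local -> Permissions)
and simplified NTFS-style permission evaluation.

Added illustration for these notes, not code from the original page. Group, user
and file names are constructed sample data; the evaluation rules are a simplified
model (the first level with a matching entry decides, and Deny beats Allow there)."""
from dataclasses import dataclass, field

READ, WRITE, MODIFY, FULL = "Read", "Write", "Modify", "Full Control"
# Rights implied by each standard permission (simplified NTFS semantics)
IMPLIED = {
    READ: {READ},
    WRITE: {WRITE},
    MODIFY: {READ, WRITE, MODIFY},
    FULL: {READ, WRITE, MODIFY, FULL},
}


@dataclass
class ACE:
    """One access control entry: a principal, a permission and Allow/Deny."""
    principal: str
    right: str
    deny: bool = False


@dataclass
class Node:
    """A file or folder carrying its own ACL; parent is the containing folder."""
    name: str
    aces: list = field(default_factory=list)
    parent: "Node | None" = None


GROUPS = {}  # group name -> set of direct members (users or other groups)


def expand_membership(principal):
    """Return the principal plus every group it belongs to, transitively,
    so a user in a global group nested in a domain local group gets both."""
    result = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in result and members & result:
                result.add(group)
                changed = True
    return result


def effective_rights(user, node):
    """Evaluate the first level (the file, then its folders) that has a matching
    ACE; within that level Deny entries remove rights granted by Allow entries."""
    sids = expand_membership(user)
    level = node
    while level is not None:
        matching = [ace for ace in level.aces if ace.principal in sids]
        if matching:
            allowed, denied = set(), set()
            for ace in matching:
                (denied if ace.deny else allowed).update(IMPLIED[ace.right])
            return allowed - denied
        level = level.parent
    return set()  # no entry anywhere: no access


def admin_has_full_control(node):
    """Check the notes' rule that Administrators keep Full Control on every resource."""
    return FULL in effective_rights("Administrators", node)


def build_sample():
    """Constructed sample: Boston sales users -> global group -> domain local group -> ACL."""
    GROUPS.clear()
    GROUPS["G_Boston_Sales"] = {"alice", "bob"}          # Global: users by location
    GROUPS["DL_SalesData_Modify"] = {"G_Boston_Sales"}   # Domain Local: where the resource lives
    GROUPS["Administrators"] = {"admin"}
    sales = Node("Sales", [ACE("DL_SalesData_Modify", MODIFY), ACE("Administrators", FULL)])
    # File-level ACL: same group allowed, plus an explicit Deny for one user
    payroll = Node("payroll.xls",
                   [ACE("DL_SalesData_Modify", MODIFY), ACE("bob", FULL, deny=True)],
                   parent=sales)
    return sales, payroll


if __name__ == "__main__":
    sales, payroll = build_sample()
    for user in ("alice", "bob", "admin"):
        print(user, "on Sales:", sorted(effective_rights(user, sales)),
              "| on payroll.xls:", sorted(effective_rights(user, payroll)))
    print("Administrators keep Full Control:", admin_has_full_control(payroll))
```

Running it shows alice getting Modify on both the folder and the file through the nested groups, bob losing everything on payroll.xls because the file-level Deny wins over the inherited Allow, and admin keeping Full Control because the folder entry still applies to the file. Adding a Deny at the folder level instead would block the whole group, which is why the notes say to use Deny sparingly.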
The maximum share length for Windows 95 is 12 characters.
80
Port 80 is the HTTP port. 80 also represents the Windows 2000 share length.
255 (chapter 4)
Domain names cannot exceed 255 characters and are not case-sensitive; 256 is the
maximum, with one of the characters being the control character. This includes spaces
in the path name.
$ (hidden Administrative share)
The $ signifies that the folder is shared. If you go into Computer Management you can view
all the shared folders. You will also see the drives shared out. When you go into Windows
Explorer, you do not see the $ share; it is hidden from the user. In Windows 2000, by default
Administrators and Server Operators can share folders. On a member server, only Power
Users can share by default.
Workgroup
First of all you should share out the folder, and everyone who has access to the network can
share the files; Power Users by default.
Domain
In a domain you must have access to the network, and you must have permissions to access
the files. You must also have the folders shared.
Account Operators and Administrators can share by default.
How to Share
Click Share As and add the name. Consider the naming conventions; Professional shares = 10.
The consequence of stopping sharing midstream is that users may lose some data.
DFS
Distributed File System is in Windows 2000 and allows system administrators to make it easy
for users to access and manage files that are physically distributed across the network. The
location of the files is transparent to users; they do not know where a file is loading from.
The root folder must be an empty folder.
1000 (page 331)
The maximum number of Dfs links that you can assign to a Dfs root is 1000.
Replicas
By default, Dfs replication runs every 30 minutes.
How to control OUs
An OU is an Organizational Unit, a container into which users are placed. You can
have an OU within an OU. Use the Delegation wizard. Apply permissions at the OU level. Keep
the layering simple, and ensure one person within the OU has Full Control of the OU.
Publishing Shares to AD
Shared resources in Active Directory are printers, folders, and files, and publishing them makes
it easy for users to find these resources on the network. Printers are automatically published to
Active Directory. Publishing can be done via Start/Programs/Administrative Tools/Active Directory
Users and Computers: right-click the container you want to publish in, and share the folder.
Publish to users only, not computers. Publishing printers is done by default.
Orphaned Objects
Objects that are not moved are classified as orphaned objects and are placed in an "orphan"
container in the LostAndFound container in the source domain. You can see LostAndFound
in the Advanced view of Active Directory Users and Computers. Orphaned objects cannot
be moved.
LostAndFound
The LostAndFound container is visible in Active Directory Users and Computers (Advanced view).
Movetree -- How is it used? (page 363)
The Movetree command-line utility is used to move Active Directory objects such as OUs,
users and groups between domains in a single forest, with some exceptions.
The Movetree utility is on the Support Tools on the CD-ROM.
Review the rules for moving the domains.
Movetree Log Files?
There are three log files:
MOVETREE.ERR lists the errors encountered during the MOVETREE operation.
MOVETREE.LOG lists statistical results of the MOVETREE operation.
MOVETREE.CHK lists any potential errors or conflicts detected during the move
operation's pre-check phase (or test phase).
Delegation -- How to do it
You can delegate administrative control of objects by assigning permissions to the object to
allow users or groups of users to administer the objects.
· Assign the user the permissions manually.
· Use the Wizard on OUs and containers.
How to backup AD
Use the Backup utility that is installed with Windows 2000; its Backup Wizard lets you
set up the parameters you want for backing up. You can select only the System State data; after
you select System State data, you need to provide the target destination and the backup medium
or file name.
You can also use the Scheduler for backing up Active Directory, so you can pick lulls on the
system.
Authoritative Restore of Active Directory
This restore is used if you do not want to replicate the changes that have been made since the last
backup. An Authoritative Restore is not the default method; the nonauthoritative method is.
Restores are normally done in Safe Mode.
Infrastructure master
(page 113)
The infrastructure master is responsible for updating the group-to-user references whenever the members
of groups are renamed or changed. At any time, there can be only one domain controller acting as the
infrastructure master in each domain.
The infrastructure master of the group's domain is responsible for updating the group so it knows the
new name or location of the member.
NOTE: This is not the same as the PDC emulator, which handles logons; if the PDC emulator is down you
will have users screaming that there is trouble.
Why is it a good idea when using Universal groups to place users inside of global groups before
adding them to Universal groups? (page 232)
a Universal.
Ten
10 minutes is the default for processing scripts.
How are GPOs applied? (page 394-412)
L S D O (local, site, domain, and OU) is the replication path.
GPOs are collections of group policy settings. Each Windows 2000 computer has a local GPO, and
may in addition be subject to any number of nonlocal (Active Directory-based) GPOs.
GPOs are applied to the appropriate groups. The Administrator has Full Control of the GPOs.
Delegation of administration. Which control models exist? page 395 & 410
You can determine which administrative groups can administer (create, modify, delete) GPOs by
defining access permissions for each GPO. By assigning Read and Write permissions to a GPO
for an administrative group, the group can delegate control of the GPO. “Central” or distributed
control.
Creating, editing, and deleting GPOs.
Creating GPOs:
Determine the GPO you want to create. If you want to create a GPO linked to a domain or
an OU, open Active Directory Users and Computers. Otherwise, to create a GPO linked to
a site, open Active Directory Sites and Services.
Editing GPOs:
To edit a GPO or its settings, simply open the existing GPO and edit it.
Deleting GPO:
If you delete a GPO, it is removed from Active Directory, and any sites, domains, or OUs to
which it is linked will no longer be affected by it. You may want to just remove the link before
deleting the GPO.
Monolithic vs Layered GPOs. Why use them?
Monolithic:
With a monolithic GPO approach, the goal is to use very few GPOs, (ideally only one) for any
given user or computer. All of the policy settings required for a given site, domain, or OU
should be implemented within a single GPO.
A change in the monolithic design involves more administration than the layered approach,
because the settings may need to be changed in multiple GPOs, but logon times will be shorter.
Layered GPOs:
With the layered GPO approach, the goal is to include a specific policy setting in as few GPOs
as possible. Therefore, editing is not as difficult, and Administration is simplified. Better in larger
organizations.
Folder Redirection (page 459)
There are some rules for folder redirection:
Incorporate %username% into fully qualified UNC paths. This allows users to share their own
folders. For example, \\server\share\%username%\My Documents.
Having My Pictures follow My Documents. This is advisable unless there is a compelling reason
not to, such as file share scalability.
Policy removal considerations. Review the guidelines for this.
Accepting defaults. Usually accept the default Folder Redirection settings.
Who cannot participate in software installation through AD? (regular users)
Usually only Administrators have permissions for software installation, unless you have assigned
this task to an assistant. Terminal Server clients cannot install software (p456).
Publishing vs Assigning (page 428)
Publish software that users might find useful to perform their jobs. Assign required or
mandatory software to users or to computers.
NOTE: You cannot publish to a computer, only to users.
Categories -- How do they help users (438)
You can organize assigned and published applications into logical categories to make it easier
for users to locate the appropriate application from within Add/Remove programs in Control
Panel. Windows 2000 does not ship with any predefined categories.
The categories you establish are per domain, not per GPO. You only need to define them
once for the whole domain. This makes things EASIER for end users.
Public Key Policies (page 465)
The public key policies area is used to configure encrypted data recovery agents, domain
roots, and trusted certificate authorities.
IP Security Policies (page 465)
The IP Security policies area is used to configure network Internet Protocol (IP) security.
Delivery is not guaranteed.
Privileges (page 493 and the charts)
Privileges specify allowable user actions on the network, and they can be assigned to a user.
A list of them is as follows:
What information and settings do security templates hold? (page 499)
A security template is a physical representation of a security configuration, a single file where a
group of security settings is stored. Each template is saved as a text-based .inf file. With the
exceptions of IP Security and Public Key policies, all security attributes can be contained in a
security template.
.evt
It is the extension the Event Logs are saved in. The .EVT format holds binary information.
.csv
Comma delimited format.
.tsv
Tab-separated value format.
.aas files
Application assignment (.aas) files contain instructions associated with the assignment
or publication of a package.
.msp files (page 429)
Patch (.msp) files are used for bug fixes, service packs, and similar updates.
.mst Files (page 435-436)
Modification (.mst) files are applied to Windows Installer packages (which have the .msi extension)
in the order specified by the administrator. This order must be determined before the application is
assigned or published.
Security Templates (page 499)
Security Templates are stored as .inf files.
You can import (apply) a security template file to a local or nonlocal GPO. Any computer or
user accounts in the site, domain, or OU to which the GPO is applied will receive the security
template settings. Importing a security template to a GPO eases domain administration by
configuring security for multiple computers at once.
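Because a security template is a plain text .inf file (as the sections above say), it can be read and checked before it is imported into a GPO. The following Python is an added example written for these notes, not code from the page or a Microsoft tool: the template text is constructed, and the section and key names ([System Access], [Event Audit], MinimumPasswordLength, AuditLogonEvents and the 0/1/2/3 audit encoding) follow the INI-style layout of secedit templates but are assumptions for this example, not values taken from the page.

```python
"""Parse a security template (.inf) and check its password and audit settings
against a simple baseline. Added illustration for these notes, not code from the
page. The template text is constructed; the section and key names follow the
INI-style layout that secedit templates use and are assumptions for this example."""
import configparser

SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 1
AuditSystemEvents = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Audit values: 0 = none, 1 = success, 2 = failure, 3 = both (assumed encoding)
AUDIT_VALUES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def parse_template(text):
    """Return {section: {key: value}} from the .inf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep the key case as written in the file
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def audit_settings(template):
    """Human-readable view of the [Event Audit] section."""
    return {key: AUDIT_VALUES[int(value)]
            for key, value in template.get("Event Audit", {}).items()}


def check_baseline(template, min_password_length=7):
    """List settings weaker than a constructed baseline; an empty list means compliant."""
    findings = []
    access = template.get("System Access", {})
    if int(access.get("MinimumPasswordLength", 0)) < min_password_length:
        findings.append("MinimumPasswordLength below %d" % min_password_length)
    if access.get("PasswordComplexity", "0") != "1":
        findings.append("PasswordComplexity not enabled")
    audit = template.get("Event Audit", {})
    if int(audit.get("AuditLogonEvents", 0)) != 3:
        findings.append("AuditLogonEvents should record success and failure")
    for key, value in audit.items():
        if int(value) == 0:
            findings.append("%s has auditing turned off" % key)
    return findings


if __name__ == "__main__":
    template = parse_template(SAMPLE_TEMPLATE)
    for key, meaning in audit_settings(template).items():
        print("%-20s %s" % (key, meaning))
    print("Findings:", check_baseline(template) or "none")
```

The same check can be run over a template exported from a reference machine to confirm that logon auditing records both success and failure (the "track success or failure or both" point in the Audit Policies section) before the template is applied domain-wide through a GPO.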
Policies
Policies are set on groups or OUs, and they state the permissions for that group or OU.
Account Policies / Security Policies / Kerberos Policy. The NT configuration file is .pol, made with
Poledit; it cannot be merged with NT files.
Audit Policies-- How to use them effectively? (page 467)
An audit policy defines the categories of events that Windows 2000 records in the security log
on each computer. The security log allows you to track the events that you specify. Track
success or failure or both; do not choose everything. Audit randomly if you have time.
Performance Monitor
Allows you to monitor the performance of the system in relation to the current workload. You can
also establish a baseline to use for comparison to determine whether you need to upgrade.
The logs are in bar/graph/chart format. Monitor the system remotely; do not monitor on the server.
The four key things to monitor are: processor, memory, disk and NICs. On Windows 2000,
see the NTDS object.
Logs that exist for Performance Monitor
You can refer to the Performance Monitor logs to review detailed data about the
resources used by specific components of the operating system and by server programs that
have been designed to collect performance data.
Data is collected in comma-separated or tab-separated format for easy import into spreadsheet
programs. A binary log-file format is also provided for circular logging or for logging instances
such as threads or processes that may begin after the log starts collecting data.
Performance has counter logs, trace logs, and alerts. When the system reaches its maximum it alerts
you, for example by opening Notepad. Trace logs show CPU and memory usage, and you need a
parsing tool to read them.
Which support tools exist on the W2K CD for maintaining AD? (p540)
You can install the Support Tools for Active Directory, and they are:
Movetree. Move objects from one domain to another.
NTDSUtil. Repair, check, compact, move and dump the directory.
LDP. Allows LDAP operations to be performed against Active Directory. This tool has a
graphical user interface (GUI).
REPLmon. Displays the replication topology. Has a GUI.
KCC
Knowledge Consistency Checker. A built-in service that runs on all domain controllers and
automatically establishes connections between individual machines in the same site. These are
known as Windows 2000 Directory Services connection objects. An administrator may
establish additional connection objects or remove connection objects. At any point where
replication within a site becomes impossible or has a single point of failure, the KCC will step in
and establish as many new connection objects as necessary to resume Active Directory
replication. The KCC cannot be disabled.
Controlling Shares
You can access the Shared Folders by right-clicking My Computer and selecting Manage,
or by opening the Computer Management snap-in from the Start menu.
Open Shared Folders and you can see which folders are shared and their locations; you can
stop sharing as well, and you can disconnect a user from a shared folder.
What is required to use RIS? (page 562)
· DHCP
· Active Directory
· DNS
· PXE
· Client boot disk
When RIS is installed, these additional services are added to the server:
· BINL (Boot Information Negotiation Layer)
· TFTPD (Trivial File Transfer Protocol Daemon). No logon required.
· SIS (Single Instance Store). Service responsible for reducing disk space requirements
on the volumes used for storing RIS installation images.
Know the load sequence steps 1-8 page 587 for the exam.
How do you install using RIS? (page 558)
When a RIS client starts and connects to the network, the DHCP process is started during power
up (remember DORA). The user is prompted to press F12 to initiate the install.
BINL must check Active Directory for the existence of a prestaged client computer; it
checks the GUID.
The CIW prompts the user to log onto the network. Once the user logs on, the RIS server checks
AD for the user account and the CIW verifies the logon. The CIW warns the user that it will reformat
the disk. Once the user confirms the install, it begins.
To install on a client computer, you type this in at the Run command:
\\server_name\share_name\REMINST\Admin\I386\RIPrep.exe
Follow along with the directions prompted by the Wizard.
What can be set up when using RIS?
You can set up an answer file to make life easier for the user and yourself.
Also determine which partition the installation will be placed on; it should be NTFS.
Determine the location of the source files (CD) and copy the files.
Set up client options in the GPO.
The hardware must be the same; see the HAL. Both disks should be the same size, otherwise it will
indeed write over other information.
Training for the user is important to ensure that everything is working okay.
What is prestaging? (page 663)
Prestaging determines a specific client computer's network account identification for the purpose of
identifying and routing the client computer during the network service boot request.
Finding RIS clients?
Click Start/Programs/Administrative Tools/Active Directory Users and Computers. Right-click
Forest.com/Properties, and if you have RIS installed you should have a new tab
called Show Clients.
RBFG (possibly ch 15)
The utility RBFG.EXE is used to create a remote boot disk. You can run this utility from the
command prompt by typing:
\\servername\REMINST\Admin\I386\RBFG.exe
Troubleshooting RIS
If you are unsure whether you have the correct PXE ROM version, check the version when the install starts.
Check connectivity.
Use the
the DHCP server is authorized and working. Use the Ipconfig utility at the command prompt
and ensure that the DNS server is working properly.
ADDITIONAL EXAM REVIEW NOTES:
Planning a Site Structure
Recall that a site is part of the Active Directory physical structure and is a combination of one
or more Internet Protocol (IP) subnets connected by a highly reliable and fast network
connection. A single domain can include multiple sites, and a single site can include multiple
domains or parts of multiple domains.
Optimizing Directory Replication
When planning sites, consider where the domain controller and the network connections
between the domain controllers will be located. Because each domain controller must
participate in directory replication with the other domain controllers in its domain, configure
sites so that replication occurs at times and intervals that will not interfere with network
performance. Consider establishing a bridgehead server to provide criteria for choosing
which domain controller should be preferred as the recipient for inter-site replication.
Installation of Active Directory:
You must have DNS running correctly.
You can install at the command prompt by typing dcpromo.exe, or you can run
Configure Your Server from the Administrative Tools menu on the Start menu.
You need 1GB of extra storage for Active Directory to be installed.
To remove Active Directory, just run DCPROMO again and it will uninstall it.
Domain mode:
Mixed and Native. Native is only offered with Windows 2000 Server.
Domain-Wide Operations Master Roles
Every domain in the forest must have the following roles:
1. Relative ID master
2. Primary domain controller (PDC) emulator
3. Infrastructure master
IP Addressing:
There are 4 classes: A to E:
Class Range and Description
A 1-126 (127*, can’t use, the loop back)
B 128-191
C 192-223
D 224-239 (Multicast)
E 240-247 (Experimental)
Lookup Queries
DNS name servers resolve forward and reverse lookup queries. A forward lookup query
resolves a name to an IP address. A reverse lookup query resolves an IP address to a
name. A name server can only resolve a query for a zone for which it has authority.
If a name server cannot resolve the query, it passes the query to other name servers that
can resolve the query. The name server caches the query results to reduce the DNS traffic
on the network.
DNS Zones
Primary – it will try 5 times to contact the Primary one.
Secondary – it will try once if the Primary is not available, and it will immediately go and
look for the Primary again.
Frequently used Resource Record Types for DNS:
· SOA *
· A (address or host records)
· NS *
· SRV
· PTR (pointer for reverse lookup)
· MX Mail exchanger
When a name server receives a query result the following actions take place:
The name server caches the query result for a specified amount of time, referred to as Time to Live (TTL).
NOTE: The zone that provided the query results specifies the TTL. TTL is configured using the
DNS console. The default TTL value is 60 minutes.
Once the name server caches the query result, TTL starts counting down from its original value.
When TTL expires, the name server deletes the query result from its cache.
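The lookup behaviour described in the last two sections (a name server answers only for zones it is authoritative for, passes other queries on, and caches the results for the TTL set by the zone that answered, deleting them when the TTL expires) is small enough to simulate end to end. The following Python is an added example written for these notes, not code from the page or from the Windows 2000 DNS service; the zone names, hosts and addresses are constructed, and the 600-second TTL on one zone is chosen so that expiry can be shown without waiting the 60-minute default.

```python
"""Simplified DNS name server: zone authority, forward (A) and reverse (PTR)
lookups, forwarding to another server, and a cache whose entries expire after
the TTL set by the zone that answered. Added illustration for these notes, not
code from the page; zone names, hosts and addresses are constructed."""
import ipaddress

DEFAULT_TTL = 3600  # seconds; the 60-minute default TTL named in the notes


class Clock:
    """Manual clock so TTL expiry can be shown without waiting."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class NameServer:
    def __init__(self, name, zones, clock, forwarders=()):
        self.name = name
        self.zones = zones              # {zone: {"A": {host: ip}, "ttl": seconds}}
        self.clock = clock
        self.forwarders = list(forwarders)
        self.cache = {}                 # (qname, qtype) -> (answer, expires_at)

    def lookup_authoritative(self, qname, qtype):
        """Answer only from zones this server is authoritative for."""
        for zname, zone in self.zones.items():
            ttl = zone.get("ttl", DEFAULT_TTL)
            if qtype == "A" and (qname == zname or qname.endswith("." + zname)):
                return zone["A"].get(qname), ttl     # None here means no such host
            if qtype == "PTR":
                for host, ip in zone["A"].items():   # reverse lookup: address -> name
                    if ip == qname:
                        return host, ttl
        return None, 0

    def resolve(self, qname, qtype="A"):
        """Return (answer, source, ttl_remaining); source is 'cache',
        'authoritative', 'forwarded', or None when nobody can resolve it."""
        key = (qname, qtype)
        if key in self.cache:
            answer, expires = self.cache[key]
            if self.clock.now < expires:
                return answer, "cache", expires - self.clock.now
            del self.cache[key]           # TTL ran out: drop the cached result
        answer, ttl = self.lookup_authoritative(qname, qtype)
        if answer is not None:
            return answer, "authoritative", ttl
        for upstream in self.forwarders:  # pass the query on; cache what comes back
            answer, _, ttl = upstream.resolve(qname, qtype)
            if answer is not None:
                self.cache[key] = (answer, self.clock.now + ttl)
                return answer, "forwarded", ttl
        return None, None, 0


def reverse_name(ip):
    """in-addr.arpa form of an address, the name a reverse lookup zone is keyed on."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_sample():
    """Constructed sample: a corp zone with a 10-minute TTL and a branch server
    that forwards to it."""
    clock = Clock()
    corp = NameServer("ns1.corp.example",
                      {"corp.example": {"A": {"dc1.corp.example": "10.1.0.5"}, "ttl": 600}},
                      clock)
    branch = NameServer("ns1.branch.example",
                        {"branch.example": {"A": {"fs1.branch.example": "10.2.0.7"}}},
                        clock, forwarders=[corp])
    return clock, corp, branch


if __name__ == "__main__":
    clock, corp, branch = build_sample()
    for step in range(3):
        print(branch.resolve("dc1.corp.example"))   # forwarded, then from cache
        clock.advance(300)                           # TTL 600 expires on the third call
    print(branch.resolve("10.1.0.5", "PTR"), reverse_name("10.1.0.5"))
```

The first query from the branch server is forwarded and cached with the corp zone's 600-second TTL; repeated queries are served from the cache with the remaining TTL counting down, and once it reaches zero the entry is deleted and the next query is forwarded again, which is the behaviour the notes describe.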
Zone Type
There are three types of zones that you can configure:
Active Directory-integrated. An Active Directory-integrated zone is the master copy of a new
zone. The zone uses Active Directory to store and replicate zone files.
Standard primary. A standard primary zone is the master copy of a new zone stored in a
standard text file. You administer and maintain a primary zone on the computer on which you
create the zone.
Standard secondary. A standard secondary zone is a replica of an existing zone. Secondary
zones are read-only and are stored in standard text files. A primary zone must be configured before
you can create a secondary zone. When creating a secondary zone, you must specify the DNS server,
called the master server, that will transfer zone information to the name server containing the
standard secondary zone. You create a secondary zone to provide redundancy and to reduce
the load on the name server containing the primary zone database file.
Remote Install Server Components
When RIS is installed, these additional services are added to the server:
Boot Information Negotiation Layer (BINL). The BINL service is added during the RIS
installation process and provides overall management of the RIS environment. Allows
User LOGON.
Trivial File Transfer Protocol Daemon (TFTPD). This server-side TFTP service is
responsible for hosting the specific file download requests made by the client computer.
Trivial File Transfer Protocol Daemon (TFTPD) does not require a logon, which is why
it is called trivial.
· TFTPD uses UDP Protocol
· FTP uses TCP Protocols
TERMINOLOGY
BINL. Boot Information Negotiation Layer, added to the RIS installation process and
provides user logons.
TFTPD. Trivial File Transfer Protocol Daemon. Does not require the user to log on.
CIW. Part of the installation option, the CIW warns the user that the installation will
reformat his or her hard disk and that previously stored information will be deleted, and then
prompts the user to start the Remote OS Installation. (page 558)
PXE. Uses existing TCP/IP for companies along with DHCP to discover RIS servers
on the network. Remember DORA, Discover, Offer, Request and Acknowledge Process.
RIS. Must be installed on NTFS, does not work on FAT.
RIPrep Image format. Allows a network administrator to clone a standard desktop
configuration, complete with OS configurations, desktop customizations, and locally installed
applications.
PXE uses TCP/IP and DHCP to access the network (remember DORA). But be careful:
everything is sent in clear text, so do this type of install locally, not over a WAN link.
The user logs in and then presses F12 to start; ensure you send it to the proper machine.
*** See the diagram on page 557, may be on the exam ***
RIS Server and Client Requirements * IMPORTANT *
BOOK: Server hardware minimum requirements:
MICROSOFT WEB SITE: Server hardware minimum requirements:
· Pentium III MHz processor or faster
· 256MB of RAM minimum
· 5GB hard drive minimum.
· 100 Mbps or Fibre Optic.
· NTFS File System
· Active Directory Installed and working
· DNS Working
· DHCP installed and working
IMPORTANT: A separate partition from the system's boot partition is required to install RIS.
RIS cannot be installed on the same drive as the system volume. The volume you choose to install
RIS onto must be formatted with the Windows NT file system (NTFS). RIS only supports PCI.
You must authorize the RIS server in the DHCP snap-in for it to work.
Remote Boot ROM Load Sequence (see page 590)
The client computer displays the message DHCP, which indicates that the client is requesting an IP
address from the DHCP server.
When the client receives an IP address from the DHCP server, the message may change to BINL.
This means that the client has successfully leased an IP address. The client then changes to TFTP
or prompts the user to press F12. This indicates that the client has contacted the RIS server and is
waiting to receive the first image file, the CIW.
At this point, the client should have downloaded and displayed the CIW Welcome screen.
How do I replicate all of the OS installation images currently located on one RIS server to other RIS
servers on the network for consistency across all client installations?
Can I have RIS server and another vendor remote boot server on the network at the same time?
If so, what are the implications?