FINAL EXAM NOTES

 

 

 

How to back up AD

 

Use the system utility that is installed with Windows 2000; its Backup Wizard lets you set the parameters you want for the backup. You can choose to back up only the system state data. After you select system state data, you need to provide the target destination and the backup medium or file name.

 

You can also use the Scheduler to back up Active Directory, so that backups run during lulls on the system.

 

 

 

Authoritative Restore of Active Directory

This restore is used if you do not want to replicate the changes that have been made since the last backup. An authoritative restore is not the default method; the nonauthoritative method is. Restores are normally done in Safe Mode.

 

 

 

Infrastructure master   (page 113)

 

The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain.

 

The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member.

 

 

 

Why is it a good idea when using Universal groups to place users inside of global groups before adding them to Universal groups?  (page 232)

 

This is another level of OUs.  AGULP.  Not sure? 

Universal groups cannot be created in Mixed mode.

 

 

 

How are GPOs applied?  (page 394-412)

 

GPOs are collections of group policy settings. Each Windows 2000 computer has a local GPO, and may in addition be subject to any number of nonlocal (Active Directory-based) GPOs.

 

GPOs are applied to the appropriate groups. The Administrator has full control of the GPOs.

 

 

 

 

Delegation of administration.  Which control models exist?  page 395

 

You can determine which administrative groups can administer (create, modify, delete) GPOs by defining access permissions for each GPO. By assigning Read and Write permissions to a GPO for an administrative group, the group can delegate control of the GPO.

 

 

 

Creating, editing, and deleting GPOs.

 

Creating GPOs:

 

Determine the GPO you want to create. If you want to create a GPO linked to a domain or an OU, open Active Directory Users and Computers. Otherwise, to create a GPO linked to a site, open Active Directory Sites and Services.

 

 

Editing GPOs:

 

To edit a GPO or its settings, simply go into an existing GPO and edit it.

 

 

Deleting GPOs:

If you delete a GPO, it is removed from Active Directory, and any sites, domains, or OUs to which it is linked will no longer be affected by it. You may want to just remove the link before deleting the GPO.

 

 

Monolithic vs Layered GPOs.  Why use them?

 

Monolithic:

 

With a monolithic GPO approach, the goal is to use very few GPOs (ideally only one) for any given user or computer. All of the policy settings required for a given site, domain, or OU should be implemented within a single GPO.

 

A change in the monolithic design involves more administration than the layered approach because the settings may need to be changed in multiple GPOs, but logon times will be shorter.

 

Layered GPOs:

 

With the layered GPO approach, the goal is to include a specific policy setting in as few GPOs as possible. Therefore, editing is not as difficult, and administration is simplified.

 

 

 

Folder Redirection  (page 459)

 

There are some rules for folder redirection:

 

            users to chare their own folders.  For example, \\server\share\%username%\My Documents.

compelling reason not to, such as file share scalability.

 

 

Who cannot participate in software installation through AD?  (regular users)

 

Usually, only Administrators have permissions for software installation, unless you have assigned this task to an assistant.

 

 

 

Publishing vs Assigning

 

Publishing is only related to computers, and Assigning is for users and computers.

 

 

 

Public Key Policies (page 465)

 

The public key policies area is used to configure encrypted data recovery agents, domain roots, and trusted certificate authorities.

 

 

 

IP Security Policies (page 465)

 

The IP Security policies area is used to configure network Internet Protocol (IP) security.

 

 

Privileges  (page 493 and the charts)

 

Privileges specify allowable user actions on the network, and they can be assigned to a user. The list is as follows:

 

· Act as part of the Operating System
· Add Workstations to Domains
· Back Up Files And Directories
· Bypass Traverse Checking
· Change The System Time
· Create a Token Object
· Create Permanent Shared Objects
· Debug Programs
· Enable Computer and User Accounts to be Trusted for Delegation
· Force Shutdown From a Remote System
· Generate Security Audits
· Increase Quotas
· Increase Scheduling Priority
· Load and Unload Device Drivers
· Lock Pages in Memory
· Manage Auditing and Security Logs
· Modify Firmware Environment Values
· Profile Single Process
· Profile System Performance
· Remove Computer From Docking Station
· Replace A Process Level Token
· Restore Files And Directories
· Shut Down The System
· Synchronize Directory Service Data
· Take Ownership Of Files or Other Objects

 

 

What information and settings do security templates hold? (page 499)

 

A security template is a physical representation of a security configuration, a single file where a group of security settings is stored. Each template is saved as a text-based .inf file. With the exceptions of IP Security and Public Key policies, all security attributes can be contained in a security template.

 

 

.evt 

 

It is the extension the Event Logs are saved in.

 

 

 

Security Templates (page 499)

 

You can import (apply) a security template file to a local or nonlocal GPO. Any computer or user accounts in the site, domain, or OU to which the GPO is applied will receive the security template settings. Importing a security template to a GPO eases domain administration by configuring security for multiple computers at once.

 

 

 

Policies 

 

Policies are set to groups or OUs, and they state the permissions for that group or OU.

 

 

 

Audit Policies-- How to use them effectively?  (page 467)

 

An audit policy defines the categories of events that Windows 2000 records in the security log on each computer. The security log allows you to track the events that you specify.
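Added example (not from the course material): a short Python review of a security template's text, tying together the Privileges, Security Templates and Audit Policies notes above. The sample template, its SIDs, the choice of "sensitive" privileges and the function name `review_template` are constructed for illustration.

```python
import configparser

# Constructed sample template. Real templates are usually saved as UTF-16
# text, so decode the file before passing its contents to review_template().
SAMPLE_INF = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 2
AuditPolicyChange = 0
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Subset of the privilege list above, picked for this example because each
# one effectively gives its holder control of the machine.
SENSITIVE = {
    "SeTcbPrivilege": "Act as part of the Operating System",
    "SeCreateTokenPrivilege": "Create a Token Object",
    "SeDebugPrivilege": "Debug Programs",
    "SeLoadDriverPrivilege": "Load and Unload Device Drivers",
    "SeTakeOwnershipPrivilege": "Take Ownership Of Files or Other Objects",
}
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
AUDIT_VALUES = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}

def review_template(text):
    """Return (audit settings, findings) for the text of a security template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(text)
    audit, findings = {}, []
    if cp.has_section("Event Audit"):
        for key, val in cp.items("Event Audit"):
            audit[key] = AUDIT_VALUES.get(int(val), "invalid")
            if int(val) == 0:
                findings.append(f"{key}: auditing disabled")
    if cp.has_section("Privilege Rights"):
        for priv, holders in cp.items("Privilege Rights"):
            sids = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
            extra = [s for s in sids if s != ADMINISTRATORS]
            if priv in SENSITIVE and extra:
                findings.append(f"{SENSITIVE[priv]} granted to {', '.join(extra)}")
    return audit, findings
```

Running a review like this before importing a template into a GPO shows which audit categories the template would leave unrecorded and which powerful privileges it would hand to accounts other than Administrators.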

 

 

 

KCC

 

Knowledge Consistency Checker.