|
1
|
- Herb Martin
- LearnQuick.Com
- http://LearnQuick.Com
|
|
2
|
- Exam 70-210 Windows 2000 Professional
- Exam 70-215 Windows 2000 Server
- Exam 70-216 Network
Administration
- Exam 70-217 Active Directory Administration
- Exam 70-219 Active Directory Design
- Exam 70-220 Windows 2000 Security Design
- Exam 70-221 Windows 2000 Network Design
|
|
3
|
- Herb Martin
- LearnQuick.Com
- http://LearnQuick.Com
|
|
4
|
- SYLVAN PROMETRIC
1-800-755-EXAM or 1-800-755-3926
http://www.2Test.Com to register online
- VUE 1-800-837-8734 or 1 800 TEST REG
http://www.vue.com/testing/index.html
- Microsoft MCP site http://www.Microsoft.Com/MCP
|
|
5
|
- Microsoft Certified Professional
Exam 70-217
- Implementing & Administering a Microsoft® Windows® 2000
Directory Services Infrastructure
- 110 minutes, 45 questions, passing 665/1000
|
|
6
|
- Microsoft Certified Professional
Exam 70-219
- Designing a Microsoft® Windows® 2000
Directory Services Infrastructure
- 240 minutes, 4 testlets/40 questions, passing 613/1000
|
|
7
|
- Supported users range from 200-26,000+
- Physical locations range from 5-150+
|
|
8
|
- File and print
- Database and Messaging
- Proxy server or firewall
- Dial-in server
- Desktop management
- Web hosting
|
|
9
|
- Individual offices to the corporate network
- Users at remote locations to the corporate network
- Corporate networks to the Internet
|
|
10
|
- Windows 2000 Active Directory components
- DNS for Active Directory
- Active Directory security solutions
- Manage and optimize the desktop environment using Group Policy
- Configure and Troubleshoot Active Directory
- DNS for Active Directory
- Change and Configuration Management
- Manage and Optimize Active Directory Components
- Active Directory Security
|
|
11
|
- Meeting Business and Technical Requirements
- Unified directory services such as Active Directory and Windows NT
domains
- Connectivity between and within systems, system components, and
applications
- Data replication such as directory replication and database replication
|
|
12
|
- Configure Active Directory
- DNS for Active Directory
- Change and Configuration Management
- Manage Active Directory Components
- Active Directory Security
|
|
13
|
- Analyzing Business Requirements
- Analyzing Technical Requirements
- Designing a Directory Service Architecture
- Designing Service Locations
|
|
14
|
|
|
15
|
- An accounts database—and more
- Hierarchical directory of domain information
- Contains: Users, Groups,
Organizational Units, Computers
- …and other objects
- Extensible store
|
|
16
|
- Purpose is to authenticate and share resources
- Single accounts database (Active Directory)
- All machines and users have an account
- Access to Domain resources requires domain authentication
|
|
17
|
- Any DC can accept changes
- All DCs replicate changes to the others
- No one DC is “in charge”
- No PDC or BDCs, just DCs
|
|
18
|
- Had no structure
- The (Domain) Administrator had authority over everything
- Users needing authority over a subset, needed to be Admins
- No delegation
|
|
19
|
- Create MORE domains
- Use explicit trusts for cross-domain access
|
|
20
|
- Structural Component of a Domain
- Can be nested
- Can be used to delegate authority and control
- Group Policy can be linked to OUs
|
|
21
|
- Domains are TRIANGLES
- Domains are SECURITY boundaries
- OU’s are CIRCLES
- Are merely administrative convenience containers
|
|
22
|
|
|
23
|
- Users will NOT navigate the OU hierarchy
- Do NOT automatically think ‘business units’
- Think primarily about administration
- Child OU’s can override earlier Group Policies
- …but earlier Group Policies can be marked no override
|
|
24
|
- REQUIRES: NTFS drive
- REQUIRES: Dynamic DNS configured
on network
- REQUIRES: TCP/IP on DCs (and on
Active Directory clients)
|
|
25
|
- DNS name
- Public or Private Name
- Child of a Public (registered domain)
|
|
26
|
- Registered Internet name: LearnQuick.Com
- Child of Registered name: Corp.LearnQuick.Com
- Completely private name: LearnQuick.local
|
|
27
|
- FIRST (root) domain name cannot be changed!!!
- Name is PERMANENT
- Can never be changed
- Serious issue if you sell the DNS name
|
|
28
|
- Easy to understand
- One name for internal and external use
- Security issue though
- May be difficult for internal users to connect to external corporate
resources
|
|
29
|
- Simple to understand
- austin.LearnQuick.Com privately—LearnQuick.Com publicly
|
|
30
|
- May be difficult for internal users to understand
- More complex Proxy configuration
- Duplication efforts in managing resources
- Example: LearnQuick.local
|
|
31
|
- Run DCPromo to create a Domain Controller (DC)
- …from command line or from Configure Your Server
- Machine becomes a DC (domain controller)
- (Run DCPromo again to REMOVE Active Directory)
|
|
32
|
- Default is left most DNS tag
- LearnQuick.Com == LearnQuick
- You can ALTER the default
- Important if:
Name exceeds 15 characters OR
Domains have that part in common
south.Europe.MyCompany.Com
south.Africa.MyCompany.Com
|
|
33
|
- 1st DC creates new Domain, new Tree, or new Forest
- Tree is domain hierarchy sharing a common DNS hierarchy
- Forest is a grouping of Trees with NON-contiguous DNS names
|
|
34
|
- \\toro\examsw2k\cs\AD\DCPromoWizDCTypeFC.gif
|
|
35
|
- First in Forest (creates new domain, tree, & forest)
- First in Tree (creates new domain & tree)
- First in Domain (creates new domain)
- Or additional DC in existing domain
|
|
36
|
- \\toro\examsw2k\cm\visiodrw\ForestTree.vsd
|
|
37
|
|
|
38
|
- Domain trusts (2-way, automatic, transitive)
- External trusts (1-way, manual, non-transitive)
- Short-Cut trusts (2-way, manual, transitive)
|
|
39
|
- Trusts provide access to resources located in the trusting domain
Trus'ting → TrusTEd
Resources (tings) → Users (Ted & Ed)
- In WinNT all trusts were explicit, one way, non-transitive
- This is still available in Win2000
- Win2000 provides automatic, 2-way, transitive trusts within a forest
|
|
40
|
- Parent and Child trust each other automatically
- Original Forest-Root domain has a
2-way trust with other Tree-Root domains (within the forest)
- Automatic trusts are transitive throughout a Forest
|
|
41
|
- Automatic trusts are transitive throughout forest
- If A→B→C then effectively A→C
- Child←TRUSTS→Parent…←TRUSTS→Root
[ ←TRUSTS→1st Root ]
←TRUSTS→Other Root←TRUSTS→Child…
- Effectively, ALL domains within the forest trust each other
|
|
42
|
|
|
43
|
|
|
44
|
- Full Control by other administrators
Decentralized network administration
- Mirror existing WinNT domain structure
- Massive numbers of objects
- Replication efficiency—usually NOT a problem though
- BEST REASON: Different Security→Account Policies
Password, Lockout, Kerberos policies
Only Security Account Policies are DOMAIN Specific!
|
|
45
|
- Because the DNS domain names are NOT contiguous
- Example: LearnQuick.Com and
MCSE2000Help.Com
|
|
46
|
- Need 3 locations to manage DIFFERENT password policies
- All domains will use the same DNS base name (same starting point)
- Required: 1 Domain for each such
policy
- Perhaps, need all three to be children of root domain
- Answer: 4 domains (or maybe 3), 1
Forest, 1 Tree
|
|
47
|
- Company was merged from 3 companies
- Each company has its own DNS name hierarchy
- There are three different DNS names
- Answer: 3 Trees within 1 Forest
- How many domains? At least 3 (1
for each tree root)
|
|
48
|
- Separate Forests provide complete autonomy
- …or different Schemas
- Two companies want to work together
- Joint venture
- Neither wants to be subordinate to the other
- Answer: 3 Forests (1 for each
company, 1 for the joint venture)
- How many trees and domains? (At least 3D, 3T)
|
|
49
|
- You own additional DNS names for marketing
- You do not want or need corresponding Win2000 Domains
- …then you do NOT need extra trees
- Use Trees when DNS names are non-contiguous
- …AND names need to be Win2000 domains TOO
|
|
50
|
- Company uses LearnQuick.Com for internal DNS
- Company owns 32 DNS names for external use
- Answer: 1 Tree
- (Those marketing DNS names will NOT be Win2000 domain trees)
|
|
51
|
- Database and Logs
- May require 1GB to install
- NTDS (NT Directory Services)
|
|
52
|
- \\toro\examsw2k\cs\AD\ADDatabaseandLogLocationsFC.gif
|
|
53
|
- (Plays the role that NetLogon played in WinNT)
- Contains Scripts and Policy Files that are not directly in Active
Directory
- Replicated to ALL DCs within the domain
|
|
54
|
- \\toro\examsw2k\cs\AD\ADSharedSysVolFC.gif
|
|
55
|
- \\toro\examsw2k\cs\AD\ADRestoreModeAdminPwordFC.gif
|
|
56
|
- A site is a collection of well-connected subnets
- Declares that machines on those nets are LOCAL to each other
- Replication works differently within a site
- Machines try to authenticate WITHIN their site
- Machines try to use servers WITHIN their site
|
|
57
|
- Local Ethernets are usually a single site
- No hard rule
- Probably multiple sites if less than 512Kbps connection
- Might include ‘client only’ physical locations in central site
If there are no DCs or Servers, this is most probably correct
|
|
58
|
- Knowledge Consistency Checker
- Automatically creates the replication topology
|
|
59
|
- Create sites
- Create subnets
- Create site links
- Create site link bridges
- Create connection objects
- Create GC (global catalog) servers
|
|
60
|
- Configure site link replication schedule (availability)
- Configure site link cost
- Configure site link replication frequency
- AD Bridges all site links by default
- KCC adds connections
|
|
61
|
- \\toro\examsw2k\cs\AD\ADSitesServicesConsoleFC.gif
|
|
62
|
- Not really ‘creating’ subnets
- Just adding the subnets to the
AD Sites configuration
- Once created, subnets will be used to describe sites
|
|
63
|
- \\toro\examsw2k\cs\AD\ADSitesServicesConsoleNewSiteFC.gif
|
|
64
|
- Manually created (just add subnets)
- Used to determine INTERSITE replication paths
- KCC uses site links to generate replication connections
|
|
65
|
- Schedule (available time windows)
- Frequency (how often)
- Cost (lower is preferred link)
|
|
66
|
- \\toro\examsw2k\cs\AD\ADSiteServicesSiteLinkFC.gif
|
|
67
|
|
|
68
|
- Bridging GROUPS Site Links
Should be called “Site Link Group”
- KCC automatically bridges all Site Links
- Seldom need to create Site Link Bridges
- If you enable MANUAL bridging,
you MUST create and manage
- Don’t do it (unless you must)
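The site link cost and bridging behaviour of slides 64, 65 and 68, as an added Python model that is not part of the original deck: the four sites, link names and costs are constructed, and the rule that a manually bridged topology may only route across links inside one Site Link Bridge is the deck's description, assumed here.

```python
import heapq
from itertools import combinations


class SiteTopology:
    """Sites joined by site links; a site link connects every site in it at one cost.
    Assumed KCC behaviour from the deck: with "bridge all site links" (the default)
    any chain of site links is transitive; with manual bridging a replication path
    may only cross links that belong to the same Site Link Bridge."""

    def __init__(self, bridge_all=True):
        self.bridge_all = bridge_all
        self.links = {}        # link name -> (cost, frozenset of sites)
        self.bridges = []      # explicit Site Link Bridges: lists of link names

    def add_site_link(self, name, sites, cost=100):
        if len(sites) < 2:
            raise ValueError("a site link needs at least two sites")
        self.links[name] = (cost, frozenset(sites))

    def add_bridge(self, link_names):
        unknown = [n for n in link_names if n not in self.links]
        if unknown:
            raise ValueError(f"unknown site links: {unknown}")
        self.bridges.append(list(link_names))

    def _cheapest_within(self, src, dst, link_names):
        """Dijkstra over the sites reachable through the given links only."""
        adj = {}
        for name in link_names:
            cost, sites = self.links[name]
            for a, b in combinations(sorted(sites), 2):
                adj.setdefault(a, []).append((b, cost))
                adj.setdefault(b, []).append((a, cost))
        dist, prev, heap = {src: 0}, {}, [(0, src)]
        while heap:
            d, site = heapq.heappop(heap)
            if d > dist.get(site, float("inf")):
                continue                       # stale heap entry
            if site == dst:
                path = [dst]
                while path[-1] != src:
                    path.append(prev[path[-1]])
                return d, path[::-1]
            for nxt, cost in adj.get(site, []):
                if d + cost < dist.get(nxt, float("inf")):
                    dist[nxt] = d + cost
                    prev[nxt] = site
                    heapq.heappush(heap, (d + cost, nxt))
        return None

    def cheapest_path(self, src, dst):
        """(total cost, [sites]) of the lowest-cost intersite route, or None."""
        if self.bridge_all:
            return self._cheapest_within(src, dst, list(self.links))
        best = None
        # Manual bridging: a single link, or the links of one explicit bridge.
        for group in [[n] for n in self.links] + self.bridges:
            found = self._cheapest_within(src, dst, group)
            if found and (best is None or found[0] < best[0]):
                best = found
        return best


def build_example_topology(bridge_all=True):
    """Constructed topology: a cheap Austin-Dallas-Houston chain, a dearer direct
    Austin-Houston link and a slow Houston-Seattle WAN."""
    t = SiteTopology(bridge_all)
    t.add_site_link("AUS-DAL", ["Austin", "Dallas"], cost=100)
    t.add_site_link("DAL-HOU", ["Dallas", "Houston"], cost=100)
    t.add_site_link("AUS-HOU", ["Austin", "Houston"], cost=300)
    t.add_site_link("HOU-SEA", ["Houston", "Seattle"], cost=500)
    return t


def build_bridged_topology():
    """Same sites, automatic bridging off, one manual bridge over the Texas links."""
    t = build_example_topology(bridge_all=False)
    t.add_bridge(["AUS-DAL", "DAL-HOU"])
    return t


if __name__ == "__main__":
    print(build_example_topology().cheapest_path("Austin", "Seattle"))
    print(build_bridged_topology().cheapest_path("Austin", "Seattle"))   # None: not bridged
```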
|
|
69
|
|
|
70
|
|
|
71
|
- Automatically created by KCC (usually)
- Can be manually created
- Can be manually configured
- Can ONLY set schedule
(not frequency or cost)
- Create only if REQUIRED and it must PERSIST (until deleted)
|
|
72
|
|
|
73
|
- Important in MULTI-domain forest
- First DC becomes a GC server by default
- YOU must configure others if needed
- Right-click on ServerName/NTDS Settings → check the Global Catalog box
|
|
74
|
- \\toro\examsw2k\cs\AD\ADSiteServicesRightClickNTDSGlobalCatFC.gif
|
|
75
|
- Forest wide information
- Contains PART of the information for every object of the forest
- Eliminates the replication of ALL data between different domains
- Serves as a sort of “forest-wide cache”
- Need AT LEAST one per site if more than one domain, especially in NATIVE
mode
- Need two (from any domain) for redundancy
|
|
76
|
- \\toro\examsw2k\cs\AD\ADSiteServicesSiteMoveFC.gif
|
|
77
|
- \\toro\examsw2k\cs\AD\ADSiteServicesSiteMove2FC.gif
|
|
78
|
- (Formerly known as FSMO)
- Schema Master: 1 per Forest
Domain Naming Master: 1 per Forest
- PDC Emulator: 1 per Domain
RID Master: 1 per Domain
Infrastructure Master: 1 per Domain
|
|
79
|
- Holds the master copy of the Schema
- There is ONE shared schema for ENTIRE forest
- Only place to edit Schema
- If down has little effect until Schema changes are needed
- Users won’t notice if down
|
|
80
|
- Add new domains to forest
- Removes domains from forest
- If down has little effect unless adding/removing domains
- Users won’t notice if down
|
|
81
|
- Acts as PDC for WinNT BDCs
- Time master
- Domain Master Browser (NetBIOS)
- Password changes propagate here first
- Failed passwords are tried here before refusing logon
- If down, BDCs will not receive changes
…users may be inconvenienced if down
…fault tolerant password checking not available
|
|
82
|
- Each DC must give out UNIQUE IDs
- RID master assigns blocks of Relative IDs to each DC
- If down, no effect until a DC creates enough objects to exhaust supply
|
|
83
|
- Maintains reference to Group members from other domains
- Especially members of Universal groups in native mode
- Temporary loss is not usually visible
…unless recently moved a large number of accounts
- Keeps references to objects it ‘does not hold’
- Should NOT hold the GC
If it held the GC, it would hold all objects
|
|
84
|
- Use NTDSUtil or GUI tools to transfer operations master roles
- First connect to the DC that will assume role
- (NTDSUtil can seize roles but don’t do it – unless you MUST!)
|
|
85
|
- Active Directory Users and Computers
- PDC Emulator, Infrastructure Master, RID Master
- Right-click—Operations Masters
|
|
86
|
- Transfer Schema role in Active Directory Schema
- Transfer Domain Naming Master in
Active Directory Domains and Trusts
|
|
87
|
- Domain Naming Master is broken
- What should I do?
- When?
- Answer: Seize role, before adding
or removing a domain
|
|
88
|
- You have 4 domains
- Answer: 4 PDC emulators
- 1 PDC Emulator per domain
|
|
89
|
- You have one forest root domain
- Answer: 1 Schema master
- One per Forest
- The schema is COMMON to the entire forest
|
|
90
|
- You have three domains in a site
- At least ONE; domain does NOT matter
- 2 for fault tolerance
- You have 4 sites, how many GCs?
- At least 4 (1 per site)
|
|
91
|
- Same forest
- Answer: Automatic, Two-Way,
Transitive
|
|
92
|
- From user domain to parent to root…
to root to child to resource domain
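The transitive forest trusts of slide 41 and the referral path of slide 92, as an added Python model that is not part of the original deck: the forest layout (learnquick.com with child austin.learnquick.com, tree root mcse2khelp.com with child sales.mcse2khelp.com) and the external NT domain nt4corp.example are constructed for illustration.

```python
from collections import deque


class Forest:
    """Windows 2000 forest: parent/child domains in trees, tree roots joined to the
    forest root. Automatic trusts are two-way and transitive; external trusts are
    one-way and non-transitive (resources in the trusting domain, users in the trusted)."""

    def __init__(self, forest_root):
        self.forest_root = forest_root
        self.parent = {forest_root: None}     # domain -> parent domain (None for tree roots)
        self.tree_roots = [forest_root]
        self.external = set()                 # (trusting, trusted) pairs

    def add_tree_root(self, domain):
        self.parent[domain] = None
        self.tree_roots.append(domain)

    def add_child(self, child, parent):
        if parent not in self.parent:
            raise ValueError(f"unknown parent domain {parent}")
        self.parent[child] = parent

    def add_external_trust(self, trusting, trusted):
        self.external.add((trusting, trusted))

    def automatic_trusts(self):
        """Undirected adjacency of the automatic trusts: each child with its parent,
        and every other tree root with the forest root."""
        adj = {d: set() for d in self.parent}
        for child, parent in self.parent.items():
            if parent is not None:
                adj[child].add(parent)
                adj[parent].add(child)
        for root in self.tree_roots:
            if root != self.forest_root:
                adj[root].add(self.forest_root)
                adj[self.forest_root].add(root)
        return adj

    def trust_path(self, user_domain, resource_domain):
        """Domains crossed when a user in user_domain reaches a resource in
        resource_domain, or None when no trust relationship allows it."""
        if user_domain == resource_domain:
            return [user_domain]
        # External trust: one hop only, and only resources (trusting) -> users (trusted).
        if (resource_domain, user_domain) in self.external:
            return [user_domain, resource_domain]
        if user_domain not in self.parent or resource_domain not in self.parent:
            return None
        # Inside the forest every domain trusts every other transitively, so a
        # breadth-first walk over the automatic trusts finds the referral chain:
        # up to the tree root, across to the other tree root, down to the resource.
        adj = self.automatic_trusts()
        prev = {user_domain: None}
        queue = deque([user_domain])
        while queue:
            domain = queue.popleft()
            if domain == resource_domain:
                path = []
                while domain is not None:
                    path.append(domain)
                    domain = prev[domain]
                return path[::-1]
            for neighbour in adj[domain]:
                if neighbour not in prev:
                    prev[neighbour] = domain
                    queue.append(neighbour)
        return None


def build_example_forest():
    """Constructed forest: two trees plus one external Windows NT domain."""
    forest = Forest("learnquick.com")
    forest.add_child("austin.learnquick.com", "learnquick.com")
    forest.add_tree_root("mcse2khelp.com")
    forest.add_child("sales.mcse2khelp.com", "mcse2khelp.com")
    # learnquick.com trusts the (constructed) NT 4 domain: its users may use learnquick.com resources
    forest.add_external_trust("learnquick.com", "nt4corp.example")
    return forest


if __name__ == "__main__":
    f = build_example_forest()
    print(f.trust_path("austin.learnquick.com", "sales.mcse2khelp.com"))
    print(f.trust_path("nt4corp.example", "austin.learnquick.com"))  # None: non-transitive
```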
|
|
93
|
- Multiple locations
- Names Changes
- Business Reorganizations
- Selling Internet names
- Security Account Policies
- Political Issues
|
|
94
|
- Usually together
- Move RID and PDC emulator if heavily loaded
- Infrastructure master should NOT hold the GC
|
|
95
|
- Domain Naming and Schema Master on same server
- Must always hold GC
(Domain Naming Master requires this)
- Remember you can have additional GCs
|
|
96
|
- Network connectivity? Ping,
IPConfig, NLTest, NetDiag, NetMon
- Name resolution working? Ping,
NSLookup, NBTStat, DNSCmd
- DC working? DCDiag, DSAStat,
NTDSUtil
- Authentication working? Event
Viewer
- Access control ok? Event Viewer,
DSACLS, NetDom, ClonePrincipal, SDCheck
|
|
97
|
- Check that the (DC) locator and secure channel are functioning
|
|
98
|
- Designed for comprehensive network testing without user intervention
- Have users run and send in the output
- TIP: Capture output, then search
for FAIL or WARN
|
|
99
|
- Compare Directory services information
- Objects and sizes
- Detect differences
|
|
100
|
- Checks status of domain controllers (across the Enterprise)
|
|
101
|
- View or modify the access control lists of directory objects
|
|
102
|
- time, query, move, /help
- Batch management of trusts, joining computers to domains
- Verifying trusts and secure channels
|
|
103
|
- Check ACL propagation and replication for specified objects in the
directory
|
|
104
|
- Check dynamic registration of DNS including Secure DNS update, as well
as deregistration of resource records
|
|
105
|
|
|
106
|
- If an OU has been deleted but…
- Objects were added (at another DC)
- These objects are now ‘orphaned’
- They can be found in the domain LostAndFoundContainer
|
|
107
|
- Delegate Administration
- Hide Objects
- Associate Group Policy
- OUs are really about making administration easier
|
|
108
|
- Centralized Administration Model (all in one OU)
- Users change business groups frequently (not as bad as domains)
- Not just because it matches the business model
- OUs don’t receive permissions (security Groups)
- Users don’t usually even see an OU
|
|
109
|
- With domain controller online
- Along with other system and data files
- Using batch file commands
- Use any removable media, network drive, or file
|
|
110
|
- \\toro\examsw2k\cs\AD\ADBackUpWizFC.gif
|
|
111
|
- ONLY Normal Backup (not incremental or differential)
- Must be LOCAL (not network)
- Must Backup “System State Data”
- Performed by Backup Operator or an Administrator
|
|
112
|
- \\toro\examsw2k\cs\AD\ADBackUpWizInProcessFC.gif
|
|
113
|
- System startup files
- Registry
- COM+ class registration database
- Certificate Services database (if installed)
- DNS service (if DNS installed)
- Cluster service (if Clustering installed)
- Active Directory (if a DC)
- File Replication service (AND SYSVOL if a DC)
|
|
114
|
- \\toro\examsw2k\cs\AD\ADRestoreBackUpWizNOTF8.gif
|
|
115
|
- \\toro\examsw2k\cs\AD\ADBackUpWizFileNameFC.gif
|
|
116
|
- Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode With Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode ←←←
Debugging Mode
Boot Normally
|
|
117
|
- Boot Choices press F8
- Choose: Directory Services
Restore Mode
- Must be Local Administrator
- NOT Active Directory Domain Administrator
- Active Directory is offline
- Age of restored data must be less than tombstone lifetime
(60 days default)
|
|
118
|
- Automatic, online
- Online Defragmentation:
Arranges and frees space WITHIN the DB
Does NOT reduce database file size
- Removing a GC does not reduce database size
|
|
119
|
- (Compacting the database)
- Reduces database size
- Most useful for significant decrease in size
- e.g., a global catalog server becomes a normal domain controller
|
|
120
|
- (Offline defragmentation)
- Must use “Directory Services Restore” Mode
- Use NTDSUtil “compact to” on database
- Archive original
- Use NTDSUtil to move database back
|
|
121
|
- Ntds.dit: Active Directory database file
- Edb.chk: Checkpoint file
- Edb*.log: Transaction logs—10 MB each
- Res1.log & Res2.log: Reserved transaction logs
- Located by default in %WinDir%\NTDS
|
|
122
|
- SysVol requires NTFS
- Best to place Logs and Database on separate physical drives
- DB best on array (read performance)
- Log on spare single disk (write performance)
|
|
123
|
- Boot in Active Directory Restore mode (F8)
- Requires LOCAL Administrator
(remember that password—from DCPromo!)
- Restore the system state data
- Then Active Directory is updated through normal replication
|
|
124
|
- Starts with NON-Authoritative restore
- Reboot BACK to Active Directory Restore mode
- Then mark all or a portion as authoritative
- That portion takes precedence over other DCs
|
|
125
|
- Single objects, OU trees, or the whole directory
- (Must first do non-Authoritative restore)
- Must perform authoritative restore before bringing Active Directory
online
|
|
126
|
- NTDSUtil authoritative restore
restore Subtree OU=Marketing,DC=LearnQuick,DC=COM
|
|
127
|
- NTDSUtil authoritative restore
restore database
|
|
128
|
- Restore to two locations
- Perform Authoritative Restore
- Reboot normally
- Publish SYSVOL
- Copy extra SYSVOL over active SYSVOL
|
|
129
|
- Re-Install Win2000 Server
- Promote to DC
- Replicate Active Directory and SYSVOL normally
- …or Restore from Backup media
- Possible to restore to different hardware (video, net, disk)
|
|
130
|
- Authoritative restore - Authoritatively restore the DIT database
- Domain management - Prepare for new domain creation
- Files - Manage NTDS database files
- IPDeny List - Manage LDAP IP Deny List
- LDAP policies - Manage LDAP protocol policies
- Metadata cleanup - Clean up objects of
decommissioned servers
- Roles - Seize or Transfer NTDS role owner
- Security account management - Manage Security Account Database
(Duplicate SID Cleanup)
- Semantic database analysis - Semantic Checker (don’t use)
|
|
131
|
- Distributed Systems Guide
- Chapter 9—Active Directory Backup and Restore
|
|
132
|
|
|
133
|
- Usually Primary or Secondary
- Can be integrated with Active Directory
|
|
134
|
- DNS is NOT Active Directory
- DNS zones CAN be stored in Active Directory
- Active Directory requires DYNAMIC DNS (to operate)
|
|
135
|
- \\toro\examsw2k\cs\216\DNSNewZoneWizFC.gif
|
|
136
|
- Better security
- Better replication
- Multi-master dynamic registration
- Multi-master replication
|
|
137
|
- \\toro\examsw2k\cs\AD\ADDNSZonesRightClickFC.gif
|
|
138
|
- NTFS
- IP Infrastructure (servers and clients really)
- Dynamic DNS
|
|
139
|
- \\TORO\examsw2k\cs\AD\ADDNSZones.gif
|
|
140
|
- Active Directory DNS acts as primary
- AD Integrated DNS servers can have ‘ordinary’ secondary DNS servers
- Any Secondaries must support SRV records
|
|
141
|
- \\toro\examsw2k\cs\AD\ADDNSZonePropGenFC.gif
|
|
142
|
- Removes stale records
- Disabled by default
- Must be enabled on server AND zone
- Set Scavenging Period on the SERVER
- Set NoRefreshInterval AND RefreshInterval on ZONE
|
|
143
|
- Common to setup Internal as private name space
- Then use external as internal’s forwarder
- Internal DNS does NOT replicate to external DNS
- Internal users can resolve both internal-external names
- External visitors can only access external names
|
|
144
|
- Same as External—LearnQuick.com
- Different—
LearnQuick.local vs. LearnQuick.com
- Child—internal.LearnQuick.Com
- Internal PRIVATE name can
—and should be registered
- Firewall should separate
|
|
145
|
- (If using BIND instead of Win2000 DNS)
- BIND 4.9.7 (MINIMUM as secondary)
- BIND 8.1.2 MINIMUM to support Active Directory as the PRIMARY
- BIND 8.2 (TESTED)
- Berkeley Internet Name Domain (DNS Server)
|
|
146
|
|
|
147
|
- Create a Group Policy object (GPO)
- Link an existing GPO
- Delegate administration of Group Policy
- Group Policy inheritance
- Filter Group Policy settings with security group permissions
- Modify Group Policy
- Group Policy Objects are NOT profiles
|
|
148
|
- Local
- Site
- Domain
- OU (and all child OUs)
|
|
149
|
- Default Containers for upgraded (WinNT) objects
- Are not OUs
- Cannot have GPOs
- Merely for convenience
- Best Practice: Move these objects
to real OUs
|
|
150
|
- But, earlier GPO can be marked
“NO OVERRIDE”
- Can also “Block Inheritance” at LATER level
- Block, avoids ALL previous GPOs in chain
- “NO OVERRIDE” takes precedence
over “Block Inheritance”
|
|
151
|
- Applied from Bottom of screen UP
- Top of list is last, gets to override
|
|
152
|
- Computers
- Users
- Both
- (Can also disable)
- Permissions can FILTER GPO application
- Without APPLY GPO, GPO does not apply to user or group!
|
|
153
|
- Can be LINKED to MANY containers
- You do NOT need to re-create GPO, just LINK where needed
|
|
154
|
- Create a Group Policy Object (GPO)
- Link GPO to the Domain container
- How about multiple domains in a tree?
- Link GPO to EACH domain—there is no GP inheritance for Domains
|
|
155
|
- If hierarchical,
link to TOP OU
|
|
156
|
- Startup menu (logoff, shutdown)
- RegEdit restrictions
(prevent running RegEdit)
- Password policies (only at DOMAIN)
- Access to TaskMan and Start/Run
|
|
157
|
- Control user environments using administrative templates
- Assign script policies to users and computers
|
|
158
|
- Startup/shutdown (computer)
- Logon/Logoff (user)
- Bat, CMD, Console-VBS or JS etc.
- Kept in SysVol and replicated
|
|
159
|
- …by default
- Synchronous is really: SEQUENTIAL
Asynchronous is really: CONCURRENT
- Change to ‘asynchronous’ to allow user to gain control sooner
- Timeout is 600 seconds (can be changed)
|
|
160
|
- Publish or Assign
- Initial deployment
- Upgrades and patches
- Removal of software
|
|
161
|
- .MSI—Microsoft Installer
- .MSP—Patch files for upgrades ONLY
- .MST—transform, can modify MSI behavior
- Example:
.MST—can change dialog language
|
|
162
|
- Per user or Per computer
- Mnemonic: An Assignment is
REQUIRED
- Visible on Start menus
- Use when users MUST use software (e.g., anti-virus, email)
- When assigned to user, fully install on first use
- When assigned to computer, installs when safe (at startup)
|
|
163
|
- When user deletes application
- Removes from menus
- Assign can automatically repair
|
|
164
|
- \\toro\examsw2k\cs\AD\ADGroupPolSoftwareDeployPropsFC.gif
|
|
165
|
- \\toro\examsw2k\cs\AD\ADGroupPolSoftwareInstPropFC.gif
|
|
166
|
- Per user only (cannot publish to a machine)
- Available from Add/Remove Programs
- Mnemonics: Publish means
Advertise
- Users can READ the published papers
- (computer can’t read)
|
|
167
|
- Install on document activation
- User clicks on (starts) an associated document
|
|
168
|
- \\toro\examsw2k\cs\AD\ADAddRemoveProgsFC.gif
|
|
169
|
- Windows Installer Packages
- Maintain software by using Group Policy
- Configure deployment options
- Common problems during software deployment
|
|
170
|
- Operating system behavior
- Desktop behavior
- Security settings
- Computer startup and shutdown scripts
- Computer-assigned application options
- Application settings
|
|
171
|
- At startup
- At periodic intervals
|
|
172
|
- Operating system behavior
- Desktop settings
- Security settings
- Assigned and published applications
- Application settings
- Folder redirection options
- User logon and logoff scripts
|
|
173
|
- An administrator
- A Creator Owner
- A user with delegated access to the Group Policy object
|
|
174
|
- Covered in Server and Professional
|
|
175
|
- Authorization for RIS (done like DHCP)
- DHCP Server
- DNS Server
- Active Directory
- PXE Network Clients
…or RBFG.exe generated diskette
- User (installer) permissions on files
|
|
176
|
- Create a RIS boot disk
- Configure remote installation options
- Troubleshoot RIS problems
- Manage images for remote installations
- Can configure MULTILANGUAGE
multlng.OSC file
|
|
177
|
- Authorize a RIS server
(authorized like a DHCP server)
- Enable “respond to clients”
- Grant computer account creation rights OR…
- …Pre-stage RIS client computers for added security and load balancing
|
|
178
|
|
|
179
|
- Between domains—MoveTree
- Between OUs (within Domain)
- Between Forests—ClonePrincipal
|
|
180
|
- Native mode only (destination domain)
- Use MoveTree FROM RID Master
- MoveTree /start /s SrcSrv /d DstSrv /sdn SrcTree /ddn DstTree
- Source and Destination servers are DNS SERVER names
- Source and Destination trees are distinguished names
|
|
181
|
- movetree
/s toro.learnquick.com
/d ebi.MCSE2KHelp.com
/sdn OU=Marketing,DC=LearnQuick,DC=COM
/ddn OU=Sales,DC=MCSE2KHelp,DC=COM
(above is ALL one line)
|
|
182
|
- Right click→Move
- Does NOT support drag ‘n drop
|
|
183
|
- An accessory script to ClonePrincipal
- Not directly related to Moving Users or OUs
|
|
184
|
- Active Directory Users and Computers
- Printers
- Shared Folders (File Shares)
|
|
185
|
- Active Directory Users and Computers
- Find any object in Active
Directory
- Use simple search or advanced—any attribute
|
|
186
|
- \\toro\examsw2k\cs\AD\ADFindUsersCompFC.gif
|
|
187
|
- \\toro\examsw2k\cs\AD\ADFindUsersCompResultFC.gif
|
|
188
|
- \\toro\examsw2k\cs\AD\ADFindUsersCompResultFC2.gif
|
|
189
|
- Files and Folders
- Computers
- Printers
- People
- …or Internet resources
|
|
190
|
- \\toro\examsw2k\cs\AD\ADFindUsingExplorerFC.gif
|
|
191
|
- \\toro\examsw2k\cs\AD\ADUsersRightClickFC.gif
|
|
192
|
- ADSI
Active Directory Services Interface
- Windows Scripting Host
CScript—console & WScript—windowed
- Both VBScript and JScript
- Other languages such as Perl, TCL, REXX, and Python
|
|
193
|
- Interoperable
- Standard directory access protocols (LDAP)
- Programming interfaces (APIs)
—such as ADSI and LDAP
- Migration tools for IMPORT/EXPORT
LDIFDE (ldap)
CSVDE (comma separated)
|
|
194
|
- Permissions (ACLs and ACEs like files)
- Delegation of control
|
|
195
|
- Delegate common tasks
- Create a custom task to delegate
|
|
196
|
- Create, delete, and manage user accounts
- Reset passwords on user accounts
- Read all user information
- Create, delete, and manage groups
- Modify the membership of a group
- Manage Group Policy Links
|
|
197
|
- When All DCs are running Win2000 you can switch to Native
- Switch using Active Directory Users and Computers
- One way change—cannot go back
- Native mode has NOTHING to do with older clients, just DCs
|
|
198
|
- Universal Groups become available
- Group type conversion is enabled
- Domain Local Groups
(instead of ordinary local groups)
- Group nesting is enabled
(e.g., global in global)
- Moving users and groups into domain is enabled
|
|
199
|
- User Accounts→Global→Universal→Domain Local→Resource Permissions
- Place permissions on resource for Domain Local groups
- Put Universal groups into Domain Locals (NATIVE mode only)
- Put Global groups into Universals
- Put Users into Globals
|
|
200
|
- Only available in NATIVE mode
- Native mode also allows group nesting
Globals→Globals
Universals→Universals
- Universals should NOT contain users
|
|
201
|
- User Accounts→G→L→Resource Permissions
- User Accounts→G→U→DL→Resource Permissions
|
|
202
|
- Visible THROUGHOUT the entire Forest
- Can contain Users, Global Groups, or Universal groups from the entire
forest
- Can be added to Local Groups
|
|
203
|
- Do NOT add users to Universal Groups even though it is technically legal
- Universal Groups should SELDOM change
- Put users into Global Groups,
add Global Groups to the Universal Groups
- Add Universal Groups to Domain Local Groups
- Assign Permissions to the Domain Local
|
|
204
|
- MUST be in native mode
- If the group will contain users, probably choose Global
- If group includes Global groups, probably choose Universal
- If group includes Universal groups, cannot be Global
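The group scope and nesting rules of slides 199 through 204, as an added Python validator that is not part of the original deck: the principal names, the two-domain A-G-U-DL chain and the exact mixed/native rule set encoded in membership_error are constructed from the deck's statements and are assumptions, not Microsoft's reference implementation.

```python
from dataclasses import dataclass

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain local"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str          # one of USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL


def membership_error(group, member, native_mode):
    """Why `member` may not be placed in `group`, or None when the membership is legal.
    Assumed Windows 2000 rules: globals take users/globals from their own domain
    (global-in-global only in native mode); universals exist only in native mode and
    take users, globals and universals from any domain; domain locals take users,
    globals and (native mode) universals from any domain plus domain locals from
    their own domain (native mode)."""
    if group.kind == GLOBAL:
        if member.domain != group.domain:
            return "a global group only takes members from its own domain"
        if member.kind == USER:
            return None
        if member.kind == GLOBAL:
            return None if native_mode else "global-in-global nesting needs native mode"
        return f"a global group cannot contain a {member.kind} group"
    if group.kind == UNIVERSAL:
        if not native_mode:
            return "universal groups exist only in native mode"
        if member.kind == DOMAIN_LOCAL:
            return "a universal group cannot contain a domain local group"
        return None
    if group.kind == DOMAIN_LOCAL:
        if member.kind in (USER, GLOBAL):
            return None
        if member.kind == UNIVERSAL:
            return None if native_mode else "universal-in-domain-local needs native mode"
        if not native_mode:
            return "domain-local-in-domain-local nesting needs native mode"
        if member.domain != group.domain:
            return "domain local groups only nest within their own domain"
        return None
    return f"{group.name} is a {group.kind}, not a group"


def best_practice_warning(group, member):
    """The deck's advice on top of the hard rules: users go into globals, not universals."""
    if group.kind == UNIVERSAL and member.kind == USER:
        return "put users into a global group and nest that in the universal group"
    return None


def validate_chain(memberships, native_mode):
    """memberships: (group, member) pairs, e.g. an A-G-U-DL chain.
    Returns (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    for group, member in memberships:
        err = membership_error(group, member, native_mode)
        if err:
            errors.append(f"{member.name} -> {group.name}: {err}")
        warn = best_practice_warning(group, member)
        if warn:
            warnings.append(f"{member.name} -> {group.name}: {warn}")
    return errors, warnings


# Constructed A-G-U-DL chain across the two domains used in the deck.
HERB = Principal("Herb", "learnquick.com", USER)
G_TRAINERS = Principal("G Trainers", "learnquick.com", GLOBAL)
U_STAFF = Principal("U Staff", "learnquick.com", UNIVERSAL)
DL_SALESDATA = Principal("DL SalesData", "mcse2khelp.com", DOMAIN_LOCAL)
G_OTHERDOMAIN = Principal("G Sales", "mcse2khelp.com", GLOBAL)

AGUDLP = [(G_TRAINERS, HERB), (U_STAFF, G_TRAINERS), (DL_SALESDATA, U_STAFF)]
SHORTCUTS = [(U_STAFF, HERB), (G_TRAINERS, G_OTHERDOMAIN)]   # legal-but-unwise, and illegal

if __name__ == "__main__":
    print(validate_chain(AGUDLP, native_mode=True))     # ([], [])
    print(validate_chain(AGUDLP, native_mode=False))    # universal steps fail in mixed mode
    print(validate_chain(SHORTCUTS, native_mode=True))  # one error, one warning
```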
|
|
205
|
- Think of OUs like directories
- Think of Users like files
- NOT really true, but easy way to think about it
- Grant (or delegate) permissions on OUs
- …to local Admins who will create and manage Users
|
|
206
|
- \examsw2k\cs\AD\ADComputersRightClickFC.gif
|
|
207
|
- Applies to Computers and to Users
- May be selectively enabled/disabled (improves performance too)
- Local→Site→Domain→OU (all OUs in hierarchy)
|
|
208
|
- Use Sparingly
- Routine use of these features makes troubleshooting policy difficult
- If conflicting, No Override WINS
- …No Override from HIGHER authority cannot be blocked
|
|
209
|
- Blocks Group Policy objects from
higher in the Active Directory
…higher in the hierarchy of sites, domains, and organizational
units
- Does not block GPOs that have No Override enabled
- Block Policy inheritance ACTUALLY set on sites, domains, and OUs
…NOT set on individual Group Policy objects
- (Same GPO can link to various sites, domains, or OUs)
|
|
210
|
- Prevents subsequent modifications of active policy
- Prevents Block Inheritance
- No Override ACTUALLY set on sites, domains, and OUs
- …NOT set on individual Group Policy objects
- (Same GPO can link to various sites, domains, or OUs)
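The processing order of slides 148, 150, 151 and 152 and the Block Inheritance / No Override rules of slides 208 through 210, as an added Python resolver that is not part of the original deck: the containers, GPO names, settings and group names are constructed, and the tie-break between several No Override links (the higher container's wins) is stated as an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                   # setting -> value; a missing key is "Not Configured"
    # groups holding Read + Apply Group Policy on the GPO (security filtering)
    apply_to: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False        # "No Override" lives on the link, not on the GPO


@dataclass
class Container:
    name: str                        # site, domain or OU
    links: list = field(default_factory=list)   # as listed in the GUI: top entry first
    block_inheritance: bool = False  # "Block Policy inheritance" lives on the container


def _applies(link, groups):
    """Without Apply Group Policy the GPO is filtered out for this principal."""
    return bool(link.gpo.apply_to & groups)


def application_order(chain, groups):
    """Links that apply to a principal in `groups`, in processing order
    (the last one applied wins conflicts).

    chain: containers outermost first, e.g. [site, domain, parent OU, child OU].
    Assumed Windows 2000 semantics: within a container links apply from the bottom
    of the list up; Block Inheritance on a container discards the non-enforced links
    of every container above it; No Override links apply after everything else,
    with the higher container's enforced links applied last so they win."""
    normal = []
    for container in chain:
        if container.block_inheritance:
            normal = []                       # everything inherited so far is blocked...
        for link in reversed(container.links):
            if _applies(link, groups) and not link.no_override:
                normal.append((container.name, link))
    enforced = []                             # ...except No Override links, which cannot be blocked
    for container in reversed(chain):         # innermost first, so the outermost applies last
        for link in reversed(container.links):
            if _applies(link, groups) and link.no_override:
                enforced.append((container.name, link))
    return normal + enforced


def gpo_names(chain, groups):
    return [link.gpo.name for _, link in application_order(chain, groups)]


def resultant_settings(chain, groups):
    """Resultant set of policy: later GPOs overwrite earlier ones setting by setting."""
    result = {}
    for _, link in application_order(chain, groups):
        result.update(link.gpo.settings)
    return result


# Constructed example: Austin site, learnquick.com domain, Marketing OU with Block
# Inheritance, Sales child OU with two links plus one filtered to the Managers group.
DEFAULT_DOMAIN = GPO("Default Domain Policy", {"MinPasswordLength": 8, "DisableTaskMgr": True})
DOMAIN_DESKTOP = GPO("Domain Desktop", {"Wallpaper": "corp.bmp", "HideRun": False})
MARKETING_DESKTOP = GPO("Marketing Desktop", {"HideRun": True})
SALES_TOP = GPO("Sales Top", {"Wallpaper": "sales.bmp", "DisableTaskMgr": False})
SALES_BOTTOM = GPO("Sales Bottom", {"Wallpaper": "bottom.bmp", "HideRegedit": True})
MANAGERS_ONLY = GPO("Managers Only", {"HideRun": False}, apply_to=frozenset({"Managers"}))

CHAIN = [
    Container("Austin"),
    Container("learnquick.com", [Link(DEFAULT_DOMAIN, no_override=True), Link(DOMAIN_DESKTOP)]),
    Container("OU=Marketing", [Link(MARKETING_DESKTOP)], block_inheritance=True),
    Container("OU=Sales", [Link(SALES_TOP), Link(MANAGERS_ONLY), Link(SALES_BOTTOM)]),
]
USER = frozenset({"Authenticated Users", "Domain Users"})
MANAGER = USER | {"Managers"}

if __name__ == "__main__":
    print(gpo_names(CHAIN, USER))              # Domain Desktop blocked, Default Domain Policy enforced
    print(resultant_settings(CHAIN, USER))
    print(resultant_settings(CHAIN, MANAGER)["HideRun"])
```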
|
|
211
|
- Install Software (Publish or Assign)
- Windows Settings (Scripts and Security)
|
|
212
|
- \\toro\examsw2k\cs\AD\ADDCRightClickPropandGroupPolFC.gif
|
|
213
|
- \\toro\examsw2k\cs\AD\ADGroupPolExampleFC.gif
|
|
214
|
- \\toro\examsw2k\cs\AD\ADGroupPolLinksDiagBoxFC.gif
|
|
215
|
- Local DC—same LAN—same site
- Also true for DNS and WINS or ‘referral’ services
- Also true for DFS—server local to site is preferred
|
|
216
|
- Performance
- Fault tolerance
- Manageability
|
|
217
|
- Operations masters
- Global catalog servers
- Domain controllers
- DNS servers
|
|
218
|
- Replication—INTERSITE replication and bridgehead servers
- Up-to-date data (latency)—schedules and frequency of connections
- Bandwidth usage—Intersite replication is COMPRESSED
|
|
219
|
- RPC-IP – well-connected networks intraSite or intersite
- SMTP – asynchronous, certificate required, crosses poor links OR
firewall filters
INTERdomain–requires multiple domains
|
|
220
|
|
|
221
|
- Compressed
- RPC-IP or SMTP
SMTP (only for different domains)
- No NOTIFICATION—
uses Pull SCHEDULES
|
|
222
|
- NOT Compressed
- RPC
- Logical Ring with ‘extra edges’
- Extra edges or connections ensure no more than 3 DC hops
- Notification based & Pull
|
|
223
|
- Changes at DC cause notification of partner DCs
- DC notifies (2) other DCs which PULL changes
- Replicates to other DCs
- Other DCs notify additional DCs until all are up to date
|
|
224
|
- During available times at periodic intervals only
- Bridgehead DC from site requests changes from Bridgehead DC at other site
- (Bridgehead DC then shares changes using Intrasite replication)
|
|
225
|
- Intrasite RPC—well connected LANs
(or PERHAPS T1/T3)
- Intersite RPC—reliable WANS especially lower speed WANS
…but including many higher
speed (T1 or even T3)
- SMTP—unreliable WANS between DIFFERENT domains OR FILTERED WANS
(e.g., firewalls filtering RPC)
Might even be the reason for CREATING a domain
|
|
226
|
- Mainly to control the time or amount of replication
Usually WANS are relatively expensive or restricted
- If same site, any (or all) DCs can replicate at any time
- If same site, no compression
- If different site, only Bridgehead servers replicate
- If different site, replication is compressed
|
|
227
|
- Mainly for unreliable connections
- Perhaps dial-up (intermittent)
- VERY long distance (Foreign public telephone networks)
- High latency (perhaps satellites)
- Not connected at the same time window
- SMTP uses store and forward features of email
|
|
228
|
|
|
229
|
- Apply security policies by using Group Policy
- Using “Security Templates” (.inf files) with “Security Configuration and
Analysis” MMC
- SecEdit—command line version of tool
- Implement an audit policy
|
|
230
|
- Account Policies: Password and account lockout policies
- Local Policies: Auditing, user rights and security options policies
- Event Log: Event Log settings and Event Viewer
- Restricted Groups: Restricted Groups
- System Services: System service settings
- Registry: Registry security settings
- File System: File security settings
- Public Key Policies: Certificates and Recovery Agents
- IPSec Policies: IPSec Admin for secure communication
|
|
231
|
- Audit Policy
- User Rights Assignment
- Security Options
|
|
232
|
- How to detect if someone is deleting files?
Audit object access (success) AND enable auditing on the files themselves
- How to detect if someone is modifying accounts?
Success for “Account Management”
(or even failure)
- Can SEARCH for “Account Management”
in Event Viewer
|
|
233
|
- Use SecEdit or…
Security Configuration and Analysis (GUI)
- Both manage: Security Templates (.inf files)
- Export from correct machine
- Import to other machine(s) or Import in Group Policy (perhaps to DC
policy)
|
|
234
|
- Export with SecEdit or
Security Configuration and Analysis
- Import to (new or existing) Domain Controller Policy
- …or import to each DC local policy
|
|
235
|
- /configure (from a stored template)
- /refreshpolicy (machine_policy or user_policy)
- /export
- /analyze
- ( /validate )
|
|
236
|
|
|
237
|
|
|
238
|
- Mirror Administrative model
- Delegate or ease Administrative control
- Map existing resource domains
- Link different Administrative policy (GPO)
- Mirror geographic and company structure
|
|
239
|
- Schema can ONLY be changed at the Schema Master
- Schema can ONLY be changed by Schema Admins
- Schema changes must be enabled on the Schema Master
- Note: Enterprise and Domain
Admins are NOT Schema Admins
|
|
240
|
- Schema should be changed with great care
- Additions cannot be removed
- Generally change using programs that add new functionality
|