Active Directory Domain Services

81 terms by bella_rose_DW 


Microsoft Server 2008

Active Directory Domain Services (AD DS)

The Windows Server 2008 role that provides a centralized directory and authentication service for Microsoft networks.

Active Directory Lightweight Directory Services (AD LDS)

Role that gives developers a place to store data for directory-enabled applications without incurring the overhead of extending the Active Directory schema to support their applications.

Domain Controller (DC)

A server that stores the Active Directory database and authenticates users to the network during logon.

Replication

The process of keeping each domain controller in sync with changes that have been made elsewhere on the network.

Outbound replication

Occurs when a domain controller transmits replication information to other domain controllers on the network.

Inbound replication

Occurs when a domain controller receives updates to the Active Directory database from other domain controllers on the network.

Major Benefits of AD Services

Centralized resource and security admin
Single logon for access to global resources
Fault tolerance and redundancy
Simplified resource location

Functional Levels

Designed to offer support for AD domain controllers running various supported operating systems by limiting functionality to specific software versions. As legacy DCs are decommissioned, administrators can modify the functional levels to expose new functionality within AD.

When AD DS is installed on a Windows Server 2008 DC, what tools are added to the Administrative Tools folder?

AD Users and Computers
AD Domains and Trusts
AD Sites and Services
ADSI Edit

Fault Tolerant

The ability to respond gracefully to a software or hardware failure. Specifically, the network continues providing authentication services after the failure of a DC.

Read-Only Domain Controller (RODC)

Introduced in Windows Server 2008, a DC that holds a read-only copy of the ntds.dit file. No changes can be written to it, so it performs inbound replication only and never originates changes for other DCs within AD.

ntds.dit

AD database information file stored on each DC.

Multimaster database

AD is a multimaster database: administrators can update ntds.dit on any writable DC, and the change then replicates to the other DCs.

Loose Consistency

Individual DCs in an AD environment may contain slightly different information at any given moment, because it can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment.

Publish

An option that allows users to access network resources by searching the Active Directory database for the desired resource.

Container Object

An object that is used to organize other objects.

Leaf object

An object that does not contain other objects and usually refers to a resource such as a printer, shared folder, user, or group.

What are the Container Objects that are found in Server 2008?

Forests
Domain Trees
Domains
Organizational Units (OUs)

Forests

The largest container object within AD.
Defines the fundamental security boundary within AD: a user can access resources across an entire AD forest using a single logon/password combination.

Partitions/Naming Contexts (NCs)

The AD database is divided into these portions so that access and replication are more efficient: each portion can be replicated only where it is needed.

Minimum number of NCs on a DC, and their names?

Three:
Schema NC
Configuration NC
Domain NC

Schema Naming Context

Contains the rules and definitions that are used for creating and modifying object classes and attributes within AD.

Configuration Naming Context

Contains information regarding the physical topology of the network (sites, site links, and replication connections), as well as other configuration data that must be replicated throughout the forest.

Domain Naming Context

Consists of user, computer, and other resource information for a particular AD domain.

Schema and Configuration NCs are replicated--

Forest-wide - shared by every domain and domain tree within the forest.

Domain Naming Context is replicated --

To each DC within a single domain only.

Domain Tree

In AD, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship.

Forest -- Domain Tree --- Domains structure

Each AD forest can contain one or more Domain trees. Each Domain tree can contain one or more domains.

Domain

A grouping of objects in AD that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems.

Global catalog replication

The global catalog is a partial, read-only replica of every domain NC in the forest. It is not held by every DC; it replicates only to DCs that have been configured as global catalog servers.

Forest Root Domain

The first domain created within an AD forest.

Organizational Units (OUs)

A container that represents a logical grouping of resources that have similar security or administrative guidelines.

OU structure

Modeled after the company's organizational chart, departments, and/or resource needs. Group Policy settings and permissions applied to an OU are inherited by all child objects of the container unless inheritance is blocked.

delegation of control

Administration of an OU is tasked to a department supervisor or manager, thus allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords.

Name the objects that can be contained in an OU.

Users, Groups, Contacts
Printers,Shared folders
Computers, OUs, InetOrgPerson

What is the Fourth Partition type, first introduced in Windows Server 2003?

Application partition.
Gives administrators fine control over replication scope: the data is replicated only to the DCs they choose, rather than to every DC in a domain or forest.
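The naming contexts and application partitions a DC holds are advertised on its RootDSE entry, so you can confirm the three mandatory NCs and discover any application partitions without opening a snap-in. The following is an added example, not part of the original card set; it assumes a domain-joined host that can reach a DC over LDAP, and the only names it hard-codes come from RootDSE itself.

```powershell
# Added example: read the naming contexts a DC holds from its RootDSE entry.
# Assumes a domain-joined host with LDAP access to a DC (no AD module needed;
# [ADSI] works on Windows PowerShell 2.0 as shipped with Windows Server 2008).
$rootDse = [ADSI]"LDAP://RootDSE"

# The three NCs every DC holds, as named on the cards above
$schemaNc = $rootDse.schemaNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value

"Schema NC        : $schemaNc"
"Configuration NC : $configNc"
"Domain NC        : $domainNc"

# Anything else listed in namingContexts is an application partition; on a DC that
# also hosts AD-integrated DNS you typically see DomainDnsZones and ForestDnsZones.
$appPartitions = @($rootDse.namingContexts) | Where-Object {
    @($schemaNc, $configNc, $domainNc) -notcontains $_
}
"Application partitions held by this DC:"
$appPartitions | ForEach-Object { "  $_" }

# Which DC answered, and whether it is a global catalog (isGlobalCatalogReady=TRUE)
"Answered by      : $($rootDse.dnsHostName.Value)"
"Global catalog   : $($rootDse.isGlobalCatalogReady.Value)"
```

Run it against different DCs (replace `LDAP://RootDSE` with `LDAP://dc2.example/RootDSE`, where the host name is yours) to see that the schema and configuration NCs are identical forest-wide while the default NC and application partitions vary per DC.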

object

An element in AD that refers to a resource.

Attributes

Characteristics (properties) associated with an object class in AD. The set of attributes a class carries is what distinguishes that class from the others in the database.

Where are the attributes defined?

In the Schema, but the same attribute can be associated with more than one object class.

Schema

Master database that contains definitions of all objects in AD. It contains two components: object classes and attributes.

Name the Object classes automatically created when AD is installed.

Users, Groups
Computers, DCs
Printers

Common Attributes of all Object Classes

Unique name (the distinguished name)
Globally unique identifier (GUID): a 128-bit value, usually written in hexadecimal, stored in objectGUID
Required object attributes (the class's mustContain / systemMustContain)
Optional object attributes (the class's mayContain / systemMayContain)
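Which attributes are required and which are optional for a class is defined in the schema NC, but each class only lists its own additions; the rest come from the classes it inherits from (user inherits from organizationalPerson, person, and top). The script below, added here as an example and not taken from the cards, walks that inheritance chain and merges the required and optional attribute lists. It assumes a domain-joined host with LDAP access to a DC; attributes contributed by auxiliary classes (such as securityPrincipal) are deliberately not walked, so the result is the structural chain only.

```powershell
# Added example: resolve the required and optional attributes of a schema class by
# walking subClassOf up to 'top'. Uses System.DirectoryServices (works on PS 2.0).
function Get-AdClassAttributes {
    param([string]$ClassName)

    $rootDse    = [ADSI]"LDAP://RootDSE"
    $schemaRoot = [ADSI]("LDAP://" + $rootDse.schemaNamingContext.Value)

    $required = @(); $optional = @(); $chain = @()
    $current  = $ClassName
    while ($current) {
        $s = New-Object System.DirectoryServices.DirectorySearcher($schemaRoot)
        $s.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$current))"
        'subClassOf','systemMustContain','mustContain','systemMayContain','mayContain','schemaIDGUID' |
            ForEach-Object { $null = $s.PropertiesToLoad.Add($_) }
        $r = $s.FindOne()
        if (-not $r) { throw "Schema class '$current' not found" }

        $chain    += $current
        # SearchResult property names come back lower-cased; missing ones yield nothing
        $required += @($r.Properties['systemmustcontain']) + @($r.Properties['mustcontain'])
        $optional += @($r.Properties['systemmaycontain'])  + @($r.Properties['maycontain'])

        # 'top' is its own parent, which ends the walk
        $parent = [string]$r.Properties['subclassof'][0]
        if ($parent -eq $current) { $current = $null } else { $current = $parent }
    }

    New-Object PSObject -Property @{
        Class            = $ClassName
        InheritanceChain = ($chain -join ' -> ')
        Required         = @($required | Where-Object { $_ } | Sort-Object -Unique)
        Optional         = @($optional | Where-Object { $_ } | Sort-Object -Unique)
    }
}

$userClass = Get-AdClassAttributes -ClassName 'user'
"Chain   : $($userClass.InheritanceChain)"
"Required: $($userClass.Required -join ', ')"
"Optional: $($userClass.Optional.Count) attributes, e.g. $(($userClass.Optional | Select-Object -First 5) -join ', ')"
```

The required list is what the directory refuses to create an object without (cn, objectClass, instanceType, nTSecurityDescriptor, and so on, all inherited from top); everything an application later sets on a user, from mail to userAccountControl, comes from the optional list.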

Access Control Lists (ACLs)

Maintained by administrators and used by the directory to record which users and groups have permission to access specific objects and to what degree they can read, use, or modify them. Every AD object carries its own ACL (stored in nTSecurityDescriptor); the ACL on a container is what delegation of control modifies.
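Delegation of Control is implemented entirely as ACEs on the OU's ACL, so auditing what a department manager can actually do means reading that ACL back rather than trusting the wizard's summary. The script below is an added example, not part of the original set: it lists the explicit (non-inherited) ACEs on an OU and resolves each ACE's object-type GUID to the extended right (for example "Reset Password") or attribute it applies to. It assumes a domain-joined host with LDAP access to a DC and uses the page's example OU and domain, which are assumptions.

```powershell
# Added example: list explicit ACEs on an OU and name the right or attribute each one covers.
# Works with System.DirectoryServices alone (no AD module), so it runs on Windows Server 2008.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# An ACE's ObjectType GUID is either an extended right / property set (found under
# CN=Extended-Rights in the configuration NC) or a schema attribute/class (schemaIDGUID).
function Resolve-AdObjectType {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return '<all rights/properties>' }

    $er = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Extended-Rights,$configNc")
    $er.Filter = "(rightsGuid=$Guid)"
    $hit = $er.FindOne()
    if ($hit) { return [string]$hit.Properties['displayname'][0] }

    # schemaIDGUID is stored as an octet string, so the filter needs each byte escaped as \xx
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    $sc = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $sc.Filter = "(schemaIDGUID=$escaped)"
    $hit = $sc.FindOne()
    if ($hit) { return [string]$hit.Properties['ldapdisplayname'][0] }
    return $Guid.ToString()
}

function Get-OuDelegation {
    param([string]$OuDn)
    $ou  = [ADSI]"LDAP://$OuDn"
    $acl = $ou.ObjectSecurity        # ActiveDirectorySecurity for this OU
    # explicit ACEs only ($true, $false): these are what delegation added on this container
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) | ForEach-Object {
        New-Object PSObject -Property @{
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            AppliesTo   = Resolve-AdObjectType $_.ObjectType
            Inheritance = $_.InheritanceType
        }
    }
}

# OU path is the page's example (assumed); substitute your own
Get-OuDelegation 'OU=Sales,DC=lucernepublishing,DC=com' |
    Format-Table Identity, Type, Rights, AppliesTo, Inheritance -AutoSize
```

Look for ExtendedRight entries whose AppliesTo resolves to "Reset Password" or WriteProperty entries on member, and check the Inheritance column: an ACE with inheritance type All or Descendents applies to every object created under the OU later, not just the ones present today.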

Site

One or more IP subnets connected by fast, reliable links.
Usually means all computers that are connected via a single LAN.

Knowledge Consistency Checker (KCC)

An internal AD process that automatically creates and maintains the replication topology.

KCC operates under which snap-in?

The AD Sites and Services snap-in, located in the Administrative Tools folder on the DC or on an administrative workstation with the Administrative Tools installed. The KCC runs on every DC; the snap-in is where its generated connection objects can be viewed.
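Because AD is only loosely consistent, the practical question for the replication, inbound/outbound replication and KCC cards above is "which partners are failing or stale right now?". The following is an added example, not from the original set: it parses the CSV form of repadmin /showrepl and flags partners with failures or with no successful inbound replication within a threshold, then shows how to make the KCC recompute the topology. It assumes you run it on a DC (or a host with the AD DS tools) as a domain administrator; the column names are those repadmin prints in its /csv header, the 2-hour threshold and the DC host name are assumptions.

```powershell
# Added example: inbound replication health from "repadmin /showrepl /csv".
# Assumes repadmin.exe (installed with the AD DS role / RSAT) and domain admin rights.
function Get-ReplicationHealth {
    param([string]$DcName = '*', [int]$MaxAgeHours = 2)   # '*' = every DC in the forest

    # /csv emits one row per inbound partner per naming context; the first column is
    # "showrepl_COLUMNS" in the header and "showrepl_INFO" on data rows.
    $rows = repadmin /showrepl $DcName /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures    = [int]$r.'Number of Failures'
        $lastSuccess = $null
        try { $lastSuccess = [datetime]$r.'Last Success Time' } catch { }   # "0" when never succeeded
        $stale = (-not $lastSuccess) -or (((Get-Date) - $lastSuccess).TotalHours -gt $MaxAgeHours)

        New-Object PSObject -Property @{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            LastSuccess   = $lastSuccess
            Failures      = $failures
            LastError     = $r.'Last Failure Status'    # Win32 error code, 0 when none
            Problem       = ($failures -gt 0) -or $stale
        }
    }
}

Get-ReplicationHealth | Where-Object { $_.Problem } |
    Format-Table Destination, Source, NamingContext, LastSuccess, Failures, LastError -AutoSize

# Ask the KCC on one DC to recompute its replication topology now, then push all partitions
# to every partner across sites (host name is an assumption; use one of your DCs)
repadmin /kcc dc1.lucernepublishing.com
repadmin /syncall dc1.lucernepublishing.com /A /e /P
```

A row whose LastSuccess is older than your longest site-link schedule, with Failures at zero, usually means the KCC has not built a connection for that partner at all; a non-zero LastError with recent failures points at RPC, DNS, or Kerberos problems between the two DCs.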

Lightweight Directory Access Protocol (LDAP)

Industry standard that enables data exchange between directory services and applications.

What defines the naming of all objects in the AD database?

The LDAP standard. This means AD provides a directory that can be integrated with other LDAP directory services, such as Novell eDirectory, and with AD-aware applications, such as MS Exchange.

Distinguished Name (DN)

Used by LDAP to refer to an object. The DN references an object in the AD directory structure using its entire hierarchical path, starting with the object itself and including all parent objects up to the root of the domain.

LDAP naming attributes defined

CN = common name
OU = organizational unit name
DC = domain component, one for each label of the DNS domain name

JSmith of the sales department of lucernepublishing.com - what is the DN?

CN=JSmith,OU=Sales,DC=lucernepublishing,DC=com
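Building a DN by string concatenation is where most LDAP bugs start: a common name containing a comma ("Smith, John") or a plus sign would be read as extra path components unless the RDN value is escaped as RFC 4514 requires. The function below is an added example, not part of the cards: it assembles a DN from the three naming attributes the cards list, escapes the values, and checks that the object really exists before the DN is used. The domain and OU names are the page's example; the assumption is a domain-joined host with LDAP access to a DC.

```powershell
# Added example: construct and validate a DN from its naming attributes.
function ConvertTo-EscapedRdnValue {
    param([string]$Value)
    # RFC 4514: escape \ , + " < > ; = anywhere; a leading space or '#', and a trailing space
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    if ($escaped.StartsWith(' ') -or $escaped.StartsWith('#')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function New-UserDn {
    param(
        [string]$CommonName,
        [string[]]$OuPath,      # innermost OU first, e.g. 'Sales' or @('Reps','Sales')
        [string]$DnsDomain      # e.g. 'lucernepublishing.com' -> DC=lucernepublishing,DC=com
    )
    $parts  = @("CN=" + (ConvertTo-EscapedRdnValue $CommonName))
    $parts += $OuPath | ForEach-Object { "OU=" + (ConvertTo-EscapedRdnValue $_) }
    $parts += $DnsDomain.Split('.') | ForEach-Object { "DC=$_" }
    return ($parts -join ',')
}

# The card's example, and a name that needs escaping
New-UserDn -CommonName 'JSmith'      -OuPath 'Sales'           -DnsDomain 'lucernepublishing.com'
New-UserDn -CommonName 'Smith, John' -OuPath @('Reps','Sales') -DnsDomain 'lucernepublishing.com'

# Never trust a constructed DN blindly: confirm the object exists, then read back the DN
# the directory itself reports for it
$dn = New-UserDn -CommonName 'JSmith' -OuPath 'Sales' -DnsDomain 'lucernepublishing.com'
if ([ADSI]::Exists("LDAP://$dn")) {
    ([ADSI]"LDAP://$dn").distinguishedName.Value
} else {
    Write-Warning "No object at $dn"
}
```

For the card's input the function returns CN=JSmith,OU=Sales,DC=lucernepublishing,DC=com; for "Smith, John" the comma is emitted as "\," so the DN still has exactly one CN component.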

User Principal Names (UPNs)

In Windows Server 2008, follows the format username@lucernepublishing.com. Provides consistency between the user's logon name and the user's email name.

Domain Name System (DNS)

The name resolution mechanism computers use for all Internet communications and for private networks that use the AD domain services included with Windows Server 2008 and earlier server versions.

What provides the translation of the host name to its IP Address?

DNS

What is a foundational requirement for AD?

DNS. The DC role cannot be installed on a server unless that server can locate an appropriate DNS server, either on the same machine or elsewhere on the network.

Locator Service

The function DNS performs for AD: it directs network clients to the servers that perform a given role (for example, which hosts are DCs, KDCs, or global catalog servers).

SRV Records

The locator records within DNS that allow clients to locate an AD domain controller or global catalog.

The ability to resolve SRV records allows clients to do what?

Authenticate into the AD.

What do dynamic updates permit DNS clients to do?

To automatically register and update their information in the DNS database.
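The locator service, SRV record and dynamic update cards above describe one mechanism, so a single check covers them: query the SRV names the DC locator asks for, see which DC the locator actually picked, and re-register the records. The script below is an added example, not from the original set. It assumes Resolve-DnsName (the DnsClient module shipped with Windows 8 / Windows Server 2012 and later; on Windows Server 2008 use nslookup -type=SRV with the same names), nltest.exe, and the page's example domain as the forest root.

```powershell
# Added example: verify the SRV records clients need to find DCs, KDCs and GCs.
function Test-AdLocatorRecords {
    param([string]$DnsDomain, [string]$Server)   # $Server: optional DNS server to ask directly

    $names = @(
        "_ldap._tcp.dc._msdcs.$DnsDomain",     # domain controllers offering LDAP
        "_kerberos._tcp.dc._msdcs.$DnsDomain", # KDCs
        "_gc._tcp.$DnsDomain"                  # global catalogs; registered under the FOREST root name
    )
    foreach ($name in $names) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query.Server = $Server }
        $answers = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
        if (-not $answers) {
            Write-Warning "No SRV record for $name : clients cannot locate this role"
            continue
        }
        foreach ($a in $answers) {
            New-Object PSObject -Property @{
                Record = $name; Target = $a.NameTarget; Port = $a.Port
                Priority = $a.Priority; Weight = $a.Weight
            }
        }
    }
}

Test-AdLocatorRecords -DnsDomain 'lucernepublishing.com' |
    Format-Table Record, Target, Port, Priority, Weight -AutoSize

# What the DC locator on this host actually chose, with the flags it matched
# (GC, KDC, WRITABLE, CLOSEST_SITE). Domain name is the page's example.
nltest /dsgetdc:lucernepublishing.com
nltest /dsgetdc:lucernepublishing.com /gc

# Dynamic update: a client re-registers its A/PTR records; a DC re-registers its SRV records
ipconfig /registerdns
nltest /dsregdns
```

A DC that shows up in Test-AdLocatorRecords but not in nltest /dsgetdc output is usually in another site; a DC missing from the SRV answers entirely has not registered, which is what nltest /dsregdns on that DC (and the Netlogon event log) will tell you.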

Forest and Domain Functional Levels

Designed to offer support for AD DCs running various supported operating systems. As you decommission legacy controllers, you can modify these functional levels to expose new functionality within AD.

Rolling Upgrades

Upgrade strategy based on functional levels that allows enterprises to migrate their AD DCs gradually, based on the need and desire for the new functionality.

How are changes to functional level performed?

An administrator makes the change manually. Note that once the change has taken place, it is not reversible: you would have to perform a domain- or forest-wide restore of the AD database to return your network to the previous functional level.

What are the three domain functional levels supported in Windows Server 2008?

Windows 2000 Native
Windows Server 2003
Windows Server 2008

What is allowed in Windows 2000 Native domain functional level?

Backward compatibility with Windows 2000.
Allows Windows 2000, Windows Server 2003, and Windows Server 2008 DCs.

What is allowed in Windows Server 2003 domain functional level?

Only Windows Server 2003 and Windows Server 2008 DCs are allowed.

What is allowed in Windows Server 2008 domain functional level?

No backward compatibility. Only Windows Server 2008 DCs are supported.

Windows 2000 Native Domain Functional Level features

Install from Media
Application Directory Partitions
Drag-and-drop User Interface
Universal groups

Windows Server 2003 Domain Functional Level features

All listed in Windows 2000 Native
Replicated lastLogonTimestamp attribute
User password on inetOrgPerson
Domain rename

Windows Server 2008 Domain Functional Level features

All listed in Windows Server 2003
Improved SYSVOL replication (DFS Replication instead of FRS)
Improved encryption for authentication methods (AES support for Kerberos)
Improved auditing of user logons
Multiple password policies per domain (fine-grained password policies)
RODCs

Name the three forest functional levels

Windows 2000
Windows Server 2003
Windows Server 2008

What is the default forest functionality enabled when Windows Server 2008 DC is introduced into the network?

Windows 2000

Windows 2000 Forest Functional features

Install from Media
Universal Group Caching
Application Directory Partitions
Enhanced user interface

Windows Server 2003 Forest Functional features

All listed in Windows 2000
Improved replication of group objects
Improved ISTG functionality
Conversion to inetOrgPerson objects
Schema deactivations to attributes & classes
Dynamic auxiliary class objects
Domain renaming
Cross-forest trusts
All new domains at Windows Server 2003 domain functional level

Windows Server 2008 forest functional features

All listed in Windows Server 2003
All new domains at Windows Server 2008 domain functional level

Guidelines to raise the forest functional level

Log on as a member of the Enterprise Admins group.
Connect to the DC that holds the Schema Master role.
Check that all DCs in every domain are running an OS supported by the targeted forest functional level.
Remember that raising the forest functional level is irreversible.
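The four guidelines above are checks you can script before touching anything, and since the raise is irreversible it is worth doing so. The script below is an added example, not from the original set. It assumes the ActiveDirectory PowerShell module (first shipped with Windows Server 2008 R2 and RSAT; Windows Server 2008 itself raises levels in the AD Domains and Trusts snap-in) and that the forest root is the page's example domain. The target level and the '2008' match string are assumptions for a raise to Windows Server 2008.

```powershell
# Added example: pre-flight checks before raising the forest functional level.
Import-Module ActiveDirectory

$forest = Get-ADForest
$target = 'Windows2008Forest'
"Current forest functional level: $($forest.ForestMode)"
"Current domain functional levels:"
$forest.Domains | ForEach-Object { "  $_ : $((Get-ADDomain -Identity $_).DomainMode)" }

# 1. Enterprise Admins membership (RID 519 in the forest root domain); the raise is forest-wide
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$eaSid = (Get-ADGroup -Identity "$((Get-ADDomain -Identity $forest.RootDomain).DomainSID)-519").SID
$isEa = $me.Groups -contains $eaSid
"Running as Enterprise Admin: $isEa"

# 2. Target the schema master rather than whichever DC answered
"Schema master: $($forest.SchemaMaster)"

# 3. Every DC in every domain, RODCs included, must run an OS the target level supports
$dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$dcs | Sort-Object Domain, HostName |
    Format-Table HostName, Domain, OperatingSystem, IsReadOnly, IsGlobalCatalog -AutoSize
$legacy = @($dcs | Where-Object { $_.OperatingSystem -notmatch '2008' })
if ($legacy.Count -gt 0) {
    $names = ($legacy | ForEach-Object { $_.HostName }) -join ', '
    Write-Warning "Decommission or upgrade these DCs before raising to ${target}: $names"
    return
}

# 4. Irreversible: rehearse with -WhatIf and take a system-state backup of a DC in each
#    domain first. Drop -WhatIf only when you mean it.
if ($isEa) {
    Set-ADForestMode -Identity $forest -ForestMode $target -Server $forest.SchemaMaster -WhatIf
}
```

The same pattern applies to a single domain: check Domain Admins membership, target the PDC emulator (Get-ADDomain's PDCEmulator property), filter the DC list to that domain, and use Set-ADDomainMode.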

trust relationship

Enables administrators of a particular domain to grant access to their domain's resources to users in other domains.

describe the trust relationships in an AD forest

When a child domain is created, it automatically receives a two-way transitive trust with its parent domain (a parent-child trust),
and
when a new domain tree is created, the root domain of the new tree automatically receives a two-way transitive trust with the forest root domain (a tree-root trust).

shortcut trust

A manually created transitive trust (one-way or two-way) between two domains in the same forest that allows child domains in separate trees to authenticate more efficiently by eliminating the tree-walking of the trust path.

tree-walking

The trust path up a domain tree through the child and parent domains to the root domain, across to the root of the other tree, and then down that tree to the desired child domain.

external trust

A one-way or two-way, nontransitive trust that is established with a Windows NT domain or with a single Windows 2000 or later domain in a separate forest.

cross-forest trust

A transitive trust (one-way or two-way), also called a forest trust, that allows resources to be shared between two AD forests. Requires the Windows Server 2003 forest functional level or higher in both forests.
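Trusts are also the paths an attacker follows between domains, so the trust cards above are worth turning into an inventory you can run. The script below is an added example, not part of the original set: it enumerates the trusts the current domain and forest hold through System.DirectoryServices.ActiveDirectory (available on Windows Server 2008 without the AD module), labels each with the type defined on the cards, and checks SID filtering on the external and forest trusts, which is what stops a SID in a foreign account's SID history from being honoured across the boundary. It assumes you run it as a domain administrator on a domain-joined host.

```powershell
# Added example: inventory trusts and map them to the trust types described above.
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

function Describe-Trust($t) {
    # TrustType values come from the .NET enum; CrossLink is what the cards call a shortcut trust
    $kind = switch ([string]$t.TrustType) {
        'ParentChild' { 'parent/child (automatic, two-way transitive)' }
        'TreeRoot'    { 'tree root (automatic, two-way transitive)' }
        'CrossLink'   { 'shortcut (manual, transitive within the forest)' }
        'External'    { 'external (manual, nontransitive)' }
        'Forest'      { 'cross-forest (manual, transitive between forests)' }
        default       { [string]$t.TrustType }
    }
    New-Object PSObject -Property @{
        Source    = $t.SourceName
        Target    = $t.TargetName
        Direction = $t.TrustDirection      # Inbound, Outbound or Bidirectional
        Kind      = $kind
    }
}

"Trusts held by domain $($domain.Name):"
$domain.GetAllTrustRelationships() | ForEach-Object { Describe-Trust $_ } |
    Format-Table Source, Target, Direction, Kind -AutoSize

"Forest trusts held by forest $($forest.Name):"
$forest.GetAllTrustRelationships() | ForEach-Object { Describe-Trust $_ } |
    Format-Table Source, Target, Direction, Kind -AutoSize

# SID filtering should be enabled on every trust that crosses the forest boundary
foreach ($t in $domain.GetAllTrustRelationships()) {
    if ([string]$t.TrustType -eq 'External') {
        "SID filtering toward $($t.TargetName): $($domain.GetSidFilteringStatus($t.TargetName))"
    }
}
foreach ($t in $forest.GetAllTrustRelationships()) {
    "SID filtering toward forest $($t.TargetName): $($forest.GetSidFilteringStatus($t.TargetName))"
}
```

Read the Direction column from the resource owner's point of view: an Outbound trust from your domain means your domain trusts the target and its users can be granted access to your resources, so that is the side whose SID filtering status matters.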
