Active Directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996 and first used with Windows 2000.
What is LDAP?
Lightweight Directory Access Protocol. It is a communication protocol; the whole of ADS works on it.
The AD database is saved in a folder on the domain controller, and you can see other files also in this folder. These are the main files controlling the AD structure:
- ntds.dit
- edb.log
- res1.log
- res2.log
- edb.chk
How to share AD folders
Schema NC, Configuration NC, Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
If too many DCs are configured to become GC servers, it will cause replication overhead between the DCs across the forest.
The Knowledge Consistency Checker (KCC) is a built-in process that runs on each domain controller and regenerates the replication topology for all directory partitions that are contained on that domain controller. The KCC runs at specified intervals, every 15 minutes by default, and designates replication routes between domain controllers over the most favorable connections that are available at the time.
How can you forcibly remove AD from a server and what do you do later? Can I get user passwords from the AD database?
Answer: Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory using ntdsutil. There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.
RDP - 3389
FTP - 21, 20; Telnet - 23; HTTP - 80; DNS - 53; Kerberos - 88; LDAP - 389; DHCP - 68
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read
and write relationship that hosts copies of the Active Directory.
Security-related modifications are replicated within a site immediately. These changes include account
and individual user lockout policies, changes to password policies, changes to computer account
passwords, and modifications to the Local Security Authority (LSA).
When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an
existing DC to update the directory and replicate from the DC the required portions of the directory. If
the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to
fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS
records. The Active Directory Installation Wizard verifies a proper configuration of the DNS
infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory
Installation Wizard.
Organizations that operate on radically different bases may require separate trees with distinct
namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations
merge or are acquired and naming continuity is desired. Organizations form partnerships and joint
ventures. While access to common resources is desired, a separately defined tree can enforce more
direct administrative and security restrictions.
Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active
Directory Users and Group Manager, Active Directory Replication (optional, available from the
Resource Kit), Active Directory Schema Manager (optional, available from adminpak)
Structural class:
The structural class is important to the system administrator in that it is the only type from which new
Active Directory objects are created. Structural classes are developed from either the modification of
an existing structural type or the use of one or more abstract classes.
Abstract class:
Abstract classes are so named because they take the form of templates that actually create other
templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for
the defining objects.
Auxiliary class:
The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a
structural class, it provides a streamlined alternative by applying a combination of attributes with a
single include action.
88 class:
The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was
adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common
use for the development of objects in Windows Server 2003 environments.
Windows Server 2003 provides a command called Repadmin that provides the ability to delete
lingering objects in the Active Directory.
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest
or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000,
there was typically one GC on every site in order to prevent user logon failures across the network.
When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.
No.
If you delete a user account and attempt to recreate it with the same user name and password, the
SID will be different.
Credential Management feature of Windows Server 2003 provides a consistent single sign-on
experience for users. This can be useful for roaming users who move between computer systems. The
Credential Management feature provides a secure store of user credentials that includes passwords
and X.509 certificates.
"Save password as encrypted clear text" must be selected on User Properties Account Tab Options,
since the Macs only store their passwords that way.
Dial-in,
VPN,
dial-in with callback.
All the documents and environmental settings for the roaming user are stored locally on the system,
and, when the user logs off, all changes to the locally stored profile are copied to the shared server
folder. Therefore, the first time a roaming user logs on to a new system the logon process may take
some time, depending on how large his profile folder is.
Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
1. Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
2. It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
3. If the ë file exists, it has the highest priority among the numerous policies.
4. %SystemRoot%\System32\GroupPolicy
5. Group policy template and group policy container.
6. %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
7. The computer settings take priority.
8. gponame -> User Configuration -> Windows Settings -> Remote Installation Services -> Choice Options is your friend.
9. Microsoft NetMeeting policies.
10. Via group policy, security settings for the group, then Software Restriction Policies.
11. A text file can be used to add applications using the Software Installer, rather than the Windows Installer.
12. The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
13. Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
14. 90 minutes give or take.
15. It's now .
16. Make sure you check å among the options when creating the policy.
17. The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
18. You can't.
19. User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
20. It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
21. FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
22. They don't, both have support for sharing.
23. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
24. It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into the Run window.
25. Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.
26. Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
27. Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
28. The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
29. Use the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
30. In the Partition Knowledge Table, which is then replicated to other domain controllers.
31. Yes.
32. Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
33. Yeah, you can't. Install a standalone one.
34. Symmetric.
35. A time stamp is attached to the initial client request, encrypted with the shared key.
36. RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
37. Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
38. Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
39. A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.
40. More restrictive in Windows Server 2003.
41. User's last 6 passwords.
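The token-to-ACL matching described in the SID paragraph earlier and in items 25 and 26 (any matching Allow grants a right, any matching Deny removes it regardless of other groups, and a deleted-and-recreated account's new SID matches nothing in the old ACL), as an added Python model written for this page; it is not Windows code. It simplifies real DACL evaluation by collecting all matching Allow and Deny bits instead of walking a canonically ordered ACE list, which gives the same result for the cases the items describe. The SIDs (a placeholder domain part plus RIDs), group names and ACL are constructed.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    """A few file rights, enough to model Allow/Deny evaluation."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class Ace:
    """One access control entry: which SID, which rights, Allow or Deny."""
    sid: str
    rights: Right
    allow: bool  # True for an Allow ACE, False for a Deny ACE


@dataclass(frozen=True)
class Token:
    """The account's security token: its own SID plus the SIDs of its groups."""
    user_sid: str
    group_sids: frozenset

    def sids(self) -> set:
        return {self.user_sid, *self.group_sids}


def effective_rights(token: Token, acl: list) -> Right:
    """Collect Allow and Deny bits from every ACE whose SID appears in the token.
    A right denied by any matching ACE is removed even if another ACE allows it
    (item 26); a right allowed by any matching ACE is otherwise granted (item 25)."""
    allowed = Right(0)
    denied = Right(0)
    for ace in acl:
        if ace.sid not in token.sids():
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied


def check_access(token: Token, acl: list, requested: Right) -> bool:
    """True only if every requested right survives the Deny-wins evaluation."""
    return requested in effective_rights(token, acl)


# Constructed SIDs: the domain part is a placeholder, not a real domain's SID.
DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
DOMAIN_USERS = DOMAIN + "-513"   # RID 513 is the well-known Domain Users RID
FINANCE = DOMAIN + "-1201"
CONTRACTORS = DOMAIN + "-1202"

FILE_ACL = [
    Ace(DOMAIN_USERS, Right.READ, allow=True),
    Ace(FINANCE, Right.READ | Right.WRITE, allow=True),
    Ace(CONTRACTORS, Right.WRITE, allow=False),  # explicit Deny on write
]

ALICE = Token(DOMAIN + "-1104", frozenset({DOMAIN_USERS, FINANCE}))
BOB = Token(DOMAIN + "-1105", frozenset({DOMAIN_USERS, FINANCE, CONTRACTORS}))
CAROL = Token(DOMAIN + "-1106", frozenset({DOMAIN_USERS}))
# Alice's account deleted and recreated with the same name and password: it gets
# a new SID and empty group membership, so nothing in the old ACL matches it.
ALICE_RECREATED = Token(DOMAIN + "-1300", frozenset())

if __name__ == "__main__":
    for name, tok in [("alice", ALICE), ("bob", BOB), ("carol", CAROL),
                      ("alice (recreated)", ALICE_RECREATED)]:
        print(f"{name}: read={check_access(tok, FILE_ACL, Right.READ)} "
              f"write={check_access(tok, FILE_ACL, Right.WRITE)}")
```

Bob is in Finance, which allows write, but his Contractors membership carries a Deny on write, so he keeps only read; the recreated Alice ends up with no effective rights at all, which is why the page answers "No" to reusing a SID.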
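Items 36, 39 and 41 together: a password-history check that remembers an account's last 6 passwords as salted, iterated digests rather than bare MD5/SHA-1 hashes, so a stored history cannot be matched against a dictionary of precomputed hashes. This is an added Python example written for this page, not the Windows implementation; the sample passwords are constructed and the PBKDF2 salt size and iteration count are choices made here, not values from the page.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_LENGTH = 6  # "User's last 6 passwords" (item 41)


def digest_bits(algorithm: str) -> int:
    """Output size in bits of a hashlib algorithm: md5 -> 128, sha1 -> 160 (item 36)."""
    return hashlib.new(algorithm).digest_size * 8


class PasswordHistory:
    """Remembers the last N passwords of one account as salted PBKDF2 digests.

    Keeping a bare MD5 or SHA-1 of each old password would expose the history to
    the dictionary attack of item 39: hash every candidate once and compare.
    A random per-entry salt plus an iterated KDF forces every candidate to be
    re-derived separately for every entry, which is what makes the stored
    history safe to retain."""

    def __init__(self, remember: int = HISTORY_LENGTH, iterations: int = 100_000):
        # iterations is an example parameter, not a value from the page
        self.remember = remember
        self.iterations = iterations
        self._entries = deque(maxlen=remember)  # (salt, digest), oldest first

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def is_reused(self, password: str) -> bool:
        """True if the candidate equals any remembered password (constant-time compare)."""
        return any(
            hmac.compare_digest(self._derive(password, salt), digest)
            for salt, digest in self._entries
        )

    def set_password(self, password: str) -> None:
        """Reject a password still in the history; otherwise record it, dropping the oldest."""
        if self.is_reused(password):
            raise ValueError(f"password matches one of the last {self.remember} passwords")
        salt = os.urandom(16)
        self._entries.append((salt, self._derive(password, salt)))

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed sample passwords for one account.
    history = PasswordHistory(iterations=10_000)
    for pw in ["Winter2003!", "Spring2004!", "Summer2004!",
               "Autumn2004!", "Winter2004!", "Spring2005!"]:
        history.set_password(pw)
    print("reuse of first password blocked:", history.is_reused("Winter2003!"))
    history.set_password("Summer2005!")  # seventh change pushes the first out of the window
    print("first password allowed again:", not history.is_reused("Winter2003!"))
    print("md5 bits:", digest_bits("md5"), "sha1 bits:", digest_bits("sha1"))
```

The deque with maxlen=6 is the whole "remember 6" policy: the seventh change silently evicts the oldest entry, after which that password is accepted again, exactly the window item 41 describes.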
How do you view replication properties for AD?
What are sites? What are they used for?
Name some OU design considerations?
What are FSMO Roles? List them.
Logical Diagram of Active Directory? What is the difference between child domain & additional domain Server?
What are Active Directory Groups?
Group Types
Security groups
Distribution groups
Group Scopes
Domain Local Group
Global Group
Primary DNS
Secondary DNS
Active Directory Integrated DNS
Forwarder
Caching only DNS
PTR records resolve IP addresses into hostnames.
As you can see, you need to type the reversed IP address and add "in-
addr.arpa" to it to query for PTR records. This is called reverse DNS.
One common myth about PTR records is that they are created for domain
names and your domain has to have one to make sure your mail will not be
rejected by other mail servers. The truth is that PTR records are created for IP
addresses, not domain names. This means that if you are using our servers to
send mail, you do not need to worry about your PTR record. IP addresses of all
our mail servers already have PTR records created.
If, however, you are using not only our mail server, but also some other server
outside our network and that mail server IP does not have a PTR record
created, we have no way to change that and you need to contact the company
which owns that mail server. For example, if you are sending mail through your
ISP mail server, you will need to contact their support team and request to
configure PTR records for all IP addresses their mail servers are using.
You can also always verify whether a particular IP address has a PTR record
created by running the "nslookup" tool or going to a site like
http://www.dnsreport.com.
For example:
C:\>nslookup
Default Server: ns2.msoutlookonline.net
Address: 207.5.44.30
>
Server: ns2.msoutlookonline.net
Address: 207.5.44.30
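The reverse-name construction the text describes (reverse the address, append in-addr.arpa) and the forward-confirmation check that receiving mail servers commonly apply on top of a PTR lookup, as an added Python example; it is not from the original page or the hosting provider whose text is quoted above. The DNS data is a constructed in-memory table standing in for a resolver: ns2.msoutlookonline.net and 207.5.44.30 are taken from the nslookup output above, while the 203.0.113.x / 198.51.100.x / 2001:db8:: addresses and the example.net hostnames are made-up documentation values. It goes one step beyond the text by also handling IPv6 (ip6.arpa).

```python
import ipaddress

# Constructed DNS data standing in for a live resolver (see lead-in).
SAMPLE_PTR = {
    "30.44.5.207.in-addr.arpa": "ns2.msoutlookonline.net",
    "9.113.0.203.in-addr.arpa": "mail.example.net",   # PTR names a host...
    ipaddress.ip_address("2001:db8::1").reverse_pointer: "mx6.example.net",
}
SAMPLE_FORWARD = {
    "ns2.msoutlookonline.net": {"207.5.44.30"},
    "mail.example.net": {"203.0.113.10"},             # ...whose A record is a different IP
    "mx6.example.net": {"2001:db8::1"},
}


def reverse_pointer_name(ip: str) -> str:
    """Reverse the address and append in-addr.arpa (IPv4) or ip6.arpa (IPv6).
    Raises ValueError for anything that is not an IP address."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip: str, ptr_table=SAMPLE_PTR):
    """Hostname the PTR record maps this address to, or None if no PTR exists."""
    return ptr_table.get(reverse_pointer_name(ip))


def forward_confirmed(ip: str, ptr_table=SAMPLE_PTR, forward_table=SAMPLE_FORWARD) -> bool:
    """Forward-confirmed reverse DNS: the PTR hostname must resolve back to the same IP.
    A PTR alone is not enough; a mismatch is treated the same as a missing record."""
    host = lookup_ptr(ip, ptr_table)
    if host is None:
        return False
    wanted = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == wanted for a in forward_table.get(host, ()))


if __name__ == "__main__":
    for ip in ["207.5.44.30", "203.0.113.9", "198.51.100.7", "2001:db8::1"]:
        print(ip, "->", reverse_pointer_name(ip), "PTR:", lookup_ptr(ip),
              "forward-confirmed:", forward_confirmed(ip))
```

The second sample address has a PTR but its hostname's A record points elsewhere, so the check fails; this is the case the text's "we have no way to change that" paragraph is about, since only the owner of the address block can fix the reverse zone.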
Step By Step Tutorial: How to migrate DHCP server from a Windows Server 2003 to Windows Server 2008
What are some of the items that can be accessed via the System Properties dialog box?
What Windows Server 2008 service is used to install client operating systems over the network?
How is a server running Windows Server 2008 configured as a domain controller, such as the domain controller for the root domain or a child domain?
How can you make sure that network clients have the most recent Windows updates installed and have other important security features such as the Windows Firewall enabled before they can gain full network access?
TelNet ---------- 23
SMTP ---------- 25
DNS ----------- 53
TFTP ----------- 69
WINS ---------- 42
BootP ---------- 67
DHCP ---------- 68
SSH ------------ 22
RAP ----------- 38