Saturday, March 3, 2012

Chapter 13

This chapter dealt with how to configure AD Certificate Services.AD certificate services is the PKI system AD uses in the identity lifecycle management to adapt to a user as they are added, change roles and leave an organization. Much of the introductory information dealt with PKI and how it works, which was covered in CIS 155, 185, 186 and touched on in many other CIS classes at MCC. Windows server 08 allows you to configure certificate templates within the certificate services role. When a certificate template's security is configured, AD users can request and download them as needed. The role can also be used to administer PKI across wireless networks.

Friday, March 2, 2012

Chapter 12

This chapter dealt with configuring name resolution and other services. Like many other MOAC classes, this chapter's information was partially covered in another class. The first part of the chapter went over DNS name resolution.This refers to translation of a web address (www.whatever.com) into an IP address that computers use to route traffic. DNS is the system by which these names are assigned, and are done in a distributive and hierarchical manner across the internet with top level domains (.com, .net, etc.) An AD domain controller can also be configured as a DNS server.

Wednesday, February 29, 2012

Chapter 11

This chapter dealt with maintaining and troubleshooting AD and recovering after a breakdown of the system. When AD databases update, it does so by writing changes to transaction buffers, which are stored on a server's RAM. Once enough transactions (change files) are built up (10MB), it gets written to a log file. This is then compared to the original file and written to memory. It serves as a checkpoint when recovering from a crash of a server or network. Like non-server computers, the AD database can become fragmented, and must be occasionally defragmented to maintain service and speed.It can be done either automatically online or offline, if the domain controller is running very slowly. Backing up AD was discussed next. Like normal server data, AD can be configured to back its database up on a schedule, or can be manually backed up. Restoring AD was next. Restorations can be done through replication, or the command line using wbadmin which can restore a domain controller to its previous setup to do a nonauthoritative restoration. Ntdsutil can be used to do an authoritative restoration, which can restore or repair an OU. This also restores all the objects within the OU via back links. Monitoring AD was next. As with the previous MOAC classes, the book went through how to setup and understand alerts using event viewer and the graphical reliability/performance monitor. The book discussed that the events recorded in these two tools should be monitored and traced in order to troubleshoot AD issues before they cause a critical stoppage.

Sunday, February 26, 2012

Chapter 10

This chapter covered how to plan a group policy management and implementation strategy. GP settings are controlled by an MMC snap-in called Policy Management. It includes a suite of tools that allows an admin to run GP backups, produces reports of how settings on AD policies of various levels, etc. Starter GPO's are templates that an administrator can use to create GPO's for their organization. Each new group policy made with the starter GPO will inherit the settings of the template. Security group filtering allows GPO settings to be applied to specified people within the organization, allowing those with the need to access certain resources or applications able to use them, even if the GPO setting would not normally allow it. WMI filtering allows an admin to create queries based on the configuration of a system and its hardware in order to determine where a GPO will be applied. Once a series of GP settings is implemented (the total of all settings is called a resultant set of policy) it can be difficult to predict the final outcome. There are a few tools (resultant set of policy wizard, GP results & GP modeling components of GP management and GPResult command-line tool) that can analyze and report the final set of policy and its affects on a user's computing environment.

Chapter 9

This chapter covered how to install software through group policy. Like much of the content of MOAC courses, alot of this was covered in CIS-256. Essentially, group policy can be used to install, modify or uninstall programs across a network using Win 2008. MSI files are those that perform this function. Some software does not allow for changes to MSI files, so these can be changed with what's called transform software to allow deployment via group policy. Software can be either published or assigned using GP deployment. Assigned programs are individually given to a specific user or machine, whereas published software is available to everyone on the network to download and install if they have need of it. It also functions in that if a user attempts to open a file with an extension on it requiring a specific application, it can automatically install to allow the file to be used by the end user.Software restriction policies can be set on software, allowing the admin to disallow programs of certain kinds to function on the computer. This includes rules for software publishers, hash, certificate, network zone and path rules.

Saturday, February 25, 2012

Chapter 8

This chapter covered configuring the user and computer environments using group policy. Like a few other chapters in this course's book, alot of this was covered in CIS-256.The first section of the chapter focused on security policies you can set through GP. The admin can set many different policies in the group config node for a GPO, including local policies, system services, registry file system and IPsec, etc. The user config node allows the admin to set public key and software restriction policies. One new application for account policies for server 08 is the ability to have a specific password policy implemented for a specific user within a domain, either less or more restrictive than those set in the password policy for the group, called fine-grained password policies. Audit policies allow administrators to track security events, including user attempts to access restricted resources. Event viewer can be configured to log only certain events, size, retention and the access rights of the log. There are logs for each type of service (AD, DNS, etc.) as well. Folder redirection is a GP folder that allows the admin to set the contents of a folder they specify to go to a network or another folder on the user's hard drive. This allows a folder's contents to be backed up as part of the server backup process and allows a user to gain access to a folder that would normally be inaccessable if it id on their personal machine, rather than on a network somewhere. Offline files allows users to modify copies of files that are stored on the network, and the changes made are then made to the original when the machine is reconnected. Disk quotas set the amount of space a user can store on a network.Group policy can be set ona refres interval automatically or manually, if the admin wants to set a policy that does not require a restart of their machine.

Monday, February 20, 2012

Chapter 7

Chapter 7 dealt with group policy. According to the book, group policy is a method of controlling settings across an AD network.GP has benefits in the cost of a network to an organization, in that it streamlines networks and user accounts on a network, and thus reduces the total cost of ownership, one of the two prime financial measures of cost effectiveness for a computer network in a corporation. An object called the Group Policy Container is created when the AD domain services role is installed in the MMC and contains policy information and settings. The MMC has a snap-in called the Group Policy Management Editor that is used to create group policies and their settings, which are divided into two categories; computer configuration and user configurations.