Wednesday, February 29, 2012
Chapter 11
This chapter dealt with maintaining and troubleshooting AD and recovering after a breakdown of the system. When AD databases update, it does so by writing changes to transaction buffers, which are stored on a server's RAM. Once enough transactions (change files) are built up (10MB), it gets written to a log file. This is then compared to the original file and written to memory. It serves as a checkpoint when recovering from a crash of a server or network. Like non-server computers, the AD database can become fragmented, and must be occasionally defragmented to maintain service and speed.It can be done either automatically online or offline, if the domain controller is running very slowly. Backing up AD was discussed next. Like normal server data, AD can be configured to back its database up on a schedule, or can be manually backed up. Restoring AD was next. Restorations can be done through replication, or the command line using wbadmin which can restore a domain controller to its previous setup to do a nonauthoritative restoration. Ntdsutil can be used to do an authoritative restoration, which can restore or repair an OU. This also restores all the objects within the OU via back links. Monitoring AD was next. As with the previous MOAC classes, the book went through how to setup and understand alerts using event viewer and the graphical reliability/performance monitor. The book discussed that the events recorded in these two tools should be monitored and traced in order to troubleshoot AD issues before they cause a critical stoppage.
Sunday, February 26, 2012
Chapter 10
This chapter covered how to plan a group policy management and implementation strategy. GP settings are controlled by an MMC snap-in called Policy Management. It includes a suite of tools that allows an admin to run GP backups, produces reports of how settings on AD policies of various levels, etc. Starter GPO's are templates that an administrator can use to create GPO's for their organization. Each new group policy made with the starter GPO will inherit the settings of the template. Security group filtering allows GPO settings to be applied to specified people within the organization, allowing those with the need to access certain resources or applications able to use them, even if the GPO setting would not normally allow it. WMI filtering allows an admin to create queries based on the configuration of a system and its hardware in order to determine where a GPO will be applied. Once a series of GP settings is implemented (the total of all settings is called a resultant set of policy) it can be difficult to predict the final outcome. There are a few tools (resultant set of policy wizard, GP results & GP modeling components of GP management and GPResult command-line tool) that can analyze and report the final set of policy and its affects on a user's computing environment.
Chapter 9
This chapter covered how to install software through group policy. Like much of the content of MOAC courses, alot of this was covered in CIS-256. Essentially, group policy can be used to install, modify or uninstall programs across a network using Win 2008. MSI files are those that perform this function. Some software does not allow for changes to MSI files, so these can be changed with what's called transform software to allow deployment via group policy. Software can be either published or assigned using GP deployment. Assigned programs are individually given to a specific user or machine, whereas published software is available to everyone on the network to download and install if they have need of it. It also functions in that if a user attempts to open a file with an extension on it requiring a specific application, it can automatically install to allow the file to be used by the end user.Software restriction policies can be set on software, allowing the admin to disallow programs of certain kinds to function on the computer. This includes rules for software publishers, hash, certificate, network zone and path rules.
Saturday, February 25, 2012
Chapter 8
This chapter covered configuring the user and computer environments using group policy. Like a few other chapters in this course's book, alot of this was covered in CIS-256.The first section of the chapter focused on security policies you can set through GP. The admin can set many different policies in the group config node for a GPO, including local policies, system services, registry file system and IPsec, etc. The user config node allows the admin to set public key and software restriction policies. One new application for account policies for server 08 is the ability to have a specific password policy implemented for a specific user within a domain, either less or more restrictive than those set in the password policy for the group, called fine-grained password policies. Audit policies allow administrators to track security events, including user attempts to access restricted resources. Event viewer can be configured to log only certain events, size, retention and the access rights of the log. There are logs for each type of service (AD, DNS, etc.) as well. Folder redirection is a GP folder that allows the admin to set the contents of a folder they specify to go to a network or another folder on the user's hard drive. This allows a folder's contents to be backed up as part of the server backup process and allows a user to gain access to a folder that would normally be inaccessable if it id on their personal machine, rather than on a network somewhere. Offline files allows users to modify copies of files that are stored on the network, and the changes made are then made to the original when the machine is reconnected. Disk quotas set the amount of space a user can store on a network.Group policy can be set ona refres interval automatically or manually, if the admin wants to set a policy that does not require a restart of their machine.
Monday, February 20, 2012
Chapter 7
Chapter 7 dealt with group policy. According to the book, group policy is a method of controlling settings across an AD network.GP has benefits in the cost of a network to an organization, in that it streamlines networks and user accounts on a network, and thus reduces the total cost of ownership, one of the two prime financial measures of cost effectiveness for a computer network in a corporation. An object called the Group Policy Container is created when the AD domain services role is installed in the MMC and contains policy information and settings. The MMC has a snap-in called the Group Policy Management Editor that is used to create group policies and their settings, which are divided into two categories; computer configuration and user configurations.
Sunday, February 19, 2012
Chapter 6
This chapter dealt with security planning and AD administrative delegation. The first part of the chapter discussed the need for the use of strong passwords and the need to educate users on the network of this need so as to tighten security for users.Then, the need to secure the administrator account was gone over, a repeat from chapter 5. Like many of the other MOAC courses I;ve taken through MCC, it was recommended that the admin account not be used for anything other than administrative tasks, and that all normal daily tasks be done on a non-admin user account instead, as an admin account getting hacked is much more damaging to a network than a simple user account. Next, organizing and planning an organizational unit (OU) structure was discussed. It is best to do this with the corporate structure in mind, with consideration for turnover rate, layers of control, etc.Once the OU structure is complete, leaf objects (users, computers, printers, etc.) can be moved around by dragging/dropping them or using the Move option on a right click.
Chapter 5
This chapter was devoted to AD administration or more specifically, how to deal with user and group accounts. User accounts are the method users access network resources. These allow users to access the network either on a specific machine (local account) and domain accounts, which are used to access network-associated resources. The second is a group account, where a number of users, usually broken down by function in an organization, are all assigned specific permissions and resources as a block.Group scopes are a part of group accounts, and control what objects it can have in it and controls where in the domain the group can be used.Win server 2008 has several tools available in it used to create AD objects, including batch files, CSVDE, LDIFDE and WSH.
Saturday, February 18, 2012
Chapter 4
This chapter deals the global catalog and flexible single master operations roles in the MMC. Global catalogs are used for several purposes, including facilitating object searches in the forest, resolving UPN's, maintaining universal group membership info and maintaining a copy of all objects int he domain. By default, the first domain controller in a forest is designated as the global catalog server. Flexible single master operations roles were discussed in the book next. FSMO roles are single-master roles that one DC in an AD forest or domain can control, and are used so as to minimize errors that could result from having multiple DC's carry out certain procedures, including adding or deleting domains from the AD forest. Three of the domain-specific roles of FSMO are the RID master (assigns relative IDs to domain controllers in the domain), Infrastructure master (updates references between domain objects and other domains) and the PDC emulator (provides backward compatibility with Microsoft .NET domains). Two forest-wide roles in AD are the domain naming master (manages the creation/deletion of domains, domain trees,apps data and partitions in the forest) and the schema master (manages changes in the AD schema). When a FSMO server goes down, roles can be continued by other servers vie either role transfer (moving a role fro mone server to another) or role seizure (moving a role to another server forcibly, usually when a server goes down forever).
Friday, February 17, 2012
Chapter 3
This chapter covered how to work with AD sites. Replication sites are a means by which admins can control replication traffic between AD domain controllers, both when the controllers are on the same server (intrasite replication) and on separate servers (intersite replication). Intersite replication communications are done using a compressed signal, whereas intrasite traffic isn't, in order to conserve bandwidth.After giving this lowdown, the book went through how the replication process worked. Replication occurs whenever an object is added to a domain, the value of an attribute changes or the name of an object changes. Whenever changes are made to an AD domain controller, the normal thing is for the AD controller to communicate changes to each other (replication). If changes take place on more than one domain controller, the replication goes to a bridgehead server which then makes the decision, based on several criteria (timestamp, etc) as to which change is replicated and then transmits this to all other domain controllers. Wit intrasite replication the knowledge consistency checker (KCC) to to map network topology between domain controllers. Intranetwork replication follows a rule that says no replication traffic should have to go more than 3 hops to hit an AD domain controller that can originate a change to the AD database in order to minimize the time required to change all the domain controllers' information. KCC can be configured manually, though doing this removes its ability to automate topology mapping. Intersite replication uses site links through which it communicates changes in AD domain controllers for a multisite network. It uses the intersite topology generator (ISTG) which chooses a bridgehead server and maps the network between sites. AD can use either RPC over IP or SMTP when senting replication traffic to AD domain controllers. AD occasionally has to deal with errors in replication, which are logged in event viewer. KCC can be forced to run under some of these circumstances in order to complete replication. AD replication is monitored by Dcdiag and Repadmin tools included in AD.
Monday, February 13, 2012
Chapter 2
Chapter 2 covered implementing AD on a network. First, the chapter went through Server Manager again, and how to do the initial config tasks (change the time and date). The next portion went through the minimum requirements for installing AD on the server. The forest root domain is the first of the domains installed on an AD server. According to the chapter, the root domain (unlike in a Linux machine) cannot be deleted, though any child domain within it can be once it is installed. The first domain controller installed will contain all the FSMO, or flexible single master operations roles which all function as a unit to allow the server to function in a multimaster capacity required by AD. Once AD is installed, the book advises you to a check on some systems to verify it installed and was configured correctly. These include application partition directory partition creation, aging & scavenging for zones, Forward lookup zones and SRV records and reverse lookup zones. The book described that the functional level of the AD domain is able to be raised to incorporate acquisitions as the structure of an organization changes, though the transition is one-way and can't be lowered again without reinstalling an entire domain. The book mentioned that the admin should install a second domain controller for fault tolerance, and to lessen the workload on the first controller. Read-only domain controllers (RODC's) can be hosted in an AD server in order to enhance network security where there is minimal security on a server. It also allows the server to be configured with a password replication policy, which keeps the passwords for that site's accounts and no others. If that specific server is stolen or hacked, it will not have passwords cashed from other sites in it. RODC's can be partially installed by an administrator, then installed the rest of the way by site admins. If a RODC server is taken or hacked, the admin can set the users' accounts on the affected server to reset, allowing the admin to then reset the passwords for those whose accounts were on the RODC. Modifying an AD schema is considered to be a potentially disruptive task on a server, and should be done on an outside network before implementing it network-wide. Trust relationships were covered next. These allow cross or out-of-network access to others while maintaining security in a system.
Subscribe to:
Posts (Atom)