2008 R2 ADS Vocabulary - Session 2 Flashcards
1
Q
DNS is a network service
A
which is used to resolve computer names to Internet Protocol (IP) addresses
2
Q
The DNS server stores DNS records in the form of
A
of a distributed database
3
Q
The DNS server receives queries that contain system names
A
, and resolves these queries to IP addresses using a process known as name resolution.
4
Q
In Windows Server networks, the DNS server service can be integrated with
A
AD DS role.
5
Q
, DNS data is stored in and replicated through the
A
Active Directory (AD), providing AD DS with a mechanism to easily locate domain controllers and ensuring secure multi-master replication of zone data.
6
Q
When a Windows-based Dynamic Host Configuration Protocol (DHCP) service is implemented in the network, it automatically
A
directs all DHCP clients and servers to register their names and corresponding IP addresses with the DNS server.
7
Q
(DHCP)
A
Dynamic Host Configuration Protocol
8
Q
A DNS zone represents
A
one or more contiguous DNS domains of the DNS namespace. It is used to delegate authority and to facilitate the administration of data associated with a namespace.
9
Q
A server known as the (DNS) authoritative server is used to
A
store all the information relating to a particular zone. The same DNS server can be authoritative for a number of DNS zones.
10
Q
The procedure for transferring data from an authoritative server to a secondary server is known as
A
a zone transfer.
11
Q
Windows Server 2008 R2 supports the following types of DNS zones
A
- Primary zone
- Secondary zone
- AD integrated zones
- Stub zone
12
Q
New features of the DNS server in Windows Server 2008 R2 include support for the following:
A
- The DNAME Resource Record
- Read-Only Domain Controllers (RODC5)
- Use of Internet Protocol version 6 (IPv6)
- The GlobalNames Zone
13
Q
Other key features of the Windows Server 2008 R2 DNS server are as follows:
A
- Integration with Microsoft Networking Services such as WINS, AD DS, and DHCP
- RFC-Compliant Dynamic Updates (clients add their own records to DNS)
- DNS zones that are integrated with AD DS support secure dynamic updates
- Global Query Block List
14
Q
Advanced DNS Features
A
Forwarding
Root hints
Server scavenging
15
Q
Forwarding (DNS)
• The DNS server first tries to resolve a DNS client’s query using the data available in the local network. If no such data exists locally,
A
, the server forwards the query to a DNS server in an external network. You can configure a DNS server to forward all the queries it receives from client machines, instead of performing the name resolution itself.
16
Q
• Forwarders are responsible for handling all the
A
External traffic in a network because they forward all queries that need to be resolved to external DNS servers
17
Q
All the DNS servers in a network forward unresolved queries
A
to forwarders.
18
Q
• Conditional forwarders are forwarders configured
A
to forward queries for specific domain names to external DNS servers. You use conditional forwarders to resolve queries between two organizations.
19
Q
Root hints
A
are queries that enable a server to respond to requests from servers of unknown domains or domains higher than the server that receives the request.
20
Q
• A DNS server used as a forwarder is automatically located by other servers in the local network. However, you need to use root hints
A
to resolve the names of external DNS servers through the Internet root servers.
21
Q
• A file named—————- implements root hints for the DNS server service.
A
Cache.dns
22
Q
Cache.dns is stored on the server
A
in the following location:%
systemroot%\System32\Dns.
23
Q
The DNS and resource records for the host are also a part of the
A
Cache.dns file
24
Q
• In a private network, you can use records that are similar to the Cache.dns file to point to
A
to internal root DNS servers.
25
Server scavenging
| • In Windows Server 2008 R2, the server scavenging feature is used to
to remove old records from the zone data on a DNS server.
26
Scavenging removes stale records (records that have exceeded their refresh periods) from the zone data.
• The DNS server stamps all records with the date and time at which they are added, and uses a process known as aging to determine whether a record exceeds the refresh time period specified for it.
27
• You can configure server settings to periodically repeat scavenging to
free the zones from stale data
28
A DNS lookup is a process for
converting the IP address of a computer into its host domain name, and vice versa
29
A forward lookup zone is used to
to resolve domain names to their IP addresses.
30
A reverse lookup zone is used to
to identify the domain name corresponding to an IP address.
31
In a reverse lookup query,
a client sends a request to a DNS server for a pointer (PTR) resource record that corresponds to the IP address of a host.
32
• You can add a forward lookup zone using
the DNS Manager or the dnscmd command-line utility.
33
• You can add a reverse lookup zone using the
DNS Manager or the dnscmd command-line utility
34
• During the creation of either of these zones, you also specify whether
the zone is AD integrated and its replication scope.
35
If the zone is AD integrated then you can also
configure secure dynamic updates.
36
Forwarders and Root Hints
You can reduce the workload on a DNS server by configuring it to answer requests related to local hosts and to forward requests for external domain names to an external DNS server. A DNS server that forwards queries for external resolution is known as a forwarder.
37
Two types of queries are processed by DNS forwarding servers
* Recursive Queries
| * Iterative Queries
38
• Recursive Queries
are sent by the DNS client to the DNS server. In a recursive query, either the DNS client receives an error message such as "sorry, name not found" or it receives an exact answer for the IP address that it sends to the DNS server. If the DNS server is able to resolve the client query, it sends the resolved IP address to the client. If it cannot resolve a recursive query, it changes the recursive query to an iterative query by searching its list of forwarders and sending iterative queries to each of them.
39
• Iterative Queries are queries
where the DNS server is asked either to resolve a query or to make a best guess referral to a DNS server that may be able to resolve it.
40
Conditional forwarding means
the DNS server forwards queries to different forwarders according to the specific domain names that must be resolved.
41
When the DNS server receives a query, it first
searches its zone data and cache to resolve the query. If the search does not yield any result, the DNS server compares the domain name in the query with its list of domain name conditions:
42
If the search does not yield any result, the DNS server compares the domain name in the query with its list of domain name conditions:
* If it finds a matching condition, the query is forwarded to the IP address of the forwarder corresponding to the domain name.
* If no matching condition is found, the DNS server attempts to resolve the query using standard recursion.
* Root hints are used by a DNS server to resolve queries if forwarders are unavailable to it. In some DNS environments, root hints are used in place of forwarders. The difference is that a DNS server using forwarding will request recursion, whereas a DNS server using root hints will attempt to resolve a query recursively itself.
43
Configuring Root Hints
on a DNS server, first open the DNS Manager and then select the root hints tab in server properties. This tab allows you to add a new root hint, remove a root hint, edit an existing root hint, or copy root hints from another server.
44
Server Aging and Scavenging
Unmanaged decayed resource records can result in problems such as the following:
• Unnecessarily long zone transfers
• Degradation of the performance and response time of the DNS server
• Possible IP conflicts
45
Configure aging and scavenging for a DNS server using the
DNS Manager console or the command line.
46
Aging and scavenging are disabled by
default
47
To use the aging and scavenging features,
enable the operations on the zone, at the DNS server, or manually by individual record.
48
The scavenging and aging operations use the
the timestamps on resource records to determine when the records must be removed.
49
A DNS server sets the data time value to start scavenging on a per zone basis when
* Users enable dynamic updates for the zone
* A primary zone that is enabled to use scavenging is loaded by a DNS server
* A DNS server starts
* A zone resumes its service after it has been paused
* The administrator manually activates the Scavenge stale resource records function
50
When setting aging and scavenging properties, you need to specify the
duration for which the server must not refresh its records. This prevents unnecessary updates to existing records, thereby reducing replication traffic.
51
You also need to set the refresh interval at which the server must refresh its records. The refresh interval is the (DNS Scavenging)
period needed between when a no-refresh interval expires and when a record is considered stale.
52
Configuring Zone Delegation
| Zone delegation involves
delegating authority for a particular subdomain to a different zone, either on the same DNS server or on another DNS server. It is what enables you to divide a DNS server into one or more zones. New zones can be distributed and replicated on other DNS servers to meet the requirements of an organization.
53
In addition, zone delegation helps
distribute the load of traffic among various servers, improves DNS name resolution performance, and creates a fault tolerant environment.
54
Zone delegation is configured using the
DNS Manager console.
55
Round Robin and Recursion
| Using the DNS Round Robin technique, a DNS server
rotates the DNS records for each incoming DNS request so that successive visitors are directed to different web servers. This option is enabled by default in Windows Server 2008 R2.
56
Although Round Robin DNS is easy to implement, it has some drawbacks:
* It does not offer any failover functionality
* It does not control the order in which connections are rotated
* Attackers may exploit the process of DNS recursion to damage a network using an amplifier attack
57
CONFIGURE ZONES
| A zone is a
contiguous portion of a domain of the DNS namespace
58
There are three types of zones:
primary, secondary, and stub.
59
The DDNS is an important part of the AD because the domain controller of the AD
registers its service location resource records, which are used to locate AD domain controllers, in DNS to enable other computers in a forest or a domain to search for these records.
60
Dynamic Domain Name System
(DDNS)
61
(DDNS) is used
enables name resolution for computers with dynamic IP addresses (addresses that are assigned automatically through DHCP).
62
(SDDNS)
Secure Dynamic Domain Name System
63
(SDDNS) is used
only for zones that are integrated into AD, where only members of the domain can dynamically update DNS records.
64
Non-dynamic Domain Name System
System (NDDNS)
65
System (NDDNS)
In Windows Server 2008 R2, use a Non-dynamic Domain Name System (NDDNS) to work with existing DNS servers. In this system, database entries are
are static and must be created and updated manually.
66
Database entries in the DDNS take precedence over
those in the NDDNS.
67
To configure dynamic updates, choose one of three options:
* Allow Only Secure Dynamic Updates
* Allow Both Non-Secure and Secure Dynamic Updates
* Do Not Allow Dynamic Updates
68
Configuring DNS Zones
A DNS namespace can be divided into zones, each of which stores name information for one or more DNS domains. Forward lookup zones resolve names into IP addresses, and reverse lookup zones resolve IP addresses into names.
Initially, a zone has a single DNS domain name. You can add subdomains as members of the same zone, or add subdomains and delegate them to a new zone created for these subdomains.
69
You can configure a single DNS server to manage
one or multiple zones. You can also choose to partition domains across multiple zone files, distribute management of the domain across various groups, and make data replication more efficient.
70
A DNS server can host three types of zones:
Primary Zone
Secondary Zone
Stub Zone
71
Primary Zone
A primary zone is the main source of information relating to a zone and it is hosted by the master server.
72
Secondary Zone
A secondary zone is a read-only copy of the data in a primary zone and it is hosted on a separate server.
73
Stub Zone
A stub zone contains only resource records that are necessary to identify the authoritative DNS servers for a zone. It contains NS, SOA, and glue (A or AAAA) records.
74
DNS Integration with AD DS
When you use AD-integrated zone storage, the zone information is saved in the AD tree under a domain or application directory partition.
75
Advantages of integrating AD DS and DNS include the following:
* Automatic replication for new zones
* Streamlined administration
* Faster and more efficient replication
* Multi-master data replication
* Enhanced security
76
In the multi-master update model of the AD DS,
any primary DNS server for an AD-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available on the network.
77
To secure standard or AD-integrated DNS zones, you can do the following:
* Allow only secure dynamic updates
* Configure the Discretionary Access Control List (DACL) for a zone
* Restrict zone transfers
* Ensure secure zone delegation
78
When clients make a request for a server using a hostname without an FQDN (\\server5 or http://intranet) it can be challenging to provide consistent name resolution, especially in a multi-domain environment. The Global Name Zone (GNZ) solves this problem by being a
failover zone during lookup. If the name being requested is not the requested domain, the GNZ is checked. And since this domain can be replicated forest-wide, it can hold a consistent definition of servers that need to be available universally.
79
To create a GNZ
Create a new forward lookup zone in the DNS manager named GlobalNames
In an elevated command prompt run the following command: dnscmd /config /enableglobalnamessupport
80
For protection, the Global Query Block List can be defined to
to prevent dynamic update entries from being added to any zones that should not be (specifically rogue ISATAP and WPAD servers)
81
The DNS can be divided into zones that use zone transfers to replicate and synchronize copies of zone data on multiple DNS servers:
• Both primary and secondary DNS servers can perform zone transfers.
82
During a zone transfer, the primary server responds to a request from the secondary, or destination, server by
providing all the information required for a zone transfer.
83
A master DNS server can be used as
as primary and secondary DNS servers. If it is used as the primary DNS server for a transfer, the DNS server that hosts the primary zone directly performs the zone transfer.
84
If the master server is used as a secondary server, the zone transfer is
is performed by a read-only secondary zone file.
85
. A zone transfer can occur when
* The refresh interval has expired for a zone
* A notification to make changes in the zone file is sent by the primary server to a secondary server
* A secondary server queries the primary DNS server for a change in the zone
* A DNS console at a secondary server for the zone manually initiates a transfer from the primary server
86
A zone transfer may be either
* A full zone transfer
| * An incremental zone transfer (IXFR)
87
IXFR are faster and create less traffic than full zone transfers, and they are used as the
standard transfer type in Windows Server 2008 R2.
88
A full zone transfer is required, for example,
when you configure a new secondary DNS server to store a copy of the zone data on a primary server.
89
The transferred zone has a version number and a refresh interval specified in SOA RR properties. This is to
to enable subsequent incremental transfers.
90
The following steps occur to complete an incremental zone transfer:
* A SOA query is sent to the primary server by the secondary server to renew the zone after the refresh interval expires.
* The primary server responds to the SOA query by sending a serial number that specifies the current state of the primary server's zone data.
* The secondary server checks the serial number against its local serial number. If the sequence number in the response is greater than the local number then a zone transfer is required.
* The secondary server sends an IXFR or AXFR query to request a zone transfer to the primary server that has the current value of the zone.
* The primary server responds with a transfer according to the query the secondary server has sent - a full transfer, or if the zone has a history of recent changes, an incremental zone transfer.
91
Application Directory Partitions
| DNS zones can be stored in
a domain or in application directory partitions of AD DS.
92
Application directory partitions store zone data and ensure that it is replicated with the required scope: for example
, to all DNS servers across a forest or to all domain controllers in a domain.
93
DNS-specific application directory partitions are created automatically in each domain of the forest when
when a DNS service or AD is installed or upgraded on a domain controller.
94
The following two DNS-specific application directory partitions are created when AD is installed or upgraded on a domain controller:
* ForestDNSZone
| * DomainDNSZones
95
The Choose Zone Replication Scope dialog box enables you to choose from one of four zone replication scopes:
* To all DNS servers in this forest
* To all DNS servers in this domain
* To all domain controllers in this domain
* To all domain controllers in the scope of this directory partition
96
You can create a custom application directory domain partitions and enlist specific AD-integrated DNS servers to participate in custom replication by using the dnscmd command-line utility.
dnscmd /createdirectorypartition
| dnscmd /EnlistDirectoryPartition
97
Custom Application Directory Partitions Create it then you need to change the replication scope of the DNS zones to enable them to
to use the new application directory partition for replication using dnscmd or the DNS management console.
98
Introducing Active Directory objects
In Active directory, administrators create and manage security principals such as users.
99
The roles of a user account are as follows:
Authenticate a User Identity
| Provide Access to Domain Resources
100
Authenticate a User Identity
You can log on to several computers in the domain by using a user account that can be authenticated by a DC. You can enhance the security of the domain by not enabling multiple users to share a single account.
101
Provide Access to Domain Resources
When you are authenticated by the domain, you are allowed or denied access to the domain resources based on the permissions you are granted.
102
In AD computers also manage computer accounts to allow trusted access by the user accounts and group accounts (which are used to define more efficient access to resources) as well as Organizational Units (OUs) (which look and act like folders, allowing you to define the structure of AD) Use the following guidelines to design an OU delegation:
* Identify and create administrative groups to which rights need to be delegated
* Identify users or groups to which rights need to be delegated in the OU and place them in the administrative group
* Create objects that need to be controlled and place them in the OU
* In the administrative group, delegate administrative tasks to the OU
103
In Active Directory you can also create contact objects and create distribution groups which
cannot be assigned permissions but can be used as identity components for lookup. Creation of all these objects can be done in Active Directory Users and Computers.
104
Active Directory objects have Lightweight Directory Access Protocol (LDAP) standard distinguished names (DN). An example might be
"CN=John J. Anderson,OU=entAccounts,DC=easynomadtravel,DC=int" where "CN=John J. Anderson" represents the common name of the individual user account, "OU=entAccounts " represents the organizational unit in which the user is held, and "DC=easynomadtravel,DC=int" represents the DNS name of the user's domain.
105
Searching for different objects can be done using the
Active Directory object search interface, the saved query interface, or the dsquery.exe command-line utility.
106
Active Directory user and computer objects are security principals, but they are also securables
– they have an associated ACL
107
. Users can be delegated permission to manage objects that reside in an OU, including other users. By default, object permission applied at the OU level are
are inherited by any hosted objects – this inheritance can be filtered, and specific permission can also be applied to override any inherited permissions.
108
A deny setting always takes precedence over
over an allow permission, unless an allow permission is specifically set.
109
The Delegation of Control Wizard is used to semi-automate the process of
delegating permissions and permission sets to users.
110
Automate creation of Active Directory objects
| To create a new user account you can
can copy another user account using the ADUC interface. Many properties, such as group membership, will be copied to the new account. A dedicated account could be created specifically as a blueprint for new user accounts.
111
The DS suite of command line tools can be deployed to manage user, computer, group and OU objects –
object can be created, deleted, moved and copied and their associated attribute values can be modified, including the user account password
112
The DS suite of command line tools
* Dsadd – create a new Active Directory object
* Dsget – returns Active Directory object attribute values
* Dsmod – modifies Active Directory object attribute values
* Dsmove – moves an Active Directory object within the directory
* Dsrm – removes an Active Directory object
* Dsquery – searches for Active Directory objects and returns a result set
113
The CSVDE command utility can be deployed to import
a comma-delimited text file – a *.cve file – of user and computer accounts and their properties – it cannot be used to modify existing objects and their properties.
114
CSVDE can also export
Active Directory details – the default mode.
| C: \ > csvde –f sk-newusers.cve
115
The LDIFDE utility can be used for
adding, modifying, and removing user and computer accounts (the modifying and deleting is specified by importing an .Idf file with modify commands) – a *.ldf is used to provided the object detail. LDIFDE supports importing user passwords, and operates in export mode by default.
• C: \ > Idifde –f c:\myADdata\myLDlFmods.ldf
116
Windows PowerShell cmdlets can be used to
automate the creation of user and compute account PS C:\> New-ADUser –Name "Jack B. Yeats" –SAMAccountName jbyeats
117
The netdom.exe command can use used to
to create a domain computer account and join a computer to a domain. NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
118
Computers joined to a domain from system properties without an explicit /OU path will appear in the default Computers container of AD unless
unless the redircmp.exe command has been used to specify an alternate container.
C:\>redircmp
119
In a Windows 7 – Server 2008 R2 environment, you can deploy an offline domain join using
djoin.exe
• djoin /provision /domain /machine /machineou
• /savefile offblob.txt
120
Maintain Active Directory accounts
Active Directory user accounts can be renamed, locked/unlocked, moved, disabled and deleted
121
Active Directory user account passwords can be reset by
an administrator at any time, or changed by a user.
122
Maintain Active Directory accounts
| Administrators can manage these propreties in the
in the ADUC mmc or with DS commands or PowerShell.
123
The Active Directory user account Accounts properties allow an administrator to limit a user in the following ways:
* allowable domain log on period for an individual user
* allowable computers to log on to
* allowable dates before an account is expired
* other various defined allowable account settings (allowed log on without smart card, etc)
124
An Active Directory user accounts has an associated list
of attributes can be managed directly using the Users and Computers console, or using command-line utilities.
125
The attribute values of multiple user accounts can be alter at the
same time using the Users and Computers console (ctrl or shift clicking), dsquery piped to dsmod, or Windows PowerShell cmdlets – the list of configurable attributes is limited to certain attributes.
126
Users Accounts have many important security related properties on the "account" tab:
User Must Change Password at Next Logon
User Cannot Change Password
Password Never Expires
Store Passwords by Using Reversible Encryption
Account is Disabled
Smart Card is Required for Interactive Logon
127
User Must Change Password at Next Logon
The "User must change password at next logon" option will force a user to change the password the next time they log on to the network. You can activate this option to ensure that no one except the user knows the password.
128
User Cannot Change Password
The "User cannot change password" option prevents users from changing their passwords. You will need to enable this option when you want to maintain control over specific user accounts.
129
Password Never Expires
The "Password never expires" option prevents the expiry of user passwords. It is recommended that you do not set this option and that you enforce regular password changes for your user accounts.
130
Store Passwords by Using Reversible Encryption
The "Store passwords by using reversible encryption" option is necessary to support applications that require knowledge of the password of the user account for authentication purposes. This option will enable you to log on to a Windows network from a Mac-based network by using an Apple computer.
131
Account is Disabled
The "Account is disabled" setting prevents a user from logging on to the network.
132
Smart Card is Required for Interactive Logon
The "Smart card is required for interactive logon" option requires you to use a smart card to interactively log on to the network. You need to have a smart card reader attached to your computer and a valid personal identification number (PIN) for your smart card. When you enable this option, your user account password is set to a random and complex value, and the "Password never expires" account option is enabled.
133
Account is Sensitive and Cannot be Delegated
| The "Account is sensitive and cannot be delegated" option can be used if
a guest account or temporary account should not be assigned for delegation by another account.
134
Active Directory security groups are deployed to
to manage access to Active Directory environment resources like folder, files and printers and to provide email group distribution.
135
Active Directory distribution groups are for
email only.
136
Both group types (AD Security and distribution Groups) support the three available defined scopes –
domain local, global, or universal. A group can be converted from group type to another if needed.
137
For the greatest degree of flexibility to add more users to a group in any domain in the forest and to apply a group to a resource on any server in the domain, the recommended practice is to
to follow the AGDLP (IGDLA) and AGUDLP (IGUDLA) methods of group nesting.
138
Global groups have
limited membership (can only contain users and other global groups from its parent domain). However, the Global group has unlimited visibility (can be seen, used, given permissions, and nested in domain local groups in all domains in the forest or trusting forests or domains)
139
The Domain Local group has
unlimited membership (can include security principals (user, computer and group) from anywhere within its forest and from an external forest where external trust exists.) However, the Domain Local group has limited visibility. (It can only be seen on servers within the parent domain, and can only be nested within other Domain local groups (and almost never is))
140
Universal groups are used in
multi-domain forests and can contain global groups from any domain in the forest. They have unlimited membership and unlimited visibility. The typical use of a Universal group would be to condense the same Global group from multiple domains into a single referenced entity
141
Universal Example :
3 domains have Global Groups called Sales. Each domain also has a Domain Local group called SalesReportReaders. Without Universal groups there would have to be 3 globals nested in each domain local. If there was a change, such as a new domain with a Sales global group in the future, all three of the domains would need to update their Domain Local group. With a Universal Group, all the Sales Globals can be nested in the Universal, and the Universal can be nested in the Domain Locals. As long as the new domain is also nested in the new Universal as well, business continuity is maintained. )One note: Universal Groups are replicated within a forest in the global catalog, so changes to the content of a universal group should be minimized (ie: avoid adding individual users, add groups)
142
Group creation and attribute manipulation can be performed using command-line tools such as
DSadd, DSMod, CSVDE, LDIFDE, PowerShell (New-ADGroup, Add-ADGroupMember)
143
Shadow Group : The term Shadow group is simply a term for
a group that has the same membership as the contents of an organizational unit. There is no unscripted way to create a Shadow group.
144
Default groups and special identities are automatically created when a root domain controller is installed in a forest and during the creation of any further child or forest domains –
they are scoped mainly at the domain level, and are design to ease the management of Active Directory, and to simplify resource access.
145
• Anonymous logon
a user that gains access with a user name or password. Usually associated with remote
access, in Server 2008 and 2008 R2, this user type is not a member of the Everyone special identity group
146
• Authenticated users
– a user that has a valid name and password, and is authenticated to work on the network
147
• Everyone —
on Windows 2003+ system all authenticated Users and Domain guests Note: The domain guest account is usually turned off
148
• Interactive —
a user account that is connect directly to the local computer, or via remote desktop connection
149
• Network
— a user that is currently connected to a resource on this computer that is connecting from another network computer
150
• Creator Owner
The user that created a particular object
151
• Self —
a placeholder for you the current user
