Assignment 6/7 – Active Directory

Question 1

1. What is Active Directory? What term is used to describe managed components within the Active Directory database?

Answer 1

Active Directory is the database of all managed components within the domain. Components are called objects and include computers, users, account policies, roles, services, etc.

Question 2

2. What are the three roles that a computer can take on within a domain environment?

Answer 2

Client – users of the domain services
Member Server – provides services to the domain and clients
Domain Controller – maintains the Active Directory database

Question 3

3. What is the name of the file used to store the Active Directory database?

Answer 3

The Active Directory database is stored in a file called Ntds.dit.

Question 4

4. Describe the differences between a domain, tree and a forest with respect to domain structure.

Answer 4

A domain is an administratively-defined collection of network resources that share a common directory database and security policies.

A tree is a group of domains based on the same namespace that share a common schema, share resources between domains, and have two-way trust relations

A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.

Question 5

5. How are domains identified?

Answer 5

Domains are identified by their domain name. For example, Camosun.BC.CA for Camosun College.

Question 6

6. What is the difference between a default container and an organizational unit (OU)?

Answer 6

A container is a built-in structure for holding objects. Containers cannot be renamed, deleted, or have group policy applied to them.

Question 7

7. What is meant by a ‘trust relationship’ between domains?

Answer 7

Trust relationship allows users in one domain to use services within another domain. Child and Parent domains generally have a two way trust relationship by default.

Question 8

8. What is the process used by domain controllers to maintain consistency between the active directory information?

Answer 8

Domain Controllers use replication to maintain consistency.

Question 9

9. What is the process of promoting a member server to become a domain controller?

Answer 9

Install the Active Directory Domain Services role and use the Active Directory Domain Services Configuration Wizard to promote the server to become the Domain Controller.

Question 10

10. What is a common role to install at the same time as promoting a member server to a domain controller?

Answer 10

If a server is being promoted to a Domain Controller, then the DNS role is usually installed as well.

Question 11

11. What are some important settings to verify before promoting a member server to become a domain controller?

Answer 11

Make sure the computer name is correct.
Make sure the time zone is set correctly.
Use a static IP address.

Question 12

12. What are four methods for installing the Active Directory Domain Services Role?

Answer 12

Add a domain controller to an existing domain – replica domain controller
Add a new domain to an existing forest as a Child domain.
Add a new domain to an existing forest as a new tree.
Add a new forest when there is no existing domain.

Question 13

13. What is Windows Azure?

Answer 13

Windows Azure is a Microsoft cloud service used to create and maintain the Active Directory Role and Services.

Question 14

14. What is a Global Catalog server?

Answer 14

A Global Catalog Server is a domain controller used for searches and logons. They contain information about other objects in other forests as well as its own domain.

Question 15

15. What is meant by a ‘site’? How are sites typically defined?

Answer 15

A site is a physical representation of a network and is usually defined by an IP address range.

Question 16

16. What are the default containers and OU created when Active Directory is installed?

Answer 16

Default Containers:
Builtin
Computers
Users
ForeignSecurityPrincipals
ManagedServiceAccounts

Default OU:
Domain Controllers

Question 17

17. How many OUs should be ‘nested’ as recommended by Microsoft?

Answer 17

The maximum suggested is five.

Question 18

18. What is the primary reason for creating OUs besides organizing objects?

Answer 18

The primary reason besides keeping objects organized is to allow policy settings to be applied to the container and the subsequent objects inside them.

Question 19

19. What is the primary purpose of a domain user account versus a local user account?

Answer 19

Domain user accounts provide users the ability to access domain resources and control what they have access to.

Question 20

20. What is assigned to each user account?

Answer 20

Security Identification – SID

Question 21

21. What are the five recommendations when working with user accounts?

Answer 21

Use Active Directory to create and manage your user accounts.
Make use of templates if user accounts have similar settings
Manage the passwords- either have the user change it or select a fixed password.
Create a user profile to track environment settings and resouces.
Deprovision a user – remove access rights when a user account is no longer used.

Question 22

22. What is a computer account used for in Active Directory?

Answer 22

A computer account is used to manage a network computer – not just one specific user.
Policies can be applied to a computer and any user logging on to that computer will be subject to those policies.

Question 23

23. Who has the ability to create a computer account?

Answer 23

Account Operators
Domain Administrators
Enterprise Administrators

Question 24

24. What is a group?

Answer 24

A group is used to collect user account, computer accounts, and other group accounts and allow them to be managed.

Question 25

What are the two types of groups?

Answer 25

Security groups used to manage rights and permissions Distribution groups used to maintain a list of users for operations like e-mailing.

Question 26

26. What are some of the group scopes?

Answer 26

Group scope is used to define the extent within a domain that a group of users or computers will have access to domain resources. Group scope can be local, domain local, global, or universal.

Question 27

27. What are some best practices for user and group security?

Answer 27

Create groups based on user access needs. Assign user accounts to the appropriate groups Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.

Question 28

28. What are two methods for adding or removing members of a group?

Answer 28

On the group object, edit the Members tab and add the group member. On the user account, edit the Members Of tab and select the group to which you want to add the user.

Question 29

What is the AGDLP strategy for creating and managing groups?

Answer 29

Use the following sequence when creating and managing groups: Accounts – create the user/computer accounts Global groups – create the group and add the member accounts Domain Local groups – create the group that contains the resources you need to grant the accounts access to. Permissions – assign the permissions for the resource.

Question 30

30. What is the basic principle behind delegating administrative authority?

Answer 30

Delegating administrative authority shares administrative tasks with other users, but allows for strict control over specific administrative abilities.

Question 31

31. What are some of the advantages of using Azure AD?

Answer 31

Some advantage of Azure AD include: * User authentication goes through the local ISP and Internet to the Azure cloud instead of a local domain controller. This means no local server is necessary to deploy or manage saving time and money. * Active Directory replication is not necessary as all the information is stored centrally on the Azure cloud. * Users do not have to be on site to authenticate or use a VPN to connect to the site to be authenticated.

Question 32

32. What are some of the drawbacks of using Azure AD?

Answer 32

Some drawbacks of Azure AD include: * Users could lose Internet connectivity and lose access to the domain. * Many AD aware server applications do not recognize Azure AD yet. * You are completely dependent on Microsoft to maintain and manage your AD domain connectivity. If there is an outage with the Azure service, then you will not be able to connect to your domain.