
DNS -- pages 393 to 449

Forward/Reverse Lookup Zones


Primary Zones/Secondary Zones
page 409 -
Zone properties - Security tab allows you to delegate permissions for a specific zone.
Active Directory Integrated
page 393
Benefits: Multi-master, secure dynamic updates (only domain members can dynamically register), AD Repl is encrypted.
DDNS
page 398
Static DNS NDDNS page 415
- example GNZ - Global Name Zones page 409
TTL
page 408
SOA
page 411
zone scavenging
page 412
Aging/Scavenging can be configured on each zone or on all zones on the server.
stub zone
page 412
Forwarders
page 409
If forwarding options are not available, delete any Root Zones if they exist, then create the forwarder.
.(Root) Zones also prevent the DNS servers from doing lookups with the Root Hints.
Conditional Forwarders
page 440
For forwarding DNS requests for specific domains.
Root hints
page 410
zone delegation
page 412
Manually created and updated referral to a DNS server that is authoritative in a child domain.
round robin
page 411
disable recursion
disables forwarders
debug logging
page 449
Off by default, creates overhead, turn on temporarily to troubleshoot in case you want to log DNS incoming/outgoing queries/transfers.
server scavenging
page 411
BIND secondaries 2003 on by default, 2008 off by default
page 412
Server Properties - allows Zone Transfer to a UNIX Secondary DNS Server.
Application Directory partitions
page 407
Replication Scope
page 414
IXFR
page 412
Remember, Secondary DNS servers need to be allowed on the Zone Transfers tab.
DNS Notify
page 409
Secure zone transfers
page 412 - AD integrated
SOA records
page 434
NS records
page 424
dnscmd.exe
page 442
DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile> (this will export a zone to a zone file even if it's AD Int)
DnsCmd <ServerName> /CreateDirectoryPartition <FQDN of partition> (this will create a partition in case you wanted to replicate an AD-int zone to only certain DC's)
Active Directory page 461-
1) install ADDS - AD Domain Services from Server Manager 2) run dcpromo.exe
dcpromo.exe
page 461
/unattend
page 462
remove a domain
page 480 - Domain Naming Master must be present
1) run dcpromo (answer file can be used) 2) uninstall ADDS from Server Manager
ADMT
page 573
domain and forest functional levels
page 557
previous version
page 558
alternate upn suffixes
page 49 and 118
Created with "AD Domains and Trusts" admin tool
forestprep
page 465
domainprep
page 466
forest trust
page 588
selective authentication
page 593
transitive trust
page 578
external trust
page 587
shortcut trust
page 586
Can be either one-way or two-way, but are always transitive (because it is a trust between 2 domains in the same forest)
sid filtering
page 592-593
configured with netdom.exe
subnets
page 509
site links
page 535
DEFAULTIPSITELINK connects all sites by default. This can be renamed and modified. The default Replication Interval is 180 minutes, which can be lowered to 15 minutes to decrease latency.
site link costs
page 541
infrastructure
page 544 - can use repadmin.exe
DFS replication of sysvol
page 494-496
one-way replication
FRS - page 494-496
bridgehead servers
page 538
scheduling
page 543
protocols
page 537
repadmin /syncall
page 544
If you are using AD-Int zones, then this command would replicate any changes in the DNS zones as well.
Repadmin can be used to troubleshoot repl issues - other tools:
AD Sites & Services and AD Replication Monitor (replmon.exe from the 2003 Support Tools)
AD Sites & Services
page 532
Define sites, subnets, move DC's to the correct sites, define site links, force replication.
Univ Group Member Caching
page 524
Configured on the Site object in AD Sites & Services
partial attribute set - adsiedit.msc
page 523
promoting a global catalog
page 524
FSMO's
page 480
D - Domain Naming Master
S - Schema Master
R - RID Master
I - Infrastructure Master
P - PDC Emulator
FSMO roles can be transferred cooperatively with ADUC (AD Users and Computers), ADDT (AD Domains and Trusts) and the Schema Management snap-in, or seized with ntdsutil
PDC emulator in root domain synced to Internet time source
page 483
schema management snapin, regsvr32 schmmgmt.dll
page 485
2008 DFL
page 559
Needed to support Fine-Grained Password Policies, PSO - password settings objects (created with ADSIEDIT.MSC)
Also needed to support AES encryption for Kerberos auth.
Also needed to use DFS-R for sysvol folder replication.
Migrating ADMT
page 576
AD DS data management
tools page 619
Authentication Server
- password policies pg 357
- Auditing Auth pg 368
- RODC pg 374
Server Core - AD
page 23
need to use dcpromo /unattend in order to install on Server Core.
Hyper-V for DC's
page 631
Migrating to LDS
page 708
LDAP compliant db to support custom apps. During setup, you can configure replication between multiple LDS instances.
LDS data store and authentication
use Adsiedit - page 709
Create OU's, users, groups, etc. (You can not use ADUC with LDS)
ntdsutil can be used to manage ADDS or LDS
to move DB location for LDS:
1) net stop "LDS instance name" 2) use ntdsutil to move the db location 3) net start "LDS instance name"
Other tool to test LDS or ADDS:
LDP.exe - can be used to make LDAP connections to LDS (or ADDS), can also make
LDAP-SSL connections if an SSL certificate was issued to the LDS server.
other tool to manage LDS or ADDS:
dsdbutil.exe - similar to ntdsutil - can make snapshot backups of LDS instance
or ADDS.
esentutl - question 5.2.2
MODES OF OPERATION:
Defragmentation: ESENTUTL /d <database name> [options
Recovery: ESENTUTL /r <logfile base name> [opt
Integrity: ESENTUTL /g <database name> [options
Checksum: ESENTUTL /k <file name> [options]
Repair: ESENTUTL /p <database name> [options
File Dump: ESENTUTL /m[mode-modifier] <filename
Copy File: ESENTUTL /y <source file> [options]

AD RMS
- MSMQ - MS Message Queuing - page 787 - transaction coordination in a distributed environment.
- IIS 7 page 787
- SQL Server - pg 787 SQL for production (Windows Internal DB for lab)
These services must be started (or restarted) if there are issues with RMS.
Also, users need to be configured with an email address to use RMS
http://blogs.technet.com/rmssupp/archive/2006/11/30/helping-customers-help-themselves-w-irmcheck-pt-1.aspx
CA - pg 790
Self enrollments - page 800 - for test env - use CA certs for production
Delegation
page 803
RODC
page 377 - typo on the PPT slide forest and domain FL at 2003
there must be a 2008 RW DC and RODC is on 2008
run adprep /rodcprep
DNS zones on a RODC are read-only. If you want DNS to accept dynamic registrations you would have to uninstall RODC and install DC as a R/W DC with AD int zones.
Also, if you have a 2003 AD and you are updating to 2008, you need to run:
adprep /forest and adprep /domain (same as adprep /forestprep and adprep /domainprep)
credential caching
page 381-382
oclist, ocsetup - mentioned here because RODC's are typically put on Server Core pg 28
AD FS
pg 825
certs
pg 827
trust policies
pg 835
user and group claim mapping
pg 833
account store, AD or LDS
pg 855
With Federated Services, one organization defines the account store and the other organization defines the resource store.
dsadd, etc pg 88
csvde, ldifde
page 90
ntdsutil - using IFM options to create backup media to do installs from
pg 472
bulk import for group objects
pg 159
upn suffix
pg 868
Powershell to create users
pg 103
template accounts
pg 87
Maintain AD accounts
pg 33
Domain Local Groups
pg 146
Groups
pg 145
Distribution groups do not have SID's and can't be assigned permissions, Security groups do have SID's and can be assigned permissions.
Delegation of Control
pg 74
Add users to the "Group Policy Creator Owner Group" to allow them to create GPO's.
Use the "Delegation of Control" wizard to give permissions to link GPO's to an OU.
Group Policy Inheritance
pg 255
Block Inheritance is applied to an OU and blocks GPO's that are being inherited from above.
Enforce - can be applied to a GPO to enforce settings and it will go "through" a block.
ADMX Central Store
pg 246, 252
copy the Windows\PolicyDefinitions folder to the sysvol folder
add additional .admx files to the central store
Use Vista and above clients to edit GPO's that use .admx templates
Restricted Groups
pg 291
Security Options
pg 303
Starter GPO's
pg 247
Shell Access Policies - use GPMC to configure filters to locate certain policies
Admin Templates in Group Policy
Deny Apply Group Policy
pg 263
used if you want a certain group of users in an OU to not apply the GPO linked to that OU or if you want a certain group of users in a domain not to apply a GPO linked to that domain.
Software Deployment
pg 322
Assign to computers, Assign or Publish to users
WSUS - not in book
Fine-grained Passwords
pg 360
Allowed List, Denied List
Password Repl Policy - for RODC's
page 380
Revealed list: msDS-RevealedUsers
Authenticated-to list: msDS-AuthenticatedToAccountlist
Repl Policies - see users who have cached pw's on the RODC and those that authenticated with the RODC
RODC's by default don't store user passwords unless you use Password Replication Policies (Allow or Deny groups).
You can configure a unique Password Replication Policy for each RODC.
ADUC - can be used to see users whose passwords were cached on a stolen RODC (so you can reset those passwords)
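Added example (not from the notes, and not Microsoft's wizard): a PowerShell script that does what the ADUC stolen-RODC procedure above and the lab task "reset the passwords for users/computers, and export that list of users/computers to a txt" describe, using the Windows Server 2008 R2 ActiveDirectory module. The RODC name and output path are placeholders; computer accounts are exported but left to the ADUC wizard because resetting them breaks the machines' secure channel.

```powershell
# Added example (not from the notes). Requires the ActiveDirectory module
# (Windows Server 2008 R2 or RSAT) and an account that may reset passwords.
# "RODC01" and the output path are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web      # for Membership.GeneratePassword

$rodc    = 'RODC01'
$outFile = 'C:\Temp\rodc01-revealed-accounts.txt'

# msDS-RevealedUsers on the RODC object: every account whose secrets the RODC
# has cached. For a stolen RODC these are the credentials to treat as exposed.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
                -Identity $rodc -RevealedAccounts

# Record the exposed list before changing anything (the lab's "export to txt").
$revealed |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object |
    Set-Content -Path $outFile

# Reset user passwords to random values and force a change at next logon.
# Computer accounts stay in the file but are skipped here: the ADUC wizard
# resets them when the RODC object is deleted, after which those machines
# must be rejoined to the domain.
foreach ($acct in $revealed) {
    if ($acct.ObjectClass -ne 'user') { continue }
    $newPw = ConvertTo-SecureString -AsPlainText -Force `
                 -String ([System.Web.Security.Membership]::GeneratePassword(16, 4))
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPw
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
    Write-Output "Reset password for $($acct.SamAccountName)"
}
Write-Output "Exposed account list written to $outFile"
```

Swap `-RevealedAccounts` for `-AuthenticatedAccounts` to see the msDS-AuthenticatedToAccountlist side instead (who authenticated through the RODC, whether or not their password was cached).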
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx
This website talks about configuring the RODC "Filtered Attribute Set" to limit the attributes that are replicated to a RODC. Defined on the Schema Master (recommended SM be 2008) - also recommended that the Forest Functional Level be 2008 for optimal security.
Denied List
page 381
Auditing
page 335
"Audit Account Logon Events" Success/Failure on the Default Domain Controller Policy to log auth attempts on the DC's to the Security Log in Event Viewer.
"Audit Logon Events" Success/Failure is typically used on an OU to audit any failed authentication attempts (local or from the network) on the computers in that OU.
"Audit System Events" Success/Failure on a Default Domain policy would audit shutdowns on every computer in the domain.
"Audit Object Access" Success/Failure, then audit the specific NTFS folders/files and user groups that need to be audited.
auditpol.exe - allows for auditing old and new values in the Security Log in Event Viewer
page 342
http://support.microsoft.com/kb/921469
auditpol /list /subcategory:*
auditpol /set /subcategory:"user account management" /success:enable /failure:enable
auditpol /set /subcategory:"directory service changes" /success:enable /failure:enable
adsiedit.msc - needed for PSO's
page 361
wbadmin.exe - can not back up individual files, but can restore individual files
page 630
If you backup the System State - that will include the entire System Volume.

Authoritative Restore
page 642-644
1) Reboot, F8, Directory Services Restore Mode 2) Restore System State 3) use NTDSUTIL to mark the OU as authoritative 4) then reboot DC
Offline Defrag - with the restartable AD DS service
page 623
Moving the AD db - again with the restartable AD DS service and ntdsutil
Task Manager, Event Viewer etc - page 660
Server Performance Advisor (download from MS) - pg 360 - replaced by Windows Reliability and Performance Monitor
Windows System Resource Monitor
pg 672
Performance Monitor and data Collectors
pg 667
Use the System - Data Collector called "Active Directory Diagnostics" to collect
performance/diagnostic data
AD diagnostics
pg 667
Event Viewer subscriptions - not in book
wecutil qc -- quick config for the collecting computer
winrm quickconfig - on the forwarding computer
Configure the collecting computer to collect events from the forwarding computer
to the Forwarded Events log on the collecting computer.
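Added example (not from the notes or from Microsoft): a PowerShell script run on the collecting computer, after `wecutil qc` there and `winrm quickconfig` on the forwarding computer, that creates the subscription the steps above describe. It pulls the System-log event 7036 used in the Event Viewer lab (service state changes) into the collector's Forwarded Events log. The host name and subscription name are placeholders, and it assumes the collector's computer account has been added to the forwarding computer's local "Event Log Readers" group.

```powershell
# Added example (not from the notes). Run on the collecting computer.
# "SRV01.contoso.com" and "ServiceStateChanges" are placeholders.
$subName = 'ServiceStateChanges'
$source  = 'SRV01.contoso.com'            # forwarding computer
$xmlPath = Join-Path $env:TEMP "$subName.xml"

# Collector-initiated subscription: the collector connects to each listed
# source over WinRM with its own computer account (CredentialsType Default),
# so that account must be in the source's "Event Log Readers" group.
# The XPath is the filter Event Viewer builds for Service Control Manager
# event 7036 in the System log.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Forward SCM service state changes (event 7036) to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$source</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# Register the subscription, then show per-source runtime status (an
# "Inactive" source usually means WinRM or the Event Log Readers membership
# on the forwarding computer is missing).
wecutil create-subscription $xmlPath
wecutil get-subscriptionruntimestatus $subName
```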
Standalone vs Enterprise CA's
pg 732
Use Enterprise CA's if you want all systems in the forest to trust the certs issued by the CA.
Then, use Group Policies to automatically deploy the certs.
CA hierarchy - root, subordinates
pg 734
Cert requests - web - standalone and ent
Cert requests - rpc - ent
page 733
Cert Practice Statement - who you are, policies, procedures, how you protect your CA's
page 739
Key Archival - supported with Ent and Datacenter versions
page 741, 756 - private key stored on CA in case user loses it
CA backup and restore
page 766
CA Administrative Role Assignment - not in book
CA Admin, Cert Manager, Backup Op, Auditor, Enrollees
CA Properties - Security tab
Cert Templates
Key Recovery Agent
CA properties, Recovery agents tab,
NDES - network device enrollment service
uses SCEP - Simple Cert Enrollment Protocol
page 732
Autoenrollment
page 773 - Cert Templates
Web enrollment
page 731
smart card enrollment
pg 757
creating enrollment agents
certificates snap-in - request All Tasks, Advanced, Enroll on behalf of
CA properties, 2008 supports restricted enrollment agents
online responders - OCSP - online cert status protocol
page 731, 759
On a webserver in the DMZ - can be made fault tolerant using NLB cluster.
NLB Clusters can be configured with Port Rules to only accept traffic on certain ports - like HTTP.
CDP - CRL Dist Point
page 754
AIA - Auth Info Access
page 760
Misc:
http://www.microsoft.com/windows/products/winfamily/cardspace/default.mspx
or
http://windows.microsoft.com/en-US/windows-vista/Windows-CardSpace
Windows Cardspace - Windows CardSpace is client software that makes it possible for users to provide their digital identity to online services in a more simple and secure way. It is an online virtual information card, an ID card for the Internet, that helps prove a user's identity, and it is very difficult to fake or steal.
Feature comes with Vista. Cardspace app has the ability to backup the digital ID (to a USB for example).

R2 New Features:
Authentication mechanism assurance in Windows Server 2008 R2
http://blogs.technet.com/b/activedirectoryua/archive/2008/11/21/authentication-mechanism-assurance-in-windows-server-2008-r2.aspx
Service Accounts Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx
"Managed service accounts in Windows Server 2008 R2 and Windows 7 are managed domain accounts that provide the following features to simplify service administration:
Automatic password management.
Simplified SPN (service principal names (SPNs), which are required for Kerberos authentication) management, including delegation of management to other administrators. Additional automatic SPN management is available at the Windows Server 2008 R2 domain functional level."
DNS Devolution:
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx

83-640 Labs:
Help works for ntdsutil!
change group type (2-3 of these), i.e. security to distribution, universal to domain local, etc.
(refer to Transcender screenshot Lab 5 Task 3)
Assign a delegation to another DC (DNS)
(refer to Transcender screenshot Lab 6 Task 1)
Raise domain AND forest functional level
(refer to Transcender screenshot Lab 4 Task 2)
(refer to Transcender screenshot Lab 5 Task 4)
Set postalCode attribute to replicate with global Catalog
(refer to Transcender screenshot Lab 7 Task 6)
Disable round-robin and recursive lookup
(refer to Transcender screenshot Lab 6 Task 2)
Remove a RODC, reset the passwords for users/computers, and export that list of users/computers to a txt
(refer to Transcender screenshot Lab 3 Task 8)
(refer to Transcender screenshot Lab 7 Task 5)
Also - practice removing and exporting.
Use pre-existing GPOs to not show last user login name on your DC, and password history of 12 on domain
(refer to Transcender screenshot Lab 8 Task 2)
Also - practice GPO setting - to not display last login name
Set replication to ignore schedules
Practice - AD Sites & Services - IP properties - ignore schedules. Not in Transcender!
Set DEFAULTIPSITELINK to not replicate on Sundays
(refer to Transcender screenshot Lab 5 Task 9)
Set Branch location to enable universal name caching
(refer to Transcender screenshot Lab 5 Task 8)
Change DEFAULTIPSITELINK cost
Practice - AD Sites & Services - DefaultIPSiteLink Properties - change cost. Not in Transcender!
Change users description in AD Users and Computers
Practice - AD Users & Computers - user properties - change description. Not in Transcender!
Create dns conditional forwarder
(refer to Transcender screenshot Lab 1 Task 1)
Replicate company attribute to Global catalog
(refer to Transcender screenshot Lab 7 Task 6)
Change DSRM password
(refer to Transcender screenshot Lab 7 Task 8)
Disable DNS load bad data
Practice - DNS - Server properties - Advanced
Block inheritance in GPO
(refer to Transcender screenshot Lab 6 Task 3)
Disable user configuration in GPO
Practice - Group Policy Mngt Console - Group Policy Objects container - right click on GPO - GPO status
Assign permission on a certificate template
Practice - MMC - Add Certificates Template snap-in - right click on template - properties - security
Change DEFAULTIPSITELINK replication interval
(refer to Transcender screenshot Lab 5 Task 9)
Create a new forward lookup zone in dns
(refer to Transcender screenshot Lab 4 Task 1)
Change gpo security filter
(refer to Transcender screenshot Lab 3 Task 3)
Enforce Password History
=============================================
Computer Configuration\Windows Settings\Security Settings\Password Policy
(refer to Transcender screenshot Lab 8 Task 2)

============================================
Interactive logon: Do not display last user name
============================================
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
practice GPO setting - to not display last login name

============================================
Enable "PostalCode" attribute to replicate all GC servers
============================================
(refer to Transcender screenshot Lab 7 Task 6)
Run regsvr32 schmmgmt.dll
Run MMC
File - add/remove snap-in
Add Active Directory Schema
Right click Active Directory Schema, select Connect to Schema Operations Master

Select Attributes
Find postalCode, rightclick, properties
Select Replicate this attribute to the Global Catalog

============================================
Raise Domain Functional Level to 2008
============================================
(refer to Transcender screenshot Lab 4 Task 2)
(refer to Transcender screenshot Lab 5 Task 4)
From Active Directory Users and Computers, right click on the domain
Select Raise domain functional level

============================================
Enable GC on Domain Controller
============================================
(refer to Transcender screenshot Lab 2 Task 4)
From Active Directory Sites and Services, right click NTDS Settings under applicable DC Server
Select properties, check Global Catalog box

=============================================
Add a task to Event Viewer for Services with ID 7036
=============================================
(refer to Transcender screenshot Lab 6 Task 4)
From Diagnostics\Event Viewer\Windows Logs\System, right click on log ID 7036
Select Attach Task to This Event

=============================================
Configure DNS Delegation
=============================================
(refer to Transcender screenshot Lab 6 Task 1)
From DNS manager, right click on dns for domain, select New Delegation
Enter delegated domain name (eg west.contoso.com)
Click Next then Add
Enter server FQDN (eg server.west.contoso.com) and server IP address

===========================================
Configure DNS Debugging
===========================================
(refer to Transcender screenshot Lab 6 Task 8)
Right click on DNS Server, Properties, Debug Logging

===========================================
DNS - Configure Conditional Forwarding
===========================================
(refer to Transcender screenshot Lab 1 Task 1)
Right click on conditional forwarders, configure FQDN and IP address

===========================================
DNS - Zone Transfer settings
===========================================
(refer to Transcender screenshot Lab 7 Task 2)
Right click on zone, Properties, Zone Transfers

===========================================
Change Cost - ADDS
===========================================
Practice - AD Sites & Services - DefaultIPSiteLink Properties - change cost. Not in Transcender!
From Active Directory Sites and Services, select Intersite transports\IP\Site Link
Right click, Properties
Modify Cost

=============================================
Reset DSRM Password from Command Prompt
=============================================
(refer to Transcender screenshot Lab 7 Task 8)
Run ntdsutil
set dsrm password
reset password on server null
