Showing posts with label Windows Server Infrastructure. Show all posts

Saturday, January 21, 2017

Microsoft INF200.1x, Windows Server 2012 Fundamentals: Infrastructure - Domain and Domain Tree


What is a domain?

A domain is a logical grouping
An AD DS domain is a logical grouping of user, computer, and group objects for the purposes of management and security. All of these objects are stored in an AD DS database, and a copy of this database is stored on every domain controller in the AD DS domain. A domain is created when you promote a server to a domain controller.
There is always at least one domain, but you could have more
Most organizations could deploy only a single domain and ensure that all domain controllers contain all the domain information. However, organizations that have decentralized administrative structures, or that are distributed across multiple locations, might consider implementing multiple domains in the same forest to accommodate the administrative needs of their environment.
Tip
A single domain can contain approximately 2 billion objects, so most organizations do not need to deploy multiple domains due to object limitations. Organizations that have decentralized administrative structures, or that are distributed across multiple locations, might instead implement multiple domains in the same forest.

A domain is a replication, administrative, and authentication boundary

Visual representation of the three boundaries: replication, administrative, and authentication.
A domain is a replication boundary
When changes are made to any object in the domain, the domain controller where the change was made replicates that information to other domain controllers in the domain. This is referred to as a multi-master replication model and allows every domain controller in the domain to make changes to objects in the domain.
The domain is an administrative boundary
The domain contains an Administrator account and a Domain Admins group. By default, the Administrator account is a member of the Domain Admins group, and the Domain Admins group is a member of every local Administrators group of domain-joined computers. Also, by default, the Domain Admins group members have full control over every object in the domain.
The domain is an authentication boundary
An AD DS domain is an administrative center. It contains an Administrator account and a Domain Admins group, which both have full control over every object in the domain. Unless they are in the forest root domain, however, their range of control is limited to the domain. Password and account rules are managed at the domain level by default. The AD DS domain also provides an authentication center. All user accounts and computer accounts in the domain are stored in the domain database, and users and computers must connect to a domain controller to authenticate.
Tip
Domains do not provide security boundaries, because all domains in the forest trust each other.
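The three boundaries above can be checked directly from a domain-joined administrative workstation. The following PowerShell is an added example, not part of the course notes or of Microsoft's course material; it assumes the RSAT ActiveDirectory module is installed and that the current user's domain is the one being inspected (the account and domain names are placeholders).

```powershell
# Added example: inspect the replication, administrative and authentication
# boundaries of the current AD DS domain. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$domain = Get-ADDomain          # the current user's domain (or: Get-ADDomain -Identity 'contoso.com')

# Replication boundary: every writable DC in the domain holds a full copy of the domain partition.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly | Format-Table -AutoSize

# Multi-master replication health: last successful inbound sync from each partner, per DC.
# A growing ConsecutiveReplicationFailures count means a change made on one DC is not
# reaching the others, so password and group changes may be inconsistent across DCs.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition $domain.DistinguishedName |
        Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}

# Administrative boundary: Domain Admins (well-known RID 512) is local Administrators on every
# domain-joined computer, so its membership should be short and reviewed regularly.
Get-ADGroupMember -Identity "$($domain.DomainSID)-512" -Recursive |
    Select-Object Name, objectClass, distinguishedName

# Authentication boundary is not a security boundary: list the trusts this domain participates in.
# SIDFilteringQuarantined shows whether SID history from the trusted side is filtered.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined |
    Format-Table -AutoSize
```

The trust listing is the practical side of the tip above: because every domain in a forest trusts every other, a compromise of Domain Admins in any one domain is a forest-wide concern, which is why the forest, not the domain, is treated as the security boundary.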

What is a domain tree?

A domain tree is contiguous
A domain tree is a collection of one or more domains that share a contiguous namespace and have a parent/child relationship. A tree can consist of a single domain or of multiple domains. The idea is that a tree is the fully qualified domain name (FQDN) of the domain and all its children. A tree serves no administrative purpose. In other words, there is no tree administrator as there is for a forest or domain.
Visual representation of a domain tree showing adatum.com with two domain trees.
What are the flexible single master operation (FSMO) roles for the domain?
Visual representation of the three FSMO roles: RID, Infrastructure, and PDC Emulator.
Only one domain controller in the domain performs each role. By default, the first domain controller in a domain fulfills all of these roles. Optionally, you can change the role holder to another domain controller within the same domain.
Relative ID (RID) Master role 
The RID master plays an integral part in the generation of SIDs for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts, and therefore SIDs, a mechanism is necessary to ensure that the SIDs generated by a domain controller are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Therefore, each domain controller can be confident that the SIDs that it generates are unique.
Infrastructure Master role 
In a multiple domain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group's domain updates the references.
PDC Emulator role
The PDC Emulator role performs the following crucial functions for a domain:
  • Participates in special password update handling for the domain. When a user's password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC Emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible.
  • Manages Group Policy updates within a domain. If you modify a GPO on two domain controllers at approximately the same time, there could be conflicts between the two versions that could not be reconciled as the GPO replicates. To avoid this situation, the PDC Emulator acts as the default focal point for all Group Policy changes.
  • Provides a master time source for the domain. Many Windows components and technologies rely on time stamps, so synchronizing time across all systems in a domain is crucial. By default, the PDC Emulator in the forest root domain is the time master for the entire forest. The PDC Emulator in each domain synchronizes its time with the forest root PDC Emulator. Other domain controllers in the domain synchronize their clocks against that domain's PDC Emulator. All other domain members synchronize their time with their preferred domain controller.
  • Acts as the domain master browser. When you open the network node in File Explorer, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers. The browser service creates these two lists, called browse lists. In each network segment, a master browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The domain master browser serves to merge the lists of each master browser so that browse clients can retrieve a comprehensive browse list.
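As an added example (not part of the course notes), the PowerShell below locates the three domain-level role holders described above, decodes the RID master's allocation state, shows how a principal's SID is the domain SID plus a RID, and confirms the PDC Emulator time chain. It assumes the RSAT ActiveDirectory module and the w32tm tool; the account name alice and the DC name DC02 are placeholders.

```powershell
# Added example: where do the domain FSMO roles live, and are they healthy?
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# The three domain-level roles from the notes, plus the two forest-level roles for completeness.
[PSCustomObject]@{
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# The same view as each DC reports it; disagreement here after a transfer means replication lag.
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles

# RID master: how much of the domain's RID space has been handed out to DCs.
# rIDAvailablePool is a 64-bit value: high 32 bits = highest RID, low 32 bits = next RID to allocate.
$ridManager = Get-ADObject ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
$pool    = [int64]$ridManager.rIDAvailablePool
$maxRid  = [int64]($pool -shr 32)
$nextRid = [int64]($pool -band 0xFFFFFFFF)
"RIDs allocated so far: $nextRid of $maxRid ($([math]::Round(100 * $nextRid / $maxRid, 2))%)"

# Every SID issued in the domain is the domain SID followed by a RID from a DC's allocated pool.
$user = Get-ADUser -Identity 'alice'                 # placeholder account
$rid  = [int]($user.SID.Value.Split('-')[-1])
"Domain SID: $($domain.DomainSID)  RID of alice: $rid  (well-known RIDs: 500 = Administrator, 512 = Domain Admins)"

# PDC Emulator as time master: this computer's source, then the PDC's own upstream source.
$pdc = $domain.PDCEmulator
w32tm /query /source
w32tm /query /source /computer:$pdc

# Moving a role is a deliberate change; -WhatIf previews it without transferring anything.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
```

The RID pool figure is worth graphing over time: a sudden jump in allocated RIDs usually means a burst of account creation (or a DC repeatedly requesting new pools after restores), and the 30-bit RID space cannot be reclaimed.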

Microsoft: INF200.1x Microsoft Windows Server 2012 Fundamentals: Infrastructure


What you will learn in this course:
  • How to install Windows Server 2012 including upgrades, editions, roles, features, and server core.
  • How to identify and use the physical and logical components of AD DS, such as forests, domains, and domain controllers.
  • How to perform day to day system administrator tasks such as backup and restore, and implementing the Recycle Bin.
  • How to create and configure user, group, and computer accounts.
  • How to implement Group Policy Objects to enforce standard processes in your organization.

Course Prerequisites:
  • Learners should have some general understanding of Windows Server and how it is used.
  • Windows PowerShell will be the tool of choice when implementing the features in this course. Learners should have a good foundation in accessing and using simple Windows PowerShell commands. To help in this area the course includes an Appendix on Windows PowerShell Basics.
There are many resources available for learning the skills necessary to be successful in this course, for example, Microsoft Virtual Academy.

Module 1 - Windows Server Basics
Module 2 - AD DS Logical Components
Module 3 - AD DS Physical Components
Module 4 - Administering AD DS
Module 5 - User Accounts
Module 6 - Group Accounts
Module 7 - Computer Accounts
Module 8 - Group Policy


Where can you take this course?
Follow this link


Is this course for you?
This course is designed to help you understand Active Directory Domain Services in Windows Server 2012 and Windows Server 2012 R2.

You may already have some familiarity and real world experience with this technology. What follows are some sample questions that you would be expected to answer after completing this course. You can use these questions to decide if the course content will be appropriate for you.
  • If you answer all of these questions correctly, you may already know the course material.
  • If you miss a few questions, this course will fill in the gaps in your knowledge.
  • If you struggle to answer the questions, this course will definitely help you gain a better understanding of how to use these concepts and technologies.
  • If you don't understand the questions at all, you probably are not ready for this course. We suggest you review the recommended prerequisite knowledge and return to the course after additional self-study.

After completing the course, you should return to this topic and ensure you can easily answer the questions. Real world practice will be needed to master these skills, but this course will provide a step in the right direction.

  1. What is an Organizational Unit (OU) and why would you create additional OUs?
  2. What are the five flexible single master operations (FSMO) roles and where do they exist?
  3. What is a trust relationship and which type of trust relationship is used to improve user logon times between two domains in a forest?
  4. Which optional AD DS feature enables you to quickly restore objects that have been deleted?
  5. What is Server Core and what are some advantages of using it?
  6. Which feature can you use to define different password policies and account lockout settings in a domain?
  7. Aziz has reported he is unable to sign in to the domain. The error message is, “The trust relationship between this workstation and the primary domain failed.” What is likely the problem and how should you fix it?
  8. What is the global catalog and when is it used?
  9. What is an AD DS site and when should you consider creating a site?
  10. When should you use an authoritative restore?
  11. How are Group Policy settings and Group Policy preferences different?
 
Answers:


  1. An OU is an object in a domain that you can use to store user objects, computer objects, group objects, and other AD DS objects. You typically create additional OUs when you want to delegate control to a specific group or link a Group Policy Object to the OU.
  2. FSMO roles are special roles within a forest and domain. There are two FSMO roles at the forest level: Schema Master and Domain Naming Master. There are three FSMO roles at the domain level: RID Master, Infrastructure Master, and PDC Emulator.
  3. Trust relationships are authentication pipelines between different domains. Shortcut trusts can be used to improve user logon times between two domains in an Active Directory forest.
  4. The Active Directory Recycle Bin, an optional feature of AD DS, provides a simplified process for restoring deleted objects.
  5. Server Core is the default Windows Server installation option. Server Core does not have a graphical user interface. Server Core installs fewer components, so fewer updates are required. Server Core removes unneeded files, so disk space and memory requirements are lower. Lastly, fewer files and components mean less opportunity for security threats.
  6. Fine-grained password policies let you specify different password policies and account lockout policies for different groups of users, for example, executives, administrators, service accounts, or regular users.
  7. Most likely the problem is a broken secure channel. You can use Active Directory Users and Computers or PowerShell to reset the computer account and rejoin the computer to the domain.
  8. The global catalog is a central directory of every object in the forest. The global catalog is commonly used to provide Exchange email account information and a user’s Universal group memberships.
  9. An AD DS site represents the physical structure, or topology, of your network. There are several reasons to consider creating additional sites, such as the number of users at a location, slow links between locations, service localization, and AD DS database replication.
  10. An authoritative restore is necessary when a known good copy of AD DS has been restored that contains objects that must override the existing state of other objects in the AD DS database.
  11. Group Policy settings and Group Policy preferences are different. Preferences are not enforced, can reapply automatically, and can use item-level targeting.
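Several of the answers above (the Recycle Bin, fine-grained password policies, and the broken secure channel) map directly onto ActiveDirectory module cmdlets. The following PowerShell is an added example, not part of the course or its answer key; it assumes the RSAT ActiveDirectory module, and the forest, account, policy and credential names are placeholders. The policy values are illustrative choices, not values the course prescribes.

```powershell
# Added example: the AD DS features behind answers 4, 6 and 7, in PowerShell.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Answer 4: the Recycle Bin is an optional, forest-wide feature. Enabling it cannot be undone,
# so check the current state first rather than re-running the enable blindly.
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}
# With the Recycle Bin on, a deleted object keeps its attributes (group membership, SID) and
# can be restored in place; "alice" is a placeholder for the deleted account's name.
Get-ADObject -Filter 'isDeleted -eq $true -and name -like "alice*"' -IncludeDeletedObjects |
    Restore-ADObject

# Answer 6: a fine-grained password policy (PSO) for privileged users. Lower Precedence wins
# when more than one PSO applies to the same user. Values below are illustrative.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Verify which policy a given user actually gets after the PSO is applied.
Get-ADUserResultantPasswordPolicy -Identity 'alice' | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Answer 7: "The trust relationship between this workstation and the primary domain failed".
# Run this on the affected computer with domain admin credentials; -Repair resets the
# computer account password on both sides without a leave/rejoin.
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CONTOSO\admin')
}
```

The secure-channel repair is preferable to deleting and recreating the computer object: the computer keeps its SID and therefore its group memberships and any ACLs that reference it, which a fresh join would not.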