- Explain the contents of the Active Directory
- Plan how to set up Active Directory elements such as organizational
units, domains, trees, forests, and sites
- Plan which Windows 2000 security features to use in an organization,
including interactive logon, object security, and services security
- Plan how to use groups, group policies, and security templates
- Plan IP security measures
- Security Accounts Manager (SAM) database holds data on user accounts,
groups, and security privileges
- One primary domain controller (PDC) has master copy of the SAM
- One or more backup domain controllers (BDCs) have backup copies of the
SAM
- Domain objects including user accounts, computers, servers, printers,
groups, security policies, domains, and other objects compose the Active
Directory
- Multimaster replication: In Windows 2000 there can be multiple servers,
called domain controllers (DCs), that store the Active Directory and
replicate it to each other. Because each DC is a master in its own right,
replication does not stop when one DC is down.
- Schema: Elements used in the definition of each object contained in the
Active Directory, including the object class and its attributes
- Username
- User’s full name
- Password
- Domain
- User account
- Group
- Shared drive
- Shared folder
- Computer
- Printer
- Common name (CN): The most basic name of an object in the Active
Directory, such as the name of a printer
- Distinguished name (DN): A name in the Active Directory that contains
all hierarchical components of an object, such as that object’s
organizational unit and domain, in addition to the object’s common name
- Relative distinguished name (RDN): An object name in the Active
Directory that has two or more related components, such as the RDN of a
user account name that consists of User (a container for accounts) and
the first and last name of the actual user
- Namespace: A logical area on a network that contains directory services
and named objects, and that has the ability to perform name resolution
- Contiguous namespace: A namespace in which every child object contains
the name of its parent object
- Disjointed namespace: A namespace in which the child object name does
not resemble the name of its parent object
- Domains
- Organizational units (OUs)
- Trees
- Forests
- Sites
- Provide a security boundary for objects in a common relationship
- Establish a set of data to be replicated among DCs
- Expedite management of a set of objects
- Group related objects, such as user accounts and printers, for easier
management
- Reflect the structure of an organization
- Group objects to be administered using the same group policies
- Limit OUs to 10 levels or fewer
- OUs use fewer CPU resources when they are set up horizontally instead of
vertically
- Each request through an OU level requires CPU time during a search
- Member domains are in a contiguous namespace
- Member domains can compose a hierarchy
- Member domains use the same schema for common objects
- Member domains use the same global catalog
- Global catalog: A grand repository for all objects and the most
frequently used attributes for each object in all domains. Each tree has
one global catalog.
- Authenticating users
- Providing lookup and access to resources in all domains
- Providing replication of key Active Directory elements
- Keeping a copy of the most frequently used attributes for all objects
- Kerberos Transitive Trust Relationship: A set of two-way trusts between
two or more domains in which Kerberos security is used.
- Trusted domain: A domain that has been granted security access to
resources in another domain
- Trusting domain: A domain that allows another domain security access to
its resources and objects, such as servers
- Make sure each tree has at least one DC that is also configured as a
global catalog
- Locate global catalog servers in a network design architecture that
enables fast user authentication (so that authentication does not have
to be performed over a WAN link, for example)
- Member trees use a disjointed namespace (but contiguous namespaces
within trees)
- Member trees use the same schema
- Member trees use the same global catalog
- Single forest: An Active Directory model in which there is only one
forest with interconnected trees and domains that use the same schema
and global catalog
- Separate forest: An Active Directory model that links two or more
forests in a partnership, but the forests cannot have Kerberos
transitive trusts or use the same schema
- When you create a separate forest structure, remember that:
  - Replication cannot take place between forests
  - The forests use different schemas and global catalogs
  - The forests cannot be easily blended into a single forest in the future
- Site: An option in the Active Directory to interconnect IP subnets so
that it can determine the fastest route to connect clients for
authentication and to connect DCs for replication of the Active
Directory. Site information also enables the Active Directory to create
redundant routes for DC replication.
- Reflects one or more interconnected subnets (512 Kbps or faster)
- Reflects the same boundaries as the LAN
- Used for DC replication
- Enables clients to access the closest DC
- Composed of servers and configuration objects
- Site link object: An object created in the Active Directory to indicate
one or more physical links between two different sites
- Site link bridge: An Active Directory object (usually a router) that
combines individual site link objects to create faster routes when there
are three or more site links
- Define sites in the Active Directory on networks that have multiple
global catalog servers that reside in different subnets
- Use sites to enhance network performance by optimizing authentication
and replication
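The site model described above (subnets mapped to sites, site links between sites, clients directed to the closest DC or global catalog, redundant routes when a link fails), worked through as an added example that is not part of the original slides. The topology, link costs and subnet assignments are constructed for illustration; the cost values are an assumption standing in for link speed.

```python
"""Added example (not from the original slides): a toy model of sites, subnets
and site links that places a client in a site by IP address and finds the
nearest site holding a global catalog server, including when a link is down."""
import heapq
import ipaddress

# Constructed sample topology, not a real network.
SITE_OF_SUBNET = {"10.1.0.0/16": "HQ", "10.2.0.0/24": "Branch-A", "10.3.0.0/24": "Branch-B"}
# Site link objects as (site, site, cost); a lower cost means a faster link.
SITE_LINKS = [("HQ", "Branch-A", 10), ("HQ", "Branch-B", 40), ("Branch-A", "Branch-B", 20)]
GLOBAL_CATALOG_SITES = {"HQ"}


def site_for(ip, subnets=SITE_OF_SUBNET):
    """Site of the most specific subnet containing ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def nearest_gc_site(site, links=SITE_LINKS, gc_sites=GLOBAL_CATALOG_SITES, down=()):
    """Cheapest route from site to a site with a global catalog, computed with
    Dijkstra over the site links; `down` lists (site, site) links to ignore so a
    failed link can be simulated. Returns (site, cost) or (None, None)."""
    adj = {}
    for a, b, cost in links:
        if (a, b) in down or (b, a) in down:
            continue
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {site: 0}
    heap = [(0, site)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > dist[s]:
            continue            # stale queue entry
        if s in gc_sites:
            return s, d         # first GC site popped is the cheapest
        for nxt, cost in adj.get(s, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return None, None
```

With the sample topology, Branch-B reaches HQ more cheaply through Branch-A than over its direct link, and still reaches it when the Branch-A link is down; removing both links into HQ leaves no global catalog reachable.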
- Keep the Active Directory implementation as simple as possible
- Implement the least number of domains possible
- Implement only one domain on most small networks
- Use OUs to reflect the organizational structure (instead of using
domains for this purpose)
- Create only the number of OUs that are necessary
- Do not create OUs more than 10 levels deep
- Use domains for natural security boundaries
- Implement trees and forests only as necessary
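The naming model introduced earlier (common name, distinguished name, relative distinguished names) and the 10-level OU rule, worked through as an added example that is not part of the original slides. The DN strings and the `example.com` domain are constructed; the escaping rule (a backslash protects a comma inside a value) is the standard LDAP string form.

```python
"""Added example (not from the original slides): split an Active Directory
distinguished name (DN) into its relative distinguished names (RDNs), count
OU levels against the 10-level guideline, and test container membership."""

MAX_OU_DEPTH = 10  # the slides' guideline: keep OUs to 10 levels or fewer


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Parse 'CN=MGardner,OU=Sales,DC=example,DC=com' into (type, value)
    pairs, honouring backslash-escaped commas such as 'CN=Gardner\\, Mary'."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":            # an unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def ou_depth(dn: str) -> int:
    """Number of OU levels between the object and its domain."""
    return sum(1 for t, _ in split_dn(dn) if t == "OU")


def is_within(dn: str, container_dn: str) -> bool:
    """True when dn lies under container_dn (its trailing RDNs match the
    container's, compared case-insensitively)."""
    obj = [(t, v.lower()) for t, v in split_dn(dn)]
    cont = [(t, v.lower()) for t, v in split_dn(container_dn)]
    return len(obj) > len(cont) and obj[-len(cont):] == cont


def check_ou_depth(dn: str) -> tuple[bool, int]:
    """(within_guideline, depth) for the design rule on OU nesting."""
    depth = ou_depth(dn)
    return depth <= MAX_OU_DEPTH, depth
```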
- Use trees for domains that have a contiguous namespace
- Use forests for multiple trees that have disjointed namespaces between
them
- Use sites in situations where there are multiple IP subnets and
geographic locations to improve performance
- Account or interactive logon security
- Object security
- Services security
- DC checks that the user account is in the Active Directory
- DC verifies the exact user account name and password
- Security descriptor: An individual security property associated with a
Windows 2000 Server object, such as enabling the account MGardner (the
security descriptor) to access the folder, Databases
- Access control list (ACL): A list of all security descriptors that have
been set up for a particular object, such as for a shared folder or a
shared printer
- User account(s) that can access an object
- Permissions that determine the type of access
- Ownership of the object
- Deny: No access to the object
- Read: Access to view or read the object’s contents
- Write: Permission to change the object’s contents or properties
- Delete: Permission to remove an object
- Create: Permission to add an object
- Full Control: Permission for nearly any activity
- Deny permission supersedes other permissions, so if there is a
permissions conflict for one of your users, check the deny permissions
associated with that user’s account and groups
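The object security model above (accounts and groups that can access an object, the permissions they hold, ownership, and Deny overriding Allow), worked through as an added example that is not part of the original slides. It is a simplified model for teaching the evaluation rule, not the Windows security descriptor API; the account, group and folder names are constructed.

```python
"""Added example (not from the original slides): a small model of an object's
access control list (ACL) in which a Deny entry always wins over an Allow
entry, even when the grant and the deny reach the user through different groups."""
from dataclasses import dataclass

PERMISSIONS = {"Read", "Write", "Delete", "Create", "Full Control"}


@dataclass(frozen=True)
class Entry:
    trustee: str         # user account or security group the entry applies to
    permission: str      # one of PERMISSIONS
    deny: bool = False   # True for a Deny entry, False for Allow


@dataclass
class SecuredObject:
    name: str
    owner: str
    acl: list            # Entry objects; together they form the object's ACL


def effective_permissions(obj, user, groups=()):
    """Permissions the user actually gets: every Allow that applies to the user
    or one of the user's groups, minus every Deny that applies to any of them."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for e in obj.acl:
        if e.trustee in principals:
            (denied if e.deny else allowed).add(e.permission)
    for s in (allowed, denied):        # Full Control stands for every permission
        if "Full Control" in s:
            s.update(PERMISSIONS)
    return allowed - denied


def check_access(obj, user, permission, groups=()):
    return permission in effective_permissions(obj, user, groups)


def blocking_denies(obj, user, permission, groups=()):
    """Trustees whose Deny entries block `permission` for this user: the first
    thing to check when a user unexpectedly lacks access."""
    principals = {user, *groups}
    return [e.trustee for e in obj.acl if e.deny and e.trustee in principals
            and e.permission in (permission, "Full Control")]


# Constructed sample: the Databases folder from the slides, where MGardner is
# allowed Read directly, allowed Write via Sales and denied Write via Contractors.
DATABASES = SecuredObject("Databases", owner="Administrators", acl=[
    Entry("MGardner", "Read"),
    Entry("Sales", "Write"),
    Entry("Contractors", "Write", deny=True),
])
```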
- Windows 2000 enables you to set up security on individual services, such
as DHCP
- Set up security groups of user accounts as a way to more easily manage
security
- Use group policies to manage security for local servers, OUs, and
domains
- Employ security templates when you need to manage several different
group policies
- Account policies
- Local server and domain policies
- Event log tracking policies
- Group restrictions
- Service access security
- Registry security
- File system security
- IP security (IPSec): A set of IP-based secure communications and
encryption standards created through the Internet Engineering Task Force
(IETF)
- IP security (IPSec) can function in three roles relative to a client:
  - Client (Respond Only): the server uses IPSec only if the client is
  already using it
  - Server (Request Security): the server uses IPSec by default, but
  discontinues it if the client does not support IPSec
  - Secure Server (Require Security): the server communicates only via
  IPSec
- On a network that uses IPSec, if you are having trouble gathering
network performance information from some older devices that do not
support IPSec, omit the SNMP communications protocol from IPSec
- Active Directory and security implementation are interrelated
- The Active Directory is a set of services for managing Windows 2000
servers
- Use Active Directory elements such as OUs, domains, trees, and forests
to help manage server objects and resources
- Use sites to configure network communications for better performance
through taking advantage of existing subnets
- Groups and group policies enable you to manage security