What is a Domain?
A domain is a set of interconnected resources on a Windows-based network, such as users, groups, computers, printers and applications; these resources are called objects. Users who are part of the domain are granted specific permissions to access the resources, which may be located on one or more servers in the network. All objects in a domain are held in one directory database and are governed by the same domain-wide security policies (for example the password policy).
What is a Domain Controller?
In an Active Directory forest, a domain controller is a server that holds a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources by authenticating users and computers. Administrators can manage user accounts, network access, shared resources, site topology and other directory objects from any domain controller in the forest.
What is Active Directory?
Active Directory stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
(or)
Features include:
Central location for network administration and security.
Information security and single sign-on for user access to networked resources.
The ability to scale up or down easily.
Standardizing access to application data.
Synchronization of directory updates across servers.
Where is the AD database located?
Active Directory objects are stored in the database file ntds.dit. NTDS stands for NT Directory Services and DIT for Directory Information Tree. By default the file is located at C:\Windows\NTDS\ntds.dit (%SystemRoot%\NTDS); the actual path is recorded in the registry under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters in the value "DSA Database file". The file contains the password hashes of every account in the domain, so any copy of it (backups, volume shadow copies, exported system state) needs the same protection as the domain controller itself.
What are the names of the AD management consoles?
A. Active Directory Users and Computers
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Administrative Center
E. ADSI Edit (low-level editor for any object or attribute in any partition)
Describe the logical and physical components of Active Directory?
The logical structure components have relationships with each other; together they control access to stored data and determine how the data is managed between the different domains in a forest.
Logical components are below:-
1. Objects:- like a user, computer, group, printer, etc.
2. Organizational units
3. Domains
4. Trees
5. Forest
Physical components are below:-
1. Site
2. Subnet
3. Domain Controllers
What are Active Directory Objects, Schema, Classes and Attributes?
Schema: -
The Active Directory schema is the component that defines every object class and every attribute that can be stored in the directory. The schema itself is stored in the schema partition, which is shared by all domains in the forest and replicated to every domain controller. Applications and services that store data in Active Directory (Exchange, for example) extend the schema with their own classes and attributes.
(or)
Objects
Objects within the AD DS structure such as users, printers, computers, and sites are defined in the schema as objects. Each object has a list of attributes that define it and that can be used to search for that object.
For example, a user object for the employee named Mark Antony will have a FirstName attribute of Mark and a LastName attribute of Antony. In addition, there might be other attributes assigned, such as department name, email address, and an entire range of possibilities.
Classes: -
Classes act as blueprints that are used each time a new object is created. When a new object is created in the directory, the object's class determines which attributes are associated with it and which of those attributes are mandatory.
Attributes:-
Attributes contain data that defines the information that is stored in an object or in another attribute. For example, a user account object has attributes that store user information, such as the user’s first name, last name, password, office number, and telephone number.
What is Forest, Tree, Trust relationship, Types of trust & What is meant by Trusting & Trusted Domain?
Note: Refer to "What is a Domain" above and keep it in mind.
Forest:
Forest is the collection of one or more domains that share a common schema, configuration, and global catalog.
Tree:
Domain trees within the forest are a set of domains connected together via a two-way transitive trust, sharing a common schema, configuration, and global catalog
Trust relationship: The trust relationships between domains allow users with accounts defined in one domain to be authenticated by resource servers in another domain. All of the domains in a domain tree and all of the trees in a single forest are connected by two-way, transitive trust relationships, which is the default trust relationship between domains. A two-way, transitive trust is by definition the combination of a transitive trust (the trust extends to the domains that the trusted domain itself trusts) and a two-way trust (each domain trusts the other).
Active Directory trust relationships vary along two dimensions:
1. Direction: one-way or two-way.
2. Transitivity: transitive or nontransitive.
Types of Trust:
1) Tree-root trust
A transitive, two-way trust is created automatically when you add a new tree-root domain to an existing forest. Tree-root trusts let every domain in different trees in the same forest implicitly trust one another.
2) Parent-child trust
Automatically creates a transitive, two-way trust when you add a child domain to an existing domain. This trust lets every domain in a particular tree implicitly trust one another.
3) Shortcut trust
When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way.
4) External trust
Administrators can manually create an external trust between domains in different forests, or between an Active Directory domain and a Windows NT 4.0 domain. External trusts are nontransitive and can be one way or two way.
5) Forest trust
When both forests are at the Windows Server 2003 forest functional level or higher, you can use a forest trust to join the forests at their root domains. An administrator can manually create a two-way forest trust that lets all domains in both forests transitively trust each other. Forest trusts can also be one way, in which case the domains in only one of the forests trust the domains in the other forest. Forest trusts do not chain: if forest A has a forest trust to forest B and forest B has a forest trust to forest C, forest A does not implicitly trust forest C.
6) Realm trust
An administrator can manually create a realm trust between a domain and a non-Windows Kerberos 5 realm. Realm trusts can be transitive or nontransitive and one way or two way.
Trusting Domain & Trusted Domain:
A trust relationship enables a domain to trust another domain for authentication. In a trust relationship, the trusting domain allows accounts in the trusted domain to authenticate in its domain. For example, assume that domain A trusts domain B. Domain A is the trusting domain and domain B is the trusted domain. Domain A will allow user accounts in domain B to be used to authenticate and access resources in domain A. A trust only makes authentication possible; accounts from domain B still have to be granted permissions on the resources in domain A before they can use them.
Some characteristics of an Active Directory forest are below:
- All domains within a forest share implicit two-way transitive trusts with the other domains within the forest.
- All domains within an Active Directory forest share a common Active Directory schema.
- Noncontiguous namespace and differing name structure.
- All domains share a common global catalog.
- Active Directory domains are independent. Cross-domain communication is enabled by the Active Directory forest.
- A typical structure of an Active Directory forest is shown below.
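The trust rules above (transitive parent-child, tree-root and shortcut trusts inside a forest; nontransitive external trusts; forest trusts that are transitive between two forests but do not chain to a third) can be checked mechanically. The following is an added example, not code from the original page: a small Python model in which "A trusts B" means A is the trusting (resource) domain and B the trusted (account) domain. The domain names and the topology in sample_trusts() are constructed for illustration, and the model deliberately ignores selective authentication and SID filtering.

```python
"""Simplified model of Active Directory trust rules (added example; the
domain names are constructed). Rules encoded:

* parent-child and tree-root trusts: two-way and transitive within a forest
* shortcut trusts: transitive, one-way or two-way
* external trusts: nontransitive, so only a direct hop is ever allowed
* forest trusts: transitive between the two forests they join, but a chain
  of forest trusts (A -> B -> C) does not make A trust C

"A trusts B": A is the trusting domain (resources), B the trusted domain
(accounts). An account from B can authenticate to a resource in A if a path
of trust edges leads from A to B under the rules above.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str          # domain that trusts (resource side)
    trusted: str           # domain whose accounts are accepted
    kind: str              # parent-child, tree-root, shortcut, external, forest
    two_way: bool = True


def sample_trusts():
    """Constructed topology (hypothetical names):
    forest 1: corp.example with child emea.corp.example and a second tree
              rooted at sales.example
    forest 2: partner.example with child eu.partner.example, joined to
              corp.example by a two-way forest trust
    forest 3: other.example, joined to partner.example by a forest trust
    legacy.local: NT-style domain, one-way external trust (corp trusts legacy)
    """
    return [
        Trust("corp.example", "emea.corp.example", "parent-child"),
        Trust("corp.example", "sales.example", "tree-root"),
        Trust("partner.example", "eu.partner.example", "parent-child"),
        Trust("corp.example", "partner.example", "forest"),
        Trust("partner.example", "other.example", "forest"),
        Trust("corp.example", "legacy.local", "external", two_way=False),
    ]


def _edges(trusts):
    """Directed edges trusting -> trusted; a two-way trust gives one per direction."""
    edges = {}
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t.kind))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t.kind))
    return edges


def can_authenticate(trusts, user_domain, resource_domain):
    """True if an account from user_domain can authenticate to a resource in
    resource_domain. Breadth-first search from the resource domain along
    'trusts' edges; each state records how many forest trusts were crossed."""
    if user_domain == resource_domain:
        return True
    edges = _edges(trusts)
    queue = deque([(resource_domain, 0, 0)])   # (domain, hops, forest hops)
    seen = {(resource_domain, 0)}
    while queue:
        dom, hops, forest_hops = queue.popleft()
        for nxt, kind in edges.get(dom, []):
            if kind == "external" and hops > 0:
                continue                     # nontransitive: only as the first hop
            new_forest_hops = forest_hops + (kind == "forest")
            if new_forest_hops > 1:
                continue                     # forest trusts do not chain
            if nxt == user_domain:
                return True
            if kind == "external":
                continue                     # nothing is reachable beyond it
            state = (nxt, new_forest_hops)
            if state not in seen:
                seen.add(state)
                queue.append((nxt, hops + 1, new_forest_hops))
    return False


def trust_matrix(trusts, domains):
    """(user_domain, resource_domain) -> bool for every pair; useful for
    spotting authentication paths an administrator did not intend to create."""
    return {(u, r): can_authenticate(trusts, u, r) for u in domains for r in domains}
```

Running trust_matrix() over every domain in an environment is a quick way to see, for example, that accounts in other.example cannot reach corp.example even though both are linked to partner.example, while accounts in eu.partner.example can reach emea.corp.example through the single forest trust.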
What is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain of an Active Directory Domain Services (AD DS) forest. It is stored on the domain controllers that have been designated as global catalog servers and is kept up to date through multimaster replication. Searches directed to the global catalog are faster because they do not involve referrals to domain controllers in other domains. Global catalog servers answer these forest-wide queries on TCP port 3268 (3269 over SSL/TLS), in addition to the normal LDAP ports 389 and 636.
What is LDAP?
- LDAP stands for Lightweight Directory Access Protocol.
- LDAP is not a database.
- LDAP is a protocol for reading and modifying information held in a directory database; Active Directory domain controllers are LDAP servers.
- One of the most common applications of LDAP is as an authentication backend, for example for an email server.
LDAP is extremely fast at reading and searching information in the directory. This is because the elements in an LDAP directory are arranged in a hierarchical tree, so searches always move downwards from a base entry. Because of that, LDAP is widely used as an authentication backend for all kinds of services, especially those with a large number of users. Write operations are not as fast, but in this kind of application users typically read their personal information from the directory and rarely change it.
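When LDAP is the authentication backend, the login name a user types ends up inside an LDAP search filter. That text is untrusted, and the filter grammar uses the characters ( ) * and \ for its own structure, so the value must be escaped as RFC 4515 specifies. The following added example (not code from the original page) builds the lookup filter both the naive way and the escaped way and parses the result with a minimal filter parser, so the structural difference is visible without contacting a directory server. The attribute names, the helper names and the sample login values are my own.

```python
"""Added example (not from the original page): building and parsing the LDAP
search filter an authentication backend would send to find a user. Attribute
names and sample logins are constructed; no server is contacted.
"""

# RFC 4515 section 3: these characters must be written as '\' plus two hex
# digits when they occur inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def user_lookup_filter(login: str, unsafe: bool = False) -> str:
    """Filter used to find a user by login name.

    unsafe=True reproduces naive string concatenation so the difference can
    be shown; real code should only ever use the escaped form."""
    value = login if unsafe else escape_filter_value(login)
    return f"(&(objectClass=user)(sAMAccountName={value}))"


def parse_filter(flt: str):
    """Parse an RFC 4515 filter into nested tuples:
    ('&', [subfilters]), ('|', [subfilters]), ('!', subfilter) or
    ('=', attribute, value). Only equality/presence assertions are handled.
    Raises ValueError on malformed input."""
    node, pos = _parse(flt, 0)
    if pos != len(flt):
        raise ValueError("trailing data after filter")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, subs = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated filter list")
        return (op, subs), i + 1
    if s[i] == "!":
        sub, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", sub), i + 1
    # Simple assertion: attribute '=' value; the value runs to the first
    # unescaped ')'. Escapes are decoded back to the literal character.
    eq = s.find("=", i)
    if eq < 0 or any(c in s[i:eq] for c in "()"):
        raise ValueError(f"malformed assertion at offset {i}")
    attr = s[i:eq]
    j, chars = eq + 1, []
    while j < len(s) and s[j] != ")":
        if s[j] == "\\":
            chars.append(chr(int(s[j + 1:j + 3], 16)))
            j += 3
        else:
            chars.append(s[j])
            j += 1
    if j >= len(s):
        raise ValueError("unterminated assertion value")
    return ("=", attr, "".join(chars)), j + 1


def count_assertions(node) -> int:
    """Number of attribute assertions in a parsed filter. The lookup filter
    above must always contain exactly two; more means the login text changed
    the structure of the query rather than just its value."""
    if node[0] == "=":
        return 1
    if node[0] == "!":
        return count_assertions(node[1])
    return sum(count_assertions(sub) for sub in node[1])
```

With the escaped form, a login such as *)(objectClass=* is parsed back as a single sAMAccountName value containing those characters; with naive concatenation the same input turns the filter into three assertions and matches every user object. Libraries such as python-ldap and ldap3 ship their own escaping helpers, which should be preferred over a hand-written one in production code.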
What is OU?
Organizational Unit (OU)
Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.
An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. Using organizational units, you can create containers within a domain that represent the hierarchical, logical structures within your organization, as shown above. This enables you to manage the configuration and use of accounts and resources based on your organizational model.
Organizational units can contain other organizational units. A hierarchy of containers can be extended as necessary to model your organization's hierarchy within a domain. Using organizational units will help you minimize the number of domains required for your network.
What is a Group, and how many types are there?
A group is a collection of users, computers, contacts, and other groups. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists.
Two types of Group
1. Security Group
2. Distribution Group
Security Groups – This type of group has a unique characteristic in that it has a
Security Identifier (SID) assigned to it from Active Directory.
This SID enhances the function of the group so that it can be used for
assigning and controlling permissions to a resource. In essence, Security Groups
can be placed on an ACL of a resource. Security Groups can also be used for
email distribution lists.
Distribution Groups – This type of group is limited in capabilities, because it does not have a SID assigned to it. Distribution Groups are designed to work with email, but not for the assignment or control of permissions to a resource.
There are three group scopes:
Domain Local Group – This group scope is designed to contain Global Groups and
Universal Groups, even though it can also contain user accounts and other
Domain Local Groups. If you want to follow a logical nesting rule pattern,
you will not put user accounts into Domain Local Groups. As you design
and create Domain Local Groups, you should be considering
“What the group is designed to do at the resource.” Examples might be
“Read SQL DB,” “Full Control HR Data,” or “Modify Finance Group Membership.”
Note:
Domain Local Groups can only be seen and used on domain controllers if the domain
is still in mixed mode. Mixed mode also eliminates the capability of nesting
Domain Local Groups into other Domain Local Groups.
This is due to the fact that NT4 domain controllers don’t understand the concept of
Domain Local Groups, so they are simply seen as Local Groups.
Global Groups –
This group scope is designed to contain user accounts.
Global Groups can contain user accounts and other Global Groups.
Global groups are designed to be “global” for the domain.
After you place user accounts into Global Groups, the Global Groups are typically
placed into Domain Local Groups or Local Groups (which reside on member servers
in the Security Accounts Manager (SAM)). As you design and create Global Groups,
you should be considering “What type of user belongs in this group.”
Examples might be “Salesreps,” “HR Managers,” or “Finance Managers.”
Note:
Global Groups can only contain user accounts if the domain is in mixed mode. Likewise, group nesting is not available in mixed mode because of the legacy NT4 domain controllers.
Universal Groups –
This group scope is designed to contain Global Groups from multiple domains.
Universal Groups are designed to help “group” groups in a multi-Domain enterprise.
Universal Groups can contain Global Groups, other Universal Groups,
and user accounts. After the Global Groups from the different domains are
placed into the Universal Group, the Universal Group is typically placed into a Domain Local Group or Local Group.
As you design and create Universal Groups, you should be almost mimicking the concepts of the
Global Group, but from an enterprise standpoint. So, you might have a Universal Group named
“All HR Managers” or “All Finance Managers.” Within each of these Universal Groups, you will have
the “HR Managers” or “Finance Managers” from each domain as members.
Note:
Universal Groups cannot be used as Security Groups if the domain is in mixed mode. This means that
they can’t be used for controlling access to resources via permissions. Again, this is because NT4
domain controllers don’t understand the concept of Universal Groups.
(or)
Active Directory defines two group types:
Security groups. These groups can be placed on Access Control Lists (ACLs) to control access to resources, and can also be used as e-mail distribution lists.
Distribution groups. These groups function solely as e-mail distribution lists. They cannot be placed on ACLs because they have no SID.
Active Directory defines three group scopes:
Domain Local. This group scope accepts members from any domain, but can be placed only on ACLs for resources in the group's own domain. This group is intended for use on the ACL of a resource.
Global. This group scope accepts members only from its own domain, but can be placed into domain local or universal groups in any domain.
Universal. This group scope accepts members from any domain and can be placed in domain local groups in any domain.
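The membership and ACL rules for the three scopes can be turned into a checker that a practitioner runs over a proposed group design before creating it. The following is an added example, not code from the original page: a Python validator for a native-mode domain that encodes the rules stated above (global groups take members only from their own domain and only users or other global groups; universal groups take anything except domain local groups; domain local groups nest only domain local groups from their own domain and can appear only on ACLs in their own domain; distribution groups never appear on an ACL). The principal names, domain names and function names are my own, and sample_design() follows the pattern the text describes (accounts into global groups, global groups into a domain local group, permissions on the domain local group, commonly called AGDLP) with two deliberate mistakes mixed in.

```python
"""Added example (not from the original page): validator for Active Directory
group nesting and ACL placement rules in a native-mode domain. Principals and
domain names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str              # "user", "global", "universal" or "domainlocal"
    security: bool = True  # False for a distribution group (no SID)


def nesting_error(member: Principal, group: Principal):
    """None if member may be added to group, otherwise the violated rule."""
    if group.kind == "global":
        if member.domain != group.domain:
            return f"{group.name}: global groups accept members only from their own domain"
        if member.kind not in ("user", "global"):
            return f"{group.name}: global groups cannot contain {member.kind} groups"
    elif group.kind == "universal":
        if member.kind == "domainlocal":
            return f"{group.name}: universal groups cannot contain domainlocal groups"
    elif group.kind == "domainlocal":
        if member.kind == "domainlocal" and member.domain != group.domain:
            return f"{group.name}: domain local groups nest only domain local groups from their own domain"
    else:
        return f"{group.name}: {group.kind!r} is not a group scope"
    return None


def acl_error(group: Principal, resource_domain: str):
    """None if group may appear on an ACL of a resource in resource_domain."""
    if not group.security:
        return f"{group.name}: distribution groups have no SID and cannot be placed on an ACL"
    if group.kind == "domainlocal" and group.domain != resource_domain:
        return f"{group.name}: domain local groups can only be used on ACLs in their own domain"
    return None


def validate_design(memberships, acl_entries):
    """memberships: iterable of (member, group); acl_entries: iterable of
    (group, resource_domain). Returns every rule violation found."""
    problems = [nesting_error(m, g) for m, g in memberships]
    problems += [acl_error(g, d) for g, d in acl_entries]
    return [p for p in problems if p]


def sample_design():
    """Accounts -> global groups -> domain local group -> permissions, with two
    deliberate mistakes in the memberships and two on the ACLs."""
    alice = Principal("alice", "corp.example", "user")
    bob = Principal("bob", "emea.corp.example", "user")
    hr_managers = Principal("HR Managers", "corp.example", "global")
    emea_hr = Principal("EMEA HR Managers", "emea.corp.example", "global")
    all_hr = Principal("All HR Managers", "corp.example", "universal")
    hr_data_fc = Principal("Full Control HR Data", "corp.example", "domainlocal")
    hr_news = Principal("HR Newsletter", "corp.example", "global", security=False)

    memberships = [
        (alice, hr_managers),       # ok: user into a global group of the same domain
        (bob, hr_managers),         # violation: user from another domain into a global group
        (bob, emea_hr),             # ok
        (hr_managers, all_hr),      # ok: global groups from several domains into a universal group
        (emea_hr, all_hr),          # ok
        (all_hr, hr_data_fc),       # ok: universal group into the domain local group
        (hr_data_fc, hr_managers),  # violation: domain local group into a global group
    ]
    acl_entries = [
        (hr_data_fc, "corp.example"),       # ok: domain local group on a resource in its own domain
        (hr_data_fc, "emea.corp.example"),  # violation: domain local group used in another domain
        (hr_news, "corp.example"),          # violation: distribution group on an ACL
    ]
    return validate_design(memberships, acl_entries)
```

The same checks apply to the mixed-mode restrictions mentioned earlier only in reverse: in mixed mode, nesting of any kind and universal security groups would additionally have to be rejected.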
What is Group Policy?
The infrastructure within Active Directory directory service that enables directory-based change
and configuration management of user and computer settings, including security and user data.
You use Group Policy to define configurations for groups of users and computers. With Group
Policy, you can specify policy settings for registry-based policies, security, software installation,
scripts, folder redirection, remote installation services, and Internet Explorer maintenance.
To create an individual GPO, use the Group Policy Object Editor. To manage Group Policy objects
across an enterprise, you can use the Group Policy Management console.
(OR)
Administrators use Group Policy to define specific configurations for groups of users and computers. The settings are edited with the Group Policy Object Editor tool (gpedit.msc, formerly known as the Group Policy Editor) and are contained in a Group Policy object (GPO).
How Group Policy is applied and inherited?
What is Group policy editor ?
The Microsoft Management Console (MMC) snap-in that is used to edit Group Policy objects (GPOs).
What is Group policy Object ?
A collection of Group Policy settings. GPOs are essentially the documents created by the
Group Policy Object Editor. GPOs are stored at the domain level, and they affect users and
computers that are contained in sites, domains, and organizational units. In addition, each
computer has exactly one group of policy settings stored locally, called the local Group Policy
object.
What is NTLM & explain that?
NTLM stands for NT LAN Manager. It is a challenge-response authentication protocol that was the default in Windows NT and is still used in Windows 2000 Server and later workgroup environments, and as the fallback in domains whenever Kerberos cannot be used (for example when a server is addressed by IP address rather than by name).
Disadvantages:
NTLM is an old protocol and while it still works and is effective, it has the following limitations:
- It is not a very fast protocol and has quite a high overhead.
- Each client access requires the server to contact a domain controller for verification (pass-through authentication), putting load on the server and on the domain controller.
- It is a proprietary protocol, which limits interoperability and supportability.
- No support for delegation of authentication is provided.
- There is no mutual authentication: the client cannot verify the identity of the server it is talking to.
- The password hash itself is the key used to answer the challenge, so a stolen NTLM hash can be reused without knowing the password (pass-the-hash) and an in-flight authentication can be relayed to another server (NTLM relay); the older LM and NTLMv1 variants are also cryptographically weak.
What is Kerberos & explain that?
Kerberos version 5 has been the default authentication protocol in Active Directory domains since Windows 2000. It relies on a trusted third party, the Key Distribution Center (KDC), which runs on every domain controller: a client proves its identity to the KDC once, receives a ticket-granting ticket (TGT), and then obtains service tickets for individual servers without sending its password to each of them.
Kerberos authentication offers the following advantages over NTLM authentication:
Mutual authentication. When a client uses the Kerberos v5 protocol for authentication with
a particular service on a particular server, Kerberos provides the client with an assurance that
the service is not being impersonated by malicious code on the network.
Delegation support. Servers that use Kerberos authentication to authenticate clients can
impersonate those clients and use the client's security context to access network resources.
Performance. Kerberos authentication offers improved performance over NTLM authentication.
Simplified trust management. Networks with multiple domains no longer require a complex set
of explicit, point-to-point trust relationships.
Interoperability. Microsoft's implementation of the Kerberos protocol is based on standards-track
specifications recommended to the Internet Engineering Task Force (IETF). As a result, the implementation
of the protocol in Windows 2000 lays a foundation for interoperability with other networks where
Kerberos version 5 is used for authentication.