Understanding Active Directory, DNS, and Network Security

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an automatic tunneling protocol used by Windows workstation operating systems that emulates an IPv6 link using an IPv4 network.

Active Directory

Active Directory-integrated zones follow a multimaster update model, meaning that all such zones contain a read/write copy of the zone and can make changes to the zone information. Therefore, primary and secondary distinctions are not necessary.

Fill in the Blanks: Active Directory

  1. An AD DS database that contains information about users, computers, printers, and services, which enables users to access those resources and administrators to control access to them, is called a Network operating system (NOS) directory.
  2. The three phases of an IT services lifecycle, as defined by the Microsoft Operations Framework, are Plan, deliver, and operate.
  3. To assign user rights with a graphical interface, you use the Group Policy Object Editor tool.
  4. Only the restricted access forest model never includes trust relationships.
  5. Creating and maintaining user accounts in an Active Directory is a data management task.
  6. To raise the forest functional level on an existing AD DS installation with a graphical environment, you use the Active Directory Domains and Trusts tool.
  7. The first domain you create in a new Active Directory Domain Services installation is called the forest root domain.
  8. The centralized administrative model is most effective in organizations that maintain small branch offices that do not merit their own IT personnel.
  9. The Backup Operators group receives the Backup files and directories user right from the Default Domain Controllers Policy GPO.
  10. The account and resource divisions domain model was a common practice in Windows NT 4.0, but the ability in AD DS to delegate administrative autonomy to individual OUs has largely eliminated the need for this practice.

Domain Name System (DNS)

Fill in the Blank: DNS

  1. For a computer to be accessible from the Internet, it must have an IP address that is both registered and unique.
  2. A referral is the process by which one DNS server sends a name resolution request to another DNS server.
  3. The Internet Corporation for Assigned Names and Numbers (ICANN) manages IANA, the ultimate source for all registered addresses.
  4. IANA allocates blocks of addresses to regional Internet registries (RIRs), which in turn allocate smaller blocks to Internet service providers (ISPs).

Scenario: Ralph can configure the DNS server on the perimeter network to use the ISP's DNS server as a forwarder, or he can configure the workstations to use the ISP's DNS server as their primary DNS server.

Private IP Address Ranges:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Fill in the Blanks: DNS and NetBIOS

  1. Windows can use a variety of NetBIOS name resolution mechanisms, but the one most suited for the enterprise is the Windows Internet Name System (WINS).
  2. Prefix is 2000:0000. Teredo is an automatic tunneling protocol used by the Windows workstation operating systems that are located behind NAT routers.
  3. A special type of DNS server specifically intended to send recursive queries to another server is called a forwarder.
  4. The primary method for transmitting IPv6 traffic over an IPv4 network is called tunneling.

Recursive vs. Iterative DNS Queries

In the DNS, there is a difference between a recursive query and an iterative query:

  • Recursive Query: The DNS server receiving the name resolution request takes full responsibility for resolving the name. If the server possesses information about the requested name, it replies immediately to the requestor. If the server has no information about the name, it sends referrals to other DNS servers until it obtains the information it needs.
  • Iterative Query: The server that receives the name resolution request immediately responds with the best information it possesses at the time.

Subnetting Example

Arthur can subnet the address he has been given by using three host bits to give him eight subnets with up to 16 hosts on each one. The computers will use a subnet mask of 255.255.255.240 and IP address ranges as follows:

  • 192.16.85.1 – 192.16.85.14
  • 192.16.85.17 – 192.16.85.30
  • 192.16.85.33 – 192.16.85.46
  • 192.16.85.49 – 192.16.85.62
  • 192.16.85.65 – 192.16.85.78
  • 192.16.85.81 – 192.16.85.94
  • 192.16.85.97 – 192.16.85.110
  • 192.16.85.113 – 192.16.85.126
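The same arithmetic can be checked mechanically. The block below is an added example, not part of the original notes: it uses Python's standard `ipaddress` module to split a block by borrowing host bits and lists the usable range of each resulting subnet. It assumes Arthur's block is 192.16.85.0/25, which is inferred from the eight ranges listed above (.1 through .126); borrowing three bits from a /25 gives the eight /28 subnets and the 255.255.255.240 mask quoted.

```python
# Added example (not from the original notes): reproduce Arthur's subnetting
# plan with Python's ipaddress module. Assumption: the block he was given is
# 192.16.85.0/25, inferred from the eight listed ranges (.1 to .126).
import ipaddress


def subnet_plan(network: str, borrowed_bits: int):
    """Split `network` into 2**borrowed_bits equal subnets.

    Returns the new subnet mask, the usable host count per subnet, and the
    first/last usable host address of each subnet. The network and broadcast
    addresses are excluded, which is why a 16-address subnet carries 14 hosts.
    """
    net = ipaddress.ip_network(network, strict=True)
    subnets = list(net.subnets(prefixlen_diff=borrowed_bits))
    mask = str(subnets[0].netmask)
    usable = subnets[0].num_addresses - 2
    ranges = [
        (str(s.network_address + 1), str(s.broadcast_address - 1))
        for s in subnets
    ]
    return mask, usable, ranges


if __name__ == "__main__":
    mask, usable, ranges = subnet_plan("192.16.85.0/25", 3)
    print(f"mask {mask}: {len(ranges)} subnets, {usable} usable hosts each")
    for first, last in ranges:
        print(f"  {first} - {last}")
```

Running it prints the eight ranges listed above with mask 255.255.255.240. Note that each /28 holds 16 addresses but only 14 usable hosts, since the first and last addresses are the subnet and broadcast addresses.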

Caching-Only DNS Server

A DNS server can function as a caching-only DNS server, which simply provides name resolution services to clients on the network.

IPv6 Address Assignment

IPv6 addresses are assigned or obtained in three ways:

  1. Manually configuring one or more IPv6 addresses on the interface
  2. Dynamically using DHCP
  3. Both stateful and stateless address autoconfiguration

Classless Inter-Domain Routing (CIDR)

Classless Inter-Domain Routing (CIDR) is a subnetting method that enables administrators to place the division between the network bits and the host bits anywhere in the address, not just between octets.

Internal and External Domains

Strategies for Creating Internal and External Domains

Here are three possible strategies you can use when creating your internal and external domains:

  1. Use the same domain internally and externally
  2. Create separate domains in the same hierarchy
    Example: adatum.com (external), internal.adatum.com (third level)
  3. Create separate internal and external domains
    Example: adatum.local (internal), adatum.com (external)

Active Directory Replication

Push vs. Pull Partnerships

The basic difference between push and pull partnerships in Active Directory replication is:

  1. Push partners trigger replication events when a specific number of database changes have occurred.
  2. Pull partners initiate replication according to a predetermined schedule.

GlobalNames Zone

Windows Server 2008 and Windows Server 2008 R2 include a new DNS feature called the GlobalNames zone, which can resolve single-label names like those used in the NetBIOS namespace.

Functional Levels

Functional levels are essentially a version control mechanism for Active Directory forests and domains.

Forest Root Domain

The forest root domain performs critical forest-level functions that make it vital to the operation of the other domains in the forest:

  1. Forest-level administration groups: The forest root domain contains the Enterprise Admins and Schema Admins groups, membership in which should be limited to only the most trustworthy administrators.
  2. Forest-level operations masters: The forest root domain contains the domain controllers that function as the domain-naming master and the schema master. These roles are vital to the creation of new domains and the modification of the schema for the forest.
  3. Inter-domain authentication and authorization: Users throughout the enterprise must have access to the forest root domain when they log on to other domains and when they access resources in other domains.

Group Management

Steps for managing groups in Active Directory:

  1. Create domain local groups and grant them access to resources.
  2. Create global groups and add users (or other global groups) to them.
  3. Add the global groups as members of the domain local groups.

Intersite vs. Intrasite Replication

Differences Between Intersite and Intrasite Replication

Here are three differences between the intersite and intrasite replication processes in an Active Directory Domain Services network:

  1. Intersite replication events occur according to a schedule, while intrasite replication is triggered by changes to the database.
  2. Intersite traffic is compressed, while intrasite traffic is not.
  3. Intersite replication requires the creation and configuration of additional objects, while intrasite replication does not.

Scenario: Slow Logon Problem

Scenario: The best way to address the slow logon problem is to deploy a domain controller in the Brussels office. However, there is no one there qualified to administer a full domain controller, so the only alternative is to install an RODC. Because you must also create a new domain for the Brussels office, and because an RODC needs access to a full domain controller, you can create the domain at the Montreal office and deploy an RODC for that domain on the file server in the branch office.

Scenario: Installing a Certification Authority

Scenario: You are the IT administrator for Contoso, a large corporation with multiple sites. You want to deploy digital certificates to be used with L2TP with IPSec. The CA should be able to generate the certificates using a certificate template. Create a list of the tasks you must perform to install and configure the CA the director has requested, along with a reason for performing each task.

Answer:

  1. Install Active Directory Certificate Services: Install the Active Directory Certificate Services role with the Certification Authority role service. You could also install the Certification Authority Web Enrollment role service, but it is not needed for autoenrollment.
  2. Choose Enterprise CA: To support Active Directory clients, create an enterprise CA.
  3. Configure as Root CA: Because it is the first CA on the network, configure it to be a root CA.
  4. Create Certificate Template: Open a blank MMC console and add the Certificate Templates snap-in. Copy the existing IPSec template and modify the copy as needed. Make sure the template produces a version 3 certificate.
  5. Enable Autoenrollment: To allow autoenrollment, open the Properties sheet for the new template and, on the Security tab, assign the Allow Autoenroll, Allow Read, and Allow Enroll permissions to the Domain Users group that contains the users.
  6. Enable Group Policy Settings: Lastly, Group Policy settings must be enabled by an administrator before client computers can initiate autoenrollment.

Scenario: Accessing Files Overseas

Scenario: You have a corporation that has one large office in New York and another office in London. You created a shared folder on a New York Windows Server 2008 file server to hold project files that need to be used by members from both offices. However, the users in London sometimes have to wait a couple of minutes to open a larger file. What can you do to alleviate this problem?

Answer: You can use DFS replication to replicate the shared folder to a shared folder in the London Office. When a user makes a change to a document, the document will be replicated to the other office. When a user accesses a file, it will be accessed locally. Therefore, the user will not have to wait while the file is loaded.

Scenario: Protecting Documents

Scenario: You have a shared folder in which the sales team keeps bid documents. It is important that these documents do not get into the hands of a competitor. What can you do to ensure that they are protected?

Answer: Most likely, multiple people will have access to this folder. While you can protect the documents with NTFS permissions, NTFS permissions will not prevent someone with read access from printing a document and handing it to a competitor, copying it to a USB flash drive, or emailing it. The only way to protect these documents is to use Active Directory Rights Management Services (AD RMS) and apply a rights policy template that specifies who can access the documents and what can be done with them.

Dsmgmt.exe

Dsmgmt.exe is an interactive command-line program that administrators can use to manage AD DS partitions and their behavior.

BranchCache

BranchCache supports two operational modes:

  • Distributed cache mode: Each Windows 7 workstation on the branch office network caches data from the content server on its local drive and shares that cached data with other local workstations.
  • Hosted cache mode: Windows 7 workstations on the branch office network cache data from the content server on a branch office server, enabling other workstations to access the cached data from there.

BranchCache File Negotiation

Question: The following steps of a successful BranchCache file negotiation in hosted cache mode are in the wrong order. Specify the proper order in which the steps actually occur.

  a. Server sends requested file to client
  b. Client sends request to content server
  c. Client checks cache with metadata
  d. Client sends request to caching server
  e. Caching server confirms file availability
  f. Content server replies with metadata

Answer: b, f, c, e, d, a

Two-Stage RODC Deployment

Question: Explain why it might be necessary to deploy a read-only domain controller for a branch office in two stages.

Answer: Membership in the Domain Admins group is required to promote a server to a domain controller. RODCs are intended for small branch offices that do not have trained AD DS administrators, so the two-stage deployment enables an AD DS administrator in the main office to create the RODC account. Then, a designated local administrator at the branch office can complete the deployment without domain privileges.

RSA Encryption Example

Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but one can also use OpenSSL to generate and examine a real keypair.

  1. Choose two distinct prime numbers:
    p = 61 and q = 53
  2. Compute n = pq:
    n = 61 x 53 = 3233
  3. Compute the totient of the product:
    φ(n) = (p – 1)(q – 1) = (61 – 1)(53 – 1) = 3120
  4. Choose a coprime number:
    Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120. Let e = 17.
  5. Compute d:
    Compute d, the modular multiplicative inverse of e (mod φ(n)), yielding d = 2753. Worked example for the modular multiplicative inverse:
    d x e mod φ(n) = 1
    2753 x 17 mod 3120 = 1
  6. Public Key: The public key is (n = 3233, e = 17).
  7. Encryption Function: For a padded plaintext message m, the encryption function is:
    c(m) = m^17 mod 3233
  8. Private Key: The private key is (d = 2753).
  9. Decryption Function: For an encrypted ciphertext c, the decryption function is:
    m(c) = c^2753 mod 3233
  10. Example: To encrypt m = 65, we calculate:
    c = 65^17 mod 3233 = 2790
    To decrypt c = 2790, we calculate:
    m = 2790^2753 mod 3233 = 65
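The ten steps above can be reproduced in a few lines of code. The block below is an added example, not part of the original notes: it implements textbook RSA with the notes' parameters (p = 61, q = 53, e = 17), derives d with the extended Euclidean algorithm so that step 5 is visible rather than looked up, and round-trips m = 65 through the encryption and decryption functions. The function names are this example's own.

```python
# Added example (not from the original notes): textbook RSA with the notes'
# parameters p = 61, q = 53, e = 17, following the numbered steps above.
from math import gcd


def modinv(e: int, phi: int) -> int:
    """Modular inverse of e mod phi via the extended Euclidean algorithm
    (step 5 of the notes: find d such that d*e mod phi == 1).

    Invariant: old_r == old_s*e + t*phi for some integer t, so when old_r
    reaches 1, old_s is the inverse of e (possibly negative, hence % phi)."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("e and phi(n) are not coprime; no inverse exists")
    return old_s % phi


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-6 and 8: return ((n, e), d) for primes p, q and public exponent e."""
    n = p * q                       # step 2
    phi = (p - 1) * (q - 1)         # step 3: totient of n
    if gcd(e, phi) != 1:            # step 4: e must be coprime to phi(n)
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)              # step 5
    return (n, e), d


def encrypt(m: int, public_key) -> int:
    """Step 7: c = m^e mod n. The plaintext m must already be padded and < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    """Step 9: m = c^d mod n."""
    return pow(c, d, n)


def demo():
    """Step 10: encrypt m = 65 and decrypt the result; returns (c, m)."""
    public_key, d = rsa_keygen(61, 53, 17)
    c = encrypt(65, public_key)
    return c, decrypt(c, d, public_key[0])


if __name__ == "__main__":
    print(rsa_keygen(61, 53, 17))   # ((3233, 17), 2753)
    print(demo())                   # (2790, 65)
```

The explicit `modinv` exists only to show the step the notes work by hand; Python 3.8 and later can compute the same value with `pow(17, -1, 3120)`. The note in step 7 about a padded message matters in practice: raw exponentiation as shown here is deterministic and malleable, so real deployments apply a padding scheme such as OAEP before encrypting.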

Hash Function

A hash function is any function that can be used to map digital data of arbitrary size to digital data of fixed size.

Smart Card

A smart card is a pocket-sized card with embedded integrated circuits consisting of non-volatile memory storage components, and perhaps dedicated security logic.

Certificate Templates

Certificate templates are sets of rules and settings that define the format and content of a certificate based on the certificate’s intended use.

Online Certificate Status Protocol (OCSP)

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Certificate Enrollment

Question: What are the six high-level procedures for certificate enrollment?

Answer:

  1. Generating keys
  2. Collecting required information
  3. Requesting the certificate
  4. Verifying the information
  5. Creating the certificate
  6. Sending or posting the certificate

Autoenrollment Permissions

Question: What are the permissions necessary to enable autoenrollment of digital certificates?

Answer: To enable autoenrollment, you must configure the Allow Read, Allow Enroll, and Allow Autoenroll permissions to the same user or group.

Rights Policy Templates

Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content.

Cloud Computing

Rationale Behind Cloud Computing

  • High operational costs, typically associated with implementing and managing desktop and server infrastructures
  • Low system utilization, often associated with non-virtualized server workloads in enterprise environments
  • Inconsistent availability due to the high cost of providing hardware redundancy
  • Poor agility, which makes it difficult for businesses to meet evolving market demands

Microsoft Windows Azure and Microsoft SQL Azure are public cloud offerings that allow you to develop, deploy, and run your business applications over the Internet instead of hosting them locally in your own datacenter.

Software as a Service (SaaS) involves using the cloud to deliver a single application to multiple users, regardless of their location or the kind of device they are using.