Understanding Active Directory, DNS, and Network Security

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an automatic tunneling protocol used by Windows workstation operating systems that emulates an IPv6 link using an IPv4 network.

Active Directory-Integrated Zones

Active Directory-integrated zones follow a multimaster update model, meaning that every domain controller hosting such a zone holds a read/write copy of it and can make changes to the zone information. Therefore, primary and secondary distinctions are not necessary.

Fill in the Blanks (Active Directory)

1. An AD DS database that contains information about users, computers, printers, and services, which enables users to access those resources and administrators to control access to them, is called a Network Operating System (NOS) directory.
2. The three phases of an IT services lifecycle, as defined by the Microsoft Operations Framework, are Plan, Deliver, and Operate.
3. To assign user rights with a graphical interface, you use the Group Policy Object Editor tool.
4. Only the restricted access forest model never includes trust relationships.
5. Creating and maintaining user accounts in an Active Directory is a data management task.
6. To raise the forest functional level on an existing AD DS installation with a graphical environment, you use the Active Directory Domains and Trusts tool.
7. The first domain you create in a new Active Directory Domain Services installation is called the forest root domain.
8. The centralized administrative model is most effective in organizations that maintain small branch offices that do not merit their own IT personnel.
9. The Backup Operators group receives the Backup files and directories user right from the Default Domain Controllers Policy GPO.
10. The account and resource divisions domain model was a common practice in Windows NT 4.0, but the ability in AD DS to delegate administrative autonomy to individual OUs has largely eliminated the need for this practice.

Fill in the Blanks (DNS and IP Addressing)

1. For a computer to be accessible from the Internet, it must have an IP address that is both registered and unique.
2. A referral is the process by which one DNS server sends a name resolution request to another DNS server.
3. The Internet Corporation for Assigned Names and Numbers (ICANN) manages IANA, the ultimate source for all registered addresses.
4. IANA allocates blocks of addresses to regional Internet registries (RIR), which allocate smaller blocks in turn to Internet service providers (ISPs).

Scenario: Perimeter Network DNS

Ralph can configure the DNS server on the perimeter network to use the ISP’s DNS server as a forwarder, or he can configure the workstations to use the ISP’s DNS server as their primary DNS server.

Private IP Address Ranges: 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16

Fill in the Blanks (Name Resolution and IPv6)

1. Windows can use a variety of NetBIOS name resolution mechanisms, but the one most suited for the enterprise is the Windows Internet Name System (WINS).
2. The IPv6 global unicast address prefix is 2000::/3. Teredo is an automatic tunneling protocol used by the Windows workstation operating systems that are located behind NAT routers.
3. A special type of DNS server specifically intended to send recursive queries to another server is called a forwarder.
4. The primary method for transmitting IPv6 traffic over an IPv4 network is called tunneling.

Recursive vs. Iterative DNS Queries

Recursive Query: The DNS server receiving the name resolution request takes full responsibility for resolving the name. If the server possesses information about the requested name, it replies immediately to the requestor. If the server has no information about the name, it sends referrals to other DNS servers until it obtains the information it needs.
Iterative Query: The server that receives the name resolution request immediately responds with the best information it possesses at the time.
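The two query types above are easiest to see side by side in a small simulation. The following is an added example, not code from the original notes: a client sends one recursive query to a resolver, and the resolver walks a chain of iterative queries (each answered immediately with the best information that server holds, either an answer or a referral). The server names, the adatum.com zone data and the address 203.0.113.10 are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample servers (not real DNS data). Each server knows either final
# answers for some names or referrals to the server responsible for a longer suffix.
ROOT_SERVER = "root"
SERVERS: Dict[str, Dict[str, Dict[str, str]]] = {
    "root":          {"referrals": {"com.": "tld-com"}, "answers": {}},
    "tld-com":       {"referrals": {"adatum.com.": "ns.adatum.com"}, "answers": {}},
    "ns.adatum.com": {"referrals": {}, "answers": {"www.adatum.com.": "203.0.113.10"}},
}


def iterative_query(server: str, name: str) -> Tuple[str, Optional[str]]:
    """Iterative behaviour: reply at once with the best information held.
    Returns ("answer", address), ("referral", next_server) or ("nxdomain", None)."""
    data = SERVERS[server]
    if name in data["answers"]:
        return ("answer", data["answers"][name])
    best: Optional[Tuple[str, str]] = None
    for suffix, target in data["referrals"].items():
        # Prefer the most specific (longest) matching suffix
        if name.endswith(suffix) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, target)
    if best is not None:
        return ("referral", best[1])
    return ("nxdomain", None)


def recursive_query(name: str, cache: Optional[Dict[str, str]] = None,
                    trace: Optional[List[tuple]] = None) -> Optional[str]:
    """Recursive behaviour: the resolver takes full responsibility for the name,
    answering from its cache if it can, otherwise following referrals from the root
    until it gets an answer or runs out of referrals."""
    cache = {} if cache is None else cache
    trace = [] if trace is None else trace      # records each hop, useful for debugging
    if name in cache:
        trace.append(("cache", name))
        return cache[name]
    server = ROOT_SERVER
    while True:
        kind, value = iterative_query(server, name)
        trace.append((server, kind, value))
        if kind == "answer":
            cache[name] = value                  # remember it for later clients
            return value
        if kind == "referral":
            server = value                       # ask the server we were referred to
            continue
        return None                              # no server could help


if __name__ == "__main__":
    hops: List[tuple] = []
    print(recursive_query("www.adatum.com.", {}, hops))
    for hop in hops:
        print("  ", hop)
```

The trace shows why a recursive resolver is the component that does the most work and keeps the most state: it is the one contacting several servers and caching the results, which is also why it is the usual place to apply response filtering and logging.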

Subnetting Example

Arthur can subnet the address he has been given by using three host bits to give him eight subnets with up to 16 hosts on each one. The computers will use a subnet mask of 255.255.255.240 and IP address ranges as follows:
192.168.85.1 – 192.168.85.14
192.168.85.17 – 192.168.85.30
192.168.85.33 – 192.168.85.46
192.168.85.49 – 192.168.85.62
192.168.85.65 – 192.168.85.78
192.168.85.81 – 192.168.85.94
192.168.85.97 – 192.168.85.110
192.168.85.113 – 192.168.85.126
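The ranges above can be generated and checked rather than worked out by hand. The following is an added example (not part of the original notes) using Python's standard `ipaddress` module. It assumes, since the page does not state it, that Arthur's original allocation is 192.168.85.0/25; borrowing three host bits from a /25 produces exactly the eight /28 subnets listed. The block also reports the usable host count per subnet (14, since the network and broadcast addresses of each /28 are not assignable) and includes a helper for checking which subnet a given address falls in, which is the question that comes up when writing firewall rules or DHCP scopes.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumption (not stated on the page): the block Arthur was given is a /25.
ORIGINAL_BLOCK = "192.168.85.0/25"
BORROWED_BITS = 3


def subnet_plan(network: str, borrowed_bits: int) -> List[Dict[str, object]]:
    """Split `network` by borrowing `borrowed_bits` host bits and return one record
    per subnet: network, mask, first/last usable host, broadcast, usable host count."""
    net = ipaddress.ip_network(network, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes the network and broadcast addresses
        plan.append({
            "network": str(sub),
            "mask": str(sub.netmask),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": len(hosts),
        })
    return plan


def locate(address: str, network: str, borrowed_bits: int) -> Optional[str]:
    """Return the subnet (CIDR string) containing `address`, or None if the address
    lies outside `network` altogether."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(network, strict=True)
    if addr not in net:
        return None
    for sub in net.subnets(new_prefix=net.prefixlen + borrowed_bits):
        if addr in sub:
            return str(sub)
    return None


def is_usable_host(address: str, network: str, borrowed_bits: int) -> bool:
    """True if `address` can be assigned to a host: inside the block and neither
    the network address nor the broadcast address of its subnet."""
    sub = locate(address, network, borrowed_bits)
    if sub is None:
        return False
    sub_net = ipaddress.ip_network(sub)
    addr = ipaddress.ip_address(address)
    return addr not in (sub_net.network_address, sub_net.broadcast_address)


if __name__ == "__main__":
    for entry in subnet_plan(ORIGINAL_BLOCK, BORROWED_BITS):
        print(f'{entry["network"]:<18} {entry["first_host"]} - {entry["last_host"]}'
              f'  (broadcast {entry["broadcast"]}, {entry["usable_hosts"]} usable hosts)')
```

Running the block prints the same eight ranges as the list above together with each subnet's broadcast address, which is the address most often mis-assigned when subnetting is done by hand.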

Caching-Only DNS Server

A DNS server can function as a caching-only DNS server, which simply provides name resolution services to clients on the network.

IPv6 Address Assignment

IPv6 addresses are assigned or obtained in three ways:
1. Manually configuring one or more IPv6 addresses on the interface
2. Dynamically using DHCP
3. Both stateful and stateless address autoconfiguration

Classless Inter-Domain Routing (CIDR)

Classless Inter-Domain Routing (CIDR) is a subnetting method that enables administrators to place the division between the network bits and the host bits anywhere in the address, not just between octets.

Internal and External Domain Strategies

There are three possible strategies you can use when creating your internal and external domains:
1. Use the same domain internally and externally
2. Create separate domains in the same hierarchy (e.g., Adatum.com (external), internal.adatum.com (third level))
3. Create separate internal and external domains (e.g., Adatum.local (internal), adatum.com (external))

Push vs. Pull Partnerships

The basic difference between push and pull partnerships is that:
1. Push partners trigger replication events when a specific number of database changes have occurred.
2. Pull partners initiate replication according to a predetermined schedule.

GlobalNames Zone and Functional Levels

Windows Server 2008 and Windows Server 2008 R2 include a new DNS feature called the GlobalNames zone, which can resolve single-label names like those used in the NetBIOS namespace.
Functional levels are essentially a version control mechanism for Active Directory forests and domains.

Forest Root Domain Functions

The forest root domain performs critical forest-level functions that make it vital to the operation of the other domains in the forest:
1. Forest-level administration groups – The forest root domain contains the Enterprise Admins and Schema Admins groups, membership in which should be limited to only the most trustworthy administrators.
2. Forest-level operations masters – The forest root domain contains the domain controllers that function as the domain naming master and the schema master. These roles are vital to the creation of new domains and the modification of the schema for the forest.
3. Inter-domain authentication and authorization – Users throughout the enterprise must have access to the forest root domain when they log on to other domains and when they access resources in other domains.

Creating and Managing Groups

1. Create domain local groups and grant them access to resources.
2. Create global groups and add users (or other global groups) to them.
3. Add the global groups as members of the domain local groups.

Intersite vs. Intrasite Replication

List three differences between the intersite and intrasite replication processes in an Active Directory Domain Services network. Choose any three of the following:
– Intersite replication events occur according to a schedule while intrasite replication is triggered by changes to the database.
– Intersite traffic is compressed, while intrasite traffic is not.
– Intersite replication requires the creation and configuration of additional objects, while intrasite replication does not.
– Intersite replication occurs only between bridgehead servers, while intrasite domain controllers transmit to multiple replication partners.

Scenario: Replication Traffic

The total cost of the Los Angeles – Sacramento – San Francisco connection is less than that of the Los Angeles – San Francisco connection, so replication traffic will favor the half-price connection, rather than use the nearly-saturated T-1. 300, 100, 100, 100, 500, 500.

Scenario: GPO Precedence

Alice must create another GPO containing the following setting, link it to the domain, and modify its scope filtering by adding the Executives group and removing the Authenticated Users group. This GPO must take precedence over the Device Restrictions GPO.
• Prevent installation of devices not described by other policy settings – Disabled.

Scenario: Slow Logon Problem

The best way to address the slow logon problem is to deploy a domain controller in the Brussels office. However, there is no one there qualified to administer a full domain controller, so the only alternative is to install an RODC. Because you must also create a new domain for the Brussels office, and because an RODC needs access to a full domain controller, you can create the domain at the Montreal office and deploy an RODC for that domain on the file server in the branch office.

Scenario: Installing a Certification Authority

To deploy the CA, install the Active Directory Certificate Services role with the Certification Authority role service. You could also install the Certification Authority Web Enrollment role service, but it is not needed for auto-enrollment. To support auto-enrollment, you need to install the CA on Windows Server 2008 R2 Enterprise Edition.
To support Active Directory clients, create an enterprise CA.
Because it is the first CA on the network, configure it to be a root CA.
Open a blank MMC console and add the Certificate Templates snap-in. Copy the existing IPSec template and modify the copy as needed. Make sure the new template produces a version 3 certificate.
To allow auto-enrollment, you need to open the Properties sheet for the new template and, on the Security tab, assign the Allow Autoenroll, Allow Read and Allow Enroll permission to the Domain Users group that the users are in.
Lastly, Group Policy settings must be enabled by an administrator before client computers can initiate autoenrollment.

Scenario: Accessing Files Overseas

You can use DFS replication to replicate the shared folder to a shared folder in the London Office. When a user makes a change to a document, the document will be replicated to the other office. When a user accesses a file, it will be accessed locally. Therefore, the user will not have to wait while the file is loaded.

Scenario: Protecting Documents

Most likely multiple people will have access to this folder. While you can protect the document with NTFS permissions, NTFS permissions will not prevent someone with read access from printing the document and handing it to a competitor, copying it to a USB flash drive, or emailing it. The only way to protect these documents is to use Active Directory Rights Management Services (AD RMS) and apply a rights policy template that specifies who can access the documents and what can be done with them.

Dsmgmt.exe and BranchCache

Dsmgmt.exe is an interactive command-line program that administrators can use to manage AD DS partitions and their behavior.
BranchCache supports two operational modes, as follows:
Distributed cache mode – Each Windows 7 workstation on the branch office network caches data from the content server on its local drive and shares that cached data with other local workstations.
Hosted cache mode – Windows 7 workstations on the branch office network cache data from the content server on a branch office server, enabling other workstations to access the cached data from there.

BranchCache File Negotiation

1. The following steps of a successful BranchCache file negotiation in hosted cache mode are in the wrong order. Specify the proper order in which the steps actually occur.
a. Server sends requested file to client
b. Client sends request to content server
c. Client checks cache with metadata
d. Client sends request to caching server.
e. Caching server confirms file availability.
f. Content server replies with metadata.

Answer: b, f, c, e, d, a
2. Explain why it might be necessary to deploy a read-only domain controller for a branch office in two stages.
Membership in the Domain Admins group is required to promote a server to a domain controller. RODCs are intended for small branch offices that do not have trained AD DS administrators, so the two-stage deployment enables an AD DS administrator in the main office to create the RODC account. Then, a designated local administrator at the branch office can complete the deployment without domain privileges.

RSA Encryption and Decryption

This section provides a detailed example of RSA encryption and decryption using small prime numbers for demonstration purposes.

Hash Function

A hash function is any function that can be used to map digital data of arbitrary size to digital data of fixed size.

Smart Card

A smart card is a pocket-sized card with embedded integrated circuits consisting of non-volatile memory storage components, and perhaps dedicated security logic.

Certificate Templates

Certificate templates are sets of rules and settings that define the format and content of a certificate based on the certificate’s intended use.

Online Certificate Status Protocol (OCSP)

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Certificate Enrollment Procedures

What are the 6 high-level procedures for certificate enrollment?
Answer:
1. Generating keys
2. Collecting required information
3. Requesting the certificate
4. Verifying the information
5. Creating the certificate
6. Sending or posting the certificate

Autoenrollment Permissions

What are the permissions necessary to enable autoenrollment of digital certificates?
Answer: To enable autoenrollment, you must configure the Allow Read, Allow Enroll, and Allow Autoenroll permissions to the same user or group.

Rights Policy Templates

Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content.

Rationale Behind Cloud Computing

The rationale behind cloud computing includes:
– High operational costs, typically associated with implementing and managing desktop and server infrastructures
– Low system utilization, often associated with non-virtualized server workloads in enterprise environments
– Inconsistent availability due to the high cost of providing hardware redundancy
– Poor agility, which makes it difficult for businesses to meet evolving market demands

Microsoft Azure

Microsoft Windows Azure and Microsoft SQL Azure are public cloud offerings that allow you to develop, deploy, and run your business applications over the Internet instead of hosting them locally on your own datacenter.

Software as a Service (SaaS)

This approach involves using the cloud to deliver a single application to multiple users, regardless of their location or the kind of device they are using. This is known as Software as a Service (SaaS).