System Administration And IT Infrastructure Services. Week 4: Directory Services

25 July 2022
32 test answers

question
What does a directory server provide?
answer
a lookup service for an organization; A directory service allows members of an organization to look up information about the organization, like network resources and their addresses.
question
What benefits does replication provide? Check all that apply.
answer
redundancy, decreased latency; Directory server replication grants you redundancy by having multiple copies of the database being served by multiple servers. The added servers that provide lookup services also reduce the latency for clients querying the service.
question
What's the most popular directory services protocol used today?
answer
lightweight directory access protocol; LDAP is the most popular and widely used directory access protocol today.
question
Which of these are examples of centralized management? Check all that apply.
answer
role-based access control, centralized configuration management; Role-based access control makes it easier to administer access rights by changing role membership and allowing for inheritance to grant permissions (instead of granting each permission individually for each user account). Centralized configuration management is an easier way to manage configurations for services and hardware. By centralizing this, it becomes easier to push changes to multiple systems at once.
question
Which of these are components of an LDAP entry? Check all that apply.
answer
Common Name, Distinguished Name; The Common Name contains a descriptor of the object, like the full name for a user account. A Distinguished Name is the unique name for the entry, and includes the attributes and values associated with the entry.
question
What does the LDAP Bind operation do exactly?
answer
authenticates a client to the directory server; A client authenticates to a directory server using the Bind operation. This could either be: (1) an anonymous bind; (2) a simple bind, where the password is sent in plaintext; or (3) an SASL bind, which involves a secure challenge-response authentication scheme.
question
Which of the following are authentication types supported by the LDAP Bind operation? Check all that apply.
answer
anonymous, simple, SASL; Bind operations support three different mechanisms for authentication: (1) Anonymous, which doesn't actually authenticate at all, and allows anyone to query the server; (2) Simple, which involves sending the password in plaintext; and (3) SASL, or Simple Authentication and Security Layer, which involves a secure challenge-response authentication mechanism.
question
What is Active Directory? Check all that apply.
answer
Microsoft's implementation of a directory server, an LDAP-compatible directory server; Active Directory is Microsoft's Windows-specific implementation of a directory server. It's fully LDAP compatible, so it works with any LDAP-supported client, though it has some features unique to the Windows ecosystem.
question
How is an Organizational Unit different from a normal container? Options: (1) it's not, it's just a different name for a container; (2) it can hold other objects; (3) it can only hold other containers; (4) it can hold additional containers.
answer
it can hold other objects; An Organizational Unit is a special type of container that can hold other containers and ordinary objects.
question
When you create an Active Directory domain, what's the name of the default user account?
answer
Administrator; The default user in an AD domain is Administrator.
question
True or false: Machines in the Domain Controllers group are also members of the Domain Computers group.
answer
false; While Domain Controllers are technically computers, they're not included in the Domain Computers group. The Domain Computers group holds all computers joined to a domain for an organization, except for the Domain Controllers, which belong in the DC group.
question
In what way are security groups different from distribution groups?
answer
security groups can be used to provide access to resources, while distribution groups are only used for email communication; Distribution groups can only be used for email communication, while security groups can be used to provide access to resources to members of the group.
question
What's the difference between changing a password and resetting a password?
answer
changing a password requires the previous password; When changing a password, the previous password must be supplied first. When resetting the password, an administrator is able to override this and set the password without knowledge of the previous one.
question
True or false: Joining a computer to Active Directory involves joining the computer to a workgroup.
answer
false; Joining a computer to Active Directory means binding it, or joining it, to the domain. An AD computer account is then created for it. A workgroup is a collection of standalone computers, not joined to an AD domain.
question
Joining a computer to an AD domain provides which of the following advantages? Check all that apply.
answer
centralized authentication, centralized management with GPOs; Active Directory can be used to centrally manage computers that are joined to it by pushing Group Policy Objects. Computers joined to a domain will also authenticate using Active Directory user accounts instead of local accounts, providing centralized authentication, too.
question
What are Group Policy Objects?
answer
Settings for computers and user accounts in AD; GPOs are objects in AD that hold settings and preferences, which can be applied to user accounts or computer accounts. GPOs allow for centralized management of accounts and computers.
question
What's the difference between a policy and a preference?
answer
A policy is enforced by AD, while a preference can be modified by a local user; Policies are settings that are enforced and reapplied regularly by AD, while preferences are defaults for various settings, but can be modified by users.
question
With a brand new AD domain, what do you need to change before you can target groups of users and machines with GPOs?
answer
You need to place users and computers into new OUs; Since GPOs can only be applied to sites, domains, and OUs, and because the default users and computers groups in AD are not OUs, GPOs cannot target these groups directly. In order to target specific groups of users or computers, new OUs need to be created, and users or accounts need to be added to them.
question
Select the right order of enforcement of GPOs:
answer
Site -> Domain -> OU; When GPOs collide, they're applied according to site first and domain second. Then, any OUs are applied from least specific to most specific.
question
What can we use to determine what policies will be applied for a given machine? Options: (1) gpupdate; (2) control panel; (3) a test domain; (4) an RSOP report.
answer
test domain; Not quite. A test domain could be useful for testing the outcome and behavior of group policy configuration options; it wouldn't be a good way to figure out the overall list of policies that would be applied, though.
question
How does a client discover the address of a domain controller?
answer
It makes a DNS query, asking for the SRV record for the domain; The client will make a DNS query, asking for the SRV record for the domain. The SRV record contains address information for domain controllers for that domain.
question
Which of the following could prevent you from logging into a domain-joined computer? Check all that apply.
answer
You're unable to reach the domain controller, the user account is locked, the time and date are incorrect; If the machine is unable to reach the domain controller for whatever reason, it wouldn't be able to authenticate against AD. Since AD authentication relies on Kerberos for encryption, authentication against AD will depend on the time being synchronized to within five minutes of the server and client. And of course, if the user account is locked, you won't be able to authenticate to the account or log into the computer.
question
What roles does a directory server play in centralized management? Check all that apply.
answer
authorization, centralized authentication, accounting; A directory server offers a centralized mechanism for handling authentication, authorization, and accounting. This is much more convenient and secure, compared to a bunch of disconnected local systems.
question
In Active Directory, a Domain Controller functions as which of the following? Check all that apply.
answer
A Kerberos authentication server, a DNS server, a server that holds a replica of the Active Directory database
question
Which component of an LDAP entry contains the unique entry name?
answer
Distinguished Name; The distinguished name, or DN, is the unique entry for an LDAP record.
question
Directory services store information in a hierarchical structure. Which statements about Organizational Units (OUs) of a directory service hierarchy are true? Check all that apply.
answer
Sub-member OUs inherit the characteristics of their parent OU; Any changes made to the higher-level users' OU would affect all sub-OUs. Specific files within an OU, or container, are called "objects"; Objects are particular data-points within any given Organizational Unit (container), for example, user information. Changes can be made to one sub-OU without affecting other sub-OUs within the same parent; For example, we could enforce stricter password requirements for employees organized under one particular OU than another.
question
Which of these are advantages of centralized management using directory services? Check all that apply.
answer
Role-based Access Control (RBAC) can organize user groups centrally; In most organizations, access to computer and network resources is based on your role in the organization. If you or another person change roles in the company, then all you have to do is change the user groups that you're a part of, not the rights that you have to directly access resources. Access and authorization are managed in one place; Creating user accounts and granting access to resources can be done all in one place using centralized management! Configuration management is centralized; Having access to configuration management in one place allows us to set up printers, configure software, or mount network filesystems without having to do it separately on each computer!
question
When you log into a website that uses a directory service, what command authenticates your username and password?
answer
Bind; When you log into a website that uses a directory service, the website will use LDAP to check if that user account is in the user directories and that the password is valid. If it's valid, then you'll be granted access into that account.
question
Which of these statements are true about Domain Controllers (DCs)? Check all that apply.
answer
the default OU called Domain Controllers contains all Domain Controllers in the domain; Default user groups exist. The Domain Controllers user group contains all Domain Controllers in the domain. Delegation can be used in Active Directory; Just like you can set NTFS DACLs to give accounts permission in the file system, you can set Access Control Lists on Active Directory objects.
question
The following command is typed into PowerShell: Add-Computer -DomainName 'mywebsite.com' -Server 'dc2'. What does this command do?
answer
Joins a computer to the domain mywebsite.com using Domain Controller 2; We can join computers to the domain from PowerShell. Now, our new computer will use this Active Directory domain for authentication, and we can use Group Policy to manage this machine.
question
Which of these are common reasons a group policy doesn't take effect correctly? Check all that apply.
answer
Kerberos may have issues with the UTC time on the clock; Kerberos, the authentication protocol that AD uses, is sensitive to time differences. If the domain controller and computer don't agree on the UTC time (usually to within five minutes), then the authentication attempt will fail. Fast Logon Optimization may delay GPO changes from taking effect; Fast Logon Optimization means the group policy engine applies policy settings to the local machine that may sacrifice the immediate application of some types of policies in order to make logon faster. It can mean that some GPO changes take much longer to be automatically applied than you might expect. Replication failure may occur; Replication failure is one reason that a GPO might fail to apply as expected. Changes have to be replicated out to other domain controllers. If replication fails, then different computers on your network can have different ideas about the state of directory objects, like Group Policy Objects.
question
To manage OpenLDAP policies over Command Line Interface (CLI), a certain type of file is needed. What is this type of file called?
answer
LDIF files; LDIF stands for LDAP Data Interchange Format, and is a form of notation. An LDIF file is just a text file that lists attributes and values that describe something in LDIF notation.