System Administration - Azure & Windows & VMware - Detailed

What is Active Directory?

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.

The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.

The services control much of the activity that goes on in your IT environment. In particular, they make sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allow them to access only the data they’re allowed to use (authorization).

Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application or device such as a printer. Objects are normally defined as either resources, such as printers or computers, or security principals, such as users or groups. Active Directory categorizes directory objects by name and attributes. For example, the name of a user might include the name string, along with information associated with the user, such as passwords and Secure Shell keys.

The main service in Active Directory is Domain Services (AD DS), which stores directory information and handles the interaction of the user with the domain. AD DS verifies access when a user signs into a device or attempts to connect to a server over a network. AD DS controls which users have access to each resource, as well as group policies. For example, an administrator typically has a different level of access to data than an end user.

Other Microsoft and Windows operating system (OS) products, such as Exchange Server and SharePoint Server, rely on AD DS to provide resource access. The server that hosts AD DS is the domain controller.

Active Directory services: Several different services comprise Active Directory. The main service is Domain Services, but Active Directory also includes Lightweight Directory Services (AD LDS), Lightweight Directory Access Protocol (LDAP), Certificate Services (AD CS), Federation Services (AD FS) and Rights Management Services (AD RMS). Each of these other services expands the product's directory management capabilities.

· Lightweight Directory Services has the same codebase as AD DS, sharing similar functionalities, such as the application program interface. AD LDS, however, can run in multiple instances on one server and holds directory data in a data store using Lightweight Directory Access Protocol.

· Lightweight Directory Access Protocol is an application protocol used to access and maintain directory services over a network. LDAP stores objects, such as usernames and passwords, in directory services, such as Active Directory, and shares that object data across the network.

· Certificate Services generates, manages and shares certificates. A certificate uses encryption to enable a user to exchange information over the internet securely with a public key.

· Active Directory Federation Services authenticates user access to multiple applications -- even on different networks -- using single sign-on (SSO). As the name indicates, SSO only requires the user to sign on once, rather than use multiple dedicated authentication keys for each service.

· Rights Management Services control information rights and management. AD RMS encrypts content, such as email or Microsoft Word documents, on a server to limit access.

Major features in Active Directory Domain Services

Active Directory Domain Services uses a tiered layout structure consisting of domains, trees and forests to coordinate networked elements.

Domains are the smallest of the main tiers, while forests are the largest. Different objects, such as users and devices, that share the same database will be on the same domain. A tree is one or more domains grouped together with hierarchical trust relationships. A forest is a group of multiple trees. Forests provide security boundaries, while domains -- which share a common database -- can be managed for settings such as authentication and encryption.

    A domain is a group of objects, such as users or devices, that share the same AD database. Domains have a domain name system

    A tree is one or more domains grouped together. The tree structure uses a contiguous namespace to gather the collection of domains in a logical hierarchy. Trees can be viewed as trust relationships where a secure connection, or trust, is shared between two domains. Multiple domains can be trusted where one domain can trust a second, and the second domain can trust a third. Because of the hierarchical nature of this setup, the first domain can implicitly trust the third domain without needing explicit trust.

    A forest is a group of multiple trees. A forest consists of shared catalogs, directory schemas, application information and domain configurations. The schema defines an object's class and attributes in a forest. In addition, global catalog servers provide a listing of all the objects in a forest. According to Microsoft, the forest is Active Directory's security boundary.

    Organizational Units (OUs) organize users, groups and devices. Each domain can contain its own OUs. However, OUs cannot have separate namespaces, as each user or object in a domain must be unique. For example, two user accounts with the same username cannot be created in one domain.

Containers are similar to OUs, but Group Policy Objects cannot be applied or linked to container objects.

What is Active Directory?

Active Directory (AD) is a directory service that runs on Microsoft Windows Server. The main function of Active Directory is to enable administrators to manage permissions and control access to network resources. In Active Directory, data is stored as objects, which include users, groups, applications, and devices, and these objects are categorized according to their name and attributes.

What Are Active Directory Domain Services?

Active Directory Domain Services (AD DS) are a core component of Active Directory and provide the primary mechanism for authenticating users and determining which network resources they can access. AD DS also provides additional features such as Single Sign-On (SSO), security certificates, LDAP, and access rights management.

The Hierarchical Structure of Active Directory Domain Services

AD DS organizes data in a hierarchical structure consisting of domains, trees, and forests, as detailed below.

Domains: A domain represents a group of objects such as users, groups, and devices, which share the same AD database. You can think of a domain as a branch in a tree. A domain has the same structure as standard domains and sub-domains, e.g. yourdomain.com and sales.yourdomain.com.

Trees: A tree is one or more domains grouped together in a logical hierarchy. Since domains in a tree are related, they are said to “trust” each other.

Forest: A forest is the highest level of organization within AD and contains a group of trees. The trees in a forest can also trust each other, and will also share directory schemas, catalogs, application information, and domain configurations.

Organizational Units: An OU is used to organize users, groups, computers, and other organizational units.

Containers: A container is similar to an OU, however, unlike an OU, it is not possible to link a Group Policy Object (GPO) to a generic Active Directory container.

1. What is Active Directory?

It is a database and set of services that contain critical information about users and computers, including the environment and who is allowed to do what. Storing all this information in the AD database makes it easy for administrators and users to find and use.

2. What are the benefits of Active Directory?

The benefits of AD are: security, simplicity, extensibility and resiliency.

3. Define Kerberos.

Kerberos is a widely used computer network authentication protocol that secures service requests between two or more trusted hosts across untrusted networks (like the Internet). It is widely used because of the benefits listed below:

· Single sign-on.

· Secure.

· Mutual authentication.  

· Trusted third party.

4. What do you understand by domain in Active Directory?

An Active Directory domain is a grouping of network resources that share common administration and services. Each domain contains a database that will store the object identity information. Domains are grouped in a tree structure; the group of trees is known as an Active Directory forest. 

5. List out the new features of Active Directory in Windows Server 2012.

The new features of Active Directory in Windows Server 2012 are:

· Dynamic Access Control.

· Virtualization.

· Event logs.

· AD Recycle Bin.

· Windows PowerShell History Viewer.

· Active Directory Federation Services.

· Group Managed Service Accounts.

· Simplified Management.

· Fine-Grained password policies.

6. Define SYSVOL folder.

The SYSVOL (System Volume) folder is an essential part of AD found on each domain controller (DC). The log files and Active Directory database are stored in the SYSVOL folder on the server.

The SYSVOL folder is located at C:\Windows\SYSVOL.

What is SYSVOL?

The SYSVOL folder keeps the server's copy of the domain's public files. Its contents, such as user and group policy data, are replicated to all domain controllers in the domain.

7. What is RID Master?

The RID Master is one of the FSMO roles in an AD forest. It is responsible for allocating a unique RID sequence (a pool of relative IDs) to each domain controller in its domain. Only one domain controller in each domain holds this role.

8. What do you understand about ARP?

ARP stands for Address Resolution Protocol, which makes connectivity on a LAN possible. A LAN is a group of two or more network devices. Each network device has an IP address, which can change over time. ARP maps this IP address to the MAC address of the network device, which is what makes connectivity work.

9. What is Subnet?

A subnet is short for subnetwork: smaller networks are formed by dividing a larger network into smaller networks. This is done to improve a large network's performance and security, and it simplifies network management. Each subnet has its own network address, which means each subnet is considered a separate network.

10. What is the Physical structure of AD?

The physical structure of AD is divided into:

· Domain Controller - A domain controller is a server running Active Directory that contains a complete replica of the domain database.

· Sites - Grouping of one or more than one subnet used by the replication service to optimize bandwidth.

11. What is the location of the AD database?

Microsoft Windows has a centralized database known as AD(Active Directory). It stores information about the user, computers, and other things in the network. The location of the Active Directory is not fixed. It is dependent on various things like the Operating System version, network configuration, etc. Although, in many cases, it is stored in the form of a file named NTDS.DIT, which is on a domain controller. 

12. Differentiate between the Enterprise Admin group and Domain Admin Group in the Active Directory.

Let's discuss the Enterprise Admin group vs. the Domain Admin group.

Enterprise Admin group:

· Belongs to the Administrators group on all domain controllers in the forest.

· All members have complete control of all domains in the forest.

· Full control of the forest.

Domain Admin group:

· Belongs to the Administrators group on all workstations and domain controllers at the time they are joined to the domain.

· All members have complete control of the domain.

· Full control in the domain.

13. What happens if the replication in AD fails?

Replication in AD is a method of transferring objects from one domain controller to another domain controller. If AD replication fails, then it would lead to inconsistent results or operational failures that depend upon the domain controller who is in charge of the operation.

14. What does Active Directory Recycle Bin do?

The Active Directory Recycle Bin is a tool of Windows Server 2008 that is used to recover accidentally deleted AD objects such as groups, users, computers, or organizational units on a network without using a backed-up AD database. It facilitates the recovery of deleted objects and their properties, and services keep running while the restoration is done.

15. List different types of containers.

The two types of containers are default containers and Organizational Units (OU). The default containers and their contents are:

· Computers: computers joined to the domain without a pre-created computer account are kept in this container.

· Builtin: domain local security groups and default service administrator accounts are stored in this container.

· Domain Controllers: this container is the default location for domain controllers.

Note: the default containers are created automatically and cannot be deleted.

16. What is contained in system state data?

The System state data contains:

· System files.

· SYSVOL folder.

· Registry.

· Registration Database.

· Startup files.

· Memory page file.

· AD information, etc.

17. What is the port number of LDAP?

The port number of Lightweight Directory Access Protocol (LDAP) is 389. LDAP helps users to find data about persons, organizations, or other resources. It is used in various applications to validate the usernames and passwords of users.

18. Name any three ports used by the Active Directory.

The three ports used by the AD are:

· DNS: port 53 TCP, UDP

· LDAP: port 389 TCP, UDP

· Kerberos: port 88 TCP, UDP

19. In what format is data shown in Active Directory?

In Active Directory, data is stored in the form of objects, including groups, users, applications, etc. It is presented in the form of a hierarchy where AD uses structured data stores for the logical organization of directory information.

20. What do you mean by the term forest in Active Directory?

Forest in AD is a collection of various trees with shared catalogs, application data, domain parameters, and directory schemas. It is the highest level container in the organization within the Active Directory and manages and controls authentication across the organization. 

21. What is DNS in AD?

The Domain Name System in Active Directory holds a database to locate services active on that network. Computers use DNS to find Active Directory domain controllers when carrying out any of the key Active Directory operations, such as authentication, updating, or searching.

The three main components of DNS are:

· Domain Controller locator.

· Active Directory DNS objects.

· Active Directory domain names in DNS.

22. What are some common Active Directory issues?

Ans: Some of the common issues that occur in Active Directory are:

· AD can become unresponsive if Active Directory servers are not working properly.

· AD databases can become corrupt if the database is not maintained properly or gets damaged.

23. Compare domain local, global, and universal groups in Active Directory.

The domain local, global, and universal groups are used to manage user access.

· Domain local groups: Permissions are granted to users inside a single domain using domain local groups

· Global groups: Permissions are given to users across multiple domains using global groups

· Universal groups: Permissions are given to users across multiple domains and forests using universal groups

24. List out the components of AD.

Ans: The main components of Active Directory are

· Kerberos - Kerberos is the authentication protocol used by Microsoft Windows Server and by AD to provide secure access to their networks. It uses a combination of encryption and tickets to let nodes communicating over an unsecured network prove their identity to each other.

· Domain Name System (DNS) - DNS in Active Directory holds a database of the services active on that network. DNS is used as the domain controller location mechanism by Active Directory Domain Services (AD DS).

· Active Directory Domain Services (AD DS) - AD DS uses DNS name resolution services to allow clients to find domain controllers, and the domain controllers host the directory service to communicate with one another

· Lightweight Directory Access Protocol (LDAP) - It is a protocol used to work with various services within a network

25. What is the use of replication in AD?

The use of replication in AD is to share and update the AD objects from one DC to another DC to increase the availability, data defense, and performance. There are two types of replication in AD.

26. Name the different components of the active directory schema.

The three components of active directory schema are:

1. Classes: Attributes are organized into object classes in an Active Directory Schema. In an Active Directory structure, there are three different classes: 

· Structural class

· Abstract class

· Auxiliary class

2. Objects: An object is the basic element of Active Directory that represents a resource present in the AD network, such as a user, printer, application, group, or computer.

3. Attributes: In the Active Directory environment, attributes are the entities that are used to hold data/information about the objects.

27. What is the use of APIPA?

Automatic Private IP Addressing is a feature of operating systems used by DHCP clients to automatically assign an Internet Protocol address to themselves if there is no DHCP (Dynamic Host Configuration Protocol) server available to perform that function.

28. On which factors do Active Directory Domain Services depend?

AD Domain Services depend on the directory database, name resolution, the replication topology, network connectivity, the replication engine, authentication, and authorization.

29. What is the difference between a domain and a forest? 

A domain is a logical grouping of users, computers, and other resources while a forest is a collection of one or more domains that share a common schema, configuration, and Global Catalog.

30. What is the role of the RID Master in Active Directory? 

The RID Master is responsible for assigning Relative Identifiers (RIDs) to objects in Active Directory. RIDs are unique identifiers that are used to identify objects in Active Directory. The job of RID Master is to ensure that no two objects in Active Directory have the same RID.

What are the new features in Active Directory (AD) of Windows Server 2012?

· dcpromo (Domain Controller Promoter) with improved wizard: It allows you to view all the steps and review the detailed results during the installation process.

· Enhanced Administrative Center: Compared to the earlier version of Active Directory, the Administrative Center is well designed in Windows Server 2012. The Exchange management console is well designed.

· Recycle Bin goes GUI: In Windows Server 2012, there are now many ways to enable the Active Directory Recycle Bin through the GUI in the Active Directory Administrative Center, which was not possible with the earlier version.

· Fine-grained password policies (FGPP): In Windows Server 2012, implementing FGPP is much easier compared to an earlier version. It allows you to create different password policies in the same domain.

· Windows PowerShell History Viewer: You can view the Windows PowerShell commands that relate to the actions you execute in the Active Directory Administrative Center UI.

Which is the default protocol used in directory services?

The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).

Explain the term FOREST in AD.

A forest is an assembly of AD domains that share a single schema for the AD. All DCs in the forest share this schema, which is replicated among them in a hierarchical fashion.

1. What do you mean by Active Directory?

Active Directory is a directory structure used on Microsoft Windows-based servers and computers to store data and information about domains and networks.

2. Name the default protocol used in directory services.

The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).

3. Define SYSVOL.

The SYSVOL folder keeps the server's copy of the domain's public files. Its contents, such as user and group policy data, are replicated to all domain controllers in the domain.

4. Define the term FOREST in AD.

A forest is a collection of AD domains that share a single schema for the AD. All DCs in the forest share this schema, which is replicated among them in a hierarchical fashion.

5. What is Kerberos?

Kerberos is a network authentication protocol. It is built to provide secure authentication for client applications by using secret-key cryptography.

6. What do you mean by lingering objects?

Lingering objects can exist if a domain controller does not replicate for a period of time that is longer than the tombstone lifetime.

7. Define Active Directory Schema.

The schema is an Active Directory component that describes all the objects and attributes that the directory service uses to store data.

8. Name the components of AD?

The components of AD are:

• Physical Structures: Domain controller and Sites

• Logical Structure: Trees, Forest, Domains and OU

9. Define Infrastructure Master.

The Infrastructure Master is responsible for updating user and group information and the global catalog.

10. Define the domain.

A domain is a set of network resources for a collection of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

11. Explain subnet.

In computer networks based on the Internet Protocol Suite, a subnetwork is a portion of the network's computers and network devices that share a common, designated IP address routing prefix.

12. What do you mean by organizational units?

The Organizational Unit is a critical design factor affecting policy, security, efficiency and the cost of administration. Organizational Units are a kind of LDAP (X.500) container. An OU can be thought of as a sub-domain element with properties comparable to those of domains.

13. What do you mean by Active Directory Recycle Bin?

The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database or rebooting a domain controller.

14. Tell me the purpose of replication in AD.

The purpose of replication is to distribute the data stored in the directory throughout the organization for increased availability, performance, and data protection. Systems administrators can tune replication to occur based on their physical network infrastructure and other constraints.

15. Define Mixed Mode.

Mixed mode allows domain controllers running both Windows 2000 and previous versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode, the domain may still have Windows NT 4.0 backup domain controllers present.

16. Explain stale.

Stale refers to references to objects that have been moved, so that the local copy of the remote object's name is out of date.

17. Define SID.

A Security Identifier is a unique, variable-length identifier used to identify a trustee or security principal.
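As an added example (not part of the original notes), the following Python decodes a SID from its string form and from the binary objectSid layout that LDAP returns, splits off the RID that the RID Master question above refers to, and labels the well-known RIDs behind the Enterprise Admin and Domain Admin groups compared earlier. The sample objectSid bytes and the domain SID S-1-5-21-1-2-3 are constructed values; the RID table is the subset of Microsoft's well-known RIDs shown, not a complete list.

```python
import struct

# Well-known RIDs (constructed subset of the values Microsoft documents).
# RIDs below 1000 are reserved for built-in principals; from 1000 upward
# they come from the pools the RID Master hands out to each domain controller.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed objectSid for S-1-5-21-1-2-3-512 (Domain Admins of a fake domain).
SAMPLE_OBJECTSID = bytes([
    1,            # revision
    5,            # number of sub-authorities
    0, 0, 0, 0, 0, 5,   # identifier authority 5 (NT Authority), big-endian 48-bit
    21, 0, 0, 0,  # sub-authorities, each little-endian 32-bit
    1, 0, 0, 0,
    2, 0, 0, 0,
    3, 0, 0, 0,
    0, 2, 0, 0,   # 0x200 == 512
])


def parse_sid_string(sid):
    """Split 'S-1-5-21-...-RID' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("not a SID string: %r" % sid) from None
    return revision, authority, subs


def sid_from_bytes(blob):
    """Decode the binary objectSid layout into the familiar S-1-... string."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_and_rid(sid):
    """Return (domain_sid, rid) for a domain account SID, or (sid, None) for
    SIDs that carry no RID, such as S-1-5-18 (Local System)."""
    revision, authority, subs = parse_sid_string(sid)
    # Domain SIDs look like S-1-5-21-<three domain sub-authorities>-RID.
    if authority == 5 and len(subs) >= 5 and subs[0] == 21:
        domain = "S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs[:4])
        return domain, subs[4]
    return sid, None


def describe_sid(sid):
    """Explain which principal a SID's RID denotes and which domain issued it."""
    domain, rid = split_domain_and_rid(sid)
    if rid is None:
        return "no RID (not a domain account SID)"
    name = WELL_KNOWN_RIDS.get(rid)
    if name:
        return "%s (well-known RID %d) in domain %s" % (name, rid, domain)
    if rid < 1000:
        return "reserved RID %d (not in the table) in domain %s" % (rid, domain)
    return "RID %d allocated from the RID pool in domain %s" % (rid, domain)


if __name__ == "__main__":
    decoded = sid_from_bytes(SAMPLE_OBJECTSID)
    print(decoded, "->", describe_sid(decoded))
    print(describe_sid("S-1-5-21-1-2-3-519"))
    print(describe_sid("S-1-5-18"))
```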

18. Do we use clustering in Active Directory? Why?

No one installs Active Directory in a cluster. There is no need to cluster a domain controller: Active Directory provides full redundancy with two or more servers.

19. What is RID Master?

The RID Master allocates Relative Identifiers (RIDs), which are used to assign unique IDs to the objects created in AD.

20. What is a child DC?

A child DC is a sub-domain controller under the root domain controller that shares its namespace.

21. What is the port number of Kerberos?

The port number is 88.

22. What is the port number of the Global Catalog?

The port number of the global catalog is 3268.

23. Tell me the port number of LDAP.

The port number of LDAP is 389.

24. If I want to look at the schema, how can I do that?

Register schmmgmt.dll using this command:

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc --> add snap-in --> add Active Directory Schema

Save it as schema.msc

Open Administrative Tools --> schema.msc

25. Define Native Mode.

When all domain controllers in a given domain are running Windows 2000 Server, this mode allows organizations to take advantage of new Active Directory features such as universal groups, inter-domain group membership and nested group membership.

DNS & Basics

What is DNS? The Domain Name System (DNS) turns domain names into IP addresses, which allows browsers to reach websites and other internet resources. Every device on the internet has an IP address, which other devices can use to locate it.

DNS stands for Domain Name System. It's a system that translates website domain names (hostnames) into numerical values (IP addresses) so they can be found and loaded into your web browser. 

The Internet's DNS system works much like a phone book by managing the mapping between names and numbers. DNS servers translate requests for names into IP addresses, controlling which server an end user will reach when they type a domain name into their web browser. These requests are called queries.

All computers on the Internet, from your smart phone or laptop to the servers that serve content for massive retail websites, find and communicate with one another by using numbers. These numbers are known as IP addresses. When you open a web browser and go to a website, you don't have to remember and enter a long number. Instead, you can enter a domain name like example.com and still end up in the right place.

A DNS service such as Amazon Route 53 is a globally distributed service that translates human readable names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other.

The DNS operates as a distributed database, where different types of DNS servers are responsible for different parts of the DNS name space. The three DNS server types are the stub resolver, the recursive resolver and the authoritative server.

A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator. A DNS zone is an administrative space which allows for more granular control of DNS components, such as authoritative nameservers. The domain name space is a hierarchical tree, with the DNS root domain at the top.

What are the 4 parts of DNS?

The URL www.codesweetly.com is a fully qualified domain name (FQDN) because it contains all four levels of the DNS hierarchy. In other words, it has a root-level domain, top-level domain, domain name, and subdomain. Each dot mark ( . ) in a URL serves as a separator between each DNS hierarchy level.

Types of DNS Service

Authoritative DNS: An authoritative DNS service provides an update mechanism that developers use to manage their public DNS names. It then answers DNS queries, translating domain names into IP addresses so computers can communicate with each other. Authoritative DNS has the final authority over a domain and is responsible for providing answers to recursive DNS servers with the IP address information. Amazon Route 53 is an authoritative DNS system.

Recursive DNS: Clients typically do not make queries directly to authoritative DNS services. Instead, they generally connect to another type of DNS service known as a resolver, or a recursive DNS service. A recursive DNS service acts like a hotel concierge: while it doesn't own any DNS records, it acts as an intermediary who can get the DNS information on your behalf. If a recursive DNS server has the DNS reference cached, or stored for a period of time, then it answers the DNS query by providing the source or IP information. If not, it passes the query to one or more authoritative DNS servers to find the information.

Domain Name System (DNS) is a distributed database system for managing host names and their associated Internet Protocol (IP) addresses. With DNS, you can use simple names, such as www.jkltoys.com, to locate a host, rather than using the IP addresses, for example, 192.168.12.88 in IPv4, or 2001:D88::1 in IPv6.

A single server might be responsible only for knowing the host names and IP addresses for a small part of a zone, but DNS servers can work together to map all domain names to their IP addresses. DNS servers that work together allow computers to communicate across the Internet.

DNS data is broken up into a hierarchy of domains. Each server is responsible for knowing only a small portion of the data, such as a single subdomain. The portion of a domain for which the server is directly responsible is called a zone. A DNS server that has complete host information and data for a zone is authoritative for the zone. An authoritative server can answer queries about hosts in its zone, using its own resource records. The query process depends on a number of factors. Understanding DNS queries explains the paths that a client can use to resolve a query.

Understanding zones

Domain Name System (DNS) data is divided into manageable sets of data called zones. And each of these sets is a specific zone type.

Understanding Domain Name System queries

Domain Name System (DNS) clients use DNS servers to resolve queries. The queries might come directly from the client or from an application running on the client.

Domain Name System domain setup

Domain Name System (DNS) domain setup requires domain name registration to prevent others from using your domain name.

Dynamic updates

IBM® i Domain Name System (DNS) that is based on BIND 9 supports dynamic updates. Outside sources, such as Dynamic Host Configuration Protocol (DHCP), can send updates to the DNS server. In addition, you can also use DNS client tools, such as Dynamic Update Utility (NSUPDATE), to perform dynamic updates.

BIND 9 features

BIND 9 is similar to BIND 8; however, it provides several features to enhance performance of your Domain Name System (DNS) server, such as views.

Domain Name System resource records

Resource records are used to store data about domain names and IP addresses. You can use the Resource record lookup table to look into the resource records supported for the IBM i operating system.

Mail and Mail Exchanger records

Domain Name System (DNS) supports advanced mail routing through the use of Mail and Mail Exchanger (MX) records.

DNS, or Domain Name System, is a crucial component of the internet that translates human-readable domain names into IP addresses, allowing computers to locate and connect with each other. Here are some key DNS concepts:

Domain Name: A human-readable name (e.g., www.example.com) that is used to identify a specific location on the internet.

IP Address: A numerical label assigned to each device participating in a computer network. It serves two main purposes: host or network interface identification and location addressing.

DNS Server: Computers that store DNS databases and respond to DNS queries. They play a crucial role in translating domain names into IP addresses.

DNS Resolver: A component of the DNS software that runs on a user's device or a local network. It is responsible for sending DNS queries to DNS servers and receiving and caching the responses.

DNS Query: A request made by a DNS resolver to a DNS server, asking for the IP address associated with a particular domain name.

DNS Response: The reply from a DNS server to a DNS query. It contains the requested information, such as the IP address associated with the queried domain name.

Root DNS Server: The top-level DNS server in the hierarchical DNS structure. It stores information about the authoritative DNS servers for top-level domains (TLDs) like .com, .org, .net, etc.

TLD (Top-Level Domain): The highest level in the DNS hierarchy, representing the rightmost part of a domain name. Examples include .com, .org, .net, and country-code TLDs like .uk, .fr, etc.

Authoritative DNS Server: A DNS server that stores the actual DNS records (such as IP addresses) for a domain. It is considered the final authority on DNS information for a specific domain.

DNS Cache: A temporary storage location that stores DNS records for a specific period. Caching helps improve DNS query response times and reduce the load on DNS servers.

DNS Record Types:

  • A Record: Associates a domain with an IPv4 address.
  • AAAA Record: Associates a domain with an IPv6 address.
  • CNAME Record: Alias of one domain to another (canonical name).
  • MX Record: Specifies mail servers responsible for receiving email on behalf of a domain.
  • NS Record: Specifies authoritative DNS servers for the domain.
  • PTR Record: Used for reverse DNS lookups to map an IP address to a domain name.
  • TXT Record: Allows arbitrary text to be associated with a domain. Often used for verification or information purposes.
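The resolver, cache, authoritative-server and record-type concepts above, tied together in an added PowerShell example (not from the original notes): it asks the local recursive resolver for a record, finds the zone's authoritative servers from NS records, queries each of them directly, and reports whether the cached answer still matches. It assumes the built-in DnsClient module (Windows 8 / Server 2012 and later); the queried name is a placeholder.

```powershell
# Added example, not from the original notes. Requires the DnsClient module.
# Compares the recursive resolver's (possibly cached) answer with the answers of
# the zone's authoritative servers; a mismatch suggests a stale cache,
# a split-horizon view, or a zone misconfiguration.

function Get-ZoneNameServers {
    # Walk up the labels of $Name until a domain with NS records in the answer
    # section is found: that domain is the zone and its NS hosts are authoritative.
    param([Parameter(Mandatory)][string]$Name)
    $labels = $Name.TrimEnd('.').Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        $ns = Resolve-DnsName -Name $candidate -Type NS -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'NS' -and $_.Section -eq 'Answer' }
        if ($ns) { return [pscustomobject]@{ Zone = $candidate; NameServers = @($ns.NameHost) } }
    }
}

function Get-RecordValues {
    # Reduce the answer-section records of one type to a sorted, comparable string.
    param($Records, [string]$Type)
    $answers = @($Records | Where-Object { $_.Type -eq $Type -and $_.Section -eq 'Answer' })
    $values = switch ($Type) {
        { $_ -in 'A', 'AAAA' } { $answers.IPAddress }
        'MX'  { $answers | ForEach-Object { "$($_.Preference) $($_.NameExchange)" } }
        'TXT' { $answers | ForEach-Object { $_.Strings -join '' } }
    }
    return (@($values) | Sort-Object) -join ';'
}

function Compare-DnsAnswers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('A', 'AAAA', 'MX', 'TXT')][string]$Type = 'A'
    )
    # 1. Recursive answer; TTL is the time left before the cached copy expires.
    $recursive = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -NoHostsFile -ErrorAction Stop
    $cached    = Get-RecordValues $recursive $Type
    $ttl       = ($recursive | Where-Object Section -eq 'Answer' | Select-Object -First 1).TTL
    # 2. Answer from each authoritative server of the enclosing zone.
    $zone = Get-ZoneNameServers -Name $Name
    if (-not $zone) { throw "No zone with NS records found above $Name" }
    foreach ($server in $zone.NameServers) {
        $auth = Resolve-DnsName -Name $Name -Type $Type -Server $server -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
        $authValues = Get-RecordValues $auth $Type
        [pscustomobject]@{
            Name = $Name; Type = $Type; Zone = $zone.Zone; AuthServer = $server
            Authoritative = $authValues; Recursive = $cached; RecursiveTTL = $ttl
            Match = ($authValues -eq $cached)
        }
    }
}

# Placeholder name; output depends on the resolver configured on this host.
Compare-DnsAnswers -Name 'www.example.com' -Type A | Format-Table -AutoSize
```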

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many implementation details. DHCP allows hosts to obtain required TCP/IP configuration information from a DHCP server.

Windows Server 2016 includes DHCP Server, which is an optional networking server role that you can deploy on your network to lease IP addresses and other information to DHCP clients. All Windows-based client operating systems include the DHCP client as part of TCP/IP, and DHCP client is enabled by default.

Benefits of DHCP

DHCP provides the following benefits.

Reliable IP address configuration. DHCP minimizes configuration errors caused by manual IP address configuration, such as typographical errors, or address conflicts caused by the assignment of an IP address to more than one computer at the same time.

Reduced network administration. DHCP includes the following features to reduce network administration:

Centralized and automated TCP/IP configuration.

The ability to define TCP/IP configurations from a central location.

The ability to assign a full range of additional TCP/IP configuration values by means of DHCP options.

The efficient handling of IP address changes for clients that must be updated frequently, such as those for portable devices that move to different locations on a wireless network.

The forwarding of initial DHCP messages by using a DHCP relay agent, which eliminates the need for a DHCP server on every subnet.

What is virtualization?

Virtualization creates a simulated, or virtual, computing environment as opposed to a physical environment. Virtualization often includes computer-generated versions of hardware, operating systems, storage devices, and more. This allows organizations to partition a single physical computer or server into several virtual machines. Each virtual machine can then interact independently and run different operating systems or applications while sharing the resources of a single host machine.

By creating multiple resources from a single computer or server, virtualization improves scalability and workloads while resulting in the use of fewer overall servers, less energy consumption, and less infrastructure costs and maintenance. There are four main categories virtualization falls into. The first is desktop virtualization, which allows one centralized server to deliver and manage individualized desktops. The second is network virtualization, designed to split network bandwidth into independent channels to then be assigned to specific servers or devices. The third category is software virtualization, which separates applications from the hardware and operating system. And the fourth is storage virtualization, which combines multiple network storage resources into a single storage device where multiple users may access it.

Hyper V - Hyper-V is Microsoft's hardware virtualization product. It lets you create and run a software version of a computer, called a virtual machine. Each virtual machine acts like a complete computer, running an operating system and programs. When you need computing resources, virtual machines give you more flexibility, help save time and money, and are a more efficient way to use hardware than just running one operating system on physical hardware.

The Hyper-V role in Windows Server lets you create a virtualized computing environment where you can create and manage virtual machines. You can run multiple operating systems on one physical computer and isolate the operating systems from each other. With this technology, you can improve the efficiency of your computing resources and free up your hardware resources.

Active Directory Domain Services & Active Directory Sites and Services:

Active Directory Domain Services (AD DS) are the core functions in Active Directory that manage users and computers and allow sysadmins to organize the data into logical hierarchies. AD DS provides for security certificates, Single Sign-On (SSO), LDAP, and rights management.

Active Directory Domain Services Terms

  • Schema: The set of user-configured rules that govern objects and attributes in AD DS.
  • Global Catalog: The container of all objects in AD DS. If you need to find the name of a user, that name is stored in the Global Catalog.
  • Query and Index Mechanism: This system allows users to find each other in AD. A good example would be when you start typing a name in your mail client, and the mail client shows you possible matches.
  • Replication Service: The replication service makes sure that every DC on the network has the same Global Catalog and Schema.
  • Sites: Sites are representations of the network topology, so AD DS knows what objects go together to optimize replication and indexing.
  • Lightweight Directory Access Protocol (LDAP): LDAP is a protocol that allows AD to communicate with other LDAP-enabled directory services across platforms.

What Services are Provided in Active Directory Domain Services?

Here are the services that AD DS provides as the core functionality required by a centralized user management system.

  • Domain Services: Stores data and manages communications between the users and the DC. This is the primary functionality of AD DS.
  • Certificate Services: Allows your DC to serve digital certificates, signatures, and public key cryptography.
  • Lightweight Directory Services: Supports LDAP for cross-platform domain services, such as any Linux computers in your network.
  • Directory Federation Services: Provides SSO authentication for multiple applications in the same session, so users don’t have to keep providing the same credentials.
  • Rights Management: Controls information rights and data access policies. For example, Rights Management determines if you can access a folder or send an email.

Role of Domain Controllers with Active Directory Domain Services

Domain Controllers (DC) are the servers in your network that host AD DS. DCs respond to authentication requests and store AD DS data. DCs host other services that are complementary to AD DS as well. Those are:

  • Kerberos Key Distribution Center (KDC): The KDC verifies and encrypts the Kerberos tickets that AD DS uses for authentication.
  • NetLogon: Netlogon is the authentication communication service.
  • Windows Time (W32time): Kerberos requires all computer times to be in sync.
  • Intersite Messaging (IsmServ): Intersite messaging allows DCs to communicate with each other for replication and site-routing.

Active Directory Sites and Services console is used to create and manage sites, and control how the directory is replicated within a site and between sites. Using this tool, you can specify connections between sites, and how they are to be used for replication.

The following is a partial list of tasks that can be managed using Active Directory Sites and Services:

  • Creating sites
  • Creating subnets and associating subnets with sites
  • Creating site links
  • Configuring site properties
  • Moving servers between sites
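The task list above carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original notes: create a site, a subnet bound to it, a site link to the default site, set a property on the link, move a DC into the site, then verify. The site name, subnet range and DC name are constructed placeholders; the existence checks use -Filter so re-running the script does not error on objects that already exist.

```powershell
# Added example, not from the original notes. Requires the ActiveDirectory RSAT
# module and an account with rights on the Configuration partition.
Import-Module ActiveDirectory

$siteName = 'Branch'                          # placeholder site name
$subnet   = '10.20.0.0/16'                    # placeholder range for the branch office
$linkName = 'Default-First-Site-Name-Branch'  # placeholder site link name
$dcToMove = 'DC02'                            # placeholder DC that physically sits at the branch

# 1. Create the site (-Filter returns nothing, rather than an error, when it is absent).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description 'Branch office'
}

# 2. Create the subnet and associate it with the site, so clients in that range
#    locate a DC in their own site instead of crossing the WAN.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $siteName -Location 'Branch office'
}

# 3. Create a site link between the default site and the new site. Cost decides
#    which path the KCC prefers; the interval decides how often inter-site
#    replication runs over that link.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded 'Default-First-Site-Name', $siteName `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 4. Configure site (link) properties: here just a description for the next admin.
Set-ADReplicationSiteLink -Identity $linkName -Description 'HQ <-> Branch, 15 min interval'

# 5. Move the branch DC into the new site.
Move-ADDirectoryServer -Identity $dcToMove -Site $siteName

# Verify: which DCs and which subnets now belong to the site.
Get-ADDomainController -Filter "Site -eq '$siteName'" | Select-Object Name, Site, IPv4Address
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$siteName,*" } |
    Select-Object Name, Site
```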

ADFS: Active Directory Federation Service (AD FS) enables Federated Identity and Access Management by securely sharing digital identity and entitlements rights across security and enterprise boundaries. AD FS extends the ability to use single sign-on functionality that is available within a single security or enterprise boundary to Internet-facing applications to enable customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.

Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. As a component of Windows Server operating systems, it provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication (IWA) through Active Directory (AD).

Active Directory FSMO roles in Windows

Flexible single-master operator (FSMO) roles are special roles assigned to Active Directory domain controllers (DCs). Each FSMO role can be assigned to only one DC at a time, and that DC is the only one permitted to process a particular type of critical change to Active Directory.

What are the 5 FSMO roles? There are five Active Directory FSMO roles:

Schema Master
Domain Naming Master
Relative ID (RID) Master
Primary Domain Controller (PDC) Emulator
Infrastructure Master (domain level)

The same DC can be assigned multiple FSMO roles, or even all five of them. The DC that is assigned a particular FSMO role is called the role owner.
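An added PowerShell example (not from the original notes) that lists the owner of each of the five roles, marks which two are forest-wide and which three are domain-wide, checks that each owner is reachable, and shows how many roles each DC holds. It assumes the ActiveDirectory RSAT module in a domain-joined session.

```powershell
# Added example, not from the original notes. Requires the ActiveDirectory module.
function Get-FsmoRoleStatus {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # default: the current domain

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Schema Master and Domain Naming Master exist once per forest;
    # RID Master, PDC Emulator and Infrastructure Master once per domain.
    $roles = [ordered]@{
        'Schema Master'         = @{ Scope = 'Forest'; Owner = $forest.SchemaMaster }
        'Domain Naming Master'  = @{ Scope = 'Forest'; Owner = $forest.DomainNamingMaster }
        'RID Master'            = @{ Scope = 'Domain'; Owner = $dom.RIDMaster }
        'PDC Emulator'          = @{ Scope = 'Domain'; Owner = $dom.PDCEmulator }
        'Infrastructure Master' = @{ Scope = 'Domain'; Owner = $dom.InfrastructureMaster }
    }
    foreach ($entry in $roles.GetEnumerator()) {
        $owner = $entry.Value.Owner
        $dc    = Get-ADDomainController -Identity $owner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role      = $entry.Key
            Scope     = $entry.Value.Scope
            Owner     = $owner
            Site      = $dc.Site
            Reachable = [bool](Test-Connection -ComputerName $owner -Count 1 -Quiet -ErrorAction SilentlyContinue)
        }
    }
}

$status = Get-FsmoRoleStatus
$status | Format-Table -AutoSize

# One DC may legitimately own all five roles, but it is then the single point of
# failure for every change those roles gate, so show the distribution.
$status | Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize

# An unreachable owner blocks the operations its role controls (schema changes,
# new domains, RID pool allocation, and so on) until the role is moved or seized.
$status | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "$($_.Role) owner $($_.Owner) is unreachable" }
```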

Windows Authentication Concepts

Authentication is a process for verifying the identity of an object or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that the person is not an imposter.

In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses either a key only the user knows (as with public key cryptography) or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt.

Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. Active Directory is the recommended and default technology for storing identity information, which includes the cryptographic keys that are the user's credentials. Active Directory is required for default NTLM and Kerberos implementations.

Authentication techniques range from a simple logon to an operating system or a sign-in to a service or application, which identifies users based on something that only the user knows, such as a password, to more powerful security mechanisms that use something that the user has, such as tokens, public key certificates, pictures, or biological attributes. In a business environment, users might access multiple applications on many types of servers within a single location or across multiple locations. For these reasons, authentication must support environments for other platforms and for other Windows operating systems.

Authentication

Authentication is the process of proving that you're who you say you are. This is achieved by verification of the identity of a person or device. It's sometimes shortened to AuthN. The Microsoft identity platform uses the OpenID Connect protocol for handling authentication.

Authorization

Authorization is the act of granting an authenticated party permission to do something. It specifies what data you're allowed to access and what you can do with that data. Authorization is sometimes shortened to AuthZ. The Microsoft identity platform uses the OAuth 2.0 protocol for handling authorization.

Multifactor authentication

Multifactor authentication is the act of providing another factor of authentication to an account. This is often used to protect against brute force attacks. It's sometimes shortened to MFA or 2FA. The Microsoft Authenticator can be used as an app for handling two-factor authentication. For more information, see multifactor authentication.

Authentication and authorization using the Microsoft identity platform

Creating apps that each maintain their own username and password information incurs a high administrative burden when adding or removing users across multiple apps. Instead, your apps can delegate that responsibility to a centralized identity provider.

Microsoft Entra ID is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as:

Conditional Access policies that require a user to be in a specific location.

Multi-Factor Authentication which requires a user to have a specific device.

Enabling a user to sign in once and then be automatically signed in to all of the web apps that share the same centralized directory. This capability is called single sign-on (SSO).

The Microsoft identity platform simplifies authorization and authentication for application developers by providing identity as a service. It supports industry-standard protocols and open-source libraries for different platforms to help you start coding quickly. It allows developers to build applications that sign in all Microsoft identities, get tokens to call Microsoft Graph, access Microsoft APIs, or access other APIs that developers have built.

Trusted Domain

A trusted domain is a domain that the local system trusts to authenticate users. In other words, if a user or application is authenticated by a trusted domain, this authentication is accepted by all domains that trust the authenticating domain.

Site Links for Other References

https://www.indeed.com/hire/interview-questions/active-directory

https://www.javatpoint.com/active-directory-interview-questions

https://www.windowstricks.in/active-directory-real-time-interview-questions-and-answers

https://www.mygreatlearning.com/blog/system-administration-interview-questions

https://www.interviewbit.com/azure-interview-questions

https://www.edureka.co/blog/interview-questions/azure-interview-questions

https://www.windows-active-directory.com/active-directory-sites.html
