294 notes part 3

Psoasman Member Posts: 2,687
Chapter 9:

1. Two ways to locate AD objects: (1) the Find option and (2) the Dsquery command.
2. The Find option enables you to search for users, contacts, groups, computers, printers, shared folders, OUs, remote installation servers, and clients.
3. The Dsquery command enables you to find computers, contacts, subnets, groups, OUs, sites, services, and users.
4. The Saved Queries feature enables admins to create, edit, save, organize, and email saved queries in order to monitor or perform a specific task on directory objects. Saved queries are stored in the Saved Queries folder.
5. To control access to AD objects, you grant or deny permissions to security principals. You set permissions to either Deny or Allow. Deny takes precedence.
6. When an object is created, the user creating it automatically becomes its owner, controlling how permissions are set on the object and to whom permissions are granted.
7. You can set selective authentication differently for outgoing and incoming external and forest trusts. These selective trusts allow you to make flexible access control decisions between external domains and forest-wide.
8. When you assign a permission to a security principal for access to an object, and that security principal is a member of a group to which you assigned a different permission, the security principal's permissions are the combination of the assigned security principal and group permissions.
9. Permissions assigned through inheritance are propagated to a child object from a parent object.
10. You delegate administrative control of domains and containers in order to provide other administrators, groups, or users with the ability to manage functions according to their needs.
11. The Delegation of Control Wizard is provided to automate and simplify the process of setting administrative permissions for a domain, OU, or container.


Chapter 10:

1. Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs.
2. Applied from local computer > site > domain > OU.
3. The default order for application of GP settings is subject to the following exceptions: No Override, Block Policy Inheritance, the loopback setting, or the computer is a member of a workgroup.
4. There are 3 parts to planning GP: (1) plan the settings, (2) plan the GPOs, (3) plan administrative control of the GPOs.
5. Design can be centralized, which uses a single GPO containing all policy settings for the associated site, domain, or OU. Decentralized uses a base GPO applied to the domain, which contains policy settings for as many users and computers as possible.
6. Centralized admin control can be delegated only to top-level OU admins; decentralized to top- and mid-level admins, or task-based.
7. Create an MMC for the GPO; this makes it easier to open.
8. Disable unused settings to avoid processing those settings; this speeds up logons.
9. For a GPO to apply to a group, that group must have the Read and Apply Group Policy permissions.
10. Deleting the GPO removes it from the AD domain.


Chapter 11:

1. RSoP is the sum of the policies applied to the user or computer, including the application of filters (security groups, WMI filters) and exceptions (No Override, Block Policy Inheritance).
2. 2k3 provides 3 tools for generating RSoP queries: the RSoP Wizard, the Gpresult command-line tool, and the Advanced System Information - Policy tool.
3. The RSoP Wizard uses existing GPO settings to report the effects of GPOs on users and computers and can simulate the effects of planned GPOs. The logging mode reports the existing GPO settings for a user/PC.
4. Gpresult enables you to create and display queries on the command line.
5. The Advanced System Information - Policy tool enables you to create an RSoP query and view the results in an HTML report that appears in the Help and Support window.
6. The Folder Redirection node, located under User Configuration\Windows Settings in the Group Policy Object Editor console, allows you to redirect certain special folders to network locations: My Documents, My Pictures, Application Data, Desktop, Start Menu.
7. In 2k3, a new feature allows you to redirect My Documents to a user's home folder; this is intended for organizations that already have this set up. Requires an XP client.
8. Two ways to set up folder redirection: (1) redirect special folders to one location for everyone in the site, domain, or OU; (2) redirect special folders to a location according to security group membership.
9. The Offline Files feature provides users with access to redirected folders even when they aren't connected to the network. If you use redirected folders of any type, it is recommended that you enable offline files and folders.
10. Tasks for setting up offline folders are to configure SharePoint, configure computers to use offline files, and set up synchronization of offline files and folders.


Chapter 12:

1. The Software Installation extension in the GPOE console enables admins to centrally manage the installation of software on a client computer by assigning applications to users or computers or by publishing apps to users.
2. When you assign an app to a user, the app is advertised to the user on the Start menu the next time they log on. The registry and file names are updated.
3. When you publish to a user, the app doesn't appear on the Start menu and no registry settings are made. It is installed from Add/Remove Programs in Control Panel.
4. A Windows Installer package is a file that contains explicit instructions on the installation and removal of specific apps. You can deploy software using the Software Installation extension by using a Windows Installer package (.msi).
5. Modifications enable you to customize Windows Installer packages. Mods can be transforms (.mst) or patches (.msp). You can't deploy these alone; use them to modify an existing installer package.
6. The tasks for deploying software with GP are the following: plan and prepare the software deployment, set up the SDP, create a GPO and GPO console for software deployment, specify the software deployment properties for the GPO, add installer packages to the GPO, and select package deployment.
7. For a software deployment with GP, you can set up DFS to automatically direct users to the SDP.
8. You can define software deployment properties that affect all Windows Installer packages in the GPO.
9. You can define software deployment properties that affect individual packages in the GPO.
10. To maintain a software deployment, it might be necessary to redeploy, upgrade, or remove an app at some point in the software life cycle.
11. You can redeploy an app previously deployed with GP if there are small changes that need to be made to the original software deployment configuration.
12. To upgrade software deployed with GP, you must create a Windows Installer package that contains the upgrade and then configure the upgrade in the Upgrades tab in the Properties box for that package.
13. To remove software deployed with GP, you must choose whether to uninstall the software from all users and computers or to merely prevent new installations of the software by using the Software Installation extension.


Chapter 13:

1. Security settings define the security behavior of the system. Through the use of GPOs in AD, admins can apply security profiles to sites, domains, and OUs.
2. The policies in Account Policies can be applied only to the root domain of the domain tree and cannot be applied to sites or OUs.
3. You set autoenrollment of computer and user certs in the Autoenrollment Settings box in Computer/User Configuration for a site, domain, or OU.
4. Software restriction policies address the problem of regulating unknown or untrusted code. These policies are security settings in a GPO provided to identify software and control its ability to run on a local PC, domain, site, or OU.
5. Two default security settings: (1) Disallowed, which doesn't allow the software to run, and (2) Unrestricted, which allows the software to run with the rights of the user.
6. Auditing is a tool for maintaining network security, allowing you to track user activities and system-wide events.
7. The security log is turned off by default; its size is 512 KB.
8. A security template is a physical representation of a security configuration: a single file where a group of settings is applied. Used to define account policies, local policies, registry, file system, and event log settings.
9. The SCA tool is used to analyze the current security configuration and/or apply a template.

Chapter 14:
1. Once AD is installed, the Directory Service and File Replication Service logs are enabled in the Event Viewer console. The Directory Service log contains errors, warnings, and info generated by AD.
2. System Monitor is a tool that supports detailed monitoring of OS resources. It can collect and view real-time data on a PC.
3. A performance object is a logical collection of performance counters associated with a service to be monitored.
4. To monitor AD, you monitor the NTDS object (120 counters).
5. The PLA snap-in provides you with the ability to create counter logs, trace logs, and system alerts from local or remote computers.


General Notes for the 294

Global catalog servers are AD DCs that have been given the added functionality of holding a copy of the global catalog database. The first DC installed in the domain is always given this role. If you have a small branch office that contains a DC for a small domain, and it's connected to the rest of the corporate network by a WAN link with little bandwidth, use UGM caching to save bandwidth.
Except in a single domain, the infrastructure master should not be installed on a DC that also acts as a GC server.
Place FSMO roles in a location central to the users and servers on the network.
Place the domain naming master role on a server in the site where the majority of new DCs are installed.
Place the PDC, RID, and infrastructure masters in the location where the majority of administration for the respective domains takes place.
Place the infrastructure master so that it is able to contact the GC server. The IM compares its own info with the GC server to see whether its own data is up to date.
The structure of the AD forest is incorporated into the trust relationships between domains both internal and external to the forest. Multiple forests enable you to have different schemas. These groups have forest-wide control: Domain Admins of the FOREST ROOT DOMAIN, Schema Admins, Enterprise Admins.
Sites and the links between them are the means by which you can configure how replication traffic will take place across networks. Replication frequency determines how often the replication occurs. Site link availability prevails over replication frequency. You can set the site link availability however you need to.
Site links only apply to IP. The KCC assigns a DC to be the bridgehead server. Computers are assigned to sites based on their IP addresses and IP subnets. You create the site topology by assigning an IP subnet from one site to another.
The 1st replication process affects AD data, including:
a. Domain info
b. Schema partition, replicated to all DCs within the same forest
c. Configuration partition, replicated to all DCs within the same forest
d. GC, replicated to all other GC servers
e. ADP, replicated only to specific replicas
The 2nd replication process is that of the FRS, intended for replication of files between DCs, in SYSVOL.
Primary restore is used for a stand-alone DC; it is also used on the 1st DC created when you must restore the forest.
Nonauthoritative restore, aka normal restore, is used when you have more than 1 DC and you don't need to roll back changes made to AD. The restored DC receives info from the other DCs.
Authoritative restore is when you make changes to AD and you need the other DCs to revert.
Perform nonauthoritative restores locally; you can't restore system state remotely.
Ntdsutil requires the DC to be offline.
Create universal groups for groups that contain members from multiple domains in more than 1 forest. Make global groups members of universal groups. Use universal groups when providing access to resources across multiple domains.
Create global groups for groups that contain members from a single domain but will be granted access to resources within other domains. Make universal groups members of DL groups, as applicable. Make users members of DLGs.
Create DL groups for groups that contain members from a single domain, whether or not they will be granted access to resources within other domains. Make global groups members of the appropriate DL groups. Grant domain-wide rights to the DLGs.
Create local groups on member servers and computers. Make DL groups members of local groups. Grant local rights to local groups.
Members of the Domain Admins and Enterprise Admins groups can create OUs, but other users will need to have this right delegated to them.
IntelliMirror uses a subset of GP capabilities to provide a fully managed user environment, enabling users who roam to have the same environment regardless of the computer they use.
GP software installation uses .msi installer packages. It also supports .zap files, which are non-MS; a .zap is a text file that uses the native installation method. To deploy updates to the software, you deploy a new package after making updates to the files in the installation share.
GPOTool is used to find GP replication issues.
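The permission rules in Chapter 9, items 5 and 8 above (Deny takes precedence; a principal's rights are the combination of its own and its groups' permissions), worked through as an added Python example. This is not code from the original post or from Microsoft; the SIDs, the three rights and the ACLs are constructed sample data. It models the Windows access check over a DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which is also why an Allow set directly on an object is reached before a Deny inherited from its parent.

```python
"""Model of the Windows DACL access check, added to illustrate the
'deny takes precedence' and 'user + group permissions combine' notes.
Not Microsoft code; SIDs, rights and ACLs below are constructed."""

from dataclasses import dataclass

# A small subset of access rights, as bit flags (real AD rights are richer)
READ = 0x1
WRITE = 0x2
DELETE = 0x4
RIGHT_NAMES = {READ: "read", WRITE: "write", DELETE: "delete"}


@dataclass(frozen=True)
class Ace:
    trustee: str             # SID of the security principal the ACE names
    allow: bool              # True for an Allow ACE, False for a Deny ACE
    mask: int                # rights covered by this ACE
    inherited: bool = False  # True if propagated from the parent container


def canonical_order(dacl):
    """Windows keeps a DACL in canonical order and the access check walks
    it in that order: explicit Deny, explicit Allow, inherited Deny,
    inherited Allow. sorted() is stable, so ties keep their list order."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, principal_sids, requested):
    """Return True if every bit in `requested` is granted.

    principal_sids holds the user's own SID plus every group SID in its
    token, so ACEs for the user and for its groups are combined. A Deny
    ACE that covers a still-needed right stops the walk at once; an Allow
    ACE removes its rights from the outstanding set. A DACL of None means
    'no DACL', which in Windows grants everyone full access, while an
    empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in principal_sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif remaining & ace.mask:
            return False
    return remaining == 0


def effective_rights(dacl, principal_sids):
    """Per-right view like the Effective Permissions tab: each right alone."""
    return {name for right, name in RIGHT_NAMES.items()
            if access_check(dacl, principal_sids, right)}


# --- constructed sample data -------------------------------------------
# alice is a member of HelpDesk and Domain Users; the SIDs are made up.
ALICE = frozenset({"S-alice", "S-HelpDesk", "S-DomainUsers"})

# ACL on an OU: two group Allows plus an explicit Deny on the user herself.
OU_DACL = [
    Ace("S-DomainUsers", allow=True, mask=READ),
    Ace("S-HelpDesk", allow=True, mask=WRITE),
    Ace("S-alice", allow=False, mask=DELETE),
]

# Explicit Allow for the user against an inherited Deny for her group.
# Canonical order puts the explicit Allow first, so the write is granted.
CHILD_DACL = [
    Ace("S-HelpDesk", allow=False, mask=WRITE, inherited=True),
    Ace("S-alice", allow=True, mask=WRITE),
]

# Same two principals, but both ACEs explicit: the Deny now wins.
SIBLING_DACL = [
    Ace("S-alice", allow=True, mask=WRITE),
    Ace("S-HelpDesk", allow=False, mask=WRITE),
]

if __name__ == "__main__":
    print("OU effective rights:", sorted(effective_rights(OU_DACL, ALICE)))
    print("read+write on OU:", access_check(OU_DACL, ALICE, READ | WRITE))
    print("write on child (inherited deny):", access_check(CHILD_DACL, ALICE, WRITE))
    print("write on sibling (explicit deny):", access_check(SIBLING_DACL, ALICE, WRITE))
```

The point worth checking in a real directory is the CHILD_DACL case: a Deny placed on a parent OU does not stop an administrator who has been granted an explicit Allow lower down, so auditing effective permissions on the object itself, not just on the container, is what tells you who can actually write.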
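The Chapter 10 and 11 processing rules above (local computer > site > domain > OU, No Override, Block Policy Inheritance, and the Read + Apply Group Policy filter), modelled as an added Python example that is not part of the original post and not a Microsoft tool. GPO names, settings, SIDs and containers are constructed; settings are plain dictionary keys standing in for real policy settings. The model goes slightly beyond the notes in one respect: when two No Override links conflict, the one linked higher in the hierarchy wins, so enforced links are applied outermost-last.

```python
"""Model of Group Policy processing order (LSDOU), Block Policy Inheritance,
No Override / Enforced links and security filtering, added to illustrate the
notes above. Not Microsoft code; every GPO, setting, SID and container here
is constructed sample data."""

from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict        # configured settings; "not configured" ones are absent
    apply_to: frozenset   # SIDs holding Read + Apply Group Policy on the GPO


@dataclass
class Link:
    gpo: Gpo
    order: int            # link order within the container; 1 = highest precedence
    enforced: bool = False  # "No Override" in the Windows 2000 console


@dataclass
class Container:
    name: str             # site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def rsop(chain, principal_sids, local_policy=None):
    """Compute the resultant settings for a principal.

    chain lists the containers from the outside in (site, domain, OU,
    child OU ...). GPOs are applied in that order, so a later GPO overwrites
    a conflicting setting from an earlier one; local policy is applied
    first and loses to everything. Within one container, link order 1 is
    applied last. Block Policy Inheritance on a container drops the
    non-enforced GPOs inherited from above it. Enforced links are applied
    after all normal links and cannot be blocked; between conflicting
    enforced links the higher container wins, so they go outermost-last.
    A GPO whose security filtering does not match the token is skipped.

    Returns (settings, names of GPOs in the order they were applied)."""
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            normal = []
        # Highest link-order number first, so link order 1 lands last.
        for ln in sorted(container.links, key=lambda ln: ln.order, reverse=True):
            if ln.enforced:
                enforced.append((depth, ln.gpo))
            else:
                normal.append(ln.gpo)
    enforced_gpos = [g for _, g in sorted(enforced, key=lambda e: e[0], reverse=True)]

    settings = dict(local_policy or {})
    applied = []
    for gpo in normal + enforced_gpos:
        if not gpo.apply_to & principal_sids:
            continue  # filtered out: no Read + Apply Group Policy for this token
        settings.update(gpo.settings)
        applied.append(gpo.name)
    return settings, applied


# --- constructed sample data ----------------------------------------------
AUTH = frozenset({"S-AuthenticatedUsers"})
WORKSTATION = frozenset({"S-AuthenticatedUsers", "S-DomainComputers"})
KIOSK = WORKSTATION | {"S-Kiosks"}

SITE_PROXY = Gpo("Site-Proxy", {"proxy": "hq-proxy:8080"}, AUTH)
DOMAIN_SECURITY = Gpo("Domain-Security",
                      {"audit_logon": "success,failure", "screensaver_timeout": 900}, AUTH)
DOMAIN_DEFAULT = Gpo("Domain-Default",
                     {"wallpaper": "corp.bmp", "screensaver_timeout": 600}, AUTH)
WS_BASELINE = Gpo("WS-Baseline",
                  {"wallpaper": "ws.bmp", "screensaver_timeout": 300},
                  frozenset({"S-DomainComputers"}))
KIOSK_LOCKDOWN = Gpo("Kiosk-Lockdown",
                     {"wallpaper": "kiosk.bmp", "screensaver_timeout": 60},
                     frozenset({"S-Kiosks"}))

SITE = Container("HQ site", [Link(SITE_PROXY, 1)])
DOMAIN = Container("corp.example", [Link(DOMAIN_SECURITY, 1, enforced=True),
                                    Link(DOMAIN_DEFAULT, 2)])
WORKSTATIONS = Container("OU=Workstations", [Link(WS_BASELINE, 1)], block_inheritance=True)
KIOSKS = Container("OU=Kiosks", [Link(KIOSK_LOCKDOWN, 1)])
SERVERS = Container("OU=Servers")

LOCAL = {"screensaver_timeout": 0, "local_only": True}

if __name__ == "__main__":
    for label, chain, sids in [
        ("kiosk", [SITE, DOMAIN, WORKSTATIONS, KIOSKS], KIOSK),
        ("workstation", [SITE, DOMAIN, WORKSTATIONS, KIOSKS], WORKSTATION),
        ("server", [SITE, DOMAIN, SERVERS], WORKSTATION),
    ]:
        settings, applied = rsop(chain, sids, LOCAL)
        print(f"{label}: applied {applied}")
        print(f"    {settings}")
```

Run it and compare with what gpresult reports for a real machine in a blocked OU: the security GPO linked at the domain only survives Block Policy Inheritance because it is set to No Override, and a lockdown GPO filtered to a group that the computer is not in is listed as filtered out rather than applied.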

Comments

  • Mishko Member Posts: 8
    Psoasman wrote: » [quotes the notes above in full]

    Wow
  • novovictus Member Posts: 192
    I am working on this exam also, i love when people compile 'cliff notes' for me :)

    THANX!
    Working on: Doctor of Information Technology Information Assurance and Security @ Capella
  • mikesz Member Posts: 115
    Thanks very much for all the hard work.

    Mikesz
    Long term plan:
    2011: CCNA (70%), CCNA: Security, MCITP:Messaging
    2012: VCP, CEH, Linux+, start RHCA/E
    2013: finish RHCA/E, CCNP