- \n
- Active Directory Basics Terms<\/a> – Start Here<\/li>\n\n\n\n
- Active Directory Services<\/a><\/li>\n\n\n\n
- Active Directory DNS<\/a><\/li>\n\n\n\n
- Active Directory Replication <\/a><\/li>\n\n\n\n
- Active Directory Security (Authentication, Security Protocols, Permissions) <\/a><\/li>\n\n\n\n
- Active Directory Management Consoles<\/a><\/li>\n\n\n\n
- DHCP<\/a><\/li>\n\n\n\n
- Group Policy<\/a><\/li>\n<\/ul>\n\n\n\n
Active Directory Basics Terms<\/h2>\n\n\n\n
These are basic terms you should be familiar with when dealing with Active Directory. <\/p>\n\n\n\n
Active Directory <\/h3>\n\n\n\n
Active Directory is a directory service that centralizes the management of users, computers, and other objects within a network. Its primary function is to authenticate and authorize users and computers in a windows domain. For example, when a user signs into a computer on the domain it checks the username and password that was submitted to verify the account. If it is a valid username and password the user is authenticated and logged into the computer. <\/p>\n\n\n\n
Don’t get confused with the following three terms they all refer to Active Directory. <\/p>\n\n\n\n
- \n
- AD<\/strong> – This is just an abbreviation for Active Directory<\/li>\n\n\n\n
- AD DS<\/strong> – This is a server that is running the Active Directory Domain Services Role<\/li>\n\n\n\n
- Domain Controller<\/strong> – This is also a server running the Active Directory Domain Service Role. It is recommended to have multiple domain controllers for failover reasons. <\/li>\n<\/ul>\n\n\n\n
Active Directory Web Servers (ADWS)<\/h3>\n\n\n\n
This service was introduced in Windows Server 2008 R2. It is automatically installed with ADDS or ADLDS role and is configured to run automatically. This service provides remote management of any local directory services.<\/p>\n\n\n\n
Domain<\/h3>\n\n\n\n
The domain is a logical structure of containers and objects within Active Directory. A domain contains the following components: <\/p>\n\n\n\n
- \n
- A hierarchical structure for users, groups, computers and other objects<\/li>\n\n\n\n
- Security services that provide authentication and authorization to resources in the domain and other domains<\/li>\n\n\n\n
- Policies that are applied to users and computers<\/li>\n\n\n\n
- A DNS name to identify the domain. When you log into a computer that is part of a domain you are logging into the DNS domain name. My DNS domain is ad.activedirectorypro.com, this is how my domain is identified. <\/li>\n<\/ul>\n\n\n\n
Domain Tree<\/h3>\n\n\n\n
When you add a child domain to a parent domain you create what is called a domain tree. A domain tree is just a series of domains connected together in a hierarchical fashion all using the same DNS namespace. If activedirectorypro.com was to add a domain called training, or videos it would be named training.activedirectorypro.com and videos.activedirectorypro.com. These domains are part of the same domain tree and a trust is automatically created between the parent and child domains. <\/p>\n\n\n\n
Functional Levels<\/h3>\n\n\n\n
Functional levels determine what capabilities are available in the domain. Higher functional levels allow you to use the latest and greatest technologies in your Active Directory domain. When possible use the highest functional levels for your domain controllers.<\/p>\n\n\n\n
Forest<\/h3>\n\n\n\n
A forest is a collection of domain trees. The domain tree shares a common schema and configuration container. The domain tree is connected together through a transitive trust. When you first install Active Directory and create a domain you are also creating a forest.<\/p>\n\n\n\n
FQDN – Fully Qualified Domain Name<\/h3>\n\n\n\n
A fully Qualified Domain name is the hostname + the domain, for example, my domain is ad.activedirectorypro.com, a computer in the domain with hostname PC1 so the FQDN would be pc1.ad.activedirectorypro.com.<\/p>\n\n\n\n
FSMO<\/h3>\n\n\n\n
A domain controller has multiple functions that are referred to as the FSMO roles. These roles are all installed on the first domain controller in a new forest, you can move roles across multiple DCs to help with performance and failover.<\/p>\n\n\n\n
- \n
- Schema Master<\/strong> – The schema master is a forest wide role that handles all the changes to the Active Directory schema. <\/li>\n\n\n\n
- Domain Naming Master<\/strong> – This is a forest wide role that is the master of domain names. It handles the namespace and adding removing domain names. <\/li>\n\n\n\n
- PDC Emulator<\/strong> – This role handles password changes, user lockouts, group policy and is the time server for the clients. <\/li>\n\n\n\n
- RID Master<\/strong> – This role is responsible for processing RID pool requests from all DCs within the domain. When objects such as users and computers are created they get assigned a unique SID and a relative ID (RID). The RID master role ensures objects do not get assigned the same SID and RIDs. <\/li>\n\n\n\n
- Infrastructure master<\/strong> – This is a domain wide role used to reference objects in other domains. If users from Domain A are members of a security group in Domain B, the infrastructure master role is used to reference the accounts in the correct domain. <\/li>\n<\/ul>\n\n\n\n
Objects<\/h3>\n\n\n\n
When working with Active Directory you will primarily be working with objects. Objects are defined as a group of attributes that represent a resource in the domain. These objects are assigned a unique security identifier (SID) that is used to grant or deny the object access to resources in the domain. The default object types created in a new domain in Active Directory are:<\/p>\n\n\n\n
- \n
- Organizational Unit (OU)<\/strong> – An OU is a container object that can contain different objects from the same domain. You will use OUs to store and organize, user accounts, contacts, computers, and groups. You will also link group policy objects to an OU. <\/li>\n\n\n\n
- Users<\/strong> – User accounts are assigned to primarily assigned to users to gain access to domain resources. They can also be used to run programs or system services. <\/li>\n\n\n\n
- Computer<\/strong> – This simply is a computer that is joined to the domain.<\/li>\n\n\n\n
- Groups <\/strong>– There are two types of objects, a Security group, and a distribution group. A security group is a grouping of users accounts that can be used to provide access to resources. Distribution groups are used for email distribution lists. <\/li>\n\n\n\n
- Contacts <\/strong>– A contact is used for email purposes. You cannot log on to the domain as a contact and it cannot be used to secure permissions. <\/li>\n\n\n\n
- Shared Folder <\/strong>– When you publish a shared folder in Active Directory it creates an object. Publishing shared folders to AD makes it easier for users to find shared files and folders within the domain. <\/li>\n\n\n\n
- Share Printer <\/strong>– Just like shared folders you can publish printers to Active Directory. This also makes it easier for users to find and use printers on the domain. <\/li>\n<\/ul>\n\n\n\n
LDAP (Lightweight Directory Access Protocol)<\/h3>\n\n\n\n
LDAP is an open platform protocol used for accessing directory services. LDAP provides the communication mechanism for applications and other systems to use interact with directory servers. In simple terms, LDAP is a way of connecting and communicating with Active Directory.<\/p>\n\n\n\n
Global Catalog (GC)<\/h3>\n\n\n\n
The global catalog server contains a full replica of all objects and is used to perform forest wide searches. By default the first domain controller in a domain is designated as the GC server, it is recommended to have at least one GC server for each site to improve performance.<\/p>\n\n\n\n
Jet Database Engine<\/h3>\n\n\n\n
The Active Directory database is based on Microsoft’s Jet Blue engine and utilizes the Extensible Storage Engine (ESE) to work with the data. The database is a single file named ntds.dit, by default, it is stored in the %SYSTEMROOT%\\NTDS folder and each domain controller.<\/p>\n\n\n\n
Recycle Bin<\/h3>\n\n\n\n
The Active Directory recycle bin allows administrators to easily recover deleted items, this is not enabled by default. How to enable the Recycle Bin step by step guide.<\/a> <\/p>\n\n\n\n
Read-Only Domain Controller (RODC)<\/h3>\n\n\n\n
RODC servers hold a read-only copy of the Active Directory database and do not allow changes to AD. Its primary purpose is for branch offices and locations with poor physical security. <\/p>\n\n\n\n
Schema<\/h3>\n\n\n\n
The Active Directory schema defines every object class that can be created and used in an Active Directory forest. It also defines every attribute that can exist in an object. In other words, it is a blueprint of how data can be stored in Active Directory. For example, a user account is an instance of the user class, it uses attributes to store and provide information about that object. A computer account is another instance of a class that also is defined by its attributes. <\/p>\n\n\n\n
There are many classes and attributes unless your programming or troubleshooting some advanced issue it is not necessary to know everything about the schema. <\/p>\n\n\n\n
SYSVOL<\/h3>\n\n\n\n
The sysvol is a very important folder that is shared out on each domain controller. The default location is %SYSTEMROOT%\\SYSVOL\\sysvol and is made up of the following: <\/p>\n\n\n\n
- \n
- Group Policy Objects<\/li>\n\n\n\n
- Folders<\/li>\n\n\n\n
- Scripts<\/li>\n\n\n\n
- Junction Points<\/li>\n<\/ul>\n\n\n\n
Tombstone<\/h3>\n\n\n\n
Tombstone is a deleted object from AD that has not been removed from the database, the object technically remains in the database for a period of time. During this period of time the object can be restored. <\/p>\n\n\n\n
Object Name Attributes<\/h3>\n\n\n\n
The following are some important attributes that you should be familiar with when working with Active Directory. <\/p>\n\n\n\n
- \n
- userPrincipalName (UPN)<\/strong> \u2013 This is a common logon name that is in the format of an email address. A UPN looks like this, robert@ad.activedirectorypro.com, a UPN can be used to log into a windows domain. <\/li>\n\n\n\n
- objectGUID<\/strong> \u2013 This attribute is used to uniquely identify a user account. Even if the account is renamed or moved, the objectGUID never changes. <\/li>\n\n\n\n
- sAmAccountName<\/strong> \u2013 This attribute is user for account logons to a domain. It was the primary means to logon to a domain for older Windows versions, it can still be used on modern versions of Windows. <\/li>\n\n\n\n
- objectSID<\/strong> \u2013 This attribute is the security identifier (SID) of the user. The SID is used by the server to identify a user and their group membership to authorize users access to domain resources. <\/li>\n\n\n\n
- sIDHistory<\/strong> \u2013 This attribute contains previous SIDs for the user object. This is only needed if a user has moved to another domain. <\/li>\n\n\n\n
- Relative Distinguished Name (RDN)<\/strong> \u2013 The RDN is the first component of the distinguished name. It is the name of the object in Active Directory relative to its location in the hierarchical structure of AD<\/li>\n\n\n\n
- Distinguished Name (DN)<\/strong> \u2013 The DN attribute locates objects in the directory. This attribute is commonly used by services and applications to locate objects in Active Directory. a DN is made up of the following components:\n
- \n
- CN \u2013 common name<\/li>\n\n\n\n
- OU \u2013 organizational unit<\/li>\n\n\n\n
- DC \u2013 domain component<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Groups <\/h3>\n\n\n\n
Groups are used to collect user accounts, computer, and contact objects into management units. Creating groups makes it easier to control permissions to resources and assign resources such as printers and folders. There are two types of groups<\/p>\n\n\n\n
- \n
- Distribution<\/strong> \u2013 Distribution groups are used by email applications t easily send an email to a group of users. <\/li>\n\n\n\n
- Security<\/strong> \u2013 Security groups are a group of accounts that can be used to easily assign to a resource or apply for permissions. For example, if I wanted to lock down a folder for the HR department I could just put all the employees in a security group and apply the group to the folder instead of every individual account. <\/li>\n<\/ul>\n\n\n\n
Group Scope<\/h3>\n\n\n\n
Group scope identifies if the group can be applied in the domain or forest. Here are the three group scopes:<\/p>\n\n\n\n
- \n
- Universal<\/strong> \u2013 Can contain objects from other universal groups and any domain in the tree or forest. <\/li>\n\n\n\n
- Global<\/strong> \u2013 Can contain objects from the domain and be used in any domain tree or forest. <\/li>\n\n\n\n
- Domain Local<\/strong> \u2013 Can contain objects from any domain but can only be applied to the domain it was created in. <\/li>\n<\/ul>\n\n\n\n
Active Directory Services <\/h2>\n\n\n\n
Active Directory includes several other services that fall under the Active Directory Domain Services, these services include: <\/p>\n\n\n\n
Active Directory Certificate Services (AD CS)<\/h3>\n\n\n\n
This is a server role that allows you to build a public key infrastructure (PKI) and provide digital certificates for your organization. Certificates can be used to encrypt network traffic, application traffic, and used to authenticate users and computers. When you see https in a browser address that means it is using a certificate to encrypt the communication from the client to the server.<\/p>\n\n\n\n
Active Directory Domain Services (AD DS)<\/h3>\n\n\n\n
See Active Directory description<\/p>\n\n\n\n
Active Directory Federation Services (AD FS)<\/h3>\n\n\n\n
The federation service allows single sign on to external systems like websites and applications. Office 365 is a common use for federation services. When you sign into office 365 the username and password is redirected through the federation server and the credentials are checked against your on-premise Active Directory. So this allows you to provide authentication to external systems by using your local Active Directory to authenticate the username and password. <\/p>\n\n\n\n
Active Directory Lightweight Directory Services (AD LDS)<\/h3>\n\n\n\n
This service provides directory services using the LDAP protocol without the need to deploy domain controllers. This is primarily used to provide directory service functionally to directory enabled applications. This does not replace AD DS.<\/p>\n\n\n\n
Active Directory Rights Management Services (AD RMS)<\/h3>\n\n\n\n
This service provides methods for protecting information on digital content. It protects documents by defining who can open, modify, print, forward or take other actions on documents. You can also use certificates to encrypt documents for better security. <\/p>\n\n\n\n
Active Directory DNS<\/h2>\n\n\n\n
Domain Name System is a service that provides name resolution, most commonly hostname to IP address resolution. In this section, you will learn about some of the important components of DNS. <\/p>\n\n\n\n
Resource Records<\/h3>\n\n\n\n
A resource record is an entry in the DNS system that helps locate resources based on IP or a domain name. There are many types of resource records, below is a list of common record types: <\/p>\n\n\n\n
- \n
- A<\/strong> \u2013 maps a hostname to an IPv4 address<\/li>\n\n\n\n
- AAAA<\/strong> \u2013 Maps a hostname to an IPv6 address<\/li>\n\n\n\n
- CNAME <\/strong>\u2013 Maps an alias to a hostname<\/li>\n\n\n\n
- MX<\/strong> \u2013 Used to locate a mail server<\/li>\n\n\n\n
- NS<\/strong> \u2013 Specifics a name server for a domain<\/li>\n\n\n\n
- PTR<\/strong> \u2013 Maps an IPv4 address to a hostname. The reverse of an A record. <\/li>\n\n\n\n
- SOA<\/strong> \u2013 Contains administrative information<\/li>\n\n\n\n
- SRV<\/strong> \u2013 Used to locate servers that host specific services <\/li>\n\n\n\n
- TXT<\/strong> \u2013 Can contain various data. Often used for verifying domains and security reasons. <\/li>\n<\/ul>\n\n\n\n
Dynamic DNS (DDNS) <\/h3>\n\n\n\n
Dynamic DNS is a method for clients to register and dynamically update their resource records with a DNS server. This allows clients that use DHCP to auto update their DNS record when their IP address changes. <\/p>\n\n\n\n
Host Name<\/h3>\n\n\n\n
This is most often the DNS A record, the DNS name of a device that can be communicated with. For example, a server with the name of DC1. If DC1 was registered in DNS you would refer to that as the hostname. <\/p>\n\n\n\n
Zones<\/h3>\n\n\n\n
A zone is used to host the DNS records for a particular domain. The most important and commonly used zone type is Active Directory integrated zones. There are several other zones you should be familiar with, I cover the other zones in my article, Windows DNZ Zones Explained<\/a>. <\/p>\n\n\n\n
DNS Aging and Scavenging<\/h3>\n\n\n\n
This is a feature that can be enabled to help automate the cleanup of stale DNS records. I’ve created a separate post that explains more and provides step by step instructions to configure DNS Aging and Scavenging.<\/a> <\/p>\n\n\n\n
SRV Records Used by Active Directory<\/h3>\n\n\n\n
In a Windows Domain, SRV records are used by clients to locate domain controllers for Active Directory. When you install the AD DS service the process will automatically create the SRV records for Active Directory. <\/p>\n\n\n\n
- \n
- Active Directory creates its SRV records in the following folders, where Domain_Name is the name of your domain:\n
- \n
- Forward Lookup Zones\/Domain_Name\/_msdcs\/dc\/_sites\/Default-First-Site-Name\/_tcp Forward Lookup Zones\/Domain_Name\/_msdcs\/dc\/_tcp<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Here is a screenshot from my DNS:<\/p>\n\n\n\n
![\"\"](\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/03\/SRV-AD-records.jpg\")
<\/figure>\n\n\n\nForwarders <\/h3>\n\n\n\n
DNS forwarders are servers that resolve hostnames that your internal DNS server cannot resolve, primarily external domains such as internet browsing. You can set up to forward DNS requests to any server of your choosing, often times an ISP is used. <\/p>\n\n\n\n
Root Hints<\/h3>\n\n\n\n
Root hint server is another method to resolve hostnames that your internal server cannot resolve. The difference is these servers serve as the root DNS zone for the internet. They are managed by several large organized for security and redundancy. You can use either root hints or forwards to resolve external names.<\/p>\n\n\n\n
Resources:<\/h4>\n\n\n\n
- \n
- Complete List of DNS resource record types<\/a><\/li>\n\n\n\n
- How to verify that SRV DNS records have been created for a domain controller<\/a><\/li>\n\n\n\n
- Root Hints vs Forwarders<\/a><\/li>\n\n\n\n
- DNS Best Practices<\/a><\/li>\n<\/ul>\n\n\n\n
Active Directory Replication<\/h2>\n\n\n\n
Replication is the process that ensures changes made to one domain controller are replicated to other domain controllers in the domain. <\/p>\n\n\n\n
Connection Objects<\/h3>\n\n\n\n
The connection object specifics which domain controllers replicate with each other, how often and their naming contexts. <\/p>\n\n\n\n
KCC<\/h3>\n\n\n\n
The Knowledge Consistency Checker (KCC) is a process that runs on all domain controllers and generates a replication topology based off the sites, subnets and site link objects. <\/p>\n\n\n\n
Subnets<\/h3>\n\n\n\n
A subnet is a logical portion of an IP network. Subnets are used to group devices into a specific network, often by location, building or floor. If you have a multisite environment, Active Directory needs to know about your subnets so it can properly identify the most efficient resources. If this information is not provided clients can authenticate and use the wrong domain controller. <\/p>\n\n\n\n
Site<\/h3>\n\n\n\n
A site is a collection of subnets. The Active Directory sites help define the replication flow and resource location for clients such as a domain controller. <\/p>\n\n\n\n
Site Link<\/h3>\n\n\n\n
Site links allow you to configure what sites are connected to each other.<\/p>\n\n\n\n
Site link Bridge<\/h3>\n\n\n\n
A site link bridge is a logical connection between sites. It is a method to logically represent transitive connectivity between sites. <\/p>\n\n\n\n
Site Topology<\/h3>\n\n\n\n
The site topology is a map that defines the network connectivity for replication and location for resources in the Active Directory forest. The site topology consistent of several components including sites, subnets, site links, site link bridges, and connection objects. <\/p>\n\n\n\n
Intra-Site Replication<\/h3>\n\n\n\n
This is replication that occurs between domain controllers in the same site. <\/p>\n\n\n\n
Inter-Site Replication<\/h3>\n\n\n\n
In an environment with multiple sites, a change in one site needs to be replicated to the other site. This is called Inter-Site replication. <\/p>\n\n\n\n
Resources:<\/strong><\/h4>\n\n\n\n
- \n
- How Active Directory Replication Works<\/a><\/li>\n\n\n\n
- Active Directory Replication Concepts<\/a><\/li>\n<\/ul>\n\n\n\n
Active Directory Security (Authentication, Security Protocols, Permissions) <\/h2>\n\n\n\n
Kerberos<\/h3>\n\n\n\n
Kerberos is a security protocol that securely allows users to prove their identity to gain access to domain resources. <\/p>\n\n\n\n
Ticket Granting Ticket (TGT)<\/h3>\n\n\n\n
The TGT are files created by the KDC, they are used to grant users access to network resources. <\/p>\n\n\n\n
Key Distribution Center (KDC)<\/h3>\n\n\n\n
KDC is a service that runs on domain controllers and supplies session tickets used in the Kerberos authentication protocol. <\/p>\n\n\n\n
Service Principal Names (SPN)<\/h3>\n\n\n\n
SPN is a unique identifier of a service instance. <\/p>\n\n\n\n
NTLM <\/h3>\n\n\n\n
NTLM is a collection of security protocols used to authenticate, provide integrity and confidentiality to users. Kerberos is the preferred authentication protocol and is used in modern Windows versions, NTLM is still available for older clients and systems on a workgroup. <\/p>\n\n\n\n
NTFS Permissions<\/h3>\n\n\n\n
NTFS permissions allow you to define who is authorized to access a file or folder. Below is a list of the basic permissions you can set: <\/p>\n\n\n\n
- \n
- Full Control<\/strong> – This gives users the rights to add, modify, move and delete files and folders. <\/li>\n\n\n\n
- Modify<\/strong> – Gives users view and rights to modify<\/li>\n\n\n\n
- Read & Execute<\/strong> – Gives users view and execute rights<\/li>\n\n\n\n
- Read<\/strong> – ready only rights<\/li>\n\n\n\n
- Write<\/strong> – right to a file and add new folders <\/li>\n<\/ul>\n\n\n\n
Share Permissions<\/h3>\n\n\n\n
Share permissions define the level of access to shared resources such as a folder. There are three basic shared permissions: <\/p>\n\n\n\n
- \n
- Read<\/strong> – Gives users view rights to the folder and subfolders<\/li>\n\n\n\n
- Change<\/strong> – Gives users read and modify rights<\/li>\n\n\n\n
- Full Control<\/strong> – Gives users modify, change and read rights. <\/li>\n<\/ul>\n\n\n\n
Discretionary access control list (DACL)<\/h3>\n\n\n\n
A DACL identifies what account is allows or denied access to an object such as a file or folder. <\/p>\n\n\n\n
Access Control Entries (ACE)<\/h3>\n\n\n\n
DACL contains ACEs, the ACE defines what account and what level of access is to be granted to the resource. If no ACE is present the system denies all access to the object. <\/p>\n\n\n\n
System Access Control List (SACL)<\/h3>\n\n\n\n
The SACL enables admins to log attempts to access a security object. <\/p>\n\n\n\n
Fine Grained Password Policy<\/h3>\n\n\n\n
A feature in Windows 2008 and above that allows you to define different password and account lockout policies for different accounts. Generally, all accounts should have the same policy but you may have a service account or a very specific account that needs a different policy. For example, our guest wifi account kept getting locked out due to bad password attempts. I used a fine granted password policy to set a higher account lockout then the rest of the domain.<\/p>\n\n\n\n
Resources: <\/h4>\n\n\n\n
- \n
- Kerberos for the Busy Admin<\/a><\/li>\n\n\n\n
- Windows Authentication Technical Overview<\/a><\/li>\n\n\n\n
- Differences Between Share and NTFS Permissions<\/a><\/li>\n\n\n\n
- Access Control Lists <\/a><\/li>\n<\/ul>\n\n\n\n
Active Directory Management Consoles<\/h2>\n\n\n\n
This section includes the management consoles you will need to use to manage the various Active Directory technologies. You will need to install the Remote Server Administration Tools (RSAT)<\/a> to access these management consoles. <\/p>\n\n\n\n
Active Directory Users and Computers (ADUC)<\/h3>\n\n\n\n
This is the most commonly used console for managing users, computers, groups, and contacts. <\/p>\n\n\n\n
Shortcut:<\/strong> dsa.msc<\/p>\n\n\n\n
Active Directory Administrative Center (ADAC)<\/h3>\n\n\n\n
Starting with Server 2008 R2 Microsoft introduces the ADAC to manage their directory service objects. This console can be used to create and manage user accounts, computer accounts, groups, and organizational units. It provides the same functionality as the Active Directory Users and Computers tool. Due to the complicated interface, I prefer ADUC over this console. <\/p>\n\n\n\n
Active Directory Domains and Trusts<\/h3>\n\n\n\n
This console is used to raise the domain mode or functional level of a domain or forest. It is also used to manage trust relationships. <\/p>\n\n\n\n
Shortcut:<\/strong> domain.msc<\/p>\n\n\n\n
Active Directory Sites and Services<\/h3>\n\n\n\n
This is the main console for managing replication. This console is used to manage site topology objects, connection objects, schedule replication, manually force replication, enable the global catalog, and enable universal group caching. <\/p>\n\n\n\n
Shortcut:<\/strong> dssite.msc<\/p>\n\n\n\n
ADSI Edit<\/h3>\n\n\n\n
Active Directory Service Interfaces Editor is a GUI tool that can be used to manage objected in Active Directory. This tool provides access to object data that is not available in Active Directory Users and Computers.<\/p>\n\n\n\n
Shortcut:<\/strong> adsiedit.msc<\/p>\n\n\n\n
DFS Management<\/h3>\n\n\n\n
This console is used to manage DFS namespaces and DFS replication. <\/p>\n\n\n\n
Shortcut:<\/strong> dfsmgmt.msc<\/p>\n\n\n\n
DHCP<\/h3>\n\n\n\n
This console is used to create DCHP scopes, view lease information and all things DHCP. <\/p>\n\n\n\n
Shortcut: <\/strong>dhcpmgmt.msc<\/p>\n\n\n\n
DNS<\/h3>\n\n\n\n
This console is used to create DNS zones, resource records and manage all things DNS. <\/p>\n\n\n\n
Shortcut:<\/strong> dnsmgmt.msc<\/p>\n\n\n\n
Group Policy Management<\/h3>\n\n\n\n
This console is used to manage group policy and group policy objects. <\/p>\n\n\n\n
Shortcut:<\/strong> gpmc.msc<\/p>\n\n\n\n
PowerShell<\/h3>\n\n\n\n
Although this is not a management console it is the most powerful tool to automate administrative tasks. PowerShell can speed up many routine tasks that the GUI management tools cannot do. <\/p>\n\n\n\n
Resources: <\/h4>\n\n\n\n
- \n
- Huge list of MMC shortcuts <\/a><\/li>\n<\/ul>\n\n\n\n
Dynamic Host Control Protocol (DHCP)<\/h2>\n\n\n\n
Dynamic Host configuration protocol is a service that provides centralized control of IP address. When your computer connects to a wired or wireless network a DHCP server is contacted to find and assign you an available IP address. <\/p>\n\n\n\n
Scope<\/h3>\n\n\n\n
A DHCP scope is a collection of IP address settings that are configured for devices such as a computer to use. You can create multiple scopes for different device types and subnets. For example, I have a scope for computers and different scopes for IP phones. When you setup a scope, you will need to configure the following: <\/p>\n\n\n\n
- \n
- Scope name<\/strong> – This is the name of the scope. Give it a descriptive name so it is easy to identify which devices it is for. <\/li>\n\n\n\n
- IP address range<\/strong> – This is the IP range that you want the devices to use. For example 10.2.2.0\/24<\/li>\n\n\n\n
- IP address exclusions<\/strong> – You can specify to exclude IP address from the scope. This is useful if you have devices on the subnet that need a static IP like a router or server. <\/li>\n\n\n\n
- Lease duration<\/strong> – The lease specifies how long a client has an IP address before returning it to the pool. <\/li>\n\n\n\n
- DHCP options<\/strong> – There are a number of different options you can include when DHCP assigns an IP address. More on this below<\/li>\n<\/ul>\n\n\n\n
DHCP options<\/h3>\n\n\n\n
There are many DCHP options, below are the most commonly used options in a Windows domain. <\/p>\n\n\n\n
- \n
- 003 router<\/strong> – The default gateway of the subnet<\/li>\n\n\n\n
- 005 DNS server<\/strong> – The IP address of the DNS server clients should use for name resolution. <\/li>\n\n\n\n
- 015 DNS Domain Name<\/strong> – The DNS suffix the client should use, often the same as the domain name. <\/li>\n<\/ul>\n\n\n\n
DHCP filtering<\/h3>\n\n\n\n
DHCP filtering can be used to deny or allow devices based on their MAC address. For example, I use it to block mobile devices from connecting to our secure wifi. <\/p>\n\n\n\n
Superscopes<\/h3>\n\n\n\n
A superscope is a collection of individual DHCP scopes. This can be used when you want to join to scopes together. Honestly, I’ve never used this. <\/p>\n\n\n\n
Split Scopes<\/h3>\n\n\n\n
This is a method of providing fault tolerance for a DHCP scope. Using DHCP failover is not the preferred method for fault tolerance. <\/p>\n\n\n\n
DHCP Failover<\/h3>\n\n\n\n
DCHP failover was a new feature starting in server version 2012. It allows two DHCP servers to share lease information providing high availability for DCHP services. If one server becomes unavailable the other server takes over. <\/p>\n\n\n\n
Resources: <\/h4>\n\n\n\n
- \n
- DHCP Parameters <\/a><\/li>\n<\/ul>\n\n\n\n
Group Policy<\/h2>\n\n\n\n
Group policy allows you to centrally manage user and computer settings. You can use group policy to set password policies, auditing policies, lock screen, map drives, deploy software, one drive, office 365 settings and much more. <\/p>\n\n\n\n
Group Policy Objects (GPO)<\/h3>\n\n\n\n
GPO’s are a collection of policy settings that you use to apply to computers or users. <\/p>\n\n\n\n
Group Policy Refresh Frequency <\/h3>\n\n\n\n
Client workstations and member servers refresh their policies every 90 minutes. To avoid overwhelming the domain controllers their is a random offset interval added to every machine. This prevents all the machines from requesting group policy upgrades from the DC at the same time and potentially crashing it. <\/p>\n\n\n\n
Policy Processing<\/h3>\n\n\n\n
Group policies apply in the following order<\/p>\n\n\n\n
- \n
- Local<\/li>\n\n\n\n
- Site<\/li>\n\n\n\n
- Domain<\/li>\n\n\n\n
- Organizational Unit (OU)<\/li>\n<\/ul>\n\n\n\n
Block inheritance<\/h3>\n\n\n\n
By default, group policy objects are inherited. To change this behavior you can use the block inheritance option at an OU level. <\/p>\n\n\n\n
No Override<\/h3>\n\n\n\n
If you want to enforce policies and prevent them from being blocked use the no override option. <\/p>\n\n\n\n
User Settings<\/h3>\n\n\n\n
In a GPO there are user and computer settings. User settings only apply to user objects. If you configure user settings in the GPO, the GPO must be applied to user objects. <\/p>\n\n\n\n
Computer Settings<\/h3>\n\n\n\n
The computer settings in a GPO are settings that can be applied to a computer. If you configure the computer settings the GPO must be applied to computer objects. <\/p>\n\n\n\n
Resultant Set of Policy (RsoP)<\/h3>\n\n\n\n
Resultant Set of Policy is a Microsoft tool that is built into Windows 7 and later versions. It provides administrators a report on what group policy settings are getting applied to users and computers. It can also be used to simulate settings for planning purposes.<\/p>\n\n\n\n
I have a complete tutorial in my article How to use RSoP to check and troubleshoot group policy settings.<\/a> <\/p>\n\n\n\n
Group Policy Preferences<\/h3>\n\n\n\n
Group Policy Preferences are primarily used to configure settings that can later be changed at the client level. Preferences also have the option to do some advanced targeting such as applying to a certain OU, Windows version, users in a group and so on. Preferences are commonly used to configure the following: <\/p>\n\n\n\n
- \n
- Drive Mappings<\/li>\n\n\n\n
- Registry settings<\/li>\n\n\n\n
- Install printers<\/li>\n\n\n\n
- Schedule tasks<\/li>\n\n\n\n
- Set file and folder permissions<\/li>\n\n\n\n
- Set power settings<\/li>\n<\/ul>\n\n\n\n
Templates<\/h3>\n\n\n\n
You can install additional group policy templates to extend the default GPOs supplied by Microsoft. Some common templates used are Office 365, Chrome, Firefox and those supplied by 3rd party applications. Templates are xml based files usually in a ADM format or ADMX file extension. <\/p>\n\n\n\n
Resources: <\/h4>\n\n\n\n
- \n
- Group Policy Architecture<\/a><\/li>\n\n\n\n
- Group Policy Overview<\/a><\/li>\n<\/ul>\n\n\n\n
Did I miss anything? Have anything to share? Let me know in the comments below.<\/h4>\n","protected":false},"excerpt":{"rendered":"
In this post, I’m going to list and explain the most commonly used terminology in Active Directory and related technologies.\u00a0<\/p>\n
If you are new to Active Directory, this will be a great resource for you to get familiar with Active Directory terms and fundamental concepts.\u00a0<\/p>\n","protected":false},"author":1,"featured_media":40557,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1835],"tags":[],"_links":{"self":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/3669"}],"collection":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/comments?post=3669"}],"version-history":[{"count":3,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/3669\/revisions"}],"predecessor-version":[{"id":40554,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/3669\/revisions\/40554"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/media\/40557"}],"wp:attachment":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/media?parent=3669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/categories?post=3669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/tags?post=3669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Group Policy Overview<\/a><\/li>\n<\/ul>\n\n\n\n
- Group Policy Architecture<\/a><\/li>\n\n\n\n
- 005 DNS server<\/strong> – The IP address of the DNS server clients should use for name resolution. <\/li>\n\n\n\n
- IP address range<\/strong> – This is the IP range that you want the devices to use. For example 10.2.2.0\/24<\/li>\n\n\n\n
- Scope name<\/strong> – This is the name of the scope. Give it a descriptive name so it is easy to identify which devices it is for. <\/li>\n\n\n\n
- Windows Authentication Technical Overview<\/a><\/li>\n\n\n\n
- Change<\/strong> – Gives users read and modify rights<\/li>\n\n\n\n
- Modify<\/strong> – Gives users view and rights to modify<\/li>\n\n\n\n
- Active Directory Replication Concepts<\/a><\/li>\n<\/ul>\n\n\n\n
- How to verify that SRV DNS records have been created for a domain controller<\/a><\/li>\n\n\n\n
- Complete List of DNS resource record types<\/a><\/li>\n\n\n\n
- Forward Lookup Zones\/Domain_Name\/_msdcs\/dc\/_sites\/Default-First-Site-Name\/_tcp Forward Lookup Zones\/Domain_Name\/_msdcs\/dc\/_tcp<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- AAAA<\/strong> \u2013 Maps a hostname to an IPv6 address<\/li>\n\n\n\n
- Global<\/strong> \u2013 Can contain objects from the domain and be used in any domain tree or forest. <\/li>\n\n\n\n
- Security<\/strong> \u2013 Security groups are a group of accounts that can be used to easily assign to a resource or apply for permissions. For example, if I wanted to lock down a folder for the HR department I could just put all the employees in a security group and apply the group to the folder instead of every individual account. <\/li>\n<\/ul>\n\n\n\n
- Distribution<\/strong> \u2013 Distribution groups are used by email applications t easily send an email to a group of users. <\/li>\n\n\n\n
- objectGUID<\/strong> \u2013 This attribute is used to uniquely identify a user account. Even if the account is renamed or moved, the objectGUID never changes. <\/li>\n\n\n\n
- userPrincipalName (UPN)<\/strong> \u2013 This is a common logon name that is in the format of an email address. A UPN looks like this, robert@ad.activedirectorypro.com, a UPN can be used to log into a windows domain. <\/li>\n\n\n\n
- Users<\/strong> – User accounts are assigned to primarily assigned to users to gain access to domain resources. They can also be used to run programs or system services. <\/li>\n\n\n\n
- Domain Naming Master<\/strong> – This is a forest wide role that is the master of domain names. It handles the namespace and adding removing domain names. <\/li>\n\n\n\n
- Schema Master<\/strong> – The schema master is a forest wide role that handles all the changes to the Active Directory schema. <\/li>\n\n\n\n
- AD DS<\/strong> – This is a server that is running the Active Directory Domain Services Role<\/li>\n\n\n\n
- Active Directory Services<\/a><\/li>\n\n\n\n