
1. What's the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can't I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It's the group policy inheritance model, in which policies are applied to Local machines, Sites, Domains and Organizational Units.
4. Why doesn't LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy
6. What are GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.
9. You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do? gponame –> User Configuration –> Windows Settings –> Remote Installation Services –> Choice Options is your friend.
10. What's contained in administrative template conf.adm? Microsoft NetMeeting policies.
11. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but an MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
13. What's the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes, give or take.
16. Where is secedit? It's now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can't.
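The precedence rules in answers 3, 8 and 17 (LSDOU order, computer settings beating user settings, Block inheritance), worked through in a small Python model. This is an added example, not part of the original question list; the container, setting and value names are constructed, and it assumes, beyond what the answers say, that the Local GPO is still processed below an OU that blocks inheritance.

```python
"""Group Policy precedence (LSDOU) with Block Inheritance, as a model.

Added illustration, not code from the original interview list. Container
names, setting names and setting values are constructed.
Rules modelled, as answers 3, 8 and 17 state them:
  * policies apply in the order Local, Site, Domain, OU (outer OU before
    inner OU), and a later container's setting overrides an earlier one;
  * an OU marked "Block inheritance" stops policies linked above it;
  * when a computer setting and a user setting conflict, the computer
    setting wins.
Assumption beyond the page: the Local GPO is still processed when an OU
blocks inheritance.
"""
from dataclasses import dataclass, field


@dataclass
class Container:
    name: str                                       # e.g. "Site:HQ", "OU:Sales"
    computer: dict = field(default_factory=dict)    # Computer Configuration settings
    user: dict = field(default_factory=dict)        # User Configuration settings
    block_inheritance: bool = False                 # meaningful for OUs only


def resolve(local, chain):
    """Return (computer_settings, user_settings) after LSDOU processing.

    local: the Local GPO of the machine.
    chain: Site, then Domain, then OUs from the top of the OU tree down to
           the OU that holds the account.
    """
    applied = [local]
    for container in chain:
        if container.block_inheritance:
            applied = [local]          # discard everything linked above this OU
        applied.append(container)
    computer, user = {}, {}
    for container in applied:
        computer.update(container.computer)   # later (more specific) wins
        user.update(container.user)
    return computer, user


def effective_setting(local, chain, name):
    """Value of one setting; a computer setting beats a conflicting user setting."""
    computer, user = resolve(local, chain)
    if name in computer:
        return computer[name]
    return user.get(name)


# Constructed sample hierarchy.
LOCAL = Container("Local", user={"Wallpaper": "local.bmp"})
SITE = Container("Site:HQ", computer={"AuditLogon": "off"})
DOMAIN = Container("Domain:corp.example", computer={"AuditLogon": "on"},
                   user={"Wallpaper": "corp.bmp", "HideRunDialog": "no"})
OU_SALES = Container("OU:Sales", user={"HideRunDialog": "yes", "AuditLogon": "off"})
OU_TEMPS = Container("OU:Temps", user={"Wallpaper": "temps.bmp"}, block_inheritance=True)

SALES_CHAIN = [SITE, DOMAIN, OU_SALES]
TEMPS_CHAIN = [SITE, DOMAIN, OU_SALES, OU_TEMPS]

if __name__ == "__main__":
    print("Sales:", resolve(LOCAL, SALES_CHAIN))
    print("Temps (blocked):", resolve(LOCAL, TEMPS_CHAIN))
    print("AuditLogon for a Sales user:", effective_setting(LOCAL, SALES_CHAIN, "AuditLogon"))
```

The Temps chain shows what Block inheritance actually costs: the domain's audit setting disappears from that OU along with everything else linked above it, so a blocked OU needs its own links for any control that must keep applying.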

20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
22. What's the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don't; both have support for sharing.
24. Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into the Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
28. What hidden shares exist on a Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In the Partition Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start -> Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can't. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a middle-man attack on an encrypted line? A time stamp is attached to the initial client request, encrypted with the shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
39. What's the number of permitted unsuccessful logons on the Administrator account? Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv2? A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then compare the hashes.
41. What's the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? The user's last 6 passwords.

Posted in: Windows |
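Answers 26 and 27 (Allow is permissive, Deny is restrictive) as an added Python example, not code from the original list. The ACE layout, the rights bits and the principals are constructed, and the order-dependent handling of explicit versus inherited entries, which the answers do not cover, is left out.

```python
"""Effective NTFS access for a user who belongs to several groups.

Added illustration, not code from the original answers. The ACE layout,
the rights bits and the principals are constructed (the real Win32 access
mask values differ). Rules from answers 26 and 27: Allow is permissive
(one Allow from any of the user's groups grants a right) and Deny is
restrictive (one Deny from any group removes the right whatever the other
groups allow). Explicit-versus-inherited ACE ordering is not modelled.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4          # constructed bit flags
RIGHT_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute"}


@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry applies to
    allow: bool      # True for an Allow ACE, False for a Deny ACE
    rights: int      # bitmask of READ / WRITE / EXECUTE


def effective_rights(acl, user, groups):
    """Union of matching Allows minus union of matching Denies."""
    principals = {user, *groups}
    allowed = denied = 0
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied


def has_right(acl, user, groups, right):
    return effective_rights(acl, user, groups) & right == right


def describe(acl, user, groups):
    rights = effective_rights(acl, user, groups)
    names = [n for bit, n in RIGHT_NAMES.items() if rights & bit] or ["(no access)"]
    return "%s: %s" % (user, ", ".join(names))


# Constructed ACL on a hypothetical \\fs1\finance share.
SAMPLE_ACL = [
    Ace("Staff", allow=True, rights=READ | EXECUTE),
    Ace("Finance", allow=True, rights=WRITE),
    Ace("Contractors", allow=False, rights=WRITE),   # Deny wins over Finance's Allow
]

if __name__ == "__main__":
    for user, groups in [("alice", {"Staff", "Finance"}),
                         ("bob", {"Staff", "Finance", "Contractors"}),
                         ("dave", set())]:
        print(describe(SAMPLE_ACL, user, groups))
```

Bob is in Finance, which allows Write, but his Contractors membership carries a Deny on Write, so he ends up with Read and Execute only; that is the "regardless of other group permissions" clause in answer 27.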
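Answer 36's time stamp check, modelled in Python as an added example that is not from the original list. It stands in for the encryption with an HMAC tag under the shared key (integrity is the property the check relies on), feeds the clock in as a parameter so the run is deterministic, and assumes a 5-minute skew window, which the answer does not state.

```python
"""Timestamp check against replay of a captured request, as a model.

Added illustration, not code from the original answers. Answer 36 says the
initial client request carries a time stamp protected with the shared key;
this model uses an HMAC tag as a stand-in for that encryption and takes the
current time as a parameter.
Assumption beyond the page: a 5-minute skew window, the Kerberos default.
"""
import hashlib
import hmac
import json

MAX_SKEW = 300   # seconds of tolerated clock difference (assumption, see above)


def make_request(key, client, timestamp):
    """Client side: serialise the request and tag it with the shared key."""
    body = json.dumps({"client": client, "ts": timestamp}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class ReplayCache:
    """Remembers (client, timestamp) pairs seen inside the skew window."""

    def __init__(self):
        self.seen = set()

    def prune(self, now):
        self.seen = {(c, ts) for c, ts in self.seen if ts >= now - MAX_SKEW}

    def record(self, client, ts):
        self.seen.add((client, ts))

    def contains(self, client, ts):
        return (client, ts) in self.seen


def verify_request(key, body, tag, now, cache):
    """Server side. Returns (accepted, reason)."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad_mac"          # body altered or wrong key
    fields = json.loads(body)
    client, ts = fields["client"], fields["ts"]
    if abs(now - ts) > MAX_SKEW:
        return False, "stale"            # too old (or too far ahead) to be fresh
    cache.prune(now)
    if cache.contains(client, ts):
        return False, "replay"           # the same request presented again
    cache.record(client, ts)
    return True, "ok"


# Constructed sample exchange.
SHARED_KEY = b"constructed-shared-key-not-a-real-secret"

if __name__ == "__main__":
    cache = ReplayCache()
    body, tag = make_request(SHARED_KEY, "alice", 1000)
    print(verify_request(SHARED_KEY, body, tag, 1010, cache))          # accepted
    print(verify_request(SHARED_KEY, body, tag, 1011, cache))          # replayed copy
    print(verify_request(SHARED_KEY, body, tag, 1700, ReplayCache()))  # stale
```

The skew window and the replay cache only work together: without the window a cache would grow without bound, and without the cache a copy re-sent inside the window would still pass. The tag check comes first so an altered time stamp is rejected before it is even read.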

Responses to "Windows Server 2003 Active Directory and Security Questions"


1. Shahid Afridi Says:
June 12th, 2004 at 3:03 pm

I am really surprised to read this fruit

Basic Active Directory Components
by Jeremy Reis on Wednesday, July 02, 2008
At its core, Active Directory needs structure to work properly. It provides the basic building blocks for people to build their own directory. These basic building blocks of Active Directory include domains, domain controllers, trusts, forests, organizational units, groups, sites, replication, and the global catalog.

Understanding Forests
At the top of the Active Directory structure is a forest. A forest holds all of the objects, organizational units, domains, and attributes in its hierarchy. Under a forest are one or more trees which hold domains, OUs, objects, and attributes.

As illustrated in this image, there are two trees in the forest. You might use a structure like this for organizations with more than one operating company. You could also design a structure with multiple forests, but these are for very specific reasons and not common.

Domains
At the heart of the Active Directory structure is the domain. The domain is typically of the Internet naming variety (e.g. Learnthat.com), but you are not forced to stick with this structure – you could technically name your domain whatever you wish. Microsoft recommends using as few domains as possible in building your Active Directory structure and relying on Organizational Units for structure. Domains can contain multiple nested OUs, allowing you to build a pretty robust and specific structure.

Domain Controllers
In Windows NT, domains used a Primary Domain Controller (PDC) and Backup Domain Controller (BDC) model. This had one server, the PDC, which was "in charge" while the other DCs were subservient. If the PDC failed, you had to promote a BDC to become the PDC and be the server in charge.

In Active Directory, you have multiple Domain Controllers which are equal peers. Each DC in the Active Directory domain contains a copy of the AD database and synchronizes changes with all other DCs by multi-master replication. Replication occurs frequently and on a pull basis instead of a push one. A server requests updates from a fellow domain controller. If information on one DC changes (e.g. a user changes their password), it sends a signal to the other domain controllers to begin a pull replication of the data to ensure they are all up to date. Servers not serving as DCs, but in the Active Directory domain, are called 'member servers.' Active Directory requires at least one Domain Controller, but you can install as many as you want (and it's recommended you install at least two domain controllers in case one fails).

Trust Relationships
Trust Relationships are important in an Active Directory environment so forests and domains can communicate with one another and pass credentials. Within a single forest, trusts are created when a domain is created. By default, domains have an implicit two-way transitive trust created. This means each domain trusts each other for security access and credentials. A user in domain A can access resources permitted to him in domain B while a user in domain B can access resources permitted to her in domain A. AD allows several different types of trusts to be created, but understanding the two-way transitive trust is the most important to understanding AD.
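The two-way transitive trust described above, worked through as an added Python example that is not part of the tutorial. The domain names and trust links are constructed. It goes one step beyond the section by letting a trust be marked non-transitive, which is how a trust to a domain outside the forest behaves, so the difference between "trusts" and "trusts through" is visible.

```python
"""Which domain trusts which, with transitive and non-transitive trusts.

Added illustration, not code from the tutorial. Domain names and trust
links are constructed. Within a forest every parent-child link is a
two-way transitive trust, as the section says; the model also allows a
non-transitive trust, which is how an external trust to a domain outside
the forest behaves.
"""
from collections import deque


class TrustGraph:
    def __init__(self):
        self.edges = {}        # trusting domain -> {trusted domain: transitive?}
        self.domains = set()

    def add_trust(self, trusting, trusted, transitive=True, two_way=True):
        """`trusting` accepts credentials from `trusted`."""
        self.domains.update((trusting, trusted))
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def trusts(self, trusting, trusted):
        """True if accounts from `trusted` can be granted access in `trusting`."""
        if trusted in self.edges.get(trusting, {}):
            return True                      # a direct trust of either kind suffices
        # Multi-hop paths count only if every link on them is transitive.
        queue, visited = deque([trusting]), {trusting}
        while queue:
            here = queue.popleft()
            for nxt, transitive in self.edges.get(here, {}).items():
                if not transitive or nxt in visited:
                    continue
                if nxt == trusted:
                    return True
                visited.add(nxt)
                queue.append(nxt)
        return False

    def trusted_by(self, trusting):
        """Every domain whose accounts `trusting` will accept."""
        return sorted(d for d in self.domains
                      if d != trusting and self.trusts(trusting, d))


def sample_forest():
    """Constructed forest: a root domain, a child, a grandchild, plus one external trust."""
    g = TrustGraph()
    g.add_trust("corp.example", "eu.corp.example")            # tree link: two-way transitive
    g.add_trust("eu.corp.example", "de.eu.corp.example")
    g.add_trust("corp.example", "partner.example",
                transitive=False, two_way=False)               # one-way, non-transitive
    return g


if __name__ == "__main__":
    g = sample_forest()
    for d in sorted(g.domains):
        print(d, "accepts accounts from", g.trusted_by(d))
```

Reading the output as a defender: corp.example accepts partner.example accounts, but eu.corp.example does not, because the external link is not transitive; and partner.example accepts nothing from the forest, because the link is one-way. Those two properties are what keep an external trust from silently widening to the whole forest.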

Organizational Units
An Organizational Unit (OU) is a container which gives a domain hierarchy and structure. It is used for ease of administration and to create an AD structure in the company's geographic or organizational terms.

[Image: Organizational Units]
An OU can contain OUs, allowing for the creation of a multi-level structure, as shown in the image above. There are three primary reasons for creating OUs:
Organizational Structure: First, creating OUs allows a company to build a structure in Active Directory which matches their firm's geographic or organizational structure. This permits ease of administration and a clean structure.
Security Rights: The second reason to create an OU structure is to assign security rights to certain OUs. This, for example, would allow you to apply Active Directory Policies to one OU which are different than another. You could set up policies which install an accounting software application on computers in the Accounting OU.
Delegated Administration: The third reason to create OUs is to delegate administrative responsibility. AD Architects can design the structure to allow local administrators certain administrative responsibility for their OU and no other. This allows for a delegated administration not available in Windows NT networks.

Groups
Groups serve two functions in Active Directory: security and distribution. A security group contains accounts which can be used for security access. For example, a security group could be assigned rights to a particular directory on a file server. A distribution group is used for sending information to users. It cannot be used for security access.

There are three group scopes:
Global: Global scope security groups contain users only from the domain in which the group is created. Global security groups can be members of both Universal and Domain Local groups.
Universal: Universal scope security groups can contain users, global groups, and universal groups from any domain. These groups are typically used in a multi-domain environment if access is required across domains.
Domain Local: Domain Local scope groups are often created in domains to assign security access to a particular local domain resource. Domain Local scope groups can contain user accounts, universal groups, and global groups from any domain. Domain Local scope groups can contain domain local groups in the same domain.
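The three scope rules above, turned into a membership validator as an added Python example (not code from the tutorial). The principals and domains are constructed. One rule not in the section is included: a global group may also contain global groups from its own domain.

```python
"""Checks whether a group membership is legal under the three group scopes.

Added illustration, not code from the tutorial; names and domains are
constructed. Rules as the section states them: a global group holds users
from its own domain only; a universal group holds users, global groups and
universal groups from any domain; a domain local group holds users, global
and universal groups from any domain plus domain local groups from its own
domain. One rule beyond the section, added here: a global group may also
contain global groups from its own domain.
"""
from dataclasses import dataclass

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domainlocal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str      # USER, GLOBAL, UNIVERSAL or DOMAIN_LOCAL


def can_contain(group, member):
    """True if `member` may be added to `group` under the scope rules."""
    same_domain = group.domain == member.domain
    if group.kind == GLOBAL:
        return same_domain and member.kind in (USER, GLOBAL)
    if group.kind == UNIVERSAL:
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    if group.kind == DOMAIN_LOCAL:
        if member.kind == DOMAIN_LOCAL:
            return same_domain
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    raise ValueError("not a group scope: %r" % group.kind)


def violations(memberships):
    """memberships: iterable of (group, member). Returns the illegal ones as text."""
    return ["%s (%s, %s) cannot contain %s (%s, %s)"
            % (g.name, g.kind, g.domain, m.name, m.kind, m.domain)
            for g, m in memberships if not can_contain(g, m)]


# Constructed principals in a two-domain forest.
ALICE = Principal("alice", "corp.example", USER)
BOB = Principal("bob", "eu.corp.example", USER)
SALES = Principal("Sales", "corp.example", GLOBAL)
SALES_EU = Principal("Sales", "eu.corp.example", GLOBAL)
ALL_SALES = Principal("AllSales", "corp.example", UNIVERSAL)
SHARE_READERS = Principal("FinanceShareReaders", "corp.example", DOMAIN_LOCAL)
SHARE_READERS_EU = Principal("FinanceShareReaders", "eu.corp.example", DOMAIN_LOCAL)

SAMPLE_MEMBERSHIPS = [
    (SALES, ALICE),                      # ok: user from the same domain
    (SALES, BOB),                        # illegal: user from another domain
    (ALL_SALES, SALES),                  # ok: global groups from any domain
    (ALL_SALES, SALES_EU),
    (SHARE_READERS, ALL_SALES),          # ok: the usual resource-access pattern
    (SHARE_READERS, SHARE_READERS_EU),   # illegal: domain local group from another domain
    (ALL_SALES, SHARE_READERS),          # illegal: universal cannot hold domain local
]

if __name__ == "__main__":
    for line in violations(SAMPLE_MEMBERSHIPS):
        print(line)
```

The legal rows show the pattern the scopes are designed for: users go into a global group in their own domain, global groups from several domains go into a universal group, and the universal group goes into the domain local group that actually carries the permission on the resource.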

Sites
An Active Directory site object represents a collection of IP subnets, usually constituting a physical Local Area Network (LAN). Multiple sites are connected for replication by site links. Typically, sites are used for:
Physical Location Determination: Enables clients to find local resources such as printers, shares, or domain controllers.
Replication: You can optimize replication between domain controllers by creating links.

By default, Active Directory uses automatic site coverage, though you can purposefully set up sites and resources.

Replication
Since most Active Directory networks contain multiple domain controllers and users could theoretically attach to any DC for authentication or information, each of the servers needs to be kept up to date. Domain Controllers stay up to date by replicating the database between each other. They perform this using a pull method – a server requests new information from a different DC frequently. After a change, the DC initiates a replication after waiting 15 seconds (in Windows 2003) or 5 minutes (in Windows 2000). Windows Server 2003 uses technology to only replicate changed information and compresses replication over WAN links. Windows Server sets up a replication topology to determine where a server updates from. In a large network, this keeps replication time down as servers replicate in a form of a ring network.

Active Directory uses multi-master replication. Multimaster replication does not rely on a single primary domain controller, but instead treats each DC as an authority. When a change is made on any DC, it is replicated to all other DCs. Although each DC is replicated alike, all of the DCs aren't equal. There are several flexible single-master operation roles which are assigned to one domain controller at a time. AD uses Remote Procedure Calls (RPC) for replication and can use SMTP for changes to schema or configuration.

FSMO Roles

All domain controllers are not equal. We know, it's hard to hear. You've spent this whole time reading this tutorial thinking that all DCs are created equal and now we have to burst your bubble. Some DCs have more responsibility than others. It's just part of life! There are five roles which are called operations masters, or flexible single-master operations (FSMOs). Two are forestwide roles and three are domainwide roles.

The forestwide roles are:
Schema master: Controls updates to the Active Directory schema.
Domain naming master: Controls the addition and removal of domains from the forest.

The three domainwide roles are:
RID master: Allocates pools of unique identifiers to domain controllers for use when creating objects. (RID is relative identifier.)
Infrastructure master: Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server, unless all of the DCs are global catalog servers.
PDC Emulator: Provides backward compatibility for NT 4 clients for PDC operations – such as a password change. The PDC also serves as the master time server.

Global Catalog
As a network gets larger, it can contain multiple domains and many domain controllers. Each domain only contains records from its own domain in its AD database to keep the database small and replication manageable. The Active Directory domain relies on a global catalog database which contains a global listing of all objects in the forest. The Global Catalog is held on DCs configured as global catalog servers. The global catalog contains a subset of information – such as a user's first name and last name – and the distinguished name of the object so your client can contact the proper domain controller if you need more information. The distinguished name is the full address of an object in the directory. For example, a printer in the OU Accounting in the Learnthat.com domain might have a distinguished name of: CN=AcctLaser,OU=Accounting,DC=Learnthat,DC=com. The GC database is only a subset of the entire database called the Partial Attribute Set (PAS), containing 151 of the 1,070 properties available in Windows Server 2003. You can define additional properties for replication to the GC by modifying the schema.
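The distinguished name and the partial attribute set from the paragraph above, worked through as an added Python example that is not code from the tutorial. parse_dn splits a DN such as the printer example into its RDNs and honours backslash escapes (so a value like "Smith\, John" stays one value), which the paragraph does not discuss; hex escapes and multi-valued RDNs joined with "+" are not handled. The attribute set used by gc_view is a constructed stand-in, not the real PAS.

```python
"""Distinguished names and the global catalog's partial attribute set.

Added illustration, not code from the tutorial. parse_dn handles
backslash escapes; hex escapes and multi-valued RDNs are not handled.
GC_ATTRIBUTES is a constructed stand-in for the real Partial Attribute Set.
"""

PRINTER_DN = "CN=AcctLaser,OU=Accounting,DC=Learnthat,DC=com"   # the tutorial's example


def parse_dn(dn):
    """Return a list of (attribute, value) pairs, most specific RDN first."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])       # escaped character taken literally
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=': %r" % "".join(buf))
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=': %r" % "".join(buf))
    rdns.append((attr, "".join(buf)))
    return rdns


def _escape(value):
    """Re-escape the characters that would otherwise be read as structure."""
    return "".join("\\" + c if c in ",=+\\" else c for c in value)


def format_dn(rdns):
    return ",".join("%s=%s" % (a, _escape(v)) for a, v in rdns)


def parent_dn(rdns):
    """DN of the container holding the object (everything after the first RDN)."""
    return format_dn(rdns[1:])


def domain_dns_name(rdns):
    """The DC components joined into the domain's DNS name."""
    return ".".join(v for a, v in rdns if a.upper() == "DC")


# Constructed stand-in for the Partial Attribute Set replicated to the GC.
GC_ATTRIBUTES = {"cn", "givenName", "sn", "distinguishedName", "objectClass"}


def gc_view(attributes, pas=GC_ATTRIBUTES):
    """The subset of an object's attributes a global catalog server would hold."""
    return {k: v for k, v in attributes.items() if k in pas}


if __name__ == "__main__":
    rdns = parse_dn(PRINTER_DN)
    print("RDNs:", rdns)
    print("Container:", parent_dn(rdns))
    print("Domain:", domain_dns_name(rdns))
    print("In the GC:", gc_view({"cn": "AcctLaser", "objectClass": "printQueue",
                                 "location": "2nd floor"}))
```

Parsing by splitting on every comma is the common mistake here: a value containing an escaped comma would be cut in two and the object's container misidentified, which matters when the DN is used to decide which domain controller or which permission applies.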
