IT Tech

Published on December 2017

What is Active Directory?

After years of working with Windows Server I'll give you an understandable definition. AD is an organizational database of all the objects and users in a Windows network. It centrally organizes all the resources in an organization for security and distribution. What the hell does that mean? I'll explain it. It's actually pretty simple, and makes sense. The next few sections will explain some of the features that make AD so attractive.

Think of AD as a "directory." Meaning, all services and actions performed must contact the directory for details and locations. AD is the heart of a Windows network. It provides the function of everything from holding the namespace all the way to granular security. AD serves as a true "directory" of user accounts, aliases, object and server names. Permissions and access controls are easily defined and management of network resources is simplified. If you ever worked with Novell Directory Services (NDS), Active Directory will seem similar.

Global Catalog Server

A global catalog server is created by default when AD is deployed on a Windows server. It is used to process logons and answer other queries about the state and location of different objects in the forest. You can specify other servers in your organization to also act as global catalog servers. In organizations with two Windows Servers, I always specify the second server as a duplicate GC and domain controller. This ensures that users can still log on to the domain in the event that one of the servers is down.

Domain Controller

By default, when you install Windows Server, it will have the role of a "stand-alone server." In order to use AD, that role must be changed to a domain controller. The next question you might ask is, how is a domain controller different from a stand-alone server? The simple answer: many ways. A stand-alone server acts much like a regular [xp] box. A DC holds domain-wide directory data and manages user-domain interactions. DCs process logons, authentication and directory searches. By running a server as a DC with Active Directory, management is simplified, and you get a rich, full-featured set of tools to run your network.

Components of a Domain Controller

A domain controller holds all the user accounts, groups, and other organizational units of the network. These are often referred to as "objects." Active Directory creates and maintains a "Global Catalog." The GC is used as a reference to find different objects. It doesn't come into play too much in a small, single-domain network. However, it is important, as many things will take much longer without it.

The best feature of AD is that it will synchronize with any other DC in its domain. For example, you have two servers running AD on the network. If you add two user accounts on server1, those user accounts will automatically appear on server2 in a few minutes. It's called replication. Replication is what makes AD a knight in shining armor.

Personally, I had a situation where a two-server network was operational after one had crashed. However, the server that crashed was the GC, and the second server was not an additional GC. Users were still able to log on (using cached credentials), but navigating through different file shares and some other AD-dependent tasks took nearly 4 times as long. This was because AD was requesting objects from the GC. When it figured out the GC wasn't available, it simply used a "cached" copy of the information from the Active Directory. Needless to say everyone bitched about how slow the network was until I was able to fix it.

BASICS OF ACTIVE DIRECTORY

1. Define Active Directory service.
Answer: ADS is a new logical network model of Windows 2000 and 2003 which includes forests, trees, domains, etc.

2. What is a forest?
Answer: A forest is a collection of one or more trees.

3. What are trees?
Answer: Trees are collections of one or more domains arranged in a hierarchy using parent-child relationships.

4. Which authentication protocols are supported by ADS?
Answer: NTLM and Kerberos.

5. What is the Global Catalog?
Answer: The GC is a DC which maintains a full copy of the local domain partition and a partial copy of the entire forest.

6. What is the function of LDAP?
Answer: LDAP is the protocol used to query or access the Active Directory database. It uses port 389.

7. What are the requirements for ADS?
Answer:
a) Windows 2000/2003 Server operating system
b) TCP/IP protocol and an IP address
c) Network card in an active state
d) NTFS partition

8. What is Sysvol?
Answer: Sysvol (System Volume) is a special folder located on an NTFS partition of a DC for storing domain public files like logon scripts, GPO templates, etc. The contents of the Sysvol folder are replicated to all DCs in the domain.

How to Become a Desktop Engineer Interview Questions
===================

A) Tell me something about yourself.
Tell about your education, the place you belong to, and some struggle in life which shows that you have a positive attitude and the will to fight the odds.

B) Technical Questions:

1) What is Active Directory?
A central component of the Windows platform, the Active Directory directory service provides the means to manage the identities and relationships that make up network environments. For example, we can create, manage and administer users, computers and printers in the network from Active Directory.

2) What is DNS? Why is it used? What are "forward lookup" and "reverse lookup" in DNS? What are A records and MX records?
DNS is the domain naming service and is used for resolving names to IP addresses and IP addresses to names. The computer understands only numbers, while we can easily remember names. So to make it easier for us, we assign names to computers and websites. When we use these names (like yahoo.com) the computer uses DNS to convert the name to an IP address (a number) and then executes our request.
Forward lookup: Converting names to IP addresses is called forward lookup.
Reverse lookup: Resolving IP addresses to names is called reverse lookup.
'A' record: Called the host record; it holds the mapping of a name to an IP address. This is the record in DNS with the help of which DNS can find out the IP address for a name.
'MX' record: Called the mail exchanger record. It is the record needed to locate the mail servers in the network. This record is also found in DNS.

3) What is DHCP? Why is it used? What are scopes and superscopes?
DHCP: Dynamic Host Configuration Protocol. It is used to allocate IP addresses to a large number of PCs in a network environment. This makes IP management very easy.
Scope: A scope contains the IP address range along with the subnet mask, gateway IP, DNS server IP and an exclusion range, which a client can use to communicate with the other PCs in the network.
Superscope: When we combine two or more scopes together it is called a superscope.

4) What are the types of LAN cables used? What is a cross cable?
The types of LAN cables in use are "Cat 5" and "Cat 6". "Cat 5" can support 100 Mbps and "Cat 6" can support 1 Gbps. Cross cable: It is used to connect devices of the same type without using a switch/hub so that they can communicate.

5) What is the difference between a normal LAN cable and a cross cable? What could be the maximum length of a LAN cable?
The way the paired wires are connected to the connector (RJ45) differs between a cross cable and a normal LAN cable. The theoretical length is 100 meters, but after 80 meters you may see a drop in speed due to loss of signal.

6) What would you use to connect two computers without using switches?
A cross cable.

7) What is the IPCONFIG command? Why is it used?
The IPCONFIG command is used to display the IP information assigned to a computer. From the output we can find out the IP address, DNS server IP address and gateway IP address assigned to that computer.

8) What is an APIPA IP address? Or, what IP address is assigned to the computer when the DHCP server is not available?
When the DHCP server is not available, the Windows client computer assigns an automatic IP address to itself so that it can communicate with the network computers. This IP address is called APIPA. APIPA stands for Automatic Private IP Addressing. It is in the range 169.254.X.X.

9) What is a DOMAIN? What is the difference between a domain and a workgroup?
A domain is created when we install Active Directory. It is a security boundary which is used to manage computers inside the boundary. A domain can be used to centrally administer computers and we can govern them using common policies called group policies. We can't do the same with a workgroup.

10) Do you know how to configure Outlook 2000 and Outlook 2003 for a user?
Please visit the link below to find out how to configure Outlook 2000 and Outlook 2003: http://www.it.cmich.edu/quickguides/qg_outlook2003_server.asp

11) What is a PST file and what is the difference between a PST file and an OST file? What file is used by Outlook Express?
A PST file is used to store mail locally when using Outlook 2000 or 2003. An OST file is used when we use Outlook in cached Exchange mode. Outlook Express uses an odb file.

12) What is BSOD? What do you do when you get a blue screen on a computer? How do you troubleshoot it?
BSOD stands for Blue Screen of Death. When there is a hardware or OS fault due to which the Windows OS cannot run, it gives a blue screen with a code. The best way to resolve it is to boot the computer with "Last Known Good Configuration". If this doesn't work, then boot the computer in safe mode. If it boots up, then the problem is with one of the devices or drivers.

13) What is RIS? What is imaging/ghosting?
RIS stands for Remote Installation Services. You save the installed image on a Windows server and then use RIS to install the configured image on new hardware. We can use it to deploy both server and client OSs. Imaging or ghosting also does the same job of capturing an installed image and then installing it on new hardware when there is a need. We go for RIS or imaging/ghosting because installing the OS every time using a CD can be a very time-consuming task. So to save that time we can go for RIS/ghosting/imaging.

14) What is VPN and how do you configure it?
VPN stands for Virtual Private Network. A VPN is used to connect to the corporate network to access resources like mail and files in the LAN. A VPN can be configured using the steps mentioned in the KB: http://support.microsoft.com/kb/305550

15) Your computer slowly drops out of the network. A reboot of the computer fixes the problem. What do you do to resolve this issue?
Update the network card driver.

16) Your system is infected with a virus. How do you recover the data?
Install another system. Install the OS with the latest patches, and antivirus with the latest updates. Connect the infected HDD as a secondary drive in the system. Once done, scan and clean the secondary HDD. Once done, copy the files to the new system.

17) How do you join a system to the domain? What type of user can add a system to the domain?
Please visit the article below and read "Adding the Workstation to the Domain": http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/active directory/stepbystep/domxppro.mspx

18) What is the difference between a switch and a hub?
A switch sends the traffic only to the port it is meant for. A hub sends the traffic to all the ports.

19) What is a router? Why do we use it?
A router is a switch which uses routing protocols to process and send the traffic. It also receives the traffic and sends it across, but it uses the routing protocols to do so.

20) What are manageable and non-manageable switches?
Switches which can be administered are called manageable switches. For example, we can create a VLAN on such a switch. On non-manageable switches we can't do so.

Introduction

Most users log on to their local computer and to remote computers by using a combination of their user name and a password typed at the keyboard. Although alternative technologies for authentication, such as biometrics, smart cards, and one-time passwords, are available for all popular operating systems, most organizations still rely on traditional passwords and will continue to do so for years to come. Therefore it is very important that organizations define and enforce password policies for their computers that include mandating the use of strong passwords. Strong passwords meet a number of requirements for complexity, including length and character categories, that make passwords more difficult for attackers to determine. Establishing strong password policies for your organization can help prevent attackers from impersonating users and can thereby help prevent the loss, exposure, or corruption of sensitive information.

This document explains how to implement strong password policies on computers running the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems. Depending on whether the computers in your organization are members of an Active Directory domain, stand-alone computers, or both, to implement strong password policies you will need to perform one or both of the following tasks:

- Configure password policy settings in an Active Directory domain.
- Configure password policy settings on stand-alone computers.

Once you have configured the appropriate password policy settings, users in your organization will be able to create new passwords only if the passwords meet the length and complexity requirements for strong passwords, and users will not be able to immediately change their new passwords.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

Before configuring password policies on the computers in your network, you need to identify what settings are relevant, determine what values you will use for those settings, and understand how Windows stores password policy configuration information.

Note: The Windows 95, Windows 98, and Windows Millennium Edition operating systems do not support advanced security features such as password policies. If your network includes stand-alone computers (computers that do not belong to a domain) running these operating systems, you will not be able to enforce password policies on them. If your network includes computers running these operating systems that are members of an Active Directory directory service domain, you will be able to enforce password policies at the domain level only.

Identifying Settings Related to Password Policies

For Windows 2000, Windows XP, and Windows Server 2003 there are five settings you can configure that relate to password characteristics: Enforce password history, Maximum password age, Minimum password age, Minimum password length, and Passwords must meet complexity requirements. For help in determining values for these settings that match the business requirements of your organization, see "Selecting Secure Passwords" in the Security Guidance Kit.

- Enforce password history determines the number of unique new passwords a user must use before an old password can be reused. The value of this setting can be between 0 and 24; if this value is set to 0, enforce password history is disabled. For most organizations, set this value to 24 passwords.

- Maximum password age determines how many days a password can be used before the user is required to change it. The value of this setting can be between 0 and 999; if it is set to 0, passwords never expire. Setting this value too low can cause frustration for your users; setting it too high or disabling it gives potential attackers more time to determine passwords. For most organizations, set this value to 42 days.

- Minimum password age determines how many days a user must keep new passwords before they can change them. This setting is designed to work with the Enforce password history setting so that users cannot quickly reset their passwords the required number of times and then change back to their old passwords. The value of this setting can be between 0 and 999; if it is set to 0, users can immediately change new passwords. It is recommended that you set this value to 2 days.

- Minimum password length determines how short passwords can be. Although Windows 2000, Windows XP, and Windows Server 2003 support passwords up to 28 characters, the value of this setting can be only between 0 and 14 characters. If it is set to 0, users are allowed to have blank passwords, so you should not use a value of 0. It is recommended that you set this value to 8 characters.

- Passwords must meet complexity requirements determines whether password complexity is enforced. If this setting is enabled, user passwords must meet the following requirements:
  - The password is at least six characters long.

  - The password contains characters from at least three of the following five categories:
    - English uppercase characters (A - Z)
    - English lowercase characters (a - z)
    - Base 10 digits (0 - 9)
    - Non-alphanumeric (for example: !, $, #, or %)
    - Unicode characters
  - The password does not contain three or more characters from the user's account name. If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected is too high. When checking against the user's full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound signs and tabs. For each token that is three or more characters long, that token is searched for in the password; if it is present, the password change is rejected. For example, the name "Erin M. Hagens" would be split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it would be ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. All of these checks are case insensitive.

  These complexity requirements are enforced upon password change or creation of new passwords. It is recommended that you enable this setting.

Understanding How the Windows Operating System Stores Password Policy Configuration Information

Before you implement password policies in your organization, you need to understand a little about how password policy configuration information is stored in Windows 2000, Windows XP, and Windows Server 2003. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings. There can be only a single password policy for each account database.
An Active Directory domain is considered a single account database, as is the local account database on stand-alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently, if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.

Active Directory domains use Group Policy objects (GPOs) to store a wide variety of configuration information, including password policy settings. Although Active Directory is a hierarchical directory service that supports multiple levels of organizational units (OUs) and multiple GPOs, password policy settings for the domain must be defined in the root container for the domain. When the first domain controller is created for a new Active Directory domain, two GPOs are automatically created: the Default Domain Policy GPO and the Default Domain Controller Policy GPO. Default Domain Policy is linked to the root container. It contains a few critical domain-wide settings, including the default password policy settings. Default Domain Controller Policy is linked to the Domain Controllers OU and contains initial security settings for domain controllers. It is a best practice to avoid modifying these built-in GPOs. If you need to apply password policy settings that diverge from the default settings, you should instead create a new GPO, link it to the root container for the domain or to the Domain Controllers OU, and assign it a higher priority than the built-in GPO: if two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.

Implementing Password Policy Settings Step-by-Step

This section provides the following step-by-step instructions for enhancing security by implementing password policy settings on the computers in your organization.

- Configuring password policy settings in an Active Directory-based domain.
- Configuring password policy settings on stand-alone computers.

Configuring Password Policy Settings in an Active Directory-Based Domain

Requirements
- Credentials: You must be logged on as a member of the Domain Admins group.
- Tools: Active Directory Users and Computers.
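The complexity rules listed under Passwords must meet complexity requirements above (six-character minimum, three of five categories, and the account-name and full-name token checks), modelled as an added Python example; this is not Microsoft's implementation. The account name "ehagens" and the treatment of any non-ASCII character as the "Unicode characters" category are assumptions.

```python
"""Model of the Windows password complexity rules described in this document."""
import re
from typing import List

# Delimiters the document lists for splitting a full name into tokens:
# commas, periods, dashes/hyphens, underscores, spaces, pound signs and tabs.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def category_count(password: str) -> int:
    """Count how many of the five character categories the password draws from.

    Assumption: anything outside 7-bit ASCII counts as the "Unicode" category.
    """
    upper = lower = digit = symbol = unicode_ = False
    for ch in password:
        if "A" <= ch <= "Z":
            upper = True
        elif "a" <= ch <= "z":
            lower = True
        elif "0" <= ch <= "9":
            digit = True
        elif ch.isascii():
            symbol = True  # non-alphanumeric ASCII, e.g. ! $ # %
        else:
            unicode_ = True
    return sum((upper, lower, digit, symbol, unicode_))


def name_tokens(full_name: str) -> List[str]:
    """Split a full name on the delimiters; keep lowercased tokens of 3+ characters."""
    return [tok.lower() for tok in NAME_DELIMITERS.split(full_name) if len(tok) >= 3]


def check_password(password: str, account_name: str, full_name: str = "") -> List[str]:
    """Return the rules the password violates; an empty list means it would be accepted.

    account_name is checked as a whole and skipped when shorter than three characters;
    full_name is tokenised as the document describes. All comparisons are case-insensitive.
    """
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if category_count(password) < 3:
        problems.append("uses fewer than three character categories")
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name %r" % account_name)
    for tok in name_tokens(full_name):
        if tok in lowered:
            problems.append("contains the name token %r" % tok)
    return problems


if __name__ == "__main__":
    # Constructed sample: the user from the document, with an assumed account name.
    for candidate in ("Erin1234!", "Tr0ub4dor&3", "abc12"):
        verdict = check_password(candidate, "ehagens", "Erin M. Hagens")
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```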

To implement password policy on computer systems that belong to an Active Directory domain

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. Right-click the root container for the domain.

Note: Screen shots in this document reflect a test environment and the information might differ from the information displayed on your screen.

3. Select Properties from the menu that appears.

4. In the properties dialog box for your domain, click the Group Policy tab, and then click New to create a new Group Policy object in the root container. Type "Domain Policy" for the name of the new policy and then click Close.

Note: Microsoft recommends that you create a new Group Policy object rather than editing the built-in one called Default Domain Policy because doing so makes it much easier to recover from serious problems with security settings. If the new security settings create problems, you can temporarily disable the new Group Policy object until you isolate the settings that caused the problems.

5. Right-click the root container for the domain, and then click Properties.

6. In the properties dialog box, click the Group Policy tab, and then select Domain Policy.

7. Click Up to move the new GPO to the top of the list, and then click Edit to open the Group Policy Object Editor for the GPO you just created.

8. Under Computer Configuration, navigate to the Windows Settings\Security Settings\Account Policies\Password Policy folder.

9. In the details pane, double-click Enforce password history, select the Define this policy setting check box, set the value of Keep password history to 24, and then click OK.

10. In the details pane, double-click Maximum password age, select the Define this policy setting check box, set the value of Password will expire in to 42, click OK, and then click OK to close the Suggested Value Changes window that appears.

11. In the details pane, double-click Minimum Password Age, select the Define this policy setting check box, set the value of Password can be changed after to 2, and then click OK.

12. In the details pane, double-click Minimum Password Length, select the Define this policy setting check box, set the value of Password must be at least to 8, and then click OK.

13. In the details pane, double-click Password must meet complexity requirements, select the Define this policy setting in the template check box, select Enabled, and then click OK.

14. Close the Group Policy Object Editor, click OK to close your domain's properties dialog box, and then exit Active Directory Users and Computers.
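The two Verifying New Settings procedures that follow compare the policy with a screenshot. As an added, script-based complement (not part of the original document), the Python below parses a security policy export in the INF layout written by secedit /export /cfg <file> on the computer whose effective policy you want to check, and reports deviations from the values recommended above together with the failure modes Before You Begin calls out. The sample export is constructed, with two values deliberately wrong; treating an exported MaximumPasswordAge of -1 as "never expires" is an assumption about secedit's output.

```python
"""Compare an exported Windows security policy with the password values recommended above."""
import configparser
from typing import Dict, List, Tuple

# Recommended values from this document: history 24, maximum age 42 days,
# minimum age 2 days, minimum length 8 characters, complexity enabled (1).
RECOMMENDED = {
    "PasswordHistorySize": 24,
    "MaximumPasswordAge": 42,
    "MinimumPasswordAge": 2,
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,
}

# Constructed sample in the layout "secedit /export /cfg <file>" writes; only the
# [System Access] section matters here, and two values deliberately deviate.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_export(text: str) -> Dict[str, object]:
    """Return the [System Access] settings; numeric values become ints, others stay strings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key capitalisation exactly as written
    parser.read_string(text)
    settings = {}
    for key, value in parser["System Access"].items():
        try:
            settings[key] = int(value)
        except ValueError:
            settings[key] = value.strip('"')
    return settings


def load_export(path: str) -> Dict[str, object]:
    """Read a real secedit export from disk (secedit writes UTF-16 text)."""
    with open(path, encoding="utf-16") as fh:
        return parse_export(fh.read())


def check_policy(settings: Dict[str, object]) -> List[Tuple[str, object, int]]:
    """Return (setting, actual, recommended) for each value that differs from RECOMMENDED."""
    return [(name, settings.get(name), want)
            for name, want in RECOMMENDED.items() if settings.get(name) != want]


def weaknesses(settings: Dict[str, object]) -> List[str]:
    """Flag the failure modes the document describes, independent of the exact numbers."""
    notes = []
    if settings.get("MinimumPasswordLength", 0) == 0:
        notes.append("blank passwords allowed (MinimumPasswordLength = 0)")
    # Assumption: secedit exports "never expires" as -1 where the GUI shows 0.
    if settings.get("MaximumPasswordAge", 0) in (0, -1):
        notes.append("passwords never expire (MaximumPasswordAge = 0)")
    if settings.get("PasswordHistorySize", 0) > 0 and settings.get("MinimumPasswordAge", 0) == 0:
        notes.append("password history can be cycled through immediately (MinimumPasswordAge = 0)")
    if settings.get("PasswordComplexity", 0) != 1:
        notes.append("complexity requirements not enforced")
    return notes


if __name__ == "__main__":
    current = parse_export(SAMPLE_EXPORT)  # swap in load_export(r"C:\policy.inf") on a real host
    for name, actual, want in check_policy(current):
        print("%s: %s (recommended %s)" % (name, actual, want))
    for note in weaknesses(current):
        print("weakness:", note)
```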

Verifying New Settings

Use the following procedure to verify that the appropriate password policy settings are applied and effective in the Domain Policy GPO. Verifying the settings and their operation ensures that the correct password policies will be applied to all users in the domain.

Requirements
- Credentials: You must be logged on as a member of the Domain Admins group.
- Tools: Active Directory Users and Computers.

To verify password policy settings for an Active Directory domain

1. Open Active Directory Users and Computers, right-click your domain, and then click Properties.

2. In your properties dialog box for your domain, click the Group Policy tab, select the Domain Policy GPO, and then click Edit to open the Group Policy Object Editor.

3. Under Computer Configuration, go to the Windows Settings\Security Settings\Account Policies\Password Policy folder, and verify that your settings match the settings you configured in the previous procedure.

4. Close the Group Policy Object Editor, click OK to close the properties dialog box for your domain, and then exit Active Directory Users and Computers.

5. Verify that users cannot specify passwords that are shorter than 8 characters, that they cannot create non-complex passwords, and that they cannot immediately change their new passwords.

Configuring Password Policy Settings on Stand-Alone Computers

Requirements
- Credentials: You must be logged on as a member of the Administrators group.
- Tools: Local Security Policy.

To implement password policy on computer systems that do not belong to an Active Directory domain

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

2. Navigate to the Account Policies\Password Policy folder.

3. In the details pane, double-click Enforce password history, set the value of Keep password history to 24, and then click OK.

4. In the details pane, double-click Maximum password age, set the value of Password will expire in to 42, and then click OK.

5. In the details pane, double-click Minimum Password Age, set the value of Password can be changed after to 2, and then click OK.

6. In the details pane, double-click Minimum Password Length, set the value of Password must be at least to 8, and then click OK.

7. In the details pane, double-click Password must meet complexity requirements, select Enabled, and then click OK.

8. Close Local Security Policy.

Verifying New Settings

Use the following procedure to verify that the appropriate password policy settings are configured and effective for the stand-alone computers in your organization. Verifying the settings and their operation ensures that the correct password policies will be applied to these computers.

Requirements
- Credentials: You must be logged on as a member of the Administrators group.
- Tools: Local Security Policy.

To verify password policy settings for computer systems that do not belong to an Active Directory domain

1. Open Local Security Policy, navigate to the Account Policies\Password Policy folder, and verify that your settings match the settings you configured in the previous procedure.

2. Close Local Security Policy.

3. Verify that users cannot specify passwords that are shorter than 8 characters, that they cannot create non-complex passwords, and that they cannot immediately change their new passwords.

Related Information

For more information about password policies and password-related features in Windows, see the following:

- "Selecting Secure Passwords" in the Security Guidance Kit

- Account Passwords and Policies on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22208
