Week 4: Directory Services
In week four of this course, we dive into directory services, exploring how two of the most widely used directory services, Active Directory and OpenLDAP, work in practice. We also cover centralized management and its value to a sysadmin who has to reach and support the many components of an IT infrastructure. At the end of this module, you should be able to manage users, passwords, and group policies through Active Directory and OpenLDAP.
Learning Objectives
- To describe the services available from a directory server.
- Gain insight into LDAP and Active Directory.
PRACTICE QUIZ: INTRODUCTION TO DIRECTORY SERVICES
1. What roles does a directory server play in centralized management? Check all that apply.
- Authorization
- Confidentiality
- Accounting (CORRECT)
- Centralized authentication (CORRECT)
Great job! A centralized directory server handles authentication, authorization, and accounting in one place, which is both more convenient and more secure than several disconnected local systems, each with its own copy of the accounts.
2. In Active Directory, a Domain Controller functions as which of the following? Check all that apply.
- A DNS server (CORRECT)
- A Kerberos authentication server (CORRECT)
- A server that holds a replica of the Active Directory database (CORRECT)
- A container
Right on! A domain controller holds a replica of the Active Directory database, provides Kerberos authentication (it runs the key distribution center), and normally also acts as a DNS server for the domain.
3. Which component of an LDAP entry contains the unique entry name?
- Common name
- Organizational unit
- Distinguished name (CORRECT)
You got it! The Distinguished Name (DN) uniquely identifies an LDAP entry, and its sequence of components also gives the entry's position in the directory hierarchy: the leftmost component names the entry, and each component to the right names a container one level up.
4. Directory services store information in a hierarchical structure. Which statements about Organizational Units (OUs) of a directory service hierarchy are true? Check all that apply.
- Changes can be made to one sub-OU without affecting other sub-OUs within the same parent. (CORRECT)
- Sub-member OUs inherit the characteristics of their parent OU. (CORRECT)
- Specific files within an OU, or container, are called “objects.” (CORRECT)
- Parent OUs inherit characteristics of their sub-members.
Yes! For instance, you can enforce a stricter password requirement on the employees in one Organizational Unit (OU) while other OUs keep different settings.
Correct! Changes made at a top-level OU cascade down and affect all lower-level OUs under it.
That’s right! Objects are the individual entries in the directory, so an OU (for example one that holds user or computer accounts) can contain many different objects.
5. A directory service is being installed on an exclusively Windows network. Which directory service software would be appropriate to install?
- OpenLDAP
- Active Directory (CORRECT)
- DSP
- DISP
Awesome! Active Directory is Microsoft’s successor to the Windows NT domain model. It exposes its directory data over LDAP, so standard LDAP clients can query it, but it also adds features specific to the Windows platform, such as Kerberos authentication and Group Policy.
6. A Lightweight Directory Access Protocol (LDAP) entry reads as follows: dn: CN=John Smith,OU=Sysadmin,DC=jsmith,DC=com. What is the common name of this entry?
- CN=John Smith,OU=Sysadmin,DC=jsmith,DC=com
- jsmith
- Sysadmin
- John Smith (CORRECT)
Right on! The Common Name (CN) is the name of the object itself, here “John Smith”. Note that only the full DN is guaranteed to be unique; two entries in different OUs can share the same CN.
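The DN format behind questions 3 and 6 is simple to split by eye, but a DN exported from a real directory can contain escaped commas or equals signs inside a value (a CN of “Smith, John”, for instance), which breaks a naive split on commas. The following parser is an added example, not code from the course; the DN values it is tested on are the one from question 6 and a few constructed variants.

```python
"""Parse LDAP distinguished names in their RFC 4514 string form.

Added example, not part of the original quiz. The escape handling is the
point: a backslash before a comma or equals sign means the character is part
of the value, not a separator.
"""


def _split_unescaped(text, sep):
    """Split on `sep` wherever it is not preceded by a backslash; escapes are kept."""
    parts, current, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current += text[i:i + 2]      # keep the escape pair intact for now
            i += 2
        elif text[i] == sep:
            parts.append(current)
            current = ""
            i += 1
        else:
            current += text[i]
            i += 1
    parts.append(current)
    return parts


def _unescape(value):
    """Turn '\\,' into ',' and so on, once the value has been isolated."""
    out, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1]
            i += 2
        else:
            out += value[i]
            i += 1
    return out


def parse_dn(dn):
    """Return the DN as a list of (ATTRIBUTE, value) pairs, leftmost RDN first."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        parts = _split_unescaped(rdn, "=")
        if len(parts) < 2:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr = parts[0].strip().upper()
        # unescaped whitespace around a value is not significant in RFC 4514
        value = _unescape("=".join(parts[1:]).strip())
        rdns.append((attr, value))
    return rdns


def common_name(dn):
    """The CN of the entry: the leftmost RDN's value, if that RDN is a CN."""
    attr, value = parse_dn(dn)[0]
    return value if attr == "CN" else None


def dns_domain(dn):
    """Join the DC components into the DNS name of the domain the entry lives in."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


if __name__ == "__main__":
    quiz_dn = "CN=John Smith,OU=Sysadmin,DC=jsmith,DC=com"   # the DN from question 6
    print(parse_dn(quiz_dn))
    print(common_name(quiz_dn), "@", dns_domain(quiz_dn))
```

`parse_dn` upper-cases attribute names so that `cn=` and `CN=` compare equal; it does not normalise the values, which the directory may or may not treat case-insensitively depending on the attribute's matching rule.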
7. What is the difference between a group policy and a group policy preference?
- Preferences are reapplied every 90 minutes, and policies are more of a settings template.
- Policies are reapplied every 90 minutes, and preferences are a settings template. (CORRECT)
- A policy is editable only by admins, but anyone can edit a group policy preference.
- A preference is editable only by admins, but anyone can edit a policy.
You nailed it! Group Policy settings are enforced: by default a domain-joined machine refreshes them in the background every 90 minutes (plus a random offset of up to 30 minutes), so a user who changes a policy-managed setting sees it reverted at the next refresh. Group Policy Preferences instead set a starting value, a template, that users are allowed to change.
8. Which of these are common reasons a group policy doesn’t take effect correctly? Check all that apply.
- The GPO may be linked to the OU that contains the computer.
- Kerberos may have issues with the UTC time on the clock. (CORRECT)
- Replication failure may occur. (CORRECT)
- Fast Logon Optimization may delay GPO changes from taking effect. (CORRECT)
Kerberos, the authentication protocol Active Directory uses, is time-sensitive. By default, if a computer’s clock differs from the domain controller’s by more than five minutes, authentication fails and the computer cannot retrieve Group Policy. The comparison is made in UTC, so time zones do not matter, but an unsynchronized clock does.
Replication failure can also keep a GPO from applying. A change made on one domain controller has to replicate to the others; until it does, a client that happens to talk to a domain controller that has not yet received the change sees the old GPO, or none at all.
Fast Logon Optimization lets the user log on before Group Policy processing has finished: policy is applied asynchronously in the background, so changes that require a foreground (synchronous) run, such as software installation or folder redirection, may not take effect until a later logon.
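The clock-skew reason above trips people up because they compare local times. The check below, an added example that is not part of the course, compares two timestamps as UTC instants, so a client in one time zone and a domain controller in another are judged on actual skew rather than on their displayed local time. The timestamps it runs on are constructed; the five-minute default is the Kerberos/Active Directory one.

```python
"""Decide whether a client clock is within Kerberos' tolerance of the DC's clock.

Added example, not from the course. Timestamps are ISO 8601 strings that
carry a UTC offset; naive (offset-less) timestamps are rejected because
comparing them silently assumes both machines share a time zone.
"""
from datetime import datetime, timedelta, timezone

# Kerberos default; in AD it is the "Maximum tolerance for computer clock
# synchronization" setting in the Default Domain Policy.
MAX_SKEW = timedelta(minutes=5)


def parse_ts(text):
    """Parse an ISO 8601 timestamp with an offset and return it as UTC."""
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)


def clock_skew(client_ts, dc_ts):
    """Absolute difference between the two clocks, as a timedelta."""
    return abs(parse_ts(client_ts) - parse_ts(dc_ts))


def kerberos_time_ok(client_ts, dc_ts, max_skew=MAX_SKEW):
    """True when the skew is within tolerance, so a Kerberos AS/TGS exchange can succeed."""
    return clock_skew(client_ts, dc_ts) <= max_skew


if __name__ == "__main__":
    # Constructed: client in UTC+1 whose clock is 30 s ahead of a DC in UTC.
    print(kerberos_time_ok("2024-03-01T09:00:30+01:00", "2024-03-01T08:00:00+00:00"))
    # Constructed: same time zone, six minutes apart.
    print(kerberos_time_ok("2024-03-01T09:00:00+00:00", "2024-03-01T09:06:00+00:00"))
```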
9. To manage OpenLDAP policies over Command Line Interface (CLI), a certain type of file is needed.
What is this type of file called?
- TXT files
- LDIF files (CORRECT)
- LDAP config files
- ADL files
You nailed it! LDIF stands for LDAP Data Interchange Format, a plain-text format for representing directory entries and changes to them. An LDIF file consists of records separated by blank lines; each record starts with a dn: line and is followed by attribute: value lines (or a changetype: line for change records). It is the usual way of getting data into and out of an LDAP directory, for example with ldapadd, ldapmodify and ldapsearch.
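The following reader is an added example rather than course material: it parses a small constructed LDIF file (not exported from any real directory) and handles the three features that ad-hoc parsers usually get wrong, namely blank-line record separators, continuation lines that begin with a single space, and base64 values written with a double colon. It also serialises an entry back to LDIF so the round trip can be checked; ldapadd and ldapmodify would consume the result.

```python
"""Minimal LDIF reader and writer (a subset of RFC 2849).

Added example, not from the course. Only attribute records are handled;
change records (changetype: ...) and URL-valued attributes ("attr:< file:///")
are rejected rather than silently mis-parsed.
"""
import base64

# Constructed sample, not taken from a real directory. The description value is
# folded onto a continuation line and the displayName has a trailing space, so
# the exporter had to base64-encode it.
SAMPLE_LDIF = """\
version: 1
dn: ou=Sysadmin,dc=jsmith,dc=com
objectClass: organizationalUnit
ou: Sysadmin

dn: cn=John Smith,ou=Sysadmin,dc=jsmith,dc=com
objectClass: inetOrgPerson
cn: John Smith
sn: Smith
description: A long description that has been folded onto a
  second line by the exporter
displayName:: Sm9obiBTbWl0aCA=
"""


def _unfold(text):
    """Join each continuation line (leading single space) onto the line before it."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends the record
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if name == "version" and not current and not entries:
            continue                              # optional "version: 1" header
        if not current and name != "dn":
            raise ValueError(f"record must start with dn:, got {name!r}")
        if rest.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                # "attr:< <url>"
            raise ValueError("URL-valued attributes are not supported here")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def _needs_base64(value):
    """RFC 2849 SAFE-STRING rules, plus the recommendation to encode trailing spaces."""
    return (value == "" or value[0] in " :<" or value[-1] == " "
            or any(ord(c) > 127 or c in "\0\r\n" for c in value))


def to_ldif(entry):
    """Serialise one entry; dn comes first and unsafe values are base64-encoded."""
    lines = []
    for name in ["dn"] + [k for k in entry if k != "dn"]:
        for value in entry[name]:
            if _needs_base64(value):
                lines.append(f"{name}:: {base64.b64encode(value.encode()).decode()}")
            else:
                lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(to_ldif(entry))
```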
10. What are the three ways to authenticate to an LDAP server?
- Simple bind (CORRECT)
- Anonymous bind (CORRECT)
- PGP
- SASL (CORRECT)
Awesome! An anonymous bind supplies no credentials at all. A simple bind sends a DN and a password, and unless the connection is protected by TLS (LDAPS or StartTLS) that password crosses the wire in cleartext. A SASL bind negotiates a mechanism such as GSSAPI (Kerberos) and can add integrity and confidentiality layers to protect the credentials and the session.
11. When there are conflicting GPOs, what’s the order in which they’re evaluated and applied?
- OU, Site, Domain
- Site, Domain, OU (CORRECT)
- Site, OU, Domain
- OU, Domain, Site
Correct! Local policy is applied first, then site-linked GPOs, then domain-linked GPOs, and finally OU-linked GPOs from the least specific (parent) OU down to the OU that contains the object. A GPO applied later overrides conflicting settings from one applied earlier, so the most specific OU-linked GPO normally wins.
12. What would you use if you wanted to set a default wallpaper background for all machines in your company, but still wanted users to be able to set their own wallpaper?
- A policy
- A preference (CORRECT)
Yep! A preference can be set using a GPO to alter the default settings while leaving the flexibility of changing them to the users.
13. Which is NOT an advantage of replication of data in terms of directory services?
- It allows you to manage user accounts locally. (CORRECT)
- It provides redundancy for your data.
- It decreases latency when you access the directory service.
- It allows flexibility, allowing you to easily create new object types as your needs change.
Well done! Replication copies the directory to every domain controller, which gives redundancy and lets clients query a nearby replica with lower latency. Managing accounts locally is the opposite of what a directory service offers: user and computer accounts are managed centrally, from one machine, and the result is replicated everywhere.
14. What are examples of Lightweight Directory Access Protocol (LDAP) directory server software? Check all that apply.
- RDP
- ADUC
- OpenLDAP (CORRECT)
- Microsoft’s Active Directory (CORRECT)
Great job! OpenLDAP is an open-source implementation of LDAP that runs on a variety of platforms, including Windows, Linux, and other Unix derivatives such as BSD, AIX, Solaris and HP-UX, and even Android.
Active Directory likewise uses LDAP as the protocol for accessing its directory data, with additional features built specifically for the Windows platform.
15. Which of these are common ways to authenticate LDAP directory queries? Check all that apply.
- Anonymous (CORRECT)
- SASL Authentication (CORRECT)
- Simple (CORRECT)
- Private
In anonymous binding, there is no authentication taking place at all.
SASL authentication is commonly used and can integrate security protocols like TLS and Kerberos for enhanced protection.
Simple authentication requires the entry’s DN and password, which are sent in cleartext unless the connection is protected by TLS, so a simple bind over plain LDAP on port 389 exposes the password to anyone on the path.
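To make the difference between the bind types in questions 10 and 15 concrete (and the bind a website performs in question 22), the following added example, which is not course code, encodes LDAPv3 bind requests exactly as they appear on the wire, using the BER tags from RFC 4511. Running `password_visible` on the result shows that a simple bind places the password in the PDU verbatim, which is why it needs TLS, while an anonymous bind is an empty name plus empty credentials and a SASL bind carries a mechanism name instead of a password. The DN and password are made up.

```python
"""Encode LDAPv3 BindRequest PDUs (RFC 4511) to show what each bind type sends.

Added example, not from the course. Only what a bind needs is implemented:
BER SEQUENCE, INTEGER, OCTET STRING and the context-specific tags of the
AuthenticationChoice.
"""


def _ber_len(n):
    """BER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(n):
    # Non-negative only; a leading 0x00 is added when the top bit would be set.
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return _tlv(0x02, body)


def bind_request(message_id, dn, auth):
    """LDAPMessage { messageID INTEGER, protocolOp BindRequest [APPLICATION 0] }.

    auth is ("simple", password) or ("sasl", mechanism, credentials_or_None).
    """
    if auth[0] == "simple":
        credentials = _tlv(0x80, auth[1].encode())   # simple [0] OCTET STRING
    elif auth[0] == "sasl":
        inner = _tlv(0x04, auth[1].encode())         # mechanism LDAPString
        if auth[2] is not None:
            inner += _tlv(0x04, auth[2])             # credentials OCTET STRING
        credentials = _tlv(0xA3, inner)              # sasl [3] SaslCredentials SEQUENCE
    else:
        raise ValueError(f"unknown bind type {auth[0]!r}")
    bind = _tlv(0x60, _integer(3) + _tlv(0x04, dn.encode()) + credentials)  # version 3
    return _tlv(0x30, _integer(message_id) + bind)


def simple_bind(dn, password, message_id=1):
    return bind_request(message_id, dn, ("simple", password))


def anonymous_bind(message_id=1):
    """Anonymous bind: empty name and empty simple credentials."""
    return bind_request(message_id, "", ("simple", ""))


def sasl_bind(mechanism, credentials=None, message_id=1):
    """SASL bind: the name is normally empty; identity comes from the mechanism exchange."""
    return bind_request(message_id, "", ("sasl", mechanism, credentials))


def password_visible(pdu, password):
    """True when the raw password bytes sit verbatim in the PDU (what a sniffer sees without TLS)."""
    return password.encode() in pdu


if __name__ == "__main__":
    # Constructed DN and password; nothing here comes from a real directory.
    dn, pw = "cn=John Smith,ou=Sysadmin,dc=jsmith,dc=com", "Hunter2!"
    for label, pdu in [("anonymous", anonymous_bind()),
                       ("simple", simple_bind(dn, pw)),
                       ("sasl", sasl_bind("GSSAPI"))]:
        print(f"{label:9} {pdu.hex()}  password visible: {password_visible(pdu, pw)}")
```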
16. Which of these statements about Active Directory (AD) are true? Check all that apply.
- AD is incompatible with Linux, OS X, and other non-Windows hosts.
- AD can “speak” LDAP. (CORRECT)
- AD is used as a central repository of group policy objects, or GPOs. (CORRECT)
- AD includes a tool called the Active Directory Authentication Center, or ADAC.
Active Directory, like OpenLDAP, speaks the LDAP protocol, which is also how non-Windows hosts such as Linux and macOS can query it and authenticate against it.
Active Directory also provides centralized authentication and directory services. It acts as a centralized database for Group Policy Objects (GPOs), which are critical for Windows machine configuration management.
17. The following command is typed into PowerShell: Add-Computer -DomainName 'mywebsite.com' -Server 'dc2'. What does this command do?
- Changes the computer's name in the ADAC
- Tells us the functional level of the current version of AD
- Joins a computer to the domain mywebsite.com using Domain Controller 2 (CORRECT)
- Adds a computer to a workgroup
Woohoo! Once the computer has been joined to the domain through PowerShell (the -Server parameter names the domain controller to use for the join), it authenticates to the domain, and Group Policy can centrally manage its configuration and settings. This saves administrative effort and enforces security policy on every domain-joined computer.
18. A particular computer on your network is a member of several GPOs. GPO-A has precedence set to 1. GPO-B has precedence set to 2, and GPO-C has precedence set to 3. According to the given levels of precedence, what will be the resultant set of policy (RSOP) for this machine?
- GPO-C will take precedence and overwrite any conflicting settings.
- GPO-A will take precedence and overwrite any conflicting settings. (CORRECT)
- GPO-B will take precedence and overwrite any conflicting settings.
- The computer will default to local policy due to the confusion.
Great work! Within one container, GPOs are applied from the highest link order number to the lowest, so the GPO with link order 1 is applied last and overrides the others. Across containers, the least specific container is applied first and the most specific last. The GPO with precedence 1 is therefore the one in effect.
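Questions 11 and 18 describe the two halves of GPO precedence: the container order (site, domain, OU) and the link order within a container. The resolver below is an added example, not course material, that implements both rules and adds the Enforced flag a practitioner meets in practice: an enforced link is applied after every non-enforced one, and among enforced links the one from the higher-level container wins. The GPO names and settings are made up; the first scenario in the test is the one from question 18.

```python
"""Resolve the Resultant Set of Policy (RSoP) for a list of GPO links.

Added example, not from the course. Processing order: local, site, domain,
OU (parent before child); within a container, link order N is processed
before N-1, so link order 1 is processed last. Later processing wins on
conflict. Enforced links are processed after all the rest, in reverse
specificity, so the least specific enforced link wins.
"""
from dataclasses import dataclass, field

LEVELS = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GpoLink:
    gpo: str
    scope: str                       # "local", "site", "domain" or "ou"
    link_order: int = 1              # 1 = highest precedence within the container
    ou_depth: int = 0                # for "ou": 0 = top-level OU, 1 = its child, ...
    enforced: bool = False
    settings: dict = field(default_factory=dict)   # setting name -> value


def application_order(links):
    """Return the links in the order Group Policy processes them (last one wins)."""
    normal = [l for l in links if not l.enforced]
    enforced = [l for l in links if l.enforced]
    # least specific container first; inside a container, higher link order number first
    normal.sort(key=lambda l: (LEVELS[l.scope], l.ou_depth, -l.link_order))
    # enforced: most specific container first, so the least specific one is applied last
    enforced.sort(key=lambda l: (-LEVELS[l.scope], -l.ou_depth, -l.link_order))
    return normal + enforced


def resultant_setting(links, setting):
    """Value of one setting in the RSoP and the GPO that supplied it, or (None, None)."""
    winner = (None, None)
    for link in application_order(links):
        if setting in link.settings:
            winner = (link.settings[setting], link.gpo)   # later application overrides
    return winner


def resultant_set(links):
    """Full RSoP: every setting mapped to (value, winning GPO)."""
    rsop = {}
    for link in application_order(links):
        for name, value in link.settings.items():
            rsop[name] = (value, link.gpo)
    return rsop


if __name__ == "__main__":
    # Constructed: the three links from question 18, all in the computer's OU.
    q18 = [GpoLink("GPO-A", "ou", link_order=1, settings={"ScreenSaverTimeout": 300}),
           GpoLink("GPO-B", "ou", link_order=2, settings={"ScreenSaverTimeout": 600}),
           GpoLink("GPO-C", "ou", link_order=3, settings={"ScreenSaverTimeout": 900})]
    print([l.gpo for l in application_order(q18)], resultant_setting(q18, "ScreenSaverTimeout"))
```

If you need to know why a setting has the value it has on a real machine, compare the result with `gpresult /r` or the Group Policy Results wizard in GPMC; this model deliberately leaves out Block Inheritance, WMI filters and security filtering.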
19. What are the main differences between OpenLDAP and Microsoft’s Active Directory (AD)? Check all that apply.
- AD is open-source, and OpenLDAP is not.
- OpenLDAP doesn’t work on Windows, but AD can be used on any operating system.
- OpenLDAP is open source, and AD is not. (CORRECT)
- OpenLDAP works on any operating system, AD does not. (CORRECT)
OpenLDAP is a free, open-source and widely used directory service.
It runs on many operating systems, including Linux, macOS, and Microsoft Windows, whereas Active Directory runs only on Windows Server (even though clients on other platforms can use it over LDAP and Kerberos).
20. In order to authenticate user accounts against AD, what must be done to the computer first?
- Configure the firewall
- Enable the administrator account
- Join it to the domain (CORRECT)
- Configure remote logging
Excellent! The computer must be joined to the domain so that user accounts can authenticate against a domain controller instead of the local account database. That is what allows all user accounts across the network to be authenticated centrally.
21. A client discovers the address of a domain controller by making a DNS query for which record?
- A record
- AAAA record
- SRV record (CORRECT)
- TXT record
That’s it! To find a domain controller, the client queries DNS for the SRV (service) records that the domain’s controllers register, such as _ldap._tcp.dc._msdcs.<domain>. The answer names domain controllers that can handle authentication for that domain, which is how domain-joined devices locate Active Directory in the first place.
22. When you log into a website that uses a directory service, what command authenticates your username and password?
- Remove
- Add
- Bind (CORRECT)
- Modify
Exactly! A directory-enabled website authenticates a user by performing an LDAP bind with the user’s DN and the supplied password (typically after searching the directory for the entry that matches the username). If the bind succeeds, the directory has verified the password and the website grants access to the account and the services it offers; the website never has to store or compare the password itself.
23. You’d like to change the minimum password length policy in the Default Domain Policy group policy object (GPO). What’s the best way to go about doing this?
- Manually edit config files in SYSVOL
- Open ADAC and edit policy settings there
- Open the Group Policy Management Console by running gpmc.msc from the CLI (CORRECT)
- Edit the Windows Registry to change group policy settings
Correct! To change a group policy, open the Group Policy Management Console (GPMC), which is where administrators configure and manage the GPOs that apply to users and computers in the domain. Editing SYSVOL files or the registry by hand bypasses the versioning GPMC maintains and is easy to get wrong. Note that account policies such as minimum password length only take effect for domain accounts when set in a GPO linked at the domain level, which is why the Default Domain Policy is the right place for them.
24. You’re trying to remove an organizational unit (OU) that an LDAP Data Interchange Format (LDIF) file refers to. Which Command Line Interface (CLI) command would you use?
- ldapsearch
- ldapmodify
- ldapdelete (CORRECT)
- ldapadd
Correct! ldapdelete removes the entry with the given distinguished name, that is, the dn: of the LDIF record that describes the OU. The DN can be passed on the command line or read from a file with -f. Note that LDAP refuses to delete an OU that still has child entries, so remove the children first or use ldapdelete -r to delete the whole subtree.
25. Instead of assigning access for each user account individually, ________ is a more efficient and easier-to-manage approach.
- Centralized Authentication
- Role-Based Access Control (RBAC) (CORRECT)
- Active Directory
- LDAP
Precisely! Role-Based Access Control (RBAC) simplifies access management by assigning access rights to roles instead of to individual accounts. Users receive a role based on their job function, which makes access to resources far easier to manage and review, and keeps the principle that only authorized users reach a given resource intact as people join, move and leave.
26. Which of these are advantages of centralized management using directory services? Check all that apply.
- Access and authorization are managed in one place. (CORRECT)
- Configuration management is centralized. (CORRECT)
- Configuration can take place at each device.
- Role-based Access Control (RBAC) can organize user groups centrally. (CORRECT)
Well done! You create user accounts and manage their access to resources for the whole organization from one central system.
Great! Centralized configuration management lets you install printers, configure software, or mount network filesystems without visiting every individual computer.
Good work! In most organizations, access to computers and network resources is granted based on role. If your job role changes, only your group memberships need updating, rather than the access rights on each resource.
27. Which of these statements are true about Domain Controllers (DCs)? Check all that apply.
- Delegation can be used in Active Directory. (CORRECT)
- The default Organizational Unit (OU) called Domain Controllers contains all Domain Controllers in the domain.
- Changes that are safe to make on multiple Domain Controllers at once are handled by granting them Flexible Single-Master Operations roles.
- You should always use your Domain Admin or Enterprise Admin for day-to-day use.
Correct! Just as NTFS Discretionary Access Control Lists (DACLs) let you set permissions per file and folder, Active Directory objects carry their own ACLs. You can therefore delegate specific rights on an OU or object to a user or group (for example, resetting passwords in one OU) without handing out Domain Admin or Enterprise Admin membership, and apply the same structured security and access model to both files and directory objects.