Open Systems Interconnection (OSI) - Layer definitions

No. | Layer        | Definition
7   | Application  | Performs services for the applications used by end users.
6   | Presentation | Provides data format information to the application. For example, the presentation layer tells the application layer whether there is encryption or whether it is a JPEG picture.
5   | Session      | Manages sessions between users. For example, the session layer will synchronize multiple web sessions and voice and video data in web conferences.
4   | Transport    | Defines data segments and numbers them at the source, transfers the data, and reassembles the data at the destination.
3   | Network      | Creates and addresses packets for the end-to-end delivery through intermediary devices in other networks.
2   | Data link    | Creates and addresses frames for the host-to-host delivery on the local LANs and between WAN devices.
1   | Physical     | Transmits binary data over media between devices. Physical layer protocols define media specifications.
Reference: Dean (2010), Chapter 2.

OSI layers - PDU and typical device

No. | Layer     | PDU     | Device
4   | Transport | Segment | -
3   | Network   | Packet  | Router
2   | Data link | Frame   | Bridge/Switch
1   | Physical  | Bit     | Repeater/Hub

Logical address rules
> Addresses in the same subnet must be connected to the same LAN (i.e. connect to the same bus, hub or switch)
> Communication with other subnets must be sent to a router or gateway

Logical Address Constraints - IP - 1
> 224.0.0.0 - 239.255.255.255 are reserved for multicast purposes
> 240.0.0.0 - 255.255.255.254 are reserved for IETF research purposes
> 127.0.0.1 - 127.255.255.255 is reserved for this device (loopback address)
> 255.255.255.255 is reserved for all devices (universal broadcast address)

Logical Address Constraints - IP - 2
> Private IP addresses are addresses reserved for private networks, and cannot be used for internet traffic (note: NAT provides a workaround):
  - 10.0.0.0 - 10.255.255.255
  - 172.16.0.0 - 172.31.255.255
  - 192.168.0.0 - 192.168.255.255
> Automatic private IP addresses (APIPA): 169.254.0.0 - 169.254.255.255
> First address and last address of each subnet. E.g. for the subnet 136.186.0.0 255.255.0.0:
  - 136.186.0.0 is the network ID for this subnet
  - 136.186.255.255 is the broadcast address for this subnet

Which of these IP addresses are valid for a device?
A. 238.1.2.3 255.255.255.0
B. 129.254.255.127 /24
C. 172.16.129.255 255.255.255.0
D. 172.16.10.0 255.255.255.0
E. 172.16.10.0 255.255.0.0
F. 172.16.10.255 /16
G. 169.254.97.123 255.255.0.0

You Must Remember!
> Devices must be in the same subnet to communicate in the same LAN. Thus an IP address and a subnet mask must be configured at a minimum.
> In order to communicate with other subnets a router must be used. Thus a default gateway address must be configured in order to communicate outside the local LAN.

Calculating Subnet ID and Subnet Broadcast Address

Address    172 . 16 . 255 . 1      10101100 . 00010000 . 11111111 . 00000001
Mask       255 . 255 . 0 . 0       11111111 . 11111111 . 00000000 . 00000000
AND        172 . 16 . 0 . 0        10101100 . 00010000 . 00000000 . 00000000
Subnet ID  172 . 16 . 0 . 0        10101100 . 00010000 . 00000000 . 00000000
Broadcast  172 . 16 . 255 . 255    10101100 . 00010000 . 11111111 . 11111111
Reference: Dye, M. (2008), Network Fundamentals - CCNA Exploration Guide, pp. 209-211

Ten Areas of PM Knowledge
1. Integration Management
2. Scope Management
3. Time Management
4. Cost Management
5. Quality Management
6. Human Resource Management
7. Communications Management
8. Risk Management
9. Procurement Management
10. Stakeholder Management

PMBOK Area 1 - Integration and Stakeholders
Stakeholders are the people involved in or affected by project activities and include:
1. Those who may be affected but don't need to be informed
2. Those who will be affected or involved and need to be informed
3. Those who will have input into the decision making process
4. Those who have authority to make decisions
All stakeholders need to be considered when making decisions. Stakeholder Management is so important that, in the latest PMBOK, it has been made the 10th knowledge area!

PMBOK Area 1 - Integration and Key Stakeholders
Key stakeholders have a role in making decisions in the project. They tend to be specialised in areas of feasibility related to the project. Common feasibility concerns:
> Technical - Is the project technically possible?
> Economic - Can we afford this project? Will it increase profit?
> Legal - Can we be thrown in jail for doing this?
> Organisational - Will the organisation accept this change?
> Scheduling - Can we do it in time?
Tip: form a project steering committee with authority and skills in these areas.

Q. What is the Broadcast Address of 172.16.5.86 /26?
/26 is 255.255.255.192, thus the gap will be 256 - 192 = 64. Or: the gap = the value of the right-most 1 bit in the 4th octet of the mask (11000000 = 128 + 64, so the right-most 1 is worth 64).
Subnet ID       172.16.5.64
First valid IP  172.16.5.65
Last valid IP   172.16.5.126
Broadcast ID    172.16.5.127
Next subnet ID  172.16.5.128

Agile, Iterative & Hybrid Projects
The 10 PMBOK knowledge areas are useful for larger predictive projects. Many software, ICT, etc. projects are smaller and need to be more adaptable to the changing needs of the client. Agile project management is also desired in these fields.
Most companies will use a hybrid project management, with predictive strategies used for the overall project and agile strategies for the sub-projects.
Reference: PMI (2017), Appendix X3: Agile, Iterative, Adaptive, and Hybrid Project Environments

If quality is important, test!
* Know what to test for
* Design experiments that accurately test
* Unit Test - within each component
* Integration Test - between each component
* System Test - all components
* User Acceptance Test - prior to client sign off
Source: Schwalbe (2010), Information Technology Project Management, pp. 296-298, 313

PMBOK Area 6 - Project Human Resource Management
* What skills are required to get the project completed?
* How do we procure those who have the skills? Or how do we train people to have those skills?
* Whom do we assign to each task?
* How do we schedule the tasks to maximise the critical skills?
* Who in the project team do we go to for this problem?
* How do we motivate our human resources to produce quality work and finish on time?
Reference: Schwalbe (2010), Information Technology Project Management, Ch. 9

PMBOK Area 7 - Project Communications Management
When managing communication the following decisions need to be made:
- who is responsible for the communication?
- to whom do they communicate?
- what do they communicate? i.e. progress, changes, down time for current systems
- how will they communicate? (i.e. what methods of communication will be used?)
- when will they communicate these things?
Reference: Schwalbe (2010), Information Technology Project Management, Ch. 9

PMBOK Area 8 - Project Risk Management
Before we can manage a project we need to ascertain:
1. The IMPACT the eventuation of this risk would have on this project
2. The LIKELIHOOD or probability that this risk would eventuate during the life of the project
Combining these factors we prioritise the risks and then deploy strategies to MITIGATE the chance of the risk eventuating and the damage.
Quantitative Technique - Expected Monetary Value
Decision: Probability (P) times Outcome = EMV

Project 1   P = 20%  x  $300,000  =  $60,000
            P = 80%  x  $40,000   =  $32,000
Project 2   P = 20%  x  $50,000   =  $10,000
            P = 10%  x  $20,000   =  $2,000
            P = 70%  x  $60,000   =  $42,000
Source: Schwalbe, K. (2010), Information Technology Project Management, p. 442

Qualitative Technique - Medium Probability
Source: Schwalbe, K. (2010), Information Technology Project Management, p. 442

Probability Impact Matrix (figure: risks 2, 3, 5, 7 and 11 plotted by probability against impact)
Source: Schwalbe (2010), Information Technology Project Management, p. 429

PMBOK Area 9 - Project Procurement Management
* Ensure that your procurement practices align with your client's practices
* Make procurement decisions in the right order, e.g.:
  1. Business practices determine software requirements
  2. Software requirements determine:
     + Hardware platform / operating system
     + Hardware specifications
     + Training requirements / HR requirements
* Ensure that you get approval before you spend the client's money
* Procurement management also deals with contracts

SOEs - Standard Operating Environment
+ Means that you restrict hardware purchases to pre-approved models
+ You restrict the number of models approved to a number of categories. For example:
  - Standard Workstations
  - Power User Workstations
  - Servers
+ These tend to be all from the same vendor, thus increasing the compatibility between the computers and allowing cloning of disk images
+ Vendors agree to keep these models in production for a guaranteed period

The TCP/IP Protocol Suite (diagram)
Davies & Taussig (2007), Ch. 2

What Is a Socket?
A socket is a combination of an IP address, a transport protocol, and a port number.
Davies & Taussig (2007)

You Must Remember!
* Devices must be in the same subnet to communicate in the same LAN. Thus an IP address and a subnet mask must be configured at a minimum.
* In order to communicate with other subnets a router must be used. Thus a default gateway address must be configured in order to communicate outside the local LAN.

IPv4 Addressing (diagram: Subnet 1)
* Network portion of addresses identical
* Host portion of addresses unique for the subnet

Simple IPv4 Implementations - Classes
Class A   leading bit 0     8 network bits, 24 host bits (2^24 host addresses)
Class B   leading bits 10   16 network bits, 16 host bits (2^16 host addresses)
Class C   leading bits 110  24 network bits, 8 host bits (2^8 host addresses)

Logical Address Constraints
* 224.0.0.0 - 239.255.255.255 are reserved for multicast purposes
* 240.0.0.0 - 255.255.255.254 are reserved for IETF research purposes
* 127.0.0.1 - 127.255.255.255 is reserved for this device (loopback address)
* 255.255.255.255 is reserved for all devices (universal broadcast address)
* First address and last address of each subnet (the network ID and the broadcast address)
* Private IP addresses are addresses reserved for private networks, and cannot be used for internet traffic (note: NAT provides a workaround):
  - 10.0.0.0 - 10.255.255.255 - Class A
  - 172.16.0.0 - 172.31.255.255 - Class B
  - 192.168.0.0 - 192.168.255.255 - Class C
* Automatic private IP addresses (APIPA): 169.254.0.0 - 169.254.255.255
* If you want a server to host a resource (e.g. a web page) from anywhere on the internet you must allocate the server a PUBLIC IP address. Generally speaking, a public address is an address that is not restricted by the rules on this slide.

Multiple Subnet Network for 198.64.32.0/24 (four /26 subnets)
198.64.32.0 in binary: 1100 0110 . 0100 0000 . 0010 0000 . 0000 0000 (Network . Network . Network . Subnet+Host)
198.64.32.0/26     last octet 0000 0000
198.64.32.64/26    last octet 0100 0000
198.64.32.128/26   last octet 1000 0000
198.64.32.192/26   last octet 1100 0000

Borrowing Host Bits to Create Subnets
A Class C network has 24 network bits and 8 host bits, i.e. one subnet of 256 addresses. Borrowing host bits as subnet bits divides that block into smaller subnets.
Question 1: How many bits do we need to borrow if we want 8 subnets?
Answer 1: We must borrow 3 subnet bits.
Question 2: How many bits do we need to borrow if each of our subnets must have 8 addresses? (for the nerds - this includes the ID and broadcast addresses)
Answer 2: We must borrow 4 subnet bits (Note: we need 10 addresses, so we borrow 4 subnet bits)

The Benefits of Using Subnetting
* Use a single network address across multiple locations (e.g. divide a Class B network address so that each branch can have its own subnet)
* Reduce network congestion by segmenting traffic
* Increase security by using firewalls to separate subnets

Calculating Subnet ID and Subnet Broadcast Address (155.67.89.0 255.255.255.0)
Mask       255 . 255 . 255 . 0    11111111 . 11111111 . 11111111 . 00000000
AND        155 . 67 . 89 . 0      10011011 . 01000011 . 01011001 . 00000000
Subnet ID  155 . 67 . 89 . 0      10011011 . 01000011 . 01011001 . 00000000
Broadcast  155 . 67 . 89 . 255    10011011 . 01000011 . 01011001 . 11111111
Reference: Dye, M. (2008), Network Fundamentals - CCNA Exploration Guide, pp. 208-211

Subnetting with a non-255 subnet octet (binary method)
Address      192 . 168 . 10 . 0      11000000 . 10101000 . 00001010 . 00000000
Mask         255 . 255 . 255 . 224   11111111 . 11111111 . 11111111 . 11100000
AND          192 . 168 . 10 . 0      11000000 . 10101000 . 00001010 . 00000000
Subnet ID    192 . 168 . 10 . 0
First avail  192 . 168 . 10 . 1      11000000 . 10101000 . 00001010 . 00000001
Last avail   192 . 168 . 10 . 30     11000000 . 10101000 . 00001010 . 00011110
Broadcast    192 . 168 . 10 . 31     11000000 . 10101000 . 00001010 . 00011111

Subnetting in a Flash - For non-255 masks 1/2
There are 256 possibilities for every octet. Example: 192.168.10.0 255.255.255.224
1. Subtract the non-255 number from 256: 256 - 224 = 32
2. Start at zero and count by the result until you get to 256: 0, 32, 64, 96, 128, 160, 192, 224, 256
3. These numbers become the last octet of your subnet IDs: 192.168.10.0, 192.168.10.32, 192.168.10.64, 192.168.10.96, etc.
4. This forms the basis of your subnetting table

Subnetting in a Flash - For non-255 masks 2/2
Extending from our base we build the table for our subnet plan:
No. | Network     | ID  | First | Last | B'cast
0   | 192.168.10. | 0   | 1     | 30   | 31
1   | 192.168.10. | 32  | 33    | 62   | 63
2   | 192.168.10. | 64  | 65    | 94   | 95
3   | 192.168.10. | 96  | 97    | 126  | 127
4   | 192.168.10. | 128 | 129   | 158  | 159
5   | 192.168.10. | 160 | 161   | 190  | 191
6   | 192.168.10. | 192 | 193   | 222  | 223
7   | 192.168.10. | 224 | 225   | 254  | 255
(256 ends the table)

Troubleshooting Using Subnetting in a Flash
Can PCa: 192.168.10.29 /28 ping PCb: 192.168.10.34 /28, if they are connected to the same LAN? (Remember /28 = 255.255.255.240)
256 - 240 = 16
0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240 forms the basis of our subnet plan
No. 1: ID = 16, B'cast = 31, 1st = 17, Last = 30 <<< PCa's subnet
No. 2: ID = 32, B'cast = 47, 1st = 33, Last = 46 <<< PCb's subnet
They are in different subnets, hence they cannot communicate.

What about 172.16.0.0 /18?
Mask 255.255.192.0
No. | Network | ID    | First | Last
0   | 172.16. | 0.0   | 0.1   | 63.254
1   | 172.16. | 64.0  | 64.1  | 127.254
2   | 172.16. | 128.0 | 128.1 | 191.254
3   | 172.16. | 192.0 | 192.1 | 255.254
(256 ends the table)
See Todd Lammle, CCNA Cisco Certified Network Associate Study Guide, Chapter 4, Seventh Edition, Wiley, 2011 (e-book in library)

Configuring IPv4 Manually
Internet Protocol Version 4 (TCP/IPv4) Properties dialog (screenshot), or using PowerShell:
    New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 172.16.16.10 -PrefixLength 20 -DefaultGateway 172.16.16.1

IPv4 Troubleshooting Tools
Tool     | Description
netstat  | Displays statistics and other information about current IPv4 and IPv6 connections
ping     | Tests IPv4 or IPv6 connectivity to other IP nodes
route    | Displays IPv4 and IPv6 routing tables and modifies the local IPv4 routing table
pathping | Traces the route that an IPv4 or IPv6 packet takes to a destination and displays information on packet losses for each router and subnet in the path
Davies & Taussig (2007), Ch. 2

tracert
tracert is like a sequence of increasing pings that helps to map out the path our data travels in. It helps us to identify where along that path the connection may be down.

Troubleshooting Utilities by layer
No. | Layer     | PDU     | Device        | Utilities
4   | Transport | Segment |               |
3   | Network   | Packet  | Router        | ping, traceroute, ipconfig, route print
2   | Data link | Frame   | Bridge/Switch | Ethernet, MAC, arp, ipconfig
1   | Physical  | Bit     | Repeater/Hub  | Lights/indicators

DESIGN - Some Algebra
To calculate the number of bits (n) required, where x = the number of subnets required:
n = roundup( ln(x) / ln(2) )
Or remember the table of powers of 2. Note: students are not required to memorise equations.
Warren (2017), Ch. 5, Plan an IPv4 addressing scheme, p. 233; Davies & Taussig (2007), Ch. 2

When determining host addresses you should:
* Choose the number of host bits based on the number of hosts that you require on each subnet
* Use 2^n - 2 to determine the number of hosts that are available on each subnet
For subnets with 100 hosts, seven host bits are required:
* 2^6 - 2 = 62 hosts (not enough)
* 2^7 - 2 = 126 hosts
Warren (2017), Ch. 5, Plan an IPv4 addressing scheme, p. 253; Davies & Taussig (2007), Ch. 2
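The subnetting arithmetic on the slides above (AND with the mask for the subnet ID, OR with the inverted mask for the broadcast, the "Subnetting in a Flash" gap, the same-subnet test for PCa/PCb, the bit counts for x subnets or h hosts, and the address constraints from the "valid for a device" quiz) is written out below as an added example. It is not code from the slides or from any of the cited textbooks; the functions, and the addresses in the usage section, are constructed for this page, and the supernet check at the end generalises the same boundary arithmetic to the consolidation rule used later in the deck.

```python
"""IPv4 subnetting arithmetic as taught on the slides, with plain integer
operations so that every step is visible. Added example; the addresses used
are the slides' worked cases plus constructed ones."""

def ip_to_int(ip):
    """Dotted decimal -> 32-bit integer; rejects anything but four octets 0-255."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix):
    """/prefix -> mask as an integer, e.g. 27 -> 0xFFFFFFE0 (255.255.255.224)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    """Dotted mask -> prefix length; a real mask is contiguous 1s followed by 0s."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_mask(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def subnet_info(ip, prefix):
    """Binary method: network = ip AND mask, broadcast = network OR NOT mask."""
    mask = prefix_mask(prefix)
    net = ip_to_int(ip) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    return {"network": int_to_ip(net), "first": int_to_ip(net + 1),
            "last": int_to_ip(bcast - 1), "broadcast": int_to_ip(bcast)}

def gap(mask):
    """'Subnetting in a Flash': 256 minus the first non-255 mask octet is the
    step between subnet IDs in that octet (255.255.255.224 -> 32)."""
    for octet in mask.split("."):
        if octet != "255":
            return 256 - int(octet)
    return 1

def subnet_table(parent, parent_prefix, sub_prefix):
    """Every /sub_prefix subnet inside parent/parent_prefix, as subnet_info rows."""
    if sub_prefix < parent_prefix:
        raise ValueError("subnets cannot be larger than the parent block")
    start = ip_to_int(parent) & prefix_mask(parent_prefix)
    end = start + (1 << (32 - parent_prefix))
    step = 1 << (32 - sub_prefix)
    return [subnet_info(int_to_ip(n), sub_prefix) for n in range(start, end, step)]

def same_subnet(ip_a, ip_b, prefix):
    """Two hosts can talk directly on one LAN only if they share a network ID."""
    return subnet_info(ip_a, prefix)["network"] == subnet_info(ip_b, prefix)["network"]

def subnet_bits_for(subnets):
    """n = roundup(ln(x)/ln(2)); computed exactly with integers, no floating point."""
    return (subnets - 1).bit_length()

def host_bits_for(hosts):
    """Smallest n with 2**n - 2 >= hosts (the ID and broadcast are not usable)."""
    n = 1
    while (1 << n) - 2 < hosts:
        n += 1
    return n

def device_address_check(ip, mask):
    """Apply the slides' address constraints; returns (is_valid, reason)."""
    first = int(ip.split(".")[0])
    if ip == "255.255.255.255":
        return False, "universal broadcast address"
    if 224 <= first <= 239:
        return False, "multicast range"
    if first >= 240:
        return False, "reserved for IETF research"
    if first == 127:
        return False, "loopback range"
    if ip.startswith("169.254."):
        return False, "APIPA range (self-assigned, not configured manually)"
    info = subnet_info(ip, mask_to_prefix(mask))
    if ip == info["network"]:
        return False, "network ID of its subnet"
    if ip == info["broadcast"]:
        return False, "broadcast address of its subnet"
    return True, "usable host address"

def consolidate(net_a, net_b, prefix):
    """Supernetting: two /prefix blocks merge into one /(prefix-1) only when they
    are distinct and lie inside the same /(prefix-1) boundary."""
    super_mask = prefix_mask(prefix - 1)
    a, b = ip_to_int(net_a), ip_to_int(net_b)
    if a != b and (a & super_mask) == (b & super_mask):
        return f"{int_to_ip(a & super_mask)}/{prefix - 1}"
    return None

if __name__ == "__main__":
    print(subnet_info("172.16.5.86", 26))                 # the /26 case from the slides
    for row in subnet_table("192.168.10.0", 24, 27):      # the /27 table
        print(row)
    print(same_subnet("192.168.10.29", "192.168.10.34", 28))   # PCa vs PCb
    print(device_address_check("172.16.129.255", "255.255.255.0"))
    print(consolidate("192.168.1.112", "192.168.1.96", 28))
```

`subnet_bits_for` uses `bit_length` instead of dividing logarithms because `ln(8)/ln(2)` is not guaranteed to come out as exactly 3.0 in floating point, and a rounding error there would cost one whole extra subnet bit.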
Fixed-length Subnet-mask Network for 198.64.32.0/24
All subnet masks must be the same! (diagram: one router connecting the four /26 subnets of 198.64.32.0/24)
Davies & Taussig (2007), Ch. 2

More on Supernetting - Lines of Kryptonite
(diagram: the 0-255 range of the last octet divided at 128, then at 64 and 192, then at 32, 96, 160 and 224, and so on)
Subnets chosen for supernetting must be adjacent and must consolidate within upper boundaries. For example:
* 192.168.1.112/28 & 192.168.1.96/28 consolidate to 192.168.1.96/27
* 192.168.1.112/28 & 192.168.1.128/28 do not consolidate to anything
If you touch the lines of kryptonite you lose your power to supernet!
(diagram: a router serving subnets of different sizes, /26 and /27, carved from one /24)
Warren (2017), 70-741, Ch. 5, Complex Networks, p. 230

Wake the Brain
Which of the following are valid techniques for manually configuring an IP address in a Windows computer? Options include: changing the jumpers on the Network Interface Card (NIC), ...

Why use DHCP?
* Cater for 'nomadic' users who need to work at numerous branches
* Centralise IP configuration settings
* Allow flexibility in IP address management

DORA
1. DHCP client broadcasts a DHCPDISCOVER packet
2. DHCP servers broadcast a DHCPOFFER packet
3. DHCP client broadcasts a DHCPREQUEST packet
4. DHCP server broadcasts a DHCPACK packet
(diagram: a DHCP server, PC1 and PC2 on one LAN; the example lease is IP 172.16.92.19, subnet mask 255.255.255.0)

DHCP Renewal
1. The client tries to renew when 50% of the lease has expired:
   A. DHCP client sends a unicast DHCPREQUEST packet
   B. DHCP server sends a unicast DHCPACK packet
2. The client continues to try and renew using a unicast DHCPREQUEST every time it starts up.
3. If the client fails to renew its lease after 87.5% of the lease has expired, the DHCP lease generation process starts over again with the DHCP client broadcasting a DHCPDISCOVER.

DHCP Installation
* Add the DHCP role using Server Manager
* If in a domain, authorise the DHCP server with a privileged account

DHCP Scopes
A scope is a container for administering a pool of addresses and IP configurations. All addresses in a pool must come from the same subnet. A server can have many scopes. A scope can have numerous pools of addresses (rare).

DHCP Exclusions
* Some devices need to have their IP settings manually configured
* These addresses cannot be offered to other devices
* Exclusions prevent the DHCP server from offering these addresses

DHC Reservations
* DHCP reservations ensure a device is allocated the same IP address
* Allocation is based on the device's MAC address

DHCP Options
Other necessary IP address settings, e.g. default gateway, DNS server. They can be applied at the server, scope, or reservation levels. Policies can also be used.
Key options:
* Default Gateway = 003 Router
* DNS Server = 006 DNS Server

How Are DHCP Options Applied?
You can apply DHCP options at various levels:
1. Server
2. Scope
3. Reserved client
If the same setting is configured differently, the last applied wins (i.e. reserved client).

Relay agent
* A DHCP relay agent captures the DHCPDISCOVER broadcasts and then unicasts them to a DHCP server on another network.
* The DHCP relay agent acts as a 'man in the middle' and will broadcast all packets from the DHCP server and unicast all packets from the DHCP client.

Problem: If you have two DHCP servers on a network, what happens if they offer the same addresses?
Solution:
* 50/50 rule for DHCP servers on the same network segment
* 80/20 rule for a 2nd server via DHCP relay
* DHCP clustering (will cover in ENSA)

DNS
The Domain Name System resolves domain names to IP addresses, e.g.:
You type: ping www.swin.edu.au
DNS replaces www.swin.edu.au with 136.186.1.10
So it is as if you typed: ping 136.186.1.10

A Fully Qualified Domain Name (FQDN) consists of: ... e.g. AppServer105.Microsoft.com.
Warren (2017), 70-741, Ch. 1, DNS

Root Hints
* 13 servers (well, server farms to be precise) that host records for all TLD name servers
* If you need to find an 'unknown' domain, you ask the root servers

DNS - Top Level Domains
* New TLDs are periodically created
* e.g. in May 2010 non-Latin TLDs were created for Egypt, Saudi Arabia and the UAE (Arabic-script TLDs)
* In 2012 ICANN accepted applications for new TLDs, e.g. .afl
Q. What is the ".local" TLD?

DNS Zones and Records
A DNS zone is a specific portion of the DNS namespace that contains DNS records. DNS zones can have the following characteristics:
* Zone focus: Forward lookup zone OR Reverse lookup zone
* Zone type: Primary (read/write, holds all records), Secondary (read-only full copy), Stub (read-only subset). A Primary zone must exist first; a copy cannot create records.
* Resource records in forward lookup zones include: A, MX, SRV, NS, SOA, and CNAME (records can only be created in a Primary zone)
* Resource records in reverse lookup zones include: PTR
* Zone storage: Text - stores zone data in text files on the server; Active Directory Integrated - zone data is stored using multi-master replication on domain controllers
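The DHCP slides above describe scopes, exclusions, reservations, option levels and the 50/50 and 80/20 split; the following added example models those rules as a toy allocator so the "last applied wins" option behaviour and the non-overlapping pools can be checked. It is not Windows DHCP Server code and not from the slides; the server names, MAC addresses, pool ranges and option values are constructed for this page.

```python
"""Toy DHCP scope allocator for the slide concepts: a pool, exclusions,
reservations keyed by MAC address, options applied at server, scope and
reservation level (last applied wins), and an 80/20 split of one subnet's
pool across two servers so they never offer the same address. Added
example; all addresses, MACs and option values are constructed."""
from dataclasses import dataclass, field

def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

ROUTER, DNS_SERVER = 3, 6   # DHCP option codes: 003 Router, 006 DNS Server

@dataclass
class Scope:
    name: str
    pool_start: str
    pool_end: str
    exclusions: set = field(default_factory=set)              # never offered
    reservations: dict = field(default_factory=dict)          # MAC -> fixed address
    options: dict = field(default_factory=dict)               # scope-level options
    reservation_options: dict = field(default_factory=dict)   # MAC -> options

@dataclass
class DhcpServer:
    name: str
    server_options: dict
    scopes: list
    leases: dict = field(default_factory=dict)                # address -> MAC

    def offer(self, mac):
        """The DHCPOFFER for a client MAC, or None when nothing is available
        (a Windows client that receives no offer falls back to an APIPA address)."""
        for scope in self.scopes:
            address = scope.reservations.get(mac) or self._next_free(scope)
            if address is None:
                continue
            self.leases[address] = mac
            return {"address": address, "options": self._options_for(scope, mac)}
        return None

    def _next_free(self, scope):
        """Lowest pool address that is not excluded, reserved or already leased."""
        reserved = set(scope.reservations.values())
        for n in range(ip_to_int(scope.pool_start), ip_to_int(scope.pool_end) + 1):
            candidate = int_to_ip(n)
            if candidate in scope.exclusions or candidate in reserved:
                continue
            if candidate not in self.leases:
                return candidate
        return None

    def _options_for(self, scope, mac):
        """Server options first, then scope, then reservation: later levels win."""
        merged = dict(self.server_options)
        merged.update(scope.options)
        merged.update(scope.reservation_options.get(mac, {}))
        return merged

def split_pool(start, end, primary_percent=80):
    """80/20 rule: the first 80% of the pool goes to the main server, the rest to
    the second server reached through the relay agent."""
    first, last = ip_to_int(start), ip_to_int(end)
    primary_last = first + ((last - first + 1) * primary_percent) // 100 - 1
    return (start, int_to_ip(primary_last)), (int_to_ip(primary_last + 1), end)

def pools_overlap(scope_a, scope_b):
    """The problem on the slide: two servers must not offer the same addresses."""
    a0, a1 = ip_to_int(scope_a.pool_start), ip_to_int(scope_a.pool_end)
    b0, b1 = ip_to_int(scope_b.pool_start), ip_to_int(scope_b.pool_end)
    return a0 <= b1 and b0 <= a1

def build_lab():
    """Constructed lab: one /24 served by two servers on an 80/20 split."""
    primary, secondary = split_pool("172.16.1.10", "172.16.1.209")
    # .10-.19 are statically configured devices, so they are excluded from the pool
    static = {int_to_ip(n) for n in range(ip_to_int("172.16.1.10"), ip_to_int("172.16.1.19") + 1)}
    printer_mac = "00-11-22-33-44-55"
    scope_a = Scope("LAN (80%)", *primary, exclusions=static,
                    reservations={printer_mac: "172.16.1.50"},
                    options={DNS_SERVER: "172.16.1.5"},
                    reservation_options={printer_mac: {DNS_SERVER: "172.16.1.6"}})
    scope_b = Scope("LAN (20%)", *secondary, options={DNS_SERVER: "172.16.1.5"})
    server_options = {ROUTER: "172.16.1.1", DNS_SERVER: "172.16.0.5"}  # overridden per scope
    return (DhcpServer("dhcp-main", server_options, [scope_a]),
            DhcpServer("dhcp-remote", server_options, [scope_b]))

if __name__ == "__main__":
    main, remote = build_lab()
    print(main.offer("aa-bb-cc-00-00-01"))    # first address after the exclusions
    print(main.offer("00-11-22-33-44-55"))    # reservation with its own DNS option
    print(remote.offer("aa-bb-cc-00-00-02"))  # the 20% pool starts where the 80% ends
```

The option merge order is the whole point of the "How Are DHCP Options Applied?" slide: the same option code set at three levels ends up with the reservation's value, and a scope value beats the server-wide one.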
DNS Record Types
SOA   | Identifies the start of a zone of authority.
        Every zone contains an SOA resource record at the beginning of the zone file, which stores information about the zone, configures replication behaviour, and sets the default TTL for names in the zone.
A     | Maps an FQDN to an IPv4 address.
AAAA  | Maps an FQDN to an IPv6 address.
NS    | Identifies the name servers for the zone specified in the SOA resource record, and the servers for any delegated zones. Every zone must contain at least one NS record at the zone root.
PTR   | Maps an IP address to an FQDN for reverse lookups.
CNAME | Specifies an alias (synonymous name).
MX    | Specifies a mail exchange server for a DNS domain name. A mail exchange server is a host that receives mail for the DNS domain name.
SRV   | Specifies the addresses of servers for a specific service, protocol and DNS domain.

What Are DNS Zone Types?
1. Primary - Read/write copy of a DNS database
2. Secondary - Read-only copy of a DNS database
3. Stub - Read-only, partial copy of a zone that contains only the records used to locate name servers

Configuring DNS Zones
* Secondary and Stub zones must be configured to get zone records from a Master Server.
* A Master Server must be a DNS server that hosts a copy of the domain's zone.
* A Primary Zone must ultimately be the source of the Master DNS data.
* By default Master servers do not permit their data to be transferred.
Reasons for hosting copies of a zone on further servers: for redundancy; for sites with slow connections; for dynamic conditional forwarding.

Configuring DNS Zones - Dynamic Updates
* Dynamic updates allow a device to update the IP address of its A record if it is allocated a different IP address by DHCP.
* If a hacker gets access to a device, they can use dynamic updates to change the record to an IP address of their choosing.
* It is best to only allow secure dynamic updates, which requires Active Directory and AD-integrated DNS zones.

Configuring Zone Transfers
* On the Master Server (normally the server that hosts the primary zone) zone transfers must be permitted.
* Choosing "To any server" provides hackers with a gold mine of information.
Warren (2017), 70-741, Ch. 1, DNS, pp. 32-53

What Are DNS Queries?
* Queries are recursive or iterative
* DNS clients and DNS servers initiate queries
* DNS servers are authoritative or non-authoritative for a namespace
* Authoritative DNS servers keep host records in a zone (e.g. a primary or secondary zone for most host records)
* An authoritative DNS server for the namespace either:
  - Returns the requested IP address
  - Returns an authoritative "No, that name does not exist"
* A non-authoritative DNS server for the namespace either:
  - Checks its cache
  - Uses forwarders
  - Uses root hints
  (i.e. it does not check its own zone data)

DNS Queries - Recursive
When a DNS server receives a recursive query it either returns the required result, or it returns an error; the DNS server does not refer the DNS client to another server.
Warren (2017), 70-741, Ch. 1, DNS

DNS Queries - Iterative
When a DNS server receives an iterative query, it either returns the required result, or it returns a referral to another server that might be authoritative for the requested record.
Warren (2017), 70-741, Ch. 1, DNS

Wake the Brain - DNS Q.4 - Queries (Root Hints)
Drag the correct DNS query type (buttons on the left) onto the targets (circles) between the devices. (interactive slide)

Forwarders
Forwarders allow queries that cannot be resolved by a DNS server to be forwarded to:
* an ISP's DNS server
* a head office DNS server
* a parent domain's DNS server
This prevents the server from using root hints, unless ...
Warren (2017), 70-741, Ch. 1, DNS

Conditional Forwarders
If your network is regularly resolving names in a specific network (e.g. a supplier, customer or partner), you can speed up resolution of those queries by configuring a Conditional Forwarder.
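The recursive and iterative query types, root hints, forwarders and conditional forwarders described on the DNS query slides above are modelled in the following added example, so that the referral chain root -> TLD -> authoritative server can be traced step by step. This is not code from the slides or from Warren (2017); the server names, zones and addresses are constructed and are not real root or TLD data, and the assumed behaviour when every forwarder fails is simply to give up, since the slide's own sentence on that point is cut off.

```python
"""Model of the DNS query types on the slides: a client sends a recursive query
to its DNS server, which must answer or fail; when that server is not
authoritative and has nothing cached it walks root hints -> TLD server ->
authoritative server with iterative queries, each answered by a record, a
referral, or an authoritative "no such name". Forwarders and conditional
forwarders replace that walk. Added example; names and addresses are
constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges)."""

def in_zone(name, zone):
    """FQDNs carry a trailing dot; the root zone '.' contains every name."""
    return zone == "." or name == zone or name.endswith("." + zone)

class NameServer:
    """Authoritative server: answers from its records or refers to a delegation."""
    def __init__(self, name, zone, records=None, delegations=None):
        self.name, self.zone = name, zone
        self.records = records or {}            # FQDN -> IPv4 (A records)
        self.delegations = delegations or {}    # child zone -> NS server name

    def iterative_query(self, qname):
        if qname in self.records:
            return "answer", self.records[qname]
        # the longest matching delegation is the most specific referral
        for zone in sorted(self.delegations, key=len, reverse=True):
            if in_zone(qname, zone):
                return "referral", self.delegations[zone]
        return "nxdomain", None                 # authoritative "does not exist"

class Resolver:
    """The client's DNS server: recursive towards clients, iterative towards others."""
    def __init__(self, name, servers, root_hints, forwarders=(), conditional=None):
        self.name, self.servers = name, servers
        self.root_hints = root_hints            # names of root servers
        self.forwarders = list(forwarders)      # other Resolvers, e.g. the ISP's
        self.conditional = conditional or {}    # zone -> that domain's own server
        self.cache, self.trace = {}, []

    def recursive_query(self, qname):
        """Return an IPv4 string or None; self.trace records every hop taken."""
        self.trace = []
        if qname in self.cache:
            self.trace.append(("cache", "answer", self.cache[qname]))
            return self.cache[qname]
        start = next((ns for zone, ns in self.conditional.items() if in_zone(qname, zone)), None)
        if start is None and self.forwarders:
            # forwarders take everything not covered by a conditional forwarder
            for fwd in self.forwarders:
                ip = fwd.recursive_query(qname)
                self.trace.append((fwd.name, "forwarded", ip))
                if ip is not None:
                    self.cache[qname] = ip
                    return ip
            return None                         # assumption: no root-hint fallback
        ns_name = start or self.root_hints[0]
        for _ in range(8):                      # guard against referral loops
            kind, value = self.servers[ns_name].iterative_query(qname)
            self.trace.append((ns_name, kind, value))
            if kind == "answer":
                self.cache[qname] = value
                return value
            if kind == "referral":
                ns_name = value
                continue
            return None                         # authoritative NXDOMAIN
        return None

def build_internet():
    """Constructed name space: root -> 'example.' TLD -> uni.example. / partner.example."""
    servers = {s.name: s for s in [
        NameServer("a.root.test.", ".", delegations={"example.": "ns.tld.example."}),
        NameServer("ns.tld.example.", "example.",
                   delegations={"uni.example.": "ns.uni.example.",
                                "partner.example.": "ns.partner.example."}),
        NameServer("ns.uni.example.", "uni.example.",
                   records={"www.uni.example.": "192.0.2.10", "app.uni.example.": "192.0.2.20"}),
        NameServer("ns.partner.example.", "partner.example.",
                   records={"portal.partner.example.": "198.51.100.7"}),
    ]}
    isp = Resolver("dns.isp.example.", servers, ["a.root.test."])
    campus = Resolver("dns.uni.example.", servers, ["a.root.test."], forwarders=[isp],
                      conditional={"partner.example.": "ns.partner.example."})
    return servers, isp, campus

if __name__ == "__main__":
    servers, isp, campus = build_internet()
    print(isp.recursive_query("www.uni.example."), isp.trace)          # root -> TLD -> auth
    print(campus.recursive_query("app.uni.example."), campus.trace)    # via the forwarder
    print(campus.recursive_query("portal.partner.example."), campus.trace)  # conditional
```

Running it shows the three paths side by side: the ISP resolver's trace is the full three-hop walk from the root hint, the campus resolver hands ordinary names to its forwarder and never touches the root, and a partner name goes straight to the partner's server.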
All queries for this domain will be forwarded directly to this domain's DNS servers. Queries for other domains will continue to be processed using Forwarders or Root Hints.
Warren (2017), 70-741, Ch. 1, DNS

DNS Security
* DNSSEC - uses public/private key infrastructure to confirm identity and encrypt DNS traffic.
* Split-Brain DNS - prevents external users from gleaning details of the network:
  - Internal DNS: dynamic, full copy of the zone
  - External DNS: manual, only a small number of records, e.g. www
Warren (2017), 70-741, Ch. 1, DNS, pp. 14-19

How a Client Resolves a Name (diagram)

Troubleshooting Name Resolution
Command-line tools to troubleshoot configuration issues: Resolve-DnsName, Nslookup, DNScmd
The troubleshooting process:
1. Identify the client's DNS server with nslookup or the PowerShell cmdlet Resolve-DnsName
2. Communicate via ping
3. Use the DNS management console or nslookup to verify records

Server Roles
* File Server
* Print Server
* Web Server (IIS)
* Application Server
* Database Server
* Domain Controller
But how do we control access to these servers?

Accounts
* User - every user who logs on to a Windows network must have a valid user account
* Computer - every computer that connects to a Windows domain must have a valid computer account

Brief Introduction to User Accounts
* User accounts enable us to control access to computers and objects on the computer (e.g. files, folders, printers, etc.)
* Adding a password to the user account allows the system to authenticate a user.
* Access lists on the computer or object allow the system to authorise whether the user can or cannot access the object.
* Every user account has a Security Identifier (SID) that is unique across a system. This SID is used every time a user accesses an object.
* Get-ADUser -Identity "<username>" will return user details including the user's SID.

Access Tokens
* Every time a user logs onto a system an Access Token is generated.
* This access token contains the user account's SID, the SIDs of the groups the user belongs to, the user's privileges and other information.
* This token is presented when an object is accessed and is used to authorise access by the object.
(diagram: User Access Token - User SID, other SIDs, Privileges, other information)

File Server
Technologies that help manage:
- Storage
- Shared folders
- Replication between distributed file servers (DFS)
- Fast file searching
- Access from other NOSs (e.g. Unix)

Share Permissions
Read - Read is the default permission that is assigned to the Everyone group (i.e. all user accounts in the system). Read allows:
  - Display folder names, filenames, file data and attributes
  - Execute program files
  - Access other folders within the shared folder
Change - Change is not a default permission for any group. Change allows all Read permissions, plus:
  - Create folders
  - Add files to folders
  - Change data in files
  - Append data to files
  - Change file attributes
  - Delete folders and files
  - Perform all actions permitted by the Read permission
Full Control - Full Control is the default permission that is assigned to the Administrators group on the local computer. Full Control allows all Read and Change permissions, plus:
  - Change file permissions
  - Take ownership of files
  - Perform all tasks allowed by the Change permission

Printer Terminology
(diagram: a print server with Physical Printer 1, 2 and 3)
Logical Printer = Soft Printer
Physical Printer = Hard Printer

Security Options for Network Printing
* The default security allows everyone to: Print; Manage their own print jobs
* The available permissions are: Print; Manage this printer; Manage documents
MOC 20410D Installing and Configuring Windows Server 2012, Mod. 10, p. 27

What Is Printer Pooling?
* Printer pooling combines multiple physical printers into a single logical unit
* A printer pool:
  - Increases availability and scalability
  - Requires that all printers use the same driver
  - Requires that all printers are in the same location

Prioritising Printer Use with Soft Printers
* More than one software printer can print to a physical printer.
* Using different software printers and printer permissions you can prioritise who gets first use of the printer.
* Priority 1 is the lowest priority. Priority 99 is the highest.

Web Server (IIS)
* Internet Information Services is Microsoft's web server (Apache [by Rob McCool] is a multi-platform web server)
* Distributes documents via the HTTP protocol (TCP port 80)
* Relies on DNS in order to translate URLs into IP addresses

Application Server
* Used to add dynamic content to web pages, e.g. Swinburne Library Catalogue
* Connects web pages to databases - generally needs SQL Server also installed

Share Permissions - Important facts
* In the Windows Server family, when you create a new shared resource, the Everyone group is automatically assigned the Read permission, which is the most restrictive.
* Apply only to users who gain access to the resource over the network. They do not apply to users who log on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.
* Apply to all files and folders in the shared resource. If you want to provide a more detailed level of security to the subfolders or objects in a shared folder, use access control on NTFS.
* Are the only way to secure network resources on FAT and FAT32 volumes, because NTFS permissions are not available on FAT or FAT32 volumes.
* Specify the maximum number of users who are allowed to access the shared resource over the network. This is in addition to the security provided by NTFS.

A Historical Network - Client Server
All resources are shared on the server and controlled by the server. Dean (2010) pp. 4-8

Workgroups
A Workgroup is a peer-to-peer network
* One password for each user on every computer they access.
* Every PC that shares a resource acts as a server.
* Every PC that accesses a shared resource acts as a client.
Dean (2010) pp. 3-4 & p.
443

Domains
* Resources can be anywhere on the network
* Domain controller authenticates user and computer accounts
* Domain controller authorises access to resources
Dean (2010) p. 448
Source (Share Permissions - Important facts): http://technet.microsoft.com/en-us/library/cc784499(WS.10).aspx

Security Permissions
* A part of the NTFS file system
  - therefore cannot be used on FAT partitions.
  - sometimes called NTFS permissions.
  - always apply whether the user is local (i.e. interactive), network or remote.
  - attached to the object (i.e. File or Folder) not the User account.
Zacker (2017) 70-740, p. 118

Permissions Change with Each Object Type
* There are many different objects in Active Directory.
* Each object has a set of permissions applicable to that object.
Zacker (2017) 70-740, p. 118

NTFS File & Folder Permissions
[Table of NTFS file and folder permissions; not recoverable from the slide image] Zacker (2017) 70-740, p. 118

Access Control Lists
* When a user tries to access an object (e.g. file, folder, printer...), the SIDs in the Access Token are compared against the ACEs in the Discretionary Access Control List (DACL).
* When a match is made, the decision to permit or deny the user access to the object is made.
* If no match is made, the user is denied.
Source: technet.microsoft.com library (article reference garbled in the source)

Active Directory
* Active Directory (AD) is an Object Oriented Database (it has a schema).
* Examples of objects in this database are Users, Computers, Printers, Sites and Volumes (e.g. HDDs)
* We can use AD to control who can:
  - manage these objects
  - access these objects
* We can use AD to deploy software and configurations to computers.

Domain Terminology
[Diagram: domain terminology; not recoverable from the slide image] Warren (2017), 70-742, pp.
2-4

Installing a Domain
* Windows Server must be the operating system
* DNS must be pre-existing or installed at the same time.
* The Active Directory Domain Services (ADDS) role is installed first, then the server is promoted to become a Domain Controller
[Screenshot: Add Roles and Features - Post-deployment Configuration: "Configuration required for Active Directory Domain Services at SWINTESVR. Promote this server to a domain controller"]

Domain Controller Options for Install
* Add a DC to an existing Domain
* Add a new Domain to an existing Forest
  - Tree Domain
* Add a new Forest
[Screenshot: Select the deployment operation - Add a domain controller to an existing domain / Add a new domain to an existing forest / Add a new forest]

Multi-master Replication
* Any object (i.e. user account, computer account, etc.) created on one Domain Controller will be replicated to the other Domain Controllers in the Active Directory Domain.
* Thus all AD objects and records are backed up automatically.
* If one DC crashes, other DCs can authenticate logins.

Domain & Forest Functional Levels
* Every new version of Windows Server adds new features.
* Some features are only compatible with the latest version of Windows Server.
* Setting a high Domain or Forest Functional Level prevents Domain Controllers running incompatible Windows Server versions from being added to the Domain or Forest.

Creating User Accounts in Domain
* Active Directory Users & Computers (DSA)
* Active Directory Administrative Center (ADAC)
* PowerShell

User Account Properties
* Logon hours restricts the times users can log on.
* Log On To... restricts the computers users can log on to.
* Account expires means contractors and students cannot access the system after their term expires.
* Scroll down for Account is disabled, to reset the login for a user who has entered too many bad passwords.

Creating Computer Accounts...
1. Use DSA or ADAC to create a new computer account
2. Use PowerShell to create a new account: New-ADComputer -Name sWin10PC5
3. Provide 'Authorised' credentials when joining a PC to a Domain

[Slide on group SIDs; text largely garbled] A group's SID is embedded in the access tokens that are presented whenever an object is accessed.

Group Scopes
* Local groups - used by 'non-Administrators' to share resources on a local computer in a workgroup or a domain. (We will not use Local groups in Network Admin.)
* Global groups - used to group user and computer accounts from the local domain. (Can also be used to group other Global groups from the local domain.)
* Domain Local groups - used to provide access to resources in the local domain.
* Universal groups - used to group Global groups from multiple domains.

Understanding Group Scopes 1
Select the appropriate group scope for this scenario: An administrator needs to make a folder accessible to users across the network. What group scope should they use to allocate access permissions to this folder?
ANSWER: The administrator should use the [—] group scope. (Options: Local, Domain Local, Global, Universal)

Understanding Group Scopes 2
Select the appropriate group scope for this scenario: The users in the Accounting team need the same access to resources throughout the network. All user accounts are in the same domain. What group scope should the Administrator use to meet the needs of this team?
ANSWER: The administrator should use the [—] group scope. (Options: Local, Domain Local, Global, Universal)

Understanding Group Scopes 3
Select the appropriate group scope for this scenario: This group needs to streamline access for teams of scientists from many domains to many data folders in many domains. What group scope should the Administrator use to meet the needs of these teams?
ANSWER: The administrator should use the [—] group scope.
Understanding Group Scopes 4
Select the appropriate group scope for this scenario: The company has just purchased a new printer. The administrator needs to make this printer available to all users in the domain. What group scope should the Administrator use to achieve this outcome?
ANSWER: The administrator should use the [—] group scope.

[Diagram: Role Based Access Control example - account groups are members of DL_PatientData_RW and DL_PatientData_R; the Domain Local groups are assigned RW and R permissions on the PatientData folder]

PowerShell
* New-ADUser - Creates user accounts.
* Set-ADUser - Modifies the properties of user accounts.
* Remove-ADUser - Deletes user accounts.
* Set-ADAccountPassword - Resets the password of a user account.
* Set-ADAccountExpiration - Modifies the expiration date of a user account.
* Unlock-ADAccount - Unlocks a user account.
* Enable-ADAccount - Enables a user account.
* Disable-ADAccount - Disables a user account.
New-ADUser -Name <name> creates a user account in the Users container.
New-ADUser -Name <name> -Path <OU distinguished name> -AccountPassword (ConvertTo-SecureString -AsPlainText <password> -Force) -Enabled $true creates an enabled account in the Organisational Unit. **Examinable

User Account Templates
Attributes that copy:
* Group Memberships
* Home Directories - %username%
* Profile Settings
* Logon Scripts
* Logon Hours
* Password Settings
* Department Name
* Manager
Hint: Name the template in a way that makes it stand out from user accounts, e.g. _usrSalesTemplate.

Bulk User Account Creation
* CSVDE - Can import/export new user account details from a Comma Separated Value file (i.e. spreadsheet text).
* LDIFDE - Can import/export new user account details from an LDAP database. (Hint: ADDS uses LDAP format, so if you want to export user accounts and import them into a new domain use LDIFDE.)

Why OUs?
* Allows a logical structure that speeds up locating objects
* Allows users to be delegated management privileges.
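Bulk creation from CSV data combined with a user account template, as an added example (not the lecture's own script). It assumes the ActiveDirectory module, a domain swin.local, a template account _usrSalesTemplate and an OU Sales; the CSV rows and user names are constructed.

```powershell
# Added example (not from the slides): creates users from CSV rows by copying a template.
# New-ADUser -Instance copies attributes such as Department, Manager, ScriptPath and
# LogonHours; group membership is NOT copied that way, so it is added explicitly.
Import-Module ActiveDirectory

# Constructed sample data; in practice: $users = Import-Csv .\newusers.csv
$users = @'
GivenName,Surname,SamAccountName,Department
Alice,Nguyen,anguyen,Sales
Bob,Okafor,bokafor,Sales
'@ | ConvertFrom-Csv

$templateName = '_usrSalesTemplate'                 # assumed template account
$targetOu     = 'OU=Sales,DC=swin,DC=local'         # assumed OU
$domainSuffix = 'swin.local'

function New-RandomPassword([int] $Length = 16) {
    # Ambiguous characters (0/O, 1/l/I) left out so the password can be read out to the user
    $chars = [char[]] 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!$%&*'
    -join (1..$Length | ForEach-Object { $chars | Get-Random })
}

# Pull the template with the attributes the slide lists as copying
$template = Get-ADUser -Identity $templateName -Properties MemberOf, Department, Manager,
    ScriptPath, HomeDirectory, HomeDrive, LogonHours, ProfilePath

foreach ($u in $users) {
    $initialPwd = New-RandomPassword
    $params = @{
        Name                  = "$($u.GivenName) $($u.Surname)"
        GivenName             = $u.GivenName
        Surname               = $u.Surname
        SamAccountName        = $u.SamAccountName
        UserPrincipalName     = "$($u.SamAccountName)@$domainSuffix"
        Path                  = $targetOu
        Instance              = $template
        # Template home directory ends in the template's name; swap in the new %username%
        HomeDirectory         = ($template.HomeDirectory -replace '[^\\]+$', $u.SamAccountName)
        AccountPassword       = (ConvertTo-SecureString $initialPwd -AsPlainText -Force)
        ChangePasswordAtLogon = $true     # one-time password, user must change it at first logon
        Enabled               = $true
    }
    New-ADUser @params

    # Copy the template's group memberships (the identity groups, e.g. G_Sales)
    foreach ($group in $template.MemberOf) {
        Add-ADGroupMember -Identity $group -Members $u.SamAccountName
    }
    Write-Host ("Created {0}; initial password: {1}" -f $u.SamAccountName, $initialPwd)
}
```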
* Allows configurations to be targeted using Group Policy
Create via:
* Right click in DSA or ADAC
* PowerShell: New-ADOrganizationalUnit -Name <OU name> -Path "DC=swin,DC=local"
Warren (2017), 70-742, p. 70

Organisational Unit Structure
The hierarchy of OUs is generally based on:
* Location: e.g. Aus, USA, Jpn
* Business Unit: e.g. Sales, Accounting, Research
* Resource: e.g. Server, Laptop, PC, User
Hierarchy determined by Admin, e.g.
* Location > Unit > Resource
* Location > Resource > Unit
* Unit > Resource > Location
* Resource > Unit > Location
* etc.

Changing Default Location of Computer Accounts
* The default AD containers Users and Computers are not OUs; they cannot have GPOs linked to them.
* It is best to change the default locations by using redircmp and redirusr
redircmp "OU=Melb,DC=swin,DC=local"
Will redirect all new computer accounts that don't have a DN set to the Melb OU

Revision - Security Permissions
* A part of the NTFS file system
  - therefore cannot be used on FAT partitions.
  - sometimes called NTFS permissions.
  - always apply whether the user is local (i.e. interactive), network or remote.
  - attached to the object (i.e. File or Folder) not the User account.
Zacker (2017), 70-740, p. 118, Table 2-3. READ THIS, it is examinable!

Revision - Permissions Change with Each Object Type
* There are many different objects in Active Directory.
* Each object has a set of permissions applicable to that object.
Permission Inheritance
[Screenshot: Advanced Security Settings showing explicit and inherited permission entries]
* Permissions assigned for an object are Explicit (black ticks)
* Permissions assigned for a parent object are Inherited (grey ticks)
* Explicit permissions override Inherited permissions
Zacker (2017), 70-740, p. 147

Permission Precedence
For Security Permissions attached to an object:
* Explicit Deny overrides Explicit Allow
* Explicit Allow overrides Inherited Deny
* Inherited Deny overrides Inherited Allow
* The Effective Access tab in Advanced Security can confirm the effective access of a user or group.

Revision - Group Role Based Access Control
Identity Groups (Account)
- Used for grouping accounts that have similar requirements, e.g. user accounts from the sales department
- Global groups nearly always fill this role
- The name of the group reflects the accounts, e.g. G_Sales
Access Groups (ACL)
- Used to control access to resources (hence ACL)
- Domain Local groups nearly always fill this role (Global groups can fill this role in an SBS or temporary domain)
- The name reflects the resource(s) and the permissions being given, e.g. DL_SalesData_RW or ACL_SalesFolders_RO

Revision - Group Scopes
[Table: group scope, purpose, membership, resources, limitations; not recoverable from the slide image] Warren (2017), 70-742, p. 64

Group Strategy
[Diagram: group strategy (accounts, Global groups, Domain Local groups, permissions); not recoverable from the slide image]

Nesting Global Groups - Second Level Account Groups
* Occasionally we face the need to group multiple account groups, e.g.
  - A department made up of teams:
    + Sometimes the whole department has the same requirements, but the teams in the department have different requirements.
    + Solution: create an account group for the department, nest the team account groups into the department's group.
  - A team is spread across numerous domains, yet has the same requirements:
    + Resources for the ITAdmin team are spread across many domains. Members of the ITAdmin team are spread across many domains.
    + Solution: create an account group for ITAdmin members on each domain, e.g. Au_ITAdmin, Id_ITAdmin, Co_ITAdmin. Create a forest-wide account group for the ITAdmin team, nest the domain account groups into the forest account group.
If the 2nd level account group is collecting groups from a single domain it should be a [—] group. If the 2nd level account group collects groups from [—] domains it should be a [—] group.
Note: We do not use Domain Local groups for 2nd level account groups.

2nd Level Account Groups - Global
* Use when grouping Global groups from the same Domain
* e.g. A department is made up of many teams. Sometimes access needs to be based on department membership, other times team membership

2nd Level Account Groups - Universal
* Global groups cannot have members from other Domains, so Universal groups must be used when grouping teams from different domains.
* e.g. The IT technicians in each domain need to have the same access.

Why don't we just use Universal groups?
EXAM TIP: Universal group membership lists are maintained in the Global Catalog, whereas other groups' memberships are not.

Access Based Enumeration
* A property of the Share that prevents users from seeing resources they don't have permissions to.

Special Identities
There are some groups whose memberships are automatically generated:
* Everyone - all user accounts and the guest account
* Authenticated Users - all user accounts
* Anonymous Logon - all users, even those without accounts
* Interactive - users logged on locally
* Network - users accessing resources from a remote computer
* Creator Owner - the user account that created the file or the user/group allocated ownership. Creator Owner automatically has FC (Full Control) of the files they create.
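The Role Based Access Control group strategy (identity group, access group, second-level account groups) built with the ActiveDirectory module, as an added example rather than the lecture's own script. Domain swin.local, the OU Groups, the child domain nz.swin.local and every group and user name are assumptions.

```powershell
# Added example (not from the slides): identity group -> access group -> (later) ACL,
# plus a Global and a Universal second-level account group. All names are constructed.
Import-Module ActiveDirectory
$groupsOu = 'OU=Groups,DC=swin,DC=local'      # assumed OU that holds all groups

# Identity (account) group: Global, named after the accounts it collects
New-ADGroup -Name 'G_Sales' -GroupScope Global -GroupCategory Security -Path $groupsOu `
    -Description 'Sales department user accounts'
Add-ADGroupMember -Identity 'G_Sales' -Members 'anguyen', 'bokafor'   # assumed users

# Access (ACL) groups: Domain Local, named after the resource and the permission granted
foreach ($perm in 'RW', 'RO') {
    New-ADGroup -Name "DL_SalesData_$perm" -GroupScope DomainLocal -GroupCategory Security `
        -Path $groupsOu -Description "ACL group: SalesData share, $perm"
}
# Nest the identity group into the access group. The NTFS ACE goes on DL_SalesData_RW,
# never on G_Sales or on individual users, so access changes are membership changes.
Add-ADGroupMember -Identity 'DL_SalesData_RW' -Members 'G_Sales'

# 2nd level account group, same domain: a Global group of Global groups
New-ADGroup -Name 'G_SalesSupport' -GroupScope Global -GroupCategory Security -Path $groupsOu
New-ADGroup -Name 'G_SalesDept'    -GroupScope Global -GroupCategory Security -Path $groupsOu
Add-ADGroupMember -Identity 'G_SalesDept' -Members 'G_Sales', 'G_SalesSupport'

# 2nd level account group across domains must be Universal, because a Global group cannot
# hold members from another domain. Nz_ITAdmin lives in the assumed child domain.
New-ADGroup -Name 'U_ITAdmin' -GroupScope Universal -GroupCategory Security -Path $groupsOu
$nzAdmins = Get-ADGroup -Identity 'Nz_ITAdmin' -Server 'nz.swin.local'
Add-ADGroupMember -Identity 'U_ITAdmin' -Members 'Au_ITAdmin', $nzAdmins

# Check: every account under G_Sales should now be reachable through the ACL group
Get-ADGroupMember -Identity 'DL_SalesData_RW' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName
```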
Combining NTFS & Share permissions
* The most restrictive applies* when combining for a single SID
* What is the effective permission for:
  - Group A = Read Only
  - Group B = Change

Combining Permissions allocated to different groups
* Allow permissions cumulate (for both Share and NTFS permissions)
Zacker (2017), 70-740, pp. 99-100

Question - NTFS Permissions Combining
A user account is a member of all three groups. When they attempt to access data in this folder, what will be their effective NTFS permissions? (Cumulative for different groups; folder: MktData)

How permissions combine
* If accessing the resource locally - combine NTFS Allow permissions from all ACL groups the account is a 'member' of, remembering that Deny overrides other permissions
* If accessing the resource via the network - [remainder of slide garbled]
[Exercises 1A, 1B and 2 with solutions: a user who is a member of all three groups logs on to the member server (or accesses the share via the network) and accesses a file in the folder that only has inherited permissions; what is the effective permission? Slide text not recoverable.]
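A model of the combining rules above (Allows cumulate across groups, Deny overrides, share and NTFS results combined by the most restrictive for network access) together with the Access Token / DACL comparison from the Access Control Lists slide. This is an added example, not the lecture's code; the group names stand in for SIDs and the two ACLs are constructed, while the last two helpers read a real token and a real file's DACL.

```powershell
# Added example (not from the slides). Permission levels are ranked so "more restrictive"
# and "cumulate" become comparisons; 'Full' stands for Full Control.
$levels = 'None', 'Read', 'Change', 'Full'
$rank   = @{}; for ($i = 0; $i -lt $levels.Count; $i++) { $rank[$levels[$i]] = $i }

function Get-CombinedLevel {
    # One ACL, one token: Allow ACEs whose SID is in the token cumulate (highest wins);
    # a matching Deny removes that level and everything above it (Deny overrides Allow).
    param([string[]] $TokenSids, [hashtable[]] $Aces)
    $allowed   = 'None'
    $denyFloor = $levels.Count                        # lowest denied rank seen so far (none)
    foreach ($ace in $Aces) {
        if ($TokenSids -notcontains $ace.Sid) { continue }     # no SID match: ACE ignored
        if ($ace.Type -eq 'Deny') {
            $denyFloor = [Math]::Min($denyFloor, $rank[$ace.Level]); continue
        }
        if ($rank[$ace.Level] -gt $rank[$allowed]) { $allowed = $ace.Level }
    }
    if ($rank[$allowed] -ge $denyFloor) { $allowed = $levels[$denyFloor - 1] }
    return $allowed
}

function Get-EffectiveAccess {
    # Local (interactive) access: NTFS only. Network access: combine share and NTFS
    # separately, then the more restrictive of the two results applies.
    param([string[]] $TokenSids, [hashtable[]] $NtfsAces, [hashtable[]] $ShareAces, [switch] $ViaNetwork)
    $ntfs = Get-CombinedLevel -TokenSids $TokenSids -Aces $NtfsAces
    if (-not $ViaNetwork) { return $ntfs }
    $share = Get-CombinedLevel -TokenSids $TokenSids -Aces $ShareAces
    if ($rank[$share] -lt $rank[$ntfs]) { return $share } else { return $ntfs }
}

# Constructed exercise: the user is a member of all three groups; the token also carries
# the special identities Everyone and Authenticated Users
$token = 'SWIN\alice', 'G_Sales', 'G_Marketing', 'G_Managers', 'Everyone', 'Authenticated Users'
$ntfsAcl = @(
    @{ Sid = 'G_Sales';     Type = 'Allow'; Level = 'Read'   },
    @{ Sid = 'G_Marketing'; Type = 'Allow'; Level = 'Change' },
    @{ Sid = 'G_Managers';  Type = 'Allow'; Level = 'Full'   },
    @{ Sid = 'G_Sales';     Type = 'Deny';  Level = 'Full'   }   # Deny Full Control to Sales
)
$shareAcl = @( @{ Sid = 'Everyone'; Type = 'Allow'; Level = 'Read' } )   # the default share ACL
"Local:   " + (Get-EffectiveAccess -TokenSids $token -NtfsAces $ntfsAcl -ShareAces $shareAcl)
"Network: " + (Get-EffectiveAccess -TokenSids $token -NtfsAces $ntfsAcl -ShareAces $shareAcl -ViaNetwork)

# The same rule against a real file: SIDs from the current access token, ACEs from the DACL
function Get-TokenSids {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}
function Get-NtfsAcesFromFile([string] $Path) {
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        $sid    = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $rights = $rule.FileSystemRights.ToString()
        # Coarse mapping of NTFS rights onto the three levels used by the slides
        $level  = if ($rights -match 'FullControl') { 'Full' }
                  elseif ($rights -match 'Modify|Write') { 'Change' } else { 'Read' }
        @{ Sid = $sid; Type = $rule.AccessControlType.ToString(); Level = $level }
    }
}
# e.g. Get-CombinedLevel -TokenSids (Get-TokenSids) -Aces (Get-NtfsAcesFromFile 'C:\Data\report.txt')
```

Compare the result for a real file with the Effective Access tab in Advanced Security; the model here ignores the explicit-versus-inherited precedence rules and generic rights, which that tab does honour.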
Best Practice for Sharing a Folder
* Remove Inheritance (convert to explicit permissions)
* Remove the Users group from NTFS permissions
Then
* Share Everyone Full Control and allow NTFS permissions to control access
Or
* Share Everyone Change if the boss is anxious about security
And
* Justify your choice, if doing this in an exam ;)

How permissions combine
* If accessing the resource locally - combine NTFS Allow permissions from all ACL groups the account is a 'member' of, remembering that Deny overrides other permissions.
[Exercises 3A, 3B and 4 with solutions: a user who is a member of all three groups logs on to the member server (3A) or accesses the share via the network (3B, 4) and accesses a file in the folder that only has inherited permissions; what are the effective permissions? Slide text not recoverable.]

What Happens... when you change your screen saver settings?
[Screenshot: Lock screen settings]

Local Computer Policies
Solution: Use Local Computer Policies
* Run Local Group Policy Editor (gpedit.msc)

What are Group Policies?
Computer Config
* Settings applied according to Computer Account.
  - Deploy software for all users that use a specific computer
  - Startup/Shutdown scripts
  - Deploy Printers
  - Control Updates
User Config
* Settings applied according to User Account.
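The sharing best practice above carried out in PowerShell on a member server, as an added example (not the lecture's own script). It assumes the SmbShare module (Windows Server 2012 and later), the folder D:\Shares\SalesData and the Domain Local ACL groups SWIN\DL_SalesData_RW and SWIN\DL_SalesData_RO; all of these are constructed names.

```powershell
# Added example (not from the slides): remove inheritance, drop BUILTIN\Users, grant the
# ACL groups, then share to Everyone with Full Control so NTFS is the only gate.
$folder = 'D:\Shares\SalesData'                       # assumed path
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Remove inheritance, converting the inherited ACEs to explicit ones (nothing lost yet)
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)            # (isProtected, preserveInheritance)
Set-Acl -Path $folder -AclObject $acl

# 2. Remove the BUILTIN\Users entries that came down from the volume root
$acl = Get-Acl -Path $folder
$usersRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
foreach ($rule in $usersRules) { $acl.RemoveAccessRule($rule) | Out-Null }

# 3. Grant NTFS rights to the access (ACL) groups only, inherited by subfolders and files
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$grants  = @(
    @{ Group = 'SWIN\DL_SalesData_RW'; Rights = 'Modify' },          # Change-level access
    @{ Group = 'SWIN\DL_SalesData_RO'; Rights = 'ReadAndExecute' }   # Read-level access
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Group, $g.Rights, $inherit, $noProp, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# 4. Share it. Everyone Full Control on the share means NTFS alone decides; use
#    -ChangeAccess 'Everyone' instead for the "boss is anxious" variant. Access-based
#    enumeration hides entries the user cannot read.
New-SmbShare -Name 'SalesData' -Path $folder -FullAccess 'Everyone' -FolderEnumerationMode AccessBased

# Verify both layers
Get-SmbShareAccess -Name 'SalesData'
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```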
  - Deploy software to where the user logs on
  - Logon/logoff scripts
  - Deploy Printers

Components of Group Policy
* Computer Configuration settings
* Application can be based on User Account or Computer Account
* Cannot be "changed" by the user
* A GPO has two components
  - Group Policy Container
    + Stored in AD
    + Automatically replicated to other DCs in the Domain
    + Points to the GPT for settings
  - Group Policy Template
    + Contains the GPO settings
    + Store in Sysvol (default location) (will replicate if in the default location)
    + Will not replicate if stored in the wrong location

GPO Settings
* Simple radio button.
* Dropdown list/Spin box.
* Text box.
* Some must be configured with other settings.
* These settings are recorded in the registry.
* Some settings apply only to Domain Controllers
* Beware the Double Negative.

Preferences
* Can be changed by the user
* i.e. Setting is not greyed out

When GPOs Apply
* Computer Configuration settings - at start up
* User Configuration settings - at sign in
* GPUpdate
  - /target:
  - /logoff
  - /boot
  - /force - reapplies all settings
* DC linked - every 5 minutes - only applies settings that have changed
* non-DC linked - every 90 min (+ 0-30 min offset) - only applies settings that have changed
Remember that it will take time to replicate. Speed up by using GPUpdate on the target computer.

Default GPOs
* Default Domain Policy pre-linked to Domain
  - Default Security settings
  - Default Power settings
* Default Domain Controller Policy pre-linked to Domain Controllers OU
  - Default user rights
* Resetting default GPOs - DCGPOFix
  - DCGPOFix /target:Domain
  - DCGPOFix /target:DC

GPO Linking - Important!
* Must be linked to:
  - Site
  - Domain
  - OU
* Cannot be linked to:
  - Groups
  - Users
  - Computers
  - Users or Computers containers in AD
* A Container can have multiple GPOs linked
* A GPO can be linked to many containers

Delegate Control - GPOs
* Permissions to link GPOs to an OU can be delegated.
* Use Delegate Control... wizard
* Unlinking a GPO prevents the GPO from applying.
* Useful for quick troubleshooting

GPO Link Precedence - Important
What happens when two GPOs configure the same setting differently?
* Order of Application
  1. Local
  2. Site
  3. Domain
  4. Parent OU
  5. Child OU
* Last linked applied first = First linked applied last
* Last applied wins!
* The Precedence is opposite to the order of application. The GPO with precedence 1 wins!
* If GPOs are configuring different settings, the settings cumulate

Controlling Scope - Block Inheritance
* Blocking Inheritance prevents GPOs linked to any parent container from applying to objects in the OU.
* You cannot selectively block inheritance, you can only block all.

Control Scope - Enforcing
Enforcing a GPO:
* Overrides Blocking Inheritance
* Overrides conflicting settings
* Allows 'Head Office' to override rogue branch administrators

Filtering GPOs 1/3 - Security Filtering
* Default is Authenticated Users
* Scope can be narrowed by replacing the default with an account group.
* Thus the GPO will apply to user and computer accounts in these groups
* Allow permissions only

Filtering GPOs 2/3
[Screenshot; not recoverable from the slide image]

Filtering GPOs 3/3 - WMI Filtering
* Scripts that can assess the environment and apply settings accordingly, e.g. only install software if RAM > 8 GB

GPO permissions
* Access via: GPMC, Delegation tab, Advanced button
* Full range of permissions, including Deny
* Note: Must have Read permission for the Apply group policy permission to work

Administrative Templates
* ADML - support other languages, i.e. a Global company can have Domains where Administrators will see the GPO interface in their own language.
  e.g. An admin in Australia can create a GPO in English, an admin in Chile can open that GPO and edit it in Spanish
* ADMX - XML files with code for the GPO settings.
  - Software developers can create them for their software, e.g. download and install ADMX for Microsoft Office or Adobe products

Scenario 1
sWin.com requires all computers to have an anti-virus application installed. (OUs: Sales, Marketing)
* Create a GPO that installs the anti-virus software
* Link the GPO to the domain

Scenario 2
For additional security, there should be no autoplay of CDs, DVDs or USB devices on any computer, except the Marketing department (as they have to view many multimedia presentations). (OUs: Sales, Marketing)

Scenario 2 - Solution 1
* Create a GPO that turns off autoplay
* Link the GPO to the domain
* Block inheritance at the Marketing OU

Scenario 2 - Solution 2
* Create a GPO that turns off autoplay
* Link the GPO to the domain
* Create a GPO that turns on autoplay
* Link the GPO to the Marketing OU

Troubleshooting GPOs
* Group Policy Modelling - a GPMC wizard
* Group Policy Results - communicates with the computer and incorporates the Local Computer Policy in the analysis.
* gpresult - a command line tool, can be used on any PC in the domain.
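Both solutions to Scenario 2 with the GroupPolicy module, as an added example rather than the lecture's own script. It assumes domain swin.com with OU=Marketing,DC=swin,DC=com (the scenario's names) and uses the Explorer policy value NoDriveTypeAutoRun, where 255 (0xFF) disables autoplay on every drive type.

```powershell
# Added example (not from the slides): domain-wide "autoplay off", then either block
# inheritance at Marketing (Solution 1) or link an overriding GPO there (Solution 2).
Import-Module GroupPolicy
$domain    = 'swin.com'
$marketing = 'OU=Marketing,DC=swin,DC=com'
$key       = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Domain-wide GPO: turn autoplay off on all drive types (255 = all), linked to the domain
$off = New-GPO -Name 'Turn off autoplay' -Comment 'Scenario 2: no autoplay on any computer'
Set-GPRegistryValue -Name $off.DisplayName -Key $key -ValueName 'NoDriveTypeAutoRun' `
    -Type DWord -Value 255 | Out-Null
New-GPLink -Name $off.DisplayName -Target $domain -LinkEnabled Yes | Out-Null

# Solution 1: block inheritance at the Marketing OU. This blocks EVERY parent GPO
# (the anti-virus GPO from Scenario 1 included), not just this one; an Enforced link
# on the parent would still get through.
Set-GPInheritance -Target $marketing -IsBlocked Yes | Out-Null

# Solution 2 (alternative): leave inheritance alone and link a GPO that turns autoplay
# back on. The child-OU link is applied last, so it wins over the domain link.
Set-GPInheritance -Target $marketing -IsBlocked No | Out-Null     # undo Solution 1
$on = New-GPO -Name 'Turn on autoplay (Marketing)' -Comment 'Scenario 2: Marketing exception'
Set-GPRegistryValue -Name $on.DisplayName -Key $key -ValueName 'NoDriveTypeAutoRun' `
    -Type DWord -Value 0 | Out-Null
New-GPLink -Name $on.DisplayName -Target $marketing -LinkEnabled Yes | Out-Null

# Head Office can stop a branch administrator undoing the domain setting by enforcing
# the domain link; that would also defeat Solution 2, so use it deliberately:
# Set-GPLink -Name $off.DisplayName -Target $domain -Enforced Yes

# Troubleshoot: what does the Marketing OU inherit, and in which order are links applied?
Get-GPInheritance -Target $marketing | Select-Object GpoInheritanceBlocked, GpoLinks, InheritedGpoLinks
# On a Marketing PC, after replication: gpupdate /force, then gpresult /h C:\Temp\GpoReport.htm
```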
  e.g. gpresult /h PcGpoReport.htm

Printer Deployment with GPOs
* Can be done via the Print Management console
[Screenshot: Deploy with Group Policy dialog; not recoverable from the slide image]
