Vocabulary flashcards covering key AD DS, forest/domain, replication, FSMO roles, and Group Policy concepts from the notes.
Active Directory Domain Services (AD DS)
The Windows Server role that provides the directory and authentication services of a domain: it stores identities, authenticates users and devices (Kerberos, with NTLM as the fallback), and supplies the groups and policies on which access control and resource permissions are built.
Identity
A representation of each user, device, application, or service; a set of data that uniquely describes an object.
Authentication
The process of verifying the identity of a user, computer, group, device, service, or process.
Authorization
The process of deciding what an already authenticated subject may do, by comparing the SIDs and group memberships in its access token against the permissions set on a resource.
Stand-Alone Authentication (Workgroup)
A local configuration where each computer maintains its own trusted identities in a SAM database.
Security Accounts Manager (SAM)
The local account database present on every Windows computer; it holds local users and groups and, in a workgroup, is the only identity store. Domain accounts are not in the SAM; they live in AD DS on the domain controllers.
Join a Domain
The process by which a computer receives a computer account in an AD DS domain and establishes a trust relationship with it; once joined, users can sign in to that computer with domain accounts instead of local SAM accounts.
AD DS Objects
Entities in AD DS such as users, groups, and computers that are stored in the directory.
User Object
An AD DS object representing a user, with sign-in credentials and attributes describing the user.
Group Object
An AD DS object representing a collection of users or computers used to simplify permissions and administration.
Group Types
Two types of groups in AD DS: Security Groups and Distribution Groups.
Security Groups
Groups used to grant permissions and access control to resources.
Distribution Groups
Groups used for mail distribution lists; they are not security-enabled, have no SID in access tokens, and therefore cannot be granted permissions.
Group Scopes
Defines where a group's members may come from and in which domains the group can be granted permissions.
Local
A group held in a computer's local SAM rather than in AD DS (for example Administrators on a workstation); it can be granted rights only on that computer, although it may contain domain users and groups once the computer is domain-joined.
Domain-local
A group scope that can contain accounts and groups from any domain in the forest (or from a trusted domain) but can be granted permissions only on resources in its own domain; the usual place to collect permissions on a resource.
Global
A group scope whose members must come from the group's own domain; it can be granted permissions in any domain of the forest and in trusting domains, and is the usual place to collect accounts by role.
Universal
A group scope whose members can come from any domain in the forest and which can be granted permissions in any domain; its membership is stored in the global catalog, so every membership change replicates forest-wide.
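The three scopes are meant to be nested, not used interchangeably. The following PowerShell puts them together in the usual AGDLP pattern (Accounts in a Global group, Global group in a Domain-Local group, Domain-Local group on the Permission). It is an added example, not part of the original notes, and assumes the RSAT ActiveDirectory module, a domain corp.example (NetBIOS name CORP), an OU `OU=Groups,DC=corp,DC=example`, users jdoe and asmith, and a share `\\fs01.corp.example\Finance`; all of those names are hypothetical.

```powershell
# Added example (not from the original notes): the AD DS group scopes used in the
# AGDLP pattern. Domain, OU, users, server and group names are hypothetical.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'

# Global group: members must be from corp.example, but the group itself can be
# granted access in any domain of the forest. It collects accounts by role.
New-ADGroup -Name 'GG-Finance-Users' -GroupScope Global -GroupCategory Security -Path $ou

# Domain-local group: may hold principals from any trusted domain, but can only be
# granted permissions on resources in corp.example. It collects permissions.
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# Accounts -> Global -> Domain Local -> Permission
Add-ADGroupMember -Identity 'GG-Finance-Users' -Members 'jdoe', 'asmith'
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance-Users'

# The ACL on the resource names only the domain-local group, never individual users.
$path = '\\fs01.corp.example\Finance'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('CORP\DL-FinanceShare-Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review: scope, category and direct member count of the groups just created.
Get-ADGroup -Filter "Name -like 'GG-*' -or Name -like 'DL-*'" -Properties Members |
    Select-Object Name, GroupScope, GroupCategory, @{ n = 'Members'; e = { $_.Members.Count } }

# Universal groups are left out on purpose: their membership lives in the global
# catalog, so every change replicates forest-wide. Reserve them for cross-domain roles.
```

Adding a user from another domain to the global group fails, because AD DS enforces the scope rule at write time; the same user can be added to the domain-local group directly or through a global group of their own domain.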
Computer Object
An AD DS object that represents a computer, used to manage the computer’s access to resources.
Computers Container
The default container (CN=Computers) in which computer accounts are created when a computer joins the domain. It is a container, not an OU, so no GPO can be linked to it; computers are normally moved to an OU after joining.
Organizational Unit (OU)
A container within a domain used to group objects, link GPOs, and delegate administrative control over the objects it holds; unlike the built-in containers, OUs can be created freely and nested.
AD Built-In Containers
Default containers created with every domain (Users, Computers, Builtin, ForeignSecurityPrincipals, and the Domain Controllers OU) used to hold objects until they are placed in OUs. Plain containers cannot have GPOs linked to them, which is why production objects are usually moved out of them.
Forest
The top-level logical container of one or more domains that share a single schema, a single configuration partition, and a global catalog; every domain in a forest trusts every other, so the forest, not the domain, is the security boundary.
Domain
A partition of the forest that holds its own users, computers, groups and OUs, forms an administrative and replication boundary for that data, and is linked to the other domains in the forest by automatic two-way transitive trusts.
Domain Controllers
Servers that host AD DS data (NTDS.dit) and SYSVOL; run Kerberos/KDC services for authentication.
Kerberos
The default authentication protocol of an AD DS domain: a client proves its identity to the KDC once, receives a ticket-granting ticket (TGT), and exchanges it for service tickets, so its password is never sent to the individual services.
Key Distribution Center (KDC)
The Kerberos service that runs on every domain controller; its Authentication Service issues TGTs (encrypted with the krbtgt account's key) and its Ticket-Granting Service issues service tickets (encrypted with the target service account's key).
Global Catalog
A domain controller that additionally holds a partial, read-only copy of every object in every domain of the forest (the partial attribute set); used for forest-wide searches, UPN sign-in, and resolving universal group membership at logon.
Schema
Defines all object classes and attributes that AD DS uses to store data; replicated across the forest.
Schema Master
The only DC in the forest on which the schema can be modified; the change then replicates to every other domain controller in the forest.
Domain Naming Master
The only DC in the forest that can add or remove domains (and application directory partitions).
RID Master
The one DC per domain that hands out pools of relative identifiers (RIDs) to the other DCs; each DC builds the SID of a new object from the domain SID plus a RID from its pool, so if the pool runs out while the RID Master is unavailable, object creation stops.
Infrastructure Master
The one DC per domain that updates references to objects in other domains (phantom records) when those objects are renamed or moved; it must not be hosted on a global catalog server unless every DC in the domain is a global catalog, or the references are never refreshed.
PDC Emulator
The one DC per domain that acts as the domain's authoritative time source, receives urgent replication of password changes and account lockouts, is consulted when a password check fails on another DC, is the default DC targeted when editing Group Policy, and emulates an NT4 PDC for legacy clients.
FSMO
Flexible Single Master Operations; set of single-master roles in AD DS (Schema Master, Domain Naming Master, RID Master, Infrastructure Master, PDC Emulator).
Transfers
Moving an FSMO role to another DC in a planned way while both DCs are online, so the current holder hands the role over cleanly and replication stays consistent.
Seizure
Forcing an FSMO role onto another DC when the current holder is permanently unavailable. The old holder must never be brought back onto the network with that role; its metadata should be removed from the directory instead.
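The role queries, the planned transfer and the seizure described above, as an added PowerShell example (not part of the original notes). It assumes the RSAT ActiveDirectory module; DC01, DC02 and the domain corp.example are hypothetical names.

```powershell
# Added example (not from the original notes): locate, transfer and seize FSMO roles.
# DC01, DC02 and corp.example are hypothetical.
Import-Module ActiveDirectory

# Who holds what? Two forest-wide roles, three per-domain roles.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object RIDMaster, InfrastructureMaster, PDCEmulator
# Same answer from the legacy tool:  netdom query fsmo

# Planned transfer: both DCs are online and the current holder hands the roles over.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator, RIDMaster

# Seizure: -Force takes the roles without contacting the current holder. Only for a
# holder that is permanently gone; the old DC must never come back online with the roles.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster -Force
# Afterwards remove the dead DC's metadata (server, NTDS settings and computer objects), e.g.
#   ntdsutil "metadata cleanup" "remove selected server CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example" quit quit

# Check: the Infrastructure Master must not be a global catalog unless every DC in the
# domain is one; otherwise references to objects in other domains are never refreshed.
$im    = (Get-ADDomain).InfrastructureMaster
$gcs   = (Get-ADForest).GlobalCatalogs
$dcs   = (Get-ADDomainController -Filter *).HostName
$notGc = $dcs | Where-Object { $gcs -notcontains $_ }
if (($gcs -contains $im) -and $notGc) {
    Write-Warning "Infrastructure Master $im is a GC while $($notGc -join ', ') are not"
}

# Check: the PDC Emulator should be the domain's time source and the only DC that
# syncs from an external source; every other DC should report it as its source.
$pdc = (Get-ADDomain).PDCEmulator
w32tm /query /source /computer:$pdc
```

Run the seizure only from a DC that has received the most recent replication from the lost holder, and verify with `repadmin /showrepl` that the new role owner is replicating with its partners before clients depend on it.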
AD DS Replication
Multi-master replication of the directory database: a change can be made on any writable DC and propagates to the others, with conflicts resolved by version and timestamp. The SYSVOL share is replicated separately by DFS Replication.
Partitions
Logical divisions of AD DS data used for efficient replication and organization.
Domain Partition
Partition that holds the objects of one domain (users, computers, groups, OUs); replicated in full to every DC in that domain and, as the partial attribute set, to every global catalog in the forest.
Schema Partition
Partition that holds schema-related data; replicated to all domain controllers in the forest.
Configuration Partition
Forest-wide partition that stores the replication topology (sites, subnets, site links, connection objects) and forest-wide service data; replicated to every DC in the forest.
Application Directory Partition
Partition whose replication scope is chosen by the application that created it (for example the DomainDnsZones and ForestDnsZones partitions used by AD-integrated DNS); it cannot hold security principals such as user objects.
Sign-in Process
At startup the computer queries DNS for domain controller SRV records, selects a DC (preferring one in its own site), and its Local Security Authority authenticates the computer account to that DC's KDC and applies computer Group Policy; when a user signs in, the same LSA obtains the user's TGT from the DC, builds the access token, and applies user Group Policy.
DNS lookup
The DNS SRV query (for records such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>) used to find domain controllers and the KDC; each DC registers these records through its Netlogon service, so a DC that cannot be found in DNS cannot authenticate anyone.
Local Security Authority (LSA)
The subsystem (lsass.exe) on every Windows computer that enforces the local security policy, performs authentication, and builds access tokens. On a client it collects credentials and talks to the DC; on a domain controller it also hosts the Kerberos KDC and NTLM authentication services.
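The DC-location and ticket steps of the sign-in process can be reproduced by hand from a domain-joined client. The following is an added example, not part of the original notes; corp.example and fs01 are hypothetical names, and it assumes the DnsClient module (built into Windows 8/Server 2012 and later) plus the nltest and klist tools that ship with Windows.

```powershell
# Added example (not from the original notes): reproduce what the LSA and Netlogon do at
# sign-in. corp.example and fs01 are hypothetical.
$domain = 'corp.example'

# 1. DC locator: SRV records each DC registers through Netlogon.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# The KDC has its own record; a client that cannot resolve it gets no Kerberos tickets.
Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port

# 2. Netlogon's site-aware locator: the same selection the LSA makes at startup,
#    including which site the client was placed in and which DC it picked.
nltest /dsgetdc:$domain /kdc

# 3. Tickets held by the current logon session: the TGT (krbtgt/CORP.EXAMPLE) obtained at
#    sign-in, plus a service ticket per service touched since.
klist

# 4. Request a service ticket explicitly, then confirm it was issued by the KDC.
klist get cifs/fs01.$domain
klist | Select-String -Pattern 'krbtgt|cifs/fs01'
```

If step 1 returns nothing, the client will fall back to NetBIOS name resolution and, failing that, sign users in with cached credentials; that is the usual cause of "no logon servers available" errors after a DNS change.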
Group Policy Object (GPO)
A container for policy settings applied to users and computers within AD DS.
GPO Storage: GPC and GPT
A GPO is stored in two places that share the GPO's GUID: the Group Policy Container (GPC), an object in AD DS that holds the GPO's metadata, and the Group Policy Template (GPT), a folder in SYSVOL that holds the settings files. Clients read the GPC to find the GPT, then apply what the GPT contains.
GPC
Group Policy Container; the AD DS object under CN=Policies,CN=System,<domain DN> that stores a GPO's attributes: GUID, display name, version number, enabled/disabled status, and the path to its GPT.
GPT
Group Policy Template; the folder \\<domain>\SYSVOL\<domain>\Policies\{<GUID>} that holds the actual settings files (Registry.pol for Administrative Templates, security templates, scripts, and GPT.ini with the version number). Anyone who can write to this folder controls what every computer in the GPO's scope applies.
GPO Scope and Inheritance
Defines which users and computers a GPO reaches (its link to a site, domain or OU, narrowed by security filtering and WMI filters) and how settings flow down the OU tree: local, site, domain, then OU policies are applied in that order, and the GPO applied last (closest to the object) wins any conflict unless a link is enforced or inheritance is blocked.
Domain-Based Group Policies
GPOs created in AD DS and linked to domains or OUs for domain-wide management.
Local GPO
Group Policy stored on the local computer (under %SystemRoot%\System32\GroupPolicy) rather than in AD DS; it is applied first and is overridden by any conflicting domain GPO.
Default Domain Policy
The GPO linked to the domain by default; it carries the domain-wide account policies (password, account lockout, and Kerberos ticket settings) that only take effect at this level.
Default Domain Controllers Policy
The GPO linked to the Domain Controllers OU by default; it carries the user rights assignments and audit settings that apply to domain controllers.
Administrative Templates
Policy settings defined by ADMX/ADML template files on the management workstation or in the central store; the values an administrator selects are written into the GPT's Registry.pol files and applied to registry keys under the Policies branches, in separate Computer and User sections.
User-related settings
Administrative template settings under User Configuration; applied when a user signs in, to HKEY_CURRENT_USER of that user, regardless of which computer is used.
Computer-related settings
Administrative template settings under Computer Configuration; applied at computer startup and on each policy refresh, to HKEY_LOCAL_MACHINE, regardless of who signs in.
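The GPC/GPT split and the way an Administrative Template value lands in Registry.pol, as one added PowerShell example covering both (not part of the original notes). It assumes the RSAT GroupPolicy and ActiveDirectory modules and a GPO named 'Baseline-Workstations'; the GPO name is hypothetical, and the Windows Update key written below is only an illustration of a registry-based setting.

```powershell
# Added example (not from the original notes): the two halves of a GPO and where an
# Administrative Template value ends up. 'Baseline-Workstations' is hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = Get-GPO -Name 'Baseline-Workstations'

# Administrative Template setting: the cmdlet writes it into Machine\Registry.pol in
# the GPT, and every computer in scope applies it to HKLM at startup/refresh.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ValueName 'NoAutoUpdate' -Type DWord -Value 0
Get-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# GPC: the AD DS object. Get-GPO's Path property is its distinguished name.
$gpc = Get-ADObject -Identity $gpo.Path -Properties displayName, versionNumber, gPCFileSysPath
$gpc | Select-Object displayName, versionNumber, gPCFileSysPath

# GPT: the SYSVOL folder the GPC points at; settings live here as files.
Get-ChildItem -Path $gpc.gPCFileSysPath -Recurse -File | Select-Object FullName

# Consistency check: versionNumber in the GPC must equal Version= in GPT.ini. A mismatch
# means AD DS replication and SYSVOL (DFS-R) replication are out of step on this DC, and
# clients that read it may apply stale settings.
$gptIni = Get-Content -Path (Join-Path $gpc.gPCFileSysPath 'GPT.ini')
$gptVer = [int](($gptIni | Where-Object { $_ -like 'Version=*' }) -replace 'Version=', '')
if ($gptVer -ne $gpc.versionNumber) {
    Write-Warning "GPC version $($gpc.versionNumber) != GPT version $gptVer for $($gpo.DisplayName)"
}

# Security check: write access to the GPT folder equals control of every machine in scope.
# Expect only SYSTEM, CREATOR OWNER, Domain Admins and Enterprise Admins here.
(Get-Acl -Path $gpc.gPCFileSysPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights
```

The version number is one combined value (user version in the high 16 bits, computer version in the low 16 bits), which is why both the GPC attribute and GPT.ini carry a single integer.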