GOOGLE IT SUPPORT PROFESSIONAL CERTIFICATE

Course 4 – System Administration and IT Infrastructure Services

Week 4: Directory Services

Coursera Study Guide

In the fourth week of this course, we’ll learn about directory services. Specifically, we’ll cover how two of the most popular directory services, Active Directory and OpenLDAP, work in action. We’ll explore the concept of centralized management and how this can help SysAdmins maintain and support all the different parts of an IT infrastructure. By the end of this module, you will know how to add users, passwords, and use group policies in Active Directory and OpenLDAP.

Learning Objectives

  • Understand what services a directory server provides.
  • Understand what LDAP and Active Directory are.

PRACTICE QUIZ: INTRODUCTION TO DIRECTORY SERVICES

1. What does a directory server provide?

  • A real-time communication service
  • A network time service
  • A lookup service for an organization (CORRECT)
  • A replication service

That’s exactly right! A directory service allows members of an organization to look up information about the organization, like network resources and their addresses.

2. What benefits does replication provide? Check all that apply.

  • Redundancy (CORRECT)
  • Enhanced security
  • Increased capacity
  • Decreased latency (CORRECT)

Great job! Directory server replication grants you redundancy by having multiple copies of the database being served by multiple servers. The added servers that provide lookup services also reduce the latency for clients querying the service.

3. What’s the most popular directory services protocol used today?

  • Directory Access Protocol
  • Directory System Protocol
  • Lightweight Directory Access Protocol (CORRECT)
  • Directory Operational Binding Management Protocol

Yep! LDAP is the most popular and widely used directory access protocol today.

PRACTICE QUIZ: CENTRALIZED MANAGEMENT AND LDAP

1. Which of these are examples of centralized management? Check all that apply.

  • Role-based access control (CORRECT)
  • Centralized configuration management (CORRECT)
  • Copying configurations to various systems
  • Local authentication

Right on! Role-based access control makes it easier to administer access rights by changing role membership and allowing for inheritance to grant permissions (instead of granting each permission individually for each user account). Centralized configuration management is an easier way to manage configurations for services and hardware. By centralizing this, it becomes easier to push changes to multiple systems at once.

2. What does the LDAP Bind operation do exactly?

  • Modifies entries in a directory server
  • Looks up information in a directory server
  • Authenticates a client to the directory server (CORRECT)
  • Changes the password for a user account on the directory server

Awesome! A client authenticates to a directory server using the Bind operation. This could either be: (1) an anonymous bind; (2) a simple bind, where the password is sent in plaintext; or (3) an SASL bind, which involves a secure challenge-response authentication scheme.

3. Which of the following are authentication types supported by the LDAP Bind operation? Check all that apply.

  • Anonymous (CORRECT)
  • Simple (CORRECT)
  • Complex
  • SASL (CORRECT)

That’s it! Bind operations support three different mechanisms for authentication: (1) Anonymous, which doesn’t actually authenticate at all, and allows anyone to query the server; (2) Simple, which involves sending the password in plaintext; and (3) SASL, or Simple Authentication and Security Layer, which involves a secure challenge-response authentication mechanism.

PRACTICE QUIZ: ACTIVE DIRECTORY

1. What is Active Directory? Check all that apply.

  • An open-source directory service
  • A Windows-only implementation of a directory service
  • Microsoft’s implementation of a directory service (CORRECT)
  • An LDAP-compatible directory service (CORRECT)

You got it! Active Directory is Microsoft’s Windows-specific implementation of a directory service. It’s fully LDAP compatible, so it works with any LDAP-supported client, though it has some features unique to the Windows ecosystem.

2. How is an Organizational Unit different from a normal container?

  • It’s not; it’s just a different name for a container
  • It can hold other objects (CORRECT)
  • It can only hold other containers
  • It can hold additional containers

Yep! An Organizational Unit can hold other objects and other containers.

3. When you create an Active Directory domain, what’s the name of the default user account?

  • Superuser
  • Root
  • Username
  • Administrator (CORRECT)

Correct! The default user in an AD domain is Administrator.

4. True or false: Machines in the Domain Controllers group are also members of the Domain Computers group.

  • True
  • False (CORRECT)

That’s right! While Domain Controllers are technically computers, they’re not included in the Domain Computers group. The Domain Computers group holds all computers joined to a domain for an organization, except for the Domain Controllers, which belong in the DC group.

5. In what way are security groups different from distribution groups?

  • They’re the exact same thing.
  • Security groups are used for computers, while distribution groups are used for users.
  • Security groups are used for users, while distribution groups are used for computers.
  • Security groups can be used to provide access to resources, while distribution groups are only used for email communication. (CORRECT)

You nailed it! Distribution groups can only be used for email communication, while security groups can be used to provide access to resources to members of the group.

6. What’s the difference between changing a password and resetting a password?

  • Changing a password requires the previous password. (CORRECT)
  • Changing a password does not require the previous password.
  • Resetting a password locks the account.
  • They’re the same.

You nailed it! Changing a password requires the previous password, while resetting a password only requires administrator access.

7. True or false: Joining a computer to Active Directory involves joining the computer to a workgroup.

  • True
  • False (CORRECT)

Yep! Joining a computer to Active Directory means binding it, or joining it, to the domain. An AD computer account is then created for it. A workgroup is a collection of standalone computers, not joined to an AD domain.

8. Joining a computer to an AD domain provides which of the following advantages? Check all that apply.

  • Centralized authentication (CORRECT)
  • More detailed logging
  • Centralized management with GPOs (CORRECT)
  • Better performance

Awesome job! Active Directory can be used to centrally manage computers that are joined to it by pushing Group Policy Objects. Computers joined to a domain will also authenticate using Active Directory user accounts instead of local accounts, providing centralized authentication, too.

9. What are Group Policy Objects?

  • Special types of containers
  • Special types of computer groups
  • Special types of user groups
  • Settings for computers and user accounts in AD (CORRECT)

Exactly! GPOs are objects in AD that hold settings and preferences, which can be applied to user accounts or computer accounts. GPOs allow for centralized management of accounts and computers.

10. What’s the difference between a policy and a preference?

  • They’re the exact same thing.
  • A policy is used to set a preference.
  • A policy is enforced by AD, while a preference can be modified by a local user. (CORRECT)
  • A policy can be modified by a local user, while a preference is enforced by AD.

Right on! Policies are settings that are enforced and reapplied regularly by AD, while preferences are defaults for various settings, but can be modified by users.

11. With a brand new AD domain, what do you need to change before you can target groups of users and machines with GPOs?

  • Nothing; the default configuration is good to go.
  • You need to place users and computers into new OUs. (CORRECT)
  • You need to create an administrator account.
  • You need to rename the default groups.

Nice job! Since GPOs can only be applied to sites, domains, and OUs, and because the default Users and Computers containers in AD are not OUs, GPOs cannot target these groups directly. In order to target specific groups of users or computers, new OUs need to be created, and the user or computer accounts need to be moved into them.

12. Select the right order of enforcement of GPOs:

  • Site -> Domain -> OU (CORRECT)
  • OU -> Domain -> Site
  • Domain -> Site -> OU
  • Site -> OU -> Domain

You nailed it! When GPOs collide, they’re applied according to site first and domain second. Then, any OUs are applied from least specific to most specific.

13. What can we use to determine what policies will be applied for a given machine?

  • gpupdate
  • A control panel
  • A test domain
  • An RSOP report (CORRECT)

Great job! An RSOP, or Resultant Set of Policy, report contains a list of the policies that will be applied to a given machine. It takes into account inheritance and precedence information.

14. How does a client discover the address of a domain controller?

  • It’s pushed via an AD GPO.
  • It sends a broadcast to the local network.
  • It makes a DNS query, asking for the SRV record for the domain. (CORRECT)
  • It’s provided via DHCP.

Excellent! The client will make a DNS query, asking for the SRV record for the domain. The SRV record contains address information for domain controllers for that domain.

15. Which of the following could prevent you from logging into a domain-joined computer? Check all that apply.

  • You’re unable to reach the domain controller. (CORRECT)
  • Your computer is connected to Wi-Fi.
  • The user account is locked. (CORRECT)
  • The time and date are incorrect. (CORRECT)

That’s right! If the machine is unable to reach the domain controller for whatever reason, it wouldn’t be able to authenticate against AD. Since AD authentication relies on Kerberos for encryption, authentication against AD will depend on the time being synchronized to within five minutes of the server and client. And of course, if the user account is locked, you won’t be able to authenticate to the account or log into the computer.

QUIZ: DIRECTORY SERVICES

1. What roles does a directory server play in centralized management? Check all that apply.

  • Authorization
  • Confidentiality
  • Accounting (CORRECT)
  • Centralized authentication (CORRECT)

Great job! A directory server offers a centralized mechanism for handling authentication, authorization, and accounting. This is much more convenient and secure, compared to a bunch of disconnected local systems.

2. In Active Directory, a Domain Controller functions as which of the following? Check all that apply.

  • A DNS server (CORRECT)
  • A Kerberos authentication server (CORRECT)
  • A server that holds a replica of the Active Directory database (CORRECT)
  • A container

Right on! A Domain Controller has a copy of the Active Directory database, provides Kerberos authentication services, and serves DNS.

3. Which component of an LDAP entry contains the unique entry name?

  • Common name
  • Organizational unit
  • Distinguished name (CORRECT)

You got it! The distinguished name, or DN, is the unique name of an LDAP entry.

4. Directory services store information in a hierarchical structure. Which statements about Organizational Units (OUs) of a directory service hierarchy are true? Check all that apply.

  • Changes can be made to one sub-OU without affecting other sub-OUs within the same parent. (CORRECT)
  • Sub-member OUs inherit the characteristics of their parent OU. (CORRECT)
  • Specific files within an OU, or container, are called “objects.” (CORRECT)
  • Parent OUs inherit characteristics of their sub-members.

You got it! For example, we could enforce stricter password requirements for employees organized under one particular OU than another.

You got it! Any changes made to the higher-level users’ OU would affect all sub-OUs.

You got it! Objects are particular data points within any given Organizational Unit (container), for example, user information.

5. A directory service is being installed on an exclusively Windows network. Which directory service software would be appropriate to install?

  • OpenLDAP
  • Active Directory (CORRECT)
  • DSP
  • DISP

Awesome! Microsoft’s Active Directory uses Lightweight Directory Access Protocol (LDAP) to store directory data and has some customization and added features for the Windows platform.

6. A Lightweight Directory Access Protocol (LDAP) entry reads as follows: dn: CN=John Smith,OU=Sysadmin,DC=jsmith,DC=com. What is the common name of this entry?

  • CN=John Smith,OU=Sysadmin,DC=jsmith,DC=com
  • jsmith
  • Sysadmin
  • John Smith (CORRECT)

Right on! CN is the common name of the object. In this case, since it’s a person, we use John Smith as the name.

7. What is the difference between a group policy and a group policy preference?

  • Preferences are reapplied every 90 minutes, and policies are more of a settings template.
  • Policies are reapplied every 90 minutes, and preferences are a settings template. (CORRECT)
  • A policy is editable only by admins, but anyone can edit a group policy preference.
  • A preference is editable only by admins, but anyone can edit a policy.

You nailed it! By default, policies in the GPO will be reapplied on the machine every 90 minutes. Group policy preferences, on the other hand, are settings that, in many cases, are meant to be a template for settings.

8. Which of these are common reasons a group policy doesn’t take effect correctly? Check all that apply.

  • The GPO may be linked to the OU that contains the computer.
  • Kerberos may have issues with the UTC time on the clock. (CORRECT)
  • Replication failure may occur. (CORRECT)
  • Fast Logon Optimization may delay GPO changes from taking effect. (CORRECT)

Nice job! Kerberos, the authentication protocol that AD uses, is sensitive to time differences. If the domain controller and computer don’t agree on the UTC time (usually to within five minutes), then the authentication attempt will fail.

Nice job! Replication failure is one reason that a GPO might fail to apply as expected. Changes have to be replicated out to other domain controllers. If replication fails, then different computers on your network can have different ideas about the state of directory objects, like Group Policy Objects.

Nice job! Fast Logon Optimization means the group policy engine applies policy settings to the local machine that may sacrifice the immediate application of some types of policies in order to make logon faster. It can mean that some GPO changes take much longer to be automatically applied than you might expect.

9. To manage OpenLDAP policies over Command Line Interface (CLI), a certain type of file is needed.

What is this type of file called?

  • TXT files
  • LDIF files (CORRECT)
  • LDAP config files
  • ADL files

You nailed it! LDIF stands for LDAP Data Interchange Format, and is a form of notation. An LDIF file is just a text file that lists attributes and values that describe something in LDIF notation.

10. What are the three ways to authenticate to an LDAP server?

  • Simple bind (CORRECT)
  • Anonymous bind (CORRECT)
  • PGP
  • SASL (CORRECT)

Awesome! In anonymous bind, credentials aren’t actually required. Simple bind uses simple username and password authentication and is usually not encrypted. Lastly, SASL incorporates some added security layers to protect credentials.

11. When there are conflicting GPOs, what’s the order in which they’re evaluated and applied?

  • OU, Site, Domain
  • Site, Domain, OU (CORRECT)
  • Site, OU, Domain
  • OU, Domain, Site

Correct! Site-specific GPOs are applied first, followed by domain-specific ones. Lastly, OU GPOs are evaluated, from least specific to most specific.

12. What would you use if you wanted to set a default wallpaper background for all machines in your company, but still wanted users to be able to set their own wallpaper?

  • A policy
  • A preference (CORRECT)

Yep! A preference can be set via GPO, which allows you to modify default options, while still allowing users to change them.

13. Which is NOT an advantage of replication of data in terms of directory services?

  • It allows you to manage user accounts locally. (CORRECT)
  • It provides redundancy for your data.
  • It decreases latency when you access the directory service.
  • It allows flexibility, allowing you to easily create new object types as your needs change.

Well done! Directory services allow you to manage user accounts and computer information for the entire network from one machine!

14. What are examples of Lightweight Directory Access Protocol (LDAP) directory server software? Check all that apply.

  • RDP
  • ADUC
  • OpenLDAP (CORRECT)
  • Microsoft’s Active Directory (CORRECT)

Well done! OpenLDAP is an open-source implementation of LDAP that runs on a wide range of platforms including Windows, Linux, and other Unix derivatives such as BSD, AIX, Solaris, HP-UX, and even Android!

Well done! Active Directory uses Lightweight Directory Access Protocol (LDAP) to store directory data and has some customization and added features for the Windows platform.

15. Which of these are common ways to authenticate LDAP directory queries? Check all that apply.

  • Anonymous (CORRECT)
  • SASL Authentication
  • Simple (CORRECT)
  • Private

Nice job! When using anonymous binding, you aren’t actually authenticating at all.

Nice job! A commonly used authentication method is SASL authentication. This method can employ the help of security protocols like TLS, which you’ve already learned about, and Kerberos.

Nice job! When you use simple authentication, you just need the directory entry name and password; this is usually sent in plain text, meaning it’s not secure at all.

16. Which of these statements about Active Directory (AD) are true? Check all that apply.

  • AD is incompatible with Linux, OS X, and other non-Windows hosts.
  • AD can “speak” LDAP. (CORRECT)
  • AD is used as a central repository of group policy objects, or GPOs. (CORRECT)
  • AD includes a tool called the Active Directory Authentication Center, or ADAC.

Great work! Active Directory works in a similar fashion to OpenLDAP; it actually knows how to speak the LDAP protocol.

Great work! AD does a lot more than just provide directory services and centralize authentication. It also becomes the central repository of group policy objects, or GPOs, which are used for configuration management on Windows machines.

17. The following command is typed into PowerShell: Add-Computer -DomainName 'mywebsite.com' -Server 'dc2'. What does this command do?

  • Changes the computer’s name in the ADAC
  • Tells us the functional level of the current version of AD
  • Joins a computer to the domain mywebsite.com using Domain Controller 2 (CORRECT)
  • Adds a computer to a workgroup

Woohoo! We can join computers to the domain from PowerShell. Now, our new computer will use this Active Directory domain for authentication, and we can use Group Policy to manage this machine!

18. A particular computer on your network is a member of several GPOs. GPO-A has precedence set to 1. GPO-B has precedence set to 2, and GPO-C has precedence set to 3. According to the given levels of precedence, what will be the resultant set of policy (RSOP) for this machine?

  • GPO-C will take precedence and overwrite any conflicting settings.
  • GPO-A will take precedence and overwrite any conflicting settings. (CORRECT)
  • GPO-B will take precedence and overwrite any conflicting settings.
  • The computer will default to local policy due to the confusion.

Great work! The highest-numbered link order in the least specific container is applied first, and the lowest-numbered link order in the most specific container is the last GPO applied. This means that precedence 1 will be the GPO in effect.

19. What are the main differences between OpenLDAP and Microsoft’s Active Directory (AD)? Check all that apply.

  • AD is open-source, and OpenLDAP is not.
  • OpenLDAP doesn’t work on Windows, but AD can be used on any operating system.
  • OpenLDAP is open source, and AD is not. (CORRECT)
  • OpenLDAP works on any operating system, AD does not. (CORRECT)

Great work! OpenLDAP is a popular directory service that is free and open-source.

Great work! OpenLDAP can also be used on any operating system, including Linux, Mac OS, even Microsoft Windows.

20. In order to authenticate user accounts against AD, what must be done to the computer first?

  • Configure the firewall
  • Enable the administrator account
  • Join it to the domain (CORRECT)
  • Configure remote logging

Excellent! A computer needs to be joined to the domain before user accounts can be authenticated against the domain controller (instead of local accounts).

21. A client discovers the address of a domain controller by making a DNS query for which record?

  • A record
  • AAAA record
  • SRV record (CORRECT)
  • TXT record

Woohoo! A client will query a DNS server, asking for the SRV record for the domain. The server will reply with the address of a domain controller for that domain.

22. When you log into a website that uses a directory service, what command authenticates your username and password?

  • Remove
  • Add
  • Bind (CORRECT)
  • Modify

Woohoo! When you log into a website that uses a directory service, the website will use LDAP to check if that user account is in the user directories and that the password is valid. If it’s valid, then you’ll be granted access into that account.

23. You’d like to change the minimum password length policy in the Default Domain Policy Group Policy Object (GPO). What’s the best way to go about doing this?

  • Manually edit config files in SYSVOL
  • Open ADAC and edit policy settings there
  • Open the Group Policy Management Console by running gpmc.msc from the CLI (CORRECT)
  • Edit the Windows Registry to change group policy settings

Well done! To change a group policy, we need to open GPMC and edit policy settings there.

24. You’re trying to remove an organizational unit (OU) that an LDAP Data Interchange Format (LDIF) file refers to. Which Command Line Interface (CLI) command would you use?

  • ldapsearch
  • ldapmodify
  • ldapdelete (CORRECT)
  • ldapadd

Woohoo! The ldapdelete command will remove the object that the LDIF file refers to.

25. Instead of assigning access for each user account individually, ________ is a more efficient and easier-to-manage approach.

  • Centralized Authentication
  • Role-Based Access Control (RBAC) (CORRECT)
  • Active Directory
  • LDAP

Woohoo! Role-Based Access Control is the concept of linking access to roles, and then assigning individual accounts to the appropriate roles. This is much easier to manage and maintain, as opposed to granting individual access to resources per account.

26. Which of these are advantages of centralized management using directory services? Check all that apply.

  • Access and authorization are managed in one place. (CORRECT)
  • Configuration management is centralized. (CORRECT)
  • Configuration can take place at each device.
  • Role-based Access Control (RBAC) can organize user groups centrally. (CORRECT)

Great work! Creating user accounts and granting access to resources can be done all in one place using centralized management!

Great work! Having access to configuration management in one place allows us to set up printers, configure software, or mount network filesystems without having to do it separately on each computer!

Great work! In most organizations, access to computer and network resources is based on your role in the organization. If you or another person change roles in the company, then all you have to do is change the user groups that you’re a part of, not the rights that you have to directly access resources.

27. Which of these statements are true about Domain Controllers (DCs)? Check all that apply.

  • Delegation can be used in Active Directory. (CORRECT)
  • The default Organizational Unit (OU) called Domain Controllers contains all Domain Controllers in the domain.
  • Changes that are safe to be made by multiple Domain Controllers at once are tasked by granting them Flexible Single-Master Operations.
  • You should always use your Domain Admin or Enterprise Admin for day-to-day use.

Right on! Just like you can set NTFS DACLs to give accounts permission in the file system, you can set Access Control Lists on Active Directory objects.