Sunday, May 7, 2023

Managing AD synchronization with CLI tools

Managing synchronization in Active Directory primarily involves replication between domain controllers.
Here are some examples of managing replication in AD using command-line tools:

REPADMIN: A command-line tool used for diagnosing and managing replication in AD.

Example: Force immediate replication of a naming context to DC1 (destination) from DC2 (source):
repadmin /replicate DC1 DC2 "CN=Configuration,DC=example,DC=com"

Example: Check replication status for a specific domain controller:
repadmin /showrepl DC1

Example: Display the replication partners for a domain controller:
repadmin /showreps DC1

PowerShell: PowerShell provides cmdlets for managing and automating AD tasks, including replication.

Example: Force replication of a single object from DC1 (source) to DC2 (destination):
Sync-ADObject -Object "CN=John Doe,OU=Users,DC=example,DC=com" -Source DC1 -Destination DC2

Example: Check replication metadata for an object:
Get-ADReplicationAttributeMetadata -Object "CN=John Doe,OU=Users,DC=example,DC=com" -Server DC1

Example: List current replication failures for a domain controller:
Get-ADReplicationFailure -Target DC1
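The cmdlets above check one object or one DC at a time. The following is an added example, not part of the original post, that turns them into a domain-wide health check: it walks every DC, reads its inbound partner metadata, and flags links that are failing, stale, or belong to a DC that cannot be contacted. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read replication metadata; the 24-hour staleness threshold and the function name are choices made here, not AD defaults.

```powershell
# Added example (not part of the original post): a replication health check across every
# DC in the current domain, built on the ActiveDirectory module cmdlets shown above.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the caller can read
# replication metadata; the 24-hour staleness threshold is our choice, not an AD default.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param(
        [int]$StaleAfterHours = 24
    )
    $cutoff = (Get-Date).AddHours(-$StaleAfterHours)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # One entry per inbound partner and naming context on this DC
            $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
        }
        catch {
            # An unreachable DC is itself a finding; report it instead of aborting the run
            [pscustomobject]@{
                Destination = $dc.HostName; Source = $null; Partition = $null
                LastSuccess = $null; LastResult = $null; ConsecutiveFailures = $null
                Status = "UNREACHABLE: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($p in $partners) {
            # Partner is the DN of the source DC's NTDS Settings object:
            # CN=NTDS Settings,CN=DC2,CN=Servers,... -> keep just "DC2"
            $source = (($p.Partner -split ',')[1]) -replace '^CN=', ''

            $status = 'OK'
            if ($p.LastReplicationResult -ne 0) { $status = 'FAILING' }
            elseif ($p.LastReplicationSuccess -lt $cutoff) { $status = 'STALE' }

            [pscustomobject]@{
                Destination         = $dc.HostName
                Source              = $source
                Partition           = $p.Partition
                LastSuccess         = $p.LastReplicationSuccess
                LastResult          = $p.LastReplicationResult
                ConsecutiveFailures = $p.ConsecutiveReplicationFailures
                Status              = $status
            }
        }
    }
}

# Show only the problems, then pull the error detail for anything that is failing
$health = Get-ReplicationHealth
$health | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
$health | Where-Object { $_.Status -eq 'FAILING' } | ForEach-Object {
    Get-ADReplicationFailure -Target $_.Destination |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
}
```

A DC that has not replicated in a day is worth as much attention as one reporting an error: stale links are how a disabled account or a revoked group membership keeps working on part of the domain. Run this on a schedule and compare the output with `repadmin /showrepl`, which reads the same metadata without the PowerShell module.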

10 Group Policy tools

Group Policy tools help administrators manage and troubleshoot Group Policy settings in an Active Directory environment. Here are some essential Group Policy tools:

1. Group Policy Management Console (GPMC): The GPMC is a centralized interface for managing Group Policy. It allows administrators to create, edit, link, and delete GPOs, as well as manage security filtering, WMI filtering, and delegation.

2. Group Policy Editor (GPEdit): The Group Policy Editor is a built-in Windows tool used to configure local Group Policy settings on individual machines. Domain-based GPOs are edited with the same editor (the Group Policy Management Editor) when it is opened from the Group Policy Management Console.

3. Resultant Set of Policy (RSoP): RSoP is a diagnostic tool that displays the cumulative effect of Group Policy settings applied to a user or computer. It helps administrators determine which settings are being applied and troubleshoot potential issues.

4. GPUpdate: GPUpdate is a command-line tool that forces an immediate refresh of Group Policy settings on a local computer. This is useful when testing or troubleshooting GPO changes without waiting for the automatic background refresh.

Example: Refresh Group Policy settings on the local machine
gpupdate /force

Example: Refresh only user policy settings on the local machine
gpupdate /target:user /force

5. GPResult: GPResult is a command-line tool that generates a report on the Group Policy settings applied to a user or computer. It can help administrators identify which GPOs are applied and diagnose potential issues.

Example: Display a summary of the policy settings applied to the current user and computer
gpresult /r

Example: Generate an HTML report for the computer policy settings
gpresult /h gpresult_computer.html /scope computer

6. Microsoft Security Compliance Toolkit: This toolkit provides a set of security configuration baselines for various Windows operating systems and applications. Administrators can use these baselines as a starting point for configuring security settings using Group Policy.

7. Advanced Group Policy Management (AGPM): AGPM is a Microsoft Desktop Optimization Pack (MDOP) component that provides enhanced management capabilities for GPOs, such as change control, versioning, and role-based delegation.

8. Local Security Policy (secpol.msc): This management console is used to configure local security policy settings, such as account policies, audit policies, and user rights assignments, on individual machines without Active Directory.

9. Security Configuration and Analysis (sca.msc): This management console is used to analyze and configure local security settings on individual machines. It can be used to compare current settings with predefined security templates and apply recommended configurations.

10. PowerShell: PowerShell is a command-line scripting environment that includes Group Policy cmdlets for managing GPOs, GPO links, and other Group Policy-related tasks.

Example: Create a new GPO and link it to an OU
New-GPO -Name "My New GPO" | New-GPLink -Target "OU=Users,DC=example,DC=com"

Example: Retrieve all GPOs linked to an OU
Get-GPInheritance -Target "OU=Users,DC=example,DC=com" | Select-Object -ExpandProperty GpoLinks

Example: Backup all GPOs to a specified folder
Backup-GPO -All -Path "C:\GPO_Backups"

Example: Set the link order (precedence) of a GPO linked to an OU; link order is a property of the link, so it is set with Set-GPLink, one GPO at a time
Set-GPLink -Name "GPO1" -Target "OU=Users,DC=example,DC=com" -Order 1

Example: Import settings from a backed-up GPO to an existing GPO
Import-GPO -BackupGpoName "My Backup GPO" -TargetName "My Existing GPO" -Path "
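Backup-GPO gives you restorable copies, but it does not tell you which GPOs changed since the last backup. The following is an added example, not part of the original post, that combines Backup-GPO with Get-GPOReport: it records each GPO's AD version counters and a SHA-256 of its XML settings report in a manifest, and a second function compares a fresh read against that manifest to flag new, deleted or modified GPOs. It assumes the GroupPolicy module (RSAT/GPMC) is installed and uses the C:\GPO_Backups folder from the examples above; the manifest file name and the function names are choices made here.

```powershell
# Added example (not part of the original post): a GPO baseline built from Backup-GPO and
# Get-GPOReport, so that a later run can flag GPOs whose settings changed since the backup.
# Assumptions: the GroupPolicy module (RSAT/GPMC) is installed; C:\GPO_Backups is the folder
# used elsewhere on this page; the manifest file name and the function names are ours.
Import-Module GroupPolicy

function Get-GpoFingerprint {
    # One row per GPO: AD version counters plus a SHA-256 of the XML settings report.
    # The report carries a <ReadTime> stamp that changes on every read, so it is removed
    # before hashing; otherwise every run would look like a change.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($gpo in Get-GPO -All) {
        $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $normalized = $xml -replace '<ReadTime>[^<]*</ReadTime>', ''
        $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($normalized))
        [pscustomobject]@{
            Id              = $gpo.Id.ToString()
            Name            = $gpo.DisplayName
            ComputerVersion = $gpo.Computer.DSVersion
            UserVersion     = $gpo.User.DSVersion
            Modified        = $gpo.ModificationTime.ToString('s')
            Sha256          = ([System.BitConverter]::ToString($digest)) -replace '-', ''
        }
    }
}

function New-GpoBaseline {
    param([string]$BackupPath = 'C:\GPO_Backups')
    $null = New-Item -ItemType Directory -Path $BackupPath -Force
    $null = Backup-GPO -All -Path $BackupPath          # restorable copies of every GPO
    $rows = Get-GpoFingerprint
    $rows | Export-Csv -Path (Join-Path $BackupPath 'gpo-manifest.csv') -NoTypeInformation
    $rows
}

function Compare-GpoBaseline {
    param([string]$BackupPath = 'C:\GPO_Backups')
    $baseline = @{}
    foreach ($row in Import-Csv -Path (Join-Path $BackupPath 'gpo-manifest.csv')) {
        $baseline[$row.Id] = $row
    }
    foreach ($gpo in Get-GpoFingerprint) {
        $old = $baseline[$gpo.Id]
        if (-not $old) {
            [pscustomobject]@{ Name = $gpo.Name; Id = $gpo.Id; Change = 'NEW' }
        }
        elseif ($old.Sha256 -ne $gpo.Sha256 -or
                $old.ComputerVersion -ne $gpo.ComputerVersion -or
                $old.UserVersion -ne $gpo.UserVersion) {
            $versions = "$($old.ComputerVersion)/$($old.UserVersion) -> $($gpo.ComputerVersion)/$($gpo.UserVersion)"
            [pscustomobject]@{ Name = $gpo.Name; Id = $gpo.Id; Change = "MODIFIED (computer/user version $versions)" }
        }
        $baseline.Remove($gpo.Id)
    }
    # Anything left in the manifest no longer exists in the domain
    foreach ($gone in $baseline.Values) {
        [pscustomobject]@{ Name = $gone.Name; Id = $gone.Id; Change = 'DELETED' }
    }
}

# Take the baseline once, then run the comparison on a schedule
New-GpoBaseline | Out-Null
Compare-GpoBaseline | Format-Table -AutoSize
```

The version counters come straight from the GPO's AD object and increment on every edit, which is the same signal GPOTool (listed further down) uses to compare DCs; the hash catches the rare case where the counters did not move but the settings did. A GPO that shows up as MODIFIED without a matching change record is the thing to investigate, and Import-GPO from the backup folder is the way back to the known state.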

19 Active Directory and Group Policy CLI tools

Below are some CLI tools for managing Active Directory (AD) and Group Policy Objects (GPO):

1. DSADD: A command-line tool used to create new AD objects, such as users, groups, computers, or OUs.
2. DSMOD: A command-line tool used to modify existing AD objects, such as updating user attributes or adding members to a group.
3. DSQUERY: A command-line tool used to search for and retrieve AD objects based on specific criteria.
4. DSGET: A command-line tool used to display the properties of AD objects, such as users, groups, or computers.
5. DSREMOVE: A command-line tool used to delete AD objects, such as users, groups, computers, or OUs.
6. DSRM: A command-line tool used to delete AD objects, similar to DSREMOVE, but with additional options for deleting tree structures.
7. PowerShell: PowerShell is a powerful command-line scripting environment with many AD-specific cmdlets for managing and automating AD tasks, such as creating, modifying, and deleting objects.
8. REPADMIN: A command-line tool used for diagnosing and managing replication in AD.
9. DCDIAG: A command-line tool used for diagnosing and troubleshooting domain controller issues.
10. NLTEST: A command-line tool used for testing domain trust relationships and locating domain controllers.
11. Ntdsutil: A command-line tool used for managing AD databases, performing metadata cleanup, and more.
12. LDIFDE: A command-line tool used for importing and exporting AD objects using the LDAP Data Interchange Format (LDIF).
13. CSVDE: A command-line tool used for importing and exporting AD objects using the comma-separated values (CSV) format.
14. DirSync: A directory synchronization tool for syncing on-premises AD with Azure AD.
15. Azure AD Connect: A tool for integrating on-premises AD with Azure AD, which also provides command-line options for managing synchronization tasks.
16. GPUpdate: A command-line tool used for forcing an immediate refresh of Group Policy settings on a local computer.
17. GPResult: A command-line tool used for generating a report on the Group Policy settings applied to a user or computer.
18. GPOTool: A command-line tool used for checking the consistency of GPO version numbers between domain controllers.
19. GPMC Scripts: A set of sample scripts included with the Group Policy Management Console (GPMC) that can be used for managing GPOs, GPO links, and other Group Policy-related tasks.

10 Group Policy terms

Group Policy is a feature in Active Directory (AD) environments that allows administrators to centrally manage and configure settings for users and computers. Here are some key Group Policy terms:

1. Group Policy Object (GPO): A collection of policy settings that can be linked to Organizational Units (OUs), domains, or sites within an AD environment. GPOs enable administrators to apply settings and restrictions to users and computers.

2. Group Policy Management Console (GPMC): A centralized interface for managing Group Policy within an AD environment. GPMC allows administrators to create, edit, link, and delete GPOs, as well as manage security filtering and delegation.

3. Security Filtering: A mechanism that allows administrators to target GPOs to specific users, groups, or computers. Security filtering is based on the permissions assigned to security principals (e.g., Read and Apply Group Policy).

4. WMI Filtering: Windows Management Instrumentation (WMI) filtering enables administrators to target GPOs to computers based on criteria such as operating system, hardware, or installed software. WMI filters are applied to GPOs using WMI Query Language (WQL) queries.

5. Loopback Processing: A Group Policy setting that allows administrators to apply user policy settings based on the computer account rather than the user account. This is useful for applying consistent settings to users on specific computers, such as kiosk or lab machines.

6. Resultant Set of Policy (RSoP): A tool for analyzing the cumulative effect of applied GPOs on a user or computer account. RSoP helps administrators determine which policy settings are being applied and troubleshoot potential issues.

7. Inheritance: The process by which GPOs are applied to child objects (e.g., sub-OUs) based on the settings applied to parent objects (e.g., parent OUs or domain). Inheritance can be blocked or enforced to control the propagation of GPO settings.

8. GPO Link: The association between a GPO and an OU, domain, or site in AD. The link determines where the GPO's settings are applied.

9. GPO Precedence: The order in which GPOs are processed and applied to users and computers. GPO precedence is determined by the link order, with lower numbers having higher precedence. If multiple GPOs have conflicting settings, the GPO with the highest precedence takes effect.

10. Delegation: The assignment of permissions to specific users or groups, allowing them to manage GPOs or parts of GPOs. Delegation enables administrators to distribute GPO management tasks to other users while maintaining control over sensitive settings.
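Most of the terms above can be read directly from an OU with the GroupPolicy cmdlets. The following is an added example, not part of the original post, that audits the effective policy on one OU: it lists every GPO that applies there in precedence order, shows whether each link is enforced or disabled, whether the OU blocks inheritance, which security principals actually receive the GPO (security filtering), which WMI filter is attached, and whether the GPO turns on loopback processing. It assumes the GroupPolicy module is installed and uses the OU DN from the examples above; the function name is a choice made here.

```powershell
# Added example (not part of the original post): an audit of the effective Group Policy on
# one OU, covering precedence, enforcement, blocked inheritance, security filtering, WMI
# filtering and loopback processing as defined above. Assumptions: the GroupPolicy module
# is installed; the OU DN is the one used elsewhere on this page; the function name is ours.
Import-Module GroupPolicy

function Get-OuPolicyAudit {
    param([Parameter(Mandatory)][string]$Target)

    $inh = Get-GPInheritance -Target $Target
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$Target blocks inheritance; only enforced links from parent containers still apply."
    }

    # InheritedGpoLinks lists every link that applies here, inherited ones included, in the
    # same order as the GPMC 'Group Policy Inheritance' tab: precedence 1 wins conflicts.
    $precedence = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $precedence++
        $gpo = Get-GPO -Guid $link.GpoId

        # Security filtering: only trustees holding 'Apply Group Policy' (and not denied) receive the GPO
        $appliesTo = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
            ForEach-Object { $_.Trustee.Name }

        # Loopback is a computer-side registry policy: UserPolicyMode 1 = merge, 2 = replace.
        # The cmdlet errors when the value is not configured, so that case is silenced.
        $loopback = Get-GPRegistryValue -Guid $link.GpoId `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' `
            -ErrorAction SilentlyContinue
        $loopbackMode = ''
        if ($loopback) { $loopbackMode = @{ 1 = 'Merge'; 2 = 'Replace' }[[int]$loopback.Value] }

        $wmi = ''
        if ($gpo.WmiFilter) { $wmi = $gpo.WmiFilter.Name }

        [pscustomobject]@{
            Precedence  = $precedence
            GpoName     = $link.DisplayName
            LinkedAt    = $link.Target
            Enforced    = $link.Enforced
            LinkEnabled = $link.Enabled
            GpoStatus   = $gpo.GpoStatus
            WmiFilter   = $wmi
            Loopback    = $loopbackMode
            AppliesTo   = ($appliesTo -join '; ')
        }
    }
}

Get-OuPolicyAudit -Target 'OU=Users,DC=example,DC=com' | Format-Table -AutoSize
```

Reading the output against the definitions above: an enforced link from the domain sits at the top of the list even when the OU blocks inheritance; a GPO whose AppliesTo column is empty is linked but reaches nobody; a GPO with a WMI filter applies only where the filter's WQL query returns true; and Replace-mode loopback on a computer OU means user settings from the GPOs linked to the user's own OU are ignored for those machines. Changes to any of these columns are a legitimate subject for change control, since each one alters who gets which settings without touching the settings themselves.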

5 FSMO terms with short explanations

FSMO (Flexible Single Master Operations) refers to specialized roles held by domain controllers within an Active Directory (AD) environment. These roles are assigned to ensure proper functioning and prevent conflicts in specific tasks. There are five FSMO roles:

1. Schema Master: This role is responsible for controlling updates and modifications to the AD schema. The schema defines object classes, attributes, and their relationships in AD. There can be only one Schema Master within an entire AD forest.

2. Domain Naming Master: This role manages the addition and removal of domains within an AD forest. It ensures that each domain has a unique name and prevents the creation of duplicate domains. There can be only one Domain Naming Master within an entire AD forest.

3. PDC Emulator (Primary Domain Controller Emulator): This role emulates the primary domain controller for legacy systems and handles time synchronization, password changes, and account lockouts. The PDC Emulator is also the authoritative source for password updates. There can be one PDC Emulator per domain.

4. RID Master (Relative ID Master): This role is responsible for assigning unique relative identifiers (RIDs) to domain controllers for creating new security principals (e.g., users, groups, and computers). Each security principal must have a unique SID (Security Identifier), which includes the RID. There can be one RID Master per domain.

5. Infrastructure Master: This role maintains cross-domain references and ensures consistency when moving or renaming objects between domains. The Infrastructure Master updates references to objects in other domains and is particularly important in a multi-domain environment. There can be one Infrastructure Master per domain.
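The role holders can be read from the forest and domain objects, but knowing the names is only the first step. The following is an added example, not part of the original post, that lists all five FSMO holders, checks that each one is still a DC the directory knows about, applies the well-known Infrastructure Master caveat (in a multi-domain forest the role does nothing if it sits on a Global Catalog while other DCs are not GCs, because a GC never holds stale cross-domain references to fix), and reports how much of the domain's RID pool the RID Master has handed out. It assumes the ActiveDirectory module is installed; the function names are choices made here.

```powershell
# Added example (not part of the original post): FSMO holder inventory with two practical
# checks, the Infrastructure Master / Global Catalog caveat and RID pool consumption.
# Assumptions: the ActiveDirectory module (RSAT) is installed; the function names are ours.
Import-Module ActiveDirectory

function Get-FsmoStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $allDcs = Get-ADDomainController -Filter *
    $everyDcIsGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })

    $roles = @(
        [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
        [pscustomobject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
        [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
    )

    foreach ($r in $roles) {
        $dc = $allDcs | Where-Object { $_.HostName -eq $r.Holder }
        $note = ''
        if (-not $dc) {
            # The role points at a server the directory no longer lists as a DC
            $note = 'holder is not a known DC; the role needs to be seized or transferred'
        }
        elseif ($r.Role -eq 'InfrastructureMaster' -and $forest.Domains.Count -gt 1 -and
                $dc.IsGlobalCatalog -and -not $everyDcIsGc) {
            $note = 'Infrastructure Master is a GC but not every DC is; cross-domain references will not be updated'
        }
        [pscustomobject]@{
            Role = $r.Role; Scope = $r.Scope; Holder = $r.Holder
            IsGlobalCatalog = [bool]($dc -and $dc.IsGlobalCatalog); Note = $note
        }
    }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    # rIDAvailablePool packs two 32-bit numbers into one 64-bit value:
    # high half = ceiling of the domain's RID space, low half = next RID the RID Master will allocate
    $ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
        -Properties rIDAvailablePool -Server $domain.RIDMaster
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $ceiling = $pool -shr 32
    $nextRid = $pool -band 0xFFFFFFFF
    [pscustomobject]@{
        RidMaster   = $domain.RIDMaster
        PoolCeiling = $ceiling
        NextRid     = $nextRid
        Remaining   = $ceiling - $nextRid
        PercentUsed = [math]::Round(100 * $nextRid / $ceiling, 2)
    }
}

Get-FsmoStatus | Format-Table -AutoSize
Get-RidPoolStatus
```

Every new user, group or computer consumes a RID, and each DC draws its RIDs in blocks from the RID Master, so a RID Master that is offline for long enough stops object creation domain-wide; watching NextRid climb unexpectedly fast is also a cheap way to notice bulk account creation. `netdom query fsmo` shows the same five holders from a plain command prompt.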

100 Active Directory terms

1. Active Directory (AD): Directory service for managing Windows-based networks and resources.
2. Domain Controller (DC): Server that hosts Active Directory services and authenticates users.
3. Forest: Highest level of logical grouping in Active Directory, containing one or more domains.
4. Domain: Logical group of network objects within an AD forest, sharing a common namespace.
5. Organizational Unit (OU): Container for organizing AD objects like users, groups, and computers.
6. Group Policy: Centralized management of settings and configurations for users and computers.
7. Group Policy Object (GPO): Collection of policy settings linked to OUs, domains, or sites.
8. Security Group: Group of users, computers, or other groups used for access control.
9. Distribution Group: Group used for email distribution in Microsoft Exchange environments.
10. Global Catalog (GC): Centralized index of AD objects, used for searches and logins.
11. LDAP: Lightweight Directory Access Protocol, used to access and manage AD information.
12. DNS: Domain Name System, resolves domain names to IP addresses, critical for AD functionality.
13. Sites: Represents physical locations in AD, helps optimize network traffic.
14. Subnet: IP address range associated with a specific site.
15. Site Link: Represents network connection between sites, used for replication traffic.
16. Replication: Process of synchronizing AD data across domain controllers.
17. FSMO: Flexible Single Master Operations, specialized roles held by DCs for specific tasks.
18. RID Master: Assigns unique relative IDs for new objects, one of the FSMO roles.
19. PDC Emulator: Emulates Primary Domain Controller, handles password changes and time sync.
20. Infrastructure Master: Maintains cross-domain references, one of the FSMO roles.
21. Domain Naming Master: Manages addition and removal of domains in a forest.
22. Schema Master: Controls updates to the AD schema, one of the FSMO roles.
23. Global Catalog Server: DC with a full copy of all objects in the forest.
24. Trust Relationship: Enables resource sharing and authentication between domains.
25. Kerberos: Authentication protocol used by AD to verify user and service identity.
26. Ticket Granting Ticket (TGT): Kerberos ticket for access to services within a domain.
27. Service Ticket: Kerberos ticket for a specific service.
28. SPN: Service Principal Name, uniquely identifies a service in a domain.
29. NTLM: NT LAN Manager, older authentication protocol used as a fallback for Kerberos.
30. SID: Security Identifier, unique identifier for security objects in AD.
31. RID: Relative Identifier, unique within a domain, combined with the domain SID to form a full SID.
32. USN: Update Sequence Number, used to track changes and replication in AD.
33. Tombstone: Deleted AD object that remains in the database for a specified period.
34. dcpromo: Deprecated utility for promoting and demoting domain controllers.
35. AD DS: Active Directory Domain Services, the main AD component for managing resources.
36. AD LDS: Active Directory Lightweight Directory Services, a lightweight AD variant.
37. AD FS: Active Directory Federation Services, enables single sign-on across applications.
38. AD RMS: Active Directory Rights Management Services, secures sensitive data.
39. GMSA: Group Managed Service Account, automates password management for service accounts.
40. Password policy: Configures password requirements and settings for users.
41. Fine-Grained Password Policy: Applies different password policies to specific users/groups.
42. CSVDE: Command-line tool for importing/exporting AD objects using CSV files.
43. LDIFDE: Command-line tool for importing/exporting AD objects using LDIF files.
44. REPADMIN: Command-line tool for diagnosing and managing replication in AD.
45. DCDIAG: Command-line tool for diagnosing and troubleshooting domain controller issues.
46. NLTEST: Command-line tool for testing domain trust relationships and locating DCs.
47. Ntdsutil: Command-line tool for managing AD databases, performing metadata cleanup, and more.
48. ADSI Edit: Graphical tool for managing AD objects and attributes at a low level.
49. Attribute Editor: Tab in the AD Users and Computers console for editing object attributes.
50. Group Policy Management Console (GPMC): Centralized interface for managing Group Policy.
51. Resultant Set of Policy (RSoP): Tool for analyzing the cumulative effect of applied GPOs.
52. Delegation of Control: Assigning limited administrative privileges to specific users or groups.
53. Read-Only Domain Controller (RODC): DC with read-only AD database, used in branch offices.
54. SYSVOL: Shared folder on DCs containing scripts, GPOs, and other AD-related files.
55. FRS: File Replication Service, deprecated replication technology for SYSVOL.
56. DFS-R: Distributed File System Replication, used for replicating SYSVOL in modern AD.
57. UPN: User Principal Name, user identifier format resembling an email address.
58. Netlogon: Service on DCs for authenticating users and handling domain-related tasks.
59. SAM: Security Accounts Manager, stores local user and group information on Windows systems.
60. Local Security Authority (LSA): Component responsible for enforcing security policies.
61. Security Token: Data structure containing user's security identifier and group memberships.
62. AD Recycle Bin: Feature for easily recovering accidentally deleted AD objects.
63. Active Directory Administrative Center (ADAC): Graphical management tool for AD.
64. PowerShell: Command-line scripting environment, with AD-specific cmdlets for management.
65. PSOs: Password Settings Objects, used to define fine-grained password policies.
66. Authentication Silos: Groups of users or computers with restricted authentication scope.
67. Shadow Groups: Dynamic groups that mirror the membership of another group or attribute.
68. Active Directory Users and Computers (ADUC): Management console for AD objects.
69. Domain functional level: Minimum domain controller OS version within a domain.
70. Forest functional level: Minimum domain controller OS version across all domains in a forest.
71. Active Directory Sites and Services: Management console for AD sites, subnets, and replication.
72. Schema: Set of rules defining AD object classes, attributes, and their relationships.
73. DirSync: Directory synchronization tool for syncing on-premises AD with Azure AD.
74. Azure AD Connect: Tool for integrating on-premises AD with Azure AD.
75. ADFS Proxy: Server that enables external access to AD FS for single sign-on.
76. Home Folder: Personal network storage location for users, typically mapped as a network drive.
77. Roaming Profiles: User profiles stored on a server, enabling consistent settings across devices.
78. Folder Redirection: Redirects user folders to network locations for centralized storage.
79. Universal Group: AD group type that can contain members from any domain in a forest.
80. Domain Local Group: AD group type that can have members from the same domain.
81. Global Group: AD group type that can contain members from its own domain only.
82. Security Principal: AD object that can be assigned permissions, such as users, groups, or computers.
83. Object Class: Defines a type of object in AD, such as user, group, or computer.
84. Object Attribute: Property of an AD object, such as name, description, or email address.
85. LDAP Query: Search filter used to locate specific objects or attributes in AD.
86. LDAPS: LDAP over SSL, a secure version of LDAP for encrypting communication with AD.
87. SACL: System Access Control List, defines auditing settings for AD objects.
88. DACL: Discretionary Access Control List, defines access permissions for AD objects.
89. ACE: Access Control Entry, individual permission entry in a DACL or SACL.
90. ACL: Access Control List, a collection of ACEs defining access permissions or audit settings.
91. Inheritance: Permission propagation from parent objects to child objects in AD hierarchy.
92. AGDLP: Account-Global-Domain Local-Permission, a best practice for granting permissions in AD.
93. AGUDLP: Account-Global-Universal-Domain Local-Permission, a best practice for multi-domain environments.
94. AAD: Azure Active Directory, Microsoft's cloud-based identity and access management service.
95. Hybrid Identity: Integration of on-premises AD and Azure AD for single sign-on and management.
96. Azure AD B2B: Business-to-business collaboration feature in Azure AD for external users.
97. Azure AD B2C: Business-to-customer identity management in Azure AD for customer-facing apps.
98. MFA: Multi-Factor Authentication, additional security layer requiring more than one verification method.
99. Conditional Access: Azure AD feature for enforcing access policies based on user context.
100. IdP: Identity Provider, a system responsible for authenticating and authorizing users.

100 VMware, vCenter and ESXi terms

1. vCenter Server: Centralized management platform for VMware vSphere environments.
2. ESXi: VMware's hypervisor, allowing virtualization of physical servers.
3. VM: Virtual machine, a virtualized computing environment.
4. vSphere: VMware's suite for managing virtualized data centers.
5. vMotion: Live migration of VMs between hosts without downtime.
6. DRS: Distributed Resource Scheduler, balances workloads across hosts.
7. HA: High Availability, restarts VMs on other hosts if a host fails.
8. SSO: Single Sign-On, central authentication for VMware products.
9. VUM: vSphere Update Manager, manages updates and patches for vSphere components.
10. vSAN: Virtual SAN, software-defined storage solution.
11. VDS: vSphere Distributed Switch, centralized network management for VMs.
12. vSwitch: Virtual switch, network switch for VMs on a host.
13. Resource pool: Group of VMs sharing resources like CPU and memory.
14. Datastore: Storage location for VM files, shared among hosts.
15. OVF: Open Virtualization Format, standard for packaging VMs.
16. Hot-add: Adding resources to a running VM without downtime.
17. Snapshot: Point-in-time copy of a VM's state.
18. Templates: Pre-configured VMs for fast deployment.
19. vApp: Container for managing multiple VMs with shared configurations.
20. VCHA: vCenter High Availability, protects vCenter Server against failures.
21. VAMI: vSphere Appliance Management Interface, manages vCenter Server Appliance.
22. Host profile: Configuration template for ESXi hosts.
23. Auto Deploy: Automates deployment of ESXi hosts using PXE boot.
24. VMFS: Virtual Machine File System, filesystem for storing VMs.
25. NFS: Network File System, file sharing protocol for datastores.
26. Fault Tolerance: Provides continuous availability by running two synchronized VMs.
27. vSphere Replication: VM replication for disaster recovery.
28. Storage vMotion: Live migration of VM storage without downtime.
29. VAAI: vSphere APIs for Array Integration, offloads storage tasks to storage arrays.
30. VASA: vSphere APIs for Storage Awareness, enables storage visibility and management.
31. EVC: Enhanced vMotion Compatibility, allows vMotion between hosts with different CPUs.
32. VCAP: vSphere Client plug-in, extends vCenter functionality with third-party applications.
33. Proactive HA: Predictive High Availability, relocates VMs based on hardware health alerts.
34. vSphere Lifecycle Manager: Simplifies lifecycle management for vSphere infrastructure.
35. Content Library: Centralized repository for VM templates, ISO images, and scripts.
36. Linked Mode: Connecting multiple vCenter Servers for centralized management.
37. VMkernel: Operating system layer of ESXi, responsible for resource management.
38. vSphere Web Client: Browser-based interface for managing vSphere environments.
39. vSphere Client (HTML5): Modern, HTML5-based interface for managing vSphere environments.
40. Storage I/O Control: Balances storage I/O resources among VMs on shared storage.
41. Network I/O Control: Balances network I/O resources among VMs and system traffic.
42. Storage DRS: Storage Distributed Resource Scheduler, balances storage capacity and I/O.
43. VADP: vSphere APIs for Data Protection, enables third-party backup and recovery solutions.
44. Affinity rules: Define VM placement preferences to improve performance or availability.
45. Alarms: Monitors and alerts for vSphere components based on predefined conditions.
46. Permissions: Control access to vSphere components through user and group roles.
47. Tags: Metadata for organizing and searching vSphere objects.
48. Custom attributes: Custom metadata fields for annotating vSphere objects.
49. VM-Host affinity rules: Define VM-host placement preferences for better resource utilization.
50. Nested virtualization: Running a VM inside another VM, typically for lab or testing purposes.
51. VIB: vSphere Installation Bundle, a package containing drivers or software for ESXi.
52. Paravirtualization: Technique to improve VM performance by using specialized virtual hardware.
53. vGPU: Virtual Graphics Processing Unit, sharing physical GPU resources among VMs.
54. NIOC: Network I/O Control, prioritizes and allocates network resources for VMs.
55. Admission Control: Ensures sufficient resources are available for VM failover in HA clusters.
56. VMCI: Virtual Machine Communication Interface, allows fast communication between VMs and hosts.
57. DPM: Distributed Power Management, powers hosts on/off based on resource demand.
58. Storage Profiles: Define storage capabilities and requirements for VM placement.
59. Storage Policy-Based Management: VM storage provisioning based on defined policies.
60. VM Encryption: Protects VM data by encrypting VM files at rest.
61. Instant Clone: Rapidly creates VM copies without the need for full clones.
62. vSphere Trust Authority: Enhances security by establishing a trusted relationship with hosts.
63. Secure Boot: Ensures only digitally signed software runs on ESXi hosts and VMs.
64. Per-VM EVC: Enables EVC at the VM level, allowing migration across different CPU generations.
65. Resource allocation settings: Configure shares, reservations, and limits for VM resources.
66. Transparent Page Sharing: Memory-saving technique by sharing identical memory pages.
67. Memory Ballooning: Reclaims unused memory from VMs to allocate to others.
68. CPU Ready: Metric indicating a VM's CPU time waiting to be scheduled.
69. Lockstep: Technique used by Fault Tolerance to keep primary and secondary VMs in sync.
70. Image Builder: Creates custom ESXi images by adding or removing VIBs from base images.
71. SCSI Reservation: Lock mechanism for coordinating access to shared storage resources.
72. LUN Masking: Restricts access to storage LUNs for specific hosts.
73. iSCSI: Internet Small Computer System Interface, IP-based protocol for storage area networks.
74. RDM: Raw Device Mapping, direct access to a physical storage device from a VM.
75. Thin Provisioning: Allocates storage space to VMs on-demand, conserving storage resources.
76. Thick Provisioning: Allocates entire storage space to VMs upfront, improving performance.
77. IOPS: Input/Output Operations Per Second, measures storage performance.
78. Latency: Time delay between a storage request and response, impacts performance.
79. NUMA: Non-Uniform Memory Access, optimizes memory access in multi-processor systems.
80. vNUMA: Virtual NUMA, exposes NUMA architecture to VMs for performance optimization.
81. DVS Health Check: Monitors vSphere Distributed Switch configuration for consistency.
82. LACP: Link Aggregation Control Protocol, combines multiple network links for redundancy.
83. Port Group: Logical grouping of network ports on a vSwitch or VDS.
84. PVLAN: Private VLAN, isolates VM network traffic within the same VLAN.
85. VXLAN: Virtual Extensible LAN, overlay network that extends Layer 2 across Layer 3.
86. SR-IOV: Single Root I/O Virtualization, enables direct access to physical network devices.
87. NSX: VMware's network virtualization and security platform.
88. vSphere Integrated Containers: Runs containerized applications natively on vSphere infrastructure.
89. Virtual Hardware Version: Represents the virtual hardware features available to a VM.
90. VMware Tools: Suite of utilities to enhance VM performance and management.
91. vSphere SDK: Software Development Kit for building custom applications for vSphere.
92. OVA: Open Virtual Appliance, a single file package of an OVF.
93. vRealize Operations: Performance monitoring and capacity management for vSphere environments.
94. vRealize Log Insight: Log analytics and troubleshooting tool for vSphere.
95. vRealize Automation: Automates provisioning and management of applications and infrastructure.
96. vCloud Director: Manages and provisions multi-tenant cloud resources.
97. vCloud Suite: Integrated set of VMware's cloud management tools.
98. vSphere ROBO: Remote Office Branch Office, simplifies management of remote sites.
99. vSphere Essentials Kit: All-in-one solution for small businesses, includes core vSphere features.
100. vSphere Standard/Enterprise/Enterprise Plus: Different editions of vSphere with varying features.