adding and confirm onsite
zhibolau committed Aug 16, 2016
1 parent cb2118c commit add2fe6
Showing 7 changed files with 88 additions and 2 deletions.
1 change: 1 addition & 0 deletions 0CloudSupportAssociateMianJing.txt
Original file line number Diff line number Diff line change
Expand Up @@ -586,6 +586,7 @@ Global catalog
Built in tools to troubleshoot network issues
Best security practices for windows servers
User not authorized to rdp error
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Why shouldn’t you reboot during windows updates
What does site binding refer to
How can you list network routes in windows
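Review bot: the only added line in this hunk is a run of exclamation marks with no content, which leaves a reader of the study notes guessing whether it flags a question to revisit or just separates the two halves of the list; replace it with the actual note it was meant to carry (for example the question to research) or drop it.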
14 changes: 14 additions & 0 deletions Active Directory forest.txt
@@ -0,0 +1,14 @@
Active Directory forest.txt

An Active Directory forest is the highest level of organization within Active Directory. Each forest shares a single database, a single global address list and a security boundary. By default, a user or administrator in one forest cannot access another forest.

Forests, trees, and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
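Review bot: the opening sentence says each forest "shares a single database", which contradicts the later statement that the objects of a single domain are stored in a single database; what the forest shares is the schema, the configuration and the global catalog, as the last paragraph correctly says, so suggest rewording the first sentence to match. The definition of a tree as "one or more domains and domain trees" is circular; "one or more domains in a contiguous DNS namespace linked by transitive trusts" says the same without referring to itself.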
2 changes: 1 addition & 1 deletion Active Directory.txt
@@ -1,7 +1,7 @@
Active Directory.txt


Active Directory provides a centralised control for network administration and security. Server computers configured with Active Directory are known as domain controllers. Active Directory stores all information and settings for a deployment in a central database, and allows administrators to assign policies and deploy and update software.
Active Directory provides a centralised control for network administration and security. Server computers configured with Active Directory are known as domain controllers. Active Directory stores all information and settings for a deployment in a central database, and allows administrators to assign policies(GPO?) and deploy and update software.

If your office used Active Directory, all of the machines would be connected on a domain, which means all of the information is stored in a central location, not locally on the individual computers’ hard drives. The domain is controlled by a global catalog, which keeps track of all of the devices that are registered to the network. The global catalog stores the IP addresses, computer names, and users, so that the global administrator can oversee everything that happens on the domain. In order to access someone else’s computer, a user would just need that computer’s name, because everything is already linked on the back end.

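Review bot: the change only appends "(GPO?)" to "assign policies", leaving an open question in the note rather than an answer; the mechanism is Group Policy Objects, so write "assign policies through Group Policy Objects (GPOs)" and drop the question mark. The unchanged paragraph below also says the global catalog "stores the IP addresses"; the Global catalog.txt file added in this same commit describes it as full and partial copies of directory objects, not a host-to-address mapping, so that sentence is worth correcting in a follow-up.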
33 changes: 33 additions & 0 deletions Best security practices for windows servers.txt
@@ -0,0 +1,33 @@
Best security practices for windows servers.txt

Best Practices for Security Fundamentals

Physically secure your computers
Apply the most recent security updates to all computers
Protect against unauthorized administrators
Enforce role separation to limit administrative exposure
Design for defense in depth
Create and maintain secure baselines for all systems
Use strong passwords or pass phrases
Control access to exported files
Secure package source files

1: Reduce the attack surface whenever possible
2: Use only reputable applications
3: Use a normal user account when you can
4: Create multiple Administrator accounts
5: Don't go overboard with audit logging
6: Make use of local security policies
7: Review your firewall configuration
8: Practice isolation of services
9: Apply security patches in a timely manner
10: Make use of the Security Configuration Wizard
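Review bot: the two lists overlap ("Apply the most recent security updates to all computers" against "9: Apply security patches in a timely manner"; "Protect against unauthorized administrators" and "Enforce role separation" against "3: Use a normal user account when you can"), so merge them into one list or label each with its source. Item 5, "Don't go overboard with audit logging", reads as blanket advice to log less and works against the detection value of the other items; suggest stating what it means, for example auditing the events that will actually be reviewed rather than everything, so the note is not taken as a reason to disable auditing.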
14 changes: 14 additions & 0 deletions Global catalog.txt
@@ -0,0 +1,14 @@
Global catalog.txt

The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest.Global catalog servers respond to global catalog queries.

A global catalog server:
Finds objects.
Supplies user principal name authentication.
Validates object references within a forest.
Supplies universal group membership information in a multiple-domain environment.


Every domain controller in a forest stores three full writable directory partitions: a domain directory partition, a schema directory partition, and a configuration directory partition. A Global Catalog is a domain controller that stores these writable directory partitions, as well as a partial, read-only copy of all other domain directory partitions in the forest. The additional directory partitions are "partial" because, although they collectively contain every object in the directory, only a limited set of specific attributes are included for each object. The Global Catalog is built automatically by the Active Directory replication system.
All of the directory partitions on a Global Catalog server, whether full or partial partitions, are stored in a single directory database (Ntds.dit) on that server. There is no separate storage area for Global Catalog attributes; they are treated as additional information in the domain controller directory database.
When a new domain is added to the forest, the information about the new domain is stored in the configuration directory partition, which reaches the Global Catalog server (and all domain controllers) through replication of forest-wide information. When a new Global Catalog server is designated, this information is also stored in the configuration directory partition and replicated to all domain controllers in the forest.
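Review bot: formatting in this file: "forest.Global catalog servers" is missing a space after the full stop, the four capabilities under "A global catalog server:" are not marked as list items, the three closing paragraphs run together without blank lines, and "global catalog" switches to "Global Catalog" halfway through; pick one form. On content, the first paragraph says the server stores a "copy of all objects" for other domains while the last says only "a limited set of specific attributes" is included for each; both are true, but saying up front that the read-only copies carry only the partial attribute set avoids the apparent contradiction.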
23 changes: 23 additions & 0 deletions User not authorized to rdp error.txt
@@ -0,0 +1,23 @@
User not authorized to rdp error.txt

How To Fix Connection Was Denied RDP Errors
When a user tries to RDP into a server or workstation they may get the error “The connection was denied because the user account is not authorized for remote login”. The cause of this error is really common but easy to fix.


The most common cause of the connection was denied error is either the user is not part of the Remote Desktop User Group or the local security policy is not configured to allow remote access.

If the user is already in the Remote Desktop User Group but the error “The connection was denied because the user account is not authorized for remote login” persists then have a look at local security policy of the server or workstation you are trying to RDP into.

Click Start > Run and type: secpol.msc

Expand Local Policies and click on User Right Assignment. This should now bring up more options in the right window of the Local Security Policy, as shown below.

Find Allow log on through Remote Desktop Services, right click on it and select Properties. You will now have the option to Add User or Group.

If this is a new server/workstation deployment you probably won’t have the Remote Desktop User Group listed. If the RDP group is already listed here, try and add the individual user that is getting the error.

Once you add the Remote Desktop Group or User then RDP should work but to be on the safe side, ensure the Remote Desktop service Logon account is the Network System and not as a local service.


in the allow list, add the user name

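Review bot: "ensure the Remote Desktop service Logon account is the Network System" names an account that does not exist; the built-in account the Remote Desktop Services service runs under is Network Service, so correct the name. "as shown below" refers to a screenshot that is not part of the text file, so drop the phrase or describe what appears. The closing fragment "in the allow list, add the user name" repeats the earlier step; from a least-privilege standpoint the fix should prefer adding the user to the Remote Desktop Users group over granting the "Allow log on through Remote Desktop Services" right to individual accounts, since per-user grants accumulate on the server and are harder to review later.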
3 changes: 2 additions & 1 deletion importance of time in a Windows domain.txt
Expand Up @@ -2,7 +2,8 @@ importance of time in a Windows domain.txt

Windows AD needs timestamps for resolving AD replication conflicts and for Kerberos authentication. Kerberos uses them to protect against replay attacks—where an authentication packet is intercepted on the network and then resent later to authenticate on the original sender's behalf.

When a Windows server receives a Kerberos authentication request, it compares the timestamp in the request to its local time. If the difference between the local time and the timestamp is too big, the authentication request is rejected and Kerberos authentication fails. The allowed time skew can be configured using the Maximum tolerance for computer clock synchronization GPO setting (located in the Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy GPO container). It determines the maximum time skew (in minutes) that Windows will tolerate between client and a server clocks in a Windows Kerberos environment. Setting the time skew too high creates a higher risk for replay attacks. The default setting is five minutes.
When a Windows server receives a Kerberos authentication request, it compares the timestamp in the request to its local time. If the difference between the local time and the timestamp is too big, the authentication request is rejected and Kerberos authentication fails.
The allowed time skew can be configured using the Maximum tolerance for computer clock synchronization GPO setting (located in the Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy GPO container). It determines the maximum time skew (in minutes) that Windows will tolerate between client and a server clocks in a Windows Kerberos environment. Setting the time skew too high creates a higher risk for replay attacks. The default setting is five minutes.

The service responsible for time synchronization between Windows clients and AD domain controllers (DCs) is the Windows Time service (W32time.exe). All Windows machines, starting with Windows 2000 and Windows XP, have the W32time service installed by default. The time service will automatically perform time synchronization at machine startup and at regular intervals (by default, every 8 hours). In an AD forest, the machines use a time hierarchy that follows the following rules:

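Review bot: the hunk only splits one paragraph into two with no change of wording, which is fine. While on this line, "between client and a server clocks" should read "between client and server clocks". It would also help to say which clock the comparison is made against: the text says the server compares the request timestamp to its local time, so the skew that matters is the client against the domain controller handling the request, which is why the W32time hierarchy described in the next paragraph keeps members synchronized to the DCs.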
