SUDAN UNIVERSITY OF SCIENCE & TECHNOLOGY
COLLEGE OF TECHNOLOGY

System Administration & Maintenance
IT Section, Third Year
LECT. Ameer Saleh
4/9/2022
System Administration

Organizations don't just run on their own: employees need computers along with access to the Internet to reach out to clients, the organization's websites need to be up and running, files have to be shared back and forth, and so much more. All of these requirements make up the IT infrastructure of an organization. IT infrastructure encompasses the software, hardware, network, and services required for an organization to operate in an enterprise IT environment. Without an IT infrastructure, employees wouldn't be able to do their jobs and the whole company would crumble before it even got started. So organizations employ the help of someone like a systems administrator to manage the company's IT infrastructure. System administrators, or Sysadmins as we like to call them, work in the background to make sure a company's IT infrastructure is always working, constantly fighting to prevent IT disasters from happening. Sysadmins have a lot of different responsibilities. Any company that has an IT presence needs a sysadmin or someone who handles those responsibilities. The role of a sysadmin can vary depending on the size of an organization. As an organization gets bigger, you need teams of Sysadmins. Their responsibilities may be separated out into different roles with job titles like network administrator and database administrator. Companies like Facebook and Apple don't have a single person running the IT show. But in smaller companies, it's usually a single person who manages the entire company's IT infrastructure. In this course, we'll focus on how just one person, you, can single-handedly manage an IT infrastructure.

Basically, a sysadmin is responsible for their company's IT services; employees need these IT services so that they can be productive. This includes things like email, file storage, running a website and more. The services have to run somewhere, and that somewhere is the servers. The term server can refer to several types, such as:
1. Web server: computer software and the underlying hardware that accepts requests via HTTP (the network protocol created to distribute web content) or its secure variant, HTTPS. A user agent, commonly a web browser or web crawler, initiates communication by making a request for a web page or other resource using HTTP, and the server responds with the content of that resource or an error message. A web server can also accept and store resources sent from the user agent if configured to do so.
2. Database server: a server which runs a database application that provides database services to other computer programs or computers, as defined by the client-server model. Database management systems (DBMSs) frequently provide database-server functionality, and some database management systems rely exclusively on the client-server model for database access.
3. Application server: a server that hosts applications or software that delivers a business application through a communication protocol.
4. Mail server: a computer system that sends and receives emails.
5. SSH server: a software program which uses the Secure Shell protocol to accept connections from remote computers. The SSH client always initiates the setup of the secure connection, and the SSH server listens for incoming connection requests (usually on TCP port 22 on the host system) and responds to them.
6. File server: a computer attached to a network that provides a location for shared disk access, i.e. storage of computer files (such as text, image, sound and video) that can be accessed by the workstations able to reach the computer sharing that storage through a computer network.
7. Proxy server: a system or router that provides a gateway between users and the internet.
8. Print server: a type of server that connects printers to client computers over a network.
9. Domain Name server (DNS): or name server, part of a hierarchical and decentralized naming system used to identify computers reachable through the Internet or other Internet Protocol networks.

So a web server provides web services, an SSH server provides SSH services to other machines, and so on and so forth. We call the machines that use the services provided by a server clients. Clients request services from a server and, in turn, the server responds with the services. A server can provide services to multiple clients at once, and a client can use multiple servers. Any computer can be a server. I can start up a web server on my own home computer that would be able to serve my own personal website on the internet for me.

Industry-standard servers typically run 24/7, and they don't run on dinky little hardware like my home laptop. They run on really powerful and reliable hardware. Server hardware can come in lots of different forms. They can be towers that sit upright and look very similar to the desktops we've seen. Those towers can be put in a closet or sit on a table if you want them to. But what if you needed to have 10 servers? The towers would start taking up way too much space. Instead, you can use rack servers, which lay flat and are usually mounted in a 19-inch-wide server rack. If you needed even more space, you could use blade servers, which are even slimmer than rack servers.

There are other form factors for servers, but these are the most common ones. You can also customize the hardware on your servers depending on the services. For example, on a file server you'll want more storage resources so that you can store more files.

Working in a small IT organization, you could potentially deal with a handful of servers. You don't want to have a monitor, keyboard and mouse for each of these servers, do you? Fortunately, you don't have to, thanks to something we learned in an earlier course: we can remotely connect to them with something like SSH. Even so, you should always have a monitor and keyboard on hand. Sometimes your network might be having issues and SSH won't be an option. A common industry practice is to use something known as a KVM switch.

KVM stands for keyboard, video and mouse. A KVM switch looks like a hub that you can connect multiple computers to and control them using one keyboard, mouse and monitor.

Cloud Computing

You studied the cloud earlier: your photos are stored in the Cloud, your email is stored in the Cloud. Cloud computing is the concept that you can access your data, use applications, store files, et cetera, from anywhere in the world as long as you have an internet connection. The Cloud is just a network of servers that store and process our data. A data center is a facility that stores hundreds, if not thousands, of servers. Companies with large amounts of data have to keep their information stored in places like data centers.

Large companies like Google and Facebook usually own their own data centers because they have billions of users that need access to their data at all times. Smaller companies could do this, but usually rent out part of a data center for their needs. When you use a Cloud service, your data is typically stored in a data center, or multiple data centers, anywhere that's large enough to hold the information of millions, maybe even billions, of users. It's easy to see why the Cloud has become a popular way of computing in the last few years. Now, instead of holding onto terabytes of storage space on your laptop, you can upload that data to a file storage service like Dropbox, which stores that data in a managed location like a data center. The same goes for your organization. Instead of managing your own servers, you can use internet services that handle everything for you, including security updates, server hardware, routine software updates, and more. But each of these options comes with a few drawbacks. The first is cost. When you buy a server, you pay upfront for the hardware. That way, you can set up services like file storage at potentially very little cost, because you're the one managing it. When you use Internet services like Dropbox that offer file storage online, the starting cost may be smaller, but in the long term costs could add up, since you're paying a fixed amount every month. When comparing the cost of services, always keep in mind what a subscription could cost you for every user in your organization. Weigh that against maintaining your own hardware in the long term, and then make a decision that works best for your organization.

The second drawback is dependency: your data is beholden to these platforms. If there's an issue with the service, someone other than you is responsible for getting it up and running again. That could cost your company precious productivity and data.

Whether you choose to maintain physical servers or use Cloud services, these are the types of things you need to think about when providing services to your company. In the next couple of lessons, we're going to talk about some of the other responsibilities of the system admin. We'll give you a high-level overview of these, then dive even deeper later in this course.

Sysadmin Tasks
Organizational Policies

In a small company, it's usually a sysadmin's responsibility to decide what computer policies to use. In larger companies with hundreds of employees or more, this responsibility usually falls under the chief security officer. But in smaller businesses, or shops as the IT lingo goes, the sysadmin has to think carefully about computer security and whether or not to allow access to certain users. There are a few common policy questions that come up in most IT settings that you should know, such as:

- Should users be allowed to install software? Probably not. You run the risk of having a user accidentally install malicious software, which we'll learn about in the upcoming course on security.
- Should users have complex passwords with certain requirements? It's definitely a good rule of thumb to require a complex password that has symbols, random numbers, and letters. A good guideline for a password is to make sure it has a minimum of 8 characters, which makes it more difficult for someone to crack.
- Should users be able to view non-work-related websites like Facebook? That's a personal call. Some organizations prefer that their employees use their work computer and network strictly for business, but many allow other uses so their employees can promote the business or its goods on social media platforms, stay up to date on current events, and so on. It will definitely be a policy that you and your organization's leaders can work out together.
- If you hand out a company phone to an employee, should you set a device password? Absolutely. People lose their mobile devices all the time. If a device is lost or stolen, it should be password protected, at the very least, so that someone else can't easily view company emails.

Whenever policies are decided upon, they have to be documented somewhere. As you know from the lesson on documentation in the first course, it's super critical to maintain good documentation. If you're managing systems, you'll be responsible for documenting your company's policies, routine procedures, and more. You can store this documentation on an internal wiki site, a file server, documentation software, wherever. The takeaway here is that having documentation of policies readily available to your employees will help them learn and follow those policies.

IT Infrastructure Services
There are many other infrastructure services that you need to be aware of. As an IT support specialist doing system administration, you'd be responsible for the IT infrastructure services in your organization. Websites and other computers are also services that have to be managed, and managing services doesn't just mean setting them up. They have to be updated routinely, patched for security holes, and kept compatible with the computers within your organization. Later in this course, we'll dive deeper into the essential infrastructure services that you might see in an IT support specialist role.

User and Hardware Provisioning

Another responsibility Sysadmins have is managing users and hardware. Sysadmins have to be able to create new users and give them access to their company's resources. On the flip side, they also have to remove users from the IT infrastructure when those users leave the company.

It's not just user accounts they have to worry about, Sysadmins are also responsible for user
machines. They have to make sure a user is able to log in and that the computer has the
necessary software that a user needs to be productive. Sysadmins also have to ensure that the
hardware they are provisioning or setting up for users is standardized in some way. Not only do
Sysadmins have to standardize settings on a machine, they have to figure out the hardware
lifecycle of a machine. They often think of the hardware lifecycle of a machine in the literal way
by answering questions like:

- When was it built?
- When was it first used?
- Did the organization buy it brand new or was it used?
- Who maintained it before?
- How many users have used it in the current organization?
- What happens to this machine if someone needs a new one?

These are all good questions to ask when thinking about an organization's technology. Sysadmins don't want to keep a ten-year-old computer in their organization. Or maybe they do. Even that's something they might have to make a decision on. There are four main stages of the hardware lifecycle.

Procurement: This is the stage where hardware is purchased or re-used for an employee.
Deployment: This is where hardware is set up so that the employee can do their job.
Maintenance: This is the stage where software is updated and hardware issues are fixed if and when they occur.
Retirement: In this final stage, hardware becomes unusable or is no longer needed and needs to be properly removed from the fleet.

In a small shop, a typical hardware lifecycle might go something like this. First, a new employee is hired by the company, and human resources tells you to provision a computer for them and set up their user account. Next, you allocate a computer you have in your inventory, or you order a new one if you need to. When you allocate hardware, you may need to tag the machine with a sticker so you can keep track of which inventory belongs to the organization. Next, you image the computer with the base image, using a streamlined method that we discussed in our last course, Operating Systems and You. Next, you name the computer with a standardized host name. This helps with managing machines.

Eventually, if a computer sees a hardware issue or a failure, you look into it and think through the next steps. If it's getting too old, you'll have to figure out where to recycle it and where to get new hardware. Finally, if a user leaves the company, you'll also have to remove their access to IT resources and wipe the machine so that you can eventually re-allocate it to someone else.
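The allocate, tag, name, offboard and re-allocate steps above, encoded as checks in a small inventory tracker. This is an added example for these notes, not code from the course or the lecturer; the site and kind codes, the hostname format, and the rule that a machine must also be wiped before retirement are assumptions.

```python
"""Hardware-lifecycle tracker for the provisioning procedure in these notes.

Added example, not code from the course or the lecturer. The four stage names
come from the notes; the asset-tag/hostname convention and the rule that a
machine is wiped and its previous user's access revoked before re-allocation
or retirement are assumptions that turn the procedure into enforced checks.
"""
import string
from dataclasses import dataclass, field
from typing import Optional

# Permitted stage transitions (assumed). A deployed machine always passes
# through Maintenance (access revoked, disk wiped) before it is handed to
# someone else or leaves the fleet.
ALLOWED = {
    "Procurement": {"Deployment"},
    "Deployment": {"Maintenance"},
    "Maintenance": {"Deployment", "Retirement"},
    "Retirement": set(),  # final stage
}
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-")


def make_hostname(site: str, kind: str, asset_tag: str) -> str:
    """Standardized host name <site>-<kind>-<tag>, e.g. 'khr-lap-000042'
    (assumed convention); enforces DNS label rules: [a-z0-9-], max 63 chars."""
    name = f"{site}-{kind}-{asset_tag}".lower()
    if len(name) > 63 or not set(name) <= HOSTNAME_CHARS:
        raise ValueError(f"invalid hostname: {name!r}")
    return name


@dataclass
class Machine:
    asset_tag: str               # inventory sticker on the chassis
    kind: str                    # 'lap', 'dsk', 'srv' ... (assumed codes)
    site: str                    # office code (assumed)
    stage: str = "Procurement"
    hostname: Optional[str] = None
    current_user: Optional[str] = None
    access_revoked: bool = True  # nobody has access to a new machine
    wiped: bool = True           # nothing on disk yet
    history: list = field(default_factory=list)

    def transition(self, new_stage: str, reason: str) -> None:
        """Move to a new stage, rejecting any step the lifecycle forbids."""
        if new_stage not in ALLOWED[self.stage]:
            raise ValueError(f"{self.asset_tag}: {self.stage} -> {new_stage} not allowed")
        self.history.append((self.stage, new_stage, reason))
        self.stage = new_stage


def allocate(m: Machine, user: str) -> str:
    """Deploy a machine to a user: image it, name it, hand it over. Refuses if
    the previous user's access is live or the disk is not wiped, so one
    employee's data never reaches the next."""
    if not (m.wiped and m.access_revoked):
        raise ValueError(f"{m.asset_tag}: wipe and revoke access before re-allocating")
    m.transition("Deployment", f"allocated to {user}")
    m.hostname = make_hostname(m.site, m.kind, m.asset_tag)
    m.current_user = user
    m.wiped = False            # imaging puts data on the disk again
    m.access_revoked = False   # the new user can now log in
    return m.hostname


def revoke_access(m: Machine) -> None:
    """First offboarding step: remove the leaving user's access."""
    m.transition("Maintenance", f"access revoked for {m.current_user}")
    m.access_revoked = True
    m.current_user = None


def wipe(m: Machine) -> None:
    """Second offboarding step: erase the disk so the machine can be re-used."""
    if m.stage != "Maintenance":
        raise ValueError(f"{m.asset_tag}: take the machine out of service before wiping")
    m.wiped = True


def retire(m: Machine, reason: str) -> None:
    """Final stage: only a wiped machine leaves the fleet."""
    if not m.wiped:
        raise ValueError(f"{m.asset_tag}: wipe before retirement")
    m.transition("Retirement", reason)


if __name__ == "__main__":
    laptop = Machine(asset_tag="000042", kind="lap", site="khr")  # constructed
    print(allocate(laptop, "alice"))   # khr-lap-000042
    revoke_access(laptop)              # alice leaves the company
    try:
        allocate(laptop, "bob")        # blocked: still holds alice's data
    except ValueError as err:
        print("blocked:", err)
    wipe(laptop)
    print(allocate(laptop, "bob"), laptop.stage, laptop.history, sep="\n")
```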

Routine Maintenance
When you manage machines for a company, you don't just set them and forget them; you have to constantly provide updates and maintenance so that they run the latest secure software. When you have to do this for a fleet of machines, you don't want to immediately install updates as soon as they come in. That would be way too time-consuming. Instead, to effectively update and manage hardware, you do something called a batch update. This means that once every month or so, you update all your servers with the latest security patches. You have to find time to take their services offline, perform the update, and verify that the new update works with the service. You also don't have to perform an update every single time new software becomes available. But it's common practice to do batch updates for security updates and very critical system updates. In the security course, we'll dive deeper into security practices, but a good guideline is to keep your systems secure by installing the latest security patches routinely. Staying on top of your security is always a good idea.

Vendors
Not only do Sysadmins in a small company work with computers, they also have to deal with printers and phones. Whether your employees have cellphones or desk phones, their phone lines have to be set up. Printers are still used in companies, which means they have to be set up so employees can use them. Sysadmins might be responsible for making sure printers are working, or, if renting a commercial printer, they have to make sure that someone can be on site to fix it. What if a company's fax machine isn't working? If you don't know what a fax machine is, that's not totally surprising. They've been slowly dying since the invention of email. Fax machines are still alive and kicking at companies, though, and they're a big pain to deal with. Sysadmins could be responsible for those, too. Video and audio conferencing machines? Yep, they probably need to handle those, too. In an enterprise setting, Sysadmins have to procure this hardware one way or another. Working with vendors or other businesses to buy hardware is a common practice. Setting up business accounts with vendors like Hewlett Packard, Dell, Apple, etc., is usually beneficial, since these companies can offer discounts to businesses. These are things that sysadmins have to think about. It's typically not scalable just to go out and purchase devices on Amazon, although if that's what's decided, they could do that too. Sysadmins must be sure to weigh their options before purchasing anything. They need to think about hardware supply: if a certain laptop model isn't available anymore, they need to think of a suitable replacement that works with their organization. Price is also something to keep in mind. They'll probably need formal approval from their manager or another leader to establish a relationship with a vendor. It's not just the technical implementation of hardware that Sysadmins have to consider. It's so many things.

Troubleshooting and Managing Issues

We talked about troubleshooting a lot in an earlier course, but it's worth mentioning again: when you're managing an entire IT infrastructure, you'll constantly have to troubleshoot problems and find solutions for your IT needs. This will probably take up most of your time as an IT support specialist. This could involve a single client machine from an employee, or a server or service that isn't behaving normally. Some folks who start their careers in IT support deepen their knowledge to become system administrators. They go from working on one machine to multiple machines. For me, I made the leap during my internship as an IT support specialist in college at a semiconductor lab. The lab ended up closing and they needed help deprecating the environment. So, what started as IT help desk support quickly transitioned to a sysadmin role. That opportunity was my golden ticket to dabble in Active Directory, subnetting and decision making, which is a core part of this job. Sysadmins also have to troubleshoot and prioritize issues at a larger scale. If a server that a sysadmin manages stops providing services to a thousand users, and one person has an issue with the printer, which do you think would have to be worked on first? Whatever the scenario, there are two skills that are critical to arriving at a good solution for your users. We already covered them in an earlier course. Do you know what they are? The first is troubleshooting: asking questions, isolating the problem, following the cookie crumbs, and reading logs are the best ways to figure out the issue. You might have to read logs from multiple machines or even the entire network. We talked about centralized logging a little bit in the last course, Operating Systems and You: Becoming a Power User. If you need a refresher on how centralized logging works, check out the supplemental reading. Anyway, the second super important skill that we covered is customer service: showing empathy, using the right tone of voice and dealing well with difficult situations. These skills are essential to all IT roles. In some companies, Sysadmins have to be available around the clock. If a server or network goes down in the middle of the night, someone has to be available to get it working again. Don't worry, a sysadmin doesn't have to be awake and available 24/7. They can monitor their services and have them alert them in case of a problem. So how do you keep track of your troubleshooting? A common industry standard is to use some sort of ticketing or bug system. This is where users can request help on an issue, and then you can track your troubleshooting work through the ticketing system. This helps you organize and prioritize issues and document troubleshooting steps. Throughout this course, we'll introduce the types of services that a sysadmin needs to maintain and what responsibilities they have in an organization. We'll also share some best practices for troubleshooting when it comes to systems administration. When you work as an IT support specialist, systems administration can become part of your job. So it helps to think about all aspects of managing an IT infrastructure in an organization. The more prepared you are, the better.

Contingency
Let's take a bit of a dark turn and talk about disasters. Like it or not, something at some point will stop working, no matter how much planning you do. This happens in both small and large companies. It's an equal-opportunity problem. You can't account for everything, but you can be prepared to recover from it. How? It's super important to make sure that your company's data is routinely backed up somewhere, preferably far away from its current location. What if a tornado struck your building and your backups got swept away with it? You wouldn't have a building to work in, let alone be able to recover your data and get people up and running again. Later in this course, we'll talk more about what methods you can use to back up your organization's data and to recover from a disaster. We'll try to keep things a little lighter in the meantime. So far, you've learned a lot about the roles and responsibilities of a sysadmin. Some of it may seem like a lot of work. Some might even seem scary. Being responsible for keeping data available isn't easy. But it's a rewarding role in IT, and you're already building your SA, or sysadmin, skill set by learning the fundamentals of IT support. Next up, we've got a quiz for you.

IT Infrastructure Services
IT infrastructure services are what allow an organization to function. These include connecting to the internet, managing networks by setting up the network hardware, connecting computers through an internal network, et cetera. In this lesson, we're going to learn about the common IT infrastructure services out there and what you need to know to start integrating them into an organization. We'll also dig deeper into each infrastructure service individually. We will focus more on the physical infrastructure services like servers, along with the network infrastructure services that keep your company connected to the Internet. In short, we'll be covering all your infrastructure service needs.

The Role of IT Infrastructure Services in SysAdmin

There are lots of IT infrastructure services that keep a company running. In a smaller company, a single person could be responsible for all of these services. In larger companies, teams of sysadmins might manage just one service. In this course, we're going to discuss what you need to set up these services as the sole IT person in the company. We'll also give you an overview of some of the cloud services that you can utilize if you want another company to run your services. Reminder: as we mentioned before, cloud services are services that are accessed through the internet, like Gmail. We can access our Gmail accounts from any computing device, as long as we're connected to the Internet. By the end of this module, you should be well versed in what services you'll need to have a functioning IT infrastructure for your company.

Types of IT Infrastructure Services

You can set up different servers to run your services on, like a server to run your file storage service. You can buy or rent hardware for these servers and set up and store them either on-site or at another location. Essentially, you manage these servers end-to-end. There's another option. If you don't want to be responsible for managing the hardware, and for keeping your server operating systems up to date with security patches and updates, you can use the Cloud alternative to maintaining your own infrastructure, which is called Infrastructure as a Service, or IaaS.

IaaS providers give you pre-configured virtual machines that you can use just as if you had a physical server. Some popular IaaS providers are Amazon Web Services and their Elastic Compute Cloud, or EC2, instances; Linode, which rents out virtual servers; Windows Azure; and Google Compute Engine, which you've been using throughout this course.

Your company's internal network is going to have multiple computers that need to be on a certain subnet. You have to assign them IP addresses, statically or using DHCP. The networking hardware has to be set up, wireless internet will probably need to be available, DNS needs to be working, et cetera. If your company is large, networking is usually taken care of by a dedicated team. But in smaller companies, you'll probably be responsible for setting up the network.

Networking can be integrated with an IaaS provider, but in recent years it has also been branched off into its own Cloud service, Networking as a Service, or NaaS. NaaS allows companies to outsource their networking services so that they don't have to deal with expensive networking hardware. Companies also won't have to set up their own network security, manage their own routing, set up WANs and private networks, and so on.

A company might want to use certain software. The right software has to be available to your company's users. You have to deal with things like licences, security, updates, and maintenance for each machine. The Cloud alternative to maintaining your own software is known as Software as a Service, or SaaS. Instead of installing a word processor on every machine, you can use Microsoft Office 365 or Google G Suite. These are both services that you can purchase that allow you to edit word-processing documents, work with spreadsheets, make presentations and more, all from a web browser.

Some companies have a product built around a software application. In this case, there are some things that software developers need in order to code, build and shape their software. First, specific applications have to be installed for their programming development environment. Then, depending on the product, they might need a database to store information. Finally, if they're serving web content like a website, they'll need to publish their product on the internet.

If you're building this entire pipeline yourself, you may need to set up a database and a web server. The programming development environment will also have to be installed on every machine that needs it. If you want an all-in-one solution for building and deploying a web application, you can use something called Platform as a Service, or PaaS. This is an entire platform that allows you to build code, store information in a database, and serve your application, all from a single platform. Popular options for PaaS are Heroku, Windows Azure, and Google App Engine. The last IT infrastructure service we'll discuss is the management of users, access and authorization. A directory service centralizes your organization's users and computers in one location so that you can add, update, and remove users and computers. Some popular directory services that you can set up are Windows Active Directory and OpenLDAP. Directory services can also be deployed in the Cloud using Directory as a Service, or DaaS, providers.

While Cloud services are a great option, it's super important that you understand how a service works and how to maintain it before you employ the help of a Cloud service. Even though Cloud services are widely used in the industry and have a lot of pros, there are also some cons. These include recurring cost and the need to depend on the provider's service.

Server Operating Systems
When you want to set up a server, you essentially install a service or application on that server, like a file storage service. The server will then provide those services to the machines that request them. Maybe you thought you'd install services on a regular operating system like Windows 10. While that's an option, typically, in an organization, you want to install your services on a server operating system. Server operating systems are regular operating systems that are optimized for server functionality. This includes functions like allowing more network connections and more RAM capacity. Most operating systems have versions specifically made for servers. In Windows, you have Windows Server. In Linux, many distributions come with server counterparts, like Ubuntu Server, which is optimized for server use. Mac OS is also available as Mac OS Server. Server operating systems are usually more secure and come with additional services already built in, so you don't have to set up these services separately. You can read more about the different server operating systems in the next supplemental reading. For now, just keep in mind that when you install services on a server, you should be sure to use a dedicated server operating system.

Virtualization
There are two ways you can run your services: either on dedicated hardware or on a virtualized instance on a server. When you virtualize a server, you're putting lots of virtual instances on one server, and each instance contains a service. There are a bunch of pros and cons to running your services on either of these platforms. Here's the rundown.

Performance: a service running on dedicated hardware will have better performance than a service running in a virtualized environment. This is because you only have one service using one machine, as opposed to many services using one machine.

Cost: server hardware can be pretty expensive. If you put a service on one piece of dedicated hardware and have to do that for nine other services, it starts to add up. One of the huge benefits of virtualizing your services is that you can have ten services running on ten different virtual instances, all on one physical server. Here's another way to think about this: on a typical server, if you only have one service running, it's probably only taking up 10-20% of your CPU utilization; the rest of the hardware isn't being utilized. You can add plenty more services to the physical server and still have a good threshold for resource utilization.

Maintenance: servers require hardware maintenance and routine operating system updates. Sometimes you need to take the service offline to do that maintenance. With virtualized services, you can quickly stop your services or migrate them to another physical server, then take as much time as you need for maintenance. Virtualized services make server maintenance much easier to do.

Points of failure: when you put a service on one physical machine and that machine has issues, you're entering a world of trouble. With virtualized services, you can easily move services off a physical machine and spin up the same service on a different machine as a backup. You could also do this with a physical server, but that could become costly if you account for multiple services. Pro tip: you can prevent a single point of failure on a physical machine if you have redundant servers set up, meaning you have duplicate servers as a backup. You will learn about backups in the upcoming module. As you can see, there are lots of benefits to using virtualized servers; just make sure to weigh the pros and cons of virtualizing your services versus using dedicated server hardware. That way you can make the right choice for your company.

Network Services

A network service that's commonly used in organizations is a file transfer service. So why would
you want to have a service dedicated to file transfer? Well, sure, you could probably carry
around a flash drive and copy files to each machine you work on, or even use the remote copy
tools we learned about in the last course, or you could store huge files and transfer them
from one computer to another over the Internet. There are a few different file transfer
protocol services that are used today.

 FTP (File Transfer Protocol): a legacy way to transfer files from one computer to
another over the Internet, and it's still in use today. It's not a secure way to
transfer data because it doesn't handle data encryption. Clients that want to access an
FTP server have to install an FTP client. On the FTP server, we install the software that
allows us to share information located in a directory on that server. FTP is primarily
used today to share web content. If you use a website host provider, you might see that
they have an FTP connection already available for use so that you can easily copy files to and
from your web site.
 SFTP: a secure version of FTP, so it makes sense to choose this option over FTP.
During the SFTP process, data is sent through SSH and is encrypted.
 TFTP (Trivial FTP): a simpler way to transfer files than using FTP. TFTP doesn't
require user authentication like FTP does, so any files that you store here should be generic
and not need to be secure. A popular use of TFTP is to host installation files. One
method of booting a computer that we haven't discussed yet is PXE boot, which
stands for Preboot Execution Environment. This allows you to boot into software that's available
over the network. A common setup for organizations that want to install software over
a network is to keep operating system installation files on a TFTP server. That way, when
you perform a network boot, you can be automatically launched into the installer.
Depending on your usage of file transfer services, you might want to weigh the options we
mentioned.

DNS (Domain Name Server)
DNS is what maps human understandable names to IP addresses. It's an important network
service to set up and maintain when managing a company's IT infrastructure. If you don't set it
up correctly, no one will be able to access websites by their names. We don't really have to
think about DNS on our personal computers. When you connect a brand new machine to the
Internet and start typing in a web address, it just works automatically. You don't have to type
in an IP address or anything, but something is happening in the background. When you connect to
a network, you're using the DNS server address that was provided by the router you connected
to. It updates your network settings to use that DNS server address, which is usually your
ISP's DNS server. From there, you're able to access pretty much any website. So why do you
need to set up your own DNS service if DNS just works out of the box? Well, there are two
reasons. First, if you're running a web service like a website, you want to be able to tell the
Internet what IP address to reach your website at. To do that, you need to set up DNS. The
second reason is that you probably want to work on your servers or user machines remotely. In
theory, you could remote access into them through an IP address, but you could also just use an
easy to remember hostname. To do that you need DNS to map the IP address to the host
name.

DNS and Active Directory


Domain Name System (DNS) is a name resolution method that is used to resolve hostnames to
IP addresses. It is used on TCP/IP networks and across the internet. DNS is a namespace.
Active Directory (https://www.windows-activedirectory.com/active-directory-ad-fundamentals.html)
is built on DNS. The DNS namespace is used internet-wide, while the Active
Directory namespace is used across a private network.
The reason behind the choice of DNS is that it is highly scalable and it is an internet standard.
In the case of Active Directory, DNS maintains a database of the services that are running on that
network. The list of services is maintained in the form of service records (SRV).
Service records allow a client in an Active Directory environment to locate any service it needs,
such as a printer. These SRV records are also used to identify the domain controllers.
A single DNS server cannot resolve every resource record on its own; several DNS servers
take part in the process. Each DNS server queries its own database to find an address
corresponding to a record. If the requested information is not available, it forwards the
query to another DNS server. For example, a name resolution may first query an Internet root
server, then the first-level domain server, then the second-level domain server, and so on,
until the name is resolved to its associated address.
Every time a computer’s IP address changes, making manual entries in the DNS database
is time-consuming and might result in some entries being left out. Hence Dynamic DNS is
required to make these updates automatic. Any newly installed server can also automatically
register its IP address and SRV records with the DNS server. Active Directory supports such
dynamic updates.
AD depends on DNS for name resolution and for locating resources on a network. DNS has a
database that maintains resource records, which help identify various servers, domains, and
services on the network. Some of the common types of DNS resource records are:

SRV record: maps a service to a particular server. A DC registers an AD DNS entry at boot time with an A
record. The DC also registers AD DNS Service (SRV) records, which map services
like Kerberos and LDAP (https://www.windows-active-directory.com/active-directoryldap.html)
to itself. When a client computer joins a network, it locates the DC by
sending a query to the DNS. The DNS then retrieves the SRV record from its database and
provides the DC’s hostname to the client. The client then asks the DNS, using this hostname,
for the DC’s IP address. Thus, without DNS, a client wouldn’t be able to authenticate
to AD or find the various services.
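As an added example (not part of the lecture notes or any Microsoft code), the following Python models the lookup just described: a client reads the SRV records for the LDAP service, orders them by priority and weight as RFC 2782 prescribes, and then resolves the chosen hostname through an A record. The forest name example.com, the DC hostnames and the addresses are constructed placeholders.

```python
# Added example (not from the lecture notes): how a client picks a domain
# controller from DNS SRV records, then resolves the chosen hostname to an
# address. All names and addresses below are constructed placeholders.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # share of clients within the same priority
    port: int
    target: str     # hostname of the server offering the service


def parse_srv(rdata: str) -> SrvRecord:
    """Parse the textual RDATA of an SRV record: 'priority weight port target'."""
    priority, weight, port, target = rdata.split()
    return SrvRecord(int(priority), int(weight), int(port), target)


# Constructed answers for _ldap._tcp.dc._msdcs.example.com (assumption:
# example.com is a placeholder forest). Two DCs share the load at priority 0;
# a disaster-recovery DC is only used when both of them are unavailable.
SAMPLE_SRV = [
    parse_srv("0 100 389 dc1.example.com."),
    parse_srv("0 100 389 dc2.example.com."),
    parse_srv("10 0 389 dc-dr.example.com."),
]

# Constructed A records for the second lookup (hostname -> IP address).
SAMPLE_A = {
    "dc1.example.com.": "10.0.0.11",
    "dc2.example.com.": "10.0.0.12",
    "dc-dr.example.com.": "10.9.0.11",
}


def order_srv(records, seed=None):
    """Return records in the order a client should try them (RFC 2782):
    ascending priority, then a weighted random draw inside each priority."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                chosen = group[0]          # all weights zero: any order will do
            else:
                point = rng.randrange(total)
                running = 0
                for rec in group:
                    running += rec.weight
                    if point < running:
                        chosen = rec
                        break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def locate_dc(srv_records, a_records, unreachable=frozenset(), seed=None):
    """Produce (hostname, ip, port) candidates in preference order, skipping
    targets known to be down and targets that have no A record (an SRV entry
    without an address cannot be used)."""
    candidates = []
    for rec in order_srv(srv_records, seed):
        if rec.target in unreachable:
            continue
        ip = a_records.get(rec.target)
        if ip is None:
            continue
        candidates.append((rec.target, ip, rec.port))
    return candidates


if __name__ == "__main__":
    for host, ip, port in locate_dc(SAMPLE_SRV, SAMPLE_A):
        print(f"try {host} -> {ip}:{port}")
```

Reading the SRV answer set for `_ldap._tcp.dc._msdcs.<forest>` and the matching A records from a real DNS server is a quick way to confirm which DCs clients will actually try first and in what order; a DC that appears in SRV without an A record is silently unusable, which the locator above mirrors by skipping it.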

Active Directory DNS zones


The DNS has a distributed database, which means that information about all the domains,
subdomains, and host mappings is not stored on just one DNS server but distributed across
multiple servers. The management of the DNS database is made easy by dividing the DNS
namespace into multiple zones and assigning the responsibility for a zone to a particular server.
An AD DNS zone is a collection of hierarchical domain names with the root domain delegated
to one or more name servers. A zone contains all the information about a domain except for the
parts of the domain delegated to other name servers. The zone file begins with an AD DNS
Start of Authority (SOA) resource record that indicates the primary name server for the zone.
[Figure: The New Zone Wizard displaying the three types of zones and storage]
For example, consider a company ABC that has the namespace abc.com delegated to the name
server ns1.abc.com. All the domains under abc.com, be it sales, marketing, HR, finance, R&D, or
administrators, can be placed in one zone. However, there could be a scenario where the
company’s sales and finance domains are administered in one country, say, the United States,
and the R&D domain is administered in India. In order to simplify the management of the DNS
database, the sales and finance subdomains can be placed in zone 1 and the responsibility given
to a name server called us.abc.com, while the R&D subdomain can be placed in a separate zone 2,
and its responsibility delegated to a name server called ind.abc.com.

Active Directory

A directory service is a hierarchical arrangement of resources that are structured in a way that
makes accessing them easy. However, functioning as a locator service is not AD’s exclusive
purpose. It also helps organizations have a central administration over all the activities carried
out in their networks. Organizations primarily use Active Directory to perform authentication
and authorization. It is a central database that is contacted before a user identity is verified and
granted access to a resource or a service. Once the authenticity of the user is verified, Active
Directory helps in determining if the user is authorized to use that particular resource or
service. If the user checks out on both counts, access is granted.

LDAP
Active Directory is based on the Lightweight Directory Access Protocol (LDAP). This protocol
provides a common language for clients and servers to speak to one another.
LDAP is a lightweight version of the Directory Access Protocol (DAP), an architecture
where the clients and servers communicate through the Open Systems Interconnection model.
DAP does not use the TCP/IP standards and requires a large investment. Hence, LDAP was
proposed as a lighter version of DAP while retaining DAP's core functionality. LDAP is
much easier on an organization’s wallet, and it also runs over TCP/IP. The DNS that AD relies on
contains records such as A records, CNAME records, MX records, and so on, which make the
functioning of the AD environment smoother.

How does Active Directory work?


Active Directory, or AD in short, allows the storage of resources in a hierarchical manner.
While deploying AD, there are two sides to be kept in mind with regard to its structure:

- The logical side: This side determines how the structure of the directory network is
arranged in a hierarchical fashion. The logical side is designed in such a way that the
hierarchy allows for certain resources to be placed within other resources, thus allowing
for parent-child relationship between the resources. This relationship can be used to
administer access rights and permissions easily. It depends on how the organization
wants to administer their IT environment.
- The physical side: This deals with the physical location of hardware such as the servers
in the physical world. It is important to design the physical structure carefully in order
to ensure performance efficiency between servers and resources.

Objects in Active Directory


Objects are components in the AD network that represent the physical resources that are part
of the AD environment. The object’s properties are defined by sets of information called
attributes. Some of the common AD objects are as follows:

- User: Every member of the organization is denoted in AD through a user object. The
user object contains the member’s details such as their first name, last name, office,
telephone number, and so on.
- Contact: A contact object is used to store the contact details of people who are not part of
the organization itself but are in some way associated with it, such as vendors or suppliers
who are not in the employ of the organization. Only the person's name and contact details
are stored. These contacts, unlike users, are not granted access to network resources.
- Printer: Refers to the printers in the network. All printers in the organization’s
network can be represented using printer objects in the AD environment.
- Computer: This object contains information about all the computers in the network.
- Shared folder: This object is a pointer that points towards the location of a shared
folder in the AD network. It should be noted that only folders, and not individual files,
can be shared. If an individual file needs to be shared, it should be placed within a
folder.
- Group: A group is a collection of directory objects put together so that certain security
policies can be assigned to them. For example, an organization would want only a
particular department to have access to certain documents. In that case, the network
administrator would create a group containing all the department members and add a
security policy, providing them access to the file server containing the documents.
- Organizational units (OUs): OUs help in structuring your network resources in an
easy to locate manner. An OU is nothing but a container within which objects such as
users, printers, computers, and others can be placed. OUs should be contained within a
single domain; they cannot be shared across domains. The hierarchical arrangement of
OUs, however, can be followed across domains.

Structure of Active Directory


Think of AD as a forest. A forest has multiple trees, and the trees contain branches and leaves.
An AD environment is designed similarly. It may consist of one or more forests that represent
the whole organization or an organization’s subsidiaries. Each AD forest is made up of one or
more domains.

What is a domain?
A domain is a collection of objects in an AD environment. All objects within a domain follow
the same policies for security and administrative purposes. Users seeking access to resources of
a domain need to be authenticated by a server called a Domain Controller (DC).
Each domain should have at least one domain controller (DC). An organization deploys
domains based on its departments or on the geographical locations of its branches. Large-scale
organizations usually create their domains based on geographical locations.
Let’s say an organization has a forest named example.com. If the organization is an MNC, it
would have deployed domains based on geographical locations, such as the various countries it
operates in. If it is a smaller organization, it would deploy domains based on departments, such
as marketing and sales, among other examples.
Once the domains have been created, OUs can be nested under the domains for each of the
sub-departments, to which users, computers, printers, and other objects can be added.

Active Directory DNS delegation
The names within a zone can be delegated to another zone maintained by a different server.
Thus the responsibility of a subdomain can be passed on to a different name server which will
handle requests for the resource records through a process called AD DNS delegation.
Delegation can be brought into effect with the help of NS and A resource records. DNS plays a
very important role in the smooth functioning of a network. In the event of DNS failure, it
would be difficult to find the IP address of a host, and thereby difficult to access any service.
DNS acts as a bidirectional translator between IP addresses and hostnames, thus making our
network communications easy.
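The walk from a root server down through delegated zones, described both in the resolution chain earlier (root server, first-level server, second-level server) and in the abc.com zone example, as an added Python illustration that is not part of the notes. The zone data is constructed: a root and a com server, ns1.abc.com with its delegations of sales and finance to us.abc.com and R&D to ind.abc.com, and the glue A records each delegation needs. Each delegated subdomain is modelled as its own zone on the server it was delegated to, and all names and addresses are placeholders.

```python
# Added example (not part of the notes): an iterative resolver following NS
# delegations root -> com -> abc.com -> delegated subdomain over constructed
# zone data. Server names, zone names and addresses are placeholders.

# Records held by each name server: owner name -> list of (type, rdata).
# Trailing dots mean fully qualified names; "." is the root.
ZONES = {
    "a.root-servers.net.": {
        ".": [("SOA", "a.root-servers.net. hostmaster.example. 1 1800 900 604800 86400")],
        "com.": [("NS", "a.gtld-servers.net.")],
        "a.gtld-servers.net.": [("A", "192.0.2.1")],        # glue
    },
    "a.gtld-servers.net.": {
        "com.": [("SOA", "a.gtld-servers.net. hostmaster.example. 1 1800 900 604800 86400")],
        "abc.com.": [("NS", "ns1.abc.com.")],
        "ns1.abc.com.": [("A", "192.0.2.10")],             # glue
    },
    "ns1.abc.com.": {
        "abc.com.": [("SOA", "ns1.abc.com. hostmaster.abc.com. 2024010101 3600 900 604800 300"),
                     ("NS", "ns1.abc.com.")],
        "ns1.abc.com.": [("A", "192.0.2.10")],
        "www.abc.com.": [("A", "192.0.2.80")],
        "hr.abc.com.": [("A", "192.0.2.81")],              # stays in the abc.com zone
        "sales.abc.com.": [("NS", "us.abc.com.")],         # delegated (zone 1)
        "finance.abc.com.": [("NS", "us.abc.com.")],       # delegated (zone 1)
        "rd.abc.com.": [("NS", "ind.abc.com.")],           # delegated (zone 2)
        "us.abc.com.": [("A", "198.51.100.53")],           # glue for the delegations
        "ind.abc.com.": [("A", "203.0.113.53")],
    },
    "us.abc.com.": {
        "sales.abc.com.": [("SOA", "us.abc.com. hostmaster.abc.com. 1 3600 900 604800 300")],
        "crm.sales.abc.com.": [("A", "198.51.100.20")],
        "finance.abc.com.": [("SOA", "us.abc.com. hostmaster.abc.com. 1 3600 900 604800 300")],
        "erp.finance.abc.com.": [("A", "198.51.100.30")],
    },
    "ind.abc.com.": {
        "rd.abc.com.": [("SOA", "ind.abc.com. hostmaster.abc.com. 1 3600 900 604800 300")],
        "git.rd.abc.com.": [("A", "203.0.113.40")],
    },
}


def resolve(name, zones=ZONES, qtype="A", start="a.root-servers.net.", max_hops=10):
    """Resolve `name` the way a recursive resolver does: ask the root, follow
    the NS referral for the closest enclosing delegation, and stop when a server
    that is authoritative for the enclosing zone answers (or reports the name
    absent). Returns (list of rdata, list of servers asked in order)."""
    server, trail = start, []
    for _ in range(max_hops):
        trail.append(server)
        data = zones[server]
        answers = [rdata for rtype, rdata in data.get(name, []) if rtype == qtype]
        if answers:
            return answers, trail
        labels = name.split(".")                 # "git.rd.abc.com." -> ["git","rd","abc","com",""]
        referral = None
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:]) or "."   # "rd.abc.com.", "abc.com.", "com.", "."
            rrs = data.get(ancestor, [])
            if any(rtype == "SOA" for rtype, _ in rrs):
                return [], trail                 # authoritative for this zone: name does not exist
            ns_targets = [rdata for rtype, rdata in rrs if rtype == "NS"]
            if ns_targets:
                referral = ns_targets[0]
                break
        if referral is None:
            raise LookupError(f"{server} holds no delegation covering {name}")
        if not any(rtype == "A" for rtype, _ in data.get(referral, [])):
            raise LookupError(f"referral to {referral} has no glue address")
        server = referral
    raise LookupError(f"gave up after {max_hops} referrals")


if __name__ == "__main__":
    for qname in ("git.rd.abc.com.", "erp.finance.abc.com.", "www.abc.com.", "nope.rd.abc.com."):
        addrs, asked = resolve(qname)
        print(f"{qname:24} {addrs or 'NXDOMAIN'}  via {' -> '.join(asked)}")
```

The refusal to follow a referral without a glue A record is deliberate: when the sales and finance zones are delegated to us.abc.com, the parent zone must also carry us.abc.com's address, or resolvers asking ns1.abc.com are pointed at a server they cannot locate.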

DNS for Web Servers


You might remember that we can use a web server to store and serve content to clients that
request our services. If clients want to reach our website, we need to set up DNS so that they
can just type a URL to find us.
We can buy a domain name like SettingUpDNSIsFun.example.com. We can purchase domain
names like this from companies called domain registrars, like GoDaddy.com or BluHost.com.
Once we have our domain name, we want to point it at our website files. Our
website files can be stored on a cloud hosting provider, or we can decide to control this
ourselves and store them on our own servers. Typically, domain registrars also provide cloud
hosting services, but they charge you a monthly fee to host your web files for you. Pro tip: if
you don't want to utilize cloud hosting services, you can just run your own web server.

DNS for Internal Networks


The other reason we might want our own DNS servers is so we can map our internal computers
to IP addresses. That way, we can reference a computer by name instead of by IP address. There
are a few ways we can do this. One is using a local hosts file, which contains static IP address
to hostname mappings. Let's take a look at an example of this. Remember that we learned that
hosts files in networking allow us to map IP addresses to hostnames manually. In Linux,
our hosts file is /etc/hosts. It has an entry mapping the IP address 127.0.0.1 to the name
localhost, which just refers back to the computer itself.
Localhost is commonly used as a way to access a local web server. If I change the name in this
mapping to www.sustech.edu, save the file, open a web browser, and type www.sustech.edu, it
won't take me to that site.
Name resolution first checks our local hosts file, then our local DNS servers. So, if there's an
entry for sustech.edu in my hosts file, I go to that IP address instead. Let's say I wanted to
access a computer at 192.168.15 whose hostname is catlady.examplecompany.com. I would
have to enter this in the hosts file of every single computer in my fleet. That's definitely not a
scalable option. So, what's our next choice? We can set up a local DNS server that contains all
the organization's computer names mapped to their IP addresses.
This is a more central storage location for this information. Then, we change the network
settings on all our computers to use this DNS server instead of the one given to us by our ISP.
Finally, let's look at one of the last DNS options we can use for an internal network. DNS can be
integrated with a directory service that handles user and machine information in a central
location, like Active Directory or LDAP. Once we set up DNS in our directory service, it will
automatically populate with machine to IP address mappings, so there's no need to enter this
information manually.
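The lookup order described above, hosts file first and DNS second, as an added Python example that is not from the notes. The hosts file text and the DNS answers are constructed samples (including a localhost override of www.sustech.edu like the one in the lecture); the extra shadowed_names check lists hosts entries that disagree with DNS, which is what an administrator wants to see when a name mysteriously resolves to the wrong address.

```python
# Added example (not from the notes): name resolution with hosts-file precedence
# over DNS. The hosts file contents, the DNS answers, the hostnames and the
# addresses are constructed placeholders.
import ipaddress

HOSTS_TEXT = """\
# constructed /etc/hosts sample
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.20.15   catlady.examplecompany.com catlady   # lab workstation
10.0.0.80       intranet.examplecompany.com
127.0.0.1       www.sustech.edu   # constructed override, as in the lecture example
"""

# Constructed stand-in for what the local DNS server would answer.
SAMPLE_DNS = {
    "www.sustech.edu": "203.0.113.7",
    "mail.examplecompany.com": "203.0.113.25",
}


def parse_hosts(text):
    """Parse hosts-file text into an ordered list of (ip, [names]).
    Blank lines, comments and lines whose first field is not an IP address are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # malformed line: ignored, as the resolver library does
        names = [n.lower() for n in fields[1:]]
        if names:
            entries.append((ip, names))
    return entries


def lookup(name, hosts, dns):
    """Resolve `name`: the first matching hosts entry wins, otherwise fall back to DNS.
    Returns the address as a string, or None when neither source knows the name."""
    wanted = name.lower().rstrip(".")
    for ip, names in hosts:
        if wanted in names:
            return ip
    return dns.get(wanted)


def shadowed_names(hosts, dns):
    """Report hosts entries that silently override a DNS answer with a different
    address. Reviewing this list is a quick check for stale or tampered entries."""
    findings = []
    for ip, names in hosts:
        for n in names:
            if n in dns and dns[n] != ip:
                findings.append((n, ip, dns[n]))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    for n in ("localhost", "catlady", "www.sustech.edu", "mail.examplecompany.com"):
        print(f"{n:28} -> {lookup(n, hosts, SAMPLE_DNS)}")
    print("overrides:", shadowed_names(hosts, SAMPLE_DNS))
```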

DHCP (Dynamic Host Configuration Protocol)
When managing IT infrastructure and you want to connect a computer to a network, you have
two options. You can give it a static IP address or a DHCP-assigned IP address. When
you use a static IP address, you have to keep track of every IP address you assign to a computer
and enter it manually in the network settings. If you enable DHCP, your computers will be
leased an IP address from a DHCP server. They'll automatically get IP addresses, and you don't
have to worry about manually setting addresses. If you ever decide you need to expand your IP
address range, you don't have to change anything on the client machines either; it just happens
automatically. To configure a DHCP server, you need to figure out which IP range you can use
to assign IP addresses. If you want to integrate with DNS, you need the address of your local
DNS servers. You also need to decide what gateway you should assign and the subnet mask that
gets used. Once you install the DHCP server software, you have to configure the settings with
this information. Different DHCP server software manufacturers have different configuration
setting layouts, so you have to investigate the specific one you want to use. There is a lot of
popular DHCP server software you can use for this. Windows Server versions come with DHCP
services built in, but you can read more about the options in the next reading. Once you turn on
your DHCP server and your clients are set to receive DHCP addresses instead of static IP
addresses, you should have working DHCP settings. In the last lesson, we talked about how DNS
ties in with DHCP. Well, now in the DHCP configuration settings, we can specify DNS server
locations. The two servers then sync up, and when DHCP leases out new addresses, DNS updates
its IP address mappings automatically. That's a super quick overview of how DHCP servers are
configured. Hopefully you can now see why DHCP and DNS are critical network services for
your organization.
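An added Python example (not from the notes) that models the scope settings just listed and what the server does with them: validating that the range and gateway fit the subnet, handing out leases from the pool while keeping the gateway, DNS server and reserved addresses out of it, renewing a returning client's lease, reclaiming expired leases, and returning the options a client receives. The subnet, addresses and MAC addresses are constructed placeholders, and the lease logic is a simplification of DHCP's discover/offer/request/acknowledge exchange.

```python
# Added example (not from the notes): a small DHCP scope and lease allocator.
# Subnet, addresses and MAC addresses are constructed placeholders.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    subnet: str                    # network in CIDR form, e.g. "192.168.50.0/24"
    range_start: str               # first address handed out dynamically
    range_end: str                 # last address handed out dynamically
    gateway: str                   # router option sent to clients
    dns_servers: list = field(default_factory=list)
    lease_seconds: int = 3600
    reservations: dict = field(default_factory=dict)   # MAC -> fixed address

    def __post_init__(self):
        # Accept strings from configuration and convert them once.
        self.subnet = ipaddress.IPv4Network(self.subnet)
        self.range_start = ipaddress.IPv4Address(self.range_start)
        self.range_end = ipaddress.IPv4Address(self.range_end)
        self.gateway = ipaddress.IPv4Address(self.gateway)
        self.dns_servers = [ipaddress.IPv4Address(d) for d in self.dns_servers]
        self.reservations = {m: ipaddress.IPv4Address(a) for m, a in self.reservations.items()}


def validate(scope):
    """List configuration problems; an empty list means the scope is usable."""
    problems = []
    if scope.gateway not in scope.subnet:
        problems.append("gateway is outside the subnet")
    if scope.range_start not in scope.subnet or scope.range_end not in scope.subnet:
        problems.append("lease range is outside the subnet")
    elif scope.range_start > scope.range_end:
        problems.append("lease range start is after its end")
    for mac, addr in scope.reservations.items():
        if addr not in scope.subnet:
            problems.append(f"reservation for {mac} is outside the subnet")
    return problems


class DhcpServer:
    def __init__(self, scope):
        problems = validate(scope)
        if problems:
            raise ValueError("; ".join(problems))
        self.scope = scope
        self.leases = {}                 # address -> (mac, expiry timestamp in seconds)

    def _pool(self):
        """Dynamically assignable addresses: the range minus infrastructure and reserved ones."""
        taken = {self.scope.gateway, *self.scope.dns_servers, *self.scope.reservations.values(),
                 self.scope.subnet.network_address, self.scope.subnet.broadcast_address}
        addr = self.scope.range_start
        while addr <= self.scope.range_end:
            if addr not in taken:
                yield addr
            addr += 1

    def request(self, mac, now):
        """Handle a lease request at time `now`. Returns the leased address, or None
        when the pool is exhausted. A returning client keeps its current address."""
        expiry = now + self.scope.lease_seconds
        for addr, (owner, _) in self.leases.items():
            if owner == mac:                       # renewal
                self.leases[addr] = (mac, expiry)
                return addr
        if mac in self.scope.reservations:         # fixed address for known hardware
            addr = self.scope.reservations[mac]
            self.leases[addr] = (mac, expiry)
            return addr
        for addr in self._pool():
            holder = self.leases.get(addr)
            if holder is None or holder[1] <= now: # free, or its lease has expired
                self.leases[addr] = (mac, expiry)
                return addr
        return None

    def client_config(self, addr):
        """The settings a client receives alongside its address."""
        return {"address": str(addr), "netmask": str(self.scope.subnet.netmask),
                "router": str(self.scope.gateway),
                "dns": [str(d) for d in self.scope.dns_servers],
                "lease_seconds": self.scope.lease_seconds}


# Constructed scope with a deliberately tiny range so pool exhaustion is visible.
SAMPLE_SCOPE = Scope("192.168.50.0/24", "192.168.50.100", "192.168.50.102", "192.168.50.1",
                     dns_servers=["192.168.50.53"], lease_seconds=600,
                     reservations={"00:11:22:33:44:55": "192.168.50.200"})

if __name__ == "__main__":
    server = DhcpServer(SAMPLE_SCOPE)
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "00:11:22:33:44:55"):
        leased = server.request(mac, now=0)
        print(mac, "->", server.client_config(leased))
```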

Software services
Sysadmins must set up and configure a lot of services. One category is software services, which
cover a wide range of functions. We'll cover the major ones here.

1. Communication services, which enable employees in a company to talk to one another.
2. Security services, which add a layer of security protection to our IT infrastructure.
3. Productivity services: the software that employees need to do their jobs.

Configuring Communication Services

Instant communication has drastically changed how we communicate, both in our personal
lives and in the workplace. We can have multiple conversations with different people in real
time using chat applications on our smartphones like Facebook Messenger or WhatsApp. In a
business setting, there are similar methods of instant communication.
The first is Internet Relay Chat (IRC), a protocol that's used for chat messages. IRC
operates in a client and server model, so lots of IRC client software can be used to connect to an
IRC server. IRC was widely used in the 1990s as a way to facilitate all kinds of chats: group
chats, individual chats, and more. It's not as widely used today, given the wave of social media
instant chat messaging, but if you're considering setting up IRC, it is a free alternative to
other chat applications.
There are a lot more sophisticated and advanced chat applications out there that offer
enterprise support. A few popular options are HipChat and Slack. There are other communication
protocols, called open IM protocols, that are widely used and integrated into different
communication applications. One of the most popular is XMPP, or Extensible Messaging and
Presence Protocol. It's an open source protocol used in instant messaging applications and
social networking services. XMPP is even used in Internet of Things (IoT) applications, among
other things. A few popular and free applications that use XMPP are Pidgin and Adium.
Chat applications can be used to promote team collaboration and efficiency. When managing an IT
infrastructure, chat should be one of the communication services that you consider implementing
for your organization.

Configuring Email Services

One communication service that you're almost guaranteed to use today is email. We use
email for a wide range of communication. In an enterprise setting, it's important for a
sysadmin, or a sole IT support specialist, to be able to configure email services for the
company. To do this, you need to have a domain name set up for your company that you can
use as your email domain, like [email protected]. When you send or receive email, you
want to use this email address. There are two ways to set up email for a company.
1. The first is to run your own managed server. Using this option, you set up the email
service software on a server, then you create a DNS record for your mail server. There
are different DNS records. Remember that the A record is used for hostnames, but for
email servers we use MX, the mail exchange record. Email server setup can be one of
the most complicated services for a sysadmin to set up. You have to get the email to
actually work, protect your email addresses from spam, filter out viruses and more. If
you'd like to learn more about setting up an email server, check out the next reading.

2. An alternative approach to setting up your own email service is to use an email service
provider, like Google Suite. These service providers allow you to create email inboxes
and more by paying a monthly fee for every user in your organization. This ties you into
the Gmail webmail client, and allows you to access your email from anywhere, as long as
you're connected to the Internet. Whatever option you choose, you'll have to understand
the differences between email protocols when setting up the email accounts.

There are lots of email protocols out there, but we'll only do a rundown of the more
common ones you'll hear about, POP3, IMAP, and SMTP.
 Post Office Protocol version 3 (POP3) is an email protocol that downloads email from an
email server onto your local device. It then deletes the email from the email server. If
you want to retrieve your email through POP3, you can only view it from one device.
There are a few reasons why you might want to use POP3 to get your email. If you need
to keep your email storage under a certain quota, POP3 is a good way to maintain that
storage limitation. Another benefit of POP3 is privacy. Your email can only be seen from
your local device. If storage limitations and security are a concern for you, you might
want to consider using POP3 over something like IMAP.
 Internet Message Access Protocol (IMAP), allows you to download emails from your
email server onto multiple devices. It keeps your messages on the email server. This
email protocol is one of the more popular ways to retrieve email.
 Simple Mail Transfer Protocol (SMTP) is a protocol used for sending emails.
While POP3, IMAP, and other protocols can be used to retrieve email, there's only
really one email protocol for sending email: SMTP. So there are lots of different email
protocols that can be implemented, depending on the email software you choose. You
can read more about them in the supplemental reading. Email service is critical for any
organization. Companies need to be able to contact clients and business partners and
communicate internally. If you work in an IT support specialist role where you're
handling system administration tasks, you will need to weigh the pros and cons of a
dedicated email server against a cloud email service.

Configuring Security Services

Security is super important to all organizations. It's integrated into pretty much all aspects of
an IT infrastructure service. There are lots of different security protocols that are put in place
for all sorts of things, keeping data encrypted, authentication, etc.

If you ever manage a web server that serves content to other users, you want to let them know
that when they access your website, you're keeping their interaction with you as secure as
possible. Let's say that you have an online bank account that you're logging into. The URL will
most likely begin with an HTTPS. HTTPS, or Hypertext Transfer Protocol Secure is a secure
version of HTTP. It makes sure the communication your web browser has with the website is
secured through encryption. HTTPS is also referred to as HTTP over TLS or HTTP over SSL.
This is because there are two protocols that enable us to make our web servers secure. The
first is Transport Layer Security protocol, or TLS, which is the most popular way to keep

communications secure over a network. TLS is widely used to keep web browsing secure, but it
can be used in a lot of other applications, too. The second protocol is the Secure Sockets Layer
protocol, or SSL. It's a way of securing communication between a web server and a client, but it's
pretty old and insecure, so it's been deprecated in favor of TLS. You may still see it referenced
today alongside TLS, as in SSL/TLS, and the two names are often used interchangeably. In
fact, SSL version 3.0 was essentially TLS version 1.0, but TLS's new features and updates have
made it more secure than SSL. So if you're managing an organization's website on a server,
how do you enable TLS on the server so that the site can use HTTPS? Well, you need to
get a digital certificate of trust from an entity called a certificate authority. The certificate
authority grants a certificate to your website saying that it trusts that you control the web
server and verifies that you are who you say you are. Once it does that, you can install the
certificate on your web server. That way, when users visit your site, they'll see the HTTPS in the
URL instead of just HTTP. Security is an integral part of IT, and it's not just the responsibility
of security engineers. Everyone should be thinking about security. And all layers of your
infrastructure should have a layer of security built upon them. There are lots of other security
software that you can add to your IT infrastructure, which we'll dive into in the last course. For
now, it's a good idea to know the basics of keeping a web server secure with HTTPS.
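An added Python example (not from the notes) showing the client side of the policy described above: a context that verifies the server's certificate and hostname and refuses SSL 3.0 and TLS 1.0/1.1, beside the legacy configuration that skips verification, plus a probe that reports the protocol version and certificate a live server presents. The hostname in the main block is a placeholder.

```python
# Added example (not from the notes): TLS client settings that enforce
# certificate verification and a TLS 1.2 floor, the legacy settings they
# replace, and a probe of what a server actually negotiates.
import socket
import ssl


def hardened_client_context(cafile=None):
    """Verify the server certificate and hostname against trusted CAs and
    refuse anything older than TLS 1.2 (SSL 3.0 and TLS 1.0/1.1 are out)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context():
    """The configuration to avoid: no certificate or hostname verification,
    so any party in the path could impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of an SSLContext."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def probe(host, port=443, timeout=5.0, ctx=None):
    """Connect to host:port, complete the handshake and report the negotiated
    protocol, the certificate's common name and its expiry. Raises ssl.SSLError
    when the certificate is not trusted or the server only offers old protocols."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(part[0] for part in cert.get("subject", ()))
            return {
                "protocol": tls.version(),
                "common_name": subject.get("commonName"),
                "expires": cert.get("notAfter"),
            }


if __name__ == "__main__":
    print("hardened:", describe(hardened_client_context()))
    print("legacy:  ", describe(legacy_client_context()))
    print(probe("www.example.com"))    # placeholder host; needs network access
```

Running the probe against your own server after installing the certificate confirms two things the browser padlock alone does not spell out: that the chain validates against the system trust store, and that the server will not fall back to SSL 3.0 or TLS 1.0 with a client that refuses them.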

Configuring User Productivity Services


In any organization the software that employees need to do their job is the software that an IT
support specialist managing IT infrastructure needs to provide. Depending on the
organization, you might need to get your users things like software development programs,
word processing, graphical editors,
finance software, and so on. Whatever software you provide, there are different things to
consider when using it in a commercial setting that might not have crossed your mind when
you've used similar software personally.
 When you use software, you're doing so under the agreement of the developer's license.
For example, when you use open source software, the license agreement usually says
that it's free to use, share, and modify. When software is used as a consumer,
agreements can say that only a specific person can use the software.
 In a business or commercial setting, most software distributors will have a separate
agreement. In most cases, you can buy ten licenses, and any ten people in your company
can use it.
 If someone leaves the company or doesn't need the software anymore, you can take their
license and give it to someone else in the company. When considering software licenses,
it's important to review the terms and agreement, then move forward with whatever
option works best for your company. Things get a little more complicated when it comes
to cloud software services.
 You might have to deal with some of the same stipulations and also think through
whether to purchase added features for businesses and enterprises, like dedicated
customer support. Whatever method you use to provide software, whether it's installing
software on every machine or utilizing cloud software services, there's one thing to keep
in mind. Software used as a consumer won't be the same as software used as a business.

File services
Employees need to be able to share files with each other, whether that's to collaborate or
exchange information. We talked about shared folders in Windows in the last course, but in
this lesson I'm going to talk about more scalable and efficient ways to share data, enter file
storage services. File storage services allow us to centrally store files and manage access
to them for users and groups. You can set up a file storage server that will let users access a shared
directory to modify or add files and much, much more. In the next lesson, we'll go into depth
on two of the more popular ways you can use to manage, store, and share files over a network.
The other way to maintain a file storage service is by using a Cloud file storage provider. There
are lots of providers that offer secure and easily managed file storage. You can read about some
of the more popular ones in the supplemental reading. For now, let's see how to manage a file
storage service ourselves.

Network File Storage


You may have multiple users who want to share files with each other; they need to store the
files somewhere and they need to be able to retrieve the files over a network. Network File
System (NFS) allows us to do this. It's a protocol that enables files to be shared over a network.
NFS is compatible with all major operating systems. The easiest way to set up an NFS
server is by using a Linux environment.
You install the NFS server software and modify the configuration files for the directories that
you want to allow shared access to. Once you do that, the NFS service will be running in the
background of the server.
On each client machine that wants to access the server, you just mount the file system the way
you would any other file system, except that you'd use the server's host name instead of a
physical disk device. From there, you can access the shared directory like you would any other
folder on the computer. Check out the next supplementary reading for some examples of NFS
server software you can configure for Linux.
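As an added example (not from these notes), here is a small Python audit of the configuration files mentioned above, in /etc/exports format: it parses each export line and flags the options a sysadmin should not leave in place when sharing a directory over the network. The export lines, paths and subnets are constructed.

```python
"""Audit /etc/exports entries for risky NFS sharing options.

Added example, not from the course notes. Entries follow the exports(5) layout
'<directory> <client>(<options>) [<client>(<options>) ...]'. The sample lines,
paths and subnets below are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample exports file: one well-scoped share and three risky ones.
SAMPLE_EXPORTS = """\
# shared project files for the office subnet
/srv/projects   192.168.10.0/24(rw,sync,root_squash,no_subtree_check)
/srv/public     *(rw,no_root_squash,sync)
/srv/scratch    *.example.com(rw,async)
/srv/readonly   192.168.10.5(ro,sync)
"""

# Hardened replacement for the /srv/public line (constructed): a subnet instead
# of '*', root squashing restored, and sync so acknowledged writes reach disk.
HARDENED_PUBLIC = "/srv/public 192.168.10.0/24(rw,sync,root_squash,no_subtree_check)"

_SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Dict]:
    """Return one {'path', 'client', 'options'} dict per client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = _SPEC_RE.match(spec)
            if not m:
                continue  # malformed spec; exportfs would reject it anyway
            client = m.group(1) or "*"  # '(rw)' with no client means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append({"path": path, "client": client, "options": opts})
    return entries


def audit_export(entry: Dict) -> List[str]:
    """Return human-readable findings for one export; an empty list means no concern."""
    findings = []
    opts = set(entry["options"])
    client = entry["client"]
    wildcard = client == "*" or client.startswith("*.")
    if wildcard:
        findings.append(f"client {client!r} is a wildcard; restrict to a subnet or host list")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: a remote root user keeps uid 0 on the export")
    if "rw" in opts and wildcard:
        findings.append("read-write access granted to a wildcard client")
    if "async" in opts:
        findings.append("async: acknowledged writes can be lost if the server crashes")
    return findings


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map '<path> <client>' to its findings, for every entry that has any."""
    report = {}
    for entry in parse_exports(text):
        findings = audit_export(entry)
        if findings:
            report[f"{entry['path']} {entry['client']}"] = findings
    return report


if __name__ == "__main__":
    for share, problems in audit_exports(SAMPLE_EXPORTS).items():
        print(share)
        for problem in problems:
            print("   -", problem)
```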
NFS is a good solution for file sharing within the network, but as with anything on a network,
heavy usage will slow down the file system. While NFS works with all major operating systems,
there are still interoperability issues with Windows. If your fleet consists mostly of Windows
machines, you might want to look at using something like Samba. Samba services are similar to
NFS, since you can centrally share and manage file services. Also, all major operating systems
can use Samba file sharing. The main reason you might want to consider Samba over NFS is
that it works better with Windows operating systems. It also includes other services that
can be integrated with your organization, like printer services.
One thing to note: you may hear the terms Samba and SMB. These two are different. SMB
is a protocol that Samba implements. You can read more about SMB in the supplemental
reading. When you create a Windows shared folder, it's actually using the SMB protocol;
Samba itself is a software service suite used for file services.
There are lots of other file storage services that you can use, and you can read more about them
in, wait for it, the supplemental readings. A relatively affordable solution for file storage
hardware is to use Network Attached Storage (NAS, pronounced "nas"). Instead of setting up
a dedicated server like you would for other services, you use a NAS: a computer that is
optimized for file storage. They usually come with an operating system that's stripped down in
order just to serve files over a network. They also come with lots of storage space. Whatever
method you choose, central file storage and management is an important part of IT
infrastructure for any organization.

Mobile Synchronization
The great thing about mobile devices is that you can take them almost anywhere, but the risk is
that they contain all kinds of information that will be hard to replace. Let's admit it, mobile
devices can sometimes be pretty easy to lose. Think about all that data: personal information
like emails, photos, videos, calendars, health data, location data, your Candy Crush high score.
It's all data that you don't want to lose. So in this video we are going to check out some ways
that you can protect your valuable data even if your mobile device is damaged, lost or stolen.
So how do we do this? For each type of important data on your mobile device, you want to make
sure that the data is synchronized, or synced, with another location. When you synchronize
data, you make sure that the data is the same in two or more places.
How does this work? Well, if a calendar appointment is only stored on your device, then you
need your device with you to view the appointment. Plus, if you lose access to the device, you
lose all the appointment details, and now you have no idea what time you are supposed to be
meeting your friends for coffee. But if you use a calendar that syncs your data, you are all good.
A calendar that's signed into an online account will sync any schedule changes or new
appointments to a central location in the Cloud. If you sign into the calendar on another device
using the same account, you will see the same set of appointments. As an IT support specialist,
it's important that you understand what data and which apps are critical to your organization,
and also what's critical to the end users that you support. Most organizations will care about
business data like email, calendars, and contact information. You might also have apps that
manage documents, photos, videos and so on. Your challenge is to make sure that if the device
is lost, you can still recover the data. The best way to do this, which you might be responsible
for in your IT support role, is to make sure business-critical data is synced in at least two
places. Lucky for us, many mobile apps automatically sync; in some cases mobile apps already
use the Cloud as their canonical data source. For example, if you sign into an account for your
email and calendar apps, they will probably get all of their data from servers in the Cloud, or
from your organization's local IT infrastructure. If you lose your phone, you could just sign
into the same account on a different device and get the exact same data. With an app like this,
you won't lose any data if the device is damaged, lost or stolen.
Some apps can be configured to automatically sync or back up data to a Cloud storage service
every so often. This means that you might lose some data if you lose access to a mobile device,
but the loss will be limited to the time since the last backup. Other apps might store their data
only on the local device and not be able to back up their data to the Cloud; in that case you
want to synchronize your data to another location in case something happens to your device.
Maybe you remember from an earlier video how each app on your mobile device has a specific
location where it's allowed to store data. Well, iOS and Android both support backing up this
app data to the Cloud. Not only will these mobile OSs back up app data, but also your devices'
accounts and settings, too.

Configuring Security Services


Security is integrated into pretty much all aspects of an IT infrastructure service; there are lots
of different security protocols that are put in place for all sorts of things: keeping data
encrypted, authentication, etc. If you ever manage a web server that serves content to other
users, you want to let them know that when they access your website, you're keeping their
interaction with you as secure as possible. Let's say that you have an online bank account that
you're logging into. The URL will most likely begin with HTTPS. Hypertext Transfer Protocol
Secure is a secure version of HTTP. It makes sure the communication your web browser has
with the website is secured through encryption. HTTPS is also referred to as HTTP over TLS or
HTTP over SSL. This is because there are two protocols that enable us to make our web servers
secure. The first is the Transport Layer Security protocol, or TLS, which is the most popular
way to keep communications secure over a network. TLS is widely used to keep web browsing
secure, but it can be used in a lot of other applications, too. We'll do a deep dive into the
technical details of TLS in a later course. The second protocol is the Secure Sockets Layer
protocol, or SSL. It's a way of securing communication between a web server and client. But
it's pretty old and insecure, so it's been deprecated in favor of TLS. You may still see it today
being named alongside the TLS protocol, as in SSL/TLS. The two protocols are often used
interchangeably. In fact, SSL version 3.0 was essentially TLS version 1.0. But TLS's new
features and updates have made it more secure than SSL. So if you're managing an
organization's website on a server, how do you enable TLS on the server so that the site can
use HTTPS? Well, you need to get a digital certificate of trust from an entity called a certificate
authority. The certificate authority grants a certificate to your website saying that it trusts that
you control the web server, and verifies that you are who you say you are. Once it does that, you
can install the certificate on your web server. That way, when users visit your site, they'll see
HTTPS in the URL instead of just HTTP. You'll learn more about certificates and certificate
authorities in an upcoming course. For now, think of certificates as a way to verify that
something is trustworthy. Security is an integral part of IT, and it's not just the responsibility
of security engineers.
Everyone should be thinking about security. And all layers of your infrastructure should have a
layer of security built upon them. There's lots of other security software that you can add to
your IT infrastructure, which we'll dive into in the last course. For now, it's a good idea to know
the basics of keeping a web server secure with HTTPS.

Printing Services
While our world is moving more and more into the digital space, there are still aspects of our
lives that require good old-fashioned paper. Many organizations still use printers, and as an IT
support specialist, you have to manage them as you would any other device.
If you have a printer at home, you probably connect it directly to your computer, or you may
print over your home network through Wi-Fi. Some small organizations can get away with this
type of printer management, but most large organizations have lots of printers that need to be
managed and large volumes of information that need to be printed. When managing printer IT
infrastructure, you need to have a place to centrally manage all your printers. You'll probably
be running commercial printers that can also report diagnostic information like low toner
levels.
Along with managing printers centrally, you'll also need to be able to deploy printer driver
software so that your users can print from their computers.
There are a few different ways that printers can be managed, and setting them up really
depends on how many printers you have and how many people are in your company.

In a small company with fewer than a hundred people, setting up one or two commercial
printers should be more than enough. To set up a print server, all you have to do is install a
print service on a server. Most operating systems already come with a print service readily
available. For example, let's look at Windows. In the Windows Server operating system, there's
Print and Document Services, which can be enabled. All you have to do is add your network
printers to the service and install the drivers for those printers. In Linux, a common print
server that's usually pre-installed on machines is CUPS, or Common UNIX Printing System.
CUPS allows you to easily manage printers from a simple web URL. Once your print service is
set up, you need to add the printer to the client machine. Just search for the print server name,
connect to the device and start printing.
Another way you can manage printers is by using a cloud service provider. This allows you to
manage your printers through a web browser. It also lets your users print through a web
browser, so no setup is involved on their machines. Printer setup is pretty easy to do. Most of
it depends on what print service you decide to go with.

Platform Services
Platform services provide a platform for developers to completely build and deploy software
applications, without having to deal with OS maintenance, server hardware, networking or
other services that are needed to use the platform tools.
A web server that we deploy our web applications to, or the development software that we use
to code our applications, are both examples of platform services. In this day and age, most
businesses have a digital presence, whether that's a website that promotes their business or
even a website that is their business. Businesses that run web services keep their services
stored on a web server. A web server stores and serves content to clients through the Internet.
You can access a web service using a domain name like google.com. A web server itself stores
web files and runs an HTTP service, or HTTP server, that processes HTTP requests. Remember
that HTTP is how the Web formats and transfers web pages (you can think of the web server
as the physical server that stores the web files and runs the HTTP server software). When your
web browser makes a request to fetch a web page from a URL, it sends an HTTP request that
gets processed by the HTTP server. Then the HTTP server sends out an HTTP response with
the content that you requested. There is a lot of popular HTTP server software out there, but
the most widely used is the Apache HTTP server, most commonly referred to as Apache.
Apache is free and open source. It helps serve a large percentage of web pages on the Internet.
Let's actually see how a web server serves
When you run a service that operates on the web, you need to have a web server that serves
web pages to clients that request them, like we just covered. But you may also need to store
information. Have you ever thought about what happens to your information when you create
an account online for a website? Where do they store that info? Do they put it in a folder on a
web server? If they do, you need to stop using that service immediately. Customer information,
like news articles, videos, large amounts of text, image or audio files, generally gets stored in a
database. Databases allow us to store, query, filter, and manage large amounts of data. When
you build a web product, you'll probably store the data in a database. Database servers consist
of running database software that you're able to read from and write to. Common database
systems like MySQL and PostgreSQL are widely used in application and web development and
data analytics. These database systems usually require knowledge of special languages or
syntaxes to be able to parse and filter through the large amounts of data. If you want to dig
deeper into database systems, check out the next reading. Administering and managing a
database can be incredibly complex. Losing precious data could cost the company dearly.

Managing Cloud Resources

Now that you know more about the different services you can host on a cloud provider, let's
talk about how to make the most of the cloud for your organization.
When we say that a service is running in the cloud, we mean that it's running somewhere else,
either in a data center or on some other remote server. These data centers house a large
assortment of machines, and different types of machines are used for different services. For
example, some machines may have a local solid state drive (SSD) for increased performance,
while others may rely on virtual drives mounted over the network to lower costs. When you use
Software as a Service, or SaaS, the software is already pre-configured and the user isn't deeply
involved in the cloud configuration. If you choose a cloud email solution like Gmail, a cloud
storage solution like Dropbox or a cloud productivity suite like Microsoft Office 365, there are
only a small number of options for you to select or customize.
The cloud provider manages everything related to the service for you, including deciding
where VMs are hosted, ensuring that it has enough capacity to serve your needs, performing
backups frequently and reliably, and more. When you use Infrastructure as a Service, or IaaS,
on the other hand, you're hosting your own services in the cloud. You need to decide how you
want the infrastructure to look depending on what you want to run on it. For example, you
need to decide which of the many available machine types you'll use and what kind of storage
they'll need. Pro tip: start small, then select more powerful instances as needed.
Either way, when you set up cloud resources, you need to consider regions. A region is a
geographical location containing a number of data centers. Each of these data centers is called
a zone, and each zone is independent of the others. If one of them fails for some reason, the
others are still available and services can be migrated without visibly affecting users.
Large cloud providers usually offer their services in lots of different regions around the world,
and which region you choose will mostly depend on where your users are located. Smaller
cloud providers may offer fewer regions, but they may be the only provider available in your
city or country.
It doesn't matter exactly where the data center is located, but users may experience more
latency if it's further away from them. You may also hear about public, private and hybrid
clouds. The public cloud is what we call cloud services provided to you by a third party. The
name refers to the fact that the cloud provider offers services to the public. When your
company owns the services and the rest of your infrastructure, whether on-site or in a remote
data center, we call that the private cloud. And the hybrid cloud is a mixture of both public and
private cloud: some workloads are run on servers owned by your company, while others are
run on servers owned by a third party. The trick to making the most of the hybrid cloud is
ensuring that everything is integrated smoothly, so you can access, migrate, and manage data
seamlessly no matter where it's hosted.

Typical Cloud Infrastructure Setups


Let's say you have a web server providing a website to clients. In a typical setup for this kind of
service running in a cloud, a number of virtual machines will be serving this same website. A
load balancer ensures that each VM (virtual machine) receives a balanced number of queries.
Whenever there's a request for your website, a different VM will be picked to serve the
response. These types of services are usually configured to spin up more virtual machines
when there are a lot of queries, and to shut down some of the VMs when the number of queries
goes down. This capability is called autoscaling. It allows the service to increase or reduce
capacity as needed, while the service owner only pays for the cost of the machines that are in
use at any given time. Since some machines will shut down when the demand is lower, their
local disks will also disappear and should be considered ephemeral, or short-lived. If you need
data persistence, you have to create separate storage resources to hold that data and connect
that storage to the VMs. Usually, VMs operating websites or web services are connected to a
database, also running in the cloud. This database is also served by multiple machines behind a
load balancer, but this is managed by the cloud provider and doesn't concern the cloud user.
To make sure the service is running smoothly, you can set up monitoring and alerting. When
you do this, you can detect and correct any problems with your service before your users even
notice. Most cloud providers include monitoring and alerting solutions as part of their services.
You can configure when and how you want to be alerted if the monitoring infrastructure
detects performance issues. It may seem tricky to set up cloud resources, but most providers
make them easy to configure.

When and How to Choose Cloud


As an IT support specialist, you might have to decide when a cloud service is a better choice
than using your own physical hardware. Using cloud infrastructure doesn't require a large
upfront investment, so it's a good choice if you aren't sure how long you need it. If you're
setting up temporary infrastructure, or trying something that might not last, a cloud service
may be your best option.
Choosing to use cloud infrastructure also makes sense when you have demand that varies
greatly throughout the year. If you operate a website that gets a lot of traffic during one season
but much less for the remainder of the year, you wouldn't want to invest in a lot of
infrastructure just to have it sit idle most of the time.
Another reason to choose the cloud is geographical location. If your users, employees of your
company, or external users of your services are distributed around the world, having all of your
services on-site won't satisfy their needs.
You want to use a provider that has data centers in or close to the location that you want to
serve. Let's say you've decided that your use case fits the cloud model. How do you decide
which of the many cloud providers to use? Take a look at your specific needs, compare the
services offered by the various providers, and then figure out which one best serves your needs.
Most cloud providers offer free trials, so it's a good idea to test them out to see if they meet
your needs, and to check how well your company's infrastructure integrates with the cloud
provider's.
Finally, the technology in this space is evolving quickly. There are more services and solutions
offered by cloud providers every year, so make sure you're up to date on the latest changes
in the field before making a decision. That's it. Now you've got a better idea of what to think
about when you want to move your services to the cloud. To help you practice these concepts,
you'll be the one setting up the instances and the associated resources in the next quick lab
exercises, instead of connecting to an already existing VM. Exciting, right? Well, you've done it
again. You've covered a lot of information in this module about software and platform services.

Directory Services and Directory Server
Have you ever looked up someone's phone number in a phone directory? Or used a directory
listing at a shopping mall to find a specific store? A directory server essentially provides the
same functionality.
A directory server is a server that contains a lookup service that provides mapping between
network resources and their network addresses. It's used to organize and look up
organizational objects and entities, ranging from user accounts and user groups to
telephone numbers and network shares.

Directory Services
Directory services are an essential part of today's network-centric computing infrastructure.
Directory-enabled applications now power almost all the mission critical processes of an
enterprise, including resource planning, value chain management, security and firewalls, and
resource provisioning. Directory services also provide the foundation for deployment of e-
business and extranet applications.
A directory service is the collection of software and processes that store information about your
enterprise, subscribers, or both. An example of a directory service is the Domain Name System
(DNS), which is provided by DNS servers. A DNS server stores the mappings of computer host
names and other forms of domain name to IP addresses; a DNS client sends questions to a
DNS server about these mappings (e.g. what is the IP address of test.example.com?). Thus, all
of the computing resources (hosts) become clients of the DNS server.
The mapping of host names enables users of the computing resources to locate computers on a
network using host names rather than complex numerical IP addresses.
Instead of managing user accounts and computer information locally on every machine, all that
information can be stored on a directory server for easy access and management.
The ideal enterprise-quality directory server should support replication. This means that the
stored directory data can be copied and distributed across a number of physically distributed
servers but still appear as one unified data store for querying and administering.

Replication Importance
It provides redundancy by having multiple servers available simultaneously, so there'll be
minimal disruption to the service in the event that one of the servers explodes. Replication also
decreases latency when you access the directory service. By having replicas of your directory
server located in each office, you're able to answer directory service queries more quickly.
The directory service should also be flexible, allowing you to easily create new object types as
your needs change. The information stored in the directory server database should be
accessible from a variety of OS types and from the designated areas of the corporate network.
Directory services are useful for organizing data and making it searchable for an organization.
This is achieved through the use of a hierarchical model of objects and containers. The
containers are referred to as organizational units, or OUs, and they can contain objects or more
organizational units. This is similar in organizational structure to a file system. OUs are like
folders which can contain individual files, or objects, for a directory service. OUs can also
contain additional folders. The management benefits of this structure are pretty clear. Can you
imagine trying to keep your music library organized if there was no such thing as subfolders?
Crazy. This hierarchical structure can be used to convey additional information about what's
stored within. Take your directory structure as an example. You may have an OU called users,
which contains all user accounts. Within this OU, there could be additional OUs which
represent the actual team structure of your organization. The users OU could contain
additional OUs like sales, engineering and marketing, which include the user account objects
for the individuals that belong to these teams. This structure can be used to convey differences
between the users in these sub-OUs. For example, we could enforce stricter password
requirements for members of engineering without affecting sales or marketing. Sub-OU
members inherit the characteristics of their parent OU, so any changes made to the higher-level
users OU would affect all sub-OUs, including sales, marketing, and engineering. Someone with
the responsibilities of a systems administrator, whether that's a system admin or IT support
specialist, would be responsible for the setup, configuration, and maintenance of the directory
server. This includes the OS itself on which the directory service would run. Standard OS
management tasks are involved here, like ensuring that updates are installed and configuring
standard services. Other responsibilities include the installation and configuration of the
directory service itself, so installing the service and configuring any related services. If multiple
servers are used in a replication setup, this needs to be configured, too. It's very likely that the
hierarchy and overall structure of the directory itself would also be up to the sysadmin to
design and implement.
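As an added example (not from these notes), the following Python model shows how the OU inheritance just described resolves in practice: a users OU with sales, marketing and engineering sub-OUs, a stricter password policy set only on engineering, and a change on the parent users OU that flows down to every sub-OU. The DNs, policy attribute names and values are constructed.

```python
"""Resolve the effective policy for a directory entry by walking its OU chain.

Added example, not from the course notes. It models the hierarchy the text
describes (a users OU holding sales, engineering and marketing sub-OUs): a
sub-OU inherits its parent's policy settings and may override some of them. A DN
is treated as a comma-separated list of RDNs, with escaped commas ('\\,') kept
inside a value. All DNs, attribute names and values are constructed.
"""
import re
from typing import Dict, List, Optional

SUFFIX = "dc=example,dc=com"  # constructed naming context (top of the hierarchy)

# Constructed directory: only the policy attributes of each entry are shown.
DIRECTORY: Dict[str, Dict] = {
    SUFFIX: {"pwdMinLength": 8, "pwdMaxAge": 180, "lockoutAfter": 10},
    "ou=users," + SUFFIX: {"lockoutAfter": 5},
    "ou=sales,ou=users," + SUFFIX: {},
    "ou=marketing,ou=users," + SUFFIX: {},
    "ou=engineering,ou=users," + SUFFIX: {"pwdMinLength": 14, "requireMFA": True},
    "uid=alice,ou=engineering,ou=users," + SUFFIX: {},
    "uid=bob,ou=sales,ou=users," + SUFFIX: {},
}

POLICY_ATTRS = ("pwdMinLength", "pwdMaxAge", "lockoutAfter", "requireMFA")


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs on commas that are not escaped with a backslash."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def parent_dn(dn: str) -> Optional[str]:
    """Drop the first RDN; None when the DN has a single RDN."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def ancestry(dn: str, suffix: str = SUFFIX) -> List[str]:
    """Return [dn, parent, ..., suffix]; raise if dn does not sit under suffix."""
    chain, cur = [], dn
    while cur is not None:
        chain.append(cur)
        if cur == suffix:
            return chain
        cur = parent_dn(cur)
    raise ValueError(f"{dn!r} is not under suffix {suffix!r}")


def effective_policy(dn: str, directory: Dict[str, Dict] = DIRECTORY) -> Dict:
    """Merge policy attributes from the suffix down to the entry; nearer OUs win."""
    policy: Dict = {}
    for entry_dn in reversed(ancestry(dn)):  # root first, the entry itself last
        if entry_dn not in directory:
            raise KeyError(f"no such entry: {entry_dn}")
        for attr, value in directory[entry_dn].items():
            if attr in POLICY_ATTRS:
                policy[attr] = value
    return policy


def set_policy(dn: str, attr: str, value, directory: Dict[str, Dict] = DIRECTORY) -> None:
    """Change a policy attribute on an OU; every entry beneath it inherits the change."""
    if attr not in POLICY_ATTRS:
        raise ValueError(f"unknown policy attribute {attr!r}")
    directory[dn][attr] = value


if __name__ == "__main__":
    for user in ("uid=alice,ou=engineering,ou=users," + SUFFIX,
                 "uid=bob,ou=sales,ou=users," + SUFFIX):
        print(user, "->", effective_policy(user))
```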

Directory Server
Directory Server provides a central repository for storing and managing
information. Almost any kind of information can be stored, from identity profiles
and access privileges to information about application and network resources,
printers, network devices and manufactured parts. Information stored in Directory
Server can be used for the authentication and authorization of users to enable secure
access to enterprise and Internet services and applications. Directory Server is
extensible, can be integrated with existing systems, and enables the consolidation of
employee, customer, supplier, and partner information.
Directory Server provides the foundation for the new generation of e-business
applications and Web services, with a centralized and distributed data repository
that can be used in your intranet or over your extranet with your trading partners.

• Directories
The Directory Server allows access to a type of database that stores information in a
hierarchical structure similar to the way that the IBM i integrated file system is
organized.
• Distributed directories
A distributed directory is a directory environment in which data is partitioned across
multiple directory servers. To make the distributed directory appear as a single directory
to client applications, one or more proxy servers are provided which have knowledge of
all the servers and the data they hold.
Distributed directories involve the following components and tasks:

- The Proxy server
The Proxy server is a special type of IBM® Tivoli® Directory Server that
provides request routing, load balancing, fail over, distributed authentication and
support for distributed/membership groups and partitioning of containers. Most
of these functions are provided in a new backend, the proxy backend. IBM
Security Directory Proxy Server does not have an RDBM backend and cannot
take part in replication.
- Splitting data within a subtree
You can split data within a subtree that is based on a hash of the RDN by using a
proxy server.
- Synchronizing information
There are two main kinds of configuration information that must be kept
synchronized among the servers in a distributed directory.
- Partition entries
Partition entries exist as the base of a partition, for example, o=sample. These
entries cannot be modified through the proxy server.
- Password policy in a distributed directory
Password Policy in a distributed directory is enforced on the backend servers
with some additional overhead in the proxy server.
- Failover and load balancing
The proxy server performs load balancing on read requests when high
consistency is disabled. When high consistency is enabled, all read and write
requests are sent to the primary write server until a failover occurs. If a backend
server is unavailable, the operation displays an error. All subsequent operations
fail over to the next available server.
- Weighted prioritization of backend servers
The proxy server prioritizes back-end servers into 5 possible tiers. At a given time
the proxy server will only use servers in one tier. When all the write servers
within a tier fail, the proxy server will fail over to the second tier. When the
second tier fails, it will fail over to the third tier, and so on.
- Failover between proxy servers
Failover support between proxies is provided by creating an additional proxy
server that is identical to the first proxy server. These are not the same as peer
masters; the proxy servers have no knowledge of each other and must be
managed through a load balancer.
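As an added example (not IBM's code), this Python model implements the rules from the "Failover and load balancing" and "Weighted prioritization of backend servers" items above: one tier in use at a time, failover to the next tier once every write server in the current tier has failed, reads balanced only when high consistency is off, and a failed operation marking its server down so later operations fail over. Server names, tiers and outages are constructed.

```python
"""Model a directory proxy's tiered failover and read load balancing.

Added example, not IBM's code. It follows the behaviour described in the notes:
back-end servers sit in tiers, only one tier is in use at a time, the proxy moves
to the next tier once every write server in the current tier has failed, reads
are balanced across servers only when high consistency is off, and a failed
operation marks that server down so later operations fail over. Server names,
tiers and outages are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


class BackendUnavailable(Exception):
    """Raised when the operation hits a server that turns out to be down."""


@dataclass
class Backend:
    name: str
    tier: int           # 1 is preferred; higher tiers are used only after failover
    is_write: bool      # write (master) server or read-only replica
    alive: bool = True  # ground truth; the proxy only learns it when an op fails


class ProxyRouter:
    def __init__(self, backends: List[Backend], high_consistency: bool = False):
        self.backends = list(backends)
        self.high_consistency = high_consistency
        self.known_down: Set[str] = set()
        self._rr = 0  # round-robin cursor for balanced reads
        self.log: List[str] = []

    def _usable(self) -> List[Backend]:
        return [b for b in self.backends if b.name not in self.known_down]

    def active_tier(self) -> Optional[int]:
        """Lowest tier that still has a write server the proxy believes is up."""
        tiers = sorted({b.tier for b in self._usable() if b.is_write})
        return tiers[0] if tiers else None

    def route(self, op: str) -> Backend:
        """Pick the server for a 'read' or 'write' under the current tier."""
        tier = self.active_tier()
        if tier is None:
            raise BackendUnavailable("no write server left in any tier")
        in_tier = [b for b in self._usable() if b.tier == tier]
        if op == "write" or self.high_consistency:
            # All traffic goes to the primary write server of the tier.
            return next(b for b in in_tier if b.is_write)
        choice = in_tier[self._rr % len(in_tier)]  # balanced read
        self._rr += 1
        return choice

    def send(self, op: str) -> str:
        """Send the operation; a dead server yields an error and is marked down."""
        backend = self.route(op)
        if not backend.alive:
            self.known_down.add(backend.name)
            self.log.append(f"{op} -> {backend.name}: error, marked down")
            raise BackendUnavailable(backend.name)
        self.log.append(f"{op} -> {backend.name}")
        return backend.name


def demo_cluster(high_consistency: bool = False) -> ProxyRouter:
    """Two tiers: tier 1 holds the primary write server and a replica, tier 2 a standby pair."""
    return ProxyRouter(
        [Backend("w1", 1, True), Backend("r1", 1, False),
         Backend("w2", 2, True), Backend("r2", 2, False)],
        high_consistency=high_consistency,
    )


if __name__ == "__main__":
    proxy = demo_cluster()
    proxy.send("read"); proxy.send("read"); proxy.send("write")
    proxy.backends[0].alive = False  # w1 crashes without the proxy noticing yet
    try:
        proxy.send("write")  # first write after the crash errors out
    except BackendUnavailable:
        pass
    proxy.send("write")  # subsequent writes fail over to tier 2
    print("\n".join(proxy.log))
```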
• Distinguished names (DNs)
Every entry in the directory has a distinguished name (DN). The DN is the name that
uniquely identifies an entry in the directory. The first component of the DN is referred
to as the Relative Distinguished Name (RDN).
• Suffix (naming context)
A suffix (also known as a naming context) is a DN that identifies the top entry in a
locally held directory hierarchy.
• Schema
A schema is a set of rules that governs the way that data can be stored in the directory.

The schema defines the type of entries allowed, their attribute structure and the syntax
of the attributes.
• Recommended practices for directory structure
The Directory Server is often used as a repository for users and groups. This section
describes some recommended practices for setting up a structure that is optimized for
managing users and groups. This structure and associated security model can be
extended to other uses of the directory.
• Publishing
Directory Server provides the ability to have the system publish certain kinds of
information to an LDAP directory. That is, the system will create and update LDAP
entries representing various types of data.
• Replication
Replication is a technique used by directory servers to improve performance and
reliability. The replication process keeps the data in multiple directories synchronized.
• Realms and user templates
The realm and user template objects found in the Web administration tool are used in
order to relieve the user of the need to understand some of the underlying LDAP issues.
• Search parameters
To limit the amount of resources used by the server, an administrator can set search
parameters to restrict users' search capabilities. Search capabilities can also be extended
for special users.
• National language support (NLS) considerations
NLS considerations include data formats, characters, mapping methods, and string case.
• Language tags
The term language tags defines a mechanism that enables the Directory Server to
associate natural language codes with values held in a directory and enables clients to
query the directory for values that meet certain natural language requirements.
• LDAP directory referrals
Referrals allow Directory Servers to work in teams. If the DN that a client requests is not
in one directory, the server can automatically send (refer) the request to any other LDAP
server.
• Transactions
You can configure your Directory Server to allow clients to use transactions. A
transaction is a group of LDAP directory operations that are treated as one unit.
None of the individual LDAP operations that make up a transaction are permanent until all
operations in the transaction have completed successfully and the transaction has been
committed. If any of the operations fail or the transaction is cancelled, the other operations
are undone. This capability can help users to keep LDAP operations organized. For
example, a user might set up a transaction on his client that will delete several directory
entries. If the client loses its connection to the server part way through the transaction,
none of the entries are deleted. Therefore the user can simply start the transaction over
rather than having to check to see which entries were successfully deleted.
The following LDAP operations can be part of a transaction:
• Add
• Modify
• Modify RDN
• Delete
Note: Do not include changes to the directory schema (the cn=schema suffix) in transactions.
Though it is possible to include them, they cannot be backed out if the transaction fails. This
could cause your directory server to experience unpredictable problems.

• Directory Server security

A variety of functions can be used to secure the Directory Server.

• Auditing
Auditing allows you to track the details of certain Directory Server transactions.
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with
the Directory Server
To make communications with your Directory Server more secure, Directory
Server can use Secure Sockets Layer (SSL) security and Transport Layer Security
(TLS).
• Kerberos authentication with the Directory Server
Directory Server allows you to use Kerberos authentication. Kerberos is a
network authentication protocol that uses secret key cryptography to provide
strong authentication to client and server applications.
• Password encryption
Directory Server enables you to prevent unauthorized access to user passwords.
The administrator may configure the server to encrypt userpassword attribute
values in either a one-way encrypting format or a two-way encrypting format. The
encrypted passwords are tagged with the encrypting algorithm name so that
passwords encrypted in different formats can coexist in the directory. When the
encrypting configuration is changed, existing encrypted passwords remain
unchanged and continue to work.
• Groups and roles
Use groups and roles to organize and control the access or permissions of
members.
• Administrative access
Use administrative access to control access to specific administrative tasks.
• Administrative Roles
While configuring an administrative group member, the root administrator has to
explicitly assign an administrative role to the member.
• Proxy authorization
The proxy authorization is a special form of authentication. By using this proxy
authorization mechanism, a client application can bind to the directory with its
own identity but is allowed to perform operations on behalf of another user to
access the target directory. A set of trusted applications or users can access the
Directory Server on behalf of multiple users.
• Access control lists
Access control lists (ACLs) provide a means to protect information stored in an
LDAP directory. Administrators use ACLs to restrict access to different portions of
the directory, or to specific directory entries.
• Ownership of LDAP directory objects
Each object in your LDAP directory has at least one owner. Object owners have
the power to delete the object. Owners and the server administrator are the only
users that can change the ownership properties and the access control list (ACL)
attributes of an object. Ownership of objects can be either inherited or explicit.
• Password policy
With the use of LDAP servers for authentication, it is important that an LDAP server
support policies regarding password expiration, failed login attempts, and
password rules. Directory Server provides configurable support for all three of
these kinds of policies.
• Password policy tips
Password policy may not always behave as expected.
• Authentication
Use an authentication method to control access within the Directory Server.
• Denial of service
Use the denial of service configuration option to protect against denial of service
attacks.
• Operating system projected backend
The system projected backend has the ability to map IBM i objects as entries
within the LDAP-accessible directory tree. The projected objects are LDAP
representations of the operating system objects instead of actual entries stored in
the LDAP server database.
• Unique attributes
The unique attributes function ensures that specified attributes always have
unique values within a directory.
• Operational attributes
There are several attributes that have special meaning to the Directory Server
known as operational attributes. These are attributes that are maintained by the
server and either reflect information the server manages about an entry or affect
server operation.
• Server caches
LDAP caches are fast storage buffers in memory used to store LDAP information
such as queries, answers, and user authentication for future use. Tuning the
LDAP caches is crucial to improving performance.
• Controls and extended operations
Controls and extended operations allow the LDAP protocol to be extended
without changing the protocol itself.
• Save and restore considerations
Directory Server stores data and configuration information in several locations.

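The "Password encryption" item above says stored password values carry the name of the algorithm that produced them, so values written under an old setting keep verifying after the setting changes. The following added example (not IBM Directory Server code) shows that mechanism in Python, assuming the RFC 2307 style "{SCHEME}base64" tagging used by many LDAP servers with the one-way {SHA} and {SSHA} schemes; the tags a given server writes are a configuration matter.

```python
"""Verify LDAP userPassword values tagged with their hashing scheme."""
import base64
import binascii
import hashlib
import hmac
import os
import re

# Assumed tag convention: "{SCHEME}" followed by base64 of digest [+ salt].
_TAG_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.+)$")


def hash_password(password: str, scheme: str = "SSHA") -> str:
    """Produce a tagged one-way value. SSHA appends a random salt."""
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(8)
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored value, dispatching on its tag.

    Reading the scheme from the value itself is what lets entries hashed
    under an older server configuration keep working after the default changes.
    """
    m = _TAG_RE.match(stored)
    if m is None:
        return False  # untagged values are not accepted here
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False
    scheme, pw = m.group(1).upper(), password.encode("utf-8")
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False  # unknown scheme: fail closed rather than guess


def rehash_if_stale(password: str, stored: str, current: str = "SSHA") -> str:
    """After a successful bind, upgrade a value left in an older scheme.

    The server does not rewrite old values on its own, so this is the usual
    way to retire a weaker scheme without forcing password resets.
    """
    if not verify_password(password, stored):
        raise ValueError("password mismatch")
    scheme = _TAG_RE.match(stored).group(1).upper()
    return stored if scheme == current else hash_password(password, current)
```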
Centralized Management

Sysadmins have a set of systems they're responsible for, and they have to manage those
systems so they're available to serve their function to the organization. For example, as a
sysadmin, I might be responsible for making sure that all of the servers in my network are kept
up to date with security patches and application updates.
There are many considerations to think about. Should I go around and log into each server?
Should I check each one at a time? What if I need to manage user accounts on end user
devices? Should I go to each employee's desk and set their account up that way? Doing these
tasks one at a time would be super time-consuming, and probably inconsistent. Instead,
centralized management is used: a central service that provides instructions to all of the
different parts of my IT infrastructure. Directory services are one of these services.
Directory services provide centralized authentication, authorization, and accounting, also
known as AAA. When computers and applications are configured to use directory services, or
AAA services, decisions about granting or denying access to computers, file systems, and other
IT resources are centralized. Now you can create a user account once, and it's available for
the entire network at once.
AAA, the Authentication, Authorization, and Accounting framework, is used to manage the activity of a
user on a network that the user wants to access, through authentication, authorization, and accounting mechanisms.
AAA provides effective network management that keeps the network secure by ensuring that only those
who are granted access are allowed in, and that their activities while in the network are monitored and
logged.

AAA uses methods to challenge whoever wants to have network access by asking them for their
authorized and authenticated credentials to prove that they are legitimate users before gaining
access to the network. AAA is widely used in network devices such as routers, switches, and
firewalls, to name a few, to control and monitor access within the network.

AAA addresses the limitations of local security configuration and the scalability issues that
come with it. For example, if you need to change or add a password, it has to be done locally
and to all devices, which will require a lot of time and resources. Having an external AAA
server solves these issues by centralizing such tasks within the network. Having backup AAA
servers in the network ensures redundancy and security throughout the network.

Authentication

This is the method in the AAA framework wherein the credentials of the user are
challenged by asking, for example, for their username and password. The password is protected using a
hashing algorithm, which makes it harder for attackers to intercept.

Authorization

Once the credentials of the user are authenticated, the authorization process determines what
that specific user is allowed to do and access within the premise of the network. Users are
categorized to know what type of operations they are allowed to perform such as an
Administrator or Guest. The user profiles are configured and controlled from the AAA server.
This centralized approach eliminates the hassle of editing on a “per box” basis.

Accounting

The last process that is done in the AAA mechanism is an accounting of everything the user is
doing within the network. AAA servers monitor the resources being used during the network
access. Accounting also logs the session statistics and auditing usage information that is being
used, usually for authorization control, billing invoice, resource utilization, trend analysis, and
planning the data capacity of the business operations.

AAA Protocols

The two most commonly used protocols for implementing AAA (Authentication,
Authorization, and Accounting) in the network are RADIUS and TACACS+, open standards that
are used by different vendors to ensure security within the network.

Remote Authentication Dial-In User Service (RADIUS) – is a networking protocol
operating on ports UDP 1645 and UDP 1812 that provides centralized AAA management for
users who connect to and use a Network Access Server (NAS), such as a VPN concentrator, router,
or switch. This client/server protocol and software enables remote access servers to
communicate with a central server to perform AAA operations for remote users. This protocol
operates at the application layer and can use either TCP or UDP as a transport protocol.
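To make the RADIUS client/server exchange concrete, here is an added Python example (not code from any RADIUS product or from the lecture) that builds an Access-Request as a NAS would and decodes it as the central server would, using the RFC 2865 packet layout and User-Password hiding; the shared secret, NAS address and credentials are constructed values.

```python
"""Encode and decode a RADIUS Access-Request with RFC 2865 User-Password hiding."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute type codes


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute TLV: type, length (counting these two header bytes), value
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the XOR chain and strip the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = b"") -> bytes:
    """Code | Identifier | Length | Request Authenticator | Attributes."""
    ra = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_request(packet: bytes, secret: bytes) -> dict:
    """Decode a request the way the RADIUS server would, recovering the password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"id": ident, "user": attrs[USER_NAME].decode(),
            "password": unhide_password(attrs[USER_PASSWORD], secret, ra).decode(),
            "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])}


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the NAS
    recomputes this to check a reply came from a server holding the secret."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()
```

Because the password hiding and the response check both rest on MD5 and a static shared secret, RADIUS traffic is normally confined to a management network or carried over a secured transport.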

Terminal Access Controller Access-Control System Plus (TACACS+) – is a remote
authentication protocol, which allows a remote access server to communicate with an
authentication server to validate user access onto the network. TACACS+ permits a client to
accept a username and password and pass a query to a TACACS+ authentication server.

Let us say you have a network file system that you need to give everyone in the IT department
access to. You could set up the network share, and then give it a list of user accounts to grant
access to the share. But what happens when someone new joins the IT department? What
about when someone leaves? Instead of granting access based on who you are, what if you
granted access based on what you do? In most organizations, access to computer and network
resources is based on your role in the organization.
When you manage access to resources on a computer and on the network, you'll often grant
and deny access based on user groups. User groups can be used to organize user accounts in
all sorts of ways. You might create groups based on the building people work out of, or the person's
role in the organization, or really almost anything else. What's important is that you use groups
to organize accounts based on the way that you'll manage them.
For example, as a systems administrator, you might have permission to do things like creating
user accounts and resetting passwords. You are allowed to do that because of your role as a
systems administrator. If you add another systems administrator to your organization, you
don't want to have to find out all of the things that a sysadmin should have access to, then
grant them individual account access to each of those resources. That would just take forever.
Instead, we'll create a group of sysadmins and add all system administrators to that group.
Then we can give the systems administrators' group access to any resources they need. If you or
another person change roles in the company, then all you have to do is change the groups that
you are a part of, not the rights that you have to directly access resources. We call this role-
based access control, or RBAC. Controlling access to resources isn't all you can do. You can also
centralize configuration management. Just like you don't want to run around to every
computer to configure user accounts, you wouldn't want to do that to set up printers, configure
software, or mount network file systems. By centralizing the configuration management of your
computers and software, you can create rules about how things should work in your
organization. There are many ways to centralize your configuration management, and an easy
way to get started is with as simple a tool as logon scripts that run each time someone logs on
to a computer.

Role-Based Access Control


Role-based access control (RBAC) is a method of restricting network access based on the roles
of individual users within an enterprise.
RBAC ensures employees access only information they need to do their jobs and prevents them
from accessing information that doesn't pertain to them.

An employee's role in an organization determines the permissions that individual is granted
and ensures lower-level employees can't access sensitive information or perform high-level
tasks.
In the role-based access control data model, roles are based on several factors, including
authorization, responsibility and job competency. As such, companies can designate whether a
user is an end user, an administrator or a specialist user. In addition, access to computer
resources can be limited to specific tasks, such as the ability to view, create or modify files.
Limiting network access is important for organizations that have many workers, employ
contractors or permit access to third parties, like customers and vendors, which makes it
difficult to monitor network access effectively. Companies that depend on RBAC are better able
to secure their sensitive data and critical applications.

Benefits of RBAC
There are multiple benefits to using RBAC, including:

• Improving operational efficiency. With RBAC, companies can decrease the need
for paperwork and password changes when they hire new employees or switch the roles
of existing employees. RBAC lets organizations quickly add and change roles, as well as
implement them across platforms, operating systems (OSes) and applications. It also
cuts down on the potential for error when assigning user permissions. Additionally, with
RBAC, companies can more easily integrate third-party users into their networks by
giving them predefined roles.
• Enhancing compliance. Every organization must comply with local, state and federal
regulations. Companies generally prefer to implement RBAC systems to meet the
regulatory and statutory requirements for confidentiality and privacy because executives
and IT departments can more effectively manage how the data is accessed and used.
This is particularly important for financial institutions and healthcare companies that
manage sensitive data.
• Giving administrators increased visibility. RBAC gives network administrators
and managers more visibility and oversight into the business, while also guaranteeing
authorized users and guests on the system are only given access to what they need to do
their jobs.
• Reducing costs. By not allowing user access to certain processes and applications,
companies may conserve or more cost-effectively use resources, such as network
bandwidth, memory and storage.
• Decreasing risk of breaches and data leakage. Implementing RBAC means
restricting access to sensitive information, thus reducing the potential for data breaches
or data leakage.

RBAC vs. ABAC


Role-based access control and attribute-based access control (ABAC) are both types of access control
methods, but their approaches are different.

While RBAC grants access rights depending on the roles of users, ABAC controls access based on a
combination of attributes, i.e., user attributes, resource attributes, attributes associated with the system
or application to be accessed and environmental attributes.

User attributes may include name, nationality, organization, ID, role and security clearance. Examples
of resource attributes include owner, name and data creation date, while environmental attributes
include access location, time of access and threat levels.

In addition to simplifying access management, ABAC enables companies to reduce risks from
unauthorized access and helps to centralize auditing.

Organizations should use RBAC for coarse-grained access control, such as giving all professors in a
university access to Google for doing research or giving all contractors access to corporate email. On the
other hand, companies should use ABAC for fine-grained access control or if they need to make
decisions under specific conditions, e.g., giving professors access to Google only if they work in building
X and teach freshman classes.
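The group-based RBAC walkthrough earlier (sysadmins gaining rights through a group, role changes touching only memberships) and the RBAC vs. ABAC comparison above both describe the same decision logic. The following added Python example (not code from any product or from the lecture) implements both: role-to-permission lookup for the coarse-grained case, and attribute rules that encode the "building X and freshman classes" condition for the fine-grained case. Roles, permissions, users and attributes are all constructed.

```python
"""Role-based (RBAC) and attribute-based (ABAC) access decisions side by side."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# RBAC: permissions hang off roles; a user only carries role memberships.
ROLE_PERMISSIONS = {
    "professor": {"research_search:use", "email:use"},
    "contractor": {"email:use"},
    "sysadmin": {"account:create", "password:reset", "email:use"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)  # consulted only by ABAC rules


def rbac_allows(user: User, permission: str) -> bool:
    """Coarse-grained: the union of the user's role permissions decides."""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in user.roles)


# ABAC: a rule is a predicate over user, resource and environment attributes.
Rule = Callable[[User, dict, dict], bool]

ABAC_RULES: Dict[str, List[Rule]] = {
    # The text's example: professors may use the research tool only from
    # building X and only if they teach a freshman (100-level) class.
    "research_search:use": [
        lambda u, res, env: "professor" in u.roles
        and env.get("building") == "X"
        and any(c.startswith("1") for c in u.attrs.get("courses", ())),
    ],
    # Resource attribute: a file is readable by its owner or by a sysadmin.
    "file:read": [
        lambda u, res, env: res.get("owner") == u.name or "sysadmin" in u.roles,
    ],
}


def abac_allows(user: User, permission: str, resource: dict, env: dict) -> bool:
    """Fine-grained: every rule registered for the permission must hold.
    With no rule registered, fall back to the coarse RBAC decision."""
    rules = ABAC_RULES.get(permission)
    if not rules:
        return rbac_allows(user, permission)
    return all(rule(user, resource, env) for rule in rules)


def change_role(user: User, old: str, new: str) -> None:
    """Role changes touch only memberships, never per-resource rights."""
    user.roles.discard(old)
    user.roles.add(new)
```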

Configuration Manager
Configuration Manager is used to help sysadmins with the following systems management
activities:
• Increase IT productivity and efficiency by reducing manual tasks and letting you focus
on high-value projects.
• Maximize hardware and software investments.
• Empower user productivity by providing the right software at the right time.

Configuration Manager helps you deliver more effective IT services by enabling:
• Secure and scalable deployment of applications, software updates, and operating
systems.
• Real-time actions on managed devices.
• Cloud-powered analytics and management for on-premises and internet-based devices.
• Compliance settings management.
• Comprehensive management of servers, desktops, and laptops.

To be successful with Configuration Manager in a production environment, thoroughly plan
and test the management features. Configuration Manager is a powerful management
application, with the potential to affect every computer in your organization. When you deploy
and manage Configuration Manager with careful planning and consideration of your business
requirements, Configuration Manager can reduce your administrative overhead and total cost
of ownership.

User interfaces

The Configuration Manager console


After you install Configuration Manager, use the Configuration Manager console to configure
sites and clients, and to run and monitor management tasks. This console is the main point of
administration, and lets you manage multiple sites.
You can install the Configuration Manager console on additional computers, and restrict access
and limit what administrative users can see in the console by using Configuration Manager
role-based administration.

Software Center
Software Center is an application that's installed when you install the Configuration Manager
client on operating systems. Users use Software Center to request and install software that you
deploy. Software Center lets users do the following actions:
• Browse for and install applications, software updates, and new OS versions
• View their software request history
• View device compliance against your organization's policies
• Show custom tabs in Software Center to meet additional business requirements.
