What’s New and What’s Coming from CBT Nuggets

October 3, 2017 at 10:53 pm

CBT Nuggets

We are always creating new content for you here at CBT Nuggets. Here is your October News Flash with the details! In an act of shameless self-promotion, I listed my courses in BOLD. What would you like to see from CBT Nuggets? Let me know in the comments area below this post.


  • Ansible Essentials
  • AWS Certified SysOps Administrator – Associate
  • CompTIA Security+ (SY0-501)
  • Installation, Storage, and Compute with Windows Server 2016 (Exam 70-740)
  • IT Expertise: Building and Configuring a Business Switch Network
  • Microsoft Teams
  • Salesforce Admin – Classic Interface
  • Soft Skills for ScrumMasters
  • VMware vSphere 6.5 (VCP6.5-DCV)
  • Windows 10 End User Essentials


  • End User Security Awareness
  • Designing and Operating Defensible Network Architectures
  • Agile Essentials
  • IT Expertise: Building and Configuring a Business Wireless Network
  • CompTIA Cloud Essentials (CLO-001)
  • Microsoft MCSA SQL Server 2016 70-761
  • Everything Linux
  • Microsoft Azure 70-533 with ARM Updates

Security Identifiers (SID) in Active Directory

March 12, 2017 at 11:45 am


Here is post on the SID in AD serving as a great primer for my Identity in Windows Server 2016 course at CBT Nuggets.

SID Overview

In our post here at the blog on the important FSMO roles, we examined the RID Master. This device helps with the creation of unique Security Identifiers (SIDs) in the domain. The SID is used to uniquely identify an object that receives security permissions. A SID consists of several components. One of those components is the Relative Identifier (RID). The RID Master gives your domain controllers each their own portion of the overall RID pool. This keeps different domain controllers from creating and assigning the same SID to different objects in your domain.

The SID Dissected

The Windows SID is generally made up of 2 fixed fields and up to 15 additional fields all separated by dashes. For example, the format looks like this:


Here is the actual SID I am using right now on Windows 10:


Notice the following about SIDs:

  • The first fixed field (v) describes the version of the SID structure, Microsoft has never changed this from 1
  • The second field (id) is the identifier authority; it uniquely identifies the authority involved; for example, NULL (0), World (1), Local (2), NT Authority (5)
  • The next 15 fields are not all required and are called sub-authorities; they help uniquely identify the object
  • The last sub-authority field is normally the RID

Well-Known SIDs

There are indeed well-known SIDs. For example:

  • S-1-5-10; this represents NT Authority/Self
  • S-1-1-0; this represents Everyone

There is also a well-known RID of 500. This translates to the built-in administrator account. Here we can see this on my Windows 10 system:


I hope you enjoyed this post on the important SIDs in Windows technologies!
Pearson Education (InformIT)

Active Directory FSMO Roles

March 11, 2017 at 1:10 pm


An Overview of FSMO Roles

When you think about your AD design, you immediately think about multiple domain controllers. And some of them might even be read only. This is to distribute the great load that might be placed on these servers in a very active enterprise. Why not distribute this load and ensure that AD resources are always available in the event of a machine or machines failing!

While it is true that we should design our forests in this manner, keep in mind that there are Flexible Single Master Operator (FSMO) Roles that dictate only one domain controller be responsible for certain functions. In these cases, AD nominates a specific domain controller as the master for such functions.

There are five of these roles total. Three exist for every domain, and two of the roles apply to the entire forest. Keep in mind, however, that you can have a single server providing multiple of these roles. This keeps us requiring at least 5 domain controllers for every forest.

Well, it is obviously time for us to cover each of these 5 roles in detail!

Schema Master (forest wide)

Want to make changes to your AD schema? Wow, you are fancy! You need to do this on the Schema Master. By default, this is the first DC you promoted in your forest.

Since changes to the schema are well-planned and pretty rare after your initial deployment is up and running, you can afford to have this role offline for measured time periods.

Domain Naming Master (forest wide)

This is the device that is in charge of changes to the forest-wide name space. Perhaps you need to add a domain to your domain tree in your forest? This machine needs to be online in order to make that happen. Once again, it defaults to the first DC you promote in your forest.

Once again, these types of changes (are thankfully) rare. Having this role offline for a time period is not typically then end of your world!

PDC Emulator (domain wide)

This FSMO role has many functions, including:

  • It maintains backward compatibility functioning as an old school Windows NT Primary Domain Controller (PDC)
  • It acts as the old school NT master browser
  • It attempts to maintain the latest passwords for all accounts (note this function like many others of the PDC Emulator has nothing to do with backward compatibility functions!)
  • It is the target server for most Group Policy management tools
  • It is responsible for acting as the primary time source for the domain and forest
  • It authorizes domain controller cloning

Since this device fulfills so many important functions, you want to make sure it is always online for the most part!

RID Master (domain wide)

This Relative Identifier (RID) Master exists per domain. This device ensures that Security Identifiers (SIDs) in the domain are unique. In my next post in this AD series, I will provide you with great details on the SIDs in your domain. Turns out they are pretty damn important!

RID Masters provide the relative identifier information to other domain controllers in large blocks so these devices can create many SIDs without needing to bother the RID Master again for a very long time. So again, we have a situation where the RID Master can be offline and it not cause huge problems. An obvious exception to this would be if you were in the process of adding a huge number of accounts that need SIDs in your domain.

Infrastructure Master (domain wide)

This FSMO role maintains references to objects in other domains. We call these objects phantoms. Let’s say you have 10 users in Domain1 that actually exist in Domain2. It is the job of the Infrastructure Master of Domain1 to maintain the phantom information for these users.

This important device has many functions and aspects as follows:

  • This role is responsible for updating SID information and distinguished name information when this changes in the source domain
  • It checks in with the Global Catalog of the source domain to ensure it does not possess “stale” phantom information
  • This role is also responsible for performing updates to the domain when moving from Windows Server 2003 or later

It is important to note that if you enable the Active Directory Recycle Bin functionality, every DC in the forest now performs the roles above.

This role could be offline, of course, and how long you could tolerate that is very forest design specific.

Transferring Roles

Could you have all of these roles on a single DC? Sure you could, and many administrators do this for simplicity. You can transfer these roles however for simplicity:

  • Domain Naming Master – changed with the Active Directory Domains and Trusts snap-in
  • The Schema Master – changed with the Active Directory Schema snap-in
  • The RID, Infrastructure, and PDC Emulator Masters – changed with the Active Directory Users and Computers snap-in

Note that you can also use Windows PowerShell for these controls. From a Command Prompt, use NTDSUTIL.

I hope you will be joining me for tomorrow’s post on SIDs!

Deploying and Managing Active Directory with Windows PowerShell: Tools for cloud-based and hybrid environments

Active Directory (AD) Components

March 10, 2017 at 12:16 pm


AD Components Overview

In this post, we examine the key concepts that make up Windows Server Active Directory (AD). This is a continuing series here at the blog as we get excited for my 70-742 Identity in Windows Server 2016 to get fired up at CBT Nuggets.


The key element of AD is the domain. This is how we organize the structure in an enterprise. A domain consists of:

  • An X.500 (LDAP) based hierarchical structure of containers and objects
  • A DNS domain name
  • A security service
  • Policies
  • A Domain Controller (DC) that is authoritative for the domain (you should have more than one DC!)

Note that you can string domains together in your enterprise to create a domain tree. Perhaps we have cbtnuggetlabs.com as our first domain, then we create eugene.cbtnuggetlabs.com as our next domain. Note that these domains in a tree explicitly trust each other in a transitive way.


What a perfect name for our next component. A forest is a collection of domain trees! The first domain you create is called the forest root domain. This forest root domain could be renamed later on, but it cannot be removed. Once you have multiple domain trees in a forest,  trust relationships permit resource sharing.

You can even create forest trust relationships if your forest must access resources in another separate forest.

While it is cool that we can create a forest of multiple domain trees, it is almost always correct to keep things as simple as possible and create a single domain forest.

Organizational Units

What most of us think of when we envision AD is Organization Units (OUs). These are containers we create to fill with objects like users and groups and printers and then we assign policy to these units using Group Policy. Do not confuse OUs with another type of container object in AD called – a container. While there are some default containers in Windows Server, we tend to use OUs all the time as we are building our hierarchy.

When you install AD, some default containers and OUs get created for you. For example, there is a Domain Controllers OU.

The Global Catalog (GC)

Need to search a forest for something? The Global Catalog (GC) server comes to the rescue. The attributes you can search on are inside the GC and we call this a partial attribute set (PAS). There are tools you can use to manipulate what attributes make it into the GC.

I hope you found this post informative, and I would like to thank you for reading. Next up, we will examine the Flexible Single Master Operator (FSMO) Roles in AD.
Pearson Education (InformIT)

Why I Use CBT Nuggets Training – Part 4 – Killer Features!

December 20, 2016 at 3:38 pm

CBT Nuggets

There is another reason I use CBT Nuggets to learn new technologies – actually many reasons all in one here. CBT Nuggets is consistently introducing new technologies into the site that really assist me in my learning. For example:

  • Quiz questions (shown above) for validating my minutes of learning
  • Notes that I can take that follow me from app to app
  • Bookmarks in Nuggets
  • Transcripts
  • A speed control for speeding up or slowing down the instructor
  • A pop out player so I can use my multiple monitors to the fullest
  • A memory of where I left off in a Nugget

I have become so reliant on many of these features that I get saddened when I am using any other training tool lately!

Why I Use CBT Nuggets Training – Part 3 – Killer Apps!

December 8, 2016 at 10:59 pm


What is another compelling reason I use CBT Nuggets? It is the killer apps that we know have available for most all of your mobile devices.

With my iPhone CBT Nuggets app, I can watch content that is synced with my desktop version of CBT Nuggets. I have many of the same great features, including the ability to play an instructor at a slower or faster pace.

Am I boarding a flight with no Internet access for streaming? No problem! I add the Nuggets that I want to watch to my Offline Queue so I can enjoy the content while in Airplane Mode!

With each passing quarter – our amazing developers bring their apps to new platforms. For example, last month they unveiled a killer Apple TV app for CBT Nuggets viewing.

I hope this post was informative for you, and I would like to thank you for reading!

Master the OSPF LSA Types

June 18, 2016 at 12:47 pm


An Overview of OSPF LSA Types

We know that Link State Advertisements (LSA) are the life blood of an OSPF network. The flooding of these updates (and the requests for this information) allow the OSPF network to create a map of the network. This of course occurs with a little help from Dijkstra’s Shortest Path First Algorithm.

But not all OSPF LSA’s are created equal. In this post, we will examine the different types that are used within the OSPF multi area design. In the very next post here at the blog, we will recap how they are dynamically filtered when we have an OSPF domain that consists of special areas like Stub or Totally Stubby.

The Router (Type 1) LSA

We begin with what many call the “fundamental” or “building block” Link State Advertisement. The Type 1 LSA (also known as the Router LSA) is flooded within an area. It describes the interfaces of the local router that are participating in OSPF and the neighbors the local OSPF speaker has established.

The Network (Type 2) LSA

Do you remember how OSPF functions on an Ethernet (broadcast) segment? It elects a Designated Router (DR) and Backup Designated Router (BDR) in order to reduce the number of adjacencies that must be formed and the chaos that would result from a full mesh of these relationships. Well, the Type 2 LSA is sent by the Designated Router into the local area. This LSA describes all of the routers that are attached to that Ethernet segment.

The Summary (Type 3) LSA

Ready for a big difference with this LSA type? Recall that your Type 1 and Type 2 LSAs are sent within an area. We call these intra-area LSAs. Now it is time for the first of our inter-area LSAs. The Summary (Type 3) LSA is used for advertising prefixes learned from the Type 1 and Type 2 LSAs into a different area. Do you recall what device would send such an LSA? Sure, it would be the Area Border Router that separates areas.

So let’s say we have an area design like this – AREA 1-AREA 0-AREA 2. The Area 1 ABR would send the Type 3 LSAs into Area 0. It’s ABR into Area 2 would send these Type 3 LSAs into that area to provide full reachability in the OSPF domain. The Type 3 LSAs remain Type 3 LSAs during this journey, it is just OSPF costs and advertising router details that change in the advertisements. Notice also that in this example we are describing a multi area OSPF design that is not using any special area types like Stub or Totally Stubby.

The ASBR Summary (Type4) LSA

Do you recall the very special OSPF router that brings in routes from another domain (like an EIGRP domain)? It is the Autonomous System Boundary Router. In order to inform routers in different areas about the existence of this special router, the Type 4 LSA is used. This Summary LSA provides the router ID of the ASBR. So once again, the Area Border Router is responsible for shooting this information into the next area and we have another example of an inter-area LSA.

The External (Type 5) LSA

So the ASBR is the device that is brining in prefixes from other routing domains. The Type 4 LSA describes this device. But what LSA is used for the actual prefixes that are coming in from the other domain? Yes, you guessed it, it is the Type 5 LSA. The OSPF ASBR creates these LSAs and they are sent to the Area Border Routers for dissemination into the other areas. Remember, this might change if we are using special area types.

The NSSA External (Type 7) LSA

Remember that in OPSF there is a VERY special area type called a Not So Stubby Area. This area can act stub, but it can also bring in external prefixes from an ASBR. You guessed it, these prefixes are sent as Type 7 LSAs. When an ABR gets these Type 7 LSAs, it sends them alone in to the other areas as a Type 5 LSA. So the Type 7 designation is just for that very special NSSA area functionality.

Other LSA Types

Are there other LSA types? You bet there are. But we do not often encounter these. For example, a Type 6 LSA is used for Multicast OSPF and that technology never really caught on, allowing Protocol Independent Multicast to win out.

I hope you enjoyed this recap of the very important LSA types we have in OSPF. This is all detailed and demonstrated further in my latest course on OSPF for CBT Nuggets. I hope you will consider a free week subscription and checking that out. It is garnering rave reviews.

Study with passion my friends!
Cisco Learning Network Store home page

CompTIA A+ 220-901 Completes Feb 15, 2016!

January 13, 2016 at 7:53 pm


The First of Two New A+ Courses (220-901):

Many of you have asked about a completion date for this new 220-901 course – here it is! February 15, 2016. Woohoo!

Why Wait?

Why wait for great content – start watching now at:

CompTIA A+ 220-901

The following Nuggets are waiting for you as of this post time:

  • HANDS ON LAB: Ports
  • DHCP and DNS
  • Other Network Protocols
  • TCP versus UDP
  • WiFi Standards
  • HANDS ON LAB: SOHO Wireless Router

Notice how much great networking content this new A+ contains! I could not resist starting there in Nugget creation 🙂

I have not checked this book out – but knowing the Exam Cram reputation – I am betting it is a nice companion product!