Question
Answer
What are the System Requirements to run AD RMS?
-Pentium 4.3 GHz or higher
-512MB RAM
-40GB HDD
-OS of Windows Server 2008 except Web Edition or Itanium Based systems
-FAT32 or NTFS file system
-Message Queuing
-IIS with ASP.NET enabled web service
What are the considerations for AD RMS?
-Reserve URLs that will not change and do not include a computer name nor use localhost
-An AD DS domain running on Windows 2000 SP3, 2003, or Windows Server 2008
-AD RMS must be installed in the same domain as its potential users.
-Domain User a
What is a Server License certificate (SLC)?
It is a self-signed certificate generated during the AD RMS setup of the first server in a root cluster.
What is a Rights Account Certificate (RAC)?
Issued to trusted users who have an email-enabled account in AD DS.
-RACs are generated when the user first tries to open rights-protected content.
-have a duration of 365 days
-Temp RACs do not tie the user to a specific computer and are valid for only 15 minutes
-contains the public key of the user as well as his or her private key.
What is a Client Licensor certificate (CLC)?
After the user has a RAC and launches an AD RMS-enabled application, the application automatically sends a request for a CLC to the AD RMS cluster.
-includes the client licensor public key, the client licensor private key that is encrypted by the user's public key, and the AD RMS cluster's public key.
What is a Machine Certificate?
The first time an AD RMS-enabled application is used, a machine certificate is created.
-contains the public key for the activated computer. The private key is contained within the lockbox on the computer.
What is a Publishing License?
Created when the user saves content in a rights-protected mode. The license lists which users can use the content and under which conditions, as well as the rights each user has to the content.
-includes the symmetric content key for decrypting content as well as the public key of the cluster.
What is a Use license?
The use license is assigned to a user who opens rights-protected content.
What is a Federated Web SSO?
Usually spans firewalls because it links applications contained within an extranet in a resource organization to the internal directory stores of account organizations.
The only trust that exists in this model is the federation trust. It is always a one-way trust from the resource organization to the account organizations.
-This is the most common deployment scenario.
What is a Federated Web SSO with Forest Trust?
The organization uses two AD DS forests. One is internal and the other is an external forest located within a perimeter network.
-internal users have access to the applications from both the internal network and the internet.
-external users have access to the applications only from the internet
What is a Web SSO?
Use when all the users for an extranet application are external and do not have accounts within an AD DS domain.
What kind of certificate does a Federation server need in an AD FS environment?
server authentication certificate and a token signing certificate
What kind of certificate does a Federation Service Proxy use?
Must have a server authentication certificate to support SSL-encrypted communications with Web clients
-must also have a client authentication certificate to authenticate the federation server during communications.
What kind of certificate does an AD FS Web Agent use?
server authentication certificate to secure its communications with web clients.
Is publishing CA configuration to AD DS directories optional or mandatory for a Standalone CA?
Optional for a Standalone CA.
Mandatory for an Enterprise CA.
What is a Domain?
An administratively defined collection of network resources that share a common directory database and security policies.
What are objects?
Within an Active Directory, each resource is identified as an object.
-Each object contains attributes
-Active Directory uses DNS for locating and naming objects
-Container objects hold or group other objects, either other containers or leaf objects
What is the Schema?
The schema identifies the object classes that exist in the tree and the attributes of the object.
What is an OU?
An organizational unit is like a folder that subdivides and organizes network resources within a domain.
-is a container object
-can be used to logically organize network resources
-simplifies security administration
-first-level OUs are called parents
-second-level OUs are called children
-OUs can contain other OUs or any type of leaf object.
What are Generic Containers?
Used to organize Active Directory objects.
-created by default
-cannot be created, moved, renamed, or deleted.
-have very few editable properties.
What is a tree?
A group of related domains that share the same contiguous DNS name space.
What is a forest?
a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.
What is a Domain Controller?
a server that holds a copy of the Active directory database that can be written to.
What is a Global Catalog?
A database that contains a partial replica of every object from every domain within a forest.
What is an AD DS?
a distributed database that stores and manages information about network resources, such as users, computers and printers.
What is AD LDS?
An LDAP directory service that you can use to create a directory store for use by directory-enabled applications.
-formerly known as ADAM.
What is AD FS?
A feature that enables secure access to web applications outside of a user's home domain or forest.
-provides web SSO
What is AD RMS?
a feature that safeguards digital information from unauthorized use.
What is AD CS?
an identity and access control feature that creates and manages public key certificates used in software security systems.
What are the steps to prevent objects from accidental deletion?
In AD Users and Computers or Active Directory Sites and Services, do either of the following:
-On the Object tab, select the Protect object from accidental deletion check box.
-On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.
Where does Windows store standard zone data?
%windir%\System32\Dns
How do you change the replication scope for a zone using an application partition?
dnscmd /ZoneChangeDirectoryPartition, with either of the following scopes:
-/forest
-/domain
What cmdlets are used to manage user accounts?
-New-ADUser…creates a new AD user
-Get-ADUser…displays one or more AD user's profile
-Set-ADUser…modifies an AD user
-Enable-ADAccount/Disable-ADAccount…enables/disables an AD account.
-Search-ADAccount…gets AD user, computer, and ser
How do you perform an offline domain join?
Run Djoin.exe /provision, then copy the resulting file to the computer that you want to join to the domain.
On that computer, run Djoin.exe /requestODJ.
Can you convert a group from global to domain local or domain global?
No. Not directly. First convert the group to a universal group and apply the changes, then convert the group to the desired scope.
What are the requirements to join a computer to a domain?
You must be a member of the Administrators group on the local computer or be given necessary rights.
What utilities do you use to create computer accounts from a command prompt or script?
-dsadd
-netdom
What is a managed service account?
A new account type available in Windows Server 2008 R2 and Windows 7. Provides the same benefits of using a domain user account with these improvements:
-passwords managed and reset automatically
-when running at Windows Server 2008 R2 functional level, the SPN does not need to be managed as with local accounts.
What is a Virtual Account?
A new account type that is not created or deleted.
What is AGDLP?
A strategy to manage users, groups, and permissions.
-A: place user Accounts
-G: into Global groups
-DL: into Domain Local groups
-P: assign Permissions to domain local groups.
Used in mixed mode. Universal groups are not available in mixed mode.
What is AGUDLP?
Same as AGDLP except Universal groups are used.
Used in native mode where there is more than one domain and you need to grant access to similar groups defined in multiple domains.
What do you use Active Directory Users and Computers for?
Use it to create, organize, and delete objects in Active Directory.
How do you access Active Directory Users and Computers?
-Server Manager
-Admin Tools
-Running dsa.msc
What is ADSI Edit?
It is the Active Directory Service Interfaces Editor.
-use it to query, view, and edit attributes that are not exposed through other MMC snap-ins.
What is Dsadd used for?
creates a new object in Active Directory
What is Dsquery used for?
finds objects that match the search criteria. Returns a list of objects that match the search criteria.
What is Dsget used for?
retrieves property info about an object.
What is Csvde used for?
Used to import and export Active Directory objects using a comma-separated list file.
-PASSWORDS ARE NOT EXPORTED.
What is Ldifde used for?
Imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
-passwords are NOT exported.
How do you export user accounts and import them with a password?
-Export the user accounts
-Import the user accounts to create the accounts. Users will be forced to change the password at next logon.
-Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and
What is Powershell?
a command line environment designed for automating administration and maintenance for Windows Server 2008 and Windows Server 2008 R2.
What is the general syntax of Powershell cmdlets?
(Verb)-ADObject, for example Get-ADUser
What is Ldp?
Allows you to search for and view the properties of multiple Active Directory objects.
-GUI based
What is the ADMT?
-Active Directory Migration Tool.
-GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another.
What is the Active Directory Administrative Center?
An Active Directory management GUI tool built on Windows Powershell.
-Creates or manages new or existing user accounts, groups, computer accounts, organizational units and containers
-Connect to one or several domains or domain controllers in the same instance of AD Admin Center.
-Change domain and forest functional levels
-Filter Active Directory data by using queries.
What is SOA?
-Start of Authority record.
-first record in any DNS database file.
-defines general parameters for the DNS zone.
-only one SOA
What is NS?
-Name Server
-identifies all name servers that can perform name resolution for the zone.
What is an A host?
maps an IPv4 DNS host name to an IP address.
What is an AAAA?
maps an IPv6 DNS host name to an IP address.
What is a CNAME?
provides alternative names to hosts that already have a host record.
What is DNAME?
provides alternative names to domains that already have a host record.
what is SRV?
used by Windows Server 2008 to register network services.
What is PTR?
In a reverse lookup zone, the PTR record maps an IP address to a host name.
What does a full zone transfer copy?
It copies all of the zone data with each zone transfer.
Who initiates a zone transfer?
The secondary server ALWAYS initiates the zone transfer.
What is DNS Notify?
-master servers are configured with a list of slave DNS servers.
-when a change takes place, the master notifies the slave servers that the zone has changed.
-the secondary server then initiates zone transfer, first checking the serial number, then requesting changes.
How do you improve DNS performance?
place multiple DNS servers on your network.
What does a caching only server do?
Runs DNS but has no zones configured.
-Use a caching-only server to improve performance while eliminating zone transfers.
When can you disable zone transfers?
If a zone is AD-integrated and has no secondary servers, you can disable zone transfers.
What is a forwarder?
a DNS server that can be used by another DNS server to resolve queries for records that cannot be resolved through the cache.
What is a secondary zone?
you can eliminate the need for a forwarder for a specific zone by adding a secondary zone to the server.
What is a stub zone?
A zone with only a partial copy of the zone database. It holds only the following:
-SOA record for the zone
-NS records for all authoritative DNS servers for the zone.
-A records for authoritative name servers identified in the NS records.
What is a conditional forwarder?
a forwarder that is used for a specific domain.
When should you use a conditional forwarder?
use a conditional forwarder to eliminate all zone transfer traffic, or in conditions where you are not allowed to transfer data from a zone.
What is recursion?
the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution.
What are Root hints?
pointers to top level DNS servers on the internet.
What is DNS Round Robin?
A load-balancing mechanism used by DNS servers to share and distribute network resource loads.
What is Background Zone Loading?
DNS servers load zone data from AD DS in the background while the server restarts.
What is an RODC?
-Read Only Domain Controller
-an additional domain controller for a domain that hosts read-only partitions of the Active Directory database.
What is the No-refresh interval?
the time between the record’s last refresh and when it can next be refreshed.
What is the refresh-interval?
identifies a period of time when a record can be refreshed. It begins when the no-refresh interval ends.
What is the command adprep /forestprep used for?
Used to update the Windows Server 2003 or Windows 2000 Server Active Directory schema for Windows Server 2008 or Windows Server 2008 R2.
-run it only once in the forest
-run on the domain controller that holds the schema master.
-must be a member of the Admins group, Schema Admins group, and the Domain Admins group.
What is the command adprep /domainprep used for?
-prepares a domain for a Windows Server 2008 or Windows Server 2008 R2 domain controller.
-run on the controller that holds the infrastructure operations master.
-run AFTER the adprep /forestprep command finishes and after the changes replicate to al
What is adprep /rodcprep used for?
Use if you plan on installing an RODC in any domain in the forest.
-run only once in the forest.
-can run this command on any computer in the forest.
-must be a member of the Enterprise Admins.
When installing a new Windows Server 2008 or 2008 R2, what must the first domain controller be?
It must be a Global catalog server.
What must you do if you are installing a new Windows Server 2008 or 2008 R2 domain controller to create a new domain in an existing Windows 2000 or Windows Server 2003 forest?
-run adprep /forestprep if this is the first Windows Server 2008 or Windows Server 2008 R2 domain controller in the forest.
-run adprep /rodcprep if you are making an RODC
-schema must be updated before the OS is installed if you are performing an unattended
What are the methods that can be used for installing AD DS?
-Active Directory Domain Services Installation Wizard
-Command line (dcpromo)
-Answer file
-AD DS installation (media) (use ntdsutil.exe)
What command is used to remove AD DS?
dcpromo.exe
What do you do to remove a domain controller from a domain?
What do you do if you are removing the last domain controller from a domain?
What do you do if you are removing the last domain controller from a FOREST?
In the wizard, select Delete the domain and forest
What is available at 2000 Native Domain functional level?
-universal groups are available for security and distribution
-group nesting
-group converting
-Security Identifier history
What is available at the 2003 domain functional level?
-All features in 2000 Native
-Domain controller rename
-Update logon time stamp
-User password on inetOrgPerson object
-User and computer container redirect.
-Constrained delegation allows applications to take advantage of the secure delegat
What is available at the 2008 domain functional level?
Includes all features available in 2003 and adds the following:
-DFS for SYSVOL
-AES
-Last Interactive Logon Info.
-Fine-grained password policies that allow you to specify password and account lockout policies for users and global security groups in a domain.
What is available at the 2008 R2 domain functional level?
Includes all previous features and adds:
-Authentication Mechanism Assurance (AMA), allowing you to control access to network resources based on the type of certificate used during logon.
-Automatic Service Principal Name (SPN) management when using managed service and virtual accounts.
What forest functional level must you be at to use the Active Directory Recycle Bin?
Windows Server 2008 R2
What is a Site Link Bridge?
A collection of two or more site links that can be grouped as a single logical link.
-enabled by default
-if disabled, you must manually specify site link bridges
What is a Bridgehead server?
A domain controller in a site that replicates with domain controllers in other sites.
-REPLICATION WITHIN A SITE DOES NOT USE BRIDGEHEAD SERVERS
What can be used to allow replication within mail messages in environments where WAN links are not available?
SMTP
-can replicate only the configuration and schema directory partitions and global catalog read-only replicas.
-requires an enterprise CA when you use it over site links.
What is site link cost?
A number assigned to a site link that identifies the overall relative cost of using that site link.
-default is 100
-the lower the number, the more preferred the site link.
What commands can you use to force replication?
-Replicate now
-repadmin.exe /replicate
What are the stages of DFS migration?
1. Not initiated
2. Global state 0…in this stage DFS replication has not started yet. FRS is still being used
3. Global State 1…DFS begins to replicate but FRS is still the main replication method.
4. Global State 2…FRS continues to replicate but DFS becomes master
5. Global State 3…FRS completely stops and DFS becomes the sole source of replication.
What does the schema master do?
Maintains the AD schema for the forest.
What does the Domain Naming Master do?
Adds new domains to and removes existing domains from the forest.
-ensures that domain names are unique
What does the RID master do?
It allocates pools or blocks of numbers that are used by the domain controller when creating new security principals.
What does the PDC emulator do?
Acts like a Windows NT 4.0 Primary Domain Controller. It performs other tasks normally associated with NT domain controllers.
What is the Infrastructure Master responsible for?
It is responsible for updating changes made to objects.
What is DNS?
The Domain Name System (DNS) is a hierarchical, distributed database that maps logical host names to IP addresses
What does a DNS server hold?
A DNS server holds a database of hostnames and their corresponding IP addresses. Clients query the DNS server to get the IP address of a given host.
What was used before DNS?
a hosts file saved on each host computer
What makes up the DNS hierarchy?
The DNS hierarchy is made up of the following components:
– . (dot) domain (also called the root domain)
– Top Level Domains (TLDs) (.com, .edu, .gov)
– Second-level and additional domains
– Hosts
What is a FQDN?
Fully Qualified Domain Name – includes the host name and the name of all domains back to root.
What makes DNS a distributed database?
DNS is a distributed database because no one server holds all of the DNS information. Instead, multiple servers hold portions of the data.
What is a zone?
Zones typically contain one or more domains, although additional servers might hold information for child domains.
What do DNS servers do?
DNS servers hold zone files and process name resolution requests from client systems.
What is a DNS forward lookup?
A forward lookup uses the host name (or the FQDN) to find the IP address
What is a DNS reverse lookup?
A reverse lookup uses the IP address to find the host name (or FQDN).
What is an A record?
The A record maps a host name to an IP address and is used for forward lookups.
What is a PTR record?
The PTR record maps an IP address to a host name and is used for reverse lookups.
What is a CNAME record?
The CNAME record provides an alternate name (an alias) for a host.
What is a SRV record?
The SRV record identifies a service, such as an Active Directory domain controller.
How are DNS records created?
Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts automatically register and update their corresponding records with the DNS server.
What is the process followed when a client computer needs to find an IP address?
– The client examines its HOSTS file for the IP address.
– If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
– If the IP address is not in the cache, the client sends the request to a DNS server.
What is the process when a DNS server receives a name resolution request?
1) The DNS server examines its local DNS cache for the IP address
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or Recursion
5) After the information is found or received from another server, the DNS server returns the result to the client, and places the information in its server cache.
What is an authoritative DNS server?
a DNS server that has a full, complete copy of all the records for a particular zone.
What is DNS Forwarding?
Where the DNS server forwards the name resolution request to another DNS server, then waits for a response from that server
What is DNS Recursion?
Where the DNS server queries root domain servers, top-level domain server and other DNS servers in an iterative manner until it finds the one that hosts the target domain.
What is a caching-only DNS server?
A caching-only DNS server has no zone information; it is not authoritative for any domains. It uses information in its server cache, or forwarding or recursion, to respond to client queries.
Who can install DNS in Server 2008?
Members of the Domain Admins group
Which versions of server 2008 can have DNS installed on them?
You can install DNS on any version of Windows Server 2008 except for the Windows Server 2008 Web Server edition.
What type of IP address must the DNS server have?
Static
How would you add the DNS role from a command prompt (or on a server core)?
start /w ocsetup DNS-Server-Core-Role
What command will give a list of installed services on a server?
Run the oclist command to get a list of services (including DNS) installed on a server.
What can be used to manage DNS on Server 2008?
Use the DNS snap-in or the dnscmd command to manage DNS.
What is a primary DNS zone?
the master copy of a zone database
What are the properties of a primary zone?
– The primary zone is the only writeable copy of the zone database.
– Changes to the zone can only be made to the primary zone.
– The server that holds the primary zone is called a primary server.
– Each zone can have only a single primary zone s
What is a secondary DNS zone?
A secondary zone is a read-only copy of the zone database.
What are the properties of a secondary DNS zone?
– Changes cannot be made to the records in a secondary zone.
– A server that holds a secondary zone is called a secondary server.
– Secondary servers copy zone data from other servers through a process called zone transfer.
– Secondary servers ca
What is an Active Directory-integrated DNS zone?
An Active Directory-integrated zone holds zone data in Active Directory instead of a text file.
What are the properties of an Active Directory-integrated DNS zone?
– Active Directory-integrated zones are multi-master zones, meaning that changes to the zone information can be made by multiple servers. Multiple servers hold read-write copies of the zone data.
– Only DNS servers that are domain controllers can host
What is a stub zone?
A stub zone is a zone with only a partial copy of the zone database.
What are the properties of a stub zone?
– The stub zone only contains information about the name servers that are authoritative for the zone; it does not contain information for other hosts.
– A stub zone is not authoritative for the zone; its purpose is to identify the name servers that can
What is the GlobalNames DNS zone?
The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution.
What is a GlobalNames DNS zone used for?
– Allow clients to use simple host names without domain information for name resolution. For example, to contact a server named web1.corp.us.westsim.private, users could simply enter the single-label name web1.
– Allow DNS clients to contact NetBIOS-on
What are the features of a GlobalNames zone?
– When users enter a single-label name, the client computer first tries to resolve the name using DNS and the search suffix configuration. If that process fails, the GlobalNames zone is checked (if it exists).
– Using the GlobalNames zone does not requ
What is a forward lookup DNS zone?
A forward lookup zone provides hostname-to-IP address resolution. Clients query the DNS server with the hostname, and receive the IP address in return.
What is a reverse lookup DNS zone?
A reverse lookup zone provides IP address-to-hostname resolution. Clients query the DNS server with the IP address, and receive the hostname in return.
How many servers can hold the primary zone file?
Only one server can hold the primary zone file. To place zone data on multiple servers, configure secondary servers.
Where does Windows store standard zone data?
Windows stores standard zone data in the %windir%\System32\Dns directory. The file is a text file with .dns added to the zone name.
Which types of zone support dynamic updates?
Primary and Active Directory-integrated zones support dynamic updates. Use an Active Directory-integrated zone to use secure dynamic updates.
What types of record does a reverse lookup zone hold?
Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP address to an A record.
What type of zones can a reverse lookup zone be?
A reverse lookup zone can be a primary zone, a secondary zone, or an Active Directory integrated zone.
What is the SOA (Start of Authority) record?
The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone, and it is assigned to the DNS server hosting the primary copy of a zone. There is only one SOA record, and it is the first record in the zone database file. The SOA record includes parameters such as the authoritative server and the zone file serial number.
What is an NS (Name Server) record?
The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone (all authoritative DNS servers).
What is an A (Host Address) record?
The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the most common resource record type.
What is an AAAA (Quad A) record?
The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address.
What is an MX (Mail Exchanger) Record?
The MX record identifies servers that can be used to deliver e-mail.
What is a CNAME record?
The CNAME record provides alternate names (or aliases) to hosts that already have a host record. Using a single A record with multiple CNAME records means that when the IP address changes, only the one A record needs to be modified.
What is a DNAME record?
The DNAME record provides alternate names (or aliases) to domains that already have a host record.
What is a SRV (Service Locator) record?
The SRV record is used by Windows Server 2008 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically creates these records as needed and during domain controller installation.
What is a PTR (Pointer) record?
In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. “points” to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.
What are WINS and WINS-R records?
Add these records to a zone when you want to allow DNS to use WINS resolution. The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse query that is not resolvable through DNS.
How can DNS records be automatically created on a DNS server?
By using Dynamic DNS. Dynamic DNS is required to support Active Directory.
When do dynamic updates occur?
– A network connection's IP address is added, deleted, or changed.
– The DHCP server changes or renews an IP address lease.
– The client's DNS information is manually changed using ipconfig /registerdns.
– The client boots.
– A server is promo
Which Windows clients support DDNS?
Windows clients (2000 and above) create their A records with the DNS server. Windows 9x/Me/NT clients do not support dynamic DNS.
How does the DHCP server tie in with DDNS?
The DHCP server registers the PTR record with the DNS server for clients capable of dynamic updates. The DHCP server updates both the A and PTR records for clients that do not support dynamic updates.
Are dynamic updates enabled by default on a primary zone?
Dynamic updates are not enabled on primary zones. You can enable dynamic updates when you create the zone or modify the zone properties later to enable this feature.
Are dynamic updates enabled by default on an Active Directory-integrated zone?
Dynamic updates are enabled on Active Directory-integrated zones. Note: When you convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is retained.
What are secure dynamic updates?
With secure dynamic updates, only domain members can create records, and only the original client can modify or remove records.
What is used to keep track of changes to a DNS zone?
The zone serial number keeps track of changes to the zone. When you make changes to the zone, the serial number is incremented.
What is a DNS master server?
A master server is the server from which the secondary copies the zone data. The master server can be the primary server or another secondary server.
What are the two types of zone transfer?
Zone transfers can copy all records or only changed records:
– A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
– A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default method on Windows Server 2008.
Are zone transfers enabled in Server 2008 by default?
By default, zone transfer in Windows Server 2008 is disabled for security reasons. To use zone transfers, manually enable the feature in the DNS settings in Server Manager.
How can you restrict the servers to which zone transfers are allowed?
– Allow zone transfers only to servers that are listed as name servers.
– Allow zone transfers only to servers you specifically identify.
How does a secondary server initiate a zone transfer?
– The secondary server contacts the master server and compares the serial number on the master with the serial number in its copy.
– If the serial number on the master is greater, the secondary initiates zone transfer.
– If the serial number is the
What is DNS notify?
Windows DNS servers support the use of DNS Notify. With DNS Notify, master servers are configured with a list of slave DNS servers.
How does DNS notify work?
– When a change takes place, the master notifies the slave servers that the zone has changed.
– The secondary server then initiates zone transfer, first checking the serial number, then requesting changes.
What is a DNS caching server?
A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers.
How does an Active Directory-integrated zone store DNS information?
An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when Active Directory replicates.
How can you secure zone transfers to secondary servers?
Active Directory replication traffic is automatically secured. To secure zone transfers to secondary servers, use IPsec between servers.
How can you force an update of DNS zone data?
You can force an update of zone data through the DNS console or by using the Dnscmd command.
cached credentials
A cached copy of a user’s logon credentials that have been stored on the user’s local workstation.
clock skew
The time difference between any client or member server and the domain controllers in a domain.
Domain Naming Master
A role that has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest. Upon creation of any of these, the Domain Naming Master ensures that the name assigned is unique to the forest.
_gc
Global catalog service that listens on port 3268 to respond to requests to search for an object in Active Directory.
indexed
An attribute has been stored in the partial attribute set replicated to all global catalog servers in the forest.
Infrastructure Master
A domain-specific role that is responsible for reference updates from its domain objects to other domains. This assists in tracking which domains own which objects.
seize
A forced, ungraceful transfer of a role. This procedure is used only in the event of a catastrophic failure of a domain controller that holds an FSMO role.
transfer
Move a role to a new domain controller.
universal group
Memberships stored in the global catalog. A universal group can contain users, groups, and computers from any domain in the forest. In addition, universal groups, through their membership in domain local groups, can receive permissions for any resource anywhere in the forest.
universal group membership caching
This feature stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server.
partial attribute set
PAS
A partial copy of all objects from other domains within the same forest. This partial copy of forest-wide data includes a subset of each object’s attributes.
Primary Domain Controller Emulator
PDC Emulator
A role that provides backward compatibility from Microsoft Windows NT 4.0 domains and other down-level clients.
relative identifier
RID
A variable-length number that is assigned to objects as they are created and becomes part of the object’s security identifier (SID).
Relative Identifier Master
RID Master
Role that is responsible for assigning relative identifiers to domain controllers in the domain. Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created.
security identifier
SID
A variable-length number used to uniquely identify an object throughout the Active Directory domain. Part of the SID identifies the domain to which the object belongs and the other part is the RID.
AD DS
Active Directory Domain Services
Windows Server 2008 service that provides a centralized authentication service for Microsoft networks. Provides the full-fledged directory service that is called Active Directory in Windows Server 2008 and previous versions of Windows Server.
DN
Distinguished Name
The full name of the object that includes all hierarchical containers leading up to the root domain. The xxxxxxxxxxx begins with the object’s common name and appends each succeeding parent container object, reflecting the object’s location in the Active Directory structure.
DC
Domain Controller
A server that stores the Active Directory database and authenticates users with the network during logon.
KCC
Knowledge Consistency Checker
An internal Active Directory process that automatically creates and maintains the replication topology. The xxxxxxxxxxx operates based on the information provided by an administrator in the Active Directory Sites and Services snap-in, which is located in the Administrative Tools folder on the domain controller, or on an administrative workstation that has the Administrative Tools installed.
NC
Naming Context
An Active Directory partition.
DNS
Domain Name System
The name resolution mechanism computers use for all Internet communications and for private networks that use the Active Directory domain services included with Microsoft Windows Server 2008, Windows Server 2003 and Windows 2000 Server.
GUID
Globally Unique Identifier
A 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed.
LDAP
Lightweight Directory Access Protocol
The protocol that has become an industry standard that enables data exchange between directory services and applications. The xxxxxxxxx standard defines the naming of all objects in the Active Directory database and therefore provides a directory that can be integrated with other directory services, such as Novell eDirectory, and Active Directory-aware applications, such as Microsoft Exchange.
OU
Organizational Unit
A container that represents a logical grouping of resources that have similar security or administrative guidelines.
RODC
Read-Only Domain Controller
A domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers within Active Directory. This feature was introduced in Windows Server 2008.
Application Partition
A partition that allows information to be replicated to administratively chosen domain controllers. An example of information that is commonly stored in an application partition is DNS data. xxxxxxxxx offer control over the scope and placement of information that is to be replicated.
Attribute
Characteristics associated with an object class in Active Directory that make the object class unique within the database. The list of xxxxxxxs is defined only once in the schema, but the same xxxxxxxx can be associated with more than one object class.
Configuration NC
The configuration partition contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest.
container object
An object, such as a domain or an Organizational Unit, that is used to organize other objects. Also known as a leaf object.
cross-forest trust
Trust type that allows resources to be shared between Active Directory forests.
delegation
Administration of an Organizational Unit is tasked to a department supervisor or manager, thus allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords.
directory service
Allows businesses to define, manage, access, and secure network resources, including files, printers, people, and applications.
domain
A grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems.
Domain NC
Active Directory domain partition that is replicated to each domain controller within a particular domain. Each domain’s xxxxxxx contains information about the objects that are stored within that domain: users, groups, computers, printers, Organizational Units, and more.
domain tree
In Active Directory, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship. Each Active Directory forest can contain one or more xxxxxxxs, each of which can, in turn, contain one or more domains.
external trust
A one-way, nontransitive trust that is established with a Windows NT domain or a Windows 2000 domain in a separate forest.
fault tolerant
The ability to respond gracefully to a software or hardware failure. In particular, a system is considered to be xxxxxxxx when it has the ability to continue providing authentication services after the failure of a domain controller.
forest
The largest container object within Active Directory. The xxxxxxxx container defines the fundamental security boundary within Active Directory, which means that a user can access resources across an entire Active Directory xxxxxxxx using a single logon/password combination.
forest root domain
The first domain created within an Active Directory forest.
functional levels
Designed to offer support for Active Directory domain controllers running various supported operating systems by limiting functionality to specific software versions. As legacy domain controllers are decommissioned, administrators can modify the xxxxxxxxx to expose new functionality within Active Directory. Some features in Active Directory cannot be activated, for example, until all domain controllers in a forest are upgraded to a specific level.
inbound replication
Occurs when a domain controller receives updates to the Active Directory database from other domain controllers on the network.
IP address
A unique number used to identify all devices on an IP network. xxxxxxxxxxs are four octets long and commonly expressed in dotted-decimal notation, such as 192.168.10.1.
leaf object
An object, such as a domain or an Organizational Unit, that is used to organize other objects. Also known as a container object.
link-value replication
An improvement to replication that is available after the forest functional level has been raised to Windows Server 2003, or higher, enabling a single membership change to a group to trigger the replication of only the change to each member in the list, rather than the entire membership list.
locator service
Active Directory DNS provides direction for network clients that need to know which server performs what function.
loose consistency
Individual domain controllers in an Active Directory database may contain slightly different information, because it can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment.
object
An element in Active Directory that refers to a resource. Xxxxxxxs can be container xxxxxxs or leaf xxxxxs. Containers are used to organize resources for security or organizational purposes; leaf xxxxxxs refer to the end-node resources, such as users, computers, and printers.
outbound replication
Occurs when a domain controller transmits replication information to other domain controllers on the network.
partition
Portion of Active Directory database used to divide the database into manageable pieces.
Publish
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource.
2) An option used to deploy applications. It allows users to install the applications that they consider useful to them.
replication
The process of keeping each domain controller in sync with changes made elsewhere on the network.
rolling upgrades
Upgrade strategy based on functional levels that allows enterprises to migrate their Active Directory domain controllers gradually, based on the need and desire for the new functionality.
schema
Master database that contains definitions of all objects in the Active Directory.
Schema NC
The partition that contains the rules and definitions used for creating and modifying object classes and attributes within Active Directory.
shortcut trust
A manually created nontransitive trust that allows child domains in separate trees to communicate more efficiently by eliminating the tree-walking of a trust path.
site
One or more IP subnets connected by fast links.
SRV record
The locator records within DNS that allow clients to locate an Active Directory domain controller or global catalog.
trust relationship
Enables administrators from a particular domain to grant access to their domain’s resources to users in other domains.
A record
The building block of the DNS that maps a single IP address to a DNS hostname.
Admin Role Separation
Feature offered by Read-Only Domain Controllers (RODCs) that enables an administrator to configure a user as the local administrator of a specific RODC without making the user a Domain Admin with far-reaching authority over all domain controllers in the entire domain and full access to the Active Directory domain data.
aging
The dynamic update feature that places a timestamp on a record, based on the current server time, when the IP address is added. This is part of the aging and scavenging process.
binaries
The executable files needed to install Windows.
dcpromo
The Active Directory Installation Wizard.
domain netBIOS name
Domain name limited to 15 characters that is maintained for legacy compatibility with older applications that cannot use DNS for their name resolution.
dynamic updates
Enables the DNS database to be updated with the changed information when the Internet Protocol (IP) address of a host changes.
forward lookup zone
Zones necessary for computer hostname-to-IP address mapping, which are used for name resolution by various services.
global catalog
A domain controller that contains a partial replica of every domain in Active Directory. The xxxxxxxxx stores those attributes most frequently used in search operations (such as a user’s first and last names) and those attributes required to locate a full replica of the object. The Active Directory replication system builds the global catalog automatically.
incremental zone transfers
Method of conserving bandwidth by transferring part of a zone.
AD LDS
Active Directory Lightweight Directory Services
Role that provides developers the ability to store data for directory-enabled applications without incurring the overhead of extending the Active Directory schema to support their applications. This feature was introduced in Windows Server 2008.
DSRM
Directory Services Restore Mode
A special startup mode used to run an offline defragmentation.
FSMO
Flexible Single Master Operations
The specific server roles that work together to enable the multimaster functionality of Active Directory.
FQDN
fully qualified domain name
The complete DNS name used to reference a host’s location in the DNS structure.
OID
Object Identifier
A unique string used to identify every class or attribute added to a schema. OIDs must be globally unique, and they are represented by a hierarchical dotted-decimal notation string.
PTR
pointer
The resource record that is the functional opposite of the A record, providing an IP address-to-name mapping for the system identified in the Name field using the in-addr.arpa domain name.
UPN
User Principal Name
A naming format that simplifies access to multiple services such as Active Directory and email. A xxxxxxxxx follows a naming convention that can reflect the forest root domain or another alias, in the form user@domain.
instance
A single occurrence of an element.
latency
The amount of time or delay it takes to replicate information throughout the network.
netdom
A command-line tool that is used to create, delete, verify, and reset trust relationships from the Windows Server 2008 command line.
nslookup
A command-line tool that is critical for working with DNS on Server Core.
Password Replication Policy
A list of user or group accounts whose passwords should be stored on a particular Read-Only Domain Controller (RODC) or should not be stored on the specific RODC.
priority
A mechanism to set up load balancing between multiple servers that are advertising the same SRV records. Clients will always use the record with the lowest-numbered priority first. They will only use an SRV record with a higher-numbered priority if the lower-numbered priority record is unavailable.
restartable Active Directory
Feature that enables administrators to place the NTDS.DIT file in an offline mode without rebooting the domain controller outright. This feature was introduced in Windows Server 2008.
reverse lookup zone
Zone that answers queries in which a client provides an IP address and DNS resolves the IP address to a hostname.
scavenging
The process of removing records that were not refreshed or updated within specified time intervals.
Server Core
A special installation option that creates a minimal environment for running only specific services and roles. Server Core runs without the Windows Desktop shell, which means that it must be administered exclusively from the command line or using Group Policy. This feature was introduced in Windows Server 2008.
Server Manager
A utility that enables administrators to view any other roles the server might be performing. The Server Manager utility launches automatically at startup after the Initial Configuration Tasks utility is closed. It can be accessed manually through the shortcut provided in the Administrative Tools folder or directly from the Start menu.
staged installation
To begin the Active Directory installation at a central location, such as a data center, and then allow a local administrator to complete the configuration.
SYSVOL
A shared folder that exists on all domain controllers and is used to store Group Policy Objects, login scripts, and other files that are replicated domain-wide.
time-to-live
The length of time a record is valid, after which it needs to be reregistered.
Unattended installation
Running dcpromo from the command line using a specially formatted text file to specify the necessary installation options.
weight
A relative weighting for SRV records that have the same priority. For example, consider three SRV records with the same priority with relative weights of 60, 20, and 20. Because 60 + 20 + 20 = 100, the record with the weight of 60 will be used 60/100, or 60%, of the time, whereas each of the other two records will be used 20/100, or 20 percent, of the time.
zone transfers
The process of replicating DNS information from one DNS server to another.
asynchronous replication
Each replication transaction does not need to complete before another can start because the transaction can be stored until the destination server is available.
bridgehead server
The server at each site that acts as a gatekeeper in managing site-to-site replication. This allows intersite replication to update only one domain controller within a site. After a xxxxxxxx is updated, it updates the remainder of its domain controller partners with the newly replicated information.
change notification
Method used by domain controllers to inform one another of when changes need to be replicated. Each domain controller will hold a change for 45 seconds before forwarding it, after which it will transmit the change to each of its replication partners in 3 second intervals.
compressed
To reduce the size of transmitted data to decrease the use of network bandwidth.
connection objects
The link, created by the Knowledge Consistency Checker, between domain controllers that replicate with one another in a site.
convergence
The amount of time required for replication so that all domain controllers in the environment contain the most up-to-date information.
cost
Value assigned to a site link object to define the path that replication will take. If more than one path can be used to replicate information, cost assignments will determine which path is chosen first. A lower-numbered cost value.
dcdiag
A command-line tool used for monitoring Active Directory.
dual counter-rotating ring
Created by the Knowledge Consistency Checker for the replication path. If one domain controller in the ring fails, traffic is routed in the opposite direction to allow replication to continue.
frequency
A value assigned to a site link that determines how often information will be replicated over the site link.
CIDR
Classless Inter-Domain Routing
Form of notation that shows the number of bits being used for the subnet mask. For example, for an IP address of 192.168.64.0 with a mask of 255.255.255.0, the CIDR representation would be 192.168.64.0/24.
ISTG
Intersite Topology Generator
A process that selects a bridgehead server and maps the topology to be used for intersite replication.
LVR
linked-value replication
An improvement to replication that is available for use after the forest functional level has been raised to Windows Server 2003 or higher, enabling a single membership change to a group to trigger the replication of only this change to each member in the list, rather than the entire membership list.
RPC over IP
Remote Procedure Calls over Internet Protocol
Default protocol used for all replication traffic.
SMTP
Simple Mail Transport Protocol
Transport protocol used for intersite replication when a direct or reliable IP connection is unavailable.
USN
update sequence number
A local value, maintained by each domain controller, that tracks the changes that are made at each DC, thus tracking which updates should be replicated to other domain controllers.
intrasite replication
The process of replicating Active Directory information between domain controllers within a site.
intersite replication
The process of replicating Active Directory information from one site to another.
preferred bridgehead servers
The administrator’s list of servers to be used as bridgehead servers. A bridgehead server is the server at each site that acts as a gatekeeper in managing site-to-site replication.
repadmin
A command-line tool that can check replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and Knowledge Consistency Checker (KCC) recalculation.
replication partners
Servers that inform each other when updates are necessary. The Knowledge Consistency Checker (KCC) selects one or more replication partners for each domain controller in the site.
replication topology
Defines the path used by replication traffic.
schedule
Determines the time when a site link object is available to replicate information.
site link bridge
Defines a chain of site links by which domain controllers from different sites can communicate.
site links
A connection between two or more sites that enables intersite replication.
timestamp
An attribute set on an object to indicate when it was last updated. Timestamps are used to assist in the resolution of conflicts during replication. If a change was made to an attribute of the same object, the timestamp can help determine which object is the most up-to-date.
transitive
Default characteristic of site links that use the same transport protocol. A domain controller in any site can connect to a domain controller in any other site by navigating a chain of site links.
urgent replication
The change will be placed at the “beginning of the line” and it will be applied before any other changes that are waiting to be replicated.
version ID
A value associated with each Active Directory attribute that keeps track of how many times that attribute has been changed.
well-connected
The network infrastructure between sites defined by fast and reliable IP subnets.
What is a Certificate Revocation List (CRL) ?
A Certificate Revocation List (CRL) is a digitally signed list of unexpired certificates that a particular CA has revoked.
AD CS supports two types of CRLs ?
AD CS supports two types of CRLs.
A Base CRL is a full, initial set of revoked certificates.
A Delta CRL lists only certificates that have been revoked since the last full Base CRL was implemented.
Abbrev : CDP
CRL Distribution Point (CDP)
What is a CRL Distribution Point (CDP) ?
A CRL Distribution Point (CDP) is a certificate extension that indicates where the CRL for a particular CA can be retrieved.
Abbrev : LDAP
Lightweight Directory Access Protocol
How do CDPs help ?
Using CDPs enables PKI administrators to locate and access a relevant CRL so they can manually update the entries it contains. These entries are valid only for a specified time period.
A CDP may be located in
Active Directory (AD): You use the AD as the CDP to publish and store CRLs for enterprise CAs, which use certificate templates. PKI users can retrieve CRL data from an AD CDP using LDAP.
Accessing CRLs via a directory service uses more bandwidth than accessing CRLs directly because it requires that every client be able to authenticate to every server. Directories must be linked so that results can be located and passed back to the requesting PKI client.
A local directory: You use the local directory of a CA server as the CDP to store CRLs on standalone CAs, which don’t require AD or use certificate templates. By default, standalone CAs hold all certificate requests in a pending queue until a CA approves them.
PKI users can access CRL data in a local directory via the Internet or an extranet, using HTTP or FTP.
Abbrev :: OCSP
Online Certificate Status Protocol
What is OCSP ?
The OCSP enables you to manage and distribute the revocation status of a certificate via the Online Responder service.
Working of OCSP ??
You use the OCSP to submit a certificate status request to an Online Responder. The Online Responder service uses the OCSP to issue a digitally signed certificate status response, based on the CRLs that are provided to it by CAs.
configure an Online Responder
You can use the following sets of properties to configure an Online Responder:
Web Proxy
Audit
Security
To validate whether AD replicated fine between two DCs, run which command?
RepAdmin
If users at a Branch are to log onto a Domain using RODC ?
Password Replication Policy should be configured.
Abbrev : AD CS
Active Directory Certificate Services
Abbrev : PKI
Public Key Infrastructure
Abbrev : CAs
Certification Authorities
What is a CA used for ?
A CA is used to issue digital certificates and the directories are used to store policies and certificates.
Abbrev : CRL
Certificate Revocation List
What is a CRL ?
A CRL is a digitally signed list of unexpired certificates revoked by a CA.
What are Certificate Templates ?
Certificate templates give instructions to users about procedures for creating and submitting a valid certificate request. This is an essential part of an enterprise CA and enables an administrator to recognize, configure, and issue certificates that have been pre-configured for selected tasks.
Where are Certificate templates stored ?
Certificate templates are stored in Active Directory Domain Services (AD DS).
This enables them to be used by all CAs in a forest and ensures that the CAs have access to the current standard templates.
Benefits of using Certificate Templates ?
Consistent application of the certificate policy across the forest.
There are default templates that can be used.
Default Certificate Templates Available are ?
Computer
Cross Certification Authority
Directory Email Replication
CEP Encryption
Code Signing
Domain Controller
Domain Controller Authentication
EFS Recovery Agent
How many versions of Certificate Templates are available ?
Version 1
Version 2
Version 3
Explain Version 1 certificate Template ?
Version 1 certificate templates are available in a Windows Server 2000 PKI. When a CA is installed, these templates are created by default and cannot be removed or modified. However, you can create a duplicate copy of a version 1 template and change it to a modifiable version 2 or version 3 template.
Version 1 templates are supported by CAs configured for Windows Server 2000 and Windows Server 2003 Standard Edition, which only support version 1 templates.
Explain Version 2 certificate Template ?
Version 2 certificate templates enable you to customize the settings and permissions of a template based on your needs. These templates are only issued by Enterprise CAs installed on Windows Server 2003 Enterprise Edition or higher.
Explain Version 3 certificate Template ?
Version 3 certificate templates enable an administrator to add the advanced Suite B cryptographic settings to their certificates. These settings contain advanced options for digital signatures, encryption, hashing, and key exchange. Administrators can only issue certificates based on version 3 certificate templates from CAs installed on Windows Server 2008 servers. These certificates can only be used on clients running Windows Server 2008 or Windows Vista.
Windows Server 2000 and Windows Server 2003 Standard Edition CAs support which version of certificate templates?
version 1
Windows Server 2003 Datacenter and Enterprise Edition CAs – support which version of certificate templates ?
versions 1 and 2
Windows Server 2008 CAs support which version of certificate templates ?
support for versions 1, 2, and 3
What are the permissions that you can assign to a certificate template ?
The permissions that you can assign to a certificate template are:
Full Control
Enroll
Autoenroll
Read
Write
Note : Windows Server 2008 enables key archival and recovery to prevent potential loss of data that can result from the loss of a key.
Note : This process enables a Key Recovery Agent (KRA) to retrieve private keys, original certificates, and public keys from a database.
Abbrev : KRA
Key Recovery Agent
Note : Enterprise CAs can archive a user’s private key in their database when certificates are issued. These private keys are encrypted and stored by a CA.
Note :A private key can be recovered at a later time by using the private key archive.
How do you configure your environment for key archival ?
To configure your environment for key archival, you will need to:
* configure a KRA certificate template and enroll the KRA for a KRA certificate
* enable key archival for a CA
How do you configure a KRA certificate template ?
You need to add the certificate template to a CA.
If the certificate is configured with Read and Enroll permissions, the new KRA can use the Certificates snap-in and the Certificate Import Wizard to create a KRA certificate.
If the certificate is configured with the Autoenroll permission, it will be issued automatically the next time the user logs on to the network.
Restricted groups policy settings enable you to manage the membership of groups.
Remember that Member Of settings are cumulative and that if GPOs use the Members setting, only the Members setting with the highest GPO processing priority will be applied, and its list of members will prevail.
Delegating Administration Using Restricted Groups Policies with the Member Of Setting.
In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
You want to add a group to the local Administrators group on computers without removing accounts that already exist in the group. Describe the restricted groups policy you should create.
Create a restricted groups policy for the group you wish to add. Use the Member Of policy setting (This Group Is A Member Of) and specify Administrators.
Abbrev : GPOs
Group Policy objects
Abbrev : GPMC
Group Policy Management Console
GPME
Group Policy Management Editor
Policy Setting states ?
A policy setting can have three states:

Not Configured,
Enabled,
and Disabled.
A single GPO can be linked to more than one site or OU.
What is the Scope of the GPO : Security Filters ?
You can narrow the scope of a GPO with Security Filters that specify global security groups to which the GPO should or should not apply.
WMI
Windows Management Instrumentation
What do Windows Management Instrumentation (WMI) filters do for the scope of a GPO ?
Windows Management Instrumentation (WMI) filters specify a scope using characteristics of a system such as operating system version or free disk space.
Abbrev : RSoP ?
Resultant Set of Policy
What is the Resultant Set of Policy (RSoP) ?
Users or computers are likely to be within the scope of multiple GPOs linked to the sites, domain, or OUs in which the users or computers exist.

This leads to the possibility that policy settings might be configured differently in multiple GPOs.

You must be able to understand and evaluate the Resultant Set of Policy (RSoP), which determines the settings that are applied by a client when the settings are configured divergently in more than one GPO.
Refresh settings for Policy settings in the Computer Configuration node ?
Policy settings in the Computer Configuration node are applied at system startup and every 90–120 minutes thereafter.
Policy Refresh settings User Configuration policy settings ?
User Configuration policy settings are applied at logon and every 90–120 minutes thereafter.
Manual Refresh of Group policy settings is done using ?
gpupdate.exe
/force
/logoff
/target:{ computer | user }
/wait:value
/boot
What are the tools associated with Group Policy updates ?
Gpupdate
Secedit
FLEX COMMAND

FLEX COMMAND: helps with group updates of workstations. It can be applied directly to OUs, etc.
Abbrev : CSEs
Client-Side Extensions
Security settings are reapplied every 16 hours even if a GPO has not changed.
Always Wait For Network At Startup And Logon policy setting
Without this setting, by default, Windows XP and Windows Vista clients perform only background refreshes, meaning that a client might start up and a user might log on without receiving the latest policies from the domain.
GPSI
Group Policy Software Installation
Startup, logon, logoff, and shutdown scripts will not run if the user is disconnected from the Enterprise network.
If a user is disconnected from the Enterprise network does group policy still apply itself ?
Yes, The previously applied group policy settings are still applied.
The local GPO exists whether or not the computer is part of a domain, a workgroup, or a non-networked environment.
By default, only the Security Settings policies are configured on a system’s local GPO.

All other policies are set at Not Configured.
When AD DS is installed, two default GPOs are created

– Default Domain Policy
– Default Domain Controllers Policy
– Default Domain Policy : This GPO is linked to the domain and has no security group or WMI filters.

– Default Domain Controllers Policy : This GPO is linked to the Domain Controllers OU. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers.
Abbrev: GUID ?
globally unique identifier
By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated
Describe the default Group Policy processing behavior, including refresh intervals and CSE application of policy settings
Every 90–120 minutes, the Group Policy Client service determines which GPOs are scoped to the user or computer and downloads any GPOs that have been updated, based on the GPOs’ version numbers.

CSEs process the policies in the GPOs according to their policy processing configuration.

By default, most CSEs apply policy settings only if a GPO has been updated.

Some CSEs also do not apply settings if a slow link is detected.
Abbrev : DRA
Directory Replication Agent
Group Policy Storage ?
The GPC is an Active Directory object stored in the Group Policy Objects container within the domain naming context of the directory. Like all Active Directory objects, each GPC includes a globally unique identifier (GUID) attribute that uniquely identifies the object within Active Directory. The GPC defines basic attributes of the GPO, but it does not contain any of the settings. The settings are contained in the GPT, a collection of files stored in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPO GUID path, where GPO GUID is the GUID of the GPC. When you make changes to the settings of a GPO, the changes are saved to the GPT of the server from which the GPO was opened.
Scripting Languages that can be used to write code for Group Policy in Windows Server 2008
Microsoft Visual Basic, Scripting Edition (VBScript), Microsoft JScript, Perl, and Microsoft MS-DOS-style batch files (.bat and .cmd).
A GPO is actually two components: a Group Policy Container (GPC) and a Group Policy Template (GPT).
Abbrev : KCC
Knowledge Consistency Checker
How is Group Policy Container GPC of GPO replicated ?
The GPC in Active Directory is replicated by the Directory Replication Agent (DRA) using a topology generated by the Knowledge Consistency Checker (KCC).
The GPT in the SYSVOL is replicated using one of two technologies.

The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, Windows Server 2003, and Windows 2000.

If all domain controllers are running Windows Server 2008, you can configure SYSVOL replication using Distributed File System Replication (DFS-R), a much more efficient and robust mechanism.
What does the Group Policy Verification Tool Gpotool.exe do ?
Gpotool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs, leading to inconsistent versions of a GPC and GPT.
In both the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings.
Policies in the Administrative Templates node in the Computer Configuration node modify registry values in the HKEY_LOCAL_MACHINE (HKLM) key.
Policies in the Administrative Templates node in the User Configuration node modify registry values in the HKEY_CURRENT_USER (HKCU) key.
ADM and ADMX/ADML administrative templates can coexist. These are administrative template files.
Another new Group Policy feature in Windows Server 2008 is starter GPOs. A starter GPO contains Administrative Template settings.
Starter GPOs can contain only Administrative Templates policy settings.
You can centralize the management of administrative templates by creating a central store
Windows Server 2008 also adds the ability to attach comments to GPOs and policy settings
1. Litware, Inc., has three business units, each represented by an OU in the litwareinc.com domain. The business unit administrators want the ability to manage Group Policy for the users and computers in their OUs. Which actions do you perform to give the administrators the ability to manage Group Policy fully for their business units? (Choose all that apply. Each correct answer is a part of the solution.)

A. Copy administrative templates from the central store to the Policy Definitions folder on the administrators’ Windows Vista workstations.

B. Add business unit administrators to the Group Policy Creator Owners group.

C. Delegate Link GPOs permission to the administrators in the litwareinc.com domain.

D. Delegate Link GPOs permission to each business unit’s administrators in the business unit’s OU.
1. Correct Answers: B and D

A. Incorrect: The central store is used to centralize administrative templates so that they do not have to be maintained on administrators’ workstations.

B. Correct: To create GPOs, the business unit administrators must have permission to access the Group Policy Objects container. By default, the Group Policy Creator Owners group has permission, so adding the administrators to this group will allow them to create new GPOs.

C. Incorrect: Business unit administrators require permission to link GPOs only to their business unit OU, not to the entire domain. Therefore, delegating permission to link GPOs to the domain grants too much permission to the administrators.

D. Correct: After creating a GPO, business unit administrators must be able to scope the GPO to users and computers in their OU; therefore, they must have the Link GPOs permission.
You are an administrator at Contoso, Ltd. At a recent conference, you had a conversation with administrators at Fabrikam, Inc. You discussed a particularly successful set of configurations you have deployed using a GPO. The Fabrikam administrators have asked you to copy the GPO to their domain. Which steps can you and the Fabrikam administrators perform?

A. Right-click the Contoso GPO and choose Save Report. Create a GPO in the Fabrikam domain, right-click it, and choose Import.

B. Right-click the Contoso GPO and choose Back Up. Right-click the Group Policy Objects container in the Fabrikam domain and choose Restore From Backup.

C. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Paste.

D. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Import Settings.
Correct Answer: D

A. Incorrect: A saved report is an HTML or XML description of a GPO and its settings. It cannot be imported into another GPO.

B. Incorrect: The Restore From Backup command is used to restore a GPO in its entirety.

C. Incorrect: You cannot paste settings into a GPO.

D. Correct: You can import settings to an existing GPO from the backed-up settings of another GPO.
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain in the company network. Windows Server 2008 is run by all domain controllers, which are configured as DNS servers. A domain controller named DC01 has a standard primary zone for wiikigo.com. A domain controller named DC02 has a standard secondary zone for wiikigo.com. You have to make sure that the replication of the wiikigo.com zone is encrypted. You must not lose any zone data. So what action should you perform?

A. The zone transfer settings of the standard primary zone should be configured. The Master Servers list on the secondary zone should be modified.

B. The interface that the DNS server listens on should be modified on both servers.

C. The primary zone should be converted into an Active Directory-integrated zone. The secondary zone should be deleted.

D. The primary zone should be converted into an Active Directory-integrated stub zone. The secondary zone should be deleted.
C
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an organizational unit named Production in your company. The Production organizational unit has a child organizational unit named R D. After a GPO named Software Deployment is created by you, you link it to the Production organizational unit. You create a shadow group for the R D organizational unit. You have to deploy an application to users in the Production organizational unit. You also need to make sure that the application is not deployed to users in the R D organizational unit. What are two possible ways to achieve this goal?

A. In order to achieve this goal, security filtering on the Software Deployment GPO should be configured to Deny Apply group policy for the R D security group.

B. In order to achieve this goal, the Enforce setting should be configured on the Software Deployment GPO.

C. In order to achieve this goal, the Block Inheritance setting should be configured on the R D organizational unit.

D. In order to achieve this goal, the Block Inheritance setting should be configured on the Production organizational unit.
A and C
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. You have a domain controller named DC01. Windows Server 2008 is run by this domain controller. DC01 is configured as a DNS server for wiikigo.com. You have the DNS Server server role installed on a member server which is named Server01, and then you create a standard secondary zone for wiikigo.com. DC01 is configured as the master server for the zone. You have to make sure that Server01 receives zone updates from DC01. What action should you perform?

A. The zone transfer settings for the wiikigo.com zone should be modified on DC01.

B. The Server01 computer account should be added to the DNSUpdateProxy group.

C. A conditional forwarder should be added on S01.

D. The permissions of wiikigo.com zone should be modified on DC01.
A
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There are two domain controllers named DC01 and DC02 in your company. All domain and forest operations master roles are hosted by DC01. A problem occurs and DC01 fails. Since you are the technical support, you are required to reinstall the operating system to rebuild DC01. In addition, you are required to have all operations master roles rolled back to their original state. A metadata cleanup is performed and all references to DC01 are removed. Which actions should be performed to achieve the goal? (Choose three from the options below, and then put them in the correct order)

1/ Operations master roles should be transferred from DC01 to DC02.
2/ Operations master roles should be transferred from DC02 to DC01.
3/ Operations master roles should be seized from DC01 to DC02.
4/ Operations master roles should be seized from DC02 to DC01.
5/ DC01 should be rebuilt as a replica domain controller.
6/ DC02 should be rebuilt as a domain controller.

A. 3->5->2
B. 3->6->1
C. 4->5->2
D. 4->6->1
A
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the company. Not all domain controllers in the forest are configured as Global Catalog servers. One root domain and one child domain are contained in your domain structure. You modify the folder permissions on a file server that is in the child domain. You find that some Access Control Entries start with S-1-5-21 and that no account name is listed. You have to list the account names. So what action should you perform?

A. The schema should be modified to enable replication of the friendlynames attribute to the Global Catalog.

B. The RID master role in the child domain should be moved to a domain controller that holds the Global Catalog.

C. The infrastructure master role in the child domain should be moved to a domain controller that does not hold the Global Catalog.

D. The RID master role in the child domain should be moved to a domain controller that does not hold the Global Catalog.
C
How would you delegate control of an AD OU to a user?
– Right-click the OU
– Delegate Control
– Choose User
– Choose the appropriate option
– Finish
What is an OU?
An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.
What are the different types of OU?
Parent OUs are OUs that contain other OUs. _x000D_
Child OUs are OUs within other OUs.
What organisational structures can you not apply GPOs to?
Generic Containers
What is group policy inheritance?
Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.
How can you prevent objects from accidental deletion in AD?
– On the Object tab, select the Protect object from accidental deletion check box. (This option is only seen with Advanced Features selected from the View menu.)

– On the Security tab, select the Deny Delete All Child Objects advanced permission for
What setting should be set at creation to prevent an AD OU being accidentally deleted?
When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
How would you delete an AD object that is protected from deletion?
To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object.
What is delegation of authority?
Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups.
Describe some of the facts about delegating control :
– You can delegate control of any part of an OU or object at any level with the Delegation of Control Wizard or through the Authorization Manager console.

– An object-based design allows you to delegate control based on the types of objects in each
What is the Builtin Default Container?
The Builtin container holds default service administrator accounts and domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks.
What is the Computers default container?
The Computers container holds all computers joined to the domain without a computer account. It is the default location for new computer accounts created in the domain.
What is the Domain Controllers default container?
The Domain Controllers OU is the default location for the computer accounts for domain controllers.
What is the LostAndFound default container?
The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.
What is the NTDS Quotas default container?
The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own.
What is the Program Data default container?
The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.
What is the System default container?
The System container holds configuration information about the domain including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.
What is the Users default container?
The Users container holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.
What is special about AD containers?
They are automatically created and cannot be deleted
What is special about the Domain Controllers OU
It is the only default OU, and it can have a GPO applied, whereas the other default containers cannot have a GPO applied
How would you view hidden containers in AD Users and Computers?
Click Advanced Features from the View menu
Which containers are hidden by default in AD Users and Computers?
– LostAndFound
– NTDS Quotas
– Program Data
– System
What is special about AD containers and how do they differ from OUs?
They are automatically created and cannot have GPOs applied to them.
What is the SAM database?
A local database that allows users to access local resources on the machine
What are the two types of user account?
Local and Domain
What is a local user account?
A local user account is created and stored on a local system and is not distributed to any other system.

– Local user accounts are created with the Computer Management console.
– The local Security Accounts Manager (SAM) manages the user account information.
– Only local resources are accessible with local user accounts.
What is a domain user account?
A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain.
How can domain user accounts be created?
Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell.
What is unique to each domain user account?
Each domain user account has a unique security identifier (SID) to identify the user. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.
How can external users with email accounts be represented in AD?
External users which need an e-mail account, can be represented through a contact object
What is a contact object?
an account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such as e-mail or phone number, to Active Directory. Applications, such as Exchange, can search for attributes of contact objects.
What is the user or logon name?
The user or logon name is the name of the user account
What is the user principal name (UPN)?
The User Principal Name (UPN) combines the user account name with the DNS domain name.

– The UPN format is also known as the SMTP address format.
– The DNS domain name in the UPN is known as the UPN suffix.
– By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name.
What is the LDAP Distinguished Name (DN)?
The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes:
Domain Component (DC)
Organizational Unit (OU)
Common Name (CN)
What is the Relative Distinguished Name (RDN)
The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object’s container.
When would you use the “User cannot change password” option?
When you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account.
How would you unlock an account?
To unlock an account, go to the Account tab in the account object’s Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account.
What should you do if a user account is accidentally deleted?
Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.
How would you add a User Principal Name (UPN) suffix to a forest?
1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.
What is a computer account?
A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device
How would you prestage a computer account?
From Active Directory Users and Computers, create a computer account. This process is called prestaging computer accounts. From the workstation, join the domain. The workstation will be associated with the computer account you created previously.
Where is the computer account created when you join a workstation to the domain?
In the Computers built-in container
How would you control where computer accounts are placed when a computer joins the domain?
Create the computer accounts ahead of time (pre-stage them).
Which groups have permissions to create a computer account?
– Account Operators
– Domain Admins
– Enterprise Admins
How many computers are the Authenticated Users group members allowed to join to the domain (from a workstation)?
10 – this will also create the computer account automatically if it doesn’t already exist. This ability comes from the Add workstations to a domain user right.
How would you allow a specific user to join a specific computer to the domain?
You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.
How would you give other users permissions to create computer accounts in AD?
By giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.
Will a computer receive group policy settings once the computer account is created?
No, the computer must be joined to the domain before it receives any GPO settings or AD receives any workstation-specific information
What commands can be used to create computer accounts from a command prompt or script?
dsadd or netdom. (Use netdom join to join a computer to the domain.)
What establishes a secure channel between a computer and the domain controller?
The computer password (automatically generated when the computer joins the domain).
Where is the computer account password saved?
On the local computer and in AD. By default, it is changed every 30 days.
What might cause a computer to fail to authenticate to the domain?
If the two computer passwords (on the local machine and in AD) become unsynchronised.

This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.
How would you reset the computer account after a logon failure?
– Run the netdom reset command followed by the computer account name and the domain.
– In Active Directory Users and Computers, right-click the computer account and select Reset Account.
– Create a script in Visual Basic.

After resetting the c
What is a local group?
Local groups exist only on the local computer, and control access to local resources.
What is a domain group?
Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.
What is group scope?
Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.
What membership can a global group have?
Global groups can contain members within the same domain. These include:

– Global groups in the same domain (in native mode only).
– Users and computers within the same domain.
What should a global group be used for?
Use global groups to group users and computers within the domain who have similar access needs.
What membership can a domain local group have?
Domain local groups can contain members from any domain in the forest. These include:

– Domain local groups in the same domain (in native mode only).
– Global groups within the forest.
– Universal groups within the forest (in native mode only).
– Users and computers within the forest.
What membership can a universal group have?
Universal groups can contain members from any domain in the forest. These include:

– Universal groups within the forest.
– Global groups within the forest.
– Users and computers within the forest.
What resources can global groups permission?
Global groups can be assigned permissions to resources anywhere in the forest.
What resources can domain local groups permission?
Domain local groups can be assigned permissions within a domain.
What resources can universal groups permission?
Universal groups can be assigned permissions to resources anywhere in the forest.
What should global groups be used for?
Create global groups to organize users (e.g., Sales or Development).
What should domain local groups be used for?
Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
What should universal groups be used for?
Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.
What is a security group?
A security group is one that can be used to manage rights and permissions.

– Group members get the permissions that are granted to the group.
– A security group represents an object with a security identifier (SID), which, through the member attribute, collects other objects such as users, computers, contacts, and other groups.
Which type of AD group should be used for assigning permissions?
Security
What is a distribution group?
A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.
What happens if you convert a security group to a distribution group?
This would remove the permissions assigned to the group.

This could prevent or allow unwanted access.
How would you convert a global group to a domain local group?
First convert to a universal group, then to a domain local.
Can you convert a global group nested in another global group into a universal group?
No – a universal group cannot be a member of a global group
Can you make a universal group a member of a global group?
No
What happens when a group is deleted?
All information about the group – including any permissions assigned – is deleted.
How can you recover a deleted group?
– Re-create the group, add all the original group members, and reassign any permissions granted to the group.
– Restore the group from a recent backup.
When are the default local groups created?
During Windows installation
Can you rename or delete the default local groups?
CAN rename them

CANNOT delete them
What is the Administrators default local group?
Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The group contains the Administrator user account (by default) and any account designated as a computer administrator.
What is the Backup Operators default local group?
Members of the Backup Operators group can back up and restore files (regardless of permissions), log on locally, and shut down the system. However, members cannot change security settings.
What is the User default local group?
Members of the Users group:

– Can use the computer but cannot perform system administration tasks and might not be able to run legacy applications.
– Cannot share directories or install printers if the driver is not yet installed.
– Cannot view or modify system files.
What group do “limited use” accounts become a member of automatically?
Users default local group
What is the Power Users default local group?
Members of the Power Users group have no more user rights or permissions than a standard user account, by default. For legacy applications requiring the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions present in previous versions of Windows.
What is the Guests default local group?
Members of the Guests group have limited rights (similar to members of the Users group), such as shutting down the system. Members of the Guests group have a temporary profile created at log on, that is then deleted when the member logs off.
What is the Administrators default domain group?
Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right.
What is the Server Operators default domain group?
Log on locally, back up and restore files and directories, change the system time, and force a local or remote shutdown. Can also create and delete shared resources, format the hard disk, and start and stop some services. Abilities extend to domain controllers.
What is the Backup Operators default domain group?
Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
What is the Account Operators default domain group?
Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups.
What is the Guests default domain group?
The domain Guest account is a member of this group. The group does not have any default rights.
What is the Network Configuration Operators default domain group?
Change TCP/IP settings including changes on domain controllers.
What is the Print Operators default domain group?
Create, share, manage, and delete printers on domain controllers. Manage Active Directory printer objects. Log on locally, add or remove device drivers, and shut down domain controllers.
What is the Users default domain group?
Perform common tasks such as running applications, using local and remote printers, and locking workstations. By default, all domain members are members of this group.
Which default domain groups are created in the Built-In Container?
Administrators
Server Operators
Backup Operators
Account Operators
Guests
Network Configuration Operators
Print Operators
Users
What default domain groups are created in the Users container in AD?
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Schema Admins
Read-Only Domain Controllers
DHCP Administrators
Cert Publishers
What is the Domain Admins default domain group?
Full control over the domain. This group is a member of the Administrators group on all computers when they are joined to the domain. This means that members of the Domain Admins group can perform all tasks on any computer in the domain (including domain controllers).
What is the Domain Computers default domain group?
Contains all computers that are a member of the domain. When you join a computer to the domain, it becomes a member of this group.
What is the Domain Controllers default domain group?
Contains all domain controllers. When a computer is made a domain controller, it is added to this group.
What is the Domain Guests default domain group?
Contains all domain guests. It does not have any default rights
What is the Domain Users default domain group?
Contains all domain users. This group can be used to give access to all users in a domain.
What is the Enterprise Admins default domain group?
Full control over all domains in the forest. This group is a member of the Administrators group on all computers in the forest, allowing them to perform any task on any computer in the forest.
What is the Schema Admins default domain group?
Full control over the Active Directory schema. By default, the Administrator account is a member of this group.
What is the Read-Only Domain Controllers default domain group?
Contains all members who have administrative access to the Read-Only Domain Controllers in the domain.
What is the DHCP Administrators default domain group?
Contains all members who have administrative access to the DHCP service.
What is the Cert Publishers default domain group?
Contains all members which are permitted to publish certificates to the directory.
Describe the AGDLP strategy
A: Place user Accounts
G: Into Global groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
When is the AGDLP strategy used?
Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode).
What is nesting?
Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.
When is the AGUDLP strategy used?
Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains.
Describe the AGUDLP strategy
A: Place user Accounts
G: Into Global groups
U: Into Universal groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
When is the ALP strategy used?
Used on workstations and member servers.

ALP is best used in a workgroup environment, not in a domain.
Describe the ALP strategy
A: Place user Accounts
L: Into Local groups
P: Assign Permissions to the local groups
When should universal groups be used?
Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
What group should be used if both the users and resources are located in Multiple Domains?
Universal
What groups should not be used in a single domain design?
Universal
How can you start AD Users and Computers?
– Server Manager
– Administrative Tools (from the Control Panel or Start menu)
– Running dsa.msc
What is ADSI Edit?
Active Directory Service Interfaces Editor (ADSI Edit) acts as a low-level GUI editor for common administrative tasks such as adding, deleting, and moving objects.
What can you use ADSI Edit for?
You can use ADSI Edit to query, view, and edit attributes that are not exposed through other MMC snap-ins (such as Active Directory Users and Computers).
What does the command dsadd do?
Dsadd creates a new object in Active Directory.
What does the command dsquery do?
Dsquery finds objects that match the search criteria (allows a search through the whole forest). The command returns a list of objects that match the search criteria. Use Dsquery * to search all object types.
What does the Dsget command do?
Dsget retrieves property information about an object. Use the -expand switch to show nested group membership for users.
What does the dsmod command do?
Dsmod modifies or changes the properties of an object.
What does the dsrm command do?
Dsrm removes (deletes) objects. Use the -subtree option to delete a container object and all objects below that object.
What does the movetree command do?
Movetree moves an OU and its objects (it does not move computer objects).
What does the netdom command do?
Netdom adds computer objects, joins a computer to a domain, and moves computer objects.
What does Csvde do?
The Csvde command imports and exports Active Directory objects using a comma-separated list file.
What can Csvde do?
Csvde can read existing information from Active Directory (export) or create new objects in Active Directory (import).
What can Csvde not do?
You cannot use Csvde to modify existing objects in Active Directory.
What are some common uses for Csvde?
– Using Csvde to export objects from one Active Directory system (or an Exchange 5.5 database) and import them into a different Active Directory database.
– Using a database program to create a CSV file, modifying the file, and importing the objects in
Will Csvde import passwords for user accounts?
No
What does the Ldifde command do?
The Ldifde command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
What are some common uses for Ldifde?
– Using Ldifde to export a set of Active Directory objects, modifying various attributes, and then re-importing the file to change the attributes.
– Exporting or importing data that exists on non-Active Directory LDAP directories.
How can you manage passwords with Ldifde?
Passwords are not exported with user accounts. You can change passwords for existing accounts with a .ldif file, but you cannot create new user accounts with a password.
How would you export a user account and then import it with a password with Ldifde?
1) Export the user accounts. The unicodePwd field will be blank.
2) Import the user accounts to create the accounts. The user accounts will be disabled, and the user will be forced to change the password at next logon.
3) Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and add entries to enable the account.
4) Run Ldifde using the file with the passwords to modify the existing user accounts.
What does the Ldp command do?
The Ldp utility allows you to search for and view the properties of multiple Active Directory objects. It is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying results.
What is the Active Directory Migration Tool?
The Active Directory Migration Tool (ADMT) is a GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another.
Where can you move AD objects with ADMT?
You can move objects to different domains within the same forest (intraforest), or to domains in other forests (interforest).
What must be in place for an interforest migration in ADMT?
The target forest must trust the source forest.
ACE
Access control entry
ACL
Access Control lists
Activate Windows Server
cscript C:\Windows\System32\slmgr.vbs -ato
add server Core roles, components or features
Ocsetup.exe <component> /switch
ADSI
Active Directory Service Interfaces, used by Windows PowerShell
Authentication
The mechanism by which an identity is validated by comparing secrets such as passwords provided by the user or computer to secrets maintained in the identity store
CN
Common Name
CSVDE
a command-line tool that imports or exports Active Directory objects from or to a comma-delimited text file.
DACL
Discretionary access control list
DC
Domain Controller
dll
Dynamic Link Library
DN
Distinguished name
DNS
Domain name system
Domain
An administrative unit of Active Directory. Within a domain, all domain controllers replicate information about objects such as users, groups, and computers in the domain.
DS Commands
Most of the DS commands take two modifiers after the command itself: the object type and the object’s DN.
DSAdd
Creates an object in the directory, e.g.: dsadd user "user DN" -samid <pre-Windows 2000 logon name> -pwd {Password | *} -mustchpwd yes
DSGet
returns specified attributes of an object
DSMod
Modifies specified attributes of an object
DSMove
Moves an object to a new container or OU
DSQuery
performs a query based on parameters provided at the command line and returns a list of matching objects
DSRM
Removes an object, all objects in the subtree beneath a container object, or both
forest
the boundary of an instance of Active Directory. A forest contains one or more domains. All domains in the forest replicate the schema and configuration partitions of the directory.
Forest root domain
the first domain created in a forest
functional level
A setting that determines which features of Active Directory are enabled within a domain or forest. The functional level limits the versions of Windows that can be used by domain controllers in a domain or forest.
global catalog or partial attribute set
A partition of the Active Directory data store that contains a subset of attributes for every object in the Active Directory forest. The global catalog is used for efficient object queries and location.
Groups
provide permissions
identity store
A database of information regarding users, groups, computers, and other security principals. Attributes stored in an identity store include user names and passwords
Join a domain
Netdom join %computername% /domain:
Kerberos
A standard protocol used by Active Directory for authentication
LDAP
Lightweight Directory Access Protocol
LDIFDE
LDAP Data Interchange Format is a draft Internet standard for a file format that can perform batch imports and exports of Active Directory objects, including users. -i import; -f filename to import from or export to
MMC
Microsoft Management Console
Namespace
A hierarchy that can be navigated, like a folder on a disk, a disk volume letter, or a mapped drive.
organization units
are administrative containers within Active Directory that are used to collect objects that share common requirements for administration, configuration or visibility.
OU
Organizational Unit
Providers
Namespaces are created by providers, which can be thought of as drivers. For example, the file system has a provider, as does the registry. PowerShell can access and manipulate objects in the namespaces of those providers.
Psdrives
Windows PowerShell namespaces from any provider can be represented as PSDrives. Windows PowerShell automatically creates a PSDrive for each drive letter already defined by Windows.
SACL
System Access Control List
SAM ID
Security Account Manager ID
schema
a definition of the attributes and objects classes supported by Active Directory.
scripting steps
connect to the container (OU), create the object (user), populate its properties, (display name), commit the changes
set a static IPv4 configuration
Netsh interface ipv4
Site
An active Directory object that represents a portion of the network with reliable connectivity. Within a site, domain controllers replicate updates within seconds, and clients attempt to use the services within their site before obtaining the services from other sites
TCP/IP
Transmission Control Protocol/Internet Protocol
Type Adapter
A translator between the .NET Framework and Windows PowerShell. To connect to an Active Directory object, you submit an LDAP query string such as "LDAP://OU=People,DC=contoso,DC=com"
UPN
User Principal Name. The logon name plus the UPN suffix, which by default is the domain to which you log on, e.g. [email protected]. Unique to the entire forest. Email is unique to the world!
WMI
Windows Management Interface
Which properties can be modified for multiple users simultaneously
General, Account, Address, Profile, Organization Tabs
What are the distinctions between name of a user object and an account
User Object Names sAMAccountName, User PrincipalName (UPN), display name and RDN. Account properties=an identity to which permissions and rights can be assigned.
sAMAcccountName Attribute
(pre-Windows 2000 logon name) must be unique for the ENTIRE domain
RDN
Relative Distinguished Name of an object. Must be unique in an OU.
Display Name
How users are listed in the GAL
unlock a user account
Set objUser = GetObject("LDAP://UserDN")
objUser.IsAccountLocked = False
objUser.SetInfo
Distinguished Name (DN)
The most important LDAP attribute, e.g. CN="josephine fleming",OU=people,DC=contoso,DC=com
SID
Security Identifier is created by the Windows 2000 security subsystem and assigned to security principal objects
Method
in the context of programming or scripting, an action performed on an object.
object
In the context of programming or scripting, a data structure that represents a system resource. Objects expose properties or attributes, methods or actions.
Delegation
Assignment of an administrative task. Delegation within Active Directory is achieved by modifying the DACL of an object.
Saved Query
A view of Active Directory objects based on search criteria.
IP address
An IP (Internet Protocol) address is a 32-bit binary number that uniquely identifies a node or host connection on an IP network. It is usually represented as 4 decimal values (known as octets), each representing 8 bits in the range 0 to 255, separated by decimal points. This is known as “dotted decimal” notation.
Group policy Member Of setting
Member of settings are cumulative
Group Policy Members setting
For GPOs that use the Members setting, only the Members setting from the GPO with the highest processing precedence is applied, and its list of members prevails.
audit policy
A setting that configures the logging of security-related activities
Delegation
An assignment of administrative responsibility. A grant of permission to perform an administrative task
Extensible Markup Language
(XML) An abbreviated version of the Standard Generalized Markup Language (SGML). XML enables the flexible development of user-defined document types, providing a non-proprietary, persistent, and verifiable file format for the storage and transmission of text and data both on and off the Internet.
Firewall
A hardware or software product designed to isolate a system or network from another network. Traditionally used to protect a private network from intrusion from the Internet. A firewall inspects inbound or outbound packets or both and determines, based on rules, which packets to allow to the other side of the firewall.
LDAP
The primary access protocol for Active Directory.
Group Policy
used to configure the membership of groups, security settings, software management and auditing
RSoP
Resultant Set of Policies
GPO
A Group Policy Object is, by itself, just a collection of configuration instructions that will be processed by the CSEs (Client Side Extensions) of computers.
SOA
Start of Authority, an important record type in the Domain Name System.
Repadmin
Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and knowledge consistency checker recalculation
Will, the administrator for your organization, has decided to implement certificates for all of your internal users. What type of root certificate authority (CA) would he implement?
Enterprise
You are hired as a contractor for a new organization that has no network currently in place. You decide to implement an Active Directory domain and the Active Directory Domain Services (AD DS). Which of the follow are requirements to install Active Directory?
DNS
You have decided to implement certificate authority (CA) servers and you want all of your users to receive their certificates automatically without any user intervention. What two ways can you accomplish this goal?
Autoenrollment
GPO enrollment
What role provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows operating systems?
Active Directory Federation Services (AD FS)
You have decided to place DNS on a read-only domain controller (RODC). What type of DNS zone do you now have?
Read-only DNS
What AD role allows administrators to configure services for issuing and managing public key certificates, which help organizations implement network security?
Active Directory Certificate Services (AD CS)
What role gives administrators the ability to enroll users into the certificate services program and allows for the issue and management of certificate requests?
Enrollment agents
You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your Internet users. What type of certificate authority do you need to set up?
Stand Alone Subordinate CA
Alexandria, the network administrator, has just hired a new junior administrator named Paige. Paige needs to be able to recover keys from the certificate authority server. What role does Alexandria need to give Paige so that she can recover keys?
Key recovery agent
What file outlines the set of rules that a Federation Service uses to recognize partners, certificates, account stores, claims, and the numerous properties that are associated with the Federation Service?
Trust policy
What is the Lightweight Directory Access Protocol (LDAP) directory service that allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires?
Active Directory Lightweight Directory Services (AD LDS)
You are the administrator of a network. Your company has decided to use server virtualization to help save money and add fault tolerance to your servers. What role-based utility is included with Windows Server 2008 making this possible?
Hyper-V
Your manager has explained to you that due to security requirements, you need to secure documents and emails using Microsoft Office 2007 Enterprise. What service do you need to install to help secure documents and emails?
Active Directory Rights Management Service (AD RMS)
Your company has one main location and five remote sites. One of the remote sites is having a problem with Active Directory and DNS being hacked into. What can you use to help solve this problem?
Implement a read-only domain controller and a read-only DNS server.
Your company has one main location and one remote site. The remote site is 300 miles from the main location and it has no IT staff on site. What type of domain controller can you install so that a normal user can have the rights to manage it?
Read-only domain controller (RODC)
You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your internal users. What type of certificate authority do you need to set up?
Enterprise Subordinate CA
Your company has decided to install a certificate authority (CA). After you install the CA, you publish the certificate revocation list (CRL) to a central location for all CAs to use. What is this central location called?
CRL distribution point
Your company currently uses Windows Server 2008 domain controllers. Your company wants to use multiple account lockout policies depending on what department people are in. What does Windows Server 2008 offer so that you can do this?
Fine-grained password policy
You have decided to implement certificate authority servers. You have routers located on your network. What component allows systems to receive a certificate even though they do not have an Active Directory account?
Network Device Enrollment Service
What operations can you perform using the Active Directory Users And Computers tool if you need to reorganise AD based on an Organisation change?
Rename an organizational unit
Query for resources
Rename a group
Create a computer account
In order to restrict security for the Texas OU, you remove some permissions at that level. Later, a junior systems administrator mentions that she is no longer able to make changes to objects within the Austin OU (which is located within the Texas OU). What is the most likely cause?
Inheritance
Isabel wants to check for any objects that have not been properly replicated among domain controllers. If possible, she would like to restore these objects to their proper place within the relevant Active Directory domains. What 2 steps does she need to do to accomplish this?
Select the Advanced Features item in the View menu
Examine the contents of the LostAndFound folder using the Active Directory Users And Computers tool.
The domain contains over 200,000 objects and hundreds of OUs and takes a long time to load. What can you do to speed things up if you only want to view Computer objects?
Use the Filter option in the Active Directory Users And Computers tool to restrict the display of objects.
Jane, a consultant, has recommended that the Windows NT 4 domains be consolidated into a single Active Directory domain. Which of the following statements provide a valid justification to support Jane’s proposal?
In general, OU structure is more flexible than domain structure.
It is possible to create a distributed system administration structure for OUs by using delegation.
Which operations are represented as common tasks within the Delegation of Control Wizard?
Reset passwords on user accounts.
Manage Group Policy links.
Modify the membership of a group.
Create, delete, and manage groups.
New Helpdesk Op. How do you allow them to only change certain objects in the directory in certain OUs?
Use the Delegation of Control Wizard to assign the necessary permissions on the OU that he or she is to administer.
You are planning an OU design. What 3 pieces of information should be considered or consulted?
Business organizational requirements
System administration requirements
Security requirements
You want to allow the Super Users group to create and edit new objects within the Corporate OU. What option would you choose in the Delegation Wizard?
Create A Custom Task To Delegate
A systems administrator is using the Active Directory Users And Computers tool to view the objects within an OU. He has previously created many users, groups, and computers within this OU, but now only the users are showing. What is a possible explanation for this?
Filtering options have been set that specify that only User objects should be shown.
Two large AD Sites with 15 DCs each. Too much replication traffic between sites. What can you create at each site to reduce the bandwidth usage?
Create preferred Bridgehead Servers at each site to funnel the traffic between 2 servers only.
What does not need to be manually created when you are setting up a replication scenario involving three domains and three sites?
Connection objects. They are automatically created by the Active Directory replication engine.
What services of Active Directory is responsible for maintaining the replication topology?
Knowledge Consistency Checker service.
What Active Directory objects are responsible for representing a transitive relationship between sites?
Site link bridges.
By default "Bridge all site links" is enabled on the transport, so every site link is treated as transitive; explicit site link bridges are only needed once that default has been turned off.
______ is the protocol to use for links where the link is randomly unavailable and replication traffic must be sent whether the other end is connected or not.
SMTP.
It uses a store-and-forward method, so information is not lost if a connection cannot be established. Caveat: SMTP intersite replication only carries the schema, configuration and global catalog partitions between sites in different domains; domain partition replication between DCs of the same domain must use IP (RPC), and SMTP replication requires an enterprise CA to sign the messages.
You have 7 sites with different speed links. You want to keep the number of domains to a minimum. What is the smallest number of domains you can have that cover all 7 sites?
One.
Changes to AD objects are only being replicated to some DCs and not all. Regarding the network links themselves what could be causing this problem?
Network connectivity is unavailable
A WAN connection has failed
Changes to AD objects are only being replicated to some DCs and not all because of a possible configuration problem with a DC or sites. What are 4 of the possible errors that have been made?
Connection objects are not properly configured.
Sites are not properly configured.
Site links are not properly configured.
One of the domain controllers is configured for manual replication updates.
A systems administrator suspects that there is an error in the replication configuration. How can he look for specific error messages related to replication?
By going to Event Viewer -> Directory Service log
One site, 50 DCs, spread across several physical locations.
How can replication traffic be reduced and controlled, and how can the structure of AD more accurately reflect the structure of the network?
Create multiple sites and subnets that match the physical locations, and connect them with site links.
Configure one server at each of the new sites to act as a preferred bridgehead server.
What tool do you use to:
1. determine replication data transfer statistics,
2. collect information about multiple Active Directory domain controllers at the same time, and
3. measure other performance statistics, such as server CPU utilization?
Performance Monitor (the NTDS performance object exposes the replication counters).
What Active Directory objects should you modify to define the network boundaries for Active Directory sites?
Subnets – Define AD Site boundaries.
DIVULGE (di VULJ)
v. to disclose something secret
• She believed she had been fired because she had threatened to divulge information about the company's mismanagement.
• It is a basic tenet of most secret societies that members are not allowed to divulge anything about the initiation rites to outsiders.
• His journal divulged a side of his personality that no one had ever seen.
Assign the costs 50, 100, 150 and 200 to the four site links (the ISDN line, the T1 line, Austin–San Jose and Austin–Chicago) following these rules:
1. The ISDN link must keep the default site link cost.
2. Austin must replicate through San Jose, never through Chicago.
The ISDN line is required to have the default cost of 100. That means the T1 line's cost must be lower than 100 for it to be preferred over the ISDN line, and the only choice is 50. That leaves costs of 150 and 200 for the Austin links. Because Austin must never receive replication from Chicago, the Austin–Chicago link gets the higher cost of 200, which leaves 150 for the link between Austin and San Jose.
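The cost reasoning above can be checked mechanically. The following Python is an added example, not part of these cards: it models the site links as weighted edges and builds the least-cost spanning tree that the KCC's Intersite Topology Generator builds when site link bridging is enabled (the default). The site names Austin, Chicago and San Jose and the four costs come from the card; which pair of sites the T1 and ISDN lines connect is an assumption made for the example.

```python
"""Which site links the KCC actually uses for intersite replication.

Added example; not from the flash cards. With site link bridging on (the
default) the Intersite Topology Generator builds a least-cost spanning tree
over the site links, so a link carries replication only when no cheaper path
already joins the same groups of sites. Kruskal's algorithm gives that tree.
Which sites the T1 and ISDN lines join is an assumption made here; the four
cost values (50, 100, 150, 200) are the ones from the card.
"""
from typing import Dict, List, Set, Tuple

DEFAULT_SITE_LINK_COST = 100

# (site link name, site A, site B, cost); a lower cost is preferred
SiteLink = Tuple[str, str, str, int]

LINKS: List[SiteLink] = [
    ("T1", "Chicago", "San Jose", 50),
    ("ISDN", "Chicago", "San Jose", DEFAULT_SITE_LINK_COST),
    ("Austin-SanJose", "Austin", "San Jose", 150),
    ("Austin-Chicago", "Austin", "Chicago", 200),
]


def replication_tree(links: List[SiteLink]) -> List[SiteLink]:
    """Return the site links that carry replication (a least-cost spanning tree).

    Links are tried cheapest first and kept only if the two sites they join are
    not already connected by cheaper links (Kruskal with a union-find). Equal
    costs are broken by link name here; the real KCC breaks them by the site
    link's GUID, so with equal costs the choice cannot be predicted.
    """
    parent: Dict[str, str] = {}

    def find(site: str) -> str:
        parent.setdefault(site, site)
        while parent[site] != site:
            parent[site] = parent[parent[site]]  # path halving
            site = parent[site]
        return site

    chosen: List[SiteLink] = []
    for link in sorted(links, key=lambda lk: (lk[3], lk[0])):
        root_a, root_b = find(link[1]), find(link[2])
        if root_a != root_b:  # joins two groups not yet connected: keep it
            parent[root_a] = root_b
            chosen.append(link)
    return chosen


def links_in_use(links: List[SiteLink]) -> List[str]:
    """Names of the site links that end up carrying replication."""
    return [name for name, _, _, _ in replication_tree(links)]


def replication_partners(links: List[SiteLink], site: str) -> Set[str]:
    """Sites that `site` replicates with directly across the chosen links."""
    partners: Set[str] = set()
    for _, a, b, _ in replication_tree(links):
        if a == site:
            partners.add(b)
        elif b == site:
            partners.add(a)
    return partners


def with_cost(links: List[SiteLink], name: str, cost: int) -> List[SiteLink]:
    """Copy of `links` with one link's cost changed, for what-if checks."""
    return [(n, a, b, cost if n == name else c) for n, a, b, c in links]


if __name__ == "__main__":
    print("links carrying replication:", links_in_use(LINKS))
    print("Austin replicates with:", replication_partners(LINKS, "Austin"))
    # What if the T1 were priced above the ISDN default? The ISDN line would win.
    print("T1 at 120:", links_in_use(with_cost(LINKS, "T1", 120)))
    # Swap the two Austin costs and Austin ends up replicating through Chicago.
    swapped = with_cost(with_cost(LINKS, "Austin-SanJose", 200), "Austin-Chicago", 150)
    print("swapped Austin costs:", replication_partners(swapped, "Austin"))
```

With the card's costs the tree keeps only the T1 and the Austin–San Jose link; the ISDN and Austin–Chicago links sit idle until a cheaper link fails. The what-if calls show the two mistakes the card warns about: a T1 priced at or above the default loses to the ISDN line, and swapping the Austin costs silently routes Austin's replication through Chicago.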
What is the default Site Link Cost?
100
You want to create a new site called San Jose. Where do you do this?
AD S&S – Sites – New Site
Two sites connected via a T1 line and a dial-up line for redundancy.
You want to use the T1 line mainly. What do you do to ensure this occurs?
Give the site link over the T1 line a lower cost than the site link over the dial-up line.
Only 1 GC for 3 Sites. HQ with 100 users is connected to other 2 sites (each have 20 users) via fast T1 connections. Where would you place the GC?
At HQ.
Though ideally there is one GC per site.
How do you specify a server as a bridgehead server?
Active Directory Sites and Services – expand the site and its Servers container – Properties of the DC's server object – select the transport (IP or SMTP) under "Transports available for inter-site data transfer" – click Add.
The company has three domain controllers, each of which has Knowledge Consistency Checker (KCC) errors consistently popping up in the directory services Event Viewer log. What does this indicate?
Replication problems
You need to keep track of licensing with the licensing server. Where can you configure the licensing server so that as the system administrator you can ensure you are compliant?
Configure licensing in the Active Directory Sites And Services tool.
You decide to create a trust relationship between Domain A and Domain B. Before you take any other actions, can users in Domain A use resources from Domain B yet?
No.
A trust relationship only allows for the possibility of sharing resources between domains; it does not explicitly provide any permissions. In order to allow users to access resources in another domain, you must configure the appropriate permissions.
Plans are to deploy four Active Directory domains with the following requirements:
minimize the number of servers
enough fault tolerance to survive the complete failure of one domain controller.
What is the minimum number of domain controllers to deploy initially?
8
Two per domain for fault tolerance.
What server configurations can be directly promoted to become a domain controller for a new domain?
Member servers
Stand-alone servers
Server1: Schema Master
Server2: RID Master
Server3: Windows NT 4 BDC
Server4: Infrastructure Master
Server5: PDC Emulator Master
The entire environment is migrating to Windows Server 2008. Which server is not needed?
Server3: Windows NT 4 BDC
Implicit trusts created between domains are known as ______
transitive trusts.
Need to add a field to the properties of a User object.
On what server can the change be made?
Only on the Schema Master. It is the single DC in the forest on which schema changes can be written; every other DC receives the change through replication.
What are several Active Directory domains that share a contiguous namespace called?
A tree
Accidentally demoted the last domain controller of your ADTest.com domain.
Want a complete undo. Possible?
No. Once the last domain controller of a domain has been removed there is no way to recreate the same domain (a new domain with the same name is a different domain with a new SID). If adequate backups had been performed you could have recovered it by rebuilding the server and restoring the system state from backup.
Items that depend on the DNS namespace are ….
Domains
trees
forests
DNS zones
Which types of computers contain a copy of the Global Catalog (GC)?
Specified Active Directory domain controllers
Which pieces of information should you have before you use the Active Directory Installation Wizard to install a new subdomain?
name of the child domain
name of the parent domain
DNS configuration information
NetBIOS name for the server
Which type of trust is automatically created between the domains in a domain tree?
Transitive two-way
A systems administrator wants to remove a domain controller from a domain. What is the easiest way to perform the task?
Use the Active Directory Installation Wizard to demote the domain controller.
Regarding the sharing of resources between forests…
A trust relationship must exist before resources can be shared between forests.
New remote location with a very slow WAN link. Needs the following:
Fast logon times
Reduced network bandwidth
Ability to use existing hardware
What can you implement to achieve the above requirements?
Universal group membership caching on the remote site: the DC caches a user's universal group memberships locally the first time that user logs on, so later logons do not need to contact a GC across the WAN.
Of the five main single master functions, two apply to an entire Active Directory forest. What are the three that apply to just the domain?
RID Master
PDC Emulator Master
Infrastructure Master
When deploying Active Directory, you decide to create a new domain tree. What do you need to do to create this?
Promote a Windows Server 2008 computer to a domain controller, choose "Existing forest" and "Create a new domain in an existing forest", and tick "Create a new domain tree root instead of a new child domain". The new tree root gets its own DNS namespace and is joined to the forest root by an automatic two-way transitive tree-root trust.
7 Reasons for Using Multiple Domains
Scalability
Reducing replication traffic
Meeting business needs
Many levels of hierarchy (easier data management)
Decentralized administration
Multiple DNS or domain names
Legality
What are some of the Drawbacks of Multiple Domains?
Administrative inconsistency
Increased management
Decreased flexibility
Min Requirements for DC numbers
2 DCs per Domain
Recommended Req’s for DC numbers
2 DCs per Site
Reasons for adding extra DCs
Fault tolerance and reliability
Performance
Main requirement for joining a new domain to an existing forest as a new tree
The new domain must not share a namespace (a contiguous DNS name) with an existing tree in the forest; a child domain, by contrast, must extend its parent's namespace.
If you want to promote a Windows Server 2008 server as a DC in an existing Windows Server 2003 forest, what do you need to do first?
Prepare the forest and the domain by running, from the Windows Server 2008 media:
adprep /forestprep (once, on the Schema Master)
adprep /domainprep /gpprep (once per domain, on that domain's Infrastructure Master)
adprep /rodcprep is also required if you plan to deploy read-only domain controllers.
What naming information do you need prior to joining a domain to a new tree?
name of the parent domain
name of the child domain
NetBIOS name for the new server
What other information (other than the 3 names) do you need prior to joining a domain to a new tree?
DNS configuration
domain administrator username and password
DcPromo option selected to create a new domain tree.
"Create a new domain tree root instead of a new child domain" (under Existing forest – Create a new domain in an existing forest). The option that makes the domain controller the first machine in a new domain that is a child of an existing domain creates a child domain, not a new tree.
3 Features common to all Domains in a Forest
Schema
GC
Configuration info
Type of trust between the Forest Root Domain and all the rest of the domains in the forest
2-way Transitive
How is a new Domain Tree created?
Created top down – forest root domain – then child domains
How do you move a DC between domains?
1. Demote it.
2. Move it.
3. Promote it.
True or False? A trust grants all users in one domain access to the other domain's resources.
False.
A trust only provides the foundation.
Rights must be granted on the resources once the trust is established.
What 2 features of AD to ALL Trees and Forests share?
Schema and
Global Catalog
What do you always have even if you only have 1 Domain?
A Tree and a Forest
What do you need to ensure is done before you remove the last DC from a Domain?
Computers no longer log on to this domain
No user accounts are needed
All encrypted data is decrypted
All cryptographic keys are backed up
What are the 2 Forest Operation Master Roles?
Schema Master
Domain Naming Master
What tools are used to manage the Forest Operation Master roles?
Active Directory Domains and Trusts for the Domain Naming Master; the Active Directory Schema snap-in (register schmmgmt.dll with regsvr32 first) for the Schema Master. ntdsutil can transfer or seize either role from the command line.
What are the 3 Domain Operation master Roles?
RID Master
PDC Emulator Master
Infrastructure Master
The Schema master holds ___
a master copy of the AD Schema
Where can changes to the AD Schema be made?
Only on the Schema Master
The Domain Naming Master __
tracks domains within the AD Forest
What does the RID Master do?
Allocates pools of relative IDs (RIDs) to each DC in the domain. A DC appends a RID from its pool to the domain SID to build the unique SID of every new user, group or computer; a DC that exhausts its pool while the RID Master is unreachable can no longer create security principals.
PDC Emulator is responsible for __
Acting as the PDC for any remaining Windows NT BDCs and downlevel clients while the domain is in mixed mode. It is not only for mixed mode, though: it keeps the roles listed in the next card at every functional level.
In a forest running at Windows 2000 Native or later, what role does the PDC Emulator play?
It receives preferential replication of password changes and is consulted when another DC rejects a password, so a just-changed password works immediately; it is the default DC that Group Policy edits are written to; it is the authoritative time source for the domain (and, in the forest root, for the forest); and it processes account lockouts.
The Infrastructure Master ensures
That references to objects in other domains (for example a user from another domain who is a member of a local group) stay current as those objects are renamed or moved. Caveat: do not host this role on a GC unless every DC in the domain is a GC; otherwise the cross-domain references are never updated.
How do you assign the Domain Naming Master Role?
Open Active Directory Domains and Trusts
Right-click the Active Directory Domains and Trusts root node
Select Operations Master
Click Change
How do you assign all of the RID, PDC and Infrastructure roles?
Open Active Directory Users and Computers
Right-click the domain
Select Operations Masters
Click Change on the relevant tab
What is a transitive trust?
Implied trusts.
If domain A trusts domain B AND
domain B trusts domain C THEN
domain A trusts domain C.
What are External Trusts used for?
To provide access to a domain outside the forest that cannot use a forest trust, such as a Windows NT 4.0 domain or a single domain in a forest with which no forest trust exists.
What type of trust are External Trusts?
Non-transitive, either one-way or two-way, and created manually.
On External Trusts, what is enabled by default to prevent attackers from using SID information to gain access?
SID filtering (also called quarantine).
The trusting domain's DCs discard every SID in an incoming authentication token, SIDHistory entries included, that is not relative to the trusted domain's own SID. This blocks an attacker who controls the trusted domain from adding a privileged SID of the trusting domain (for example its Domain Admins group, RID 512) to a user's SIDHistory and crossing the trust as that group.
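As an added example (not from these cards), the following Python models the trust rules from the last few cards as a graph walk and then applies SID filtering to an incoming token. The domain names, SIDs and the shape of the trust relationships are constructed for the example; the rules encoded are the ones stated in the cards plus the forest-trust limit (a forest trust does not chain on to a third forest).

```python
"""Who can authenticate across which trusts, and what SID filtering removes.

Added example; not from the flash cards. Trusts are directed edges from the
trusting domain to the trusted domain ("A trusts B" means B's users may be
authenticated by A). Parent-child, tree-root and shortcut trusts are
transitive; a forest trust is transitive across the two forests it joins but
not onward to a third forest; an external trust is never transitive. The
second half applies SID filtering (quarantine) to an incoming token as the
trusting domain does on an external trust. Domain names and SIDs are made up.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str  # domain that accepts the other side's users
    trusted: str   # domain whose users are accepted
    kind: str      # "parent-child", "tree-root", "shortcut", "forest" or "external"


TRUSTS: List[Trust] = [
    # corp.example forest: forest root plus one child domain (two-way)
    Trust("corp.example", "sales.corp.example", "parent-child"),
    Trust("sales.corp.example", "corp.example", "parent-child"),
    # two-way forest trust between corp.example and partner.example
    Trust("corp.example", "partner.example", "forest"),
    Trust("partner.example", "corp.example", "forest"),
    # partner.example has its own forest trust with a third forest
    Trust("partner.example", "thirdparty.example", "forest"),
    # one-way external trust: the sales domain trusts a legacy NT 4.0 domain
    Trust("sales.corp.example", "LEGACYNT", "external"),
]


def domains_trusted_by(domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose users `domain` will authenticate, following transitivity rules."""
    reachable: Set[str] = set()
    start = (domain, False)            # (where we are, crossed a forest trust yet?)
    seen = {start}
    frontier = [start]
    while frontier:
        here, crossed_forest = frontier.pop()
        for t in trusts:
            if t.trusting != here:
                continue
            if t.kind == "external":
                if here == domain:     # non-transitive: only the direct hop counts
                    reachable.add(t.trusted)
                continue               # and never walk on from the far side
            if t.kind == "forest":
                if crossed_forest:     # a forest trust does not chain to a third forest
                    continue
                nxt = (t.trusted, True)
            else:                      # intra-forest trusts are fully transitive
                nxt = (t.trusted, crossed_forest)
            reachable.add(t.trusted)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    reachable.discard(domain)
    return reachable


def domain_part(sid: str) -> str:
    """Domain SID without the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def sid_filter(token_sids: List[str], trusted_domain_sid: str) -> Tuple[List[str], List[str]]:
    """SID filtering as the trusting domain applies it on a quarantined trust.

    Every domain-relative SID (S-1-5-21-...) in the token, whether the primary
    SID, a group SID or a SIDHistory entry, must belong to the trusted domain;
    anything else is dropped. Well-known SIDs such as S-1-5-11 (Authenticated
    Users) carry no domain and are kept; that is a simplification of the real
    filter, which also has rules for a few other built-in SIDs.
    Returns (kept, dropped).
    """
    kept, dropped = [], []
    for sid in token_sids:
        if sid.startswith("S-1-5-21-") and domain_part(sid) != trusted_domain_sid:
            dropped.append(sid)
        else:
            kept.append(sid)
    return kept, dropped


LEGACYNT_SID = "S-1-5-21-100-200-300"   # SID of the trusted (external) domain
SALES_SID = "S-1-5-21-900-800-700"      # SID of the trusting domain

# Token presented over the external trust: the user, Domain Users of LEGACYNT,
# Authenticated Users, and a Domain Admins SID of the trusting domain smuggled
# into SIDHistory. The last one is what filtering exists to strip.
INCOMING_TOKEN = [
    f"{LEGACYNT_SID}-1105",
    f"{LEGACYNT_SID}-513",
    "S-1-5-11",
    f"{SALES_SID}-512",
]

if __name__ == "__main__":
    for d in ("corp.example", "sales.corp.example", "partner.example"):
        print(d, "trusts", sorted(domains_trusted_by(d, TRUSTS)))
    kept, dropped = sid_filter(INCOMING_TOKEN, LEGACYNT_SID)
    print("kept:", kept)
    print("dropped by SID filtering:", dropped)
```

Two things the walk makes visible: the forest trust lets sales.corp.example authenticate partner.example users without any direct trust, while corp.example never reaches LEGACYNT (external trusts do not extend to other domains in the forest) or thirdparty.example (forest trusts do not chain). The filter keeps the user's own SIDs and drops the injected Domain Admins SID of the trusting domain, which is exactly the SIDHistory attack that disabling quarantine would reopen.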
When is a Realm Trust used?
Used to connect to non-Windows domain using Kerberos
What types of Realm Trusts are there?
Either transitive or non-transitive
and either one-way or two-way
Where do you configure Trust Releationships?
AD D&T – Domain Properties – Trusts Tab
What happens when Selective Authentication is used with cross-forest trusts?
Users from the trusted forest cannot authenticate to any DC or resource server in the trusting forest unless they have been granted the "Allowed to Authenticate" permission on that computer object.
What is a trust that is created manually between two domains in the same forest called?
A shortcut trust; it shortens the authentication path through the tree. External, realm and forest trusts are also created manually.
What is a Cross Forest Trust used for?
To share resources between forests.
What is the restriction on Cross Forest Trusts?
They are transitive between the two forests (every domain of one trusts every domain of the other) but do not chain to a third forest: if forest A trusts B and B trusts C, A does not trust C.
Where would you go to enable Selective Authentication?
Trust properties – Selective Authentication
Where would you add a UPN suffix?
AD D&T – Properties – UPN Suffixes
You need to add another Global Catalog server to an existing domain. Where would you go to do this?
Active Directory Sites and Services
– the DC's server object
– NTDS Settings – Properties
– tick the Global Catalog checkbox
What happens when Universal Group Membership Caching is enabled on a W2k8 DC?
1. User logs on – the universal group memberships are retrieved from a GC and cached on the local DC.
2. Next time the user logs on – no need to contact a GC (the cache is refreshed from a GC every 8 hours by default).
The benefits of Universal Group Membership Caching are:
Faster logon times
Reduced network bandwidth
Ability to use existing hardware
On a W2k8 DC how do you enable Universal Group Membership Caching?
Active Directory Sites and Services
– Sites
– the site (e.g. Default-First-Site-Name)
– NTDS Site Settings – Properties
– tick Enable Universal Group Membership Caching
What forest and domain functional levels does the network need for you to install RODCs?
Forest functional level Windows Server 2003 or above. In addition the domain needs at least one writable Windows Server 2008 DC, and adprep /rodcprep must have been run.
How many domains can a DC have or belong to at any one time?
One
Functional level if you have the following servers in your domain:
2003 server
2000 server
2008 server
Windows 2000 Native
Which NTFS feature can you implement to limit the amount of disk space occupied by users?
Disk Quotas
What two steps need to be done to convert a disk volume from FAT to NTFS?
CONVERT vol: /FS:NTFS
Reboot if the volume is in use (the system volume is always converted at the next restart). The conversion is one-way, so back up first.
What 2 protocols are required to support AD?
TCP/IP
DNS
Command used to promote or demote a DC?
dcpromo.exe
Your organisation needs one set of credentials for multiple forests. What 2008 role do you install?
AD Federation Services
How do you test that DNS forward lookups are working properly prior to installing AD?
ping hostname (or nslookup hostname)
The name should resolve to the expected IP address.
What file system meets these requirements?
file-level security
efficient use of space on large partitions
the domain controller's Sysvol must be stored on it
NTFS
You have decided that you must convert the system partition on your Windows Server 2008 from the FAT32 file system to NTFS. Which 2 steps must you take in order to convert the file system?
CONVERT C: /FS:NTFS (the volume is in use, so the conversion is scheduled)
Reboot the computer
Name 3 protocols needed for AD to work properly
LDAP
DNS
TCP/IP
2 sites with DCs that cannot communicate. Names:
server1.yourcompany.com and server1.yourcompany.com
Problem?
Yes: each server needs a unique FQDN.
How can you increase the space on a volume without backup, recreate restoring?
Use NTFS mounts to map new volume to existing volume.
What file system reqs exist for installation of AD?
NTFS volume.
Greater than 4GB
What 5 connectivity tests should you do prior to installing AD? (assume second site connected via VPN)
Test the network adapter – drivers and configuration
Check ipconfig
Test Internet access
Check LAN access
Check client access
Check WAN access
How do you check the configuration of the TCP/IP protocol and output it to a text file?
ipconfig /all > ipcfg.txt
What are the 3 forest functional levels in W2k8?
Windows 2000 (default)
Windows Server 2003
Windows Server 2008
5 new features at the Windows Server 2008 domain functional level that are not available at Windows Server 2003?
Fine-grained password policies.
Read-only domain controller (RODC). Strictly, RODCs need only the Windows Server 2003 forest functional level plus a writable Windows Server 2008 DC; the other four require the Windows Server 2008 domain functional level.
Last interactive logon information.
Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
Distributed File System Replication (DFS-R) support for Sysvol.
What is a Defunct Schema Class?
A Class of objects that has been marked as non-usable.
What is DNS?
The Domain Name System: a hierarchical, distributed database that resolves names to IP addresses (and back), defines the record types it holds, and replicates zone data between servers. AD depends on it both to name objects and to let clients locate domain controllers.
Name 7 different common DNS records.
SOA, NS, A, CNAME, PTR, MX, and SRV
What is an SOA record?
Start of Authority record.
Defines the general parameters for the DNS zone, including which server is the primary (authoritative) server, the administrator's e-mail address, the serial number and the refresh, retry, expire and minimum TTL timers.
What is an NS record?
Name Server record.
Lists the name servers for a domain; lets other name servers find whom to ask for names in the zone.
What is an A record?
Address record for a host.
Links a hostname to an IPv4 address.
What is a PTR record?
Pointer record.
Links an IP address to a hostname for reverse lookups.
What is an MX record?
Mail Exchange record.
Lists the mail servers (with a preference value) that accept mail for the domain.
What is an SRV record?
Service record.
Maps a service and protocol (for example _ldap._tcp.dc._msdcs.<domain>) to the priority, weight, port and hostname of the servers offering it. This is how domain members locate domain controllers, so AD does not work if the DCs' SRV records are missing.
Name the 3 queries types when DNS is used to resolve names or IP’s
Iterative, Recursive, and Inverse
What is an Iterative query?
The client asks a server, and the server responds with the best answer it has: the final answer if it holds the name, otherwise a referral to a name server closer to the answer.
What is a Recursive query?
The client asks a server for a complete answer; if the server does not know it, the server itself queries other servers (iteratively, following referrals from the root down) and returns the final answer to the client.
What is an Inverse query?
Client queries IP address instead of name.
A zone used to resolve names to IP addresses is a _________?
a Forward Lookup zone
A zone used to resolve IP addresses to names is a ________?
a Reverse Lookup zone
How do you create new zones?
with the New Zone wizard.
Where do you configure a zone for Dynamic updates?
Properties of the forward/reverse lookup zone – General Tab – Dynamic updates – None/Secure Only/Nonsecure and secure
What is the default setting for Dynamic updates
Secure only
Name 5 tools used to troubleshoot DNS problems?
DNS snap-in
DNS Server event log (and the Directory Service log for AD-integrated zones)
nslookup
ipconfig (/displaydns, /flushdns, /registerdns)
DNS server debug log file
Multiple sites across Australia.
Single AD tree required.
What DNS and AD structures do you implement to ensure good performance?
Install a DNS server at each regional location and create a single domain name for all the regions for resolution of local resources.
3 Unix DNS, print & fax servers.
A new AD domain with integrated DNS replaces the Unix DNS server.
Users can't print or fax. What gives?
The Unix print and fax servers do not register themselves with dynamic DNS, so you need to manually add A (and PTR) resource records for them in the new zone.
How do you configure a DNS server so that it only answers queries for internal names from hosts on your intranet and never passes anything on to the Internet?
Configure the server as a root server (create a root zone named ".") and leave out the root hints for the Internet top-level domains,
and
leave forwarding turned off.
What must you do so that your customers can utilize all mirrored web servers?
Enable Round Robin DNS to balance out the load across all the servers you have mirrored and configured in the DNS
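The record types from the cards above and the round-robin behaviour just described are easy to see in code. The following Python is an added example, not from these cards: it parses a constructed zone file containing each of the seven record types, answers queries with round-robin rotation of a multi-address A record, and performs the SRV lookup a domain member uses to find a domain controller. The zone contents (corp.example and the 10.0.0.0/24 addresses) are made up for the example.

```python
"""Parsing the common record types and answering queries as a DNS server does.

Added example; not from the flash cards. A small zone-file parser for the
record types listed in the cards (SOA, NS, A, CNAME, PTR, MX, SRV), the SRV
lookup a domain member performs to find a domain controller
(_ldap._tcp.dc._msdcs.<domain>), and round-robin rotation of a multi-address
A answer. The zone is constructed for the example; the parser expects one
record per line, fully qualified names in the data fields and no parentheses
(enough here, not a full RFC 1035 parser).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ZONE_TEXT = """
$ORIGIN corp.example.
$TTL 3600
@        IN SOA   dc1.corp.example. hostmaster.corp.example. 2024010101 900 600 86400 3600
@        IN NS    dc1.corp.example.
@        IN NS    dc2.corp.example.
dc1      IN A     10.0.0.11
dc2      IN A     10.0.0.12
www      IN A     10.0.0.21
www      IN A     10.0.0.22
www      IN A     10.0.0.23
intranet IN CNAME www.corp.example.
@        IN MX    10 mail.corp.example.
mail     IN A     10.0.0.25
_ldap._tcp.dc._msdcs     IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs     IN SRV 0 100 389 dc2.corp.example.
_kerberos._tcp.dc._msdcs IN SRV 0 100 88  dc1.corp.example.
11.0.0.10.in-addr.arpa.  IN PTR dc1.corp.example.
"""


@dataclass(frozen=True)
class Record:
    name: str              # owner name, fully qualified, lower case
    rtype: str
    ttl: int
    data: Tuple[str, ...]  # type-specific fields as text, e.g. ('0', '100', '389', 'dc1.corp.example.')


class Zone:
    def __init__(self, text: str):
        self.records: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
        self._rotation: Dict[Tuple[str, str], int] = defaultdict(int)
        origin, ttl = ".", 3600
        for raw in text.splitlines():
            line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            parts = line.split()
            if parts[0] == "$ORIGIN":
                origin = parts[1]
            elif parts[0] == "$TTL":
                ttl = int(parts[1])
            else:
                name, _cls, rtype, *data = parts
                name = self._fqdn(name, origin)
                self.records[(name, rtype)].append(Record(name, rtype, ttl, tuple(data)))

    @staticmethod
    def _fqdn(name: str, origin: str) -> str:
        if name == "@":
            return origin.lower()
        if name.endswith("."):
            return name.lower()
        return (f"{name}." if origin == "." else f"{name}.{origin}").lower()

    def lookup(self, name: str, rtype: str) -> List[Record]:
        """Records for (name, type). A CNAME is followed one hop, and a
        multi-record A answer is rotated by one position per query (round
        robin), so successive clients are handed different first addresses."""
        key = (self._fqdn(name, "."), rtype)
        rrset = list(self.records.get(key, []))
        if not rrset and rtype != "CNAME":
            alias = self.records.get((key[0], "CNAME"))
            if alias:
                return alias + self.lookup(alias[0].data[0], rtype)
        if rtype == "A" and len(rrset) > 1:
            shift = self._rotation[key] % len(rrset)
            self._rotation[key] += 1
            rrset = rrset[shift:] + rrset[:shift]
        return rrset


def locate_dcs(zone: Zone, domain: str) -> List[Tuple[str, int, str]]:
    """The DC locator's DNS step: read the _ldap._tcp.dc._msdcs SRV records,
    order by priority (lowest first) then weight (highest first) and resolve
    each target. Real clients pick randomly among equal weights; this keeps
    zone order. Returns (host, port, address) triples."""
    srv = zone.lookup(f"_ldap._tcp.dc._msdcs.{domain}", "SRV")
    ordered = sorted(srv, key=lambda r: (int(r.data[0]), -int(r.data[1])))
    found = []
    for r in ordered:
        addrs = zone.lookup(r.data[3], "A")
        found.append((r.data[3], int(r.data[2]), addrs[0].data[0] if addrs else ""))
    return found


if __name__ == "__main__":
    z = Zone(ZONE_TEXT)
    print("DCs:", locate_dcs(z, "corp.example"))
    for _ in range(3):  # round robin: the first address changes on every query
        print([r.data[0] for r in z.lookup("www.corp.example", "A")])
    print("intranet ->", [(r.rtype, r.data[0]) for r in z.lookup("intranet.corp.example", "A")])
    print("PTR 10.0.0.11 ->", z.lookup("11.0.0.10.in-addr.arpa", "PTR")[0].data[0])
```

Note that locate_dcs depends entirely on the _msdcs SRV records being present and pointing at the right hosts: a client that can resolve dc1.corp.example but finds no SRV record for _ldap._tcp.dc._msdcs.corp.example cannot log on, and an attacker who can write those records can steer clients to a server of their choice, which is the reason secure dynamic updates matter for this zone.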
You have multiple remote locations by slow satellite links.Need to install DNS into these offices so that clients can locate authoritative DNS servers in the main location. What type of DNS zones should be installed in the remote locations?
Stub Zones – Contain: NS, A and SOA records
You have 5 W2k8 DCs. All run standard primary DNS zones. You need to ensure they all hold the same database and use only secure updates.
What do you do?
Convert the zones to Active Directory-integrated zones on all servers: the zone data is then replicated by AD, every DC holds a writable copy, and the "Secure only" dynamic update option becomes available.
Six offices. Need a single AD tree.
How do you deploy DNS to enable efficient and responsive name/IP resolution for this environment?
Create a single second-level name and deploy a DNS server at each location in the network.
What are the two main server types in an NT domain?
PDC and BDC
Two types of domains in an NT multi-master domain topology?
Master domain
(trust)
Resource domain
3 Advantages of old NT over workgroups?
Centralised administration
Database replication
Could scale to thousands of users
4 Limitations of the NT model?
Did not scale well for very large organisations
Trust relationships needed a lot of work
Excessive replication, bad for low-bandwidth WAN links
Difficult to delegate administrative duties
3 Features of AD?
LDAP for transferring information
Reliance on DNS for name resolution
Ability to extend the schema
Functions of Domains
Create security boundaries to protect resources and ease administration
Ease the administration of users, groups, computers, etc.
Provide a central database of network objects
Type of server for remote locale with questionable security?
Read-only domain Controller
True or False:
Two objects can have the same relative distinguished name.
True.
CN=Jane Doe can exist in AD twice (or more) as long as each object is in a different OU.
True or False:
Two objects can have the same distinguished name.
False.
The DN (the RDN plus the path of all its parent containers) is unique to each AD object.
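The RDN/DN distinction, together with the escaping rules that make DNs safe to build from user input, as an added Python example that is not part of these cards. The OUs and names are made up; the parsing and escaping rules follow RFC 4514.

```python
"""Relative vs. distinguished names, with RFC 4514 escaping handled.

Added example; not from the flash cards. It splits a DN into its RDNs the way
an LDAP client has to (a comma or other special character preceded by a
backslash, or given as a \\XX hex pair, is part of the value), shows that two
objects may share an RDN but never a DN, and shows why a DN built by string
concatenation from untrusted input is dangerous: a crafted value can change
which container the object appears to live in. OUs and names are made up.
"""
from typing import List, Tuple

# Characters that must be escaped inside an RDN value (RFC 4514 section 2.4)
SPECIALS = ',+"\\<>;='
HEX = "0123456789abcdefABCDEF"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """'CN=Doe\\, Jane,OU=Sales,DC=corp,DC=example' ->
    [('CN', 'Doe, Jane'), ('OU', 'Sales'), ('DC', 'corp'), ('DC', 'example')]."""
    rdns: List[Tuple[str, str]] = []
    attr, buf, i = None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):  # \2C style escape
                buf.append(chr(int(pair, 16)))
                i += 3
            else:                                              # \, style escape
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN."""
    out = "".join("\\" + c if c in SPECIALS else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(attr: str, value: str, parent_dn: str) -> str:
    """The safe way to place a new object under parent_dn."""
    return f"{attr}={escape_value(value)},{parent_dn}"


def rdn(dn: str) -> Tuple[str, str]:
    return split_dn(dn)[0]


def same_dn(a: str, b: str) -> bool:
    """DN equality: attribute types are case-insensitive, values compared as parsed."""
    return [(t.lower(), v) for t, v in split_dn(a)] == [(t.lower(), v) for t, v in split_dn(b)]


def container_of(dn: str) -> str:
    """The parent container, re-serialised from the parsed RDNs."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in split_dn(dn)[1:])


if __name__ == "__main__":
    sales = build_dn("CN", "Jane Doe", "OU=Sales,DC=corp,DC=example")
    eng = build_dn("CN", "Jane Doe", "OU=Engineering,DC=corp,DC=example")
    print(rdn(sales) == rdn(eng), same_dn(sales, eng))    # same RDN, different DN
    untrusted = "Jane Doe,OU=Domain Admins"                 # value taken from a web form
    naive = f"CN={untrusted},OU=Sales,DC=corp,DC=example"   # string concatenation
    print(container_of(naive))                              # lands under Domain Admins
    print(container_of(build_dn("CN", untrusted, "OU=Sales,DC=corp,DC=example")))
```

The last two prints are the point for anyone writing provisioning code: the naively concatenated DN parses as an object inside OU=Domain Admins, while build_dn escapes the comma and equals sign so the whole untrusted string stays inside the CN value and the object is created where the caller intended.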
AD Trust Relationships – 3 truths
1. Trusts between the domains of a forest are transitive (external trusts are not).
2. By default, trusts within a forest are two-way relationships.
3. Trusts are used to allow the authentication of users between domains.
Protocol used to query AD
LDAP
Policy that allows for different password and account lockout policies for different sets of users in the same domain?
Fine-grained password policy
What is the Server role that allows/provides for single sign-on capability for multiple apps?
AD Federation Services
Advantages of using Server 2008 AD Certificate Services?
Web enrollment _x000D_
Network Device Enrollment Service _x000D_
Online Responder
Which role allows a user to secure an email while using Microsoft Office 2007 Outlook?
AD Rights Management Services (AD RMS)
Identity and access (IDA) has five distinct categories. What are they?
Directory services,
strong authentication, federated identities, information protection,
and identity lifecycle management
Another administrator has changed a user’s group settings. What is the easiest way to get the original setting back for the user?
Enable auditing of account management.
Review the Security log to see which membership was changed, and by whom.
Reverse the change.
What is the feature of AD that allows info to remain in sync between DC’s?
Replication
Which component of AD should you implement at remote sites to improve the performance of searches conducted for objects in all domains?
Global Catalog Server
Name of the server that is a repository of Active Directory topology and schema information for Active Directory?
Schema Master
You need to install the Active Directory Federation Services. What application do you use to do the install?
Server Manager
What term is used to refer to the actual structure that contains the information stored within Active Directory?
Data store
NW admin for a 200-node network. Only 30 need a new app. _x000D_
What can you do?
Create an OU with the 30 computers in it.
Deploy the application or update to that OU.
Used to create a logical structure in AD is an ______?
Organisational Unit
List 8 advantages of AD
Hierarchical organisation
Extensible schema
Centralised data storage
Replication – DNS & AD
Ease of administration
Network security
Scalability
Search
What is Server Core?
a minimal install of Windows Server 2008, without GUI or .NET Framework
What are the hardware requirements for Server Core?
3 GB HDD, 256 MB RAM
What are 2 advantages of Server Core?
more secure (fewer services and components) and requires less management
What 9 server roles are supported in Core?
AD Domain Services (AD DS), AD Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, file server, print server, Streaming Media Services, IIS (doesn’t support ASP.NET), Hyper-V (server virtualization)
What 11 optional features are available in Server Core?
failover clustering, network load balancing, Subsystem for UNIX-based Applications, Windows Server Backup, multipath I/O, removable storage management, Windows BitLocker drive encryption, SNMP, WINS, Telnet client, QoS
What command is used to change the administrator password?
net user administrator *
What command is used in Core to set IPv4 configuration?
netsh interface ipv4
What command is used to join a domain?
netdom
What command is used in Core to add roles, components, and features?
ocsetup.exe
What command is used in Core to view roles, components, and features?
oclist.exe
What command is used in Core to enable Remote Desktop?
cscript C:\Windows\System32\scregedit.wsf /ar 0
What command is used to promote a domain controller?
dcpromo.exe
What command is used in Core to configure DNS?
dnscmd.exe
What command is used in Core to configure DFS?
dfscmd.exe
What command is used to add Active Directory Domain services?
dcpromo.exe
What is the one AD server role available in Core that can’t be added with ocsetup.exe?
AD Domain Services (added with dcpromo.exe)
What command is used to remove a domain controller?
dcpromo.exe
What piece of information is required when removing a domain controller?
a password for the server's local Administrator account, which is recreated when the DC is demoted back to a member server
What 2 directory partitions do all domains in a forest share?
schema and configuration
How does Dynamic DNS (DDNS) differ from standard DNS?
DDNS allows real-time DNS updates
What command will send DNS registration info to a DNS server?
ipconfig /registerdns
How is DNS information replicated in DDNS?
through Active Directory replication when the zone is AD-integrated; a standard primary zone still relies on zone transfers to its secondaries
How was DNS information replicated in standard DNS?
through manual copies of the zone file
What two name resolution technologies does DDNS cover?
DNS and WINS
When does DDNS update the record?
when a client leases an IP address
What is Scope Option 003?
default gateway
What is Scope Option 006?
preferred DNS server
What is the scope option number for the default gateway?
003
What is the scope option number for the preferred DNS server?
006
Where does non-dynamic DNS store data?
in a text file per zone located at %SystemRoot%\System32\dns
What are the 3 types of DNS zones?
primary, secondary, and stub zone
What is a primary DNS zone?
a DNS zone which stores a copy of the zone that can be directly updated
What is a secondary DNS zone?
a copy of a primary DNS zone
What are secondary DNS zones used for?
load balancing, fault tolerance, and increasing capacity
What is a DNS stub zone?
a copy of a DNS zone containing only NS, SOA, and sometimes glue A records; it is not authoritative
What limitation exists on a DNS server storing its data in AD?
the DNS server must be a DC
What is secure DNS (secure dynamic update)?
A dynamic update mode, available only for Active Directory-integrated zones, in which updates are accepted only over an authenticated (GSS-TSIG) channel.
How does secure DNS work?
When a client sends a dynamic update, the DNS server authenticates it (Kerberos via GSS-TSIG) and then checks the ACL on the record object in AD: by default only the account that originally registered a record (or an administrator) may change it, while Authenticated Users may create records for names that do not yet exist. Restricting which servers may receive zone transfers is a separate setting on the zone's Zone Transfers tab.
What is the purpose of secure DNS?
To prevent poisoned or hijacked entries: an unauthenticated host cannot register or overwrite a name, and an authenticated host cannot overwrite another host's record.
How is secure DNS set up in an Active Directory domain?
"Secure only" is the default for a new Active Directory-integrated zone; it can be changed on the zone's General tab.
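A small simulation of what "Secure only" buys you, as an added example that is not part of these cards. It reproduces the ownership rule described above for an AD-integrated zone and contrasts it with "Nonsecure and secure". The host names and SIDs are constructed for the example.

```python
"""Why 'Secure only' dynamic updates stop poisoned records.

Added example; not from the flash cards. In an Active Directory-integrated
zone set to Secure only, a dynamic update must arrive over an authenticated
(GSS-TSIG) channel and the sender may then change only records it owns: each
record object in AD carries an ACL whose owner is the account that first
registered it, and only an administrator can override that. This toy zone
reproduces the rule and contrasts it with Nonsecure and secure, where any host
on the network may overwrite any name. Host names and SIDs are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

NONSECURE_AND_SECURE = "nonsecure and secure"
SECURE_ONLY = "secure only"


class UpdateRefused(Exception):
    """The server answered the dynamic update with REFUSED."""


@dataclass
class Registration:
    address: str
    owner: Optional[str]  # SID of the authenticated registrant; None if registered anonymously


@dataclass
class DynamicZone:
    mode: str
    admins: FrozenSet[str] = frozenset()  # SIDs with full control (e.g. DnsAdmins)
    records: Dict[str, Registration] = field(default_factory=dict)

    def update(self, name: str, address: str, requester_sid: Optional[str] = None) -> Registration:
        """Apply a dynamic update of name -> address.

        requester_sid is the identity proven over the secure channel, or None
        for a plain, unauthenticated UPDATE message.
        """
        name = name.lower()
        existing = self.records.get(name)
        if self.mode == SECURE_ONLY:
            if requester_sid is None:
                raise UpdateRefused(f"{name}: unauthenticated update refused")
            if existing and existing.owner != requester_sid and requester_sid not in self.admins:
                # This also covers a record left behind by an anonymous
                # registration (owner None): once the zone is secure only,
                # nobody but an admin can touch it until it is deleted.
                raise UpdateRefused(f"{name}: owned by {existing.owner}, not {requester_sid}")
            owner = existing.owner if existing else requester_sid
        else:
            owner = requester_sid  # anyone may overwrite anything
        self.records[name] = Registration(address, owner)
        return self.records[name]

    def resolve(self, name: str) -> Optional[str]:
        reg = self.records.get(name.lower())
        return reg.address if reg else None


FILESERVER_SID = "S-1-5-21-7-8-9-1201"  # the real file server's computer account
ROGUE_SID = "S-1-5-21-7-8-9-1333"       # another domain-joined machine, attacker controlled
DNSADMIN_SID = "S-1-5-21-7-8-9-1107"


def poisoning_attempt(mode: str) -> str:
    """The file server registers its name; two rogue updates try to take it over.
    Returns the address clients are sent to afterwards."""
    zone = DynamicZone(mode, admins=frozenset({DNSADMIN_SID}))
    zone.update("fileserver.corp.example", "10.0.0.40", requester_sid=FILESERVER_SID)
    for sid in (None, ROGUE_SID):  # unauthenticated, then authenticated as a different host
        try:
            zone.update("fileserver.corp.example", "10.0.0.66", requester_sid=sid)
        except UpdateRefused:
            pass
    return zone.resolve("fileserver.corp.example") or ""


def admin_can_fix(mode: str) -> bool:
    """An administrator may repoint a record regardless of who registered it."""
    zone = DynamicZone(mode, admins=frozenset({DNSADMIN_SID}))
    zone.update("fileserver.corp.example", "10.0.0.40", requester_sid=FILESERVER_SID)
    zone.update("fileserver.corp.example", "10.0.0.41", requester_sid=DNSADMIN_SID)
    return zone.resolve("fileserver.corp.example") == "10.0.0.41"


if __name__ == "__main__":
    print("nonsecure and secure ->", poisoning_attempt(NONSECURE_AND_SECURE))  # hijacked
    print("secure only          ->", poisoning_attempt(SECURE_ONLY))           # unchanged
    print("admin override works:", admin_can_fix(SECURE_ONLY))
```

Two caveats the simulation carries over from the real product: a record that was registered while the zone still accepted nonsecure updates has no owner and can afterwards only be fixed by an administrator, and Secure only still lets any authenticated domain member create a record for a name nobody has claimed yet, so unclaimed names in the zone remain worth watching.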
What are 3 reasons to use a stub zone?
keep delegated zone info current, improve name resolution, simplify administration
What does a Start of Authority (SOA) record do?
specifies the DNS server in charge of a zone
What 4 items does an SOA record specify?
primary server for the zone, zone administrator’s email address, secondary zone expiration values, minimum default TTL values
What is the Global Name Zone designed to do?
replace WINS
What is an A record?
address record
What 3 types of records are stored in a Forward Lookup Zone?
Among others: the SRV records that advertise the LDAP (_ldap._tcp) and Global Catalog (_gc._tcp) services, plus the NS records of the zone.
How can repopulation be forced if a Forward Lookup Zone does not appear in AD?
Restart the Netlogon service on a DC (net stop netlogon, then net start netlogon); Netlogon re-registers the DC's SRV and A records.
What do Forward Lookup Zones do?
store domain name-to-IP address mappings
What do Reverse Lookup Zones do?
store IP address-to-domain name mappings
At what 3 times are Reverse Lookup Zones populated?
when IP addresses are leased, when machines are restarted, when ipconfig /registerdns is executed
What do root hints do?
provide a link between DNS servers and top-level DNS servers
What are 3 reasons to divide namespaces into more than 1 zone?
delegate responsibility, break up large namespaces for management, extend namespace to add subdomains
When creating subdomains, what needs to be done to make sure that all zone records stay current?
delegation records need to be added to other DNS servers to point to the authoritative server
How does round robin DNS work?
when an IP address for a server in a round robin pool is given out, that address is moved to the bottom of the list
What sort of servers most often utilize round robin DNS?
web servers
What is recursion?
forwarding requests to other servers for fulfillment
When is DNS recursion usually disabled?
On authoritative-only servers and on any server reachable by untrusted clients: an open recursive server can be abused as a reflector for DNS amplification and is the target of cache poisoning, neither of which applies to a server that only answers for its own zones.
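The three query-type cards, the intranet-only root server card and this recursion card describe the same mechanism from different angles. The following Python is an added example, not from these cards: a handful of toy authoritative servers, a recursive resolver that walks the referral chain with iterative queries, and the same server class refusing recursion for names it is not authoritative for. All names, servers and addresses are constructed; trailing dots are omitted for readability.

```python
"""Iterative vs. recursive queries, and what a server with recursion off does.

Added example; not from the flash cards. Three toy authoritative servers (a
root, the server for the example TLD and the corp.example DC) each answer only
from their own data: an answer if they hold the name, otherwise a referral to
the servers one level down. A recursive resolver walks that chain with
iterative queries on the client's behalf. The same NameServer class, with
recursion disabled, refuses a client's recursive query for a name it is not
authoritative for, which is the behaviour wanted from an exposed or
authoritative-only server. It also models the intranet-only root server: a
root with no Internet root hints resolves internal names and nothing else.
Names and addresses are constructed; trailing dots are omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    answer: Optional[str] = None    # address, when the server holds the name
    referral: Optional[str] = None  # server to ask next (a delegation)
    refused: bool = False           # REFUSED: will not recurse for this client


@dataclass
class NameServer:
    name: str
    records: Dict[str, str] = field(default_factory=dict)      # name -> address
    delegations: Dict[str, str] = field(default_factory=dict)  # child zone -> server
    recursion: bool = False                                    # answer recursive queries?

    def query(self, qname: str, recursion_desired: bool, resolver: Optional["Resolver"] = None) -> Response:
        """Answer one query: own data first, then recurse if allowed and asked,
        else a referral for a delegated child zone, else REFUSED for a
        recursive query (or an empty answer for an iterative one)."""
        if qname in self.records:
            return Response(answer=self.records[qname])
        if recursion_desired and self.recursion and resolver is not None:
            return Response(answer=resolver.resolve(qname))
        for child in sorted(self.delegations, key=len, reverse=True):
            if qname == child or qname.endswith("." + child):
                return Response(referral=self.delegations[child])
        if recursion_desired:
            return Response(refused=True)
        return Response()


class Resolver:
    """A recursive resolver: takes one recursive query and does the iterative walk."""

    def __init__(self, servers: Dict[str, NameServer], root_hints: List[str]):
        self.servers = servers
        self.root_hints = root_hints
        self.trace: List[Tuple[str, str]] = []  # (server asked, what it replied)

    def resolve(self, qname: str, max_hops: int = 8) -> Optional[str]:
        self.trace = []
        current = self.root_hints[0]
        for _ in range(max_hops):
            resp = self.servers[current].query(qname, recursion_desired=False)  # iterative
            if resp.answer:
                self.trace.append((current, f"answer {resp.answer}"))
                return resp.answer
            if resp.referral:
                self.trace.append((current, f"referral to {resp.referral}"))
                current = resp.referral
                continue
            self.trace.append((current, "no data"))
            return None
        return None


def build_internet() -> Dict[str, NameServer]:
    """Root -> TLD 'example' -> zone corp.example, served by the corp DC."""
    return {
        "a.root": NameServer("a.root", delegations={"example": "ns.example"}),
        "ns.example": NameServer("ns.example", delegations={"corp.example": "dc1.corp.example"}),
        "dc1.corp.example": NameServer(
            "dc1.corp.example",
            records={"dc1.corp.example": "10.0.0.11", "www.corp.example": "10.0.0.21"},
        ),
    }


def intranet_only_resolver() -> Resolver:
    """An internal root server with no Internet root hints and no forwarder:
    it knows the corp.example delegation and nothing else."""
    servers = build_internet()
    servers["internal-root"] = NameServer("internal-root", delegations={"corp.example": "dc1.corp.example"})
    return Resolver(servers, root_hints=["internal-root"])


if __name__ == "__main__":
    servers = build_internet()
    resolver = Resolver(servers, root_hints=["a.root"])
    print(resolver.resolve("www.corp.example"), resolver.trace)
    dc = servers["dc1.corp.example"]  # recursion disabled
    print(dc.query("www.corp.example", recursion_desired=True))    # authoritative answer
    print(dc.query("www.evil.example", recursion_desired=True))    # REFUSED, not an open resolver
    open_resolver = NameServer("resolver.isp", recursion=True)
    print(open_resolver.query("www.corp.example", True, resolver))  # answers anything
    print(intranet_only_resolver().resolve("www.evil.example"))    # None: not resolvable
```

The trace shows the iterative walk the cards describe (root, then the TLD server, then the authoritative server), the DC answers its own names whether or not recursion is requested, and the same DC refuses to resolve anything else, which is the difference between an authoritative server and an open resolver. The internal root variant resolves corp.example names through its delegation and returns nothing for Internet names because it has no root hints and no forwarder.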
What is server scavenging?
process of getting rid of stale DNS records
What 2 containers are created when DNS is integrated with AD?
ForestDnsZones and DomainDnsZones (application directory partitions with forest-wide and domain-wide replication scope respectively)
What do incremental zone transfers do?
replicate only changes to DNS (rather than all records)
Does DNS work on a push or pull basis?
pull: when changes are made, the DNS server notifies other servers that changes are available
What directory format does Active Directory use?
X.500
What do AD tree structures share?
The same contiguous namespace.
What is an RODC?
A Read Only Domain Controller
Do different forests share the same name space?
No
What is NTDS.dit?
The AD database
What is a domain?
A domain is an administratively-defined collection of network resources that share a common directory database and security policies
What is an AD object attribute?
Information about the object (such as a user's name, phone number, and email address) which is used for locating and securing resources.
What does an object schema identify?
The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the object.
What does AD use DNS for?
Active Directory uses DNS for locating and naming objects.
Name the OU structure
First-level OUs can be called parents.
Second-level OUs can be called children.
OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).
What is an AD tree?
A tree is a group of related domains that share the same contiguous DNS name space.
What is an AD forest?
A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.
What is the forest root domain?
The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest.
What is the tree root domain?
The tree root domain is the highest level domain in a tree.
What is a child domain?
Each domain in the tree that is connected to the tree root domain is called a child domain.
What is a domain tree?
A domain tree is a group of domains based on the same namespace. Domains in a tree:
– Are connected with a two-way transitive trust.
– Share a common schema.
– Have common global catalogs.
What is a domain controller?
A domain controller is a server that holds a copy of the Active Directory database that can be written to (a read-only domain controller holds a copy that cannot be written to locally).
What is replication?
Replication is the process of copying changes to Active Directory between the domain controllers.
What two objects does AD use to represent the physical structure of the network?
– A subnet represents a physical network segment. Each subnet possesses its own unique network address space.
– A site represents a group of well-connected networks (networks that are connected with high-speed links).
What manages AD replication between locations?
Sites and subnets are used to manage Active Directory replication between locations.
How does an AD site differ from a domain?
A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization.
How are clients assigned to AD sites?
Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask.
How are domain controllers assigned to AD sites?
Domain controllers are assigned to sites according to the location of their associated server object in Active Directory.
What is the structure of the NTDS.dit file?
– The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.
– The link table contains data that represents
What does the Global Catalog server do?
Holds a partial, read-only replica of every object in the forest (the partial attribute set) and replicates it between global catalog servers, so that forest-wide searches and UPN logons can be answered without contacting a domain controller in every domain.
What are FSMO roles/What do they do?
Flexible Single-Master Operation roles are specialized tasks assigned to one domain controller in a domain or forest. They exist because certain domain-wide and forest-wide operations are not well suited to the multi-master replication that Active Directory uses for ordinary objects and attributes: two DCs making the same change at the same time could produce a conflict, so a single owner is designated instead.
What are the FSMO roles?
– Schema Master
– Domain Naming Master
– RID Master (Relative Identifier)
– PDC Emulator
– Infrastructure Master
What does the schema master do?
Controls all updates to the schema (the definitions of the object classes and attributes the directory can hold). There is one schema master per forest, and only members of the Schema Admins group can change the schema.
What does the RID master do?
The RID master allocates pools or blocks of relative identifiers (RIDs) to the domain controllers in its domain. A DC draws from its pool when it creates a new security principal (a user, group, or computer account); the RID is appended to the domain SID to form the principal's unique SID.
What does the PDC Emulator do?
The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) for down-level clients and performs other domain-wide tasks: password changes are replicated to it first and other DCs consult it on a failed logon, it processes account lockouts, it is the authoritative time source for the domain, and the Group Policy tools edit GPOs on it by default.
What does the Infrastructure Master do?
Keeps cross-domain object references up to date, for example group members that belong to another domain, when those objects are renamed or moved. It should not run on a global catalog server unless every DC in the domain is a GC, because a GC already holds the referenced objects and the role would then never update the references.
Which level do the Schema and Domain Naming Master roles operate at?
The Forest Level
What level do the RID, PDC and Infrastructure Master roles operate at?
The domain level
What is the Global Catalog?
The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced.
What is an Operations Master?
A domain controller that performs an operations master role is known as an operations master or operations master role owner.
What does the Domain Naming Master do?
The domain naming master adds new domains to and removes existing domains from the forest.
What is a functional level?
A functional level is a set of operational constraints that determines which features an Active Directory domain or forest can use.
What does a functional level define?
– Which Active Directory Domain Services (AD DS) features are available to the domain or forest.
– Which Windows Server operating systems can be run on domain controllers in the domain or forest. Functional levels do not affect which operating syste
Which domain functional levels does Server 2008 support?
Windows 2000 native
Windows Server 2003
Windows Server 2008
Which forest functional levels does Server 2008 support?
Windows 2000
Windows Server 2003
Windows Server 2008
What is a group policy?
A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.
What are the Active Directory services (server roles) in Server 2008?
– AD Domain Services
– AD Lightweight Directory Services
– AD Certificate Services
– AD Federation Services
– AD Rights Management Services
What is an AD role?
A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server.
What is an AD role service?
Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role.
What is an AD feature?
A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support.
What is Active Directory Domain Services (AD DS)?
AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:
– Helps administrators securely manage that information.
– Facilitates resource sharing and collaboration between users.
– Must be installed on the network before directory-enabled applications such as Microsoft Exchange Server, and other Windows Server technologies such as Group Policy, can be used.
What is Active Directory Lightweight Directory Service (AD LDS)
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database.
What is Active Directory Federation Services (AD FS)?
AD FS is a role that enables secure access to web applications outside a user's home domain or forest. The AD FS role:
– Provides web single sign-on (SSO), so that one user account authenticates to multiple web applications.
– Securely federates (shares) user identities and access rights, in the form of digital claims, between partner organizations.
What is Active Directory Rights Management Services (AD RMS)?
AD RMS is a role that safeguards digital information from unauthorized use. The AD RMS role:
– Can define exactly how a recipient may use information, specifying who can open, modify, print, forward, or take other actions.
– Allows organizations to create custom usage-rights templates (such as "Confidential – Read Only") that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data.
What is Active Directory Certificate Services (AD CS)?
AD CS is an identity and access control role that creates and manages the public key certificates used in software security systems. The AD CS role:
– Provides customizable services for creating and managing public key certificates.
– Enhances security by binding the identity of a person, device, or service to a key pair: the public key is published in the certificate, and the corresponding private key stays with the subject.
– Includes features for managing certificate enrollment and revocation in a variety of scalable environments.
Name some things that AD Certificate Services supports
Digital signatures
Encrypting File System (EFS)
Internet Protocol security (IPsec)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
Secure wireless networks
Smart card logon
Virtual Private Networks (VPN)
What AD roles are not supported on Server 2008 Standard?
AD FS is not available on the Standard edition; it requires the Enterprise or Datacenter edition.
Which server roles can Server 2008 Core run?
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Dynamic Host Configuration Protocol (DHCP) Server
DNS Server
File Services
Print Services
Streaming Media Services
Web Server (IIS)
What are the limitations of Server 2008 core?
There is no Windows shell (Explorer) or other GUI.
There is no managed-code support (no .NET Framework), so PowerShell is not available locally; all code has to be native Windows API code.
Windows Installer (.msi) packages can be installed only in quiet (unattended) mode.
What methods can you use to manage a Server 2008 core system?
Log on locally and use the command prompt.
Log on with Remote Desktop, which gives you the same command prompt.
Use Windows Remote Shell (winrs.exe, carried by the WinRM service) from another computer.
Run Server Manager or another MMC tool on another computer and connect to the Server Core system. This method gives you a GUI for managing the Server Core system.
How would you add server roles to a Server 2008 core system?
Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive.
How would you see a list of roles, role services and features that can be installed on Server 2008 core?
run the oclist command
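Putting the last three cards together, here is an added example (not part of the original study set) of managing a Server Core 2008 host remotely. It assumes a Server Core host named core01 (a hypothetical name), that `winrm quickconfig` has been run once at its local console, and that you are a local administrator on it. Because Server Core 2008 has no .NET Framework and therefore no PowerShell of its own, every command is a cmd.exe tool executed on core01 through WinRS from a full-installation management machine running PowerShell:

```powershell
# Added example; core01 is a hypothetical host name. Server Core 2008 has no
# PowerShell, so each line runs a cmd.exe command on the Core host via WinRS.
$core = 'core01'

# 1. List the roles and features that can be installed, with their state.
winrs "-r:$core" oclist

# 2. Add roles. Names are case-sensitive and must match oclist output exactly;
#    "start /w" makes cmd wait for ocsetup to finish instead of returning at once.
winrs "-r:$core" 'start /w ocsetup DNS-Server-Core-Role'
winrs "-r:$core" 'start /w ocsetup DHCPServerCore'

# 3. Confirm the role landed (oclist marks installed components as Installed).
winrs "-r:$core" 'oclist | findstr /i DNS-Server-Core-Role'

# 4. Everything else is also plain cmd tooling over the same channel, e.g.
#    an unattended promotion with an answer file already copied to the host.
winrs "-r:$core" 'dcpromo /unattend:C:\dcpromo.txt'
```

The WinRS channel is authenticated with Kerberos inside the domain; before the Core host is domain-joined, WinRM will fall back to NTLM only if the client lists the host under its TrustedHosts setting, so join the machine first where possible rather than loosening that list.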
What does AD Domain Services (AD DS) do?
provides Identity and Access (IDA) solutions for enterprise networks
What does IDA refer to?
Identity and Access
What 4 things should an IDA infrastructure do?
store information about users, groups, computers, and other objects; authenticate identities; control access; and provide an audit trail
What 5 technologies comprise a Microsoft IDA solution?
AD Domain Services; AD Lightweight Directory Services; AD Certificate Services; AD Rights Management Services; AD Federation Services
What part of IDA does AD Domain Services provide?
identity management
What part of IDA does AD Lightweight Directory Services provide?
applications management
What part of IDA does AD Certificate Services provide?
trust management
What part of IDA does AD Rights Management Services provide?
integrity
What part of IDA does AD Federation Services provide?
partnership with external organizations
What did AD Lightweight Directory Services used to be called?
Active Directory Application Mode
What does AD Lightweight Directory Services do?
stores and replicates application-related database information
What best practice should be used when using AD Certificate Services to provide certificate services to external communities?
chain your CA to, or obtain the externally facing certificates from, a trusted third-party CA whose root external clients already trust, so that they do not have to be configured to trust your internal root
What does AD Rights Management Services do?
provides persistent rights management, even after authentication (similar to Acrobat controls)
What 5 components does AD Rights Management Services require to function?
an AD DS domain with Windows 2000 SP3 or later domain controllers; IIS; a database server (SQL Server); the AD RMS client; an RMS-enabled application or browser
What does AD Federation Services do?
allows organizations to project rights and access controls across organizational boundaries
What is a schema?
a set of rules that defines classes of objects and attributes in a directory
What do replication services do?
distribute directory data across a network
What does a global catalog contain?
limited information about every object in the directory
What is another name for a global catalog?
the partial attribute set (PAS), strictly the set of attributes that are replicated to every global catalog server
What command is used to launch configuration of a domain controller?
dcpromo.exe
What are the components of an AD infrastructure?
AD data store, DC’s, domains, forest, trees, functional level, OU’s, sites
What is the directory also known as?
the AD data store
How is the directory stored?
as a single file (Ntds.dit)
Where is the directory located by default?
the %SystemRoot%\NTDS folder on every domain controller
What 4 partitions are usually found in the AD data store?
schema, configuration, domain (the domain naming context) and, on a global catalog server, the read-only partial replicas of the other domains; application partitions (for example, AD-integrated DNS zones) may also be present
What important authentication service is run by all domain controllers?
Kerberos Key Distribution Center (KDC)
Where can a user receive authentication from?
any DC in their domain
What serves as a scope for administrative policies (password expiration, etc.)?
a domain
What is considered best practice when replication cannot occur reliably between domain controllers?
place them in separate domains
What is a forest?
a collection of one or more Active Directory domains
What is the first domain in a forest known as?
the forest root domain
What entity defines a security boundary?
a forest
What is a security boundary?
an entity outside which no data is replicated
What defines a tree?
the DNS namespace
What determines whether domains are part of the same tree?
whether those domains are part of a contiguous DNS namespace
What are the 3 domain functional levels?
Windows 2000 native, Windows Server 2003, and Windows Server 2008
What are the forest functional levels supported by Server 2008?
Windows 2000, Windows Server 2003, and Windows Server 2008
What requirement exists for the Windows Server 2008 domain functional level?
all DC’s must be running Server 2008
What requirement exists for the Windows Server 2008 forest functional level?
all domains must be Windows Server 2008 domains
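The two requirements above are the things to verify before raising a level, because a raise cannot be undone. The following is an added example (not from the original study set) that reads the current levels from RootDSE and checks the operating system of every DC in the domain. It uses only ADSI and System.DirectoryServices, which exist on Windows Server 2008 (the AD PowerShell cmdlets arrived with 2008 R2), and assumes a domain-joined machine with read access to the directory:

```powershell
# Added example: read the functional levels and check whether every DC in
# this domain runs Windows Server 2008. Uses ADSI only; no AD module needed.
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'
                 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

# RootDSE exposes the levels as small integers.
$rootDse     = [ADSI]'LDAP://RootDSE'
$domainLevel = [int]$rootDse.domainFunctionality.Value
$forestLevel = [int]$rootDse.forestFunctionality.Value
"Domain functional level : $($levelNames[$domainLevel])"
"Forest functional level : $($levelNames[$forestLevel])"

# The Windows Server 2008 domain level needs every DC (RODCs included) on
# Server 2008: inspect the operatingSystem attribute of each DC account.
$defaultNc = $rootDse.defaultNamingContext.Value
$searcher  = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$defaultNc"
$searcher.Filter     = '(objectCategory=computer)'
$null = $searcher.PropertiesToLoad.AddRange(@('cn', 'operatingsystem'))

$blocking = @()
foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties['cn'][0]
    $os   = [string]$r.Properties['operatingsystem'][0]
    "  $name : $os"
    if ($os -notmatch 'Windows Server.*2008') { $blocking += $name }
}
if ($blocking.Count) {
    'Cannot raise to Windows Server 2008 until these DCs are upgraded or demoted: ' +
        [string]::Join(', ', $blocking)
} else {
    'All DCs run Server 2008: the domain level can be raised (Active Directory Domains and Trusts).'
}
```

Repeat the DC check in every domain before raising the forest level, since the forest raise requires each domain to be at the Windows Server 2008 domain level first. A decommissioned DC whose computer account was never cleaned up will show up here as a blocker, which is a useful side effect.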
What MMC is used to administer roles?
Server Manager
What are the two primary steps in creating a new DC?
add roles through Server Manager and promote server to DC
What command-line command can be used to promote a server to DC?
dcpromo.exe
What two names do all DC’s require?
a valid DNS name and a valid NetBIOS name
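As an added example (not from the original study set) of the promotion step done without the wizard, the script below writes a dcpromo answer file for the first domain controller of a new forest and runs dcpromo with it. The domain name corp.example.com, the NetBIOS name CORP, the paths and the DSRM password are placeholders to replace; the server is assumed to already have a static IP address, a DNS host name and a NetBIOS name, and you must be a local administrator:

```powershell
# Added example: unattended promotion of the first DC of a new forest.
# corp.example.com / CORP, the paths and the password below are placeholders.
$answer = @'
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=Replace-Me-DSRM-Pa55!
RebootOnCompletion=No
'@
# ForestLevel / DomainLevel: 0 = Windows 2000, 2 = Windows Server 2003,
# 3 = Windows Server 2008. SafeModeAdminPassword is the Directory Services
# Restore Mode password, the only credential that works when AD is offline:
# choose it deliberately and keep it in the break-glass store.

$path = Join-Path $env:TEMP 'dcpromo-forest.txt'
Set-Content -Path $path -Value $answer -Encoding ASCII

# dcpromo installs the AD DS binaries itself if the role is not present yet,
# then promotes. Wait for it so the clean-up below runs after it finishes.
$p = [Diagnostics.Process]::Start('dcpromo.exe', "/unattend:`"$path`"")
$p.WaitForExit()
"dcpromo exit code: $($p.ExitCode)"

# The answer file holds the DSRM password in clear text: remove it, then
# reboot to complete the promotion.
Remove-Item -Path $path -Force
shutdown /r /t 0
```

For an additional DC in an existing domain the same file changes to ReplicaOrNewDomain=Replica with ReplicaDomainDNSName and a UserName/Password/UserDomain triple for an account that may add DCs; the same clear-text-credential clean-up applies. On Server Core this answer-file route is the only way to promote, because there is no wizard.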
GPResult
A command-line tool that enables administrators to create and display a Resultant Set of Policy (RSoP) query from the command line.
Group Policy Modeling
A Group Policy Management feature that uses the Resultant Set of Policy snap-in to simulate the effect of a policy on the user environment.
Group Policy Results
A feature in Group Policy Management that is equivalent to the Logging mode within the Resultant Set of Policy MMC snap-in. Rather than simulating policy effects like the Group Policy Modeling Wizard, Group Policy Results obtains Resultant Set of Policy (RSoP) information from the client computer to show the actual effects that policies have on the client computer and user environment.
Logging mode
The Resultant Set of Policy (RSoP) mode that queries existing policies in the hierarchy that are linked to sites, domains, domain controllers, and Organizational Units. This mode is useful for documenting and understanding how combined policies are affecting users and computers. The results are returned in an MMC window that can be saved for later reference.
Planning mode
The Resultant Set of Policy (RSoP) mode that allows administrators to simulate the effect of policy settings prior to implementing them on a computer or user.
WMI Filtering
A filtering method that uses queries written in the WMI Query Language (WQL) to control whether a GPO applies to a computer: the GPO applies only if every query in the filter returns at least one instance.
CIMOM
Common Information Model Object Manager
The core WMI component that manages the CIM repository, a database that contains information gathered when a computer starts and becomes part of the network. This information includes hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, scripts, Folder Redirection settings, and Security settings.
RSoP
Resultant Set of Policy
Query engine that looks at GPOs and then reports its findings. Use this tool to determine the effective settings for a user or a computer based on the combination of the local, site, domain, domain controller, and OU policies.
WMI
Windows Management Instrumentation
A component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. It allows administrators to create queries based on hardware, software, operating systems, and services.
WQL
WMI Query Language
A language that is similar to structured query language (SQL).
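Because a WMI filter is nothing more than WQL queries evaluated on the client, the queries can be dry-run on a candidate machine before the GPO is linked. The following is an added example (not from the original study set) with two constructed filter queries; it uses Get-WmiObject, available on Server 2008, and does not touch the GPO itself:

```powershell
# Added example: dry-run the WQL queries of a WMI filter the way the Group
# Policy client evaluates them (all queries must return >= 1 instance).
# Both queries are constructed for the demo.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = member server. Version 6.0.* is Windows Server 2008 / Vista.
$filterQueries = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2"',
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND OSArchitecture = "64-bit"'
)

function Test-WmiFilter {
    param([string[]]$Queries, [string]$ComputerName = '.')
    # A filter is the logical AND of its queries: the first empty result fails it.
    foreach ($q in $Queries) {
        $hits = @(Get-WmiObject -Query $q -ComputerName $ComputerName -ErrorAction Stop)
        '{0,-5} {1}' -f $(if ($hits.Count) { 'PASS' } else { 'FAIL' }), $q
        if ($hits.Count -eq 0) { return $false }
    }
    return $true
}

if (Test-WmiFilter -Queries $filterQueries) { 'GPO would apply to this computer' }
else                                          { 'GPO would be filtered out here' }

# After linking, confirm from the client side: gpresult lists GPOs the filter
# rejected under "Filtering: Denied (WMI Filter)".
gpresult /r /scope computer
```

Keep filters cheap: they are re-evaluated at every background refresh, and a query that returns nothing because a WMI class or namespace is absent on an older client fails the filter rather than erroring, which silently excludes that client from the GPO.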
Assign
An option used to deploy required applications to pertinent users and computers.
Basic User
Strategy for enforcing restrictions that prevents any application from running that requires administrative rights, but allows programs to run that only require resources accessible to normal users.
certificate rule
A software restriction rule that uses the signing certificate of an application to allow software from a trusted publisher to run, or to prevent software that is not signed by a trusted publisher from running. Certificate rules can also be used to allow signed programs to run from otherwise disallowed areas of the operating system.
Disallowed
Strategy for enforcing restrictions that prevents all applications from running except those that are specifically allowed.
distribution share
The shared folder that is a network location from which users can download software. Also known as the software distribution point.
file-activated installation
A method of distributing applications whereby an application is installed when a user opens a file whose type is associated with that application but the application is not yet installed.
hash
A series of bytes with a fixed length that uniquely identifies a program or file.
hash algorithm
A formula that generates a hash value.
hash rule
A software restriction rule applied to an application executable that compares the file's hash value with the stored one and enforces the rule's security level (Unrestricted or Disallowed) on any file that matches, wherever it is stored and whatever it is named.
hash value
A value generated by a formula that makes it nearly impossible for another program to have the same hash.
Install This Application At Logon
A deployment option that allows the application to be installed immediately at logon, rather than merely advertising it on the Start menu.
.msi file
A relational database file that is copied to the target computer system, with the program files it deploys. In addition to providing installation information, this database file assists in the self-healing process for damaged applications and in clean application removal.
network zone rule
A software restriction rule that allows Windows Installer packages to be installed only if they come from a trusted Internet Explorer security zone. It applies to .msi packages only.
patch files
Windows Installer files with the .msp extension that are used to apply service packs and hotfixes to installed soft
path rule
A software restriction rule that identifies software by specifying the directory path where the application is stored in the file system. Because it identifies software by location only, copying or renaming a file out of that path evades it, so path rules should point at directories ordinary users cannot write to.
Publish
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource. (See lesson 1.)
2) An option used to deploy applications. It allows users to install the applications that they consider useful to them. (See lesson 9.)
repackaging
The process of preparing software for .msi distribution, which includes taking a snapshot of a clean computer system before the application is installed, installing the application as desired and taking a snapshot of the computer after the application is installed.
self-healing
A function that allows software to detect and correct problems, such as missing or deleted files.
software life cycle
A process that takes place from the time an application is evaluated for deployment in an organization until the time when it is deemed old or no longer suitable for use.
Unrestricted
Strategy for enforcing restrictions that allows all applications to run, except those that are specifically disallowed.
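The entries above describe the rule types and default levels separately; what matters in practice is how they combine. Software Restriction Policies resolve conflicts by rule type, hash first, then certificate, then path (the most specific path wins), then network zone, and finally the default level. The following is an added example (not from the original study set) that models that resolution over constructed sample files and a constructed rule table, so the effect of each rule type can be seen side by side. It does not call the SRP engine, and it uses SHA-256 purely for illustration, which says nothing about the hash SRP itself stores:

```powershell
# Added example: model SRP rule precedence on constructed files and rules.
$workDir = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Force -Path "$workDir\Tools", "$workDir\Downloads" | Out-Null
Set-Content "$workDir\Tools\approved.exe"    'constructed payload A'
Copy-Item   "$workDir\Tools\approved.exe"    "$workDir\Downloads\renamed.exe"   # same bytes
Set-Content "$workDir\Downloads\patched.exe" 'constructed payload A, one byte changed'
Set-Content "$workDir\other.exe"             'constructed payload B'
Set-Content "$env:TEMP\srp-outside.exe"      'constructed payload C'

function Get-FileHashHex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()   # illustration only
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '').ToLower() }
    finally { $fs.Close() }
}

# Constructed rule set with an allow-list posture (default level Disallowed).
$defaultLevel = 'Disallowed'
$rules = @(
    @{ Type = 'Hash'; Value = (Get-FileHashHex "$workDir\Tools\approved.exe"); Level = 'Unrestricted' },
    @{ Type = 'Path'; Value = "$workDir\Downloads\*";                            Level = 'Disallowed'   },
    @{ Type = 'Path'; Value = "$workDir\*";                                      Level = 'Unrestricted' }
)

function Resolve-SrpLevel([string]$File) {
    # 1. Hash rules: match on content, independent of name or location.
    $hash = Get-FileHashHex $File
    $h = $rules | Where-Object { $_.Type -eq 'Hash' -and $_.Value -eq $hash } | Select-Object -First 1
    if ($h) { return "$($h.Level) (hash rule)" }
    # 2. Certificate rules would be evaluated here (Authenticode signer); none in this demo.
    # 3. Path rules: several may match; the most specific (longest) pattern wins.
    $p = $rules | Where-Object { $_.Type -eq 'Path' -and $File -like $_.Value } |
         Sort-Object { $_.Value.Length } -Descending | Select-Object -First 1
    if ($p) { return "$($p.Level) (path rule $($p.Value))" }
    # 4. Network zone rules apply to .msi packages only; none in this demo.
    return "$defaultLevel (default level)"
}

foreach ($f in "$workDir\Tools\approved.exe", "$workDir\Downloads\renamed.exe",
               "$workDir\Downloads\patched.exe", "$workDir\other.exe", "$env:TEMP\srp-outside.exe") {
    '{0} -> {1}' -f $f, (Resolve-SrpLevel $f)
}
```

Running it shows the two points the glossary leaves implicit: the copy in Downloads is still allowed because its hash rule outranks the Disallowed path rule on that folder, whereas the patched copy, whose hash no longer matches, falls through to the more specific Downloads path rule and is blocked. Real SRP adds two knobs that the model omits: the enforcement option (whether local administrators and DLLs are checked) and the designated file types list, both of which weaken the policy if left loose.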
.zap file
A non-Windows Installer package that can be created in a text editor.
SDLC
Software Development Life Cycle
A structured process used to develop information systems software, projects, or components; phases include analysis, design, implementation and maintenance.
Account Lockout Policies
A subcategory in the Account Policies category that specifies the number of unsuccessful logon attempts that, if made within a contiguous timeframe, might constitute a potential security threat from an intruder. An Account Lockout Policy can be set to lock the account in question after a specified number of invalid attempts. Additionally, the policy specifies how long the account will remain locked.
account logon events
Setting that logs credential validation (Kerberos ticket requests, NTLM authentication) on the computer that holds the account, which for domain accounts is the domain controller. Compare logon events, which are recorded on the computer being logged on to.
account management events
Setting that triggers an event that is written based on changes to account properties and group properties. Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling.
Audit Policy
The section of GPO Local Policies that enables administrators to log successful and failed security events, such as logon events, account access, and object access.
auditing
Tracking events that take place on the local computer.
disk quotas
A setting that limits the amount of space available on the server for user data.
Enforce Password History
Group Policy setting that indicates the number of previous passwords Active Directory should remember before allowing a user to reuse one of them.
gpupdate.exe
A command-line tool used to force a manual Group Policy refresh. Introduced in Windows Server 2003 and also used in Windows Server 2008, it replaces the secedit /refreshpolicy command used in Windows 2000. gpupdate /force reapplies all settings rather than only those that changed.
Kerberos Policies
For domain accounts only, this policy enables administrators to configure settings that govern how Active Directory authentication functions.
Local Policies
Policies that enable administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log.
logon events
The setting logs logon and logoff events on the computer where the logon takes place (a workstation for an interactive logon, a file server for a network logon), regardless of where the account is defined.
msDS-PasswordSettings
A new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as a Password Settings Object (PSO).
Offline Files
A separate Group Policy category that can allow files to be available to users, even when users are disconnected from the network.
Password Policies
A subcategory in the Account Policies category that enforces password length, password history, and so on. Password Policies can be applied to domain and local user accounts.
policy change events
By default, this policy is set to audit successes in the Default Domain Controllers GPO. Policy change audit log entries are triggered by events such as user rights assignment changes, establishment or removal of trust relationships, IPsec policy agent changes, and grants or removals of system access privileges.
refresh interval
The period between background Group Policy refreshes. The default is 90 minutes with a random offset of up to 30 minutes for workstations and member servers, and 5 minutes for domain controllers; it can be set from 0 to 64,800 minutes (45 days).
Restricted Groups
Policy settings that enable an administrator to specify group membership lists. Members not in the list are removed at every refresh, so the setting can enforce, for example, the membership of the local Administrators group.
Security Options
A subcategory of the Local Policies setting area of a Group Policy Object that includes security settings related to interactive log on, digital signing of data, restrictions for access to floppy and CD-ROM drives, unsigned driver installation behavior, and logon dialog box behavior.
system events
Events that trigger a log entry in this category include system startups and shutdowns; system time changes; system resource exhaustion, such as when an event log is full and can no longer append entries; security log clearing; or any event that affects system security or the security log. In the Default Domain Controllers GPO, this setting is set to log success by default.
System Services
The category that is used to configure the startup and security settings for services running on a computer.
tattooing
An Administrative Template setting that writes outside the registry keys Group Policy cleans up and therefore persists after the GPO no longer applies; it changes only when another policy or a manual edit overwrites the setting.
User Rights Assignment
A subcategory of the Local Policies setting area of a Group Policy Object that includes settings for items that pertain to rights needed by users to perform system-related tasks.
FGPP
Fine-Grained Password Policies
A policy that can be applied to one or more users or groups of users, allowing the administrator to specify a more or less stringent password policy for the subset than the password policy defined for the entire domain.
KDC
Key Distribution Center
Used to issue Kerberos tickets to users for domain accesss.
PSO
Password Settings Object
A new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as msDS-PasswordSettings.
Administrative Templates
Files used to generate the user interface for the Group Policy settings that can be set using the Group Policy Management Editor.
ADMX
Windows Server 2008 Administrative Templates using the .admx extension.
asynchronous processing
A method of processing multiple scripts at the same time, without waiting for the outcome of a previously launched script to occur.
Block Policy Inheritance
A setting on a container object, such as a site, domain, or Organizational Unit, that blocks all non-enforced policies from parent containers from flowing to this container. It is not policy specific; it applies to all policies linked at parent levels, except links marked Enforce.
Central Store
Single location in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) containing the .admx Administrative Templates and their language-specific .adml files, so that every administrator editing a GPO uses the same template set.
Default Domain Controller Policy
A policy linked to the Domain Controllers OU; its settings affect all domain controllers in the domain.
domain GPO
A type of Group Policy Object associated with a domain.
Enforce
A setting on an individual GPO link that forces that GPO's settings to flow down through Active Directory, overriding Block Policy Inheritance on child containers and winning over conflicting settings in GPOs linked lower in the hierarchy.
folder redirection
A setting that allows files to be redirected to a network drive for backup and makes them accessible from anywhere on the network.
GPO Inheritance
The process of applying Group Policy to all domains and the child objects contained within them.
GPC
Group Policy container
An Active Directory object that stores the properties of the GPO.
GPMC
Group Policy Management Console
The Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings.
GPO
Group Policy Object
Objects that contain all of the Group Policy settings that will be implemented on all user and computer objects within a site, domain, or OU.
GPT
Group Policy template
A folder located in the Policies subfolder of the SYSVOL share that stores policy setting, such as security settings and script files.
ROI
Return on investment
The amount of money gained (or lost) relative to the amount of money invested in a particular project or technology. It can be measured against tangible costs, such as implementation and ongoing support, and against intangible benefits, such as increased user productivity and other factors that are difficult to measure financially.
TCO
Total cost of ownership
A value used to assess the cost of implementing computer software or hardware, in terms of both direct and indirect costs. TCO can be calculated based on how much ownership costs over the lifetime of a business resource.
WDS
Windows Deployment Services
A server role that deploys Windows images to computers over the network (PXE boot). It assists in rebuilding or deploying workstations quickly and efficiently in an enterprise environment.
Group Policy Management Editor
The Microsoft Management Console (MMC) snap-in that is used to edit the settings of an individual GPO.
linking
A process that applies Group Policy settings to various containers within Active Directory.
local GPO
A type of Group Policy Object associated with the local computer.
Loopback Processing
A Group Policy option that provides an alternative method of obtaining the ordered list of GPOs to be processed for the user. When set to Enabled, this setting has two options: Merge and Replace.
LSDOU
The sequence used to process policies: local policies, site policies, domain policies and then Organization Unit policies.
Merge
A Loopback Processing option. After all user policies run, the computer policy settings are reapplied, which allows all current GPO settings to merge with the reapplied computer policy settings. Where conflicts arise between computer and user settings, the computer policy supersedes the user policy. This occurs before the desktop is presented to the user.
multiple local GPOs
A new feature in Windows Vista whereby administrators can specify a different local GPO for administrators and create specific GPO settings for one or more local users configured on a workstation.
node
A subcategory of Group Policy settings.
offline file storage
This feature works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible.
registry-based policies
Settings that provide a consistent, secure, manageable environment that addresses the users' needs and the organization's administrative goals.
Replace
A Loopback Processing option. This option overwrites the GPO list for a user object with the GPO list for the user’s logon computer. This means that the computer policy settings remove any conflicting user policy settings.
scripts
A managed setting that can be defined or changed through Group Policies. Scripts, including logon, logoff, startup, and shutdown commands, can assist in configuring the user environment.
securtity group filtering
An advanced technique that applies a GPO's settings to only one or more users or groups within a container by selectively granting the Read and Apply Group Policy permissions on the GPO to those users or security groups (and removing them from Authenticated Users, which holds both by default).
software settings
A subnode within the Computer Configuration and User Configuration nodes. The Software Settings folder located under the User Configuration node contains settings that are applied to users designated by the Group Policy, regardless of the computer from which they log on to Active Directory.
starter GPO
A type of Group Policy that enables administrators to configure a standard set of items that will be configured by default in any GPO that is derived from a starter GPO. Starter GPOs are a new feature in Windows Server 2008.
synchronous processing
Processing method whereby each policy must be read and applied completely before the next policy can be invoked.
User Configuration
A Group Policy setting that enables administrators to customize the configuration of a user’s desktop, environment, and security settings. Enforced policies are based on the user rather than on the computer used.
Windows Settings
A subnode within the Computer Configuration and User Configuration nodes. The Windows Settings folder located under the Computer Configuration node in the Group Policy Management Editor contains security settings and scripts that apply to all users who log on to Active Directory from that specific computer. The Windows Settings folder located under the User Configuration node contains settings related to folder redirection, security settings, and scripts that are applied to the associated users.
What is the order of group policies?
1 Local Policies
2 Site Policies
3 Domain Policies
4 OU Policies

LSDOU
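The order above only says which GPO is read last; the Enforce and Block Policy Inheritance entries earlier in the glossary change that order, and the interplay is where effective-settings mistakes come from. The following is an added example (not from the original study set) that resolves effective settings for a constructed chain of GPO links under these rules: local, site, domain and OU GPOs are processed in that order and a later GPO overwrites an earlier one for every setting both define; Block Inheritance on a container discards the non-enforced links of every container above it (the local GPO is not a link and is unaffected); enforced links are never blocked and are applied after everything else, with the link nearest the forest root applied last so that it wins. Only one link per container is modelled; with several, they are applied in reverse link order. The setting names and values are invented for the demo:

```powershell
# Added example: resolve effective Group Policy settings across LSDOU with
# Enforce and Block Inheritance, on a constructed chain of containers.
function Resolve-Gpo {
    param([object[]]$Chain)   # containers ordered Local, Site, Domain, OU ... leaf OU
    $ordered  = New-Object System.Collections.ArrayList
    $enforced = New-Object System.Collections.ArrayList
    $blockedAbove = $false
    # Walk from the leaf upward, so a block at any level hides the
    # non-enforced links of every container above it.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $c = $Chain[$i]
        foreach ($link in $c.Links) {
            if ($link.Enforced) { $null = $enforced.Add($link); continue }
            if ($blockedAbove -and $c.Name -ne 'Local') { continue }
            $null = $ordered.Insert(0, $link)   # keep hierarchy order, root first
        }
        if ($c.BlockInheritance) { $blockedAbove = $true }
    }
    $enforced.Reverse()   # collected leaf first; reversed, the root-most is applied last
    $effective = @{}
    $trace = @()
    foreach ($link in @($ordered) + @($enforced)) {
        foreach ($k in $link.Settings.Keys) { $effective[$k] = $link.Settings[$k] }
        $trace += $link.Name
    }
    return @{ Order = $trace; Settings = $effective }
}

# Constructed chain: the Sales OU blocks inheritance, the domain link is enforced.
$chain = @(
    @{ Name = 'Local';  Links = @(@{ Name = 'Local GPO'; Enforced = $false
                                     Settings = @{ Screensaver = 'off'; USBStorage = 'allowed' } }) },
    @{ Name = 'Site';   Links = @(@{ Name = 'Site-HQ';   Enforced = $false
                                     Settings = @{ Proxy = 'hq-proxy' } }) },
    @{ Name = 'Domain'; Links = @(@{ Name = 'Default Domain Policy'; Enforced = $true
                                     Settings = @{ USBStorage = 'blocked' } }) },
    @{ Name = 'OU=Sales'; BlockInheritance = $true
       Links = @(@{ Name = 'Sales-Desktop'; Enforced = $false
                    Settings = @{ Screensaver = 'on'; USBStorage = 'allowed'; Proxy = 'none' } }) }
)

$r = Resolve-Gpo $chain
'Processing order: ' + [string]::Join(' -> ', [string[]]$r.Order)
$r.Settings.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-12} = {1}' -f $_.Key, $_.Value }
```

With this chain the site GPO never applies (blocked), the Sales OU's own GPO overrides the local one, and the enforced Default Domain Policy still wins the USBStorage conflict despite the block, which is exactly the behaviour to expect from Enforce. On a real client, gpresult /r and Group Policy Results show the same ordering, including GPOs listed as denied by Block Inheritance.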
Comma-Separated Value Directory Exchange
CSVDE
The command line utility used to import or export Active Directory information from a comma-separated value (.csv) file.
Comma-Separated Values
CSV
Format that separates each value with a comma. The CSV format can be used to import and export information to and from third-party applications.
LDAP Data Interchange Format
LDIF
The format for the data file containing the object records to be created.
LDAP Data Interchange Format Directory Exchange
LDIFDE
A command-line utility used to import or export Active Directory information and create, modify, and delete Active Directory objects.
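LDIFDE is also the usual way to create the Fine-Grained Password Policy objects (PSOs) described earlier, since Windows Server 2008 has no GUI for them. The following is an added example (not from the original study set) that builds an LDIF file for a PSO applied to Domain Admins, imports it, and checks the result. It assumes the domain is already at the Windows Server 2008 functional level and that you are a Domain Admin; the PSO name, precedence and values are illustrative choices. Time-valued attributes are stored as negative 100-nanosecond intervals, which is why the helpers negate and scale:

```powershell
# Added example: create a Password Settings Object with LDIFDE and verify it.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value   # e.g. DC=corp,DC=example,DC=com

# Durations are I8 values: 100-ns units, negative (e.g. 30 minutes = -18000000000).
function ConvertTo-I8Minutes([int]$Minutes) { -1 * [int64]$Minutes * 60 * 10000000 }
function ConvertTo-I8Days([int]$Days)       { -1 * [int64]$Days * 864000000000 }

$ldif = @"
dn: CN=PSO-Admins,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-I8Days 1)
msDS-MaximumPasswordAge: $(ConvertTo-I8Days 42)
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-I8Minutes 30)
msDS-LockoutDuration: $(ConvertTo-I8Minutes 30)
msDS-PSOAppliesTo: CN=Domain Admins,CN=Users,$domainDn
"@

$ldf = Join-Path $env:TEMP 'pso-admins.ldf'
Set-Content -Path $ldf -Value $ldif -Encoding ASCII

# Import. -k continues past "object already exists", so re-running is harmless.
ldifde -i -k -f $ldf

# Verify 1: export every PSO with its precedence and targets.
$out = Join-Path $env:TEMP 'pso-check.ldf'
ldifde -f $out -d "CN=Password Settings Container,CN=System,$domainDn" -r "(objectClass=msDS-PasswordSettings)" -l msDS-PasswordSettingsPrecedence,msDS-PSOAppliesTo
Get-Content $out

# Verify 2: which PSO actually wins for one member (lowest precedence value wins
# when several apply; with none, the domain password policy applies).
dsget user "CN=Administrator,CN=Users,$domainDn" -effectivepso
```

A PSO can be applied only to users and to global security groups, so apply it to a group and manage membership rather than listing users in msDS-PSOAppliesTo. Keep precedence values unique: if two PSOs with the same precedence apply to a user, the one with the lower object GUID wins, which is not something anyone wants to reason about during an incident.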
Security Account Manager
SAM
A database of local user accounts and their password hashes that exists on every Windows computer. Domain accounts are stored in Active Directory on the domain controllers instead.
Windows Script Host
WSH
Allows scripts to be run from a Windows desktop or a command prompt. The runtime programs provided to do this are WScript.exe and CScript.exe, respectively.
access token
Created when a user logs on, this value identifies the user and all of the user’s group memberships. Like a club membership card, it verifies a user’s permissions when the user attempts to access a local or network resource.
Anonymous Logon
Special identity that refers to users who have not supplied a username and password.
authenticate
To gain access to the network, prospective network users must identify themselves to a network using specific user accounts.
authentication
The process of confirming a user’s identity using a known value, such as a password, a PIN presented together with a smart card, or, in the case of biometric authentication, the user’s fingerprint or hand print.
authorization
The process of confirming that an authenticated user has the correct permissions to access one or more network resources.
batch file
Files, typically configured with either a .bat extension or a .cmd extension, that can be used to automate many routine or repetitive tasks.
built-in user accounts
The accounts automatically created when Microsoft Windows Server 2008 is installed. By default, two built-in user accounts are created on a Windows Server 2008 computer: the Administrator account and the Guest account.
distribution group
Non-security-related groups created for the distribution of information to one or more persons.
domain account
The accounts used to access Active Directory or network-based resources, such as shared folders or printers.
domain local group
A group used to assign permissions to resources that reside only in the same domain as the domain local group. They can contain user accounts, computer accounts, global groups, and universal groups from any domain, in addition to other domain local groups from the same domain.
dsadd
A command-line tool used to create, delete, view, and modify Active Directory objects, including users, groups and Organizational Units.
Everyone
A special identity group that contains all authenticated users and domain guests.
global group
A group used to grant or deny permissions to any resource located in any domain in the forest. Global groups can contain user accounts, computer accounts, and/or other global groups only from within the same domain as the global group.
group
A collection of user or computer accounts that is used to simplify the assignment of permissions to network resources.
group nesting
The process of configuring one or more groups as members of another group.
group scope
Group characteristic that controls which objects the group can contain, limiting the objects to the same domain or permitting objects from remote domains as well, and controls the location in the domain or forest where the group can be used.
group type
Group characteristic that defines how a group is to be used within Active Directory.
header record
The first line of a CSVDE import or export file, which lists the LDAP attribute names (for example dn, objectClass, sAMAccountName) for the columns that follow.
local account
The accounts used to access the local computer only. They are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers, nor do these accounts have domain access.
local group
A collection of user accounts that are local to one specific workstation or member server. Local groups are created in the security database of a local computer and are not replicated to Active Directory or to any other computers on the network.
nested
An object placed inside another object of the same type.
nested membership
When a group is placed in a second group, the members of the first group become members of the second group.
SAM account name
Each user’s logon name, the portion to the left of the ‘@’ in a User Principal Name. The SAM account name must be unique within the domain.
security group
Security-related groups created for purposes of granting resource access permissions to multiple users.
special identity group
Group used to define permission assignments. Administrators cannot manually modify the membership of special identity groups, nor can they view their membership lists; membership is determined by how a user connects (for example Authenticated Users, Everyone, or Anonymous Logon).
Active Directory Migration Tool
ADMT
A free tool used to move objects between domains.
Delegation of Control Wizard
A simple interface used to delegate permissions for domains, Organizational Units, and containers.
dictionary attack
An automated password-cracking attack that tries candidate passwords drawn from a list of likely words and phrases (the dictionary) until one matches. It differs from a brute-force attack, which tries every possible combination of characters until the correct sequence is finally discovered.
drag-and-drop
User interface feature enabling the user to drag an object and drop it on a target. In the Active Directory Users and Computers console, this feature was introduced in Windows Server 2003.
dsmove
A command-line utility used to move an object from one location to another.
password
An alphanumeric sequence of characters entered with a username to access a server, workstation, or shared resource.
password-cracking
An attempt to discover a user’s password.
personal identification number
PIN
Typically consists of at least four characters or digits that are entered while presenting a physical access token, such as an ATM card or a smart card.
Run as Administrator
Option that enables administrators to maintain their primary logon as a standard user and create a secondary session for access to an administrative tool.
runas
A command-line tool that enables administrators to run a program with alternate credentials, without logging off their standard user session.
Secondary Logon
A feature that provides the ability to log on with an alternate set of credentials to that of the primary logon.
strong password
A password that follows guidelines that make it difficult for a potential hacker to determine that user’s password. Password guidelines include a minimum required password length, a password history, requiring multiple types of characters within a password, and setting a minimum password age.
What are the system requirements to run AD RMS?
-Pentium 4, 3 GHz or higher
-512 MB RAM
-40 GB HDD
-Windows Server 2008 (except Web Edition or Itanium-based systems)
-FAT32 or NTFS file system
-Message Queuing
-IIS with the ASP.NET web service enabled
What is a Server License certificate (SLC)?
It is a self-signed certificate generated during AD RMS setup of the first server in a root cluster; its public key is what publishing licenses encrypt content keys to.
What is a Rights Account Certificate (RAC)?
Issued to trusted users who have an e-mail-enabled account in AD DS.
-RACs are generated when the user first tries to open or protect rights-protected content.
-Standard RACs have a duration of 365 days.
-Temporary RACs do not tie the user to a specific computer and are valid for only 15 minutes.
-A RAC contains the user’s public key and the user’s private key, the latter encrypted with the public key of the machine certificate of the computer the user is using.
What is a Client Licensor certificate (CLC)?
After the user has a RAC and launches an AD RMS-enabled application, the application automatically sends a request for a CLC to the AD RMS cluster. The CLC is what lets the user publish rights-protected content while offline.
-Includes the client licensor public key, the client licensor private key encrypted with the user’s public key, and the AD RMS cluster’s public key.
What is a Machine Certificate?
The first time an AD RMS-enabled application is used, a machine certificate is created (machine activation).
-Contains the public key for the activated computer. The private key is contained within the lockbox on the computer.
What is a Publishing License?
Created when the user saves content in a rights-protected mode. The license lists which users can use the content and under which conditions, as well as the rights each user has to the content.
-Includes the symmetric content key for decrypting the content (encrypted with the cluster’s public key, so only the cluster can recover it) as well as the public key of the cluster.
What is a Use license?
The use license is issued to a user who opens rights-protected content; it carries the content key encrypted with that user’s public key together with the rights that user has been granted.
What is a Federated Web SSO?
Usually spans firewalls, because it links applications contained within an extranet in a resource organization to the internal directory stores of account organizations.
The only trust that exists in this model is the federation trust. It is always a one-way trust from the resource organization to the account organizations.
-This is the most common deployment scenario.
What is a Federated Web SSO with Forest Trust?
The organization uses two AD DS forests: one internal, and one external forest located within a perimeter network, with a forest trust between them.
-Internal users have access to the applications from both the internal network and the Internet.
-External users have access to the applications only from the Internet.
What is a Web SSO?
use when all the users for an extranet application are external and do not have accounts within an AD DS domain.
What kind of certificate does a Federation server need in an AD FS environment?
server authentication certificate and a token signing certificate
What kind of certificate does a Federation Service Proxy use?
Must have a server authentication certificate to support SSL-encrypted communications with Web clients.
-Must also have a client authentication certificate to authenticate itself to the federation server during communications.
What kind of certificate does an AD FS Web Agent use?
server authentication certificate to secure its communications with web clients.
Is publishing CA configuration to AD DS optional or mandatory for a standalone CA?
Optional for a standalone CA.
Mandatory for an enterprise CA.
What is a Domain?
An administratively defined collection of network resources that share a common directory database and security policies.
What are objects?
Within Active Directory, each resource is identified as an object.
-Each object contains attributes.
-Active Directory uses DNS for locating and naming objects.
-Container objects hold or group other objects, either other containers or leaf objects.
What is the Schema?
The schema identifies the object classes that exist in the tree and the attributes of the object.
What is an OU?
An organizational unit is like a folder that subdivides and organizes network resources within a domain.
-Is a container object.
-Can be used to logically organize network resources.
-Simplifies security administration (delegation of control and Group Policy linking).
-First-level OUs are called parents.
-Second-level OUs are called children.
-OUs can contain other OUs or any type of leaf object.
What are Generic Containers?
Used to organize Active Directory objects (for example the Users, Computers, and Builtin containers).
-Created by default.
-Cannot be created, moved, renamed, or deleted.
-Have very few editable properties, and Group Policy cannot be linked to them.
What is a tree?
A group of related domains that share the same contiguous DNS namespace.
What is a forest?
a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.
What is a Domain Controller?
a server that holds a copy of the Active directory database that can be written to.
What is a Global Catalog?
A database that contains a partial replica of every object from every domain within a forest.
What is an AD DS?
a distributed database that stores and manages information about network resources, such as users, computers and printers.
What is AD LDS?
An LDAP directory service that you can use to create a directory store for use by directory-enabled applications.
-Formerly known as ADAM (Active Directory Application Mode).
What is AD FS?
A feature that enables secure access to web applications outside of a user’s home domain or forest.
-Provides web SSO (single sign-on).
What is AD RMS?
a feature that safeguards digital information from unauthorized use.
What is AD CS?
an identity and access control feature that creates and manages public key certificates used in software security systems.
What are the steps to prevent objects from accidental deletion?
In Active Directory Users and Computers or Active Directory Sites and Services (with Advanced Features enabled), do either of the following:
-On the Object tab, select the Protect object from accidental deletion check box.
-On the Security tab, add Deny entries for the Delete and Delete Subtree advanced permissions for Everyone (this is what the check box does behind the scenes).
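The same protection applied and audited from the command line, as an added example (not from the original page). It assumes the Active Directory PowerShell module from Windows Server 2008 R2 RSAT and a hypothetical domain contoso.com with an OU named Servers; adjust the names to your environment.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module and the hypothetical OU "Servers" in contoso.com.
Import-Module ActiveDirectory

$ou = 'OU=Servers,DC=contoso,DC=com'

# Protect the OU itself and every object below it. Setting the flag writes
# Deny "Delete" and "Delete Subtree" ACEs for Everyone on each object, the
# same thing the Object tab check box does in the GUI.
Set-ADObject -Identity $ou -ProtectedFromAccidentalDeletion $true
Get-ADObject -SearchBase $ou -Filter * |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Audit: list OUs anywhere in the domain that are still unprotected, so the
# gap can be closed before someone deletes a subtree by mistake.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Verify the resulting Deny entry for Everyone on the OU through the AD: drive.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Because the protection is only a Deny ACE, an administrator who needs to delete the object must clear the flag first; that extra step is the whole point, and the audit query is what keeps new OUs from slipping in unprotected.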
Where does Windows store standard zone data?
%windir%\System32\Dns
How do you change the replication scope for a zone using an application partition?
dnscmd /ZoneChangeDirectoryPartition <ZoneName> followed by one of:
/forest (store the zone in ForestDnsZones, replicated to every DNS server in the forest)
/domain (store the zone in DomainDnsZones, replicated to every DNS server in the domain)
How do you perform and offline domain join?
Run djoin.exe /provision on a domain-joined computer to create the computer account and save a provisioning file, then copy the resulting file to the computer that you want to join to the domain.
On that computer, run djoin.exe /requestODJ, pointing it at the copied file, and reboot.
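The two steps end to end, as an added example that is not part of the original page. The domain contoso.com, the computer name WEB01 and the path C:\odj\web01.txt are placeholders.

```powershell
# Added example, not from the original page. Placeholder names: domain
# contoso.com, new computer WEB01, provisioning file C:\odj\web01.txt.

# Step 1, on a domain-joined machine, as an account allowed to create
# computer objects: pre-create the account and write the provisioning blob.
djoin.exe /provision /domain contoso.com /machine WEB01 /savefile C:\odj\web01.txt

# Move web01.txt to the target computer over a trusted channel. The blob
# contains the machine account password, so handle it as a secret and delete
# it once it has been consumed.

# Step 2, on the target (offline) computer, as a local administrator: inject
# the blob into the running installation (/localos) and remove the file.
djoin.exe /requestODJ /loadfile C:\odj\web01.txt /windowspath $env:SystemRoot /localos
Remove-Item -Path C:\odj\web01.txt -Force

# The join takes effect on the next start; the computer authenticates to a
# domain controller the first time one is reachable.
Restart-Computer
```

If the target is an image that has not booted yet, point /windowspath at the mounted offline Windows directory instead of using /localos.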
Can you convert a group directly from global to domain local (or from domain local to global)?
No, not directly. First convert the group to a universal group and apply the change, then convert it to the desired scope.
What are the requirements to join a computer to a domain?
You must be a member of the Administrators group on the local computer or be given necessary rights.
What utilities do you use to create computer accounts from a command prompt or script?
-dsadd (dsadd computer)
-netdom (netdom join)
What is a managed service account?
A new account type available in Windows Server 2008 R2 and Windows 7. It provides the benefits of a domain user account for running a service, with these improvements:
-Passwords are managed and reset automatically.
-At the Windows Server 2008 R2 domain functional level, the SPN does not need to be managed manually as it does with an ordinary user account.
What is a Virtual Account?
A new account type (Windows Server 2008 R2 and Windows 7) that is not created or deleted by an administrator: Windows manages a local account named NT SERVICE\<service name> for a service, and the service accesses network resources as the computer account.
What is AGDLP?
A strategy to manage users, groups, and permissions.
-A: place user Accounts
-G: into Global groups
-DL: nest the global groups into Domain Local groups
-P: assign Permissions to the domain local groups only.
Used in mixed mode; universal security groups are not available in mixed mode.
What is AGUDLP?
Same as AGDLP, except that the global groups are nested into Universal groups, which are then nested into the domain local groups.
Used in native mode where there is more than one domain and you need to grant access to similar groups defined in multiple domains.
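The AGDLP chain built with the Active Directory module, as an added example (not from the original page), with the AGUDLP variant shown as a comment. The domain contoso.com, the Groups OU, the user jsmith and the folder D:\Finance on the file server where this runs are all assumptions.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module, the hypothetical domain contoso.com with an OU "Groups", a user
# "jsmith", and a folder D:\Finance on the file server running the script.
Import-Module ActiveDirectory
$groupsOU = 'OU=Groups,DC=contoso,DC=com'

# A -> G: accounts go into a global group that names a role.
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'jsmith'

# G -> DL: the role group is nested into a domain local group that names one
# resource and one level of access.
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance-Staff'

# DL -> P: only the domain local group ever appears in the resource ACL, so
# access reviews read the ACL once and the group membership, never per user.
$acl  = Get-Acl -Path 'D:\Finance'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CONTOSO\DL-FinanceShare-Modify', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Finance' -AclObject $acl

# AGUDLP variant for a multi-domain forest in native mode: nest each domain's
# global group into one universal group, and nest that into the domain local
# group instead of the global group.
# New-ADGroup -Name 'UG-Finance-Staff-Forest' -GroupScope Universal -GroupCategory Security -Path $groupsOU
# Add-ADGroupMember -Identity 'UG-Finance-Staff-Forest' -Members 'GG-Finance-Staff'
# Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'UG-Finance-Staff-Forest'

# Check: effective membership of the resource group, resolved through nesting.
Get-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Recursive | Select-Object SamAccountName
```

Keeping users out of the domain local group directly (and out of the ACL entirely) is what makes the model auditable: removing jsmith from GG-Finance-Staff revokes access to every resource the role was granted.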
What do you use Active Directory Users and Computers for?
Use it to create, organize, and delete objects in Active Directory.
How do you access Active Directory Users and Computers?
-Server Manager
-Administrative Tools
-Running dsa.msc
What is ADSI Edit?
It is the Active Directory Service Interfaces Editor.
-Use it to query, view, and edit attributes that are not exposed through other MMC snap-ins.
What is Dsadd used for?
creates a new object in Active Directory
What is Dsquery used for?
finds objects that match the search criteria. Returns a list of objects that match the search criteria.
What is Dsget used for?
retrieves property info about an object.
What is Csvde used for?
Used to import and export Active Directory objects using a comma-separated value file.
-PASSWORDS ARE NOT EXPORTED, and csvde can only create objects on import, not modify or delete them.
What is Ldifde used for?
Imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
-Passwords are NOT exported.
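An ldifde import and a csvde export side by side, as an added example that is not from the original page; it covers both the csvde and ldifde cards. The domain contoso.com, the Staff OU, the user Jane Smith and the paths under C:\import are assumptions. Since neither tool will carry a usable password for you (ldifde can set unicodePwd only over an LDAPS session), the account is created disabled and given its password afterwards over the secure AD channel.

```powershell
# Added example, not from the original page. Placeholders: domain contoso.com,
# OU "Staff", user jsmith, working directory C:\import. Run elevated as an
# account allowed to create users.

# 1. Write an LDIF change record. userAccountControl 514 = normal account,
#    disabled; the record ends with a blank line.
@'
dn: CN=Jane Smith,OU=Staff,DC=contoso,DC=com
changetype: add
objectClass: user
sAMAccountName: jsmith
userPrincipalName: jsmith@contoso.com
givenName: Jane
sn: Smith
displayName: Jane Smith
userAccountControl: 514

'@ | Set-Content -Path C:\import\jsmith.ldf -Encoding ASCII

# 2. Import: -i import mode, -f input file, -k keep going past
#    "already exists"/constraint errors, -j directory for the log files.
ldifde -i -f C:\import\jsmith.ldf -k -j C:\import

# 3. Set the password through the AD module (encrypted channel) and enable.
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity jsmith -Reset -NewPassword (Read-Host 'Initial password' -AsSecureString)
Enable-ADAccount -Identity jsmith

# 4. csvde export of user objects with a chosen attribute list. No password
#    material is ever written, whatever attributes are requested.
csvde -f C:\import\users.csv -r '(&(objectClass=user)(objectCategory=person))' `
      -l 'dn,sAMAccountName,userPrincipalName,userAccountControl'
```

The export filter restricts results to user objects; leaving -r off dumps the whole directory, which is rarely what you want in a file that will be mailed around.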
What is Powershell?
a command line environment designed for automating administration and maintenance for Windows Server 2008 and Windows Server 2008 R2.
What is the general syntax of PowerShell cmdlets?
Verb-Noun. The Active Directory module cmdlets put an AD prefix on the noun, for example Get-ADUser, New-ADGroup, and Set-ADObject.
What is Ldp?
Allows you to search for and view the properties of multiple Active Directory objects over LDAP.
-GUI based.
What is the ADMT?
-Active Directory Migration Tool.
-GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another.
What is the Active Directory Administrative Center?
An Active Directory management GUI tool built on Windows PowerShell.
-Creates or manages new or existing user accounts, groups, computer accounts, organizational units, and containers.
-Connects to one or several domains or domain controllers in the same instance of the Active Directory Administrative Center.
-Changes domain and forest functional levels.
-Filters Active Directory data by using queries.
What is SOA?
-Start of Authority record.
-First record in any DNS zone file.
-Defines general parameters for the DNS zone (primary server, responsible person, serial number, refresh/retry/expire timers).
-Only one SOA per zone.
What is NS?
-Name Server.
-Identifies all name servers that can perform authoritative name resolution for the zone.
What is an A host?
maps an IPv4 DNS host name to an IP address.
What is an AAAA record?
maps an IPv6 DNS host name to an IP address.
What is a CNAME?
provides alternative names to hosts that already have a host record.
What is DNAME?
maps an entire subtree of the DNS namespace to another domain name; it is an alias for a domain rather than for a single host.
what is SRV?
used by Windows Server 2008 to register network services.
What is PTR?
In a reverse lookup zone, the PTR record maps an IP address to a host name.
What does a full zone transfer copy?
It copies all of the zone data with each zone transfer.
Who initiates a zone transfer?
The secondary server always initiates the zone transfer; the master can send a NOTIFY, but it is the secondary that pulls the data.
How do you improve DNS performance?
place multiple DNS servers on your network.
What does a caching only server do?
Runs DNS but has no zones configured.
-Use a caching-only server to improve performance while eliminating zone transfers.
When can you disable zone transfers?
If a zone is AD-integrated and has no secondary servers, you can disable zone transfers.
What is a forwarder?
a DNS server that can be used by another DNS server to resolve queries for records that cannot be resolved through the cache.
What is a secondary zone?
A read-only copy of a zone hosted on another server. You can eliminate the need for a forwarder for a specific zone by adding a secondary zone for it to the server, at the cost of zone transfer traffic.
What is a stub zone?
A zone with only a partial copy of the zone database. It holds only the following:
-SOA record for the zone
-NS records for all authoritative DNS servers for the zone
-A records for the authoritative name servers identified in the NS records
What is a conditional forwarder?
a forwarder that is used for a specific domain.
When should you use a conditional forwarder?
use a conditional forwarder to eliminate all zone transfer traffic, or in conditions where you are not allowed to transfer data from a zone.
What is recursion?
the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution.
What are Root hints?
pointers to top level DNS servers on the internet.
What is DNS Round Robin?
A load balancing mechanism used by DNS servers to share and distribute network resource loads: when a name has several A records, the server rotates their order in successive responses.
What is Background Zone Loading?
The DNS server loads zone data from AD DS in the background while the server restarts, so it can begin answering queries from other zones sooner.
What is an RODC?
-Read-Only Domain Controller.
-An additional domain controller for a domain that hosts read-only partitions of the Active Directory database.
What is the No-refresh interval?
the time between the record’s last refresh and when it can next be refreshed.
What is the refresh-interval?
identifies a period of time when a record can be refreshed. It begins when the no-refresh interval ends.
What is the command adprep/forestprep used for?
Used to update the Windows 2000 Server or Windows Server 2003 Active Directory schema for Windows Server 2008 or Windows Server 2008 R2.
-Run it only once in the forest.
-Run it on the domain controller that holds the schema master role.
-You must be a member of the Enterprise Admins, Schema Admins, and Domain Admins groups (Domain Admins of the domain that hosts the schema master).
What is the adprep/rodcprep used for?
Use it if you plan on installing an RODC in any domain in the forest.
-Run it only once in the forest.
-You can run this command on any computer in the forest.
-You must be a member of Enterprise Admins.
When installing a new Windows Server 2008 or 2008 R2, what must the first domain controller be?
It must be a Global catalog server.
What are the methods that can be used for installing AD DS?
-Active Directory Domain Services Installation Wizard
-Command line (dcpromo with switches)
-Answer file (unattended dcpromo)
-Install from media (IFM), using installation media created with ntdsutil.exe
What command is used to remove AD DS?
dcpromo.exe
What do you do if you are removing the last domain controller from a FOREST?
Run dcpromo and, in the wizard, select the option to delete the domain because this server is the last domain controller in it; removing the last domain also removes the forest.
What is available at 2000 Native Domain functional level?
-Universal groups are available for both security and distribution groups
-Group nesting
-Group conversion (between security and distribution, and between scopes)
-Security identifier (SID) history
What is available at the 2008 domain functional level?
Includes all features available at the 2003 level and adds the following:
-DFS Replication for SYSVOL
-AES 128 and AES 256 encryption for Kerberos
-Last interactive logon information
-Fine-grained password policies, which allow you to specify password and account lockout policies for users and global security groups in a domain
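A fine-grained password policy for privileged accounts, created and verified with the Active Directory module, as an added example (not from the original page). It assumes a domain already at the Windows Server 2008 functional level; the policy name PSO-PrivilegedAccounts and the user admin.jsmith are placeholders, and the numeric values are illustrative settings, not a recommendation from the page.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module; policy name, subject group and the user admin.jsmith are placeholders.
Import-Module ActiveDirectory

# Password Settings Objects are ignored below the 2008 domain functional
# level, so refuse to create one that would silently do nothing.
$mode = (Get-ADDomain).DomainMode
if ($mode -match '2000|2003') {
    throw "Domain functional level $mode does not support fine-grained password policies"
}

# Stricter settings than the default domain policy for privileged accounts.
# When a user is a subject of several PSOs, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and GLOBAL security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Verify what one account actually gets once precedence is resolved; if this
# returns nothing, the default domain policy applies to that user.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jsmith' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

The resultant-policy check is the step most often skipped: a PSO linked to the wrong group scope, or shadowed by a lower-precedence PSO, fails silently.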
What is available at the 2008 R2 domain functional level?
Includes all previous features and adds:
-Authentication Mechanism Assurance (AMA), allowing you to control access to network resources based on the type of certificate used during logon (for example, smart card logon).
-Automatic Service Principal Name (SPN) management when using managed service accounts and virtual accounts.
What forest functional level must you be at to use the Active Directory Recycle Bin?
Windows Server 2008 R2.
What is a Site Link Bridge?
A collection of two or more site links that can be grouped as a single logical, transitive link.
-Site link bridging (Bridge all site links) is enabled by default.
-If it is disabled, you must manually create site link bridges so that replication can route between sites that are not directly linked.
What is a Bridgehead server?
A domain controller in a site that replicates with domain controllers in other sites.
-REPLICATION WITHIN A SITE DOES NOT USE BRIDGEHEAD SERVERS.
What can be used to allow replication within mail messages in environments where WAN links are not available?
SMTP
-SMTP can replicate only the configuration and schema directory partitions and global catalog read-only replicas; it cannot replicate the domain partition.
-Requires an enterprise CA when you use it over site links, because the replication messages are signed and encrypted with certificates.
What is site link cost?
A number assigned to a site link that identifies the overall relative cost of using that site link.
-Default is 100.
-The lower the number, the more preferred the site link.
What commands can you use to force replication?
-Replicate Now (on a connection object in Active Directory Sites and Services)
-repadmin.exe /replicate
What are the stages of of DFS migration?
Migration of SYSVOL from FRS to DFS Replication moves through four global states, set with dfsrmig:
-Global state 0 (Start): DFS Replication has not started yet; FRS is still being used.
-Global state 1 (Prepared): DFS Replication begins replicating a copy of SYSVOL, but FRS is still the replication method in use.
-Global state 2 (Redirected): FRS continues to replicate, but the DFS Replication copy becomes the master that clients use.
-Global state 3 (Eliminated): FRS completely stops and DFS Replication becomes the sole source of replication; this step cannot be rolled back.
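Driving the migration through the states with dfsrmig, as an added example that is not part of the original page. It assumes you are a Domain Admin running on a domain controller in a domain already at the Windows Server 2008 functional level; the 60-second polling interval is an arbitrary choice.

```powershell
# Added example, not from the original page. Run as Domain Admin on a DC in a
# domain at the Windows Server 2008 functional level or higher.

# Before starting, the global state should be 0 ('Start').
dfsrmig /getglobalstate

# Advance one state at a time, and do not move on until every DC reports the
# new state: the migration state of all DCs must match the global state.
foreach ($state in 1, 2, 3) {
    dfsrmig /setglobalstate $state
    do {
        Start-Sleep -Seconds 60
        $out = dfsrmig /getmigrationstate
    } until ($out -match 'All Domain Controllers have migrated successfully')
    Write-Host "All domain controllers reached global state $state"
}

# States 1 and 2 can be rolled back (/setglobalstate 1 or 0); state 3
# removes FRS from SYSVOL replication and is irreversible, so confirm
# SYSVOL_DFSR content on every DC before the loop reaches it.
```

In practice you would run the loop to state 2, check that clients are reading SYSVOL_DFSR and that Group Policy still applies, and only then issue state 3 by hand.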
What does the schema master do?
Maintains the AD schema for the forest.
What does the Domain Naming Master do?
Adds new domains to and removes existing domains from the forest. _x000D_
-ensures that domain names are unique
What does the RID master do?
It allocates pools (blocks) of relative identifiers (RIDs) that each domain controller uses when creating new security principals (users, groups, computers), so that SIDs stay unique across the domain.
What does the PDC emulator do?
Acts like a Windows NT 4.0 Primary Domain Controller for down-level clients and backup domain controllers. It also performs other tasks: it receives preferential replication of password changes, processes account lockouts, is the default domain controller for editing Group Policy, and is the authoritative time source for the domain.
What is the Infrastructure Master responsible for?
It is responsible for updating cross-domain object references (for example, group members who belong to another domain) on the domain controllers in its domain. It should not be hosted on a global catalog server unless every domain controller in the domain is also a global catalog.
What is DNS?
The Domain Name System (DNS) is a hierarchical, distributed database that maps logical host names to IP addresses
What does a DNS server hold?
A DNS server holds a database of hostnames and their corresponding IP addresses. Clients query the DNS server to get the IP address of a given host.
What was used before DNS?
a hosts file saved on each host computer
What makes up the DNS hierarchy?
The DNS hierarchy is made up of the following components:
– . (dot) domain (also called the root domain)
– Top Level Domains (TLDs) (.com, .edu, .gov)
– Second-level and additional domains
– Hosts
What is a FQDN?
Fully Qualified Domain Name – includes the host name and the name of all domains back to root.
What makes DNS a distributed database?
DNS is a distributed database because no one server holds all of the DNS information. Instead, multiple servers hold portions of the data.
What is a zone?
Zones typically contain one or more domains, although additional servers might hold information for child domains.
What do DNS servers do?
DNS servers hold zone files and process name resolution requests from client systems.
What is a DNS forward lookup?
A forward lookup uses the host name (or the FQDN) to find the IP address
What is a DNS reverse lookup?
A reverse lookup uses the IP address to find the host name (or FQDN).
What is an A record?
The A record maps a host name to an IP address and is used for forward lookups.
What is a PTR record?
The PTR record maps an IP address to a host name and is used for reverse lookups.
What is a CNAME record?
The CNAME record provides an alternate name (an alias) for a host.
What is a SRV record?
The SRV record identifies a service, such as an Active Directory domain controller.
How are DNS records created?
Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts automatically register and update their corresponding records with the DNS server.
What is the process followed when a client computer needs to find an IP address?
– The client examines its HOSTS file for the IP address.
– If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
– If the IP address is not in the cache, the client sends the request to a DNS server.
What is the process when a DNS server received a name resolution request?
1) The DNS server examines its local DNS cache for the IP address.
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or recursion to other DNS servers.
5) After the information is found or received from another server, the DNS server returns the result to the client and places the information in its server cache.
What is an authoritative DNS server?
a DNS server that has a full, complete copy of all the records for a particular zone.
What is DNS Forwarding?
Where the DNS server forwards the name resolution request to another DNS server, then waits for a response from that server
What is DNS Recursion
Where the DNS server queries root domain servers, top-level domain server and other DNS servers in an iterative manner until it finds the one that hosts the target domain.
What is a caching-only DNS server?
A caching-only DNS server has no zone information; it is not authoritative for any domains. It uses information in its server cache, or forwarding or recursion, to respond to client queries.
Who can install DNS in Server 2008?
Members of the Domain Admins group
Which versions of server 2008 can have DNS installed on them?
You can install DNS on any version of Windows Server 2008 except for the Windows Server 2008 Web Server edition.
What type of IP address must the DNS server have?
Static
How would you add the DNS role from a command prompt (or on a server core)?
start /w ocsetup DNS-Server-Core-Role
What command will give a list of installed services on a server?
Run the oclist command to get a list of services (including DNS) installed on a server.
What can be used to manage DNS on Server 2008?
Use the DNS snap-in or the dnscmd command to manage DNS.
What is a primary DNS zone?
the master copy of a zone database
What is a secondary DNS zone?
A secondary zone is a read-only copy of the zone database.
What is an Active Directory-integrated DNS zone?
An Active Directory-integrated zone holds zone data in Active Directory instead of a text file.
What is a stub zone?
A stub zone is a zone with only a partial copy of the zone database.
What is the GlobalNames DNS zone?
The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution.
What is a forward lookup DNS zone?
A forward lookup zone provides hostname-to-IP address resolution. Clients query the DNS server with the hostname, and receive the IP address in return.
What is a reverse lookup DNS zone?
A reverse lookup zone provides IP address-to-hostname resolution. Clients query the DNS server with the IP address, and receive the hostname in return.
How many servers can hold the primary zone file?
Only one server can hold the primary zone file. To place zone data on multiple servers, configure secondary servers.
Where does Windows store standard zone data?
Windows stores standard zone data in the %windir%\System32\Dns directory. The file is a text file named after the zone with .dns appended.
Which types of zone support dynamic updates?
Primary and Active Directory-integrated zones support dynamic updates. Use an Active Directory-integrated zone to use secure dynamic updates.
What types of record does a reverse lookup zone hold?
Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP address to an A record.
What type of zones can a reverse lookup zone be?
A reverse lookup zone can be a primary zone, a secondary zone, or an Active Directory integrated zone.
What is the SOA (Start of Authority) record?
The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone, and it is assigned to the DNS server hosting the primary copy of a zone. There is only one SOA record, and it is the first record in the zone database file. The SOA record includes parameters such as the authoritative server and the zone file serial number.
What is an NS (Name Server) record?
The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone (all authoritative DNS servers).
What is an A (Host Address) record?
The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the most common resource record type.
What is an AAAA (Quad A) record?
The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address.
What is an MX (Mail Exchanger) Record?
The MX record identifies servers that can be used to deliver e-mail.
What is a CNAME record?
The CNAME record provides alternate names (or aliases) to hosts that already have a host record. Using a single A record with multiple CNAME records means that when the IP address changes, only the one A record needs to be modified.
What is a DNAME record?
The DNAME record provides an alias for an entire subtree of the DNS namespace, mapping every name under one domain to the corresponding name under another.
What is a SRV (Service Locator) record?
The SRV record is used by Windows Server 2008 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically creates these records as needed and during domain controller installation.
What is a PTR (Pointer) record?
In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. “points” to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.
What are WINS and WINS-R records?
Add these records to a zone when you want to allow DNS to use WINS resolution. The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse query that is not resolvable through DNS.
How can DNS records be automatically created on a DNS server?
By using Dynamic DNS. Dynamic DNS is required to support Active Directory.
Which Windows clients support DDNS?
Windows clients (2000 and above) create their A records with the DNS server. Windows 9x/Me/NT clients do not support dynamic DNS.
How does the DHCP server tie in with DDNS?
The DHCP server registers the PTR record with the DNS server for clients capable of dynamic updates. The DHCP server updates both the A and PTR records for clients that do not support dynamic updates.
Are dynamic updates enabled by default on a primary zone?
Dynamic updates are not enabled on primary zones. You can enable dynamic updates when you create the zone or modify the zone properties later to enable this feature.
Are dynamic updates enabled by default on an Active Directory-integrated zone?
Dynamic updates are enabled on Active Directory-integrated zones. Note: When you convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is retained.
What are secure dynamic updates?
With secure dynamic updates, only domain members can create records, and only the original client can modify or remove records.
What is used to keep track of changes to a DNS zone?
The zone serial number keeps track of changes to the zone. When you make changes to the zone, the serial number is incremented.
What is a DNS master server?
A master server is the server from which the secondary copies the zone data. The master server can be the primary server or another secondary server.
What are the two types of zone transfer?
Zone transfers can copy all records or only changed records:
– A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
– A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default method on Windows Server 2008.
Are zone transfers enabled in Server 2008 by default?
By default, zone transfer in Windows Server 2008 is disabled for security reasons. To use zone transfers, manually enable the feature in the DNS settings in Server Manager.
How can you restrict the servers to which zone transfers are allowed?
– Allow zone transfers only to servers that are listed as name servers.
– Allow zone transfers only to servers you specifically identify.
What is DNS notify?
Windows DNS servers support the use of DNS Notify. With DNS Notify, master servers are configured with a list of slave DNS servers.
How does DNS notify work?
– When a change takes place, the master notifies the slave servers that the zone has changed.
– The secondary server then initiates zone transfer, first checking the serial number, then requesting changes.
What is a DNS caching server?
A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers.
How does an Active Directory-integrated zone store DNS information?
An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when Active Directory replicates.
How can you secure zone transfers to secondary servers?
Active Directory replication traffic is automatically secured. To secure zone transfers to secondary servers, use IPsec between servers.
How can you force an update of DNS zone data?
You can force an update of zone data through the DNS console or by using the Dnscmd command.
cached credentials
A cached copy of a user’s logon credentials that have been stored on the user’s local workstation.
clock skew
The time difference between any client or member server and the domain controllers in a domain.
Domain Naming Master
A role that has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest. Upon creation of any of these, the Domain Naming Master ensures that the name assigned is unique to the forest.
_gc
Global catalog service that listens on port 3268 to respond to requests to search for an object in Active Directory.
indexed
An attribute has been stored in the partial attribute set replicated to all global catalog servers in the forest.
Infrastructure Master
A domain-specific role that is responsible for reference updates from its domain objects to other domains. This assists in tracking which domains own which objects.
seize
A forced, ungraceful transfer of a role. This procedure is used only in the event of a catastrophic failure of a domain controller that holds an FSMO role.
transfer
Move a role to a new domain controller.
universal group
Memberships stored in the global catalog. A universal group can contain users, groups, and computers from any domain in the forest. In addition, universal groups, through their membership in domain local groups, can receive permissions for any resource anywhere in the forest.
universal group membership caching
This feature stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server.
partial attribute set
PAS
A partial copy of all objects from other domains within the same forest. This partial copy of forest-wide data includes a subset of each object’s attributes.
Primary Domain Controller Emulator
PDC Emulator
A role that provides backward compatibility from Microsoft Windows NT 4.0 domains and other down-level clients.
relative identifier
RID
A variable length number that is assigned to objects as created and becomes part of the object’s security identifier (SID).
Relative Identifier Master
RID Master
Role that is responsible for assigning relative identifiers to domain controllers in the domain. Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created.
security identifier
SID
A variable length number used to uniquely identify an object throughout the Active Directory domain. Part of the SID identifies the domain to which the object belongs and the other part is the RID.
AD DS
Active Directory Domain Services
Windows Server 2008 service that provides a centralized authentication service for Microsoft networks. Provides the full-fledged directory service that is called Active Directory in Windows Server 2008 and previous versions of Windows Server.
DN
Distinguished Name
The full name of the object that includes all hierarchical containers leading up to the root domain. The xxxxxxxxxxx begins with the object’s common name and appends each succeeding parent container object, reflecting the object’s location in the Active Directory structure.
DC
Domain Controller
A server that stores the Active Directory database and authenticates users with the network during logon.
KCC
Knowledge Consistency Checker
An internal Active Directory process that automatically creates and maintains the replication topology. The xxxxxxxxxxx operates based on the information provided by an administrator in the Active Directory Sites and Services snap-in, which is located in the Administrative Tools folder on the domain controller, or on an administrative workstation that has the Administrative Tools installed.
NC
Naming Context
An Active Directory partition.
DNS
Domain Name System
The name resolution mechanism computers use for all Internet communications and for private networks that use the Active Directory domain services included with Microsoft Windows Server 2008, Windows Server 2003 and Windows 2000 Server.
GUID
Globally Unique Identifier
A 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed.
LDAP
Lightweight Directory Access Protocol
The protocol that has become an industry standard that enables data exchange between directory services and applications. The xxxxxxxxx standard defines the naming of all objects in the Active Directory database and therefore provides a directory that can be integrated with other directory services, such as Novell eDirectory, and Active Directory-aware applications, such as Microsoft Exchange.
OU
Organizational Unit
A container that represents a logical grouping of resources that have similar security or administrative guidelines.
RODC
Read-Only Domain Controller
A domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers within Active Directory. This feature was introduced in Windows Server 2008.
Application Partition
A partition that allows information to be replicated to administratively chosen domain controllers. An example of information that is commonly stored in an application partition is DNS data. xxxxxxxxx offer control over the scope and placement of information that is to be replicated.
Attribute
Characteristics associated with an object class in Active Directory that make the object class unique within the database. The list of xxxxxxxs is defined only once in the schema, but the same xxxxxxxx can be associated with more than one object class.
Configuration NC
The configuration partition contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest.
container object
An object, such as a domain or an Organizational Unit, that is used to organize other objects. Also known as a leaf object.
cross-forest trust
Trust type that allows resources to be shared between Active Directory forests.
delegation
Administration of an Organizational Unit is tasked to a department supervisor or manager, thus allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords.
directory service
Allows businesses to define, manage, access, and secure network resources, including files, printers, people, and applications.
domain
A grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems.
Domain NC
Active Directory domain partition that is replicated to each domain controller within a particular domain. Each domain’s xxxxxxx contains information about the objects that are stored within that domain; users, groups, computers, printers, Organization Units, and more.
domain tree
In Active Directory, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship. Each Active Directory forest can contain one or more xxxxxxxs, each of which can, in turn, contain one or more domains.
external trust
A one-way, nontransitive trust that is established with a Windows NT domain or a Windows 2000 domain in a separate forest.
fault tolerant
The ability to respond gracefully to a software or hardware failure. In particular, a system is considered to be xxxxxxxx when it has the ability to continue providing authentication services after the failure of a domain controller.
forest
The largest container object within Active Directory. The xxxxxxxx container defines the fundamental security boundary within Active Directory, which means that a user can access resources across an entire Active Directory xxxxxxxx using a single logon/password combination.
forest root domain
The first domain created within an Active Directory forest.
functional levels
Designed to offer support for Active Directory domain controllers running various supported operating systems by limiting functionality to specific software versions. As legacy domain controllers are decommissioned, administrators can modify the xxxxxxxxx to expose new functionality within Active Directory. Some features in Active Directory cannot be activated, for example, until all domain controllers in a forest are upgraded to a specific level.
inbound replication
Occurs when a domain controller receives updates to the Active Directory database from other domain controllers on the network.
IP address
A unique number used to identify all devices on an IP network. xxxxxxxxxxs are four octets long and commonly expressed in dotted-decimal notation, such as 192.168.10.1.
leaf object
An object, such as a domain or an Organizational Unit, that is used to organize other objects. Also known as a container object.
link-value replication
An improvement to replication that is available after the forest functional level has been raised to Windows Server 2003, or higher, enabling a single membership change to a group to trigger the replication of only the change to each member in the list, rather than the entire membership list.
locator service
Active Directory DNS provides direction for network clients that need to know which server performs what function.
loose consistency
Individual domain controllers in an Active Directory database may contain slightly different information, because it can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment.
object
An element in Active Directory that refers to a resource. Xxxxxxxs can be container xxxxxxs or leaf xxxxxs. Containers are used to organize resources for security or organizational purposes; leaf xxxxxxs refer to the end-node resources, such as users, computers, and printers.
outbound replication
Occurs when a domain controller transmits replication information to other domain controllers on the network.
partition
Portion of Active Directory database used to divide the database into manageable pieces.
Publish
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource.
2) An option used to deploy applications. It allows users to install the applications that they consider useful to them.
replication
The process of keeping each domain controller in sync with changes made elsewhere on the network.
rolling upgrades
Upgrade strategy based on functional levels that allows enterprises to migrate their Active Directory domain controllers gradually, based on the need and desire for the new functionality.
schema
Master database that contains definitions of all objects in the Active Directory.
Schema NC
The partition that contains the rules and definitions used for creating and modifying object classes and attributes within Active Directory.
shortcut trust
A manually created nontransitive trust that allows child domains in separate trees to communicate more efficiently by eliminating the tree-walking of a trust path.
site
One or more IP subnets connected by fast links.
SRV record
The locator records within DNS that allow clients to locate an Active Directory domain controller or global catalog.
trust relationship
Enables administrators from a particular domain to grant access to their domain’s resources to users in other domains.
A record
The building block of the DNS that maps a single IP address to a DNS hostname.
Admin Role Separation
Feature offered by Read-Only Domain Controllers (RODCs) that enables an administrator to configure a user as the local administrator of a specific RODC without making the user a Domain Admin with far-reaching authority over all domain controllers in the entire domain and full access to the Active Directory domain data.
aging
The dynamic update feature that places a timestamp on a record, based on the current server time, when the IP address is added. This is part of the aging and scavenging process.
binaries
The executable files needed to install Windows.
dcpromo
The Active Directory Installation Wizard.
domain netBIOS name
Domain name limited to 15 characters that is maintained for legacy compatibility with older applications that cannot use DNS for their name resolution.
dynamic updates
Enables the DNS database to be updated with the changed information when the Internet Protocol (IP) address of a host changes.
forward lookup zone
Zones necessary for computer hostname-to-IP address mapping, which are used for name resolution by various services.
global catalog
A domain controller that contains a partial replica of every domain in Active Directory. The xxxxxxxxx stores those attributes most frequently used in search operations (such as a user’s first and last names) and those attributes required to locate a full replica of the object. The Active Directory replication system builds the global catalog automatically.
incremental zone transfers
Method of conserving bandwidth by transferring part of a zone.
AD LDS
Active Directory Lightweight Directory Services
Role that provides developers the ability to store data for directory-enabled applications without incurring the overhead of extending the Active Directory schema to support their applications. This feature was introduced in Windows Server 2008.
DSRM
Directory Services Restore Mode
A special startup mode used to run an offline defragmentation.
FSMO
Flexible Single Master Operations
The specific server roles that work together to enable the multimaster functionality of Active Directory.
FQDN
fully qualified domain name
The complete DNS name used to reference a host’s location in the DNS structure.
OID
Object Identifier
A unique string used to identify every class or attribute added to a schema. OIDs must be globally unique, and they are represented by a hierarchical dotted-decimal notation string.
PTR
pointer
The resource record that is the functional opposite of the A record, providing an IP address-to-name mapping for the system identified in the Name field using the in-addr.arpa domain name.
UPN
User Principal Name
A naming format that simplifies access to multiple services such as Active Directory and email. A xxxxxxxxx follows a naming convention that can reflect the forest root domain or another alias that follows the format of [email protected].
instance
A single occurrence of an element.
latency
The amount of time or delay it takes to replicate information throughout the network.
netdom
A command-line tool that is used to create, delete, verify, and reset trust relationships from the Windows Server 2008 command line.
nslookup
A command-line tool that is critical for working with DNS on Server Core.
Password Replication Policy
A list of user or group accounts whose passwords should be stored on a particular Read-Only Domain Controller (RODC) or should not be stored on the specific RODC.
priority
A mechanism to set up load balancing between multiple servers that are advertising the same SRV records. Clients will always use the record with the lowest-numbered priority first. They will only use an SRV record with a higher-numbered priority if the lower-numbered priority record is unavailable.
restartable Active Directory
Feature that enables administrators to place the NTDS.DIT file in an offline mode without rebooting the domain controller outright. This feature was introduced in Windows Server 2008.
reverse lookup zone
Zone that answers queries in which a client provides an IP address and DNS resolves the IP address to a hostname.
scavenging
The process of removing records that were not refreshed or updated within specified time intervals.
Server Core
A special installation option that creates a minimal environment for running only specific services and roles. Server Core runs without the Windows Desktop shell, which means that it must be administered exclusively from the command line or using Group Policy. This feature was introduced in Windows Server 2008.
Server Manager
A utility that enables administrators to view any other roles the server might be performing. The Server Manager utility launches automatically at startup after the Initial Configuration Tasks utility is closed. It can be accessed manually through the shortcut provided in the Administrative Tools folder or directly from the Start menu.
staged installation
To begin the Active Directory installation at a central location, such as a data center, and then allow a local administrator to complete the configuration.
SYSVOL
A shared folder that exists on all domain controllers and is used to store Group Policy Objects, login scripts, and other files that are replicated domain-wide.
time-to-live
The length of time a record is valid, after which it needs to be reregistered.
Unattended installation
Running dcpromo from the command line using a specially formatted text file to specify the necessary installation options.
weight
A relative weighting for SRV records that have the same priority. For example, consider three SRV records with the same priority with relative weights of 60, 20 and 20. Because 60 + 20 + 20 = 100, the record with the weight of 60 will be used 60/100, or 60%, of the time, whereas each of the other two records will be used 20/100, or 20 percent, of the time.
zone transfers
The process of replicating DNS information from one DNS server to another.
asynchronous replication
Each replication transaction does not need to complete before another can start because the transaction can be stored until the destination server is available.
bridgehead server
The server at each site that acts as a gatekeeper in managing site-to-site replication. This allows intersite replication to update only one domain controller within a site. After a xxxxxxxx is updated, it updates the remainder of its domain controller partners with the newly replicated information.
change notification
Method used by domain controllers to inform one another of when changes need to be replicated. Each domain controller will hold a change for 45 seconds before forwarding it, after which it will transmit the change to each of its replication partners in 3 second intervals.
compressed
To reduce the size of transmitted data to decrease the use of network bandwidth.
connection objects
The link, created by the Knowledge Consistency Checker, between domain controllers that replicate with one another in a site.
convergence
The amount of time required for replication so that all domain controllers in the environment contain the most up-to-date information.
cost
Value assigned to a site link object to define the path that replication will take. If more than one path can be used to replicate information, cost assignments will determine which path is chosen first. A lower-numbered cost value.
dcdiag
A command-line tool used for monitoring Active Directory.
dual counter-rotating ring
Created by the Knowledge Consistency Checker for the replication path. If one domain controller in the ring fails, traffic is routed in the opposite direction to allow replication to continue.
frequency
A value assigned to a site link that determines how often information will be replicated over the site link.
CIDR
Classless Inter-Domain Routing
Form of notation that shows the number of bits being used for the subnet mask. For example, for an IP address of 192.168.64.0 with a mask of 255.255.255.0, the CIDR representation would be 192.168.64.0/24.
ISTG
Intersite Topology Generator
A process that selects a bridgehead server and maps the topology to be used for intersite replication.
LVR
linked-value replication
An improvement to replication that is available for use after the forest functional level has been raised to Windows Server 2003 or higher, enabling a single membership change to a group to trigger the replication of only this change to each member in the list, rather than the entire membership list.
RPC over IP
Remote Procedure Calls over Internet Protocol
Default protocol used for all replication traffic.
SMTP
Simple Mail Transfer Protocol
Transport protocol used for intersite replication when a direct or reliable IP connection is unavailable.
USN
update sequence number
A local value, maintained by each domain controller, that tracks the changes that are made at each DC, thus tracking which updates should be replicated to other domain controllers.
intrasite replication
The process of replicating Active Directory information between domain controllers within a site.
intersite replication
The process of replicating Active Directory information from one site to another.
preferred bridgehead servers
The administrator’s list of servers to be used as bridgehead servers. A bridgehead server is the server at each site that acts as a gatekeeper in managing site-to-site replication.
repadmin
A command-line tool that can check replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and Knowledge Consistency Checker (KCC) recalculation.
replication partners
Servers that inform each other when updates are necessary. The Knowledge Consistency Checker (KCC) selects one or more replication partners for each domain controller in the site.
replication topology
Defines the path used by replication traffic.
schedule
Determines the time when a site link object is available to replicate information.
site link bridge
Defines a chain of site links by which domain controllers from different sites can communicate.
site links
A connection between two or more sites that enables intersite replication.
timestamp
An attribute set on an object to indicate when it was last updated. Timestamps are used to assist in the resolution of conflicts during replication. If a change was made to an attribute of the same object, the timestamp can help determine which object is the most up-to-date.
transitive
Default characteristic of site links that use the same transport protocol. A domain controller in any site can connect to a domain controller in any other site by navigating a chain of site links.
urgent replication
The change will be placed at the “beginning of the line” and it will be applied before any other changes that are waiting to be replicated.
version ID
A value associated with each Active Directory attribute that keeps track of how many times that attribute has been changed.
well-connected
The network infrastructure between sites defined by fast and reliable IP subnets.
What is a Certificate Revocation List (CRL) ?
A Certificate Revocation List (CRL) is a digitally signed list of unexpired certificates that a particular CA has revoked.
Which two types of CRLs does AD CS support?
The AD CS supports two types of CRLs.
A Base CRL is a full, initial set of revoked certificates.
A Delta CRL lists only certificates that have been revoked since the last full Base CRL was implemented.
Abbrev : CDP
CRL Distribution Point (CDP)
What is a CRL Distribution Point (CDP) ?
A CRL Distribution Point (CDP) is a certificate extension that indicates where the CRL for a particular CA can be retrieved.
Abbrev : LDAP
Lightweight Directory Access Protocol
How do CDPs help ?
Using CDPs enables PKI administrators to locate and access a relevant CRL so they can manually update the entries it contains. These entries are valid only for a specified time period.
A CDP may be located in
Active Directory (AD): You use the AD as the CDP to publish and store CRLs for enterprise CAs, which use certificate templates. PKI users can retrieve CRL data from an AD CDP using LDAP.
Accessing CRLs via a directory service uses more bandwidth than accessing CRLs directly because it requires that every client be able to authenticate to every server. Directories must be linked so that results can be located and passed back to the requesting PKI client.
A local directory: You use the local directory of a CA server as the CDP to store CRLs on standalone CAs, which don’t require AD or use certificate templates. By default, standalone CAs hold all certificate requests in a pending queue until a CA approves them.
PKI users can access CRL data in a local directory via the Internet or an extranet, using HTTP or FTP.
Abbrev :: OCSP
Online Certificate Status Protocol
What is OCSP ?
The OCSP enables you to manage and distribute the revocation status of a certificate via the Online Responder service.
How does OCSP work?
You use the OCSP to submit a certificate status request to an Online Responder. The Online Responder service uses the OCSP to issue a digitally signed certificate status response, based on the CRLs that are provided to it by CAs.
How do you configure an Online Responder?
You can use the following sets of properties to configure an Online Responder:
Web Proxy
Audit
Security
To validate whether AD replicated fine between two DCs, run which command?
RepAdmin
If users at a Branch are to log onto a Domain using RODC ?
Password Replication Policy should be configured.
Abbrev : AD CS
Active Directory Certificate Services
Abbrev : PKI
Public Key Infrastructure
Abbrev : CAs
Certification Authorities
What is a CA used for ?
A CA is used to issue digital certificates and the directories are used to store policies and certificates.
Abbrev : CRL
Certificate Revocation List
What is a CRL ?
A CRL is a digitally signed list of unexpired certificates revoked by a CA.
What are Certificate Templates ?
Certificate templates give instructions to users about procedures for creating and submitting a valid certificate request. This is an essential part of an enterprise CA and enables an administrator to recognize, configure, and issue certificates that have been pre-configured for selected tasks.
Where are Certificate templates stored ?
Certificate templates are stored in Active Directory Domain Services (AD DS).
This enables them to be used by all CAs in a forest and ensures that the CAs have access to the current standard templates.
Benefits of using Certificate Templates ?
Consistent application of the certificate policy across the forest.
There are default templates that can be used.
Default Certificate Templates Available are ?
Computer
Cross Certification Authority
Directory Email Replication
CEP Encryption
Code Signing
Domain Controller
Domain Controller Authentication
EFS Recovery Agent
How many versions of Certificate Templates are available ?
Version 1
Version 2
Version 3
Explain Version 1 certificate Template ?
Version 1 certificate templates are available in a Windows Server 2000 PKI. When a CA is installed, these templates are created by default and cannot be removed or modified. However, you can create a duplicate copy of a version 1 template and change it to a modifiable version 2 or version 3 template.
Version 1 templates are supported by CAs configured for Windows Server 2000 and Windows Server 2003 Standard Edition, which only support version 1 templates.
Explain Version 2 certificate Template ?
Version 2 certificate templates enable you to customize the settings and permissions of a template based on your needs. These templates are only issued by Enterprise CAs installed on Windows Server 2003 Enterprise Edition or higher.
Explain Version 3 certificate Template ?
Version 3 certificate templates enable an administrator to add the advanced Suite B cryptographic settings to their certificates. These settings contain advanced options for digital signatures, encryption, hashing, and key exchange. Administrators can only issue certificates based on version 3 certificate templates from CAs installed on Windows Server 2008 servers. These certificates can only be used on clients running Windows Server 2008 or Windows Vista.
Windows Server 2000 and Windows Server 2003 Standard Edition CAs support which version of certificate templates?
version 1
Windows Server 2003 Datacenter and Enterprise Edition CAs – support which version of certificate templates ?
versions 1 and 2
Windows Server 2008 CAs support which version of certificate templates ?
support for versions 1, 2, and 3
What are the permissions that you can assign to a certificate template ?
The permissions that you can assign to a certificate template are:
Full Control
Enroll
Autoenroll
Read
Write
Note : Windows Server 2008 enables key archival and recovery to prevent potential loss of data that can result from the loss of a key.
Note : This process enables a Key Recovery Agent (KRA) to retrieve private keys, original certificates, and public keys from a database.
Abbrev : KRA
Key Recovery Agent
Note : Enterprise CAs can archive a user’s private key in their database when certificates are issued. These private keys are encrypted and stored by a CA.
Note :A private key can be recovered at a later time by using the private key archive.
How do you configure your environment for key archival ?
To configure your environment for key archival, you will need to

* configure a KRA certificate template and enroll the KRA for a KRA certificate

* enable key archival for a CA
How do you configure a KRA certificate template ?
You need to add the certificate template to a CA.

If the certificate template is configured with Read and Enroll permissions, the new KRA can use the Certificates snap-in and the Certificate Import Wizard to create a KRA certificate.

If the certificate template is configured with the Autoenroll permission, the certificate will be issued automatically the next time the user logs on to the network.
Restricted groups policy settings enable you to manage the membership of groups.
Remember that Member Of settings are cumulative and that if GPOs use the Members setting, only the Members setting with the highest GPO processing priority will be applied, and its list of members will prevail.
Delegating Administration Using Restricted Groups Policies with the Member Of Setting.
In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
You want to add a group to the local Administrators group on computers without removing accounts that already exist in the group. Describe the restricted groups policy you should create.
Create a restricted groups policy for the group you wish to add. Use the Member Of policy setting (This Group Is A Member Of) and specify Administrators
Abbrev : GPOs
Group Policy objects
Abbrev : GPMC
Group Policy Management Console
Abbrev : GPME
Group Policy Management Editor
Policy Setting states ?
A policy setting can have three states:

Not Configured,
Enabled,
and Disabled.
A single GPO can be linked to more than one site or OU.
What is the Scope of the GPO : Security Filters ?
You can narrow the scope of a GPO with Security Filters, which specify the global security groups to which the GPO should or should not apply.
Abbrev : WMI
Windows Management Instrumentation
What do Windows Management Instrumentation (WMI) filters do for the scope of a GPO ?
Windows Management Instrumentation (WMI) filters narrow the scope of a GPO using characteristics of a system, such as operating system version or free disk space.
Abbrev : RSoP ?
Resultant Set of Policy
What is the Resultant Set of Policy (RSoP) ?
Users or computers are likely to be within the scope of multiple GPOs linked to the sites, domain, or OUs in which the users or computers exist.

This leads to the possibility that policy settings might be configured differently in multiple GPOs.

You must be able to understand and evaluate the Resultant Set of Policy (RSoP), which determines the settings that are applied by a client when the settings are configured divergently in more than one GPO.
Refresh settings for Policy settings in the Computer Configuration node ?
Policy settings in the Computer Configuration node are applied at system startup and every 90–120 minutes thereafter.
Policy Refresh settings User Configuration policy settings ?
User Configuration policy settings are applied at logon and every 90–120 minutes thereafter.
Manual Refresh of Group policy settings is done using ?
gpupdate.exe
/force
/logoff
/target:{computer | user}
/wait:value
/boot
What are the tools associated with Group Policy Updation ?
Gpupdate
Secedit
FLEX COMMAND

FLEX COMMAND: helps with group updates of workstations. It can be applied directly to OUs, etc.
Abbrev : CSEs
Client-Side Extensions
Security settings are reapplied every 16 hours even if a GPO has not changed.
Always Wait For Network At Startup And Logon policy setting
Without this setting, by default, Windows XP and Windows Vista clients perform only background refreshes, meaning that a client might start up and a user might log on without receiving the latest policies from the domain.
Abbrev : GPSI
Group Policy Software Installation
Startup, logon, logoff, and shutdown scripts will not run if the user is disconnected from the enterprise network.
If a user is disconnected from the Enterprise network does group policy still apply itself ?
Yes, the previously applied Group Policy settings are still applied.
The local GPO exists whether or not the computer is part of a domain, a workgroup, or a non-networked environment.
By default, only the Security Settings policies are configured on a system’s local GPO.

All other policies are set to Not Configured.
When AD DS is installed, two default GPOs are created:

– Default Domain Policy
– Default Domain Controllers Policy
– Default Domain Policy : This GPO is linked to the domain and has no security group or WMI filters.

– Default Domain Controllers Policy : This GPO is linked to the Domain Controllers OU. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers.
Abbrev: GUID ?
globally unique identifier
By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated
Describe the default Group Policy processing behavior, including refresh intervals and CSE application of policy settings
Every 90–120 minutes, the Group Policy Client service determines which GPOs are scoped to the user or computer and downloads any GPOs that have been updated, based on the GPOs’ version numbers.

CSEs process the policies in the GPOs according to their policy processing configuration.

By default, most CSEs apply policy settings only if a GPO has been updated.

Some CSEs also do not apply settings if a slow link is detected.
Abbrev : DRA
Directory Replication Agent
Group Policy Storage ?
The GPC is an Active Directory object stored in the Group Policy Objects container within the domain naming context of the directory. Like all Active Directory objects, each GPC includes a globally unique identifier (GUID) attribute that uniquely identifies the object within Active Directory. The GPC defines basic attributes of the GPO, but it does not contain any of the settings. The settings are contained in the GPT, a collection of files stored in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPO GUID path, where GPO GUID is the GUID of the GPC. When you make changes to the settings of a GPO, the changes are saved to the GPT of the server from which the GPO was opened.
Scripting Languages that can be used to write code for Group Policy in Windows Server 2008
Microsoft Visual Basic, Scripting Edition (VBScript), Microsoft JScript, Perl, and Microsoft MS DOS style batch files (.bat and .cmd).
A GPO is actually two components: a Group Policy Container (GPC) and a Group Policy Template (GPT).
Abbrev : KCC
Knowledge Consistency Checker
How is Group Policy Container GPC of GPO replicated ?
The GPC in Active Directory is replicated by the Directory Replication Agent (DRA) using a topology generated by the Knowledge Consistency Checker (KCC).
The GPT in the SYSVOL is replicated using one of two technologies.

The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, Windows Server 2003, and Windows 2000.

If all domain controllers are running Windows Server 2008, you can configure SYSVOL replication using Distributed File System Replication (DFS-R), a much more efficient and robust mechanism.
What does the Group Policy Verification Tool Gpotool.exe do ?
Gpotool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs that lead to inconsistent versions of a GPC and GPT.
In both the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings.
Policies in the Administrative Templates node in the Computer Configuration node modify registry values in the HKEY_LOCAL_MACHINE (HKLM) key.
Policies in the Administrative Templates node in the User Configuration node modify registry values in the HKEY_CURRENT_USER (HKCU) key.
ADM and ADMX/ADML administrative templates can coexist. These are administrative template files.
Another new Group Policy feature in Windows Server 2008 is starter GPOs. A starter GPO contains Administrative Template settings.
Starter GPOs can contain only Administrative Templates policy settings.
You can centralize the management of administrative templates by creating a central store
Windows Server 2008 also adds the ability to attach comments to GPOs and policy settings
1. Litware, Inc., has three business units, each represented by an OU in the litwareinc.com domain. The business unit administrators want the ability to manage Group Policy for the users and computers in their OUs. Which actions do you perform to give the administrators the ability to manage Group Policy fully for their business units? (Choose all that apply. Each correct answer is a part of the solution.)

A. Copy administrative templates from the central store to the Policy Definitions folder on the administrators’ Windows Vista workstations.

B. Add business unit administrators to the Group Policy Creator Owners group.

C. Delegate Link GPOs permission to the administrators in the litwareinc.com domain.

D. Delegate Link GPOs permission to each business unit’s administrators in the business unit’s OU.
1. Correct Answers: B and D

A. Incorrect: The central store is used to centralize administrative templates so that they do not have to be maintained on administrators’ workstations.

B. Correct: To create GPOs, the business unit administrators must have permission to access the Group Policy Objects container. By default, the Group Policy Creator Owners group has permission, so adding the administrators to this group will allow them to create new GPOs.

C. Incorrect: Business unit administrators require permission to link GPOs only to their business unit OU, not to the entire domain. Therefore, delegating permission to link GPOs to the domain grants too much permission to the administrators.

D. Correct: After creating a GPO, business unit administrators must be able to scope the GPO to users and computers in their OU; therefore, they must have the Link GPOs permission.
You are an administrator at Contoso, Ltd. At a recent conference, you had a conversation with administrators at Fabrikam, Inc. You discussed a particularly successful set of configurations you have deployed using a GPO. The Fabrikam administrators have asked you to copy the GPO to their domain. Which steps can you and the Fabrikam administrators perform?

A. Right-click the Contoso GPO and choose Save Report. Create a GPO in the Fabrikam domain, right-click it, and choose Import.

B. Right-click the Contoso GPO and choose Back Up. Right-click the Group Policy Objects container in the Fabrikam domain and choose Restore From Backup.

C. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Paste.

D. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Import Settings.
Correct Answer: D

A. Incorrect: A saved report is an HTML or XML description of a GPO and its settings. It cannot be imported into another GPO.

B. Incorrect: The Restore From Backup command is used to restore a GPO in its entirety.

C. Incorrect: You cannot paste settings into a GPO.

D. Correct: You can import settings to an existing GPO from the backed-up settings of another GPO.
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain in the company network. All domain controllers run Windows Server 2008 and are configured as DNS servers. A domain controller named DC01 has a standard primary zone for wiikigo.com. A domain controller named DC02 has a standard secondary zone for wiikigo.com. You have to make sure that the replication of the wiikigo.com zone is encrypted. You must not lose any zone data. What action should you perform?

A. The zone transfer settings of the standard primary zone should be configured. The Master Servers list on the secondary zone should be modified.

B. The interface that the DNS server listens on should be modified on both servers.

C. The primary zone should be converted into an Active Directory-integrated zone. The secondary zone should be deleted.

D. The primary zone should be converted into an Active Directory-integrated stub zone. The secondary zone should be deleted.
C
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an organizational unit named Production in your company. The Production organizational unit has a child organizational unit named R D. After you create a GPO named Software Deployment, you link it to the Production organizational unit. You create a shadow group for the R D organizational unit. You have to deploy an application to users in the Production organizational unit. You also need to make sure that the application is not deployed to users in the R D organizational unit. What are two possible ways to achieve this goal?

A. In order to achieve this goal, security filtering on the Software Deployment GPO should be configured to Deny Apply group policy for the R D security group.

B. In order to achieve this goal, the Enforce setting should be configured on the Software Deployment GPO.

C. In order to achieve this goal, the Block Inheritance setting should be configured on the R D organizational unit.

D. In order to achieve this goal, the Block Inheritance setting should be configured on the Production organizational unit.
A and C
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. You have a domain controller named DC01 that runs Windows Server 2008. DC01 is configured as a DNS server for wiikigo.com. You have the DNS Server server role installed on a member server named Server01, and then you create a standard secondary zone for wiikigo.com. DC01 is configured as the master server for the zone. You have to make sure that Server01 receives zone updates from DC01. What action should you perform?

A. The zone transfer settings for the wiikigo.com zone should be modified on DC01.

B. The Server01 computer account should be added to the DNSUpdateProxy group.

C. A conditional forwarder should be added on Server01.

D. The permissions of the wiikigo.com zone should be modified on DC01.
A
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There are two domain controllers named DC01 and DC02 in your company. All domain and forest operations master roles are hosted by DC01. DC01 fails. Since you are the technical support, you are required to reinstall the operating system to rebuild DC01. In addition, you are required to have all operations master roles rolled back to their original state. A metadata cleanup is performed and all references to DC01 are removed. Which actions should be performed to achieve the goal? (Choose three from the options below, and then put them in the correct order.)

1/ Operations master roles should be transferred from DC01 to DC02.
2/ Operations master roles should be transferred from DC02 to DC01.
3/ Operations master roles should be seized from DC01 to DC02.
4/ Operations master roles should be seized from DC02 to DC01.
5/ DC01 should be rebuilt as a replica domain controller.
6/ DC02 should be rebuilt as a domain controller.

A. 3->5->2
B. 3->6->1
C. 4->5->2
D. 4->6->1
A
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the company. Not all domain controllers in the forest are configured as Global Catalog servers. Your domain structure contains one root domain and one child domain. You modify the folder permissions on a file server that is in the child domain. You find that some Access Control Entries start with S-1-5-21 and that no account name is listed. You have to list the account names. What action should you perform?

A. The schema should be modified to enable replication of the friendlynames attribute to the Global Catalog.

B. The RID master role in the child domain should be moved to a domain controller that holds the Global Catalog.

C. The infrastructure master role in the child domain should be moved to a domain controller that does not hold the Global Catalog.

D. The RID master role in the child domain should be moved to a domain controller that does not hold the Global Catalog.
C
How would you delegate control of an AD OU to a user?
– Right-click on the OU
– Delegate Control
– Choose User
– Choose the appropriate option
– Finish
What is an OU?
An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.
What are the different types of OU?
Parent OUs are OUs that contain other OUs. _x000D_
Child OUs are OUs within other OUs.
What organisational structures can you not apply GPO’s to?
Generic Containers
What is group policy inheritance?
Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.
What setting should be set at creation to prevent an AD OU being accidentally deleted?
When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
How would you delete an AD object that is protected from deletion?
To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object.
What is delegation of authority?
Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups.
What is the Builtin Default Container?
The Builtin container holds default service administrator accounts and domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks.
What is the Computers default container?
The Computers container holds all computers joined to the domain without a computer account. It is the default location for new computer accounts created in the domain.
What is the Domain Controllers default container?
The Domain Controllers OU is the default location for the computer accounts for domain controllers.
What is the LostAndFound default container?
The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.
What is the NTDS Quotas default container?
The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own.
What is the Program Data default container?
The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.
What is the System default container?
The System container holds configuration information about the domain including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.
What is the Users default container?
The Users container holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.
What is special about AD containers?
They are automatically created and cannot be deleted
What is special about the Domain Controllers OU
It is the only default OU, and it can have a GPO applied, whereas the other default containers cannot have a GPO applied
How would you view hidden containers in AD Users and Computers?
Click Advanced Features from the View menu
Which containers are hidden by default in AD Users and Computers?
– LostAndFound
– NTDS Quotas
– Program Data
– System
What is special about AD containers and how do they differ from OU’s?
They are automatically created and cannot have GPO’s applied to them.
What is the SAM database?
A local database that allows users to access local resources on the machine
What are the two types of user account?
Local and Domain
What is a local user account?
A local user account is created and stored on a local system and is not distributed to any other system.

– Local user accounts are created with the Computer Management console.
– The local Security Accounts Manager (SAM) manages the user account information.
– Only local resources are accessible with local user accounts.
What is a domain user account?
A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain.
How can domain user accounts be created?
Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell.
What is unique to each domain user account?
Each domain user account has a unique security identifier (SID) to identify the user. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.
How can external users with email accounts be represented in AD?
External users who need an e-mail account can be represented through a contact object.
What is a contact object?
An account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such as e-mail or phone number, to Active Directory. Applications, such as Exchange, can search for attributes of contact objects.
What is the user or logon name?
The user or logon name is the name of the user account
What is the User Principal Name (UPN)?
The User Principal Name (UPN) combines the user account name with the DNS domain name.

– The UPN format is also known as the SMTP address format.
– The DNS domain name in the UPN is known as the UPN suffix.
– By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name.
What is the LDAP Distinguished Name (DN)?
The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes:
Domain Component (DC)
Organizational Unit (OU)
Common Name (CN)
What is the Relative Distinguished Name (RDN)?
The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object’s container.
When would you use the "User cannot change password" option?
When you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account.
How would you unlock an account?
To unlock an account, go to the Account tab in the account object’s Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account.
What should you do if a user account is accidentally deleted?
Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.
How would you add a User Principal Name (UPN) suffix to a forest?
1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.
What is a computer account?
A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device
How would you prestage a computer account?
From Active Directory Users and Computers, create a computer account. This process is called prestaging computer accounts. From the workstation, join the domain. The workstation will be associated with the computer account you created previously.
Where is the computer account created when you join a workstation to the domain?
In the Computers built-in container
How would you control where computer accounts are placed when a computer joins the domain?
Create the computer account ahead of time (pre-stage it) in the OU where you want it to reside.
Which groups have permissions to create a computer account?
– Account Operators _x000D_
– Domain Admins _x000D_
– Enterprise Admins
How many computers are the Authenticated Users group members allowed to join to the domain (from a workstation)?
10 – this will also create the computer account automatically if it doesn’t already exist. This ability comes from the Add workstations to a domain user right.
How would you allow a specific user to join a specific computer to the domain?
You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.
How would you give other users permissions to create computer accounts in AD?
By giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.
Will a computer receive group policy settings once the computer account is created?
No, the computer must be joined to the domain before it receives any GPO settings or AD receives any workstation-specific information
What commands can be used to create computer accounts from a command prompt or script?
dsadd or netdom. (Use netdom join to join a computer to the domain.)
What establishes a secure channel between a computer and the domain controller?
The computer password (automatically generated when the computer joins the domain).
Where is the computer account password saved?
On the local computer and in AD. By default, it is changed every 30 days.
What might cause a computer to fail to authenticate to the domain?
If the two computer passwords (on the local machine and in AD) become unsynchronised.

This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.
What is a local group?
Local groups exist only on the local computer, and control access to local resources.
What is a domain group?
Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.
What is group scope?
Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.
What membership can a global group have?
Global groups can contain members within the same domain. These include:
– Global groups in the same domain (in native mode only).
– Users and computers within the same domain.
What should a global group be used for?
Use global groups to group users and computers within the domain who have similar access needs.
What membership can a domain local group have?
Domain local groups can contain members from any domain in the forest. These include:
– Domain local groups in the same domain (in native mode only).
– Global groups within the forest.
– Universal groups within the forest (in native mode only).
– Users and computers within the forest.
What membership can a universal group have?
Universal groups can contain members from any domain in the forest. These include:
– Universal groups within the forest.
– Global groups within the forest.
– Users and computers within the forest.
What resources can global groups permission?
Global groups can be assigned permissions to resources anywhere in the forest.
What resources can domain local groups permission?
Domain local groups can be assigned permissions within a domain.
What resources can universal groups permission?
Universal groups can be assigned permissions to resources anywhere in the forest.
What should global groups be used for?
Create global groups to organize users (e.g., Sales or Development).
What should domain local groups be used for?
Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
What should universal groups be used for?
Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.
What is a security group?
A security group is one that can be used to manage rights and permissions.
– Group members get the permissions that are granted to the group.
– A security group represents an object with a security identifier (SID), which through the member attribute, collects other objects, such as users, computers, contacts, and other groups.
Which type of AD group should be used for assigning permissions?
Security
What is a distribution group?
A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.
What happens if you convert a security group to a distribution group?
This would remove the permissions assigned to the group.
This could prevent or allow unwanted access.
How would you convert a global group to a domain local group?
First convert to a universal group, then to a domain local.
Can you convert a global group nested in another global group into a universal group?
No – a universal group cannot be a member of a global group
Can you make a universal group a member of a global group?
No
What happens when a group is deleted?
All information about the group – including any permissions assigned – is deleted.
How can you recover a deleted group?
– Re-create the group, add all the original group members, and reassign any permissions granted to the group.
– Restore the group from a recent backup.
When are the default local groups created?
During Windows installation
Can you rename or delete the default local groups?
CAN rename them
CANNOT delete them
What is the Administrators default local group?
Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The group contains the Administrator user account (by default) and any account designated as a computer administrator.
What is the Backup Operators default local group?
Members of the Backup Operators group can back up and restore files (regardless of permissions), log on locally, and shut down the system. However, members cannot change security settings.
What is the User default local group?
Members of the Users group:
– Can use the computer but cannot perform system administration tasks and might not be able to run legacy applications.
– Cannot share directories or install printers if the driver is not yet installed.
– Cannot view or modify system files.
What group do “limited use” accounts become a member of automatically?
Users default local group
What is the Power Users default local group?
Members of the Power Users group have no more user rights or permissions than a standard user account, by default. For legacy applications requiring the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions present in previous versions of Windows.
What is the Guests default local group?
Members of the Guests group have limited rights (similar to members of the Users group), such as shutting down the system. Members of the Guests group have a temporary profile created at log on, that is then deleted when the member logs off.
What is the Administrators default domain group?
Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right.
What is the Server Operators default domain group?
Log on locally, back up and restore files and directories, change the system time, and force a local or remote shutdown. Can also create and delete shared resources, format the hard disk, and start and stop some services. Abilities extend to domain controllers.
What is the Backup Operators default domain group?
Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
What is the Account Operators default domain group?
Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups.
What is the Guests default domain group?
The domain Guest account is a member of this group. The group does not have any default rights.
What is the Network Configuration Operators default domain group?
Change TCP/IP settings including changes on domain controllers.
What is the Print Operators default domain group?
Create, share, manage, and delete printers on domain controllers. Manage Active Directory printer objects. Log on locally, add or remove device drivers, and shut down domain controllers.
What is the Users default domain group?
Perform common tasks such as running applications, using local and remote printers, and locking workstations. By default, all domain members are members of this group.
Which default domain groups are created in the Built-In Container?
Administrators
Server Operators
Backup Operators
Account Operators
Guests
Network Configuration Operators
Print Operators
Users
What default domain groups are created in the Users container in AD?
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Schema Admins
Read-Only Domain Controllers
DHCP Administrators
Cert Publishers
What is the Domain Admins default domain group?
Full control over the domain. This group is a member of the Administrators group on all computers when they are joined to the domain. This means that members of the Domain Admins group can perform all tasks on any computer in the domain (including domain controllers).
What is the Domain Computers default domain group?
Contains all computers that are a member of the domain. When you join a computer to the domain, it becomes a member of this group.
What is the Domain Controllers default domain group?
Contains all domain controllers. When a computer is made a domain controller, it is added to this group.
What is the Domain Guests default domain group?
Contains all domain guests. It does not have any default rights.
What is the Domain Users default domain group?
Contains all domain users. This group can be used to give access to all users in a domain.
What is the Enterprise Admins default domain group?
Full control over all domains in the forest. This group is a member of the Administrators group on all computers in the forest, allowing them to perform any task on any computer in the forest.
What is the Schema Admins default domain group?
Full control over the Active Directory schema. By default, the Administrator account is a member of this group.
What is the Read-Only Domain Controllers default domain group?
Contains all members who have administrative access to the Read-Only Domain Controllers in the domain.
What is the DHCP Administrators default domain group?
Contains all members who have administrative access to the DHCP service.
What is the Cert Publishers default domain group?
Contains all members which are permitted to publish certificates to the directory.
Describe the AGDLP strategy
A: Place user Accounts
G: Into Global groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
When is the AGDLP strategy used?
Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode).
What is nesting?
Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.
When is the AGUDLP strategy used?
Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains.
Describe the AGUDLP strategy
A: Place user Accounts
G: Into Global groups
U: Into Universal groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
When is the ALP strategy used?
Used on workstations and member servers.
ALP is best used in a workgroup environment, not in a domain.
Describe the ALP strategy
A: Place user Accounts
L: Into Local groups
P: Assign Permissions to the local groups
When should universal groups be used?
Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
What group should be used if both the users and resources are located in Multiple Domains?
Universal
What groups should not be used in a single domain design?
Universal
How can you start AD Users and Computers?
– Server Manager
– Administrative Tools (from the Control Panel or Start menu)
– Running dsa.msc
What is ADSI Edit?
Active Directory Service Interfaces Editor (ADSI Edit) acts as a low-level GUI editor for common administrative tasks such as adding, deleting, and moving objects.
What can you use ADSI Edit for?
You can use ADSI Edit to query, view, and edit attributes that are not exposed through other MMC snap-ins (such as Active Directory Users and Computers).
What does the command dsadd do?
Dsadd creates a new object in Active Directory.
What does the command dsquery do?
Dsquery finds objects that match the search criteria (allows a search through the whole forest). The command returns a list of objects that match the search criteria. Use Dsquery * to search all object types.
What does the Dsget command do?
Dsget retrieves property information about an object. Use the -expand switch to show nested group membership for users.
What does the dsmod command do?
Dsmod modifies or changes the properties of an object.
What does the dsrm command do?
Dsrm removes (deletes) objects. Use the -subtree option to delete a container object and all objects below that object.
What does the movetree command do?
Movetree moves an OU and its objects (it does not move computer objects).
What does the netdom command do?
Netdom adds computer objects, joins a computer to a domain, and moves computer objects.
What does Csvde do?
The Csvde command imports and exports Active Directory objects using a comma-separated list file.
What can Csvde do?
Csvde can read existing information from Active Directory (export) or create new objects in Active Directory (import).
What can Csvde not do?
You cannot use Csvde to modify existing objects in Active Directory.
Will Csvde import passwords for user accounts?
No
What does the Ldifde command do?
The Ldifde command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
What are some common uses for Ldifde?
– Using Ldifde to export a set of Active Directory objects, modifying various attributes, and then re-importing the file to change the attributes.
– Exporting or importing data that exists on non-Active Directory LDAP directories.
How can you manage passwords with Ldifde?
Passwords are not exported with user accounts. You can change passwords for existing accounts with a .ldif file, but you cannot create new user accounts with a password.
How would you export a user account and then import it with a password with Ldifde?
1) Export the user accounts. The unicodePwd field will be blank.
2) Import the user accounts to create the accounts. The user accounts will be disabled, and the user will be forced to change the password at next logon.
3) Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and add entries to enable the account.
4) Run Ldifde using the file with the passwords to modify the existing user accounts.
What does the Ldp command do?
The Ldp utility allows you to search for and view the properties of multiple Active Directory objects. It is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying results.
What is the Active Directory Migration Tool?
The Active Directory Migration Tool (ADMT) is a GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another.
Where can you move AD objects with ADMT?
You can move objects to different domains within the same forest (intraforest), or to domains in other forests (interforest).
What must be in place for an interforest migration in ADMT?
The target forest must trust the source forest.
ACE
Access control entry
ACL
Access Control lists
Activate Windows Server
cscript C:\Windows\System32\slmgr.vbs -ato
add server Core roles, components or features
Ocsetup.exe <component> /switch
ADSI
Active Directory Services Interface used by Windows PowerShell
Authentication
The mechanism by which an identity is validated by comparing secrets such as passwords provided by the user or computer to secrets maintained in the identity store
CN
Common Name
CSVDE
a command-line tool that imports or exports Active Directory objects from or to a comma-delimited text file.
DACL
Discretionary access control list
DC
Domain Controller
dll
Dynamic Link Library
DN
Distinguished name
DNS
Domain name system
Domain
An administrative unit of Active Directory. Within a domain, all domain controllers replicate information about objects such as users, groups and computers in the domain.
DS Commands
Most of the DS commands take two modifiers after the command itself: the object type and the object’s DN.
DSAdd
Creates an object in the directory, e.g. dsadd user "UserDN" -samid <pre-Windows 2000 logon name> -pwd {Password | *} -mustchpwd yes
DSGet
returns specified attributes of an object
DSMod
Modifies specified attributes of an object
DSMove
Moves an object to a new container or OU.
DSQuery
performs a query based on parameters provided at the command line and returns a list of matching objects
DSRM
Removes an object, all objects in the subtree beneath a container object, or both.
forest
the boundary of an instance of Active Directory. A forest contains one or more domains. All domains in the forest replicate the schema and configuration partitions of the directory.
Forest root domain
the first domain created in a forest
functional level
A setting that determines which features of Active Directory are enabled within a domain or forest. The functional level limits the versions of Windows that can be used by domain controllers in a domain or forest.
global catalog or partial attribute set
A partition of the Active Directory data store that contains a subset of attributes for every object in the Active Directory forest. The global catalog is used for efficient object queries and location.
Groups
provide permissions
identity store
A database of information regarding users, groups, computers, and other security principals. Attributes stored in an identity store include user names and passwords
Join a domain
Netdom join %computername% /domain:
Kerberos
A standard protocol used by Active Directory for authentication
LDAP
Lightweight Directory Access Protocol
LDIFDE
LDAP Data Interchange Format (LDIF) is a draft Internet standard file format that can perform batch imports and exports of Active Directory objects, including users. Switches: -i (import), -f <filename> (the file to import from or export to).
MMC
Microsoft Management Console
Namespace
A hierarchy that can be navigated, like a folder on a disk, a disk volume letter or a mapped drive.
Organizational units
are administrative containers within Active Directory that are used to collect objects that share common requirements for administration, configuration or visibility.
OU
Organizational Unit
Providers
Namespaces are created by providers, which can be thought of as drivers. For example, the file system has a provider, as does the registry. PowerShell can access and manipulate objects in the namespaces of those providers.
Psdrives
Windows PowerShell namespaces from any provider can be represented as PSDrives. Windows PowerShell automatically creates a PSDrive for each drive letter already defined by Windows.
SACL
System Access Control List
SAM ID
Security Account Manager ID
schema
A definition of the attributes and object classes supported by Active Directory.
scripting steps
Connect to the container (OU), create the object (user), populate its properties (display name), commit the changes.
set a static IPv4 configuration
Netsh interface ipv4
Site
An Active Directory object that represents a portion of the network with reliable connectivity. Within a site, domain controllers replicate updates within seconds, and clients attempt to use the services within their site before obtaining the services from other sites.
TCP/IP
Transmission Control Protocol/Internet Protocol
Type Adapter
A translator between the .NET Framework and Windows PowerShell. To connect to an Active Directory object, you submit an LDAP query string such as "LDAP://OU=People,DC=contoso,dc=com".
UPN
User Principal Name. The logon name plus the UPN suffix, which by default is the domain to which you would log on, e.g. [email protected]. Unique to the entire forest. Email is unique to the world!
WMI
Windows Management Interface
Which properties can be modified for multiple users simultaneously
General, Account, Address, Profile, Organization Tabs
What are the distinctions between the name of a user object and an account?
User object names: sAMAccountName, user principal name (UPN), display name and RDN. Account properties: an identity to which permissions and rights can be assigned.
sAMAccountName Attribute
(pre-Windows 2000 logon name) must be unique for the ENTIRE domain
RDN
Relative Distinguished Name of an object. Must be unique in an OU.
Display Name
How users are listed in the GAL
unlock a user account
Set objUser = GetObject("LDAP://UserDN")
objUser.IsAccountLocked = False
objUser.SetInfo()
Distinguished Name (DN)
The most important LDAP attribute, e.g. CN="josephine fleming",ou=people,dc=contoso,dc=com
SID
Security Identifier is created by the Windows 2000 security subsystem and assigned to security principal objects
Method
in the context of programming or scripting, an action performed on an object.
object
In the context of programming or scripting, a data structure that represents a system resource. Objects expose properties or attributes, methods or actions.
Delegation
Assignment of an administrative task. Delegation within Active Directory is achieved by modifying the DACL of an object.
Saved Query
A view of Active Directory objects based on search criteria.
IP address
An IP (Internet Protocol) address is a 32-bit binary unique number identifying a node or host connection on an IP network. It is usually represented as 4 decimal values, each representing 8 bits, in the range 0 to 255 (known as octets), separated by decimal points. This is known as “dotted decimal” notation.
Group Policy Member Of setting
Member Of settings are cumulative.
Group Policy Members setting
For GPOs that use the Members setting, only the Members setting from the GPO with the highest processing precedence is applied, and its list of members prevails.
audit policy
A setting that configures the logging of security-related activities
Delegation
An assignment of administrative responsibility. A grant of permission to perform an administrative task
Extensible Markup Language
(XML) An abbreviated version of the Standard Generalized Markup Language (SGML). XML enables the flexible development of user-defined document types, providing a non-proprietary, persistent, and verifiable file format for the storage and transmission of text and data both on and off the Internet.
Firewall
A hardware or software product designed to isolate a system or network from another network. Traditionally used to protect a private network from intrusion from the Internet. A firewall inspects inbound or outbound packets or both and determines, based on rules, which packets to allow to the other side of the firewall.
LDAP
The Primary access protocol for Active Directory.
Group Policy
used to configure the membership of groups, security settings, software management and auditing
RSoP
Resultant Set of Policies
GPO
A Group Policy Object is, by itself, just a collection of configuration instructions that will be processed by the CSEs (Client Side Extensions) of computers.
SOA
Start of Authority, an important record type in the Domain Name System.
Repadmin
Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and knowledge consistency checker recalculation
Will, the administrator for your organization, has decided to implement certificates for all of your internal users. What type of root certificate authority (CA) would he implement?
Enterprise
You are hired as a contractor for a new organization that has no network currently in place. You decide to implement an Active Directory domain and the Active Directory Domain Services (AD DS). Which of the following are requirements to install Active Directory?
DNS
You have decided to implement certificate authority (CA) servers and you want all of your users to receive their certificates automatically without any user intervention. What two ways can you accomplish this goal?
Autoenrollment
GPO enrollment
What role provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows operating systems?
Active Directory Federation Services (AD FS)
You have decided to place DNS on a read-only domain controller (RODC). What type of DNS zone do you now have?
Read-only DNS
What AD role allows administrators to configure services for issuing and managing public key certificates, which help organizations implement network security?
Active Directory Certificate Services (AD CS)
What role gives administrators the ability to enroll users into the certificate services program and allows for the issue and management of certificate requests?
Enrollment agents
You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your Internet users. What type of certificate authority do you need to set up?
Stand Alone Subordinate CA
Alexandria, the network administrator, has just hired a new junior administrator named Paige. Paige needs to be able to recover keys from the certificate authority server. What role does Alexandria need to give Paige so that she can recover keys?
Key recovery agent
What file outlines the set of rules that a Federation Service uses to recognize partners, certificates, account stores, claims, and the numerous properties that are associated with the Federation Service?
Trust policy
What is the Lightweight Directory Access Protocol (LDAP) directory service that allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires?
Active Directory Lightweight Directory Services (AD LDS)
You are the administrator of a network. Your company has decided to use server virtualization to help save money and add fault tolerance to your servers. What role-based utility is included with Windows Server 2008 making this possible?
Hyper-V
Your manager has explained to you that due to security requirements, you need to secure documents and emails using Microsoft Office 2007 Enterprise. What service do you need to install to help secure documents and emails?
Active Directory Rights Management Service (AD RMS)
Your company has one main location and five remote sites. One of the remote sites is having a problem with Active Directory and DNS being hacked into. What can you use to help solve this problem?
Implement a read-only domain controller and a read-only DNS server
Your company has one main location and one remote site. The remote site is 300 miles from the main location and it has no IT staff on site. What type of domain controller can you install so that a normal user can have the rights to manage it?
Read-only domain controller (RODC)
You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your internal users. What type of certificate authority do you need to set up?
Enterprise Subordinate CA
Your company has decided to install a certificate authority (CA). After you install the CA, you publish the certificate revocation list (CRL) to a central location for all CAs to use. What is this central location called?
CRL distribution point
Your company currently uses Windows Server 2008 domain controllers. Your company wants to use multiple account lockout policies depending on what department people are in. What does Windows Server 2008 offer so that you can do this?
Fine-grained password policy
You have decided to implement certificate authority servers. You have routers located on your network. What component allows systems to receive a certificate even though they do not have an Active Directory account?
Network Device Enrollment Service
What operations can you perform using the Active Directory Users And Computers tool if you need to reorganise AD based on an Organisation change?
Rename an organizational unit
Query for resources
Rename a group
Create a computer account
In order to restrict security for the Texas OU, you remove some permissions at that level. Later, a junior systems administrator mentions that she is no longer able to make changes to objects within the Austin OU (which is located within the Texas OU). What is the most likely cause?
Inheritance
Isabel wants to check for any objects that have not been properly replicated among domain controllers. If possible, she would like to restore these objects to their proper place within the relevant Active Directory domains. What 2 steps does she need to do to accomplish this?
Select the Advanced Features item in the View menu
Examine the contents of the LostAndFound folder using the Active Directory Users And Computers tool.
The domain contains over 200,000 objects and hundreds of OUs and takes a long time to load.
What can you do to speed things up if you only want to view Computer objects?
Use the Filter option in the Active Directory Users And Computers tool to restrict the display of objects.
Jane, a consultant, has recommended that the Windows NT 4 domains be consolidated into a single Active Directory domain. Which of the following statements provide a valid justification to support Jane’s proposal?
In general, OU structure is more flexible than domain structure.
It is possible to create a distributed system administration structure for OUs by using delegation.
Which operations are represented as common tasks within the Delegation of Control Wizard?
Reset passwords on user accounts.
Manage Group Policy links.
Modify the membership of a group.
Create, delete, and manage groups.
New Helpdesk Op. How do you allow them to only change certain objects in the directory in certain OUs?
Use the Delegation of Control Wizard to assign the necessary permissions on the OU that he or she is to administer.
You are planning an OU design. What 3 pieces of information should be considered or consulted?
Business organizational requirements
System administration requirements
Security requirements
You want to allow the Super Users group to create and edit new objects within the Corporate OU. What option would you choose in the Delegation Wizard?
Create A Custom Task To Delegate
A systems administrator is using the Active Directory Users And Computers tool to view the objects within an OU. He has previously created many users, groups, and computers within this OU, but now only the users are showing. What is a possible explanation for this?
Filtering options have been set that specify that only User objects should be shown.
Two large AD Sites with 15 DCs each. Too much replication traffic between sites. What can you create at each site to reduce the bandwidth usage?
Create preferred Bridgehead Servers at each site to funnel the traffic between 2 servers only.
What does not need to be manually created when you are setting up a replication scenario involving three domains and three sites?
Connection objects.
Automatically created by the Active Directory replication engine.
What services of Active Directory is responsible for maintaining the replication topology?
Knowledge Consistency Checker service.
What Active Directory objects are responsible for representing a transitive relationship between sites?
Site link bridges
Default Transitive On.
______ is the protocol to use for links where the link is randomly unavailable and replication traffic must be sent whether the other end is connected or not.
SMTP
Uses Store and Forward method to ensure that information is not lost if a connection cannot be established.
You have 7 sites with different speed links. You want to keep the number of domains to a minimum. What is the smallest number of domains you can have that cover all 7 sites?
One.
Changes to AD objects are only being replicated to some DCs and not all. Regarding the network links themselves what could be causing this problem?
Network connectivity is unavailable
A WAN connection has failed
Changes to AD objects are only being replicated to some DCs and not all because of a possible configuration problem with a DC or Sites. What are 4 of the possible errors that have been made?
Connection objects are not properly configured.
Sites are not properly configured.
Site links are not properly configured.
One of the domain controllers is configured for manual replication updates.
A systems administrator suspects that there is an error in the replication configuration. How can he look for specific error messages related to replication?
By going to Event Viewer -> Directory Service log
One site, 50 DCs. What the?
How can replication traffic be reduced and controlled, and how can the structure of AD more accurately reflect the structure of the network?
Create multiple site links.
Configure one server at each of the new sites to act as a bridgehead server.
What tool do you use to:
1. Determine replication data transfer statistics.
2. Collect information about multiple Active Directory domain controllers at the same time.
3. Measure other performance statistics, such as server CPU utilization.
Performance Monitor
What Active Directory objects should you modify to define the network boundaries for Active Directory sites?
Subnets – Define AD Site boundaries.
DIVULGE (di VULJ)
v to disclose something secret
• She believed she had been fired because she had threatened to divulge information about the company’s mismanagement.
• It is a basic tenet of most secret societies that members are not allowed to divulge anything about the initiation rites to outsiders.
• His journal divulged a side of his personality that no one had ever seen.
Configure the costs for each link with these rules:
1. ISDN must have the default site link cost
2. Austin must use San Jose for replication
The ISDN line is required to have the default cost of 100. That means that the T1 line’s cost must be lower than 100 for this connection to be used by preference, and the only choice is 50. That leaves costs of 150 and 200 for the Austin links. Because Austin will never get replication information from Chicago, that link’s cost should be 200. That only leaves 150 for the cost of the link between Austin and San Jose.
What is the default Site Link Cost?
100
You want to create a new site called San Jose. Where do you do this?
AD S&S – Sites – New Site
Two sites connected via a T1 line and a dial up line for redundancy.
You want to use the T1 line mainly. What do you do to ensure this occurs?
Lower the cost of the T1 Line
Only 1 GC for 3 Sites. HQ with 100 users is connected to other 2 sites (each have 20 users) via fast T1 connections. Where would you place the GC?
At HQ.
Though ideally one GC per site.
How do you specify a server as a bridgehead server?
AD S&S – DC properties – Select protocol – click Add
The company has three domain controllers, each of which has Knowledge Consistency Checker (KCC) errors consistently popping up in the directory services Event Viewer log. What does this indicate?
Replication problems
You need to keep track of licensing with the licensing server. Where can you configure the licensing server so that as the system administrator you can ensure you are compliant?
Configure licensing in the Active Directory Sites And Services tool.
You decide to create a trust relationship between Domain A and Domain B. Before you take any other actions, can users in Domain A use resources from Domain B yet?
No. _x000D_
A trust relationship only allows for the possibility of sharing resources between domains; it does not explicitly provide any permissions. In order to allow users to access resources in another domain, you must configure the appropriate permissions.
Plans are to deploy four Active Directory domains with the following requirements:
minimize the number of servers
enough fault tolerance to survive the complete failure of one domain controller.
What is the minimum number of domain controllers to deploy initially?
8
Two per domain for fault tolerance
What server configurations can be directly promoted to become a domain controller for a new domain?
Member servers
Stand-alone servers
Server1: Schema Master
Server2: RID Master
Server3: Windows NT 4 BDC
Server4: Infrastructure Master
Server5: PDC Emulator Master
Entire environment migrating to Windows Server 2008. Which server is not needed?
Server3: Windows NT 4 BDC
Implicit trusts created between domains are known as ______
transitive trusts.
Need to add a field to the properties of a User object.
On what servers can the change be made?
The Schema Master is the only server within Active Directory on which changes to the schema can be made.
What are several Active Directory domains that share a contiguous namespace called?
A tree
Accidentally demoted the last domain controller of your ADTest.com domain.
Want a complete undo. Possible?
Once the last domain controller in an environment has been removed, there is no way to recreate the same domain. If adequate backups had been performed, you may have been able to recover information by rebuilding the server.
Items that depend on the DNS namespace are ….
Domains
trees
forests
DNS zones
Which types of computers contain a copy of the Global Catalog (GC)?
Specified Active Directory domain controllers
Which pieces of information should you have before you use the Active Directory Installation Wizard to install a new subdomain?
name of the child domain
name of the parent domain
DNS configuration information
NetBIOS name for the server
Which type of trust is automatically created between the domains in a domain tree?
Transitive two-way
A systems administrator wants to remove a domain controller from a domain. What is the easiest way to perform the task?
Use the Active Directory Installation Wizard to demote the domain controller.
Regarding the sharing of resources between forests…
A trust relationship must exist before resources can be shared between forests.
New remote location with very slow WAN link. Needs the following specs:
Fast logon times
Reduced network bandwidth
Ability to use existing hardware
What can you implement to achieve the above requirements?
Universal group membership caching stores information locally once a user attempts to log on for the first time.
Of the five main single master functions, two apply to an entire Active Directory forest. What are the three that apply to just the domain?
RID Master
PDC Emulator Master
Infrastructure Master
When deploying Active Directory, you decide to create a new domain tree. What do you need to do to create this?
Promote a Windows Server 2008 computer to a domain controller and select the option that makes this domain controller the first machine in a new domain that is a child of an existing one.
7 Reasons for Using Multiple Domains
Scalability
Reducing replication traffic
Meeting business needs hierarchy – easier data management
Decentralized administration
Multiple DNS or domain names
Legality
What are some of the Drawbacks of Multiple Domains?
Administrative inconsistency
Increased management
Decreased flexibility
Min Requirements for DC numbers
2 DCs per Domain
Recommended Req’s for DC numbers
2 DCs per Site
Reasons for adding extra DCs
Fault tolerance and reliability
Performance
Main requirement for joining a new domain to an existing forest
Domain does not share a namespace with the existing Active Directory domain.
If you want to join a W2k8 server to an existing W2k3 Forest what do you need to do first?
Prepare the domain by running:
adprep /forestprep
adprep /domainprep
What naming information do you need prior to joining a domain to a new tree?
name of the parent domain
name of the child domain
NetBIOS name for the new server
What other information (other than the 3 names) do you need prior to joining a domain to a new tree?
DNS configuration
domain administrator username and password
DcPromo option selected to create a new domain tree.
“makes this domain controller the first machine in a new domain that is a child of an existing domain”
3 Features common to all Domains in a Forest
Schema
GC
Configuration Info
Type of trust between the Forest Root Domain and all the rest of the domains in the forest
2-way Transitive
How is a new Domain Tree created?
Created top down – forest root domain – then child domains
How do you move a DC between domains?
1. Demote it.
2. Move it.
3. Promote it.
True or False? A Trust grants all users in one domain access to the other domains.
False.
Trust only provides the foundation.
Rights must be granted to resources once Trust is established.
What 2 features of AD do ALL Trees and Forests share?
Schema and
Global Catalog
What do you always have even if you only have 1 Domain?
A Tree and a Forest
What do you need to ensure is done before you remove the last DC from a Domain?
Computers no longer log on to this domain
No user accounts are needed
All encrypted data is decrypted
All cryptographic keys are backed up
What are the 2 Forest Operation Master Roles?
Schema Master
Domain Naming Master
What tool is used to manage the Forest Operation Master roles?
AD Domains & Trusts
What are the 3 Domain Operation master Roles?
RID Master
PDC Emulator Master
Infrastructure Master
The Schema master holds ___
a master copy of the AD Schema
Where can changes to the AD Schema be made?
Only on the Schema Master
The Domain Naming Master __
tracks domains within the AD Forest
What does the RID Master do?
Creates a unique RID for every AD object
PDC Emulator is responsible for __
Maintaining backward compatibility with NT DCs – used only in Mixed Mode domains.
In a Forest running at 2k Native or later what role does the PDC play?
Acts as default DC if another is not available
The Infrastructure Master ensures
Ensures that group membership info stays current between DCs
How do you assign the Domain Naming Master Role?
Open AD D&T
AD D&T Properties
Select Operations Master
Click Change
How do you assign all of the RID, PDC and Infrastructure Roles?
Open AD U&C
right-click Domain
Select Operation Masters
Click Change
What is a transitive trust?
Implied trusts.
If domain A trusts domain B AND
domain B trusts domain C THEN
domain A trusts domain C
What are External Trusts used for?
Used to provide access to external domain (NT) that can’t use forest trusts
What type of trust are External Trusts?
Non-transitive and either 1-way or 2-way (manually created)
On External Trusts, what is enabled by default to prevent hackers from using SID info to gain access?
Default SID filtering
SID History is cleaned of SID history attributes that are not members of the trusted domain.
When is a Realm Trust used?
Used to connect to non-Windows domain using Kerberos
What types of Realm Trusts are there?
Either Transitive or Non-Transitive
And either 1-way or 2-way
Where do you configure Trust Relationships?
AD D&T – Domain Properties – Trusts Tab
What happens when Selective authentication is used with Cross Forest Trusts?
users can’t authenticate to DC or resource server unless explicitly enabled
What is a manually created Trust called?
Shortcut trusts
What is a Cross Forest Trust used for?
To Share resources between forests
What is the restriction on Cross Forest Trusts?
They cannot be Non-transitive.
Where would you go to enable Selective Authentication?
Trust properties – Selective Authentication
Where would you add a UPN suffix?
AD D&T – Properties – UPN Suffixes
You need to add another Global Catalog server to an existing domain. Where would you go to do this?
AD S&S
– DC
– NTDS Settings Properties
– GC Checkbox
What happens when Universal Group Membership Caching is enabled on a W2k8 DC?
1. User logs on – Universal Groups cached from GC
2. Next time user logs on – no need to contact GC
The benefits of Universal Group Membership Caching are:
Faster logon times
Reduced network bandwidth
Ability to use existing hardware
On a W2k8 DC how do you enable Universal Group Membership Caching?
AD S&S
– Sites
– Default-First-Site-Name
– NTDS Settings – Properties
– checkbox
What forest and domain functional levels does the network need for you to install RODCs?
Windows 2003 functional Level or above
How many domains can a DC have or belong to at any one time?
One
Functional level if you have the following servers in your domain:
2003 server
2000 Server
2008 server
Windows 2000 Native
Which NTFS feature can you implement to limit the amount of disk space occupied by users?
Disk Quotas
What two steps need to be done to convert a disk volume from FAT to NTFS?
CONVERT vol: /FS:NTFS
What 2 protocols are required to support AD?
TCP/IP
DNS
Command used to promote or demote a DC?
dcpromo.exe
Your organisation needs one set of credentials for multiple forests. What 2008 role do you install?
AD Federation Services
How do you test that DNS forward lookups are working properly prior to installing AD?
ping hostname
IP returned
What FS with these req’s?
file-level security
efficient use of space on large partitions.
domain controller Sysvol must be stored
NTFS
You have decided that you must convert the system partition on your Windows Server 2008 from the FAT32 filesystem to NTFS. Which 2 steps must you take in order to convert the filesystem?
CONVERT /FS:NTFS
Reboot the computer
Name 3 protocols needed for AD to work properly
LDAP
DNS
TCP/IP
2 sites with non-communicative DCs. Names:
server1.yourcompany.com and server1.yourcompany.com
Problem?
Yes, each server needs a unique FQDN.
How can you increase the space on a volume without backing up, recreating and restoring it?
Use NTFS mounts to map new volume to existing volume.
What file system reqs exist for installation of AD?
NTFS volume.
Greater than 4GB
What 5 connectivity tests should you do prior to installing AD? (assume second site connected via VPN)
Test NW adapter – drivers & config
Check IPconfig
Test Internet access
Check LAN access
Check Client Access
Check WAN Access
How do you check the configuration of the TCP/IP protocol and output it to a text file?
ipconfig /all > ipcfg.txt
What are the 3 forest functional levels in W2k8?
2k Native (default)
2k3
2k8
5 New features in W2k8 Functional Level but not in W2k3?
Fine-grained password policies.
Read-only domain controller (RODC).
Last interactive logon information.
Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol.
Distributed File System replication support for Sysvol.
What is a Defunct Schema Class?
A Class of objects that has been marked as non-usable.
What is DNS?
Provides way of querying names and IP addresses, replicating the info in the DB as well as the schema
Name 7 different common DNS records.
SOA, NS, A, CNAME, PTR, MX, and SRV
What is an SOA record?
Start of Authority Record.
Defines the general parameters for the DNS zone, including who the authoritative server is
What is an NS record
Name Server
Lists name servers for a domain; allows other name servers to look up names
What is an A record
Address Record for Host
Links hostname to IP address
What is a PTR record?
Pointer Record.
Links IP address to hostname for reverse lookups
What is an MX record?
Mail Exchange record
Lists mail servers that can accept mail for the domain
What is an SRV record?
Service record
Maps service (eg DC) to IP address
Name the 3 query types when DNS is used to resolve names or IPs
Iterative, Recursive, and Inverse
What is an Iterative query?
Client asks Server. Server responds with best possible answer
What is a Recursive query?
Client queries server, server doesn’t know, asks each server up the line until answer is returned to client via server.
What is an Inverse query?
Client queries IP address instead of name.
A zone used to resolve names to IP addresses is a _________?
a Forward Lookup zone
A zone used to resolve IP addresses to names is a ________?
a Reverse Lookup zone
How do you create new zones?
with the New Zone wizard.
Where do you configure a zone for Dynamic updates?
Properties of the forward/reverse lookup zone – General Tab – Dynamic updates – None/Secure Only/Nonsecure and secure
What is the default setting for Dynamic updates
Secure only
Name 5 tools used to troubleshoot DNS problems?
DNS Snap-in
DSS event log
NSLookup
Ipconfig
DNS server log file
Multiple sites across Australia.
Single AD tree required.
What DNS and AD structures do you implement to ensure good performance?
Install a DNS server at each regional location and create a single domain name for all the regions for resolution of local resources.
3 Unix DNS, print & fax servers.
New AD domain with integrated DNS replaces Unix DNS server.
Can’t print or fax. What gives?
You need to manually add A resource records for the Unix machines.
How do you configure a DNS server so that it only answers queries from hosts on your intranet and no where else?
Configuring the server as a root server and leaving out root hints for the top-level domains
And
Leaving forwarding turned off
What must you do so that your customers can utilize all mirrored web servers?
Enable Round Robin DNS to balance out the load across all the servers you have mirrored and configured in the DNS
You have multiple remote locations connected by slow satellite links. Need to install DNS into these offices so that clients can locate authoritative DNS servers in the main location. What type of DNS zones should be installed in the remote locations?
Stub Zones – Contain: NS, A and SOA records
You have 5 W2k8 DCs. All run as primary DNS zones. Need to ensure all hold the same database and use only secure updates.
What do you do?
Upgrade all servers to Active Directory Integrated servers.
Six Offices. Need single AD tree.
How do you deploy DNS to enable efficient and responsive name/IP resolutions for this environment?
Create a single second-level name and deploy a DNS server at each location in the network
What are the two main server types in an NT domain?
PDC and BDC
Two types of domains in an NT multi-master domain topology?
Master Domain
(trust)
Resource Domain
3 Advantages of old NT over workgroups?
Centralised Admin
Database replication
Could scale to thousands of users
4 Limitations of NT model?
Didn’t scale/work well for very large orgs
Trust relationships needed a lot of work
Excessive replication BAD for low-bandwidth WAN links
Difficult to delegate admin duties
3 Features of AD?
LDAP for transferring information
Reliance on DNS for name resolution
Ability to extend the schema
Functions of Domains
Create security boundaries to protect resources and ease administration
Ease admin of users, groups, computers etc
Provide central DB of network objects
Type of server for remote locale with questionable security?
Read-only domain Controller
True or False:
Two objects can have the same relative distinguished name
True.
Jane Doe can be in AD twice (or more) in different OUs
True or False?:
Two objects can have the same distinguished name.
False.
DN is unique to each AD object
AD Trust Relationships – 3 truths
1. Trusts are transitive
2. By default, trusts are two-way relationships.
3. Trusts are used to allow the authentication of users between domains.
Protocol used to query AD
LDAP
Policy that allows for different password and account lockout policies for different sets of users in the same domain?
Fine-grained password policy
What is the Server role that allows/provides for single sign-on capability for multiple apps?
AD Federation Services
Advantages of using Server 2008 AD Certificate Services?
Web enrollment
Network Device Enrollment Service
Online Responder
Which role allows a user to secure an email while using Microsoft Office 2007 Outlook?
AD Rights Management Services (AD RMS)
Identity and access (IDA) has five distinct categories. What are they?
Directory services, strong authentication, Federated Identities, information protection, and Identity Lifecycle Management
Another administrator has changed a user’s group settings. What is the easiest way to get the original setting back for the user?
Perform Auditing.
Review logs.
Undo what he did – the dunce!
What is the feature of AD that allows info to remain in sync between DC’s?
Replication
Which component of AD should you implement at remote sites to improve the performance of searches conducted for objects in all domains?
Global Catalog Server
Name of the server that is a repository of Active Directory topology and schema information for Active Directory?
Schema Master
You need to install the Active Directory Federation Services. What application do you use to do the install?
Server Manager
What term is used to refer to the actual structure that contains the information stored within Active Directory?
Data store
NW admin for a 200-node network. Only 30 need a new app.
What can you do?
Create an OU with the 30 in it.
Deploy app/update to the OU
What is used to create a logical structure in AD?
Organisational Unit
List 8 Advantages of AD
Hierarchical Organisation
Extensible Schema
Centralised Data Storage
Replication – DNS & AD
Ease of Admin
Network Security
Scalability
Search
What is Server Core?
a minimal install of Windows Server 2008, without GUI or .NET Framework
What are the hardware requirements for Server Core?
3 GB HDD, 256 MB RAM
What are 2 advantages of Server Core?
more secure (fewer services and components) and requires less management
What 9 server roles are supported in Core?
AD Domain Services (AD DS), AD Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, file server, print server, Streaming Media Services, IIS (doesn’t support ASP.NET), Hyper-V (server virtualization)
What 11 optional features are available in Server Core?
failover cluster, network load balancing, subsystem for UNIX, Windows Backup, multipath I/O, removable storage management, Windows BitLocker drive encryption, SNMP, WINS, Telnet, QoS
What command is used to change the administrator password?
net user administrator *
What command is used in Core to set IPv4 configuration?
netsh interface ipv4
What command is used to join a domain?
netdom
What command is used in Core to add roles, components, and features?
ocsetup.exe
What command is used in Core to view roles, components, and features?
oclist.exe
What command is used in Core to enable Remote Desktop?
cscript c:\windows\system32\scregedit.wsf /AR 0
What command is used to promote a domain controller?
dcpromo.exe
What command is used in Core to configure DNS?
dnscmd.exe
What command is used in Core to configure DFS?
dfscmd.exe
What command is used to add Active Directory Domain services?
dcpromo.exe
What is the one AD server role available in Core that can’t be added with ocsetup.exe?
AD Domain Services (added with dcpromo.exe)
What command is used to remove a domain controller?
dcpromo.exe
What piece of information is required when removing a domain controller?
the password of the local admin account
What 2 directory partitions do all domains in a forest share?
schema and configuration
How does Dynamic DNS (DDNS) differ from standard DNS?
DDNS allows real-time DNS updates
What command will send DNS registration info to a DNS server?
ipconfig /registerdns
How is DNS information replicated in DDNS?
through Active Directory
How was DNS information replicated in standard DNS?
through manual copies of the zone file
What two name resolution technologies does DDNS cover?
DNS and WINS
When does DDNS update the record?
when a client leases an IP address
What is Scope Option 003?
default gateway
What is Scope Option 006?
preferred DNS server
What is the scope for default gateway?
3
What is the scope for preferred DNS server?
6
Where does non-dynamic DNS store data?
in a text file located at %SystemRoot%\System32\DNS
What are the 3 types of DNS zones?
primary, secondary, and stub zone
What is a primary DNS zone?
a DNS zone which stores a copy of the zone that can be directly updated
What is a secondary DNS zone?
a copy of a primary DNS zone
What are secondary DNS zones used for?
load balancing, fault tolerance, and increasing capacity
What is a DNS stub zone?
a copy of a DNS zone containing only NS, SOA, and sometimes glue A records; it is not authoritative
What limitation exists on a DNS server storing its data in AD?
the DNS server must be a DC
What is secure DNS?
a DNS system where updates occur over a secure channel
How does secure DNS work?
when a DNS transfer is initiated, the DNS server verifies that the DNS server sending the update is on an approved list
What is the purpose of secure DNS?
to prevent poison entries
How is secure DNS set up in an Active Directory domain?
it is set up automatically
What are 3 reasons to use a stub zone?
keep delegated zone info current, improve name resolution, simplify administration
What does a Start of Authority (SOA) record do?
specifies the DNS server in charge of a zone
What 4 items does an SOA record specify?
primary server for the zone, zone administrator’s email address, secondary zone expiration values, minimum default TTL values
What is the Global Name Zone designed to do?
replace WINS
What is an A record?
address record
What 3 types of records are stored in a Forward Lookup Zone?
LDAP, Global Catalog, and Name Server records
How can repopulation be forced if a Forward Lookup Zone does not appear in AD?
use net stop netlogon and net start netlogon
What do Forward Lookup Zones do?
store domain name-to-IP address mappings
What do Reverse Lookup Zones do?
store IP address-to-domain name mappings
At what 3 times are Reverse Lookup Zones populated?
when IP addresses are leased, when machines are restarted, when ipconfig /registerdns is executed
What do root hints do?
provide a link between DNS servers and top-level DNS servers
What are 3 reasons to divide namespaces into more than 1 zone?
delegate responsibility, break up large namespaces for management, extend namespace to add subdomains
When creating subdomains, what needs to be done to make sure that all zone records stay current?
delegation records need to be added to other DNS servers to point to the authoritative server
How does round robin DNS work?
when an IP address for a server in a round robin pool is given out, that address is moved to the bottom of the list
What sort of servers most often utilize round robin DNS?
web servers
What is recursion?
forwarding requests to other servers for fulfillment
When is DNS recursion usually disabled?
When the network is sensitive
What is server scavenging?
process of getting rid of stale DNS records
What 2 containers are created when DNS is integrated with AD?
forestDNSzone and domainDNSzone
What do incremental zone transfers do?
replicate only changes to DNS (rather than all records)
Does DNS work on a push or pull basis?
pull: when changes are made, the DNS server notifies other servers that changes are available
What directory format does Active Directory use?
X.500
What do AD tree structures share?
The same contiguous name space.
What is an RODC?
A Read Only Domain Controller
Do different forests share the same name space?
No
What is NTDS.dit?
The AD database
What is a domain?
A domain is an administratively-defined collection of network resources that share a common directory database and security policies
What is an AD object attribute?
Information about the object (such as a user’s name, phone number, and email address) which is used for locating and securing resources.
What does an object schema identify?
The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the object.
What does AD use DNS for?
Active Directory uses DNS for locating and naming objects.
Name the OU structure
First-level OUs can be called parents.
Second-level OUs can be called children.
OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).
What is an AD tree?
A tree is a group of related domains that share the same contiguous DNS name space.
What is an AD forest?
A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.
What is the forest root domain?
The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest.
What is the tree root domain?
The tree root domain is the highest level domain in a tree.
What is a child domain?
Each domain in the tree that is connected to the tree root domain is called a child domain.
What is a domain tree?
A domain tree is a group of domains based on the same name space. Domains in a tree:
– Are connected with a two-way transitive trust.
– Share a common schema.
– Have common global catalogs.
What is a domain controller?
A domain controller is a server that holds a copy of the Active Directory database that can be written to
What is replication?
Replication is the process of copying changes to Active Directory between the domain controllers.
What two objects does AD use to represent the physical structure of the network?
– A subnet represents a physical network segment. Each subnet possesses its own unique network address space.
– A site represents a group of well-connected networks (networks that are connected with high-speed links).
What manages AD replication between locations?
Sites and subnets are used to manage Active Directory replication between locations.
How does an AD site differ from a domain?
A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization.
How are clients assigned to AD sites?
Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask.
How are domain controllers assigned to AD sites?
Domain controllers are assigned to sites according to the location of their associated server object in Active Directory.
What does the Global Catalog server do?
Responsible for replicating a subset of attributes throughout Active Directory
What are FSMO roles/What do they do?
Flexible Single-Master Operation roles are specialized domain controller tasks assigned to a domain controller in the domain or forest. Operations master roles are useful because certain domain and enterprise-wide operations are not well suited for the multi-master replication performed by Active Directory to replicate objects and attributes
What are the FSMO roles?
– Schema Master
– Domain Naming Master
– RID Master (Relative Identifier)
– PDC Emulator
– Infrastructure Master
What does the schema master do?
Maintains the schema (the mapping of all the different object types)
What does the RID master do?
The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controller when creating new security principals (such as user, group, or computer accounts).
What does the PDC Emulator do?
The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers (e.g., time services).
What does the Infrastructure Master do?
Provides a mapping of all the container objects in AD. The infrastructure master is responsible for updating changes made to objects.
Which level do the Schema and Domain Naming Master roles operate at?
The Forest Level
What level do the RID, PDC and Infrastructure Master roles operate at?
The domain level
What is the Global Catalog?
The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced.
What is an Operations Master?
A domain controller that performs an operations master role is known as an operations master or operations master role owner.
What does the Domain Naming Master do?
The domain naming master adds new domains to and removes existing domains from the forest.
What is a functional level?
A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest.
Which domain functional levels does Server 2008 support?
Windows 2000 Native
Windows Server 2003
Windows Server 2008
Which forest functional levels does Server 2008 support?
Windows 2000
Windows Server 2003
Windows Server 2008
What is a group policy?
A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.
What are new services in AD 2008?
– AD Domain Services
– AD Lightweight Directory Services
– AD Certificate Services
– AD Federation Services
– AD Rights Management Services
What is an AD role?
A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server.
What is an AD role service?
Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role.
What is an AD feature?
A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support.
What is Active Directory Domain Services (AD DS)
AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:
– Helps administrators securely manage information.
– Facilitates resource sharing and collaboration between users.
– Is required to be installed on the network to install directory-enabled applications such as Microsoft Exchange Server and for applying other Windows Server technologies, such as Group Policy.
What is Active Directory Lightweight Directory Service (AD LDS)
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database.
What is Active Directory Federation Services (AD FS)
AD FS is a feature which enables secure access to web applications outside of a user’s home domain or forest. The AD FS role:
– Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account.
– Securely federates (shares) user identities and access rights in the form of digital claims between partner organizations.
What is Active Directory Rights Management Service (AD RMS)
AD RMS is a feature which safeguards digital information from unauthorized use. The AD RMS role:
– Can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions.
– Allows organizations to create custom usage rights templates (such as “Confidential – Read Only”) that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data.
What is Active Directory Certificate Services (AD CS)
AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. The AD CS role:
– Provides customizable services for creating and managing public key certificates.
– Enhances security by binding the identity of a person, device, or service to a corresponding private key.
– Includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.
Name some things that AD Certificate Services supports
Digital signatures
Encrypting File System (EFS)
Internet Protocol security (IPsec)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Socket Layer/Transport Layer Security (SSL/TLS)
Secure wireless networks
Smart card logon
Virtual Private Networks (VPN)
What AD roles are not supported on Server 2008 Standard?
AD FS requires the DataCenter or Enterprise editions for deployment.
Which server roles can Server 2008 core run?
Active Directory
Active Directory Lightweight Directory Services (AD LDS)
Dynamic Host Configuration Protocol (DHCP) Server
DNS Server
File Server
Print Server
Media Services
Web Server (IIS)
What are the limitations of Server 2008 core?
There is no Windows Shell.
There is no managed code support (no .NET framework). All code has to be native Windows API code.
There is only MSI support for unattended mode installs.
What methods can you use to manage a Server 2008 core system?
Log on and use the command prompt.
Log on using Remote Desktop to gain access to the command prompt.
Use Windows Remote Shell (winrm).
Run Server Manager or another tool on another computer and connect to the server core system. This method allows you to use a GUI interface for managing the server core system.
How would you add server roles to a Server 2008 core system?
Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive.
How would you see a list of roles, role services and features that can be installed on Server 2008 core?
run the oclist command
What does AD Domain Services (AD DS) do?
provides Identity and Access (IDA) solutions for enterprise networks
What does IDA refer to?
Identity and Access
What 4 things should an IDA infrastructure do?
store information about users, groups, computers, and objects; authenticate identities; control access; provide an audit trail
What 5 technologies comprise a Microsoft IDA solution?
AD Domain Services; AD Lightweight Directory Services; AD Certificate Services; AD Rights Management Services; AD Federation Services
What part of IDA does AD Domain Services provide?
identity management
What part of IDA does AD Lightweight Directory Services provide?
applications management
What part of IDA does AD Certificate Services provide?
trust management
What part of IDA does AD Rights Management Services provide?
integrity
What part of IDA does AD Federation Services provide?
partnership with external organizations
What did AD Lightweight Directory Services used to be called?
Active Directory Application Mode
What does AD Lightweight Directory Services do?
stores and replicates application-related database information
What best practice should be used when using AD Certificate Services to provide certificate services to external communities?
get a root certificate from a trusted third-party CA
What does AD Rights Management Services do?
provides persistent rights management, even after authentication (similar to Acrobat controls)
What 5 components does AD Rights Management Services require to function?
AD domain with Server 2000 SP3 or higher DC’s, IIS, database server, AD RMS client, RMS-enabled browser
What does AD Federation Services do?
allows organizations to project rights and access controls across organizational boundaries
What is a schema?
a set of rules that defines classes of objects and attributes in a directory
What do replication services do?
distribute directory data across a network
What does a global catalog contain?
limited information about every object in the directory
What is another name for a global catalog?
partial attribute set
What command is used to launch configuration of a domain controller?
dcpromo.exe
What are the components of an AD infrastructure?
AD data store, DC’s, domains, forest, trees, functional level, OU’s, sites
What is the directory also known as?
the AD data store
How is the directory stored?
as a single file (Ntds.dit)
Where is the directory located by default?
%SystemRoot%Ntds folder on all domain controllers
What 4 partitions are usually found in the AD data store?
schema, configuration, global catalog, domain naming context
What important authentication service is run by all domain controllers?
Kerberos Key Distribution Center (KDC)
Where can a user receive authentication from?
any DC in their domain
What serves as a scope for administrative policies (password expiration, etc.)?
a domain
What is considered best practice when replication cannot occur reliably between domain controllers?
place them in separate domains
What is a forest?
a collection of one or more Active Directory domains
What is the first domain in a forest known as?
the forest root domain
What entity defines a security boundary?
a forest
What is a security boundary?
an entity outside which no data is replicated
What defines a tree?
the DNS namespace
What determines whether domains are part of the same tree?
whether those domains are part of a contiguous DNS namespace
What are the 3 domain functional levels?
Windows 2000 native, Windows Server 2003, and Windows Server 2008
What are the 2 forest functional levels?
Windows Server 2003 and Windows Server 2008
What requirement exists for the Windows Server 2008 domain functional level?
all DC’s must be running Server 2008
What requirement exists for the Windows Server 2008 forest functional level?
all domains must be Windows Server 2008 domains
What MMC is used to administer roles?
Server Manager
What are the two primary steps in creating a new DC?
add roles through Server Manager and promote server to DC
What command-line command can be used to promote a server to DC?
dcpromo.exe
What two names do all DC’s require?
a valid DNS name and a valid NetBIOS name
GPResult
A command-line tool that enables administrators to create and display a Resultant Set of Policy (RSoP) query from the command line.
Group Policy Modeling
A Group Policy Management feature that uses the Resultant Set of Policy snap-in to simulate the effect of a policy on the user environment.
Group Policy Results
A feature in Group Policy Management that is equivalent to the Logging mode within the Resultant Set of Policy MMC snap-in. Rather than simulating policy effects like the Group Policy Modeling Wizard, Group Policy Results obtains Resultant Set of Policy (RSoP) information from the client computer to show the actual effects that policies have on the client computer and user environment.
Logging mode
The Resultant Set of Policy (RSoP) mode that queries existing policies in the hierarchy that are linked to sites, domains, domain controllers, and Organization Units. This mode is useful for documenting and understanding how combined policies are affecting users and computers. The results are returned in an MMC window that can be saved for later reference.
Planning mode
The Resultant Set of Policy (RSoP) mode that allows administrators to simulate the effect of policy settings prior to implementing them on a computer or user.
WMI Filtering
A filtering method that uses filters written in the WMI Query Language (WQL) to control GPO application.
CIMOM
Common Information Management Object Model
A database used through Windows Management Instrumentation that contains information gathered when a computer starts and becomes part of the network. This information includes hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, scripts, Folder Redirection settings, and Security settings.
RSoP
Resultant Set of Policy
Query engine that looks at GPOs and then reports its findings. Use this tool to determine the effective settings for a user or a computer based on the combination of the local, site, domain, domain controller, and OU policies.
WMI
Windows Management Instrumentation
A component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. It allows administrators to create queries based on hardware, software, operating systems, and services.
WQL
WMI Query Language
A language that is similar to structured query language (SQL).
Assign
An option used to deploy required applications to pertinent users and computers.
Basic User
Strategy for enforcing restrictions that prevents any application from running that requires administrative rights but allows programs to run that only require resources that are accessible by normal users.
certificate rule
A software restriction rule that uses the signing certificate of an application to allow software from a trusted source to run or to prevent software that does not come from a trusted source from running. Certificate rules also can be used to run programs in disallowed areas of the operating system.
Disallowed
Strategy for enforcing restrictions that prevents all applications from running except those that are specifically allowed.
distribution share
The shared folder that is a network location from which users can download software. Also known as the software distribution point.
file-activated installation
A method of distributing applications whereby an application is installed when a user opens a file associated with an application that does not currently exist.
hash
A series of bytes with a fixed length that uniquely identifies a program or file.
hash algorithm
A formula that generates a hash value.
hash rule
A software-restriction rule applied to an application executable that will check the file’s hash value and prevent the application from running if the hash value is incorrect.
hash value
A value generated by a formula that makes it nearly impossible for another program to have the same hash.
Install This Application At Logon
A deployment option that allows the application to be installed immediately, rather than advertising on the Start menu.
.msi file
A relational database file that is copied to the target computer system, with the program files it deploys. In addition to providing installation information, this database file assists in the self-healing process for damaged applications and clean application removal.
network zone rule
A software restriction rule that allows only Windows Installer packages to be installed if they come from a trusted area of the network.
patch files
Windows Installer files with the .msp extension that are used to apply service packs and hotfixes to installed soft
path rule
A software restriction rule that identifies software by specifying the directory path where the application is stored in the file system.
Publish
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource. (See lesson 1).
2) An option used to deploy applications. It allows users to install the applications that they consider useful to them. (See lesson 9)
repackaging
The process of preparing software for .msi distribution, which includes taking a snapshot of a clean computer system before the application is installed, installing the application as desired and taking a snapshot of the computer after the application is installed.
self-healing
A function that allows software to detect and correct problems, such as missing or deleted files.
software life cycle
A process that takes place from the time an application is evaluated for deployment in an organization until the time when it is deemed old or no longer suitable for use.
Unrestricted
Strategy for enforcing restrictions that allows all applications to run, except those that are specifically excluded.
.zap file
A non-Windows Installer package that can be created in a text editor.
SDLC
Software Development Life Cycle
A structured process used to develop information systems software, projects, or components; phases include analysis, design, implementation and maintenance.
Account Lockout Policies
A subcategory in the Account Policies category that specifies the number of unsuccessful logon attempts that, if made within a contiguous timeframe, might constitute a potential security threat from an intruder. An Account Lockout Policy can be set to lock the account in question after a specified number of invalid attempts. Additionally, the policy specifies how long the account will remain locked.
account logon events
Setting that logs events related to successful user logons to a domain.
account management events
Setting that triggers an event that is written based on changes to account properties and group properties. Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling.
Audit Policy
The section of GPO Local Policies that enables administrators to log successful and failed security events, such as logon events, account access, and object access.
auditing
Tracking events that take place on the local computer.
disk quotas
A setting that limits the amount of space available on the server for user data.
Enforce Password History
Group Policy setting that indicates the number of passwords that Active Directory should retain in memory before allowing someone to reuse a previously used password.
gpupdate.exe
A command-line tool used to force a manual Group Policy refresh. This tool was introduced in Windows Server 2003, and it is used in Windows Server 2003 and Windows Server 2008 to replace the secedit /refreshpolicy command that was used in Windows 2000.
Kerberos Policies
For domain accounts only, this policy enables administrators to configure settings that govern how Active Directory authentication functions.
Local Policies
Policies that enable administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log.
logon events
The setting logs events related to successful user logons on a computer.
msDS-PasswordSettings
A new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as a Password Settings Object (PSO).
Offline Files
A separate Group Policy category that can allow files to be available to users, even when users are disconnected from the network.
Password Policies
A subcategory in the Account Policies category that enforces password length, password history, and so on. Password Policies can be applied to domain and local user accounts.
policy change events
By default, this policy is set to audit successes in the Default Domain Controllers GPO. Policy change audit log entries are triggered by events such as user rights assignment changes, establishment or removal of trust relationships, IPSec policy agent changes, and grants or removals of system access privileges.
refresh interval
The period that each background refresh process can be set to; it ranges from 0 to 64,800 minutes (45 days).
Restricted Groups
Policy settings that enable an administrator to specify group membership lists.
Security Options
A subcategory of the Local Policies setting area of a Group Policy Object that includes security settings related to interactive log on, digital signing of data, restrictions for access to floppy and CD-ROM drives, unsigned driver installation behavior, and logon dialog box behavior.
system events
Events that trigger a log entry in this category include system startups and shutdowns; system time changes; system event resource exhaustion, such as when an event log is filled and can no longer append entries; security log cleaning; or any event that affects system security or the security log. In the Default Domain Controllers GPO, this setting is set to log success by default.
System Services
The category that is used to configure the startup and security settings for services running on a computer.
tattooing
An Administrative Template setting that continues to apply until it is revised using a policy that overwrites the setting.
User Rights Assignment
A subcategory of the Local Policies setting area of a Group Policy Object that includes settings for items that pertain to rights needed by users to perform system-related tasks.
FGPP
Fine-Grained Password Policies
A policy that can be applied to one or more users or groups of users, allowing the administrator to specify a more or less stringent password policy for the subset than the password policy defined for the entire domain.
KDC
Key Distribution Center
Used to issue Kerberos tickets to users for domain access.
PSO
Password Settings Object
A new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as msDS-PasswordSettings.
Administrative Templates
Files used to generate the user interface for the Group Policy settings that can be set using the Group Policy Management Editor.
ADMX
Windows Server 2008 Administrative Templates using the .admx extension.
asynchronous processing
A method of processing multiple scripts at the same time, without waiting for the outcome of a previously launched script to occur.
Block Policy Inheritance
A setting on a container object, such as a site, domain, or Organizational Unit, that will block all policies from parent containers from flowing to this container. It is not policy specific; it applies to all policies applied at parent levels.
Central Store
Single location in a SYSVOL directory containing Administrative Templates with the .admx extension.
Default Domain Controller Policy
A policy linked to the Domain Controllers OU; its settings affect all domain controllers in the domain.
domain GPO
A type of Group Policy Object associated with a domain.
Enforce
A setting on an individual GPO link that forces a particular GPO’s settings to flow down through the Active Directory, without being blocked by any child Organizational Units.
folder redirection
A setting that allows files to be redirected to a network drive for backup and makes them accessible from anywhere on the network.
GPO Inheritance
The process of applying Group Policy to all domains and the child objects contained within them.
GPC
Group Policy container
An Active Directory object that stores the properties of the GPO.
GPMC
Group Policy Management Console
The Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings.
GPO
Group Policy Object
Objects that contain all of the Group Policy settings that will be implemented on all user and computer objects within a site, domain, or OU.
GPT
Group Policy template
A folder located in the Policies subfolder of the SYSVOL share that stores policy setting, such as security settings and script files.
ROI
Return on investment
The amount of money gained (or lost) relative to the amount of money that was invested in a particular project or technology. Can be measured by tangible benefits, such as implementation costs and ongoing support. In addition, it can also be measured by intangible benefits, such as increased user productivity, and other factors that are difficult to measure from a financial standpoint.
TCO
Total cost of ownership
A value used to assess the cost of implementing computer software or hardware, both in terms of direct and indirect costs. TCO can be calculated based on how much ownership costs over the lifetime of a business resource.
WDS
Windows Deployment Services
A managed setting that can be defined or changed through Group Policies. This setting assists in rebuilding or deploying workstations quickly and efficiently in an enterprise environment.
Group Policy Management Editor
The Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings.
linking
A process that applies Group Policy settings to various containers within Active Directory.
local GPO
A type of Group Policy Object associated with the local computer.
Loopback Processing
A Group Policy option that provides an alternative method of obtaining the ordered list of GPOs to be processed for the user. When set to Enabled, this setting has two options: Merge and Replace.
LSDOU
The sequence used to process policies: local policies, site policies, domain policies and then Organization Unit policies.
Merge
A Loopback Processing option. After all user policies run, the computer policy settings are reapplied, which allows all current GPO settings to merge with the reapplied computer policy settings. In instances where conflicts arise between computer and user settings, the computer policy supersedes the user policy. This occurs before the desktop is presented to the user.
multiple local GPOs
A new feature in Windows Vista whereby administrators can specify a different local GPO for administrators and create specific GPO settings for one or more local users configured on a workstation.
node
A subcategory of Group Policy settings.
offline file storage
This feature works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible.
registry-based policies
Settings that provide a consistent, secure, manageable environment that addresses the users’ needs and the organization’s administrative goals.
Replace
A Loopback Processing option. This option overwrites the GPO list for a user object with the GPO list for the user’s logon computer. This means that the computer policy settings remove any conflicting user policy settings.
scripts
A managed setting that can be defined or changed through Group Policies. Scripts, including logon, logoff, startup, and shutdown commands, can assist in configuring the user environment.
security group filtering
An advanced technique that enables you to apply GPO settings to only one or more users or groups within a container by selectively granting the “Apply Group Policy” permission to one or more user or security groups.
software settings
A subnode within the Computer Configuration and User Configuration nodes. The Software Settings folder located under the User Configuration node contains settings that are applied to users designated by the Group Policy, regardless of the computer from which they log on to Active Directory.
starter GPO
A type of Group Policy that enables administrators to configure a standard set of items that will be configured by default in any GPO that is derived from a starter GPO. Starter GPOs are a new feature in Windows Server 2008.
synchronous processing
Processing method whereby each policy must be read and applied completely before the next policy can be invoked.
User Configuration
A Group Policy setting that enables administrators to customize the configuration of a user’s desktop, environment, and security settings. Enforced policies are based on the user rather than on the computer used.
Windows Settings
A subnode within the Computer Configuration and User Configuration nodes. The Windows Settings folder located under the Computer Configuration node in the Group Policy Management Editor contains security settings and scripts that apply to all users who log on to Active Directory from that specific computer. The Windows Settings folder located under the User Configuration node contains settings related to folder redirection, security settings and scripts that are applied to associated users.
What is the order of group policies?
1 Local Policies
2 Site Policies
3 Domain Policies
4 OU Policies
LSDOU
Comma-Separated Value Directory Exchange
CSVDE
The command line utility used to import or export Active Directory information from a comma-separated value (.csv) file.
Comma-Separated Values
CSV
Format that contains a comma between each value. The CSV format can be used to import and export information from other third-party applications.
LDAP Data Interchange Format
LDIF
The format for the data file containing the object records to be created.
LDAP Data Interchange Format Directory Exchange
LDIFDE
A command-line utility used to import or export Active Directory information and create, modify, and delete Active Directory objects.
Security Account Manager
SAM
A database containing user accounts and security information that is located on a server.
Windows Script Host
WSH
Allows scripts to be run from a Windows desktop or a command prompt. The runtime programs provided to do this are WScript.exe and CScript.exe, respectively.
access token
Created when a user logs on, this value identifies the user and all of the user’s group memberships. Like a club membership card, it verifies a user’s permissions when the user attempts to access a local or network resource.
Anonymous Logon
Special identity that refers to users who have not supplied a username and password.
authenticate
To gain access to the network, prospective network users must identify themselves to a network using specific user accounts.
authentication
The process of confirming a user’s identity using a known value, such as a password, a pin number on a smart card, or, in the case of biometric authentication, the user’s fingerprint or hand print.
authorization
The process of confirming that an authenticated user has the correct permissions to access one or more network resources.
batch file
Files, typically configured with either a .bat extension or a .cmd extension, that can be used to automate many routine or repetitive tasks.
built-in user accounts
The accounts automatically created when Microsoft Windows Server 2008 is installed. By default, two built-in user accounts are created on a Windows Server 2008 computer: the Administrator account and the Guest account.
distribution group
Non-security-related groups created for the distribution of information to one or more persons.
domain account
The accounts used to access Active Directory or network-based resources, such as shared folders or printers.
domain local group
A group used to assign permissions to resources that reside only in the same domain as the domain local group. They can contain user accounts, computer accounts, global groups, and universal groups from any domain, in addition to other domain local groups from the same domain.
dsadd
A command-line tool used to create, delete, view, and modify Active Directory objects, including users, groups and Organizational Units.
Everyone
A special identity group that contains all authenticated users and domain guests.
global group
A group used to grant or deny permissions to any resource located in any domain in the forest. Global groups can contain user accounts, computer accounts, and/or other global groups only from within the same domain as the global group.
group
A collection of user or computer accounts that is used to simplify the assignment of permissions to network resources.
group nesting
The process of configuring one or more groups as members of another group.
group scope
Group characteristic that controls which objects the group can contain, limiting the objects to the same domain or permitting objects from remote domains as well, and controls the location in the domain or forest where the group can be used.
group type
Group characteristic that defines how a group is to be used within Active Directory.
header record
The first line of the imported or exported text file that uses proper attribute names.
local account
The accounts used to access the local computer only. They are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers, nor do these accounts have domain access.
local group
A collection of user accounts that are local to one specific workstation or member server. Local groups are created in the security database of a local computer and are not replicated to Active Directory or to any other computers on the network.
nested
An object placed inside another object of the same type.
nested membership
When a group is placed in a second group, the members of the first group become members of the second group.
SAM account name
Each user’s login name, the portion to the left of the ‘@’ within a User Principal Name. The SAM account name must be unique across a domain.
security group
Security-related groups created for purposes of granting resource access permissions to multiple users.
special identity group
Group used to define permission assignments. Administrators cannot manually modify the group membership of special identity groups, nor can they view their membership lists.
Active Directory Migration Tool
ADMT
A free tool used to move objects between domains.
Delegation of Control Wizard
A simple interface used to delegate permissions for domains, Organizational Units, and containers.
dictionary attack
Automated password-cracking tools that try every possible combination of characters until the correct sequence of characters is finally discovered.
drag-and-drop
User interface enabling the user to drag an object and drop it on a target. This feature was introduced in Windows Server 2003.
dsmove
A command-line utility used to move an object from one location to another.
password
An alphanumeric sequence of characters entered with a username to access a server, workstation, or shared resource.
password-cracking
An attempt to discover a user’s password.
personal identification number
PIN
Typically consists of at least four characters or digits that are entered while presenting a physical access token, such as an ATM card or a smart card.
Run as Administrator
Option that enables administrators to maintain their primary logon as a standard user and create a secondary session for access to an administrative tool.
runas
A command-line tool that enables administrators to log on with alternate credentials.
Secondary Logon
A feature that provides the ability to log on with an alternate set of credentials to that of the primary logon.
strong password
A password that follows guidelines that make it difficult for a potential hacker to determine that user’s password. Password guidelines include a minimum required password length, a password history, requiring multiple types of characters within a password, and setting a minimum password age.