Advanced Windows Server Test 3
Folder redirection
A Group Policy feature that allows an administrator to set policies that redirect one or more folders in a user's profile directory
Key Distribution Center (KDC)
A component of Kerberos that uses the Active Directory database to store keys for encrypting and decrypting data in the authentication process.
Security Accounts Manager (SAM) database
A database on stand-alone and member computers that holds local user and group account information
Ticket-granting ticket (TGT)
A digital message used by Kerberos; grants an account access to the issuing domain controller, and is used to request a service ticket without having to authenticate again.
PDC emulator
A domain-wide Flexible Single Master Operation role that processes password changes for older Windows clients (Windows 9x and NT) and is used during logon authentication
RID master
A domain-wide Flexible Single Master Operation role that's responsible for issuing unique pools of RIDs to each DC, thereby guaranteeing unique SIDs throughout the domain.
Infrastructure master
A domain-wide Flexible Single Master Operation role that's responsible for making sure changes made to object names in one domain are updated in references to these objects in other domains
Group policy preference
A feature of Group Policy that contains settings organized into categories, which enables administrators to set up a baseline computing environment yet still allows users to make changes to configured settings.
Kerberos delegation
A feature of the Kerberos authentication protocol that allows a service to impersonate a client, relieving the client from having to authenticate to more than one service
Domain naming master
A forest-wide Flexible Single Master Operation role that manages adding, removing, and renaming domains in the forest
Schema master
A forest-wide Flexible Single Master Operation role that's responsible for replicating the schema directory partition to all other domain controllers in the forest when changes occur.
Nonauthoritative restore
A method of restoring Active Directory data from a backup that restores the database, or portions of it, and allows the data to be updated through replication by other domain controllers.
Authoritative restore
A method of restoring Active Directory data from a backup to ensure that restored objects aren't overwritten by changes from other domain controllers through replication
Published application
A method of software deployment in which the application isn't installed automatically; instead, a link to install the application is available in Control Panel's Programs and Features
GPO scope
A property of GPO processing that defines which objects a GPO affects.
10 hours
A service ticket by default lasts for how long?
Batch file
A text file containing a series of commands that's saved with a .bat extension
.mst
A transform file utilizes what file name extension?
Mutual authentication
A type of authentication in which the identities of both the client and server are verified.
Constrained delegation
A type of delegation that limits the delegation to specific services running on specific computers.
Unmanaged policy setting
A type of group policy setting that persists on the user or computer account, meaning it remains even after the computer or user object falls out of the GPO's scope.
Managed policy setting
A type of group policy setting whereby the setting on the user or computer account reverts to its original state when the object is no longer in the scope of the GPO containing the setting.
Relative identifier (RID)
A unique value combined with a domain identifier to form the security identifier for an Active Directory object.
Service account
A user account that Windows services use to log on with a specific set of rights and permissions
%systemroot%\PolicyDefinitions
ADMX and ADML files are placed under what directory within Windows?
Get-ADForest
An administrator needs to know which servers carry forest-wide roles. What PowerShell cmdlet can be used to display this information?
False
Before an RODC can be installed, the forest functional level must be at least Windows Server 2008.
180 days
By default, for how long are deleted objects stored within the Active Directory database before they are removed entirely?
Once per hour
By default, replication between DCs when no changes have occurred is scheduled to happen how often?
5 minutes
By default, the maximum tolerance for computer clock synchronization is set to what value?
7 days
By default, what is the maximum period during which a TGT can be renewed?
False
Every domain in a forest must have at least one global catalog server.
True
GPO enforcement is configured on a GPO, not on an Active Directory container.
Domain GPOs
Group Policy objects stored in Active Directory on domain controllers. They can be linked to a site, a domain, or an OU and affect users and computers whose accounts are stored in these containers.
Local GPOs
Group Policy objects stored on local computers that can be edited by the Group Policy Object Editor snap-in
The computer accounts must be in a non-default created OU
Group Policy updates can be forced using GPMC. What requirements exist for an administrator to be able to do this?
wbadmin start systemstaterecovery
How can an administrator initiate a system state recovery using the command line?
By using the Test-ADServiceAccount cmdlet
How can an administrator test an MSA to ensure that it can access the domain with its current credentials, or can be installed on a member computer?
Through subnets added to the site
How is a computer's designated site determined, such that the computer is given a domain controller to request services from within the same site?
Every 90 minutes
How often are computer and user policies applied after a user has logged into a computer?
12 hours
How often does garbage collection run on a DC?
False
If a package has been deployed to a computer and changes are made to the package, the package will be automatically reinstalled.
Slow link detection is disabled
If the slow link detection policy is set at 0, what does this indicate?
The resource must have proper permissions set for ComputerName$, where ComputerName is the name of the computer attempting to access the resource.
If using virtual accounts to access the network, how are permissions added to a network resource to allow the virtual account access?
dsadd
In addition to the New-ADUser PowerShell cmdlet, what other command line tool can be used to add users to Active Directory?
True
In order to connect two or more sites for replication purposes, a site link must be created.
gpupdate /force
In order to force a computer to immediately download and apply all group policies, what command should be run?
System
In the Computer Configuration node, what folder contains policies that can be used to affect general computer system operation settings, such as disk quotas and group policy processing?
True
Local GPOs are edited with the gpedit.msc tool.
Security templates
Text files with an .inf extension that contain information for defining policy settings in the Computer Configuration, Policies, Windows Settings, Security Settings node of a local or domain GPO
24
The Default Domain Policy sets the "Enforce password history" setting to what value by default?
42 days
The Default Domain Policy sets the maximum password age to what value?
6.2
The Windows 8 and Windows Server 2012 operating systems have an operating system version number of:
Kerberos
The authentication protocol used in a Windows domain environment to authenticate logons and grant accounts access to domain resources.
/sync
The gpupdate command in conjunction with which option below causes synchronous processing during the next computer restart or user logon?
Folder redirection
The option to turn off background processing is not available for which type of policy below?
Authenticated Users
The standard DACL for a package object assigns read permissions to what group by default?
Replay attack
Timestamps within Kerberos are used to help guard against what type of attack?
Computer Configuration\Policies\Administrative Templates\System\Group Policy
To find a full list of policies and preferences that can have background processing disabled, where should you look?
True
Software packages that are assigned to target computers are mandatory for installation.
wbsadmin.exe
Which option below is not one of the three main methods for cleaning up metadata?
Software installation policies
Which policy below requires synchronous processing to ensure a consistent computing environment?
DHCP
Which server role below can't be installed on a server that will be cloned?
Service ticket
Which type of ticket below is requested by an account when it wants to access a network resource, such as a shared folder?
Every 8 hours
With universal group membership caching, how often is the cached information on group membership refreshed?
True
Within the Logon properties window, a PowerShell script can be added to run when a user logs on or off.
ntds.dit
Within the NTDS folder, which file stores the main Active Directory database?
True
Although a user account must be unique throughout a domain, a user account can be the same within different domains in the same forest.
PDC emulator
An administrator has received a call indicating that user logons are no longer being accepted within a single domain in the forest. What FSMO role should be investigated?
True
On a slow link, policies involving folder redirection are not processed.
DEFAULTIPSITELINK
Once Active Directory has been installed, a default site is created. What is the name for this site?
True
Once an account has been given a TGT, it can request a service ticket to access a domain resource.
Account lockout threshold
Select below the Account Lockout Policy item that determines how many failed logins can occur on an account before the account is locked
Domain naming master
Select below the FSMO role that is required to be online to facilitate the addition or removal of a domain controller:
Perform Group Policy Modeling analyses
Select below the policy permission that grants a user or group the ability to use the GPO Modeling Wizard on a target container:
The Kerberos message is considered invalid
Using default settings, if a computer's clock differs by more than 5 minutes from a Kerberos message's timestamp, what happens?
Get-ADServiceAccount
What PowerShell cmdlet can be used to show an MSA's properties?
scwcmd.exe
What command can be used to convert an XML policy file into a GPO?
Basic
What option under the folder redirection settings redirects everyone's folder to the same location?
Read
What permission is given to the Enterprise Domain Controllers universal group on all GPOs by default, and grants permission to view settings and back up a GPO?
Always wait for the network at computer startup and logon
What policy setting can be used to force synchronous processing?
Unmanaged policy setting
What type of policy setting is persistent, remaining even after a computer or user object falls out of a GPO's scope until it's changed by another policy or manually?
True
When a user logs on to a domain, the client computer always tries to authenticate to a DC in the same site.
Template policy and current computer policy don't match
When working with policies in the Security Configuration and Analysis snap-in, what does an X in a red circle indicate?
Infrastructure master
Which FSMO role is responsible for ensuring that changes made to object names within one domain are updated in references to those objects in other domains?
-
Which character below can be legally used in a username?
Assigned application
A method of software deployment in which an application can be installed automatically when the computer starts, a user logs on to the domain, or a user opens a file associated with the application.
Tombstone lifetime
A period of time in which deleted Active Directory objects are marked for deletion but left in the database.
Template policy and current computer policy don't match
A policy setting within the Security Configuration and Analysis snap-in with a question mark in a white circle indicates which option below?
Managed service account
A service account that enables administrators to manage rights and permissions for services with password management handled automatically
False
Administrative template files are in HTML format, using the .admx extension.
Active Directory snapshot
An exact replica of the Active Directory database at a specific moment
The user account password expired
Approximately 42 days after a service was configured to use a normal user account, the service has stopped working and refuses to run. An administrator has verified that the account still exists on the domain. Assuming default domain policy settings, what could be the issue?
Shared Folders
In the User Configuration node, where can policies that determine whether a user can publish DFS root folders in Active Directory be found?
HKEY_LOCAL_USER
Settings under the User Configuration node affect what Registry key?
PDC emulator
The RID master FSMO role is ideally placed on the same server as what other role?
Control Panel
Under the Computer Configuration, which folder contains settings related to the Regional and Language Options, User Accounts, and Personalization options?
Key Distribution Center
What component of Kerberos is responsible for storing keys for encrypting and decrypting data in the authentication process?
Set-GPPermission
Which PowerShell cmdlet below can be used to set permissions for a security principal to a GPO or to all GPOs?
Policy doesn't exist on the computer
Within the Security Configuration and Analysis snap-in, what does an exclamation point in a white circle indicate?