Chapter 2 Active Directory, 1.5.3 Group Facts, 70 - 410 - Lesson 15, server final questions 91-113, 1. Overview of Active Directory, Active Directory, Active Directory, Active Directory, Active Directory, Active Directory, Active directory, Active di...


Which of the following is NOT an example of a special identity?

Dialup Service

Order the steps to delegate Administrative Control of an OU.
a. In the Users or Groups page, click Add.
b. Right-click the object over which you want to delegate control, and click Delegate Control.
c. In the Select Users, Computers, or Groups dialog box, type the name of the user or group to which you want to delegate control of the object, and click OK. The user or group appears in the Selected users and groups list.
d. Select the Tasks to delegate, whether common tasks or custom tasks. Set the delegated permissions for the user or group to which you delegate control.
e. From the Tools menu in the Server Manager window, select Active Directory Users and Computers.

EBACD

What are the types of functional levels?

Forest & Domain.

What enables you to assign permissions to multiple users simultaneously?

Groups

Global Catalog

It stores a full replica of every object within its own domain and a partial replica of each object within every domain in the forest.

What is one of the main characteristics of a forest?

It uses partitions to store and replicate information

Schema

Like the blueprint for Active Directory, it defines the attributes each type of object can possess, the type of data that can be stored in each attribute, and the object's place in the directory tree.

Can you delete default groups created by Windows Server 2012?

No, default groups cannot be deleted.

Where do DCs store information?

In an ntds.dit file

Give an example of an object.

User, computer, printer, group, shared folder.

Creator Owner and Authenticated Users are two examples of _______.

Special Identity

What is DNS?

The Internet's system for converting alphabetic names into numeric IP addresses. For example, when a Web address (URL) is typed into a browser, DNS servers return the IP address of the Web server associated with that name.

Local User

An account that can access only resources on the local computer and does not reside inside of the domain.

Why are sites used?

Used for organisations that have branches in different geographic locations but fall under the same domain.

OU

Which of the following is a container object within Active Directory?

Within a domain, the primary hierarchical building block is the _________.

organizational unit

Name 3 benefits of Active Directory

1. Automatic replication, 2. centralized administration, 3. single log-on for access to resources

Domain Controller

A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.

What are OUs?

A container that represents a logical grouping of resources.

Distribution

A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.

What is a domain tree?

A grouping of domains that share the same namespace

Domains

A logical grouping of network resources and devices that are administered as a single unit.

What is a domain?

A logical grouping of network resources and devices that are administered as a single unit.

Security

A security group is one that can be used to manage rights and permissions.
• Group members get the permissions that are granted to the group.
• A security group represents an object with a security identifier (SID), which, through the member attribute, collects other objects, such as users, computers, contacts, and other groups.

What is a Domain Controller?

A server that stores the Active Directory database and authenticates users on login.

What concept does AD use for managing resources on a Windows Network?

A tree concept

What directory services does Windows Server 2008 provide?

ADDS and ADLDS

What graphical tool can create user and computer accounts and was redesigned for Windows Server 2012?

Active Directory Administrative Center

What is Active Directory?

Active Directory identifies all resources in a network and makes them accessible to users.

What are attributes?

All AD objects have attributes that take unique or multiple values; these values describe the object's characteristics. For example, a user object in Active Directory will have attributes such as first name, second name, manager name, etc.

How do DCs behave in a site?

All DCs within the same site replicate info at regular intervals; depending on where you log in, the site will request the closest DC to perform an action.

What is an Application Partition?

Allows administrators to control what information is replicated to which domain controllers.

What does Microsoft recommend when creating OUs?

An OU structure no more than 10 levels deep

Domain User

An account that can access ADDS or network-based resources, such as shared folders and printers within a specified domain.

Order the steps to create an OU with Active Directory Administrative Center.
a. Click OK. The organizational unit object appears in the container.
b. In the left pane, right-click the object beneath which you want to create the new OU and, from the context menu, select New > Organizational Unit.
c. From Server Manager's Tools menu, select Active Directory Administrative Center.
d. In the Name field, type a name for the OU and add any optional information you want.

CBDA

What is the group scope for Domain Admins, Domain Controllers, and Domain Users default groups?

Global

What command-line utility can create new user accounts by importing information from a comma-separated value file?

CSVDE.exe

Trees

Collection of domains within an Active Directory that have a common relationship

Forest

Consists of one or more Active Directory trees that are in a common relationship

What is the Active Directory schema?

Contains formal definitions of each object class/attribute that exists in a forest/object

An administrator needs to grant an e-mail distribution group of 100 members access to a database. How would the administrator proceed? The e-mail group is obsolete and can be dissolved.

Convert the distribution group to a security group and then assign the group access permissions.

Active Directory

Directory service that houses information about all network resources

What is a Domain Partition?

Domain specific information that is replicated to all DCs within a domain.

Which of the following default groups is a universal group?

Enterprise Admins

Groups are security principals, meaning you assign access permissions to a resource based on membership to a group. OUs are for organization and for assigning Group Policy settings.

Generally, how do groups differ from OUs?

What is the primary difference between universal groups and global groups in Windows Server 2012?

Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.

Organizational Unit

Grouping of related objects within a domain so that objects can be under the same group policies

What are sites?

Groupings of IP subnets that duplicate information among domain controllers.

How do groups differ from OUs?

Groups are security principals, meaning you assign access permissions to a resource based on membership in a group. OUs are for organization and for assigning Group Policy settings.

Active Directory groups

Have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.

Group Policy

Hierarchical infrastructure that allows specific configurations for users and computers by the network administrator

Where does a forest sit in the Active Directory hierarchy?

Highest Level

Read-Only Domain Controller (RODC)

In Active Directory Domain Services, a domain controller that supports only incoming replication traffic. It cannot be modified but can be used for authentication.

Attributes

In Active Directory Domain Services, the individual properties that combine to form an object.

Users; Computers; Global groups

In a domain running at the Windows Server 2012 domain functional level, which of the following security principals can be members of a global group? (Choose all answers that are correct.)

Where are attributes defined?

In the schema

What is a key difference between a domain tree hierarchy and the organizational unit (OU) hierarchy within a domain?

Inheritance

Global (Group Scope)

Membership:
Global groups can contain members within the same domain. These include:
• Global groups in the same domain (in native mode only).
• Users and computers within the same domain.
Use global groups to group users and computers within the domain who have similar access needs.
Resource Access:
• Global groups can be assigned permissions to resources anywhere in the forest.
• Create global groups to organize users (e.g., Sales or Development).

Domain Local (group scope)

Membership:
Domain local groups can contain members from any domain in the forest. These include:
• Domain local groups in the same domain (in native mode only).
• Global groups within the forest.
• Universal groups within the forest (in native mode only).
• Users and computers within the forest.
Resource Access:
• Domain local groups can be assigned permissions within a domain.
• Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.

Universal (Group Scope)

Membership:
Universal groups can contain members from any domain in the forest. These include:
• Universal groups within the forest.
• Global groups within the forest.
• Users and computers within the forest.
Resource Access:
• Universal groups can be assigned permissions to resources anywhere in the forest.
• Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.

What is a forest?

One or more Windows domains

Container

Pre-built container objects used to organize objects in Active Directory. Does NOT allow for delegation of control or the ability to link GPOs.

What do OUs contain?

Printers, groups, shared folders

Name some forest partitions

Schema, Configuration, Domain, Global, Application.

Of the default groups created when Active Directory is installed, what are the types of those groups?

Security groups

Which of the following is NOT a group scope?

Security groups

Active Directory Domain Services (AD DS)

Server role in Active Directory that allows admins to manage and store information about resources from a network. Promotes server to domain controller.

Distinguished Name

The "file path" given to objects in Active Directory for locating them without a GUI.

What is KCC?

The Knowledge Consistency Checker (KCC) automatically checks for directory consistency throughout an Exchange site every three hours, or whenever you modify the directory, to ensure that the directory database is consistent throughout the organisation.

Be aware of the following when managing groups

The basic best practices for user and group security are:
• Create groups based on user access needs.
• Assign user accounts to the appropriate groups.
• Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
After creating a group, you may need to convert the group's scope and/or type.
• Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access.
• You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope.
• If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.

What are the different kinds of groups?

There are two types: security and distribution; and there are three group scopes: domain local, global, and universal.

What do domains contain?

They contain child domains and OUs.

There are two types: security and distribution, and three group scopes: domain local, global, and universal.

What are the different kinds of groups?

Dsmod.exe

What command-line utility allows administrators to modify groups' type and scope as well as add or remove members?

Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.

What is the primary difference between universal groups and global groups in Windows Server 2012?

What is the role of DNS in Active Directory?

When installed on a Windows Server, DNS uses a database or a file that contains a list of domain names and corresponding IP addresses.

Global to domain local; Universal to global

Which of the following group scope modifications are not permitted? (Choose all answers that are correct.)

Universal

Which of the following groups do you use to consolidate groups and accounts that either span multiple domains or the entire forest?

To create a permanent container that cannot be moved or renamed

Which of the following is not a correct reason for creating an OU?

What is Active Directory used in?

Windows 2000, Windows Server 2003, Windows Server 2008

Duplicating organizational divisions, assigning Group Policy settings, and delegating administration

Select the best reasons for using organizational units (OUs)?

Delegation of control

You are planning an Active Directory implementation for a company that currently has sales, accounting, and marketing departments. All department heads want to manage their own users and resources in Active Directory. What feature will permit you to set up Active Directory to allow each manager to manage his or her own container but not any other containers?

In Windows Server 2012, after a user logs on to Active Directory, a(an) ________ is created that identifies the user and all the user's group memberships.

access token

Members of a universal group can come ______.

from trusted forests

Like user accounts, there are both local and domain groups

• Local groups exist only on the local computer, and control access to local resources.
• Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.

To add or remove members of a group, use the following methods

• On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group.
• On the user account, edit the Member Of tab and select the group to which you want to add the user. The Member Of tab displays all of the groups of which the object is a member. Use this method to efficiently add a single user to multiple groups.

In addition to the group scope, there are two types of groups

• Security
• Distribution

Adding an object to the Member Of tab for a group makes the group a member of another group (it does not add members to the group).

• When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted. They are simply no longer associated with the group.
If you delete the group, use one of the following strategies to recover it:
• Re-create the group, add all the original group members, and reassign any permissions granted to the group.
• Restore the group from a recent backup.

What is a Group?

A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of individual user accounts helps simplify network maintenance and administration. For instance, through groups the users receive all the user rights assigned to the group and all permissions assigned to the group on any shared resources.

What is an object?

An instance of an object class

What is DNS used for in Windows Server 2012? (Name 3.)

1. Resolving IP addresses to host names and vice versa, 2. locating global catalog servers and DCs, 3. locating mail servers.

Of the key reasons for creating organizational units, which of the following is NOT one of them?

Assigning permissions to network resources

Order the steps to create a restricted groups policy.
a. Open the GPO in the Group Policy Management Editor and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder.
b. Right-click the Restricted Groups folder and from the context menu, select Add Group. The Add Group dialog box appears.
c. From the Tools menu in the Server Manager window, select Group Policy Management. The Group Policy Management console appears.
d. Create a new Group Policy object (GPO) and link it to your domain.
e. Type or browse to add a group object and click OK. The group appears in the Restricted Groups folder and a Properties sheet for the policy appears.
f. Click one or both of the Add buttons to add objects that should be members of the group, or other groups of which the group should be a member.

CDABEF

How does DNS work?

The client requests a website by typing a domain (URL) inside the web browser. The browser tries to resolve the domain to an IP address. The browser checks the local cache of the computer, and checks the local hosts file. If no record is found there either, it finally queries the DNS server. The DNS server returns the IP address to the client. The same series of events is usually followed when requesting access to resources within the local network and Active Directory, with the only difference that the local DNS server is aware of all internal hosts and domains.

What is the only OU created by default after installing Active Directory?

Domain Controllers OU

What are functional levels?

Higher functional levels will not allow older versions of Windows to function but will add additional functionality or features. For example, if you are sure that you will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process.

cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com

If the user named Amy is located in the sales OU of the central.cohowinery.com domain, what is the correct syntax for referencing this user in a command-line utility?

What is the main feature of DCs with regard to security and backup?

Replication

Name some Active Directory Standards

X.500 and LDAP

One of the group's members has the group set as its primary group; You do not have the proper permissions for the container in which the group is located.

You are attempting to delete a global security group in the Active Directory Users and Computers console, and the console will not let you complete the task. Which of the following could possibly be causes for the failure? (Choose all answers that are correct.)

