Chapter 4 Active Directory Server Pro: Install and Configure
Match each active directory component on the left with the appropriate description on the right.
A group of related domains that share the same DNS namespace- Tree A collection of related domain trees- Forest A server that holds a copy of the active directory database- Domain controller The process of copying changes between domain controllers- Replication A collection of network resources that share a common directory database-Domain Can make changes to the active directory database- Domain Controller
You manage a network with a single domain named east sim.com. The network currently has three domain controllers. During installation, you did not designate one of the domain controllers as a global catalog server. Now you need to make the domain controller a global catalog server. Which tool would you use?
Active Directory Users and Computers or Active Directory Sites and Services
You are network administrator for a multi-domain forest. Users in each domain have been trained to log in using their user principal name (UPN). Because of a recent policy change, you rename two of the domains in the forest. The number of help desk calls relating to user logon has increased in the last few days. Users are having a hard time remembering their UPNs. Management has asked you to devise a solution that will be easy for the users and require minimal effort on your part. What should you do?
Add an alternative User Principal Name (UPN) suffix to the forest. Configure all user accounts to use that suffix.
You are the administrator of a network with two Active Directory domains. Each domain currently includes 35 global groups and 75 domain local groups. You have been reading the Windows Server help files and have come to the conclusion that universal groups may be the answer to ease administrative management of these groups. You decide to incorporate universal groups. You want to make sure to not include changes to any group that will affect group member's assigned permissions. What should you do?
Add global groups to universal groups and then add those to domain local groups.
Match each Active Directory component on the left with the appropriate description on the right.
An object type that cannot be created, moved, renamed, or deleted- Generic Container A database that contains a partial replica of every object from every domain- Global Catalog Facilitates faster searches- Global Catalog A type of container object that can be created by the administrator- Organization Unit Identifies the types of objects that can exist in the tree- Schema Information about an object, such as a users name- Attributes
Your network has two sites as shown in the graphic. You want to configure Computer1 as a Global Catalog server. Which objects properties would you edit to accomplish this?
COMPUTER1> NTDS Settings
You manage a group of 10 Windows 8 workstations that are currently configured as a Workgroup. Which are advantages you could gain by installing Active Directory and adding the computers to a domain? Select two
Centralized authentication Centralized configuration control
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Shipping departments. User and computer accounts for each department are in their respective OU. At 5:30pm, you get a call from Mary Hurd, a user in the Sales department, stating that she can't log in. You use Active Directory Users and Computers and see the information shown in the image. You need to make sure Mary can log in. What should you do? (Select three.)
Change the log on hours to extend past 5:30pm, unlock Mary's account, Change Marys account to never expire
You are the network administrator for your company. You network consists of two active directory domains: research.westsim.local and sales.westsim.local. Your company has two sites: Dallas and Houston. Each site has two domain controllers, with one domain controller for each domain. Users in houston who are members of the sales.westsim.local domain report slow performance when logging in and accessing files in dallas. Users in dallas do not report any problems logging in and accessing local resources. You want all users in houston to experience adequate log on and resource response time. What should you do?
Configure one of the domain controllers in houston to be a global catalog server
You are the administrator of a multi domain Active Directory forest. You have a Universal Group called SalesExecs. This group has successfully been used as an email distribution group. Later, you try to assign the group permissions to a shared folder, but SalesExecs does not appear as a choice. What should you do?
Convert the SalesExecs group from a Distribution group to a Security group.
You are the administrator for ABC Corporation. The network has a Single Active Directory domain called xyz.com. The Sales team has a shared folder on Srv1 that is used to hold sales contract information. You need to control access to this folder so that only members of the Sales team can access the folder. You create a group called Sales and add all members of the sales team as members of the group. However, when you go to assign permissions to the shared folder, the Sales group you created does not show in the list of available objects. You check the properties of the group and find the details shown in the image. You need to assign permission to the sales team as quickly as possible. What should you do?
Convert the group to a security group.
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Shipping departments. User and computer accounts for each department are in their respective OU. Organizational units have been created for the Accounting, Sales, and Shipping departments. User and computer accounts for each department are in their respective OU. Mary Hurd is a manager in the Sales Department. Mary is a member of the Managers global group. This group also has members from other Organizational Units. The Managers group has been given the Read share permission to the Reports shared folder. Mary's user account (mhurd) has also been given the Change share permission to the Reports shared folder. You need to create several new user accounts that have the same group membership and permission settings as the mhurd user account. You want to complete the configuration with as little effort as possible. What should you do?
Copy the mhurd user account. Assign the new account the Change share permission to the Reports shared folder
You've just deployed a new Active Directory domain, as shown in the fig. below. You now need to deploy Group Policy object (GPOs) to apply configuration settings and enforce security policies.
Corp Domain Controllers
You are the domain administrator for a single domain forest. You have 10 file servers that are member servers running Windows Server 2012 R2. Your company has designed its top level OU structure based on the 15 divisions for your company. Each division has a Global security group containing the user account for division managers. You have folders on your file servers that all division managers should have permission to access. For some resources all division managers will need Full Control, but for others they will only need Read or Change permissions. You need a group strategy that will facilitate the assignment of permission but minimized administrative effort. What should you do?
Create a Global group called AllMgrs; make each of the existing division managers groups a member.
You are the domain administrator for a single domain forest. Your company has based its top level OU structure on the four divisions for your company; Manufacturing, Operations, Marketing, and Transportation. Each division has a Global security group containing the user accounts for division managers. You want to have a single group that can be used when you need grant access to resources to all of your organization's managers. What should you do? (Choose two.)
Create a Universal security group called AlMgers and make each of the existing division manager groups a member, Create a Global security group called AllMgrs and make each of the existing division manager groups a member.
You manage a single domain named widgets.com. Organization Units (OUs) have been created for all company departments. Computer and user accounts have been moved into their corresponding department OUs. The CEO has requested the ability to send e-mails to managers and team leaders. He'd like to send a single e-mail and have it automatically forwarded to all users in the list. Because the e-mail list might change frequently, you do not want the e-mail list to be used for assigning permissions. What should you do?
Create a distribution global group. For each user on the e-mail list, make their user account a member of the group.
You get a call from a user one day telling you that his password no longer works. As you inquire about the reasons why the password doesn't work, he tells you that yesterday he got call from administrator asking for his user account and password, which he promptly supplied. You know that a legitimate administrator would have never made this request this request. You are concerned that impersonator might have contracted other users with the same request. To protect your network, you would like to reset all user account passwords, and force users to change their passwords at next logon. You want to accomplish this as quickly as possible. What should you do? (Select two.)
Create a script that runs Dsmod. Specify the new password and account properties in the script. Run the script, Run Ldifde to export user accounts information. Edit the .ldif file to modify the user account properties and passwords. Run Ldifde to modify the existing user accounts.
You are the network administrator for your company. Your company has three standalone servers that run Windows Server 2012 R2. All servers are located in a single location. You have decided to create a single Active Directory domain for your network. Currently, each department has one employee designated as the department's computer support person. Employees in this role create user accounts and reset passwords for the department. As you design Active Directory, you want these users to maintain their responsibilities. You must not give these users more permission that they need. What should you do?
Create an OU structure where each department has its own OU. Use the Delegation of Control wizard to grant each computer support user appropriate permissions to their department OU's
You are in charge of designing the Active Directory tree. You have a small company that has only one location. You have determined that you will have approximately 500 objects in your completed tree. The tree design has been the subject of some controversy. In preliminary meetings, you have determined that there are four primary areas of the company: Accounting, Manufacturing, Sales, and Administration. Each area is autonomous and reports directly to the CEO. In meetings on the Active Directory tree design, the manager of each area wants to make sure that some management control of their users and resources remains in the department. What should you do?
Create an Organizational Unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.
You are the administrator for a network with two domains: westsim.com and sales.westsim.com. You have a shared folder called Reports on the Sales 1 server in the sales.westsim.com domain. The ff. two users need access to this shared folder: o Mark in the westsim.com domain o Mary in the sales.westsim.com domain You create a global group called Sales in westsim.com. You grant this group the necessary permissions to the Reports shared folder. You add Mark as a member of the group; however you are unable to add Mary as a group member. What should you do? (Select two.)
Delete the existing group. Create a domain local group in sales.westsim.com. Add Mark and Mary as members and assign permissions to the share, Convert the group to a universal group.
You are the network administrator for an active directory first with a single domain. The network has three sites with one domain controller at each site. You have created and configured sites in active directory sites and services, and replication is operating normally between sites. You configure two universal groups for use in securing the network. All users are members of one universal group or the other. After configuring the universal groups, users at sites 2 and 3 report slow login and slow access to the corporate database. Users at sire 1 can log in and access the corporate database with acceptable performance. You want to improve login and resource access performance for users in sites 2 and 3. What should you do?
Designate the domain controllers at site 2 and 3 as global catalog servers.
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Support departments. User and computer accounts for each department are in their respective OU. The Support department has very high turnover. Nearly every week you need to add new user accounts. All user accounts have the same Department and Fax Number settings. Each user account must also have permission to the Orders shared folder. You want to create a template account to use when creating new accounts in the future. You want to create a template account to use when creating new accounts in the future. What should you do? (Select three.
Disable the user account Create a group called Support. Make the template account a member of the Shipping group. Assign permissions for the group to the Orders shared folder Create a user account with the Department and Fax Number settings.
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Shipping departments. User and computer accounts for each department are in their respective OU. Maria Hurd is going on a 7 week sabbatical and will not be in to work during that time. You would like to secure her user account to prevent it from being used to access network resources while she is away. What should you do?
Disable the user account.
When Active Directory is installed, several containers are created by default. Which default container would you be able to apply a Group Policy to?
Domain Controllers OU
You are the manager of the eastsim.com domain. Your Active Directory structure has organizational units (OUs) for each company department. You have several assistant administrators who help manage Active Directory objects. For each OU, you grant one of your assistants Full Control over the OU. You come to work on morning to find that while managing some user accounts, the administrator in charge of the Sales OU has deleted the entire OU and all of its objects from a recent backup. You want to make sure that your assistants can't delete the OUs they are in charge of. What should you do? (Select two.)
Edit the properties for each OU to prevent accidental deletion, Remove Full Control permissions from each OU. Run the Delegation of Control wizard for each OU, granting permissions to perform the necessary management tasks.
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for Accounting, Sales, and Shipping departments. User and computer for each department are in their respective OU. At 5:30pm, you get a call from Mary Hurd, a user in the Sales department, stating that she can't log in. You use Active Directory Users and Computers and see the information shown in the image. You need to make sure Mary can log in. What should you do?
Enable Mary's account.
You are the administrator for a small company, which uses a single Windows Server 2012 R2 to host a single domain. All client computers run Windows 8. Mary Hurd, a user in the Sales department, calls and reports that she is unable to log in using her computer (Sales1). You use Active Directory Users and Computers and see the screen shown in the image. You need to allow Mary to log in. What should you do?
Enable the computer account.
Match each default Active Directory
Holds the default service administrator accounts - Built-in container The default location for new user accounts and groups - User container The default location for domain controller computer accounts - Domain Controller OU The root container to the hierarchy - Domain container The default location for workstations when they join the domain - Computers container
You are the manager of the eastsim.com domain. Your two domain controllers have been upgraded to Windows Server 2012 R2. Your active Directory structure has organizational units (OUs) for each company department. You have several assistant administrators who help manage Active Directory objects. For each OU, you grant one of your assistants Full Control over the OU. You come to work on morning to find that while managing some user accounts, the administrator in charge of the Sales OU has deleted the entire OU. You restore the OU and all of its objects from a recent backup. You want to configure the OU to prevent accidental deletion. You edit the OU properties, but can't find the Project object from accidental deletion setting. What should you do so you can configure this setting?
In Active Directory Users and Computers, select View > Advanced Features.
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for Accounting, Sales, and Shipping departments. User and computer for each department are in their respective OU. You have hired a temporary worker named John Miller to work in the Shipping department during the holidays. John should only be allowed to log on to the Ship01 workstation and no others. What should you do?
In John's user account, add Ship01 to the Log On To list.
You are the domain administrator for north.westsim.com, which is a child domain in the westsim.com. You have a high-end color laser printer that is shared in the north.westsim.com Because of the high price per page you have removed the print permission from the Everyone group. You need to grant the print permissions to marketing users in the north.westsim.com east.westsim.com and west.westsim.com domains. What should you do?
In the North domain create a Domain local group called CLR-PRT. In all three domains create a Global group named Marketing. Add all three groups to the North CLR-PRT group and assign the print permission to the group.
Drag the Active directory term on the left to their corresponding definition on the right.
Logical organization of resources- Organization Unit Collection of network resources- Domain Collection of related domain trees- Forest Resource in the directory- Object Group of related domains- Tree
You are the network administrator for westsim.com. The network of a single Active Directory domain. All the servers run Windows Server 2012 R2 and all the clients run Windows 8. There is one main office and seven branch offices. You have been asked to create a script that can be used in the event of a disaster that destroys the entire network. The script must be able to re-create the company's Active Directory users, computers and groups, as well as sites and subnet objects. Which command should you use in your script?
New-ADObject.
You manage user accounts in the southsim.com domain. Each department is represented by an Organizational Unit (OU). Computer and user accounts for each department have been moved to their respective OUs. You want to control access to a new color printer named ColorMagic. To do this, you create the ff. groups: o A domain local group named ColorMagic-DL o A global group named Sales-GG You want all users in the sales department to have access to the new printer. What should you do? (Select three.)
On the ColorMagic printer object, assign permissions to the ColorMagic-DL group, On the Members Of tab for the Sales-GG group, add the ColorMagic-DL group, On the Members tab for the Sales-GG group, add all users accounts.
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the client run Windows 8. A user named Mary Merone is working on location in Africa. She calls to report that her laptop has failed. The hardware vendor replaced the laptop and now you need to join the new computer to the domain. However, there is no connectivity from the current location of the domain. You must ensure that the laptop is joined to the domain immediately even if it cannot be physically connected to a domain controller. What should you do first?
Prepare the computer to perform an offline domain join by creating an Active Directory account for the computer using the Djoin /provision command.
You have just ordered several laptop computers that will be used by members of the programming team. The laptop will arrive with Windows 8 pre-installed. You want the computer account for each new laptop to be added to the Developer OU in Active Directory. You want each programmer to join his or her new laptop to the domain. What should you do?
Prestage the computer accounts in Active Directory. Grant the programmers the right to join the workstation to the domain.
You are the administrator for a small network. You have approximately 50 users who are served by a single Windows Server 2012 R2 computer. You are providing Active Directory, DNS, and DHCP with this server. Your clients all use Windows 8. Last week an employee quit. A replacement has been hired, and will be starting next Monday. The new user will need to have access to everything the previous user had, including documents files held in the home folder. You need to set up an account for the new user, providing all access required. What should you do?
Rename the existing account, changing the name fields to match the new employee.
You have a laptop that you use for remote administrator from home and while traveling. The laptop has been joined to the domain using the name of AdminRemote. The processor in your laptop overheated one day, causing extensive damage. Rather than repair the computer, you purchase a new one for your use. The computer arrives and you edit the system properties and name it AdminRemote. When you try to join the computer to the domain, you receive an error message and are unable to proceed. What should you do?
Reset the computer account in Active Directory.
You are the administrator for a large, single-domain network. You have several Windows Server 2012 R2 domain controllers and member servers, with a few Windows Server 2008 member servers. Your 3500 client computers are a mix of Windows 7 Professional and Windows 8. Today, one of your users has called for help. It seems that his computer is reporting that a trust cannot be established between his Window 7 computer and the domain controller. He is unable to log on to the domain. You examine the computer's account in using Active Directory Users and Computers and there is nothing obviously wrong. You need to allow this user to log on to the domain. What should you do?
Reset the computer account, and rejoin the domain.
Prior to installing Active Directory on your network, you set up a test network in your lab. You created several user accounts that correspond to actual network users. Now that your test is done, you'd like to move all user accounts from your test network to a new domain that you've just installed. You decided to use the Ldifde command to import the user accounts into the production domain. You want to set passwords for the new user accounts. You want to use the least amount of effort as possible. What should you do?
Run Ldifde to export the user accounts. Run Ldifde to import the user accounts. Edit the .ldif file to specify user accounts passwords. Run Ldifde to modify the existing accounts.
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Shipping departments. User and computer accounts for each department are in their respective OU. Maria Hurd is going on a 7 week sabbatical and will not be working during that time. You would like to secure her user account to prevent it from being used to access network resources while she is away. What should you do?
Set an account expiration time for the last day Maria will be in the office.
You are the administrator of a network with single Active Directory domain. The domain currently includes 75 user accounts in the domain User container. You have list of new user account that include an IP telephone number. The user accounts are available via an export from your company's HR application in the form of a comma-delimited file. You want to create the new accounts as quickly and easily as possible. What should you do?
Use Csvde to import user accounts using the .csv file.
You manage user accounts in the southsim.com domain. Each department by an Organizational Unit (OU). Computer and user accounts for each department have been removed to their respective OUs. When a new employee in the sales department is hired, you create the user account, add to multiple groups, assign the user permissions to the sales contact database, and configure permissions to home and shared folders. Because of high turnover, you find that as users leave the organization, you spend several hours tracking down file ownership and reassigning permissions to other users. You would like to simplify this process. What should you do?
Use a programming language to create a deprovisioning solution. Write scripts or routines that run automatically when the user account is deleted to reassign ownership and permissions.
You are the administrator for WestSim Corp. The network has single domain, westsim.com Five domain controllers, all running Windows 2008 server are located on the network. The Active Directory Structure is shown in the image. All user and computer accounts have been placed in the department OUs. Main offices are located in Orlando, with additional offices in Boston and New York and a small branch office in Chicago. There are three departments within the company: Sales, Marketing, and Accounting. Employees from each department are at each location. You want to appoint an employee in each department to help with changing passwords for users within their department. They should not be able to perform any other tasks. What should you do?
Use the Delegation Control wizard. Grant each user administrators permissions to modify passwords for their department OU.
You are the administrator of a network with single Active Directory domain. The domain currently includes 75 user accounts. You have been asked to add 50 additional accounts. Your Human Resources manager has an existing database of employees that can be imported to Active Directory. You would like to use an automated method for data import if possible. What should you do? (Select two.)
Use the Ldifde.exe, Use the Csvde.exe
Consider the text file shown in the exhibit. Which tool would you use to process this file to make changes to Active Directory?
csvde.
You are the administrator of a network with a single Active Directory domain. You would like to create a script to distribute to the Help Desk support staff for their needs when creating domain user accounts. The Help Desk staff will input various user account values will be used in the script. Which of the ff. commands should you script include?
dsadd
You are the administrator of a network with a single Active Directory domain. The domain includes a user named Bob Smith. You have been asked by the network security group to provide a listing of all the domain groups to which Bob Smith is a member. You would prefer to use a command-line utility so that the output can be saved and printed. Which command should you use?
dsget
You manage a Windows Server 2012 R2 system that is an Active Directory domain controller for your organization. You need to use command-line tools to generate a list of all users in the domain and then view the value of the Office property of each user. Which command should you use?
dsquery user -name * | dsget user -display -office
You need to use a PowerShell to generate a list of all Active Directory computers accounts located in just the Computers container (cn=Computers,dc=testoutdemo,dc=). Which cmdlet should you use?
get-adcomputer -filter * -SearchBase "cn=Computers,dc=testoutdemo,dc=com"
You are network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2 and all the client run Windows 8. The company is opening a new branch office in New York which will have one hundred new users. All the information on the new accounts is contained in a file named branch.csv, which specifies a unique name and password for each user. You need to run a script to successfully create the new accounts contained in the branch.csv file. The new accounts must be assigned the appropriate passwords as contained in the branch.csv file. What command should you run? (Select two.)
import-csv, new-ADUser.
Consider the text file shown in the exhibit. Which tool would you use to process this file to make changes to Active Directory?
ldifde
You manage a Windows Server 2012 R2 system that functions as your company's domain controller. Your organization was recently acquired by a larger organization and the company name has changed as a result. You need to modify the Company property of each user account in Active Directory. Which tools could you use to make this change? (Select two.)
ldifde dsmod
You manage a Windows Server 2012 R2 system that functions as your company's domain controller. You want to test a new network application in a lab environment prior to rolling it on to your production network. To make the test realistic, you want to export all Active Directory objects from your production domain controller and import them to a domain controller in the test environment. Which tools could you use to do this? (Select two.)
ldifde, csvde.
You have a laptop that you use for remote administrator from home and while traveling. The laptop has been joined to the domain using the name of AdminRemote. The processor in your laptop overheated one day, causing extensive damage. Rather than repair the computer, you purchase a new one for your use. The computer arrives and you edit the system properties and name it AdminRemote. When you try to join the computer to the domain, you receive an error message and are unable to proceed. You want the new computer to be joined to the domain using the same name as the old computer. Which commands should you run?
netdom reset, then netdom join
You are the administrator for a network with two domains: westsim.com and branch.westsim.com. User accounts for the sales team are in both domains. You have a shared folder called Reports on the Sales1 server in the westsim.com domain. You also have a shared folder called Contacts of the Sales6 server in the branch.westsim.com domain. All sales users need access to both shared folders. You need to implement a group strategy to provide access to the necessary resources. What should you do?
o Create a global group in each domain. Add users within each domain to the group. o Create a universal group in westsim.com o Add the global groups for each domain to the universal group. o Add the universal group to domain local groups in each domain. o Assign permissions to the domain local groups.