Windows Server 2012 Exam 2, 2. Active Directory Administration, Windows Server Chapter 6, 70-640 : Windows Server 2008 Active Directory Configuration (Ch.1), Windows Server Chapter 6, Chapter 6 Terminology, Tools 4.2
What is the key benefit to using ADAC or the active directory users and computers console?
C: ADAC allows you to modify the properties of multiple users or multiple computers at once
What is the simplest way for admins to upgrade their active directory domain services infrastructure to win server 2012?
C: Add a new win server 2012 server to your existing directory services installation
Which of the following are the two built in user accounts created automatically on a computer running win server 2012?
C: Administrator , D: Guest
At which layer of the OSI model does DHCP operate?
C: Application layer
Which of the following is not one of the techniques you can use to provide fault tolerance for DHCP servers?
C: DHCP servers using identical scopes
Which of the following DHCP message types is sent first in the process of obtaining an address lease?
C: DHCPDISCOVER
What is the first domain installed in a new active directory forest called?
C: Domain tree root
Select the best reasons for using OUs
C: Duplicating organizational divisions, assigning group policy settings, and delegating administration
When using Netdom.exe to join an account, you may add the parameter [/OU:OUDN]. If this parameter is left out, where is the object placed?
C: In the computers container
An Active directory functional level must be low enough to ensure interoperability between domain controllers running different versions of Win Server. How does the functional level affect the AD forest?
C: Lower function level means fewer features available
Which of the following types of DHCP address allocation is the equivalent of a reservation in win server 2012?
C: Manual allocation
What is required by DNS for active directory to function?
C: SRV records support
What are the dangerous consequences of a poorly chosen time to live?
C: Specifying a TTL that is too short can overburden root name and top level domain servers with requests
One method a DHCP server allocates IP addresses is called manual allocation. This process involves manually assigning an IP address to a particular server. What is the key benefit of DHCP manual allocation over manually configuring the address directly on the server?
C: This process prevents accidental duplication of permanently assigned IP addresses.
If the user named Amy is located in the sales OU of the central.cohowinery.com domain, what is the correct syntax for referencing this user in a command line utility?
C: cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com
Which of the following utilities do you use to perform an offline domain join?
C: djoin
Which of the following is not a type of user account that can be configured in win server 2012?
C: network accounts
The following is an administrative grouping of scopes that is used to support multiple logical subnets on a single network segment:
C: superscope
Default SYSVOL Location
C:\Windows\SYSVOL
Order the steps to create an OU with Active Directory Administrative Center. a. Click OK. The organizational unit object appears in the container. b. In the left pane, right-click the object beneath which you want to create the new OU and, from the context menu, select New > Organizational Unit. c. From Server Manager's Tools menu, select Active Directory Administrative Center. d. In the Name field, type a name for the OU and add any optional information you want.
CBDA
Order the steps to create a restricted groups policy. a. Open the GPO in the Group Policy Management Editor and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder. b. Right-click the Restricted Groups folder and from the context menu, select Add Group. The Add Group dialog box appears. c. From the Tools menu in the Server Manager window, select Group Policy Management. The Group Policy Management console appears. d. Create a new Group Policy object (GPO) and link it to your domain. e. Type or browse to add a group object and click OK. The group appears in the Restricted Groups folder and a Properties sheet for the policy appears. f. Click one or both of the Add buttons to add objects that should be members of the group, or other groups of which the group should be a member.
CDABEF
The LDIFDE.exe utility is most similar to what other utility?
CSVDE.exe
Global
Can have access to any domain in forest
GPO Linking
Can link to sites, domains, and OUs.
Active directory
Central repository of networked device information
You manage a group of 10 Windows 8 workstations that are currently configured as a Workgroup. Which advantages could you gain by installing Active Directory and adding the computers to a domain? (Select two.)
Centralized configuration control, Centralized authentication
What can create, validate and revoke public key certificates for internal uses of an organization?
Certificate Services.
You have installed the Microsoft FTP Server service on a Windows Server 2012 R2 host that is a member of the WestSim.com domain. The properties of this service are shown in the exhibit. You want the FTP Server service to log on and run on the system as a virtual service account named FTPSVC. What should you do?
Click the LOG ON tab in the properties of the Microsoft FTP Service. Specify a logon account of NT SERVICE/FTPSVC
How do you reset user passwords?
Click the 'search' icon that says "Find object in Active Directory Domain Services". Upon finding the user, right-click and select 'Reset Password'.
PDC Emulator
Manages password changes for computer and user accounts on replica domain controllers. Target DC for Group Policy updates. Time keeper for domain.
How does DNS work?
Client requests a website by typing a domain (URL) inside the web browser. The browser tries to resolve the domain to an IP address. The browser checks the local cache of the computer, and checks the local hosts file. If no record is found there either, it finally queries the DNS server. The DNS server returns the IP address to the client. The same series of events is usually followed when requesting access to resources within the local network and Active Directory, with the only difference that the local DNS server is aware of all internal hosts and domains.
Cluster
Cluster typically refers to a collection of servers working together. This can include the DC, Federated Server, and the WAP. This is a little more of a general term for "a few servers", so it's not super important.
Domain Naming Master
Manages the addition and removal of all domains, regardless of the domain, in the forest
Trees
Collection of domains within an active directory that have a common relationship
Domain
Collection of objects that share the same database. Administrator would change Joe's password once centrally, and every domain machine automatically recognizes the change.
What is a tree?
Collection of one or more domains and domain trees in a contiguous namespace, and is linked in a transitive trust hierarchy.
What is a forest?
Collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.
Domain Naming Master
Manages the addition and removal of all domains, regardless of the domain, in the forest hierarchy
CN
Common Name
Consider the Domain shown in the example below
Mary Bones Mary Hurd
schema
Master database that contains definitions of all objects in the Active Directory.
Global (Group Scope)
Membership: Global groups can contain members within the same domain. These include: • Global groups in the same domain (in native mode only). • Users and computers within the same domain. Use global groups to group users and computers within the domain who have similar access needs. Resource Access: • Global groups can be assigned permissions to resources anywhere in the forest. • Create global groups to organize users (e.g., Sales or Development).
Domain Local (group scope)
Membership: Domain local groups can contain members from any domain in the forest. These include: • Domain local groups in the same domain (in native mode only). • Global groups within the forest. • Universal groups within the forest (in native mode only). • Users and computers within the forest. Resource Access: • Domain local groups can be assigned permissions within a domain. • Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
Universal (Group Scope)
Membership: Universal groups can contain members from any domain in the forest. These include: • Universal groups within the forest. • Global groups within the forest. • Users and computers within the forest. Resource Access: • Universal groups can be assigned permissions to resources anywhere in the forest. • Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.
Active Directory (AD)
Microsoft's directory service, which is a central database of all network resources, is used to manage the network and provide users with access to resources.
Active Directory (AD)
Microsoft's network directory service. Contains the objects tracked and managed by the network - includes objects such as users, groups, computers, servers, printers. Is a central repository of networked device information for querying, updating, and authenticating against the data. Used to search for printers or contacts. Dependent on DNS.
What Database does IAM work off of?
Minimum: SQL Server Standard 2012 R2 or higher Recommend: SQL Server Standard 2016 or higher
You are the network administrator for your company. Your network consists of two Active Directory domains: research.westsim.local and sales.westsim.local. Your company has two sites: Dallas and Houston. Each site has two domain controllers, with one domain controller for each domain. Users in Houston who are members of the sales.westsim.local domain report slow performance when logging in and accessing files in Dallas. Users in Dallas do not report any problems logging in and accessing local resources. You want all users in Houston to experience adequate log on and resource access response time. What should you do?
Configure one of the domain controllers in Houston to be a global catalog server.
You are the network administrator for northsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. The company has one main office and several small branch offices. The branch offices do not have any on-site network administrators. You are preparing to deploy servers to each of the branch offices. Security is a concern. You must ensure that the passwords for only the members of the branch office are cached on the branch office domain controllers. You must also ensure that data stored on the branch office servers cannot be compromised, even if a hard drive is stolen. What should you do?
Configure the branch office servers as Read-Only Domain Controllers (RODCs) and install the Bitlocker feature.
What is an external trust in AD?
Connects to other forests or non-AD domains. Nontransitive, one- or two-way.
You and Sammy are creating an organizational unit structure and user accounts for the education.westsim.com domain. You created ACTG, PROD, and SALES organizational units on Server 1. Fifteen minutes later, you change the name of the ACTG organizational unit to ACCT. Before replication finishes, Sammy uses Server 2 to add several user accounts to the ACTG organizational unit. You check the ACCT OU to find the user accounts are not there. What should you do?
Move the user accounts from the LostAndFound container to the ACCT container
Your network has two sites as shown in the graphic. You want to configure Computer1 as a Global Catalog server. Which object's properties would you edit to accomplish this?
NTDS Settings
Your network has two sites as shown in the graphic. You want to configure Universal Group Membership Caching. Which object's properties would you edit to accomplish this?
NTDS Site Settings
Authentication protocols supported by Active Directory Service
NTLM and Kerberos
Concepts of Active Directory
Namespace, Object, Container, Schema, Global Catalog, Partition
Forest
Consists of one or more Active Directory trees that are in a common relationship
A _______ cannot logon or access the domain or network or be assigned permissions
Contact
Contain other objects like Users, Computers, OU, etc.
Container Object
Administrative Templates
Contains registry based Group Policy settings that are used to configure the computer environment, such as Control Panel, Printers, System, and Windows Components.
Contoso has an O365 tenant. The company has two servers named Server1 and Server2 that run Windows 2012 R2 Server. The servers are not joined to the contoso.com domain. Server2 is deployed to the perimeter network. You install Secure Sockets Layer (SSL) certificates on both servers. You deploy internal and external firewalls. All firewalls allow HTTPS traffic. You must deploy single sign on and ADFS. You need to install and configure all ADFS components. Which four actions should you perform in sequence?
Join Server1 to the contoso.com domain. Install and configure ADFS on Server1. Run the following cmdlet on Server2: Install-WindowsFeature. Run the following Windows cmdlet on Server2: Install-WebApplicationProxy
Domain Controller
Controls Active Directory services (stores all the information for user accounts and computer accounts). You can add user accounts and computer accounts, which are added to the database of the domain controller. The information will be entered into the schema (database) of the domain controller. Example: username, password, email, office number under (User Account Schema). Computer account: computer name, SID. SCHEMA IS EXTENDABLE: third-party software may go into the Domain Controller and add bits of information into the Schema. Bottom Line: Domain controllers are the servers that control Active Directory Domain Services.
An administrator needs to grant an e-mail distribution group of 100 members access to a database, how would the administrator proceed? The e-mail group is obsolete and can be dissolved. Assign the necessary access permissions to the database to the distribution group. Create a new group with the 100 members, then assign permissions. Remove the distribution group, and then convert the members into a universal group, granting access permissions. Convert the distribution group to a security group and then assign the group access permissions.
Convert the distribution group to a security group and then assign the group access permissions.
C
Country Name
You manage a Windows Server 2012 R2 server that stores user data files. The system volume is drive C:, while all user data is on drive E:. You want to use Windows Server Backup to configure a backup schedule. You want to back up only the E: volume twice a day. You want to be able to restore individual files and folders. If possible, you want to save backups on optical media so you can place the backup disc in a media catalog server for easy retrieval. What should you do?
Create a Scheduled Task that runs wbadmin start backup. Save the backup to an external hard disk.
Your organization runs a Hyper-V hypervisor on Windows Server 2012 R2 that hosts several Windows Server 2012 R2 virtual domain controllers. You want to add an additional virtual domain controller. Instead of installing a new Windows Server 2012 R2 virtual machine and promoting it to be a domain controller, you decide to simply copy one of the existing virtual domain controller's virtual machine files. Prior to cloning the source virtual machine, you need to check it for installed applications and services that aren't compatible with the cloning process. Which PowerShell cmdlet can you use to do this?
New-ADDCCloningConfigFile
You are working in PowerShell on a Windows Server 2012 domain controller. You need to create a group managed service account that will be used by a new service that only you will install later on the server. Which cmdlet should you use to do this?
New-ADServiceAccount
You are the network administrator at eastsim.com. The organization owns 8 restaurants located in California. The network consists of a single Active Directory domain. There is one domain controller and one database server located in each restaurant. The domain password policy requires the use of complex passwords that must be changed every 30 days. After implementing a new third party backup system the backups run without problems for the first month and then begin failing regularly. You determine that the failure is due to an expired password on the service account being used by the third party backup software. You must reconfigure the software to perform successful backups. Your solution should maintain current security standards and avoid future backup failures, while using the least amount of administrative effort. What should you do?
Create a managed service account. Then you should configure the backup software to use the managed service account.
Which of the following is a PowerShell cmdlet for creating user objects?
New-ADUser
Your organization runs a Hyper-V hypervisor on Windows Server 2012 R2 that hosts several Windows Server 2012 R2 virtual domain controllers. You want to add an additional virtual domain controller. Instead of installing a new Windows Server 2012 R2 virtual machine and promoting it to be a domain controller, you decide to simply copy one of the existing virtual domain controller's virtual machine files. What must you do to perform this procedure correctly? (Select two.)
Create the DCCloneConfig.XML for the cloned domain controller. Add the source domain controller's computer object to the Cloneable Domain Controllers group in the Users container.
After user information from HR/SIS Databases and Directory Systems is joined inside of the ____________ database, user info is routed to the 3 proper account lifecycle stages of ____________, _____________, and _______________.
Create, Update, and Retire
Builtin Container
Created by default
Update Sequence Number rollback
Creating a snapshot of a virtual domain controller and then rolling it back to that snapshot at a future point in time created a condition
What is the primary means by which people access resources on an active directory domain service network
D: By having a user account
Which of the following message types is not used during a successful DHCP address assignment?
D: DHCPINFORM
What command-line utility allows admins to modify groups' types and scope as well as add or remove members?
D: Dsmod.exe
What is an important difference between groups and OU's
D: Group memberships are independent of the domain's tree structure.
Who may join a computer to the domain?
D: Members of the computer's local admins group may join the computer to the domain
What is the primary purpose of name caching?
D: Name caching enables the second name resolution request for the same name to bypass the referral process
Which of the following is a container object within active directory?
D: OU
The following feature is available only on Active Directory-integrated DNS zones:
D: Secure dynamic updates
To make use of PXE and WDS, what special config do you require on the server and client?
D: The DHCP server on the network must have a custom PXEClient option, option 60, configured with the location of the WDS server on the network
Which of the following groups do you use to consolidate groups and accounts that either span multiple domains or the entire forest?
D: Universal
Is it possible to add ad ds on a computer running server core?
D: Yes, you use powershell, by first installing ad ds role, and then promoting the server to a dc
Which of the following is not a reason why you should try to create as few domains as possible when designing an active directory infrastructure?
D: You must purchase a license from MS for each domain you create
Which of the following DHCP infrastructure designs requires the largest number of DHCP server implementations?
D: distributed
What is the primary reason for creating different sites on an active directory network?
D: To control the amount of traffic passing over the relatively slow and expensive WAN
You are the network administrator for eastsim.com. eastsim.com has one main office in Dallas, TX and two branch offices in New York, NY and Los Angeles, CA. The branch offices are both connected to the main office by dedicated WAN links. There is no direct connection between the branch offices. The network consists of one Active Directory domain that contains 2,000 users. There are two domain controllers at each site listed in the table below. DC1 was the first domain controller installed in the domain and it currently hosts all five Flexible Single Master Operations (FSMO) roles. You need to identify which server should be used as a backup operations master in the event that DC1 should fail. Which server should be used?
DC2
Active Directory keeps a naming convention for the domain that mirrors ______.
DNS
Which of the following server roles is installed automatically by the Active Directory Domain Services Configuration Wizard if the wizard cannot find it on another server elsewhere on the network?
DNS Server
What are domains identified by?
DNS name structure, the namespace.
Match the Active Directory term on the right with its corresponding definition on the left. Not all of the definitions on the left have an associated term on the right.
Data Table: Contains all the information in the Active Directory data store. Link table: Contains data that represents linked attributes. SD Table: Contains data that represents inherited security descriptors for each object. Schema: Identifies the object classes that exist in the tree and the attributes of each class.
Client-server applications
Data or a service requested by one computer from another
Active Directory
Database of all objects managed within the boundary of a given network
Computers
Default container for all computers
Global Group
Default scope, can be used by computers within the domain and by members of other domains in the forest. Stored and replicated to all DCs within the domain DLG was created in.
You are planning an Active Directory implementation for a company that currently has sales, accounting, and marketing departments. All department heads want to manage their own users and resources in Active Directory. What feature will permit you to set up Active Directory to allow each manager to manage his or her own container but not any other containers? Multimaster replication Read-only domain controller Manager control Delegation of control
Delegation of control
Replication Boundaries
Determined by domain, use hierarchical names
Which of the following is NOT an example of a special identity?
Dialup Service
Which of the following is NOT an example of a special identity? Dialup Service Creator Owner Authenticated Users Anonymous Logon
Dialup Service
Active Directory
Directory service that houses information about all network resources
configuration partition
Directory stores configuration objects for each domain in the forest
What are the two group types.
Distribution & Security (created for the purpose of granting access permissions to users).
Which of these groups is not related to security and cannot have permissions assigned to it?
Distribution groups
Which of these groups is not related to security and cannot have permissions assigned to it? Universal groups Global groups Domain local groups Distribution groups
Distribution groups
What is the fundamental component of the Active Directory architecture, functioning as the boundary for virtually all directory functions, including administration, access control, database management, and replication?
Domain
Match the Active Directory term on the right with its corresponding definition on the left.
Domain Controller: A server that holds a copy of the Active Directory database that can be written to. Site: Represents a group of networks that are connected with high-speed links. Subnet: Represents a physical network segment. Forest Root Domain: The first domain created in an Active Directory forest. Tree Root Domain: The highest level domain in a tree.
What is the only OU created by default after installing Active Directory?
Domain Controllers OU
What is the only OU created by default after installing Active Directory? Users OU Domain Controllers OU Global OU Computers OU
Domain Controllers OU
Function Level
Domain Function Level must be that of earliest NOS Version
Which of these groups would an administrator use to assign permissions to resources in the same domain? Universal groups Global groups Domain local groups Distribution groups
Domain local groups
What is a Domain Partition?
Domain specific information that is replicated to all DCs within a domain.
RID (Relative ID) Master
Domain-wide. Responsible for making sure that SIDs are unique within the domain. A SID is a long security ID. All SIDs in a domain are the same up to the last 32 bits, called the RID. The RID master makes sure those 32 bits remain unique for each object in the domain.
PDC Emulator
Domain-wide, Used for backward compatibility with Windows NT DCs and for propagating password changes quickly across all DC's in the domain (not hours - but seconds) - should not be the same machine as Global Catalog, ideally
child domains
Domains that share at least the top-level and second-level domain name structure as an existing domain in the forest; also called "subdomains."
What command-line utility allows administrators to modify a group's type and scope as well as add or remove members? PowerShell and the applicable cmdlet Active Directory Users and Computers console Active Directory Administrative Center Dsmod.exe
Dsmod.exe
Order the steps to delegate Administrative Control of an OU. a. In the Users or Groups page, click Add. b. Right-click the object over which you want to delegate control, and click Delegate Control. c. In the Select Users, Computers, or Groups dialog box, type the name of the user or group to which you want to delegate control of the object, and click OK. The user or group appears in the Selected users and groups list. d. Select the Tasks to delegate, whether common tasks or custom tasks. Set the delegated permissions for the user or group to which you delegate control. e. From the Tools menu in the Server Manager window, select Active Directory Users and Computers.
EBACD
child domain
Each domain in the tree that is connected to the tree root domain
You are the network administrator for a network with a single Active Directory forest. All domains in the forest are at Windows Server 2003 functional level and the forest is also at Windows Server 2003 functional level. Offices exist in Denver, Chicago, and Miami. Each geographic location has an Active Directory site configured. The links that connect the Denver and Miami sites to the corporate headquarters in Chicago are highly utilized, and you want to minimize replication traffic over them. Company headquarters is located in Chicago and that location has multiple global catalog servers to service global queries efficiently. Several users in Denver and Miami are members of universal groups throughout the forest. You need to make sure that in the event of a WAN link failure, group membership will be protected and logons will be available. What should you do?
Enable Universal Group Membership Caching for the Denver and Miami sites
You manage a single-domain network named northsim.com. Currently, all users are located at a single site in Miami. You are opening a branch office in Orlando. The Orlando office is connected to the Miami location using a dial-up connection and demand-dial routing. The link between offices is only used during the nighttime to synchronize sales information. About 50 full-time sales people work in the Orlando office. The branch office will have its own domain controller, ORD-DC1. You create a new site object for the Orlando office and move the server into that site. You create a site link object that connects the Orlando site to the Miami site. Users are reporting that logon is slow. You find that during logon, the WAN link must be established before logon is allowed. You want to improve logon for the Orlando location. What should you do?
Enable Universal Group Membership Caching on the Orlando site.
You are the network administrator for an Active Directory forest with a single domain. The network has three sites with one domain controller at each site. You have created and configured sites in Active Directory Sites and Services, and replication is operating normally between sites. You configure two universal groups for use in securing the network. All users are members of one universal group or the other. After configuring the universal groups, users at sites 2 and 3 report slow logins and slow access to the corporate database. Users at site 1 can log in and access the corporate database with acceptable performance. You want to improve login and resource access performance for users in sites 2 and 3. What should you do?
Enable universal group membership caching at sites 2 and 3. Configure the domain controllers at sites 2 and 3 as global catalog servers.
What is a domain account?
Enables access to Active Directory of network based resources. The account is stored in Active Directory.
trust relationship
Enables administrators from a particular domain to grant access to their domain's resources to users in other domains.
Enterprise Resource Authorization Manager (ERAM)
Enables organizations to streamline and optimize access control for unstructured data. The solution clearly shows who has access, who should have access, who owns the data, who has tried to access certain data and where sensitive information has been stored.
Which of the following default groups is a universal group?
Enterprise Admins
Which of the following default groups is a universal group? Certificate Publishers Enterprise Admins Domain Users Domain Admins
Enterprise Admins
To apply a GPO to a site, you must be a(n) _____________________
Enterprise admin
Objects
Everything within AD. Is an instance of a class. Joe object -> change name (change the first name attribute of joe)
Organizational Unit (OU) Part 2
Example: If you are 1 administrator and support a remote office in Boston, you may create a "Boston Administrator Organizational Unit (OU)" to give another person access. They will have permission to deal with user accounts and computer accounts. They will have the option to try and fix the problem before reaching out to you. It also provides security by giving limited permissions to this Organizational Unit (OU). Groups are created for security purposes.
Your organization runs a Hyper-V hypervisor on Windows Server 2012 R2 that hosts several Windows Server 2012 R2 virtual domain controllers. You want to add an additional virtual domain controller. Instead of installing a new Windows Server 2012 R2 virtual machine and promoting it to be a domain controller, you decide to simply copy one of the existing virtual domain controller's virtual machine files. You have completed all of the preparatory steps and are now ready to clone the source virtual machine. Which PowerShell cmdlets must you use to do this? (Select three.)
Export-VM, Import-VM, Rename-VM
Even when OUs have been nested to many levels, they still will not adversely affect the response time to resource requests or complicate the application of Group Policy settings. T/F
False
Users may use several web based single-sign on services and/or network resources because of which service?
Federation Services (AD FS)
____ password policies mean that you can now create more than one set of account policies within a domain.
Fine-grained
Parents
First-level OUs
Namespaces can be
Flat or hierarchical
FSMO
Flexible Single Master Operations
FSMO
Flexible Single Master Operations: Schema Master and Domain Naming Master (one per forest); PDC Emulator, RID (Relative ID) Master and Infrastructure Master (one per domain)
gpupdate /force
Forces Group Policy Updates
An Active Directory ________ consists of one or more separate domain trees that do not form a contiguous namespace.
Forest
What are the types of functional levels?
Forest & Domain.
Explain the term FOREST in AD?
A forest is a collection of AD domains that share a single schema (as well as a single configuration partition and global catalog). Every DC in the forest holds a copy of this schema, and schema changes are replicated to all of them.
Schema Master
Forest-Wide, the DC that is allowed to make changes to the schema (definitions of the database) - only one in the entire forest.
The schema is _______-wide.
Forest-wide
Domain Naming Master
Forest-wide; the DC responsible for adding and removing domains (and application partitions) in the forest namespace. In Windows 2000 it also had to be a global catalog server; at the Windows Server 2003 forest functional level or higher this is no longer required.
What is the top structure of AD?
Forest.
Different types of containers
Forests Trees Domains OU's (Organizational Units)
Which of the following are logical components of an Active Directory structure? (Choose all that apply.)
Forests Trees Domains Organizational units (OUs)
The Active Directory framework that holds the objects can be viewed at a number of levels. What are these levels?
Forests, trees and domains
In UMRA, Unique IDs are copied from where to where?
From HR and SIS to Directory Systems
Information from what 2 systems are joined inside of the UMRA database?
From the HR/SIS Database and the Directory Systems
Global Catalog
GC is a Domain Controller which maintains a full copy of the local domain partition and a partial copy of the entire forest.
Each Object has a
GUID and a SID
Groups are security principals, meaning you assign access permissions to a resource based on membership to a group. OUs are for organization and for assigning Group Policy settings.
Generally, how do groups differ from OUs?
You are the network administrator for westsim.com. The network consists of a single Active Directory domain.
Get-ADDomainControllerPasswordReplicationPolicyUsage
What is the group scope for Domain Admins, Domain Controllers, and Domain Users default groups? Distribution Universal Global Domain local
Global
Some of the following groups might grant or deny permissions to any resource located in any domain in the forest. Of them, which one's membership is replicated only in the domain controllers of the same domain?
Global groups
Some of the following groups might grant or deny permissions to any resource located in any domain in the forest. Of them, which one's membership is replicated only in the domain controllers of the same domain? Universal groups Global groups Domain local groups Distribution groups
Global groups
What is the primary difference between universal groups and global groups in Windows Server 2012 R2? Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site. Universal groups use less data in the global catalog. So, in considering replication traffic, global groups should be within a site. Universal groups use more data in the global catalog. However, global groups are best in general, both within a site and across sites. Global groups use less data than universal groups, but not significantly.
Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.
What does the acronym GAFE stand for?
Google Apps For Education
GPME
Group Policy Management Editor
GPO
Group Policy Object
GPO
Group Policy Objects, Contain Group Policy settings
GPOs
Group Policy Objects. The settings that control the working environment of user accounts and computer accounts are known as Group Policy Object (GPO). It helps define the security options, software installation, registry-based policies and maintenance options, script options and folder redirection options
What relies on Domain Services?
Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.
Organizational Unit
Grouping of related objects within a domain so that objects can be under the same group policies
What are sites?
Groupings of well-connected IP subnets. Sites shape how domain controllers replicate with each other (replication within a site is immediate; replication between sites follows site links and their schedules) and let clients find a nearby DC for logon.
What enables you to assign permissions to multiple users simultaneously?
Groups
How do groups differ from OUs? Groups are security principals, meaning you assign access permissions to a resource based on membership in a group. OUs are for organization and for assigning Group Policy settings. Groups are created by Server Manager, but you create OUs by scripts. OUs are security principals, meaning you assign access permissions to a resource based on membership in an organizational unit. Groups are for organization and for delegating permissions. Organizational units are container objects made from the Active Directory Users and Computers console.
Groups are security principals, meaning you assign access permissions to a resource based on membership in a group. OUs are for organization and for assigning Group Policy settings.
Organizational Unit (OU)
Like groups, but for administrative purposes. Explanation: one person in the marketing department is given permissions on the Marketing OU, so that person can handle changes in the department (for example resetting a user's password) rather than constantly contacting the IT department.
What are 2 examples of authoritative data sources?
HR systems and SIS databases
Active Directory groups
Have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.
Flat Namespaces
Have only one level in which to store names, such as NetBIOS names
Group Policy
Hierarchical infrastructure that allows specific configurations for users and computers by the network administrator
What are functional levels?
A higher functional level prevents domain controllers running older versions of Windows from being added, but enables additional functionality or features. For example, if you are sure that you will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process.
Where does a forest sit in the Active Directory hierarchy?
Highest Level
A domain controller, one or more federation servers (a second one is for redundancy) and a Web Application Proxy server
How many servers do you install with ADFS and what are they?
cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com
If the user named Amy is located in the sales OU of the central.cohowinery.com domain, what is the correct syntax for referencing this user in a command line utility?
Read-Only Domain Controller (RODC)
In Active Directory Domain Services, a domain controller that supports only incoming replication traffic. It cannot be modified but can be used for authentication.
Forest
In Active Directory Domain Services, an architectural element that consists of one or more domains.
Forest Root Domain
In Active Directory Domain Services, the first domain created in a forest, also known as a parent domain.
Attributes
In Active Directory Domain Services, the individual properties that combine to form an object.
What is Domains in Active Directory?
In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains. Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown below.
Users; Computers; Global groups
In a domain running at the Windows Server 2012 domain functional level, which of the following security principals can be members of a global group? (Choose all answers that are correct.)
To prevent Update Sequence Number (USN) rollback issues with virtual domain controllers, each virtual domain controller is assigned a unique identifier called the VM-Generation-ID. For virtual domain controllers, where is this identifier stored? (Choose two.)
In a file within the virtual machine configuration, and as the msDS-GenerationId attribute of each domain controller's computer object in Active Directory.
Claims Provider Trust
In the AD FS Management snap-in, a claims provider trust is an object created in the resource partner organization's federation service to represent the account partner (the claims provider): the organization whose users will be issued claims and given access to resources in the resource partner organization. Example: Rackspace users sign in with their own Rackspace credentials and are granted access to a Microsoft-managed resource such as a back-end database; Microsoft's AD FS holds a claims provider trust for Rackspace.
attribute value
Information stored in each attribute.
schema
Information that defines the type, organization, and structure of data stored in the Active Directory database.
What is a key difference between a domain tree hierarchy and the organizational unit (OU) hierarchy within a domain? Ability to apply Group Policy Members allowed within Inheritance Membership
Inheritance
You are the network administrator for westsim.com. westsim.com has one main office and 50 branch offices. The network consists of one Active Directory domain that contains 5,000 users. You plan to deploy a Windows 2012 R2 domain controller in each branch office. Ten of the branch offices do not employ on-site IT staff. You need to recommend a solution for these 10 branch offices. Your solution must meet the following requirements: • Minimize network traffic during the installation of Active Directory Domain Services (AD DS). • Maximize the security of the branch office domain controllers. What should you recommend?
Install Active Directory Domain Services (AD DS) using the Install from Media feature and configure the read-only domain controller (RODC) option.
Workgroup
No centralized management or control. One or more computers on a Windows LAN that are NOT joined to a domain. No dependencies between computers.
Can you delete default groups created by Windows Server 2012?
No, Default groups cannot be deleted
You are working in PowerShell on a Windows Server 2012 domain controller. You need to create a new group managed service account to be used by a new application that will be installed later on the Windows 7 workstations that are members of the domain. The domain functional level is set to Windows Server 2008 Can you do this?
No, group managed service accounts cannot be used by Windows operating systems prior to Windows 8.
You manage a Windows Server 2012 R2 system and need to perform an immediate system state backup. The backup will be saved on the C:\ volume. To accomplish this, you determine the wbadmin start systemstatebackup -backupTarget:C: is the appropriate command to use. Will this strategy work?
No, the backup cannot be saved to the same drive as the system state data.
Should you bring the old role-holder back on the LAN after seizing a FSMO role?
Nope!
Domain Local Group
Can only be assigned permissions to resources within the domain in which it was created
A(n) ____ is a grouping of related objects within a domain, similar to the idea of having subfolders within a folder, and can be used to reflect the structure of the organization without having to completely restructure the domain(s) when that structure changes.
OU
Forest, Domain, Organizational unit, User, Group, Contact, Computer, Shared Folder, Printer, Site, Subnet are all?
Objects
______ in Active Directory databases can be accessed via LDAP, ADSI, message API and Security Account Manager services.
Objects
Leaf
Objects such as users and computers which cannot contain other objects
Groups
Objects that act as containers for users, computers, and other groups.
Security Principal Object
Objects that can be authenticated and assigned permissions
Where do DC's store information?
In the ntds.dit file (by default %SystemRoot%\NTDS\ntds.dit)
What is a one-way trust?
One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
site
One or more IP subnets connected by fast links.
What is a forest?
One or more Windows domains
Domain Tree
One or more domains that are part of the same contiguous namespace.
Windows NT
One primary domain controller (PDC) replicated to all backup domain controllers (BDCs); all changes had to be made on the PDC
OAuth
Open Authorization
O
Organization Name
OU
Organizational Unit
OU
Organizational Unit- A container object used to organize objects in Active Directory. Allows for delegation of control and the ability to link GPOs.
What is the next level of Active Directory container object within a domain?
Organizational unit
You are the network administrator for northsim.com, a company that specializes in extreme sports vacations. The company has one main office and 30 branch offices. All of the branch offices have 3 to 10 users on location, and all of them are located in remote areas of the country. Due to the need to be located near natural resources, many of the branch offices lack basic security and almost all of them are connected to the main office via dial-up. Users at the branch offices complain that it takes a long time to log on to the domain. Management has authorized the purchase and deployment of one Windows Server 2012 R2 server for each branch office. You have been asked to develop a standard installation for the new servers being deployed. Your solution must meet the following requirements: • Each branch office server should perform authentication for users located at that branch office. • Each branch office server should be configured so as to minimize the amount of Active Directory information that will be compromised in the event that the server is stolen. • Each branch office server should be configured so as to minimize the amount of user data that will be compromised in the event that the server is stolen. What should you do?
Install a Read-Only Domain Controller (RODC) in each branch office. Configure the hard drive to use Bitlocker drive encryption.
You manage the network with a single Active Directory domain named eastsim.com. Your company has a single office in Dallas. You open a second office in San Antonio. The San Antonio location is connected to the Dallas location by a WAN link. All user and computer accounts in the branch office are members of the eastsim.com domain. You do not install a domain controller in the branch office. Recently, the WAN connection between Dallas and San Antonio went down. During the outage, several problems existed because of the lack of a domain controller in the San Antonio location. You want to eliminate these problems in the future. You want to make sure the user passwords are cached on a server in San Antonio, and the directory service replication only happens from Dallas to San Antonio. Changes should not be made at San Antonio and replicated back to domain controllers in Dallas. What should you do?
Install a Read-only Domain Controller (RODC) in the branch office.
You manage the network with a single Active Directory domain named eastsim.com. Domain controllers run both Windows Server 2003 and Windows Server 2012 R2. The domain functional level is at Windows Server 2003. Your company has recently opened a new branch office. You would like to create a new domain named branch1.eastsim.com for the branch office. You want to use a read-only domain controller for this domain. How should you install the RODC?
Install a full (writable) domain controller in the main office first, then install the read-only domain controller in the branch office. The first DC of a domain cannot be an RODC.
Your organization runs a Hyper-V hypervisor on a Windows Server 2008 R2 system that hosts a mix of Windows Server 2008 R2 and Windows Server 2012 R2 virtual domain controllers. You want to use snapshots to protect your virtual domain controllers on this hypervisor host. However, you have heard that doing this can cause Update Sequence Number (USN) rollback issues. What must you do to prevent this from happening? (Choose two.)
Install the latest Integration Services from a Windows Server 2012 R2 hypervisor on the virtual domain controllers. Upgrade the hypervisor host to Windows Server 2012 or Windows Server 2012 R2.
GUID globally unique identifiers
128 bit hexadecimal, assigned on creation
Replication
Intersite replication runs on the site link schedule: 180 min by default, configurable down to 15 min. Replication within a site starts within seconds of a change. Repadmin can be used to force replication.
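The site and replication settings above, applied with the ActiveDirectory module and checked with repadmin. This is an added example, not code from the study set; the site name "Boston", the subnet, the link DEFAULTIPSITELINK and the DC name DC1 are assumptions.

```powershell
# Added example (not from the original cards). Site, subnet and DC names are placeholders.
Import-Module ActiveDirectory

# A site is a set of well-connected subnets: create the site and map a subnet to it so
# clients in 10.20.0.0/16 log on to Boston DCs instead of crossing the WAN
New-ADReplicationSite -Name "Boston"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "Boston"

# Intersite replication follows the site link: default 180 minutes, minimum 15
Set-ADReplicationSiteLink -Identity "DEFAULTIPSITELINK" -SitesIncluded @{Add = "Boston"} `
    -ReplicationFrequencyInMinutes 15 -Cost 100

# Read back what is configured before forcing anything
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, ReplicationFrequencyInMinutes, Cost, SitesIncluded

# Ask the KCC to recompute the topology, then push from DC1 to every partner
# (/A = all partitions, /d = show servers by DN, /e = cross site boundaries, /P = push)
repadmin /kcc DC1
repadmin /syncall DC1 /AdeP

# Health check: last success/failure per partner, then per-partition detail for DC1
repadmin /replsummary
repadmin /showrepl DC1
Get-ADReplicationPartnerMetadata -Target DC1 -Scope Server |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult
```

Setting the frequency to 15 minutes trades WAN bandwidth for a shorter window in which the loose consistency described later on this page (different DCs holding slightly different data) can be observed.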
Domain Local Group
Intended to be used only within the domain it was created in. Stored on and replicated to all DCs within the domain the DLG was created in.
User Configuration
A Group Policy setting that enables administrators to customize the configuration of a user's desktop, environment, and security settings. Enforced policies are based on the user rather than on the computer used.
Linked value replication
A feature available at the Windows Server 2003 (and later) forest functional level that replicates only the individual values of a multivalued attribute that changed since the last replication (for example one added group member) instead of the whole attribute.
Active Directory
A Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.
Domain Controller
A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.
Domain Controller
A Windows server with Active Directory Domain Services directory service installed. Allows for centralized authentication and management of a domain.
schema attributes
A category of schema information that defines what type of information is stored in each object.
What is a Domain Controller?
A server that stores the Active Directory database and authenticates users on login.
User Principal Name (UPN)
A user logon name that follows the format username@domain. Users can use UPNs to log on to their own domain from a computer that's a member of a different domain.
adfs
Active Directory Federation Services
What group must a user be in to have their password cached on an RODC?
Allowed RODC Password Replication Group
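The password replication policy (PRP) behind this card, managed from PowerShell. This is an added example and not the study set's own code; the RODC name BR01-RODC, the writable DC DC1 and the groups "Boston-Users" and "Tier0-Admins" are assumptions.

```powershell
# Added example (not from the original cards). DC, RODC and group names are placeholders.
Import-Module ActiveDirectory

# Domain-wide allow list: anyone in this built-in group may be cached on ANY RODC
Add-ADGroupMember -Identity "Allowed RODC Password Replication Group" -Members "Boston-Users"

# Per-RODC allow list is the tighter option: only this RODC may cache Boston users
Add-ADDomainControllerPasswordReplicationPolicy -Identity "BR01-RODC" -AllowedList "Boston-Users"

# Domain Admins, Enterprise Admins etc. are denied by default through the
# "Denied RODC Password Replication Group"; add your own privileged groups too,
# because a stolen RODC exposes every secret it has cached
Add-ADDomainControllerPasswordReplicationPolicy -Identity "BR01-RODC" -DeniedList "Tier0-Admins"

# Pre-populate the cache so the first logon works even when the WAN link is down
Get-ADGroupMember -Identity "Boston-Users" | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source "DC1" -Destination "BR01-RODC" -PasswordOnly
}

# Audit: what is cached right now, and who has ever authenticated through this RODC
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "BR01-RODC" -RevealedAccounts
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "BR01-RODC" -AuthenticatedAccounts

# If the RODC is lost or stolen: reset every cached user password to a random value
$chars = [char[]]((48..57) + (65..90) + (97..122) + 33 + 35 + 36 + 37 + 64)
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "BR01-RODC" -RevealedAccounts |
    Where-Object ObjectClass -eq "user" |
    ForEach-Object {
        $new = -join ($chars | Get-Random -Count 24)
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    }
```

The revealed-accounts list is also what you would delete the RODC's computer object against: the "Reset all passwords" option in the console does the same thing as the last loop.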
What is a local account?
Allows access to local computers only. Local account info stored in a SAM database on the computer.
What is an Application Partition?
Allows administrators to control what information is replicated to which domain controllers.
What is Mixed Mode?
Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.
OU
Allows us to delegate the management of our department, container for every department
When using CSVDE, what is the first line of the text file that uses proper attribute names?
B: header record
What are the two basic classes of active directory objects?
B: leaf ,D: container
Security Group
Can be assigned permissions
Local Policies
Can be configured on local host computers, policies apply only to that computer
Local Policies
Can be configured on the local host computer only
What is a realm trust?
Can be transitive or nontransitive (intransitive), one- or two-way.
Universal
Can create access between forests
Universal Group
Can create from any domain
attribute
Characteristics associated with an object class in Active Directory that make the object class unique within the database. The list of attributes is defined only once in the schema, but the same attribute can be associated with more than one object class.
What is the Active Directory schema?
Contains formal definitions of each object class/attribute that exists in a forest/object
Users
Contains groups and users
The ipv6 DNS host record is referred to as an?
D: AAAA record
DC
Domain Component
Infrastructure Master
Domain-wide, Maintains references to objects located in another domain (phantoms)
What is a Certificate Service used for?
Issuing and managing the digital certificates used to encrypt files (EFS), e-mail (S/MIME) and network traffic (TLS, IPsec), and to authenticate users, computers and services.
KCC Knowledge Consistency CHecker
Runs on every DC and builds the replication topology (the connection objects between DCs) so that all DCs end up with consistent information
Infrastructure Master
Domain-wide; keeps cross-domain object references up to date (for example group members from another domain that were renamed or moved). It should not sit on a global catalog server unless every DC in the domain is a GC.
128 bit Globally unique identifier
GUID
What is the primary difference between universal groups and global groups in Windows Server 2012?
Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.
domain tree
In Active Directory, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship. Each Active Directory forest can contain one or more domain trees, each of which can, in turn, contain one or more domains.
You are the network administrator for westsim.com. westsim.com has one main office and 10 branch offices. The network consists of three Active Directory domains: westsim.com, eastsim.com, and websales.eastsim.com. All the domain controllers run Windows Server 2012 R2. Users on the westsim.com network often search for other employees based on the postal code attribute but they complain that Active Directory searches take a long time to complete. You believe that you can speed up searches by adding the postal code attribute to the Global Catalog. What should you do?
In the Active Directory Schema snap-in, in the Properties of the Postal Code attribute, select the Replicate this attribute to the Global Catalog check box.
Where are attributes defined?
In the schema
Integrated Zone
Incorporated within Active Directory with a multi-master replication process
Active Directory Contact
Individual who is not part of the organization but related to the organization
What is the PowerShell cmdlet for installing a domain controller to the domain "adatum.com"?
Install-ADDSForest -DomainName "adatum.com" creates a new forest whose root domain is adatum.com. To add a domain controller to an existing adatum.com domain, use Install-ADDSDomainController -DomainName "adatum.com" instead. Both cmdlets are in the ADDSDeployment module.
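Both deployment paths, as an added example rather than code from the study set. It assumes the forest root adatum.com with NetBIOS name ADATUM, a Windows Server 2012 R2 functional level, and a second server that will become an additional writable DC; the credentials and site name are placeholders.

```powershell
# Added example (not from the original cards). Domain, NetBIOS and site names are placeholders.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Path 1: first DC of a brand-new forest whose root domain is adatum.com
$dsrm = Read-Host -AsSecureString "DSRM (Directory Services Restore Mode) password"
Test-ADDSForestInstallation -DomainName "adatum.com" -SafeModeAdministratorPassword $dsrm
Install-ADDSForest -DomainName "adatum.com" -DomainNetbiosName "ADATUM" `
    -ForestMode Win2012R2 -DomainMode Win2012R2 `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# Path 2: additional writable DC in the existing adatum.com domain (run on the second server)
$cred = Get-Credential "ADATUM\Administrator"
$dsrm = Read-Host -AsSecureString "DSRM password for this DC"
Test-ADDSDomainControllerInstallation -DomainName "adatum.com" -Credential $cred `
    -SafeModeAdministratorPassword $dsrm
Install-ADDSDomainController -DomainName "adatum.com" -Credential $cred `
    -InstallDns -SiteName "Default-First-Site-Name" `
    -SafeModeAdministratorPassword $dsrm -Force

# After the reboot: confirm the DC registered its SRV records and is replicating
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
dcdiag /test:dns /test:replications
```

The Test-ADDS* cmdlets run the same prerequisite checks the wizard shows, without changing anything, so they are the safe first step on a production box.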
What is Federation Services?
Is a single sign-on service.
What is one of the main characteristics of a forest?
It uses partitions to store and replicate information
Directory Replication Server
Performs the replication
Active Directory Objects are
Physical entities of a Network and can be described by a set of attributes
partition
Portion of Active Directory database used to divide the database into manageable pieces.
ntds.dit
Primary Active Directory database file
functional levels
Interoperability with prior versions of Microsoft Windows
Which of the following is NOT a group scope?
Security groups
What is Rights Management Services?
Server software for information rights management. It uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mails, Microsoft Word documents and web pages, and to restrict the operations authorized users can perform on them.
Delegation of Control
Set on a specific OU; assigns permissions for common administrative tasks (such as resetting passwords or managing group membership) through the Delegation of Control Wizard, which writes the corresponding ACEs to the OU.
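What the Delegation of Control Wizard does under the hood, done by hand for the Boston and Marketing OU scenarios described earlier on this page: grant one group the right to reset passwords on user objects in an OU and nothing else. This is an added example, not code from the study set; the OU path, the group "Boston-Helpdesk" and the domain corp.contoso.com are assumptions.

```powershell
# Added example (not from the original cards). OU, group and domain names are placeholders.
Import-Module ActiveDirectory    # also provides the AD: PSDrive used below

$ouDn  = "OU=Boston,DC=corp,DC=contoso,DC=com"
$group = Get-ADGroup -Identity "Boston-Helpdesk"

# Look the GUIDs up in the schema and configuration partitions instead of hard-coding them:
# the "user" class GUID and the "Reset Password" control access right GUID
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
$resetPwd  = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid
$userClassGuid = New-Object System.Guid -ArgumentList (,[byte[]]$userClass.schemaIDGUID)
$resetPwdGuid  = [Guid]$resetPwd.rightsGuid

# One ACE: Allow <group> the Reset Password extended right, inherited by descendant user objects only
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the group should now appear with exactly this one right on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\Boston-Helpdesk" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Scoping the ACE to the user object class matters: an unscoped "Reset Password" grant inherited by every descendant would also cover computer objects, and any admin accounts someone later moves into that OU.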
Creator Owner and Authenticated Users are two examples of _______.
Special Identity
LDAPS Port(s)
TCP 636
LDAP Port(s)
TCP/UDP 389
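Two checks a practitioner runs against those two ports: inspect the certificate the DC presents on 636, and find out whether the DC still accepts clear-text simple binds on 389 (it should not, if LDAP server signing is set to Require). This is an added example, not code from the study set; the DC dc1.corp.contoso.com and the account CORP\ldap-probe are assumptions. The simple-bind probe sends that account's password in the clear on the wire, so use a throwaway test account.

```powershell
# Added example (not from the original cards). Host and account names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake so we can look at it; validity is checked explicitly below
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            ChainValid = $cert.Verify()       # chains to a trusted root on this client, not expired/revoked
            Protocol   = $ssl.SslProtocol
        }
    } finally { $tcp.Close() }
}

function Test-LdapSigningEnforced {
    param([string]$Server, [pscredential]$Credential)
    # Plain LDAP on 389 with a simple (Basic) bind: no signing, no encryption
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        return $false      # bind succeeded: the DC still accepts unsigned clear-text binds
    } catch {
        $ex = $_.Exception.GetBaseException()
        # LDAP result 8 (strongerAuthRequired) is what a DC returns when signing is required
        if ($ex -is [System.DirectoryServices.Protocols.LdapException] -and $ex.ErrorCode -eq 8) { return $true }
        throw
    } finally { $conn.Dispose() }
}

Get-LdapsCertificate -Server "dc1.corp.contoso.com"
Test-LdapSigningEnforced -Server "dc1.corp.contoso.com" -Credential (Get-Credential "CORP\ldap-probe")
```

A certificate whose Subject or SAN does not match the DC's FQDN, or whose ChainValid is false, means LDAPS clients will either fail or be configured to skip validation, which defeats the purpose of port 636.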
ms-DS-MachineAccountQuota
The attribute on the domain object that specifies the maximum number of computer accounts an ordinary authenticated user can join to the domain. The default is 10. Setting it to 0 and granting "Create computer objects" explicitly is a common hardening step, because any computer account a user creates is a machine identity that user controls.
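Reading, hardening and auditing that quota from PowerShell, as an added example rather than code from the study set. It assumes you run it as a domain admin in the domain the ActiveDirectory module is connected to.

```powershell
# Added example (not from the original cards). Run against the current domain.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# Current value (10 unless someone changed it)
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Set to 0: only principals that hold "Create computer objects" on an OU can join machines
Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Computers joined under the quota carry mS-DS-CreatorSID (set only for quota-based joins),
# so this lists every machine account created by an ordinary user and who created it
Get-ADComputer -LDAPFilter "(mS-DS-CreatorSID=*)" -Properties mS-DS-CreatorSID, whenCreated |
    Select-Object Name, whenCreated, @{ n = 'CreatedBy'; e = {
        $raw = $_.'mS-DS-CreatorSID'
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) } else { $raw }
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    } }
```

Lowering the quota does not remove accounts created before the change; the audit at the end is how you find those and decide whether to delete them or move ownership.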
loose consistency
It can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment, which means that each individual domain controller may contain slightly different information until the replication process has been completed.
What is the executable part of the Active Directory instance?
It is a collection of windows services and processes that run on windows 2000 and later.
SRV record
The locator records within DNS that allows clients to locate an Active Directory domain controller or global catalog.
relative identifier (RID)
The part of a SID that's unique for each Active Directory object. See also security identifier (SID).
Schema NC
The partition that contains the rules and definitions used for creating and modifying object classes and attributes within Active Directory.
API (application programming interface) call
The process an application uses to make a request of the OS
What is Active Directory?
It is a directory service that microsoft developed for the Windows domain networks. Which is in most Windows Server Operating Systems as a set of processes and services.
Active Directory Domain Services (AD DS)
The server role required to setup a domain and promote a server to a Domain Controller.
AD LDS is installed as a server role via Server Manager.
True
What does a Lightweight Directory Service do?
It is a lightweight implementation of AD DS, which runs as a service on windows server. AD LDS shares the code base with AD DS and proves the same functionality but does not require creation of domains or domain controllers. It provides a data store for storage of directory data and a Directory Service with an LDAP directory service interface.
What is the purpose of AD FS?
It extends AD DS identity beyond the domain. AD DS lets users authenticate to devices and resources on the same network with one set of credentials; AD FS issues security tokens containing claims so that those same credentials give single sign-on to web applications outside the domain, including applications hosted by partner organizations.
1) Set the NIC's DNS server to the IP of DC1 2) Join FS1 to your domain 3) Request and install an SSL certificate for the federation service name 4) Install the AD FS role 5) Configure AD FS: create a new farm, add the server to the farm, select the SSL certificate to use 6) Export the SSL certificate (with private key) for the Web Application Proxy
What do you need for the Federated Servers for ADFS?
1) Add an A record for fs.domain.com pointing at WAP1's public IP in public DNS 2) Edit the firewall to allow TCP 443 inbound to WAP1 (and from WAP1 to FS1) 3) Edit the hosts file on WAP1 so fs.domain.com resolves to the internal IP of FS1 4) Import the SSL certificate exported from FS1 5) Install the Web Application Proxy role (Remote Access -> Web Application Proxy)
What do you need for the Web Proxy for ADFS?
The request goes to the Web Application Proxy, which forwards it to the federation server (FS). The FS authenticates the user and issues a token that completes the authentication.
What handles an authentication request if you are outside of a network?
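The two installation procedures above in PowerShell, as an added example rather than the study set's own steps. It assumes the federation service name fs.corp.contoso.com, a certificate for that name already in the machine store of FS1 and (exported/imported) of WAP1, a gMSA CORP\gmsa-adfs$ for the AD FS service, FS1 at 10.0.0.20, and a workgroup server WAP1 in the DMZ.

```powershell
# Added example (not from the original cards). Host names, addresses and account names are placeholders.

# ================= on FS1 (domain-joined federation server) =================
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object Subject -like "CN=fs.corp.contoso.com*").Thumbprint
Install-AdfsFarm -CertificateThumbprint $thumb `
    -FederationServiceName "fs.corp.contoso.com" `
    -FederationServiceDisplayName "Contoso Sign-In" `
    -GroupServiceAccountIdentifier "CORP\gmsa-adfs$" `
    -Credential (Get-Credential "CORP\Administrator")
# A second federation server joins the same farm (this is the "extra for redundancy"):
#   Add-AdfsFarmNode -PrimaryComputerName FS1 -CertificateThumbprint $thumb -GroupServiceAccountIdentifier "CORP\gmsa-adfs$"

# ================= on WAP1 (workgroup server in the DMZ) =================
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# The proxy must reach the internal FS1, not its own public address, for fs.corp.contoso.com
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "10.0.0.20 fs.corp.contoso.com"
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object Subject -like "CN=fs.corp.contoso.com*").Thumbprint
Install-WebApplicationProxy -CertificateThumbprint $thumb `
    -FederationServiceName "fs.corp.contoso.com" `
    -FederationServiceTrustCredential (Get-Credential "CORP\Administrator")
# HTTPS is TCP only; expose nothing else
New-NetFirewallRule -DisplayName "WAP inbound HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# ================= from the Internet side =================
# Federation metadata served through the proxy proves the WAP -> FS1 path works
(Invoke-WebRequest "https://fs.corp.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml").StatusCode
```

The WAP never holds the AD FS signing keys; it only terminates TLS with the same public certificate and relays to FS1, which is why it can sit in the DMZ unjoined from the domain.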
What versions of Windows began support of multiple local GPOs?
Windows Vista and Windows Server 2008 (multiple local Group Policy objects)
Minimum Requirement for Installing AD?
Windows Server, Advanced Server or Datacenter Server (Windows 2000 editions); a minimum of 200 MB of disk space for the AD database and 50 MB for log files; an NTFS partition; TCP/IP installed and configured to use DNS; administrative privileges to create a domain in an existing network
Unlike AD DS can there be multiple AD LDS instances run on the same server?
Yes.
What does a domain controller do?
It is contacted when a user logs into a device, accesses another device across the network or runs a line of business metro style app sideloaded into a device.
forest
defines the fundamental security boundary within Active Directory, which means that a user can access resources across an entire Active Directory forest using a single logon/password combination.
functional level
depends on which Windows server operating system versions are running on the domain controllers in that domain or forest
Domain Controllers create a
domain
What are objects grouped into?
domains
OU Command Line
dsadd ou "ou=HR,dc=corp,dc=contoso,dc=com"
object
everything in the active directory is an ______
Members of a universal group can come ______.
from any domain in the same forest (users, computers, global groups and other universal groups). Accounts from trusted forests cannot be members; they can only be placed in domain local groups.
workgroup
has no centralized control or dependencies between computers
service account
is a special user account that an application or service uses to interact with the operating system.
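The service-account definition above and the group managed service account (gMSA) question earlier on this page (gMSAs require Windows 8 / Windows Server 2012 or later on the host) come together in this added example; it is not code from the study set. It assumes a forest with the Windows Server 2012 schema, an application server APP01 in a group "App-Servers", and the domain corp.contoso.com.

```powershell
# Added example (not from the original cards). Account, group and host names are placeholders.
Import-Module ActiveDirectory

# ---- once per forest: the KDS root key that DCs use to derive managed passwords ----
# In production omit -EffectiveImmediately and wait about 10 hours so every DC has replicated the key.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# ---- create the gMSA; only members of App-Servers may retrieve its password ----
New-ADServiceAccount -Name "svc_app" -DNSHostName "svc_app.corp.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "App-Servers" `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30          # DCs rotate the 240-character password automatically

# Register the SPN the application will be addressed by (needed for Kerberos to the service)
Set-ADServiceAccount -Identity "svc_app" -ServicePrincipalNames @{ Add = "HTTP/app01.corp.contoso.com" }

# ---- on APP01 (Windows Server 2012 / Windows 8 or later; older hosts cannot fetch the password) ----
Install-ADServiceAccount -Identity "svc_app"
Test-ADServiceAccount -Identity "svc_app"    # returns True only if this host can retrieve the managed password

# The service or IIS application pool then runs as CORP\svc_app$ with an empty password field;
# nobody ever knows the password, so it cannot be reused from a stolen config file.
```

Compared with a classic service account, the security win is in the last two lines: no human-known password, automatic rotation, and retrieval restricted by AD to the listed hosts.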
Global Catalog
It stores a full replicate of every object within its own domain and a partial replica of each object within every domain in the forest
What does an Active Directory Domain Services do?
It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights.
Active directory domain services
the active directory database
ADFS Management snap-in
used to configure claims provider trusts and relying party trusts (the objects that represent partner organizations and applications in a federation relationship)
group policy
used to configure settings for users and computers
Relative Distinguished Name (RDN)
used to identify the object within its container.
directory partition
used to replicate domain information
Like user accounts, there are both local and domain groups
• Local groups exist only on the local computer, and control access to local resources. • Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.
To add or remove members of a group, use the following methods
• On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group. • On the user account, edit the Member Of tab and select the group to which you want to add the user. The Member Of tab displays all of the groups of which the object is a member. Use this method to efficiently add a single user to multiple groups.
In addition to the group scope, there are two types of groups
• Security • Distribution
standard abbreviations CN OU DC O C
○ CN = common name ○ OU = organizational unit ○ DC = domain component ○ O = organization name ○ C = country name
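A small distinguished-name parser that applies these abbreviations, tying together the RDN definition, the cn=amy,ou=sales,... card and the dsadd ou example above. It is an added example, not code from the study set; the OU "HR" and domain corp.contoso.com at the end are assumptions.

```powershell
# Added example (not from the original cards). Sample DNs are constructed for illustration.

# Split a DN into its RDNs, honouring backslash-escaped commas (e.g. "Smith\, John")
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = New-Object System.Collections.Generic.List[string]
    $sb    = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $DistinguishedName.Length; $i++) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            # keep the escape and the escaped character together
            [void]$sb.Append($c).Append($DistinguishedName[++$i]); continue
        }
        if ($c -eq ',') { $parts.Add($sb.ToString().Trim()); [void]$sb.Clear(); continue }
        [void]$sb.Append($c)
    }
    $parts.Add($sb.ToString().Trim())
    return ,$parts.ToArray()
}

# RDN = leftmost component; parent = everything to its right; domain = the DC components joined by dots
function Get-DnInfo {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = Split-DistinguishedName $DistinguishedName
    [pscustomobject]@{
        RDN    = $rdns[0]
        Parent = $(if ($rdns.Count -gt 1) { $rdns[1..($rdns.Count - 1)] -join ',' } else { '' })
        Domain = (($rdns | Where-Object { $_ -match '^dc=' } |
                   ForEach-Object { ($_ -split '=', 2)[1] }) -join '.')
    }
}

Get-DnInfo 'cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com'
Get-DnInfo 'CN=Smith\, John,OU=Sales,DC=corp,DC=contoso,DC=com'   # the escaped comma stays inside the RDN

# The same components drive the AD cmdlets: -Path is the parent container's DN
Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name "HR" -Path "DC=corp,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true
Get-ADUser -Identity 'cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com'
```

The escape handling is the part worth keeping: naive `-split ','` breaks on any user whose CN contains a comma, which is common when the common name is "Last, First".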
Global Catalogs
○ central information database of every object in the forest, holding a full copy of its own domain and a partial (most-searched attributes) copy of every other domain ○ hosted on the domain controllers designated as global catalog servers, not on every DC in the forest
containers
○ designed to hold other objects in the directory ■ forests, trees, domains, OUs, folders
partitions
○ domain partition: all objects in a domain, replicated across all domain controllers ○ schema partition: definitions of all objects and their attributes ■ also contains rules for creating and configuring objects ○ configuration partition: structure of Active Directory, domains, sites, services ○ application partition: application-specific data
Forests
○ group of domain trees that do not share a contiguous namespace ○ two-way transitive trust relationship
Organizational Units
○ logical subgroup in the domain ○ usually a single work group, section, or department ○ can contain any type of object, including users, groups, computers and other OUs
Where is the path to the default GPT structure for a domain?
%systemroot%\SYSVOL\sysvol\<domain name>\Policies
Bandwidth
(1) the amount of traffic, or data transmission activity, on a network. (2) a measure of the highest and lowest frequencies that a medium can transmit
What is a shortcut in AD?
Joins two domains in different trees, transitive, one- or two-way.
Servers
Provide services such as file storage, user management, and printing.
Kerberos
Kerberos is a network authentication protocol, which is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Mention what is Kerberos?
Kerberos is an authentication protocol for network. It is built to offer strong authentication for server/client applications by using secret-key cryptography.
Process to convert full DC to RODC
1) Demote the full DC 2) Remove any AD accounts and DNS records 3) Precreate the RODC account on an existing DC 4) Promote to RODC
Name 3 benefits of Active Directory
1. Automatic replication, 2. centralized administration, 3. single log-on for access to resources
What are four considerations for a Group Implementation Plan
1. Create, edit and delete groups. 2. Define scope of groups 3. Create guidelines for old and new groups 4. Naming and nesting standards for groups.
What is DNS used for in Windows Server 2012 (name 3)
1. Resolving IP addresses to host names and vice versa, 2. locating global catalog servers and DCs, 3. locating mail servers.
NetBIOS Maximum Name Length
15 Characters
What is the LDAP default port in Active Directory?
LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following: distinguished names and relative distinguished names.
Protocol used in directory services and what is its purpose?
LDAP is the protocol used to query or access active directory databases. It uses port 389.
globally unique identifier (GUID)
A 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed.
Computer Configuration
A Group Policy setting that enables administrators to customize the configuration of a user's desktop, environment, and security settings. Enforced policies are based on the computer used.
Directory Services Restore Mode (DSRM)
A boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are deleted accidentally.
schema classes
A category of schema information that defines the types of objects that can be stored in Active Directory, such as user or computer accounts.
Cloud Application Management and SSO (HelloID)
A cloud-based Single Sign-On (SSO) solution that provides access to your cloud applications. Users may open the HelloID portal after authenticating their credentials and passing the configured access policies and any additional security settings (e.g. multifactor authentication). HelloID integrates with Active Directory to support just-in-time provisioning that synchronizes groups and attributes with the individual's SSO account at their first login.
Domain
A collection of objects that trust and share the same database, while providing a security boundary for users accessing network resources
forest
A collection of one or more Active Directory trees; can consist of a single tree with a single domain, or it can contain several trees each with a hierarchy of parent and child domains.
User Management Resource Administrator (UMRA)
A complete Identity and Access Management Software solution. Several modules are offered, including User Provisioning with more than 90 systems and applications
What are OU's?
A container that represents a logical grouping of resources.
ARP(address resolution protocol)
A core protocol in the TCP/IP suite that belongs in the network layer of the OSI model. It obtains the physical address of the host, or node, and then creates a local database that maps each MAC address to the host's IP (logical) address.
Logical Structure: What does the Active Directory instance consist of?
A database and corresponding executable code responsible for servicing requests and maintaining the database.
directory service
A database that stores information about a computer network and includes features for retrieving and managing that information.
schema directory partition
A directory partition containing the information needed to define Active Directory objects and object attributes for all domains in the forest.
application directory partition
A directory partition that applications and services use to store information that benefits from automatic Active Directory replication and security.
domain directory partition
A directory partition that contains all objects in a domain including users, groups, computers, OUs, and so forth.
configuration partition
A directory partition that stores configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another.
global catalog partition
A directory partition that stores the global catalog which is a partial replica of all objects in the forest; contains most commonly accessed object attributes to facilitate object searches and user logons across domains.
global catalog partition
A directory partition that stores the global catalog, which is a partial replica of all objects in the forest. It contains the most commonly accessed object attributes to facilitate object searches and user logons across domains.
Objects are classified by?
A distinct set of characteristics known as attributes. In general objects in the same container have the same type of attributes.
Distribution
A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.
replication partner
A domain controller configured to replicate with another domain controller.
domain controller (DC)
A domain controller is a server that stores the Active Directory database and authenticates users with the network during logon.
Read-Only Domain Controller
A domain controller that stores a read-only copy of the Active Directory database but no password information. Changes to the domain must be made on a writeable DC and then replicated to an RODC.
operations master
A domain controller with sole responsibility for certain domain or forest-wide functions.
fully qualified domain name (FQDN)
A domain name that includes all parts of the name, including the top-level domain.
Catastrophic failure
A failure that destroys a component beyond use
Farm
A farm is just the collection of Federation servers. When you set up a Federation server for the first time, you set up the first Federation server in a farm. Any additional server is a new node being added to the farm.
Forest
A forest is used to define an assembly of AD domains that share a single schema for the Active Directory
What is a Group
A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with group instead of individual user accounts helps simplify network maintenance and administration. For instance, through groups the users receive all the user rights assigned to the group and all permissions assigned to the group on any shared resources.
tree
A grouping of domains that share a common naming structure.
Tree
A grouping of domains that share a common naming structure.
What is a domain tree?
A grouping of domains that share the same namespace
object
A grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or OU.
domain
A grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems.
organizational unit (OU)
A grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems.
Domain controller
A server that holds a copy of the Active Directory database.
Global Catalog
A list of all the objects in an Active Directory Domain Services forest. The 1st DC in a forest must contain a Global Catalog.
Group Policy Object (GPO)
A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory.
Domains
A logical grouping of network resources and devices that are administered as a single unit.
What is a domain?
A logical grouping of network resources and devices that are administered as a single unit.
What is the key difference between a managed service account and a group managed service account.
A managed service account can be used on only one computer in a domain.
shortcut trust
A manually created nontransitive trust that allows child domains in separate trees to communicate more efficiently by eliminating the tree-walking of a trust path.
CAN (campus area network)
A network of connected LANs within a limited geographical area, such as the buildings in a university campus.
security identifier (SID)
A numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an RID.
Security Identifier (SID)
A numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an RID. See also relative identifier.
What is an intransitive trust
A one-way trust that does not extend beyond two domains.
What is a PAM trust?
A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a (Windows Server 2016 functionality level) 'bastion' forest, which issues time-limited group memberships.
external trust
A one-way, nontransitive trust that is established with a Windows NT domain or a Windows 2000 domain in a separate forest.
application partition
A partition that allows information to be replicated to administratively chosen domain controllers. An example of information that is commonly stored in an application partition is DNS data. Application partitions offer control over the scope and placement of information that is to be replicated.
site
A physical location in which domain controllers communicate and replicate information regularly.
authentication
A process that confirms a user's identity; the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.
authentication
A process that confirms a user's identity, and the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.
Knowledge Consistency Checker (KCC)
A process that runs on every domain controller to determine the replication topology.
Lightweight Directory Access Protocol (LDAP)
A protocol that runs over TCP/IP and is designed to facilitate access to directory services and directory objects. It's based on a suite of protocols called X.500, developed by the International Telecommunication Union.
Lightweight Directory Access Protocol (LDAP)
A protocol that runs over TCP/IP and is designed to facilitate access to directory services and directory objects; based on a suite of protocols called X.500, developed by the International Telecommunication Union.
directory partition
A section of an Active Directory database stored on a domain controller's hard drive. These sections are managed by different processes and replicated to other domain controllers in an Active Directory network.
Security
A security group is one that can be used to manage rights and permissions.
• Group members get the permissions that are granted to the group.
• A security group represents an object with a security identifier (SID), which, through the member attribute, collects other objects, such as users, computers, contacts, and other groups.
Self Service Reset Password Management (SSRPM)
A self-service application that allows end users to reset their Active Directory passwords. The number of password-related calls to the helpdesk is thus significantly reduced or eliminated altogether.
right
A setting that specifies what types of actions a user can perform on a computer or network.
SYSVOL
A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.
SYSVOL folder
A shared folder that stores information from Active Directory that is replicated to other domain controllers.
SYSVOL folder
A shared folder that stores information from Active Directory that's replicated to other domain controllers.
Group Scope
A single group can be used across all computers within the domain in which the group resides. You can also use groups outside of their native domain, depending on the group's scope.
Forest
A single instance of AD. It can have one or multiple domains that share the same schema (database definitions). Requires a minimum of one DC. Also called a security boundary.
Global catalog
A system that replicates the information of every object in a tree and forest so that objects can be found and accessed from any domain.
Multiple-Master Replication
A technique in which duplicate copies of a file are updated on a regular basis, no matter which copy changes. This allows any DC to accept changes to AD, and all other DCs receive those changes.
Bus topology
A topology in which a single cable connects all nodes on a network without intervening connectivity devices
What concept does AD use for managing resources on a Windows Network?
A tree concept
What is an Explicit trust?
A trust that an admin creates. It is not transitive and is one way only.
What is a transitive trust?
A trust that can extend beyond two domains to other trusted domains in the forest.
IP address
A unique number used to identify all devices on an IP network. IP addresses are four octets long and are commonly expressed in dotted-decimal notation, such as 192.168.10.1.
What are the security principals assigned?
Unique security identifiers (SIDs)
domain user account
A user account created in Active Directory that provides a single logon for users to access all resources in the domain for which they have been authorized.
local user account
A user account defined on a local computer that's authorized to access resources only on that computer; mainly used on stand-alone computers or in a workgroup network with computers that aren't part of an Active Directory domain.
local user account
A user account defined on a local computer that's authorized to access resources only on that computer. Local user accounts are mainly used on stand-alone computers or in a workgroup network with computers that aren't part of an Active Directory domain.
user principal name (UPN)
A user logon name that follows the format username@domain; can be used to log on to a user's own domain from a computer that's a member of a different domain.
What is an example of what AD DS does?
A user logs in to a computer that is part of a Windows domain; Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. AD DS also allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services.
Disk quota
A way in Windows Server 2012 NTFS to limit the amount of hard drive space on which users can store data. You can set up quotas on a volume and on individual users.
Active Directory Installation Wizard
A wizard used to promote a Windows Server 2012 computer to a domain controller. Using the Active Directory Installation Wizard, system administrators can create trees and forests.
(LDAP)
Lightweight Directory Access Protocol
Which of the following is not true about an object's attributes?
A: Admin must manually supply information for certain attributes, B: every container object has, as an attribute, a list of all the other objects it contains
What are some best practices when creating internal DNS namespaces
A: Avoid an excessive number of domain levels
Generally, how do groups differ from OU's?
A: Groups are security principals, meaning you assign access permissions to a resource based on membership to a group. OUs are for organization and for assigning group policy permissions.
You are preparing to deploy win 8 to a large number of new workstations. Which of the following options would be best?
A: Install Win8 using pre-boot execution environment PXE and windows deployment services WDS
The following is a hexadecimal address that is uniquely associated with a specific network interface card NIC
A: MAC
What is the powershell cmdlet syntax for creating a new user account?
A: New-ADUser
what differences matter most in creating a single user versus multiple users?
A: Single user creation is often done from the graphical user interface (GUI), whereas creating multiple users typically requires using command-line tools.
Which of the following is not a correct reason for creating an OU?
A: To create a permanent container that cannot be moved or renamed
What servers should not be DHCP clients?
A: Web servers, DHCP servers, and domain controllers
Data from a primary zone is transmitted to secondary zones using the following
A: Zone transfer
What is the key difference between groups and OU's
A: because groups are independent from domain structure, its members may be located anywhere in the domain or outside the domain
You are planning an active directory implementation for a company that currently has sales, accounting, and marketing departments. All department heads want to manage their own users and resources in active directory. What feature will permit you to set up active directory to allow each manager to manage his or her own container but not any other containers?
A: delegation of control
What is the primary difference between universal groups and global groups in Win server 2012?
A: global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site
Which of the following cannot contain multiple active directory domains?
A: organizational units
What is the default trust relationship between domains in one forest?
A: two-way trust relationship between domain trees
In a domain running at the win server 2012 domain functional level, which of the following security principals can be members of a global group?
A: users, B: computers, D: global groups
Schema
Like the blueprint for active directory, it defines the attributes each type of object can possess, the type of data that can be stored in each attribute, and the object's place in the directory tree.
What are 2 examples of Directory Systems?
AD (Active Directory) and GAFE
What services does Active Directory consist of?
AD DS, Domain services, Lightweight Directory Services, Certificate Services, Federation Services, Rights Management Services.
What directory services does Windows Server 2008 provide?
ADDS and ADLDS
What is the correct method for implementing groups in Active Directory? - Acronym
AGUDLP - Add Accounts to Global Groups, add Global Groups to Universal Groups, add Universal Groups to Domain Local Groups, apply Permissions.
On which of the following editions of Windows Server 2012 R2 can you install the AD DS role? (Choose all that apply.)
Any of them (FESD): Foundation, Essentials, Standard, Datacenter
Name 7 default groups in Active Directory?
Account operators, Enterprise Admins, Administrators, Guests, Domain Controllers, Users, Schema Admins.
AGDLP
Account, Group, Domain Local, Permissions
Arranges all the network users, computers, and other objects into groupings
Active Directory
locator service
Active Directory DNS provides direction for network clients that need to know which server performs what function.
What does ADDS stand for?
Active Directory Domain Services
What is AD DS?
Active Directory Domain Services runs on a server called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software.
You are the network administrator for westsim.com. The network consists of one Active Directory domain that contains 1,500 users. westsim.com has one main office and 15 branch offices. There are three domain controllers at the main office and one domain controller at each branch office. You have been asked to identify which domain controller hosts the Schema Master role. Which utilities should you use?
Active Directory Schema snap-in, Dsquery
What does a Certificate Service do?
Active Directory Certificate Services establishes an on-premises public key infrastructure.
You manage a network with a single domain named eastsim.com. The network currently has three domain controllers. During installation, you did not designate one of the domain controllers as a global catalog server. Now you need to make the domain controller a global catalog server. Which tool would you use?
Active Directory Users and Computers or Active Directory Sites and Services.
Listed on the left are various operation master roles. For each tool, identify the roles that you can transfer using that tool by dragging the role from the left to the boxes below the tool.
Active Directory Users and Computers: RID master, PDC emulator, Infrastructure master
Active Directory Domains and Trusts: Domain naming master
Domain NC
Active Directory domain partition that is replicated to each domain controller within a particular domain. Each domain's Domain NC contains information about the objects that are stored within that domain: users, groups, computers, printers, Organizational Units, and more.
What is Active Directory
Active Directory identifies all resources in a network and makes them accessible to users.
intrasite replication
Active Directory replication between domain controllers in the same site.
intersite replication
Active Directory replication that occurs between two or more sites.
What defines what objects exist as well as what attributes are associated with any object in the Active Directory?
Active Directory schema
What is the simplest way for administrators to upgrade their AD DS infrastructure to Windows Server 2012?
Add a new Windows Server 2012 DC to your existing Directory Services installation.
Organizational Unit
Add them as new containers; we can add groups, computers, and resources to our OUs, giving us one place to manage our domain with a nice orderly file structure.
Domain Naming Master
Adds and removes domains and application partitions to and from the AD forest.
delegation
Administration of an Organizational Unit is tasked to a departmental supervisor or manager, thus allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords.
Domain
Administrative boundary for managing objects
What are attributes?
All AD objects have attributes that take a single value or multiple values; these values describe the object's characteristics. For example, a user object in Active Directory will have attributes such as first name, second name, manager name, etc.
Domain Controllers
All DCs in a domain are containers
How do DC's behave in a site?
All DCs within the same site replicate info at regular intervals. Depending on where you log in, the site will request the closest DC to perform an action.
Workgroup
All hosts are peers, 20 hosts maximum, no network-wide password protection, all hosts must be on the same subnet
Active Directory Forests
All the domains together equal a forest. Largest boundary in the AD architecture.
RID Master
Allocates active and standby RID pools to replica DCs in the same domain.
What is Trusting?
Allows users in one domain to access resources in another. Active Directory uses trusts.
Group Nesting
Allows you to make a group a member of another group
NETLOGON share
Also replicated; contains logon scripts. The Net Logon service verifies logon requests and registers, authenticates, and locates domain controllers.
organizational unit (OU)
An Active Directory container used to organize a network's users and resources into logical administrative units.
permissions
Settings that define which resources users can access and what level of access they have to resources.
naming context (NC)
An Active Directory partition.
What does Microsoft recommend when creating OU's?
An OU structure no more than 10 levels deep
An organization has over 10,000 users and uses an SQL-based ADFS farm. You need to change the ADFS 2.0 service account password. What should you do?
1. Log on to each federation server. 2. Modify the application pool identity by using the Internet Information Services (IIS) Manager. 3. Modify the ADFS 2.0 Windows service properties by using the Windows Services MMC snap-in.
ADMX
An XML-based file format used to create administrative templates, replacing the token-based administrative template (ADM) files used with earlier versions of Group Policy.
Domain User
An account that can access ADDS or network-based resources, such as shared folders and printers within a specified domain.
Local User
An account that can access only resources on the local computer and does not reside inside of the domain.
Mention what is Active Directory?
An active directory is a directory structure used on Microsoft Windows based servers and computers to store data and information about networks and domains.
assigned application
An application package made available to users via Group Policy and places a shortcut to the application in the Start screen.
assigned application
An application package made available to users via Group Policy that places a shortcut to the application in the Start screen. The application is installed automatically if a user tries to run it or opens a document associated with it. If the assigned application applies to a computer account, the application is installed the next time Windows boots.
attribute value
Information stored in each attribute. See also schema attributes.
published application
An application package made available via Group Policy for users to install by using Programs and Features in Control Panel. The application is installed automatically if a user tries to run it or opens a document associated with it.
Trust relationship
An arrangement that defines whether and how security principals from one domain can access network resources in another domain
trust relationship
An arrangement that defines whether and how security principals from one domain can access network resources in another domain.
object
An element in Active Directory that refers to a resource. Objects can be container objects or leaf objects. Containers are used to organize resources for security or organizational purposes; leaf objects refer to the end-node resources, such as users, computers, and printers.
What is a cross link trust?
An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
What is an object?
An instance of an object class
Knowledge Consistency Checker (KCC)
An internal Active Directory process that automatically creates and maintains the replication topology. The KCC operates based on the information provided by an administrator in the Active Directory Sites and Services snap-in, which is located in the Administrative Tools folder on a domain controller, or an administrative workstation that has the Administrative Tools installed.
extension
An item in a GPO that allows an administrator to configure a policy setting.
Objects and Schema
An object class is a component of AD schema which defines the "type" for an object or in other words it defines the set of mandatory and optional attributes an object can have.
Containers
An object designed to hold other objects within the directory. Like objects, containers have their own attributes.
Connection object
An object that can be defined as part of the Active Directory replication topology using the Active Directory Sites and Services tool. Connection objects are automatically created to manage Active Directory replication, and administrators can use them to manually control the details of how and when replication occurs.
Install from media (IFM)
An option when installing a DC in an existing domain; much of the Active Directory database contents are copied to the new DC from media created from an existing DC.
Install from media (IFM)
An option when installing a domain controller in an existing domain; much of the Active Directory database contents are copied to the new DC from media created from an existing DC.
Application data partitions
Applications that rely on Active directory have the ability to use an application's data partitions to store application-specific data. Applications, services, or administrators can create application data partitions as container objects.
What is a forest trust?
Applies to the entire forest. Transitive, one- or two-way.
Of the key reasons for creating organizational units, which of the following is NOT one of them?
Assigning permissions to network resources
Of the key reasons for creating organizational units, which of the following is NOT one of them? (Options: Delegating administration; Assigning Group Policy settings; Duplicating organizational divisions; Assigning permissions to network resources)
Assigning permissions to network resources
Lingering objects
Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).
What is the proper term for associating a Group Policy to a set of AD DS objects?
Linking
At what number of users is an additional server needed?
1,000.
Objects are explained by their __________ like Name, Location, Department, etc.
Attributes
What is the process of granting the user access only to the resources he or she is permitted to use?
Authorization
What do you call the process of confirming that a user has the correct permissions to access one or more network resources?
Authorization
Two Way Trust
Automatic two way trusts between domains or forests
Two Way Trusts
Automatic two way trusts between two domains in a forest, between parent and child
What is a built-in account?
Automatically created when Server 2008 is installed (i.e. Administrator or Guest).
Which built-in local user account is a member of the local Administrators group?
Local System
Name the three types of user accounts?
Local, Domain, Built-in
AD structure types
Logical Structure = Trees, Forests, Domains, and OUs; Physical Structure = Domain Controllers and Sites
What is a domain defined as?
Logical group of network objects that share the same AD database.
Drag the Active Directory terms on the left to their corresponding definition on the right.
Logical organization of resources - Organizational Unit
Collection of network resources - Domain
Collection of related domain trees - Forest
Resource in the directory - Object
Group of related domains - Tree
What is the logical/physical structure of Active Directory?
Logical: reflects administrative structure. Physical: A container object holds children or leaf objects.
What two graphical tools will help create either user or computer objects?
B: Active Directory Administrative Center and Active Directory Users and Computers
What can be used to add, delete, or modify objects in Active directory, in addition to modifying the schema if necessary?
B: LDIFDE
What is the PowerShell cmdlet syntax for creating a new computer object?
B: New-ADComputer -Name <computer name> -path <distinguished name>
You are attempting to delete a global security group in the Active Directory Users and Computers console, and the console will not let you complete the task. Which of the following could possibly be causes for the failure?
B: One of the group's members has the group set as its primary group, D: You cannot delete global groups from the Active Directory Users and Computers console
What is the primary benefit of a DNS forwarder?
B: Reducing the traffic and making efficient use of available bandwidth across the network perimeter
A DHCP client first attempts to reacquire its lease at half the lease time, which is known as
B: T1
Which of the following items is a valid leaf object in Active directory?
B: User
Your DHCP servers are burdened with heavy traffic, most related to IP address renewals. Unfortunately, virtually all the IP addresses in each of your subnets are allocated. Which of the following options is the best way to lower the renewal traffic?
B: deploy additional DHCP servers on the most burdened subnets
Which of the following does an Active Directory client use to locate objects in another domain?
B: global catalog
Which of the following group scope modifications are not permitted?
B: global to domain local, C: universal to global
Which of the following network components are typically capable of functioning as DHCP relay agents?
B: routers, D: Windows Server 2012 components
What are the different kinds of groups?
B: there are two types: security and distribution, and three group scopes: domain local, global, and universal
Server Roles
Barebones servers are pretty much just glorified desktop computers. Windows Servers include a Server Manager snap-in that allows admins to install specific tools to change the purpose of the server. These collections of tools and applications are bundled into Roles. For instance, if you take a bare server and want to use it as an Active Directory server, you would need to install the Active Directory Domain Services role before you had access to the Users and Computers or Domains and Trusts snap-ins.
One way Trust
Between External Trusts
What allows administrators to grant users in one domain access to resources of another domain within the same domain tree?
Bidirectional trust relationship between domains
You are the network administrator for a network with a single Active Directory parent domain and two child domains. All domain controllers are running Windows Server 2012 R2. You are responsible for disaster recovery across the entire network. You decided to use Windows Server Backup. You schedule full server backups to be taken every night, along with a system state backup an hour later. On Friday morning, you are creating new users in the Accounting OU when you receive an error stating that the user cannot be created because the context could not be found. After some investigation you find that a co-worker has deleted the OU and the change has replicated to all domain controllers. You want to restore the latest version of the OU without affecting the rest of Active Directory. What should you do?
Boot a domain controller into Directory services restore mode. Perform a nonauthoritative restore. Run Ntdsutil and mark the Accounting OU as authoritative
Namespaces
Bounded area within which a name is resolved or translated into information that is encompassed by the name. An example would be a Phone book or in the computer world, A hostname that represents an IP address
Distribution Group
Building lists of users
Click on the container in Active Directory where group managed service accounts are created by default.
Managed Service Accounts.
You work for a consulting company. Your best customer, a university on summer break, has a serious problem. One of the student interns carried a large cup of coffee into the computer room and promptly tripped over a section of the raised flooring. The coffee spilled and found its way into one of the domain controllers. Sparks flew and the domain controller was dead on arrival to the tech bench. The system board was no longer functional and two SCSI hard drives have failed. You replace the system board and SCSI hard drives. Fortunately, a system state backup was done two nights ago, but several changes in Active Directory have occurred since then and have been fully replicated to other domain controllers in this single domain network. You need to decide how to restore Active Directory on the failed server. You must complete the restoration as quickly as possible. What should you do?
Perform a non-authoritative restore of the entire Active Directory database
Schema Master
Performs updates to the AD schema. Generally placed on the forest root PDC.
Container
Pre-built container objects used to organize objects in Active Directory. Does NOT allow for delegation of control or the ability to link GPOs.
Which type of group policy setting doesn't lock configurations on the client computers?
Preferences
What do OU's contain?
Printers, groups, shared folders
Multi-Master Replication Process
Process to automatically replicate information between Domain Controllers, 3 hours by default
True
Promoting your system to a domain controller is the second phase of AD installation. True or false?
RSoP (Resultant Set of Policy)
Provides a report on what group policy settings are getting applied to users and computers
Primary Domain Controller
Provides backwards support for legacy domain controllers
You are the network administrator for southsim.com. The company has one main office along with several branch offices. All the domain controllers run Windows Server 2012 R2 and all the client computers run Windows 7 or Windows 8. The domain functional level is set to Windows Server 2008 R2. The forest functional level is set to Windows Server 2008. You need to enable the Active Directory Recycle Bin feature. What should you do?
Raise the forest functional level to Windows Server 2008 R2. Use Ldp.exe to enable the Active Directory Recycle Bin.
You are the administrator for WestSim Corporation. The network has a single domain, westsim.com, running a Windows 2003 functional level. Five domain controllers, all running Windows Server 2012 R2 server, are located on the network. Your network uses a distributed administrative approach. Numerous network administrators work in Active Directory adding users and maintaining user accounts. One day you check Active Directory and find a new OU that doesn't meet your organizational plan. You delete the OU and start checking to see who might have added it. You get a call from another administrator complaining that you deleted the OU she was working with. She explains the OU's purpose, and points out she had added it yesterday to prepare for a new department. She explains that although the OU was empty this morning, she had moved some user accounts into that OU at or shortly after the time you deleted the OU. You perform system state backups every night. You need to get back the deleted objects as quickly as possible without disrupting the network. What should you do?
Re-create the OU. Move the user accounts from the LostAndFound container into the new OU.
A ____ is different from normal DCs in that you cannot use it to update information in Active Directory and it does not replicate to regular DCs.
Read-Only Domain Controller
RODC
Read-Only Domain Controller
You are the network administrator for a company with a single Active Directory domain. The domain functional level is Windows Server 2003. Each departmental administrative team has delegated control over an organizational unit (OU) for their department. In the last few weeks there have been several new administrators join the team that have never managed Active Directory before. Yesterday, one of the new administrators inadvertently deleted an entire OU from within his department's OU structure. You have located a backup from two days ago to use for the restoration. What should you do?
Reboot a domain controller into Directory Services Restore Mode and restore Active Directory from the backup. Run Ntdsutil and mark the deleted OU for authoritative restore.
Redircmp
Redirects the default container for newly created computers to a specified, target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.
Redirusr
Redirects the default container for newly created users to a specified target OU so that newly created user objects are created in the specific target OU instead of in CN=Users.
Node
Refers specifically to the Federated Servers
Domain Roles
Relative ID Master - creates a user's security ID when an account is created; every user must have a unique security ID
Which of the following guidelines are NOT best practice for securing the Administrator account?
Renaming the Administrator account name so as not to distinguish it from non-administrative accounts
SYSVOL Folder
Replicated; contains group policies
What is the main feature of DCs with regard to security and backup?
Replication
Sites
Represent Physical Replication
Domains
Requires authentication to gain access.
What categories do objects fall into?
Resources and security principals.
Schema Master
Responsible for performing updates to the schema, the architecture of AD: the master database with definitions of all objects in AD
AD Domain Services
Role to install AD, AD database. Enterprises should have two domain controllers (DC) each with its own copy of the database for redundancy purposes
You manage the network for the eastsim.com domain. You have three domain controllers, all running Windows Server 2012 R2. You have forgotten the Directory Services Restore Mode password for your domain controllers. What should you do to reset the password?
Run Ntdsutil
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 and all the clients run Windows 8. Company policy requires all users in the domain to change their passwords every 30 days. An application named App1 uses a service account named App1Svc. Every 30 days, App1 fails. When the App1Svc account password is reset, the application works fine. You need to prevent App1 from failing in the future without compromising corporate security standards. What should you do?
Run the New-ADServiceAccount cmdlet.
You are the network administrator for northsim.com. The network consists of one Active Directory domain. All of the servers run Windows Server 2012 R2 and all of the clients run Windows 7. While attempting to run a backup on a member server, you discover that you are unable to log on to the domain. After troubleshooting the problem, you determine that the clock on the member server is 15 minutes fast. You verify that the time is correct on the PDC Emulator. You have no trouble logging on to other member servers. You need to display the member server's current Windows Time Service information to determine which server is being used as a time service provider. What should you do?
Run the W32tm.exe command
Security Identifier for each Security Principal Object
SID
What are 2 structures or forms of data that can be extracted from an HR system or an SIS system?
SQL or CSVs
What special DNS resource record enables clients to locate domain controllers and other vital AD DS services?
SRV
How do you unlock accounts
Same as resetting passwords, but this time you simply click the 'unlock' account checkbox.
You manage a Windows Server 2012 R2 server that stores user data files. You want to use Windows Server Backup to configure a backup schedule. You want to perform a complete system backup every Monday, Wednesday, and Friday. You want to be able to restore the entire system or individual files from the backup. What should you do?
Save backups to a shared folder. Create a Scheduled Task that runs wbadmin start backup.
You have just installed a new domain controller running Windows Server 2012 R2. You would like to use Windows Server Backup to back up Active Directory. You would like to perform the backup so that you can restore the domain controller if the domain controller is able to boot but Active Directory is corrupt. You want the backup to run once a day. You want to take the backup medium and put it in a safe in an offsite location. What should you do?
Save the backup to a local disk. Create a scheduled task to run wbadmin start systemstatebackup.
Roaming Profile
Saves the user profile to a server so it follows the user between machines
Forest Roles
Schema Master, Domain Master
Active Directory Partitions
Schema partition, Configuration partition, Domain partition
Name some forest partitions
Schema, Configuration, Domain, Global, Application.
ntds.dit Partitions
Schema, configuration, and domain
FSMO Roles
Schema Master - 1 per forest; Domain Naming Master - 1 per forest; PDC Emulator - 1 per domain; RID Master - 1 per domain; Infrastructure Master - 1 per domain
What is a RID Master and its scope?
Scope: 1 per domain. Allocates pools of unique identifiers to domain controllers for use when creating objects.
What is a PDC Emulator and its scope?
Scope: 1 per domain. Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain-specific processes such as the Security Descriptor Propagator (SDP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and manages all GPOs as default server.
What is an Infrastructure Master and its scope?
Scope: 1 per domain/partition. Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain. The Infrastructure Master role as described above is only for the domain partition (default naming context); netdom query fsmo and ntdsutil will only query the domain partition. However, every application partition, including forest- and domain-level DNS zones, has its own Infrastructure Master. The holder of this role is stored in the fSMORoleOwner attribute of the Infrastructure object in the root of the partition. It can be modified with ADSIEdit; for example, one can modify the fSMORoleOwner attribute of the CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld object to CN=NTDSSettings,CN=Name_of_DC,CN=Servers,CN=DRSite,CN=Sites,CN=Configuration,DC=Yourdomain,DC=TLD.
What is a Domain Naming Master and its scope?
Scope: 1 per forest. Addition and removal of domains; present in the root domain.
What is a Schema Master and what is the scope?
Scope: 1 per forest. Schema modifications.
Children
Second-level OUs
Group Types
Security - primarily used to assign permissions. Distribution lists - used to send emails to multiple recipients.
____ and user accounts enable an organization to delegate authority over objects, such as Active Directory containers, user accounts, groups, and applications.
Security Groups
What does the forest represent?
Security boundary within which users, computers, groups and other objects are accessible.
Of the default groups created when Active Directory is installed, what are the types of those groups?
Security groups
Of the default groups created when Active Directory is installed, what are the types of those groups? (Distribution groups; Security groups; Domain groups; All the above)
Security groups
Which of the following is NOT a group scope? (Universal groups; Global groups; Domain local groups; Security groups)
Security groups
SID
Security identifier. Unique set of numbers and letters used to identify each user and each group in Microsoft environments.
Group Policy Objects
Security is enforced by allowing a computer access to only one file and restricting it from others.
Duplicating organizational divisions, assigning Group Policy settings, and delegating administration
Select the best reasons for using organizational units (OUs)?
LSDOU
Sequence used to process policies: Local Policies, Site Policies, Domain Policies, and then Organizational Unit Policies.
bridgehead server
Server at each site that acts as a gatekeeper in managing site-to-site replication. This allows intersite replication to update only one domain controller within a site. After a bridgehead server is updated, it updates the remainder of its domain controller partners with the newly replicated information.
Active Directory Domain Services (AD DS)
Server role in Active Directory that allows admins to manage and store information about resources from a network. Promotes server to domain controller.
Web Application Proxy (WAP)
Server that exists outside of your network firewall, which is why it is known as a perimeter server. Its job is to take authentication requests from users outside of the organization network and send them to the Federation Server for approval. If approved, the FS sends back the x.509 certificate to the WAP, which is then used to complete the authentication process.
Active directory domain services
Service that manages the process that allows users to sign on to a network from any computer on the network and get access to the resources that the directory allows
permissions
Settings that define which resources users can access and what level of access they have to resources.
When virtualizing a DC, what feature should never be used?
Snapshots
Group Policy settings are divided into two subcategories: User Configuration and Computer Configuration. Each of those two are further organized into three subnodes. What are the three?
Software settings, Windows settings, and Administrative Templates
Flexible Single Master Operation (FSMO) roles
Specialized domain controller tasks that handle operations that can affect the entire domain or forest.
You are the network administrator for northsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. While working in Active Directory Users and Computers, you discover that an organizational unit (OU) which contained several group objects is missing. You do not know how long the OU has been missing. You select a backup from the previous week. You need to determine whether this backup contains the missing OU. You attempt to mount the snapshot using NTDSUtil but are not successful. You must mount the backup as an Active Directory snapshot. What should you do?
Start the Volume Shadow Copy Service (VSS)
What kind of IP address must be assigned to a domain controller?
Static
You have just installed a new domain on a new domain controller running Windows Server 2012 R2. You would like to use Windows Server Backup to back up Active Directory. You would like to perform the backup so that you can restore the domain controller if the domain controller is able to boot but Active Directory is corrupt. Which type of backup should you create?
System state backup
You can use a security group to grant permissions to resources and to enable email access. A distribution group, however, can only be used for email purposes; it cannot be used to secure resources on your network. T/F
T
SMB Port(s)
TCP/UDP 445
Kerberos port(s)
TCP/UDP 88
Test-ComputerSecureChannel
Tests and repairs the secure channel between the local computer and its domain.
Distinguished Name
The "file path" given to objects in Active Directory for locating them without a GUI.
Distinguished Name
The "file path" given to objects in Active Directory for locating them without a GUI. Includes CNs, OUs, and DCs.
Schema
The AD Schema defines the content and structure of the object classes and the object attributes used to create an object
abstraction layer
The Internet is organized into several ________ that are controlled by various protocols. From the bottom up, we have the link layer (Ethernet protocol), the Internet layer (IP), transport layer (TCP), and application layer (HTTP).
What is DNS?
The Internet's system for converting alphabetic names into numeric IP addresses. For example, when a Web address (URL) is typed into a browser, DNS servers return the IP address of the Web server associated with that name.
What is KCC?
The Knowledge Consistency Checker (KCC) automatically checks for directory consistency throughout an Exchange site every three hours, or whenever you modify the directory, to ensure that the directory database is consistent throughout the organisation.
Never have password expiration; have the "log on as a service" right on computers hosting the ADFS role; have the "log on as a batch" right on computers hosting ADFS
The Local account used to run ADFS should have the following:
SYSVOL
The SysVOL folder keeps the server's copy of the domain's public files. The contents such as users, group policy, etc. of the sysvol folders are replicated to all domain controllers in the domain.
Explain what SYSVOL is.
The SYSVOL folder keeps the server's copy of the domain's public files. The contents such as users, group policy, etc. of the SYSVOL folders are replicated to all domain controllers in the domain.
Active Directory (AD)
The Windows Server standard used to manage large and small network systems. It uses a hierarchical directory structure that is designed as a database containing information about objects belonging to the entire network.
Active Directory
The Windows directory service that enables administrators to create and manage users and groups, set network-wide user and computer policies, manage security, and organize network resources.
Be aware of the following when managing groups
The basic best practices for user and group security are:
• Create groups based on user access needs.
• Assign user accounts to the appropriate groups.
• Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
After creating a group, you may need to convert the group's scope and/or type:
• Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access.
• You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope.
• If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.
Single Sign on (SSO)
The big point of ADFS is to allow for single sign-on. If you sign on in one place, your linked services can use the stored single sign-on information (hence, you only performed a "single" sign-in). This allows admins to manage your sign-on details for multiple services directly in AD, instead of dealing with a metric ton of sign-on details for these multiple services.
Backbone
The central conduit of a network that connects network segments and significant shared devices; sometimes referred to as a "network of networks".
Active Directory (AD)
The centralized directory database that contains user account information and security for the entire group of computers on a network.
Csvde
The command imports and exports Active Directory objects using a comma-separated values file.
Configuration NC
The configuration partition contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest.
domain
The core structural unit of Active Directory; contains OUs and represents administrative, security, and policy boundaries.
Mention which is the default protocol used in directory services?
The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).
You are the administrator of DC1, which is a Windows Server 2012 R2 domain controller in your company's domain. You are experiencing problems with DC1 and decide to run the Active Directory Domain Services Configuration Wizard again on this machine. What happens?
The domain controller is demoted to a member server.
What is a trusted domain?
The domain that is trusted; whose users have access to the trusting domain.
If creating a Local Group Policy Object, then a secondary GPO, then a tertiary GPO, what policy settings are included in each GPO?
The first GPO contains both Computer Configuration and User Configuration settings, while the secondary and tertiary GPOs contain only User Configuration settings.
forest root domain
The first domain created in a new forest.
forest root domain
The first domain created within an Active Directory forest.
distinguished name (DN)
The full name of an object that includes all hierarchical containers leading up to the root domain. The distinguished name begins with the object's common name and appends each succeeding parent container object, reflecting the object's location in the Active Directory structure.
A virtual domain controller has been powered on and begins to boot. When it does, the hypervisor host detects that the value of the VM-Generation-ID in the virtual machine's configuration and the value of the VM-Generation-ID in the virtual domain controller's computer object in Active Directory don't match. What happens next?
The hypervisor pushes the latest RID pool and USN to the virtual domain controller.
What determines the functional level of an Active Directory forest?
The lowest version of Windows Server on a domain controller
Domain Name System (DNS)
The name resolution mechanism computers use for all Internet communications and for private networks that use the Active Directory domain services included with Microsoft Windows Server 2008, Windows Server 2003, and Windows 2000 Server
GPO scope
The objects affected by a GPO linked to a site, domain, or OU.
Group Policy Object (GPO)
A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory.
relative identifier (RID)
The part of a SID that's unique for each Active Directory object.
multimaster replication
The process for replicating Active Directory objects; changes to the database can occur on any domain controller and are propagated to all other domain controllers.
object
A grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or OU.
Authorization
The process of determining whether an identified user or process is permitted access to a resource and the user's appropriate level of access.
Authentication
The process of verifying that a user is who they claim to be.
Lightweight Directory Access Protocol (LDAP)
The protocol that has become an industry standard that enables data exchange between directory services and applications. The LDAP standard defines the naming of all objects in the Active Directory database and, therefore, provides a directory that can be integrated with other directory services, such as Novell eDirectory, and Active Directory-aware applications, such as Microsoft Exchange.
Application layer
The seventh layer of the OSI model. Its protocols enable software programs to negotiate formatting, procedural, security, synchronization and other requirements with the network.
True
The system chosen to be the RODC must be a non-member server. True or false?
Active Directory replication
The transfer of information between all domain controllers to make sure they have consistent and up-to-date information.
What are the different kinds of groups?
There are two types: security and distribution; and there are three group scopes: domain local, global, and universal.
What are the different kinds of groups? (There are two types: security and distribution; There are two types: security and distribution, and there are three group scopes: domain local, global, and universal; There are three group scopes: domain local, global, and universal; There are three group types: domain local, global, and universal)
There are two types: security and distribution; and there are three group scopes: domain local, global, and universal.
PDC emulator
There is one PDC emulator per domain, and when there is a failed authentication attempt, it is forwarded to the PDC emulator. It acts as a "tie-breaker" and it controls the time sync across the domain.
Users
These are created within a specific domain and can authenticate against any DC within that domain; Kerberos is used by default for authentication and authorization. They can be members of multiple groups; the SID of each group to which a user belongs is added to the user's security token upon logon.
Sites
These represent the physical structure or topology of your network. A site is, by definition, a collection of well-connected subnets. Branch offices might be created as sites. In AD, subnets are used to determine the relative location of an item in the directory.
What do domains contain?
They contain child domains and OUs.
User Management Resource Administrator (UMRA)
This automates the entire account lifecycle process, from the creation of accounts, all the way to retirement. It does this by pulling information from an authoritative data source, such as an HR and Student Information System, and synchronizes that information with Active Directory or other downstream systems
Self Service Reset Password Management (SSRPM)
This enables end users to reset their own passwords after authenticating their identity via security questions (e.g. "What was the name of your first pet?"). Self-service reduces the need for users to call the helpdesk for assistance and allows IT professionals to focus on more productive tasks. At first login, users can be forced to claim their user accounts via SSRPM and begin the enrollment process. End users access SSRPM by clicking the "I have forgotten my password" link located in any login screen (Windows 7, Vista, XP, Windows 10, Outlook Web Access, Citrix, etc.) or via a web form.
User Lifecycle Provisioning
This helps any organization with the costly and time-intensive process of creation and management of user accounts. The time and money spent on managing accounts is time and money that could be used toward other business-related projects.
what is GAFE?
This is a core suite of productivity applications that Google offers to schools and educational institutions for FREE. These communication and collaboration apps include Gmail, Calendar, Drive, Docs and Sites, and a GAFE account unlocks access to dozens of other collaborative tools supported by Google. All of these applications exist completely online (or in the cloud), meaning that all creations can be accessed from any device with an Internet connection. Once a school decides to embrace Google Apps for Education, they can register their school domain (web address), and administer all teacher and student accounts from an administrative dashboard.
Relying Party Trust
This is the other end of the trust. This is a collection of objects in the other, receiving organization. In the example above, this would be Slack's collection of trusted objects.
Federated Server
This is the server that actually handles and approves all of the requests. There are typically two of these in a farm, but you can get by with just one; it just isn't recommended. These have the Federation Services role installed, and take and approve requests from users within the network or from the Web Application Proxy.
Password Synchronization Manager (PSM)
This synchronizes an end user's password across multiple systems, eliminating multiple passwords.
What is the primary reason for creating different sites on an Active Directory network?
To control the traffic passing over relatively slow and expensive WAN links between locations
TOMBSTONE lifetime
Tombstone lifetime determines how long a deleted object is retained in AD. The deleted objects in AD are stored in a special object referred to as a TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime if the time is not set in the forest configuration.
How do you create a new user account or reset a password?
Tools > AD Users and Computers; choose the domain, right-click (usually under Users); create a temporary password to hand to the new user.
Identity and Access Manager (IAM)
Tools4ever's enterprise-level Identity and Access Management solution. IAM's processes are driven according to individuals' "Core Identity", which is constructed using non-sensitive data - supporting all users on the same platform while leaving their personally identifiable information untouched and secure. User accounts are rapidly created, provisioned, and disabled according to Access Governance (AG) processes run on a scheduled, ad hoc, or triggered basis
Forest
Top level of the Active Directory container
Your network currently has the following Active Directory domains: westsim.com, emea.westsim.com, uk.emea.westsim.com, and us.westsim.com. Your company is closing its offices in the United States. Previously, most of the network administration took place in that office. Now all IT administration will take place in your London offices. You have removed all domain controllers from the us.westsim.com domain except for the DC1 server. This server hosts the following roles: • RID master • PDC emulator • Domain naming master • Infrastructure master. Prior to removing Active Directory from the domain controller, you need to transfer the necessary operation master roles to servers in the westsim.com domain. The westsim.com domain has the following domain controllers: WS1, WS2, WS3, and WS4. All servers are also global catalog servers except for WS3. What should you do to prepare for Active Directory removal on DC1?
Transfer the domain naming master to WS1, WS2, or WS4
Your network currently has two domains: eastsim.com and sales.eastsim.com You need to remove the sales.eastsim.com domain. You have removed all domain controllers in the domain except for the DC1.sales.eastsim.com server. This server holds the following infrastructure master roles: * RID master * PDC emulator * Infrastructure master * Domain naming master You are getting ready to remove Active Directory from DC1. What should you do first?
Transfer the domain naming master to a domain controller in eastsim.com.
An Active Directory __________ is a set of domains sharing a common network configuration, schema, and global catalog.
Tree
true
True or False: After 1,000 users, an additional server is needed for every 15,000 additional users
True
True or False: You need to install the ADFS Service Communication Certificate on each web proxy server.
False
True/False: You can use a wildcard SSL certificate for ADFS?
cross-forest trust
Trust type that allows resources to be shared between Active Directory forests.
What is created in a forest automatically when domains are created?
Trusts
Federation Trusts
Trusts are basically just agreements between two different end points to allow secure online transactions between them. When an application or service is in one network and a user account is in another network, typically the user is prompted for secondary credentials when he or she attempts to access the application or service. Trusts basically bypass this and prevent you from needing secondary creds.
How many servers are required for IAM?
Two Servers • Application Server • Database Server (can be shared with appropriate resources). Recommended to be VMs.
What is a two-way trust?
Two domains allow access to users on both domains.
Groups
Two kinds of these, security and distribution
Workgroup example
Two separate computers have the same login information for Joe. The admin would have to change it in each separate location where Joe has an account.
One Way Trust
Unidirectional authentication path created between two domains or forests
What are the three group scopes?
Universal (grants resources to users and groups from any domain in the forest), Global (in a domain) and Domain Local (on a single domain in the forest).
Which of these groups' membership is stored in the global catalog?
Universal groups
Which of these groups' membership is stored in the global catalog? Universal groups Global groups Domain local groups Distribution groups
Universal groups
Infrastructure Master
Updates cross domain references and phantoms/tombstones from the Global Catalog.
You need to deploy a new Windows Server 2012 R2 domain controller DC2. DC1 is a Windows Server 2008 domain controller. What must you do first to use the install from media option for DC2?
Upgrade DC1 to Windows Server 2012 R2.
rolling upgrades
Upgrade strategy based on functional levels that allows enterprises to migrate their Active Directory domain controllers gradually, based on the need and desire for the new functionality.
You manage the network for the eastsim.com domain. The domain functional level is at Windows 2000 Native. You want to enable linked-value replication. You want to take the minimum action that is possible. What should you do?
Upgrade the forest functional level to Windows Server 2003
Hierarchical Namespaces
Use several levels, such as in an Internet name, www.sales.company.com: .com represents the top level, company represents the second-level domain, sales is a subdomain, and www is the web server name.
Each user must belong to a group, how is it achieved?
Use the 'Member of' tab, click 'Add', enter the object name and 'Check Names', then click 'Apply' and 'OK'.
You are the network administrator for westsim.com. The network will consist of one Active Directory domain that contains 100 users. You install Windows Server 2012 on a server named DC1. You then install Active Directory Domain Services (AD DS) and promote DC1 to a domain controller. After creating the new domain, you create a replica domain controller named DC2. Several months after installation, DC1 fails. Parts to restore the server will not be available for several weeks. You need to transfer the Flexible Single Master Operations (FSMO) roles to DC2. What should you do?
Use the NTDSUtil in an elevated command prompt on DC2 to seize the roles
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. The forest functional level is set to Windows Server 2008 R2. The Active Directory Recycle Bin has been enabled. While working in Active Directory Users and Computers, you accidentally delete a group. You need to restore the group using the least amount of administrative effort. What should you do?
Use the Restore-ADObject PowerShell command to restore the group
Why are sites used?
Used for organisations that have branches in different geographic locations but fall under the same domain.
Group Policy
Used to configure settings for users and computers. Configure one or more settings in one of these and apply them to one or more users or computers by linking the group policy to an organizational unit (OU). Two policies are in place by default when the first DC is created: Default Domain Policy and Default Domain Controllers Policy.
Relative ID Master
Used to create a user's security ID when an account is created
Organizational Units
Used to organize objects in AD (mainly users and computers), it is a kind of container. Use them to link GPO's and Delegation of controls.
Secure Sockets Layer (SSL) certificate
Used to secure communications between federation servers, clients, Web Application Proxy, and Federation Server Proxy computers. This certificate is always assigned to your Federated Service name, so it will appear as and be issued to either fs.domain.com or the recommended sts.domain.com.
UPN
User Principal Name (user name in email format)
built-in user accounts
User accounts created by Windows automatically during installation.
An object represents a single entity. What are those entities?
User, a computer, a printer, or a group and its attributes.
Give an example of an object?
User, computer, printer, group, shared folder.
Gives Permissions to
Users to access files and folders, option to access VPN
LDAP
Uses Port 389 and 3268
There are two types: security and distribution, and three group scopes: domain local, global, and universal.
What are the different kinds of groups?
1. Certificate's Subject Name and Subject Alternative Name must include the federation service name. 2. Certificate's Subject Alternative Name must contain the value enterpriseregistration and the UPN suffix of the organization. 3. Certificate cannot be a wildcard certificate. 4. It's necessary to have both the certificate and the private key when running the ADFS Configuration wizard. 5. Must be issued by a trusted 3rd-party certification authority (CA).
What are the requirements for the Service Communications Certificate
Dsmod.exe
What command-line utility allows administrators to modify groups' type and scope as well as add or remove members?
Install AD DS (Active Directory Domain Services) ○ Promote to Domain Controller. Add UPN suffix with AD "Domains and Trusts" (this is simply adding your 365 verified domain into AD). Use DNS Manager to add "fs.domain.com" DNS records ○ Use the public IP of FS1 ○ "enterpriseregistration.domain.com" CNAME fs.domain.com
What do you need to setup the Domain Controller for ADFS?
You must update Azure AD Connect within the Tasks section.
What happens if the SSL certificate expires?
read-only domain controller
What is RODC
Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.
What is the primary difference between universal groups and global groups in Windows Server 2012?
Port 443 inbound and outbound
What port needs to be open for ADFS?
Federated Servers
What takes care of authentication when ADFS is configured?
Add Roles and Features
What tool do we use to add Active Directory Domain Services?
Staged
What type of RODC deployment permits a common (non-admin) user account to install AD and promote the system?
link-value replication
When a change is made to the member list of a group object, only the portion of the member list that has been added, modified, or deleted will be replicated.
inbound replication
When a domain controller transmits replication information to other domain controllers on the network
outbound replication
When a domain controller transmits replication information to other domain controllers on the network
Transitive Trust
When a new domain is created, it shares resources with its parent domain by default, enabling an authenticated user to access resources in both the child and parent domain.
What is Native Mode?
When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.
When would administrators choose to use a User Template?
When an administrator wants to save time while creating single users with many attributes
What is the role of DNS in Active Directory?
When installed on a Windows Server, DNS uses a database or a file that contains a list of domain names and corresponding IP addresses.
The public IP address of the webproxy
When setting up A records for your ADFS system, what does the record correspond to?
Foreign Security Principals
When we give access to our resources from outside of our forest, an object is created allowing that outside user access into our domain
Global Catalog (Read only category)
Which of the following Active Directory components stores a full copy of all objects in the directory to facilitate searching?
Domain Controllers OU
Which of the following can be right-clicked to begin the RODC staging process?
Global to domain local; Universal to global
Which of the following group scope modifications are not permitted? (Choose all answers that are correct.)
Universal
Which of the following groups do you use to consolidate groups and accounts that either span multiple domains or the entire forest?
Branch Office
Which of the following is a common use for Read-Only Domain Controllers?
OU
Which of the following is a container object within Active Directory?
To create a permanent container that cannot be moved or renamed
Which of the following is not a correct reason for creating an OU?
Remove an existing forest (DNS Global Catalog RODC)
Which of the following is not a specified option when promoting a domain controller in Windows Server 2016?
Metadata
Which of the following may need a manual clean after AD is uninstalled?
Member server (a non-member server does not provide services such as file and print server)
Which server provides services like files, print server and so on?
OAuth
Which single sign-on (SSO) technology depends on tokens? a. OAuth b. CardSpace c. OpenID d. All SSO technologies use tokens.
What is Active Directory Used in?
Windows 2000, Windows Server 2003, Windows Server 2008
Enterprise Single Sign-On Manager (E-SSOM)
With this complete Enterprise SSO solution, you have a powerful multi-platform Single Sign-on solution that offers two-factor authentication, Follow Me and Fast User Switching.
Cloud Single Sign-On (HelloID)
With this, it's as easy for IT and system administrators to grant and revoke permissions to cloud services as it is for end users to access them. By only having a single set of credentials to manage, user administration is a breeze.
Objects
Within Active Directory, each resource is identified as
AD Components
Workgroup, domain, AD Domain Services, site, replication, objects, schema, group policy, organizational units, default domain policy, forest, global catalog, trust, tree
A common reason that one can't join a computer to the domain.
Wrong DNS server address
Name some Active Directory Standards
X500 and LDAP
Can a domain user, who does not possess explicit object creation permissions, create computer objects?
Yes, authenticated users can create workstation objects, but not server objects
Can an administrator launch the Group Policy Management console from a workstation?
Yes, if the workstation is running the Remote Server Administration Tools package
One of the group's members has the group set as its primary group.; You do not have the proper permissions for the container in which the group is located.
You are attempting to delete a global security group in the Active Directory Users and Computers console, and the console will not let you complete the task. Which of the following could possibly be causes for the failure? (Choose all answers that are correct.)
Delegation of control
You are planning an Active Directory implementation for a company that currently has sales, accounting, and marketing departments. All department heads want to manage their own users and resources in Active Directory. What feature will permit you to set up Active Directory to allow each manager to manage his or her own container but not any other containers?
Configure OU-Based filtering by using AADC
You are the Office 365 Admin for your company. The company syncs the local AD objects with a central identity management system. The environment has the following characteristics. Each Department has its own Organization Unity (OU) The Company has OU hierarchies for partner user accounts. All Users accounts are maintained by the central identity management system. You need to ensure that the partner accounts are NOT synchronized with O365. What should you do?
You are attempting to delete a global security group in the Active Directory Users and Computers console, and the console will not let you complete the task. Which of the following could possibly be causes for the failure? (Choose all answers that are correct.) Options: One of the group's members has the group set as its primary group. / You cannot delete global groups from the Active Directory Users and Computers console. / There are still members in the group. / You do not have the proper permissions for the container in which the group is located.
You do not have the proper permissions for the container in which the group is located.; One of the group's members has the group set as its primary group.
Domain Controller (Part 2)
You may create groups within the user account folder for specific people with special permissions (example: a group in Domain Controller for Accounting people)
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 and Windows 8. There is one main office and seven branch offices. There are two writable domain controllers in the main office. There is one read-only domain controller (RODC) in each branch office. The domain functional level is set to Windows Server 2003. While visiting one of the branch offices, you accidentally delete a folder from the SYSVOL share on the local RODC. You need to restore the contents of the SYSVOL on the RODC. What should you do?
You should set the Burflags registry setting on one of the writable domain controllers to D2.
Domain Tree
a DNS namespace: it has a single root domain and is built as a strict hierarchy
Domain user account
an account created and centrally managed through Active Directory.
MAC
a brand name (Macintosh) which covers several lines of personal computers designed, developed, and marketed by Apple Inc.
Active Directory
a centralized database that contains user account and security information
Replication
a change that you make on domain controller A is also applied to the domain controller where you didn't make the change. Same site: 15 seconds. Across Sites: 15 - 180 minutes
expansion card
a circuit board which can be inserted into an expansion slot on the PC's motherboard, to give the PC extra capabilities. Common examples are sound cards, graphics cards and network cards
packet
a collection of data used by the TCP/IP protocol to transmit data across the Internet. Each packet contains routing data as well as the content of the message.
Forest
a collection of related domain trees. it establishes the relationship between trees that have different DNS name spaces.
sound card
a computer peripheral device for audio input and output. Sound cards contain the software necessary for audio processing and at least 2 jacks, one for a speaker output and the other for microphone input.
host
a computer that's connected directly to the Internet -- often a computer that provides certain services or resources.
organizational unit
a container used to organize objects in the active directory
monitor
a device resembling a television that displays computer images.
modem
a device that converts digital data into analog signals and vice-versa for transmission over a telephone line.
scanner
a device that reads a printed page and converts it into a graphics image for the computer.
router
a device that transmits data between two different networks.
Object
a distinct, named set of attributes or characteristics that represent a network resource
Read-Only Domain Controller (RODC)
a domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers within Active Directory.
UGMC (Universal Group Membership Caching )
a feature that caches the group membership of universal groups
domain tree
a group of domains based on the same namespace
Tree
a group of related domains that share the same contiguous DNS namespace
mouse
a hand-held electronic pointing device that controls the coordinates of a cursor on your computer screen as you move it around on a surface.
ZIP drive
a high-density removable-media drive similar to the old floppy 3.5" disk. Each ZIP diskette holds either 100 or 250 megabytes.
built-in user account
a local user account that is created automatically during installation
ping
a networking utility used by network administrators to test the reachability of a host on the Internet.
traceroute
a networking utility used to trace the route and measure delays of packets moving through the Internet.
printer
a peripheral device which produces a hard copy of documents stored in electronic form, usually on physical print media such as paper
Site
a physical location in which domain controllers communicate and replicate information regularly
Member server
a server that is not running as a domain controller
Domain Controller
a server that stores a replica of the account and security information for the domain and defines the domain boundaries
byte
a single letter, number or symbol. There are 8 bits in a byte.
Active Directory
a technology created by Microsoft that provides a variety of network services
IP address
a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.
mainframe
a very large, expensive and powerful computer capable of supporting thousands of users at the same time.
Which of the following can you do when deploying AD DS across a Windows Azure deployment? (Choose all that apply.)
a. Deploy the forest root domain controller for a new forest. b. Deploy a replica domain controller for a forest hosted on your local network. c. Deploy a DNS server that provides service to an AD DS domain hosted in Windows Azure.
Which of the following are best practices that you should follow when planning an AD DS domain structure? (Choose all that apply.)
a. Employ a test lab. b. Prepare thorough documentation. c. Keep everyone, including top managers, informed. d. Understand thoroughly the network's TCP/IP infrastructure. e. Develop and adhere to an adequate security policy. f. Know the capabilities of your WAN links.
Which of the following tools can you use to install AD DS on a server running Windows Server 2012 R2? (Choose all that apply.)
a. The dcpromo.exe command using an answer file d. Server Manager e. Windows PowerShell
Which of the following are features of a global catalog server? (Choose all that apply.)
a. Validation of universal group memberships at logon c. Validation of UPNs across the forest.
Which of the following are not valid domain or forest functional levels for a domain controller running Windows Server 2012 R2? (Choose all that apply.)
a. Windows 2000 mixed b. Windows 2000 native c. Windows Server 2003
In Windows Server 2012 R2, after a user logs on to Active Directory, a(an) ________ is created that identifies the user and all the user's group memberships. Options: access token / access control entry / authentication token / universal group
access token
In Windows Server 2012, after a user logs on to Active Directory, a(an) ________ is created that identifies the user and all the user's group memberships.
access token
DVD drive
acronym for "Digital Video Disc" It's a CD format that can store up to 17 gigabytes of data (enough for a full-length movie)
CD-ROM drive
acronym for Compact Disc with Read-Only Memory; A disk for storing computer information. It looks like an audio CD.
PC
acronym for Personal Computer. Normally refers to computers running Windows with a Pentium processor.
PDA
acronym for Personal Digital/Data Assistant. Generic term for handheld devices such as Palm Pilots that are commonly used to store address and calendar information.
ROM BIOS
acronym for Read Only Memory-Basic Input/Output System.
USB port
acronym for Universal Serial Bus. This is a serial bus standard to interface peripheral devices, intended to help retire all legacy varieties of serial and parallel ports, using a single standardized interface socket.
ROM
acronym for read only memory. Performs computers most primary functions. This memory is permanent and remains even when you turn off the computer.
RAM
acronym for random access memory. Computer's main memory used to process information. Disappears when you turn off the computer.
kerberos
active directory uses ______ to authenticate
domain naming master
adds new domains to and removes existing domains from the forest
multimaster database
administrators can update the ntds.dit from any domain controller.
Workgroup
all hosts are peers; users must have account on each host they login to
RID (Relative ID) Master
allocates pools or blocks of numbers (aka RIDs) that are used by the domain controller when creating new security principals (such as user, group, or computer accounts). The RID is assigned to a new security principal when it is created, and is combined with the domain ID to create a security identifier (SID).
directory service
allows businesses to define, manage, access, and secure network resources, including files, printers, people, and applications.
Publishing
allows users to access network resources by searching the Active Directory database for the desired resource.
Local user account
an account that is created and stored on a local system and is not distributed to any other system.
RODC (read-only domain controller)
an additional domain controller for a domain that hosts read-only partitions of the Active Directory database.
Active Directory
an infrastructure (directory) that stores information and objects and is used to authenticate/authorize the users, computers, and resources which are part of a network
Active Directory
an infrastructure (directory) that stores information and objects.
keyboard
an input device consisting of various keys that allows the user to input data, control cursor and pointer locations.
peripheral
any piece of hardware attached to a computer, such as a printer or scanner.
Object
any specific item that can be cataloged in Active Directory Such as Users computers printers folders files
SRV Records
are locator records that allow a client to locate a domain controller or global catalog. Without SRV records, the client would not be able to authenticate against Active Directory.
Distribution Groups
are organizational only and not for access control (authorization), used in messaging, typically. westlafayettefaculty vs northwest faculty etc...
Generic Containers
are used to organize Active Directory objects
expansion slot
area in a computer's motherboard that accepts additional input/output boards to increase the capability of the computer.
kilobyte (KB)
as much information as a one-page, double-spaced letter. There are 1,024 bytes in a kilobyte.
megabyte (MB)
as much information as in a bestselling novel. There are 1,048,576 bytes in a megabyte.
terabyte (TB)
as much information as in a bookstore. There are 1,099,511,627,776 bytes in a terabyte.
gigabyte (GB)
as much information as in an encyclopedia set. There are 1,073,741,824 bytes in a gigabyte.
Global Catalog Server
at least one DC must be configured as this in a multi-domain forest. Should ideally be located on a server other than the PDC Emulator. For a single domain, all DCs should be this, as it will maintain full functionality of the domain if one DC should fail. Lists all objects in the directory.
What you call the process of confirming a user's identity by using a known value such as a password, a smart card, or a fingerprint?
authentication
Trusts
bond domains together (trusts can be one-way; example: Google and Motorola, where Google does not know the other side and Motorola cannot access Google)
Containers
built-in objects that can store or hold other objects
Your computer is running the Server Core edition of Windows Server 2012 R2. You want to promote this server to domain controller. What should you do? (Each correct answer presents a complete solution. Choose two answers.)
c. Use the Install-ADDSDomainController cmdlet in Windows PowerShell. e. Use dcpromo.exe together with an answer file that provides the required parameters.
universal group
can be used by all computers in forest and contain members from any domain within the forest
global group
can be used by computers within the domain and other domains in the forest
fault tolerant
capable of responding gracefully to a software or hardware failure.
CPU
central processing unit: the brain of the computer that processes instructions and manages the flow of information through a computer system.
What would be the distinguished name (DN) for a user named Ella Parker, whose user account resides in the Marketing OU of the adatum.com domain?
cn=Ella Parker,ou=Marketing,dc=adatum,dc=com
domain
collection of objects with a shared database
Tree
collection of one or more domains in a contiguous namespace that are linked in a trust hierarchy
User Principal Name (UPN)
combines the user account name with the DNS domain name (for example, account awaters in the westsim.com domain would have awaters@westsim.com)
Ldifde
command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files
repadmin
command that helps administrators diagnose AD replication problems between domain controllers running Windows operating systems
Group Policy Objects
contain Group Policy settings and are linked to OUs where users and computers are stored
Organizational Units
containers which you can place users, groups, computers, and other organizational units
schema
contains a definition of each object class and the attributes of the object class that can exist in an Active Directory forest
data table
contains all the information in the Active Directory data store: users, groups, application specific data, and any other data that is stored in Active Directory after its installation.
application directory partition
contains application-specific data created by applications and services
SD (security descriptor) table
contains data that represents inherited security descriptors for each object.
link table
contains data that represents linked attributes, which contain values that refer to other objects in Active Directory.
domain
contains the OUs
Users container
contains the domain's predefined users and groups
organizational unit
contains user and computer accounts
A ____ is one in which every child object contains the name of the parent object.
contiguous namespace
Group Policy Management Editor
controls the computer and user configurations where GPOs are controlled
class
defines set of mandatory and optional attributes an object can have
Active Directory is a ____ that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information.
directory service
A ____ usually is a higher-level representation of how a business, government, or school is organized, for example reflecting a geographical location or major division of that organization.
domain
Click on all of the organizational units in the domain represented in the image (image not included).
Domain Controllers, Sales
You are the network administrator for westsim.com. The network consists of a single active directory domain. all the servers run Windows Server 2012 R2 and all the clients run Windows 7 or Windows 8. The network had a child domain named east.westsim.com. The domain was decommissioned but several snapshots were taken prior to the decommissioning. Management requests that you identify the members of a group that existed in the east.westsim.com. You mounted the last snapshot to examine the group on a domain controller named DC1, but you now need to see the data in the snapshot. What command should you run?
dsamain
You have activated an Active Directory database snapshot on your Windows Server 2012 R2 system and have mounted it. You now need to view the contents of the snapshot. To do this, you decided to access the mounted snapshot in Active Directory Users and Computers using the Lightweight Directory Access Protocol (LDAP). Which command should you use to do this?
dsamain
Infrastructure Master
ensures all objects are updated
domain controllers
Enterprises should have 2 _____ _______, each with a copy of its own database.
Administrator role separation
feature that allows RODCs to provide a secure mechanism for granting non-administrative domain users the right to log on to a domain controller. This allows the domain user to perform local administrative tasks such as installing drivers or security updates.
An Active Directory _____ consists of one or more separate domain trees.
forest
subdomains connected together become a
forest
first domain controller
forest root domain
Members of a universal group can come ______. (from different organizational units / from different domains / from trusted forests / only from within the domain)
from trusted forests
The forest ____ refers to the Active Directory functions supported forest-wide.
functional level
Commands to list FSMO assignments (PS)
Get-ADForest, Get-ADDomain
The ____ stores information about every object within a forest.
global catalog
A ____ is intended to contain user accounts from a single domain and can also be set up as a member of a domain local group in the same or another domain.
global security group
The Delegation of Control Wizard is capable of ________ permissions.
granting
The Delegation of Control Wizard is capable of ________ permissions. (granting / modifying / removing / all the above)
granting
Trees
group of domains that share a contiguous namespace ■ parent domain plus one or more sets of child domains ■ child domains' names will reflect the parent's name
Security Groups
have SIDs added to user tokens and can be used in ACLs
Microsoft combined X.500 and LDAP for Active Directory's structure
hierarchical organization of entries; each entry has a set of attributes; each entry has a unique distinguished name
Firewire
high-speed external connection used for connecting peripherals, also referred to as "IEEE 1394".
cache memory
high-speed memory located between the CPU and the main memory. Cache memory is designed to supply the processor with the most frequently requested data. Storing data here speeds up the operation of the computer
schema
holds classes for objects you create
Schema
holds the classes for the objects you create. AD needs to know what the user "joe" will look like; the default schema ships with common definitions. A class defines what properties an object will have.
Builtin container
holds the default service administrator accounts
user account
identifies a single user
global catalog server
in a multi-domain forest, at least one domain controller should be a
global catalog servers
in a single-domain forest, all the domain controllers should be
Active Directory structures are an arrangement of what?
information about objects.
IT
information technology: the branch of engineering that deals with the use of computers and telecommunications to retrieve and store and transmit information.
What do you call the process that after you link a GPO to a site with multiple domains, the Group Policy settings are applied to all the domains and the child objects beneath them?
inheritance
domain local group
intended to be used only within the domain it was created in
Global Catalog
is a database that contains a partial replica of every object from every domain within a forest.
computer account
is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device.
container object
is one that can have other objects housed within it; these can be additional container objects as well as leaf objects.
leaf object
is one that can have other objects housed within it; these can be additional container objects as well as leaf objects.
Deprovisioning
is the process of removing access rights from a user account when the user leaves the organization.
Active Directory
It is a centralized authentication service for Microsoft networks and provides the main repository for information about users, computers, services, and other Microsoft services.
Organizational Unit (OU)
It is a container that represents a logical grouping of resources that have similar security or administrative guidelines. Organizational units can contain users, groups, contacts, printers, shared folders, and computers.
Domain Controller
It is a server that stores the Active Directory database and authenticates users on the network during logon.
What kind of GPO stores its settings on the local computer in the %systemroot%/System32/GroupPolicy folder?
local GPO
What are the two types of user accounts in Windows Server 2012?
local and domain
schema master
maintains the Active Directory schema for the forest
In a ____, the user does not have permission to update the folder containing his profile.
mandatory user profile
If information on one DC changes, such as the creation of an account, it is replicated to all other DCs in a process called ____.
multimaster replication
What capability allows you to create specific GPO settings for one or more local users configured on a workstation?
multiple local GPOs
DNS is a TCP/IP-based name service that converts computer and domain host names to dotted decimal addresses and vice versa, through a process called ____.
name resolution
An object is uniquely identified by its ______ and has a set of ________.
name, attributes
namespace
○ a bounded area within which a name is resolved or translated into information that is encompassed by the name ○ phonebook: bound to a geographic location, resolves names to phone numbers and addresses ○ Microsoft made this concept dynamic; the namespace is updated and changed regularly ○ structure ■ flat: one level (NetBIOS) ■ hierarchical: several levels of name definition (DNS namespace, e.g. support.weber.edu) ○ types ■ contiguous: the name of a child object contains the name of the parent object ■ disjointed: the name of a child object does not contain the name of the parent object
Command to list FSMO assignments (cmd.exe)
netdom query fsmo
Which file can you view to identify SRV records associated with a domain controller?
netlogon.dns
Differentiation between Consulting and Support... • In most cases, consulting services are defined as:
○ Creating new projects ○ Adding functionality to existing projects ○ Modifying projects due to source data or network changes.
Differentiation between Consulting and Support... • In most cases, support is defined as:
○ General questions about product functionality ○ Error resolution ○ Basic assistance with user-created projects.
Every resource in a domain is called a(n) ____.
object
instance of a class
An object is an _________ of a _________.
Sites
one or more IP subnets that are connected by a high-speed link, typically defined by a geographical location
Lightweight Directory Access Protocol
open, vendor-neutral application-layer protocol (current version is 3) for accessing and maintaining distributed directory information services over an IP network; operations include add, delete, and modify; uses TCP/UDP port 389
Within a domain, the primary hierarchical building block is the _________. (forest / group / organizational unit / user)
organizational unit
site
physical structure of the network / collection of subnets
replication
process of keeping each domain controller in sync with changes that have been made elsewhere on the network
Active Directory Lightweight Domain Services (AD LDS)
provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged Active Directory DS directory service.
Active Directory Domain Services (AD DS)
provides the full-fledged directory service that was referred to as Active Directory in Windows Server 2003 and Windows 2000.
Primary Domain Controller (PDC Emulator)
provides backward compatibility for NT4; handles user authentication
A ____ is typically used to enable one- or two-way access between a Windows Server domain within a forest and a realm of UNIX/Linux computers.
realm trust
binary system
refers to the 'language' computers speak. Binary code (or machine language) consists only of zeroes and ones (i.e., a choice is either on or off), called bits. Letters and other information have a specific binary representation, made up of up to 8 bits (one byte).
RID
relative identifier
A domain controller in your domain has experienced a catastrophic failure. Because the server failed before it could be cleanly removed from your domain, Active Directory still thinks the failed domain controller is present. All of the other domain controllers will continue to try to replicate with it, potentially resulting in database inconsistency. You need to remove the failed server by cleaning the metadata. Which ntdsutil command should you use to do this?
remove selected server
global catalog
replicates the information of every object in a tree and forest
site
represents a group of well-connected networks
subnet
represents a physical network
Schema Master
responsible for performing updates to the schema of the AD structure
Flexible Single Master Operation (FSMO) roles
Specialized domain controller tasks that handle operations that can affect the entire domain or forest. Only one domain controller can be assigned a particular FSMO.
forest
A collection of one or more Active Directory trees. A forest can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.
Each kind of object in Active Directory is defined through the ____, which is like a small database of information associated with that object, including the object class and its attributes.
schema
forest
single instance of active directory - contains domains
A ____ is a TCP/IP-based concept (container) within Active Directory that is linked to IP subnets.
site
FSMO (Flexible Single-Master Operation)
specialized domain controller tasks assigned to a domain controller in the domain or forest
Token Signing Certificate
standard X.509 certificate that is used to securely sign all tokens that the federation server issues and that the cloud service (e.g. Office 365) will accept and validate. This is critical to the Federation Service: if there is something wrong with this certificate, the validation will fail. It is unlikely that you will get questions about how to fix a failure, but know that it exists and know to identify it as an X.509 certificate.
Domain partition
stores the user, computer, group, and object data for a domain, as well as the domain's schema and configuration data.
directory service
stores, organizes, and provides access to information in a directory
Click on the item in the image below that defines a security and replication boundary
testoutdemo.com
Ethernet
the Ethernet is the international standard networking technology for wired implementations such as local area networks.
domain
the basic administrative unit of an Active Directory structure.
Domain Controllers OU
the default location for domain controller computer accounts.
Computers container
the default location for new computer accounts created in the domain
tree root domain
the highest level domain in a tree.
motherboard
the main circuit board inside a computer, containing the central processing unit, the bus, memory sockets, expansion slots, and more
packet switching
the method by which information is transmitted through the Internet. Information is broken into packets and each packet is routed independently from source to destination.
User Name (logon name )
the name of the user account. (For example, Andy Waters may have the following logon name, awaters. )
hardware
the physical components of a computer; central processing unit, monitor, keyboard, mouse, etc.
hard drive
the primary storage of a computer. Hard drives store all the computer's information and retain the information when the computer is turned off.
Replication
the process of domain controllers sharing information.
Demotion
the process of making a dc a member server
Promotion
the process of making a member server a dc
software
the programs that enable a computer to perform a specific task.
Domain container
the root container to the hierarchy
bit
the smallest unit of computer memory
Distinguished names
the way the Active Directory refers to objects
Clients
they request services from servers.
video card
this is the component of your computer that puts a picture onto your screen. They can also 'accelerate' motion video and 3D games.
forest root domain
top-level domain in the top tree. It is the first domain created in the Active Directory.
A(n) ____ means that if A and B have a trust and B and C have a trust, A and C automatically have a trust as well.
transitive trust
A ____ contains one or more domains that are in a common relationship.
tree
To perform an offline domain join, how many times would an administrator run the Djoin.exe command?
twice
network
two or more computers that are connected together to share resources such as hardware, data, and software.
Organizational Unit
is like a folder that subdivides and organizes network resources within a domain
Directory Service
used to retrieve information for authentication
Domain Account
user logs into the domain; allows centralized management of users
Local Account
user logs into the local computer only
Roaming Profiles
user profiles that can be saved on the server
Object Classes (domain classes)
users, groups, computers, domain controllers, and printers. Object classes have common sets of attributes, namely: a unique name, a globally unique identifier (GUID), required object attributes, and optional object attributes.
tape backup
using magnetic tape for storing duplicate copies of hard disk files.
Ldp
utility allows you to search for and view the properties of multiple Active Directory objects.
You manage a Windows Server 2012 R2 system and need to perform an immediate system state backup. The backup should be saved on the E:\ volume. Which command should you use to do this?
wbadmin start systemstatebackup -backupTarget:E:
organizational unit (OU)
what folder stores users, computers and other info
PDC emulator troubleshooting
• Time is not syncing • User accounts are not being locked out • Windows NT BDCs are not getting updates • Pre-Windows 2000 computers are unable to change their passwords
Adding an object on the Member Of tab of a group makes the group a member of another group (it does not add members to the group).
• When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted. They are simply no longer associated with the group. If you delete the group, use one of the following strategies to recover it: • Re-create the group, add all the original group members, and reassign any permissions granted to the group. • Restore the group from a recent backup.
objects
○ any item that can be cataloged in Active Directory ○ users, computers, printers, folders, files ○ objects have attributes ○ the Active Directory schema defines what those attributes can be ○ objects can be logically grouped with similar objects into classes
distinguished names
○ defines the complete path from the top of the tree to the object ○ unambiguous representation of the name of any resource ○ naming format, layout representation
Schemas
○ set of rules that define the classes of objects and their attributes ○ user class can contain user account objects ○ user class possess attributes such as password, group membership, home folder ○ attributes can be indexed so they are searchable ○ the default schema can be modified but it is a dangerous and difficult task
Domains
○ the core unit of the network structure ○ logical grouping of computers that share a common directory database and security ○ domains can be organized into larger units called trees and forests ○ we can define the trust relationships between these units ○ why have multiple domains? ■ security boundaries ■ group policy for each ■ geographic boundaries ■ business boundaries ■ compliance or regulation (Chinese Firewall)
Which of the following would be the correct FQDN for a resource record in a reverse lookup zone if the computer's IP address is 10.75.143.88?
A: 88.143.75.10.in-addr.arpa
A DNS server that hosts a primary or secondary zone containing a particular record can issue the following response to a query for that record:
A: Authoritative answer
Regarding Group Policy in Windows Server 2008 and Windows Vista, Microsoft used the token-based administrative template (ADM) files. What did Microsoft replace ADM files with in Windows Server 2012?
ADMX files (XML-based file format)
What graphical tool can create user and computer accounts and was redesigned for Windows Server 2012?
Active Directory Administrative Center
What user creation tool was redesigned in Windows Server 2012 to incorporate new features such as the Active Directory Recycle Bin and fine-grained password policies?
Active Directory Administrative Center (ADAC)
What two common tools help create both User and Computer objects?
Active Directory Administrative Center and Active Directory Users and Computers
What is the global catalog?
An index of all AD DS objects in a forest
What client applications utilize Domain Name system to resolve host names into IP addresses?
B: All Internet applications working with host names must use DNS to resolve host names into IP addresses
Which of the following are types of zone transfers supported by the DNS server in win server 2012?
B: full zone transfers ,C: incremental zone transfers
Which of the following is not one of the elements of the domain name system DNS?
B: relay agents
How does CSVDE.exe differ from LDIFDE.exe?
Both utilities can import users, but only LDIFDE can modify or delete objects later
What is the primary means by which people access resources on an AD DS network?
By having a user account
What is the maximum length for a fully qualified domain name, including the trailing period?
C: 255 characters
This DNS configuration item will forward DNS queries to different servers based on the domain name of the query.
C: conditional forwarder
In the fully qualified domain name www.sales.contoso.com, which of the following is the second-level domain?
C: contoso
Which command-line utility can create new user accounts by importing information from a comma-separated value file?
CSVDE.exe
What are the two basic classes of Active Directory objects?
Container and leaf objects
What would be a sufficient user account to provide temporary access to the network for a user such as a vendor representative or a temporary employee?
Guest
What is a key difference between a domain tree hierarchy and the organizational unit (OU) hierarchy within a domain?
Inheritance
What nonlocal GPO has its properties stored in the Active Directory object Group Policy container (GPC), as well as a Group Policy template located in the SYSVOL share?
domain GPO
Within a domain, the primary hierarchical building block is the _________.
organizational unit
What is the technique called by which you can modify the default permission assignments so that only certain users and computers receive the permissions and, consequently, the settings in the GPO?
security filtering
The three types of Group Policy Objects (GPOs) include local, domain and _____.
starter
What kind of GPO serves as a template for the creation of domain GPOs based on a standard collection of settings?
starter GPO
When multiple GPOs are linked to a container, which GPO in the list has the highest priority?
the first
Resource access for individuals takes place through their ______.
user accounts
What is the SAM account name and the User Principal Name for the account [email protected]?
SAM account name is ella, and the User Principal Name is [email protected]
If an administrator creates a domain tree in an Active Directory forest, and then creates a separate and different domain tree, what is the relationship between the two domain trees?
Same security entity as one Active Directory forest, bidirectional trust between domain trees
When is an Active Directory site topology created?
Site topology is manually configured dependent on WAN bandwidth and transmission speed.
What administrative division in Active Directory is defined as a collection of subnets that have good connectivity between them to facilitate the replication process?
Sites
Configuring a Central Store of ADMX files helps solve the problem of ________.
"SYSVOL bloat"
An administrator needs to grant an e-mail distribution group of 100 members access to a database. The e-mail group is obsolete and can be dissolved. How should the administrator proceed?
Convert the distribution group to a security group and then assign the group access permissions.
Installing Windows Server 2012 Active Directory Domain Services installs two default policies: Default Domain Policy and Default Domain Controller Policy. The administrator needs different policy settings. How best to proceed?
Create new Group Policy Objects to augment or override the existing default settings.
Which of these groups would an administrator use to assign permissions to resources in the same domain?
Domain local groups
What command-line utility requires you know the SAM account name as well as the user login ID before creating user accounts?
Dsadd.exe
What command-line utility allows administrators to modify a group's type and scope as well as add or remove members?
Dsmod.exe
Local GPOs contain fewer options than domain GPOs. Local GPOs do not support ______.
Folder redirection or Group Policy software installation
What is the group scope for Domain Admins, Domain Controllers, and Domain Users default groups?
Global
What is not a container or a full-fledged security division, and cannot have Group Policy settings applied directly to it?
Group
What application or interface allows you to configure security filtering?
Group Policy Management console
What is the Microsoft Management Console (MMC) snap-in that you use to create GPOs and manage their deployment to AD DS objects?
Group Policy Management console
What is an important difference between groups and OUs?
Group memberships are independent of the domain's tree structure.
How do groups differ from OUs?
Groups are security principals, meaning you assign access permissions to a resource based on membership in a group. OUs are for organization and for assigning Group Policy settings.
What is the order in which Windows systems receive and process multiple GPOs?
LSDOU (local, site, domain, then OU)
What is the PowerShell cmdlet used to create user objects?
New-ADUser
What is a container object that functions in a subordinate capacity to a domain, and still inherits policies and permissions from its parent objects?
Organizational unit
Group Policies applied to parent containers are inherited by all child containers and objects. What are the ways you can alter inheritance?
Using the Enforce, Block Policy Inheritance, or Loopback settings
What is the method for removing a domain controller in Windows Server 2012?
Using the Remove Roles and Features Wizard
For Server Core installations, how does Windows Server 2012 differ from Windows Server 2008 when installing the AD DS role and promoting the system to a domain controller?
Windows Server 2012 now allows administrators to use PowerShell.
What are the two built-in user accounts that are created on a computer running Windows Server 2012?
administrator and guest