Windows Server 2012 Exam 2, 2. Active Directory Administration, Windows Server Chapter 6, 70-640 : Windows Server 2008 Active Directory Configuration (Ch.1), Windows Server Chapter 6, Chapter 6 Terminology, Tools 4.2

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

What is the key benefit to using ADAC or the active directory users and computers console?

C: ADAC allows you to modify the properties of multiple users or multiple computers at once

What is the simplest way for admins to upgrade their active directory domain services infrastructure to win server 2012?

C: Add a new win server 2012 server to your existing directory services installation

Which of the following are the two built in user accounts created automatically on a computer running win server 2012?

C: Administrator , D: Guest

At which layer of the OSI model does DHCP operate?

C: Application layer

Which of the following is not one of the techniques you can use to provide fault tolerance for DHCP servers?

C: DHCP servers using identical scopes

Which of the following DHCP message types is sent frist in process of obtaining an address lease?

C: DHCPDISCOVER

What is the first domain installed in a new active directory forest called?

C: Domain tree root

Select the best reasons for using OUs

C: Duplicating organizational divisions, assigning group policy settings, and delegating administration

WHen using Netdom.exe to join an accont, you may add the parameter [/OU:OUDN] If this parameter is left out, where is the object placed?

C: In the computers container

An Active directory functional level must be low enough to ensure interoperability between domain controllers running different versions of Win Server. How does the functional level affect the AD forest?

C: Lower function level means fewer features available

WHich of the foloowing types of DHCP address allocation is the equivalent of a reservation in win server 2012

C: Manual allocation

What is required by DNS for active directory to function?

C: SRV records support

What are the dangerous consequences of a poorly chosen time to live?

C: Specifying a TTL that is too short can overburden root name and top level domain servers with requests

One method a DHCP server allocates IP addresses is called manual allocation. This process involves manually assigning an IP address to a particular server. What is the key benefit of DHCP manual allocation over manually configuring the address directly on the server?

C: This process prevents accidental duplication of permanently assigned IP addresses.

If the user named Amy is located in the sales OU of the central.cohowinery.com domain, what is the correct syntax for referencing this user in a command line utility?

C: cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com

Which of the following utilities do you use to perform an offline domain join?

C: djoin

Which of the following is not a type of user account that can be configured in win server 2012?

C: network accounts

The following is an administrative grouping of scopes that is used to support multiple logical subnets on a single network segment:

C: superscope

Default SYSVOL Location

C:\Windows\SYSVOL

Order the steps to create an OU with Active Directory Administrative Center. a. Click OK. The organizational unit object appears in the container. b. In the left pane, right-click the object beneath which you want to create the new OU and, from the context menu, select New > Organizational Unit. c. From Server Manager's Tools menu, select Active Directory Administrative Center. d. In the Name field, type a name for the OU and add any optional information you want.

CBDA

Order the steps to create a restricted groups policy. a. Open the GPO in the Group Policy Management Editor and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder. b. Right-click the Restricted Groups folder and from the context menu, select Add Group. The Add Group dialog box appears. c. From the Tools menu in the Server Manager window, select Group Policy Management. The Group Policy Management console appears. d. Create a new Group Policy object (GPO) and link it to your domain. e. Type or browse to add a group object and click OK. The group appears in the Restricted Groups folder and a Properties sheet for the policy appears. f. Click one or both of the Add buttons to add objects that should be members of the group, or other groups of which the group should be a member.

CDABEF

The LDIFDE.exe utility is most similar to what other utility?

CSVDE.exe

Global

Can have access to any domain in forest

GPO Linking

Can link to sites, domains, and OUs.

Active directory

Central repository of networked device information

You manage a group of 10 Windows 8 workstations that are currently configured as a Workgroup. Which advantages you could gain by installing Active Directory and adding the computers to a domain? (Select two.)

Centralized configuration control, Centralized authentication

What can create, validate and revoke public key certificates for internal uses of an organization?

Certificate Services.

You have installedMicrosoft FTP Server service on a Windows Server 2012 R2 host that is a member of the WestSim.com domain. The properties of this service are shown in the exhibit. You want the FTP Server service to log on and run on the system as a virtual service account named FTPSVC. What should you do?

Click LOG ON tab in the properties of the Microsoft FTP Service Specifiy a logon account of NT SERVICE/FTPSVC

How do you reset user passwords?

Click the 'search' icon that says "Find object in Active Directory Domain Services" Upon finding user, right click, 'reset password'

PDC Emulator

Manages password changes for computer and user accounts on replica domain controllers. Target DC for Group Policy updates. Time keeper for domain.

How does DNS work?

Client requests a website by typing a domain (URL) inside the web browser. The browser tries to resolve the domain to an IP address. The browser checks the local cache of the computer, and checks the local hosts file. If no record is found their either, it finally queries the DNS server. The DNS server returns the IP address to the client. The same series of events are usually followed when requesting access to resources within the local network and Active Directory, with the only difference that the local DNS server is aware of all internal hosts and domains.

Cluster

Cluster typically refers to a collection of servers working together. This can include the DC, Federated Server, and the WAP. This is a little more of a general term for "a few servers", so it's not super important.

Domain Naming Master

Manages the addition and removal of all domains, regardless of the domain, in the forest

Trees

Collection of domains within an active directory that have a common relationship

Domain

Collection of objects that share the same database. Administrator would change Joe's password once centrally, and every domain machine automatically recognizes the change.

What is a tree?

Collection of one or more domains and domain trees in a contiguous namespace, and is linked in a transitive trust hierarchy.

What is a forest?

Collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.

Domain Naming Master

Manages the addition and removal of all domains, regardless of the domain, in the forest hierarchy

Common Name

Consider the Domain shown in the example below

Mary Bones Mary Hurd

schema

Master database that contains definitions of all objects in the Active Directory.

Global (Group Scope)

Membership ----------------------------- Global groups can contain members within the same domain. These include: • Global groups in the same domain (in native mode only). • Users and computers within the same domain. Use global groups to group users and computers within the domain who have similar access needs. ----------------------------- Resource Access • Global groups can be assigned permissions to resources anywhere in the forest. • Create global groups to organize users (e.g., Sales or Development).

Domain Local (group scope)

Membership ------------------------------ Domain local groups can contain members from any domain in the forest. These include: • Domain local groups in the same domain (in native mode only). • Global groups within the forest. • Universal groups within the forest (in native mode only). • Users and computers within the forest. ------------------------------ Resource Access • Domain local groups can be assigned permissions within a domain. • Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.

Universal (Group Scope)

Membership ------------------------------ Universal groups can contain members from any domain in the forest. These include: • Universal groups within the forest. • Global groups within the forest. • Users and computers within the forest. ------------------------------ Resource Access • Universal groups can be assigned permissions to resources anywhere in the forest. • Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.

Active Directory (AD)

Microsoft's directory sevice, which is a central database of all network resources, is used to manage the network and provide users with access to resources.

Active Directory (AD)

Microsoft's network directory service. Contains the objects tracked and managed by the network - includes objects such as users, groups, computers, servers, printers. Is a central repository of networked device information for querying, updating, and authenticating against the data. Used to search for printers or contacts. Dependent on DNS.

What Database does IAM work off of?

Minimum: SQL Server Standard 2012 R2 or higher Recommend: SQL Server Standard 2016 or higher

You are the network administrator for your company. Your network consists of two Active Directory domains: research.westsim.local and sales.westsim.local. Your company has two sites: Dallas and Houston. Each site has two domain controllers, with one domain controller for each domain. Users in Houston who are members of the sales.westsim.local domain report slow performance when logging in and accessing files in Dallas. Users in Dallas do not report any problems logging in and accessing local resources. You want all users in Houston to experience adequate log on and resource access response time. What should you do?

Configure one of the domain controllers in Houston to be a global catalog server.

You are the network administrator for northsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. The company has one main office and several small branch offices. The branch offices do not have any on-site network administrators. You are preparing to deploy servers to each of the branch offices. Security is a concern. You must ensure that the passwords for only the members of the branch office are cached on the branch office domain controllers. You must also ensure that data stored on the branch office servers cannot be compromised, even if a hard drive is stolen. What should you do?

Configure the branch office servers as Read-Only Domain Controllers (RODCs) and install the Bitlocker feature.

What is an external in AD?

Connect to other forests or non-AD domains. Nontransitive, one- or two-way.

You and Sammy are creating an organizational unit structure and user accounts for the education.westsim.com domain. You created ACTG, PROD, and SALES organizational units on Server 1. Fifteen minutes later, you change the name of the ACTG organizational unit to ACCT. Before replication finishes, Sammy uses Server 2 to add several user accounts to the ACTG organizational unit. You check the ACCT OU to find the user accounts are not there. What should you do?

Move the user accounts from the LostAndFound container to the ACCT container

Your network has two sites as shown in the graphic. You want to configure Computer1 as a Global Catalog server. Which object's properties would you edit to accomplish this?

NTDS Settings

Your network has two sites as shown in the graphic. You want to configure Universal Group Membership Caching. Which object's properties would you edit to accomplish this?

NTDS Site Settings

Authentication protocols supported by Active Directory Service

NTLM and Kerberos

Concepts of Active Directory

Name space Object Container Schema Global Catalog Partition

Forest

Consists of one or more Active Directory trees that are in a common relationship

A _______ cannot logon or access the domain or network or be assigned permissions

Contact

Contain other objects like Users, Computers, OU, etc.

Container Object

Administrative Templates

Contains registry based Group Policy settings that are used to configure the computer environment, such as Control Panel, Printers, System, and Windows Components.

Join server 1 to the contoso.com domain Install and configure adfs on server 1 Run the following cmdlet on Server 2 Install-windows feature Run the following Windows cmdlet on Server 2: install-webapplicationproxy

Contoso has an O365 tenant. The company has two servers named Server1 and Server2 that run Windows 2012 R2 Server. The servers are not joined to the contoso.com domain. Server2 is deployed to the perimeter network. You install Secure Sockets Layer (SSL) certificates on both servers. You deploy internal and external firewalls. All firewalls allows HTTPS traffic. You must deploy single sign on and ADFS. You need to install and configure all ADFS components. Which four actions should you perform in sequence?

Domain Controller

Controls Active Directory services. ( stores all the information for user accounts and computer accounts) You can add user accounts and computer account, which is added to the database of the domain controller. The information will be entered into the schema(database) of the domain controller. Example: username, password, email, office number under (User Account Schema) Computer account: computer name, SID SCHEMA IS EXTENDABLE, Third party softwares may go into the Domain controller and add bits of information into the Schema Bottom Line: Domain controllers are the servers that control Active Directory Directory Services

An administrator needs to grant an e-mail distribution group of 100 members access to a database, how would the administrator proceed? The e-mail group is obsolete and can be dissolved. Assign the necessary access permissions to the database to the distribution group. Create a new group with the 100 members, then assign permissions. Remove the distribution group, and then convert the members into a universal group, granting access permissions. Convert the distribution group to a security group and then assign the group access permissions.

Convert the distribution group to a security group and then assign the group access permissions.

Country Name

You manage a Windows Server 2012 R2 server that stores user data files. The system volume is drive C:, while all user data is on drive E:. You want to use Windows Server Backup to configure a backup schedule. You want to back up only the E: volume twice a day. You want to be able to restore individual files and folders. If possible, you want to save backups on optical media so you can place the backup disc in a media catalog server for easy retrieval. What should you do?

Create a Scheduled Task that runs wbadmin start backup. Save the backup to an external hard disk.

Your organization runs a Hyper-V hypervisor on Windows Server 2012 R2 that hosts several Windows Server 2012 R2 virtual domain controllers. You want to add an additional virtual domain controller. Instead of installing a new Windows Server 2012 R2 virtual machine and promoting it to be a domain controller, you decide to simply copy one of the existing virtual domain controller's virtual machine files. Prior to cloning the source virtual machine, you need to check it for installed applications and services that aren't compatible with the cloning process. Which PowerShell cmdlet can you use to do this?

New-ADDCCloningConfigFile

You are working in PowerShell on a Windows Server 2012 domain controller. You need to create a group managed service account that will be used by a new service that only you will install later on the server. Which cmdlet should you use to do this?

New-ADServiceAccount

You are the network administrator at eastsim.com. The organization owns 8 restaurants located in California. The network consists of a single Active Directory domain. There is one domain controller and one database server located in each restaurant. The domain password policy requires the use of complex passwords that must be changed every 30 days. After implementing a new third party backup system the backups run without problems for the first month and then begin failing regularly. You determine that the failure is due to an expired password on the service account being used by the third party backup software. You must reconfigure the software to perform successful backups. Your solution should maintain current security standards and avoid future backup failures, while using the least amount of administrative effort. What should you do?

Create a managed service account. Then you should configure the backup software to use the managed service account.

Which of the following is a PowerShell cmdlet for creating user objects?

New-ADUser

Your organization runs a Hyper-V hypervisor on Windows Server 2012 R2 that hosts several Windows Server 2012 R2 virtual domain controllers. You want to add an additional virtual domain controller. Instead of installing a new Windows Server 2012 R2 virtual machine and promoting it to be a domain controller, you decide to simply copy one of the existing virtual domain controller's virtual machine files. What must you do to perform this procedure correctly? (Select two.)

Create the DCCloneConfig.XML for the cloned domain controller. Add the source domain controller's computer object to the Cloneable Domain Controllers group in the Users container.

After User information from HR/SIS Databases and Directory Systems are joined inside of the ____________ datbase, user info is routed to the 3 proper account lifecycle stages of ____________, _____________, and _______________.

Create, Update, and Retire

Builtin Container

Created by default

Update Sequence Number rollback

Creating a snapshot of a virtual domain controller and then rolling it back to that snapshot at a future point in time created a condition

What is the primary means by which people access resources on an active directory domain service network

D: By having a user account

Which of the following message types is not used during a successful DHCP address assignment?

D: DHCPINFORM

What command-line utility allows admins to modify groups' types and scope as well as add or remove members?

D: Dsmod.exe

What is an important difference between groups and OU's

D: Group memberships are independent of the domain's tree structure.

Who may join a computer to the domain?

D: Members of the computer's local admins group may join the computer to the domain

What is the primary purpose of name caching?

D: Name caching enables the second name resolution request for the same name to bypass the referral process

Which of the following is a container object within active directory?

D: OU

The following feature is available only on Active Directory-intergrated DNS zones:

D: Secure dynamic updates

To make use of PXE and WDS, what special config do you require ont he server and client?

D: The DHCP server on the network must have a custom PXXEClient option, option 60 configured with the location of the WDS server on the network

Which of the following groups do you use to consolidate groups and accounts that either span multiple domains or the entire forest?

D: Universal

Is it possible to add ad ds on a computer running server core?

D: Yes, you use powershell, by first installing ad ds role, and then promoting the server to a dc

Which of the following is not a reason why you should try to create as few domains as possible when designing an active directory infrastructure?

D: You must purchase a license from MS for each domain you create

Which of the following DHCP infrastructure designs requires the largest number of DHCP server implementations?

D: distributed

What is the primary reason for creating different sites on an active directory network?

D:To control the amount of traffic passing over the relatively slow and expensive WAN

You are the network administrator for eastsim.com. eastsim.com has one main office in Dallas, TX and two branch offices in New York, NY and Los Angeles, Ca. The branch offices are both connected to the main office by dedicated WAN links. There is no direct conection between the branch offices. The network consists of one Active Directory domain that contains 2,000 users. There are two domain controllers at each site listed in the table below. DC1 was the first domain controller installed in the domain and it currently hosts all five Flexible single Master Operations (FSMO) roles. You need to identify which server should be used as a backup operations master in the even that DC1 should fail. Which server should be used.

DC2

Active Directory keeps a naming convention for the domain that mirrors ______.

DNS

Which of the following server roles is installed automatically by the Active Directory Domain Services Configuration Wizard if the wizard cannot find it on another server elsewhere on the network?

DNS Server

What are domains identified by?

DNS name structure, the namespace.

Match the Active Directory term on the right with its corresponding definition on the left. not all of the definitions on the left have an associated term on the right.

Data Table: Contains all the information in the Active Directory data store. Link table: Contains data that represents linked attributes. SD Table: Contains data that represents inherited security descriptors for each object. Schema: Identifies the object classes that exist in the tree and the attributes of each class.

Client-server applications

Data or a service requested by one computer from another

Active Directory

Database of all objects managed within the boundary of a given network

Computers

Default container for all computers

Global Group

Default scope, can be used by computers within the domain and by members of other domains in the forest. Stored and replicated to all DCs within the domain DLG was created in.

You are planning an Active Directory implementation for a company that currently has sales, accounting, and marketing departments. All department heads want to manage their own users and resources in Active Directory. What feature will permit you to set up Active Directory to allow each manager to manage his or her own container but not any other containers? Multimaster replication Read-only domain controller Manager control Delegation of control

Delegation of control

Replication Boundaries

Determined by domain, use hierarchial names

Which of the following is NOT an example of a special identity?

Dialup Service

Which of the following is NOT an example of a special identity? Dialup Service Creator Owner Authenticated Users Anonymous Logon

Dialup Service

Active Directory

Directory service that houses information about all network resources

configuration partition

Directory stores configuration objects for each domain in the forest

What are the two group types.

Distribution & Security (created for the purpose of granting access permissions to users).

Which of these groups is not related to security and cannot have permissions assigned to it?

Distribution groups

Which of these groups is not related to security and cannot have permissions assigned to it? Universal groups Global groups Domain local groups Distribution groups

Distribution groups

What is the fundamental component of the Active Directory architecture, functioning as the boundary for virtually all directory functions, including administration, access control, database management, and replication?

Domain

Match the Active Directory term on the right with its corresponding definition on the left.

Domain Controller: A server that holds a copy of the Active Directory database that can be written to. Site: Represents a group of networks that are connected with high-speed links. Subnet: Represents a physical network segment. Forest Root Domain: The first domain created in an Active Directory forest. Tree Root Domain: The highest level domain in a tree.

What is the only OU created by default after installing Active Directory?

Domain Controllers OU

What is the only OU created by default after installing Active Directory? Users OU Domain Controllers OU Global OU Computers OU

Domain Controllers OU

Function Level

Domain Function Level must be that of earliest NOS Version

Which of these groups would an administrator use to assign permissions to resources in the same domain? Universal groups Global groups Domain local groups Distribution groups

Domain local groups

What is a Domain Partition?

Domain specific information that is replicated to all DCs within a domain.

RID (Relative ID) Master

Domain-Wide, Responsible for making sure that SIDs are unique within the domain - SID is long security id. All SIDs in a domain are the same up to the last 32 bits, called the RID. RID mastter makes sure those 32 bitts remain unique for each object in domain.

PDC Emulator

Domain-wide, Used for backward compatibility with Windows NT DCs and for propagating password changes quickly across all DC's in the domain (not hours - but seconds) - should not be the same machine as Global Catalog, ideally

child domains

Domains that share at least the top-level and second-level domain name structure as an existing domain in the forest; also called "subdomains."

What command-line utility allows administrators to modify a group's type and scope as well as add or remove members? PowerShell and the applicable cmdlet Active Directory Users and Computers console Active Directory Administrative Center Dsmod.exe

Dsmod.exe

Order the steps to delegate Administrative Control of an OU. a. In the Users or Groups page, click Add. b. Right-click the object over which you want to delegate control, and click Delegate Control. c. In the Select Users, Computers, or Groups dialog box, type the name of the user or group to which you want to delegate control of the object, and click OK. The user or group appears in the Selected users and groups list. d. Select the Tasks to delegate, whether common tasks or custom tasks. Set the delegated permissions for the user or group to which you delegate control. e. From the Tools menu in the Server Manager window, select Active Directory Users and Computers.

EBACD

child domain

Each domain in the tree that is connected to the tree root domain

You are the network administrator for a network with a single Active Directory forest. All domains in the forest are at Windows Server 2003 functional level and the forest is also at Windows Server 2003 functional level. Offices exist in Denver, Chicago, and Miami. Each geographic location has an Active Directory site configured. The links that connect the Denver and Miami sites to the corporate headquarters in Chicago are highly utilized, and you want to minimize replication traffic over them. Company headquarters is located in Chicago and that locaiton has multiple global catalog servers to service global queries efficiently. Several users in Denver and Miami are members of universal groups throughout the forest. You need to make sure that in the event of a WAN link failure that group membership will be protected and logons will be available. What should you do?

Enable Universal Group Membership Caching for the Denver and Miami sites

You manage a single-domain network named northsim.com. Currently, all users are located at a single site in Miami. You are opening a branch office in Orlando. The Orlando. office is connected to the Miami location using a dial-up connection and demand-dial routing. The link between offices is only used during the nighttime to synchronize sales information. About 50 full-time sales people work in the Orlando office. The branch office will have its own domain controller, ORD-DC1. You create a new site object for the Orlando office and move the server into that site. You create a site link object that connects the Orlando site to the Miami site. Users are reporting that logon is slow. You find that during logon, the WAN link must be established before logon is allowed. You want to improve logon for the Orlando location. What should you do?

Enable Universal Group Membership Caching on the Orlando site.

You are network administrator for an Active Directory forest with a single domain. Then network has three sites with one domain controller at each site. You have created and configured sites in Active Directory Sites and Services, and replication is operating normally between sites. You configure two universal groups for use in securing the network. All users are members of one universal group or the other. After configuring the universal groups, users at sites 2 and 3 report slows login and slow access to the corporate database. Users at site 1 can log in and access the corporate database with acceptable performance. You want to improve login and resource access performance for users in sites 2 and 3. What should you do?

Enable universal group membership caching at sites 2 and 3 Configure the domain controllers at sites 2 and 3 as global catalog servers

What is a domain account?

Enables access to Active Directory of network based resources. The account is stored in Active Directory.

trust relationship

Enables administrators from a particular domain to grant access to their domain's resources to users in other domains.

Enterprise Resource Authorization Manager (ERAM)

Enables organizations to streamline and optimize access control for unstructured data. The solution clearly shows who has access, who should have access, who owns the data, who has tried to access certain data and where sensitive information has been stored.

Which of the following default groups is a universal group?

Enterprise Admins

Which of the following default groups is a universal group? Certificate Publishers Enterprise Admins Domain Users Domain Admins

Enterprise Admins

To apply a GPO to a site, you must be a(n) _____________________

Enterprise admin

Objects

Everything within AD. Is an instance of a class. Joe object -> change name (change the first name attribute of joe)

Organizational Unit (OU) Part 2

Example: If you are 1 administrator and support an remote office in Boston, you may create a "Boston Administrator Organizational Unit OU" to give another person access. They will have permission to deal with user accounts and computer accounts. They will have the option to try and fix the problem before reaching out to you. It also provides security by giving limited permissions to these Organizational Unit (OU) . Groups are created for security purposes.

Your organization runs a Hyper-V hypervisor on Windows Server 2012 R2 that hosts several Windows Server 2012 R2 virtual domain controllers. You want to add an additional virtual domain controller. Instead of installing a new Windows Server 2012 R2 virtual machine and promoting it to be a domain controller, you decide to simply copy one of the existing virtual domain controllers virtual machine files. You have completed all of the preparatory steps and are now ready to clone the source virtual machine. Which PowerShell cmdlets must you use to do this? (Select three.)

Export-VM Import-VM Rename-VM

Even when OUs have been nested to many levels, they still will not adversely affect the response time to resource requests or complicate the application of Group Policy settings. T/F

False

Users may use several web based single-sign on services and/or network resources because of which service?

Federation Services (AD FS)

____ password policies mean that you can now create more than one set of account policies within a domain.

Fine-grained

Parents

First-level OUs

Namespaces can be

Flat or hierarchical

FSMO

Flexible Single Master Operations

FSMO

Flexible Single Master Operator: Schema Master, Domain Naming Master, PDC Emulator, RID (Relative ID) Master, Infrastructure Master

gpupdate /force

Forces Group Policy Updates

An Active Directory ________ consists of one or more separate domain trees that do not form a contiguous namespace.

Forest

What are the types of functional levels?

Forest & Domain.

Explain the term FOREST in AD?

Forest is used to define an assembly of AD domains that share a single schema for the AD. All DCʼs in the forest share this schema and is replicated in a hierarchical fashion among them.

Schema Master

Forest-Wide, the DC that is allowed to make changes to the schema (definitions of the database) - only one in the entire forest.

The schema is _______-wide.

Forest-wide

Domain Naming Master

Forest-wide, the DC responsible for the forest-wide namespace - MUST by on a DC that is also a Global Catalog Server

What is the top structure of AD?

Forest.

Different types of containers

Forests Trees Domains OU's (Organizational Units)

Which of the following are logical components of an Active Directory structure? (Choose all that apply.)

Forests Trees Domains Organizational units (OUs)

The Active Directory framework that holds the objects can be viewed at a number of levels. What are these levels?

Forests, trees and domains

In UMRA, Unique IDs are copied from where to where?

From HR and SIS to Directory Systems

Information from what 2 systems are joined inside of the UMRA database?

From the HR/SIS Database and the Directory Systems

Global Catalog

GC is a Domain Controller which maintains a full copy of the local domain partition and a partial copy of the entire forest.

Each Object has a

GUID and a SID

Groups are security principals, meaning you assign access permissions to a resource based on membership to a group. OUs are for organization and for assigning Group Policy settings.

Generally, how do groups differ from OUs?

You are the network administrator for westsim.com. The network consists of a single Active Directory domain.

Get-ADDomainControllerPasswordReplicationPolicyUsage

What is the group scope for Domain Admins, Domain Controllers, and Domain Users default groups? Distribution Universal Global Domain local

Global

Some of the following groups might grant or deny permissions to any resource located in any domain in the forest. Of them, which one's membership is replicated only in the domain controllers of the same domain?

Global groups

What is the primary difference between universal groups and global groups in Windows Server 2012 R2? Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site. Universal groups use less data in the global catalog. So, in considering replication traffic, global groups should be within a site. Universal groups use more data in the global catalog. However, global groups are best in general, both within a site and across sites. Global groups use less data than universal groups, but not significantly.

Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.

What does the acronym GAFE stand for?

Google Applications For Educators

GPME

Group Policy Management Editor

GPO

Group Policy Object

GPO

Group Policy Objects, Contain Group Policy settings

GPOs

Group Policy Objects. The settings that control the working environment of user accounts and computer accounts are known as Group Policy Object (GPO). It helps define the security options, software installation, registry-based policies and maintenance options, script options and folder redirection options

What relies on Domain Services?

Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

Organizational Unit

Grouping of related objects within a domain so that objects can be under the same group policies

What are sites?

Groupings of IP subnets that duplicate information among domain controllers.

What enables you to assign permissions to multiple users simultaneously?

Groups

How do groups differ from OUs? Groups are security principals, meaning you assign access permissions to a resource based on membership in a group. OUs are for organization and for assigning Group Policy settings. Groups are created by Server Manager, but you create OUs by scripts. OUs are security principals, meaning you assign access permissions to a resource based on membership in an organizational unit. Groups are for organization and for delegating permissions. Organizational units are container objects made from the Active Directory Users and Computers console.

Groups are security principals, meaning you assign access permissions to a resource based on membership in a group. OUs are for organization and for assigning Group Policy settings.

Organizational Unit (OU)

Groups, but for administrative purposes. Explanation: Marketing Department OU Unit One person in the marketing department has the permission to the OU and can give him the ability to change permissions in his department, rather than constantly contacting the IT department.n (If user in the marketing department needs help resetting a password, the 1 person with access to the Marketing Organizational Unit (OU) may make those changes.

What are 2 examples of authoritative data sources?

HR systems and SIS databases

Active Directory groups

Have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.

Flat Namespaces

Have only one level to store info, such as the NetBIOS

Group Policy

Hierarchical infrastructure that allows specific configurations for users and computers by the network administrator

What are functional levels?

Higher levels of functional level will not allow older versions of Windows to function but will add additional functionality or features. For example, if you are sure that you will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process.

Where does a forest sit in the Active Directory hierarchy?

Highest Level

Domain Controller Federation Servers (the extra is for "redundancy") A Web application proxy server

How many servers do you install with ADFS and what are they?

cn=amy,ou=sales,dc=central,dc=cohowinery,dc=com

If the user named Amy is located in the sales OU of the central.cohowinery.com domain, what is the correct syntax for referencing this user in a command line utility?

Read-Only Domain Controller (RODC)

In Active Directory Domain Services, a domain controller that supports only incoming replication traffic. It cannot be modified but can be used for authentication.

Forest

In Active Directory Domain Services, an architectural element that consists of one or more domains.

Forest Root Domain

In Active Directory Domain Services, the first domain created in a forest, also known as a parent domain.

Attributes

In Active Directory Domain Services, the individual properties that combine to form an object.

What is Domains in Active Directory?

In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains. Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown below.

Users; Computers; Global groups

In a domain running at the Windows Server 2012 domain functional level, which of the following security principals can members of a global group? (Choose all answers that are correct.)

To prevent Update Sequence Number (USN) rollback issues with virtual domain controllers, each domain controller (virtual or physical) is assigned a unique identifier called the VM-Generation-ID. For virtual domain controllers, where is this identifier stored? (Choose two.)

In a file within the virtual machine configuration. As an attribute of each domain controller computer object in Active Director

Claims Provider Trust

In the ADFS management snap in, claims trusts are objects created in resource partner organizations aka the claims provider to represent the organization in the trust relationship that will have access to resources in the resource partner organization. An example of this could be that Rackspace has a collection of users that can use their credentials (objects) to sign directly into Microsoft resources, such as a backend database that is managed by them.

attribute value

Information stored in each attribute.

schema

Information that defines the type, organization, and structure of data stored in the Active Directory database.

schema

Information that deﬁnes the type, organization, and structure of data stored in the Active Directory database. schema attributes A category of schema information that deﬁnes what type of information is stored in each object.

What is a key difference between a domain tree hierarchy and the organizational unit (OU) hierarchy within a domain? Ability to apply Group Policy Members allowed within Inheritance Membership

Inheritance

You are the network administrator for westsim.com. westsim.com has one main office and 50 branch offices. The network consists of one Active Directory domain that contains 5,000 users. You plan to deploy a Windows 2012 R2 domain controller in each branch office. Ten of the branch offices do not employ on-site IT staff. You need to recommend a solution for these 10 branch offices. Your solution must meet the following requirements: • Minimize network traffic during the installation of Active Directory Domain Services (AD DS). • Maximize the security of the branch office domain controllers. What should you recommend?

Install Active Directory Domain Services (AD DS) using the Install from Media feature and configure the read-only domain controller (RODC) option.

Workgroup

No centralized management or control. One ore more computers on a Windows LAN that are NOT joined to a domain. No dependencies between computers.

Can you delete default groups created by Windows Server 2012?

No, Default groups cannot be deleted

You are working in PowerShell on a Windows Server 2012 domain controller. You need to create a new group managed service account to be used by a new application that will be installed later on the Windows 7 workstations that are members of the domain. The domain functional level is set to Windows Server 2008 Can you do this?

No, group managed service accounts cannot be used by Windows operating systems prior to Windows 8.

You manage a Windows Server 2012 R2 system and need to perform an immediate system state backup. The backup will be saved on the C:\ volume. To accomplish this, you determine the wbadmin start systemstatebackup -backupTarget:C: is the appropriate command to use. Will this strategy work?

No, the backup cannot be saved to the same drive as the system state data.

Should you bring the old role-holder back on the LAN after seizing a FSMO role?

Nope!

Domain Local Group

ONly has access in the local domain

A(n) ____ is a grouping of related objects within a domain, similar to the idea of having subfolders within a folder, and can be used to reflect the structure of the organization without having to completely restructure the domain(s) when that structure changes.

Forest, Domain, Organizational unit, User, Group, Contact, Computer, Shared Folder, Printer, Site, Subnet are all?

Objects

______ in Active Directory databases can be accessed via LDAP, ADSI, message API and Security Account Manager services.

Objects

Leaf

Objects such as users and computers which cannot contain other objects

Groups

Objects that act as containers for users, computers, and other groups.

Security Principal Object

Objects that can be authenticated and assigned permissions

Where do DC's store information?

On a ntds.dit file

What is a one-way trust?

One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

site

One or more IP subnets connected by fast links.

What is a forest?

One or more Windows domains

Domain Tree

One or more domains that are part of the same contiguous namespace.

Windows NT

One primary domain controller replicated to all backup domain controllers, all changes had to made on the PDC

OAuth

Open Authorization

Organization Name

Organizational Unit

Organizational Unit- A container object used to organize objects in Active Directory. Allows for delegation of control and the ability to link GPOs.

What is the next level of Active Directory container object within a domain?

Organizational unit

You are the network administrator for northsim.com, a company that specializes in extreme sports vacations. The company has one main office and 30 branch offices. All of the branch offices have 3 to 10 users on location, and all of them are located in remote areas of the country. Due to the need to be located near natural resources, many of the branch offices lack basic security and almost all of them are connected to the main office via dial-up. Users at the branch offices complain that it takes a long time to log on to the domain. Management has authorized the purchase and deployment of one Windows Server 2012 R2 server for each branch office. You have been asked to develop a standard installation for the new servers being deployed. Your solution must meet the following requirements: • Each branch office server should perform authentication for users located at that branch office. • Each branch office server should be configured so as to minimize the amount of Active Directory information that will be compromised in the event that the server is stolen. • Each branch office server should be configured so as to minimize the amount of user data that will be compromised in the event that the server is stolen. What should you do?

Install a Read-Only Domain Controller (RODC) in each branch office. Configure the hard drive to use Bitlocker drive encryption.

You manage the network with a single Active Directory domain named eastsim.com. Your company has a single office in Dallas. You open a second office in San Antonio. The San Antonio location is connected to the Dallas location by a WAN link. All user and computer accounts in the branch office are members of the eastsim.com domain. You do not install a domain controller in the branch office. Recently, the WAN connection between Dallas and San Antonio went down. During the outage, several problems existed because of the lack of a domain controller in the San Antonio location. You want to eliminate these problems in the future. You want to make sure the user passwords are cached on a server in San Antonio, and the directory service replication only happens from Dallas to San Antonio. Changes should not be made at San Antonio and replicated back to domain controllers in Dallas. What should you do?

Install a Read-only Domain Controller (RODC) in the branch office.

You manage the network with a single Active Directory domain named eastsim.com Domain controllers run both Windows Server 2003 and Windows Server 2012 R2. The domani functional level is a t Windows Server 2003. Your company has recently opened a new branch office. You would like to create anew domain named branch1.eastsim.com for the branch office. You want to use a read-only domain controller for this domain. How should you install the RODC?

Install a full domain controller int he main office, then install the read-only domain controller in the branch office

Your organization runs a Hyper-V hypervisor on a Windows Server 2008 R2 system that hosts a mix of Windows Server 2008 R2 and Windows Server 2012 R2 virtual domain controllers. You want to use snapshots to protect your virtual domain controllers on this hypervisor host. However, you have heard that doing this can cause Update Sequence Number (USN) rollback issues. What must you do to prevent this from happening? (Choose two.)

Install the latest Integration Services from a Windows Server 2012 R2 hypervisor on the virtual domain controllers. Upgrade the hypervisor host to Windows Server 2012 or Windows Server 2012 R2.

GUID globally unique identifiers

128 bit hexadecimal, assigned on creation

Replication

180 min default, down to 15min option, Repadmin can be used to force replication

Domain Local Group

Intended to be used only within the domain it was created in. Stored and replicated to all DCs within the domain DLG was creattted in.

User Configuration

A Group Policy setting that enables administrators to customize the configuration of a user's desktop, environment, and security settings. Enforced policies are based on the user rather than on the computer used.

Linked value replication

A Windows Server 2003, Windows Server 2008, and Windows Server 2012 feature that replicates only the part of Active Directory that changed since the last replication.

Active Directory

A Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.

Domain Controller

A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.

Domain Controller

A Windows server with Active Directory Domain Services directory service installed. Allows for centralized authentication and management of a domain.

schema attributes

A category of schema information that defines what type of information is stored in each object.

What is a Domain Controller?

A server that stores the Active Directory database and authenticates users on login.

User Principal Name (UPN)

A user logon name that follows the format username@domain. Uers can use UPNs to log on to their own domain from a computer that's a member of a different domain

adfs

Active Directory Federation Services

What group must a user be in to have their password cached on an RODC?

Allowed RODC Password Replication Group

What is a local account?

Allows access to local computers only. Local account info stored in a SAM database on the computer.

What is an Application Partition?

Allows administrators to control what information is replicated to which domain controllers.

What is Mixed Mode?

Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

Allows us to delegate the management of our department, container for every department

When using CSVDE, what is the first line of the text file that uses proper attribute names?

B: header record

What are the two basic classes of active directory objects?

B: leaf ,D: container

Security Group

Can be assigned permissions

Local Policies

Can be configured on local host computers, policies apply only to that computer

Local Policies

Can be configured on the local host computer only

What is a realm?

Can be transitive or nontransitive (intransitive), one- or two-way.

Universal

Can create access between forests

Universal Group

Can create from any domain

attribute

Characteristics associated with an object class in Active Directory that make the object class unique within the database. The list of attributes is defined only once in the schema, but the same attribute can be associated with more than one object class.

What is the Active Directory schema?

Contains formal definitions of each object class/attribute that exists in a forest/object

Users

Contains groups and users

The ipv6 DNS host record is referred to as an?

D: AAAA record

Domain Component

Infrastructure Master

Domain-wide, Maintains references to objects located in another domain (phantoms)

What is a Certificate Service used for?

Encrypt files, emails and network traffic.

KCC Knowledge Consistency CHecker

Ensures all DC have consistent information

Infrastructure Master

Ensures that objects are updates across all domains

128 bit Globally unique identifier

GUID

What is the primary difference between universal groups and global groups in Windows Server 2012?

Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.

domain tree

In Active Directory, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship. Each Active Directory forest can contain one or more domain trees, each of which can, in turn, contain one or more domains.

You are the network administrator for westsim.com. westsim.com has one main office and 10 branch offices. The network consists of three Active Directory domains: westsim.com, eastsim.com, and websales.eastsim.com. All the domain controllers run Windows Server 2012 R2. Users on the westsim.com network often search for other employees based on the postal code attribute but they complain that Active Directory searches take a long time to complete. You believe that you can speed up searches by adding the postal code attribute to the Global Catalog. What should you do?

In the Active Directory Schema snap-in, in the Properties of the Postal Code attribute, select the Replicate this attribute to the Global Catalog check box.

Where are attributes defined?

In the schema

Integrated Zone

Incorporated within Active Director with Multi-Master replication process

Active Directory Contact

Individual who is not part of the organization but related to the organization

What is the PowerShell cmdlet for installing a domain controller to the domain "adatum.com"?

Install-AddsForest -DomainName "adatum.com"

What is Federation Services?

Is a single sign-on service.

What is one of the main characteristics of a forest?

It uses partitions to store and replicate information

Directory Replication Server

Performs the replication

Active Directory Objects are

Physical entities of a Network and can be described by a set of attributes

partition

Portion of Active Directory database used to divide the database into manageable pieces.

ntds.dit

Primary Active Directory database file

functional levels

Interoperability with prior versions of Microsoft Windows

Which of the following is NOT a group scope?

Security groups

What is Rights Management Services?

Is a server software for information rights management. Which uses encryption and a form of selective functionality denial for limiting access to documents such as corporate emails, microsoft word documents and web pages and the operations authorized users can perform on them.

Delegation of Control

Set on a specific UO and assigns permissions based on common administrative tasks.

Creator Owner and Authenticated Users are two examples of _______.

Special Identity

LDAPS Port(s)

TCP 636

LDAP Port(s)

TCP/UDP 389

ms-DS-MachineAccountQuota

The attribute that specifies maximum number of devices a user can add to a domain

loose consistency

It can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment, which means that each individual domain controller may contain slightly different information until the replication process has been completed.

What is the executable part of the Active Directory instance?

It is a collection of windows services and processes that run on windows 2000 and later.

SRV record

The locator records within DNS that allows clients to locate an Active Directory domain controller or global catalog.

relative identiﬁer (RID)

The part of a SID that's unique for each Active Directory object. See also security identiﬁer (SID).

Schema NC

The partition that contains the rules and definitions used for creating and modifying object classes and attributes within Active Directory.

API (application programming interface) call

The process an application uses to make a request of the OS

What is Active Directory?

It is a directory service that microsoft developed for the Windows domain networks. Which is in most Windows Server Operating Systems as a set of processes and services.

Active Directory Domain Services (AD DS)

The server role required to setup a domain and promote a server to a Domain Controller.

AD LDS is installed as a server role via Server Manager.

True

What does a Lightweight Directory Service do?

It is a lightweight implementation of AD DS, which runs as a service on windows server. AD LDS shares the code base with AD DS and proves the same functionality but does not require creation of domains or domain controllers. It provides a data store for storage of directory data and a Directory Service with an LDAP directory service interface.

What is the purpose of AD FS?

It is an extension of that of AD DS. The latter enables users to authenticate with and use the devices that are part of the same network using one set of credentials.

Modify NIC (Network interface) settings: DNS server should be public IP of DC1 Join FS1 to your domain Request & install SSL certificate Install ADFS Role Configure ADFS ○ Create new farm ○ Add the server to the farm ○ Select SSL cert for use Export SSL

What do you need for the Federated Servers for ADFS?

Add IP of WAP1 to Public DNS host ○ Fs.domain.com| A record | WAP1 IP Edit firewall to allow port 443 (UDP/TCP inbound/outbound) Edit hosts file to point fs.domain.com to IP of FS1 Import SSL cert from FS1 Install WAP role by ○ Remote Access ○ Web Application Proxy

What do you need for the Web Proxy for ADFS?

Request goes to Proxy server when sends the information to the Federated servers (FS). The FS will then assign a token for you to complete authentication.

What handles an authentication request if you are outside of a network?

What versions of Windows began support of multiple local GPOs?

Windows Server 2008 R2 and Windows Vista

Minimum Requirement for Installing AD?

Windows Server, Advanced Server, Datacenter Server Minimum Disk space of 200MB for AD and 50MB for log files NTFS partition TCP/IP Installed and Configured to use DNS Administrative privilege for creating a domain in existing network

Unlike AD DS can there be multiple AD LDS instances run on the same server?

Yes.

What does a domain controller do?

It is contacted when a user logs into a device, accesses another device across the network or runs a line of business metro style app sideloaded into a device.

forest

defines the fundamental security boundary within Active Directory, which means that a user can access resources across an entire Active Directory forest using a single logon/password combination.

functional level

depends on which Windows server operating system versions are running on the domain controllers in that domain or forest

Domain Controllers create a

domain

What are objects grouped into?

domains

OU COmmand Line

dsadd ou "ou=HR,dc=corp,dc=conosto,dc=com

object

everything in the active directory is an ______

Members of a universal group can come ______.

from trusted forests

workgroup

has no centralized control or dependencies between computers

service account

is a special user account that an application or service uses to interact with the operating system.

Global Catalog

It stores a full replicate of every object within its own domain and a partial replica of each object within every domain in the forest

What does an Active Directory Domain Services do?

It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights.

Active directory domain services

the active directory database

ADFS Management snap-in

used to configure claims and relying party trusts (specifically the objects that can be represented across organizations.

group policy

used to configure settings for users and computers

Relative Distinguished Name (RDN)

used to identify the object within its container.

directory partition

used to replicate domain information

Like user accounts, there are both local and domain groups

• Local groups exist only on the local computer, and control access to local resources. • Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.

To add or remove members of a group, use the following methods

• On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group. • On the user account, edit the Members Of tab and select the group to which you want to add the user. The Member of tab displays all of groups to which the object is a member. Use this method to efficiently add a single user to multiple groups.

In addition to the group scope, there are two types of groups

• Security • Distribution

standard abbreviations CN OU DC O C

○ CN = common name ○ OU = organizational unit ○ DC = domain component ○ O = organization name ○ C = country name

Global Catalogs

○ central information database ○ this information is replicated through all domain controllers in the forrest

containers

○ designed to hold other objects in the directory ■ forests, trees, domains, OUs, folders

partitions

○ domain partition: all objects in a domain, replicated across all domain controllers ○ schema partition: definitions of all objects and their attributes ■ also contains rules for creating and configuring objects ○ configuration partition: structure of Active Directory, domains, sites, services ○ application partition: application-specific data

Forests

○ group of domain trees that do not share a contiguous namespace ○ two-way transitive trust relationship

Organizational Units

○ logical subgroup in the domain ○ usually single work group, section, or department ○ any type of noncontainer object

Where is the path to the default GPT structure for a domain?

%systemroot%\SYSVOL\sysvol\<domain name>\Policies

Bandwidth

(1) the amount of traffic, or data transmission activity, on a network. (2) a measure of the highest and lowest frequencies that a medium can transmit

What is a shortcut in AD?

Joins two domains in different trees, transitive, one- or two-way.

Servers

. provide services such as file storage, user management, and printing.

Kerberos

Kerberos is a network authentication protocol, which is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Mention what is Kerberos?

Kerberos is an authentication protocol for network. It is built to offer strong authentication for server/client applications by using secret-key cryptography.

Process to convert full DC to RODC

1) Demote full DC 2) Remove any AD accounts and DNS records 3) Precreate RODC acount on existing DC 4) Promote to RODC

Name 3 benefits of Active Directory

1. Automatic replication, 2. centralized administration, 3. single log-on for access to resources

What are four considerations for a Group Implementation Plan

1. Create, edit and delete groups. 2. Define scope of groups 3. Create guidelines for old and new groups 4. Naming and nesting standards for groups.

What is DNS used for in Windows Server 2012 (name 3)

1. Resolving IP addresses to host names and vice versa, 2 locate global catalog servers and DC's, 3 locate mail servers.

NetBIOS Maximum Name Length

15 Characters

What is the LDAP default port in Active Directory?

LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following: Distinguished names Relative Distinguished names

Protocol used in directory services and what is its purpose?

LDAP is the protocol used to query or access active directory databases. It uses port 389.

globally unique identifier (GUID)

A 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed.

Computer Configuration

A Group Policy setting that enables administrators to customize the configuration of a user's desktop, environment, and security settings. Enforced policies are based on the computer used.

Directory Services Restore Mode (DSRM)

A boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are deleted accidentally.

schema classes

A category of schema information that defines the types of objects that can be stored in Active Directory, such as user or computer accounts.

schema classes

A category of schema information that deﬁnes the types of objects that can be stored in Active Directory, such as user or computer accounts.

Cloud Application Management and SSO (HelloID)

A cloud-based Single Sign-On (SSO) solution that provides access to your cloud applications. Users may open the HelloID portal after authenticating their credentials and passing the configured access policies and any additional security settings (e.g. multifactor authentication). HelloID integrates with Active Directory to support just-in-time provisioning that synchronizes groups and attributes with the individual's SSO account at their first login.

Domain

A collection of objects that trust and share the same database, while providing a security boundary for users accessing network resources

forest

A collection of one or more Active Directory trees; can consist of a single tree with a single domain, or it can contain several trees each with a hierarchy of parent and child domains.

User Management Resource Administrator (UMRA)

A complete Identity and Access Management Software solution. Several modules are offered, including User Provisioning with more than 90 systems and applications

What are OU's?

A container that represents a logical grouping of resources.

ARP(address resolution protocol)

A core protocol in the TCP/IP suite that belongs in the network layer of the OSI model,, contains the physical address of the host, or node and then creates a local database that maps to MAC address to the host IP (logical) address

Logical Structure: What does the Active Directory instance consist of?

A database and corresponding executable code responsible for servicing requests and maintaining the database.

directory service

A database that stores information about a computer network and includes features for retrieving and managing that information

directory service

A database that stores information about a computer network and includes features for retrieving and managing that information.

schema directory partition

A directory partition containing the information needed to define Active Directory objects and object attributes for all domains in the forest.

schema directory partition

A directory partition containing the information needed to deﬁne Active Directory objects and object attributes for all domains in the forest

application directory partition

A directory partition that applications and services use to store information that benefits from automatic Active Directory replication and security.

application directory partition

A directory partition that applications and services use to store information that beneﬁts from automatic Active Directory replication and security.

domain directory partition

A directory partition that contains all objects in a domain including users, groups, computers, OUs, and so forth.

domain directory partition

A directory partition that contains all objects in a domain, including users, groups, computers, OUs, and so forth.

configuration partition

A directory partition that stores configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another.

conﬁguration partition

A directory partition that stores conﬁguration information that can affect the entire forest, such as details on how domain controllers should replicate with one another.

global catalog partition

A directory partition that stores the global catalog which is a partial replica of all objects in the forest; contains most commonly accessed object attributes to facilitate object searches and user logons across domains.

global catalog partition

A directory partition that stores the global catalog, which is a partial replica of all objects in the forest. It contains the most commonly accessed object attributes to facilitate object searches and user logons across domains.

Objects are classified by?

A distinct set of characteristics known as attributes. In general objects in the same container have the same type of attributes.

Distribution

A distribution group is used to maintain a list of users and is typically used for sending e-mails to all groups members. Distribution groups cannot be used for assigning permissions.

replication partner

A domain controller configured to replicate with another domain controller.

replication partner

A domain controller conﬁgured to replicate with another domain controller.

domain controller (DC)

A domain controller is a server that stores the Active Directory database and authenticates users with the network during logon.

Read-Only Domain Controller

A domain controller that stores a read-only copy of the Active Directory database but no password information. Changes to the domain must be made on a writeable DC and then replicated to an RODC.

operations master

A domain controller with sole responsibility for certain domain or forest-wide functions.

fully qualified domain name (FQDN)

A domain name that includes all parts of the name, including the top-level domain.

fully qualiﬁed domain name (FQDN)

A domain name that includes all parts of the name, including the top-level domain.

Catastrophic failure

A failure that destroys a component beyond use

Farm

A farm is just the collection of Federation servers. When you set up a Federation server the first time, you set up the first Federation server in a Farm. Any additional server is a new node being added to the farm

Forest

A forest is used to define an assembly of AD domains that share a single schema for the Active Directory

What is a Group

A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with group instead of individual user accounts helps simplify network maintenance and administration. For instance, through groups the users receive all the user rights assigned to the group and all permissions assigned to the group on any shared resources.

tree

A grouping of domains that share a common naming structure.

Tree

A grouping of domains that share a common naming strucutre

What is a domain tree?

A grouping of domains that share the same namespace

object

A grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or OU.

domain

A grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems.

organizational unit (OU)

Domain controller

A is a server that holds a copy of the Active Directory database

Global Catalog

A list of all the objects in an Active Directory Domain Services forest. The 1st DC in a forest must contain a Global Catalog.

Group Policy Object (GPO)

A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory.

Domains

A logical grouping of network resources and devices that are administered as a single unit.

What is a domain?

A logical grouping of network resources and devices that are administered as a single unit.

What is the key difference between a managed service account and a group managed service account.

A managed service account can be used on only one computer in a domain.

shortcut trust

A manually created nontransitive trust that allows child domains in separate trees to communicate more efficiently by eliminating the tree-walking of a trust path.

CAN (campus area network)

A netowrk of connected LANs with ityjn a limited geographical area, such as the buildings in a university campus

security identifier (SID)

A numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an RID.

Security Identifier (SID)

A numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an RID. See also relative identifier)

What is an intransitive trust

A one way trust that does not extend beyond two domains.

What is a PAM trust?

A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a (Windows Server 2016 functionality level) 'bastion' forest, which issues time-limited group memberships.

external trust

A one-way, nontransitive trust that is established with a Windows NT domain or a Windows 2000 domain in a separate forest.

application partition

A partition that allows information to be replicated to administratively chosen domain controllers. An example of information that is commonly stored in an application partition is DNS data. Application partitions offer control over the scope and placement of information that is to be replicated.

site

A physical location in which domain controllers communicate and replicate information regularly.

authentication

A process that confirms a user's identity; the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.

authentication

A process that conﬁrms a user's identity, and the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.

Knowledge Consistency Checker (KCC)

A process that runs on every domain controller to determine the replication topology.

Lightweight Directory Access Protocol (LDAP)

A protocol that runs over TCP/IP and is designed to facilitate access to directory services and directory objects. It's based on a suite of protocols called X.500, developed by the International Telecommunication Union.

Lightweight Directory Access Protocol (LDAP)

A protocol that runs over TCP/IP and is designed to facilitate access to directory services and directory objects; based on a suite of protocols called X.500, developed by the International Telecommunications Union.

directory partition

A section of an Active Directory database stored on a domain controller's hard drive. These sections are managed by different processes and replicated to other domain controllers in an Active Directory network.

Security

A security group is one that can be used to manage rights and permissions. • Group members get the permissions that are granted to the group. • A security group represents an object with a security identifier (SID), which through the member attribute, collects other object, such as users, computers, contacts, and other groups.

Self Service Reset Password Management (SSRPM)

A self-service application that allows end users to reset their Active Directory passwords. The number of password-related calls to the helpdesk is thus significantly reduced or eliminated altogether.

right

A setting that specifies what types of actions a user can perform on a computer or network.

right

A setting that speciﬁes what types of actions a user can perform on a computer or network.

SYSVOL

A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.

SYSVOL folder

A shared folder that stores information from Active Directory that replicated to other domain controllers

SYSVOL folder

A shared folder that stores information from Active Directory that's replicated to other domain controllers.

Group Scope

A single group can be used across all computers within the domain in which the group resides. You can also use groups outside of their native domain - depending on the groups scope.

Forest

A single instance of AD. can have one or multiple domains that share the same schema (database definitions). 1 DC minimum. Also called a security boundary.

Global catalog

A system that replicates the information of every object in a tree and forest so that objects can be found and accessed from any domain.

Multiple-Master Replication

A technique in which duplicate copies of a file are updated on a regular basis, no matter which copy changes. This allows all DCs to allowing changes to AD and all others get the changes.

Bus topology

A topology in which a single cable connects all nodes on a network without intervening connectivity devices

What concept does AD use for managing resources on a Windows Network?

A tree concept

What is an Explicit trust?

A trust that an admin creates. It is not transitive and is one way only.

What is a transitive trust?

A trust that can extend beyond two domains to other trusted domains in the forest.

IP address

A unique number used to identify all devices on an IP network. IP addresses are four octets long and are commonly expressed in dotted-decimal notation, such as 192.168.10.1.

What are the security principals assigned?

A unique security identifiers (SIDs)

domain user account

A user account created in Active Directory that provides a single logon for users to access all resources in the domain for which they have been authorized.

local user account

A user account defined on a local computer that's authorized to access resources only on that computer; mainly used on stand-alone computers or in a workgroup network with computers that aren't part of an Active Directory domain.

local user account

A user account deﬁned on a local computer that's authorized to access resources only on that computer. Local user accounts are mainly used on stand-alone computers or in a workgroup network with computers that aren't part of an Active Directory domain.

user principal name (UPN)

A user logon name that follows the format username@domain; can be used to log on to a user's own domain from a computer that's a member of a different domain.

What is an example of what AD DS does?

A user logs into a computer that is part of a windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. Which also allows management and storage of information, provides authentication and authorization mechanisms and establishes a framework to deploy other related services.

Disk quota

A way in Windows Server 2012 NTFS to limit the amount of hard drive space on which users can store data. You can set up quotas on a volume and on individual users.

Active Directory Installation Wizard

A wizard used to promote a Windows Server 2012 computer to a domain controller. Using the Active Directory Installation Wizard, system administrators can create trees and forests.

(LDAP)

Lightweight Directory Access Protocol

Which of the following is not true about an object's attributes?

A: Admin must manually supply information for certain attributes ,B: every container object has, as an attribute, a list of all the other objects it contains

What are some best practices when creating internal DNS namespaces

A: Avoid an excessive number of domain levels

Generally, how do groups differ from OU's?

A: Groups are security principals, meaning you assign access permissions to a resource based on membership to a group. OUs are for organization and for assigning group policy permissions.

You are preparing to deploy win 8 to a large number of new workstations. Which of the following options would be best?

A: Install Win8 using pre-boot execution environment PXE and windows deployment services WDS

The following is a hexadecimal address that is uniquely associated with a specific network interface card NIC

A: MAC

What is the powershell cmdlet syntax for creating a new user account?

A: New-ADUser

what differences matter most in creating a single user versus multiple users?

A: Single user creation is often done from the graphical user interface GUI, whereas creating multiple user typically requires using command-line tools.

Which of the following is not a correct reason for creating an OU?

A: To create a permanent container that cannot be moved or renamed

What servers should not be DHCP clients?

A: Web servers, DHCP servers, and domain controllers

Data from a primary zone is transmitted to secondary zones using the following

A: Zone transfer

What is the key difference between groups and OU's

A: because groups are independent from domain structure, its members may be located anywhere in the domain or outside the domain

You are planning an active directory implementation for a company that currently has sales, accounting, and marketing departments. All department heads want to manage their own users and resources in active directory. What feature will permit you to set up active directory to allow each manager to manage his or her own container but not any other containers?

A: delegation of control

What is the primary difference between universal groups and global groups in Win server 2012?

A: global groups use less data in the global catelog. So, in considering replication traffic, universal groups should be within a site

Which of the following cannot contain multiple active directory domains?

A: organizational units

What is the default trust relationship between domains in one forest?

A: two-way trust relationship between domain trees

In a domain running at the win server 2012 domain functional level, which of the following security principals can be members of a global group?

A: users , B: computers , D: global groups

Schema

Like the blueprint for active directory, it defines the attributes each type of object can possess, the type of data that can be stored in each attribute, and the object's place in the directory tree.

What are 2 examples of Directory Systems?

AD (Active Directory) and GAFE

What services does Active Directory consist of?

AD DS, Domain services, Lightweight Directory Services, Certificate Services, Federation Services, Rights Management Services.

What directory services does Windows Server 2008 provide?

ADDS and ADLDS

What is the correct method for implementing groups in Active Directory? - Acronym

AGUDLP - Add Accounts to Global Groups, add Global Groups to Universal Groups, add Universal Groups to Domain Local Groups, apply Permissions.

On which of the following editions of Windows Server 2012 R2 can you install the AD DS role? (Choose all that apply.)

ANY (FESD) Foundation Essentials Standard Datacenter

Name 7 default groups in Active Directory?

Account operators, Enterprise Admins, Administrators, Guests, Domain Controllers, Users, Schema Admins.

AGDLP

Account, Group, Domain Local, Permissions

Arranged all the network users, computers, and other Objects into groupings

Active Directory

locator service

Active Directory DNS provides direction for network clients that need to know which server performs what function.

What does ADDS stand for?

Active Directory Domain Services

What is AD DS?

Active Directory Domain Services called a domain controller. It authenticates and authorizes all users and computers in a windows domain type network assigning and enforcing security policies for all computers and installing or updating software.

You are the network administrator for westsim.com. The network consists of one Active Directory domain that contains 1,500 users. westsim.com has one main office and 15 branch offices. There are three domain controllers at the main office and one domain controller at each branch office. You have been asked to identify which domain controller hosts the Schema Master role. Which utilities should you use?

Active Directory Schema snap-in Dsquery

What does a Certificate Service do?

Active Directory Services establishes an on-premises public key infrastructure.

You manage a network with a single domain named eastsim.com. The network currently has three domain controllers. During installation, you did not designate one of the domain controllers as a global catalog server. Now you need to make the domain controller a global catalog server. Which tool would you use?

Active Directory Users and Computers or Active Directory Sites and Services.

Listed on the left are various operation master roles. For each tool, identify the roles that you can transfer using that tool by dragging the role from the left to the boxes below the tool.

Active Directory Users and Computers: RID master, PDC emulator, Infrastructure master Active Directory Domains and Trusts: Domain naming master

Domain NC

Active Directory domain partition that is replicated to each domain controller within a particular domain. Each domain's Domain NC contains information about the objects that are stored within that domain: users, groups, computers, printers, Organizational Units, and more.

What is Active Directory

Active Directory identifies all resources in a network and makes them accessible to users.

intrasite replication

Active Directory replication between domain controllers in the same site.

intersite replication

Active Directory replication that occurs between two or more sites.

What defines what objects exist as well as what attributes are associated with any object in the Active Directory?

Active Directory schema

What is the simplest way for administrators to upgrade their AD DS infrastructure to Windows Server 2012?

Add a new Windows Server 2012 DC to your existing Directory Services installation.

Organizational Unit

Add them as new containers, we can add groups, compouters and resources to our OUS giving us one place to manage our domain with a nice orderly file structure

Domain Naming Master

Adds and removes domains and application partitions to and from the AD forest.

delegation

Administration of an Organizational Unit is tasked to a departmental supervisor or manager, thus allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords.

Domain

Administrative boundary for managing objects

What are attributes?

All AD objects have attributes that take unique or multiple values , these values describe the object characteristics. For example a user object in Active directory will have attributes such as his first name, second name, Manager name etc.

Domain Controllers

All DC's in Domain are containers

How do DC's behave in a site?

All DCs within the same site replicate info at regular intervals, depending on where you log in the site will request the closes DC to perform an action.

Workgroup

All hosts are peers, 20 housts maximum, no network wide password protection, all hosts must be on the same subnet

Active Directory Forests

All the domains together equals a forest. Largest boundary in the AD architechture

RID Master

Allocates active and standby RID pools to replica DCs in the same domain.

What is Trusting?

Allow users in on domain to access resources in another. Active Directory uses trusts.

Group Nesting

Allows you to make a group a member of another group

NETLOGON share

Also replicated, contains logon scripts -Net Logon services verifies logon requests, registers, authenticates and locates domain controllers

organizational unit (OU)

An Active Directory container used to organize a network's users and resources into logical administrative units.

organizational unit (OU)

An Active Directory container used to organize a network's users and resources into logical administrative units. permissions Settings that deﬁne which resources users can access and what level of access they have to resources.

naming context (NC)

An Active Directory partition.

What does Microsoft recommend when creating OU's?

An OU structure no more than 10 levels deep

1. log onto each federation server 2. modify the application pool identify by using the Internet Information Service (IIS)manager 3. modify the ADFS 2.0 windows service properties by using the Windows Services MMC Snap-in

An Organization has over 10,000 users and uses an SQL-Based ADFS Farm. You need to change the ADFS 2.0 service account password. What should you do?

ADMX

An XML-based file format used to create administrative templates, replacing the token-based administrative template (ADM) files used with earlier versions of Group Policy.

Domain User

An account that can access ADDS or network-based resources, such as shared folders and printers within a specified domain.

Local User

An account that can access only resources on the local computer and does not reside inside of the domain.

Mention what is Active Directory?

An active directory is a directory structure used on Micro-soft Windows based servers and computers to store data and information about networks and domains.

assigned application

An application package made available to users via Group Policy and places a shortcut to the application in the Start screen.

assigned application

An application package made available to users via Group Policy and places a shortcut to the application in the Start screen. The application is installed automatically if a user tries to run it or opens a document associated with it. If the assigned application applies to a computer account, the application is installed the next time Windows boots. attribute value Information stored in each attribute. See also schema attributes.

published application

An application package made available via Group Policy for users to install by using Programs and Features in Control Panel. The application is installed automatically if a user tries to run it or opens a document associated with it.

Trust relationship

An arrangement that defines whether and how security principals from one domain can access network resources in another domain

trust relationship

An arrangement that defines whether and how security principals from one domain can access network resources in another domain.

object

An element in Active Directory that refers to a resource. Objects can be container objects or leaf objects. Containers are used to organize resources for security or organizational purposes; leaf objects refer to the end-node resources, such as users, computers, and printers.

What is a cross link trust?

An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

What is an object?

An instance of an object class

Knowledge Consistency Checker (KCC)

An internal Active Directory process that automatically creates and maintains the replication topology. The KCC operates based on the information provided by an administrator in the Active Directory Sites and Services snap-in, which is located in the Administrative Tools folder on a domain controller, or an administrative workstation that has the Administrative Tools installed.

extension

An item in a GPO that allows an administrator to configure a policy setting.

extension

An item in a GPO that allows an administrator to conﬁgure a policy setting.

Objects and Schema

An object class is a component of AD schema which defines the "type" for an object or in other words it defines the set of mandatory and optional attributes an object can have.

Containers

An object designed to hold other objects within the directory. Like objects, containers have their own attributes.

Connection object

An object that can be defined as part of the Active Directory replication topology using the Active Directory Sites and Services tool. Connection objects are automatically created to manage Active directory replication, and administrators can use them to manually control the details of how and when replications occurs.

Install from media (IFM)

An option when installing a DC in an existing domain; much of the Active Directory database contents are copied to the new DC from media created from an existing DC.

Install from media (IFM)

An option when installing a domain controller in an existing domain; much of the Active Directory database contents are copied to the new DC from media created from an existing DC.

Application data partitions

Applications that rely on Active directory have the ability to use an application's data partitions to store application-specific data. Applications, services, or administrators can create application data partitions as container objects.

What is a forest trust?

Applies to the entire forest. Transitive, one- or two-way.

Of the key reasons for creating organizational units, which of the following is NOT one of them?

Assigning permissions to network resources

Of the key reasons for creating organizational units, which of the following is NOT one of them? Delegating administration Assigning Group Policy settings Duplicating organizational divisions Assigning permissions to network resources

Assigning permissions to network resources

Lingering objects

Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).

What is the proper term for associating a Group Policy to a set of AD DS objects?

Linking

1,000.

At what number of users is an additional server needed?

Objects are explained by their __________ like Name, Location, Department, etc.

Attributes

What is the process of granting the user access only to the resources he or she is permitted to use?

Authorization

What you call the process of confirming that a user has the correct permissions to access one or more network resources?

Authorization

Two Way Trust

Automatic two way trusts between domains or forests

Two Way Trusts

Automatic two way trusts between two domains in a forest, between parent and child

What is a built-in account?

Automatically created when Server 2008 is installed (i.e. Administrator or Guest).

Which built-in local user account is a member of the local Administrators group?

Local System

Name the three types of user accounts?

Local, Domain, Built-in

AD structure types

Logical Structure = Trees, Forest, Domains, & OU Physical Structures = Domain Controllers & Sites

What is a domain defined as?

Logical group of network objects that share the same AD database.

Drag the Active Directory terms on the left to their corresponding definition on the right.

Logical organization of resources - Organizational Unit Collection of network resources - Domain Collection of related domain trees - Forest Resource in the directory - Object Group of related domains - Tree

What is the logical/physical structure of Active Directory?

Logical: reflects administrative structure. Physical: A container object holds children or leaf objects.

What two graphical tools will help create either user or computer objects?

B: Active directory administrative center and active directory users and computer

What can be used to add, delete, or modify objects in Active directory, in addition to modifying the schema if necessary?

B: LDIFDE

What is the powershell cmdlet syntax for creating a new computer ibject?

B: New-ADComputer -Name <computer name> -path <distinguished name>

You are attempting to delete a global security group in the active directory users and computers console, and the console will not let you complete the task. Which of the following could possible be cases for the failure?

B: One of the group's members has the group set as its primary groups , D: you cannot delete global groups from the active directory users and computers console

What is the primary benefit of a DNS forwarder?

B: Reducing the traffic and making efficient use of available bandwidth across the network perimeter

A DHCP client first attempts to reacquire its lease at half the lease time, which is known as

B: T1

Which of the following items is a valid leaf object in Active directory?

B: User

Your DHCP servers are burdened with heavy traffic, most related to IP address renewals. Unfortunately, virtually all the IP addresses in each of your subnets are allocated. Which of the following options is the best way to lower the renewal traffic?

B: deploy additional DHCP servers on the most burdened subnets

Which of the following does an active directory client use to locate objects in another domain?

B: global catelog

Which of the following group scope modifications are not permitted?

B: global to domain local , C: universal to global

Which of the following network components are typically capable of functioning as DHCP relay agents?

B: routers ,D: win server 2012 components

What are the different kinds of groups?

B:there are two types: security and distribution, and three group scopes: domain local, global, and universal

Server Roles

Barebones servers are pretty much just glorified desktop computers. Windows Servers include a Server Manager snap in that allows admins to install specific tools to change the purpose of the server. These collections of tools and applications are bundled into Roles. For instance, if you take a bare server and want to use it as an Active Directory server, you would need to install the Active Directory Domain Services Role before you had access to the Users and Computers or Domains and Trusts snap ins

One way Trust

Between External Trusts

What allows administrators to grant users in one domain access to resources of another domain within the same domain tree?

Bidirectional trust relationship between domains

You are the network administrator for a network with a single Active Directory parent domain and two child domains. All domain controllers are running Windows Server 2012 R2. You are responsible for disaster recovery across the entire network. You decided to use Windows Server Backup. You schedule full server backups to be taken every night, along with a system state backup an hour later. On Friday morning, you are creating new users in the Accounting OU when you receive an error stating that the user cannot be created because the context could not be found. After some investigation you find that a co-worker has deleted the OU and the change has replicated to all domain controllers. You want to restore the latest version of the OU without affecting the rest of Active Directory. What should you do?

Boot a domain controller into Directory services restore mode. Perform a nonauthoritative restore. Run Ntdsutil and mark the Accounting OU as authoritative

Namespaces

Bounded area within which a name is resolved or translated into information that is encompassed by the name. An example would be a Phone book or in the computer world, A hostname that represents an IP address

Distribution Group

Building lists of users

Click on the container in Active Directory where group managed service accounts are created by default.

Managed Service Accounts.

You work for a consulting company. your best customer, a university on summer break, has a serious problem. one of the student interns carried a large cup of coffee into the computer room and promptly tripped over a section of the raised flooring. The coffee spilled and found its way into one of the domain controllers. Sparks flew and the domain controller was dead on arrival to the tech bench. The system board was no longer functional and two SCSI hard drives have failed. You replace the system board and SCSI hard drives. Fortunately, a system state backup was done two nights ago, but several changes in Active Directory have occurred since then and have been fully replicated to other domain controllers in this single domain network. You need to decide how to restore Active Directory on the failed server. You must complete the restoration as quickly as possible. What should you do?

Perform a non-authoritative restore of the entire Active Directory database

Schema Master

Performs updates to the AD schema. Generally placed on the forest root PDC.

Container

Pre-built container objects used to organize objects in Active Directory. Does NOT allow for delegation of control or the ability to link GPOs.

Which type of group policy setting doesn't lock configurations on the client computers?

Preferences

What do OU's contain?

Printers, groups, shared folders

Multi-Master Replication Process

Process to automatically replicate information between Domain Controllers, 3 hours by default

True

Promoting your system to a domain controller is the second phase of AD installation. True or false?

RSoP (Resultant Set of Policy)

Provides a report on what group policy settings are getting applied to users and computers

Primary Domain Contoller

Provides backwards support for legacy domain contrllers

You are the network administrator for southsim.com The company has one main office along with several branch offices. All the domain controllers run Windows Server 2012 R2 and all the client computers run Windows 7 or Windows 8. The domain functional level is set to Windows Server 2008 R2. The forest functional level is set to Windows Sever 2008. You need to enable the Active Directory Recycle Bin feature. What should you do?

Raise the forest functional level to Windows Server 2008 R2. Use Idp.exe to enable the Active Directory Recycle Bin

You are the administrator for WestSim Corporation. The network has a single domain, westsim.com, running a Windows 2003 functional level. Five domain controllers, all running Windows Server 2012 R2 server, are located on the network. Your network uses a distributed administrative approach. Numerous network administrators work in Active Directory adding users and maintaining user accounts. One day you check Active Directory and find a new OU that doesn't meet your organizational plan. You delete the OU and start checking to see who might have added it. You get a call from another administrator complaining that you deleted the OU she was working with. She explains the OU's purpose, and points out she had added it yesterday to prepare for a new department. She explains that although the OU was empty this morning, she had moved some user accounts into that OU at or shortly after the time you deleted the OU. You perform system state backups ever night. You need to get back the deleted objects as quickly as possible without disrupting the network. What should you do?

Re-create the OU. Move the user accounts from the LostAndFound container into the new OU.

A ____ is different from normal DCs in that you cannot use it to update information in Active Directory and it does not replicate to regular DCs.

Read-Only Domain Controller

RODC

Read-Only Domain Controller

You are the network administrator for a company with a single Active Directory domain. The domain functional level is Windows Server 2003. Each departmental administrative team has delegated control over an organization unit (OU) for their department. In the last few weeks there have been several new administrators join the team that have never managed Active Directory before. Yesterday, one of the new administrators inadvertently deleted an entire OU from within his department's OU structure. You have located a backup from two days ago to use for the restoration. What should you do?

Reboot a domain controller into directory services restore mode and restore Active Directory from the backup Run Ntdsutil and mark the deleted OU for authoritative restore

Redircmp

Redirects the default container for newly created computers to a specified, target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.

Redirusr

Redirects the default container for newly created users to a specified target OU so that newly created user objects are created in the specific target OU instead of in CN=Users.

Node

Refers specifically to the Federated Servers

DOmain Roles

Relative ID Master - Create a users security ID when an account is created, every usr must have unique security ID

Which of the following guidelines are NOT best practice for securing the Administrator account?

Renaming the Administrator account name so as not to distinguish it from non-administrative accounts

SYSVOL Folder

Replicated contains group polocies

What is the main feature of DC's with regards security and back-up?

Replication

Sites

Represent Physical Replication

Domains

Requires authentication to gain access.

What categories does the objects fall into?

Resources and security principles.

Schema Master

Responsible for performing updates to schema -archtiecture of the AD, masterDB with definitions of all objects in AD

AD Domain Services

Role to install AD, AD database. Enterprises should have two domain controllers (DC) each with its own copy of the database for redundancy purposes

You manage the network for the eastsim.com domain. You have three domain controllers, all running Windows Server 2012 R2. You have forgotten the Directory Services Restore Mode password for your domain controllers. What should you do to reset the password?

Run Ntdsutil

You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 and all the clients run Windows 8. Company policy requires all users in the domain to change their passwords every 30 days. An application named App1 uses a service account named App1Svc. Every 30 days, App1 fails. When the App1Svc account password is reset, the application works fine. You need to prevent App1 from failing in the future without compromising corporate security standards. What should you do?

Run the New-ADServiceAccount cmdlet.

You are the network administrator for northsim.com. the network consists of one Active Directory domain. All of the servers run Windows Server 2012 R2 and all of the clients run Windows 7. While attempting to run a backup on a member server, you discover that you are unable to log on to the domain. After troubleshooting the problem, you determine that the clock on the member server is 15 minutes fast. You verify that the time is correct on the PDC Emulator. You have no trouble logging on to other member servers. You need to display the member server's current Windows Time Service information to determine which server is being used as a time service provider. What should you do?

Run the W32tm.exe command

Security Identifier for each Security Principal Object

SID

What are 2 structures or forms of data that can be extracted from an HR system or an SIS system?

SQL or CSVs

What special DNS resource record enables clients to locate domain controllers and other vital AD DS services?

SRV

How do you unlock accounts

Same as resetting passwords, but this time you simply click the 'unlock' account checkbox.

You manage a Windows Server 2012 R2 server that stores user data files. You want to use Windows Server Backup to configure a backup schedule. You want to perform a complete system backup every Monday, Wednesday, and Friday. You want to be able to restore the entire system or individual files from the backup. What should you do?

Save backups to a shared folder. Create a Scheduled Task that runs wbadmin start backup.

You have just installed a new domain controller running Windows Server 2012 R2. You would like to use Windows Server Backup to back up Active Directory. You would like to perform the backup so that you can restore the domain controller if the domain controller is able to boot but when Acitve Directory is corrupt. You want the backup to run once a day. You want to take the backup medium and put it in a safe in an offsite location. What should you do?

Save the backup to a local disk. Create a scheduled task to run wbadmin start systemsstatebackup.

Roaming Profile

Saves user profile to server so it follows the between machines

FOrest Roles

Schema Master. Domain Master

Active Directory Partitions

Schema partition Configuration partition Domain partition

Name some forest partitions

Schema, Configuration, Domain, Global, Application.

ntds.dit Partitions

Schema, configuration, and domain

FSMO Roles

Scheme Master - 1 per forest Domain Naming Master - 1 per forest PDC Emulator - 1 per domain RID Master - 1 per domain Infrastructure Master - 1 per domain

What is a RID Master and its scope?

Scope: 1 per domain Allocates pools of unique identifiers to domain controllers for use when creating objects

What is a PDC Emulator and its scope?

Scope: 1 per domain Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain specific processes such as the Security Descriptor Propagator (SDP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and manages all GPOs as default server.

What is an Infrastructure Master and its scope?

Scope: 1 per domain/partition Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain. The Infrastructure Master role as described above is only for the domain partition (default naming context), netdom query fsmo and ntdsutil will only query the domain partition. However, every application partition, including Forest and Domain-level DNS domain zones has its own Infrastructure Master. The holder of this role is stored in the fSMORoleOwner attribute of the Infrastructure object in the root of the partition, it can be modified with ADSIEdit, for example one can modify the fSMORoleOwner attribute of the CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld object to CN=NTDSSettings,CN=Name_of_DC,CN=Servers,CN=DRSite,CN=Sites,CN=Configuration,DC=Yourdomain,DC=TLD.[44]

What is a Domain Naming Master and its scope?

Scope: 1 per forest Addition and removal of domains if present in root domain

What is a Schema Master and what is the scope?

Scope: 1 per forest Schema modifications.

Children

Second-level OUs

Group Types

Security - primarily used to assign permissions. Distribution lists - used to send emails to multiple recipients.

____ and user accounts enable an organization to delegate authority over objects, such as Active Directory containers, user accounts, groups, and applications.

Security Groups

What does the forest represent?

Security boundary within which users, computers, groups and other objects are accessible.

Of the default groups created when Active Directory is installed, what are the types of those groups?

Security groups

Of the default groups created when Active Directory is installed, what are the types of those groups? Distribution groups Security groups Domain groups All the above

Security groups

Which of the following is NOT a group scope? Universal groups Global groups Domain local groups Security groups

Security groups

SID

Security identifier. Unique set of numbers and letters used to identify each user and each group in Microsoft environments.

Group Policy Objects

Security is created by only allowing a computer has access to one file. Restricted from others.

Duplicating organizational divisions, assigning Group Policy settings, and delegating administration

Select the best reasons for using organizational units (OUs)?

LSDOU

Sequence used to process policies: Local Policies, Site Policies, Domain Policies, and then Organizational Unit Policies.

bridgehead server

Server at each site that acts as a gatekeeper in managing site-to-site replication. This allows intersite replication to update only one domain controller within a site. After a bridgehead server is updated, it updates the remainder of its domain controller partners with the newly replicated information.

Active Directory Domain Services (AD DS)

Server role in Active Directory that allows admins to manage and store information about resources from a network. Promotes server to domain controller.

Web Application Proxy (WAP)

Server that exists outside of your network Firewall which is why it is known as a perimeter server. It's job is to take authentication requests from users outside of the organization network and sends it to the Federation Server for approval. If approved, the FS sends back the x.509 certificate to the WAP which is then used to complete the authentication process.

Active directory domain services

Service that manages the process that allows users to sign onto a network from any computer on the netowrk and get access to the resources that the directory allows

permissions

Settings that define which resources users can access and what level of access they have to resources.

When virtualizing a DC, what feature should never be used?

Snapshots

Group Policy settings are divided into two subcategories: User Configuration and Computer Configuration. Each of those two are further organized into three subnodes. What are the three?

Software settings, Windows settings, and Administrative Templates

Flexible Single Master Operation (FSMO) roles

Specialized domain controller tasks that handle operations that can affect the entire domain or forest.

You are the network administrator for northsim.com. The network consists of a single Active Directory domain. all the servers run Windows server 2012 R2. All the clients run Windows 7 or Windows 8. While working in Active Directory Users and Computers, you discover that an organizational unit (OU) which contained several group objects is missing. You do not know how long the OU has been missing. You select a backup from the previous week. You need to determine whether this backup contains the missing OU. You attempt to mount the snapshot using NTDSUtil but are not successful. You must mount the backup as an Active directory snapshot. What should you do?

Start the Volume Shadow Copy Service (VSS)

What kind of IP address must be assigned to a domain controller?

Static

You have just installed a new domain on a new domain controller running Windows Server 2012 R2. You would like to use Windows Server BAckup to back up Active Directory. You would like to perform the backup so that you can restore the domain controller if the domain controller is able to boot but when Active Directory is corrupt. Which type of backup should you create?

System state backup

You can use a security group to grant permissions to resources and to enable email access. A distribution group, however, can only be used for email purposes; it cannot bu used to secure resources on your network. T/F

SMB Port(s)

TCP/UDP 445

Kerberos port(s)

TCP/UDP 88

Test-ComputerSecureChannel

Tests and repairs the secure channel between the local computer and its domain.

Distinguished Name

The "file path" given to objects in Active Directory for locating them without a GUI.

Distinguished Name

The "file path" given to objects in Active Directory for locating them without a GUI. Includes CNs, OUs, and DC's

Schema

The AD Schema defines the content and structure of the object classes and the object attributes used to create an object

abstraction layer

The Internet is organized into several ________ that are controlled by various protocols. From the bottom up, we have the link layer (Ethernet protocol), the Internet layer (IP), transport layer (TCP), and application layer (HTTP).

What is DNS?

The Internet's system for converting alphabetic names into numeric IP addresses. For example, when a Web address (URL) is typed into a browser, DNS servers return the IP address of the Web server associated with that name.

What is KCC?

The Knowledge Consistency Checker (KCC) automatically checks for directory consistency throughout an Exchange site every three hours, or whenever you modify the directory, to ensure that the directory database is consistent throughout the organisation.

Never have password expiration Have the "log on as a service" right on computers hosting the ADFS role Have the "log on as a batch" right on computers hosting ADFS

The Local account used to run ADFS should have the following:

SYSVOL

The SysVOL folder keeps the server's copy of the domain's public files. The contents such as users, group policy, etc. of the sysvol folders are replicated to all domain controllers in the domain.

Explain what is SYSVOL?

The SysVOL folder keeps the serverʼs copy of the domainʼs public files. The contents such as users, group policy, etc. of the sysvol folders are replicated to all domain controllers in the domain.

Active Directory (AD)

The Windows Server standard used to manage large and small network systems. It uses a hierarchical directory structure that is designed as a database containing information about objects belonging to the entire network.

Active Directory

The Windows directory service that enables administrators to create and manage users and groups, set network-wide user and computer policies, manage security, and organize network resources.

Be aware of the following when managing groups

The basic best practices for user and group security are: • Create groups based on user access needs. • Assign user accounts to the appropriate groups. • Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network. After creating a group, you may need to convert the group's scope and/ or type. • Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access. • You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope. • If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.

Single Sign on (SSO)

The big point of ADFS is to allow for single sign on. If you sign on in one place, your linked services can use the stored single sign on information (Hence, you only performed a "single" sign in. This allows admins to manage your sign on details for multiple services directly on the AD, instead of dealing with a metric ton of sign on details for these multiple services.

Backbone

The central conduit of a network that connects network segments and significant shared devices and is sometimes considered to be called the "a netowrk of networks"

Active Directory (AD)

The centralized directory database that contains user account information and security for the entire group of computers on a network.

Csvde

The command imports and exports Active Directory objects using a comma-separated values file

Configuration NC

The configuration partition contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest.

domain

The core structural unit of Active Directory; contains OUs and represents administrative, security, and policy boundaries.

Mention which is the default protocol used in directory services?

The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).

You are the administrator of DC1, which is a Windows Server 2012 R2 domain controller in your company's domain. You are experiencing problems with DC1 and decide to run the Active Directory Domain Services Configuration Wizard again on this machine. What happens?

The domain controller is demoted to a member server.

What is a trusted domain?

The domain that is trusted; whose users have access to the trusting domain.

If creating a Local Group Policy Object, then a secondary GPO, then a tertiary GPO, what policy settings are included in each GPO?

The first GPO contains both Computer Configuration and User Configuration settings, while the secondary and tertiary GPOs contain only User Configuration settings.

forest root domain

The first domain created in a new forest.

forest root domain

The first domain created within an Active Directory forest.

distinguished name (DN)

The full name of an object that includes all hierarchical containers leading up to the root domain. The distinguished name begins with the object's common name and appends each succeeding parent container object, reflecting the object's location in the Active Directory structure.

A virtual domain controller has been powered on and begins to boot. When it does, the hypervisor host detects that the value of the Vm-Generation-ID in the virtual machine's configuration and the value of the VM-Generation-ID in the virtual domain controller's computer object in Active Directory don't match. What happens next?

The hypervisor pushes the latest RID pool and USN to the virtual domain controller.

What determines the functional level of an Active Directory forest?

The lowest version of Windows Server on a domain controller

Domain Name System (DNS)

The name resolution mechanism computers use for all Internet communications and for private networks that use the Active Directory domain services included with Microsoft Windows Server 2008, Windows Server 2003, and Windows 2000 Server

GPO scope

The objects affected by a GPO linked to a site, domain, or OU.

GPO scope

The objects affected by a GPO linked to a site, domain, or OU. Group Policy Object (GPO) A list of settings that administrators use to conﬁgure user and computer operating environments remotely through Active Directory.

relative identifier (RID)

The part of a SID that's unique for each Active Directory object.

multimaster replication

The process for replicating Active Directory objects; changes to the database can occur on any domain controller and are propagated to all other domain controllers.

multimaster replication

The process for replicating Active Directory objects; changes to the database can occur on any domain controller and are propagated, or replicated, to all other domain controllers. object A grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or OU.

Authorization

The process of determining whether an identified user or process is permitted access to a resource and the user's appropriate level of access.

Authentication

The process of verifying that user is who they claim to be.

Lightweight Directory Access Protocol (LDAP)

The protocol that has become an industry standard that enables data exchange between directory services and applications. The LDAP standard defines the naming of all objects in the Active Directory database and, therefore, provides a directory that can be integrated with other directory services, such as Novell eDirectory, and Active Directory-aware applications, such as Microsoft Exchange.

Application layer

The seventh layer of the OSI model. protocols enables software programs to negotiate formatting, procedural, security, synchronization and other requirements with the network

True

The system chosen to be the RODC must be a non-member server. True or false?

Active Directory replication

The transfer of information between all domain controllers to make sure they have consistent and up-to-date information.

forest root domain

The ﬁrst domain created in a new forest.

What are the different kinds of groups?

There are two types: security and distribution; and there are three group scopes: domain local, global, and universal.

What are the different kinds of groups? There are two types: security and distribution. There are two types: security and distribution; and there are three group scopes: domain local, global, and universal. There are three group scopes: domain local, global, and universal. There are three group types: domain local, global, and universal.

There are two types: security and distribution; and there are three group scopes: domain local, global, and universal.

PDC emulator

There is one PDC emulator per domain, and when there is a failed authentication attempt, it is forwarded to the PDC emulator. It acts as a "tie-breaker" and it controls the time sync across the domain.

Users

These are created within a specific domain and can authenticate against any DC within that domain, Kerberos used by default for authentication and authorization. They can be a member of multiple groups, SID of each group to which a user belongs is added to the user's security token upon logon.

Sites

These represent the physical structure or topology of your network. It is by definition, a collection of well-connected subnets. Branch offices might be created as a site. in AD subnets are used to determine relative location of an item in the directory.

What do domains contain?

They contain child domains and OU's.

User Management Resource Administrator (UMRA)

This automates the entire account lifecycle process, from the creation of accounts, all the way to retirement. It does this by pulling information from an authoritative data source, such as an HR and Student Information System, and synchronizes that information with Active Directory or other downstream systems

Self Service Reset Password Management (SSRPM)

This enables end users to reset their own passwords after authenticating their identity via security questions (e.g. "What was the name of your first pet?"). Self-service reduces the need for users to call the helpdesk for assistance and allows IT professionals to focus on more productive tasks. At first login, users can be forced to claim their user accounts via SSRPM and begin the enrollment process. End users access SSRPM by clicking the "I have forgotten my password" link located in any login screen (Windows 7, Vista, XP, Windows 10, Outlook Web Access, Citrix, etc.) or via a web form.

User Lifecycle Provisioning

This helps any organization with the costly and time-intensive process of creation and management of user accounts. The time and money spent on managing accounts is time and money that could be used toward other business-related projects.

what is GAFE?

This is a core suite of productivity applications that Google offers to schools and educational institutions for FREE. These communication and collaboration apps include Gmail, Calendar, Drive, Docs and Sites, and a GAFE account unlocks access to dozens of other collaborative tools supported by Google. All of these applications exist completely online (or in the cloud), meaning that all creations can be accessed from any device with an Internet connection. Once a school decides to embrace Google Apps for Education, they can register their school domain (web address), and administer all teacher and student accounts from an administrative dashboard."

Relying Party Trust

This is the other end of the trust. This is a collection of objects in the other, receiving organization. In the example above, this would be Slack's collection of trusted objects.

Federated Server

This is the server that actually handles and approves all of the requests. There are typically two of these in a farm, but you can get by with just one; it just isn't recommended. These have the Federation Services role installed, and takes and approves requests from users within the network or from the Web Application Proxy.

Password Synchronization Manager (PSM)

This synchronizes an end user's password across multiple systems, eliminating multiple passwords

What is the primary reason for creating different sites on an Active Directory network?

To control the traffic passing over relatively slow and expensive WAN links between locations

TOMBSTONE lifetime

Tombstone lifetime determines how long a deleted object is retained in AD. The deleted objects in AD are stored in a special object referred to as TOMBSTONE. Usually, windows will use a 60-day tombstone lifetime if time is not set in the forest configuration.

How do you create new user account or reset password?

Tools/AD Users and Computers Choose domain, right click(usually under user) Create Temp password to hand to new user

Identity and Access Manager (IAM)

Tools4ever's enterprise-level Identity and Access Management solution. IAM's processes are driven according to individuals' "Core Identity", which is constructed using non-sensitive data - supporting all users on the same platform while leaving their personally identifiable information untouched and secure. User accounts are rapidly created, provisioned, and disabled according to Access Governance (AG) processes run on a scheduled, ad hoc, or triggered basis

Forest

Top level of the Activity Directory container

Your network currently has the following Active Directory domains: westsim.com, emea.westsim.com, uk.emea.westsim.com, and us.westsim.com. Your company is closing its offices in the United States. Previously, most of the network administration took place in that office. Now all IT administration will take place in your London offices. You have removed all domain controllers from the us.westsim.com domain except for the DC1 server. This server hosts the following roles:• RID master• PDC emulator• Domain naming master• Infrastructure masterPrior to removing Active Directory from the domain controller, you need to transfer the necessary operation master roles to servers in the westsim.com domain. The westsim.com domain has the following domain controllers: WS1, WS2, WS3, and WS4. All servers are also global catalog servers except for WS3. What should you do to prepare for Active Directory removal on DC1?

Transfer the domain naming master to WS1, WS2, or WS4

Your network currently has two domains: eastsim.com and sales.eastsim.com You need to remove the sales.eastsim.com domain. You have removed all domain controllers in the domain except for the DC1.sales.eastsim.com server. This server holds the following infrastructure master roles: * RID master * PDC emulator * Infrastructure master * Domain naming master You are getting ready to remove Active Directory from DC1. What should you do first?

Transfer the domain naming master to a domain controller in eastsim.com.

An Active Directory __________ is a set of domains sharing a common network configuration, schema, and global catalog.

Tree

true

True or False: After 1,000 users, an additional server is needed for up to ever 15,000 additional users

True

True or False: You need to install the ADFS Service Communication Certificate on each web proxy server.

False

True/False: You can use a wildcard SSL certificate for ADFS?

cross-forest trust

Trust type that allows resources to be shared between Active Directory forests.

What is created in a forest automatically when domains are created?

Trusts

Federation Trusts

Trusts are basically just agreements between two different end points to allow secure online transactions between them. When an application or service is in one network and a user account is in another network, typically the user is prompted for secondary credentials when he or she attempts to access the application or service. Trusts basically bypass this and prevent you from needing secondary creds.

How many servers are required for IAM?

Two Servers • Application Server • Database Server (Can be shared with appropriate resources) Recommended to be VM's

What is a two-way trust?

Two domains allow access to users on both domains.

Groups

Two kinds of these, security and distribution

Workgroup example

Two seperate computers have the same login information for joe. Admin would have to change it in each seperate location where Joe has an account.

One Way Trust

Unidirectional authentication path created between two domains or forests

What are the three group scopes?

Universal (grants resources to users and groups from any domain in the forest), Global (in a domain) and Domain Local (on a single domain in the forest).

Which of these groups' membership is stored in the global catalog?

Universal groups

Which of these groups' membership is stored in the global catalog? Universal groups Global groups Domain local groups Distribution groups

Universal groups

Infrastructure Master

Updates cross domain references and phantoms/tombstones from the Global Catalog.

You need to deploy a new Windows Server 2012 R2 domain controller DC2. DC1 is a Windows Server 2008 domain controller. What must you do first to use the install from media option for DC2?

Upgrade DC1 to Windows Server 2012 R2.

rolling upgrades

Upgrade strategy based on functional levels that allows enterprises to migrate their Active Directory domain controllers gradually, based on the need and desire for the new functionality.

You manage the network for the eastsim.com domain. The domain functional level is at Windows 2000 Native. You want to enable linked-value replication. You want to take the minimum action that is possible. What should you do?

Upgrade the forest functional level to Windows Server 2003

Hierarchical Namespaces

Use several levels, Such as in an internet name, www.sales.company.com .com represents the top level. company represents the second level domain sales is a subdomain www is the web server name

Each user must belong to a group, how is it achieved?

Use the 'Member of' tab, click 'Add' Enter object name and 'check the name' Click 'Apply' then 'Ok'

You are the network administrator for westsim.com. The network will consist of one Active Directory domain that contains 100 users. You install Windows Server 2012 on a server named DC1. You then install Active Directory Domain Services (AD DS) and promote DC1 to a domain controller. After creating the new domain, you create a replica domain controller named DC2. Several months after installation, DC1 fails. Parts to restore the sedrdver will not be available for several weeks. You need to transfer the Flexible Single Master Operations (FSMO) roles to DC2. What should you do?

Use the NTDSUtil in an elevated command prompt on DC2 to seize the roles

You are the network administrator for westsim.com The network consists of a single Active Directory domain. All the servers fun Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. The forest functional level is set to Windows Sever 2008 R2. The active Directory recycle bin has been enabled. While working in Active Directory Users and Computers, you accidentally delete a group. You need to restore the group using the least amount of administrative effort. What should you do?

Use the Restore-ADObject PowerShell command to restore the group

Why are sites used?

Used for organisations that have branches in different geographic locations but fall under the same domain.

Group Policy

Used to configure settings for users and computers. Configure one or more setting in one of these and apply to one or more users or computers by linking group policy to an organizational unit (OU). Two policies are in place by default when the first DC is created: Default Domain Policy and Default Domain Controllers Policy

Relative ID Master

Used to create a user's security ID when an account is created

Organizational Units

Used to organize objects in AD (mainly users and computers), it is a kind of container. Use them to link GPO's and Delegation of controls.

Secure Sockets Layer (SSL) certificate

Used to secure communications between federation servers, clients, Web Application Proxy, and Federation Server Proxy computers. This certificate is always assigned to your Federated Service name, so will it will appear as and be issued to either fs.domain.com, or the recommended sts.domain.com.

UPN

User Principal Name (user name in email format)

built-in user accounts

User accounts created by Windows automatically during installation.

Objects represents a single entitiy, what are those entities?

User, a computer, a printer, or a group and its attributes.

Give an example of an object?

User, computer, printer, group, shared folder.

Gives Permissions to

Users to access files and folders, option to access VPN

LDAP

Uses Port 389 and 3268

There are two types: security and distribution, and three group scopes: domain local, global, and universal.

What are the different kinds of groups?

1. Certificate's Subject Name and Subject Alternative Name must include the federation service name. 2. Certificate's Subject Alternative Name must contain the value enterpriseregistration and the UPN suffix of the organization 3. Certificate cannot be a wildcard certificate. 4. It's neccessary to have both the certificate and the private key when running the ADFS Configuration wizard. 5. Must be issued by a trusted 3rd party certification authority (CA)

What are the requirements for the Service Communications Certificate

Dsmod.exe

What command-line utility allows administrators to modify groups' type and scope as well as add or remove members?

Install ADDS (Active Directory Domain Services) ○ Promote to Domain Controller Add UPN suffix w/ AD "Domains and Trusts" (This is simply adding your 365 verified domain into AD) Use DNS manager to add "fs.domain.com" DNS records ○ Use the public IP of FS1 ○"enterpriseregistration.domain.com" CNAME fs.domain.com

What do you need to setup the Domain Controller for ADFS?

You must update Azure AD Connect within the Tasks section.

What happens if the SSL certificate expires?

read-only domain controller

What is RODC

Global groups use less data in the global catalog. So, in considering replication traffic, universal groups should be within a site.

What is the primary difference between universal groups and global groups in Windows Server 2012?

Port 443 inbound and outbound

What port needs to be open for ADFS?

Federated Servers

What takes care of authentication when ADFS is configured?

Add Roles and Features

What tool do we use to add Active Directory Domain Services?

Staged

What type of RODC deployment permits a common (non-admin) user account to install AD and promote the system?

link-value replication

When a change is made to the member list of a group object, only the portion of the member list that has been added, modified, or deleted will be replicated.

inbound replication

When a domain controller transmits replication information to other domain controllers on the network

outbound replication

When a domain controller transmits replication information to other domain controllers on the network

Transitive Trust

When a new domain is created, it shares resources with its parent domain by default, enabling an authenticated user to access resources in both the child and parent domain.

What is Native Mode?

When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.

When would administrators choose to use a User Template?

When an administrator wants to save time while creating single users with many attributes

What is the role of DNS in Active Directory?

When installed on a Windows Server, DNS uses a database or a file that contains list of domain names and corresponding IP addresses.

The public IP address of the webproxy

When setting up an A records for your ADFS system what does the record correspond to?

FOreign Security Principles

When we give access to our resources from outside of our forest, an object is created allowing that outside user access into our domain

Global Catalog (Read only category)

Which of the following Active Directory components stores a full copy of all objects in the directory to facilitate searching?

Domain Controllers OU

Which of the following can be right-clicked to begin the RDOC staging process?

Global to domain local; Universal to global

Which of the following group scope modifications are not permitted? (Choose all answers that are correct.)

Universal

Which of the following groups do you use to consolidate groups and accounts that either span multiple domains or the entire forest?

Branch Office

Which of the following is a common use for Read-Only Domain Controllers?

Which of the following is a container object within Active Directory?

To create a permanent container that cannot be moved or renamed

Which of the following is not a correct reason for creating an OU?

Remove an existing forest (DNS Global Catalog RODC)

Which of the following is not a specified option when promoting a domain controller in Windows Server 2016?

Metadata

Which of the following may need a manual clean after AD is uninstalled?

Member server (A none-member server does not provide servers as files and print server)

Which server provides services like files, print server and so on?

OAuth

Which single sign-on (SSO) technology depends on tokens? a. OAuth b. CardSpace c. OpenID d. All SSO technologies use tokens.

What is Active Directory Used in?

Windows 2000, Windows Server 2003, Windows Server 2008

Enterprise Single Sign-On Manager (E-SSOM)

With this complete Enterprise SSO solution, you have a powerful multi-platform Single Sign-on solution that offers two-factor authentication. Follow Me and Fast User Switching.

Cloud Single Sign-On (HelloID)

With this, it's as easy for IT and system administrators to grant and revoke permissions to cloud services as it is for end users to access them. By only having a single set of credentials to manage, user administration is a breeze.

Objects

Within Active Directory, each resource is identified as

AD Components

Workgroup, domain, AD Domain Services, site, replication, objects, schema, group policy, organizational units, default domain policy, forest, global catalog, trust, tree

A common reason that one can't join a computer to the domain.

Wrong DNS server address

Name some Active Directory Standards

X500 and LDAP

Can a domain user, who does not possess explicit object creation permissions, create computer objects?

Yes, authenticated users can create workstation, but not server objects

Can an administrator launch the Group Policy Management console from a workstation?

Yes, if the workstation is running the Remote Server Administration Tools package

One of the group's members has the group set as its primary group.; You do not have the proper permissions for the container in which the group is located.

Delegation of control

Configure OU-Based filtering by using AADC

You are the Office 365 Admin for your company. The company syncs the local AD objects with a central identity management system. The environment has the following characteristics. Each Department has its own Organization Unity (OU) The Company has OU hierarchies for partner user accounts. All Users accounts are maintained by the central identity management system. You need to ensure that the partner accounts are NOT synchronized with O365. What should you do?

You are attempting to delete a global security group in the Active Directory Users and Computers console, and the console will not let you complete the task. Which of the following could possibly be causes for the failure? (Choose all answers that are correct.) One of the group's members has the group set as its primary group. You cannot delete global groups from the Active Directory Users and Computers console. There are still members in the group. One of the group's members has the group set as its primary group.

You do not have the proper permissions for the container in which the group is located. One of the group's members has the group set as its primary group.

Domain Controller (Part 2)

You may create groups within the user account folder to for specific people with special permissions (Example:group in Domain Controller for Accounting People)

You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 and Windows 8. There is one main office and seven branch offices. There are two writable domain controllers in the main office. There is one read-only domain controller (RODC) in each branch office. The domain functional level is set to Windows Server 2003. While visiting one of the branch offices, you accidentally delete a folder from the SYSVOl share on the local RODC. You need to restore the contents of the SYSVOL on the RODC. Waht should you do?

You should set the Burflags registry setting on one of the writable domain controllers to D2.

Domain Tree

a DNS namespace: it has a single root domain and is built as a strict hierarchy

Domain user account

a account created and centrally managed through Active Directory.

MAC

a brand name (Macintosh) which covers several lines of personal computers designed, developed, and marketed by Apple Inc.

Active Directory

a centralized database that contains user account and security information

Replication

a change that you make on domain controller A is also applied to the domain controller where you didn't make the change. Same site: 15 seconds. Across Sites: 15 - 180 minutes

expansion card

a circuit board which can be inserted into an expansion slot on the PC's motherboard, to give the PC extra capabilities. Common examples are sound cards, graphics cards and network cards

packet

a collection of data used by the TCP/IP protocol to transmit data across the Internet. Each packet contains routing data as well as the content of the message.

Forest

a collection of related domain trees. it establishes the relationship between trees that have different DNS name spaces.

sound card

a computer peripheral device for audio input and output. Sound cards contain the software necessary for audio processing and at least 2 jacks, one for a speaker output and the other for microphone input.

host

a computer that's connected directly to the Internet -- often a computer that provides certain services or resources.

organizational unit

a container used to organize objects in the active directory

monitor

a device resembling a television that displays computer images.

modem

a device that converts digital data into analog signals and vice-versa for transmission over a telephone line.

scanner

a device that reads a printed page and converts it into a graphics image for the computer.

router

a device that transmits data between two different networks.

Object

a distinct, named set of attributes or characteristics that represent a network resource

Read-Only Domain Controller (RODC)

a domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers within Active Directory.

UGMC (Universal Group Membership Caching )

a feature that caches the group membership of universal groups

domain tree

a group of domains based on the same namespace

Tree

a group of related domains that share the same contiguous DNS namespace

mouse

a hand-held electronic pointing device that controls the coordinates of a cursor on your computer screen as you move it around on a surface.

ZIP drive

a high-density removable-media drive similar to the old floppy 3.5" disk. Each ZIP diskette holds either 100 or 250 megabytes.

built-in user account

a local user account that is created automatically during installation

ping

a networking utility used by network administrators to test the reachability of a host on the Internet.

traceroute

a networking utility used to trace the route and measure delays of packets moving through the Internet.

printer

a peripheral device which produces a hard copy of documents stored in electronic form, usually on physical print media such as paper

Site

a physical location in which domain controllers communicate and replicate informaiotn regularly

Member server

a server that is not running as a domain controller

Domain Controller

a server that stores a replica of the account and security information for the domain and defines the domain boundaries

byte

a single letter, number or symbol. There are 8 bits in a byte.

Active Directory

a technology created by Microsoft that provides a variety of network services

IP address

a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.

mainframe

a very large, expensive and powerful computer capable of supporting thousands of users at the same time.

Which of the following can you do when deploying AD DS across a Windows Azure deployment? (Choose all that apply.)

a. Deploy the forest root domain controller for a new forest. b. Deploy a replica domain controller for a forest hosted on your local network. c. Deploy a DNS server that provides service to an AD DS domain hosted in Windows Azure.

Which of the following are best practices that you should follow when planning an AD DS domain structure? (Choose all that apply.)

a. Employ a test lab. b. Prepare thorough documentation. c. Keep everyone, including top managers, informed. d. Understand thoroughly the network's TCP/IP infrastructure. e. Develop and adhere to an adequate security policy. f. Know the capabilities of your WAN links.

Which of the following tools can you use to install AD DS on a server running Windows Server 2012 R2? (Choose all that apply.)

a. The dcpromo.exe command using an answer file d. Server Manager e. Windows PowerShell

Which of the following are features of a global catalog server? (Choose all that apply.)

a. Validation of universal group memberships at logon c. Validation of UPNs across the forest.

Which of the following are not valid domain or forest functional levels for a domain controller running Windows Server 2012 R2? (Choose all that apply.)

a. Windows 2000 mixed b. Windows 2000 native c. Windows Server 2003

In Windows Server 2012 R2, after a user logs on to Active Directory, a(an) ________ is created that identifies the user and all the user's group memberships. access token access control entry authentication token universal group

access token

In Windows Server 2012, after a user logs on to Active Directory, a(an) ________ is created that identifies the user and all the user's group memberships.

access token

DVD drive

acronym for "Digital Video Disc" It's a CD format that can store up to 17 gigabytes of data (enough for a full-length movie)

CD-ROM drive

acronym for Compact Disc with Read-Only Memory; A disk for storing computer information. It looks like an audio CD.

acronym for Personal Computer. Normally refers to computers running Windows with a Pentium processor.

PDA

acronym for Personal Digital/Data Assistant. Generic term for handheld devices such as Palm Pilots that are commonly used to store address and calendar information.

ROM BIOS

acronym for Read Only Memory-Basic Input/Output System.

USB port

acronym for Universal Serial Bus. This is a serial bus standard to interface peripheral devices, intended to help retire all legacy varieties of serial and parallel ports, using a single standardized interface socket.

ROM

acronym for read only memory. Performs computers most primary functions. This memory is permanent and remains even when you turn off the computer.

RAM

acroymn for random access memory. Computer's main memory used to process information. Disappears when you turn off the computer.

kerberos

active directory uses ______ to authenticate

domain naming master

adds new domains to and removes existing domains from the forest

multimaster database

administrators can update the ntds.dit from any domain controller.

Workgroup

all hosts are peers; users must have account on each host they login to

RID (Relative ID) Master

allocates pools or blocks of numbers (aka RIDs)are used by the domain controller when creating new security principles (such as user, group, or computer accounts). The RID is assigned to a new security principal when it is created, and is combined with the domain ID to create a security identifier (SID).

directory service

allows businesses to define, manage, access, and secure network resources, including files, printers, people, and applications.

Publishing

allows users to access network resources by searching the Active Directory database for the desired resource.

Local user account

an account that is created and stored on a local system and is not distributed to any other system.

RODC (read-only domain controller)

an additional domain controller for a domain that hosts read-only partitions of the Active Directory database.

Active Directory

an infrastructure (directory) that stores information and objects and used to authenticate/authorize the Users, Computers, Resources which are part of a network

Active Directory

an infrastructure (directory) that stores information and objects.

keyboard

an input device consisting of various keys that allows the user to input data, control cursor and pointer locations.

peripheral

any piece of hardware attached to a computer, such as a printer or scanner.

Object

any specific item that can be cataloged in Active Directory Such as Users computers printers folders files

SVR Records

are locator records that allow a client to locate a domain controller or global catalog. without svr records, the client would not be able to authenticate against active directory.

Distribution Groups

are organizational only and not for access control (authorization), used in messaging, typically. westlafayettefaculty vs northwest faculty etc...

Generic Containers

are used to organize Active Directory objects

expansion slot

area in a computer's motherboard that accepts additional input/output boards to increase the capability of the computer.

kilobyte (KB)

as much information as a one-page, double-spaced letter. There are 1,024 bytes in a kilobyte.

megabyte (MB)

as much information as in a bestselling novel. There are 1,048,576 bytes in a megabyte.

terabyte (TB)

as much information as in a bookstore. There are 1,099,511,627,776 bytes in a terabyte.

gigabyte (GB)

as much information as in an encyclopedia set. There are 1,073,741,824 bytes in a gigabyte.

Global Catalog Server

at least one DC must be configured as this in a multi-domain forest. Should ideally be located on a server other than the PDC Emulator. For single domain, all DC's should be this as it will maintain full functionality of domain if one DC should fail. Lists all objects in the directory.

What you call the process of confirming a user's identity by using a known value such as a password, a smart card, or a fingerprint?

authentication

Trusts

bond Domains together (Trusts can be one way Example google and motrolla, google does not know the other side) Motorolla cannot access google)

Containers

built-in objects that can store or hold other objects

Your computer is running the Server Core edition of Windows Server 2012 R2. You want to promote this server to domain controller. What should you do? (Each correct answer presents a complete solution. Choose two answers.)

c. Use the Install-ADDSDomainController cmdlet in Windows PowerShell. e. Use dcpromo.exe together with an answer file that provides the required parameters.

universal group

can be used by all computers in forest and contain members from any domain within the forest

global group

can be used by computers within the domain and other domains in the forest

fault tolerant

capable of responding gracefully to a software or hardware failure.

CPU

central processing unit: the brain of the computer that processes instructions and manages the flow of information through a computer system.

What would be the distinguished name (DN) for a user named Ella Parker, whose user account resides in the Marketing OU of the adatum.com domain?

cn=Ella Parker,ou=Marketing,dc=adatum,dc=com

domain

collection of objects with a shared database

Tree

collection of one or more domains in a contiguous namespace that are linked in a trust hierarchy

User Principal Name (UPN)

combines the user account name with the DNS domain name (For example, account awaters in the westsim.com domain would have [email protected])

Ldifde

command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files

repadmin

command that helps administrators diagnose AD replication problems between domain controllers running Windows operating systems

Group Policy Objects

contain Group Policy settings and are linked to OUs where users and computers are stored

Organizational Units

containers which you can place users, groups, computers, and other organizational units

schema

contains a definition of each object class and the attributes of the object class that can exist in an Active Directory forest

data table

contains all the information in the Active Directory data store: users, groups, application specific data, and any other data that is stored in Active Directory after its installation.

application directory partition

contains application-specific data created by applications and services

SD (security descriptor) table

contains data that represents inherited security descriptors for each object.

link table

contains data that represents linked attributes, which contain values that refer to other objects in Active Directory.

domain

contains the OUs

Users container

contains the domain's predefined users and groups

organizational unit

contains user and computer accounts

A ____ is one in which every child object contains the name of the parent object.

contiguous namespace

Group Policy Management Editor

controls the computer and user configurations where GPOs are controlled

class

defines set of mandatory and optional attributes an object can have

Active Directory is a ____ that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information.

directory service

1. A ____ usually is a higher-level representation of how a business, government, or school is organized, for example reflecting a geographical location or major division of that organization.

domain

Click on all of the organizational units in the domain represented in the image below

domain controllers sales

You are the network administrator for westsim.com. The network consists of a single active directory domain. all the servers run Windows Server 2012 R2 and all the clients run Windows 7 or Windows 8. The network had a child domain named east.westsim.com. The domain was decommissioned but several snapshots were taken prior to the decommissioning. Management requests that you identify the members of a group that existed in the east.westsim.com. You mounted the last snapshot to examine the group on a domain controller named DC1, but you now need to see the data in the snapshot. What command should you run?

dsamain

You have activated an Active Directory database snapshot on your Windows Server 2012 R2 system and have mounted it. You now need to view the contents of the snapshot. To do this, you decided to access the mounted snapshot in Active Directory Users and Computers using the Lightweight Directory Access Protocol (LDAP). Which comman should you use to do this?

dsamain

Infrastructure Master

ensures all objects are updated

domain controllers

enterprises should have 2 _____ _______ each with a copy of its own database

Administrator role separation

feature that allows RODCs to provide a secure mechanism for granting non-administrative domain users the right to log on to a domain controller. This allows the domain user to perform local administrative tasks such as installing drivers or security updates.

An Active Directory _____ consists of one or more separate domain trees.

forest

sub domains connecting together becomes

forest

first domain controller

forest root domain

Members of a universal group can come ______. from different organizational units from different domains from trusted forests only from within the domain

from trusted forests

The forest ____ refers to the Active Directory functions supported forest-wide.

functional level

Commands to list FSMO assignments (PS)

get-adforest, get-addomain

The ____ stores information about every object within a forest.

global catalog

A ____ is intended to contain user accounts from a single domain and can also be set up as a member of a domain local group in the same or another domain.

global security group

The Delegation of Control Wizard is capable of ________ permissions.

granting

The Delegation of Control Wizard is capable of ________ permissions. granting modifying removing all the above

granting

Trees

group of domains that share a contiguous namespace ■ parent domain plus one or more sets of child domains ■ child domains name will reflect parent

Security Groups

have SIDs added to user tokens and can be used in ACL's

Microsoft combined X.500 and LDAP for Active Directory's structure

hierarchical organization of entries each entry has a set of attributes each entry has a unique distinguished name

Firewire

high-speed external connection used for connecting peripherals, also referred to as "IEEE 1394".

cache memory

high-speed memory located between the CPU and the main memory. Cache memory is designed to supply the processor with the most frequently requested data. Storing data here speeds up the operation of the computer

schema

holds classes for objects you create

Schema

holds the classes for the objects you create. AD needs to know what the user joe will look like, default schema with common definitions. What properties a class will have

Builtin container

holds the default service administrator accounts

user account

identifies a single user

global catalog server

in a multi domain forest at least one domain controller should be the

global catalog servers

in a single domain forest all the domain controllers should be

Active Directory structures are an arrangements of what?

information about objects.

information technology: the branch of engineering that deals with the use of computers and telecommunications to retrieve and store and transmit information.

What do you call the process that after you link a GPO to a site with multiple domains, the Group Policy settings are applied to all the domains and the child objects beneath them?

inheritance

domain local group

intended to be used only within the domain it was created in

Global Catalog

is a database that contains a partial replica of every object from every domain within a forest.

computer account

is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device.

container object

is one that can have other objects housed within it; these can be additional container objects as well as leaf objects.

leaf object

is one that can have other objects housed within it; these can be additional container objects as well as leaf objects.

Deprovisioning

is the process of removing access rights from a user account when the user leaves the organization.

Active Directory

it is a centralized authentication service for Microsoft networks provides the main repository for information about users, computers, services and other microsoft services.

Organizational Unit (OU)

it is a container that represents a logical grouping of resources that have similar security or administrative guidelines. organizational units can contain: users, groups, contracts, printers , shared folders, computers,

Domain Controller

it is a server that stores the active directory database data and authenticates users with the network during logon

What kind of GPO stores its settings on the local computer in the %systemroot%/System32/GroupPolicy folder?

local GPO

What are the two types of user accounts in Windows Server 2012?

local and domain

schema master

maintains the Active Directory schema for the forest

In a ____, the user does not have permission to update the folder containing his profile.

mandatory user profile

If information on one DC changes, such as the creation of an account, it is replicated to all other DCs in a process called ____.

multimaster replication

What capability allows you to create specific GPO settings for one or more local users configured on a workstation?

multiple local GPOs

DNS is a TCP/IP-based name service that converts computer and domain host names to dotted decimal addresses and vice versa, through a process called ____.

name resolution

An object is uniquely identified by its ______ and has a set of ________.

name, attributes

namespace

namespace ○ a bounded area within which a name is resolved or translated into information that is encompassed by the name ○ phonebook: bound in a geographic location, resolves names to phone numbers and addresses ○ Microsoft made this concept dynamic, the namespace is updated and changed regularly ○ structure ■ flat: one level - NetBIOS ■ hierarchical: several levels of name definition - DNS namespace support.weber.edu ○ types ■ contiguous: name of child objects contains the names of the parent object ■ disjointed: name of child object does not contain the name of the parent object

Command to list FSMO assignments (cmd.exe)

netdom query fsmo

Which file can you view to identify SRV records associated with a domain controller?

netlogon.dns

Differentiation between Consulting and Support... • In most cases, consulting services are defined as:

o Creating New projects o Adding functionality to existing projects o Modifying projects due to source data or network changes.

Differentiation between Consulting and Support... • In most cases, support is defined as:

o General question about product functionality o Error resolution o Basic assistance with user created projects.

Every resource in a domain is called a(n) ____.

object

instance of a class

object is an_________ of a_________

Sites

one or more IP subnets that are connected by a high-speed link, typically defined by a geographical location

Lightweight Directory Access Protocol

open, vendor-neutral application layer, current version is 3 accessing and maintaining distributed directory information services over an IP network operations include: add, delete, modify TCP/UDP 389

Within a domain, the primary hierarchical building block is the _________. forest group organizational unit user

organizational unit

site

physical structure of the network / collection of subnets

replication

process of keeping each domain controller in synch with changes that have been made elsewhere on the network

Active Directory Lightweight Domain Services (AD LDS)

provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged Active Directory DS directory service.

Active Directory Domain Services (AD DS)

provides the full-fledged directory service that was referred to as Active Directory in Windows Server 2003 and Windows 2000.

Primary DOmain COntroler (PDC Emulator)

provites backwards compatability for NT4, :User authentication

A ____ is typically used to enable one- or two-way access between a Windows Server domain within a forest and a realm of UNIX/Linux computers.

realm trust

binary system

refers to the 'language' computers speak. Binary code (or machine language) consists only of zeroes and ones (ie a choice is either on or off), called bits. Letters and other information have a specific binary representation, made up of up to 8 bits (one byte).

RID

relative identifier

A domain controller in your domain has experienced a catastrophic failure. Because the server failed before it could be cleanly removed from your domain, Active Directory still thinks the failed domain controller is present. All of the other domain controllers will continue to try to replicate with it, potentially resulting in database inconsistency. You need to removed the failed server by cleaning the metadata. Which ntdsutil command should you use to do this?

remove selected server

global catalog

replicates the information of every object in a tree and forest

site

represents a group of well-connected networks

subnet

represents a physical network

Schema Master

responsible for performing updates to the schema of the AD structure

Flexible Single Master Operation (FSMO)

roles Specialized domain controller tasks that handle operations that can affect the entire domain or forest. Only one domain controller can be assigned a particular FSMO. forest A collection of one or more Active Directory trees. A forest can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.

Each kind of object in Active Directory is defined through the ____, which is like a small database of information associated with that object, including the object class and its attributes.

schema

forest

single instance of active directory - contains domains

A ____ is a TCP/IP-based concept (container) within Active Directory that is linked to IP subnets.

site

FSMO (Flexible Single-Master Operation)

specialized domain controller tasks assigned to a domain controller in the domain or forest

Token Signing Certificate

standard x.509 certificate that is used to securely sign all tokens that the federation server issues and that the cloud service e.g. Office 365, will accept and validate. This is critical to the Federation Service. If there is something wrong with this, the validation will fail. It is unlikely that you will get questions about how to fix a failure, but know that it exists and know to identify it as an x.509.

Domain partition

stores the user, computer, group, and object data for a domain, as well as the domain's schema and configuration data.

directory service

stores, organizes, and provides access to information in a directory

Click on the item in the imagine below that defines a security and replication boundary

testoutdemo.com

Ethernet

the Ethernet is the international standard networking technology for wired implementations such as local area networks.

domain

the basic administrative unit of an Active Directory structure.

Domain Controllers OU

the default location for domain controllers computer accounts.

Computers container

the default location for new computer accounts created in the domain

tree root domain

the highest level domain in a tree.

motherboard

the main circuit board inside a computer, containing the central processing unit, the bus, memory sockets, expansion slots, and more

packet switching

the method by which information is transmitted through the Internet. Information is broken into packets and each packet is routed independently from source to destination.

User Name (logon name )

the name of the user account. (For example, Andy Waters may have the following logon name, awaters. )

hardware

the physical components of a computer; central processing unit, monitor, keyboard, mouse, etc.

hard drive

the primary memory of a computer. Hard drives store all the computer's information and retains the information when the computer is turned off.

Replication

the process of domain controllers sharing information.

Demotion

the process of making a dc a member server

Promotion

the process of making a member server a dc

software

the programs that enable a computer to perform a specific task.

Domain container

the root container to the hierarchy

bit

the smallest unit of computer memory

Distinguished names

the way the Active Directory refers to objects

Clients

they request services from servers.

video card

this is the component of your computer that puts a picture onto your screen. They can also 'accelerate' motion video and 3D games.

forest root domain

top-level domain in the top tree. It is the first domain created in the Active Directory.

A(n) ____ means that if A and B have a trust and B and C have a trust, A and C automatically have a trust as well.

transitive trust

A ____ contains one or more domains that are in a common relationship.

tree

To perform an offline domain join, how many times would an administrator run the Djoin.exe command?

twice

network

two or more computers that are connected together to share resources such as hardware, data, and software.

Organizational Unit

unit is like a folder that subdivides and organizes network resources within a domain

Directory Service

used to retrieve information for authentication

Domain Account

user logs into the domain-centralized management of users

Local Account

user logs into the local computer only

Roaming Profiles

user profiles that can be saved on the server

Object Classes (domain classes)

users, groups , computers domain controllers, and printers. object classes have common sets of attributes. these are the following: unique name globally unique identifier (guid) required objects attributes open object attributes

tape backup

using magnetic tape for storing duplicate copies of hard disk files.

Ldp

utility allows you to search for and view the properties of multiple Active Directory objects.

You manage a Windows Server 2012 R2 system and need to perform an immediate system state backup. The backup should be save on the E:\ volume. Which command should you use to do this?

wbadmin start systemstatebackup -backupTarget:E:

organizational unit (OU)

what folder stores users, computers and other info

PDC emulator troubleshooting

• Time is not syncing • User's accounts are not locked out • Windows NT BDCs are not getting updates • If pre-windows 2000 computers are unable to change their passwords

Adding object to the Member Of tab for a group makes the group a member of another group (if does not add members to the group).

• When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted. They are simply no longer associated with the group. If you delete the group, use one of the following strategies to recover it: • Re-create the group, add all the original group members, and reassign any permissions granted to the group. • Restore the group from a recent backup.

objects

○ any item that can be cataloged in Active Directory ○ users, computer, printer, folders, files ○ objects have attributes ○ Active Directory schema defines what those attributes can be ○ objects can be logically grouped with similar objects into classes

distinguished names

○ defines the complete path from the top of the tree to the object ○ unambiguous representation of the name of any resource ○ naming format, layout representation

Schemas

○ set of rules that define the classes of objects and their attributes ○ user class can contain user account objects ○ user class possess attributes such as password, group membership, home folder ○ attributes can be indexed so they are searchable ○ the default schema can be modified but it is a dangerous and difficult task

Domains

○ the core unit of the network structure ○ logical grouping of computers that share a common directory database and security ○ domains can be organized into larger units called trees and forests ○ we can define the trust relationships between these units ○ why have multiple domains? ■ security boundaries ■ group policy for each ■ geographic boundaries ■ business boundaries ■ compliance or regulation (Chinese Firewall)

Which of the following would be the correct FQDN for a resource record in a reverse lookup zone if the computer's ip address is 10.75.143.88?

A: 88.143.75.10.in-addr.arpa

A DNS server that hosts a primary or secondary zone containing a particular record can issue the following response to a query for that record:

A: Authoritative answer

Regarding Group Policy in Windows Server 2008 and Windows Vista, Microsoft used the token-based administrative template (ADM) files. What did Microsoft replace ADM files with in Windows Server 2012?

ADMX files (XML-based file format)

What graphical tool can create user and computer accounts and was redesigned for Windows Server 2012?

Active Directory Administrative Center

What user creation tool was redesigned in Windows Server 2012 to incorporate new features such as the Active Directory Recycle Bin and fine-grained password policies?

Active Directory Administrative Center (ADAC)

What two common tools help create both User and Computer objects?

Active Directory Administrative Center and Active Directory Users and Computer

What is the global catalog?

An index of all AD DS objects in a forest

What client applications utilize Domain Name system to resolve host names into IP addresses?

B: All Internet application working with host names must use DNS to resolve host names into IP addresses

Which of the following are types of zone transfers supported by the DNS server in win server 2012?

B: full zone transfers ,C: incremental zone transfers

Which of the following is not one of the elements of the domain name system DNS?

B: relay agents

How does CSVDE.exe differ from LDIFDE.exe?

Both utilities can import users, but only LDIFDE can modify or delete objects later

What is the primary means by which people access resources on an AD DS network?

By having a user account

What is the maximum length for a fully qualified domain name, including the trailing period?

C: 255 characters

This DNS configuration item will forward DNS queries to different servers based on the domain name of the query.

C: conditional forwarder

In the fully qualified domain name www.sales.contoso.com, which of the following is the second-level domain?

C: contoso

The command-line utility can create new user accounts by importing information from a comma-separated value file?

CSVDE.exe

What are the two basic classes of Active Directory objects?

Container and leaf objects

What would be a sufficient user account to provide temporary access to the network for a user such as a vendor representative or a temporary employee?

Guest

What is a key difference between a domain tree hierarchy and the organizational unit (OU) hierarchy within a domain?

Inheritance

What nonlocal GPO has its properties stored in the Active Directory object Group Policy container (GPC), as well as a Group Policy template located in the SYSVOL share?

domain GPO

Within a domain, the primary hierarchical building block is the _________.

organizational unit

What is the technique called that you can modify the default permission assignments so that only certain users and computers receive the permissions and, consequently, the settings in the GPO?

security filtering

The three types of Group Policy Objects (GPOs) include local, domain and _____.

starter

What kind of GPO serves as a template for the creation of domain GPOs based on a standard collection of settings?

starter GPO

When multiple GPOs are linked to a container, which GPO in the list has the highest priority?

the first

Resource access for individuals takes place through their ______.

user accounts

What is the SAM account name and the User Principal Name for the account [email protected]?

SAM account name is ella, and the User Principal Name is [email protected]

If an administrator creates a domain tree in an Active Directory forest, and then creates a separate and different domain tree, what is the relationship between the two domain trees?

Same security entity as one Active Directory forest, bidirectional trust between domain trees

When is an Active Directory site topology created?

Site topology is manually configured dependent on WAN bandwidth and transmission speed.

What administrative division in Active Directory is defined as a collection of subnets that have good connectivity between them to facilitate the replication process?

Sites

Configuring a Central Store of ADMX files help solve the problem of ________.

"SYSVOL bloat"

An administrator needs to grant an e-mail distribution group of 100 members access to a database, how would the administrator proceed? The e-mail group is obsolete and can be dissolved.

Convert the distribution group to a security group and then assign the group access permissions.

Installing Windows Server 2012 Active Directory Domain Services installs two default policies: Default Domain Policy and Default Domain Controller Policy. The administrator needs different policy settings. How best to proceed?

Create new Group Policy Objects to augment or override the existing default settings.

Which of these groups would an administrator use to assign permissions to resources in the same domain?

Domain local groups

What command-line utility requires you know the SAM account name as well as the user login ID before creating user accounts?

Dsadd.exe

What command-line utility allows administrators to modify a group's type and scope as well as add or remove members?

Dsmod.exe

Local GPOs contain fewer options than domain GPOs. Local GPOs do not support ______.

Folder redirection or Group Policy software installation

What is the group scope for Domain Admins, Domain Controllers, and Domain Users default groups?

Global

What is not a container, nor full-fledged security division and cannot have Group Policy settings applied directly to them?

Group

What application or interface allows you to configure security filtering?

Group Policy Management console

What is the Microsoft Management Console (MMC) snap-in that you use to create GPOs and manage their deployment to AD DS objects?

Group Policy Management console

What is an important difference between groups and OUs?

Group memberships are independent of the domain's tree structure.

How do groups differ from OUs?

Groups are security principals, meaning you assign access permissions to a resource based on membership in a group. OUs are for organization and for assigning Group Policy settings.

What is the order in which Windows systems receiving and process multiple GPOs.

LSDOU (local, site, domain, then OU)

What is the PowerShell cmdlet used to create user objects?

New-ADUser

What is a container object that functions in a subordinate capacity to a domain, and still inherits policies and permissions from its parent objects?

Organizational unit

Group Policies applied to parent containers are inherited by all child containers and objects. What are the ways you can alter inheritance?

Using the Enforce, Block Policy Inheritance, or Loopback settings

What is the method for removing a domain controller in Windows Server 2012?

Using the Remove Roles and Features Wizard

For Server Core installations, how does Windows Server 2012 differ from Windows Server 2008 when installing the AD DS role and promoting the system to a domain controller?

Windows Server 2012 now allows administrators to use PowerShell.

What are the two built-in user accounts are created on a computer running Windows Server 2012?

Windows Server 2012 Exam 2, 2. Active Directory Administration, Windows Server Chapter 6, 70-640 : Windows Server 2008 Active Directory Configuration (Ch.1), Windows Server Chapter 6, Chapter 6 Terminology, Tools 4.2

संबंधित स्टडी सेट्स

Vistas 2, Chapter 7, (12) 4 - Escoger, Online Homework, Reflexive Verbs

Orgo 2 Safety Review

Mid term path 370

World Geography Spring Interim Review 30a-35e

ATI Neuro Questions

The Expenditures Approach (LM 6 Part 1)

Chapter 7 and 35 Quiz

Mandatory Assignment - Circulatory System: Heart

LPI Linux Essentials 010 V1.6 - Chapter 1 Quiz

HORM #4

Rosh Boost: Family Medicine

FSA Module 2

Pathophysiology Ch 1

Community Textbook Questions

Chapter 21 Mastering

Finance

Fetal Pig Dissection with Pictures

Grammar Exit Test 7 grade

Art History Unit 6- Quiz 2

MS - Upper and Lower GI

Windows Server 2012 Exam 2, 2. Active Directory Administration, Windows Server Chapter 6, 70-640 : Windows Server 2008 Active Directory Configuration (Ch.1), Windows Server Chapter 6, Chapter 6 Terminology, Tools 4.2

संबंधित स्टडी सेट्स

Vistas 2, Chapter 7, (12) 4 - Escoger, Online Homework, Reflexive Verbs

Orgo 2 Safety Review

Mid term path 370

World Geography Spring Interim Review 30a-35e

ATI Neuro Questions

The Expenditures Approach (LM 6 Part 1)

Chapter 7 and 35 Quiz

Mandatory Assignment - Circulatory System: Heart

LPI Linux Essentials 010 V1.6 - Chapter 1 Quiz

HORM #4

Rosh Boost: Family Medicine

FSA Module 2

Pathophysiology Ch 1

Community Textbook Questions

Chapter 21 Mastering

Finance

Fetal Pig Dissection with Pictures

Grammar Exit Test 7 grade

Art History Unit 6- Quiz 2

MS - Upper and Lower GI

Pathophysiology Ch 1