Ch. 6 - Active Directory

D. HTTP

Azure Active Directory accesses resources through which of the following? A. NTLM B. LDAP C. Kerberos D. HTTP

B. Azure Active Directory

Ben is developing a cloud-based application. He wants his application users to be able to use the same credentials that they use for their Microsoft 365 account. He also wants to use OpenID for a secure authentication process. Which of the following is the BEST match for what Ben wants? A. Kerberos Authentication Services B. Azure Active Directory C. Azure Active Directory Domain Services D. Active Directory Domain Services

A. Get-ADDomainControllerPasswordReplicationPolicy

Which of the following cmdlets is used to display the members of the allowed list or the denied list of the RODC PRP? A. Get-ADDomainControllerPasswordReplicationPolicy B. Add-ADDomainControllerPasswordReplicationPolicy C. Get-ADAccountResultantPasswordReplicationPolicy D. Get-ADDomainControllerPasswordReplicationPolicyUsage

D. Use the RODC to provide a secure mechanism for granting non-administrative users rights.

Which of the following functions is available when using an RODC? A. Use the RODC for dynamic DNS. B. Use the RODC as a secure source domain for another domain controller in the forest. C. Use the RODC as a bridgehead server. D. Use the RODC to provide a secure mechanism for granting non-administrative users rights.

C. By using Azure AD, application developers can integrate a user's preexisting credentials into the app for single sign-on authentication.

Which of the following is a benefit offered by Azure Active Directory to application developers? A. By using Azure AD, application developers can implement Kerberos authentication for secure sign-on for users. B. By using Azure AD, application developers can create domains, trees, and forests for managing user data. C. By using Azure AD, application developers can integrate a user's preexisting credentials into the app for single sign-on authentication. D. By using Azure AD, application developers can use schema extensibility to replicate changes to the user experience with each application update.

C. A parent/child trust exists between a parent domain and the immediate child domain.

Which of the following is true about a default trust automatically created between domains in a forest? A. A tree root trust does not exist between the top domain within a tree and the parent domain. B. The trust is non-transitive. C. A parent/child trust exists between a parent domain and the immediate child domain. D. The trust is one-way.

A. They are also called interforest trusts.

Which of the following is true about forest trusts? A. They are also called interforest trusts. B. They do not require the DNS to be configured. C. They can only be one-way trusts. D. They are non-transitive within the trusted forest.

A. If Domain A trusts Domain B, then Domain B has access to Domain A's resources.

Which of the following is true about the direction of access in a one-way trust relationship? A. If Domain A trusts Domain B, then Domain B has access to Domain A's resources. B. If Domain A trusts Domain B, then Domain A has access to Domain B's resources. C. If Domain A trusts Domain B and Domain B trusts Domain C, then Domain B has access to Domain C's resources. D. If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A has access to Domain C's resources.

B. Domain naming master & E. Schema master

Which of the following roles are forest roles? (Select two.) A. Primary domain controller emulator B. Domain naming master C. Relative IDs master D. Infrastructure master E. Schema master

B. Configure one of the domain controllers in Houston to be a Global Catalog server.

You are the network administrator for your company. Your network consists of two Active Directory domains, named research.westsim.local and sales.westsim.local. Your company has two sites, Dallas and Houston. Each site has two domain controllers, one for each domain. Users in Houston who are members of the sales.westsim.local domain report slow performance when logging in and accessing files in Dallas. Users in Dallas do not report any problems logging in and accessing local resources. You want all users in Houston to experience adequate login and resource access response time. What should you do? A. Increase the replication frequency between the two sites. B. Configure one of the domain controllers in Houston to be a Global Catalog server. C. Enable Universal Group Membership Caching in Houston. D. Decrease the site link cost between the two sites.

D. Configure one of the domain controllers in Houston to be a global catalog server.

You are the network administrator for your company. Your network consists of two Active Directory domains, research.westsim.local and sales.westsim.local. Your company has two sites, Dallas and Houston. Each site has two domain controllers, one domain controller for each domain. Users in Houston who are members of the sales.westsim.local domain report slow performance when logging in and accessing files in Dallas. Users in Dallas do not report any problems logging in and accessing local resources. You want all users in Houston to experience adequate login and resource access response time. What should you do? A. Increase the replication frequency between the two sites. B. Enable universal group membership caching in Houston. C. Decrease the site link cost between the two sites. D. Configure one of the domain controllers in Houston to be a global catalog server.

B. Selective authentication

As a network administrator you would like to allow only the group of HR users from another forest the right to authenticate to the resources within your forest. Which of the following security settings would be the best choice for allowing the needed access but also following the principle of least privilege? A. Two-factor authentication B. Selective authentication C. Domain-wide authentication D. Forest-wide authentication

Logical organization of resources -- Organizational Unit
Collection of network resources -- Domain
Collection of related domain trees -- Forest
Resource in the directory -- Object
Group of related domains -- Tree

Drag each Active Directory term on the left to its corresponding definition on the right. Terms: Tree, Forest, Domain, Organizational Unit, Object

B. Automation of user provisioning between existing Windows server Active Directory and cloud-based apps.

IT administrators can use Azure Active Directory for which of the following management strategies? A. User access control through Group Policy Objects. B. Automation of user provisioning between existing Windows server Active Directory and cloud-based apps. C. Authentication through Kerberos or NTLM protocols. D. Directory control through Organizational Units

D. Azure AD Connect

If IT administrators want to create a hybrid directory service between Azure Active Directory and Active Directory Domain Services, they must use which of the following to create this hybrid service? A. Dynamic CRM B. Azure Active Directory Domain Services C. Microsoft 365 D. Azure AD Connect

C. Shortcut trust

If you want to increase the speed of authentication and resource access between two domains within the same forest, which of the following is the best trust to create manually? A. External trust B. Forest trust C. Shortcut trust D. Realm trust

B. Azure Active Directory

Jim is the network administrator for a large company with multiple offices. All the employees at the company need access to various services like SQL database, machine learning, and Microsoft 365. Jim is spending a lot of time helping employees who have forgotten their credentials to the many different services they use for their jobs. Which of the following would be the BEST solution for Jim to implement to provide a single sign-on option for employees? A. A DNS server B. Azure Active Directory C. NTLM authentication D. Active Directory Domain Services

A group of domains based on the same name space. -- not used
A server that holds a copy of the Active Directory database that can be written to. -- Domain Controller
The first domain created in an Active Directory forest. -- Forest Root Domain
The highest level domain in a tree. -- Tree Root Domain

Match the Active Directory term on the right with its corresponding definition on the left. Not every definition on the left has an associated term on the right. Terms: Domain Controller, Forest Root Domain, Tree Root Domain

A. Azure Active Directory

SAML, OpenID, and OAuth 2.0 can be used by which of the following for cloud-based application authentication? A. Azure Active Directory B. Active Directory Domain Services C. Group Policy objects D. Organizational Units

B. The Ntdsutil.exe tool

Which utility would you use to seize a role? A. The dsquery server -hasfsmo desired_FSMO_role command B. The Ntdsutil.exe tool C. The Microsoft Management Console (MMC) Snap-in Tools D. A PowerShell cmdlet

C. Lists the FSMO roles and identifies the server on which they are running.

What does the netdom query fsmo command do? A. Lets you query the directory according to specified criteria. B. Finds where the current FSMO roles are being held. C. Lists the FSMO roles and identifies the server on which they are running. D. Transfers FSMO roles.

C. The administrative overhead of this model is greater because administrators must manually add users (or preferably groups) to the allowed list.

Which of the following BEST describes the few accounts cached administrative model? A. This model poses some security risk because passwords are replicated to the RODCs. B. Password management is facilitated because most users can have their passwords cached on demand. C. The administrative overhead of this model is greater because administrators must manually add users (or preferably groups) to the allowed list. D. If the WAN link is down, users will be unable to log on. For this reason, implement this model only if the branch site is connected to the main site with reliable WAN links.

D. No accounts cached model

Which of the following administrative models for a RODC provides the most security in small branch location? A. Local accounts only cached model B. Few accounts cached model C. Most accounts cached model D. No accounts cached model

A. A flat system (not hierarchical); C. Can provide authentication through Security Assertion Markup Language (SAML); & F. An Identity as a Service (IDaaS).

Which of the following are features of Azure Active Directory? (Select three.) A. A flat system (not hierarchical). B. An on-premises directory service. C. Can provide authentication through Security Assertion Markup Language (SAML). D. Uses Windows Challenge/Response (NTLM) for authentication. E. Uses Lightweight Directory Access Protocol (LDAP) for authentication. F. An Identity as a Service (IDaaS). G. A hierarchical system with forests, trees, and domains.

B. Must be accessible to add or remove a domain from the forest; E. Must be a global catalog server if it resides in a multiple domain environment; & F. Ensures that domain names are unique.

Which of the following are the responsibilities of the domain naming master? (Select three.) A. Acts as the domain master browser, creating browse lists of workgroups, domains, and servers. B. Must be accessible to add or remove a domain from the forest. C. Acts as a focal point for all Group Policy changes to avoid Group Policy object conflicts. D. Ensures synchronized time within the domain (and between domains in the forest) with the w32tm command. E. Must be a global catalog server if it resides in a multiple domain environment. F. Ensures that domain names are unique. G. Replicates password changes within a domain.

A. Azure Active Directory

Which of the following authentication services do current subscribers of Microsoft 365, Office 365, and Dynamic CRM already have an account with? A. Azure Active Directory B. DNS server C. Active Directory Domain Services D. Kerberos authentication

A. A cloud-based authentication service.

Which of the following best describes Azure Active Directory? A. A cloud-based authentication service. B. An on-premises directory service. C. A directory and access service which offers control through Group Policy objects. D. A cloud-based domain service managed by Microsoft.

A. A trust which creates a trusted relationship between forests.

Which of the following best describes a forest trust? A. A trust which creates a trusted relationship between forests. B. A trust which provides access to resources in a domain located in a separate forest or on a Windows NT 4.0 domain. C. A trust that forms a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 or later domain. D. A trust used to improve logon times between two domains within a forest.

B. A trust relationship which allows the trust to flow among domains.

Which of the following best describes a transitive trust? A. A trust relationship in which one domain trusts another domain, but the second domain does not trust the first domain. B. A trust relationship which allows the trust to flow among domains. C. A trust relationship that must be explicitly configured between domains. D. An external trust relationship.

D. A domain controller that hosts read-only partitions of Active Directory's database.

Which of the following best describes an RODC? A. A domain controller that's been assigned the responsibility for performing updates to the directory schema. B. A domain controller that's responsible for making changes to the directory's forest-wide domain name space. C. A domain controller assigned the responsibility to allocate sequences of RIDs to each domain controller in its domain. D. A domain controller that hosts read-only partitions of Active Directory's database.

B. Active Directory trust

Which of the following is an established relationship between domains that allow authentication, communication, and access to resources? A. Active Directory RODC B. Active Directory trust C. Active Directory RID master role D. Active Directory global catalog

C. Authentication will be granted only locally.

Which of the following will happen when a user attempts to log on if the WAN link to a writeable domain controller is not available and the password for a computer account is cached on an RODC? A. The authentication request will be denied. B. The authentication request will be sent to the writeable domain controller. C. Authentication will be granted only locally. D. Authentication will be granted to the entire domain.

C. Deploy VMs that run AD DS in two Availability Zones at the minimum. & D. Use standby operations master on at least one server.

You are deploying Active Directory Domain Services (AD DS) in an Azure virtual network. Which items should you consider when it comes to availability? (Select two.) A. Close all ports on the AD DS servers except for those necessary for authentication, authorization, and server synchronization. B. Use Bitlocker or Azure disk encryption to encrypt the AD DS database disk. C. Deploy VMs that run AD DS in two Availability Zones at the minimum. D. Use standby operations master on at least one server. E. Place AD DS servers in separate subnets with a Network Security Group (NSG) as a firewall.

C. Configure VMs to the correct size for the network load requirements. & E. Monitor the VMs and scale up or down when necessary.

You are deploying Active Directory Domain Services (AD DS) in an Azure virtual network. Which items should you consider when it comes to scalability? (Select two.) A. When using Azure VPN Gateway, be aware that inbound traffic is free, but outbound traffic is not. B. Active Directory Domain Services can be used as a shared service with multiple workloads to save on costs. C. Configure VMs to the correct size for the network load requirements. D. Azure Virtual Network is free, and you are allowed up to 50 virtual networks across all regions. E. Monitor the VMs and scale up or down when necessary.

C. Make the domain controller in New York a Global Catalog server. & D. Create two sites, one called Los Angeles and one called New York. Assign the IP subnet in use at each location to the appropriate site.

You are the network administrator for a network with a single Active Directory domain and a default site configuration. Your domain consists of three domain controllers, two at the company headquarters in Los Angeles and one in New York. Active Directory Domains and Trusts shows that all three domain controllers are replicating without errors. You have implemented a group structure using Microsoft's recommendation. You have global groups, which are members of universal groups. The universal groups are members of domain local groups. You have assigned permissions to the domain's local groups. Users in Los Angeles aren't reporting any difficulties logging in and accessing local resources. However, users in New York report that login is very slow and that resource access is also very slow, even for local resources. You want to improve login and resource access performance for New York users. What should you do? (Select two. Each answer is part of the complete solution.) A. Create a GPO named Logon that grants the Log on Locally user right. Link the Logon GPO to the Los Angeles and New York sites. B. Create a GPO named Logon that grants the Log on Locally user right. Link the Logon GPO to the Domain Controllers OU. C. Make the domain controller in New York a Global Catalog server. D. Create two sites, one called Los Angeles and one called New York. Assign the IP subnet in use at each location to the appropriate site.

D. Enable Universal Group Membership Caching for the Denver and Miami sites.

You are the network administrator for a network with a single Active Directory forest. All domains in the forest are at Windows Server 2008 functional level, and the forest is also at a Windows Server 2008 functional level. Offices are located in Denver, Chicago, and Miami. Each geographic location has an Active Directory site configured. The links that connect the Denver and Miami sites to the corporate headquarters in Chicago are highly utilized, and you want to minimize replication traffic over them. Company headquarters is located in Chicago, and that location has multiple global catalog servers to service global queries efficiently. Several users in Denver and Miami are members of universal groups throughout the forest. You need to make sure that, in the event of a WAN link failure, group membership will be protected, and logons will be available. What should you do? A. Move two global catalog servers from the Chicago site to the Denver and Miami sites. B. Enable Universal Group Membership Caching for the Chicago site. C. Create a new Global Catalog server in the Denver and Miami sites. D. Enable Universal Group Membership Caching for the Denver and Miami sites.

A. Set the system time and time zone. & D. Configure the computer name.

You have not yet installed Active Directory Domain Services (ADDS) on a new Windows Server system. You are planning to use the computer as a domain controller in Active Directory. Which of the following steps is it recommended that you perform before you install the ADDS role? (Select two.) A. Set the system time and time zone. B. Configure the server to use DHCP to get an IP address. C. Install Desktop Experience. D. Configure the computer name. E. Install the DNS server role.

D. Designate the domain controllers at Sites 2 and 3 as Global Catalog servers.

You are the network administrator for an Active Directory forest with a single domain. The network has three sites with one domain controller at each site. You have created and configured sites in Active Directory Sites and Services, and replication is operating normally between sites. You configure two universal groups for use in securing the network. All users are members of one universal group or the other. After configuring the universal groups, users at Sites 2 and 3 report slow login and slow access to the corporate database. Users at Site 1 can log in and access the corporate database with acceptable performance. You want to improve login and resource access performance for users in Sites 2 and 3. What should you do? A. Edit the site link objects between Sites 1 and 2 and between Sites 2 and 3. Decrease the replication interval. B. Create site link bridges between Sites 1 and 2 and between Sites 1 and 3. C. Change the IP address scheme so that all users are on Site 1's IP subnet. D. Designate the domain controllers at Sites 2 and 3 as Global Catalog servers.

B. Create a shortcut trust.

You are the network administrator for corpnet.com. Users in the sales.us.corpnet.com domain frequently need to access shares in sales.eu.corpnet.com, but report that it often takes a long time to be authenticated when accessing the shares. You need to reduce the amount of time it takes the users in sales.us.corpnet.com to be authenticated in sales.eu.corpnet.com. What should you do? A. Change the share rights on the shares in the sales.eu.corpnet.com domain. B. Create a shortcut trust. C. Create an external trust. D. Change the NTFS rights on the shares in the sales.eu.corpnet.com domain.

B. Modify the properties of the File1 computer account in Active Directory Users and Computers.

You are the network administrator for corpnet.com. corpnet.com uses a vendor named partner.com. You create a cross-forest trust with Selective Authentication between the corpnet.com Active Directory forest and the partner.com Active Directory forest. On a file server named File1, you create a share named Share1 and assign the following permissions: Partner\SalesUsers - Allow-Modify NTFS permissions. Partner\SalesUsers - Allow-Full Control share permissions. Users in the Partner\SalesUsers group report that they cannot connect to the \\File1\Share1 share. You need to ensure that users in the Partner\SalesUsers group can connect to the share and modify data. What should you do? A. Modify the NTFS permissions on the \\File1\Share1 share. B. Modify the properties of the File1 computer account in Active Directory Users and Computers. C. Modify the name suffix routing on the cross-forest share between the two forests. D. Modify the share permissions on \\File1\Share1 share.

D. Install a read-only domain controller (RODC) in each branch office. Configure the hard drive to use BitLocker drive encryption.

You are the network administrator for northsim.com, a company that specializes in extreme sports vacations. The company has one main office and 30 branch offices. All of the branch offices have 3 to 10 users on location, and all of them are located in remote areas of the country. Due to the need to be located near natural resources, many of the branch offices lack basic security, and almost all of them are connected to the main office via a very slow connection. Users at the branch offices complain that it takes a long time to log on to the domain. Management has authorized the purchase and deployment of one Windows Server for each branch office. You have been asked to develop a standard installation for the new servers being deployed. Your solution must meet the following requirements: Each branch office server should perform authentication for users located at that branch office. Each branch office server should be configured to minimize the amount of Active Directory information that will be compromised in the event that the server is stolen. Each branch office server should be configured to minimize the amount of user data that will be compromised in the event that the server is stolen. What should you do? A. Install a writable domain controller in each branch office. Configure the hard drive to use BitLocker drive encryption. B. Install a read-only domain controller (RODC) in each branch office. Configure all of the files on the hard drive to use the Encrypting File System (EFS). C. Install a writable domain controller in each branch office. Configure all the files on the hard drive to use the Encrypting File System (EFS). D. Install a read-only domain controller (RODC) in each branch office. Configure the hard drive to use BitLocker drive encryption.

A. Get-ADDomainControllerPasswordReplicationPolicyUsage

You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server, and all of the clients run the Windows operating system. The company has a branch office in Atlanta that has a read-only domain controller (RODC) named ATLRODC1. Management has requested a list of the users who have been authenticated by ATLRODC1 in the past and whose user accounts are cached on the RODC. Which command should you use to retrieve this information? A. Get-ADDomainControllerPasswordReplicationPolicyUsage B. Get-ADUser C. Get-ADAccountResultantPasswordReplicationPolicy D. Get-ADDomainControllerPasswordReplicationPolicy

B. Dsquery & D. Active Directory Schema snap-in

You are the network administrator for westsim.com. The network consists of one Active Directory domain that contains 1,500 users. westsim.com has one main office and 15 branch offices. There are three domain controllers at the main office and one domain controller at each branch office. You have been asked to identify which domain controller hosts the schema master role. Which utilities should you use? (Select two.) A. Dsget B. Dsquery C. Active Directory Users and Computers D. Active Directory Schema snap-in

A. Centralized configuration control & E. Centralized authentication

You manage a group of 20 Windows 10 workstations that are currently configured as a Workgroup. Which advantages could you realize by installing Active Directory and adding the computers to a domain? (Select two.) A. Centralized configuration control B. Decreased implementation cost C. Reduced need for specialized hardware D. Increased local control of workstation settings E. Centralized authentication

B. Install a read-only domain controller (RODC) in the branch office.

You manage a network with a single Active Directory domain named eastsim.com. Your company has a single office in Dallas. You open a second office in San Antonio. The San Antonio location is connected to the Dallas location by a WAN link. All user and computer accounts in the branch office are members of the eastsim.com domain. You did not install a domain controller in the branch office. Recently, the WAN connection between Dallas and San Antonio went down. During the outage, several problems existed because of the lack of a domain controller in the San Antonio location. You want to eliminate these problems in the future. You want to ensure that user passwords are cached on a server in San Antonio and that directory service replication only happens from Dallas to San Antonio. Changes should not be made in San Antonio and replicated back to domain controllers in Dallas. What should you do? A. Install a domain controller in San Antonio. Make it a Global Catalog server. B. Install a read-only domain controller (RODC) in the branch office. C. Install a domain controller in San Antonio. Create a new site for the branch office and move the domain controller to that site. Enable Universal Group Membership Caching on the site. D. Install Active Directory Lightweight Directory Services (AD LDS) on a member server in the branch office. Configure an instance and run Adamsync once to populate the directory from a domain controller in Dallas.

C. Active Directory Users and Computers or Active Directory Sites and Services

You manage a network with a single domain named eastsim.com. The network currently has three domain controllers. During installation, you did not designate one of the domain controllers as a global catalog server. Now you need to make the domain controller a global catalog server. Which tool should you use to accomplish this task? A. Active Directory Sites and Services B. Active Directory Users and Computers C. Active Directory Users and Computers or Active Directory Sites and Services D. Active Directory Domains and Trusts E. Active Directory Domains and Trusts or Active Directory Sites and Services

B. Prepopulate passwords on the RODC.

You manage the network with a single Active Directory domain. You have installed a read-only domain controller in your branch office. As part of the configuration, you added the Sales Users group and the Sales Computers group as members of the Allowed RODC Password Replication Group group. You get a call from a user in the branch office saying that she can't log on. You verify that her user and computer accounts are members of the correct groups. You check and find that the WAN link to the branch office is down. You need to modify the configuration so that the user can log on even when the WAN link is down. What should you do? A. Reset the user account password. Reset the computer account. B. Prepopulate passwords on the RODC. C. Add the Sales Users group and the Sales Computers group to the password replication policy of the RODC. D. Add the user and the computer account directly to the password replication policy of the RODC.

select AD-Domain-Services

You need to add a new Windows server to an Active Directory domain. You intend to make this new server a domain controller. This server was installed with a server core deployment, so you'll need to install the Active Directory Domain Services role from the PowerShell console. From the drop-down list, select the name of the service you would enter to complete the following PowerShell command: Install-WindowsFeature -Name ________________________ -includemanagementtools

C. Transfer the domain naming master to WS1, WS2, or WS4.

Your network currently has the following Active Directory domains: westsim.com, emea.westsim.com, uk.emea.westsim.com, and us.westsim.com. Your company is closing its offices in the United States. Previously, most of the network administration took place in that office. Now all IT administration will take place in your London office. You have removed all domain controllers from the us.westsim.com domain except for the DC1 server. This server hosts the following roles: RID master, PDC emulator, Domain naming master, Infrastructure master. Prior to removing Active Directory from the domain controller, you need to transfer the necessary operation master roles to servers in the westsim.com domain. The westsim.com domain has the following domain controllers: WS1, WS2, WS3, and WS4. All servers are also global catalog servers except for WS3. What should you do to prepare for Active Directory removal on DC1? A. Transfer the infrastructure master to WS1, WS2, or WS4. B. Transfer the infrastructure master to WS3. C. Transfer the domain naming master to WS1, WS2, or WS4. D. Transfer the domain naming master to WS3.

D. Transfer the domain naming master to a domain controller in eastsim.com.

Your network currently has two domains, eastsim.com and sales.eastsim.com. You need to remove the sales.eastsim.com domain. You have removed all domain controllers in the domain except for the DC1.sales.eastsim.com server. This server holds the following infrastructure master roles: RID master, PDC emulator, Infrastructure master, Domain naming master. You are getting ready to remove Active Directory from DC1. What should you do first? A. Transfer the infrastructure master and the domain naming master to a domain controller in eastsim.com. B. Transfer the infrastructure master to a domain controller in eastsim.com. C. Transfer all roles to a domain controller in eastsim.com. D. Transfer the domain naming master to a domain controller in eastsim.com.

