Windows Server 2008 70-640
150 flashcards
Computer Networking
Undergraduate 4
05/10/2012

Cards

Term
What does the Audit Policy Setting Audit Account Logon Events do?
Definition

Creates an event when a user or computer attempts to authenticate using an Active Directory account.

Audits successful and failed account logons.

Term
What does the Audit Policy Setting Audit Logon Events do?
Definition

Creates an event when a user logs on interactively (locally) to a computer or over the network (remotely).

Audits successful and failed logons.

Term
What does the Audit Policy Setting Audit Account Management do?
Definition

Audits events, including the creation, deletion, or modification of user, group, or computer accounts.

Successful account management activities are audited.

Term
What does the Audit Policy Setting Audit Directory Service Access do?
Definition
Audits events that are specified in the system SACL, which is seen in an Active Directory object's Properties Advanced Security Settings dialog box.
Term
What does the audit policy setting Audit Policy Change do?
Definition

Audits changes to user rights assignment policies, audit policies, or trust policies.

Successful policy changes are audited.

Term
What does the Audit Policy Setting Audit Privilege Use do?
Definition

Audits the use of a privilege or user right.

No auditing is performed by default.

Term
What does the audit policy setting Audit System Events do?
Definition

Audits system restart, shutdown, or changes that affect the system or security log.

Successful and failed system events are audited.

Term
Audit Process Tracking
Definition

Audits events such as program activation and process exit.

Successful process tracking events are audited.

Term
Audit Object Access
Definition
Audits access to objects such as files, folders, registry keys, and printers that have their own SACLs. In addition to enabling this audit policy, you must configure the auditing entries in the objects' SACLs.
Term
How can you change group scope?
Definition

Global-->Universal

Domain-->Local

Universal-->global

Universal-->domain local

Term
What is the best practice for group membership?
Definition

Accounts are members of

Global Groups, which are members of

Domain Local groups, which are then added to

Access Control Lists (ACLs)

Term
True or False: CSVDE is used to modify existing objects.
Definition
False. LDIFDE is used to modify existing objects.

Term
What is a shadow group?
Definition
A group that contains the same users as an OU. Contains users that meet certain criteria.
Term
What 3 things are required to join a computer to an AD Domain?
Definition
  • computer object must be created
  • must have appropriate permissions
  • must be a member of the local Administrators group
Term
What is Netdom.exe used for?
Definition
  • join a computer to a domain from the command prompt
    • remotely
    • specifies the OU for the computer object
  • creates a computer account
Term
What is Gpotool.exe?
Definition
Used to troubleshoot GPO status, including problems caused by the replication of GPOs.
Term
What is the default domain policy processing order?
Definition
site-->domain-->OU
Term
What is "Block Inheritance"?
Definition
Turned on in a domain or OU. It can prevent inheritance from parents.
Term
What is Enforce?
Definition

Enforce is set at the parent level.

It overrides any Block Inheritance settings that are set.

Term
What two ways are there to filter GPO scope?
Definition
  1. Remove the Apply Group Policy permission for the Authenticated Users group.
    • Do not set Deny.
  2. Determine the groups to which the GPO should not be applied and set the Apply Group Policy permission to Deny.
Term
What does IIS stand for?
Definition
Internet Information Services
Term
What are the characteristics of an RMS root cluster?
Definition
  • only one in AD DS forest
  • designed to provide high availability and load balancing 
Term
What are the minimum server requirements for AD DS in order to use AD RMS?
Definition

Windows 2000 SP3

or Windows Server 2003

Term
What is a Server Licensor Certificate?
Definition
A self-signed certificate generated during the RMS setup of the first server in a root cluster.
Term
What is a Rights Account Certificate (RAC)?
Definition

Issued to trusted users who have an email-enabled account in AD DS.

It is generated when the user first tries to open rights-protected content.

Contains the public key of the user as well as his or her private key.

Term
What is a Machine Certificate?
Definition

A machine certificate is created the first time an RMS-enabled app is used.

  • Creates a lockbox on the computer to correlate the machine certificate with the user's profile 
Term
What is a Publishing license?
Definition
  • created when the user saves content in a rights-protected mode.
  • the license lists which users can use the content and under which conditions, as well as the rights each user has to the content.
Term
What is a subnet?
Definition
a physical network segment
Term
What is a site?
Definition
Represents a group of well-connected networks.
Term
Where does the AD database reside?
Definition

In a file called NTDS.dit

  • 3 parts
    • data table
      • contains all info in the AD store
    • link table
      • data that represents linked attributes
    • security descriptor table
      • contains data that represents inherited security descriptors for each object
Term
What is a Global Catalog?
Definition

A database that contains a partial replica of every object from every domain within a forest.

This provides for faster searches.

Term
What is an A record?
Definition
Maps a host name to an IP address and is used for forward lookups.
Term
What is a PTR record?
Definition
Maps an IP address to a host name and is used for reverse lookups.
Term
What is an SRV record?
Definition
Identifies a service such as an AD domain controller.
Term
What is a Use License?
Definition
Assigned to a user who opens rights-protected content.
Tied to the user's RAC.
Term
What is an RODC?
Definition
-a domain controller, typically placed in a branch office, that maintains a copy of all objects in the domain and all attributes except secrets such as password-related properties
-replication is one-way
Term
What are the steps to deploying and RODC?
Definition
-ensure that the forest functional level is Windows Server 2003 or higher
-if the forest has only domain controllers running, run adprep /rodcprep
-ensure that at least one writable DC is running Windows Server 2008
Term
What is a tree?
Definition
a group of related domains that share the same contiguous DNS name space.
Term
What is a forest?
Definition
a collection of related domain trees.
-it establishes the relationship between trees that have different DNS name spaces
Term
What are the characteristics of domains in a tree?
Definition
-connected with a two-way transitive trust
-share a common schema
-have common global catalogs
Term
What is a domain controller?
Definition
a server that holds a copy of the AD database that can be written to.
Term
What is recursion?
Definition
The DNS server queries root domain servers, top-level domain servers, and other DNS servers in an iterative manner until it finds the DNS server that hosts the target domain.
Term
What do you use an application partition for in Active Directory-integrated zone replication?
Definition
You use an application partition to customize which domain controllers receive the DNS data.
Term
What is a Primary zone?
Definition
  • only writeable copy of the zone database
  • changes to the zone can only be made to the primary zone
  • the server that holds the primary zone is called the primary server
  • each zone can have only a single primary zone server
  • zone data is stored in a text file 
Term
What is a secondary server?
Definition
  • changes cannot be made to the records
  • copies zone data from other servers through a process called zone transfer
  • can copy zone data from the primary server or other secondary servers.
  • zone data is stored in a text file. 
Term
What is a stub zone?
Definition
  • only contains information about the name servers that are authoritative for the zone.
  • NOT authoritative for the zone
  • dynamic, meaning it will keep the list of name servers for the zone updated automatically
  • use a stub zone to forward name requests based on zones while keeping name server lists updated automatically.
Term
What is deprovisioning?
Definition
the process of removing access rights for users when they leave your organization.
Term
What commands must be run to join a computer to a domain using offline domain join, and what are the requirements?
Definition

Djoin.exe /provision

Djoin.exe /requestODJ

Term
What commands can you run to join a computer to the domain?
Definition

dsadd or netdom

Use netdom to rename a computer account.

Use netdom join to join a computer to a domain.

Term
What is a Managed Service Account?
Definition

Provides the same benefits as using a domain user account, with these improvements:

  • passwords are managed and reset automatically
  • when the domain is running at the Windows Server 2008 R2 functional level, the service principal name (SPN) doesn't need to be managed as with local accounts.
Term
What tool do you use to create, organize, and delete objects in Active Directory?
Definition
Active Directory Users and Computers
Term
What is ADSI Edit?
Definition

(Active Directory Service Interfaces Editor)

Acts as a low-level GUI editor for common administrative tasks such as adding, deleting, and moving objects.

Used to query, view, and edit attributes that are not exposed through other MMC snap-ins.

Term
What is an SOA?
Definition

(Start of Authority)

The first record in any DNS zone database file.

Defines the general parameters for the DNS zone, and is assigned to the DNS server hosting the primary copy of the zone.

Term

What is the NS?

Definition

(Name Server)

  • identifies all name servers that can perform name resolution for the zone. 
Term
What records does a stub zone hold?
Definition
  • The SOA record for the zone
  • NS records for all authoritative DNS servers for the zone
  • A records for authoritative name servers identified in the NS records. 
Term
What is Disable Recursion?
Definition

Recursion is the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution.

Disabling recursion will keep the server from using forwarders.

Term
What are root hints?
Definition

Pointers to top-level DNS servers on the Internet.

If you have a DNS server configured as a root zone server, it will never use the root hints file. It considers itself authoritative and therefore will not access the Internet to forward DNS queries.

Term
How can you get a DNS server to access the Internet?
Definition
Delete the root zone in the DNS console.
Term
What is Round Robin?
Definition

A load-balancing mechanism used by DNS servers to share and distribute network resource loads.

It is a static method for load balancing. If one server fails, DNS still sends requests to that failed server.

Term
What is LLMNR?
Definition

Link-Local Multicast Name Resolution

Term
What is debug logging?
Definition
Allows you to log the packets sent and received by the DNS server.
Term
adprep /forestprep
Definition
  • used to update the Windows Server 2003 or 2000 Active Directory schema for Server 2008 or R2
  • run this command only once in the forest
  • run on the domain controller that holds the schema operations master role for the forest
Term
adprep /domainprep
Definition
  • prepares a domain for Server 2008 or 2008 R2
  • run on the domain controller that holds the infrastructure operations master role for the domain
  • run AFTER adprep /forestprep
  • run in each domain in which you plan on installing a DC that runs 2008 or 2008 R2
  • for domains at the Windows 2000 functional level, run adprep /domainprep /gpprep
Term
adprep /rodcprep
Definition
  • run if you plan on installing an RODC in any domain in the forest
  • updates permissions on application directory partitions to enable replication of the partitions to RODCs.
  • runs remotely
  • run only once in the forest. 
Term
What do you need to do before creating a new domain running on a Windows Server 2008 or R2 domain controller in a 2000 or 2003 forest?
Definition
  • run the adprep /forestprep command if this is the first 2008 or R2 domain controller in the forest
  • if you plan on installing an RODC in any domain in the forest, run adprep /rodcprep
  • the schema must be updated before the OS is installed if you are performing an unattended installation of AD DS with 2008 or 2008 R2.
Term
AD DS installation using wizards requires?
Definition
  • in server manager run Add Roles Wizard to install Active Directory binaries
  • run dcpromo.exe
  • can be used to install new 2008 forests, domains, and domain controllers. 
Term
How do you install AD DS at the command line?
Definition
  • use dcpromo combined with unattended installation switches.
  • /NewDomain with forest, tree, or child specifies the type of new domain.
  • use /databasePath:C:\Windows\ntds /logPath:C:\Windows\ntdslogs /sysvolpath:C:\Windows\sysvol to specify the location of the database file, directory service log files, and system volume (SYSVOL) folder.
Term
When would you install AD DS from media?
Definition
Use the media installation method if you need to perform a domain controller install where the domain controller will not be able to contact another domain controller during installation.
Term
How do you make a Windows Server 2003 domain controller an RODC?
Definition

Remove AD DS, then reinstall the domain controller as an RODC.

Term
What numbers are used to specify domain functional levels when a new domain is created in an existing forest?
Definition

0 - Windows 2000 native

2 - Windows Server 2003

3 - Windows Server 2008

Term
What three tools can you use to remove a domain controller?
Definition
  • Active Directory Domain Services Installation Wizard
    • dcpromo.exe to start the wizard
  • dcpromo at the command line
  • dcpromo in an answer file 
Term
What must you do before removing a domain controller from a domain?
Definition
  • first, transfer the operations master roles hosted by the DC to other DCs
  • do not select the Delete the domain option
  • answer file
    • IsLastDCInDomain=yes
  • command line
    • /IsLastDCInDomain:Yes and /DemoteFSMO:Yes
Term

What steps do you perform to remove the LAST dc from the forest.

 

Definition
Same as removing any dc except you select the Delete the domain and forest option.
Term
What new features are found in Windows Server 2008 and R2 functional levels?
Definition
  • DFS
  • Advanced Encryption Standard (AES)
  • Last interactive logon info.
Term
What does the Windows Server 2008 R2 domain functional level add?
Definition

Authentication mechanism assurance (AMA)

Allows you to control access to network resources based on the type of certificate used during logon.

Term
What forest functional level must you be at to have forest trusts?
Definition
Windows Server 2003, with domain controllers running Windows Server 2003, 2008, or 2008 R2.
Term
What forest functional level must you be at to use Active Directory Recycle Bin?
Definition
2008 R2
Term
What powershell cmdlet should you use to roll back the functional level?
Definition
Set-ADDomainMode
Term
On which operations master role holder do you raise the domain functional level?
Definition
PDC emulator
Term
You have a domain controller at the 2003 functional level. Can you raise the domain functional level to 2008?
Definition

No.

You must have all domain controllers at the level you want to raise to.

Term
Where can you raise the domain functional level in Active Directory?
Definition

Active Directory Users and Computers or

Active Directory Domains and Trusts

Term
Where can you raise the forest functional level?
Definition
Active Directory Domains and Trusts
Term
On which operations master must you raise the forest functional level?
Definition
schema operations master
Term
What can keep you from being able to raise the functional level to Windows Server 2008 or 2008 R2?
Definition
  • domain controllers that don't run the necessary operating system version
  • insufficient hardware
  • a domain controller running an antivirus program that is incompatible with Server 2008 or 2008 R2
  • use of a version-specific program that does not run on Server 2008 or 2008 R2
  • the need to upgrade a program with the latest service pack.
Term
What FRS event ID indicates that FRS is in the process of starting the service?
Definition
13508
Term
What FRS event id indicates that the service has started successfully?
Definition
13509
Term
What FRS event id indicates that the service is started, the folders are shared, and the domain controller is functional?
Definition
13516
Term
What command do you run to verify that a new domain controller has been successfully added to the domain?
Definition

netdiag /test:member

Term
What command do you run to verify communication from the new domain controller to other domain controllers?
Definition

netdiag /test:dsgetdc

Term
What command do you run to verify proper permissions are set for replication?
Definition
dcdiag /test:netlogons
Term
What is Active Directory replication?
Definition
the process of copying Active Directory database changes between domain controllers
Term
What is a subnet?
Definition
  • represents a physical network segment
  • identifies the network address and mask
  • domain controllers are indirectly associated with ______ based on the domain controller IP address.
Term
What is a site?
Definition
  • represents a group of well-connected networks
  • linked to one or more subnets
  • can host domain controllers from more than one domain, and a domain can be represented in more than one site
  • create additional _____ to identify locations separated by WAN links
Term
What is a site link?
Definition
  • an Active Directory object that represents logical paths between sites that can be used for Active Directory replication
  • represents logical, not physical, connections
Term
What is a site link bridge?
Definition

A collection of two or more site links that can be grouped as a single logical link.

*connection*

Term
What is a Bridgehead Server?
Definition

A domain controller in a site that replicates with domain controllers in other sites.

*replication*

Term
When is a bridgehead server not in use?
Definition
replication within a site.
Term
What is a connection?
Definition

A logical communication channel between domain controllers.

Unidirectional.

Term
What is Directory Services Remote Procedure Call (DS-RPC) used for?
Definition

Used for intra-site and inter-site replication.

Also known as IP.

Does not require a CA.

Term
What is Inter-Site Messaging--Simple Mail Transfer Protocol? (ISM-SMTP)
Definition

Allows replication using mail messages in environments where wide area network links are not available.

Term
What is a preferred bridgehead server?
Definition

A domain controller in a site that has been designated as a potential bridgehead server.

Should be a global catalog server.

Term
How do you adjust the site coverage for replication?
Definition

Use the autositecoverage setting in the registry key

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameter

Term
What are the benefits of using DFS over FRS?
Definition
  • faster replication/decreased network traffic
  • flexible scheduling and bandwidth throttling to limit the quantity of data transmitted and/or accepted within a specified period of time.
  • automatic self-healing for many database errors.
  • improved support for RODCs
  • built-in health monitoring tools
Term
What are the first steps to migrating from FRS to DFS?
Definition
  • upgrade all domain controllers to 2008 or R2
  • change the domain functional level to Server 2008 or R2
  • verify the current state of replication by running repadmin /ReplSum
  • run the dfsrmig command to start and control the migration.
Term
What is a schema master?
Definition
maintains the Active Directory schema for the forest
Term
What is the Domain Naming Master?
Definition
adds new domains to and removes existing domains from the forest.
Term
If it resides in a multiple-domain environment, the Domain Naming Master must be a...
Definition
global catalog server
Term
What is the RID master?
Definition
Allocates pools or blocks of numbers that are used by the domain controller when creating new security principals.
Term
What is a primary domain controller emulator?
Definition
acts like a Windows NT 4.0 Primary Domain Controller and performs other tasks normally associated with NT domain controllers
Term
What is an infrastructure master?
Definition
responsible for updating changes made to objects.
Term
What two operations masters should be on a global catalog server?
Definition

Domain naming master

Schema master

Term
What are the only exceptions to placing an infrastructure master on a global catalog server?
Definition
  • in a forest that contains a single Active Directory domain
  • if every domain controller in a domain that is part of a multi-domain forest also hosts the global catalog.
Term
What two operation master roles should be on a single domain controller?
Definition

RID master

PDC emulator

Term
What command must you run to identify the operations master role owners?
Definition
  • netdom query fsmo
  • dcdiag /test:knowsofroleholders /v
  • dsquery server -hasfsmo
Term
What do you use to transfer RID Master, PDC emulator and infrastructure master roles?
Definition
Active Directory Users and Computers
Term
What do you use to transfer the domain naming master?
Definition
Active Directory Domains and Trusts
Term
What do you use to transfer the schema master role?
Definition
Active Directory schema snap-in
Term
What do you use the command-line tool Ntdsutil.exe for?
Definition
to transfer any of the operations master roles.
Term
When would you use Global Membership Caching as opposed to a Global Catalog?
Definition

Use it only if all of the following are NOT true:

  • the site has more than 100 users
  • the WAN link connecting the site to the rest of the network is reliable and fast
  • the location has roaming users
  • the location runs an application that requires a global catalog server.
Term
What is a local user?
Definition
An account created and stored on a local system; it is not distributed to any other system.
Term
What is a domain user account?
Definition
Created and centrally managed through Active Directory, and replicated between domain controllers in the domain.
Term
What do clients use LDAP for?
Definition
To query, create, update, and delete information that is stored in a directory service over a TCP connection, through the default TCP port 389.
Term
What are the attributes of a Parent/child trust?
Definition
  • created by default
  • transitive
  • two-way
Term
What are attributes of a Tree root trust?
Definition
  • created by default
  • transitive
  • two-way 
Term
What are the attributes of an external trust?
Definition
  • created manually
  • non-transitive
  • one-way, although you can create two one-way trusts to simulate a two-way trust 
Term
What are the attributes of a realm trust?
Definition
  • created manually
  • transitive or non-transitive
  • either one way or two way 
Term
What are the attributes of a forest trust?
Definition
  • created manually
  • transitive within the two forests but non-transitive between other forests.
  • either one way or two way. 
Term
What are the attributes of a shortcut trust?
Definition
  • created manually
  • transitive
  • either one way or two way 
Term
When is a Parent/child trust established?
Definition
when a new child domain is added to an existing domain tree.
Term
What is a tree root trust?
Definition
a default trust type that is established when a domain tree is created in an existing forest.
Term
What is an external trust?
Definition
Provides access to resources located in a Windows NT 4.0 domain or in a domain located in a separate forest that is not joined by a forest trust.
Term
What is a realm trust?
Definition
Forms a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 domain.
Term
What is a forest trust?
Definition
Shares resources between forests.
Term
What is a shortcut trust?
Definition
Improves user logon times between two domains within a forest by reducing the amount of Kerberos authentication traffic on the network.
Term
What steps should be taken to ensure that all members in a group automatically enroll for a certificate based on a template?
Definition
  1. configure the autoenrollment settings in a GPO
  2. assign Read, Enroll, and Autoenroll permission to the Domain Users group on the certificate template
Term
What utility should you run to configure a member server to receive a custom application directory partition for data replication?
Definition
dcpromo
Term
What is used to identify possible registry settings that can be configured?
Definition
ADM files
Term
What are .admx files?
Definition
language neutral files that store settings in XML format.
Term
What are .adml files?
Definition
a set of language dependent files that provide localized information when viewing template settings in the GPO.
Term
What is a Starter GPO?
Definition

A template that contains settings for the Administrative Templates portion of a Group Policy Object.

Software distribution and security settings are not contained in these.

Term
What command should you run to manually refresh group policy settings?
Definition
Gpupdate with whatever switch you need.
Term
What is loopback processing?
Definition
reapplies computer settings after user logon.
Term
By default how fast does a link speed have to be to allow software installation policies?
Definition
501 kbps or higher
Term
What must be present before you can set up an OCSP Online Responder?
Definition

IIS must be installed on the computer before the Online Responder can be installed. The correct configuration of IIS for the Online Responder is installed automatically when you install an Online Responder.

  • An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed.
  • The URL for the Online Responder must be included in the authority information access (AIA) extension of certificates issued by the CA. This URL is used by the Online Responder client to validate certificate status.