Term
What are the System Requirements to run AD RMS?

Definition
- Pentium 4.3 GHz or higher
- 512 MB RAM
- 40 GB HDD
- OS of Windows Server 2008 except Web Edition or Itanium-based systems
- FAT32 or NTFS file system
- Message Queuing
- IIS with ASP.NET-enabled web service

Term
What are the considerations for AD RMS?

Definition
- Reserve URLs that will not change and do not include a computer name nor use localhost.
- An AD DS domain running on Windows 2000 SP3, 2003, or Windows Server 2008.
- AD RMS must be installed in the same domain as its potential users.
- Domain User a

Term
What is a Server License certificate (SLC)?

Definition
It is a self-signed certificate generated during the AD RMS setup of the first server in a root cluster.

Term
What is a Rights Account Certificate (RAC)?

Definition
Issued to trusted users who have an email-enabled account in AD DS.
- RACs are generated when the user first tries to open rights-protected content.
- Have a duration of 365 days.
- Temp RACs do not tie the user to a specific computer and are valid for only 15 minutes.
- Contains the public key of the user as well as his or her private key.

Term
What is a Client Licensor certificate (CLC)?

Definition
After the user has a RAC and launches an AD RMS-enabled application, the application automatically sends a request for a CLC to the AD RMS cluster.
- Includes the client licensor public key, the client licensor private key that is encrypted by the user's public key, and the AD RMS cluster's public key.

Term
What is a Machine Certificate?

Definition
The first time an AD RMS-enabled application is used, a machine certificate is created.
- Contains the public key for the activated computer. The private key is contained within the lockbox on the computer.

Term
What is a Publishing License?

Definition
Created when the user saves content in a rights-protected mode. The license lists which users can use the content and under which conditions, as well as the rights each user has to the content.
- Includes the symmetric content key for decrypting content as well as the public key of the cluster.

Term

Definition
The use license is assigned to a user who opens rights-protected content.

Term
What is a Federated Web SSO?

Definition
Usually spans firewalls because it links applications contained within an extranet in a resource organization to the internal directory stores of account organizations.
The only trust that exists in this model is the federation trust. It is always a one-way trust from the resource organization to the account organizations.
- This is the most common deployment scenario.

Term
What is a Federated Web SSO with Forest Trust?

Definition
The organization uses two AD DS forests. One is internal and the other is an external forest located within a perimeter network.
- Internal users have access to the applications from both the internal network and the internet.
- External users have access to the applications only from the internet.

Term

Definition
Use when all the users for an extranet application are external and do not have accounts within an AD DS domain.

Term
What kind of certificate does a Federation server need in an AD FS environment?

Definition
A server authentication certificate and a token-signing certificate.

Term
What kind of certificate does a Federation Service Proxy use?

Definition
Must have a server authentication certificate to support SSL-encrypted communications with Web clients.
- Must also have a client authentication certificate to authenticate the federation server during communications.

Term
What kind of certificate does an AD FS Web Agent use?

Definition
A server authentication certificate to secure its communications with web clients.

Term
Is publishing CA configuration to AD DS directories optional or mandatory for a Standalone CA?

Definition
Optional.

Mandatory for an Enterprise CA.

Term

Definition
An administratively defined collection of network resources that share a common directory database and security policies.

Term

Definition
Within an Active Directory, each resource is identified as an object.
- Each object contains attributes.
- Active Directory uses DNS for locating and naming objects.
- Container objects hold or group other objects, either other containers or leaf objects.

Term

Definition
The schema identifies the object classes that exist in the tree and the attributes of the object.

Term

Definition
An organizational unit is like a folder that subdivides and organizes network resources within a domain.
- Is a container object.
- Can be used to logically organize network resources.
- Simplifies security administration.
- First-level OUs are called parents.
- Second-level OUs are called children.
- OUs can contain other OUs or any type of leaf object.

Term
What are Generic Containers?

Definition
Used to organize Active Directory objects.
- Created by default.
- Cannot be created, moved, renamed, or deleted.
- Have very few editable properties.

Term

Definition
A group of related domains that share the same contiguous DNS namespace.

Term

Definition
A collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.

Term
What is a Domain Controller?

Definition
A server that holds a copy of the Active Directory database that can be written to.

Term
What is a Global Catalog?

Definition
A database that contains a partial replica of every object from every domain within a forest.

Term

Definition
A distributed database that stores and manages information about network resources, such as users, computers, and printers.

Term

Definition
An LDAP directory service that you can use to create a directory store for use by directory-enabled applications.
- Formerly known as ADAM.

Term

Definition
A feature that enables secure access to web applications outside of a user's home domain or forest.
- Provides web SSO.

Term

Definition
A feature that safeguards digital information from unauthorized use.

Term

Definition
An identity and access control feature that creates and manages public key certificates used in software security systems.

Term
What are the steps to prevent objects from accidental deletion?

Definition
In Active Directory Users and Computers or Active Directory Sites and Services, do either of the following:
- On the Object tab, select the Protect object from accidental deletion check box.
- On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.

Term
Where does Windows store standard zone data?

Definition

Term
How do you change the replication scope for a zone using an application partition?

Definition
dnscmd /zonechangedirectorypartition

/forest
/domain

Term
What cmdlets are used to manage user accounts?

Definition
- New-ADUser: creates a new AD user.
- Get-ADUser: displays one or more AD users' profiles.
- Set-ADUser: modifies an AD user.
- Enable-ADAccount / Disable-ADAccount: enables/disables an AD account.
- Search-ADAccount: gets AD user, computer, and ser

Term
How do you perform an offline domain join?

Definition
Run Djoin.exe /provision, then copy the resulting file to the computer that you want to join to the domain.
Run Djoin.exe /requestODJ

Term
Can you convert a group from global to domain local or domain global?

Definition
No, not directly. First convert the group to a universal group and apply the changes, then convert the group to the desired scope.

Term
What are the requirements to join a computer to a domain?

Definition
You must be a member of the Administrators group on the local computer or be given the necessary rights.

Term
What utilities do you use to create computer accounts from a command prompt or script?

Definition

Term
What is a managed service account?

Definition
A new account type available in Windows Server 2008 R2 and Windows 7. Provides the same benefits as using a domain user account, with these improvements:
- Passwords are managed and reset automatically.
- When running at the Windows Server 2008 R2 functional level, the SPN does not need to be managed as with local accounts.

Term
What is a Virtual Account?

Definition
A new account type that is not created or deleted.

Term

Definition
A strategy to manage users, groups, and permissions.
- A: place user accounts
- G: into Global groups
- DL: into Domain Local groups
- P: assign permissions to domain local groups.

Used in mixed mode. Universal groups are not available in mixed mode.

Term

Definition
Same as AGDLP except Universal groups are used.

Used in native mode where there is more than one domain and you need to grant access to similar groups defined in multiple domains.

Term
What do you use Active Directory Users and Computers for?

Definition
Use it to create, organize, and delete objects in Active Directory.

Term
How do you access Active Directory Users and Computers?

Definition
- Server Manager
- Admin Tools
- Running dsa.msc

Term

Definition
It is the Active Directory Service Interfaces Editor.
- Use it to query, view, and edit attributes that are not exposed through other MMC snap-ins.

Term

Definition
Creates a new object in Active Directory.

Term
What is Dsquery used for?

Definition
Finds objects that match the search criteria and returns them as a list.

Term

Definition
Retrieves property information about an object.

Term

Definition
Used to import and export Active Directory objects using a comma-separated list file.
- PASSWORDS ARE NOT EXPORTED.

Term

Definition
Imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
- Passwords are NOT exported.

Term
How do you export user accounts and import them with a password?

Definition
- Export the user accounts.
- Import the user accounts to create the accounts. Users will be forced to change the password at next logon.
- Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and

Term

Definition
A command-line environment designed for automating administration and maintenance for Windows Server 2008 and Windows Server 2008 R2.

Term
What is the general syntax of PowerShell cmdlets?

Definition

Term

Definition
Allows you to search for and view the properties of multiple Active Directory objects.
- GUI based.

Term

Definition
- Active Directory Migration Tool.
A GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another.

Term
What is the Active Directory Administrative Center?

Definition
An Active Directory management GUI tool built on Windows PowerShell.
- Creates or manages new or existing user accounts, groups, computer accounts, organizational units, and containers.
- Connects to one or several domains or domain controllers in the same instance of AD Admin Center.
- Changes domain and forest functional levels.
- Filters Active Directory data by using queries.

Term

Definition
- Start of Authority record.
- First record in any DNS database file.
- Defines general parameters for the DNS zone.
- Only one SOA.

Term

Definition
- Name Server.
- Identifies all name servers that can perform name resolution for the zone.

Term

Definition
Maps an IPv4 DNS host name to an IP address.

Term

Definition
Maps an IPv6 DNS host name to an IP address.

Term

Definition
Provides alternative names to hosts that already have a host record.

Term

Definition
Provides alternative names to domains that already have a host record.

Term

Definition
Used by Windows Server 2008 to register network services.

Term

Definition
In a reverse lookup zone, the PTR record maps an IP address to a host name.

Term
What does a full zone transfer copy?

Definition
It copies all of the zone data with each zone transfer.

Term
Who initiates a zone transfer?

Definition
The secondary server ALWAYS initiates the zone transfer.

Term

Definition
- Master servers are configured with a list of slave DNS servers.
- When a change takes place, the master notifies the slave servers that the zone has changed.
- The secondary server then initiates the zone transfer, first checking the serial number, then

Term
How do you improve DNS performance?

Definition
Place multiple DNS servers on your network.

Term
What does a caching-only server do?

Definition
Runs DNS but has no zones configured.
- Use a caching-only server to improve performance while eliminating zone transfers.

Term
When can you disable zone transfers?

Definition
If a zone is AD-integrated and has no secondary servers, you can disable zone transfers.

Term

Definition
A DNS server that can be used by another DNS server to resolve queries for records that cannot be resolved through the cache.

Term
What is a secondary zone?

Definition
You can eliminate the need for a forwarder for a specific zone by adding a secondary zone to the server.

Term

Definition
A zone with only a partial copy of the zone database. It holds only the following:
- SOA record for the zone
- NS records for all authoritative DNS servers for the zone
- A records for the authoritative name servers identified in the NS records

Term
What is a conditional forwarder?

Definition
A forwarder that is used for a specific domain.

Term
When should you use a conditional forwarder?

Definition
Use a conditional forwarder to eliminate all zone transfer traffic, or in conditions where you are not allowed to transfer data from a zone.

Term

Definition
The process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution.

Term

Definition
Pointers to top-level DNS servers on the internet.

Term

Definition
A load balancing mechanism used by DNS servers to share and distribute network resource loads.

Term
What is Background Zone Loading?

Definition
DNS servers load zone data from AD DS in the background while the server restarts.

Term

Definition
- Read-Only Domain Controller.
- An additional domain controller for a domain that hosts read-only partitions of the Active Directory database.

Term
What is the No-refresh interval?

Definition
The time between the record's last refresh and when it can next be refreshed.

Term
What is the Refresh interval?

Definition
Identifies a period of time when a record can be refreshed. It begins when the no-refresh interval ends.

Term
What is the command adprep /forestprep used for?

Definition
Used to update the Windows Server 2003 or Windows 2000 Server Active Directory schema for Windows Server 2008 or Windows Server 2008 R2.
- Run it only once in the forest.
- Run it on the domain controller that holds the schema master.
- Must be a member of the Admins group, Schema Admins group, and Domain Admins group.

Term
What is the command adprep /domainprep used for?

Definition
- Prepares a domain for a Windows Server 2008 or Windows Server 2008 R2 domain controller.
- Run it on the domain controller that holds the infrastructure operations master.
- Run it AFTER the adprep /forestprep command finishes and after the changes replicate to al

Term
What is adprep /rodcprep used for?

Definition
Use it if you plan on installing an RODC in any domain in the forest.
- Run it only once in the forest.
- You can run this command on any computer in the forest.
- Must be a member of Enterprise Admins.

Term
When installing a new Windows Server 2008 or 2008 R2, what must the first domain controller be?

Definition
It must be a Global Catalog server.

Term
What must you do if you are installing a new Windows Server 2008 or 2008 R2 domain controller to create a new domain in an existing Windows 2000 or Windows Server 2003 forest?

Definition
- Run adprep /forestprep if this is the first Windows Server 2008 or Windows Server 2008 R2 domain controller in the forest.
- Run adprep /rodcprep if you are making an RODC.
- The schema must be updated before the OS is installed if you are performing an unattended

Term
What are the methods that can be used for installing AD DS?

Definition
- Active Directory Domain Services Installation Wizard
- Command line (dcpromo)
- Answer file
- AD DS installation from media (use ntdsutil.exe)

Term
What command is used to remove AD DS?

Definition

Term
What do you do to remove a domain controller from a domain?

Definition

Term
What do you do if you are removing the last domain controller from a domain?

Definition

Term
What do you do if you are removing the last domain controller from a FOREST?

Definition
In the wizard, select Delete the domain and forest.

Term
What is available at the 2000 Native domain functional level?

Definition
- Universal groups are available for security and distribution
- Group nesting
- Group converting
- Security Identifier history

Term
What is available at the 2003 domain functional level?

Definition
- All features in 2000 Native
- Domain controller rename
- Update logon time stamp
- User password on inetOrgPerson object
- User and computer container redirect
- Constrained delegation allows applications to take advantage of the secure delegat

Term
What is available at the 2008 domain functional level?

Definition
Includes all features available in 2003 and adds the following:
- DFS for SYSVOL
- AES
- Last Interactive Logon Info
- Fine-grained password policies that allow you to specify password and account lockout policies for users and global security groups in a domain

Term
What is available at the 2008 R2 domain functional level?

Definition
Includes all previous features and adds:
- Authentication Mechanism Assurance (AMA), allowing you to control access to network resources based on the type of certificate used during logon.
- Automatic Service Principal Name (SPN) management when using managed service and virtual accounts.

Term
What forest functional level must you be at to use the Active Directory Recycle Bin?

Definition

Term
What is a Site Link Bridge?

Definition
A collection of two or more site links that can be grouped as a single logical link.
- Enabled by default.
- If disabled, you must manually specify site link bridges.

Term
What is a Bridgehead server?

Definition
A domain controller in a site that replicates with domain controllers in other sites.
- REPLICATION WITHIN A SITE DOES NOT USE BRIDGEHEAD SERVERS.

Term
What can be used to allow replication within mail messages in environments where WAN links are not available?

Definition
SMTP
- Cannot replicate only the configuration and schema directory partitions and global catalog read-only replicas.
- Requires an enterprise CA when you use it over site links.

Term

Definition
A number assigned to a site link that identifies the overall relative cost of using that site link.
- Default is 100.
- The lower the number, the more preferred the site link.

Term
What commands can you use to force replication?

Definition
- Replicate now
- repadmin.exe /replicate

Term
What are the stages of DFS migration?

Definition
1. Not initiated
2. Global State 0: at this stage DFS Replication has not started yet. FRS is still being used.
3. Global State 1: DFS begins to replicate, but FRS is still the main replication method.
4. Global State 2: FRS continues to replicate, but DFS becomes master.
5. Global State 3: FRS completely stops and DFS becomes the sole source of replication.

Term
What does the Schema Master do?

Definition
Maintains the AD schema for the forest.

Term
What does the Domain Naming Master do?

Definition
Adds new domains to and removes existing domains from the forest.
- Ensures that domain names are unique.

Term
What does the RID Master do?

Definition
It allocates pools or blocks of numbers that are used by the domain controller when creating new security principals.

Term
What does the PDC Emulator do?

Definition
Acts like a Windows NT 4.0 Primary Domain Controller. It also performs other tasks normally associated with NT domain controllers.

Term
What is the Infrastructure Master responsible for?

Definition
It is responsible for updating changes made to objects.

Term

Definition
The Domain Name System (DNS) is a hierarchical, distributed database that maps logical host names to IP addresses.

Term
What does a DNS server hold?

Definition
A DNS server holds a database of hostnames and their corresponding IP addresses. Clients query the DNS server to get the IP address of a given host.

Term
What was used before DNS?

Definition
A hosts file saved on each host computer.

Term
What makes up the DNS hierarchy?

Definition
The DNS hierarchy is made up of the following components:
- . (dot) domain (also called the root domain)
- Top Level Domains (TLDs) (.com, .edu, .gov)
- Second-level and additional domains
- Hosts

Term

Definition
Fully Qualified Domain Name: includes the host name and the names of all domains back to the root.

Term
What makes DNS a distributed database?

Definition
DNS is a distributed database because no one server holds all of the DNS information. Instead, multiple servers hold portions of the data.

Term

Definition
Zones typically contain one or more domains, although additional servers might hold information for child domains.

Term

Definition
DNS servers hold zone files and process name resolution requests from client systems.

Term
What is a DNS forward lookup?

Definition
A forward lookup uses the host name (or the FQDN) to find the IP address.

Term
What is a DNS reverse lookup?

Definition
A reverse lookup uses the IP address to find the host name (or FQDN).

Term

Definition
The A record maps a host name to an IP address and is used for forward lookups.

Term

Definition
The PTR record maps an IP address to a host name and is used for reverse lookups.

Term

Definition
The CNAME record provides an alternate name (an alias) for a host.

Term

Definition
The SRV record identifies a service, such as an Active Directory domain controller.

Term
How are DNS records created?

Definition
Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts automatically register and update their corresponding records with the DNS server.

Term
What is the process followed when a client computer needs to find an IP address?

Definition
- The client examines its HOSTS file for the IP address.
- If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
- If the IP address is not in the cache, the client sends the request to a DNS server.

Term
What is the process when a DNS server receives a name resolution request?

Definition
1) The DNS server examines its local DNS cache for the IP address.
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or recursion.
5) After the information is found or received from another server, the DNS server returns the result to the client and places the information in its server cache.

Term
What is an authoritative DNS server?

Definition
A DNS server that has a full, complete copy of all the records for a particular zone.

Term

Definition
Where the DNS server forwards the name resolution request to another DNS server, then waits for a response from that server.

Term

Definition
Where the DNS server queries root domain servers, top-level domain servers, and other DNS servers in an iterative manner until it finds the one that hosts the target domain.

Term
What is a caching-only DNS server?

Definition
A caching-only DNS server has no zone information; it is not authoritative for any domains. It uses information in its server cache, or forwarding or recursion, to respond to client queries.

Term
Who can install DNS in Server 2008?

Definition
Members of the Domain Admins group.

Term
Which versions of Server 2008 can have DNS installed on them?

Definition
You can install DNS on any version of Windows Server 2008 except for the Windows Server 2008 Web Server edition.

Term
What type of IP address must the DNS server have?

Definition

Term
How would you add the DNS role from a command prompt (or on a Server Core installation)?

Definition
start /w ocsetup DNS-Server-Core-Role

Term
What command will give a list of installed services on a server?

Definition
Run the oclist command to get a list of services (including DNS) installed on a server.

Term
What can be used to manage DNS on Server 2008?

Definition
Use the DNS snap-in or the dnscmd command to manage DNS.

Term
What is a primary DNS zone?

Definition
The master copy of a zone database.

Term
What are the properties of a primary zone?

Definition
- The primary zone is the only writeable copy of the zone database.
- Changes to the zone can only be made to the primary zone.
- The server that holds the primary zone is called a primary server.
- Each zone can have only a single primary zone s

Term
What is a secondary DNS zone?

Definition
A secondary zone is a read-only copy of the zone database.

Term
What are the properties of a secondary DNS zone?

Definition
- Changes cannot be made to the records in a secondary zone.
- A server that holds a secondary zone is called a secondary server.
- Secondary servers copy zone data from other servers through a process called zone transfer.
- Secondary servers ca

Term
What is an Active Directory-integrated DNS zone?

Definition
An Active Directory-integrated zone holds zone data in Active Directory instead of a text file.

Term
What are the properties of an Active Directory-integrated DNS zone?

Definition
- Active Directory-integrated zones are multi-master zones, meaning that changes to the zone information can be made by multiple servers. Multiple servers hold read-write copies of the zone data.
- Only DNS servers that are domain controllers can host

Term

Definition
A stub zone is a zone with only a partial copy of the zone database.

Term
What are the properties of a stub zone?

Definition
- The stub zone only contains information about the name servers that are authoritative for the zone; it does not contain information for other hosts.
- A stub zone is not authoritative for the zone; its purpose is to identify the name servers that can

Term
What is the GlobalNames DNS zone?

Definition
The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution.

Term
What is a GlobalNames DNS zone used for?

Definition
- Allow clients to use simple host names without domain information for name resolution. For example, to contact a server named web1.corp.us.westsim.private, users could simply enter the single-label name web1.
- Allow DNS clients to contact NetBIOS-on

Term
What are the features of a GlobalNames zone?

Definition
- When users enter a single-label name, the client computer first tries to resolve the name using DNS and the search suffix configuration. If that process fails, the GlobalNames zone is checked (if it exists).
- Using the GlobalNames zone does not requ

Term
What is a forward lookup DNS zone?

Definition
A forward lookup zone provides hostname-to-IP address resolution. Clients query the DNS server with the hostname and receive the IP address in return.

Term
What is a reverse lookup DNS zone?

Definition
A reverse lookup zone provides IP address-to-hostname resolution. Clients query the DNS server with the IP address and receive the hostname in return.

Term
How many servers can hold the primary zone file?

Definition
Only one server can hold the primary zone file. To place zone data on multiple servers, configure secondary servers.

Term
Where does Windows store standard zone data?

Definition
Windows stores standard zone data in the %windir%\System32\Dns directory. The file is a text file with .dns added to the zone name.

Term
Which types of zone support dynamic updates?

Definition
Primary and Active Directory-integrated zones support dynamic updates. Use an Active Directory-integrated zone to use secure dynamic updates.

Term
| What types of record does a reverse lookup zone hold? |
|
Definition
| Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP address to an A record. |
|
|
Term
| What type of zones can a reverse lookup zone be? |
|
Definition
| A reverse lookup zone can be a primary zone, a secondary zone, or an Active Directory integrated zone. |
|
|
Term
| What is the SOA (Start of Authority) record? |
|
Definition
| The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone, and it is assigned to the DNS server hosting the primary copy of a zone. There is only one SOA record, and it is the first record in the zone database file. The SOA record includes parameters such as the authoritative server and the zone file serial number. |
|
|
Term
| What is an NS (Name Server) record? |
|
Definition
| The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone (all authoritative DNS servers). |
|
|
Term
| What is an A (Host Address) record? |
|
Definition
| The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the most common resource record type. |
|
|
Term
| What is an AAAA (Quad A) record? |
|
Definition
| The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address. |
|
|
Term
| What is an MX (Mail Exchanger) Record? |
|
Definition
| The MX record identifies servers that can be used to deliver e-mail. |
|
|
Term
|
Definition
| The CNAME record provides alternate names (or aliases) to hosts that already have a host record. Using a single A record with multiple CNAME records means that when the IP address changes, only the one A record needs to be modified. |
|
|
Term
| What is a DNAME record? |
|
Definition
| The DNAME record provides alternate names (or aliases) to domains that already have a host record. |
|
|
Term
| What is a SRV (Service Locator) record? |
|
Definition
| The SRV record is used by Windows Server 2008 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically creates these records as needed and during domain controller installation. |
|
|
Term
| What is a PTR (Pointer) record? |
|
Definition
| In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. "points" to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace. |
|
|
Term
| What are WINS and WINS-R records? |
|
Definition
| Add these records to a zone when you want to allow DNS to use WINS resolution. The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse query that is not resolvable through DNS. |
|
|
Term
| How can DNS records be automatically created on a DNS server? |
|
Definition
| By using Dynamic DNS. Dynamic DNS is required to support Active Directory. |
|
|
Term
| When do dynamic updates occur? |
|
Definition
- A network connection's IP address is added, deleted, or changed.
- The DHCP server changes or renews an IP address lease.
- The client's DNS information is manually changed using ipconfig /registerdns.
- The client boots.
- A server is promo
|
|
Term
| Which Windows clients support DDNS? |
|
Definition
| Windows clients (2000 and above) create their A records with the DNS server. Windows 9x/Me/NT clients do not support dynamic DNS. |
|
|
Term
| How does the DHCP server tie in with DDNS? |
|
Definition
| The DHCP server registers the PTR record with the DNS server for clients capable of dynamic updates. The DHCP server updates both the A and PTR records for clients that do not support dynamic updates. |
|
|
Term
| Are dynamic updates enabled by default on a primary zone? |
|
Definition
| Dynamic updates are not enabled on primary zones. You can enable dynamic updates when you create the zone or modify the zone properties later to enable this feature. |
|
|
Term
| Are dynamic updates enabled by default on an Active Directory-integrated zone? |
|
Definition
| Dynamic updates are enabled on Active Directory-integrated zones. Note: When you convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is retained. |
|
|
Term
| What are secure dynamic updates? |
|
Definition
| With secure dynamic updates, only domain members can create records, and only the original client can modify or remove records. |
|
|
Term
| What is used to keep track of changes to a DNS zone? |
|
Definition
| The zone serial number keeps track of changes to the zone. When you make changes to the zone, the serial number is incremented. |
|
|
Term
| What is a DNS master server? |
|
Definition
| A master server is the server from which the secondary copies the zone data. The master server can be the primary server or another secondary server. |
|
|
Term
| What are the two types of zone transfer? |
|
Definition
Zone transfers can copy all records or only changed records:
- A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
- A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default method on Windows Server 2008.
|
|
Term
| Are zone transfers enabled in Server 2008 by default? |
|
Definition
| By default, zone transfer in Windows Server 2008 is disabled for security reasons. To use zone transfers, manually enable the feature in the DNS settings in Server Manager. |
|
|
Term
| How can you restrict the servers to which zone transfers are allowed? |
|
Definition
- Allow zone transfers only to servers that are listed as name servers.
- Allow zone transfers only to servers you specifically identify.
|
|
Term
| How does a secondary server initiate a zone transfer? |
|
Definition
- The secondary server contacts the master server and compares the serial number on the master with the serial number in its copy.
- If the serial number on the master is greater, the secondary initiates zone transfer.
- If the serial number is the
|
|
Term
| What is DNS Notify? |
|
Definition
| Windows DNS servers support the use of DNS Notify. With DNS Notify, master servers are configured with a list of slave DNS servers. |
|
|
Term
| How does DNS notify work? |
|
Definition
- When a change takes place, the master notifies the slave servers that the zone has changed.
- The secondary server then initiates zone transfer, first checking the serial number, then requesting changes.
|
|
Term
| What is a DNS caching server? |
|
Definition
| A caching-only server runs DNS but has no zones configured. Use a caching-only server to improve performance while eliminating zone transfers. |
|
|
Term
| How does an Active Directory-integrated zone store DNS information? |
|
Definition
| An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when Active Directory replicates. |
|
|
Term
| How can you secure zone transfers to secondary servers? |
|
Definition
| Active Directory replication traffic is automatically secured. To secure zone transfers to secondary servers, use IPsec between servers. |
|
|
Term
| How can you force an update of DNS zone data? |
|
Definition
| You can force an update of zone data through the DNS console or by using the Dnscmd command. |
|
|
Term
|
Definition
| A cached copy of a user's logon credentials that have been stored on the user's local workstation. |
|
|
Term
|
Definition
| The time difference between any client or member server and the domain controllers in a domain. |
|
|
Term
| Domain Naming Master |
|
Definition
| A role that has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest. Upon creation of any of these, the Domain Naming Master ensures that the name assigned is unique to the forest. |
|
|
Term
|
Definition
| Global catalog service that listens on port 3268 to respond to requests to search for an object in Active Directory. |
|
|
Term
|
Definition
| An attribute has been stored in the partial attribute set replicated to all global catalog servers in the forest. |
|
|
Term
|
Definition
| A domain-specific role that is responsible for reference updates from its domain objects to other domains. This assists in tracking which domains own which objects. |
|
|
Term
|
Definition
| A forced, ungraceful transfer of a role. This procedure is used only in the event of a catastrophic failure of a domain controller that holds an FSMO role. |
|
|
Term
|
Definition
| Move a role to a new domain controller. |
|
|
Term
|
Definition
| Memberships stored in the global catalog. A universal group can contain users, groups, and computers from any domain in the forest. In addition, universal groups, through their membership in domain local groups, can receive permissions for any resource anywhere in the forest. |
|
|
Term
| universal group membership caching |
|
Definition
| This feature stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server. |
|
|
Term
| PAS |
|
Definition
| A partial copy of all objects from other domains within the same forest. This partial copy of forest-wide data includes a subset of each object's attributes. |
|
|
Term
| Primary Domain Controller Emulator (PDC Emulator) |
|
Definition
| A role that provides backward compatibility from Microsoft Windows NT 4.0 domains and other down-level clients. |
|
|
Term
| RID |
|
Definition
| A variable length number that is assigned to objects as created and becomes part of the object's security identifier (SID). |
|
|
Term
| Relative Identifier Master (RID Master) |
|
Definition
| Role that is responsible for assigning relative identifiers to domain controllers in the domain. Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created, |
|
|
Term
| SID |
|
Definition
| A variable length number used to uniquely identify an object throughout the Active Directory domain. Part of the SID identifies the domain to which the object belongs and the other part is the RID. |
|
|
Term
| Active Directory Domain Services |
|
Definition
| Windows Server 2008 service that provides a centralized authentication service for Microsoft networks. Provides the full-fledged directory service that is called Active Directory in Windows Server 2008 and previous versions of Windows Server. |
|
|
Term
| Distinguished Name |
|
Definition
| The full name of the object that includes all hierarchical containers leading up to the root domain. The xxxxxxxxxxx begins with the object's common name and appends each succeeding parent container object, reflecting the object's location in the Active Directory structure. |
|
|
Term
| Domain Controller |
|
Definition
| A server that stores the Active Directory database and authenticates users with the network during logon. |
|
|
Term
| Knowledge Consistency Checker |
|
Definition
| An internal Active Directory process that automatically creates and maintains the replication topology. The xxxxxxxxxxx operates based on the information provided by an administrator in the Active Directory Sites and Services snap-in, which is located in the Administrative Tools folder on the domain controller, or an administrative workstation that has the Administrative Tools installed. |
|
|
Term
| Naming Context |
|
Definition
| An Active Directory partition. |
|
|
Term
| Domain Name System |
|
Definition
| The name resolution mechanism computers use for all Internet communications and for private networks that use the Active Directory domain services included with Microsoft Windows Server 2008, Windows Server 2003 and Windows 2000 Server. |
|
|
Term
| Globally Unique Identifier |
|
Definition
| A 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed. |
|
|
Term
| Lightweight Directory Access Protocol |
|
Definition
| The protocol that has become an industry standard that enables data exchange between directory services and applications. The xxxxxxxxx standard defines the naming of all objects in the Active Directory database and therefore provides a directory that can be integrated with other directory services, such as Novell eDirectory, and Active Directory-aware applications, such as Microsoft Exchange. |
|
|
Term
| Organizational Unit |
|
Definition
| A container that represents a logical grouping of resources that have similar security or administrative guidelines. |
|
|
Term
| Read-Only Domain Controller |
|
Definition
| A domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers within Active Directory. This feature was introduced in Windows Server 2008. |
|
|
Term
|
Definition
| A partition that allows information to be replicated to administratively chosen domain controllers. An example of information that is commonly stored in an application partition is DNS data. xxxxxxxxx offer control over the scope and placement of information that is to be replicated. |
|
|
Term
|
Definition
| Characteristics associated with an object class in Active Directory that make the object class unique within the database. The list of xxxxxxxs is defined only once in the schema, but the same xxxxxxxx can be associated with more than one object class. |
|
|
Term
|
Definition
| The configuration partition contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest. |
|
|
Term
|
Definition
| An object, such as a domain or an Organizational Unit, that is used to organize other objects. Also known as a leaf object. |
|
|
Term
|
Definition
| Trust type that allows resources to be shared between Active Directory forests. |
|
|
Term
|
Definition
| Administration of an Organizational Unit is tasked to a department supervisor or manager, thus allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords. |
|
|
Term
|
Definition
| Allow businesses to define, manage, access, and secure network resources, including files, printers, people, and applications. |
|
|
Term
|
Definition
| A grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems. |
|
|
Term
|
Definition
| Active Directory domain partition that is replicated to each domain controller within a particular domain. Each domain's xxxxxxx contains information about the objects that are stored within that domain; users, groups, computers, printers, Organization Units, and more. |
|
|
Term
|
Definition
| In Active Directory, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship. Each Active Directory forest can contain one or more xxxxxxxs, each of which can, in turn, contain one or more domains. |
|
|
Term
|
Definition
| A one-way, nontransitive trust that is established with a Windows NT domain or a Windows 2000 domain in a separate forest. |
|
|
Term
|
Definition
| The ability to respond gracefully to a software or hardware failure. In particular, a system is considered to be xxxxxxxx when it has the ability to continue providing authentication services after the failure of a domain controller. |
|
|
Term
|
Definition
| The largest container object within Active Directory. The xxxxxxxx container defines the fundamental security boundary within Active Directory, which means that a user can access resources across an entire Active Directory xxxxxxxx using a single logon/password combination. |
|
|
Term
|
Definition
| The first domain created within an Active Directory forest. |
|
|
Term
|
Definition
| Designed to offer support for Active Directory domain controllers running various supported operating systems by limiting functionality to specific software versions. As legacy domain controllers are decommissioned, administrators can modify the xxxxxxxxx to expose new functionality within Active Directory. Some features in Active Directory cannot be activated, for example, until all domain controllers in a forest are upgraded to a specific level. |
|
|
Term
|
Definition
| Occurs when a domain controller receives updates to the Active Directory database from other domain controllers on the network. |
|
|
Term
|
Definition
| A unique number used to identify all devices on an IP network. xxxxxxxxxxs are four octets long and commonly expressed in dotted-decimal notation, such as 192.168.10.1. |
|
|
Term
|
Definition
| An object, such as a domain or an Organizational Unit, that is used to organize other objects. Also known as a container object. |
|
|
Term
|
Definition
| An improvement to replication that is available after the forest functional level has been raised to Windows Server 2003, or higher, enabling a single membership change to a group to trigger the replication of only the change to each member in the list, rather than the entire membership list. |
|
|
Term
|
Definition
| Active Directory DNS provides direction for network clients that need to know which server performs what function. |
|
|
Term
|
Definition
| Individual domain controllers in an Active Directory database may contain slightly different information, because it can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment. |
|
|
Term
|
Definition
| An element in Active Directory that refers to a resource. Xxxxxxxs can be container xxxxxxs or leaf xxxxxs. Containers are used to organize resources for security or organizational purposes; leaf xxxxxxs refer to the end-node resources, such as users, computers, and printers. |
|
|
Term
|
Definition
| Occurs when a domain controller transmits replication information to other domain controllers on the network. |
|
|
Term
|
Definition
| Portion of Active Directory database used to divide the database into manageable pieces. |
|
|
Term
|
Definition
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource.
2) An option used to deploy applications. It allows users to install the applications that they consider useful to them.
|
|
Term
|
Definition
| The process of keeping each domain controller in sync with changes made elsewhere on the network. |
|
|
Term
|
Definition
| Upgrade strategy based on functional levels that allows enterprises to migrate their Active Directory domain controllers gradually, based on the need and desire for the new functionality. |
|
|
Term
|
Definition
| Master database that contains definitions of all objects in the Active Directory. |
|
|
Term
|
Definition
| The partition that contains the rules and definitions used for creating and modifying object classes and attributes within Active Directory. |
|
|
Term
|
Definition
| A manually created nontransitive trust that allows child domains in separate trees to communicate more efficiently by eliminating the tree-walking of a trust path. |
|
|
Term
|
Definition
| One or more IP subnets connected by fast links. |
|
|
Term
|
Definition
| The locator records within DNS that allow clients to locate an Active Directory domain controller or global catalog. |
|
|
Term
|
Definition
| Enables administrators from a particular domain to grant access to their domain's resources to users in other domains. |
|
|
Term
|
Definition
| The building block of the DNS that maps a single IP address to a DNS hostname. |
|
|
Term
|
Definition
| Feature offered by Read-Only Domain Controllers (RODCs) that enables an administrator to configure a user as the local administrator of a specific RODC without making the user a Domain Admin with far-reaching authority over all domain controllers in the entire domain and full access to the Active Directory domain data. |
|
|
Term
|
Definition
| The dynamic update feature that places a timestamp on a record, based on the current server time, when the IP address is added. This is part of the aging and scavenging process. |
|
|
Term
|
Definition
| The executable files needed to install Windows. |
|
|
Term
|
Definition
| The Active Directory Installation Wizard. |
|
|
Term
|
Definition
| Domain name limited to 15 characters that is maintained for legacy compatibility with older applications that cannot use DNS for their name resolution. |
|
|
Term
|
Definition
| Enables the DNS database to be updated with the changed information when the Internet Protocol (IP) address of a host changes. |
|
|
Term
|
Definition
| Zones necessary for computer hostname-to-IP address mapping, which are used for name resolution by various services. |
|
|
Term
|
Definition
| A domain controller that contains a partial replica of every domain in Active Directory. The xxxxxxxxx stores those attributes most frequently used in search operations (such as a user's first and last names) and those attributes required to locate a full replica of the object. The Active Directory replication system builds the global catalog automatically. |
|
|
Term
| incremental zone transfers |
|
Definition
| Method of conserving bandwidth by transferring part of a zone. |
|
|
Term
| Active Directory Lightweight Directory Services |
|
Definition
| Role that provides developers the ability to store data for directory-enabled applications without incurring the overhead of extending the Active Directory schema to support their applications. This feature was introduced in Windows Server 2008. |
|
|
Term
| Directory Services Restore Mode |
|
Definition
| A special startup mode used to run an offline defragmentation. |
|
|
Term
| Flexible Single Master Operations |
|
Definition
| The specific server roles that work together to enable the multimaster functionality of Active Directory. |
|
|
Term
| fully qualified domain name |
|
Definition
| The complete DNS name used to reference a host's location in the DNS structure. |
|
|
Term
| Object Identifier |
|
Definition
| A unique string used to identify every class or attribute added to a schema. OIDs must be globally unique, and they are represented by a hierarchical dotted-decimal notation string. |
|
|
Term
| pointer |
|
Definition
| The resource record that is the functional opposite of the A record, providing an IP address-to-name mapping for the system identified in the Name field using the in-addr.arpa domain name. |
|
|
Term
| User Principal Name |
|
Definition
| A naming format that simplifies access to multiple services such as Active Directory and email. A xxxxxxxxx follows a naming convention that can reflect the forest root domain or another alias that follows the format of username@domain-name. |
|
|
Term
|
Definition
| A single occurrence of an element. |
|
|
Term
|
Definition
| The amount of time or delay it takes to replicate information throughout the network. |
|
|
Term
|
Definition
| A command-line tool that is used to create, delete, verify, and reset trust relationships from the Windows Server 2008 command line. |
|
|
Term
|
Definition
| A command-line tool that is critical for working with DNS on Server Core. |
|
|
Term
| Password Replication Policy |
|
Definition
| A list of user or group accounts whose passwords should be stored on a particular Read-Only Domain Controller (RODC) or should not be stored on the specific RODC. |
|
|
Term
|
Definition
| A mechanism to set up load balancing between multiple servers that are advertising the same SRV records. Clients will always use the record with the lowest-numbered priority first. They will only use an SRV record with a higher-numbered priority if the lower-numbered priority record is unavailable. |
|
|
Term
| restartable Active Directory |
|
Definition
| Feature that enables administrators to place the NTDS.DIT file in an offline mode without rebooting the domain controller outright. This feature was introduced in Windows Server 2008. |
|
|
Term
|
Definition
| Zone that answers queries in which a client provides an IP address and DNS resolves the IP address to a hostname. |
|
|
Term
|
Definition
| The process of removing records that were not refreshed or updated within specified time intervals. |
|
|
Term
|
Definition
| A special installation option that creates a minimal environment for running only specific services and roles. Server Core runs without the Windows Desktop shell, which means that it must be administered exclusively from the command line or using Group Policy. This feature was introduced in Windows Server 2008. |
|
|
Term
|
Definition
| A utility that enables administrators to view any other roles the server might be performing. The Server Manager utility launches automatically at startup after the Initial Configuration Tasks utility is closed. It can be accessed manually through the shortcut provided in the Administrative Tools folder or directly from the Start menu. |
|
|
Term
|
Definition
| To begin the Active Directory installation at a central location, such as a data center, and then allow a local administrator to complete the configuration. |
|
|
Term
|
Definition
| A shared folder that exists on all domain controllers and is used to store Group Policy Objects, login scripts, and other files that are replicated domain-wide. |
|
|
Term
|
Definition
| The length of time a record is valid, after which it needs to be reregistered. |
|
|
Term
|
Definition
| Running dcpromo from the command line using a specially formatted text file to specify the necessary installation options. |
|
|
Term
|
Definition
| A relative weighting for SRV records that have the same priority. For example, consider three SRV records with the same priority with relative weights of 60, 20 and 20. Because 60 + 20 + 20 = 100, the record with the weight of 60 will be used 60/100, or 60%, of the time, whereas each of the other two records will be used 20/100, or 20 percent, of the time. |
|
|
Term
|
Definition
| The process of replicating DNS information from one DNS server to another. |
|
|
Term
|
Definition
| Each replication transaction does not need to complete before another can start because the transaction can be stored until the destination server is available. |
|
|
Term
|
Definition
| The server at each site that acts as a gatekeeper in managing site-to-site replication. This allows intersite replication to update only one domain controller within a site. After a xxxxxxxx is updated, it updates the remainder of its domain controller partners with the newly replicated information. |
|
|
Term
|
Definition
| Method used by domain controllers to inform one another of when changes need to be replicated. Each domain controller will hold a change for 45 seconds before forwarding it, after which it will transmit the change to each of its replication partners in 3 second intervals. |
|
|
Term
|
Definition
| To reduce the size of transmitted data to decrease the use of network bandwidth. |
|
|
Term
|
Definition
| The link, created by the Knowledge Consistency Checker, between domain controllers that replicate with one another in a site. |
|
|
Term
|
Definition
| The amount of time required for replication so that all domain controllers in the environment contain the most up-to-date information. |
|
|
Term
|
Definition
| Value assigned to a site link object to define the path that replication will take. If more than one path can be used to replicate information, cost assignments will determine which path is chosen first. A lower-numbered cost value. |
|
|
Term
|
Definition
| A command-line tool used for monitoring Active Directory. |
|
|
Term
| dual counter-rotating ring |
|
Definition
| Created by the Knowledge Consistency Checker for the replication path. If one domain controller in the ring fails, traffic is routed in the opposite direction to allow replication to continue. |
|
|
Term
|
Definition
| A value assigned to a site link that determines how often information will be replicated over the site link. |
|
|
Term
| Classless Inter-Domain Routing |
|
Definition
| Form of notation that shows the number of bits being used for the subnet mask. For example, for an IP address of 192.168.64.0 with a mask of 255.255.255.0, the CIDR representation would be 192.168.64.0/24. |
|
|
Term
| Intersite Topology Generator |
|
Definition
| A process that selects a bridgehead server and maps the topology to be used for intersite replication. |
|
|
Term
| linked-value replication |
|
Definition
| An improvement to replication that is available for use after the forest functional level has been raised to Windows Server 2003 or higher, enabling a single membership change to a group to trigger the replication of only this change to each member in the list, rather than the entire membership list. |
|
|
Term
| Remote Procedure Calls over Internet Protocol |
|
Definition
| Default protocol used for all replication traffic. |
|
|
Term
| Simple Mail Transport Protocol |
|
Definition
| Transport protocol used for intersite replication when a direct or reliable IP connection is unavailable. |
|
|
Term
| update sequence number |
|
Definition
| A local value, maintained by each domain controller, that tracks the changes that are made at each DC, thus tracking which updates should be replicated to other domain controllers. |
|
|
Term
|
Definition
| The process of replicating Active Directory information between domain controllers within a site. |
|
|
Term
|
Definition
| The process of replicating Active Directory information from one site to another. |
|
|
Term
| preferred bridgehead servers |
|
Definition
| The administrator's list of servers to be used as bridgehead servers. A bridgehead server is the server at each site that acts as a gatekeeper in managing site-to-site replication. |
|
|
Term
|
Definition
| A command-line tool that can check replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and Knowledge Consistency Checker (KCC) recalculation. |
|
|
Term
|
Definition
| Servers that inform each other when updates are necessary. The Knowledge Consistency Checker (KCC) selects one or more replication partners for each domain controller in the site. |
|
|
Term
|
Definition
| Defines the path used by replication traffic. |
|
|
Term
|
Definition
| Determines the time when a site link object is available to replicate information. |
|
|
Term
|
Definition
| Defines a chain of site links by which domain controllers from different sites can communicate. |
|
|
Term
|
Definition
| A connection between two or more sites that enables intersite replication. |
|
|
Term
|
Definition
| An attribute set on an object to indicate when it was last updated. Timestamps are used to assist in the resolution of conflicts during replication. If a change was made to an attribute of the same object, the timestamp can help determine which object is the most up-to-date. |
|
|
Term
|
Definition
| Default characteristic of site links that use the same transport protocol. A domain controller in any site can connect to a domain controller in any other site by navigating a chain of site links. |
|
|
Term
|
Definition
| The change will be placed at the "beginning of the line" and it will be applied before any other changes that are waiting to be replicated. |
|
|
Term
|
Definition
| A value associated with each Active Directory attribute that keeps track of how many times that attribute has been changed. |
|
|
Term
|
Definition
| The network infrastructure between sites defined by fast and reliable IP subnets. |
|
|
Term
| What is a Certificate Revocation List (CRL) ? |
|
Definition
| A Certificate Revocation List (CRL) is a digitally signed list of unexpired certificates that a particular CA has revoked. |
|
|
Term
| What two types of CRLs does AD CS support? |
|
Definition
AD CS supports two types of CRLs.
- A Base CRL is a full, initial set of revoked certificates.
- A Delta CRL lists only certificates that have been revoked since the last full Base CRL was implemented.
|
|
Term
|
Definition
| CRL Distribution Point (CDP) |
|
|
Term
| What is a CRL Distribution Point (CDP) ? |
|
Definition
| A CRL Distribution Point (CDP) is a certificate extension that indicates where the CRL for a particular CA can be retrieved. |
|
|
Term
|
Definition
| Lightweight Directory Access Protocol |
|
|
Term
|
Definition
| Using CDPs enables PKI administrators to locate and access a relevant CRL so they can manually update the entries it contains. These entries are valid only for a specified time period. |
|
|
Term
|
Definition
Active Directory (AD): You use AD as the CDP to publish and store CRLs for enterprise CAs, which use certificate templates. PKI users can retrieve CRL data from an AD CDP using LDAP.
Accessing CRLs via a directory service uses more bandwidth than accessing CRLs directly because it requires that every client be able to authenticate to every server. Directories must be linked so that results can be located and passed back to the requesting PKI client.
A local directory: You use the local directory of a CA server as the CDP to store CRLs on standalone CAs, which don't require AD or use certificate templates. By default, standalone CAs hold all certificate requests in a pending queue until a CA approves them.
PKI users can access CRL data in a local directory via the Internet or an extranet, using HTTP or FTP.
|
|
Term
| OCSP |
Definition
| Online Certificate Status Protocol |
|
|
Term
|
Definition
| OCSP enables you to manage and distribute the revocation status of individual certificates via the Online Responder service, instead of having every client download a full CRL. |
|
|
Term
|
Definition
| A client uses OCSP to submit a status request for a single certificate to an Online Responder. The Online Responder service uses OCSP to return a digitally signed status response (good, revoked, or unknown) for that certificate, based on the CRLs that CAs provide to it. |
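The CDP, CRL and OCSP cards above describe where a Windows client looks for revocation data; the following PowerShell is an added example (not part of the original deck) that shows the check from the client side: it reads the CRL Distribution Points and Authority Information Access extensions from a certificate file and then builds the chain with online revocation checking through .NET's X509Chain, which uses the same CryptoAPI path (CRL, delta CRL, OCSP) that Windows itself uses. The certificate path is an assumption.

```powershell
# Added example, not from the original deck. Reads the revocation-related extensions from a
# certificate and runs a full online revocation check. $Path is an assumption.
$Path = 'C:\temp\webserver.cer'     # assumed: any DER or Base64 certificate file

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

# 2.5.29.31 = CRL Distribution Points (where the CRL lives: LDAP and/or HTTP URLs)
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (issuer cert and OCSP responder URLs)
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        "{0}:" -f $ext.Oid.FriendlyName
        $ext.Format($true)          # multi-line dump of the URLs as CryptoAPI decodes them
    } else {
        "No extension $oid present (clients cannot check revocation for this certificate)"
    }
}

# Validate the chain with online revocation checking for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$valid = $chain.Build($cert)
"Chain builds and is unrevoked: $valid"
foreach ($status in $chain.ChainStatus) {
    # Common values: Revoked, RevocationStatusUnknown (no reachable CDP or OCSP responder),
    # OfflineRevocation (fell back to a cached CRL), NotTimeValid (CRL or cert expired).
    "{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# certutil gives the same verdict with per-URL detail, which is what you want when the LDAP
# CDP works for domain members but the HTTP CDP is unreachable from outside the network:
#   certutil -verify -urlfetch $Path
```

RevocationStatusUnknown is the result to watch for in practice: it means the client could not reach any CDP or OCSP URL, and most applications treat it as a failure rather than silently accepting the certificate.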
|
|
Term
| configure an Online Responder |
|
Definition
You can use the following sets of properties to configure an Online Responder:

Web Proxy (the responder's web proxy cache: number of threads and cache entries)
Audit (which responder events are written to the security log)
Security (which accounts may request status or manage the responder) |
|
|
Term
| To validate whether AD replicated fine between two DCs, run which command? |
|
Definition
| repadmin /showrepl (shows the status of each inbound replication partner on a DC) or repadmin /replsummary (a summary of replication failures across all DCs) |
|
Term
| If users at a Branch are to log onto a Domain using RODC ? |
|
Definition
| Password Replication Policy should be configured. |
|
|
Term
| AD CS |
Definition
| Active Directory Certificate Services |
|
|
Term
| PKI |
Definition
| Public Key Infrastructure |
|
|
Term
| CA |
Definition
| Certification Authorities |
|
|
Term
|
Definition
| A CA is used to issue digital certificates and the directories are used to store policies and certificates. |
|
|
Term
|
Definition
| CRL |
|
|
Term
|
Definition
| A CRL is a digitally signed list of unexpired certificates revoked by a CA. |
|
|
Term
| What are Certificate Templates ? |
|
Definition
| Certificate templates define the content and format of a certificate, the process used to request and issue it, and which security principals are allowed to enroll for it. They are an essential part of an enterprise CA and enable an administrator to recognize, configure, and issue certificates that have been pre-configured for selected tasks. |
|
|
Term
| Where are Certificate templates stored ? |
|
Definition
Certificate templates are stored in Active Directory Domain Services (AD DS).

This enables them to be used by all CAs in a forest and ensures that the CAs have access to the current standard templates. |
|
|
Term
| Benefits of using Certificate Templates ? |
|
Definition
Consistent application of the certificate policy across the forest.

There are default templates that can be used as they are or duplicated and customized. |
|
|
Term
| Default Certificate Templates Available are ? |
|
Definition
Among the default templates:

Computer
Cross Certification Authority
Directory Email Replication
CEP Encryption
Code Signing
Domain Controller
Domain Controller Authentication
EFS Recovery Agent |
|
|
Term
| How many versions of Certificate Templates are available ? |
|
Definition
Version 1
Version 2
Version 3 |
|
|
Term
| Explain Version 1 certificate Template ? |
|
Definition
Version 1 certificate templates are available in a Windows 2000 PKI. When a CA is installed, these templates are created by default and cannot be removed or modified. However, you can duplicate a version 1 template to produce a modifiable version 2 or version 3 template.

Version 1 templates are the only version supported by CAs running Windows 2000 Server and Windows Server 2003 Standard Edition. |
|
|
Term
| Explain Version 2 certificate Template ? |
|
Definition
| Version 2 certificate templates enable you to customize the settings and permissions of a template based on your needs. These templates are only issued by Enterprise CAs installed on Windows Server 2003 Enterprise Edition or higher. |
|
|
Term
| Explain Version 3 certificate Template ? |
|
Definition
| Version 3 certificate templates enable an administrator to add Suite B cryptographic settings (the Cryptography Next Generation, CNG, algorithms such as ECDSA and ECDH) to their certificates. These settings contain advanced options for digital signatures, encryption, hashing, and key exchange. Administrators can only issue certificates based on version 3 certificate templates from CAs installed on Windows Server 2008 (Enterprise or Datacenter Edition). These certificates can only be used on clients running Windows Server 2008 or Windows Vista and later. |
|
|
Term
| Windows Server 2000 and Windows Server 2003 Standard Edition CAs support which version of certificate templates? |
|
Definition
| Version 1 only |
|
Term
| Windows Server 2003 Datacenter and Enterprise Edition CAs – support which version of certificate templates ? |
|
Definition
| Versions 1 and 2 (version 2 templates can be issued only by enterprise CAs on Enterprise or Datacenter Edition) |
|
Term
| Windows Server 2008 CAs support which version of certificate templates ? |
|
Definition
| Support for versions 1, 2, and 3 (on Enterprise and Datacenter Editions; Windows Server 2008 Standard Edition, like Windows Server 2003 Standard Edition, issues only version 1 templates) |
|
|
Term
| What are the permissions that you can assign to a certificate template ? |
|
Definition
The permissions that you can assign to a certificate template are:

Full Control
Enroll
Autoenroll
Read
Write |
|
|
Term
| Note : Windows Server 2008 enables key archival and recovery to prevent potential loss of data that can result from the loss of a key. |
|
Definition
| Note : This process enables a Key Recovery Agent (KRA) to retrieve private keys, original certificates, and public keys from the CA database. |
|
|
Term
|
Definition
|
|
Term
| Note : Enterprise CAs can archive a user's private key in their database when certificates are issued. These private keys are encrypted and stored by a CA. |
|
Definition
| Note :A private key can be recovered at a later time by using the private key archive. |
|
|
Term
| How do you configure your environment for key archival ? |
|
Definition
To configure your environment for key archival, you will need to:

* configure a KRA certificate template and enroll the KRA for a KRA certificate

* enable key archival for a CA |
|
|
Term
| How do you configure a KRA certificate template ? |
|
Definition
You need to add the Key Recovery Agent certificate template to the CA (the Certificate Templates folder in the Certification Authority console), then enroll the KRA:

If the template is configured with Read and Enroll permissions for the KRA, the KRA requests the certificate with the Certificates snap-in (Request New Certificate, the Certificate Enrollment wizard). The request is held as pending until a certificate manager issues it.

If the template is configured with the Autoenroll permission, the certificate is issued automatically the next time the user logs on to the network.

Finally, on the CA's Properties > Recovery Agents tab, select Archive the key and add the KRA certificate, then restart the CA service; only then can the CA archive private keys. |
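The key archival cards above give the console steps; the following PowerShell is an added example (not from the original deck) that performs and verifies the same procedure with certutil, from publishing the KRA template through recovering a user's archived key. The CA name, user name, serial number and file paths are assumptions.

```powershell
# Added example, not from the original deck: key archival and recovery with certutil.
# The user, serial number and paths below are assumptions.

# --- 1. On the enterprise CA: publish the KRA template so a KRA can enroll ---
certutil -SetCATemplates +KeyRecoveryAgent
# The KRA now requests a Key Recovery Agent certificate (Certificates snap-in, Request New
# Certificate). The default template requires CA certificate manager approval, so the
# request waits in Pending Requests until a certificate manager issues it.

# --- 2. On the CA: turn on archival and register the KRA certificate ---
# CA Properties > Recovery Agents > Archive the key > Add (the issued KRA certificate),
# then restart the service so the new setting is read:
net stop certsvc; net start certsvc
# Audit which KRA certificates are able to decrypt archived keys (one hash per KRA):
certutil -getreg CA\KRACertCount
certutil -getreg CA\KRACertHash

# --- 3. Confirm that certificates from an archival-enabled template really were archived ---
# A non-empty KeyRecoveryHashes value on the request row means the private key is in the CA database.
certutil -view -restrict "RequesterName=CONTOSO\alice" -out "RequestID,SerialNumber,KeyRecoveryHashes"

# --- 4. Recovery is a two-party operation by design ---
# a) A certificate manager exports the encrypted recovery blob for the user's certificate
#    (the search token here is an assumed serial number):
certutil -getkey 1a2b3c4d000000000005 C:\recovery\alice.blob
# b) The KRA, who alone holds the KRA private key, decrypts it into a password-protected PFX:
certutil -p 'Recov3ry!' -recoverkey C:\recovery\alice.blob C:\recovery\alice.pfx
# Hand the PFX to the user out of band, then delete the blob and PFX from the recovery workstation.
```

Keeping the certificate manager role and the KRA role on different people means no single account can both pull archived keys from the database and decrypt them, which is the reason the procedure is split into steps 4a and 4b.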
|
|
Term
| Restricted groups policy settings enable you to manage the membership of groups. |
|
Definition
| Restricted groups policy settings enable you to manage the membership of groups. |
|
|
Term
Remember that Member Of settings are cumulative and that if GPOs use the Members setting, only the Members setting with the highest GPO processing priority will be applied, and its list of members will prevail. |
|
Definition
Remember that Member Of settings are cumulative and that if GPOs use the Members setting, only the Members setting with the highest GPO processing priority will be applied, and its list of members will prevail. |
|
|
Term
Delegating Administration Using Restricted Groups Policies with the Member Of Setting. |
|
Definition
In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. |
|
|
Term
You want to add a group to the local Administrators group on computers without removing accounts that already exist in the group. Describe the restricted groups policy you should create. |
|
Definition
| Create a restricted groups policy for the group you wish to add. Use the Member Of policy setting (This Group Is A Member Of) and specify Administrators |
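The Restricted Groups cards above describe the trap: a Members setting replaces the existing membership of the target group on every computer in scope. The following PowerShell is an added example (not part of the original deck) that audits the security templates Restricted Groups policies are actually written to in SYSVOL and flags any GPO that uses the Members form against the local Administrators group. The SYSVOL path and domain name are assumptions; the embedded GptTmpl.inf content is constructed so the parser can be exercised offline.

```powershell
# Added example, not from the original deck. Restricted Groups settings are stored in each
# GPO's security template, <GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, in the
# [Group Membership] section as "<group>__Memberof = ..." and "<group>__Members = ...".
# Groups appear either as DOMAIN\name or as a SID prefixed with "*".

function Get-RestrictedGroupEntries {
    param([string[]]$Lines, [string]$Source)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group = $matches['group'].TrimStart('*')
            $kind  = $matches['kind']
            $value = $matches['value'].Trim()
            if ($value -eq '') { continue }    # an empty value means the setting is not managed
            New-Object PSObject -Property @{
                Source    = $Source
                Group     = $group
                Setting   = $kind
                Value     = $value
                # "Members" on S-1-5-32-544 (local Administrators) replaces the current membership
                # with exactly this list; "Memberof" only adds the group to the groups listed.
                Overwrite = ($kind -eq 'Members' -and $group -eq 'S-1-5-32-544')
            }
        }
    }
}

# Constructed sample template: one entry adds a helpdesk group (safe, Memberof form),
# the other rewrites local Administrators (Members form).
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
CONTOSO\HelpDesk__Memberof = *S-1-5-32-544
CONTOSO\HelpDesk__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,CONTOSO\ServerAdmins
'@
Get-RestrictedGroupEntries -Lines ($sample -split "`r?`n") -Source 'constructed-sample' |
    Format-Table Source, Group, Setting, Overwrite, Value -AutoSize

# Scan the real domain (assumed name). GptTmpl.inf is UTF-16, hence -Encoding Unicode.
$policies = '\\contoso.com\SYSVOL\contoso.com\Policies'
Get-ChildItem -Path $policies -Recurse -Filter GptTmpl.inf -ErrorAction SilentlyContinue |
    ForEach-Object {
        $gpoGuid = $_.Directory.Parent.Parent.Parent.Parent.Name   # the {GUID} policy folder
        Get-RestrictedGroupEntries -Lines (Get-Content $_.FullName -Encoding Unicode) -Source $gpoGuid
    } |
    Where-Object { $_.Overwrite } |
    Format-Table Source, Group, Value -AutoSize
```

Any row the last pipeline prints is a GPO that will strip every account not on its list (including Domain Admins, if omitted) from local Administrators on the computers it is scoped to; cross-check its processing priority against the other hits before deciding which one is actually winning.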
|
|
|
Term
|
Definition
| Group Policy Management Console |
|
|
Term
|
Definition
| Group Policy Management Editor |
|
|
Term
|
Definition
A policy setting can have three states:

Not Configured,
Enabled,
and Disabled. |
|
|
Term
| A single GPO can be linked to more than one site or OU. |
|
Definition
| A single GPO can be linked to more than one site or OU. |
|
|
Term
| What is the Scope of the GPO : Security Filters ? |
|
Definition
You can narrow the scope of a GPO with security filtering: the GPO applies only to the users, computers, or global security groups that hold both the Read and the Apply Group Policy permissions on it. Removing Authenticated Users and adding specific groups restricts the GPO to those groups; denying Apply Group Policy to a group excludes that group even though it is within the link's scope. |
|
|
Term
| WMI |
Definition
| Windows Management Instrumentation |
|
|
Term
| What do Windows Management Instrumentation (WMI) filters do for the scope of a GPO ? |
|
Definition
Windows Management Instrumentation (WMI) filters narrow the scope of a GPO using characteristics of the system, such as operating system version or free disk space. A filter is one or more WQL queries; the GPO applies only to computers on which every query returns at least one result. |
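Because a WMI filter is just a WQL query evaluated on the client, it can be dry-run on a representative machine before it is linked. The following PowerShell is an added example (not from the original deck) that runs the queries a filter would contain and reports whether the GPO would apply; the two queries are illustrations of the operating-system-version and free-disk-space cases the card names.

```powershell
# Added example, not from the original deck: evaluate WMI-filter queries locally.
# GPMC applies a filtered GPO only when every query in the filter returns at least
# one instance, so the same test is: does each query return a row on this machine?

function Test-WmiFilter {
    param(
        [string[]]$Wql,
        [string]$ComputerName = '.',
        [string]$Namespace = 'root\CIMv2'    # GPMC's default namespace for filters
    )
    foreach ($q in $Wql) {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $q -ComputerName $ComputerName -ErrorAction Stop)
        New-Object PSObject -Property @{
            Query   = $q
            Matches = $hits.Count
            Applies = ($hits.Count -gt 0)
        }
    }
}

$queries = @(
    # Workstations (ProductType 1) of the Vista / Server 2008 generation. Note the LIKE: WQL
    # compares Version as a string, so Version >= "6.0" would wrongly exclude "10.0".
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 AND Version LIKE "6.%"',
    # At least 1 GiB free on the system drive, the classic "free disk space" filter.
    'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 1073741824'
)

$results = Test-WmiFilter -Wql $queries
$results | Format-Table Applies, Matches, Query -AutoSize
$failed = @($results | Where-Object { -not $_.Applies }).Count
"A GPO with this filter would apply on this machine: " + ($failed -eq 0)
```

Run it with -ComputerName against a few machines of each type you expect the filter to include and exclude; a query that errors (for example, a class missing on older clients) also causes the filter to evaluate as false, so an error here is as informative as a zero match count.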
|
|
|
Term
| What is the Resultant Set of Policy (RSoP) ? |
|
Definition
Users or computers are likely to be within the scope of multiple GPOs linked to the sites, domain, or OUs in which the users or computers exist.

This leads to the possibility that policy settings might be configured differently in multiple GPOs.

You must be able to understand and evaluate the Resultant Set of Policy (RSoP), which determines the settings that are applied by a client when the settings are configured divergently in more than one GPO. |
|
|
Term
| Refresh settings for Policy settings in the Computer Configuration node ? |
|
Definition
Policy settings in the Computer Configuration node are applied at system startup and every 90–120 minutes thereafter (a 90-minute interval plus a random offset of up to 30 minutes). Domain controllers refresh every 5 minutes. |
|
|
Term
| Policy Refresh settings User Configuration policy settings ? |
|
Definition
User Configuration policy settings are applied at logon and every 90–120 minutes thereafter. |
|
|
Term
| Manual Refresh of Group policy settings is done using ? |
|
Definition
gpupdate.exe, with these switches:

/force (reapply all settings, not only those in GPOs that changed)
/logoff (log the user off afterwards if a setting requires it, for example folder redirection)
/boot (restart afterwards if a setting requires it, for example software installation)
/target: { computer | user } (refresh only one side; both by default)
/wait: value (seconds to wait for processing to finish; 0 returns immediately, -1 waits indefinitely) |
|
|
Term
| What are the tools associated with Group Policy Updation ? |
|
Definition
Gpupdate.exe: refreshes policy on the local computer (Windows XP / Windows Server 2003 and later).

Secedit.exe /refreshpolicy: the older Windows 2000 equivalent, also limited to the local computer.

FLEX COMMAND (as named on this card; not a built-in Windows Server 2008 tool): a remote-refresh tool used to push a Group Policy update to groups of workstations, for example all computers in an OU. |
|
|
|
Term
| Security settings are reapplied every 16 hours even if a GPO has not changed. |
|
Definition
| Security settings are reapplied every 16 hours even if a GPO has not changed. |
|
|
Term
| Always Wait For Network At Startup And Logon policy setting |
|
Definition
| Without this setting, by default, Windows XP and Windows Vista clients perform only background refreshes, meaning that a client might start up and a user might log on without receiving the latest policies from the domain. |
|
|
Term
|
Definition
| Group Policy Software Installation |
|
|
Term
Startup, logon, logoff, and shutdown scripts will not run if the user is disconnected from the enterprise network. |
|
Definition
Startup, logon, logoff, and shutdown scripts will not run if the user is disconnected from the enterprise network. |
|
|
Term
| If a user is disconnected from the Enterprise network does group policy still apply itself ? |
|
Definition
| Yes, The previously applied group policy settings are still applied. |
|
|
Term
The local GPO exists whether or not the computer is part of a domain, a workgroup, or a non-networked environment. |
|
Definition
The local GPO exists whether or not the computer is part of a domain, a workgroup, or a non-networked environment. |
|
|
Term
By default, only the Security Settings policies are configured on a system's local GPO.

All other policies are set at Not Configured. |
|
Definition
By default, only the Security Settings policies are configured on a system's local GPO.

All other policies are set at Not Configured. |
|
|
Term
When AD DS is installed, two default GPOs are created:

- Default Domain Policy
- Default Domain Controllers Policy |
|
Definition
- Default Domain Policy: This GPO is linked to the domain and has no security group or WMI filters.

- Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers. |
|
|
Term
| GUID |
Definition
| globally unique identifier |
|
|
Term
| By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated |
|
Definition
| By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated. |
|
|
Term
| Describe the default Group Policy processing behavior, including refresh intervals and CSE application of policy settings |
|
Definition
Every 90–120 minutes, the Group Policy Client service determines which GPOs are scoped to the user or computer and downloads any GPOs that have been updated, based on the GPOs' version numbers.

CSEs process the policies in the GPOs according to their policy processing configuration.

By default, most CSEs apply policy settings only if a GPO has been updated.

Some CSEs also do not apply settings if a slow link is detected. |
|
|
Term
| DRA |
Definition
| Directory Replication Agent |
|
|
Term
|
Definition
The GPC is an Active Directory object stored in the Group Policy Objects container within the domain naming context of the directory. Like all Active Directory objects, each GPC includes a globally unique identifier (GUID) attribute that uniquely identifies the object within Active Directory. The GPC defines basic attributes of the GPO, but it does not contain any of the settings.

The settings are contained in the GPT, a collection of files stored in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPO GUID path, where GPO GUID is the GUID of the GPC. When you make changes to the settings of a GPO, the changes are saved to the GPT of the server from which the GPO was opened. |
|
|
Term
| Scripting Languages that can be used to write code for Group Policy in Windows Server 2008 |
|
Definition
| Microsoft Visual Basic, Scripting Edition (VBScript), Microsoft JScript, Perl, and Microsoft MS DOS style batch files (.bat and .cmd). |
|
|
Term
A GPO is actually two components: a Group Policy Container (GPC) and a Group Policy Template (GPT). |
|
Definition
A GPO is actually two components: a Group Policy Container (GPC) and a Group Policy Template (GPT). |
|
|
Term
| KCC |
Definition
| Knowledge Consistency Checker |
|
|
Term
| How is Group Policy Container GPC of GPO replicated ? |
|
Definition
| The GPC in Active Directory is replicated by the Directory Replication Agent (DRA) using a topology generated by the Knowledge Consistency Checker (KCC). |
|
|
Term
The GPT in SYSVOL is replicated using one of two technologies.

The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, Windows Server 2003, and Windows 2000.

If all domain controllers are running Windows Server 2008, you can configure SYSVOL replication using Distributed File System Replication (DFS-R), a much more efficient and robust mechanism. |
|
Definition
The GPT in SYSVOL is replicated using one of two technologies.

The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, Windows Server 2003, and Windows 2000.

If all domain controllers are running Windows Server 2008, you can configure SYSVOL replication using Distributed File System Replication (DFS-R), a much more efficient and robust mechanism. |
|
|
Term
| What does the Group Policy Verification Tool Gpotool.exe do ? |
|
Definition
Gpotool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs that lead to inconsistent versions of a GPC and its GPT. |
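The GPC/GPT and replication cards above explain why the two halves of a GPO can drift apart: the GPC travels by AD replication (DRA) and the GPT by FRS or DFS-R. The following PowerShell is an added example (not part of the original deck) that performs the consistency check Gpotool performs, by hand: for every GPO it reads the GPC versionNumber from AD and the Version= line of GPT.INI from SYSVOL on the same domain controller and reports mismatches. The domain DN is an assumption.

```powershell
# Added example, not from the original deck: compare GPC and GPT version numbers on one DC.
# A mismatch means AD replication and SYSVOL replication have not both delivered the latest
# change to this DC yet (or one of them is broken). $domainDn is an assumption.

$domainDn = 'DC=contoso,DC=com'                   # assumed
$dc       = $env:LOGONSERVER.TrimStart('\')       # query the DC this session logged on to

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$dc/CN=Policies,CN=System,$domainDn"
$searcher.Filter     = '(objectClass=groupPolicyContainer)'
foreach ($p in 'displayName', 'cn', 'versionNumber', 'gPCFileSysPath') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$searcher.FindAll() | ForEach-Object {
    $gpcVersion = [int]$_.Properties['versionnumber'][0]
    # gPCFileSysPath is \\<domain>\SYSVOL\...; pin it to the same DC so both halves come from one server.
    $sysvolPath = $_.Properties['gpcfilesyspath'][0] -replace '^\\\\[^\\]+', "\\$dc"
    $gptIni     = Join-Path $sysvolPath 'GPT.INI'
    $gptVersion = $null
    if (Test-Path $gptIni) {
        foreach ($line in Get-Content $gptIni) {
            if ($line -match '^Version=(\d+)') { $gptVersion = [int]$matches[1]; break }
        }
    }
    New-Object PSObject -Property @{
        GPO         = $_.Properties['displayname'][0]
        Guid        = $_.Properties['cn'][0]
        # versionNumber packs two counters: low 16 bits = Computer side, high 16 bits = User side.
        ComputerVer = $gpcVersion -band 0xFFFF
        UserVer     = [int][math]::Floor($gpcVersion / 65536)
        GPCVersion  = $gpcVersion
        GPTVersion  = $gptVersion
        InSync      = ($gptVersion -eq $gpcVersion)
    }
} | Format-Table GPO, ComputerVer, UserVer, GPCVersion, GPTVersion, InSync -AutoSize

# Set $dc explicitly and rerun against each DC to find the one that is behind; repadmin /showrepl
# and the FRS or DFS-R event logs on that DC then show why.
```

A GPO whose GPTVersion is null has a GPC but no template folder on that DC at all, which is the SYSVOL-replication failure Gpotool reports as a missing GPT; a GPO that is InSync on one DC but not another points at the replication link between them rather than at the GPO.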
|
|
Term
In both the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings. |
|
Definition
In both the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings. |
|
|
Term
Policies in the Administrative Templates node in the Computer Configuration node modify registry values in the HKEY_LOCAL_MACHINE (HKLM) key. |
|
Definition
Policies in the Administrative Templates node in the Computer Configuration node modify registry values in the HKEY_LOCAL_MACHINE (HKLM) key. |
|
|
Term
Policies in the Administrative Templates node in the User Configuration node modify registry values in the HKEY_CURRENT_USER (HKCU) key. |
|
Definition
Policies in the Administrative Templates node in the User Configuration node modify registry values in the HKEY_CURRENT_USER (HKCU) key. |
|
|
Term
ADM and ADMX/ADML administrative templates can coexist. These are administrative template files. |
|
Definition
ADM and ADMX/ADML administrative templates can coexist. These are administrative template files. |
|
|
Term
Another new Group Policy feature in Windows Server 2008 is starter GPOs. A starter GPO contains Administrative Template settings. |
|
Definition
Another new Group Policy feature in Windows Server 2008 is starter GPOs. A starter GPO contains Administrative Template settings. |
|
|
Term
| Starter GPOs can contain only Administrative Templates policy settings. |
|
Definition
| Starter GPOs can contain only Administrative Templates policy settings. |
|
|
Term
| You can centralize the management of administrative templates by creating a central store |
|
Definition
| You can centralize the management of administrative templates by creating a central store |
|
|
Term
| Windows Server 2008 also adds the ability to attach comments to GPOs and policy settings |
|
Definition
| Windows Server 2008 also adds the ability to attach comments to GPOs and policy settings |
|
|
Term
1. Litware, Inc., has three business units, each represented by an OU in the litwareinc.com domain. The business unit administrators want the ability to manage Group Policy for the users and computers in their OUs. Which actions do you perform to give the administrators the ability to manage Group Policy fully for their business units? (Choose all that apply. Each correct answer is a part of the solution.)

A. Copy administrative templates from the central store to the Policy Definitions folder on the administrators' Windows Vista workstations.

B. Add business unit administrators to the Group Policy Creator Owners group.

C. Delegate Link GPOs permission to the administrators in the litwareinc.com domain.

D. Delegate Link GPOs permission to each business unit's administrators in the business unit's OU. |
|
Definition
1. Correct Answers: B and D

A. Incorrect: The central store is used to centralize administrative templates so that they do not have to be maintained on administrators' workstations.

B. Correct: To create GPOs, the business unit administrators must have permission to access the Group Policy Objects container. By default, the Group Policy Creator Owners group has permission, so adding the administrators to this group will allow them to create new GPOs.

C. Incorrect: Business unit administrators require permission to link GPOs only to their business unit OU, not to the entire domain. Therefore, delegating permission to link GPOs to the domain grants too much permission to the administrators.

D. Correct: After creating a GPO, business unit administrators must be able to scope the GPO to users and computers in their OU; therefore, they must have the Link GPOs permission. |
|
|
Term
You are an administrator at Contoso, Ltd. At a recent conference, you had a conversation with administrators at Fabrikam, Inc. You discussed a particularly successful set of configurations you have deployed using a GPO. The Fabrikam administrators have asked you to copy the GPO to their domain. Which steps can you and the Fabrikam administrators perform?

A. Right-click the Contoso GPO and choose Save Report. Create a GPO in the Fabrikam domain, right-click it, and choose Import.

B. Right-click the Contoso GPO and choose Back Up. Right-click the Group Policy Objects container in the Fabrikam domain and choose Restore From Backup.

C. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Paste.

D. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Import Settings. |
|
Definition
Correct Answer: D

A. Incorrect: A saved report is an HTML or XML description of a GPO and its settings. It cannot be imported into another GPO.

B. Incorrect: The Restore From Backup command is used to restore a GPO in its entirety.

C. Incorrect: You cannot paste settings into a GPO.

D. Correct: You can import settings to an existing GPO from the backed-up settings of another GPO. |
|
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain in the company network. Windows Server 2008 is run by all domain controllers, which are configured as DNS servers. A domain controller named DC01 has a standard primary zone for wiikigo.com. A domain controller named DC02 has a standard secondary zone for wiikigo.com. You have to make sure that the replication of the wiikigo.com zone is encrypted. You must not lose any zone data. What action should you perform?

A. The zone transfer settings of the standard primary zone should be configured. The Master Servers list on the secondary zone should be modified.

B. The interface that the DNS server listens on should be modified on both servers.

C. The primary zone should be converted into an Active Directory-integrated zone. The secondary zone should be deleted.

D. The primary zone should be converted into an Active Directory-integrated stub zone. The secondary zone should be deleted. |
|
Definition
Correct Answer: C

A. Incorrect: Zone transfer and master server settings keep the data moving as standard DNS zone transfers (AXFR/IXFR), which are not encrypted.

B. Incorrect: Changing the listening interfaces does not encrypt anything.

C. Correct: An Active Directory-integrated zone is replicated as part of Active Directory replication, which is authenticated and encrypted. Because DC02 is a domain controller it receives the zone through AD replication, so the secondary copy is no longer needed and no zone data is lost.

D. Incorrect: A stub zone holds only the SOA, NS, and glue records, so converting the primary zone to a stub zone would lose the zone data. |
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an organizational unit named Production in your company. The Production organizational unit has a child organizational unit named R D. After a GPO named Software Deployment is created by you, you link it to the Production organizational unit. You create a shadow group for the R D organizational unit. You have to deploy an application to users in the Production organizational unit. You also need to make sure that the application is not deployed to users in the R D organizational unit. What are two possible ways to achieve this goal?

A. In order to achieve this goal, security filtering on the Software Deployment GPO should be configured to Deny Apply Group Policy for the R D security group.

B. In order to achieve this goal, the Enforce setting should be configured on the Software Deployment GPO.

C. In order to achieve this goal, the Block Inheritance setting should be configured on the R D organizational unit.

D. In order to achieve this goal, the Block Inheritance setting should be configured on the Production organizational unit. |
|
Definition
Correct Answers: A and C

A. Correct: Denying Apply Group Policy to the R D shadow group in the GPO's security filtering stops the GPO from applying to those users even though their OU is within the link's scope.

B. Incorrect: Enforce makes the GPO win over conflicting settings and overrides Block Inheritance below it; it widens, rather than narrows, where the GPO applies.

C. Correct: Block Inheritance on the R D OU prevents GPOs linked to parent containers, including Software Deployment linked to Production, from applying to R D.

D. Incorrect: Blocking inheritance on Production would block GPOs linked above Production, but Software Deployment is linked to Production itself and would still apply to both OUs. |
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. You have a domain controller named DC01. Windows Server 2008 is run by this domain controller. DC01 is configured as a DNS server for wiikigo.com. You have the DNS Server role installed on a member server named Server01 and then you create a standard secondary zone for wiikigo.com. DC01 is configured as the master server for the zone. You have to make sure that Server01 receives zone updates from DC01. What action should you perform?

A. The zone transfer settings for the wiikigo.com zone should be modified on DC01.

B. The Server01 computer account should be added to the DNSUpdateProxy group.

C. A conditional forwarder should be added on Server01.

D. The permissions of the wiikigo.com zone should be modified on DC01. |
|
Definition
Correct Answer: A

A. Correct: A standard primary zone sends zone transfers only to the servers allowed on its Zone Transfers tab (by default, only to servers listed on the Name Servers tab), so DC01 must be configured to allow transfers to Server01.

B. Incorrect: DnsUpdateProxy governs ownership of dynamically registered records, not zone transfers.

C. Incorrect: A conditional forwarder only directs queries for a namespace to another server; it does not transfer zone data.

D. Incorrect: Zone permissions apply to Active Directory-integrated zones; this is a standard (file-backed) zone, and Server01 is not a domain controller. |
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There are two domain controllers named DC01 and DC02 in your company. All domain and forest operations master roles are hosted by DC01. DC01 fails. Since you are the technical support, you are required to reinstall the operating system to rebuild DC01. In addition, you are required to have all operations master roles returned to their original state. A metadata cleanup is performed and all references to DC01 are removed. Which actions should be performed to achieve the goal? (Choose three from the options below, and then put them in the correct order.)

1/ Operations master roles should be transferred from DC01 to DC02.
2/ Operations master roles should be transferred from DC02 to DC01.
3/ Operations master roles should be seized from DC01 to DC02.
4/ Operations master roles should be seized from DC02 to DC01.
5/ DC01 should be rebuilt as a replica domain controller.
6/ DC02 should be rebuilt as a domain controller.

A. 3->5->2
B. 3->6->1
C. 4->5->2
D. 4->6->1 |
|
Definition
Correct Answer: A (3 -> 5 -> 2)

Because DC01 has failed, its roles cannot be transferred gracefully; they must be seized on DC02 (ntdsutil, roles, seize). After the metadata cleanup, DC01 is reinstalled and promoted as a replica domain controller in the existing domain, and once it has replicated, the roles are transferred from DC02 back to DC01. Rebuilding DC02 (options B and D) is unnecessary, and seizing roles from a healthy DC02 (options C and D) is wrong because seizing is reserved for a holder that is permanently offline. |
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the company. Not all domain controllers in the forest are configured as Global Catalog servers. One root domain and one child domain are contained in your domain structure. You modify the folder permissions on a file server that is in the child domain. You find that some Access Control Entries start with S-1-5-21 and that no account name is listed. You have to list the account names. What action should you perform?

A. The schema should be modified to enable replication of the friendlynames attribute to the Global Catalog.

B. The RID master role in the child domain should be moved to a domain controller that holds the Global Catalog.

C. The infrastructure master role in the child domain should be moved to a domain controller that does not hold the Global Catalog.

D. The RID master role in the child domain should be moved to a domain controller that does not hold the Global Catalog. |
|
Definition
Correct Answer: C

Unresolved S-1-5-21 entries are SIDs of security principals from another domain whose phantom records in the local domain are stale. In a multi-domain forest the infrastructure master updates those cross-domain references, but only if it is not also a Global Catalog server: a GC already holds a copy of every object, so an infrastructure master on a GC never notices a stale reference. Because not every DC is a GC, move the child domain's infrastructure master to a DC that does not hold the Global Catalog. The RID master (options B and D) allocates relative identifiers and is unrelated, and option A describes no existing schema attribute. |
|
Term
| How would you delegate control of an AD OU to a user? |
|
Definition
- Right-click the OU
- Delegate Control
- Choose the user or group
- Choose the appropriate task (for example, Reset user passwords and force password change at next logon)
- Finish |
|
|
Term
|
Definition
| An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain. |
|
|
Term
| What are the different types of OU? |
|
Definition
Parent OUs are OUs that contain other OUs.
Child OUs are OUs within other OUs. |
|
|
Term
| What organisational structures can you not apply GPO's to? |
|
Definition
| The default containers (Users, Computers, Builtin, and so on). GPOs can be linked only to sites, domains, and OUs, which is why computer accounts are moved out of the Computers container into an OU before policy is applied to them. |
|
Term
| What is group policy inheritance? |
|
Definition
| Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs. |
|
|
Term
| How can you prevent objects from accidental deletion in AD? |
|
Definition
- On the Object tab, select the Protect object from accidental deletion check box. (This option is only seen with Advanced Features selected from the View menu.)

- On the Security tab, select the Deny Delete All Child Objects advanced permission for |
|
|
Term
| What setting should be set at creation to prevent an AD OU being accidentally deleted? |
|
Definition
| When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured. |
|
|
Term
| How would you delete an AD object that is protected from deletion? |
|
Definition
| To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object. |
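The delegation card (right-click the OU, Delegate Control) and the accidental-deletion cards above describe console steps. The following PowerShell is an added example (not from the original deck) that does the same two things with dsacls so they can be scripted and audited: a least-privilege password-reset delegation on an OU, and the Deny ACEs that the Protect from accidental deletion check box sets. The OU, domain and group names are assumptions.

```powershell
# Added example, not from the original deck: OU delegation and protection with dsacls.
# OU, domain and group names are assumptions.

$ou    = 'OU=HelpDeskManaged,DC=contoso,DC=com'   # assumed
$group = 'CONTOSO\HelpDesk'                         # assumed

# Least-privilege password-reset delegation, inherited by user objects under the OU only
# (/I:S = apply to sub-objects, not to the OU itself). Each /G is one ACE:
#   CA;Reset Password   the control-access right behind the wizard's "Reset user passwords" task
#   RPWP;pwdLastSet     read/write the attribute behind "User must change password at next logon"
#   RPWP;lockoutTime    lets the group unlock accounts without granting any wider write access
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Protect the OU from accidental deletion: the check box adds Deny Delete (SD) and
# Deny Delete Subtree (DT) for Everyone on the object itself. Remove this ACE before a
# deliberate deletion, exactly as the card says to clear the check box first.
dsacls $ou /D 'Everyone:SDDT'

# Review the result. Anything granting GA (Full Control), WD (modify permissions) or
# WO (take ownership) to the helpdesk group is more than this task requires.
dsacls $ou | Select-String -Pattern ([regex]::Escape($group)), 'Everyone'
```

Granting the three specific rights instead of Full Control over user objects is the practical meaning of delegation: the helpdesk can reset and unlock, but cannot change group memberships, logon scripts or profile paths, which are the attributes an attacker with a helpdesk account would otherwise use to escalate.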
|
|
Term
| What is delegation of authority? |
|
Definition
| Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups. |
|
|
Term
| Describe some of the facts about delegating control : |
|
Definition
- You can delegate control of any part of an OU or object at any level with the Delegation of Control Wizard or through the Authorization Manager console.

- An object-based design allows you to delegate control based on the types of objects in each |
|
|
Term
| What is the Builtin Default Container? |
|
Definition
| The Builtin container holds the default domain local security groups (for example Administrators, Account Operators, and Backup Operators). These groups are pre-assigned the permissions needed to perform domain management tasks. |
|
|
Term
| What is the Computers default container? |
|
Definition
| The Computers container holds the accounts of computers that were joined to the domain without a pre-created (pre-staged) computer account. It is the default location for new computer accounts created in the domain. |
|
|
Term
| What is the Domain Controllers detault container? |
|
Definition
| The Domain Controllers OU is the default location for the computer accounts for domain controllers. |
|
|
Term
| What is the LostAndFound default container? |
|
Definition
| The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container. |
|
|
Term
| What is the NTDS Quotas default container? |
|
Definition
| The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own. |
|
|
Term
| What is the Program Data default container? |
|
Definition
| The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it. |
|
|
Term
| What is the System default container? |
|
Definition
| The System container holds configuration information about the domain including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies. |
|
|
Term
| What is the Users default container? |
|
Definition
| The Users container holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks. |
|
|
Term
| What is special about AD containers? |
|
Definition
| They are automatically created and cannot be deleted |
|
|
Term
| What is special about the Domain Controllers OU |
|
Definition
| It is the only default OU, and it can have a GPO applied, whereas the other default containers cannot have a GPO applied |
|
|
Term
| How would you view hidden containers in AD Users and Computers? |
|
Definition
| Click Advanced Features from the View menu |
|
|
Term
| Which containers are hidden by default in AD Users and Computers? |
|
Definition
- LostAndFound
- NTDS Quotas
- Program Data
- System |
|
|
Term
| What is special about AD containers and how do they differ from OUs? |
|
Definition
| They are automatically created and cannot have GPOs applied to them. |
|
|
Term
| What is the SAM database? |
|
Definition
| A local database that allows users to access local resources on the machine |
|
|
Term
| What are the two types of user account? |
|
Definition
|
|
Term
| What is a local user account? |
|
Definition
A local user account is created and stored on a local system and is not distributed to any other system.

- Local user accounts are created with the Computer Management console.
- The local Security Accounts Manager (SAM) manages the user account information.
- Only local resources are accessible with local user accounts. |
|
|
Term
| What is a domain user account? |
|
Definition
| A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain. |
|
|
Term
| How can domain user accounts be created? |
|
Definition
| Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell. |
|
|
Term
| What is unique to each domain user account? |
|
Definition
| Each domain user account has a unique security identifier (SID) to identify the user. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions. |
|
|
Term
| How can external users with email accounts be represented in AD? |
|
Definition
| External users who need an e-mail account can be represented through a contact object. |
|
|
Term
| What is a contact object? |
|
Definition
| An account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such as e-mail address or phone number, to Active Directory. Applications, such as Exchange, can search for attributes of contact objects. |
|
|
Term
| What is the user or logon name? |
|
Definition
| The user or logon name is the name of the user account |
|
|
Term
| What is the user principal name (UPN)? |
|
Definition
The User Principal Name (UPN) combines the user account name with the DNS domain name.

- The UPN format is also known as the SMTP address format.
- The DNS domain name in the UPN is known as the UPN suffix.
- By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name. |
|
|
Term
| What is the LDAP Distinguished Name (DN)? |
|
Definition
The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes:
- Domain Component (DC)
- Organizational Unit (OU)
- Common Name (CN) |
|
|
Term
| What is the Relative Distinguished Name (RDN) |
|
Definition
| The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object’s container. |
|
|
Term
| When would you use the "User cannot change password" option? |
|
Definition
| When you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account. |
|
|
Term
| How would you unlock an account? |
|
Definition
| To unlock an account, go to the Account tab in the account object's Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account. |
|
|
Term
| What should you do if a user account is accidentally deleted? |
|
Definition
| Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account. |
|
|
Term
| How would you add a User Principal Name (UPN) suffix to a forest? |
|
Definition
1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK. |
|
|
Term
| What is a computer account? |
|
Definition
| A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device. |
|
|
Term
| How would you prestage a computer account? |
|
Definition
| From Active Directory Users and Computers, create a computer account. This process is called prestaging computer accounts. From the workstation, join the domain. The workstation will be associated with the computer account you created previously. |
|
|
Term
| Where is the computer account created when you join a workstation to the domain? |
|
Definition
| In the Computers built-in container |
|
|
Term
| How would you control where computer accounts are placed when a computer joins the domain? |
|
Definition
| Create the computer accounts ahead of time (pre-stage them) in the OU where you want them. |
|
|
Term
| Which groups have permissions to create a computer account? |
|
Definition
- Account Operators
- Domain Admins
- Enterprise Admins |
|
|
Term
| How many computers are the Authenticated Users group members allowed to join to the domain (from a workstation)? |
|
Definition
| 10 - this will also create the computer account automatically if it doesn't already exist. This ability comes from the "Add workstations to a domain" user right. |
|
|
Term
| How would you allow a specific user to join a specific computer to the domain? |
|
Definition
| You can allow specific users to join specific computers to a domain by selecting "The following user or group can join this computer to a domain" when creating the computer account. |
|
|
Term
| How would you give other users permissions to create computer accounts in AD? |
|
Definition
| By giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs. |
|
|
Term
| Will a computer receive group policy settings once the computer account is created? |
|
Definition
| No, the computer must be joined to the domain before it receives any GPO settings or AD receives any workstation-specific information |
|
|
Term
| What commands can be used to create computer accounts from a command prompt or script? |
|
Definition
| dsadd or netdom. (Use netdom join to join a computer to the domain.) |
|
|
Term
| What establishes a secure channel between a computer and the domain controller? |
|
Definition
| The computer password (automatically generated when the computer joins the domain). |
|
|
Term
| Where is the computer account password saved? |
|
Definition
| On the local computer and in AD. By default, it is changed every 30 days. |
|
|
Term
| What might cause a computer to fail to authenticate to the domain? |
|
Definition
If the two computer passwords (on the local machine and in AD) become unsynchronised.

This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name. |
|
|
Term
| How would you reset the computer account after a logon failure? |
|
Definition
- Run the netdom reset command followed by the computer account name and the domain.
- In Active Directory Users and Computers, right-click the computer account and select Reset Account.
- Create a script in Visual Basic.

After resetting the c |
|
|
Term
|
Definition
| Local groups exist only on the local computer, and control access to local resources. |
|
|
Term
|
Definition
| Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups. |
|
|
Term
|
Definition
| Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use. |
|
|
Term
| What membership can a global group have? |
|
Definition
Global groups can contain members within the same domain. These include:

- Global groups in the same domain (in native mode only).
- Users and computers within the same domain. |
|
|
Term
| What should a global group be used for? |
|
Definition
| Use global groups to group users and computers within the domain who have similar access needs. |
|
|
Term
| What membership can a domain local group have? |
|
Definition
Domain local groups can contain members from any domain in the forest. These include:

- Domain local groups in the same domain (in native mode only).
- Global groups within the forest.
- Universal groups within the forest (in native mode only).
- Users and computers within the forest. |
|
|
Term
| What membership can a universal group have? |
|
Definition
Universal groups can contain members from any domain in the forest. These include:

- Universal groups within the forest.
- Global groups within the forest.
- Users and computers within the forest. |
|
|
Term
| What resources can global groups permission? |
|
Definition
| Global groups can be assigned permissions to resources anywhere in the forest. |
|
|
Term
| What resources can domain local groups permission? |
|
Definition
| Domain local groups can be assigned permissions within a domain. |
|
|
Term
| What resources can universal groups permission? |
|
Definition
| Universal groups can be assigned permissions to resources anywhere in the forest. |
|
|
Term
| What should global groups be used for? |
|
Definition
| Create global groups to organize users (e.g., Sales or Development). |
|
|
Term
| What should domain local groups be used for? |
|
Definition
| Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group. |
|
|
Term
| What should universal groups be used for? |
|
Definition
| Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups. |
|
|
Term
| What is a security group? |
|
Definition
A security group is one that can be used to manage rights and permissions.

- Group members get the permissions that are granted to the group.
- A security group represents an object with a security identifier (SID), which, through the member attribute, collects other objects, such as users, computers, contacts, and other groups. |
|
|
Term
| Which type of AD group should be used for assigning permissions? |
|
Definition
|
|
Term
| What is a distribution group? |
|
Definition
| A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions. |
|
|
Term
| What happens if you convert a security group to a distribution group? |
|
Definition
This would remove the permissions assigned to the group.

This could prevent or allow unwanted access. |
|
|
Term
| How would you convert a global group to a domain local group? |
|
Definition
| First convert to a universal group, then to a domain local. |
|
|
Term
| Can you convert a global group nested in another global group into a universal group? |
|
Definition
| No - a universal group cannot be a member of a global group |
|
|
Term
| Can you make a universal group a member of a global group? |
|
Definition
|
|
Term
| What happens when a group is deleted? |
|
Definition
| All information about the group - including any permissions assigned - is deleted. |
|
|
Term
| How can you recover a deleted group? |
|
Definition
- Re-create the group, add all the original group members, and reassign any permissions granted to the group.
- Restore the group from a recent backup. |
|
|
Term
| When are the default local groups created? |
|
Definition
| During Windows installation |
|
|
Term
| Can you rename or delete the default local groups? |
|
Definition
CAN rename them

CANNOT delete them |
|
|
Term
| What is the Administrators default local group? |
|
Definition
| Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The group contains the Administrator user account (by default) and any account designated as a computer administrator. |
|
|
Term
| What is the Backup Operators default local group? |
|
Definition
| Members of the Backup Operators group can back up and restore files (regardless of permissions), log on locally, and shut down the system. However, members cannot change security settings. |
|
|
Term
| What is the User default local group? |
|
Definition
Members of the Users group:

- Can use the computer but cannot perform system administration tasks and might not be able to run legacy applications.
- Cannot share directories or install printers if the driver is not yet installed.
- Cannot view or modify system files. |
|
|
Term
| What group do "limited use" accounts become a member of automatically? |
|
Definition
| Users default local group |
|
|
Term
| What is the Power Users default local group? |
|
Definition
| Members of the Power Users group have no more user rights or permissions than a standard user account, by default. For legacy applications requiring the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions present in previous versions of Windows |
|
|
Term
| What is the Guests default local group? |
|
Definition
| Members of the Guests group have limited rights (similar to members of the Users group), such as shutting down the system. Members of the Guests group have a temporary profile created at log on, that is then deleted when the member logs off. |
|
|
Term
| What is the Administrators default domain group? |
|
Definition
| Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right. |
|
|
Term
| What is the Server Operators default domain group? |
|
Definition
| Log on locally, back up and restore files and directories, change the system time, and force a local or remote shutdown. Can also create and delete shared resources, format the hard disk, and start and stop some services. Abilities extend to domain controllers. |
|
|
Term
| What is the Backup Operators default domain group? |
|
Definition
| Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings. |
|
|
Term
| What is the Account Operators default domain group? |
|
Definition
| Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups. |
|
|
Term
| What is the Guests default domain group? |
|
Definition
| The domain Guest account is a member of this group. The group does not have any default rights. |
|
|
Term
| What is the Network Configuration Operators default domain group? |
|
Definition
| Change TCP/IP settings including changes on domain controllers. |
|
|
Term
| What is the Print Operators default domain group? |
|
Definition
| Create, share, manage, and delete printers on domain controllers. Manage Active Directory printer objects. Log on locally, add or remove device drivers, and shut down domain controllers. |
|
|
Term
| What is the Users default domain group? |
|
Definition
| Perform common tasks such as running applications, using local and remote printers, and locking workstations. By default, all domain members are members of this group. |
|
|
Term
| Which default domain groups are created in the Built-In Container? |
|
Definition
Administrators
Server Operators
Backup Operators
Account Operators
Guests
Network Configuration Operators
Print Operators
Users |
|
|
Term
| What default domain groups are created in the Users container in AD? |
|
Definition
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Schema Admins
Read-Only Domain Controllers
DHCP Administrators
Cert Publishers |
|
|
Term
| What is the Domain Admins default domain group? |
|
Definition
| Full control over the domain. This group is a member of the Administrators group on all computers when they are joined to the domain. This means that members of the Domain Admins group can perform all tasks on any computer in the domain (including domain controllers). |
|
|
Term
| What is the Domain Computers default domain group? |
|
Definition
| Contains all computers that are a member of the domain. When you join a computer to the domain, it becomes a member of this group. |
|
|
Term
| What is the Domain Controllers default domain group? |
|
Definition
| Contains all domain controllers. When a computer is made a domain controller, it is added to this group. |
|
|
Term
| What is the Domain Guests default domain group? |
|
Definition
| Contains all domain guests. It does not have any default rights |
|
|
Term
| What is the Domain Users default domain group? |
|
Definition
| Contains all domain users. This group can be used to give access to all users in a domain. |
|
|
Term
| What is the Enterprise Admins default domain group? |
|
Definition
| Full control over all domains in the forest. This group is a member of the Administrators group on all computers in the forest, allowing them to perform any task on any computer in the forest. |
|
|
Term
| What is the Schema Admins default domain group? |
|
Definition
| Full control over the Active Directory schema. By default, the Administrator account is a member of this group. |
|
|
Term
| What is the Read-Only Domain Controllers default domain group? |
|
Definition
| Contains all members who have administrative access to the Read-Only Domain Controllers in the domain. |
|
|
Term
| What is the DHCP Administrators default domain group? |
|
Definition
| Contains all members who have administrative access to the DHCP service. |
|
|
Term
| What is the Cert Publishers default domain group? |
|
Definition
| Contains all members which are permitted to publish certificates to the directory. |
|
|
Term
| Describe the AGDLP strategy |
|
Definition
A: Place user Accounts
G: Into Global groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups |
|
|
Term
| When is the AGDLP strategy used? |
|
Definition
| Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode). |
|
|
Term
|
Definition
| Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level. |
|
|
Term
| When is the AGUDLP strategy used? |
|
Definition
| Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains. |
|
|
Term
| Describe the AGUDLP strategy |
|
Definition
A: Place user Accounts
G: Into Global groups
U: Into Universal groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups |
|
|
Term
| When is the ALP strategy used? |
|
Definition
Used on workstations and member servers.

ALP is best used in a workgroup environment, not in a domain. |
|
|
Term
| Describe the ALP strategy |
|
Definition
A: Place user Accounts
L: Into Local groups
P: Assign Permissions to the local groups |
|
|
Term
| When should universal groups be used? |
|
Definition
| Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups. |
|
|
Term
| What group should be used if both the users and resources are located in Multiple Domains? |
|
Definition
|
|
Term
| What groups should not be used in a single domain design? |
|
Definition
|
|
Term
| How can you start AD Users and Computers? |
|
Definition
- Server Manager
- Administrative Tools (from the Control Panel or Start menu)
- Running dsa.msc |
|
|
Term
|
Definition
| Active Directory Service Interfaces Editor (ADSI Edit) acts as a low-level GUI editor for common administrative tasks such as adding, deleting, and moving objects. |
|
|
Term
| What can you use ADSI Edit for? |
|
Definition
| You can use ADSI Edit to query, view, and edit attributes that are not exposed through other MMC snap-ins (such as Active Directory Users and Computers). |
|
|
Term
| What does the command dsadd do? |
|
Definition
| Dsadd creates a new object in Active Directory. |
|
|
Term
| What does the command dsquery do? |
|
Definition
| Dsquery finds objects that match the search criteria (allows a search through the whole forest). The command returns a list of objects that match the search criteria. Use Dsquery * to search all object types. |
|
|
Term
| What does the Dsget command do? |
|
Definition
| Dsget retrieves property information about an object. Use the -expand switch to show nested group membership for users. |
|
|
Term
| What does the dsmod command do? |
|
Definition
| Dsmod modifies or changes the properties of an object. |
|
|
Term
| What does the dsrm command do? |
|
Definition
| Dsrm removes (deletes) objects. Use the -subtree option to delete a container object and all objects below that object. |
|
|
Term
| What does the movetree command do? |
|
Definition
| Movetree moves an OU and its objects (it does not move computer objects). |
|
|
Term
| What does the netdom command do? |
|
Definition
| Netdom adds computer objects, joins a computer to a domain, and moves computer objects. |
|
|
Term
|
Definition
| The Csvde command imports and exports Active Directory objects using a comma-separated list file. |
|
|
Term
|
Definition
| Csvde can read existing information from Active Directory (export) or create new objects in Active Directory (import). |
|
|
Term
|
Definition
| You cannot use Csvde to modify existing objects in Active Directory. |
|
|
Term
| What are some common uses for Csvde? |
|
Definition
- Using Csvde to export objects from one Active Directory system (or an Exchange 5.5 database) and import them into a different Active Directory database.
- Using a database program to create a CSV file, modifying the file, and importing the objects in |
|
|
Term
| Will Csvde import passwords for user accounts? |
|
Definition
|
|
Term
| What does the Ldifde command do? |
|
Definition
| The Ldifde command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files. |
|
|
Term
| What are some common uses for Ldifde? |
|
Definition
- Using Ldifde to export a set of Active Directory objects, modifying various attributes, and then re-importing the file to change the attributes.
- Exporting or importing data that exists on non-Active Directory LDAP directories. |
|
|
Term
| How can you manage passwords with Ldifde? |
|
Definition
| Passwords are not exported with user accounts. You can change passwords for existing accounts with a .ldif file, but you cannot create new user accounts with a password. |
|
|
Term
| How would you export a user account and then import it with a password with Ldifde? |
|
Definition
1) Export the user accounts. The unicodePwd field will be blank.
2) Import the user accounts to create the accounts. The user accounts will be disabled, and the user will be forced to change the password at next logon.
3) Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and add entries to enable the account.
4) Run Ldifde using the file with the passwords to modify the existing user accounts. |
|
|
Term
| What does the Ldp command do? |
|
Definition
| The Ldp utility allows you to search for and view the properties of multiple Active Directory objects. It is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying results. |
|
|
Term
| What is the Active Directory Migration Tool? |
|
Definition
| The Active Directory Migration Tool (ADMT) is a GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another. |
|
|
Term
| Where can you move AD objects with ADMT? |
|
Definition
| You can move objects to different domains within the same forest (intraforest), or to domains in other forests (interforest). |
|
|
Term
| What must be in place for an interforest migration in ADMT? |
|
Definition
| The target forest must trust the source forest. |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| cscript C:\windows\system32\slmgr.vbs -ato |
|
|
Term
| add server Core roles, components or features |
|
Definition
| Ocsetup.exe <component> /switch |
|
|
Term
|
Definition
| Active Directory Service Interfaces (ADSI), used by Windows PowerShell |
|
|
Term
|
Definition
| The mechanism by which an identity is validated by comparing secrets such as passwords provided by the user or computer to secrets maintained in the identity store |
|
|
Term
|
Definition
|
|
Term
|
Definition
| a command-line tool that imports or exports Active Directory objects from or to a comma-delimited text file. |
|
|
Term
|
Definition
| Discretionary access control list |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| An administrative unit of Active Directory. Within a domain, all domain controllers replicate information about objects such as users, groups, and computers in the domain. |
|
|
Term
|
Definition
| Most of the DS commands take two modifiers after the command itself: the object type and the object's DN. |
|
|
Term
|
Definition
| Creates an object in the directory, e.g. dsadd user "<user DN>" -samid <pre-Windows 2000 logon name> -pwd {<password> | *} -mustchpwd yes |
|
|
Term
|
Definition
| Returns specified attributes of an object. |
|
|
Term
|
Definition
| Modifies specified attributes of an object |
|
|
Term
|
Definition
| Moves an object to a new container or OU. |
|
|
Term
|
Definition
| Performs a query based on parameters provided at the command line and returns a list of matching objects. |
|
|
Term
|
Definition
| Removes an object, all objects in the subtree beneath a container object, or both. |
|
|
Term
|
Definition
| The boundary of an instance of Active Directory. A forest contains one or more domains. All domains in the forest replicate the schema and configuration partitions of the directory. |
|
|
Term
|
Definition
| The first domain created in a forest. |
|
|
Term
|
Definition
| A setting that determines which features of Active Directory are enabled within a domain or forest. The functional level limits the versions of Windows that can be used by domain controllers in a domain or forest. |
|
|
Term
| global catalog or partial attribute set |
|
Definition
| A partition of the Active Directory data store that contains a subset of attributes for every object in the Active Directory forest. The global catalog is used for efficient object queries and location. |
|
|
Term
|
Definition
|
|
Term
|
Definition
| A database of information regarding users, groups, computers, and other security principals. Attributes stored in an identity store include user names and passwords |
|
|
Term
|
Definition
| Netdom join %computername% /domain: |
|
|
Term
|
Definition
| A standard protocol used by Active Directory for authentication |
|
|
Term
|
Definition
| Lightweight Directory Access Protocol |
|
|
Term
|
Definition
| Lightweight Directory Access Protocol Data Interchange Format (LDIF) is a draft Internet standard file format that can be used for batch imports and exports of Active Directory objects, including users. Ldifde switches: -i import; -f filename to import from or export to. |
|
|
Term
|
Definition
| Microsoft Management Console |
|
|
Term
|
Definition
| A folder on a disk: a hierarchy that can be navigated, like a disk volume letter or a mapped drive. |
|
|
Term
|
Definition
| Administrative containers within Active Directory that are used to collect objects that share common requirements for administration, configuration, or visibility. |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Namespaces are created by providers, which can be thought of as drivers. For example, the file system has a provider, as does the registry. PowerShell can access and manipulate the namespaces of those providers. |
|
|
Term
|
Definition
| Windows PowerShell namespaces from any provider can be represented as PSDrives. Windows PowerShell automatically creates a PSDrive for each drive letter already defined by Windows. |
|
|
Term
|
Definition
| System Access Control List |
|
|
Term
|
Definition
| Security Account Manager ID |
|
|
Term
|
Definition
| A definition of the attributes and object classes supported by Active Directory. |
|
|
Term
|
Definition
| Connect to the container (OU), create the object (user), populate its properties (display name), commit the changes. |
|
|
Term
| set a static IPv4 configuration |
|
Definition
|
|
Term
|
Definition
| An Active Directory object that represents a portion of the network with reliable connectivity. Within a site, domain controllers replicate updates within seconds, and clients attempt to use the services within their site before obtaining the services from other sites. |
|
|
Term
|
Definition
| Transmission Control Protocol/Internet Protocol |
|
|
Term
|
Definition
| A translator between the .NET Framework and Windows PowerShell. To connect to an Active Directory object, you submit an LDAP query string such as "LDAP://OU=People,DC=contoso,DC=com". |
|
|
Term
|
Definition
| User Principal Name: the logon name plus the UPN suffix, which by default is the domain to which you log on, e.g. lflemingjm@hqda.army.mil. Unique to the entire forest. Email is unique to the world! |
|
|
Term
|
Definition
| Windows Management Instrumentation |
|
|
Term
| Which properties can be modified for multiple users simultaneously |
|
Definition
| General, Account, Address, Profile, Organization Tabs |
|
|
Term
| What are the distinctions between name of a user object and an account |
|
Definition
| User object names: sAMAccountName, userPrincipalName (UPN), display name and RDN. Account properties: an identity to which permissions and rights can be assigned. |
|
|
Term
| sAMAccountName Attribute |
|
Definition
| (pre-Windows 2000 logon name) must be unique in the ENTIRE domain |
|
|
Term
|
Definition
| Relative Distinguished Name of an object. Must be unique in an OU. |
|
|
Term
|
Definition
| How users are listed in the GAL |
|
|
Term
|
Definition
| Set objUser = GetObject("LDAP://UserDN") : objUser.IsAccountLocked = False : objUser.SetInfo |
|
|
Term
|
Definition
| the most important LDAP attribute CN="josephine fleming",ou=people,dc=contoso,dc=com |
|
|
Term
|
Definition
| Security Identifier is created by the Windows 2000 security subsystem and assigned to security principal objects |
|
|
Term
|
Definition
| in the context of programming or scripting, an action performed on an object. |
|
|
Term
|
Definition
| In the context of programming or scripting, a data structure that represents a system resource. Objects expose properties or attributes, methods or actions. |
|
|
Term
|
Definition
| Assignment of an administrative task. Delegation within Active Directory is achieved by modifying the DACL of an object. |
|
|
Term
|
Definition
| A view of Active Directory objects based on search criteria. |
|
|
Term
|
Definition
| An IP (Internet Protocol) address is a 32-bit binary unique identifier for a node or host connection on an IP network. It is usually represented as 4 decimal values, each representing 8 bits, in the range 0 to 255 (known as octets), separated by decimal points. This is known as "dotted decimal" notation. |
|
|
Term
| Group policy Member Of setting |
|
Definition
| Member of settings are cumulative |
|
|
Term
| Group Policy Members setting |
|
Definition
| Among GPOs that use the Members setting, only the Members setting of the GPO with the highest processing precedence is applied, and its list of members prevails. |
|
|
Term
|
Definition
| A setting that configures the logging of security-related activities |
|
|
Term
|
Definition
| An assignment of administrative responsibility. A grant of permission to perform an administrative task |
|
|
Term
| Extensible Markup Language |
|
Definition
| (XML) an abbreviated version of the Standard Generalized Markup Language (SGML). XML enables the flexible development of user-defined document types, providing a non-proprietary, persistent, and verifiable file format for the storage and transmission of text and data both on and off the Internet. |
|
|
Term
|
Definition
| A hardware or software product designed to isolate a system or network from another network. Traditionally used to protect a private network from intrusion from the Internet. A firewall inspects inbound or outbound packets or both and determines, based on rules, which packets to allow to the other side of the firewall. |
|
|
Term
|
Definition
| The Primary access protocol for Active Directory. |
|
|
Term
|
Definition
| used to configure the membership of groups, security settings, software management and auditing |
|
|
Term
|
Definition
| Resultant Set of Policies |
|
|
Term
|
Definition
| A Group Policy Object is, by itself, just a collection of configuration instructions that will be processed by the CSEs (Client Side Extensions) of computers. |
|
|
Term
|
Definition
| Start of Authority, an important record type in the Domain Name System. |
|
|
Term
|
Definition
| Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and knowledge consistency checker recalculation |
|
|
Term
| Will, the administrator for your organization, has decided to implement certificates for all of your internal users. What type of root certificate authority (CA) would he implement? |
|
Definition
|
|
Term
| You are hired as a contractor for a new organization that has no network currently in place. You decide to implement an Active Directory domain and the Active Directory Domain Services (AD DS). Which of the follow are requirements to install Active Directory? |
|
Definition
|
|
Term
| You have decided to implement certificate authority (CA) servers and you want all of your users to receive their certificates automatically without any user intervention. What two ways can you accomplish this goal? |
|
Definition
| Autoenrollment; GPO enrollment |
|
|
Term
| What role provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows operating systems? |
|
Definition
| Active Directory Federation Services (AD FS) |
|
|
Term
| You have decided to place DNS on a read-only domain controller (RODC). What type of DNS zone do you now have? |
|
Definition
|
|
Term
| What AD role allows administrators to configure services for issuing and managing public key certificates, which help organizations implement network security? |
|
Definition
| Active Directory Certificate Services (AD CS) |
|
|
Term
| What role gives administrators the ability to enroll users into the certificate services program and allows for the issue and management of certificate requests? |
|
Definition
|
|
Term
| You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your Internet users. What type of certificate authority do you need to set up? |
|
Definition
| Stand Alone Subordinate CA |
|
|
Term
| Alexandria, the network administrator, has just hired a new junior administrator named Paige. Paige needs to be able to recover keys from the certificate authority server. What role does Alexandria need to give Paige so that she can recover keys? |
|
Definition
|
|
Term
| What file outlines the set of rules that a Federation Service uses to recognize partners, certificates, account stores, claims, and the numerous properties that are associated with the Federation Service? |
|
Definition
|
|
Term
| What is the Lightweight Directory Access Protocol (LDAP) directory service that allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires? |
|
Definition
| Active Directory Lightweight Directory Services (AD LDS) |
|
|
Term
| You are the administrator of a network. Your company has decided to use server virtualization to help save money and add fault tolerance to your servers. What role-based utility is included with Windows Server 2008 making this possible? |
|
Definition
|
|
Term
| Your manager has explained to you that due to security requirements, you need to secure documents and emails using Microsoft Office 2007 Enterprise. What service do you need to install to help secure documents and emails? |
|
Definition
| Active Directory Rights Management Service (AD RMS) |
|
|
Term
| Your company has one main location and five remote sites. One of the remote sites is having a problem with Active Directory and DNS being hacked into. What can you use to help solve this problem? |
|
Definition
| Implement a read-only domain controller and a read-only DNS server |
|
|
Term
| Your company has one main location and one remote site. The remote site is 300 miles from the main location and it has no IT staff on site. What type of domain controller can you install so that a normal user can have the rights to manage it? |
|
Definition
| Read-only domain controller (RODC) |
|
|
Term
| You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your internal users. What type of certificate authority do you need to set up? |
|
Definition
| Enterprise Subordinate CA |
|
|
Term
| Your company has decided to install a certificate authority (CA). After you install the CA, you publish the certificate revocation list (CRL) to a central location for all CAs to use. What is this central location called? |
|
Definition
|
|
Term
| Your company currently uses Windows Server 2008 domain controllers. Your company wants to use multiple account lockout policies depending on what department people are in. What does Windows Server 2008 offer so that you can do this? |
|
Definition
| Fine-grained password policy |
|
|
Term
| You have decided to implement certificate authority servers. You have routers located on your network. What component allows systems to receive a certificate even though they do not have an Active Directory account? |
|
Definition
| Network Device Enrollment Service |
|
|
Term
| What operations can you perform using the Active Directory Users And Computers tool if you need to reorganise AD based on an Organisation change? |
|
Definition
| Rename an organizational unit; Query for resources; Rename a group; Create a computer account |
|
|
Term
| In order to restrict security for the Texas OU, you remove some permissions at that level. Later, a junior systems administrator mentions that she is no longer able to make changes to objects within the Austin OU (which is located within the Texas OU). What is the most likely cause? |
|
Definition
|
|
Term
| Isabel wants to check for any objects that have not been properly replicated among domain controllers. If possible, she would like to restore these objects to their proper place within the relevant Active Directory domains. What 2 steps does she need to do to accomplish this? |
|
Definition
| 1. Select the Advanced Features item in the View menu. 2. Examine the contents of the LostAndFound folder using the Active Directory Users And Computers tool. |
|
|
Term
| The domain contains over 200,000 objects and hundreds of OUs and takes a long time to load. What can you do to speed things up if you only want to view Computer objects? |
|
Definition
| Use the Filter option in the Active Directory Users And Computers tool to restrict the display of objects. |
|
|
Term
| Jane, a consultant, has recommended that the Windows NT 4 domains be consolidated into a single Active Directory domain. Which of the following statements provide a valid justification to support Jane's proposal? |
|
Definition
| In general, OU structure is more flexible than domain structure. It is possible to create a distributed system administration structure for OUs by using delegation. |
|
|
Term
| What operations are represented as common tasks within the Delegation of Control Wizard? |
|
Definition
| Reset passwords on user accounts; Manage Group Policy links; Modify the membership of a group; Create, delete, and manage groups. |
|
|
Term
| New Helpdesk Op. How do you allow them to only change certain objects in the directory in certain OUs? |
|
Definition
| Use the Delegation of Control Wizard to assign the necessary permissions on the OU that he or she is to administer. |
|
|
Term
| You are planning an OU design. What 3 pieces of information should be considered or consulted? |
|
Definition
| Business organizational requirements; System administration requirements; Security requirements |
|
|
Term
| You want to allow the Super Users group to create and edit new objects within the Corporate OU. What option would you choose in the Delegation Wizard? |
|
Definition
| Create A Custom Task To Delegate |
|
|
Term
| A systems administrator is using the Active Directory Users And Computers tool to view the objects within an OU. He has previously created many users, groups, and computers within this OU, but now only the users are showing. What is a possible explanation for this? |
|
Definition
| Filtering options have been set that specify that only User objects should be shown. |
|
|
Term
| Two large AD Sites with 15 DCs each. Too much replication traffic between sites. What can you create at each site to reduce the bandwidth usage? |
|
Definition
| Create preferred Bridgehead Servers at each site to funnel the traffic between 2 servers only. |
|
|
Term
| What does not need to be manually created when you are setting up a replication scenario involving three domains and three sites? |
|
Definition
| Connection objects. They are automatically created by the Active Directory replication engine. |
|
|
Term
| What services of Active Directory is responsible for maintaining the replication topology? |
|
Definition
| Knowledge Consistency Checker service. |
|
|
Term
| What Active Directory objects are responsible for representing a transitive relationship between sites? |
|
Definition
| Site link bridges. Transitivity is on by default. |
|
|
Term
| ______ is the protocol to use for links where the link is randomly unavailable and replication traffic must be sent whether the other end is connected or not. |
|
Definition
| SMTP. It uses a store-and-forward method to ensure that information is not lost if a connection cannot be established. |
|
|
Term
| You have 7 sites with different speed links. You want to keep the number of domains to a minimum. What is the smallest number of domains you can have that cover all 7 sites? |
|
Definition
|
|
Term
| Changes to AD objects are only being replicated to some DCs and not all. Regarding the network links themselves what could be causing this problem? |
|
Definition
| Network connectivity is unavailable; A WAN connection has failed |
|
|
Term
| Changes to AD objects are only being replicated to some DCs and not all because of a possible configuration problem with a DC or Sites. What are 4 of the possible errors that have been made? |
|
Definition
| Connection objects are not properly configured; Sites are not properly configured; Site links are not properly configured; One of the domain controllers is configured for manual replication updates. |
|
|
Term
| A systems administrator suspects that there is an error in the replication configuration. How can he look for specific error messages related to replication? |
|
Definition
| By going to Event Viewer -> Directory Service log |
|
|
Term
| One site, 50 DCs. How can replication traffic be reduced and controlled, and how can the structure of AD more accurately reflect the structure of the network? |
|
Definition
| Create multiple site links. Configure one server at each of the new sites to act as a bridgehead server. |
|
|
Term
| What tool do you use to: 1. determine replication data transfer statistics; 2. collect information about multiple Active Directory domain controllers at the same time; 3. measure other performance statistics, such as server CPU utilization? |
|
Definition
|
|
Term
| What Active Directory objects should you modify to define the network boundaries for Active Directory sites? |
|
Definition
| Subnets - Define AD Site boundaries. |
|
|
Term
|
Definition
| v. to disclose something secret. Examples: She believed she had been fired because she had threatened to divulge information about the company's mismanagement. It is a basic tenet of most secret societies that members are not allowed to divulge anything about the initiation rites to outsiders. His journal divulged a side of his personality that no one had ever seen. |
|
|
Term
| Configure the costs for each link with these rules: 1. ISDN must have the default site link cost. 2. Austin must use San Jose for replication. |
|
Definition
| The ISDN line is required to have the default cost of 100. That means that the T1 line's cost must be lower than 100 for this connection to be used by preference, and the only choice is 50. That leaves costs of 150 and 200 for the Austin links. Because Austin will never get replication information from Chicago, that link's cost should be 200. That only leaves 150 for the cost of the link between Austin and San Jose. |
|
|
Term
| What is the default Site Link Cost? |
|
Definition
|
|
Term
| You want to create a new site called San Jose. Where do you do this? |
|
Definition
| AD S&S - Sites - New Site |
|
|
Term
| Two sites connected via a T1 line and a dial-up line for redundancy. You want to use the T1 line mainly. What do you do to ensure this occurs? |
|
Definition
| Lower the cost of the T1 Line |
|
|
Term
| Only 1 GC for 3 Sites. HQ with 100 users is connected to other 2 sites (each have 20 users) via fast T1 connections. Where would you place the GC? |
|
Definition
| At HQ. Though ideally one GC per site. |
|
|
Term
| How do you specify a server as a bridgehead server? |
|
Definition
| AD S&S - DC properties - Select protocol- and click Add |
|
|
Term
| The company has three domain controllers, each of which has Knowledge Consistency Checker (KCC) errors consistently popping up in the directory services Event Viewer log. What does this indicate? |
|
Definition
|
|
Term
| You need to keep track of licensing with the licensing server. Where can you configure the licensing server so that as the system administrator you can ensure you are compliant? |
|
Definition
| Configure licensing in the Active Directory Sites And Services tool. |
|
|
Term
| You decide to create a trust relationship between Domain A and Domain B. Before you take any other actions, can users in Domain A use resources from Domain B yet? |
|
Definition
| No. A trust relationship only allows for the possibility of sharing resources between domains; it does not explicitly provide any permissions. In order to allow users to access resources in another domain, you must configure the appropriate permissions. |
|
|
Term
| Plans are to deploy four Active Directory domains with the following requirements: minimize the number of servers; enough fault tolerance to survive the complete failure of one domain controller. What is the minimum number of domain controllers to deploy initially? |
|
Definition
| 8. Two per domain for fault tolerance. |
|
|
Term
| What server configurations can be directly promoted to become a domain controller for a new domain? |
|
Definition
| Member servers; Stand-alone servers |
|
|
Term
| Server1: Schema Master; Server2: RID Master; Server3: Windows NT 4 BDC; Server4: Infrastructure Master; Server5: PDC Emulator Master. The entire environment is migrating to Windows Server 2008. Which server is not needed? |
|
Definition
| Server3: Windows NT 4 BDC |
|
|
Term
| Implicit trusts created between domains are known as ______ |
|
Definition
|
|
Term
| Need to add a field to the properties of a User object. On what servers can the change be made? |
|
Definition
| The Schema Master is the only server within Active Directory on which changes to the schema can be made. |
|
|
Term
| What are several Active Directory domains that share a contiguous namespace called? |
|
Definition
|
|
Term
| Accidentally demoted the last domain controller of your ADTest.com domain. Want a complete undo. Possible? |
|
Definition
| Once the last domain controller in an environment has been removed, there is no way to recreate the same domain. If adequate backups had been performed, you may have been able to recover information by rebuilding the server |
|
|
Term
| Items that depend on the DNS namespace are .... |
|
Definition
| Domains; trees; forests; DNS zones |
|
|
Term
| Which types of computers contain a copy of the Global Catalog (GC)? |
|
Definition
| Specified Active Directory domain controllers |
|
|
Term
| Which pieces of information should you have before you use the Active Directory Installation Wizard to install a new subdomain? |
|
Definition
| name of the child domain; name of the parent domain; DNS configuration information; NetBIOS name for the server |
|
|
Term
| Which type of trust is automatically created between the domains in a domain tree? |
|
Definition
|
|
Term
| A systems administrator wants to remove a domain controller from a domain. What is the easiest way to perform the task? |
|
Definition
| Use the Active Directory Installation Wizard to demote the domain controller. |
|
|
Term
| Regarding the sharing of resources between forests... |
|
Definition
| A trust relationship must exist before resources can be shared between forests. |
|
|
Term
| New remote location with a very slow WAN link. Needs the following: fast logon times; reduced network bandwidth; ability to use existing hardware. What can you implement to achieve the above requirements? |
|
Definition
| Universal group membership caching stores information locally once a user attempts to log on for the first time. |
|
|
Term
| Of the five main single master functions, two apply to an entire Active Directory forest. What are the three that apply to just the domain? |
|
Definition
| RID Master; PDC Emulator Master; Infrastructure Master |
|
|
Term
| When deploying Active Directory, you decide to create a new domain tree. What do you need to do to create this? |
|
Definition
| Promote a Windows Server 2008 computer to a domain controller and select the option that makes this domain controller the first machine in a new domain that is a child of an existing one. |
|
|
Term
| 7 Reasons for Using Multiple Domains |
|
Definition
| Scalability; Reducing replication traffic; Meeting business needs; Hierarchy (easier data management); Decentralized administration; Multiple DNS or domain names; Legality |
|
|
Term
| What are some of the Drawbacks of Multiple Domains? |
|
Definition
| Administrative inconsistency; Increased management; Decreased flexibility |
|
|
Term
| Min Requirements for DC numbers |
|
Definition
|
|
Term
| Recommended Req's for DC numbers |
|
Definition
|
|
Term
| Reasons for adding extra DCs |
|
Definition
| Fault tolerance and reliability; Performance |
|
|
Term
| Main requirement for joining a new domain to an existing forest |
|
Definition
| Domain does not share a namespace with the existing Active Directory domain. |
|
|
Term
| If you want to join a W2k8 server to an existing W2k3 Forest what do you need to do first? |
|
Definition
| Prepare the forest and domain by running: adprep /forestprep; adprep /domainprep |
|
|
Term
| What naming information do you need prior to joining a domain to a new tree? |
|
Definition
| name of the parent domain; name of the child domain; NetBIOS name for the new server |
|
|
Term
| What other information (other than the 3 names) do you need prior to joining a domain to a new tree? |
|
Definition
| DNS configuration; domain administrator username and password |
|
|
Term
| DcPromo option selected to create a new domain tree. |
|
Definition
| "makes this domain controller the first machine in a new domain that is a child of an existing domain" |
|
|
Term
| 3 Features common to all Domains in a Forest |
|
Definition
| Schema; GC; Configuration info |
|
|
Term
| Type of trust between the Forest Root Domain and all the rest of the domains in the forest |
|
Definition
|
|
Term
| How is a new Domain Tree created? |
|
Definition
| Created top down - forest root domain - then child domains |
|
|
Term
| How do you move a DC between domains? |
|
Definition
| 1. Demote it. 2. Move it. 3. Promote it. |
|
|
Term
| True or False? A trust grants all users in one domain access to the other domain. |
|
Definition
| False. A trust only provides the foundation. Rights must be granted to resources once the trust is established. |
|
|
Term
| What 2 features of AD do ALL trees and forests share? |
|
Definition
| Schema and Global Catalog |
|
|
Term
| What do you always have even if you only have 1 Domain? |
|
Definition
|
|
Term
| What do you need to ensure is done before you remove the last DC from a Domain? |
|
Definition
| Computers no longer log on to this domain; No user accounts are needed; All encrypted data is decrypted; All cryptographic keys are backed up |
|
|
Term
| What are the 2 Forest Operation Master Roles? |
|
Definition
| Schema Master; Domain Naming Master |
|
|
Term
| What tool is used to manage the Forest Operation Master roles? |
|
Definition
|
|
Term
| What are the 3 Domain Operation master Roles? |
|
Definition
| RID Master; PDC Emulator Master; Infrastructure Master |
|
|
Term
| The Schema master holds ___ |
|
Definition
| a master copy of the AD Schema |
|
|
Term
| Where can changes to the AD Schema be made? |
|
Definition
| Only on the Schema Master |
|
|
Term
| The Domain Naming Master __ |
|
Definition
| tracks domains within the AD Forest |
|
|
Term
| What does the RID Master do? |
|
Definition
| Creates a unique RID for every AD object |
|
|
Term
| PDC Emulator is responsible for __ |
|
Definition
| Maintaining backward compatibility with NT DCs - used only in Mixed Mode domains. |
|
|
Term
| In a Forest running at 2k Native or later what role does the PDC play? |
|
Definition
| Acts as default DC if another is not available |
|
|
Term
| The Infrastructure Master ensures |
|
Definition
| Ensures that group membership info stays current between DCs |
|
|
Term
| How do you assign the Domain Naming Master Role? |
|
Definition
| Open AD D&T - AD D&T Properties - Select Operations Master - Click Change |
|
|
Term
| How do you assign all of the RID, PDC and Infrastructure Roles? |
|
Definition
| Open AD U&C - right-click Domain - Select Operations Masters - Click Change |
|
|
Term
| What is a transitive trust? |
|
Definition
| Implied trusts. If domain A trusts domain B AND domain B trusts domain C THEN domain A trusts domain C. |
|
|
Term
| What are External Trusts used for? |
|
Definition
| Used to provide access to external domain (NT) that can't use forest trusts |
|
|
Term
| What type of trust are External Trusts? |
|
Definition
| Non-transitive and either 1-way or 2-way (manually created) |
|
|
Term
| On External Trusts, what is enabled by default to prevent hackers from using SID info to gain access? |
|
Definition
| Default SID filtering. SID History is cleaned of SID history attributes that are not members of the trusted domain. |
|
|
Term
| When is a Realm Trust used? |
|
Definition
| Used to connect to non-Windows domain using Kerberos |
|
|
Term
| What types of Realm Trusts are there? |
|
Definition
| Either transitive or non-transitive, and either 1-way or 2-way |
|
|
Term
| Where do you configure Trust Relationships? |
|
Definition
| AD D&T - Domain Properties - Trusts Tab |
|
|
Term
| What happens when Selective authentication is used with Cross Forest Trusts? |
|
Definition
| users can't authenticate to DC or resource server unless explicitly enabled |
|
|
Term
| What is a manually created Trust called? |
|
Definition
|
|
Term
| What is a Cross Forest Trust used for? |
|
Definition
| To Share resources between forests |
|
|
Term
| What is the restriction on Cross Forest Trusts? |
|
Definition
| They cannot be Non-transitive. |
|
|
Term
| Where would you go to enable Selective Authentication? |
|
Definition
| Trust properties - Selective Authentication |
|
|
Term
| Where would you add a UPN suffix? |
|
Definition
| AD D&T - Properties - UPN Suffixes |
|
|
Term
| You need to add another Global Catalog server to an existing domain. Where would you go to do this? |
|
Definition
| AD S&S - DC - NTDS Settings Properties - GC checkbox |
|
|
Term
| What happens when Universal Group Membership Caching is enabled on a W2k8 DC? |
|
Definition
| 1. User logs on: universal groups are cached from the GC. 2. Next time the user logs on: no need to contact the GC. |
|
|
Term
| The benefits of Universal Group Membership Caching are: |
|
Definition
| Faster logon times; Reduced network bandwidth; Ability to use existing hardware |
|
|
Term
| On a W2k8 DC how do you enable Universal Group Membership Caching? |
|
Definition
| AD S&S - Sites - Default-First-Site-Name - NTDS Settings - Properties - checkbox |
|
|
Term
| What forest and function levels does the network need for you to install RODC's? |
|
Definition
| Windows 2003 functional Level or above |
|
|
Term
| How many domains can a DC have or belong to at any one time? |
|
Definition
|
|
Term
| Functional level if you have the following servers in your domain: 2003 Server; 2000 Server; 2008 Server |
|
Definition
|
|
Term
| Which NTFS feature can you implement to limit the amount of disk space occupied by users? |
|
Definition
|
|
Term
| What two steps need to be done to convert a disk volume from FAT to NTFS? |
|
Definition
|
|
Term
| What 2 protocols are required to support AD? |
|
Definition
|
|
Term
| Command used to promote or demote a DC? |
|
Definition
|
|
Term
| Your organisation needs one set of credentials for multiple forests. What 2008 role do you install? |
|
Definition
|
|
Term
| How do you test that DNS forward lookups are working properly prior to installing AD? |
|
Definition
| ping hostname; an IP address is returned |
|
|
Term
| What file system with these requirements? File-level security; efficient use of space on large partitions; the domain controller's Sysvol must be stored on it. |
|
Definition
|
|
Term
| You have decided that you must convert the system partition on your Windows Server 2008 from the FAT32 filesystem to NTFS. Which 2 steps must you take in order to convert the filesystem? |
|
Definition
| CONVERT /FS:NTFS; Reboot the computer |
|
|
Term
| Name 3 protocols need for AD to work properly |
|
Definition
| LDAP; DNS; TCP/IP |
|
|
Term
| 2 sites with non-communicating DCs. Names: server1.yourcompany.com and server1.yourcompany.com. Problem? |
|
Definition
| Yes each server needs a unique FQDN. |
|
|
Term
| How can you increase the space on a volume without backup, recreate restoring? |
|
Definition
| Use NTFS mounts to map new volume to existing volume. |
|
|
Term
| What file system reqs exist for installation of AD? |
|
Definition
| NTFS volume, greater than 4GB |
|
|
Term
| What 5 connectivity tests should you do prior to installing AD? (assume second site connected via VPN) |
|
Definition
| Test network adapter (drivers and config); Check ipconfig; Test Internet access; Check LAN access; Check client access; Check WAN access |
|
|
Term
| How do you check the configuration of the TCP/IP protocol and output it to a text file? |
|
Definition
| ipconfig /all > ipcfg.txt |
|
|
Term
| What are the 3 forest functional levels in W2k8? |
|
Definition
| 2k Native (default); 2k3; 2k8 |
|
|
Term
| 5 New features in W2k8 Functional Level but not in W2k3? |
|
Definition
| Fine-grained password policies; Read-only domain controller (RODC); Last interactive logon information; Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol; Distributed File System replication support for Sysvol. |
|
|
Term
| What is a Defunct Schema Class? |
|
Definition
| A Class of objects that has been marked as non-usable. |
|
|
Term
|
Definition
| Provides way of querying names and IP addresses, replicating the info in the DB as well as the schema |
|
|
Term
| Name 7 different common DNS records. |
|
Definition
| SOA, NS, A, CNAME, PTR, MX, and SRV |
|
|
Term
|
Definition
Start of Authority record.
Defines the general parameters for the DNS zone, including which server is authoritative for it |
|
|
Term
|
Definition
Name Server record.
Lists the name servers for a domain; allows other name servers to look up names in it |
|
|
Term
|
Definition
Address (host) record.
Links a host name to an IP address |
|
|
Term
|
Definition
Pointer record.
Links an IP address to a host name, for reverse lookups |
|
|
Term
|
Definition
Mail Exchange record.
Lists the mail servers that accept mail for the domain |
|
|
Term
|
Definition
Service record.
Maps a service (e.g. the LDAP service of a domain controller) to the host name and port that provide it; the host's A record then supplies the IP address |
|
|
Term
| Name the 3 queries types when DNS is used to resolve names or IP's |
|
Definition
| Iterative, Recursive, and Inverse |
|
|
Term
| What is an Iterative query? |
|
Definition
| The client asks a server; the server answers with the best it has (the record from its own data or cache, or a referral to a closer name server) without querying other servers on the client's behalf. |
|
|
Term
| What is a Recursive query? |
|
Definition
| The client asks a server; if the server doesn't know, it queries the other servers itself (root, TLD, then authoritative) until it has the answer, which it returns to the client. |
|
|
Term
| What is an Inverse query? |
|
Definition
| The client supplies an IP address and asks for the name instead of the other way round. Modern resolvers do this with a PTR query in the reverse lookup zone; the original inverse query opcode is obsolete. |
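The three cards above describe the exchanges in words. The following is an added example, not part of the original flashcards, that models iterative and recursive resolution in PowerShell against a constructed set of "servers" (root, a .com server and an authoritative server for example.com, using RFC 5737 documentation addresses). Nothing touches the network; the point is to show who follows the referrals in each mode, and why a recursive resolver ends up holding a cache that can be poisoned.

```powershell
# Added example, not from the original flashcards: a toy model of the two
# query types. The "servers" and their zone data are constructed for
# illustration; nothing touches the network. Every server knows only its own
# records plus the delegations (NS referrals) it can hand out, which is
# exactly why a walk from the root is needed.

$Servers = @{
    'root'            = @{ Records = @{}; Delegations = @{ 'com.' = 'tld-com' } }
    'tld-com'         = @{ Records = @{}; Delegations = @{ 'example.com.' = 'ns1.example.com' } }
    'ns1.example.com' = @{ Records = @{ 'www.example.com.' = '192.0.2.10' }; Delegations = @{} }
}

# One query/response with a single server. The server gives the best answer it
# has: the record itself, a referral to the closest delegation, or nothing.
function Invoke-SingleQuery {
    param([string]$ServerName, [string]$QName)
    $srv = $Servers[$ServerName]
    if ($srv.Records.ContainsKey($QName)) {
        return @{ Type = 'Answer'; Value = $srv.Records[$QName] }
    }
    $best = ''
    foreach ($zone in $srv.Delegations.Keys) {
        if ($QName.EndsWith($zone) -and $zone.Length -gt $best.Length) { $best = $zone }
    }
    if ($best) { return @{ Type = 'Referral'; Value = $srv.Delegations[$best] } }
    return @{ Type = 'NoAnswer'; Value = $null }
}

# Iterative resolution: the asking party does the work, following each
# referral itself until a server answers or gives up.
function Resolve-Iterative {
    param([string]$QName, [string]$StartAt = 'root')
    $current = $StartAt
    $trace = @()
    for ($hop = 0; $hop -lt 10; $hop++) {      # hop limit guards against a referral loop
        $r = Invoke-SingleQuery -ServerName $current -QName $QName
        $trace += "$current : $($r.Type)"
        if ($r.Type -eq 'Answer')   { return @{ Address = $r.Value; Trace = $trace } }
        if ($r.Type -ne 'Referral') { return @{ Address = $null;    Trace = $trace } }
        $current = $r.Value
    }
    return @{ Address = $null; Trace = $trace + 'hop limit reached' }
}

# Recursive resolution: the client sends one query to its resolver and waits.
# The resolver performs the iterative walk on the client's behalf and caches
# the result; a resolver that accepts bad answers into this cache is poisoned
# for every client behind it.
$ResolverCache = @{}
function Resolve-Recursive {
    param([string]$QName)
    if ($ResolverCache.ContainsKey($QName)) {
        return @{ Address = $ResolverCache[$QName]; Trace = @('resolver cache') }
    }
    $result = Resolve-Iterative -QName $QName
    if ($result.Address) { $ResolverCache[$QName] = $result.Address }
    return $result
}

# Client view of each mode.
$iter = Resolve-Iterative -QName 'www.example.com.'
$iter.Trace -join ' -> '                      # the client itself visited every hop
$rec1 = Resolve-Recursive -QName 'www.example.com.'
$rec2 = Resolve-Recursive -QName 'www.example.com.'
"$($rec1.Address) resolved after $($rec1.Trace.Count) hops; repeat query served from: $($rec2.Trace)"
Resolve-Iterative -QName 'host.invalid.' | ForEach-Object { $_.Trace -join ' -> ' }   # root has no delegation: NoAnswer
```

In the iterative trace the client sees the root referral, the .com referral and the final answer; in the recursive case the client sees one round trip, and the second identical query never leaves the resolver. The last call shows what a server returns when it has neither the record nor a matching delegation.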
|
|
Term
| A zone used to resolve names to IP addresses is a _________? |
|
Definition
|
|
Term
| A zone used to resolve IP addresses to names is a ________? |
|
Definition
|
|
Term
| How do you create new zones? |
|
Definition
| with the New Zone wizard. |
|
|
Term
| Where do you configure a zone for Dynamic updates? |
|
Definition
| Properties of the forward/reverse lookup zone - General tab - Dynamic updates - None / Secure only / Nonsecure and secure (Secure only is offered only for Active Directory-integrated zones) |
|
|
Term
| What is the default setting for Dynamic updates |
|
Definition
|
|
Term
| Name 5 tools used to troubleshoot DNS problems? |
|
Definition
- DNS snap-in
- DNS Server event log
- nslookup
- ipconfig
- DNS server log file |
|
|
Term
| Multiple sites across Australia; a single AD tree is required. What DNS and AD structures do you implement to ensure good performance? |
|
Definition
| Install a DNS server at each regional location and create a single domain name for all the regions for resolution of local resources. |
|
|
Term
| Three Unix DNS, print and fax servers. A new AD domain with integrated DNS replaces the Unix DNS server. Clients can no longer print or fax. What gives? |
|
Definition
| You need to manually add A resource records for the Unix machines. |
|
|
Term
| How do you configure a DNS server so that it only answers queries from hosts on your intranet and no where else? |
|
Definition
- Configure the server as a root server (host a "." zone) and leave out the root hints for the Internet top-level domains
- Leave forwarding turned off |
|
|
Term
| What must you do so that your customers can utilize all mirrored web servers? |
|
Definition
| Enable Round Robin DNS to balance out the load across all the servers you have mirrored and configured in the DNS |
|
|
Term
| You have multiple remote locations by slow satellite links.Need to install DNS into these offices so that clients can locate authoritative DNS servers in the main location. What type of DNS zones should be installed in the remote locations? |
|
Definition
| Stub Zones - Contain: NS, A and SOA records |
|
|
Term
| You have five Windows Server 2008 DCs, all hosting standard primary DNS zones. You need all of them to hold the same database and to accept only secure updates. What do you do? |
|
Definition
| Convert the zones to Active Directory-integrated zones (stored in AD and replicated to every DC) and set dynamic updates to Secure only. |
|
|
Term
| Six offices; a single AD tree is needed. How do you deploy DNS to provide efficient, responsive name/IP resolution for this environment? |
|
Definition
| Create a single second-level name and deploy a DNS server at each location in the network |
|
|
Term
| What are the two main server types in an NT domain? |
|
Definition
|
|
Term
| Two types of domains in and NT - Multi-master domain topology? |
|
Definition
- Master (account) domain
- Resource domain, which trusts the master domain |
|
|
Term
| 3 Advantages of old NT over workgroups? |
|
Definition
- Centralised administration
- Database replication
- Could scale to thousands of users |
|
|
Term
| 4 Limitations of NT model? |
|
Definition
- Didn't scale well for very large organisations
- Trust relationships needed a lot of work
- Excessive replication, bad for low-bandwidth WAN links
- Difficult to delegate admin duties |
|
|
Term
|
Definition
- LDAP for transferring information
- Reliance on DNS for name resolution
- Ability to extend the schema |
|
|
Term
|
Definition
- Create security boundaries to protect resources and ease administration
- Ease administration of users, groups, computers, etc.
- Provide a central database of network objects |
|
|
Term
| Type of server for remote locale with questionable security? |
|
Definition
| Read-only domain Controller |
|
|
Term
| True or False: two objects can have the same relative distinguished name |
|
Definition
True. Jane Doe can exist in AD twice (or more) in different OUs; an RDN only has to be unique within its parent container. |
|
|
Term
| True or False: two objects can have the same distinguished name. |
|
Definition
False. The DN is unique to each AD object. |
|
|
Term
| AD Trust Relationships - 3 truths |
|
Definition
1. Trusts between domains in the same forest (parent-child and tree-root trusts) are transitive.
2. By default, those trusts are two-way relationships.
3. Trusts are used to allow the authentication of users between domains. |
|
|
Term
| Protocol used to query AD |
|
Definition
|
|
Term
| Policy that allows for different password and account lockout policies for different sets of users in the same domain? |
|
Definition
| Fine-grained password policy |
|
|
Term
| What is the Server role that allows/provides for single sign-on capability for multiple apps? |
|
Definition
|
|
Term
| Advantages of using Server 2008 AD Certificate Services? |
|
Definition
- Web enrollment
- Network Device Enrollment Service
- Online Responder |
|
|
Term
| Which role allows a user to secure an email while using Microsoft Office 2007 Outlook? |
|
Definition
| AD Rights Management Services (AD RMS) |
|
|
Term
| Identity and access (IDA) has five distinct categories. What are they? |
|
Definition
- Directory services
- Strong authentication
- Federated identities
- Information protection
- Identity lifecycle management |
|
|
Term
| Another administrator has changed a user's group settings. What is the easiest way to get the original setting back for the user? |
|
Definition
- Have auditing of account management enabled (ideally before it is needed)
- Review the Security event log to see which memberships changed
- Undo what he did - the dunce! |
|
|
Term
| What is the feature of AD that allows info to remain in sync between DC's? |
|
Definition
|
|
Term
| Which component of AD should you implement at remote sites to improve the performance of searches conducted for objects in all domains? |
|
Definition
|
|
Term
| Name of the server that is a repository of Active Directory topology and schema information for Active Directory? |
|
Definition
|
|
Term
| You need to install the Active Directory Federation Services. What application do you use to do the install? |
|
Definition
|
|
Term
| What term is used to refer to the actual structure that contains the information stored within Active Directory? |
|
Definition
|
|
Term
| Network admin for a 200-node network; only 30 nodes need a new application. What can you do? |
|
Definition
- Create an OU with the 30 computers in it
- Deploy the application/update to that OU |
|
|
Term
| Used to create a logical structure in AD is an ______? |
|
Definition
|
|
Term
|
Definition
- Hierarchical organisation
- Extensible schema
- Centralised data storage
- Replication (DNS and AD)
- Ease of administration
- Network security
- Scalability
- Search |
|
|
Term
|
Definition
| a minimal install of Windows Server 2008, without GUI or .NET Framework |
|
|
Term
| What are the hardware requirements for Server Core? |
|
Definition
|
|
Term
| What are 2 advantages of Server Core? |
|
Definition
| more secure (fewer services and components) and requires less management |
|
|
Term
| What 9 server roles are supported in Core? |
|
Definition
| AD Domain Services (AD DS), AD Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, file server, print server, Streaming Media Services, IIS (doesn't support ASP.NET), Hyper-V (server virtualization) |
|
|
Term
| What 11 optional features are available in Server Core? |
|
Definition
| failover cluster, network load balancing, subsystem for UNIX, Windows backup, multipath I/O, removable storage management, Windows BitLocker drive encryption, SNMP, WINS, Telnet, QoS |
|
|
Term
| What command is used to change the administrator password? |
|
Definition
|
|
Term
| What command is used in Core to set IPv4 configuration? |
|
Definition
|
|
Term
| What command is used to join a domain? |
|
Definition
|
|
Term
| What command is used in Core to add roles, components, and features? |
|
Definition
|
|
Term
| What command is used in Core to view roles, components, and features? |
|
Definition
|
|
Term
| What command is used in Core to enable Remote Desktop? |
|
Definition
| cscript C:\Windows\System32\scregedit.wsf /ar 0 (the value is a separate argument: 0 enables Remote Desktop, 1 disables it) |
|
|
Term
| What command is used to promote a domain controller? |
|
Definition
|
|
Term
| What command is used in Core to configure DNS? |
|
Definition
|
|
Term
| What command is used in Core to configure DFS? |
|
Definition
|
|
Term
| What command is used to add Active Directory Domain services? |
|
Definition
|
|
Term
| What is the one AD server role available in Core that can't be added with ocsetup.exe? |
|
Definition
| AD Domain Services (added with dcpromo.exe) |
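The cards above are the steps of one procedure: bring a fresh Server Core box onto the network, join it, add roles, enable remote access and promote it. The following is an added example, not part of the original flashcards, that puts the commands in the order they are actually run. Host name, addresses, interface name, domain and passwords are constructed for illustration (RFC 5737 ranges). Windows Server 2008 Server Core has no PowerShell, so on the box itself these lines are entered one at a time at the cmd.exe prompt; every call is to a native executable and behaves the same there. The two reboots mean the sequence is worked through step by step rather than launched as a single script.

```powershell
# Added example, not from the original flashcards. All names and addresses are
# constructed for illustration; run as the local Administrator on the new server.

$Interface = 'Local Area Connection'   # find the real name with: netsh interface ipv4 show interfaces
$Address   = '192.0.2.10'
$Mask      = '255.255.255.0'
$Gateway   = '192.0.2.1'
$DnsServer = '192.0.2.5'               # an existing DC/DNS server in the domain
$Domain    = 'corp.example.com'

# 1. Local administrator password (net user prompts twice when given *).
net user Administrator *

# 2. Static IPv4 configuration and the DNS server the domain join will use.
netsh interface ipv4 set address name="$Interface" source=static address=$Address mask=$Mask gateway=$Gateway
netsh interface ipv4 add dnsserver name="$Interface" address=$DnsServer index=1

# 3. Join the domain; /passwordd:* prompts, /reboot:5 restarts after 5 seconds.
netdom join $env:COMPUTERNAME /domain:$Domain /userd:"$Domain\Administrator" /passwordd:* /reboot:5
# ... continue after the reboot.

# 4. Roles and features: ocsetup names are case-sensitive; oclist shows what is
#    installed and what is available. cmd equivalent: start /w ocsetup DNS-Server-Core-Role
Start-Process -FilePath 'ocsetup.exe' -ArgumentList 'DNS-Server-Core-Role' -Wait
oclist | findstr /i "DNS-Server-Core-Role"

# 5. Remote Desktop on (0 = enabled). Add "/cs 0" only if pre-NLA clients must connect.
cscript C:\Windows\System32\scregedit.wsf /ar 0

# 6. Promote to an additional DC of the existing domain. AD DS is the one role
#    ocsetup cannot add; dcpromo on Core has no wizard, so it reads an unattend
#    file. SafeModeAdminPassword is the DSRM password; Password=* prompts for the
#    domain credential. Delete the file afterwards: it holds secrets in clear text.
$unattend = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$Domain
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=$Domain
UserName=Administrator
Password=*
SafeModeAdminPassword=Replace-With-A-Strong-DSRM-Password
RebootOnCompletion=Yes
"@
Set-Content -Path 'C:\dcpromo-unattend.txt' -Value $unattend
dcpromo /unattend:C:\dcpromo-unattend.txt
# After the final reboot, tune the DNS role with dnscmd (see the DNS cards).
```

The DSRM password is a break-glass credential for the directory: record it in the same place as other privileged secrets, and remove the unattend file as soon as promotion completes.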
|
|
Term
| What command is used to remove a domain controller? |
|
Definition
|
|
Term
| What piece of information is required when removing a domain controller? |
|
Definition
| the new password for the local Administrator account the server will have once it is no longer a DC |
|
|
Term
| What 2 directory partitions do all domains in a forest share? |
|
Definition
|
|
Term
| How does Dynamic DNS (DDNS) differ from standard DNS? |
|
Definition
| DDNS allows real-time DNS updates |
|
|
Term
| What command will send DNS registration info to a DNS server? |
|
Definition
|
|
Term
| How is DNS information replicated in DDNS? |
|
Definition
|
|
Term
| How was DNS information replicated in standard DNS? |
|
Definition
| through manual copies of the zone file |
|
|
Term
| What two name resolution technologies does DDNS cover? |
|
Definition
|
|
Term
| When does DDNS update the record? |
|
Definition
| when a client leases an IP address |
|
|
Term
| What is Scope Option 003? |
|
Definition
|
|
Term
| What is Scope Option 006? |
|
Definition
|
|
Term
| What is the scope for default gateway? |
|
Definition
|
|
Term
| What is the scope for preferred DNS server? |
|
Definition
|
|
Term
| Where does non-dynamic DNS store data? |
|
Definition
| in a text file located at %SystemRoot%\System32\DNS |
|
|
Term
| What are the 3 types of DNS zones? |
|
Definition
| primary, secondary, and stub zone |
|
|
Term
| What is a primary DNS zone? |
|
Definition
| a DNS zone which stores a copy of the zone that can be directly updated |
|
|
Term
| What is a secondary DNS zone? |
|
Definition
| a copy of a primary DNS zone |
|
|
Term
| What are secondary DNS zones used for? |
|
Definition
| load balancing, fault tolerance, and increasing capacity |
|
|
Term
|
Definition
| a copy of a DNS zone containing only NS, SOA, and sometimes glue A records; it is not authoritative |
|
|
Term
| What limitation exists on a DNS server storing its data in AD? |
|
Definition
| the DNS server must be a DC |
|
|
Term
|
Definition
| DNS configured so that dynamic updates are authenticated rather than accepted from anyone; in Windows DNS the update is signed with the client's Kerberos credentials (GSS-TSIG) |
|
|
Term
| How does secure DNS work? |
|
Definition
| for a dynamic update, the server checks that the client authenticated and has permission on the record (each record carries an ACL, so only its owner can change it); for a zone transfer, the server checks that the requesting server is on its list of allowed secondaries |
|
|
Term
| What is the purpose of secure DNS? |
|
Definition
| to prevent unauthorised or spoofed ("poison") records from being registered in or copied out of the zone |
|
|
Term
| How is secure DNS set up in an Active Directory domain? |
|
Definition
| Active Directory-integrated zones default to Secure only dynamic updates when they are created, so it is set up automatically |
|
|
Term
| What are 3 reasons to use a stub zone? |
|
Definition
| keep delegated zone info current, improve name resolution, simplify administration |
|
|
Term
| What does a Start of Authority (SOA) record do? |
|
Definition
| specifies the DNS server in charge of a zone |
|
|
Term
| What 4 items does an SOA record specify? |
|
Definition
| primary server for the zone, zone administrator's email address, secondary zone expiration values, minimum default TTL values |
|
|
Term
| What is the Global Name Zone designed to do? |
|
Definition
|
|
Term
|
Definition
|
|
Term
| What 3 types of records are stored in a Forward Lookup Zone? |
|
Definition
| SRV records that locate the LDAP (_ldap) and Global Catalog (_gc) services of domain controllers, plus Name Server (NS) records |
|
|
Term
| How can repopulation be forced if a Forward Lookup Zone does not appear in AD? |
|
Definition
| restart the Net Logon service, which re-registers the DC's records: net stop netlogon, then net start netlogon |
|
|
Term
| What do Forward Lookup Zones do? |
|
Definition
| store domain name-to-IP address mappings |
|
|
Term
| What do Reverse Lookup Zones do? |
|
Definition
| store IP address-to-domain name mappings |
|
|
Term
| At what 3 times are Reverse Lookup Zones populated? |
|
Definition
| when IP addresses are leased, when machines are restarted, when ipconfig /registerdns is executed |
|
|
Term
|
Definition
| provide a link between DNS servers and top-level DNS servers |
|
|
Term
| What are 3 reasons to divide namespaces into more than 1 zone? |
|
Definition
| delegate responsibility, break up large namespaces for management, extend namespace to add subdomains |
|
|
Term
| When creating subdomains, what needs to be done to make sure that all zone records stay current? |
|
Definition
| delegation records need to be added to other DNS servers to point to the authoritative server |
|
|
Term
| How does round robin DNS work? |
|
Definition
| when an IP address for a server in a round robin pool is given out, that address is moved to the bottom of the list |
|
|
Term
| What sort of servers most often utilize round robin DNS? |
|
Definition
|
|
Term
|
Definition
| forwarding requests to other servers for fulfillment |
|
|
Term
| When is DNS recursion usually disabled? |
|
Definition
| On servers that should answer only for the zones they host, such as Internet-facing authoritative servers, so they cannot be abused as open resolvers and have no cache to poison |
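Several cards above describe the same lockdown from different angles: answering only for your own zones (root zone, no root hints, no forwarding), Secure only dynamic updates, restricting who may pull a zone transfer, and disabling recursion. The following is an added example, not part of the original flashcards, that applies those settings on a Windows Server 2008 DNS server with dnscmd.exe and then reads them back and tests the behaviour. The server name, zone and secondary addresses are constructed for illustration (RFC 5737 ranges); run it as a DNS administrator against an Active Directory-integrated zone.

```powershell
# Added example, not from the original flashcards. Names and addresses are
# constructed for illustration.
param(
    [string]$Server       = 'dc1.corp.example.com',
    [string]$Zone         = 'corp.example.com',
    [string[]]$Secondaries = @('192.0.2.20', '192.0.2.21')
)

function Invoke-DnsCmd {
    # Wrapper so every call fails loudly instead of the script silently continuing.
    param([string[]]$Arguments)
    $out = & dnscmd.exe $Server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $out" }
    return $out
}

# 1. Recursion off: the server will not chase names it is not authoritative for,
#    so it cannot be used as an open resolver and keeps no cache to poison.
Invoke-DnsCmd @('/Config', '/NoRecursion', '1')

# 2. Dynamic updates: 2 = Secure only (0 = none, 1 = nonsecure and secure).
#    Secure only requires an AD-integrated zone; the update must carry a valid
#    Kerberos signature and the client must hold rights on the record it changes.
Invoke-DnsCmd @('/Config', $Zone, '/AllowUpdate', '2')

# 3. Zone transfers only to the listed secondaries. For an AD-integrated zone
#    that replicates through AD, /NoXfr disables transfers entirely instead.
Invoke-DnsCmd (@('/ZoneResetSecondaries', $Zone, '/SecureList') + $Secondaries)

# 4. Read the settings back rather than trusting that the commands "worked".
$serverInfo = Invoke-DnsCmd @('/Info')
$zoneInfo   = Invoke-DnsCmd @('/ZoneInfo', $Zone)
$serverInfo | Select-String -Pattern 'NoRecursion'
$zoneInfo   | Select-String -Pattern 'update|secure sec'

# 5. Behavioural check from the client side: a name in the hosted zone must
#    resolve; an outside name must come back with no address, because there is
#    no recursion, no root hints and no forwarder to chase it.
nslookup "dc1.$Zone" $Server
nslookup 'www.example.org.' $Server
```

If the last lookup still returns an address, the server is either forwarding or recursing (check for forwarders and a root hints list) and is still usable as an open resolver from wherever it is reachable.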
|
|
Term
| What is server scavenging? |
|
Definition
| process of getting rid of stale DNS records |
|
|
Term
| What 2 containers are created when DNS is integrated with AD? |
|
Definition
| the ForestDnsZones and DomainDnsZones application directory partitions |
|
|
Term
| What do incremental zone transfers do? |
|
Definition
| replicate only changes to DNS (rather than all records) |
|
|
Term
| Does DNS work on a push or pull basis? |
|
Definition
| pull: when changes are made, the DNS server notifies other servers that changes are available |
|
|
Term
| What directory format does Active Directory use? |
|
Definition
|
|
Term
| What do AD tree structures share? |
|
Definition
| The same contiguous name space. |
|
|
Term
|
Definition
| A Read Only Domain Controller |
|
|
Term
| Do different forests share the same name space? |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| A domain is an administratively-defined collection of network resources that share a common directory database and security policies |
|
|
Term
| What is an AD object attribute? |
|
Definition
| Information about the object such as a user's name, phone number, and email address) which is used for locating and securing resources. |
|
|
Term
| What does an object schema identify? |
|
Definition
| The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the object. |
|
|
Term
| What does AD use DNS for? |
|
Definition
| Active Directory uses DNS for locating and naming objects. |
|
|
Term
|
Definition
- First-level OUs can be called parents.
- Second-level OUs can be called children.
- OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers). |
|
|
Term
|
Definition
| A tree is a group of related domains that share the same contiguous DNS name space. |
|
|
Term
|
Definition
| A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces. |
|
|
Term
| What is the forest root domain? |
|
Definition
| The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest. |
|
|
Term
| What is the tree root domain? |
|
Definition
| The tree root domain is the highest level domain in a tree. |
|
|
Term
|
Definition
| Each domain in the tree that is connected to the tree root domain is called a child domain. |
|
|
Term
|
Definition
A domain tree is a group of domains based on the same name space. Domains in a tree:
- Are connected with a two-way transitive trust.
- Share a common schema.
- Have common global catalogs. |
|
|
Term
| What is a domain controller? |
|
Definition
| A domain controller is a server that holds a writable copy of the Active Directory database (a read-only domain controller holds a read-only copy) |
|
|
Term
|
Definition
| Replication is the process of copying changes to Active Directory between the domain controllers. |
|
|
Term
| What two objects does AD use to represent the physical structure of the network? |
|
Definition
- A subnet represents a physical network segment. Each subnet possesses its own unique network address space.
- A site represents a group of well-connected networks (networks that are connected with high-speed links). |
|
|
Term
| What manages AD replication between locations? |
|
Definition
| Sites and subnets are used to manage Active Directory replication between locations. |
|
|
Term
| What does an AD site differ from a domain? |
|
Definition
| A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization. |
|
|
Term
| How are clients assigned to AD sites? |
|
Definition
| Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask. |
|
|
Term
| How are domain controllers assigned to AD sites? |
|
Definition
| Domain controllers are assigned to sites according to the location of their associated server object in Active Directory. |
|
|
Term
| What is the structure of the NTDS.dit file? |
|
Definition
- The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.
- The link table contains data that represents |
|
|
Term
| What does the Global Catalog server do? |
|
Definition
| Responsible for replicating a subset of attributes throughout Active Directory |
|
|
Term
| What are FSMO roles/What do they do? |
|
Definition
| Flexible Single-Master Operation roles are specialized domain controller tasks assigned to a domain controller in the domain or forest. Operations master roles are useful because certain domain and enterprise-wide operations are not well suited for the multi-master replication performed by Active Directory to replicate objects and attributes |
|
|
Term
|
Definition
- Schema Master
- Domain Naming Master
- RID Master (Relative Identifier)
- PDC Emulator
- Infrastructure Master |
|
|
Term
| What does the schema master do? |
|
Definition
| Maintains the schema (the mapping of all the different object types) |
|
|
Term
| What does the RID master do? |
|
Definition
| The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controllers when creating new security principals (such as user, group, or computer accounts). |
|
|
Term
| What does the PDC Emulator do? |
|
Definition
| The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers. (eg - time services) |
|
|
Term
| What does the Infrastructure Master do? |
|
Definition
| Maintains references to objects in other domains (for example group members from another domain). When such an object is renamed or moved, the infrastructure master updates the references held in its own domain. |
|
|
Term
| Which level do the Schema and Domain Naming Master roles operate at? |
|
Definition
|
|
Term
| What level do the RID, PDC and Infrastructure Master roles operate at? |
|
Definition
|
|
Term
| What is the Global Catalog? |
|
Definition
| The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced. |
|
|
Term
| What is an Operations Master? |
|
Definition
| A domain controller that performs an operations master role is known as an operations master or operations master role owner. |
|
|
Term
| What does the Domain Naming Master do? |
|
Definition
| The domain naming master adds new domains to and removes existing domains from the forest. |
|
|
Term
| What is a functional level? |
|
Definition
| A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest |
|
|
Term
| What does a functional level define? |
|
Definition
- Which Active Directory Domain Services (AD DS) features are available to the domain or forest.
- Which Windows Server operating systems can be run on domain controllers in the domain or forest. Functional levels do not affect which operating syste |
|
|
Term
| Which domain functional levels does Server 2008 support? |
|
Definition
- Windows 2000 Native
- Windows Server 2003
- Windows Server 2008 |
|
|
Term
| Which forest functional levels does Server 2008 support? |
|
Definition
- Windows 2000
- Windows Server 2003
- Windows Server 2008 |
|
|
Term
|
Definition
| A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values. |
|
|
Term
| What are new services in AD 2008? |
|
Definition
- AD Domain Services
- AD Lightweight Directory Services
- AD Certificate Services
- AD Federation Services
- AD Rights Management Services |
|
|
Term
|
Definition
| A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server. |
|
|
Term
| What is an AD role service? |
|
Definition
| Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role. |
|
|
Term
|
Definition
| A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support. |
|
|
Term
| What is Active Directory Domain Services (AD DS) |
|
Definition
AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:
- Helps administrators securely manage information.
- Facilitates resource sharing and collaboration between users.
- Is required to be installed on the network to install directory-enabled applications such as Microsoft Exchange Server and for applying other Windows Server technologies, such as Group Policy. |
|
|
Term
| What is Active Directory Lightweight Directory Service (AD LDS) |
|
Definition
| Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database. |
|
|
Term
| What is Active Directory Federation Services (AD FS) |
|
Definition
AD FS is a feature which enables secure access to web applications outside of a user's home domain or forest. The AD FS role:
- Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account.
- Securely federates (shares) user identities and access rights in the form of digital claims between partner organizations. |
|
|
Term
| What is Active Directory Rights Management Service (AD RMS) |
|
Definition
AD RMS is a feature which safeguards digital information from unauthorized use. The AD RMS role:
- Can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions.
- Allows organizations to create custom usage rights templates (such as "Confidential - Read Only") that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data. |
|
|
Term
| What is Active Directory Certificate Services (AD CS) |
|
Definition
AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. The AD CS role:
- Provides customizable services for creating and managing public key certificates.
- Enhances security by binding the identity of a person, device, or service to a corresponding private key.
- Includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments. |
|
|
Term
| Name some things that AD Certificate Services supports |
|
Definition
- Digital signatures
- Encrypting File System (EFS)
- Internet Protocol security (IPsec)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Secure Sockets Layer/Transport Layer Security (SSL/TLS)
- Secure wireless networks
- Smart card logon
- Virtual Private Networks (VPN) |
|
|
Term
| What AD roles are not supported on Server 2008 Standard? |
|
Definition
| AD FS requires the DataCenter or Enterprise editions for deployment. |
|
|
Term
| WHich server roles can Server 2008 core run? |
|
Definition
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services (AD LDS)
- Dynamic Host Configuration Protocol (DHCP) Server
- DNS Server
- File Server
- Print Server
- Media Services
- Web Server (IIS) |
|
|
Term
| What are the limitations of Server 2008 core? |
|
Definition
- There is no Windows shell.
- There is no managed code support (no .NET Framework). All code has to be native Windows API code.
- There is only MSI support for unattended-mode installs. |
|
|
Term
| What methods can you use to manage a Server 2008 core system? |
|
Definition
- Log on and use the command prompt.
- Log on using Remote Desktop to gain access to the command prompt.
- Use Windows Remote Shell (winrs, which runs commands over the WinRM service).
- Run Server Manager or another tool on another computer and connect to the Server Core system. This method allows you to use a GUI for managing the Server Core system. |
|
|
Term
| How would you add server roles to a Server 2008 core system? |
|
Definition
| Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive. |
|
|
Term
| How would you see a list of roles, role services and features that can be installed on Server 2008 core? |
|
Definition
|
|
Term
| What does AD Domain Services (AD DS) do? |
|
Definition
| provides Identity and Access (IDA) solutions for enterprise networks |
|
|
Term
|
Definition
|
|
Term
| What 4 things should an IDA infrastructure do? |
|
Definition
| store information about users, groups, computers, and objects; authenticate identities; control access; provide an audit trail |
|
|
Term
| What 5 technologies comprise a Microsoft IDA solution? |
|
Definition
- AD Domain Services
- AD Lightweight Directory Services
- AD Certificate Services
- AD Rights Management Services
- AD Federation Services |
|
|
Term
| What part of IDA does AD Domain Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Lightweight Directory Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Certificate Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Rights Management Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Federation Services provide? |
|
Definition
| partnership with external organizations |
|
|
Term
| What did AD Lightweight Directory Services used to be called? |
|
Definition
| Active Directory Application Mode |
|
|
Term
| What does AD Lightweight Directory Services do? |
|
Definition
| stores and replicates application-related database information |
|
|
Term
| What best practice should be used when using AD Certificate Services to provide certificate services to external communities? |
|
Definition
| get a root certificate from a trusted third-party CA |
|
|
Term
| What does AD Rights Management Services do? |
|
Definition
| provides persistent rights management, even after authentication (similar to Acrobat controls) |
|
|
Term
| What 5 components does AD Rights Management Services require to function? |
|
Definition
| an AD domain with Windows 2000 SP3 or later DCs, IIS, a database server, the AD RMS client, and an RMS-enabled application |
|
|
Term
| What does AD Federation Services do? |
|
Definition
| allows organizations to project rights and access controls across organizational boundaries |
|
|
Term
|
Definition
| a set of rules that defines classes of objects and attributes in a directory |
|
|
Term
| What do replication services do? |
|
Definition
| distribute directory data across a network |
|
|
Term
| What does a global catalog contain? |
|
Definition
| limited information about every object in the directory |
|
|
Term
| What is another name for a global catalog? |
|
Definition
|
|
Term
| What command is used to launch configuration of a domain controller? |
|
Definition
|
|
Term
| What are the components of an AD infrastructure? |
|
Definition
| AD data store, DC's, domains, forest, trees, functional level, OU's, sites |
|
|
Term
| What is the directory also known as? |
|
Definition
|
|
Term
| How is the directory stored? |
|
Definition
| as a single file (Ntds.dit) |
|
|
Term
| Where is the directory located by default? |
|
Definition
| %SystemRoot%\Ntds folder on all domain controllers |
|
|
Term
| What 4 partitions are usually found in the AD data store? |
|
Definition
| schema, configuration, domain (the domain naming context) and application partitions; a global catalog server additionally holds a partial, read-only replica of every other domain partition in the forest |
|
|
Term
| What important authentication service is run by all domain controllers? |
|
Definition
| Kerberos Key Distribution Center (KDC) |
|
|
Term
| Where can a user receive authentication from? |
|
Definition
|
|
Term
| What serves as a scope for administrative policies (password expiration, etc.)? |
|
Definition
|
|
Term
| What is considered best practice when replication cannot occur reliably between domain controllers? |
|
Definition
| place them in separate domains |
|
|
Term
|
Definition
| a collection of one or more Active Directory domains |
|
|
Term
| What is the first domain in a forest known as? |
|
Definition
|
|
Term
| What entity defines a security boundary? |
|
Definition
|
|
Term
| What is a security boundary? |
|
Definition
| the boundary outside which no directory data is replicated and no administrator has authority; in AD that is the forest, while a domain is only an administrative and replication boundary |
|
|
Term
|
Definition
|
|
Term
| What determines whether domains are part of the same tree? |
|
Definition
| whether those domains are part of a contiguous DNS namespace |
|
|
Term
| What are the 3 domain functional levels? |
|
Definition
| Windows 2000 native, Windows Server 2003, and Windows Server 2008 |
|
|
Term
| What are the forest functional levels available in Windows Server 2008? |
|
Definition
| Windows 2000, Windows Server 2003, and Windows Server 2008 |
|
|
Term
| What requirement exists for the Windows Server 2008 domain functional level? |
|
Definition
| all DC's must be running Server 2008 |
|
|
Term
| What requirement exists for the Windows Server 2008 forest functional level? |
|
Definition
| all domains must be Windows Server 2008 domains |
|
|
Term
| What MMC is used to administer roles? |
|
Definition
| Server Manager |
|
Term
| What are the two primary steps in creating a new DC? |
|
Definition
| add roles through Server Manager and promote server to DC |
|
|
Term
| What command-line command can be used to promote a server to DC? |
|
Definition
| dcpromo (dcpromo.exe), which can also be run unattended with an answer file |
|
Term
| What two names do all DC's require? |
|
Definition
| a valid DNS name and a valid NetBIOS name |
|
|
Term
|
Definition
| A command-line tool that enables administrators to create and display a Resultant Set of Policy (RSoP) query from the command line. |
|
|
Term
|
Definition
| A Group Policy Management feature that uses the Resultant Set of Policy snap-in to simulate the effect of a policy on the user environment. |
|
|
Term
|
Definition
| A feature in Group Policy Management that is equivalent to the Logging mode within the Resultant Set of Policy MMC snap-in. Rather than simulating policy effects like the Group Policy Modeling Wizard, Group Policy Results obtains Resultant Set of Policy (RSoP) information from the client computer to show the actual effects that policies have on the client computer and user environment. |
|
|
Term
|
Definition
| The Resultant Set of Policy (RSoP) mode that queries existing policies in the hierarchy that are linked to sites, domains, domain controllers, and Organizational Units. This mode is useful for documenting and understanding how combined policies are affecting users and computers. The results are returned in an MMC window that can be saved for later reference. |
|
|
Term
|
Definition
| The Resultant Set of Policy (RSoP) mode that allows administrators to simulate the effect of policy settings prior to implementing them on a computer or user. |
|
|
Term
|
Definition
| A filtering method that uses filters written in the WMI Query Language (WQL) to control GPO application; the GPO applies only to computers for which the query returns a result. |
|
|
Term
|
Definition
Common Information Model Object Manager (CIMOM): a database used through Windows Management Instrumentation that contains information gathered when a computer starts and becomes part of the network. This information includes hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, scripts, Folder Redirection settings, and Security settings.
|
|
Term
|
Definition
Resultant Set of Policy: a query engine that looks at GPOs and then reports its findings. Use this tool to determine the effective settings for a user or a computer based on the combination of the local, site, domain, domain controller, and OU policies.
|
|
Term
|
Definition
Windows Management Instrumentation A component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. It allows administrators to create queries based on hardware, software, operating systems, and services. |
|
|
Term
|
Definition
WMI Query Language A language that is similar to structured query language (SQL). |
|
|
Term
|
Definition
| An option used to deploy required applications to pertinent users and computers. |
|
|
Term
|
Definition
| Strategy for enforcing restrictions that prevents any application from running that requires administrative rights but allows programs to run that only require resources accessible to normal users. |
|
|
Term
|
Definition
| A software restriction rule that uses the signing certificate of an application to allow software from a trusted source to run or to prevent software that does not come from a trusted source from running. Certificate rules can also be used to run programs in otherwise disallowed areas of the operating system. |
|
|
Term
|
Definition
| Strategy for enforcing restrictions that prevents all applications from running except those that are specifically allowed (the default security level is Disallowed). |
|
|
Term
|
Definition
| The shared folder that is a network location from which users can download software. Also known as the software distribution point. |
|
|
Term
| file-activated installation |
|
Definition
| A method of distributing applications whereby an application is installed when a user opens a file associated with an application that is not currently installed. |
|
|
Term
|
Definition
| A series of bytes with a fixed length that uniquely identifies a program or file. |
|
|
Term
|
Definition
| A hash algorithm: the function that computes a hash value from a file's contents. |
|
|
Term
|
Definition
| A software-restriction rule applied to an application executable that checks the file's hash value and prevents the application from running if the hash value does not match. Changing a single byte of the file changes the hash, so the rule must be updated whenever the application is patched. |
|
|
Term
|
Definition
| A fixed-length value computed from a file's contents by a hash algorithm; with a cryptographic hash it is computationally infeasible for a different program to produce the same value. |
|
|
Term
| Install This Application At Logon |
|
Definition
| A deployment option that allows the application to be installed immediately at logon, rather than only being advertised on the Start menu. |
|
|
Term
|
Definition
| A relational database file that is copied to the target computer system with the program files it deploys. In addition to providing installation information, this database file assists in the self-healing process for damaged applications and in clean application removal. |
|
|
Term
|
Definition
| A software restriction rule that allows Windows Installer packages to be installed only if they come from a trusted area of the network (Internet zone rule). |
|
|
Term
|
Definition
| Windows Installer files with the .msp extension that are used to apply service packs and hotfixes to installed soft |
|
|
Term
|
Definition
| A software restriction rule that identifies software by specifying the directory path where the application is stored in the file system. A path rule is only as strong as the permissions on that path: a user who can write to a trusted directory can run arbitrary code from it. |
|
|
Term
|
Definition
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource (see lesson 1).
2) An option used to deploy applications; it allows users to install the applications that they consider useful to them (see lesson 9).
|
|
Term
|
Definition
| The process of preparing software for .msi distribution, which includes taking a snapshot of a clean computer system before the application is installed, installing the application as desired and taking a snapshot of the computer after the application is installed. |
|
|
Term
|
Definition
| A function that allows software to detect and correct problems, such as missing or deleted files. |
|
|
Term
|
Definition
| A process that takes place from the time an application is evaluated for deployment in an organization until the time when it is deemed old or no longer suitable for use. |
|
|
Term
|
Definition
| Strategy for enforcing restrictions that allows all applications to run except those that are specifically excluded (the default security level is Unrestricted). |
|
|
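Worked example, added here and not part of the original card set: a small evaluator showing how the software restriction rule types above (hash, certificate, path, network zone) combine under the allowlist strategy (default level Disallowed) and the blocklist strategy (default level Unrestricted). The precedence it encodes is the documented SRP order, hash over certificate over path over zone over the default level, with the more specific path winning among path rules; the rule set, file contents, signer names and paths are constructed for the demonstration.

```python
"""Software restriction policy evaluation: rule precedence and default level."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

# More specific rule types win: hash > certificate > path > network zone > default level.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # SHA-256 hex digest, signer name, path pattern or zone name
    level: str   # "Unrestricted" or "Disallowed"


@dataclass
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None   # subject of the Authenticode signer, None if unsigned
    zone: str = "Local computer"


def matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "hash":
        return hashlib.sha256(exe.content).hexdigest() == rule.match
    if rule.kind == "certificate":
        return exe.signer == rule.match
    if rule.kind == "path":
        # Windows paths are case-insensitive; fnmatch treats backslashes literally.
        return fnmatch.fnmatchcase(exe.path.lower(), rule.match.lower())
    if rule.kind == "zone":
        return exe.zone == rule.match
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(rules, exe, default_level):
    """Return (level, rule) for the executable; rule is None when only the
    default security level applied."""
    hits = [r for r in rules if matches(r, exe)]
    if not hits:
        return default_level, None
    # Most specific rule type first; among path rules the longer (more specific)
    # pattern wins; on a remaining tie the more restrictive level wins.
    best = min(hits, key=lambda r: (PRECEDENCE[r.kind], -len(r.match), r.level != "Disallowed"))
    return best.level, best


# Constructed sample policy and executables (names, paths and contents are made up).
KNOWN_BAD_HASH = hashlib.sha256(b"MZ constructed known-bad sample").hexdigest()
RULES = [
    Rule("path", r"C:\Windows\*", "Unrestricted"),
    Rule("path", r"C:\Program Files\*", "Unrestricted"),
    Rule("path", r"C:\Windows\Temp\*", "Disallowed"),   # user-writable, so carve it out
    Rule("certificate", "Contoso Corp", "Unrestricted"),
    Rule("hash", KNOWN_BAD_HASH, "Disallowed"),
]
DROPPER = Executable(r"C:\Windows\Temp\update.exe", b"MZ dropper")
PAYROLL = Executable(r"C:\Users\alice\Downloads\payroll.exe", b"MZ payroll", signer="Contoso Corp")
TROJANED = Executable(r"C:\Program Files\Tools\tool.exe", b"MZ constructed known-bad sample")
PORTABLE = Executable(r"D:\portable\app.exe", b"MZ portable")


def evaluate_all(default_level):
    """Effective level for every sample executable under one default security level."""
    return {exe.path: decide(RULES, exe, default_level)[0]
            for exe in (DROPPER, PAYROLL, TROJANED, PORTABLE)}


if __name__ == "__main__":
    for strategy in ("Disallowed", "Unrestricted"):
        print(strategy, evaluate_all(strategy))
```

Only the unruled executable on D: changes outcome between the two strategies; the dropper in C:\Windows\Temp is blocked by the more specific path rule even though C:\Windows is trusted, and the trojaned tool is blocked by its hash despite living under C:\Program Files.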
Term
|
Definition
| A non-Windows Installer package that can be created in a text editor. |
|
|
Term
|
Definition
Software Development Life Cycle: a structured process used to develop information systems software, projects, or components; phases include analysis, design, implementation, and maintenance.
|
|
Term
|
Definition
| A subcategory in the Account Policies category that specifies the number of unsuccessful logon attempts that, if made within a contiguous timeframe, might constitute a potential security threat from an intruder. An Account Lockout Policy can be set to lock the account in question after a specified number of invalid attempts. Additionally, the policy specifies how long the account will remain locked and after how long the counter of failed attempts is reset. |
|
|
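Worked example, added here and not from the original cards: a simulation of the three Account Lockout Policy settings (threshold, reset-counter window, lockout duration) run over constructed logon events. It shows the cases a detection engineer cares about: a fast burst that locks the account, a slow spray that stays inside the reset window and still locks it, a correct password rejected while the lock is in force, and failures that never reach the threshold because a success or an expired window cleared the counter. The account names and timestamps are made up.

```python
"""Account Lockout Policy simulation over constructed logon events."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                               # Account lockout threshold (0 = never lock)
    reset_after: timedelta = timedelta(minutes=30)   # Reset account lockout counter after
    duration: Optional[timedelta] = timedelta(minutes=30)  # Account lockout duration (None = until unlocked by an admin)


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None


def parse_events(lines):
    """Each event line: ISO-8601 timestamp, account name, OK or FAIL. '#' lines are comments."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result == "OK"


def simulate(lines, policy):
    """Replay events in time order; returns the lockouts and the attempts refused while locked."""
    state = {}
    lockouts, rejected = [], []
    for ts, user, success in sorted(parse_events(lines)):
        st = state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if ts < st.locked_until:
                rejected.append((user, ts.isoformat()))   # even a correct password is refused
                continue
            st.locked_until, st.bad_count, st.last_bad = None, 0, None   # duration elapsed
        if success:
            st.bad_count, st.last_bad = 0, None   # a good logon clears the counter
            continue
        if st.last_bad is not None and ts - st.last_bad > policy.reset_after:
            st.bad_count = 0   # previous failure is older than the reset window
        st.bad_count += 1
        st.last_bad = ts
        if policy.threshold and st.bad_count >= policy.threshold:
            st.locked_until = ts + policy.duration if policy.duration else datetime.max
            lockouts.append((user, ts.isoformat()))
    return {"lockouts": lockouts, "rejected": rejected}


# Constructed sample events (not real logs).
LOG = """\
# alice: five failures in 20 seconds -> locked at 09:00:20 until 09:30:20
2024-03-01T09:00:00 alice FAIL
2024-03-01T09:00:05 alice FAIL
2024-03-01T09:00:10 alice FAIL
2024-03-01T09:00:15 alice FAIL
2024-03-01T09:00:20 alice FAIL
2024-03-01T09:00:25 alice OK
2024-03-01T09:35:00 alice OK
# bob: slow spray, 12 minutes apart, still inside the 30-minute reset window
2024-03-01T09:00:00 bob FAIL
2024-03-01T09:12:00 bob FAIL
2024-03-01T09:24:00 bob FAIL
2024-03-01T09:36:00 bob FAIL
2024-03-01T09:48:00 bob FAIL
# carol: a successful logon clears the counter
2024-03-01T10:00:00 carol FAIL
2024-03-01T10:01:00 carol FAIL
2024-03-01T10:02:00 carol FAIL
2024-03-01T10:03:00 carol FAIL
2024-03-01T10:04:00 carol OK
2024-03-01T10:05:00 carol FAIL
2024-03-01T10:06:00 carol FAIL
# dave: a 48-minute gap exceeds the reset window, so the counter starts over
2024-03-01T11:00:00 dave FAIL
2024-03-01T11:01:00 dave FAIL
2024-03-01T11:02:00 dave FAIL
2024-03-01T11:50:00 dave FAIL
2024-03-01T11:51:00 dave FAIL
2024-03-01T11:52:00 dave FAIL
"""

if __name__ == "__main__":
    print(simulate(LOG.splitlines(), LockoutPolicy()))
```

The bob case is why the reset window matters as much as the threshold: an attacker who spaces guesses just inside the window still locks the account, while one who spaces them just outside it (dave) never does, which is exactly the cadence a password-spraying tool is tuned to.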
Term
|
Definition
| Setting that logs events related to successful user logons to a domain. |
|
|
Term
| account management events |
|
Definition
| Setting that triggers an event that is written based on changes to account properties and group properties. Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling. |
|
|
Term
|
Definition
| The section of GPO Local Policies that enables administrators to log successful and failed security events, such as logon events, account access, and object access. |
|
|
Term
|
Definition
| Tracking events that take place on the local computer. |
|
|
Term
|
Definition
| A setting that limits the amount of space available on the server for user data. |
|
|
Term
|
Definition
| Group Policy setting that indicates the number of previous passwords Active Directory retains in the password history before allowing someone to reuse one of them. |
|
|
Term
|
Definition
| A command-line tool used to force a manual Group Policy refresh. This tool was introduced in Windows Server 2003 and is used in Windows Server 2003 and Windows Server 2008 to replace the secedit /refreshpolicy command used in Windows 2000. |
|
|
Term
|
Definition
| For domain accounts only, this policy enables administrators to configure settings that govern how Active Directory authentication functions. |
|
|
Term
|
Definition
| Policies that enable administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log. |
|
|
Term
|
Definition
| The setting logs events related to successful user logons on a computer. |
|
|
Term
|
Definition
| A new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as a Password Settings Object (PSO). |
|
|
Term
|
Definition
| A separate Group Policy category that can allow files to be available to users, even when users are disconnected from the network. |
|
|
Term
|
Definition
| A subcategory in the Account Policies category that enforces password length, password history, and so on. Password Policies can be applied to domain and local user accounts. |
|
|
Term
|
Definition
| By default, this policy is set to audit successes in the Default Domain Controllers GPO. Policy change audit log entries are triggered by events such as user rights assignment changes, establishment or removal of trust relationships, IPsec policy agent changes, and grants or removals of system access privileges. |
|
|
Term
|
Definition
| The range to which each background refresh interval can be set: 0 to 64,800 minutes (45 days). |
|
|
Term
|
Definition
| Policy setting that enables an administrator to specify and enforce group membership lists. |
|
|
Term
|
Definition
| A subcategory of the Local Policies setting area of a Group Policy Object that includes security settings related to interactive log on, digital signing of data, restrictions for access to floppy and CD-ROM drives, unsigned driver installation behavior, and logon dialog box behavior. |
|
|
Term
|
Definition
| Events that trigger a log entry in this category include system startups and shutdowns; system time changes; system event resource exhaustion, such as when an event log is filled and can no longer append entries; security log clearing; or any event that affects system security or the security log. In the Default Domain Controllers GPO, this setting is set to log success by default. |
|
|
Term
|
Definition
| The category that is used to configure the startup and security settings for services running on a computer. |
|
|
Term
|
Definition
| An Administrative Template setting that continues to apply until it is revised using a policy that overwrites the setting. |
|
|
Term
|
Definition
| A subcategory of the Local Policies setting area of a Group Policy Object that includes settings for items that pertain to rights needed by users to perform system-related tasks. |
|
|
Term
|
Definition
Fine-Grained Password Policies A policy that can be applied to one or more users or groups of users, allowing the administrator to specify a more or less stringent password policy for the subset than the password policy defined for the entire domain. |
|
|
Term
|
Definition
Key Distribution Center: used to issue Kerberos tickets to users for domain access.
|
|
Term
|
Definition
Password Settings Object: a new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as msDS-PasswordSettings.
|
|
Term
|
Definition
| Files used to generate the user interface for the Group Policy settings that can be set using the Group Policy Management Editor. |
|
|
Term
|
Definition
| Windows Server 2008 Administrative Templates using the .admx extension. |
|
|
Term
|
Definition
| A method of processing multiple scripts at the same time, without waiting for the outcome of a previously launched script to occur. |
|
|
Term
|
Definition
| A setting on a container object, such as a site, domain, or Organizational Unit, that blocks all policies from parent containers from flowing to this container. It is not policy specific; it applies to all policies applied at parent levels, except those whose links are marked Enforced. |
|
|
Term
|
Definition
| Single location in a SYSVOL directory containing Administrative Templates with the .admx extension. |
|
|
Term
| Default Domain Controller Policy |
|
Definition
| A policy linked to the Domain Controllers OU; its settings affect all domain controllers in the domain. |
|
|
Term
|
Definition
| A type of Group Policy Object associated with a domain. |
|
|
Term
|
Definition
| A setting on an individual GPO link that forces a particular GPO's settings to flow down through the Active Directory, without being blocked by any child Organizational Units. |
|
|
Term
|
Definition
| A setting that allows files to be redirected to a network drive for backup and makes them accessible from anywhere on the network. |
|
|
Term
|
Definition
| The process of applying Group Policy to all domains and the child objects contained within them. |
|
|
Term
|
Definition
Group Policy container An Active Directory object that stores the properties of the GPO. |
|
|
Term
|
Definition
Group Policy Management Console The Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings. |
|
|
Term
|
Definition
Group Policy Object Objects that contain all of the Group Policy settings that will be implemented on all user and computer objects within a site, domain, or OU. |
|
|
Term
|
Definition
Group Policy template: a folder located in the Policies subfolder of the SYSVOL share that stores policy settings, such as security settings and script files.
|
|
Term
|
Definition
Return on investment: the amount of money gained (or lost) relative to the amount of money that was invested in a particular project or technology. Can be measured by tangible factors, such as implementation costs and ongoing support, and by intangible benefits, such as increased user productivity and other factors that are difficult to measure from a financial standpoint.
|
|
Term
|
Definition
Total cost of ownership: a value used to assess the cost of implementing computer software or hardware, both in terms of direct and indirect costs. TCO can be calculated based on how much ownership costs over the lifetime of a business resource.
|
|
Term
|
Definition
Windows Deployment Services: a managed setting that can be defined or changed through Group Policies. This setting assists in rebuilding or deploying workstations quickly and efficiently in an enterprise environment.
|
|
Term
| Group Policy Management Editor |
|
Definition
| The Microsoft Management Console (MMC) snap-in that is used to edit the settings of an individual Group Policy Object. |
|
|
Term
|
Definition
| A process that applies Group Policy settings to various containers within Active Directory. |
|
|
Term
|
Definition
| A type of Group Policy Object associated with the local computer. |
|
|
Term
|
Definition
| A Group Policy option that provides an alternative method of obtaining the ordered list of GPOs to be processed for the user. When set to Enabled, this setting has two options: Merge and Replace. |
|
|
Term
|
Definition
| The sequence used to process policies: local policies, site policies, domain policies, and then Organizational Unit policies (LSDOU). |
|
|
Term
|
Definition
| A Loopback Processing option. After all user policies run, the computer policy settings are reapplied, which allows all current GPO settings to merge with the reapplied computer policy settings. In instances where conflicts arise between computer and user settings, the computer policy supersedes the user policy. This occurs before the desktop is presented to the user. |
|
|
Term
|
Definition
| A new feature in Windows Vista whereby administrators can specify a different local GPO for administrators and create specific GPO settings for one or more local users configured on a workstation. |
|
|
Term
|
Definition
| A subcategory of Group Policy settings. |
|
|
Term
|
Definition
| This feature works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible. |
|
|
Term
|
Definition
| Settings that provide a consistent, secure, manageable environment that addresses the users' needs and the organization's administrative goals. |
|
|
Term
|
Definition
| A Loopback Processing option. This option overwrites the GPO list for a user object with the GPO list for the user's logon computer. This means that the computer policy settings remove any conflicting user policy settings. |
|
|
Term
|
Definition
| A managed setting that can be defined or changed through Group Policies. Scripts, including logon, logoff, startup, and shutdown commands, can assist in configuring the user environment. |
|
|
Term
| security group filtering |
|
Definition
| An advanced technique that enables you to apply GPO settings to only one or more users or groups within a container by selectively granting the "Apply Group Policy" permission to one or more users or security groups. |
|
|
Term
|
Definition
| A subnode within the Computer Configuration and User Configuration nodes. The Software Settings folder located under the User Configuration node contains settings that are applied to users designated by the Group Policy, regardless of the computer from which they log on to Active Directory. |
|
|
Term
|
Definition
| A type of Group Policy Object that enables administrators to configure a standard set of items that will be configured by default in any GPO that is derived from a starter GPO. Starter GPOs are a new feature in Windows Server 2008. |
|
|
Term
|
Definition
| Processing method whereby each policy must be read and applied completely before the next policy can be invoked. |
|
|
Term
|
Definition
| A Group Policy setting that enables administrators to customize the configuration of a user's desktop, environment, and security settings. Enforced policies are based on the user rather than on the computer used. |
|
|
Term
|
Definition
| A subnode within the Computer Configuration and User Configuration nodes. The Windows Settings folder located under the Computer Configuration node in the Group Policy Management Editor contains security settings and scripts that apply to all users who log on to Active Directory from that specific computer. The Windows Settings folder located under the User Configuration node contains settings related to folder redirection, security settings, and scripts that are applied to associated users. |
|
|
Term
| What is the order of group policies? |
|
Definition
1. Local policies
2. Site policies
3. Domain policies
4. OU policies (parent OU first, then child OUs)
Mnemonic: LSDOU. A policy applied later in this order overrides an earlier one on conflict.
|
|
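Worked example, added here and not part of the original cards: a model of how the LSDOU processing order, link order within a container, Block Inheritance and Enforced combine to produce the effective settings, the same question gpresult or Group Policy Results answers for a real client. The site, domain, OU and GPO names and the settings are constructed; the local GPO is not modelled beyond the note that it is applied before everything else.

```python
"""Group Policy precedence: LSDOU order, link order, Block Inheritance, Enforced."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Link:
    gpo: str
    enforced: bool = False


@dataclass
class Container:
    name: str                                        # site, domain or OU
    links: List[Link] = field(default_factory=list)  # link order 1 first
    block_inheritance: bool = False


def gpo_apply_order(chain):
    """chain: Site -> Domain -> OU ... -> the OU holding the user or computer.
    Returns GPO names in application order; a later GPO overwrites an earlier
    one on conflict, so the last entry has the highest precedence. The local
    GPO (not modelled here) is applied before all of these."""
    normal = []
    enforced_levels = []
    for container in chain:
        if container.block_inheritance:
            normal = []   # drops every non-Enforced GPO inherited from parents
        # Link order 1 must win inside a container, so it is applied last.
        normal.extend(l.gpo for l in reversed(container.links) if not l.enforced)
        enforced_levels.append([l.gpo for l in reversed(container.links) if l.enforced])
    # Enforced links survive Block Inheritance and are applied after everything
    # else; an Enforced link on a parent beats one on a child, so parents go last.
    enforced = [gpo for level in reversed(enforced_levels) for gpo in level]
    return normal + enforced


def resolve(chain, gpo_settings):
    """Apply settings in order; returns the effective value and the winning GPO per setting."""
    effective, winner = {}, {}
    for gpo in gpo_apply_order(chain):
        for setting, value in gpo_settings.get(gpo, {}).items():
            effective[setting] = value
            winner[setting] = gpo
    return effective, winner


# Constructed example hierarchy (all names are made up).
EXAMPLE_CHAIN = [
    Container("Site: HQ", [Link("SiteGPO")]),
    Container("Domain: contoso.com", [Link("Default Domain Policy", enforced=True), Link("DomainBaseline")]),
    Container("OU: Workstations", [Link("WorkstationGPO")], block_inheritance=True),
    Container("OU: Finance", [Link("FinanceLockdown"), Link("FinanceApps")]),
]
EXAMPLE_SETTINGS = {
    "SiteGPO": {"ScreenSaverTimeout": 900},
    "Default Domain Policy": {"RequireSmartCard": True},
    "DomainBaseline": {"ScreenSaverTimeout": 600, "DisableUsbStorage": True},
    "WorkstationGPO": {"DisableUsbStorage": False},
    "FinanceLockdown": {"ScreenSaverTimeout": 300},
    "FinanceApps": {"ScreenSaverTimeout": 1200, "DisableUsbStorage": False},
}

if __name__ == "__main__":
    print(gpo_apply_order(EXAMPLE_CHAIN))
    print(resolve(EXAMPLE_CHAIN, EXAMPLE_SETTINGS))
```

In this hierarchy Block Inheritance on the Workstations OU silently discards the domain baseline that disabled USB storage, which is the kind of gap a reviewer should look for whenever an OU admin has been given that setting; the Enforced Default Domain Policy is the only parent GPO that still reaches the Finance OU.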
Term
| Comma-Separated Value Directory Exchange |
|
Definition
CSVDE The command line utility used to import or export Active Directory information from a comma-separated value (.csv) file. |
|
|
Term
|
Definition
CSV Format that contains a comma between each value. The CSV format can be used to import and export information from other third-party applications |
|
|
Term
| LDAP Data Interchange Format |
|
Definition
LDIF The format for the data file containing the object records to be created. |
|
|
Term
| LDAP Data Interchange Format Directory Exchange |
|
Definition
LDIFDE A command-line utility used to import or export Active Directory information and create, modify, and delete Active Directory objects. |
|
|
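Worked example, added here and not part of the original cards, for the LDIF format and the LDIFDE import above: a minimal parser for the file layout LDIFDE consumes, covering records separated by blank lines, comment lines, continuation lines that begin with a space, base64 values marked with a double colon, and the changetype (LDIFDE treats a record without one as an add). The sample file below is constructed; the DNs, account names and attribute values are made up.

```python
"""Minimal LDIF parser of the kind LDIFDE consumes."""
import base64

# Constructed sample file, not taken from the page or a real directory.
SAMPLE_LDIF = """\
# user to create; the description attribute spans a continuation line
dn: CN=Alice Jones,OU=Finance,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alice Jones
sAMAccountName: ajones
userPrincipalName: ajones@contoso.com
description: Finance analyst in the Paris
  office
department:: RmluYW5jZQ==
userAccountControl: 514

dn: CN=Finance Users,OU=Finance,DC=contoso,DC=com
changetype: add
objectClass: group
sAMAccountName: Finance Users
member: CN=Alice Jones,OU=Finance,DC=contoso,DC=com
member: CN=Bob Lee,OU=Finance,DC=contoso,DC=com

dn: CN=Old Service,OU=Service Accounts,DC=contoso,DC=com
changetype: delete
"""


def unfold(text):
    """Join continuation lines: a line that starts with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records: {"dn", "changetype", "attrs": {name: [values]}}."""
    records, current = [], None
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if rest.startswith(":"):                  # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                 # attr:< URL reference, not supported here
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": value, "changetype": "add", "attrs": {}}  # LDIFDE defaults to add
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        elif name == "changetype":
            current["changetype"] = value
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        records.append(current)
    return records


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["changetype"], rec["dn"], sorted(rec["attrs"]))
```

Parsing an import file before feeding it to LDIFDE is a cheap place to review what a bulk job will do: the userAccountControl of 514 in the sample creates the user disabled, and the delete record names exactly the object that will disappear.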
Term
|
Definition
SAM: a database containing user accounts and security information, stored locally on the computer (server or workstation) where the accounts reside.
|
|
Term
|
Definition
WSH Allows scripts to be run from a Windows desktop or a command prompt. The runtime programs provided to do this are WScript.exe and CScript.exe, respectively. |
|
|
Term
|
Definition
| Created when a user logs on, this value identifies the user and all of the user's group memberships. Like a club membership card, it verifies a user's permissions when the user attempts to access a local or network resource. |
|
|
Term
|
Definition
| Special identity that refers to users who have not supplied a username and password. |
|
|
Term
|
Definition
| To gain access to the network, prospective network users must identify themselves to a network using specific user accounts. |
|
|
Term
|
Definition
| The process of confirming a user's identity using a known value, such as a password, a pin number on a smart card, or, in the case of biometric authentication, the user's fingerprint or hand print. |
|
|
Term
|
Definition
| The process of confirming that an authenticated user has the correct permissions to access one or more network resources. |
|
|
Term
|
Definition
| Files, typically configured with either a .bat extension or a .cmd extension, that can be used to automate many routine or repetitive tasks. |
|
|
Term
|
Definition
| The accounts automatically created when Microsoft Windows Server 2008 is installed. By default, two built-in user accounts are created on a Windows Server 2008 computer: the Administrator account and the Guest account. |
|
|
Term
|
Definition
| Non-security-related groups created for the distribution of information to one or more persons. |
|
|
Term
|
Definition
| The accounts used to access Active Directory or network-based resources, such as shared folders or printers. |
|
|
Term
|
Definition
| A group used to assign permissions to resources that reside only in the same domain as the domain local group. They can contain user accounts, computer accounts, global groups, and universal groups from any domain, in addition to other domain local groups from the same domain. |
|
|
Term
|
Definition
| A command-line tool used to create, delete, view, and modify Active Directory objects, including users, groups and Organizational Units. |
|
|
Term
|
Definition
| A special identity group that contains all authenticated users and domain guests. |
|
|
Term
|
Definition
| A group used to grant or deny permissions to any resource located in any domain in the forest. Global groups can contain user accounts, computer accounts, and/or other global groups only from within the same domain as the global group. |
|
|
Term
|
Definition
| A collection of user or computer accounts that is used to simplify the assignment of permissions to network resources. |
|
|
Term
|
Definition
| The process of configuring one or more groups as members of another group. |
|
|
Term
|
Definition
| Group characteristic that controls which objects the group can contain, limiting the objects to the same domain or permitting objects from remote domains as well, and controls the location in the domain or forest where the group can be used. |
|
|
Term
|
Definition
| Group characteristic that defines how a group is to be used within Active Directory. |
|
|
Term
|
Definition
| The first line of the imported or exported text file that uses proper attribute names. |
|
|
Term
|
Definition
| The accounts used to access the local computer only. They are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers, nor do these accounts have domain access. |
|
|
Term
|
Definition
| A collection of user accounts that are local to one specific workstation or member server. Local groups are created in the security database of a local computer and are not replicated to Active Directory or to any other computers on the network. |
|
|
Term
|
Definition
| An object placed inside another object of the same type. |
|
|
Term
|
Definition
| When a group is placed in a second group, the members of the first group become members of the second group. |
|
|
Term
|
Definition
| Each user's logon name, typically the portion to the left of the '@' within a User Principal Name (the two can be set independently). The SAM account name must be unique across a domain. |
|
|
Term
|
Definition
| Security-related groups created for purposes of granting resource access permissions to multiple users. |
|
|
Term
|
Definition
| Group used to define permission assignments. Administrators cannot manually modify the group membership of special identity groups, nor can they view their membership lists. |
|
|
Term
| Active Directory Migration Tool |
|
Definition
ADMT A free tool used to move objects between domains. |
|
|
Term
| Delegation of Control Wizard |
|
Definition
| A simple interface used to delegate permissions for domains, Organizational Units, and containers. |
|
|
Term
|
Definition
| Automated password-cracking tools that try every possible combination of characters until the correct sequence of characters is finally discovered. |
|
|
Term
|
Definition
| User interface enabling the user to drag an object and drop it on a target. This feature was introduced in Windows Server 2003. |
|
|
Term
|
Definition
| A command-line utility used to move an object from one location to another. |
|
|
Term
|
Definition
| An alphanumeric sequence of characters entered with a username to access a server, workstation, or shared resource. |
|
|
Term
|
Definition
| An attempt to discover a user's password. |
|
|
Term
| personal identification number |
|
Definition
PIN Typically consists of at least four characters or digits that are entered while presenting a physical access token, such as an ATM card or a smart card. |
|
|
Term
|
Definition
| Option that enables administrators to maintain their primary logon as a standard user and create a secondary session for access to an administrative tool. |
|
|
Term
|
Definition
| A command-line tool that enables administrators to log on with alternate credentials. |
|
|
Term
|
Definition
| A feature that provides the ability to log on with an alternate set of credentials to that of the primary logon. |
|
|
Term
|
Definition
| A password that follows guidelines that make it difficult for a potential hacker to determine that user's password. Password guidelines include a minimum required password length, a password history, requiring multiple types of characters within a password, and setting a minimum password age. |
|
|
Term
| What are the Sytem Requirements to run AD RMS? |
|
Definition
- Pentium 4, 3 GHz or higher
- 512 MB RAM
- 40 GB HDD
- Windows Server 2008, except Web Edition or Itanium-based systems
- FAT32 or NTFS file system
- Message Queuing
- IIS with the ASP.NET web service enabled
|
|
Term
| What is a Server License certificate (SLC)? |
|
Definition
| A self-signed certificate generated during the AD RMS setup of the first server in a root cluster; its key pair is the root of trust for every certificate and license the cluster issues. |
|
|
Term
| What is a Rights Account Certificate (RAC)? |
|
Definition
- issued to trusted users who have an e-mail-enabled account in AD DS
- generated when the user first tries to open rights-protected content
- standard RACs are valid for 365 days
- temporary RACs do not tie the user to a specific computer and are valid for only 15 minutes
- contains the user's public key and the user's private key, the latter encrypted with the public key of the machine certificate of the computer the RAC was issued to
|
|
Term
| What is a Client Licensor certificate (CLC)? |
|
Definition
- after the user has a RAC and launches an AD RMS-enabled application, the application automatically requests a CLC from the AD RMS cluster
- contains the client licensor public key, the client licensor private key encrypted with the user's RAC public key, and the AD RMS cluster's public key
- lets the user publish rights-protected content offline, without contacting the cluster for each publishing license
|
|
Term
| What is a Machine Certificate? |
|
Definition
- created the first time an AD RMS-enabled application is used on a computer (machine activation)
- contains the public key for the activated computer; the matching private key is kept inside the lockbox on that computer
|
|
Term
| What is a Publishing License? |
|
Definition
- created when the author saves content in rights-protected mode
- lists which users can use the content, under which conditions, and the rights each user has to it
- includes the symmetric content key, encrypted with the AD RMS cluster's public key so that only the cluster can recover it, as well as the cluster's public key
|
|
Term
|
Definition
| The use license is issued by the AD RMS cluster to a user who opens rights-protected content; it carries the symmetric content key encrypted with that user's RAC public key, together with the rights the publishing license grants that user. |
|
|
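Worked example, added here and not from the original cards or from Microsoft's implementation: the key-wrapping chain the SLC, RAC, machine certificate, publishing license and use license cards describe, run end to end. The content is encrypted with a symmetric content key; the publishing license seals that key to the cluster's public key; the cluster opens it with its SLC private key and re-seals it to the requesting user's RAC public key in a use license; the client recovers its RAC private key from the machine lockbox to finish. All cryptography here is a toy stand-in (textbook RSA on known Mersenne primes, a SHA-256 keystream instead of AES) and the users, rights and content key are constructed; signatures on the licenses are omitted.

```python
"""AD RMS key chain: content key sealed to the cluster in the publishing license,
re-sealed to the user's RAC key in the use license, RAC private key in the lockbox.
Toy crypto throughout; demonstration only."""
import hashlib


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two known primes: no padding, tiny keys, demo only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_wrap(pub, m):
    n, e = pub
    assert 0 <= m < n, "value to wrap must be smaller than the modulus"
    return pow(m, e, n)


def rsa_unwrap(priv, c):
    n, d = priv
    return pow(c, d, n)


# Mersenne primes keep the example self-contained; these keys are far too small for real use.
M31, M61, M89, M107, M127, M521 = (2 ** k - 1 for k in (31, 61, 89, 107, 127, 521))
CLUSTER_PUB, CLUSTER_PRIV = rsa_keypair(M127, M89)   # SLC key pair of the root cluster
MACHINE_PUB, MACHINE_PRIV = rsa_keypair(M521, M31)   # machine certificate; private key lives in the lockbox
ALICE_PUB, ALICE_PRIV = rsa_keypair(M107, M61)       # Alice's RAC key pair

# The RAC carries the user's public key and the private key sealed to the machine key.
ALICE_RAC = {"user": "alice@contoso.com", "pub": ALICE_PUB,
             "sealed_priv": rsa_wrap(MACHINE_PUB, ALICE_PRIV[1])}


def stream_xor(key_int, data):
    """Toy symmetric cipher (SHA-256 keystream XOR) standing in for the AES content cipher."""
    key = key_int.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# Fixed so the example is reproducible; a real client draws a fresh random key per document.
CONTENT_KEY = int.from_bytes(hashlib.sha256(b"constructed demo key").digest()[:16], "big")


def publish(plaintext, rights):
    """Author side: encrypt with the content key and build the publishing license,
    which names each user's rights and carries the content key sealed to the cluster."""
    pl = {"rights": rights, "sealed_content_key": rsa_wrap(CLUSTER_PUB, CONTENT_KEY)}
    return stream_xor(CONTENT_KEY, plaintext), pl


def issue_use_license(pl, user, user_rac_pub):
    """Cluster side: only the SLC private key opens the publishing license; the
    content key is re-sealed to the requesting user's RAC public key."""
    if user not in pl["rights"]:
        raise PermissionError(f"{user} is not granted any rights in the publishing license")
    ck = rsa_unwrap(CLUSTER_PRIV, pl["sealed_content_key"])
    return {"user": user, "rights": pl["rights"][user],
            "sealed_content_key": rsa_wrap(user_rac_pub, ck)}


def consume(ciphertext, ul, rac):
    """Client side: the lockbox releases the RAC private key, which opens the use license."""
    d = rsa_unwrap(MACHINE_PRIV, rac["sealed_priv"])
    ck = rsa_unwrap((rac["pub"][0], d), ul["sealed_content_key"])
    return stream_xor(ck, ciphertext)


def demo():
    rights = {"alice@contoso.com": ["view", "edit"], "bob@contoso.com": ["view"]}
    ciphertext, pl = publish(b"Q3 forecast: internal only", rights)
    ul = issue_use_license(pl, "alice@contoso.com", ALICE_RAC["pub"])
    return consume(ciphertext, ul, ALICE_RAC)


if __name__ == "__main__":
    print(demo())
```

The point to take from the chain is where each private key lives: the content key is never stored in the clear, the cluster's SLC private key is the only thing that can open a publishing license, and a RAC private key is useless without the lockbox of the machine it was issued to, which is why the cards tie a RAC to a computer and give temporary RACs such a short life.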
Term
| What is a Federated Web SSO? |
|
Definition
- usually spans firewalls because it links applications in an extranet of a resource organization to the internal directory stores of account organizations
- the only trust in this model is the federation trust; it is always a one-way trust from the resource organization to the account organizations
- this is the most common deployment scenario
|
|
Term
| What is a Federated Web SSO with Forest Trust? |
|
Definition
- the organization uses two AD DS forests: one internal and one external forest located within a perimeter network, joined by a forest trust
- internal users have access to the applications from both the internal network and the Internet
- external users have access to the applications only from the Internet
|
|
Term
|
Definition
| use when all the users for an extranet application are external and do not have accounts within an AD DS domain. |
|
|
Term
| What kind of certificate does a Federation server need in an AD FS environment? |
|
Definition
| server authentication certificate and a token signing certificate |
|
|
Term
| What kind of certificate does a Federation Service Proxy use? |
|
Definition
- must have a server authentication certificate to support SSL-encrypted communications with Web clients
- must also have a client authentication certificate to authenticate to the federation server during communications
|
|
Term
| What kind of certificate does an AD FS Web Agent use? |
|
Definition
| server authentication certificate to secure its communications with web clients. |
|
|
Term
| Is publishing CA configuration to AD DS directories optional or mandatory for a Standalone CA? |
|
Definition
| optional for a standalone CA; mandatory for an enterprise CA, which requires AD DS |
|
|
Term
|
Definition
| An administratively defined collection of network resources that share a common directory database and security policies. |
|
|
Term
|
Definition
Within Active Directory, each resource is identified as an object.
- each object contains attributes
- Active Directory uses DNS for locating and naming objects
- container objects hold or group other objects, either other containers or leaf objects
|
|
Term
|
Definition
| The schema identifies the object classes that exist in the tree and the attributes of the object. |
|
|
Term
|
Definition
An organizational unit is like a folder that subdivides and organizes network resources within a domain.
-is a container object
-can be used to logically organize network resources
-simplifies security administration
-first level OUs are called parents
-second level OUs are called children
-OUs can contain other OUs or any type of leaf object. |
|
|
Term
| What are Generic Containers? |
|
Definition
used to organize Active Directory objects.
-created by default
-cannot be created, moved, renamed, or deleted.
-have very few editable properties. |
|
|
Term
|
Definition
| A group of related domains that share the same contiguous DNS name space. |
|
|
Term
|
Definition
| a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces. |
|
|
Term
| What is a Domain Controller? |
|
Definition
| a server that holds a copy of the Active Directory database that can be written to. |
|
|
Term
| What is a Global Catalog? |
|
Definition
| A database that contains a partial replica of every object from every domain within a forest. |
|
|
Term
|
Definition
| a distributed database that stores and manages information about network resources, such as users, computers and printers. |
|
|
Term
|
Definition
An LDAP directory service that you can use to create a directory store for use by directory-enabled applications.
-formerly known as ADAM. |
|
|
Term
|
Definition
a feature that enables secure access to web applications outside of a user's home domain or forest.
-provides web SSO |
|
|
Term
|
Definition
| a feature that safeguards digital information from unauthorized use. |
|
|
Term
|
Definition
| an identity and access control feature that creates and manages public key certificates used in software security systems. |
|
|
Term
| What are the steps to prevent objects from accidental deletion? |
|
Definition
In AD Users and Computers or Active Directory Sites and Services, do either of the following:
-On the Object tab, select the Protect object from accidental deletion check box.
-On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone. |
|
|
Term
| Where does Windows store standard zone data? |
|
Definition
|
|
Term
| How do you change the replication scope for a zone using an application partition? |
|
Definition
dnscmd /zonechangedirectorypartition
/forest
/domain |
|
|
Term
| How do you perform an offline domain join? |
|
Definition
Djoin.exe /provision, then copy the resulting file to the computer that you want to join to the domain.
Run Djoin.exe /requestODJ |
|
|
Term
| Can you convert a group from global to domain local or domain global? |
|
Definition
| No. Not directly. First convert the group to a universal group and apply the changes, then convert the group to the desired scope. |
|
|
Term
| What are the requirements to join a computer to a domain? |
|
Definition
| You must be a member of the Administrators group on the local computer or be given necessary rights. |
|
|
Term
| What utilities do you use to create computer accounts from a command prompt or script? |
|
Definition
|
|
Term
| What is a managed service account? |
|
Definition
a new account type available in Windows Server 2008 R2 and Windows 7. Provides the same benefits as a domain user account with these improvements:
-passwords managed and reset automatically
-when running at the Windows Server 2008 R2 functional level the SPN does not need to be managed as with local accounts. |
|
|
Term
| What is a Virtual Account? |
|
Definition
| a new account type that is not created or deleted. |
|
|
Term
|
Definition
a strategy to manage users, groups, and permissions.
-A: place user accounts
-G: into Global groups
-DL: into Domain Local groups
-P: assign permissions to domain local groups.
Used in mixed mode. Universal groups are not available in mixed mode. |
|
|
Term
|
Definition
Same as AGDLP except Universal groups are used.
Used in native mode where there is more than one domain and you need to grant access to similar groups defined in multiple domains. |
|
|
Term
| What do you use Active Directory Users and Computers for? |
|
Definition
| Use it to create, organize, and delete objects in Active Directory. |
|
|
Term
| How do you access Active Directory Users and Computers? |
|
Definition
-Server Manager
-Admin Tools
-Running dsa.msc |
|
|
Term
|
Definition
It is the Active Directory Service Interfaces Editor.
-use it to query, view, and edit attributes that are not exposed through other MMC snap-ins. |
|
|
Term
|
Definition
| creates a new object in Active Directory |
|
|
Term
| What is Dsquery used for? |
|
Definition
| finds objects that match the search criteria. Returns a list of objects that match the search criteria. |
|
|
Term
|
Definition
| retrieves property info about an object. |
|
|
Term
|
Definition
used to import and export Active Directory objects using a comma-separated list file.
-PASSWORDS ARE NOT EXPORTED. |
|
|
Term
|
Definition
imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
-passwords are NOT exported. |
|
|
Term
|
Definition
| a command line environment designed for automating administration and maintenance for Windows Server 2008 and Windows Server 2008 R2. |
|
|
Term
| What is the general syntax of PowerShell cmdlets? |
|
Definition
|
|
Term
|
Definition
allows you to search for and view the properties of multiple Active Directory objects.
-GUI based |
|
|
Term
|
Definition
-Active Directory Migration Tool.
GUI based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another. |
|
|
Term
| What is the Active Directory Administrative Center? |
|
Definition
an Active Directory management GUI tool built on Windows PowerShell.
-Creates or manages new or existing user accounts, groups, computer accounts, organizational units and containers
-Connect to one or several domains or domain controllers in the same instance of AD Admin Center.
-Change domain and forest functional levels
-Filter Active Directory data by using queries. |
|
|
Term
|
Definition
-Start of Authority record.
-first record in any DNS database file.
-defines general parameters for the DNS zone.
-only one SOA |
|
|
Term
|
Definition
-Name Server
-identifies all name servers that can perform name resolution for the zone. |
|
|
Term
|
Definition
| maps an IPv4 DNS host name to an IP address. |
|
|
Term
|
Definition
| maps an IPv6 DNS host name to an IP address. |
|
|
Term
|
Definition
| provides alternative names to hosts that already have a host record. |
|
|
Term
|
Definition
| provides alternative names to domains that already have a host record. |
|
|
Term
|
Definition
| used by Windows Server 2008 to register network services. |
|
|
Term
|
Definition
| in a reverse lookup zone, the PTR record maps an IP address to a host name. |
|
|
Term
| What does a full zone transfer copy? |
|
Definition
| It copies all of the zone data with each zone transfer. |
|
|
Term
| Who initiates a zone transfer? |
|
Definition
| the secondary server ALWAYS initiates the zone transfer. |
|
|
Term
| How do you improve DNS performance? |
|
Definition
| place multiple DNS servers on your network. |
|
|
Term
| What does a caching only server do? |
|
Definition
runs DNS but has no zones configured.
-Use a caching only server to improve performance while eliminating zone transfers. |
|
|
Term
| When can you disable zone transfers? |
|
Definition
| If a zone is AD-integrated and has no secondary servers, you can disable zone transfers. |
|
|
Term
|
Definition
| a DNS server that can be used by another DNS server to resolve queries for records that cannot be resolved through the cache. |
|
|
Term
| What is a secondary zone? |
|
Definition
| you can eliminate the need for a forwarder for a specific zone by adding a secondary zone to the server. |
|
|
Term
|
Definition
a zone with only a partial copy of the zone database. It holds only the following:
-SOA record for the zone
-NS records for all authoritative DNS servers for the zone.
-A records for authoritative name servers identified in the NS records. |
|
|
Term
| What is a conditional forwarder? |
|
Definition
| a forwarder that is used for a specific domain. |
|
|
Term
| When should you use a conditional forwarder? |
|
Definition
| use a conditional forwarder to eliminate all zone transfer traffic, or in conditions where you are not allowed to transfer data from a zone. |
|
|
Term
|
Definition
| the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution. |
|
|
Term
|
Definition
| pointers to top level DNS servers on the internet. |
|
|
Term
|
Definition
| a load balancing mechanism used by DNS servers to share and distribute network resource loads. |
|
|
Term
| What is Background Zone Loading? |
|
Definition
| DNS servers load zone data from AD DS in the background while the server restarts. |
|
|
Term
|
Definition
-Read Only Domain Controller
-an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. |
|
|
Term
| What is the No-refresh interval? |
|
Definition
| the time between the record's last refresh and when it can next be refreshed. |
|
|
Term
| What is the refresh-interval? |
|
Definition
| identifies a period of time when a record can be refreshed. It begins when the no-refresh interval ends. |
|
|
Term
| What is the command adprep /forestprep used for? |
|
Definition
used to update the Windows Server 2003 or Windows 2000 Server Active Directory schema for Windows Server 2008 or Windows Server 2008 R2.
-run it only once in the forest
-run on the domain controller that holds the schema master.
-must be a member of the Admins group, Schema Admins group, and the Domain Admins group. |
|
|
Term
| What is adprep /rodcprep used for? |
|
Definition
use if you plan on installing an RODC in any domain in the forest.
-run only once in the forest.
-can run this command on any computer in the forest.
-must be a member of the Enterprise Admins. |
|
|
Term
| When installing a new Windows Server 2008 or 2008 R2, what must the first domain controller be? |
|
Definition
| It must be a Global catalog server. |
|
|
Term
| What are the methods that can be used for installing AD DS? |
|
Definition
-Active Directory Domain Services Installation Wizard
-Command line (dcpromo)
-Answer file
-AD DS installation (media) (use ntdsutil.exe) |
|
|
Term
| What command is used to remove AD DS? |
|
Definition
|
|
Term
| What do you do if you are removing the last domain controller from a FOREST? |
|
Definition
| wizard...select Delete the domain and forest |
|
|
Term
| What is available at 2000 Native Domain functional level? |
|
Definition
-universal groups are available for security and distribution
-group nesting
-group converting
-Security Identifier history |
|
|
Term
| What is available at the 2008 domain functional level? |
|
Definition
includes all features available in 2003 and adds the following:
-DFS for SYSVOL
-AES
-Last Interactive Logon Info.
-Fine-grained password policies that allow you to specify password and account lockout policies for users and global security groups in a domain. |
|
|
Term
| What is available at the 2008 R2 domain functional level? |
|
Definition
includes all previous features and adds:
-Authentication Mechanism Assurance (AMA) allowing you to control access to network resources based on the type of certificate used during logon.
-Automatic Service Principal Name (SPN) management when using managed service and virtual accounts. |
|
|
Term
| What forest functional level must you be at to use the Active Directory Recycle Bin? |
|
Definition
|
|
Term
| What is a Site Link Bridge? |
|
Definition
a collection of two or more site links that can be grouped as a single logical link.
-enabled by default
-if disabled, you must manually specify site link bridges |
|
|
Term
| What is a Bridgehead server? |
|
Definition
a domain controller in a site that replicates with domain controllers in other sites.
-REPLICATION WITHIN A SITE DOES NOT USE BRIDGEHEAD SERVERS |
|
|
Term
| What can be used to allow replication within mail messages in environments where WAN links are not available? |
|
Definition
SMTP
-can replicate only the configuration and schema directory partitions and global catalog read-only replicas.
-requires an enterprise CA when you use it over site links. |
|
|
Term
|
Definition
a number assigned to a site link that identifies the overall relative cost of using that site link.
-default is 100
-the lower the number, the more preferred the site link. |
|
|
Term
| What commands can you use to force replication? |
|
Definition
-Replicate now
-repadmin.exe /replicate |
|
|
Term
| What are the stages of DFS migration? |
|
Definition
1. Not initiated
2. Global state 0: at this stage DFS replication has not started yet. FRS is still being used
3. Global State 1: DFS begins to replicate but FRS is still the main replication method.
4. Global State 2: FRS continues to replicate but DFS becomes master
5. Global State 3: FRS completely stops and DFS becomes the sole source of replication. |
|
|
Term
| What does the schema master do? |
|
Definition
| Maintains the AD schema for the forest. |
|
|
Term
| What does the Domain Naming Master do? |
|
Definition
Adds new domains to and removes existing domains from the forest.
-ensures that domain names are unique |
|
|
Term
| What does the RID master do? |
|
Definition
| It allocates pools or blocks of numbers that are used by the domain controller when creating new security principals. |
|
|
Term
| What does the PDC emulator do? |
|
Definition
| acts like a Windows NT 4.0 Primary Domain Controller. It performs other tasks normally associated with NT domain controllers. |
|
|
Term
| What is the Infrastructure Master responsible for? |
|
Definition
| It is responsible for updating changes made to objects. |
|
|
Term
|
Definition
|
|
Term
|
Definition
| The Domain Name System (DNS) is a hierarchical, distributed database that maps logical host names to IP addresses |
|
|
Term
| What does a DNS server hold? |
|
Definition
| A DNS server holds a database of hostnames and their corresponding IP addresses. Clients query the DNS server to get the IP address of a given host. |
|
|
Term
| What was used before DNS? |
|
Definition
| a hosts file saved on each host computer |
|
|
Term
| What makes up the DNS hierarchy? |
|
Definition
The DNS hierarchy is made up of the following components:
- . (dot) domain (also called the root domain)
- Top Level Domains (TLDs) (.com, .edu, .gov)
- Second-level and additional domains
- Hosts |
|
|
Term
|
Definition
| Fully Qualified Domain Name - includes the host name and the name of all domains back to root. |
|
|
Term
| What makes DNS a distributed database? |
|
Definition
| DNS is a distributed database because no one server holds all of the DNS information. Instead, multiple servers hold portions of the data. |
|
|
Term
|
Definition
| Zones typically contain one or more domains, although additional servers might hold information for child domains. |
|
|
Term
|
Definition
| DNS servers hold zone files and process name resolution requests from client systems. |
|
|
Term
| What is a DNS forward lookup? |
|
Definition
| A forward lookup uses the host name (or the FQDN) to find the IP address |
|
|
Term
| What is a DNS reverse lookup? |
|
Definition
| A reverse lookup uses the IP address to find the host name (or FQDN). |
|
|
Term
|
Definition
| The A record maps a host name to an IP address and is used for forward lookups. |
|
|
Term
|
Definition
| The PTR record maps an IP address to a host name and is used for reverse lookups. |
|
|
Term
|
Definition
| The CNAME record provides an alternate name (an alias) for a host. |
|
|
Term
|
Definition
| The SRV record identifies a service, such as an Active Directory domain controller. |
|
|
Term
| How are DNS records created? |
|
Definition
| Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts automatically register and update their corresponding records with the DNS server. |
|
|
Term
| What is the process followed when a client computer needs to find an IP address? |
|
Definition
- The client examines its HOSTS file for the IP address.
- If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
- If the IP address is not in the cache, the client sends the request to a DNS server. |
|
|
Term
| What is the process when a DNS server receives a name resolution request? |
|
Definition
1) The DNS server examines its local DNS cache for the IP address
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or Recursion
5) After the information is found or received from another server, the DNS server returns the result to the client, and places the information in its server cache. |
|
|
Term
| What is an authoritative DNS server? |
|
Definition
| a DNS server that has a full, complete copy of all the records for a particular zone. |
|
|
Term
|
Definition
| Where the DNS server forwards the name resolution request to another DNS server, then waits for a response from that server |
|
|
Term
|
Definition
| Where the DNS server queries root domain servers, top-level domain server and other DNS servers in an iterative manner until it finds the one that hosts the target domain. |
|
|
Term
| What is a caching-only DNS server? |
|
Definition
| A caching-only DNS server has no zone information; it is not authoritative for any domains. It uses information in its server cache, or forwarding or recursion, to respond to client queries. |
|
|
Term
| Who can install DNS in Server 2008? |
|
Definition
| Members of the Domain Admins group |
|
|
Term
| Which versions of server 2008 can have DNS installed on them? |
|
Definition
| You can install DNS on any version of Windows Server 2008 except for the Windows Server 2008 Web Server edition. |
|
|
Term
| What type of IP address must the DNS server have? |
|
Definition
|
|
Term
| How would you add the DNS role from a command prompt (or on a server core)? |
|
Definition
| start /w ocsetup DNS-Server-Core-Role |
|
|
Term
| What command will give a list of installed services on a server? |
|
Definition
| Run the oclist command to get a list of services (including DNS) installed on a server. |
|
|
Term
| What can be used to manage DNS on Server 2008? |
|
Definition
| Use the DNS snap-in or the dnscmd command to manage DNS. |
|
|
Term
| What is a primary DNS zone? |
|
Definition
| the master copy of a zone database |
|
|
Term
| What is a secondary DNS zone? |
|
Definition
| A secondary zone is a read-only copy of the zone database. |
|
|
Term
| What is an Active Directory-integrated DNS zone? |
|
Definition
| An Active Directory-integrated zone holds zone data in Active Directory instead of a text file. |
|
|
Term
|
Definition
| A stub zone is a zone with only a partial copy of the zone database. |
|
|
Term
| What is the GlobalNames DNS zone? |
|
Definition
| The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution. |
|
|
Term
| What is a forward lookup DNS zone? |
|
Definition
| A forward lookup zone provides hostname-to-IP address resolution. Clients query the DNS server with the hostname, and receive the IP address in return. |
|
|
Term
| What is a reverse lookup DNS zone? |
|
Definition
| A reverse lookup zone provides IP address-to-hostname resolution. Clients query the DNS server with the IP address, and receive the hostname in return. |
|
|
Term
| How many servers can hold the primary zone file? |
|
Definition
| Only one server can hold the primary zone file. To place zone data on multiple servers, configure secondary servers. |
|
|
Term
| Where does Windows store standard zone data? |
|
Definition
| Windows stores standard zone data in the %windir%\System32\Dns directory. The file is a text file with .dns added to the zone name. |
|
|
Term
| Which types of zone support dynamic updates? |
|
Definition
| Primary and Active Directory-integrated zones support dynamic updates. Use an Active Directory-integrated zone to use secure dynamic updates. |
|
|
Term
| What types of record does a reverse lookup zone hold? |
|
Definition
| Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP address to an A record. |
|
|
Term
| What type of zones can a reverse lookup zone be? |
|
Definition
| A reverse lookup zone can be a primary zone, a secondary zone, or an Active Directory integrated zone. |
|
|
Term
| What is the SOA (Start of Authority) record? |
|
Definition
| The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone, and it is assigned to the DNS server hosting the primary copy of a zone. There is only one SOA record, and it is the first record in the zone database file. The SOA record includes parameters such as the authoritative server and the zone file serial number. |
|
|
Term
| What is an NS (Name Server) record? |
|
Definition
| The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone (all authoritative DNS servers). |
|
|
Term
| What is an A (Host Address) record? |
|
Definition
| The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the most common resource record type. |
|
|
Term
| What is an AAAA (Quad A) record? |
|
Definition
| The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address. |
|
|
Term
| What is an MX (Mail Exchanger) Record? |
|
Definition
| The MX record identifies servers that can be used to deliver e-mail. |
|
|
Term
|
Definition
| The CNAME record provides alternate names (or aliases) to hosts that already have a host record. Using a single A record with multiple CNAME records means that when the IP address changes, only the one A record needs to be modified. |
|
|
Term
|
Definition
| The DNAME record provides alternate names (or aliases) to domains that already have a host record. |
|
|
Term
| What is a SRV (Service Locator) record? |
|
Definition
| The SRV record is used by Windows Server 2008 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically creates these records as needed and during domain controller installation. |
|
|
Term
| What is a PTR (Pointer) record? |
|
Definition
| In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. "points" to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace. |
|
|
Term
| What are WINS and WINS-R records? |
|
Definition
| Add these records to a zone when you want to allow DNS to use WINS resolution. The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse query that is not resolvable through DNS. |
|
|
Term
| How can DNS records be automatically created on a DNS server? |
|
Definition
| By using Dynamic DNS. Dynamic DNS is required to support Active Directory. |
|
|
Term
| Which Windows clients support DDNS? |
|
Definition
| Windows clients (2000 and above) create their A records with the DNS server. Windows 9x/Me/NT clients do not support dynamic DNS. |
|
|
Term
| How does the DHCP server tie in with DDNS? |
|
Definition
| The DHCP server registers the PTR record with the DNS server for clients capable of dynamic updates. The DHCP server updates both the A and PTR records for clients that do not support dynamic updates. |
|
|
Term
| Are dynamic updates enabled by default on a primary zone? |
|
Definition
| Dynamic updates are not enabled on primary zones. You can enable dynamic updates when you create the zone or modify the zone properties later to enable this feature. |
|
|
Term
| Are dynamic updates enabled by default on an Active Directory-integrated zone? |
|
Definition
| Dynamic updates are enabled on Active Directory-integrated zones. Note: When you convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is retained. |
|
|
Term
| What are secure dynamic updates? |
|
Definition
| With secure dynamic updates, only domain members can create records, and only the original client can modify or remove records. |
|
|
Term
| What is used to keep track of changes to a DNS zone? |
|
Definition
| The zone serial number keeps track of changes to the zone. When you make changes to the zone, the serial number is incremented. |
|
|
Term
| What is a DNS master server? |
|
Definition
| A master server is the server from which the secondary copies the zone data. The master server can be the primary server or another secondary server. |
|
|
Term
| What are the two types of zone transfer? |
|
Definition
Zone transfers can copy all records or only changed records:
- A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
- A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default method on Windows Server 2008. |
|
|
Term
| Are zone transfers enabled in Server 2008 by default? |
|
Definition
| By default, zone transfer in Windows Server 2008 is disabled for security reasons. To use zone transfers, manually enable the feature in the DNS settings in Server Manager. |
|
|
Term
| How can you restrict the servers to which zone transfers are allowed? |
|
Definition
- Allow zone transfers only to servers that are listed as name servers.
- Allow zone transfers only to servers you specifically identify. |
|
|
Term
|
Definition
| Windows DNS servers support the use of DNS Notify. With DNS Notify, master servers are configured with a list of slave DNS servers. |
|
|
Term
| How does DNS notify work? |
|
Definition
- When a change takes place, the master notifies the slave servers that the zone has changed.
- The secondary server then initiates zone transfer, first checking the serial number, then requesting changes. |
|
|
Term
| What is a DNS caching server? |
|
Definition
| A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers. |
|
|
Term
| How does an Active Directory-integrated zone store DNS information? |
|
Definition
| An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when Active Directory replicates. |
|
|
Term
| How can you secure zone transfers to secondary servers? |
|
Definition
| Active Directory replication traffic is automatically secured. To secure zone transfers to secondary servers, use IPsec between servers. |
|
|
Term
| How can you force an update of DNS zone data? |
|
Definition
| You can force an update of zone data through the DNS console or by using the Dnscmd command |
|
|
Term
|
Definition
| A cached copy of a user's logon credentials that have been stored on the user's local workstation. |
|
|
Term
|
Definition
| The time difference between any client or member server and the domain controllers in a domain. |
|
|
Term
|
Definition
| A role that has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest. Upon creation of any of these, the Domain Naming Master ensures that the name assigned is unique to the forest. |
|
|
Term
|
Definition
| Global catalog service that listens on port 3268 to respond to requests to search for an object in Active Directory. |
|
|
Term
|
Definition
| An attribute has been stored in the partial attribute set replicated to all global catalog servers in the forest. |
|
|
Term
|
Definition
| A domain-specific role that is responsible for reference updates from its domain objects to other domains. This assists in tracking which domains own which objects. |
|
|
Term
|
Definition
| A forced, ungraceful transfer of a role. This procedure is used only in the event of a catastrophic failure of a domain controller that holds an FSMO role. |
|
|
Term
|
Definition
| Move a role to a new domain controller. |
|
|
Term
|
Definition
| Memberships stored in the global catalog. A universal group can contain users, groups and computers from any domain in the forest. In addition, universal groups through their membership in domain local groups, can receive permissions for any resource anywhere in the forest. |
|
|
Term
| universal group membership caching |
|
Definition
| This feature stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server. |
|
|
Term
|
Definition
PAS: A partial copy of all objects from other domains within the same forest. This partial copy of forest-wide data includes a subset of each object's attributes. |
|
|
Term
| Primary Domain Controller Emulator |
|
Definition
PDC Emulator: A role that provides backward compatibility for Microsoft Windows NT 4.0 domains and other down-level clients. |
|
|
Term
|
Definition
RID: A variable length number that is assigned to objects as they are created and becomes part of the object's security identifier (SID). |
|
|
Term
| Relative Identifier Master |
|
Definition
RID Master: Role that is responsible for assigning relative identifiers to domain controllers in the domain. Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created. |
|
|
Term
|
Definition
SID: A variable length number used to uniquely identify an object throughout the Active Directory domain. Part of the SID identifies the domain to which the object belongs and the other part is the RID. |
|
|
Term
|
Definition
Active Directory Domain Services: Windows Server 2008 service that provides a centralized authentication service for Microsoft networks. Provides the full-fledged directory service that is called Active Directory in Windows Server 2008 and previous versions of Windows Server. |
|
|
Term
|
Definition
Distinguished Name: The full name of the object that includes all hierarchical containers leading up to the root domain. The xxxxxxxxxxx begins with the object's common name and appends each succeeding parent container object, reflecting the object's location in the Active Directory structure. |
|
|
Term
|
Definition
Domain Controller: A server that stores the Active Directory database and authenticates users with the network during logon. |
|
|
Term
|
Definition
Knowledge Consistency Checker: An internal Active Directory process that automatically creates and maintains the replication topology. The xxxxxxxxxxx operates based on the information provided by an administrator in the Active Directory Sites and Services snap-in, which is located in the Administrative Tools folder on the domain controller, or an administrative workstation that has the Administrative Tools installed. |
|
|
Term
|
Definition
Naming Context An Active Directory partition. |
|
|
Term
|
Definition
Domain Name System The name resolution mechanism computers use for all Internet communications and for private networks that use the Active Directory domain services included with Microsoft Windows Server 2008, Windows Server 2003 and Windows 2000 Server. |
|
|
Term
|
Definition
Globally Unique Identifier A 128-bit number, usually written in hexadecimal, that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed or moved. |
|
|
Term
|
Definition
Lightweight Directory Access Protocol The industry-standard protocol that enables data exchange between directory services and applications. The xxxxxxxxx standard defines the naming of all objects in the Active Directory database and therefore provides a directory that can be integrated with other directory services, such as Novell eDirectory, and with Active Directory-aware applications, such as Microsoft Exchange. |
|
|
Term
|
Definition
Organizational Unit A container that represents a logical grouping of resources that have similar security or administrative guidelines. |
|
|
Term
|
Definition
Read-Only Domain Controller A domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers within Active Directory. This feature was introduced in Windows Server 2008. |
|
|
Term
|
Definition
| A partition that allows information to be replicated to administratively chosen domain controllers. An example of information that is commonly stored in an application partition is DNS data. xxxxxxxxx offer control over the scope and placement of information that is to be replicated |
|
|
Term
|
Definition
| Characteristics associated with an object class in Active Directory that make the object class unique within the database. The list of xxxxxxxs is defined only once in the schema, but the same xxxxxxxx can be associated with more than one object class. |
|
|
Term
|
Definition
| The configuration partition contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest. |
|
|
Term
|
Definition
| An object, such as a user, computer, or printer, that represents an end-node resource and does not contain other objects. Also known as a leaf object. |
|
|
Term
|
Definition
| Trust type that allows resources to be shared between Active Directory forests. |
|
|
Term
|
Definition
| Administration of an Organizational Unit is tasked to a department supervisor or manager, thus allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords. |
|
|
Term
|
Definition
| Allow businesses to define, manage, access, and secure network resources, including files, printers, people, and applications. |
|
|
Term
|
Definition
| A grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources, such as computers, printers, servers, applications, and file systems. |
|
|
Term
|
Definition
| Active Directory domain partition that is replicated to each domain controller within a particular domain. Each domain's xxxxxxx contains information about the objects that are stored within that domain: users, groups, computers, printers, Organizational Units, and more. |
|
|
Term
|
Definition
| In Active Directory, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship. Each Active Directory forest can contain one or more xxxxxxxs, each of which can, in turn, contain one or more domains. |
|
|
Term
|
Definition
| A one-way, nontransitive trust that is established with a Windows NT domain or a Windows 2000 domain in a separate forest |
|
|
Term
|
Definition
| The ability to respond gracefully to a software or hardware failure. In particular, a system is considered to be xxxxxxxx when it has the ability to continue providing authentication services after the failure of a domain controller. |
|
|
Term
|
Definition
| The largest container object within Active Directory. The xxxxxxxx container defines the fundamental security boundary within Active Directory, which means that a user can access resources across an entire Active Directory xxxxxxxx using a single logon/password combination. |
|
|
Term
|
Definition
| The first domain created within an Active Directory forest. |
|
|
Term
|
Definition
| Designed to offer support for Active Directory domain controllers running various supported operating systems by limiting functionality to specific software versions. As legacy domain controllers are decommissioned, administrators can modify the xxxxxxxxx to expose new functionality within Active Directory. Some features in Active Directory cannot be activated, for example, until all domain controllers in a forest are upgraded to a specific level. |
|
|
Term
|
Definition
| Occurs when a domain controller receives updates to the Active Directory database from other domain controllers on the network. |
|
|
Term
|
Definition
| A unique number used to identify each device on an IP network. IPv4 xxxxxxxxxxs are four octets long and are commonly expressed in dotted-decimal notation, such as 192.168.10.1. |
|
|
Term
|
Definition
| An object, such as a domain or an Organizational Unit, that is used to organize other objects. Also known as a container object. |
|
|
Term
|
Definition
| An improvement to replication that is available after the forest functional level has been raised to Windows Server 2003, or higher, enabling a single membership change to a group to trigger the replication of only the change to each member in the list, rather than the entire membership list. |
|
|
Term
|
Definition
| Active Directory DNS provides direction for network clients that need to know which server performs what function. |
|
|
Term
|
Definition
| Individual domain controllers in an Active Directory database may contain slightly different information, because it can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment. |
|
|
Term
|
Definition
| An element in Active Directory that refers to a resource. Xxxxxxxs can be container xxxxxxs or leaf xxxxxs. Containers are used to organize resources for security or organizational purposes; leaf xxxxxxs refer to the end-node resources, such as users, computers, and printers. |
|
|
Term
|
Definition
| Occurs when a domain controller transmits replication information to other domain controllers on the network. |
|
|
Term
|
Definition
| Portion of Active Directory database used to divide the database into manageable pieces. |
|
|
Term
|
Definition
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource.
2) An option used to deploy applications. It allows users to install the applications that they consider useful to them. |
|
|
Term
|
Definition
| The process of keeping each domain controller in sync with changes made elsewhere on the network. |
|
|
Term
|
Definition
| Upgrade strategy based on functional levels that allows enterprises to migrate their Active Directory domain controllers gradually, based on the need and desire for the new functionality. |
|
|
Term
|
Definition
| Master database that contains definitions of all objects in the Active Directory. |
|
|
Term
|
Definition
| The partition that contains the rules and definitions used for creating and modifying object classes and attributes within Active Directory. |
|
|
Term
|
Definition
| A manually created transitive trust that allows domains in separate trees of the same forest to authenticate more efficiently by eliminating the tree-walking of the trust path. |
|
|
Term
|
Definition
| One or more IP subnets connected by fast links. |
|
|
Term
|
Definition
| The locator records within DNS that allow clients to locate an Active Directory domain controller or global catalog. |
|
|
Term
|
Definition
| Enables administrators from a particular domain to grant access to their domain's resources to users in other domains. |
|
|
Term
|
Definition
| The building block of the DNS that maps a DNS hostname to a single IPv4 address. |
|
|
Term
|
Definition
| Feature offered by Read-Only Domain Controllers (RODCs) that enables an administrator to configure a user as the local administrator of a specific RODC without making the user a Domain Admin with far-reaching authority over all domain controllers in the entire domain and full access to the Active Directory domain data. |
|
|
Term
|
Definition
| The dynamic update feature that places a timestamp on a record, based on the current server time, when the IP address is added. This is part of the aging and scavenging process. |
|
|
Term
|
Definition
| The executable files needed to install Windows. |
|
|
Term
|
Definition
| The Active Directory Installation Wizard. |
|
|
Term
|
Definition
| Domain name limited to 15 characters that is maintained for legacy compatibility with older applications that cannot use DNS for their name resolution. |
|
|
Term
|
Definition
| Enables the DNS database to be updated with the changed information when the Internet Protocol (IP) address of a host changes. |
|
|
Term
|
Definition
| Zones necessary for computer hostname-to-IP address mapping, which are used for name resolution by various services. |
|
|
Term
|
Definition
| A domain controller that contains a partial replica of every domain in Active Directory. The xxxxxxxxx stores those attributes most frequently used in search operations (such as a user's first and last names) and those attributes required to locate a full replica of the object. The Active Directory replication system builds the global catalog automatically. |
|
|
Term
| incremental zone transfers |
|
Definition
| Method of conserving bandwidth by transferring part of a zone. |
|
|
Term
|
Definition
Active Directory Lightweight Directory Services Role that provides developers the ability to store data for directory-enabled applications without incurring the overhead of extending the Active Directory schema to support their applications. This feature was introduced in Windows Server 2008. |
|
|
Term
|
Definition
Directory Services Restore Mode A special startup mode in which AD DS is offline, used to run an offline defragmentation of the database or to restore Active Directory from backup. |
|
|
Term
|
Definition
Flexible Single Master Operations The specific single-master server roles that handle operations unsuited to multimaster replication (schema changes, domain naming, RID allocation, PDC emulation, and infrastructure updates) and thereby allow the rest of Active Directory to work as a multimaster system. |
|
|
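As an added example (not part of the original deck), the following PowerShell lists the five FSMO role holders and the functional levels, then checks that each holder answers. It assumes the ActiveDirectory RSAT module and a reachable domain; the netdom and dcdiag lines are the built-in equivalents.

```powershell
# Added example, not from the original deck. Assumes the ActiveDirectory RSAT module
# and a domain that is reachable from this machine.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide roles live on the forest object, the three per-domain roles on the domain object.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    ForestMode           = $forest.ForestMode      # gates features such as linked-value replication
    DomainMode           = $domain.DomainMode
} | Format-List

# Confirm each role holder actually answers; a dead or stale role holder blocks RID allocation,
# schema changes and preferential password replication without any obvious error.
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) | Select-Object -Unique
foreach ($dc in $holders) {
    $reachable = Test-Connection -ComputerName $dc -Count 1 -Quiet
    '{0,-40} reachable: {1}' -f $dc, $reachable
}

# Built-in tools that work on Server Core without the module:
netdom query fsmo
dcdiag /test:knowsofroleholders     # does every DC agree on who holds the roles?
dcdiag /test:ridmanager /v          # shows the RID pool the RID master has handed to this DC
```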
Term
|
Definition
fully qualified domain name The complete DNS name used to reference a host's location in the DNS structure. |
|
|
Term
|
Definition
Object Identifier A unique string used to identify every class or attribute added to a schema. OIDs must be globally unique, and they are represented by a hierarchical dotted-decimal notation string. |
|
|
Term
|
Definition
pointer The resource record that is the functional opposite of the A record, providing an IP address-to-name mapping for the system identified in the Name field, using the in-addr.arpa domain name. |
|
|
Term
|
Definition
User Principal Name A naming format that simplifies access to multiple services such as Active Directory and email. A xxxxxxxxx follows a naming convention that can reflect the forest root domain or another alias that follows the format of username@domain-name. |
|
|
Term
|
Definition
| A single occurrence of an element. |
|
|
Term
|
Definition
| The amount of time or delay it takes to replicate information throughout the network. |
|
|
Term
|
Definition
| A command-line tool that is used to create, delete, verify, and reset trust relationships from the Windows Server 2008 command line. |
|
|
Term
|
Definition
| A command-line tool that is critical for working with DNS on Server Core. |
|
|
Term
| Password Replication Policy |
|
Definition
| A list of user or group accounts whose passwords should be stored on a particular Read-Only Domain Controller (RODC) or should not be stored on the specific RODC. |
|
|
Term
|
Definition
| A mechanism to set up load balancing between multiple servers that are advertising the same SRV records. Clients will always use the record with the lowest-numbered priority first. They will only use an SRV record with a higher-numbered priority if the lower-numbered priority record is unavailable. |
|
|
Term
| restartable Active Directory |
|
Definition
| Feature that enables administrators to place the NTDS.DIT file in an offline mode without rebooting the domain controller outright. This feature was introduced in Windows Server 2008. |
|
|
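As an added example (not part of the original deck), the following PowerShell uses restartable AD DS to take the database offline, compact it with ntdsutil, verify it, and bring the directory back without a reboot. It must run elevated on the domain controller; the paths are assumptions.

```powershell
# Added example, not from the original deck. Run elevated on the domain controller.
# Paths are assumptions; adjust to the DC's NTDS location.
$compactDir = 'C:\NTDS-Compact'
$ntdsDir    = 'C:\Windows\NTDS'
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Restartable AD DS: take the directory offline without rebooting into DSRM.
# -Force also stops dependent services (KDC, DNS, DFSR and so on).
Stop-Service -Name NTDS -Force

# Offline defragmentation writes a compacted copy; the original stays untouched until you swap it in.
ntdsutil "activate instance ntds" "files" "compact to $compactDir" quit quit

# Keep the old database, move the compacted file into place, and clear the old log files
# (ntdsutil prints this instruction after a successful compact).
Copy-Item "$ntdsDir\ntds.dit" "$compactDir\ntds.dit.bak"
Copy-Item "$compactDir\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log"

# Check the database before bringing AD DS back; do not start NTDS if this reports errors,
# restore ntds.dit.bak instead.
ntdsutil "activate instance ntds" "files" "integrity" quit quit

Start-Service -Name NTDS
# Dependents that were stopped with NTDS do not always restart on their own.
Start-Service -Name kdc, DNS, DFSR -ErrorAction SilentlyContinue
```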
Term
|
Definition
| Zone that answers queries in which a client provides an IP address and DNS resolves the IP address to a hostname. |
|
|
Term
|
Definition
| The process of removing records that were not refreshed or updated within specified time intervals. |
|
|
Term
|
Definition
| A special installation option that creates a minimal environment for running only specific services and roles. Server Core runs without the Windows Desktop shell, which means that it must be administered exclusively from the command line or using Group Policy. This feature was introduced in Windows Server 2008. |
|
|
Term
|
Definition
| A utility that enables administrators to view any other roles the server might be performing. The Server Manager utility launches automatically at startup after the Initial Configuration Tasks utility is closed. It can be accessed manually through the shortcut provided in the Administrative Tools folder or directly from the Start menu. |
|
|
Term
|
Definition
| To begin the Active Directory installation at a central location, such as a data center, and then allow a local administrator to complete the configuration. |
|
|
Term
|
Definition
| A shared folder that exists on all domain controllers and is used to store Group Policy Objects, login scripts, and other files that are replicated domain-wide. |
|
|
Term
|
Definition
| The length of time a record is valid, after which it needs to be reregistered. |
|
|
Term
|
Definition
| Running dcpromo from the command line using a specially formatted text file to specify the necessary installation options. |
|
|
Term
|
Definition
| A relative weighting for SRV records that have the same priority. For example, consider three SRV records with the same priority and relative weights of 60, 20 and 20. Because 60 + 20 + 20 = 100, the record with the weight of 60 will be used 60/100, or 60%, of the time, whereas each of the other two records will be used 20/100, or 20 percent, of the time. |
|
|
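As an added example (not part of the original deck) covering the SRV priority and weight cards, the following PowerShell resolves the DC locator records the way a client orders them and then implements the RFC 2782 selection rule over a constructed record set that reproduces the 60/20/20 case. The domain name and the sample records are assumptions.

```powershell
# Added example, not from the original deck. $domainName is an assumption.
$domainName = 'corp.example'

# Live lookup: the DC locator records, ordered the way a client orders them.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table Name, Priority, Weight, Port, NameTarget -AutoSize

# RFC 2782 selection: lowest priority first, then weighted-random among records of that priority.
function Select-SrvTarget {
    param([Parameter(Mandatory)][object[]]$Records)
    $best = ($Records | Sort-Object Priority | Select-Object -First 1).Priority
    $candidates = @($Records | Where-Object { $_.Priority -eq $best })
    $total = ($candidates | Measure-Object -Property Weight -Sum).Sum
    if ($total -eq 0) { return ($candidates | Get-Random) }   # all weights 0: plain random choice
    $roll = Get-Random -Minimum 0 -Maximum $total              # 0 .. total-1
    foreach ($rec in $candidates) {
        $roll -= $rec.Weight
        if ($roll -lt 0) { return $rec }
    }
}

# Constructed records: the 60/20/20 case from the card plus a lower-priority fallback.
$sample = @(
    [pscustomobject]@{ NameTarget = 'dc1.corp.example'; Priority = 0;  Weight = 60;  Port = 389 }
    [pscustomobject]@{ NameTarget = 'dc2.corp.example'; Priority = 0;  Weight = 20;  Port = 389 }
    [pscustomobject]@{ NameTarget = 'dc3.corp.example'; Priority = 0;  Weight = 20;  Port = 389 }
    [pscustomobject]@{ NameTarget = 'dc4.corp.example'; Priority = 10; Weight = 100; Port = 389 }  # used only if priority 0 is unavailable
)

$tally = @{}
1..1000 | ForEach-Object {
    $t = (Select-SrvTarget -Records $sample).NameTarget
    $tally[$t] = 1 + [int]$tally[$t]
}
# Expect roughly 600 / 200 / 200 for dc1 / dc2 / dc3 and no hits on dc4.
$tally.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

A zero weight is allowed by the RFC and is handled here; a record with weight 0 among non-zero weights is effectively never picked, which is the usual way to park a DC without removing its record.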
Term
|
Definition
| The process of replicating DNS zone information from one DNS server to another. |
|
|
Term
|
Definition
| Each replication transaction does not need to complete before another can start because the transaction can be stored until the destination server is available. |
|
|
Term
|
Definition
| The server at each site that acts as a gatekeeper in managing site-to-site replication. This allows intersite replication to update only one domain controller within a site. After a xxxxxxxx is updated, it updates the remainder of its domain controller partners with the newly replicated information. |
|
|
Term
|
Definition
| Method used by domain controllers to inform one another when changes need to be replicated. Each domain controller will hold a change for 45 seconds before forwarding it, after which it will transmit the change to each of its replication partners at 3-second intervals. |
|
|
Term
|
Definition
| To reduce the size of transmitted data to decrease the use of network bandwidth. |
|
|
Term
|
Definition
| The link, created by the Knowledge Consistency Checker, between domain controllers that replicate with one another in a site. |
|
|
Term
|
Definition
| The amount of time required for replication so that all domain controllers in the environment contain the most up-to-date information. |
|
|
Term
|
Definition
| Value assigned to a site link object to define the path that replication will take. If more than one path can be used to replicate information, cost assignments determine which path is chosen first; the lower-numbered cost value is preferred. |
|
|
Term
|
Definition
| A command-line tool used for monitoring Active Directory. |
|
|
Term
| dual counter-rotating ring |
|
Definition
| Created by the Knowledge Consistency Checker for the replication path. If one domain controller in the ring fails, traffic is routed in the opposite direction to allow replication to continue. |
|
|
Term
|
Definition
| A value assigned to a site link that determines how often information will be replicated over the site link. |
|
|
Term
|
Definition
Classless Inter-Domain Routing Form of notation that shows the number of bits being used for the subnet mask. For example, for an IP address of 192.168.64.0 with a mask of 255.255.255.0, the CIDR representation would be 192.168.64.0/24. |
|
|
Term
|
Definition
Intersite Topology Generator A process that selects a bridgehead server and maps the topology to be used for intersite replication. |
|
|
Term
|
Definition
linked-value replication An improvement to replication that is available for use after the forest functional level has been raised to Windows Server 2003 or higher, enabling a single membership change to a group to trigger the replication of only this change to each member in the list, rather than the entire membership list. |
|
|
Term
|
Definition
Remote Procedure Calls over Internet Protocol Default protocol used for all replication traffic. |
|
|
Term
|
Definition
Simple Mail Transfer Protocol Transport protocol used for intersite replication when a direct or reliable IP connection is unavailable. It can carry only the schema, configuration, and application partitions, not the domain partition. |
|
|
Term
|
Definition
update sequence number A local value, maintained by each domain controller, that tracks the changes that are made at each DC, thus tracking which updates should be replicated to other domain controllers. |
|
|
Term
|
Definition
| The process of replicating Active Directory information between domain controllers within a site. |
|
|
Term
|
Definition
| The process of replicating Active Directory information from one site to another. |
|
|
Term
| preferred bridgehead servers |
|
Definition
| The administrator's list of servers to be used as bridgehead servers. A bridgehead server is the server at each site that acts as a gatekeeper in managing site-to-site replication. |
|
|
Term
|
Definition
| A command-line tool that can check replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and Knowledge Consistency Checker (KCC) recalculation. |
|
|
Term
|
Definition
| Servers that inform each other when updates are necessary. The Knowledge Consistency Checker (KCC) selects one or more replication partners for each domain controller in the site. |
|
|
Term
|
Definition
| Defines the path used by replication traffic. |
|
|
Term
|
Definition
| Determines the time when a site link object is available to replicate information. |
|
|
Term
|
Definition
| Defines a chain of site links by which domain controllers from different sites can communicate. |
|
|
Term
|
Definition
| A connection between two or more sites that enables intersite replication |
|
|
Term
|
Definition
| An attribute set on an object to indicate when it was last updated. Timestamps are used to assist in the resolution of conflicts during replication. If a change was made to an attribute of the same object, the timestamp can help determine which object is the most up-to-date. |
|
|
Term
|
Definition
| Default characteristic of site links that use the same transport protocol. A domain controller in any site can connect to a domain controller in any other site by navigating a chain of site links. |
|
|
Term
|
Definition
| The change will be placed at the "beginning of the line" and it will be applied before any other changes that are waiting to be replicated. |
|
|
Term
|
Definition
| A value associated with each Active Directory attribute that keeps track of how many times that attribute has been changed. |
|
|
Term
|
Definition
| The network infrastructure between sites defined by fast and reliable IP subnets. |
|
|
Term
| What is a Certificate Revocation List (CRL) ? |
|
Definition
| A Certificate Revocation List (CRL) is a digitally signed list of unexpired certificates that a particular CA has revoked. |
|
|
Term
| AD CS supports two types of CRLs ? |
|
Definition
AD CS supports two types of CRLs.

A Base CRL is the full list of revoked certificates.

A Delta CRL lists only certificates that have been revoked since the last Base CRL was published. |
|
|
Term
|
Definition
| CRL Distribution Point (CDP) |
|
|
Term
| What is a CRL Distribution Point (CDP) ? |
|
Definition
| A CRL Distribution Point (CDP) is a certificate extension that indicates where the CRL for a particular CA can be retrieved. |
|
|
Term
|
Definition
| Lightweight Directory Access Protocol |
|
|
Term
|
Definition
| Using CDPs enables PKI clients and administrators to locate and retrieve the relevant CRL, and enables administrators to update the entries it contains. A published CRL is valid only for a specified time period, after which clients must fetch a new one. |
|
|
Term
|
Definition
Active Directory (AD): You use AD as the CDP to publish and store CRLs for enterprise CAs, which use certificate templates. PKI users can retrieve CRL data from an AD CDP using LDAP.

Accessing CRLs via a directory service uses more bandwidth than accessing CRLs directly because it requires that every client be able to authenticate to every server. Directories must be linked so that results can be located and passed back to the requesting PKI client.

A local directory: You use the local directory of a CA server as the CDP to store CRLs on standalone CAs, which don't require AD or use certificate templates. By default, standalone CAs hold all certificate requests in a pending queue until a CA administrator approves them.

PKI users can access CRL data in a local directory via the Internet or an extranet, using HTTP or FTP. |
|
|
Term
|
Definition
| Online Certificate Status Protocol |
|
|
Term
|
Definition
| The OCSP enables you to manage and distribute the revocation status of a certificate via the Online Responder service. |
|
|
Term
|
Definition
| You use OCSP to submit a certificate status request to an Online Responder. The Online Responder service uses OCSP to issue a digitally signed certificate status response, based on the CRLs that are provided to it by CAs. |
|
|
Term
| configure an Online Responder |
|
Definition
You can use the following sets of properties to configure an Online Responder:

Web Proxy
Audit
Security |
|
|
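As an added example (not part of the original deck) covering the CRL, CDP and OCSP cards above, the following PowerShell shows where a certificate tells clients to look for revocation data, performs an online revocation check of the whole chain, and then uses certutil for the same check and for publishing a fresh CRL on the CA. The certificate path is an assumption and the certutil publish/registry lines must run on the CA.

```powershell
# Added example, not from the original deck. $certPath is an assumption; the certutil -CRL
# and -getreg lines must run on the CA itself.
$certPath = 'C:\temp\user.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# Where will a client go for revocation data? The CDP extension (2.5.29.31) carries the CRL URLs
# (LDAP for an AD CDP, HTTP for a local directory); the AIA extension (1.3.6.1.5.5.7.1.1)
# carries the OCSP responder URL.
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
        "--- $($ext.Oid.FriendlyName) ---"
        $ext.Format($true)
    }
}

# Build the chain with online revocation checking for every certificate in it, not only the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
"Chain valid: $valid"
$chain.ChainStatus | Format-Table Status, StatusInformation -AutoSize
# 'Revoked' means the CA listed it. 'RevocationStatusUnknown' or 'OfflineRevocation' means the
# CDP or OCSP responder could not be reached; a strict relying party treats that as a failure, not a pass.

# certutil prints each CDP and OCSP URL it tried and whether the base and delta CRL were fetched.
certutil -verify -urlfetch $certPath

# On the CA: publish a new base CRL (and delta CRL, if configured) now, then inspect the
# publication intervals that decide how stale a cached CRL can be.
certutil -CRL
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod
```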
Term
| To validate whether AD replicated fine between two DCs, run which command? |
|
Definition
|
|
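As an added example (not part of the original deck), the following PowerShell answers the card above with repadmin, the tool the deck defines earlier, and with the replication cmdlets. The DC and account names are assumptions; the Get-ADReplication* cmdlets need the ActiveDirectory module from Windows Server 2012 RSAT or later.

```powershell
# Added example, not from the original deck. DC and account names are assumptions; the
# Get-ADReplication* cmdlets need the ActiveDirectory module from Windows Server 2012 RSAT or later.
$dc1 = 'DC1'
$dc2 = 'DC2'

# 1. Overall health: largest replication delta and failure counts per DC.
repadmin /replsummary

# 2. Per-partner detail for the two DCs: last success time and result code per partition.
repadmin /showrepl $dc1
repadmin /showrepl $dc2

# 3. Force replication across all partitions, then re-check.
#    A = all partitions, d = identify servers by DN, e = enterprise (cross-site), P = push.
repadmin /syncall $dc1 /AdeP

# 4. The same data from PowerShell, filtered down to anything that is not healthy.
Import-Module ActiveDirectory
Get-ADReplicationPartnerMetadata -Target $dc1, $dc2 -PartnerType Both |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 }

Get-ADReplicationFailure -Target $dc1, $dc2

# 5. Spot-check one object on both DCs. whenChanged and the attribute version number should match
#    once the change has converged; uSNChanged is local to each DC and is expected to differ.
$sam = 'jdoe'
foreach ($dc in $dc1, $dc2) {
    $u = Get-ADUser -Identity $sam -Server $dc -Properties uSNChanged, whenChanged
    '{0}: uSNChanged={1} whenChanged={2}' -f $dc, $u.uSNChanged, $u.whenChanged
}
foreach ($dc in $dc1, $dc2) {
    Get-ADReplicationAttributeMetadata -Object (Get-ADUser -Identity $sam -Server $dc).DistinguishedName -Server $dc |
        Where-Object { $_.AttributeName -eq 'pwdLastSet' } |
        Select-Object @{ n = 'DC'; e = { $dc } }, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}
```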
Term
| If users at a Branch are to log onto a Domain using RODC ? |
|
Definition
| Password Replication Policy should be configured. |
|
|
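As an added example (not part of the original deck), the following PowerShell configures the Password Replication Policy for a branch RODC as the card above describes, pre-populates the cache, and then audits which secrets the RODC actually holds. The RODC and group names are assumptions; it needs the ActiveDirectory module.

```powershell
# Added example, not from the original deck. RODC and group names are assumptions.
Import-Module ActiveDirectory
$rodc  = 'BRANCH-RODC1'
$group = 'Branch-Users'

# Current policy: who may be cached on this RODC, and who must never be.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Let branch users log on through the RODC even when the WAN link is down: add their group to
# the allowed list. The RODC caches a user's secrets the first time that user authenticates.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# Optionally pre-populate the cache so that even the first logon does not depend on the WAN.
Get-ADGroupMember -Identity $group | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source (Get-ADDomain).PDCEmulator -Destination $rodc -PasswordOnly
}

# Audit what is actually cached. An RODC in a branch office can be stolen; every account
# revealed here must be treated as compromised if that happens.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, SID

# Privileged accounts are denied by default, but re-check after every policy edit.
$revealed | Where-Object { $_.SID.Value -match '-(500|502|512|516|518|519)$' }

# The same view from the command line:
repadmin /prp view $rodc reveal
```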
Term
|
Definition
| Active Directory Certificate Services |
|
|
Term
|
Definition
| Public Key Infrastructure |
|
|
Term
|
Definition
| Certification Authorities |
|
|
Term
|
Definition
| A CA is used to issue digital certificates and the directories are used to store policies and certificates. |
|
|
Term
|
Definition
| Certificate Revocation List |
|
|
Term
|
Definition
| A CRL is a digitally signed list of unexpired certificates revoked by a CA. |
|
|
Term
| What are Certificate Templates ? |
|
Definition
| Certificate templates give instructions to users about procedures for creating and submitting a valid certificate request. This is an essential part of an enterprise CA and enables an administrator to recognize, configure, and issue certificates that have been pre-configured for selected tasks. |
|
|
Term
| Where are Certificate templates stored ? |
|
Definition
Certificate templates are stored in Active Directory Domain Services (AD DS).

This enables them to be used by all CAs in a forest and ensures that the CAs have access to the current standard templates. |
|
|
Term
| Benefits of using Certificate Templates ? |
|
Definition
Consistent application of the certificate policy across the forest.

There are default templates that can be used. |
|
|
Term
| Default Certificate Templates Available are ? |
|
Definition
Computer
Cross Certification Authority
Directory Email Replication
CEP Encryption
Code Signing
Domain Controller
Domain Controller Authentication
EFS Recovery Agent |
|
|
Term
| How many versions of Certificate Templates are available ? |
|
Definition
Version 1
Version 2
Version 3 |
|
|
Term
| Explain Version 1 certificate Template ? |
|
Definition
Version 1 certificate templates are available in a Windows 2000 Server PKI. When a CA is installed, these templates are created by default and cannot be removed or modified. However, you can create a duplicate copy of a version 1 template and change it to a modifiable version 2 or version 3 template.

Version 1 templates are supported by CAs configured on Windows 2000 Server and Windows Server 2003 Standard Edition, which support only version 1 templates. |
|
|
Term
| Explain Version 2 certificate Template ? |
|
Definition
| Version 2 certificate templates enable you to customize the settings and permissions of a template based on your needs. These templates are only issued by Enterprise CAs installed on Windows Server 2003 Enterprise Edition or higher. |
|
|
Term
| Explain Version 3 certificate Template ? |
|
Definition
| Version 3 certificate templates enable an administrator to add the advanced Suite B cryptographic settings to their certificates. These settings contain advanced options for digital signatures, encryption, hashing, and key exchange. Administrators can only issue certificates based on version 3 certificate templates from CAs installed on Windows Server 2008 servers. These certificates can only be used on clients running Windows Server 2008 or Windows Vista. |
|
|
Term
| Windows Server 2000 and Windows Server 2003 Standard Edition CAs support which version of certificate templates? |
|
Definition
| Version 1 only |
|
Term
| Windows Server 2003 Datacenter and Enterprise Edition CAs – support which version of certificate templates ? |
|
Definition
| Versions 1 and 2 |
|
Term
| Windows Server 2008 CAs support which version of certificate templates ? |
|
Definition
| support for versions 1, 2, and 3 |
|
|
Term
| What are the permissions that you can assign to a certificate template ? |
|
Definition
The permissions that you can assign to a certificate template are:

Full Control
Enroll
Autoenroll
Read
Write |
|
|
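As an added example (not part of the original deck) covering the cards on where templates are stored and which permissions they carry, the following PowerShell reads every template's ACL from the Configuration partition and maps the ACEs back to the five permission names above, then lists the grants a PKI reviewer would question. It assumes the ActiveDirectory module (whose AD: drive is used for Get-Acl); the mapping from ACL bits to dialog names is an approximation noted in the comments.

```powershell
# Added example, not from the original deck. Assumes the ActiveDirectory module; the AD: drive
# it provides is used to read each template's ACL from the Configuration partition.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs that back the Enroll and Autoenroll permissions in the template dialog.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$AllGuids        = [guid]'00000000-0000-0000-0000-000000000000'   # an ACE granting all extended rights
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-TemplatePermission {
    param([Parameter(Mandatory)][string]$TemplateDN)
    $acl = Get-Acl -Path ("AD:\" + $TemplateDN)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Approximate mapping of ACL bits to the dialog's permission names.
        $rights = @()
        if (($ace.ActiveDirectoryRights -band $R::GenericAll)    -ne 0) { $rights += 'Full Control' }
        if (($ace.ActiveDirectoryRights -band $R::WriteProperty) -ne 0) { $rights += 'Write' }
        if (($ace.ActiveDirectoryRights -band $R::GenericRead)   -ne 0) { $rights += 'Read' }
        if (($ace.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0) {
            if ($ace.ObjectType -in $EnrollRight, $AllGuids)     { $rights += 'Enroll' }
            if ($ace.ObjectType -in $AutoEnrollRight, $AllGuids) { $rights += 'Autoenroll' }
        }
        if ($rights.Count -gt 0) {
            [pscustomobject]@{
                Template  = (($TemplateDN -split ',')[0] -replace '^CN=')
                Principal = $ace.IdentityReference.Value
                Rights    = ($rights -join ', ')
            }
        }
    }
}

$perms = Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' |
    ForEach-Object { Get-TemplatePermission -TemplateDN $_.DistinguishedName }

$perms | Sort-Object Template, Principal | Format-Table -AutoSize

# Review points: Enroll/Autoenroll granted to broad principals, and Write or Full Control held by
# anyone outside the PKI admins, because Write lets the holder change what the template issues.
$perms | Where-Object {
    ($_.Rights -match 'Enroll' -and $_.Principal -match 'Domain Users|Authenticated Users|Everyone|Domain Computers') -or
    ($_.Rights -match 'Write|Full Control' -and $_.Principal -notmatch 'Enterprise Admins|Domain Admins|SYSTEM')
}
```

Because templates live in the Configuration partition, this listing is forest-wide: the same ACL governs every enterprise CA that publishes the template.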
Term
| Note : Windows Server 2008 enables key archival and recovery to prevent potential loss of data that can result from the loss of a key. |
|
Definition
| Note: This process enables a Key Recovery Agent (KRA) to retrieve archived private keys, along with the original certificates and public keys, from the CA database. |
|
|
Term
| Note : Enterprise CAs can archive a user's private key in their database when certificates are issued. These private keys are encrypted and stored by a CA. |
|
Definition
| Note :A private key can be recovered at a later time by using the private key archive. |
|
|
Term
| How do you configure your environment for key archival ? |
|
Definition
To configure your environment for key archival, you will need to:

* configure a KRA certificate template and enroll the KRA for a KRA certificate

* enable key archival for a CA |
|
|
Term
| How do you configure a KRA certificate template ? |
|
Definition
You need to add the KRA certificate template to a CA.

If the template is configured with Read and Enroll permissions for the KRA, the new KRA can use the Certificates snap-in and the Certificate Request Wizard to request a KRA certificate.

If the template is configured with the Autoenroll permission, the certificate is issued automatically the next time the user logs on to the network. |
|
|
Term
| Restricted groups policy settings enable you to manage the membership of groups. |
|
Definition
| Restricted groups policy settings enable you to manage the membership of groups. |
|
|
Term
Remember that Member Of settings are cumulative, and that if GPOs use the Members setting, only the Members setting with the highest GPO processing priority will be applied, and its list of members will prevail. |
|
Definition
Remember that Member Of settings are cumulative, and that if GPOs use the Members setting, only the Members setting with the highest GPO processing priority will be applied, and its list of members will prevail. |
|
|
Term
Delegating Administration Using Restricted Groups Policies with the Member Of Setting. |
|
Definition
In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. |
|
|
Term
You want to add a group to the local Administrators group on computers without removing accounts that already exist in the group. Describe the restricted groups policy you should create. |
|
Definition
| Create a restricted groups policy for the group you wish to add. Use the Member Of policy setting (This Group Is A Member Of) and specify Administrators |
|
|
Term
|
Definition
| Group Policy Management Console |
|
|
Term
|
Definition
| Group Policy Management Editor |
|
|
Term
|
Definition
A policy setting can have three states:

Not Configured,
Enabled,
and Disabled. |
|
|
Term
| A single GPO can be linked to more than one site or OU. |
|
Definition
| A single GPO can be linked to more than one site or OU. |
|
|
Term
| What is the Scope of the GPO : Security Filters ? |
|
Definition
You can narrow the scope of a GPO with Security Filters, which specify the global security groups to which the GPO should or should not apply. |
|
|
Term
|
Definition
| Windows Management Instrumentation |
|
|
Term
| What do Windows Management Instrumentation (WMI) filters do for the scope of a GPO ? |
|
Definition
Windows Management Instrumentation (WMI) filters narrow the scope of a GPO using characteristics of a system, such as operating system version or free disk space. |
|
|
Term
| What is the Resultant Set of Policy (RSoP) ? |
|
Definition
Users or computers are likely to be within the scope of multiple GPOs linked to the sites, domain, or OUs in which the users or computers exist.

This leads to the possibility that policy settings might be configured differently in multiple GPOs.

You must be able to understand and evaluate the Resultant Set of Policy (RSoP), which determines the settings that are applied by a client when the settings are configured divergently in more than one GPO. |
|
|
Term
| Refresh settings for Policy settings in the Computer Configuration node ? |
|
Definition
Policy settings in the Computer Configuration node are applied at system startup and every 90-120 minutes thereafter. |
|
|
Term
| Policy Refresh settings User Configuration policy settings ? |
|
Definition
User Configuration policy settings are applied at logon and every 90-120 minutes thereafter. |
|
|
Term
| Manual Refresh of Group policy settings is done using ? |
|
Definition
gpupdate.exe
/force
/logoff
/target:{ computer | user }
/wait:value
/boot |
|
|
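As an added example (not part of the original deck) covering the refresh, RSoP and restricted groups cards above, the following PowerShell forces a policy refresh, produces RSoP reports locally and for a remote computer/user pair, reads the restricted groups definition out of a GPO report, and verifies on the target that the Member Of policy added the group without removing existing members. The GPO, computer, user and group names are assumptions; the Get-GP* cmdlets need the GroupPolicy RSAT module and Get-LocalGroupMember needs PowerShell 5.1 or later.

```powershell
# Added example, not from the original deck. GPO, computer, user and group names are assumptions;
# the Get-GP* cmdlets need the GroupPolicy RSAT module, Get-LocalGroupMember needs PowerShell 5.1+.
$gpoName = 'Branch Local Admins'
$group   = 'CORP\Branch-Helpdesk'

# Force a refresh of both halves of policy instead of waiting for the 90-120 minute cycle.
# /wait caps how long to block; security settings are otherwise re-applied only every 16 hours.
gpupdate /target:computer /force /wait:120
gpupdate /target:user /force /wait:120

# RSoP for the current user and computer: which GPOs applied, which were filtered out and why.
gpresult /r
gpresult /h "$env:TEMP\rsop.html" /f

# The same report for a remote computer/user pair, run from an admin workstation.
Import-Module GroupPolicy
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop-remote.html" -Computer 'BRANCH-PC01' -User 'CORP\jdoe'

# Read the restricted groups definition inside the GPO itself. Member Of entries are additive,
# a Members entry is authoritative and replaces the group's membership.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
Select-Xml -Xml $report -XPath "//*[local-name()='RestrictedGroups']" |
    ForEach-Object { $_.Node.OuterXml }

# Verify the result on a target computer: the helpdesk group is present and the pre-existing
# members survived (a Members-style policy would have removed them).
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, PrincipalSource
if (-not ($admins | Where-Object { $_.Name -eq $group })) {
    Write-Warning "$group is not in the local Administrators group; check gpresult for the GPO and its security filter"
}
```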
Term
| What are the tools associated with Group Policy Updation ? |
|
Definition
Gpupdate
Secedit
FLEX COMMAND

FLEX COMMAND: Helps with group updates of workstations. It can be applied directly to OUs. |
|
|
Term
| Security settings are reapplied every 16 hours even if a GPO has not changed. |
|
Definition
| Security settings are reapplied every 16 hours even if a GPO has not changed. |
|
|
Term
| Always Wait For Network At Startup And Logon policy setting |
|
Definition
| Without this setting, by default, Windows XP and Windows Vista clients perform only background refreshes, meaning that a client might start up and a user might log on without receiving the latest policies from the domain. |
|
|
Term
|
Definition
| Group Policy Software Installation |
|
|
Term
Startup, logon, logoff, and shutdown scripts will not run if the user is disconnected from the enterprise network.
|
Definition
Startup, logon, logoff, and shutdown scripts will not run if the user is disconnected from the enterprise network.
|
|
Term
| If a user is disconnected from the Enterprise network does group policy still apply itself ? |
|
Definition
| Yes, The previously applied group policy settings are still applied. |
|
|
Term
| The local GPO exists whether or not the computer is part of a domain, a workgroup, or a non-networked environment. |
|
Definition
| The local GPO exists whether or not the computer is part of a domain, a workgroup, or a non-networked environment. |
|
|
Term
| By default, only the Security Settings policies are configured on a system’s local GPO. All other policies are set to Not Configured. |
|
Definition
| By default, only the Security Settings policies are configured on a system’s local GPO. All other policies are set to Not Configured. |
|
|
Term
| When AD DS is installed, two default GPOs are created: the Default Domain Policy and the Default Domain Controllers Policy. |
|
Definition
- Default Domain Policy: This GPO is linked to the domain and has no security group or WMI filters.
- Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers.
|
|
Term
|
Definition
| globally unique identifier |
|
|
Term
| By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated |
|
Definition
| By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated. |
|
|
Term
| Describe the default Group Policy processing behavior, including refresh intervals and CSE application of policy settings |
|
Definition
| Every 90–120 minutes, the Group Policy Client service determines which GPOs are scoped to the user or computer and downloads any GPOs that have been updated, based on the GPOs’ version numbers. CSEs process the policies in the GPOs according to their policy processing configuration. By default, most CSEs apply policy settings only if a GPO has been updated. Some CSEs also do not apply settings if a slow link is detected. |
|
|
Term
|
Definition
| Directory Replication Agent |
|
|
Term
|
Definition
| The GPC is an Active Directory object stored in the Group Policy Objects container within the domain naming context of the directory. Like all Active Directory objects, each GPC includes a globally unique identifier (GUID) attribute that uniquely identifies the object within Active Directory. The GPC defines basic attributes of the GPO, but it does not contain any of the settings. The settings are contained in the GPT, a collection of files stored in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPO GUID path, where GPO GUID is the GUID of the GPC. When you make changes to the settings of a GPO, the changes are saved to the GPT of the server from which the GPO was opened. |
|
|
Term
| Scripting Languages that can be used to write code for Group Policy in Windows Server 2008 |
|
Definition
| Microsoft Visual Basic, Scripting Edition (VBScript), Microsoft JScript, Perl, and Microsoft MS DOS style batch files (.bat and .cmd). |
|
|
Term
| A GPO is actually two components: a Group Policy Container (GPC) and a Group Policy Template (GPT). |
|
Definition
| A GPO is actually two components: a Group Policy Container (GPC) and a Group Policy Template (GPT). |
|
|
Term
|
Definition
| Knowledge Consistency Checker |
|
|
Term
| How is Group Policy Container GPC of GPO replicated ? |
|
Definition
| The GPC in Active Directory is replicated by the Directory Replication Agent (DRA) using a topology generated by the Knowledge Consistency Checker (KCC). |
|
|
Term
| The GPT in the SYSVOL is replicated using one of two technologies. The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, Windows Server 2003, and Windows 2000. If all domain controllers are running Windows Server 2008, you can configure SYSVOL replication using Distributed File System Replication (DFS-R), a much more efficient and robust mechanism. |
|
Definition
| The GPT in the SYSVOL is replicated using one of two technologies. The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, Windows Server 2003, and Windows 2000. If all domain controllers are running Windows Server 2008, you can configure SYSVOL replication using Distributed File System Replication (DFS-R), a much more efficient and robust mechanism. |
|
|
Term
| What does the Group Policy Verification Tool Gpotool.exe do? |
|
Definition
| Gpotool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs that lead to inconsistent versions of a GPC and GPT. |
|
|
Term
| In both the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings. |
|
Definition
| In both the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings. |
|
|
Term
| Policies in the Administrative Templates node in the Computer Configuration node modify registry values in the HKEY_LOCAL_MACHINE (HKLM) key. |
|
Definition
| Policies in the Administrative Templates node in the Computer Configuration node modify registry values in the HKEY_LOCAL_MACHINE (HKLM) key. |
|
|
Term
| Policies in the Administrative Templates node in the User Configuration node modify registry values in the HKEY_CURRENT_USER (HKCU) key. |
|
Definition
| Policies in the Administrative Templates node in the User Configuration node modify registry values in the HKEY_CURRENT_USER (HKCU) key. |
|
|
Term
| ADM and ADMX/ADML administrative templates can coexist. These are administrative template files. |
|
Definition
| ADM and ADMX/ADML administrative templates can coexist. These are administrative template files. |
|
|
Term
| Another new Group Policy feature in Windows Server 2008 is starter GPOs. A starter GPO contains Administrative Template settings. |
|
Definition
| Another new Group Policy feature in Windows Server 2008 is starter GPOs. A starter GPO contains Administrative Template settings. |
|
|
Term
| Starter GPOs can contain only Administrative Templates policy settings. |
|
Definition
| Starter GPOs can contain only Administrative Templates policy settings. |
|
|
Term
| You can centralize the management of administrative templates by creating a central store |
|
Definition
| You can centralize the management of administrative templates by creating a central store |
|
|
Term
| Windows Server 2008 also adds the ability to attach comments to GPOs and policy settings |
|
Definition
| Windows Server 2008 also adds the ability to attach comments to GPOs and policy settings |
|
|
Term
1. Litware, Inc., has three business units, each represented by an OU in the litwareinc.com domain. The business unit administrators want the ability to manage Group Policy for the users and computers in their OUs. Which actions do you perform to give the administrators the ability to manage Group Policy fully for their business units? (Choose all that apply. Each correct answer is a part of the solution.)
A. Copy administrative templates from the central store to the Policy Definitions folder on the administrators’ Windows Vista workstations.
B. Add business unit administrators to the Group Policy Creator Owners group.
C. Delegate Link GPOs permission to the administrators in the litwareinc.com domain.
D. Delegate Link GPOs permission to each business unit’s administrators in the business unit’s OU.
|
Definition
1. Correct Answers: B and D
A. Incorrect: The central store is used to centralize administrative templates so that they do not have to be maintained on administrators’ workstations.
B. Correct: To create GPOs, the business unit administrators must have permission to access the Group Policy Objects container. By default, the Group Policy Creator Owners group has permission, so adding the administrators to this group will allow them to create new GPOs.
C. Incorrect: Business unit administrators require permission to link GPOs only to their business unit OU, not to the entire domain. Therefore, delegating permission to link GPOs to the domain grants too much permission to the administrators.
D. Correct: After creating a GPO, business unit administrators must be able to scope the GPO to users and computers in their OU; therefore, they must have the Link GPOs permission.
|
|
Term
You are an administrator at Contoso, Ltd. At a recent conference, you had a conversation with administrators at Fabrikam, Inc. You discussed a particularly successful set of configurations you have deployed using a GPO. The Fabrikam administrators have asked you to copy the GPO to their domain. Which steps can you and the Fabrikam administrators perform?
A. Right-click the Contoso GPO and choose Save Report. Create a GPO in the Fabrikam domain, right-click it, and choose Import.
B. Right-click the Contoso GPO and choose Back Up. Right-click the Group Policy Objects container in the Fabrikam domain and choose Restore From Backup.
C. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Paste.
D. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Import Settings.
|
Definition
Correct Answer: D
A. Incorrect: A saved report is an HTML or XML description of a GPO and its settings. It cannot be imported into another GPO.
B. Incorrect: The Restore From Backup command is used to restore a GPO in its entirety.
C. Incorrect: You cannot paste settings into a GPO.
D. Correct: You can import settings to an existing GPO from the backed-up settings of another GPO.
|
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain in the company network. Windows Server 2008 is run by all domain controllers, which are configured as DNS servers. A domain controller named DC01 has a standard primary zone for wiikigo.com. A domain controller named DC02 has a standard secondary zone for wiikigo.com. You have to make sure that the replication of the wiikigo.com zone is encrypted. You must not lose any zone data. So what action should you perform?
A. The zone transfer settings of the standard primary zone should be configured. The Master Servers list on the secondary zone should be modified.
B. The interface that the DNS server listens on should be modified on both servers.
C. The primary zone should be converted into an Active Directory-integrated zone. The secondary zone should be deleted.
D. The primary zone should be converted into an Active Directory-integrated stub zone. The secondary zone should be deleted.
|
Definition
|
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an organizational unit named Production in your company. The Production organizational unit has a child organizational unit named R D. After a GPO named Software Deployment is created by you, you link it to the Production organizational unit. You create a shadow group for the R D organizational unit. You have to deploy an application to users in the Production organizational unit. You also need to make sure that the application is not deployed to users in the R D organizational unit. What are two possible ways to achieve this goal?
A. In order to achieve this goal, security filtering on the Software Deployment GPO should be configured to Deny Apply group policy for the R D security group.
B. In order to achieve this goal, the Enforce setting should be configured on the Software Deployment GPO.
C. In order to achieve this goal, the Block Inheritance setting should be configured on the R D organizational unit.
D. In order to achieve this goal, the Block Inheritance setting should be configured on the Production organizational unit.
|
Definition
|
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. You have a domain controller named DC01. Windows Server 2008 is run by this domain controller. DC01 is configured as a DNS server for wiikigo.com. You have the DNS Server server role installed on a member server which is named Server01, and then you create a standard secondary zone for wiikigo.com. DC01 is configured as the master server for the zone. You have to make sure that Server01 receives zone updates from DC01. What action should you perform?
A. The zone transfer settings for the wiikigo.com zone should be modified on DC01.
B. The Server01 computer account should be added to the DNSUpdateProxy group.
C. A conditional forwarder should be added on S01.
D. The permissions of the wiikigo.com zone should be modified on DC01.
|
Definition
|
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There are two domain controllers named DC01 and DC02 in your company. All domain and forest operations master roles are hosted by DC01. DC01 fails. Since you are the technical support, you are required to reinstall the operating system to rebuild DC01. In addition, you are required to have all operations master roles rolled back to their original state. A metadata cleanup is performed and all references to DC01 are removed. Which actions should be performed to achieve the goal? (Choose three from the options below, and then put them in the correct order.)
1/ Operations master roles should be transferred from DC01 to DC02.
2/ Operations master roles should be transferred from DC02 to DC01.
3/ Operations master roles should be seized from DC01 to DC02.
4/ Operations master roles should be seized from DC02 to DC01.
5/ DC01 should be rebuilt as a replica domain controller.
6/ DC02 should be rebuilt as a domain controller.
A. 3->5->2
B. 3->6->1
C. 4->5->2
D. 4->6->1
|
Definition
|
|
Term
You work as a technology specialist in an international company named Wiikigo. Your major job is to configure Windows Server 2008 Active Directory, and you are experienced in configuring the Active Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the company. Not all domain controllers in the forest are configured as Global Catalog servers. One root domain and one child domain are contained in your domain structure. You modify the folder permissions on a file server that is in the child domain. You find that some access control entries start with S-1-5-21 and that no account name is listed. You have to list the account names. So what action should you perform?
A. The schema should be modified to enable replication of the friendlynames attribute to the Global Catalog.
B. The RID master role in the child domain should be moved to a domain controller that holds the Global Catalog.
C. The infrastructure master role in the child domain should be moved to a domain controller that does not hold the Global Catalog.
D. The RID master role in the child domain should be moved to a domain controller that does not hold the Global Catalog.
|
Definition
|
|
Term
| How would you delegate control of an AD OU to a user? |
|
Definition
- Right-click the OU
- Delegate Control
- Choose the user
- Choose the appropriate option
- Finish
|
|
Term
|
Definition
| An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain. |
|
|
Term
| What are the different types of OU? |
|
Definition
| Parent OUs are OUs that contain other OUs. Child OUs are OUs within other OUs. |
|
|
Term
| What organisational structures can you not apply GPOs to? |
|
Definition
|
|
Term
| What is group policy inheritance? |
|
Definition
| Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs. |
|
|
Term
| What setting should be set at creation to prevent an AD OU being accidentally deleted? |
|
Definition
| When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured. |
|
|
Term
| How would you delete an AD object that is protected from deletion? |
|
Definition
| To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object. |
|
|
Term
| What is delegation of authority? |
|
Definition
| Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups. |
|
|
Term
| What is the Builtin Default Container? |
|
Definition
| The Builtin container holds default service administrator accounts and domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks. |
|
|
Term
| What is the Computers default container? |
|
Definition
| The Computers container holds all computers joined to the domain without a computer account. It is the default location for new computer accounts created in the domain. |
|
|
Term
| What is the Domain Controllers default container? |
|
Definition
| The Domain Controllers OU is the default location for the computer accounts for domain controllers. |
|
|
Term
| What is the LostAndFound default container? |
|
Definition
| The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container. |
|
|
Term
| What is the NTDS Quotas default container? |
|
Definition
| The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own. |
|
|
Term
| What is the Program Data default container? |
|
Definition
| The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it. |
|
|
Term
| What is the System default container? |
|
Definition
| The System container holds configuration information about the domain including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies. |
|
|
Term
| What is the Users default container? |
|
Definition
| The Users container holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks. |
|
|
Term
| What is special about AD containers? |
|
Definition
| They are automatically created and cannot be deleted |
|
|
Term
| What is special about the Domain Controllers OU |
|
Definition
| It is the only default OU, and it can have a GPO applied, whereas the other default containers cannot have a GPO applied |
|
|
Term
| How would you view hidden containers in AD Users and Computers? |
|
Definition
| Click Advanced Features from the View menu |
|
|
Term
| Which containers are hidden by default in AD Users and Computers? |
|
Definition
- LostAndFound
- NTDS Quotas
- Program Data
- System
|
|
Term
| What is special about AD containers and how do they differ from OUs? |
|
Definition
| They are automatically created and cannot have GPOs applied to them. |
|
|
Term
| What is the SAM database? |
|
Definition
| A local database that allows users to access local resources on the machine |
|
|
Term
| What are the two types of user account? |
|
Definition
|
|
Term
| What is a local user account? |
|
Definition
A local user account is created and stored on a local system and is not distributed to any other system.
- Local user accounts are created with the Computer Management console.
- The local Security Accounts Manager (SAM) manages the user account information.
- Only local resources are accessible with local user accounts.
|
|
Term
| What is a domain user account? |
|
Definition
| A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain. |
|
|
Term
| How can domain user accounts be created? |
|
Definition
| Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell. |
|
|
Term
| What is unique to each domain user account? |
|
Definition
| Each domain user account has a unique security identifier (SID) to identify the user. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions. |
|
|
Term
| How can external users with email accounts be represented in AD? |
|
Definition
| External users which need an e-mail account, can be represented through a contact object |
|
|
Term
| What is a contact object? |
|
Definition
| an account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such as e-mail or phone number, to Active Directory. Applications, such as Exchange, can search for attributes of contact objects. |
|
|
Term
| What is the user or logon name? |
|
Definition
| The user or logon name is the name of the user account |
|
|
Term
| What is the user principal name (UPN)? |
|
Definition
The User Principal Name (UPN) combines the user account name with the DNS domain name.
- The UPN format is also known as the SMTP address format.
- The DNS domain name in the UPN is known as the UPN suffix.
- By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name.
|
|
Term
| What is the LDAP Distinguished Name (DN)? |
|
Definition
The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes:
- Domain Component (DC)
- Organizational Unit (OU)
- Common Name (CN)
|
|
Term
| What is the Relative Distinguished Name (RDN) |
|
Definition
| The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object’s container. |
|
|
Term
| When would you use the "User cannot change password" option? |
|
Definition
| when you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account. |
|
|
Term
| How would you unlock an account? |
|
Definition
| To unlock an account, go to the Account tab in the account object's Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account. |
|
|
Term
| What should you do if a user account is accidentally deleted? |
|
Definition
| Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account. |
|
|
Term
| How would you add a User Principal Name (UPN) suffix to a forest? |
|
Definition
1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.
|
|
Term
| What is a computer account? |
|
Definition
| A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device |
|
|
Term
| How would you prestage a computer account? |
|
Definition
| From Active Directory Users and Computers, create a computer account. This process is called prestaging computer accounts. From the workstation, join the domain. The workstation will be associated with the computer account you created previously. |
|
|
Term
| Where is the computer account created when you join a workstation to the domain? |
|
Definition
| In the Computers built-in container |
|
|
Term
| How would you control where computer accounts are placed when a computer joins the domain? |
|
Definition
| Create computer accounts ahead of time (pre-stage them). |
|
|
Term
| Which groups have permissions to create a computer account? |
|
Definition
- Account Operators
- Domain Admins
- Enterprise Admins
|
|
Term
| How many computers are the Authenticated Users group members allowed to join to the domain (from a workstation)? |
|
Definition
| 10 - this will also create the computer account automatically if it doesn't already exist. This ability comes from the Add workstations to a domain user right. |
|
|
Term
| How would you allow a specific user to join a specific computer to the domain? |
|
Definition
| You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account. |
|
|
Term
| How would you give other users permissions to create computer accounts in AD? |
|
Definition
| By giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs. |
|
|
Term
| Will a computer receive group policy settings once the computer account is created? |
|
Definition
| No, the computer must be joined to the domain before it receives any GPO settings or AD receives any workstation-specific information |
|
|
Term
| What commands can be used to create computer accounts from a command prompt or script? |
|
Definition
| dsadd or netdom. (Use netdom join to join a computer to the domain.) |
|
|
Term
| What establishes a secure channel between a computer and the domain controller? |
|
Definition
| The computer password (automatically generated when the computer joins the domain). |
|
|
Term
| Where is the computer account password saved? |
|
Definition
| On the local computer and in AD. By default, it is changed every 30 days. |
|
|
Term
| What might cause a computer to fail to authenticate to the domain? |
|
Definition
| If the two computer passwords (on the local machine and in AD) become unsynchronised. This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name. |
|
|
Term
|
Definition
| Local groups exist only on the local computer, and control access to local resources. |
|
|
Term
|
Definition
| Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups. |
|
|
Term
|
Definition
| Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use. |
|
|
Term
| What membership can a global group have? |
|
Definition
Global groups can contain members within the same domain. These include:
- Global groups in the same domain (in native mode only).
- Users and computers within the same domain.
|
|
Term
| What should a global group be used for? |
|
Definition
| Use global groups to group users and computers within the domain who have similar access needs. |
|
|
Term
| What membership can a domain local group have? |
|
Definition
Domain local groups can contain members from any domain in the forest. These include:
- Domain local groups in the same domain (in native mode only).
- Global groups within the forest.
- Universal groups within the forest (in native mode only).
- Users and computers within the forest.
|
|
Term
| What membership can a universal group have? |
|
Definition
Universal groups can contain members from any domain in the forest. These include:
- Universal groups within the forest.
- Global groups within the forest.
- Users and computers within the forest.
|
|
Term
| What resources can global groups permission? |
|
Definition
| Global groups can be assigned permissions to resources anywhere in the forest. |
|
|
Term
| What resources can domain local groups permission? |
|
Definition
| Domain local groups can be assigned permissions within a domain. |
|
|
Term
| What resources can universal groups permission? |
|
Definition
| Universal groups can be assigned permissions to resources anywhere in the forest. |
|
|
Term
| What should global groups be used for? |
|
Definition
| Create global groups to organize users (e.g., Sales or Development). |
|
|
Term
| What should domain local groups be used for? |
|
Definition
| Create domain local groups that represent the domain resources (shares, folders, printers) to which you want to control access, and then assign permissions on each resource to its domain local group. |
|
|
Term
| What should universal groups be used for? |
|
Definition
| Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups. |
|
|
Term
| What is a security group? |
|
Definition
A security group is one that can be used to manage rights and permissions.

- Group members get the permissions that are granted to the group.
- A security group is an object with a security identifier (SID) which, through its member attribute, collects other objects such as users, computers, contacts and other groups. |
|
|
Term
| Which type of AD group should be used for assiging permissions? |
|
Definition
| Security groups. Only a security group has a SID, so only a security group can appear in an ACL; distribution groups cannot be assigned permissions. |
|
Term
| What is a distribution group? |
|
Definition
| A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions. |
|
|
Term
| What happens if you convert a security group to a distribution group? |
|
Definition
The group keeps its SID, but the SID is no longer placed in its members' access tokens, so any ACE that names the group stops applying to them.

Members lose access that was granted through the group, and any Deny ACE assigned to the group stops blocking them, so the conversion can both prevent legitimate access and allow unwanted access. Converting back to a security group restores the original behaviour because the SID is unchanged. |
|
|
Term
| How would you convert a global group to a domain local group? |
|
Definition
| First convert to a universal group, then to a domain local. |
|
|
Term
| Can you convert a global group nested in another global group into a universal group? |
|
Definition
| No - a universal group cannot be a member of a global group |
|
|
Term
| Can you make a universal group a member of a global group? |
|
Definition
| No. A global group can contain only users, computers and (in native mode) other global groups from its own domain, so a universal group is not a valid member. |
|
Term
| What happens when a group is deleted? |
|
Definition
| The group object and its SID are deleted. ACEs that reference the SID remain on resources but can no longer be resolved to a name and grant nothing; re-creating a group with the same name produces a new SID, so the new group does not inherit the old permissions. |
|
|
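An added PowerShell example for this card (not part of the original card set): find ACEs on a folder tree whose trustee no longer resolves to a name, which is what is left behind when a group or user is deleted. It relies on Get-Acl returning an unresolvable trustee as its raw SID text (S-1-5-21-...) rather than as DOMAIN\Name, works on PowerShell 2.0 and later, and the path is a placeholder.

```powershell
function Find-OrphanedAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Walk the tree; Where-Object keeps this usable on PowerShell 2.0 (no -Directory switch)
    $folders = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            # A trustee that still exists is returned as NTAccount (DOMAIN\Name);
            # a deleted principal is left as its raw domain SID (S-1-5-21-...).
            if ($ace.IdentityReference.Value -match '^S-1-5-21-') {
                New-Object PSObject -Property @{
                    Path      = $folder.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType   # a dead Deny no longer blocks anyone
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage:
# Find-OrphanedAce -Path 'D:\Shares\Finance' | Format-Table Path, Sid, Rights, Type -AutoSize
```

Orphaned Allow entries are clutter; orphaned Deny entries are the ones to review, because whatever they were blocking is no longer blocked.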
Term
| How can you recover a deleted group? |
|
Definition
- Re-create the group, add all the original group members, and reassign any permissions granted to the group.
- Restore the group from a recent backup. |
|
|
Term
| When are the default local groups created? |
|
Definition
| During Windows installation |
|
|
Term
| Can you rename or delete the default local groups? |
|
Definition
You CAN rename them.

You CANNOT delete them. |
|
|
Term
| What is the Administrators default local group? |
|
Definition
| Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The group contains the Administrator user account (by default) and any account designated as a computer administrator. |
|
|
Term
| What is the Backup Operators default local group? |
|
Definition
| Members of the Backup Operators group can back up and restore files regardless of their permissions, log on locally, and shut down the system; they cannot change security settings. Because the backup and restore privileges bypass file ACLs, treat the group as privileged: a member can read any file on the computer, including its credential databases. |
|
|
Term
| What is the User default local group? |
|
Definition
Members of the Users group:

- Can use the computer but cannot perform system administration tasks, and might not be able to run legacy applications.
- Cannot share directories, and cannot install printers if the driver is not yet installed.
- Cannot view or modify system files. |
|
|
Term
| What group do "limited" (standard user) accounts become a member of automatically? |
|
Definition
| Users default local group |
|
|
Term
| What is the Power Users default local group? |
|
Definition
| Members of the Power Users group have no more user rights or permissions than a standard user account, by default. For legacy applications requiring the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions present in previous versions of Windows |
|
|
Term
| What is the Guests default local group? |
|
Definition
| Members of the Guests group have limited rights (similar to members of the Users group), such as shutting down the system. Members of the Guests group have a temporary profile created at log on, that is then deleted when the member logs off. |
|
|
Term
| What is the Administrators default domain group? |
|
Definition
| Full control over the domain controllers, including every available right in the system (the only built-in group that automatically has all rights), including the Take ownership of files or other objects right. |
|
|
Term
| What is the Server Operators default domain group? |
|
Definition
| Log on locally, back up and restore files and directories, change the system time, and force a local or remote shutdown. Can also create and delete shared resources, format the hard disk, and start and stop some services. Abilities extend to domain controllers. |
|
|
Term
| What is the Backup Operators default domain group? |
|
Definition
| Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings. |
|
|
Term
| What is the Account Operators default domain group? |
|
Definition
| Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups. |
|
|
Term
| What is the Guests default domain group? |
|
Definition
| The domain Guest account is a member of this group. The group does not have any default rights. |
|
|
Term
| What is the Network Configuration Operators default domain group? |
|
Definition
| Change TCP/IP settings including changes on domain controllers. |
|
|
Term
| What is the Print Operators default domain group? |
|
Definition
| Create, share, manage, and delete printers on domain controllers. Manage Active Directory printer objects. Log on locally, add or remove device drivers, and shut down domain controllers. |
|
|
Term
| What is the Users default domain group? |
|
Definition
| Perform common tasks such as running applications, using local and remote printers, and locking workstations. By default the Domain Users group is a member of this group, so every domain user is included. |
|
|
Term
| Which default domain groups are created in the Built-In Container? |
|
Definition
Administrators
Server Operators
Backup Operators
Account Operators
Guests
Network Configuration Operators
Print Operators
Users |
|
|
Term
| What default domain groups are created in the Users container in AD? |
|
Definition
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Schema Admins
Read-Only Domain Controllers
DHCP Administrators
Cert Publishers |
|
|
Term
| What is the Domain Admins default domain group? |
|
Definition
| Full control over the domain. This group is a member of the Administrators group on all computers when they are joined to the domain. This means that members of the Domain Admins group can perform all tasks on any computer in the domain (including domain controllers). |
|
|
Term
| What is the Domain Computers default domain group? |
|
Definition
| Contains all computers that are members of the domain. When you join a computer to the domain, it becomes a member of this group. |
|
|
Term
| What is the Domain Controllers default domain group? |
|
Definition
| Contains all domain controllers. When a computer is made a domain controller, it is added to this group. |
|
|
Term
| What is the Domain Guests default domain group? |
|
Definition
| Contains all domain guests. It does not have any default rights |
|
|
Term
| What is the Domain Users default domain group? |
|
Definition
| Contains all domain users. This group can be used to give access to all users in a domain. |
|
|
Term
| What is the Enterprise Admins default domain group? |
|
Definition
| Full control over all domains in the forest. The group exists only in the forest root domain and is a member of the built-in Administrators group in every domain of the forest, so its members can perform any task on any domain controller in the forest. |
|
|
Term
| What is the Schema Admins default domain group? |
|
Definition
| Full control over the Active Directory schema. The group exists only in the forest root domain; by default, the forest root Administrator account is a member. |
|
|
Term
| What is the Read-Only Domain Controllers default domain group? |
|
Definition
| Contains all read-only domain controllers in the domain, in the same way that the Domain Controllers group contains the writable domain controllers. A server is added when it is promoted to an RODC. |
|
|
Term
| What is the DHCP Administrators default domain group? |
|
Definition
| Contains all members who have administrative access to the DHCP service. |
|
|
Term
| What is the Cert Publishers default domain group? |
|
Definition
| Contains all members which are permitted to publish certificates to the directory. |
|
|
Term
| Describe the AGDLP strategy |
|
Definition
A: Place user Accounts
G: into Global groups
DL: into Domain Local groups
P: assign Permissions to the domain local groups |
|
|
Term
| When is the AGDLP strategy used? |
|
Definition
| Used in mixed mode domains and in native mode domains; it does not rely on universal security groups, which are not available in mixed mode. |
|
|
Term
| What is group nesting? |
Definition
| Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler--as long as you remember what permissions you have assigned at each level. |
|
|
Term
| When is the AGUDLP strategy used? |
|
Definition
| Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains. |
|
|
Term
| Describe the AGUDLP strategy |
|
Definition
A: Place user Accounts
G: into Global groups
U: into Universal groups
DL: into Domain Local groups
P: assign Permissions to the domain local groups |
|
|
Term
| When is the ALP strategy used? |
|
Definition
Used on workstations and member servers.

ALP is best used in a workgroup environment, not in a domain. |
|
|
Term
| Describe the ALP strategy |
|
Definition
A: Place user Accounts
L: into Local groups
P: assign Permissions to the local groups |
|
|
Term
| When should universal groups be used? |
|
Definition
| Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups. |
|
|
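An added PowerShell example (not part of the original card set) that implements the AGDLP chain from the cards above end to end, and shows where the universal layer goes for AGUDLP. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later); the OU, group names, share path, user accounts and the second domain are placeholders.

```powershell
Import-Module ActiveDirectory

$groupOu = 'OU=Groups,DC=contoso,DC=com'      # assumed
$share   = 'D:\Shares\Finance'                # assumed resource
$netbios = (Get-ADDomain).NetBIOSName

# A -> G : a global group collects the accounts that share a role
$role = New-ADGroup -Name 'Finance Staff' -GroupScope Global -GroupCategory Security `
                    -Path $groupOu -PassThru
Add-ADGroupMember -Identity $role -Members 'jfleming', 'asmith'   # assumed sAMAccountNames

# G -> DL : a domain local group names one resource at one access level
$resource = New-ADGroup -Name 'ACL_Finance_Modify' -GroupScope DomainLocal -GroupCategory Security `
                        -Path $groupOu -PassThru
Add-ADGroupMember -Identity $resource -Members $role

# DL -> P : the permission is granted to the domain local group, never to users
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$netbios\$($resource.SamAccountName)",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# AGUDLP: in a multi-domain forest a universal group sits between G and DL and
# collects the global groups of every domain (second domain assumed).
# $emeaRole = Get-ADGroup -Identity 'Finance Staff' -Server 'emea.contoso.com'
# $all = New-ADGroup -Name 'Finance Staff (Forest)' -GroupScope Universal -GroupCategory Security `
#                    -Path $groupOu -PassThru
# Add-ADGroupMember -Identity $all -Members $role, $emeaRole
# Add-ADGroupMember -Identity $resource -Members $all

# Check 1: who can actually reach the share, flattened through the nesting
Get-ADGroupMember -Identity $resource -Recursive | Select-Object objectClass, SamAccountName

# Check 2: a user placed directly in the resource group bypasses the model
Get-ADGroupMember -Identity $resource |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Write-Warning "Direct user member of $($resource.Name): $($_.SamAccountName)" }
```

Naming the domain local group after the resource and the access level (ACL_Finance_Modify) makes the second check meaningful: any user who turns up as a direct member was added outside the model and should be moved into the role group instead.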
Term
| What group should be used if both the users and resources are located in Multiple Domains? |
|
Definition
| Universal groups, nested between the global and domain local layers (AGUDLP): the global groups from each domain go into a universal group, which is placed in the domain local group that holds the permissions in each resource domain. |
|
Term
| What groups should not be used in a single domain design? |
|
Definition
| Universal groups. With a single domain there are no cross-domain memberships to collect, so AGDLP covers every case and universal groups only add global catalog replication. |
|
Term
| How can you start AD Users and Computers? |
|
Definition
- Server Manager _x000D_ - Administrative Tools (from the Control Panel or Start menu) _x000D_ - Running dsa.msc |
|
|
Term
| What is ADSI Edit? |
Definition
| Active Directory Service Interfaces Editor (ADSI Edit) acts as a low-level GUI editor for common administrative tasks such as adding, deleting, and moving objects. |
|
|
Term
| What can you use ADSI Edit for? |
|
Definition
| You can use ADSI Edit to query, view, and edit attributes that are not exposed through other MMC snap-ins (such as Active Directory Users and Computers). |
|
|
Term
| What does the command dsadd do? |
|
Definition
| Dsadd creates a new object in Active Directory. |
|
|
Term
| What does the command dsquery do? |
|
Definition
| Dsquery finds objects that match the search criteria (allows a search through the whole forest). The command returns a list of objects that match the search criteria. Use Dsquery * to search all object types. |
|
|
Term
| What does the Dsget command do? |
|
Definition
| Dsget retrieves property information about an object. Use the -expand switch to show nested group membership for users. |
|
|
Term
| What does the dsmod command do? |
|
Definition
| Dsmod modifies or changes the properties of an object. |
|
|
Term
| What does the dsrm command do? |
|
Definition
| Dsrm removes (deletes) objects. Use the -subtree option to delete a container object and all objects below that object. |
|
|
Term
| What does the movetree command do? |
|
Definition
| Movetree (from the Support Tools) moves an OU and its objects to another domain in the same forest (it does not move computer objects). |
|
|
Term
| What does the netdom command do? |
|
Definition
| Netdom adds computer objects, joins a computer to a domain, and moves computer objects. |
|
|
Term
| What does the Csvde command do? |
Definition
| The Csvde command imports and exports Active Directory objects using a comma-separated list file. |
|
|
Term
| What operations does Csvde support? |
Definition
| Csvde can read existing information from Active Directory (export) or create new objects in Active Directory (import). |
|
|
Term
| Can Csvde modify existing objects? |
Definition
| You cannot use Csvde to modify existing objects in Active Directory. |
|
|
Term
| Will Csvde import passwords for user accounts? |
|
Definition
| No. Passwords are neither exported nor imported by Csvde (the unicodePwd attribute cannot be set with it), so imported accounts must be given a password afterwards. |
|
Term
| What does the Ldifde command do? |
|
Definition
| The Ldifde command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files. |
|
|
Term
| What are some common uses for Ldifde? |
|
Definition
- Using Ldifde to export a set of Active Directory objects, modifying various attributes, and then re-importing the file to change the attributes.
- Exporting or importing data that exists on non-Active Directory LDAP directories. |
|
|
Term
| How can you manage passwords with Ldifde? |
|
Definition
| Passwords are not exported with user accounts. You can change the password of an existing account with a .ldif file, but you cannot create a new user account with a password in the same operation. |
|
|
Term
| How would you export a user account and then import it with a password with Ldifde? |
|
Definition
1) Export the user accounts. The unicodePwd attribute is never exported, so the field is blank.
2) Import the file to create the accounts. They are created disabled, with no password, and the user will be forced to change the password at next logon.
3) Edit the .ldif file so that each record uses changetype: modify; add a unicodePwd value for each account (the password in double quotes, encoded as UTF-16LE and then Base64) and set userAccountControl to enable the account.
4) Run Ldifde with the edited file to modify the existing accounts. Because the import sets unicodePwd, it must go over LDAP with SSL (the -t 636 option against a DC that has a server certificate). |
|
|
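An added PowerShell example for steps 3 and 4 (not part of the original card set): build the modify LDIF file with correctly encoded unicodePwd values and import it with ldifde over LDAPS. The accounts are assumed to exist already (created by the earlier import), the DC name, DN and password are placeholders, and the DC must have a server certificate so port 636 is available.

```powershell
function ConvertTo-UnicodePwd {
    param([Parameter(Mandatory = $true)][string]$Password)
    # AD expects the password surrounded by double quotes, as UTF-16LE, then Base64 for LDIF
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('"' + $Password + '"'))
}

function New-PasswordLdif {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Accounts,   # DN -> initial password
        [Parameter(Mandatory = $true)][string]$OutFile
    )
    $records = foreach ($dn in $Accounts.Keys) {
        $encoded = ConvertTo-UnicodePwd -Password $Accounts[$dn]
@"
dn: $dn
changetype: modify
replace: unicodePwd
unicodePwd:: $encoded
-
replace: userAccountControl
userAccountControl: 512
-
"@
    }
    # Records are separated by a blank line; ASCII is enough because the
    # password travels Base64-encoded inside the file
    [System.IO.File]::WriteAllText($OutFile, (($records -join "`r`n`r`n") + "`r`n"),
                                   [System.Text.Encoding]::ASCII)
}

# Constructed input: one account created by the earlier import
$accounts = @{ 'CN=Josephine Fleming,OU=People,DC=contoso,DC=com' = 'Tmp-Pa55w0rd!' }
$ldif = 'C:\temp\setpwd.ldf'
New-PasswordLdif -Accounts $accounts -OutFile $ldif

# -i import, -f file, -t 636 forces LDAP over SSL (required for unicodePwd),
# -s target DC, -k keep going past per-record errors
& ldifde.exe -i -f $ldif -t 636 -s dc01.contoso.com -k

# The file holds credentials (only Base64-obscured): remove it once the import succeeded
Remove-Item -Path $ldif -Force
```

userAccountControl 512 is NORMAL_ACCOUNT with the disabled bit cleared; the must-change-at-next-logon state set by the first import is not touched, so the users still have to pick their own password.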
Term
| What does the Ldp command do? |
|
Definition
| The Ldp utility allows you to search for and view the properties of multiple Active Directory objects. It is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying results. |
|
|
Term
| What is the Active Directory Migration Tool? |
|
Definition
| The Active Directory Migration Tool (ADMT) is a GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another. |
|
|
Term
| Where can you move AD objects with ADMT? |
|
Definition
| You can move objects to different domains within the same forest (intraforest), or to domains in other forests (interforest). |
|
|
Term
| What must be in place for an interforest migration in ADMT? |
|
Definition
| The target forest must trust the source forest. |
|
|
Term
| activate Windows from the command line (Server Core) |
Definition
| cscript C:\Windows\System32\slmgr.vbs -ato |
|
|
Term
| add server Core roles, components or features |
|
Definition
| ocsetup.exe <component> [/switch] |
|
|
Term
| ADSI |
Definition
| Active Directory Service Interfaces: the COM interface to directory services that Windows PowerShell uses through the [ADSI] type accelerator. |
|
|
Term
| Authentication |
Definition
| The mechanism by which an identity is validated by comparing secrets such as passwords provided by the user or computer to secrets maintained in the identity store |
|
|
Term
| Csvde |
Definition
| a command-line tool that imports or exports Active Directory objects from or to a comma-delimited text file. |
|
|
Term
| DACL |
Definition
| Discretionary access control list: the part of an object's security descriptor that holds the Allow and Deny ACEs. |
|
|
Term
| Domain |
Definition
| An administrative unit of Active Directory. Within a domain, all domain controllers replicate information about objects such as users, groups and computers in the domain. |
|
|
Term
| DS command syntax |
Definition
| Most of the DS commands take two modifiers after the command itself: the object type and the object's DN. |
|
|
Term
| dsadd |
Definition
| creates an object in the directory, e.g. dsadd user "<UserDN>" -samid <pre-Windows 2000 logon name> -pwd {<Password> | *} -mustchpwd yes |
|
|
Term
| dsget |
Definition
| returns specified attributes of an object |
|
|
Term
| dsmod |
Definition
| Modifies specified attributes of an object |
|
|
Term
| dsmove |
Definition
| moves an object to a new container or OU |
|
|
Term
| dsquery |
Definition
| performs a query based on parameters provided at the command line and returns a list of matching objects |
|
|
Term
| dsrm |
Definition
| Removes an object, all objects in the subtree beneath a container object, or both |
|
|
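An added PowerShell example (not part of the original card set) that drives the ds* tools described in this glossary and in the earlier dsquery/dsget/dsrm cards for two routine audits: the fully expanded membership of a privileged group, and user accounts that have been inactive for a number of weeks. It assumes the ds* tools are installed (AD DS or RSAT) and that the group DN and the approved-member list are placeholders.

```powershell
# Nested membership of a privileged group, expanded through every level.
function Get-ExpandedMember {
    param([Parameter(Mandatory = $true)][string]$GroupDn)
    # dsget prints one quoted DN per line plus a trailing "dsget succeeded" line;
    # -expand follows nested groups so users two levels down are still listed.
    & dsget.exe group $GroupDn -members -expand |
        Where-Object { $_ -match '^"?CN=' } |
        ForEach-Object { $_.Trim().Trim('"') }
}

# Accounts that have not logged on for a number of weeks, with the columns
# needed to decide what to do with them.
function Get-StaleUser {
    param([int]$Weeks = 8)
    # -limit 0 lifts dsquery's default cap of 100 results; the DNs are piped
    # straight into dsget, which resolves each one.
    & dsquery.exe user -inactive $Weeks -limit 0 |
        & dsget.exe user -samid -display -disabled -dn
}

# Compare Domain Admins against an approved list (constructed for the example).
$approved = @('CN=Administrator,CN=Users,DC=contoso,DC=com')
$actual   = Get-ExpandedMember -GroupDn 'CN=Domain Admins,CN=Users,DC=contoso,DC=com'
Compare-Object -ReferenceObject $approved -DifferenceObject $actual |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object { Write-Warning "Unapproved Domain Admins member: $($_.InputObject)" }

Get-StaleUser -Weeks 8
# After review, the classic remediation is the dsquery | dsmod pipeline:
#   dsquery user -inactive 8 -limit 0 | dsmod user -disabled yes
```

The -expand switch is the important detail for the first audit: a user placed in a group that is itself nested in Domain Admins is invisible to a plain -members listing but is still an administrator.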
Term
| Forest |
Definition
| the boundary of an instance of Active Directory. A forest contains one or more domains. All domains in the forest replicate the schema and configuration partitions of the directory. |
|
|
Term
| Forest root domain |
Definition
| the first domain created in a forest |
|
|
Term
| Functional level |
Definition
| A setting that determines which features of Active Directory are enabled within a domain or forest. The functional level limits the versions of Windows that can be used by domain controllers in a domain or forest. |
|
|
Term
| global catalog or partial attribute set |
|
Definition
| A partition of the Active Directory data store that contains a subset of attributes for every object in the Active Directory forest. The global catalog is used for efficient object queries and location. |
|
|
Term
| Identity store |
Definition
| A database of information regarding users, groups, computers, and other security principals. Attributes stored in an identity store include user names and passwords |
|
|
Term
| join a computer to a domain from the command line |
Definition
| netdom join %computername% /domain:<DomainName> /userd:<DOMAIN\User> /passwordd:* |
|
|
Term
| Kerberos |
Definition
| A standard protocol used by Active Directory for authentication |
|
|
Term
| LDAP |
Definition
| Lightweight Directory Access Protocol |
|
|
Term
| LDIF |
Definition
| LDAP Data Interchange Format (RFC 2849): a text file format that Ldifde uses for batch imports and exports of Active Directory objects, including users. Key switches: -i import (the default is export), -f <filename> the file to import from or export to. |
|
|
Term
| MMC |
Definition
| Microsoft Management Console |
|
|
Term
|
Definition
| A folder on a disk: a hierarchy that can be navigated, like a disk volume letter or a mapped drive. |
|
|
Term
| Organizational units (OUs) |
Definition
| Administrative containers within Active Directory that are used to collect objects which share common requirements for administration, configuration or visibility. |
|
|
Term
| PowerShell providers |
Definition
| Namespaces are created by providers, which can be thought of as drivers. For example, the file system has a provider, as does the registry. PowerShell can access and manipulate the namespaces of those providers. |
|
|
Term
| PSDrives |
Definition
| Windows PowerShell namespaces from any provider can be represented as PSDrives. Windows PowerShell automatically creates a PSDrive for each drive letter already defined by Windows. |
|
|
Term
| SACL |
Definition
| System Access Control List |
|
|
Term
|
Definition
| Security Account Manager ID |
|
|
Term
| Schema |
Definition
| a definition of the attributes and objects classes supported by Active Directory. |
|
|
Term
| Steps to create an object with ADSI |
Definition
| Connect to the container (OU), create the object (user), populate its properties (display name and so on), then commit the changes with SetInfo. |
|
|
Term
| set a static IPv4 configuration |
|
Definition
| netsh interface ipv4 set address name="Local Area Connection" source=static address=192.0.2.10 mask=255.255.255.0 gateway=192.0.2.1, then netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=192.0.2.2 register=primary (addresses and the connection name are placeholders; find the name with netsh interface ipv4 show interfaces) |
|
Term
| Site |
Definition
| An Active Directory object that represents a portion of the network with reliable connectivity. Within a site, domain controllers replicate updates within seconds, and clients attempt to use the services within their site before obtaining the services from other sites. |
|
|
Term
| TCP/IP |
Definition
| Transmission Control Protocol/Internet Protocol |
|
|
Term
| [ADSI] type accelerator |
Definition
| [ADSI] is a type accelerator that lets Windows PowerShell reach the .NET Framework directory classes (and through them ADSI). To connect to an Active Directory object you supply an LDAP path, e.g. [ADSI]"LDAP://OU=People,DC=contoso,DC=com" |
|
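An added PowerShell example (not part of the original card set) for the [ADSI] card above and the "connect, create, populate, commit" steps: create a user through the [ADSI] type accelerator, then give it a password and enable it. It needs no extra module because ADSI is part of Windows; the OU, names, UPN suffix and password are placeholders.

```powershell
function New-AdsiUser {
    param(
        [Parameter(Mandatory = $true)][string]$ContainerDn,      # e.g. OU=People,DC=contoso,DC=com
        [Parameter(Mandatory = $true)][string]$Name,             # common name; becomes the RDN
        [Parameter(Mandatory = $true)][string]$SamAccountName,   # unique in the domain
        [Parameter(Mandatory = $true)][string]$UpnSuffix,        # e.g. contoso.com
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )

    # 1. connect to the container
    $ou = [ADSI]"LDAP://$ContainerDn"

    # 2. create the object; the RDN must be unique inside the OU
    $user = $ou.Create('user', "CN=$Name")

    # 3. populate properties; the UPN must be unique across the forest
    $user.Put('sAMAccountName',    $SamAccountName)
    $user.Put('userPrincipalName', "$SamAccountName@$UpnSuffix")
    $user.Put('displayName',       $Name)

    # 4. commit; ADSI creates the account disabled and without a password
    $user.SetInfo()

    # Set the password first so the account is never enabled without one
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $user.Put('userAccountControl', 512)   # NORMAL_ACCOUNT, enabled
    $user.SetInfo()

    return $user.Path                       # LDAP://CN=<Name>,<ContainerDn>
}

# Usage:
# New-AdsiUser -ContainerDn 'OU=People,DC=contoso,DC=com' -Name 'Josephine Fleming' `
#              -SamAccountName 'jfleming' -UpnSuffix 'contoso.com' `
#              -Password (Read-Host -AsSecureString 'Initial password')
```

Two SetInfo calls are deliberate: the object has to exist in the directory before SetPassword can be called against it.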
|
Term
| UPN |
Definition
| User Principal Name: the logon name plus the UPN suffix, which by default is the domain the user logs on to, e.g. lflemingjm@hqda.army.mil. It must be unique across the entire forest (an e-mail address must be unique world-wide). |
|
|
Term
| WMI |
Definition
| Windows Management Instrumentation |
|
|
Term
| Which properties can be modified for multiple users simultaneously |
|
Definition
| General, Account, Address, Profile, Organization Tabs |
|
|
Term
| What is the distinction between the names of a user object and an account? |
Definition
| User object names: sAMAccountName, userPrincipalName (UPN), display name and RDN. Account: an identity to which permissions and rights can be assigned. |
|
|
Term
| sAMAccountName attribute |
Definition
| (pre-Windows 2000 logon name) must be unique in the ENTIRE domain |
|
|
Term
| Relative Distinguished Name (RDN) |
Definition
| Relative Distinguished Name of an object. Must be unique in an OU. |
|
|
Term
| displayName attribute |
Definition
| How users are listed in the GAL |
|
|
Term
| Unlock a user account with VBScript (ADSI) |
Definition
Set objUser = GetObject("LDAP://<UserDN>")
objUser.IsAccountLocked = False
objUser.SetInfo |
|
|
Term
| Distinguished Name (DN) |
Definition
| The most important LDAP attribute, e.g. CN=Josephine Fleming,OU=People,DC=contoso,DC=com |
|
|
Term
| SID |
Definition
| Security Identifier is created by the Windows 2000 security subsystem and assigned to security principal objects |
|
|
Term
| Method |
Definition
| in the context of programming or scripting, an action performed on an object. |
|
|
Term
| Object |
Definition
| In the context of programming or scripting, a data structure that represents a system resource. Objects expose properties or attributes, methods or actions. |
|
|
Term
| Delegation |
Definition
| Assignment of an administrative task. Delegation within Active Directory is achieved by modifying the DACL of an object (typically an OU). |
|
|
Term
| Saved query |
Definition
| A view of Active Directory objects base on search criteria. |
|
|
Term
| IP address |
Definition
| An IP (Internet Protocol) address is a 32-bit unique identifier for a node or host connection on an IP network. It is usually written as 4 decimal values, each representing 8 bits, in the range 0 to 255 (octets), separated by dots. This is known as "dotted decimal" notation. |
|
|
Term
| Group policy Member Of setting |
|
Definition
| "Member Of" settings are cumulative: each GPO that lists a group under Member Of adds that group to the target group's membership without removing existing members. |
|
|
Term
| Group Policy Members setting |
Definition
| The "Members" setting is authoritative: the listed accounts replace the group's entire membership. When several GPOs set Members for the same group, only the GPO with the highest precedence (the one processed last) applies and its list prevails. |
|
|
Term
| Audit policy |
Definition
| A setting that configures the logging of security-related activities |
|
|
Term
| Delegation |
Definition
| An assignment of administrative responsibility. A grant of permission to perform an administrative task |
|
|
Term
| Extensible Markup Language |
|
Definition
| (XML) an abbreviated version of the Standard Generalized Markup Language (SGML) XML enables the flexible development of user-defined doc types, providing non-proprietary, persistent, and verifiable file format for the storage and transmission of text and data both on and off the Internet |
|
|
Term
| Firewall |
Definition
| A hardware or software product designed to isolate a system or network from another network. Traditionally used to protect a private network from intrusion from the Internet. A firewall inspects inbound or outbound packets or both and determines, based on rules, which packets to allow to the other side of the firewall. |
|
|
Term
| LDAP |
Definition
| The Primary access protocol for Active Directory. |
|
|
Term
| Group Policy |
Definition
| used to configure the membership of groups, security settings, software management and auditing |
|
|
Term
| RSoP |
Definition
| Resultant Set of Policies |
|
|
Term
| GPO |
Definition
| A Group Policy Object is, by itself, just a collection of configuration instructions that will be processed by the CSEs (Client Side Extensions) of computers. |
|
|
Term
| SOA |
Definition
| Start of Authority, an important record type in the Domain Name System. |
|
|
Term
| repadmin |
Definition
| Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and knowledge consistency checker recalculation |
|
|
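An added PowerShell example for the repadmin card (not part of the original card set): query every DC's replication partners through repadmin's own CSV output and report the partners that have failures. It assumes repadmin.exe is installed (AD DS tools) and that the account can query each DC; the column names are the ones repadmin emits with /csv.

```powershell
function Get-ReplicationFailure {
    param([string]$Target = '*')   # '*' = every DC; or a DC name, or site:<SiteName>

    # /showrepl lists each inbound partner per naming context; /csv makes it parseable
    $csv = & repadmin.exe /showrepl $Target /csv
    if ($LASTEXITCODE -ne 0) { throw "repadmin failed with exit code $LASTEXITCODE" }

    $csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Success Time',
                      'Last Failure Status'
}

# Usage:
# Get-ReplicationFailure | Format-Table -AutoSize
#
# After fixing the cause, push all partitions from one DC to its partners
# (/A all partitions, /d identify by DN, /e cross sites, /P push) and re-check:
# repadmin /syncall DC01 /AdeP
# Get-ReplicationFailure -Target DC01
```

An empty result means every partner replicated successfully on its last attempt; a non-empty one names the source DC, the partition and the error status, which is what is needed before forcing a sync or recalculating the topology with repadmin /kcc.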
Term
| Will, the administrator for your organization, has decided to implement certificates for all of your internal users. What type of root certificate authority (CA) would he implement? |
|
Definition
| Enterprise root CA |
|
Term
| You are hired as a contractor for a new organization that has no network currently in place. You decide to implement an Active Directory domain and the Active Directory Domain Services (AD DS). Which of the follow are requirements to install Active Directory? |
|
Definition
|
|
Term
| You have decided to implement certificate authority (CA) servers and you want all of your users to receive their certificates automatically without any user intervention. What two ways can you accomplish this goal? |
|
Definition
Autoenrollment
GPO enrollment |
|
|
Term
| What role provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows operating systems? |
|
Definition
| Active Directory Federation Services (AD FS) |
|
|
Term
| You have decided to place DNS on a read-only domain controller (RODC). What type of DNS zone do you now have? |
|
Definition
| Primary read-only zone |
|
Term
| What AD role allows administrators to configure services for issuing and managing public key certificates, which help organizations implement network security? |
|
Definition
| Active Directory Certificate Services (AD CS) |
|
|
Term
| What role gives administrators the ability to enroll users into the certificate services program and allows for the issue and management of certificate requests? |
|
Definition
|
|
Term
| You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your Internet users. What type of certificate authority do you need to set up? |
|
Definition
| Stand Alone Subordinate CA |
|
|
Term
| Alexandria, the network administrator, has just hired a new junior administrator named Paige. Paige needs to be able to recover keys from the certificate authority server. What role does Alexandria need to give Paige so that she can recover keys? |
|
Definition
| Key Recovery Agent |
|
Term
| What file outlines the set of rules that a Federation Service uses to recognize partners, certificates, account stores, claims, and the numerous properties that are associated with the Federation Service? |
|
Definition
| Trust policy |
|
Term
| What is the Lightweight Directory Access Protocol (LDAP) directory service that allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires? |
|
Definition
| Active Directory Lightweight Directory Services (AD LDS) |
|
|
Term
| You are the administrator of a network. Your company has decided to use server virtualization to help save money and add fault tolerance to your servers. What role-based utility is included with Windows Server 2008 making this possible? |
|
Definition
| Hyper-V |
|
Term
| Your manager has explained to you that due to security requirements, you need to secure documents and emails using Microsoft Office 2007 Enterprise. What service do you need to install to help secure documents and emails? |
|
Definition
| Active Directory Rights Management Service (AD RMS) |
|
|
Term
| Your company has one main location and five remote sites. One of the remote sites is having a problem with Active Directory and DNS being hacked into. What can you use to help solve this problem? |
|
Definition
Implement a Read-only domain controller and a Read-only DNS server |
|
|
Term
| Your company has one main location and one remote site. The remote site is 300 miles from the main location and it has no IT staff on site. What type of domain controller can you install so that a normal user can have the rights to manage it? |
|
Definition
| Read-only domain controller (RODC) |
|
|
Term
| You have decided to implement a certificate authority on your network. You have hired a third-party company to create and issue you the certificates you need to hand out to your internal users. What type of certificate authority do you need to set up? |
|
Definition
| Enterprise Subordinate CA |
|
|
Term
| Your company has decided to install a certificate authority (CA). After you install the CA, you publish the certificate revocation list (CRL) to a central location for all CAs to use. What is this central location called? |
|
Definition
| CRL distribution point (CDP) |
|
Term
| Your company currently uses Windows Server 2008 domain controllers. Your company wants to use multiple account lockout policies depending on what department people are in. What does Windows Server 2008 offer so that you can do this? |
|
Definition
| Fine-grained password policy |
|
|
Term
| You have decided to implement certificate authority servers. You have routers located on your network. What component allows systems to receive a certificate even though they do not have an Active Directory account? |
|
Definition
| Network Device Enrollment Service |
|
|
Term
| What operations can you perform using the Active Directory Users And Computers tool if you need to reorganise AD based on an Organisation change? |
|
Definition
Rename an organizational unit
Query for resources
Rename a group
Create a computer account |
|
|
Term
| In order to restrict security for the Texas OU, you remove some permissions at that level. Later, a junior systems administrator mentions that she is no longer able to make changes to objects within the Austin OU (which is located within the Texas OU). What is the most likely cause? |
Definition
| Permission inheritance: the Austin OU inherits its permissions from the Texas OU, so the permissions removed at the Texas level were removed from Austin as well. |
|
Term
| Isabel wants to check for any objects that have not been properly replicated among domain controllers. If possible, she would like to restore these objects to their proper place within the relevant Active Directory domains. What 2 steps does she need to do to accomplish this? |
|
Definition
Select the Advanced Features item in the View menu
Examine the contents of the LostAndFound folder using the Active Directory Users And Computers tool. |
|
|
Term
The domain contains over 200,000 objects and hundreds of OUs and takes a long time to load.
What can you do to speed things up if you only want to view Computer objects? |
|
Definition
| Use the Filter option in the Active Directory Users And Computers tool to restrict the display of objects. |
|
|
Term
| Jane, a consultant, has recommended that the Windows NT 4 domains be consolidated into a single Active Directory domain. Which of the following statements provide a valid justification to support Jane's proposal? |
|
Definition
In general, OU structure is more flexible than domain structure.
It is possible to create a distributed system administration structure for OUs by using delegation. |
|
|
Term
| Which operations are represented as common tasks within the Delegation of Control Wizard? |
|
Definition
Reset passwords on user accounts.
Manage Group Policy links.
Modify the membership of a group.
Create, delete, and manage groups. |
|
|
Term
| New Helpdesk Op. How do you allow them to only change certain objects in the directory in certain OUs? |
|
Definition
| Use the Delegation of Control Wizard to assign the necessary permissions on the OU that he or she is to administer. |
|
|
Term
| You are planning an OU design. What 3 pieces of information should be considered or consulted? |
|
Definition
Business organizational requirements
System administration requirements
Security requirements |
|
|
Term
| You want to allow the Super Users group to create and edit new objects within the Corporate OU. What option would you choose in the Delegation Wizard? |
|
Definition
| Create A Custom Task To Delegate |
|
|
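The three delegation cards above describe the wizard; the same grants can be made and, more importantly, reviewed from the command line. The following is an added example, not part of the original flashcards: it uses dsacls (built into Windows Server 2008) with an assumed domain corp.example.com, an assumed OU path OU=Austin,OU=Texas and an assumed group CORP\HelpdeskOps.

```powershell
# Added example, not from the original flashcards. Assumed names: domain corp.example.com,
# OU "Austin" under "Texas", and a helpdesk group CORP\HelpdeskOps.
$ou    = "OU=Austin,OU=Texas,DC=corp,DC=example,DC=com"
$group = "CORP\HelpdeskOps"

# Equivalent of the wizard's common task "Reset user passwords and force password change at next logon":
# CA = a control access right (Reset Password); writing pwdLastSet is what forces the change at next logon.
# /I:S = apply to sub-objects only, so the group gets nothing on the OU object itself.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# "Modify the membership of a group" = write the member attribute of group objects in this OU only
dsacls $ou /I:S /G "${group}:WP;member;group"

# Least-privilege check: dump the ACL and look at exactly which ACEs the group holds.
# The wizard has no "undo"; /R removes every ACE for the trustee when the delegation is retired.
dsacls $ou | Select-String "HelpdeskOps"
# dsacls $ou /R $group
```

The two permissions are deliberately scoped to the object class (user, group): granting the same rights with no class, or on the domain root, is the usual way a "helpdesk" delegation turns into the ability to reset a Domain Admin's password.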
Term
| A systems administrator is using the Active Directory Users And Computers tool to view the objects within an OU. He has previously created many users, groups, and computers within this OU, but now only the users are showing. What is a possible explanation for this? |
|
Definition
| Filtering options have been set that specify that only User objects should be shown. |
|
|
Term
| Two large AD Sites with 15 DCs each. Too much replication traffic between sites. What can you create at each site to reduce the bandwidth usage? |
|
Definition
| Create preferred Bridgehead Servers at each site to funnel the traffic between 2 servers only. |
|
|
Term
| What does not need to be manually created when you are setting up a replication scenario involving three domains and three sites? |
|
Definition
Connection objects.
They are created automatically by the Knowledge Consistency Checker (KCC), the component of the Active Directory replication engine that builds the topology. |
|
|
Term
| What services of Active Directory is responsible for maintaining the replication topology? |
|
Definition
| Knowledge Consistency Checker service. |
|
|
Term
| What Active Directory objects are responsible for representing a transitive relationship between sites? |
|
Definition
Site link bridges.
By default all site links are bridged (the "Bridge all site links" option on the transport is on), so every site link is transitive. |
|
|
Term
| ______ is the protocol to use for links where the link is randomly unavailable and replication traffic must be sent whether the other end is connected or not. |
|
Definition
SMTP.
It uses a store-and-forward method so that replication data is not lost when a connection cannot be established. Caveat: SMTP can replicate only the schema, configuration and global catalog partitions, never the domain partition, so it is usable only between domain controllers of different domains, and it requires a certification authority because the messages are signed and encrypted. |
|
|
Term
| You have 7 sites with different speed links. You want to keep the number of domains to a minimum. What is the smallest number of domains you can have that cover all 7 sites? |
|
Definition
| One. Sites and domains are independent structures; a single domain can span any number of sites, so one domain covers all seven. |
|
Term
| Changes to AD objects are only being replicated to some DCs and not all. Regarding the network links themselves what could be causing this problem? |
|
Definition
Network connectivity is unavailable.
A WAN connection has failed. |
|
|
Term
| Changes to AD objects are only being replicated to some DCs and not all because of a possible configuration problem with a DC or Sites. What are 4 of the possible errors that have been made? |
|
Definition
Connection objects are not properly configured.
Sites are not properly configured.
Site links are not properly configured.
One of the domain controllers is configured for manual replication updates. |
|
|
Term
| A systems administrator suspects that there is an error in the replication configuration. How can he look for specific error messages related to replication? |
|
Definition
| By going to Event Viewer -> Directory Service log |
|
|
Term
One site containing 50 domain controllers.
How can replication traffic be reduced and controlled, and how can the structure of AD more accurately reflect the structure of the network? |
|
Definition
Create multiple sites (each mapped to its subnets) and connect them with site links.
Configure one server at each of the new sites to act as a bridgehead server. |
|
|
Term
What tool do you use to:
1. Determine replication data transfer statistics.
2. Collect information about multiple Active Directory domain controllers at the same time.
3. Measure other performance statistics, such as server CPU utilization. |
|
Definition
| Performance Monitor (Reliability and Performance Monitor in Windows Server 2008): the NTDS performance object carries the DRA inbound/outbound replication byte counters, several computers can be added to one console, and the same console shows CPU and other server counters. |
|
Term
| What Active Directory objects should you modify to define the network boundaries for Active Directory sites? |
|
Definition
| Subnets - Define AD Site boundaries. |
|
|
Term
|
Definition
verb: to disclose something secret

• She believed she had been fired because she had threatened to divulge information about the company's mismanagement.

• It is a basic tenet of most secret societies that members are not allowed to divulge anything about the initiation rites to outsiders.

• His journal divulged a side of his personality that no one had ever seen. |
|
|
Term
Configure the costs for each link with these rules:
1. The ISDN link must keep the default site link cost.
2. Austin must use San Jose for replication. |
|
Definition
| The ISDN line is required to have the default cost of 100. That means that the T1 line's cost must be lower than 100 for this connection to be used by preference, and the only choice is 50. That leaves costs of 150 and 200 for the Austin links. Because Austin will never get replication information from Chicago, that link's cost should be 200. That only leaves 150 for the cost of the link between Austin and San Jose. |
|
|
Term
| What is the default Site Link Cost? |
|
Definition
| 100 |
|
Term
| You want to create a new site called San Jose. Where do you do this? |
|
Definition
| AD S&S - Sites - New Site |
|
|
Term
Two sites connected via a T1 line and a dial-up line for redundancy.
You want to use the T1 line mainly. What do you do to ensure this occurs? |
|
Definition
| Lower the cost of the T1 Line |
|
|
Term
| Only 1 GC for 3 Sites. HQ with 100 users is connected to other 2 sites (each have 20 users) via fast T1 connections. Where would you place the GC? |
|
Definition
At HQ.
Ideally there would be one GC per site. |
|
|
Term
| How do you specify a server as a bridgehead server? |
|
Definition
| AD S&S - Servers - the DC's server object Properties - under "Transports available for inter-site data transfer" select the transport (IP or SMTP) and click Add, which lists the server as a preferred bridgehead for that transport. |
|
|
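The site-link-cost card and the bridgehead card above are both done by hand in AD Sites and Services; the following added example (not from the original flashcards) does the same from PowerShell and then verifies the result with repadmin, which is what a practitioner actually does before trusting the topology. It assumes the Windows Server 2012 or later RSAT ActiveDirectory module (the site-link cmdlets do not exist in the 2008 R2 module), sites named Austin, SanJose and Chicago, and a DC named AUS-DC01; the link layout is an assumed one that satisfies the card's rules.

```powershell
# Added example; not the flashcards' own material. Assumes the 2012+ RSAT AD module,
# sites Austin / SanJose / Chicago and a DC called AUS-DC01 (all assumed names).
Import-Module ActiveDirectory

# Costs per the card: the ISDN link keeps the default 100, the T1 gets 50 so it wins,
# and Austin's links are 150 (to San Jose, preferred) and 200 (to Chicago, never chosen while 150 is up).
New-ADReplicationSiteLink -Name "SanJose-Chicago-T1"   -SitesIncluded SanJose,Chicago -Cost 50  -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "SanJose-Chicago-ISDN" -SitesIncluded SanJose,Chicago -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "Austin-SanJose"       -SitesIncluded Austin,SanJose  -Cost 150 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "Austin-Chicago"       -SitesIncluded Austin,Chicago  -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
Get-ADReplicationSiteLink -Filter * | Sort-Object Cost | Format-Table Name, Cost, ReplicationFrequencyInMinutes -AutoSize

# Preferred bridgehead: the "Add" button in the server's Properties writes the transport's DN into
# the server object's bridgeheadTransportList attribute. Same thing, done directly:
$cfg    = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -Filter 'objectClass -eq "server" -and name -eq "AUS-DC01"' -SearchBase "CN=Sites,$cfg"
Set-ADObject -Identity $server -Replace @{ bridgeheadTransportList = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg" }

# Make the KCC rebuild its connection objects now instead of on its 15-minute cycle, then check
# that every partner replicated and nothing is failing (the card about Directory Service log errors).
repadmin /kcc AUS-DC01
repadmin /replsummary
repadmin /showrepl AUS-DC01 /errorsonly

# The same errors as seen in Event Viewer, last 24 hours, Directory Service log, Level 2 = Error
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2; StartTime = (Get-Date).AddDays(-1) } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Naming only one preferred bridgehead per site is a single point of failure for inter-site replication of that site; if it goes down the KCC does not fall back to another server until the preferred list is changed, which is why replsummary should be part of routine monitoring.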
Term
| The company has three domain controllers, each of which has Knowledge Consistency Checker (KCC) errors consistently popping up in the directory services Event Viewer log. What does this indicate? |
|
Definition
| The replication topology cannot be built correctly: typically a site, site link or connection object is misconfigured, or a domain controller that the KCC expects to connect to is unreachable. Check the Directory Service log on each DC and the site configuration in AD Sites and Services. |
|
Term
| You need to keep track of licensing with the licensing server. Where can you configure the licensing server so that as the system administrator you can ensure you are compliant? |
|
Definition
| Configure licensing in the Active Directory Sites And Services tool. |
|
|
Term
| You decide to create a trust relationship between Domain A and Domain B. Before you take any other actions, can users in Domain A use resources from Domain B yet? |
|
Definition
No.
A trust relationship only allows for the possibility of sharing resources between domains; it does not explicitly provide any permissions. In order to allow users to access resources in another domain, you must configure the appropriate permissions. |
|
|
Term
Plans are to deploy four Active Directory domains with the following requirements:
Minimize the number of servers.
Enough fault tolerance to survive the complete failure of one domain controller.
What is the minimum number of domain controllers to deploy initially? |
|
Definition
8
Two per domain for fault tolerance. |
|
|
Term
| What server configurations can be directly promoted to become a domain controller for a new domain? |
|
Definition
Member servers
Stand-alone servers |
|
|
Term
Server1: Schema Master
Server2: RID Master
Server3: Windows NT 4 BDC
Server4: Infrastructure Master
Server5: PDC Emulator Master
The entire environment is migrating to Windows Server 2008. Which server is not needed? |
|
Definition
| Server3: Windows NT 4 BDC |
|
|
Term
| Implicit trusts created between domains are known as ______ |
|
Definition
| Transitive trusts |
|
Term
You need to add a field to the properties of a User object.
On what servers can the change be made? |
|
Definition
| The Schema Master is the only server within Active Directory on which changes to the schema can be made. |
|
|
Term
| What are several Active Directory domains that share a contiguous namespace called? |
|
Definition
| A domain tree |
|
Term
You accidentally demoted the last domain controller of your ADTest.com domain.
You want a complete undo. Is this possible? |
|
Definition
| No. Once the last domain controller has been removed, the domain is gone and cannot be recreated as the same domain (a new domain with the same name gets a different domain SID, so existing trusts, group memberships and ACLs referring to the old domain are meaningless). If adequate backups had been performed, the information could be recovered by rebuilding the server from a system state backup. |
|
|
Term
| Items that depend on the DNS namespace are .... |
|
Definition
Domains
Trees
Forests
DNS zones |
|
|
Term
| Which types of computers contain a copy of the Global Catalog (GC)? |
|
Definition
| Specified Active Directory domain controllers |
|
|
Term
| Which pieces of information should you have before you use the Active Directory Installation Wizard to install a new subdomain? |
|
Definition
Name of the child domain
Name of the parent domain
DNS configuration information
NetBIOS name for the server |
|
|
Term
| Which type of trust is automatically created between the domains in a domain tree? |
|
Definition
| A two-way transitive (parent-child) trust, created automatically when the child domain is added. |
|
Term
| A systems administrator wants to remove a domain controller from a domain. What is the easiest way to perform the task? |
|
Definition
| Use the Active Directory Installation Wizard to demote the domain controller. |
|
|
Term
| Regarding the sharing of resources between forests... |
|
Definition
| A trust relationship must exist before resources can be shared between forests. |
|
|
Term
New remote location with very slow WAN link. Needs following specs: _x000D_ Fast logon times _x000D_ Reduced network bandwidth _x000D_ Ability to use existing hardware _x000D_ What can you implement to achieve the above requirements? |
|
Definition
| Universal group membership caching stores information locally once a user attempts to log on for the first time. |
|
|
Term
| Of the five main single master functions, two apply to an entire Active Directory forest. What are the three that apply to just the domain? |
|
Definition
RID Master
PDC Emulator Master
Infrastructure Master |
|
|
Term
| When deploying Active Directory, you decide to create a new domain tree. What do you need to do to create this? |
|
Definition
| Promote a Windows Server 2008 computer to a domain controller, choose to create a new domain in an existing forest, and select the option "Create a new domain tree root instead of a new child domain". A child domain would join the existing tree's namespace; a new tree root has its own, non-contiguous DNS name. |
|
|
Term
| 7 Reasons for Using Multiple Domains |
|
Definition
Scalability
Reducing replication traffic
Meeting business needs
Many levels of hierarchy (easier data management)
Decentralized administration
Multiple DNS or domain names
Legality |
|
|
Term
| What are some of the Drawbacks of Multiple Domains? |
|
Definition
Administrative inconsistency
Increased management
Decreased flexibility |
|
|
Term
| Min Requirements for DC numbers |
|
Definition
|
|
Term
| Recommended Req's for DC numbers |
|
Definition
|
|
Term
| Reasons for adding extra DCs |
|
Definition
Fault tolerance and reliability
Performance |
|
|
Term
| Main requirement for joining a new domain to an existing forest |
|
Definition
| The new domain's DNS name must not already exist in the forest. A name that is contiguous with an existing tree (child.existing.com) makes it a child domain of that tree; a name that shares no namespace with any existing tree (other.com) makes it the root of a new tree. |
|
|
Term
| If you want to join a W2k8 server to an existing W2k3 Forest what do you need to do first? |
|
Definition
Prepare the forest and domain by running, from the Windows Server 2008 media:
adprep /forestprep (on the Schema Master, as a member of Schema Admins and Enterprise Admins)
adprep /domainprep /gpprep (on the Infrastructure Master of each domain, as a Domain Admin)
adprep /rodcprep (only if read-only domain controllers will be deployed) |
|
|
Term
| What naming information do you need prior to adding a new child domain to an existing tree? |
|
Definition
Name of the parent domain
Name of the child domain
NetBIOS name for the new server |
|
|
Term
| What other information (other than the 3 names) do you need prior to adding a new child domain to an existing tree? |
|
Definition
DNS configuration
Domain administrator username and password (creating a new domain in the forest requires Enterprise Admins membership) |
|
|
Term
| DcPromo option selected to create a new domain tree. |
|
Definition
| "Create a new domain in an existing forest", with the option "Create a new domain tree root instead of a new child domain" selected. Choosing a child of an existing domain creates a subdomain in the same tree, not a new tree. |
|
|
Term
| 3 Features common to all Domains in a Forest |
|
Definition
Schema
Global Catalog
Configuration information |
|
|
Term
| Type of trust between the Forest Root Domain and all the rest of the domains in the forest |
|
Definition
| Two-way transitive trusts: a parent-child trust for each child domain, and a tree-root trust between the forest root and the root of every additional tree. |
|
Term
| How is a new Domain Tree created? |
|
Definition
| Created top down - forest root domain - then child domains |
|
|
Term
| How do you move a DC between domains? |
|
Definition
1. Demote it.
2. Move it.
3. Promote it. |
|
|
Term
| True or False? A trust grants all users in one domain access to the other domain's resources. |
|
Definition
False.
A trust only provides the foundation.
Rights to resources must still be granted once the trust is established. |
|
|
Term
| What 2 features of AD to ALL Trees and Forests share? |
|
Definition
Schema and
Global Catalog |
|
|
Term
| What do you always have even if you only have 1 Domain? |
|
Definition
| A forest and a domain tree: the first (and only) domain is the root of its own tree and of the forest. |
|
Term
| What do you need to ensure is done before you remove the last DC from a Domain? |
|
Definition
Computers no longer log on to this domain.
No user accounts are needed.
All encrypted data is decrypted.
All cryptographic keys are backed up. |
|
|
Term
| What are the 2 Forest Operation Master Roles? |
|
Definition
Schema Master
Domain Naming Master |
|
|
Term
| What tool is used to manage the Forest Operation Master roles? |
|
Definition
| Active Directory Domains and Trusts (Domain Naming Master) and the Active Directory Schema snap-in (Schema Master); ntdsutil handles both from the command line and is the only way to seize a role whose holder is gone for good. |
|
Term
| What are the 3 Domain Operation master Roles? |
|
Definition
RID Master
PDC Emulator Master
Infrastructure Master |
|
|
Term
| The Schema master holds ___ |
|
Definition
| a master copy of the AD Schema |
|
|
Term
| Where can changes to the AD Schema be made? |
|
Definition
| Only on the Schema Master |
|
|
Term
| The Domain Naming Master __ |
|
Definition
| tracks domains within the AD Forest |
|
|
Term
| What does the RID Master do? |
|
Definition
| Allocates pools of relative identifiers (RIDs) to each domain controller in the domain. A DC takes a RID from its pool whenever it creates a security principal (user, group or computer), so every SID in the domain stays unique; the RID Master is not involved in creating other kinds of objects. |
|
|
Term
| PDC Emulator is responsible for __ |
|
Definition
| Acting as the PDC for Windows NT BDCs and down-level clients while the domain is in mixed mode. It is not only a mixed-mode role: at every functional level it also receives password changes first, processes account lockouts, is the domain's authoritative time source, and is the DC that Group Policy editing targets by default. |
|
|
Term
| In a Forest running at 2k Native or later what role does the PDC play? |
|
Definition
| It is still the preferred DC for several operations: password changes are replicated to it first and other DCs check with it before rejecting a bad password, it processes account lockouts, it is the domain's authoritative time source, and the Group Policy editor targets it by default. |
|
|
Term
| The Infrastructure Master ensures |
|
Definition
| Ensures that references to objects from other domains (for example cross-domain group memberships) stay current by updating stale names and SIDs. It must not be placed on a global catalog server unless every DC in the domain is a GC; otherwise it never sees any reference as stale and stops updating them. |
|
|
Term
| How do you assign the Domain Naming Master Role? |
|
Definition
Open AD Domains and Trusts.
Right-click the root node and select Operations Master.
Click Change. |
|
|
Term
| How do you assign all of the RID, PDC and Infrastructure Roles? |
|
Definition
Open AD Users and Computers.
Right-click the domain and select Operations Masters.
On the RID, PDC or Infrastructure tab, click Change. |
|
|
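The operations master cards above walk through two GUI consoles. The following added example (not from the original flashcards) shows the same from PowerShell, with the Infrastructure Master placement check that the card about that role warns about. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), a domain corp.example.com and DCs named DC01 and DC02 (assumed names).

```powershell
# Added example; not from the flashcards. Assumes the RSAT ActiveDirectory module (2008 R2+),
# domain corp.example.com and DCs DC01 / DC02 (assumed names).
Import-Module ActiveDirectory

# Who holds what: the two forest-wide roles live on the forest object, the three per-domain roles on the domain.
Get-ADForest corp.example.com | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain corp.example.com | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo                       # same answer without the PowerShell module

# Transfer (graceful, the current holder must be online and is updated first).
# Seizing is -Force and is only for a holder that will never return; never bring a seized holder back online.
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Caveat from the Infrastructure Master card: it must not sit on a GC unless every DC is a GC,
# otherwise cross-domain group member references are never refreshed.
$im     = (Get-ADDomain corp.example.com).InfrastructureMaster
$gcs    = (Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }).HostName
$allDcs = (Get-ADDomainController -Filter *).HostName
$nonGc  = $allDcs | Where-Object { $gcs -notcontains $_ }
if (($gcs -contains $im) -and $nonGc) {
    Write-Warning "$im is a GC but these DCs are not: $($nonGc -join ', '). Move the Infrastructure Master or make all DCs GCs."
}
```

Transferring the Schema Master or Domain Naming Master requires Schema Admins or Enterprise Admins respectively; the three domain roles need Domain Admins. Those group memberships are worth auditing for the same reason the roles are: whoever can move the Schema Master can change the schema.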
Term
| What is a transitive trust? |
|
Definition
Implied trusts.
If domain A trusts domain B AND domain B trusts domain C, THEN domain A trusts domain C. |
|
|
Term
| What are External Trusts used for? |
|
Definition
| Used to provide access to a domain outside the forest when a forest trust is not possible: a Windows NT 4 domain, or a single domain in another forest (for example one whose forest functional level is below Windows Server 2003). |
|
|
Term
| What type of trust are External Trusts? |
|
Definition
| Non-transitive and either 1-way or 2-way (manually created) |
|
|
Term
| On External Trusts, what is enabled by default to prevent hackers from using SID info to gain access? |
|
Definition
SID filtering (quarantine), enabled by default on external trusts.
Any SID in the user's token, including sIDHistory entries, that was not issued by the trusted domain is discarded. This stops an administrator of the trusted domain from adding a privileged SID from your domain to a user's sIDHistory and using the trust to gain that access. |
|
|
Term
| When is a Realm Trust used? |
|
Definition
| Used to connect to a non-Windows Kerberos realm (for example MIT Kerberos on UNIX) so that principals from that realm can be authenticated. |
|
|
Term
| What types of Realm Trusts are there? |
|
Definition
Either transitive or non-transitive,
and either one-way or two-way. |
|
|
Term
| Where do you configure Trust Releationships? |
|
Definition
| AD D&T - Domain Properties - Trusts Tab |
|
|
Term
| What happens when Selective authentication is used with Cross Forest Trusts? |
|
Definition
| Users from the trusted forest cannot authenticate to a DC or resource server in the trusting forest unless they (or a group containing them) have been granted the "Allowed to Authenticate" permission on that computer's account object. Without selective authentication every user of the trusted forest counts as Authenticated Users on every server in the trusting forest. |
|
|
Term
| What is a manually created Trust called? |
|
Definition
| An explicit trust (external, realm, forest and shortcut trusts are all created explicitly). |
|
Term
| What is a Cross Forest Trust used for? |
|
Definition
| To Share resources between forests |
|
|
Term
| What is the restriction on Cross Forest Trusts? |
|
Definition
| They are always transitive between the two forests, but the transitivity does not extend further: if forest A trusts forest B and B trusts C, A does not trust C. |
|
|
Term
| Where would you go to enable Selective Authentication? |
|
Definition
| Trust properties - Selective Authentication |
|
|
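The trust cards above (SID filtering, selective authentication, where to configure trusts) are the security-relevant part of this section, and the state they describe is easy to audit. The following added example (not from the original flashcards) lists every trust with those settings and shows the netdom switches behind the GUI checkboxes. It assumes the RSAT ActiveDirectory module, a local forest corp.example.com, a partner forest partner.example, a file server FS01 and a group "PARTNER\File Users" (all assumed names).

```powershell
# Added example; not the flashcards' own material. Assumes the RSAT AD module on a DC of corp.example.com,
# a trust with partner.example, a server FS01 and a group "PARTNER\File Users" (assumed names).
Import-Module ActiveDirectory

# Audit every trust: direction, transitivity and the two protections discussed in the cards.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
    Format-Table -AutoSize

# SID filtering. On an external trust the setting is "quarantine" (default on). On a forest trust the
# equivalent is SID filtering for forest-aware trusts, which /enableSIDhistory:yes switches off.
# Either way, SIDs that the trusted domain did not issue are dropped from the user's token.
netdom trust corp.example.com /domain:partner.example /quarantine              # show the current state
netdom trust corp.example.com /domain:partner.example /quarantine:yes          # external trust: enforce
netdom trust corp.example.com /domain:partner.example /enableSIDhistory:no     # forest trust: keep filtering on

# Selective authentication: partner users may authenticate only to computers whose account object
# grants them "Allowed to Authenticate" (the Trust properties checkbox plus a per-computer ACE).
netdom trust corp.example.com /domain:partner.example /selectiveauth:yes
$fs = Get-ADComputer FS01
dsacls $fs.DistinguishedName /G "PARTNER\File Users:CA;Allowed to Authenticate"
```

Turning SID filtering off is occasionally done during a migration so that sIDHistory keeps working across the trust; the audit above is how you notice when nobody turned it back on.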
Term
| Where would you add a UPN suffix? |
|
Definition
| AD D&T - Properties - UPN Suffixes |
|
|
Term
| You need to add another Global Catalog server to an existing domain. Where would you go to do this? |
|
Definition
AD S&S
- the DC's server object
- NTDS Settings Properties
- Global Catalog checkbox |
|
|
Term
| What happens when Universal Group Membership Caching is enabled on a W2k8 DC? |
|
Definition
1. A user logs on: universal group memberships are fetched from a GC and cached on the DC.
2. Next time the user logs on the cached memberships are used and no GC is contacted (the cache is refreshed from the GC every 8 hours by default). |
|
|
Term
| The benefits of Universal Group Membership Caching are: |
|
Definition
Faster logon times
Reduced network bandwidth
Ability to use existing hardware |
|
|
Term
| On a W2k8 DC how do you enable Universal Group Membership Caching? |
|
Definition
AD S&S
- Sites
- Default-First-Site-Name (or the site in question)
- NTDS Site Settings - Properties
- Enable Universal Group Membership Caching checkbox (optionally choose the site whose GC refreshes the cache) |
|
|
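The three cards above add a global catalog and enable universal group membership caching through AD Sites and Services; both checkboxes just flip a bit in an `options` attribute. The following added example (not from the original flashcards) does it directly, which is useful for scripting branch-office builds and for auditing which sites have either. It assumes the RSAT ActiveDirectory module, a site named Branch-Austin and a DC named AUS-DC01 (assumed names).

```powershell
# Added example; not part of the flashcards. Assumes the RSAT AD module,
# a site "Branch-Austin" and a DC "AUS-DC01" (assumed names).
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext

# Which DCs are already GCs, and in which sites?
Get-ADDomainController -Filter * | Format-Table HostName, Site, IsGlobalCatalog -AutoSize

# Make AUS-DC01 a GC: the NTDS Settings checkbox sets bit 0x1 (NTDSDSA_OPT_IS_GC) of 'options'.
$ntds = "CN=NTDS Settings,CN=AUS-DC01,CN=Servers,CN=Branch-Austin,CN=Sites,$cfg"
$opts = (Get-ADObject $ntds -Properties options).options
Set-ADObject $ntds -Replace @{ options = ($opts -bor 0x1) }

# Alternative for a small site with no GC: cache universal group membership on the site.
# The UGMC checkbox sets bit 0x20 of 'options' on the site's NTDS Site Settings object.
$siteSettings = "CN=NTDS Site Settings,CN=Branch-Austin,CN=Sites,$cfg"
$sopts = (Get-ADObject $siteSettings -Properties options).options
Set-ADObject $siteSettings -Replace @{ options = ($sopts -bor 0x20) }
# 2012+ module equivalent: Set-ADReplicationSite Branch-Austin -UniversalGroupCachingEnabled $true

# Audit: sites that cache memberships without naming a refresh site pull from the nearest GC.
Get-ADObject -Filter 'objectClass -eq "nTDSSiteSettings"' -SearchBase "CN=Sites,$cfg" -Properties options, msDS-Preferred-GC-Site |
    Select-Object @{n='Site';e={$_.DistinguishedName.Split(',')[1]}}, @{n='UGMC';e={[bool]($_.options -band 0x20)}}, msDS-Preferred-GC-Site
```

A cached membership is a stale membership for up to the refresh interval: removing a user from a universal group does not lock them out of a cached site until the next refresh, which matters when the removal is the response to an incident.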
Term
| What forest and function levels does the network need for you to install RODC's? |
|
Definition
| Forest functional level Windows Server 2003 or above, plus adprep /rodcprep, and at least one writable Windows Server 2008 DC in the same domain for the RODC to replicate from. |
|
|
Term
| How many domains can a DC have or belong to at any one time? |
|
Definition
| One. A DC holds a copy of exactly one domain partition; to serve a different domain it must be demoted and promoted again. |
|
Term
What is the highest functional level if you have the following servers in your domain?
Windows Server 2003
Windows 2000 Server
Windows Server 2008 |
|
Definition
| Windows 2000 native (the highest level that still supports Windows 2000 DCs). |
|
Term
| Which NTFS feature can you implement to limit the amount of disk space occupied by users? |
|
Definition
| Disk quotas |
|
Term
| What two steps need to be done to convert a disk volume from FAT to NTFS? |
|
Definition
Run convert <drive>: /FS:NTFS
Reboot the computer (the conversion runs at startup when the volume is in use) |
|
Term
| What 2 protocols are required to support AD? |
|
Definition
| TCP/IP and DNS |
|
Term
| Command used to promote or demote a DC? |
|
Definition
| dcpromo.exe |
|
Term
| Your organisation needs one set of credentials for multiple forests. What 2008 role do you install? |
|
Definition
| Active Directory Federation Services (AD FS) |
|
Term
| How do you test that DNS forward lookups are working properly prior to installing AD? |
|
Definition
ping hostname
An IP address is returned. (nslookup hostname shows which server answered and the record it returned, and does not depend on ICMP being allowed.) |
|
|
Term
Which file system meets these requirements?
file-level security
efficient use of space on large partitions
the domain controller's Sysvol must be stored on it |
|
Definition
| NTFS |
|
Term
| You have decided that you must convert the system partition on your Windows Server 2008 from the FAT32 filesystem to NTFS. Which 2 steps must you take in order to convert the filesystem? |
|
Definition
convert C: /FS:NTFS
Reboot the computer (the system partition is in use, so the conversion is scheduled for the next startup) |
|
|
Term
| Name 3 protocols need for AD to work properly |
|
Definition
LDAP
DNS
TCP/IP |
|
|
Term
Two sites with DCs that cannot communicate. Names:
server1.yourcompany.com and server1.yourcompany.com
Problem? |
|
Definition
| Yes: each server needs a unique FQDN. Two hosts with the same name register the same A and SRV records, so clients and replication partners are sent to whichever one registered last. |
|
|
Term
| How can you increase the space on a volume without backup, recreate restoring? |
|
Definition
| Use NTFS mounts to map new volume to existing volume. |
|
|
Term
| What file system reqs exist for installation of AD? |
|
Definition
NTFS volume.
Greater than 4GB |
|
|
Term
| What 5 connectivity tests should you do prior to installing AD? (assume second site connected via VPN) |
|
Definition
Test the network adapter (drivers and configuration)
Check ipconfig
Test Internet access
Check LAN access
Check client access
Check WAN (VPN) access to the second site |
|
|
Term
| How do you check the configuration of the TCP/IP protocol and output it to a text file? |
|
Definition
| ipconfig /all > ipcfg.txt |
|
|
Term
| What are the 3 forest functional levels in W2k8? |
|
Definition
Windows 2000 (default)
Windows Server 2003
Windows Server 2008 |
|
|
Term
| 5 New features in W2k8 Functional Level but not in W2k3? |
|
Definition
Fine-grained password policies.
Read-only domain controller (RODC). (Strictly, RODCs need only the Windows Server 2003 forest functional level; the other four require the Windows Server 2008 domain functional level.)
Last interactive logon information.
Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
Distributed File System Replication (DFSR) for Sysvol. |
|
|
Term
| What is a Defunct Schema Class? |
|
Definition
| A Class of objects that has been marked as non-usable. |
|
|
Term
|
Definition
| Provides way of querying names and IP addresses, replicating the info in the DB as well as the schema |
|
|
Term
| Name 7 different common DNS records. |
|
Definition
| SOA, NS, A, CNAME, PTR, MX, and SRV |
|
|
Term
|
Definition
Start of Authority record.
Defines the general parameters for the DNS zone, including which server is the primary (authoritative) server for it. |
|
|
Term
|
Definition
Name Server record.
Lists the name servers for a domain; allows other name servers to find them and look up names. |
|
|
Term
|
Definition
Address (host) record.
Links a hostname to an IPv4 address (AAAA does the same for IPv6). |
|
|
Term
|
Definition
Pointer record.
Links an IP address to a hostname for reverse lookups. |
|
|
Term
|
Definition
Mail Exchange record.
Lists the mail servers that accept mail for the domain, each with a preference value. |
|
|
Term
|
Definition
Service record.
Maps a service to the host (and port) that offers it; for example _ldap._tcp.dc._msdcs.<domain> points clients at the domain controllers, and the host's A record then supplies the IP address. |
|
|
Term
| Name the 3 queries types when DNS is used to resolve names or IP's |
|
Definition
| Iterative, Recursive, and Inverse |
|
|
Term
| What is an Iterative query? |
|
Definition
| Client asks Server. Server responds with best possible answer |
|
|
Term
| What is a Recursive query? |
|
Definition
| Client queries server, server doesn't know, asks each server up the line until answer is returned to client via server. |
|
|
Term
| What is an Inverse query? |
|
Definition
| Client queries IP address instead of name. |
|
|
Term
| A zone used to resolve names to IP addresses is a _________? |
|
Definition
| forward lookup zone |
|
Term
| A zone used to resolve IP addresses to names is a ________? |
|
Definition
| reverse lookup zone |
|
Term
| How do you create new zones? |
|
Definition
| with the New Zone wizard. |
|
|
Term
| Where do you configure a zone for Dynamic updates? |
|
Definition
| Properties of the forward/reverse lookup zone - General Tab - Dynamic updates - None/Secure Only/Nonsecure and secure |
|
|
Term
| What is the default setting for Dynamic updates |
|
Definition
| Secure only for Active Directory-integrated zones; None for standard primary zones (secure updates are only possible when the zone is stored in AD). |
|
Term
| Name 5 tools used to troubleshoot DNS problems? |
|
Definition
DNS snap-in
DNS Server event log (and the Directory Service log for AD-integrated zones)
nslookup
ipconfig (/all, /flushdns, /registerdns)
DNS server debug log file |
|
|
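The DNS cards above (dynamic update modes, the default setting, the troubleshooting tools) map onto a handful of commands. The following added example (not from the original flashcards) is the check a practitioner runs on a Windows Server 2008 DNS server: confirm the records that logons depend on, read the zone's update mode, and close the two settings that are commonly left open. It assumes a DNS server DC01 hosting the zone corp.example.com (assumed names); dnscmd is the Server 2008 tool, the DnsServer PowerShell module only arrived with Server 2012.

```powershell
# Added example; not from the flashcards. Assumed names: DNS server DC01, zone corp.example.com.

# Can a client find a DC? Netlogon registers these SRV records; if they are missing, domain logons fail.
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com
nslookup -type=SRV _kerberos._tcp.dc._msdcs.corp.example.com

# Zone settings, including the update mode: AllowUpdate 0 = none, 1 = nonsecure and secure, 2 = secure only
dnscmd DC01 /ZoneInfo corp.example.com

# "Nonsecure and secure" lets any host on the network overwrite another host's record (including a DC's);
# set secure only, which is the AD-integrated default and needs the zone to be stored in AD.
dnscmd DC01 /Config corp.example.com /AllowUpdate 2

# Zone transfers: allow them only to the servers named in the zone's NS records.
# An open AXFR hands out a complete host inventory to anyone who asks.
dnscmd DC01 /ZoneResetSecondaries corp.example.com /SecureNs

# Client side: which server this host actually queries, then re-register its own A and PTR records.
ipconfig /all | Select-String "DNS Servers"
ipconfig /registerdns
```

After changing the update mode, watch the DNS Server event log for refused updates: hosts that are not domain members (the UNIX printers in a card further down) can no longer register themselves and need static records.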
Term
Multiple sites across Australia.
A single AD tree is required.
What DNS and AD structures do you implement to ensure good performance? |
|
Definition
| Install a DNS server at each regional location and create a single domain name for all the regions for resolution of local resources. |
|
|
Term
3 UNIX DNS, print and fax servers.
A new AD domain with integrated DNS replaces the UNIX DNS server.
Now nobody can print or fax. What gives? |
|
Definition
| You need to manually add A resource records for the Unix machines. |
|
|
Term
| How do you configure a DNS server so that it only answers queries from hosts on your intranet and no where else? |
|
Definition
Configure the server as a root server (create a root "." zone) and leave out root hints for the top-level domains,
and leave forwarding turned off, so that it can only answer for the zones it hosts. |
|
|
Term
| What must you do so that your customers can utilize all mirrored web servers? |
|
Definition
| Enable Round Robin DNS to balance out the load across all the servers you have mirrored and configured in the DNS |
|
|
Term
| You have multiple remote locations by slow satellite links.Need to install DNS into these offices so that clients can locate authoritative DNS servers in the main location. What type of DNS zones should be installed in the remote locations? |
|
Definition
| Stub Zones - Contain: NS, A and SOA records |
|
|
Term
You have 5 Windows Server 2008 DCs. All host standard primary DNS zones. You need to ensure that all hold the same database and accept only secure updates.
What do you do? |
|
Definition
| Convert the zones to Active Directory-integrated zones (zone Properties - General - Change type) and set Dynamic updates to Secure only. The zone data then replicates with AD and every DC holds a writable copy. |
|
|
Term
Six offices. A single AD tree is needed.
How do you deploy DNS to enable efficient and responsive name/IP resolution for this environment? |
|
Definition
| Create a single second-level name and deploy a DNS server at each location in the network |
|
|
Term
| What are the two main server types in an NT domain? |
|
Definition
| Primary Domain Controller (PDC) and Backup Domain Controller (BDC) |
|
Term
| Two types of domains in and NT - Multi-master domain topology? |
|
Definition
Master (account) domain
Resource domain, which trusts the master domain |
|
|
Term
| 3 Advantages of old NT over workgroups? |
|
Definition
Centralised administration
Database replication
Could scale to thousands of users |
|
|
Term
| 4 Limitations of NT model? |
|
Definition
Didn't scale well for very large organisations
Trust relationships needed a lot of work
Excessive replication was bad for low-bandwidth WAN links
Difficult to delegate administrative duties |
|
|
Term
|
Definition
LDAP for transferring information
Reliance on DNS for name resolution
Ability to extend the schema |
|
|
Term
|
Definition
Create security boundaries to protect resources and ease administration
Ease administration of users, groups, computers, etc.
Provide a central database of network objects |
|
|
Term
| Type of server for remote locale with questionable security? |
|
Definition
| Read-only domain Controller |
|
|
Term
True or False:
Two objects can have the same relative distinguished name. |
|
Definition
True.
CN=Jane Doe can exist twice (or more) in different OUs: the RDN repeats, but each full DN is different. |
|
|
Term
True or False:
Two objects can have the same distinguished name. |
|
Definition
False.
The DN is unique to each AD object. |
|
|
Term
| AD Trust Relationships - 3 truths |
|
Definition
1. Trusts within a forest are transitive.
2. By default, trusts within a forest are two-way relationships.
3. Trusts are used to allow the authentication of users between domains (access to resources is still a separate permission decision). |
|
|
Term
| Protocol used to query AD |
|
Definition
| LDAP |
|
Term
| Policy that allows for different password and account lockout policies for different sets of users in the same domain? |
|
Definition
| Fine-grained password policy |
|
|
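The card above names the feature; the following added example (not from the original flashcards) creates one fine-grained password policy and shows the two rules that catch people out: a PSO applies to users and global security groups only, never to OUs, and when several apply the lowest Precedence wins. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), the Windows Server 2008 domain functional level, and a user named alice (assumed name).

```powershell
# Added example; not from the flashcards. Assumes the RSAT AD module (2008 R2+), the Windows Server 2008
# domain functional level (required for PSOs) and a user "alice" (assumed name).
Import-Module ActiveDirectory

# A stricter policy for administrators than the Default Domain Policy gives everyone else.
New-ADFineGrainedPasswordPolicy -Name "Admins-Strict" -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# PSOs attach to users and global security groups only (not OUs). Lowest Precedence wins on overlap.
Add-ADFineGrainedPasswordPolicySubject -Identity "Admins-Strict" -Subjects "Domain Admins"

# Confirm what an account actually gets (null means the Default Domain Policy applies).
Get-ADUserResultantPasswordPolicy -Identity alice |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge

# Audit: every PSO, who it applies to, and its precedence
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```

Because PSOs cannot target an OU, the usual design is a "shadow group" per OU kept in sync by script; the resultant-policy check above is how you verify the sync actually reached a given account.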
Term
| What is the Server role that allows/provides for single sign-on capability for multiple apps? |
|
Definition
| Active Directory Federation Services (AD FS) |
|
Term
| Advantages of using Server 2008 AD Certificate Services? |
|
Definition
Web enrollment _x000D_ Network Device Enrollment Service _x000D_ Online Responder |
|
|
Term
| Which role allows a user to secure an email while using Microsoft Office 2007 Outlook? |
|
Definition
| AD Rights Management Services (AD RMS) |
|
|
Term
| Identity and access (IDA) has five distinct categories. What are they? |
|
Definition
Directory services,
strong authentication,
federated identities,
information protection,
and identity lifecycle management |
|
|
Term
| Another administrator has changed a user's group settings. What is the easiest way to get the original setting back for the user? |
|
Definition
Turn on auditing of directory service changes beforehand.
Review the Security log: the change events record who changed the attribute and its old and new values.
Restore the original value (and review that administrator's delegated rights). |
|
|
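The card above depends on auditing having been enabled before the change. The following added example (not from the original flashcards) enables Directory Service Changes auditing on a Windows Server 2008 DC and reads the resulting events back, so the previous group membership is reconstructed from the log rather than guessed. It assumes a group named "Finance Admins" and a user bob (assumed names); the property indexes used to read event 5136 are assumed from the event's template and should be checked against one real event before relying on them.

```powershell
# Added example; not part of the flashcards. Windows Server 2008 DC, run as an administrator.
# Assumed names: group "Finance Admins", user "bob".
auditpol /set /subcategory:"Directory Service Changes" /success:enable
# The object also needs an audit entry (SACL) for "Write all properties"; the Default Domain Controllers
# Policy puts one for Everyone on the domain root with inheritance, so most objects already have it.
# Group membership changes additionally raise Account Management events (4728/4729 global,
# 4732/4733 domain local, 4756/4757 universal) that need no SACL at all.

# 5136 = attribute modified. Property indexes assumed from the event template:
# 3 = actor account, 8 = object DN, 11 = attribute name, 13 = value,
# 14 = operation (%%14674 = value added, %%14675 = value deleted).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-24) } |
    Where-Object { $_.Properties[11].Value -eq 'member' -and $_.Properties[8].Value -like 'CN=Finance Admins,*' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Actor     = $_.Properties[3].Value
            Group     = $_.Properties[8].Value
            Member    = $_.Properties[13].Value
            Operation = if ($_.Properties[14].Value -eq '%%14675') { 'removed' } else { 'added' }
        }
    } | Format-Table -AutoSize

# Put a removed member back once the log has shown what the original membership was.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Finance Admins' -Members 'bob'
```

The Security log on a busy DC rolls over quickly; forward it (or at least the 4728-4757 and 5136 events) to a collector, otherwise the "review the logs" step in the card has nothing to review by the time the change is noticed.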
Term
| What is the feature of AD that allows info to remain in sync between DC's? |
|
Definition
| Replication |
|
Term
| Which component of AD should you implement at remote sites to improve the performance of searches conducted for objects in all domains? |
|
Definition
| A Global Catalog server |
|
Term
| Name of the server that is a repository of Active Directory topology and schema information for Active Directory? |
|
Definition
|
|
Term
| You need to install the Active Directory Federation Services. What application do you use to do the install? |
|
Definition
| Server Manager (Add Roles wizard) |
|
Term
| What term is used to refer to the actual structure that contains the information stored within Active Directory? |
|
Definition
|
|
Term
Network admin for a 200-node network. Only 30 nodes need a new application.
What can you do? |
|
Definition
Create an OU containing the 30 computers.
Deploy the application/update with a Group Policy object linked to that OU. |
|
|
Term
| Used to create a logical structure in AD is an ______? |
|
Definition
| organizational unit (OU) |
|
Term
|
Definition
Hierarchical organisation
Extensible schema
Centralised data storage
Replication (DNS and AD)
Ease of administration
Network security
Scalability
Search |
|
|
Term
|
Definition
| a minimal install of Windows Server 2008, without GUI or .NET Framework |
|
|
Term
| What are the hardware requirements for Server Core? |
|
Definition
|
|
Term
| What are 2 advantages of Server Core? |
|
Definition
| more secure (fewer services and components) and requires less management |
|
|
Term
| What 9 server roles are supported in Core? |
|
Definition
| AD Domain Services (AD DS), AD Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, file server, print server, Streaming Media Services, IIS (doesn't support ASP.NET), Hyper-V (server virtualization) |
|
|
Term
| What 11 optional features are available in Server Core? |
|
Definition
| failover cluster, network load balancing, subsystem for UNIX, windows backup, multipath I/O, removeable storage management, Windows Bitlocker drive encryption, SNMP, WINS, Telnet, QoS |
|
|
Term
| What command is used to change the administrator password? |
|
Definition
| net user administrator * |
|
Term
| What command is used in Core to set IPv4 configuration? |
|
Definition
| netsh interface ipv4 set address (and netsh interface ipv4 set dnsserver) |
|
Term
| What command is used to join a domain? |
|
Definition
| netdom join |
|
Term
| What command is used in Core to add roles, components, and features? |
|
Definition
| ocsetup (start /w ocsetup <RoleName>; the role names are case-sensitive) |
|
Term
| What command is used in Core to view roles, components, and features? |
|
Definition
| oclist |
|
Term
| What command is used in Core to enable Remote Desktop? |
|
Definition
| cscript c:\windows\system32\scregedit.wsf /ar 0 (note the space: /ar 0 enables Remote Desktop, /ar 1 disables it) |
|
|
Term
| What command is used to promote a domain controller? |
|
Definition
| dcpromo |
|
Term
| What command is used in Core to configure DNS? |
|
Definition
| dnscmd |
|
Term
| What command is used in Core to configure DFS? |
|
Definition
|
|
Term
| What command is used to add Active Directory Domain services? |
|
Definition
| dcpromo.exe (AD DS cannot be added with ocsetup) |
|
Term
| What is the one AD server role available in Core that can't be added with ocsetup.exe? |
|
Definition
| AD Domain Services (added with dcpromo.exe) |
|
|
Term
| What command is used to remove a domain controller? |
|
Definition
|
|
Term
| What piece of information is required when removing a domain controller? |
|
Definition
| The password to set for the server's local Administrator account after demotion (once it is a member server, the domain accounts no longer apply to it). |
|
|
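The Server Core cards above are the steps of one procedure: set the administrator password, configure IP, join the domain, add roles, enable Remote Desktop, promote, and later demote. The following added example (not from the original flashcards) runs them end to end. Windows Server 2008 Server Core ships without PowerShell, so on the console these are typed into cmd.exe; the only differences are `$env:COMPUTERNAME` versus `%computername%`, `Start-Process -Wait` versus `start /w`, and the way the answer file is written. Assumed names: NIC "Local Area Connection", address 10.0.0.5/24, DNS server 10.0.0.2, domain corp.example.com, account corp\admin, new name CORE-DC02.

```powershell
# Added example, not from the original flashcards. Assumed: NIC "Local Area Connection", 10.0.0.5/24,
# DNS 10.0.0.2, domain corp.example.com, account corp\admin, computer name CORE-DC02.
net user administrator *                                   # set the local Administrator password (prompts)

netsh interface ipv4 set address name="Local Area Connection" source=static address=10.0.0.5 mask=255.255.255.0 gateway=10.0.0.1
netsh interface ipv4 set dnsserver name="Local Area Connection" source=static address=10.0.0.2 primary

netdom renamecomputer $env:COMPUTERNAME /newname:CORE-DC02 /reboot:5
# ... after the reboot:
netdom join CORE-DC02 /domain:corp.example.com /userd:corp\admin /passwordd:* /reboot:5

oclist                                                     # every role/feature and whether it is installed
Start-Process ocsetup -ArgumentList 'DNS-Server-Core-Role' -Wait     # cmd.exe: start /w ocsetup DNS-Server-Core-Role

cscript $env:windir\system32\scregedit.wsf /ar 0           # enable Remote Desktop (/ar 1 disables)
cscript $env:windir\system32\scregedit.wsf /cs 0           # only if clients without NLA must be accepted (weaker)

# AD DS is the one role ocsetup cannot add. On Core, dcpromo is driven by an answer file.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=corp.example.com
UserName=admin
Password=*
SafeModeAdminPassword=CHANGE-ME-DSRM-PASSWORD
RebootOnCompletion=Yes
"@ | Set-Content C:\dcpromo.txt
dcpromo /unattend:C:\dcpromo.txt
Remove-Item C:\dcpromo.txt                                 # it holds credentials; do not leave it on disk

# Demotion: dcpromo again; the one value it needs is the local Administrator password the
# member server will have afterwards.
dcpromo /unattend /AdministratorPassword:CHANGE-ME-LOCAL-PASSWORD
# dcpromo /forceremoval    # only when the DC can no longer reach the rest of the domain; clean up its metadata afterwards
```

`Password=*` in the answer file makes dcpromo prompt for the domain credential rather than storing it; the DSRM password still has to be in the file, which is why the file is deleted straight after the promotion.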
Term
| What 2 directory partitions do all domains in a forest share? |
|
Definition
| Schema and configuration |
|
Term
| How does Dynamic DNS (DDNS) differ from standard DNS? |
|
Definition
| DDNS allows real-time DNS updates |
|
|
Term
| What command will send DNS registration info to a DNS server? |
|
Definition
| ipconfig /registerdns |
|
Term
| How is DNS information replicated in DDNS? |
|
Definition
| Through Active Directory replication for AD-integrated zones; standard zones still use (incremental) zone transfers. |
|
Term
| How was DNS information replicated in standard DNS? |
|
Definition
| through manual copies of the zone file |
|
|
Term
| What two name resolution technologies does DDNS cover? |
|
Definition
|
|
Term
| When does DDNS update the record? |
|
Definition
| when a client leases an IP address |
|
|
Term
| What is Scope Option 003? |
|
Definition
| Router (default gateway) |
|
Term
| What is Scope Option 006? |
|
Definition
| DNS Servers |
|
Term
| What is the scope for default gateway? |
|
Definition
| 003 Router |
|
Term
| What is the scope for preferred DNS server? |
|
Definition
| 006 DNS Servers |
|
Term
| Where does non-dynamic DNS store data? |
|
Definition
| in a text file located at %SystemRoot%\System32\DNS |
|
|
Term
| What are the 3 types of DNS zones? |
|
Definition
| primary, secondary, and stub zone |
|
|
Term
| What is a primary DNS zone? |
|
Definition
| a DNS zone which stores a copy of the zone that can be directly updated |
|
|
Term
| What is a secondary DNS zone? |
|
Definition
| a copy of a primary DNS zone |
|
|
Term
| What are secondary DNS zones used for? |
|
Definition
| load balancing, fault tolerance, and increasing capacity |
|
|
Term
| What is a stub zone? |
Definition
| a copy of a DNS zone containing only NS, SOA, and sometimes glue A records; it is not authoritative |
|
|
Term
| What limitation exists on a DNS server storing its data in AD? |
|
Definition
| the DNS server must be a DC |
|
|
Term
| What is secure DNS (secure dynamic update)? |
|
Definition
| a zone that accepts dynamic updates only from clients that authenticate to the DNS server (Kerberos, negotiated through GSS-TSIG); in an AD-integrated zone the ACL on each record then decides who may modify it |
|
|
Term
| How does secure DNS work? |
|
Definition
| the client proves its identity to the DNS server with its Active Directory account (Kerberos via GSS-TSIG), and the server then checks the ACL on the zone and on the record, so a host can normally change only the records it registered itself. The list of approved servers is a separate setting that governs zone transfers, not dynamic updates. |
|
|
Term
| What is the purpose of secure DNS? |
|
Definition
| to stop unauthenticated hosts from registering bogus records or overwriting existing ones (DNS spoofing/poisoning) |
|
|
Term
| How is secure DNS set up in an Active Directory domain? |
|
Definition
| it is the default for AD-integrated zones (Dynamic updates: Secure only); standard primary zones cannot use secure updates, so a zone that must accept dynamic updates should be AD-integrated |
|
|
Term
| What are 3 reasons to use a stub zone? |
|
Definition
| keep delegated zone info current, improve name resolution, simplify administration |
|
|
Term
| What does a Start of Authority (SOA) record do? |
|
Definition
| specifies the DNS server in charge of a zone |
|
|
Term
| What 4 items does an SOA record specify? |
|
Definition
| primary server for the zone, zone administrator's email address, secondary zone expiration values, minimum default TTL values |
|
|
Term
| What is the Global Name Zone designed to do? |
|
Definition
|
|
Term
|
Definition
|
|
Term
| What 3 types of records are stored in a Forward Lookup Zone? |
|
Definition
| records that locate domain services: SRV records for LDAP (_ldap._tcp) and the Global Catalog (_gc._tcp), plus the Name Server (NS) records for the zone, alongside the ordinary host (A) records |
|
|
Term
| How can repopulation be forced if a Forward Lookup Zone does not appear in AD? |
|
Definition
| restart the Netlogon service (net stop netlogon, then net start netlogon); Netlogon re-registers the DC's SRV and host records |
|
|
Term
| What do Forward Lookup Zones do? |
|
Definition
| store domain name-to-IP address mappings |
|
|
Term
| What do Reverse Lookup Zones do? |
|
Definition
| store IP address-to-domain name mappings |
|
|
Term
| At what 3 times are Reverse Lookup Zones populated? |
|
Definition
| when IP addresses are leased, when machines are restarted, when ipconfig /registerdns is executed |
|
|
Term
| What do root hints do? |
|
Definition
| point a DNS server at the Internet root servers so it can start resolving names for which it is not authoritative |
|
|
Term
| What are 3 reasons to divide namespaces into more than 1 zone? |
|
Definition
| delegate responsibility, break up large namespaces for management, extend namespace to add subdomains |
|
|
Term
| When creating subdomains, what needs to be done to make sure that all zone records stay current? |
|
Definition
| delegation records need to be added to other DNS servers to point to the authoritative server |
|
|
Term
| How does round robin DNS work? |
|
Definition
| when an IP address for a server in a round robin pool is given out, that address is moved to the bottom of the list |
|
|
Term
| What sort of servers most often utilize round robin DNS? |
|
Definition
|
|
Term
| What is DNS recursion? |
|
Definition
| resolving a query on the client's behalf by querying other servers (root, top-level, then authoritative) instead of returning a referral |
|
|
Term
| When is DNS recursion usually disabled? |
|
Definition
| on Internet-facing, authoritative-only servers: an open recursive resolver can be abused for cache poisoning and for DNS reflection/amplification attacks |
|
|
Term
| What is server scavenging? |
|
Definition
| process of getting rid of stale DNS records |
|
|
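The secure-update, zone-transfer and scavenging settings described in the cards above, as an added example that is not part of the original flashcards. It drives dnscmd.exe, the command-line tool that ships with the Windows Server 2008 DNS Server role; the server name, zone name and secondary addresses are assumed values.

```powershell
# Added example (not from the original flashcards): harden one zone with dnscmd.exe.
$Server      = 'DC01'                      # assumed DNS server (a DC for an AD-integrated zone)
$Zone        = 'corp.example.com'          # assumed zone name
$Secondaries = @('10.0.0.12', '10.0.0.13') # assumed secondaries allowed to pull the zone

function Invoke-Dnscmd {
    # Runs dnscmd against $Server and fails loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with $LASTEXITCODE`n$output"
    }
    $output
}

function Set-ZoneHardening {
    # 1. Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
    #    Secure only means the client must authenticate (Kerberos, GSS-TSIG) and the
    #    per-record ACL in AD decides whether it may change the record.
    Invoke-Dnscmd '/Config', $Zone, '/AllowUpdate', '2' | Out-Null

    # 2. Zone transfers: this is where the approved-server list lives. /SecureList
    #    limits AXFR/IXFR to the listed IPs (use /NoXfr when there are no secondaries).
    Invoke-Dnscmd (@('/ZoneResetSecondaries', $Zone, '/SecureList') + $Secondaries) | Out-Null

    # 3. Scavenging: enable aging on the zone with 7-day no-refresh and refresh
    #    intervals (values are hours) and run the scavenger on this server every 7 days.
    #    Timestamped records not refreshed within the two intervals are deleted, so a
    #    retired host's name stops resolving to an address someone else now holds.
    Invoke-Dnscmd '/Config', $Zone, '/Aging', '1' | Out-Null
    Invoke-Dnscmd '/Config', $Zone, '/NoRefreshInterval', '168' | Out-Null
    Invoke-Dnscmd '/Config', $Zone, '/RefreshInterval', '168' | Out-Null
    Invoke-Dnscmd '/Config', '/ScavengingInterval', '168' | Out-Null
}

function Get-ZoneUpdateMode {
    # dnscmd /ZoneInfo prints "name = value" lines; the "update" line carries the
    # AllowUpdate setting (label as printed by the Server 2008 tool; assumption elsewhere).
    $line = Invoke-Dnscmd '/ZoneInfo', $Zone |
        Select-String -Pattern '^\s*update\s*=\s*(\d+)' |
        Select-Object -First 1
    if (-not $line) { throw "Could not read the update setting for $Zone" }
    [int]$line.Matches[0].Groups[1].Value
}

Set-ZoneHardening
if ((Get-ZoneUpdateMode) -ne 2) { throw "$Zone still accepts non-secure dynamic updates" }
"$Zone is secure-only for updates, transfers limited to $($Secondaries -join ', '), scavenging on"
```

Run it from an elevated prompt on a server holding the DNS Server role (or a workstation with the DNS RSAT tools). The read-back step matters: a zone created as a standard primary zone silently ignores /AllowUpdate 2, because secure updates need AD integration.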
Term
| What 2 containers are created when DNS is integrated with AD? |
|
Definition
| ForestDnsZones and DomainDnsZones (application directory partitions) |
|
|
Term
| What do incremental zone transfers do? |
|
Definition
| replicate only changes to DNS (rather than all records) |
|
|
Term
| Does DNS work on a push or pull basis? |
|
Definition
| pull, with notification: when changes are made, the primary notifies its secondaries (DNS NOTIFY), and each secondary then requests the transfer |
|
|
Term
| What directory format does Active Directory use? |
|
Definition
|
|
Term
| What do AD tree structures share? |
|
Definition
| The same contiguous name space |
|
|
Term
| What is an RODC? |
Definition
| A Read Only Domain Controller |
|
|
Term
| Do different forests share the same name space? |
|
Definition
|
|
Term
|
Definition
|
|
Term
| What is a domain? |
Definition
| A domain is an administratively-defined collection of network resources that share a common directory database and security policies |
|
|
Term
| What is an AD object attribute? |
|
Definition
| Information about the object (such as a user's name, phone number, and email address) which is used for locating and securing resources. |
|
|
Term
| What does an object schema identify? |
|
Definition
| The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the object. |
|
|
Term
| What does AD use DNS for? |
|
Definition
| Active Directory uses DNS for locating and naming objects. |
|
|
Term
| How are OUs organized? |
|
Definition
First-level OUs can be called parents.
Second-level OUs can be called children.
OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers). |
|
|
Term
| What is a tree? |
Definition
| A tree is a group of related domains that share the same contiguous DNS name space. |
|
|
Term
| What is a forest? |
Definition
| A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces. |
|
|
Term
| What is the forest root domain? |
|
Definition
| The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest. |
|
|
Term
| What is the tree root domain? |
|
Definition
| The tree root domain is the highest level domain in a tree. |
|
|
Term
| What is a child domain? |
Definition
| Each domain in the tree that is connected to the tree root domain is called a child domain. |
|
|
Term
| What is a domain tree? |
|
Definition
A domain tree is a group of domains based on the same name space. Domains in a tree:
- Are connected with a two-way transitive trust.
- Share a common schema.
- Have common global catalogs. |
|
|
Term
| What is a domain controller? |
|
Definition
| A domain controller is a server that holds a copy of the Active Directory database. On a writable DC that copy can be written to; a read-only domain controller (RODC) holds a copy that cannot. |
|
|
Term
| What is replication? |
Definition
| Replication is the process of copying changes to Active Directory between the domain controllers. |
|
|
Term
| What two objects does AD use to represent the physical structure of the network? |
|
Definition
- A subnet represents a physical network segment. Each subnet possesses its own unique network address space.
- A site represents a group of well-connected networks (networks that are connected with high-speed links). |
|
|
Term
| What manages AD replication between locations? |
|
Definition
| Sites and subnets are used to manage Active Directory replication between locations. |
|
|
Term
| How does an AD site differ from a domain? |
|
Definition
| A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization. |
|
|
Term
| How are clients assigned to AD sites? |
|
Definition
| Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask. |
|
|
Term
| How are domain controllers assigned to AD sites? |
|
Definition
| Domain controllers are assigned to sites according to the location of their associated server object in Active Directory. |
|
|
Term
| What does the Global Catalog server do? |
|
Definition
| Responsible for replicating a subset of attributes throughout Active Directory |
|
|
Term
| What are FSMO roles/What do they do? |
|
Definition
| Flexible Single-Master Operation roles are specialized domain controller tasks assigned to a domain controller in the domain or forest. Operations master roles are useful because certain domain and enterprise-wide operations are not well suited for the multi-master replication performed by Active Directory to replicate objects and attributes |
|
|
Term
| What are the 5 FSMO roles? |
|
Definition
- Schema Master
- Domain Naming Master
- RID Master (Relative Identifier)
- PDC Emulator
- Infrastructure Master |
|
|
Term
| What does the schema master do? |
|
Definition
| Maintains the schema (the mapping of all the different object types) |
|
|
Term
| What does the RID master do? |
|
Definition
| The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controller when creating new security principals (such as user, group, or computer accounts). |
|
|
Term
| What does the PDC Emulator do? |
|
Definition
| The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers. (eg - time services) |
|
|
Term
| What does the Infrastructure Master do? |
|
Definition
| Maintains references to objects in other domains (for example, members of a group who belong to another domain) and updates them when those objects are renamed or moved. Unless every DC in the domain is also a global catalog server, the infrastructure master must not be placed on a GC, or it never sees the stale references it is supposed to update. |
|
|
Term
| Which level do the Schema and Domain Naming Master roles operate at? |
|
Definition
| forest level (one of each per forest) |
|
|
Term
| What level do the RID, PDC and Infrastructure Master roles operate at? |
|
Definition
| domain level (one of each per domain) |
|
|
Term
| What is the Global Catalog? |
|
Definition
| The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced. |
|
|
Term
| What is an Operations Master? |
|
Definition
| A domain controller that performs an operations master role is known as an operations master or operations master role owner. |
|
|
Term
| What does the Domain Naming Master do? |
|
Definition
| The domain naming master adds new domains to and removes existing domains from the forest. |
|
|
Term
| What is a functional level? |
|
Definition
| A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest |
|
|
Term
| Which domain functional levels does Server 2008 support? |
|
Definition
Windows 2000 Native
Windows Server 2003
Windows Server 2008 |
|
|
Term
| Which forest functional levels does Server 2008 support? |
|
Definition
Windows 2000
Windows Server 2003
Windows Server 2008 |
|
|
Term
| What is a Group Policy object (GPO)? |
Definition
| A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values. |
|
|
Term
| What are new services in AD 2008? |
|
Definition
- AD Domain Services
- AD Lightweight Directory Services
- AD Certificate Services
- AD Federation Services
- AD Rights Management Services |
|
|
Term
| What is a server role? |
Definition
| A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server. |
|
|
Term
| What is an AD role service? |
|
Definition
| Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role. |
|
|
Term
| What is a feature? |
Definition
| A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support. |
|
|
Term
| What is Active Directory Domain Services (AD DS) |
|
Definition
AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:
- Helps administrators securely manage information.
- Facilitates resource sharing and collaboration between users.
- Is required to be installed on the network to install directory-enabled applications such as Microsoft Exchange Server and for applying other Windows Server technologies, such as Group Policy. |
|
|
Term
| What is Active Directory Lightweight Directory Service (AD LDS) |
|
Definition
| Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database. |
|
|
Term
| What is Active Directory Federation Services (AD FS) |
|
Definition
AD FS is a feature which enables secure access to web applications outside of a user's home domain or forest. The AD FS role:
- Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account.
- Securely federates (shares) user identities and access rights in the form of digital claims between partner organizations. |
|
|
Term
| What is Active Directory Rights Management Service (AD RMS) |
|
Definition
AD RMS is a feature which safeguards digital information from unauthorized use. The AD RMS role:
- Can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions.
- Allows organizations to create custom usage rights templates (such as "Confidential - Read Only") that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data. |
|
|
Term
| What is Active Directory Certificate Services (AD CS) |
|
Definition
AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. The AD CS role:
- Provides customizable services for creating and managing public key certificates.
- Enhances security by binding the identity of a person, device, or service to a corresponding private key.
- Includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments. |
|
|
Term
| Name some things that AD Certificate Services supports |
|
Definition
Digital signatures
Encrypting File System (EFS)
Internet Protocol security (IPsec)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Socket Layer/Transport Layer Security (SSL/TLS)
Secure wireless networks
Smart card logon
Virtual Private Networks (VPN) |
|
|
Term
| What AD roles are not supported on Server 2008 Standard? |
|
Definition
| AD FS requires the Enterprise or Datacenter edition for deployment. |
|
|
Term
| Which server roles can Server 2008 Core run? |
|
Definition
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Dynamic Host Configuration Protocol (DHCP) Server
DNS Server
File Server
Print Server
Media Services
Web Server (IIS) |
|
|
Term
| What are the limitations of Server 2008 core? |
|
Definition
There is no Windows Shell.
There is no managed code support (no .NET Framework). All code has to be native Windows API code.
There is only MSI support for unattended mode installs. |
|
|
Term
| What methods can you use to manage a Server 2008 core system? |
|
Definition
Log on and use the command prompt.
Log on using Remote Desktop to gain access to the command prompt.
Use Windows Remote Shell (winrs, which runs commands over the WinRM service).
Run Server Manager or another tool on another computer and connect to the Server Core system. This method allows you to use a GUI for managing the Server Core system. |
|
|
Term
| How would you add server roles to a Server 2008 core system? |
|
Definition
| Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive. |
|
|
Term
| How would you see a list of roles, role services and features that can be installed on Server 2008 core? |
|
Definition
| oclist |
|
|
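The remote-management and role-installation cards above combined into one procedure, as an added example that is not part of the original flashcards: from an administrator's workstation, run ocsetup on a Server Core host through winrs and confirm the result with oclist. The host name is an assumption; DNS-Server-Core-Role is the real, case-sensitive ocsetup name for the DNS Server role.

```powershell
# Added example (not from the original flashcards): install a role on Server Core over winrs.
$CoreHost = 'CORE01'                # assumed Server Core host; WinRM enabled with winrm quickconfig
$Role     = 'DNS-Server-Core-Role'  # ocsetup identifier; case matters

function Invoke-Core {
    # winrs runs the command in cmd.exe on the remote host and relays its output and
    # exit code. 3010 means "installed, reboot required" and is not a failure.
    param([string]$Command)
    $out = & winrs.exe "-r:$CoreHost" $Command 2>&1
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
        throw "winrs '$Command' on $CoreHost failed with $LASTEXITCODE`n$out"
    }
    $out
}

function Test-RoleInstalled {
    # oclist prints one line per optional component as "Installed:<Name>" or
    # "Not Installed:<Name>" (format as seen on Server 2008; treat as an assumption).
    param([string]$Name)
    $listing = Invoke-Core -Command 'oclist'
    [bool]($listing | Where-Object { $_ -match "^\s*Installed:$([regex]::Escape($Name))\s*$" })
}

if (-not (Test-RoleInstalled -Name $Role)) {
    # start /w makes cmd wait for ocsetup to finish; without it the call returns at once
    # and the oclist check below would run before the install has completed.
    Invoke-Core -Command "start /w ocsetup $Role" | Out-Null
}

if (Test-RoleInstalled -Name $Role) {
    "$Role is installed on $CoreHost"
} else {
    throw "$Role is not installed on $CoreHost; check the role name's case and the ocsetup log"
}
```

A misspelled or wrongly cased role name makes ocsetup exit without installing anything, which is why the script verifies with oclist rather than trusting the exit code alone. Adding AD DS itself is the exception the cards note: that still goes through dcpromo.exe with an answer file, not ocsetup.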
Term
| What does AD Domain Services (AD DS) do? |
|
Definition
| provides Identity and Access (IDA) solutions for enterprise networks |
|
|
Term
|
Definition
|
|
Term
| What 4 things should an IDA infrastructure do? |
|
Definition
| store information about users, groups, computers, and objects; authenticate identities; control access; provide an audit trail |
|
|
Term
| What 5 technologies comprise a Microsoft IDA solution? |
|
Definition
- AD Domain Services
- AD Lightweight Directory Services
- AD Certificate Services
- AD Rights Management Services
- AD Federation Services |
|
|
Term
| What part of IDA does AD Domain Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Lightweight Directory Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Certificate Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Rights Management Services provide? |
|
Definition
|
|
Term
| What part of IDA does AD Federation Services provide? |
|
Definition
| partnership with external organizations |
|
|
Term
| What did AD Lightweight Directory Services used to be called? |
|
Definition
| Active Directory Application Mode |
|
|
Term
| What does AD Lightweight Directory Services do? |
|
Definition
| stores and replicates application-related database information |
|
|
Term
| What best practice should be used when using AD Certificate Services to provide certificate services to external communities? |
|
Definition
| get a root certificate from a trusted third-party CA |
|
|
Term
| What does AD Rights Management Services do? |
|
Definition
| provides persistent rights management, even after authentication (similar to Acrobat controls) |
|
|
Term
| What 5 components does AD Rights Management Services require to function? |
|
Definition
| an AD DS domain with Windows 2000 SP3 or later domain controllers; IIS; a database server (SQL Server); the AD RMS client; an RMS-enabled application or browser |
|
|
Term
| What does AD Federation Services do? |
|
Definition
| allows organizations to project rights and access controls across organizational boundaries |
|
|
Term
| What is a schema? |
Definition
| a set of rules that defines classes of objects and attributes in a directory |
|
|
Term
| What do replication services do? |
|
Definition
| distribute directory data across a network |
|
|
Term
| What does a global catalog contain? |
|
Definition
| limited information about every object in the directory |
|
|
Term
| What is another name for a global catalog? |
|
Definition
|
|
Term
| What command is used to launch configuration of a domain controller? |
|
Definition
| dcpromo.exe |
|
|
Term
| What are the components of an AD infrastructure? |
|
Definition
| AD data store, DC's, domains, forest, trees, functional level, OU's, sites |
|
|
Term
| What is the directory also known as? |
|
Definition
|
|
Term
| How is the directory stored? |
|
Definition
| as a single file (Ntds.dit) |
|
|
Term
| Where is the directory located by default? |
|
Definition
| %SystemRoot%\Ntds folder on all domain controllers |
|
|
Term
| What 4 partitions are usually found in the AD data store? |
|
Definition
| schema, configuration, domain (the domain naming context), and application partitions; the global catalog is a partial, read-only replica of every domain partition in the forest rather than a partition of its own |
|
|
Term
| What important authentication service is run by all domain controllers? |
|
Definition
| Kerberos Key Distribution Center (KDC) |
|
|
Term
| Where can a user receive authentication from? |
|
Definition
|
|
Term
| What serves as a scope for administrative policies (password expiration, etc.)? |
|
Definition
| the domain |
|
|
Term
| What is considered best practice when replication cannot occur reliably between domain controllers? |
|
Definition
| place them in separate domains |
|
|
Term
| What is a forest? |
Definition
| a collection of one or more Active Directory domains |
|
|
Term
| What is the first domain in a forest known as? |
|
Definition
| the forest root domain |
|
|
Term
| What entity defines a security boundary? |
|
Definition
| the forest |
|
|
Term
| What is a security boundary? |
|
Definition
| an entity outside which no data is replicated |
|
|
Term
|
Definition
|
|
Term
| What determines whether domains are part of the same tree? |
|
Definition
| whether those domains are part of a contiguous DNS namespace |
|
|
Term
| What are the 3 domain functional levels? |
|
Definition
| Windows 2000 native, Windows Server 2003, and Windows Server 2008 |
|
|
Term
| What are the 2 forest functional levels? |
|
Definition
| Windows Server 2003 and Windows Server 2008 (a Windows 2000 forest functional level also exists for forests that still contain Windows 2000 domain controllers) |
|
|
Term
| What requirement exists for the Windows Server 2008 domain functional level? |
|
Definition
| all DC's must be running Server 2008 |
|
|
Term
| What requirement exists for the Windows Server 2008 forest functional level? |
|
Definition
| all domains must be Windows Server 2008 domains |
|
|
Term
| What MMC is used to administer roles? |
|
Definition
| Server Manager |
|
|
Term
| What are the two primary steps in creating a new DC? |
|
Definition
| add roles through Server Manager and promote server to DC |
|
|
Term
| What command-line command can be used to promote a server to DC? |
|
Definition
| dcpromo.exe |
|
|
Term
| What two names do all DC's require? |
|
Definition
| a valid DNS name and a valid NetBIOS name |
|
|
Term
| gpresult |
Definition
| A command-line tool that enables administrators to create and display a Resultant Set of Policy (RSoP) query from the command line. |
|
|
Term
| Group Policy Modeling |
Definition
| A Group Policy Management feature that uses the Resultant Set of Policy snap-in to simulate the effect of a policy on the user environment. |
|
|
Term
| Group Policy Results |
|
Definition
| A feature in Group Policy Management that is equivalent to the Logging mode within the Resultant Set of Policy MMC snap-in. Rather than simulating policy effects like the Group Policy Modeling Wizard, Group Policy Results obtains Resultant Set of Policy (RSoP) information from the client computer to show the actual effects that policies have on the client computer and user environment. |
|
|
Term
| Logging mode |
Definition
| The Resultant Set of Policy (RSoP) mode that queries existing policies in the hierarchy that are linked to sites, domains, domain controllers, and Organization Units. This mode is useful for documenting and understanding how combined policies are affecting users and computers. The results are returned in an MMC window that can be saved for later reference. |
|
|
Term
| Planning mode |
Definition
| The Resultant Set of Policy (RSoP) mode that allows administrators to simulate the effect of policy settings prior to implementing them on a computer or user. |
|
|
Term
| WMI filtering |
|
Definition
| A filtering method that uses filters written in the WMI Query Language (WQL) to control GPO application. |
|
|
Term
| CIMOM |
|
Definition
Common Information Model Object Manager
A database used through Windows Management Instrumentation that contains information gathered when a computer starts and becomes part of the network. This information includes hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, scripts, Folder Redirection settings, and Security settings. |
|
|
Term
| RSoP |
|
Definition
Resultant Set of Policy
Query engine that looks at GPOs and then reports its findings. Use this tool to determine the effective settings for a user or a computer based on the combination of the local, site, domain, domain controller, and OU policies. |
|
|
Term
| WMI |
|
Definition
Windows Management Instrumentation
A component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. It allows administrators to create queries based on hardware, software, operating systems, and services. |
|
|
Term
| WQL |
|
Definition
WMI Query Language
A language that is similar to Structured Query Language (SQL). |
|
|
Term
| assign (assigned application) |
Definition
| An option used to deploy required applications to pertinent users and computers. |
|
|
Term
| Basic User |
|
Definition
| Strategy for enforcing restrictions that prevents any application from running that requires administrative rights but allows programs to run that only require resources that are accessible by normal users. |
|
|
Term
| certificate rule |
|
Definition
| A software restriction rule that uses the signing certificate of an application to allow software from a trusted source to run or to prevent software that does not come from a trusted source from running. Certificate rules also can be used to run programs in disallowed areas of the operating system. |
|
|
Term
| Disallowed |
|
Definition
| Strategy for enforcing restrictions that prevents all applications from running except those that are specifically allowed. |
|
|
Term
| distribution share (software distribution point) |
Definition
| The shared folder that is a network location from which users can download software. Also known as the software distribution point. |
|
|
Term
| file-activated installation |
|
Definition
| A method of distributing applications whereby an application is installed when a user opens a file associated with an application that does not currently exist. |
|
|
Term
| hash |
Definition
| A series of bytes with a fixed length that uniquely identifies a program or file. |
|
|
Term
| hash algorithm |
Definition
| A formula that generates a hash value. |
|
|
Term
| hash rule |
|
Definition
| A software-restriction rule applied to an application executable that checks the file's hash value and prevents the application from running if the hash value does not match the one in the rule. |
|
|
Term
| hash value |
Definition
| A value generated by a formula that makes it nearly impossible for another program to have the same hash. |
|
|
Term
| Install This Application At Logon |
|
Definition
| A deployment option that allows the application to be installed immediately, rather than advertising it on the Start menu. |
|
|
Term
| Windows Installer package (.msi file) |
|
Definition
| A relational database file that is copied to the target computer system, with the program files it deploys. In addition to providing installation information, this database file assists in the self-healing process for damaged applications and clean application removal. |
|
|
Term
| network zone rule |
|
Definition
| A software restriction rule that allows only Windows Installer packages to be installed if they come from a trusted area of the network. |
|
|
Term
| patch files (.msp) |
Definition
| Windows Installer files with the .msp extension that are used to apply service packs and hotfixes to installed soft |
|
|
Term
| path rule |
|
Definition
| A software restriction rule that identifies software by specifying the directory path where the application is stored in the file system. |
|
|
Term
| publish |
|
Definition
1) An option that allows users to access network resources by searching the Active Directory database for the desired resource. (See lesson 1).
2) An option used to deploy applications. It allows users to install the applications that they consider useful to them. (See lesson 9) |
|
|
Term
| repackaging |
Definition
| The process of preparing software for .msi distribution, which includes taking a snapshot of a clean computer system before the application is installed, installing the application as desired and taking a snapshot of the computer after the application is installed. |
|
|
Term
| self-healing |
Definition
| A function that allows software to detect and correct problems, such as missing or deleted files. |
|
|
Term
| software life cycle |
|
Definition
| A process that takes place from the time an application is evaluated for deployment in an organization until the time when it is deemed old or no longer suitable for use. |
|
|
Term
| Unrestricted |
|
Definition
| Strategy for enforcing restrictions that allows all applications to run, except those that are specifically excluded. |
|
|
Term
| .zap file |
Definition
| A non-Windows Installer package that can be created in a text editor. |
|
|
Term
| SDLC |
|
Definition
Software Development Life Cycle
A structured process used to develop information systems software, projects, or components; phases include analysis, design, implementation and maintenance. |
|
|
Term
| Account Lockout Policy |
|
Definition
| A subcategory in the Account Policies category that specifies the number of unsuccessful logon attempts that, if made within a contiguous timeframe, might constitute a potential security threat from an intruder. An Account Lockout Policy can be set to lock the account in question after a specified number of invalid attempts. Additionally, the policy specifies how long the account will remain locked. |
|
|
Term
| account logon events |
Definition
| Setting that logs events related to successful user logons to a domain. |
|
|
Term
| account management events |
|
Definition
| Setting that triggers an event that is written based on changes to account properties and group properties. Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling. |
|
|
Term
| Audit Policy |
|
Definition
| The section of GPO Local Policies that enables administrators to log successful and failed security events, such as logon events, account access, and object access. |
|
|
Term
|
Definition
| Tracking events that take place on the local computer. |
|
|
Term
| disk quota |
Definition
| A setting that limits the amount of space available on the server for user data. |
|
|
Term
| Enforce password history |
Definition
| Group Policy setting that indicates the number of passwords that Active Directory should retain in memory before allowing someone to reuse a previously used password. |
|
|
Term
| gpupdate |
|
Definition
| A command-line tool used to force a manual Group Policy refresh. It was introduced in Windows Server 2003 and is used in Windows Server 2003 and Windows Server 2008 in place of the secedit /refreshpolicy command that was used in Windows 2000. |
|
|
Term
| Kerberos Policy |
Definition
| For domain accounts only, this policy enables administrators to configure settings that govern how Active Directory authentication functions. |
|
|
Term
| Local Policies |
Definition
| Policies that enable administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log. |
|
|
Term
| logon events |
Definition
| The setting logs events related to successful user logons on a computer. |
|
|
Term
| msDS-PasswordSettings |
|
Definition
| A new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as a Password Settings Object (PSO). |
|
|
Term
| Offline Files |
Definition
| A separate Group Policy category that can allow files to be available to users, even when users are disconnected from the network. |
|
|
Term
| Password Policy |
|
Definition
| A subcategory in the Account Policies category that enforces password length, password history, and so on. Password Policies can be applied to domain and local user accounts. |
|
|
Term
| policy change events |
|
Definition
| By default, this policy is set to audit successes in the Default Domain Controllers GPO. Policy change audit log entries are triggered by events such as user rights assignment changes, establishment or removal of trust relationships, IPsec policy agent changes, and grants or removals of system access privileges. |
|
|
Term
|
Definition
| The background refresh interval for Group Policy can be set to any value from 0 to 64,800 minutes (45 days). |
|
|
Term
| Restricted Groups |
|
Definition
| Policy settings that enable an administrator to specify group membership lists. |
|
|
Term
| Security Options |
Definition
| A subcategory of the Local Policies setting area of a Group Policy Object that includes security settings related to interactive log on, digital signing of data, restrictions for access to floppy and CD-ROM drives, unsigned driver installation behavior, and logon dialog box behavior. |
|
|
Term
| system events |
|
Definition
| Events that trigger a log entry in this category include system startups and shutdowns; system time changes; exhaustion of system event resources, such as when an event log is full and can no longer append entries; clearing of the security log; or any event that affects system security or the security log. In the Default Domain Controllers GPO, this setting is set to log success by default. |
|
|
Term
|
Definition
| The category that is used to configure the startup and security settings for services running on a computer. |
|
|
Term
|
Definition
| An Administrative Template setting that continues to apply until it is revised using a policy that overwrites the setting. |
|
|
Term
|
Definition
| A subcategory of the Local Policies setting area of a Group Policy Object that includes settings for items that pertain to rights needed by users to perform system-related tasks. |
|
|
Term
| Fine-Grained Password Policies |
|
Definition
| A policy that can be applied to one or more users or groups of users, allowing the administrator to specify a more or less stringent password policy for the subset than the password policy defined for the entire domain. |
|
|
Term
| Key Distribution Center |
|
Definition
| Used to issue Kerberos tickets to users for domain access. |
|
|
Term
| Password Settings Object |
|
Definition
| A new object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as msDS-PasswordSettings. |
|
|
Term
|
Definition
| Files used to generate the user interface for the Group Policy settings that can be set using the Group Policy Management Editor. |
|
|
Term
|
Definition
| Windows Server 2008 Administrative Templates using the .admx extension. |
|
|
Term
|
Definition
| A method of processing multiple scripts at the same time, without waiting for the outcome of a previously launched script to occur. |
|
|
Term
|
Definition
| A setting on a container object, such as a site, domain, or Organizational Unit, that will block all policies from parent containers from flowing to this container. It is not policy specific; it applies to all policies applied at parent levels. |
|
|
Term
|
Definition
| Single location in a SYSVOL directory containing Administrative Templates with the .admx extension. |
|
|
Term
| Default Domain Controller Policy |
|
Definition
| A policy linked to the Domain Controllers OU; its settings affect all domain controllers in the domain. |
|
|
Term
|
Definition
| A type of Group Policy Object associated with a domain. |
|
|
Term
|
Definition
| A setting on an individual GPO link that forces a particular GPO's settings to flow down through the Active Directory, without being blocked by any child Organizational Units. |
|
|
Term
|
Definition
| A setting that allows files to be redirected to a network drive for backup and makes them accessible from anywhere on the network. |
|
|
Term
|
Definition
| The process of applying Group Policy to all domains and the child objects contained within them. |
|
|
Term
|
Definition
Group Policy container An Active Directory object that stores the properties of the GPO. |
|
|
Term
|
Definition
Group Policy Management Console The Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings. |
|
|
Term
|
Definition
Group Policy Object Objects that contain all of the Group Policy settings that will be implemented on all user and computer objects within a site, domain, or OU. |
|
|
Term
|
Definition
Group Policy template A folder located in the Policies subfolder of the SYSVOL share that stores policy setting, such as security settings and script files. |
|
|
Term
|
Definition
Return on investment The amount of money gained (or lost) relative to the amount of money that was invested in a particular project or technology. Can be measured by tangible benefits, such as implementation costs and ongoing support. In addition, it can also be measured by intangible benefits, such as increased user ptoductivity, and other factors that are difficult to measure from a financial standpoint. |
|
|
Term
|
Definition
Total cost of ownership A value used to assess the cost of implementaing computer software or hardware, both in terms of direct and indirect costs. TCO can be calculated based on how much ownership costs over the lifetime of a business resource. |
|
|
Term
|
Definition
Windows Deployment Services A managed setting that can be defined or changed through Group Policies. This setting assists in rebuilding or deploying workstations quickly and efficiently in an eveterprise environment. |
|
|
Term
| Group Policy Management Editor |
|
Definition
| The Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings. |
|
|
Term
|
Definition
| A process that applies Group Policy settings to various containers within Active Directory. |
|
|
Term
|
Definition
| A type of Group Policy Object associated with the local computer. |
|
|
Term
|
Definition
| A Group Policy option that provides an alternative method of obtaining the ordered list of GPOs to be processed for the user. When set to Enabled, this setting has two options: Merge and Replace. |
|
|
Term
|
Definition
| The sequence used to process policies: local policies, site policies, domain policies and then Organization Unit policies. |
|
|
Term
|
Definition
| A Loopback Processing option. After all user policies run, the computer policy settings are reapplied, which allows all current GPO settings to merge with the reapplied computer policy settings. In instances where conflicts arise between computer and user settings, the computer policy supersedes the user policy. This occurs before the desktop is presented to the user. |
|
|
Term
|
Definition
| A new feature in Windows Vista whereby administrators can specify a different local GPO for administrators and create specific GPO settings for one or more local users configured on a workstation. |
|
|
Term
|
Definition
| A subcategory of Group Policy settings. |
|
|
Term
|
Definition
| This feature works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible. |
|
|
Term
|
Definition
| Settings that provide a consistent, secure, manageable environment that addresses the users' needs and the organization's administrative goals. |
|
|
Term
|
Definition
| A Loopback Processing option. This option overwrites the GPO list for a user object with the GPO list for the user's logon computer. This means that the computer policy settings remove any conflicting user policy settings. |
|
|
Term
|
Definition
| A managed setting that can be defined or changed through Group Policies. Scripts, including logon, logoff, startup, and shutdown commands, can assist in configuring the user environment. |
|
|
Term
| security group filtering |
|
Definition
| An advanced technique that enables you to apply GPO settings to only one or more users or groups within a container by selectively granting the "Apply Group Policy" permission to one or more users or security groups. |
|
|
Term
|
Definition
| A subnode within the Computer Configuration and User Configuration nodes. The Software Settings folder located under the User Configuration node contains settings that are applied to users designated by the Group Policy, regardless of the computer from which they log on to Active Directory. |
|
|
Term
|
Definition
| A type of Group Policy that enables administrators to configure a standard set of items that will be configured by default in any GPO that is derived from a starter GPO. Starter GPOs are a new feature in Windows Server 2008. |
|
|
Term
|
Definition
| Processing method whereby each policy must be read and applied completely before the next policy can be invoked. |
|
|
Term
|
Definition
| A Group Policy setting that enables administrators to customize the configuration of a user's desktop, environment, and security settings. Enforced policies are based on the user rather than on the computer used. |
|
|
Term
|
Definition
| A subnode within the Computer Configuration and User Configuration nodes. The Windows Settings folder located under the Computer Configuration node in the Group Policy Management Editor contains security settings and scripts that apply to all users who log on to Active Directory from that specific computer. The Windows Settings folder located under the User Configuration node contains settings related to folder redirection, security settings, and scripts that are applied to associated users. |
|
|
Term
| What is the order of group policies? |
|
Definition
| 1. Local Policies; 2. Site Policies; 3. Domain Policies; 4. OU Policies (LSDOU). |
|
|
Term
| Comma-Separated Value Directory Exchange |
|
Definition
| CSVDE: The command-line utility used to import or export Active Directory information from a comma-separated value (.csv) file. |
|
|
Term
|
Definition
CSV Format that contains a comma between each value. The CSV format can be used to import and export information from other third-party applications |
|
|
Term
| LDAP Data Interchange Format |
|
Definition
| LDIF: The format for the data file containing the object records to be created. |
|
|
Term
| LDAP Data Interchange Format Directory Exchange |
|
Definition
| LDIFDE: A command-line utility used to import or export Active Directory information and create, modify, and delete Active Directory objects. |
|
|
Term
|
Definition
SAM A database containing userr accounts and security information that is located on a server. |
|
|
Term
|
Definition
WSH Allows scripts to be run from a Windows desktop or a command prompt. The runtime programs provided to do this are WScript.exe and CScript.exe, respectively. |
|
|
Term
|
Definition
| Created when a user logs on, this value identifies the user and all of the user's group memberships. Like a club membership card, it verifies a user's permissions when the user attempts to access a local or network resource. |
|
|
Term
|
Definition
| Special identity that refers to users who have not supplied a username and password. |
|
|
Term
|
Definition
| To gain access to the network, prospective network users must identify themselves to a network using specific user accounts. |
|
|
Term
|
Definition
| The process of confirming a user's identity using a known value, such as a password, a PIN on a smart card, or, in the case of biometric authentication, the user's fingerprint or hand print. |
|
|
Term
|
Definition
| The process of confirming that an authenticated user has the correct permissions to access one or more network resources. |
|
|
Term
|
Definition
| Files, typically configured with either a .bat extension or a .cmd extension, that can be used to automate many routine or repetitive tasks. |
|
|
Term
|
Definition
| The accounts automatically created when Microsoft Windows Server 2008 is installed. By default, two built-in user accounts are created on a Windows Server 2008 computer: the Administrator account and the Guest account. |
|
|
Term
|
Definition
| Non-security-related groups created for the distribution of information to one or more persons. |
|
|
Term
|
Definition
| The accounts used to access Active Directory or network-based resources, such as shared folders or printers. |
|
|
Term
|
Definition
| A group used to assign permissions to resources that reside only in the same domain as the domain local group. They can contain user accounts, computer accounts, global groups, and universal groups from any domain, in addition to other domain local groups from the same domain. |
|
|
Term
|
Definition
| A command-line tool used to create, delete, view, and modify Active Directory objects, including users, groups and Organizational Units. |
|
|
Term
|
Definition
| A special identity group that contains all authenticated users and domain guests. |
|
|
Term
|
Definition
| A group used to grant or deny permissions to any resource located in any domain in the forest. Global groups can contain user accounts, computer accounts, and/or other global groups only from within the same domain as the global group. |
|
|
Term
|
Definition
| A collection of user or computer accounts that is used to simplify the assignment of permissions to network resources. |
|
|
Term
|
Definition
| The process of configuring one or more groups as members of another group. |
|
|
Term
|
Definition
| Group characteristic that controls which objects the group can contain, limiting the objects to the same domain or permitting objects from remote domains as well, and controls the location in the domain or forest where the group can be used. |
|
|
Term
|
Definition
| Group characteristic that defines how a group is to be used within Active Directory. |
|
|
Term
|
Definition
| The first line of the imported or exported text file that uses proper attribute names. |
|
|
Term
|
Definition
| The accounts used to access the local computer only. They are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers, nor do these accounts have domain access. |
|
|
Term
|
Definition
| A collection of user accounts that are local to one specific workstation or member server. Local groups are created in the security database of a local computer and are not replicated to Active Directory or to any other computers on the network. |
|
|
Term
|
Definition
| An object placed inside another object of the same type. |
|
|
Term
|
Definition
| When a group is placed in a second group, the members of the first group become members of the second group. |
|
|
Term
|
Definition
| Each user's login name, the portion to the left of the '@' within a User Principal Name. The SAM account name must be unique across a domain. |
|
|
Term
|
Definition
| Security-related groups created for purposes of granting resource access permissions to multiple users. |
|
|
Term
|
Definition
| Group used to define permission assignments. Administrators cannot manually modify the group membership of special identity groups, nor can they view their membership lists. |
|
|
Term
| Active Directory Migration Tool |
|
Definition
| ADMT: A free tool used to move objects between domains. |
|
|
Term
| Delegation of Control Wizard |
|
Definition
| A simple interface used to delegate permissions for domains, Organizational Units, and containers. |
|
|
Term
|
Definition
| Automated password-cracking tools that try every possible combination of characters until the correct sequence of characters is finally discovered. |
|
|
Term
|
Definition
| User interface enabling the user to drag an object and drop it on a target. This feature was introduced in Windows Server 2003. |
|
|
Term
|
Definition
| A command-line utility used to move an object from one location to another. |
|
|
Term
|
Definition
| An alphanumeric sequence of characters entered with a username to access a server, workstation, or shared resource. |
|
|
Term
|
Definition
| An attempt to discover a user's password. |
|
|
Term
| personal identification number |
|
Definition
| PIN: Typically consists of at least four characters or digits that are entered while presenting a physical access token, such as an ATM card or a smart card. |
|
|
Term
|
Definition
| Option that enables administrators to maintain their primary logon as a standard user and create a secondary session for access to an administrative tool. |
|
|
Term
|
Definition
| A command-line tool that enables administrators to log on with alternate credentials. |
|
|
Term
|
Definition
| A feature that provides the ability to log on with an alternate set of credentials to that of the primary logon. |
|
|
Term
|
Definition
| A password that follows guidelines that make it difficult for a potential hacker to determine that user's password. Password guidelines include a minimum required password length, a password history, requiring multiple types of characters within a password, and setting a minimum password age. |
|
|