Term
What is the inetOrgPerson security principal used for

Definition
Third-party directory services

Term

Definition
Directory replication agent: replicates the database between domain controllers

Term

Definition
An attribute, the security identifier

Term

Definition
The pre-Windows Server 2000 logon name, commonly called "user name"

Term

Definition
An attribute that is the hash of a user password

Term
What is the "member" attribute

Definition
Stores the membership list for a group object

Term
What are the directory partitions

Definition
Schema, Configuration, DNS, Domain Naming Context, Partial Attribute Set (Global Catalog)

Term
What is the Schema partition

Definition
Defines the attributes and classes that can be stored in the directory

Term
What is the Domain Naming Context partition

Definition
Contains data about objects within a domain (if you make changes to an object via ADUC, you are modifying the Domain NC)

Term
What is the Configuration partition

Definition
Contains info about network configuration, domains, services, topology

Term
Where is the ntds.dit file stored

Definition

Term
Where is the SYSVOL folder stored

Definition

Term
What does the site object in ADDS represent

Definition
A portion of an enterprise network that has good connectivity

Term
How often does intrasite replication take place

Definition
15-45 seconds (frequently)

Term
What two partitions are available to all DCs in a forest

Definition
The Schema partition, as it defines what objects and attributes can be stored in AD. The Configuration partition, which contains info on the domains, services and topology of the forest

Term
What are the two forest-wide admin accounts for ADDS

Definition
Enterprise Admin and Schema Admin

Term

Definition
The GC contains a full copy of all objects in its host domain as well as a "partial" set of objects and attributes for all other domains in the forest. Remember that the GC is a read-only copy

Term
Where is the DNS zone data stored in an Active Directory Integrated Zone

Definition
In the DNS application partition

Term
Where can you raise the forest functional level and view the Domain Naming Operations Master

Definition
Right-click AD Domains and Trusts in AD Domains and Trusts and select Operations Master

Term
Where can you raise the Domain Functional Level

Definition
In AD Domains and Trusts, by right-clicking on the domain (server icons) and choosing Raise Domain Level

Term
What does the AD Administrative Center require

Definition
ADWS installed, port 9389 open, RSAT installed on a client machine running Vista w/SP1 or Windows 7

Term
Where can you add different UPN suffixes

Definition
In AD Domains and Trusts, by right-clicking on AD Domains and Trusts and choosing Properties

Term
What are some of the tasks you can perform with AD Sites and Services

Definition
Helps to manage replication and network topology (ISTG, KCC)

Term
2008 R2 supports PVD; what is required for a user to use a Personal Virtual Desktop

Definition
Hyper-V, Remote Desktop Connection Manager, Remote Desktop Connection Broker server

Term
Where is the adprep tool located in Windows 2008

Definition
The installation DVD, sources\adprep

Term
Where is the adprep tool for Windows Server 2008 R2

Definition
The installation DVD, support\adprep

Term
What are the FSMO Roles in AD

Definition
RID Master, Infrastructure Master, PDC Emulator (Domain) and Schema Master, Domain Naming Master (Forest)

Term
What does the Relative ID Master perform

Definition
Allocates security RIDs to DCs to assign to new AD security principals (users, groups or computer objects). It also manages objects moving between domains

Term
What does the PDC Emulator operations master role perform

Definition
Processes all password changes in the domain. Failed authentication attempts due to a bad password at other domain controllers are forwarded to the PDC Emulator before rejection.

Term
What operation does the Schema Master perform

Definition
Maintains all modifications to the schema of the forest. The schema determines the types of objects permitted in the forest and the attributes of those objects.

Term
What function does the Domain Naming Master perform

Definition
Tracks the names of all domains in the forest and is required to add new domains to the forest or delete existing domains from the forest. It is also responsible for group membership.

Term

Definition
Integrated scripting environment

Term
What operating systems have Windows PowerShell 2.0 built in by default

Definition
ONLY 2008 R2 and Windows 7 (available to download for 2003 w/SP2, XP w/SP3, Vista w/SP1, 2008 w/SP1)

Term
What does Windows PowerShell require

Definition
.NET Framework 2.0 w/SP1; PowerShell ISE requires .NET 3.5 w/SP1

Term
What does Multimaster Replication mean

Definition
All copies of the database are writable

Term
What is the minimum supported functional level in Windows Server 2008

Definition
Windows Server 2000 Native Mode

Term
What is the minimum supported functional level in Windows Server 2008 R2

Definition

Term
Where specifically is the zone data stored in an Active Directory Integrated Zone

Definition
In an application partition

Term
Active Directory relies on what service

Definition
Active Directory Web Services

Term
What is this command used for in PowerShell 2.0: Get-ADUser -Filter "Name -eq 'John U'"

Definition
The Get verb (the verb portion of the cmdlet) retrieves info from ADDS/ADLDS. The -Filter option allows you to refine your query to the name of the user

Term
Name some of the functions of the Active Directory Module for PS

Definition
Computer management, user management, group management, OU management, password policy management, managing the forest and domain

Term
What does Move-ADObject -TargetPath do

Definition
After using Get-ADUser -Filter 'Name -eq "TestUser"' to connect to the object, this will move the user to the desired target path (the DN)

Term
What does Get-ADGroup -Filter "Name -eq 'Domain Admins'" do

Definition
Will allow you to view the membership of the group Domain Admins

Term
What does Add-ADGroupMember "Marketing" TestUser do

Definition
This cmdlet will allow you to add a user named TestUser to the Marketing group

Term
What are some of the common parameters of the New-ADUser -Name cmdlet

Definition
-SAMAccount, -AccountPassword, -Enabled, -Path (default is the built-in User container)

Term
What is the default UPN suffix

Definition
The DNS name of the domain (contoso.com / nwtraders.com)

Term
What PowerShell command can you run to reset a user's password

Definition
Set-ADAccountPassword -Identity 'cn=amy strand, ou=IT, dc=contoso, dc=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd2' -Force)

Term
What cmdlet can you use to unlock a user account

Definition
Unlock-ADAccount -Identity 'cn=amy strand, ou=IT, dc=contoso, dc=com'

Term
How do you enable a user account via PowerShell

Definition
Enable-ADAccount -Identity

Term
What cmdlet can you use to disable a user account

Definition
Enable-ADAccount -Identity

Term
How can you modify a user object with PowerShell

Definition
Get-ADUser UserName | Set-ADUser [-Parameter Value...]

Term
How would you modify users via PowerShell

Definition
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Production, DC=Contoso, DC=Com" | Set-ADUser -Department "Production" -Company "Contoso, Ltd"

Term
How can you ensure that a user template shows up first in an OU

Definition
Put a "_" in front of the user template name (_Marketing)

Term
When you copy a user template, what tab doesn't copy over

Definition

Term
Can you use CSVDE to create objects in ADDS

Definition
Yes, by importing a .csv file (remember that the default is to export, so specify the -i parameter to import)

Term
Can you import passwords with CSVDE

Definition
No, the password cannot be imported, which means that the account will be disabled. After you set the password you can enable the account

Term
How can you use PowerShell to automate user object creation

Definition
Import-Csv Users.csv | ForEach New-ADUser (pay attention to where the pipe command is)

Term
Why would you use LDIFDE over CSVDE?

Definition
LDIFDE can import/export AND modify objects, as well as modify passwords

Term
What edition of Server introduces managed service accounts

Definition
Windows Server 2008 R2, Windows 7

Term
What are the requirements for managed service accounts

Definition
Managed service accounts must run on Server 2008 R2, .NET Framework 3.5.x, AD Module for PowerShell, minimum of Windows 2003 functional level (however, if you want SPN management to be automatic, you will want the 2008 R2 domain functional level)

Term
What are the two distinct types of groups that help to effectively manage complex enterprises

Definition
Role-Based Groups (Business Roles) and Rule-Based Groups (Access Management)

Term
What is the order for group scope management

Definition
Local, Global, Domain Local, Universal (L, G, D, U)

Term
What are the defining characteristics of the four different group scopes

Definition
What it can contain, what it can belong to, where it can be used

Term
What is the domain naming context

Definition
Stores all the objects in the domain (users, computers, groups and others). Every DC in the domain has a writable copy of the domain naming context. Every GC in the forest has a read-only copy of the domain naming context for the GC's domain and a partial read-only copy of every other domain naming context for all domains

Term
What groups can be added to Domain Local Groups

Definition
Users, computers, global groups in the domain and likewise the same with any domain in the forest (as well as the same for trusted domains), universal groups from any domain in the forest

Term
What is the primary purpose of a domain local group

Definition
To group together security principals that share the same access needs (rule-based management)

Term
What groups can be a part of Global Groups

Definition
Only u, c, gg (users, computers, global groups) from the same domain

Term
What is the availability of the Global Group

Definition
Global Groups can be nested in any Universal or Domain Local Group (IGDLA, IGUDLA)

Term

Definition
Think of Universal groups as giving you the ability to group together forest-wide roles (Company_Regional Managers)

Term

Definition
I_dentities are grouped together into G_lobal groups, which collect members based on their roles, which are members of D_omain L_ocal groups, which collect members together based on their A_ccess needs

Term
What permissions/rights can the Server Operators group exercise

Definition
(Builtin container in every domain) Log on locally, start/stop services, shut down domain controllers, perform backup/restore operations, format disks, create/delete shares

Term
What permissions does the Account Operators group have

Definition
Create, modify, delete all user/computer/group accounts in any OU EXCEPT the Domain Controllers OU. Cannot modify the Admins/Domain Admins groups or accounts. Can log on locally to DCs

Term
What are the permissions of the Backup Operators group

Definition
Perform backup/restore operations. Log on locally

Term
What permissions does the Print Operators group have

Definition
Manage print queues on DCs and shut down DCs. Log on locally to the DCs

Term
What are the two defining characteristics of a distribution group

Definition
Cannot be assigned a SID, so it cannot be assigned permissions; used for email applications

Term
What are the defining characteristics of a security group

Definition
Can be assigned a SID (so you can assign permissions to this group type), can be assigned email

Term
How do you create a new group via the AD Module for PowerShell

Definition

Term
How would you modify the Universal Membership Cache

Definition

Term
Name the 2003 Domain Functional Level features

Definition
Set the UserPassword attribute on both users and inetOrgPerson (non-Windows-based users), last logon tracking (lastLogonTimestamp), Netdom (domain rename), user/computer redirection (from defaults), Authorization Manager (application authorization), selective authentication (allow users from trusted domains access to specific servers), RODCs (must run adprep /rodcprep)

Term
Name some of the features of the Windows Server 2008 functional level

Definition
DFS-R replication of the SYSVOL, AES128 and AES256 for Kerberos, detailed interactive logon information, fine-grained password policy

Term
Windows Server 2008 R2 domain functional level

Definition
Authentication Mechanism Assurance

Term
Where can you raise the domain functional level

Definition
Active Directory Domains and Trusts and ADUC > right-click the domain and choose Raise Domain Functional Level

Term
Windows Server 2003 Forest Functional Level features

Definition
Linked-value replication, support for RODCs (must be running Server 2008), improved KCC and ISTG, conversion of the inetOrgPerson into a User class, deactivation/redefinition of object classes

Term
Raising the forest functional level

Definition
Via Active Directory Domains and Trusts