8/9/2019 AD-Q&A
1/46
Windows Server 2008 & 2008 R2
Install Manage and Master OS
o What is DNS?
o The Domain Name System (DNS) is a hierarchical, distributed database that maps
logical host names to IP addresses.
o What does a DNS server hold?
o A DNS server holds a database of hostnames and their corresponding IP addresses.
Clients query the DNS server to get the IP address of a given host.
o What was used before DNS?
o A hosts file saved on each host computer.
o
o What makes up the DNS hierarchy?
o The DNS hierarchy is made up of the following components:
- . (dot) domain (also called the root domain)
- Top Level Domains (TLDs) (.com, .edu, .gov)
- Second-level and additional domains
- Hosts
o
o What is a FQDN?
o Fully Qualified Domain Name - includes the host name and the name of all domains back to root.
o
o What makes DNS a distributed database?
o DNS is a distributed database because no one server holds all of the DNS
information. Instead, multiple servers hold portions of the data.
o
o What is a zone?
o Zones typically contain one or more domains, although additional servers might hold information for child domains.
o
o What do DNS servers do?
o DNS servers hold zone files and process name resolution requests from client
systems.
o
o What is a DNS forward lookup?
o A forward lookup uses the host name (or the FQDN) to find the IP address.
o
o What is a DNS reverse lookup?
o A reverse lookup uses the IP address to find the host name (or FQDN).
o
o What is an A record?
o The A record maps a host name to an IP address and is used for forward lookups.
o
o What is a PTR record?
o The PTR record maps an IP address to a host name and is used for reverse lookups.
o
o What is a CNAME record?
o The CNAME record provides an alternate name (an alias) for a host.
o
o What is a SRV record?
o The SRV record identifies a service, such as an Active Directory domain controller.
o
o How are DNS records created?
o Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts
automatically register and update their corresponding records with the DNS server.
o
o What is the process followed when a client computer needs to find an IP address?
o - The client examines its HOSTS file for the IP address.
- If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
- If the IP address is not in the cache, the client sends the request to a DNS server.
o
o What is the process when a DNS server receives a name resolution request?
o 1) The DNS server examines its local DNS cache for the IP address.
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or Recursion
5) After the information is found or received from another server, the DNS server returns the result to
the client, and places the information in its server cache.
o
o What is an authoritative DNS server?
o A DNS server that has a full, complete copy of all the records for a particular zone.
o
o What is DNS Forwarding?
o Where the DNS server forwards the name resolution request to another DNS server, then waits for a response from that server.
o
o What is DNS Recursion?
o Where the DNS server queries root domain servers, top-level domain servers and
other DNS servers in an iterative manner until it finds the one that hosts the target domain.
o
o What is a caching-only DNS server?
o A caching-only DNS server has no zone information; it is not authoritative for any
domains. It uses information in its server cache, or forwarding or recursion, to respond to client
queries.
o
o Who can install DNS in Server 2008?
o Members of the Domain Admins group
o
o Which versions of Server 2008 can have DNS installed on them?
o You can install DNS on any version of Windows Server 2008 except for the Windows
Server 2008 Web Server edition.
o
o What type of IP address must the DNS server have?
o Static
o
o How would you add the DNS role from a command prompt (or on a Server Core installation)?
o start /w ocsetup DNS-Server-Core-Role
o What command will give a list of installed services on a server?
o Run the oclist command to get a list of services (including DNS) installed on a server.
o
o What can be used to manage DNS on Server 2008?
o Use the DNS snap-in or the dnscmd command to manage DNS.
o
o What is a primary DNS zone?
o The master copy of a zone database.
o
o What are the properties of a primary zone?
o - The primary zone is the only writeable copy of the zone database.
- Changes to the zone can only be made to the primary zone.
- The server that holds the primary zone is called a primary server.
- Each zone can have only a single primary zone server.
- Zone data is stored in a text file.
o
o What is a secondary DNS zone?
o A secondary zone is a read-only copy of the zone database.
o
o What are the properties of a secondary DNS zone?
o - Changes cannot be made to the records in a secondary zone.
- A server that holds a secondary zone is called a secondary server.
- Secondary servers copy zone data from other servers through a process called zone transfer.
- Secondary servers can copy zone data from the primary server or other secondary servers.
- Zone data is stored in a text file.
o
o What is an Active Directory-integrated DNS zone?
o An Active Directory-integrated zone holds zone data in Active Directory instead of a
text file.
o
o What are the properties of an Active Directory-integrated DNS zone?
o - Active Directory-integrated zones are multi-master zones, meaning that changes to
the zone information can be made by multiple servers. Multiple servers hold read-write copies of the
zone data.
- Only DNS servers that are domain controllers can host Active Directory-integrated zones.
- Storing zone data in Active Directory provides automatic replication, fault tolerance, and distributed
administration of DNS data.
- Replication of zone data occurs during Active Directory replication and is secured by Kerberos.
o
o What is a stub zone?
o A stub zone is a zone with only a partial copy of the zone database.
o
o What are the properties of a stub zone?
o - The stub zone only contains information about the name servers that are
authoritative for the zone; it does not contain information for other hosts.
- A stub zone is not authoritative for the zone; its purpose is to identify the name servers that can be
contacted for full zone information.
- The stub zone is dynamic, meaning that it will keep the list of name servers for the zone updated
automatically.
- Use a stub zone to forward name requests based on zones while keeping name server lists updated
automatically.
o
o What is the GlobalNames DNS zone?
o The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution.
o
o What is a GlobalNames DNS zone used for?
o - Allow clients to use simple host names without domain information for name resolution. For example, to contact a server named web1.corp.us.westsim.private, users could simply
enter the single-label name web1.
- Allow DNS clients to contact NetBIOS-only hosts without the need for a WINS server.
- Allow IPv6-only hosts to contact NetBIOS hosts (IPv6 does not support the use of WINS).
o
o What are the features of a GlobalNames zone?
o - When users enter a single-label name, the client computer first tries to resolve the
name using DNS and the search suffix configuration. If that process fails, the GlobalNames zone is
checked (if it exists).
- Using the GlobalNames zone does not require any changes to client machines.
- Dynamic updates are not supported on the GlobalNames zone. You must manually create each
record in the GlobalNames zone.
- Use the GlobalNames zone to replace WINS servers on your network only when you have a small
number of hosts that do not support DNS. For a large number of NetBIOS-only hosts, or to support
dynamic registration of single-label names, continue to use a WINS server.
o
o What is a forward lookup DNS zone?
o A forward lookup zone provides hostname-to-IP address resolution. Clients query the DNS server with the hostname, and receive the IP address in return.
o
o What is a reverse lookup DNS zone?
o A reverse lookup zone provides IP address-to-hostname resolution. Clients query the
DNS server with the IP address, and receive the hostname in return.
o
o How many servers can hold the primary zone file?
o Only one server can hold the primary zone file. To place zone data on multiple
servers, configure secondary servers.
o
o Where does Windows store standard zone data?
o Windows stores standard zone data in the %windir%\System32\Dns directory. The file
is a text file with .dns added to the zone name.
o
o Which types of zone support dynamic updates?
o Primary and Active Directory-integrated zones support dynamic updates. Use an
Active Directory-integrated zone to use secure dynamic updates.
o
o What types of record does a reverse lookup zone hold?
o Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP
address to an A record.
o
o What type of zones can a reverse lookup zone be?
o A reverse lookup zone can be a primary zone, a secondary zone, or an Active
Directory integrated zone.
o
o What is the SOA (Start of Authority) record?
o The first record in any DNS database file is the SOA. It defines the general
parameters for the DNS zone, and it is assigned to the DNS server hosting the primary copy of a
zone. There is only one SOA record, and it is the first record in the zone database file. The SOA
record includes parameters such as the authoritative server and the zone file serial number.
o
o What is an NS (Name Server) record?
o The NS resource record identifies all name servers that can perform name resolution
for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone
(all authoritative DNS servers).
o
o What is an A (Host Address) record?
o The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the most common resource record type.
o
o What is an AAAA (Quad A) record?
o The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address.
o
o What is an MX (Mail Exchanger) Record?
o The MX record identifies servers that can be used to deliver e-mail.
o What is a CNAME record?
o The CNAME record provides alternate names (or aliases) to hosts that already have a
host record. Using a single A record with multiple CNAME records means that when the IP address
changes, only the one A record needs to be modified.
o
o What is a DNAME record?
o The DNAME record provides alternate names (or aliases) to domains that already
have a host record.
o
o What is a SRV (Service Locator) record?
o The SRV record is used by Windows Server 2008 to register network services. This
allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically
creates these records as needed and during domain controller installation.
o
o What is a PTR (Pointer) record?
o In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e.
"points" to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse
lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.
o
o What are WINS and WINS-R records?
o Add these records to a zone when you want to allow DNS to use WINS resolution.
The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse
query that is not resolvable through DNS.
o
o How can DNS records be automatically created on a DNS server?
o By using Dynamic DNS. Dynamic DNS is required to support Active Directory.
o
o When do dynamic updates occur?
o - A network connection's IP address is added, deleted, or changed.
- The DHCP server changes or renews an IP address lease.
- The client's DNS information is manually changed using ipconfig /registerdns.
- The client boots.
- A server is promoted to a domain controller.
o
o Which Windows clients support DDNS?
o Windows clients (2000 and above) create their A records with the DNS server.
Windows 9x/Me/NT clients do not support dynamic DNS.
o
o How does the DHCP server tie in with DDNS?
o The DHCP server registers the PTR record with the DNS server for clients capable of
dynamic updates. The DHCP server updates both the A and PTR records for clients that do not
support dynamic updates.
o
o Are dynamic updates enabled by default on a primary zone?
o Dynamic updates are not enabled on primary zones. You can enable dynamic
updates when you create the zone or modify the zone properties later to enable this feature.
o
o Are dynamic updates enabled by default on an Active Directory-integrated zone?
o Dynamic updates are enabled on Active Directory-integrated zones. Note: When you
convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is
retained.
o
o What are secure dynamic updates?
o With secure dynamic updates, only domain members can create records, and only
the original client can modify or remove records.
o
o What is used to keep track of changes to a DNS zone?
o The zone serial number keeps track of changes to the zone. When you make
changes to the zone, the serial number is incremented.
o
o What is a DNS master server?
o A master server is the server from which the secondary copies the zone data. The
master server can be the primary server or another secondary server.
o
o What are the two types of zone transfer?
o Zone transfers can copy all records or only changed records:
- A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
- A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default
method on Windows Server 2008.
o
o Are zone transfers enabled in Server 2008 by default?
o By default, zone transfer in Windows Server 2008 is disabled for security reasons. To
use zone transfers, manually enable the feature in the DNS settings in Server Manager.
o
o How can you restrict the servers to which zone transfers are allowed?
o - Allow zone transfers only to servers that are listed as name servers.
- Allow zone transfers only to servers you specifically identify.
o
o How does a secondary server initiate a zone transfer?
o - The secondary server contacts the master server and compares the serial number
on the master with the serial number in its copy.
- If the serial number on the master is greater, the secondary initiates zone transfer.
- If the serial number is the same (or lower) on the master, no zone transfer takes place.
o
o What is DNS notify?
o Windows DNS servers support the use of DNS Notify. With DNS Notify, master servers are configured with a list of slave DNS servers.
o
o How does DNS notify work?
o - When a change takes place, the master notifies the slave servers that the zone has
changed.
- The secondary server then initiates zone transfer, first checking the serial number, then requesting changes.
o
o What is a DNS caching server?
o A caching only server runs DNS but has no zones configured. Use a caching only
server to improve performance while eliminating zone transfers.
o
o How does an Active Directory-integrated zone store DNS information?
o An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when Active Directory replicates.
o
o How can you secure zone transfers to secondary servers?
o Active Directory replication traffic is automatically secured. To secure zone transfers
to secondary servers, use IPsec between servers.
o
o How can you force an update of DNS zone data?
o You can force an update of zone data through the DNS console or by using the Dnscmd command.
o
o How would you delegate control of an AD OU to a user?
o - Right Click on OU
- Delegate Control
- Choose User
- Choose the appropriate option
- Finish
o
o What is an OU?
o An Organizational Unit (OU) is similar to a folder that subdivides and organizes
network resources within a domain.
o
o What are the different types of OU?
o Parent OUs are OUs that contain other OUs.
Child OUs are OUs within other OUs.
o
o What organizational structures can you not apply GPOs to?
o Generic Containers
o
o What is group policy inheritance?
o Through inheritance, settings applied to the domain or parent OUs apply to all child
OUs and objects within those OUs.
o
o How can you prevent objects from accidental deletion in AD?
o - On the Object tab, select the Protect object from accidental deletion check box.
(This option is only seen with Advanced Features selected from the View menu.)
- On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.
o
o What setting should be set at creation to prevent an AD OU being accidentally
deleted?
o When you create an organizational unit, leave the Protect container from accidental
deletion check box selected. This is the default. Other types of objects do not have this default setting
and must be manually configured.
o
o How would you delete an AD object that is protected from deletion?
o To delete an object that is protected, first clear the Protect container from accidental
deletion setting, then delete the object.
o
o What is delegation of authority?
o Delegating authority is the assignment of administrative tasks, such as resetting
passwords or creating new users, to appropriate users and groups.
o
o Describe some of the facts about delegating control:
o - You can delegate control of any part of an OU or object at any level with the
Delegation of Control Wizard or through the Authorization Manager console.
- An object-based design allows you to delegate control based on the types of objects in each OU. For
example, you can delegate control over specific object types (such as user objects).
- A task-based design allows you to delegate control based on the types of administrative tasks that
need to be done.
o
o What is the Builtin Default Container?
o The Builtin container holds default service administrator accounts and domain local
security groups. These groups are pre-assigned permissions needed to perform domain management
tasks.
o
o What is the Computers default container?
o The Computers container holds all computers joined to the domain without a
computer account. It is the default location for new computer accounts created in the domain.
o
o What is the Domain Controllers default container?
o The Domain Controllers OU is the default location for the computer accounts for
domain controllers.
o
o What is the LostAndFound default container?
o The LostAndFound container holds objects moved or created at the same time an
Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted
on one domain controller while administrators at other domain controllers can add or move objects to
the deleted OU before the change has been replicated. During replication, new objects are placed in
the LostAndFound container.
o
o What is the NTDS Quotas default container?
o The NTDS Quotas container holds objects that contain limits on the number of
objects users and groups can own.
o
o What is the Program Data default container?
o The Program Data container holds application-specific data created by other
programs. This container is empty until a program designed to store information in Active Directory
uses it.
o
o What is the System default container?
o The System container holds configuration information about the domain including
security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP
security policies.
o
o What is the Users default container?
o The Users container holds additional predefined user and group accounts (besides
those in the Builtin container). Users and groups are pre-assigned membership and permissions for
completing domain and forest management tasks.
o
o What is special about AD containers?
o They are automatically created and cannot be deleted.
o
o What is special about the Domain Controllers OU?
o It is the only default OU, and it can have a GPO applied, whereas the other default
containers cannot have a GPO applied
o
o How would you view hidden containers in AD Users and Computers?
o Click Advanced Features from the View menu
o
o Which containers are hidden by default in AD Users and Computers?
o - LostAndFound
- NTDS Quotas
- Program Data
- System
o
o What is special about AD containers and how do they differ from OUs?
o They are automatically created and cannot have GPOs applied to them.
o
o What is the SAM database?
o A local database that allows users to access local resources on the machine
o
o What are the two types of user account?
o Local and Domain
o What is a local user account?
o A local user account is created and stored on a local system and is not distributed to
any other system.
- Local user accounts are created with the Computer Management console.
- The local Security Accounts Manager (SAM) manages the user account information.
- Only local resources are accessible with local user accounts.
o
o What is a domain user account?
o A domain user account is created and centrally managed through Active Directory,
and is replicated between domain controllers in the domain.
o
o How can domain user accounts be created?
o Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell.
o
o What is unique to each domain user account?
o Each domain user account has a unique security identifier (SID) to identify the user. A
user can log on to the domain from any computer that is a member of the domain and can access
resources on that computer or on other computers for which the domain user account has permissions.
o
o How can external users with email accounts be represented in AD?
o External users who need an e-mail account can be represented through a contact
object.
o
o What is a contact object?
o An account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such
as e-mail or phone number, to Active Directory. Applications, such as Exchange, can search for
attributes of contact objects.
o
o What is the user or logon name?
o The user or logon name is the name of the user account.
o
o What is the user principal name (UPN)?
o The User Principal Name (UPN) combines the user account name with the DNS
domain name.
- The UPN format is also known as the SMTP address format.
- The DNS domain name in the UPN is known as the UPN suffix.
- By default, the domain that holds the user account is selected for the UPN suffix. However, you can
configure different UPN suffixes to use instead of the domain name.
o
o What is the LDAP Distinguished Name (DN)?
o The LDAP Distinguished Name (DN) references the domain and related container(s)
where the object resides. It has three basic attributes:
Domain Component (DC)
Organizational Unit (OU)
Common Name (CN)
o
o What is the Relative Distinguished Name (RDN)?
o The Relative Distinguished Name (RDN) is used to identify the object within its
container. The RDN needs to be unique only within the object's container.
o
o When would you use the "User cannot change password" option?
o When you want to maintain control over a Guest, service, or temporary account. For
example, many applications use service accounts for performing system tasks. The application must
be configured with the user account name and password. If you allow changing the user account
password for the service account, you would also need to change the password within every
application that uses that account.
o
o How would you unlock an account?
o To unlock an account, go to the Account tab in the account object's Properties dialog
box, and select the Unlock Account box. Resetting the password on the account also unlocks a user
account.
o
o What should you do if a user account is accidentally deleted?
o Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not
automatically assume the permissions and memberships of the previously deleted account.
o
o How would you add a User Principal Name (UPN) suffix to a forest?
o 1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.
o
o What is a computer account?
o A computer account is an Active Directory object that identifies a network computer.
The account in Active Directory is associated with a specific hardware device.
o
o How would you prestage a computer account?
o From Active Directory Users and Computers, create a computer account. This
process is called prestaging computer accounts. From the workstation, join the domain. The
workstation will be associated with the computer account you created previously.
o
o Where is the computer account created when you join a workstation to the domain?
o In the Computers built-in container
o
o How would you control where computer accounts are placed when a computer joins
the domain?
o Create the computer accounts ahead of time (pre-stage them).
o
o Which groups have permissions to create a computer account?
o - Account Operators
- Domain Admins
- Enterprise Admins
o
o How many computers are the Authenticated Users group members allowed to join to
the domain (from a workstation)?
o 10 - this will also create the computer account automatically if it doesn't already exist.
This ability comes from the Add workstations to a domain user right.
o
o How would you allow a specific user to join a specific computer to the domain?
o You can also allow specific users to join specific computers to a domain by selecting
The following user or group can join this computer to a domain when creating the computer account.
o
o How would you give other users permissions to create computer accounts in AD?
o By giving them the Create Computer Objects right over the Active Directory OU. This
permission does not have a limit on the number of accounts that can be created. Note: You must grant
this right to the domain or specific OUs.
o
o Will a computer receive group policy settings once the computer account is created?
o No, the computer must be joined to the domain before it receives any GPO settings or
AD receives any workstation-specific information.
o
o What commands can be used to create computer accounts from a command prompt
or script?
o dsadd or netdom. (Use netdom join to join a computer to the domain.)
o
o What establishes a secure channel between a computer and the domain controller?
o The computer password (automatically generated when the computer joins the
domain).
o Where is the computer account password saved?
o On the local computer and in AD. By default, it is changed every 30 days.
o
o What might cause a computer to fail to authenticate to the domain?
o If the two computer passwords (on the local machine and in AD) become unsynchronised.
This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with
another one using the same computer account name.
o
o How would you reset the computer account after a logon failure?
o - Run the netdom reset command followed by the computer account name and the
domain.
- In Active Directory Users and Computers, right-click the computer account and select Reset
Account.
- Create a script in Visual Basic.
After resetting the computer account, you must rejoin the computer to the domain.
o
o What is a local group?
o Local groups exist only on the local computer, and control access to local resources.
o
o What is a domain group?
o Domain groups exist in Active Directory, and can be used to control access to domain
and local resources. In an Enterprise environment, you will work mainly with domain groups.
o
o What is group scope?
o Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table
lists the different security group scopes and their membership and use.
o
o What membership can a global group have?
o Global groups can contain members within the same domain. These include:
- Global groups in the same domain (in native mode only).
- Users and computers within the same domain.
o
o What should a global group be used for?
o Use global groups to group users and computers within the domain who have similar
access needs.
o
o What membership can a domain local group have?
o Domain local groups can contain members from any domain in the forest. These
include:
- Domain local groups in the same domain (in native mode only).
- Global groups within the forest.
- Universal groups within the forest (in native mode only).
- Users and computers within the forest.
o
o What membership can a universal group have?
o Universal groups can contain members from any domain in the forest. These include:
- Universal groups within the forest.
- Global groups within the forest.
- Users and computers within the forest.
o
o What resources can global groups permission?
o Global groups can be assigned permissions to resources anywhere in the forest.
o
o What resources can domain local groups permission?
o Domain local groups can be assigned permissions within a domain.
o
o What resources can universal groups permission?
o Universal groups can be assigned permissions to resources anywhere in the forest.
o
o What should global groups be used for?
o Create global groups to organize users (e.g., Sales or Development).
o
o What should domain local groups be used for?
o Create domain local groups representative of the domain controller resources to
which you want to control access, and then assign permissions on the resource to the group.
o
o What should universal groups be used for?
o Universal group membership should be relatively stable. For this reason, you should
only add global or universal groups to universal groups. Avoid adding user accounts directly to
universal groups.
o
o What is a security group?
o A security group is one that can be used to manage rights and permissions.
- Group members get the permissions that are granted to the group.
- A security group represents an object with a security identifier (SID), which through the member
attribute, collects other objects, such as users, computers, contacts, and other groups.
o
o Which type of AD group should be used for assigning permissions?
o Security
o
o What is a distribution group?
o A distribution group is used to maintain a list of users and is typically used for sending
e-mails to all group members. Distribution groups cannot be used for assigning permissions.
o
o What happens if you convert a security group to a distribution group?
o This would remove the permissions assigned to the group.
This could prevent or allow unwanted access.
o
o How would you convert a global group to a domain local group?
o First convert to a universal group, then to a domain local.
o
o Can you convert a global group nested in another global group into a universal
group?
o No - a universal group cannot be a member of a global group
o
o Can you make a universal group a member of a global group?
o No
o
o What happens when a group is deleted?
o All information about the group - including any permissions assigned - is deleted.
o
o How can you recover a deleted group?
o - Re-create the group, add all the original group members, and reassign any
permissions granted to the group.
- Restore the group from a recent backup.
o What directory format does Active Directory use?
o X.500
o
o What do AD tree structures share?
o The same contiguous name space.
o
o What is an RODC?
o A Read Only Domain Controller
o
o Do different forests share the same name space?
o No
o
o What is NTDS.dit?
o The AD database
o
o What is a domain?
o A domain is an administratively-defined collection of network resources that share a
common directory database and security policies
o
o What is an AD object attribute?
o Information about the object (such as a user's name, phone number, and email
address) which is used for locating and securing resources.
o
o What does an object schema identify?
o The schema identifies the object classes (the type of objects) that exist in the tree and
the attributes (properties) of the object.
o
o What does AD use DNS for?
o Active Directory uses DNS for locating and naming objects.
o
o Name the OU structure
o First-level OUs can be called parents.
Second-level OUs can be called children.
OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).
o
o What is an AD tree?
o A tree is a group of related domains that share the same contiguous DNS name
space.
o
o What is an AD forest?
o A forest is a collection of related domain trees. The forest establishes the relationship
between trees that have different DNS name spaces.
o
o What is the forest root domain?
o The forest root domain is the top-level domain in the top tree. It is the first domain
created in the Active Directory forest.
o
o What is the tree root domain?
o The tree root domain is the highest level domain in a tree.
o
o What is a child domain?
o Each domain in the tree that is connected to the tree root domain is called a child
domain.
o
o What is a domain tree?
o A domain tree is a group of domains based on the same name space. Domains in a
tree:
- Are connected with a two-way transitive trust.
- Share a common schema.
- Have common global catalogs.
o
o What is a domain controller?
o A domain controller is a server that holds a copy of the Active Directory database that
can be written to
o
o What is replication?
o Replication is the process of copying changes to Active Directory between the domain
controllers.
o
o What two objects does AD use to represent the physical structure of the network?
o - A subnet represents a physical network segment. Each subnet possesses its own
unique network address space.
- A site represents a group of well-connected networks (networks that are connected with high-speed
links).
o
o What manages AD replication between locations?
o Sites and subnets are used to manage Active Directory replication between locations.
o
o How does an AD site differ from a domain?
o A site differs from a domain in that it represents the physical structure of your network,
while a domain represents the logical structure of your organization.
o
o How are clients assigned to AD sites?
o Clients are assigned to sites dynamically according to their Internet Protocol (IP)
address and subnet mask.
o
o How are domain controllers assigned to AD sites?
o Domain controllers are assigned to sites according to the location of their associated
server object in Active Directory.
o
o What is the structure of the NTDS.dit file?
o - The data table contains all the information in the Active Directory data store: users,
groups, application-specific data, and any other data that is stored in Active Directory after its
installation.
- The link table contains data that represents linked attributes, which contain values that refer to other
objects in Active Directory.
- The security descriptor (SD) table contains data that represents inherited security descriptors for
each object.
o
o What does the Global Catalog server do?
o Responsible for replicating a subset of attributes throughout Active Directory
o What are FSMO roles/What do they do?
o Flexible Single-Master Operation roles are specialized domain controller tasks
assigned to a domain controller in the domain or forest. Operations master roles are useful because
certain domain and enterprise-wide operations are not well suited for the multi-master replication
performed by Active Directory to replicate objects and attributes
o
o What are the FSMO roles?
o - Schema Master
- Domain Naming Master
- RID Master (Relative Identifier)
- PDC Emulator
- Infrastructure Master
o
o What does the schema master do?
o Maintains the schema (the mapping of all the different object types)
o
o What does the RID master do?
o The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that
are used by the domain controller when creating new security principals (such as user, group, or
computer accounts).
o
o What does the PDC Emulator do?
o The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and
performs other tasks normally associated with NT domain controllers (e.g., time services).
o
o What does the Infrastructure Master do?
o Provides a mapping of all the container objects in AD. The infrastructure master is
responsible for updating changes made to objects.
o
o Which level do the Schema and Domain Naming Master roles operate at?
o The Forest Level
o
o What level do the RID, PDC and Infrastructure Master roles operate at?
o The domain level
o
o What is the Global Catalog?
o The Global Catalog (GC) is a database that contains a partial replica of every object
from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog
server. The Global Catalog facilitates faster searches because different domain controllers do not
have to be referenced.
o
o What is an Operations Master?
o A domain controller that performs an operations master role is known as an
operations master or operations master role owner.
o
o What does the Domain Naming Master do?
o The domain naming master adds new domains to and removes existing domains from
the forest.
o
o What is a functional level?
o A functional level is a set of operation constraints that determine the functions that
can be performed by an Active Directory domain or forest
o
o What does a functional level define?
o - Which Active Directory Domain Services (AD DS) features are available to the
domain or forest.
- Which Windows Server operating systems can be run on domain controllers in the domain or forest.
Functional levels do not affect which operating systems you can run on workstations and servers that
are joined to the domain or forest.
o
o Which domain functional levels does Server 2008 support?
o Windows 2000 Native
Windows Server 2003
Windows Server 2008
o
o Which forest functional levels does Server 2008 support?
o Windows 2000
Windows Server 2003
Windows Server 2008
o
o What is a group policy?
o A policy is a set of configuration settings that must be applied to users or computers. Collections of
policy settings are stored in a Group Policy object (GPO). The GPO is a collection of
files that includes registry settings, scripts, templates, and software-specific configuration values.
o
o What are new services in AD 2008?
o - AD Domain Services
- AD Lightweight Directory Services
- AD Certificate Services
- AD Federation Services
- AD Rights Management Services
o
o What is an AD role?
o A role is a set of software features that provides a specific server function. Examples
of roles include DNS server, DHCP server, File Server, and Print Server.
o
o What is an AD role service?
o Role services are specific programs that provide the functions of a role. Some roles,
like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as
the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs,
with each role service being a sub-component of the role.
o
o What is an AD feature?
o A feature is a software program not directly related to a server role but which adds
functionality to the entire server. Features include management tools, communication protocols or
clients, and clustering support.
o
o What is Active Directory Domain Services (AD DS)?
o AD DS is a distributed database that stores and manages information about network
resources, such as users, computers, and printers. The AD DS role:
- Helps administrators securely manage information.
- Facilitates resource sharing and collaboration between users.
- Is required to be installed on the network to install directory-enabled applications such as Microsoft
Exchange Server and for applying other Windows Server technologies, such as Group Policy.
o
o What is Active Directory Lightweight Directory Service (AD LDS)?
o Active Directory Lightweight Directory Services (AD LDS), formerly known as Active
Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a
directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active
Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS
database.
o
o What is Active Directory Federation Services (AD FS)?
o AD FS is a feature which enables secure access to web applications outside of a
user's home domain or forest. The AD FS role:
- Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web
applications using a single user account.
- Securely federates (shares) user identities and access rights in the form of digital claims between
partner organizations.
o
o What is Active Directory Rights Management Service (AD RMS)?
o AD RMS is a feature which safeguards digital information from unauthorized use. The
AD RMS role:
- Can define exactly how a recipient can use information, specifying who can open, modify, print,
forward, and/or take other actions.
- Allows organizations to create custom usage rights templates (such as "Confidential - Read Only")
that can be applied directly to information such as product specifications, financial reports, e-mail
messages, and customer data.
o
o What is Active Directory Certificate Services (AD CS)?
o AD CS is an identity and access control feature that creates and manages public key
certificates used in software security systems. The AD CS role:
- Provides customizable services for creating and managing public key certificates.
- Enhances security by binding the identity of a person, device, or service to a corresponding private
key.
- Includes features that allow you to manage certificate enrollment and revocation in a variety of
scalable environments
o Name some things that AD Certificate Services supports
o Digital signatures
Encrypting File System (EFS)
Internet Protocol security (IPsec)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Socket Layer/Transport Layer Security (SSL/TLS)
Secure wireless networks
Smart card logon
Virtual Private Networks (VPN)
o
o What AD roles are not supported on Server 2008 Standard?
o AD FS requires the DataCenter or Enterprise editions for deployment.
o
o Which server roles can Server 2008 core run?
o Active Directory
Active Directory Lightweight Directory Services (AD LDS)
Dynamic Host Configuration Protocol (DHCP) Server
DNS Server
File Server
Print Server
Media Services
Web Server (IIS)
o
o What are the limitations of Server 2008 core?
o There is no Windows Shell.
There is no managed code support (no .NET framework). All code has to be native Windows API
code.
There is only MSI support for unattended mode installs.
o
o What methods can you use to manage a Server 2008 core system?
o Log on and use the command prompt.
Log on using Remote Desktop to gain access to the command prompt.
Use Windows Remote Shell (winrm).
Run Server Manager or another tool on another computer and connect to the server core system. This
method allows you to use a GUI interface for managing the server core system.
o
o How would you add server roles to a Server 2008 core system?
o Run start /w ocsetup to add server roles to the server core system. Switches for the
role or service must be typed exactly as they are listed, and role names are case-sensitive.
o
o How would you see a list of roles, role services and features that can be installed on
Server 2008 core?
o run the oclist command
Cards
Term
What are the building blocks of active directory
Definition
Domains, trees, forest, organizational units
Term
how is the physical location of objects in AD
represented
Definition
all objects in a given site
Term
What is a domain
Definition
A logical grouping of computers that share a
database and security
Term
what is a tree in AD
Definition
A parent domain with child domains that reflect the
name of the parent domain
Term
How are domains in a tree linked
Definition
2-way transitive trust relationships (they can
access each other's info)
Term
what is a forest in AD
Definition
a group of domains that do not share an adjoining
name space.
Term
Forest root domain
Definition
first domain created when you create the AD
structure.
Term
What is an OU (organizational unit)
Definition
logical subgroup within a domain, used to locate a
single workgroup, section, or department
Term
What is a site in AD
Definition
Sites group resources in a forest according to
location of subnet
Term
Why does AD use sites
Definition
Control replication of data in the AD DB and apply
policies to users and domains and delegate
administrative control to objects in a single
physical location
Term
What are some of the other things that sites enable
Definition
Enable users to be authenticated by a domain
controller in the same physical location.
Term
What is a domain controller
Definition
Domain controllers authenticate users logging
onto their domain, and serve as centers to
administer AD in Windows Server 2008
Term
What does a domain controller store
Definition
A complete copy of all objects within the domain,
schema, config info relevant to the forest where the
domain is located.
(All domain controllers hold a master copy of the AD DB)
Term
What is the global catalog
Definition
Enables a domain in the same forest to access resources
in any domain in that particular forest.
Term
What does the Global catalog provide
Definition
Provides info on universal group membership on
any domain in the forest, and allows users to log onto
a domain other than their own domain using the
UPN
Term
What is the UPN
Definition
The UPN (User principal name) is a user name in the
format of an email address.
Term
What is FSMO
Definition
Flexible single-master operations servers,
restricted domain controllers
Term
What are the FSMO's
Definition
1. schema master
2. Domain naming master
3. PDC emulator (Primary domain
controller)
4. Infrastructure master
5. RID master (Relative Identifier)
Term
How is SID different from RID
Definition
SID is a security identifier common to all objects
in its domain and RID is a relative identifier that is
unique to objects in the domain; it makes sure no 2
objects have the same RID
Term
What is a server role
Definition
A specific function that a server performs on the NW.
Term
What is a feature
Definition
An optional component that adds a certain
feature, e.g. .NET Framework 3.0, BitLocker Drive
Encryption
Term
How do you add features to a role
Definition
1. Initial config
2. Server Manager
3. command line
Term
What is RODC and how does it function
Definition
1. Read-only domain controller
2. Has a read only copy of the AD DB
3. very useful for branch office
deployment and high security
Term
What is the server core and its function
Definition
A stripped down version of Server 2008 without a
GUI, taskbar, or start menu
Term
Why use a server core
Definition
1. Less HW and memory
2. More secure because it presents a
smaller attack footprint
Term
What is AD CS
Definition
1. Active Directory Certificate Service
2. customizable services for creating and
managing public key certificates used in software
security systems that employ public key technologies.
Term
Server Manager MMC (Microsoft Management
Console)
Definition
1. Adds roles, role services, & server
features
2. View, manage, modify config of
installed roles and features.
3. Can open by compmgmt.msc at RUN
Term
What is the GUI
Definition
1. Graphical User Interface
2. A GUI lets you interact with your computer
using pictures and symbols
Term
How do you get to the server manager command
line
Definition
Start
Run
CMD
ServerManagerCmd.exe
Term
Schema
Definition
_____ is an Active Directory component that
defines all the objects and attributes that the
directory service uses to store data, and it
includes a list of properties that can be used to
describe the objects. You can think of it as a set of
blueprints for each of the objects. A ______
definition for a user object can be used to create a
user object.
Term
Objects
Definition
______ are real-world items in Active Directory
such as: computers, users, printers and groups.
These _______ can be managed with AD DS
(Active Directory Domain Services). All _______
have properties that can be configured.
Term
Global Catalog
Definition
______ ______ is a listing of all objects in the
entire forest. It is searchable and used by
different applications to search AD Domain
Services for specific objects. It is hosted on the
domain controllers that are designated as the
______ ______ server. There is only one per
forest.
Note: to prevent it from becoming too large the
properties are limited to a subset.
Example: users may have 100 properties but only
10 are included.
Term
LDAP (Lightweight Directory Access Protocol)
Definition
Active Directory uses the _ _ _ _ to uniquely
identify each object within the directory. (DN:
Distinguished name.)
Note: CN: Common name
Note: DS is Domain service AA Domain
Controller
Term
Operations master roles
Definition
The five _____ _____ roles are assigned
automatically when the first domain controller in
a given domain is created. Forest-wide ______
______ roles must appear only once in every
forest. Domain-wide ______ ______ roles must
appear once in every domain in the forest.
Every forest must have the following roles:
Schema master
Domain naming master
Every domain in the forest must have the
following roles:
Relative ID (RID) master
Primary domain controller (PDC) emulator
master.
Infrastructure master
These roles must be unique in each domain. This
means that each domain in the forest can have
only one RID master, PDC emulator master, and
infrastructure master.
Term
Schema master
Definition
The ______ ______ domain controller controls all
updates and modifications to the schema. To
update the schema of a forest, you must have
access to the ______ ______. There can be only
one in the entire forest.
Term
Domain naming master
Definition
One of five
Forest-wide operations master roles.
The domain controller holding the ______ ______
______ role controls the addition or removal of
domains in the forest. There can be only one in
the entire forest.
Term
RID master Relative ID (RID) master
Definition
One of five
Forest-wide operations master roles.
The _____ master allocates sequences of relative
IDs to each of the various domain controllers in
its domain. At any time, there can be only one
domain controller acting as the _____ master in
each domain in the forest.
Whenever a domain controller creates a user,
group, or computer object, it assigns the object a
unique security ID (SID). The SID consists of a
domain SID, which is the same for all SIDs
created in the domain, and a (_ _ _), which is
unique for each SID created in the domain.
To move an object between domains (using
Movetree.exe), you must initiate the move on the
domain controller acting as the (_ _ _) master of
the domain that currently contains the object.
Term
PDC emulator operations master
Definition
One of five
Forest-wide operations master roles.
The PDC _____ ______ master processes
password changes from client computers and
replicates these updates to all domain controllers
throughout the domain. At any time, there can be
only one domain controller acting as the ___
______ master in each domain in the forest.
The domain controller configured with the PDC
______ ______ master role supports two
authentication protocols:
The Kerberos V5 protocol
The NTLM protocol
Note: PDC Primary Domain Controller
Term
Infrastructure master
Definition
One of five
Forest-wide operations master roles.
At any time, there can be only one domain
controller acting as the ______ ______ in each
domain. The ______ ______ is responsible for
updating references from objects in its domain to
objects in other domains. The ______ ______
compares its data with that of a global catalog.
Global catalogs receive regular updates for
objects in all domains through replication, so the
global catalog data will always be up to date. If
the ______ ______ finds data that is out of date, it
requests the updated data from a global catalog.
The infrastructure master then replicates that
updated data to the other domain controllers in
the domain.
The ______ ______ is also responsible for
updating the group-to-user references whenever
the members of groups are renamed or changed.
Term
OU (Organizational unit)
Definition
______ ______ are used to organize objects within
Active Directory. You can think of an _ _ simply
as a container for the objects within AD.
You can delegate permissions to an _ _ and you
can link Group Policy to an _ _.
Term
Distribution group and
Security group
Definition
Active Directory has two basic group types. They
are:
______ group and
______ group
Term
Distribution group
Definition
One of two AD basic group types:
A ______ ______ is used to group a number of
objects together that will be addressed
collectively. A mail server can present the ______
_____ to users as an email destination.
Term
Security group
Definition
One of two AD basic group types:
A ______ ______ is used to assign permissions or
rights to an object or a set of objects. This allows
AD to become not only your single authentication
mechanism for your network but also your
authorization mechanism.
Term
Domain local group
Definition
One of three AD basic group scopes:
A ______ _____ _____ is intended to be used only
within the domain that it was created in. It can
contain user/computer accounts, global groups
and universal groups from any domain in the
forest and domain local groups from the same
domain.
Term
Global group
Definition
One of three AD basic group scopes:
This is the default scope when you create a group
in AD. A _____ _____ can be used by computers
within the domain that it is a member of and by
members of other domains in the AD forest. It can
contain user/computer accounts from the domain
that the _____ _____ is created in.
Term
Universal group
Definition
One of three AD basic group scopes:
A ______ _____ is stored on domain controllers
that are configured as global catalogs. This
implies that the ______ _____ is replicated to
domains across the entire forest. That allows a
______ _____ not only to be used by all computers
in the forest but also to contain members from
any domain within the forest. Single-domain
networks do not really need ______ _____s
because there isn't much use for them. ______
_____s can contain user/computer accounts,
global groups, and other ______ _____s from any
domain in the forest.
Term
External trust (Nontransitive)
Definition
One of four domain trusts.
______ _____ are domain-to-domain trusts. If you
want a domain in a forest to trust a domain
outside the forest (external domain) then you build
an ______ _____.
Term
Shortcut trust (Transitive)
Definition
One of four domain trusts.
______ _____ speed up authentication. It is a
transitive trust between domains in the same
domain tree or forest that shortens the trust path
in a large and complex domain tree or forest.
Term
Forest trust (Transitive)
Definition
One of four domain trusts. ______ _____ is a
transitive trust between a forest root domain and
a second forest root domain. Once done every
domain in the first forest trusts every domain in
the second forest.
Term
Realm trust (Nontransitive)
Definition
_____ _____ allow trust relationships with Unix
systems that use Kerberos for authentication.
(What Microsoft calls domains Unix calls realms.)
Term
Transitive trust (Understanding Trust
Transitivity)
Definition
______ _____ determines whether a trust can be
extended outside the two domains between which
the trust was formed. You can use a ______ _____
to extend trust relationships with other domains.
You can use a nontransitive trust to deny trust
relationships with other domains.
http://technet.microsoft.com/en-us/library/cc75412.asp
Term
Forest
Definition
In accordance with DNS naming standards,
Active Directory domains are created in an
inverted tree structure.
When it is necessary for domains in the same
organization to have different namespaces, create
a separate tree for each namespace. Two or more
trees with different names make a forest.
Term
NAME RESOLUTION METHODS: Domain Name System (DNS)
Definition
NAME RESOLUTION METHOD
_____ _____ _____ (_ _ _)
Preferred Method for name resolution
Supports IPv4 and IPv6
Term
NAME RESOLUTION METHODS
Definition
Features:
• Enabled by default
• Supports most older versions of Windows
• Supports LMHOSTS local resolution
• Can use a WINS server
Drawbacks:
• Only supports IPv4
• Uses broadcasts
• 15 Character Maximum
• Local Subnet only without WINS
Term
NAME RESOLUTION METHOD: LINK
LAYER MULTICAST NAME RESOLUTION
(LLMNR)
Operating System Support
• Windows Vista and Windows 7
• Windows Server 2008 and R2
Definition
NAME RESOLUTION METHOD:
____ _____ _____ _____ _____ (_ _ _ _ _)
Drawbacks:
• Works within local subnet only
• Differences in behavior based on operating
system
• No support for Windows XP, Windows Server
2003 and earlier
• Disabled via Group Policy
• IPv6 must be enabled
Features:
• Multicast
• IPv4 and IPv6 Name resolution
• Low overhead
• Smaller attack surface
• Should be used before NetBIOS when both
LLMNR and NetBIOS are available.
Term
FULLY QUALIFIED DOMAIN NAME (FQDN)
Definition
____ ____ ____ ____ (_ _ _ _)
References a host:
• Hostname
• Domain name
• Top Level Domain
• Can Contain Subdomains
Term
Steps 1-5 DNS Request Process
Definition
Step 1: Enter www.microsoft.com in your browser
and hit enter.
Step 2: A DNS query is sent to the local resolver
on the PC. The local resolver checks the local DNS
cache.
Step 3: If there is no match in step 2 a query is
sent to the primary DNS server if one is
configured and it is available.
Step 4: The DNS server checks to see if it can
authoritatively answer the query. This means:
does the DNS server have a zone configured and
a resource record that answers the query?
Step 5: If no match was found in step 4 the DNS
server checks its local DNS cache.
Term
Recursion
Definition
__________:
• Client sends a ________ request to a DNS server
• DNS server completes the query on behalf of the
DNS client and sends the result back to the client.
Term
Iteration
Definition
__________:
Used by a DNS server when contacting other DNS
servers
• Receives a referral from one server and directly
queries the server listed in the referral.
• One DNS server does most of the work
Term
Root Hints
Definition
____ _____
• Used during recursion
• Gives DNS a starting point
• Can be modified for private namespaces
• Stored in Windows\System32\DNS\Cache.dns
• Loaded when the DNS service starts
Term
Steps 6-9 DNS Request Process
Definition
Step 6: Based on the configuration of the DNS
server a query is sent to a root server.
Step 7: The root server responds with a referral
to a top level DNS server.
Step 8: The original DNS server that the query
was first sent to takes the referral and sends a
request to the top level DNS server. In this
example .com.
Step 9: The .com. DNS server sends a referral to
the microsoft.com DNS server.
Term
Steps 10-12 DNS Request Process
Definition
Step 10: Again the original DNS server takes the
referral and sends a query to the microsoft.com
DNS server.
Step 11: Since the DNS server is authoritative for
microsoft.com it is able to respond with the Host
resource record that contains the IP address for
www.microsoft.com.
Step 12: The original DNS server responds to the
client query with the IP address of
www.microsoft.com
Term
Forward and Reverse Lookup Zones
Definition
_____ & ______ Lookup Zones
Forward Lookup
• Translates a name to an IP address
• Most commonly used zone type
Reverse Lookup
• Translates an IP address to a name
• Zone name ends with in-addr.arpa
Term
DNS Forwarders
Definition
DNS _________ forward a DNS query to another
DNS server instead of using Root Hints.
Request Process is:
• DNS Server receives query
• DNS Server checks locally hosted zones
• DNS Server checks local server cache
• DNS Server forwards query to first DNS server
listed on the _______ tab
Term
Conditional Forwarders
Definition
______ Forwarders:
• Forward queries for a specific domain name to
specific DNS servers
• Often used to improve performance for DNS
resolution of partner domain names and
resources
Term
3 DNS Zone Types
Primary
Secondary
Stub
Definition
There are 3 DNS Zone Types
Term
Resource Records
Definition
______ ______ are:
Database entries used to answer queries
• SOA - Start of Authority
• NS - Name Server
• A or AAAA (HOST)
• PTR (Pointer)
• CNAME (Alias) - Canonical Name
• SRV (Service Locator)
• MX (Mail Exchanger)
Term
NAT
Definition
Network Address Translation
AD Trees & Forests
o You decide to create a trust relationship between Domain A and Domain B. Before
you take any other actions, can users in Domain A use resources from Domain B yet?
o No.
A trust relationship only allows for the possibility of sharing resources between domains; it does not
explicitly provide any permissions. In order to allow users to access resources in another domain, you
must configure the appropriate permissions.
o
o Plans are to deploy four Active Directory domains with the following requirements:
minimize the number of servers
enough fault tolerance to survive the complete failure of one domain controller.
What is the minimum number of domain controllers to deploy initially?
o 8
Two per domain for fault tolerance
o
o What server configurations can be directly promoted to become a domain controller
for a new domain?
o Member servers
Stand-alone servers
o
o Server1: Schema Master
Server2: RID Master
Server3: Windows NT 4 BDC
Server4: Infrastructure Master
Server5: PDC Emulator Master
Entire environment migrating to Windows Server 2008. Which Server not needed?
o Server3: Windows NT 4 BDC
o
o Implicit trusts created between domains are known as ______
o transitive trusts.
o
o Need to add a field to the properties of a User object. On what servers can the change be made?
o The Schema Master is the only server within Active Directory on which changes to
the schema can be made.
o
o What are several Active Directory domains that share a contiguous namespace
called?
o A tree
o
o Accidentally demoted the last domain controller of your ADTest.com domain.
Want a complete undo. Possible?
o Once the last domain controller in an environment has been removed, there is no way
to recreate the same domain. If adequate backups had been performed, you may have been able to
recover information by rebuilding the server
o
o Items that depend on the DNS namespace are ....
o Domains
trees
forests
DNS zones
o
o Which types of computers contain a copy of the Global Catalog (GC)?
o Specified Active Directory domain controllers
o
o Which pieces of information should you have before you use the Active Directory
Installation Wizard to install a new subdomain?
o name of the child domain
name of the parent domain
DNS configuration information
NetBIOS name for the server
o
o Which type of trust is automatically created between the domains in a domain tree?
o Transitive two-way
o
o A systems administrator wants to remove a domain controller from a domain. What is
the easiest way to perform the task?
o Use the Active Directory Installation Wizard to demote the domain controller.
o
o Regarding the sharing of resources between forests...
o A trust relationship must exist before resources can be shared between forests.
o
o A new remote location has a very slow WAN link and needs the following:
Fast logon times
Reduced network bandwidth
Ability to use existing hardware
What can you implement to achieve the above requirements?
o Universal group membership caching stores information locally once a user attempts
to log on for the first time.
o
o Of the five main single master functions, two apply to an entire Active Directory forest.
What are the three that apply to just the domain?
o RID Master
PDC Emulator Master
Infrastructure Master
o
o When deploying Active Directory, you decide to create a new domain tree. What do
you need to do to create this?
o Promote a Windows Server 2008 computer to a domain controller and select the
option that makes this domain controller the first machine in a new domain that is a child of an existing one.
o
o 7 Reasons for Using Multiple Domains
o Scalability
Reducing replication traffic
Meeting business needs
Hierarchy - easier data management
Decentralized administration
Multiple DNS or domain names
Legality
o
o What are some of the Drawbacks of Multiple Domains?
o Administrative inconsistency
Increased management
Decreased flexibility
o
o Min Requirements for DC numbers
o 2 DCs per Domain
o
o Recommended requirements for DC numbers
o 2 DCs per Site
o
o Reasons for adding extra DCs
o Fault tolerance and reliability
Performance
o
o Main requirement for joining a new domain to an existing forest
o Domain does not share a namespace with the existing Active Directory domain.
o
o If you want to join a W2k8 server to an existing W2k3 Forest what do you need to do
first?
o Prepare the domain by running:
adprep /forestprep
adprep /domainprep
o
o What naming information do you need prior to joining a domain to a new tree?
o name of the parent domain
name of the child domain
NetBIOS name for the new server
o
o What other information (other than the 3 names) do you need prior to joining a
domain to a new tree?
o DNS configuration
domain administrator username and password
o
o DcPromo option selected to create a new domain tree.
o "Makes this domain controller the first machine in a new domain that is a child of an
existing domain"
o
o 3 Features common to all Domains in a Forest
o Schema
GC
Configuration Info
o
o Type of trust between the Forest Root Domain and all the rest of the domains in the
forest
o 2-way Transitive
o
o How is a new Domain Tree created?
o Created top down - forest root domain - then child domains
o
o How do you move a DC between domains?
o 1. Demote it.
2. Move it.
3. Promote it
o
o True or False? A Trust grants all users in one domain access to the other domains.
o False.
Trust only provides the foundation.
Rights must be granted to resources once Trust is established.
o
o What 2 features of AD do ALL Trees and Forests share?
o Schema and
Global Catalog
o
o What do you always have even if you only have 1 Domain?
o A Tree and a Forest
o
o What do you need to ensure is done before you remove the last DC from a Domain?
o Computers no longer log on to this domain
No user accounts are needed
All encrypted data is decrypted
All cryptographic keys are backed up
o
o What are the 2 Forest Operation Master Roles?
o Schema Master
Domain Naming Master
o
o What tool is used to manage the Forest Operation Master roles?
o AD Domains & Trusts
o
o What are the 3 Domain Operation master Roles?
o RID Master
PDC Emulator Master
Infrastructure Master
o
o The Schema master holds ___
o a master copy of the AD Schema
o
o Where can changes to the AD Schema be made?
o Only on the Schema Master
o
o The Domain Naming Master __
o tracks domains within the AD Forest
o
o What does the RID Master do?
o Creates a unique RID for every AD object
o
o PDC Emulator is responsible for __
o Maintaining backward compatibility with NT DCs - used only in Mixed Mode domains.
o
o In a Forest running at 2k Native or later what role does the PDC play?
o Acts as default DC if another is not available
o
o The Infrastructure Master ensures
o Ensures that group membership info stays current between DCs
o
o How do you assign the Domain Naming Master Role?
o Open AD D&T
AD D&T Properties
Select Operations Master
Click Change
o
o How do you assign all of the RID, PDC and Infrastructure Roles?
o Open AD U&C
right-click Domain
Select Operation Masters
Click Change
o
o What is a transitive trust?
o Implied trusts.
If domain A trusts domain B AND
domain B trusts domain C THEN
domain A trusts domain C
o
o What are External Trusts used for?
o Used to provide access to external domain (NT) that can't use forest trusts
o What type of trust are External Trusts?
o Non-transitive and either 1-way or 2-way (manually created)
o
o On External Trusts, what is enabled by default to prevent hackers from using SID info to gain access?
o Default SID filtering
SID History cleaned of SID history attributes that are not members of the trusted domain.
o
o When is a Realm Trust used?
o Used to connect to non-Windows domain using Kerberos
o
o What types of Realm Trusts are there?
o Either Transitive or Non-Transitive
And either 1-way or 2-way
o
o Where do you configure Trust Relationships?
o AD D&T - Domain Properties - Trusts Tab
o
o What happens when Selective authentication is used with Cross Forest Trusts?
o users can't authenticate to DC or resource server unless explicitly enabled
o
o What is a manually created Trust called?
o Shortcut trusts
o
o What is a Cross Forest Trust used for?
o To Share resources between forests
o
o What is the restriction on Cross Forest Trusts?
o They cannot be Non-transitive.
o
o Where would you go to enable Selective Authentication?
o Trust properties - Selective Authentication
o
o Where would you add a UPN suffix?
o AD D&T - Properties - UPN Suffixes
o
o You need to add another Global Catalog server to an existing domain. Where would
you go to do this?
o AD S&S
- DC
- NTDS Settings Properties
- GC Checkbox
o
o What happens when Universal Group Membership Caching is enabled on a W2k8
DC?
o 1. User logs on - Universal Groups cached from GC
2. Next time user logs on - no need to contact GC
o
o The benefits of Universal Group Membership Caching are:
o Faster logon times
Reduced network bandwidth
Ability to use existing hardware
o
o On a W2k8 DC how do you enable Universal Group Membership Caching?
o AD S&S
- Sites
- Default-First-Site-Name
- NTDS Settings - Properties
- checkbox