AD-Q&A


8/9/2019 AD-Q&A (page 1/46)

Windows Server 2008 & 2008 R2

Install, Manage and Master OS

o What is DNS?
o The Domain Name System (DNS) is a hierarchical, distributed database that maps logical host names to IP addresses.

o What does a DNS server hold?
o A DNS server holds a database of hostnames and their corresponding IP addresses. Clients query the DNS server to get the IP address of a given host.

o What was used before DNS?
o A hosts file saved on each host computer.

o What makes up the DNS hierarchy?
o The DNS hierarchy is made up of the following components:
- . (dot) domain (also called the root domain)
- Top Level Domains (TLDs) (.com, .edu, .gov)
- Second-level and additional domains
- Hosts

o What is a FQDN?
o Fully Qualified Domain Name - includes the host name and the name of all domains back to root.

o What makes DNS a distributed database?
o DNS is a distributed database because no one server holds all of the DNS information. Instead, multiple servers hold portions of the data.

o What is a zone?
o Zones typically contain one or more domains, although additional servers might hold information for child domains.

o What do DNS servers do?
o DNS servers hold zone files and process name resolution requests from client systems.

o What is a DNS forward lookup?
o A forward lookup uses the host name (or the FQDN) to find the IP address.


o What is a DNS reverse lookup?
o A reverse lookup uses the IP address to find the host name (or FQDN).

o What is an A record?
o The A record maps a host name to an IP address and is used for forward lookups.

o What is a PTR record?
o The PTR record maps an IP address to a host name and is used for reverse lookups.

o What is a CNAME record?
o The CNAME record provides an alternate name (an alias) for a host.

o What is a SRV record?
o The SRV record identifies a service, such as an Active Directory domain controller.

o How are DNS records created?
o Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts automatically register and update their corresponding records with the DNS server.

o What is the process followed when a client computer needs to find an IP address?
o - The client examines its HOSTS file for the IP address.
- If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
- If the IP address is not in the cache, the client sends the request to a DNS server.

o What is the process when a DNS server receives a name resolution request?
o 1) The DNS server examines its local DNS cache for the IP address.
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or recursion.
5) After the information is found or received from another server, the DNS server returns the result to the client, and places the information in its server cache.

o What is an authoritative DNS server?
o A DNS server that has a full, complete copy of all the records for a particular zone.

o What is DNS Forwarding?
o Where the DNS server forwards the name resolution request to another DNS server, then waits for a response from that server.


o What is DNS Recursion?
o Where the DNS server queries root domain servers, top-level domain servers and other DNS servers in an iterative manner until it finds the one that hosts the target domain.

o What is a caching-only DNS server?
o A caching-only DNS server has no zone information; it is not authoritative for any domains. It uses information in its server cache, or forwarding or recursion, to respond to client queries.

o Who can install DNS in Server 2008?
o Members of the Domain Admins group.

o Which versions of Server 2008 can have DNS installed on them?
o You can install DNS on any version of Windows Server 2008 except for the Windows Server 2008 Web Server edition.

o What type of IP address must the DNS server have?
o Static.

o How would you add the DNS role from a command prompt (or on a Server Core installation)?
o start /w ocsetup DNS-Server-Core-Role

o What command will give a list of installed services on a server?
o Run the oclist command to get a list of services (including DNS) installed on a server.

o What can be used to manage DNS on Server 2008?
o Use the DNS snap-in or the dnscmd command to manage DNS.

o What is a primary DNS zone?
o The master copy of a zone database.

o What are the properties of a primary zone?
o - The primary zone is the only writeable copy of the zone database.
- Changes to the zone can only be made to the primary zone.
- The server that holds the primary zone is called a primary server.


- Each zone can have only a single primary zone server.
- Zone data is stored in a text file.

o What is a secondary DNS zone?
o A secondary zone is a read-only copy of the zone database.

o What are the properties of a secondary DNS zone?
o - Changes cannot be made to the records in a secondary zone.
- A server that holds a secondary zone is called a secondary server.
- Secondary servers copy zone data from other servers through a process called zone transfer.
- Secondary servers can copy zone data from the primary server or other secondary servers.
- Zone data is stored in a text file.

o What is an Active Directory-integrated DNS zone?
o An Active Directory-integrated zone holds zone data in Active Directory instead of a text file.

o What are the properties of an Active Directory-integrated DNS zone?
o - Active Directory-integrated zones are multi-master zones, meaning that changes to the zone information can be made by multiple servers. Multiple servers hold read-write copies of the zone data.
- Only DNS servers that are domain controllers can host Active Directory-integrated zones.
- Storing zone data in Active Directory provides automatic replication, fault tolerance, and distributed administration of DNS data.
- Replication of zone data occurs during Active Directory replication and is secured by Kerberos.

o What is a stub zone?
o A stub zone is a zone with only a partial copy of the zone database.

o What are the properties of a stub zone?
o - The stub zone only contains information about the name servers that are authoritative for the zone; it does not contain information for other hosts.
- A stub zone is not authoritative for the zone; its purpose is to identify the name servers that can be contacted for full zone information.
- The stub zone is dynamic, meaning that it will keep the list of name servers for the zone updated automatically.
- Use a stub zone to forward name requests based on zones while keeping name server lists updated automatically.

o What is the GlobalNames DNS zone?


o The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution.

o What is a GlobalNames DNS zone used for?
o - Allow clients to use simple host names without domain information for name resolution. For example, to contact a server named web1.corp.us.westsim.private, users could simply enter the single-label name web1.
- Allow DNS clients to contact NetBIOS-only hosts without the need for a WINS server.
- Allow IPv6-only hosts to contact NetBIOS hosts (IPv6 does not support the use of WINS).

o What are the features of a GlobalNames zone?
o - When users enter a single-label name, the client computer first tries to resolve the name using DNS and the search suffix configuration. If that process fails, the GlobalNames zone is checked (if it exists).
- Using the GlobalNames zone does not require any changes to client machines.
- Dynamic updates are not supported on the GlobalNames zone. You must manually create each record in the GlobalNames zone.
- Use the GlobalNames zone to replace WINS servers on your network only when you have a small number of hosts that do not support DNS. For a large number of NetBIOS-only hosts, or to support dynamic registration of single-label names, continue to use a WINS server.

o What is a forward lookup DNS zone?
o A forward lookup zone provides hostname-to-IP address resolution. Clients query the DNS server with the hostname, and receive the IP address in return.

o What is a reverse lookup DNS zone?
o A reverse lookup zone provides IP address-to-hostname resolution. Clients query the DNS server with the IP address, and receive the hostname in return.

o How many servers can hold the primary zone file?
o Only one server can hold the primary zone file. To place zone data on multiple servers, configure secondary servers.

o Where does Windows store standard zone data?
o Windows stores standard zone data in the %windir%\System32\Dns directory. The file is a text file with .dns added to the zone name.

o Which types of zone support dynamic updates?
o Primary and Active Directory-integrated zones support dynamic updates. Use an Active Directory-integrated zone to use secure dynamic updates.


o What types of record does a reverse lookup zone hold?
o Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP address to an A record.

o What type of zones can a reverse lookup zone be?
o A reverse lookup zone can be a primary zone, a secondary zone, or an Active Directory-integrated zone.

o What is the SOA (Start of Authority) record?
o The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone, and it is assigned to the DNS server hosting the primary copy of a zone. There is only one SOA record, and it is the first record in the zone database file. The SOA record includes parameters such as the authoritative server and the zone file serial number.

o What is an NS (Name Server) record?
o The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone (all authoritative DNS servers).

o What is an A (Host Address) record?
o The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the most common resource record type.

o What is an AAAA (Quad A) record?
o The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address.

o What is an MX (Mail Exchanger) record?
o The MX record identifies servers that can be used to deliver e-mail.

o What is a CNAME record?
o The CNAME record provides alternate names (or aliases) to hosts that already have a host record. Using a single A record with multiple CNAME records means that when the IP address changes, only the one A record needs to be modified.

o What is a DNAME record?
o The DNAME record provides alternate names (or aliases) to domains that already have a host record.


o What is a SRV (Service Locator) record?
o The SRV record is used by Windows Server 2008 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically creates these records as needed and during domain controller installation.

o What is a PTR (Pointer) record?
o In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. "points" to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.

o What are WINS and WINS-R records?
o Add these records to a zone when you want to allow DNS to use WINS resolution. The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse query that is not resolvable through DNS.

o How can DNS records be automatically created on a DNS server?
o By using Dynamic DNS. Dynamic DNS is required to support Active Directory.

o When do dynamic updates occur?
o - A network connection's IP address is added, deleted, or changed.
- The DHCP server changes or renews an IP address lease.
- The client's DNS information is manually changed using ipconfig /registerdns.
- The client boots.
- A server is promoted to a domain controller.

o Which Windows clients support DDNS?
o Windows clients (2000 and above) create their A records with the DNS server. Windows 9x/Me/NT clients do not support dynamic DNS.

o How does the DHCP server tie in with DDNS?
o The DHCP server registers the PTR record with the DNS server for clients capable of dynamic updates. The DHCP server updates both the A and PTR records for clients that do not support dynamic updates.

o Are dynamic updates enabled by default on a primary zone?
o Dynamic updates are not enabled on primary zones. You can enable dynamic updates when you create the zone or modify the zone properties later to enable this feature.


o Are dynamic updates enabled by default on an Active Directory-integrated zone?
o Dynamic updates are enabled on Active Directory-integrated zones. Note: When you convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is retained.

o What are secure dynamic updates?
o With secure dynamic updates, only domain members can create records, and only the original client can modify or remove records.

o What is used to keep track of changes to a DNS zone?
o The zone serial number keeps track of changes to the zone. When you make changes to the zone, the serial number is incremented.

o What is a DNS master server?
o A master server is the server from which the secondary copies the zone data. The master server can be the primary server or another secondary server.

o What are the two types of zone transfer?
o Zone transfers can copy all records or only changed records:
- A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
- A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default method on Windows Server 2008.

o Are zone transfers enabled in Server 2008 by default?
o By default, zone transfer in Windows Server 2008 is disabled for security reasons. To use zone transfers, manually enable the feature in the DNS settings in Server Manager.

o How can you restrict the servers to which zone transfers are allowed?
o - Allow zone transfers only to servers that are listed as name servers.
- Allow zone transfers only to servers you specifically identify.

o How does a secondary server initiate a zone transfer?
o - The secondary server contacts the master server and compares the serial number on the master with the serial number in its copy.
- If the serial number on the master is greater, the secondary initiates zone transfer.
- If the serial number is the same (or lower) on the master, no zone transfer takes place.

o What is DNS Notify?
o Windows DNS servers support the use of DNS Notify. With DNS Notify, master servers are configured with a list of slave DNS servers.


o How does DNS Notify work?
o - When a change takes place, the master notifies the slave servers that the zone has changed.
- The secondary server then initiates zone transfer, first checking the serial number, then requesting changes.

o What is a DNS caching server?
o A caching-only server runs DNS but has no zones configured. Use a caching-only server to improve performance while eliminating zone transfers.

o How does an Active Directory-integrated zone store DNS information?
o An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when Active Directory replicates.

o How can you secure zone transfers to secondary servers?
o Active Directory replication traffic is automatically secured. To secure zone transfers to secondary servers, use IPsec between servers.

o How can you force an update of DNS zone data?
o You can force an update of zone data through the DNS console or by using the dnscmd command.

o How would you delegate control of an AD OU to a user?
o - Right-click on the OU.
- Delegate Control.
- Choose User.
- Choose the appropriate option.
- Finish.

o What is an OU?
o An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.

o What are the different types of OU?
o Parent OUs are OUs that contain other OUs. Child OUs are OUs within other OUs.


o What organisational structures can you not apply GPOs to?
o Generic containers.

o What is group policy inheritance?
o Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.

o How can you prevent objects from accidental deletion in AD?
o - On the Object tab, select the Protect object from accidental deletion check box. (This option is only seen with Advanced Features selected from the View menu.)
- On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.

o What setting should be set at creation to prevent an AD OU being accidentally deleted?
o When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.

o How would you delete an AD object that is protected from deletion?
o To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object.

o What is delegation of authority?
o Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups.

o Describe some of the facts about delegating control:
o - You can delegate control of any part of an OU or object at any level with the Delegation of Control Wizard or through the Authorization Manager console.
- An object-based design allows you to delegate control based on the types of objects in each OU. For example, you can delegate control over specific object types (such as user objects).
- A task-based design allows you to delegate control based on the types of administrative tasks that need to be done.

o What is the Builtin default container?


o The Builtin container holds default service administrator accounts and domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks.

o What is the Computers default container?
o The Computers container holds all computers joined to the domain without a computer account. It is the default location for new computer accounts created in the domain.

o What is the Domain Controllers default container?
o The Domain Controllers OU is the default location for the computer accounts for domain controllers.

o What is the LostAndFound default container?
o The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.

o What is the NTDS Quotas default container?
o The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own.

o What is the Program Data default container?
o The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.

o What is the System default container?
o The System container holds configuration information about the domain including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.

o What is the Users default container?
o The Users container holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.

o What is special about AD containers?
o They are automatically created and cannot be deleted.


o What is special about the Domain Controllers OU?
o It is the only default OU, and it can have a GPO applied, whereas the other default containers cannot have a GPO applied.

o How would you view hidden containers in AD Users and Computers?
o Click Advanced Features from the View menu.

o Which containers are hidden by default in AD Users and Computers?
o - LostAndFound
- NTDS Quotas
- Program Data
- System

o What is special about AD containers and how do they differ from OUs?
o They are automatically created and cannot have GPOs applied to them.

o What is the SAM database?
o A local database that allows users to access local resources on the machine.

o What are the two types of user account?
o Local and Domain.

o What is a local user account?
o A local user account is created and stored on a local system and is not distributed to any other system.
- Local user accounts are created with the Computer Management console.
- The local Security Accounts Manager (SAM) manages the user account information.
- Only local resources are accessible with local user accounts.

o What is a domain user account?
o A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain.

o How can domain user accounts be created?
o Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell.


o What is unique to each domain user account?
o Each domain user account has a unique security identifier (SID) to identify the user. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.

o How can external users with email accounts be represented in AD?
o External users which need an e-mail account can be represented through a contact object.

o What is a contact object?
o An account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such as e-mail or phone number, to Active Directory. Applications, such as Exchange, can search for attributes of contact objects.

o What is the user or logon name?
o The user or logon name is the name of the user account.

o What is the User Principal Name (UPN)?
o The User Principal Name (UPN) combines the user account name with the DNS domain name.
- The UPN format is also known as the SMTP address format.
- The DNS domain name in the UPN is known as the UPN suffix.
- By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name.

o What is the LDAP Distinguished Name (DN)?
o The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes:
- Domain Component (DC)
- Organizational Unit (OU)
- Common Name (CN)

o What is the Relative Distinguished Name (RDN)?
o The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object's container.


o When would you use the "User cannot change password" option?
o When you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account.

o How would you unlock an account?
o To unlock an account, go to the Account tab in the account object's Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account.

o What should you do if a user account is accidentally deleted?
o Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.

o How would you add a User Principal Name (UPN) suffix to a forest?
o 1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.

o What is a computer account?
o A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device.

o How would you prestage a computer account?
o From Active Directory Users and Computers, create a computer account. This process is called prestaging computer accounts. From the workstation, join the domain. The workstation will be associated with the computer account you created previously.

o Where is the computer account created when you join a workstation to the domain?
o In the Computers built-in container.

o How would you control where computer accounts are placed when a computer joins the domain?
o Create the computer accounts ahead of time (pre-stage them).


o Which groups have permissions to create a computer account?
o - Account Operators
- Domain Admins
- Enterprise Admins

o How many computers are the Authenticated Users group members allowed to join to the domain (from a workstation)?
o 10 - this will also create the computer account automatically if it doesn't already exist. This ability comes from the Add workstations to a domain user right.

o How would you allow a specific user to join a specific computer to the domain?
o You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.

o How would you give other users permissions to create computer accounts in AD?
o By giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.

o Will a computer receive group policy settings once the computer account is created?
o No, the computer must be joined to the domain before it receives any GPO settings or AD receives any workstation-specific information.

o What commands can be used to create computer accounts from a command prompt or script?
o dsadd or netdom. (Use netdom join to join a computer to the domain.)

o What establishes a secure channel between a computer and the domain controller?
o The computer password (automatically generated when the computer joins the domain).

o Where is the computer account password saved?
o On the local computer and in AD. By default, it is changed every 30 days.

o What might cause a computer to fail to authenticate to the domain?
o If the two computer passwords (on the local machine and in AD) become unsynchronised.


This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.

o How would you reset the computer account after a logon failure?
o - Run the netdom reset command followed by the computer account name and the domain.
- In Active Directory Users and Computers, right-click the computer account and select Reset Account.
- Create a script in Visual Basic.
After resetting the computer account, you must rejoin the computer to the domain.

o What is a local group?
o Local groups exist only on the local computer, and control access to local resources.

o What is a domain group?
o Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.

o What is group scope?
o Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.

o What membership can a global group have?
o Global groups can contain members within the same domain. These include:
- Global groups in the same domain (in native mode only).
- Users and computers within the same domain.

o What should a global group be used for?
o Use global groups to group users and computers within the domain who have similar access needs.

o What membership can a domain local group have?
o Domain local groups can contain members from any domain in the forest. These include:
- Domain local groups in the same domain (in native mode only).
- Global groups within the forest.

  • 8/9/2019 AD-Q&A

    17/46

    Universal groups within the forest (in native mode only).

    - Users and computers within the forest.

    o

    o What membership can a universal group have?

    o Universal groups can contain members from any domain in the forest. These include:

    - Universal groups within the forest.

    - Global groups within the forest.

    - Users and computers within the forest.

    o

    o What resources can global groups be given permissions to?
    o Global groups can be assigned permissions to resources anywhere in the forest (and in trusting domains).

    o What resources can domain local groups be given permissions to?
    o Domain local groups can be assigned permissions only to resources within their own domain.

    o What resources can universal groups be given permissions to?
    o Universal groups can be assigned permissions to resources anywhere in the forest.

    o What should global groups be used for?
    o Create global groups to organize users by role (e.g., Sales or Development).

    o What should domain local groups be used for?
    o Create domain local groups that represent the domain resources (shares, folders, printers) to which you want to control access, assign permissions on the resource to the domain local group, and then nest the global groups in it. This is the AGDLP pattern: Accounts go into Global groups, which go into Domain Local groups, which are assigned Permissions.

    o What should universal groups be used for?
    o Universal group membership is replicated to every global catalog server in the forest, so it should be relatively stable. For this reason, you should only add global or universal groups to universal groups, and avoid adding user accounts directly to them: membership churn inside a nested global group does not cause global catalog replication, whereas every change to the universal group itself does.

    o What is a security group?
    o A security group is one that can be used to manage rights and permissions.
    - Group members get the permissions that are granted to the group.
    - A security group is an object with a security identifier (SID) which, through its member attribute, collects other objects such as users, computers, contacts, and other groups. The SID is what appears in access control lists and in the access tokens of the group's members.

    o Which type of AD group should be used for assigning permissions?
    o Security.

    o What is a distribution group?
    o A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. A distribution group's SID is never placed in an access token, so distribution groups cannot be used for assigning permissions.

    o What happens if you convert a security group to a distribution group?
    o The group's SID is no longer added to its members' access tokens, so every permission assigned to the group stops applying. This could block legitimate access, or allow unwanted access where the group was used in a Deny entry.

    o How would you convert a global group to a domain local group?
    o A direct conversion is not allowed. First convert the group to a universal group, then convert the universal group to a domain local group. Each step is refused if the group's current membership or nesting is not valid for the new scope.

    o Can you convert a global group nested in another global group into a universal group?
    o No: a universal group cannot be a member of a global group, so the nesting must be removed first.

    o Can you make a universal group a member of a global group?
    o No.

    o What happens when a group is deleted?
    o All information about the group, including its membership list, is deleted, and its SID is never reused. Permissions assigned to the group remain in ACLs as orphaned entries that reference an unresolvable SID and no longer grant access.

    o How can you recover a deleted group?
    o - Re-create the group, add all the original group members, and reassign any permissions granted to the group (the re-created group has a new SID, so the old ACL entries do not work).
    - Restore the group from a recent backup using an authoritative restore.
    - On Windows Server 2008 R2, with the forest at the Windows Server 2008 R2 functional level and the Active Directory Recycle Bin enabled, restore the deleted object with its SID and membership intact.
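    The AGDLP pattern and the two-step scope conversion described above, as an added PowerShell example (not code from the original Q&A). It uses the ActiveDirectory module that ships with Windows Server 2008 R2 and RSAT, and assumes a lab domain corp.example with an OU "OU=Groups,DC=corp,DC=example", a user jdoe and a folder D:\Shares\Sales on the server running the script; the group names are made up for the example.

```powershell
# Added example: Accounts -> Global group -> Domain Local group -> Permissions,
# then a Global -> Universal -> DomainLocal scope conversion.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=corp,DC=example'    # assumed lab OU
$folder    = 'D:\Shares\Sales'                  # assumed resource
$globalGrp = 'G-Sales'                          # A -> G: people collected by role
$localGrp  = 'DL-Sales-Modify'                  # DL: named after the resource and access level

# 1. Global group for users with similar access needs (members must be from this domain).
if (-not (Get-ADGroup -Filter "Name -eq '$globalGrp'")) {
    New-ADGroup -Name $globalGrp -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $globalGrp -Members 'jdoe'

# 2. Domain local group representing the resource.
if (-not (Get-ADGroup -Filter "Name -eq '$localGrp'")) {
    New-ADGroup -Name $localGrp -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# 3. Nest the Global group in the Domain Local group (G -> DL).
Add-ADGroupMember -Identity $localGrp -Members $globalGrp

# 4. Permission the resource with the Domain Local group's SID only (P), never with users.
$acl  = Get-Acl -Path $folder
$sid  = (Get-ADGroup -Identity $localGrp).SID
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 5. Scope conversion: Global -> DomainLocal is refused directly; go via Universal.
#    Set-ADGroup throws if the group's membership or nesting is invalid for the new scope
#    (for example a Global group that is itself a member of another Global group).
$tmp = 'G-Temp'
New-ADGroup -Name $tmp -GroupScope Global -GroupCategory Security -Path $ou
Set-ADGroup -Identity $tmp -GroupScope Universal
Set-ADGroup -Identity $tmp -GroupScope DomainLocal
(Get-ADGroup -Identity $tmp).GroupScope        # DomainLocal

# 6. Check: direct memberships of the user. The nested DL group is not listed here,
#    but its SID appears in the user's token (whoami /groups) after the next logon.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
```

    Because only the domain local group's SID is in the folder ACL, moving a user between roles is a change to global group membership alone and never touches the resource's ACL.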

    o What directory format does Active Directory use?
    o An X.500-style hierarchical directory, accessed through LDAP.

    o What do AD tree structures share?
    o The same contiguous DNS name space.

    o What is an RODC?
    o A Read Only Domain Controller: a domain controller type introduced in Windows Server 2008 that holds a read-only copy of the AD database and, by default, caches no account passwords. It is intended for branch offices and other locations where physical security of the server is weak.


    o Do different forests share the same name space?
    o No.

    o What is NTDS.dit?
    o The AD database file (an Extensible Storage Engine database, by default in %SystemRoot%\NTDS on every domain controller). It contains the password hashes of every account in the domain, so it is a prime target for attackers and its backups must be protected accordingly.

    o What is a domain?
    o A domain is an administratively-defined collection of network resources that share a common directory database and security policies.

    o What is an AD object attribute?
    o Information about the object (such as a user's name, phone number, and email address) which is used for locating and securing resources.

    o What does an object schema identify?
    o The schema identifies the object classes (the types of objects) that exist in the directory and the attributes (properties) of each class.

    o What does AD use DNS for?
    o Active Directory uses DNS for naming domains and for locating domain controllers and services: domain controllers register SRV records (for example _ldap._tcp.dc._msdcs.<domain>) that clients query to find a domain controller.

    o Name the OU structure
    o First-level OUs can be called parents.
    Second-level OUs can be called children.
    OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).

    o What is an AD tree?
    o A tree is a group of related domains that share the same contiguous DNS name space.

    o What is an AD forest?
    o A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.

    o What is the forest root domain?
    o The forest root domain is the top-level domain in the first tree. It is the first domain created in the Active Directory forest.


    o What is the tree root domain?
    o The tree root domain is the highest level domain in a tree.

    o What is a child domain?
    o Each domain in the tree that is connected below the tree root domain is called a child domain.

    o What is a domain tree?
    o A domain tree is a group of domains based on the same name space. Domains in a tree:
    - Are connected with two-way transitive trusts.
    - Share a common schema.
    - Have common global catalogs.

    o What is a domain controller?
    o A domain controller is a server that holds a writable copy of the Active Directory database (an RODC holds a read-only copy).

    o What is replication?
    o Replication is the process of copying changes to Active Directory between the domain controllers.

    o What two objects does AD use to represent the physical structure of the network?
    o - A subnet represents a physical network segment. Each subnet possesses its own unique network address space.
    - A site represents a group of well-connected networks (networks that are connected with high-speed links).

    o What manages AD replication between locations?
    o Sites, subnets and site links are used to manage Active Directory replication between locations.

    o How does an AD site differ from a domain?
    o A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization.

    o How are clients assigned to AD sites?
    o Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask.


    o How are domain controllers assigned to AD sites?
    o Domain controllers are assigned to sites according to the location of their associated server object in Active Directory (under Sites in the configuration partition).

    o What is the structure of the NTDS.dit file?
    o - The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.
    - The link table contains data that represents linked attributes, which contain values that refer to other objects in Active Directory (group membership, for example).
    - The security descriptor (SD) table stores each distinct security descriptor once, so that objects with identical (typically inherited) descriptors share a single copy.

    o What does the Global Catalog server do?
    o It holds a partial, read-only replica (a subset of attributes) of every object in every domain of the forest, and answers forest-wide searches and universal group membership queries at logon.

    o What are FSMO roles and what do they do?
    o Flexible Single-Master Operation roles are specialized domain controller tasks assigned to one domain controller in the domain or forest. Operations master roles are useful because certain domain- and enterprise-wide operations are not well suited to the multi-master replication that Active Directory normally uses to replicate objects and attributes.

    o What are the FSMO roles?
    o - Schema Master
    - Domain Naming Master
    - RID Master (Relative Identifier)
    - PDC Emulator
    - Infrastructure Master

    o What does the schema master do?
    o Maintains the schema (the definition of all the object classes and attributes); all schema changes must be made on this domain controller.

    o What does the RID master do?
    o The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by each domain controller when creating new security principals (such as user, group, or computer accounts).


    o What does the PDC Emulator do?
    o The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) for legacy clients and performs other tasks normally associated with NT domain controllers. It is also the authoritative time source for the domain, receives urgent replication of password changes, is consulted by other domain controllers when a logon fails with a bad password, and is the default domain controller for Group Policy edits.

    o What does the Infrastructure Master do?
    o The infrastructure master keeps cross-domain object references up to date. When an object in another domain that is referenced from this domain (for example a group member from another domain) is renamed or moved, the infrastructure master compares the reference against the global catalog, updates it, and replicates the change to the other domain controllers in the domain.

    o Which level do the Schema and Domain Naming Master roles operate at?
    o The forest level (one of each per forest).

    o What level do the RID, PDC and Infrastructure Master roles operate at?
    o The domain level (one of each per domain).

    o What is the Global Catalog?
    o The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced.

    o What is an Operations Master?
    o A domain controller that performs an operations master role is known as an operations master or operations master role owner.

    o What does the Domain Naming Master do?
    o The domain naming master adds new domains to and removes existing domains from the forest.
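    An added PowerShell example (not code from the original Q&A) that lists the holders of the five operations master roles described above and checks the classic placement mistake with the infrastructure master. It assumes the ActiveDirectory module from Windows Server 2008 R2 / RSAT and a reachable domain controller; the report function and its name are part of the example, not a Microsoft cmdlet.

```powershell
# Added example: report FSMO role holders (forest-wide and domain-wide) and warn
# when the infrastructure master sits on a global catalog in a domain that also
# has non-GC domain controllers.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles: exactly one holder of each in the whole forest.
    # Domain-wide roles: exactly one holder of each in every domain.
    $holders = @(
        New-Object PSObject -Property @{ Role = 'Schema Master (forest)';         Holder = $forest.SchemaMaster }
        New-Object PSObject -Property @{ Role = 'Domain Naming Master (forest)';  Holder = $forest.DomainNamingMaster }
        New-Object PSObject -Property @{ Role = 'RID Master (domain)';            Holder = $dom.RIDMaster }
        New-Object PSObject -Property @{ Role = 'PDC Emulator (domain)';          Holder = $dom.PDCEmulator }
        New-Object PSObject -Property @{ Role = 'Infrastructure Master (domain)'; Holder = $dom.InfrastructureMaster }
    )

    # The infrastructure master finds stale cross-domain references by comparing its
    # own data with a global catalog. If it is itself a GC it holds the up-to-date
    # copy already and never detects anything, so non-GC DCs in the domain keep stale
    # references. Harmless only when every DC is a GC or the forest has one domain.
    $dcs          = @(Get-ADDomainController -Filter * -Server $dom.PDCEmulator)
    $gcs          = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $infraIsGc    = @($gcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }).Count -gt 0
    $allDcsAreGc  = ($gcs.Count -eq $dcs.Count)
    $singleDomain = (@($forest.Domains).Count -eq 1)

    $warning = $null
    if ($infraIsGc -and -not $allDcsAreGc -and -not $singleDomain) {
        $warning = "Infrastructure master $($dom.InfrastructureMaster) is a GC while " +
                   "$($dcs.Count - $gcs.Count) DC(s) in $Domain are not: cross-domain " +
                   "references will go stale. Move the role with " +
                   "Move-ADDirectoryServerOperationMasterRole or make every DC a GC."
    }

    New-Object PSObject -Property @{ Holders = $holders; Warning = $warning }
}

$report = Get-FsmoReport
$report.Holders | Format-Table Role, Holder -AutoSize
if ($report.Warning) { Write-Warning $report.Warning }
# Cross-check from the command line, as the Q&A would: netdom query fsmo
```

    The same five answers come from netdom query fsmo; the script adds the GC placement check, which netdom does not perform.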

    o What is a functional level?
    o A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest.

    o What does a functional level define?
    o - Which Active Directory Domain Services (AD DS) features are available to the domain or forest.
    - Which Windows Server operating systems can be run on domain controllers in the domain or forest.
    Functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.


    o Which domain functional levels does Server 2008 support?
    o Windows 2000 native
    Windows Server 2003
    Windows Server 2008
    (Windows Server 2008 R2 adds the Windows Server 2008 R2 level; the Windows 2000 mixed level is no longer available.)

    o Which forest functional levels does Server 2008 support?
    o Windows 2000
    Windows Server 2003
    Windows Server 2008
    (Windows Server 2008 R2 adds the Windows Server 2008 R2 forest level, which is required for the Active Directory Recycle Bin.)

    o What is a group policy?
    o A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.

    o What are the Active Directory server roles in Server 2008?
    o - AD Domain Services
    - AD Lightweight Directory Services
    - AD Certificate Services
    - AD Federation Services
    - AD Rights Management Services

    o What is a server role?
    o A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server.

    o What is a role service?
    o Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role.

    o What is a feature?
    o A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support.

    o What is Active Directory Domain Services (AD DS)?
    o AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:
    - Helps administrators securely manage information.
    - Facilitates resource sharing and collaboration between users.
    - Must be installed on the network before directory-enabled applications such as Microsoft Exchange Server can be installed, and before other Windows Server technologies, such as Group Policy, can be applied.

    o What is Active Directory Lightweight Directory Services (AD LDS)?
    o Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but it is customizable, does not require or create a domain, can run several independent instances on one server, and can be much smaller than an AD DS database.

    o What is Active Directory Federation Services (AD FS)?
    o AD FS is a role which enables secure access to web applications outside of a user's home domain or forest. The AD FS role:
    - Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account.
    - Securely federates (shares) user identities and access rights in the form of digital claims between partner organizations.

    o What is Active Directory Rights Management Services (AD RMS)?
    o AD RMS is a role which safeguards digital information from unauthorized use. The AD RMS role:
    - Can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions.
    - Allows organizations to create custom usage rights templates (such as "Confidential - Read Only") that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data.

    o What is Active Directory Certificate Services (AD CS)?
    o AD CS is an identity and access control role that creates and manages public key certificates used in software security systems. The AD CS role:
    - Provides customizable services for creating and managing public key certificates.
    - Enhances security by binding the identity of a person, device, or service to a corresponding private key.
    - Includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.


    o Name some things that AD Certificate Services supports
    o Digital signatures
    Encrypting File System (EFS)
    Internet Protocol security (IPsec)
    Secure/Multipurpose Internet Mail Extensions (S/MIME)
    Secure Sockets Layer/Transport Layer Security (SSL/TLS)
    Secure wireless networks (802.1X with certificate-based EAP)
    Smart card logon
    Virtual Private Networks (VPN)

    o What AD roles are not supported on Server 2008 Standard?
    o AD FS requires the Enterprise or Datacenter edition for deployment.

    o Which server roles can Server 2008 core run?
    o Active Directory Domain Services (AD DS)
    Active Directory Lightweight Directory Services (AD LDS)
    Dynamic Host Configuration Protocol (DHCP) Server
    DNS Server
    File Server
    Print Server
    Streaming Media Services
    Web Server (IIS)
    (Server 2008 R2 core also adds Active Directory Certificate Services.)

    o What are the limitations of Server 2008 core?
    o There is no Windows shell (Explorer), so no Start menu, taskbar or desktop.
    There is no managed code support (no .NET Framework) in the original release of Server 2008, so all code has to be native Windows API code. Server 2008 R2 core includes a subset of the .NET Framework and can run Windows PowerShell.
    MSI packages can only be installed in quiet (unattended) mode, because the Windows Installer user interface cannot be displayed.

    o What methods can you use to manage a Server 2008 core system?
    o Log on and use the command prompt.
    Log on using Remote Desktop to gain access to the command prompt.
    Use Windows Remote Shell (winrs.exe over WinRM) from another computer.
    Run Server Manager or another MMC tool on another computer and connect to the server core system. This method allows you to use a GUI for managing the server core system.

    o How would you add server roles to a Server 2008 core system?
    o Run start /w ocsetup <ComponentName> to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive. The exception is AD DS: on Server Core it is installed with dcpromo /unattend:<answerfile>, because the installation wizard is not available.


    o How would you see a list of roles, role services and features that can be installed on Server 2008 core?
    o Run the oclist command. It lists every optional component with its exact (case-sensitive) name and whether it is currently installed or not. Server 2008 R2 core additionally offers dism /online /get-features.
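    The oclist / ocsetup procedure above as an added PowerShell example (not code from the original Q&A). It assumes a Windows Server 2008 R2 Server Core machine with PowerShell enabled (on 2008 RTM core, where there is no PowerShell, the same oclist and start /w ocsetup commands are typed at cmd.exe); the two function names are part of the example, and DNS-Server-Core-Role is the real component name for the DNS Server role.

```powershell
# Added example: install an optional component on Server Core only if oclist
# reports it as not installed, and wait for ocsetup to finish as "start /w" does.

function Get-OcList {
    # Parses oclist output into a hashtable: component name -> 'Installed' | 'Not Installed'.
    # oclist prints one component per line, indented for sub-components, in the form
    #   Not Installed:DNS-Server-Core-Role
    #   Installed:DHCPServerCore
    $table = @{}
    foreach ($line in (& oclist.exe)) {
        if ($line -match '^\s*(Installed|Not Installed):(\S+)\s*$') {
            $table[$matches[2]] = $matches[1]
        }
    }
    return $table
}

function Install-OcComponent {
    param([Parameter(Mandatory = $true)][string]$Name)

    $components = Get-OcList
    if (-not $components.ContainsKey($Name)) {
        # Names are case-sensitive; a wrong case shows up here rather than as an
        # ocsetup failure with no useful message.
        throw "Unknown component '$Name'. Check the exact name with oclist."
    }
    if ($components[$Name] -eq 'Installed') {
        return "$Name already installed"
    }
    # Equivalent of: start /w ocsetup <Name>. Without -Wait the call returns at once
    # and a following reboot or second install can race the first one.
    $p = Start-Process -FilePath 'ocsetup.exe' -ArgumentList $Name -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {   # 3010 = success, reboot required
        throw "ocsetup $Name failed with exit code $($p.ExitCode)"
    }
    return "$Name installed (exit code $($p.ExitCode))"
}

# Typical use on a Core DNS server. AD DS itself is not installed this way but with
# dcpromo /unattend:<answerfile>, since there is no wizard on Core.
Install-OcComponent -Name 'DNS-Server-Core-Role'
(Get-OcList).GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

    Running it a second time is safe: the component is found as Installed and nothing is executed.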

    Cards

    Term
    What are the building blocks of Active Directory?
    Definition
    Domains, trees, forests, organizational units.

    Term
    How is the physical location of objects in AD represented?
    Definition
    By sites: all objects in a given site share a physical location.

    Term
    What is a domain?
    Definition
    A logical grouping of computers that share a directory database and security policies.

    Term
    What is a tree in AD?
    Definition
    A parent domain with child domains whose names extend the name of the parent domain.

    Term
    How are domains in a tree linked?
    Definition
    Two-way transitive trust relationships (they can access each other's information).

    Term
    What is a forest in AD?
    Definition
    A group of domain trees that do not share a contiguous (adjoining) name space.

    Term
    Forest root domain
    Definition
    The first domain created when you create the AD structure.

    Term
    What is an OU (organizational unit)?
    Definition
    A logical subgroup within a domain, used to group the objects of a single workgroup, section, or department.


    Term
    What is a site in AD?
    Definition
    Sites group resources in a forest according to the location of their subnet.

    Term
    Why does AD use sites?
    Definition
    To control replication of data in the AD database, to apply site-linked Group Policy, and to delegate administrative control over objects in a single physical location.

    Term
    What are some of the other things that sites enable?
    Definition
    They enable users to be authenticated by a domain controller in the same physical location.

    Term
    What is a domain controller?
    Definition
    Domain controllers authenticate users logging on to their domain, and serve as the centers from which AD is administered in Windows Server 2008.

    Term
    What does a domain controller store?
    Definition
    A complete copy of all objects within its domain, plus the schema and the configuration information relevant to the forest in which the domain is located. (All writable domain controllers hold a master copy of the AD database; an RODC holds a read-only copy.)

    Term
    What is the global catalog?
    Definition
    It enables domains in the same forest to locate resources in any domain in that particular forest.

    Term
    What does the global catalog provide?
    Definition
    It provides information on universal group membership for any domain in the forest, and allows users to log on to a domain other than their own domain using the UPN.

    Term
    What is the UPN?
    Definition
    The UPN (User Principal Name) is a user name in the format of an email address (user@domain).

    Term
    What is FSMO?
    Definition
    Flexible Single Master Operations: tasks that are restricted to one specific domain controller instead of being performed multi-master.

    Term
    What are the FSMOs?
    Definition
    1. Schema master
    2. Domain naming master
    3. PDC emulator (Primary Domain Controller)
    4. Infrastructure master
    5. RID master (Relative Identifier)

    Term
    How is a SID different from a RID?
    Definition
    A SID (security identifier) identifies one security principal. It is made of a domain SID, which is common to all principals in the domain, followed by a RID (relative identifier), which is unique within the domain. The RID master hands out RID blocks so that no two objects in the domain get the same RID.

    Term
    What is a server role?
    Definition
    A specific function that a server performs on the network.

    Term
    What is a feature?
    Definition
    An optional component that adds a certain capability, for example .NET Framework 3.0 or BitLocker Drive Encryption.

    Term
    How do you add roles and features?
    Definition
    1. Initial Configuration Tasks
    2. Server Manager
    3. The command line (ServerManagerCmd.exe, or ocsetup on Server Core)

    Term
    What is an RODC and how does it function?
    Definition
    1. Read-only domain controller
    2. Has a read-only copy of the AD database
    3. Very useful for branch office deployment and high-security locations


    Term
    What is Server Core and its function?
    Definition
    A stripped-down installation of Server 2008 without a GUI, taskbar, or Start menu.

    Term
    Why use Server Core?
    Definition
    1. Less hardware and memory
    2. More secure because it presents a smaller attack footprint

    Term
    What is AD CS?
    Definition
    1. Active Directory Certificate Services
    2. Customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.

    Term
    Server Manager MMC (Microsoft Management Console)
    Definition
    1. Adds roles, role services, and server features
    2. View, manage, and modify the configuration of installed roles and features.
    3. Can be opened from Run with servermanager.msc (compmgmt.msc opens Computer Management, a different console)

    Term
    What is the GUI?
    Definition
    1. Graphical User Interface
    2. A GUI lets you interact with your computer using pictures and symbols

    Term
    How do you get to the Server Manager command line?
    Definition
    Start > Run > CMD > ServerManagerCmd.exe (deprecated in Server 2008 R2 in favour of the ServerManager PowerShell module)

    Term
    Schema
    Definition
    _____ is an Active Directory component that defines all the objects and attributes that the directory service uses to store data, and it includes a list of properties that can be used to describe the objects. You can think of it as a set of blueprints for each of the objects: a ______ definition for a user object can be used to create a user object.

    Term
    Objects
    Definition
    ______ are real-world items in Active Directory such as computers, users, printers and groups. These _______ can be managed with AD DS (Active Directory Domain Services). All _______ have properties that can be configured.

    Term
    Global Catalog
    Definition
    The ______ ______ is a listing of all objects in the entire forest. It is searchable and used by different applications to search AD Domain Services for specific objects. It is hosted on the domain controllers that are designated as ______ ______ servers. There is one per forest, but it can be held by any number of global catalog servers.
    Note: to prevent it from becoming too large, the properties are limited to a subset (the partial attribute set).
    Example: users may have 100 properties but only 10 are included.

    Term
    LDAP (Lightweight Directory Access Protocol)
    Definition
    Active Directory uses the _ _ _ _ distinguished name (DN) to uniquely identify each object within the directory.
    Note: CN = Common Name, the leaf component of a DN.
    Note: DS is Domain Services, which is not the same thing as DC, a Domain Controller.

    Term
    Operations master roles
    Definition
    The five _____ _____ roles are assigned automatically when the first domain controller in a given domain is created. Forest-wide ______ ______ roles must appear only once in every forest. Domain-wide ______ ______ roles must appear once in every domain in the forest.
    Every forest must have the following roles:
    - Schema master
    - Domain naming master
    Every domain in the forest must have the following roles:
    - Relative ID (RID) master
    - Primary domain controller (PDC) emulator master
    - Infrastructure master
    These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.

    Term
    Schema master
    Definition
    The ______ ______ domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the ______ ______. There can be only one in the entire forest.

    Term
    Domain naming master
    Definition
    One of the five operations master roles (forest-wide). The domain controller holding the ______ ______ ______ role controls the addition or removal of domains in the forest. There can be only one in the entire forest.

    Term
    RID master (Relative ID (RID) master)
    Definition
    One of the five operations master roles (domain-wide). The _____ master allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the _____ master in each domain in the forest.
    Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a (_ _ _), which is unique for each SID created in the domain.
    To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the (_ _ _) master of the domain that currently contains the object.
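    The domain-SID-plus-RID structure described in this card and in the earlier "How is a SID different from a RID" card, as an added PowerShell example (not code from the original cards). It relies only on the .NET SecurityIdentifier class, so it runs on any Windows machine with PowerShell; the sample SIDs are constructed values, not real accounts, and the two function names are part of the example.

```powershell
# Added example: split a SID into the domain SID and the RID, and classify the RID
# as a well-known one or one allocated from a RID-master block.

function Split-Sid {
    param([Parameter(Mandatory = $true)][string]$Sid)

    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # AccountDomainSid is $null for well-known SIDs such as S-1-5-18 (LocalSystem) or
    # S-1-1-0 (Everyone): they are not issued by a RID master and have no domain part.
    if ($s.AccountDomainSid -eq $null) {
        return New-Object PSObject -Property @{ Sid = $Sid; DomainSid = $null; Rid = $null; WellKnown = $true }
    }
    # The RID is the last sub-authority; everything before it is the domain SID.
    $rid = [int64]($Sid.Substring($Sid.LastIndexOf('-') + 1))
    New-Object PSObject -Property @{
        Sid       = $Sid
        DomainSid = $s.AccountDomainSid.Value
        Rid       = $rid
        WellKnown = $false
    }
}

function Test-SidKind {
    # RIDs below 1000 are reserved well-known relative IDs inside every domain
    # (500 = built-in Administrator, 512 = Domain Admins, 513 = Domain Users);
    # RIDs from 1000 upward come from the blocks the RID master allocates to each DC.
    param([Parameter(Mandatory = $true)][string]$Sid)
    $parts = Split-Sid $Sid
    if ($parts.WellKnown)        { return 'well-known (no domain part)' }
    elseif ($parts.Rid -lt 1000) { return 'well-known domain RID' }
    else                         { return 'RID-master allocated' }
}

# Constructed sample SIDs for demonstration only.
$samples = @(
    'S-1-5-21-1004336348-1177238915-682003330-512',   # Domain Admins of some domain
    'S-1-5-21-1004336348-1177238915-682003330-1106',  # an ordinary user in that domain
    'S-1-5-18'                                        # LocalSystem
)

foreach ($sid in $samples) {
    $p = Split-Sid $sid
    '{0,-48} domain={1,-42} rid={2,-6} {3}' -f $p.Sid, $p.DomainSid, $p.Rid, (Test-SidKind $sid)
}
# The same split for the account running the script:
Split-Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```

    The first two samples share the domain SID and differ only in the RID, which is exactly what makes a SID "relative": the RID master guarantees that the last component is never reused within the domain.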

    Term
    PDC emulator operations master
    Definition
    One of the five operations master roles (domain-wide). The PDC _____ ______ master receives password changes made on other domain controllers (they are forwarded to it immediately) and is consulted before a logon is rejected for a bad password, so a just-changed password works everywhere in the domain before normal replication completes. At any time, there can be only one domain controller acting as the ___ ______ master in each domain in the forest.
    The domain controller configured with the PDC ______ ______ master role supports two authentication protocols:
    - The Kerberos V5 protocol
    - The NTLM protocol
    Note: PDC = Primary Domain Controller

    Term
    Infrastructure master
    Definition
    One of the five operations master roles (domain-wide). At any time, there can be only one domain controller acting as the ______ ______ in each domain. The ______ ______ is responsible for updating references from objects in its domain to objects in other domains. The ______ ______ compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the ______ ______ finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
    The ______ ______ is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed.
    Note: do not place this role on a global catalog server unless every domain controller in the domain is a global catalog (or the forest has a single domain); otherwise it never detects stale references.

    Term
    OU (Organizational unit)
    Definition
    ______ ______ are used to organize objects within Active Directory. You can think of an _ _ simply as a container for the objects within AD.
    You can delegate permissions to an _ _ and you can link Group Policy to an _ _.

    Term
    Distribution group and Security group
    Definition
    Active Directory has two basic group types. They are:
    - ______ group
    - ______ group

    Term
    Distribution group
    Definition
    One of the two basic AD group types:
    A ______ ______ is used to group a number of objects together that will be addressed collectively. A mail server can present the ______ _____ to users as an email destination.

    Term
    Security group
    Definition
    One of the two basic AD group types:
    A ______ ______ is used to assign permissions or rights to an object or a set of objects. This allows AD to become not only your single authentication mechanism for your network but also your authorization mechanism.

    Term
    Domain local group
    Definition
    One of the three basic AD group scopes:
    A ______ _____ _____ is intended to be used only within the domain that it was created in. It can contain user/computer accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain.

    Term
    Global group
    Definition
    One of the three basic AD group scopes:
    This is the default scope when you create a group in AD. A _____ _____ can be used by computers within the domain that it is a member of and by members of other domains in the AD forest. It can contain user/computer accounts (and other global groups) only from the domain that the _____ _____ is created in.

    Term
    Universal group
    Definition
    One of the three basic AD group scopes:
    The membership of a ______ _____ is stored in the global catalog, so it is replicated to every global catalog server across the entire forest. That allows a ______ _____ not only to be used by all computers in the forest but also to contain members from any domain within the forest. Single-domain networks do not really need ______ _____s because there isn't much use for them. ______ _____s can contain user/computer accounts, global groups, and other ______ _____s from any domain in the forest.

    Term
    External trust (Nontransitive)
    Definition
    One of four domain trusts.
    ______ _____ are domain-to-domain trusts. If you want a domain in a forest to trust a domain outside the forest (an external domain), then you build an ______ _____.

    Term
    Shortcut trust (Transitive)
    Definition
    One of four domain trusts.
    ______ _____ speed up authentication. It is a transitive trust between two domains in the same domain tree or forest that shortens the trust path in a large and complex domain tree or forest.

    Term
    Forest trust (Transitive)
    Definition
    One of four domain trusts. A ______ _____ is a transitive trust between a forest root domain and a second forest root domain (both forests must be at the Windows Server 2003 forest functional level or higher). Once created as a two-way trust, every domain in the first forest trusts every domain in the second forest.

    Term
    Realm trust (Nontransitive)
    Definition
    _____ _____ allow trust relationships with Unix systems that use Kerberos for authentication. (What Microsoft calls domains, Unix calls realms.) A realm trust can be created as transitive or nontransitive.

    Term
    Transitive trust (Understanding Trust Transitivity)
    Definition
    ______ _____ determines whether a trust can be extended outside the two domains between which the trust was formed. You can use a ______ _____ to extend trust relationships with other domains. You can use a nontransitive trust to deny trust relationships with other domains.
    http://technet.microsoft.com/en-us/library/cc75412.aspx

    Term
    Forest
    Definition
    In accordance with DNS naming standards, Active Directory domains are created in an inverted tree structure.
    When it is necessary for domains in the same organization to have different namespaces, create a separate tree for each namespace. Two or more trees with different names make a forest.


Term

NAME RESOLUTION METHODS: Domain Name System (DNS)

Definition

NAME RESOLUTION METHOD
______ ______ ______ (___)
Preferred method for name resolution
Supports IPv4 and IPv6

Term

NAME RESOLUTION METHODS

Definition

Features:
- Enabled by default
- Supports most older versions of Windows
- Supports LMHOSTS local resolution
- Can use a WINS server
Drawbacks:
- Only supports IPv4
- Uses broadcasts
- 15 character maximum
- Local subnet only without WINS

Term

NAME RESOLUTION METHOD: LINK-LAYER MULTICAST NAME RESOLUTION (LLMNR)
Operating System Support
- Windows Vista and Windows 7
- Windows Server 2008 and R2

Definition

NAME RESOLUTION METHOD:
______ ______ ______ ______ (_____)
Drawbacks:
- Works within local subnet only
- Differences in behavior based on operating system
- No support for Windows XP, Windows Server 2003 and earlier


- Disabled via Group Policy
- IPv6 must be enabled
Features:
- Multicast
- IPv4 and IPv6 name resolution
- Low overhead
- Smaller attack surface
- Should be used before NetBIOS when both LLMNR and NetBIOS are available.

Term

FULLY QUALIFIED DOMAIN NAME (FQDN)

Definition

______ ______ ______ ______ (____)
References a host:
- Hostname
- Domain name
- Top Level Domain
- Can contain subdomains

Term

Steps 1-5 DNS Request Process

Definition

Step 1: Enter www.microsoft.com in your browser and hit enter.
Step 2: A DNS query is sent to the local resolver on the PC. The local resolver checks the local DNS cache.
Step 3: If there is no match in step 2, a query is sent to the primary DNS server if one is configured and it is available.
Step 4: The DNS server checks to see if it can authoritatively answer the query. This means: does the DNS server have a zone configured and a resource record that answers the query?
Step 5: If no match was found in step 4, the DNS server checks its local DNS cache.

Term

Recursion

Definition

______:
- Client sends a ______ request to a DNS server
- DNS server completes the query on behalf of the DNS client and sends the result back to the client.

Term

Iteration

Definition

______:
Used by a DNS server when contacting other DNS servers
- Receives a referral from one server and directly queries the server listed in the referral.
- One DNS server does most of the work


Term

Root Hints

Definition

______ ______
- Used during recursion
- Gives DNS a starting point
- Can be modified for private namespaces
- Stored in \Windows\System32\DNS\Cache.dns
- Loaded when the DNS service starts

Term

Steps 6-9 DNS Request Process

Definition

Step 6: Based on the configuration of the DNS server, a query is sent to a root server.
Step 7: The root server responds with a referral to a top level DNS server.
Step 8: The original DNS server that the query was first sent to takes the referral and sends a request to the top level DNS server. In this example, .com.
Step 9: The .com. DNS server sends a referral to the microsoft.com DNS server.

Term

Steps 10-12 DNS Request Process

Definition

Step 10: Again the original DNS server takes the referral and sends a query to the microsoft.com DNS server.
Step 11: Since the DNS server is authoritative for microsoft.com, it is able to respond with the Host resource record that contains the IP address for www.microsoft.com.
Step 12: The original DNS server responds to the client query with the IP address of www.microsoft.com.

Term

Forward and Reverse Lookup Zones

Definition

______ & ______ Lookup Zones
Forward Lookup
- Translates a name to an IP address
- Most commonly used zone type
Reverse Lookup
- Translates an IP address to a name
- Zone name ends with in-addr.arpa

Term

DNS Forwarders

Definition

DNS ______ forward a DNS query to another DNS server instead of using Root Hints.
Request process is:
- DNS server receives query
- DNS server checks locally hosted zones


- DNS server checks local server cache
- DNS server forwards query to the first DNS server listed on the ______ tab

Term

Conditional Forwarders

Definition

______ Forwarders:
- Forward queries for a specific domain name to specific DNS servers
- Often used to improve performance for DNS resolution of partner domain names and resources

Term

3 DNS Zone Types
Primary
Secondary
Stub

Definition

There are 3 DNS Zone Types

Term

Resource Records

Definition

______ ______ are:
Database entries used to answer queries
- SOA = Start of Authority
- NS = Name Server
- A or AAAA (HOST)
- PTR (Pointer)
- CNAME (Alias) = Canonical Name
- SRV (Service Locator)
- MX (Mail Exchanger)

Term

NAT

Definition

Network Address Translation

    AD Trees & Forests

    o You decide to create a trust relationship between Domain A and Domain B. Before

    you take any other actions, can users in Domain A use resources from Domain B yet?

    o No.

    A trust relationship only allows for the possibility of sharing resources between domains; it does not

    explicitly provide any permissions. In order to allow users to access resources in another domain, you

    must configure the appropriate permissions.

    o

    o Plans are to deploy four Active Directory domains with the following requirements:

    minimize the number of servers


    enough fault tolerance to survive the complete failure of one domain controller.

    What is the minimum number of domain controllers to deploy initially?

    o 8

    Two per domain for fault tolerance

    o

    o What server configurations can be directly promoted to become a domain controller

    for a new domain?

    o Member servers

    Stand-alone servers

    o

    o Server1: Schema Master

    Server2: RID Master

    Server3: Windows NT 4 BDC

    Server4: Infrastructure Master

    Server5: PDC Emulator Master

    Entire environment migrating to Windows Server 2008. Which Server not needed?

    o Server3: Windows NT 4 BDC

    o

    o Implicit trusts created between domains are known as ______

    o transitive trusts.

    o

    o Need to add a field to the properties of a User object. On what servers can the change be made?

    o The Schema Master is the only server within Active Directory on which changes to

    the schema can be made.

    o

    o What are several Active Directory domains that share a contiguous namespace

    called?

    o A tree

    o

    o Accidentally demoted the last domain controller of your ADTest.com domain.

    Want a complete undo. Possible?

    o Once the last domain controller in an environment has been removed, there is no way

    to recreate the same domain. If adequate backups had been performed, you may have been able to

    recover information by rebuilding the server.

    o

    o Items that depend on the DNS namespace are ....

    o Domains

    trees

    forests

    DNS zones


    o

    o Which types of computers contain a copy of the Global Catalog (GC)?

    o Specified Active Directory domain controllers

    o

    o Which pieces of information should you have before you use the Active Directory

    Installation Wizard to install a new subdomain?

    o name of the child domain

    name of the parent domain

    DNS configuration information

    NetBIOS name for the server

    o

    o Which type of trust is automatically created between the domains in a domain tree?

    o Transitive two-way

    o

    o A systems administrator wants to remove a domain controller from a domain. What is

    the easiest way to perform the task?

    o Use the Active Directory Installation Wizard to demote the domain controller.

    o

    o Regarding the sharing of resources between forests...

    o A trust relationship must exist before resources can be shared between forests.

    o

    o New remote location with very slow WAN link. Needs following specs:

    Fast logon times

    Reduced network bandwidth

    Ability to use existing hardware

    What can you implement to achieve the above requirements?

    o Universal group membership caching stores information locally once a user attempts

    to log on for the first time.

    o

    o Of the five main single master functions, two apply to an entire Active Directory forest.

    What are the three that apply to just the domain?

    o RID Master

    PDC Emulator Master

    Infrastructure Master

    o

    o When deploying Active Directory, you decide to create a new domain tree. What do

    you need to do to create this?

    o Promote a Windows Server 2008 computer to a domain controller and select the

    option that makes this domain controller the first machine in a new domain that is a child of an existing one.


    o

    o 7 Reasons for Using Multiple Domains

    o Scalability

    Reducing replication traffic

    Meeting business needs

    Hierarchy - easier data management

    Decentralized administration

    Multiple DNS or domain names

    Legality

    o

    o What are some of the Drawbacks of Multiple Domains?

    o Administrative inconsistency

    Increased management

    Decreased flexibility

    o

    o Min Requirements for DC numbers

    o 2 DCs per Domain

    o

    o Recommended Req's for DC numbers

    o 2 DCs per Site

    o

    o Reasons for adding extra DCs

    o Fault tolerance and reliability

    Performance

    o

    o Main requirement for joining a new domain to an existing forest

    o Domain does not share a namespace with the existing Active Directory domain.

    o

    o If you want to join a W2k8 server to an existing W2k3 Forest what do you need to do

    first?

    o Prepare the domain by running:

    adprep /forestprep

    adprep /domainprep

    o

    o What naming information do you need prior to joining a domain to a new tree?

    o name of the parent domain

    name of the child domain

    NetBIOS name for the new server


    o What other information (other than the 3 names) do you need prior to joining a

    domain to a new tree?

    o DNS configuration

    domain administrator username and password

    o

    o DcPromo option selected to create a new domain tree.

    o " makes this domain controller the first machine in a new domain that is a child of an

    existing domain"

    o


    o 3 Features common to all Domains in a Forest

    o Schema

    GC

    Configuration Info

    o

    o Type of trust between the Forest Root Domain and all the rest of the domains in the

    forest

    o 2-way Transitive

    o

    o How is a new Domain Tree created?

    o Created top down - forest root domain - then child domains

    o

    o How do you move a DC between domains?

    o 1. Demote it.

    2. Move it.

    3. Promote it

    o

    o True or False? A Trust grants all users in one domain access to the other domains.

    o False.

    Trust only provides the foundation.

    Rights must be granted to resources once Trust is established.

    o

    o What 2 features of AD do ALL Trees and Forests share?

    o Schema and

    Global Catalog

    o


    o What do you always have even if you only have 1 Domain?

    o A Tree and a Forest

    o

    o What do you need to ensure is done before you remove the last DC from a Domain?

    o Computers no longer log on to this domain

    No user accounts are needed

    All encrypted data is decrypted

    All cryptographic keys are backed up

    o

    o What are the 2 Forest Operation Master Roles?

    o Schema Master

    Domain Naming Master

    o

    o What tool is used to manage the Forest Operation Master roles?

    o AD Domains & Trusts

    o

    o What are the 3 Domain Operation master Roles?

    o RID Master

    PDC Emulator Master

    Infrastructure Master

    o

    o The Schema master holds ___

    o a master copy of the AD Schema

    o

    o Where can changes to the AD Schema be made?

    o Only on the Schema Master

    o

    o The Domain Naming Master __

    o tracks domains within the AD Forest

    o

    o What does the RID Master do?

    o Creates a unique RID for every AD object

    o

    o PDC Emulator is responsible for __

    o Maintaining backward compatibility with NT DCs - used only in Mixed Mode domains.

    o

    o In a Forest running at 2k Native or later what role does the PDC play?

    o Acts as default DC if another is not available


    o

    o The Infrastructure Master ensures

    o Ensures that group membership info stays current between DCs

    o

    o How do you assign the Domain Naming Master Role?

    o Open AD D&T

    AD D&T Properties

    Select Operations Master

    Click Change

    o

    o How do you assign all of the RID, PDC and Infrastructure Roles?

    o Open AD U&C

    right-click Domain

    Select Operation Masters

    Click Change

    o

    o What is a transitive trust?

    o Implied trusts.

    If domain A trusts domain B AND

    domain B trusts domain C THEN

    domain A trusts domain C

    o

    o What are External Trusts used for?

    o Used to provide access to an external domain (NT) that can't use forest trusts

    o

    o What type of trust are External Trusts?

    o Non-transitive and either 1-way or 2-way (manually created)

    o

    o On External Trusts, what is enabled by default to prevent hackers from using SID info to gain access?

    o Default SID filtering

    SID History cleaned of SID history attributes that are not members of the trusted domain.

    o

    o When is a Realm Trust used?

    o Used to connect to non-Windows domain using Kerberos

    o

    o What types of Realm Trusts are there?


    o Either Transitive or Non-Transitive

    And either 1-way or 2-way

    o

    o Where do you configure Trust Relationships?

    o AD D&T - Domain Properties - Trusts Tab

    o

    o What happens when Selective authentication is used with Cross Forest Trusts?

    o Users can't authenticate to a DC or resource server unless explicitly enabled

    o

    o What is a manually created Trust called?

    o Shortcut trusts

    o

    o What is a Cross Forest Trust used for?

    o To Share resources between forests

    o

    o What is the restriction on Cross Forest Trusts?

    o They cannot be Non-transitive.

    o

    o Where would you go to enable Selective Authentication?

    o Trust properties - Selective Authentication

    o

    o Where would you add a UPN suffix?

    o AD D&T - Properties - UPN Suffixes

    o


    o You need to add another Global Catalog server to an existing domain. Where would

    you go to do this?

    o AD S&S

    - DC

    - NTDS Settings Properties

    - GC Checkbox

    o

    o What happens when Universal Group Membership Caching is enabled on a W2k8

    DC?

    o 1. User logs on - Universal Groups cached from GC

    2. Next time user logs on - no need to contact GC


    o

    o The benefits of Universal Group Membership Caching are:

    o Faster logon times

    Reduced network bandwidth

    Ability to use existing hardware

    o

    o On a W2k8 DC how do you enable Universal Group Membership Caching?

    o AD S&S

    - Sites

    - Default-First-Site-Name

    - NTDS Settings - Properties

    - checkbox