2008 R2 ADS Vocabulary - Session 1 Flashcards

1
Q

Planning Active Directory Structure

A

In Windows Server 2008 R2, an Active Directory (AD) is used to store objects such as users, computers, and devices on a network and to organize these objects in a secure, hierarchical structure.

2
Q

Domain

A

A collection of computers and devices on a network that is controlled and managed as a unit, through common rules and procedures.

3
Q

Forest

A

A domain tree or a grouping of multiple domain trees, each with a unique namespace.

4
Q

Namespace

A

A defined zone in which each name is unique and can be resolved to a unique object.

5
Q

To create a new forest in a network,

A

you need to be a member of the Enterprise Admins group on the server. Additionally, you should ensure that the DNS infrastructure is planned in detail and know the full DNS name that must be assigned to the forest.

6
Q

Identifying the business requirements for a directory structure involves the following:

A
  • Identifying dependencies between the groups in an organization, in terms of accessing network resources
  • Determining whether each group wants to isolate its resources from other groups on the network
  • Determining the number of forests that need to be created in order to meet the organization’s demands
7
Q

Once you have identified business requirements and the needed number of forests, begin planning your domain design. You should first identify the following:

A

The factors that influence the domain design model, such as what resources are available and how extensive the network should be
The number of domains required in each forest, which is determined by the number of users, how frequently data changes across the network, and the speed of the links between the domains
Whether to upgrade the existing domains or deploy new ones

8
Q

To perform an unattended installation or removal of AD DS in Windows Server 2008 R2

A

you can use the dcpromo command.

9
Q

THE ACTIVE DIRECTORY MIGRATION TOOL

The Functions of the ADMT

A

The Active Directory Migration Tool (ADMT) enables you to easily move users, groups, and computers from one domain to another. For example, when upgrading your server operating system from Windows Server 2003 to Windows Server 2008 R2, you use the ADMT to migrate objects from the original domain to the new domain.
Remember that migrating resources involves moving them, rather than copying them, from a source domain to a target domain, and preserving or modifying characteristics of the objects to make them accessible in the new domain.

10
Q

ADMT features

Low Client Impact

A

The ADMT automatically installs client software on source clients.

11
Q

ADMT features

Migration of Security Settings

A

It migrates Security Identifier (SID) history attributes to a new domain, so that the security structure of the original domain is maintained.

12
Q

ADMT features

Restructuring domains in the AD environment can involve using two types of migration

A

Interforest Migration

Intraforest Migration

13
Q

ADMT features

Interforest Migration

A

Move resources between AD domains in different forests.

14
Q

ADMT features

Intraforest Migration

A

Move resources between AD domains in the same forest.

15
Q

ADMT features
The Migration Process
What tool should you use to keep SID history and passwords?

A

Before you can migrate resources from a Microsoft Windows NT 4.0, Windows Server 2000, or Windows Server 2003 domain to Windows Server 2008 R2 AD DS, you should install the Password Export Server (PES) service on a server in the source domain. This enables you to migrate passwords and SID history information. You first need to export the password key from the target domain.

16
Q

ADMT features

The ADMT Role

A

As a systems administrator, you should also develop a migration test plan to enable you to test the validity of the migration plan systematically.
Once you have done this, you can use the test plan and the ADMT to check the results of the planned migration in a test environment.

17
Q

The ADMT Reporting Wizard enables you to generate reports to assess the impact of a test migration. Each report is saved as a web page on the DC in the target domain, where the ADMT is installed. You can choose to generate the following reports:

A
  • Migrated User Accounts Report
  • Migrated Computer Accounts Report
  • Expired Accounts Report
  • Account References Report
  • Account Name Conflicts Report
18
Q

ADMT features
Upgrading an existing AD environment
What are the adprep commands?

A

Using forestprep and domainprep

19
Q

Using forestprep and domainprep

A

AD DS is responsible for authenticating computer and user accounts to ensure the core security of a network environment.

20
Q

In addition to providing a structure for AD replication, sites simplify the following:

A
  • Authentication
  • Service Location
  • Service Requests
21
Q

An AD site can contain

A

several domains, and a domain can contain several sites.

22
Q

You can define the physical sections of a network environment by using

A

subnets.

23
Q

A subnet object is

A

a collection of computers and systems that are typically located near each other and that form separate partitions of the network.

24
Q

A subnet can be compared to

A

a geographical area with several postal addresses that have the same postal code.

25
Q

A site is

A

a group of related subnets or well-connected IP subnets.

26
Q

DNS Configuration

The DNS resolves

A

resolves the host names of computers in a network into IP addresses, and vice versa.

27
Q

DNS also resolves

A

service locations, such as Active Directory's Kerberos and LDAP services, by using SRV records that point to multiple servers (domain controllers), whose names are then in turn resolved to their IP addresses.

28
Q

Once you have installed a new DNS server on a DC, you can configure it by doing the following:

A
  • Creating a forward or reverse lookup zone
  • Setting the types of updates it must allow
  • Specifying whether queries must be forwarded and to which servers
  • Creating root hints
29
Q

Operations Masters

Definition

A

To ensure consistency of the schema and to prevent conflicting updates to the AD database, AD employs Flexible Single Master Operations (FSMO) roles - or operations masters.

30
Q

AD assigns the following two operations master roles to a DC in each forest (by default to the first domain controller in the forest root domain):

A
  • Domain Naming Master (Note: must be placed on a domain controller serving the global catalog)
  • Schema Master
31
Q

AD assigns the following three operations master roles to a DC in each domain (by default to the first domain controller in each domain):

A
  • PDC Emulator
  • Infrastructure Master (Note: do not place the global catalog on a domain controller that hosts the domain's Infrastructure Master role unless all domain controllers in the domain are global catalog servers or the forest has only one domain.)
  • Relative Identifier (RID) Master
32
Q

You can change the default configuration of the operations master roles by doing the following:
Transferring Roles

A

If an operations master is available and functional on a network, you can transfer an operations master role by moving it from one DC to another.

33
Q

You can change the default configuration of the operations master roles by doing the following:
Seizing Roles

A

Seizing an operations master role involves assigning the role to another DC when the DC on which it is installed fails or is not available. You should only seize a role if the DC managing the role is permanently out of service.

34
Q

Trusts and Trust Relationships (Logical Topology)

Trust Types

A

Trust relationships are created between domains, and enable users in one domain to access the resources of another domain. Domain Admins group members can create and manage trust relationships.

35
Q

Once you have planned the required AD structure, you can begin creating it. Creating a new forest involves creating its first - or root - domain. There are three ways you can do this:

A

Using the Windows Interface
Using Unattended Installation parameters at the Command Line
Using an Answer File

36
Q

Creating a Forest or Domain

The easiest way to create a domain is to use the Windows interface. To create a domain, you must do the following:

A
  • Assign a static IP address to a Windows Server 2008 R2 server
  • Use a wizard to add the Active Directory Domain Services (AD DS) role to the server
  • Use a wizard to promote the server to a DC
37
Q

Creating an Answer File

A

If you do not want to use the Windows interface, you can create a new forest by creating and running an answer file. A text editor of your choice can be used to create this answer file.
Specify a password that will be used for an offline administrator account in Directory Service Restore Mode.
After creating an answer file, you save it on the installation server, to a network shared folder, or to removable media for distribution.
To run the answer file, you use the dcpromo utility with the /unattend option, followed by the path to the answer file in double quotation marks.

38
Q

You can add the DC that runs Windows Server 2008 R2 to an existing, non-Windows 2008 AD domain

A

by running the adprep /forestprep utility. You need to run this utility only once, on the DC that holds the schema master operations master role. This command may be run by administrators belonging to the Schema Admins, Enterprise Admins, and Domain Admins groups.

39
Q

Raising Functional Level

To enable Windows Server 2008 R2’s advanced AD DS features,

A

you raise the functional level of the forest and the domain to Windows Server 2008 R2. To do this, you should be a member of the Domain Admins or Enterprise Admins groups.
You cannot reverse a change that raises the domain functional level.

40
Q

Joining a Client to a Domain

After configuring a domain, you can add

A

add a client machine to the domain by configuring the client’s system properties

41
Q

INSTALL WINDOWS SERVER 2008 R2

Using Installation Media

A

You can choose to install Windows Server 2008 R2 using the installation DVD. This method requires you to be present to work through the Install Windows Wizard.

42
Q

Options for an Unattended Installation

An unattended installation of Windows Server 2008 R2 is

A

is one that does not require user input during the installation process, so you do not need to be physically present while installation of the server is in progress.

43
Q

Windows Deployment Services

A

(WDS)

44
Q

Windows Deployment Services (WDS) enables

A

you to deploy the WDS client and then automate the latter stages of Windows Setup. This two-stage approach is accomplished by using two unattend files.

45
Q

Windows Deployment Services (WDS)
WDS enables you to deploy the WDS client and then automate the latter stages of Windows Setup. This two-stage approach is accomplished by using the following two unattend files:

A
  • WDS Client Unattend File
  • Image Unattend File

46
Q

Using the AD single-domain model, you can delegate tasks to

A

administrators and ensure high-level administrative control.

47
Q

Advantages of the single-domain model

A
  • Simple administration
  • Simple troubleshooting
  • A single security boundary
48
Q

A multiple-domain model may be more suitable if there is

A

significant geographical distance between branches of an organization. In this case, using multiple domains can reduce traffic and limit maintenance delays.

49
Q

To prepare the existing network environment for integration with Windows Server 2008 and Server 2008 R2, use the following commands:

A

adprep /forestprep
adprep /domainprep
/gpprep
adprep /rodcprep

50
Q

adprep /forestprep

A

The adprep utility extends the AD schema and updates the necessary permissions to prepare a forest and a domain for a DC. It also prepares the Windows Server 2000 or Windows Server 2003 forest for a DC that runs Windows Server 2008 R2.

51
Q

adprep /domainprep

A

The adprep /domainprep command prepares the Windows Server 2000 or Windows Server 2003 domain for the DC that runs Windows Server 2008 R2.

52
Q

/gpprep

A

The /gpprep command, which you can run with the adprep /domainprep command, minimizes the replication traffic created by updating file system and AD permissions on the existing Group Policy Objects (GPOs).

53
Q

adprep /rodcprep

A

The adprep /rodcprep command sets up the domain for an RODC. To install a Windows Server 2008 R2 RODC, you must be a member of the Enterprise Admins group.

54
Q

Configuring the AD Physical Topology

A

Configuring the Global Catalog

55
Q

The global catalog

A

is an index of objects in AD DS.

56
Q

The global catalog is used to

A

to locate objects that are stored in other domains.

57
Q

Every object in the forest is partially referenced in the global catalog.

A

Only those aspects of each object that are commonly used - for instance when conducting a search - are referenced in the global catalog.

58
Q

The global catalog is used for the following purposes:

A
  • Validating the object references of other domains in the forest
  • Providing universal group membership information in a multiple-domain environment
  • Providing authentication for user principal names (UPNs)
  • Resolving UPNs and completing the logon process if a user logs on by using the UPN of a different DC
59
Q

When you install AD DS, the global catalog for a new forest is automatically

A

created on its first DC, which is the root of the forest.

60
Q

When planning the deployment of global catalogs, you must consider

A

the object replication needs of the network relative to network traffic flow.

61
Q

(UGMC)

A

Universal Group Membership Caching

62
Q

In a multi-domain environment where remote users have a local domain controller but only a remote global catalog, UGMC can be

A

enabled to avoid having to remotely contact the GC after the first logon.

63
Q

The user’s Universal Group memberships are cached and updated

A

automatically every 8 hours by the remote DC.

64
Q

Sites and Subnets

A site is

A

a logical representation of the physical topology - or structure - of an organization’s network.

65
Q

A site consists of

A

servers and other objects related to AD replication.

66
Q

The trust direction describes

A

describes the relationship between a trusting domain, which is the domain with the resources, and the trusted domain, which is the domain that requests the resources.

67
Q

A trust direction is defined by

A

by a trust path, which is a series of trust relationships that are followed by an authentication request between two domains.

68
Q

One-Way Trust

A

The access path between two different domains operates in one direction only.

69
Q

Two-Way Trust

A

Both domains trust each other, so access requests can travel in both directions.

70
Q

When you create a child domain, a two-way trust relationship is

A

is automatically established between the child domain and the parent domain.

71
Q

A trust relationship can be transitive. A transitive trust relationship can be

A

extended beyond the two domains in which it is formed. This is useful for establishing trust relationships with multiple domains.

72
Q

When a new domain is created in a forest in Windows Server 2008 R2, what trust is established by default?

A

A two-way, transitive trust relationship is created between the new domain and its parent domain by default.

73
Q

Four different types of trusts in Windows Server 2008 R2

A

External Trusts
Forest Trusts
Realm Trusts
Shortcut Trusts

74
Q

External Trusts

A

External trusts are nontransitive and can be used to create one-way or two-way trust relationships between two domains. This type of trust enables users to access resources that are stored on external domains located in separate forests. It also provides access to the resources present on a Windows NT domain.

75
Q

Forest Trusts

A

Forest trusts are transitive and can be used to create one-way or two-way trust relationships. A forest trust can be created between two forest root domains to enable users to share resources across different forests. If two forests have a two-way trust relationship between them, a request to access resources made by either forest is acknowledged by the other forest.

76
Q

Realm Trusts

A

Realm trusts can be transitive or nontransitive, and can be used to create one-way or two-way trust relationships.

77
Q

Shortcut Trusts

A

Shortcut trusts are transitive, and can be used to establish a one-way or two-way trust relationship between domains in a Windows Server 2008 R2 forest. They are useful when users belonging to a domain regularly log on to other domains within a forest. A shortcut trust makes the authentication process between domains faster and more efficient, especially if the domains are separated by two domain trees.

78
Q

AD Replication

A

Replication is managed on a per-partition basis; different portions of the Active Directory database replicate to different domain controllers in different ways.

79
Q

AD Replication

The schema partition

A

(the definition of all forest objects and attributes)

80
Q

AD Replication

configuration partition

A

(the map of the physical (sites and subnets) and logical (domains and trusts) Active Directory forest)

81
Q

The schema partition (the definition of all forest objects and attributes) and the configuration partition (the map of the physical (sites and subnets) and logical (domains and trusts) Active Directory forest)

A

replicate to all forest domain controllers.

82
Q

The domain database partition

A

(the users, groups, OUs, and other domain objects) is only replicated to the domain controllers of the same domain.

83
Q

Intra-site Replication

Is configured by what?

A

Intra-site replication is automatically configured by the Knowledge Consistency Checker (KCC) service and is performed as an activity-triggered process: when data changes, domain controllers automatically notify other domain controller partners in the same site of the change, and the other domain controllers can request to download that change.

84
Q

Inter-site Replication

A

Inter-site replication is configured manually by defining site objects (which contain the domain controller server objects) and subnet objects (so that clients can identify which site they are located in). Within each site an Intersite Topology Generator (ISTG) is automatically chosen, which identifies a Bridgehead server: the representative replication server for a directory partition. When possible, multiple partitions are replicated through the same Bridgehead server. If desired, an administrator can override automatic ISTG selection and choose the Bridgehead server for a site. However, the ISTG service will not provide failover if that server should go offline. Site objects are linked by site link objects, which define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost. If domains in a forest are not directly connected by sites in a site topology, they will by default use automatic site link bridging to replicate according to the cost and schedule defined by the intermediate site links of the sites between them. If this mapping is inconsistent with the actual routing topology, automatic site link bridging can be disabled and an explicit site link bridge can be manually created.

85
Q

site objects

A

(which contain the domain controller server objects) and subnet objects (so that clients can identify which site they are located in).

86
Q

(ISTG)

A

Intersite Topology Generator

87
Q

Bridgehead server,

A

which is the representative replication server for a directory partition.

88
Q

site link objects

A

which define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost.

89
Q

automatic site link bridging

A

If domains in a forest are not directly connected by sites in a site topology, they will by default use

90
Q

Forcing Replication

A
  • “Replicate Now” on the replication connection object in Active Directory Sites and Services console
  • Cmdline: repadmin.exe utility
91
Q

Read-Only Domain Controllers

A

the RODC.

92
Q

RODC.

A

It hosts read-only partitions of the database and provides security to data stored in that database.

93
Q

An RODC provides

A

improved security, faster logon times, and access to network resources that is more efficient.

94
Q

RODCs have the following features:

A

Support for a Read-Only Domain Name System (DNS)
Support for Administrator Role Separation
Unidirectional Replication with a Writable DC
Storage of a Read-Only AD DS Database
Support for Credential Caching
Creating an RODC Account
Connecting a Server Running AD DS to the RODC Account
RODC Operation
Role Separation and Read-Only DNS
Role Separation
Read-Only DNS

95
Q

Support for a Read-Only Domain Name System (DNS)

A

In response to a client request to update a DNS record, the RODC DNS server returns the address of another DNS server on a DC that is not read-only. This DC then performs the update and the RODC DNS server replicates the updated DNS record to other DCs. This replication is performed only for the updated DNS record, not for the domain data or the entire list of changed zones.

96
Q

Support for Administrator Role Separation

A

You can delegate local administrative permissions for an RODC to a domain user, without giving the user administrative permissions over the domain in which the RODC is installed. This enables a user to perform administrative operations such as installing software on the RODC and maintaining security.

97
Q

Unidirectional Replication with a Writable DC

A

Replication occurs only from the writable DC to the RODC. If data corruption or malicious changes are made at the remote location, they will not replicate to the rest of the domain or forest.

98
Q

Storage of a Read-Only AD DS Database

A

An RODC database includes all the AD attributes and objects that are stored in the database of a writable DC, except for account passwords.
Data stored in an RODC is read-only. Any changes must be made on a writable DC, which then replicates the updated data to the RODC database.

99
Q

Support for Credential Caching

A

An RODC stores only its local computer and KRBTGT account details, which are used for Kerberos authentication.
When a client requests authentication, the RODC forwards the request to a writable DC. The writable DC then determines if the credentials should be cached on the RODC. The credentials are then cached for future requests, enabling faster logon times and reducing bandwidth used for authentication.

100
Q

Installing an RODC in a domain involves two main steps:

A

Creating an RODC Account

Connecting a Server Running AD DS to the RODC Account

101
Q

Creating an RODC Account

A

To create an RODC account in AD DS, you need to be a member of the Domain Admins group. In addition to assigning an account name, you need to specify the site for which the account must be created.
You can also choose to specify the user or group authorized to perform the next installation step. If you do not do this, then only a member of the Enterprise Admins or Domain Admins groups will be able to complete the installation.

102
Q

Connecting a Server Running AD DS to the RODC Account

A

Once you have created an RODC account, you need to install AD DS on the server that will act as the RODC, and then link the server to the RODC account.
Domain data that must reside locally on the server, such as databases and log files, must be replicated to the RODC. One way of doing this is to use the Install From Media (IFM) feature to install the source files directly. Alternatively, you can replicate the source files to the RODC from any other DC over the network.

103
Q

RODC Operation

A

When a branch office user logs on, the RODC requests the user’s credentials from the hub site writable DC. The hub DC consults the RODC’s password replication policy and, if allowed, forwards the user’s credentials which are then stored in the RODC’s cache.

104
Q

Role separation

A

Allows the authorization of remote users and groups to perform specific administrative tasks through different roles without granting administrative permissions for the domain or other DCs.

105
Q

Read-Only DNS

A

Application directory partitions, including the ForestDNSZones and DomainDNSZones partitions, are replicated to the RODC. DNS updates are not written directly to the RODC.

106
Q

Installing an RODC in a Forest

Prerequisites:

A

An existing Windows Server 2008 R2 DC that contains the PDC emulator FSMO role.
An existing Windows Server 2008 R2 DC that contains the GC. The RODC forwards all replication requests to this server for authentication.
Domain and forest functional levels must be raised to Windows Server 2003 or higher. (Not 2008!)
The adprep /rodcprep command must be run to update permissions on all DNS application directory partitions. Enterprise Admins rights are required.

107
Q

Installing an RODC in a Forest

Installation:

A

The AD DS role must be added to the server using the Server Manager Roles Wizard. AD DS is installed using the Active Directory Domain Services Installation Wizard.

108
Q

DC Functional Level Server 2000

A

Universal groups
Group Nesting
Group Conversion
SID History (Security Identifier)

109
Q

DC Functional Level Server 2003

A

LastLogonTimeStamp
inetOrgPerson
Domain Controller Rename - netdom (has to be run on a DC)
Container Redirection
Authorization Manager
Constrained Delegation
Selective Authentication

110
Q

DC Functional Level Server 2008

A

SYSVOL Replication (DFS Replication, DFSR)
Advanced Encryption Standard (AES 128 and 256)
Last Interactive Logon
Fine-Grained Passwords
Access-Based Enumeration

111
Q

DC Functional Level 2008 R2

A

Authentication Mechanism Assurance

112
Q

Forest AD Features 2000 Native

A

Universal Group Caching

113
Q

Forest AD Features Server 2003

A

Forest Trusts
Domain Rename
RODC - Read-Only Domain Controllers
Linked Value Replication
User Object Conversion
Schema Modification
Dynamic Objects
Knowledge Consistency Checker
Group Sites

114
Q

Forest AD Features Server 2008

A

No new forest features

115
Q

Forest AD Features Server 2008 R2

A

Active Directory Recycle Bin

116
Q

Universal Groups

A

are enabled for both distribution groups and security groups

117
Q

Group Nesting

A

Groups can contain other groups

118
Q

Group Conversion

A

A security group can be converted to a distribution group and vice versa

119
Q

Security Identifier (SID) History

A

Active Directory users, computers and groups have an associated SID which is used during resource access. SID history allows a user's old SID to be used in an upgraded domain alongside the new SID - access to resources on the older system is therefore retained even though the user now has a new SID.

120
Q

LastLogonTimeStamp

A

This attribute is updated with the last logon time of the user or computer and is replicated throughout the domain.

121
Q

inetOrgPerson

A

the ability to set the userPassword attribute as the effective password on (the vocab word) and user objects

122
Q

Domain Controller Rename

A

netdom.exe can be used to rename domain controllers.

123
Q

Container Redirection

A

Allows you to direct new user and computer accounts to containers (organizational units) other than the default Users and Computers containers.

124
Q

Authorization Manager

A

Can store its authorization policies in AD DS

125
Q

Constrained Delegation

A

Can be used to restrict user credential delegation to specific destination services only.

126
Q

Selective Authentication

A

you can be specific about which users and groups from a trusted forest are allowed to authenticate to resources on servers in a trusting forest (lesson 4 module 1)

127
Q

SYSVOL Replication

A

DFS (DFGS) replication support provides more robust and detailed replication of (vocab word) contents

128
Q

Advanced Encryption System

A

DFS support for access-based enumeration (AES 128 and AES 256) and increased scalability

129
Q

Last Interactive Logon

A

Hosts the following information: the total number of failed logons, the total number of failed logon attempts after a successful logon, the time of the last failed logon attempt, and the time of the last successful logon attempt at a 2008 Server or Vista/Win 7 client

130
Q

Fine-Grained Passwords

A

Administrators can specify unique password and account lockout policies for users or groups in the domain.

131
Q

Access Base Enumeration

A

Presents a view of a DFS namespace to a user that shows only the folders in the namespace to which the user has at least read permission - folders that the user is not permitted to read remain hidden

132
Q

Universal Group Caching

A

at a remote location that do not have access to a global catalog

133
Q

Application Directory Partitions

A

Introduction of configurable replication of application partitions within Active Directory

134
Q

Forest Trusts

A

Allows you to establish inter forest trusts

135
Q

RODC - Read Only Domain Controller

A

A DC which hosts a read-only copy of the AD database and that can be strategically placed in a remote office to provide user authentication and group membership

136
Q

Linked Value Replication

A

Linked value replication replicates an individual group membership change rather than the entire multi-valued member attribute.

137
Q

User Object Conversion

A

The ability to convert an inetOrgPerson object instance into a User object instance and to complete the conversion in the opposite direction

138
Q

Schema Modifications

A

Allows an administrator to deactivate or alter schema object classes and attributes

139
Q

dynamicObjects

A

Used by developers and applications, the schema allows instances of the dynamic auxiliary class in domain directory partitions

140
Q

Knowledge Consistency Checker

A

Enables AD DS to support replication in forests with more than 100 sites

141
Q

Group Types

A

The introduction of application basic groups and LDAP query groups

142
Q

AD Recycle Bin

A

provides the ability to restore deleted objects in their entirety while (vocab word) is running

143
Q

Raise DC Level 2 things must be in place

A
1. member of Domain Admins or Enterprise Admins
2. PDC Emulator DC must be accessible

144
Q

Function Level on the Forest Level needs to be set on how many DC?

A

One Domain Controller, the new level will be replicated to each controller in the (vocab word).

145
Q

How to raise function level steps

A

Start, Administrative Tools, Active Directory Domains and Trusts, right-click on the domain, select Raise Domain Functional Level and choose the level - same for the forest, but choose the Raise Forest Functional Level option

146
Q

ADS has to be extended to support the inclusion of a (_____________) DC

A

2008 R2

147
Q

Adprep.exe

A

extends the active directory schema to support upgraded server installation

148
Q

where is adprep.exe found?

A
1. 2008 installation disk in \sources\adprep
2. 2008 R2 installation disk in \support\adprep (32-bit and 64-bit versions)
149
Q

adprep.exe must be executed from an

A

elevated command prompt

150
Q

adprep.exe parameters are used to complete the following tasks:

A
Updating the Active Directory schema
Updating security descriptors
Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
Creating new objects as required
Creating new containers as required
151
Q

adprep commands

A

adprep /forestprep
adprep /domainprep
adprep /domainprep /gpprep
adprep /rodcprep

152
Q

adprep /forestprep

A

prepares a forest for the introduction of a DC that runs Server 2008 or 2008 R2. The command is run on the DC that hosts the Schema Master role.

153
Q

adprep /domainprep

A

prepares a domain for the introduction of a DC that runs 2008 or 2008 R2. The command should be run after the forestprep command is complete and after the changes have replicated to all the domain controllers in the forest. The command should be run in each domain where you plan to add a DC that runs 2008 or R2. You must run this command on the DC that hosts the domain’s infrastructure master role

154
Q

adprep /domainprep /gpprep

A

Similar to the /domainprep command but adds only the inheritable access control entries (ACEs) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give enterprise domain controllers read access permissions on GPOs - these permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy. The command must be run on the domain controller that hosts the domain’s infrastructure master role.

155
Q

adprep /rodcprep

A

Updates permissions on application directory partitions (including DNS services) to enable replication of the partitions to Read Only Domain Controllers (RODCs) - the operation runs remotely and contacts the domain controller hosting the infrastructure master in each domain to update the permissions. The command can be run from any domain controller.

156
Q

If you are adding a RODC to the forest

A

run adprep /rodcprep immediately after running the adprep /forestprep command; both must be run on the DC with the Schema and Infrastructure Master roles running

157
Q

Adprep /rodcprep can run from

A

any computer, runs remotely but it must be able to contact the forest’s domain naming master to obtain a list of forest application directory partitions. It then must contact the infrastructure master in each domain for each of the application directory partitions. If an infrastructure master is unavailable, the (vocab word) command will fail and you must rerun until success is achieved.

158
Q

Need to find what computer hosts the various operation master roles

A

using an elevated command prompt on a computer with the netdom.exe tool installed (usually a DC), type the query and then press the Enter key

i.e.: c:\netdom query fsmo

159
Q

ADMT is a free tool used to

A

move or migrate user accounts, groups, computers and other Active Directory objects between Active Directory domains and forests.

160
Q

ADMT V3.0

A

Windows NT 4.0 and Active Directory forest domains.

161
Q

ADMT V3.2

A

used to migrate 2003, 2008, 2008 R2 forest Domains

162
Q

ADMT has these features

A

Preservation of object SID Histories
Can migrate computer accounts, including domain controllers
Can migrate user accounts/profiles
Accommodates the use of a SQL database to host migration data
Accommodates pre-testing before commitment
Provides a measure of rollback
Migration is secured using encryption

163
Q

ADMT v3.2 Forest Migration capabilities

A

can be performed between domains in the same forest - intra-forest migration - or between domains in different forests - inter-forest migration. During inter-forest restructuring or migration, the source domain remains intact - migrated objects are copied, while both domains remain operational during restructuring.

164
Q

ADMT v3.2 provides wizards that automate migration tasks

A

user, group, service account and computer migrations. The console provides a convenient interface, or you can use the command line interface using the admt.exe utility and parameters, or include text files containing lines of migration options and parameters.

165
Q

ADMT v3.2 allows you to test, simulate migration

A

provides analysis reports and log files which can be used to iron out any issues prior to any final migration.

166
Q

SIDs

A

every security principal (user, group, computer, etc.) in an AD domain has an associated security identifier that is unique to a domain. When a user attempts to access an Active Directory resource, for example a file, the Access Control List (ACL) for the file checks its Access Control Entries (ACEs) to check the level of access the associated SID has for the resource, or whether the SID is denied access to the resource. When a security principal is deleted, the associated SID is never reassigned and remains unused.

167
Q

ACLs

A

All Active Directory resources have an associated ACL, which maintains a list of access control entries (ACEs) that link specific resource permissions with the SID of an Active Directory Security Principal - user, group, computer, etc - the ACE entries can include the extent of an allow permission or deny permission

168
Q

sIDHistory

A

in addition to the SID attribute, an AD security principal also has an associated sIDHistory attribute which maintains a list of previously held SIDs. If a user is moved from one domain to another, a new principal SID is defined for the user and the old domain SID is added to the sIDHistory attribute. When a user attempts to access a system resource in the source domain, both the new SID and any older SIDs are used when mapping permissions on the resource ACE list of the source domain - by doing this, the user maintains access levels to any resource in the new domain, while at the same time retaining access to resources in the source domain.

169
Q

ADMT Tool also includes Security Translation Wizard

A

this allows you to replace the original SID of a migrated security principal with the new SID on the ACEs of all resources in the original source domain - this achieves the same effect as the sIDHistory attribute. In general, sIDHistory is used to maintain access and functionality during migration and the security translation is then performed to complete the process

170
Q

ADMT Security Translation Wizard can translate:

A
File and folder permissions
Printer Permissions
Share Permissions
Registry Permissions
User Rights
Group Membership
171
Q

adprep is run on

A

legacy machines - the older machines

172
Q

dcpromo is used for

A

to demote a domain controller and to remove active directory

173
Q

RODC can be installed on forest operating at a forest functional level of

A

Server 2003 or better

174
Q

Server Core is a fully functional version of Windows Server which is characterized by a reduced set of

A

server roles and features and a non-GUI management interface. Server Core is designed to improve security, operate on reduced hardware resources and is managed via command line utilities and Windows PowerShell, but it can be managed from the GUI of a remote server

175
Q

Shortcut Trust

A

is deployed to minimize response latency for users requiring frequent authentication or resource access on a domain which is either deeply nested or at the end of a slow communications link. A shortcut trust can be configured as a one-way trust

176
Q

Forest Trust

A

a forest defines the security boundary of an Active Directory implementation; a forest trust allows you to establish a two-way transitive trust between forests. Forest trusts were introduced in Server 2003 and both forests must be operating at this functional level or higher to avail of forest trusts. The forest trust establishes transitive trust between all domains in each forest - the trust can be defined as one-way incoming, one-way outgoing or two-way. UPNs can be used for authentication in either forest.

177
Q

External Trust

A

are deployed to establish a one-way trust between a 2000 domain and a 2008 R2 domain, or between two individual 2008 R2 Active Directory domains in separate forests - typically a business partner or project collaboration partner.

178
Q

Realm

A

allows trust between Windows 2008 R2 Active Directory and a Unix platform

179
Q

UPN

A

User Principal Names - are stored in the global catalog and are deployed to avoid the use of multiple user domain logons. Using a UPN logon, a user can log on to any domain or DC within a forest.