2008 R2 ADS Vocabulary - Session 1

Question 1

Planning Active Directory Structure

Answer 1

In Windows Server 2008 R2, an Active Directory (AD) is used to store objects such as users, computers, and devices on a network and to organize these objects in a secure, hierarchical structure.

Question 2

Domain

Answer 2

A collection of computers and devices on a network that is controlled and managed as a unit, through common rules and procedures.

Question 3

Forest

Answer 3

A domain tree or a grouping of multiple domain trees, each with a unique namespace.

Question 4

Namespace

Answer 4

A defined zone in which each name is unique and can be resolved to a unique object.

Question 5

To create a new forest in a network,

Answer 5

you need to be a member of the Enterprise Admins group on the server. Additionally, you should ensure that the DNS infrastructure is planned in detail and know the full DNS name that must be assigned to the forest.

Question 6

Identifying the business requirements for a directory structure involves the following:

Answer 6

• Identifying dependencies between the groups in an organization, in terms of accessing network resources
• Determining whether each group wants to isolate its resources from other groups on the network
• Determining the number of forests that need to be created in order to meet the organization’s demands

Question 7

Once you have identified business requirements and the needed number of forests, begin planning your domain design. You should first identify the following:

Answer 7

The factors that influence the domain design model, such as what resources are available and how extensive the network should be
The number of domains required in each forest, which is determined by the number of users, how frequently data changes across the network, and the speed of the links between the domains
Whether to upgrade the existing domains or deploy new ones

Question 8

To perform an unattended installation or removal of AD DS in Windows Server 2008 R2

Answer 8

you can use the dcpromo command.

Question 9

THE ACTIVE DIRECTORY MIGRATION TOOL

The Functions of the ADMT

Answer 9

The Active Directory Migration Tool (ADMT) enables you to easily move users, groups, and computers from one domain to another. For example, when upgrading your server operating system from Windows Server 2003 to Windows Server 2008 R2, you use the ADMT to migrate objects from the original domain to the new domain.
Remember that migrating resources involves moving them, rather than copying them, from a source domain to a target domain, and preserving or modifying characteristics of the objects to make them accessible in the new domain.

Question 10

ADMT features

Low Client Impact

Answer 10

The ADMT automatically installs client software on source clients.

Question 11

ADMT features

Migration of Security Settings

Answer 11

It migrates Security Identifier (SID) history attributes to a new domain, so that the security structure of the original domain is maintained.

Question 12

ADMT features

Restructuring domains in the AD environment can involve using two types of migration

Answer 12

Interforest Migration

Intraforest Migration

Question 13

ADMT features

Interforest Migration

Answer 13

Move resources between AD domains in different forests.

Question 14

ADMT features

Intraforest Migration

Answer 14

Move resources between AD domains in the same forest.

Question 15

ADMT features
The Migration Process
What tool should you use to keep sid history and passwords

Answer 15

Before you can migrate resources from a Microsoft Windows NT 4.0, Server 2000, or Server 2003 domain to Windows Server 2008 R2 AD DS, you should install the Password Expert Server (PES) service on a server in the source domain. This enables you to migrate passwords and SID history information. You first need to export the password key from the target domain.

Question 16

ADMT features

The ADMT Role

Answer 16

As a systems administrator, you should also develop a migration test plan to enable you to test the validity of the migration plan systematically.
Once you have done this, you can use the test plan and the ADMT to check the results of the planned migration in a test environment.

Question 17

The ADMT Reporting Wizard enables you to generate reports to assess the impact of a test migration. Each report is saved as a web page on the DC in the target domain, where the ADMT is installed. You can choose to generate the following reports:

Answer 17

• Migrated User Accounts Report
• Migrated Computer Accounts Report
• Expired Accounts Report
• Account References Report
• Account Name Conflicts Report

Question 18

ADMT features
Upgrading an existing AD environment
What are the adprep commands

Answer 18

Using forestprep and domainprep

Question 19

Using forestprep and domainprep

Answer 19

AD DS are responsible for authenticating computer and user accounts to ensure the core security of a network environment.

Question 20

In addition to providing a structure for AD replication, sites simplify the following:

Answer 20

• Authentication
• Service Location
• Service Requests

Question 21

An AD site can contain

Answer 21

several domains, and a domain can contain several sites.

Question 22

You can define the physical sections of a network environment by using

Answer 22

subnets.

Question 23

A subnet object is

Answer 23

a collection of computers and systems that are typically located near each other and that form separate partitions of the network.

Question 24

A subnet can be compared to

Answer 24

a geographical area with several postal addresses that have the same postal code.

Question 25

A site is

Answer 25

a group of related subnets or well-connected IP subnets.

Question 26

DNS Configuration

The DNS resolves

Answer 26

resolves the host names of computers in a network into IP addresses, and vice versa.

Question 27

DNS also resolves

Answer 27

Services, such as Active Directory’s Kerberos and LDAP services, using SRV records to multiple servers (domain controllers) which are then in turn resolved to their IP addresses.

Question 28

Once you have installed a new DNS server on a DC, you can configure it by doing the following:

Answer 28

• Creating a forward or reverse lookup zone
• Setting the types of updates it must allow
• Specifying whether queries must be forwarded and to which servers
• Creating root hints

Question 29

Operations Masters

Definition

Answer 29

To ensure consistency of the schema and to prevent conflicting updates into the AD database, AD employs the Flexible Single Master Operations (FSMO) role - or operations master.

Question 30

AD assigns the following two operations master roles to a DC in each forest (by default to the first domain controller in the forest root domain):

Answer 30

• Domain Naming Master (Note: must be placed on a domain controller serving the global catalog)
• Schema Master

Question 31

AD assigns the following three operations master roles to a DC in each domain (by default to the first domain controller in each domain):

Answer 31

• PDC Emulator
• Infrastructure Master (Note: do not place the global catalog on a domain controller that hosts the domains Infrastructure master role unless all domain controllers in the domain are global catalog servers or the forest has only one domain.)
• Relative Identifier (RID) Master

Question 32

You can change the default configuration of the operations master roles by doing the following:
Transferring Roles

Answer 32

If an operations master is available and functional on a network, you can transfer an operations master role by moving it from one DC to another.

Question 33

You can change the default configuration of the operations master roles by doing the following:
Seizing Roles

Answer 33

Seizing an operations master role involves assigning the role to another DC when the DC on which it is installed fails or is not available. You should only seize a role if the DC managing the role is permanently out of service.

Question 34

Trusts and Trust Relationships (Logical Topology)

Trust Types

Answer 34

Trust relationships are created between domains, and enable users in one domain to access the resources of another domain. Domain Admins group members can create and manage trust relationships.

Question 35

Once you have planned the required AD structure, you can begin creating it. Creating a new forest involves creating its first - or root - domain. There are three ways you can do this:

Answer 35

Using the Windows Interface
Using Unattended Installation parameters at the Command Line
Using an Answer File

Question 36

Creating a Forest or Domain

The easiest way to create a domain is to use the Windows interface. To create a domain, you must do the following:

Answer 36

• Assign a static IP address to a Windows Server 2008 R2 server
• Use a wizard to add the Active Directory Domain Services (AD DS) role to the server
• Use a wizard to promote the server to a DC

Question 37

Creating an Answer File

Answer 37

If you do not want to use the Windows interface, you can create a new forest by creating and running an answer file. A text editor of your choice can be used to create this answer file.
Specify a password that will be used for an offline administrator account in Directory Service Restore Mode.
After creating an answer file, you save it on the installation server, to a network shared folder, or to removable media for distribution.
To run the answer file, you use the dcpromo utility with the /unattend option, followed by the path to the answer file in double quotation marks.

Question 38

You can add the DC that runs Windows Server 2008 R2 to an existing, non-Windows 2008 AD domain

Answer 38

by running the adprep /forestprep utility. You need to run this utility only once on the DC that holds the schema master operations master role. This command may be run by administrators belonging to the SchemaAdmin, EnterpriseAdmin, and Domain Admins groups.

Question 39

Raising Functional Level

To enable Windows Server 2008 R2’s advanced AD DS features,

Answer 39

, you raise the functional level of the forest and the domain to Windows Server 2008 R2. To do this, you should be a member of the Domain Admins or Enterprise Admins groups.
You cannot reverse a change that raises the domain functional level.

Question 40

Joining a Client to a Domain

After configuring a domain, you can add

Answer 40

add a client machine to the domain by configuring the client’s system properties

Question 41

INSTALL WINDOWS SERVER 2008 R2

Using Installation Media

Answer 41

You can choose to install Windows Server 2008 R2 using the installation DVD. This method requires you to be present to work through the Install Windows Wizard.

Question 42

Options for an Unattended Installation

An unattended installation of Windows Server 2008 R2 is

Answer 42

is one that does not require user input during the installation process. So you do not need to be physically present while installation of the server is in progress.

Question 43

Windows Deployment Services

Answer 43

(WDS)

Question 44

Windows Deployment Services (WDS) enables

Answer 44

you to deploy the WDS client and then automate the latter stages of the Windows Setup. This two-stage approach is accomplished by using the following two unattend files

Question 45

Windows Deployment Services (WDS)
WDS client and then automate the latter stages of the Windows Setup. This two-stage approach is accomplished by using the following two unattend files:

Answer 45

• WDS Client Unattend File

* Image Unattend File

Question 46

Using the AD single-domain model, you can delegate tasks to

Answer 46

administrators and ensure high-level administrative control.

Question 47

Advantages of the single-domain model

Answer 47

• Simple administration
• Simple troubleshooting
• A single security boundary

Question 48

A multiple-domain model may be more suitable if there is

Answer 48

significant geographical distance between branches of an organization. In this case, using multiple domains can reduce traffic and limit maintenance delays.

Question 49

To prepare the existing network environment for integration with Windows Server 2008 and Server 2008 R2, use the following commands:

Answer 49

adprep /forestprep
adprep /domainprep
/gpprep
adprep /rodcprep

Question 50

adprep /forestprep

Answer 50

The adprep utility extends the AD schema and updates the necessary permissions to prepare a forest and a domain for a DC. It also prepares the Windows Server 2000 or Windows Server 2003 forest for a DC that runs Windows Server 2008 R2.

Question 51

adprep /domainprep

Answer 51

The adprep /domainprep command prepares the Windows Server 2000 or Windows Server 2003 domain for the DC that runs Windows Server 2008 R2.

Question 52

/gpprep

Answer 52

The /gpprep command, which you can run with the adprep /domainprep command, minimizes the replication traffic created by updating file system and AD permissions on the existing Group Policy Objects (GPOs).

Question 53

adprep /rodcprep

Answer 53

The adprep /rodcprep command sets up the domain for an RODC. To install a Windows Server 2008 R2 RODC, you must be a member of the Enterprise Admins group.

Question 54

Configuring the AD Physical Topology

Answer 54

Configuring the Global Catalog

Question 55

The global catalog

Answer 55

is an index of objects in AD DS.

Question 56

The global catalog is used to

Answer 56

to locate objects that are stored in other domains.

Question 57

Every object in the forest is partially referenced in the global catalog.

Answer 57

Only those aspects of each object that are commonly used - for instance when conducting a search - are referenced in the global catalog.

Question 58

The global catalog is used for the following purposes:

Answer 58

• Validating the object references of other domains in the forest
• Providing universal group membership information in a multiple-domain environment
• Providing authentication for user principal names (UPNs)
• Resolving UPNs and completing the logon process if a user logs on by using the UPN of a different DC

Question 59

When you install AD DS, the global catalog for a new forest is automatically

Answer 59

created on its first DC, which is the root of the forest.

Question 60

When planning the deployment of global catalogs, you must consider

Answer 60

the object replication needs of the network relative to network traffic flow.

Question 61

(UGMC)

Answer 61

Universal Group Membership Caching

Question 62

In a multi-domain environment with remote users with a local domain controller and a remote global catalog, UGMC can be enabled

Answer 62

enabled to avoid having to remotely contact the GC after the first logon.

Question 63

The user’s Universal Group memberships are cached and updated

Answer 63

automatically every 8 hours by the remote DC.

Question 64

Sites and Subnets

A site is

Answer 64

a logical representation of the physical topology - or structure - of an organization’s network.

Question 65

A site consists of

Answer 65

servers and other objects related to AD replication.

Question 66

The trust direction describes

Answer 66

describes the relationship between a trusting domain, which is the domain with the resources, and the trusted domain, which is the domain that requests the resources.

Question 67

A trust direction is defined by

Answer 67

by a trust path, which is a series of trust relationships that are followed by an authentication request between two domains.

Question 68

One-Way Trust

Answer 68

The access path between two different domains operates in one direction only.

Question 69

Two-Way Trust

Answer 69

Both domains trust each other, so access requests can travel in both directions.

Question 70

When you create a child domain, a two-way trust relationship is

Answer 70

is automatically established between the child domain and the parent domain.

Question 71

A trust relationship can be transitive. A transitive trust relationship can be

Answer 71

extended beyond the two domains in which it is formed. This is useful for establishing trust relationships with multiple domains.

Question 72

When a new domain is created in a forest in Windows Server 2008 R2, what trust is established by default?

Answer 72

a two-way, transitive trust relationship is created between the new domain and its parent domain by default.

Question 73

Four different types of trusts in Windows Server 2008 R2

Answer 73

External Trusts
Forest Trusts
Realm Trusts
Shortcut Trusts

Question 74

External Trusts

Answer 74

Extern& trusts are nontransitive and can be used to create one-way or two-way trust relationships between two domains. This type of trust enables users to access resources that are stored on external domains located in separate forests. It also provides access to the resources present on a Windows NT domain.

Question 75

Forest Trusts

Answer 75

Forest trusts are transitive and can be used to create one-way or two-way trust relationships. A forest trust can be created between two forest root domains to enable users to share resources across different forests. If two forests have a two-way trust relationship between them, a request to access resources made by either forest is acknowledged by the other forest.

Question 76

Realm Trusts

Answer 76

Realm trusts can be transitive or nontransitive, and can be used to create one-way or two-way trust relationships.

Question 77

Shortcut Trusts

Answer 77

Shortcut trusts are transitive, and can be used to establish a one-way or two-way trust relationship between domains in a Windows Server 2008 R2 forest. Useful when users belonging to a domain regularly log on to other domains within a forest. It makes the authentication process between domains faster and more efficient, especially if the domains are separated by two domain trees.

Question 78

AD Replication

Answer 78

Replication is managed on a per-partition basis; portions of active directory replicate to different domain controllers differently.

Question 79

AD Replication

The schema partition

Answer 79

(the definition of all forest objects and attributes)

Question 80

AD Replication

configuration partition

Answer 80

(the map of the physical (sites and subnets) and logic& (domains and trusts) active directory forest)

Question 81

The schema partition (the definition of all forest objects and attributes) and the configuration partition (the map of the physical (sites and subnets) and logic& (domains and trusts) active directory forest)

Answer 81

) replicate to all forest domain controllers.

Question 82

The domain database partition

Answer 82

(the users, groups, OUs, and other domain objects) is only replicated to the domain controllers of the same domain.

Question 83

Intra-site Replication

Is checked by what?

Answer 83

Intra-site replication is automatically configured by the Knowledge Consistency Checker (KCC) service and is performed as an activity-triggered process: when data changes, domain controllers automatically notify other domain controller partners in the same site of the change, and the other domain controllers can request to download that change.

Question 84

Inter-site Replication

Answer 84

Inter-site replication is configured manually be defining site objects (which contain the domain controller server objects and subnet objects (so that clients can identify which site they are located in). Within each site an Intersite Topology Generator (ISTG) is automatically chosen which identifies a Bridgehead server, which is the representative replication server for a directory partition. When possible, multiple partitions are replicated through the same Bridgehead server. If desired, an administrator can override automatic ISTG selection and choose the Bridgehead server for a site. However, the ISTG service will not provide failover if that server should go offline. Site objects are linked by site links objects, which

define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost. If domains in a forest are not directly connected by sites in a site topology they will by default use automatic site link bridging to replicate according to the cost and schedule defined by the intermediate site links of the sites between them. If this mapping is inconsistent with the actual routing topology automatic site link bridging can be disabled and an explicit site link bridge can be manually created.

Question 85

site objects

Answer 85

(which contain the domain controller server objects and subnet objects (so that clients can identify which site they are located in).

Question 86

(ISTG)

Answer 86

Intersite Topology Generator

Question 87

Bridgehead server,

Answer 87

which is the representative replication server for a directory partition.

Question 88

site links objects

Answer 88

which

define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost.

Question 89

automatic site link bridging

Answer 89

If domains in a forest are not directly connected by sites in a site topology they will by default use

Question 90

Forcing Replication

Answer 90

• “Replicate Now” on the replication connection object in Active Directory Sites and Services console
• Cmdline: repadmin.exe utility

Question 91

Read-Only Domain Controllers

Answer 91

the RODC.

Question 92

RODC.

Answer 92

. It hosts read-only partitions of the database and provides security to data stored in that database.

Question 93

An RODC provides

Answer 93

improved security, faster logon times, and access to network resources that is more efficient.

Question 94

RODCs have the following features:

Answer 94

Support for a Read-Only Domain Name System (DNS)
Support for Administrator Role Separation
Unidirectional Replication with a Writable DC
Storage of a Read-Only AD DS Database
Support for Credential Caching
Creating an RODC Account
Connecting a Server Running AD DS to the RODC Account
RODC Operation
Role Separation and Read-Only DNS Role separation
Read-Only DNS

Question 95

Support for a Read-Only Domain Name System (DNS)

Answer 95

In response to a client request to update a DNS record, the RODC DNS server returns the address of another DNS server on a DC that is not read-only. This DC then performs the update and the RODC DNS server replicates the updated DNS record to other DCs. This replication is performed only for the updated DNS record, not for the domain data or the entire list of changed zones.

Question 96

Support for Administrator Role Separation

Answer 96

You can delegate local administrative permissions for an RODC to a domain user, without giving the user administrative permissions over the domain in which the RODC is installed. This enables a user to perform administrative operations such as installing software on the RODC and maintaining security.

Question 97

Unidirectional Replication with a Writable DC

Answer 97

Replication occurs only from the writable DC to the RODC. If data corruption or malicious changes are made at the remote location, they will not replicate the rest of the domain or forest.

Question 98

Storage of a Read-Only AD DS Database

Answer 98

An RODC database includes all the AD attributes and objects that are stored in the database of a writable DC but for account passwords.
Data stored in an RODC is read-only. Any changes must be made on a writable DC, which then replicates the updated data to the RODC database.

Question 99

Support for Credential Caching

Answer 99

An RODC stores only its local computer and KRBTGT account details, which is used for Kerberos authentication.
When a client requests authentication, the RODC forwards the request to a writable DC. The writable DC then determines if the credentials should be cached on the RODC. The credentials are then cached for future requests, enabling faster logon times and reducing bandwidth used for authentication.

Question 100

Installing an RODC in a domain involves two main steps:

Answer 100

Creating an RODC Account

Connecting a Server Running AD DS to the RODC Account

Question 101

Creating an RODC Account

Answer 101

To create an RODC account in AD DS, you need to be a member of the Domain Administrators group. In addition to assigning an account name, you need to specify the site for which the account must be created.
You can also choose to specify the user or group authorized to perform the next installation step. If you do not do this, then only a member of the Enterprise Admins or Domain Admins groups will be able to complete the installation.

Question 102

Connecting a Server Running AD DS to the RODC Account

Answer 102

Once you have created an RODC account, you need to install AD DS on the server that will act as the RODC, and then link the server to the RODC account.
Domain data that must reside locally on the server, such as databases and log files, must be replicated to the RODC. One way of doing this is to use the Install From Media (IFM) feature to install the source files directly. Alternatively, you can replicate the source files to the RODC from any other DC over the network.

Question 103

RODC Operation

Answer 103

When a branch office user logs on, the RODC requests the user’s credentials from the hub site writable DC. The hub DC consults the RODC’s password replication policy and, if allowed, forwards the user’s credentials which are then stored in the RODC’s cache.

Question 104

Role separation

Answer 104

Allows the authorization of remote users and groups to perform specific administrative tasks through different roles without granting administrative permissions for the domain or other DCs.

Question 105

Read-Only DNS

Answer 105

Application directory partitions, including ForestDNSZones and DomainDNSZones partitions are replicated to the RODC. DNS updates are not written directly to the RODC.

Question 106

Installing an RODC in a Forest

Prerequisites:

Answer 106

An existing Windows Server 2008 R2 DC that contains the PDC emulator FSMO role.
An existing Windows Server 2008 R2 DC that contains the GC. The RODC forwards all replication requests to this server for authentication.
Domain and forest functional levels must be raised to windows server 2003 or higher. (Not 2008!)
Adprep /rodcprep command must be run to update permissions on all DNS application directory partitions. Enterprise admins rights are required.

Question 107

Installing an RODC in a Forest

Installation:

Answer 107

The AD DS role must be added to the server using the Server Manager Roles Wizard. AD DS is installed using the Active Directory Domain Services Installation Wizard.

Question 108

DC Function Level Server 2000

Answer 108

Universal groups
Group Nesting
Group Conversion
SID History (Security Identifier)

Question 109

DC Function Level Server 2003

Answer 109

LastLogonTimeStamp
inetOrgPerson
Domain Controller Rename - netdome (has to be installed on a DC)
Container Redirection
Authorization Manager
constrained Delegation
Selective Authentication

Question 110

DC Function Level Server 2008

Answer 110

Sysvol Replication (DFS-DFGS)
Advanced Encryption Sytem (AES 128 and 256)
Last Interactive Logon
Fine-grained passwords
Access Base Enumeration

Question 111

DC Function Level 2008 R2

Answer 111

Authentication Mechanism Assurance

Question 112

Forest AD Features 2000 Native

Answer 112

Universal Group Caching

Question 113

Forest AD Features Server 2003

Answer 113

Forest Trusts
Domain Rename 
RODC  - Read Only Domain Controllers
Linked Value Replication
User Object Conversion
Schema Modification
DynamicObjects
Knowledge Consistency Checker
Group Sites

Question 114

Forest AD Features Server 2008

Answer 114

No new forest features

Question 115

Forest AD Features Server 2008 R2

Answer 115

Active Directory Recycle Bin

Question 116

Universal Groups

Answer 116

are enabled for both distribution groups and security groups

Question 117

Group Nesting

Answer 117

Groups can contain other groups

Question 118

Group Conversion

Answer 118

A security group can be converted to a distribution group and vice versa

Question 119

Security Identifier (SID) History

Answer 119

Active Directory users, compouters and groups have an associated SIB whch is used during resource access. SID history allows a user’s old SID to be used in an upgraded domain alongside the new SID - access to resources on the older system is therefore retained even thoug the user now has a new SID

Question 120

LastLogonTimeStamp

Answer 120

attribute is updated with the last logon time of the user or computer and is replicated throughout the domain

Question 121

inetOrgPerson

Answer 121

the ability to set the userPassword attribute as the effective password on (the vocab word) and user objects

Question 122

Domain Controller Rename

Answer 122

Netdom.exe can be used to rename domain controllers

Question 123

Container Redirection

Answer 123

allows you to direct new user and computer accounts to containers (organizational units) other than the default users and computers containers

Question 124

Authorization Manager

Answer 124

Can store its authorization policies in AD DS

Question 125

Constrained Delegation

Answer 125

Can be used to restrict user credential delegation to specific destination services only

Question 126

Selective Authentication

Answer 126

you can be specific about which users and groups from a trusted forest are allowed to authenticate to resources on servers in a trusting forest (lesson 4 module 1)

Question 127

SYSVOL Replication

Answer 127

DFS (DFGS) replication support provides more robust and detailed replication of (vocab word) contents

Question 128

Advanced Encryption System

Answer 128

DFS support for access-based enumeration (AES 128 and AES 256) and increased scalability

Question 129

Last Interactive Logon

Answer 129

Hosts the following information: the total number of failed logons, the total number of failed logon attempts after a successful logon, the time of the last failed logon attempt, and the time of the last successful logon attempt at a t2008 Server or Vista/win 7 client

Question 130

Fine-Grained Passwords

Answer 130

Administrators can specify unique password and account lockout policies for users or groups in the domain.

Question 131

Access Base Enumeration

Answer 131

Presents a view of aDFS namespace to a user that shows only the folders in the namespace to which the user has a t least read permission - folders that the user is not permitted to read remain hidden

Question 132

Universal Group Caching

Answer 132

at a remote location that do not have access to a global catalog

Question 133

Application Directory Partitions

Answer 133

Introduction of configuratble replicable of application partitions with Active Directory

Question 134

Forest Trusts

Answer 134

Allows you to establish inter forest trusts

Question 135

RODC - Read Only Domain Controller

Answer 135

A DC which host a read-only copy of the AD database and that can be strategically placed in a remote office to provide user authentication and group membership

Question 136

Linked Value Replication

Answer 136

Linked value replication, replicates an individual group membership change rather than the entire multi-values member attribute.

Question 137

User Object Conversion

Answer 137

The ability to convert an inetOrgPerson object instance into a User object instance and to complete the conversion in the opposite direction

Question 138

Schema Modifications

Answer 138

Allows an administrator to deactivate or alter schema object classes and attributes

Question 139

dynamicObjects

Answer 139

Used by developers and application, the schema allows instances of the dynamic auxillary class in domain directory partitions

Question 140

Knowledge Consistency Checker

Answer 140

Enable AD DS to support replication in forests with more than 100 sites

Question 141

Group Types

Answer 141

The introduction of application basic groups and LDAP query groups

Question 142

AD Recycle Bin

Answer 142

provides the ability to restore deleted objects in ther entirety while (vocab word) is running

Question 143

Raise DC Level 2 things must be in place

Answer 143

1. member of Domain Admin or Enterprise Admin

2. PDC Emulator DC must be accessible

Question 144

Function Level on the Forest Level needs to be set on how many DC?

Answer 144

One Domain Controller, the new level will be replicated to each controller in the (vocab word).

Question 145

How to raise function level steps

Answer 145

Start, admin tools, acitve Directory Domains and Trusts, right click on domain, Raise domain function level box and select - same for forest but choose the Raise Forest Function Level option box

Question 146

ADS has to be extended to support the inclusion of a (_____________) DC

Answer 146

2008 R2

Question 147

Adprep.exe

Answer 147

extends the active directory schema to support upgraded server installation

Question 148

where is adprep.exe found?

Answer 148

1. 2008 installation disk in \sources\adprep
2. 2008 R2 installation disk in \support\adprep
   32bit and 64 bit version

Question 149

adprep.exe must be executed from an

Answer 149

elevated command prompt

Question 150

adprep.exe parameters are used to complete the following tasks:

Answer 150

Updating the Active Directory Schema
Updatiang security descriptors, 
Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder,
Creating new objects as required
Creating new containers as required

Question 151

adprep commands

Answer 151

adprep /forestprep
adprep /domainprep
adprep /domainprep /gpprep
adprep /rodcprep

Question 152

adprep /forestprep

Answer 152

prepares a forest for the intor of a DC that runs Server 2008 and R2. The command is run on the DC that hosts the Schema Master Role.

Question 153

adprep /domainprep

Answer 153

prepares a domain for the intro of a DC that runs 2008 or 2008 R2. command should be run after the forestprep command is complete and afterer the changes have replicated to all the domain controllers in the forest. The command should be run on each domain where you plan to add a DC that runs 2008 or $2 . You must run this command on the DC that host the DC infrastructure master role

Question 154

adprep /domainprep /gpprep

Answer 154

Similar to the /doaminprep command but adds only the inheritable access control entries (ACE’s) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACE’s give enterprise domain controllers read access permissions on GPOs - these permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy. The command must be run on the domain controller that hosts the domain’s infrastructure master role.

Question 155

adprep /rodcprep

Answer 155

Updates permissions on application directory partitions (including DNS Services) to enable replication of the partitions to REad Only Domain Controllers (RODCs) - the operation runs remotely and contacts the domain controller hosting the infrastructure master in each domain to update the permissions. The command must be run from any domain controller.

Question 156

If you are adding a RODC to the forest

Answer 156

run adprep /rodcprep immediately after the running of adprep /forestprep command and both must be run on the DC with Schema and Infrastructure Masters running

Question 157

Adprep /rodcprep can run from

Answer 157

any computer, runs remotely but it must be able to contact the forest’s domain naming master to obtain a list of forest application directory partitions. It then must contact the infrastructure master in each domain for each of the application directory partitions. If an infrastructure master is unavailable, the (vocab word) command will fail and you must rerun until success is achieved.

Question 158

Need to find what computer hosts the various operation master roles

Answer 158

using and elevated command prompt on a comaputer with netdom.exe toll installed (usually a DC) then press the enter key

ie: c:\netdom query fsmo

Question 159

ADMT is a free tool used to

Answer 159

move migrate user accounts, groups, computers and other Active Directory object between Active directory domains and forests.

Question 160

ADMT V3.0

Answer 160

windows NT 4.0 and Active Directory Forests Domains.

Question 161

ADMT V3.2

Answer 161

used to migrate 2003, 2008, 2008 R2 forest Domains

Question 162

ADMT has these features

Answer 162

Preservation of object SID Histories
Can migrate computer accounts, including domain controllers
Can migrate user accounts/profiles
Accommodates the use of a SQL database to host migration data
Accommodate pre - testing before commitment
Provides a measure of rollback
Migration is secured using encryption

Question 163

ADMT v3.2 Forest Migration capabilities

Answer 163

can be performed between domains in the same forest - intra forest migration, or between domains in different forests - inter-forest migration. During inter-forest restructurieng or migration, the source domain remains intact - migrated object are copied, while both domains remain operational during restructuring.

Question 164

ADMT v3.2 provides wizards that automate migration tasks

Answer 164

user, groups, service accounts, computers migrations. The console provides a convenient interface or use can use the command line interface using the admt.exe utility and parameters or include text files containibg ines of migration options and parameters.

Question 165

ADMT v3.2 allows you to test, simulate migration

Answer 165

provides analysis reports and log files which can be used to iron out any issues prior to any final migration.

Question 166

SIDs

Answer 166

every security principal (user, group, computer, etc) in an AD domain has an associated security identifier that is unique to a domain. When a user attempts to access an Active Directory resource, for example a file, the Access Control List (ACL) for the file checks its Access Control Entries (ACEs) to check the level of access the associated SID has for the resource, or whether the SID is denied access to the the resource. When a security principal is deleted, the asscoiated SID is never reassigned and remains unused.

Question 167

ACLs

Answer 167

All Active Directory resources have an associated ACL, which maintains a list of access control entries (ACEs) that link specific resource permissions with the SID of an Active Directory Security Principal - user, group, computer, etc - the ACE entries can include the extent of an allow permission or deny permission

Question 168

sIDHistory

Answer 168

in addition to the SID attribute, an AD Security principal also has an associated sIDHistory attribute which maintains a list of previously held SIDs. If a user is moved from one domain to another, a new principle SID is defined for the use and the old domain SID is added to the sIDHistory attribute. When a user attempts to accesss a system resource in the source domain, both the new SID and any older SIDs are used when mapping permissions on the resource ACE list of the source domain - by doing this, the user maintains access levels to any resource in the new domain, while at the same time retaining aceess to resources in the source domain.

Question 169

ADMT Tool also includes Security Translation Wizard

Answer 169

this allows you to replace an orginal SID of a migrated security principal’s with the new SID on the ACEs of all resources in the original source domain - this achieves the same effect as the sIDHistory attribute. In general, sIDHIstory is uused to maintain access and functionality during igration and the security translation is then performed to complet the rprocess

Question 170

ADMT Security Translation Wizard can translate:

Answer 170

File and folder permissions
Printer Permissions
Share Permissions
Registry Permissions
User Rights
Group Membership

Question 171

adprep is run on

Answer 171

legacy machines - the older machines

Question 172

dcpromo is used for

Answer 172

to demote a domain controller and to remove active directory

Question 173

RODC can be installed on forest operating at a forest functional level of

Answer 173

Server 2003 or better

Question 174

Server core is a fully functional version of windows server which characterized by a reduce set of

Answer 174

server roles and fetures and a non-GUI management interface. Server Core is designed to improve security, operate on reduced hardware resources and is managed via command line utilities and windows powershell but can be managed from the GUI of a remote server

Question 175

Shortcut Trust

Answer 175

is deployed to minimize response latency for usder requiring frequent authentiction or resource access on a domain which is either deeply nested or the end of a slow communications link. A shortcut trust can be configured as a one-way trust

Question 176

Forest Trust

Answer 176

a forest defines the security boundary of Active Directory implementation a forest trust allos you to establish a two way transitive trust between forests. Forest trust were introduced in Server 2003 and both forests must be operating at this functional level or higher to avail of forest trusts. The forest trust established transitive trust between all domains in each foret - the trust can be defined as a one-way incoming or outgoing or two way. UPNs can be used for authentication in either forest.

Question 177

External Trust

Answer 177

are deployed to establish a one way trust with 2000 doain and a 2008 $2 domain or between two indivdiaul 2008 R2 Active Directory domains in seperate forests - typically a business partner or project collaboration partner.

Question 178

Realm

Answer 178

allows trust between Windows 200 R2 Active Directory and a Unix Platform

Question 179

UPN

Answer 179

User Principal Name - are stored in the global catalog and are deployed to avaoid the use of multiple user domain logons. Using a upn logon a user can logon to any domain ,, DC within a forest.