2008 R2 ADS Vocabulary - Session 2 Flashcards

1
Q

DNS is a network service

A

which is used to resolve computer names to Internet Protocol (IP) addresses

2
Q

The DNS server stores DNS records in the form of

A

a distributed database.

3
Q

The DNS server receives queries that contain system names

A

and resolves these queries to IP addresses using a process known as name resolution.

4
Q

In Windows Server networks, the DNS server service can be integrated with

A

the AD DS role.

5
Q

DNS data is stored in and replicated through the

A

Active Directory (AD), providing AD DS with a mechanism to easily locate domain controllers and ensuring secure multi-master replication of zone data.

6
Q

When a Windows-based Dynamic Host Configuration Protocol (DHCP) service is implemented in the network, it automatically

A

directs all DHCP clients and servers to register their names and corresponding IP addresses with the DNS server.

7
Q

(DHCP)

A

Dynamic Host Configuration Protocol

8
Q

A DNS zone represents

A

one or more contiguous DNS domains of the DNS namespace. It is used to delegate authority and to facilitate the administration of data associated with a namespace.

9
Q

A server known as the (DNS) authoritative server is used to

A

store all the information relating to a particular zone. The same DNS server can be authoritative for a number of DNS zones.

10
Q

The procedure for transferring data from an authoritative server to a secondary server is known as

A

a zone transfer.

11
Q

Windows Server 2008 R2 supports the following types of DNS zones:

A
  • Primary zone
  • Secondary zone
  • AD integrated zones
  • Stub zone
12
Q

New features of the DNS server in Windows Server 2008 R2 include support for the following:

A
  • The DNAME Resource Record
  • Read-Only Domain Controllers (RODCs)
  • Use of Internet Protocol version 6 (IPv6)
  • The GlobalNames Zone
13
Q

Other key features of the Windows Server 2008 R2 DNS server are as follows:

A
  • Integration with Microsoft Networking Services such as WINS, AD DS, and DHCP
  • RFC-Compliant Dynamic Updates (clients add their own records to DNS)
  • DNS zones that are integrated with AD DS support secure dynamic updates
  • Global Query Block List
14
Q

Advanced DNS Features

A

Forwarding
Root hints
Server scavenging

15
Q

Forwarding (DNS)
The DNS server first tries to resolve a DNS client’s query using the data available in the local network. If no such data exists locally,

A

the server forwards the query to a DNS server in an external network. You can configure a DNS server to forward all the queries it receives from client machines, instead of performing the name resolution itself.

16
Q

Forwarders are responsible for handling all the

A

external traffic in a network, because they forward all queries that need to be resolved to external DNS servers.

17
Q

All the DNS servers in a network forward unresolved queries

A

to forwarders.

18
Q

Conditional forwarders are forwarders configured

A

to forward queries for specific domain names to external DNS servers. You use conditional forwarders to resolve queries between two organizations.

19
Q

Root hints

A

are queries that enable a server to respond to requests from servers of unknown domains or domains higher than the server that receives the request.

20
Q

A DNS server used as a forwarder is automatically located by other servers in the local network. However, you need to use root hints

A

to resolve the names of external DNS servers through the Internet root servers.

21
Q

A file named ________ implements root hints for the DNS server service.

A

Cache.dns

22
Q

Cache.dns is stored on the server

A

in the following location: %systemroot%\System32\Dns

23
Q

The DNS and resource records for the host are also a part of the

A

Cache.dns file

24
Q

In a private network, you can use records that are similar to the Cache.dns file to point to

A

internal root DNS servers.

25
Q

Server scavenging

In Windows Server 2008 R2, the server scavenging feature is used to

A

remove old records from the zone data on a DNS server.

26
Q

Scavenging removes stale records (records that have exceeded their refresh periods) from the zone data.

A

The DNS server stamps all records with the date and time at which they are added, and uses a process known as aging to determine whether a record exceeds the refresh time period specified for it.

27
Q

You can configure server settings to periodically repeat scavenging to

A

free the zones from stale data.

28
Q

A DNS lookup is a process for

A

converting the IP address of a computer into its host domain name, and vice versa

29
Q

A forward lookup zone is used to

A

resolve domain names to their IP addresses.

30
Q

A reverse lookup zone is used to

A

identify the domain name corresponding to an IP address.

31
Q

In a reverse lookup query,

A

a client sends a request to a DNS server for a pointer (PTR) resource record that corresponds to the IP address of a host.

32
Q

You can add a forward lookup zone using

A

the DNS Manager or the dnscmd command-line utility.

33
Q

You can add a reverse lookup zone using the

A

DNS Manager or the dnscmd command-line utility.

34
Q

During the creation of either of these zones, you also specify whether

A

the zone is AD integrated and its replication scope.

35
Q

If the zone is AD integrated then you can also

A

configure secure dynamic updates.

36
Q

Forwarders and Root Hints

A

You can reduce the workload on a DNS server by configuring it to answer requests related to local hosts and to forward requests for external domain names to an external DNS server. A DNS server that forwards queries for external resolution is known as a forwarder.

37
Q

Two types of queries are processed by DNS forwarding servers

A
  • Recursive Queries
  • Iterative Queries

38
Q

Recursive Queries

A

are sent by the DNS client to the DNS server. In a recursive query, either the DNS client receives an error message such as “sorry, name not found” or it receives an exact answer for the IP address that it sends to the DNS server. If the DNS server is able to resolve the client query, it sends the resolved IP address to the client. If it cannot resolve a recursive query, it changes the recursive query to an iterative query by searching its list of forwarders and sending iterative queries to each of them.

39
Q

Iterative Queries are queries

A

where the DNS server is asked either to resolve a query or to make a best guess referral to a DNS server that may be able to resolve it.

40
Q

Conditional forwarding means

A

the DNS server forwards queries to different forwarders according to the specific domain names that must be resolved.

41
Q

When the DNS server receives a query, it first

A

searches its zone data and cache to resolve the query. If the search does not yield any result, the DNS server compares the domain name in the query with its list of domain name conditions.

42
Q

If the search does not yield any result, the DNS server compares the domain name in the query with its list of domain name conditions:

A
  • If it finds a matching condition, the query is forwarded to the IP address of the forwarder corresponding to the domain name.
  • If no matching condition is found, the DNS server attempts to resolve the query using standard recursion.
  • Root hints are used by a DNS server to resolve queries if forwarders are unavailable to it. In some DNS environments, root hints are used in place of forwarders. The difference is that a DNS server using forwarding will request recursion, whereas a DNS server using root hints will attempt to resolve a query recursively itself.
43
Q

Configuring Root Hints

A

To configure root hints on a DNS server, first open the DNS Manager and then select the Root Hints tab in the server properties. This tab allows you to add a new root hint, remove a root hint, edit an existing root hint, or copy root hints from another server.

44
Q

Server Aging and Scavenging

A

Unmanaged decayed resource records can result in problems such as the following:
• Unnecessarily long zone transfers
• Degradation of the performance and response time of the DNS server
• Possible IP conflicts

45
Q

Configure aging and scavenging for a DNS server using the

A

DNS Manager console or the command line.

46
Q

Aging and scavenging are disabled by

A

default

47
Q

To use the aging and scavenging features,

A

enable the operations on the zone, at the DNS server, or manually by individual record.

48
Q

The scavenging and aging operations use the

A

timestamps on resource records to determine when the records must be removed.

49
Q

A DNS server sets the date and time value to start scavenging on a per-zone basis when:

A
  • Users enable dynamic updates for the zone
  • A primary zone that is enabled to use scavenging is loaded by a DNS server
  • A DNS server starts
  • A zone resumes its service after it has been paused
  • The administrator manually activates the Scavenge stale resource records function
50
Q

When setting aging and scavenging properties, you need to specify the

A

duration for which the server must not refresh its records. This prevents unnecessary updates to existing records, thereby reducing replication traffic.

51
Q

You also need to set the refresh interval at which the server must refresh its records. The refresh interval (DNS scavenging) is the

A

period needed between when a no-refresh interval expires and when a record is considered stale.

52
Q

Configuring Zone Delegation

Zone delegation involves

A

delegating authority for a particular subdomain to a different zone, either on the same DNS server or on another DNS server. It is what enables you to divide a DNS server into one or more zones. New zones can be distributed and replicated on other DNS servers to meet the requirements of an organization.

53
Q

In addition, zone delegation helps

A

distribute the load of traffic among various servers, improves DNS name resolution performance, and creates a fault tolerant environment.

54
Q

Zone delegation is configured using the

A

DNS Manager console.

55
Q

Round Robin and Recursion

Using the DNS Round Robin technique, a DNS server

A

rotates the DNS records for each incoming DNS request so that successive visitors are directed to different web servers. This option is enabled by default in Windows Server 2008 R2.

56
Q

Although Round Robin DNS is easy to implement, it has some drawbacks:

A
  • It does not offer any failover functionality
  • It does not control the order in which connections are rotated
  • Attackers may exploit the process of DNS recursion to damage a network using an amplifier attack
57
Q

CONFIGURE ZONES

A zone is a

A

contiguous portion of a domain of the DNS namespace

58
Q

There are three types of zones:

A

primary, secondary, and stub.

59
Q

The DDNS is an important part of the AD because the domain controller of the AD

A

registers its service location resource records, which are used to locate AD domain controllers, in DNS to enable other computers in a forest or a domain to search for these records.

60
Q

Dynamic Domain Name System

A

(DDNS)

61
Q

(DDNS) is used

A

to enable name resolution for computers with dynamic IP addresses (addresses that are assigned automatically through DHCP).

62
Q

(SDDNS)

A

Secure Dynamic Domain Name System

63
Q

(SDDNS) is used

A

only for zones that are integrated into AD, where only members of the domain can dynamically update DNS records.

64
Q

Non-dynamic Domain Name System

A

(NDDNS)

65
Q

In Windows Server 2008 R2, use a Non-dynamic Domain Name System (NDDNS) to work with existing DNS servers. In this system, database entries are

A

static and must be created and updated manually.

66
Q

Database entries in the DDNS take precedence over

A

those in the NDDNS.

67
Q

To configure dynamic updates, choose one of three options:

A
  • Allow Only Secure Dynamic Updates
  • Allow Both Non-Secure and Secure Dynamic Updates
  • Do Not Allow Dynamic Updates
68
Q

Configuring DNS Zones

A

A DNS namespace can be divided into zones, each of which stores name information for one or more DNS domains. Forward lookup zones resolve names into IP addresses, and reverse lookup zones resolve IP addresses into names.
Initially, a zone has a single DNS domain name. You can add subdomains as members of the same zone, or add subdomains and delegate them to a new zone created for these subdomains.

69
Q

You can configure a single DNS server to manage

A

one or multiple zones. You can also choose to partition domains across multiple zone files, distribute management of the domain across various groups, and make data replication more efficient.

70
Q

A DNS server can host three types of zones:

A

Primary Zone
Secondary Zone
Stub Zone

71
Q

Primary Zone

A

A primary zone is the main source of information relating to a zone and it is hosted by the master server.

72
Q

Secondary Zone

A

A secondary zone is a read-only copy of the data in a primary zone and it is hosted on a separate server.

73
Q

Stub Zone

A

A stub zone contains only resource records that are necessary to identify the authoritative DNS servers for a zone. It contains NS, SOA, and glue (A or AAAA) records.

74
Q

DNS Integration with AD DS

A

When you use AD-integrated zone storage, the zone information is saved in the AD tree under a domain or application directory partition.

75
Q

Advantages of integrating AD DS and DNS include the following:

A
  • Automatic replication for new zones
  • Streamlined administration
  • Faster and more efficient replication
  • Multi-master data replication
  • Enhanced security
76
Q

In the multi-master update model of the AD DS,

A

any primary DNS server for an AD-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available on the network.

77
Q

To secure standard or AD-integrated DNS zones, you can do the following:

A
  • Allow only secure dynamic updates
  • Configure the Discretionary Access Control List (DACL) for a zone
  • Restrict zone transfers
  • Ensure secure zone delegation
78
Q

When clients make a request for a server using a hostname without an FQDN (\\server5 or http://intranet), it can be challenging to provide consistent name resolution, especially in a multi-domain environment. The GlobalNames Zone (GNZ) solves this problem by being a

A

failover zone during lookup. If the requested name is not found in the requested domain, the GNZ is checked. And since this zone can be replicated forest-wide, it can hold a consistent definition of servers that need to be available universally.

79
Q

To create a GNZ

A

Create a new forward lookup zone in the DNS manager named GlobalNames
In an elevated command prompt, run the following command: dnscmd /config /enableglobalnamessupport 1

80
Q

For protection, the Global Query Block List can be defined to

A

prevent dynamic update entries from being added to any zones where they should not be (specifically rogue ISATAP and WPAD servers).

81
Q

The DNS can be divided into zones that use zone transfers to replicate and synchronize copies of zone data on multiple DNS servers:

A

• Both primary and secondary DNS servers can perform zone transfers.

82
Q

During a zone transfer, the primary server responds to a request from the secondary, or destination, server by

A

providing all the information required for a zone transfer.

83
Q

A master DNS server can be used as

A

either a primary or a secondary DNS server. If it is used as the primary DNS server for a transfer, the DNS server that hosts the primary zone directly performs the zone transfer.

84
Q

If the master server is used as a secondary server, the zone transfer is

A

performed by a read-only secondary zone file.

85
Q

A zone transfer can occur when:

A
  • The refresh interval has expired for a zone
  • A notification to make changes in the zone file is sent by the primary server to a secondary server
  • A secondary server queries the primary DNS server for a change in the zone
  • A DNS console at a secondary server for the zone manually initiates a transfer from the primary server
86
Q

A zone transfer may be either

A
  • A full zone transfer (AXFR)
  • An incremental zone transfer (IXFR)

87
Q

Incremental zone transfers (IXFR) are faster and create less traffic than full zone transfers, and they are used as the

A

standard transfer type in Windows Server 2008 R2.

88
Q

A full zone transfer is required, for example,

A

when you configure a new secondary DNS server to store a copy of the zone data on a primary server.

89
Q

The transferred zone has a version number and a refresh interval specified in SOA RR properties. This is to

A

enable subsequent incremental transfers.

90
Q

The following steps occur to complete an incremental zone transfer:

A
  • A SOA query is sent to the primary server by the secondary server to renew the zone after the refresh interval expires.
  • The primary server responds to the SOA query by sending a serial number that specifies the current state of the primary server’s zone data.
  • The secondary server checks the serial number against its local serial number. If the serial number in the response is greater than the local number, then a zone transfer is required.
  • The secondary server sends an IXFR or AXFR query to request a zone transfer to the primary server that has the current value of the zone.
  • The primary server responds with a transfer according to the query the secondary server has sent - a full transfer, or if the zone has a history of recent changes, an incremental zone transfer.
91
Q

Application Directory Partitions

DNS zones can be stored in

A

a domain or in application directory partitions of AD DS.

92
Q

Application directory partitions store zone data and ensure that it is replicated with the required scope: for example

A

, to all DNS servers across a forest or to all domain controllers in a domain.

93
Q

DNS-specific application directory partitions are created automatically in each domain of the forest when

A

a DNS service or AD is installed or upgraded on a domain controller.

94
Q

The following two DNS-specific application directory partitions are created when AD is installed or upgraded on a domain controller:

A
  • ForestDNSZones
  • DomainDNSZones

95
Q

The Choose Zone Replication Scope dialog box enables you to choose from one of four zone replication scopes:

A
  • To all DNS servers in this forest
  • To all DNS servers in this domain
  • To all domain controllers in this domain
  • To all domain controllers in the scope of this directory partition
96
Q

You can create custom application directory partitions and enlist specific AD-integrated DNS servers to participate in custom replication by using the dnscmd command-line utility:

A

dnscmd /CreateDirectoryPartition <partition FQDN>

dnscmd /EnlistDirectoryPartition <partition FQDN>

97
Q

After creating a custom application directory partition, you need to change the replication scope of the DNS zones to enable them

A

to use the new application directory partition for replication using dnscmd or the DNS management console.

98
Q

Introducing Active Directory objects

A

In Active Directory, administrators create and manage security principals such as users.

99
Q

The roles of a user account are as follows:

A

Authenticate a User Identity

Provide Access to Domain Resources

100
Q

Authenticate a User Identity

A

You can log on to several computers in the domain by using a user account that can be authenticated by a DC. You can enhance the security of the domain by not enabling multiple users to share a single account.

101
Q

Provide Access to Domain Resources

A

When you are authenticated by the domain, you are allowed or denied access to the domain resources based on the permissions you are granted.

102
Q

In AD, administrators also manage computer accounts (to allow trusted access by user accounts), group accounts (used to define more efficient access to resources), and Organizational Units (OUs), which look and act like folders and allow you to define the structure of AD. Use the following guidelines to design an OU delegation:

A
  • Identify and create administrative groups to which rights need to be delegated
  • Identify users or groups to which rights need to be delegated in the OU and place them in the administrative group
  • Create objects that need to be controlled and place them in the OU
  • In the administrative group, delegate administrative tasks to the OU
103
Q

In Active Directory you can also create contact objects and create distribution groups which

A

cannot be assigned permissions but can be used as identity components for lookup. Creation of all these objects can be done in Active Directory Users and Computers.

104
Q

Active Directory objects have Lightweight Directory Access Protocol (LDAP) standard distinguished names (DN). An example might be

A

“CN=John J. Anderson,OU=entAccounts,DC=easynomadtravel,DC=int” where “CN=John J. Anderson” represents the common name of the individual user account, “OU=entAccounts” represents the organizational unit in which the user is held, and “DC=easynomadtravel,DC=int” represents the DNS name of the user’s domain.

105
Q

Searching for different objects can be done using the

A

Active Directory object search interface, the saved query interface, or the dsquery.exe command-line utility.

106
Q

Active Directory user and computer objects are security principals, but they are also securables

A

(they have an associated ACL).

107
Q

Users can be delegated permission to manage objects that reside in an OU, including other users. By default, object permissions applied at the OU level are

A

inherited by any hosted objects. This inheritance can be filtered, and specific permissions can also be applied to override inherited permissions.

108
Q

A deny setting always takes precedence over

A

an allow permission, unless an allow permission is specifically set.

109
Q

The Delegation of Control Wizard is used to semi-automate the process of

A

delegating permissions and permission sets to users.

110
Q

Automate creation of Active Directory objects

To create a new user account you can

A

copy another user account using the ADUC interface. Many properties, such as group membership, are copied to the new account. A dedicated account can be created specifically as a blueprint for new user accounts.

111
Q

The DS suite of command-line tools can be deployed to manage user, computer, group and OU objects:

A

Objects can be created, deleted, moved and copied, and their associated attribute values can be modified, including the user account password.

112
Q

The DS suite of command line tools

A
  • Dsadd – creates a new Active Directory object
  • Dsget – returns Active Directory object attribute values
  • Dsmod – modifies Active Directory object attribute values
  • Dsmove – moves an Active Directory object within the directory
  • Dsrm – removes an Active Directory object
  • Dsquery – searches for Active Directory objects and returns a result set
113
Q

The CSVDE command utility can be deployed to import

A

a comma-delimited text file (a *.csv file) of user and computer accounts and their properties. It cannot be used to modify existing objects and their properties.

114
Q

CSVDE can also export

A

Active Directory details (the default mode):

C:\> csvde -f sk-newusers.csv

115
Q

The LDIFDE utility can be used for

A

adding, modifying, and removing user and computer accounts (modifying and deleting is specified by importing an .ldf file with modify commands). A *.ldf file is used to provide the object detail. LDIFDE supports importing user passwords, and operates in export mode by default.
C:\> ldifde -f c:\myADdata\myLDIFmods.ldf

116
Q

Windows PowerShell cmdlets can be used to

A

automate the creation of user and computer accounts:
PS C:\> New-ADUser -Name "Jack B. Yeats" -SamAccountName jbyeats

117
Q

The netdom.exe command can be used to

A

create a domain computer account and join a computer to a domain:
NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]

118
Q

Computers joined to a domain from system properties without an explicit /OU path will appear in the default Computers container of AD unless

A

the redircmp.exe command has been used to specify an alternate container:
C:\> redircmp <container DN>

119
Q

In a Windows 7 – Server 2008 R2 environment, you can deploy an offline domain join using

A

djoin.exe:
djoin /provision /domain <domain> /machine <machine> /machineou <OU DN> /savefile offblob.txt

120
Q

Maintain Active Directory accounts

A

Active Directory user accounts can be renamed, locked/unlocked, moved, disabled and deleted

121
Q

Active Directory user account passwords can be reset by

A

an administrator at any time, or changed by a user.

122
Q

Maintain Active Directory accounts

Administrators can manage these properties in the

A

ADUC MMC console, or with DS commands or PowerShell.

123
Q

The Account properties of an Active Directory user account allow an administrator to limit a user in the following ways:

A
  • allowable domain log on period for an individual user
  • allowable computers to log on to
  • allowable dates before an account is expired
  • other various defined allowable account settings (allowed log on without smart card, etc)
124
Q

An Active Directory user account has an associated list

A

of attributes that can be managed directly using the Users and Computers console, or using command-line utilities.

125
Q

The attribute values of multiple user accounts can be altered at the

A

same time using the Users and Computers console (ctrl or shift clicking), dsquery piped to dsmod, or Windows PowerShell cmdlets – the list of configurable attributes is limited to certain attributes.

126
Q

User accounts have many important security-related properties on the “Account” tab:

A

User Must Change Password at Next Logon
User Cannot Change Password
Password Never Expires
Store Passwords by Using Reversible Encryption
Account is Disabled
Smart Card is Required for Interactive Logon

127
Q

User Must Change Password at Next Logon

A

The “User must change password at next logon” option will force a user to change the password the next time they log on to the network. You can activate this option to ensure that no one except the user knows the password.

128
Q

User Cannot Change Password

A

The “User cannot change password” option prevents users from changing their passwords. You will need to enable this option when you want to maintain control over specific user accounts.

129
Q

Password Never Expires

A

The “Password never expires” option prevents the expiry of user passwords. It is recommended that you do not set this option and that you enforce regular password changes for your user accounts.

130
Q

Store Passwords by Using Reversible Encryption

A

The “Store passwords by using reversible encryption” option is necessary to support applications that require knowledge of the password of the user account for authentication purposes. This option will enable you to log on to a Windows network from a Mac-based network by using an Apple computer.

131
Q

Account is Disabled

A

The “Account is disabled” setting prevents a user from logging on to the network.

132
Q

Smart Card is Required for Interactive Logon

A

The “Smart card is required for interactive logon” option requires you to use a smart card to interactively log on to the network. You need to have a smart card reader attached to your computer and a valid personal identification number (PIN) for your smart card. When you enable this option, your user account password is set to a random and complex value, and the “Password never expires” account option is enabled.

133
Q

Account is Sensitive and Cannot be Delegated

The “Account is sensitive and cannot be delegated” option can be used if

A

a guest account or temporary account should not be assigned for delegation by another account.

134
Q

Active Directory security groups are deployed to

A

manage access to Active Directory environment resources such as folders, files and printers, and to provide email group distribution.

135
Q

Active Directory distribution groups are for

A

email only.

136
Q

Both group types (AD security and distribution groups) support the three defined scopes –

A

domain local, global, or universal. A group can be converted from one group type to another if needed.

137
Q

For the greatest degree of flexibility to add more users to a group in any domain in the forest and to apply a group to a resource on any server in the domain, the recommended practice is to

A

follow the AGDLP (IGDLA) and AGUDLP (IGUDLA) methods of group nesting.

138
Q

Global groups have

A

limited membership (they can only contain users and other global groups from their parent domain). However, a Global group has unlimited visibility (it can be seen, used, given permissions, and nested in domain local groups in all domains in the forest or in trusting forests or domains).

139
Q

The Domain Local group has

A

unlimited membership (it can include security principals (users, computers and groups) from anywhere within its forest and from an external forest where an external trust exists). However, the Domain Local group has limited visibility (it can only be seen on servers within the parent domain, and can only be nested within other Domain Local groups, which almost never happens).

140
Q

Universal groups are used in

A

multi-domain forests and can contain global groups from any domain in the forest. They have unlimited membership and unlimited visibility. The typical use of a Universal group is to condense the same Global group from multiple domains into a single referenced entity.

141
Q

Universal Example :

A

3 domains have Global groups called Sales. Each domain also has a Domain Local group called SalesReportReaders. Without Universal groups, there would have to be 3 globals nested in each domain local. If there was a change, such as a new domain with a Sales global group in the future, all three of the domains would need to update their Domain Local group. With a Universal group, all the Sales globals can be nested in the Universal, and the Universal can be nested in the Domain Locals. As long as the new domain's Sales global is also nested in the Universal, business continuity is maintained. One note: Universal groups are replicated within a forest in the global catalog, so changes to the content of a universal group should be minimized (i.e., avoid adding individual users; add groups instead).

142
Q

Group creation and attribute manipulation can be performed using command-line tools such as

A

DSadd, DSMod, CSVDE, LDIFDE, PowerShell (New-ADGroup, Add-ADGroupMember)

143
Q

Shadow Group : The term Shadow group is simply a term for

A

a group that has the same membership as the contents of an organizational unit. There is no unscripted way to create a Shadow group.

144
Q

Default groups and special identities are automatically created when a root domain controller is installed in a forest and during the creation of any further child or forest domains –

A

they are scoped mainly at the domain level, and are designed to ease the management of Active Directory and to simplify resource access.

145
Q

• Anonymous logon

A

a user that gains access with a user name or password. Usually associated with remote access; in Server 2008 and 2008 R2, this user type is not a member of the Everyone special identity group.

146
Q

• Authenticated users

A

a user that has a valid name and password, and is authenticated to work on the network

147
Q

• Everyone —

A

on Windows 2003+ systems, all Authenticated Users and Domain Guests. Note: the domain Guest account is usually turned off.

148
Q

• Interactive —

A

a user account that is connected directly to the local computer, or via a Remote Desktop connection

149
Q

• Network

A

a user that is currently connected to a resource on this computer from another computer on the network

150
Q

• Creator Owner

A

The user that created a particular object

151
Q

• Self —

A

a placeholder for you, the current user