2008 R2 ADS Vocabulary - Session 2

Question 1

DNS is a network service

Answer 1

which is used to resolve computer names to Internet Protocol (IP) addresses

Question 2

The DNS server stores DNS records in the form of

Answer 2

of a distributed database

Question 3

The DNS server receives queries that contain system names

Answer 3

, and resolves these queries to IP addresses using a process known as name resolution.

Question 4

In Windows Server networks, the DNS server service can be integrated with

Answer 4

AD DS role.

Question 5

, DNS data is stored in and replicated through the

Answer 5

Active Directory (AD), providing AD DS with a mechanism to easily locate domain controllers and ensuring secure multi-master replication of zone data.

Question 6

When a Windows-based Dynamic Host Configuration Protocol (DHCP) service is implemented in the network, it automatically

Answer 6

directs all DHCP clients and servers to register their names and corresponding IP addresses with the DNS server.

Question 7

(DHCP)

Answer 7

Dynamic Host Configuration Protocol

Question 8

A DNS zone represents

Answer 8

one or more contiguous DNS domains of the DNS namespace. It is used to delegate authority and to facilitate the administration of data associated with a namespace.

Question 9

A server known as the (DNS) authoritative server is used to

Answer 9

store all the information relating to a particular zone. The same DNS server can be authoritative for a number of DNS zones.

Question 10

The procedure for transferring data from an authoritative server to a secondary server is known as

Answer 10

a zone transfer.

Question 11

Windows Server 2008 R2 supports the following types of DNS zones

Answer 11

• Primary zone
• Secondary zone
• AD integrated zones
• Stub zone

Question 12

New features of the DNS server in Windows Server 2008 R2 include support for the following:

Answer 12

• The DNAME Resource Record
• Read-Only Domain Controllers (RODC5)
• Use of Internet Protocol version 6 (IPv6)
• The GlobalNames Zone

Question 13

Other key features of the Windows Server 2008 R2 DNS server are as follows:

Answer 13

• Integration with Microsoft Networking Services such as WINS, AD DS, and DHCP
• RFC-Compliant Dynamic Updates (clients add their own records to DNS)
• DNS zones that are integrated with AD DS support secure dynamic updates
• Global Query Block List

Question 14

Advanced DNS Features

Answer 14

Forwarding
Root hints
Server scavenging

Question 15

Forwarding (DNS)
• The DNS server first tries to resolve a DNS client’s query using the data available in the local network. If no such data exists locally,

Answer 15

, the server forwards the query to a DNS server in an external network. You can configure a DNS server to forward all the queries it receives from client machines, instead of performing the name resolution itself.

Question 16

• Forwarders are responsible for handling all the

Answer 16

External traffic in a network because they forward all queries that need to be resolved to external DNS servers

Question 17

All the DNS servers in a network forward unresolved queries

Answer 17

to forwarders.

Question 18

• Conditional forwarders are forwarders configured

Answer 18

to forward queries for specific domain names to external DNS servers. You use conditional forwarders to resolve queries between two organizations.

Question 19

Root hints

Answer 19

are queries that enable a server to respond to requests from servers of unknown domains or domains higher than the server that receives the request.

Question 20

• A DNS server used as a forwarder is automatically located by other servers in the local network. However, you need to use root hints

Answer 20

to resolve the names of external DNS servers through the Internet root servers.

Question 21

• A file named—————- implements root hints for the DNS server service.

Answer 21

Cache.dns

Question 22

Cache.dns is stored on the server

Answer 22

in the following location:%

systemroot%\System32\Dns.

Question 23

The DNS and resource records for the host are also a part of the

Answer 23

Cache.dns file

Question 24

• In a private network, you can use records that are similar to the Cache.dns file to point to

Answer 24

to internal root DNS servers.

Question 25

Server scavenging

• In Windows Server 2008 R2, the server scavenging feature is used to

Answer 25

to remove old records from the zone data on a DNS server.

Question 26

Scavenging removes stale records (records that have exceeded their refresh periods) from the zone data.

Answer 26

• The DNS server stamps all records with the date and time at which they are added, and uses a process known as aging to determine whether a record exceeds the refresh time period specified for it.

Question 27

• You can configure server settings to periodically repeat scavenging to

Answer 27

free the zones from stale data

Question 28

A DNS lookup is a process for

Answer 28

converting the IP address of a computer into its host domain name, and vice versa

Question 29

A forward lookup zone is used to

Answer 29

to resolve domain names to their IP addresses.

Question 30

A reverse lookup zone is used to

Answer 30

to identify the domain name corresponding to an IP address.

Question 31

In a reverse lookup query,

Answer 31

a client sends a request to a DNS server for a pointer (PTR) resource record that corresponds to the IP address of a host.

Question 32

• You can add a forward lookup zone using

Answer 32

the DNS Manager or the dnscmd command-line utility.

Question 33

• You can add a reverse lookup zone using the

Answer 33

DNS Manager or the dnscmd command-line utility

Question 34

• During the creation of either of these zones, you also specify whether

Answer 34

the zone is AD integrated and its replication scope.

Question 35

If the zone is AD integrated then you can also

Answer 35

configure secure dynamic updates.

Question 36

Forwarders and Root Hints

Answer 36

You can reduce the workload on a DNS server by configuring it to answer requests related to local hosts and to forward requests for external domain names to an external DNS server. A DNS server that forwards queries for external resolution is known as a forwarder.

Question 37

Two types of queries are processed by DNS forwarding servers

Answer 37

• Recursive Queries

* Iterative Queries

Question 38

• Recursive Queries

Answer 38

are sent by the DNS client to the DNS server. In a recursive query, either the DNS client receives an error message such as “sorry, name not found” or it receives an exact answer for the IP address that it sends to the DNS server. If the DNS server is able to resolve the client query, it sends the resolved IP address to the client. If it cannot resolve a recursive query, it changes the recursive query to an iterative query by searching its list of forwarders and sending iterative queries to each of them.

Question 39

• Iterative Queries are queries

Answer 39

where the DNS server is asked either to resolve a query or to make a best guess referral to a DNS server that may be able to resolve it.

Question 40

Conditional forwarding means

Answer 40

the DNS server forwards queries to different forwarders according to the specific domain names that must be resolved.

Question 41

When the DNS server receives a query, it first

Answer 41

searches its zone data and cache to resolve the query. If the search does not yield any result, the DNS server compares the domain name in the query with its list of domain name conditions:

Question 42

If the search does not yield any result, the DNS server compares the domain name in the query with its list of domain name conditions:

Answer 42

• If it finds a matching condition, the query is forwarded to the IP address of the forwarder corresponding to the domain name.
• If no matching condition is found, the DNS server attempts to resolve the query using standard recursion.
• Root hints are used by a DNS server to resolve queries if forwarders are unavailable to it. In some DNS environments, root hints are used in place of forwarders. The difference is that a DNS server using forwarding will request recursion, whereas a DNS server using root hints will attempt to resolve a query recursively itself.

Question 43

Configuring Root Hints

Answer 43

on a DNS server, first open the DNS Manager and then select the root hints tab in server properties. This tab allows you to add a new root hint, remove a root hint, edit an existing root hint, or copy root hints from another server.

Question 44

Server Aging and Scavenging

Answer 44

Unmanaged decayed resource records can result in problems such as the following:
• Unnecessarily long zone transfers
• Degradation of the performance and response time of the DNS server
• Possible IP conflicts

Question 45

Configure aging and scavenging for a DNS server using the

Answer 45

DNS Manager console or the command line.

Question 46

Aging and scavenging are disabled by

Answer 46

default

Question 47

To use the aging and scavenging features,

Answer 47

enable the operations on the zone, at the DNS server, or manually by individual record.

Question 48

The scavenging and aging operations use the

Answer 48

the timestamps on resource records to determine when the records must be removed.

Question 49

A DNS server sets the data time value to start scavenging on a per zone basis when

Answer 49

• Users enable dynamic updates for the zone
• A primary zone that is enabled to use scavenging is loaded by a DNS server
• A DNS server starts
• A zone resumes its service after it has been paused
• The administrator manually activates the Scavenge stale resource records function

Question 50

When setting aging and scavenging properties, you need to specify the

Answer 50

duration for which the server must not refresh its records. This prevents unnecessary updates to existing records, thereby reducing replication traffic.

Question 51

You also need to set the refresh interval at which the server must refresh its records. The refresh interval is the (DNS Scavenging)

Answer 51

period needed between when a no-refresh interval expires and when a record is considered stale.

Question 52

Configuring Zone Delegation

Zone delegation involves

Answer 52

delegating authority for a particular subdomain to a different zone, either on the same DNS server or on another DNS server. It is what enables you to divide a DNS server into one or more zones. New zones can be distributed and replicated on other DNS servers to meet the requirements of an organization.

Question 53

In addition, zone delegation helps

Answer 53

distribute the load of traffic among various servers, improves DNS name resolution performance, and creates a fault tolerant environment.

Question 54

Zone delegation is configured using the

Answer 54

DNS Manager console.

Question 55

Round Robin and Recursion

Using the DNS Round Robin technique, a DNS server

Answer 55

rotates the DNS records for each incoming DNS request so that successive visitors are directed to different web servers. This option is enabled by default in Windows Server 2008 R2.

Question 56

Although Round Robin DNS is easy to implement, it has some drawbacks:

Answer 56

• It does not offer any failover functionality
• It does not control the order in which connections are rotated
• Attackers may exploit the process of DNS recursion to damage a network using an amplifier attack

Question 57

CONFIGURE ZONES

A zone is a

Answer 57

contiguous portion of a domain of the DNS namespace

Question 58

There are three types of zones:

Answer 58

primary, secondary, and stub.

Question 59

The DDNS is an important part of the AD because the domain controller of the AD

Answer 59

registers its service location resource records, which are used to locate AD domain controllers, in DNS to enable other computers in a forest or a domain to search for these records.

Question 60

Dynamic Domain Name System

Answer 60

(DDNS)

Question 61

(DDNS) is used

Answer 61

enables name resolution for computers with dynamic IP addresses (addresses that are assigned automatically through DHCP).

Question 62

(SDDNS)

Answer 62

Secure Dynamic Domain Name System

Question 63

(SDDNS) is used

Answer 63

only for zones that are integrated into AD, where only members of the domain can dynamically update DNS records.

Question 64

Non-dynamic Domain Name System

Answer 64

System (NDDNS)

Question 65

System (NDDNS)
In Windows Server 2008 R2, use a Non-dynamic Domain Name System (NDDNS) to work with existing DNS servers. In this system, database entries are

Answer 65

are static and must be created and updated manually.

Question 66

Database entries in the DDNS take precedence over

Answer 66

those in the NDDNS.

Question 67

To configure dynamic updates, choose one of three options:

Answer 67

• Allow Only Secure Dynamic Updates
• Allow Both Non-Secure and Secure Dynamic Updates
• Do Not Allow Dynamic Updates

Question 68

Configuring DNS Zones

Answer 68

A DNS namespace can be divided into zones, each of which stores name information for one or more DNS domains. Forward lookup zones resolve names into IP addresses, and reverse lookup zones resolve IP addresses into names.
Initially, a zone has a single DNS domain name. You can add subdomains as members of the same zone, or add subdomains and delegate them to a new zone created for these subdomains.

Question 69

You can configure a single DNS server to manage

Answer 69

one or multiple zones. You can also choose to partition domains across multiple zone files, distribute management of the domain across various groups, and make data replication more efficient.

Question 70

A DNS server can host three types of zones:

Answer 70

Primary Zone
Secondary Zone
Stub Zone

Question 71

Primary Zone

Answer 71

A primary zone is the main source of information relating to a zone and it is hosted by the master server.

Question 72

Secondary Zone

Answer 72

A secondary zone is a read-only copy of the data in a primary zone and it is hosted on a separate server.

Question 73

Stub Zone

Answer 73

A stub zone contains only resource records that are necessary to identify the authoritative DNS servers for a zone. It contains NS, SOA, and glue (A or AAAA) records.

Question 74

DNS Integration with AD DS

Answer 74

When you use AD-integrated zone storage, the zone information is saved in the AD tree under a domain or application directory partition.

Question 75

Advantages of integrating AD DS and DNS include the following:

Answer 75

• Automatic replication for new zones
• Streamlined administration
• Faster and more efficient replication
• Multi-master data replication
• Enhanced security

Question 76

In the multi-master update model of the AD DS,

Answer 76

any primary DNS server for an AD-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available on the network.

Question 77

To secure standard or AD-integrated DNS zones, you can do the following:

Answer 77

• Allow only secure dynamic updates
• Configure the Discretionary Access Control List (DACL) for a zone
• Restrict zone transfers
• Ensure secure zone delegation

Question 78

When clients make a request for a server using a hostname without an FQDN (\server5 or http://intranet) it can be challenging to provide consistent name resolution, especially in a multi-domain environment. The Global Name Zone (GNZ) solves this problem by being a

Answer 78

failover zone during lookup. If the name being requested is not the requested domain, the GNZ is checked. And since this domain can be replicated forest-wide, it can hold a consistent definition of servers that need to be available universally.

Question 79

To create a GNZ

Answer 79

Create a new forward lookup zone in the DNS manager named GlobalNames
In an elevated command prompt run the following command: dnscmd /config /enableglobalnamessupport

Question 80

For protection, the Global Query Block List can be defined to

Answer 80

to prevent dynamic update entries from being added to any zones that should not be (specifically rogue ISATAP and WPAD servers)

Question 81

The DNS can be divided into zones that use zone transfers to replicate and synchronize copies of zone data on multiple DNS servers:

Answer 81

• Both primary and secondary DNS servers can perform zone transfers.

Question 82

During a zone transfer, the primary server responds to a request from the secondary, or destination, server by

Answer 82

providing all the information required for a zone transfer.

Question 83

A master DNS server can be used as

Answer 83

as primary and secondary DNS servers. If it is used as the primary DNS server for a transfer, the DNS server that hosts the primary zone directly performs the zone transfer.

Question 84

If the master server is used as a secondary server, the zone transfer is

Answer 84

is performed by a read-only secondary zone file.

Question 85

. A zone transfer can occur when

Answer 85

• The refresh interval has expired for a zone
• A notification to make changes in the zone file is sent by the primary server to a secondary server
• A secondary server queries the primary DNS server for a change in the zone
• A DNS console at a secondary server for the zone manually initiates a transfer from the primary server

Question 86

A zone transfer may be either

Answer 86

• A full zone transfer

* An incremental zone transfer (IXFR)

Question 87

IXFR are faster and create less traffic than full zone transfers, and they are used as the

Answer 87

standard transfer type in Windows Server 2008 R2.

Question 88

A full zone transfer is required, for example,

Answer 88

when you configure a new secondary DNS server to store a copy of the zone data on a primary server.

Question 89

The transferred zone has a version number and a refresh interval specified in SOA RR properties. This is to

Answer 89

to enable subsequent incremental transfers.

Question 90

The following steps occur to complete an incremental zone transfer:

Answer 90

• A SOA query is sent to the primary server by the secondary server to renew the zone after the refresh interval expires.
• The primary server responds to the SOA query by sending a serial number that specifies the current state of the primary server’s zone data.
• The secondary server checks the serial number against its local serial number. If the sequence number in the response is greater than the local number then a zone transfer is required.
• The secondary server sends an IXFR or AXFR query to request a zone transfer to the primary server that has the current value of the zone.
• The primary server responds with a transfer according to the query the secondary server has sent - a full transfer, or if the zone has a history of recent changes, an incremental zone transfer.

Question 91

Application Directory Partitions

DNS zones can be stored in

Answer 91

a domain or in application directory partitions of AD DS.

Question 92

Application directory partitions store zone data and ensure that it is replicated with the required scope: for example

Answer 92

, to all DNS servers across a forest or to all domain controllers in a domain.

Question 93

DNS-specific application directory partitions are created automatically in each domain of the forest when

Answer 93

when a DNS service or AD is installed or upgraded on a domain controller.

Question 94

The following two DNS-specific application directory partitions are created when AD is installed or upgraded on a domain controller:

Answer 94

• ForestDNSZone

* DomainDNSZones

Question 95

The Choose Zone Replication Scope dialog box enables you to choose from one of four zone replication scopes:

Answer 95

• To all DNS servers in this forest
• To all DNS servers in this domain
• To all domain controllers in this domain
• To all domain controllers in the scope of this directory partition

Question 96

You can create a custom application directory domain partitions and enlist specific AD-integrated DNS servers to participate in custom replication by using the dnscmd command-line utility.

Answer 96

dnscmd /createdirectorypartition

dnscmd /EnlistDirectoryPartition

Question 97

Custom Application Directory Partitions Create it then you need to change the replication scope of the DNS zones to enable them to

Answer 97

to use the new application directory partition for replication using dnscmd or the DNS management console.

Question 98

Introducing Active Directory objects

Answer 98

In Active directory, administrators create and manage security principals such as users.

Question 99

The roles of a user account are as follows:

Answer 99

Authenticate a User Identity

Provide Access to Domain Resources

Question 100

Authenticate a User Identity

Answer 100

You can log on to several computers in the domain by using a user account that can be authenticated by a DC. You can enhance the security of the domain by not enabling multiple users to share a single account.

Question 101

Provide Access to Domain Resources

Answer 101

When you are authenticated by the domain, you are allowed or denied access to the domain resources based on the permissions you are granted.

Question 102

In AD computers also manage computer accounts to allow trusted access by the user accounts and group accounts (which are used to define more efficient access to resources) as well as Organizational Units (OUs) (which look and act like folders, allowing you to define the structure of AD) Use the following guidelines to design an OU delegation:

Answer 102

• Identify and create administrative groups to which rights need to be delegated
• Identify users or groups to which rights need to be delegated in the OU and place them in the administrative group
• Create objects that need to be controlled and place them in the OU
• In the administrative group, delegate administrative tasks to the OU

Question 103

In Active Directory you can also create contact objects and create distribution groups which

Answer 103

cannot be assigned permissions but can be used as identity components for lookup. Creation of all these objects can be done in Active Directory Users and Computers.

Question 104

Active Directory objects have Lightweight Directory Access Protocol (LDAP) standard distinguished names (DN). An example might be

Answer 104

“CN=John J. Anderson,OU=entAccounts,DC=easynomadtravel,DC=int” where “CN=John J. Anderson” represents the common name of the individual user account, “OU=entAccounts “ represents the organizational unit in which the user is held, and “DC=easynomadtravel,DC=int” represents the DNS name of the user’s domain.

Question 105

Searching for different objects can be done using the

Answer 105

Active Directory object search interface, the saved query interface, or the dsquery.exe command-line utility.

Question 106

Active Directory user and computer objects are security principals, but they are also securables

Answer 106

– they have an associated ACL

Question 107

. Users can be delegated permission to manage objects that reside in an OU, including other users. By default, object permission applied at the OU level are

Answer 107

are inherited by any hosted objects – this inheritance can be filtered, and specific permission can also be applied to override any inherited permissions.

Question 108

A deny setting always takes precedence over

Answer 108

over an allow permission, unless an allow permission is specifically set.

Question 109

The Delegation of Control Wizard is used to semi-automate the process of

Answer 109

delegating permissions and permission sets to users.

Question 110

Automate creation of Active Directory objects

To create a new user account you can

Answer 110

can copy another user account using the ADUC interface. Many properties, such as group membership, will be copied to the new account. A dedicated account could be created specifically as a blueprint for new user accounts.

Question 111

The DS suite of command line tools can be deployed to manage user, computer, group and OU objects –

Answer 111

object can be created, deleted, moved and copied and their associated attribute values can be modified, including the user account password

Question 112

The DS suite of command line tools

Answer 112

• Dsadd – create a new Active Directory object
• Dsget – returns Active Directory object attribute values
• Dsmod – modifies Active Directory object attribute values
• Dsmove – moves an Active Directory object within the directory
• Dsrm – removes an Active Directory object
• Dsquery – searches for Active Directory objects and returns a result set

Question 113

The CSVDE command utility can be deployed to import

Answer 113

a comma-delimited text file – a *.cve file – of user and computer accounts and their properties – it cannot be used to modify existing objects and their properties.

Question 114

CSVDE can also export

Answer 114

Active Directory details – the default mode.

C: \ > csvde –f sk-newusers.cve

Question 115

The LDIFDE utility can be used for

Answer 115

adding, modifying, and removing user and computer accounts (the modifying and deleting is specified by importing an .Idf file with modify commands) – a *.ldf is used to provided the object detail. LDIFDE supports importing user passwords, and operates in export mode by default.
• C: \ > Idifde –f c:\myADdata\myLDlFmods.ldf

Question 116

Windows PowerShell cmdlets can be used to

Answer 116

automate the creation of user and compute account PS C:> New-ADUser –Name “Jack B. Yeats” –SAMAccountName jbyeats

Question 117

The netdom.exe command can use used to

Answer 117

to create a domain computer account and join a computer to a domain. NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]

Question 118

Computers joined to a domain from system properties without an explicit /OU path will appear in the default Computers container of AD unless

Answer 118

unless the redircmp.exe command has been used to specify an alternate container.
C:>redircmp

Question 119

In a Windows 7 – Server 2008 R2 environment, you can deploy an offline domain join using

Answer 119

djoin.exe
• djoin /provision /domain /machine /machineou
• /savefile offblob.txt

Question 120

Maintain Active Directory accounts

Answer 120

Active Directory user accounts can be renamed, locked/unlocked, moved, disabled and deleted

Question 121

Active Directory user account passwords can be reset by

Answer 121

an administrator at any time, or changed by a user.

Question 122

Maintain Active Directory accounts

Administrators can manage these propreties in the

Answer 122

in the ADUC mmc or with DS commands or PowerShell.

Question 123

The Active Directory user account Accounts properties allow an administrator to limit a user in the following ways:

Answer 123

• allowable domain log on period for an individual user
• allowable computers to log on to
• allowable dates before an account is expired
• other various defined allowable account settings (allowed log on without smart card, etc)

Question 124

An Active Directory user accounts has an associated list

Answer 124

of attributes can be managed directly using the Users and Computers console, or using command-line utilities.

Question 125

The attribute values of multiple user accounts can be alter at the

Answer 125

same time using the Users and Computers console (ctrl or shift clicking), dsquery piped to dsmod, or Windows PowerShell cmdlets – the list of configurable attributes is limited to certain attributes.

Question 126

Users Accounts have many important security related properties on the “account” tab:

Answer 126

User Must Change Password at Next Logon
User Cannot Change Password
Password Never Expires
Store Passwords by Using Reversible Encryption
Account is Disabled
Smart Card is Required for Interactive Logon

Question 127

User Must Change Password at Next Logon

Answer 127

The “User must change password at next logon” option will force a user to change the password the next time they log on to the network. You can activate this option to ensure that no one except the user knows the password.

Question 128

User Cannot Change Password

Answer 128

The “User cannot change password” option prevents users from changing their passwords. You will need to enable this option when you want to maintain control over specific user accounts.

Question 129

Password Never Expires

Answer 129

The “Password never expires” option prevents the expiry of user passwords. It is recommended that you do not set this option and that you enforce regular password changes for your user accounts.

Question 130

Store Passwords by Using Reversible Encryption

Answer 130

The “Store passwords by using reversible encryption” option is necessary to support applications that require knowledge of the password of the user account for authentication purposes. This option will enable you to log on to a Windows network from a Mac-based network by using an Apple computer.

Question 131

Account is Disabled

Answer 131

The “Account is disabled” setting prevents a user from logging on to the network.

Question 132

Smart Card is Required for Interactive Logon

Answer 132

The “Smart card is required for interactive logon” option requires you to use a smart card to interactively log on to the network. You need to have a smart card reader attached to your computer and a valid personal identification number (PIN) for your smart card. When you enable this option, your user account password is set to a random and complex value, and the “Password never expires” account option is enabled.

Question 133

Account is Sensitive and Cannot be Delegated

The “Account is sensitive and cannot be delegated” option can be used if

Answer 133

a guest account or temporary account should not be assigned for delegation by another account.

Question 134

Active Directory security groups are deployed to

Answer 134

to manage access to Active Directory environment resources like folder, files and printers and to provide email group distribution.

Question 135

Active Directory distribution groups are for

Answer 135

email only.

Question 136

Both group types (AD Security and distribution Groups) support the three available defined scopes –

Answer 136

domain local, global, or universal. A group can be converted from group type to another if needed.

Question 137

For the greatest degree of flexibility to add more users to a group in any domain in the forest and to apply a group to a resource on any server in the domain, the recommended practice is to

Answer 137

to follow the AGDLP (IGDLA) and AGUDLP (IGUDLA) methods of group nesting.

Question 138

Global groups have

Answer 138

limited membership (can only contain users and other global groups from its parent domain). However, the Global group has unlimited visibility (can be seen, used, given permissions, and nested in domain local groups in all domains in the forest or trusting forests or domains)

Question 139

The Domain Local group has

Answer 139

unlimited membership (can include security principals (user, computer and group) from anywhere within its forest and from an external forest where external trust exists.) However, the Domain Local group has limited visibility. (It can only be seen on servers within the parent domain, and can only be nested within other Domain local groups (and almost never is))

Question 140

Universal groups are used in

Answer 140

multi-domain forests and can contain global groups from any domain in the forest. They have unlimited membership and unlimited visibility. The typical use of a Universal group would be to condense the same Global group from multiple domains into a single referenced entity

Question 141

Universal Example :

Answer 141

3 domains have Global Groups called Sales. Each domain also has a Domain Local group called SalesReportReaders. Without Universal groups there would have to be 3 globals nested in each domain local. If there was a change, such as a new domain with a Sales global group in the future, all three of the domains would need to update their Domain Local group. With a Universal Group, all the Sales Globals can be nested in the Universal, and the Universal can be nested in the Domain Locals. As long as the new domain is also nested in the new Universal as well, business continuity is maintained. )One note: Universal Groups are replicated within a forest in the global catalog, so changes to the content of a universal group should be minimized (ie: avoid adding individual users, add groups)

Question 142

Group creation and attribute manipulation can be performed using command-line tools such as

Answer 142

DSadd, DSMod, CSVDE, LDIFDE, PowerShell (New-ADGroup, Add-ADGroupMember)

Question 143

Shadow Group : The term Shadow group is simply a term for

Answer 143

a group that has the same membership as the contents of an organizational unit. There is no unscripted way to create a Shadow group.

Question 144

Default groups and special identities are automatically created when a root domain controller is installed in a forest and during the creation of any further child or forest domains –

Answer 144

they are scoped mainly at the domain level, and are design to ease the management of Active Directory, and to simplify resource access.

Question 145

• Anonymous logon

Answer 145

a user that gains access with a user name or password. Usually associated with remote
access, in Server 2008 and 2008 R2, this user type is not a member of the Everyone special identity group

Question 146

• Authenticated users

Answer 146

– a user that has a valid name and password, and is authenticated to work on the network

Question 147

• Everyone —

Answer 147

on Windows 2003+ system all authenticated Users and Domain guests Note: The domain guest account is usually turned off

Question 148

• Interactive —

Answer 148

a user account that is connect directly to the local computer, or via remote desktop connection

Question 149

• Network

Answer 149

— a user that is currently connected to a resource on this computer that is connecting from another network computer

Question 150

• Creator Owner

Answer 150

The user that created a particular object

Question 151

• Self —

Answer 151

a placeholder for you the current user