2008 R2 ADS Vocabulary - Session 3 Flashcards

1
Q

Group Policy Processing

A

You can apply Group Policy settings at the local, site, domain, and OU levels.

2
Q

All group policies that can apply to a user or computer do so,

A

blending their settings. However, settings from different policies may directly conflict with each other.

3
Q

Group Policy Processing

To prevent conflicts, policy settings in GPOs at different levels are processed in a specific order. That order is as follows (LSDOUC):

A
  • Local GPOs
  • GPOs linked to the site
  • Domain-level GPOs
  • GPOs linked to OUs
  • GPOs linked to child OUs
4
Q

You can choose to alter the default processing order using a variety of methods, including the following:

A

Block Inheritance

Enforced

5
Q

Block Inheritance

A

The Block Inheritance option prevents an OU or domain from inheriting GPOs from any of its parent containers. However, GPOs that are marked as Enforced are always inherited.

6
Q

Enforced

A

The Enforced option is a GPO link option that ensures the settings in the policy are applied regardless of blocked inheritance or the order of processing of linked GPOs.

7
Q

GPO Status

A

The GPO Status option can be used to troubleshoot a set of applied policies when the end result is not what it should be, by choosing to disable the User portion, the Computer portion, or all of a GPO. Separately, a GPO link can also be disabled.

8
Q

Link Order

A

The Link Order option controls the precedence order of multiple GPOs that are linked to the same particular container. The lower the link order, the higher its precedence. The GPO link with the link order of 1 has the highest precedence in that container.

9
Q

GPO Filtering

A

Each GPO is set to apply to members of the Authenticated Users group, which contains all domain Users and Computers. If this group is replaced with a smaller group, then the Group Policy will be filtered to apply to only those members of the container who also are members of the security group referenced.

10
Q

WMI Filtering

A

In the GPMC console a WMI script can be created to test for the absence or presence of system properties or values, such as Operating System, Service Pack, free disk space, RAM capacity, etc. This WMI script can then be bound to a GPO. If the receiving client does not meet the criteria of the WMI filter it will not receive ANY of the GPO settings.

11
Q

Loopback Processing (Merge or Replace)

A

There is a Computer GPO Administrative Template setting that overrides the normal GPO loading behavior at user logon. In “Replace” mode, when a user logs on to a loopback-mode computer, the GPOs loaded are the policies in the LDAP path of the Computer, not the User. This can enforce a kiosk-like, consistent configuration of settings. In “Merge” mode, the User’s settings are loaded, but the Computer’s path settings are also loaded, with the Computer’s path settings overriding the User’s.

12
Q

Slow Link Detection

A

If the computer detects a slow connection (by default less than 500 kbps, but the threshold can be changed or disabled), then certain portions of Group Policy, such as software deployment, will be skipped during Group Policy processing. Other portions of Group Policy, such as Security settings, cannot be skipped.

13
Q

Credential Caching

A

Users’ credentials are automatically cached locally, based on previous logon attempts, to enable the user to log on if a DC fails and authentication on the domain is not possible. If a user logs on using locally cached credentials, Group Policy settings are not applied.

14
Q

The configuration of Loopback Processing, Slow link detection, what will be loaded or skipped for a slow link, and Loopback Processing Mode are all configured in the following Administrative Template path:

A

“Computer Configuration\Administrative Templates\System\Group Policy”

15
Q

Creating a GPO

A

The GPMC provides a user-friendly interface that an administrator can use to create, view, and manage GPOs in an organization.

16
Q

Starter Group Policy objects derive from a Group Policy object (GPO),

A

allowing administrators to store a collection of configured Administrative Template settings.

17
Q

A new GPO built from a Starter GPO will begin with all of the Administrative Template policy settings and values that were defined by the

A

Starter GPO

18
Q

Starter GPOs can be exported to

A

other environments as needed.

19
Q

By default, only members of the Domain Admins, Enterprise Admins, or Group Policy Creator Owners (GPCO) groups can

A

create new GPOs and edit existing ones

20
Q

A member of the Domain Admins group can choose to delegate the authority for creating and managing a GPO to

A

other users or groups in that GPO’s domain.

21
Q

THE GROUP POLICY MANAGEMENT CONSOLE

Installing and Customizing the GPMC

A

The GPMC is a Microsoft Management Console (MMC) snap-in that you use in Windows Server 2008 R2 to configure group policy settings throughout various forests in an organization.

22
Q

GPMC

A

GROUP POLICY MANAGEMENT CONSOLE

23
Q

You can use the GPMC to perform several operations on GPOs, including the following:

A
  • Searching for GPOs in a forest
  • Backing up and restoring a GPO
  • Importing settings from a backed up GPO to an existing GPO in the same forest
24
Q

The GPMC enables you to plan the deployment of

A

a Group Policy using the Resultant Set of Policies (RSoP) data simulation, which is used to view the combined effect of a set of GPOs on systems and users.

25
Q

You can also use the GPMC to obtain

A

RSoP data and to troubleshoot Group Policy deployments.

26
Q

(RSoP)

A

the Resultant Set of Policies

27
Q

To launch the GPMC

A

use the Run dialog box, which you access by selecting Start - Run. Type gpmc.msc in the Open text box and click OK.

28
Q

The Group Policy Editor Window allows

A

administrators to navigate the topology of Computer and User settings in order to modify values that will be set in the particular group policy being edited.

29
Q

GROUP POLICY OBJECT TEMPLATES

A

Administrative Templates

30
Q

You are

A

doing it! You will pass with flying colors!

31
Q

Two types of Group Policy settings are stored in each GPO

A
  • user configuration and computer configuration settings
32
Q

In Windows Server 2008 R2, registry-based policy settings are stored as

A

ADMX files, which are XML-based and contain language-specific settings.

33
Q

In domain-based enterprises, ADMX files can be stored

A

in a central location, accessible to anyone with permission to create or edit GPOs.

34
Q

You can filter administrative templates using either of these two views:

A
  • The local view for a template modifies the view only for that template
  • The global view modifies the view for all administrative templates
35
Q

You can filter administrative templates based on their

A

type, using keywords, and, by using requirement filters, based on the platform or applications to which they apply.

36
Q

You can use a starter GPO to create multiple GPOs with the same baseline configuration

A

each new GPO inherits the template settings from the starter GPO.

37
Q

A security template is a

A

file that defines a security configuration that can be applied to a local computer, imported to a GPO, and used to analyze security.

38
Q

A security template does not

A

introduce new security parameters; it organizes the existing security attributes.

39
Q

A security template is a text file

A

It is a text-based file with an .inf extension that enables you to copy, paste, import, and export some or all the attributes of a template.

40
Q

Security templates can be used with

A

the Security Configuration and Analysis snap-in to examine a system for security holes or policy violations.

41
Q

You can use security templates to define the following:

A
  • Account Policies
  • Local Policies
  • Event Log Settings
  • Restricted Groups
  • System Services Settings
  • File and Registry Permissions
42
Q

You can download and install the GPOAccelerator from

A

Microsoft to obtain the predefined templates.

43
Q

The following are examples of the types of predefined security templates included with the GPOAccelerator:

A
  • Default Security (Setup security.inf)
  • Domain Controller Default Security (DC security.inf)
  • Compatible (Compatws.inf)
  • Secure (Secure*.inf)
  • Highly Secure (hisec*.inf)
44
Q

The secedit command-line tool is the command-line version of the

A

Security Configuration and Analysis snap-in.

45
Q

Configuring the .admx Central Store
Administrative templates are XML-based files with the file extension .admx that contain Group Policy settings definitions for

A

the Group Policy Editor in Windows Server 2008 R2

46
Q

.adm files.

A

The .admx files have replaced the original administrative template files, the .adm files.

47
Q

To take advantage of the benefits of .admx files, you must create a

A

“Central Store” in the SYSVOL folder of your domain controller.

48
Q

The Central Store is a location that is checked first by the

A

Group Policy Editor to define the available settings for an administrator to configure.

49
Q

The files that are in the Central Store are automatically

A

replicated to all domain controllers in the domain.

50
Q

When new Administrative templates are added for software such as Microsoft Office, or updated for new versions of the operating system, the templates only need to

A

be updated once in the Central Store, and all domain controllers will replicate the new version of the editor template automatically.

51
Q

The default location for .admx files is

A

the %SYSTEMROOT%\PolicyDefinitions folder

52
Q

Domain Controllers can be configured to replicate their Administrative Template .admx files using a

A

“Central Store” by creating a PolicyDefinitions folder (or copying the existing one) in the following location: %SYSTEMROOT%\SYSVOL\domain\policies\

53
Q

To copy the local Server 2008 R2’s existing policies and create a Central Store:

A

xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\"

54
Q

Deploying Software Using Group Policy

A

Together with AD DS and the Windows Installer, you can use Group Policy to install, maintain, publish, and remove software across an organization, site, or domain.

55
Q

Windows Installer is an

A

extensible software management and installation service.

56
Q

Using Group Policy, you can choose to

A

advertise a software package by assigning it to particular users or computers, or by publishing it to users.

57
Q

Using Group Policy,

A

  • Assigning software to a computer installs it at next boot.
  • Assigning software to a user only installs it at next logon if a special feature is enabled in the deployment settings. Normally this configuration will, at next logon, advertise shortcuts in the Start menu, enable document invocation of the file type, and make the software available in Add/Remove Programs (in Windows Vista and later, “Programs and Features”, “Install a program from the network”).
  • Publishing software to a user will only, at next logon, enable document invocation and software availability in the Control Panel.

58
Q

Configuring Software Packages

A

Using Group Policy, you can configure the properties of software before you deploy it. You can also use Group Policy to install patches or service packs (.msp), or to upgrade software you have already installed. Transform (.mst) files allow the same .msi file to be deployed twice, with different .mst files, as two different installations (e.g. one French dictionary, one English).

59
Q

PREVENTING SOFTWARE EXECUTION WITH GPOS

A

Software Restriction Policies
AppLocker
Configuring Security Settings
Restricted Groups

60
Q

Software Restriction Policies:

A

Software Restriction Policies (SRP) are designed to control the installation and execution of executable programs. Like a firewall, SRP can block all software execution except what is allowed, or allow all software execution except what is blocked. Rules can be defined by hash rule, certificate rule, path rule, or network zone rule.

61
Q

AppLocker:

A

A more advanced software prevention technology; it allows for auditing before deployment, import/export of rules, PowerShell management, and flexible certificate value rules (e.g. by product name, but not a specific version). It applies only to Windows 7 Enterprise and Ultimate and Server 2008 R2.

62
Q

Configuring Security Settings

A

Security templates in Windows Server 2008 R2 enable you to configure security-related policy settings. You can create custom security templates to suit your needs, or import and deploy an existing security template.
You use the Local Group Policy Editor to configure security for LGPOs. To configure security settings for AD GPOs, you use the Group Policy Management Editor.

63
Q

Restricted Groups

A

Restricted groups enable you to control the security and access settings for users in local and domain user groups. Using restricted groups, you can set desired membership for a user group without changing the parent group to which the user belongs. You can apply restricted group settings to a GPO as a group policy, provided the GPO is linked to AD.

64
Q

CONFIGURE ACCOUNT POLICY USING GROUP POLICY OBJECTS

You can protect your network from unauthorized users by

A

Implementing an Account Lockout Policy
Securing it with Strong Passwords
Password & Lockout Policies
Fine Grained & Lockout Policies

65
Q

Implementing an Account Lockout Policy

A

An account lockout policy locks a user account after an incorrect password is entered a specific number of times over a specified time period. An account lockout policy reduces the possibility of an attack on your network by repeated logon attempts.

66
Q

Securing it with Strong Passwords

A

A strong password uses alphanumeric characters as well as symbols, such as punctuation, to make it more complex. This minimizes the risk of guessing the password.

67
Q

Password & Lockout Policies

A

Password Policies and Lockout Policies that are set at the Domain level will affect all domain users. These include password length, complexity, the number of failed attempts before an account is locked out, and the duration of a locked out account. Any of these account policies that are set at a non-domain level will only affect the behavior of local accounts of the computers within the containers that receive these settings.

68
Q

Fine Grained & Lockout Policies

A

If an administrator wishes to have a different set of password and lockout standards for some users, whether more or less stringent than the domain standard, Password Settings Objects (PSOs) must be configured separately from Group Policies. This is done using the ADSI Edit utility by creating an msDS-PasswordSettings object in the “CN=System,CN=Password Settings Container” path. This launches a wizard that configures all of the standard settings except msDS-PSOAppliesTo, which must be configured manually to link the PSO to the user or group to which it should apply. User-linked PSOs supersede group-linked PSOs, and if more than one PSO applies to the same user via groups, the msDS-PasswordSettingsPrecedence attribute value of each PSO is compared: the PSO with the lowest value (highest precedence) wins, and that PSO in its entirety is applied to the user.

69
Q

The AD DS Auditing Features

A

In Windows Server 2008 R2, AD DS provides auditing features that enable you to monitor the movement, deletion, and modification of AD objects. AD DS maintains a log that stores old values for AD objects and their attributes, as well as new values when alterations are made.

70
Q

The controls used to incorporate auditing features in Windows Server 2008 R2 are:

A
  • Global audit policy
  • An SACL
  • A control schema
71
Q

Audit policies are security templates that must be enabled for particular auditing activities to be carried out. The following are audit policies that you can choose to configure:

A
  • Audit Logon Events
  • Audit Account Logon Events
  • Audit System Events
  • Audit Account Management
  • Audit Privilege Use
  • Audit Directory Service Access
  • Audit Object Access
  • Audit Policy Change
  • Audit Process Tracking
72
Q

Windows Server 2008 R2 introduces audit policy subcategories. This allows for auditing more

A

specific events, which returns less data that is easier to analyze.

73
Q

Configuring Audit Policies subcategories

A

You can use the auditpol command to display the current audit policy, display selectable policy elements, and set audit policy subcategories. Using this command you can disable auditing for the subcategories you do not want audited, or enable filtered auditing categories for only a user or group (e.g. only observe the logons of the helpdesk group). This command works locally, so the only way to deploy it with Group Policy is to create an auditpol script and deploy that with the GPO.

74
Q

Steps to configure a domain

A
  1. Install Windows Server
  2. Install DNS if there is not already one on the network
  3. Install ADS (dcpromo.exe) to add the AD DS role and promote the server
  4. Promote the server to a DC, which manages security authentication for requests from the domain
  5. Run dcpromo from the Run line
  6. Choose “Create a new domain in a forest”
  7. Enter the FQDN
  8. Choose the Windows Server function level
  9.
75
Q

Answer File that will install a new forest root domain consists of three parts

A
  1. Set the InstallDNS parameter to yes to install the DNS server role, and the NewDomain value to forest to say the new domain is the first DC in a new forest
  2. DomainNetBiosName is unique so that clients without AD DS can access the server
  3. Forest function level 3 sets it to 2008

Example:

[DCINSTALL]
InstallDNS={yes|no}
NewDomain={forest|tree|child}
NewDomainDNSName=FQDN_of_the_new_domain
DomainNetBiosName=NetBios_name
ReplicaOrNewDomain={replica|readonlyreplica|domain}
ForestLevel={0|2|3}
DomainLevel={0|2|3}
DatabasePath=%systemroot%\NTDS
LogPath=%systemroot%\NTDS
RebootOnCompletion={yes|no}
SYSVOLPath=%systemroot%\SYSVOL
SafeModeAdminPassword={password|none}
76
Q

To run installation File on windows 2008

A

Save it, then run it from the command prompt by using the dcpromo utility with the /unattend option followed by the path.

dcpromo /unattend:"c:\documents\answerfile"

To add the DC to an existing non-2008 AD domain, first run the adprep /forestprep utility, only once, on the DC that holds the schema master operations master role for every 2008 forest.

Admins belonging to the Schema Admins, Enterprise Admins, or Domain Admins groups can run the utility.

77
Q

To raise functional level

A

Open Active Directory Domains and Trusts.
Right-click your domain in the list and choose Raise Domain Functional Level.
Choose the functional level from the drop-down list
and click the Raise button.
Choose Change Settings on the right-hand side of the window.

78
Q

To add a computer to the domain

A

Computer, right click and choose properties,

79
Q

WAIK from Microsoft Download Center

A

Windows Automated Installation Kit

80
Q

SIM

A

System Image Manager in conjunction with WAIK

81
Q

WDS to automate deployment

A

WAIK, then SIM, then WDS to deploy the client.
Two unattend files are needed:
WDS client unattend file - permissions, etc.
Image unattend file - OS options

82
Q

dc promo prompts

A

dcpromo /? [{Promotion|CreateDCAccount|UseExistingAccount|Demotion}]

Promotion - returns all options during installation of AD DS
CreateDCAccount - returns all parameters you can specify while creating a read-only domain controller (RODC) account
UseExistingAccount - all parameters you can specify while attaching a server to an RODC account
Demotion - all parameters you can specify while removing AD DS from a domain controller

83
Q

Create a client unattend install

A

Copy the client unattend file to the RemoteInstall\WDSClientUnattend folder.

Then open the Windows Deployment Services Microsoft Management Console (MMC) snap-in from Start menu > Administrative Tools.

Right-click the domain you want to add the file to and choose Properties.

Choose the Client tab, check Enable unattended installation, and attach the file.

84
Q

To associate a client unattend file with a particular computer go to cmd prompt in admin level

A

Use the WDSUTIL command:

WDSUTIL /Set-Device /Device:<Device name>
[/ID:<ID>] [/ReferralServer:<Server name>]
[/BootProgram:<Path>] [/WDSClientUnattend:<Path>]
[/User:<User>] [/JoinRights:{JoinOnly|Full}]
[/JoinDomain:{Yes|No}] [/BootImagePath:<Path>]
[/Domain:<Domain>] [/ResetAccount]
85
Q

WDSUTIL Example

A

c:\users\administrator.easynomad>WDSUTIL /Set-Device /Device:"Computer12" /ID:"00-B0-57-58-2G-DV"
/WDSClientUnattend:"C:\WDSUserUnattend\unattend.xml"

86
Q

ADMT

A

Active Directory Migration tool

87
Q

Restructuring Domains with ADMT in the AD environment can involve two types of migration

A

Interforest migration - move resources between AD domains in different forests

Intraforest migration - move resources between AD domains in the same forest. Merging domains is also known as grafting, and the process of removing objects is known as pruning.

88
Q

PES

A

Password Export Server service - use before migration to other server levels.

It allows you to migrate passwords and SID history information; you first need to export the password key from the target domain.

89
Q

admtsetup.exe

A

program that loads ADMT

90
Q

Before running ADMT you must

A
  1. Assign proper permissions
  2. Create the target organizational unit (OU) structure
  3. Create two-way trusts
91
Q

ADMT Reports

Created in the windows\admt\logs folder on the DC where you installed ADMT in the target domain.

You can use the Retry Task wizard to troubleshoot migration failures.

A
Migrated User Accounts
Migrated Computer Accounts
Expired Accounts
Account References
Account Name Conflicts
92
Q

To use adprep

A

Copy the contents of the \sources\adprep folder on the 2008 DVD to an adprep folder on the schema master.

Run the utility from the command prompt in the adprep folder:

c:\adprep>adprep /forestprep

adprep /domainprep to prepare the forest for a 2008 DC

93
Q

In a multiple-domain environment, installing the infrastructure master role on the same server as the global catalog server will

A

can cause conflicts

94
Q

ldp tool (LDAP)

A

start, run

ldp and ok

95
Q

By default replication is scheduled between sites every

A

3 hours or 180 minutes

96
Q

Setup of DNS allows you to configure it by

A

Creating a forward or reverse look up zone
Setting the types of updates it must allow
Specifying whether queries must be forwarded and to which servers
Create Root Hints

97
Q

Multimaster Replication is

A

When schema objects like attributes, classes, and other objects are updated on a domain, these updates are replicated to all the other DCs in the directory schema.

It prevents separate DCs within a directory schema from holding inconsistent entries.

98
Q

FSMO flexible single Master Operations Role/Operations master

A

To ensure consistency of the schema and to prevent conflicting updates to the AD database, AD employs this role. A DC holds roles that affect only the domain in which it is located, or only the forest in which that domain is contained.

99
Q

AD assigns the following five operations master roles to a dc in each forest

A
  1. Domain Naming Master
  2. Schema Master
  3. Primary Domain Controller (PDC) Emulator - handles account lockouts and password changes
  4. Infrastructure Master - keeps GUIDs and SIDs updated across DCs
  5. Relative Identifier (RID) Master - a per-domain role, on a DC in each domain; it assigns a block of RIDs to each DC that uniquely identifies a group in a domain.
100
Q

FSMO to configure do the following:

A
  1. Leave the operations master roles on the first DC in the regional domain
  2. Ensure that the regional DC is not a global catalog server
  3. Deploy another domain controller to the domain in which the first domain controller is deployed. This additional DC will be the standby operations master
  4. Host the Primary Domain Controller (PDC) emulator operations master role on a powerful and reliable domain controller. This ensures that it has the availability and capacity to handle the workload.
101
Q

You change the default installation of the operations master roles by:

A
  1. Transferring roles
  2. Seizing roles - used when the DC is permanently out of service; otherwise you transfer the role. The preferred method is transferring, not seizing.
102
Q

Recommended best practice for operation roles placement in a large domain

A

The domain naming master and the schema master role should remain together on the same domain server.

The Relative ID Master and the PDC emulator should stay together as well. If you experience performance issues, the PDC can be placed on a third DC.

The domain naming role is on the same server as a global catalog server because the global catalog contains the information on objects that the role needs.

103
Q

The infrastructure Master role must not be assigned along with what type of server?

It updates object references outside of the domain it is installed on and replicates the data to other DC

A

Global Catalog Server - if installed on a global catalog server it will not find the object references

104
Q

AD replication can be configured, to ensure replication to the other DCs, using a

A

persistent connection, which ensures that replication is automatically performed after a specified interval. Use the Active Directory Sites and Services snap-in to configure the interval.

You can also use an on-demand connection with reciprocal replication, a two-way process between a receiver and a sender. Use the AD Service Interfaces (ADSI) Edit tool on a DC to configure this.

105
Q

In order to change roles assigned to a DC (operation roles) you must have the following rights

A

Change Domain Master right - Enterprise Admins group by default
Change Schema Master right - Schema Admins group by default
Change PDC right - Domain Admins
Change RID Master right - Domain Admins
Change Infrastructure Master right - Domain Admins

106
Q

What service will stop the operations master from performing its job?

A

DNS

107
Q

InetOrgPerson object is derived from the user class

A

It acts as a security principal in the same way as other user classes. This object enables an administrator to easily migrate user accounts from third-party directories into AD.

Create it by going into Active Directory Users and Computers, accessing the server folders, right-clicking Users, choosing New, and then choosing InetOrgPerson. When creating it, “User must change password at next logon” is the default, and you have to uncheck Account is disabled.

108
Q

To easily remove a DC from a domain

A

Remove AD DS; if you remove the last DC, you have to remove the whole environment.

You can use:

  1. the windows interface
  2. unattended installation parameters
  3. an answer file
109
Q

remove a dc from a domain answer file

A
[DCINSTALL]
UserName=Administrator
UserDomain=easynomadtravel.com
Password=password123
AdministratorPassword=password123
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=Administrator
DNSDelegationPassword=password123
110
Q

What is the default protocol for trusts in Server 2003, 2008 and Vista?

A

Kerberos 5

111
Q

Transitive Trust

A

Can be extended beyond the two domains in which it is formed. It is used to establish trust in multiple-domain environments, flows from the bottom to the top in a domain hierarchy, and has trusts between all domains. A child gets trust upward, which allows the trust path to expand. This trust is established by default in a 2008 forest when a new domain is created.

112
Q

Nontransitive trust

A

Limited to the two domains it exists between; it cannot be extended to any other domain. Nontransitive trusts are one-way by default; you get a two-way trust by creating two one-way trusts.

113
Q

Windows NT 4.0 domains by default use a nontransitive

A

one-way trust

114
Q

The 4 types of trusts you can create in Windows Server 2008

A

External Trusts
Forest Trusts
Realm Trust
Shortcut Trust

115
Q

External Trusts

A

Nontransitive
One-way or two-way
Enables users to access resources stored in domains of a separate forest. Also provides access to resources in a Windows NT 4.0 domain.

AD DS creates a foreign security principal object in the internal domain to represent each security principal from the trusted external domain. The foreign security principal can be made a member of the internal domain's domain local groups and is thereby allowed to access the domain's resources.

116
Q

Forest Trusts

A

Transitive (between all domains of the two forests)
One-way or two-way
Created between two forest root domains to let users share resources across different forests. Requires a forest functional level of Windows Server 2003 or higher.

Good for merger or acquisition scenarios and for application service providers.

117
Q

Realm Trusts

A

Transitive or nontransitive
One-way or two-way
Between a Windows Server 2008 domain and a non-Windows Kerberos realm.

This provides cross-platform interoperability with security services based on other implementations of the Kerberos V5 protocol.

118
Q

Shortcut trust

A

Transitive
One-way or two-way in 2008
Used when users of one domain regularly log on to other domains within the same forest. Makes authentication between the two domains faster and more efficient, especially when they are in different domain trees. Normally an authentication request first travels the trust path up through the parent domains to the forest root and down again, which takes time; a shortcut trust shortens that path.

119
Q

Netdom command line tool

netdom trust

A

Enables you to create, verify, reset and remove domain trust relationships from the command line.
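Added example (not from the flashcards): create a one-way external trust with netdom, turn on the two hardening options every external trust should have, and verify it. The domain names and accounts are assumptions; run from an elevated prompt on a DC of the trusting domain as a Domain Admin.

```powershell
# Added example: external trust lifecycle with netdom. corp.example.com and
# partner.example.net are assumed names.
$trusting = "corp.example.com"     # our domain: will accept accounts from the partner
$trusted  = "partner.example.net"  # their domain: the accounts come from here

# One-way, nontransitive external trust: corp trusts partner. Omitting /twoway keeps it one-way.
# The * makes netdom prompt for the passwords instead of leaving them in shell history.
netdom trust $trusting /domain:$trusted /add /userD:"PARTNER\Administrator" /passwordD:* /userO:"CORP\Administrator" /passwordO:*

# SID filtering (quarantine): drop any SID in the partner's tokens that does not belong to the
# partner domain, so a compromised partner DC cannot inject our SIDs via sIDHistory.
netdom trust $trusting /domain:$trusted /quarantine:Yes

# Selective authentication: partner users reach only the servers where they have been granted
# "Allowed to Authenticate", instead of becoming Authenticated Users on every machine.
netdom trust $trusting /domain:$trusted /selectiveAUTH:Yes

# Verify the secure channel, then the Kerberos path (card 110: Kerberos V5 is the default)
netdom trust $trusting /domain:$trusted /verify
netdom trust $trusting /domain:$trusted /verify /kerberos /userO:"CORP\Administrator" /passwordO:*

# Enumerate every trust this domain has, with direction and transitivity flags
nltest /domain_trusts /all_trusts
```

Grant the partner's groups access on the resource side afterwards, via the foreign security principals that appear in the domain local groups.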

120
Q

An RODC suits a branch office with the following characteristics

A
  1. A limited number of users
  2. Low physical server security
  3. Low-bandwidth connections to a hub site
  4. Little local IT knowledge
  5. The RODC itself, by default, stores no account passwords and does not let any user or admin update the directory database directly (writes are referred to a writable DC)
121
Q

Benefits of RODC are

A

Improved Security
Improved Connectivity
Improved Efficiency

122
Q

PRP

A

Password Replication Policy: the per-RODC allowed and denied lists that control which accounts' secrets (passwords) may be cached on that RODC. The denied list (Domain Admins, Enterprise Admins and the other protected groups by default) wins over the allowed list.
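Added example (not from the flashcards): inspect and scope an RODC's PRP with the 2008 R2 Active Directory module, then audit which credentials are actually cached and flag any that belong to a protected group. RODC01 and the Branch01 group names are assumptions.

```powershell
# Added example: PRP hygiene for one RODC. RODC01 and the Branch01-* groups are assumed names.
Import-Module ActiveDirectory
$rodc = "RODC01"

# Allowed list: accounts whose secrets may be cached. Denied list wins and holds the
# protected groups by default; never touch that default.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Scope caching to the branch's own users and computers. Adding "Domain Users" or
# "Authenticated Users" would turn a stolen RODC into a domain-wide password dump.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Branch01-Users","Branch01-Computers"

# Audit: anything cached that is also in a protected group is a privileged credential
# sitting on a low-security box.
$protected = "Domain Admins","Enterprise Admins","Schema Admins","Administrators","Account Operators","Server Operators"
$protectedMembers = $protected |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty DistinguishedName -Unique

$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$exposed  = $revealed | Where-Object { $protectedMembers -contains $_.DistinguishedName }
if ($exposed) {
    "PRIVILEGED CREDENTIALS CACHED ON $rodc :"
    $exposed | Select-Object Name, DistinguishedName
    # Remediation: remove them from the allowed list and reset their passwords so the cached
    # secret is dead. repadmin does the same: repadmin /prp delete $rodc reveal <account>
} else {
    "No protected-group members cached on $rodc"
}

# Accounts that authenticated through this RODC but were forwarded to a writable DC
# (not cached): candidates for the allowed list if they are branch users.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object Name
```

If the RODC is ever stolen, delete its computer account in Active Directory Users and Computers and take the option to reset the passwords of every revealed account.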

123
Q

RODC Filtered attribute set

A

Any attribute in this set is not replicated to RODCs (for example application-stored credentials). It is a dynamic set of attributes defined in the schema: an attribute joins it when the RODC filtered attribute set bit (0x400) is set in its searchFlags.

Mark such attributes confidential as well (searchFlags bit 0x200): this removes the default read permission so that only explicitly granted principals can read the credential-like data, and it protects the data on writable DCs too, which the filtered attribute set alone does not.

124
Q

KDC

A

Key Distribution Center. An RODC is a KDC for the remote site and handles ticket requests from the site's computer and user accounts, using its own krbtgt account (krbtgt_NNNNN) so that a compromised RODC cannot forge tickets that other DCs accept. Caching of account secrets does not happen by default; you enable it per account or group through the PRP.

125
Q

Multiple RODCs at same site

A

Supported only if they belong to different domains (not two RODCs of the same domain in one site).

126
Q

Before you deploy an RODC you need Windows Server 2008 in place

A

The PDC emulator of the domain must run Windows Server 2008: only a 2008 PDC emulator can create the RODC's special krbtgt account.

  1. A Global Catalog server (a writable Windows Server 2008 DC in the same domain for the RODC to replicate from)
  2. A Password Replication Policy (PRP) for the RODC
     AD DS must be installed with the RODC option

The forest functional level has to be Windows Server 2003 or higher.

127
Q

Run adprep /rodcprep

Requires membership in the Enterprise Admins group

A

Updates the permissions on all DNS application directory partitions in the forest so that the required partitions replicate to every RODC that is also a DNS server. Run it once per forest before installing the first RODC.

128
Q

Are DNS and Global Catalog installed on an RODC by default?

A

Installed: both options are selected by default in the RODC installation wizard (the DNS server on an RODC hosts read-only copies of the AD-integrated zones).

129
Q

AD RMS new features in 2008

A

Improved installation and administration: installed as a server role
Integration with Active Directory Federation Services (AD FS)

Self-enrollment of AD RMS servers
New AD RMS administrative roles (local groups):
1. AD RMS Enterprise Administrators
2. AD RMS Template Administrators
3. AD RMS Auditors
130
Q

AD RMS installation

A

The installing account must have write permission to the AD DS container in which AD RMS registers its service connection point (SCP) during install; the SCP is what lets clients find the AD RMS cluster.

Should have its own database (a separate SQL server) for configuration and logging information.

131
Q

AD RMS Processes

A

Licensing rights-protected information
Acquiring licenses to decrypt rights-protected content and applying usage policies
Creating rights-protected files and templates

132
Q

Other AD server roles to include

A
AD LDS (Lightweight Directory Services, LDAP)
AD FS (Federation Services)
AD CS (Certificate Services)
133
Q

AD LDS features

A

A directory service solution (LDAP without the domain infrastructure)
Compatibility with AD DS
Multiple independent instances on one server
Security principals and access controls

134
Q

AD FS new features that reduce admin support to key apps

A

Installation: new validation checks run during the install to ensure the required components are present

Application support: integrated with Office SharePoint Server 2007 and AD RMS for improved compatibility

Establishment of federated trusts: you do not need to create an AD trust with the external forest. You can export and import the trust policy settings as an XML file that includes everything needed to create the federated trust, which reduces configuration.

135
Q

AD CS

A

Binds a user's, computer's or service's identity to a public key (a certificate) used for encryption, signing and authentication.

Responsible for issuing certificates to users, computers and services.

The certificate revocation list (CRL) lists certificates the CA has revoked before their expiry date (expired certificates are simply no longer valid and are not listed). Clients download the CRL to check a certificate's status; alternatively an online responder (OCSP) answers a status query for a single certificate.

After evaluating the request the online responder sends back a signed response (good, revoked or unknown).

136
Q

PKI

A

Public Key Infrastructure

A system of digital certificates, certification authorities (CAs) and registration authorities that verify and authenticate the validity of each party in a transaction.

137
Q

Every Certificate has the following values

A
Serial number (unique per issuing CA)
Version (X.509 v1, v2 or v3)
Signature algorithm identifier
Issuer name
Validity period (not before / not after)
Subject name
Subject public key
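Added example (not from the flashcards): read the fields listed above from a certificate in the local machine store, then validate its chain and revocation status the way a Windows client does, via the CRL distribution point or the OCSP online responder. Which certificate gets picked is an assumption; select one by thumbprint in practice.

```powershell
# Added example: certificate fields, chain and revocation check. Picks the first cert in
# the machine store (assumption); use Where-Object Thumbprint -eq ... for a specific one.
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1

# The fields from the card, as exposed by .NET's X509Certificate2
New-Object PSObject -Property @{
    SerialNumber       = $cert.SerialNumber
    Version            = $cert.Version                         # 3 for anything carrying extensions
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName # e.g. sha1RSA; sha256RSA with a CNG CA
    Issuer             = $cert.Issuer
    ValidFrom          = $cert.NotBefore
    ValidTo            = $cert.NotAfter
    Subject            = $cert.Subject
} | Format-List

# Chain validation (card 139): leaf -> subordinate CA(s) -> root CA in the trusted root store,
# with an online revocation check for every element, not just the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
"Chain valid: $valid"
$chain.ChainElements | ForEach-Object { "  element: " + $_.Certificate.Subject }
# Status values to watch: Revoked (on the CRL), RevocationStatusUnknown / OfflineRevocation
# (CRL or OCSP unreachable: a failure to check, not a pass)
$chain.ChainStatus | ForEach-Object { "  status : $($_.Status) - $($_.StatusInformation)" }

# certutil shows exactly which CRL and OCSP URLs were fetched and what each answered
$cerFile = Join-Path $env:TEMP "leaf.cer"
[IO.File]::WriteAllBytes($cerFile, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
certutil -verify -urlfetch $cerFile
```

A chain that only fails with RevocationStatusUnknown usually means the CDP or OCSP URL in the certificate is not reachable from this host, which is a PKI deployment problem rather than a bad certificate.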
138
Q

Secure communication requires

A

Authentication
encryption
digital signatures

139
Q

Certificate Chain

A

Certificates issued by a subordinate CA are trusted if the root CA at the top of the chain is trusted: the client validates each certificate's signature up the chain until it reaches a root CA certificate in its trusted root store.

140
Q

server 2008 can be configured as the following CA types

A

Enterprise CA: can be a root or a subordinate; only one root is permissible per CA hierarchy. Requires AD DS. Uses the advanced, customizable certificate templates, can issue automatically (autoenrollment) and publishes its certificates and CRLs to AD DS.
Standalone CA: uses basic certificate types that cannot be modified (no templates); may or may not be a member of an AD DS domain. Information is stored locally and it does not respond to certificate requests automatically: requests wait in a pending queue and the admin must approve or deny each one manually (the safer setting for an offline root). Can be a root and can have subordinate CAs.

141
Q

AD CS Configuration

A

Install the Active Directory Certificate Services role; the first CA to set up is the root CA, through the
Certification Authority role service

142
Q

AD CS Features include

A

Support for Cryptography Next Generation (CNG)
Use of the Online Certificate Status Protocol (OCSP) through the Online Responder role service
The Network Device Enrollment Service (NDES)
Web enrollment
Support for policy settings (certificate-related Group Policy)
A restricted enrollment agent
Support for enterprise PKI management (the PKIView tool)

The Server Core installation of Windows Server 2008 does not support AD CS (support was added in Windows Server 2008 R2).

143
Q

AD RMS includes

A

Enhanced installation and administration (server role; automatically configures the Windows Internal Database as the AD RMS configuration and logging database if no SQL server is specified)
Self-enrollment
Integration with AD FS
Improved delegation (administrative roles)
Licensing of rights-protected information (RAC: Rights Account Certificate, issued to each user)

144
Q

AD RMS and AD DS good practice

A

Create AD security groups for each of the AD RMS administrative roles and add them to the respective local security groups on the AD RMS server.

Use a separate database server for the AD RMS configuration and logging databases, in which all configuration and logging information is stored.

To use AD FS with AD RMS you must already have the federated trusts with your external partners in place before you install AD RMS.

You need to log off and back on after the installation before your account can open the Active Directory Rights Management Services console (the new group memberships take effect at logon).

145
Q

AD FS (SSO -single sign on)

A

A server role that lets users access web applications in another forest or network without supplying secondary credentials to the web server.

It establishes a federated trust between two organizations and gives users single sign-on to the partner's applications.

146
Q

B2B

A

Business to Business (AD FS)
Resource organization (resource partner): hosts the web applications and resources
Account organization (account partner): hosts and manages the user accounts; its federation server issues the security tokens (claims) the resource side accepts, and the web agent then uses cookies to keep the user's session after the initial token exchange

147
Q

AD FS has 2 types of services

A

The Federation Service and the AD FS Web Agents, which exchange security tokens (an optional Federation Service Proxy fronts the Federation Service in the perimeter network)

148
Q

Security Token usually has the following info

A

name, password, key, certificate, group and privileges

149
Q

Claim Aware Agent

A

An AD FS Web Agent that lets a claims-aware ASP.NET application query the claims carried in the AD FS security token.

150
Q

AD FS Configuration for servers

A

Minimal: an AD DS domain controller and one or more servers running the AD FS role in each domain (account and resource).

After the servers join the domain, run the AD FS role installation using a domain admin account.

151
Q

The following steps have to be completed when installing AD FS

A
  1. Install AD FS and the AD FS Web Agents
  2. Configure IIS on the federation servers
  3. Create and export the required certificates to configure the web and federation servers
  4. Configure the Federation Service on the servers in both the resource and the account domain
  5. After the install, configure IIS to require SSL on the federation servers of the resource and account domains:
    a. Administrative Tools, IIS Manager
    b. click the AD FS server in the Connections pane
    c. double-click the Default Web Site
    d. open the SSL Settings icon
    e. tick Require SSL (optionally Require 128-bit SSL) and choose whether client certificates are ignored, accepted or required
  6. Create a self-signed server certificate in IIS Manager (acceptable for a test lab; use a CA-issued certificate in production, since clients cannot validate a self-signed one)
152
Q

After configuring AD FS and the IIS security level you need to create and export the required certs to configure the web and federation servers.

A
  1. Create a self-signed server authentication certificate for the web server
    a. select the server in the Connections pane of the IIS Manager console
    b. choose the Server Certificates icon
    c. click Create Self-Signed Certificate, enter a friendly name and click OK
  2. Export the token-signing certificate of the account domain's federation server to a file: Administrative Tools, Active Directory Federation Services, right-click the server, Properties, view the certificate, Details tab, Copy to File, and follow the export wizard. It is later imported into the resource domain's federation server.
  3. To allow trusted communication between the web server and the federation server of the resource domain, export the server authentication certificate from the federation server to a file
    a. open the IIS Manager console
    b. Server Certificates icon
    c. right-click the certificate and select Export, then follow the wizard
  4. Import the federation server's server authentication certificate on the web server
    a. run mmc from the Run box
    b. File, Add/Remove Snap-in
    c. choose Certificates, click Add, and import the file into the appropriate store
  5. Import the account domain's token-signing certificate (exported in step 2) on the resource domain's federation server so that tokens signed by the account partner are trusted.
153
Q

After installing FS and IIS and setting up certificates and trust you need to configure the IIS server further to enable secure certs using data encryption

A

HTTPS on a particular port with the appropriate SSL certificate (a site binding)

  1. Click the server name in the left pane, then Bindings in the right-hand Actions pane; add an https binding, select the certificate, and click OK.
  2. Then configure the claims-aware application:

right-click the Default Web Site and choose Add Application
a. create a new folder under C:\inetpub\wwwroot, place the application's default.aspx, web.config and default.aspx.cs files in it, and point the new application at that folder in the IIS Management Console

154
Q

To create an AD FS Server you need to :

A
  1. Configure the trust policy for the server
  2. Create group claims for the appropriate claims-aware application
  3. Add and configure an AD DS account store
155
Q

What features of AD RMS are included in server 2008

A
  1. Integration with AD FS
  2. The self-enrollment of AD RMS servers
  3. An improved installation and administration experience
  4. AD RMS administrative roles
156
Q

To use WSRM (Windows System Resource Manager) you need to

A

Install it and start the service.

WSRM lets you manage system performance by controlling the allocation of CPU and memory among processes; it uses resource allocation policies (and specific allocation algorithms) to divide resources between processes, services or users so that one workload cannot starve the others.

Install it from Server Manager as a feature.

To activate it, find Windows System Resource Manager in the Services list and start the service.

Separately, Server Manager's Diagnostics node contains Reliability and Performance, which collects data through 3 tools:
Resource Overview
Performance Monitor
Reliability Monitor

157
Q

RSop access

A

Start, Run, rsop.msc

Runs in 2 modes:
Logging mode: reports the policy settings actually applied to an existing user and the computer they are logged on to
Planning mode: simulates the RSoP for policy settings you intend to apply to users and computers, so you can test the effect of policies before applying them (requires a DC to perform the simulation)

To launch planning mode from Active Directory Users and Computers:
select the user (or computer)
Action, All Tasks, Resultant Set of Policy (Planning); the results display in the RSoP console

158
Q

AD DS maintenance task when AD DS is running is known as

A

online maintenance tasks

and offline maintenance tasks when it is stopped

Earlier server versions required booting into Directory Services Restore Mode (F8 during startup) for offline tasks; 2008 still supports that but has a better way, restartable AD DS: open Services and stop the Active Directory Domain Services service.

While AD DS is stopped, AD DS and the AD-integrated DNS zones no longer function on that server, but unrelated services such as DHCP keep running.

159
Q

defragmentation

A

Online: runs automatically every 12 hours (the garbage collection interval) on the AD database while AD DS is running; it reclaims space inside the database but never shrinks the ntds.dit file on disk.

Offline (aka compaction): removes white space from the database and shrinks the ntds.dit file, so it can free up disk space. Requires AD DS to be stopped (or DSRM).

To start it, open an elevated command prompt and run ntdsutil.exe
at the ntdsutil prompt type: activate instance ntds
at the next prompt type: files
at the file maintenance prompt specify where the compacted ntds.dit is to be written: compact to drive:\path (double-quote the path if it contains spaces; use a UNC path only if compacting to a shared folder on a remote computer)

Exit the utility by typing quit at the file maintenance prompt and again at the ntdsutil prompt.

Then delete the old transaction log files, which no longer match the new database: del drive:\pathtologfiles\*.log, and copy the compacted ntds.dit into the local %systemroot%\NTDS folder.

Best practice: rename the original ntds.dit first rather than overwriting it, so you can revert if needed: copy drive:\path\ntds.dit originaldrive:\path\ntds.dit

Then check the integrity of the new file:
ntdsutil, activate instance ntds
file maintenance prompt: files
type: integrity (it must report that the integrity check completed successfully before you go on)

The process is complete; restart the AD DS service.

160
Q

The ntds.dit database file stores the directory data for AD DS. Any change to the directory is written to the transaction log files before it is committed to the database, the ntds.dit file.

A

By default ntds.dit and the transaction logs are stored on the same disk in %systemroot%\NTDS; for performance it is preferable to put the two on different physical disks.

Free space needed on the destination when moving: if the database and logs go to two separate partitions, each needs at least 500 MB or 20% of the file size, whichever is greater.

If both go to the same partition, it needs at least 1 GB or 20% of the combined file size, whichever is greater.

Once the size is confirmed, back up the system state data with the Windows Server Backup utility before moving anything.

161
Q

To move ntds.dit (and the logs) and simultaneously ensure that the registry is updated, use ntdsutil.exe

A

The utility updates the path values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

If you move the files by hand without the registry changes, AD DS looks for the database and logs in the old location and fails to start, and mismatched log and database paths can leave the database inconsistent.

162
Q

Check the sizes of the files

A
Open a command prompt
cd %systemroot%\NTDS
dir
Find ntds.dit and the *.log files in the listing and add their sizes together to work out the free space you need.
163
Q

to move the files ntds.dit and logs

A

Stop AD DS (net stop ntds, or stop the service in the Services console)
At the ntdsutil prompt activate the ntds instance, then enter the file maintenance prompt (files)

type: move db to drive:\path
move logs to drive:\path

Then perform a backup of the system state (the earlier backup references the old paths).

Set permissions on the new folders holding the files: the Administrators group and SYSTEM both need Full Control, and turn off inheritance so that permissions inherited from the parent folder do not override your changes.
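Added example (not from the flashcards): the offline defragmentation from card 159 and the move from cards 160 to 163 as one script, using restartable AD DS on Windows Server 2008. The drive letters, folders and the E: backup target are assumptions; run it from an elevated prompt on the DC and read ntdsutil's output at each step.

```powershell
# Added example: offline compaction of ntds.dit, then moving the database and logs to
# dedicated volumes. D:\Compact, D:\NTDS, L:\NTDSLogs and backup target E: are assumptions.
$compactDir = "D:\Compact"
$newDb      = "D:\NTDS"
$newLogs    = "L:\NTDSLogs"
$ntds       = "$env:SystemRoot\NTDS"          # default location of ntds.dit and *.log
New-Item -ItemType Directory -Path $compactDir, $newDb, $newLogs -Force | Out-Null

# Rollback point first (card 167), while AD DS is still running
wbadmin start systemstatebackup -backupTarget:E: -quiet
if ($LASTEXITCODE -ne 0) { throw "system state backup failed ($LASTEXITCODE); not touching the database" }

# Restartable AD DS: -Force also stops dependents (DNS Server, KDC, ...)
Stop-Service NTDS -Force

# ntdsutil takes its interactive prompts as quoted arguments; each quit backs out one level.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

# Swap the compacted file in, keeping the original until the integrity check passes.
# The old transaction logs belong to the old file and must go.
Rename-Item "$ntds\ntds.dit" "ntds.dit.old"
Remove-Item "$ntds\*.log"
Copy-Item "$compactDir\ntds.dit" "$ntds\ntds.dit"
ntdsutil "activate instance ntds" files integrity quit quit     # must report a successful integrity check

# Move: ntdsutil rewrites HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters for you (card 161)
ntdsutil "activate instance ntds" files "move db to $newDb" "move logs to $newLogs" quit quit

# Lock down the new folders: Administrators and SYSTEM full control, inheritance off (card 163)
foreach ($dir in $newDb, $newLogs) {
    icacls $dir /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"
}

Start-Service NTDS
Get-Service NTDS, DNS | Format-Table Name, Status -AutoSize

# Only once AD DS is back and replicating: drop the pre-compaction copy and take a fresh
# backup, because the earlier one still points at the old paths.
Remove-Item "$ntds\ntds.dit.old"
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

If the integrity check fails, stop there: rename ntds.dit.old back to ntds.dit, restore the log files from the backup and start AD DS; never start the service on a database that failed the check.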

164
Q

Windows Server 2008 backup

Windows Server Backup is available on all installation options; on Server Core there is no GUI, so you must use the command-line utility.

Backups of a DC automatically include the system volume (critical volumes).

A

From the Windows Server Backup MMC snap-in, or

the wbadmin command-line tool

On a DC the critical items (not including data volumes) are: boot files, the OS, the registry, the SYSVOL tree,

the AD database and its log files

Can back up to:

a shared folder
DVD or other removable or optical media: the media must have 1 GB or more free or it is not detected as available, and you cannot recover individual items from it
internal hard disk: can do everything from it, including system state
external hard disk: can do everything, including system state, and can be moved off-site for disaster recovery protection

165
Q

VSS - Windows Server Backup uses Volume Shadow Copy Service

A

Takes snapshots (shadow copies) of the volumes being backed up, so open files are captured consistently.

Once the first full backup has completed, each later scheduled backup saves only the blocks that changed since the last backup, although any backup can be restored as if it were full.

Choose a VSS copy backup rather than a VSS full backup if you want applications' log files left intact: a full backup tells VSS-aware applications that they may truncate their logs; a copy backup does not.

Allows for point-in-time (shadow) copies of data.

Shadow Copies of Shared Folders feature: lets users access and recover previously saved versions of files or folders on a file server. It is enabled per volume, not for single files or folders; configure it from the volume's properties or the Shared Folders MMC snap-in.

166
Q

limitations of Windows Server Backup

A

Support only for NTFS
need to reconfigure settings when upgrading
use of a separate disk for scheduled backups
lack of support for tape as a storage medium
incompatibility with Ntbackup.exe

167
Q

wbadmin

A

wbadmin start systemstatebackup -backupTarget:<VolumeName> [-quiet]
In Windows Server 2008 the target has to be a locally attached disk (not a network share) to back up the system state.
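Added example (not from the flashcards): take the system state backup from the command, then prove a restorable version exists by reading the version identifiers back and listing what the latest one contains, which is the check you want before a maintenance window. The E: target is an assumption.

```powershell
# Added example: system state backup plus verification. E: is an assumed local volume
# that is not one of the critical volumes.
$target = "E:"

wbadmin start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "system state backup failed with exit code $LASTEXITCODE" }

# wbadmin get versions prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup;
# that identifier is what systemstaterecovery needs later (card 173).
$ids = wbadmin get versions -backupTarget:$target | ForEach-Object {
    if ($_ -match '^Version identifier:\s*(\S+)') { $matches[1] }
}
if (-not $ids) { throw "no backups found on $target" }
$latest = @($ids)[-1]
"Latest backup version: $latest"

# Confirm the latest version actually holds the system state (and nothing unexpected)
wbadmin get items -version:$latest -backupTarget:$target

# Two-line drill to keep handy: what you would run in DSRM to use this version
"wbadmin start systemstaterecovery -version:$latest -backupTarget:$target -quiet"
```

Keep at least one copy of the backup off the DC; a system state backup on the only volume of the machine it protects is not a recovery plan.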

168
Q

Simplified Restoration

A

Can choose individual items (files, folders, volumes, applications) to restore
Manages data retrieval from the full and incremental backups for you

In 2008 you select the backup to restore by date (the version identifier)

169
Q

Simplified OS recovery

A

Windows RE (Windows Recovery Environment) tools

Windows RE together with a Windows Server Backup image allows full OS recovery

170
Q

Shadow Copies of Shared Folders allows you to :

A

Recover a file that has been accidentally deleted.
Recover a file that has been overwritten
Compare versions of a file

171
Q

3 windows RE tools

A

Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

The Command Prompt tool gives you a command prompt on a server that will not boot normally.

172
Q

Before you can perform a full server recovery you need:

A
  1. A full server backup on a hard disk, DVD or network share
  2. The OS DVD, or Windows RE installed on a partition separate from the DC's critical partitions
  3. If restoring to new hardware, enough disk space to hold all the recovered data
173
Q

Nonauthoritative restore

A

Used for a single DC: after the restore, normal replication updates the restored DC with the current AD data held by the other DCs (everything that changed since the backup).

With DFSR (Distributed File System Replication) hosting SYSVOL, a nonauthoritative restore of SYSVOL is done by default.

To use the command-line utility, restart the DC and press F8 for the advanced boot options.

To restore the AD database select Directory Services Restore Mode.

When prompted to log on, log on locally with the DSRM administrator account (.\Administrator and the DSRM password) rather than a domain account.

wbadmin get versions (to find the version identifier of the backup)

wbadmin start systemstaterecovery -version:<identifier> performs the nonauthoritative restore

174
Q

Bcdedit.exe

A

Can configure the server to boot automatically into Directory Services Restore Mode by setting the safeboot value to dsrepair in the boot configuration; delete the value afterwards to boot normally.

175
Q

After restoring AD DS on a DC you need to do the following to verify that the process was successful.

When the DC reboots, AD DS and AD CS automatically detect the recovered data, perform an integrity check and re-index the AD database.

A
  1. The restored directory contains all the user and group objects that were present when the backup was created
  2. All members of an FRS replica set and the certificates issued by AD CS are present in the restored backup
  3. Synchronization of the Windows Time service (W32time) is correct
  4. The NETLOGON and SYSVOL shares are shared properly
  5. The preferred DNS server address is configured properly
  6. The host (A) and service (SRV) resource records are registered correctly in DNS
176
Q

wbadmin get versions

A

Lists the backups available, with the version identifier you pass to the restore command

177
Q

systemstaterecovery

A

wbadmin start systemstaterecovery is the command to restore the system state of a DC, for example the DC named IW-DC7 in the course scenario

178
Q

Authoritative Restore

A

Used when there are multiple DCs and you need restored objects (for example a deleted OU) to win over the copies held by the other DCs.
SYSVOL: use the -authsysvol switch with the wbadmin systemstaterecovery command to make the restored SYSVOL authoritative.

Don't use it to restore the whole database when recovering a DC; restore only the objects that were lost.

Done with ntdsutil after the nonauthoritative restore and before rebooting: the version numbers of the restored objects are raised so that they are seen as more recent than the copies on the other DCs; that information then propagates to the other DCs in the domain, which overwrite their copies.

ntdsutil: activate instance ntds
authoritative restore: restore object "OU=test,DC=easy,DC=com" (or restore subtree to bring back the OU and everything beneath it)
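Added example (not from the flashcards): the full sequence from cards 173, 174 and 178 for bringing back a deleted OU: boot into DSRM with bcdedit, restore the system state nonauthoritatively, mark only the OU subtree authoritative, and return to normal boot. The backup version, target volume and OU are assumptions.

```powershell
# Added example: authoritative restore of one OU. Backup version 04/02/2010-13:00 on E:
# and OU=test,DC=easy,DC=com are assumptions.

# Step 1 (normal mode, elevated): force the next boot into Directory Services Restore Mode
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# Step 2 (in DSRM, logged on as .\Administrator with the DSRM password, not a domain account):
# find the version, then restore it nonauthoritatively. Add -authsysvol only if SYSVOL
# content (scripts, GPO templates) must also win over the other DCs.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:04/02/2010-13:00 -backupTarget:E: -quiet

# Step 3 (still in DSRM, before rebooting): mark just the lost subtree authoritative.
# ntdsutil raises the version numbers of those objects so the other DCs accept them
# on replication; everything else on this DC stays nonauthoritative and is refreshed
# from the other DCs. "restore database" would make the whole directory authoritative
# and roll back every change made since the backup, on every DC.
ntdsutil "activate instance ntds" "authoritative restore" 'restore subtree "OU=test,DC=easy,DC=com"' quit quit

# Step 4: back to normal boot. AD DS re-indexes, then replicates in what it missed.
bcdedit /deletevalue safeboot
Restart-Computer -Force
```

After the reboot, verify with the card 175 checklist and check group memberships of the restored users: links to groups outside the restored subtree may need the LDIF files ntdsutil writes next to the restore.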

179
Q

net stop ntds command

A

stops the AD Service from a command prompt

180
Q

ntdsutil

A

Manages operations master roles, the schema, the AD database and snapshots; it has to be run from an elevated command prompt.

181
Q

netdom

A

to manage domains and trusts in AD

182
Q

dsdbutil

A

Database maintenance for AD LDS instances (the AD LDS counterpart of ntdsutil)

183
Q

dnscmd

A

manage dns

184
Q

dsadd

A

Used to add users, groups, OUs, computers and contacts to AD DS

185
Q

windows logs in event viewer

A

Application, Security, Setup, System and Forwarded Events

186
Q

security logs in event viewer

A

Records the events generated by the audit policies you enable: logon and logoff, file and folder (object) access, account management, privilege use and access to network shares. Nothing is written for a category whose audit policy is off, so the log is only as good as the audit policy behind it.
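Added example (not from the flashcards): two detections over the Security log on a DC, a password-spray signature from failed logons and additions to privileged groups, reading event fields by name from the event XML rather than by position. The 24-hour window, the threshold and the group list are assumptions; the logon and account-management audit categories must be enabled for these IDs to exist.

```powershell
# Added example: Security log hunting with Get-WinEvent (PowerShell 2.0 / Server 2008 R2).
# Window, threshold and group names are assumptions.
$since = (Get-Date).AddHours(-24)

# Helper: named EventData fields from the event XML (positions differ between event IDs)
function Get-EventField($event, $name) {
    $data = ([xml]$event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $name }).'#text'
}

# 4625 = an account failed to log on. SubStatus 0xC000006A = bad password, 0xC0000064 = no such user.
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = Get-EventField $_ 'TargetUserName'
            Source    = Get-EventField $_ 'IpAddress'
            SubStatus = Get-EventField $_ 'SubStatus'
            LogonType = Get-EventField $_ 'LogonType'   # 3 = network, 10 = RDP, 2 = console
        }
    }

# Spray signature: one source address, many distinct accounts, few attempts per account.
# Lockout-based detection misses this; counting distinct targets per source does not.
$failed | Group-Object Source | ForEach-Object {
    $targets = @($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique)
    if ($targets.Count -ge 10) {
        "SPRAY? {0}: {1} failures against {2} accounts" -f $_.Name, $_.Count, $targets.Count
    }
}

# 4728 / 4732 / 4756 = member added to a global / local / universal security group.
# TargetUserName is the group, MemberName the DN added, SubjectUserName who did it.
$privGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators'
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $group = Get-EventField $_ 'TargetUserName'
        if ($privGroups -contains $group) {
            "{0}  {1} added {2} to {3}" -f $_.TimeCreated, (Get-EventField $_ 'SubjectUserName'), (Get-EventField $_ 'MemberName'), $group
        }
    }
```

Run it against every DC, or against a collector using the Forwarded Events log from card 185, because each DC only records the authentication attempts it handled itself.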