2008 R2 ADS Vocabulary - Session 3 Flashcards

Question 1

Q

Group Policy Processing

Answer

A

You can apply Group Policy settings at the local, site, domain, and OU levels.

Question 2

Q

All group policies that can apply to a user or computer do so,

Answer

A

blending their settings However, settings from different policies may directly conflict with each other.

Question 3

Q

Group Policy Processing

To prevent conflicts, policy settings in GPOs at different levels are processed in a specific order. That order is as follows (LSDOUC):

Answer

A

Local GPOs
GPOs Linked to the Site
Domain -Level GPOs
GPOs Linked to OUs
GPOs linked to Child OUs

Question 4

Q

You can choose to alter the default processing order using a variety of methods, including the following:

Answer

A

Block Inheritance

Enforced

Question 5

Q

Block Inheritance

Answer

A

The Block Inheritance option prevents an OU or domain from inheriting GPOs from any of its parent containers. However, GPOs that are marked as Enforced are always inherited.

Question 6

Q

Enforced

Answer

A

The Enforced option is a GPO link option that ensures the settings in the policy are applied regardless of blocked inheritance or the order of processing of linked GPOs.

Question 7

Q

GPO Status

Answer

A

The GPO Status option can be used to troubleshoot a set of applied policies if the desired end result of the policies is not what it should be by choosing to Disable the User portion, Computer portion, or all of a GPO. Separately, a GPO Link can also be disabled.

Question 8

Q

Link Order

Answer

A

The Link Order option controls the precedence order of multiple GPOs that are linked to the same particular container. The lower the link order, the higher its precedence. The GPO link with the link order of 1 has the highest precedence in that container.

Question 9

Q

GPO Filtering

Answer

A

Each GPO is set to apply to members of the Authenticated Users group, which contains all domain Users and Computers. If this group is replaced with a smaller group, then the Group Policy will be filtered to apply to only those members of the container who also are members of the security group referenced.

Question 10

Q

WMI Filtering

Answer

A

In the GPMC console a WMI script can be created to test for the absence or presence of system properties or values, such as Operating System, Service Pack, free disk space, RAM capacity, etc. This WMI script can then be bound to a GPO. If the receiving client does not meet the criteria of the WMI filter it will not receive ANY of the GPO settings.

Question 11

Q

Loopback Processing (Merge or Replace)

Answer

A

There is a Computer GPO Administrative Template Setting that will override the User logon’s normal GPO loading behavior. In “Replace” mode, when a user logs on to a Loopback Mode computer, the GPOs loaded will be the policies in the LDAP path of the Computer, not the User. This can enforce a kiosk-like consistent configuration of settings. In “Merge” mode, the Users settings are loaded, but the Computers path settings are also loaded, with the Computer’s path settings overriding the User’s.

Question 12

Q

Slow Link Detection

Answer

A

If the computer detects a slow connection (by default less than 500kbps, but the threshold can be changed or disabled) than certain portions of Group Policy, such as software deployment, will be skipped in Group Policy processing. Other portions of Group Policy, such as Security settings, cannot be skipped.

Question 13

Q

Credential Caching

Answer

A

Users’ credentials are automatically cached locally, based on previous logon attempts, to enable the user to log on if a DC fails and authentication on the domain is not possible. If a user logs on using locally cached credentials, Group Policy settings are not applied..

Question 14

Q

The configuration of Loopback Processing, Slow link detection, what will be loaded or skipped for a slow link, and Loopback Processing Mode are all configured in the following Administrative Template path:

Answer

A

“Computer

Configuration \Administrative Templates \System \Group Policy”

Question 15

Q

Creating a GPO

Answer

A

The GPMC provides a user-friendly interface that an administrator can use to create, view, and manage GPOs in an organization.

Question 16

Q

Starter Group Policy objects derive from a Group Policy object (GPO),

Answer

A

), allowing administrators to store a collection configured Administrative Template settings.

Question 17

Q

. A New GPO built from a Starter GPO will begin with all of the Administrative Template policy settings and values that were defined by the

Answer

A

Starter GPO

Question 18

Q

Starter GPOs can be exported to

Answer

A

other environments as needed.

Question 19

Q

By default, only members in the Domain Admins, Enterprise Admins, or Group Policy Creator Owners (GPCO) groups ca

Answer

A

create new GPOs and edit existing ones

Question 20

Q

A member of the Domain Admins group can choose to delegate the authority for creating and managing a GPO to

Answer

A

other users or groups in that GPO’s domain.

Question 21

Q

THE GROUP POLICY MANAGEMENT CONSOLE

Installing and Customizing the GPMC

Answer

A

The GPMC is a Microsoft Management Console (MMC) snap-in that you use in Windows Server 2008 R2 to configure group policy settings throughout various forests in an organization.

Question 22

Q

GPMC

Answer

A

GROUP POLICY MANAGEMENT CONSOLE

Question 23

Q

You can use the GPMC to perform several operations on GPOs, including the following:

Answer

A

Searching for GPOs in a forest
Backing up and restoring a GPO
Importing settings from a backed up GPO to an existing GPO in the same forest

Question 24

Q

The GPMC enables you to plan the deployment of

Answer

A

a Group Policy using the Resultant Set of Policies (RSoP) data simulation, which is used to view the combined effect of a set of GPOs on systems and users.

Question 25

Q

You can also use the GPMC to obtain

Answer

A

RSoP data and to troubleshoot Group Policy deployments.

Question 26

Q

(RSoP)

Answer

A

the Resultant Set of Policies

Question 27

Q

To launch the GPMC

Answer

A

use the Run dialog box, which you access by selecting Start - Run. Type gpmc.msc in the Open text box and click OK.

Question 28

Q

The Group Policy Editor Window allows

Answer

A

administrators to navigate the topology of Computer and User settings in order to modify values that will be set in the particular group policy being edited.

Question 29

Q

GROUP POLICY OBJECT TEMPLATES

Answer

A

Administrative Templates

Question 30

Q

You are

Answer

A

doing it! You will pass with flying colors!

Question 31

Q

Two types of Group Policy settings are stored in each GPO

Answer

A

user configuration and computer configuration settings

Question 32

Q

In Windows Server 2008 R2, registry-based policy settings are stored as

Answer

A

ADMX files, XML-based, containing language-specific settings.

Question 33

Q

In domain-based enterprises, ADMX files can be stored

Answer

A

stored in a central location, accessible to anyone with permission to create or edit GPOs.

Question 34

Q

You can filter administrative templates using either of these two views:

Answer

A

The local view for a template modifies the view only for that template
The global view modifies the view for all administrative templates

Question 35

Q

You can filter administrative templates based on their

Answer

A

type, using keywords, and - by using requirement filters - based on the platform or applications to which they apply.

Question 36

Q

You can use a starter GPO to create multiple GPOs with the same baseline configuration

Answer

A

each new GPO inherits the template settings from the starter GPO.

Question 37

Q

A security template is a

Answer

A

file that defines a security configuration that can be applied to a local computer, imported to a GPO, and used to analyze security.

Question 38

Q

Security Templates does not

Answer

A

It does not introduce new security parameters, but organizes the existing security attributes

Question 39

Q

Security Templates is a text file

Answer

A

It is a text-based file with an .inf extension that enables you to copy, paste, import, and export some or all the attributes of a template.

Question 40

Q

Security templates can be used with

Answer

A

Security Configuration and Analysis snap-ins to examine a system for security holes or policy violations.

Question 41

Q

You can use security templates to define the following:

Answer

A

Account Policies
Local Policies
Event Log Settings
Restricted Groups
System Services Settings
File and Registry Permissions

Question 42

Q

You can download and install the GPOAccelerator from

Answer

A

Microsoft to obtain the predefined templates.

Question 43

Q

The following are examples of the types of predefined security templates included with the GPOAccelerator:

Answer

A

Default Security (Setup security.inf)
Domain Controller Default Security (DC security.inf)
Compatible (Compatws.inf)
Secure (Secure*.inf)
Highly Secure (hisec*.inf)

Question 44

Q

The secedit command-line tool is the command-line version of the

Answer

A

Security Configuration and Analysis snap-in.

Question 45

Q

Configuring the .admx Central Store
Administrative templates are XML-based files with the file extension .admx that contain group policies settings definitions for

Answer

A

the Group Policy Editor in Windows Server 2008 R2

Question 46

Q

.adm files.

Answer

A

The .admx files have replaced the original administrative template files -

Question 47

Q

To take advantage of the benefits of .admx files, you must create a

Answer

A

“Central Store” in the SYSVOL folder of your domain controller.

Question 48

Q

The Central Store is a location that is checked first by the

Answer

A

the Group Policy Editor to define available settings for an administrator to configure.

Question 49

Q

The files that are in the Central Store are automatically

Answer

A

replicated to all domain controllers in the domain.

Question 50

Q

When new Administrative templates are added for software such as Microsoft Office, or updated for new versions of the operating system, the templates only need to

Answer

A

to be updated once in the central store and all domain controllers will replicate the new version of the editor template automatically.

Question 51

Q

The default location for .admx files is

Answer

A

the %SYSTEMROOT%\PolicyDefinitions folder

Question 52

Q

Domain Controllers can be configured to replicate their Administrative Template .admx files using a

Answer

A

“Central Store by creating a PolicyDefinitions folder (or copying the existing one) in following location: %SYSTEMROOT%\SYSVOL\domain\policies\

Question 53

Q

To copy the local server 2008 R2’s existing policies and create a Central Store:

Answer

A

xcopy /E “°/0SYSTEMROOT%\PolicyDefinitions” “%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\

Question 54

Q

Deploying Software Using Group Policy

Answer

A

Together with AD DS and the Windows Installer, you can use Group Policy to install, maintain, publish, and remove software across an organization, site, or domain.

Question 55

Q

Windows Installer is an

Answer

A

extensible software management and installation service.

Question 56

Q

Using Group Policy, you can choose to

Answer

A

to advertise a software package by assigning it to particular users or computers, or by publishing it to users.

Question 57

Q

Using Group Policy,

Answer

A

Assigning software to a computer installs it at next boot.
• Assigning software to a user only installs it at next logon if a special feature is enabled in the deployment settings. Normally this configuration will, at next logon, advertise shortcuts in the start menu, enable document invocation of the file type, and make the software available in add/remove programs (in Windows Vista and later, “Programs and Features”, “Install a program from the network”
• Publishing software to a user will only, at next logon, enable document invocation and software availability in the control panel.

Question 58

Q

Configuring Software Packages

Answer

A

Using Group Policy, you can configure the properties of software before you deploy it. You can also use Group Policy to install patches or service packs (.msp), or to upgrade software you have already installed. Transform (.mst) files allow for a delployment of the same .msi file twice with different .mst files to two different installations (ie: One French dictionary, one English)

Question 59

Q

PREVENTING SOFTWARE EXECUTION WITH GPOS

Answer

A

Software Restriction Policies:
Applocker :
Configuring Security Settings
Restricted Groups

Question 60

Q

Software Restriction Policies:

Answer

A

: Software Restriction Policies (SRP) are designed to control the installation and execution of executable programs — like a firewall it can block all software execution except what is allowed or allow all software execution except what is blocked. Rules can be defined by Hash Rule, Certificate Rule, Path rule, or Network zone rule.

Question 61

Q

Applocker :

Answer

A

More advanced software prevention technology, allows for auditing before deployment, import/export of rules, PowerShell management, flexible certificate value rules (ie: product name, but not version specific). Only applies to Windows 7 Enterprise & Ultimate and Server 2008 R2

Question 62

Q

Configuring Security Settings

Answer

A

Security templates in Windows Server 2008 R2 enable you to configure security-related policy settings. You can create custom security templates to suit your needs, or import and deploy an existing security template.
You use the Local Group Policy Editor to configure security for LGPOs. To configure security settings for AD GPOs, you use the Group Policy Management Editor.

Question 63

Q

Restricted Groups

Answer

A

Restricted groups enable you to control the security and access settings for users in local and domain user groups. Using restricted groups, you can set desired membership for a user group without changing the parent group to which the user belongs. You can apply restricted group settings to a GPO as a group policy, provided the GPO is linked to AD.

Question 64

Q

CONFIGURE ACCOUNT POLICY USING GROUP POLICY OBJECTS

You can protect your network from unauthorized users by

Answer

A

Implementing an Account Lockout Policy
Securing it with Strong Passwords
Password & Lockout Policies
Fine Grained & Lockout Policies

Answer 65

A

An account lockout policy locks a user account after an incorrect password is entered a specific number of times over a specified time period. An account lockout policy reduces the possibility of an attack on your network by repeated logon attempts.

Answer 66

A

A strong password uses alphanumeric characters as well as symbols, such as punctuation, to make it more complex. This minimizes the risk of guessing the password.

Answer 67

A

Password Policies and Lockout Policies that are set at the Domain level will affect all domain users. These include password length, complexity, the number of failed attempts before an account is locked out, and the duration of a locked out account. Any of these account policies that are set at a non-domain level will only affect the behavior of local accounts of the computers within the containers that receive these settings.

Answer 68

A

If an administrator wishes to have a different set of password and lockout standards for some users, whether more or less stringent than the domain standard, Password Settings Objects (PSO) must be configured separately from Group Policies. This must be done using the ADSIedit utility by creating an msDS-PasswordSettings object in the “CN=System,CN=Password Settings Container” path. This will launch a wizard that will configure all of the standard settings except msDS-PSOAppliesTo, which must be configured manually to link the PSO to the user or group to which it should apply. User-linked PSOs supersede group-linked PS0s, and if more than one PSO is applies to the same user via groups, the msDS¬PasswordSettingsPrecedence attribute value of each PSO is compared – the PSO with the lowest value (highest precedence) wins and that PSO in its entirety will be applied to the user

Answer 69

A

In Windows Server 2008 R2, AD DS provides auditing features that enable you to monitor the movement, deletion, and modification of AD objects. AD DS maintains a log that stores old values for AD objects and their attributes, as well as new values when alterations are made.

Answer 70

A

Global audit policy
An SACL
A control schema

Answer 71

A

Audit Logon Events
Audit Account Logon Events
Audit System Events
Audit Account Management
Audit Privilege Use
Audit Directory Service Access
Audit Object Access
Audit Policy Change
Audit Process Tracking

Answer 72

A

specific events, which returns less data that is easier to analyze.

Answer 73

A

You can use the auditpol command to display the current audit policy, display selectable policy elements and to set audit policy subcategories. You can disable auditing for the subcategories for which you do not want auditing set, using this command or enable filtered auditing categories for only a user or group. (ie: only observe the logons of the helpdesk group) This command works locally, so the only way to deploy it with group policy is to create an auditpol script and deploy that with the GPO.

Answer 74

A

Install windows server
Install DNS if not already one on network
Install ADS (dcpromo.exe) to add the AD DS role and promote the server
Promote server to a DC which manages security authentications from the domain requests
run dcpromo from run line
choose “Create a new domain in a forest
Enter FQDN
Choose windows server function level
9.

Answer 75

A

Set the Install DNS parameter to yes to install dns server role
New Domain Value to yes to say new domain is first dc in the new forest
DomainNetBiosName is unique so clients without AD DS can access server
Forest function level 3 sets it to 2008

Example:

DCINSTALL
InstallDNS=[yes|no}
NewDomain={forest|tree|child}
NewDomainDNSName=FQDN_of_the_DNS_Server
DomainNetBiosName=NetBios_name
REplicaOrNewDomain=[replica|readonlyreplica|domain}
FroestLevel={0|2|3}
DomainLevel={)|2|3}
DatabasePath=%systemroot%\NTDS
LogPath=%systemroot%NTDS
RebootONCompletion={yes|no}
SYSVOLPath=%systemroot%\SYSVOL
SafeModeAdminPassword={password|none}

Answer 76

A

save it, run from cmd prompt by using the dcpromo utility with /unattend option followed by the path.

dcpromo /unattend: “c:\documents\answerfile”

to add the dc to an existing non 2008 AD Domain, prepare adprep /forestprep utility, only once on the dc that holds the schema master operations master role for every 2008 forest

admins belonging to SchemaAdmin or EnterpriseAdmin, Domain Admins can run the utility

Answer 77

A

Active Directory Domains and Trusts
right click your domain from the list and choose Raise Domain Functional Level
Choose function level from drop down list
and click the Raise Button
choose change settings in right hand side of window

Answer 78

A

Computer, right click and choose properties,

Answer 79

A

Windows Automated Installation Kit

Answer 80

A

System Image Manager in conjunction with WAIK

Answer 81

A

WAIK then SIM then WDS to deploy the client
two unattended files are needed:
WDS Client unattend file - permissions, etc
Image Unattend File - o/s options

Answer 82

A

dcpromo /? [{Promotion|CreateDCAccount|UseExistingAccount|Demotion}]

returns all options during install of AD DS
CreateDCAccount - returns all parameters you can specify while createing a read only DC RODC Account
UseExistingAccount - to specify while attaching a server to a read only domain controller account RODC
Demotion - all parameters you can specify while removing AD DS from a domain controller

Answer 83

A

copy the client unattend file to the RemoteInstallWDSClient Unattend folder

Then open the Windows Deployment Services Microsoft Management Console MMC snap in from the start menu\admin tools

Right Click on the domain you want to add the file to and choose properties

Choose Client Tab and check enable unattend installation and attach the file

Answer 84

A

use WDSUTIL command

WDSUTIL/Set-DEvice /Device:Device name>
[/ID:] [/ReferralServer:] 
[/BootProgram:] [/WDSClientUnattend:]
[/User:][/JoinRights:{joinONly|Full}]
[/Joindomain:[Yes|No}] [/BootImagePath:]
[/Domain:] [/ResetAccount]

Answer 85

A

c:\users\amdinistrator.easynomad>WDSUTIL /Set-Device /Device:”Comuter12” /ID:”00-B0-57-58-2G-DV”
/WDSClientUnattend:”C:\WDSUserUnattend\unattend.xml”

Answer 86

A

Active Directory Migration tool

Answer 87

A

Interforest migration - move resources between AD Domians in different forests

intraforest migration - move resource between AD domains in the same forest. aka for merging domains is known as grafting and the process of removing objects is known as pruning

Answer 88

A

Passwrod Expert Server Service - use before migration to other server levels

Allows you to migrate passwords and SID history information, you first need to export the password key from the target domain

Answer 89

A

program that loads ADMT

Answer 90

A

Assign proper permissions
Create the target organizational unit (OU) structure
Create two-way trusts

Answer 91

A

Migrated User Account
Migrated Computer Accounts
Expired Accounts 
Account References
Account Name Conflicts

Answer 92

A

copy the contents of the \soruces\adprep folder to an adprep folder on the schema master from the 2008 dvd

run the utility from cmd and the adprep folder

c:\adprep>adprep /forestprep

adprep /domainprep to prepare forest for 2008 dc

Answer 93

A

can cause conflicts

Answer 94

A

start, run

ldp and ok

Answer 95

A

3 hours or 180 minutes

Answer 96

A

Creating a forward or reverse look up zone
Setting the types of updates it must allow
Specifying whether queries must be forwarded and to which servers
Create Root Hints

Answer 97

A

when schema objects like attributes, classes, andtoher objects are updated on a domain these updates are replicated to all the other DC’s in the directory schema

It prevents separate DCs within a directory schema from holding inconsistent entries

Answer 98

A

to ensure consistency of the schema dnto prevent conflicting updates into the AD database AD employees this Role. The DC containing roles that affect only the domain in which it’slcoate dor only the forest in which that domain is contained

Answer 99

A

Domain Naming Master
Schema Master
Primary Domain Controller (PDC) Emulator - handles account lockouts and password changes
Infrastructure Master - keeps GUIDs and SIDs updated across DCs
Relative Identifier (RID) Master - per domain role, on a DC in each domain, it assigns a block of RIDS to each DC that uniquely identifies a group in a domain.

Answer 100

A

Leave the operations master roles on the first DC in the regional domain
Ensure that the regional DC is not a global catalog server
Deploy another domain controller to the domain on which the first domain controller is deployed. This additional DC will be the standby operations master
Host the primar Domain Controller (PDC) emulator operations master role on a powerfule and reliable domain controller. This ensures that it has the availability and capacity to handle the workload.

Answer 101

A

Transferring Roles
Seizing Roles - used when dc is permanently out of service you transfer the role. Preferred method is transferring not siezing

Answer 102

A

Domain naming master and the schema master role should remain together on the same domain server

Relative ID Master and the PDC emulator should stay together as well. If you experience performance issues then the PDC can be placed on a third DC

The domain naming role is on the same server as a global catalog server because it contains the info on objects and the role needs that info.

Answer 103

A

Global Catalog Server - if installed on a global catalog server it will not find the object references

Answer 104

A

persistent connection to ensure that it is automatically performed after a specified interval. Use Active Directory Sites and Services snap in to configure interval

You can also use on-demand connection with reciprocal replication. Two way process between a receiver and a sender - Use the AD Service Interfaces (ADSI) Edit tool on a dc to configure this

Answer 105

A

Change Domain Master Right - Enterprise Group by Default
change Schema Master Right - Schema Admin Group by default
Change PDC Right - Domain Admins
Change RID Master Right - Domain Admins
Change Infrastructure Master Right - Domain Admins

Answer 106

A

It acts as a security principal in the same way as other user classes. This object enables an administrator to easily migrate user accounts form third party directories into the AD

Create it by going into the Active Directory Users and Computers, access server folders and right click on users and choose new then choose InetOrgPerson - when creating “user has to change password at next logon is default” and you have to uncheck disabled

Answer 107

A

remove AD DS , if you remove the last DC you have to remove the whole environment

You can use:

the windows interface
unattended installation parameters
an answer file

Answer 108

A

DCINSTALL
username=Administrator
userdomain=easynomadtravel.com
password=passwrod123
administratorpassword=password123
removeapplicationpartitions=yes
removeDNSDelegation=yes
DNSDElegationUserName=Administrator
DNSDelegationPassword=password123

Answer 109

A

Kerberos 5

Answer 110

A

can be extended beyond the two domains in which it is formed - used to establish trust in multiple domain environments, flows from the bottom to the top in a domain heiracrch and has trusts between all domains. child gets trust upward whcih allows the trust path to expand. This trust is established by default in 2008 forest with a new domain creation

Answer 111

A

limited to the two domains it exists between, it cannot be extended to any other domains, one-way trusts by default you can make it a two way by creating two one-way trusts.

Answer 112

A

one way trust

Answer 113

A

External Trusts
Forest Trusts
Realm Trust
Shortcut Trust

Answer 114

A

nontransitive
one and two way
enables users to access resoruces that are stored on external domains located in separate forests. Also provides resources present on a NT domain

ADDS creates a foreign security principal object in the internal domain to represent a security principal from the trusted external domain. the Foreign secuirty principal becomes a member of the internal domains local groups and is allowed to access the Domains resources

Answer 115

A

Transitive
one way or two way
creatd between 2 forest root domains to enable users to share resources across differernt forests

Good for merger or acquisition scenarios and for application service providers

Answer 116

A

transitive or non-transitive
one way and two way
Windows server 2008 domain and a non windows kerberos realm.

This provides cross platform operability with security services based on other versions of the kerberos 5 protocol

Answer 117

A

transitive
one way or two way in 2008
used when users belonging to a domain regualarly lo on to other domains within a forest. Makes the authentication process between domains faster and more efficient especially if separated by two domain trees. Normally authentication request first travels a trust path between domains, can take time so a shortcut shortens path

Answer 118

A

enables you to manage domain trusts relationships

Answer 119

A

A limited number of users
Low physical server security
low bandwidth connections to a hub site
Lack of information technology knowledge
by default doesn’t contain accunt passwords or enable any user or admin to update the database directly

Answer 120

A

Improved Security
Improved Connectivity
Improved Efficiency

Answer 121

A

Password Replication Policy used in RODC

Answer 122

A

any object in this set is not allowed to replicate to the RODC. It is a dynamic set of attributes in the schema for the domain

Can be labeled confidential. this removes the permissions that are necesary to read the credential like data

Answer 123

A

Key Distribution Center (an RODC serves as one) and manages ticket requests form computer and user accounts at the remote site. Account storage does not happen by default but you can enable it

Answer 124

A

can have them if they belong to different domains

Answer 125

A

cannot create the “krbtgt” account to perform the RODC operations on anything but 2008, has to be on a PDC emulator.

Global Catalog Server
PRP Password Replicaiton Policy
Has to have AD DS installed

Has to be on servers 2003 or higher

Answer 126

A

updates the permisions on all the DNS apps directory partitions in the forest. . this will ensure the required directory partitions will be replicated to all RODCs that are also DNS servers

Answer 127

A

Installed

Answer 128

A

improved installation and administration - installed as a server role
integration with Active Directory Federation Services (AD FS)

Self-Enrollment of AD RMS Servers
New AD RMS Administrative Roles
1. Administrator
2. Template Administrator
3. Auditors

Answer 129

A

must have write rights to the AD DS container
RMS registers the service connectionpoint (SCP) during installto ensure the cluster will be created in AD DS

Should have its own database for logging and configuration information

Answer 130

A

licensing rights protected information
acquiring licenses to decrypt rights-protected content and applying usage policies
Creating rights-protected files and templates

Answer 131

A

AD LDS  (ldap)
AD FS
AD CS (certificate Services)

Answer 132

A

A directory Service Solution
Compatibility with AD DS
Multiple Independent Instances
Security Principles and Access Controls

Answer 133

A

Installation - new validation checks that occur during the install to ensure required components are present

Application support - integrated with office sharepoint 2007 and AD RMS, improve compatibility

Establishment of federated trusts don’t need to create a trust for external forests. you can export and import trust policy settings to an xml file which includes everything to create a federated trust which reduces configuration

Answer 134

A

Binds a user’s identity to a public key for encryption

Repsonsible for issuing certs to users, computers and services

Certificate revocation list or CRL isused to track and revoke certs that have expired. an online responder decodes the revocation statust

after evaluation the online responder sends back a signed repsonse

Answer 135

A

Public Key identifier

system of digital certs, CAs, registration authorities that verify

Answer 136

A

Serial Number
Version
Signature Algorithm Identifier
Issuer Name
Validity Period
Subject Name

Answer 137

A

Authentication
encryption
digital signatures

Answer 138

A

certs issued by subordinate CAs are considered to be trusted if theos issued by a root CA are trusted.

Answer 139

A

Enterprise CA - can be a root or suborndiante, only one root enterprise ca is permissable in a root heirachy. advanced CAs and customizable certifcate templates and publish their certificates and CRLs to the AD
Standalone CA - basic certs cannot be modified, may or may not be intergrated with AD DS. Info is stored localy and do not respond to cerficate enrollment autmatically. Requests wait in a queue and the admin must approve or deny them manually. Can be a root and have subordinate CA.

Answer 140

A

Root CA Role is first ( by installing Active Directory Certificate Services)
Certificate Authority

Answer 141

A

support for cyrptography next generation
use of Online certificate status protocol (OCSP)
The Network Device Enrollment Service (NDES)
Web Enrollment
Support for Policy Settings
A Restricted Enrollment Agent
Support for Enterprise PKI Management

Server Core 2008 does not support AD CS

Answer 142

A

enhanced admin and install features (server role, automatically configures the windows internal db as the ADRMS config and logging database)
Self Enrollment
Intergration with AD FS
Improved Delegation
Licensing of rights protected information (RAC -Rights Account Certificates)

Answer 143

A

to create AD security groups for each of the RMS administrative roles and to add them to their respective local security groups

Good to separate db server as the ad rms logging database in which you store all configuration and logging information

To use AD FS yo must have federated trusts and external partners before you install AD RMS

Need to log off windows after installation before you will be able to use it and access the Rights management console

Answer 144

A

is a server role that allows users to access apps in another forest or network without providing a web server with secondary credentials

It establishes trust between two organizations and allows users to access using single sign on

Answer 145

A

Business to Business (AD FS)
Resource Org - provide resources to users
Account Org - manage users and rights using cookies

Answer 146

A

Federation and Web Agent Services using security tokens

Answer 147

A

name, password, key, certificate, group and privileges

Answer 148

A

AD FS has this and enables you to query the AD DS security token

Answer 149

A

minimal - AD DS DC and one or more servers running AD FS role in each domain

After servers join domain you run AD FS role installation using the domain admin account

Answer 150

A

Install AD FS and AD FS WEb Agetns
Configure IIS on the federation servers
Create and Export the required certifcates to configure the web and federation servers
Configure the federation services on servers in both the resource and account domain.
After install you need to configure IIS to require SSL on the resource and account domains Federation servers.
a. admin tools, IIS Manager
b. click on AD FS Server in the connections panel
c. double click the default website
d. scroll to the SSL Setttings icon
e. choose your SSL or 128 Bit SSL and whether to accept client certificates
Now you need to creat a self signed server certificate in the IIS Manager

Answer 151

A

Create a self signed server authentication cert for the web server
a. select the server in the connections panel of the IIS Manager Console
b. Choose the Server Certificates Icon
c. Create Self Signed Certificate and input name and ok and it is created
d. Export the token signing certs fromt eh FS of the account domain to a file and then imported into the resurce domain’s FS
admin tools, AD FS, right click on server and choose properties, view or select cert, choose details tab and copy to file and follow the export wizard.
In order to allow trusted communications between the web server and Federation server of the resource domain you need to export the server authentication cert from the federation server to a file
a. go to IIS Manager Console
b. Server Certificates Icon
c. R. Click on web srver and select Export from menu, follow the wizard
next import the server authentication cert for a FS to the Web Server
a. run mmc from the run box
b. File - Add/Remove Snap In
c. Choose Certificates and Add button
Export the accunt domains federation server token signing cert to a file on the FS Account Domain and needs to be imported to the resources domains federation server to allow trusted communications.

Answer 152

A

Https over a particular port and the appropriate SSL

click on bindings on the right hand menu after clicking on the server name in the left.
Put info in and click ok.
Then configure Claims aware application

r. click on default website and choose add application
a. save the file in a folder under c:\inetpub\wwwroot folder and make a new folder - create the default.aspx, web.config and default.aspx.cs files and put them in the new folder in the IIS Management Console

Answer 153

A

Configure the trust policy for the server
Create group claims for the appropriate claims aware application
Add and Configure and AD DS Account Store.

Answer 154

A

Integration with AD FS
The self enrollment of AD RMS servers
An imporved installation and administration experience
AD RMS administrative roles

Answer 155

A

install it and enable the service

enables you to manage system performance by managing the allocation of resources, to ensure optimal performance it uses specific algorithms to allocate resources to the processes

install from Server manager, feature

to activate, services find in the list and start service

then go into server manager, diagnostic node and choose reliability and Performance node which collect data through 3 tools:
Resource overview
Perfomance Monitor
Reliability Monitor

Answer 156

A

start, run rsop.msc

run in 2 modes
Logging - only monitor users and the computers they are logged onto
Planning - you can use simultaions to view the RSoP for policy settings that you want to apply to users nad computers. this enables you to test the effects of policies before you apply them.

active directory for users and computers,
users and pick user
Action, All tasks, Resultant Set of Policy(planning) option results display in the RSOP node console

Answer 157

A

online maintenance tasks

an offline when offline

can use AD restore mode from other server versions but 2008 supports it. F8 during bootup. 2008 has a better way, go into services and stop AD DS

AD DS and DNS will no longer function but DHCP will.

Answer 158

A

online - default runs every 12 hours on the ad database, not to the file system ntds.dit file

Offline (aka compaction) removes white space form AD DB and File system , ntds.dit file, this process can free up space

to start it use the cmd ntdsutil.exe
next prompt type acitvate instance ntds enter
next prompt type files enter
next specify location of where the compact ntds.dit file drive:\path - if path has spaces double quote it and only need to specify a drive letter if you are using a shared folder on a remote computer

to compact type compact to drive:\path

exit utility by type quit at the file maintenance prompt and the ntdsutil prompt

then remove the oldlog files for ntds.dit, use the del command with the path location del drive:\pathtologfiles*log and then copy the defraged ntds.dit file to the local windows\ntds folder

best practice is rename old file first before overwriting so you can revert back if needed. copy drive:\ntds.dit originaldrive:\path\ntds.dit

then ensure the integrity of file

ntdsutil, active instance ntds
file maintenance prompt: by ntdsutil:files
and type integrity

process is complete and restart AD DS service

Answer 159

A

ntds.dis files and transaction logs are stored ont eh same hard disk, by default, the %systeroot%\ntds it is perferable that you store these two types on different hard drives for performance

if on 2 hard drive partitions you will need 500 mb or 20% of total size of files

on same hdd partition you will need 1 GB or 20% of the combined file size of free space

once size is confirmed backup the system state data using windows server backup utility

Answer 160

A

this utility will update the HKEY_Local_machien\system\currentcontrolset\services\ntds\registry key.

If you don’t use the utility to move ntds.dit file you could corrupt the file without the registry changes to reflect the logs.

Answer 161

A

cmd
cd\
cd:\temp
dir
find files and sizes and add them together

Answer 162

A

stop AD DS
ntdsutilproompt and acitvate the ntds instance, then access the file maintenance prompt

type - move db to path
move logs to path

then perform a backup of the system state

setup permissions on the new folders holding the files Administrator group and system folder both need full control and don’t allow inherited permissions from the parent to overwrite your changes.

Answer 163

A

from mmc

wbadmin command line tool

on DC critical items (not including data volumes)- boot files, OS, registry, SYSVOLtree,

AD db and log files

can backup to:

shared folder
dvd or other removable or optical media - has to be 1 gig or more available or it won’t detect that it is available and you also cannot recover individual items
internal hdd - can do everything from these including system state
external hdd - can do everything from these including system state and move to another location for disaster recovery protection

Answer 164

A

does snapshots.

Have to have configure backup once the first full backup completes ONly data that has changed since the last backup is then saved

use copy and not full if you want to keep log files intact.

Allows for point in time or shadow copies of data

Shadow Copies fo Shared Folders Feature - access and recover previously saved versions of files or folders on a file server. - NOT single files or folders on ly volumes of data - access via the mmc

Answer 165

A

Support only for NTFS
need to reconfigure settings when upgrading
use of a separate disk for scheduled backups
lack of support for tape as a storage medium
incompatibility with Ntbackup.exe

Answer 166

A

wbadmin start systemstaebackup -backupTarget: VolumeName [-quiet]
and has to be on local attached disk to backup system state

Answer 167

A

can choose individual items to restore
manage data retrieval from full and incremental,

in 2008 you can select the backup to restore by date

Answer 168

A

RE - Windows Recovery Environment tools

RE and Windows Server backup allows for OS recovery

Answer 169

A

Recover a file that has been accidentally deleted.
Recover a file that has been overwritten
Compare versions of a file

Answer 170

A

Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Allows you to access the command prompt on a server that won’t boot normally

Answer 171

A

full server backup on hdd, dvd or network share
OS DVD or installed the Windows RE on a separate partition to the DCs critical partitions
Ensure that new hardware has enough space to store all recovered data if restoring to a new machine

Answer 172

A

for a single DC, replication occurs and the restored DC is updated with the current AD data on other DCs

On DFSR - Distributed File System REplication is done by default

to use the command line utility, restart the DC and F8 to advance options

IN order to restore AD db you select Directory Services Restore Mode

When prompted to log into windows, choose locally rather than logging on to the domain

systemstaterecovery to choose unathoratative

wbadmin get versions

Answer 173

A

can configure the server to automatically boot to Directory Services Recovery Mode

Answer 174

A

restored directory contains all the user objects ans group objects that were present at the time the backup was created
all the mmebers of an FRS replica set and the cert issued by AD CSs are present in the restored backup
Synchronization of the Windows Time service (W32tiem) is correctd
the Netlogon and Sysvol folders are shared properly
preferred DNS server address is configured properly
host (A) and Service (SRV) resource reocrds are registered correctly in the DNS

Answer 175

A

obtain info on backps availabe

Answer 176

A

want to restore the system data for the DC named IW-DC7

Answer 177

A

used with multiple DCs
Sysvol - use -authsysvol switch with the recovery command

Don’t want to use this with a full restore of a DC

can do items in the AD
version number of the OU is changed to identify the object as more recent. this info will then be propogated to other DCs in domain and restored to AD DS

authoritative restore: restore object “OU=test,DC=easy,DC=com”re

Answer 178

A

stops the AD Service from a command prompt

Answer 179

A

manage and control master roles, schema , AD, has to be used from an elevated command line prompt

Answer 180

A

to manage domains and trusts in AD

Answer 181

A

database maintenance in AD

Answer 182

A

manage dns

Answer 183

A

used to add users, objects, OU, computers to AD DS

Answer 184

A

applicaton, security, setup, system and forwarded events

Answer 185

A

record events related to audit policies, file and folder access or user logon and network shares

Brainscape's Knowledge GenomeTM

2008 R2 ADS Vocabulary - Session 3 Flashcards

Brainscape's Knowledge Genome^TM