Active Directory Domain Services Flashcards

Install, Configure, Manage, and Maintain Active Directory Domain Services

1
Q

What is IFM? When would you use it?

A

Installation from Media

Allows you to promote a server to an AD Domain Controller, using a seed of the AD database from a file that has been exported from another DC.

You would only use this if there is extremely low bandwidth between remote domain controllers. This option allows you to, for example, mail a hard drive containing the data.

Once the seed has been imported, it performs a sync to update any changes since the seed was created.

2
Q

What does this stand for?

FSMO role

A

Flexible Single Master Operation role

3
Q

What is an RODC, and when would you use it?

A

Read-Only Domain Controller

There is only a single use-case for this: If you have a remote site where the domain controller cannot be physically secured.

An RODC only gets passwords replicated to it for specified users and computers.

4
Q

What are the uses of Organizational Units in AD?

A

The only function they serve is in application of Group Policy.

There is no other reason to separate users and computers out into OUs.

5
Q

What are the FSMO roles?

A

There are five:

  • PDC Emulator
  • RID Master
  • Infrastructure Master
  • Schema Master
  • Domain Naming Master
6
Q

What is a SID?

A

Security ID

SIDs are numbers associated with all AD objects.

7
Q

What is a RID?

A

Relative ID

A RID is a superset of a SID; it consists of a sequential number that gets added onto each SID.

8
Q

How do you join a computer to a domain, and rename the computer, with PowerShell?

A

Run this command on the computer to be joined to the domain and renamed:

Add-Computer -DomainName "example.local" -NewName Station01 -Restart

• This will also force a reboot, which is optional

9
Q

What is the command used to install AD?

A

PowerShell:

install-windowsfeature ad-domain-services

10
Q

What is the command used to promote a server to a Domain Controller?

A

PowerShell:

Install-ADDSDomainController -DomainName "example.local" -Credential (Get-Credential example\administrator)

11
Q

How do you use IFM to promote a server to a Domain Controller?

A

Add this option to the Install-ADDSDomainController PowerShell command:

-InstallationMediaPath "c:\directory-of-IFM-data"

12
Q

What is this command?

Get-ADDCCloningExcludedApplicationList

A

It will provide a list of all applications on the current machine that Windows has not positively verified to support cloning.

13
Q

What is a GC?

A

Global Catalog

A partial, read-only copy of all the objects in the forest, intended to hold just the set of attributes that are usually important. For example, the schema attributes that an application or process is likely to need from some area elsewhere in the forest.

In a single-forest, single-domain setup, every DC tends to be a GC server. But if you do have multiple domains in a forest, you may find that not every DC is a GC.

14
Q

What is this command, and how do you use it?

Move-ADDirectoryServerOperationMasterRole

A

This command is to gracefully transfer a FSMO role from one DC to another.

You would need the following parameters:

Move-ADDirectoryServerOperationMasterRole -Identity "newserver01" -OperationMasterRole [rolename]

Where [rolename] is the specific role you want to transfer, and newserver01 is the target server’s hostname.

15
Q

How do you seize a FSMO role from one DC to another, and when would you do so?

A

Same cmdlet as the graceful transfer, except add this parameter:

-Force

  • This will attempt to transfer gracefully, but will force it if it cannot.
  • You can also use ntdsutil to seize roles.
  • You would ONLY seize a FSMO role if a DC has failed and cannot be online for a graceful transfer.
16
Q

How do you promote a server to an RODC?

A

Using the same command as normal promotion to a DC:

Install-ADDSDomainController -DomainName "example.local" -Credential (Get-Credential example\administrator)

and add this parameter into that command:

-ReadOnlyReplica

17
Q

What is this?

DCDIAG

A

A command-line utility

  • Has been around for a long time
  • Performs several tests on your AD domain, for health diagnostics
  • Allows you to analyze the state of DCs in a forest as an aid in troubleshooting.
18
Q

How do you extend the AD Schema?

A

These four commands must be run in order, each one after the previous one has completed.

  • adprep /forestprep
  • adprep /domainprep
  • adprep /rodcprep (if you need to deploy an RODC)
  • adprep /gpprep (if you also need to upgrade your Group Policy)
19
Q

What are the possible Forest and Domain Functional Levels?

A

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

20
Q

How do you raise a domain and forest functional level?

A

Only after completing all prerequisite steps, the final step of actually raising the level is:

Right-click the domain in AD > Raise Domain Functional Level

Or, for the forest, it’s the same, except you right-click the top level above the domain > Raise Forest Functional Level

21
Q

How can you correct DNS errors regarding SRV records?

A

On the domain controller, run:

ipconfig -registerdns

Or, simply rebooting the server will also result in it re-registering its records with DNS.

22
Q

What is ADAC?

A

Active Directory Administrative Center

The newer management interface for AD, based on Server Manager. Everything it does is actually running PowerShell commands underneath.

23
Q

What is a template in AD?

A

A user that has been created and then disabled, which you use as a source to copy a new user from.

It’s an older method of simplifying user creation.

24
Q

What fields can be preconfigured using a template in AD?

A

Group memberships

Home directories

Profile settings

Logon scripts

Logon hours

Password settings

Department name

Manager

25
Q

How can you create a variable that can be used as a password when creating a new AD user in PowerShell?

A

$password = "passw0rd!" | ConvertTo-SecureString -AsPlainText -Force

The password must be contained in a secure string in order for it to be entered into the PowerShell cmdlet:

New-ADUser -Name jsmith -AccountPassword $password

26
Q

How to use get-aduser cmdlet to determine inactive users?

A

get-aduser -filter * -Properties lastlogondate,passwordlastset | ft name,lastlogondate,passwordlastset

get-aduser -filter {enabled -ne $true} | ft name

27
Q

What are some useful parameters to use with the Search-ADAccount cmdlet?

A
  • -AccountDisabled -UsersOnly
  • -AccountInactive -TimeSpan 30.00:00:00
  • -PasswordExpired
  • -PasswordNeverExpires
  • -LockedOut

To any of these, add this to just get a simple list of names:

• | ft name

28
Q

How do you implement an offline domain join?

A

On a domain controller, in Command Prompt:

djoin /provision /domain example.local /machine newstation01 /savefile c:\anyname.txt

  • (Where domain is named example.local, and the computer to be joined is newstation01)
  • This creates the necessary file to be transferred to newstation01, and pre-creates the necessary computer object in AD.

On the computer to be joined:

djoin /requestodj /loadfile c:\anyname.txt /windowspath c:\windows /localos

  • Note, you need to specify the Windows path on this machine, and specify that the join is being performed on the local OS.
  • As always, a reboot is required to complete the join.
29
Q

How do you delete an OU in ADUC?

A

Right-click and delete. Unless it was created with protection from accidental deletion, which is the DEFAULT setting.

In that case, go to View > Advanced Features, then right-click the OU > Properties > Object > uncheck “Protect from accidental deletion”, then right-click and delete.

Note, deleting an OU will delete all of the objects it contains, so you may want to remove all objects from it first.

30
Q

What are redirusr and redircmp?

A

Redirects newly created AD objects to specified containers / OUs / domains.

These set what will become the default location for newly created user objects, and computer objects, respectively.

31
Q

What is a Global Group, and how would you use one?

A
  • Global Groups are visible throughout the forest, but can contain only accounts and global groups from the same domain.
  • The group itself can be a member of Universal and Domain Local groups, and usually is.
  • Typically used to organize users who share the same responsibilities, access permissions, are part of the same dept, etc.
  • You tend not to assign permissions directly to Global Groups; rather, Domain Local groups are more appropriate for that.
32
Q

What is a Domain Local Group, and how would you use one?

A

Domain Local Groups are only visible in their own domain.

  • This is a way for you to single out objects that exist in a single domain, from objects that exist in other domains elsewhere in the forest.
  • For this reason, Domain Local Groups are used to grant rights and privileges onto the resources that reside in the same domain where that Local Group is located.
  • Domain Local Groups can contain other Domain Local Groups, but only from the same domain.
  • Users, computers, and all other group types from the same domain, as well as any trusted domain elsewhere in the forest, can be contained in the Domain Local Group.
  • Global Groups are generally for people, and Domain Local groups are generally for resources.
33
Q

What is a Universal Group, and how would you use one?

A
  • Visible throughout forest, and can contain accounts, Global Groups, and other Universal Groups from any domain in the forest.
  • They cannot contain Domain Local Groups, because those are just local to an individual domain and are not visible elsewhere.
  • When you create or make any changes to or within a Universal Group, a Global Catalog has to track the change and replicate it to all other Global Catalogs in the forest.
  • For that reason, Universal Groups should tend to be used only for special cases where you need to nest Global Groups, like assigning permissions to resource in multiple domains.
  • Universal Groups also tend to be used as Distribution groups, to create Dist. lists for Exchange for recipients across all domains in the forest.
34
Q

What kinds of Groups are there?

A

There are 5.

2 Group Types:

  • Security Groups
  • Distribution Groups

And 3 Group Scopes:

  • Global Groups
  • Domain Local Groups
  • Universal Groups
35
Q

What does UGLA stand for?

A

Users, Global Groups, Local Groups, Access

It describes the best practice for group nesting:

  • Users go in Global Groups
  • Global Groups go in Domain Local Groups
  • Assign permissions to Domain Local Groups

This best practice isn’t necessary for single-forest, single-domain environments, but if you ever need to expand past a single domain, you’ll need to be able to provide users from outside one domain with access to resources within that domain.

36
Q

What can a Domain Local Group contain as members?

A

Domain Local Groups can contain:

  • Domain Local Groups from the same domain
  • Global Groups from any domain
  • Universal Groups from any domain
  • Accounts from any domain
37
Q

What can a Universal Group contain as members?

A

Universal Groups can contain:

  • Global Groups from any domain
  • Universal Groups from any domain
  • (No Domain Local Groups.)
38
Q

What is Repadmin, and what are some things you can do with it?

A

A command that lets you configure, manage and troubleshoot AD DS replication.

  • It can be used to force replication between two specific replication partners.
  • It can also be used to force the Knowledge Consistency Checker (KCC) to recalculate replication topology for a DC.
  • Can be used to find errors in replication, etc.
  • Can configure PRP, the replication policy for passwords to RODCs.
39
Q

What is KCC?

A

Knowledge Consistency Checker

Automatically calculates the replication topology for DCs.

Also involved in managing replication.

40
Q

What is Wbadmin, and how would you use it with AD?

A

The Windows command-line backup and restore utility

  • Can be used to perform non-authoritative restores for AD.
  • With a non-authoritative restore, you restore from backup, but any updates made since the backup will be applied through replication.
  • Wbadmin can be used to back up the entire server, or just the system state, which includes the AD data.
41
Q

What is NtdsUtil?

A

A command-line management tool for AD DS and AD LDS.

  • A Command Line tool that can perform several low-level tasks for configuring AD. (Low-level, meaning, fundamental and underlying, not basic.)
  • It’s been around since the beginning of AD, and is sometimes called the Swiss Army Knife of AD.
42
Q

What is the difference between an authoritative and a non-authoritative restore in AD?

A
  • With a non-authoritative restore, you restore from backup, but any updates made since the backup will be applied through replication.
  • Thus, items that have been deleted and need to be recovered cannot be restored non-authoritatively.
  • Objects restored through an authoritative restore take precedence, so replication will not delete the container and objects after they are restored.
  • So, generally: You can use a non-authoritative restore to recover a DC that has failed, to get it back up and running, and it will then be updated from other DCs. And an authoritative restore is useful for recovering objects and containers that have been deleted in error.
43
Q

What is Dsmgmt?

A

A management utility for AD LDS.

44
Q

For the -GroupCategory parameter, what type of group is identified as:

0

A

Distribution Group

45
Q

For the -GroupCategory parameter, what type of group is identified as:

1

A

Security Group

46
Q

For the -GroupScope parameter, what type of group is identified as:

0

A

Domain Local Group

47
Q

For the -GroupScope parameter, what type of group is identified as:

1

A

Global Group

48
Q

For the -GroupScope parameter, what type of group is identified as:

2

A

Universal Group

49
Q

What is PRP, and how does it work?

A

Password Replication Policy

The PRP defines AD identities that are explicitly allowed or denied replication to a Read-Only Domain Controller.

Two domain groups exist by default: Allowed RODC Password Replication Group, and Denied RODC Password Replication Group. These groups can be modified, or existing users and groups added.

The Denied group contains, by default, Administrators, Backup Operators, Account Operators, and Server Operators.

50
Q

What do you need to do before adding an RODC to your AD?

A

You must first extend the AD schema. This updates the AD application directory partitions to enable partition replication to RODCs.

• adprep /rodcprep

51
Q

What is the dsrm command?

A

A Command Line utility to delete a specified AD object, including containers.

(It stands for Directory Service Remove)

52
Q

What is an SPN?

A

Service Principal Name

  • An SPN is the name by which a client uniquely identifies an instance of a service.
  • If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN.
  • A particular service instance may also have multiple SPNs, if there are multiple names that clients might use for authentication.
53
Q

What is a Virtual Account?

A
  • VAs, or Virtual Service Accounts, are automatically managed local accounts that cannot be created or deleted.
  • They emulate creating many unique instances of the Network Service account, with each service running its own instance.
  • These unique instances make auditing and tracking easier.
  • VAs do not require, nor support, password management. (Neither manual nor automatic.)
  • They access domain network resources by using the credentials of the computer they run on.
  • You cannot use the same virtual service account on multiple computers.
54
Q

Using Group Policy, how do you configure Account Policies for AD users?

A
  • Using Group Policy, it can ONLY be set in a GPO linked at the Domain-level.
  • And, there can only be one Account Policy defined for a given domain.
  • So, typically, Account Policy would be set in the “Default Domain Policy” GPO.
  • Even though the password policy settings can be linked to OUs, etc., they will not have any effect on AD users. They will only affect local user accounts on computers in that OU that process that policy.
  • For AD users, the Account Policies you configure are only applied when you configure them in a GPO linked at the Domain level.
55
Q

In Group Policy, what categories of settings are configured in Account Policies?

A
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy
56
Q

What is the Delegation of Control Wizard, and how do you use it?

A

Accessed by right-clicking on the domain name in Active Directory Users and Computers, then selecting “Delegate Control…”

  • It allows you to delegate granular management tasks to non-administrative users.
  • You grant designated users permission to perform specified tasks on designated users, groups, computers, OUs, and other objects stored in AD DS.
  • Although it is very simple to use it to make a change, it is then very difficult to later figure out what changes were made / permissions granted to whom. You would need to dig into the AD database. So, you need to be very careful in making changes there.
57
Q

What is a PSO, and what is it used for?

A

Password Settings Object

  • By creating and using PSOs, you can have different password policies for different groups of users.
  • Without PSOs, you would need to have a different domain for each group of users that you wanted to have different password policies for.
  • (PSOs cannot be applied to OUs. They will work with Global Security groups, but no other group types)
58
Q

What is this PowerShell noun used for?

ADFineGrainedPasswordPolicy

A

This is for working with PSOs (Password Settings Objects).

New-ADFineGrainedPasswordPolicy

• This creates the PSO, and you would include parameters for how you want the policy configured

Add-ADFineGrainedPasswordPolicySubject

• With this, you would set what users and groups the PSO policy should apply to.

59
Q

If there are conflicting password policies for a user, how are they applied?

A
  • PSO settings will override domain GPO settings.
  • PSOs applied directly to user objects will override PSOs applied to groups.
  • Every PSO is assigned a “precedence value,” which is just a relative number. PSOs with lower precedence values will override those with higher precedence values.
  • Note, only a single PSO can be assigned to a user at any time. (If more than one would apply, it goes by precedence value.)
60
Q

How do you configure PSOs using the GUI?

A

It can only be done in ADAC (AD Administrative Center).

Select the Domain > System > Password Settings Container

Here, you can create and edit PSOs.

61
Q

What is AD LDS?

A

Active Directory Lightweight Directory Services

62
Q

What is the LostAndFound in AD, and how is it used?

A

A container within AD, it can only be viewed by enabling “Advanced Features.”

  • The LostAndFound container serves as a repository for AD objects that become orphaned due to conflicting AD replication changes.
  • Note that some methods, such as the Search-ADAccount cmdlet, have no provision for locating accounts stored in the LostAndFound container.
  • It can be accessed either by the MMC, PowerShell, or ADSI.
63
Q

What is ADSI?

A

Active Directory Services Interface

64
Q

What is the Active Directory Recycle Bin, and how is it used?

A

The AD Recycle Bin stores deleted AD objects.

  • It is disabled by default. Once enabled, it does not work retroactively, and will only store deleted objects going forward from the time the Bin is enabled.
  • Once enabled, it cannot be disabled again.
  • The cmdlet is: Restore-ADObject
65
Q

Which FSMO roles can be hosted on an RODC?

A

None. A Read-Only Domain Controller cannot support any operations master roles.

66
Q

Which FSMO roles can be hosted on a DC configured with the Global Catalog?

A

Generally, it may host any role, but there is one exception:

In a multi-domain environment, the Infrastructure Master role CANNOT be hosted on a DC which hosts the global catalog, unless EVERY DC hosts the global catalog.

67
Q

In some PowerShell commands, FSMO roles may be indicated by number instead of by name.

What numbers correspond to the FSMO roles?

A

0 PDCEmulator

1 RIDMaster

2 InfrastructureMaster

3 SchemaMaster

4 DomainNamingMaster

68
Q

Describe what a “Domain Tree” is, and what its function is within Active Directory.

A
  • Domain trees are collections of domains that are grouped together in hierarchical structures.
  • Whenever you add a domain to a domain tree, it becomes a child domain of the tree root domain.
  • The domain to which a child domain is attached is called the parent domain.
  • If you want to create a new domain which is NOT a child of an existing domain, you must create a new domain tree.
  • If you create a new domain tree, it will be organized as a separate namespace from the existing domain tree, but will support the same schema and the same top-level administrative structure.
69
Q

What is the command to create a new domain using PowerShell?

A

Install-ADDSDomain -NewDomainName example.local

…etc., with additional parameters possible.

70
Q

In Active Directory, what is a forest?

A

A forest is a complete instance of Active Directory.

Each forest acts as a top-level container, in that it houses all domain containers for that particular AD instance.

71
Q

When there are multiple domain container objects within a forest, what will they share in common?

A

They share a common:

  • logical structure,
  • global catalog,
  • directory schema,
  • directory configuration,
  • and automatic two-way transitive trust relationships
72
Q

What is a PDC Emulator, and what does it do?

A

Primary Domain Controller Emulator

One of the five FSMO roles.

  • It is an improvement on the pre-2000 Windows systems that required an actual Primary Domain Controller.
  • The Emulator continues to perform functions relating to password changes and login authentication.
  • It also tends to be the timekeeper for the domain; the authoritative time server that other domain controllers synchronize their time from.
73
Q

What is an RID Master, and what does it do?

A

Relative Identifier Master

One of the five FSMO roles.

74
Q

What are the symptoms of the DC hosting this role going down?

PDC Emulator

A

• You might experience an increase in support requests regarding password difficulties.

75
Q

What are the symptoms of the DC hosting this role going down?

RID Master

A
  • You will still be able to create new objects in Active Directory, but only until the RID pool is exhausted. Once that happens, you cannot create new objects until the RID Master is back online.
  • You can’t move objects from one domain to another without connecting to the RID Master.
76
Q

What is a Schema Master, and what does it do?

A

One of the five FSMO roles.

The DC that holds the Schema Master role is the only DC that can perform write operations to the directory schema.

Those updates are then replicated from the schema master to all other DCs in the forest.

77
Q

How many DCs can host each of the FSMO roles?

How many roles can be hosted on a single DC?

A

There is only one Schema Master and one Domain Naming Master per forest.

The other roles (RID Master, PDC Emulator, and Infrastructure Master) are one-per-domain, so there may be multiple per forest.

A single DC can hold all of the roles at once, but only once each per domain. (i.e., it cannot be the RID Master for two different domains.)

78
Q

What is a Domain Naming Master, and what does it do?

A

One of the five FSMO roles.

The Domain Naming Master is the only DC that can:

  • Add new domains to the forest.
  • Remove existing domains from the forest.
  • Add or remove cross-reference objects to external directories.
79
Q

What is RPC?

A

Remote Procedure Call

80
Q

What is an Infrastructure Master, and what does it do?

A

One of the five FSMO roles.

The DC holding the infrastructure master role is responsible for updating cross-domain group-to-user references to reflect the username changes.

The infrastructure master updates these references locally and uses replication to bring all other replicas of the domain up to date.

If the infrastructure master is unavailable, these updates are delayed.

81
Q

What is DSRM?

A

Directory Services Restore Mode

A separate password is set for this mode whenever you create a domain controller.

Whenever you need to perform a restore in AD (whether authoritative or non), you first need to reboot the computer into Directory Services Restore Mode.

( Not to be confused with the command line tool, dsrm, used for removing objects.)

82
Q

How do you manage AD Offline?

A
  • Stop the service: “Active Directory Domain Services”
  • Since it has dependencies, it will need to be forced.
  • Either of the following PS commands will work:

stop-service "active directory domain services" -force

stop-service ntds

83
Q

List some tasks that can be performed with ntdsutil.

A
  • Seize operation master roles
  • Authoritative restores of AD objects and containers
  • Take Snapshots
  • Defragment the database
  • metadata cleanup
84
Q

How do you defragment / compact the AD database?

A
  1. First, take the AD database offline. (This is done by stopping the AD service.)
  2. Then, use ntdsutil to defrag / compact the database to a new location.
  3. Delete the original database.
  4. Copy the new database from its new location to the original location.
  5. You can then bring AD back online by starting the AD service.
85
Q

How can you clean up the metadata associated with an orphaned Domain Controller object?

A

You can use the “metadata cleanup” tool in ntdsutil.

Or, to do it manually:

  • Transfer / Seize FSMO Roles
  • Delete the DC computer object in ADUC
  • Delete the DC computer objects in AD Sites & Services
  • Delete the DC’s DNS A records and SRV records
86
Q

In LDAP, what do CN, OU, and DC stand for?

A

Common Name

Organizational Unit

Domain Component

87
Q

What is DFS-R?

A

Distributed File Services for Replication

  • Created with Server 2008 as a replacement for FRS
  • It’s the replication service used to transfer content around
88
Q

How do you migrate SYSVOL from FRS to DFS-R?

A

dfsrmig.exe /GetGlobalState

• This checks whether your migration was already done. If it shows anything other than “Eliminated,” then the migration needs to be performed.

If it needs to be done:

  • Validate FRS health
  • dfsrmig.exe /SetGlobalState 1
  • wait a day or two for it to complete
  • dfsrmig.exe /SetGlobalState 2
  • wait a day or two for it to complete
  • dfsrmig.exe /SetGlobalState 3

Run this again after each step to confirm it is complete:

• dfsrmig.exe /GetGlobalState

89
Q

What are reasons that you may have a multi-forest AD structure?

A
  • The main reason, today, is for Exchange organizations. If using Exchange, it is limited to one organization per forest, so you would need multiple forests for multiple Exchange organizations.
  • You can use a multi-forest structure to isolate directory replication.
  • Mergers and acquisitions can result in multiple forests.
  • Sometimes users, or applications integrated into the AD schema, require different schemas, and would therefore need to exist in a separate forest.
  • To protect sensitive data.
90
Q

What is a Forest Trust?

A

A trust between two forests, which happens between the two domains that exist in each forest root.

  • The most commonly used trust that gets created
  • Links all domains of both forests.
  • Always transitive.
  • Configurable authentication, to be either forest-wide or selective.
91
Q

What is an External Trust?

A

A domain in one forest trusts a domain in a different forest

  • This does not happen at the root level, but in some other subdomain trusting another subdomain in a different forest.
  • It is always nontransitive.
  • It is always a one-way trust. (If you need trust both ways, you must create two one-way trusts.)
  • Not configured as often, because the use case is relatively rare.
92
Q

What is a Shortcut Trust?

A

A literal “shortcut” between two domains in the same forest.

  • Only needed if there is a large and complex forest with many subdomains and domain trees.
  • These two domains already have a transitive trust because they both trust the same root domain. But, the shortcut trust can speed authentication between far-reaching branches. It shortens the authentication path.
  • Rare because you don’t tend to find forest structures that are so large that shortcuts are needed.
93
Q

What is a Realm Trust?

A

A trust to a non-Kerberos realm.

  • For example, when a trust is needed between AD and a Linux or Unix environment that has its own LDAP services.
  • Tend to be application-based, for cases where a particular application needs to authenticate.
  • Non-transitive
94
Q

What is an Active Directory Trust?

A

A trust is a relationship that enables users in one domain to be authenticated by DCs in another domain.

95
Q

What kind of trust exists between domains within a forest?

A

All trusts between domains within a forest are transitive, two-way trusts.

This trust is configured automatically when the subdomain is created.

96
Q

How does “direction” work with AD trust relationships?

A

All trusts have direction.

• A trust can be one-way or bi-directional.

If one-way:

  • The “trusting” domain contains resources to be accessed, and the “trusted” domain contains security principals (e.g. users).
  • The direction of trust is the opposite to the direction of access.
  • “ing” > “ed”
97
Q

What does it mean for a trust to be transitive?

A

If a trust is transitive, this means:

If Domain B trusts Domain A,

and Domain C also trusts Domain A,

then Domains B and C will trust each other.

98
Q

What do Trusts require for name resolution?

A

Either of these:

• DNS Stub Zone

  • Better used if there is poor communication between your forest and the other forest. Does not cache any info on the local DNS server; it is up to the clients to locate resources. The DNS Stub zone just provides a referral.

• DNS Conditional Forwarder

  • More useful if there is good communication. Requires you to know what the other domain’s DNS server is, and if it changes, you need to change the forwarder manually. Has better performance for clients attempting to access resources, because the information can be cached on your local DNS server.
99
Q

What is SID filtering?

A

Also called SID Filter Quarantining

  • In an AD trust relationship, there is the possibility that an external trusted user may have the same SID as a user in the trusting domain, which could allow them to gain privileges and access. This could happen either maliciously or inadvertently.
  • To prevent this, SID filtering discards SIDs from trusted domain users that have a high likelihood of being exploited in the trusting domain.
  • Enabled by default in Server 2012 R2 and 2016 for forest trusts.
100
Q

What is UPN and what is it used for?

A

User Principal Name

You can add additional UPN suffixes for logging in. This could allow, for example, a login syntax similar to a user’s e-mail address, or to allow logins using a parent domain name.

In trust relationships, Name Suffixes are configured to be routed across the trust, but can be disabled individually as needed.

101
Q

What is the purpose of having multiple Sites within an AD forest?

A

Just for replication purposes, across poor connections. It was created during a time that site-to-site throughput was not always very good.

You used to need to configure a “cost” for each site-to-site connection, to control how replication flowed.

Nowadays, there is not generally much problem in site-to-site connections, and additionally, the KCC is very good at automatically configuring DC-to-DC replication topology. You just need to configure the site’s name and subnet.

102
Q

What versions of Server support Domain Controller cloning?

A

Server 2012 and up.

103
Q

What is Domain Controller Cloning, and how does it work?

A

You need a virtualized domain controller to start with.

  • Cloning employs the Generation ID schema attribute, and an XML configuration file, to support rapid DC deployment.
  • The cloned DC contacts the PDC Emulator role holder and uses the DCCloneConfig.xml configuration file to provision itself as a replica of its source virtual DC.
  • Upon initial startup, the cloned DC generates unique metadata to distinguish itself from its source.
104
Q

What Windows OS versions support Offline Domain Join?

A

To offline domain join:

  • Windows 7 and later
  • Server 2008 R2 and later

To offline domain join as DirectAccess clients:

  • Windows 8 and later
  • Server 2012 and later

The target domain controller:

  • Server 2008 R2 and later
  • Earlier versions are also supported, but you must include the /downlevel option with Djoin
105
Q

What is an MSA?

A

Managed Service Account

  • Also referred to as a Standalone Managed Service Account, to distinguish from Group Managed Service Account.
  • A special-purpose service account that lets Active Directory control password changes for the service identity, and makes it easier to register Kerberos service principal names (SPNs) in Active Directory.
  • A single MSA cannot be used on multiple servers.
106
Q

What is a gMSA?

A

Group Managed Service Account

  • Like an MSA, however, the same gMSA account can be used on multiple servers.
  • The domain handles password creation and maintenance, including synchronization, through Key Distribution Services (KDS).
  • Thus, it requires installing KDC / creating a KDS root key before creating a gMSA account.
107
Q

When creating installation media for IFM, how do the source OS and the DC creating the media affect what kind of DC it can be installed onto?

A
  • You can only install a DC using IFM if it is running the same OS version as the source of the installation media.
  • The source and destination DCs can be either 32-bit or 64-bit, mixed or matched, it doesn’t matter, as long as they are the same OS version.
  • You can use an RODC to create installation media for other RODCs, but not for full DCs. Only a full DC can create media for a full DC.
108
Q

What is the Account Operators group?

A

A default Security Group in AD

Members have privileges to create, manage, and delete OUs, users, and groups.

109
Q

What is a bridgehead server?

A

A part of AD Replication, bridgehead servers are domain controllers that have been configured to manage replication between sites if there is a site link defined.

They are configured automatically when a site link is defined, but the selection of DCs to be bridgeheads can be reconfigured.

110
Q

What is a site link?

A
  • Used for AD Replication between domain controllers in different sites.
  • Each site link has a “cost” associated with it, making one more preferable than another.
  • The site link includes the replication schedules and protocols used.
111
Q

What PowerShell cmdlet is used to recover an object from the AD Recycle Bin?

A

Restore-ADObject

112
Q

What is this cmdlet used for?

New-ADServiceAccount

A

Used to create a Managed Service Account, or a Group Managed Service Account. Maybe others.

113
Q

What are some tasks you can use Dsmod for?

A
  • Changing user passwords, and requiring the user to change it on next login
  • Resetting connection to domain
114
Q

What is a Managed Service Account, and what are its pros and cons?

A

A standalone managed service account will isolate domain accounts in crucial applications.

Pros:

  • You can create a class of domain accounts for services on local computers
  • The network passwords for these accounts are automatically reset, unlike domain accounts
  • There is no need to manually administer the SPN
  • Administrative tasks for these accounts can be delegated to non-administrators

Cons:

  • They cannot be shared between multiple computers, or in server clusters where a service is replicated across nodes.
  • Not supported for scheduled tasks, Exchange, SQL
115
Q

What is a Group Managed Service Account, and how do they work?

A

Provides the same benefits of a Standalone Managed Service Account, but extends the functionality over multiple servers.

So, they can be used for services that run on a server farm, or systems using NLB.

The passwords for gMSAs are created and managed through the Key Distribution Service (KDS) (kdssvc.dll), so you will need to install a KDS Root Key before you can create your first gMSA.

116
Q

What is a Shadow Group?

A

A Shadow Group is a global security group that is logically mapped to an OU.

This could be used, for example, to enforce a PSO for an entire OU, since OUs can’t be selected directly whereas groups can.

117
Q

Can changes be made in AD on an RODC?

A

Yes, an admin can make changes, but it will be reverted at the next replication from a read-write DC.

118
Q

What should you do when moving a domain controller from one site to another?

A
  • The DC’s site configuration in AD does not change automatically when physically connected to the new location.
  • Nor does it change automatically when the IP Address and subnet are changed to fit the new location.
  • Also, ensure that the DC is not the Preferred Bridgehead Server in its existing site prior to moving it.
119
Q

What is a DN?

A

Distinguished Name

The DN of an AD entry/object is the fully qualified path of names that trace the entry back to the root of the tree.

So, it starts with the CN (common name) of the object, followed by the names of container objects and domains.

An example DN:

cn=John Doe,ou=SalesUsers,dc=company,dc=pri

120
Q

What is an RDN?

A

Relative Distinguished Name

A partial path to an entry relative to another entry in the tree.

(Essentially, a partial DN)

121
Q

What is a SAM Account Name?

A

A legacy attribute of AD objects, used to support previous versions of Windows, prior to Windows 2000.

Every SAM account name must be unique in the domain (because there is no hierarchy in the name that includes OUs, etc.)

When viewing an object in ADUC, the attribute will be labeled “User logon name (pre-Windows 2000)”.

122
Q

What parameter can you add to Get-AdObject for the results to include objects within the AD Recycle Bin?

A

Get-ADObject -IncludeDeletedObjects

123
Q

In AD, what is a Tombstone Recovery?

A
  • When an object in AD is deleted, it is marked as deleted but is not physically removed for the “tombstone lifetime,” which is 180 days by default.
  • All linked attributes are physically removed, and non-linked attributes are cleared.
  • The object is invisible to most AD processes.
  • Tombstone recovery, aka Tombstone reanimation, restores the object, but it does not recover its attributes.
124
Q

What kinds of groups can be added to a PSO?

A

The only group type supported for use with PSOs is:

Global Security

125
Q

What is the PowerShell cmdlet to reconfigure a DC as part of a different AD Site?

A

Move-ADDirectoryServer

126
Q

How can you create a two-way External Trust?

A

By creating two one-way external trusts.

External trusts can only be created as one-way trusts.

127
Q

In the Set-ADAccountPassword command, what difference does the -Reset parameter make?

A

For setting a user’s password, if you do not specify -Reset, then you must provide both the old password and the new password.

When you specify -Reset, you only need to enter the new password.

128
Q

What is this command used for, and can it be undone?

dfsrmig /SetGlobalState 1

A
  • This is the first command in migrating SYSVOL replication from FRS to DFS Replication.
  • It is run on the domain PDC emulator.
  • It places DCs in the Prepared state.
  • From here, you can still roll back to FRS, because you have not yet migrated.
129
Q

What is this command used for, and can it be undone?

dfsrmig /SetGlobalState 2

A
  • This is the second command in migrating SYSVOL replication from FRS to DFS Replication.
  • It is run on the domain PDC emulator.
  • It switches DCs to the Redirected state, wherein they begin using DFS replication.
  • From here, you can still roll back to FRS.
130
Q

What is this command used for, and can it be undone?

dfsrmig /SetGlobalState 3

A
  • This is the final command in migrating SYSVOL replication from FRS to DFS Replication.
  • It is run on the domain PDC emulator.
  • It configures the Eliminated state and removes all support for FRS replication.
  • From here, you can NOT roll back to using FRS.