Active Directory Foundations

Question 1

Schema Master

Answer 1

Performs updates to AD scheme.

Updates include ADPPREP /FORESTPREP, Microsoft exchange, and other applications that mud modify the Ad scheme.

Must be online when scheme updates are performed.

Generally placed on the forest root PDC.

Question 2

Domain Naming Master

Answer 2

Responsible for naming domains.

Add and removes domains and application partitions to and from the AD forest.

Must be online when domains and application partitions in a forest are added or removed.

Generally placed on the forest root PDC.

Question 3

PDC emulator

Answer 3

Manages password changes for computer and user accounts on replica domain controllers.

Consulted by replica domain controllers where service authentication requests have mismatched passwords.

Target D.C for GP updates.

Target D.C. for legacy applications that perform writable operations and for some admin tools.

Must be online and accessible at all times.

Generally places on higher-performance hardware in a reliable hub site alongside other DCs.

Question 4

RID Master

Answer 4

Relative IDs.
SID = RID + Domain ID
Allocates and standby RID pools to replica DCs in the same domain.

Must be online for newly-promoted DCs to obtain a local RID pool or when existing DCs must update their current or standby RID pool application.

Generally placed on the forest root PDC.

Question 5

Infrastructure Master

Answer 5

Updates cross-domain references and platforms/tombstones from the Global catalog.

A separate infrastructure Master is created for each application partitions including the default forest-wide and domain-wide application partitions.

Long list of numbers and translate SID into friendly name.

Maintain cross domain references.

Question 6

Infrastructure Master Situation

Answer 6

In a single-domain forest, the infrastructure Master can be placed on any D.C.

In a multi-domain forest, the infrastructure Master is generally placed on a D.C. That is not a global catalog.

Except in the case where all DCs in the forest are Global catalogs. In this case the infrastructure Master can be placed on any D.C.

Question 7

Promote a Domain Controller

Answer 7

Install the ADDS roles after DNS checks out for the domain.

Or power shell:

Install-WindowsFeature -Name ad-domain-services -IncludeManagementTools

Question 8

DC Promotion Configuration

Answer 8

• add a domain controller to an existing domain.
• add a new domain to an existing forest.
• add new forest.

Then specify the domain information.

Question 9

Tree domain

Answer 9

Gives you the ability to create a noncontiguous domain name.

Question 10

Child domain

Answer 10

Contiguous naming for the domain.

Domain: company.pri
New domain in existing forest: taco.company.pri

Question 11

New forest and domain configuration

Answer 11

Functional Level: define set of capabilities that existed at the time that that version of the OS was released. Certain types of activities at forest level.

Use highest functional level. May have to set the level below due to legacy applications.

Question 12

Domain controller and DNS

Answer 12

Always install DNS before installing ADDS roles.

Question 13

Directory Services Restore Mode or DSRM

Answer 13

Special password you enter once except when you need to perform a authoritative restore of AD database.

Look into 3rd party tools to recover AD.

Question 14

DNS Delegation

Answer 14

Allow us to create appropriate delegation. To have the folder structure the srv records require.

Question 15

Netbios Domain

Answer 15

“Company”

The word before the .pri.

(Company.pri)

15 characters or less.

Question 16

Paths to Store AD DS database, log files, and Sysvol

Answer 16

Look into storing on other disk drives instead of all being on the C drive. Especially in production.

Question 17

Remove a Domain controller from domain

Answer 17

Choose remove roles and features in server manager. Uncheck AD DS. Demote the domain controller to remove the records from the database.

May have to force the removal of a D.C. But clean removal is desired.

Power shell:

Question 18

Install domain controller in remote location with a bad network.

Answer 18

Install from media. Snapshot of AD database on existing domain controller.

Open up command prompt:

Ntdsutil: activate instance ntds

ntdsutil: ifm

Ifm: create full c:\users\desktop

-creates a snapshot file.

Ntdsutil.dit file which contains the AD Database.

Go through typical domain controller addition settings.

Additional options. Choose to install from media.

After installation from media, due to being days behind prod, choose to replicate from a close location.

Question 19

Install ADDS on server core

Answer 19

> powershell

> install-windowsfeature -name ad-domain-services

> install-addsdomaincontroller -domainname company.pri -credential (get-credential company\administrator)

• admin pass
• dsrm pass

Choose a configure as domain controller

Question 20

Upgrade a domain controller

Answer 20

• Get healthy and ensure AD has no errors or logs.
• Test and verify the replication.

Extend the schema for your forest. ADPrep.
-ADPrep extends the schema with .ldf files in the exe.

• Upgrade DCs to new OS.
• Relocate FSMO roles if necessary
• Raise domain/forest functional level in domains and trusts

Question 21

ADPrep for a domain controller upgrade

Answer 21

/forestprep - update forest info. Happens first.

/domainprep - happens once in each domain in that forest.

/rodcprep- update perms on rodcs

/gpprep

Question 22

SRV Records

Answer 22

Allow clients to locate the different AD services and different AD servers to locate each other.

Question 23

Dynamic DNS updates

Answer 23

Each D.C. Will automatically enter DNS records.

Question 24

DNS registration issues

Answer 24

Ipconfig -registerdns on DCs missing records. Dynamic DNS has to be enabled

Question 25

DNS not dynamic (unix DNS)

Answer 25

Windows\system32\config

Net logon.dns

Send this file to register D.C. in DNS.

Question 26

Configure D.C. As global catalog

Answer 26

AD sites and services.

Sites are a geographic for a D.C.

NTDS settings on NTD database services. Double click properties and check global catalog.

Make all DCs GCs

Question 27

Global Catalog

Answer 27

Propagate requests down to the DC at other sites. Requires enough bandwidth.

Question 28

IAAS to get D.C. In Azure

Answer 28

Create VM in azure, and install adds.

Question 29

Azure VM deployment

Answer 29

Make connection to VPN to get on internal network due to Azure being in the cloud.

Question 30

Azure App that requires connectivity to corporate

Answer 30

Connect cloud D.C. To internal D.C. With a virtual network.

It is desirable for apps to leverage the existing corporate windows server AD DS and provide SSO.

Users will need to access all directly from internet.

Question 31

AD domain

Answer 31

The boundary of authentication for a set of users and computers and the resources they use.

Create multiple domains with a tree domain with sub domains.

Question 32

Forests

Answer 32

Forest trusts are used to connect other forests or domains.

Allows to access resources in other domain.

It’s possible to access resources in other forests from other sub domains.

Connect with trusts. You can bridge one AD to another with a trust.

Question 33

AD Sites

Answer 33

Geographic sites that a domain extends to.

Defined by subnet configured on each site.

AD defines the geographic constraint.

May not coincide with actual different sites.

Changes to AD at sites, maybe need to slow down propagation to change in other locations. You can slow the network bandwidth usage.

Sites pull all of these sites together. May need to define the cost of the connection will be. Throttle down how much AD content is streaming on expensive connections.

Question 34

Domain Controllers

Answer 34

The host of Active directory and contain the AD database. Each D.C. Has equal copy of AD database. Everyone has a shared vision of what that database is.

Minimum 2 DCs required for redundancy.

Question 35

Global Catalogs

Answer 35

Provides a subset of the total AD domain database. Services the authentication of clients. GC can be installed about everywhere. Apply onto a D.C.

Question 36

Organizational Units

Answer 36

Designed as a mechanism for the division of user and computer accounts for the purposes of IT and IT alone.