Chapter 11/12: Active Directory Services - Part 01/02

Question 1

Define an “AD Site”

Answer 1

Sites can be explained as physical locations that contain various AD objects. We
should be able to describe these objects using their boundaries

Question 2

What are the main AD site topologies?

Answer 2

• Single domain-single site
• Single domain-multiple sites - Sites are
  interconnected using physical network links
• Multiple domains-single site - Replications between domains will depend on the logical topology
• Multiple domains-multiple sites - replication will depend on the logical topology as well as the physical topology.

Question 3

What is the first step after deciding the AD site topology?

Answer 3

Configure subnets in each site

Question 4

Define a “Site Link”

Answer 4

Site links represent the physical connection between sites; however, site links don’t control the network level routing or connectivity between sites

Question 5

Define a “Site Link Bridge”

Answer 5

Site link bridges contain multiple site links. These allow transitive communication
between each site link under the bridge

Question 6

What are the two ways to manage AD sites?

Answer 6

One option is to use the AD Sites and Services MMC, and the other one is to use PowerShell cmdlets

Question 7

Once an AD Site is set, what is the next step?

Answer 7

Create site links

Question 8

Define “Site link cost”

Answer 8

defines the nearest resources if the on-site resource is not available

Question 9

How is “Site link cost” determined?

Answer 9

In a physical network, the quality of inter-site links is measured based on link speed,
latency, and availability; The site link that holds the lowest site cost value will be the first preference

Question 10

What is the equation to determine site cost?

Answer 10

Bandwidth(Kbps/Mbps) / (log10(bandwidth))

Might have to divide the outcome by the number of GB once above 1GB

Question 11

What are the two transport protocols that can be used for replication via site links?

Answer 11

1. The default is IP with synchronous replication
2. SMTP - only can be used between sites if the DCs are in different domains

Question 12

What is the default replication interval on a site link?

Answer 12

Every 180 minutes

Question 13

If the link between sites is slow, how should replication be implemented?

Answer 13

it is best to set the replication
after operating hours and during lunch hours. This will minimize the replication
traffic impact on slow links and allow the organization to use the link bandwidth
for other mission-critical traffic.

Question 14

Define “ Knowledge Consistency Checker (KCC)”

Answer 14

a built-in process that runs on
domain controllers and is responsible for generating replication topology. It will
configure the replication connection between domain controllers

Question 15

How does “Knowledge Consistency Checker (KCC)” manage replicaiton?

Answer 15

the KCC selects a domain controller as a bridgehead server, which sends and receives replication traffic for its site

Question 16

How does the Knowledge Consistency Checker (KCC) behave in a topology with multiple sites and domains?

Answer 16

If you have multiple domains in multiple sites, each domain should have its own bridgehead server

Question 17

How/Where is the bridgehead server seleted?

Answer 17

By opening the properties of the domain controller in AD sites and services

Question 18

After the sites and site links are setup, what is the next step?

Answer 18

Assign the subnets to each site.

Question 19

What are the two types of replication between sites?

Answer 19

1. Intra-site replication
2. Inter-site replication

Question 20

Describe “intra-site” replication

Answer 20

Replications happening within an AD site; ADs will be aware of a change within 15 seconds and an update will be replicated in less than a minute

Question 21

Describe “inter-site” replicaiton

Answer 21

Replication between two separate AD sites;

Question 22

Define an “Update Sequence Number (USN)”

Answer 22

a 64-bit number that is allocated to the domain controller during the DCPromo process

Question 23

What is the purpose of an “Update Sequence Number (USN)”?

Answer 23

When there is any object update, the USN allocated to the domain controller will be increased; As an example, let’s assume that domain controller A had an initial USN value of 2,000 assigned to it. If we add 5 user objects, the new USN will be 2,005. This number can only increase;
it cannot decrease.

Question 24

What is the purpose of an active directory trust?

Answer 24

An Active Directory trust allows you to connect two different Active Directory domains/forests together and allows users to share resources among them

Question 25

Describe a "one-way trust"

Answer 25

The first domain trusts another domain and allows users of the second domain to use resources in the first domain

Question 26

What are the 3 types of trust direction configurations?

Answer 26

1. Two-Way 2. One-Way incoming 3. One-Way outgoing

Question 27

What is the purpose of an one-way incoming trust?

Answer 27

Allows outgoing access

Question 28

What is the purpose of an one-way outgoing trust?

Answer 28

Allowing incoming trust

Question 29

Describe a "trusting domain"

Answer 29

Allows access to its resources from users in a remote domain

Question 30

Describe a "transitive trust"

Answer 30

Extends the trust beyond the original trusting domain

Question 31

Describe a "non-transitive trust"

Answer 31

Non-transitive trusts only allow trust between the original domains

Question 32

Are forests trusts transitive or non-transitive by default?

Answer 32

Transitive

Question 33

Are AD external trusts transitive or non-transitive

Answer 33

Non-transitive

Question 34

What are the 6 types of active directory trusts?

Answer 34

1. Tree-Root Trusts This type of trust will be created automatically when a new domain tree is added to an Active Directory forest. These trusts are created in the root domain of each tree and are also two-way transitive trusts. 2. Parent-Child Trusts When a new child domain is added to an existing Active Directory environment, a new two-way transitive trust will automatically be established between the child domain and its parent domain. 3. Forest Trusts Forest trusts are created between two Active Directory forests. These need to be created manually. They are transitive trusts by default but, based on business requirements, they can be one-way or two-way trusts. 4. External Trusts External trusts are created between domains in different Active Directory forests. These trusts need to be created manually and by default will be non-transitive trusts. 5. Shortcut Trusts A shortcut trust is explicitly created between two domains in the same Active Directory forest or different forests to improve authentication times by shortening the authentication path. These trusts will be transitive and need to be created manually. 6. Realm Trusts A realm trust is used between an Active Directory forest and non-Windows Kerberos realms such as Unix and Linux. These trusts need to be created manually and can be one-way or two-way trusts. They can also be transitive or non-transitive trusts.

Question 35

What ports need to be open when creating a trust relationship between two domains?

Answer 35

Service Ports LDAP TCP 389 LDAPS (SSL) TCP 636 DNS TCP/UDP 53 RPC TCP 135 / TCP 1024-65535 SMB TCP 445 Kerberos TCP/UDP 88 Global Catalog TCP 3268 Global Catalog (SSL)TCP 3269

Question 36

What should be configured to allow a trusted/trusting domain or forest to resolve DNS names/records for the other domain?

Answer 36

Conditional forwarding

Question 37

How should conditional forwarding be configured before domain/forest trusts are established?

Answer 37

Define which DNS servers need to process DNS queries related to their domain

Question 38

What is the powershell command to establish conditional forwarding?

Answer 38

Add-DnsServerConditionalForwarderZone -Name "example.com" -ReplicationScope "Forest" -MasterServers x.x.x.x

Question 39

What configuration is best practice for a domain controller that is not physically secured well?

Answer 39

Read-only Domain Controller (RODC)

Question 40

What makes a RODC more secure than a regular domain controller?

Answer 40

An RODC does not store any passwords in its database and all the authentication requests against an object will be processed by the closest writable domain controller

Question 41

What is best practice for choosing the location of the ntds.dit AD database file?

Answer 41

It is recommended to use a separate partition/disk, to increase the database performance as well as the data protection

Question 42

What is the contents of the ntds.dit database file?

Answer 42

1. Schema table - includes data regarding the object classes, attributes, and the relationship between them 2. Link table - Object metadata; includes data about values referring to another object (Group membership) 3. Data table - includes all the data about users, groups, and any other data integrated with Active Directory

Question 43

Can the AD database be moved from its default/current location?

Answer 43

Yes

Question 44

Can deleted objects be recovered in AD?

Answer 44

Yes, by enabling the recycling bin feature

Question 45

What is the command to enable the AD recycling bin?

Answer 45

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target example.com

Question 46

What is the command to search for a deleted object in AD?

Answer 46

Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects

Question 47

What is the command to restore an object from the AD recycling bin?

Answer 47

Get-ADObject -Filter 'samaccountname -eq "ethomas"' -IncludeDeletedObjects | Restore-ADObject

Question 48

Describe an AD system state backup

Answer 48

Required in order to restore Active Directory in the event of a disaster where the database cannot be recovered using object-level recovery options

Question 49

What is the default option for configuring AD system state backups?

Answer 49

Windows Backup

Question 50

What are the PowerShell commands to configure AD system state backups?

Answer 50

$BKPolicy = New-WBPolicy Add-WBSystemState -Policy $BKPolicy $Bkpath = New-WBBackupTarget -VolumePath "F:" Add-WBBackupTarget -Policy $BKPolicy -Target $Bkpath

Question 51

How are system state backups restored?

Answer 51

Via Directory Services Restore Mode (DSRM); Reboot the system press "F8" key, and select "Directory Services Restore Mode" Once in safe mode, use PS command: $ADBackup = Get-WBBackupSet | select -Last 1 Start-WBSystemStateRecovery -BackupSet $ADBackup