Install and configure Active Directory Domain Services Flashcards
What components is Active Directory made up of?
Domains, Forests, Sites, Domain Controllers, Organizational Units, FSMO (Flexible single master operation) Roles.
What command sequence is used to transfer a FSMO role?
- ntdsutil.exe
- roles
- connections
- connect to server
- quit
- transfer role_name
Which feature requires raising the forest and domain function levels to Server 2016?
Group Membership Expriation
Which command creates the file required to deploy a new domain controller using the Install From Media (IFM) option?
ntdsutil
Your Active Directory environment consists of two forests. Each forest contains two domains.
How many Active Directory schemas exist in this configuration?
2
Which command configures Active Directory of Server Core?
Install-ADDSDomainController
Which two Domain Controller options are enabled by default?
DNS
Global Catalog
Which are two valid fields within a DNS SRV record?
Weight
Port
Which Domain Controller attribute shows that a Global Catalog is active?
isGlobalCatalogReady
Which FSMO role allocates blocks of uniquie IDs to Domain Controllers?
RID Master
What commands would a create IFM data file?
- ntdsutil
- activate instance ntds
- ifm
- create sysvol full C:\IFM
What is the max numbers of RODC that should be deployed in a site?
One
What tool can be used to verify the Global Catalog?
ldp.exe
What command will show which servers currently hold the FSMO role
netdom query fsmo
You are attempting to prepopulate user credentials for users at a remote branch office where a RODC is deployed, however the credentials never replicate to the RODC.
Whay should you check?
Allowed RODC Passwrod Replication Group
Which Forest Functional Level is required to deploy a RODC?
Server 20018
What are the two Forest level FSMO roles
Schema master - responsible for having a single copy of the schema shared by all domains in the forest.
Domain naming master - ensures that unique domain names are used through the forest.
What are the the three Domain level FSMO roles?
Relative identifier (RID) master - used to provide RID pools to domain controllers which in turn are used when creating new security principals.
Primary domain controller (PDC) emulator - responsible for time synchronization and password replication.
Infrastructure master - responsible for the consistency of references to objects between domains within a forest.
What doe the Schema master do?
Responsible for having a single copy of the schema shared by all domains in the forest.
What does the Domain naming master do?
Ensures that unique domain names are used through the forest.
What does the Relative identifier (RID) master do?
Used to provide RID pools to domain controllers which in turn are used when creating new security principals.
What does the Primary domain controller (PDC) emulator do?
Responsible for time synchronization and password replication.
What does the Infrastructure master do?
Responsible for the consistency of references to objects between domains within a forest.
Which cmdlet can be used to view inactive user accounts?
Search-ADAccount
What cmdlet is used to install a RODC?
Install-ADDSDomainController -ReadOnly
What PowerShell commands will create a first domain controller?
- Install-WindowsFeature -Name ad-domain-services -IncludeManagementTools
- Install-ADDSForest -DomainName “company.pri”
- Enter a safe mode password
What PowerShell command add another domain controller to a domain?
- Install-WindowsFeature -Name ad-domain-services
- Install-ADDSDomainController -DomainName “company.pri” -Credential (Get-Credential company\administrator)
- Enter a safe mode password
What PowerShell command will remove a domain controller from a domain?
Uninstall-ADDSDOmainController
What are the steps for creating IFM media?
- Launch NTDSUTIL
- Enter: activate instance ntds
- Enter ifm
- Enter create sysvol full <target></target>
What cmdlet will install ADDS from an IFM file?
Install-ADDSDomainController with the -InstallationMediaPath switch
What is an Active Directory forest?
A forest is a collestion of AD Domains that share a common schema and are bound by an automatically created two-way trust relationship.
What is an AD Domain?
A domain is a logical unit that contains users, groups, computers and other objects..
What group can manage multiple domains in a forest?
Enterprise Admins
What is a Tree?
A collection AD DS domains that share a common root domain and have a contigous namespace.
What is the AD DS schema?
A collection of objects types and their properties (aka attributes), that define what sort of objects you can create and manage within your AD DS forest.
What is an OU?
A container within a domain that contains users, groups, computers and other OU.
What is a container?
A collection of objects or collections grouped together. Cannot be linked to GPOs.
What is a site?
A logical representation of a physical location within your organisation.
What site is created when you install AD DS and create a forest?
Default-First-Site-Name
Why should you define subnets?
It makes it possible for the AD DS forest to determine the physical location of a computer in relation to services offered in the forest.
What are the three partitions in a domain?
Schema
Configuration
Domain
What is the Schema partition?
A forest-level partition, which changes rarely.
What does the schema partition contain?
The AD DS forest schema.
What is the Configuration partition?
A forest-level partition that changes rarely.
What does the Configuration partation contain?
Configuration data for the forest.
What is the Domain partition?
A writable copy of the domain which is stored on all domain controllers. It changes frequently.
What does the domain partition contain?
The actual objects , such as users and computers, which exist within your forest.
What is a Trust Relationship?
A sceurity agreement between two domains in an AD DS forest, or between a forest and an external security realm.
What cmdlet will install the necessary files for AD DS?
Install-WindowsFeature AD-Domain-Services
What cmdlet will perform AD DS promotion?
Install-ADDSDomainController -InstallDNS -DomainName <fqdn></fqdn>
What is the default location for the AD DS Database?
C:\Windows\NTDS
What is the default location for the AD DS log files?
C:\Windows\NTDS
What is the default location for the SYSVOL folder?
C:\Windows\SYSVOL
What level of permission is required to add a new domain controller to an existing domain?
Domain Admin
What level of permission is required to add a new domain controller in a new domain as part of an existing domain tree or as part of a new domain tree?
Enterprise Admins
How do you remove a domain controller from a domain?
Remove the Active Directory Domain Services feature from the computer.
What cmdlets will remove a domain controller from a domain?
Uninstall-ADDSDomainController
Uninstall-WindowsFeature AD-Domain-Services
What is the Global Catalog?
A partial read only copy of all objects in the forestand it hosts a subset of all AD DS account schema attributes
Where is adprep.exe located?
Server 2016 media in directory:
\Support\Adprep
What cmdlets will retrieve information about the current Schema and Domain naming master role holders?
Get-ADForest
Get-ADDomain
What does the PDC emulator role do?
Acts as a time source in the domain.
Propagates password changes
Provides a primary source for GPOs for editing purposes
What does the Infrastructure master role do?
Maintains inter-domain references, and consequently, this role is only relevant in multidomain forests.
What does the RID master role do?
Provides blocks of IDs to each of the domain controllers in its domain.
What cmdlet will move an operations master role
Move-ADDirectoryServiceOperationsRole -Identity - OperationMasterRole <identifier></identifier>
Use -Force is DC hosting role is offline
NTDSUTIL.exe
What are the identifier numbers of the operations master role
0 - PDC Emulator
1 - RID Master
2 - Infrastructure Master
3 - Schema Master
4 - Domain Naming Master
What AD group can be used instead of Administrators to create users and computers?
Account Operators group
Define UPN?
User Principal Name.
The user name.
What is best practice when it comes to template accounts?
Prevent use of the account by:
Disable the account
Set: User Cannot Change Password.
What cmdlet will reset a users password
Set-ADAccountPassword -Identity ‘Path to user object’
-Reset -NewPassword (Password)
What cmdlet will move an object?
Move-ADObject -Identity <container> -TargetPath -<path></path></container>
What command line tool can be used to mange users and computers other than PowerShell
dsmod.exe
What cmdlet creates user accounts?
New-ADUser
What cmdlet modifies the properties of user accounts?
Set-ADUser
What cmdlet deletes user accounts?
Remove-ADUser
What cmdlet resets the password of a user account?
Set-ADAccountPassword
What cmdlet modifies the expiration date of a user account?
Set-ADAccountExpiration
What cmdlet unlocks a user account?
Unlock-ADAccount
What cmdlet enables a user account?
Enable-ADAccount
What cmdlet disables a user account?
Disable-ADAccount
What groups have permissions to create computers in any OU?
Enterprise Admins
Domain Admins
Administrators
Account Operators
Where would you change the maximum numbers of computers a standard user can add to a domain?
Active Directory Services Interfaces Editor
ADSI Edit
What cmdlet creates a new computer account?
New-ADComputer
What cmdlet displays the properties of a computer account?
Get-ADComputer
What cmdlet modifies the properties of a computer account?
Set-ADComputer
What cmdlet deletes a computer account?
Remove-ADComputer
What cmdlet verifies or repairs the trust relationship between a compter and the domain?
Test-ComputerSecureChannel
What cmdlet resets the password for a computer account?
Reset-ComputerMachinePassword -Repair
Where are universal groups membership lists maintained?
Global Catalog
What cmdlet creates a new group?
New-ADGroup
What cmdlet modifies the properties of groups?
Set-ADGroup
What cmdlet displays the properties of groups?
Get-ADGroup
What cmdlet deletes groups?
Remove-ADGroup
What cmdlet adds members to groups?
Add-ADGroupMember
What cmdlet displays the members of a group?
Get-ADGroupMember
What cmdlet removes members from a group?
Remove-ADGroupMember
What cmdlet adds group membership to objects?
Add-ADPrincipalGroupMembership
What cmdlet displays group membership of objects?
Get-ADPrincipalGroupMembership
What cmdlet removes group membership from an object?
Remove-ADPrincipalGroupMembership
What cmdlet will create OUs?
New-ADOrganizationalUnit
What cmdlet modifies the properties of OUs?
Set-ADOrganizationalUnit
What cmdlet displays the properties of OUs?
Get-ADOrganizationalUnit
What cmdlet will delete OUs?
Remove-ADOrganizationalUnit
What three accounts should be used for services instead of a standard account
NT AUTHORITY\SYSTEM
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
Where are MSAs stored in ActiveDirectory
Managed Service Accounts container.
Advanced Feature view must be enbaled.
What is a SPN?
Service Principal Name
A unique identifier for a specific service instance and are used to associate a service instance with a service account.
What do you need to create a gMSA
- Client computers must run at least Windows 8
- You must create a key distribution services (KDS) root key for your domain
- At least one domain controller must be running Windows Server 2012 or later
What cmdlet will create a key distribution services (KDS) root key.
Add-KdsRootKey –EffectiveImmediately
How long before a key distribution services (KDS) becomes active?
10 hours.
This is to allow AD DS to replicate the change throughout your forest.
What site is created when you first install AD DS and create your forest?
Default-First-Site-Name
