Install and configure Active Directory Domain Services

Question 1

What components is Active Directory made up of?

Answer 1

Domains, Forests, Sites, Domain Controllers, Organizational Units, FSMO (Flexible single master operation) Roles.

Question 2

What command sequence is used to transfer a FSMO role?

Answer 2

1. ntdsutil.exe
2. roles
3. connections
4. connect to server
5. quit
6. transfer role_name

Question 3

Which feature requires raising the forest and domain function levels to Server 2016?

Answer 3

Group Membership Expriation

Question 4

Which command creates the file required to deploy a new domain controller using the Install From Media (IFM) option?

Answer 4

ntdsutil

Question 5

Your Active Directory environment consists of two forests. Each forest contains two domains.

How many Active Directory schemas exist in this configuration?

Answer 5

2

Question 6

Which command configures Active Directory of Server Core?

Answer 6

Install-ADDSDomainController

Question 7

Which two Domain Controller options are enabled by default?

Answer 7

DNS

Global Catalog

Question 8

Which are two valid fields within a DNS SRV record?

Answer 8

Weight

Port

Question 9

Which Domain Controller attribute shows that a Global Catalog is active?

Answer 9

isGlobalCatalogReady

Question 10

Which FSMO role allocates blocks of uniquie IDs to Domain Controllers?

Answer 10

RID Master

Question 11

What commands would a create IFM data file?

Answer 11

1. ntdsutil
2. activate instance ntds
3. ifm
4. create sysvol full C:\IFM

Question 12

What is the max numbers of RODC that should be deployed in a site?

Answer 12

One

Question 13

What tool can be used to verify the Global Catalog?

Answer 13

ldp.exe

Question 14

What command will show which servers currently hold the FSMO role

Answer 14

netdom query fsmo

Question 15

You are attempting to prepopulate user credentials for users at a remote branch office where a RODC is deployed, however the credentials never replicate to the RODC.

Whay should you check?

Answer 15

Allowed RODC Passwrod Replication Group

Question 16

Which Forest Functional Level is required to deploy a RODC?

Answer 16

Server 20018

Question 17

What are the two Forest level FSMO roles

Answer 17

Schema master - responsible for having a single copy of the schema shared by all domains in the forest.

Domain naming master - ensures that unique domain names are used through the forest.

Question 18

What are the the three Domain level FSMO roles?

Answer 18

Relative identifier (RID) master - used to provide RID pools to domain controllers which in turn are used when creating new security principals.

Primary domain controller (PDC) emulator - responsible for time synchronization and password replication.

Infrastructure master - responsible for the consistency of references to objects between domains within a forest.

Question 19

What doe the Schema master do?

Answer 19

Responsible for having a single copy of the schema shared by all domains in the forest.

Question 20

What does the Domain naming master do?

Answer 20

Ensures that unique domain names are used through the forest.

Question 21

What does the Relative identifier (RID) master do?

Answer 21

Used to provide RID pools to domain controllers which in turn are used when creating new security principals.

Question 22

What does the Primary domain controller (PDC) emulator do?

Answer 22

Responsible for time synchronization and password replication.

Question 23

What does the Infrastructure master do?

Answer 23

Responsible for the consistency of references to objects between domains within a forest.

Question 24

Which cmdlet can be used to view inactive user accounts?

Answer 24

Search-ADAccount

Question 25

What cmdlet is used to install a RODC?

Answer 25

Install-ADDSDomainController -ReadOnly

Question 26

What PowerShell commands will create a first domain controller?

Answer 26

1. Install-WindowsFeature -Name ad-domain-services -IncludeManagementTools
2. Install-ADDSForest -DomainName “company.pri”
3. Enter a safe mode password

Question 27

What PowerShell command add another domain controller to a domain?

Answer 27

1. Install-WindowsFeature -Name ad-domain-services
2. Install-ADDSDomainController -DomainName “company.pri” -Credential (Get-Credential company\administrator)
3. Enter a safe mode password

Question 28

What PowerShell command will remove a domain controller from a domain?

Answer 28

Uninstall-ADDSDOmainController

Question 29

What are the steps for creating IFM media?

Answer 29

1. Launch NTDSUTIL
2. Enter: activate instance ntds
3. Enter ifm
4. Enter create sysvol full <target></target>

Question 30

What cmdlet will install ADDS from an IFM file?

Answer 30

Install-ADDSDomainController with the -InstallationMediaPath switch

Question 31

What is an Active Directory forest?

Answer 31

A forest is a collestion of AD Domains that share a common schema and are bound by an automatically created two-way trust relationship.

Question 32

What is an AD Domain?

Answer 32

A domain is a logical unit that contains users, groups, computers and other objects..

Question 33

What group can manage multiple domains in a forest?

Answer 33

Enterprise Admins

Question 34

What is a Tree?

Answer 34

A collection AD DS domains that share a common root domain and have a contigous namespace.

Question 35

What is the AD DS schema?

Answer 35

A collection of objects types and their properties (aka attributes), that define what sort of objects you can create and manage within your AD DS forest.

Question 36

What is an OU?

Answer 36

A container within a domain that contains users, groups, computers and other OU.

Question 37

What is a container?

Answer 37

A collection of objects or collections grouped together. Cannot be linked to GPOs.

Question 38

What is a site?

Answer 38

A logical representation of a physical location within your organisation.

Question 39

What site is created when you install AD DS and create a forest?

Answer 39

Default-First-Site-Name

Question 40

Why should you define subnets?

Answer 40

It makes it possible for the AD DS forest to determine the physical location of a computer in relation to services offered in the forest.

Question 41

What are the three partitions in a domain?

Answer 41

Schema

Configuration

Domain

Question 42

What is the Schema partition?

Answer 42

A forest-level partition, which changes rarely.

Question 43

What does the schema partition contain?

Answer 43

The AD DS forest schema.

Question 44

What is the Configuration partition?

Answer 44

A forest-level partition that changes rarely.

Question 45

What does the Configuration partation contain?

Answer 45

Configuration data for the forest.

Question 46

What is the Domain partition?

Answer 46

A writable copy of the domain which is stored on all domain controllers. It changes frequently.

Question 47

What does the domain partition contain?

Answer 47

The actual objects , such as users and computers, which exist within your forest.

Question 48

What is a Trust Relationship?

Answer 48

A sceurity agreement between two domains in an AD DS forest, or between a forest and an external security realm.

Question 49

What cmdlet will install the necessary files for AD DS?

Answer 49

Install-WindowsFeature AD-Domain-Services

Question 50

What cmdlet will perform AD DS promotion?

Answer 50

Install-ADDSDomainController -InstallDNS -DomainName <fqdn></fqdn>

Question 51

What is the default location for the AD DS Database?

Answer 51

C:\Windows\NTDS

Question 52

What is the default location for the AD DS log files?

Answer 52

C:\Windows\NTDS

Question 53

What is the default location for the SYSVOL folder?

Answer 53

C:\Windows\SYSVOL

Question 54

What level of permission is required to add a new domain controller to an existing domain?

Answer 54

Domain Admin

Question 55

What level of permission is required to add a new domain controller in a new domain as part of an existing domain tree or as part of a new domain tree?

Answer 55

Enterprise Admins

Question 56

How do you remove a domain controller from a domain?

Answer 56

Remove the Active Directory Domain Services feature from the computer.

Question 57

What cmdlets will remove a domain controller from a domain?

Answer 57

Uninstall-ADDSDomainController

Uninstall-WindowsFeature AD-Domain-Services

Question 58

What is the Global Catalog?

Answer 58

A partial read only copy of all objects in the forestand it hosts a subset of all AD DS account schema attributes

Question 59

Where is adprep.exe located?

Answer 59

Server 2016 media in directory:

\Support\Adprep

Question 60

What cmdlets will retrieve information about the current Schema and Domain naming master role holders?

Answer 60

Get-ADForest

Get-ADDomain

Question 61

What does the PDC emulator role do?

Answer 61

Acts as a time source in the domain.

Propagates password changes

Provides a primary source for GPOs for editing purposes

Question 62

What does the Infrastructure master role do?

Answer 62

Maintains inter-domain references, and consequently, this role is only relevant in multidomain forests.

Question 63

What does the RID master role do?

Answer 63

Provides blocks of IDs to each of the domain controllers in its domain.

Question 64

What cmdlet will move an operations master role

Answer 64

Move-ADDirectoryServiceOperationsRole -Identity - OperationMasterRole <identifier></identifier>

Use -Force is DC hosting role is offline

NTDSUTIL.exe

Question 65

What are the identifier numbers of the operations master role

Answer 65

0 - PDC Emulator

1 - RID Master

2 - Infrastructure Master

3 - Schema Master

4 - Domain Naming Master

Question 66

What AD group can be used instead of Administrators to create users and computers?

Answer 66

Account Operators group

Question 67

Define UPN?

Answer 67

User Principal Name.

The user name.

Question 68

What is best practice when it comes to template accounts?

Answer 68

Prevent use of the account by:

Disable the account

Set: User Cannot Change Password.

Question 69

What cmdlet will reset a users password

Answer 69

Set-ADAccountPassword -Identity ‘Path to user object’

-Reset -NewPassword (Password)

Question 70

What cmdlet will move an object?

Answer 70

Move-ADObject -Identity <container> -TargetPath -<path></path></container>

Question 71

What command line tool can be used to mange users and computers other than PowerShell

Answer 71

dsmod.exe

Question 72

What cmdlet creates user accounts?

Answer 72

New-ADUser

Question 73

What cmdlet modifies the properties of user accounts?

Answer 73

Set-ADUser

Question 74

What cmdlet deletes user accounts?

Answer 74

Remove-ADUser

Question 75

What cmdlet resets the password of a user account?

Answer 75

Set-ADAccountPassword

Question 76

What cmdlet modifies the expiration date of a user account?

Answer 76

Set-ADAccountExpiration

Question 77

What cmdlet unlocks a user account?

Answer 77

Unlock-ADAccount

Question 78

What cmdlet enables a user account?

Answer 78

Enable-ADAccount

Question 79

What cmdlet disables a user account?

Answer 79

Disable-ADAccount

Question 80

What groups have permissions to create computers in any OU?

Answer 80

Enterprise Admins

Domain Admins

Administrators

Account Operators

Question 81

Where would you change the maximum numbers of computers a standard user can add to a domain?

Answer 81

Active Directory Services Interfaces Editor

ADSI Edit

Question 82

What cmdlet creates a new computer account?

Answer 82

New-ADComputer

Question 83

What cmdlet displays the properties of a computer account?

Answer 83

Get-ADComputer

Question 84

What cmdlet modifies the properties of a computer account?

Answer 84

Set-ADComputer

Question 85

What cmdlet deletes a computer account?

Answer 85

Remove-ADComputer

Question 86

What cmdlet verifies or repairs the trust relationship between a compter and the domain?

Answer 86

Test-ComputerSecureChannel

Question 87

What cmdlet resets the password for a computer account?

Answer 87

Reset-ComputerMachinePassword -Repair

Question 88

Where are universal groups membership lists maintained?

Answer 88

Global Catalog

Question 89

What cmdlet creates a new group?

Answer 89

New-ADGroup

Question 90

What cmdlet modifies the properties of groups?

Answer 90

Set-ADGroup

Question 91

What cmdlet displays the properties of groups?

Answer 91

Get-ADGroup

Question 92

What cmdlet deletes groups?

Answer 92

Remove-ADGroup

Question 93

What cmdlet adds members to groups?

Answer 93

Add-ADGroupMember

Question 94

What cmdlet displays the members of a group?

Answer 94

Get-ADGroupMember

Question 95

What cmdlet removes members from a group?

Answer 95

Remove-ADGroupMember

Question 96

What cmdlet adds group membership to objects?

Answer 96

Add-ADPrincipalGroupMembership

Question 97

What cmdlet displays group membership of objects?

Answer 97

Get-ADPrincipalGroupMembership

Question 98

What cmdlet removes group membership from an object?

Answer 98

Remove-ADPrincipalGroupMembership

Question 99

What cmdlet will create OUs?

Answer 99

New-ADOrganizationalUnit

Question 100

What cmdlet modifies the properties of OUs?

Answer 100

Set-ADOrganizationalUnit

Question 101

What cmdlet displays the properties of OUs?

Answer 101

Get-ADOrganizationalUnit

Question 102

What cmdlet will delete OUs?

Answer 102

Remove-ADOrganizationalUnit

Question 103

What three accounts should be used for services instead of a standard account

Answer 103

NT AUTHORITY\SYSTEM

NT AUTHORITY\LOCAL SERVICE

NT AUTHORITY\NETWORK SERVICE

Question 104

Where are MSAs stored in ActiveDirectory

Answer 104

Managed Service Accounts container.

Advanced Feature view must be enbaled.

Question 105

What is a SPN?

Answer 105

Service Principal Name

A unique identifier for a specific service instance and are used to associate a service instance with a service account.

Question 106

What do you need to create a gMSA

Answer 106

• Client computers must run at least Windows 8
• You must create a key distribution services (KDS) root key for your domain
• At least one domain controller must be running Windows Server 2012 or later

Question 107

What cmdlet will create a key distribution services (KDS) root key.

Answer 107

Add-KdsRootKey –EffectiveImmediately

Question 108

How long before a key distribution services (KDS) becomes active?

Answer 108

10 hours.

This is to allow AD DS to replicate the change throughout your forest.

Question 109

What site is created when you first install AD DS and create your forest?

Answer 109

Default-First-Site-Name