Maintaining AD DS - PowerShell Flashcards
Implementing Virtualized Domain Controllers; Implementing Read Only Domain Controllers; Administering AD DS; Managing the AD DS Database
Ntdsutil
a command-line tool that provides management facilities for Active Directory Domain Services (AD DS)
How would you create a snapshot and mount it?
Snapshot:
- Ntdsutil
- Snapshot
- activate instance ntds
- Create
- quit x2
Mount Snapshot:
- Ntdsutil
- Snapshot
- activate instance ntds
- list all
- GUID from Snapshot
- quit x2
Connecting to Snapshot:
dsamain /dbpath C:\$SNAP_(DateTime)_volumeC$\windows\ntds\ntds.dit /ldapport 5000
How do you unmount a snapshot?
UnMount:
- ntdsutil
- snapshot
- activate instance ntds
- list all
- unmount guid
- list all
- quit
- Quit
How do you reset the DSRM Admin Password?
To Reset the DSRM Administrator Password
- Click Start, click Run, type ntdsutil, and then click OK.
- At the Ntdsutil command prompt, type set dsrm password.
- At the DSRM command prompt, type one of the following lines:
  - To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
  - To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
- At the DSRM command prompt, type q.
- At the Ntdsutil command prompt, type q to exit.
How do you create install media for a DC?
ntdsutil
activate instance ntds
ifm
create sysvol full <drive>:\<installationmediafolder>
What does the following PowerShell CmdLet Do?
Add-ADCentralAccessPolicyMember
Adds central access rules to a central access policy in Active Directory.
What does the following PowerShell CmdLet Do?
Add-ADComputerServiceAccount
Adds one or more service accounts to an Active Directory computer.
What does the following PowerShell CmdLet Do?
Add-ADDomainControllerPasswordReplicationPolicy
Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.
What does the following PowerShell CmdLet Do?
Add-ADFineGrainedPasswordPolicySubject
Applies a fine-grained password policy to one or more users and groups.
What does the following PowerShell CmdLet Do?
Add-ADGroupMember
Adds one or more members to an Active Directory group.
What does the following PowerShell CmdLet Do?
Add-ADPrincipalGroupMembership
Adds a member to one or more Active Directory groups.
What does the following PowerShell CmdLet Do?
Add-ADResourcePropertyListMember
Adds one or more resource properties to a resource property list in Active Directory.
What does the following PowerShell CmdLet Do?
Clear-ADAccountExpiration
Clears the expiration date for an Active Directory account.
What does the following PowerShell CmdLet Do?
Clear-ADClaimTransformLink
Removes a claims transformation from being applied to one or more cross-forest trust relationships in Active Directory.
What does the following PowerShell CmdLet Do?
Disable-ADAccount
Disables an Active Directory account.
What does the following PowerShell CmdLet Do?
Disable-ADOptionalFeature
Disables an Active Directory optional feature.
What does the following PowerShell CmdLet Do?
Enable-ADAccount
Enables an Active Directory account.
What does the following PowerShell CmdLet Do?
Enable-ADOptionalFeature
Enables an Active Directory optional feature.
What does the following PowerShell CmdLet Do?
Get-ADAccountAuthorizationGroup
Gets the account's token group information.
What does the following PowerShell CmdLet Do?
Get-ADAccountResultantPasswordReplicationPolicy
Gets the resultant password replication policy for an Active Directory account.
What does the following PowerShell CmdLet Do?
Get-ADAuthenticationPolicy
Gets one or more Active Directory Domain Services authentication policies.
What does the following PowerShell CmdLet Do?
Get-ADAuthenticationPolicySilo
Gets one or more Active Directory Domain Services authentication policy silos.
What does the following PowerShell CmdLet Do?
Get-ADCentralAccessPolicy
Retrieves central access policies from Active Directory.
What does the following PowerShell CmdLet Do?
Get-ADCentralAccessRule
Retrieves central access rules from Active Directory.
What does the following PowerShell CmdLet Do?
Get-ADClaimTransformPolicy
Returns one or more Active Directory claim transform objects based on a specified filter.
What does the following PowerShell CmdLet Do?
Get-ADClaimType
Returns a claim type from Active Directory.
What does the following PowerShell CmdLet Do?
Get-ADComputer
Gets one or more Active Directory computers.
What does the following PowerShell CmdLet Do?
Get-ADComputerServiceAccount
Gets the service accounts hosted by a computer.
What does the following PowerShell CmdLet Do?
Get-ADDCCloningExcludedApplicationList
Gets a list of installed programs and services present on this domain controller that are not in the default or user defined inclusion list.
What does the following PowerShell CmdLet Do?
Get-ADDefaultDomainPasswordPolicy
Gets the default password policy for an Active Directory domain.
What does the following PowerShell CmdLet Do?
Get-ADDomain
Gets an Active Directory domain.
What does the following PowerShell CmdLet Do?
Get-ADDomainController
Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name.
What does the following PowerShell CmdLet Do?
Get-ADDomainControllerPasswordReplicationPolicy
Gets the members of the allowed list or denied list of a read-only domain controller’s password replication policy.
What does the following PowerShell CmdLet Do?
Get-ADDomainControllerPasswordReplicationPolicyUsage
Gets the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller.
What does the following PowerShell CmdLet Do?
Get-ADFineGrainedPasswordPolicy
Gets one or more Active Directory fine-grained password policies.
What does the following PowerShell CmdLet Do?
Get-ADFineGrainedPasswordPolicySubject
Gets the users and groups to which a fine-grained password policy is applied.
What does the following PowerShell CmdLet Do?
Get-ADForest
Gets an Active Directory forest.
What does the following PowerShell CmdLet Do?
Get-ADGroup
Gets one or more Active Directory groups.
What does the following PowerShell CmdLet Do?
Get-ADGroupMember
Gets the members of an Active Directory group.
What does the following PowerShell CmdLet Do?
Get-ADObject
Gets one or more Active Directory objects.
What does the following PowerShell CmdLet Do?
Get-ADOptionalFeature
Gets one or more Active Directory optional features.
What does the following PowerShell CmdLet Do?
Get-ADOrganizationalUnit
Gets one or more Active Directory organizational units.
What does the following PowerShell CmdLet Do?
Get-ADPrincipalGroupMembership
Gets the Active Directory groups that have a specified user, computer, group, or service account.
What does the following PowerShell CmdLet Do?
Get-ADReplicationAttributeMetadata
Gets the replication metadata for one or more Active Directory replication partners.
What does the following PowerShell CmdLet Do?
Get-ADReplicationConnection
Returns a specific Active Directory replication connection or a set of AD replication connection objects based on a specified filter.
What does the following PowerShell CmdLet Do?
Get-ADReplicationFailure
Returns a collection of data describing an Active Directory replication failure.
What does the following PowerShell CmdLet Do?
Get-ADReplicationPartnerMetadata
Returns the replication metadata for a set of one or more replication partners.
What does the following PowerShell CmdLet Do?
Get-ADReplicationQueueOperation
Returns the contents of the replication queue for a specified server.
What does the following PowerShell CmdLet Do?
Get-ADReplicationSite
Returns a specific Active Directory replication site or a set of replication site objects based on a specified filter.
What does the following PowerShell CmdLet Do?
Get-ADReplicationSiteLink
Returns a specific Active Directory site link or a set of site links based on a specified filter.
What does the following PowerShell CmdLet Do?
Get-ADReplicationSiteLinkBridge
Gets a specific Active Directory site link bridge or a set of site link bridge objects based on a specified filter.
What does the following PowerShell CmdLet Do?
Get-ADReplicationSubnet
Gets one or more Active Directory subnets.
What does the following PowerShell CmdLet Do?
Get-ADReplicationUpToDatenessVectorTable
Displays the highest Update Sequence Number (USN) for the specified domain controller.
What does the following PowerShell CmdLet Do?
Get-ADResourceProperty
Gets one or more resource properties.
What does the following PowerShell CmdLet Do?
Get-ADResourcePropertyList
Gets resource property lists from Active Directory.
What does the following PowerShell CmdLet Do?
Get-ADResourcePropertyValueType
Gets a resource property value type from Active Directory.
What does the following PowerShell CmdLet Do?
Get-ADRootDSE
Gets the root of a directory server information tree.
What does the following PowerShell CmdLet Do?
Get-ADServiceAccount
Gets one or more Active Directory managed service accounts or group managed service accounts.
What does the following PowerShell CmdLet Do?
Get-ADTrust
Gets all trusted domain objects in the directory.
What does the following PowerShell CmdLet Do?
Get-ADUser
Gets one or more Active Directory users.
What does the following PowerShell CmdLet Do?
Get-ADUserResultantPasswordPolicy
Gets the resultant password policy for a user.
What does the following PowerShell CmdLet Do?
Grant-ADAuthenticationPolicySiloAccess
Grants permission to join an authentication policy silo.
What does the following PowerShell CmdLet Do?
Install-ADServiceAccount
Installs an Active Directory managed service account on a computer or caches a group managed service account on a computer.
What does the following PowerShell CmdLet Do?
Move-ADDirectoryServer
Moves a directory server in Active Directory to a new site.
What does the following PowerShell CmdLet Do?
Move-ADDirectoryServerOperationMasterRole
Moves operation master roles to an Active Directory directory server.
What does the following PowerShell CmdLet Do?
Move-ADObject
Moves an Active Directory object or a container of objects to a different container or domain.
What does the following PowerShell CmdLet Do?
New-ADAuthenticationPolicy
Creates an Active Directory Domain Services authentication policy object.
What does the following PowerShell CmdLet Do?
New-ADAuthenticationPolicySilo
Creates an Active Directory Domain Services authentication policy silo object.
What does the following PowerShell CmdLet Do?
New-ADCentralAccessPolicy
Creates a new central access policy in Active Directory containing a set of central access rules.
What does the following PowerShell CmdLet Do?
New-ADCentralAccessRule
Creates a central access rule in Active Directory.
What does the following PowerShell CmdLet Do?
New-ADClaimTransformPolicy
Creates a new claim transformation policy object in Active Directory.
What does the following PowerShell CmdLet Do?
New-ADClaimType
Creates a new claim type in Active Directory.
What does the following PowerShell CmdLet Do?
New-ADComputer
Creates a new Active Directory computer object.
What does the following PowerShell CmdLet Do?
New-ADDCCloneConfigFile
Performs prerequisite checks for cloning a domain controller and generates a clone configuration file if all checks succeed.
What does the following PowerShell CmdLet Do?
New-ADFineGrainedPasswordPolicy
Creates a new Active Directory fine-grained password policy.
What does the following PowerShell CmdLet Do?
New-ADGroup
Creates an Active Directory group.
What does the following PowerShell CmdLet Do?
New-ADObject
Creates an Active Directory object.
What does the following PowerShell CmdLet Do?
New-ADOrganizationalUnit
Creates an Active Directory organizational unit.
What does the following PowerShell CmdLet Do?
New-ADReplicationSite
Creates an Active Directory replication site in the directory.
What does the following PowerShell CmdLet Do?
New-ADReplicationSiteLink
Creates a new Active Directory site link for managing replication.
What does the following PowerShell CmdLet Do?
New-ADReplicationSiteLinkBridge
Creates a site link bridge in Active Directory for replication.
What does the following PowerShell CmdLet Do?
New-ADReplicationSubnet
Creates an Active Directory replication subnet object.
What does the following PowerShell CmdLet Do?
New-ADResourceProperty
Creates a resource property in Active Directory.
What does the following PowerShell CmdLet Do?
New-ADResourcePropertyList
Creates a resource property list in Active Directory.
What does the following PowerShell CmdLet Do?
New-ADServiceAccount
Creates a new Active Directory managed service account or group managed service account object.
What does the following PowerShell CmdLet Do?
New-ADUser
Creates an Active Directory user.
What does the following PowerShell CmdLet Do?
Remove-ADAuthenticationPolicy
Removes an Active Directory Domain Services authentication policy object.
What does the following PowerShell CmdLet Do?
Remove-ADAuthenticationPolicySilo
Removes an Active Directory Domain Services authentication policy silo object.
What does the following PowerShell CmdLet Do?
Remove-ADCentralAccessPolicy
Removes a central access policy from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADCentralAccessPolicyMember
Removes central access rules from a central access policy in Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADCentralAccessRule
Removes a central access rule from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADClaimTransformPolicy
Removes a claim transformation policy object from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADClaimType
Removes a claim type from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADComputer
Removes an Active Directory computer.
What does the following PowerShell CmdLet Do?
Remove-ADComputerServiceAccount
Removes one or more service accounts from a computer.
What does the following PowerShell CmdLet Do?
Remove-ADDomainControllerPasswordReplicationPolicy
Removes users, computers, and groups from the allowed or denied list of a read-only domain controller password replication policy.
What does the following PowerShell CmdLet Do?
Remove-ADFineGrainedPasswordPolicy
Removes an Active Directory fine-grained password policy.
What does the following PowerShell CmdLet Do?
Remove-ADFineGrainedPasswordPolicySubject
Removes one or more users from a fine-grained password policy.
What does the following PowerShell CmdLet Do?
Remove-ADGroup
Removes an Active Directory group.
What does the following PowerShell CmdLet Do?
Remove-ADGroupMember
Removes one or more members from an Active Directory group.
What does the following PowerShell CmdLet Do?
Remove-ADObject
Removes an Active Directory object.
What does the following PowerShell CmdLet Do?
Remove-ADOrganizationalUnit
Removes an Active Directory organizational unit.
What does the following PowerShell CmdLet Do?
Remove-ADPrincipalGroupMembership
Removes a member from one or more Active Directory groups.
What does the following PowerShell CmdLet Do?
Remove-ADReplicationSite
Deletes the specified replication site object from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADReplicationSiteLink
Deletes an Active Directory site link used to manage replication.
What does the following PowerShell CmdLet Do?
Remove-ADReplicationSiteLinkBridge
Deletes a replication site link bridge from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADReplicationSubnet
Deletes the specified Active Directory replication subnet object from the directory.
What does the following PowerShell CmdLet Do?
Remove-ADResourceProperty
Removes a resource property from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADResourcePropertyList
Removes one or more resource property lists from Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADResourcePropertyListMember
Removes one or more resource properties from a resource property list in Active Directory.
What does the following PowerShell CmdLet Do?
Remove-ADServiceAccount
Removes an Active Directory managed service account or group managed service account object.
What does the following PowerShell CmdLet Do?
Remove-ADUser
Removes an Active Directory user.
What does the following PowerShell CmdLet Do?
Rename-ADObject
Changes the name of an Active Directory object.
What does the following PowerShell CmdLet Do?
Reset-ADServiceAccountPassword
Resets the password for a standalone managed service account.
What does the following PowerShell CmdLet Do?
Restore-ADObject
Restores an Active Directory object.
What does the following PowerShell CmdLet Do?
Revoke-ADAuthenticationPolicySiloAccess
Revokes membership in an authentication policy silo for the specified account.
What does the following PowerShell CmdLet Do?
Search-ADAccount
Gets Active Directory user, computer, or service accounts.
What does the following PowerShell CmdLet Do?
Set-ADAccountAuthenticationPolicySilo
Modifies the authentication policy or authentication policy silo of an account.
What does the following PowerShell CmdLet Do?
Set-ADAccountControl
Modifies user account control (UAC) values for an Active Directory account.
What does the following PowerShell CmdLet Do?
Set-ADAccountExpiration
Sets the expiration date for an Active Directory account.
What does the following PowerShell CmdLet Do?
Set-ADAccountPassword
Modifies the password of an Active Directory account.
What does the following PowerShell CmdLet Do?
Set-ADAuthenticationPolicy
Modifies an Active Directory Domain Services authentication policy object.
What does the following PowerShell CmdLet Do?
Set-ADAuthenticationPolicySilo
Modifies an Active Directory Domain Services authentication policy silo object.
What does the following PowerShell CmdLet Do?
Set-ADCentralAccessPolicy
Modifies a central access policy in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADCentralAccessRule
Modifies a central access rule in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADClaimTransformLink
Applies a claims transformation to one or more cross-forest trust relationships in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADClaimTransformPolicy
Sets the properties of a claims transformation policy in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADClaimType
Modifies a claim type in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADComputer
Modifies an Active Directory computer object.
What does the following PowerShell CmdLet Do?
Set-ADDefaultDomainPasswordPolicy
Modifies the default password policy for an Active Directory domain.
What does the following PowerShell CmdLet Do?
Set-ADDomain
Modifies an Active Directory domain.
What does the following PowerShell CmdLet Do?
Set-ADDomainMode
Sets the domain mode for an Active Directory domain.
What does the following PowerShell CmdLet Do?
Set-ADFineGrainedPasswordPolicy
Modifies an Active Directory fine-grained password policy.
What does the following PowerShell CmdLet Do?
Set-ADForest
Modifies an Active Directory forest.
What does the following PowerShell CmdLet Do?
Set-ADForestMode
Sets the forest mode for an Active Directory forest.
What does the following PowerShell CmdLet Do?
Set-ADGroup
Modifies an Active Directory group.
What does the following PowerShell CmdLet Do?
Set-ADObject
Modifies an Active Directory object.
What does the following PowerShell CmdLet Do?
Set-ADOrganizationalUnit
Modifies an Active Directory organizational unit.
What does the following PowerShell CmdLet Do?
Set-ADReplicationConnection
Sets properties on Active Directory replication connections.
What does the following PowerShell CmdLet Do?
Set-ADReplicationSite
Sets the replication properties for an Active Directory site.
What does the following PowerShell CmdLet Do?
Set-ADReplicationSiteLink
Sets the properties for an Active Directory site link.
What does the following PowerShell CmdLet Do?
Set-ADReplicationSiteLinkBridge
Sets the properties of a replication site link bridge in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADReplicationSubnet
Sets the properties of an Active Directory replication subnet object.
What does the following PowerShell CmdLet Do?
Set-ADResourceProperty
Modifies a resource property in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADResourcePropertyList
Modifies a resource property list in Active Directory.
What does the following PowerShell CmdLet Do?
Set-ADServiceAccount
Modifies an Active Directory managed service account or group managed service account object.
What does the following PowerShell CmdLet Do?
Set-ADUser
Modifies an Active Directory user.
What does the following PowerShell CmdLet Do?
Show-ADAuthenticationPolicyExpression
Displays the Edit Access Control Conditions window to update or create Security Descriptor Definition Language (SDDL) security descriptors.
What does the following PowerShell CmdLet Do?
Sync-ADObject
Replicates a single object between any two domain controllers that have partitions in common.
What does the following PowerShell CmdLet Do?
Test-ADServiceAccount
Tests a managed service account from a computer.
What does the following PowerShell CmdLet Do?
Uninstall-ADServiceAccount
Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.
What does the following PowerShell CmdLet Do?
Unlock-ADAccount
Unlocks an Active Directory account.
For PSO precedence, what applies?
The lowest number
i.e. 1 will always apply over 10
What are the 2 Forest Wide FSMO Roles?
What are the 3 Domain Wide FSMO Roles?
- Forest Wide FSMO Roles
  - Schema Master
  - Domain Naming Master
- Domain Wide FSMO Roles
  - PDC Emulator
  - RID Master
  - Infrastructure Master
What do the 2 Forest Wide FSMO Roles do?
What do the 3 Domain Wide FSMO Roles do?
- Forest Wide FSMO Roles
  - Schema Master
    - Editable copy of the Active Directory Schema
  - Domain Naming Master
    - Responsible for adding/removing namespaces to the forest tree
- Domain Wide FSMO Roles
  - PDC Emulator
    - Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator
    - Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator
    - Account lockout is processed on the PDC emulator
    - Acts as PDC for older systems
  - RID Master
    - Responsible for processing RID pools. Each DC will request RIDs when it falls below a certain threshold. (Requests when at 250 and given another 500)
  - Infrastructure Master
    - The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference.
    - Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.
What are the three states of Active Directory Domain Services?
- Started
- Stopped
- DSRM