2008 R2 ADS Vocabulary - Session 1 Flashcards

Question

A site is

Answer 1

a group of related subnets or well-connected IP subnets.

Answer 2

resolves the host names of computers in a network into IP addresses, and vice versa.

Answer 3

Services, such as Active Directory's Kerberos and LDAP services, using SRV records to multiple servers (domain controllers) which are then in turn resolved to their IP addresses.

Answer 4

* Creating a forward or reverse lookup zone * Setting the types of updates it must allow * Specifying whether queries must be forwarded and to which servers * Creating root hints

Answer 5

To ensure consistency of the schema and to prevent conflicting updates into the AD database, AD employs the Flexible Single Master Operations (FSMO) role - or operations master.

Answer 6

* Domain Naming Master (Note: must be placed on a domain controller serving the global catalog) * Schema Master

Answer 7

* PDC Emulator * Infrastructure Master (Note: do not place the global catalog on a domain controller that hosts the domains Infrastructure master role unless all domain controllers in the domain are global catalog servers or the forest has only one domain.) * Relative Identifier (RID) Master

Answer 8

If an operations master is available and functional on a network, you can transfer an operations master role by moving it from one DC to another.

Answer 9

Seizing an operations master role involves assigning the role to another DC when the DC on which it is installed fails or is not available. You should only seize a role if the DC managing the role is permanently out of service.

Answer 10

Trust relationships are created between domains, and enable users in one domain to access the resources of another domain. Domain Admins group members can create and manage trust relationships.

Answer 11

Using the Windows Interface Using Unattended Installation parameters at the Command Line Using an Answer File

Answer 12

* Assign a static IP address to a Windows Server 2008 R2 server * Use a wizard to add the Active Directory Domain Services (AD DS) role to the server * Use a wizard to promote the server to a DC

Answer 13

If you do not want to use the Windows interface, you can create a new forest by creating and running an answer file. A text editor of your choice can be used to create this answer file. Specify a password that will be used for an offline administrator account in Directory Service Restore Mode. After creating an answer file, you save it on the installation server, to a network shared folder, or to removable media for distribution. To run the answer file, you use the dcpromo utility with the /unattend option, followed by the path to the answer file in double quotation marks.

Answer 14

by running the adprep /forestprep utility. You need to run this utility only once on the DC that holds the schema master operations master role. This command may be run by administrators belonging to the SchemaAdmin, EnterpriseAdmin, and Domain Admins groups.

Answer 15

, you raise the functional level of the forest and the domain to Windows Server 2008 R2. To do this, you should be a member of the Domain Admins or Enterprise Admins groups. You cannot reverse a change that raises the domain functional level.

Answer 16

add a client machine to the domain by configuring the client's system properties

Answer 17

You can choose to install Windows Server 2008 R2 using the installation DVD. This method requires you to be present to work through the Install Windows Wizard.

Answer 18

is one that does not require user input during the installation process. So you do not need to be physically present while installation of the server is in progress.

Answer 19

you to deploy the WDS client and then automate the latter stages of the Windows Setup. This two-stage approach is accomplished by using the following two unattend files

Answer 20

* WDS Client Unattend File | * Image Unattend File

Answer 21

administrators and ensure high-level administrative control.

Answer 22

* Simple administration * Simple troubleshooting * A single security boundary

Answer 23

significant geographical distance between branches of an organization. In this case, using multiple domains can reduce traffic and limit maintenance delays.

Answer 24

adprep /forestprep adprep /domainprep /gpprep adprep /rodcprep

Answer 25

The adprep utility extends the AD schema and updates the necessary permissions to prepare a forest and a domain for a DC. It also prepares the Windows Server 2000 or Windows Server 2003 forest for a DC that runs Windows Server 2008 R2.

Answer 26

The adprep /domainprep command prepares the Windows Server 2000 or Windows Server 2003 domain for the DC that runs Windows Server 2008 R2.

Answer 27

The /gpprep command, which you can run with the adprep /domainprep command, minimizes the replication traffic created by updating file system and AD permissions on the existing Group Policy Objects (GPOs).

Answer 28

The adprep /rodcprep command sets up the domain for an RODC. To install a Windows Server 2008 R2 RODC, you must be a member of the Enterprise Admins group.

Answer 29

Configuring the Global Catalog

Answer 30

is an index of objects in AD DS.

Answer 31

to locate objects that are stored in other domains.

Answer 32

Only those aspects of each object that are commonly used - for instance when conducting a search - are referenced in the global catalog.

Answer 33

* Validating the object references of other domains in the forest * Providing universal group membership information in a multiple-domain environment * Providing authentication for user principal names (UPNs) * Resolving UPNs and completing the logon process if a user logs on by using the UPN of a different DC

Answer 34

created on its first DC, which is the root of the forest.

Answer 35

the object replication needs of the network relative to network traffic flow.

Answer 36

Universal Group Membership Caching

Answer 37

enabled to avoid having to remotely contact the GC after the first logon.

Answer 38

automatically every 8 hours by the remote DC.

Answer 39

a logical representation of the physical topology - or structure - of an organization's network.

Answer 40

servers and other objects related to AD replication.

Answer 41

describes the relationship between a trusting domain, which is the domain with the resources, and the trusted domain, which is the domain that requests the resources.

Answer 42

by a trust path, which is a series of trust relationships that are followed by an authentication request between two domains.

Answer 43

The access path between two different domains operates in one direction only.

Answer 44

Both domains trust each other, so access requests can travel in both directions.

Answer 45

is automatically established between the child domain and the parent domain.

Answer 46

extended beyond the two domains in which it is formed. This is useful for establishing trust relationships with multiple domains.

Answer 47

a two-way, transitive trust relationship is created between the new domain and its parent domain by default.

Answer 48

External Trusts Forest Trusts Realm Trusts Shortcut Trusts

Answer 49

Extern& trusts are nontransitive and can be used to create one-way or two-way trust relationships between two domains. This type of trust enables users to access resources that are stored on external domains located in separate forests. It also provides access to the resources present on a Windows NT domain.

Answer 50

Forest trusts are transitive and can be used to create one-way or two-way trust relationships. A forest trust can be created between two forest root domains to enable users to share resources across different forests. If two forests have a two-way trust relationship between them, a request to access resources made by either forest is acknowledged by the other forest.

Answer 51

Realm trusts can be transitive or nontransitive, and can be used to create one-way or two-way trust relationships.

Answer 52

Shortcut trusts are transitive, and can be used to establish a one-way or two-way trust relationship between domains in a Windows Server 2008 R2 forest. Useful when users belonging to a domain regularly log on to other domains within a forest. It makes the authentication process between domains faster and more efficient, especially if the domains are separated by two domain trees.

Answer 53

Replication is managed on a per-partition basis; portions of active directory replicate to different domain controllers differently.

Answer 54

(the definition of all forest objects and attributes)

Answer 55

(the map of the physical (sites and subnets) and logic& (domains and trusts) active directory forest)

Answer 56

) replicate to all forest domain controllers.

Answer 57

(the users, groups, OUs, and other domain objects) is only replicated to the domain controllers of the same domain.

Answer 58

Intra-site replication is automatically configured by the Knowledge Consistency Checker (KCC) service and is performed as an activity-triggered process: when data changes, domain controllers automatically notify other domain controller partners in the same site of the change, and the other domain controllers can request to download that change.

Answer 59

Inter-site replication is configured manually be defining site objects (which contain the domain controller server objects and subnet objects (so that clients can identify which site they are located in). Within each site an Intersite Topology Generator (ISTG) is automatically chosen which identifies a Bridgehead server, which is the representative replication server for a directory partition. When possible, multiple partitions are replicated through the same Bridgehead server. If desired, an administrator can override automatic ISTG selection and choose the Bridgehead server for a site. However, the ISTG service will not provide failover if that server should go offline. Site objects are linked by site links objects, which define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost. If domains in a forest are not directly connected by sites in a site topology they will by default use automatic site link bridging to replicate according to the cost and schedule defined by the intermediate site links of the sites between them. If this mapping is inconsistent with the actual routing topology automatic site link bridging can be disabled and an explicit site link bridge can be manually created.

Answer 60

(which contain the domain controller server objects and subnet objects (so that clients can identify which site they are located in).

Answer 61

Intersite Topology Generator

Answer 62

which is the representative replication server for a directory partition.

Answer 63

which define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost.

Answer 64

If domains in a forest are not directly connected by sites in a site topology they will by default use

Answer 65

* "Replicate Now" on the replication connection object in Active Directory Sites and Services console * Cmdline: repadmin.exe utility

Answer 66

. It hosts read-only partitions of the database and provides security to data stored in that database.

Answer 67

improved security, faster logon times, and access to network resources that is more efficient.

Answer 68

Support for a Read-Only Domain Name System (DNS) Support for Administrator Role Separation Unidirectional Replication with a Writable DC Storage of a Read-Only AD DS Database Support for Credential Caching Creating an RODC Account Connecting a Server Running AD DS to the RODC Account RODC Operation Role Separation and Read-Only DNS Role separation Read-Only DNS

Answer 69

In response to a client request to update a DNS record, the RODC DNS server returns the address of another DNS server on a DC that is not read-only. This DC then performs the update and the RODC DNS server replicates the updated DNS record to other DCs. This replication is performed only for the updated DNS record, not for the domain data or the entire list of changed zones.

Answer 70

You can delegate local administrative permissions for an RODC to a domain user, without giving the user administrative permissions over the domain in which the RODC is installed. This enables a user to perform administrative operations such as installing software on the RODC and maintaining security.

Answer 71

Replication occurs only from the writable DC to the RODC. If data corruption or malicious changes are made at the remote location, they will not replicate the rest of the domain or forest.

Answer 72

An RODC database includes all the AD attributes and objects that are stored in the database of a writable DC but for account passwords. Data stored in an RODC is read-only. Any changes must be made on a writable DC, which then replicates the updated data to the RODC database.

Answer 73

An RODC stores only its local computer and KRBTGT account details, which is used for Kerberos authentication. When a client requests authentication, the RODC forwards the request to a writable DC. The writable DC then determines if the credentials should be cached on the RODC. The credentials are then cached for future requests, enabling faster logon times and reducing bandwidth used for authentication.

Answer 74

Creating an RODC Account | Connecting a Server Running AD DS to the RODC Account

Answer 75

To create an RODC account in AD DS, you need to be a member of the Domain Administrators group. In addition to assigning an account name, you need to specify the site for which the account must be created. You can also choose to specify the user or group authorized to perform the next installation step. If you do not do this, then only a member of the Enterprise Admins or Domain Admins groups will be able to complete the installation.

Answer 76

Once you have created an RODC account, you need to install AD DS on the server that will act as the RODC, and then link the server to the RODC account. Domain data that must reside locally on the server, such as databases and log files, must be replicated to the RODC. One way of doing this is to use the Install From Media (IFM) feature to install the source files directly. Alternatively, you can replicate the source files to the RODC from any other DC over the network.

Answer 77

When a branch office user logs on, the RODC requests the user's credentials from the hub site writable DC. The hub DC consults the RODC's password replication policy and, if allowed, forwards the user's credentials which are then stored in the RODC's cache.

Answer 78

Allows the authorization of remote users and groups to perform specific administrative tasks through different roles without granting administrative permissions for the domain or other DCs.

Answer 79

Application directory partitions, including ForestDNSZones and DomainDNSZones partitions are replicated to the RODC. DNS updates are not written directly to the RODC.

Answer 80

An existing Windows Server 2008 R2 DC that contains the PDC emulator FSMO role. An existing Windows Server 2008 R2 DC that contains the GC. The RODC forwards all replication requests to this server for authentication. Domain and forest functional levels must be raised to windows server 2003 or higher. (Not 2008!) Adprep /rodcprep command must be run to update permissions on all DNS application directory partitions. Enterprise admins rights are required.

Answer 81

The AD DS role must be added to the server using the Server Manager Roles Wizard. AD DS is installed using the Active Directory Domain Services Installation Wizard.

Answer 82

Universal groups Group Nesting Group Conversion SID History (Security Identifier)

Answer 83

``` LastLogonTimeStamp inetOrgPerson Domain Controller Rename - netdome (has to be installed on a DC) Container Redirection Authorization Manager constrained Delegation Selective Authentication ```

Answer 84

``` Sysvol Replication (DFS-DFGS) Advanced Encryption Sytem (AES 128 and 256) Last Interactive Logon Fine-grained passwords Access Base Enumeration ```

Answer 85

Authentication Mechanism Assurance

Answer 86

Universal Group Caching

Answer 87

``` Forest Trusts Domain Rename RODC - Read Only Domain Controllers Linked Value Replication User Object Conversion Schema Modification DynamicObjects Knowledge Consistency Checker Group Sites ```

Answer 88

No new forest features

Answer 89

Active Directory Recycle Bin

Answer 90

are enabled for both distribution groups and security groups

Answer 91

Groups can contain other groups

Answer 92

A security group can be converted to a distribution group and vice versa

Answer 93

Active Directory users, compouters and groups have an associated SIB whch is used during resource access. SID history allows a user's old SID to be used in an upgraded domain alongside the new SID - access to resources on the older system is therefore retained even thoug the user now has a new SID

Answer 94

attribute is updated with the last logon time of the user or computer and is replicated throughout the domain

Answer 95

the ability to set the userPassword attribute as the effective password on (the vocab word) and user objects

Answer 96

Netdom.exe can be used to rename domain controllers

Answer 97

allows you to direct new user and computer accounts to containers (organizational units) other than the default users and computers containers

Answer 98

Can store its authorization policies in AD DS

Answer 99

Can be used to restrict user credential delegation to specific destination services only

Answer 100

you can be specific about which users and groups from a trusted forest are allowed to authenticate to resources on servers in a trusting forest (lesson 4 module 1)

Answer 101

DFS (DFGS) replication support provides more robust and detailed replication of (vocab word) contents

Answer 102

DFS support for access-based enumeration (AES 128 and AES 256) and increased scalability

Answer 103

Hosts the following information: the total number of failed logons, the total number of failed logon attempts after a successful logon, the time of the last failed logon attempt, and the time of the last successful logon attempt at a t2008 Server or Vista/win 7 client

Answer 104

Administrators can specify unique password and account lockout policies for users or groups in the domain.

Answer 105

Presents a view of aDFS namespace to a user that shows only the folders in the namespace to which the user has a t least read permission - folders that the user is not permitted to read remain hidden

Answer 106

at a remote location that do not have access to a global catalog

Answer 107

Introduction of configuratble replicable of application partitions with Active Directory

Answer 108

Allows you to establish inter forest trusts

Answer 109

A DC which host a read-only copy of the AD database and that can be strategically placed in a remote office to provide user authentication and group membership

Answer 110

Linked value replication, replicates an individual group membership change rather than the entire multi-values member attribute.

Answer 111

The ability to convert an inetOrgPerson object instance into a User object instance and to complete the conversion in the opposite direction

Answer 112

Allows an administrator to deactivate or alter schema object classes and attributes

Answer 113

Used by developers and application, the schema allows instances of the dynamic auxillary class in domain directory partitions

Answer 114

Enable AD DS to support replication in forests with more than 100 sites

Answer 115

The introduction of application basic groups and LDAP query groups

Answer 116

provides the ability to restore deleted objects in ther entirety while (vocab word) is running

Answer 117

1. member of Domain Admin or Enterprise Admin | 2. PDC Emulator DC must be accessible

Answer 118

One Domain Controller, the new level will be replicated to each controller in the (vocab word).

Answer 119

Start, admin tools, acitve Directory Domains and Trusts, right click on domain, Raise domain function level box and select - same for forest but choose the Raise Forest Function Level option box

Answer 120

extends the active directory schema to support upgraded server installation

Answer 121

1. 2008 installation disk in \sources\adprep 2. 2008 R2 installation disk in \support\adprep 32bit and 64 bit version

Answer 122

elevated command prompt

Answer 123

``` Updating the Active Directory Schema Updatiang security descriptors, Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder, Creating new objects as required Creating new containers as required ```

Answer 124

adprep /forestprep adprep /domainprep adprep /domainprep /gpprep adprep /rodcprep

Answer 125

prepares a forest for the intor of a DC that runs Server 2008 and R2. The command is run on the DC that hosts the Schema Master Role.

Answer 126

prepares a domain for the intro of a DC that runs 2008 or 2008 R2. command should be run after the forestprep command is complete and afterer the changes have replicated to all the domain controllers in the forest. The command should be run on each domain where you plan to add a DC that runs 2008 or $2 . You must run this command on the DC that host the DC infrastructure master role

Answer 127

Similar to the /doaminprep command but adds only the inheritable access control entries (ACE's) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACE's give enterprise domain controllers read access permissions on GPOs - these permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy. The command must be run on the domain controller that hosts the domain's infrastructure master role.

Answer 128

Updates permissions on application directory partitions (including DNS Services) to enable replication of the partitions to REad Only Domain Controllers (RODCs) - the operation runs remotely and contacts the domain controller hosting the infrastructure master in each domain to update the permissions. The command must be run from any domain controller.

Answer 129

run adprep /rodcprep immediately after the running of adprep /forestprep command and both must be run on the DC with Schema and Infrastructure Masters running

Answer 130

any computer, runs remotely but it must be able to contact the forest's domain naming master to obtain a list of forest application directory partitions. It then must contact the infrastructure master in each domain for each of the application directory partitions. If an infrastructure master is unavailable, the (vocab word) command will fail and you must rerun until success is achieved.

Answer 131

using and elevated command prompt on a comaputer with netdom.exe toll installed (usually a DC) then press the enter key ie: c:\netdom query fsmo

Answer 132

move migrate user accounts, groups, computers and other Active Directory object between Active directory domains and forests.

Answer 133

windows NT 4.0 and Active Directory Forests Domains.

Answer 134

used to migrate 2003, 2008, 2008 R2 forest Domains

Answer 135

Preservation of object SID Histories Can migrate computer accounts, including domain controllers Can migrate user accounts/profiles Accommodates the use of a SQL database to host migration data Accommodate pre - testing before commitment Provides a measure of rollback Migration is secured using encryption

Answer 136

can be performed between domains in the same forest - intra forest migration, or between domains in different forests - inter-forest migration. During inter-forest restructurieng or migration, the source domain remains intact - migrated object are copied, while both domains remain operational during restructuring.

Answer 137

user, groups, service accounts, computers migrations. The console provides a convenient interface or use can use the command line interface using the admt.exe utility and parameters or include text files containibg ines of migration options and parameters.

Answer 138

provides analysis reports and log files which can be used to iron out any issues prior to any final migration.

Answer 139

every security principal (user, group, computer, etc) in an AD domain has an associated security identifier that is unique to a domain. When a user attempts to access an Active Directory resource, for example a file, the Access Control List (ACL) for the file checks its Access Control Entries (ACEs) to check the level of access the associated SID has for the resource, or whether the SID is denied access to the the resource. When a security principal is deleted, the asscoiated SID is never reassigned and remains unused.

Answer 140

All Active Directory resources have an associated ACL, which maintains a list of access control entries (ACEs) that link specific resource permissions with the SID of an Active Directory Security Principal - user, group, computer, etc - the ACE entries can include the extent of an allow permission or deny permission

Answer 141

in addition to the SID attribute, an AD Security principal also has an associated sIDHistory attribute which maintains a list of previously held SIDs. If a user is moved from one domain to another, a new principle SID is defined for the use and the old domain SID is added to the sIDHistory attribute. When a user attempts to accesss a system resource in the source domain, both the new SID and any older SIDs are used when mapping permissions on the resource ACE list of the source domain - by doing this, the user maintains access levels to any resource in the new domain, while at the same time retaining aceess to resources in the source domain.

Answer 142

this allows you to replace an orginal SID of a migrated security principal's with the new SID on the ACEs of all resources in the original source domain - this achieves the same effect as the sIDHistory attribute. In general, sIDHIstory is uused to maintain access and functionality during igration and the security translation is then performed to complet the rprocess

Answer 143

``` File and folder permissions Printer Permissions Share Permissions Registry Permissions User Rights Group Membership ```

Answer 144

legacy machines - the older machines

Answer 145

to demote a domain controller and to remove active directory

Answer 146

Server 2003 or better

Answer 147

server roles and fetures and a non-GUI management interface. Server Core is designed to improve security, operate on reduced hardware resources and is managed via command line utilities and windows powershell but can be managed from the GUI of a remote server

Answer 148

is deployed to minimize response latency for usder requiring frequent authentiction or resource access on a domain which is either deeply nested or the end of a slow communications link. A shortcut trust can be configured as a one-way trust

Answer 149

a forest defines the security boundary of Active Directory implementation a forest trust allos you to establish a two way transitive trust between forests. Forest trust were introduced in Server 2003 and both forests must be operating at this functional level or higher to avail of forest trusts. The forest trust established transitive trust between all domains in each foret - the trust can be defined as a one-way incoming or outgoing or two way. UPNs can be used for authentication in either forest.

Answer 150

are deployed to establish a one way trust with 2000 doain and a 2008 $2 domain or between two indivdiaul 2008 R2 Active Directory domains in seperate forests - typically a business partner or project collaboration partner.

Answer 151

allows trust between Windows 200 R2 Active Directory and a Unix Platform

Answer 152

User Principal Name - are stored in the global catalog and are deployed to avaoid the use of multiple user domain logons. Using a upn logon a user can logon to any domain ,, DC within a forest.