Active Directory Domain Services Flashcards

Question

How can you create a variable that can be used as a password when creating a new AD user in PowerShell?

Answer 1

$password = "passw0rd!" | ConvertTo-SecureString -AsPlainText -Force The password must be contained in a secure string in order for it to be entered into the PowerShell cmdlet: New-ADUser -Name jsmith -AccountPassword $password

Answer 2

get-aduser -filter * -Properties lastlogondate,passwordlastset | ft name,lastlogonedate,passwordlastset get-aduser -filter {enabled -ne $true} | ft name

Answer 3

* -AccountDisabled -usersonly * - AccountInactive -TimeSpan 30.00:00:00 * -PasswordExpired * -PasswordNeverExpires * -LockedOut To any of these, add this to just get a simple list of names: • | ft name

Answer 4

On a domain controller, in Command Prompt: djoin /provision /domain example.local /machine newstation01 /savefile c:\anyname.txt * (Where domain is named example.local, and the computer to be joined is newstation01) * This creates the necessary file to be transferred to newstation01, and pre-creates the necessary computer object in AD. On the computer to be joined: djoin /requesttodj /loadfile c:\anyname.txt c:/windows /localos * Note, need to specify the Windows path on this machine, and specify that it is being performed on the local OS * As always, a reboot is required to complete the join.

Answer 5

Right-click and delete. Unless it was created with protection from accidental deletion, which is the DEFAULT setting. In that case, go to View > Advanced Features, then right-click the OU > Properties > Object > uncheck "Protect from accidental deletion", then right-click and delete. Note, deleting an OU will delete all of the objects it contains, so you may want to remove all objects from it first.

Answer 6

Redirects newly created AD objects to specified containers / OUs / domains. These set what will become the default location for newly created user objects, and computer objects, respectively.

Answer 7

* Global Groups are visible throughout the forest, but can contain only accounts and global groups from the same domain. * The group itself can be a member of Universal and Domain Local groups, and usually is. * Typically used to organize users who share the same responsibilities, access permissions, are part of the same dept, etc. * You tend not to assign permissions directly to Global Groups; rather, Domain Local groups are more appropriate for that.

Answer 8

Domain Local Groups are only visible in their own domain. * This is a way for you to single out objects that exist in a single domain, from objects that exist in other domains elsewhere in the forest. * For this reason, Domain Local Groups are used to grant rights and privileges onto the resources that reside in the same domain where that Local Group is located. * Domain Local Groups can contain other Domain Local Groups, but only from the same domain. * Users, computers, and all other group types from the same domain, as well as any trusted domain elsewhere in the forest, can be contained in the Domain Local Group. * Global Groups are generally for people, and Domain Local groups are generally for resources.

Answer 9

* Visible throughout forest, and can contain accounts, Global Groups, and other Universal Groups from any domain in the forest. * They cannot contain Domain Local Groups, because those are just local to an individual domain and are not visible elsewhere. * When you create or make any changes to or within a Universal Group, a Global Catalog has to track the change and replicate it to all other Global Catalogs in the forest. * For that reason, Universal Groups should tend to be used only for special cases where you need to nest Global Groups, like assigning permissions to resource in multiple domains. * Universal Groups also tend to be used as Distribution groups, to create Dist. lists for Exchange for recipients across all domains in the forest.

Answer 10

There are 5. 2 Group Types: * Security Groups * Distribution Groups And 3 Group Scopes: * Global Groups * Domain Local Groups * Universal Groups

Answer 11

Users, Global Groups, Local Groups, Access It describes the best practice for group nesting: * Users go in Global Groups * Global Groups go in Domain Local Groups * Assign permissions to Domain Local Groups This best practice isn't necessary for single-forest, single-domain environments, but if you ever need to expand past a single domain, you'll need to be able to provide users from outside one domain with access to resources within that domain.

Answer 12

Domain Local Groups can contain: * Domain Local Groups from the same domain * Global Groups from any domain * Universal Groups from any domain * Accounts from any domain

Answer 13

Universal Groups can contain: * Global Groups from any domain * Universal Groups from any domain * (No Domain Local Groups.)

Answer 14

A command that lets you configure, manage and troubleshoot AD DS replication. * It can be used to force replication between two specific replication partners. * It can also be used to force the Knowledge Consistency Checker (KCC) to recalculate replication topology for a DC. * Can be used to find errors in replication, etc. * Can configure PRP, the replication policy for passwords to RODCs.

Answer 15

Knowledge Consistency Checker Automatically calculates the replication topology for DCs. Also involved in managing replication.

Answer 16

The Windows command-line backup and restore utility * Can be used to perform non-authoritative restores for AD. * With a non-authoritative restore, you restore from backup, but any updates made since the backup will be applied through replication. * Wbadmin can be used to back up the entire server, or just the system state, which includes the AD data.

Answer 17

A command-line management tool for AD DS and AD LDS. * A Command Line tool that can perform several low-level tasks for configuring AD. (Low-level, meaning, fundamental and underlying, not basic.) * It's been around since the beginning of AD, and is sometimes called the Swiss Army Knife of AD.

Answer 18

* With a non-authoritative restore, you restore from backup, but any updates made since the backup will be applied through replication. * Thus, items that have been deleted and need to be recovered cannot be restored non-authoritatively. * Objects restored through an authoritative restore take precedence, so replication will not delete the container and objects after they are restore. * So, generally: You can use a non-authoritative restore to recover a DC that has failed, to get it back up and running, and it will then be updated from other DCs. And an authoritative restore is useful for recovering objects and containers that have been deleted in error.

Answer 19

A management utility for AD LDS.

Answer 20

Distribution Group

Answer 21

Security Group

Answer 22

Domain Local Group

Answer 23

Global Group

Answer 24

Universal Group

Answer 25

Password Replication Policy The PRP defines AD identities that are explicitly allowed or denied replication to a Read-Only Domain Controller. Two domain groups exist by default: Allowed RODC Password Replication Group, and Denied RODC Password Replication Group. These groups can be modified, or existing users and groups added. The Denied group contains, by default, Administrators, Backup Operators, Account Operators, and Server Operators.

Answer 26

You must first extend the AD schema. This updates the AD application directory partitions to enable partition replication to RODCs. • adprep /rodcprep

Answer 27

A Command Line utility to delete a specified AD object, including containers. (It stands for Directory Service Remove)

Answer 28

Service Principal Name * An SPN is the name by which a client uniquely identifies an instance of a service. * If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN. * A particular service instance may also have multiple SPNs, if there are multiple names that clients might use for authentication

Answer 29

* VAs, or Virtual Service Accounts, are automatically managed local accounts that cannot be created or deleted. * They emulate creating many unique instances of the Network Service account, with each service running its own instance. * These unique instances make auditing and tracking easier. * VAs do not require, nor support, password management. (Neither manual nor automatic.) * They access domain network resources by using the credentials of the computer they run on. * You cannot use the same virtual service account on multiple computers.

Answer 30

* Using Group Policy, it can ONLY be set in a GPO linked at the Domain-level. * And, there can only be one Account Policy defined for a given domain. * So, typically, Account Policy would be set in the "Default Domain Policy" GPO. * Even though the password policy settings can be linked to OUs, etc., they will not have any effect on AD users. They will only affect local user accounts on computers in that OU that process that policy. * For AD users, the Account Policies you configure are only applied when you configure them in a GPO linked at the Domain level.

Answer 31

* Password Policy * Account Lockout Policy * Kerberos Policy

Answer 32

Accessed by right-clicking on the domain name in Active Directory Users and Computers, then selecting "Delegate Control..." * It allows you to delegate granular management tasks to non-administrative users. * You grant designated users permission to perform specified tasks on designated users, groups, computers, OUs, and other objects store in ADDS. * Although it is very simple to use it to make a change, it is then very difficult to later figure out what changes were made / permissions granted to whom. You would need to dig into the AD database. So, you need to be very careful in making changes there.

Answer 33

Password Settings Obejct * By creating and using PSOs, you can have different password policies for different groups of users. * Without PSOs, you would need to have a different domain for each group of users that you wanted to have different password policies for. * (PSOs cannot be applied to OUs. They will work with Global Security groups, but no other group types)

Answer 34

This is for working with PSOs (Password Settings Objects). New-ADFineGrainedPasswordPolicy • This creates the PSO, and you would include parameters for how you want the policy configured Add-ADFineGrainedPasswordPolicy • With this, you would set what users and groups the PSO policy should apply to.

Answer 35

* PSO settings will override domain GPO settings. * PSOs applied directly to user objects will override PSOs applied to groups. * Every PSOs is assigned a "precedence value," which is just a relative number. PSOs with lower precedence values will override those with higher precedence values. * Note, only a single PSO can be assigned to a user at any time. (If more than one would apply, it goes by precedence value.)

Answer 36

It can only be done in ADAC (AD Administrative Center). Select the Domain > System > Password Settings Container Here, you can create and edit PSOs.

Answer 37

Active Directory Lightweight Directory Services

Answer 38

A container within AD, it can only be viewed by enabling "Advanced Features." * The LostAndFound container serves as a repository for AD objects that become orphaned due to conflicting AD replication changes. * Note that some methods, such as the Search-ADAccount cmdlet, have no provision for locating accounts stored in the LostAndFound container. * It can be accessed either by the MMC, PowerShell, or ADSI.

Answer 39

Active Directory Services Interface

Answer 40

The AD Recycle Bin stores deleted AD objects. * It is disabled by default. Once enabled, it does not work retroactively, and will only store deleted objects going forward from the time the Bin is enabled. * Once enabled, it cannot be disabled again. * The cmdlet is: Restore-ADObject

Answer 41

None. A Read-Only Domain Controller cannot support any operations master roles.

Answer 42

Generally, it may host any role, but there is one exception: In a multi-domain environment, the Infrastructure Master role CANNOT be hosted on a DC which hosts the global catalog, unless EVERY DC hosts the global catalog.

Answer 43

0 PDCEmulator 1 RIDMaster 2 InfrastructureMaster 3 SchemaMaster 4 DomainNamingMaster

Answer 44

* Domain trees are collections of domains that are grouped together in hierarchical structures. * Whenever you add a domain to a domain tree, it becomes a child domain of the tree root domain. * The domain to which a child domain is attached is called the parent domain. * If you want to create a new domain which is NOT a child of an existing domain, you must create a new domain tree. * If you create a new domain tree, it will be organized as a separate namespace than the existing domain tree, but will support the same schema and the same top-level administrative structure.

Answer 45

Install-ADDSDomain - NewDomainName example.local ...etc., with additional parameters possible.

Answer 46

A forest is a complete instance of Active Directory. Each forest acts as a top-level container, in that it houses all domain containers for that particular AD instance.

Answer 47

They share a common: * logical structure, * global catalog, * directory schema, * directory configuration, * and automatic two-way transitive trust relationships

Answer 48

Primary Domain Control Emulator One of the five FSMO roles. * It is an improvement on the pre-2000 Windows systems that required an actual Primary Domain Controller. * The Emulator continues to perform functions relating to password changes and login authentication. * It also tends to be the timekeeper for the domain; the authoritative time server that other domain controllers synchronize their time from.

Answer 49

Relative Identifier Master One of the five FSMO roles.

Answer 50

• You might experience an increase in support requests regarding password difficulties.

Answer 51

* You will still be able to create new objects in Active Directory, but only until the RID pool is exhausted. Once that happens, you cannot create new objects until the RID Master is back online. * You can't move objects from one domain to another without connecting to the RID Master.

Answer 52

One of the five FSMO roles. The DC that holds the Schema Master role is the only DC that can perform write operations to the directory schema. Those updates are then replicated from the schema master to all other DCs in the forest.

Answer 53

There is only one Schema Master and one Domain Naming Master per forest. The other roles are one-per-domain, so there many be multiple per forest. (RID Master, PDC Emulator, and Infrastructure Master) A single DC can hold all of the roles at once, but only once each per domain. (i.e., it cannot be the RID Master for two different domains.)

Answer 54

One of the five FSMO roles. The Domain Naming Master is the only DC that can: * Add new domains to the forest. * Remove existing domains from the forest. * Add or remove cross-reference objects to external directories.

Answer 55

Remote Procedure Call

Answer 56

One of the five FSMO roles. The DC holding the infrastructure master role is responsible for updating cross-domain group-to-user references to reflect the username changes. The infrastructure master updates these references locally and uses replication to bring all other replicas of the domain up to date. If the infrastructure master is unavailable, these updates are delayed.

Answer 57

Directory Services Restore Mode A separate password is set for this mode whenever you create a domain controller. Whenever you need to perform a restore in AD (whether authoritative or non), you first need to reboot the computer into Directory Services Restore Mode. ( Not to be confused with the command line tool, dsrm, used for removing objects.)

Answer 58

* Stop the service: "Active Directory Domain Services" * Since it has dependencies, it will need to be forced. * Either of the following PS commands will work: stop-service "active directory domain services" -force stop-service ntds

Answer 59

* Seize operation master roles * Authoritative restores of AD objects and containers * Take Snapshots * Defragment the database * metadata cleanup

Answer 60

1. First, take the AD database offline. (This is done by stopping the AD service.) 2. Then, use ntdsutil to defrag / compact the database to a new location. 3. Delete the original database. 4. Copy the new database from its new location to the original location. 5. You can then bring AD back online by starting the AD service.

Answer 61

You can use the "metadata cleanup" tool in ntdsutil. Or, to do it manually: * Transfer / Seize FSMO Roles * Delete the DC computer object in ADUC * Delete the DC computer objects in AD Sits & Services * Delete the DC's DNS A records and SRV records

Answer 62

Common Name Organizational Unit Domain Component

Answer 63

Distributed File Services for Replication * Created with Server 2008 as a replacement for FRS * It's the replication service used to transfer content around

Answer 64

dfsrmig.exe /GetGlobalState • this checks if your migration was already done. It it shows anything other than "Eliminated," then the migration needs to be performed. If it needs to be done: * Validate FRS health * dfsrmig.exe /SetGlobalState 1 * wait a day or two for it to complete * dfsrmig.exe /SetGlobalState 2 * wait a day or two for it to complete * dfsrmig.exe /SetGlobalState 3 run again after each steps to confirm complete: • dfsrmig.exe /GetGlobalState

Answer 65

* The main reason, today, is for Exchange organizations. If using Exchange, it is limited to one organization per forest, so you would need multiple forests for multiple Exchange organizations. * You can use a multi-forest structure to isolate directory replication. * Mergers and acquisitions can result in multiple forests. * Sometimes users, or applications integrated into the AD schema, require different schemas, and would therefore need to exist in a separate forest. * To protect sensitive data.

Answer 66

A trust between two forests, which happens between the two domains that exist in each forest root. * The most commonly used trust that gets created * Links all domains of both forests. * Always transitive. * Configurable authentication, to be either forest-wide or selective.

Answer 67

A domain in one forest trusts a domain in a different forest * This does not happen at the root level, but in some other subdomain trusting another subdomain in a different forest. * It is always nontransitive. * It is always a one-way trust. (If you need trust both ways, you must create two one-way trusts.) * Not configured as often, because the use case is relatively rare.

Answer 68

A literal "shortcut" between two domains in the same forest. * Only needed if there is a large and complex forest with many subdomains and domain trees. * These two domains already have a transitive trust because they both trust the same root domain. But, the shortcut trust can speed authentication between far-reaching branches. It shortens the authentication path. * Rare because you don't tend to find forest structures that are so large that shortcuts are needed.

Answer 69

A trust to a non-Kerberos realm * For example, when a trust is needed between AD and a Linux or Unix environment that has its own LDAP services * Tend to be application based, if you have a need for a particular application to authenticate. * Non-transitive

Answer 70

A trust is a relationship that enables users in one domain to be authenticated by DCs in another domain.

Answer 71

All trusts between domains within a forest are transitive, two-way trusts. This trust is configured automatically when the subdomain is created.

Answer 72

All trusts have direction. • A trust can can be one-way, or bi-directional. If one-way: * The "trusting" domain contains resources to be accessed, and the "trusted" domain contains security principles (ex. users). * The direction of trust is the opposite to the direction of access. * "ing" > "ed"

Answer 73

If a trust is transitive, this means: If Domain B trusts Domain A, and Domain C also trusts Domain A, then Domains B and C will trust each other.

Answer 74

Either of these: • DNS Stub Zone - Better used if there is poor communication between your forest and the other forest. Does not cache any info on local DNS server, it's up to the clients to locate resources. The DNS Stub zone just provides a referral. • DNS Conditional Forwarder - More useful if there is good communication. Requires you to know what the other domain's DNS server is, and if it changes, you need to change the forwarder manually. Has better performance for clients attempting to access resources, because you can cache the information on your local DNS server.

Answer 75

Also called SID Filter Quarantining * In an AD trust relationship, there is the possibility that an external trusted user may have the same SID as a user in the trusting domain, which could allow them to gain privileges and access. This could happen either maliciously or inadvertently. * To prevent this, SID filtering discards SIDs from trusted domain users that have a high likelihood of exploit in the trusting domain. * Enabled by default in Server 2012 R2 and 2016 for forest trusts.

Answer 76

User Principle Name You can add additional UPN suffixes for logging in. This could allow, for example, a login syntax similar to a user's e-mail address, or to allow logins using a parent domain name. In trust relationships, Name Suffixes are configured to be routed across the trust, but can be disabled individually as needed.

Answer 77

Just for replication purposes, across poor connections. It was created during a time that site-to-site throughput was not always very good. You used to need to configure a "cost" for each site-to-site connection, to control how replication flowed. Nowadays, there is not generally much problem in site-to-site connections, and additionally, the KCC is very good at automatically configuring DC-to-DC replication topology. You just need to configure the site's name and subnet.

Answer 78

Server 2012 and up.

Answer 79

You need at virtualized domain controller to start with. * Cloning employs the Generation ID schema attribute, and an XML configuration file, to support rapid DC deployment. * The cloned DC contacts the PDC Emulator Role holder, and the DCCloneConfig.xml configuration file, to provision itself as a replica of its source virtual DC. * Upon initial startup, the cloned DC generates unique metadata to distinguish itself from its source.

Answer 80

To offline domain join: * Windows 7 and later * Server 2008 R2 and later To offline domain join as DirectAccess clients: * Windows 8 and later * Server 2012 and later The target domain controller: * Server 2008 R2 and later * Earlier versions are also supported, but you must include the /downlevel option with Djoin

Answer 81

Managed Service Account * Also referred to as a Standalone Managed Service Account, to distinguish from Group Managed Service Account. * A special-purpose service account that lets Active Directory control password changes for the service identity, and makes it easier to register Kerberos service principal names (SPNs) in Active Directory. * A single MSA cannot be used on multiple servers.

Answer 82

Group Managed Service Account * Like an MSA, however, the same gMSA account can be used on multiple servers. * The domain handles password creation and maintenance, including synchronization, through Key Distribution Services (KDS). * Thus, it requires installing KDC / creating a KDS root key before creating a gMSA account.

Answer 83

* You can only install a DC using IFM if it is running the same OS version as the source of the installation media. * The source and destination DCs can be either 32-bit or 64-bit, mixed or matched, it doesn't matter, as long as they are the same OS version. * You can use an RODC to create installation media for other RODCs, but not for full DCs. Only a full DC can create media for a full DC.

Answer 84

A default Security Group in AD Members have privileges to create, manage, and delete OUs, users, and groups.

Answer 85

A part of AD Replication, bridgehead servers are domain controllers that have been configured to manage replication between sites if there is a site link defined. They are configured automatically when a site link is defined, but the selection of DCs to be bridgeheads can be reconfigured.

Answer 86

* Used for AD Replication between domain controllers in different sites. * Each site link has a "cost" associated to it, making one more preferable than another * The site link includes replication schedules and protocols used

Answer 87

Restore-ADObject

Answer 88

Used to create a Managed Service Account, or a Group Managed Service Account. Maybe others.

Answer 89

* Changing user passwords, and requiring the user to change it on next login * Resetting connection to domain

Answer 90

A standalone managed service account will isolate domain accounts in crucial applications. Pros: * You can create a class of domain accounts for services on local computers * The network passwords for these accounts are automatically reset, unlike domain accounts * There is no need to manually administer the SPN * Administrative tasks for these accounts can be delegated to non-administrators Cons: * They cannot be shared between multiple computers, or in server clusters where a service is replicated across nodes. * Not supported for scheduled tasks, Exchange, SQL

Answer 91

Provides the same benefits of a Standalone Managed Service Account, but extends the functionality over multiple servers. So, they can be used for services that run on a server farm, or systems using NLB. The passwords for gMSAs are created and managed through Key Distribution Service (KDS) (kdssvc.dll), so you will need to install and KDS Root Key before you can create your first gMSA.

Answer 92

A Shadow Group is a global security group that is logically mapped to an OU. This could be used, for example, to enforce a PSO for an entire OU, since OUs can't be selected directly whereas groups can.

Answer 93

Yes, an admin can make changes, but it will be reverted at the next replication from a read-write DC.

Answer 94

* The DC's site configuration in AD does not change automatically when physically connected to the new location. * Nor does it change automatically when the IP Address and subnet are changed to fit the new location. * Also, ensure that the DC is not the Preferred Bridgehead Server in its existing site prior to moving it.

Answer 95

Distinguished Name The DN of an AD entry/object is the fully qualified path of names that trace the entry back to the root of the tree. So, it starts with the CN (common name) of the object, followed by the names of container objects and domains. An example DN: cn=John Doe,ou=SalesUsers,dc=company,DC=pri

Answer 96

Relative Distinguished Name A partial path to an entry relative to another entry in the tree. (Essentially, a partial DN)

Answer 97

A legacy attribute of AD objects, used to support previous versions of Windows, prior to Windows 2000. Every SAM account name must be unique in the domain (because there is no hierarchy in the name that includes OUs, etc.) When viewing an object an ADUC, the attribute will be labeled "User logon name (pre-Windows 2000)"

Answer 98

Get-ADObject -IncludeDeletedObjects

Answer 99

* When an object in AD is deleted, it is marked as deleted but is not physically removed for the "tombstone lifetime," which is 180 days by default. * All linked attributes are physically removed, and non-linked attributes are cleared. * To object is invisible to most AD processes. * Tombstone recovery, aka Tombstone reanimation, restores the object, but it does not recover its attributes.

Answer 100

The only group type supported for use with PSOs is: Global Security

Answer 101

Move-ADDirectoryServer

Answer 102

By creating two one-way external trusts. | External trusts can only be created as one-way trusts.

Answer 103

For setting a user's password, if you do not specify -Reset, then you must provide both the old password and the new password. When you specify -Reset, you only need to enter the new password.

Answer 104

* This is the first command in migrating SYSVOL replication from FRS to DFS Replication. * It is run on the domain PDC emulator. * It places DCs in the Prepared state. * From here, you can still roll back to FRS, because you have not yet migrated.

Answer 105

* This is the second command in migrating SYSVOL replication from FRS to DFS Replication. * It is run on the domain PDC emulator. * It switches DCs to the Redirected state, wherein they begin using DFS replication. * From here, you can still roll back to FRS.

Answer 106

* This is the final command in migrating SYSVOL replication from FRS to DFS Replication. * It is run on the domain PDC emulator. * It configured the Eliminated state and removes all support for FRS replciation. * From here, you can NOT roll back to using FRS.

Active Directory Domain Services Flashcards

Install, Configure, Manage, and Maintain Activity Directory Domain Services