
Windows Server 2008 & 2008 R2

Install Manage and Master OS

What is DNS?
The Domain Name System (DNS) is a hierarchical, distributed database that maps
logical host names to IP addresses
What does a DNS server hold?
A DNS server holds a database of hostnames and their corresponding IP addresses.
Clients query the DNS server to get the IP address of a given host.
What was used before DNS?
A hosts file saved on each host computer.

What makes up the DNS hierarchy?
The DNS hierarchy is made up of the following components:
- . (dot) domain (also called the root domain)
- Top Level Domains (TLDs) (.com, .edu, .gov)
- Second-level and additional domains
- Hosts

What is a FQDN?
Fully Qualified Domain Name - includes the host name and the name of all domains
back to root.

What makes DNS a distributed database?
DNS is a distributed database because no one server holds all of the DNS
information. Instead, multiple servers hold portions of the data.

What is a zone?
Zones typically contain one or more domains, although additional servers might hold
information for child domains.

What do DNS servers do?
DNS servers hold zone files and process name resolution requests from client
systems.

What is a DNS forward lookup?
A forward lookup uses the host name (or the FQDN) to find the IP address

What is a DNS reverse lookup?
A reverse lookup uses the IP address to find the host name (or FQDN).

What is an A record?
The A record maps a host name to an IP address and is used for forward lookups.

What is a PTR record?
The PTR record maps an IP address to a host name and is used for reverse lookups.

What is a CNAME record?
The CNAME record provides an alternate name (an alias) for a host.

What is a SRV record?
The SRV record identifies a service, such as an Active Directory domain controller.

How are DNS records created?
Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts
automatically register and update their corresponding records with the DNS server.

What is the process followed when a client computer needs to find an IP address?
- The client examines its HOSTS file for the IP address.
- If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
- If the IP address is not in the cache, the client sends the request to a DNS server.

What is the process when a DNS server receives a name resolution request?
1) The DNS server examines its local DNS cache for the IP address
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or Recursion
5) After the information is found or received from another server, the DNS server returns the result to
the client, and places the information in its server cache.

What is an authoritative DNS server?
A DNS server that has a full, complete copy of all the records for a particular zone.

What is DNS Forwarding?
Where the DNS server forwards the name resolution request to another DNS server,
then waits for a response from that server

What is DNS Recursion?
Where the DNS server queries root domain servers, top-level domain server and
other DNS servers in an iterative manner until it finds the one that hosts the target domain.

What is a caching-only DNS server?
A caching-only DNS server has no zone information; it is not authoritative for any
domains. It uses information in its server cache, or forwarding or recursion, to respond to client
queries.

Who can install DNS in Server 2008?
Members of the Domain Admins group

Which versions of Server 2008 can have DNS installed on them?
You can install DNS on any version of Windows Server 2008 except for the Windows
Server 2008 Web Server edition.

What type of IP address must the DNS server have?
Static

How would you add the DNS role from a command prompt (or on a Server Core installation)?
start /w ocsetup DNS-Server-Core-Role

What command will give a list of installed services on a server?
Run the oclist command to get a list of services (including DNS) installed on a server.

What can be used to manage DNS on Server 2008?
Use the DNS snap-in or the dnscmd command to manage DNS.

What is a primary DNS zone?
The master copy of a zone database.

What are the properties of a primary zone?
- The primary zone is the only writeable copy of the zone database.
- Changes to the zone can only be made to the primary zone.
- The server that holds the primary zone is called a primary server.
- Each zone can have only a single primary zone server.
- Zone data is stored in a text file.

What is a secondary DNS zone?
A secondary zone is a read-only copy of the zone database.

What are the properties of a secondary DNS zone?
- Changes cannot be made to the records in a secondary zone.
- A server that holds a secondary zone is called a secondary server.
- Secondary servers copy zone data from other servers through a process called zone transfer.
- Secondary servers can copy zone data from the primary server or other secondary servers.
- Zone data is stored in a text file.

What is an Active Directory-integrated DNS zone?
An Active Directory-integrated zone holds zone data in Active Directory instead of a
text file.

What are the properties of an Active Directory-integrated DNS zone?
- Active Directory-integrated zones are multi-master zones, meaning that changes to
the zone information can be made by multiple servers. Multiple servers hold read-write copies of the
zone data.
- Only DNS servers that are domain controllers can host Active Directory-integrated zones.
- Storing zone data in Active Directory provides automatic replication, fault tolerance, and distributed
administration of DNS data.
- Replication of zone data occurs during Active Directory replication and is secured by Kerberos.

What is a stub zone?
A stub zone is a zone with only a partial copy of the zone database.

What are the properties of a stub zone?
- The stub zone only contains information about the name servers that are
authoritative for the zone; it does not contain information for other hosts.
- A stub zone is not authoritative for the zone; its purpose is to identify the name servers that can be
contacted for full zone information.
- The stub zone is dynamic, meaning that it will keep the list of name servers for the zone updated
automatically.
- Use a stub zone to forward name requests based on zones while keeping name server lists updated
automatically.

What is the GlobalNames DNS zone?
The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution.
- When users enter a single-label name, the client computer first tries to resolve the name using DNS and the search suffix configuration. If that process fails, the GlobalNames zone is checked (if it exists).
- For example, to contact a server named web1 (whose full name includes the domain), users could simply enter the single-label name web1.
- Use the GlobalNames zone to replace WINS servers on your network only when you have a small number of hosts that do not support DNS. For a large number of NetBIOS-only hosts, or to support dynamic registration of single-label names, continue to use a WINS server.

What is a GlobalNames DNS zone used for?
- Allow clients to use simple host names without domain information for name resolution.
- Allow DNS clients to contact NetBIOS-only hosts without the need for a WINS server.
- Allow IPv6-only hosts to contact NetBIOS hosts (IPv6 does not support the use of WINS).

What are the features of a GlobalNames zone?
- You must manually create each record in the GlobalNames zone.
- Dynamic updates are not supported on the GlobalNames zone.
- Using the GlobalNames zone does not require any changes to client machines.

Which types of zone support dynamic updates?
Primary and Active Directory-integrated zones support dynamic updates. Use an Active Directory-integrated zone to use secure dynamic updates.

How many servers can hold the primary zone file?
Only one server can hold the primary zone file. To place zone data on multiple servers, configure secondary servers.

What is a forward lookup DNS zone?
A forward lookup zone provides hostname-to-IP address resolution. Clients query the DNS server with the hostname, and receive the IP address in return.

What is a reverse lookup DNS zone?
A reverse lookup zone provides IP address-to-hostname resolution. Clients query the DNS server with the IP address, and receive the hostname in return.

Where does Windows store standard zone data?
Windows stores standard zone data in the %windir%\System32\Dns directory. The file is a text file with .dns added to the zone name.

What types of record does a reverse lookup zone hold?
Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP address to an A record.

What type of zones can a reverse lookup zone be?
A reverse lookup zone can be a primary zone, a secondary zone, or an Active Directory-integrated zone.

What is the SOA (Start of Authority) record?
The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone. The SOA record includes parameters such as the authoritative server and the zone file serial number. There is only one SOA record, and it is assigned to the DNS server hosting the primary copy of a zone.

What is an NS (Name Server) record?
The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone (all authoritative DNS servers).

What is an A (Host Address) record?
The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the most common resource record type.

What is an AAAA (Quad A) record?
The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address.

What is a CNAME record?
The CNAME record provides alternate names (or aliases) to hosts that already have a host record. Using a single A record with multiple CNAME records means that when the IP address changes, only the one A record needs to be modified.

What is a DNAME record?
The DNAME record provides alternate names (or aliases) to domains that already have a host record.

What is an MX (Mail Exchanger) record?
The MX record identifies servers that can be used to deliver e-mail.

What is a SRV (Service Locator) record?
The SRV record is used by Windows Server 2008 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically creates these records as needed and during domain controller installation.

What is a PTR (Pointer) record?
In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. "points" to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.

What are WINS and WINS-R records?
Add these records to a zone when you want to allow DNS to use WINS resolution. The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse query that is not resolvable through DNS.

How can DNS records be automatically created on a DNS server?
By using Dynamic DNS. Dynamic DNS is required to support Active Directory.

Which Windows clients support DDNS?
Windows clients (2000 and above) create their A records with the DNS server. Windows 9x/Me/NT clients do not support dynamic DNS.

How does the DHCP server tie in with DDNS?
The DHCP server registers the PTR record with the DNS server for clients capable of dynamic updates. The DHCP server updates both the A and PTR records for clients that do not support dynamic updates.

When do dynamic updates occur?
- The client boots.
- A network connection's IP address is added, deleted, or changed.
- The DHCP server changes or renews an IP address lease.
- The client's DNS information is manually changed using ipconfig /registerdns.
- A server is promoted to a domain controller.

Are dynamic updates enabled by default on a primary zone?
Dynamic updates are not enabled on primary zones. You can enable dynamic updates when you create the zone or modify the zone properties later to enable this feature.

Are dynamic updates enabled by default on an Active Directory-integrated zone?
Dynamic updates are enabled on Active Directory-integrated zones. Note: When you convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is retained.

What are secure dynamic updates?
With secure dynamic updates, only domain members can create records, and only the original client can modify or remove records.

Are zone transfers enabled in Server 2008 by default?
By default, zone transfer in Windows Server 2008 is disabled for security reasons. To use zone transfers, manually enable the feature in the DNS settings in Server Manager.

How can you restrict the servers to which zone transfers are allowed?
- Allow zone transfers only to servers that are listed as name servers.
- Allow zone transfers only to servers you specifically identify.

What are the two types of zone transfer?
Zone transfers can copy all records or only changed records:
- A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
- A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default method on Windows Server 2008.

What is used to keep track of changes to a DNS zone?
The zone serial number keeps track of changes to the zone. When you make changes to the zone, the serial number is incremented.

What is a DNS master server?
A master server is the server from which the secondary copies the zone data. The master server can be the primary server or another secondary server.

How does a secondary server initiate a zone transfer?
- The secondary server contacts the master server and compares the serial number on the master with the serial number in its copy.
- If the serial number on the master is greater, the secondary initiates zone transfer.
- If the serial number is the same (or lower) on the master, no zone transfer takes place.

What is DNS notify?
Windows DNS servers support the use of DNS Notify. With DNS Notify, master servers are configured with a list of slave DNS servers.

How does DNS notify work?
- When a change takes place, the master notifies the slave servers that the zone has changed.
- The secondary server then initiates zone transfer, first checking the serial number, then requesting changes.

How does an Active Directory-integrated zone store DNS information?
An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when Active Directory replicates.

How can you secure zone transfers to secondary servers?
Active Directory replication traffic is automatically secured. To secure zone transfers to secondary servers, use IPsec between servers.

What is a DNS caching server?
A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers.

How can you force an update of DNS zone data?
You can force an update of zone data through the DNS console or by using the Dnscmd command.

How would you delegate control of an AD OU to a user?
- Right-click on the OU
- Delegate Control
- Choose User
- Choose the appropriate option
- Finish

What is an OU?
An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.

What are the different types of OU?
Parent OUs are OUs that contain other OUs. Child OUs are OUs within other OUs.

o  o What setting should be set at creation to prevent an AD OU being accidentally deleted? o o  o o o  o o o  o o When you create an organizational unit. select the Protect object from accidental deletion check box. Other types of objects do not have this default setting and must be manually configured. such as resetting passwords or creating new users.You can delegate control of any part of an OU or object at any level with the Delegation of Control Wizard or through the Authorization Manager console. leave the Protect container from accidental deletion check box selected. For example. What is delegation of authority? Delegating authority is the assignment of administrative tasks.An object-based design allows you to delegate control based on the types of objects in each OU. (This option is only seen with Advanced Features selected from the View menu. to appropriate users and groups. . settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs. you can delegate control over specific object types (such as user objects).A task-based design allows you to delegate control based on the types of administrative tasks that need to be done o  o What is the Builtin Default Container? . first clear the Protect container from accidental deletion setting.o  o o o  o o o  o o What organisational structures can you not apply GPO's to? Generic Containers What is group policy inheritance? Through inheritance.) . How can you prevent objects from accidental deletion in AD? . .On the Security tab. Describe some of the facts about delegating control : . then delete the object.On the Object tab. select the Deny Delete All Child Objects advanced permission for Everyone. How would you delete an AD object that is protected from deletion? To delete on abject that is protected. This is the default.

What is the System default container? The System container holds configuration information about the domain including security groups and permissions. Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks. new objects are placed in the LostAndFound container. It is the default location for new computer accounts created in the domain. the domain SYSVOL share. These groups are pre-assigned permissions needed to perform domain management tasks. What is special about AD containers? They are automatically created and cannot be deleted . the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated.o o  o o o  o o o  o o o  o o o  o o o  o o o  o o o  o o The Builtin container holds default service administrator accounts and domain local security groups. What is the Users default container? The Users container holds additional predefined user and group accounts (besides those in the Builtin container). What is the Computers default container? The Computers container holds all computers joined to the domain without a computer account. Because of Active Directory replication. This container is empty until a program designed to store information in Active Directory uses it. What is the Domain Controllers detault container? The Domain Controllers OU is the default location for the computer accounts for domain controllers. What is the Program Data default container? The Program Data container holds application-specific data created by other programs. What is the NTDS Quotas default container? The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own. What is the LostAndFound default container? The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. and IP security policies. 
DFS configuration information. During replication.

What is special about the Domain Controllers OU?
It is the only default OU, and it can have a GPO applied, whereas the other default containers cannot have a GPO applied.

How would you view hidden containers in AD Users and Computers?
Click Advanced Features from the View menu.

Which containers are hidden by default in AD Users and Computers?
- LostAndFound
- NTDS Quotas
- Program Data
- System

What is special about AD containers and how do they differ from OUs?
They are automatically created and cannot have GPOs applied to them.

What are the two types of user account?
Local and Domain

What is a local user account?
A local user account is created and stored on a local system and is not distributed to any other system.
- The local Security Accounts Manager (SAM) manages the user account information.
- Only local resources are accessible with local user accounts.
- Local user accounts are created with the Computer Management console.

What is the SAM database?
A local database that allows users to access local resources on the machine.

What is a domain user account?
A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.

How can domain user accounts be created?
Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell.

What is unique to each domain user account?
Each domain user account has a unique security identifier (SID) to identify the user.

How can external users with email accounts be represented in AD?
External users which need an e-mail account can be represented through a contact object.

What is a contact object?
An account that does not have any security permissions. Use contacts to add information about individuals, such as e-mail or phone number, to Active Directory. Users represented as contact objects cannot log on to the domain. However, applications, such as Exchange, can search for attributes of contact objects.

What is the user or logon name?
The user or logon name is the name of the user account.

What is the user principal name (UPN)?
The User Principal Name (UPN) combines the user account name with the DNS domain name.
- The DNS domain name in the UPN is known as the UPN suffix.
- By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name.
- The UPN format is also known as the SMTP address format.

What is the LDAP Distinguished Name (DN)?
The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes: Domain Component (DC), Organizational Unit (OU), and Common Name (CN).

What is the Relative Distinguished Name (RDN)?
The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object's container.

When would you use the "User cannot change password" option?
When you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account.

How would you unlock an account?
To unlock an account, go to the Account tab in the account object's Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account.

What should you do if a user account is accidentally deleted?
Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.

How would you add a User Principal Name (UPN) suffix to a forest?
1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.

What is a computer account?
A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device.

Where is the computer account created when you join a workstation to the domain?
In the Computers built-in container.

How would you control where computer accounts are placed when a computer joins the domain?
Create the computer account ahead of time (pre-stage it).

How would you prestage a computer account?
From Active Directory Users and Computers, create a computer account. From the workstation, join the domain. The workstation will be associated with the computer account you created previously. This process is called prestaging computer accounts.

Which groups have permissions to create a computer account?
- Domain Admins
- Enterprise Admins
- Account Operators

How many computers are the Authenticated Users group members allowed to join to the domain (from a workstation)?
10. This ability comes from the Add workstations to a domain user right.

How would you give other users permissions to create computer accounts in AD?
By giving them the Create Computer Objects right over the Active Directory OU. Note: You must grant this right to the domain or specific OUs. This permission does not have a limit on the number of accounts that can be created.

How would you allow a specific user to join a specific computer to the domain?
You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.

Will a computer receive group policy settings once the computer account is created?
No, the computer must be joined to the domain before it receives any GPO settings or AD receives any workstation-specific information.

What commands can be used to create computer accounts from a command prompt or script?
dsadd or netdom. (Use netdom join to join a computer to the domain; this will also create the computer account automatically if it doesn't already exist.)

What establishes a secure channel between a computer and the domain controller?
The computer password (automatically generated when the computer joins the domain).

Where is the computer account password saved?
On the local computer and in AD. By default, it is changed every 30 days.

What might cause a computer to fail to authenticate to the domain?
If the two computer passwords (on the local machine and in AD) become unsynchronised. This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.

How would you reset the computer account after a logon failure?
- In Active Directory Users and Computers, right-click the computer account and select Reset Account.
- Run the netdom reset command followed by the computer account name and the domain.
- Create a script in Visual Basic.
After resetting the computer account, you must rejoin the computer to the domain.

What is a local group?
Local groups exist only on the local computer, and control access to local resources.

What is a domain group?
Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.

What is group scope?
Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following questions cover the different security group scopes and their membership and use.

What membership can a global group have?
Global groups can contain members within the same domain. These include:
- Users and computers within the same domain.
- Global groups in the same domain (in native mode only).

What resources can global groups permission?
Global groups can be assigned permissions to resources anywhere in the forest.

What should a global group be used for?
Use global groups to group users and computers within the domain who have similar access needs. Create global groups to organize users (e.g., Sales or Development).

What membership can a domain local group have?
Domain local groups can contain members from any domain in the forest. These include:
- Users and computers within the forest.
- Global groups within the forest.
- Universal groups within the forest (in native mode only).
- Domain local groups in the same domain (in native mode only).

What resources can domain local groups permission?
Domain local groups can be assigned permissions within a domain.

What should domain local groups be used for?
Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.

What membership can a universal group have?
Universal groups can contain members from any domain in the forest. These include:
- Users and computers within the forest.
- Global groups within the forest.
- Universal groups within the forest.

What resources can universal groups permission?
Universal groups can be assigned permissions to resources anywhere in the forest.

What should universal groups be used for?
Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.

Which type of AD group should be used for assigning permissions?
Security

What is a security group?
A security group is one that can be used to manage rights and permissions.
- A security group represents an object with a security identifier (SID), which, through the member attribute, collects other objects, such as users, computers, contacts, and other groups.
- Group members get the permissions that are granted to the group.

What is a distribution group?
A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.

What happens if you convert a security group to a distribution group?
This would remove the permissions assigned to the group. This could prevent or allow unwanted access.

How would you convert a global group to a domain local group?
First convert to a universal group, then to a domain local.

Can you convert a global group nested in another global group into a universal group?
No, a universal group cannot be a member of a global group.

Can you make a universal group a member of a global group?
No

What happens when a group is deleted?
All information about the group, including any permissions assigned, is deleted.

How can you recover a deleted group?
- Restore the group from a recent backup.
- Re-create the group, add all the original group members, and reassign any permissions granted to the group.

What directory format does Active Directory use?
X500

What do AD tree structures share?
The same contiguous name space

What is an RODC?
A Read Only Domain Controller

Do different forests share the same name space?
No.

What is NTDS.dit?
The AD database.

What is a domain?
A domain is an administratively-defined collection of network resources that share a common directory database and security policies.

What is an AD object attribute?
Information about the object (such as a user's name, phone number, and email address) which is used for locating and securing resources.

What is an AD forest?
A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.

What is the forest root domain?
The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest.

What is an AD tree?
A tree is a group of related domains that share the same contiguous DNS name space.

Name the OU structure.
First-level OUs can be called parents; second-level OUs can be called children. OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).

What does the object schema identify?
The schema identifies the object classes (the types of objects) that exist in the tree and the attributes (properties) of each object.

What does AD use DNS for?
Active Directory uses DNS for locating and naming objects.

What is the tree root domain?
The tree root domain is the highest-level domain in a tree.

What is a child domain?
Each domain in the tree that is connected to the tree root domain is called a child domain.

What is a domain tree?
A domain tree is a group of domains based on the same name space. Domains in a tree:
- Share a common schema.
- Have common global catalogs.
- Are connected with a two-way transitive trust.

What is a domain controller?
A domain controller is a server that holds a writable copy of the Active Directory database.

What is replication?
Replication is the process of copying changes to Active Directory between the domain controllers.

What manages AD replication between locations?
Sites and subnets are used to manage Active Directory replication between locations.

What two objects does AD use to represent the physical structure of the network?
- A site represents a group of well-connected networks (networks that are connected with high-speed links).
- A subnet represents a physical network segment. Each subnet possesses its own unique network address space.

How does an AD site differ from a domain?
A site represents the physical structure of your network, while a domain represents the logical structure of your organization.

How are clients assigned to AD sites?
Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask.

How are domain controllers assigned to AD sites?
Domain controllers are assigned to sites according to the location of their associated server object in Active Directory.

What is the structure of the NTDS.dit file?
- The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.
- The link table contains data that represents linked attributes, which contain values that refer to other objects in Active Directory.
- The security descriptor (SD) table contains data that represents inherited security descriptors for each object.

What does the Global Catalog server do?
It is responsible for replicating a subset of attributes of every object throughout Active Directory.

What are FSMO roles and what do they do?
Flexible Single-Master Operation roles are specialized domain controller tasks assigned to a domain controller in the domain or forest. Operations master roles are useful because certain domain-wide and enterprise-wide operations are not well suited to the multi-master replication that Active Directory performs to replicate objects and attributes.

What are the FSMO roles?
- Schema Master
- Domain Naming Master
- RID Master (Relative Identifier)
- PDC Emulator
- Infrastructure Master

What does the Schema Master do?
Maintains the schema (the definitions of all the different object types and their attributes).

What does the RID Master do?
The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controllers when creating new security principals (such as user, group, or computer accounts).

A server that holds a copy of the Global Catalog is a global catalog server.

What does the PDC Emulator do?
The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers (e.g. time services).

What does the Infrastructure Master do?
It keeps the references from objects in its domain to objects in other domains up to date, updating them when the referenced objects are changed.

What does the Domain Naming Master do?
The domain naming master adds new domains to and removes existing domains from the forest.

Which level do the Schema and Domain Naming Master roles operate at?
The forest level.

What level do the RID, PDC Emulator and Infrastructure Master roles operate at?
The domain level.

What is the Global Catalog?
The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced.

What is an Operations Master?
A domain controller that performs an operations master role is known as an operations master or operations master role owner.

What is a functional level?
A functional level is a set of operational constraints that determines the functions that can be performed by an Active Directory domain or forest.

What does a functional level define?
- Which Active Directory Domain Services (AD DS) features are available to the domain or forest.
- Which Windows Server operating systems can be run on domain controllers in the domain or forest.
Functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

Which domain functional levels does Server 2008 support?
- Windows 2000 Native
- Windows Server 2003
- Windows Server 2008

Which forest functional levels does Server 2008 support?
- Windows 2000
- Windows Server 2003
- Windows Server 2008

What is a group policy?
A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.

What are the new services in AD 2008?
- AD Certificate Services
- AD Domain Services
- AD Federation Services
- AD Lightweight Directory Services
- AD Rights Management Services

What is an AD role?
A role is a set of software features that provides a specific server function. You can think of a role as a group of programs. Examples of roles include DNS server, DHCP server, File Server, and Print Server.

What is an AD role service?
Role services are specific programs that provide the functions of a role, with each role service being a sub-component of the role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services, such as the LPD Service for Unix printing and Internet Printing.

What is an AD feature?
A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support.

What is Active Directory Domain Services (AD DS)?
AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:
- Helps administrators securely manage information.
- Facilitates resource sharing and collaboration between users.
- Is required to be installed on the network to install directory-enabled applications such as Microsoft Exchange Server and to apply other Windows Server technologies, such as Group Policy.

What is Active Directory Certificate Services (AD CS)?
AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. The AD CS role:
- Provides customizable services for creating and managing public key certificates.
- Enhances security by binding the identity of a person, device, or service to a corresponding private key.
- Includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

What is Active Directory Federation Services (AD FS)?
AD FS is a feature which enables secure access to web applications outside of a user's home domain or forest. The AD FS role:
- Securely federates (shares) user identities and access rights in the form of digital claims between partner organizations.
- Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account.

What is Active Directory Lightweight Directory Services (AD LDS)?
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database.

What is Active Directory Rights Management Services (AD RMS)?
AD RMS is a feature which safeguards digital information from unauthorized use. The AD RMS role:
- Can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions.
- Allows organizations to create custom usage rights templates (such as "Confidential - Read Only") that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data.

What methods can you use to manage a Server 2008 core system?
- Log on and use the command prompt.
- Log on using Remote Desktop to gain access to the command prompt.
- Use Windows Remote Shell (winrm).
- Run Server Manager or another tool on another computer and connect to the server core system. This method allows you to use a GUI for managing the server core system.

How would you add server roles to a Server 2008 core system?
Run start /w ocsetup <RoleName> to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive.

Which server roles can Server 2008 core run?
- Active Directory Domain Services
- Active Directory Lightweight Directory Services (AD LDS)
- Dynamic Host Configuration Protocol (DHCP) Server
- DNS Server
- File Server
- Print Server
- Media Services
- Web Server (IIS)

What are the limitations of Server 2008 core?
- There is no Windows Shell.
- There is no managed code support (no .NET Framework); all code has to be native Windows API code.
- MSI packages can only be installed in unattended (quiet) mode.

Name some things that AD Certificate Services supports.
- Digital signatures
- Encrypting File System (EFS)
- Internet Protocol security (IPsec)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Secure Socket Layer/Transport Layer Security (SSL/TLS)
- Secure wireless networks
- Smart card logon
- Virtual Private Networks (VPN)

What AD roles are not supported on Server 2008 Standard?
AD FS requires the Enterprise or Datacenter edition for deployment.

How would you see a list of roles, role services and features that can be installed on Server 2008 core?
Run the oclist command.

Cards

What are the building blocks of Active Directory?
Domains, trees, forests, and organizational units.

How is the physical location of objects in AD represented?
By sites (all objects in a given site).

What is a domain?
A logical grouping of computers that share a database and security policy.

What is a tree in AD?
A parent domain with child domains whose names reflect the name of the parent domain.

How are domains in a tree linked?
By two-way transitive trust relationships (they can access each other's information).

What is a forest in AD?
A group of domain trees that do not share a contiguous name space.

What is the forest root domain?
The first domain created when you create the AD structure.

What is an OU (organizational unit)?
A logical subgroup within a domain, used to represent a single workgroup, section, or department.

What is a site in AD?
Sites group resources in a forest according to the location of their subnets.

Why does AD use sites?
To control replication of data in the AD database, to apply policies to users and domains, and to delegate administrative control over objects in a single physical location.

What else do sites enable?
They enable users to be authenticated by a domain controller in the same physical location.

What is a domain controller?
Domain controllers authenticate users logging onto their domain and serve as the centers from which AD is administered in Windows Server 2008.

What does a domain controller store?
A complete copy of all objects within its domain, the schema, and the configuration information relevant to the forest in which the domain is located. (All domain controllers hold a master copy of the AD database; replication is multi-master.)

What is the global catalog?
It enables a domain in a forest to access resources in any domain in that particular forest.

What does the Global Catalog provide?
Information on universal group membership for any domain in the forest, and the ability for users to log on to a domain other than their own using the UPN.

What is the UPN?
The UPN (User Principal Name) is a user name in the format of an e-mail address.

What is FSMO?
Flexible Single-Master Operations servers.

What are the FSMOs?
1. Schema master
2. Domain naming master
3. PDC emulator (Primary Domain Controller emulator)
4. Infrastructure master
5. RID master (Relative Identifier master), which makes sure no two objects have the same RID

How is a SID different from a RID?
A SID (security identifier) has a domain part that is common to every object in the domain; the RID (relative identifier) is the final part of the SID and is unique to each object within the domain.

What is an RODC and how does it function?
1. Read-Only Domain Controller.
2. Holds a read-only copy of the AD database.
3. Very useful for branch office deployments and for high-security, restricted domain controllers.

What is a server role?
A specific function that a server performs on the network.

What is a feature?
An optional component that adds a certain capability, e.g. .NET Framework 3.0 or BitLocker Drive Encryption.

How do you add features to a role?
1. Initial Configuration Tasks
2. Server Manager
3. Command line

What is the server core and what is its function?
A stripped-down version of Server 2008 without a GUI.

Why use a server core?
1. It needs less hardware and memory.
2. It is more secure because it presents a smaller attack footprint.

What is the GUI?
1. Graphical User Interface.
2. A GUI lets you interact with your computer using pictures and symbols.

How do you get to the Server Manager command line?
Start > Run > CMD, then run ServerManagerCmd.exe.

What is AD CS?
1. Active Directory Certificate Services.
2. Customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.

Server Manager MMC (Microsoft Management Console)
1. Adds roles, role services, and server features.
2. Views, manages, and modifies the configuration of installed roles and features.
3. Can be opened by running servermanager.msc from Run, or from the taskbar or Start menu (compmgmt.msc opens Computer Management, a different console).

Schema
The schema is an Active Directory component that defines all the objects and attributes that the directory service uses to store data. You can think of it as a set of blueprints for each of the objects, and it includes a list of properties that can be used to describe the objects. For example, the schema definition for a user object is used to create a user object.

Global Catalog
The Global Catalog is a listing of all objects in the entire forest. It is hosted on the domain controllers that are designated as Global Catalog servers. It is searchable and is used by different applications to search AD Domain Services for specific objects. There is only one Global Catalog per forest. Note: to prevent it from becoming too large, the properties stored for each object are limited to a subset. Example: users may have 100 properties but only 10 are included.

Objects
Objects are real-world items in Active Directory such as computers, users, printers, and groups. These objects can be managed with AD DS (Active Directory Domain Services). All objects have properties that can be configured.

LDAP (Lightweight Directory Access Protocol)
Active Directory uses LDAP to uniquely identify each object within the directory by its DN (Distinguished Name). Note: within a DN, CN is the Common Name and DC is the Domain Component.

Operations master roles
The five operations master roles are assigned automatically when the first domain controller in a given domain is created.
Forest-wide operations master roles must appear only once in every forest. Every forest must have the following roles:
- Schema master
- Domain naming master
Domain-wide operations master roles must appear once in every domain in the forest. Every domain in the forest must have the following roles:
- Relative ID (RID) master
- Primary domain controller (PDC) emulator master
- Infrastructure master

Schema master
One of the five operations master roles (forest-wide). The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one in the entire forest.

Domain naming master
One of the five operations master roles (forest-wide). The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one in the entire forest.

Relative ID (RID) master
One of the five operations master roles (domain-wide). At any time, there can be only one domain controller acting as the RID master in each domain in the forest. The RID master allocates sequences of relative IDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.

PDC emulator operations master
One of the five operations master roles (domain-wide). At any time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest. The PDC emulator master processes password changes from client computers and replicates these updates to all domain controllers throughout the domain. The domain controller configured with the PDC emulator master role supports two authentication protocols: the Kerberos V5 protocol and the NTLM protocol. Note: PDC = Primary Domain Controller.

Infrastructure master
One of the five operations master roles (domain-wide). At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. It compares its data with that of a global catalog; if it finds data that is out of date, it requests the updated data from a global catalog and then replicates that updated data to the other domain controllers in the domain. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data is always up to date. The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed.

OU (Organizational unit)
OUs are used to organize objects within Active Directory; you can think of an OU simply as a container for the objects within AD. You can delegate permissions to an OU and you can link Group Policy to an OU.

Distribution group and Security group
Active Directory has two basic group types: distribution groups and security groups.

Distribution group
One of two AD basic group types. A distribution group is used to group a number of objects together that will be addressed collectively. A mail server can present the distribution group to users as an e-mail destination.
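The SID/RID cards (the "How is a SID different from a RID?" card and the RID master card above) describe a structure that is worth seeing concretely: every account SID is the domain SID plus a RID, RIDs are handed to each domain controller in pools by the single RID master, and well-known RIDs such as 500 identify built-in principals regardless of what the account has been renamed to. The model below is an added example, not Microsoft's code; the domain SID, pool size and starting RID are assumed values for the demonstration (a real RID master hands out much larger pools).

```python
"""Model of security identifiers: domain SID + RID, RID pools issued by the RID master,
and well-known RIDs. Added illustration for the flashcards; sizes are assumptions."""
import re

# RIDs that are fixed in every domain. Renaming the account does not change its RID,
# so RID 500 always identifies the built-in Administrator account.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")   # shape of a domain SID


def split_sid(sid: str):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500): the domain part and the RID."""
    domain_sid, _, rid = sid.rpartition("-")
    if not DOMAIN_SID_RE.match(domain_sid) or not rid.isdigit():
        raise ValueError(f"not a domain account SID: {sid}")
    return domain_sid, int(rid)


def describe(sid: str):
    """Name of the well-known principal the SID refers to, or None for an ordinary account."""
    return WELL_KNOWN_RIDS.get(split_sid(sid)[1])


def same_domain(sid_a: str, sid_b: str) -> bool:
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


class RidMaster:
    """The single RID master of a domain: hands out non-overlapping RID pools."""

    def __init__(self, first_rid=1000, pool_size=500):     # assumed values for the demo
        self.next_free = first_rid
        self.pool_size = pool_size

    def allocate_pool(self):
        start = self.next_free
        self.next_free += self.pool_size
        return start, self.next_free - 1


class DomainController:
    """Creates principals from its own pool and asks the RID master for a new pool when it runs out."""

    def __init__(self, name: str, domain_sid: str, rid_master: RidMaster):
        self.name, self.domain_sid, self.rid_master = name, domain_sid, rid_master
        self.pool = None
        self.next_rid = None

    def create_principal(self) -> str:
        if self.pool is None or self.next_rid > self.pool[1]:
            self.pool = self.rid_master.allocate_pool()
            self.next_rid = self.pool[0]
        rid = self.next_rid
        self.next_rid += 1
        return f"{self.domain_sid}-{rid}"


def simulate(domain_sid="S-1-5-21-3623811015-3361044348-30300820", per_dc=3, pool_size=2):
    """Two DCs creating accounts at the same time; returns every SID issued (all must be unique)."""
    master = RidMaster(pool_size=pool_size)
    dc1 = DomainController("DC1", domain_sid, master)
    dc2 = DomainController("DC2", domain_sid, master)
    sids = []
    for _ in range(per_dc):
        sids.append(dc1.create_principal())
        sids.append(dc2.create_principal())
    return sids
```

Because the two domain controllers draw from disjoint pools, they never issue the same SID even though they never talk to each other while creating accounts; that is the property the RID master exists to guarantee. The `describe` check is the one to use when reviewing accounts: a SID ending in 500 is the built-in Administrator whatever its sAMAccountName says.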

Security group
One of two AD basic group types. A security group is used to assign permissions or rights to an object or a set of objects. This allows AD to become not only your single authentication mechanism for your network but also your authorization mechanism.

Domain local group
One of three AD basic group scopes. A domain local group is intended to be used only within the domain in which it was created. It can contain user/computer accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain.

Global group
One of three AD basic group scopes. This is the default scope when you create a group in AD. A global group can contain user/computer accounts from the domain in which the global group was created. A global group can be used by computers within the domain it belongs to and by members of other domains in the AD forest.

Universal group
One of three AD basic group scopes. A universal group is stored on domain controllers that are configured as global catalogs. This implies that the universal group is replicated to domains across the entire forest. That allows a universal group not only to be used by all computers in the forest but also to contain members from any domain within the forest. Universal groups can contain user/computer accounts, global groups, and other universal groups from any domain in the forest. Single-domain networks do not really need universal groups because there isn't much use for them.

External trust (Non-transitive)
One of four domain trusts. External trusts are domain-to-domain trusts. If you want a domain in a forest to trust a domain outside the forest (an external domain), then you build an external trust.

Shortcut trust (Transitive)
One of four domain trusts. It is a transitive trust between domains in the same domain tree or forest that shortens the trust path in a large and complex domain tree or forest. Shortcut trusts speed up authentication.

Forest trust (Transitive)
One of four domain trusts. A forest trust is a transitive trust between a forest root domain and a second forest root domain. Once it is created, every domain in the first forest trusts every domain in the second forest.

Realm trust (Non-transitive)
One of four domain trusts. Realm trusts allow trust relationships with Unix systems that use Kerberos for authentication. (What Microsoft calls domains, Unix calls realms.)

Transitive trust (Understanding Trust Transitivity)
Trust transitivity determines whether a trust can be extended outside the two domains between which the trust was formed. You can use a transitive trust to extend trust relationships with other domains. You can use a non-transitive trust to deny trust relationships with other domains. http://technet.microsoft.com/en-us/library/cc754612.aspx

Forest
In accordance with DNS naming standards, Active Directory domains are created in an inverted tree structure. When it is necessary for domains in the same organization to have different namespaces, create a separate tree for each namespace. Two or more trees with different names make a forest.
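The four trust cards above, and the card further down that says a trust grants no permissions by itself, fit together into one rule set that is easier to reason about as a graph: transitive trusts (parent-child, tree-root, shortcut, forest) can be chained, a non-transitive trust (external, realm) is usable only as the single hop between the two domains that formed it, and a forest trust, while transitive inside both forests, does not extend to a third forest. The code below is an added example, not Microsoft's, and the domain names and the small ACL are made up for the demonstration.

```python
"""Model of AD trust transitivity: which domain can authenticate accounts from which other
domain, and why a trust path alone does not grant access. Added illustration for the cards."""
from collections import deque

# Which trust kinds may be chained with other trusts.
TRANSITIVE = {
    "parent-child": True, "tree-root": True, "shortcut": True, "forest": True,
    "external": False, "realm": False,
}


class TrustGraph:
    def __init__(self):
        self.trusts = {}                     # trusting domain -> [(trusted domain, kind)]

    def add_trust(self, trusting, trusted, kind, two_way=True):
        if kind not in TRANSITIVE:
            raise ValueError(kind)
        self.trusts.setdefault(trusting, []).append((trusted, kind))
        if two_way:
            self.trusts.setdefault(trusted, []).append((trusting, kind))

    def trust_path(self, resource_domain, account_domain):
        """Chain of domains through which resource_domain trusts account_domain, or None.
        A non-transitive trust counts only as the direct hop between its two domains, and a
        path may cross at most one forest trust (forest trusts are not transitive across forests)."""
        if resource_domain == account_domain:
            return [resource_domain]
        start = (resource_domain, 0)         # (domain reached, forest trusts crossed so far)
        parents = {start: None}
        queue = deque([start])
        while queue:
            domain, forests_used = queue.popleft()
            for trusted, kind in self.trusts.get(domain, []):
                if not TRANSITIVE[kind] and (domain != resource_domain or trusted != account_domain):
                    continue                 # non-transitive: usable only as the single direct hop
                used = forests_used + (1 if kind == "forest" else 0)
                if used > 1:
                    continue                 # would extend a forest trust into a third forest
                state = (trusted, used)
                if state in parents:
                    continue
                parents[state] = (domain, forests_used)
                if trusted == account_domain:
                    return self._walk(parents, state)
                queue.append(state)
        return None

    @staticmethod
    def _walk(parents, state):
        path = []
        while state is not None:
            path.append(state[0])
            state = parents[state]
        return path[::-1]


def access_allowed(graph, resource_domain, account, acl):
    """Trust makes authentication of the foreign account possible; access still needs an ACL entry.
    `account` is written as user@domain; `acl` is the set of accounts granted on the resource."""
    account_domain = account.split("@", 1)[1]
    return graph.trust_path(resource_domain, account_domain) is not None and account in acl


def demo_graph():
    """Constructed environment: one forest with two trees, a forest trust, an external trust."""
    g = TrustGraph()
    g.add_trust("corp.com", "eu.corp.com", "parent-child")      # same tree
    g.add_trust("corp.com", "sales.net", "tree-root")           # second tree, same forest
    g.add_trust("corp.com", "partner.org", "forest")            # forest trust to another forest
    g.add_trust("partner.org", "apac.partner.org", "parent-child")
    g.add_trust("partner.org", "third.example", "forest")       # partner's own forest trust
    g.add_trust("corp.com", "legacy.local", "external")         # non-transitive external trust
    return g
```

`trust_path` answers "can users from domain X authenticate to a resource in domain Y?"; `access_allowed` adds the second half of the check, which is the point of the "True or False? A trust grants all users ... access" card: without an ACL entry the trust path changes nothing.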

NAME RESOLUTION METHODS

Domain Name System (DNS)
- Preferred method for name resolution
- Supports IPv4 and IPv6

NetBIOS name resolution
Features:
- Enabled by default
- Supports most older versions of Windows
- Supports LMHOSTS local resolution
- Can use a WINS server
Drawbacks:
- Only supports IPv4
- Uses broadcasts
- 15-character maximum name length
- Local subnet only without WINS

Link-Layer Multicast Name Resolution (LLMNR)
Operating system support:
- Windows Vista and Windows 7
- Windows Server 2008 and R2
- No support for Windows XP, Windows Server 2003 and earlier
Features:
- Multicast
- IPv4 and IPv6 name resolution
- Low overhead
- Smaller attack surface than NetBIOS
- Should be used before NetBIOS when both LLMNR and NetBIOS are available
Drawbacks:
- Works within the local subnet only
- Differences in behavior based on operating system
- Can be disabled via Group Policy
- IPv6 must be enabled
Caveat: both LLMNR and NetBIOS answer unauthenticated queries from any host on the local link, so a name that DNS cannot resolve is answered by whichever neighbour replies first. Where DNS covers every name you need, the usual hardening step is to disable both through Group Policy.

Recursion
- The client sends a recursive request to a DNS server
- The DNS server completes the query on behalf of the DNS client and sends the result back to the client
- One DNS server does most of the work

Iteration
Used by a DNS server when contacting other DNS servers:
- It receives a referral from one server and directly queries the server listed in the referral

FULLY QUALIFIED DOMAIN NAME (FQDN)
References a host:
- Hostname
- Domain name
- Top Level Domain
- Can contain subdomains

Steps 1-5 DNS Request Process
Step 1: Enter www.microsoft.com in your browser and hit enter.
Step 2: A DNS query is sent to the local resolver on the PC. The local resolver checks the local DNS cache.
Step 3: If there is no match in step 2, a query is sent to the primary DNS server, if one is configured and it is available.
Step 4: The DNS server checks to see if it can authoritatively answer the query. This means "does the DNS server have a zone configured and a resource record that answers the query?"
Step 5: If no match was found in step 4, the DNS server checks its local DNS cache.

Root Hints
- Used during recursion
- Give DNS a starting point
- Can be modified for private namespaces
- Stored in Windows\System32\DNS\Cache.dns
- Loaded when the DNS service starts

Steps 6-9 DNS Request Process
Step 6: Based on the configuration of the DNS server, a query is sent to a root server.
Step 7: The root server responds with a referral to a top-level DNS server.
Step 8: The original DNS server that the query was first sent to takes the referral and sends a request to the top-level DNS server.
Step 9: The .com DNS server sends a referral to the microsoft.com DNS server.

Steps 10-12 DNS Request Process
Step 10: Again the original DNS server takes the referral and sends a query to the microsoft.com DNS server.
Step 11: Since that DNS server is authoritative for microsoft.com, it is able to respond with the Host resource record that contains the IP address for www.microsoft.com.
Step 12: The original DNS server responds to the client query with the IP address of www.microsoft.com.

Forward and Reverse Lookup Zones
Forward Lookup
- Translates a name to an IP address
- Most commonly used zone type
Reverse Lookup
- Translates an IP address to a name
- Zone name ends with in-addr.arpa

DNS Forwarders
A DNS forwarder forwards a DNS query to another DNS server instead of using Root Hints. The request process is:
- DNS server receives the query
- DNS server checks locally hosted zones
- DNS server checks the local server cache
- DNS server forwards the query to the first DNS server listed on the Forwarders tab

Conditional Forwarders
- Forward queries for a specific domain name to specific DNS servers
- Often used to improve performance for DNS resolution of partner domain names and resources

3 DNS Zone Types
There are three DNS zone types: Primary, Secondary, and Stub.

Resource Records
Resource records are database entries used to answer queries:
- SOA (Start of Authority)
- NS (Name Server)
- A or AAAA (Host)
- PTR (Pointer)
- CNAME (Alias, Canonical Name)
- SRV (Service Locator)
- MX (Mail Exchanger)

NAT
Network Address Translation

AD Trees & Forests

You decide to create a trust relationship between Domain A and Domain B. Before you take any other actions, can users in Domain A use resources from Domain B yet?
No. A trust relationship only allows for the possibility of sharing resources between domains; it does not explicitly provide any permissions. In order to allow users to access resources in another domain, you must configure the appropriate permissions.

Plans are to deploy four Active Directory domains with the following requirements: minimize the number of servers, with enough fault tolerance to survive the complete failure of one domain controller. What is the minimum number of domain controllers to deploy initially?
8, two per domain for fault tolerance.

Need to add a field to the properties of a User object. On what servers can the change be made?
The Schema Master is the only server within Active Directory on which changes to the schema can be made.

Accidentally demoted the last domain controller of your ADTest.com domain. Want a complete undo. Possible?
Once the last domain controller in an environment has been removed, there is no way to recreate the same domain. If adequate backups had been performed, you might have been able to recover the information by rebuilding the server.

Items that depend on the DNS namespace are...
Domains, trees, forests, and DNS zones.

What are several Active Directory domains that share a contiguous namespace called?
A tree.

What server configurations can be directly promoted to become a domain controller for a new domain?
Member servers and stand-alone servers.

Server1: Schema Master; Server2: RID Master; Server3: Windows NT 4 BDC; Server4: Infrastructure Master; Server5: PDC Emulator Master. The entire environment is migrating to Windows Server 2008. Which server is not needed?
Server3, the Windows NT 4 BDC.

Implicit trusts created between domains are known as ______ transitive trusts.
Two-way.
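The twelve-step request process, root hints, forwarders and the reverse lookup zone cards above describe one algorithm, so here it is as a small working model. It is an added example, not the Windows DNS Server code: the server names, zones and addresses are a constructed namespace (192.0.2.x and 198.51.100.x are documentation ranges), a referral is modelled as "ask this server next", and a conditional forwarder is modelled as an alternative starting point for a matching name suffix. The reverse-zone helpers show how an address maps onto an in-addr.arpa owner name.

```python
"""Model of DNS resolution as described in the cards: server cache, then recursion on the
client's behalf built from iterative queries that follow referrals from the root hints to the
authoritative server. Added illustration; the namespace below is constructed."""

# Constructed namespace: each pretend server is authoritative for some zones and delegates
# others. A delegation answer is a referral naming the server to ask next.
SERVERS = {
    "root-hint":    {"auth": {}, "deleg": {"com": "tld-com"}},
    "tld-com":      {"auth": {}, "deleg": {"microsoft.com": "ns-microsoft"}},
    "ns-microsoft": {"auth": {"microsoft.com": {"www.microsoft.com": "192.0.2.10"}}, "deleg": {}},
    "ns-partner":   {"auth": {"partner.example": {"portal.partner.example": "198.51.100.7"}}, "deleg": {}},
}
ROOT_HINTS = ["root-hint"]          # starting point when no forwarder applies


def suffixes(name):
    """'www.microsoft.com' -> ['www.microsoft.com', 'microsoft.com', 'com'] (most specific first)."""
    parts = name.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def iterative_query(server, qname):
    """One iterative query (steps 6-11). Returns ('answer', ip or None) from an authoritative
    server, ('referral', next_server) from a server that delegates the zone, or ('refused', None)."""
    s = SERVERS[server]
    for zone in suffixes(qname):
        if zone in s["auth"]:
            return "answer", s["auth"][zone].get(qname)   # None: name does not exist in the zone
        if zone in s["deleg"]:
            return "referral", s["deleg"][zone]
    return "refused", None


class DnsServer:
    """The client's DNS server: cache first, then recursion for the client."""

    def __init__(self, conditional_forwarders=None, max_hops=8):
        self.cache = {}
        self.conditional = conditional_forwarders or {}    # domain suffix -> server to ask
        self.max_hops = max_hops                           # guards against referral loops

    def resolve(self, qname):
        """Returns (ip, path): ip is None if the name does not exist; path lists the servers asked."""
        qname = qname.lower().rstrip(".")
        if qname in self.cache:                            # step 5: local server cache
            return self.cache[qname], ["cache"]
        server = ROOT_HINTS[0]                             # step 6: start from the root hints...
        for zone in suffixes(qname):                       # ...unless a conditional forwarder matches
            if zone in self.conditional:
                server = self.conditional[zone]
                break
        path = []
        for _ in range(self.max_hops):
            path.append(server)
            kind, value = iterative_query(server, qname)
            if kind == "answer":
                if value is not None:
                    self.cache[qname] = value              # positive answers are cached
                return value, path                         # step 12: hand the result to the client
            if kind == "referral":
                server = value                             # steps 7-10: follow the referral
                continue
            return None, path
        raise RuntimeError(f"referral loop resolving {qname}: {path}")


def ptr_name(ipv4):
    """Owner name of the PTR record for an IPv4 address: octets reversed under in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(network):
    """Reverse lookup zone name for a /8, /16 or /24 network: '192.0.2.0/24' -> '2.0.192.in-addr.arpa'."""
    addr, prefix = network.split("/")
    bits = int(prefix)
    if bits not in (8, 16, 24):
        raise ValueError("classful reverse zones only (/8, /16, /24)")
    return ".".join(reversed(addr.split(".")[: bits // 8])) + ".in-addr.arpa"
```

The second lookup of the same name never leaves the server (it is answered from `cache`), and a name under the conditional forwarder's suffix skips the root hints entirely, which is what the Conditional Forwarders card means by improving resolution of partner names.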

Which types of computers contain a copy of the Global Catalog (GC)?
Specified Active Directory domain controllers.

Which pieces of information should you have before you use the Active Directory Installation Wizard to install a new subdomain?
- Name of the child domain
- Name of the parent domain
- DNS configuration information
- NetBIOS name for the server

Which type of trust is automatically created between the domains in a domain tree?
Transitive two-way.

A systems administrator wants to remove a domain controller from a domain. What is the easiest way to perform the task?
Use the Active Directory Installation Wizard (dcpromo) to demote the domain controller.

Of the five main single-master functions, two apply to an entire Active Directory forest. What are the three that apply to just the domain?
- RID Master
- PDC Emulator Master
- Infrastructure Master

When deploying Active Directory, you decide to create a new domain tree. What do you need to do to create this?
Promote a Windows Server 2008 computer to a domain controller and select the option that makes this domain controller the first machine in a new domain in the existing forest, choosing to create a new domain tree root rather than a new child domain (a child domain would extend an existing tree's namespace).

New remote location with a very slow WAN link. Needs the following: fast logon times, reduced network bandwidth, and the ability to use existing hardware. What can you implement to achieve the above requirements?
Universal group membership caching, which stores group membership information locally once a user attempts to log on for the first time.

Regarding the sharing of resources between forests...
A trust relationship must exist before resources can be shared between forests.

o  o o o  o o 7 Reasons for Using Multiple Domains Scalability Reducing replication traffic Meeting Business needs hierarchy .easier data managment Decentralized administration Multiple DNS or domain namesLegality What are some of the Drawbacks of Multiple Domains? Administrative inconsistency Increased management Decreased flexibility o  o o o  o o o  o o Min Requirements for DC numbers 2 DCs per Domain Recommended Req's for DC numbers 2 DCs per Site Reasons for adding extra DCs Fault tolerance and reliability Performance o  o o o  o Main requirement for joining a new domain to an existing forest Domain does not share a namespace with the existing Active Directory domain. If you want to join a W2k8 server to an existing W2k3 Forest what do you need to do first? o o  o o  Prepare the domain by running: adprep /forestprep adprep /domainprep What naming information do you need prior to joining a domain to a new tree? name of the parent domain name of the child domain NetBIOS name for the new server .

Promote it o  o o True of False? A Trust grants all users in one domain access to the other domains. " makes this domain controller the first machine in a new domain that is a child of an existing domain" o  o o DcPromo option selected to create a new domain tree. False. 3.then child domains How do you move a DC between domains? 1. makes this domain controller the first machine in a new domain that is a child of an existing domain o  o o 3 Features common to all Domains in a Forest Schema GC Configuration Info o  o Type of trust between the Forest Root Domain and all the rest of the domains in the forest 2-way Transitive o o  o o o  o o How is a new Domain Tree created? Created top down .o o o  o o What other information (other than the 3 names) do you need prior to joining a domain to a new tree? DNS configuration domain administrator username and password DcPromo option selected to create a new domain tree.forest root domain . o  o o What 2 features of AD to ALL Trees and Forests share? Schema and Global Catalog o  . Trust only provides the foundation. Demote it. Move it. 2. Rights must be granted to resources once Trust is established.

o o o  o o o  o o o  o o o  o o o  o o o  o o o  o o o  o o o  o o o  o o What do you always have even if you only have 1 Domain? A Tree and a Forest What do you need to ensure is done before you remove the last DC from a Domain? Computers no longer log on to this domain No user accounts are needed All encrypted data is decrypted All cryptographic keys are backed up What are the 2 Forest Operation Master Roles? Schema Master Domain Naming Master What tool is used to manage the Forest Operation Master roles? AD Domains & Trusts What are the 3 Domain Operation master Roles? RID Master PDC Emulator Master Infrastructure Master The Schema master holds ___ a master copy of the AD Schema Where can changes to the AD Schema be made? Only on the Schema Master The Domain Naming Master __ tracks domains within the AD Forest What does the RID Master do? Creates a unique RID for every AD object PDC Emulator is responsible for __ Maintaining backward compatibility with NT DCs .used only in Mixed Mode domains. In a Forest running at 2k Native or later what role does the PDC play? Acts as default DC if another is not available .

The Infrastructure Master ensures ___
that group membership info stays current between DCs

How do you assign the Domain Naming Master role?
Open AD D&T, open AD D&T Properties, select Operations Master, click Change

How do you assign all of the RID, PDC and Infrastructure roles?
Open AD U&C, right-click the domain, select Operations Masters, click Change

What is a transitive trust?
An implied trust. If domain A trusts domain B AND domain B trusts domain C THEN domain A trusts domain C.

What are external trusts used for?
Used to provide access to an external domain (NT) that can't use forest trusts

What type of trust are external trusts?
Non-transitive and either 1-way or 2-way (manually created)

On external trusts, what is enabled by default to prevent hackers from using SID info to gain access?
SID filtering is on by default: SID History is cleaned of SID history attributes that are not members of the trusted domain.

When is a realm trust used?
Used to connect to a non-Windows domain using Kerberos

What types of realm trusts are there?
Either transitive or non-transitive, and either 1-way or 2-way

Where do you configure trust relationships?
AD D&T - Domain Properties - Trusts tab

What happens when selective authentication is used with cross-forest trusts?
Users can't authenticate to a DC or resource server unless explicitly enabled

What is a manually created trust called?
Shortcut trust

What is a cross-forest trust used for?
To share resources between forests

What is the restriction on cross-forest trusts?
They cannot be non-transitive.

Where would you go to enable selective authentication?
Trust properties - Selective Authentication

Where would you add a UPN suffix?
AD D&T - Properties - UPN Suffixes

You need to add another Global Catalog server to an existing domain. Where would you go to do this?
AD S&S - DC - NTDS Settings Properties - GC checkbox

What happens when Universal Group Membership Caching is enabled on a W2k8 DC?
1. User logs on: universal groups are cached from the GC
2. Next time the user logs on: no need to contact the GC

The benefits of Universal Group Membership Caching are:
- Faster logon times
- Reduced network bandwidth
- Ability to use existing hardware

On a W2k8 DC, how do you enable Universal Group Membership Caching?
AD S&S - Sites - DefaultFirstSite - NTDS Settings - Properties - checkbox