A domain is a database of objects that organizes users and computers and can be broken up into OUs.
What is a domain?
Advanced install mode is used for a new tree in a forest or for media-based installs.
When do you use advanced install mode?
It sets the minimum operating system level used for domain controllers.
What does raise domain functional level mean?
You can only lower a domain functional level if the forest functional level is lower.
When can you lower domain functional levels?
A program that lets you modify various properties of a 2008 R2 Server Core install, for example IP, domain, computer name, time, date, etc.
What is sconfig.exe?
Because of encryption: if the user has encrypted files, they will not be accessible after you reset the password. Have them use a password reset disk instead.
Why should you not reset a user's password in a workgroup?
Secure access control list. Used for auditing. Needs to be turned on via policy first.
What is SACL?
A User Principal Name, e.g. firstname.lastname@example.org. Used so users can sign on with their email address if the logon domain matches the email domain.
What is a UPN?
Membership: users from the same domain only. Resource access: open (any domain).
Define global group membership and resource access.
Password Settings Object. It lets you create password policies specific to a group or user.
What is a PSO?
Groups that have dynamic membership, like Everyone or Interactive Users.
What is a special identity group?
The last one read will overwrite the previous one if set up for the same attributes, but only if the previous one is optional. Set a GPO to Enforced so it overrides optional ones.
How can you keep GPOs from overwriting each other?
In the resource domain make a domain local group and in the user domain make a global group. Add the global group to the local group.
What is the best way to have users from one domain connect to a resource in another domain?
It blocks all optional (non-enforced) policies from above for the location it is set on and for the locations below it as well.
How does block policy inheritance work?
Setting up a query for a specific result that a GPO applies to, for example computers with more than 2 GB of memory.
What is WMI filtering?
Setting permissions in the DACL of the Group Policy Object for a specific group, then setting the Read and Apply Group Policy permissions to Allow or Deny. This makes the policy apply or not apply to members of that group.
What is group policy security filtering?
A command-line tool that reports which policies apply to the machine and user account. Use the /R switch.
What is gpresult?
You can now use comments and Starter GPOs.
What changes were made in the administrative template settings for Server 2008?
If the GPO no longer applies, the registry modifications are removed. Unmanaged ones leave the changes in the registry even though the policy no longer applies.
Why is it better to use managed administrative template GPOs?
Loopback processing allows a group policy attached to an OU to modify other objects that interact with the objects in your OU. For example, if Bob logs in to a PC, loopback lets a user-settings policy attached to the computer OU apply to Bob.
What is loopback processing and why would you use it?
Repadmin is a command-line utility used to diagnose replication (sync) issues between domain controllers. /syncall is used to force replication.
What is repadmin.exe?
The local security database, located in C:\Windows\security\Database. These settings come from local group policy.
What is secedit.sdb?
It is a read-only domain controller, used to keep a copy of the database without passwords. Used for remote sites.
What is a RODC and why is it used?
By default no, but you can set it to store passwords for specific objects.
Can an RODC store passwords?
A list of root DNS servers that can assist in finding the DNS servers for .com, .net, etc.
What is a root hint?
Using the dnscmd command or right-clicking the server in DNS Manager to clear the cache.
What are the ways to clear the DNS server cache?
It imports AD objects via the command line. -i is the import switch.
What does csvde -i do? Why is -i important?
Any domain user, by default up to 10; change the machine account quota in ADSI Edit.
Who can add computers to domains?
It detects whether you have a slow connection to the domain controller during policy processing. If so, it applies only part of the GPO policies; it does not push software or larger policies.
What is slow link detection?
It lets you apply environment variables by filtering for a specific target.
What is item-level targeting?
Enable it in group policy and configure the SACLs of the objects to audit.
What does directory service auditing need you to do?
It allows you to remove attributes from RODC caching.
What does RODC filtered attribute set allow you to do?
Load the schema in ADSI Edit and find the attribute to not cache. Go to the object's properties and find the searchFlags attribute. Set searchFlags to 640, marking it confidential.
How do you modify the filtered attribute set of an RODC?
It prompts you to reset the passwords of the users that were replicated to and cached on it.
What happens when you delete an RODC?
A server that has no zone records of its own. It relies on other local DNS servers for recursion and helps reduce queries going out to the internet.
What is a cache only dns server?
It is used when Unix (BIND) servers are secondary servers for your site.
Why would you use the dns property bind secondaries?
Round robin is used when adding multiple servers (addresses) to a host record. This is poor man's load balancing.
What is round robin and what is it used for?
Secure cache against pollution verifies that the reply matches the request so the DNS cache does not hold incorrect information.
What does secure cache against pollution do?
Conditional forwarding lets you set up a specific DNS server to forward to for a domain.
What is conditional forwarding?
You use it to search multiple domain names using just the host name, for example m1 resolving as m1.abc.com or m1.tlc.com.
What is a suffix search list?
A stub zone is a preconfigured list of NS records (DNS servers) and the A host records for them. This lets you query the DNS server directly without recursion.
What is a stub zone in DNS?
DNS zones stored in AD replicate to other domain controllers. It is more secure than DNS zone transfer replication.
Why store zones in AD?
Forest DNS Zones, Domain DNS Zones, the domain partition, and a custom application partition.
What are the AD partitions you can store DNS zones in?
A record that maps a service name and port to a server. Very important for Active Directory to function properly.
What is an SRV record?
It lets you use WINS for lookups of NetBIOS names that are not in your DNS server.
What is WINS forward lookup?
It is a zone that lets you connect to a resource by a single-label name without a DNS suffix.
What is a GlobalNames zone?
In DNS Manager, right-click the zone and select Transfer from Master.
How do you force DNS zones not in Active Directory to replicate?
Have the child DC set up a zone for its domain and remove it from the parent DC. Add a new delegation record on the parent DC.
How do you set up a delegation record?
Using ntdsutil you can make a backup of the AD database as well as SYSVOL.
How do you back up the Active Directory database and SYSVOL in Server 2008?
Domain Naming Master, Schema Master, RID Master, Infrastructure Master, and PDC Emulator.
What are the types of Operation masters?
The domain naming master has the ability to add and remove domain controllers in a forest.
What is a domain naming master?
The master that keeps track of time, emulates a PDC for backwards compatibility, and manages GPO updates in a domain.
What is a pdc emulator?
What master role should you transfer if you have a DC that is a global catalog?
Trusts created inside a forest to speed up authentication from one domain to another.
What are shortcut trusts?
Forest-to-forest trusts using Kerberos authentication from one forest root DC to another forest root DC.
What are forest trusts?
Non-transitive trusts from one domain in a forest to a domain in a different forest.
What are external trusts?
Selective authentication trusts define specific resource access, while domain-wide authentication allows all authenticated users from the trust access.
What are selective trusts and how do they differ from domain-wide/tree-wide trusts?
Schema master and domain naming master; RID master and PDC emulator.
What master roles should be paired up on a DC?
To organize objects by IP subnet to assist with replication traffic and service location.
What are sites used for?
When deploying a DC that is not a global catalog server and has a poor connection to other DCs.
Why would you enable universal member group caching?
Renaming a DC, the userPassword attribute, the last logon attribute, default user and computer container redirection, selective authentication for trusts.
What does the Server 2003 domain functional level allow?
DFS-R, advanced encryption services (AES), last interactive logon info, fine-grained password policies.
What does server 2008 domain functionality allow?
Aging is the process of using timestamps to track the age of dynamically registered records. It is composed of the no-refresh and refresh intervals.
What is aging?
At a command prompt: dnscmd . /config /enableglobalnamessupport 1
How do you enable a GlobalNames zone?
Records the old and new values of an AD attribute, but you need to run auditpol to enable it.
What does subcategory auditing of DS changes do?