A tree is one or more domains that share a contiguous DNS namespace, for example abc.com with the child domain corp.abc.com.
What is a tree?
Forest -> Tree -> Domain
What are the three levels of structure in Active Directory?
The schema defines the object classes and attributes that can exist in the directory; think of it as the building code. There is one schema per forest.
What is the schema?
A domain is a partition of the directory database holding objects such as users, groups and computers; it is an administrative and replication boundary and can be subdivided into OUs.
What is a domain?
Advanced installation mode (dcpromo /adv) exposes options such as creating a new domain tree in an existing forest, choosing the source DC to replicate from, and Install From Media (IFM).
When do you use advanced installation mode?
A minimal installation of Windows Server 2008 without the desktop shell; it is managed from the command line or remotely.
What is Server 2008 Server Core?
Schema, Configuration and Domain (plus optional application partitions such as DomainDnsZones and ForestDnsZones)
What are the three main partitions (naming contexts) of NTDS.dit?
Schema and Configuration
Which partitions replicate forest-wide?
The Configuration partition
Which partition does Active Directory Sites and Services bind to?
The Configuration partition (the Partitions container, for UPN suffixes and cross-references); the trust objects themselves live in the domain partition
Which partitions does Active Directory Domains and Trusts modify?
The Domain partition
Which partition does Active Directory Users and Computers modify?
Raising the functional level sets the minimum Windows Server version a domain controller may run and unlocks the features that need it (for example fine-grained password policies at the 2008 level).
What does raising the domain functional level mean?
Normally you cannot. Starting with Windows Server 2008 R2 you can roll back from 2008 R2 to 2008 (Set-ADDomainMode), but only if the forest functional level is 2008 or lower and the Active Directory Recycle Bin has not been enabled.
When can you lower the domain functional level?
Not on Server 2008 Core; Server 2008 R2 Core can, after enabling the NetFx2-ServerCore and MicrosoftWindowsPowerShell optional features.
Can Server 2008 Core run PowerShell?
The .NET Framework, which is why Server 2008 Core (no .NET support) cannot host it.
What does PowerShell need to run?
A text-menu tool on Server 2008 R2 Core for setting common properties such as the IP address, domain membership, computer name, date and time, and remote management.
What is sconfig.exe?
No; only Server 2008 R2 Core supports the Active Directory Certificate Services role.
Can Server 2008 Core be a certificate server?
Yes. When an OU is created in the Server 2008 or 2008 R2 version of Active Directory Users and Computers, "Protect container from accidental deletion" is checked by default.
Is protection from accidental deletion checked by default when creating an OU?
Because of encryption. A local account's EFS keys and saved credentials are protected by a DPAPI master key derived from the user's password; an administrative reset (as opposed to the user changing the password) makes those files unreadable. Have the user use a password reset disk instead. In a domain the DPAPI master key can be recovered through the domain backup key, so this problem does not arise.
Why should you not administratively reset a user's password in a workgroup?
It changes the default container for new computer accounts (from CN=Computers to an OU of your choice), so that GPOs linked to that OU apply to newly joined machines.
What is redircmp?
With redirusr, which redirects new user accounts from CN=Users to the specified OU.
How do you change the default user location?
Discretionary Access Control List: the part of an object's security descriptor that lists who is allowed or denied which permissions. Delegating control edits the DACL.
What is a DACL?
System Access Control List: the part of the security descriptor that says which access attempts are audited. Its entries only produce events once the matching audit policy has been enabled.
What is a SACL?
Only when the deny is inherited: an explicit Allow set on the object itself overrides an inherited Deny. An explicit Deny always beats an Allow.
When will an allow override a deny permission?
Running regsvr32 schmmgmt.dll registers the Active Directory Schema snap-in so it can be added to an MMC console.
Why do you register the schema .dll?
PowerShell (New-ADUser), VBScript via ADSI, dsadd user, csvde -i, ldifde -i
How can you add a user from the command line?
The Active Directory module for PowerShell and the Active Directory Administrative Center talk to a DC through ADWS (TCP 9389), so at least one DC running ADWS is required.
Why is Active Directory Web Services important?
A User Principal Name, in the form user@suffix, for example jdoe@example.com. If the UPN suffix matches the email domain, users can sign in with their email address.
What is a UPN?
In Active Directory Domains and Trusts: right-click the root node, Properties, UPN Suffixes tab. The suffix is stored in the Partitions container of the Configuration partition, so it is forest-wide.
How do you add an alternative UPN suffix?
A group with a SID that can be placed on ACLs and appears in access tokens, used for permissions; it can also be mail-enabled.
Define a security group.
A group used only for email distribution; it is not security-enabled, so it never appears in access tokens and cannot be used on an ACL.
Define a distribution group.
Membership: accounts and groups from any domain in the forest (or trusted domains). Resource access: only within its own domain.
Define Domain Local group membership and resource access.
Membership: accounts and global groups from the same domain only. Resource access: any domain in the forest or any trusting domain.
Define Global group membership and resource access.
Membership: accounts and groups from any domain in the forest. Resource access: any domain in the forest.
Define Universal group membership and resource access.
In the global catalog, so a GC must be reachable to evaluate universal group membership at logon.
Where does universal group membership reside?
A global security group whose membership mirrors the users in an OU, kept in sync by script, so that a PSO (which cannot be applied to an OU) can be applied to them.
What is a shadow group?
Password Settings Object. It lets you define a password and lockout policy for specific users or global security groups instead of a single policy per domain.
What is a PSO?
Windows Server 2008
What domain functional level do you need to use PSOs?
Groups whose membership is computed by the system rather than assigned, such as Everyone, Interactive and Authenticated Users.
What is a special identity group?
Sites, domains and OUs only; not the built-in Users and Computers containers (hence redircmp and redirusr).
What can a group policy be linked to?
No. Processing order is Local, Site, Domain, OU (LSDOU) and later settings win, so an Active Directory GPO overrides local policy for any setting both define.
Does local policy win over Active Directory?
GPOs are processed in LSDOU order and the last one applied wins for any setting that several of them define. A link marked Enforced (No Override) wins over anything processed after it and cannot be blocked by Block Inheritance.
How do you keep GPOs from overriding each other?
ocsetup (also dism /online /enable-feature on 2008 R2); oclist shows what is installed
What is the Server Core command for installing roles and components?
dcpromo (on Server Core with /unattend:answerfile)
What is the command to promote a domain controller?
dnscmd
What is the command to configure DNS from the command prompt?
dfsutil (and dfscmd for legacy DFS link management)
What is the command to configure DFS from the command prompt?
It searches Active Directory for objects matching a filter from the command prompt; its output can be piped to dsget or dsmod.
What does dsquery.exe do?
Create an unattend answer file, since Server Core has no wizard, then run dcpromo /unattend:<file>.
What do you have to do before running dcpromo on a Server Core machine?
netsh interface ipv4 set address (or sconfig on 2008 R2)
What is the command to change the IP address?
With the Active Directory Schema snap-in (after registering schmmgmt.dll) or ADSI Edit, connected to the schema master.
How do you manage the schema?
TCP 389 (636 for LDAP over SSL)
What port is LDAP?
TCP 3268 (3269 over SSL)
What port is used by the global catalog server?
netdom resetpwd on the machine whose account is broken, or nltest /sc_reset to re-establish its secure channel
What is the best way to reset computer account passwords?
A member of Enterprise Admins, because the suffix is written to the Partitions container in the Configuration partition.
Who can add an alternative UPN suffix?
AGDLP: put the Accounts into a Global group in the user domain, create a Domain Local group in the resource domain, nest the global group in the domain local group, and grant the Permission to the domain local group.
What is the best way to give users from one domain access to a resource in another domain?
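The AGDLP card above, carried out end to end. This is an added example, not part of the original cards; it assumes the ActiveDirectory module (Server 2008 R2 RSAT), two domains in the same forest with assumed names corp.abc.com (NetBIOS CORP, where the accounts live) and res.abc.com (NetBIOS RES, where the file server lives), assumed accounts alice and bob, and the assumed folder path shown.

```powershell
# Added example, not from the original cards: AGDLP between two domains of one forest.
# Assumed names: user domain corp.abc.com (CORP), resource domain res.abc.com (RES),
# accounts alice and bob, and the folder behind the share.
Import-Module ActiveDirectory

$userDomain     = 'corp.abc.com'
$resourceDomain = 'res.abc.com'
$sharePath      = '\\fs01.res.abc.com\Projects'   # assumed folder behind the share

# A -> G: accounts go into a Global group in their own domain
# (a global group only accepts members from its own domain).
$global = New-ADGroup -Name 'Project-Engineers' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=abc,DC=com' -Server $userDomain -PassThru
Add-ADGroupMember -Identity $global -Members 'alice', 'bob' -Server $userDomain

# DL: the Domain Local group lives where the resource lives and is what the ACL names.
$local = New-ADGroup -Name 'Projects-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=res,DC=abc,DC=com' -Server $resourceDomain -PassThru

# G -> DL: nest the foreign global group. Writing the member DN directly avoids the
# cross-domain lookup that Add-ADGroupMember would try against the target domain.
Set-ADGroup -Identity $local -Add @{ member = $global.DistinguishedName } -Server $resourceDomain

# DL -> P: grant the permission to the domain local group only, never to users or global groups.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'RES\Projects-Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
```

Because the ACL names only the domain local group, moving a user between projects is a change to global group membership in the user domain and never touches the file server's permissions.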
PSO: Password Settings Object, the object that implements a fine-grained password policy.
What is a fine-grained password policy?
Local, Site, Domain, OU (LSDOU), with the last one applied winning
In what order is group policy processed?
It performs an offline domain join: djoin /provision creates the computer account on a DC and writes a blob, and djoin /requestodj on the client consumes it, so a machine that cannot reach a DC (for example during imaging) is joined at its next boot.
What is djoin.exe?
It stops non-enforced GPOs linked at higher levels (site, domain, parent OUs) from applying to that OU and everything below it; Enforced links still apply.
How does Block Inheritance work?
gpedit.msc (or secpol.msc for just the security settings)
How do you edit local group policy?
gpupdate /force on the client (gpupdate /target:computer or /target:user to limit the scope)
How do you push out a group policy update?
Local and site GPOs: the local GPO lives on the machine and the site is chosen from the computer's IP subnet, so they are the same for any user logging on to that PC.
Which policies follow the PC?
Domain and OU GPOs for User Configuration settings: they are selected by where the user object sits in AD, so they follow the user to any computer (unless loopback processing overrides them).
Which policies follow the user?
Group Policy Creator Owners (or explicit delegation on the Group Policy Objects container in GPMC)
What group must a user belong to to create a group policy object?
In the Group Policy Management Console: select the site, domain or OU, open the Delegation tab and grant Link GPOs.
Where do you give permission to link a GPO?
No. Site membership is computed from the client's IP address and the subnet-to-site mapping, so a laptop gets different site GPOs at different locations.
Are site policies for computers static?
Users and computers. GPOs never apply to groups; groups are only used to filter which users or computers receive a GPO.
What does group policy modify?
WMI filtering or security filtering on the GPO.
How do you exclude a person from a specific policy?
Attaching a WMI (WQL) query to a GPO so that it applies only where the query returns a result, for example computers with more than 2 GB of memory.
What is WMI filtering?
Editing the DACL of the GPO so that a specific group is allowed or denied the Read and Apply Group Policy permissions; a GPO applies only to users and computers that hold both. By default Authenticated Users has both.
What is group policy security filtering?
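The two filtering cards above, in practice. This is an added example, not from the original cards; it assumes the GroupPolicy module (Server 2008 R2 RSAT), an assumed GPO named Workstation-Hardening and an assumed group GPO-Apply-Hardening. The WQL query is the one the memory example implies.

```powershell
# Added example, not from the original cards. Assumed names: GPO 'Workstation-Hardening',
# group 'GPO-Apply-Hardening'.
Import-Module GroupPolicy

# 1. WMI filtering: test the WQL query locally before putting it in a WMI filter.
#    A WMI filter passes only where the query returns at least one object.
$wql     = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 2147483648'  # more than 2 GB
$matches = @(Get-WmiObject -Query $wql)
if ($matches.Count -gt 0) { 'WMI filter would pass on this machine' }
else                      { 'WMI filter would block the GPO on this machine' }

# 2. Security filtering: give Apply to the chosen group and reduce Authenticated Users to Read.
#    Keep Read for Authenticated Users: if the computer account cannot read the GPO, user
#    settings in it silently stop applying. -Replace is needed to lower an existing level.
$gpo   = 'Workstation-Hardening'
$group = 'GPO-Apply-Hardening'
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Verify the resulting DACL on the GPO.
Get-GPPermission -Name $gpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Set-GPPermission only writes Allow entries. To exclude a group with a Deny on Apply Group Policy, use the GPMC Delegation tab, Advanced, and remember that an explicit Deny beats the Allow that Authenticated Users normally carries.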
A command-line tool that reports which GPOs applied to the computer and to the logged-on user and which were filtered out; gpresult /r gives the summary, /v and /z the details.
What is gpresult?
In two places: the Group Policy Container in AD (under CN=Policies,CN=System in the domain partition), holding version and link information, and the Group Policy Template in SYSVOL (\\domain\SYSVOL\domain\Policies\{GUID}), holding the settings files.
Where are GPO settings kept?
The registry: computer settings under HKLM and user settings under HKCU, in policy keys such as Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies.
What do GPO Administrative Templates modify?
An XML-based administrative template introduced with Vista/Server 2008 to replace .adm files; the language strings live in separate .adml files, and both can be kept in a central store in SYSVOL.
What is a .admx file?
Comments on GPOs and individual settings, starter GPOs, .admx templates with a central store, and filtering in the editor.
What changed in the Administrative Templates area for Server 2008?
A GPO used as a template: its Administrative Templates settings are copied into new GPOs created from it.
What is a starter GPO?
A managed (true policy) setting is written to the Policies registry keys and is removed when the GPO no longer applies. An unmanaged setting (a preference) writes to ordinary registry locations and "tattoos" the registry, staying in place after the policy is gone.
Why is it better to use managed Administrative Template settings?
Loopback processing (not "look back") applies the User Configuration settings of the GPOs linked to the computer's OU to whoever logs on, either replacing the user's own GPOs (Replace mode) or applying on top of them (Merge mode). Example: a kiosk OU whose GPO locks down user settings for any account, including Bob, that logs on there.
What is loopback processing and why would you use it?
repadmin is a command-line utility for diagnosing replication between domain controllers (repadmin /showrepl, /replsummary); repadmin /syncall forces replication.
What is repadmin.exe?
The local security database, %windir%\security\Database\secedit.sdb, which holds the security settings applied from local and domain policy.
What is secedit.sdb?
In Local Security Policy (secpol.msc): right-click Security Settings for Export Policy or Import Policy; or from the command line with secedit /export and secedit /configure.
Where can you import and export the local security policy?
Advanced Audit Policy Configuration: 53 audit subcategories can be set through Group Policy instead of the nine legacy categories, plus global object access auditing.
What changed in auditing in Server 2008 R2?
Users and global security groups
What can a PSO be applied to?
ADSI Edit (under CN=Password Settings Container,CN=System), ldifde, or the Active Directory PowerShell module on 2008 R2 (New-ADFineGrainedPasswordPolicy)
What tool is used to make a PSO?
A Read-Only Domain Controller holds a read-only copy of the database that by default contains no account passwords (only its own and those of its krbtgt account). It is used in branch sites with weaker physical security or unreliable links.
What is an RODC and why is it used?
By default no, but the Password Replication Policy can allow it to cache the passwords of specific users and computers.
Can an RODC store passwords?
Windows Server 2003 or higher
What forest functional level is needed for an RODC?
A list of the root DNS servers (cache.dns) used to start recursion when no forwarder answers, leading to the servers for .com, .net and so on.
What is a root hint?
dnscmd /clearcache, or right-click the server in DNS Manager and choose Clear Cache.
How do you clear the DNS server cache?
On the RODC's computer object, the Managed By tab: the account set there gets local administrator rights on the RODC without any rights in the domain (administrator role separation).
How do you change who manages an RODC?
A command-line tool for managing AD LDS instances and the local administrator roles of an RODC (dsmgmt "local roles").
What is dsmgmt?
netdom join %computername% /domain:corp.abc.com /userd:user /passwordd:* (or djoin for an offline join)
How do you join a domain from the command line?
ocsetup <component> (or dism /online /enable-feature on 2008 R2)
How do you add Server Core roles from the command line?
Lists the roles and features available on Server Core and whether each is installed.
What does oclist do?
The first domain created in the forest; it holds the Enterprise Admins and Schema Admins groups.
What is the forest root domain?
Adds objects (users, groups, computers, OUs, contacts, quotas) from the command line.
What does dsadd do?
Returns selected attributes of an object.
What does dsget do?
Modifies object attributes.
What does dsmod do?
Moves or renames objects, for example to a different OU.
What does dsmove do?
Removes an object (or a whole subtree with -subtree).
What does dsrm do?
csvde -i imports objects from a CSV file; without -i, csvde exports. It cannot set passwords, so imported users are created disabled.
What does csvde -i do? Why is -i important?
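The "add a user from the command line" and csvde -i cards describe a bulk import; csvde cannot set passwords, so the accounts it creates are disabled. Below is an added example (not from the original cards) that performs the same CSV-driven import with the Active Directory module, sets a random initial password and enables the account. It assumes the ActiveDirectory module, an assumed target OU and UPN suffix; the CSV rows are constructed sample data.

```powershell
# Added example, not from the original cards. Assumed: OU below, UPN suffix abc.com.
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=corp,DC=abc,DC=com'   # assumed target OU
$upnSuffix = 'abc.com'                           # assumed UPN suffix

# Constructed sample input, using csvde-style attribute names as column headers.
$csv = @'
sAMAccountName,givenName,sn,department
jdoe,Jane,Doe,Engineering
rroe,Richard,Roe,Finance
'@

$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
foreach ($r in ($csv | ConvertFrom-Csv)) {
    # Random 24-character initial password; the suffix guarantees the complexity classes.
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + 'a1!') -AsPlainText -Force

    New-ADUser -SamAccountName $r.sAMAccountName `
        -Name "$($r.givenName) $($r.sn)" -GivenName $r.givenName -Surname $r.sn `
        -UserPrincipalName "$($r.sAMAccountName)@$upnSuffix" `
        -Department $r.department -Path $ou `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
}
```

Setting the password at creation and forcing a change at first logon avoids the csvde workflow of importing disabled accounts and then resetting each one by hand.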
So the object lands in the right OU and its GPOs apply at first boot, and so a named account rather than the default quota is used for the join (required for RODCs and for delegated joins).
Why do you prestage computer objects?
By default any authenticated domain user, up to 10 machines each (ms-DS-MachineAccountQuota on the domain object); change it with ADSI Edit, or set it to 0 and delegate Create Computer objects on an OU instead.
Who can add computers to the domain?
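The two cards above as a hardening step: read and zero the machine account quota, then pre-stage a computer in the right OU and delegate the join to one technician. Added example, not from the original cards; it assumes the ActiveDirectory module, an assumed OU OU=Workstations, an assumed computer WS-0421 and an assumed technician account CORP\jtech.

```powershell
# Added example, not from the original cards. Assumed: OU=Workstations, computer WS-0421, CORP\jtech.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Default: any authenticated user may join up to 10 machines. Read the current quota.
$quotaAttr = 'ms-DS-MachineAccountQuota'
(Get-ADObject -Identity $domainDN -Properties $quotaAttr).$quotaAttr

# Hardening: set the quota to 0 so only accounts with delegated rights can join machines.
Set-ADObject -Identity $domainDN -Replace @{ $quotaAttr = 0 }

# Pre-stage the computer object in its OU so its GPOs apply at first boot.
$ou = "OU=Workstations,$domainDN"
New-ADComputer -Name 'WS-0421' -Path $ou -Enabled $true
$dn = "CN=WS-0421,$ou"

# Let one technician join this pre-staged object, nothing more: the rights that
# "The following user or group can join this computer to a domain" grants in ADUC.
dsacls $dn /G "CORP\jtech:CA;Reset Password"
dsacls $dn /G "CORP\jtech:WP;Account Restrictions"
dsacls $dn /G "CORP\jtech:WS;Validated write to DNS host name"
dsacls $dn /G "CORP\jtech:WS;Validated write to service principal name"
```

With the quota at 0, an ordinary user who creates a machine account to get a foothold is refused, while the technician can still run the join against the pre-staged object.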
auditpol.exe, the command-line tool for audit policy, for example auditpol /set /subcategory:"Directory Service Changes" /success:enable
What is auditpol?
The PSO with the lowest msDS-PasswordSettingsPrecedence wins; if two have the same precedence, the one with the lower GUID (globally unique identifier) wins. A PSO applied directly to the user beats any applied through a group.
If two PSOs apply to the same user, which wins?
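The shadow group, PSO and precedence cards, put together: keep a global security group in sync with an OU, attach a PSO to it, and check which PSO a user actually gets. Added example, not from the original cards; it assumes the ActiveDirectory module (Server 2008 R2), a domain at the Windows Server 2008 functional level, an assumed OU OU=Admins and an assumed user alice in that OU.

```powershell
# Added example, not from the original cards. Assumed: OU=Admins, user alice in it.
Import-Module ActiveDirectory
$ou = 'OU=Admins,DC=corp,DC=abc,DC=com'

# A PSO applies to users and global security groups only, never to an OU,
# so keep a "shadow group" whose membership mirrors the OU.
$shadow = Get-ADGroup -Filter "Name -eq 'PSO-Admins-Shadow'"
if (-not $shadow) {
    $shadow = New-ADGroup -Name 'PSO-Admins-Shadow' -GroupScope Global -GroupCategory Security -Path $ou -PassThru
}
$inOu    = @(Get-ADUser -SearchBase $ou -SearchScope OneLevel -Filter * | Select-Object -ExpandProperty DistinguishedName)
$members = @(Get-ADGroupMember -Identity $shadow | Select-Object -ExpandProperty DistinguishedName)
$toAdd    = $inOu    | Where-Object { $members -notcontains $_ }
$toRemove = $members | Where-Object { $inOu -notcontains $_ }
if ($toAdd)    { Add-ADGroupMember    -Identity $shadow -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $shadow -Members $toRemove -Confirm:$false }

# Create the PSO. Lower precedence wins when several PSOs apply; if two share a precedence
# the lower objectGUID wins, so give every PSO a distinct precedence instead of relying on that.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -PassThru
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $shadow

# Check which PSO actually wins for a user (returns nothing if only the domain policy applies).
Get-ADUserResultantPasswordPolicy -Identity 'alice'
```

Run the sync part on a schedule; a shadow group that drifts from its OU is the usual reason a PSO silently stops covering a new administrator.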
Using the Password Replication Policy (PRP): add the users or groups whose passwords may be cached to the Allowed list.
How do you have an RODC store passwords?
At least one writable Windows Server 2008 (or later) domain controller in the domain for it to replicate from.
What does an RODC need?
Run adprep /rodcprep (from the 2008 media) once per forest to update the application partition permissions.
If an RODC is added to a forest that still has 2003 DCs, what needs to be done?
Yes; a server can host zones at different levels, for example abc.com and corp.abc.com, as long as it is authoritative for each of them.
Can a server be authoritative for more than one level of the domain hierarchy?
A portion of the DNS namespace for which a DNS server is authoritative, stored in a zone file or in AD.
What is a DNS zone?
The client-side component that sends queries to DNS servers and caches the answers (the DNS Client service on Windows).
What is a DNS resolver?
DNS database entries (A, AAAA, SRV, NS, SOA, CNAME, PTR and so on) used to answer queries.
What are DNS resource records?
In %systemroot%\system32\dns\cache.dns on each DNS server.
Where are root hints kept?
ipconfig /flushdns on a client; dnscmd /clearcache on the server.
What is the command to clear the DNS cache from the command prompt?
Slow link detection measures the bandwidth between the client and the domain controller during policy processing. Below the threshold (500 kbps by default) only settings that must always apply, such as security settings and administrative templates, are processed; software installation, folder redirection and scripts are skipped.
What is slow link detection?
Item-level targeting (Group Policy Preferences) applies an individual preference item only where a condition is met, for example membership of an OU or security group, an IP range, or the value of an environment variable.
What is item-level targeting?
The command-line tool to analyze, configure, export and import local security policy settings (secedit /analyze, /configure, /export).
What does secedit do?
The Domain Controllers OU (through the Default Domain Controllers Policy), since logons and directory changes are processed on DCs.
Where does Active Directory access auditing bind to?
The Domain Controllers OU
Where does account management auditing bind to?
The Domain Controllers OU
Where does account lockout auditing bind to?
Enable the Directory Service Changes audit policy (in the Default Domain Controllers Policy) and configure SACLs on the objects or OUs you want audited; without a SACL nothing is logged.
What does directory service auditing require you to do?
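The two halves the card describes (policy on, SACL on the object) on a single DC. Added example, not from the original cards; it assumes the ActiveDirectory module and its AD: drive, an assumed OU OU=Admins, and an account with the right to edit SACLs (SeSecurityPrivilege) on a domain controller. In production the auditpol setting belongs in the Default Domain Controllers Policy; auditpol here sets it locally for testing.

```powershell
# Added example, not from the original cards. Assumed: OU=Admins, run as an administrator on a DC.
Import-Module ActiveDirectory

# 1. Policy side: turn on the subcategory (events 5136 modify, 5137 create, 5139 move, 5141 delete).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Object side: put a SACL on the OU. -Audit is required to read and write the SACL.
$ouPath = 'AD:\OU=Admins,DC=corp,DC=abc,DC=com'
$acl    = Get-Acl -Path $ouPath -Audit

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl, WriteOwner'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this OU and everything below

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $rights, $flags, $inherit)
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3. Verify both halves.
auditpol /get /subcategory:"Directory Service Changes"
(Get-Acl -Path $ouPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

Auditing Everyone for writes, not reads, keeps the volume manageable: a read SACL on a busy OU floods the Security log, while write events on an admin OU are rare and worth alerting on.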
NTFS files and folders, shares, registry keys, printers and certification authorities (anything that carries a SACL).
What does object access auditing audit?
It lets you exclude attributes from replicating to RODCs, so sensitive data (such as a custom attribute holding an ID number) is never stored on a branch-office DC.
What does the RODC filtered attribute set allow you to do?
Connect ADSI Edit to the schema partition, find the attributeSchema object, open its properties and edit searchFlags: OR in 0x200 (512, RODC filtered) and 0x80 (128, confidential), which gives 640 when no other bits were set.
How do you modify the filtered attribute set of an RODC?
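The searchFlags edit above, done without clobbering the other bits the attribute may already carry (indexing, ANR, copy-on-duplicate). Added example, not from the original cards; it assumes the ActiveDirectory module, Schema Admins membership, and an assumed custom attribute with LDAP display name corp-EmployeeID.

```powershell
# Added example, not from the original cards. Assumed attribute: corp-EmployeeID.
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster          # schema writes must go to the schema master
$attrName     = 'corp-EmployeeID'

$attr = Get-ADObject -SearchBase $schemaNC -Server $schemaMaster -Properties searchFlags `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))"
if (-not $attr) { throw "attribute $attrName not found in the schema" }

$CONFIDENTIAL  = 0x80    # 128: readable only via the Control Access right, not by default Read
$RODC_FILTERED = 0x200   # 512: excluded from replication to RODCs (filtered attribute set)

# The card's 640 is 512 + 128 for an attribute with no other flags. OR-ing preserves
# anything else already set, e.g. 0x1 (indexed) would become 641 rather than being lost.
$current = [int]$attr.searchFlags
$new     = $current -bor $CONFIDENTIAL -bor $RODC_FILTERED
if ($new -ne $current) {
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new } -Server $schemaMaster
}
"searchFlags for $attrName : $current -> $new"
```

System-critical attributes cannot be added to the filtered set, and the change only takes effect on RODCs once the schema change has replicated to the writable DCs they replicate from.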
The wizard prompts you to reset the passwords of the accounts whose secrets were cached on it (since whoever has the RODC could have extracted them) and offers to export the list of those accounts.
What happens when you delete an RODC?
Installs roles and features on Server Core from the command line (ocsetup <component>).
What does ocsetup do?
A DNS server that hosts no zones; it resolves through root hints or forwarders and serves repeat answers from cache, cutting down on queries leaving the site.
What is a caching-only DNS server?
It turns off fast zone transfers (compression, several records per message) for secondary servers running BIND versions before 4.9.4 that cannot handle them.
Why would you use the DNS property BIND secondaries?
Round robin rotates the order of multiple A records for the same name in each response, spreading clients across several hosts. It is poor man's load balancing: no health checking, so a dead host keeps being handed out.
What is round robin and what is it used for?
Secure cache against pollution makes the server discard records in a response that lie outside the tree of the name that was queried, so a referral cannot plant bogus records in the cache.
What does secure cache against pollution do?
Conditional forwarding sends queries for a specific domain name to a specific set of DNS servers instead of the default forwarders or root hints.
What is conditional forwarding?
On the Security tab of the DNS server or zone in DNS Manager, grant the account or group the needed permissions (the DnsAdmins group has full control of the server).
How do you delegate control over DNS?
Windows Server 2008 R2, which introduced DNSSEC zone signing and trust anchors.
Which OS has trust anchors for DNS (DNSSEC)?
A list of DNS suffixes the client appends to unqualified names, so a lookup for m1 is tried as m1.abc.com and then m1.tlc.com.
What is a suffix search list?
ipconfig /displaydns shows the client cache; nslookup queries a server.
How do you display DNS from the command line?
A stub zone holds only the SOA, NS and glue A records of another zone. It lets the server query that zone's authoritative servers directly instead of recursing from the root, and unlike a conditional forwarder it refreshes itself when the NS list changes.
What is a stub zone in DNS?
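The round robin, secure cache against pollution, conditional forwarding and stub zone cards, applied with dnscmd on a Server 2008 R2 DNS server. Added example, not from the original cards; the zone names and master addresses are assumed.

```powershell
# Added example, not from the original cards. Assumed: a partner zone partner.example with
# DNS servers 10.0.0.5/10.0.0.6, and a child zone branch.corp.abc.com served by 10.0.1.5.
$server = 'localhost'   # run on the DNS server itself, or name a remote one

# Per-server flags (1 = on). Secure cache against pollution should stay on; round robin is a choice.
dnscmd $server /Config /RoundRobin 1
dnscmd $server /Config /SecureResponses 1

# Conditional forwarder: everything under partner.example goes to the partner's servers.
# You have to update the address list yourself when the partner changes servers.
dnscmd $server /ZoneAdd partner.example /Forwarder 10.0.0.5 10.0.0.6

# Stub zone: copies only SOA/NS/glue from the child zone's master and follows NS changes itself.
dnscmd $server /ZoneAdd branch.corp.abc.com /Stub 10.0.1.5

# Verify: server settings and the zone list with each zone's type.
dnscmd $server /Info
dnscmd $server /EnumZones
```

A conditional forwarder and a stub zone solve the same routing problem; the forwarder is the right tool for an external organisation whose servers you do not trust with a zone transfer, the stub zone for your own child domains.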
AD-integrated zones replicate through AD replication (authenticated and encrypted between DCs) instead of zone transfers, support secure dynamic updates, and are multi-master, so any DC can accept changes.
Why store zones in AD?
ForestDnsZones, DomainDnsZones, the domain partition (for Windows 2000 compatibility), and a custom application partition
What are the AD partitions you can store DNS zones in?
To every DNS server that is a domain controller in the forest
How do ForestDnsZones zones replicate?
To every DNS server that is a domain controller in the domain
How do DomainDnsZones zones replicate?
With dnscmd /createdirectorypartition and /enlistdirectorypartition, or with ntdsutil partition management
How do you make a custom AD partition for DNS zones?
The zone that resolves an FQDN to an IP address
What is a forward lookup zone?
The zone that resolves an IP address to an FQDN (PTR records)
What is a reverse lookup zone?
Start of Authority. It names the primary server and defines the zone serial number and the refresh, retry, expire and minimum TTL timers that govern zone transfers.
What is an SOA record?
An NS record names a server that is authoritative for the zone.
What is an NS record?
nslookup -type=ns domainname
What is the command to look up a domain's NS servers?
Maps a name to an IPv4 address
What is an A record?
Maps a name to an IPv6 address
What is an AAAA record?
A record that maps a service (name, protocol and port) to the hosts providing it. Clients locate domain controllers through the _ldap._tcp and _kerberos._tcp SRV records, so Active Directory cannot function without them.
What is an SRV record?
It lets the DNS server fall back to WINS for single-label NetBIOS names that have no record in the zone.
What is WINS forward lookup?
A zone (GlobalNames) that resolves single-label names forest-wide without a DNS suffix, intended to replace WINS.
What is a GlobalNames zone?
repadmin /syncall, since AD-integrated zones travel with AD replication
How do you force DNS zones stored in Active Directory to replicate?
In DNS Manager, right-click the secondary zone and select Transfer from Master (or Reload from Master).
How do you force DNS zones not stored in Active Directory to replicate?
A set of NS records (with glue A records) in the parent zone that refers queries for a child domain to the servers hosting it.
What is a delegation record?
Create the child zone on the child domain's DNS servers, remove any copy of it from the parent server, then in the parent zone run New Delegation pointing at the child's name servers.
How do you set up a delegation?
Use Windows Server Backup: wbadmin start systemstatebackup -backupTarget:<drive> backs up the system state, which includes NTDS.dit and SYSVOL. ntdsutil ifm creates install-from-media sets and ntdsutil snapshot takes VSS snapshots for offline inspection, but neither replaces a backup.
How do you back up the Active Directory database and SYSVOL in Server 2008?