
Windows Server 2008 & 2008 R2

Install Manage and Master OS

What is DNS?
The Domain Name System (DNS) is a hierarchical, distributed database that maps
logical host names to IP addresses
What does a DNS server hold?
A DNS server holds a database of hostnames and their corresponding IP addresses.
Clients query the DNS server to get the IP address of a given host.
What was used before DNS?
a hosts file saved on each host computer

What makes up the DNS hierarchy?


The DNS hierarchy is made up of the following components:
- . (dot) domain (also called the root domain)
- Top Level Domains (TLDs) (.com, .edu, .gov)
- Second-level and additional domains
- Hosts

What is a FQDN?
Fully Qualified Domain Name - includes the host name and the name of all domains
back to root.

What makes DNS a distributed database?


DNS is a distributed database because no one server holds all of the DNS
information. Instead, multiple servers hold portions of the data.

What is a zone?
Zones typically contain one or more domains, although additional servers might hold
information for child domains.

What do DNS servers do?


DNS servers hold zone files and process name resolution requests from client
systems.

What is a DNS forward lookup?


A forward lookup uses the host name (or the FQDN) to find the IP address

What is a DNS reverse lookup?


A reverse lookup uses the IP address to find the host name (or FQDN).

What is an A record?
The A record maps a host name to an IP address and is used for forward lookups.

What is a PTR record?


The PTR record maps an IP address to a host name and is used for reverse lookups.

What is a CNAME record?


The CNAME record provides an alternate name (an alias) for a host.

What is a SRV record?


The SRV record identifies a service, such as an Active Directory domain controller.

How are DNS records created?


Manually, or dynamically using Dynamic DNS (DDNS). With DDNS, hosts
automatically register and update their corresponding records with the DNS server.

What is the process followed when a client computer needs to find an IP address?
- The client examines its HOSTS file for the IP address.
- If the IP address is not in the HOSTS file, it examines its local DNS cache for the IP address.
- If the IP address is not in the cache, the client sends the request to a DNS server.

What is the process when a DNS server receives a name resolution request?
1) The DNS server examines its local DNS cache for the IP address
2) If the IP address is not in the server cache, it checks its HOSTS file.
3) If the information is not in the HOSTS file, the server checks any zones for which it is authoritative.
4) Forwarding or Recursion
5) After the information is found or received from another server, the DNS server returns the result to
the client, and places the information in its server cache.

What is an authoritative DNS server?


a DNS server that has a full, complete copy of all the records for a particular zone.

What is DNS Forwarding?


Where the DNS server forwards the name resolution request to another DNS server,
then waits for a response from that server

What is DNS Recursion?


Where the DNS server queries root domain servers, top-level domain server and
other DNS servers in an iterative manner until it finds the one that hosts the target domain.

What is a caching-only DNS server?


A caching-only DNS server has no zone information; it is not authoritative for any
domains. It uses information in its server cache, or forwarding or recursion, to respond to client
queries.

Who can install DNS in Server 2008?


Members of the Domain Admins group

Which versions of server 2008 can have DNS installed on them?


You can install DNS on any version of Windows Server 2008 except for the Windows
Server 2008 Web Server edition.

What type of IP address must the DNS server have?


Static

How would you add the DNS role from a command prompt (or on a server core)?
start /w ocsetup DNS-Server-Core-Role

What command will give a list of installed services on a server?


Run the oclist command to get a list of services (including DNS) installed on a server.

What can be used to manage DNS on Server 2008?


Use the DNS snap-in or the dnscmd command to manage DNS.

What is a primary DNS zone?


the master copy of a zone database

What are the properties of a primary zone?


- The primary zone is the only writeable copy of the zone database.
- Changes to the zone can only be made to the primary zone.
- The server that holds the primary zone is called a primary server.
- Each zone can have only a single primary zone server.
- Zone data is stored in a text file.

What is a secondary DNS zone?


A secondary zone is a read-only copy of the zone database.

What are the properties of a secondary DNS zone?


- Changes cannot be made to the records in a secondary zone.
- A server that holds a secondary zone is called a secondary server.
- Secondary servers copy zone data from other servers through a process called zone transfer.
- Secondary servers can copy zone data from the primary server or other secondary servers.
- Zone data is stored in a text file.

What is an Active Directory-integrated DNS zone?


An Active Directory-integrated zone holds zone data in Active Directory instead of a
text file.

What are the properties of an Active Directory-integrated DNS zone?


- Active Directory-integrated zones are multi-master zones, meaning that changes to
the zone information can be made by multiple servers. Multiple servers hold read-write copies of the
zone data.
- Only DNS servers that are domain controllers can host Active Directory-integrated zones.
- Storing zone data in Active Directory provides automatic replication, fault tolerance, and distributed
administration of DNS data.
- Replication of zone data occurs during Active Directory replication and is secured by Kerberos.

What is a stub zone?


A stub zone is a zone with only a partial copy of the zone database.

What are the properties of a stub zone?


- The stub zone only contains information about the name servers that are
authoritative for the zone; it does not contain information for other hosts.
- A stub zone is not authoritative for the zone; its purpose is to identify the name servers that can be
contacted for full zone information.
- The stub zone is dynamic, meaning that it will keep the list of name servers for the zone updated
automatically.
- Use a stub zone to forward name requests based on zones while keeping name server lists updated
automatically.

What is the GlobalNames DNS zone?

The GlobalNames zone is a special zone in the DNS database that is used for single-label name resolution.

What is a GlobalNames DNS zone used for?


- Allow clients to use simple host names without domain information for name
resolution. For example, to contact a server named web1.corp.us.westsim.private, users could simply
enter the single-label name web1.
- Allow DNS clients to contact NetBIOS-only hosts without the need for a WINS server.
- Allow IPv6-only hosts to contact NetBIOS hosts (IPv6 does not support the use of WINS).

What are the features of a GlobalNames zone?


- When users enter a single-label name, the client computer first tries to resolve the
name using DNS and the search suffix configuration. If that process fails, the GlobalNames zone is
checked (if it exists).
- Using the GlobalNames zone does not require any changes to client machines.
- Dynamic updates are not supported on the GlobalNames zone. You must manually create each
record in the GlobalNames zone.
- Use the GlobalNames zone to replace WINS servers on your network only when you have a small
number of hosts that do not support DNS. For a large number of NetBIOS-only hosts, or to support
dynamic registration of single-label names, continue to use a WINS server.

What is a forward lookup DNS zone?


A forward lookup zone provides hostname-to-IP address resolution. Clients query the
DNS server with the hostname, and receive the IP address in return.

What is a reverse lookup DNS zone?


A reverse lookup zone provides IP address-to-hostname resolution. Clients query the
DNS server with the IP address, and receive the hostname in return.

How many servers can hold the primary zone file?


Only one server can hold the primary zone file. To place zone data on multiple
servers, configure secondary servers.

Where does Windows store standard zone data?


Windows stores standard zone data in the %windir%\System32\Dns directory. The file
is a text file with .dns added to the zone name.

Which types of zone support dynamic updates?


Primary and Active Directory-integrated zones support dynamic updates. Use an
Active Directory-integrated zone to use secure dynamic updates.

What types of record does a reverse lookup zone hold?


Reverse lookup zones hold PTR (pointer) records. The PTR record maps the IP
address to an A record.

What type of zones can a reverse lookup zone be?


A reverse lookup zone can be a primary zone, a secondary zone, or an Active
Directory integrated zone.

What is the SOA (Start of Authority) record?


The first record in any DNS database file is the SOA. It defines the general
parameters for the DNS zone, and it is assigned to the DNS server hosting the primary copy of a
zone. There is only one SOA record, and it is the first record in the zone database file. The SOA
record includes parameters such as the authoritative server and the zone file serial number.

What is an NS (Name Server) record?


The NS resource record identifies all name servers that can perform name resolution
for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone
(all authoritative DNS servers).

What is an A (Host Address) record?


The A record maps an IPv4 (32-bit) DNS host name to an IP address. This is the
most common resource record type.

What is an AAAA (Quad A) record?


The AAAA record maps an IPv6 (128-bit) DNS host name to an IP address.

What is an MX (Mail Exchanger) Record?


The MX record identifies servers that can be used to deliver e-mail.

What is a CNAME record?


The CNAME record provides alternate names (or aliases) to hosts that already have a
host record. Using a single A record with multiple CNAME records means that when the IP address
changes, only the one A record needs to be modified.

What is a DNAME record?


The DNAME record provides alternate names (or aliases) to domains that already
have a host record.

What is a SRV (Service Locator) record?


The SRV record is used by Windows Server 2008 to register network services. This
allows clients to find services (such as domain controllers) through DNS. Windows 2008 automatically
creates these records as needed and during domain controller installation.

What is a PTR (Pointer) record?


In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e.
"points" to an A record). Where IPv4 PTR records are created in the in-addr.arpa namespace, reverse
lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.

What are WINS and WINS-R records?


Add these records to a zone when you want to allow DNS to use WINS resolution.
The WINS resource record allows DNS queries that fail to resolve to be forwarded to the WINS
servers in the WINS resource record. The WINS-R resource record allows the resolution of a reverse
query that is not resolvable through DNS.

How can DNS records be automatically created on a DNS server?


By using Dynamic DNS. Dynamic DNS is required to support Active Directory.

When do dynamic updates occur?


- A network connection's IP address is added, deleted, or changed.
- The DHCP server changes or renews an IP address lease.
- The client's DNS information is manually changed using ipconfig /registerdns.
- The client boots.
- A server is promoted to a domain controller.

Which Windows clients support DDNS?


Windows clients (2000 and above) create their A records with the DNS server.
Windows 9x/Me/NT clients do not support dynamic DNS.

How does the DHCP server tie in with DDNS?


The DHCP server registers the PTR record with the DNS server for clients capable of
dynamic updates. The DHCP server updates both the A and PTR records for clients that do not
support dynamic updates.

Are dynamic updates enabled by default on a primary zone?


Dynamic updates are not enabled on primary zones. You can enable dynamic
updates when you create the zone or modify the zone properties later to enable this feature.

Are dynamic updates enabled by default on an Active Directory-integrated zone?


Dynamic updates are enabled on Active Directory-integrated zones. Note: When you
convert a primary zone to an Active Directory-integrated zone, the current dynamic update setting is
retained.

What are secure dynamic updates?


With secure dynamic updates, only domain members can create records, and only
the original client can modify or remove records.

What is used to keep track of changes to a DNS zone?


The zone serial number keeps track of changes to the zone. When you make
changes to the zone, the serial number is incremented.

What is a DNS master server?


A master server is the server from which the secondary copies the zone data. The
master server can be the primary server or another secondary server.

What are the two types of zone transfer?


Zone transfers can copy all records or only changed records:
- A full zone transfer (AXFR) copies all of the zone data with each zone transfer.
- A partial (or incremental) zone transfer (IXFR) copies only the changed records. This is the default
method on Windows Server 2008.

Are zone transfers enabled in Server 2008 by default?


By default, zone transfer in Windows Server 2008 is disabled for security reasons. To
use zone transfers, manually enable the feature in the DNS settings in Server Manager.

How can you restrict the servers to which zone transfers are allowed?
- Allow zone transfers only to servers that are listed as name servers.
- Allow zone transfers only to servers you specifically identify.

How does a secondary server initiate a zone transfer?


- The secondary server contacts the master server and compares the serial number
on the master with the serial number in its copy.
- If the serial number on the master is greater, the secondary initiates zone transfer.
- If the serial number is the same (or lower) on the master, no zone transfer takes place.

What is DNS notify?


Windows DNS servers support the use of DNS Notify. With DNS Notify, master
servers are configured with a list of slave DNS servers.

How does DNS notify work?


- When a change takes place, the master notifies the slave servers that the zone has
changed.
- The secondary server then initiates zone transfer, first checking the serial number, then requesting
changes.

What is a DNS caching server?


A caching only server runs DNS but has no zones configured. Use a caching only
server to improve performance while eliminating zone transfers.

How does an Active Directory-integrated zone store DNS information?


An Active Directory-integrated zone stores DNS information in Active Directory rather
than in a zone file. Zone information is copied automatically when Active Directory replicates.

How can you secure zone transfers to secondary servers?


Active Directory replication traffic is automatically secured. To secure zone transfers
to secondary servers, use IPsec between servers.

How can you force an update of DNS zone data?


You can force an update of zone data through the DNS console or by using the
Dnscmd command

How would you delegate control of an AD OU to a user?


- Right Click on OU
- Delegate Control
- Choose User
- Choose the appropriate option
- Finish

What is an OU?
An Organizational Unit (OU) is similar to a folder that subdivides and organizes
network resources within a domain.

What are the different types of OU?


Parent OUs are OUs that contain other OUs.
Child OUs are OUs within other OUs.

What organisational structures can you not apply GPOs to?


Generic Containers

What is group policy inheritance?


Through inheritance, settings applied to the domain or parent OUs apply to all child
OUs and objects within those OUs.

How can you prevent objects from accidental deletion in AD?


- On the Object tab, select the Protect object from accidental deletion check box.
(This option is only seen with Advanced Features selected from the View menu.)
- On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.

What setting should be set at creation to prevent an AD OU being accidentally deleted?

When you create an organizational unit, leave the Protect container from accidental
deletion check box selected. This is the default. Other types of objects do not have this default setting
and must be manually configured.

How would you delete an AD object that is protected from deletion?


To delete an object that is protected, first clear the Protect container from accidental
deletion setting, then delete the object.

What is delegation of authority?


Delegating authority is the assignment of administrative tasks, such as resetting
passwords or creating new users, to appropriate users and groups.

Describe some of the facts about delegating control:


- You can delegate control of any part of an OU or object at any level with the
Delegation of Control Wizard or through the Authorization Manager console.
- An object-based design allows you to delegate control based on the types of objects in each OU. For
example, you can delegate control over specific object types (such as user objects).
- A task-based design allows you to delegate control based on the types of administrative tasks that
need to be done

What is the Builtin Default Container?

The Builtin container holds default service administrator accounts and domain local
security groups. These groups are pre-assigned permissions needed to perform domain management
tasks.

What is the Computers default container?


The Computers container holds all computers joined to the domain without a
computer account. It is the default location for new computer accounts created in the domain.

What is the Domain Controllers default container?


The Domain Controllers OU is the default location for the computer accounts for
domain controllers.

What is the LostAndFound default container?


The LostAndFound container holds objects moved or created at the same time an
Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted
on one domain controller while administrators at other domain controllers can add or move objects to
the deleted OU before the change has been replicated. During replication, new objects are placed in
the LostAndFound container.

What is the NTDS Quotas default container?


The NTDS Quotas container holds objects that contain limits on the number of
objects users and groups can own.

What is the Program Data default container?


The Program Data container holds application-specific data created by other
programs. This container is empty until a program designed to store information in Active Directory
uses it.

What is the System default container?


The System container holds configuration information about the domain including
security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP
security policies.

What is the Users default container?


The Users container holds additional predefined user and group accounts (besides
those in the Builtin container). Users and groups are pre-assigned membership and permissions for
completing domain and forest management tasks.

What is special about AD containers?


They are automatically created and cannot be deleted

What is special about the Domain Controllers OU?


It is the only default OU, and it can have a GPO applied, whereas the other default
containers cannot have a GPO applied

How would you view hidden containers in AD Users and Computers?


Click Advanced Features from the View menu

Which containers are hidden by default in AD Users and Computers?


- LostAndFound
- NTDS Quotas
- Program Data
- System

What is special about AD containers and how do they differ from OUs?
They are automatically created and cannot have GPOs applied to them.

What is the SAM database?


A local database that allows users to access local resources on the machine

What are the two types of user account?


Local and Domain

What is a local user account?


A local user account is created and stored on a local system and is not distributed to
any other system.
- Local user accounts are created with the Computer Management console.
- The local Security Accounts Manager (SAM) manages the user account information.
- Only local resources are accessible with local user accounts.

What is a domain user account?


A domain user account is created and centrally managed through Active Directory,
and is replicated between domain controllers in the domain.

How can domain user accounts be created?


Domain user accounts are created with Active Directory Users and Computers,
command line tools, and PowerShell.

What is unique to each domain user account?


Each domain user account has a unique security identifier (SID) to identify the user. A
user can log on to the domain from any computer that is a member of the domain and can access
resources on that computer or on other computers for which the domain user account has
permissions.

How can external users with email accounts be represented in AD?


External users which need an e-mail account, can be represented through a contact
object

What is a contact object?


an account that does not have any security permissions. Users represented as
contact objects cannot log on to the domain. Use contacts to add information about individuals, such
as e-mail or phone number, to Active Directory. Applications, such as Exchange, can search for
attributes of contact objects.

What is the user or logon name?


The user or logon name is the name of the user account

What is the user principal name (UPN)?


The User Principal Name (UPN) combines the user account name with the DNS
domain name.
- The UPN format is also known as the SMTP address format.
- The DNS domain name in the UPN is known as the UPN suffix.
- By default, the domain that holds the user account is selected for the UPN suffix. However, you can
configure different UPN suffixes to use instead of the domain name.

What is the LDAP Distinguished Name (DN)?


The LDAP Distinguished Name (DN) references the domain and related container(s)
where the object resides. It has three basic attributes:
Domain Component (DC)
Organizational Unit (OU)
Common Name (CN)

What is the Relative Distinguished Name (RDN)?


The Relative Distinguished Name (RDN) is used to identify the object within its
container. The RDN needs to be unique only within the objects container.

When would you use the "User cannot change password" option?


when you want to maintain control over a Guest, service, or temporary account. For
example, many applications use service accounts for performing system tasks. The application must
be configured with the user account name and password. If you allow changing the user account
password for the service account, you would also need to change the password within every
application that uses that account.

How would you unlock an account?


To unlock an account, go to the Account tab in the account object's Properties dialog
box, and select the Unlock Account box. Resetting the password on the account also unlocks a user
account.

What should you do if a user account is accidentally deleted?


Restore it from backup rather than creating a new one with the same name. Creating
a new account with the same name results in a user account with a different SID and will not
automatically assume the permissions and memberships of the previously deleted account.

How would you add a User Principal Name (UPN) suffix to a forest?
1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.

What is a computer account?


A computer account is an Active Directory object that identifies a network computer.
The account in Active Directory is associated with a specific hardware device

How would you prestage a computer account?


From Active Directory Users and Computers, create a computer account. This
process is called prestaging computer accounts. From the workstation, join the domain. The
workstation will be associated with the computer account you created previously.

Where is the computer account created when you join a workstation to the domain?
In the Computers built-in container

How would you control where computer accounts are placed when a computer joins
the domain?

Create computer account ahead of time (pre-stage them)

Which groups have permissions to create a computer account?


- Account Operators
- Domain Admins
- Enterprise Admins

How many computers are the Authenticated Users group members allowed to join to
the domain (from a workstation)?
10 - this will also create the computer account automatically if it doesn't already exist.
This ability comes from the Add workstations to a domain user right.

How would you allow a specific user to join a specific computer to the domain?
You can also allow specific users to join specific computers to a domain by selecting
The following user or group can join this computer to a domain when creating the computer account.

How would you give other users permissions to create computer accounts in AD?
By giving them the Create Computer Objects right over the Active Directory OU. This
permission does not have a limit on the number of accounts that can be created. Note: You must grant
this right to the domain or specific OUs.

Will a computer receive group policy settings once the computer account is created?
No, the computer must be joined to the domain before it receives any GPO settings or
AD receives any workstation-specific information

What commands can be used to create computer accounts from a command prompt
or script?

dsadd or netdom. (Use netdom join to join a computer to the domain.)

What establishes a secure channel between a computer and the domain controller?
The computer password (automatically generated when the computer joins the
domain).

Where is the computer account password saved?


On the local computer and in AD. By default, it is changed every 30 days.

What might cause a computer to fail to authenticate to the domain?


If the two computer passwords (on the local machine and in AD) become
unsynchronised.

This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with
another one using the same computer account name.

How would you reset the computer account after a logon failure?
- Run the netdom reset command followed by the computer account name and the
domain.
- In Active Directory Users and Computers, right-click the computer account and select Reset
Account.
- Create a script in Visual Basic.
After resetting the computer account, you must rejoin the computer to the domain.

What is a local group?


Local groups exist only on the local computer, and control access to local resources.

What is a domain group?


Domain groups exist in Active Directory, and can be used to control access to domain
and local resources. In an Enterprise environment, you will work mainly with domain groups.

What is group scope?


Active Directory groups have a group scope. The scope defines the potential group
membership and the resource access that can be controlled through the group. The following table
lists the different security group scopes and their membership and use.

What membership can a global group have?


Global groups can contain members within the same domain. These include:
- Global groups in the same domain (in native mode only).
- Users and computers within the same domain.

What should a global group be used for?


Use global groups to group users and computers within the domain who have similar
access needs.

What membership can a domain local group have?


Domain local groups can contain members from any domain in the forest. These
include:
- Domain local groups in the same domain (in native mode only).
- Global groups within the forest.
- Universal groups within the forest (in native mode only).
- Users and computers within the forest.

What membership can a universal group have?


Universal groups can contain members from any domain in the forest. These include:
- Universal groups within the forest.
- Global groups within the forest.
- Users and computers within the forest.

What resources can global groups permission?


Global groups can be assigned permissions to resources anywhere in the forest.

What resources can domain local groups permission?


Domain local groups can be assigned permissions within a domain.

What resources can universal groups permission?


Universal groups can be assigned permissions to resources anywhere in the forest.

What should global groups be used for?


Create global groups to organize users (e.g., Sales or Development).

What should domain local groups be used for?


Create domain local groups representative of the domain controller resources to
which you want to control access, and then assign permissions on the resource to the group.

What should universal groups be used for?


Universal group membership should be relatively stable. For this reason, you should
only add global or universal groups to universal groups. Avoid adding user accounts directly to
universal groups.

What is a security group?


A security group is one that can be used to manage rights and permissions.
- Group members get the permissions that are granted to the group.
- A security group represents an object with a security identifier (SID), which through the member
attribute, collects other objects, such as users, computers, contacts, and other groups.

Which type of AD group should be used for assigning permissions?

Security

What is a distribution group?


A distribution group is used to maintain a list of users and is typically used for sending
e-mails to all group members. Distribution groups cannot be used for assigning permissions.

What happens if you convert a security group to a distribution group?


This would remove the permissions assigned to the group.
This could prevent or allow unwanted access.

How would you convert a global group to a domain local group?


First convert to a universal group, then to a domain local.

Can you convert a global group nested in another global group into a universal
group?

No - a universal group cannot be a member of a global group

Can you make a universal group a member of a global group?


No

What happens when a group is deleted?


All information about the group, including its membership and its SID, is deleted. Permissions
assigned to the group remain in ACLs only as orphaned SIDs that no longer match any principal.

How can you recover a deleted group?


- Re-create the group, add all the original group members, and reassign any
permissions granted to the group (the new group gets a new SID, so the old ACEs do not apply to it).
- Restore the group from a recent backup (an authoritative restore keeps the original SID, so the
existing permissions work again).

What directory format does Active Directory use?


X.500 (accessed through LDAP)

What do AD tree structures share?


The same contiguous name space

What is an RODC?
A Read Only Domain Controller: it holds a read-only copy of the AD database and, by default, does not
store account passwords (its Password Replication Policy controls which credentials it may cache),
so a compromised branch-office RODC exposes far less than a writable domain controller.


Do different forests share the same name space?


No

What is NTDS.dit?
The AD database file (by default in %SystemRoot%\NTDS on each domain controller)

What is a domain?
A domain is an administratively-defined collection of network resources that share a
common directory database and security policies

What is an AD object attribute?


Information about the object (such as a user's name, phone number, and e-mail
address) which is used for locating and securing resources.

What does an object schema identify?


The schema identifies the object classes (the type of objects) that exist in the tree and
the attributes (properties) of the object.

What does AD use DNS for?


Active Directory uses DNS for naming domains and for locating domain controllers and the services
they offer: clients look up SRV records such as _ldap._tcp.<domain> and _kerberos._tcp.<domain>.

Describe the OU structure


First-level OUs can be called parents.
Second-level OUs can be called children.
OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).


What is an AD tree?
A tree is a group of related domains that share the same contiguous DNS name
space.


What is an AD forest?
A forest is a collection of related domain trees. The forest establishes the relationship
between trees that have different DNS name spaces.

What is the forest root domain?


The forest root domain is the top-level domain in the top tree. It is the first domain
created in the Active Directory forest.


What is the tree root domain?


The tree root domain is the highest level domain in a tree.

What is a child domain?


Each domain in the tree that is connected to the tree root domain is called a child
domain.


What is a domain tree?


A domain tree is a group of domains based on the same name space. Domains in a
tree:
- Are connected with a two-way transitive trust.
- Share a common schema.
- Have common global catalogs.

What is a domain controller?


A domain controller is a server that holds a writable copy of the Active Directory database for its
domain (every writable DC accepts changes; an RODC holds a read-only copy).


What is replication?
Replication is the process of copying changes to Active Directory between the domain
controllers.


What two objects does AD use to represent the physical structure of the network?
- A subnet represents a physical network segment. Each subnet possesses its own
unique network address space.
- A site represents a group of well-connected networks (networks that are connected with high-speed
links).

What manages AD replication between locations?


Sites and subnets are used to manage Active Directory replication between locations.

How does an AD site differ from a domain?


A site differs from a domain in that it represents the physical structure of your network,
while a domain represents the logical structure of your organization.

How are clients assigned to AD sites?


Clients are assigned to sites dynamically according to their Internet Protocol (IP)
address and subnet mask.


How are domain controllers assigned to AD sites?


Domain controllers are assigned to sites according to the location of their associated
server object in Active Directory.
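Client-to-site assignment is a longest-prefix match of the client's IP address against the subnet objects defined in AD. The following added example (not from the original notes) reproduces that match in plain PowerShell 2.0 so it can run offline against a constructed subnet table; the site and subnet names are invented, and the commented lines at the end show the equivalent lookup against a live forest.

```powershell
# Added example, not part of the original notes. Plain PowerShell 2.0, no module
# needed; the subnet-to-site table is a constructed sample so the script runs offline.
function ConvertTo-IpNumber([string] $Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInSubnet([string] $Ip, [string] $Cidr) {
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    # 2^32 - 2^(32-bits) builds the mask without shift operators (PowerShell 2.0 has none)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    ((ConvertTo-IpNumber $Ip) -band $mask) -eq ((ConvertTo-IpNumber $net) -band $mask)
}

function Find-AdSite {
    param([string] $ClientIp, [object[]] $SubnetTable)
    # AD picks the most specific (longest-prefix) subnet that contains the client address
    $best = $null
    foreach ($row in $SubnetTable) {
        if (Test-IpInSubnet $ClientIp $row.Subnet) {
            $prefix = [int]($row.Subnet -split '/')[1]
            if ($best -eq $null -or $prefix -gt $best.Prefix) {
                $best = New-Object PSObject -Property @{ Site=$row.Site; Subnet=$row.Subnet; Prefix=$prefix }
            }
        }
    }
    if ($best -eq $null) {
        # Unmapped clients still authenticate, but against whichever DC answers, and the
        # DC records them as NO_CLIENT_SITE in netlogon.log (NETLOGON event 5807).
        return New-Object PSObject -Property @{ Site='(no matching subnet)'; Subnet=$null; Prefix=-1 }
    }
    $best
}

# Constructed sample: the overlapping /8 and /16 show longest-prefix matching
$sample = @(
    New-Object PSObject -Property @{ Subnet='10.0.0.0/8';     Site='HQ' }
    New-Object PSObject -Property @{ Subnet='10.20.0.0/16';   Site='Branch-Paris' }
    New-Object PSObject -Property @{ Subnet='192.168.5.0/24'; Site='Lab' }
)
foreach ($ip in '10.20.3.7', '10.9.1.1', '192.168.5.77', '172.16.1.1') {
    Find-AdSite -ClientIp $ip -SubnetTable $sample | Select-Object @{n='Client';e={$ip}}, Site, Subnet
}

# Live equivalent on a domain-joined host:
# $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# $table  = foreach ($s in $forest.Sites) { foreach ($n in $s.Subnets) {
#               New-Object PSObject -Property @{ Subnet=$n.Name; Site=$s.Name } } }
# [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name   # same as: nltest /dsgetsite
```

The 172.16.1.1 case is the one to watch for in a real forest: a subnet nobody defined means clients from that network may authenticate across a WAN link to a DC in the wrong site.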

What is the structure of the NTDS.dit file?


- The data table contains all the information in the Active Directory data store: users,
groups, application-specific data, and any other data that is stored in Active Directory after its
installation.
- The link table contains data that represents linked attributes, which contain values that refer to other
objects in Active Directory.
- The security descriptor (SD) table contains data that represents inherited security descriptors for
each object.


What does the Global Catalog server do?


Responsible for replicating a subset of attributes throughout Active Directory

What are FSMO roles/What do they do?


Flexible Single-Master Operation roles are specialized domain controller tasks
assigned to a domain controller in the domain or forest. Operations master roles are useful because
certain domain and enterprise-wide operations are not well suited for the multi-master replication
performed by Active Directory to replicate objects and attributes

What are the FSMO roles?


- Schema Master
- Domain Naming Master
- RID Master (Relative Identifier)
- PDC Emulator
- Infrastructure Master

What does the schema master do?


Maintains the schema (the mapping of all the different object types)

What does the RID master do?


The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that
are used by the domain controllers when creating new security principals (such as user, group, or
computer accounts). Each principal's SID is the domain SID plus a RID, so a domain controller that
exhausts its pool and cannot reach the RID master can no longer create accounts.


What does the PDC Emulator do?


The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) for down-level
clients and BDCs and performs other tasks normally associated with NT domain controllers: it is
the authoritative time source for the domain, receives urgent replication of password changes and
account lockouts, and is the DC on which Group Policy edits are made by default.

What does the Infrastructure Master do?


Keeps cross-domain object references up to date. When an object from another domain (for
example a user who is a member of a local group) is renamed or moved, the infrastructure master
compares its copy against a global catalog and replicates the corrected reference to the other domain
controllers in its domain.

Which level do the Schema and Domain Naming Master roles operate at?
The Forest Level

What level do the RID, PDC and Infrastructure Master roles operate at?
The domain level

What is the Global Catalog?


The Global Catalog (GC) is a database that contains a partial replica of every object
from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog
server. The Global Catalog facilitates faster searches because different domain controllers do not
have to be referenced.

What is an Operations Master?


A domain controller that performs an operations master role is known as an
operations master or operations master role owner.


What does the Domain Naming Master do?


The domain naming master adds new domains to and removes existing domains from
the forest.


What is a functional level?


A functional level is a set of operation constraints that determine the functions that
can be performed by an Active Directory domain or forest

What does a functional level define?


- Which Active Directory Domain Services (AD DS) features are available to the
domain or forest.
- Which Windows Server operating systems can be run on domain controllers in the domain or forest.
Functional levels do not affect which operating systems you can run on workstations and servers that
are joined to the domain or forest.


Which domain functional levels does Server 2008 support?


Windows 2000 Native
Windows Server 2003
Windows Server 2008

Which forest functional levels does Server 2008 support?


Windows 2000
Windows Server 2003
Windows Server 2008
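The FSMO role holders and functional levels described in the cards above are the first things to verify in an unfamiliar forest. The report below is an added example, not part of the original notes: it needs the ActiveDirectory module from Windows Server 2008 R2 or RSAT and runs against the forest and domain of the current user. Besides listing the holders it applies the placement caveat from the notes (the infrastructure master compares itself against a global catalog) and pings each holder, since an unreachable role owner silently blocks schema changes, RID pool hand-outs and password-change replication.

```powershell
# Added example, not part of the original notes. Requires the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT) and runs against the forest and domain
# the current user belongs to.
Import-Module ActiveDirectory

function Get-AdMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)

    # Forest-wide roles exist once per forest; domain-wide roles once per domain
    $roles = @(
        New-Object PSObject -Property @{ Role='Schema Master';         Level='Forest'; Holder=$forest.SchemaMaster }
        New-Object PSObject -Property @{ Role='Domain Naming Master';  Level='Forest'; Holder=$forest.DomainNamingMaster }
        New-Object PSObject -Property @{ Role='RID Master';            Level='Domain'; Holder=$domain.RIDMaster }
        New-Object PSObject -Property @{ Role='PDC Emulator';          Level='Domain'; Holder=$domain.PDCEmulator }
        New-Object PSObject -Property @{ Role='Infrastructure Master'; Level='Domain'; Holder=$domain.InfrastructureMaster }
    )

    $warnings = @()
    foreach ($r in $roles) {
        # A role holder that is offline blocks schema changes, RID pool hand-outs,
        # password-change replication, and so on, until the role is seized.
        if (-not (Test-Connection -ComputerName $r.Holder -Count 1 -Quiet)) {
            $warnings += "$($r.Role) holder $($r.Holder) did not answer ping"
        }
    }
    # Caveat from the notes: the infrastructure master compares its data with a GC.
    # If it *is* a GC it never sees stale cross-domain references, so in a multi-domain
    # forest it must not be on a GC unless every DC in the domain is one.
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($im -and $im.IsGlobalCatalog -and -not $allGc -and @($forest.Domains).Count -gt 1) {
        $warnings += "Infrastructure Master $($domain.InfrastructureMaster) is a global catalog but other DCs are not"
    }

    New-Object PSObject -Property @{
        ForestMode = $forest.ForestMode   # functional levels limit DC operating systems and AD DS features
        DomainMode = $domain.DomainMode
        Roles      = $roles
        Warnings   = $warnings
    }
}

$report = Get-AdMasterReport
$report.Roles | Format-Table Role, Level, Holder -AutoSize
$report | Format-List ForestMode, DomainMode, Warnings
# Without the module, the same holders are listed by: netdom query fsmo
```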

What is a group policy?


A policy is a set of configuration settings that must be applied to users or computers.
Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of
files that includes registry settings, scripts, templates, and software-specific configuration values.

What are the Active Directory server roles in Server 2008?


- AD Domain Services
- AD Lightweight Directory Services
- AD Certificate Services
- AD Federation Services
- AD Rights Management Services

What is a server role?
A role is a set of software features that provides a specific server function. Examples
of roles include DNS server, DHCP server, File Server, and Print Server.

What is a role service?


Role services are specific programs that provide the functions of a role. Some roles,
like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as
the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs,
with each role service being a sub-component of the role.

What is a feature?
A feature is a software program not directly related to a server role but which adds
functionality to the entire server. Features include management tools, communication protocols or
clients, and clustering support.

What is Active Directory Domain Services (AD DS)


AD DS is a distributed database that stores and manages information about network
resources, such as users, computers, and printers. The AD DS role:
- Helps administrators securely manage information.
- Facilitates resource sharing and collaboration between users.
- Is required to be installed on the network to install directory-enabled applications such as Microsoft
Exchange Server and for applying other Windows Server technologies, such as Group Policy.

What is Active Directory Lightweight Directory Service (AD LDS)


Active Directory Lightweight Directory Services (AD LDS), formerly known as Active
Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a
directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active
Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS
database.

What is Active Directory Federation Services (AD FS)


AD FS is a feature which enables secure access to web applications outside of a
user's home domain or forest. The AD FS role:
- Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web
applications using a single user account.
- Securely federates (shares) user identities and access rights in the form of digital claims between
partner organizations.


What is Active Directory Rights Management Service (AD RMS)


AD RMS is a feature which safeguards digital information from unauthorized use. The
AD RMS role:
- Can define exactly how a recipient can use information, specifying who can open, modify, print,
forward, and/or take other actions.
- Allows organizations to create custom usage rights templates (such as "Confidential - Read Only")
that can be applied directly to information such as product specifications, financial reports, e-mail
messages, and customer data.


What is Active Directory Certificate Services (AD CS)


AD CS is an identity and access control feature that creates and manages public key
certificates used in software security systems. The AD CS role:
- Provides customizable services for creating and managing public key certificates.
- Enhances security by binding the identity of a person, device, or service to a corresponding private
key.
- Includes features that allow you to manage certificate enrollment and revocation in a variety of
scalable environments


o
o

o
o
o

o
o

o
o

o
o

o
o
o

Name some things that AD Certificate Services supports


Digital signatures
Encrypting File System (EFS)
Internet Protocol security (IPsec)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Socket Layer/Transport Layer Security (SSL/TLS)
Secure wireless networks
Smart card logon
Virtual Private Networks (VPN)

What AD roles are not supported on Server 2008 Standard?


AD FS: it requires the Enterprise or Datacenter edition.

Which server roles can Server 2008 Core run?


Active Directory Domain Services (including RODC)
Active Directory Lightweight Directory Services (AD LDS)
Dynamic Host Configuration Protocol (DHCP) Server
DNS Server
File Server
Print Server
Streaming Media Services
Web Server (IIS)

What are the limitations of Server 2008 Core?


There is no Windows Shell (no Explorer, no Start menu).
There is no managed code support (no .NET Framework), and therefore no PowerShell: all code has to
be native Windows API code. (Server 2008 R2 Core adds a subset of .NET and optional PowerShell.)
Only MSI-based, unattended-mode installs are supported.

What methods can you use to manage a Server 2008 Core system?
Log on and use the command prompt.
Log on using Remote Desktop to gain access to the command prompt.
Use Windows Remote Shell (enable WinRM with winrm quickconfig on the core system, then run
winrs -r:<server> <command> from another computer).
Run Server Manager, an MMC snap-in or another tool on another computer and connect to the server
core system. This method allows you to use a GUI for managing the server core system.

How would you add server roles to a Server 2008 core system?
Run start /w ocsetup to add server roles to the server core system. Switches for the
role or service must be typed exactly as they are listed, and role names are case-sensitive.


How would you see a list of roles, role services and features that can be installed on
Server 2008 core?
run the oclist command
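The remote-management and ocsetup steps above, as one worked sequence. This is an added example, not from the original notes: CORE01 is an assumed host name, and because Server 2008 Core has no PowerShell, the two preparation commands run in the core box's own cmd.exe console while the rest runs in PowerShell on an administrator's workstation and reaches the core box through winrs.

```powershell
# Added example, not part of the original notes. CORE01 is an assumed Server Core
# host. The two preparation lines run once in CORE01's own cmd.exe console;
# everything below them runs on an admin workstation and is pushed to the core
# box through Windows Remote Shell (winrs).
#
# --- once, on CORE01's console ---
#   winrm quickconfig -q
#   netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

$core = 'CORE01'
winrm identify "-r:$core"                          # is the WinRM listener reachable?
winrs "-r:$core" oclist                            # every role/feature with Installed / Not Installed state

# Role names are case-sensitive and must match the oclist output exactly
$role = 'DNS-Server-Core-Role'
winrs "-r:$core" cmd /c start /w ocsetup $role     # start /w waits for ocsetup to finish
if ($LASTEXITCODE -ne 0) { throw "ocsetup on $core returned $LASTEXITCODE" }

# Verify: the role now shows as Installed (not "Not Installed") and its service exists
winrs "-r:$core" oclist | Select-String -Pattern "Installed:$role" | Where-Object { $_.Line -notmatch 'Not Installed' }
winrs "-r:$core" sc query DNS
```

Keep the WinRM listener restricted to the management network; once it is enabled, anyone who can authenticate as a local administrator gets an interactive shell on the core box.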

What are the building blocks of active directory


Domains, trees, forest, organizational units
How is the physical location of objects in AD represented?


By sites and subnets

What is a domain?


A logical grouping of computers that share a common directory database and security policies

What is a tree in AD?


A parent domain with child domains whose names extend the name of the parent domain
(a contiguous DNS namespace)

How are domains in a tree linked?


By two-way transitive trust relationships, so each domain can authenticate principals from the
others (the trust alone grants no access; permissions must still be assigned)

What is a forest in AD?


A group of one or more domain trees that do not share a contiguous name space but share a
common schema, configuration and global catalog

What is the forest root domain?


The first domain created when you create the AD structure

What is an OU (organizational unit)?


A logical subgroup within a domain, used to hold the objects of a single workgroup, section, or
department so that permissions and Group Policy can be delegated to it

What is a site in AD?


Sites group resources in a forest according to the location of their subnets (one or more
well-connected IP subnets)

Why does AD use sites?


To control replication of data in the AD database, to apply policies to users and domains (GPOs can
be linked to a site) and to delegate administrative control over objects in a single physical location

What are some of the other things that site enable


Enable users to be authenticated by domain
controller in same physical location.
Term

Definition

What is a domain controller?


Domain controllers authenticate users logging onto their domain and serve as the centers from
which AD is administered in Windows Server 2008

What does a domain controller store?


A complete copy of all objects within its domain, plus the schema and configuration information
relevant to the forest where the domain is located. (AD is multi-master: every writable domain
controller holds a writable copy of the database, and changes replicate between them.)

What is the global catalog?


A partial replica of every object in the forest that lets a domain controller answer searches for
objects in any domain of that forest without referring the client elsewhere

What does the global catalog provide?


Universal group membership for logons in any domain in the forest, and the ability to log onto a
domain other than the user's own domain using the UPN

What is the UPN?


The UPN (User Principal Name) is a user name in the format of an e-mail address (user@domain)

What is FSMO?


Flexible Single-Master Operations: tasks that are not safe under multi-master replication and are
therefore performed by exactly one domain controller at a time (the role holder)

What are the FSMO roles?


1. Schema master
2. Domain naming master
3. PDC emulator (Primary Domain Controller)
4. Infrastructure master
5. RID master (Relative Identifier)

How is a SID different from a RID?


A security identifier (SID) uniquely identifies a security principal. In a domain it is made of the
domain SID, which is common to every object in that domain, followed by a relative identifier (RID)
that is unique within the domain. The RID master hands out RID pools so that no two objects in the
domain ever receive the same RID.
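The domain SID / RID split above is easy to see by taking a SID apart. The script below is an added example, not part of the original notes: it needs only PowerShell 2.0, and the three SIDs it uses are constructed sample values (every domain SID has the same S-1-5-21-<three sub-authorities> shape). It also shows the practical consequence for defenders: well-known RIDs are fixed, so the built-in Administrator is RID 500 whatever it has been renamed to, and two principals in different domains can legitimately share a RID.

```powershell
# Added example, not part of the original notes. Runs on any host with PowerShell
# 2.0; the SIDs below are constructed sample values, not taken from a real domain.
function Split-Sid {
    param([Parameter(Mandatory=$true)] [string] $SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $domainSid = $null
    if ($sid.IsAccountSid()) { $domainSid = $sid.AccountDomainSid.Value }   # everything except the RID
    $rid = [int]($sid.Value -split '-')[-1]

    # Well-known RIDs are fixed by Windows; renaming the account does not change them,
    # so RID 500 is still the built-in Administrator no matter what it is called.
    $wellKnown = @{ 500='Administrator'; 501='Guest'; 502='krbtgt'; 512='Domain Admins';
                    513='Domain Users'; 516='Domain Controllers'; 518='Schema Admins';
                    519='Enterprise Admins' }
    New-Object PSObject -Property @{
        Sid       = $sid.Value
        DomainSid = $domainSid
        Rid       = $rid
        WellKnown = $wellKnown[$rid]
    }
}

function Test-SameDomain {
    param([string] $SidA, [string] $SidB)
    # Two principals share a domain exactly when their domain SIDs match;
    # RIDs can repeat across domains, so comparing RIDs alone proves nothing.
    (Split-Sid $SidA).DomainSid -eq (Split-Sid $SidB).DomainSid
}

# Constructed sample SIDs: two from the same domain, one from a different domain
$admin = 'S-1-5-21-1004336348-1177238915-682003330-500'
$user  = 'S-1-5-21-1004336348-1177238915-682003330-1105'
$other = 'S-1-5-21-3623811015-3361044348-30300820-1105'   # same RID as $user, other domain

Split-Sid $admin | Format-List Sid, DomainSid, Rid, WellKnown
Test-SameDomain $admin $user
Test-SameDomain $user  $other

# On a domain-joined host, map a SID to its current name (needs connectivity):
# (New-Object System.Security.Principal.SecurityIdentifier $admin).Translate([System.Security.Principal.NTAccount])
```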

What is a server role?


A specific function that a server performs on the network

What is a feature?


An optional component that adds a certain capability to the server, e.g. .NET Framework 3.0 or
BitLocker Drive Encryption

How do you add roles and features?


1. Initial Configuration Tasks
2. Server Manager
3. Command line (ServerManagerCmd.exe)

What is an RODC and how does it function?


1. Read-only domain controller
2. Has a read-only copy of the AD database; changes are made on a writable DC and replicated in
3. Very useful for branch-office deployment and for locations with weaker physical security

What is Server Core and what is its function?


A stripped-down installation of Server 2008 without a GUI, taskbar, or Start menu, managed from
the command line or remotely

Why use Server Core?


1. Needs less hardware and memory
2. More secure, because fewer installed components mean a smaller attack surface and fewer patches

What is AD CS?


1. Active Directory Certificate Services
2. Customizable services for creating and managing the public key certificates used in software
security systems that employ public key technologies

What does the Server Manager MMC (Microsoft Management Console) do?


1. Adds roles, role services and features
2. Views, manages and modifies the configuration of installed roles and features
3. Can be opened from Run with ServerManager.msc (compmgmt.msc opens Computer Management,
a different console)

What is the GUI?


1. Graphical User Interface
2. A GUI lets you interact with your computer using pictures and symbols

How do you get to the Server Manager command line?


Start > Run > cmd, then run ServerManagerCmd.exe (for example ServerManagerCmd.exe -query to
list which roles and features are installed)

Schema


The schema is the Active Directory component that defines all the object classes and attributes
that the directory service uses to store data, and it includes the list of properties that can be used to
describe each object. You can think of it as a set of blueprints for each of the objects: the schema
definition for a user object is used to create a user object.

Objects


Objects are real-world items in Active Directory such as computers, users, printers and groups.
These objects can be managed with AD DS (Active Directory Domain Services). All objects have
properties (attributes) that can be configured.

Global Catalog


The global catalog is a listing of all objects in the entire forest. It is searchable and used by
different applications to search AD Domain Services for specific objects. It is hosted on the domain
controllers that are designated as global catalog servers; there is one global catalog per forest, but
it can be hosted on as many domain controllers as you designate.
Note: to prevent it from becoming too large, the properties stored for each object are limited to a
subset (the partial attribute set). Example: a user may have 100 properties but only 10 are included.

LDAP (Lightweight Directory Access Protocol)


Active Directory uses LDAP distinguished names (DNs) to uniquely identify each object within the
directory, e.g. CN=Jane Doe,OU=Sales,DC=corp,DC=example.
Note: CN is the common name, OU an organizational unit and DC a domain component of the name.

Operations master roles


The five operations master roles are assigned automatically when the first domain controller in
a given domain is created. Forest-wide operations master roles must appear only once in every
forest. Domain-wide operations master roles must appear once in every domain in the forest.
Every forest must have the following roles:
Schema master
Domain naming master
Every domain in the forest must have the following roles:
Relative ID (RID) master
Primary domain controller (PDC) emulator master
Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can have
only one RID master, PDC emulator master, and infrastructure master.

Schema master


One of the two forest-wide operations master roles.
The schema master domain controller controls all updates and modifications to the schema. To
update the schema of a forest, you must have access to the schema master. There can be only one
in the entire forest.

Domain naming master


One of the two forest-wide operations master roles.
The domain controller holding the domain naming master role controls the addition or removal of
domains in the forest. There can be only one in the entire forest.

RID master - Relative ID (RID) master


One of the three domain-wide operations master roles.
The RID master allocates sequences of relative IDs to each of the various domain controllers in
its domain. At any time, there can be only one domain controller acting as the RID master in each
domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a
unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created
in the domain, and a RID, which is unique for each SID created in the domain.
To move an object between domains (using Movetree.exe), you must initiate the move on the
domain controller acting as the RID master of the domain that currently contains the object.

PDC emulator operations master


One of the three domain-wide operations master roles.
The PDC emulator master processes password changes from client computers and replicates these
updates to all domain controllers throughout the domain. At any time, there can be only one domain
controller acting as the PDC emulator master in each domain in the forest.
The domain controller configured with the PDC emulator master role supports two authentication
protocols:
The Kerberos V5 protocol
The NTLM protocol
Note: PDC = Primary Domain Controller

Infrastructure master


One of the three domain-wide operations master roles.
At any time, there can be only one domain controller acting as the infrastructure master in each
domain. The infrastructure master is responsible for updating references from objects in its domain
to objects in other domains. The infrastructure master compares its data with that of a global
catalog. Global catalogs receive regular updates for objects in all domains through replication, so
the global catalog data will always be up to date. If the infrastructure master finds data that is out
of date, it requests the updated data from a global catalog. The infrastructure master then replicates
that updated data to the other domain controllers in the domain.
The infrastructure master is also responsible for updating the group-to-user references whenever
the members of groups are renamed or changed.

OU (Organizational unit)


Organizational units are used to organize objects within Active Directory. You can think of an OU
simply as a container for the objects within AD. You can delegate permissions on an OU (for
example, let a help-desk group reset passwords for the users it contains) and you can link Group
Policy to an OU.
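Delegation on an OU is an ACL on the OU object, so it can be both granted and audited from PowerShell. The following added example (not from the original notes) uses the ActiveDirectory module of Windows Server 2008 R2 / RSAT, which exposes the directory as the AD: drive. The OU and group names are assumed placeholders; the two GUIDs are the fixed schema identifiers of the user object class and of the Reset Password extended right. It grants the narrowest useful help-desk right and then lists every non-inherited ACE on the OU that was not placed there by default, which is what you want to review on any OU you did not build yourself.

```powershell
# Added example, not part of the original notes. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT), which exposes the directory as the AD: drive.
# The OU and group names are assumed placeholders; the GUIDs are the fixed schema
# identifiers of the user class and the "Reset Password" extended right.
Import-Module ActiveDirectory

$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-OuDelegation {
    param([Parameter(Mandatory=$true)] [string] $OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Principals that hold rights on every OU out of the box; anything else set
    # directly on this OU is a delegation somebody added and should be reviewed.
    $default = '^(NT AUTHORITY\\|BUILTIN\\|Everyone$|.*\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Domain Controllers|Pre-Windows 2000 Compatible Access|Cert Publishers)$)'
    $acl.Access |
        Where-Object { -not $_.IsInherited -and ($_.IdentityReference.Value -notmatch $default) } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            @{n='Right';     e={ if ($_.ObjectType -eq $resetPasswordRight) { 'Reset Password' } else { $_.ObjectType } }},
            @{n='AppliesTo'; e={ if ($_.InheritedObjectType -eq $userClass) { 'user objects' } else { $_.InheritedObjectType } }}
}

function Grant-ResetPasswordOnOu {
    param([Parameter(Mandatory=$true)] [string] $OuDn, [Parameter(Mandatory=$true)] [string] $GroupName)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $sid = (Get-ADGroup -Identity $GroupName).SID
    # Allow only the "Reset Password" extended right, only on user objects below the OU.
    # No GenericAll: the help desk cannot change group membership or other attributes.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$ou = 'OU=Sales,DC=corp,DC=example'            # assumed placeholder OU
Grant-ResetPasswordOnOu -OuDn $ou -GroupName 'HelpDesk'
Get-OuDelegation -OuDn $ou | Format-Table -AutoSize
```

Any row in the audit output whose right is GenericAll, WriteDacl or WriteOwner deserves a closer look: those let the holder grant themselves anything else on the objects below.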

Distribution group and Security group


Active Directory has two basic group types. They are:
Distribution group and
Security group

Distribution group


One of two AD basic group types:
A distribution group is used to group a number of objects together that will be addressed
collectively. A mail server can present the distribution group to users as an e-mail destination.

Security group


One of two AD basic group types:
A security group is used to assign permissions or rights to an object or a set of objects. This allows
AD to become not only your single authentication mechanism for your network but also your
authorization mechanism.

Domain local group


One of three AD basic group scopes:
A domain local group is intended to be used only within the domain that it was created in. It can
contain user/computer accounts, global groups and universal groups from any domain in the forest
and domain local groups from the same domain.

Global group


One of three AD basic group scopes:
This is the default scope when you create a group in AD. A global group can be used by computers
within the domain that it is a member of and by members of other domains in the AD forest. It can
contain user/computer accounts and other global groups from the domain that the global group is
created in.

Universal group


One of three AD basic group scopes:
A universal group is stored on domain controllers that are configured as global catalogs. This
implies that the universal group is replicated to domains across the entire forest. That allows a
universal group not only to be used by all computers in the forest but also to contain members from
any domain within the forest. Single-domain networks do not really need universal groups because
there isn't much use for them. Universal groups can contain user/computer accounts, global groups,
and other universal groups from any domain in the forest.

External trust (Non-transitive)


One of four domain trusts.
External trusts are domain-to-domain trusts. If you want a domain in a forest to trust a domain
outside the forest (an external domain), then you build an external trust.

Shortcut trust (Transitive)


One of four domain trusts.
Shortcut trusts speed up authentication. A shortcut trust is a transitive trust between two domains
in the same forest that shortens the trust path in a large and complex domain tree or forest.

Forest trust (Transitive)


One of four domain trusts.
A forest trust is a transitive trust between a forest root domain and a second forest root domain.
Once it is in place, every domain in the first forest trusts every domain in the second forest.

Realm trust (Non-transitive)


Realm trusts allow trust relationships with Unix systems that use Kerberos for authentication.
(What Microsoft calls domains, Unix calls realms.)

Transitive trust (Understanding Trust Transitivity)


Transitivity determines whether a trust can be extended outside the two domains between which
the trust was formed. You can use a transitive trust to extend trust relationships with other domains.
You can use a non-transitive trust to deny trust relationships with other domains.
http://technet.microsoft.com/enus/library/cc754612.aspx

Forest


In accordance with DNS naming standards, Active Directory domains are created in an inverted
tree structure. When it is necessary for domains in the same organization to have different
namespaces, create a separate tree for each namespace. Two or more trees with different names
make a forest.

NAME RESOLUTION METHODS: Domain Name System (DNS)


Preferred method for name resolution
Supports IPv4 and IPv6

NAME RESOLUTION METHOD: NetBIOS name resolution


Features:
Enabled by default
Supports most older versions of Windows
Supports LMHOSTS local resolution
Can use a WINS server
Drawbacks:
Only supports IPv4
Uses broadcasts
15-character maximum name length
Local subnet only without WINS

NAME RESOLUTION METHOD: Link-Layer Multicast Name Resolution (LLMNR)


Operating system support:
Windows Vista and Windows 7
Windows Server 2008 and R2
No support for Windows XP, Windows Server 2003 and earlier
Features:
Multicast
IPv4 and IPv6 name resolution
Low overhead
Smaller attack surface than NetBIOS
Should be used before NetBIOS when both LLMNR and NetBIOS are available
Drawbacks:
Works within the local subnet only
Differences in behavior based on operating system
IPv6 must be enabled
Can be disabled via Group Policy (Computer Configuration > Administrative Templates > Network >
DNS Client > Turn off multicast name resolution)
Caveat: LLMNR answers are not authenticated, so any host on the subnet can answer a query for a
name that does not exist and then collect the credentials the client presents to it; many
environments disable LLMNR with the policy above for that reason.

FULLY QUALIFIED DOMAIN NAME (FQDN)


References a host by its complete name:
Hostname
Domain name (can contain subdomains)
Top-level domain

Steps 1 - 5 of the DNS Request Process


Step 1: Enter www.microsoft.com in your browser and press Enter.
Step 2: A DNS query is sent to the local resolver on the PC. The local resolver checks the local DNS
cache (into which the hosts file is preloaded).
Step 3: If there is no match in step 2, a query is sent to the primary DNS server if one is
configured and it is available.
Step 4: The DNS server checks to see if it can authoritatively answer the query. This means:
does the DNS server have a zone configured and a resource record that answers the query?
Step 5: If no match was found in step 4, the DNS server checks its local DNS cache.

Recursion


Recursion:
Client sends a recursive request to a DNS server
DNS server completes the query on behalf of the DNS client and sends the result back to the client

Iteration


Iteration:
Used by a DNS server when contacting other DNS servers
Receives a referral from one server and directly queries the server listed in the referral
One DNS server (the one doing the recursion for the client) does most of the work

Root Hints


Root hints:
Used during recursion (when the server has no forwarder to hand the query to)
Give the DNS server a starting point: the addresses of the root name servers
Can be modified for private namespaces
Stored in %SystemRoot%\System32\dns\cache.dns
Loaded when the DNS service starts

Steps 6 - 9 of the DNS Request Process


Step 6: Based on the configuration of the DNS server, a query is sent to a root server.
Step 7: The root server responds with a referral to a top-level domain DNS server.
Step 8: The original DNS server that the query was first sent to takes the referral and sends a
request to the top-level DNS server, in this example .com.
Step 9: The .com DNS server sends a referral to the microsoft.com DNS server.

Steps 10 - 12 of the DNS Request Process


Step 10: Again the original DNS server takes the referral and sends a query to the microsoft.com
DNS server.
Step 11: Since that DNS server is authoritative for microsoft.com, it is able to respond with the host
(A) resource record that contains the IP address for www.microsoft.com.
Step 12: The original DNS server caches the answer and responds to the client query with the IP
address of www.microsoft.com.

Forward and Reverse Lookup Zones


Forward lookup zone
Translates a name to an IP address
Most commonly used zone type
Reverse lookup zone
Translates an IP address to a name
Zone name ends with in-addr.arpa (IPv4) or ip6.arpa (IPv6)

DNS Forwarders


A DNS forwarder forwards DNS queries to another DNS server instead of using root hints.
The request process is:
DNS server receives the query
DNS server checks locally hosted zones
DNS server checks the local server cache
DNS server forwards the query to the first DNS server listed on the Forwarders tab

Conditional Forwarders


Conditional forwarders:
Forward queries for a specific domain name to specific DNS servers
Often used to improve performance for DNS resolution of partner domain names and resources
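The forwarder, conditional forwarder, recursion and zone settings from the cards above map directly onto dnscmd.exe, which ships with the DNS Server role on Windows Server 2008. The script below is an added example, not part of the original notes: the server name DNS01, the addresses 10.0.0.5, 10.0.0.6 and 192.0.2.10, and the zone names corp.example.com and partner.example.com are assumed placeholders. It configures the resolution path and then the three settings that matter most for a DNS server's exposure: secure-only dynamic updates, restricted zone transfers and, on an authoritative-only server, no recursion.

```powershell
# Added example, not part of the original notes. dnscmd.exe comes with the DNS
# Server role on Windows Server 2008; run from an elevated prompt. DNS01, the IP
# addresses and the zone names are assumed placeholders.
$server = 'DNS01'

# Forwarders: anything this server is not authoritative for goes to the listed
# resolvers (tried in order) instead of being walked from the root hints.
dnscmd $server /ResetForwarders 10.0.0.5 10.0.0.6 /Timeout 3

# Conditional forwarder: queries for the partner namespace go straight to the
# partner's servers. In dnscmd this is a zone of type "forwarder".
dnscmd $server /ZoneAdd partner.example.com /Forwarder 192.0.2.10

# Dynamic updates: 2 = secure only. With 1 (nonsecure and secure) any host on the
# network could register or overwrite records, including the A and SRV records
# that clients use to find domain controllers.
dnscmd $server /Config corp.example.com /AllowUpdate 2

# Zone transfers only to the servers named in the zone's NS records; an
# unrestricted AXFR hands an attacker the whole host inventory of the zone.
dnscmd $server /ZoneResetSecondaries corp.example.com /SecureNs

# On an Internet-facing server that is only authoritative (never a resolver for
# clients), turn recursion off so it cannot be abused as an open resolver.
# Leave recursion ON for the internal servers that clients and forwarders use.
# dnscmd $server /Config /NoRecursion 1

# Verify what the server is actually doing
dnscmd $server /Info
dnscmd $server /EnumZones
dnscmd $server /ZoneInfo corp.example.com
```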

3 DNS Zone Types


There are 3 DNS zone types:
Primary (the writable copy; can be AD-integrated on a domain controller)
Secondary (a read-only copy obtained by zone transfer from a primary)
Stub (only the SOA, NS and glue A records of a zone, used to locate its authoritative servers)

Resource Records


Resource records are the database entries used to answer queries:
SOA (Start of Authority)
NS (Name Server)
A or AAAA (Host)
PTR (Pointer)
CNAME (Canonical Name, an alias)
SRV (Service Locator)
MX (Mail Exchanger)

NAT

Network Address Translation

AD Trees & Forests


You decide to create a trust relationship between Domain A and Domain B. Before
you take any other actions, can users in Domain A use resources from Domain B yet?
No.
A trust relationship only allows for the possibility of sharing resources between domains; it does not
explicitly provide any permissions. In order to allow users to access resources in another domain, you
must configure the appropriate permissions.
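The point above, that a trust only makes the other domain's principals usable here, is easiest to check by listing what the trusts actually are. The script below is an added example, not part of the original notes: it runs on any domain-joined host with PowerShell 2.0 and needs no module (System.DirectoryServices.ActiveDirectory), and the domain names in its comments are assumed placeholders. For each trust it reports direction, transitivity and whether SID filtering is on, the setting that stops a trusted domain from injecting this domain's privileged SIDs through sIDHistory.

```powershell
# Added example, not part of the original notes. Runs on a domain-joined host with
# PowerShell 2.0 and no extra module. Domain names in the comments are placeholders.
function Get-TrustReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $transitiveTypes = 'ParentChild', 'TreeRoot', 'Shortcut', 'Forest'   # External and Kerberos (realm) are not
    foreach ($t in $domain.GetAllTrustRelationships()) {
        $sidFiltering = 'n/a'
        try {
            # SID filtering (quarantine) drops foreign SIDs carried in sIDHistory; without
            # it an admin of the trusted domain can present privileged SIDs of *this* domain.
            $sidFiltering = $domain.GetSidFilteringStatus($t.TargetName)
        } catch { }
        New-Object PSObject -Property @{
            Source       = $t.SourceName
            Target       = $t.TargetName
            Type         = $t.TrustType
            Direction    = $t.TrustDirection      # Inbound, Outbound or Bidirectional
            Transitive   = ($transitiveTypes -contains $t.TrustType.ToString())
            SidFiltering = $sidFiltering
        }
    }
}

Get-TrustReport | Format-Table Source, Target, Type, Direction, Transitive, SidFiltering -AutoSize

# The trust only makes the other domain's principals *usable* here. Access still has to
# be granted, e.g. add PARTNER\Sales-Global to the domain local group that holds the
# share permission. Command-line checks for the same information:
#   nltest /domain_trusts /all_trusts
#   netdom trust corp.example.com /d:partner.example.com /verify
#   netdom trust corp.example.com /d:partner.example.com /quarantine:yes   (enable SID filtering)
```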

Plans are to deploy four Active Directory domains with the following requirements:
minimize the number of servers
enough fault tolerance to survive the complete failure of one domain controller.
What is the minimum number of domain controllers to deploy initially?
8
Two per domain for fault tolerance

What server configurations can be directly promoted to become a domain controller
for a new domain?
Member servers
Stand-alone servers

Server1: Schema Master
Server2: RID Master
Server3: Windows NT 4 BDC
Server4: Infrastructure Master
Server5: PDC Emulator Master
The entire environment is migrating to Windows Server 2008. Which server is not needed?
Server3: Windows NT 4 BDC

Implicit trusts created automatically between the domains of a forest are known as ______
transitive trusts.

Need to add a field to the properties of a User object.
On what servers can the change be made?
The Schema Master is the only domain controller within Active Directory on which changes to
the schema can be made (and the account making them must be a member of Schema Admins).

What are several Active Directory domains that share a contiguous namespace
called?
A tree

Accidentally demoted the last domain controller of your ADTest.com domain.
Want a complete undo. Possible?
Once the last domain controller in an environment has been removed, there is no way
to recreate the same domain. If adequate backups had been performed, you could have recovered
the domain by restoring a domain controller's system state from backup instead of rebuilding.


Items that depend on the DNS namespace are ....
Domains
Trees
Forests
DNS zones


Which types of computers contain a copy of the Global Catalog (GC)?
Specified Active Directory domain controllers

Which pieces of information should you have before you use the Active Directory
Installation Wizard to install a new subdomain?
name of the child domain
name of the parent domain
DNS configuration information
NetBIOS name for the server

Which type of trust is automatically created between the domains in a domain tree?
Transitive two-way

A systems administrator wants to remove a domain controller from a domain. What is
the easiest way to perform the task?
Use the Active Directory Installation Wizard to demote the domain controller.

Regarding the sharing of resources between forests...
A trust relationship must exist before resources can be shared between forests.

New remote location with very slow WAN link. Needs following specs:
Fast logon times
Reduced network bandwidth
Ability to use existing hardware
What can you implement to achieve the above requirements?
Universal group membership caching stores information locally once a user attempts
to log on for the first time.

Of the five main single master functions, two apply to an entire Active Directory forest.
What are the three that apply to just the domain?
RID Master
PDC Emulator Master
Infrastructure Master

When deploying Active Directory, you decide to create a new domain tree. What do
you need to do to create this?
Promote a Windows Server 2008 computer to a domain controller and select the
option that makes this domain controller the first machine in a new domain that is a child of an existing
one.


7 Reasons for Using Multiple Domains
Scalability
Reducing replication traffic
Meeting business needs (hierarchy - easier data management)
Decentralized administration
Multiple DNS or domain names
Legality

What are some of the drawbacks of multiple domains?
Administrative inconsistency
Increased management
Decreased flexibility


Min requirements for DC numbers
2 DCs per Domain

Recommended requirements for DC numbers
2 DCs per Site

Reasons for adding extra DCs
Fault tolerance and reliability
Performance


Main requirement for joining a new domain to an existing forest
Domain does not share a namespace with the existing Active Directory domain.

If you want to join a W2k8 server to an existing W2k3 Forest, what do you need to do
first?
Prepare the domain by running:
adprep /forestprep
adprep /domainprep

What naming information do you need prior to joining a domain to a new tree?
name of the parent domain
name of the child domain
NetBIOS name for the new server


What other information (other than the 3 names) do you need prior to joining a
domain to a new tree?
DNS configuration
domain administrator username and password

DcPromo option selected to create a new domain tree.
"makes this domain controller the first machine in a new domain that is a child of an
existing domain"


3 Features common to all Domains in a Forest
Schema
GC
Configuration Info

Type of trust between the Forest Root Domain and all the rest of the domains in the
forest
2-way Transitive


How is a new Domain Tree created?
Created top down - forest root domain - then child domains

How do you move a DC between domains?
1. Demote it.
2. Move it.
3. Promote it.


True or False? A Trust grants all users in one domain access to the other domains.
False.
A Trust only provides the foundation.
Rights must be granted to resources once the Trust is established.

What 2 features of AD do ALL Trees and Forests share?
Schema and Global Catalog


What do you always have even if you only have 1 Domain?
A Tree and a Forest

What do you need to ensure is done before you remove the last DC from a Domain?
Computers no longer log on to this domain
No user accounts are needed
All encrypted data is decrypted
All cryptographic keys are backed up

What are the 2 Forest Operation Master Roles?
Schema Master
Domain Naming Master

What tool is used to manage the Forest Operation Master roles?
AD Domains & Trusts

What are the 3 Domain Operation Master Roles?
RID Master
PDC Emulator Master
Infrastructure Master

The Schema Master holds ___
a master copy of the AD Schema

Where can changes to the AD Schema be made?
Only on the Schema Master

The Domain Naming Master __
tracks domains within the AD Forest

What does the RID Master do?
Creates a unique RID for every AD object

The PDC Emulator is responsible for __
Maintaining backward compatibility with NT DCs - used only in Mixed Mode domains.

In a Forest running at 2k Native or later what role does the PDC play?
Acts as default DC if another is not available


The Infrastructure Master ensures ___
that group membership info stays current between DCs

How do you assign the Domain Naming Master Role?
Open AD D&T
AD D&T Properties
Select Operations Master
Click Change

How do you assign all of the RID, PDC and Infrastructure Roles?
Open AD U&C
right-click Domain
Select Operation Masters
Click Change

What is a transitive trust?
Implied trusts.
If domain A trusts domain B AND
domain B trusts domain C THEN
domain A trusts domain C


What are External Trusts used for?
Used to provide access to an external domain (NT) that can't use forest trusts


What type of trust are External Trusts?
Non-transitive and either 1-way or 2-way (manually created)

On External Trusts, what is enabled by default to prevent hackers from using SID info
to gain access?
Default SID filtering
SID history is cleaned of SID history attributes that are not members of the trusted domain.

When is a Realm Trust used?
Used to connect to a non-Windows domain using Kerberos

What types of Realm Trusts are there?
Either Transitive or Non-Transitive
And either 1-way or 2-way

Where do you configure Trust Relationships?
AD D&T - Domain Properties - Trusts Tab

What happens when Selective authentication is used with Cross Forest Trusts?
users can't authenticate to DC or resource server unless explicitly enabled

What is a manually created Trust called?
Shortcut trusts

What is a Cross Forest Trust used for?
To share resources between forests

What is the restriction on Cross Forest Trusts?
They cannot be Non-transitive.

Where would you go to enable Selective Authentication?
Trust properties - Selective Authentication

Where would you add a UPN suffix?
AD D&T - Properties - UPN Suffixes

You need to add another Global Catalog server to an existing domain. Where would
you go to do this?
AD S&S
- DC
- NTDS Settings Properties
- GC Checkbox

What happens when Universal Group Membership Caching is enabled on a W2k8
DC?
1. User logs on - Universal Groups cached from GC
2. Next time user logs on - no need to contact GC


The benefits of Universal Group Membership Caching are:
Faster logon times
Reduced network bandwidth
Ability to use existing hardware

On a W2k8 DC how do you enable Universal Group Membership Caching?
AD S&S
- Sites
- Default-First-Site-Name
- NTDS Settings - Properties
- checkbox
