cna 122 chapter 6

question

active directory replication
answer

the transfer of information between all domain controllers to make sure they have consistent and up-to-date information
question

application directory partition
answer

a directory partition that applications and services use to store information that benefits from automatic active directory replication and security.
question

assigned application
answer

an application package made available to users via group policy and places a shortcut to the application in the start screen. the application is installed automatically if a user tries to run it or opens a document associated with it. if the application applies to a computer account the application is installed the next time windows boots.
question

attribute value
answer

information stored in each attribute
question

authentication
answer

a process that confirms a user’s identity, and the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.
question

built-in-user accounts
answer

user accounts created by windows automatically during installation.
question

child domains
answer

domains that share at least the top-level and second-level domain name structure as an existing domain in the forest; also called “subdomains”
question

configuration partition
answer

a directory partition that stores configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another.
question

directory partition
answer

a section of an active directory database stored on a domain controller’s hard drive. these sections are managed by different processes and replicated to other domain controllers in an active directory network.
question

directory service
answer

a database that stores information about a computer network and includes features for retrieving and managing that information
question

directory services restore mode (dsrm)
answer

a boot mode used to perform restore operations on active directory if it becomes corrupted or parts of it are deleted accidentally.
question

domain
answer

the core structural unit of active directory; contains OU’s and represents administrative, security, and policy boundaries.
question

domain directory partition
answer

a directory partition that contains all objects in a domain, including users, groups, computers, OU’s and so forth
question

domain user account
answer

a user account created in active directory that provides a single logon for users to access all resources in the domain for which they have been authorized.
question

extension
answer

an item in a gpo that allows an administrator to configure a policy setting.
question

flexible single master operation (fsmo) roles
answer

specialized domain controller tasks that handle operations that can affect the entire domain or forest. only one domain controller can be assigned a particular FSMO.
question

forest
answer

a collection of one or more active directory trees. a forest can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.
question

forest root domain
answer

the first domain created in a new forest
question

fully qualified domain name (FQDN)
answer

a domain name that includes all parts of the name, including the top-level domain.
question

global catalog partition
answer

a directory partition that stores the global catalog, which is a partial replica of all objects in the forest. it contains the most commonly accessed object attributes to facilitate object searches and user logons across domains.
question

gpo scope
answer

the object affected by a gpo linked to a site, domain or OU
question

group policy object (gpo)
answer

a list of settings that administrators use to configure user and computer operating environments remotely through active directory
question

install from media (ifm)
answer

an option when installing a dc in an existing domain; much of the active directory database contents are copied to the new dc from media created from an existing dc.
question

intersite replication
answer

active directory replication that occurs between 2 or more sites.
question

intrasite replication
answer

active directory replication between domain controllers in the same site
question

knowledge consistency checker (KCC)
answer

a process that runs on every domain controller to determine the replication topology.
question

lightweight directory access protocol (LDAP)
answer

a protocol that runs over tcp/ip and is designed to facilitate access to directory services and directory objects. it’s based on a suite of protocols called x.500, developed by the international telecommunication union.
question

local user account
answer

a user account defined on a local computer that’s authorized to access resources only on that computer. local user accounts are mainly used on stand-alone computers or in a workgroup network with computers that aren’t part of an active directory domain.
question

multimaster replication
answer

the process for replicating active directory objects; changes to the database can occur on any domain controller and are propagated, or replicated, to all other domain controllers.
question

object
answer

a grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or ou.
question

operations master
answer

a domain controller with sole responsibility for certain domain or forest-wide functions.
question

organizational unit (ou)
answer

an active directory container used to organize a network’s users and resources into logical administrative units
question

permissions
answer

settings that define which resources users can access and what level of access they have to resources.
question

published application
answer

an application package made available via group policy for users to install by using programs and features in control panel. the application is installed automatically if a user tries to run it or opens a document associated with it.
question

relative identifier (rid)
answer

the part of a sid that’s unique for each active directory object.
question

replication partner
answer

a domain controller configured to replicate with another domain controller.
question

right
answer

a setting that specifies what types of action a user can perform on a computer or network.
question

schema
answer

information that defines the type, organization, and structure of data stored in the active directory, such as user or computer accounts.
question

schema attributes
answer

a category of schema information that defines what type of information is stored in each object.
question

schema classes
answer

a category of schema information that defines the types of objects that can be stored in active directory, such as user or computer accounts.
question

schema directory partition
answer

a directory partition containing the information needed to define active directory objects and object attributes for all domains in the forest.
question

security identifier
answer

a numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an rid.
question

site
answer

a physical location in which domain controllers communicate and replicate information regularly.
question

sysvol folder
answer

a shared folder that stores information from active directory that’s replicated to other domain controllers.
question

tree
answer

a grouping of domains that share a common naming structure.
question

trust relationship
answer

an arrangement that defines whether and how security principals from one domain can access network resources in another domain.
question

user principal name
answer

a user logon name that follows the format [email protected]. users can use upn’s to log on to their own domain from a computer that’s a member of a different domain.
question

active directory offers what features to make it flexible?
answer

hierarchical organization, centralized but distributed database, scalability, security, flexibility, policy-based administration.
question

what are the 2 aspects of active directory structure?
answer

physical structure, logical structure
question

each domain controller contains a full replica of the objects that make up the domain and is responsible for what functions?
answer

storing a copy of the domain data and replicating changes to that data to all domain controllers in the domain, providing data search and retrieval functions for users attempting to locate objects in the directory, and providing authentication and authorization services for users who log on to the domain and attempt to access network resources.
question

what are the 4 organizing components of active directory?
answer

organizational units, domains, trees, forests
question

what is active directory service commonly referred to as?
answer

active directory domain services (AD DS)
question

there are 3 options to specify capabilities for the dc; what are they?
answer

domain name system (dns) server, global catalog, read only domain controller
question

for the first dc in a new domain, this should be installed unless you will be using an existing —– server for the domain.
answer

DNS
question

global catalog
answer

for the first dc in a forest, this check box is selected and disabled because the first dc in a new forest must also be a global catalog server.
question

read only domain controller
answer

isn’t on by default, disabled for the first dc in the domain because it can’t be a rodc.
question

how many domain controllers does microsoft recommend at a minimum?
answer

2 (for fault tolerance and load balancing)
question

there are 4 questions you ask before adding a new dc to an existing domain.
answer

should you install dns? should the dc be a global catalog server? should this be a read only domain controller? in which site should the dc be located?
question

reasons you should install dns
answer

if you’re installing the second dc in a domain for fault tolerance, if it is in a remote site
question

should the dc be a global catalog server?
answer

the first dc is always configured as a gc server, but when you’re installing additional dc’s in a domain, this setting is optional. in most cases it makes sense to make all your dc’s global catalog servers.
question

should this be a rodc?
answer

branch offices (a rodc doesn’t store credentials, so if it is compromised, no passwords can be retrieved). if the dc isn’t at a branch office, there is no real advantage to making it a rodc.
question

add a child domain
answer

add a domain that shares at least the top-level and second-level domain name structure as an existing domain in the forest.
question

add a new tree
answer

add a domain with a separate naming structure from any existing domains in the forest.
question

add-windowsfeature ad-domain-services
answer

install active directory domain services role
question

-includemanagementtools
answer

prepares server for promotion to a dc but you must enter another command to start the promotion process.
question

install-addsforest
answer

create new dc in a new forest (must provide domain name)
question

install-addsdomaincontroller
answer

adds dc to an existing domain
question

the procedure for using ifm is…
answer

select a suitable dc (must be a standard dc). if you’re creating ifm data for a rodc, you can use a rodc or a standard dc. run the ntdsutil command from an admin command prompt
question

ntdsutil
answer

starts command-line program
question

activate instance ntds
answer

sets the program focus on the active directory database.
question

ifm
answer

sets program to ifm mode
question

create full path
answer

creates ifm data for a writeable dc
question

create rodc path
answer

creates ifm data for a rodc
question

create sysvol full path
answer

creates ifm data for a writeable dc and includes the sysvol folder.
question

create sysvol rodc path
answer

creates ifm data for a rodc and includes the sysvol folder
question

what is disabled by default when you install active directory?
answer

active directory recycle bin
question

active directory administrative center (adac)
answer

central console for performing many active directory tasks
question

when active directory is installed, what 5 folders are created?
answer

builtin, computers, foreignsecurityprincipals, managed service accounts, users.
question

builtin
answer

mainly used to assign permissions to users who have administrative responsibilities in the domain
question

computers
answer

default location for computer accounts created when a new computer or server becomes a domain member.
question

foreignsecurityprincipals
answer

initially empty but later contains user accounts from other domains added as members of local domain groups
question

managed service accounts
answer

added to the schema in server 2008; created specifically for services to access domain resources. in this account, the password is managed by the system, alleviating the admin of this task. it is empty initially.
question

users
answer

stores 2 default users (admin and guest) and several default groups.
question

leaf object
answer

doesn’t contain other objects and usually represents a security account, network resource, or GPO.
question

security account objects include?
answer

users, groups, and computers
question

network resource objects include?
answer

servers, domain controllers, file shares, printers, and so forth
question

how are GPO’s managed in active directory?
answer

by the group policy MMC
question

what is the difference between permissions and right?
answer

permissions define which resources users can ACCESS and what level of access they have; a right specifies what types of actions a user can PERFORM on a computer or network.
question

other leaf objects include?
answer

contact, printer, shared folder
question

where can the active directory recycle bin be enabled?
answer

in the (ADAC)
question

can the recycle bin be disabled without reinstalling all domain controllers in the forest?
answer

no
question

what must all dc’s in a forest be running to use the recycle bin?
answer

windows server 2008 or later
question

there are 5 operations master roles also referred to as flexible single master operation (fsmo) roles in an active directory forest what are they? *****
answer

schema master, infrastructure master, domain naming master, rid master, pdc emulator master
question

schema master ****
answer

only one that can change the schema partition, responsible for replicating the schema directory partition to all other domain controllers in the forest when changes occur.
question

infrastructure master ****
answer

responsible for ensuring that changes made to object names in one domain are updated in references to the objects in other domains.
question

domain naming master ****
answer

manages adding, removing and renaming domains in the forest. there is only one per forest.
question

RID master **** (relative identifier)
answer

responsible for issuing unique pools of rid’s to each dc, thereby guaranteeing unique sid’s (security identifier) throughout the domain.
question

an object’s SID is composed of what?
answer

domain identifier, which is the same for all objects in the domain, and a RID, which is unique for each object.
question

pdc emulator master ****
answer

provides backward-compatibility with windows servers configured as windows nt backup domain controllers or member servers. manages password changes to help make sure user authentication occurs without lengthy delays.
question

get-addomain
answer

view the domain
question

get-adforest
answer

view the holder of the 2 forest-wide roles
question

trust relationship
answer

defines whether and how security principals from one domain can access network resources in another domain.
question

when is configuring trust a must?
answer

when your active directory environment includes 2 or more forests or when you want to integrate with other OS’s.
question

all domains in a forest share common characteristics; what are they?
answer

a single schema, forest-wide admin accounts, operations masters, global catalog, trusts between domains, replication between domains.
question

single schema
answer

active directory objects and their attributes, can be changed by the admin or an application to best suit the organization’s needs. all domains in a forest share the same schema.
question

forest-wide admin accounts
answer

each forest has 2 groups with unique rights: schema admins and enterprise admins. schema admins are the only ones allowed to make changes to the schema and enterprise admins can add or remove domains from a forest and have admin access to every domain in the forest.
question

operations master
answer

certain forest-wide operations can be performed only by a dc designated as the operations master.
question

global catalog
answer

only one per forest, multiple dc’s can be designated as global catalog servers. they contain information about all objects in the forest, used to speed searching for objects across domains in the forest and to allow users to log on to any domain in the forest.
question

trusts between domains
answer

allow users to log on to their home domains and access resources in domains throughout the forest without having to authenticate to each domain.
question

replication between domains
answer

the forest structure facilitates replicating important information between all domain controllers throughout the forest. forest-wide replication includes information stored in the global catalog, schema directory, and configuration partitions.
question

the global catalog server has some vital functions; what are they?
answer

facilitates domain and forest-wide searches, facilitates logon across domains, holds universal group membership information.
question

the forest root domain handles what functions?
answer

dns server, global catalog server, forest-wide admin accounts, operations masters
question

can the dns server and global catalog server functions be installed on other servers in domains?
answer

yes for fault tolerance
question

where do the forest-wide operations masters and forest-wide admin accounts reside?
answer

only on a dc in the forest root domain
question

why do small and medium businesses choose a single domain?
answer

simplicity, lower costs, easier management, easier access to resources.
question

why does using more than one domain make sense?
answer

there is a need for differing account policies, need for different name identities, replication control, need for internal vs. external domains, need for tight security.
question

group policy object
answer

list of settings admins use to configure user and computer operating environments remotely. can specify security settings, deploy software, and configure a user’s desktop.
question

do GPO’s apply to group objects?
answer

NO! despite the name they do not apply to group objects.
question

you can link GPO’s to what?
answer

sites, domains and OU’s (when linked they affect only user and computer accounts in the containers)
question

when active directory is installed, two GPO’s are created and linked to 2 containers, what are they?
answer

default domain policy, default domain controllers policy
question

default domain policy
answer

linked to the domain object and specifies default settings that affect all users and computers in the domain. the settings in this policy are related mainly to account policies (i.e. password and logon requirements and some network security policies).
question

default domain controllers policy
answer

linked to the domain controllers OU and specifies the default policy settings for all domain controllers in the domain. pertain mainly to user rights assignments, which specify the types of actions users can perform on a dc
question

the default policies don’t define any user-specific policies; instead they are designed to provide what?
answer

default security settings for all computers, including domain controllers, in the domain
question

each GPO has 2 main nodes in GPMC (group policy management console); what are they?
answer

computer configuration, user configuration
question

computer configuration
answer

used to set policies that apply to computers within the GPO’s scope. these policies are applied to a computer when the computer starts
question

user configuration
answer

used to set policies that apply to all users within the GPO’s scope. user policies are applied when a user logs on to any computer in the domain.
question

each node contains 2 folders..
answer

policies folder, preferences folder
question

policies folder
answer

settings here are applied to users or computers and can’t be overridden by users
question

preferences folder
answer

settings here are applied to users or computers but are just preferences so the users can change them.
question

in the configuration node, there are 3 folders under policies folder they are?
answer

software settings, windows settings, admin templates
question

software settings folder
answer

contains an item called software installation (enables admins to install and manage applications remotely). can be configured to start automatically (this is called assigning the application to the computer).
question

windows settings folder
answer

contains the name resolution policy node, scripts extension, security settings node, and policy-based QoS node.
question

—-name resolution policy
answer

stores configuration settings for dns security and directaccess. admins can use the scripts extension to create scripts that run at computer startup or shutdown
question

—-security settings node
answer

contains the lion’s share of policies that affect computer security, including account policies, user rights, wireless network policies, registry and file system permissions, and network communication policies among others.
question

—-policy based QoS node
answer

can be used to prioritize and control outgoing network traffic from a computer.
question

admin templates folder
answer

contains control panel, network, printers, system and windows components folders. the settings here affect computer settings that apply to all logged-on users.
question

do the policies configured in the computer configuration node affect all computers in the container to which the GPO is linked?
answer

yes and all child containers
question

the computer configuration node contains these 3 folders. (these differ from user configuration node policies)
answer

software settings, windows settings, admin templates
question

software settings
answer

also contains the software installation extension; however, app packages configured here can be assigned or published.
question

windows settings
answer

contains 4 items: scripts extension, security settings node, folder redirection node, and policy-based QoS node.
question

admin templates
answer

contains a host of settings that enable admins to tightly control users’ computer and network environments.
question

gpo’s can be applied in 4 places.
answer

local computer, site, domain, and OU (in this order too).
question

the last policy to be applied is the last one to take precedence, yes or no?
answer

yes, and also policies that aren’t defined or configured are not applied at all
