cna 122 chapter 6 – Flashcards

question
active directory replication
answer
the transfer of information between all domain controllers to make sure they have consistent and up-to-date information
question
application directory partition
answer
a directory partition that applications and services use to store information that benefits from automatic active directory replication and security.
question
assigned application
answer
an application package made available to users via group policy and places a shortcut to the application in the start screen. the application is installed automatically if a user tries to run it or opens a document associated with it. if the application applies to a computer account the application is installed the next time windows boots.
question
attribute value
answer
information stored in each attribute
question
authentication
answer
a process that confirms a user's identity, and the account is assigned permissions and rights that authorize the user to access resources and perform certain tasks on the computer or domain.
question
built-in-user accounts
answer
user accounts created by windows automatically during installation.
question
child domains
answer
domains that share at least the top-level and second-level domain name structure as an existing domain in the forest; also called "subdomains"
question
configuration partition
answer
a directory partition that stores configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another.
question
directory partition
answer
a section of an active directory database stored on a domain controller's hard drive. these sections are managed by different processes and replicated to other domain controllers in an active directory network.
question
directory service
answer
a database that stores information about a computer network and includes features for retrieving and managing that information
question
directory services restore mode (dsrm)
answer
a boot mode used to perform restore operations on active directory if it becomes corrupted or parts of it are deleted accidentally.
question
domain
answer
the core structural unit of active directory; contains OU's and represents administrative, security, and policy boundaries.
question
domain directory partition
answer
a directory partition that contains all objects in a domain, including users, groups, computers, OU's and so forth
question
domain user account
answer
a user account created in active directory that provides a single logon for users to access all resources in the domain for which they have been authorized.
question
extension
answer
an item in a gpo that allows an administrator to configure a policy setting.
question
flexible single master operation (fsmo) roles
answer
specialized domain controller tasks that handle operations that can affect the entire domain or forest. only one domain controller can be assigned a particular FSMO.
question
forest
answer
a collection of one or more active directory trees. a forest can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.
question
forest root domain
answer
the first domain created in a new forest
question
fully qualified domain name (FQDN)
answer
a domain name that includes all parts of the name, including the top-level domain.
question
global catalog partition
answer
a directory partition that stores the global catalog, which is a partial replica of all objects in the forest. it contains the most commonly accessed object attributes to facilitate object searches and user logons across domains.
question
gpo scope
answer
the object affected by a gpo linked to a site, domain or OU
question
group policy object (gpo)
answer
a list of settings that administrators use to configure user and computer operating environments remotely through active directory
question
install from media (ifm)
answer
an option when installing a dc in an existing domain; much of the active directory database contents are copied to the new dc from media created from an existing dc.
question
intersite replication
answer
active directory replication that occurs between 2 or more sites.
question
intrasite replication
answer
active directory replication between domain controllers in the same site
question
knowledge consistency checker (KCC)
answer
a process that runs on every domain controller to determine the replication topology.
question
lightweight directory access protocol (LDAP)
answer
a protocol that runs over tcp/ip and is designed to facilitate access to directory services and directory objects. it's based on a suite of protocols called x.500, developed by the international telecommunication union.
question
local user account
answer
a user account defined on a local computer that's authorized to access resources only on that computer. local user accounts are mainly used on stand-alone computers or in a workgroup network with computers that aren't part of an active directory domain.
question
multimaster replication
answer
the process for replicating active directory objects; changes to the database can occur on any domain controller and are propagated, or replicated, to all other domain controllers.
question
object
answer
a grouping of information that describes a network resource, such as a shared printer, or an organizing structure, such as a domain or ou.
question
operations master
answer
a domain controller with sole responsibility for certain domain or forest-wide functions.
question
organizational unit (ou)
answer
an active directory container used to organize a network's users and resources into logical administrative units
question
permissions
answer
settings that define which resources users can access and what level of access they have to resources.
question
published application
answer
an application package made available via group policy for users to install by using programs and features in control panel. the application is installed automatically if a user tries to run it or opens a document associated with it.
question
relative identifier (rid)
answer
the part of a sid that's unique for each active directory object.
question
replication partner
answer
a domain controller configured to replicate with another domain controller.
question
right
answer
a setting that specifies what types of action a user can perform on a computer or network.
question
schema
answer
information that defines the type, organization, and structure of data stored in the active directory, such as user or computer accounts.
question
schema attributes
answer
a category of schema information that defines what type of information is stored in each object.
question
schema classes
answer
a category of schema information that defines the types of objects that can be stored in active directory, such as user or computer accounts.
question
schema directory partition
answer
a directory partition containing the information needed to define active directory objects and object attributes for all domains in the forest.
question
security identifier
answer
a numeric value assigned to each object in a domain that uniquely identifies the object; composed of a domain identifier, which is the same for all objects in a domain, and an rid.
question
site
answer
a physical location in which domain controllers communicate and replicate information regularly.
question
sysvol folder
answer
a shared folder that stores information from active directory that's replicated to other domain controllers.
question
tree
answer
a grouping of domains that share a common naming structure.
question
trust relationship
answer
an arrangement that defines whether and how security principals from one domain can access network resources in another domain.
question
user principal name
answer
a user logon name that follows the format username@domain. users can use upn's to log on to their own domain from a computer that's a member of a different domain.
question
active directory offers what features to make it flexible?
answer
hierarchical organization, centralized but distributed database, scalability, security, flexibility, policy-based administration.
question
what are the 2 aspects of active directory structure?
answer
physical structure, logical structure
question
each domain controller contains a full replica of the objects that make up the domain and is responsible for what functions?
answer
storing a copy of the domain data and replicating changes to that data to all domain controllers in the domain, providing data search and retrieval functions for users attempting to locate objects in the directory, and providing authentication and authorization services for users who log on to the domain and attempt to access network resources.
question
what are the 4 organizing components of active directory?
answer
organizational units, domains, trees, forests
question
what is active directory service commonly referred to as?
answer
active directory domain services (AD DS)
question
there are 3 options to specify capabilities for the dc; what are they?
answer
domain name system (dns) server, global catalog, read only domain controller
question
for the first dc in a new domain, this should be installed unless you will be using an existing ----- server for the domain.
answer
DNS
question
global catalog
answer
for the first dc in a forest, this check box is selected and disabled because the first dc in a new forest must also be a global catalog server.
question
read only domain controller
answer
isn't on by default, disabled for the first dc in the domain because it can't be a rodc.
question
how many domain controllers does microsoft recommend at a minimum?
answer
2 (for fault tolerance and load balancing)
question
there are 4 questions you ask before adding a new dc to an existing domain.
answer
should you install dns? should the dc be a global catalog server? should this be a read only domain controller? in which site should the dc be located?
question
reasons you should install dns
answer
if you're installing the second dc in a domain for fault tolerance, if it is in a remote site
question
should the dc be a global catalog server?
answer
the first dc is always configured as a gc server, but when you're installing additional dc's in a domain, this setting is optional. in most cases it makes sense to make all your dc's global catalog servers.
question
should this be a rodc?
answer
branch offices (a rodc doesn't store credentials, so if it is compromised, no passwords can be retrieved). if the dc isn't at a branch office, there is no real advantage to making it a rodc.
question
add a child domain
answer
add a domain that shares at least the top-level and second-level domain name structure as an existing domain in the forest.
question
add a new tree
answer
add a domain with a separate naming structure from any existing domains in the forest.
question
add-windowsfeature ad-domain-services
answer
install active directory domain services role
question
-includemanagementtools
answer
prepares server for promotion to a dc but you must enter another command to start the promotion process.
question
install-addsforest
answer
create new dc in a new forest (must provide domain name)
question
install-addsdomaincontroller
answer
adds dc to an existing domain
question
the procedure for using ifm is...
answer
select a suitable dc (must be a standard dc); if you're creating ifm data for a rodc, you can use a rodc or a standard dc. run ntdsutil command from an admin command prompt
question
ntdsutil
answer
starts command-line program
question
activate instance ntds
answer
sets the program focus on the active directory database.
question
ifm
answer
sets program to ifm mode
question
create full path
answer
creates ifm data for a writeable dc
question
create rodc path
answer
creates ifm data for a rodc
question
create sysvol full path
answer
creates ifm data for a writeable dc and includes the sysvol folder.
question
create sysvol rodc path
answer
creates ifm data for a rodc and includes the sysvol folder
question
what is disabled by default when you install active directory?
answer
active directory recycle bin
question
active directory administrative center (adac)
answer
central console for performing many active directory tasks
question
when active directory is installed, what 5 folders are created?
answer
builtin, computers, foreignsecurityprincipals, managed service accounts, users.
question
builtin
answer
mainly used to assign permissions to users who have administrative responsibilities in the domain
question
computers
answer
default location for computer accounts created when a new computer or server becomes a domain member.
question
foreignsecurityprincipals
answer
initially empty but later contains user accounts from other domains added as members of local domains groups
question
managed service accounts
answer
added to the schema in server 2008 created specifically for services to access domain resources. in this account, the password is managed by the system, alleviating the admin of this task. it is empty initially.
question
users
answer
stores 2 default users (admin and guest) and several default groups.
question
leaf object
answer
doesn't contain other objects and usually represents a security account, network resource, or GPO.
question
security account objects include?
answer
users, groups, and computers
question
network resource objects include?
answer
servers, domain controllers, file shares, printers, and so forth
question
how are GPO's managed in active directory?
answer
by the group policy MMC
question
what is the difference between permissions and right?
answer
permissions define which resources users can ACCESS and what level of access they have, right specifies what types of actions a user can PERFORM on a computer or network.
question
other leaf objects include?
answer
contact, printer, shared folder
question
where can the active directory recycle bin be enabled?
answer
in the (ADAC)
question
can the recycle bin be disabled without reinstalling all domain controllers in the forest?
answer
no
question
what must all dc's in a forest be running to use the recycle bin?
answer
windows server 2008 or later
question
there are 5 operations master roles also referred to as flexible single master operation (fsmo) roles in an active directory forest what are they? *****
answer
schema master, infrastructure master, domain naming master, rid master, pdc emulator master
question
schema master ****
answer
only one that can change the schema partition, responsible for replicating the schema directory partition to all other domain controllers in the forest when changes occur.
question
infrastructure master ****
answer
responsible for ensuring that changes made to object names in one domain are updated in references to the objects in other domains.
question
domain naming master ****
answer
manages adding, removing and renaming domains in the forest. there is only one per forest.
question
RId master **** (relative identifier)
answer
responsible for issuing unique pools of rid's to each dc, thereby guaranteeing unique sid's (security identifier) throughout the domain.
question
an object's SID is composed of what?
answer
domain identifier, which is the same for all objects in the domain, and a RID, which is unique for each object.
question
pdc emulator master ****
answer
provides backward-compatibility with windows servers configured as windows nt backup domain controllers or member servers. manages password changes to help make sure user authentication occurs without lengthy delays.
question
get-addomain
answer
view the domain
question
get-adforest
answer
view the holder of the 2 forest-wide roles
question
trust relationship
answer
defines whether and how security principals from one domain can access network resources in another domain.
question
when is configuring trust a must?
answer
when your active directory environment includes 2 or more forests or when you want to integrate with other OS's.
question
all domains in a forest share common characteristics what are they?
answer
a single schema, forest-wide admin accounts, operations masters, global catalog, trusts between domains, replication between domains.
question
single schema
answer
active directory objects and their attributes, can be changed by the admin or an application to best suit the organization's needs. all domains in a forest share the same schema.
question
forest-wide admin accounts
answer
each forest has 2 groups with unique rights: schema admins and enterprise admins. schema admins are the only ones allowed to make changes to the schema and enterprise admins can add or remove domains from a forest and have admin access to every domain in the forest.
question
operations master
answer
certain forest-wide operations can be performed only by a dc designated as the operations master.
question
global catalog
answer
only one per forest, multiple dc's can be designated as global catalog servers. they contain information about all objects in the forest, used to speed searching for objects across domains in the forest and to allow users to log on to any domain in the forest.
question
trusts between domains
answer
allow users to log on to their home domains and access resources in domains throughout the forest without having to authenticate to each domain.
question
replication between domains
answer
the forest structure facilitates replicating important information between all domain controllers throughout the forest. forest-wide replication includes information stored in the global catalog, schema directory, and configuration partitions.
question
the global catalog server has some vital functions what are they?
answer
facilitates domain and forest-wide searches, facilitates logon across domains, holds universal group membership information.
question
the forest root domain handles what functions?
answer
dns server, global catalog server, forest-wide admin accounts operations masters
question
can the dns server and global catalog server functions be installed on other servers in domains?
answer
yes for fault tolerance
question
where do the forest-wide operations masters and forest-wide admin accounts reside?
answer
only on a dc in the forest root domain
question
why do small and medium businesses choose a single domain?
answer
simplicity, lower costs, easier management, easier access to resources.
question
why does using more than one domain make sense?
answer
there is a need for differing account policies, need for different name identities, replication control, need for internal vs. external domains, need for tight security.
question
group policy object
answer
list of settings admins use to configure user and computer operating environments remotely. can specify security settings, deploy software, and configure a user's desktop.
question
do GPO's apply to group objects?
answer
NO! despite the name they do not apply to group objects.
question
you can link GPO's to what?
answer
sites, domains and OU's (when linked they affect only user and computer accounts in the containers)
question
when active directory is installed, two GPO's are created and linked to 2 containers, what are they?
answer
default domain policy, default domain controllers policy
question
default domain policy
answer
linked to the domain object and specifies default settings that affect all users and computers in the domain. the settings in this policy are related mainly to account policies (i.e. password and logon requirements and some network security policies).
question
default domain controllers policy
answer
linked to the domain controllers OU and specifies the default policy settings for all domain controllers in the domain. pertain mainly to user rights assignments, which specify the types of actions users can perform on a dc
question
the default policies don't define any user-specific policies; instead they are designed to provide what?
answer
default security settings for all computers, including domain controllers, in the domain
question
each GPO has 2 main nodes in GPMC (group policy management console); what are they?
answer
computer configuration, user configuration
question
computer configuration
answer
used to set policies that apply to computers within the GPO's scope. these policies are applied to a computer when the computer starts
question
user configuration
answer
used to set policies that apply to all users within the GPO's scope. user policies are applied when a user logs on to any computer in the domain.
question
each node contains 2 folders..
answer
policies folder, preferences folder
question
policies folder
answer
settings here are applied to users or computers and can't be overridden by users
question
preferences folder
answer
settings here are applied to users or computers but are just preferences so the users can change them.
question
in the configuration node, there are 3 folders under policies folder they are?
answer
software settings, windows settings, admin templates
question
software settings folder
answer
contains an item called software installation (enables admins to install and manage applications remotely). can be configured to start automatically (this is called assigning the application to the computer).
question
windows settings folder
answer
contains the Name Resolution Policy node, scripts extension, security settings node, and policy-based QoS node.
question
----name resolution policy
answer
stores configuration settings for dns security and directaccess. admins can use the scripts extension to create scripts that run at computer startup or shutdown
question
----security settings node
answer
contains the lion's share of policies that affect computer security, including account policies, user rights, wireless network policies, registry and file system permissions, and network communication policies among others.
question
----policy based QoS node
answer
can be used to prioritize and control outgoing network traffic from a computer.
question
admin templates folder
answer
contains control panel, Network, printers, system and windows components folders. the settings here affect computer settings that apply to all logged-on users.
question
do the policies configured in the computer configuration node affect all computers in the container to which the GPO is linked?
answer
yes and all child containers
question
the computer configuration node contains these 3 folders. (these differ from user configuration node policies)
answer
software settings, windows settings, admin templates
question
software settings
answer
also contains the software installation extension however, app packages configured here, can be assigned or published.
question
windows settings
answer
contains 4 items scripts extension, security settings node, folder redirection node, and policy-based QoS node.
question
admin templates
answer
contains a host of settings that enable admins to tightly control users' computer and network environments.
question
gpo's can be applied in 4 places.
answer
local computer, site, domain, and OU. (in this order too)
question
the last policy to be applied, is the last one to take precedence yes or no?
answer
yes and also policies that aren't defined or configured, are not applied at all