222 Cards in this Set
What is scavenging in the DNS Zone
DNS servers running Windows Server 2003 support aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records (RRs), which can accumulate in zone data over time. (http://technet.microsoft.com/en-us/library/cc759204%28v=ws.10%29.aspx)
What is ADSI Edit (adsiedit.msc)?
Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
What is the Schema Master?
The Schema Master Domain Controller handles all of the updates and modifications to the Windows 2000 Active Directory Schema, and you must have access to the Schema Master to make the changes. There can be only one Schema Master in the entire forest, and you must be a member of the Schema Administrators group to make changes to the Schema. (http://www.serverwatch.com/tutorials/article.php/10825_1468641_2/Learn-AD-in-15-Minutes-a-Week-Active-Directory-Schema-Master.htm)
What is MSSQLSVC service?
The SQL Server service is running under a domain service account called “domain\SQLSVC”. No SPNs have been set yet.
The Basics

Active Directory user and computer accounts are objects in the Active Directory database. These objects have attributes, such as Name and Description.

Computer and user accounts are actually very similar in the way they operate on a Windows domain, and they both share an attribute called ServicePrincipalName. An account object can have multiple ServicePrincipalName values defined.

The setspn.exe tool manipulates this attribute. That’s all it does.
The Failure

The client wants to access the SQL server so he asks his domain controller: “Please may I have a ticket for accessing MSSQLSvc/sql1.domain.com”

Now the domain controller asks the Active Directory database: “Give me the name of the account object whose ServicePrincipalName is MSSQLSvc/sql1.domain.com”

The Active Directory database replies: “Sorry, there are no account objects with that ServicePrincipalName”

So the domain controller asks the Active Directory database again: “Ok then, give me the account object whose ServicePrincipalName is HOST/sql1.domain.com”

All computer accounts have, by default, ServicePrincipalName attributes set to:
HOST/[computername] and HOST/[computername].[domain]

So the Active Directory database replies to the domain controller: “The account object that has that ServicePrincipalName is sql1.domain.com’s computer account”

The domain controller now creates a ticket that only the computer account of sql1.domain.com can read. He gives the ticket to the client.

The client goes to the SQL service on sql1.domain.com and says “here is my ticket, may I come in?”

The SQL service will attempt to read the ticket. The problem is, the SQL service is not running under the computer account; it is running under a domain service account. It cannot read the ticket; the ticket is only intended for the computer account of sql1.domain.com. Kerberos authentication fails (and the client falls back to NTLM).
Online Certificate Status Protocol (OCSP)
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be.

In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. For example:

Clients connect to the network remotely and either do not need, or do not have, the high-speed connections required to download large CRLs.

A network needs to handle large peaks in revocation checking activity, such as when large numbers of users log on or send signed e-mail simultaneously.

An organization needs an efficient means to distribute revocation data for certificates issued from a non-Microsoft CA.

An organization wants to provide only the revocation checking data needed to verify individual certificate status requests, rather than make available information about all revoked or suspended certificates.

(http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx)
Authority Information Access (AIA)
After a root or subordinate CA is installed, you must configure the Authority Information Access (AIA) and CRL distribution point (CDP) extensions before the CA issues any certificates. The AIA extension specifies where to find up-to-date certificates for the CA. The CDP extension specifies where to find up-to-date CRLs that are signed by the CA. These extensions apply to all certificates that are issued by that CA.

Configuring these extensions ensures that this information is included in each certificate that the CA issues so that it is available to all clients. This ensures that PKI clients experience the least possible number of failures due to unverified certificate chains or certificate revocations that can result in unsuccessful VPN connections, failed smart card logons, or unverified e-mail signatures. (http://technet.microsoft.com/en-us/library/cc776904%28v=ws.10%29.aspx)
OCSP
OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List (CRL). (http://searchsecurity.techtarget.com/definition/OCSP)
The ABC.com network has a client computer named ABC-WS640 that was last used six months ago. During the course of the day you attempt to log on to ABC-WS640 but you are unable to authenticate during the logon process.
In this scenario you should disjoin the computer from the domain, reset the computer account, and rejoin the computer to the domain. The long inactivity caused the computer to stop authenticating against the Active Directory records. Disjoining and rejoining with the account reset refreshes the computer account password.
ntdsutil
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators. (http://technet.microsoft.com/en-us/library/cc753343%28v=ws.10%29.aspx)
The network has the following setup.

* Chicago Office - Domain Controller named ABC-DC01

* Dallas Office - Read-Only Domain Controller named ABC-DC02

How can you make sure that Dallas Office users use only ABC-DC02 for authentication?
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

Ref: http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
What action should you take to ensure that computers that are not part of the intl.ABC.com domain are not able to dynamically register their DNS registration information in the intl.ABC.com zone?
In order to ensure that only domain members are able to register their DNS records dynamically you need to set the option Secure only for Dynamic updates. This will only allow the domain members to register their DNS records dynamically.

(www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx)
All master roles in the forest are maintained at a domain controller ABC-DC01. You have another domain controller in the network named ABC-DC02 which contains better hardware and can improve performance. ABC-DC01 is to be removed from the network.

Which option can you select in order to ensure that proper roles are transferred to ABC-DC02 without disrupting the forest wide operations?
In order to transfer all forest-wide operations master roles to another domain controller, you need to transfer the Domain naming master as well as the Schema master. Schema master: the schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Domain naming master: the domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

( http://support.microsoft.com/kb/324801)
How do you transfer the ntds.dit database to a new drive?
To move the Active Directory database to a new volume, move the ntds.dit file to the new volume using the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition.

Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-d51707bf01eb1033.mspx?mfr=true
Root CA
The first CA that is installed becomes the root CA. The root CA forms the foundation of the PKI. The common practice is to first install the root CA, and then use the root CA to validate all the other CAs within the organization. A root CA is the most trusted CA in a CA hierarchy. When a root CA issues certificates to other CAs, these CAs become subordinate CAs of the root CA. When a root CA remains online, it is used to issue certificates to subordinate CAs. The root CA does not usually issue certificates directly to users, computers, applications or services. (http://www.tech-faq.com/understanding-certificate-authorities.html)
Subordinate CA
A subordinate CA can also issue certificates to other subordinate CAs. These subordinate CAs are called intermediate CAs. While an intermediate CA is subordinate to the root CA, it is considered superior to those subordinate CAs to which it issued certificates. Subordinate CAs which only issue certificates to users, and not to other subordinate CAs, are called leaf CAs. (http://www.tech-faq.com/understanding-certificate-authorities.html)
Enterprise CAs:
An enterprise CA stores its certificate information in Active Directory. Enterprise CAs are essentially dependent on Active Directory to store and replicate certificate data. What this means is that the enterprise CAs have to be configured as domain controllers. This in turn means that enterprise CAs can only issue certificates to users and computers that belong to the forest. (http://www.tech-faq.com/understanding-certificate-authorities.html)
Stand-alone CAs:
A stand-alone CA stores its certificate data in a shared folder which can be accessed through a Web URL. When users want to request certificates from stand-alone CAs, they have to use Web enrollment. (http://www.tech-faq.com/understanding-certificate-authorities.html)
Certificate templates Can only be used with ___________________
Certificate templates can only be used with enterprise CAs. Certificate templates are used to define the format and content of the certificate, based on the intended use of the certificate. Through certificate templates, you can specify the users and groups which are permitted to request the particular certificate. (http://www.tech-faq.com/understanding-certificate-authorities.html)
Enterprise root CA:
This is the topmost CA in the CA hierarchy, and is the first CA installed in the enterprise. Enterprise root CAs are reliant on Active Directory. Enterprise root CAs issue certificates to subordinate (http://www.tech-faq.com/understanding-certificate-authorities.html)
Enterprise Subordinate CA:
This CA also needs Active Directory, and is used to issue certificates to users and computers.

(http://www.tech-faq.com/understanding-certificate-authorities.html)
Stand-alone Root CA:
A stand-alone root CA is also the topmost CA in the certificate chain. A stand-alone root CA is not, however, dependent on Active Directory, and can be removed from the network. This makes a stand-alone root CA the solution for implementing a secure offline root CA.
(http://www.tech-faq.com/understanding-certificate-authorities.html)
Stand-alone Subordinate CA:
This type of CA is also not dependent on Active Directory, and is used to issue certificates to users, computers, and other CAs.
(http://www.tech-faq.com/understanding-certificate-authorities.html)
CA Hierarchies
Key archival and recovery:
This feature allows you to archive the keys, and re-issue them when users happen to lose their keys.
(http://www.tech-faq.com/understanding-certificate-authorities.html)
CA Hierarchies
User auto-enrollment:
You can configure users to auto-enroll for a User certificate.

(http://www.tech-faq.com/understanding-certificate-authorities.html)
CA Hierarchies
Delta CRLs:
With delta CRLs, clients are only sent the updates that should be added to their base CRLs when changes are made.

(http://www.tech-faq.com/understanding-certificate-authorities.html)
CA Hierarchies
Qualified subordination:
Through this feature, you can control the types of certificates which subordinate CAs can issue.

(http://www.tech-faq.com/understanding-certificate-authorities.html)
What action should you take to configure ABC-SR01 to support key archival?
The Startup Type of the Certificate Propagation service on ABC-SR01 should be set to Automatic.
The Differences between Internal CAs and External CAs
While a small organization could possibly need only one CA, a large organization would need multiple CAs, which could include a combination of internal and external CAs. When both internal and external CAs are used in an organization, Windows Server 2003 Certificate Services could be used to provide internal CA capabilities to the organization, while a third party such as VeriSign could be used as the external CA. The use of an external CA becomes important if the organization needs to exchange digital certificates with other organizations.

The security needs of the organization would dictate whether internal CAs, external CAs, or both of the two are used. Organizations typically use internal CAs to secure data that is communicated over the internal network, and external CAs to secure data communicated to external entities.

(http://www.tech-faq.com/understanding-certificate-authorities.html)
How do you create multiple password policies (granular password settings) with the ADSI Edit console?
ADSI Edit
The most important tool for this ‘exercise’ is actually a tool that most administrators have feared through the years – because whenever you have to use it it is normally when something bad has happened – well, I am referring to the ADSI Edit utility (adsiedit.msc). Most of the granular password policy settings are created and configured from within this tool. ADSI Edit is part of the standard Windows Server 2008 installation so you do not have to add it afterwards.
The steps

This is a quick view on the steps required to configure ‘Granular Password Settings’ in Windows Server 2008:

1. Create a Password Settings Object (PSO) in the Password Settings Container (PSC) using ADSI Edit
2. Configure the PSO options by completing the ‘primitive’ wizard within ADSI Edit
3. Assign the PSO to a user account or a global security group
4. Confirm that the settings actually applied (http://www.windowsecurity.com/articles-tutorials/windows_os_security/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html)
What is Debug Logging?
A debug log records database operations, system processes, and errors that occur when executing a transaction or while running unit tests. The system generates a debug log for a user every time that user executes a transaction that is included in the filter criteria. (http://login.salesforce.com/help/doc/en/code_debug_log.htm)
The ABC.com Network contains a server which is configured as:

* Domain Controller

* DNS Server

What option can you use to ensure tracking of all DNS queries received by ABC-SR01?
You should consider having debug logging enabled in the DNS Manager console on ABC-SR01.
What are the Default Standards Debug Logging Options?
By default, all debug logging options are disabled. When selectively enabled, the DNS Server service can perform additional trace-level logging of selected types of events or messages for general troubleshooting and debugging of the server.

Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily when more detailed information about server performance is needed. (http://technet.microsoft.com/en-us/library/cc776361%28v=ws.10%29.aspx)
What is Active Directory Sites and Services console?
You can use the Active Directory Sites and Services snap-in to manage the site-specific objects that implement the intersite replication topology. These objects are stored in the Sites container in Active Directory Domain Services (AD DS).
Note
You can also use Active Directory Sites and Services to administer the replication of directory data among all sites in an Active Directory Lightweight Directory Services (AD LDS) configuration set.

In addition, Active Directory Sites and Services provides a view of the Services container, which you can use to view service-related objects that are published in AD DS.

The following sections provide detailed information about site management and service publication with Active Directory Sites and Services:

(http://technet.microsoft.com/en-us/library/cc731907.aspx)
How is Active Directory Connected?
An Active Directory site is a physical subnet that is connected using a high-speed connection. Active directory sites are connected using site links, which are low-bandwidth, unreliable connections.

(http://www.omnisecu.com/windows-2003/active-directory/what-is-active-directory-site-link.htm)
What is DEFAULTIPSITELINK?
When a network infrastructure is expanded and scattered around the globe and multiple sites are created to manage them, replication plays an important role in the setup. With the help of replication all the domain controllers in every site are capable of exchanging information in order to provide consistent data worldwide. If there are multiple sites configured in the domain environment intersite replication takes place through DEFAULTIPSITELINK. This replication configuration creates a kind of mesh topology and in some conditions may consume additional network bandwidth. In order to utilize the bandwidth efficiently administrators can create intersite replication links which are used during these replications between the mentioned sites only. As an administrator if you want to do so you are required to follow the steps given below: (http://www.pctips3000.com/create-new-site-link-for-replication-in-windows-server-2008/)
What is OCSP?
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders. (http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)
During the course of the day an ABC.com user named Rory Allen complains that he cannot log on to the ABC.com domain from his client computer. When he attempts to, he receives an error message stating that his account has expired.

What action should you consider to have Rory Allen log on to the ABC.com domain from his client computer?
You should consider setting Rory Allen's user account to never expire.
Why would you install a new domain controller?
Domain controllers provide network users and computers with the Active Directory directory service, which stores and replicates directory data and manages user interactions with the domain, including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. You install a domain controller by installing Active Directory on any member or stand-alone server (except those with restrictive license agreements).

When you install the first domain controller in your organization, you are creating the first domain (also called the root domain) and the first forest. You can add additional domain controllers to an existing domain to provide fault tolerance, improve service availability, and balance the load of existing domain controllers.

(http://technet.microsoft.com/en-us/library/cc759011%28v=ws.10%29.aspx)
Why would you install Child Domain -Domain Controller?
You can also install a domain controller to create a new child domain or new domain tree. Create a new child domain when you want a new domain that shares a contiguous namespace with one or more domains. This means that the name of the new domain contains the full name of the parent domain. For example, sales.microsoft.com would be a child domain of microsoft.com. Create a new domain tree only when you need a domain whose Domain Name System (DNS) namespace is not related to the other domains in the forest. This means that the name of the new domain tree’s root domain (and all of its children) does not contain the full name of the parent domain. A forest can contain one or more domain trees. (http://technet.microsoft.com/en-us/library/cc759011%28v=ws.10%29.aspx)
What is Adprep.exe?
Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server. Adprep.exe performs operations that must be completed in an existing Active Directory environment before you can add a domain controller that runs that version of Windows Server.

(http://technet.microsoft.com/en-us/library/dd464018%28v=ws.10%29.aspx#BKMK_WhatsADPrep)
What is the first command you must run in adprep.exe?
You must run adprep /forestprep before you run other commands. Some commands must be run on specific domain controllers, as indicated in the table. None of the commands requires a restart of the server after the operation is complete. The remaining sections in this topic contain more details about each command.

(http://technet.microsoft.com/en-us/library/dd464018%28v=ws.10%29.aspx)
What is an event log subscription?
Applies To: Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Vista

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

(http://technet.microsoft.com/en-us/library/cc749183.aspx)
What is dnscmd /createdirectorypartition?
Creates a DNS application directory partition.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
What is DNSCMD?
A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
What is dnscmd /ageallrecords?
Sets the current time on all time stamps in a zone or node.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
What is dnscmd /clearcache?
Clears the DNS server cache.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /config
Resets the DNS server or zone configuration.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /createbuiltindirectorypartitions
Creates the built-in DNS application directory partitions.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /deletedirectorypartition
Deletes a DNS application directory partition.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /directorypartitioninfo
Lists information about a DNS application directory partition.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /enlistdirectorypartition
Adds a DNS server to the replication set of a DNS application directory partition.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /enumdirectorypartitions
Lists the DNS application directory partitions for a server.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /enumrecords
Lists the resource records in a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /enumzones
Lists the zones hosted by the specified server.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /exportsettings
Writes server configuration information to a text file.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /info
Gets server information.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /ipvalidate
Validates remote DNS servers.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /nodedelete
Deletes all records for a node in a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /recordadd
Adds a resource record to a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /recorddelete
Removes a resource record from a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /resetforwarders
Sets DNS servers to forward recursive queries.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /resetlistenaddresses
Sets server IP addresses to serve DNS requests.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /startscavenging
Initiates server scavenging.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /statistics
Queries or clears server statistics data.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /unenlistdirectorypartition
Removes a DNS server from the replication set of a DNS application directory partition.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /writebackfiles
Saves all zone or root-hint data to a file.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneadd
Creates a new zone on the DNS server.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zonechangedirectorypartition
Changes the directory partition on which a zone resides.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zonedelete
Deletes a zone from the DNS server.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneexport
Writes the resource records of a zone to a text file.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneinfo
Displays zone information.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zonepause
Pauses a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneprint
Displays all records in the zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zonerefresh
Forces a refresh of the secondary zone from the master zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zonereload
Reloads a zone from its database.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneresetmasters
Changes the master servers that provide zone transfer information to a secondary zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneresetscavengeservers
Changes the servers that can scavenge a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneresetsecondaries
Resets secondary information for a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneresettype
Changes the zone type.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneresume
Resumes a zone.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zoneupdatefromds
Updates an Active Directory–integrated zone with data from Active Directory Domain Services (AD DS).

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
dnscmd /zonewriteback
Saves zone data to a file.

(http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx)
What are zone transfer settings?
The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the master DNS. One should configure the master DNS server to allow zone transfers only from secondary (slave) DNS servers but this is often not implemented.

(http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Network/nslookupandDNSZoneTransfers.html)
What is a code signing?
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.

(http://en.wikipedia.org/wiki/Code_signing)
What is GPO?
Group Policy is a feature of the Microsoft Windows NT family of operating systems that control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment.

(http://en.wikipedia.org/wiki/Group_Policy)
What is repadmin /replicate?
Triggers the immediate replication of the specified directory partition to a destination domain controller from a source domain controller.

(http://technet.microsoft.com/en-us/library/cc742152%28v=ws.10%29.aspx)
What is BIND?
BIND is an implementation of the Domain Name System (DNS) protocols. The name BIND stands for "Berkeley Internet Name Domain", because the software originated in the early 1980s at the University of California at Berkeley. In recent years, the word BIND has become, like "radar" and "snafu" and "laser" and "scuba", more word than acronym.

The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. What it means to say "BIND is an implementation of the DNS protocols" is that the BIND software distribution contains all of the software needed both to ask name service questions and to answer such questions.

(https://www.isc.org/software/bind/whatis)
What are the three parts of BIND?
1. A Domain Name System server.
2. A Domain Name System "resolver library".
3. Software tools for testing servers.

(https://www.isc.org/software/bind/whatis)
What is a Domain Name System server?
This is a program called "named", which is pronounced "name-dee" and stands for "name daemon". It answers questions that are sent to it, following the rules specified in the DNS protocol standards. You can provide DNS service on the internet by installing this software on a server computer and giving it correct information about your domain names.

(https://www.isc.org/software/bind/whatis)
What is a Domain Name System "resolver library"?
A "resolver" is a program that resolves questions about names by sending those questions to appropriate servers and responding appropriately to the servers' replies. A "resolver library" is a collection of software components that a programmer can add to software being developed, which will give that software the ability to resolve names. For example, a programmer who was programming a new web browser does not need to create the part of it that looks up names in DNS; he or she can plug in the resolver library and then send questions to the library software components. This saves time (the programmer does not need to re-invent that particular wheel) and helps ensure that the new browser correctly follows the DNS standards.

(https://www.isc.org/software/bind/whatis)
What are software tools for testing servers?
These are the tools that we use for testing, and we include them in the distribution in case you would like to do your own testing, perhaps to make sure your server configuration is working properly.

(https://www.isc.org/software/bind/whatis)
What is Schmmgmt.dll?
Description: The file schmmgmt.dll, also named Active Directory Schema Manager MMC SnapIn, is an application extension for the Microsoft Windows 2000 Operating System. The latest version was created on March 16, 2005 with a file size of 162064 bytes.

One function of the file schmmgmt.dll is to serve as the access point of the general programming language C++. Another task of the file schmmgmt.dll is to determine whether the dynamic-link library (DLL) is in use or not. If the DLL is not in use, then the caller who is using the function of the file schmmgmt.dll can safely unload the DLL from memory.

(http://dll.paretologic.com/detail.php/schmmgmt)
What is Audit object Access?
This security setting determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.

(http://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspx)
What is DISTGRP?
Distribution groups are mail-enabled Active Directory group objects that are created to expedite the mass sending of e-mail messages and other information within an Exchange organization.

(http://www.itcs.umich.edu/exchange/docs/Exchange_SelfServAdmin16_gd.pdf)
How do you use Allow Access Dial-in permission?
Remote Access Permission (Dial-in or VPN)

You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt. The Control access through Remote Access Policy option is only available on user accounts in a Windows 2000 native domain, a Windows Server 2003 domain, or for local accounts on stand-alone servers running Windows 2000, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

(http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx)
Active Directory Diagnostics Data Collector
Active Directory records events in the directory services log in Event Viewer. You can use the log to monitor the activity level of Active Directory or to investigate problems.

(http://technet.microsoft.com/en-us/library/cc961809.aspx)
Parameters of adprep /forestprep
Prepares a forest for the introduction of a domain controller that runs Windows Server 2008. You run this command only once in the forest. You must run this command on the domain controller that holds the schema operations master role (also known as flexible single master operations or FSMO) for the forest. You must be a member of all the following groups to run this command:

The Enterprise Admins group

The Schema Admins group

The Domain Admins group of the domain that hosts the schema master

(http://technet.microsoft.com/en-us/library/cc731728%28v=ws.10%29.aspx)
dnscmd /ZoneExport Parameters
ServerName
Specifies the DNS server the administrator is planning to manage, represented by local computer syntax, IP address, FQDN, or Host name. If omitted, the local server is used.

ZoneName
Specifies the name of the zone.

ZoneExportFile
Specifies the name of the file to create.

Remarks

The zoneexport operation creates a file of resource records for an Active Directory-integrated zone for troubleshooting purposes. By default, the file created by this operation is placed in the DNS directory, which is by default the %systemroot%/System32/Dns directory.

(http://technet.microsoft.com/en-us/library/cc756116%28v=ws.10%29.aspx#BKMK_25)
What is UGMC in Active Directory?
Universal Group Membership Caching

Universal groups allow users (and groups) from multiple domains to have membership in a single group that is available throughout the Active Directory forest. This is useful in a forest with multiple Active Directory domains to simplify resource access permissions. If users or groups from different domains need access to resources that are located in multiple domains, a universal group can be used to allow for that access. (http://www.informit.com/articles/article.aspx?p=415792)
What is raising the domain functional level?
You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The AD DS administrative tools that you use to raise the domain functional level (the Active Directory Domains and Trusts snap-in and the Active Directory Users and Computers snap-in) automatically target the PDC emulator when you raise the domain functional level.
ACL
Access Control List
ACPI
Advanced Configuration and Power Interface
D/AM
Active Directory an Power Interface
ADC
Active Directory Connector
ADM
Administrative Directory
ADO
ActiveX Data Objects
ADSI
Active Directory Server Interface
ADUC
Active Directory User and Computer
AE
Auditing Entry
ANR
Ambiguous Name Resolution
AXFR
Full Zone Transfer
BINL
Boot Information Negotiation Layer
CIW
Client Installation Wizard
DACL
Directory Access Control List
DC
Domain Component OR Domain Controller
DDNS
Dynamic DNS
DFS
Distributed File System
DIT
Directory Information Tree
DLT
Distributed Link Tracking
DN
Distinguished Name
DNS
Domain Name System
DSA
Directory System Agent
DS-RPC
Directory Service Remote Procedure Call
ESE
Extensible Storage Engine
FSMO
Flexible Single Master of Operations (Pronounced "fizmo")
GC
Global Catalog
GPC
Group Configuration Catalog
GPC
Group Policy Configuration
GPMC
Group Policy Management Console
GPO
Group Policy Object
GPOE
Group Policy Editor
GUID
Globally Unique Identifier
HCL
Hardware Compatibility List
IIS
Internet Information Services
IXFR
Incremental Zone Transfer
KCC
Knowledge Consistency Checker
L2TP
Layer 2 Tunneling Protocol
MMC
Microsoft Management Console
NC
Naming Context
NOS
Network Operating System
OU
Organizational Unit
PDC
Primary Domain Controller
PKI
Public Key Infrastructure
PPTP
Point to Point Tunneling Protocol
RAS
Remote Access Server
RDN
Relative Distinguished Name
RID
Relative Identifier
RIS
Remote Installation Services
RPC
Remote Procedure Call
SAM
Security Accounts Manager
SDOU
Site/Domain/Organizational Unit
SID
Security Identifier
SIS
Single Instance Store
SRV
Server Resource Record
SSM
Sites and Services Manager
TFTPD
Trivial File Transfer Protocol Daemon
TTL
Time To Live
UNC
Universal Naming Convention
UPN
Universal Principal Name OR User Principal Name
WINS
Windows Internet Naming Service
WMI
Windows Management Instrumentation
NTFS Folder Permissions - Full Control
Take Ownership of the folder, delete sub folders and files and change permissions. Also actions permitted by all other NTFS folder permissions. This permission grants administrative control and should not be given to end users.
NTFS Folder Permissions - Modify
Take actions permitted by the Write permission and the Read & Execute permission. Also delete the folder itself.
NTFS Folder Permissions - Read & Execute
Take actions permitted by the Read permission and the List Folder Contents permission. Also delete the folder itself.
NTFS Folder Permissions - List Folder Contents
See the names of files and sub folders in folder
NTFS Folder Permissions - Read
See Files and sub-folders in the folder. View ownership, permissions and attributes of the folder
NTFS Folder Permissions - Write
View the ownership and permissions of the folder. Create new sub-folders and files in the folder
NTFS File Permissions - Full Control
Take ownership of the file and change permissions. Also actions permitted by all other NTFS file permissions.
NTFS File Permissions - Modify
Take actions permitted by the Write permission and the Read & Execute permission. Also modify or delete the file.
NTFS File Permissions - Read & Execute
Take Actions Permitted by the Read Permission, plus run applications
NTFS File Permissions - Read
Read the file. View file attributes, ownership and permissions
NTFS File Permissions - Write
Overwrite the file. Change File Attributes. View file ownership and permissions
Special Permissions - Traverse Folder/Execute File
Traverse Folder: Move through folders to which the user does not have permission in order to reach files and folders for which the user does have permission
Special Permissions - List Folder/Read Data
List Folder: View the names of the folder's sub-folders and files. Read Data: View data in files
Special Permissions - Read Attributes
View the attributes of a file or folder, as those defined by NTFS
Special Permissions - Read Extended Attributes
View extended attributes of a file or folder. Extended attributes may vary, because they are defined by programs
Special Permissions - Create Files/Write Data
Create Files: Create files within a folder. Write Data: Make changes to the file; overwrite existing content
Special Permissions - Create Folders/Append Data
Create Folders: Create sub-folders within a folder
Special Permissions - Append Data
Add data to the end of a file. Does not allow changing, deleting or overwriting existing data
Special Permissions - Write Extended Attributes
Change the extended attributes of a file or folder. Extended attributes may vary because they are defined by programs
Special Permissions - Write Attributes
Change the attributes of a file or folder, as those attributes are defined by NTFS
Special Permissions - Delete Sub-folders and Files
Delete sub-folders and files, even if the Delete permission has not been granted on the sub-folder or file
Special Permissions - Delete
Delete the file or folder. A denied Delete permission can be overridden by the Delete Sub-folders and Files permission on the parent folder
Special Permissions - Read Permissions
Read the permissions on a file or folder
Special Permissions - Change Permissions
Change permissions on a file or folder
Special Permissions - Take Ownership
Take ownership of a file or folder
Special Permissions - Synchronize
Allows threads to wait on the handle for the file or folder and synchronize with any other thread that may signal it
Commands - browstat
Displays the status of browsers running in the domain
Commands - con2prt
Used to connect network printers to workstation
Commands - cusmgr
Assigns a random password
Commands - delprof
Used to delete user profiles
Commands - diruse
Displays the amount of directory space used by directories and sub-directories
Commands - dsadd
Adds an object to a directory
Commands - dsget
Displays attributes of an object in a directory
Commands - dsmod
Modifies an existing object in a directory
Commands - dsmove
Moves an object to a new location on the same domain controller. Renames an object without changing the location in the directory tree
Commands - dsquery
Finds an object in a directory
Commands - dsrm
Deletes an object in a directory
Commands - movetree
Used to move a leaf, container or subtree between domains
Commands - msconfig
MSConfig (officially called System Configuration in Windows Vista, Windows 7 and Windows 8 or Microsoft System Configuration Utility in previous operating systems) is a system utility to troubleshoot the Microsoft Windows startup process. It can disable or re-enable software, device drivers and Windows services that run at startup, or change boot parameters.

(http://en.wikipedia.org/wiki/MSConfig)
Commands - nbtstat
Identifies IP addresses in the NetBIOS/TCP remote cache table
Commands - netdom
Used to move workstations or member servers between domains
Commands - netsvc
Used to start, stop or query the status of services remotely
Commands - pathping
The PathPing tool is a route tracing tool that combines features of Ping and Tracert with additional information that neither of those tools provides. PathPing sends packets to each router on the way to a final destination over a period of time, and then computes results based on the packets returned from each hop. Since PathPing shows the degree of packet loss at any given router or link, you can pinpoint which routers or links might be causing network problems.

(http://technet.microsoft.com/en-us/library/cc958876.aspx)
Commands - Route
Defines manual host routes
Commands - SFC
Used to verify and correct file version problems
Commands - subinacl
Used to obtain and transfer security information about files, registry keys and services
Commands - tracert
Determines the route taken to a destination using ICMP echo packets
GPO Security Settings - Account Policies
Apply settings that govern how accounts on the system work
GPO Security Settings - Password Policy
Expiration Date and other password settings. Applied to entire domain
GPO Security Settings - Account Lockout Policy
Number of failed logon attempts allowed and length of lockout. Applied to entire domain
GPO Security Settings - Kerberos Policy
Kerberos security and ticketing policies to be applied to the domain
GPO Security Settings - Audit Policy
Items that write success or failure entries to the security event log. Applied to individual machines
GPO Security Settings - User Rights Assignment
Allows or denies additional abilities to accounts or the OS. Applied to individual machines
GPO Security Settings - Security Options
Security settings for one or more computers in an organization. Applied to individual machines
GPO Security Settings - Event Log
Sets properties on security, application and system event logs
GPO Security Settings - Restricted Groups
Forces groups on any computer to be members of other groups or to have members themselves
GPO Security Settings - System Services
Allows manipulation of services and sets permissions for access to those services
GPO Security Settings - Registry
Allows the addition of a file or directory on any computer, and automatically sets its permissions and auditing properties
GPO Security Settings - File System
Allows the addition of a registry key and sets its permissions for access to those services
GPO Security Settings - Security Policies
Specifies when IPsec is used. Allows configuring of all aspects of IPsec in Active Directory
GPO Security Settings - Public Key Policies
Allows setting of Public Key Infrastructure options.