Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
107 Cards in this Set
- Front
- Back
|
What are the Sytem Requirements to run AD RMS?
|
-Pentium 4.3 GHz or higher
-512MB RAM -40GB HDD -OS of Windows Server 2008 except Web Edition or Itanium Based systems -FAT32 or NTFS file system -Message Queing -IIS with ASP.NET enabled web service |
|
|
What are the considerations for AD RMS?
|
-Reserve URLs that will not change and do not include a computer name nor use localhost
-An AD DS domain running on Windows 2000 SP3, 2003, or Windows Server 2008 -AD RMS must be installed in the same domain as its potential users. -Domain User accounts are email address configured in AD DS. -A service account must be a standard domain user account that is a member of the local Administrators group. -An installation account must be a domain based account; not on a smart card;local admin privileges;must be a member of the Enterprise Admins group; to use external database, must be a member of System Admins role on DB server;Needs to have Windows Internal Database or SQL server 2005 with SP2 or later;create and name the AD RMS database instance and start the SQL server browser before installation for database instance;Obtain an SSL certificate for the AD RMS cluster -Protect Cluster key in the AD RMS configuration database. -For DNS configuration, create custom CNAME records for the root cluster URL and the database server -Prepare an official Server licensor certificate name before you install -Client needs AD RMS enalbed browser or app. -Smart Card usage can be integrated in AD RMS but not for setup. -Client Os needs to be VIsta or XP with RMS Client with SP2 |
|
|
What is a Server License certificate (SLC)?
|
it is a self-signed certificate generated during the AD RMS cetup of the frst server in a root cluster.
|
|
|
What is a Rights Account Certificate (RAC)?
|
issued to trusted users who have an email enabled account in AD DS.
-RACs are generated when the user first tries to open rights-protected content. -have a duration of 365 days -Temp RACs do not tie the user to a specific computer and are valid for only 15 minutes -contains the public key of the user as well as his or her private key. |
|
|
What is a Client Licensor certificate (CLC)?
|
After the user has a RAC and launches an AD RMS-enabled application the application automatically sends a request for a CLC to the AD RMS cluster.
-includes the client licensor public key, the client licensor private key that is encyrpted by the user's public key, and the AD RMS cluster's public key. |
|
|
What is a Machine Certificate?
|
The first time an AD RMS enabled applicaton is used a machine certificate is created.
-contains the public key for the activated computer. Private key is containted within the lockbox on the computer. |
|
|
What is a Publishing License?
|
created when the user saves content in a rights protected mode. the license lists which users can use the content and under which conditions as well s the rights each user has to the content.
-includes the symmetric content key for decrypting content as well as the public key of the cluster. |
|
|
What is a Use license?
|
The use license is assigned to a user wh opens rights-protected content.
|
|
|
What is a Federated Web SSO?
|
usually spans firewalls because it links applications contained within an extranet in a resource organization to the internal directory stores of account organizations.
The only trust that exists in this model is the federation trust.. It is always a one-way trust from the resource organization to the account organizations. -This is the most common deployement scenario. |
|
|
What is a Federated Web SSO with Forest Trust?
|
the organization uses two AD DS forests. One is internal and the is an external forest located with in a perimeter network.
-internal users have access to the applications from both the internal newtork and internet. -external users have access to the applications only from the internet |
|
|
What is a Web SSO?
|
use when all the users for an extranet application are external and do not have accounts within an AD DS domain.
|
|
|
What kind of certificate does a Federation server need in an AD FS environment?
|
server authentication certificate and a token signing certificate
|
|
|
What kind of certificate does a Federation Service Proxy use?
|
must have a server authentication certificate to support SSL-encrypted communications with Web clients
-must also have a client authentication certificate to authenticate the federation server during communications. |
|
|
What kind of certificate des an AD FS Web Agent use?
|
server authentication certificate to secure its communications with web clients.
|
|
|
Is publisng CA configuration to AD DS directories optional or mandatory for a Standalone CA?
|
optional
Mandatory for Enterprise |
|
|
What is a Domain?
|
An administratively defined collection of network resources that share a common directory database and security policies.
|
|
|
What are objects?
|
Within an active directory, each resource is identified as an object.
-Each object contains attributes -Active Directory uses DNS for locating and naming objects -Container objects hold or group other objects, either other containers or leaf objects |
|
|
What is the Schema?
|
The schema identifies the object classes that exist in the tree and the attributes of the object.
|
|
|
What is an OU?
|
An organizational unit is like folder that subdivides and organizes network resources within a domain.
-is a container object -can be used to logically organize network resources simplifies security administration -first level ous are called parents -second level ous are called children -ous can contain other ous or any type of leaf object. |
|
|
What are Generic Containers?
|
used to organize Active Directory objects.
-created by default -cannot be created, moved, renamed, or deleted. -have very few editable properties. |
|
|
What is a tree?
|
A group of related domains tha share the same contiguous DNS name space.
|
|
|
What is a forest?
|
a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.
|
|
|
What is a Domain Controller?
|
a server that holds a copy of the Active directory database that can be written to.
|
|
|
What is a Global Catalog?
|
A database that contains a partial replica of every object from every domain within a forest.
|
|
|
What is an AD DS?
|
a distributed database that stores and manages information about network resources, such as users, computers and printers.
|
|
|
What is AD LDS?
|
An LDAP directory service that you can use to create a directory store for use by directory-enabled applications.
-formerly known as ADAM. |
|
|
What is AD FS?
|
a feature that enables secure access to web applications outside of a user's home domain or forest.
-provides web SSO |
|
|
What is AD RMS?
|
a feature that safeguards digital information from unauthorized use.
|
|
|
What is AD CS?
|
an identity and access control feature that creates and manages public key certificates used in software security systems.
|
|
|
What are the steps to prevent objects from accidental deletion?
|
In AD Users and Computers or Active Directory Sites and Services...do either or...
-On the object tab, select the Protect object from accidental deletion check box. -On Security tab, select the Deny Delete All Child Objects advanced permission for Everyone. |
|
|
Where does Windows store standard zone data?
|
%windir%\System32\Dns
|
|
|
How do you change the replication scope for a zone using an application partition?
|
dnscmd/zonechangedirectorypartition
/foest /domain |
|
|
What cmdlets are used to manage user accounts?
|
-New-ADUser...creates a new AD user
-Get-ADUser..displays one or more AD user's profile -Set-ADUser...modifies an AD user -Enable-ADAccount/Disable-ADAccount...enables/disables an AD account. -Search-ADAccount...gets AD user, computer, and service accounts -Import-Module ActiveDirectory...to use AD module for Windows Powershell. |
|
|
How do you perform and offline domain join?
|
Djoin.exe/provision then copy resulting file to the computer that you want to join to the domain.
run Djoin.exe/requestI=ODJ |
|
|
Can you convert a group from global to domain local or domain global?
|
No. Not directly. First convert the group to a universal group and apply the changes, then convert the group to the desired scope.
|
|
|
What are the requirements to join a computer to a domain?
|
You must be a member of the Administrators group on the local computer or be given necessary rights.
|
|
|
What utilities do you use to create computer accounts from a command prompt or script?
|
-dsadd
-netdom |
|
|
What is a managed service account?
|
a new account type available in Windows Server 2008 R2 and Windows 7. Provides the same benefits of using a domain user account with these improvements.
-passwords managed and reset automatically -when running at Win Server 2008 R2 functional level the SPN does not need to be managed as with local accounts. |
|
|
What is a Virtual Account?
|
a new account type that are not created deleted.
|
|
|
What is AGDLP?
|
a strategy to manage users, groups, and permissions.
-A place user accounts -G into Global groups -DL into Domain Local groups -P assign permissions to domain local groups. Used in mixed mode. Universal groups not available in mixed mode. |
|
|
What is AGUDLP?
|
Same as AGDLP except Universal groups are used.
Used in nateve mode where this more than one domain and you need to grand access to similar groups defined in multiple domains. |
|
|
What do you use Active Directory Users and Computers for?
|
Use it to create, organize, and delete objects in Active Directory.
|
|
|
How do you access Active Directory Users and Computers?
|
-Server Manager
-Admin Tools -Running dsa.msc |
|
|
What is ADSI Edit?
|
It is the Active Directory Service Interfaces Editor.
-use it to query, view, and edit attributes that are not exposed through other MMC snap-ins. |
|
|
What is Dsadd used for?
|
creates a new object in Active Directory
|
|
|
What is Dsquery used for?
|
finds objects that match the search criteria. Returns a list of objects that match the search criteria.
|
|
|
What is Dsget used for?
|
retrieves property info about an object.
|
|
|
What is Csvde used for?
|
used to import and export Active Directory objects using a comma-seperated list file.
-PASSWORD ARE NOT EXPORTED. |
|
|
What is Ldifde used for?
|
imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
-passwords are NOT exported. |
|
|
How do you export user accounts and import them with a password?
|
-Export the user accounts
-Import the user accounts to create the accounts. User will be forced to change the password at next logon. -Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and add entries to enable the account -Run Ldifde using the file with the passwords to modify the existing user accounts. |
|
|
What is Powershell?
|
a command line environment designed for automating administration and maintenance for Windows Server 2008 and Windows Server 2008 R2.
|
|
|
What is the general syntax of Powershell cmdlts?
|
(command)-ADObject
|
|
|
What is Ldp?
|
allows you to search for and view the properties of multiple Active Directory objects.
-GUI based |
|
|
What is the ADMT?
|
-Active Directory Migration tool.
GUI based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another. |
|
|
What is the Active Directory Administrative Center?
|
an Active Directory management GUI tool built on Windows Powershell.
-Creates or manages new or existing user accounts groups, computer accounts, organizational units and containers -Connect to one or several domains or domain controllers in the same instance of AD Admin Center. -Change domain and forest functional levels -Filter Active Directory data by using queries. |
|
|
What is SOA?
|
-Start of Authority record.
-first record in any DNS database file. -defines general paremeters for DNS zone. -only one SOA |
|
|
What is NS?
|
-Name Server
-identifies all name servers that can perform name resolution for the zone. |
|
|
What is an A host?
|
maps an IPv4 DNS host name to an IP address.
|
|
|
What an AAAA?
|
maps an IPv6 DNS host name to an IP address.
|
|
|
What is a CNAME?
|
provides alternative names to hosts that already have a host record.
|
|
|
What is DNAME?
|
provides alternative names to domains that already have a host record.
|
|
|
what is SRV?
|
used by Windows Server 2008 to register network services.
|
|
|
What is PTR?
|
in a reverse lookup zone, the PTR reodrd maps an IP address to a host name.
|
|
|
What does a full zone transfer copy?
|
It copies all of the zone data with each zone transfer.
|
|
|
Who initiates a zone transfer?
|
the secondary server ALWAYs initiates the zone transfer.
|
|
|
What is DNS Notify?
|
-master servers are configured with a list of slave DNS servers.
-when a change takes place, the master notifies the slave servers that the zone has changed. -the secondary server then initiates zone transfer, first checking the serial number, then requesting changes. |
|
|
How do you improve DNS performance?
|
place multiple DNS servers on your network.
|
|
|
What does a caching only server do?
|
runs DNS but has no zones configured.
-Use a caching only server to improve performance while eliminating zone transfers. |
|
|
When can you disable zone transfers?
|
If a zone is AD-integrated and has no secondary servers, you can disable zone transfers.
|
|
|
What is a forwarder?
|
a DNS server that can be used by another DNS server to resolve queries for records that cannot be resolved through the cache.
|
|
|
What is a secondary zone?
|
you can eliminate the need for a forwarder for a specific zone by adding a secondary zone to the server.
|
|
|
What is a stub zone?
|
a zone with only a partial copy of the zone database. It holds only the following
-SOA record for the zone -NS records for all authoritative DNS servers for the zone. -A records for authoritative name servers identified in the NS records. |
|
|
What is a conditional forwarder?
|
a forwarder that is used for a specific domain.
|
|
|
When should you use a conditional forwarder?
|
use a conditional forwarder to eliminate all zone transfer traffic, or in conditions where you are not allowed to transfer data from a zone.
|
|
|
What is recursion?
|
the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution.
|
|
|
What are Root hints?
|
pointers to top level DNS servers on the internet.
|
|
|
What is DNS Round Robin?
|
a local balancing mechanism used by DNS servers to share and distribute network resorce loads.
|
|
|
What is Background Zone Loading?
|
DNS servers loads zone data from AD DS in the background while the server restarts.
|
|
|
What is an RODC?
|
-Read Only Domain Controller
-an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. |
|
|
What is the No-refresh interval?
|
the time between the record's last refresh and when it can next be refreshed.
|
|
|
What is the refresh-interval?
|
identifies a period of time when a record can be refreshed. It begins when the no-refresh interval ends.
|
|
|
What is the command adprep/forestprep used for?
|
used to update the Windows Server 2003 or Windows 2000 Server Active Directory schema for Windows Server 2008 or Windows Server 2008 R2.
-run it only once in the forest -run on the domain controller that holds the schema master. -must be a member of the Admins group, Schema Admnis group, and the Domain Admins group. |
|
|
What is the command adprep/domainprep used for?
|
-prepares a domain for a Windows Server 2008 or Windows Server 2008 R2 domain controller.
-run on the controller that holds the infrastructure operations master. -run AFTER the adprep/forestprep command finishes and after the changes replicate to all domain controllers in the forest. -run in each domain where you plan to add a domain controller. -must be a member of Domain Admins |
|
|
What is the adprep/rodcprep used for?
|
use if you plan on installing an RODC in any domain in the forest.
-run only once in the forest. -can run this command on any computer in the forest. -must be a member of the Enterprise Admins. |
|
|
When installing a new Windows Server 2008 or 2008 R2, what must the first domain controller be?
|
It must be a Global catalog server.
|
|
|
What must you do if you are installing a new Windows Server 2008 or 2008 R2 domain controller to create a new domain in an existing Windows 2000 or Window Server 2003 forest.
|
-run adprep/forestprep if this the first Windows Server 2008 or Windows Server 2008 R2 domain controlle in the forest.
-Run adprep/rodc if you are making an rodc -schema must be updated before the os is installed if you are performing an unattended intsallation of AD DS. |
|
|
What are the methods that can be used for installing AD DS?
|
-Active Directory Domain Services Installation Wizard
-Command line (dcpromo) -Answer file -AD DS installation (media) (use ntdsutil.exe) |
|
|
What command is used to remove AD DS?
|
dcpromo.exe
|
|
|
What do you do to remove a domain controller from a domain?
|
-transfer the operations master roles hosted by the domain controller to the other domain controllers
|
|
|
What do you do if you are removing the last domain controller from a domain?
|
-move all forest operations master roles
|
|
|
What do you do if you are removing the last domain controller from a FOREST?
|
wizard...select Delete the domain and forest
|
|
|
What is available at 2000 Native Domain functional level?
|
-universal groups are available for security and distribution
-group nesting -Group converting -Security Identifyer history |
|
|
What is available at the 2003 domain functional level?
|
-All features in 2000 Native
-Domain controller rename -Update logon time stamp -User password on IetOrgPerson object -User and computer container redirect. -Constrained delegation allows applications to take advantage of the secure delegation of user credentials using Kerberos-based authentication -Selective authentication allows you to specify users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest. |
|
|
What is available at the 2008 domain functional level?
|
includes all features available in 2003 and adds following...
-DFS for SYSVOL -AES -Last Interactive Logon Info. -Fine-grained password policies that allow you to specify password and account lockout policies for users and global security groups in a domain. |
|
|
What is available at the 2008 R2 domain functional level?
|
includes all previous features and adds...
-Authentication Mechanism Assurance (AMA) allowing you to control access to network resources based on the type of certificate used during logon. -Automatic Service Principle Name (SPN) management when using managed service and virtual accounts. |
|
|
What forest functional level must you be at to use the Active Directory Recycle Bin?
|
Windows Server 2008 R2?
|
|
|
What is a Site Link Bridge?
|
a collection of two or more site links that can be grouped as a single logical link.
-enabled by default -if disabled, you must manually specify site link bridges |
|
|
What is a Bridgehead server?
|
a domain controller in a site that replicates with domain controllers in other sites.
-REPLICATION WITHIN A SITE DOES NOT USE BRIDGEHEAD SERVERS |
|
|
What can be used to allow replication within mail messages in environments where WAN links are not available?
|
SMTP
-cannot replicate only the configuration and schema directory partitions and global catalog read only replicas. -requires an enterprise CAwhen you use it over site links. |
|
|
What is site link cost?
|
a number assigned to a site link that identifies the overall relative cost of using that site link.
-default is 100 -the lower the number, the more preferred the site link. |
|
|
What commands can you use to force replication?
|
-Replicate now
-repadmin.exe/replicate |
|
|
What are the stages of of DFS migration?
|
1. Not initiated
2. Global state 0...this stage DFS replication has not started yet. FRS is still being used 3. Global State 1...DFS begins to replicate but FRS is still the main replication method. 4. Global State 2....FRS continues to replicate but DFS becomes master 5. Global State 3...FRS completely stops and DFS becomes sole source of replication. |
|
|
What does the schema master do?
|
Maintains the AD schema for the forest.
|
|
|
What does the Domain Naming Master do?
|
Adds new domains to and removes existing domains from the forest.
-ensures that domain names are unique |
|
|
What does the RID master do?
|
It allocates pools or blocks of numbers that are used by the domain controller when creating new security principles.
|
|
|
What does the PDC emulator do?
|
acts like a Windows NT 4.0 Primary Domain Controller. It performs other tasks normally associated with NT domain controllers.
|
|
|
What is the Infrastructure Master responsible for?
|
It is responsible for updating changes made to objects.
|
