123 Cards in this Set

  • Front
  • Back
In workgroup __________ is the authority for authentication
SAM

(Microsoft, 2011 p. 5-5)
In a domain, ___________________ is the authority for authentication
Active Directory

(Microsoft, 2011 p. 5-5)
Computers have _______________________ with the domain.
Trust relationship.

(Microsoft, 2011 p. 5-5)
You must have ________ in Active Directory services that allow you to join a computer to the domain.
permissions

(Microsoft, 2011 p. 5-6)
In order to change the domain or workgroup, you ___________________________.
Must be a member of the local administrators group.

(Microsoft, 2011 p. 5-6)
If you don't join a computer to an existing object, what happens?
Windows will create a computer object in the default computer container.

(Microsoft, 2011 p. 5-6)
The default Computers container is a ________________, not an _______________________.
container

organizationalUnit object

(Microsoft, 2011 p. 5-7)
Cannot link __________ to a container
GPOs

(Microsoft, 2011 p. 5-7)
Cannot create _____________ in a container
sub-OUs

(Microsoft, 2011 p. 5-7)
Servers are usually subdivided by ______________
server role

(Microsoft, 2011 p. 5-7)
Client Computers are usually subdivided by ________________
Region

(Microsoft, 2011 p. 5-7)
CN
Computer Name

(Microsoft, 2011 p. 5-7)
When you create a domain the _________________________ is created by default
Computers Container

(Microsoft, 2011 p. 5-7)
The computers container is __________________________
An object of the Container Class.

(Microsoft, 2011 p. 5-7)
Most organizations create at least two OUs for computer objects. What are they?
1. one to host computer accounts for client computers - desktops, laptops and other user systems

2. for servers

(Microsoft, 2011 p. 5-7)
How do you divide Organizational Units
Divide OUs based first on administration, then to facilitate configuration with Group Policy

(Microsoft, 2011 p. 5-7)
Prestage
Pre-create

Create a computer in the correct OU

(Microsoft, 2011 p. 5-8)
How do you create (prestage) a computer?
Right-click the OU and choose New > Computer


(Microsoft, 2011 p. 5-7)
Computer name and Computer Name (pre-Windows 2000) should _____________________
be the same

(Microsoft, 2011 p. 5-10)
prestaging
The process you complete to create a computer account before joining the computer to the domain is called prestaging the account.

(Microsoft, 2011 p. 5-10)
The System Properties dialog box or window prompts for __________________
Domain Credentials
and 
Requires Restart

(Microsoft, 2011 p. 5-11)
By prestaging a computer object, you fulfill the first two requirements for joining a computer to the domain
1. The computer object exists

2. you have specified who has permissions to join a computer with the same name to the domain.

(Microsoft, 2011 p. 5-11)
Once Prestaging is complete a local administrator of the computer can change the computer's _____________________ and _______________________________
1. change the computers domain membership

2. enter the specified domain credentials to successfully complete the process.

(Microsoft, 2011 p. 5-11)
When does group policy apply to the computer after joining the domain?
Immediately

(Microsoft, 2011 p. 5-13)
How to configure the default container in PowerShell
redircmp "DN of OU for new computer objects"

(Microsoft, 2011 p. 5-13)
How many domains can users join?
10

(Microsoft, 2011 p. 5-13)
What is the first problem with the Windows prestaging process?
First, the computer account created automatically by Windows is placed in the default computer container, which is not where the computer object belongs in most enterprises.

(Microsoft, 2011 p. 5-13)
What is the second problem with the Windows prestaging process?
Second, you must move the computer from the default computer container into the correct OU, which is an extra step that is often forgotten.

(Microsoft, 2011 p. 5-13)
What is the third problem with the Windows prestaging process?
Third, any domain user can also do this - no domain-level administrative permissions are required. Any user can join any computer to the domain if you don't manage and secure the process. Because a computer object is a security principal, and because the creator of a computer object owns the object and can change its attributes, this exposes a potential security vulnerability.

(Microsoft, 2011 p. 5-13)
DC
Domain

(Microsoft, 2011 p. 5-13)
What is the default computer container called?
Computers (CN=Computers,DC=Domain)

(Microsoft, 2011 p. 5-13)
What command is used to redirect the default computer container
redircmp.exe

(Microsoft, 2011 p. 5-14)
If a computer joins the domain without a prestaged computer account, and you apply some baseline GPO policies what happens to the group?
The new settings affect all the computers

(Microsoft, 2011 p. 5-14)
The creator of an object by default has permissions to _________________
join the computer to the domain.

(Microsoft, 2011 p. 5-14)
Why would you close the loophole?
so that nonadministrative users cannot join machines to the domain
You should change the ms-DS-MachineAccountQuota to
0

(Microsoft, 2011 p. 5-13)
CSVDE
Comma Separated Value Discretionary Exchange

Import (create) or export computer accounts

(Microsoft, 2011 p. 5-17)
LDIFDE
Lightweight Directory Access Protocol Data Interchange Format (LDIF)

Import(create), modify, or export computer accounts

(Microsoft, 2011 p. 5-17)
DSadd
- Create computer accounts and set initial properties
- import and automate the creation of computer objects

(Microsoft, 2011 p. 5-17)
NetDom
- Create computer accounts

- join machines to a domain

(Microsoft, 2011 p. 5-17)
Windows PowerShell with Active Directory Module
Create and manage computer accounts

(Microsoft, 2011 p. 5-17)
Scripts can allow you to provision computer objects, that is
to perform business logic such as the enforcement of computer naming conventions
PowerShell Command for CSVDE.exe
csvde -i -f filename [-k]

(Microsoft, 2011 p. 5-17)
csvde

what is -i
Import (default mode is export)

(Microsoft, 2011 p. 5-18)
csvde

what is -k
Continue past errors (such as Objects Already Exists)

(Microsoft, 2011 p. 5-18)
When importing computers with CSVDE ______________________________________
Include userAccountControl column (set to 4096) and sAMAccountName column (set to computername$)

(Microsoft, 2011 p. 5-18)
What is the breakdown of csvde [-i] [-f "filename"] [-k]
The -i option specifies import mode; without it, the default mode of CSVDE is export. The -f option identifies the file name to import from or export to. The -k option is useful during import operations because it instructs CSVDE to ignore errors, including "object already exists," "constraint violation," and "attribute or value already exists."

(Microsoft, 2011 p. 5-18)
Comma-delimited files can be created, modified, and opened with tools as familiar as __________________
- Notepad
- MS Excel
- others

(Microsoft, 2011 p. 5-18)
What does the first line of the comma-delimited file mean?
it defines the attributes by their LDAP attribute names. Each object follows, one per line, and must contain exactly the attributes listed on the first line.

(Microsoft, 2011 p. 5-18)
When importing computers be sure to include an attribute set to ____ to be sure the computer can join the account.
4096

(Microsoft, 2011 p. 5-18)
LDIFDE.exe
ldifde [-i] [-f filename] [-k]

(Microsoft, 2011 p. 5-19)
ldifde [-i] [-f filename] [-k]

What does the -i mean?
Import - the default mode is export

(Microsoft, 2011 p. 5-19)
ldifde [-i] [-f filename] [-k]

What does the -k mean?
Continue past errors (including objects already exist)

(Microsoft, 2011 p. 5-19)
What format do the LDIFDE.exe import data files use? LDAP ______
Data Interchange Format (LDIF)

(Microsoft, 2011 p. 5-19)
What are LDIF files?
They are text files within which operations are specified by a block of lines separated by a blank line. Each operation begins with the DN attribute of the object that is the target of the operation. The next line, changeType, specifies the type of operation: add, modify or delete.

(Microsoft, 2011 p. 5-19)
What is changeType?
Specifies the type of operation

- Change
- Modify
- Delete

(Microsoft, 2011 p. 5-19)
Basic syntax of LDIFDE command
ldifde [-i] [-f "Filename"] [-k]

(Microsoft, 2011 p. 5-19)
If you do not use -k on LDIFDE, what happens when it encounters errors?
It Stops!

(Microsoft, 2011 p. 5-20)
DSAdd
creates objects in Active Directory

dsadd computer ComputerDN

(Microsoft, 2011 p. 5-21)
DSadd In Active Directory PowerShell
New-ADComputer -SamAccountName DESKTOP123 -Path 'OU=Client Computers,DC=contoso,DC=com'

(Microsoft, 2011 p. 5-21)
To create objects in Active Directory simply type ___________
dsadd computer ComputerDN

(Microsoft, 2011 p. 5-21)
DN
Distinguished Name

(Microsoft, 2011 p. 5-21)
CN=Desktop123,OU=NYC,OU=Client Computers,DC=contoso,DC=com is an example of ____________________
ComputerDN, the distinguished name (DN) of the computer

(Microsoft, 2011 p. 5-21)
If the computer's DN includes a space, surround the entire DN with quotation marks.

The DSadd computer command can take the following options after the DN option
-samid ComputerName

-desc Description

-loc Location

(Microsoft, 2011 p. 5-21)
New-ADComputer -SamAccountName DESKTOP123 -Path 'OU=Client Computers,DC=Contoso,DC=com' is what?
PowerShell command in Windows Server 2008 R2 to create a new computer account in AD DS

(Microsoft, 2011 p. 5-21)
For full explanation of the parameters that you can pass to New-ADComputer, at the Active Directory module command prompt, type _____________________________
Get-Help New-ADComputer -detailed, then press Enter

(Microsoft, 2011 p. 5-21)
NetDom and PowerShell

-create an account
netdom add ComputerName /domain:DomainName [/ou:'OUDN']
[/UserD:DomainUsername /PasswordD:DomainPassword]

(Microsoft, 2011 p. 5-22)
NetDom and PowerShell

- Join the domain (and if necessary, create an account)
netdom join MachineName /Domain:DomainName
[/OU:'OUDN']

[/UserD:DomainUserName] [/PasswordD:{DomainPassword|*}]

[/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/SecurePasswordPrompt]
[/REBoot[:TimeInSeconds]]

(Microsoft, 2011 p. 5-22)
What does the command netdom add ComputerName /domain:DomainName [/ou:'OUDN'] [/UserD:DomainUsername /PasswordD:DomainPassword] mean?
This command creates the computer account for ComputerName in the domain indicated by the /domain option, using the credentials specified by /UserD and /PasswordD. The /ou option causes the object to be created in the OU specified by the organizational unit distinguished name (OUDN) following the option. If no OUDN is supplied, the computer account is created in the default computer container. The user credentials must, of course, have permissions to create computer objects.

(Microsoft, 2011 p. 5-22)
/reboot
causes the system to reboot after joining the domain

(Microsoft, 2011 p. 5-23)
/SecurePasswordPrompt
Displays a popup for credentials when * is specified for either /PasswordO or /PasswordD.

(Microsoft, 2011 p. 5-23)
Description Attribute
Describes the attribute

(Microsoft, 2011 p. 5-32)
Location Attribute
- used by location-aware applications such as Search for Printers

example: US\WA\SEA\HQ\Building33\Floor3\Q04\1531

(Microsoft, 2011 p. 5-32)
Managed By Attribute
- Link user who is the primary user of the computer

-Link to Group that is responsible for the computer (servers)

(Microsoft, 2011 p. 5-32)
Member of Attribute
- Groups: Group Policy Filtering, software deployment

(Microsoft, 2011 p. 5-32)
dsmod computer attribute
"ComputerDN" [-desc "description"] [-loc "Location"]

(Microsoft, 2011 p. 5-32)
What attribute does this PowerShell Command represent Set-ADComputer LON-SRV1 -Managedby 'CN=SQL Administrator 01,OU=UserAccounts,OU=Managed,DC=Contoso,DC=com'
ManagedBy attribute

(Microsoft, 2011 p. 5-32)
What are the ways to move a computer in Active Directory?
- Drag and Drop
- Right Click the Computer

(Microsoft, 2011 p. 5-34)
What does this PowerShell command do? dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
Moves a computer

(Microsoft, 2011 p. 5-34)
What PowerShell command is used to rename a computer?
-newname NewName

(Microsoft, 2011 p. 5-34)
What PowerShell command is used to move a computer to the OU specified by the ParentDN?
-newparent ParentDN

(Microsoft, 2011 p. 5-34)
Using Windows PowerShell with pipelining
Get-ADComputer | Move-ADObject

(Microsoft, 2011 p. 5-34)
DSMove command
allows you to move a computer object or any other object.

(Microsoft, 2011 p. 5-34)
What are 3 scenarios where the secure channel can be broken?
1. Reinstalling computer, even with the same name, generates a new SID and password

2. Restoring a computer from an old backup, or rolling back a computer to an old snapshot

3. Computer and domain disagree about what the password is

(Microsoft, 2011 p. 5-36)
Every computer in an Active Directory domain maintains a computer account with
- user name (sAMAccountName)
- password

(Microsoft, 2011 p. 5-36)
LSA
Local Security Authority

This is how the computer stores its passwords

(Microsoft, 2011 p. 5-36)
LSA changes its password
every 30 days or so

(Microsoft, 2011 p. 5-36)
Why is the secure channel broken after reinstalling the operating system on a workstation?
The workstation is unable to authenticate, even though the technician used the same computer name, because the new installation generated a new SID and does not know the computer account password in the domain. It therefore does not belong to the domain and cannot authenticate to the domain.

(Microsoft, 2011 p. 5-36)
Why is the secure channel broken when a computer is completely restored from backup and is unable to authenticate?
It is likely that the computer changed its password with the domain after the backup operation. Computers change their passwords every 30 days, and Active Directory remembers only the current and previous password, so the restored computer no longer knows a password the domain accepts. It does not belong to the domain and cannot authenticate to the domain.

(Microsoft, 2011 p. 5-36)
Why is the secure channel broken when a computer's LSA secret gets out of synchronization with the password known by the domain?
You can think of this as the computer forgetting its password; although it did not forget its password, it just disagrees with the domain over what the password really is. When this happens, the computer cannot authenticate and the secure channel cannot be created.

(Microsoft, 2011 p. 5-36)
Event log errors include
-password
-mistrust
-secure channel
-relationship with the domain or domain controller
-missing computer account in Active Directory

(Microsoft, 2011 p. 5-37)
When resetting a computer account, DO NOT
simply remove a computer from the domain and rejoin

- Creates a new account: new SID, lost group membership

(Microsoft, 2011 p. 5-38)
What are the options for resetting the secure channel?
1. Active Directory Users and Computers

2. DSMod*

3. NETDom

4. NLTest

5. Windows PowerShell
(Microsoft, 2011 p. 5-38)
Resetting the secure channel for Active Directory Users and Computers
- Right-click the computer, and then click Reset Account

- Requires the computer to rejoin the domain and restart

(Microsoft, 2011 p. 5-38)
Resetting the secure channel for DSMod*
dsmod computer "ComputerDN" -reset

(Microsoft, 2011 p. 5-38)
Resetting the secure channel for NetDom
netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}

(Microsoft, 2011 p. 5-38)
Resetting the secure channel for NLTest
nltest /server:ServerName /sc_reset:DOMAIN\DomainController

Resetting the secure channel in Windows PowerShell
Test-ComputerSecureChannel -Repair

(Microsoft, 2011 p. 5-38)
What must you do when the secure channel fails?
You must reset the secure channel

(Microsoft, 2011 p. 5-38)
How do you rename a computer in Active Directory?
Use System Properties of the computer to rename the computer and its account correctly

(Microsoft, 2011 p. 5-40)
How do you rename a computer in NetDom
netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

(Microsoft, 2011 p. 5-40)
How do you rename a computer in Windows PowerShell
Rename-Computer

(Microsoft, 2011 p. 5-40)
Why would you disable a computer?
- user will be offline for an extended time

- Prevents secure channel from being established, so users who do not have cached credentials on the computer cannot log on

(Microsoft, 2011 p. 5-42)
How do you enable and disable a computer in Active Directory?
Right Click Computer
-> Click Enable or Disable

(Microsoft, 2011 p. 5-42)
How do you enable or disable a computer in DSMod?
dsmod computer ComputerDN -disabled yes

dsmod computer ComputerDN -disabled no

(Microsoft, 2011 p. 5-42)
How do you delete and Recycle computer user accounts in Active Directory?
Right click the computer
-> click delete

(Microsoft, 2011 p. 5-43)
How do you delete a computer with DSRM?
dsrm ObjectDN

(Microsoft, 2011 p. 5-43)
When replacing or reinstalling a computer, if the computer will play the same role, what should you do?
Reset the computer account, instead of deleting it

(Microsoft, 2011 p. 5-43)
Why do you reset a computer account instead of deleting it?
It preserves all attributes of a computer, including SID and group memberships.

(Microsoft, 2011 p. 5-43)
How do you delete an object from the command prompt
dsrm ObjectDN

(Microsoft, 2011 p. 5-43)
dsrm ObjectDN
Where ObjectDN is the distinguished name of the computer, such as "CN=Desktop154,OU=NYC,OU=Client Computers,DC=contoso,DC=com". Again, you will be prompted to confirm the deletion.

(Microsoft, 2011 p. 5-43)
What is resetting a computer?
Resetting a computer account resets its password but maintains all of the computer object's properties. With a reset password, the account becomes, in effect, available for use. Any computer can then join the domain using that account, including the upgraded system, assigning the account to a new piece of hardware. You can even rename the account. The SID and group memberships remain the same.

(Microsoft, 2011 p. 5-44)
What is an Offline Domain Join?
An Offline Domain Join allows a client to fully achieve a domain-joined state without ever having communicated with a domain controller.

(Microsoft, 2011 p. 5-50)
When is a trust relationship established between a computer and a domain?
as soon as the network connection with a domain controller is established.


(Microsoft, 2011 p. 5-50)
What are the requirements of an Offline Domain Join?
- No function or domain functional level requirements

- No Windows Server 2008 R2 domain Controllers required

- The computer being joined must be a Windows 7 client or a Windows Server 2008 R2 member


(Microsoft, 2011 p. 5-50)
When would you benefit from the Offline Domain Join feature
When deploying virtual machines. Offline Domain Join makes it possible for you to join virtual machines to the domain when they initially start following the operating system installation. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.


(Microsoft, 2011 p. 5-50)
What is the process for Performing an Offline Domain Join
(Microsoft, 2011 p. 5-5)
Prerequisites for performing Offline Join
- Run Windows 7 or Windows Server 2008 R2

This applies to both the computer joining the domain and the computer running Djoin.exe

(Microsoft, 2011 p. 5-51)
The base-64-encoded metadata blob that is created by the provisioning command contains very sensitive data and should be treated just as securely as ______________
plain text

(Microsoft, 2011 p. 5-52)
Unattend.xml file
You can perform an unattended domain join during operating system installation by providing information that is relevant to the domain join, using deployment tools such as Windows System Image Manager

(Microsoft, 2011 p. 5-52)
Best Practices Related to Computer Account Management
1. Always provision a computer account before joining computers to a domain and place them in appropriate OU.

2. Redirect the default Computer Container to another location.

3. Reset the computer account, instead of just doing a disjoin and rejoin.

4. Integrate the Offline Domain Join Functionality with unattended Installations
(Microsoft, 2011 p. 5-57)
Windows PowerShell with Active Directory Module
New Administrative utility for Active Directory based on Windows PowerShell
Offline Domain Join
New Feature in Windows Server 2008 R2 and Windows 7 that allows you to join machines to domain even when they don't have network connection to domain controller.

(Microsoft, 2011 p. 5-57)