Key Terms
Active Directory Domains and Trusts: A Windows utility that manages Active Directory trust relationships and domain functional levels.
Active Directory Sites and Services: A Windows utility that manages site objects and Global Catalog functionality for an Active Directory domain.
Active Directory Users and Computers: A Windows utility that manages Active Directory objects.
Bridgehead Server: A domain controller that is responsible for intersite replication.
Container Object: An Active Directory object that contains other Active Directory objects.
Directory Partitions: Divisions of the Active Directory database.
Distribution Group: A group type that can be used to relay email to the members of the group.
Domain: A portion of the Domain Name Space.
Domain Controller: A computer that hosts the Active Directory database.
Lesson 2
Domain Functional Level: A mode that indicates the level of backwards compatibility for Active Directory domain controllers.
Domain Naming Master: An Active Directory FSMO role that enforces the uniqueness of domain names within a forest.
Dynamic Update: The process whereby a computer automatically creates or updates its DNS records on a DNS server.
Flexible Single Master Operations (FSMO): A domain controller role that provides a unique function within an Active Directory domain or forest.
Forest: The largest container object within Active Directory.
Forest Functional Level: A mode that represents the level of backwards compatibility for legacy domain controllers within an Active Directory forest.
Forest Root Domain: The first domain within an Active Directory forest.
Global Catalog (GC): An Active Directory database and service that records user and group object information for the forest to ensure quick access and searching.
Globally Unique IDentifier (GUID): A unique number assigned to every Active Directory object.
Group Policy Objects (GPOs): An object that contains a set of configuration settings that are applied to users and computers.
Group Scope: The Active Directory domains that can assign permissions to an Active Directory group.
Infrastructure Master: An FSMO role that updates group membership across domains within a forest.
Kerberos
Leaf Object: An object within Active Directory that does not contain other Active Directory objects.
Lightweight Directory Access Protocol (LDAP): The protocol used to search the Active Directory database.
PDC Emulator: An FSMO role that manages time synchronization, password changes, and BDC replication within an Active Directory domain.
RID Master: An FSMO role that generates Relative Identifiers for objects within a
Schema Master: The FSMO role that has the ability to modify the Active Directory
Security Accounts Manager (SAM): The portion of the Windows registry that contains local user accounts and user accounts within a Windows NT4 domain.
Security Group: An Active Directory group type that can be assigned permissions and rights to resources.
Security IDentifier (SID): A unique identifier assigned to a user account for use in permissions and rights assignments.
Service Record (SRV): A DNS record that is used to list services that are available on a specific computer.
Site Link: An object that is used to represent the physical connection between sites.
Site Object: An object that represents a physical location with a fast interconnect.
Subnet Object: An Active Directory object that represents an IP network used by a site object.
Tree: A group of Active Directory domains within the same forest that share the same domain name suffix.
Trust Relationship: An association between two Active Directory, NT4, or Kerberos domains that allows for remote resource access. It is also called a trust.
Universal Group Membership Caching (UGMC): A feature of an Active Directory site that allows domain controllers within the site to cache universal group memberships to speed logon times in a native mode domain.
User Principal Name (UPN): The unique name assigned to a user account in an Active Directory forest.
Multiple Choice
Circle the letter that corresponds to the best answer.

1. You receive an object-related error when attempting to create a new user account within your domain. What FSMO role should you ensure is online to complete the addition of the user account?
a. PDC Emulator
b. Domain Naming Master
c. Infrastructure Master
d. RID Master
The RID Master is used to generate RIDs for use when creating new objects.

2. You plan on promoting an existing Windows Server 2003 computer to become an additional domain controller in your domain. To which group must the user account you specify during the AD installation belong at minimum?
Domain Admins have the ability to add additional DCs to a domain. Enterprise Admins also have this ability, but can do so in any domain within the forest.

3. Which of the following utilities must you use to seize a FSMO role?
a. ntdsutil.exe
b. dcpromo.exe
c. Active Directory Domains and Trusts
d. Active Directory Sites and Services
Ntdsutil.exe is the only utility that can be used to seize a FSMO role.

4. Which of the following are container objects in the AD database? (Choose all that apply.)
a. group policy
b. site
c. domain
d. OU
Sites, domains and OUs can contain objects within AD. GPOs are objects themselves.

5. Which of the following objects is used to locate the correct site for a newly installed DC?
a. site link
b. subnet
c. locator
d. bridgehead
Subnet objects are linked to a site and used to determine the correct site for a DC that is configured for a particular subnet.

6. Several users called you today stating that they could not change their passwords. After investigating, you also noticed that the time on their computers was incorrect. Which of the following FSMO roles may be unavailable?
a. PDC Emulator
b. RID Master
c. Infrastructure Master
d. Schema Master
The PDC Emulator is responsible for password changes and time synchronization.

7. Which of the following DCs are allowed to participate in a Windows 2000 Native mode domain? (Choose all that apply.)
a. Windows NT4 Server
b. Windows 2000 Server
c. Windows Server 2003
d. Windows Server 2008
Only Windows 2000 Server and later operating systems can participate in a domain that is running at the 2000 Native mode functional level.
8. A single user within your organization calls you for help after having trouble logging on to the domain. Upon further investigation you notice that the user is able to log on to the domain from another computer and that no users are able to successfully log on to the domain from the user's original computer. What is the most likely cause of the problem?
a. The time on the computer is incorrect and must be changed
b. The user account has been disabled and must be enabled
c. The user account has been locked and must be unlocked
d. The computer account for the user's computer has become corrupted and must be reset
When a computer account becomes corrupted, no user will be able to log on to the domain from the affected computer. To remedy the situation, the computer account must be reset.

9. You wish to create a group that will contain the Marketing staff within your own domain. This group will be assigned permissions to resources in other domains within your forest. What is the most appropriate scope for this new group?
a. Local
b. Global
c. Domain Local
d. Universal
Global groups can contain members from the local domain and can be used globally within the forest. Although Universal groups can also be used for the same purpose, it is recommended that you minimize the use of Universal groups since they are stored in the GC.

10. When attempting to remove AD from an existing DC that you wish to decommission, you receive an error message. Which switch to the dcpromo.exe command will allow you to remove this DC from the domain?
a. /force
b. /remove
c. /forceremoval
d. /f
The /forceremoval switch to the dcpromo.exe command will remove AD if the dcpromo.exe wizard returns an error.
True/False
Circle T if the statement is true or F if the statement is false.

T F 1. Tokens are issued to users following authentication and used to provide access to resources that list the user in their ACL.
T F 2. When a domain functional level is set to Windows 2000 Interim, only Windows 2000 and later DCs are allowed to participate in domain authentication.
T F 3. Global groups may only be used in the local domain but can contain objects from any domain in the forest.
T F 4. Computer objects may be managed using the Active Directory Users and Computers console.
T F 5. By default, two-way transitive trusts exist between all domains in a forest.
T F 6. To control replication, you configure the properties of site link objects.
T F 7. When possible, you should ensure that each site in the forest contains a DC that contains the GC role.
T F 8. You can configure Group Policy using the Active Directory Domains and Trusts console.
T F 9. The Domain Naming Master FSMO role should be on a DC that contains the GC.
T F 10. A single AD domain can contain an unlimited number of objects.

Answers: 1. True 2. False 3. False 4. True 5. False 6. True 7. True 8. False 9. True 10. True
Review Questions
1. Explain why it is important to create sites after deploying your first domain in the forest.
It is important to create sites after deploying your first DC in the forest so that additional DCs are automatically added to the appropriate site. If DCs are located in different sites, AD replication will not occur as frequently across the sites by default, which results in less WAN link congestion.

2. Why will understanding the function and location of your FSMO roles help you troubleshoot AD problems?
FSMO roles provide unique functions within an AD domain and forest. Understanding FSMO roles will help you identify whether an AD-related problem is the result of a failed FSMO. Understanding which DCs hold these FSMOs will help you locate a failed FSMO role quickly so that you can seize the role on another DC.

3. Give some reasons why each AD site should contain a DC that hosts the GC.
Since the GC contains a list of all forest objects, placing a GC in each site will speed up access to resources that are not in the current domain. In addition, for domains that are at the Windows 2000 Native or higher functional level, universal group membership is stored in the GC and a GC must be contacted during the logon process. As a result, placing a GC in each site will ensure that logon traffic is localized to each site for these domains.

4. Explain why AD domains are a security and replication boundary.
Domains provide a security boundary because they have different administrator accounts and GPOs, and they prevent external access to resources unless a trust relationship exists. Domains also provide a replication boundary since most replication occurs in the domain partition of the AD database. This domain partition is shared only by DCs in the same domain. Only the occasional replication of schema and configuration partition information is sent to all DCs in the forest.
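Review questions 2 and 3 both come down to knowing, for a given forest, which DC holds each FSMO role and which sites have a GC. The script below is an added example written for this lesson, not part of the textbook; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it is run from a domain-joined session with read access to the directory. It lists the five role holders, checks that each one answers on the LDAP port, and then flags the two placement rules given in the answers above: every site with DCs should have a GC, and the Domain Naming Master should be a GC while the Infrastructure Master should not be.

```powershell
# Added example (not from the textbook): locate FSMO role holders and
# Global Catalog placement so a failed or misplaced role can be found quickly.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain   # the domain of the current session

# Forest-wide roles have one holder per forest; domain-wide roles have one
# holder per domain. The properties below return the holder's FQDN.
$roles = @(
    [pscustomobject]@{ Scope = 'Forest'; Role = 'Schema Master';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'Domain Naming Master';  Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'PDC Emulator';          Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'RID Master';            Holder = $domain.RIDMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster }
)

# A role holder that does not answer on LDAP (TCP 389) is the first thing to
# check when you see the symptoms in questions 1 and 6 above.
foreach ($r in $roles) {
    $reachable = Test-NetConnection -ComputerName $r.Holder -Port 389 -InformationLevel Quiet
    $r | Add-Member -NotePropertyName Reachable -NotePropertyValue $reachable
}
$roles | Format-Table Scope, Role, Holder, Reachable -AutoSize

# DCs of the current domain with their site and GC status.
$dcs = Get-ADDomainController -Filter *
$dcs | Sort-Object Site | Format-Table HostName, Site, IsGlobalCatalog -AutoSize

# Rule 1: each site that has DCs should also have a GC (or UGMC enabled).
$dcs | Group-Object Site |
    Where-Object { -not ($_.Group.IsGlobalCatalog -contains $true) } |
    ForEach-Object { Write-Warning "Site '$($_.Name)' has DCs but no Global Catalog." }

# Rule 2: the Domain Naming Master should be a GC.
$dnm = $dcs | Where-Object { $_.HostName -eq $forest.DomainNamingMaster }
if ($dnm -and -not $dnm.IsGlobalCatalog) {
    Write-Warning "Domain Naming Master $($dnm.HostName) is not a Global Catalog."
}

# Rule 3: the Infrastructure Master should not be a GC in a multi-domain forest
# (in a single-domain forest the role has nothing to update, so it does not matter).
$infra = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($infra -and $infra.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
    Write-Warning "Infrastructure Master $($infra.HostName) is a Global Catalog in a multi-domain forest."
}
```

Get-ADDomainController -Filter * only returns the DCs of the domain you are connected to, so in a multi-domain forest run the domain-level part once per domain (for example with Get-ADDomain -Identity <other domain>). Seizing a role that this script shows as unreachable is still done with ntdsutil.exe, as question 3 states; the script only tells you where to look.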
Case Scenarios

Scenario 2-1: Designing a Forest
You are the network administrator for a shipping company that has locations in the U.S., Canada and Japan. There are 5 offices in the U.S., 3 offices in Canada, and 3 offices in Japan. In a short memo, diagram a sample forest, domain and OU structure that will accommodate this organization.
Answers will vary, but will either include different domains for each location, different domains for each country with country-specific locations represented by OUs, or a single domain with OUs to represent all locations.

Scenario 2-2: Planning for Sites, GC and FSMO Roles
In the forest diagram that you created for the company described in Scenario 1-1, label the appropriate sites that should be created to ensure efficient replication. Assuming that each site has a minimum of two DCs, label the location of GC servers and FSMO roles.
Answers will vary, but will include a site for each location. In addition, there should be a GC on at least one DC in each site (or UGMC enabled on the site otherwise). The placement of FSMOs will be different for each answer, but in general they should be moved from their default locations to provide better fault tolerance should a single DC fail. The Domain Naming Master FSMO should be on a GC server, whereas the Infrastructure Master FSMO in each domain should not be on a GC server.