Active Directory Concepts and Management Quiz
56 Questions

Questions and Answers

What is the primary purpose of a global catalog (GC) server in Active Directory?

  • To ensure all data is read-only for security purposes.
  • To provide a searchable, partial representation of every object in the directory. (correct)
  • To store only user accounts for faster access.
  • To manage replication between multiple domain controllers.

What is the difference between adding a child domain and adding a new tree in an existing forest?

  • New trees are limited to geographical locations.
  • A child domain shares the same naming structure while a new tree does not. (correct)
  • A child domain can only be added with existing resources.
  • Both require identical configurations for security policies.

Which feature of Active Directory Administrative Center (ADAC) allows you to manage organizational units?

  • Windows PowerShell History pane
  • User and Group Management wizard
  • Domain replication settings
  • Organizational Unit management tools (correct)

How are commands executed in Active Directory Administrative Center (ADAC)?

    Each action results in a corresponding PowerShell command. (B)

    What functionality does enabling the Active Directory Recycle Bin provide?

    It enables the recovery of deleted objects without requiring backup. (D)

    What is the first step in configuring Active Directory after installation?

    Click the notifications flag in Server Manager (B)

    Which option should be selected if it is the first Domain Controller in the network?

    Add a new forest (D)

    What is the purpose of the Directory Services Restore Mode password?

    To perform restore operations on Active Directory (D)

    What must be created in the DNS options window during the Active Directory installation?

    DNS delegation (A)

    Which of the following is NOT a capability that can be selected for a Domain Controller?

    Active Directory Integrated DNS (B)

    What protocol is based on the X.500 Directory Access Protocol and uses TCP/IP?

    Lightweight Directory Access Protocol (LDAP) (B)

    What should you specify in the Additional Options window during Active Directory setup?

    NetBIOS domain name (D)

    Why does Microsoft recommend at least two Domain Controllers in every domain?

    For fault tolerance and load balancing (B)

    Which component forms the core structural unit of an Active Directory?

    Domain (D)

    Which of the following features is not offered by Active Directory?

    Cloud Integration (B)

    What is the significant difference when installing an additional Domain Controller?

    You select 'Add a domain controller to an existing domain' (D)

    What is the primary function of a domain controller in Active Directory?

    Store and replicate domain data (C)

    In an Active Directory structure, a forest is best described as which of the following?

    A collection of one or more Active Directory trees (B)

    Which of the following is a correct statement regarding organizational units (OUs)?

    OUs can contain users, computers, and other directory objects. (A)

    What is a necessary step if DNS is not present on the network before installing Active Directory Domain Services (ADDS)?

    Install the DNS Server Role (B)

    What does the tree structure in Active Directory primarily represent?

    Domains sharing a common naming structure (C)

    Which of the following is true regarding the physical structure of Active Directory?

    It includes sites and servers configured as domain controllers. (C)

    Which of these statements about Active Directory's logical structure is correct?

    Trees may have parent-child domain relationships. (C)

    What is the primary purpose of the Active Directory schema?

    To describe the types and structure of data in the AD database (A)

    Which of the following is NOT a type of container object in Active Directory?

    User Groups (A)

    Which statement most accurately describes the function of Organizational Units (OUs)?

    OUs organize multiple objects into logical groups with specific policies. (D)

    What kind of objects do Folder Objects typically house in Active Directory?

    Computer accounts and default user accounts (C)

    In terms of Active Directory, which of the following best defines a leaf object?

    An object representing a security account or network resource (A)

    Which folder object is automatically created to house default user accounts?

    Users (D)

    Which statement accurately describes domain objects in Active Directory?

    The domain is the core logical structure and holds container and leaf objects. (A)

    Active Directory allows the nesting of Organizational Units. What is the main advantage of this feature?

    It simplifies the management of policies and groups. (D)

    What does the attribute value refer to in the context of Active Directory?

    The information stored in a schema attribute (C)

    What are Managed Service Accounts primarily used for in Active Directory?

    To allow services to access domain resources securely (B)

    Which of the following statements about Group Policy Objects (GPOs) is true?

    The order of GPO application is Local Computer, Site, Domain, and Organizational Unit. (B)

    What is a characteristic of leaf objects in Active Directory?

    Leaf objects typically represent security accounts and resources. (A)

    What feature allows administrators to control user computer environments in the User Configuration node?

    Software Settings (B)

    Which of the following is NOT a component of the Windows Settings in the User Configuration node?

    Administrative templates (B)

    In Active Directory, what does enabling the AD Recycle Bin do?

    Provides a method to recover deleted objects. (C)

    Which of the following best defines a domain in Active Directory?

    An administrative unit that identifies resources and policies. (A)

    Which statement is true about directory partitions in Active Directory?

    They manage different types of data within Active Directory. (C)

    What do Administrative templates in Group Policy primarily facilitate?

    Controlling and managing users’ computer and network environments. (A)

    Which of the following is a benefit of using Group Policies in networks?

    They allow centralized management of user and computer environments. (C)

    What happens to policies that are not defined or configured in Active Directory?

    They are ignored and not applied. (C)

    What is the primary function of a Group Policy Object (GPO)?

    To provide a remote configuration for user and computer environments. (B)

    Which type of Active Directory zone is considered authoritative and contains a read/write master copy of resource records?

    Primary zone (C)

    What is the difference between local and domain user accounts?

    Domain accounts provide access to resources throughout the entire domain. (D)

    What type of replication occurs between two or more sites in Active Directory?

    Intersite replication (B)

    Which statement about directory partitions in Active Directory is true?

    Domain directory partition holds all objects in a specific domain. (A)

    Which FSMO role is responsible for ensuring the uniqueness of names in a forest?

    Domain Naming master (B)

    What happens when there is no trust relationship between two domains?

    Access across domains is completely restricted. (B)

    What does the Knowledge Consistency Checker (KCC) do?

    Determines the replication topology for Active Directory. (C)

    What main functions does a Global Catalog server perform?

    Facilitates domain and forest-wide searches. (B)

    Which user configuration settings in GPO are enforced and cannot be overridden by users?

    Policies settings (C)

    What is the purpose of the Administrative Templates folder in GPO?

    To configure settings for Control Panel, Network, and System components. (A)

    Which command is used in PowerShell to view forest-wide FSMO roles?

    Get-ADForest (B)

    What is a characteristic of a secondary zone in Active Directory?

    It is not considered authoritative. (B)

    Flashcards

    Adding a child domain

    Adding a domain to an existing forest that shares the top-level and second-level domain name structure with an existing domain.

    Adding a new tree

    Adding a new domain to an existing forest using a separate naming structure.

    Active Directory Administrative Center (ADAC)

    Tool for managing Active Directory objects, like users, computers, and organizational units.

    Domain functional level

    Setting the compatibility level of the domain controlling which features are available.

    Read-only domain controller (RODC)

    Domain controller that does not store any writable data; it is only for reading.

    Active Directory

    A directory service used to manage and store information about a computer network.

    Domain Controller (DC)

    A server running Windows Server with Active Directory Domain Services, responsible for storing and replicating domain data.

    Organizational Unit (OU)

    An Active Directory container that groups users and resources logically for management.

    Domain

    The core structural unit of Active Directory, providing administrative, security, and policy boundaries.

    Tree

    A grouping of domains sharing the same Active Directory naming structure.

    Forest

    A collection of Active Directory trees, providing a common Active Directory environment.

    LDAP

    Lightweight Directory Access Protocol: A protocol for accessing directory services.

    Site

    A physical location where domain controllers communicate.

    Active Directory Domain Services (ADDS)

    The Windows Active Directory service that manages and provides network resources.

    X.500

    The standard that defines, stores, and accesses Active Directory objects.

    Active Directory Configuration

    Setting up Active Directory on a server to manage users, computers, and resources in a network.

    Promoting a Server

    Converting a server to a Domain Controller (DC) in Active Directory.

    Deployment Configuration Options

    Choices when setting up the first or subsequent domain controllers in Active Directory.

    Fully Qualified Domain Name (FQDN)

    A complete domain name including all sub-domains, and the top-level domain (e.g. example.com).

    Forest Functional Level

    Determines the features and capabilities supported in the network hierarchy, affecting compatibility among domain controllers.

    Domain Controller Capabilities

    Features like DNS, Global Catalog (GC), and read-only domain controllers are chosen when installing domain controllers.

    Directory Services Restore Mode (DSRM)

    A special boot mode in Active Directory to recover from malfunctions or accidental deletions of Active Directory objects if they are corrupted or damaged.

    Additional Domain Controllers

    Installing more domain controllers to increase reliability, availability, and load balancing in an existing domain.

    Active Directory Schema

    Defines the structure, type, and organization of data in an Active Directory database.

    Active Directory Container Object

    An object that manages and groups network resources and users.

    Folder Objects

    Pre-defined container objects in Active Directory holding specific types of objects (e.g., users, computers).

    Domain Object

    The core structure in Active Directory; contains other objects like OUs and folder objects.

    Active Directory Leaf Object

    An object that holds data but does not contain other objects; often represents a resource or account.

    Schema classes

    Defines the types of objects that can be stored in Active Directory.

    Schema attributes

    Specifies the specific information stored within each object.

    Attribute value

    The specific data stored in a particular attribute of an object.

    Security Account

    A leaf object in Active Directory representing a user, group or computer.

    What's the difference between User Configuration and Computer Configuration?

    User Configuration sets policies for users logging into a domain, affecting individual users. Computer Configuration sets policies for all computers within the container, affecting devices directly.

    What does the 'Software Settings' node do?

    The 'Software Settings' node allows administrators to assign or publish application packages to users or computers within the GPO's scope.

    Where are GPOs applied?

    GPOs can be applied at the Local Computer, Site, Domain, or Organizational Unit level, applying policies progressively from these levels.

    What does the 'Security Settings' subtree do?

    The 'Security Settings' subtree within the User Configuration/Windows Settings nodes lets administrators control users' access to resources and set security policies.

    What's the purpose of 'Administrative Templates'?

    The 'Administrative Templates' node under User Configuration lets administrators adjust user settings, controlling their environment and network access.

    What happens if a policy is not defined?

    If a GPO setting is not defined or configured, it's not applied at all; the default setting will be used.

    What's the order of GPO application?

    GPOs are applied in this order: Local Computer, Site, Domain, and Organizational Unit, with the last defined policy taking precedence.

    What is a directory service?

    A directory service is a database that stores information about network resources, used to manage users, computers, and other assets.

    What is Active Directory built upon?

    Active Directory is built on the X.500 standard and LDAP protocol, providing a standardized way to manage and access information.

    What does installing the first DC create?

    Installing the first Domain Controller (DC) on a network creates a new forest and the domain is called the forest root domain.

    What is a GPO?

    A Group Policy Object (GPO) is a collection of settings that administrators use to configure user and computer operating environments remotely.

    What are the two default GPOs?

    The two default GPOs in Active Directory are the 'Default Domain Policy' and the 'Default Domain Controllers Policy'.

    What is User Configuration?

    The User Configuration node in a GPO is used to set policies that apply to users within the GPO's scope.

    What is Computer Configuration?

    The Computer Configuration node in a GPO is used to set policies that apply to computers within the GPO's scope.

    What's the difference between Policies and Preferences?

    Policies are applied to users or computers and cannot be overridden by users, while Preferences can be overridden.

    What's the purpose of Software Settings?

    The Software Settings node allows administrators to install and manage applications remotely.

    What's inside the Windows Settings node?

    The Windows Settings node contains various components, including Name Resolution Policy, Scripts, Security Settings, and Policy-based QoS.

    What's the role of Administrative Templates?

    Administrative Templates provide settings for various system aspects, including Control Panel, Network, Printers, System, and Windows Components.

    What is a primary zone?

    A primary zone is a DNS zone that contains a read/write master copy of all resource records for the zone.

    What is a secondary zone?

    A secondary zone is a DNS zone that contains a read-only copy of all resource records for the zone.

    What is a stub zone?

    A stub zone is a DNS zone that contains a read-only copy of only the SOA and NS records for a zone.

    What is the purpose of Active Directory replication?

    Replication ensures that all domain controllers have an identical copy of the Active Directory database.

    What are the types of Active Directory replication?

    There are two types: intrasite replication within the same site and intersite replication across different sites.

    What is the Knowledge Consistency Checker (KCC)?

    The KCC runs on all domain controllers to determine the optimal replication topology.

    What are Directory Partitions?

    Directory Partitions are sections of the Active Directory database that contain different types of information.

    What's the role of an Operations Master?

    There's a specific domain controller responsible for each critical function in a forest, called an Operations Master.

    Study Notes

    Windows Domain Administration - CST8200

    • The course is CST8200 - Windows Domain Administration
    • Professor: Denis Latremouille
    • Week 3

    Agenda

    • No specific agenda is listed

    The Role of a Directory Service

    • A network directory service stores information about a computer network and offers features for retrieving and managing the information.
    • It's primarily an administrative tool, but users also utilize it to find resources.
    • Due to the complexity, careful planning is required before setting up the directory service.

    Windows Active Directory

    • Active Directory is a directory service based on industry standards to define, store, and access directory service objects.
    • The X.500 standard forms its hierarchical structure.
    • The Lightweight Directory Access Protocol (LDAP) is based on the X.500 Directory Access Protocol.
    • LDAP uses TCP/IP for efficiency.
    • Integrating other operating systems, such as Linux, into an Active Directory network requires the use of LDAP.
    • Active Directory first appeared in Windows 2000 Server.

    Active Directory Features

    • Hierarchical organization
    • Centralized, but distributed database
    • Scalability
    • Security
    • Flexibility
    • Policy-based administration

    Overview of the Active Directory Structure

    • Physical structure consists of sites and servers configured as domain controllers.
    • Logical structure patterns the directory service after the organization that uses it.

    Active Directory's Physical Structure

    • An Active Directory site is a physical location where domain controllers communicate and replicate information regularly.
    • A domain controller (DC) is a computer running Windows Server 2016 with the Active Directory Domain Services role installed.
    • Each domain controller holds a full replica of domain objects and manages data replication across all controllers.
    • It handles data searches and retrieval requests.
    • It provides authentication and authorization services for users accessing network resources.

    Active Directory's Logical Structure

    • Active Directory has four organizing components: Organizational Units (OUs), Domains, Trees, and Forests.
    • An OU is an Active Directory container that logically groups users and resources for administrative purposes.
    • An OU includes objects such as user, group, computer, printer, shared folder, application, server, and domain controller information.

    Active Directory Domains, Trees, and Forests

    • A domain is the core structural unit of Active Directory; it contains OUs and represents administrative, security, and policy boundaries.
    • Small to medium-sized businesses usually have one domain.
    • Larger organizations typically have multiple domains to separate geographical regions or management responsibilities.
    • A tree is a grouping of domains that share a common naming structure.
    • A tree may consist of a parent domain and additional child domains.
    • A forest is a collection of one or more Active Directory trees that provide a common Active Directory environment, where all domains within the trees can communicate and share information.
    • A forest may consist of a single tree and a single domain, or several trees, each with a parent and child domain hierarchy.

    Installing Active Directory

    • Windows Active Directory service is commonly referred to as ADDS.
    • To install ADDS use Server Manager.
    • Ensure DNS is installed on the network.
    • Configure Active Directory by promoting the server to a DC and selecting the appropriate option in the Configuration window: (a) add a domain controller to an existing domain, (b) add a new domain to an existing forest, or (c) add a new forest.
    • FQDN (Fully Qualified Domain Name) needs to be specified for the new forest root.
    • Specify NetBIOS domain name for backward compatibility (optional).
    • Set location for Active Directory database, log files, and SYSVOL.
    • Review selections in the Review Options window.
    • A prerequisite check is conducted before starting installation.
    • A password for DSRM (Directory Services Restore Mode) is required.

    Installing Additional Domain Controllers

    • Microsoft recommends at least two DCs in every domain for fault tolerance and load balancing.
    • Installing an additional DC is similar to installing the first, but it's configured to join an existing domain.

    Installing a New Domain in an Existing Forest

    • Adding a child domain involves sharing the top-level and potentially second-level naming structure with an existing domain in the forest.
    • Adding a new tree involves creating a new domain with a distinct naming structure that's separate from existing domains in the forest.

    What's Inside Active Directory

    • Explore Active Directory using ADAC or AD Users and Computers MMC.
    • Use ADAC to create and manage user, group, and computer accounts; manage OUs; connect to various domain controllers; and change the domain functional level.

    The Active Directory Schema

    • An object is a group of data that describes a network resource.
    • A schema defines the type, organization, and structure of data stored in Active Directory.
    • Schema classes define object types (e.g., Computer account, Domain controller, Group).
    • Schema attributes define the specific information for each object (e.g., Computer name, DNS name).
    • Attribute values store detailed data about individual attributes.

    Active Directory Container Objects

    • A container object groups other objects for organization, management, and acting as administrative or security boundaries.
    • The three container types are OUs, Folder objects, and Domain objects.

    Organizational Units (OUs)

    • OU is a primary container in a domain for organizing and managing resources.
    • OUs logically group objects for administrative tasks and customized policies.
    • OUs can be nested to form a hierarchical structure mimicking organizational units.

    Folder Objects

    • Folder objects are used for local domain-specific tasks.
    • They include built-in groups (created by Windows), computer accounts, security principals, and managed service accounts.

    Domain Objects

    • The domain is the core logical structure in AD, including OUs and folder objects.
    • Larger organizations may use multiple domains for administration, security boundaries, and policy enforcement.
    • Each domain has a default GPO (Group Policy Object) linked to it that affects all objects within that domain.
    • The domain object appears as an icon with three computer towers in Active Directory administrative tools.

    Active Directory Leaf Objects

    • Leaf objects are those that don't contain any other objects. They represent:
      • Security accounts (users, groups, computers)
      • Network resources (servers, domain controllers, file shares, printers)
      • Group Policy Objects (GPOs)
    • GPOs are managed via the Group Policy Management MMC (Microsoft Management Console).

    User Accounts

    • A user account object contains details like group memberships, account limitations, profile paths, and dial-in permissions.
    • Authentication verifies user identity.
    • Local user accounts are authorized to access resources on a specific computer only.
    • Domain user accounts offer a single logon for access to all resources in the domain.
    • Windows automatically creates Administrator and Guest accounts.

    Zone Types

    • Active Directory uses three types of zones:
      • Primary: read/write master copy of zone records
      • Secondary: read-only backup copy of zone records
      • Stub: read-only copy of SOA and NS records; not authoritative.

    Groups

    • A group represents a collection of users with similar privileges and access rights.
    • Groups streamline permission management rather than assigning rights individually to every user.

    Computer Accounts

    • Computer accounts represent domain computers (members or controllers).
    • Used for authentication, identification, and management of computers within a domain.
    • They are automatically created when AD is set up on a server.
    • The account name matches the actual computer name.

    Locating Active Directory Objects

    • Active Directory objects can be searched using the Find Users, Contacts, and Groups dialog box.
    • Searching can be done for a single domain or the entire directory.
    • Searchable objects depend on security settings and the container containing them.

    Active Directory Terminology

    • Active Directory terminology includes terms related to replication, directory partitions, operations masters, and trust relationships.

    Active Directory Replication

    • Replication maintains a consistent database across various locations when the database is distributed among locations.
    • Replication occurs between domain controllers within the same site (intrasite).
    • It also happens between different sites (intersite).
    • Multimaster replication is used to replace AD objects.
    • A Knowledge Consistency Checker runs on domain controllers to define the replication topology and ensure no more than three hops between any two domain controllers.

    Directory Partitions

    • Directory partitions are sections of the Active Directory database.
    • Five partition types are:
      • Domain directory partition: holds objects (users, groups, computers).
      • Schema directory partition: defines AD objects and attributes.
      • Global catalog partition: partial replica of all objects in the forest.
      • Application directory partition: used by applications for stored information.
      • Configuration directory partition: holds configurations affecting the entire forest.

    Operations Master Roles

    • Some operations require a single domain controller (operations master).
    • The initial domain controller in a forest often becomes the operations master.
    • Role responsibilities can be transferred, if necessary, to another domain controller (using Flexible Single Master Operations, FSMO, roles).
    • FSMO roles include Schema Master, Infrastructure Master, Domain Naming Master, RID Master, and PDC Emulator master.

    Trust Relationships

    • Trust relationships determine if security principals from one domain can access resources in another domain.
    • Trusts are automatically established among domains in a forest.
    • Trust does not equal permission. Resources may still need specific permissions, even if a trust relationship exists.
    • No access is possible between domains lacking a trust relationship.

    The Role of Forests

    • Domains in a forest share a single schema and forest-wide administrative accounts.
    • Global Catalog domains exist for searching and accessing information across the whole forest.
    • Trusts and replication between domains allow seamless operation.

    The Importance of the Global Catalog server

    • The first domain controller created in a forest usually acts as the Global Catalog server, facilitating domain-wide and forest-wide searches and logins using user principal names (UPNs).
    • Additional Global Catalog servers can be configured for improved performance and redundancy.
    • Global Catalog servers help with user searches across different domains.

    Introducing Group Policies

    • A Group Policy Object (GPO) is a collection of settings that administrators use to remotely configure user and computer settings.
    • The scope defines which objects are affected by a GPO.
    • Installing Active Directory creates the Default Domain Policy and other default domain controllers' policies.
    • GPMC (Group Policy Management Console) enables viewing, creating, and managing GPOs.

    GPO application

    • GPOs apply locally, on the computer.
    • GPOs apply under specific sites.
    • GPOs apply under specific OUs.
    • GPOs can apply under the domain.

    The Computer Configuration Node

    • The Computer Configuration node in a GPO manages settings applied to computers.
    • This involves software settings, Windows settings (including name resolution), scripts, security, policy-based QoS settings, and Administrative Templates (templates from various control panels, network services, printers, and system tools).
    • The computer configuration settings in a GPO affect all computers in the related container that includes domain controllers.

    The User Configuration Node

    • The User Configuration node in a GPO manages settings applied to every user within its linked domain.
    • This involves managing settings across the operating systems for users, like software settings, scripts, security, folder redirection, and policy-based QoS.
    • User configuration GPO settings affect domain users within the scope of the related container or OU.

    How Group Policies Are Applied

    • GPOs apply in four places:
      • Local Computer, Site, Domain, or Organizational Unit
    • Policies apply in the order mentioned above. A later policy might overwrite earlier ones.
    • Policies that are not defined will not be applied.
    • Precedence runs from the last policy defined to the first.

    Chapter Summary

    • Active Directory is a database managing users, computers, and resources.
    • Active Directory uses the X.500 standard and LDAP.
    • Server Manager facilitates Active Directory Domain Services (AD DS) installation.
    • Installing the first domain controller creates a new forest, establishing a domain and a forest root.
    • Data in Active Directory is structured in objects.
    • Objects include container and leaf objects: Container objects include OUs, folders, and domains. Leaf objects include security accounts, network resources, and GPOs.
    • AD Recycle Bin can be enabled and disabled.
    • Large organizations might use multiple domains, trees, and forests.
    • Directory partitions are segments of the Active Directory database.
    • A forest is the broadest logical Active Directory component.
    • A domain is the primary identifying and administrative unit of Active Directory.
    • GPOs are sets of settings that configure user and computer environments.
    • Policies in the Computer Configuration node affect all computers.
    • Policies in the User Configuration node affect all domain users within the boundary.


    Description

    Test your knowledge of Active Directory with this quiz covering essential concepts, server roles, and configuration steps. From understanding global catalogs to the functionality of ADAC, this quiz will challenge your expertise in Active Directory management.
