Active Directory Concepts Quiz
33 Questions

Questions and Answers

Which type of object in Active Directory generally represents security accounts?

  • Organizational Units
  • Leaf objects (correct)
  • Domain objects
  • Container objects

When Group Policies are applied, which policy takes precedence?

  • The first policy defined
  • The policy defined at the site level
  • The last policy to be defined (correct)
  • The policy defined in the Organizational Unit

What does the Administrative Templates folder in User Configuration allow administrators to do?

  • Control user software installations only
  • Control users' computer and network environments (correct)
  • Modify security settings only
  • Assign network printer access

Which of the following best describes the forest in Active Directory?

    The broadest logical component of Active Directory

    What is the primary function of an Organizational Unit (OU) in Active Directory?

    To organize and manage resources in a domain

    In which locations can Group Policies be applied in Active Directory?

    Local Computer, Site, Domain, and Organizational Unit

    Which of the following best describes a leaf object in Active Directory?

    It typically represents a security account, network resource, or GPO.

    What does enabling the Active Directory Recycle Bin allow administrators to do?

    Search for deleted objects easily

    What type of information does a schema attribute in Active Directory define?

    The specific information stored in each object

    Which folder in User Configuration allows the assignment or publication of application packages?

    Software Settings

    What is true about the policies configured in the Computer Configuration node?

    They affect all computers in the container to which the GPO is linked

    What is the role of folder objects in Active Directory?

    To house default groups and organize domain resources

    Which container object is not one of the three main container types found in Active Directory?

    Security Groups

    Which component is not considered a type of Active Directory object?

    Session accounts

    What does a domain represent in the context of Active Directory?

    A logical structure holding user accounts

    What is the purpose of nesting Organizational Units (OUs) in Active Directory?

    To mimic a corporate structure for better resource organization

    How many default folder objects are created in Active Directory, and what is one of them?

    Five; Computers

    Which object does not typically represent an Active Directory leaf object?

    Organizational Unit

    What characteristic defines a domain object in Active Directory?

    It houses container objects like OUs and folders and has a default GPO linked.

    What does Active Directory's schema define?

    The types and structures of data stored in the AD database

    What type of replication occurs between domain controllers in different sites?

    Intersite replication

    Which of the following is NOT a function of the Global Catalog server?

    Provides detailed security audit logs

    Which type of Group Policy Object (GPO) configuration cannot be overridden by users?

    Policies folder settings

    What is the primary purpose of a computer account object in Active Directory?

    To identify and authenticate computers in the domain

    Which zone type contains only a read-only copy of the resource records for a zone?

    Secondary zone

    Which user account type allows users to access resources across the entire domain?

    Domain user account

    Which of the following is one of the five directory partition types in Active Directory?

    Global catalog partition

    Which Active Directory feature automatically manages the replication topology?

    Knowledge Consistency Checker (KCC)

    What is an essential characteristic of a Primary zone in DNS within Active Directory?

    Contain a read/write master copy of resource records

    Which built-in user account in Windows is usually disabled by default?

    Guest

    What type of permissions in Active Directory define access to specific actions or resources?

    Rights

    How many FSMO roles are there in Active Directory that can be assigned to domain controllers?

    5

    Which PowerShell command is used to view the domain-wide FSMO roles?

    Get-ADDomain

    Study Notes

    Windows Domain Administration

    • Windows Domain Administration is a course covering the topic of managing Windows networks.
    • The course is taught by Professor Denis Latremouille.
    • The course schedule covers topics for week 3.

    Week 03

    • The agenda for week 3 is a list of topics to be covered.

    The Role of a Directory Service

    • A network directory service stores information about a computer network.
    • It offers features for retrieving and managing that information.
    • Directory services are generally considered an administrative tool.
    • Users utilize Directory Services to find resources.
    • Directory services provide a centralized management tool, but due to complexity, careful planning is required before setup.

    Windows Active Directory

    • Active Directory is a directory service based on standards for defining, storing, and accessing directory service objects.
    • X.500 is the basis for the hierarchical structure of Active Directory.
    • Lightweight Directory Access Protocol (LDAP) is based on the X.500 Directory Access Protocol.
    • LDAP uses the more efficient TCP/IP protocol, which enables integration with other operating systems such as Linux.
    • Active Directory was first used in Windows 2000 Server.
    • Features of Active Directory include hierarchical organization, a centralized but distributed database, scalability, security, flexibility, and policy-based administration.

    Overview of the Active Directory Structure

    • The physical structure consists of sites and servers configured as domain controllers.
    • The logical structure is configured to match the structure of the organization it is part of.

    Active Directory's Physical Structure

    • An Active Directory site is a physical location in which domain controllers communicate and replicate information periodically.
    • A domain controller (DC) is a computer running Windows Server 2016 with the Active Directory Domain Services role installed.
    • Each domain controller contains a full replica of the domain's objects.
    • It's responsible for storing a copy of the domain data and replicating changes.
    • Domain Controllers provide data search and retrieval for users attempting to locate domain objects.
    • Domain Controllers provide authentication and authorization.

    Active Directory's Logical Structure

    • Four organizing components of Active Directory are Organizational Units (OUs), Domains, Trees, and Forests.
    • The Organizational Unit (OU) is an Active Directory container to organize network users and resources into logical administrative units.
    • OUs contain Active Directory objects like user accounts, groups, computer accounts, printers, shared folders, applications, servers, and domain controllers.

    Installing Active Directory

    • The Windows Active Directory service is commonly referred to as Active Directory Domain Services (ADDS).
    • Server Manager is used for installing Active Directory Domain Services.
    • If DNS doesn't already exist on the network, install the DNS Server role.
    • After installation is complete, configure Active Directory.
    • Promoting the server to a Domain Controller in Server Manager.
    • Selecting options in the Deployment Configuration window to add a domain controller to an existing domain, add a new domain to an existing forest or add a new forest.
    • Enter the Fully Qualified Domain Name (FQDN).
    • Choose Forest and Domain functional levels.
    • Select domain controller capabilities (DNS server, Global Catalog (GC), and Read-only domain controller (RODC)).
    • Creating the DNS delegation.
    • Entering the Directory Services Restore Mode (DSRM) password.
    • A prerequisite check needs to be performed before starting Active Directory installation.

    Installing Additional Domain Controllers in a Domain

    • Microsoft recommends at least two domain controllers (DCs) in every domain for fault tolerance and load balancing.
    • Adding additional DCs to an existing domain differs from adding the first domain controller in one step: select "Add a domain controller to an existing domain" instead of "Add a new forest".

    Installing a New Domain in an Existing Forest

    • A child domain added to an existing forest shares a similar top-level and second-level domain name structure.
    • Adding a new tree differs in that it creates a domain with a naming structure different from the existing domains in the forest.

    What's Inside Active Directory?

    • Explore Active Directory using the Active Directory Administrative Center (ADAC) or Active Directory Users and Computers MMC (Microsoft Management Console).
    • Use ADAC to perform tasks like creating and managing users, groups, and computer accounts, managing OUs, or connecting to the same or different domains.
    • Active Directory Administrative Center is built upon PowerShell.
    • Results of commands in ADAC can be viewed in the PowerShell History pane.

    The Active Directory Schema

    • An object in Active Directory is a group of information that describes a network resource.
    • The schema defines the type, organization, and structure of data stored in the AD database.
    • Schema classes define the types of objects that can be stored in Active Directory.
    • Schema attributes define the type of information that is stored in each object.
    • The information stored in each attribute is called the attribute value.
    • Active Directory objects include schema classes, schema attributes and Active Directory objects.
    • Icons are used to represent Active Directory objects such as Site, Domain, Folder, Organizational Unit (OU), Computer, Group, and User.

    Active Directory Container Objects

    • A container object contains other objects.
    • It's used to organize and manage users and network resources.
    • A container can also act as administrative or security boundaries.
    • Active Directory contains three types of container objects: Organizational Units (OU), Folder objects, and Domain objects.

    Organizational Units

    • An OU is a primary container for organizing and managing resources in a domain.
    • OUs organize multiple objects and can have specific policies.
    • Authority over an OU can be delegated.
    • Nested OUs can create hierarchical Active Directory structures.

    Folder Objects

    • Built-in default groups are created by Windows.
    • Computer accounts are stored in the default location.
    • Foreign Security Principals contain user accounts from other domains.
    • Managed Service Accounts are specifically created for domain services to access domain resources.
    • Users holds two default users, Administrator and Guest, and their respective groups.

    Domain Objects

    • A domain is the core logical structure in Active Directory.
    • It contains OU and folder objects.
    • Larger companies can utilize multiple domains for separate administration, defining security, and policy boundaries.
    • Each domain object has a default GPO.
    • A domain object is represented with an icon of three tower computers in the Active Directory Users and Computers snap-in.

    Active Directory Leaf Objects

    • A leaf object doesn't contain other objects.
    • It usually represents security accounts, network resources, or a Group Policy Object (GPO).
    • GPOs are not viewed as objects in the same way as other Active Directory objects, but are administered through Group Policy Management Console (GPMC).
    • Security account objects include users, groups, and computers.
    • Network resource objects include servers, domain controllers, file shares, printers, etc.

    User Accounts

    • A user account object holds information like group memberships, account restrictions, profile path, and dial-in permissions.
    • Authentication confirms a user's identity and assigns permissions.
    • Local user accounts have access only to resources on that computer.
    • Domain user accounts provide a single logon to access resources in the domain.
    • Windows creates two built-in user accounts, Administrator and Guest.

    Zone Type

    • Three types of zones exist: Primary, Secondary, and Stub zones.
    • A Primary zone is a read/write type zone for the master copy of the resource records and is authoritative to the zone.
    • A Secondary zone holds a read-only copy of the resource records and is authoritative to the zone.
    • A Stub zone contains only a read-only copy of the SOA and NS records for a zone and the necessary A records to resolve NS records. It isn't authoritative.

    Groups

    • A group object represents a collection of users with common permissions or rights.
    • Permissions define which resources users can access and the level of access.
    • Assigning permissions to groups is more efficient than assigning them to each user separately.

    Computer Accounts

    • A computer account object is for domain controllers and domain members.
    • It is used to identify, authenticate, and manage computers in the domain.
    • Computer accounts are automatically created when Active Directory is installed on a server.
    • The name of the computer account object should match the computer name.

    Locating Active Directory Objects

    • Active Directory objects can be searched using the Find Users, Contacts, and Groups dialog box.
    • You can search a single domain or the entire directory.
    • Not all objects are available to all users, depending on the object's security settings and its container location.

    Active Directory Terminology

    • The next few sections examine terms associated with replication, directory partitions, operations masters, and trust relationships.

    Active Directory Replication

    • Replication maintains a consistent database of information when distributed among multiple locations.
    • Intrasite replication occurs between domain controllers in the same site.
    • Intersite replication occurs between multiple sites.
    • Multimaster replication is used in Active Directory for replicating objects.
    • Knowledge Consistency Checker (KCC) runs on all domain controllers to determine the replication topology.

    Directory Partitions

    • Each section of an Active Directory database is called a directory partition.
    • Five directory partition types exist: Domain, Schema, Global Catalog, Application, and Configuration partitions.
    • A Domain partition contains all objects within the domain.
    • A Schema partition contains information for defining AD objects and their attributes.
    • A Global Catalog partition holds a replica of all objects in the forest.
    • An Application partition is used by applications and services.
    • A Configuration partition contains configuration information.

    Operations Master Roles

    • Several operations in a forest require having a single operations master.
    • The first domain controller generally assumes the operation master roles.
    • These operations master roles can also be transferred to a different domain controller.
    • The five operations master roles are Schema master, Infrastructure master, Domain Naming master, RID master, and PDC Emulator.

    Trust Relationships

    • A trust relationship in Active Directory defines whether and how security principals from one domain can access network resources in another domain.
    • Trusts are automatically established between all domains in the forest.
    • Trusts do not equal permissions. Permissions are still required.
    • When there is no trust between domains, no cross-domain access is possible.

    The Role of Forests

    • All domains in a forest share a single schema.
    • Forest-wide administrative accounts, operations masters, trusts between domains and replication between domains are also shared.
    • Global Catalog domains are shared.

    The Importance of the Global Catalog Server

    • The first domain controller installed in a forest is automatically the global catalog server.
    • Additional global catalog servers can be configured.
    • A global catalog server facilitates domain and forest-wide searches.
    • It lets users log on to computers in any domain using their user principal name (UPN).
    • It stores universal group membership information.

    Introducing Group Policies

    • A Group Policy Object (GPO) is a list of settings to remotely configure user and computer operating environments.
    • The scope of a GPO defines the objects it affects.
    • Installing Active Directory creates two default GPOs: Default Domain Policy and Default Domain Controllers Policy.
    • Viewing, creating, and managing GPOs are performed using the Group Policy Management Console (GPMC).

    The Computer Configuration Node

    • The Policies folder contains three folders: Software Settings, Windows Settings, and Administrative Templates.
    • Software Settings enable administrators to install and manage applications remotely.
    • Windows Settings contain Name Resolution Policy, Scripts extension, Security Settings, and Policy-based QoS node.
    • Administrative Templates contain Control Panel, Network, Printers, System, and Windows Components folders.
    • Policies affect all computers in a container to which the GPO is linked.

    The User Configuration Node

    • The Policies folder contains the same three folders as in the Computer Configuration node.
    • Policies for User Configuration affect domain users within the scope of the GPO.
    • Software Settings can include assigning or publishing application packages.
    • Windows Settings folder includes Scripts extension, Security Settings, Folder Redirection, and Policy-based QoS node.
    • Administrative Templates contain settings for controlling users' computer and network environments.

    How Group Policies Are Applied

    • GPOs can be applied in four locations: Local Computer, Site, Domain, Organizational Unit.
    • Policies are applied in the order listed above. Undefined or unconfigured policies aren't applied.
    • The last defined policy takes precedence.

    Chapter Summary

    • A directory service stores network resource information and manages users, computers, and resources.
    • Active Directory uses the X.500 standard and LDAP. Server Manager is used for installing Active Directory Domain Services (ADDS).
    • Active Directory is organized into objects (container and leaf).
    • The first domain controller creates a forest and the root domain.
    • Leaf objects represent security accounts, network resources, and GPOs.

    Description

    Test your knowledge on Active Directory objects, Group Policies, Organizational Units, and more. This quiz covers key concepts and definitions essential for understanding how Active Directory functions. Perfect for IT professionals and students studying network administration.
