Windows Server 2008 Active Directory and security questions

Setup searches the hard disk drives for an existing Windows installation and then displays the results in System Recovery Options. If you are recovering the operating system onto separate hardware, the list should be empty: there should be no operating system on the computer yet. Click Next. This opens the Re-image your computer page. You can use Wbadmin, the command-line interface, to manage all aspects of backup configuration that you would otherwise manage in the Windows Server Backup snap-in.

This means that you can typically use.

Question 35 - Topic 1 Your company has a main office and three branch offices. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers. From the Active Directory Sites and Services console, select the existing connection objects and force replication. Use Repadmin. Configure auditing in the Certification Authority snap-in.

The CA events that can be audited include: change the CA configuration; change CA security settings; issue and manage certificate requests; revoke certificates and publish certificate revocation lists (CRLs); store and retrieve archived keys. To configure CA event auditing: on the Auditing tab of the CA's properties, click the events that you want to audit, and then click OK. Additional considerations: the audit entries are only written to the Security log if the CA computer is also configured for auditing of object access (the Audit object access policy, or the Certification Services subcategory if advanced audit policy is in use). Selecting events in the snap-in without enabling the policy records nothing.
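The same configuration done from the command line, as an added example that is not part of the original page. It assumes you are a CA administrator on the CA computer and that the CA service name is the default, CertSvc; the bit values are the documented AuditFilter bits.

```powershell
# Added example (not from the original page): enable auditing of all
# Certification Authority event groups with certutil, then turn on the audit
# policy that actually writes those events to the Security log.
# Assumes you run this as a CA administrator on the CA computer.

# AuditFilter is a bitmask; 127 (0x7F) enables all seven groups:
#   1  Start/stop Active Directory Certificate Services
#   2  Back up and restore the CA database
#   4  Issue and manage certificate requests
#   8  Revoke certificates and publish CRLs
#  16  Change CA security settings
#  32  Store and retrieve archived keys
#  64  Change CA configuration
certutil -setreg CA\AuditFilter 127

# The CA service must be restarted for the new filter to take effect.
Restart-Service -Name CertSvc

# Nothing is recorded until the computer's audit policy allows it. Use either
# the legacy category (what the page calls "Audit object access") ...
#   auditpol /set /category:"Object Access" /success:enable /failure:enable
# ... or, more narrowly, the advanced subcategory available since Windows Server 2008:
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Verify that the filter and the policy are both in place.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"
```

Pick one of the two auditpol forms: once any advanced subcategory is set, Windows ignores the legacy category settings, so mixing them leads to policies that look enabled but are not.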

Question 37 - Topic 1 Your company has file servers located in an organizational unit named Payroll. Enable the Audit process tracking option. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.

Explanation: Answer: Enable the Audit object access option. Configuring audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach. There are nine different kinds of events for which you can specify audit policy settings.

If you audit any of these kinds of events, Windows records the events in the Security log, which you can find in Event Viewer. Object access: audit this to record when someone has used a file, folder, printer, or other object. Enabling the policy alone records nothing; each object also needs an entry in its system access control list (SACL) naming the users or groups and the access types to audit, which is why the solution also configures auditing on the Payroll folder itself.

Process tracking: audit this to record when events such as program activation or a process exiting occur. When you implement audit policy settings: if you want to audit directory service access or object access, determine which objects you want to audit access to and what type of access you want to audit.

For example, if you want to audit all attempts by users to open a particular file, you can configure audit policy settings in the object access event category so that both successful and failed attempts to read the file are recorded.

Simple implementations will have a single site and a single domain.
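The two halves of the Payroll answer, the SACL on the folder and the audit policy that makes it effective, as an added example that is not from the original page. The folder path is an assumption; the group and rights mirror the question.

```powershell
# Added example (not part of the original page): put an audit entry (SACL) on
# the Payroll folder so that read/write/delete attempts by the Everyone group
# are recorded, then enable the matching audit policy on this server.
# The path is an assumption for illustration.
$folder = 'D:\Payroll'

# Audit entries live in the SACL, so Get-Acl must be told to read it (-Audit).
$acl = Get-Acl -Path $folder -Audit

$rights      = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Everyone rather than Authenticated Users: the former also covers guest and
# anonymous access, which is exactly what you want to see in payroll data.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagation, $auditFlags)

$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# The SACL does nothing until object-access auditing is enabled on the server.
# This is the per-machine equivalent of the GPO setting the question asks for
# (the GPO linked to the Payroll OU is what you would deploy in production).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Verify the audit entry and the policy.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
auditpol /get /subcategory:"File System"

# Resulting events land in the Security log as 4656 (handle requested, this is
# what a failed attempt produces) and 4663 (an access was actually exercised).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 20 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Expect the Security log to grow quickly with Success auditing on a busy share; in practice most teams audit Failure plus the write and delete rights only.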

Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer: instead of containing files and subfolders, however, they contain computers, users, and other objects. For example, in Figure 1 you see an OU named Departments.

Question 38 - Topic 1 Your network consists of a single Active Directory domain. Active Directory Users and Computers snap-in.

You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators, because its removal operations delete directory objects that are not recoverable without an authoritative restore.

Question 39 - Topic 1 Your company has an Active Directory domain. The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs).
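The metadata cleanup the paragraph refers to, as an added example that is not from the original page. The domain controller name, site and domain are assumptions; the verification steps use the Windows Server 2008 R2 ActiveDirectory module, netdom and dnscmd.

```powershell
# Added example (not from the original page): remove the metadata of a domain
# controller that was taken offline without being demoted, then verify that
# nothing still references it. DC name, site and domain are assumptions.
# Run as an Enterprise Admin on a surviving domain controller.
$deadDc = 'DC3'
$site   = 'Default-First-Site-Name'
$domain = 'DC=contoso,DC=com'

# ntdsutil accepts its interactive commands as quoted arguments, so the whole
# session can be scripted. "remove selected server" deletes the NTDS Settings
# object and, on Windows Server 2008 and later, also cleans up the computer
# account, FRS/DFS-R membership and any operations master references.
ntdsutil "metadata cleanup" "remove selected server CN=$deadDc,CN=Servers,CN=$site,CN=Sites,CN=Configuration,$domain" quit quit

# Verify 1: no NTDS Settings object for the dead DC is left in the Configuration partition.
Import-Module ActiveDirectory
Get-ADObject -Filter { objectClass -eq 'nTDSDSA' } -SearchBase "CN=Sites,CN=Configuration,$domain" |
    Where-Object { $_.DistinguishedName -like "*CN=$deadDc,*" }

# Verify 2: no operations master role still points at it.
netdom query fsmo

# Verify 3: no stale DNS records (SRV records are under _msdcs; check the host record here).
dnscmd /EnumRecords contoso.com '@' | findstr /i $deadDc

# If anything remains (server object, DNS records, DFS-R member), remove it by
# hand with ADSI Edit, DNS Manager or the DFS Management console before you
# promote a replacement with the same name.
```

Do not run this against a domain controller that is merely unreachable; once the metadata is gone the machine can never rejoin as a domain controller without being demoted by force and promoted again.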

What does OCSP support do? The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate.

The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI. Note that the Microsoft Online Responder still builds its answers from the CA's CRLs, so revocation information is only as fresh as the responder's last CRL retrieval; OCSP changes the delivery, not the source.
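How to check, from a client, which of the two mechanisms a certificate can actually use, as an added example that is not from the original page. The certificate and CRL file names are assumptions; the certutil switches are standard.

```powershell
# Added example (not part of the original page): test the revocation paths
# embedded in a certificate (CRL distribution points and the OCSP URL in the
# AIA extension), first through the cache and then with a forced fetch, so a
# cached CRL cannot hide a dead Online Responder. File names are assumptions.
$certFile = '.\user.cer'
$crlFile  = '.\issuing.crl'

# Forced chain build and URL retrieval. The output lists every CDP and AIA
# URL with "Verified" or an error, and a "---------------- Certificate OCSP"
# section shows whether an Online Responder answered for this certificate.
certutil -verify -urlfetch $certFile

# What the client has cached locally (this is what normal validation uses).
certutil -urlcache CRL
certutil -urlcache OCSP

# Clear the cache before re-testing a failover (e.g. after taking a responder down).
certutil -urlcache * delete

# The page's size argument, made concrete: a CRL carries every revoked serial
# number, so count them; an OCSP response is about one certificate.
$crl = Get-Item $crlFile
'CRL size: {0:N0} bytes' -f $crl.Length
$entries = (certutil -dump $crl.FullName | Select-String -Pattern 'Serial Number').Count
"Revoked entries listed: $entries"
```

If `-urlfetch` reports the CRL as verified but the OCSP section shows a connection error, clients silently fall back to the CRL and you lose the freshness benefit without any visible failure; that is the case to monitor for.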

Question 40 - Topic 1 Your company has an Active Directory domain. Modify the properties of the user account to set the account to never expire. Modify the properties of the user account to set the password to never expire.

You can select between the following options: Use Never to specify that the selected account will never expire. This option is the default for new users.

Select End of and then select a date if you want the user's account to expire on the specified date. Account expiration and password expiration are independent settings: an expired account cannot log on even with a valid password, and setting the password to never expire does not stop the account itself from expiring.

Question 41 - Topic 1 Your network consists of a single Active Directory domain.

Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone. Convert the primary zone into an Active Directory-integrated zone. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers list on the secondary zone. Explanation: Answer: Convert the primary zone into an Active Directory-integrated zone.

AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. Active Directory-integrated zones provide the following benefits: DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure: if this server is not available, update requests from DNS clients are not processed for the zone. In contrast, because the master copy of an Active Directory-integrated zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of AD DS, any of the.

Question 42 - Topic 1 Your company has an Active Directory forest. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global Catalog.

For each access control entry (ACE), there exists a SID that identifies the user or group for whom access is allowed, denied, or audited. Well-known security identifiers (special identities): Network: includes all users who are logged on through a network connection.

Access tokens for interactive users do not contain the Network SID. Active Directory normally uses multimaster replication, so any domain controller can accept a change. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes.

In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.

This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master. Infrastructure master: at any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains (for example, group members that belong to another domain). It does this by comparing its data with that of a global catalog. A global catalog already holds a partial replica of every object in the forest, so an infrastructure master that is itself a global catalog never sees a stale reference and never updates anything. In a multi-domain forest the role should therefore be on a domain controller that is not a global catalog, unless every domain controller in the domain is one, in which case the role is irrelevant.
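A script that lists every operations master in the forest and flags the infrastructure-master-on-a-global-catalog condition from Question 42, as an added example that is not from the original page. It requires the ActiveDirectory module from Windows Server 2008 R2; the target server DC2 in the fix is an assumption.

```powershell
# Added example (not from the original page): enumerate the operations masters
# of every domain in the forest and warn when the infrastructure master is a
# global catalog in a multi-domain forest. Requires the Windows Server 2008 R2
# ActiveDirectory module. Run as a user who can read every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
'Forest-wide roles:'
"  Schema master        : $($forest.SchemaMaster)"
"  Domain naming master : $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "Domain $($domain.DNSRoot):"
    "  PDC emulator         : $($domain.PDCEmulator)"
    "  RID master           : $($domain.RIDMaster)"
    "  Infrastructure master: $($domain.InfrastructureMaster)"

    $im = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domain.DNSRoot

    # If every DC in the domain is a GC the role has nothing to do, so the
    # placement does not matter; otherwise a GC holder silently does nothing.
    $nonGcCount = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot |
                    Where-Object { -not $_.IsGlobalCatalog }).Count

    if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and $nonGcCount -gt 0) {
        Write-Warning ("{0} holds the infrastructure master role for {1} but is a global catalog; " +
                       "cross-domain group memberships will not be kept up to date.") -f $im.HostName, $domain.DNSRoot
    }
}

# Fix (DC2 is an assumption): move the role to a domain controller that is not a GC.
# Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole InfrastructureMaster
```

`netdom query fsmo` gives the same role listing for the current domain without the module, but it does not tell you whether the holder is a global catalog, which is the part that matters here.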

Global catalogs receive re.

Question 43 - Topic 1 Your company has an Active Directory domain. Assign the Certificate Manager role to the CertIssuers group. To assign a role to a user or group, you assign the role's corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

Question 44 - Topic 1 Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. Configure DC1 as a Global Catalog server. Decrease the replication interval on the site link that connects the branch office to the corporate network. Increase the replication interval on the site link that connects the branch office to the corporate network. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

The Certificate Manager role is configured by assigning a user or group the Issue and Manage Certificates permission. When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction so that they can only approve requests for, or revoke, smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.

This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA. To configure certificate manager restrictions for a CA: 1. Open the Certification Authority snap-in, and right-click the name of the CA. Click Pr.

Question 46 - Topic 1 You are installing an application on a computer that runs Windows Server 2008 R2. Change the functional level of the forest to Windows Server 2008 R2.

Log on by using an account that has Schema Admins rights and the appropriate rights to install the application. Log on by using an account that has Enterprise Admins rights and the appropriate rights to install the application.

You can use these predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles. Groups in the Builtin container: the following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group. Groups in the Users container: the following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group.

Add your account to the Domain Admins group. These new files replace ADM files, which used their own markup language. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks. Is this the right way to do it?

The answer is Yes. Again, this is one of those things that confuses people. The template format has nothing to do with the policy file that's created. It's just used to create the policy by the administrative tool itself. This was one of the areas that caused major problems w.

Question 48 - Topic 1 Your company has an Active Directory forest that contains a single domain. Add and configure a new account partner. You can configure multiple account stores for a single Federation Service.

You can also define their priority.

Question 49 - Topic 1 Your company has an Active Directory domain. You have a two-tier PKI infrastructure that A. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations. A root CA's certificate is signed with the root's own key, which means that the root CA is validating itself (self-validating).

This root CA can then have subordinate CAs that effectively trust it. This establishes a CA hierarchy and trust path. CA compromise: if a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised.

Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. Make sure that you keep all CAs in secure areas with limited access.

To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on; it signs only the certificates of the CAs below it and its own CRL, so it can stay powered off between those rare events.
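The publishing steps that make an offline root usable by domain members without the root ever being domain-joined, as an added example that is not from the original page. The file names, the CA name and the HTTP share path are assumptions; the certutil switches are standard.

```powershell
# Added example (not part of the original page): what you run after an
# offline, standalone root CA has signed the subordinate CA's certificate.
# The root never joins the domain; its certificate and CRL are carried out
# on removable media and published from a domain member. File names, the
# CA name and the share path are assumptions. Run as an Enterprise Admin.

# 1. On the offline root (no network), export the CA certificate and a fresh CRL:
#      certutil -ca.cert RootCA.crt
#      certutil -crl            # writes the CRL to the CA's configured CRL path
#    and copy both files, plus the signed subordinate certificate, to removable media.

# 2. On a domain member, publish them into AD DS. The cert goes to the
#    Trusted Root Certification Authorities store of every domain member via
#    Group Policy; the CRL goes to the CDP container so LDAP revocation checks work.
certutil -dspublish -f .\RootCA.crt RootCA
certutil -dspublish -f .\RootCA.crl

# 3. Also publish both to the HTTP location encoded in the root's CDP/AIA
#    extensions; an offline CA cannot serve them itself. Path is an assumption.
Copy-Item -Path .\RootCA.crt, .\RootCA.crl -Destination '\\web01\pki$\'

# 4. On the issuing (subordinate) CA, install the certificate the root signed
#    and start the service (file name is an assumption):
#      certutil -installcert .\IssuingCA.crt
#      Start-Service -Name CertSvc

# 5. From any domain member, confirm that the chain builds and that both
#    CDP and AIA URLs of the subordinate certificate are reachable.
certutil -verify -urlfetch .\IssuingCA.crt

# Operational caveat: the root CRL's NextUpdate is a hard deadline. When it
# passes, every certificate below the root fails revocation checking until the
# root is powered on and a new CRL is published. Read the dates and diary them.
certutil -dump .\RootCA.crl | Select-String -Pattern 'ThisUpdate|NextUpdate'
```

Give the root CRL a validity period measured in months, not days, and publish a replacement well before NextUpdate; the whole point of keeping the root offline is lost if it has to be booted every week.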

This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA. How do offline CAs issue certificates? Offline root CAs can issue certificates to removable media devices e. If the subordinate CA is a non-issuing intermediate that is offline, then.

ADSI Edit adsiedit. To create an OU: 1. In Select a class, click organizationalUnit, and then click Next.

2. In Value, type a name for the new OU, and then click Next. 3. If you want to set values for additional attributes, click More attributes.

Question 51 - Topic 1 Your company has an Active Directory forest that runs at the functional level of Windows Server. Restart IIS.

Question 52 - Topic 1 Your company has an Active Directory domain. Run the csvde -f computers.

Question 53 - Topic 1 Your company has a main office and a branch office that are configured as a single Active Directory forest. Raise the functional level of the forest to Windows Server 2008. Deploy a Windows Server 2008 domain controller at the main office. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. There are different versions of Adprep; use the one from the installation media of the Windows Server version you are introducing. Prepare the forest and domains: there are three adprep commands to complete (/forestprep on the schema master, /domainprep /gpprep on the infrastructure master of each domain, and /rodcprep if read-only domain controllers are planned), and the changes must replicate throughout the forest before the first new domain controller is promoted.
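The adprep sequence with a before-and-after check of the schema version, as an added example that is not from the original page. The media path is an assumption; the objectVersion values are the documented ones for each Windows Server release.

```powershell
# Added example (not from the original page): prepare an existing forest for
# its first Windows Server 2008 R2 domain controller and prove that the schema
# extension replicated. The media path is an assumption. Each adprep command
# must be run on the role holder it targets, as a member of the groups noted.

function Get-SchemaVersion {
    # objectVersion on the Schema container: 30 = Windows Server 2003,
    # 31 = 2003 R2, 44 = 2008, 47 = 2008 R2. No AD module needed; plain ADSI.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    [int]$schema.objectVersion.Value
}

"Schema version before: $(Get-SchemaVersion)"
$adprep = 'D:\support\adprep\adprep.exe'      # use adprep32.exe on a 32-bit role holder

# 1. Schema master, as Schema Admins + Enterprise Admins + Domain Admins of the root domain.
& $adprep /forestprep

# 2. Infrastructure master of every domain, as Domain Admins. /gpprep also
#    fixes the SYSVOL permissions that RSoP planning mode needs.
& $adprep /domainprep /gpprep

# 3. Domain naming master, as Enterprise Admins; only if RODCs will be deployed.
& $adprep /rodcprep

# Push replication of all partitions across every site, then re-check.
repadmin /syncall /AdeP
$after = Get-SchemaVersion
"Schema version after: $after"
if ($after -lt 47) { Write-Warning 'Schema is not yet at the 2008 R2 level; wait for replication or check adprep.log.' }
```

Each command writes a log under %SystemRoot%\debug\adprep; if /forestprep stops early, that log, not the console, says which schema object it choked on.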

You can install AD DS by using a wizard, the command line, or an answer file. Enable debug logging. The DNS Server service keeps its own event log: for example, when the DNS server starts or stops, a corresponding event message is written to this log.

Most additional critical DNS Server service events are also logged here, for example, when the server starts but cannot locate initializing data and zones or boot information stored in the registry or, in some cases, Active Directory Domain Services (AD DS). DNS client events, by contrast, appear in the System log, and they are written by the DNS Client service on any computer running Windows (all versions).

Optional debug options provide trace logging to a text file on the DNS server computer. You can use DNS Manager to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file that is created and used for this feature, Dns. Receive: packets received by the DNS server are logged in the log file. Debug logging costs CPU and disk on the server and the file grows without bound unless a maximum size is set, so enable it only for the duration of a troubleshooting session.

Set up Automatic Updates through Control Panel on the client computers. Create a GPO and link it to the domain. Configure the server to search for new updates on the Internet. Approve all required updates. Purchase a certificate from a third-party certification authority, then install and configure the Active Directory Certificate Services server role as a standalone subordinate CA.

Purchase a certificate from a third-party certification authority, then import the certificate into the computer store of the schema master. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain.

You must be a Domain Admin, or an administrator with write access to Active Directory, to install an enterprise root CA; in practice this means Enterprise Admins membership, because setup writes the CA objects into the Configuration partition.

Certificates can be issued for logging on to a Windows Server family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Cert Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains.

For more information about the exit module, see Policy and exit modules. An enterprise CA uses certificate types, which are based on certificate templates. The following functionality is possible when you use certificate templates: enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the t.

Question 57 - Topic 1 Your company has recently acquired a new subsidiary company in Quebec.

Download the Conf. Copy the Install. ADMX-based templates consist of two parts: a set of language-dependent resource files (.adml) and a language-neutral file (.admx). The language-neutral file references specific sections of the language resource file in order for the GPMC or Local Group Policy Editor to display a policy setting in the correct language.

Question 58 - Topic 1 Your company has an Active Directory forest. Configure the GPO to assign the application to the computer account.

Configure the GPO to assign the application to the user account. Configure the GPO to publish the application to the user account.

Question 59 - Topic 1 Your network consists of a single Active Directory domain. On the member server, add a conditional forwarder. Convert the standard primary zone to an Active Directory-integrated zone. As part of the promotion process, you are prompted to specify a DNS domain name for the AD DS domain that you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role.

This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain contro.

Question 60 - Topic 1 Your company has a single-domain Active Directory forest. Add the global distribution group to the Domain Admins group.

Change the group type of the global distribution group to a security group. Change the scope of the global distribution group to a universal distribution group. In Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below. Security: security groups allow you to manage user and computer access to shared resources.

You can also control who receives Group Policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use security groups as email distribution lists. Distribution: distribution groups are intended to be used solely as email distribution lists.

These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You cannot use distribution groups to assign permissions on any objects, and you cannot use them to filter Group Policy settings, because distribution groups are not included in a user's access token.

Question 61 - Topic 1 Your company network has an Active Directory forest that has one parent domain and one child domain.

Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory Domain Services role.

Run the Dcpromo tool with individual answer files on each domain controller in the child domain. The checklist for removing the domain controllers of a domain: 1. View the current operations master role holders. 2. Transfer the schema master. 3. Transfer the domain naming master. 4. Transfer the domain-level operations master roles. 5. Determine whether a domain controller is a global catalog server. 6. Verify DNS registration and functionality. 7. Verify communication with other domain controllers. 8. Verify the availability of the operations masters. 9.

If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: export a certificate with the private key. Then uninstall Active Directory. If the domain controller hosted encrypted documents and you backed up the certificate and private key before removing Active Directory, perform the following procedure to re-import the certificate to the server: import a certificate. Determine whether a Server object has child objects. Click Start, click Run, type dcpromo, and then click OK. Note that the Active Directory Domain Services role can only be uninstalled in Server Manager after dcpromo has demoted the server; removing the role first is not supported.
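An answer file for demoting the last domain controller of the child domain with dcpromo, as an added example that is not from the original page. Account names, the path and the certificate thumbprint are assumptions; the [DCInstall] keys are the documented unattend keys for Windows Server 2008.

```powershell
# Added example (not part of the original page): demote a child-domain domain
# controller with a dcpromo answer file. On the last DC, IsLastDCInDomain=Yes
# removes the domain itself (and with it the parent-child trust) rather than
# just this server. Names and paths are assumptions.
$answer = @'
[DCInstall]
; credentials with Enterprise Admins rights in the forest root
UserName=admin
UserDomain=contoso.com
Password=*
; local Administrator password the server gets after demotion
AdministratorPassword=*
; demotion switches
IsLastDCInDomain=Yes
RemoveApplicationPartitions=Yes
RemoveDNSDelegation=Yes
DNSDelegationUserName=admin
DNSDelegationPassword=*
RebootOnCompletion=Yes
'@
Set-Content -Path C:\demote.txt -Value $answer -Encoding ASCII

# The page's EFS precaution: export the recovery certificate with its private
# key before the domain disappears (thumbprint and file are assumptions).
# certutil -exportPFX -user My 0123456789abcdef0123456789abcdef01234567 C:\efs-backup.pfx

# Password=* makes dcpromo prompt instead of storing secrets in the file.
dcpromo /unattend:C:\demote.txt

# Every other DC in the child domain is demoted first with the same file but
# IsLastDCInDomain=No (the default); only the final one removes the domain.
```

Transfer any operations master roles the child domain's DCs hold for the forest (schema master, domain naming master) to a parent-domain DC before this runs; dcpromo refuses to demote a holder of a forest-wide role that it cannot hand off.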

Question 62 - Topic 1 Your network consists of a single Active Directory domain. Raise the functional level of the domain to Windows Server 2008. In Windows 2000 Server and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain.

As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons. In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
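A complete fine-grained password policy for service accounts, including the functional-level check, as an added example that is not from the original page. It uses the ActiveDirectory module from Windows Server 2008 R2; the group and user names are assumptions.

```powershell
# Added example (not from the original page): create a fine-grained password
# policy (a password settings object, PSO) for service accounts and confirm
# which policy a given user actually gets. Requires the Windows Server 2008 R2
# ActiveDirectory module. Group and user names are assumptions.
Import-Module ActiveDirectory

# Requirement: domain functional level Windows Server 2008 or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 first."
}

# A PSO applies to users and global security groups, never to OUs.
$group = Get-ADGroup -Identity 'ServiceAccounts'

New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -MinPasswordLength 25 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '180.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $group

# When a user is covered by several PSOs the lowest Precedence wins, and a PSO
# linked directly to the user beats any linked through groups. Always check the
# resultant policy rather than assuming.
Get-ADUserResultantPasswordPolicy -Identity 'svc-sql' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

If `Get-ADUserResultantPasswordPolicy` returns nothing, the user is not covered by any PSO and the Default Domain Policy still applies; that is the usual reason a "new" password policy seems to have no effect.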

Requirements and special considerations for fine-grained password and account lockout policies. Domain functional level: the domain functional level must be set to Windows Server 2008 or higher. Fine-grained password policies can be applied only to user objects (or inetOrgPerson objects) and global security groups; they cannot be linked to an organizational unit.

Question 63 - Topic 1 Your company has two Active Directory forests named contoso. Create a copy of the fabrikam. Configure conditional forwarding on DNS3 to forward contoso.

Question 64 - Topic 1 Your company has a single Active Directory domain named intranet.

Set dynamic updates to Secure Only. Explanation: Answer: Set dynamic updates to Secure Only. Dynamic update lets DNS clients register and refresh their own resource records, which reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. With nonsecure updates, any host that can reach the server can overwrite any record, including another computer's name, so Secure Only (available only for Active Directory-integrated zones, where the client must authenticate before updating) is the setting to use. After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.
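The DNS changes asked for in Questions 41, 59, 63 and 64 (zone into AD DS, secure-only updates, conditional forwarder) done with dnscmd, as one added example that is not from the original page. Zone names, the partition name and the forwarder addresses are assumptions.

```powershell
# Added example (not part of the original page): the DNS tasks discussed in
# Questions 41, 59, 63 and 64, scripted with dnscmd on a Windows Server 2008
# DNS server that is also a domain controller. Zone names, the application
# partition name and the IP addresses are assumptions. Run as DnsAdmins.
$zone      = 'contoso.com'
$partition = "DomainDnsZones.$zone"        # replicate to every DC that is a DNS server in this domain

# 1. Standard primary (file-backed) -> Active Directory-integrated primary.
#    The zone data moves out of %SystemRoot%\System32\dns into AD DS.
dnscmd /ZoneResetType $zone /DsPrimary /dp $partition

# 2. Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
#    Secure only is possible only once the zone is AD-integrated (step 1),
#    because the server then checks the updater against the record's ACL,
#    so one host cannot overwrite another host's record.
dnscmd /Config $zone /AllowUpdate 2

# 3. Conditional forwarder for a partner forest: queries for that namespace go
#    straight to its DNS servers instead of out to the root hints. Storing it in
#    the forest partition makes it appear on every DNS server in the forest.
dnscmd /ZoneAdd fabrikam.com /Forwarder 10.20.0.10 10.20.0.11 /dp /forest

# 4. Verify.
dnscmd /ZoneInfo $zone | Select-String -Pattern 'zone type|DS integrated|update|DpFqdn'
dnscmd /EnumZones /Forwarder
nslookup -type=SOA fabrikam.com .      # should be answered via the forwarder, not the roots

# On Windows Server 2012 and later the same work is one cmdlet:
#   Set-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
```

After step 2, any non-domain device that used to register itself (printers, appliances) will start failing its updates; give those static records or let the DHCP server register on their behalf.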

Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table: You need to ensure that all device certificate requests use the MD5 hash algorithm.

What should you do? You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7.

You need to verify that the Windows 7 client computers can automatically enroll for certificates. Which command should you run on Computer1? Your network contains two Active Directory forests named contoso. The functional level of both forests is Windows Server 2008 R2.

Each forest contains one domain. You need to ensure that all users in the adatum. What should you configure in the adatum. External users report that the new template is unavailable when they request a new certificate. They need that account back. The problem was that, no matter what they did, the version 3 templates would not appear as certificates that could be requested via the web page. On the other hand, version 1 and 2 templates did appear on the page, and requests could be made successfully using those templates.

You need to create a WMI script query to retrieve information from the BIOS of each domain controller. Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site. You discover that the domain controllers in the branch offices sometimes replicate directly to each other. You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office.

By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage of bridging all site links is that your network is easier to maintain, because you do not need to create a site link to describe every possible path between pairs of sites. Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links in the following cases:

You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller.

The default domain GPO in your company is configured by using the following account policy settings: The SQLSrv account has domain user rights. The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out. You need to resolve the server failure and prevent recurrence of the failure.
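For the site link bridging discussion above, an added example that is not from the original page: it turns off transitive bridging on the IP transport, which is what stops branch domain controllers from pairing with each other, and shows how an explicit bridge is created for the one path you do want. It uses the Windows Server 2008 R2 ActiveDirectory module; the site link names are assumptions, and the options bit value is the documented NTDSTRANSPORT_OPT_BRIDGES_REQUIRED flag.

```powershell
# Added example (not from the original page): clear "Bridge all site links" on
# the IP transport so the KCC only builds connections along explicit site
# links, then create one manual bridge for a path that must still work.
# Requires the Windows Server 2008 R2 ActiveDirectory module. Site link names
# are assumptions. Run as an Enterprise Admin.
Import-Module ActiveDirectory

$config  = (Get-ADRootDSE).configurationNamingContext
$ipXport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$config"

# The check box is bit 0x2 (BRIDGES_REQUIRED) of the transport's options
# attribute; setting the bit DISABLES automatic bridging.
$BRIDGES_REQUIRED = 0x2
$opts = (Get-ADObject -Identity $ipXport -Properties options).options
if (-not $opts) { $opts = 0 }
Set-ADObject -Identity $ipXport -Replace @{ options = ($opts -bor $BRIDGES_REQUIRED) }

# With transitivity off, a hub-and-spoke set of site links (each branch linked
# only to the main office) already gives the behaviour the question wants.
# If some traffic must still cross two links, bridge exactly those links:
$bridgeLinks = @("CN=HQ-Branch1,$ipXport", "CN=HQ-Datacenter,$ipXport")   # assumed link names
New-ADObject -Name 'Bridge-Branch1-Datacenter' -Type siteLinkBridge -Path $ipXport `
    -OtherAttributes @{ siteLinkList = $bridgeLinks }

# Verify the flag and the bridges, then ask the KCC to recompute the topology.
Get-ADObject -Identity $ipXport -Properties options | Select-Object Name, options
Get-ADObject -Filter { objectClass -eq 'siteLinkBridge' } -SearchBase $ipXport -Properties siteLinkList |
    Select-Object Name, siteLinkList
repadmin /kcc

# Any branch-to-branch connection objects the KCC created earlier are removed
# on its next pass; check with:
repadmin /showconn
```

Every site link must have a cost and a schedule that still lets the spokes reach the hub once bridging is off; a branch whose only link is to another branch becomes unreachable rather than merely inefficient.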

Which two actions should you perform? Each correct answer presents part of the solution. Choose two. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow log on locally user right. The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller.

For Group Policy to be effective, both parts of a GPO (the Group Policy container in AD DS and the Group Policy template in SYSVOL) must be available on a domain controller. You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount of administrative effort. The solution must minimize the number of permissions assigned to User1. You can choose only one security principal.

Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This is the recommended way to specify the delegated RODC administrator account, because the information is stored in AD DS, where it can be centrally managed by domain administrators. Alternatively, use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC.

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended, because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server.

If that server is later promoted again as an RODC in a different domain, the original security principal would have administrative rights on the new RODC. Administrator Role Separation configuration: this section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.

To add the local administrator role, use the add parameter. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service.
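Both ways of delegating RODC administration, the recommended ManagedBy attribute and the local-only ntdsutil role, as an added example that is not from the original page. The RODC, group and domain names are assumptions; the ntdsutil local roles syntax is the documented one.

```powershell
# Added example (not part of the original page): delegate local administration
# of a read-only domain controller the recommended way (ManagedBy in AD DS),
# then show the ntdsutil/dsmgmt alternative the page discourages and how to
# audit it. RODC, group and domain names are assumptions.
Import-Module ActiveDirectory

$rodc  = 'RODC1'
$group = Get-ADGroup -Identity 'BranchOffice-RODC-Admins'   # a group, not a person

# Recommended: write the group's DN into ManagedBy on the RODC's computer
# account. This is what the Managed By tab in Active Directory Users and
# Computers sets; it replicates and is visible to every domain administrator.
Set-ADComputer -Identity $rodc -ManagedBy $group.DistinguishedName

# Confirm.
Get-ADComputer -Identity $rodc -Properties ManagedBy | Select-Object Name, ManagedBy

# Not recommended: Administrator Role Separation through ntdsutil or dsmgmt.
# It is stored only in the RODC's registry, does not show on the Managed By
# tab, and survives demotion. Run on the RODC itself (commands shown as text):
#   ntdsutil "local roles" "add CONTOSO\BranchOffice-RODC-Admins administrators" quit quit
#   ntdsutil "local roles" "list roles" quit quit
#   ntdsutil "local roles" "show role administrators" quit quit
# dsmgmt accepts exactly the same "local roles" commands.

# When you inherit an RODC, audit the local role too, so a stale delegation
# left over from a previous life of the server is not missed.
ntdsutil "local roles" "show role administrators" quit quit
```

A principal that appears in the ntdsutil output but not in ManagedBy is the case the page warns about; remove it with `ntdsutil "local roles" "remove <principal> administrators" quit quit` on the RODC.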

When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available. By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7.
