-
The local domain is trusted while the remote domain is trusting, is which type of communication?
A.
-
Which group type can contain members from the local domain or forest and any other forest?
A.
-
Which port is required to open for SMB to work?
445 TCP
-
What is the command syntax to create an IFM to set up a remote DC?
- C> ntdsutil
- ntdsutil: activate instance ntds
- ntdsutil: ifm
- ifm: create full c:\ifmfolder
-
What are the steps for creating an RODC?
- 1. Right-click the Domain Controllers container
- 2. Select Pre-create Read-only Domain Controller account
-
What is the Windows PowerShell cmdlet to install a Domain Controller from IFM?
Install-ADDSDomainController -DomainName 'domain.com' -InstallationMediaPath 'c:\ifm' -ReplicationSourceDC 'DC.domain.com' -Credential (Get-Credential) -SafeModeAdministratorPassword (ConvertTo-SecureString 'Password' -AsPlainText -Force) -Force
-
How do you change the Schema Master FSMO role to DC2?
- 1. Open cmd
- 2. Run the command regsvr32 schmmgmt.dll
- 3. Run MMC
- 4. Go to File --> Add a Snap-in
- 5. Select Active Directory Schema
-
Which Windows command can be used to get the list of FSMO role assignments?
netdom /query fsmo
-
What are the steps to set up a DC clone?
- 1. Add the DC to the AD group "Cloneable Domain Controllers"
- 2. Generate the excluded application list using the command Get-ADDCCloningExcludedApplicationList -GenerateXML
- 3. Generate the DC cloning XML file using New-ADDCCloningConfigFile
- 4. Shut down the VM
- 5. Export it and import it as a copied VM with a new SID.
-
What is the Windows PowerShell command used to transfer and seize FSMO roles from a DC?
- Transfer roles:
- Move-ADDirectoryServerOperationMasterRole -Identity [targetDC] -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
- Seize roles:
- Same command with the -Force parameter
-
What is the PS command to get the FSMO roles assignments?
- Get-ADForest | Select SchemaMaster, DomainNamingMaster
- Get-ADDomain | Select PDCEmulator, InfrastructureMaster, RIDMaster
-
What is the utility command to transfer or seize FSMO roles?
- ntdsutil
- roles
- connections
- connect to server [targetDC]
- quit
- transfer [role]
- or
- seize [role]
-
Which DOS command can be used to view assigned FSMO roles?
netdom /query fsmo
-
What utility is used to view or change the Global Catalog role of a DC?
Active Directory Sites and Services
-
What is the PowerShell command to get the global catalogs?
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
-
What is the GPO processing order?
LSDOU - Local, Site, Domain, OU
-
What are the filtering methods for GPO?
- Security filter
- WMI Filter
-
To which objects can the security filter for a GPO apply?
-
Which of the following built-in service accounts has maximum local access and authenticates with AD DS using the machine account?
Local System
-
Which of the following built-in service accounts has minimum local access and authenticates with AD DS using the machine account?
Network service
-
Which of the following built-in service accounts has maximum local access and authenticates with AD DS using the anonymous account?
Local service
-
What password settings are configured for a service account?
- 1. Password never expires
- 2. User cannot change password
-
What is the benefit of using a Managed Service Account over a normal service account?
- A Managed Service Account's password is managed by the computer in AD, while a normal service account's password is set once and is vulnerable to security breach.
- It cannot be locked out.
- It cannot be used for interactive logons.
-
In which version of Windows were Managed Service Accounts introduced?
Windows Server 2008 R2
-
What are the password recycle settings for a Standard Managed Service Account?
- 1. Changed every 30 days
- 2. It is 120 characters long (240 bytes)
-
What are the commands to create a Standard Managed Service Account?
- New-ADServiceAccount -Name [ServiceAccountName] -RestrictToSingleComputer
- Add-ADComputerServiceAccount -Identity [ComputerName] -ServiceAccount [ServiceAccountName]
- Run on the computer hosting the service:
- Install-ADServiceAccount -Identity [ServiceAccountName]
-
What is the format for configuring a standard managed service account on a local computer?
- Domain\ServiceAccount$
- Remove the password
-
What is required by a gMSA that is not required by an sMSA?
- a KDS root key
- KDS - Key Distribution Service
-
What are the steps for creating a gMSA?
- Add-KdsRootKey -EffectiveImmediately
- New-ADServiceAccount -Name [gMSA] -DnsHostName [gMSA.domain.com] -PrincipalsAllowedToRetrieveManagedPassword [gMSAGroup] -Enabled $true
- Install-ADServiceAccount -Identity [gMSA]
- Add the gMSA to the service with a $ sign
-
What is the format for a locally managed service account?
NT Service\ServiceName$
Note: This is also called a virtual service account.
-
What are the primary features of a virtual service account?
- No password management required
- Accesses the domain as the computer account
- Is a specially named account
-
What is the term for allowing one application or service to delegate authentication to another service?
Kerberos Delegation (KD)
-
What is the term for allowing one application or service to delegate authentication to a specific service?
KCD (Kerberos Constrained Delegation)
-
What will you use to uniquely identify a service instance on the domain?
Service Principal Name (SPN)
-
What is the command to list all the SPNs for an object?
setspn -l <accountname>
-
What is the syntax to delete an SPN for an object?
setspn -d <SPN> <accountname>
-
What is the command syntax to add an SPN for an object?
setspn -s <SPN> <accountname>
-
What is the naming convention for an SPN?
<service class>/<host>:<port>/<service name>
-
What is the command syntax to search for duplicate SPNs?
setspn -X
-
What is the command syntax to query an LDAP service for DC srv5?
setspn -q ldap/srv5
-
What is the naming format of the SPN for a host-based service?
- <service class>/<host>
- or
- <service class>/<host>:<port>
-
What is the naming format of the SPN for a replicable service?
<service class>/<host>:<port>/<service name>
-
What is the PS command to create an FGPP?
- New-ADFineGrainedPasswordPolicy <NameOfPolicy>
- Add-ADFineGrainedPasswordPolicySubject <NameOfPolicy> -Subjects <GroupAppliedTo>
-
What is the default domain password policy?
- 24 passwords remembered
- 42 days maximum age
- 1 day minimum age
- 7 characters long
- password complexity enabled
-
Which tool is used for hosting the snapshot in an LDAP server instance?
dsamain -dbpath (path) -ldapport (port#)
-
Which tool is used to create a snapshot of Active Directory?
Ntdsutil snapshot
-
What are the ntdsutil commands to create and mount an AD snapshot?
- ntdsutil
- activate instance ntds
- snapshot
- create
- list all
- mount %s
- quit
- quit
-
What is the sequence of ntdsutil commands used to do DC metadata cleanup?
- ntdsutil
- activate instance ntds
- metadata cleanup
- select operation target
- list sites
- select site %d
- list domains
- select domain %d
- list naming contexts
- select naming context %d
- list servers for domain in site
- select server %d
- quit
- remove selected server
- quit
- quit
-
Which write requests does an RODC forward to a writeable DC, afterwards receiving the update via standard replication from its partners?
- Password Changes
- LastLogonTimeStamp
- SPN updates
-
Which groups are members of the security group "Denied RODC PRG"?
- Schema Admins
- Enterprise Admins
- Domain Admins
- Cert Publishers
- Group Policy Creator Owners
- Domain Controllers
- Read-only Domain Controllers
-
Which command utility can be used to get the replication status in a summary?
repadmin /replsummary
-
What is the command to get the status of DFSR on a DC?
dfsrmig /getGlobalState
-
What is the command-line utility to migrate SYSVOL from FRS to DFSR?
- dfsrmig /setGlobalState 1 (Prepared)
- dfsrmig /setGlobalState 2 (Migrated)
- dfsrmig /setGlobalState 3 (Eliminated)
- dfsrmig /getMigrationState
-
Command-line utility to reveal PRP cached passwords on the RODC?
repadmin /prp view <RODC> reveal
-
Command-line utility to reveal the PRP deny list on the RODC?
repadmin /prp view <RODC> deny
-
Command-line utility to reveal the PRP allowed list on the RODC?
repadmin /prp view <RODC> allow
-
Command-line utility to reveal the list of security principals authenticated by the RODC?
repadmin /prp view <RODC> auth2
-
What additional option is shown when you select advanced mode during the pre-create RODC account creation?
The option to modify the Password Replication Policy (PRP) settings.
-
Where do you add an alternate UPN for the forest?
Active Directory Domains and Trusts
-
What type of trust is it if the local domain is trusted and the remote domain is trusted?
Two-way trust
-
What type of trust is it if the local domain is trusting and the remote domain is trusted?
one-way incoming
-
In a domain trust relationship, which domain hosts the resources and which domain hosts the user accounts?
- The trusted domain hosts the user accounts or security principals
- The trusting domain hosts the resources
-
What are the two types of authentication available for Forest trusts?
- Forest-wide authentication
- Selective authorization
-
True/False: A forest trust relationship is always transitive.
True
-
True/False: An external trust relationship is transitive.
False
-
Which trust is suitable for an AD DS domain and a non-Windows environment?
A.
-
Shortcut trust
- Domains exist in the same forest or domain tree
- Authenticate directly between domains
-
External trust
- It is non-transitive
- Exists between two forests
- It can be unidirectional or bidirectional
- Functional level of Windows 2003 or higher is not required
-
Realm trust
- It can exist between an AD DS domain and a non-Windows Kerberos realm
- The Kerberos security can be in a Linux or Apple environment
- It can be transitive or non-transitive
-
What is the command to disable SID filtering?
netdom trust <trusting domain> /domain:<trusted domain> /EnableSIDHistory:Yes
-
What is the command to re-enable SID filtering?
netdom trust <trusting domain> /domain:<trusted domain> /EnableSIDHistory:No
-
How do you create the IFM media file for a full DC?
- ntdsutil
- activate instance ntds
- ifm
- create full %s
-
What is the command to join a client computer to the domain offline after provisioning?
djoin /requestodj /loadfile c:\filename /windowspath %systemroot%
-
What is the command to provision a computer CLIENT to join the domain test.com offline?
djoin /provision /domain test.com /machine CLIENT /savefile c:\filename
-
What is the port used in DNS SRV for Global Catalog?
3268
-
What is the port used for Kerberos in DNS SRV?
88