The local domain is trusted while the remote domain is trusting; which type of communication is this?
Which group type can contain members from the local domain or forest and any other forest?
Which port is required to be open for SMB to work?
What is the command syntax to create an IFM to set up a remote DC?
- C:\> ntdsutil
- ntdsutil: activate instance ntds
- ntdsutil: ifm
- ifm: create full c:\ifmfolder
What are the steps for creating a RODC?
- 1. Right-click the Domain Controllers container
- 2. Select Pre-stage RODC
What is the Windows PowerShell cmdlet to install a Domain Controller from IFM?
Install-ADDSDomainController -DomainName 'domain.com' -InstallationMediaPath 'c:\ifm' -ReplicationSourceDC 'DC.domain.com' -Credential (Get-Credential) -SafeModeAdministratorPassword (ConvertTo-SecureString 'Password' -AsPlainText -Force) -Force
How do you change the Schema Master FSMO role to DC2?
- 1. Open cmd
- 2. Run regsvr32 schmmgmt.dll
- 3. Run MMC
- 4. Go to File --> Add/Remove Snap-in
- 5. Select Active Directory Schema
What Windows command can be used to get the list of FSMO role assignments?
netdom query fsmo
What are the steps to set up a DC clone?
- 1. Add the DC to the AD group "Cloneable Domain Controllers"
- 2. Generate the excluded application list using the command Get-ADDCCloningExcludedApplicationList -GenerateXml
- 3. Generate the DC cloning XML file using New-ADDCCloneConfigFile
- 4. Shut down the VM
- 5. Export it and import it as a copied VM with a new SID.
What is the Windows PowerShell command used to transfer and seize FSMO roles from a DC?
- Transfer roles:
- Move-ADDirectoryServerOperationMasterRole -Identity [targetDC] -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
- Seize roles:
- Same command with the parameter -Force
What is the PS command to get the FSMO role assignments?
- Get-ADForest | Select SchemaMaster, DomainNamingMaster
- Get-ADDomain | Select PDCEmulator, InfrastructureMaster, RIDMaster
What are the ntdsutil commands to transfer or seize FSMO roles?
- connect to server [targetDC]
- transfer [role]
- seize [role]
Which DOS command can be used to view assigned FSMO roles?
netdom query fsmo
What utility is used to view or change the Global Catalog role of a DC?
Active Directory Sites and Services
What is the PowerShell command to get the global catalogs?
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
What is the GPO processing order?
LSDOU - Local, Site, Domain, OU
What are the filtering methods for a GPO?
- Security filter
- WMI Filter
To which objects can the security filter for a GPO apply?
Which of the following built-in service accounts has maximum local access and authenticates with AD DS using the machine account?
Which of the following built-in service accounts has minimum local access and authenticates with AD DS using the machine account?
Which of the following built-in service accounts has maximum local access and authenticates with AD DS using the anonymous account?
What password settings are configured for a service account?
- 1. Password never expires
- 2. User cannot change password
What is the benefit of using a Managed Service Account over a normal service account?
- A Managed Service Account password is managed by the computer in AD, while a normal service account password is set once and is vulnerable to security breach.
- It cannot be locked out.
- It cannot be used for interactive logons.
In what version of Windows were Managed Service Accounts introduced?
Windows Server 2008 R2
What are the password recycle settings for a Standard Managed Service Account?
- 1. Changed every 30 days
- 2. It is 120 characters long (240 bytes)
What are the commands to create a Standard Managed Service Account?
- New-ADServiceAccount -Name [ServiceAccountName] -RestrictToSingleComputer
- Add-ADComputerServiceAccount -Identity [ComputerName] -ServiceAccount [ServiceAccountName]
- Run on the computer with the service:
- Install-ADServiceAccount -Identity [ServiceAccountName]
What is the format for configuring a standard managed service account on a local computer?
- Remove the password
What is required by a gMSA that is not required by an sMSA?
- a KDS root key
- KDS - Key Distribution Service
What are the steps for creating a gMSA?
- Add-KdsRootKey -EffectiveImmediately
- New-ADServiceAccount -Name [gMSA] -DnsHostName [gMSA.domain.com] -PrincipalsAllowedToRetrieveManagedPassword [gMSAGroup] -Enabled $true
- Install-ADServiceAccount -Identity [gMSA]
- Add the gMSA to the service with a trailing $ sign
What is the format for a locally managed service account?
Note: This is also called a virtual service account.
What are the primary features of a virtual service account?
- No password management required
- Accesses the domain as the computer account
- Is a specially named account
What is the term for allowing one application or service to delegate authentication to another service?
Kerberos Delegation (KD)
What is the term for allowing one application or service to delegate authentication to a specific service?
KCD (Kerberos Constrained Delegation)
What will you use to uniquely identify a service instance on the domain?
Service Principal Name (SPN)
What is the command to list all the SPNs for an object?
setspn -L <accountname>
What is the syntax to delete an SPN for an object?
setspn -D <SPN> <accountname>
What is the command syntax to add an SPN for an object?
setspn -S <SPN> <accountname>
What is the naming convention for the SPN?
<service class>/<host>:<port>/<service name>
What is the command syntax to search for duplicate SPNs?
What is the command syntax to query the LDAP service for DC srv5?
setspn -q ldap/srv5
What is the naming format of the SPN for a host-based service?
- <service class>/<host>
- <service class>/<host>:<port>
What is the naming format of the SPN for a replicable service?
<service class>/<host>:<port>/<service name>
What is the PS command to create a FGPP?
- New-ADFineGrainedPasswordPolicy <NameOfPolicy>
- Add-ADFineGrainedPasswordPolicySubject <NameOfPolicy> -Subjects <GroupAppliedTo>
What is the default domain password policy?
- 24 passwords remembered
- 42 days maximum age
- 1 day minimum age
- 7 characters minimum length
- password complexity enabled
Which tool is used to host a snapshot in an LDAP server instance?
dsamain -dbpath (path) -ldapport (port#)
Which tool is used to create a snapshot of Active Directory?
What are the ntdsutil commands to create and mount an AD snapshot?
- activate instance ntds
- list all
- mount %s
What are the ntdsutil commands, in order, used to do DC metadata cleanup?
- activate instance ntds
- metadata cleanup
- select operation target
- list sites
- select site %d
- list domains
- select domain %d
- list naming contexts
- select naming context %d
- list servers for domain in site
- select server %d
- remove selected server
An RODC forwards which write requests to a writable DC, then receives the update via standard replication from its partners?
- Password Changes
- SPN updates
Which groups are members of the security group "Denied RODC PRG"?
- Schema Admins
- Enterprise Admins
- Domain Admins
- Cert Publishers
- Group Policy Creator Owners
- Domain Controllers
- Read-only Domain Controllers
Which command-line utility can be used to get the replication status in a summary?
What is the command to get the status of DFSR on a DC?
What is the command-line utility to migrate SYSVOL from FRS to DFSR?
- dfsrmig /setGlobalState 1 (Prepared)
- dfsrmig /setGlobalState 2 (Migrated)
- dfsrmig /setGlobalState 3 (Eliminated)
- dfsrmig /getMigrationState
Command-line utility to reveal PRP cached passwords on the RODC?
repadmin /prp view <RODC> reveal
Command-line utility to reveal the PRP deny list on the RODC?
repadmin /prp view <RODC> deny
Command-line utility to reveal the PRP allowed list on the RODC?
repadmin /prp view <RODC> allow
Command-line utility to reveal the list of security principals authenticated by the RODC?
repadmin /prp view <RODC> auth2
What additional option is shown when you select advanced mode during pre-creation of the RODC account?
The option to modify the Password Replication Policy (PRP) settings.
Where do you add an alternate UPN suffix for the forest?
Active Directory Domains and Trusts
What type of trust is it if the local domain is trusted and the remote domain is trusted?
What type of trust is it if the local domain is trusting and the remote domain is trusted?
In a domain trust relationship, which domain hosts the resources and which domain hosts the user accounts?
- the trusted domain - hosts the user accounts or security principals
- the trusting domain - hosts the resources
What are the two types of authentication available for forest trusts?
- Forest-wide authentication
- Selective authentication
True/False: Forest trust relationships are always transitive?
True/False: External trust relationships are transitive?
Which trust is suitable for an AD DS domain and a non-Windows environment?
- Domains exist in the same forest or domain tree
- Authenticates directly between domains
- It is non-transitive
- Exists between two forests
- It can be unidirectional or bidirectional
- Functional level of Windows 2003 or higher is not required
- It can exist between an AD DS domain and a non-Windows Kerberos realm
- The Kerberos realm can be in a Linux or Apple environment
- It can be transitive or non-transitive
What is the command to disable SID filtering?
netdom trust <trusting domain> /domain:<trusted domain> /EnableSIDHistory:Yes
What is the command to re-enable SID filtering?
netdom trust <trusting domain> /domain:<trusted domain> /EnableSIDHistory:No
How do you create the IFM media for a full DC?
- activate instance ntds
- create full %s
What is the command to join a client computer to the domain offline after provisioning?
djoin /requestODJ /loadfile c:\filename /windowspath %SystemRoot%
What is the command to provision a computer CLIENT to join the domain test.com offline?
djoin /provision /domain test.com /machine CLIENT /savefile c:\filename
What is the port used in the DNS SRV record for the Global Catalog?
What is the port used for Kerberos in DNS SRV?