CIS 276 Directory Services Chapter 2 Questions

Fill in the Blank


Complete the following sentences by writing the correct word or words in the blanks provided.

1. To begin an AD installation, you can run the dcpromo.exe command.
2. The authentication protocol used by Windows 2000 and later computers in a domain is called ___Kerberos___.
3. The PDC emulator FSMO role is responsible for time synchronization across the domain.
4. To complete the authentication process in a domain that is at the Windows 2000 Native functional level or higher, a ___remote GC___ must be contacted.
5. Following an AD installation, you should verify the existence of ___DNS SRV___ records on the DNS server that holds the zone for the AD domain.
6. The general principle used when using groups in a large forest is represented by the letters: ___ABC___.
7. To view the DC that holds the Schema Master FSMO role, you must use the ___AD Schema___ MMC snap-in.
8. A(n) ___GUID___ is an LDAP name used to describe each object within AD.
9. To speed up resource access across child domains in your forest, you can create ___transitive___ trusts.
10. To enable Universal Group Membership Caching, you must use the ___AD sites and services___ console.

Multiple Choice
Circle the letter that corresponds to the best answer.

1. You receive an object-related error when attempting to create a new user account within your domain. What FSMO role should you ensure is online to complete the addition of the user account?
   a. PDC Emulator
   b. Domain Naming Master
   c. Infrastructure Master
   d. RID Master

2. You plan on promoting an existing Windows Server 2003 computer to become an additional domain controller in your domain. To which group must the user account you specify during the AD installation belong at minimum?
   a. Domain Users
   b. Domain Admins
   c. Enterprise Admins
   d. Schema Admins
3. Which of the following utilities must you use to seize a FSMO role?
   a. ntdsutil.exe
   b. dcpromo.exe
   c. Active Directory Domains and Trusts
   d. Active Directory Sites and Services
4. Which of the following are container objects in the AD database? (Choose all that apply.)
   a. group policy
   b. site
   c. domain
   d. OU
5. Which of the following objects is used to locate the correct site for a newly installed DC?
   a. site link
   b. subnet
   c. locator
   d. bridgehead
6. Several users called you today stating that they could not change their passwords. After investigating, you also noticed that the time on their computers was incorrect. Which of the following FSMO roles may be unavailable?
   a. PDC Emulator
   b. RID Master
   c. Infrastructure Master
   d. Schema Master
7. Which of the following DCs are allowed to participate in a Windows 2000 Native mode domain? (Choose all that apply.)
   a. Windows NT4 Server
   b. Windows 2000 Server
   c. Windows Server 2003
   d. Windows Server 2008

8. A single user within your organization calls you for help after having trouble logging on to the domain. Upon further investigation you notice that the user is able to log on to the domain from another computer and that no users are able to successfully log on to the domain from the user's original computer. What is the most likely cause of the problem?
   a. The time on the computer is incorrect and must be changed
   b. The user account has been disabled and must be enabled
   c. The user account has been locked and must be unlocked
   d. The computer account for the user's computer has become corrupted and must be reset
9. You wish to create a group that will contain the Marketing staff within your own domain. This group will be assigned permissions to resources in other domains within your forest. What is the most appropriate scope for this new group?
   a. Local
   b. Global
   c. Domain Local
   d. Universal
10. When attempting to remove AD from an existing DC that you wish to decommission, you receive an error message. Which switch to the dcpromo.exe command will allow you to remove this DC from the domain?
   a. /force
   b. /remove
   c. /forceremoval
   d. /f

True/False
Circle T if the statement is true or F if the statement is false.

T  F  1. Tokens are issued to users following authentication and used to provide access to resources that list the user in their ACL.
T  F  2. When a domain functional level is set to Windows 2000 Interim, only Windows 2000 and later DCs are allowed to participate in domain authentication.
T  F  3. Global groups may only be used in the local domain but can contain objects from any domain in the forest.
T  F  4. Computer objects may be managed using the Active Directory Users and Computers console.
T  F  5. By default, two-way transitive trusts exist between all domains in a forest.
T  F  6. To control replication, you configure the properties of site link objects.
T  F  7. When possible, you should ensure that each site in the forest contains a DC that contains the GC role.
T  F  8. You can configure Group Policy using the Active Directory Domains and Trusts console.
T  F  9. The Domain Naming Master FSMO role should be on a DC that contains the GC.
T  F  10. A single AD domain can contain an unlimited number of objects.

Review Questions
1. Explain why it is important to create sites after deploying your first domain in the forest.

   To control replication within an organization, AD uses site and site link objects. Exchange Server 2007 uses AD sites to control the flow of internal email within an organization. Site and subnet objects are used to represent different locations within an AD forest.

2. Why will understanding the function and location of your FSMO roles help you troubleshoot AD problems?

   FSMO roles provide special functions in an AD forest and domain. Each forest contains a Schema Master FSMO that may be configured using the Active Directory Schema MMC snap-in, as well as a Domain Naming Master FSMO that may be configured using the Active Directory Domains and Trusts console. Similarly, each domain contains a PDC Emulator, RID Master, and Infrastructure Master FSMO that may be configured using the Active Directory Users and Computers console.

3. Give some reasons why each AD site should contain a DC that hosts the GC.

   By default, the GC is hosted on the first DC in the forest. Because forests can grow very large, a list of all object names in the forest is stored on the global catalog (GC), located on at least one DC, to aid in locating objects in the AD.

4. Explain why AD domains are a security and replication boundary.

   To allow users in a domain (the source domain) to access resources that they have permission to in another domain (the target domain), the target domain must trust the source domain. Trust relationships do not give permissions to resources. Each domain in a forest maintains its own security, administrator user accounts, and resources. Each DC in a domain will contain a copy of the AD database. Information is replicated between DCs in a domain and forest when new information is added to the AD database or existing information is modified or removed. To control replication within an organization, AD uses site and site link objects.
