Exam (elaborations)

AZ-800 QUESTIONS AND ANSWERS SOLUTION GRADE A+ GUARANTEED

Pages: 20
Grade: A+
Uploaded on: 27-04-2024
Written in: 2023/2024

Guarded Fabric
in Hyper-V is a security solution that protects VMs against unwarranted inspection, theft, and tampering from either malware or malicious system administrators.

Domain controller
A domain controller contains a copy of the AD DS database. For most operations, each domain controller can process changes and replicate the changes to all the other domain controllers in the domain.

Data store
A copy of the data store exists on each domain controller. The AD DS database uses Microsoft Jet database technology and stores the directory information in the Ntds.dit file and associated log files. The C:\Windows\NTDS folder stores these files by default.

Global catalog server
A global catalog server is a domain controller that hosts the global catalog, which is a partial, read-only copy of all the objects in a multiple-domain forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.

Read-only domain controller (RODC)
An RODC is a special, read-only installation of AD DS. RODCs are common in branch offices where physical security is not optimal, IT support is less advanced than in the main corporate centers, or line-of-business applications need to run on a domain controller.

Site
A site is a container for AD DS objects, such as computers and services that are specific to a physical location. This is in comparison to a domain, which represents the logical structure of objects, such as users and groups, in addition to computers.

Subnet
A subnet is a portion of the network IP addresses of an organization assigned to computers in a site. A site can have more than one subnet.

AD DS forest
A forest is a top-level container in AD DS. Each forest is a collection of one or more domain trees that share a common directory schema and a global catalog.

Parent and child Trust Relationship
When you add a new AD DS domain to an existing AD DS tree, you create new parent and child trusts.

Tree-root Trust Relationship
When you create a new AD DS tree in an existing AD DS forest, you automatically create a new tree-root trust.

External Trust Relationship
External trusts enable resource access with a Windows NT 4.0 domain or an AD DS domain in another forest. You also can set these up to provide a framework for a migration.

Realm Trust Relationship
Realm trusts establish an authentication path between a Windows Server AD DS domain and a Kerberos version 5 (v5) protocol realm that implements by using a directory service other than AD DS.

Forest (complete or selective) Trust Relationship
Trusts between AD DS forests allow two forests to share resources.

Shortcut Trust Relationship
Configure shortcut trusts to reduce the time taken to authenticate between AD DS domains that are in different parts of an AD DS forest. No shortcut trusts exist by default, and an administrator must create them if they are required.

Windows Admin Center
Windows Admin Center is a web-based console that you can use to manage server computers and computers that are running Windows 10. Typically, you use Windows Admin Center to manage servers instead of using Remote Server Administration Tools (RSAT).

Are you installing a new forest, a new tree, or an additional domain controller for an existing domain?
Answering this question determines what additional information you might need, such as the parent domain name.

What is the Domain Name System (DNS) name for the AD DS domain?
When you create the first domain controller for a domain, you must specify the fully qualified domain name (FQDN). When you add a domain controller to an existing domain or forest, you use the existing domain name.

Which level will you choose for the forest functional level?
The forest functional level determines the available forest features and the supported domain controller operating system (OS). This also sets the minimum domain functional level for the domains in the forest.

Which level will you choose for the domain functional level?
The domain functional level determines the domain features that will be available and the supported domain controller operating systems.

Will the domain controller be a DNS server?
You can install the DNS role as part of the domain controller deployment.

Will the domain controller host the global catalog?
This option is selected by default.

Will the domain controller be a read-only domain controller (RODC)?
This option is not available for the first domain controller in a forest.

What will be the Directory Services Restore Mode (DSRM) password?
This is necessary for restoring AD DS database objects from a backup.

What is the NetBIOS name for the AD DS domain?
When you create the first domain controller for a domain, you must specify the NetBIOS name for the domain.

Where will the database, log files and SYSVOL folders be created?
By default, the database and log files folder is located at C:\Windows\NTDS. By default, the SYSVOL folder is located at C:\Windows\SYSVOL.

Install a domain controller on a Server Core installation of Windows Server
A Windows Server computer that is running a Server Core installation doesn't have the Server Manager graphical user interface (GUI). You can use Windows Admin Center, Server Manager, Windows PowerShell, or Remote Server Administration Tools (RSAT) installed on any supported version of Windows Server that has the Desktop Experience feature, or any supported Windows client such as Windows 10.

Install a domain controller from media
You can create an AD DS backup (perhaps to a USB drive) and take this backup to the remote location. When you're at the remote location and run Server Manager to install AD DS, you can select the Install from media option. Most of the copying occurs locally. In this scenario, the WAN link transfers only security-related traffic and AD DS changes following the backup. The WAN link also helps ensure that the new domain controller receives any changes made to the central AD DS after you created the Install from media backup.

Nonauthoritative restore
This type of restore is useful when the directory on a domain controller has been damaged or corrupted, but the problem has not spread to other domain controllers. This will not enable you to recover an object you deleted after the backup took place, if that deletion has replicated to other domain controllers. If you restore a known good version of AD DS and restart the domain controller, the deletion that happened after the backup took place will simply replicate back to the domain controller.

Authoritative restore
An authoritative restore allows you to restore a known good copy of AD DS objects, which replaces the current version of these objects in the AD DS database.

RID master
To ensure that no two domain controllers assign the same SID to two different objects, the RID master allocates blocks of RIDs to each domain controller within the domain to use when building SIDs.

Infrastructure master
This role maintains interdomain object references, such as when a group in one domain has a member from another domain. In a multiple-domain forest, the infrastructure master updates references to SIDs from other domains with the corresponding security principal names.

PDC emulator master
The domain controller that is the PDC emulator master serves as the time source for the domain.

What is a schema?
An AD DS schema is the component that defines all the object classes and attributes that AD DS uses to store data. All domains in a forest contain a copy of the schema that applies to that forest.

What is Group Policy?
Group Policy is a framework in Windows operating systems with components that reside in AD DS, on domain controllers, and on each Windows Server and client.

What are GPOs?
A GPO is an object that contains one or more policy settings that apply to one or more configuration settings for a user or a computer.

Which tool can you use to trigger an AD DS schema update?
ADSI.MSC

What are starter GPOs?
You can use a Starter GPO as a template from which to create other GPOs within the Group Policy Management Console. You might use a Starter GPO to provide a starting point to create new GPOs in your domain.

What is Block Inheritance?
You can configure a domain or OU to prevent the inheritance of policy settings. To block inheritance, right-click or access the context menu for the domain or OU in the GPMC console tree, and then select Block Inheritance.

What is Default Domain Policy?
This GPO doesn't have any WMI filters. Therefore, it affects all users and computers in the domain. This GPO contains policy settings that specify password, account lockout, and Kerberos version 5 authentication protocol policies.

What is Default Domain Controllers Policy?
Links to the OU of the domain controllers. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers or other computer objects that are in the Domain Controllers OU.

How does Group Policy container replicate?
The Group Policy container in AD DS replicates by using the Directory Replication Agent (DRA). The DRA uses a topology that the Knowledge Consistency Checker generates, which you can define or refine manually. The result is that the Group Policy container replicates within seconds to all domain controllers in a site and replicates between sites based on your intersite replication configuration.

How does Group Policy Template replicate?
The Group Policy template in the SYSVOL replicates by using the Distributed File System Replication (DFS-R).

What are .admx files?
All the settings in the Administrative Templates node of a GPO are stored in files. All currently supported operating systems store the settings in .admx files. These settings use a standards-based XML file format known as .admx files. By default, Windows stores .admx files in the Windows\PolicyDefinitions folder, but you can store them in a central location.

What are .adml files?
The PolicyDefinitions folder stores .adml files in subfolders. Each language has its own folder. For example, the en-US folder stores the English files, and the es-ES folder stores the Spanish files. By default, only the .adml language files for the language of the installed operating system are present.

What is the Central Store?
In domain-based enterprises, you can create a Central Store location for .admx files, which anyone with permissions to create or edit GPOs can access.

How do you create a Central Store?
To create a Central Store for .admx and .adml files, create a folder and name it PolicyDefinitions in the \\FQDN\SYSVOL\FQDN\Policies location, where FQDN is the domain name for your AD DS domain. EX: Seattle.CSYSVOLSeattle.Cpolicies

What is forest-wide authentication?
Enables all users in the trusted forest to authenticate for services and access on all computers in the trusting forest. Therefore, it is possible for resource administrators in the trusting forest to grant users from the trusted forest permissions to resources in the local forest.

What is selective authentication?
CONTINUED.....


Seller: munyuabeatrice92