Server-side targeting - Easy for small numbers of clients, doesn't require that clients can process group policy (i.e. aren't domain members, typically). Administratively burdensome for large numbers of clients or for clients that change roles and need to have their client group membership dynamically updated. For non-domain-joined clients this is the easiest way to get them into client groups.

Client-side targeting - Requires that clients either be able to process Group Policy (i.e. a member of a domain) or have the settings set in their Local Group Policy or registry (and why you'd do either of those last two things is quite beyond me, as well). Works well if you plan on having client group membership change based on moving the AD object that represents the client between OUs (move from "Staging" to "Production" OUs for new system deployments and want client group membership to change automatically).

I use both at different Customer sites. I find server-side targeting more flexible insofar as making "quick changes" (because I don't have to mess w/ Group Policy and I can see the results of my changes reflected immediately), but client-side handier when I need to the client group membership to reflect some "role" that's implied by the client's location in AD.

服务器端目标设置，比较适用于客户端计算机较少的环境，此种设置不需要客户端计算机处理组策略（如：客户端不是一个域成员)。但是这会经常更改客户端角色，并且需要改变客户端计算机组成员关系的情况，会增加管理的麻烦。对于非域客户端，这是加入windows 更新组的最简单便捷的方式。

客户端目标设置，需要客户端能处理组策略，或者在本地组策略、注册表中进行设置。对于需要经常更改角色的客户端比较适合。例如：在WSUS组中创建了更新组sales_wsus，那么可以在链接到sales OU的组策略中，设置Client-side targeting，使得被加入到sales OU中的计算机，自动成为更新服务器组sales_wsus更新组的成员。实现windows 更新服务器为每一个不同的OU，分发各自不同的windows 补丁的功能。

---------------------------------------------------------------------------------------------------------------------------------------------------------------

msDS-DeletedObjectLifetime

对象删除时间

tombstonelifetime

墓碑生存时间

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Run logon scripts synchronously组策略项可以用来配置，在windows 桌面出现前，确保powershell 脚本运行完成。

---------------------------------------------------------------------------------------------------------------------------------------------------------------

域控制器克隆，域中PDC主机必须是windows server 2012

---------------------------------------------------------------------------------------------------------------------------------------------------------------

在性能计数器中

processor(_total)\% interrupt time 一般不能超过50%，若数值过大可能有硬件故障。但也有例外，如一些较早期的磁盘控制器和有大量用户访问的IIS服务器。

性能计数器中各参数的值的意义

http://technet.microsoft.com/en-us/library/cc768048.aspx

---------------------------------------------------------------------------------------------------------------------------------------------------------------

基础结构主机的作用：

1、负责更新用户账户与组的关系，甚至不用域中用户账户与组的关系。

2、当组中用户账户未能显示名称，而只是显示SID时，也是基础结构主机出现了问题。

---------------------------------------------------------------------------------------------------------------------------------------------------------------

对共享文件夹做审核，只需要在域组策略中开启两处设置就可以实现了（见截图），不需要在文件安全选项中开启SACL：

---------------------------------------------------------------------------------------------------------------------------------------------------------------QUESTION 123

Your network contains an Active Directory domain named contoso.com. The domain contains a servernamed Server1. Server1 has the DHCP Server server role and the Network Policy Server role service installed. Server1 contains three non-overlapping scopes named Scope1, Scope2, and Scope3. Server1 currently provides the same Network Access Protection (NAP) settings to the three scopes. You modify the settings of Scope1 as shown in the exhibit. (Click the Exhibit button.)You need to configure Server1 to provide unique NAP enforcement settings to the NAP non- compliantDHCP clients from Scope1

What should you create?

A.A network policy that has the MS-Service Class condition

B.A network policy that has the Identity Type condition

C.A connection request policy that has the Identity Type condition

D.A connection request policy that has the Service Type condition

Correct Answer: A

释义：

server1有三个不重叠的作用域。server1对这三个作用域提供了相同的设置，现在修改了Scope1的设置。你需要配置Server1对不兼容NAP的客户端，强制实施NAP设置。你应该在server1创建什么配置？

答案：配置MS-Service类条件。

---------------------------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 21

Your network contains an Active Directory domain named contoso.com. All domain controllers run WindowsServer 2012. You have a Group Policy object (GPO) named GPO1 that contains hundreds of settings. GPO1 is linked toan organizational unit (OU) named OU1. OU1 contains 200 client computers. You plan to unlink GPO1 from OU1. You need to identify which GPO settings will be removed from the computers after GPO1 is unlinked fromOU1.

Which two GPO settings should you identify? (Each correct answer presents part of the solution. Choosetwo.)

A.The managed Administrative Template settings

B.The unmanaged Administrative Template settings

C.The System Services security settings

D.The Event Log security settings

E.The Restricted Groups security settings

Correct Answer: AD

释义:当OU断开GPO时，怎样确定哪些GPO中的设置将被移除。“非管理的组策略项”，指那些无论组策略存在与否，其在注册表中的值，都不会变化。所以说该题需要看哪些在移除GPO时，哪些设置值会变化，就应该查看“被管理的项“

---------------------------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 43

Server1 as a DNS server hosts a Primary zone,Server2 is the secondary zone contoso.com domain, youneed to determine how long Server2 Server1 to renew regional, how to configure

A.Refresh interval

B.Restart DNS

C.Forwarders

D.Stub zone

Correct Answer: A

Explanation/Reference:Refresh interval. Used to determine how often other DNS servers that load and host the zone mustattempt to renew the zone.

释疑：

刷新间隔：此参数定义了辅助DNS服务器查询主服务器以进行区域更新前等待的时间。

当刷新时间到期时，辅助DNS服务器从主服务器上获取主DNS区域的SOA 记录，然后

和本地辅助DNS 区域的SOA记录相比较，如果值不相同则进行区域传输。默认情况下，

刷新间隔为15 分钟。

重试间隔：此参数定义了当区域复制失败时，辅助DNS服务器进行重试前需要等待的

时间间隔，默认情况下为10分钟。

过期时间：此参数定义了当辅助DNS服务器无法联系主服务器时，还可以使用此辅助

DNS区域答复DNS客户端请求的时间，当到达此时间限制时，辅助DNS服务器会认为此

辅助DNS区域不可信。默认情况下为1 天。

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 12

Your network contains an Active Directory domain named contoso.com. The domain contains more than100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. The domain contains a top-level organizational unit (OU) for eachdepartment. A group named Group1 contains members from each department. You have a GPO named GPO1 that islinked to the domain.You need to configure GPO1 to apply settings to Group1 only.

What should you use?

A.dcgpofix

B.Get-GPOReport

C.Gpfixup

D.Gpresult

E.Gptedit.msc

F.Import-GPO

G.Restore-GPO

H.Set-GPInheritance

I.Set-GPLink

J.Set-GPPermission

K.Gpupdate

L.Add-ADGroupMember

dcgpofix

Exhibit:

Get-GPOReport

Correct Answer: J

翻译：contoso.com域中包含100个组策略对象，且没有强制应用的组策略。在域中为每个部门创建了顶层的OU。Group1包含了所有部门的成员。你及那个一个GPO1对象链接到了这个域。

你需要配置让GPO1的设置仅仅应用到Group1，你应该怎么做？

释疑：配置组策略对象的安全筛选。用powershell命令，即为Set-gPPermission