book flashcards

1
Q

to which container should you set the base DN in the search box of the ldp.exe tool when performing tombstone reanimation of a user in test.com?

A

CN=Deleted Objects,DC=test,DC=com

2
Q

what should you run from the command line to register the SPN ‘http/srv55.nutex.com’ for a Win2012R2 server named srv55?

A

> setspn -S http/srv55.nutex.com srv55

3
Q

what service uses port 389?

A

LDAP

4
Q

what GUI tool will allow you to enable the Active Directory recycle bin?

A

ADAC

5
Q

when do you choose to import an object that has been exported from an Active Directory snapshot instead of retrieving an object from the Active Directory Recycle Bin?

A

when you want to reset the values of an object's attributes to a previous value

6
Q

what parameter of the Install-ADDSDomainController cmdlet is used to install and configure DNS on the DC?

A

-InstallDns

7
Q

which parameter of the Move-ADDirectoryServerOperationMasterRole cmdlet will allow you to seize a master operations role?

A

-Force

8
Q

what setspn.exe command will list all SPNs of services on the web server?

A

> setspn -L

9
Q

what parameter of the Install-ADDSDomainController cmdlet is used to prevent the replication of certain passwords to the DC?

A

-DenyPasswordReplicationAccountName

10
Q

which type of account in W2008R2 and above is a ‘managed local account’ that provides the ability to access the network with a computer identity in a domain environment, with no password management required?

A

virtual account

11
Q

what additional step is required to view deleted objects after setting the base DN in the search box of the ldp.exe tool when performing a tombstone reanimation of a user account?

A

use the ‘return deleted objects’ control to view deleted objects.

12
Q

to use Kerberos authentication with SQL Server, which two conditions are required?

A
  • the client and server computers must be part of the same Windows domain, or in trusted domains.
  • service principal names (SPNs) must be registered with AD
13
Q

what are the four image types used in WDS?

A
  • boot images
  • install images
  • capture images
  • discover images
14
Q

what are the prerequisites to install a WDS server in an Active Directory network?

A
  • AD DS server
  • DHCP
  • DNS
  • NTFS share
  • WDS server needs GUI
  • WDS can be installed on a member server
15
Q

what are the three steps to create a Managed Service Account (requires a 2008 R2 domain)?

A

on server

  1. > New-ADServiceAccount -Name -RestrictToSingleComputer -Enabled $True
  2. > Add-ADComputerServiceAccount -Identity -ServiceAccount

on target

  3. > Install-ADServiceAccount -Identity

16
Q

What are the prerequisites for an Active Directory MSA to work on a client computer?

A
  • Active Directory PowerShell module
  • .NET Framework 3.5

17
Q

after what time period do managed service accounts renew their passwords automatically?

A

30 Days

18
Q

what tool is the only tool that can be used to create WSUS groups?

A

wsus.exe

19
Q

what are the steps to update an offline image or VHD(X) with DISM (with security updates, hotfixes, and drivers)?

A
  • set the image to read-write (attrib -r)
  • mount the image on an empty mount point
  • extract the contents of the update (WinRAR, etc.)
  • inject the .cab files into the mounted image (Add-WindowsPackage)
  • commit changes and unmount
    > Save-WindowsImage
    > Dismount-WindowsImage
20
Q

in configuring WSUS, what does client-side targeting mean?

A

to use GPOs to assign computers to WSUS groups

(used in larger organisations)

21
Q

DNS

which zone type can NOT be stored in Active Directory?

A

secondary zones

[security implications]

22
Q

PS

what cmdlet is used to create a new conditional forwarder for test.com?

A

> Add-DnsServerConditionalForwarderZone -Name -MasterServers -ForwarderTimeout -ReplicationScope

23
Q

PS,DNS

which cmdlet is used to create a new stub zone?

A

> Add-DnsServerStubZone -Name -MasterServers -ReplicationScope

24
Q

PS,DNS

which cmdlet is used to create a new secondary zone?

A

> Add-DnsServerSecondaryZone -Name -ZoneFile -MasterServers

25
DNS | can a secondary DNS server be a master server in DNS?
yes
26
PS,DNS | which cmdlet can be used to create a primary zone?
> Add-DnsServerPrimaryZone -Name -ReplicationScope -DynamicUpdate 'Secure' (Active Directory integrated) | > Add-DnsServerPrimaryZone -Name -ZoneFile -DynamicUpdate 'None' (file based)
27
DNS | why can the two parameters -ReplicationScope and -ZoneFile not be used at the same time when creating a new DNS zone?
one fits file-based zones, the other Active Directory integrated zones
28
DNS | is it possible to change the zone type (or conditional forwarder type) from file-based to Active Directory integrated, or vice versa, with PowerShell?
no
29
DNS | what tool do you use to change the type of a zone from Active Directory integrated to file-based or vice versa?
use the DNS management console
30
DNS | what are the four possible settings for zone transfers in DNS management?
  • NoTransfer
  • TransferAnyServer
  • TransferToZoneNameServer
  • TransferToSecureServers
31
DNS | what are the three possible notification settings for DNS zone changes?
  • NoNotify
  • Notify
  • NotifyServers
32
DNS | what is the possible alternative in Active Directory integrated DNS to file-based secondary servers?
stub zones and conditional forwarders
33
DNS | what are conditional forwarders used for?
conditional forwarders provide a means to control which DNS server a DNS query is forwarded to for specific zones.
34
DNS | what is zone delegation used for?
use DNS zone delegation to delegate the administration of a portion of your DNS namespace.
35
DNS | what is the default zone transfer setting?
zone transfers are disallowed unless explicitly allowed.
36
DNS | which DNS resource record type can NOT be created with PowerShell?
SOA (Start Of Authority) record | the SOA carries the serial (version) number of the DNS zone
37
DNS | if DNS has two MX entries for a domain with different priority settings, which server is receiving the SMTP traffic?
lowest value
38
what tool is used to perform a tombstone reanimation?
> ldp.exe
39
what tools can you use to view the contents of a mounted Active Directory snapshot?
  • ADUC (dsa.msc)
  • ADSIEdit.msc
  • LDP.exe
40
which cmdlet do you use to copy images between groups in WDS?
> Export-WdsInstallImage | > Import-WdsInstallImage
41
which cmdlet do you use to copy images inside a WDS group?
> Copy-WdsInstallImage
42
how do you enable client-side targeting in WSUS?
by selecting Computers in the Options section of the Update Services console and selecting "Use Group Policy or registry settings on computers"
43
what is the minimum size of the local updates volume for WSUS?
6GB
44
what form of credential does the -Credential parameter expect?
a PSCredential object, not a string "domain\user"
45
what cmdlet do you use to open an elevated PowerShell?
> Start-Process PowerShell.exe -Verb RunAs
46
to install WDS via PowerShell including the tools, type:
> Install-WindowsFeature -Name WDS -Cn -IncludeManagementTools
47
before capturing an image from a template installation, what do you need to do?
> %windir%\system32\sysprep\sysprep.exe /oobe /generalize /reboot
48
can you remove a driver package from an image in WDS?
no
49
can you use PowerShell to create or manage the properties of driver groups in WDS?
no
50
what are the steps to install or remove features in offline images?
  • set the image to read-write with: attrib -r
  • mount the image on an empty mount point
  • modify the image: > Enable-WindowsOptionalFeature / > Disable-WindowsOptionalFeature
  • commit changes and unmount: > Save-WindowsImage > Dismount-WindowsImage
51
DA | what cmdlet do you use to install the DirectAccess role on a server?
> Install-WindowsFeature -Name RemoteAccess -IncludeAllSubFeature -IncludeManagementTools
52
WDS | what can you do to maintain functionality in established boot images to support hardware compatibility?
inject vendor-specific drivers into boot images. cmdlets: > Import-WdsDriverPackage > Add-WdsDriverPackage
53
WDS | what is the prerequisite to install the WDS role on a 2012 R2 server?
WDS is only supported on a full GUI installation.
54
WDS | which cmdlet is used to install the WDS role?
> Install-WindowsFeature -Name WDS -IncludeManagementTools
55
WDS | what is the initial configuration after installing the WDS role on a server?
set the location of the WDS image store. | NTFS, not on C:!
56
WDS | what are capture images used for?
capture images are custom install images from a template computer.
57
WDS | what are discover images?
discover images are used to deploy by using physical media rather than PXE boot.
58
WDS | what are the two cmdlets to update images?
after mounting the offline image read-write on the local file system: > Add-WindowsPackage or > Enable-WindowsOptionalFeature. Don't forget to commit changes and unmount the image.
59
WDS | what is the only tool to create WDS driver groups?
WDS console
60
WDS | what are two basic network requirements for WDS?
  • active DHCP server
  • working and reachable DNS server
61
WDS | what cmdlet is used to update an offline boot image file with a new driver?
> Add-WdsDriverPackage
62
RA VPN | which ports are used for the PPTP VPN Protocol?
TCP 1723 | GRE 47
63
RA VPN | which ports are used for the L2TP VPN Protocol?
UDP 500 | UDP 4500 | UDP 1701 | ESP 50
64
RA VPN | which ports are used for the SSTP VPN Protocol?
TCP 443
65
RA VPN | which ports are used for the IKEv2 VPN Protocol?
UDP 500 | UDP 4500 | UDP 1701 | ESP 50
66
IPv6 | what is a global IPv6 prefix?
2000::/3
67
IPv6 | what is a link local IPv6 prefix?
FE80::/10
68
IPv6 | what is a multicast IPv6 prefix?
FF00::/8
69
IPv6 | what is a unique local IPv6 prefix?
FC00::/7
70
IPv6 | what is the loopback IPv6 address?
::1
71
what can be configured with the Routing and Remote Access console?
  • routing
  • NAT
  • dial-up remote access
  • VPN remote access
72
VPN | which module in PS provides cmdlets for VPN server support?
RemoteAccess module
73
VPN | which are the four parts that make up the Remote Access role?
  • routing
  • VPN
  • DirectAccess
  • Web Application Proxy
74
you need to configure VPN to only support clients using the SSTP protocol. What changes do you need to make to the default VPN config in W2012R2?
Clear remote access connections for the WAN Miniport (PPTP), WAN Miniport (IKEv2), and WAN Miniport (L2TP).
75
you use DirectAccess for all Windows 8 and later remote clients, but you use VPN to support Windows 7 clients. you need to configure VPN to use IP addresses controlled by the remote access server. what settings do you need to make? (2)
  • in the DHCP management console, create a DHCP exclusion for the IP addresses assigned to VPN clients.
  • in the Remote Access Management console, select "assign addresses from a static address pool"
76
name three benefits of DirectAccess compared with VPNs.
  • always-on (no need to initiate a connection)
  • seamless (transparently connected if online)
  • security (managed connection + IPsec)
77
which VPN protocols are supported in W2012 R2?
PPTP | L2TP | IKEv2 | SSTP
78
what command do you use to !only! install VPN and NAT and their management tools?
> Add-WindowsFeature DirectAccess-VPN,Routing -IncludeManagementTools
82
what is the default setting in the Remote Access quick start wizard to allow connections via DirectAccess?
mobile computers only
83
RADIUS | which settings can each be configured in separate templates?
  • shared secret
  • RADIUS clients
  • remote RADIUS servers
  • IP filters
  • health policies
  • remediation server groups
84
what are the four possible settings for RADIUS logging?
  • SQL logging only
  • text logging only
  • parallel logging
  • SQL logging with backup
85
what are the possible settings that can be simplified by RADIUS templates?
  • shared secrets
  • RADIUS clients
  • remote RADIUS servers
  • IP filters
  • health policies
  • remediation server groups
86
with a multiple RADIUS server infrastructure, you have three servers all with priority 1. server1 has weight 10, server2 has weight 15 and server3 has weight 25. how are the next 100 messages processed?
server1 = 20 | server2 = 30 | server3 = 50
87
in NPS, which server is prioritized higher? | server1 with priority 1 or server2 with priority 50?
the lower the number the higher the priority. | server1
88
in NPS what ports are used for authentication and accounting?
1812 = authentication | 1813 = accounting
89
in NPS (RADIUS), if you have two servers, server1 with priority 1 and server2 with priority 2, how many messages does server2 receive if 100 messages are sent by clients?
zero. | server2 is only accessed if server1 is unavailable.
90
NPS / RADIUS certificates | in which policy do you set up the configuration for auto-enrollment of clients and servers for certificate-based authentication? what path is used for the policy setting?
Default Domain Policy | Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies
91
NPS / RADIUS certificates | which purpose of a certificate does not work with client and server authentication?
the purpose "All" does not work with authentication.
92
NPS templates | what does the abbreviation SHV stand for?
system health validator
93
NPS templates | what are the options for client SHV checks (7)?
  • client passes all SHV checks
  • client fails all SHV checks
  • client passes one or more SHV checks
  • client fails one or more SHV checks
  • client reported as transitional by one or more SHVs
  • client reported as infected by one or more SHVs
  • client reported as unknown by one or more SHVs
94
what two options can be configured on an NPS?
RADIUS server | RADIUS proxy
95
for which scenarios can RADIUS be used?
VPN authentication and authorization | Dial-in authentication and authorization
96
what does RADIUS client mean?
network access servers | other RADIUS servers
97
when installing NPS as a RADIUS proxy, which NPS role services are required in Win2012R2?
NPS
98
what does it mean when an NPS is configured as a RADIUS proxy?
the server acts as a RADIUS client, forwarding connection requests to a RADIUS server group for authentication and authorization.
99
certificates with which purposes can be used for mutual authentication of NPS and client computers?
server authentication certs | client authentication certs
100
which three kinds of policies are supported by NPS?
connection request policies | network policies | health policies
101
NPS | in older versions of Windows Server, NPS policies were imported and exported. what technologies are used instead in Win2012R2?
import and export templates | import and export NPS entire configuration
102
NPS | which two policies control which clients are allowed to connect to the network?
client request policy and network policy
103
NPS | what is the purpose of the connection request policy?
it handles the initial request by a client to connect and passes it to an appropriate network policy. connection request policies define which connections are processed on the NPS server and which are processed on remote RADIUS servers.
104
NPS | what does a network policy do?
it determines how a client is authenticated and whether it is authorized to connect.
105
NPS | how can you manage NPS templates?
export the templates to XML files. | import templates from a server or from a file.
106
NPS configuration | what is the most important concern when exporting the NPS configuration to a file?
the exported file includes policies, templates, clients, RADIUS server information and shared secrets. this is sensitive information that should be handled with security concerns in mind. if accounting is set up to a SQL DB, this info is not included in the exported file and has to be added manually after import.
107
NPS export | what is the cmdlet to export the NPS configuration?
> Export-NpsConfiguration -Path "... path\filename.xml"
108
NPS export | can you use netsh to export the NPS configuration?
yes. | > netsh nps export filename=path\filename.xml exportpsk=yes
109
NPS | what does the term 2FA mean?
two-factor authentication
110
NPS export | how can you mitigate the security implications when exporting an NPS configuration file?
store the file in an encrypted location, or on an encrypted USB device.
111
NPS | what is it that controls whether an NPS acts as a RADIUS server or a RADIUS proxy?
the connection request policy
112
NPS | which condition sets the allowed protocols for a RADIUS connection?
the tunnel type condition
113
NPS | can you set a condition for connection request policies for user names?
yes
114
NPS | can you set a condition for connection request policies for user groups?
no
115
NPS | can you set a condition for connection request policies for NAS port types?
yes
116
NPS | can you set a condition for connection request policies for MS service classes?
no
117
NAP DHCP | why is NAP enforcement using DHCP not a secure enforcement method?
a knowledgeable user can assign a fixed IP address and bypass the restriction.
118
NAP DHCP | what are the prerequisites for using NAP enforcement with DHCP?
either the NPS is the DHCP server | or the DHCP server has the NPS role installed as a RADIUS proxy
119
NAP | what are the four possible options for a NAP enforcement policy?
  • non-enforcement (monitoring)
  • limited enforcement (limited access)
  • full enforcement (blocking)
  • full enforcement with remediation (access to remediation servers)
120
NAP | in the network policy for remediation of noncompliant clients, should the clients be granted access or not?
yes - to enable access to remediation servers
121
NAP | to implement NAP on your network, what steps do you need to take?
  • enable NAP on RADIUS servers
  • implement a health policy that requires client computers to have the firewall turned on, have all current updates, and be free of infection
  • implement remediation servers
122
how often do you have to create a KDS root key if you want to use gMSAs?
once for each domain
123
how long does it take to create a KDS root key with the cmdlet Add-KdsRootKey -EffectiveImmediately?
10 hours
124
what is the prerequisite to use gMSAs?
the creation of the KDS root key
125
what are the steps to remove an MSA from a computer?
  • > Uninstall-ADServiceAccount on the local computer
  • > Remove-ADComputerServiceAccount to unassign the account from the computer
  • if you do not want to reuse the account: > Remove-ADServiceAccount
126
what are the prerequisites on a client computer to use MSAs?
Win 7, Active Directory PS module, .NET Framework 3.5 or later
127
what are the cmdlets to create a managed service account?
on server:
  • > New-ADServiceAccount -Name -RestrictToSingleComputer -Enabled $true
  • > Add-ADComputerServiceAccount -Identity -ServiceAccount
on local computer:
  • > Install-ADServiceAccount -Identity
128
when were MSAs introduced?
Win Srv 2008 R2
129
when were gMSAs introduced?
Win Srv 2012 R2
130
what tool or command do you use to create an MSA?
> New-ADServiceAccount | with the -standalone parameter
131
what command should you use to add a gMSA on a computer?
> Install-ADServiceAccount
132
you want to use a virtual account for testService on computer server1. what commands or tools would you use?
> services.msc
133
what are the FSMO operations master roles and which are forest or domain wide roles?
once per forest:
  • schema master
  • domain naming master
once per domain:
  • RID master
  • PDC emulator
  • infrastructure master
134
who has rights to seize or transfer the schema master role?
Schema Admins group
135
who has the rights to transfer or seize the domain naming master?
the Enterprise Admins group
136
who has the rights to seize or transfer the RID master, PDC emulator, or infrastructure master role?
Domain Admins group