book flashcards

Question 1

to what container should you set the base DN to in the search box of ldp.exe tool when performing tombstone reanimation of a user in test.com?

Answer 1

CN=Deleted Objects,DC=test,DC=com

Question 2

what should you run from the command line to register SPN ‘http/srv55.nutex.com’ for a win2012R2 server named srv55?

Answer 2

> setspn -S http/srv55.nutex.com srv55

Question 3

what service uses port 389?

Answer 3

LDAP

Question 4

what GUI tool will allow you to enable the Active Directory recycle bin?

Answer 4

ADAC

Question 5

when do you choose to import an object that has been exported from an Active Directory snapshot instead of retreiving an object form the Active Directory Recycle Bin?

Answer 5

when you want to reset the values of an objects attributes to a previous value

Question 6

what parameter of the install-ADDSDomainController cmdlet is used to install and configure DNS on the DC?

Answer 6

-installDNS

Question 7

which parameter of the Move-ADDirectoryServerOperationMasterRole cmdlet will allow you to seize a master operations role?

Answer 7

-force

Question 8

what setspn.exe command will list all SPN’s of services on the web server?

Answer 8

> setspn -l

Question 9

what parameter of the install-ADDSDomainController cmdlet is used to prevent the replication of certain passwords to the DC

Answer 9

-DenyPasswordReplicationAccountName

Question 10

which type of account in w2008R2 and above is a ‘managed local account’ that provides the ability to access the network with a computer identity in a domain environment with no password management required?

Answer 10

virtual account

Question 11

what additional step is required to view deleted objects after setting the base DN to in the search box of ldp.exe tool when performing a tombstone reanimation of a user account?

Answer 11

use the ‘return deleted objects’ control to view deleted objects.

Question 12

to use kerberos authentication with SQL server, which two conditions are required?

Answer 12

• the client and server computers must be part of the same windows domain, or in trusted domains.
• ServicePrincipalNames (SPN) must be registered with AD

Question 13

what are the four image types used in WDS?

Answer 13

• boot images
• install images
• capture images
• discover images

Question 14

what are the prerequisites to install a WDS server in an Active Directory network?

Answer 14

• ADDS Server
• DHCP
• DNS
• NTFS Share
• WDS Server needs GUI
• WDS can be installed on member server

Question 15

what are the three steps to create a Managed Service Account on Domains required 2008 R2?

Answer 15

on server

1. > New-ADServiceAccount -Name -RestrictToSingleComputer -enabled $True
2. > Add-ADComputerServiceAccount -Identity -serviceAccount

on target
3. > Install-ADServiceAccount -Identity

Question 16

What are the prerequisites for Active Directory MSA to work on a clint computer?

Answer 16

• Active Directory Powershell Module

- .Net 3.5 Framework

Question 17

what is the time period, in that managed service account renew their passowrds automaticaly?

Answer 17

30 Days

Question 18

what tool is the only tool that can be used to create WSUS groups?

Answer 18

wsus.exe

Question 19

what are the steps to update an offline image or vhd(x) with dism? with
security updates
hotfixes
drivers

Answer 19

• set image to read-write (attrib -r)
• mount the image on empty mount point
• extract contents of update (winrar, etc)
• inject .cab files into mounted image (add-windowsPackage)
• commit changes and unmoute
  > Save-WindowsImage
  > Dismount-WindowsImage

Question 20

in configuring WSUS, what does client side targeting mean?

Answer 20

to use GPOs to assign computers to WSUS groups

(used in lager organisations)

Question 21

DNS

which zone type can NOT be stored in Active Directory?

Answer 21

secondary zones

[secutity implications]

Question 22

PS

what cmdlet is used to create a new conditional forwarder fot test.com

Answer 22

> Add-DnsServerConditionalZone -Name -masterServers -forwardertimeout -replicationscope

Question 23

PS,DNS

which cmdlet is used to create an new stub zone ?

Answer 23

> Add-DnsServerStubZone -name -masterServers -replicationScope

Question 24

PS,DNS

wich cmdlet is used to create a new secondary zone?

Answer 24

> Add-DnsServerSecondaryZone -name -zonefile -masterServers

Question 25

DNS

can secondary DNSserver be a master server in DNS?

Answer 25

yes

Question 26

PS,DNS

which cmdlet can be used to create a primary zone?

Answer 26

> Add-DnsServerPrimaryZone -name -replicationscope -dynamicupdate ‘secure’
(Active Directory integrated)
or
Add-DnsServerPrimaryZone -name -zonefile -dynamicupdate ‘none’
(file based)

Question 27

DNS

why can the two parameters -ReplicationScope and -ZoneFile not be used at the same time when creating a new DNS zone

Answer 27

one fits file based zones the other Active Directory integrated zones

Question 28

DNS
is it possible to change the zone* type from file-based to Active Directory integrated or vice versa with powershell?

*or conditional forwarder

Answer 28

no

Question 29

DNS

what tool do you use to change the type of zone from Active Directory integrated to file-based or voce versa?

Answer 29

use DNS management console

Question 30

DNS

what are the four possible settings for zone transfers in DNS management?

Answer 30

• noTransfer
• TransferAnyServer
• TrasnsferToZoneNameServer
• TransferToSecureServers

Question 31

DNS

what are the three possible notification settings for DNS zone changes?

Answer 31

• NoNotify
• Notify
• NotifyServers

Question 32

DNS

what is the possible alternative in Active Directory integrated DNS to file-based secondars servers?

Answer 32

stub-zones and conditional forwarders

Question 33

DNS

what are conditional forwarders used for?

Answer 33

conditional forwarders provide a means to manage to which DNS server a DNS query is forwarded for specific zones.

Question 34

DNS

what is zone delegation used for?

Answer 34

use DNS zone delegation to delegate the administration of a portion of your DNS namespace.

Question 35

DNS

what is the default zone transfer setting?

Answer 35

zone transfers are disallowed unless explicitly allowed.

Question 36

DNS

which DNS resource record type can NOT be created with PowerShell?

Answer 36

SOA* - Start Of Authority record.

* is a version number record identifying the number of the DNSZone

Question 37

DNS

if DNS has two MX entries for a domain with different priority settings, which server ist receiving the SMTP traffic?

Answer 37

lowest value

Question 38

what tool is used to perform a tombstone reanimation?

Answer 38

> ldp.exe

Question 39

what tools can you use to view the contents of a mounted Active Directory snapshot?

Answer 39

• ADUC (DSA.msc)
• ADSIEDIT.msc
• LDP.exe

Question 40

which cmdlet do you use to copy images between groups in WDS ?

Answer 40

> export-WDSInstallImage

> import-WDSInstallImage

Question 41

which cmdlet do you use to copy images inside a WDS group?

Answer 41

> copy-WDSInstallImage

Question 42

how do you enable client-side targeting in WSUS?

Answer 42

by selecting computers in the options section of the server update services and selecting “use group policy or registry settings on computers”

Question 43

what is the minimum size of the local updates volume for WSUS?

Answer 43

6GB

Question 44

what form of credential does the -credential option expect?

Answer 44

a psCredential object. not a string “domain\user”

Question 45

what cmdlet do you use to open an elevated PowerShell ?

Answer 45

> Start-Process Powershell.exe -verb RunAs

Question 46

to install WDS via PowerShell including tools type..

Answer 46

> Install-windowsFeature -name WDS -cn -includemanagementtools

Question 47

before capturing an image from a template installation, what do you need to do?

Answer 47

> %windir”\system32\sysprep sysprep /oobe /generalize /reboot

Question 48

can you remove a driver-package from an image in WDS?

Answer 48

no

Question 49

can you use powershell to create or manage the properties of driver-groups in WDS?

Answer 49

no

Question 50

what are the steps to install or remove features in offline images?

Answer 50

• set the image to read-write with : attrib -r
• mount image on empty mountpoint
• modify image > enable-windowsoptionalfeature
  > disable-windowsoptionalfeature
  -commit changes and unmount
  > save-windowsImage
  > dismount-windowsImage

Question 51

DA

what cmdlet do you use to install the direct access role on a server

Answer 51

> Install-WindowsFeature -name RemoteAccess -IncludeAllSubfeatures -IncludeManagementTools

Question 52

WDS

what can you do to maintain functionality in established boot images to support hardware compatibility?

Answer 52

inject vendor specific drivers into boot images.
cmdlets:
> Import-WDSDriverPackage
> Add-WDSDriverPackage

Question 53

WDS

what is the prerequisite to install the WDS role on a 2012 R2 server?

Answer 53

WDS is only supported on a full GUI installation.

Question 54

WDS

wich cmdlet is used to install the WDS role ?

Answer 54

> Install-WindowsFeature -name WDS -includeManagementTools

Question 55

WDS

what is the initial configuration after installing the WDS role on a server?

Answer 55

set the location of the WDS image store.

NTFS, not on C:!

Question 56

WDS

what are capture images used for?

Answer 56

capture images are custom install images from a template computer.

Question 57

WDS

what are discover images?

Answer 57

discover images are use to deploy by using physical media rather than PXE boot.

Question 58

WDS

what are the two cmdlets to update images?

Answer 58

after mounting the offline image read-write on the local file system
> Add-WindowPackage
or
> Enable-WindowsOptionalFeature

don’t forget to commit changes and unmont the image.

Question 59

WDS

what is the only tool to create WDS driver groups?

Answer 59

WDS console

Question 60

WDS

what are two basic network requirements for WDS?

Answer 60

• active DHCP server

- working and reachable DNS server

Question 61

WDS

what cmdlet is used to update an offline boot image file with a new driver?

Answer 61

> Add-WDSDriverPackage

Question 62

RA VPN

which ports are used for the PPTP VPN Protocol?

Answer 62

TCP 1723

GRE 47

Question 63

RA VPN

which ports are used for the L2TP VPN Protocol?

Answer 63

UDP 500
UDP 4500
UDP 1701
ESP 50

Question 64

RA VPN

which ports are used for the SSTP VPN Protocol?

Answer 64

TCP 443

Question 65

RA VPN

which ports are used for the IKEv2 VPN Protocol?

Answer 65

UDP 500
UDP 4500
UDP 1701
ESP 50

Question 66

IPv6

what is a global IPv6 prefix?

Answer 66

2000::/3

Question 67

IPv6

what is a link local IPv6 prefix?

Answer 67

FE80::/10

Question 68

IPv6

what is a multicast IPv6 prefix?

Answer 68

FF00::/8

Question 69

IPv6

what is a unique local IPv6 prefix

Answer 69

FC00::/7

Question 70

IPv6

what is the loopback IPv6 address?

Answer 70

::1

Question 71

what can be configured with the routing and remote access console?

Answer 71

routing
NAT
dial-up remote access
vpn remote access

Question 72

VPN
which module in PS provides cmdlets for VPN server support?

Answer 72

RemoteAccess module

Question 73

VPN

which are the four parts that construct the remote acces role?

Answer 73

routing
VPN
directAccess
web application proxy

Question 74

you need to configure VPN to only support clients using the SSTP protocol. What changes do you need to make to the default VPN config in w2012R2?

Answer 74

Clear remote access connections for the WAN Miniport (PPTP), WAN miniport (IKEv2), and WAN miniport (L2TP).

Question 75

you use DirectAccess for all Windows8 and later remote clients, but you use VPN to support windows 7 clients. you need to configure VPN to use IP addresses controlled by the remote access server. what settings do you need to make? (2)

Answer 75

• in the DHCP management console, create a DHCP exclusion for the IP addresses assigned to VPN clients.
• in the remote access management console, select assign addresses from a static address pool

Question 76

name three benifits of Direct Access compared with VPNs.

Answer 76

• always-on (no need to initiate connection)
• seamless (transparently connected if online)
• security (managed connection + IPsec)

Question 77

which VPN protocols are supported in w2012 R2?

Answer 77

PPTP
L2TP
IKEv2
SSTP

Question 78

what command do you use to !only! install VPN and NAT and their management tools?

Answer 78

> Add-WindowsFeature DirectAccess-VPN,Routing -inludeManagementTools

Question 79

you need to configure VPN to only support clients using the SSTP protocol. What changes do you need to make to the default VPN config in w2012R2?

Answer 79

Clear remote access connections for the WAN Miniport (PPTP), WAN miniport (IKEv2), and WAN miniport (L2TP).

Question 80

you use DirectAccess for all Windows8 and later remote clients, but you use VPN to support windows 7 clients. you need to configure VPN to use IP addresses controlled by the remote access server. what settings do you need to make? (2)

Answer 80

• in the DHCP management console, create a DHCP exclusion for the IP addresses assigned to VPN clients.
• in the remote access management console, select assign addresses from a static address pool

Question 81

name three benifits of Direct Access compared with VPNs.

Answer 81

• always-on (no need to initiate connection)
• seamless (transparently connected if online)
• security (managed connection + IPsec)

Question 82

what is the default setting in the remote access quick start wizard to allow connectoins via DirectAccess?

Answer 82

mobile computers only

Question 83

radius

whitch settings can be configured in seperate templates each?

Answer 83

• shared secret
• radius clients
• remote radius servers
• IP filters
• health policies
• remediation server groups

Question 84

what are the four possible settings for RADUS logging

Answer 84

SQL logging only
Test logging only
Parallel logging
SQL logging with backup

Question 85

what are the possible settings that can be simplified by RADIUS templates

Answer 85

shared secrets
RADIUS clients
remote RADIUS servers
IP filters
health policies
remediation server groups

Question 86

with multiple RADIUS server infrastructure, you have three servers all with parity 1. server1 has weight 10, server2 has weight 15 and server3 has weight 25.
how are the next 100 messages processed.

Answer 86

server1  = 20
server2 = 30
server3 = 50

Question 87

in NPS which server is higher priorized.

server1 with priority 1 or server2 with priority 50?

Answer 87

the lower the number the higher the priority.

server1

Question 88

in NPS what ports are used for authentication and accounting?

Answer 88

1812 = authentication
1813 = accounting

Question 89

in NPS (RADIUS) if you have two servers. server1 with priority 1 and server2 with priority 2. how many messages does server2 recieve if 100 messages are sent by clients?

Answer 89

zero.

server2 is only accessed if server1 is unavailable.

Question 90

NPS / RADIUS certificates
in which policy do you set up the configuration for auto enrollment for clients and servers for certificate-based authentication?
what path ist used for the policy setting?

Answer 90

default domain policy

comp/policies/windows settings/security settings/public key policies

Question 91

NPS / RADIUS certificates

which purpose of a certificate does not work with client and server authentication?

Answer 91

the purpose “All” does not work wiht authentication.

Question 92

NPS templates

what does the abreviation SHV stand for?

Answer 92

system health validator

Question 93

NPS templates

what are the options for client SHV checks (7)?

Answer 93

client passes all SHV checks
client fails all SHV checks
client passes one or more SHV checks
client fails one or more SHV checks
client reported as transitionsl by one or more SHVs
client reported as infected by one or more SHVs
client reported as unknown by one or more SHVs

Question 94

what two options can be configured on an NPS?

Answer 94

RADIUS server

RADIUS proxy

Question 95

for whitch scenarios can RADIUS be used for?

Answer 95

VPN authentication and authorization

Dial-in authentication and authorization

Question 96

what does RADIUS client mean?

Answer 96

network access servers

other RADIUS servers

Question 97

when installing NPS as RADIUS proxy which NPS role services are required in win2012R2?

Answer 97

NPS

Question 98

what does it mean when a NPS is configured as a RADIUS proxy?

Answer 98

the server acts as a RADIUS client, forwarding connection requests to a RADIUS server group for authentication and authorization.

Question 99

certificates with which purposes can be used for mutual authentication of NPS and client computers?

Answer 99

server authentication certs

client authentication cerst

Question 100

which three kinds of policies are supported by NPS?

Answer 100

connection request policies
network policies
health plicies

Question 101

NPS

in older versions of windows server NPS policies were im- and exported. what technologies are used instead in win2012R2?

Answer 101

import and export templates

import and export NPS entire configuration

Question 102

NPS

which two policies control which clients are allowed to connect to the network?

Answer 102

client request policy and network policy

Question 103

NPS

what is the purpose of the connection request policy?

Answer 103

it handles the initial request by a client to connect and passes it to an appropriate network policy
connection request policies define which connections are processed on the NPS server and which are processed on remote RADIUS servers.

Question 104

NPS

what does a network policy do?

Answer 104

it determines how a client is authenticated and whether is authorized to connect.

Question 105

NPS

how can you manage nps templates?

Answer 105

export the templates to xml files.

import templates from a server or from a file.

Question 106

NPS configuration

what is the most important concern when exporting NPS configuration to a file.

Answer 106

the exported file includes policies, templates,clients, RADIUS server information and shared secrets. this is sensitive information that should be handled with security concerns in mind.
if accounting is set up to sql db - this info is not included in the exported file and has to be added manually after import.

Question 107

NPS export

what is the cmdlet to export the NPS configuration?

Answer 107

> export-NPSConfiguration -path “… path\filename.xml”

Question 108

NPS export

can you use netsh to export the NPS configuration?

Answer 108

yes.

> netsh nps export filename=path\filename.xml exportpsk=yes

Question 109

NPS

what does the term 2FA mean?

Answer 109

two-factor authentication

Question 110

NPS export

how can you mitigate security implications when exporting a NPS configuration file.

Answer 110

store the file in an encrypted location, or an encrypted usb device.

Question 111

NPS

what is it that controls whether a NPS acts as a RADIUS server or a RADIUS proxy?

Answer 111

the connection request policy

Question 112

NPS

which condition sets the allowed protocols for a RADIUS connection?

Answer 112

the tunnel type condition

Question 113

NPS

can you set a condition for connection request policies for user names?

Answer 113

yes

Question 114

NPS

can you set a condition for connection request policies for user groups?

Answer 114

no

Question 115

NPS

can you set a condition for connection request policies for NAS port types?

Answer 115

yes

Question 116

NPS

can you set a condition for connection request policies for MS service classes?

Answer 116

no

Question 117

NAP DHCP

why is NAP enforcement using DHCP not a secure enforcement method?

Answer 117

a knowlegable user can assign a fixed IP address and bypass the restciction.

Question 118

NAP DHCP

what are the prerequsites for using NAP enforcement using DHCP?

Answer 118

either the NPS is the DHCP server

or the DHCP server has a NPS role installed as RADIUS proxy

Question 119

NAP

what are the four possible options for a NAP enforcement policy?

Answer 119

• non-enforcement (monitoring)
• limited enforcement (limited acces)
• full enforcement (blocking)
• full enforcement with remediation (acces to remediation servers)

Question 120

NAP

in network policy for remediation for noncompiant clients, should the clients be granted access or not?

Answer 120

yes - to enable access to remediation servers

Question 121

NAP

to implement NAP on your network, what steps do you need to take?

Answer 121

enable NAP on RADIUS servers
implement health policy that requires client computers to have firewall turned on, have all current updates, be free of infection.
implement remediation servers

Question 122

how often do you have to create a KDSRootkey if you want to use gMSAs?

Answer 122

once for each domain

Question 123

how long does it take to create a KDS-rootkey with the cmdlet
add-KDSRootKey -effectiveImmediately?

Answer 123

10 hours

Question 124

what is the prerequisite to use gMSAs?

Answer 124

the cration of the KDS-rootkey

Question 125

what are the steps to remove a MSA from a computer

Answer 125

> uninstall-ADServiceAccount on local comp
remove-ADComputerServiceAccount to unassign the account f comp
if you do not want to reuse account:
remove-ADServiceAccount

Question 126

what are the prerequsites on a client computer to use MSAs?

Answer 126

win 7 , Active Directory ps module, dotnet framewrk 3.5 or later

Question 127

what are the cmdlets to create a managed service account?

Answer 127

on server:
> new-ADServiceAccount -name -restrictToSingleComputer -enabled $true
> add-ADComputerServiceAccount -idntity -serviceAccount
on local computer:
> install-ADServiceAccount -identity

Question 128

when were MSAs introduced?

Answer 128

win srv 2008 R2

Question 129

when were gMSAs introduced?

Answer 129

win srv 2012 R2

Question 130

what tool or command do you use to create a MSA?

Answer 130

> New-ADServiceAccount

with the -standalone paramater

Question 131

what command should you use to add a gMSA on a computer?

Answer 131

> Install-ADComputerServiceAccount

Question 132

you want to use a virtual account for the testService on computer server1. what commands or tools would you use?

Answer 132

> services.msc

Question 133

what are the FSMO operations master roles and which are forest or domain wide roles?

Answer 133

once per forest:
schema master 
domain naming master 
once per domain:
RID master 
PDC emulador
infrastructure master

Question 134

who has rights to seize or transfer the schema master role?

Answer 134

schema administrators group

Question 135

who has the rights to tansfer or seize the domain naming master?

Answer 135

the enterprise administrators group

Question 136

who has the rights to seize or transfer the RID master, PDC emulator, or infrastructure master role?

Answer 136

domain administrators group