book flashcards
to which container should you set the base DN in the search box of the ldp.exe tool when performing tombstone reanimation of a user in test.com?
CN=Deleted Objects,DC=test,DC=com
what should you run from the command line to register SPN ‘http/srv55.nutex.com’ for a win2012R2 server named srv55?
> setspn -S http/srv55.nutex.com srv55
what service uses port 389?
LDAP
what GUI tool will allow you to enable the Active Directory recycle bin?
ADAC
when do you choose to import an object that has been exported from an Active Directory snapshot instead of retrieving an object from the Active Directory Recycle Bin?
when you want to reset the values of an object's attributes to a previous value
what parameter of the install-ADDSDomainController cmdlet is used to install and configure DNS on the DC?
-installDNS
which parameter of the Move-ADDirectoryServerOperationMasterRole cmdlet will allow you to seize a master operations role?
-force
what setspn.exe command will list all SPNs of services on the web server?
> setspn -l
what parameter of the install-ADDSDomainController cmdlet is used to prevent the replication of certain passwords to the DC?
-DenyPasswordReplicationAccountName
which type of account in w2008R2 and above is a ‘managed local account’ that provides the ability to access the network with a computer identity in a domain environment with no password management required?
virtual account
what additional step is required to view deleted objects after setting the base DN in the search box of the ldp.exe tool when performing a tombstone reanimation of a user account?
use the ‘return deleted objects’ control to view deleted objects.
to use kerberos authentication with SQL server, which two conditions are required?
- the client and server computers must be part of the same windows domain, or in trusted domains.
- ServicePrincipalNames (SPN) must be registered with AD
what are the four image types used in WDS?
- boot images
- install images
- capture images
- discover images
what are the prerequisites to install a WDS server in an Active Directory network?
- ADDS Server
- DHCP
- DNS
- NTFS Share
- WDS Server needs GUI
- WDS can be installed on member server
what are the three steps to create a Managed Service Account on a domain (requires 2008 R2)?
on server
1. > New-ADServiceAccount -Name -RestrictToSingleComputer -enabled $True
2. > Add-ADComputerServiceAccount -Identity -serviceAccount
on target
3. > Install-ADServiceAccount -Identity
What are the prerequisites for an Active Directory MSA to work on a client computer?
- Active Directory Powershell Module
- .Net 3.5 Framework
after what time period do managed service accounts renew their passwords automatically?
30 Days
what tool is the only tool that can be used to create WSUS groups?
wsus.exe
what are the steps to update an offline image or vhd(x) with dism with
- security updates
- hotfixes
- drivers?
- set image to read-write (attrib -r)
- mount the image on an empty mount point
- extract contents of update (winrar, etc)
- inject .cab files into mounted image (add-windowsPackage)
- commit changes and unmount
> Save-WindowsImage
> Dismount-WindowsImage
in configuring WSUS, what does client side targeting mean?
to use GPOs to assign computers to WSUS groups
(used in larger organisations)
DNS
which zone type can NOT be stored in Active Directory?
secondary zones
[security implications]
PS
what cmdlet is used to create a new conditional forwarder for test.com?
> Add-DnsServerConditionalZone -Name -masterServers -forwardertimeout -replicationscope
PS,DNS
which cmdlet is used to create a new stub zone?
> Add-DnsServerStubZone -name -masterServers -replicationScope
PS,DNS
which cmdlet is used to create a new secondary zone?
> Add-DnsServerSecondaryZone -name -zonefile -masterServers
DNS
can a secondary DNS server be a master server in DNS?
yes
PS,DNS
which cmdlet can be used to create a primary zone?
> Add-DnsServerPrimaryZone -name -replicationscope -dynamicupdate ‘secure’
(Active Directory integrated)
or
Add-DnsServerPrimaryZone -name -zonefile -dynamicupdate ‘none’
(file based)
DNS
why can the two parameters -ReplicationScope and -ZoneFile not be used at the same time when creating a new DNS zone?
one fits file based zones the other Active Directory integrated zones
DNS
is it possible to change the zone* type from file-based to Active Directory integrated or vice versa with powershell?
*or conditional forwarder
no
DNS
what tool do you use to change the type of zone from Active Directory integrated to file-based or vice versa?
use DNS management console
DNS
what are the four possible settings for zone transfers in DNS management?
- noTransfer
- TransferAnyServer
- TransferToZoneNameServer
- TransferToSecureServers
DNS
what are the three possible notification settings for DNS zone changes?
- NoNotify
- Notify
- NotifyServers
DNS
what is the possible alternative in Active Directory integrated DNS to file-based secondary servers?
stub-zones and conditional forwarders
DNS
what are conditional forwarders used for?
conditional forwarders provide a means to manage to which DNS server a DNS query is forwarded for specific zones.
DNS
what is zone delegation used for?
use DNS zone delegation to delegate the administration of a portion of your DNS namespace.
DNS
what is the default zone transfer setting?
zone transfers are disallowed unless explicitly allowed.
DNS
which DNS resource record type can NOT be created with PowerShell?
SOA* - Start Of Authority record.
* is a version number record identifying the number of the DNS zone
DNS
if DNS has two MX entries for a domain with different priority settings, which server is receiving the SMTP traffic?
lowest value
what tool is used to perform a tombstone reanimation?
> ldp.exe
what tools can you use to view the contents of a mounted Active Directory snapshot?
- ADUC (DSA.msc)
- ADSIEDIT.msc
- LDP.exe
which cmdlet do you use to copy images between groups in WDS ?
> export-WDSInstallImage
> import-WDSInstallImage
which cmdlet do you use to copy images inside a WDS group?
> copy-WDSInstallImage
how do you enable client-side targeting in WSUS?
by selecting computers in the options section of the server update services and selecting “use group policy or registry settings on computers”
what is the minimum size of the local updates volume for WSUS?
6GB
what form of credential does the -credential option expect?
a psCredential object. not a string “domain\user”
what cmdlet do you use to open an elevated PowerShell ?
> Start-Process Powershell.exe -verb RunAs
to install WDS via PowerShell including the management tools, type:
> Install-windowsFeature -name WDS -cn -includemanagementtools
before capturing an image from a template installation, what do you need to do?
> %windir%\system32\sysprep\sysprep /oobe /generalize /reboot
can you remove a driver-package from an image in WDS?
no
can you use powershell to create or manage the properties of driver-groups in WDS?
no
what are the steps to install or remove features in offline images?
- set the image to read-write with: attrib -r
- mount image on an empty mountpoint
- modify image
> enable-windowsoptionalfeature
> disable-windowsoptionalfeature
- commit changes and unmount
> save-windowsImage
> dismount-windowsImage
DA
what cmdlet do you use to install the direct access role on a server?
> Install-WindowsFeature -name RemoteAccess -IncludeAllSubfeatures -IncludeManagementTools
WDS
what can you do to maintain functionality in established boot images to support hardware compatibility?
inject vendor specific drivers into boot images.
cmdlets:
> Import-WDSDriverPackage
> Add-WDSDriverPackage
WDS
what is the prerequisite to install the WDS role on a 2012 R2 server?
WDS is only supported on a full GUI installation.
WDS
which cmdlet is used to install the WDS role?
> Install-WindowsFeature -name WDS -includeManagementTools
WDS
what is the initial configuration after installing the WDS role on a server?
set the location of the WDS image store.
NTFS, not on C:!
WDS
what are capture images used for?
capture images are custom install images from a template computer.
WDS
what are discover images?
discover images are used to deploy by using physical media rather than PXE boot.
WDS
what are the two cmdlets to update images?
after mounting the offline image read-write on the local file system
> Add-WindowsPackage
or
> Enable-WindowsOptionalFeature
don’t forget to commit changes and unmount the image.
WDS
what is the only tool to create WDS driver groups?
WDS console
WDS
what are two basic network requirements for WDS?
- active DHCP server
- working and reachable DNS server
WDS
what cmdlet is used to update an offline boot image file with a new driver?
> Add-WDSDriverPackage
RA VPN
which ports are used for the PPTP VPN Protocol?
TCP 1723
GRE 47
RA VPN
which ports are used for the L2TP VPN Protocol?
UDP 500
UDP 4500
UDP 1701
ESP 50
RA VPN
which ports are used for the SSTP VPN Protocol?
TCP 443
RA VPN
which ports are used for the IKEv2 VPN Protocol?
UDP 500
UDP 4500
UDP 1701
ESP 50
IPv6
what is a global IPv6 prefix?
2000::/3
IPv6
what is a link local IPv6 prefix?
FE80::/10
IPv6
what is a multicast IPv6 prefix?
FF00::/8
IPv6
what is a unique local IPv6 prefix
FC00::/7
IPv6
what is the loopback IPv6 address?
::1
what can be configured with the routing and remote access console?
routing
NAT
dial-up remote access
vpn remote access
VPN
which module in PS provides cmdlets for VPN server support?
RemoteAccess module
VPN
which are the four parts that construct the remote access role?
routing
VPN
directAccess
web application proxy
you need to configure VPN to only support clients using the SSTP protocol. What changes do you need to make to the default VPN config in w2012R2?
Clear remote access connections for the WAN Miniport (PPTP), WAN miniport (IKEv2), and WAN miniport (L2TP).
you use DirectAccess for all Windows8 and later remote clients, but you use VPN to support windows 7 clients. you need to configure VPN to use IP addresses controlled by the remote access server. what settings do you need to make? (2)
- in the DHCP management console, create a DHCP exclusion for the IP addresses assigned to VPN clients.
- in the remote access management console, select assign addresses from a static address pool
name three benefits of Direct Access compared with VPNs.
- always-on (no need to initiate connection)
- seamless (transparently connected if online)
- security (managed connection + IPsec)
which VPN protocols are supported in w2012 R2?
PPTP
L2TP
IKEv2
SSTP
what command do you use to !only! install VPN and NAT and their management tools?
> Add-WindowsFeature DirectAccess-VPN,Routing -IncludeManagementTools
what is the default setting in the remote access quick start wizard to allow connections via DirectAccess?
mobile computers only
radius
which settings can each be configured in a separate template?
- shared secret
- radius clients
- remote radius servers
- IP filters
- health policies
- remediation server groups
what are the four possible settings for RADIUS logging?
SQL logging only
Text logging only
Parallel logging
SQL logging with backup
what are the possible settings that can be simplified by RADIUS templates?
- shared secrets
- RADIUS clients
- remote RADIUS servers
- IP filters
- health policies
- remediation server groups
with a multiple RADIUS server infrastructure, you have three servers all with priority 1. server1 has weight 10, server2 has weight 15 and server3 has weight 25.
how are the next 100 messages processed?
server1 = 20
server2 = 30
server3 = 50
in NPS which server has the higher priority:
server1 with priority 1 or server2 with priority 50?
the lower the number, the higher the priority.
server1
in NPS what ports are used for authentication and accounting?
1812 = authentication
1813 = accounting
in NPS (RADIUS) if you have two servers, server1 with priority 1 and server2 with priority 2, how many messages does server2 receive if 100 messages are sent by clients?
zero.
server2 is only accessed if server1 is unavailable.
NPS / RADIUS certificates
in which policy do you set up the configuration for auto enrollment for clients and servers for certificate-based authentication?
what path is used for the policy setting?
default domain policy
comp/policies/windows settings/security settings/public key policies
NPS / RADIUS certificates
which purpose of a certificate does not work with client and server authentication?
the purpose “All” does not work with authentication.
NPS templates
what does the abbreviation SHV stand for?
system health validator
NPS templates
what are the options for client SHV checks (7)?
client passes all SHV checks
client fails all SHV checks
client passes one or more SHV checks
client fails one or more SHV checks
client reported as transitional by one or more SHVs
client reported as infected by one or more SHVs
client reported as unknown by one or more SHVs
what two options can be configured on an NPS?
RADIUS server
RADIUS proxy
for which scenarios can RADIUS be used?
VPN authentication and authorization
Dial-in authentication and authorization
what does RADIUS client mean?
network access servers
other RADIUS servers
when installing NPS as RADIUS proxy which NPS role services are required in win2012R2?
NPS
what does it mean when a NPS is configured as a RADIUS proxy?
the server acts as a RADIUS client, forwarding connection requests to a RADIUS server group for authentication and authorization.
certificates with which purposes can be used for mutual authentication of NPS and client computers?
server authentication certs
client authentication certs
which three kinds of policies are supported by NPS?
connection request policies
network policies
health policies
NPS
in older versions of windows server NPS policies were imported and exported. what technologies are used instead in win2012R2?
import and export templates
import and export NPS entire configuration
NPS
which two policies control which clients are allowed to connect to the network?
client request policy and network policy
NPS
what is the purpose of the connection request policy?
it handles the initial request by a client to connect and passes it to an appropriate network policy
connection request policies define which connections are processed on the NPS server and which are processed on remote RADIUS servers.
NPS
what does a network policy do?
it determines how a client is authenticated and whether it is authorized to connect.
NPS
how can you manage nps templates?
export the templates to xml files.
import templates from a server or from a file.
NPS configuration
what is the most important concern when exporting the NPS configuration to a file?
the exported file includes policies, templates, clients, RADIUS server information and shared secrets. this is sensitive information that should be handled with security concerns in mind.
if accounting is set up to a SQL database, this info is not included in the exported file and has to be added manually after import.
NPS export
what is the cmdlet to export the NPS configuration?
> export-NPSConfiguration -path “… path\filename.xml”
NPS export
can you use netsh to export the NPS configuration?
yes.
> netsh nps export filename=path\filename.xml exportpsk=yes
NPS
what does the term 2FA mean?
two-factor authentication
NPS export
how can you mitigate the security implications when exporting an NPS configuration file?
store the file in an encrypted location, or an encrypted usb device.
NPS
what is it that controls whether an NPS acts as a RADIUS server or a RADIUS proxy?
the connection request policy
NPS
which condition sets the allowed protocols for a RADIUS connection?
the tunnel type condition
NPS
can you set a condition for connection request policies for user names?
yes
NPS
can you set a condition for connection request policies for user groups?
no
NPS
can you set a condition for connection request policies for NAS port types?
yes
NPS
can you set a condition for connection request policies for MS service classes?
no
NAP DHCP
why is NAP enforcement using DHCP not a secure enforcement method?
a knowledgeable user can assign a fixed IP address and bypass the restriction.
NAP DHCP
what are the prerequisites for using NAP enforcement using DHCP?
either the NPS is the DHCP server
or the DHCP server has the NPS role installed as RADIUS proxy
NAP
what are the four possible options for a NAP enforcement policy?
- non-enforcement (monitoring)
- limited enforcement (limited access)
- full enforcement (blocking)
- full enforcement with remediation (access to remediation servers)
NAP
in a network policy for remediation of noncompliant clients, should the clients be granted access or not?
yes - to enable access to remediation servers
NAP
to implement NAP on your network, what steps do you need to take?
- enable NAP on RADIUS servers
- implement a health policy that requires client computers to have the firewall turned on, have all current updates, and be free of infection.
- implement remediation servers
how often do you have to create a KDS root key if you want to use gMSAs?
once for each domain
how long does it take to create a KDS root key with the cmdlet
add-KDSRootKey -effectiveImmediately?
10 hours
what is the prerequisite to use gMSAs?
the creation of the KDS root key
what are the steps to remove an MSA from a computer?
> uninstall-ADServiceAccount on the local computer
> remove-ADComputerServiceAccount to unassign the account from the computer
if you do not want to reuse the account:
> remove-ADServiceAccount
what are the prerequisites on a client computer to use MSAs?
Windows 7, Active Directory PowerShell module, .NET Framework 3.5 or later
what are the cmdlets to create a managed service account?
on server:
> new-ADServiceAccount -name -restrictToSingleComputer -enabled $true
> add-ADComputerServiceAccount -identity -serviceAccount
on local computer:
> install-ADServiceAccount -identity
when were MSAs introduced?
win srv 2008 R2
when were gMSAs introduced?
win srv 2012 R2
what tool or command do you use to create an MSA?
> New-ADServiceAccount
with the -standalone parameter
what command should you use to add a gMSA on a computer?
> Install-ADComputerServiceAccount
you want to use a virtual account for the testService on computer server1. what commands or tools would you use?
> services.msc
what are the FSMO operations master roles and which are forest or domain wide roles?
once per forest:
- schema master
- domain naming master
once per domain:
- RID master
- PDC emulator
- infrastructure master
who has rights to seize or transfer the schema master role?
schema administrators group
who has the rights to transfer or seize the domain naming master?
the enterprise administrators group
who has the rights to seize or transfer the RID master, PDC emulator, or infrastructure master role?
domain administrators group