Chapter 10 - Implement Identity Federation and Access Solutions Flashcards

1
Q
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a domain controller named Server1. You recently restored a backup of the Active Directory database from Server1 to an alternate location. The restore operation did not interrupt the Active Directory services on Server1. What tool should you use if you need to make the Active Directory data in the backup accessible by using Lightweight Directory Access Protocol (LDAP)?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsacls
D. Dsadd quota
E. Dsamain
F. Dsmod
G. Group Policy Management Console
H. Ntdsutil
A

E. The Dsamain tool exposes Active Directory data that is stored in a snapshot or backup as an LDAP server. Dsamain.exe is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use Dsamain, you must run it from an elevated command prompt.
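As an added example that is not part of the original card, the following shows the Dsamain workflow end to end: mount the restored database on an alternate LDAP port and then compare objects against the live directory. The paths, port, user and domain names are assumptions.

```powershell
# Added example: expose a restored ntds.dit over LDAP with Dsamain and query it.
# Run from an elevated prompt on a server with the AD DS or AD LDS role installed.
# Paths, port, user and domain below are assumptions for illustration.

$DbPath   = 'D:\ADRestore\Active Directory\ntds.dit'   # the restored copy, never the live database
$LdapPort = 10389                                      # any free port; 389 is taken on a DC

# Dsamain holds the console until Ctrl+C, so start it as a separate process.
# -allowNonAdminAccess lets non-Domain Admins read the mounted data; drop it if only you need access.
$dsamain = Start-Process -FilePath dsamain.exe `
    -ArgumentList "-dbpath `"$DbPath`" -ldapport $LdapPort -allowNonAdminAccess" `
    -PassThru

Start-Sleep -Seconds 10   # give the LDAP listener time to come up

# Point the AD cmdlets at the mounted snapshot instead of the live domain controller.
$Snapshot = "localhost:$LdapPort"

# Compare one account between the snapshot and the live directory, e.g. to see which
# group memberships changed before a suspected compromise or accidental deletion.
$old = Get-ADUser -Identity 'jdoe' -Server $Snapshot -Properties memberOf, whenChanged
$new = Get-ADUser -Identity 'jdoe' -Properties memberOf, whenChanged

Compare-Object -ReferenceObject $old.memberOf -DifferenceObject $new.memberOf |
    Format-Table InputObject, SideIndicator

# List who was in Domain Admins at backup time. Group lookups are not resolved across the
# snapshot boundary, so filter on memberOf instead of calling Get-ADGroupMember.
Get-ADUser -Server $Snapshot -LDAPFilter '(memberOf=CN=Domain Admins,CN=Users,DC=abc,DC=com)' |
    Select-Object SamAccountName, DistinguishedName

# Stop Dsamain when finished so the backup is not left exposed on the network.
Stop-Process -Id $dsamain.Id
```

Work on a copy of the backup: Dsamain opens the database for recovery and should never be pointed at the database a running domain controller is using.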

2
Q

You are the administrator for your company network. You and a colleague are discussing the Federation Proxy services. The Federation Proxy services are installed through which of the following?
A. A separate Active Directory Federation Proxy install download
B. Server Manager ➢Remote Access ➢Web Proxy
C. Server Manager ➢Active Directory Federation Services ➢Active Directory Proxy services
D. PowerShell ➢Install-Windows-Feature Web Proxy

A

B. In Windows Server 2016 the federation service proxy is no longer a separate AD FS download or AD FS role service; its function is provided by the Web Application Proxy (WAP) role service, which you add under Server Manager ➢ Remote Access (or with Install-WindowsFeature Web-Application-Proxy). WAP is installed on a server in the perimeter network and acts as the AD FS proxy for Internet clients.

3
Q
You are the administrator for your company network. You and a colleague are discussing different authentication capabilities offered when using Active Directory Federation Services (AD FS) authentication. One of the features offered with AD FS is the ability to allow users to enter their credentials only once but then be authenticated to all supported published applications. What is this feature called?
A. Multi-Factor Authentication (MFA) 
B. Multi-Factor Access Control
C. Single Sign-On
D. Workplace Join
A

C. The Single Sign-On (SSO) feature allows users to enter their credentials only once to be authenticated to all supported published applications. SSO is a feature that is used heavily when connecting your corporate network to another network (like the cloud). Users sign in once but have access to both networks.

4
Q
You are the administrator for your company network. You and a colleague are discussing the Certification Authority role. What should you consider if you want the configuration modifications of the Certification Authority role service to be logged? (Choose all that apply.)
A. Enabling auditing of system events
B. Enabling logging
C. Enabling auditing of object access
D. Enabling auditing of privilege use
E. Enabling auditing of process tracking
A

B, C. Auditing of the Certification Authority role service is configured in two places, and both are required. First, enable logging on the CA itself: on the Auditing tab of the CA's properties in the Certification Authority console, select the event classes to record (the same setting is the CA\AuditFilter registry value, which certutil can set). Second, enable Audit object access (with advanced audit policy, the Certification Services subcategory) in Local Policy or Group Policy, because CA audit events are written to the Security log under Object Access. Without the policy setting the CA records nothing even though its own auditing is switched on.
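The two halves of that configuration, plus a check that events are actually arriving, as an added example that is not from the original card. It assumes the CA is the local machine and that you are running from an elevated PowerShell prompt.

```powershell
# Added example (not from the card): turn on CA configuration auditing and verify it.
# Run on the CA host from an elevated PowerShell prompt.

# 1. CA side: AuditFilter is a bitmask of the seven auditable event classes.
#    1 = start/stop the service, 2 = back up/restore the database, 4 = issue/manage requests,
#    8 = revoke certificates/publish CRLs, 16 = store/retrieve archived keys,
#    32 = change CA configuration, 64 = change CA security settings. 127 = all of them.
certutil -setreg CA\AuditFilter 127
Restart-Service -Name CertSvc

# 2. Policy side: the CA writes its audit events to the Security log via Object Access auditing.
#    The advanced subcategory is "Certification Services". In a domain, set this through a GPO
#    (Advanced Audit Policy Configuration) rather than auditpol, or the GPO will overwrite it.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. Verify both halves are in place.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"

# 4. Confirm events appear. 4882 = CA security permissions changed, 4890 = certificate manager
#    settings changed, 4891 = a CA configuration entry changed, 4899 = a template was updated.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4890, 4891, 4899 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Make a harmless configuration change (for example, add and remove a CRL distribution point) after step 3 and rerun step 4; if nothing shows up, the Object Access policy is the usual culprit.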

5
Q
You are the administrator for your company network. Company management asks you to implement a new Windows Server 2016 system. Which of the following will you need to implement if you want to use federated identity management?
A. Active Directory DNS Services
B. Active Directory Federation Services 
C. Active Directory IAS Services
D. Active Directory IIS Services
A

B. You will need to use Active Directory Federation Services (AD FS) in order to implement federated identity management. Federated identity management is a standards-based and information technology process that will enable distributed identification, authentication, and authorization across organizational and platform boundaries. The AD FS solution in Windows Server 2016 helps administrators address these challenges by enabling organizations to share a user's identity information securely.

6
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that has the Windows Application Proxy role service installed.
You need to publish Microsoft Exchange ActiveSync services by using the Publish New Application Wizard. The ActiveSync services must use preauthentication. How should you configure Server1’s preauthentication method and preauthentication type?
A. Configure the Active Directory Federation Services (AD FS) preauthentication method and the OAuth2 preauthentication type.
B. Configure the pass-through preauthentication method and the Web/MS-OFBA preauthentication type.
C. Configure the pass-through preauthentication method and the HTTP Basic preauthentication type.
D. Configure the Active Directory Federation Services (AD FS) preauthentication method and the HTTP Basic preauthentication type.

A

D. Publishing Exchange ActiveSync through WAP requires the Active Directory Federation Services (AD FS) preauthentication method with the HTTP Basic preauthentication type. HTTP Basic is only offered under AD FS preauthentication; pass-through simply forwards requests to the backend without preauthenticating anything, so it is not a valid combination with HTTP Basic. ActiveSync clients authenticate with an HTTP Basic header and cannot follow the redirects used for browser sign-in, so WAP takes the credentials from that header, obtains a token from AD FS on the user's behalf, caches it and serves subsequent requests from the cache. For this to work, the application is registered in AD FS as a non-claims-aware relying party trust.

7
Q
You are the administrator for your company network. Your network contains an Active Directory forest, which contains a member server named Server1 that runs Windows Server 2016. Server1 is located in the perimeter network. You install the Active Directory Federation Services (AD FS) server role on Server1. You create an AD FS farm by using a certificate that has a subject name of adfs.abc.com. What inbound TCP ports should you open on the firewall if you need to enable certificate authentication from the Internet on Server1? (Choose two.)
A. 389 
B. 443 
C. 3389 
D. 8531 
E. 49443
A

B, E. AD FS listens on TCP 443 for the normal HTTPS endpoints and on TCP 49443 for certificate (smart card or user certificate) authentication, because negotiating a client certificate needs its own TLS endpoint. Both ports must therefore be reachable from the Internet, whether Server1 is exposed directly or published through a Web Application Proxy (WAP). Ports 389 (LDAP), 3389 (RDP) and 8531 (WSUS over HTTPS) have nothing to do with federation and should not be opened. Once a farm runs at the Windows Server 2016 farm behavior level, certificate authentication can alternatively be bound to port 443 on a separate host name, but the default is still 49443.

8
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that has the Web Application Proxy (WAP) role service installed. You publish an application named App1 by using the WAP. What cmdlet should you run if you need to change the URL that users use to connect to App1 when they work remotely?
A. Set-WebApplicationProxyConfiguration -ID 874A4543-77A3-1E6D-1163E7419AC1 -ADFSUrl https://abc.com/
B. Set-WebApplicationProxySslCertificate -ID 874A4543-77A3-1E6D-1163E7419AC1 -BackendServerUrl https://abc.com/
C. Set-WebApplicationProxyApplication -ID 874A4543-77A3-1E6D-1163E7419AC1 -ExternalUrl https://abc.com/
D. Set-WebApplicationProxy -ID 874A4543-77A3-1E6D-1163E7419AC1 -InternalUrl https://abc.com/

A

C. The Set-WebApplicationProxyApplication cmdlet modifies settings of a web application published through Web Application Proxy. Specify the web application to modify by using its ID. The -ID parameter specifies the GUID of a web application. The -ExternalUrl parameter specifies the external address, as a URL, for the web application. Include the trailing slash (/).

9
Q

You are the administrator for your company network. Your network contains an Active Directory domain. What should you use if you need to create a Central Store for Group Policy Administrative Template files?
A. Server Manager
B. File Explorer
C. dcgpofix.exe
D. Group Policy Management Console (GPMC)

A

B. Administrative Template files come in pairs: language-neutral .admx files and language-specific .adml files. Windows uses a Central Store in SYSVOL so that every Group Policy administrator edits from the same set of templates instead of whatever happens to be on the local machine. To create it, use File Explorer to create a folder named PolicyDefinitions under \\<domain>\SYSVOL\<domain>\Policies, copy the .admx files into it and the .adml files into a language subfolder such as en-US. GPMC then reads the templates from the Central Store automatically; it does not create the store itself.

10
Q
You are the administrator for your company network. You have a Windows Server 2016 server named Server1. You need to configure Server1 as a Web Application Proxy (WAP). Which server role or role service should you install on Server1?
A. Active Directory Federation Services 
B. DirectAccess and VPN (RAS)
C. Remote Access
D. Web Server (IIS)
A

C. To use the WAP, you must install the Remote Access role. One of the advantages of using the Remote Access role service in Windows Server 2016 is the WAP. Normally, your users access applications on the Internet from your corporate network. The WAP reverses this feature, and it allows your corporate users to access applications from any device outside the network.

11
Q

You are the administrator for your company network. Your network contains an Active Directory domain. You plan to deploy a Windows 2016 Active Directory Federation Services (AD FS) farm that will contain eight federation servers. You need to identify which technology or technologies must be deployed on the network before you install the federation servers. Which technology or technologies should you identify?
A. Microsoft Forefront Identity Manager 2010
B. Microsoft SQL Server 2016
C. Network Load Balancing (NLB)
D. Windows Internal Database feature
E. The Windows Identity Foundation 3.5 feature

A

B. The AD FS configuration database stores all of the configuration data: the information the Federation Service needs to identify partners, certificates, attribute stores, claims and so on. It can be kept either in the Windows Internal Database (WID) feature that ships with Windows Server 2008/2008 R2, 2012/2012 R2 and 2016, or in Microsoft SQL Server. WID is limited to five federation servers per farm in AD FS 2.0 and to 30 in AD FS on Windows Server 2012 R2 and 2016 (and only if there are no more than 100 relying party trusts), and it cannot provide SAML artifact resolution or token replay detection. A farm that exceeds those limits or needs those features must use SQL Server, which therefore has to be in place before the first federation server is installed; NLB, Forefront Identity Manager and Windows Identity Foundation are not prerequisites.

12
Q

You are the administrator for your company network. Your network contains an Active Directory forest. Your company has a custom application named CustomApp1. CustomApp1 uses an Active Directory Lightweight Directory Services (AD LDS) server named Server1
to authenticate users. You have a Windows Server 2016 member server named Server2.
You install the Active Directory Federation Services (AD FS) server role on Server2 and create an AD FS farm. What two cmdlets should you run if you need to configure AD FS
to authenticate users from the AD LDS server? (Choose two.)
A. You should run the Add-AdfsRelyingPartyTrust and Set-AdfsEndpoint cmdlets.
B. You should run the New-AdfsLdapServerConnection and
Add-AdfsLocalClaimsProviderTrust cmdlets.
C. You should run the Set-AdfsEndpoint and Enable-AdfsRelyingPartyTrust
cmdlets.
D. You should run the Enable-AdfsRelyingPartyTrust and
New-AdfsLdapServerConnection cmdlets.

A

B. The New-AdfsLdapServerConnection cmdlet creates a connection object that describes how AD FS reaches an LDAP directory (host, port, TLS mode and bind credentials). The Add-AdfsLocalClaimsProviderTrust cmdlet then registers that directory with the Federation Service as a local claims provider trust, a trust object that represents an LDAP directory in your AD FS farm and lets AD FS authenticate its users directly. (Add-AdfsClaimsProviderTrust, by contrast, adds a trust to another federation provider, not to an LDAP store.) So to authenticate users from the AD LDS instance, you first create the connection with New-AdfsLdapServerConnection and then register it with Add-AdfsLocalClaimsProviderTrust. The relying party trust and endpoint cmdlets in the other options describe applications that consume claims, not directories that supply them.
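The two cmdlets in sequence, with the attribute mappings that a real trust needs, as an added example that is not from the original card. The host name, port, containers, account suffix and attribute names are assumptions.

```powershell
# Added example (not from the card): connect AD FS on Server2 to the AD LDS instance on Server1
# and register it as a local claims provider trust. Host name, port, containers, suffix and the
# attribute names are assumptions for illustration.

# Service account AD FS uses to bind to AD LDS and search for users.
$bindCred = Get-Credential -Message 'AD LDS bind account (e.g. CN=adfs-svc,CN=Users,...)'

# Use LDAPS (636) so user passwords never cross the wire in clear text during authentication.
$ldapConn = New-AdfsLdapServerConnection -HostName 'server1.abc.com' -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $bindCred

# Map AD LDS attributes to the claim types relying parties expect.
$claimMap = @(
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'displayName' `
        -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'mail' `
        -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
)

# Acceptance rule: pass every mapped claim through. Tighten this if RPs should see only a subset.
$issueAll = 'c:[] => issue(claim = c);'

Add-AdfsLocalClaimsProviderTrust -Name 'CustomApp1 AD LDS' -Identifier 'urn:abc:adlds:customapp1' `
    -Type Ldap `
    -LdapServerConnection $ldapConn `
    -UserObjectClass 'user' `
    -UserContainer 'CN=Users,DC=customapp1,DC=abc,DC=com' `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute 'userPrincipalName' `
    -AnchorClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' `
    -LdapAttributeToClaimMapping $claimMap `
    -AcceptanceTransformRules $issueAll `
    -OrganizationalAccountSuffix 'customapp1.abc.com' `
    -Enabled $true

# Verify the trust was created and which suffix routes sign-ins to it.
Get-AdfsLocalClaimsProviderTrust -Name 'CustomApp1 AD LDS' |
    Format-List Name, Identifier, Enabled, OrganizationalAccountSuffix, AnchorClaimType
```

The OrganizationalAccountSuffix is what AD FS uses at sign-in to decide that a user typing jdoe@customapp1.abc.com belongs to the LDAP store rather than to the AD domain, so it must not collide with an existing UPN suffix in the forest.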

13
Q

You are the administrator for your company network. You are deploying a web application named WebApp1 to your internal network. WebApp1 is hosted on a Windows Server
2016 server named Web1. You deploy an Active Directory Federation Services (AD FS) infrastructure and a Web Application Proxy (WAP) to provide access to WebApp1 for remote users. What should you do if you need to ensure that Web1 can authenticate the remote users?
A. Publish WebApp1 by using pass-through preauthentication.
B. Publish WebApp1 by using AD FS preauthentication.
C. Publish WebApp1 by using client certificate preauthentication.
D. Publish WebApp1 as a Remote Desktop Gateway (RD Gateway) application in the Web Application Proxy.

A

A. With pass-through preauthentication, WAP acts as a plain reverse proxy: users are not asked for credentials at the proxy and the request is forwarded to Web1, which performs the authentication itself. AD FS, client certificate and RD Gateway publishing all authenticate at the proxy or at AD FS before the request reaches the backend, which is not what the question asks for.

14
Q

You are the administrator for your company network. The network contains an Active Directory domain. The domain contains an Active Directory Federation Services (AD FS) server named Server1. On a stand-alone server named Server2, you install and configure the Web Application Proxy (WAP). You have an internal web application named WebApp1. AD FS has a relying party trust for WebApp1. You need to provide external users with access
to WebApp1. What tool should you use to publish WebApp1 if authentication to WebApp1 must use AD FS preauthentication?
A. On Server1, use AD FS Management.
B. On Server1, use Remote Access Management.
C. On Server1, use Routing and Remote Access.
D. On Server2, use AD FS Management.
E. On Server2, use Remote Access Management.

A

E. AD FS preauthentication requires the user to authenticate directly with the AD FS server. After the AD FS authentication happens, WAP then redirects the user to the published web application. This guarantees that traffic to your published web applications is authenticated before a user can access them. You will do this using the Remote Access Management console.

15
Q

You are the administrator for your company network. You and a colleague are discussing certificates for AD FS. You store AD FS servers in an OU named Federation Servers. You want to auto-enroll the certificates used for AD FS. Which certificates should you add to the GPO?
A. The Certificate Authorities (CA) certificate of the forest
B. The SSL certificate assigned to the AD FS servers
C. The third-party (VeriSign, Entrust) Certificate Authorities (CA) certificate
D. The Token Signing certificate assigned to the AD FS servers

A

A. The forest's Certificate Authority (CA) certificate should be added to the GPO. Of the certificates listed, the forest CA certificate is the only one that domain members trust automatically, that requires no user interaction to deploy and that does not change in this scenario. CAs issue certificates, revoke certificates they have issued and publish certificates for their clients.

16
Q

You are the administrator for your company network. You have an internal web server that hosts websites. The websites use HTTP and HTTPS. You deploy a Web Application Proxy (WAP) to your perimeter network. You need to ensure that users from the Internet can access the websites by using HTTPS only. What actions should you perform if you want Internet access to the websites to use the WAP? (Choose two.)
A. Publish the websites from the Remote Access Management console. Configure pass-through authentication and select Enable HTTP to HTTPS redirection.
B. Using OAuth2, configure the WAP to perform preauthentication.
C. Create DNS entries that point to the private IP address of the web server on the external DNS name servers.
D. Enable HTTP Redirect on the WAP server from the web server.
E. Create DNS entries that point to the public IP address of the WAP on the external DNS name servers.

A

A, E. Two things are needed for Internet users to reach the sites through the proxy: the sites must be published, and external DNS must lead users to the proxy. So you publish the websites from the Remote Access Management console with pass-through authentication and select Enable HTTP to HTTPS redirection, which makes WAP answer plain-HTTP requests with a redirect to the HTTPS URL instead of proxying them in clear text. You also create DNS records on the external name servers that point to the public IP address of the WAP; records pointing to the web server's private address would be unreachable from the Internet and would bypass the proxy. OAuth2 preauthentication is for clients that obtain AD FS tokens, not for generic websites, and the redirect is a setting on the WAP publishing rule, not something configured from the web server.
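The same publishing done from PowerShell, including the external-URL change asked about in card 8 and a check that nothing was left published over plain HTTP, as an added example that is not from the original card. The host names, certificate subject and application name are assumptions.

```powershell
# Added example (not from the card): publish an internal site through WAP with pass-through
# preauthentication and HTTP-to-HTTPS redirection, then change its external URL.
# Host names, certificate subject and application name are assumptions for illustration.

$ExternalUrl = 'https://www1.abc.com/'      # what Internet users type; keep the trailing slash
$BackendUrl  = 'https://web1.abc.local/'    # the internal site; use HTTPS to the backend as well
$CertThumb   = (Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Subject -like 'CN=www1.abc.com*' }).Thumbprint

# Pass-through: WAP does not preauthenticate, Web1 does. EnableHTTPRedirect (Windows Server 2016)
# answers port-80 requests with a redirect to the HTTPS external URL instead of proxying them.
Add-WebApplicationProxyApplication -Name 'Corp Websites' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl $ExternalUrl `
    -BackendServerUrl $BackendUrl `
    -ExternalCertificateThumbprint $CertThumb `
    -EnableHTTPRedirect:$true

# Inspect the published application. Set-WebApplicationProxyApplication keys on the ID.
$app = Get-WebApplicationProxyApplication -Name 'Corp Websites'
$app | Format-List Name, ID, ExternalUrl, BackendServerUrl, ExternalPreauthentication, EnableHTTPRedirect

# Later, move the site to a new external name. The certificate bound to the application must
# cover the new host name, so pass a new thumbprint too if the existing one does not.
Set-WebApplicationProxyApplication -ID $app.ID -ExternalUrl 'https://portal.abc.com/'

# Sanity check across all published applications: nothing should be reachable over plain HTTP.
Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalUrl -notlike 'https://*' } |
    ForEach-Object { Write-Warning "Published over HTTP: $($_.Name) -> $($_.ExternalUrl)" }
```

The external DNS record for www1.abc.com (and later portal.abc.com) must resolve to the WAP's public address; the cmdlets above do not touch DNS.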

17
Q

You are the administrator for your company network. You use Application Request Routing (ARR) to make internal web applications available to the Internet by using NTLM authentication. What server role should you deploy first if you need to replace ARR by using Web Application Proxy (WAP)?
A. Active Directory Lightweight Directory Services (AD LDS)
B. Active Directory Rights Management Services (AD RMS)
C. Active Directory Federation Services (AD FS)
D. Active Directory Certificate Services (AD CS)

A

C. To install WAP, you must first deploy Active Directory Federation Services (AD FS), because WAP registers itself with a federation server during its configuration and, for AD FS preauthentication, relies on it for sign-in. AD FS is Microsoft's claims-based identity solution, giving browser-based clients (inside or outside your network) transparent access to one or more protected Internet-facing applications. WAP functions as the AD FS federation server proxy and provides reverse proxy functionality for web applications inside your corporate network so that users on any device can reach them from outside the corporate network.

18
Q
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains an Active Directory Federation Services (AD FS) server named ADFS1, a Web Application Proxy (WAP) server named WAP1, and a web server named Web1. You need to publish a website on Web1 by using the WAP. Users will authenticate by using OAuth2 preauthentication. What should you do first?
A. Add site bindings on Web1.
B. Add a claims provider trust on ADFS1.
C. Add handler mappings on Web1.
D. Enable an endpoint on ADFS1
A

B. A claims provider is a federation server that processes trusted identity claims requests. A federation server processes requests to issue, manage, and validate security tokens. Security tokens consist of a collection of identity claims, such as a user's name or role or an anonymous identifier.

19
Q
You are the administrator for your company network. Your network contains an Active Directory forest. You have an Active Directory Federation Services (AD FS) farm. The farm contains a Windows Server 2012 R2 server named Server1. You add a Windows Server 2016 server named Server2 to the farm. You remove Server1 from the farm. What cmdlet should you run if you need to ensure that you can use role separation to manage the farm?
A. Invoke-AdfsFarmBehaviorLevelRaise 
B. Set-AdfsProperties
C. Set-AdfsFarmInformation
D. Update-AdfsRelyingPartyTrust
A

A. To upgrade the farm behavior level (FBL) from Windows Server 2012 R2 to Windows Server 2016, use the Invoke-AdfsFarmBehaviorLevelRaise cmdlet. It raises the behavior level of an Active Directory Federation Services (AD FS) farm so that the features introduced in the newer version become available. One of those features is role separation between server administrators and AD FS service administrators. Raising the FBL is only possible once every node runs Windows Server 2016, so after Server1 has been removed from the farm it is the last step, and the one that enables role separation.

20
Q

You are the administrator for your company network. Your network contains an Active Directory forest that contains an Active Directory Federation Services (AD FS) deployment. The AD FS deployment contains the following:
You create a Microsoft Office 365 tenant named abc.onmicrosoft.com.
You use Microsoft Azure Active Directory Connect (AD Connect) to synchronize all of the users and the UPNs from the abc.com forest to Office 365.
You need to configure federation between Office 365 and the on-premises deployment of
Active Directory. Which commands should you run from Server1? (Choose all that apply.)
A. Connect-MsolService
B. Convert-MsolDomainToFederated -DomainName abc.com
C. Convert_MsolDomainToFederated -DomainName adfs.abc.com
D. Enter-PSSession -Name Office365
E. Set-MsolADFSContext -Computer server1.abc.com
F. Set-MsolADFSContext -Computer abc.com

A

A, B, E. You would do them in this order: A, E, B.
The Connect-MsolService cmdlet attempts to initiate a connection to Azure Active Directory. The Set-MsolADFSContext cmdlet sets the credentials to connect to Microsoft Online and to the Active Directory Federation Services (AD FS) server.
The -Computer parameter specifies the computer name of the primary AD FS server. The Convert-MSOLDomainToFederated cmdlet converts the specified domain from standard authentication to Single Sign-On. The -DomainName parameter specifies the name of the domain to convert to Single Sign-On.

21
Q
You are the administrator for your company network. You need to see all of the location sets for the CRL Distribution Point (CDP). What PowerShell cmdlet would you use?
A. Add-CACrlDistributionPoint 
B. Get-CACrlDistributionPoint 
C. See-CACrlDistributionPoint 
D. View-CACrlDistributionPoint
A

B. Administrators can use the Get-CACrlDistributionPoint cmdlet to view all the locations set for the CRL distribution point (CDP). The Get-CACRLDistributionPoint cmdlet gets all the locations set on the CDP extension of the certification authority (CA) properties.

22
Q

You are the administrator for your company network. The network contains an Active Directory domain. A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS) on a server named Server1. After the Proof of Concept was complete, the AD RMS server role was removed. You attempt to deploy AD RMS. During the configuration you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found. What should you do if you need to ensure that clients will only attempt to establish connections to the new AD RMS deployment?
A. Increase the priority of the DNS records for the new deployment of AD RMS from DNS.
B. Remove the computer object for Server1 from Active Directory.
C. Remove the records for Server1 from DNS.
D. Remove the SCP from Active Directory.

A

D. The AD RMS Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS–enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. Only one SCP can exist in your Active Directory forest. If you try to install AD RMS and an SCP already exists in your forest from a previous AD RMS installation that was not properly removed, the new SCP will not install properly. The pre-existing SCP must be removed before you can establish the new SCP.

23
Q

You are the administrator for your company network. The network contains an Active Directory domain. The domain contains an Active Directory Rights Management Services (AD RMS) cluster and a certification authority (CA). What should you do if you need to ensure that all the documents that are protected by using AD RMS can be decrypted if the account used to encrypt the documents is deleted?
A. Configure super users in the AD RMS deployment.
B. Manually configure the AD RMS cluster key password.
C. On the CA, configure key archival.
D. Using Windows Server Backup, back up the AD RMS–protected files.

A

A. The AD RMS super user group is a special group that has full control over all rights- protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured.

24
Q

You are the administrator for your company network. You deploy a new Enterprise Certification Authority (CA) named CA1. You plan to issue certificates based on the User certificate template. What should you do first if you need to ensure that the issued certificates are valid for two years and support auto-enrollment?
A. Add a new certificate template for CA1 to issue.
B. Duplicate the User certificate template.
C. Modify the Request Handling settings for the CA.
D. Run the certutil.exe command and specify the resubmit parameter.

A

B. Since you are planning to issue certificates based on a User certificate template, you need to first copy that template so that you can alter it to the new settings. The built-in templates support auto-enrollment. You need to duplicate the template and then modify the permissions on the new template.

25
Q
You are the administrator for your company network. You need to ensure that clients check at least every 30 minutes as to whether a certificate has been revoked. Which of the following should you configure to accomplish this goal?
A. Certificate templates
B. CRL publication interval
C. Delta CRL publication interval 
D. Key recovery agent
A

C. A delta CRL is a Certificate Revocation List (CRL) that lists only the certificates revoked since the last base CRL was published, so it is small and can be published often while the base CRL keeps a long period. The delta CRL publication interval on the CA controls how often a new delta CRL is issued, and the delta's validity (its Next Update time) is derived from that interval. Clients cache a CRL until Next Update, so setting the delta interval to 30 minutes is what makes clients re-check revocation at least that often. Certificate templates and the key recovery agent have nothing to do with revocation checking, and shortening the base CRL interval to 30 minutes would mean republishing the full list every half hour.
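Setting that interval on the CA, republishing, and then listing the CDP locations with Get-CACrlDistributionPoint (the cmdlet from card 21) to confirm clients can actually fetch the delta, as an added example that is not from the original cards. The CA name in the file path is an assumption.

```powershell
# Added example (not from the cards): shorten the delta CRL publication interval to 30 minutes,
# republish, and confirm the CDP locations clients will use. Run on the CA from an elevated prompt.
# The CA name in the file path is an assumption for illustration.

# Delta CRL interval. The base CRL period stays long (e.g. a week); the delta is what clients
# re-fetch often. Clients cache a CRL until Next Update, so this is the real revocation latency.
certutil -setreg CA\CRLDeltaPeriodUnits 30
certutil -setreg CA\CRLDeltaPeriod "Minutes"

# Overlap extends Next Update slightly past the next publication so a late publish does not
# leave clients with an expired CRL. It must be shorter than the period itself.
certutil -setreg CA\CRLDeltaOverlapUnits 10
certutil -setreg CA\CRLDeltaOverlapPeriod "Minutes"

Restart-Service -Name CertSvc   # registry changes take effect on service restart
certutil -crl                   # publish a new base+delta pair now instead of waiting

# Where will clients look? A delta CRL is useless unless a CDP location is included in
# certificates (AddToCertificateCdp), carries the delta (PublishDeltaToServer) and is marked
# as the Freshest CRL location (AddToFreshestCrl). The HTTP location must be reachable from
# every client, including those outside the network.
Get-CACrlDistributionPoint |
    Select-Object Uri, PublishToServer, PublishDeltaToServer, AddToCertificateCdp, AddToFreshestCrl |
    Format-Table -AutoSize

# Confirm the published delta CRL's validity window reflects the new interval.
# Delta CRL files are named <CAName>+.crl in the CertEnroll folder.
certutil -dump 'C:\Windows\System32\CertSrv\CertEnroll\ABC-CA+.crl' |
    Select-String 'ThisUpdate|NextUpdate'
```

If any CDP row shows PublishDeltaToServer without a matching AddToFreshestCrl, clients will never learn that a delta exists and will fall back to the base CRL's (much longer) interval.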

26
Q
You are the administrator for your company network. You install and configure four Windows Server 2016 servers as an AD FS server farm. The AD FS configuration database is stored in a Microsoft SQL Server database. You need to ensure that AD FS will continue to function in the event of an AD FS server failure. You also need to ensure that all four servers in the AD FS farm will actively perform AD FS functions. What should you include in your solution?
A. Network Load Balancing
B. Windows Failover Clustering
C. Windows Identity Foundation 3.5
D. Web Proxy Server
A

A. Network Load Balancing (NLB) is the Microsoft-supplied way to give an AD FS farm high availability: every node behind the load balancer answers requests, so all four servers are active, and the loss of one node only removes it from the pool. Windows Failover Clustering is not supported for AD FS; the farm already has its own model in which one primary server writes to the configuration database and the others read from it, so there is nothing for a cluster to fail over. Windows Identity Foundation is a developer library, and a Web Proxy server publishes the farm but does not make it redundant.

27
Q
You are the administrator for your company network. Which of the following CA types would you deploy if you wanted to deploy a CA at the top of a hierarchy that could issue signing certificates to other CAs and then would be taken offline if not issuing, renewing, or revoking signing certificates?
A. Enterprise root
B. Enterprise subordinate 
C. Stand-alone root
D. Stand-alone subordinate
A

C. You can take a stand-alone root CA offline and it functions as the top of a CA hierarchy. A stand-alone root CA is also the topmost CA in the certificate chain. A stand-alone root CA is not dependent on Active Directory and can be removed from the network. This makes a stand-alone root CA the solution for implementing a secure offline root CA.

28
Q

You are the administrator for your company network. Your network contains an Active Directory domain. Domain users use smartcards to sign in to their client computers. Several users report that it takes a long time to sign in to their computers and that the logon attempt times out, so they must restart the sign-in process. You discover that the issue is with checking the Certificate Revocation List (CRL) of the smartcard certificates. What should you do if you need to resolve the issue without reducing the security of the smartcard logons?
A. Implement an Online Certificate Status Protocol (OCSP) responder.
B. Modify the Request Handling settings from the properties of the smartcard's certificate template.
C. Modify the Issuance Requirements settings from the properties of the smartcard's certificate template.
D. On the computers, deactivate certificate revocation checks.

A

A. Online Certificate Status Protocol (OCSP) is a lightweight HTTP protocol that responds more quickly and efficiently than downloading a traditional CRL. An online responder is a trusted server that receives and responds to individual client requests for the status of a certificate. An OCSP responder retrieves CRLs and provides digitally signed real-time certificate revocation status responses to clients based on a given certificate authority's CRL.

29
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Rights Management Services (AD RMS). How many AD RMS root clusters can you have per Active Directory forest?
A. 1
B. 2
C. 5
D. Unlimited
A

A. There can be only one Active Directory Rights Management Services (AD RMS) root cluster per Active Directory forest. After a root cluster is deployed, there is the option of installing additional licensing-only clusters, which issue licenses to clients for publishing their content.

30
Q

You are the administrator for your company network. You have an Enterprise Certification Authority (CA) named CA1. Recovery agents are configured for CA1. You duplicate the User certificate template and name it Temp_User. You plan to issue the certificates based on Temp_User to provide users with the ability to encrypt email messages and files. What should you use if you need to ensure that the recovery agents can access any user-encrypted files and email messages if the users lose their certificates?
A. Configure the Key Recovery Agent template as a certificate template to issue on CA1.
B. Issue a certificate based on a Key Recovery Agent certificate.
C. Modify the Recovery Agents settings for CA1.
D. Modify the Request Handling settings for Temp_User.

A

D. Key recovery is enabled per certificate template. On the Request Handling tab of Temp_User in the Certificate Templates console, select Archive subject's encryption private key. Because recovery agents are already configured on CA1, the private key of every certificate enrolled from the template is then encrypted to the Key Recovery Agent certificates and stored in the CA database, where a certificate manager can later extract it with certutil -getkey and a KRA holder can decrypt it with certutil -recoverkey. Options A through C only provision or configure the recovery agents themselves, which the question states is already done; without the template setting nothing is archived and there is nothing to recover.
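The checks and the recovery itself, as an added example that is not from the original card: confirm KRAs are present, confirm the template really archives keys, then recover a user's key. The user name, template name and output paths are assumptions.

```powershell
# Added example (not from the card): confirm key archival is live on CA1 and recover a key.
# Run on the CA as a certificate manager; the recovery step also needs access to a KRA private key.
# The user name and output paths are assumptions for illustration.

# 1. The CA must already have KRAs configured (Recovery Agents tab). KRACertCount > 0 shows that.
certutil -getreg CA\KRACertCount

# 2. Per template, "Archive subject's encryption private key" on the Request Handling tab is what
#    escrows the key at enrolment. It is stored in the template's msPKI-Private-Key-Flag attribute
#    as bit 0x1 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL).
$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tmpl = Get-ADObject -LDAPFilter '(cn=Temp_User)' -SearchBase $templatesDn `
    -Properties 'msPKI-Private-Key-Flag'
if (($tmpl.'msPKI-Private-Key-Flag' -band 0x1) -eq 0) {
    Write-Warning 'Temp_User does not archive private keys; certificates it issues cannot be recovered.'
}

# 3. Recovery when a user loses the certificate: export the archived, KRA-encrypted blob by UPN
#    (a serial number or thumbprint also works), then decrypt it with the KRA key into a PFX.
certutil -getkey 'jdoe@abc.com' 'C:\Recovery\jdoe.bin'
certutil -recoverkey 'C:\Recovery\jdoe.bin' 'C:\Recovery\jdoe.pfx'

# certutil prompts for a PFX password. Hand the PFX over out of band and remove the blob.
Remove-Item 'C:\Recovery\jdoe.bin'
```

Key recovery is deliberately a two-person operation: the certificate manager who runs -getkey cannot read the blob, and the KRA holder who runs -recoverkey needs the blob from the CA. Keep those roles on separate people.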

31
Q
You are the administrator for your company network. You have a server that is configured as a hosted BranchCache server. You discover that a Service Connection Point (SCP) is missing for the BranchCache server. What should you run to register the SCP?
A. Enable-BCHostedServer 
B. ntdsutil.exe
C. Reset-BC
D. setspn.exe
A

A. To configure the computer as a hosted cache server after the BranchCache feature is installed, and to register an SCP in AD DS, use the Enable-BCHostedServer PowerShell cmdlet with its -RegisterSCP switch. The cmdlet configures BranchCache to operate in hosted cache server mode; with -RegisterSCP it also publishes the service connection point in AD DS so that clients can discover the hosted cache server automatically.

32
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains an Active Directory Federation Services (AD FS) farm. You install Windows Server 2016 on a server named Server2. What cmdlets should you run if you need to configure Server2 as a node in the federation server farm?
A. Install-AdfsFarm and New-AdfsOrganization
B. Install-WindowsFeature and Install-AdfsFarm
C. Install-Package and Set-AdfsFarmInformation
D. Install-AdfsFarm and Set-AdfsProperties

A

B. Install-WindowsFeature installs one or more roles, role services, or features (here the ADFS-Federation role service) on the local server or a specified remote server running Windows Server 2016. Of the cmdlets offered, Install-AdfsFarm is the only one that configures a federation server; note, however, that it creates the first node of a new federation server farm. To join a server to an already existing farm, the cmdlet is Add-AdfsFarmNode (card 60), which is not among the options here.

33
Q

You are the administrator for your company network. You and a colleague are discussing Active Directory Certificate Services (AD CS). The AD CS role provides six role services to issue and manage public key certificates in an enterprise environment. Which one receives revocation status requests for specific certificates, looks up the status of those certificates, and then returns a signed response with the requested certificate status information?
A. Certificate Authority (CA)
B. Certificate Enrollment Web Services (CES)
C. Online Responder
D. Web Enrollment

A

C. The Online Responder service receives revocation status requests for specific certificates, looks up the status of those certificates, and returns a signed response containing the requested status information. Instead of downloading a potentially large CRL, a client sends a request for a single certificate to the Online Certificate Status Protocol (OCSP) responder. One Online Responder can serve the revocation status for one or several CAs; its responses are signed with an OCSP Response Signing certificate issued by the CA whose certificates it reports on, which is what lets the client trust the answer.

34
Q

You are the administrator for your company network. You have an Enterprise Certification Authority (CA) named CA1 that has a certificate template named CertTemplate that is based on a User certificate template. Domain users are configured to auto-enroll CertTemplate. A user named User1 has an email address defined in Active Directory and a user named User2 does not. You discover that User1 was issued a certificate based on the template automatically. A request by User2 for a certificate based on the template fails. You need to ensure that all users can auto-enroll for certificates based on the template. What setting should you configure from the properties on the CertTemplate certificate template?
A. Cryptography
B. Issuance Requirements
C. Request Handling
D. Subject Name

A

D. Auto-enrollment from an enterprise CA builds the certificate subject from the Active Directory user object, and a template copied from the User template includes the e-mail name both in the subject name and in the subject alternative name. If the E-mail attribute of the user object is empty, the CA cannot build the subject and the request fails, which is exactly what happens to User2. On the Subject Name tab of CertTemplate, clear Include e-mail name in subject name and clear E-mail name under Include this information in alternate subject name; users without an e-mail address can then auto-enroll. Keep in mind that a certificate issued without an e-mail name cannot be matched to that user's address by S/MIME clients.

35
Q

You are the administrator for your company network. You are looking at installing Active Directory Certificate Services (AD CS). To install AD CS using PowerShell, which command would you use?
A. Get-WindowsFeature adcs-cert-authority -IncludeManagementTools
B. Get-WindowsFeature ad rms-cert-authority IncludeManagementTools
C. Install-WindowsFeature adcs-cert-authority -IncludeManagementTools
D. Install-WindowsFeature ad rms-cert-authority IncludeManagementTools

A

C. To install Active Directory Certificate Services (AD CS) using PowerShell, follow these steps:
1. Open an elevated PowerShell console.
2. Use the Get-WindowsFeature cmdlet to ensure that the Active Directory Certificate Services role's installation state is Available.
3. In the PowerShell console, type the following command and press Enter:
Install-WindowsFeature adcs-cert-authority -IncludeManagementTools
4. Use the Get-WindowsFeature cmdlet to verify the installation. Installing the role service only puts the binaries on the server; the CA itself is configured afterwards with Install-AdcsCertificationAuthority or the post-deployment wizard in Server Manager.
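Added example (not from the study guide): the four steps above as one script, extended to configure the CA with explicit cryptographic settings and to verify the result. It assumes an elevated PowerShell session on a domain-joined Windows Server 2016 run by an Enterprise Admin; the CA name Contoso-Root-CA, the 4096-bit key and the 10-year validity are assumptions.

```powershell
# Added example (not from the study guide): install the CA role service and
# configure an enterprise root CA with explicit cryptographic settings, then
# verify. Elevated session on a domain-joined server; CA name and validity are
# assumptions.
$feature = Get-WindowsFeature -Name ADCS-Cert-Authority
if ($feature.InstallState -ne 'Installed') {
    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
}

# The defaults are RSA 2048 / SHA-256 / 5 years. State the choices explicitly:
# a root key should outlive every certificate it signs, so 4096-bit and 10 years.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Contoso-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Verify: role service installed, service running, CA name and signing hash
(Get-WindowsFeature -Name ADCS-Cert-Authority).Installed
Get-Service -Name certsvc | Select-Object Status, StartType
certutil -cainfo name
certutil -getreg ca\CSP\CNGHashAlgorithm
```

In a production PKI the root is normally a stand-alone CA kept offline and the CA that issues to users and computers is an enterprise subordinate (card 58); the same cmdlet is used with -CAType StandaloneRootCA or EnterpriseSubordinateCA.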

36
Q

You are the administrator for your company network. You plan to implement Active Directory Rights Management Services (AD RMS) across the enterprise. You need to plan the AD RMS cluster installations for the forest. Users in all domains will access AD RMS-protected documents. You need to minimize the number of AD RMS clusters. How many AD RMS root clusters do you require?
A. At least one AD RMS root cluster for the enterprise
B. At least one AD RMS root cluster per forest
C. At least one AD RMS root cluster per domain
D. At least one AD RMS root cluster per Active Directory site
E. An AD RMS root cluster is not required

A

B. An AD RMS root cluster manages all of the AD RMS licensing and certificate provisions for the forest. There can be only one AD RMS root cluster per AD forest, and one root cluster serves every domain in that forest.

37
Q

You are the administrator for your company network. You and a colleague are discussing Active Directory Federation Services (AD FS). What server should you deploy on a perimeter network if you want to configure AD FS?

A. Claims-provider server
B. Federation server
C. Relying Party server
D. Web application proxy

A

D. With the Web Application Proxy, an organization can make on-premises web resources available for external access while managing the risk of that access, because authentication and authorization policies are enforced on the AD FS servers on the internal network. The federation servers themselves stay inside; on the perimeter network you deploy a WAP.

38
Q

You are the administrator for your company network. You have a RADIUS server named RADIUS1. RADIUS1 is configured to use an IP address of 172.23.100.101. You want to add a Wireless Access Point (WAP) named WAP-Secure to your network that uses an IP address of 10.0.100.101. What command should you run if you need to ensure that WAP-Secure can authenticate to RADIUS1 by using a shared secret key?
A. Import-NpsConfiguration -address 10.0.100.101 -name WAP-Secure -SharedSecret “001001001001”
B. New-NpsRadiusClient -address 10.0.100.101 -name WAP-Secure -SharedSecret “001001001001”
C. Import-NpsConfiguration -address 172.23.100.101 -enabled $true -SharedSecret “001001001001”
D. New-NpsRadiusClient -address 172.21.100.101 -name WAP-Secure -SharedSecret “001001001001”

A

B. The New-NpsRadiusClient cmdlet creates a Remote Authentication Dial-In User Service (RADIUS) client. A RADIUS client uses a RADIUS server to handle the authentication, authorization, and accounting requests it forwards. A RADIUS client can be an access server, such as a dial-up server or a wireless access point, or a RADIUS proxy. To add a new RADIUS client, run New-NpsRadiusClient -Address <address> -Name <name> -SharedSecret <secret>. The -Address parameter specifies the fully qualified domain name (FQDN) or IP address of the RADIUS client, which is the access point's own address (10.0.100.101), not the RADIUS server's. The -Name parameter gives the client a name that must be unique. The -SharedSecret parameter is the secret that must also be configured on the RADIUS client; RADIUS uses it to authenticate the client's requests and to obscure the password attribute, so it should be long and random rather than a short fixed value.
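Added example, not from the study guide: registering WAP-Secure with a randomly generated 32-character shared secret instead of a short fixed one like the “001001001001” in the options, then confirming the client exists. It assumes the NPS role is installed and the session is elevated; New-RadiusSharedSecret is a helper written here, not an NPS cmdlet.

```powershell
# Added example (not from the study guide): register the access point as a
# RADIUS client with a random 32-character shared secret, then verify.
# Assumes NPS is installed and the session is elevated. New-RadiusSharedSecret
# is a helper defined here, not an NPS cmdlet.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Alphanumeric only, so the secret pastes cleanly into vendor CLIs.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    $byte  = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($byte)
        # 248 = 4 * 62: discard higher values to avoid modulo bias
        if ($byte[0] -lt 248) { $chars.Add($alphabet[$byte[0] % 62]) }
    }
    -join $chars
}

$secret = New-RadiusSharedSecret
New-NpsRadiusClient -Address '10.0.100.101' -Name 'WAP-Secure' -SharedSecret $secret

# Confirm the client exists and is enabled
Get-NpsRadiusClient | Where-Object Name -eq 'WAP-Secure' |
    Select-Object Name, Address, Enabled

# Enter the same value on the access point, then drop it from the session
Write-Output "Shared secret for WAP-Secure: $secret"
Remove-Variable secret
```

The shared secret is what stops a rogue device on the network from submitting authentication requests as the access point and what protects the User-Password attribute in transit, so each client gets its own secret and it is delivered out of band rather than reused across devices.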

39
Q
You are the administrator for your company network. The network contains two Active Directory forests named abc.com and xyz.com. Each forest contains two sites. Each site contains two domain controllers. What snap-in should you use if you need to configure all the domain controllers in both of the forests as global catalog servers?
A. Active Directory Domains and Trusts 
B. Active Directory Federation Services 
C. Active Directory Sites and Services
D. Active Directory Users and Computers
A

C. Active Directory Sites and Services is the tool for creating and managing Active Directory sites and services that map to an organization's physical network infrastructure. Using this tool, you can create objects called sites, place servers in sites, and create connections between sites, graphically and in much the same way that you create and manage OUs. To make a domain controller a global catalog server, expand the site, expand Servers, expand the server object, open the properties of its NTDS Settings object, and select the Global Catalog check box. Repeat this for each domain controller; because each forest has its own configuration partition, you connect the snap-in to a domain controller in abc.com for its four servers and to one in xyz.com for the other four.

40
Q

You are the administrator for your company network. You have users who access web applications by using HTTPS. The web applications are located on the servers in your perimeter network. The servers use certificates obtained from an enterprise root Certification Authority (CA). The certificates are generated by using a custom template named WebApps. The Certificate Revocation List (CRL) is published to Active Directory. When users attempt to access the web applications from the Internet, they report that they receive a revocation warning message in their web browsers. The users do not receive the message when they access the web applications from the intranet. What should you do if you need to ensure that the warning message is not generated when the users attempt to access the web applications from the Internet?
A. On a server in the perimeter network, install the Certificate Enrollment Web Service role service.
B. On a server in the perimeter network, install the Web Application Proxy role service, then create a publishing point for the CA.
C. Modify the CRL distribution point and then reissue the certificates used by the web application servers.
D. Modify the WebApps certificate template and then issue the certificates used by the web application servers.

A

C. Certificate revocation uses CRLs, which list the certificates that are no longer valid, and CRLs can become large. Clients find the CRL through the CRL Distribution Point (CDP) extension in each issued certificate; the CDP URLs are configured on the CA (a role setting in Windows Server 2016) and may be HTTP, LDAP, FTP or file addresses. Here the CRL is published only to Active Directory, so the web server certificates carry an LDAP CDP that Internet browsers cannot reach; unable to determine revocation status, they warn, while intranet clients that can query AD do not. Add an HTTP CDP on a host reachable from the Internet, publish the CRL there, and then reissue the web server certificates, because the CDP extension is embedded at issuance and the existing certificates keep the old URL.
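Added example (not the study guide's own code) that walks through answer C on the CA: add an Internet-reachable HTTP CDP, publish the CRL to the web server's folder, and verify a reissued certificate with certutil. The hostname pki.contoso.com, the share \\pkiweb\pki$ and the file C:\temp\webapp01.cer are assumptions.

```powershell
# Added example (not from the study guide): add an HTTP CRL distribution point
# that Internet clients can reach, republish the CRL, and check a reissued
# server certificate. Run on the CA; hostname, share and file are assumptions.
Import-Module ADCSAdministration

# Before: typically only the LDAP:/// entry is flagged AddToCertificateCdp,
# so external browsers have no reachable CRL URL and warn.
Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp

# HTTP, not HTTPS: the CRL is signed, and an HTTPS CDP would need its own
# revocation check to validate, which is circular.
$cdp = 'http://pki.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
Add-CACrlDistributionPoint -Uri $cdp -AddToCertificateCdp -AddToFreshestCrl -Force

# Publish the CRL file itself to the folder served by that web server
Add-CACrlDistributionPoint -Uri '\\pkiweb\pki$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -PublishToServer -PublishDeltaToServer -Force

Restart-Service -Name certsvc      # CDP changes take effect after a restart
certutil -crl                      # publish a fresh CRL to every configured location

# The CDP is baked into each certificate at issuance: re-enroll the web servers
# from the WebApps template, then confirm the chain and the URL fetch succeed.
certutil -verify -urlfetch C:\temp\webapp01.cer
```

Run the last check from a machine outside the domain as well; `certutil -verify -urlfetch` resolves the CDP (and AIA) URLs exactly as a browser would, so a failure there reproduces the users' warning before the reissued certificate goes live.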

41
Q

You are the administrator for your company network. You have an Active Directory Rights Management Services (AD RMS) server named Server1 that protects multiple documents. Server1 fails and cannot be recovered. You install the AD RMS server role on a new server named Server2. You restore the AD RMS database from Server1 to Server2. Users report that they fail to open the protected documents and to protect new documents. What should you do if you need to ensure that the users can access the protected content?
A. Create an alias (CNAME) record for Server2 from DNS.
B. Modify the Service Location Record (SRV) for Server1 from DNS.
C. Register a Service Principal Name (SPN) in Active Directory from Server2.
D. Update the Service Connection Point (SCP) for Server1 from Active Directory Rights Management.

A

C. Service Principal Names (SPNs) are registered by services so that clients can identify them in a domain. Before a client can connect to a service, it must compose the SPN for that instance of the service, connect to the service, and present the SPN for authentication via Kerberos. An SPN is a unique identifier of a service instance. An SPN must be registered with Active Directory, which assumes the role of the Key Distribution Center (KDC) in a Windows domain.

42
Q

You are the administrator for your company network. Your network contains an Active Directory forest, abc.com, which contains an Active Directory Rights Management Services (AD RMS) deployment. Your company merges with another company. The new company network contains an Active Directory forest named xyz.com and an AD RMS deployment. What should you do if you need to ensure that users in abc.com can access rights-protected documents sent by the users in xyz.com?
A. From AD RMS in xyz.com, configure abc.com as a trusted publisher domain.
B. From AD RMS in abc.com, configure xyz.com as a trusted user domain.
C. From AD RMS in xyz.com, configure abc.com as a trusted user domain.
D. From AD RMS in abc.com, configure xyz.com as a trusted publisher domain.

A

D. In this scenario, from AD RMS in abc.com, you would configure xyz.com as a trusted publishing domain. Trusted Publishing Domains (TPDs) allow an AD RMS cluster to issue end-use licenses for content that was originally published by a different AD RMS cluster. A TPD does not restrict the applications and distribution channels that clients use to protect and consume content. It also presents two advantages. First, configuring a TPD requires less administrative effort to enable users to protect documents for groups that contain partner users. Second, you do not need to connect to your partner's AD RMS cluster to consume content, reducing network overhead. A TPD allows a cluster to decrypt content it did not publish, so the original cluster does not have to be accessible in order for partner users to consume content. By configuring a TPD, users can still access all documents published by the partner cluster, even after that cluster has been decommissioned.

43
Q
You are the administrator for your company network. You and a colleague are discussing Workplace Join. For Workplace Join to work, a(n)   is placed on the mobile device. AD FS challenges the device as a claims-based authentication to applications or other resources without requiring administrative control of the device. What is being discussed?
A. Application 
B. Certificate 
C. Module
D. Service
A

B. For Workplace Join to work, a certificate is placed on the mobile device. AD FS uses that certificate to authenticate the device and to present device claims to applications and other resources, without the organization taking administrative control of the device. Workplace Join is provided by the Device Registration Service (DRS) included with the Active Directory Federation Services role in Windows Server 2016. When a device is Workplace Joined, DRS registers a device object in Active Directory and places a certificate on the consumer device that represents the device identity. DRS is meant to be reachable both internally and externally.

44
Q

You are the administrator for your company network. The network contains an Active Directory domain. You plan to deploy a new Active Directory Rights Management Services (AD RMS) cluster on a server named Server1. The solution must use the principle of least amount of privilege. What should you do if you need to create the AD RMS service account?
A. In the domain, create a domain user account and add the account to the Account Operators group.
B. On Server1, create a local user account and add the account to the Administrators group.
C. In the domain, create a domain user account and add the account to the Domain Users group.
D. On Server1, create a domain user account and add the account to the Administrators group.

A

C. Considerations for installing AD RMS on Windows Server 2016 include creating an AD RMS service account: a domain user account that has no additional permissions. A plain domain user (a member of Domain Users only) is enough; Account Operators or local Administrators would grant privileges the service does not need. Use a group managed service account so that the account password is managed by Active Directory and does not require a manual change by an administrator. If you are registering the AD RMS Service Connection Point (SCP) during installation, the user account installing AD RMS (not the service account) must be a member of the AD DS Enterprise Admins group or equivalent.

45
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Rights Management Services (AD RMS). What are the three database servers that AD RMS uses? (Choose all that apply.)
A. Configuration Database
B. Directory Services Database
C. Logging Database
D. Remote Database
A

A, B, C. Active Directory Rights Management Services (AD RMS) uses three database servers:
■■ Configuration Database: a critical component of an AD RMS installation. The database stores, shares, and retrieves all configuration data and other data that the service requires to manage account certification, licensing, and publishing services for a whole cluster.
■■ Directory Services Database: contains information about users, identifiers (such as email addresses), security IDs, group membership, and alternate identifiers. This information is a cache of directory services data.
■■ Logging Database: all of the historical data about client activity and license acquisition. For each root or licensing-only cluster, by default AD RMS installs a logging database in the same database server instance that hosts the configuration database.

46
Q

You are the administrator for your company network. Your network contains an enterprise root Certification Authority (CA) named CA1. Multiple computers on the network successfully enroll for certificates that will expire in one year. The certificates are based on a template named CertificateTemplate. The template uses schema version 2. What should you do if you need to ensure that new certificates based on CertificateTemplate are valid for three years?
A. Instruct users to request certificates by running the certreq.exe utility.
B. Instruct users to request certificates by using the Certificates console.
C. Modify the Validity period for the certificate template.
D. Modify the Validity period for the root CA certificate.

A

C. You modify the Validity period on the General tab of the certificate template. The change applies to certificates issued from then on; certificates already issued keep their original dates until they are renewed. Every certificate issued by a CA has a validity period, the time range during which public key infrastructure (PKI) clients accept the certificate as an authoritative credential for the identity stated in its subject. Two other limits still apply: the CA caps the lifetime of anything it issues at its own ValidityPeriod setting (certutil -getreg ca\ValidityPeriod and ca\ValidityPeriodUnits, two years by default on an enterprise CA), so that must be raised to at least three years as well, and no issued certificate can outlive the CA's own certificate.

47
Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains an enterprise Certification Authority (CA) named CA1. You duplicate the Computer Certificate template and you name the template CA_Computers. What should you do if you need to ensure that all of the certificates issued based on CA_Computers have a key size of 4,096 bits?
A. Modify the Security settings from the properties of CA1.
B. Modify the Request Handling settings from the properties of CA1.
C. Modify the Key Attestation settings from the properties of the Computer template.
D. Modify the Cryptography settings from the properties of Cert_Computers.

A

D. To manage certificate templates, open the CA console, right-click Certificate Templates, and select Manage. Key size is set in the Cryptography settings of the template. On the Cryptography tab, you choose the minimum key size and the provider: a Cryptographic Service Provider (CSP) or, for version 3 templates, a Key Storage Provider (KSP). The provider is the library that implements the algorithms used to generate the key pair and to encrypt, decrypt, and sign. Because the minimum is enforced by the CA at enrollment, a request with a smaller key is rejected. For this scenario, you modify the Cryptography settings of the duplicated template (CA_Computers in the question, written Cert_Computers in option D), not of the original Computer template or of CA1.
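Added example (not from the study guide) that audits, for cards 30, 46 and 47 together, what a template actually has set: the private-key archival flag (Request Handling tab), the validity period (General tab) and the minimum key size (Cryptography tab), read from the template object in the configuration partition instead of the GUI. It assumes the ActiveDirectory module; the template names are the ones the cards use, the attribute and flag names are from MS-CRTD, and Get-TemplateKeySettings is a helper defined here.

```powershell
# Added example (not from the study guide): read a template's key-archival
# flag, minimum key size and validity period from AD. Assumes the
# ActiveDirectory module; template names are the cards' placeholders.
Import-Module ActiveDirectory

function Get-TemplateKeySettings {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tmpl = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" `
                -Properties 'msPKI-Private-Key-Flag','msPKI-Minimal-Key-Size','pKIExpirationPeriod'
    if (-not $tmpl) { throw "Template '$TemplateName' not found under $base" }

    # CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (0x1) in msPKI-Private-Key-Flag is the
    # "Archive subject's encryption private key" box on Request Handling (MS-CRTD).
    $archive = [bool]($tmpl.'msPKI-Private-Key-Flag' -band 0x1)

    # pKIExpirationPeriod is a negative 64-bit interval in 100 ns ticks.
    $ticks = [BitConverter]::ToInt64([byte[]]$tmpl.pKIExpirationPeriod, 0)
    $validityDays = [TimeSpan]::FromTicks(-$ticks).TotalDays

    [pscustomobject]@{
        Template          = $TemplateName
        ArchivePrivateKey = $archive                         # card 30
        ValidityDays      = [math]::Round($validityDays)     # card 46 (1095 = 3 years)
        MinimalKeySize    = $tmpl.'msPKI-Minimal-Key-Size'   # card 47 (expect 4096)
    }
}

# Check the three templates from cards 30, 46 and 47 in one pass
'Temp_User', 'CertificateTemplate', 'CA_Computers' | ForEach-Object {
    Get-TemplateKeySettings -TemplateName $_
} | Format-Table -AutoSize
```

Reading the attributes rather than the dialog is also how you spot a template someone changed without telling you: a user template with ArchivePrivateKey true means every private key it issues is copied into the CA database, so the Recovery Agents configured on that CA can decrypt those users' mail and files.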

48
Q

You are the administrator for your company network. You and a colleague are discussing Active Directory Federation Services (AD FS). You want to start the AD FS Management console. You know that there are multiple methods for configuring AD FS. What are two methods? (Choose two.)
A. Select Start ➢Run and type ADFSConfigWizard.exe.
B. Select Start ➢Run and type FsConfigWizard.exe.
C. Click the ADFSConfigWizard.exe file located in the C:\windows\adfs folder.
D. Click the FsConfigWizard.exe file located in the C:\windows\adfs folder.

A

B, D. To configure Active Directory Federation Services (AD FS) you can select Start ➢Run and type FsConfigWizard.exe, or you can click the FsConfigWizard.exe file located in the C:\windows\adfs folder.

49
Q

You are the administrator for your company network. You and a colleague are discussing the key archive store. The key archive stores which of the following information?
A. The public key only
B. The public key and private key only
C. The public key, private key, and supported cryptographic algorithms only
D. The subject name, public key, private key, and supported cryptographic algorithms

A

D. The key archive stores a certificate's subject name, public key, private key, and supported cryptographic algorithms in the CA database. Key archiving can be performed manually or automatically, depending on the configuration. If the certificate template requires key archiving, the process requires no manual intervention. Key archiving can also be performed manually if the private key is exported and then sent to an administrator for import into the CA database.

50
Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a member server named Server1 that has the Active Directory Federation Services (AD FS) server role installed. All servers run Windows Server 2016. You complete the AD FS Configuration Wizard on Server1. Which two actions should you perform on Server1 if you need to ensure that client devices on the internal network can use Workplace Join?
A. Edit the multifactor authentication global authentication policy settings.
B. Edit the primary authentication global authentication policy settings.
C. Run Enable-AdfsDeviceRegistration.
D. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
E. Run Set-AdfsProxyProperties HttpPort 80.

A

B, C. To enable the Device Registration Service, open a PowerShell window on the federation server and run Enable-AdfsDeviceRegistration. Repeat this step on each federation server in the AD FS farm.
Then enable seamless second factor authentication. Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection for corporate resources and applications accessed from external devices. When a personal device is Workplace Joined, it becomes a "known" device, and administrators can use this information to drive conditional access and to gate access to resources. To enable seamless second factor authentication, persistent Single Sign-On (SSO), and conditional access for Workplace Joined devices:
1. In the AD FS Management console, navigate to Authentication Policies.
2. Select Edit Global Primary Authentication.
3. Select the Enable Device Authentication check box.
4. Click OK.
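Added example (not the study guide's): the two actions from this card as PowerShell on the primary federation server, preceded by the one-time Active Directory preparation and followed by verification. It assumes the ADFS module, a domain administrator session, and a group managed service account CONTOSO\svc_adfs$ as the AD FS service account (a placeholder).

```powershell
# Added example (not from the study guide): enable the Device Registration
# Service and device authentication on the AD FS farm, then verify. Run on the
# primary federation server; the service account name is a placeholder.
Import-Module ADFS

# One-time preparation: creates the Device Registration container and SCP in AD.
# Requires enterprise admin rights; the account must be the AD FS service account.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc_adfs$' -Force

# Enable DRS on this node (repeat on every node in the farm)
Enable-AdfsDeviceRegistration

# Equivalent of "Enable device authentication" under Edit Global Primary Authentication
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify the registration service settings and the resulting policy
Get-AdfsDeviceRegistration
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object DeviceAuthenticationEnabled, PrimaryIntranetAuthenticationProvider
```

Clients find DRS through the DNS name enterpriseregistration.<UPN suffix>, which must resolve to the federation service and be present as a subject alternative name in the AD FS SSL certificate; without both, Workplace Join fails even though the cmdlets above succeed.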

51
Q
You are the administrator for your company network. You and a colleague are discussing Windows Server 2016 Active Directory. Which one of the following allows users to set up a key-based authentication that allows them to authenticate by using more than just their password using biometrics or PIN numbers?
A. Adprep
B. Azure Active Directory Join
C. Microsoft Passport
D. Privileged Access Management (IPAM)
A

C. Microsoft Passport (since renamed Windows Hello for Business) lets users set up key-based authentication so that they sign in with more than just a password, using biometrics or a PIN. The biometric gesture or PIN unlocks a private key held on the device (in a TPM where one is available), and that key is linked to a certificate or an asymmetric key pair registered for the user. The PIN is not the credential itself and never leaves the device; the key is.

52
Q

You are the administrator for your company network. Your company hosts a web RMS-aware application that the abc.com forest and xyz.com forest users need to access. You deploy a single AD FS server in the abc.com forest. Which of the following are true statements about the AD FS implementation? (Choose all that apply.)
A. You will configure a relying party server on the abc.com AD FS server.
B. The AD FS server in the xyz.com forest functions as the claims provider.
C. The AD FS server in the xyz.com forest functions as the relying party server.
D. You will configure a claims provider trust on the abc.com AD FS server

A

A, B. The relying-party server is a member of the Active Directory forest that hosts resources that a user in the partner organization wants to access. In this case, the relying party server should be the abc.com AD FS server. A claims provider provides users with claims. These claims are stored within digitally encrypted and signed tokens. In this case, xyz.com is the claims provider.

53
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1. A Microsoft Azure Backup of Server1 is created automatically every day. You rename Server1 to Server2. You discover that backups are no longer created in Azure. What should you do if you need to back up the server to Azure?
A. Run the Add-WBBackupTarget cmdlet on Server2.
B. Run the Start-OBRegistration cmdlet on Server2.
C. Upload the Server2 certificate as a management certificate from the Azure Management Portal.
D. Modify the configuration on the backup vault from the Azure Management Portal.

A

B. The Start-OBRegistration cmdlet registers the server using the vault credentials downloaded during enrollment. The cmdlet registers the server by uploading a backup certificate to the vault. This cmdlet supports the -WhatIf and -Confirm parameters and prompts the user for confirmation by default.

54
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1. A Microsoft Azure Backup of Server1 is created automatically every day. What cmdlet should you run if you need to view the items that are included in the backup?
A. Get-OBJob
B. Get-OBPolicy
C. Get-OBPolicyState
D. Get-WBSummary

A

B. The Get-OBPolicy cmdlet gets the current backup policy that is set for the server, including the details about scheduling backups, files included in the backup, and retention policy.

55
Q

You are the administrator for your company network. You and a colleague are discussing Azure Active Directory (Azure AD). Under Azure AD you know that there are a couple of options for controlling devices. Which of the following provides you with all of the benefits of registering a device and also changes the local state of the device? (Changing the local state enables your users to sign in to the device using an organizational work or school account instead of a personal account.)
A. Attaching
B. Disclosing
C. Joining
D. Registering

A

C. Azure Active Directory (Azure AD) enables Single Sign-On to devices, apps, and services from anywhere. Users get access to corporate assets through devices, so to protect those assets you want control over the devices. This lets you make sure that your users are accessing your resources from devices that meet your standards for security and compliance. Getting control of devices through Azure AD is done by registering and joining devices. Joining a device is an extension of registering a device: it provides all the benefits of registering a device and, in addition, changes the local state of the device. Changing the local state enables your users to sign in to the device using an organizational work or school account instead of a personal account.

56
Q

You are the administrator for your company network. You deploy a new Certification Authority (CA) to a Windows Server 2016 server. What should you do if you need to configure the CA to support recovery of certificates?
A. Assign the Request Certificates permission to the user account that will be responsible for recovering certificates.
B. Configure the Key Recovery Agent template as a certificate template to issue.
C. Modify the extensions of the OCSP Response Signing template.
D. Modify the Recovery Agents settings from the properties of the CA.

A

B. A Key Recovery Agent (KRA) is a user account that can recover an archived private key from the CA database. The order of operations matters: first add the Key Recovery Agent template to the templates the CA issues (the answer here), then have the designated user enroll for a KRA certificate, then on the CA's Recovery Agents tab select Archive the key and add that KRA certificate, and finally enable Archive subject's encryption private key on the templates whose keys must be recoverable. Until the KRA certificate exists, the Recovery Agents settings (D) have nothing to reference, which is why B comes first.

57
Q
You are the administrator for your company network. Your network contains an Active Directory forest named abc.com. The forest contains an Active Directory Rights Management Services (AD RMS) cluster. A partner company has an Active Directory forest named xyz.com. The partner company does not have AD RMS deployed. You need to ensure that users in xyz.com can consume rights-protected content from abc.com. Which type of trust policy should you create?
A. A federated trust
B. A trusted publishing domain
C. A trusted user domain
D. Windows Live ID
A

A. In AD RMS, rights can be assigned to users who have a federated trust with Active Directory Federation Services (AD FS). This enables an organization to share access to rights-protected content with another organization without having to establish a separate Active Directory trust or AD RMS infrastructure.

58
Q
You are the administrator for your company network. The network contains an Active Directory domain. You deploy a stand-alone root Certification Authority (CA) named CA1. What should you do first if you need to auto-enroll domain computers for certificates by using a custom certificate template?
A. Modify the Policy Module for CA1.
B. Modify the Exit Module for CA1.
C. Install a stand-alone subordinate CA.
D. Install an enterprise subordinate CA.
A

D. You will want to install an Enterprise Subordinate Certificate Authority (CA). This CA needs Active Directory and is used to issue certificates to users and computers. You cannot create templates or configure auto-enrollment on a stand-alone CA.

59
Q

You are the administrator for your company network. The network contains an Active Directory forest. The forest contains three domain controllers. They are configured as shown:
Server Name    Active Directory Site
Server1        Boston
Server2        Boston
Server3        Portland
The company physically relocates Server2 from the Boston office to the Portland office. You discover that both Server1 and Server2 authenticate users who sign in to the client computers in the Boston office. Only Server3 authenticates users who sign in to the computers in the Portland office. What should you do if you need to ensure that Server2 authenticates the users in the Portland office during normal network operations?
A. Modify the Location Property of Server2 from Active Directory Users and Computers.
B. Modify the Internet Protocol Version 4 (TCP/IPv4) configuration from Network Connections on Server2.
C. Run the Move-ADDirectoryServer cmdlet using PowerShell.
D. Run the Set-ADReplicationSite cmdlet using PowerShell.

A

C. Moving the hardware to Portland does not change the server's site membership in Active Directory: the server object for Server2 still sits under the Boston site, so Server2 keeps registering Boston site-specific SRV records, Boston clients keep finding it, and Portland clients do not. Move-ADDirectoryServer -Identity Server2 -Site Portland moves the domain controller's server object (with its NTDS Settings) into the Portland site; Server2 then registers Portland SRV records and Portland clients authenticate against it. Set-ADReplicationSite only changes the properties of a site object (description, replication schedule, and so on) and does not move a domain controller between sites. The Location attribute in Active Directory Users and Computers is informational only, and a domain controller's site is determined by its server object, not by its IP address (subnet-to-site mapping applies to clients), so the IPv4 configuration is a separate concern.

60
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Federation Services (AD FS). What PowerShell cmdlet would you use if you wanted to add a computer to an existing federation server farm?
A. Add-AdfsClient
B. Add-AdfsCertificate
C. Add-AdfsFarmNode
D. Add-AdfsNativeClientApplication
A

C. The Add-AdfsFarmNode cmdlet allows administrators to add a computer to an existing federation server farm.
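Added example (not the study guide's code) covering cards 32 and 60 together: install the role service on a new Windows Server 2016 machine and join it to an existing farm with Add-AdfsFarmNode, with the Install-AdfsFarm call shown only as a comment because it creates the first node of a new farm. The primary adfs01.contoso.com, the federation service name, the service account and the certificate thumbprint placeholder are assumptions.

```powershell
# Added example (not from the study guide): bring a freshly installed Windows
# Server 2016 machine into an existing AD FS farm. Run on the new node as a
# domain admin. Hostnames, service account and thumbprint are placeholders.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools | Out-Null

$svcCred = Get-Credential -Message 'AD FS service account (e.g. CONTOSO\svc_adfs)'
# The same SSL certificate the farm already uses, imported into LocalMachine\My
$thumb   = '<ssl-cert-thumbprint>'

# Install-AdfsFarm is only for the FIRST node of a NEW farm (card 32):
# Install-AdfsFarm -CertificateThumbprint $thumb -FederationServiceName 'fs.contoso.com' `
#                  -ServiceAccountCredential $svcCred

# Every additional server joins the existing farm instead (card 60)
Add-AdfsFarmNode -PrimaryComputerName 'adfs01.contoso.com' `
                 -CertificateThumbprint $thumb `
                 -ServiceAccountCredential $svcCred

# Verify: this node should report as a secondary syncing from the primary
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus
```

A secondary node pulls configuration from the primary over the WID replication channel, so the account running Add-AdfsFarmNode needs local administrator rights on the primary; if the farm uses SQL Server instead of WID, replace -PrimaryComputerName with the same -SQLConnectionString the first node was configured with.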

61
Q
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named Server1 that has the Active Directory Certificate Services (AD CS) server role installed and is configured to support key archival and recovery. You create a new Active Directory group named Group1. Which permissions should you assign to Group1 if you need to ensure that the members of Group1 can request a Key Recovery Agent (KRA) certificate? (Choose all that apply.)
A. Auto-Enroll
B. Enroll
C. Full Control
D. Read
E. Write
A

B, D. In Template, type a new template display name and then modify any other optional properties as needed. On the Security tab, click Add, type the name of the users you want to issue the KRA certificates to, and then click OK. Under Group or Usernames, select the usernames that you just added. Under Permissions, select the Read and Enroll check boxes, and then click OK.

62
Q

You are the administrator for your company network. You and a colleague are discussing the different Active Directory support tools available with Windows Server 2016. You are discussing a tool that allows an administrator to migrate users, groups, and computers from a previous version of the server to a current version of the server. What tool are you discussing?
A. Active Directory Migration Tool (ADMT)
B. Active Directory Managed Service Accounts
C. Active Directory Rights Management Services (AD RMS)
D. Active Directory Users and Computers

A

A. Active Directory Migration Tool (ADMT) allows an administrator to migrate users, groups, and computers from a previous version of the server to a current version of the server. Administrators can also use ADMT to migrate users, groups, and computers between Active Directory domains in different forests (interforest migration) and between Active Directory domains in the same forest (intraforest migration). By default, OUs inherit the permissions of their new parent container when they are moved. By using the built-in tools provided with Windows Server 2016 and Active Directory, you can move or copy OUs only within the same domain. You cannot use the Active Directory Users and Computers tool to move OUs between domains.

63
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Rights Management Services (AD RMS) and the ability to set up exclusion policies to deny certain entities the ability to acquire certificate and license requests. Which of the following are ways to exclude these entities? (Choose all that apply.)
A. By application
B. By lockbox version 
C. By MAC address 
D. By user
A

A, B, D. You can implement exclusion policies to deny certain entities the ability to acquire certificate and license requests. There are three ways to exclude these entities: by user, by application, and by lockbox version. When an entity is excluded, you use licenses that are created by servers in the AD RMS cluster. If, after a period of time, you decide to remove an entity that you have previously included in an exclusion policy, you can delete the entity from the exclusion list. Any new certification or licensing requests will not consider this entity as excluded. Lockboxes are used to store a user’s private key.

64
Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named CA1 that has the Active Directory Certificate Services (AD CS) server role installed and is configured to support key archival and recovery. You need to ensure that a user named User1 can decrypt private keys archived in the AD CS database. What should you do to prevent User1 from retrieving the private keys from the AD CS database?
A. Assign User1 the Manage Certificate Authority (CA) permission to CA1.
B. Assign User1 the Read and Write permissions to all certificate templates.
C. Provide User1 with access to a Key Recovery Agent certificate and a private key.
D. Assign User1 the Issue and Manage Certificates permission to CA1.

A

C. Key Recovery Agents (KRAs) are administrators who can decrypt users’ archived private keys. An organization can assign KRAs by issuing KRA certificates to designated administrators and configure them on the CA. The KRA role is not one of the default roles defined by the Common Criteria specifications, but a virtual role that can provide separation between Certificate Managers and the KRAs. This allows the separation between the Certificate Manager, who can retrieve the encrypted key from the CA database but not decrypt it, and the KRA, who can decrypt private keys but not retrieve them from the CA database.

65
Q

You are the administrator for your company network. The network contains an Active Directory domain. The domain has an Enterprise Certification Authority (CA). You duplicate the Basic EFS template and you name the template Template1. You configure the CA to use Template1. Users are configured to obtain a new certificate automatically when they sign in to a computer in the domain. What should you modify if you need to enable the users to automatically obtain a certificate based on Template1?
A. For Template1, modify the Security settings within the CA.
B. For the CA, modify the Request Handling properties.
C. For the CA, modify the Publication Settings.
D. For Template1, modify the Request Handling properties.

A

A. In this scenario, for Template1, modify the Security settings within the CA. You need to enable users to automatically obtain a certificate based on the template. Then, you will want to set the security permissions to grant a specific User/Authenticated Users to issue and manage certificates, manage CAs, and request certificates. This can be done manually by opening the CA MMC, right-clicking the Server name, selecting Properties from the context menu, selecting the Security tab, and then adding the user and setting permissions.

66
Q

You are the administrator for your company network. The network contains an Active Directory domain. The domain contains a Windows Server 2016 enterprise root Certification Authority (CA). What actions should you perform if you need to configure the CA to support Online Certificate Status Protocol (OCSP) responders? (Choose two.)
A. Add a new certificate template to issue.
B. Configure an enrollment agent.
C. Install a stand-alone subordinate CA.
D. Modify the Authority Information Access (AIA) of the CA.
E. Modify the CRL distribution point (CDP) of the CA.

A

A, D. An online responder is a trusted server that receives and responds to individual client requests for the status of a certificate. An OCSP responder retrieves CRLs and provides digitally signed real-time certificate revocation status responses to clients based on a given certificate authority’s CRL.
Configuring the CA to support the Online Responder service includes these steps:
1. Run certsrv.msc.
2. Navigate to your CA.
3. Right-click on the CA and click Properties.
4. Select the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
5. Click Add, and in the Add Location dialog box, type in the URL for the location. Click OK.
6. On the Extensions tab, make sure the URL that was just added to the locations area is highlighted. Then make sure the check boxes next to Include in the AIA extension of issued certificates and Include in the Online Certificate Status Protocol (OCSP) extension are checked.
7. Click Apply, let the service restart, and then click OK.
8. In Certification Authority, right-click Certificate Templates, and then click New Certificate Templates to Issue.
9. Select your CA, and in the right pane, right-click on Certificate Templates.
10. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
11. Open Certificate Templates in the CA and verify that the modified certificate templates appear in the list.

67
Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains an enterprise Certification Authority (CA) named CA1. You have a test environment that is isolated from the corporate network and the Internet. You deploy a web server to the test environment. On CA1, you duplicate the Web Server template and you name the template WS_Test. What should you do first if you need to request a certificate that does not contain the revocation information of CA1 for the web server?
A. Allow certificates to be published to the filesystem from the properties of CA1.
B. Select Restrict Enrollment Agents and then add WS_Test to the restricted enrollment agent from the properties of CA1.
C. Assign the Enroll permission to the guest account from the properties of WS_Test.
D. Set the Compatibility setting of CA1 to Windows Server 2016 from the properties of WS_Test.

A

D. The Compatibility tab helps to configure the options that are available in the certificate template. The options available in the certificate template properties change depending on the operating system versions that are selected for the CA and certificate recipient. The option “Do not include revocation information in issued certificates” check box is available only with the compatibility mode set to Windows Server 2008 R2 or later.

68
Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named Server1 that has the Active Directory Rights Management Services (AD RMS) server role installed. The domain contains a domain local group named Group1. You create a rights policy template named Template1. What should you do if you need to ensure that all the members of Group1 can use Template1?
A. Convert the scope of Group1 to Universal and assign Group1 the rights to Template1.
B. Convert the scope of Group1 to Global and configure the Email Address attribute of Group1.
C. Configure the Email Address attribute of Group1 and configure the Email Address attribute of all the users who are members of Group1.
D. Configure the email address of all the users who are members of Group1 and assign Group1 the rights to Template1.

A

C. When a user or group is created in Active Directory, the Mail attribute is an optional attribute that can be set to include a primary email address for the user or group. For AD RMS to work properly, this attribute must be set because all users must have an email attribute to protect and consume content. This can be done by setting the Email Address field in the properties for the user or group using any of the following tools:
■■ The Active Directory Users and Computers console
■■ The Active Directory Administrative Center
■■ Windows PowerShell

69
Q

You are the administrator for your company network. You have a stand-alone root Certification Authority (CA). You have a new security policy requirement stating that any changes to the CA configuration must be logged. What should you do if you need to ensure that the CA meets the new security requirement? (Choose two.)
A. Configure auditing for policy change from the Local Group Policy Editor.
B. Configure auditing for object access from the Local Group Policy Editor.
C. Modify the Security settings for the CA from the Certification Authority console.
D. Modify the Auditing settings for the CA from the Certification Authority console.
E. Modify the Certificate Managers settings for the CA from the Certification Authority console.

A

A, E. First, you configure what exactly needs to be audited on the object level (in this case, on the level of the CA object). Second, you must also configure the audit policy and enable success or failure auditing for a given set of audit policy categories or subcategories. So, in this scenario, modify the Certificate Manager settings for the CA from the Certification Authority console and then configure auditing for policy change from the Local Group Policy Editor.

70
Q
You are the administrator for your company network. You and a colleague are discussing adding a certificate template to the Certificate Authority (CA). What PowerShell cmdlet would you use if you need to add a certificate template to the CA?
A. Add-CATemplate 
B. Add-CSTemplate 
C. Get-CSTemplate 
D. New-Template
A

A. The Add-CATemplate cmdlet adds a certificate template to the CA for issuing. A certificate template is a preconfigured list of certificate settings that allows users and computers to enroll for certificates without having to create complex certificate requests. Certificate templates allow for the customization of a certificate that can be issued by the CA. The template defines items such as the cryptographic types, validity and renewal periods, and certificate purposes.

71
Q

You are the administrator for your company network. You and a colleague are discussing Certificate Revocation Lists (CRLs). The CRL polling begins to consume bandwidth. What steps should you consider to reduce network traffic?
A. Publishing more CRLs
B. Implementing an online issuing CA and a root CA
C. Implementing the Certificate Enrollment Policy Web Server role and Certificate Enrollment Web Services role
D. Implementing an online responder

A

D. The Online Responder service retrieves revocation status requests for specific certificates and the status of these certificates, and it returns a signed response with the requested certificate status information. The Online Responder uses a lightweight HTTP protocol that responds more quickly and efficiently than downloading a traditional CRL.

72
Q
You are the administrator for your company network. You and a colleague are discussing how to view the installation state of Active Directory Federation Services (AD FS). What PowerShell cmdlet should you run to view the installation state?
A. Get-WindowsFeature "adfs*","*fed*" 
B. Get-WindowsFeature "refs*","*red*" 
C. Set-WindowsFeature "adfs*","*fed*" 
D. Run-WindowsFeature "adfs*","*fed*"
A

A. To view the installation state of AD FS using PowerShell, open an elevated PowerShell console, type the following command, and press Enter: Get-WindowsFeature "adfs","fed*".

73
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Federation Services (AD FS). Which of the following is a federation server that receives security tokens from a trusted federation partner claims provider and then issues a new security token that is consumed locally?
A. Attribute store 
B. Claims provider 
C. Endpoints
D. Relying party
A

D. A relying party is a federation server that receives security tokens from a trusted federation partner claims provider. In turn, the relying party issues new security tokens that a local relying party application consumes.

74
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Federation Services (AD FS). Which of the following provides access to the federation server functionality of AD FS, such as token issuance, information card issuance, and the publishing of federation metadata? Based on the type, you can enable, disable, or control whether it is published to AD FS proxies.
A. Attribute store
B. Claims provider
C. Endpoints
D. Relying party
A

C. Endpoints provide access to the federation server functionality of AD FS, such as token issuance, information card issuance, and the publishing of federation metadata. Based on the type of endpoint, you can then enable or disable the endpoint or control whether the endpoint is published to AD FS proxies.

75
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Federation Services (AD FS) security modes. Which security mode is described here? The client credentials are included in the header of a Simple Object Access Protocol (SOAP) message. Confidentiality is preserved by encryption inside the SOAP message.
A. Attribute 
B. Message 
C. Mixed
D. Transport
A

B. The Message AD FS security mode allows the client credentials to be included in the header of a SOAP message. Confidentiality is preserved by encryption inside the SOAP message.

76
Q

You are the administrator for your company network. You and a colleague are discussing installing the Federation Service Proxy role using PowerShell. What command would you use if you wanted to install this role?
A. GetFeature Federation-Proxy -IncludeManagementTools
B. GetFeature Web-Application-Proxy -IncludeManagementTools
C. Install-WindowsFeature Federation-Proxy -IncludeManagementTools
D. Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

A

D. The correct syntax would be Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools.
The Install-WindowsFeature cmdlet installs one or more roles, role services, or features on either the local or a specified remote server that is running Windows Server 2016. Web-Application-Proxy installs the Federation Service Proxy role, and using the -IncludeManagementTools parameter installs the management tools, such as snap-ins, on the target server.

77
Q

You are the administrator for your company network. You and a colleague are discussing the Device Registration Service (DRS) that is included with the Active Directory Federation Services (AD FS) role in Windows Server 2016. DRS requires at least which one of the following?
A. At least one global catalog server in the forest root domain
B. At least two global catalog servers in the forest root domain
C. At least one global catalog server in the child domain
D. At least two global catalog servers in the child domain

A

A. DRS requires at least one global catalog server in the forest root domain. The global catalog server is needed to run the PowerShell cmdlet Initialize-ADDeviceRegistration during AD FS authentication.

78
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that has the Windows Application Proxy (WAP) role service installed. You are publishing an application using the Publish New Application Wizard. The application will be named App1, and it will use integrated Windows authentication. External users will be able to access the application. You are using the following publishing settings:
Name: App1
External URL: https://server1.abc.com/publish/app1
External Certificate: server1.abc.com
Backend Server URL: http://server1.abc.com/publish/app1
Backend Server SPN:
Before you can complete the wizard, what must you do?
A. Change the External Certificate.
B. Configure the Backend Server SPN.
C. Select the Enable HTTP to HTTPS Redirection check box.
D. Change the External URL.

A

B. In this question, we can see that the Backend Server SPN has been left blank. We need to enter the Backend Server SPN, so enter the Service Principal Name (SPN) for the backend server. For example, type HTTP/owa.abc.com.
To publish an Integrated Windows authenticated application, follow these steps:
1. On the Web Application Proxy (WAP) server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.
2. In the Publish New Application Wizard, on the Welcome page, click Next.
3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.
4. On the Relying Party page, in the list of relying parties, select the relying party for the application that you want to publish, and then click Next.
5. On the Publishing Settings page, do the following, and then click Next:
■■ In the Name box, enter a friendly name for the application. This name is used only in the list of published applications in the Remote Access Management console.
■■ In the External URL box, enter the external URL for this application; for example, https://owa.yourdomain.com/.
■■ In the External certificate list, select a certificate whose subject covers the external URL.
■■ In the Backend Server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://owa/.
■■ In the Backend Server SPN box, enter the service principal name for the backend server; for example, HTTP/owa.yourdomain.com.
6. On the Confirmation page, review the settings, and then click Publish.
7. On the results page, make sure that the application published successfully and then click Close.

79
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Rights Management Services (AD RMS) template rights. One of the rights, if established, enables protected content to be decrypted and re-encrypted by using the same content key. Usually, when this right is established, the RMS-aware application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right. Which right is being discussed?
A. Change
B. Full Control
C. Edit
D. View
A

C. The Edit right is being discussed. If this right is established, the AD RMS client enables protected content to be decrypted and re-encrypted by using the same content key. Usually, when this right is established, the RMS-aware application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right.

80
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Rights Management Services (AD RMS) trust policies. Which trust policy is the boundary mechanism for the AD RMS root cluster to process client licensor certificates or use licenses from users whose Rights Account Certificates (RACs) were issued by another AD RMS root cluster?
A. Trusted User Domains (TUD)
B. Trusted Publishing Domains (TPD)
C. Windows Live ID
D. Federated Trust
A

A. Trust policies are implemented to define how content licensing requests are processed throughout the enterprise, including rights-protected content from other AD RMS clusters. A Trusted User Domains (TUD) is the boundary mechanism for the AD RMS root cluster to process client licensor certificates or use licenses from users whose RACs were issued by another AD RMS root cluster. You must import the server licensor certificate of the AD RMS cluster to be trusted, in order to define your TUD.

81
Q

You are the administrator for your company network. You and a colleague are discussing an advantage of using the Remote Access role service in Windows Server 2016 called Web Application Proxy (WAP). WAP is a feature that allows which of the following?
A. Allows your corporate users to access applications from any device inside the network
B. Allows all remote users to access applications from any device outside the network
C. Allows remote users to access applications from any device inside the network
D. Allows your corporate users to access applications from any device outside the network

A

D. One of the advantages of using the Remote Access role service in Windows Server 2016 is the Web Application Proxy (WAP) feature. Normally, your users access applications on the Internet from your corporate network. WAP reverses this feature, and it allows your corporate users to access applications from any device outside the network.

82
Q
You are the administrator for your company network. You and a colleague are discussing Web Application Proxy (WAP). What is the process of allowing an application to be available to users outside the network called?
A. Authenticating
B. Migrating
C. Publishing
D. Transferring
A

C. The Web Application Proxy feature allows applications running on servers inside the corporate network to be accessed by any device outside the corporate network. The process of allowing an application to be available to users outside of the corporate network is known as publishing.

83
Q
You are the administrator for your company network. You and a colleague are discussing Web Application Proxy (WAP). When an administrator publishes an application using the WAP, the method that users and devices use for authentication is known as preauthentication. Which preauthentication method is being described when users are not required to enter credentials before they are allowed to connect to published web applications?
A. AD FS preauthentication
B. Pass-through preauthentication
C. Push-through preauthentication
D. Single-Sign-On (SSO)
A

B. When using pass-through preauthentication, users are not required to enter credentials before they are allowed to connect to published web applications.

84
Q

You are the administrator for your company network. The network contains an Active Directory forest. All domain controllers run Windows Server 2012 R2. You deploy a new server named Server1 that runs Windows Server 2016. A server administrator named SA01 is a member of the Domain users group. You add SA01 to the Administrators group on Server1. SA01 signs in to Server1 and successfully configures a new Active Directory Rights Management Services (AD RMS) cluster. What should you do if you need to ensure that clients can discover the AD RMS cluster by querying Active Directory?
A. Modify the Security settings of the computer account of Server1.
B. Register a Service Connection Point (SCP).
C. Upgrade one domain controller to Windows Server 2016.
D. Update the Active Directory Schema.

A

D. To publish service-specific data in the directory database, the Active Directory Schema helps define an SCP object class for a service. Clients of the service use the data in an SCP to locate, connect to, and authenticate an instance of your service.

85
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory Federation Services (AD FS). What PowerShell cmdlet allows an administrator to add a new claims provider trust to the Federation Service?
A. Add-AdfsClaimsProviderTrust
B. Add-AdfsClient
C. Add-ClaimsProviderTrust
D. Enable-AdfsApplicationGroup
E. Enable-AdfsClaimsProviderTrust
A

A. The Add-AdfsClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service. Use this cmdlet when users from a partner organization need to access resources (relying parties) protected by the AD FS service.