Chapter 4

Question 1

What is maintained by a NAT device to record which internal client traffic must be routed outside?

Answer 1

A mapping table

Question 2

What must be installed to provide Windows Server with NAT server capability?

Answer 2

The Remote Access server role

Question 3

How do you set up NAT on Windows Server?

Answer 3

Server Manager > Tools > Routing and Remote Access > Right-click server > Configure and Enable Routing and Remote Access > from the Route and Remote Access Server Setup Wizard, choose NAT > select the public and private interfaces

Question 4

What is a recommended step that makes NAT configuration easier?

Answer 4

Name your network connections so they are easily identifiable, by right-clicking Start and selecting Network Connections

Question 5

Where can you configure NAT settings?

Answer 5

The Routing and Remote Access console

Question 6

How can you configure NAT to allow certain private clients to use public addresses?

Answer 6

Reserve public addresses

Question 7

What two additional network services can be enabled from within NAT?

Answer 7

DHCP and DNS resolution

Question 8

Where can you monitor NAT’s DHCP service?

Answer 8

In the Routing and Remote Access console, right-click the NAT node, and select Show DHCP Allocator Information

Question 9

Where can you monitor NAT’s DNS service?

Answer 9

In the Routing and Remote Access console, right-click the NAT node, and select Show DNS Proxy Information

Question 10

What are two remote access scenarios where VPN is used?

Answer 10

Remote access by allowing remote users to connect to a site

Site-to-site (S2S) allowing for connections between remote sites

Question 11

What are three common characteristics of VPNs?

Answer 11

Authentication between client and server, encryption of data, and encapsulation through tunneling

Question 12

What are the four VPN protocols available in Windows Server?

Answer 12

Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec)
Secure Socket Tunneling Protocol (SSTP)
Internet Key Exchange Version 2 (IKEv2)

Question 13

Which VPN protocol is widely supported, but is considered to be less secure than its alternatives?

Answer 13

PPTP

Question 14

What authentication methods are available for PPTP?

Answer 14

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

Question 15

What protocols does L2TP use?

Answer 15

It combines PPTP and Layer 2 Forwarding L2F, but unlike PPTP, uses IPsec for encryption

Question 16

Which protocol is based on HTTPS, and what is its key advantage?

Answer 16

SSTP, uses port 443 which is usually open in most firewalls

Question 17

Which protocol is particularly useful for mobile devices and why?

Answer 17

IKEv2, the only protocol that supports VPN reconnect

Question 18

What port is used by PPTP?

Answer 18

TCP 1723

Question 19

What ports are used by L2TP?

Answer 19

UDP 500, 1701, and 4500

Question 20

What port is used by SSTP?

Answer 20

TCP 443, also used by HTTPS

Question 21

What port is used by IKEv2?

Answer 21

UDP 500

Question 22

What VPN authentication methods are supported by Windows Server 2016?

Answer 22

PAP, CHAP, MS-CHAPv2, and EAP

Question 23

Which VPN authentication protocol uses insecure plaintext authentication?

Answer 23

PAP

Question 24

Which VPN authentication protocol uses challenge/response and stores passwords with reversible encryption?

Answer 24

CHAP

Question 25

Which VPN authentication protocol uses challenge/response, but has better security than some others?

Answer 25

MS-CHAPv2

Question 26

Which VPN authentication protocol is the most secure and supports multiple authentication methods?

Answer 26

EAP

Question 27

What role service is required to deploy the RAS Gateway in Windows Server?

Answer 27

DirectAccess and VPN (RAS) role service

Question 28

What scenarios are supported by RAS Gateway?

Answer 28

Multitenant-aware VPN gateway
Multitenant-aware NAT gateway
Forwarding gateway
DirectAccess server
GRE tunneling
Dynamic routing with BGP

Question 29

What type of RAS Gateway deployment allows for virtual machines on virtual networks to access the Internet?

Answer 29

Multitenant-aware NAT gateway

Question 30

What type of RAS Gateway deployment enables access to server resources on physical networks from virtual networks?

Answer 30

Forwarding gateway for internal physical network access

Question 31

What type of RAS Gateway deployment allows remote users to access network infrastructure without a VPN?

Answer 31

DirectAccess server

Question 32

What type of RAS Gateway deployment enables connectivity between tenant virtual networks and external networks?

Answer 32

GRE tunneling

Question 33

What type of RAS Gateway deployment is a dynamic routing protocol that can traverse S2S VPNs, useful on enterprise and cloud networks?

Answer 33

Dynamic routing with BGP

Question 34

What is required to implement remote access VPN?

Answer 34

Two network interfaces
DHCP distribution (either by reserving DHCP server addresses or distributing directly through VPN)
Set up the VPN server as a RADIUS client

Question 35

What is required to use VPN reconnect?

Answer 35

VPN server running Server 2008 R2 minimum
Client PC running Windows 7 minimum
Organization PKI to deploy computer certificates
IKEv2 VPN

Question 36

Which PowerShell cmdlet is used to configure app-triggered VPNs?

Answer 36

Add-VpnConnectionTriggerApplication

Question 37

What kind of PCs do not support app-triggered VPNs?

Answer 37

Domain-bound PCs

Question 38

What options are available with VPN profiles?

Answer 38

Always On - VPN initiates when users signs in or network change
App-Triggered VPN
Traffic Filters - VPN initates based on policies, e.g. apps, protocols, addresses
LockDown VPN - Secures device so only VPN can be used

Question 39

What tools can be used to create and distribute VPN profiles?

Answer 39

Connection Manager Administration Kid (CMAK)
Microsoft Intune
Configuration Manager

Question 40

What must be created at the originating routers of an S2S VPN?

Answer 40

A demand-dial interface

Question 41

In what version of Windows Server was DirectAccess first introduced?

Answer 41

Server 2008 R2

Question 42

What is the minimum client requirement for using DirectAccess?

Answer 42

Windows 7

Question 43

What IP technology is used in DirectAccess connections?

Answer 43

IPv6 and IPsec

Question 44

How do clients determine their network location?

Answer 44

By checking if the network location server (NLS) is available, in which case they do not need DirectAccess

Question 45

What is used by DirectAccess clients to determine which DNS servers they should use?

Answer 45

Name Resolution Policy Table (NRPT)

Question 46

What kind of IPv6 compatibility options are offered by DirectAccess?

Answer 46

ISATAP - Connect to DirectAccess over IPv4 for intranet
6to4 - Connect to DirectAccess over IPv4 Internet
Teredo - Connect to DirectAccess over IPv4 through NAT
IP-HTTPS - Connect to DirectAccess when other methods are unavailable

Question 47

On what kind of server can DirectAccess not be installed?

Answer 47

A domain controller

Question 48

What is required a client to automatically select a DirectAccess server?

Answer 48

Windows 8

Question 49

How can you provision DirectAccess to new clients that are not on the network?

Answer 49

Use djoin with an AD DS Binary Large Object (BLOB)

Question 50

What are the server requirements for DirectAccess?

Answer 50

Domain member, but not controller
At least one internal network adapter
For edge topology, one public IPv4 address for any Internet network adapter
Windows Firewall enabled on all profiles
DirectAccess and VPN (RAS) role service installed

Question 51

What role provides the DirectAccess and VPN (RAS) role service?

Answer 51

Remote Access server role

Question 52

What DirectAccess setup method is not suitable for deployments support Windows 7 clients?

Answer 52

The wizard-based setup

Question 53

How can you apply DirectAccess to specific computers?

Answer 53

Create an AD group and add use that group in the DirectAccess Client Setup

Question 54

What DNS records are created by the DirectAccess Getting Started Wizard?

Answer 54

directaccess-corpConnectivityHost
DirectAccess-NLS
directaccess-WebProbeHost

Question 55

What GPOs are created by the DirectAccess Getting Started Wizard?

Answer 55

DirectAccess Client Settings

DirectAccess Server Settings

Question 56

How can you tell if DirectAccess settings are applied to a client?

Answer 56

Run gpresult /r and see if the DirectAccess Client Settings GPO appears

Question 57

What are some ways to troubleshoot DirectAccess issues on a client?

Answer 57

Verify the GPO is applied
Verify the client has an IPv6 address starting with 2002
See if the DirectAccess connection is active in Settings > Network & Internet > DirectAccess
Use “netsh show effectivepolicy” to see if the DirectAccess policy is applied

Question 58

Which Windows Server role provides policy-based management of remote access?

Answer 58

NPS

Question 59

How can the NPS role be installed using PowerShell?

Answer 59

Install-WindowsFeature -Name npas -IncludeManagementTools

Question 60

What is Microsoft’s implementation of a RADIUS server?

Answer 60

NPS

Question 61

Which PowerShell cmdlet is used to add RADIUS clients to NPS?

Answer 61

New-NpsRadiusClient

Question 62

What type of server can forward certain requests to a central RADIUS server?

Answer 62

RADIUS proxy

Question 63

What can you use to predefine RADIUS server and client settings?

Answer 63

NPS templates

Question 64

What values are used to load balance RADIUS servers?

Answer 64

Priority and weight

Question 65

What are RADIUS clients?

Answer 65

Devices or serves that service remote client connection attempts, NOT the client devices that connect to wireless or VPN resources

Question 66

What are the default ports for RADIUS authentication and accounting?

Answer 66

1812 and 1813

Question 67

What types of NPS templates can be created?

Answer 67

Shared secrets
RADIUS clients
Remote RADIUS servers
IP filters

Question 68

What two types of policies are supported by NPS?

Answer 68

Network policies - Control whether a remote client’s connection attempt is successful
Connection request policies - Determine whether the local vs. remote server processes client connection attempts

Question 69

How are multiple NPS policies handled?

Answer 69

The first one that meets the policy conditions is the one applied, but if a client does not meet policy constraints, it is rejected without processing further policies

Question 70

How can a user accounts dial-in permissions be set?

Answer 70

In AD, they can be defined to allow access, deny access, or control access through NPS policy
Note that allow access permits access even if no NPS policy is defined

Question 71

What two network policies are created by default when you install NPS, and what are their permissions?

Answer 71

Connections to Microsoft Routing and Remote Access server
Connections to other access servers
Both are set to deny access by default

Question 72

Which PowerShell cmdlets are used to export and import NPS configurations?

Answer 72

Export-NpsConfiguration and Import-NpsConfiguration

Question 73

What certificate purposes are deployed by default from certificates generated by AD Certificate Services?

Answer 73

Both client authentication and server authentication