F01X Flashcards

0
Q

F02: Identify the purpose of Directory Services

A

A shared information structure used to locate, manage, administer, organize, and secure those objects that comprise a directory.

1
Q

F02: Identify the definition of Directory

A

All of the services, printers, computers, users, applications, and everything else in the network comprise a directory.

2
Q

F02: Select from a list of distracters the purpose of the X.500 Directory Access Protocol (DAP)

A

Provides a set of rules and standards that organize directories and create a standard interface to allow clients to access the directories.

*X.500 was the original standard, based on the OSI model, and very resource intensive. It ran on mainframes and was too complex to operate using desktops and over the Internet so the Lightweight Directory Access Protocol (LDAP) was designed.

3
Q

F02: Select from a list of distracters the purpose of the Lightweight Directory Access Protocol (LDAP)

A

LDAP is a much more compact protocol, designed around the TCP/IP model, that allows for faster searches of the directory service because it requires much less network overhead.

*Microsoft’s Active Directory uses the LDAP protocol as the foundation for its directory services agent. The Marine Corps uses Microsoft Active Directory as its directory service agent.
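Added example, not from the original flashcards: the kind of LDAP query that sits underneath every Active Directory tool, issued through the .NET DirectorySearcher that the AD cmdlets wrap. It resolves an account to its distinguished name and then asks the domain controller for every security group that contains it, including through nested groups. It assumes a domain-joined machine with read access to the directory; the account name 'jsmith' is a placeholder.

```powershell
# Added example (not from the flashcards). Assumes a domain-joined host with read
# access to the directory; 'jsmith' is a placeholder account.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so text placed inside a filter cannot change the filter's meaning
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-NestedGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext
    )
    $root = [adsi]"LDAP://$SearchBase"

    # 1. Resolve the account to its distinguished name.
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
    $userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$userSearch.PropertiesToLoad.Add('distinguishedName')
    $user = $userSearch.FindOne()
    if (-not $user) { throw "No user '$SamAccountName' under $SearchBase" }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    # 2. Every security group that contains the user, directly or through nesting.
    #    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk the
    #    member chain; 1.2.840.113556.1.4.803 is a bitwise AND, and bit 0x80000000
    #    in groupType marks a security group rather than a distribution group.
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
    $groupSearch.Filter = "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)))"
    $groupSearch.PageSize = 500     # paged results; otherwise the server stops at its 1000-entry limit
    [void]$groupSearch.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName'))

    foreach ($g in $groupSearch.FindAll()) {
        [pscustomobject]@{
            Group = [string]$g.Properties['samaccountname'][0]
            DN    = [string]$g.Properties['distinguishedname'][0]
        }
    }
}

Find-NestedGroupMembership -SamAccountName 'jsmith' | Sort-Object Group | Format-Table -AutoSize
```

The escaping helper matters whenever the search term comes from user input: without it, a value such as `*)(objectClass=*` turns a lookup for one account into a dump of the directory.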

4
Q

F03: Define an Object

A

The basic building block of Active Directory. Users, computers, printers, servers, and other network resources are all objects.

*An object is defined by its attributes (for a user: sAMAccountName, userPrincipalName, memberOf, and so on). Which attributes an object may carry is fixed by the schema.

5
Q

F03: Define the Active Directory (AD) Schema

A

The set of definitions for every class of object (user, computer, group, and so on) and every attribute that can exist in the directory. The objects themselves are instances of those definitions.

*The base schema ships with Windows. It is extended by members of the Schema Admins group or by applications such as Exchange, and extensions cannot be removed (classes and attributes can only be deactivated, never deleted). There is exactly one schema per forest, shared by every domain in it.

6
Q

F03: Define Security Groups

A

Objects in Active Directory just like individual users.

*Security Groups are useful because individual users can be associated with a Security Group and then have permissions applied to the group vice each and every user. Security Groups are a quick and efficient way to delegate out permissions to shared resources for a large collection of users.

7
Q

F03: Define Organizational Unit (OU)

A

Containers for objects.

*You can think of them like folders for files. OUs are an administrative boundary as well. For example, the Regiment could delegate permissions to its subordinate battalions by giving them their own OU. Inside that OU, the data Marines for the battalion can control everything that happens.

8
Q

F03: Define Domain

A

The cornerstone element of Active Directory; the grouping of all objects that share common resources, services, and administration.

*All of the computers, users, groups, and OUs within a domain share a common security database and permissions hierarchy.

9
Q

F03: Define tree

A

Multiple domains arranged into a hierarchical structure that shares a contiguous DNS namespace (for example, bn.regt.example.mil beneath regt.example.mil).

*The first domain created is known as the tree root domain. Any subsequent domains created beneath it are known as child domains. A child domain and its parent are joined automatically by a two-way, transitive parent/child trust.

10
Q

F03: Define forest

A

The largest category of organizing objects and domains.

*Every instance of Active Directory is known as a forest. There can be multiple domains and domain trees in a forest. Every domain in the forest shares the same schema, the same configuration partition, and the same Global Catalog. The first domain established is called the forest root domain; the forest-wide groups Enterprise Admins and Schema Admins live there. Additional domains can then be constructed as child domains or as separate trees in the forest. Because the schema and the forest-wide groups are shared, the forest, not the domain, is the security boundary.

11
Q

F03: State in writing the purpose of Trust Relationships

A

A link in Active Directory between two domains and/or forests that allows users to access resources and services in another domain.

Parent/child trusts (created automatically between a child domain and its parent; two-way and transitive)
Tree-root trusts (created automatically between the forest root domain and the root of each additional tree; two-way and transitive)
External trusts (created manually to a single domain in another forest; non-transitive)
Shortcut trusts (created manually between two domains in the same forest to shorten the Kerberos referral path)
Realm trusts (to a non-Windows Kerberos realm)
Forest trusts (created manually between two forest root domains; transitive across both forests)
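Added example, not from the original flashcards: list every trust the current domain has and flag the ones a security review should look at first. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the report columns and the checks in Find-WeakTrusts are this example's own choices, not a Microsoft tool.

```powershell
# Added example (not from the flashcards). Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-TrustReport {
    param([string] $Domain = (Get-ADDomain).DNSRoot)
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        [pscustomobject]@{
            Target           = $_.Target
            Type             = $_.TrustType              # Uplevel = AD domain/forest, Realm = non-Windows Kerberos
            Direction        = $_.Direction              # Outbound = this domain trusts the target (its users can be
                                                         # granted access here); Inbound = the reverse; BiDirectional = both
            IntraForest      = $_.IntraForest            # parent/child, tree-root and shortcut trusts
            ForestTransitive = $_.ForestTransitive       # forest trusts
            SidFilterQuarant = $_.SIDFilteringQuarantined  # SID filtering on an external trust
            SidFilterForest  = $_.SIDFilteringForestAware  # SID filtering on a forest trust
            SelectiveAuth    = $_.SelectiveAuthentication
        }
    }
}

function Find-WeakTrusts {
    param([object[]] $Trusts)
    foreach ($t in $Trusts) {
        if ($t.IntraForest) { continue }   # inside one forest there is no boundary to protect anyway
        if ($t.ForestTransitive -and -not $t.SidFilterForest) {
            "Forest trust to $($t.Target): SID filtering is off, so SIDHistory values from the other forest are honoured here"
        } elseif (-not $t.ForestTransitive -and -not $t.SidFilterQuarant) {
            "External trust to $($t.Target): SID filtering (quarantine) is off"
        }
        if ($t.Direction -ne 'Inbound' -and -not $t.SelectiveAuth) {
            "Trust to $($t.Target) admits its users without selective authentication; anything granted to 'Authenticated Users' is reachable from there"
        }
    }
}

$trusts = Get-TrustReport
$trusts | Format-Table -AutoSize
Find-WeakTrusts -Trusts $trusts | ForEach-Object { Write-Warning $_ }
```

SID filtering is what keeps a trust from becoming a privilege path: with it disabled, an administrator of the trusted domain can place a high-privilege SID from this domain into a user's SIDHistory and be treated as that principal here.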
12
Q

F04: Define Domain Controller (DC)

A

A server in an Active Directory forest that is running Windows Server 2003 or later (2008 R2, Server 2012) and actively providing directory services (the Active Directory Domain Services role).

*A writable DC has a complete copy of every object in its domain, plus the forest-wide schema and configuration partitions.

13
Q

F04: Create a name for a Microsoft Domain Controller

A

For example, for a MEB domain, the first three domain controllers in the MEB domain may be 1MEBN01C, 1MEBN02C, and 1MEBN03C. The C at the end of the name designates the server as a domain controller. The format reads, from left to right, “Domain Name (1MEB)” – “NIPR or SIPR designation (N/S)” – “Sequential Numerical Identifier (01)” – “Domain Controller, Exchange Server, or Member Server Designator (C/E/R)”.

NIPR Designator – NameN01C
SIPR Designator – NameS01C

There may be other servers running Windows Server 2008 R2 or another operating system that are not running Active Directory Domain Services; these are known as member servers. They could be admin servers, file servers, print servers, or run other resources for the network. Member servers are named almost the same as the domain controllers but with an ‘R’ in place of the ‘C’:

NIPR Designator – NameN01R
SIPR Designator – NameS01R
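Added example, not from the original flashcards: a parser and a generator for the naming convention above, so that a build script can reject a mistyped name before a server is joined with it. The sample names are constructed for illustration; the 15-character limit is the NetBIOS computer-name limit, which the convention itself does not mention.

```powershell
# Added example (not from the flashcards). Runs offline; sample names are made up.
function ConvertFrom-ServerName {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Name)
    process {
        # <domain><N|S><two-digit sequence><C|E|R>, e.g. 1MEBN01C. The lazy domain
        # match plus the end anchor lets a domain name that itself contains N or S parse correctly.
        $m = [regex]::Match($Name.ToUpperInvariant(), '^(?<domain>[A-Z0-9]+?)(?<enclave>[NS])(?<seq>\d{2})(?<role>[CER])$')
        if (-not $m.Success) {
            [pscustomobject]@{ Name = $Name; Valid = $false; Domain = $null; Enclave = $null; Sequence = $null; Role = $null; NetBiosOk = $Name.Length -le 15 }
            return
        }
        $roles    = @{ C = 'Domain Controller'; E = 'Exchange Server'; R = 'Member Server' }
        $enclaves = @{ N = 'NIPR'; S = 'SIPR' }
        [pscustomobject]@{
            Name      = $Name
            Valid     = $true
            Domain    = $m.Groups['domain'].Value
            Enclave   = $enclaves[$m.Groups['enclave'].Value]
            Sequence  = [int]$m.Groups['seq'].Value
            Role      = $roles[$m.Groups['role'].Value]
            NetBiosOk = $Name.Length -le 15   # NetBIOS computer names are limited to 15 characters
        }
    }
}

function New-ServerName {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [ValidateSet('N', 'S')] [string] $Enclave,
        [Parameter(Mandatory)] [ValidateRange(1, 99)] [int] $Sequence,
        [Parameter(Mandatory)] [ValidateSet('C', 'E', 'R')] [string] $Role
    )
    $name = '{0}{1}{2:D2}{3}' -f $Domain.ToUpperInvariant(), $Enclave, $Sequence, $Role
    if ($name.Length -gt 15) { throw "$name exceeds the 15-character NetBIOS limit" }
    $name
}

# Constructed sample names; the third one lacks its enclave letter and is rejected.
'1MEBN01C', '1MEBS02C', '1MEB03C', '1MEBN01E', '1MEBN04R' | ConvertFrom-ServerName | Format-Table -AutoSize
New-ServerName -Domain 1MEB -Enclave N -Sequence 3 -Role C
```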

14
Q

F04: Describe the relationship between Domain Controllers and Flexible Single Master Operations (FSMO) Roles

A

There are 5 roles that are unique within the forest or domain that can only be held by one server at a time. There are two roles that are unique in the forest – the Schema Master and the Domain Naming Master, and there are 3 roles that are unique in each domain – Relative Identifier Master, Primary Domain Controller Emulator, and Infrastructure Master. There may be multiple servers in the domain – but 2 of the 5 are unique instances per forest and the other 3 are unique instances per domain.

15
Q

F04: State the purpose of the Active Directory Schema Master

A

The Schema Master role is usually found upon the first domain controller in the forest. It controls the master list of objects and attributes in the Active Directory structure. The Active Directory Schema cannot be modified unless the schema master is available. Every domain controller has a copy of the schema, but that copy is read only.

16
Q

F04: State the purpose of the Active Directory Domain Naming Master

A

The Domain Naming Master records the additions and deletions of domains in the forest. New domains cannot be added or removed if the domain naming master is unavailable.

17
Q

F04: State the purpose of the Active Directory Relative Identifier (RID) Master

A

Every security principal in the domain (user, group, or computer) has a unique Security Identifier (SID) that identifies it in access control lists and access tokens. The SID has two parts. The first part, the domain SID (S-1-5-21 followed by three 32-bit sub-authorities), is identical for every principal in the domain. The second part, the Relative Identifier (RID), is appended to the domain SID and makes each principal unique. The RID Master hands every domain controller a pool of RIDs (500 at a time by default) so that any DC can create principals without coordinating each creation with the others; a DC whose pool is exhausted and cannot reach the RID Master can no longer create users, groups, or computers.
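Added example, not from the original flashcards: split a SID into its domain part and its RID using the .NET SecurityIdentifier type, and, where the ActiveDirectory module is available, read how much of the domain's RID space the RID Master has handed out. The SIDs in the sample belong to a fictitious domain and are constructed for illustration; the layout of rIDAvailablePool (high 32 bits = highest RID allowed, low 32 bits = next RID to allocate) is the attribute's documented format.

```powershell
# Added example (not from the flashcards). Split-Sid and Test-SameDomain run offline;
# Get-RidPoolStatus needs the ActiveDirectory module and a reachable domain.
function Split-Sid {
    param([Parameter(Mandatory)] [string] $Sid)
    $s   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rid = [int]($s.Value -split '-')[-1]
    [pscustomobject]@{
        Sid          = $s.Value
        DomainSid    = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }  # null for well-known SIDs
        Rid          = $rid
        WellKnownRid = $rid -lt 1000   # 500 = Administrator, 512 = Domain Admins, 519 = Enterprise Admins, ...
    }
}

function Test-SameDomain {
    # True only when both SIDs are account SIDs with the same domain part
    param([Parameter(Mandatory)] [string] $SidA, [Parameter(Mandatory)] [string] $SidB)
    $a = New-Object System.Security.Principal.SecurityIdentifier($SidA)
    $b = New-Object System.Security.Principal.SecurityIdentifier($SidB)
    $a.IsEqualDomainSid($b)
}

function Get-RidPoolStatus {
    # Live check: the RID Master's allocation state is stored on the RID Manager$ object.
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $pool = (Get-ADObject "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool).rIDAvailablePool
    [pscustomobject]@{
        RidMaster = $domain.RIDMaster
        MaxRid    = [int64]$pool -shr 32            # highest RID this domain may ever issue
        NextRid   = [int64]$pool -band 0xFFFFFFFF   # next RID the master will hand out
    }
}

# Constructed SIDs for a fictitious domain
$domainUser    = 'S-1-5-21-3623811015-3361044348-30300820-1105'
$domainAdmin   = 'S-1-5-21-3623811015-3361044348-30300820-500'
$builtinAdmins = 'S-1-5-32-544'   # BUILTIN\Administrators: an authority, not a domain

$domainUser, $domainAdmin, $builtinAdmins | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
Test-SameDomain $domainUser $domainAdmin      # same domain part, different RID
Test-SameDomain $domainUser $builtinAdmins    # BUILTIN SIDs carry no domain part
```

Get-RidPoolStatus is the check to run when user creation starts failing with "no more RIDs" errors: it shows whether the domain is near its ceiling or whether the RID Master is simply unreachable.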

18
Q

F04: State the purpose of the Active Directory Primary Domain Controller (PDC) Emulator

A

The PDC Emulator role performs multiple, crucial functions for a domain:

  1. Receives password changes preferentially. When a password is changed on any domain controller the change is sent to the PDC Emulator immediately, and a DC that rejects a logon checks with the PDC Emulator before returning a failure, so a user can use a new password before normal replication has carried it to every DC. Account lockout processing is handled on the PDC Emulator for the same reason.
  2. Serves as the default domain controller on which Group Policy Objects are created and edited, so that administrators in different locations do not write conflicting changes to the same GPO.
  3. Provides a master time source for the domain. The PDC Emulator of the forest root domain is the time master for the entire forest by default; Kerberos authentication fails once clocks drift more than five minutes apart.
19
Q

F04: State the purpose of the Active Directory Infrastructure Master

A

Keeps cross-domain object references in its domain up to date.

*When an object in this domain refers to an object in another domain of the forest (a group here that contains a user from another domain, for example), the local domain partition holds only a placeholder record (a "phantom") for the foreign object. The Infrastructure Master periodically compares those placeholders with the Global Catalog and updates them when the foreign object is renamed, moved, or deleted. It does not sit in front of ordinary changes: Active Directory is multi-master, so any writable domain controller accepts a change and replicates it directly to its partners. One placement rule follows from how the role works: in a multi-domain forest, the Infrastructure Master must not be on a Global Catalog server unless every domain controller in the domain is a Global Catalog, because a GC already holds the foreign objects and the role would never see anything to update.

20
Q

F04: State the purpose of the Active Directory Global Catalog Server

A

The Global Catalog role maintains a subset of the most commonly used attributes of every object in the forest.

*A global catalog server has a complete replica of its own domain partition and partial, read-only copies of the domain partitions of the other domains in the forest. It answers on LDAP port 3268 (3269 over SSL) in addition to the normal 389/636. It is used for two primary functions: authentication (a DC must query a GC for a user's universal group memberships during logon, and a user principal name such as user@domain has to be resolved through the GC), and letting users locate objects anywhere in the forest without being referred to every domain in turn.
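Added example, not from the original flashcards, covering the FSMO and Global Catalog cards above: report who holds each of the five roles, whether each holder is reachable on LDAP and whether it is a GC, and apply the Infrastructure Master placement rule. It assumes the ActiveDirectory module and Test-NetConnection (Windows 8 / Server 2012 or later); the report layout is this example's own.

```powershell
# Added example (not from the flashcards). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $roles  = [ordered]@{
        'Schema Master'        = $forest.SchemaMaster        # one per forest
        'Domain Naming Master' = $forest.DomainNamingMaster  # one per forest
    }
    foreach ($name in $forest.Domains) {                      # three per domain
        $d = Get-ADDomain -Identity $name
        $roles["RID Master ($name)"]            = $d.RIDMaster
        $roles["PDC Emulator ($name)"]          = $d.PDCEmulator
        $roles["Infrastructure Master ($name)"] = $d.InfrastructureMaster
    }
    $gcs = @($forest.GlobalCatalogs)
    foreach ($r in $roles.GetEnumerator()) {
        [pscustomobject]@{
            Role   = $r.Key
            Holder = $r.Value
            IsGC   = $gcs -contains $r.Value
            LdapUp = Test-NetConnection -ComputerName $r.Value -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Multi-domain forests only: the IM must not be a GC unless every DC in its domain is a GC.
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        $dcs    = @(Get-ADDomainController -Filter * -Server $name)
        $im     = (Get-ADDomain -Identity $name).InfrastructureMaster
        $imIsGc = [bool]@($dcs | Where-Object { $_.HostName -eq $im -and $_.IsGlobalCatalog }).Count
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        [pscustomobject]@{
            Domain               = $name
            InfrastructureMaster = $im
            ImIsGC               = $imIsGc
            AllDcsAreGC          = $allGc
            Misplaced            = ($forest.Domains.Count -gt 1) -and $imIsGc -and -not $allGc
        }
    }
}

Get-FsmoReport | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

`netdom query fsmo` gives the same holder list from a plain command prompt; the PowerShell version adds the reachability and GC columns that decide whether a role needs to be seized or moved.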

21
Q

F04: Define a Site

A

A group of domain controllers connected by a fast, reliable, high speed connection.

Sites are the interface between the logical and physical structure of Active Directory. A site in Active Directory should exist where a LAN exists; a domain can have any number of sites.

22
Q

F04: Define a site link

A

By placing our domain controllers into sites we can control the time and type of replication taking place across our WAN links by establishing site links that link together your separate sites. Your site links should exactly mirror your WAN circuits depicted on your WAN Diagram.

23
Q

F04: Describe the Replication Process

A

Place the DCs into sites to control the time and type of replication. One DC per site, the IP Bridgehead server, controls replication into and out of the site. Instead of having every domain controller send its changes to every other controller, domain controllers replicate freely to each other within the same site. The IP Bridgehead server replicates between sites across the WAN.

24
Q

F04: State the purpose of a Bridgehead Server

A

The IP Bridgehead controls replication into and out of the site. Instead of having every domain controller send its changes to every other controller, domain controllers replicate freely to each other only if they are placed in the same site. The IP bridgehead server consolidates all of the changes and then sends them across the WAN links to other sites. It receives changes from the other sites and then replicates those changes to the domain partition of all of the domain controllers in its site.

25
Q

F04: State the purpose of the Knowledge Consistency Checker (KCC)

A

Controls the replication topology.

*The KCC is a process that runs inside every domain controller; it determines how Active Directory is going to replicate both inter- and intra-site. It recalculates the topology every 15 minutes and creates or removes connection objects as domain controllers and site links change. Within a site it builds a ring of connections so that no DC is more than three hops from any other. Between sites, one DC per site acting as the Inter-Site Topology Generator (ISTG) runs the KCC logic that reads the site links you created and builds the connection objects between bridgehead servers in different sites.
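Added example, not from the original flashcards, covering the site, site link, replication, bridgehead and KCC cards above: dump the site topology as the KCC sees it (sites and their DCs, site links with cost and interval, the inter-site connection objects with the bridgehead at each end) and then list current replication failures. It assumes the ActiveDirectory module on Server 2012 or later; the parsing of NTDS Settings distinguished names into server and site is this example's own.

```powershell
# Added example (not from the flashcards). Assumes the ActiveDirectory module (Server 2012+).
Import-Module ActiveDirectory

function ConvertFrom-NtdsDn {
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    param([Parameter(Mandatory)] [string] $Dn)
    $rdn = ($Dn -split ',') -replace '^CN=', ''
    [pscustomobject]@{ Server = $rdn[1]; Site = $rdn[3] }
}

function Get-SiteReport {
    # Intra-site replication between these DCs needs no configuration and no diagram.
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $dcs = Get-ADDomainController -Filter "Site -eq '$($site.Name)'"
        [pscustomobject]@{ Site = $site.Name; DomainControllers = (@($dcs.HostName) -join ', ') }
    }
}

function Get-SiteLinkReport {
    # Site links are the input the ISTG uses to decide which bridgeheads replicate across the WAN;
    # they should mirror the circuits on the WAN diagram.
    foreach ($link in Get-ADReplicationSiteLink -Filter *) {
        $siteNames = $link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
        [pscustomobject]@{
            Link        = $link.Name
            Cost        = $link.Cost
            IntervalMin = $link.ReplicationFrequencyInMinutes
            Sites       = ($siteNames -join ' <-> ')
        }
    }
}

function Get-InterSiteConnectionReport {
    # Connection objects that cross a site boundary; their ends are the bridgehead servers.
    foreach ($c in Get-ADReplicationConnection -Filter *) {
        $from = ConvertFrom-NtdsDn $c.ReplicateFromDirectory
        $to   = ConvertFrom-NtdsDn $c.ReplicateToDirectory
        if ($from.Site -ne $to.Site) {
            [pscustomobject]@{
                FromSite = $from.Site; FromBridgehead = $from.Server
                ToSite   = $to.Site;   ToBridgehead   = $to.Server
                AutoGenerated = $c.AutoGenerated   # $false: hand-made, so the KCC will not adjust it
            }
        }
    }
}

function Get-ReplicationHealth {
    $forest = (Get-ADForest).Name
    Get-ADReplicationFailure -Target $forest -Scope Forest |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
}

Get-SiteReport               | Format-Table -AutoSize
Get-SiteLinkReport           | Format-Table -AutoSize
Get-InterSiteConnectionReport | Format-Table -AutoSize
Get-ReplicationHealth        | Format-Table -AutoSize
```

`repadmin /replsummary` and `repadmin /showrepl` give the same health picture from the command line; a bridgehead whose inbound connection shows a growing FailureCount is the usual reason one site falls behind the rest of the forest.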

26
Q

F04: State the purpose for Directory Service Remote Procedure Call (DS-RPC)

A

Intra-site replication utilizes DS-RPC (RPC over IP), which is the default, preferred replication transport on domain controllers running Server 2008 R2. DS-RPC appears in the Active Directory Sites and Services snap-in as “IP”. Intra-site replication is not necessary to depict on diagrams because it happens automatically when domain controllers are placed into sites.

*The Marine Corps uses DS-RPC for inter-site replication as well.

27
Q

F04: State the purpose for Inter-Site Messaging - Simple Mail Transfer Protocol (ISM-SMTP)

A

ISM-SMTP is an inter-site transport only. It can replicate the schema, configuration, and Global Catalog partitions but not a domain partition, so it can only be used between domain controllers of different domains. It also requires a certificate authority in the Active Directory infrastructure, because the replication messages are signed and encrypted. For both reasons it is rarely used; DS-RPC over IP is the normal choice.

28
Q

F06: State the purpose of Microsoft Internet Information Services (IIS)

A

A Microsoft product used as a framework for hosting web and FTP sites. It is made up of a suite of protocols and services that add functionality and support to the server to allow clients to connect to it.

*Every time a user visits a web site, his or her TCP/IP traffic is directed towards a directory on a server running a web service like IIS or Apache. This web service has to be able to support computers and web browsers running Linux, Macintosh, Microsoft and other operating systems.

29
Q

F06: Describe the structure of a Uniform Resource Locator (URL)

A

A Uniform Resource locator is how a user accesses information on the web server. It can be broken into 5 parts:
Protocol
A fully qualified domain name or IP address
Folders
Document
Language

30
Q

F06: State the importance of Microsoft Internet Information Services (IIS) Security

A

In its capacity to serve as a web server, the best place for IIS to run is on a member server that is not running any Active Directory roles or other vital roles in your services infrastructure. This becomes especially paramount when the web server is made accessible by the Internet. For security purposes and access control many Marine Corps web pages only run internal to a unit.

While a domain controller is perfectly capable of handling IIS in addition to its duties of controlling Active Directory, web services can open up vulnerabilities on the server making it easier for hackers to access the domain controller. Since a domain controller has a complete copy of every object in the domain and controls access to just about everything in your network, allowing a hacker access to your domain controller would be like giving him or her keys to your house.

Overall, Security is an important factor in website and network design. Websites are extensively used for collaboration and information sharing. By hardening the web site and enabling authentication and restricting privileges, you protect the website but make it harder for the user to get the information he or she needs.

Access is not the only problem with website security. Website functionality like animations, automatic updates, and various types of content that add to the user’s experience, may detract from the ability of the website to convey information if turned off. There is a balance between functionality and security that must take both factors into account.

31
Q

F07: Identify the ports commonly used to enable Electronic Mail (E-mail) Services within Packet Switching Networks (PSNs)

A
SMTP: 25
IMAP: 143
POP3: 110
MAPI: 135 (RPC endpoint mapper; the Outlook-to-Exchange RPC session itself then uses a dynamically assigned high port)
NNTP (Network News Transfer Protocol): 119
HTTP: 80
HTTPS: 443
32
Q

F07: Compare the Microsoft Exchange Logical Structure (Organization, Administrative Groups, and Servers) with the Microsoft Active Directory (AD) Logical Structure

A
Exchange -- Active Directory
Organization -- Forest
Administrative Groups -- Domains, Organizational Units
Servers -- Domain Controllers
Recipients -- Objects
33
Q

F07: Define organization

A

The Exchange Organization is synonymous with the Active Directory Forest. Only 1 Exchange Organization can exist within the Active Directory Forest. All the other logical components fall under the Organization.

34
Q

F07: State the purpose of Administrative Groups

A

Administrative Groups in Exchange are similar to domains and Organizational Units. They are primarily used to group servers, e-mail policies, routing groups, and public folder trees for the delegation of permissions.

35
Q

F07: Describe the three Administrative Models for Microsoft Exchange Organizations

A

Centralized Administration – only 1 administrative group is used and permissions and access to the Exchange Servers is tightly controlled. Even if servers are in multiple physical locations they are still in the same administrative group.

Decentralized Administration – Administrative groups are divided into separate physical locations and permissions and access is administered locally instead of from a centralized location.

Mixed – a combination of decentralized and centralized administration.

36
Q

F07: Describe the three core components of Microsoft Exchange

A

Information Store
The Information store is a collection of databases: The mailbox store and the public folder store. Incoming mail is received from the routing engine and stored in the appropriate mailbox or mailboxes. Outgoing mail is delivered from the information store to the routing engine for routing to its destination. The Information Store notifies clients when email arrives, and interfaces with Active Directory to resolve email addresses before the email is sent.

Routing Engine
The Routing Engine in the Exchange server has 2 functions. It routes messages to other Exchange servers in the organization and it routes messages to external email servers as appropriate using SMTP connectors.

System Attendant
The system attendant has several functions in Exchange including building routing tables for the routing engine to execute. It also generates addresses for emails sent outside the organization, is used to enable and disable digital signatures, and logs all errors. The system attendant is the first service started on an Exchange Server and the last one to shut down before a reboot. If the system attendant function is not running, the exchange server will not send, route, receive, or process emails.

37
Q

F07: Select from a list of distracters the purpose of the Automated Message Handling System (AMHS)

A

The Automated Message Handling System (AMHS) was adopted by the Marine Corps in November 2007 and is the official messaging system consisting of government and commercial-off-the-shelf (COTS) software and hardware used to prepare, submit, transport, deliver, store and retrieve organizational messages (releasing messages [MARADMINS], equipment taskers, feasibility of support, etc). AMHS was developed to replace the legacy equipment and messaging centers that comprised the Automatic Digital Network (AUTODIN) and the Defense Messaging System (DMS).

38
Q

F08: Identify the four software installations required to enable Microsoft Exchange services within Packet Switching Networks (PSNs)

A

Windows Server 2008 R2 network operating system on a member server (joined to the AD DS domain, but not a domain controller)
IIS
Exchange 2010
An e-mail security solution (e.g. McAfee HBSS)

39
Q

F08: Identify the actions required to prepare Active Directory for the installation of Microsoft Exchange

A

Exchange stores its configuration and its recipient attributes in Active Directory, so the forest schema has to be extended before the first server is installed. You need to execute Exchange’s setup /PrepareSchema once per AD forest. Most Marine Corps networks you fall in on will have already done this at the enterprise level (Comm Bn, MEF G-6, etc). Running this utility on an AD forest writes Exchange attributes and classes to the AD schema in order to provide the users and administrators messaging functionality.

The second utility that needs to be run is setup /PrepareDomain. This utility needs to be run once per domain in the forest in order to ensure that Exchange has been fully integrated with AD.
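Added example, not from the original flashcards: check whether the forest and the current domain have already been prepared for Exchange 2010 before running the setup switches above, then run only the steps that are still missing. It also runs /PrepareAD, which the card does not mention but which Exchange 2010 requires between the schema and domain steps. It assumes the ActiveDirectory module, Exchange media mounted at D:\ (an assumed path), an organization name of "USMC" (assumed), and an account in Schema Admins and Enterprise Admins for the forest-level steps and in Domain Admins for the domain step.

```powershell
# Added example (not from the flashcards). Assumptions: ActiveDirectory module present,
# Exchange 2010 media at D:\, organization name "USMC". Run elevated on a member server.
Import-Module ActiveDirectory

function Get-ExchangeAdPrepStatus {
    $rootDse = Get-ADRootDSE
    # /PrepareSchema adds the Exchange classes and attributes; rangeUpper on this
    # marker object records which Exchange schema version was applied.
    $schemaVer = Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" `
                     -Properties rangeUpper -ErrorAction SilentlyContinue
    # /PrepareAD creates the Exchange organization container under the Configuration partition.
    $org = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)" `
               -Filter 'objectClass -eq "msExchOrganizationContainer"' -ErrorAction SilentlyContinue
    # /PrepareDomain creates the Microsoft Exchange System Objects container in each prepared domain.
    $domObj = Get-ADObject "CN=Microsoft Exchange System Objects,$($rootDse.defaultNamingContext)" `
                  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SchemaPrepared = [bool]$schemaVer
        SchemaVersion  = $schemaVer.rangeUpper
        AdPrepared     = [bool]$org
        Organization   = $org.Name
        DomainPrepared = [bool]$domObj
    }
}

$status = Get-ExchangeAdPrepStatus
$status | Format-List

$setup = 'D:\setup.com'   # assumed path to the Exchange 2010 media
if (-not $status.SchemaPrepared) { & $setup /PrepareSchema }                     # once per forest; run in the Schema Master's site
if (-not $status.AdPrepared)     { & $setup /PrepareAD /OrganizationName:USMC }  # once per forest
if (-not $status.DomainPrepared) { & $setup /PrepareDomain }                     # once in every domain that will hold Exchange servers or mailboxes
```

Reading the marker objects first is what stops a second administrator from re-running a forest-level step that an enterprise team already performed, and the schema version number is what a service pack upgrade checks before it will proceed.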

40
Q

F08: Create a name for a Microsoft Exchange Server

A

NIPR Designator – NameN01E

SIPR Designator – NameS01E

41
Q

F08: State the purpose of the Mailbox role

A

The Microsoft Exchange Server 2010 Mailbox server role hosts mailbox databases and provides e-mail storage and advanced scheduling services for Microsoft Office Outlook users. The Mailbox server role can also host a public folder database, which provides a foundation for workflow, document sharing, and other forms of collaboration.

42
Q

F08: State the purpose the Client Access role

A

The Client Access server role supports the Microsoft Outlook Web Access, Outlook Anywhere, Microsoft Entourage 2004 and Entourage 2008 for Mac, and Microsoft Exchange ActiveSync client applications, in addition to the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) protocols. The Client Access server role also hosts several key services, such as the Autodiscover service and Exchange Web Services.

43
Q

F08: State the purpose of the Edge Transport role

A

Exchange servers running the Edge Transport role connect the Exchange organization to the NIPR or SIPR cloud via SMTP connectors. They sit in the perimeter network, are not members of the Active Directory domain, and apply anti-spam and transport rules to mail entering or leaving the organization.

44
Q

F08: State the purpose of the Hub Transport role

A

The Hub Transport server role is a required role in a Microsoft Exchange Server 2010 organization that provides routing within a single organizational network by using the Active Directory site.

45
Q

F09: State the two purposes for creating Organizational Units (OUs) within Microsoft Active Directory (AD)

A
  1. To delegate administrative control of objects below the domain level. This allows the owner of the OU to create and manage all of the objects inside the OU without affecting the domain structure and higher level functions and roles inside Active Directory.
  2. To control and manage Group Policy. Group Policy in Active Directory provides a centralized method for controlling what users can and cannot do on their own individual computers. Group policy settings can be defined for both users and computers inside Active Directory.
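Added example, not from the original flashcards, for the delegation purpose described in the first item and in the OU card earlier: grant a battalion's data-administrator group the right to create, delete and manage user objects inside the battalion's OU, and then list the explicit permissions on that OU so the delegation can be audited. It assumes the ActiveDirectory module; the OU path and group name are constructed placeholders, and the function that grants rights does write to the directory.

```powershell
# Added example (not from the flashcards). Assumes the ActiveDirectory module. The OU and
# group below are placeholders; Grant-OuUserManagement modifies the OU's ACL.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param([Parameter(Mandatory)] [string] $OuDn)
    # Non-inherited ACEs are the ones set deliberately on this OU (e.g. by the Delegation
    # of Control wizard); inherited ones come from the domain or a parent OU.
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Principal  = $_.IdentityReference.Value
            Rights     = $_.ActiveDirectoryRights
            Type       = $_.AccessControlType
            ObjectType = $_.ObjectType          # class/attribute GUID the ACE is scoped to; all zeros = everything
            AppliesTo  = $_.InheritanceType
        }
    }
}

function Grant-OuUserManagement {
    param([Parameter(Mandatory)] [string] $OuDn, [Parameter(Mandatory)] [string] $GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
    # Create and delete child objects, but only of class user, on this OU and everything below it
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $createDelete, 'Allow', $userClass, 'All')))
    # Full control over descendant user objects (not over the OU itself or over groups, computers, ...)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericAll', 'Allow', 'Descendents', $userClass)))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$bnOu = 'OU=1st Bn,OU=2d Marines,DC=example,DC=mil'   # constructed OU path
Grant-OuUserManagement -OuDn $bnOu -GroupSam '1stBn-DataAdmins'   # constructed group name
Get-OuDelegation -OuDn $bnOu | Format-Table -AutoSize
```

Scoping the ACEs to the user class is the point of the example: a GenericAll on the OU itself would let the battalion's admins modify group memberships and computer objects too, and an unscoped CreateChild would let them create OUs and GPO links that the regiment never intended to hand down.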
46
Q

F09: Define Group Policy

A

Group Policy provides a centralized method for modifying user and computer environments to predetermined settings.

47
Q

F09: State the differences between Security Groups and Group Policies within Microsoft Active Directory (AD)

A

Group Policy is not the same mechanism as security groups. Remember that security groups grant permissions to resources and services within Active Directory, such as folders on a share drive or access to domain controllers. Group Policy, on the other hand, controls what users can and cannot do on their own computers.

48
Q

F09: Describe the principles of Inheritance as they apply to Group Policy within Microsoft Active Directory (AD)

A

Group Policy can be linked to domains, sites, and OUs. Group Policy does not apply at the forest level and to other domains in the forest, only within a domain. The Marine Corps often manages group policy at the domain and OU levels. Group Policy settings are inherited from the top down. So a computer in an OU may have group policies applied at both the domain and OU level. Child OUs inherit the group policy of the parent OU. Group Policy inheritance can be blocked by experienced administrators but is not commonly done.
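Added example, not from the original flashcards: show the GPO links that actually apply to a given OU in precedence order, whether each one is its own link or inherited from the domain or a parent OU, and find every OU in the domain where someone has blocked inheritance. It assumes the GroupPolicy and ActiveDirectory modules; the OU path is a constructed placeholder.

```powershell
# Added example (not from the flashcards). Assumes the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-EffectiveGpoLinks {
    param([Parameter(Mandatory)] [string] $TargetDn)
    # InheritedGpoLinks lists every link that applies to the container, in order of
    # precedence: position 1 wins when two GPOs set the same setting.
    $inh = Get-GPInheritance -Target $TargetDn
    $precedence = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $precedence++
        [pscustomobject]@{
            Precedence = $precedence
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Source     = if ($link.Target -eq $TargetDn) { 'own link' } else { 'inherited' }
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced   # an enforced link from above survives Block Inheritance below it
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$TargetDn blocks inheritance; only Enforced links from above still reach it"
    }
}

function Find-BlockedInheritance {
    # Inheritance blocking is rare and worth knowing about: it silently removes domain-level
    # baselines (password, audit, lockout settings) from everything under that OU.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        if ((Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked) { $_.DistinguishedName }
    }
}

$bnOu = 'OU=1st Bn,OU=2d Marines,DC=example,DC=mil'   # constructed OU path
Get-EffectiveGpoLinks -TargetDn $bnOu | Format-Table -AutoSize
Find-BlockedInheritance
```

On an individual computer, `gpresult /r` shows the same thing from the client's side, including which GPOs were filtered out by security group membership or WMI filters.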

49
Q

F09: State the purpose for standardizing user and computer accounts within Microsoft Active Directory (AD)

A

The rule of thumb is that the computer needs to be able to be quickly identified by administrators throughout the domain. It is not enough for your Marines to know what computer goes where; it needs to be apparent to administrators at the Regimental, Division, and MEF level as well. This is critical for the security of the network as a whole.

50
Q

F09: State the differences between Service and Administrative Permissions and Roles within Microsoft Active Directory (AD)

A

The service level permissions are the easiest to understand. They come preconfigured in Active Directory as Enterprise Admins and Domain Admins. An Enterprise Admin has permission to do anything in the Active Directory forest. In fact with Enterprise Admin, there isn’t anything that a user can’t do. Most Cyber Marines do not need Enterprise Admin permissions to do their job.

The next level of service permissions is the Domain Admin level. This person has permissions to do anything at the Domain level. They can add, remove, and change the roles of domain controllers and other services within the domain. If your battalion level data chief is trusted by the regimental data planner, your chief may be given domain admin rights. However, on a daily basis your Marines do not need domain admin rights unless they are directly in charge of running a server farm.

The most common type of permissions is found not at a service level but in the data administrator category. Data administrators may have permissions to create and manage users, groups, printers, servers, and other objects within Active Directory. Your Marines will always need these permissions. These permissions are allocated using security groups and group policy. There are no preconfigured data administrator permissions in Active Directory, they need to be created and assigned by the network planner.
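Added example, not from the original flashcards: enumerate the standing membership of the service-level groups described above, flattening nested groups so that a data admin who was added indirectly still shows up, and warn when Enterprise Admins is populated day to day. It assumes the ActiveDirectory module; the group list and the warning threshold are this example's own choices.

```powershell
# Added example (not from the flashcards). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedGroupMembers {
    param([string[]] $Groups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'))
    $forestRoot = (Get-ADForest).RootDomain
    $thisDomain = (Get-ADDomain).DNSRoot
    foreach ($g in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $server = if ($g -in 'Enterprise Admins', 'Schema Admins') { $forestRoot } else { $thisDomain }
        # -Recursive expands nested groups down to the accounts that actually hold the rights.
        Get-ADGroupMember -Identity $g -Server $server -Recursive | ForEach-Object {
            [pscustomobject]@{
                Group  = $g
                Domain = $server
                Member = $_.SamAccountName
                Class  = $_.objectClass
            }
        }
    }
}

function Get-StalePrivilegedAccounts {
    param([Parameter(Mandatory)] [object[]] $Members, [int] $InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $Members | Where-Object Class -eq 'user' | ForEach-Object {
        $u = Get-ADUser -Identity $_.Member -Server $_.Domain -Properties LastLogonDate, PasswordLastSet, Enabled
        if ($u.Enabled -and ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)) {
            [pscustomobject]@{ Group = $_.Group; Member = $_.Member; LastLogon = $u.LastLogonDate; PasswordLastSet = $u.PasswordLastSet }
        }
    }
}

$members = Get-PrivilegedGroupMembers
$members | Sort-Object Group, Member | Format-Table -AutoSize

$ea = @($members | Where-Object Group -eq 'Enterprise Admins')
if ($ea.Count -gt 0) { Write-Warning "Enterprise Admins has $($ea.Count) standing member(s); it should normally be empty" }
Get-StalePrivilegedAccounts -Members $members | Format-Table -AutoSize
```

An account that holds Domain Admin rights but has not logged on in months is exactly the kind of account an attacker looks for, because nobody notices when it starts being used.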

51
Q

F10: Define Virtualization

A

The process of implementing multiple operating systems on the same set of physical hardware in order to better utilize the hardware. It allows the network planner to run multiple operating systems independently on one computer.

52
Q

F10: Identify the most common reasons for implementing virtualization within a Packet Switching Network (PSN)

A
Server consolidation and Efficiency
Legacy Application Support
Legacy Operating System Support
Demonstrations
Testing
Education and Learning
  • Frees network planners from planning 1:1 Active Directory servers, roles, and services.
  • Fewer physical servers mean less power, HVAC support, and Marines to manage and maintain as well.
  • Supports legacy application and operating systems.
  • Can also be used for demonstrations and testing of new configurations and applications.
  • Is also great for education, training, and learning applications.
53
Q

F10: State the purpose of a Hypervisor

A

It is a bare-metal operating system, meaning that it is installed directly onto the hardware as the primary operating system. It is more efficient than hosted virtualization software (which runs on top of a general-purpose OS) because it devotes nearly all of the computer's resources to the VMs instead of sharing them with a host operating system.

54
Q

F10: Identify the virtualization software employed within United States Marine Corps Packet Switching Networks (PSNs)

A

The Marine Corps primarily uses the VMWare family of virtualization software. Currently the hosted software available for use is VMWare Player, Workstation, and Server. And the Hypervisor software is ESX and ESXi.

55
Q

F10: Identify the characteristics of a virtual server

A

A virtual machine has no knowledge of other virtual machines on the same physical computer and no knowledge of the virtualization software, hypervisor or hosted. Virtual machines communicate with other computers, physical and virtual, on the network using the OSI model; there is no difference between frames and packets destined for a virtual machine and those destined for a physical machine. In fact the only difference between a physical server and a virtual server is that your eyes can see the physical server in a rack in a communications closet or Techcon.

Virtual machines have the same components that physical computers do: CPU, RAM, hard drives, network interface cards, and DVD-ROM drives. They operate by using a portion of the resources of the physical computer. The hypervisor or host virtualization software takes the actual physical resources of the physical computer and makes them available to the virtual machines: virtual CPUs are scheduled onto the physical CPU, virtual RAM is allocated from the total amount of physical RAM on the computer, and the virtual machine's hard drive can be composed of space on the physical machine's hard drive, a filer, or another file storage system.

Each virtual machine is then linked to the network interface card (NIC) of the physical computer, given a unique IP address, and networked through the host computer's actual NICs. Other physical resources of the host, like CD/DVD-ROM drives, are also mapped to each of the virtual machines for their use.

56
Q

F10: Identify the benefits of the four (4) characteristics of a good network design in a virtual environment

A

Fault Tolerance and Redundancy
Scalability
Quality of Service
Security