MCSA 70-741 Flashcards

Question

What is NSEC?

Answer 1

Next Secure NSEC and NSEC3 are resource records for DNSSEC, which provide authenticated denial of existence.

Answer 2

Trust Anchor Two types of DNSSEC resource records are referred to as Trust Anchors: DNS Key (DNSKEY) Delegation Signer (DS)

Answer 3

A single hostname has multiple DNS records with different IP addresses and low TTL. The DNS server cycles through records each time an address is requested. This allows for load balancing. It is configured in the properties of a zone, in the Advanced tab.

Answer 4

A new feature of Server 2016, DNS Policies allow you to configure how a Windows Server 2016 DNS server behaves, based on a combination of client, server, and environmental variables. Features: * Location-based traffic management * Load balancing with weighting * Time-based policies * Split Brain DNS * Selective recursion * Query filters

Answer 5

Policies configured at the server level will take precedence over policies at the zone level. Policies are assigned priorities, and the lowest priority will be applied first. The first match wins, so as soon as a policy is applied, the other policies are ignored.

Answer 6

Response Rate Limiting * RRL settings allow you to configure how a DNS server responds to repeated queries for the same record over a short period of time, since such behavior is likely malicious, as in a DOS attack. * It is disabled by default on Server 2016 DNS.

Answer 7

You can configure the DNS server to resolve queries recursively for some clients, without the DNS server being an open resolver for all clients. For example, you could allow recursion for internal clients, but disallow recursion for external clients, which would help mitigate the amplitude of a DDOS attack.

Answer 8

Prior to Server 2012 R2, Windows DNS servers with recursion disabled would reply with an "upward referral response" which contained a list of name servers. This makes the DNS server susceptible to a DNS amplification attack. Windows Server 2016 DNS servers with recursion disabled will instead respond with SERV_FAIL messages. This generally should not cause a problem, since most clients should already be aware of what the root servers are, and shouldn't need a list.

Answer 9

Cache Locking configures the DNS cache so that records in the cache cannot be overwritten until a chosen percentage of the TTL has expired. It is enabled by default, for 100% of the TTL. This helps mitigate against cache poisoning attacks.

Answer 10

When records in the DNS server's cache are overwritten by fraudulent, malicious records.

Answer 11

If the server is receiving a couple hundred or a couple thousand of queries per second, leave on defaults. If receiving tens or hundreds of thousands of queries per second, then: * Disable recursion, either entirely, or through selective recursion where it is allowed for an internal scope of clients, but disabled for everyone else * Create an explicit firewall rule for UDP port 53 for interface IP address. This reduces firewall CPU usage. * On computers with more than 12 cores, set the UDP thread count to 8. This is the optimum level. (If less than 12 cores, leave on default) - Set network adapter buffers to maximum

Answer 12

BIND is the most widely used DNS server software. It is open source. Windows Server 2016 DNS can be configured to interface with it.

Answer 13

Multicast Address Dynamic Configuration Allocation Protocol * Previously known as Multicast DHCP * Provides addresses in the multicast address range (224.0.0.0 through 239.255.255.255) * Clients still need an IP address for network communication outside of the multicast range. So, clients can receive a traditional IP address as well as a multicast address for when they need to access multicast networks and content.

Answer 14

224.0.0.0 through 239.255.255.255

Answer 15

* Multicasting is the process of sending messages to a select group of clients on a network. * Used for services like streaming audio and video. * Multicast is used when you have a single point of content that you want going out to many points. Instead of using unicast to broadcast to each individual client, multicast broadcasts to many clients.

Answer 16

Network Subnet Default Gateway Option Codes (DNS Servers, NTP Servers, etc) MAC Address

Answer 17

* Network Prefix * Option Codes (DNS Servers, NTP Servers, etc) * DHCP Unique Identifier (DUID) * Interface Association Identifier (IAID)

Answer 18

* In DHCPv6, it is not necessary to provide the Default Gateway, because that is handled by router advertisements from the local router. * MAC addresses are not used for DHCPv6 address allocation. Instead, it uses a DUID and IAID (DHCP Unique Identifier and Interface Association Identifier).

Answer 19

DHCP Unique Identifier * A unique ID per host computer, used for IPv6 DHCP. * In the Windows DHCP console, this is labeled as a "Unique ID" in some places.

Answer 20

Interface Association Identifier A unique number per network interface, used for IPv6 DHCP.

Answer 21

Stateless Address Automatic Configuration Allows a host to generate its own IPv6 addresses using a combination of locally available information, and information advertised by routers. SLAAC requires an IPv6 router, to send out Router Advertisement (RA) messages. These messages contain the IPv6 prefix information (similar to an IPv4 subnet), and the default gateway address.

Answer 22

• Server icon with no indicator: DHCP server is added to console Server icons with indicators: * Green check mark: DHCP server is connected and active in console * Red down arrow: DHCP server is connected, but not authorized in AD for use on your network * Red minus symbol: DHCP server connected but current user does not have the administrative credentials to manage the server * Yellow exclamation mark: DHCP server warning. Available addresses for server scopes are 90 percent or more leased and in use. * Blue exclamation mark: DHCP server alert. No address are available from server scopes because 100 percent of the addresses allocated for use are currently leased.

Answer 23

Folder icon with no indicator: Scope or superscope is active Folder icons with indicators: Red down arrow: Scope or superscope is inactive Yellow exclamation mark: Scope or superscope warning. Scope warning: 90 percent or more of the scope's IP addresses are in use. Superscope warning: If any scope within the superscope has a warning, the superscope has a warning. Blue exclamation mark: Scope or superscope alert. Scope alert: All IP addresses have been allocated by the DHCP server and are in use. Superscope alert: At least one scope contained in the superscope has all IP addresses allocated by the DHCP server.

Answer 24

For migrations from Server 2012 R2 or older, to Server 2016, you may use netsh For migrations from Server 2012 or newer, to Server 2016, you may use PowerShell: Export-DhcpServer Import-DhcpServer

Answer 25

Hot Standby - Active-passive failover - Best suited for branch office - Branch office has primary DHCP server; central office has a standby partner DHCP server that will only become active if the primary goes down. Load Balancing - Active-active failover - Both servers are active - Best suited for same-site deployments

Answer 26

Role-Based Access Control Part of IPAM, it allows you to configure user permissions within IPAM, based on what a user can do, and where they can do it.

Answer 27

* DHCP failover supports DHCPv4 scopes only, not DHCPv6. * Failover is configured at the scope level. * You first configure the scope on one (primary) server, then in the settings for that scope, configure failover and specify the partner server and failover mode. * You can only add one partner server configured as failover, for a total of two servers on the scope.

Answer 28

IP Address Management

Answer 29

- It can be configured for manual provisioning, which is extremely complicated and requires numerous firewall configurations on each server. - Manual provisioning should only be used, if at all, when you have a very small number of servers to manage. - It is recommended, and much easier, to configure for Group Policy-based provisioning, also called automatic provisioning. - Once the IPAM server has been provisioned, you cannot change the provisioning type.

Answer 30

- Configure DHCP server properties - View DNS server properties - Create, configure, and manage DHCP scopes and options - Create, configure, and manage DNS zones and options - Manage IP addressing - Record historical data - Manage physical and virtual IP address space - Note that IPAM CANNOT manage 3rd party products or Azure

Answer 31

- It cannot be installed on a domain controller - Avoid installing on a DNS or DHCP server (it is best installed as a standalone server) - Can optionally be installed on Server Core - The IPAM server, and all servers it is managing, must be members of the domain

Answer 32

IPAM can manage up to: - 150 DHCP servers - Approx. 6000 scopes - 500 DNS servers - Approx. 150 zones - 3 years of forensics data - 100,000 users

Answer 33

In IPAM, a Block is an IP address space used by an organization, which could contain multiple ranges and subnets. Ex. 192.168.x.x This block could include 255 Class C subnets. A Block configured in IPAM will include: - Network ID - Prefix length - Automatic assignment settings - Start and end IP addresses - For Public IPs, the registry details

Answer 34

In IPAM, a Range is a contiguous group of IP addresses within a block. It may contain multiple subnets. A range can also be defined as a subnet within a block.

Answer 35

It locates an available IP address to assign to a host, and can create a DHCP reservation and DNS records all in the same process. It locates an available address by first checking the IPAM database, then confirming with DNS Records, and finally by attempting to PING the address.

Answer 36

- Account Login Event auditing must be enabled on all Domain Controllers (it is NOT enabled by default) - IPAM must be configured to manage all Domain Controllers (so that any DC which processes the login will have the event captured) - Reverse lookup zones must be configured - DHCP logging must be enabled (it IS enabled by default) - Note, this will only audit domain user logins; local user logins cannot be audited using IPAM

Answer 37

A feature of IPAM, IP Address Tracking can search and correlate IP address usage history by: * IP Address * Client ID * Hostname * Username Note, a date or date range must be specified when searching.

Answer 38

- A two-way trust relationship, either between the domain that hosts IPAM and every other domain in the forest, or else a full forest-trust relationship - The account that performs GPO provisioning for each domain must be a member of the administrators group in that domain, or be delegated the appropriate privilege. It requires credentials that have the ability to run IPAM's Invoke-IPAMGPOProvisioning command.

Answer 39

1) In DNS, set up a conditional forwarder from each domain to the other. (Each forest needs to be able to find the root domain of the other.) 2) In Active Directory, go to the Properties of a forest, then the Trust tab, and click "New Trust" to launch the wizard.

Answer 40

You only need to backup and restore these two files: ipam.mdf ipam_log.ldf Both are contained in \Windows\System32\Ipam\Database

Answer 41

- Requires SQL Enterprise Edition - Must be SQL 2012 or newer. The newer, the better. - Migration is one-way. You cannot migrate back to WID.

Answer 42

The DHCP Pre-Boot Execution (PXE) client option ID is: 060 You could use this to get clients to work with WDS.

Answer 43

This will show all authorized DHCP servers in Active Directory, i.e. authoritative DHCP servers in the domain.

Answer 44

* A domain user account that does not expire * The user must be in these two groups on the IPAM server: IPAM ASM Administrators, and Remote Management Users * Time must be synchronized between the VMM and IPAM servers * Following the above, IPAM must be added to the VMM networking fabric

Answer 45

DirectAccess allows managed domain-joined computers to connect to the internal corporate network as DirectAccess clients. Connectivity is seamless and transparent, and is available any time client computers are connected to the Internet. DirectAccess administrators can remotely manage clients, ensuring that mobile computers are kept up-to-date with security updates and corporate compliance requirements.

Answer 46

VPN allows it to remotely access corporate networks over a VPN connection. It is managed in the Remote Access console.

Answer 47

The following roles services fall under the Remote Access role: • Remote Access Service (RAS) - Includes DirectAccess, VPN, and RAS Gateway • Routing - Provides support for NAT Routers, LAN Routers running BGP, RIP, and multicast capable routers • Web Application Proxy

Answer 48

You can configure: - A site-to-site VPN - a VPN gateway - a Dial-up remote access server - NAT - LAN routing - a basic firewall

Answer 49

Class A: 10. 0.0.0/8 10. 0.0.0 to 10.255.255.255 Class B: 172. 16.0.0/12 172. 16.0.0 to 172.31.255.255 Class C: 192. 168.0.0/16 192. 168.0.0 to 192.168.255.255

Answer 50

You would use VPN instead of DirectAccess if: - The client is not part of the domain - The client applications do not support IPv6 - You need to support Windows XP clients, or Windows 7 clients where there's no PKI - You need to support non-Enterprise editions of Windows - You need to support non-Windows clients - There's no strong need to specify restricted resources

Answer 51

PPTP - Point-to-Point Tunneling Protocol - not recommended due to security weaknesses L2TP/IPsec - Layer 2 Tunneling Protocol - Uses IKEv1 SSTP - Secure Socket Tunneling Protocol - does not support site-to-site VPNs IKEv2 - Internet Key Exchange version 2 - the default protocol for Windows 7, Server 2008 R2, and newer systems

Answer 52

PAP - Password Authentication Protocol - sends in plaintext; not recommended CHAP - Challenge-Handshake Auth. Protocol - also older and not recommended MSCHAPv2 - Microsoft's improvement on CHAP - Mutual (2-way) authentication EAP/PEAP - (Protected) Extensible Authentication Protocol - Flexible; clients and servers negotiate the authentication method based on their respective capabilities; can also use certificates

Answer 53

Remote Authentication Dial-In User Service A RADIUS server is an NPS system that provides a central location to authenticate and authorize users for multiple remote access servers.

Answer 54

Network Policy Server In the NPS console, you can: Configure remote access policies - Connection request policies - Network policies Configure RADIUS - Radius clients and servers - Radius accounting - Radius templates management

Answer 55

Connection Manager Administration Kit Can create VPN connection profiles as .exe files, which can be run on a client computer to have the profile added and fully configured.

Answer 56

Internet Authentication Service A former name for NPS. The IAS acronym is still occasionally used in the UI, for example, in the Active Directory built-in group "RAS and IAS servers".

Answer 57

Network policies are ordered, and NPS evaluates them one at a time in sequence. If the conditions of a policy do not match, NPS goes on to the next policy in line. If the conditions of a policy are met, then no more policies get evaluated. The constraints on a policy get evaluated after the conditions of the policy have been satisfied. Each and every constraint must then be satisfied, or access is denied. If a policy's conditions have matched, but a constraint doesn't match, then access is denied.

Answer 58

- If the AD dial-in property is set to "Deny," then the user is denied regardless of network policies. - If the AD property is set to "Allow," then the user is granted access, unless a network policy has an explicit "deny" policy affecting this user. - If the AD property is set to "NPS Controlled" / "Not configured," then the network policy is the sole decider for the user. - If there are NO network policies, the AD property is the sole decider for the user.

Answer 59

- Conditions: Determine whether a policy is evaluated for a connection request. A policy must have at least one condition. - Access Permission: Simply set to either Grant, Deny, or determine based on the User's Dial-in Properties in AD - Authentication Methods - Constraints: Optional, additional parameters that are required to match the connection request. If any constraint is not matched, the request is rejected. - Settings: If the policy's conditions and constraints are all matched, NPS will apply the settings to the connection request. - Processing Order: The placement of the policy on the list of Network Policies determines the order it will be evaluated in.

Answer 60

1. First, the RADIUS Server must already be configured. 2. On the RADIUS client, in the NPS console, create a "Remote RADIUS Server Group." 3. Add the RADIUS server(s) to the group, and the shared secret that was set for the server. 4. Then, in Connection Requests Policies, edit the properties of the default policy named "Microsoft Routing and Remote Access Service Policy," which should be at Processing Order 1. In the policy's settings tab, under Authentication, set it to "Forward requests to the remote RADIUS server group for authentication."

Answer 61

RADIUS clients • Reuse locally or on other NPS servers Remote RADIUS Servers • Reuse in remote RADIUS server groups Shared Secrets • Reuse with RADIUS clients and server IP Filters • Reuse with network policies

Answer 62

"RAS and IAS Servers" This group is built-in to Active Directory

Answer 63

Network Location Server * A Web Server with an SSL certificate, used by DirectAccess clients to determine if they are currently located internally on the corporate network, or if they are external. * If the client can access the NLS, it knows it is on the corporate LAN and does not need to establish a DirectAccess connection. * If the NLS server is not reachable from the client cannot access the NLS, it will assume it is outside of the corporate network and will try to establish to DirectAccess connection. * The NLS is not reachable over a DirectAccess connection, because an exemption is created for it in the NRPT.

Answer 64

* Commonly deployed on IIS, but it can be installed on any platform that can serve as a web server with an SSL certificate installed (IIS, Apache, NGINX, etc.) * You can also use an Application Delivery Controller (ADC) to serve as an NLS. * It should be highly available, due to the nature of its role. * It can be installed on the same server as the DirectAccess server, but this is not recommended, because if this server goes down, it can confuse DirectAccess clients connecting internally.

Answer 65

* Windows Server 2016, either Standard or Datacenter editions * Server must be joined to the domain * IPv6 must not be disabled (but does not require any further configuration) * Windows Firewall must be Enabled, for all profiles (domain, public, and private) * Network Interfaces must be configured with IP address, mask, and gateway. * If using a topology with two NICs (external and internal), then the external NIC should not have any DNS server configured. And, if you have more than one internal subnet, static routes are required for the internal-facing interface to access the additional subnets.

Answer 66

It is a very fast, easy method of predefined configuration for deployments with basic settings. It has less infrastructure requirements than a standard DA configuration. But, overall, it is not recommended because of its limiting inflexibility.

Answer 67

The default configuration of DirectAccess is called Split Tunneling, in which the client connects ONLY to the internal network via the Remote Access server, and all other internet traffic is separate and does not involve DA. If force tunneling is enabled, DirectAccess clients connect to the internal network AND to the internet via the Remote Access server. All traffic goes through the DA connection. This can allow for enforcement of web policies, logging of traffic, etc.

Answer 68

• The client computer object must be added to the DirectAccess clients security group in Active Directory (for the default setup; any other method of applying the DA Client GPO to the computer will also work) • The DirectAccess IPsec certificate must be deployed to the client computer (this may also be automated through auto-enrollment settings in the Certificate Templates Console and Group Policy) • It is also optimizes the client to disable unnecessary IPv6 technologies: 6to4, ISATAP, and Teredo (again, this can be implemented through Group Policy)

Answer 69

Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol. It enables cryptographically signing DNS records so that client computers can validate responses. Specifically, DNSSEC provides origin authority, data integrity, and authenticated denial of existence. With DNSSEC, the DNS protocol is much less susceptible to certain types of attacks, particularly DNS spoofing attacks.

Answer 70

DNS records are split into different scope zones, which allows DNS servers to respond to client requests based on whether the client is internal or external to the network.

Answer 71

DirectAccess Connectivity Assistant An optional component for Windows 7 DirectAccess clients, that provides some of the functions that are built into Windows 8+ * Provides a graphical connectivity status indicator * Can generate diagnostic logs * Facilities OTP/PIN entry

Answer 72

* Certificate authentication is required (It is optional if only working with Windows 8+ clients) * For multisite configurations, additional AD security groups are required * If using OTP for user authentication, an application (DCA) must be installed on the client

Answer 73

Network Connectivity Assistant * Used by DirectAccess clients * Built-in to Windows 8+ systems

Answer 74

A user role in IPAM. MSM stands for "Multi-Server Management." The role can manage multiple DNS and DHCP servers.

Answer 75

UDP ports 500 and 4500 for the IKEv1 data and UDP port 1701 for the L2TP/IPSec data

Answer 76

UDP ports 500 and 4500 for the IKEv2 data UDP port 1701 for the L2TP/IPSec data

Answer 77

* NPS servers * DHCP servers * Routing configuration * But NOT DNS

Answer 78

In a stateful configuration, IPv6 addresses are leased from and recorded by a DHCP server, similar to DHCPv4. In a stateless configuration, IPv6 clients retrieve address prefix information from routers, and use this for auto-configuration of their own addresses. The addresses are not saved in DHCP. In both cases, the DHCPv6 server can still provide configuration options such as a DNS server. In both cases, the DHCPv6 server does NOT provide gateway information. There is no option to do so. Clients must obtain this from an IPv6 router's advertisement.

Answer 79

IPv4 clients use DHCPDiscover broadcasts. IPv6 clients use solicit messages. A multicast address is used when sending a solicit message.

Answer 80

A client requesting access is checked against network policies that are configured on the RADIUS proxy before being forwarded to the RADIUS server.

Answer 81

Pre-Boot Execution (PXE) servers / Windows Deployment Services (WDS) servers

Answer 82

Because DHCP is a broadcast-based protocol, it does not pass through routers. So, a DHCP Relay Agent relays messages between DHCP clients and servers located on different networks. A DHCP Relay Agent receives any DHCP broadcasts on its subnet, and forwards them to a specified DHCP server on a different subnet. Every subnet that contains DHCP clients must have either a DHCP server, or a relay agent.

Answer 83

Routing and Remote Access Service An MMC snap-in.

Answer 84

Add-DhcpServerInDC

Answer 85

Router Advertisement Used for IPv6 networks. IPv6 clients receive an RA from an IPv6 router. The RA messages contain, at minimum, the default gateway address. If using SLAAC, the RA will also include the IPv6 prefix information (which servers a similar function to an IPv4 subnet).

Answer 86

Automatic (synchronous) backups, and the backup destination, are configured through Server Manager. Automatic backups include: • All scopes • Reservations • Leases • All options • All related registry keys and configuration settings The default backup interval for automatic backups is 60 minutes. This can only be changed by modifying the registry. Manual (asynchronous) backups can be taken through the PowerShell cmdlet: Backup-DhcpServer DHCP databases can be backed up and restored by exporting and importing it using Netsh.

Answer 87

DNS clients are redirected to the healthiest endpoint for a given application.

Answer 88

DNS clients are redirected to the closest datacenter.

Answer 89

DNS records are split into different Zone Scopes, and DNS clients receive a response based on whether they are internal or external clients.

Answer 90

DNS queries from a list of malicious IP addresses or FQDNs are blocked.

Answer 91

Malicious DNS clients are redirected to a sink hole instead of the computer they are trying to reach.

Answer 92

DNS clients can be redirected to datacenters based on the time of the day.

Answer 93

By use of a shared secret.

Answer 94

A shared secret is a sequence of 22 to 128 characters. It is used on RADIUS devices as a password between RADIUS servers, clients, and proxies. It can be typed or pasted in manually, or saved as an NPS template and applied by selected the template.

Answer 95

The cmdlet for manual IPAM provisioning is: Invoke-IpamServerProvisioning

Answer 96

The cmdlet for automatic IPAM provisioning is: Invoke-IPAMGPOProvisioning This creates three GPOs: • DNS • DHCP • DC and NPS

Answer 97

A forest trust can be two-way, or one-way (either incoming or outgoing). It can be forest-wide, or selective.

Answer 98

IPAM can use either a WIndows Internal Database (WID) or SQL. If using SQL, it must be SQL Enterprise Edition, and must be version 2012 or newer.

Answer 99

Secure dynamic updates: * Can be configured only in AD-Integrated zones * Client can perform update * DHCP can perform update

Answer 100

Non-secure dynamic updates * Can be allowed for any primary zone, whether AD integrated or not * Any client can update the zone by registering themselves

Answer 101

Every update made to the primary zone must be processed manually, rather than being initiated by any client computer.

Answer 102

It is configured through the Routing and Remote Access MMC snap-in. (RRAS) You CANNOT use the DHCP Relay Agent component on a computer that is already running DHCP, NAT, or ICS (Internet Connection Sharing).

Answer 103

Each DHCP scope is a database.

Answer 104

A user role in IPAM. ASM stands for "Address Space Management." The role can manage IP address blocks, ranges, and addresses.

Answer 105

Distributed File System Replication Allows you to duplicate DFS data, and replicate it across multiple locations. Each location has a full read/write copy of the data.

Answer 106

In DFS, you can have these two types of namespaces. In STAND-ALONE mode, the namespace is stored on a single namespace server. In DOMAIN-BASED mode, the namespace is stored on as many namespace servers as you need, as well as in Active Directory.

Answer 107

In stand-alone mode, the namespace UNC path will use the server name of the namespace server. In domain-based mode, the namespace UNC path will use the domain name.

Answer 108

For DFS Replication, conflicts can occur if a file is being changed and saved in different locations, at the same time (or close enough to the same time, that the replication service cannot complete before alternative changes are made). The file that has the latest change, by the split second, is the one that will be saved to the DFS namespace and replicated. The other file will be saved to a hidden folder under the target folder on the replica server, called "ConflictAndDeleted," with a version number appended to the file name.

Answer 109

* Improved user response time for cached files * Reduced WAN utilization * Does not need maintenance or configuration once set up (set and forget) * Data transfer is secure * No replication conflicts, since only "read" data is cached * Minimal infrastructure required * Included with Windows (on supported versions)

Answer 110

For an Application or Web Content Server, just install the BranchCache Feature. For a File Content server, it's a role service under the File Services server role: BranchCache for Network Files role service. For a Hosted Cache Server (at the branch office), install the BranchCache feature, and use PowerShell to enable hosted cache mode. For a BranchCache clients, no installation is needed, just enable it in the local or domain Group Policy.

Answer 111

* Performance Counters. Several counters are made for BC. * Get-BCStatus * Event Viewer. There are folders under the Application and Logs folders dedicated to BC.

Answer 112

A command-line interface for managing DNS servers.

Answer 113

* VPN servers * Dial-in access servers * Wireless access points * 802.1X capable switches * RADIUS proxies

Answer 114

Simply by deploying additional namespace servers. Note, DFS namespace servers do not benefit from being installed on a failover cluster node. You can install it, but it will have access to local resources only, with no fault tolerance.

Answer 115

DHCP filters are used to allow or deny client leases based on specified settings.

Answer 116

* Address hashing * Hyper-V mode * Dynamic mode

Answer 117

* Switch independent * Link Aggregation Control Protocol (LACP) * Static Teaming

Answer 118

* NetLbfoTeam * NetLbfoTeamNic * NetLbfoTeamMember (The "Lbfo" stands for "Load Balanced Fail Over")

Answer 119

The Remote Procedure Call (RPC) protocol is used by DFS for replication. It uses a dynamic port by default, but can be configured to use a static port.

Answer 120

The components of RBAC are: * Roles: specifies tasks that can be performed * Access scopes: specifies where an action can be performed (per zone, scope, server, subnet, etc.) * Access policies: combines Roles and Access scopes, and applies them to a User or User Group

Answer 121

CNAME records are used to create aliases for host names.

Answer 122

The hints file is used to support root hints. It provides information for Internet root DNS servers for resolving names that are not in the authoritative domain.

Answer 123

Only in Server 2016, DNS introduced the ability to create new resource record types. DNS will respond to requests for the records, but will not do any other automatic record processing.

Answer 124

A pool of ports that, when Socket Pool is enabled, the DNS uses to randomize the port used with DNS queries. This makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID.

Answer 125

IPv6 transition technologies provide a way to support IPv6 address traffic over IPv4 networks. There are various technologies to support communication between network hosts, between networks through routers, and over the Internet. Examples include: * ISATAP * Teredo * 6to4 * 6over4

Answer 126

In Split Tunneling, the client connects ONLY to the internal network via the Remote Access server, and all other internet traffic is separate and does not involve DA. This is the default behavior for DirectAccess.

Answer 127

One of the load balancing mode options. * One NIC accepts all inbound requests * Outbound traffic is assigned to other NICS on a first-in, first-out load-balanced basis. * Address hash created based on packet address information * It works best for servers that have a lot of outbound traffic, and not too much coming in. Such as media or web servers.

Answer 128

One of the load balancing mode options. * Specifically used for Hyper-V hosts to support virtual machine network traffic * Allocates specific NICs to specific VMs * Ensures that VMs are allocated adapters in a load balanced manner

Answer 129

One of the load balancing mode options. * Switches between Hyper-V and Address Hashing modes on the fly * Requires Server 2012 R2 or newer * The default mode for NIC teams in Server 2016

Answer 130

* Used when configuring NIC teaming for failover purposes * If an adapter fails, the standby adapter takes over * This feature is supported by NIC Teaming, but not Switch Embedded Teaming

Answer 131

One of the NIC Teaming Mode options. * For use with unmanaged switches * The NIC team is managed by Windows, independent of the switch the adapter is connected to * The NICs are not required to be connected to the same switch * All switches must be on the same subnet * This is the only mode option available for Switch Embedded Teaming

Answer 132

Link Aggregation Control Protocol (802.1ax) One of the NIC Teaming mode options. * Identifies links between the server and switch dynamically * The switches must have LACP enabled on the ports which are connecting to the teamed NICs

Answer 133

One of the Teaming Mode options. * Based on 802.3ad protocol * All physical interfaces must be on the same VLAN * Requires you to configure an enterprise class switch to support the NIC team

Answer 134

Another term for LACP (Link Aggregation Control Protocol).

Answer 135

* A new feature of Server 2016 * A new, alternative type of NIC team, where a host's physical adapters are integrated into a Hyper-V virtual switch as a one or more virtual adapters. * SET allows a Hyper-V virtual switch to work with RDMA, and the SET NIC team to support both RDMA and IP traffic. (Apart from SET, Remote Direct Memory Access is not possible through a NIC team or a Hyper-V virtual switch, so you would need separate NICs for RDMA and IP traffic.)

Answer 136

* SET requires all NICs in the team to be identical (unlike NIC Teaming). * SET can support up to 8 physical NICs. NIC Teaming supports up to 32. * SET only supports Switch Independent Teaming mode. NIC Teaming supports that, as well as Static and LACP (Dynamic) teaming modes. * SET requires Server 2016. * SDNv2 is only compatible with SET * RDMA and DCB are compatible with SET, but not NIC Teaming. * VM QoS and 802.1x Authentication are compatible with NIC Teaming, but not SET.

Answer 137

* SMB 1 and 2 use a single NIC connection to transmit files. * With SMB 3, SMB Multichannel can be enabled to use all available NICs to share a file server load. * It automatically discovers and uses multiple available network paths. * If one of the NICs fails, it will automatically failover to another. * It doesn't matter whether NICs are teamed or non-teamed.

Answer 138

* The "Datacenter Bridging" feature must be installed on the server, to minimize and handle collisions and packet loss * Server must run 2012 or later * Clients must run Windows 8 or later

Answer 139

SMBClientConfiguration SMBServerConfiguration • Each allow you to view and configure general SMB settings, including enabling multichannel SMBMultiChannelConstraint • Allows you to limit and assign which NICs are used by a server for SMB multichannel SMBMultiChannelConnection • Allows you to view current connections, and to update connections

Answer 140

Virtual Machine Multi-queue * The physical NIC must support VMQ (which typically requires enterprise-class hardware) * The NIC link speed must be at least 10 Gbps (this a requirement of VMQ) * VMMQ must then be enabled on the physical NIC * Once enabled on the physical NIC, it must be enabled on the virtual NIC in the VM settings * The VM must be assigned multiple virtual cores to take advantage of VMMQ

Answer 141

This will tell you if your physical NICs support VMQ. It MUST be run as administrator, or no results will be provided.

Answer 142

Receive Side Scaling (RSS) * When enabled, a network adapter I/O queue uses more than a single processor core * (The normal NIC I/O queue behavior is to use a single core) * It can be enabled either on physical NICs (RSS) or virtual NICs (vRSS), though vRSS works quite differently. * If used with NIC teaming, RSS must be enabled for all adapters in the team

Answer 143

* RSS is an older technology, but doesn't have as rigorous (enterprise-class) hardware requirements. * RSS is a single queue using multiple cores, whereas VMMQ is multiple queues using multiple cores.

Answer 144

Virtual Machine Multi-queue * A new technology in Server 2016 * Allows network adapter I/O queues to use multiple processor cores, while allowing cores to process multiple queues.

Answer 145

* No NLS * No public SSL certificate * No PKI * Therefore, Windows 7 clients are not supported * No load balancing * No multisite / geographic redundancy * No OTP / multi-factor authentication * No force tunneling

Answer 146

By default, the Group Policy is configured to apply to all domain computers with a mobile processor. However, this Group Policy can be edited to apply it as desired.

Answer 147

Non-Uniform Memory Addressing

Answer 148

For utilizing RSS to make a difference, your traffic needs must exceed 10 gigabit per second. And, of course, your NICs must therefore support higher than 10 Gb/s as well.

Answer 149

Single Root I/O Virtualization * SR-IOV maps Virtual Machine Queue pools (VMQ pools) directly into VM memory * It leverages the motherboard chipset, instead of the processor, to move traffic from one hardware component to another. * It bypasses the software switch layer of the Hyper-V virtualization stack

Answer 150

If both are enabled, SR-IOV will take precedence. RSS will be unused. This is because RSS uses processor cores, and SR-IOV bypasses them.

Answer 151

There are some dedicated hardware requirements. * PCI Express network card must support SR-IOV * Motherboard chipset must support SR-IOV - Requires an IOMMU device - SR-IOV must be enabled in BIOS * System must support SLAT (common on any modern Hyper-V system) * The VM Switch must be enabled to support SR-IOV when the vSwitch is created. (It cannot be enabled on an existing switch) * Once enabled on the vSwitch, it must be enabled on the VM's NIC(s) in the VM Settings.

Answer 152

Policy-based QoS • manages traffic on physical networks • controls bandwidth based on application type, users, and computers • Built into Group Policy Hyper-V QoS • manages traffic on virtual networks • controls bandwidth based on vSwitch port number • can apply separate QoS for each vNIC.

Answer 153

Data Center Bridging * Ensures lossless ethernet transport between Windows server and switches * Manages hardware-based bandwidth allocation to specific traffic types * Manages reliability through priority-based flow control * If going through physical hardware switches and network adapters, they must be DCB-capable

Answer 154

* QoS depends on DCB to apply its policies to network adapters * SMB Multichannel depends on DCB, to minimize and handle collisions and packet loss * SMB Direct requires SMB Multichannel, and therefore also requires DCB * RoCE (RDMA over Converged Ethernet) also requires the DCB feature

Answer 155

Remote Direct Memory Access * This feature enables the pushing of data straight from a NIC to a VM's memory, rather than going through the processor core or processor cache. * New for Server 2016, RDMA now also allows the direct transfer of data between the memories of different VMs on the same host, from VM memory to VM memory. * It is enabled by default in Windows Server 2016

Answer 156

* The network adapter(s) must be RDMA-capable, and have RDMA enabled * SMB Multichannel must be enabled and running * You need a 10 gigabit plus network to notice any benefit with using RDMA

Answer 157

SMB Direct is SMB over RDMA Compared to normal SMB, it has: * Increased throughput * Lower latency * Low CPU utilization * Failover when there are multiple NICs

Answer 158

* VMs transferring the SMB data must be running Server 2012 or later * One or more network adapters must have RDMA capability * RDMA must be enabled * SMB Multichannel must be enabled

Answer 159

* RSS works only with physical NICs and physical processor cores. * vRSS works with Hyper-V NICs and virtual processor cores. * RSS is incompatible with VMQ. If VMQ is enabled, RSS is disabled. * vRSS depends on VMQ; it requires that the physical network adapters support VMQ. * Both are configured with the same "NetAdapterRSS" PowerShell noun. When run on the physical Hyper-V host, it will configure RSS. When run on a VM, it will configure vRSS.

Answer 160

Virtual Machine Queue * Improves the process of balancing incoming network traffic across VMs * It works with NIC Teaming, but not SET. * To be enabled, it requires at least 10GbE adapters

Answer 161

VMMQ and vRSS require VMQ-capable physical NICs

Answer 162

Run this cmdlet as administrator: Get-NetAdapterVMQ If not run as administrator, you will not get any results.

Answer 163

A component of the IPAM console, the Event Catalog provides records on three categories of events: * IPAM Configuration Events * DHCP configuration Events * IP Address Tracking

Answer 164

* DCB (Data Center Bridging) * RDMA * SR-IOV * VMMQ * VMQ These are all NIC Offloads for Network Acceleration.

Answer 165

It requires a Windows Server 2016 image on a VHD / VHDX file. * Can be either Generation 1 or 2 * Can be either Desktop Experience or Core * Cannot be Nano * Must be SYSPREP'd

Answer 166

* Forwarding (L3) * GRE Tunneling (GRE) * Site-to-site VPN Tunnel (S2S)

Answer 167

* Simple Layer 3 forwarding of traffic * Behaves like a simple router. * Takes care of routing and encapsulating the traffic as required, enabling the communication a virtual network and another network. * Separate VLANs are required. * 8 Gbps throughput

Answer 168

* Like forwarding, except sent over a GRE tunnel, avoiding the need for separate VLANs. * GRE stands for "Generic Routing Encapsulation" * GRE tunnels are lightweight tunnels that are managed through VMM and support BGP for dynamic routing. * 2.5 Gbps throughput

Answer 169

* Site-to-site VPN Tunnel * Connecting to another location in partnership with the SLB to enable easy scaling and high availability. * The SLB front-ends the gateway instance's virtual IP. So the back-end can easily be scaled, adding instances without requiring any changes to the VPN connection. * Supports BGP for dynamic routing * 300 Mbps (one core) throughput per IPsec tunnel

Answer 170

* Must be Server 2016 * Must be Datacenter Edition * It is not necessary to be a domain member * While not required, it is a best practice to be installed on a computer dedicated to that role, with no other roles alongside

Answer 171

* The Software Load Balancing Host Agent gets installed on Hyper-V Hosts. * It is supported by any Server 2016 Hyper-V host, including Nano server. * It listens for SLB policy updates from Network Controller, and applies them. * In addition, the host agent programs rules for SLB into the SDN-enabled Hyper-V Virtual Switches that are configured on the local computer.

Answer 172

Border Gateway Protocol * A method of dynamic routing, required for SLB. * BGP manages routes between multiple tenant networks in a datacenter. * BGP reduces the need for manual route configuration on routers because it automatically learns routes between sites that are connected by using site-to-site VPN connections.

Answer 173

RDMA over Converged Ethernet

Answer 174

The SLB Multiplexer * A component of Software Load Balancing * The MUX consists of one or more VMs, to which VIPs are assigned. * The MUX processes inbound network traffic and maps VIPs to DIPs, then forwards the traffic to the correct DIP. * Each MUX also uses BGP to publish VIP routes to edge routers. * BGP Keep Alive notifies MUXes when a MUX fails, which allows active MUXes to redistribute the load in case of a MUX failure - essentially providing load balancing for the load balancers.

Answer 175

Software Load Balancing SLB works by mapping Virtual IP addresses (VIPs) to dynamic IP addresses (DIPs) that are part of a set of resources in the datacenter.

Answer 176

VIPs are single IP addresses that provide public access to a pool of load balanced VMs. For example, VIPs are IP addresses that are exposed on the Internet so that tenants and tenant customers can connect to tenant resources in the cloud datacenter. VIPs are located in the SLB MUX.

Answer 177

DIPs are the IP addresses of the member VMs of a load balanced pool behind the VIP. DIPs are assigned within the local infrastructure to the tenant resources.

Answer 178

* You must have a Network Controller * You must have one or more SLB MUX VMs * You must configure Hyper-V hosts with the SLB Host Agent, and ensure it is running * Hyper-V Virtual Switches must be SDN-enabled, with the Virtual Filtering Platform enabled. * The routers that serve the hosts must support equal cost multipath (ECMP) routing, and Border Gateway Protocol (BGP). * The routers must be configured to accept BGP peering requests from the SLB MUXes.

Answer 179

Equal Cost Mutlipath * A feature of routing, required for SLB. * ECMP is what the router uses to route inbound traffic to the MUX.

Answer 180

This role is typically used with Virtual Machine Manager (VMM) to manage networks in a datacenter. Network Controller hosts the SLB Manager and performs the following actions for SLB: * Processes SLB commands that come in through the Northbound API from System Center, Windows PowerShell, or another network management application. * Calculates policy for distribution to Hyper-V hosts and SLB MUXes. * Provides the health status of the SLB infrastructure.

Answer 181

For a virtual switch to be compatible with SLB, you must you must enable Virtual Filtering Platform (VFP) for the virtual switch.

Answer 182

A role service under the Remote Access server role. Routing provides support for: * NAT routers * LAN routers running BGP * Routing Information Protocol (RIP) * Multicast-capable routers using Internet Group Management Protocol (IGMP).

Answer 183

Remote Access Service A role service of the Remote Access server role, sometimes labelled as "DirectAccess and VPN (RAS)". * When you install the DirectAccess and VPN (RAS) role service, you are deploying the Remote Access Service Gateway (RAS Gateway). * You can deploy the RAS Gateway as any of the following: - Single tenant RAS Gateway VPN server - Multitenant RAS Gateway VPN server - DirectAccess server.

Answer 184

Remote Access Service Gateway A software router and gateway that you can use in either single tenant mode or multitenant mode. RAS Gateway supports Border Gateway Protocol (BGP).

Answer 185

This is used for Cloud Service Providors or large Enterprise environments with multiple tenants. Multitenancy is the ability to support multiple virtual networks, yet isolate them from each other, while they run on the same infrastructure. You can deploy RAS Gateway as a multitenant, software-based edge gateway and router when you are using Hyper-V Network Virtualization or you have VM networks deployed with virtual Local Area Networks (VLANs). You can configure the RAS Gateway with BGP for dynamic routing, and you can enable Network Address Translation (NAT) to provide Internet access for VMs on VM networks.

Answer 186

For most organizations, this is the typical configuration. Single tenant mode allows organizations to deploy the gateway as an Internet-facing VPN server, DirectAccess server, or both simultaneously. It allows remote employees to connect to the internal network, and it can connect offices at different physical locations.

Answer 187

* Normally, if changes are made to a failover-enabled scope, the changes must be manually replicated to the partner server. * UNLESS you are using IPAM. Then the changes made to the scope on the primary server are automatically replicated to the partner server.

Answer 188

Network Connectivity Status Indicator An icon on DirectAccess clients. NCSI tests internet connectivity by checking if it is able to reach www.msftncsi.com. If it cannot, an error indicator and "limited connectivity" message will appear to the client. When using force tunneling, a static proxy must be added to the NRPT to ensure that NCSI can reach this site successfully. Otherwise, connectivity will work fine, but the NCSI will report a problem.

Answer 189

BGP Route Reflector is a Windows Server feature. * It provides an alternative to BGP full mesh topology that is required for route synchronization between routers. * With full mesh synchronization, all BGP routers must connect with all other routers in the routing topology. * When you use Route Reflector, however, the Route Reflector is the only router that connects with all of the other routers, called BGP clients, thereby simplifying route synchronization and reducing network traffic. * The Route Reflector learns all routes, calculates best routes, and redistributes the best routes to its BGP clients.

Answer 190

IPv6 multicast addresses always begin with "FF"

Answer 191

It is equivalent in function to an IPv4 APIPA address. The address prefix will always be: FE80::/64

Answer 192

0:0:0:0:0:0:0:1 or, ::1

Answer 193

0:0:0:0:0:0:0:0 or, ::

Answer 194

In IPv6, a site-local address is functionally equivalent to an IPv4 Private IP address. It will always have this network prefix: FEC0::/10

Answer 195

It will stop authenticating users, since it cannot log them.

Answer 196

Service (SRV) resource records enable you to specify the location of the servers for a specific service, protocol, and DNS domain.

Answer 197

Point-to-Point Transfer Protocol supports the widest variety of client operating systems and does not require a PKI infrastructure. * It supports data encryption, but does not provide for data integrity. * It is not recommended, due to security weaknesses.

Answer 198

Secure Socket Tunneling Protocol is designed to use the same port configuration as secure web communications, using port 443. * This is useful, since most firewalls already have this port open, for secure web communication. * It supports both data encryption and data integrity.

Answer 199

Internet Key Exchange version 2 * The default protocol for Windows 7, Server 2008 R2, and newer systems * It supports both data encryption and data integrity. * It is the only VPN protocol that supports VPN Reconnect.

Answer 200

VPN Reconnect enables mobile clients to re-establish VPN connections automatically after the connection drops. * It requires IKEv2 to be the VPN Protocol in use. * It's useful for mobile devices moving around locations, to maintain their VPN connection.

Answer 201

Layer 2 Transfer Protocol / IPSec supports a wider variety of operating systems than IKEv2 does. • It supports both data encryption and data integrity.

Answer 202

Receive-Side Coalescing RSC combines several network packets into one to improve the efficiency of the network stack. I'm not sure, but it is probably an older and inferior technology to RSS.

Answer 203

* The physical NIC must support VMQ (which typically requires enterprise-class hardware) * The NIC link speed must be at least 10 Gbps (this a requirement of VMQ) * SR-IOV must not be enabled. Enabling it will prevent vRSS from functioning. * VMQ must be enabled on the host * vRSS must then be enabled on the adapter

Answer 204

For commands relating to Active Directory-related DNS configurations.

Answer 205

Internet Connection Sharing 6to4 tunneling is enabled automatically when you configure a router to support ICS.

Answer 206

6to4 and 6over are an IPv6 transition technologies that supports router-to-router connectivity over IPv4 networks by automatically configuring tunnels between routers. With 6to4, this tunnels support unicast address packets. With 6over4, this tunnels support both unicast and mutlicast address packets. Neither supports communication through a NAT server.

Answer 207

DirectAccess, if the DA server only has one network adapter

Answer 208

Intra-Site Automatic Tunnel Addressing Protocol Allows communication by using DNS between IPv6 environments, through IPv4 routed networks. ISATAP provides IPv6 over IPv4 tunnels to enable IPv6 traffic to reach the Internet, an IPv4 network, or an IPv6 network. It does not support communication through a NAT server.

Answer 209

An IPv6 transition technology design to support environments where traffic must pass through a NAT server.