70-411 MCSA Windows Server 2012 R2: book flashcards

Flashcards in book flashcards Deck (136):
1

to what container should you set the base DN in the search box of the ldp.exe tool when performing tombstone reanimation of a user in test.com?

CN=Deleted Objects,DC=test,DC=com

2

what should you run from the command line to register SPN 'http/srv55.nutex.com' for a win2012R2 server named srv55?

> setspn -S http/srv55.nutex.com srv55

3

what service uses port 389?

LDAP

4

what GUI tool will allow you to enable the Active Directory recycle bin?

ADAC

5

when do you choose to import an object that has been exported from an Active Directory snapshot instead of retrieving an object from the Active Directory Recycle Bin?

when you want to reset the values of an object's attributes to a previous value

6

what parameter of the install-ADDSDomainController cmdlet is used to install and configure DNS on the DC?

-installDNS

7

which parameter of the Move-ADDirectoryServerOperationMasterRole cmdlet will allow you to seize a master operations role?

-force

8

what setspn.exe command will list all SPNs of services on the web server?

> setspn -l

9

what parameter of the install-ADDSDomainController cmdlet is used to prevent the replication of certain passwords to the DC?

-DenyPasswordReplicationAccountName

10

which type of account in w2008R2 and above is a 'managed local account' that provides the ability to access the network with a computer identity in a domain environment with no password management required?

virtual account

11

what additional step is required to view deleted objects after setting the base DN to in the search box of ldp.exe tool when performing a tombstone reanimation of a user account?

use the 'return deleted objects' control to view deleted objects.

12

to use kerberos authentication with SQL server, which two conditions are required?

- the client and server computers must be part of the same windows domain, or in trusted domains.
- ServicePrincipalNames (SPN) must be registered with AD

13

what are the four image types used in WDS?

- boot images
- install images
- capture images
- discover images

14

what are the prerequisites to install a WDS server in an Active Directory network?

- ADDS Server
- DHCP
- DNS
- NTFS Share
- WDS Server needs GUI
- WDS can be installed on member server

15

what are the three steps to create a Managed Service Account on Domains required 2008 R2?

on server
1. > New-ADServiceAccount -Name -RestrictToSingleComputer -enabled $True
2. > Add-ADComputerServiceAccount -Identity -serviceAccount

on target
3. > Install-ADServiceAccount -Identity

16

What are the prerequisites for Active Directory MSA to work on a client computer?

- Active Directory Powershell Module
- .Net 3.5 Framework

17

what is the time period in which managed service accounts renew their passwords automatically?

30 Days

18

what tool is the only tool that can be used to create WSUS groups?

wsus.exe

19

what are the steps to update an offline image or vhd(x) with dism (with security updates, hotfixes, drivers)?

- set image to read-write (attrib -r)
- mount the image on empty mount point
- extract contents of update (winrar, etc)
- inject .cab files into mounted image (add-windowsPackage)
- commit changes and unmount
> Save-WindowsImage
> Dismount-WindowsImage

20

in configuring WSUS, what does client side targeting mean?

to use GPOs to assign computers to WSUS groups
(used in larger organisations)

21

DNS
which zone type can NOT be stored in Active Directory?

secondary zones
[security implications]

22

PS
what cmdlet is used to create a new conditional forwarder for test.com?

> Add-DnsServerConditionalZone -Name -masterServers -forwardertimeout -replicationscope

23

PS,DNS
which cmdlet is used to create a new stub zone?

> Add-DnsServerStubZone -name -masterServers -replicationScope

24

PS,DNS
which cmdlet is used to create a new secondary zone?

> Add-DnsServerSecondaryZone -name -zonefile -masterServers

25

DNS
can a secondary DNS server be a master server in DNS?

yes

26

PS,DNS
which cmdlet can be used to create a primary zone?

> Add-DnsServerPrimaryZone -name -replicationscope -dynamicupdate 'secure'
(Active Directory integrated)
or
> Add-DnsServerPrimaryZone -name -zonefile -dynamicupdate 'none'
(file based)

27

DNS
why can the two parameters -ReplicationScope and -ZoneFile not be used at the same time when creating a new DNS zone?

one fits file based zones the other Active Directory integrated zones

28

DNS
is it possible to change the zone* type from file-based to Active Directory integrated or vice versa with powershell?

*or conditional forwarder

no

29

DNS
what tool do you use to change the type of zone from Active Directory integrated to file-based or vice versa?

use DNS management console

30

DNS
what are the four possible settings for zone transfers in DNS management?

- noTransfer
- TransferAnyServer
- TransferToZoneNameServer
- TransferToSecureServers

31

DNS
what are the three possible notification settings for DNS zone changes?

- NoNotify
- Notify
- NotifyServers

32

DNS
what is the possible alternative in Active Directory integrated DNS to file-based secondary servers?

stub-zones and conditional forwarders

33

DNS
what are conditional forwarders used for?

conditional forwarders provide a means to manage to which DNS server a DNS query is forwarded for specific zones.

34

DNS
what is zone delegation used for?

use DNS zone delegation to delegate the administration of a portion of your DNS namespace.

35

DNS
what is the default zone transfer setting?

zone transfers are disallowed unless explicitly allowed.

36

DNS
which DNS resource record type can NOT be created with PowerShell?

SOA* - Start Of Authority record.
* is a version number record identifying the number of the DNSZone

37

DNS
if DNS has two MX entries for a domain with different priority settings, which server is receiving the SMTP traffic?

lowest value

38

what tool is used to perform a tombstone reanimation?

> ldp.exe

39

what tools can you use to view the contents of a mounted Active Directory snapshot?

- ADUC (DSA.msc)
- ADSIEDIT.msc
- LDP.exe

40

which cmdlet do you use to copy images between groups in WDS ?

> export-WDSInstallImage
> import-WDSInstallImage

41

which cmdlet do you use to copy images inside a WDS group?

> copy-WDSInstallImage

42

how do you enable client-side targeting in WSUS?

by selecting computers in the options section of the server update services and selecting "use group policy or registry settings on computers"

43

what is the minimum size of the local updates volume for WSUS?

6GB

44

what form of credential does the -credential option expect?

a psCredential object. not a string "domain\user"

45

what cmdlet do you use to open an elevated PowerShell ?

> Start-Process Powershell.exe -verb RunAs

46

to install WDS via PowerShell including tools type..

> Install-windowsFeature -name WDS -cn -includemanagementtools

47

before capturing an image from a template installation, what do you need to do?

> %windir%\system32\sysprep\sysprep /oobe /generalize /reboot

48

can you remove a driver-package from an image in WDS?

no

49

can you use powershell to create or manage the properties of driver-groups in WDS?

no

50

what are the steps to install or remove features in offline images?

- set the image to read-write with : attrib -r
- mount image on empty mountpoint
- modify image > enable-windowsoptionalfeature
> disable-windowsoptionalfeature
- commit changes and unmount
> save-windowsImage
> dismount-windowsImage

51

DA
what cmdlet do you use to install the direct access role on a server?

> Install-WindowsFeature -name RemoteAccess -IncludeAllSubfeatures -IncludeManagementTools

52

WDS
what can you do to maintain functionality in established boot images to support hardware compatibility?

inject vendor specific drivers into boot images.
cmdlets:
> Import-WDSDriverPackage
> Add-WDSDriverPackage

53

WDS
what is the prerequisite to install the WDS role on a 2012 R2 server?

WDS is only supported on a full GUI installation.

54

WDS
which cmdlet is used to install the WDS role?

> Install-WindowsFeature -name WDS -includeManagementTools

55

WDS
what is the initial configuration after installing the WDS role on a server?

set the location of the WDS image store.
(NTFS, not on C:!)

56

WDS
what are capture images used for?

capture images are custom install images from a template computer.

57

WDS
what are discover images?

discover images are used to deploy by using physical media rather than PXE boot.

58

WDS
what are the two cmdlets to update images?

after mounting the offline image read-write on the local file system
> Add-WindowsPackage
or
> Enable-WindowsOptionalFeature

don't forget to commit changes and unmount the image.

59

WDS
what is the only tool to create WDS driver groups?

WDS console

60

WDS
what are two basic network requirements for WDS?

- active DHCP server
- working and reachable DNS server

61

WDS
what cmdlet is used to update an offline boot image file with a new driver?

> Add-WDSDriverPackage

62

RA VPN
which ports are used for the PPTP VPN Protocol?

TCP 1723
GRE 47

63

RA VPN
which ports are used for the L2TP VPN Protocol?

UDP 500
UDP 4500
UDP 1701
ESP 50

64

RA VPN
which ports are used for the SSTP VPN Protocol?

TCP 443

65

RA VPN
which ports are used for the IKEv2 VPN Protocol?

UDP 500
UDP 4500
UDP 1701
ESP 50

66

IPv6
what is a global IPv6 prefix?

2000::/3

67

IPv6
what is a link local IPv6 prefix?

FE80::/10

68

IPv6
what is a multicast IPv6 prefix?

FF00::/8

69

IPv6
what is a unique local IPv6 prefix

FC00::/7

70

IPv6
what is the loopback IPv6 address?

::1

71

what can be configured with the routing and remote access console?

routing
NAT
dial-up remote access
vpn remote access

72

VPN
which module in PS provides cmdlets for VPN server support?

RemoteAccess module

73

VPN
which are the four parts that construct the remote access role?

routing
VPN
directAccess
web application proxy

74

you need to configure VPN to only support clients using the SSTP protocol. What changes do you need to make to the default VPN config in w2012R2?

Clear remote access connections for the WAN Miniport (PPTP), WAN miniport (IKEv2), and WAN miniport (L2TP).

75

you use DirectAccess for all Windows8 and later remote clients, but you use VPN to support windows 7 clients. you need to configure VPN to use IP addresses controlled by the remote access server. what settings do you need to make? (2)

- in the DHCP management console, create a DHCP exclusion for the IP addresses assigned to VPN clients.
- in the remote access management console, select assign addresses from a static address pool

76

name three benefits of Direct Access compared with VPNs.

- always-on (no need to initiate connection)
- seamless (transparently connected if online)
- security (managed connection + IPsec)

77

which VPN protocols are supported in w2012 R2?

PPTP
L2TP
IKEv2
SSTP

78

what command do you use to !only! install VPN and NAT and their management tools?

> Add-WindowsFeature DirectAccess-VPN,Routing -IncludeManagementTools

79

you need to configure VPN to only support clients using the SSTP protocol. What changes do you need to make to the default VPN config in w2012R2?

Clear remote access connections for the WAN Miniport (PPTP), WAN miniport (IKEv2), and WAN miniport (L2TP).

80

you use DirectAccess for all Windows8 and later remote clients, but you use VPN to support windows 7 clients. you need to configure VPN to use IP addresses controlled by the remote access server. what settings do you need to make? (2)

- in the DHCP management console, create a DHCP exclusion for the IP addresses assigned to VPN clients.
- in the remote access management console, select assign addresses from a static address pool

81

name three benefits of Direct Access compared with VPNs.

- always-on (no need to initiate connection)
- seamless (transparently connected if online)
- security (managed connection + IPsec)

82

what is the default setting in the remote access quick start wizard to allow connections via DirectAccess?

mobile computers only

83

radius
which settings can each be configured in separate templates?

- shared secret
- radius clients
- remote radius servers
- IP filters
- health policies
- remediation server groups

84

what are the four possible settings for RADIUS logging?

SQL logging only
Text logging only
Parallel logging
SQL logging with backup

85

what are the possible settings that can be simplified by RADIUS templates?

shared secrets
RADIUS clients
remote RADIUS servers
IP filters
health policies
remediation server groups

86

with a multiple RADIUS server infrastructure, you have three servers all with priority 1. server1 has weight 10, server2 has weight 15 and server3 has weight 25.
how are the next 100 messages processed?

server1 = 20
server2 = 30
server3 = 50

87

in NPS, which server has the higher priority:
server1 with priority 1 or server2 with priority 50?

the lower the number the higher the priority.
server1

88

in NPS what ports are used for authentication and accounting?

1812 = authentication
1813 = accounting

89

in NPS (RADIUS) if you have two servers, server1 with priority 1 and server2 with priority 2, how many messages does server2 receive if 100 messages are sent by clients?

zero.
server2 is only accessed if server1 is unavailable.

90

NPS / RADIUS certificates
in which policy do you set up the configuration for auto enrollment for clients and servers for certificate-based authentication?
what path is used for the policy setting?

default domain policy
comp/policies/windows settings/security settings/public key policies

91

NPS / RADIUS certificates
which purpose of a certificate does not work with client and server authentication?

the purpose "All" does not work with authentication.

92

NPS templates
what does the abbreviation SHV stand for?

system health validator

93

NPS templates
what are the options for client SHV checks (7)?

client passes all SHV checks
client fails all SHV checks
client passes one or more SHV checks
client fails one or more SHV checks
client reported as transitional by one or more SHVs
client reported as infected by one or more SHVs
client reported as unknown by one or more SHVs

94

what two options can be configured on an NPS?

RADIUS server
RADIUS proxy

95

for which scenarios can RADIUS be used?

VPN authentication and authorization
Dial-in authentication and authorization

96

what does RADIUS client mean?

network access servers
other RADIUS servers

97

when installing NPS as RADIUS proxy which NPS role services are required in win2012R2?

NPS

98

what does it mean when a NPS is configured as a RADIUS proxy?

the server acts as a RADIUS client, forwarding connection requests to a RADIUS server group for authentication and authorization.

99

certificates with which purposes can be used for mutual authentication of NPS and client computers?

server authentication certs
client authentication certs

100

which three kinds of policies are supported by NPS?

connection request policies
network policies
health policies

101

NPS
in older versions of windows server NPS policies were im- and exported. what technologies are used instead in win2012R2?

import and export templates
import and export NPS entire configuration

102

NPS
which two policies control which clients are allowed to connect to the network?

client request policy and network policy

103

NPS
what is the purpose of the connection request policy?

it handles the initial request by a client to connect and passes it to an appropriate network policy
connection request policies define which connections are processed on the NPS server and which are processed on remote RADIUS servers.

104

NPS
what does a network policy do?

it determines how a client is authenticated and whether it is authorized to connect.

105

NPS
how can you manage nps templates?

export the templates to xml files.
import templates from a server or from a file.

106

NPS configuration
what is the most important concern when exporting NPS configuration to a file?

the exported file includes policies, templates, clients, RADIUS server information and shared secrets. this is sensitive information that should be handled with security concerns in mind.
if accounting is set up to sql db - this info is not included in the exported file and has to be added manually after import.

107

NPS export
what is the cmdlet to export the NPS configuration?

> export-NPSConfiguration -path "... path\filename.xml"

108

NPS export
can you use netsh to export the NPS configuration?

yes.
> netsh nps export filename=path\filename.xml exportpsk=yes

109

NPS
what does the term 2FA mean?

two-factor authentication

110

NPS export
how can you mitigate security implications when exporting a NPS configuration file?

store the file in an encrypted location, or an encrypted usb device.

111

NPS
what is it that controls whether a NPS acts as a RADIUS server or a RADIUS proxy?

the connection request policy

112

NPS
which condition sets the allowed protocols for a RADIUS connection?

the tunnel type condition

113

NPS
can you set a condition for connection request policies for user names?

yes

114

NPS
can you set a condition for connection request policies for user groups?

no

115

NPS
can you set a condition for connection request policies for NAS port types?

yes

116

NPS
can you set a condition for connection request policies for MS service classes?

no

117

NAP DHCP
why is NAP enforcement using DHCP not a secure enforcement method?

a knowledgeable user can assign a fixed IP address and bypass the restriction.

118

NAP DHCP
what are the prerequisites for using NAP enforcement using DHCP?

either the NPS is the DHCP server
or the DHCP server has a NPS role installed as RADIUS proxy

119

NAP
what are the four possible options for a NAP enforcement policy?

- non-enforcement (monitoring)
- limited enforcement (limited access)
- full enforcement (blocking)
- full enforcement with remediation (access to remediation servers)

120

NAP
in network policy for remediation for noncompliant clients, should the clients be granted access or not?

yes - to enable access to remediation servers

121

NAP
to implement NAP on your network, what steps do you need to take?

enable NAP on RADIUS servers
implement health policy that requires client computers to have firewall turned on, have all current updates, be free of infection.
implement remediation servers

122

how often do you have to create a KDSRootkey if you want to use gMSAs?

once for each domain

123

how long does it take to create a KDS-rootkey with the cmdlet
add-KDSRootKey -effectiveImmediately?

10 hours

124

what is the prerequisite to use gMSAs?

the creation of the KDS-rootkey

125

what are the steps to remove a MSA from a computer?

> uninstall-ADServiceAccount on local comp
> remove-ADComputerServiceAccount to unassign the account from comp
if you do not want to reuse account:
> remove-ADServiceAccount

126

what are the prerequisites on a client computer to use MSAs?

win 7, Active Directory ps module, dotnet framework 3.5 or later

127

what are the cmdlets to create a managed service account?

on server:
> new-ADServiceAccount -name -restrictToSingleComputer -enabled $true
> add-ADComputerServiceAccount -identity -serviceAccount
on local computer:
> install-ADServiceAccount -identity

128

when were MSAs introduced?

win srv 2008 R2

129

when were gMSAs introduced?

win srv 2012 R2

130

what tool or command do you use to create a MSA?

> New-ADServiceAccount
with the -standalone parameter

131

what command should you use to add a gMSA on a computer?

> Install-ADComputerServiceAccount

132

you want to use a virtual account for the testService on computer server1. what commands or tools would you use?

> services.msc

133

what are the FSMO operations master roles and which are forest or domain wide roles?

once per forest:
schema master
domain naming master
once per domain:
RID master
PDC emulator
infrastructure master

134

who has rights to seize or transfer the schema master role?

schema administrators group

135

who has the rights to transfer or seize the domain naming master?

the enterprise administrators group

136

who has the rights to seize or transfer the RID master, PDC emulator, or infrastructure master role?

domain administrators group