Server2012 final

Server2012 final

What function does the CSVDE tool perform?
It exports/imports Active Directory information
If a single domain controller’s AD database becomes corrupt, which type of restore should you perform on it?
nonauthoritative
To perform an authoritative restore, into what mode must you reboot the domain controller?
DSRM (Directory Services Restore Mode)
What is a GUID?
A unique identifier for a snapshot
What utility first appeared in Windows Server 2008 R2 that allows you to undelete Active Directory containers and objects?
The Active Directory recycle bin
By default, how often does Active Directory “garbage collection” occur
12 hours
After you undelete a user account with the LDP utility, what action do you need to perform
Reset the user’s password
In interactive mode, what aspect of AD can you check with the ntdsutil integrity command?
low-level database corruption
What is the proper procedure for removing a domain controller from Active direcotry
Uninstall Active Directory Domain Services
Which ntdsutil commands cleans up metadata?
metadata cleanup
to perform an authoritative restore of an object or subtree, what bit of information do you need to know about the object?
its distinguished name
When you do an authoritative restore process, a back-links file is created. What is the back-links file?
a reference to an attribute within another object
Before you can use the Active Directory recycle bin, what two actions do you have to perform?
1) You have to set the AD forest to Windows Server 2008 R2 or higher
2) You have to enable the Recyle bin
Windows Server 2012 introduces a new time-saving feature when performing tasks such as AD Defragmentation. What is that feature?
Restartable Active Directory Domain Services
What utility do you use to defragment Active Directory
ntdsutil
Why is backup of the Active Directory database so important?
Backup is needed in case of corruption, deletion, or other failure
Why is backing up the Windows system state necessary?
It’s needed to perform a full system restore
An Active Directory snapshop is actually what kind of backup
a shadow copy
Why can you not modify snapshots
They are read-only
What is the name of the physical database file in which all directory data is stored?
ntds.nit
Which file is used to track the point up to which transactions in the log file have been committed
edb.chk
What is the name of the file into which directory transactions are written before being committed to the database file
edb.log
Which file is used as a scratch pad to store information about in-progress large transactions and to hold pages pulled out of ntds.dit during maintenance operations
temp.edb
Name 4 examples of password policies
history, length, complexity, age
Why primarily are account lockout policies put into place?
security
What is the default setting for password history?
24
What is the default minimum password length in characters
7
What account setting can you give for account lockout duration that requires an administrator to manually unlock the account?
By default, who has read/write capability to the default domain policy?
domain administrators
How should you assign Password Settings objects (PSOs) to users?
Assign PSOs to a global security group and add users to the group
What is the primary advantage of using group policies in a domain environment
Centralized Management
What is the secpol.msc utility for?
editing local security polices
What does the minimum password age setting control?
how many days a user must wait before a password reset
Why should administrator passwords change more often than user passwords?
because administrator accounts carry more security sensitivity than users do
What is the range of password history settings?
0 to 24
What is an easy method of creating a strong password?
Start with a sentence and then add numbers and special characters
Why is a setting of 0 for maximum password age not a good idea?
1) It means that passwords never expire, which is a major security problem
2) It means that you have disabled password aging
Account policies contain various subsets, which 3 are legitimate subsets of account policies?
Password Policy, Account Lockout Policy, Kerberos Policy
Which password is considered complex? M!croS0ft or candybar01
M!croS0ft
What character length for a password generally accepted as a minimum
eight
The default maximum password age is how long?
42 days
This setting defines a default password filter that is enabled by default
complexity requirements
This setting defines the number of days that a password can before a user must change it
maximum password age
This setting defines the number of unique, new passwords that must be associated with a user account before an old password can be reused
enforce password history
This setting defines the minimum number of characters that a user’s password must contain
minimum password length
What policy will affect all users in the domain, including domain controllers
Default Domain Policy
In which order are group policy objects processed?
Local Group Policy, Site, Domain, OU
What is the default timeout value for GPOs to process on system startup
600 seconds
GPOs are processed on computer startup and after logon. Why is the user never aware of the processing
Processing is hidden from the user
What is the first step in the GPO processing order?
The computer establishes a secure link to the domain controller
The downward flow of group policies is known as what feature of GPOs?
inheritance
If a site, domain, or OU has multiple GPOs, how are the group policies processed
by precedence
Which two filters can you use to control who or what receives a group policy?
Security Group FIlter & WMI filter
For users to receive GPO settings, they must have which two permissions to the GPO
Allow Read & Allow Apply
By default, which GPO permissions are all authenticated users given?
Apply Group
At what point are WMI filters evaluated
when the policy is processed
To use WMI filters, you must have one domain controller running which version of Windows Server or higher
2003
How many WMI filters can be configured for a GPO?
one
What kind of group policies should you enable for student computers?
loopback
What is the primary purpose of running the Group Policy Results Wizard?
To analyze the cumulative effect of GPOs and for GPO troubleshooting
Which utility do you use to set up loopback policies?
Group Policy Management Editor
How are client-side extensions applied
to the local computer or currently logged-on user
What is the best method of dealing with slow-link processing?
changing the slow-link policy processing behavior
Where would using Replace mode GPOs be appropriate?
in a classroom
What feature uses a security access list (ACL) to determine who can modify or read a policy and who or what a GPO is applied to?
security group filtering
What component extends the Windows Driver Model to provide an interface to the operating system to provide information and notification on hardware, software, operating systems, and services
Windows Management Instrumentation (WMI)
How do group policy settings flow down into the lower containers and objects?
inheritance
What feature configures a GPO to be applied to certain users or computers based on specific hardware, software, operating systems, and services?
WMI filtering
Which operating systems can have its security setting managed by using security templates?
Windows 7 and Windows 8
Which two methods can you use to deploy security templates
1) using active directory GPOs
2) using the security configuration and analysis snapin
What is an ADMX file?
the ADM format for newer operating systems
What is the central store?
a repository for Administrative Templates
Name two legitimate Administrative Template Property filters?
Keyword Filters, Requirement Filters
What is the name of the software component used for installation, maintenance, and removal of software on Windows?
Windows Installer
What is the filename extension for the files in which installation information is stored?
.msi
What are MST files used for?
They deploy customized software installation files
Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe file, what must you do to it?
Convert it to an MSI file
The Security Template allows you to configure which 3 settings?
System Services, Registry Permissions, File System Permissions
Where is the default location for ADMX files?
c:WindowsPolicyDefinitions
Identify the 3 possible states of an Administrative Template
Not Configured, Enabled, Disabled
What language are ADMX files based on?
XML
Unlike ADM files, ADMX files are NOT stored where ?
in individual GPOs
Where is the Central Store located
in the SYSVOL directory
An application cannot be published to a
computer
When configuring Group Policy to deploy applications, the applications must be mapped to where?
UNC path
What happens when an application deployed via group policies becomes damaged or corrupted?
The installer will detect and reinstall or repair the application
If you, as an administrator, change an installed application, how do you update your users?
By redeploying the application via the GPO
Which node contains only one node, Software installation, which allows you to install and maintain software within your organization?
Software Settings
Which node contains settings that are applied when the user logs on?
User configuration
Which node contains settings that are applied to the computer regardless of who logs on to the computer
Computer Configuration
Which node allows you to configure settings such as Name Resolution Policy, Security Settings, Policy-Based QoS nodes?
Windows Settings
Which domain users are automatically granted permissions to perform Group Policy Management tasks?
domain administrators
Name two reasons for resetting the domain policy and the domain controller policy to the default settings?
If they’ve become corrupted or if someone deleted one of the policies
A user must have which two existing permissions for new permissions to be applied to their accounts for GPO delegation
Allow Read and Allow Apply
If you don’t want a GPO to apply, which group policy permission do you apply to a user or a group
Disallow apply
When you’re about to reset domain policy and domain policy and domain controllers policy back to default with the dcgpofix.exe command, what final warning are you given before you accept the change?
that all User Rights Assignments will be replaced
To give someone permission to manage a particular GPO, you use the ___tab of the individual GPO
delegate
What is a collection of files stored in the SYSVOL (%SYSTEMROOT%SYSVOLPolicies) of each domain controller?
Group Policy Template (GPT)
What is a file that maps references to users, groups, computers, and UNC paths in the source GPO to new values in the destination GPO?
migration table
What is an Active Directory object stored in Group Policy Objects container with the domain naming content of the directory that defines basic attributes of the GPO but does not contain any of the settings
Group Policy Container
What process grants permissions to other users to manage group policies?
Delegation
Which utility do you use to create GPO preferences?
Group Policy Management Editor
For GPP editing states, which key do you use to toggle Enable Content
F6
How do you stop processing a preference if an error occurs?
Select the Stop processing items option on the Common tab
Which Windows extension allows you to copy registry settings and apply them to other computers’ create,replace, or delete registry settings
Registry
Which Windows extension allows you to add, replace, or delete sections or properties in configuration settings or setup information files
.ini files
To copy, replace, update, or delete files, you can use wildcard characters. Which wildcard characters can you use? Select all that apply
? and *
If you need to provide users access to a common network location, which GPP would you use? name 2
Shortcut and Drive Maps
To support GPPs on older Windows versions (Server and Workstation), you have to install what component from microsoft
GPP Client-Side Extensions
Which component allows you to create multiple Registry preference items based on registry settings that you select
Registry Wizard
Name two possible targets for individual preferences?
computer name and CPU speed
Which term describes changing the scope of individual preferences items so that the preference items apply only to selected users or computers
item-level targeting
Which items can you configure shortcuts to in performing GPP deployments? Name 4
Windows Firewall applet, Documents folder, Microsoft Excel, Printer
Identify at least 4 Window Settings multiple preference extensions
Registry, Shortcuts, Folders, Storage
When working with Network Drive Mapping Preferences, which preference behaviors delete drive mappings?
Replace and Delete
What 3 server versions can GPP be configured on domain controllers running Windows Server
2008, 2008 R2, 2012
What is the key difference between preferences and policy settings?
enforcement
GPPs are divided into which two sections
Windows and Control Panel
Windows Settings are common configuration settings used in Windows but now used where?
Control Panel
What object can you create to organize Registry preference items?
a Collection
Normally, preferences are refreshed at the same interval as Group Policy settings. If this option is selected, this option will be applied only once on logon or startup
Apply once and do not reapply
When this option is selected, if an error occurs while processing a preference, no other preferences in this GPO will process
Stop processing items in this extension if an error occurs
This option determines which users or computers will receive a preference based on a a criterion such as computer name, IP address range, operating system, security group, user, or Windows Management Instrumentation (WMI) queries
Use item-level targeting
By default, this option runs as the System account. If this option is selected, the logged-on user context is used
Run in logged-on user’s security context
What kind of Radius server is placed between the Radius Server and RADIUS clients?
a Radius proxy server
What process determines what a user is permitted to do on a computer or network
authorization
What is a RADIUS server known as in Microsoft parlance
Network Policy Server (NPS)
What ports to Microsoft RADIUS servers use officially
1812 and 1813
When an access client contacts a VPN server or wireless access point, a connection request is sent to what system
the NPS server
Which system in a RADIUS infrastructure handles the switchboard duties of relaying requests to the RADIUS server and back to the client
the access server
What is the final step in the authentication, authorization, and accounting scenario between an access client and the radius server
an Accounting-Response to the access server
To configure RADIUS service load balancing you must have more than one kind of what system per remote RADIUS server group
RADIUS server
Which parameter specifies the order of importance of the RADIUS server to the NPS proxy server
priority
Using what feature can streamline the creation and setup of RADIUS servers
templates
What kind of information does the Accounting-Start message contain?
the type of service and the user it’s delivered to
Which system is the destination for Accounting-Start messages?
the RADIUS accounting server
What type of NPS authentication is recommended over password authentication
certificate
Why is password-based authentication not recommended
usernames and passwords are sent in plain text
Where do you get certificates for authentication purposes
a certificate authority
When setting up authentication to NPS services for Microsoft-only clients, what type of authentication should you use
MS-CHAPv2
What would be the biggest problem with configuring text files for accounting logging?
Space: filling up the C drive has catastrophic effects
You would create a radius server template so you could do what with it?
Easily create multiple RADIUS servers from it
Which non-recommended method of user authentication is considered to insecure because usernames and passwords are sent in plain text
PAP
If you decide to use this method for authentication, you will need certificates that include the client authentication purpose
smart card
Which authentication method encompasses the largest number of clients (Microsoft and Non-Microsoft) but only has a moderate level of security
CHAP
An NPS policy is a set of permissions or restrictions that determine what three aspects of network connectivity
who, when, and how
Which variable can be set to authorize or deny a remote connection
group membership
The default connection policy uses NPS as what kind of server
RADIUS
Where is the default connection policy set to process all authentication requests
locally
What is the last setting in the Routing and Remote Access IP settings
how IP addresses are assigned
What command line utility is used to import and export NPS templates
netsh
To which type of file do you export an NPS configuration
XML
When should you not use the command-line utility method of exporting and importing the NPS configuration
when the source NPS database has a higher version number than the version number of the destination database
Network policies determine what two important connectivity restraints
Who is authorized to connect AND
the connection circumstances for connectivity
When the Remote Access server finds an NPS network policy with conditions that match the incoming connection attempt, the server checks any _____ that have been configured for the policy
contraints
If a remote connection attempt does not match any configured constraints, that does the remote server to with the connections
denies
Identify the 3 correct NPS templates
Shared Secrets, Health Policies, RADIUS clients
Which two of the following are Routing and Remote Access IP settings
Client May Request an IP address
Server Must Supply an IP address
What Routing and Remote Access IP setting is the default setting
Server Settings Determine IP Address assignments
Which is the strongest type of encryption
MPPE 128-Bit
RADIUS Access-Request messages are processed or forwarded by NPS only if the settings match what on the NPS server?
one of the connection request policies
Why is there a No Encryption option for network connections
to allow certain trusted connections to remain unencrypted
Network Access Policy is part of which larger scope policy
Health
What character string makes up the telephone number of the network access server (NAS)
Called station ID
What character string attribute designates the phone number used by the access client
Calling station ID
What is used to restrict the policy only to clients what can be identified through the special mechanism such as the NAP statement of health
Identity Type
What is the name of the RADIUS client computer that requests authentication
client friendly name
Network Access Protection (NAP) is Microsoft’s software for controlling network access for computers based on what?
a computer’s overall health
Because NAP is provided by _____, you need to install _____ to install NAP
NPS, NPS
DHCP enforcement is not available for what kind of clients
IPv6
Identify two remediation server types
Anti-virus/Anti-malware servers AND Software update servers
What type of active directory domain controller is recommended to minimize security risks for remediation servers
read-only
When you fully engage NAP for remediation enforcement, what mode do you place the policy in
isolation
To verify a NAP client’s configuration, which command would you run?
netsh nap client show state
Which two components must a nap client have enabled in order to use nap
Security Center and NAP agent
Why do you need a web server as part of your NAP remediation infrastructure?
To provide user information in case of compliance failure
Where do you look to find out which computers are blocked and which are granted access via NAP
the NAP server event viewer
Health policies are in pairs, what are the members of the pair, select two
NAP-compliant and NAP-noncompliant
You should restrict access only for clients that don’t have all available security updates installed if what situation exists
the computers are running Windows update
What happens to a computer that isn’t running windows firewall
the computer is isolated
Health policies are connected to what two other policies
Network Policies and Connection Request Policies
To use the NAP-compliant policy, the client must do what?
pass all SHV checks
Which computers are not affected by VPN enforcement
locally connected computers
When enabling NAP for DHCP scopes, how should you roll out the service
for individual DHCP scopes
What is the purpose of the System Health Agent (SHA)
to provide feedback on the status of system protection and updates
Why is monitoring system health so important?
to maintain a safe computing environment
Why would you setup a monitor-only NAP policy on your network
You are testing your NAP rollout before implementation
These computers don’t typically move much and are part of the domain
desktop computers
These Windows computers are not usually connected directly to the network but connect through a VPN connection. Because they are usually home computers, they might not have up-to-date software
unmanaged home computers
These computers are unmanaged computers used by consultants or vendors who need to connect to your network
visiting laptops
These window computers move often but are typically part of the domain, but might not always get the newest updates
roaming laptops
What is the default authentication protocol for non-domain computers
NTLM
What does the acronym NTLM stand for
NT LAN Manager
NTLM uses a challenge-response mechanism for authentication without doing what
sending a password to the server
What kind of protocol is Kerberos
a secure network authentication protocol
Kerberos security and authentication are based on what type of o technology
secret key
What is the default maximum allowable time lapse between domain controllers and client systems for Kerberos to work correctly
5 minutes
Which three components make up a service principal name (SPN)
service class, host name, port number
What happens if a client submits a service ticket request for an SPN that does not exist in the identity store
The client receives an access-denied error
Which tool can you use to add SPNs to an account
ADSI Edit
What are two restrictions for adding SPNs to an account
Domain Administrator privileges & The editor runs the domain controller
Identify another utility that you can use to add SPNs to an account
setspn
What type of account is an account under which an operating system, process, or service runs
service account
When creating accounts for operating systems, processes, and services, you should always configure them with what two things in mind?
using strong passwords and granting the least rights possible
Name two benefits to using Managed Service Accounts (MSAs)
automatic password management and simplified SPN management
By default, which service accounts with the Windows Powershell cmdlets manage?
group MSAs
What is the default authentication protocol for contemporary domain computers
Kerberos
What is the name by which a client uniquely identifies an instance of a service
service principal name
Before you create an MSA object type, you must create what?
a key distribution services root key
What service right does an MSA account automatically receive upon creation
log on as a service
Which kerberos setting defines the maximum time skew that can be tolerated between a ticket’s timestamp and the current time at the KDC
maximum tolerance for computer clock synchronization
Which Kerberos setting defines the maximum lifetime ticket for a Kerberos TGT ticket
maximum lifetime for a user ticket
Which Kerberos setting defines the maximum lifetime for a Kerberos ticket
maximum lifetime for a service ticket
Which Kerberos setting defines how long a service or user ticket can be renewed
maximum lifetime for user ticket renewal
The domain controllers are the computers that store and run the ____
Active Directory database
How many PDC emulators are required, if needed, in a domain?
one
You do not place the infrastructure master on a global catalog server unless what situation exists
You have a single domain
When you add attributes to an Active Directory object, what part of the domain database are you actually changing?
schema
Which active directory object is defined as a specialized domain controller that performs certain tasks so that the multi-master domain controllers can operate and synchronize properly
Operations Master
How many global catalogs are recommended for every organizations
at least two
What two things must you do to a Windows Server to convert it to a domain controller?
Install Active Directory Domain Services (AD DS) and Execute dcpromo from Server Manager
Beginning with which server version can you safely deploy domain controllers in a virtual machine
Windows Server 2012
What utility must you run on a cloned system to ensure that the clone receives its own SID
sysprep
Which type of system must you connect to and use to make changes to Active Directory
writeable domain controller
Which version of Windows Server introduced incremental universal group membership replication
Windows Server 2003
What are the three types of groups in a domain
domain local groups, global groups, and universal groups
The global catalog stores a partial copy of all objects in the forest. What are the reasons for keeping that partial copy? 3
logon, object searches, universal group membership
Although the changes are easy to make, why is changing the AD Schema such a big deal
The changes could corrupt the database
Where in the forest is a global catalog automatically created?
the first domain controller
Which utility do you use to manage Active Directory from the command line
ntdsutil
Which command-line command do you use to allow Windows Server 2003 domain controllers to replicate to RODCs?
ADPrep /RODCPrep
Which term describes a collection of domains grouped together in hierarchical structures that share a common root domain?
domain trees
Which term describes an administrative boundary for users and computers, which are stored in a common directory database?
domains
Which term describes a collection of domain trees that share a common Active Directory Domain Services (AD DS)?
Forests
Which term describes containers in a domain that allow you to organize and group resources for easier administration, including providing and delegating administrative rights
organizational units