150 Cards in this Set
WSUS / WDS |
Windows Update Services / Windows Deployment Services |
|
GP Setting: Enable client-side targeting |
Sets a WSUS group for computer update groups. |
|
Configure Automatic Updates |
GP Setting: Computer Config > Policy > Admin Template > Windows Components > Windows Update. Choices: Notify; Auto Download & Notify; Auto DL & schedule; allow to choose. |
|
GP: Specify intranet MSUS location |
http://SERVERNAME:8530 |
|
wuauclt /resetauthorization /detectnow; wuauclt /reportnow |
Detect and report on clients to WSUS |
|
Old / New WSUS port number |
Old port 80 New port 8530 |
|
c:\Program Files\Update Services\Tools\ wsusutil |
WSUS utilities: move WSUS content, configure SSL, reset, export, check health / health monitoring, etc. |
|
Windows Reliability Monitor |
find historical critical events in a timeline. |
|
Which event collection subscription method is more dynamic for adding new members? Collector or Source initiated? |
Source-initiated allows the addition of groups and allows the subscription method to be set by Group Policy. Collector-initiated has to be manually configured. |
|
Configure target Subscription Manager: server=DC.Danlab.pri |
GP: configure a computer to send its event log to a subscription manager |
|
What zone to add when you want to add high availability (HA) to the name resolution already in DNS? |
Secondary Zone on other DNS server. |
|
How to control which machines have permission to receive the entire record set of a zone (zone transfer) |
Zone transfer settings |
|
How to ensure secondary zones do not have orphaned content after a zone transfer? |
Configure notify settings to the proper servers. |
|
How to point DNS to another machine to resolve queries? |
Zone Delegation |
|
In multi forest configurations how to point access to another server to resolve DNS queries? |
Conditional Forwarders |
|
When do you use Stub zone over a conditional forwarder in DNS? |
When you want to designate MULTIPLE authoritative servers in the forward zone instead of just one. |
|
DNS Records |
A - Address (Host Record)
AAAA - IPv6 Address (Host Record)
PTR - Pointer
SOA - Start of Authority
NS - Name Server
CNAME - Canonical Name (alias)
MX - Mail Exchange
SRV - Service Locator Record |
|
How to provide alternative, more friendly names for servers |
CName DNS records |
|
How to specify which servers are responsible for a particular zone |
Name Server records |
|
Resolve an IP address to a FQDN (Fully Qualified Domain Name) |
Pointer record (PTR) (not used all that often: pings, some Group Policy uses) |
|
Which machine is authoritative for a zone |
Start of Authority Record (SOA) |
|
Records to find specific Active directory services on a machine |
Service Locator Record (SRV) |
|
How long does a record exist in a client's cache? |
Set in DNS record's TTL (Time to Live) Default is 1 hr. |
|
Start of Authority: how to fill out the responsible person field? |
Designed to be an email address with a . replacing the @, e.g. DanOldenkamp@gmail.com would be DanOldenkamp.gmail.com |
|
What is a good way to change servers without having to disseminate new server names? |
Use a CName record originally and just change the alias as needed. |
|
What is the PowerShell equivalent of NSLookup? |
Resolve-DNSName |
|
How to view all public DNS cached records with PowerShell? |
Show-DnsServerCache |
|
Command to display local DNS resolver's cache? |
IPConfig /DisplayDNS |
|
SRV record: Priority vs Weight |
Priority: 0 (lower is tried first; anything higher will never be used unless the lower is not available). Weight: 100 (percentage of requests sent to the server). |
|
For load balancing Active Directory services with SRV record configure Priority or Weight? |
Weight. Priority works as failover not load balancing. |
|
How to setup round robin server availability with DNS? |
Have multiple identical Host (A) records, one for each server IP:
ourfileserver A 192.168.0.103
ourfileserver A 192.168.0.104 |
|
When does a windows host refresh its DNS record? |
At startup. At DHCP lease renewal. Every 24 hours. |
|
No-Refresh vs Refresh interval for aging of Records |
The server does not reissue the record during the no-refresh period although the client is refreshing. |
|
Enable record aging / scavenging |
Must be enabled at both the server and the zone level. Static records must be configured (on the static record itself) to delete when stale, if needed; otherwise old static records will persist. |
|
What are the advantages of using a separate RADIUS server over RRAS to authenticate remote users? |
1. You can put the RADIUS server internally instead of in the DMZ, making network entrance more secure. 2. A single RADIUS server can supply authentication for multiple RRAS entrance vectors. |
|
How to toggle RRAS on after setup so Microsoft clients can connect. |
1. Turn on Remote Access & Logging Policies to make it visible. 2. Change the RRAS connection rule from Deny to Grant. |
|
Authentication methods |
Machine Certificate Authentication (adds additional security and setup). Methods, most secure to least: EAP-TLS, MS-CHAPv2, CHAP, SPAP, PAP |
|
EAP-TLS |
- Used with smart cards or digital certs - Can only be used with RADIUS or when RRAS is domain joined |
|
MS-CHAPv2 |
- encryption - no smart cards or advanced methods |
|
CHAP |
authentication is encrypted via MD5 |
|
SPAP |
Less secure. Included for down level support. Trivially decrypted |
|
PAP |
No encryption for authentication or session data. Not recommended |
|
Machine Certificate Authentication |
Certificate pre-installed on client and server. Another step for security. |
|
VPN Protocols |
Most secure to least: IKEv2, SSTP, L2TP/IPSec, PPTP |
|
IKEv2 |
Windows 7 and greater - supports IPv6, VPN reconnect, EAP & certs - no support for PAP or CHAP - Uses UDP port 500 (could be a problem) |
|
SSTP |
Windows Vista and greater - PPTP traffic over SSL - Uses TCP port 443 - needs a client trusted SSL RRAS certificate - Does not support VPN using web proxies |
|
L2TP over IPSec |
Windows XP and greater - requires Client and Servers certs PKI (2 way authentication) - supports smart card |
|
PPTP |
Oldest VPN protocol still supported by Server 2012 - no certs required (least secure) - default fallback, insecure protocol |
|
PKI |
Private Key Infrastructure (a Certificate Authority in the domain is one way). Public and privately held keys for security. |
|
How to filter VPN traffic over RRAS |
IPv4 > General > Interface > Inbound/Outbound filters. (allow deny protocols) |
|
Disable insecure VPN Protocols (ie: PPTP) |
|
|
How to configure a dial-up connection for clients |
Group Policy create a new Dial connection with phone number |
|
Group Policy: Configure VPN Settings |
Set security and network settings to coincide with the RRAS configuration. |
|
How to add NAT to RRAS to allow internal hosts to connect to outside devices while masking the internal network |
|
|
How to configure NAT on RRAS services / ports mapping to internal IP |
|
|
What is a protocol used to determine automatically the best route paths? |
RIP v2 for IP (important if a large number of Windows-based routers are in the network); redirects when a path is not available |
|
What is required for Web application proxy in passthrough mode |
2 servers:
- 1 inside the network
- 1 in the DMZ, externally accessible (RRAS - Web Application Proxy feature)
- ADFS (Federation Services) - in production use a managed service account
- SQL Server instance for ADFS |
|
DA (Direct Access) requirements |
- Server & client domain joined - 2 NICs (inside / outside) except when DA is published through a gateway (2 is ideal) - 1 public IP required (2-factor auth requires 2) |
|
Configure DNS for DA |
DA clients use the Network Location Server to see if they are connecting via LAN or Internet - NLS visible only on LAN - GP: Name Resolution Policy Table (A record list) |
|
Configure Certificates for DA |
- use publicly trusted or self signed (public preferred) - access to online CRL distribution point (complicated if Internal PKI used) |
|
Direct Access client requirements |
Windows 8 Enterprise (does not work with Pro); Windows 7 Ultimate or Enterprise (not Pro); Windows 10 Enterprise (not Pro). Install certificate on client machine. |
|
Direct Access security measure to force all traffic through network |
DA configuration: use Force Tunneling (bandwidth intensive / affects performance). Split tunneling is the default. |
|
DA configuration where DA server has 2 NICs, domain joined and public facing |
network topology: Edge |
|
PS command to show Direct Access status |
Get-DAConnectionStatus |
|
PS command to show contents of the Name Resolution Policy Table
(table used to determine which DNS server resolves resource requests: internal or external) |
Get-DnsClientNrptPolicy |
|
What does Direct Access on Windows 7 Enterprise require that is not required on 8.1 Enterprise? |
Client computer Certificates and a functioning PKI (Private Key Infrastructure) (8.1 can use Kerberos) |
|
Where do you view / configure the Direct Access NRPT (Name Resolution Policy Table)? |
GP: Computer Configuration > Policies > Windows Settings > Name Resolution Policy: DNS settings for Direct Access.
Direct Access column blank = do not use the internal DA server (should be blank).
IPv4 is translated into IPv6. |
|
Which of the following VPN protocols will be automatically selected when an RRAS server is not configured with a server certificate? IKEv2 L2TP/IPSec PPTP SSTP |
PPTP (Point to Point Tunneling Protocol) is the default, requiring no certs and no SSL. |
|
An RRAS server being used for Direct Access _______ be domain joined. Clients connecting via Direct Access _____ be domain joined. MUST or MUST NOT |
MUST, MUST |
|
Priority and weight settings are found on __________ DNS records. A, AAAA, CName, PTR, SRV |
SRV |
|
DNS zone delegation settings define one or more authoritative DNS servers for a subdomain. True / False |
True |
|
Which of the following RRAS VPN protocols requires the use of client certificates? IKEv2 L2TP/IPSec PPTP SSTP |
SSTP (Secure Socket Tunneling Protocol), required for SSL |
|
The ________ command can return all records in a zone when the zone is configured to _______________. |
ls; allow zone transfers to any server |
|
A DNS primary zone not stored in Active Directory can be configured to accept secure dynamic updates. (True / False) |
False |
|
Using default settings, an NPS network policy must be enabled before an RRAS server will accept incoming VPN client connections. (True / False) |
True |
|
Where are domain password policies configured? (Not including PSOs) |
Only in the Default Domain Policy. GP: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy |
|
Where are the PSO (Password Settings Object) settings in the ADAC (Active Directory Administrative Center)? (domain functional level > Server 2008) |
ADAC > tree System >
Password Settings Container |
|
PSO precedence rules: |
|
|
Built-in service accounts: privileges. |
Local System - most authority (authority over the whole system)
Network Service - least privilege plus the ability to use the network
Local Service - least privilege |
|
Managed Service Account (MSA) restrictions (AD service accounts). MSAs are service accounts tied to specific computers (replaced by Group Managed Service Accounts, GMSAs). |
- can't be used to log in (can't become locked)
- can't be used for interactive apps
- can't be used for Exchange or SQL
- can't be used to run scheduled tasks
- can't be used across multiple hosts |
|
GMSA restrictions. Group Managed Service Accounts are far more usable than MSAs. |
- Schema level of the domain has to be extended to Server 2012
- 1 DC running 2012 has to be accessible
- must create the Kerberos distributed root key prior to use
- works with SQL, across hosts, scheduled tasks, etc. |
|
MSA / GMSA PowerShell: |
New-ADServiceAccount: create new MSA
Add-ADComputerServiceAccount: associate MSA with a computer
Install-ADServiceAccount: install MSA onto machine |
|
Generate a key for the MS Group Key Distribution Service (KdsSvc) |
Add-KdsRootKey -EffectiveImmediately (takes effect after 10 hrs to allow for replication in large environments)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) to make it usable immediately |
|
Use a GMSA on a computer (PowerShell) |
Install-ADServiceAccount X
Test-ADServiceAccount -Identity X
The password is saved on the computer and should be left blank when used as a service account. |
|
Virtual account: how to create a managed local account that does not need access to the network |
NT Service\ServiceName with a blank password |
|
Often used by Hyper-V live migration or web services to grant permissions on another computer so services can run between machines. |
Configure Kerberos constrained delegation (AD computer object: trusted for delegation to services). |
|
Method to provide access to a specific instance of a service on a machine. (provides mechanism for services to find each other on a domain.) |
SPN (Service Principal Name) - AD service (user account), e.g. a web server using an SPN to facilitate authentication |
|
Active Directory maintenance: 1. check for integrity 2. internal consistency verification 3. compact the database |
net stop ntds
ntdsutil
activate instance ntds
1. files > integrity
2. quit > semantic database analysis > go fixup
3. quit > compact to c:\
copy c:\ntds.dit to c:\windows\ntds\ntds.dit
reboot |
|
AD recycle bin |
Forest functional level Server 2008 R2. ADUC: Enable Recycle Bin. Tree view > Deleted Objects (180 days) |
|
To associate a virtual account to a service account's logon properties, you must ___________. |
Configure the service name as the "log on as" account in the service properties. |
|
Which of the following FSMO roles cannot be transferred from within Active Directory Users and Computers? RID, Domain Naming, PDC emulator, or infrastructure |
Domain Naming Master |
|
A/an _____________ is used to recover a Domain Controller and allow inbound replication of the Active Directory database. |
Non-authoritative restore |
|
precedence rules for Password Settings Objects in Active Directory |
PSO settings override those applied via GPOs to the domain.
PSOs applied directly to user objects override those applied to groups.
Lower PSO precedence values override higher precedence values. |
|
groups denied from replicating passwords to an RODC? |
BUILTIN\Server Operators
BUILTIN\Account Operators
BUILTIN\Backup Operators |
|
DFS-R vs DFS-N: Distributed File System - Replication vs Distributed File System - Namespace |
Replication - file replication. Namespace - connecting users to a single shared path that links to where the shares are. |
|
Domain based vs standalone DFS Namespace |
Domain-based is Active Directory integrated. It is scalable, easily accessible, and supports ABE (hide folders the user has no access to). |
|
2 Types of DFS - Replication |
Multi-purpose replication - bidirectional. vs Data collection - special use case, 1-directional copy such as used for an off-site copy. |
|
What kind of DFS topology to use in a publishing environment? |
Hub and Spoke (replicate one-way. One to many) |
|
RDC with DFS (Remote Differential Compression) |
Compress files before DFS replicates them (not the same as the Windows feature RDC). Only on files > 64 KB by default. Trades CPU for bandwidth. |
|
Increase the minimum file size for DFS replication compression prior to replication. |
Set-DfsrConnection -MinimumFileSize |
|
In DFS when you should you increase the staging folder quota |
When you must replicate multiple large files that change frequently, or on hub members that have many replication partners. Indicator: event ID 4208 in the DFS Replication event log (staging folder is over its configured size) is logged multiple times in an hour. |
|
How do you create fault tolerance for data access |
DFS Namespace: add folder targets to the namespace from other replicated folders. |
|
What 4 tasks can FSRM (File Server Resource Manager) handle? |
Quotas - limit disk space
File screens - disallow types of files & alerts
Reports
File management tasks - file classification |
|
Use quotas in FSRM on newly created subfolders, e.g. roaming profiles for new users. |
Select the auto apply template during quota creation |
|
FSRM: File Classification management |
Inject labels into files to manage them as groups (e.g. top secret files or Project Deathstar files). |
|
How to configure a file aging task to be performed on a folder based on criteria. |
In FSRM define an expiration File Management Task |
|
Modify file/folder access denied error message to provide assistance. |
Enable / configure Access Denied Assistance in FSRM options or in GP: User > System > Access Denied |
|
How to set client certificates - disallow EFS - create a user to recover lost keys |
GP: Computer > Windows > Security > Public Key Policies > EFS properties. EFS > Create recovery agent |
|
Bitlocker: automatically unlock when on network |
GP: Comp > Admin > Win Comp > BitLocker > OS: Allow network unlock at startup. Put the key in Public Key Policies. |
|
Bitlocker recovery tools |
Features > RSAT > BitLocker Drive Encryption Administration Utilities. Must be installed for recovering BitLocker keys from Active Directory. View: BitLocker Recovery tab in the object's properties in AD |
|
Bitlocker network unlock requirements |
- UEFI firmware
- WDS server on Server 2012
- DHCP server not on the WDS server nor on a DC
- Network Unlock feature
- custom 2048-bit user cert template
- GP settings
- TPM + PIN protector enabled |
|
GP: Advanced audit polices vs audit policies |
Finer granularity in auditing of the 9 audit categories, plus the addition of Global Object Access Auditing. Use either audit or advanced audit policies, not both. The "force advanced audit subcategory" setting must be enabled (Local Policies > Security Options). |
|
Which type of DFS-R namespace is generally used as part of a backup solution for data in remote sites? Multipurpose or data collection? |
Replication group for data collection |
|
A BitLocker startup key protector is a _____________; a BitLocker password protector is a _______________. file or characters? |
Startup key protector: file. Password protector: string of characters. |
|
A hub-and-spoke DFS-R topology requires a minimum of ____ members; a full mesh DFS-R topology requires a minimum of ____ members. |
three; two |
|
Group Policy Precedence order |
Local, Site, Domain, Organizational Unit (OU overwrites the others) |
|
GPO link order |
Lowest number has the highest precedence |
|
Applying GPO by characteristic instead of by security group? |
WMI filter (e.g. apply to laptops running Windows 8) |
|
gwmi win32_computersystem | select *; gwmi win32_operatingsystem |
Get WMI table info for creating a WMI filter, e.g. select * from win32_computersystem where (Model like "Dell Laptop%") |
|
Speed up computer login time |
Enable the Group Policy caching GP setting. |
|
How to enforce computer Group Policy onto a user |
Configure user GP loopback processing mode: replace / merge (e.g. for an RDS server) |
|
gpupdate /force vs Invoke-GPUpdate |
PS Invoke-GPUpdate can be run against another computer. Can also be performed in GP Management: right-click the OU > Group Policy Update |
|
Assigned app with Group Policy: location |
MUST specify a UNC path; the location must be shared and have read permissions, e.g. \\DC\PublishedAppShare |
|
Assign app to computer vs user |
Computer-assigned apps install with system permissions before user sign-on and are more secure. The Security tab can limit by user. |
|
Can you publish an app to a computer? |
No, publishing is only allowed to a user. |
|
Group Policy central store for ADM administrative templates |
c:\windows\sysvol\domain\policies\PolicyDefinitions. After copying, they will show up in GP Management under User/Computer: Policies > Administrative Templates |
|
Create a human readable GPO report with powershell. |
Get-GPOReport -All -ReportType Html -Path c:\report.html |
|
Transfer a GPO from one domain to another and change text values based off of a list. |
Use a GPO migration table to map values, e.g. \\DC mapped to \\File1 |
|
Default GPOs are lost and need replacement; or the domain name or DNS name of the server changed: commands to auto-fix GPOs with the new name. |
DcGpoFix.exe to recreate default GPOs. DCFixUp.exe to fix GPOs with the new DN |
|
GP Policy vs Preference regarding persistence |
A preference, once created, always exists until removed (unless the common setting "remove when no longer applied" is checked). Policies are removed when overwritten or no longer applied. |
|
GPP (Group Policy Preference) Actions |
Create - only if the setting doesn't exist
Replace - remove and create new
Delete - remove if it exists
Update - (default) preferred; if it exists update, if not create |
|
Set a GPP to allow removal |
Check common setting: apply once and do not reapply. |
|
Create a share with GPP that allows ABE (Access Based Enumeration) |
User > Preferences > Drive Maps |
|
How to apply a GPP registry setting if software exists on the machine? |
Use Common > Item-Level Targeting: File exists. |
|
Group Policy Loopback Processing is used to apply ____________ settings to _____________. |
User Configuration; computers |
|
The default Group Policy refresh interval is every ___________ minutes with an offset of _________ minutes. |
90; 0 to 30 |
|
Which type of Group Policy settings will revert to their original configuration when the user or computer falls out of scope of the GPO? |
Managed. (unmanaged such as restricted groups and preferences will persist) |
|
Will a WMI filter apply settings to computers when its GPO is not linked to a site, domain, or OU? |
No |
|
Methods used to add settings from a custom ADMX file into a GPO |
Copy the ADMX to \\\SYSVOL\\Policies\PolicyDefinitions |
|
NAP (Network Access Protection services) deprecated in 2016 |
Ensures clients meet prerequisites before logging onto the domain (e.g. domain joined, has antivirus). Deprecated in 2016. |
|
SHV (System Health Validators) |
Used by NAP (Network Access Protection, DEPRECATED) to verify the health of PCs before allowing access (e.g. firewall enabled, Windows updates installed, anti-virus installed) |
|
What must be enabled on a client for it to access NAP (deprecated)? |
- Windows Security Center - enabled enforcement client - NAP service |
|
Which of the following cannot be used as a condition in an NPS Connection Request Policy? Framed protocol, Service type, Embedded authentication protocol, Tunnel type |
Embedded authentication protocol |
|
VPN connections that utilize the Microsoft Protected EAP authentication method require certificates installed onto _____________. |
the RRAS and NPS server |
|
To follow best practices, the _________ is/are generally positioned in the DMZ, whereas the _______ is/are generally positioned in the internal LAN. RRAS, NPS, DC |
RRAS server; NPS server and domain controller |
|
Set-GPInheritance Set-GPLink Set-GPPermissions |
Set-GPInheritance: block or unblock GP inheritance
Set-GPLink: enable/disable, enforce, or change GP link order
Set-GPPermissions: delegate permissions |
|
Divide up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers |
Zone delegation |
|
Ability for a DNS server to host a secondary zone |
Add it as a name server |
|
What is an AD application directory partition? |
A partition is a data structure in AD DS that distinguishes data for different replication purposes |
|
Unlock a BitLocker drive with PowerShell |
Unlock-powershell or command line tool manage-bde |