Server2012 final – Flashcards

question
What function does the CSVDE tool perform?
answer
It exports/imports Active Directory information
question
If a single domain controller's AD database becomes corrupt, which type of restore should you perform on it?
answer
nonauthoritative
question
To perform an authoritative restore, into what mode must you reboot the domain controller?
answer
DSRM (Directory Services Restore Mode)
question
What is a GUID?
answer
A unique identifier for a snapshot
question
What utility first appeared in Windows Server 2008 R2 that allows you to undelete Active Directory containers and objects?
answer
The Active Directory recycle bin
question
By default, how often does Active Directory "garbage collection" occur
answer
12 hours
question
After you undelete a user account with the LDP utility, what action do you need to perform
answer
Reset the user's password
question
In interactive mode, what aspect of AD can you check with the ntdsutil integrity command?
answer
low-level database corruption
question
What is the proper procedure for removing a domain controller from Active Directory?
answer
Uninstall Active Directory Domain Services
question
Which ntdsutil command cleans up metadata?
answer
metadata cleanup
question
To perform an authoritative restore of an object or subtree, what bit of information do you need to know about the object?
answer
its distinguished name
question
When you do an authoritative restore process, a back-links file is created. What is the back-links file?
answer
a reference to an attribute within another object
question
Before you can use the Active Directory recycle bin, what two actions do you have to perform?
answer
1) You have to set the AD forest to Windows Server 2008 R2 or higher 2) You have to enable the Recycle Bin
question
Windows Server 2012 introduces a new time-saving feature when performing tasks such as AD Defragmentation. What is that feature?
answer
Restartable Active Directory Domain Services
question
What utility do you use to defragment Active Directory
answer
ntdsutil
question
Why is backup of the Active Directory database so important?
answer
Backup is needed in case of corruption, deletion, or other failure
question
Why is backing up the Windows system state necessary?
answer
It's needed to perform a full system restore
question
An Active Directory snapshot is actually what kind of backup?
answer
a shadow copy
question
Why can you not modify snapshots
answer
They are read-only
question
What is the name of the physical database file in which all directory data is stored?
answer
ntds.dit
question
Which file is used to track the point up to which transactions in the log file have been committed
answer
edb.chk
question
What is the name of the file into which directory transactions are written before being committed to the database file
answer
edb.log
question
Which file is used as a scratch pad to store information about in-progress large transactions and to hold pages pulled out of ntds.dit during maintenance operations
answer
temp.edb
question
Name 4 examples of password policies
answer
history, length, complexity, age
question
Why primarily are account lockout policies put into place?
answer
security
question
What is the default setting for password history?
answer
24
question
What is the default minimum password length in characters
answer
7
question
By default, who has read/write capability to the default domain policy?
answer
domain administrators
question
How should you assign Password Settings objects (PSOs) to users?
answer
Assign PSOs to a global security group and add users to the group
question
What is the primary advantage of using group policies in a domain environment
answer
Centralized Management
question
What is the secpol.msc utility for?
answer
editing local security policies
question
What does the minimum password age setting control?
answer
how many days a user must wait before a password reset
question
Why should administrator passwords change more often than user passwords?
answer
because administrator accounts carry more security sensitivity than users do
question
What is the range of password history settings?
answer
0 to 24
question
What is an easy method of creating a strong password?
answer
Start with a sentence and then add numbers and special characters
question
Why is a setting of 0 for maximum password age not a good idea?
answer
1) It means that passwords never expire, which is a major security problem 2) It means that you have disabled password aging
question
Account policies contain various subsets, which 3 are legitimate subsets of account policies?
answer
Password Policy, Account Lockout Policy, Kerberos Policy
question
Which password is considered complex? M!croS0ft or candybar01
answer
M!croS0ft
question
What character length for a password is generally accepted as a minimum?
answer
eight
question
The default maximum password age is how long?
answer
42 days
question
This setting defines a default password filter that is enabled by default
answer
complexity requirements
question
This setting defines the number of days that a password can be used before a user must change it
answer
maximum password age
question
This setting defines the number of unique, new passwords that must be associated with a user account before an old password can be reused
answer
enforce password history
question
This setting defines the minimum number of characters that a user's password must contain
answer
minimum password length
question
What policy will affect all users in the domain, including domain controllers
answer
Default Domain Policy
question
In which order are group policy objects processed?
answer
Local Group Policy, Site, Domain, OU
question
What is the default timeout value for GPOs to process on system startup
answer
600 seconds
question
GPOs are processed on computer startup and after logon. Why is the user never aware of the processing
answer
Processing is hidden from the user
question
What is the first step in the GPO processing order?
answer
The computer establishes a secure link to the domain controller
question
The downward flow of group policies is known as what feature of GPOs?
answer
inheritance
question
If a site, domain, or OU has multiple GPOs, how are the group policies processed
answer
by precedence
question
Which two filters can you use to control who or what receives a group policy?
answer
Security Group Filter & WMI filter
question
For users to receive GPO settings, they must have which two permissions to the GPO
answer
Allow Read & Allow Apply
question
By default, which GPO permissions are all authenticated users given?
answer
Apply Group
question
At what point are WMI filters evaluated
answer
when the policy is processed
question
To use WMI filters, you must have one domain controller running which version of Windows Server or higher
answer
2003
question
How many WMI filters can be configured for a GPO?
answer
one
question
What kind of group policies should you enable for student computers?
answer
loopback
question
What is the primary purpose of running the Group Policy Results Wizard?
answer
To analyze the cumulative effect of GPOs and for GPO troubleshooting
question
Which utility do you use to set up loopback policies?
answer
Group Policy Management Editor
question
How are client-side extensions applied
answer
to the local computer or currently logged-on user
question
What is the best method of dealing with slow-link processing?
answer
changing the slow-link policy processing behavior
question
Where would using Replace mode GPOs be appropriate?
answer
in a classroom
question
What feature uses a security access list (ACL) to determine who can modify or read a policy and who or what a GPO is applied to?
answer
security group filtering
question
What component extends the Windows Driver Model to provide an interface to the operating system to provide information and notification on hardware, software, operating systems, and services
answer
Windows Management Instrumentation (WMI)
question
How do group policy settings flow down into the lower containers and objects?
answer
inheritance
question
What feature configures a GPO to be applied to certain users or computers based on specific hardware, software, operating systems, and services?
answer
WMI filtering
question
Which operating systems can have their security settings managed by using security templates?
answer
Windows 7 and Windows 8
question
Which two methods can you use to deploy security templates
answer
1) using Active Directory GPOs 2) using the Security Configuration and Analysis snap-in
question
What is an ADMX file?
answer
the ADM format for newer operating systems
question
What is the central store?
answer
a repository for Administrative Templates
question
Name two legitimate Administrative Template Property filters?
answer
Keyword Filters, Requirement Filters
question
What is the name of the software component used for installation, maintenance, and removal of software on Windows?
answer
Windows Installer
question
What is the filename extension for the files in which installation information is stored?
answer
.msi
question
What are MST files used for?
answer
They deploy customized software installation files
question
Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe file, what must you do to it?
answer
Convert it to an MSI file
question
The Security Template allows you to configure which 3 settings?
answer
System Services, Registry Permissions, File System Permissions
question
Where is the default location for ADMX files?
answer
c:\Windows\PolicyDefinitions
question
Identify the 3 possible states of an Administrative Template
answer
Not Configured, Enabled, Disabled
question
What language are ADMX files based on?
answer
XML
question
Unlike ADM files, ADMX files are NOT stored where ?
answer
in individual GPOs
question
Where is the Central Store located
answer
in the SYSVOL directory
question
An application cannot be published to a
answer
computer
question
When configuring Group Policy to deploy applications, the applications must be mapped to where?
answer
UNC path
question
What happens when an application deployed via group policies becomes damaged or corrupted?
answer
The installer will detect and reinstall or repair the application
question
If you, as an administrator, change an installed application, how do you update your users?
answer
By redeploying the application via the GPO
question
Which node contains only one node, Software installation, which allows you to install and maintain software within your organization?
answer
Software Settings
question
Which node contains settings that are applied when the user logs on?
answer
User configuration
question
Which node contains settings that are applied to the computer regardless of who logs on to the computer
answer
Computer Configuration
question
Which node allows you to configure settings such as Name Resolution Policy, Security Settings, Policy-Based QoS nodes?
answer
Windows Settings
question
Which domain users are automatically granted permissions to perform Group Policy Management tasks?
answer
domain administrators
question
Name two reasons for resetting the domain policy and the domain controller policy to the default settings?
answer
If they've become corrupted or if someone deleted one of the policies
question
A user must have which two existing permissions for new permissions to be applied to their accounts for GPO delegation
answer
Allow Read and Allow Apply
question
If you don't want a GPO to apply, which group policy permission do you apply to a user or a group
answer
Disallow apply
question
When you're about to reset the domain policy and domain controllers policy back to default with the dcgpofix.exe command, what final warning are you given before you accept the change?
answer
that all User Rights Assignments will be replaced
question
To give someone permission to manage a particular GPO, you use the ___ tab of the individual GPO
answer
delegate
question
What is a collection of files stored in the SYSVOL (%SYSTEMROOT%\SYSVOL\Policies) of each domain controller?
answer
Group Policy Template (GPT)
question
What is a file that maps references to users, groups, computers, and UNC paths in the source GPO to new values in the destination GPO?
answer
migration table
question
What is an Active Directory object stored in Group Policy Objects container with the domain naming content of the directory that defines basic attributes of the GPO but does not contain any of the settings
answer
Group Policy Container
question
What process grants permissions to other users to manage group policies?
answer
Delegation
question
Which utility do you use to create GPO preferences?
answer
Group Policy Management Editor
question
For GPP editing states, which key do you use to toggle Enable Content
answer
F6
question
How do you stop processing a preference if an error occurs?
answer
Select the Stop processing items option on the Common tab
question
Which Windows extension allows you to copy registry settings and apply them to other computers to create, replace, or delete registry settings?
answer
Registry
question
Which Windows extension allows you to add, replace, or delete sections or properties in configuration settings or setup information files
answer
.ini files
question
To copy, replace, update, or delete files, you can use wildcard characters. Which wildcard characters can you use? Select all that apply
answer
? and *
question
If you need to provide users access to a common network location, which GPP would you use? Name 2
answer
Shortcut and Drive Maps
question
To support GPPs on older Windows versions (Server and Workstation), you have to install what component from Microsoft?
answer
GPP Client-Side Extensions
question
Which component allows you to create multiple Registry preference items based on registry settings that you select
answer
Registry Wizard
question
Name two possible targets for individual preferences?
answer
computer name and CPU speed
question
Which term describes changing the scope of individual preferences items so that the preference items apply only to selected users or computers
answer
item-level targeting
question
Which items can you configure shortcuts to in performing GPP deployments? Name 4
answer
Windows Firewall applet, Documents folder, Microsoft Excel, Printer
question
Identify at least 4 Windows Settings multiple preference extensions
answer
Registry, Shortcuts, Folders, Storage
question
When working with Network Drive Mapping Preferences, which preference behaviors delete drive mappings?
answer
Replace and Delete
question
GPP can be configured on domain controllers running which 3 versions of Windows Server?
answer
2008, 2008 R2, 2012
question
What is the key difference between preferences and policy settings?
answer
enforcement
question
GPPs are divided into which two sections
answer
Windows and Control Panel
question
Windows Settings are common configuration settings used in Windows but now used where?
answer
Control Panel
question
What object can you create to organize Registry preference items?
answer
a Collection
question
Normally, preferences are refreshed at the same interval as Group Policy settings. If this option is selected, this option will be applied only once on logon or startup
answer
Apply once and do not reapply
question
When this option is selected, if an error occurs while processing a preference, no other preferences in this GPO will process
answer
Stop processing items in this extension if an error occurs
question
This option determines which users or computers will receive a preference based on a criterion such as computer name, IP address range, operating system, security group, user, or Windows Management Instrumentation (WMI) queries
answer
Use item-level targeting
question
By default, this option runs as the System account. If this option is selected, the logged-on user context is used
answer
Run in logged-on user's security context
question
What kind of RADIUS server is placed between the RADIUS server and RADIUS clients?
answer
a RADIUS proxy server
question
What process determines what a user is permitted to do on a computer or network
answer
authorization
question
What is a RADIUS server known as in Microsoft parlance
answer
Network Policy Server (NPS)
question
What ports do Microsoft RADIUS servers use officially?
answer
1812 and 1813
question
When an access client contacts a VPN server or wireless access point, a connection request is sent to what system
answer
the NPS server
question
Which system in a RADIUS infrastructure handles the switchboard duties of relaying requests to the RADIUS server and back to the client
answer
the access server
question
What is the final step in the authentication, authorization, and accounting scenario between an access client and the RADIUS server?
answer
an Accounting-Response to the access server
question
To configure RADIUS service load balancing you must have more than one kind of what system per remote RADIUS server group
answer
RADIUS server
question
Which parameter specifies the order of importance of the RADIUS server to the NPS proxy server
answer
priority
question
Using what feature can streamline the creation and setup of RADIUS servers
answer
templates
question
What kind of information does the Accounting-Start message contain?
answer
the type of service and the user it's delivered to
question
Which system is the destination for Accounting-Start messages?
answer
the RADIUS accounting server
question
What type of NPS authentication is recommended over password authentication
answer
certificate
question
Why is password-based authentication not recommended
answer
usernames and passwords are sent in plain text
question
Where do you get certificates for authentication purposes
answer
a certificate authority
question
When setting up authentication to NPS services for Microsoft-only clients, what type of authentication should you use
answer
MS-CHAPv2
question
What would be the biggest problem with configuring text files for accounting logging?
answer
Space: filling up the C drive has catastrophic effects
question
You would create a RADIUS server template so you could do what with it?
answer
Easily create multiple RADIUS servers from it
question
Which non-recommended method of user authentication is considered too insecure because usernames and passwords are sent in plain text?
answer
PAP
question
If you decide to use this method for authentication, you will need certificates that include the client authentication purpose
answer
smart card
question
Which authentication method encompasses the largest number of clients (Microsoft and Non-Microsoft) but only has a moderate level of security
answer
CHAP
question
An NPS policy is a set of permissions or restrictions that determine what three aspects of network connectivity
answer
who, when, and how
question
Which variable can be set to authorize or deny a remote connection
answer
group membership
question
The default connection policy uses NPS as what kind of server
answer
RADIUS
question
Where is the default connection policy set to process all authentication requests
answer
locally
question
What is the last setting in the Routing and Remote Access IP settings
answer
how IP addresses are assigned
question
What command line utility is used to import and export NPS templates
answer
netsh
question
To which type of file do you export an NPS configuration
answer
XML
question
When should you not use the command-line utility method of exporting and importing the NPS configuration
answer
when the source NPS database has a higher version number than the version number of the destination database
question
Network policies determine what two important connectivity restraints
answer
Who is authorized to connect AND the connection circumstances for connectivity
question
When the Remote Access server finds an NPS network policy with conditions that match the incoming connection attempt, the server checks any _____ that have been configured for the policy
answer
constraints
question
If a remote connection attempt does not match any configured constraints, what does the remote server do with the connection?
answer
denies
question
Identify the 3 correct NPS templates
answer
Shared Secrets, Health Policies, RADIUS clients
question
Which two of the following are Routing and Remote Access IP settings
answer
Client May Request an IP address AND Server Must Supply an IP address
question
What Routing and Remote Access IP setting is the default setting
answer
Server Settings Determine IP Address assignments
question
Which is the strongest type of encryption
answer
MPPE 128-Bit
question
RADIUS Access-Request messages are processed or forwarded by NPS only if the settings match what on the NPS server?
answer
one of the connection request policies
question
Why is there a No Encryption option for network connections
answer
to allow certain trusted connections to remain unencrypted
question
Network Access Policy is part of which larger scope policy
answer
Health
question
What character string makes up the telephone number of the network access server (NAS)
answer
Called station ID
question
What character string attribute designates the phone number used by the access client
answer
Calling station ID
question
What is used to restrict the policy only to clients that can be identified through a special mechanism such as the NAP statement of health?
answer
Identity Type
question
What is the name of the RADIUS client computer that requests authentication
answer
client friendly name
question
Network Access Protection (NAP) is Microsoft's software for controlling network access for computers based on what?
answer
a computer's overall health
question
Because NAP is provided by _____, you need to install _____ to install NAP
answer
NPS, NPS
question
DHCP enforcement is not available for what kind of clients
answer
IPv6
question
Identify two remediation server types
answer
Anti-virus/Anti-malware servers AND Software update servers
question
What type of Active Directory domain controller is recommended to minimize security risks for remediation servers?
answer
read-only
question
When you fully engage NAP for remediation enforcement, what mode do you place the policy in
answer
isolation
question
To verify a NAP client's configuration, which command would you run?
answer
netsh nap client show state
question
Which two components must a NAP client have enabled in order to use NAP?
answer
Security Center and NAP agent
question
Why do you need a web server as part of your NAP remediation infrastructure?
answer
To provide user information in case of compliance failure
question
Where do you look to find out which computers are blocked and which are granted access via NAP
answer
the NAP server event viewer
question
Health policies are in pairs, what are the members of the pair, select two
answer
NAP-compliant and NAP-noncompliant
question
You should restrict access only for clients that don't have all available security updates installed if what situation exists
answer
the computers are running Windows update
question
What happens to a computer that isn't running Windows Firewall?
answer
the computer is isolated
question
Health policies are connected to what two other policies
answer
Network Policies and Connection Request Policies
question
To use the NAP-compliant policy, the client must do what?
answer
pass all SHV checks
question
Which computers are not affected by VPN enforcement
answer
locally connected computers
question
When enabling NAP for DHCP scopes, how should you roll out the service
answer
for individual DHCP scopes
question
What is the purpose of the System Health Agent (SHA)
answer
to provide feedback on the status of system protection and updates
question
Why is monitoring system health so important?
answer
to maintain a safe computing environment
question
Why would you setup a monitor-only NAP policy on your network
answer
You are testing your NAP rollout before implementation
question
These computers don't typically move much and are part of the domain
answer
desktop computers
question
These Windows computers are not usually connected directly to the network but connect through a VPN connection. Because they are usually home computers, they might not have up-to-date software
answer
unmanaged home computers
question
These computers are unmanaged computers used by consultants or vendors who need to connect to your network
answer
visiting laptops
question
These Windows computers move often but are typically part of the domain, but might not always get the newest updates
answer
roaming laptops
question
What is the default authentication protocol for non-domain computers
answer
NTLM
question
What does the acronym NTLM stand for
answer
NT LAN Manager
question
NTLM uses a challenge-response mechanism for authentication without doing what
answer
sending a password to the server
question
What kind of protocol is Kerberos
answer
a secure network authentication protocol
question
Kerberos security and authentication are based on what type of technology?
answer
secret key
question
What is the default maximum allowable time lapse between domain controllers and client systems for Kerberos to work correctly
answer
5 minutes
question
Which three components make up a service principal name (SPN)
answer
service class, host name, port number
question
What happens if a client submits a service ticket request for an SPN that does not exist in the identity store
answer
The client receives an access-denied error
question
Which tool can you use to add SPNs to an account
answer
ADSI Edit
question
What are two restrictions for adding SPNs to an account
answer
Domain Administrator privileges & The editor runs the domain controller
question
Identify another utility that you can use to add SPNs to an account
answer
setspn
question
What type of account is an account under which an operating system, process, or service runs
answer
service account
question
When creating accounts for operating systems, processes, and services, you should always configure them with what two things in mind?
answer
using strong passwords and granting the least rights possible
question
Name two benefits to using Managed Service Accounts (MSAs)
answer
automatic password management and simplified SPN management
question
By default, which service accounts will the Windows PowerShell cmdlets manage?
answer
group MSAs
question
What is the default authentication protocol for contemporary domain computers
answer
Kerberos
question
What is the name by which a client uniquely identifies an instance of a service
answer
service principal name
question
Before you create an MSA object type, you must create what?
answer
a key distribution services root key
question
What service right does an MSA account automatically receive upon creation
answer
log on as a service
question
Which Kerberos setting defines the maximum time skew that can be tolerated between a ticket's timestamp and the current time at the KDC?
answer
maximum tolerance for computer clock synchronization
question
Which Kerberos setting defines the maximum lifetime for a Kerberos TGT ticket?
answer
maximum lifetime for a user ticket
question
Which Kerberos setting defines the maximum lifetime for a Kerberos ticket
answer
maximum lifetime for a service ticket
question
Which Kerberos setting defines how long a service or user ticket can be renewed
answer
maximum lifetime for user ticket renewal
question
The domain controllers are the computers that store and run the ____
answer
Active Directory database
question
How many PDC emulators are required, if needed, in a domain?
answer
one
question
You do not place the infrastructure master on a global catalog server unless what situation exists
answer
You have a single domain
question
When you add attributes to an Active Directory object, what part of the domain database are you actually changing?
answer
schema
question
Which Active Directory object is defined as a specialized domain controller that performs certain tasks so that the multi-master domain controllers can operate and synchronize properly?
answer
Operations Master
question
How many global catalogs are recommended for every organization?
answer
at least two
question
What two things must you do to a Windows Server to convert it to a domain controller?
answer
Install Active Directory Domain Services (AD DS) and Execute dcpromo from Server Manager
question
Beginning with which server version can you safely deploy domain controllers in a virtual machine
answer
Windows Server 2012
question
What utility must you run on a cloned system to ensure that the clone receives its own SID
answer
sysprep
question
Which type of system must you connect to and use to make changes to Active Directory
answer
writeable domain controller
question
Which version of Windows Server introduced incremental universal group membership replication
answer
Windows Server 2003
question
What are the three types of groups in a domain
answer
domain local groups, global groups, and universal groups
question
The global catalog stores a partial copy of all objects in the forest. What are the reasons for keeping that partial copy? 3
answer
logon, object searches, universal group membership
question
Although the changes are easy to make, why is changing the AD Schema such a big deal
answer
The changes could corrupt the database
question
Where in the forest is a global catalog automatically created?
answer
the first domain controller
question
Which utility do you use to manage Active Directory from the command line
answer
ntdsutil
question
Which command-line command do you use to allow Windows Server 2003 domain controllers to replicate to RODCs?
answer
ADPrep /RODCPrep
question
Which term describes a collection of domains grouped together in hierarchical structures that share a common root domain?
answer
domain trees
question
Which term describes an administrative boundary for users and computers, which are stored in a common directory database?
answer
domains
question
Which term describes a collection of domain trees that share a common Active Directory Domain Services (AD DS)?
answer
Forests
question
Which term describes containers in a domain that allow you to organize and group resources for easier administration, including providing and delegating administrative rights
answer
organizational units