118 Cards in this Set


Tunneling Protocols




IKEv2 - used to set up the IPsec security association (SA); the basis of VPN Reconnect


PPP (obsolete as a dial-up protocol; still the link framing carried inside L2TP, PPTP and SSTP tunnels)


L2TP VPN (L2TP/IPsec)


PPTP (obsolete; its MS-CHAPv2 handshake is breakable offline, do not deploy)

Internet Key Exchange


Point-to-Point Protocol


Layer 2 Tunneling Protocol


Point-to-Point Tunneling Protocol

Authentication Protocols




PAP


CHAP


MS-CHAPv2


EAP

PAP - backwards compatibility only. Password crosses the wire in cleartext (no hashing, no encryption)


CHAP - old like PAP but uses an MD5 challenge-response, so the password itself is never sent; the server must hold the password reversibly encrypted ("Store password using reversible encryption")


MS-CHAPv2 - the exam's "best choice" of the legacy PPP methods (mutual authentication, derives MPPE keys). Its DES-based challenge-response is breakable offline, so in practice wrap it in PEAP or use EAP-TLS


EAP - extensible framework (EAP-TLS with certificates, PEAP, EAP-MSCHAPv2); the method type negotiated with RADIUS/NPS and required for NAP

CMAK

CMAK - Connection Manager Administration Kit




Create and deploy VPN profiles

NAP

Network Access Protection


(deprecated in Server 2012 R2, removed in Server 2016)

Forefront UAG

Forefront Unified Access Gateway

Why is DirectAccess (Server 2012 and later) better than the 2008 R2 version?

PKI no longer required for a basic deployment (Kerberos proxy authenticates Windows 8+ clients); certificates are still needed for Windows 7 clients, two-factor/OTP and multisite


No longer needs two consecutive public IPv4 addresses; can sit behind a NAT with a single NIC


Can be on the same server as RRAS VPN


Simplified deployment wizard

IPv6 transition technologies used between the DirectAccess client and server (chosen automatically in this order)

6to4 - DA client has a public IPv4 address (directly connected); IPv6 carried in IP protocol 41




Teredo - DA client behind NAT (private IPv4); IPv6 carried in UDP 3544




Last option: IP-HTTPS - DA client behind NAT, but UDP 3544 (or protocol 41) is blocked; IPv6 carried inside HTTPS on TCP 443, so it works almost anywhere (Server 2012+ uses null cipher suites here to avoid encrypting the already-IPsec-protected payload twice)

ISATAP

Provides IPv6 connectivity over the IPv4 intranet so DirectAccess servers and management hosts can reach each other and the DA clients (required for "manage-out" to clients)


(turn it on for the future)




Intra-Site Automatic Tunnel Addressing Protocol

What are the 3 things to know for the 413?

Direct Access is an always on VPN.




System Center VM Manager is how to make a private cloud.




IPAM is great for government or HIPAA-regulated organizations that need to audit address assignments and logons.

ADFS

Active Directory Federation Services isn't so bad for device management.




Like Sharepoint it has gotten much simpler.

Windows Server 2016 Server Core

All boxes we set up should be managed via remote Server Manager.




Just have to set up PowerShell remoting (WinRM / WS-Management)




(it will ensure the longevity of VNS support)

What are work folders?

Similar to Offline Files and Folder Redirection, except files are accessible externally via HTTPS




(a non-domain PC can connect with credentials if you have a publicly trusted certificate)





What do you need for Work folders?

Windows Server 2012 R2 and above




Windows 8.1 and above or


Windows 7: Pro, ultimate, or Enterprise


(with download package)




Clients also exist for iOS, Android and Windows Phone

What are the limits of work folders?

No group or shared folders: a sync share only holds a private folder per user.




No ability to share outside the organization.




To access it from outside the network you need Web Application Proxy and AD FS.

How to set up Work Folders on the server?

Add the Work Folders role service (File and Storage Services > File and iSCSI Services).


New Sync Share (path, the users or group, and the device policies: require encryption, require password and auto-lock).




Externally available: add the Web Application Proxy and AD FS roles


Certificate on the server (publicly trusted, or push a private CA certificate to the devices)


IIS web site / HTTPS binding on 443


Publish the URL through Web Application Proxy
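The same server-side procedure as PowerShell, written for this deck as an added example (not part of the original cards). The share name, path, AD group, certificate subject and the external URL are illustrative assumptions; the `appid` GUID is the one Microsoft's Work Folders deployment guide uses for the Work Folders HTTP listener.

```powershell
# Added example (not from the flashcard deck): server-side Work Folders setup as PowerShell.
# Path, share name, AD group, certificate subject and URLs are illustrative assumptions.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# One sync share per user population. Every user gets a private folder under the root,
# which is where the "no group folders" limitation on the earlier card comes from.
# The two device policies are the security-relevant part: the client must encrypt its
# local copy and must have a lock-screen password with auto-lock before it is allowed to sync.
New-SyncShare -Name 'WorkFolders' `
    -Path 'D:\WorkFolders' `
    -User 'VNS\WorkFoldersUsers' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Bind the HTTPS certificate. Work Folders runs on the IIS hostable web core, not a full
# IIS site, so the binding is done with netsh. The appid is the fixed Work Folders listener
# GUID from the Microsoft deployment guide.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object Subject -like 'CN=workfolders.vns.net*').Thumbprint
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumb `
    appid='{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}' certstorename=MY

# Verify the share and that both device policies actually stuck.
Get-SyncShare -Name 'WorkFolders' |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# ---- On the Web Application Proxy server (separate box, WAP role installed) ----
# Publish the endpoint. Work Folders clients do their own authentication, so WAP uses
# pass-through pre-authentication; AD FS is still what issues the tokens to the client.
# Add-WebApplicationProxyApplication -Name 'WorkFolders' `
#     -ExternalPreauthentication PassThrough `
#     -ExternalUrl 'https://workfolders.vns.net/' `
#     -BackendServerUrl 'https://workfolders.vns.net/' `
#     -ExternalCertificateThumbprint $thumb
```

If `Get-SyncShare` shows `RequireEncryption : False`, the policy was rejected rather than applied; re-run `Set-SyncShare -Name 'WorkFolders' -RequireEncryption $true` and check the client's Work Folders event log for policy errors before putting users on it.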

How to setup work folders on workstations

Control Panel > System and Security > Work Folders > Set up Work Folders




(Windows 7 must download work folders package)

What is workplace join?




(not a full domain join)

Claims-based SSO (Single Sign On) for non-domain devices.




Allows a user to register a personal machine so it can access resources that have been selectively granted.

Workplace Join limitations

No group policy or traditional management.




An AD device object is created (under CN=RegisteredDevices), but access must be granted selectively. (not a domain user)

Workplace join requirements

AD FS




Device Registration Service (DRS) enabled in AD FS




UPNs (Dan@vns.net as opposed to doldenkamp)

What is Active Directory Federation Services


(AD FS)

Web service that grants identity (SSO) through claims-based authentication




Can serve as an intermediary for

What is claims based authentication

Attributes (claims) about users and computers asserted by a trusted issuer; authorization decisions are made on the claims




Authentication does not depend on the Windows (NT) user name




No AD trust (or even Windows) required between the parties

What do you need on your certificate and DNS to make AD FS work for external Work Folders?

Publicly trusted wildcard cert, or a SAN cert with:


server FQDN (ADFS-box.vns.net)


enterpriseregistration.vns.net (used by Device Registration / Workplace Join)




DNS:


A record for the FQDN pointing at the AD FS server internally and at the Web Application Proxy externally (split DNS)

What is WAP?


Web Application Proxy

Reverse proxy (publishes inside resources to the outside)




Successor to Forefront UAG (Unified Access Gateway)




Replaces the AD FS Proxy role and pre-authenticates users with AD FS




For publishing internal apps / services to the outside

What 2 things do you need for:




Internet based Work Folders


and Workplace join

WAP & AD FS

What works with workplace join?

Do not suggest workplace join. MS is moving to Intune and Azure AD for device enrollment.




Windows 8.1, iOS, Android




(Windows 7 client has a separate download)


(Windows 10 not supported)

What do you need to link on premise to Windows Azure services?

Site-to-Site VPN.




(not necessary for O365 DirSync, which only needs outbound HTTPS)

What are load balancing DIPs?

Dedicated IP addresses: the per-node addresses of a DirectAccess NLB cluster, as opposed to the shared virtual IP (VIP) that clients connect to.




Each node added to the DirectAccess load-balancing cluster needs its own DIPs (internal, and external in a two-NIC deployment).

What are entry points for with regards to Direct Access?

Used in multisite deployments to associate client groups with specific DirectAccess servers. Windows 8+ clients pick the nearest entry point automatically; Windows 7 clients are pinned to one.



Direct Access requirements

server: Windows Server 2012 R2 (2012 also works)




client: Windows 8.1 Enterprise and above (Windows 7 Enterprise/Ultimate supported only with PKI)

NAP

Network Access Protection


(deprecated)




Makes clients prove they are patched and have current AV before they get access to internal resources (health policy, remediation network for non-compliant clients)

What can Domain rename affect?

AD partitions, DNS, replication, user logon experience

What tools to use for domain rename

Rendom.exe


GPFixup.exe

How to export / restore GPO?

Group Policy Management >


right-click Group Policy Objects > Back Up All (or right-click one GPO > Back Up)




Action > Open Migration Table Editor (maps the security principals and UNC paths stored in the backup to the new domain)


Tools > Populate from Backup




Right-click a destination entry > Browse: to map to the new objects


Create new GPO > right-click > Import Settings (choose the backup and the migration table)

What is PES used for?

Password Export Server (PES)




A service (pwdmig.msi, the "ADMT Password Migration DLL") installed on a domain controller in the SOURCE domain. It lets ADMT copy user passwords to the target domain encrypted under a key generated by ADMT, so migrated users keep their passwords without those passwords ever being exposed in cleartext.

How to use PES on source and destination domains

On the ADMT (target domain) machine, create the key: admt key /option:create /sourcedomain:<source> /keyfile:<path>.pes /keypassword:*



On a DC in the source domain, install the ADMT Password Migration DLL (pwdmig.msi) and supply the .pes key file




Ensure the "Password Export Server Service" is running on that DC (its startup type defaults to Disabled) before running the user migration with the password option.

How to change a domain name step 1:




Rendom (run from a DC or a member with the AD DS tools installed)





rendom /list               (writes the current forest structure to Domainlist.xml)


edit Domainlist.xml with the new DNS and NetBIOS names


rendom /showforest         (verify the new tree)


rendom /upload             (pushes the rename script to the domain naming master)


rendom /prepare            (every DC must be reachable and acknowledge)


if it errors, force AD replication (repadmin /syncall) and retry


rendom /execute            (DCs apply the rename and reboot)

change domain name step 2:




GPFixup (repairs GPO links and paths that embed the old domain name)

gpfixup /olddns:old.vns.net /newdns:new.vns.net




gpfixup /oldnb:OLDNB /newnb:NEWNB




rendom /clean              (removes references to the old name)


rendom /end                (unfreezes the forest configuration)




(next: every member workstation/server must restart twice to pick up the new domain name; rejoin only the ones that fail)

MDOP

Microsoft Desktop Optimization Pack

AGPM

Advanced Group Policy Management console

GPO applying priority mnemonic:




LSDOU

(L)ocal policy is applied first




then (S)ite


(D)omain


(O)rganizational (U)nit policy, parent OU before child OU; the last one applied wins on conflict




tip: deploy as few GPOs as possible

When to use Enforced on a GPO link

When you must override an OU admin who has set Block Inheritance, or guarantee that a setting (security baseline) wins over GPOs linked lower in the tree.




(so pretty much never. Enforced changes the order of applying GPOs: the enforced link is applied last and wins.)

Faster GPOs

Asynchronous (background) policy processing: leave "Always wait for the network at computer startup and logon" disabled on clients




(don't wait for the network before letting users log on; caveat: Folder Redirection and Software Installation then need a second logon to take effect)

GPO best practices

-Avoid site-linked GPOs


-Separate users and computers


-Multiple OUs are OK, but avoid deeply nested OUs if possible




(except a disabled or deleted sub-OU for organization)

How to do change management (versioning) and GPO approval?

AGPM

What is loopback processing for GPOs

Applies the user settings of the GPOs linked to the COMPUTER's OU, instead of (or in addition to) the GPOs of the user's own OU

replace mode:


only the user settings from the computer's GPOs apply; the user's own GPO user settings are ignored




merge mode: the user's own GPOs are applied first, then the user settings from the computer's GPOs, so the computer's settings win on conflict




[ie: when a user logs into a shared machine (terminal server or kiosk)]

Powershell GPO backup

Backup-GPO -All -Path c:\backup

What does this command do?




Invoke-Command -ComputerName (Get-Content "c:\servers.txt") -ScriptBlock { Invoke-GPUpdate }

Forces every computer listed in the text file to refresh group policy (needs PowerShell remoting enabled; Invoke-GPUpdate -Computer <name> does the same without Invoke-Command via a remote scheduled task)




You can also right-click an OU and select Group Policy Update in Server 2012

select * from Win32_OperatingSystem where Version like "6.3%" and ProductType = "1"

WMI filter for targeting Windows 8.1 workstations (Version 6.3 = Windows 8.1 / Server 2012 R2, 6.2 = Windows 8 / Server 2012; ProductType 1 = workstation, 2 = domain controller, 3 = member server). Note that Version like "6.2%" and ProductType = "3" would match Windows Server 2012 member servers, not Windows 8.1 clients.




(a GUI tool to create a WMI query is the freeware WMI Explorer 2.0)




WMI filters can be applied to a GPO to limit the GPO's scope; a GPO whose filter returns no instances is skipped on that computer
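An added example (not from the deck) for checking a WMI filter before linking it to a GPO: `Get-CimInstance -Query` evaluates the same WQL the Group Policy client does, so you can see on a test machine which filters would match and which would silently skip the GPO. The filter names are invented for the example; the version prefixes and `ProductType` values are the documented `Win32_OperatingSystem` meanings.

```powershell
# Added example (not from the flashcard deck): evaluate candidate GPO WMI filters locally.
# A filter "matches" when the WQL query returns at least one instance; an empty result
# means the GPO carrying that filter would be skipped on this host.
# Version prefix / ProductType meanings (documented Win32_OperatingSystem values):
#   6.2 = Windows 8 / Server 2012, 6.3 = Windows 8.1 / Server 2012 R2, 10.0 = Windows 10 / Server 2016+
#   ProductType 1 = workstation, 2 = domain controller, 3 = member server
$filters = [ordered]@{
    'Win81-Workstations'  = 'select * from Win32_OperatingSystem where Version like "6.3%" and ProductType = "1"'
    'Srv2012-Members'     = 'select * from Win32_OperatingSystem where Version like "6.2%" and ProductType = "3"'
    'Srv2012R2-DCs'       = 'select * from Win32_OperatingSystem where Version like "6.3%" and ProductType = "2"'
    'Win10-Workstations'  = 'select * from Win32_OperatingSystem where Version like "10.0%" and ProductType = "1"'
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
'Local OS: {0}  Version={1}  ProductType={2}' -f $os.Caption, $os.Version, $os.ProductType

foreach ($name in $filters.Keys) {
    $hit = Get-CimInstance -Query $filters[$name] -ErrorAction SilentlyContinue
    $verdict = if ($hit) { 'MATCH    -> GPO would apply' } else { 'no match -> GPO would be skipped' }
    '{0,-20} {1}' -f $name, $verdict
}

# Once the query is right, attach it to a GPO in GPMC (WMI Filters node > New, then pick it
# on the GPO's Scope tab). Keep filters few: each one is evaluated on every policy refresh.
```

Run it on one machine of each class you intend to target; a filter that matches nothing anywhere is the usual cause of "the GPO is linked but never applies".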

What is the group policy refresh window?

90 minutes + a random offset of 0 to 30 minutes for members


DCs refresh every 5 minutes




Both intervals can be adjusted by policy; processing over a slow link is limited (see slow link detection)

What is the Desktop Optimization Pack for Software Assurance?




(download for MSDN or Intune subscribers)

MBAM - BitLocker Administration and Monitoring


MED-V - Enterprise Desktop Virtualization (App-V and DaRT are in the pack as well)


UE-V - User Experience Virtualization




AGPM - Advanced Group Policy Management: versioning, differences, change control, delete failsafe (recycle bin)




(useful for Producers)

What is the default slow link detection threshold?

500 Kbps




Below it, these client-side extensions skip processing by default:




(scripts, folder redirection, software installation, disk quota; registry and security settings always apply regardless of link speed)




Windows 8.1 and higher caches GPOs locally ("Configure Group Policy Caching"), so synchronous foreground processing can read the cache when a slow link is detected

Modern replacement for Group Policy?

Desired State Configuration (DSC)




accomplishes same goals as GP w/o GP overhead.

AD Object security:




- DACL on every AD object


- "Protect object from accidental deletion" flag

Discretionary Access Control List.




Every AD object: OU, group, user, computer, GPO, has a DACL.




Enable View > Advanced Features in ADUC to see the Security tab


Defines who (which security principals) can do what to the object; the SACL, on the same tab under Auditing, defines what gets audited.

AdminSDHolder

Protects privileged accounts against privilege escalation by ACL tampering (and against being locked out of them by a broken ACL).




- SDProp, run on the PDC emulator every 60 minutes, stamps the DACL of AdminSDHolder onto every member of a protected group (Domain Admins, Enterprise Admins, Administrators, Account/Server/Backup/Print Operators, Schema Admins, Replicator, Domain Controllers), disables inheritance and sets adminCount=1




(not a 413 exam topic)




ADUC > System > AdminSDHolder (CN=AdminSDHolder,CN=System,DC=...)
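The check a practitioner actually wants here, added as an example that is not part of the deck: diff the DACL SDProp copies from AdminSDHolder against every object marked adminCount=1, and flag objects that still carry adminCount but are no longer in any protected group. Extra or missing ACEs on a current member mean someone edited a privileged object's ACL (SDProp will revert it within the hour, but the edit itself is the alert); an "orphaned" adminCount=1 object keeps inheritance disabled forever, so delegated ACLs never reach it. Group names are the default built-in ones; nothing else is assumed.

```powershell
# Added example (not from the flashcard deck): AdminSDHolder / SDProp hygiene check.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell) and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

function Get-DaclSignature {
    # Normalise each explicit ACE to one string so two DACLs can be diffed with Compare-Object.
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
                                     $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType
        } | Sort-Object -Unique
}

$reference = @(Get-DaclSignature -DistinguishedName $holderDN)

# Default protected groups. Enterprise Admins and Schema Admins exist only in the forest root,
# hence -ErrorAction SilentlyContinue. The groups themselves are protected, not just their members.
$protectedGroups = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
                   'Account Operators','Server Operators','Print Operators','Backup Operators',
                   'Replicator','Domain Controllers','Read-only Domain Controllers'
$protectedDNs = foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if ($grp) {
        $grp.DistinguishedName
        Get-ADGroupMember -Identity $grp -Recursive | Select-Object -ExpandProperty DistinguishedName
    }
}

Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
    $current = @(Get-DaclSignature -DistinguishedName $_.DistinguishedName)
    $drift   = @(Compare-Object -ReferenceObject $reference -DifferenceObject $current)
    [pscustomobject]@{
        Object           = $_.DistinguishedName
        InProtectedGroup = $protectedDNs -contains $_.DistinguishedName   # False = orphaned adminCount
        AceDifferences   = $drift.Count                                    # >0 = ACL tampering or stale SD
    }
} | Sort-Object InProtectedGroup, AceDifferences -Descending | Format-Table -AutoSize
```

Rows with `InProtectedGroup = False` are the cleanup list (clear adminCount and re-enable inheritance once you have confirmed the account really is no longer privileged). Rows with `AceDifferences > 0` on a current member deserve an audit-log look at who changed the DACL and why.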

Default authentication protocol used by Active Directory

Kerberos




[Kerberos delegation - lets a service account impersonate an authenticated user to a back-end service (act as the user once authenticated). Prefer constrained delegation to a fixed SPN list, or resource-based constrained delegation; unconstrained delegation lets a compromised service reuse any caller's TGT against anything.]

How to delegate access to an OU in a mixed control environment

Right-click the OU in ADUC


Delegate Control (wizard)

How to set up password reset for the helpdesk







After delegation has been granted (Delegate Control > "Reset user passwords and force password change at next logon")

MMC Taskpads:


Install RSAT tools


mmc /a (author mode)


Add snap-in (ADUC)


Drill down ADUC to the OU


Right-click > New Window from Here


Right-click the root: New Taskpad View


Deploy the saved .msc to helpdesk machines with RSAT tools installed

What is the default protocol for AD replication

RPC over IP (intra-site and inter-site); SMTP is possible for inter-site only, and only for the schema, configuration and GC partitions




replication topologies:


ring, hub and spoke, full mesh, hybrid




(number / direction of connections)

413 question about AD sites info

Look at topology and paths. Calculate costs.




Know that the lowest total cost is the preferred path.




Multi-hop paths add the cost of each hop when calculating the route for AD site replication.

AD replication monitoring tools

CLI:


repadmin /showrepl (inbound status), /showconn (connection objects), /replsummary (forest-wide totals); /syncall forces replication rather than monitoring it


PS Get-ADReplicationFailure


PS Get-ADReplicationPartnerMetadata


PS Get-ADReplicationUpToDateVectorTable




GUI: (Replmon deprecated)


ADREPLSTATUS tool (free download)
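The three cmdlets above combined into one forest-wide health pass, added here as an example that is not part of the deck. It discovers every DC in every domain of the forest, so nothing is hard-coded; it assumes RSAT-AD-PowerShell and rights to query each DC. The 24-hour staleness window is an arbitrary alerting choice, not an AD setting.

```powershell
# Added example (not from the flashcard deck): forest-wide replication health summary.
Import-Module ActiveDirectory

# Enumerate DCs across all domains (Get-ADDomainController -Filter * alone is per-domain).
$dcs = foreach ($dom in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $dom | Select-Object -ExpandProperty HostName
}

# 1. Logged failures per DC: the same data repadmin /showrepl prints as "Last error".
$failures = foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# 2. Per-partner, per-partition link state. A partner whose LastReplicationSuccess is drifting
#    is the early warning; by the time an error is logged the link may have been down for days.
#    Hard ceiling is the tombstone lifetime (180 days by default): past it a DC is unrecoverable.
$staleAfter = (Get-Date).AddHours(-24)
$stale = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -lt $staleAfter -or $_.ConsecutiveReplicationFailures -gt 0 } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

if (-not $failures -and -not $stale) {
    'Replication healthy: no logged failures, every partner synced within 24h'
} else {
    'Logged failures:';        $failures | Format-Table -AutoSize
    'Stale or failing links:'; $stale    | Format-Table -AutoSize
}

# 3. After fixing the cause, force a full sync from one DC and re-run this script
#    (equivalent of: repadmin /syncall <dc> /AdeP).
# Sync-ADObject is for a single object; for whole partitions use repadmin /syncall.
```

Schedule it and keep the output: the `FirstFailureTime` column tells you how long a link has been broken, which matters for deciding whether a DC is still inside tombstone lifetime or has to be demoted and rebuilt.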



Simplest way to identify AD replication problems?

download ADREPLStatus tool




- click refresh replication status


- click errors only

Site link best practices

Set lower-speed links with a higher cost.


Site links should only have two sites per link.


Don't define schedules unless there is a reason.


Diagram the flow.




Large networks?


Think interconnected hub and spokes


or multi hub & spoke for redundancy

What are the FSMO roles?

Schema master


Domain naming master


RID master


PDC emulator


Infrastructure master




You should know what they do by now.

Differentiate between PAS and FAS

Partial Attribute Set - the subset of attributes of every object in the forest that the Global Catalog carries read-only for domains other than its own (marked isMemberOfPartialAttributeSet in the schema). FAS, the Filtered Attribute Set, is the opposite idea: attributes withheld from RODCs.

Linking FSMO and FL (Functional Level features)

ie: Can you do DC cloning with a FL of . . .




view 412 cards for FL features

Why is the Global Catalog important?






GC attribute enabled under Sites > Servers > NTDS Settings: properties

Required for user logon (universal group membership lookup), forest-wide search, UPN resolution




Put a GC on every DC . . except (edge case)




for a multi-domain forest (none of our sites)


don't put the infrastructure master on a GC, unless every DC in the domain is a GC

Who has the FSMOs?

PowerShell: Get-ADForest | Select SchemaMaster, DomainNamingMaster and Get-ADDomain | Select RIDMaster, PDCEmulator, InfrastructureMaster; or GUI: ADUC / AD Sites / AD Domains and Trusts




best w/ CLI:


netdom query fsmo

How to change the schema master?

Register a DLL (regsvr32 schmmgmt.dll), add the Active Directory Schema snap-in in MMC and use Change Operations Master




All other FSMOs are simple to change via GUI (or Move-ADDirectoryServerOperationMasterRole for any role, schema master included, no DLL needed).




I prefer CLI: ntdsutil, then roles > connections > connect to server <newholder> > quit > transfer schema master (seize only if the old holder is gone for good)


/? will walk you through it

Show me a worthless PS script to display the replicated parts of the PAS

Get-ADObject -SearchBase "CN=Schema,CN=Configuration,DC=Company,DC=pri" -LDAPFilter "(isMemberOfPartialAttributeSet=TRUE)" -Properties ldapDisplayName | Select-Object ldapDisplayName




effing beautiful how easy it is to query by attribute

What FSMO roles are critical to AD Forest scope?

Forest Scope:


Schema Master


Domain naming master




(put on one DC in forest root and secure)

What FSMO roles are critical to AD domain scope?

Infrastructure master - cross-domain object references (phantom cleanup)




RID Master - hands out new pools of relative IDs to DCs




PDC emulator - processes password changes and urgent replication (lockouts), authoritative time source, domain master browser, default target for GPO editing




(put RID & PDC on a single DC)
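An added example (not from the deck) tying the "who has the FSMOs" card to the placement rules on the two cards above: it reports every role holder per domain and warns when RID master and PDC emulator are split, or when the infrastructure master sits on a GC in a multi-domain forest where not every DC is a GC. Only the standard ActiveDirectory module is assumed.

```powershell
# Added example (not from the flashcard deck): FSMO inventory plus placement-rule check.
Import-Module ActiveDirectory

$forest = Get-ADForest
'Forest-wide: SchemaMaster={0}  DomainNamingMaster={1}' -f $forest.SchemaMaster, $forest.DomainNamingMaster
$multiDomain = @($forest.Domains).Count -gt 1

foreach ($domName in $forest.Domains) {
    $dom = Get-ADDomain -Identity $domName
    $dcs = @(Get-ADDomainController -Filter * -Server $domName)
    $gcs = @($dcs | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty HostName)

    '{0}: RID={1}  PDC={2}  IM={3}  ({4}/{5} DCs are GCs)' -f $dom.DNSRoot, $dom.RIDMaster,
        $dom.PDCEmulator, $dom.InfrastructureMaster, $gcs.Count, $dcs.Count

    # Rule 1 (domain scope card): keep RID master and PDC emulator together.
    if ($dom.RIDMaster -ne $dom.PDCEmulator) {
        '  WARN RID master and PDC emulator are on different DCs; cards recommend one DC'
        '       fix: Move-ADDirectoryServerOperationMasterRole -Identity {0} -OperationMasterRole RIDMaster' -f $dom.PDCEmulator
    }

    # Rule 2 (global catalog card): in a multi-domain forest the infrastructure master must not be
    # a GC unless every DC is a GC, otherwise phantom (cross-domain reference) cleanup never runs.
    $allGc = $gcs.Count -eq $dcs.Count
    if ($multiDomain -and -not $allGc -and ($gcs -contains $dom.InfrastructureMaster)) {
        '  WARN Infrastructure master {0} is a GC and not all DCs are GCs' -f $dom.InfrastructureMaster
        $nonGc = $dcs | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -First 1 -ExpandProperty HostName
        '       fix: Move-ADDirectoryServerOperationMasterRole -Identity {0} -OperationMasterRole InfrastructureMaster' -f $nonGc
    }
}

# Transfer (graceful) vs seize: add -Force to Move-ADDirectoryServerOperationMasterRole only when
# the current holder is permanently gone; a seized role must never come back online.
```

The schema and domain naming masters are forest-scoped, so they print once; the forest-root advice from the card (one hardened DC, holding both) is a judgement call the script leaves to you.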

What problem does DC cloning solve?

USN rollback when a virtualized DC is restored from a snapshot (the DC reuses update sequence numbers its partners have already seen and quietly stops replicating)




solution: VM-Generation-ID attribute, which the hypervisor changes on snapshot restore or clone so the DC notices and resets its invocation ID


(works in Hyper-V & vSphere if you follow the steps)




Also enables rapid deployment: duplicate a functioning virtual DC instead of building and promoting a new one.




(AD prep)

DC Cloning requirements?

- Source DC must run Server 2012 or later on a hypervisor that exposes VM-Generation-ID


- Forest functional level 2003 or higher


- AD schema version must be 2012 (version 56) or later


- PDC emulator FSMO holder must run 2012 or later (the clone contacts it to get its new account)


- Add the source DC to the "Cloneable Domain Controllers" AD group


- Check Get-ADDCCloningExcludedApplicationList, then create DCCloneConfig.xml with New-ADDCCloneConfigFile (in %systemroot%\NTDS)


On first boot the copied VM finds the XML, sees a new VM-Generation-ID and promotes itself as a fresh DC (this is not sysprep)
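The PowerShell side of that checklist, added as an example that is not part of the deck and meant to run on the source virtual DC. The clone name, IP addresses and site name are illustrative assumptions; the cmdlets are the real ones from the ActiveDirectory module.

```powershell
# Added example (not from the flashcard deck): prepare a virtual DC for cloning.
# Run on the SOURCE DC. Clone name, addresses and site are assumptions for illustration.
Import-Module ActiveDirectory

# 1. The clone inherits the source's group membership, so the source must be in the group.
#    Wait for this change to replicate to the PDC emulator before shutting down.
$source    = Get-ADComputer -Identity $env:COMPUTERNAME
$cloneable = @(Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
               Select-Object -ExpandProperty DistinguishedName)
if ($cloneable -notcontains $source.DistinguishedName) {
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $source
}

# 2. The PDC emulator issues the clone's new computer account, so it must be 2012 or later.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
'PDC emulator {0} runs {1}' -f $pdc.HostName, $pdc.OperatingSystem

# 3. Installed software that is not on the clone allow-list blocks cloning until it is removed
#    or explicitly excluded (-GenerateXml writes CustomDCCloneAllowList.xml for that).
$blocking = Get-ADDCCloningExcludedApplicationList
if ($blocking) {
    $blocking | Format-Table -AutoSize
    throw 'Review the excluded applications above (remove them or generate the allow-list) before cloning'
}

# 4. Write DCCloneConfig.xml to %systemroot%\NTDS. The cmdlet re-runs the prerequisite checks.
#    Static addressing is used so the clone never comes up with the source's IP.
New-ADDCCloneConfigFile -Static `
    -CloneComputerName  'DC03' `
    -SiteName           'Default-First-Site-Name' `
    -IPv4Address        '10.0.0.13' `
    -IPv4SubnetMask     '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver    '10.0.0.11'

# 5. Shut the source down, copy or export its disk, import it as a NEW VM (this is what gives
#    it a fresh VM-Generation-ID), then start the copy. Never snapshot and start both copies;
#    a duplicate with the same generation ID is exactly the USN-rollback case cloning exists to avoid.
Stop-Computer -Force
```

If the clone boots into Directory Services Restore Mode instead of promoting itself, the usual causes are a missing or malformed DCCloneConfig.xml or a PDC emulator it could not reach; the clone's Directory Services event log names which.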

What scenario do you recommend a RODC

When a branch office has no local IT staff, few users, slow or unreliable WAN links, and limited physical security.

What does RODC offer

Enhanced security. - no duh


Read-only copy of all partitions, DNS and SYSVOL


credential caching only for allowed accounts, FAS, ARS




make it Server Core with Features on Demand (FOD)


and BitLocker

What are FAS and ARS?

FAS - Filtered Attribute Set (attributes, such as secrets, never replicated to an RODC)


ARS - Administrative Role Separation (a local admin for the RODC without any domain rights)




security features

How to set up an RODC with pre-created credentials?

ADUC


Right-click Domain Controllers


"Pre-create Read-only Domain Controller account..." (sets the password replication policy and delegates the local admin who will promote it)




Do this BEFORE the server is promoted


Install AD DS on the server (it does not need to be domain-joined)


When promoting, select "Use existing RODC account"

Know the two RODC password replication groups for password caching

Denied RODC Password Replication Group (holds the privileged groups by default; Deny wins over Allow)


(deny does not prevent logon, the request is forwarded to a writable DC; it just prevents caching of the credentials on the RODC)




Allowed RODC Password Replication Group (empty by default; add the branch users and computers)

deduplication volume requirements

No system or boot volume




MBR / GPT both OK, but the file system must be NTFS (no ReFS before Server 2019)




no de-duping CSV (clustered shared volume)




Remotely mapped not supported

When to use failover clustering vs network load balancing

Failover clustering is for stateful applications (databases, file servers, Hyper-V): a clustered role runs on one node at a time and fails over with its shared storage.




NLB spreads client connections across all nodes for stateless services (web front ends). NLB is easier to set up but does not preserve session state; the application has to handle that itself.

What tools to migrate a domain?

ADMT (Active Directory Migration Tool) to move AD objects (users, groups, computers, optionally with SID history)




GPMC to migrate GPOs

I need to track / audit IP address leases

IPAM.




Note:


Server 2012 required for IPAM


cannot be installed on a domain controller; installing it on a DHCP server is allowed but disables DHCP server discovery

Sync-ADObject

replicate objects between DCs.


(restore from recycle and then sync)




Also used to populate passwords in RODC

What is KMS for server deployment

licensing strategy.




Key Management Service




centralized activation of multiple clients with volume activation services

What is VAMT

VAMT 3.0


Volume Activation Management Tool




Generate license reports.

Get-AzurePublishSettingsFile

The Get-AzurePublishSettingsFile cmdlet opens your default browser, signs in to your Windows Azure account, and downloads a .publishsettings file that contains information and a management certificate for your Windows Azure subscription.

The Import-AzurePublishSettingsFile cmdlet imports that .publishsettings file, an XML file with an encoded certificate that provides management credentials for the Windows Azure account. Treat it like a private key: anyone holding the file can manage the subscription, so delete it once imported.

Set-AzureStorageAccount


The Set-AzureStorageAccount cmdlet updates the properties of an Azure storage account in the current subscription.

ODX (Windows Offloaded Data Transfer)





ODX functionality in Windows maximizes an enterprise's investment in intelligent storage arrays by enabling the arrays to directly transfer data within or between compatible storage devices, bypassing the host computer.

Unregister-DnsServerDirectoryPartition


cmdlet deregisters a Domain Name System (DNS) server from a specified DNS application directory partition.

BranchCache is designed to reduce WAN link utilization and improve application responsiveness for branch office workers who access content from servers in remote locations. Branch office client computers use a locally maintained cache of data to reduce traffic over a WAN link.

The cache can be distributed across client computers (Distributed Cache mode) or can be housed on a server in the branch (Hosted Cache mode).

Implement Network Access Protection (NAP).

Ensure that NAP with IPSec enforcement can be configured.

Health Registration Authority

HRA is a component of a Network Access Protection (NAP) infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are compliant with network health requirements.

SCVMM

System Center Virtual Machine Manager

Rendom

Rendom.exe is a command-line tool that is used to rename Active Directory domains.

Netdom

Netdom makes it possible for administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from a command prompt.

redirusr

Redirects the default container for newly created users to a specified target OU so that newly created user objects are created in the specific target OU instead of in CN=Users.

repadmin

Makes it possible for administrators to diagnose Active Directory replication problems between domain controllers running Windows operating systems.

SPN

Service Principal Names

setspn

Makes it possible for administrators to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account.

ldifde

Creates, modifies, and deletes directory objects on computers running Windows Server 2003 or Windows XP Professional operating systems.

adprep

Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.

Get-ADAuthenticationPolicy

Gets one or more Active Directory Domain Services authentication policies (Server 2012 R2 and later; used with authentication policy silos and Protected Users to restrict where privileged accounts may authenticate)

FAS

filtered attribute set

searchFlags

Schema attribute bit field: bit 0x200 (RO) adds the attribute to the RODC filtered attribute set; bit 0x80 (CF) marks the attribute as confidential data, readable only by principals granted CONTROL_ACCESS on it.

K C C

The Knowledge Consistency Checker

What does K C C do?

The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker creates these connection objects automatically on each domain controller.

Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite.

Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that transports PPP traffic through an SSL/TLS channel on TCP 443 (SSL 3.0 in the original design; disable SSL 3.0 and require TLS on today's servers).

DNS cache locking property

Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, then the DNS server will not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percent value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL.

NAT (Network address translation)

Network address translation (NAT) allows you to share a connection to the public Internet through a single interface with a single public IP address. The computers on the private network use private, non-routable addresses. NAT maps the private addresses to the public address.

WDS (Windows Deployment Services) using multicasting

Consider implementing multicasting if your organization: has network routers that support multicasting; is a large company that requires many concurrent client installations; wants to use network bandwidth efficiently. With this feature, images are sent over the network only once, and you can specify limitations.

Sync-ADObject

The Sync-ADObject cmdlet replicates a single object between any two domain controllers that have partitions in common. The two domain controllers do not need to be direct replication partners. It can also be used to populate passwords in a read-only domain controller (RODC) cache.

IPAM

IPAM includes components for automatic IP address infrastructure discovery: IPAM discovers domain controllers, DHCP servers, and DNS servers in the domains you choose.

IPAM also enables IP address tracking using DHCP lease events and user logon events collected from Network Policy Server (NPS), domain controllers, and DHCP servers.

Tracking is available by IP address, client ID, host name, or user name. Monitoring and management of DHCP and DNS services: IPAM enables automated service availability monitoring for Microsoft DHCP and DNS servers across the forest.

Network Load Balancing (NLB)

The Network Load Balancing feature distributes traffic across several servers by using the TCP/IP networking protocol. By combining two or more computers that are running applications into a single virtual cluster, NLB provides reliability and performance for web servers and other mission-critical servers.

Implement RADIUS authentication for VPN connections: modify the authentication provider on the RRAS server from Windows Authentication to RADIUS Authentication.




The web application must use Integrated Windows Authentication. Users' credentials must be passed from the web application to the SQL Server (the Kerberos delegation scenario from the earlier card).

The Data Deduplication feature doesn't do everything in this version. It is only available in certain Windows Server 2012 editions and has some limitations. Deduplication was built for NTFS data volumes; it does not support boot or system drives and cannot be used with Cluster Shared Volumes (CSV).

We don't support deduplicating live VMs or running SQL databases.

Microsoft Desktop Optimization Pack (MDOP)

The Microsoft Desktop Optimization Pack for Software Assurance further extends this value by reducing application deployment costs, enabling delivery of applications as services, and allowing for better management and control of enterprise desktop environments.

Together these technologies deliver a highly cost-effective and flexible Windows desktop management solution.

The Microsoft Desktop Optimization Pack (MDOP) for Software Assurance is an add-on subscription license. It uses innovative technologies to help reduce the total cost of ownership of the Windows desktop by accelerating operating system and application management and enhancing IT responsiveness and end-user uptime.