121 Cards in this Set
- Front
- Back
build a new forest credentials required |
Must be local admin on first DC |
|
build a new domain tree or child domain credentials required |
Must be Enterprise Admin |
|
Add additional DCs credentials required |
Must be a Domain Admin |
|
Upgrade process for domain/forest functional level |
1. Get healthy: check DCs, sites, replication
2. Extend the schema (add columns to the AD DB)
3. Upgrade DCs to the new OS
4. Relocate FSMO roles as necessary
5. Raise the functional level |
|
Check AD Health |
- Ensure registration of active DNS records
- Functioning replication between DCs
- Sites / services appropriately configured |
|
Extend the schema tool and order of operation |
ADPrep.exe (old way); must run in order:
1: /ForestPrep (by an Enterprise Admin)
2: /DomainPrep (in each domain)
3 (optional): /DomainPrep /GPPrep
4 (optional): /RodcPrep |
|
Windows 2008 Domain function level additions |
- DFS Replication (FRS deprecated in 2012 R2)
- DFS Namespaces
- AES for Kerberos
- Last interactive logon info
- Fine-grained password policies (PSOs)
- Personal virtual desktops |
|
Windows 2008 R2 Domain function level additions |
- Authentication mechanism assurance (smart card or credential type in the Kerberos token sent to apps)
- SPNs for managed service accounts |
|
Windows 2012 Domain function level additions |
Kerberos authentication enhancements |
|
Windows 2012 R2 Domain function level additions |
DC authentication protection; Authentication Policies / policy silos |
|
Windows 2008 Forest function level additions |
no new additions |
|
Windows 2008 R2 Forest function level additions |
AD recycle bins |
|
Windows 2012 / Windows 2012 R2 Forest function level additions |
no new additions |
|
User Principal Name (UPN) suffixes |
Control how users authenticate with the domain: Dan@company.pri vs Dan@company.com (example: connected to O365 through ADFS to support internal/external namespaces). Configure in AD Domains and Trusts > domain properties, then adjust each AD user account's properties. |
|
Trusting vs Trusted |
Trusting domain contains the resources to access. Trusted domain contains the security principals (users / computers). Mnemonic: "Ing" --> "Ed" (from the trusting to the trusted). |
|
Trust Directions |
- One way
- Bi-directional: 2 one-way trusts
- Transitive: A=B=C equates to A=C |
|
Trust Types |
- External: a domain in one forest trusts a domain in a different forest
- Shortcut: between 2 domains in the same forest (speeds authentication between far-reaching branches)
- Forest: trust between 2 forests at the root domain; always transitive; configurable authentication (most common; example: company merger)
- Realm: trust to a non-AD Kerberos realm (e.g. Linux) |
|
Name resolution mechanisms |
Consolidated; conditional forwarding. |
|
What needs to be done to each user object if selective authentication is selected for a forest trust? |
Each user object must be granted the proper Allowed to Authenticate security permission. AD Users & Computers (Advanced Features) > properties > Security: Allowed to Authenticate |
|
SIDs |
Mechanism for identifying objects within a domain (unique identifier assigned by AD), e.g. S-1-5-21-994053806-3297582373925-34234335325-24. SIDs may change; GUIDs do not and are globally unique. |
|
security implications with SID |
SID history: an old SID with full access can be associated with a different user. Prevented by SID filtering (enabled by default). To migrate objects with SID history to another forest, SID filtering must be disabled. |
|
netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd
netdom trust TrustingDomain /domain:TrustedDomain /enableSIDhistory:yes /usero:domainadministratorAcct /passwordo:domainadminpwd |
Enable/disable SID filtering. /quarantine is used on an external trust; /enableSIDhistory is used on a forest trust. |
|
Why to create AD Sites? |
To control AD replication: getting content from one geographic location to another. Sites must be tied to a subnet. Must have a DC in each site. |
|
Migrate AD SYSVOL from FRS to DFS-R |
1. Get healthy
2. Migrate to the Prepared state
3. Migrate to the Redirected state
4. Migrate to the Eliminated state (removes old FRS) |
|
dfsrmig /GetGlobalState /GetMigrationState |
/GetGlobalState: gets the current global state of the SYSVOL migration from FRS to DFSR (Eliminated = fully migrated). /GetMigrationState: progress of the domain controllers reaching the new state (must wait until all have reached it). |
|
What should you never do to a RODC? |
Log in as a Domain Admin or Enterprise Admin (the credentials would be cached; always treat RODCs as if they could be compromised). Instead, configure a delegated RODC admin: designate access with AD Users & Computers > DC > Properties > Managed By, or via NTDSUtil > Local Roles. |
|
Find out if stolen RODC would compromise security: view the passwords cached on an RODC |
AD Users & Computers > RODC > Properties > Password Replication Policy > Advanced, or command line: repadmin /prp view DC1 reveal |
|
repadmin /kcc |
Initiates the Knowledge Consistency Checker to recalculate the replication topology and find the best replication partners (runs automatically every 15 minutes). |
|
repadmin /showrepl |
Shows issues with AD replication on a particular DC. |
|
DFSDiag /TestDCs |
Find replication issues with Domain Controllers. |
|
Test to determine if communication with a DC is working |
nltest /dsgetdc:company.pri (locates a DC); nltest /sc_query:company.pri (determines if a secure channel to a DC exists) |
|
Turn on AD change notification for instant DC replication |
|
|
Which DfsrMig parameter is used to advance a SYSVOL migration to a new state? /SetGlobalState /SetMigrationState |
/SetGlobalState |
|
A ______ domain can be in a non-contiguous namespace from its parent domain. Root, Child, External, Trust |
Child |
|
SID filtering is enabled by default. T/F |
True |
|
A Domain Controller ______ exist in _______ site(s). must/must not 1 or many |
A Domain Controller must exist in exactly one site. |
|
How to set up a DHCP split scope for failover |
Set a DHCP offer delay on the failover DHCP server. (DHCP failover is far superior to split scope.) |
|
Does DNSSec (Domain Name System Security Extensions) require certificates? |
No. It hashes the server response to confirm the sender. |
|
DNS recognized ports |
TCP 53 / UDP 53 |
|
dnscmd /config /socketpoolsize 2500
dnscmd /info /socketpoolsize |
Randomized client-side socket pooling is enabled by default (pool size 2500). The /config command changes the random pool size for enhanced security; /info displays the current setting. |
|
Cache locking |
Prevents cached records from being overwritten for 100% of their TTL (configured by default). Defends against the Kaminsky DNS cache-poisoning vulnerability. |
|
Can you delegate DNS tasks on a DNS server to user objects? |
Only on an AD-integrated zone |
|
When should you disable DNS recursion? |
Disable recursion on DNS servers in the DMZ that serve outside requests (e.g. ExternalDNS.company.pri). Protects against DoS attacks. |
|
How to ensure users connect to the local WSUS server when WSUS is load balanced |
DNS netmask ordering (enabled by default) |
|
How to enable short name lookups in DNS to replace WINS |
GlobalNames zone (enabled by creating a new primary zone named "GlobalNames"). Seed it with host short names. On all DNS servers enable GlobalNames support: dnscmd <server> /config /enableglobalnamessupport 1 |
|
Downloadable Microsoft command-line tool for DNS record lookup and statistics, with output to HTML |
DNSLint (pluralsight.com). Example: DNSLint /ad /s 192.168.0.200 |
|
Invoke-IpamGpoProvisioning -Domain company.pri -GpoPrefixName IPAMGPO -IpamServerFqdn file1.company.pri |
Creates the GPOs for AD-integrated IPAM provisioning (settings for DHCP, DNS, and NPS access). |
|
DNS netmask ordering requires participating hosts to have __________. the same or different hostnames |
the same hostname |
|
DNSSEC's client-side configuration can be configured in Group Policy's _______ node. |
Name Resolution Policy |
|
The Provision IPAM wizard itself creates how many GPOs in Active Directory |
Zero; they must be created with the Invoke-IpamGpoProvisioning PowerShell cmdlet. |
|
Scope options are managed on ______ and not on _______. individual scopes superscopes |
individual scopes; superscopes |
|
Set-FileStorageTier / Clear-FileStorageTier |
Pin and unpin specific files to an SSD tier with PowerShell. |
|
Optimize-Volume -DriveLetter E -ReTrim |
TRIM is enabled by default so that blocks of deleted files are automatically released from the volume. It can consume resources and can be disabled with a registry setting. This cmdlet invokes TRIM on the volume immediately instead of waiting. |
|
Target vs initiator |
Target: where the storage is. Initiator: who needs the storage. (Begin with the initiator.) |
|
Set-WmiInstance -Namespace root\wmi -Class WT_iSNSServer -Arguments @{ServerName="File1"} |
Registers the iSCSI Target Server with an iSNS server so that the target is displayed as well, not just the registered initiators. |
|
Configure Windows Features on Demand |
Create a feature file store so the feature source does not need to be installed on each Windows instance. |
|
BranchCache client requirements |
Windows 7 Enterprise or any version of Windows 8 and greater. Can cache and locally share file server content, Windows updates, web server content, etc. |
|
Hosted mode vs distributed BranchCache mode |
Hosted: the cache is stored on a local server, not on client computers.
Distributed: the cache is shared securely among clients. |
|
GP: Computer > Administrative Templates > Network > Lanman Server > Hash Publication for BranchCache
GP: Computer > Administrative Templates > Network > BranchCache |
Lanman Server setting (coupled with a configured share): enables BranchCache on file servers. BranchCache node: GP settings that configure the clients. |
|
Enable-BCHostedServer
Publish-BCFileContent
Export-BCCachePackage |
Enable-BCHostedServer: turns on BranchCache on the hosted cache server.
Publish-BCFileContent: stages files for the hosted cache server.
Export-BCCachePackage: transfers the content to the hosted cache server. |
|
certutil -setreg ca\RoleSeparationEnabled 1 |
Enables administrative role separation on a Certification Authority (for very high security environments only; do not enable without full knowledge of the consequences). |
|
Old certutil backup/restore switches: -backup -backupDB -backupKey -restore -restoreDB -restoreKey |
-backup (back up AD CS)
-backupDB (back up the AD CS DB)
-backupKey (back up the certificates and private key)
-restore (restore AD CS)
-restoreDB (restore the AD CS DB)
-restoreKey (restore the certificates and private key) |
|
certutil -GetKey / -RecoverKey |
-GetKey: searches for an archived key (retrieves the key recovery blob for a certificate). -RecoverKey: recovers the key from the recovery blob into a .pfx file. |
|
Powershell alternate backup to certutil |
Backup-CARoleService |
|
Set-AuthenticodeSignature |
PowerShell: sign a file with a certificate. |
|
What CA template to use for file signing? |
Code Signing template |
|
Enhanced Key Usage (EKU) is now called what? |
Application policy: how a certificate can be used (e.g. digital rights, BitLocker, document signing). Found under the certificate template's Extensions tab. |
|
What certificate template property defines who will use the certificate? |
Subject Name (e.g. User Principal Name (UPN), Service Principal Name (SPN), email name, DNS name, user-defined) |
|
What is the only certificate revocation reason that can be reversed (unrevoked)? |
Certificate Hold (afterwards, publish the CRL so the change takes effect) |
|
EFS certificate: how to ensure the ability to recover |
Certificate template > Request Handling: check "Archive subject's encryption private key" |
|
User or Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment: Enabled (renew expired certificates; update certificates that use templates) |
Configure auto-enrollment via Group Policy for user or computer certificates, or manually add certificates to the GPO: Public Key Policies > EFS > Import; Trusted Root Certification Authorities > Import |
|
AD Rights Management Services (RMS) |
Adds additional rights management to file services content such as Office docs, emails, etc. (accomplished by encrypting the files; rights: view, print, save as, forward, etc.) |
|
What is necessary in AD for RMS to function? |
Users must have the email attribute populated to protect and consume content. Groups must also have the email attribute populated. Groups should be universal. (One RMS root cluster per forest.) |
|
Can you change the FQDN URL for RMS? |
No. Tip: use a DNS CNAME so you can change the server if necessary. Tip: use a publicly trusted SSL certificate to transfer RMS content outside the organization. |
|
What should you back up to rebuild an RMS server? |
Configuration DB, Directory Services DB, Logging DB, server certificate, cluster key password, and an export of the trusted publishing domain |
|
What is the use of AD Federation Services (AD FS)? |
To allow users from outside the first domain to access the first domain's resources; accomplished by implementing claims-based authentication, including relying party trusts. |
|
Relying Party vs Claims Provider |
Relying Party: federation server on the resource side. Claims Provider: federation server on the side holding the user objects / credentials. |
|
What is Workplace Join? |
Allows non-domain-joined devices to connect to web-based applications on the domain through the Web Application Proxy (single sign-on by registering the device in AD; the device is trusted but not managed). |
|
Create a service account (gMSA) for AD FS |
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount fsGmsa -DNSHostName adfs1.company.pri -ServicePrincipalNames http/adfs1.company.pri |
|
Step 1: PS: Initialize-ADDeviceRegistration
Step 2: PS: Enable-ADFSDeviceRegistration
Step 3: AD FS console: edit the global authentication policy and enable device authentication |
Set up the Device Registration Service: initializes AD FS for device registration to support Workplace Join (claims-based authentication for registered devices). |
|
Where do authenticated Workplace Join devices show up in Active Directory? |
AD: Users and computers: Registered Devices |
|
Quorum configurations: Node Majority; Node and Disk Majority; Node and File Share Majority; No Majority: Disk Only |
Node Majority - odd number of nodes
Node and Disk Majority - even number of nodes
Node and File Share Majority - special config (similar to Node and Disk Majority, but used for multi-site clusters)
No Majority: Disk Only - not recommended |
|
Network Load Balancing affinity modes: None; Single; Network (Class C) |
None - clients can be served by any host
Single - affinity defined by the full IP address of the client
Network (Class C) - affinity defined by the client's subnet (first 3 octets only)
Affinity will not work if clients are behind inbound NAT. |
|
Add-ClusterGenericApplicationRole |
Configures high availability for an application that was not originally designed to run in a failover cluster (the cluster starts the app and checks whether it is still up). |
|
NLB: Host Priority |
The host with the highest priority (lowest numeric value) is called the default host. Client requests not handled by a port rule go to the default host. |
|
How are failover cluster dependencies used? |
Lets you store server application data or VM(s) on file shares for the cluster, with the reliability, availability, manageability, and performance you would expect from a SAN. All file shares are online on all nodes simultaneously. |
|
Scale-Out File Server for application data: good for file services with few, big files and little metadata activity; bad for file services with many small files and lots of metadata activity |
Preferred owners list: prioritized list of preferred nodes (the preferred node will always be active unless it is down). Possible owners list: list of allowed nodes (cannot fail over to a node that is not on this list). |
|
Scale-Out File Server for Application data |
Good for few, big files such as shared application data or Hyper-V virtual disks; bad for general file shares. |
|
Add-CauClusterRole vs Invoke-CauScan cmdlet |
Add-CauClusterRole - adds the Cluster-Aware Updating self-updating role. Invoke-CauScan - scans the nodes for updates. |
|
Hyper-V failover cluster vs Replication |
Failover (preferred for on-site): requires shared storage; protects against server failure (active-passive for instant-on). Replication: sends changes over the network; protects against site-level failure. |
|
How to start a cluster that does not have quorum (e.g. the recovery site has fewer nodes than the primary) |
Start-ClusterNode $node -FixQuorum, or adjust the node weights so that quorum is achieved. |
|
Constraints for volume data deduplication |
Volumes must be NTFS (no ReFS), not the system drive (C:), and not remote drives. |
|
Dynamic Access Control: access rule with proposed permissions |
Only logs what the rule would have denied (rule violations); great for testing before enforcing. |
|
Change the disk write-back cache size (can only be set at creation time) |
New-VirtualDisk -StoragePoolFriendlyName "" -FriendlyName "" -StorageTiers @($ssd_tier, $hdd_tier) -StorageTierSizes @(5GB, 100GB) -ResiliencySettingName Simple -WriteCacheSize 2GB |
|
iSCSI setup order (target = LUN storage; initiator = accessing client) |
1. Install the iSCSI Target Server role
2. Set up and configure the initiators
3. Configure the iSCSI targets on the Target Server |
|
AGDLP: Account, Global, Domain Local, Permission |
Users and computers (Accounts) are members of Global groups, which are members of Domain Local groups, which are assigned resource permissions or user rights. |
|
DiskShadow.exe |
DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service, e.g. within diskshadow: delete shadows oldest |
|
Azure Backup PowerShell: Start-OBRegistration; Set-OBMachineSetting |
Start-OBRegistration: registers the computer with Azure Online Backup. Set-OBMachineSetting: sets network bandwidth throttling and the encryption passphrase used for decryption. |
|
Online Backup vs Windows Backup: Get-OBPolicy vs Get-WBPolicy |
Perform an Azure Online Backup: Get-OBPolicy | Start-OBBackup. Perform a Windows Backup: Get-WBPolicy | Start-WBBackup |
|
Can you install IPAM on a DC? |
No. IPAM cannot be installed on a domain controller. Also, if IPAM is installed on a DHCP server, DHCP server discovery will be disabled. |
|
Set up GlobalNames |
1. Create a forward lookup zone called "GlobalNames"
2. Enable it by running: DNSCMD ... /enableglobalnamessupport 1, or in PS: Set-DnsServerGlobalNameZone -Enable $true |
|
How do you stage a password onto an RODC? |
repadmin /prp (replicates a password to the RODC) |
|
2-way trust / migrated users issue? |
Disable SID filtering |
|
Third-party browsers can't SSO-authenticate their BYO devices to AD FS? |
Set-AdfsProperties -ExtendedProtectionTokenCheck None (disables Extended Protection, as some browsers do not support it) |
|
Add a CA to Server Core with auto-enrollment |
Install-AdcsCertificationAuthority - installs / configures the CA role service.
Install-AdcsWebEnrollment - installs / configures CA Web Enrollment. |
|
RMS (Rights Management Services) isn't working |
Make sure all users have an email attribute in AD. (For AD RMS to work, all users must have an email attribute to protect and consume content.) |
|
An encrypted Hyper-V Replica certificate must contain what two purposes? |
Enhanced Key Usage must include both Client Authentication and Server Authentication. |
|
For large enterprises, protect the CA by ensuring one role per user. |
Enable Role Separation
certutil -setreg ca\RoleSeparationEnabled 1 |
|
Two things to set up RMS |
Run the RMS installation as an Enterprise Admin; register the SCP (Service Connection Point). |
|
What permissions are needed to allow enrollment of a certificate? |
Read and Enroll |
|
Compromised certificate? |
Revoke the certificate (in the CA console or with certutil -revoke) and publish the CRL (Certificate Revocation List). |
|
How to allow users to decrypt but not have direct access to private keys? |
Grant a user access to the key recovery agent certificate. |
|
Order of operations for central access policies (e.g. SSN policy: when pii = high, allow editing only for Accounting) |
1. Create a central access rule (when pii = high)
2. Create a central access policy (apply the rule)
3. GPO to apply the policy to computers
4. Apply the policy to folders (newly visible Central Policy tab) |
|
Set up DAC (Dynamic Access Control): order of operations |
1. Set up claim types (e.g. location, description)
2. Set up resource properties (properties for files, e.g. confidentiality, pii)
3. Set classifications on files (must also enable Kerberos armoring via GP, i.e. larger encrypted tickets) |
|
How to enable Hyper-V replication |
Always enable it on the destination host first (Hyper-V settings: Replication Configuration), then enable it on the VM on the sending host (VM: Enable Replication). |
|
bcdboot c:\windows /s f: |
Quickly sets up or repairs the boot environment; copies the boot files from C:\Windows to drive F:. |
|
PKISync.ps1 |
PowerShell script that updates PKI objects in Active Directory for cross-forest certificate enrollment. |
|
Add-ADCentralAccessPolicyMember |
Adds central access rules to a central access policy in Active Directory. |
|
Invoke-CauScan |
Checks for Windows updates on the cluster nodes. |
|
heartbeat threshold |
A failover setting that determines how many heartbeats can be missed before the failover node takes control. |
|
repadmin /prp |
repadmin /prp manages the Password Replication Policy, e.g. allowing the delegated local administrator's password to be cached on the RODC. |