Microsoft Windows Server 2016: Identity - MCSA 740-742

  1. The local domain is trusted while the remote domain is trusting. Which type of trust relationship is this?
    A.
  2. Which group type can contain members from the local domain or forest and from any other forest?
    A.
  3. Which port is required to open for SMB to work?
    445 TCP
  4. What is the command syntax to create an IFM to set up a remote DC?
    • C:\> ntdsutil
    • ntdsutil: activate instance ntds
    • ntdsutil: ifm
    • ifm: create full c:\ifmfolder
  5. What are the steps for creating an RODC?
    • 1. Right-click the Domain Controllers container
    • 2. Select Pre-stage RODC
  6. What is the Windows PowerShell cmdlet to install a Domain Controller from IFM?
    Install-ADDSDomainController -DomainName 'domain.com' -InstallationMediaPath 'C:\ifm' -ReplicationSourceDC 'DC.domain.com' -Credential (Get-Credential) -SafeModeAdministratorPassword (ConvertTo-SecureString 'Password' -AsPlainText -Force) -Force
  7. How do you change the Schema Master FSMO role to DC2?
    • 1. Open a command prompt
    • 2. Run the command regsvr32 schmmgmt.dll
    • 3. Run MMC
    • 4. Go to File --> Add/Remove Snap-in
    • 5. Select Active Directory Schema
  8. What Windows command can be used to get the list of FSMO role assignments?
    netdom query fsmo
  9. What are the steps to set up a DC clone?
    • 1. Add the DC to the AD group "Cloneable Domain Controllers"
    • 2. Generate the excluded application list using the command Get-ADDCCloningExcludedApplicationList -GenerateXml
    • 3. Generate the DC cloning XML file using New-ADDCCloningConfigFile
    • 4. Shut down the VM
    • 5. Export it and import it as a copied VM with a new SID.
  10. What is the Windows PowerShell cmdlet used to transfer and seize FSMO roles from a DC?
    • Transfer roles:
    • Move-ADDirectoryServerOperationMasterRole -Identity [targetDC] -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
    • Seize roles:
    • The same command with the -Force parameter
  11. What is the PS command to get the FSMO roles assignments?
    • Get-ADForest | Select SchemaMaster, DomainNamingMaster
    • Get-ADDomain | Select PDCEmulator, InfrastructureMaster, RIDMaster
  12. What is the utility command to transfer or seize FSMO roles?
    • ntdsutil
    • roles
    • connections
    • connect to server [targetDC]
    • quit
    • transfer [role]
    • or
    • seize [role]
  13. Which DOS (command-line) command can be used to view assigned FSMO roles?
    netdom query fsmo
  14. What utility is used to view or change the Global Catalog role of a DC?
    Active Directory Sites and Services
  15. What is the PowerShell command to get the global catalogs?
    Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
  16. What is the GPO processing order?
    LSDOU - Local, Site, Domain, OU
  17. What are the filtering methods for GPO?
    • Security filter
    • WMI Filter
  18. To which objects can the security filter for a GPO be applied?
    • Users
    • Groups
    • Computers
  19. Which of the following built-in service accounts has maximum local access and authenticates with AD DS using the machine account?
    Local System
  20. Which of the following built-in service accounts has minimum local access and authenticates with AD DS using the machine account?
    Network service
  21. Which of the following built-in service accounts has maximum local access and authenticates with AD DS using the anonymous account?
    Local service
  22. What password settings are configured for a service account?
    • 1. Password never expires
    • 2. User cannot change password
  23. What is the benefit of using a Managed Service Account over a normal service account?
    • A Managed Service Account's password is managed by the computer in AD, whereas a normal service account's password is set once and is vulnerable to a security breach.
    • It cannot be locked out.
    • It cannot be used for interactive logons.
  24. In what version of Windows were Managed Service Accounts introduced?
    Windows Server 2008 R2
  25. What are the password recycling settings for a Standard Managed Service Account?
    • 1. Changed every 30 days
    • 2. It is 120 characters long (240 bytes)
  26. What are the commands to create a Standard Managed Service Account?
    • New-ADServiceAccount -Name [ServiceAccountName] -RestrictToSingleComputer
    • Add-ADComputerServiceAccount -Identity [ComputerName] -ServiceAccount [ServiceAccountName]
    • Run on the computer that hosts the service:
    • Install-ADServiceAccount -Identity [ServiceAccountName]
  27. What is the format for configuring standard managed service accounts on a local computer?
    • Domain\ServiceAccount$
    • Leave the password blank
  28. What is required by a gMSA that is not required by an sMSA?
    • a KDS root key
    • KDS - Key Distribution Service
  29. What are the steps for creating a gMSA?
    • Add-KdsRootKey -EffectiveImmediately
    • New-ADServiceAccount -Name [gMSA] -DnsHostName [gMSA.domain.com] -PrincipalsAllowedToRetrieveManagedPassword [gMSAGroup] -Enabled $true
    • Install-ADServiceAccount -Identity [gMSA]
    • Configure the service to run as the gMSA, with a trailing $ sign
  30. What is the format for a locally managed service account?
    NT Service\ServiceName$

    Note: This is also called a virtual service account.
  31. What are the primary features of a virtual service account?
    • No password management required
    • Accesses the domain as the computer account
    • Is a specially named account
  32. What is the term for allowing one application or service to delegate authentication to another service?
    Kerberos Delegation (KD)
  33. What is the term for allowing one application or service to delegate authentication to a specific service?
    KCD (Kerberos Constrained Delegation)
  34. What will you use to uniquely identify a service instance on the domain?
    Service Principal Name (SPN)
  35. What is the command to list all the SPNs for an object?
    setspn -l <accountname>
  36. What is the syntax to delete a SPN for an object?
    setspn -d <SPN> <accountname>
  37. What is the command syntax to add a SPN for an object?
    setspn -s <SPN> <accountname>
  38. What is the naming convention for the SPN?
    <service class>/<host>:<port>/<service name>
  39. What is the command syntax to search for duplicate SPNs?
    setspn -X
  40. What is the command syntax to query an LDAP service for DC srv5?
    setspn -q ldap/srv5
  41. What is the naming format of the SPN for a host-based service?
    • <service class>/<host>
    • or
    • <service class>/<host>:<port>
  42. What is the naming format of the SPN for a replicable service?
    <service class>/<host>:<port>/<service name>
  43. What are the PowerShell cmdlets to create a FGPP?
    • New-ADFineGrainedPasswordPolicy -Name <NameOfPolicy> -Precedence <Precedence>
    • Add-ADFineGrainedPasswordPolicySubject -Identity <NameOfPolicy> -Subjects <GroupAppliedTo>
  44. What is the default domain password policy?
    • 24 passwords remembered
    • 42 days maximum age
    • 1 day minimum age
    • minimum length of 7 characters
    • password complexity enabled
  45. Which tool is used to host a snapshot as an LDAP server instance?
    dsamain -dbpath (path) -ldapport (port#)
  46. Which tool is used to create a snapshot of Active Directory?
    Ntdsutil snapshot
  47. What are the ntdsutil commands to create and mount an AD snapshot?
    • ntdsutil
    • activate instance ntds
    • snapshot
    • create
    • list all
    • mount %s
    • quit
    • quit
  48. What is the sequence of ntdsutil commands used to perform DC metadata cleanup?
    • ntdsutil
    • activate instance ntds
    • metadata cleanup
    • select operation target
    • list sites
    • select site %d
    • list domains
    • select domain %d
    • list naming contexts
    • select naming context %d
    • list servers for domain in site
    • select server %d
    • quit
    • remove selected server
    • quit
    • quit
  49. Which write requests does an RODC forward to a writable DC, later receiving the update via standard replication from its partners?
    • Password Changes
    • LastLogonTimeStamp
    • SPN updates
  50. Which groups are members of the security group "Denied RODC PRG"?
    • Schema Admins
    • Enterprise Admins
    • Domain Admins
    • Cert Publishers
    • Group Policy Creator Owners
    • Domain Controllers
    • Read-only Domain Controllers
  51. Which command utility can be used to get the replication status in a summary?
    repadmin /replsummary
  52. What is the command to get the DFSR migration state on a DC?
    dfsrmig /getGlobalState
  53. What is the command-line utility to migrate SYSVOL from FRS to DFSR?
    • dfsrmig /setGlobalState 1 (Prepared)
    • dfsrmig /setGlobalState 2 (Migrated)
    • dfsrmig /setGlobalState 3 (Eliminated)
    • dfsrmig /getMigrationState
  54. Command-line utility to reveal PRP cached password on the RODC?
    repadmin /prp view <RODC> reveal
  55. Command-line utility to reveal PRP deny list on RODC
    repadmin /prp view <RODC> deny
  56. Command-line utility to reveal PRP allowed list on RODC?
    repadmin /prp view <RODC> allow
  57. Command-line utility to reveal the list of service principals authenticated by the RODC?
    repadmin /prp view <RODC> auth2
  58. What additional option is shown when you select advanced mode during the pre-create RODC account creation?
    The option to modify the Password Replication Policy (PRP) settings.
  59. Where do you add an alternate UPN for the forest?
    Active Directory Domains and Trusts
  60. What type of trust is it if the local domain is trusted and the remote domain is also trusted?
    Two-way trust
  61. What type of trust is it if the local domain is trusting and the remote domain is trusted?
    one-way incoming
  62. In a domain trust relationship, which domain hosts the resources and which domain hosts the user accounts?
    • the trusted domain - hosts the user accounts or security principals
    • the trusting domain - hosts the resources
  63. What are the two types of authentication available for Forest trusts?
    • Forest-wide authentication
    • Selective authorization
  64. True/False: A forest trust relationship is always transitive.
    True
  65. True/False: An external trust relationship is transitive.
    False
  66. Which trust is suitable between an AD DS domain and a non-Windows environment?
    A.
  67. Shortcut trust
    • Domains exist in the same forest or domain tree
    • Authenticates directly between the domains
  68. External trust
    • It is non-transitive
    • Exists between two forests
    • It can be unidirectional or bidirectional
    • A functional level of Windows 2003 or higher is not required
  69. Realm trust
    • It can exist between an AD DS domain and a non-Windows Kerberos realm
    • The Kerberos realm can be in a Linux or Apple environment
    • It can be transitive or non-transitive
  70. What is the command to disable SID filtering?
    netdom trust <trusting domain> /domain:<trusted domain> /EnableSIDHistory:Yes
  71. What is the command to re-enable SID filtering?
    netdom trust <trusting domain> /domain:<trusted domain> /EnableSIDHistory:No
  72. How do you create the IFM media file for a FULL DC?
    • ntdsutil
    • activate instance ntds
    • ifm
    • create full %s
  73. What is the command to join a client computer to the domain offline after provision?
    djoin /requestodj /loadfile c:\filename /windowspath %systemroot%
  74. What is the command to provision a computer CLIENT to join the domain test.com offline?
    djoin /provision /domain test.com /machine CLIENT /savefile c:\filename
  75. What is the port used in DNS SRV for Global Catalog?
    3268
  76. What is the port used for Kerberos in DNS SRV?
    88
Author: wiztech
ID: 346178
Card Set: Microsoft Windows Server 2016: Identity - MCSA 740-742
Description: Microsoft Windows Server 2016: Identity - MCSA 740-742. This exam is about Active Directory, AD FS, AD CS.