deploy and manage identity infrastructure
intro to AD DS
Knowledge Check
1. What scope of group can be assigned permissions anywhere in an AD DS forest and can have members from anywhere in the forest?
universal group scope
Universal groups can be granted permissions anywhere in the forest AND can contain members from anywhere in the forest
2. What type of trust relationship is automatically created between the domains Contoso.com and Seattle.Contoso.com?
a parent and child two-way transitive trust
When you create a child domain in a forest, a two-way transitive trust is established between parent and child automatically
3. Which of the following is a built-in container in an AD DS domain that can home computer accounts?
the Domain Controllers OU
it is an OU but still considered to be a "container". The Domain Controllers OU will contain the first computer in your domain: the DC
manage AD DS domain controllers and FSMO roles
Knowledge Check
1. When deploying the first domain controller in a forest by running the Active Directory Domain
Services Configuration Wizard, which of the following options is configured by default?
Global catalog
The option is selected by default for the first domain controller in a forest.
promoting our first server to DC:
2. What does the global catalog contain?
A copy of all objects and some of their attributes from all domains in an AD DS forest
it contains a 'subset' of attributes that are most likely to be useful in cross-domain searches
3. Which of the following operations master is a forest-level operations master?
domain naming
two levels for Flexible Single Master Ops:
Forest level:
schema master- modifies the schema
domain naming master- add/remove/change name of a domain
domain level:
RID master
infrastructure master- interdomain object references
primary domain controller (PDC) emulator - time source, password changes
implement Group Policy objects
Knowledge Check
1. In Adatum.com, there are two sites: London and Windsor. A single GPO (called London settings) is linked to
London and another (Windsor settings) is linked to Windsor. In addition, there are two GPOs linked to the
Adatum.com domain: The Default Domain GPO (which is Enforced) and a further policy: Adatum Folder Redirection
(which has a link order value of 2). The Sales OU has a linked GPO called Sales Desktop settings.
A user in the Sales department based in Windsor, whose user account and computer account reside in the Sales OU,
is experiencing problems with settings on their computer. An administrator decides to investigate.
The administrator suspects that there are conflicting settings in the various GPOs that apply to the user
and their computer. Which GPO's settings take precedence?
the Default Domain GPO takes precedence because it is enforced. So the answer is NOT the Sales GPO
The user is in Windsor.
A single GPO is linked to the Windsor site
there are TWO GPOs linked to Adatum.com- the Default Domain Policy (enforced) and the 'Adatum Folder Redirection' policy with link order #2
***When you set a GPO link to Enforced, the GPO takes the highest level of precedence.
An enforced link applies to child containers even when those containers are set to Block Inheritance.
The Enforced option causes the policy to apply to all objects within its scope.
2. Which of the following options contains the GPO settings?
the Group Policy container OR the Group Policy template
the Group Policy TEMPLATE contains the group policy settings.
A GPO is a virtual object that is identified by a GUID and stored at the domain level. The policy-setting information for a GPO is stored in GP container and GP template
the CONTAINER (GPC) - is an AD container that holds GPO properties such as version info and GPO status
the TEMPLATE (GPT) - is a file system folder that includes policy data. That data is specified by .adm files, security settings, script files..
The GPT is located in the system volume folder (SysVol) in the domain \policies subfolder
3. The IT department in Adatum is deploying a new version of Microsoft Office in their on-premises environment.
The administrator wants to configure settings with GPOs for Office. What should they do?
download and install new administrative template files, then configure the desired settings in the Administrative Templates node in the appropriate GPO
You must update the .admx AND .adml files together...
Administrative templates are applied in the Group Policy Management Editor. Two kinds of templates-
Computer settings - printer, server
User settings - desktop, shared folders, start menu
considered to be BOTH user and computer- network, control panel, system, windows components, all settings
all of the settings in the Admin Templates node are stored in .ADMX files which are XML‑based and language-neutral.
The .ADML files are language specific and can be applied to the .ADMX files
manage advanced features of AD DS
Knowledge Check 3-19-22
1. What functionality does the transitivity of a two-way forest trust provide?
all domains in both trusted forests trust each other
When creating a trust between forests, you specify the root domain of each forest. Forest trusts are transitive for ALL DOMAINS in each forest, so it is implied that all domains
trust each other when you link forests
2. How should a trust between an ESAE forest and a production forest be configured?
the ESAE forest model uses one-way trust with selective authentication and the production forest trusting the ESAE forest
ESAE= Enhanced Security Admin Environment
aka 'red forest' , 'admin forest' , 'hardened forest'
ESAE accounts can be used in the production forest, but not vice versa.
3. Which of the following tools can be used to monitor and troubleshoot AD DS replication?
dcdiag.exe
dcdiag is available if you have the ADDS server role installed. Syntax calls for path with name of domain controller.
The tool supports several tests that allow you to monitor and troubleshoot replication
implement hybrid identity with Windows Server
Knowledge Check 3-19-22
1. Which of the following statements about Azure AD is true?
it implements the same authentication protocols as on-prem ADDS
it is essentially on-prem ADDS in the cloud
its users and groups are created in a 'flat structure'
Azure AD users and groups are created in a 'flat structure'
there are no OU's or GPO's in Azure AD
2. Contoso IT staff have set up Azure AD Connect and are beginning to synchronize accounts.
Maria in IT finds a new user account in Azure AD that has been created by the Azure AD Connect process.
Which is an example of an account Maria would have found?
Sync_CONTOSO-DC1_c778af008d92@Contoso.com
an account with a prefix 'sync' is created in azure AD as part of the Azure AD Connect setup
3. Which of the following sign-in methods is NOT available for Contoso IT staff to combine with Seamless SSO?
password hash synchronization
AD FS
pass-thru authentication
AD FS = Active Directory Federation Services
ADFS is NOT used with Seamless SSO..
Azure AD Seamless SSO works with password hash sync and pass-through authentication
When Seamless SSO is enabled, users rarely need to type usernames, and never need to type passwords to sign into Azure AD
Pass-through authentication allows you to validate passwords against an on-prem AD DS instance
4. When planning to implement Azure AD DS, which of the following statements are true?
it's possible to extend the schema for the Azure AD DS domain
nested OUs are supported
it is NOT possible to target OUs with built in GPOs
it is NOT possible to target OUs with built in GPOs
additionally you cannot use WMI filters or security-group filtering
5. Which role from the following groups in an Azure AD DS domain can administer DNS on the managed domain,
create and administer custom OUs on the managed domain, and administer computers joined to the managed domain?
AAD DC Administrators
members of the AAD DC Administrators group are granted administrator privileges on the Azure AD DS managed domain
6. Which of the following tasks can Azure AD DS domain administrators perform?
add domain controllers to the managed domain
configure the built-in GPO for the AADC computers and AADDC users containers in the managed domain
configure the built-in GPO for the AADC computers and AADDC users containers in the managed domain
Administrators AKA member of the AAD DC administrators group, can also create and administer custom OUs
on both the managed domain and administer computers joined to the managed domain
deploy and manage Azure IaaS AD domain controllers in Azure
Knowledge Check 3-19-22
1. Contoso want to deploy an LDAP-aware LOB application in Azure. Which of the following deployment models best suits this scenario?
deploy a separate AD forest that's trusted by domains in their on-prem AD forest
deploy AD DS only on an Azure VM
deploy ADDS in an on-prem infrastructure and on an Azure VM
deploy ADDS in an on-prem infrastructure and on an Azure VM
this scenario is common for apps that are LDAP-aware and that support windows-integrated authentication
2. When planning deployment for AD domain controllers in Azure, how can an administrator at Contoso control Active Directory replication?
they must configure sites in AD DS
they must configure AD DS sites so they can control replication traffic between on-prem and Azure domain controllers
3. Which of the following options reduces the amount of egress traffic when deploying AD domain controllers in Azure?
read-only domain controllers
RODCs reduce egress traffic and Azure service fees. Changes to directory objects are not allowed on RODCs; replication of
directory objects from RODCs to other domain controllers doesn't occur
manage windows servers and workloads in a hybrid environment
perform windows server secure administration
Knowledge Check 3-20-22
an administrator wants to increase security by adjusting the default behavior of the UAC elevation prompt for standard users.
Which values in Group Policy would be appropriate?
change the "UAC Behavior of the elevation prompt for standard users" setting to 'Automatically deny elevation requests'
this is the most secure setting for standard user accounts
An administrator creates a custom delegation using the Delegation of Control Wizard. The admin delegates the Sales group
admin rights on computer objects in the Sales OU. The group is granted 'create selected objects in folder' and 'delete
selected objects in folder', plus 'full control' of computer objects. Later, the admin wants to modify the permissions-
what must they do?
review the *security settings* on the Sales OU by enabling 'Advanced Features' in AD Users and Computers, then review the
*advanced security settings*
we need to edit or remove the permissions created by the delegation, and then if necessary rerun the Delegation of Control Wizard
an administrator at Contoso is implementing a jump server configuration to improve security. They decide to virtualize the
jump server and install the required admin tools on that VM. What else should this administrator do?
configure a PAW, then configure MFA to connect to the jump server VM from the PAW
Exp
an Administrator must create a user account in the Contoso domain. Which group memberships enable the administrator to perform
the task without exceeding the required privilege?
domain local Account Operators group
members of "Domain Local Account Operators" can add user accounts in the local domain
an admin in Contoso IT wants to delegate computer management to a small team in Support. The computers are all in the Sales dept.
Their accounts reside in the Sales OU. Adhering to best practice, how should he proceed?
create a group for the Support team members to belong to.
Apply a custom delegation for that group to the Sales OU for computer objects.
you could also create a custom task delegation for each Support member, but best practice is to put them into a group,
then delegate to the group. NOTE that 'computer management' is considered a custom task to delegate, rather than a common one.
common tasks to delegate:
-create, delete, manage user accounts
-reset passwords
-read all user info
-create, delete, manage groups
-modify group membership
-manage group policy links
and others....
Which Windows 10 Enterprise feature helps protect user credentials during the sign in process, and what
is needed to enable the feature?
Windows Defender Credential Guard
to implement, you REQUIRE hyper-v, and secure boot. OPTIONALLY you can use TPM and UEFI lock
Note Windows Defender Device Guard is different. It combines Application Control with hyper-v to protect kernel-mode
processes against the injection and execution of unverified code
describe windows server admin tools
Knowledge Check 3-20-22
Which port is used by the Windows Admin Center by Default?
TCP 6516
6516 is default for WAC, but can be changed
An administrator has set up a standalone Windows 10 Enterprise computer in a workgroup as an administrative workstation.
The administrator intends to use PowerShell remoting to manage remote Windows Servers in the Contoso.com domain. He is unable to
establish a remote connection to the domain controller SEA-DC1. Assuming that all default settings have been applied, what's
the reason for the failure to connect?
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'SEA-DC1.Contoso.com'
since the Win 10 computer is NOT on the domain, Kerberos authentication can't be used. So the administrator must
configure the target server as a trusted host.
An administrator wants to reconfigure the properties of some users in the marketing OU of Contoso.com. He decides to use
PowerShell. Which cmdlet would he use to make changes?
Set-ADuser
this cmdlet commits changes to the selected objects
using Windows Admin Center, the administrator connects to the DC, SEA-DC1. He wants to add a new user
account to the AD DS Contoso domain. Which procedure would NOT work?
you could NOT add a new user by connecting to SEA-DC1 then selecting Local Users & Groups, Create, User....
You CANT use the Local Users and Groups node when connected to a DC.
What you COULD do is connect to SEA-DC1 and select Active Directory, Create, User. Or use PowerShell: New-ADUser
What cmdlet can be run on a remote Windows Server computer to enable PowerShell remoting?
Enable-PSRemoting
enables Windows Remote Management firewall exceptions and the WinRM listener service
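The three answers above (Enable-PSRemoting on the server, TrustedHosts on the workgroup workstation, Set-ADUser for the Marketing OU) fit together as one workflow. This is an added example, not from the course material; the server name SEA-DC1, the Contoso.com domain and the Marketing OU come from the notes, the credential name and the Department value are constructed.

```powershell
# --- On the remote server (run once, elevated) ---
# Enables the WinRM listener and the Windows Remote Management firewall exceptions.
Enable-PSRemoting -Force

# --- On the workgroup administrative workstation ---
# The workstation is not domain-joined, so Kerberos cannot authenticate the server.
# Trust only the specific servers you manage; a wildcard '*' trusts any host and
# would let a spoofed server receive the NTLM credentials you send.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'SEA-DC1.Contoso.com' -Concatenate -Force

# Verify the current TrustedHosts list.
Get-Item -Path WSMan:\localhost\Client\TrustedHosts

# Without Kerberos the domain credentials must be supplied explicitly.
$cred = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Domain admin credentials'

# Run Set-ADUser on the DC to change a property of every user in the Marketing OU.
Invoke-Command -ComputerName 'SEA-DC1.Contoso.com' -Credential $cred -ScriptBlock {
    Get-ADUser -Filter * -SearchBase 'OU=Marketing,DC=Contoso,DC=com' |
        Set-ADUser -Department 'Marketing'   # constructed sample change
}
```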
perform post-installation configuration of windows server
Knowledge Check 3-20-22
Which component in DSC is responsible for applying the desired configuration to the target computer?
LCM
The LCM is the engine that DSC uses to apply the configs. LCM = Local Configuration Manager
an Admin at Contoso is using answer files to configure server settings during deployment. In which section of the answer
file should the administrator define the Windows Server roles and features that should be deployed?
Packages
"Packages" refers to Windows features: updates, service packs, language packs, and SERVER ROLES/FEATURES
"Components" refers to all other settings
When using Windows Admin Center, when might an administrator choose to configure trusted hosts?
When the Admin Center workstation is not in the same AD DS forest as the resources it manages.
when you connect to a remote computer, you must authenticate. If on domain, Kerberos is used. If not, you
must configure target computers as trusted hosts.
A Contoso admin wants to connect to SEA-DC1 using Remote Desktop. He can successfully connect to SEA-DC1 using Server Manager
and also Windows Admin Center. But when he opens Remote Desktop Connection and enters the computer name and user credentials,
the connection fails. What needs to be done?
on SEA-DC1, use Sconfig and select option 8 to reconfigure network settings.
Server Manager and WAC will connect because they dont use 'remote desktop'. Remote desktop must be enabled on the DC.
SConfig options:
remotely administer and manage windows server IaaS VMs
Knowledge Check 3-20-22
which protocol enables an administrator to manage their IaaS VMs and is secured by Azure Bastion?
RDP
RDP is secured by Bastion as a means for communicating with your IaaS VMs
Which statement about Bastion is true?
Subnet that contains the bastion host must be called "AzureBastionSubnet"
Also- Bastion host and protected VM must be in the same VNet
Which statement about JIT access in Azure is correct?
You can enable JIT access when you attempt to connect to the VM
You can also enable JIT from Security Center
manage hybrid workloads with Azure Arc
Knowledge Check 3-20-22
Channa in IT support at Contoso has been tasked with running a script on an Arc-managed VM hosted in an on-premises datacenter
in the London office. What is the best solution?
onboard into Arc and then use a CustomScriptExtension VM extension to download and execute the script
without that extension you will be unable to run the script
(demo video at time index 3:25)- the admin selects an account to sign in with. What are the minimum permissions
this account needs?
the account must be a member of the Azure Connected Machine Onboarding role
in video at time index 2:05, what does the script do in the Arc onboarding process?
downloads the Azure connected machine agent
first the script downloads the agent. Next it installs, then onboards the device into Arc
Just Enough Administration in Win Server
Knowledge Check 3-20-22
Which setting should be configured in a role capability file to specify the exact PowerShell cmdlets that
are available in a JEA session?
VisibleCmdlets
Use this section of a role capability file to specify which PowerShell cmdlets can be used in a JEA session
Which settings should be configured in a session configuration file to ensure that a special account with local
administrative credentials is used during a JEA session instead of the connecting users account?
RunAsVirtualAccount
The RunAsVirtualAccount setting allows you to have the JEA session use a special virtual account with local admin privileges.
In addition to the name of the remote computer being connected to, which must be specified when connecting to a JEA endpoint using
remote PowerShell?
endpoint configuration name
you must specify both the computername and the endpoint configuration name when making a remote PowerShell connection with JEA
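The three JEA answers above (VisibleCmdlets in the role capability file, RunAsVirtualAccount in the session configuration file, and the endpoint configuration name on connect) as one end-to-end setup. This is an added example, not from the course material; the endpoint name 'HelpDeskJEA', the group 'CONTOSO\HelpDesk', the module folder and the Spooler restriction are constructed placeholders, while SEA-DC1.Contoso.com comes from the notes.

```powershell
# Module folder that holds the role capability; JEA looks for .psrc files in a
# 'RoleCapabilities' subfolder of a module on $env:PSModulePath.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
New-Item -Path (Join-Path $modulePath 'RoleCapabilities') -ItemType Directory -Force | Out-Null

# 1. Role capability file (.psrc): VisibleCmdlets lists exactly which cmdlets the
#    role may run. The ValidateSet restricts Restart-Service to the Spooler service,
#    so the least-privilege scope is the cmdlet AND its arguments.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\HelpDesk.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# 2. Session configuration file (.pssc): RunAsVirtualAccount runs the session as a
#    temporary local administrator instead of the connecting user; RoleDefinitions
#    maps a group to the role capability above; transcripts give an audit trail.
$psscPath = Join-Path $env:TEMP 'HelpDeskJEA.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDesk' } }

# Validate the file before registering it.
Test-PSSessionConfigurationFile -Path $psscPath

# 3. Register the endpoint on the server (this restarts the WinRM service).
Register-PSSessionConfiguration -Name 'HelpDeskJEA' -Path $psscPath -Force

# 4. Connecting: the computer name AND the endpoint configuration name are both
#    required; without -ConfigurationName the default, unrestricted endpoint is used.
# Enter-PSSession -ComputerName 'SEA-DC1.Contoso.com' -ConfigurationName 'HelpDeskJEA'
```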
manage virtualization and containers in a hybrid environment
module
Knowledge Check
implement an on-premises and hybrid networking infrastructure
module
Knowledge Check
configure storage and file services
module
Knowledge Check