CIS 206 Exam 2

A slow link, by default, is a network connection that's less than which of the following? 500 Mbps 1 Gbps 500 Kbps 10 Gbps

500 Kbps

On a Windows Server 2016, what is the default CRL publication interval? 1 day 1 year 1 month 1 week

1 week

What can you install on a Windows Server 2016 server that can scan documents and apply rights policy templates automatically based on resource properties? Exclusion policies FSRM TPD file AD FS

FSRM

A claims provider is the resource partner that accepts claims from the business partner to make authentication and authorization decisions. True or False

False

A site bridge is needed to connect two or more sites for replication. True or False

False

A tree can consist of a single domain or a parent domain and child domains, which cannot have child domains of their own. True or False

False

Active Directory metadata describes the actual Active Directory data, not the Active Directory database. True or False

False

Applications that are not claims-aware can't be used in an AD FS deployment. True or False

False

By default, subnets are created in Active Directory Sites and Services. True or False

False

CA Administrator approves requests for certificate enrollment and revocation. True or False

False

GPO enforcement is configured on a GPO, not on an Active Directory container. True or False

False

Group conversion facilitates migrating user accounts from one domain to another. True or False

False

Group policy caching improves system startup speed because the cache is used during asynchronous background processing, which occurs when the system boots. True or False

False

If a certificate is not renewed before the validity period expires, the certificate can still be used until the renewal period ends. True or False

False

If your domain includes Windows Server 2003 or older DCs, it's using DFSR to replicate SYSVOL. True or False

False

Intrasite replication occurs between bridgehead servers. True or False

False

Intrasite replication takes place between DCs in two or more sites. True or False

False

On a slow link, policies involving folder redirection are always processed. True or False

False

Online Responder is used to issue certificates to network devices, such as routers and switches. True or False

False

Primary authentication is not required for all users who access applications that use AD FS. True or False

False

The federated Web SSO with forest trust design is most often used in business-to-employee relationships. True or False

False

The intermediate CA is the most critical and is the server typically configured for offline operation. True or False

False

The logical components of Active Directory are forests, domains, and sites. True or False

False

Version 5 templates allow customization of most certificate settings and permit autoenrollment. True or False

False

When you back up a GPO, the policy settings are backed up, but not the security filtering settings, delegation settings, and WMI filter links. True or False

False

With AD FS preauthentication, client requests for the application are sent via a proxy server to the application server. True or False

False

With separate domains, stricter resource control and administrative permissions are more difficult. True or False

False

The option to turn off background processing is not available for which type of policy below? Application preference Disk quota Scripts processing Folder redirection

Folder redirection

Select the specific tab within the Group Policy Management Console that will allow you to view which policies affect a domain or OU and where the policies are inherited from. Group Policy Management Group Policy Details Group Policy Delegation Group Policy Inheritance

Group Policy Inheritance

What tool can be used to determine what policy settings would apply to a computer or user account if it were moved to a different container? Group Policy Testing Group Policy Modeling Group Policy Projection Resultant Move of Policy

Group Policy Modeling

Which of the following is a type of CA in the CA three-level hierarchy? (Choose all that apply.) Intermediate stand-alone CA Issuing offline CA Issuing enterprise CA Secondary enterprise CA

Intermediate stand-alone CA Issuing enterprise CA

What command can be used to cause a group policy refresh remotely on Windows Vista and later clients? Invoke-GPUpdate gpupdate.exe gpremote.exe Remote-GPUpdate

Invoke-GPUpdate

Which of the following is true about using IP in site links? (Choose all that apply.) It is synchronous It is asynchronous RPC runs over IP It can't be used to replicate domain directory partitions

It is synchronous RPC runs over IP

Which of the following is used to map attributes from the claims provider to claims attributes acceptable to the relying party? Acceptance transform rules Multi-factor authentication Authentication policies Data source selection

Acceptance transform rules

In which LDAP-compatible database are claims values stored? Attribute store ADMX central store AD Directory Service Claims provider

Attribute store

Which feature, first introduced with Windows Server 2012 R2, provides new Active Directory containers to which authentication policies can be applied to restrict where high-privilege user accounts can be used in the domain? Automatic SPN management DFS replication Authentication Policy silos AES support

Authentication Policy silos

If you configure the issuance requirements for a certificate issued from a template so that more than one signature is required before a certificate can be issued, which of the following is true? Certificate enrollment is disabled Certificate enrollment is automatic The certificate is added to the CRL Autoenrollment is disabled

Autoenrollment is disabled

A server configured for Web enrollment is referred to as which of the following? CA Web proxy Intermediate CA Delta CRL Online responder

CA Web proxy

Which of the following best describes an attribute of a certificate that identifies where the CRL for a CA can be retrieved? CRL distribution point CRL enrollment CRL recovery Attribute distribution

CRL distribution point

Select below the FSMO role that is a forest-wide FSMO role: Infrastructure master RID master PDC Emulator Domain naming master

Domain naming master

Select the FSMO role that is required to be online to facilitate the addition or removal of a domain controller: RID master PDC emulator Schema master Domain naming master

Domain naming master

With universal group membership caching, how often is the cached information on group membership refreshed? Every 2 days Every 8 days Every 2 hours Every 8 hours

Every 8 hours

Once Active Directory has been installed, a default site link is created. What is the name of this site link? ADSITEHOLDER DEFAULTIPSITELINK IPSITECONTAINER FIRSTSITE

DEFAULTIPSITELINK

All your domain controllers are running Windows Server 2016 in a new forest. What should you check if GPT replication is not occurring correctly? GPC replication FRS AD Replication DFSR

DFSR

Which server role below cannot be installed on a domain controller that will be cloned? RADIUS WSUS DNS DHCP

DHCP

You need to allow your network technician to view the RMS logs and reports, but no additional permissions should be granted to this technician. What can you do? Add the technician to the Backup Operators group Add the technician to the Domain Admins group Delegate the AD RMS Auditor role Delegate the AD RMS Service role

Delegate the AD RMS Auditor role

Which of the following is a type of AD RMS exclusion policy? (Choose all that apply.) Lockbox Version Exclusion Application Exclusion Address Exclusion Machine Exclusion

Lockbox Version Exclusion Application Exclusion

What mode of the Resultant Set of Policy (RSoP) snap-in produces a database of policy results that you browse in a similar manner to using the Group Policy Management Editor? Logging Testing Processing Planning

Logging

An administrator has received a call indicating that some users are having difficulty logging on after a password change. Which FSMO role should be investigated? PDC emulator RID master Schema master Infrastructure master

PDC emulator

The RID master FSMO role is ideally placed on the same server as what other role? Schema master PDC emulator Infrastructure master Domain naming master

PDC emulator

What permission is given to the Enterprise Domain Controllers universal group on all GPOs by default, and grants permission to view settings and back up a GPO? Create GPOs Link GPOs Edit Settings Read

Read

What is the name of a domain controller on which changes can't be written? No write domain controller Read only domain controller Access only domain controller Secured domain controller

Read only domain controller

What is used to identify all objects in a domain? DIR PDC RID SID

SID

What feature should you enable to prevent the sIDHistory attribute from being used to falsely gain administrative privileges in a trusting forest? Trust transitivity Fine-grained password policies SID filtering Selective authentication

SID filtering

What features should you configure if you want to limit access to resources by users in a trusted forest, regardless of permission settings on these resources? Selective authentication Fine-grained password policies Trust transitivity SID filtering

Selective authentication

An administrator has attempted to change the forest functional level, but the attempt failed due to the failure of an FSMO role. Which FSMO role should be investigated? PDC emulator Infrastructure master Schema master RID master

Schema master

Which of the following is a self-signed certificate and identifies the AD RMS cluster? Client licensor certificate Server licensor certificate Machine certificate Rights account certificate

Server licensor certificate

What type of key is used in symmetric cryptography, must be known by both parties, and is used for both encryption and decryption? Ciphertext Private key Public key Shared secret

Shared secret

Which policy below requires synchronous processing to ensure a consistent computing environment? Software installation policies Script policies Wired network policies Wireless network policies

Software installation policies

You have installed AD RMS on your network, and you must specify who can access AD RMS content and from which AD RMS clusters content may be published. What should you configure? (Choose all that apply.) TPD TUD RAC SCP

TPD TUD

What GPO policy will take precedence over all other GPO policies when they are being applied? The last policy applied takes precedence The policy with a value of 100 will take precedence The policy selected by the administrator will take precedence The first policy applied takes precedence

The last policy applied takes precedence

What does the /target option do when used with the gpupdate command? The option can specify whether computer or user policy settings should be updated The option allows the specification of a target time window for the update The option can be used to specify a remote computer to force policy updates The option allows the administrator to target a specific policy setting to be updated

The option can specify whether computer or user policy settings should be updated

A Web Application Proxy server needs two NICs installed to function correctly. True or False

True

A delegated installation allows a domain administrator to create the RODC computer account in Active Directory, so that a regular user can perform the installation at a later time. True or False

True

A domain controller clone is a replica of an existing DC. True or False

True

A loopback policy can be used to change user policy settings based on the GPO within whose scope a computer object falls. True or False

True

A migration table is a list of security principals and UNC paths in a GPO that can be mapped to the security principals and UNC paths in the destination domain. True or False

True

A revocation configuration tells the CA what methods are available for clients to access CRLs. True or False

True

AD FS is designed to work over the public Internet with a Web browser interface. True or False

True

Adding a subdomain is a common reason for expanding an Active Directory forest. True or False

True

An Active Directory snapshot is a replica of the Active Directory database at a specific moment. True or False

True

Authentication efficiency, replication efficiency, and application efficiency are the three main reasons for establishing multiple sites. True or False

True

Before you can install a DC running a newer Windows Server version in an existing forest with a lower functional level, you must prepare existing DCs with the adprep.exe command-line program. True or False

True

Before you can install an RODC, the forest functional level must be at least Windows Server 2003. True or False

True

Certificate autoenrollment is an option only on enterprise CAs. True or False

True

Device registration is a feature that allows non domain-joined devices to access claims-based resources securely. True or False

True

GPOs set at the domain level should contain settings that you want to apply to all objects in the domain. True or False

True

Multi-factor authentication means users must authenticate with more than one device. True or False

True

Remote Desktop Gateway applications are a convenient way for organizations to make applications available to users without having to install the application on every user's computer. True or False

True

The Group Policy Results wizard will show administrators which policy settings apply only to a user, computer, or both. True or False

True

The PowerShell cmdlet "Restore-CARoleService" restores the CA database and all private key data. True or False

True

The repadmin /replicate command causes replication of a specified partition from one DC to another. True or False

True

There's only one global catalog per forest. True or False

True

Universal groups allow administrators to assign rights and permissions to forest-wide resources to users from any domain. True or False

True

Users can request certificates that aren't configured for autoenrollment by using the Certificates snap-in. True or False

True

When a full backup or system state backup is performed on a CA server, the certificate store is backed up along with other data. True or False

True

You can configure a firewall with the Group Policy tool or on a client computer. True or False

True

You can see a GPO's DACL in Active Directory Users and Computers in the System\Policies folder. True or False

True

If an employee leaves a company, what should happen to any certificates held by that employee that were issued by the company's PKI? They should be included in the CDP They should be forwarded to the AIA They should be put on the CRL They should be added to the OR

They should be put on the CRL

How is a computer's designated site determined, such that the computer is given a domain controller to request services from within the same site? Through NPS policies Through GPOs Through computer OU information Through subnets added to the site

Through subnets added to the site

During garbage collection, what setting controls how long deleted objects remain within the database before such objects are completely removed? Remove by date Purge lifetime Object expiry date Tombstone lifetime

Tombstone lifetime

Which of the following uses permissions to restrict objects from accessing a GPO? WMI filtering security filtering blocking enforcement GPO status

WMI filtering

Which of the following is NOT a feature of AD RMS? Self-enrollment AD FS integration Mobile device support Workplace Join

Workplace Join

Which of the following is the international standard that defines a PKI and certificate formats? LDAP X.509 1394 802.3

X.509

When configuring a claims provider trust, what are the claims configured on? publishing license attribute store use license Web Application Proxy

attribute store

How can an administrator initiate a system state recovery using the command line? wbadmin restore catalog wbadmin recover wbadmin staterecovery start wbadmin start systemstaterecovery

wbadmin start systemstaterecovery

Which option below is not one of the three main methods for cleaning up metadata? Active Directory Sites and Services ntdsutil.exe Active Directory Users and Computers wbsadmin.exe

wbsadmin.exe

Which of the following hosts resources that are made available to the account partner? Claims provider Federation trustee Relying party Claims agent

relying party

Which command shows you detailed information about replication status, including information on each partition? Get-ADReplication /all repadmin /showrepl dcdiag /replsum showrepl /detailed

repadmin /showrepl

The gpupdate command in conjunction with which option below causes synchronous processing during the next computer restart or user logon? /force /wait /full /sync

/sync

How often does garbage collection run on a DC? 18 hours 12 hours 6 hours 2 hours

12 hours

What is the schedule for non-urgent intrasite replication? 15 seconds after any change occurs, with a 3-second delay between partners Immediately after any change occurs, with a 10-second delay between partners Once per hour unless manually started by an administrator On a fixed schedule every 30 minutes, with a random delay between partners

15 seconds after any change occurs, with a 3-second delay between partners

By default, for how long are deleted objects stored within the Active Directory database before they are removed entirely? 160 days 60 days 180 days 120 days

180 days

Which of the following is associated with an Active Directory tree? (Choose all that apply.) A common naming structure Parent and child domains A container object One or more domains

A container object

A partition stored on a domain controller in the HQ site isn't being replicated to other sites, but all other partitions on domain controllers in the HQ site are being replicated. The problem partition is stored on multiple domain controllers in HQ. What should you investigate as the source of the problem? A manually configured KCC A manually configured bridgehead server A failed Global Catalog A failed site link bridge

A manually configured bridgehead server

In a new partnership with XYZ Company, ABC company wants to share documents securely using Web-based applications. All communication must be secure, and document usage must be controlled. Both companies run Windows Server 2016 domains but must remain in separate forests. What can you implement to facilitate this partnership? Network Device Enrollment Services AD Certificate Services and AD Lightweight Directory Services AD Federation Services and AD Rights Management Services Two-way transitive realm trusts

AD Federation Services and AD Rights Management Services

Your company deals with highly confidential information, some of which is transmitted via email among employees. Some documents have been forwarded via email, making the documents more difficult to track. You want to be able to prevent employees from forwarding certain emails. What should you deploy? AD CS Web SSO AD RMS EFS

AD RMS

Which of the following is the company whose users are accessing resources from another company? Claims provider Resource host Account partner Relying partner

Account partner

When a GPO is linked to a site object, what will be affected? All users physically located at the site All users and computers physically located at the site Any computers or users connected logically to the site All computers physically located at the site

All users and computers physically located at the site

What policy setting can be used to force synchronous processing? Force synchronous processing before logon Change Group Policy processing to run asynchronously when a slow network connection is detected Always wait for the network at computer startup and logon Prevent bypass of synchronous processing

Always wait for the network at computer startup and logon

Which type of cryptography provides the most security? Secret key cryptography Digital signature cryptography Asymmetric cryptography Private key cryptography

Asymmetric cryptography

Which of the following is not a required PKI component but identifies the CA and describes the security practices in place for maintaining CA integrity? Root CA Online Responder Authority Information Access Certificate Practice Statement

Certificate Practice Statement

Which of the following information may be found in a CPS? (Choose all that apply.) Certificate lifetimes List of revoked certificates Types of certificates issued CA administrator name

Certificate lifetimes Types of certificates issued

What tool can a user use to request certificates that are not configured for autoenrollment? Certificate Manager Registration snap-in Active Directory Services snap-in Certificates snap-in

Certificates snap-in

By default, what policies will be downloaded and processed by a Group Policy client? All approved policies Changed policies only No policies are downloaded and processed by default All policies

Changed policies only

Which of the following usually includes the user's logon name, group memberships, and other user attributes in an AD FS-enabled network? Claim Classification Trust Resource

Claim

To find a full list of policies and preferences that can have background processing disabled, where should you look? Computer Configuration\Policies\Administrative Templates\System\Group Policy Computer Configuration\Policies\Administrative Templates\Group Policy User Configuration\Policies\Administrative Templates\System\Group Policy User Configuration\Policies\Administrative Templates\Group Policy

Computer Configuration\Policies\Administrative Templates\System\Group Policy

Which of the following tasks must be completed to configure an online responder? (Choose all that apply.) Configure a KRA Add a user to the OR-Users group Configure the CA to support the online responder Configure revocation for the OR

Configure the CA to support the online responder Configure revocation for the OR

You have several marketing documents that are published through AD RMS. However, you have three new marketing employees that require additional training before they should be able to access these documents. These employees should have all other rights and permissions as members of the Marketing group. What should you do to prevent these users from accessing these rights-protected documents? Configure a user exclusion policy in AD RMS Create a new group, add the users to the group and configure Deny permissions Configure a rights policy template in AD RMS Create a revocation policy in AD RMS

Configure a user exclusion policy in AD RMS

What is the last step, just before you review the relying party trust information, in the Add Relying Party Trust Wizard? Install and configure the claims-aware application Configure an access control policy Select the data source Configure multi-factor authentication

Configure an access control policy

Which of the following are typical tasks involved in configuring a certification authority? (Choose all that apply.) Configure enrollment options Configure certificate templates Configure DNS SRV records Create a revocation configuration

Configure enrollment options Configure certificate templates Create a revocation configuration

What is created automatically by the KCC and allows the configuration of replication between sites? Bridgehead server Site link Site link bridge Connection object

Connection object

You have just installed two new Linux servers to handle a new application. You want to integrate user authentication between Linux and your existing Windows Server 2012 R2 domain controllers. What can you do? Create a forest trust Create an external trust Create a transitive trust Create a realm trust

Create a realm trust

You have a forest with three trees and twelve domains. Users are complaining that access to resources in other domains is slow. You suspect the delay is caused by authentication referrals. What can you do to mitigate the problem? Create a forest trust Create a shortcut trust Create an external trust Create a transitive trust

Create a shortcut trust

Your company has purchased another company that also uses Windows Server 2016 and Active Directory. Both companies need to be able to access each other's forest resources. How can you achieve this goal with the least administrative effort? Configure selective authentication Configure an external trust Create a two-way forest trust Share the global catalog for both companies

Create a two-way forest trust

Which of the following are common ways to configure DNS for a forest trust? (Choose all that apply.) Create primary standard zones Create primary AD-integrated zones Create conditional forwarders Create stub zones

Create conditional forwarders Create stub zones

Which of the following is created using a hash algorithm and can be used to verify the authenticity of a document? Ciphertext Public Key Infrastructure Digital signature Certificate authority

Digital signature

What Active Directory replication method is more efficient and reliable? File Replication Service Distributed File System Replication SYSVOL Replication AD File System Replication

Distributed File System Replication

Select the GPO permission that provides the ability to change existing settings, import settings, and enable or disable a GPO, but is not granted to any user by default. Read Create GPOs Edit Settings Link GPOs

Edit Settings

Which AD DS design should you use if you want your design to support business-to-business relationships where the account federation server validates credentials and no Active Directory trust is created? Federated Web SSO with forest trust Web SSO AD RMS Federated trust Federated Web SSO

Federated Web SSO

To increase security of data stored on an RODC, what can be configured to specify domain objects that aren't replicated to RODCs? Online defragmentation settings Site-to-site relationships Bridgehead server Filtered attribute sets

Filtered attribute sets

What is the first domain installed in a forest called? Master domain Forest root Primary tree Global catalog

Forest root

What are the two flexible single master operation (FSMO) roles? (Choose all that apply.) Forestwide Systemwide Domainwide Objectwide

Forestwide Domainwide

Select the term used to describe forcing inheritance of settings on all child objects in the GPO's scope, even if a GPO with conflicting settings is linked to a container at a deeper level. object enforcement GPO enforcement forced inheritance scope enforcement

GPO enforcement

What defines which objects are affected by settings in a GPO? GPO scope Group Policy Inheritance Group Policy Permissions Group Policy Management

GPO scope

What PowerShell cmdlet will allow an administrator to check for software that is incompatible with the cloning process? Get-ADDCCloneConfigFile Show-ADDCCloningConfigFile New-ADDCCloningExcludedList Get-ADDCCloningExcludedApplicationList

Get-ADDCCloningExcludedApplicationList

An administrator needs to know which servers carry forest-wide roles. What PowerShell cmdlet can be used to display this information? Show-FSMO Show-ForestRoles Get-ADForest Get-ADFSMORoles

Get-ADForest

What type of algorithm is used to sign the CA certificate? Ciphertext Hash Plaintext CSP

Hash

Which of the following are intersite transport protocols? (Choose all that apply.) POP UDP IP SMTP

IP SMTP

Select the command that is used to import settings from a backed-up GPO to an existing GPO. Restore-GPO Import-GPO Select-GPO Open-GPO

Import-GPO

What DC is responsible for ensuring that changes made to object names in one domain are updated in references to these objects in other domains? RID Master Infrastructure master schema master PDC emulator

Infrastructure master

Which FSMO role is responsible for ensuring that changes made to object names within one domain are updated in references to those objects in other domains? Infrastructure master RID master PDC emulator Schema master

Infrastructure master

Which of the following is the first step to allow third-party devices to perform device registration to access domain resources from the Internet? Install a certificate from a third-party CA Select the data source Add DNS records for the AD FS server Configure multi-factor authentication

Install a certificate from a third-party CA

THIS QUESTION DOESN'T WORK PROPERLY ON THE STUDY GUIDE. ANSWER WITH CAUTION ON THE EXAM. Which services are provided by a PKI? (Choose all that apply.) Integrity Replication Intrusion Detection Authentication

Integrity Authentication

Which of the following is responsible for assigning a bridgehead server to handle replication for each directory partition? Domain Naming Master Knowledge Consistency Checker Infrastructure Master Inter-Site Topology Generator

Inter-Site Topology Generator

Which type of CA in the three-level hierarchy is sometimes referred to as a policy CA and issues certificates to issuing CAs? Intermediate Offline Root Enterprise

Intermediate

In an AD RMS cluster, which of the following is true about the AD RMS service connection point? (Choose all that apply.) Once defined, you cannot change it It is defined during installation of the root cluster It is stored in Active Directory By default, non domain member clients can access it

It is defined during installation of the root cluster It is stored in Active Directory

For intrasite replication, what component builds a replication topology for DCs in a site and establishes replication partners? Kerberos Site link PDC KCC

KCC

You want to configure automatic key archival to ease the burden of managing backup of private keys. What role must you assign to at least one trusted user in the organization? KRA CDP CPS OR

KRA

Select the GPO state where the GPO is in the Group Policy Objects folder but hasn't been linked to any container objects. Link status: disabled Link status: unlinked GPO status: disabled GPO status: unlinked

Link status: unlinked

What is issued by the root cluster and contains a computer's public key when an AD RMS application is used? Server licensor certificate Machine certificate Rights account certificate Client licensor certificate

Machine certificate

Which of the following are requirements to raise the forest functional level to Windows Server 2016? (Choose all that apply.) Member of Enterprise Admins group The Schema FSMO role must be available All DCs must be at least Windows Server 2008 The server must be a Global Catalog server

Member of Enterprise Admins group The Schema FSMO role must be available

Which of the following is a new AD FS feature found in Windows Server 2016? (Choose all that apply.) Multi-factor authentication Support for LDAP Microsoft Passport support Enhanced device registration

Microsoft Passport support Enhanced device registration

After you install AD CS, you want to begin issuing certificates for the encrypting file system. What should you do first? Configure the online responder Configure enrollment options Install the EFS role service Modify a certificate template

Modify a certificate template

You have a network with three sites named SiteA, SiteB, and SiteC that are assigned the subnets 10.1.0.0/16, 10.2.0.0/16, and 10.3.0.0/16, respectively. You change the IP address of a domain controller in SiteB to 10.1.100.250/16. What should you do now? Right-click the computer object and click Check Replication Topology. Move the computer object of the domain controller in Active Directory Sites and Services to SiteA. Move the computer object in Active Directory Users and Computers to a new OU. Add the 10.1.0.0/16 subnet to SiteB and then force the replication topology to be recalculated.

Move the computer object of the domain controller in Active Directory Sites and Services to SiteA.

You have a number of Cisco routers and switches that you wish to secure using IPsec. You want IPsec authentication to use digital certificates. You already have a PKI in place using Certificate Services on Windows Server 2016. What should you install to secure your devices? OCSP NDES role service Online Responder Smart Card reader

NDES role service

Why might you need to configure multiple forests? Single administrator Easier access to all domain resources Need for a single global catalog Need for different schemas

Need for different schemas

Why might it be a good idea to configure multiple domains in a forest? Access to Universal groups Need for differing account policies You need multiple schemas Easier access to resources

Need for differing account policies

What are the expiration policy options you can specify for content in a rights policy template? (Choose all that apply.) Expires when the account is locked out Never expires Expires when the certificate expires Expires on the following date

Never expires Expires on the following date

What PowerShell cmdlet will link a GPO to a site, domain or OU? Get-GPOLink New-GPLink Restore-GPLink New-GPOLink

New-GPLink

Which service provided by a PKI ensures that a party in a communication can't dispute the validity of the transaction? Confidentiality Authentication Nonrepudiation Integrity

Nonrepudiation

You were issued a certificate on March 1st 2015 for your secure Web server. The validity period is three years and the renewal period is four months. What is the earliest date you can renew this certificate? November 1, 2017 June 1, 2017 July 1, 2018 November 1, 2018

November 1, 2017

By default, replication between DCs when no changes have occurred is scheduled to happen how often? Never Once per week Once per hour Once per day

Once per hour

You have a network that consists of Windows 8.1 and Windows 10 computers as well as some Mac OS and Linux computers. You need to install a PKI using Windows Server 2016 that will be able to issue certificates to all your client computers. What should you install? Offline root CA Online enterprise CA Offline intermediate CA Online stand-alone CA

Online stand-alone CA

Select below the policy permission that grants a user or group the ability to use the GPO Modeling Wizard on a target container. Allow Resultant Set of Policy Read Group Policy Results data Perform Group Policy Modeling analyses Grant Modeling Analysis

Perform Group Policy Modeling analyses

Which tab in the Group Policy Results window shows all events in Event Viewer that are generated by group policies, and can be used to view the relevant information on a remote computer? Details Log entries Policy events Summary

Policy events

Which of the following contains a list of users and specifies what the users can do with a rights-protected document? Rights account certificate Client licensor certificate Use license Publishing license

Publishing license

What are valid reasons to create site link bridges manually? (Choose all that apply.) Reduce confusion of the KCC Control traffic through firewalls To increase the transitivity of site links When you can't use the IP inter-site transport protocol

Reduce confusion of the KCC Control traffic through firewalls

Which of the following is created on the AD FS server that acts as the claims provider in an AD FS deployment? Claims provider trust Relying party trust Attribute store Federation trust

Relying party trust

What folder contains group policy templates, logon/logoff scripts, and DFS synchronization data? System SYSVOL Root NTDS

SYSVOL

What PowerShell cmdlet can be used to begin transferring your existing Windows Server 2012 R2 server to a secondary server when upgrading AD FS? Set-AdfsSyncSecondary Invoke-AdfsSyncProperties Remove-AdfsSyncPrimary Set-AdfsSyncProperties

Set-AdfsSyncProperties

Which PowerShell cmdlet below can be used to set permissions for a security principal to a GPO or to all GPOs? Chmod-GPO Change-GPOSecurity Set-GPPermission Set-GPOSecurity

Set-GPPermission

What type of certificate enrollment issues certificates that users can use to log on to a system by entering a PIN? Smart card enrollment Web enrollment Autoenrollment Certificates MMC

Smart card enrollment

Which component of a site makes a site link transitive? Bridgehead server SMTP Connection object Site link bridge

Site link bridge

Your network is configured in a hub-and-spoke topology. You want to control the flow of replication traffic between sites, specifically reducing the traffic across network links between hub sites to reach satellite sites. What should you configure? Site link bridges NTDS settings Bridgehead servers Connection objects between domain controllers in each site

Site link bridges

If the slow link detection policy is set at 0, what does this indicate? All links are considered slow links Slow links are designated manually Slow links are detected via metric rather than throughput Slow link detection is disabled

Slow link detection is disabled

What can you do if you notice that a DC failed to register its service records? Configure entries in the host's file. Restart the DNS server using Restart-Service DNS -SRV Stop and start the Netlogon service. Manually add A records to the DNS server.

Stop and start the Netlogon service.

You have successfully configured AD RMS and have thoroughly tested all configuration options and policies. The process took several hours to complete, and you need to be sure you can easily re-create the configuration in the event of a disaster. What are the three tasks you should undertake? (Choose all that apply.) Store the cluster key password in a safe place Back up the AD RMS databases Export the trusted user domain configuration database Export the trusted publishing domain file

Store the cluster key password in a safe place Back up the AD RMS databases Export the trusted publishing domain file

Before you configure a forest trust, what should you configure to ensure you can contact the forest root of both forests from both forests? Stub zones Firewall rules Selective authentication Routing

Stub zones

You run a PKI that has issued tens of thousands of certificates to hundreds of thousands of clients. You have found that the traffic created when clients download the CRL is becoming excessive. What can you do to reduce the traffic caused by clients downloading the CRL? Use a Delta CRL Shorten the renewal period Configure Web enrollment Install NDES

Use a Delta CRL

Which of the following is issued to users when they request access to a rights-protected document? Client licensor certificate Publishing license A new claim Use license

Use license

Two users, UserA and UserB, are engaging in secure communication using only asymmetrical encryption. UserA needs to send a secure message to UserB. What occurs first? UserB sends UserA UserB's public key UserA sends a secret key to UserB UserA sends UserB UserA's private key UserB sends a shared secret to UserA

UserB sends UserA UserB's public key

What specific versions of certificate templates are supported by Windows Server 2016? (Choose all that apply.) Version 4 templates Version 2 templates Version 5 templates Version 3 templates

Version 4 templates Version 2 templates Version 3 templates

You have a network of Windows Server 2016 servers, and you wish to allow remote users the ability to access network applications from any device that supports a Web browser? IIS Proxy Server Federation Service Proxy Web Agents Web Application Proxy

Web Application Proxy

Which of the following is true about the domain functional level? You must raise the functional level on all DCs All DCs and member servers must be running the Windows version that supports the functional level You can have different functional levels within the forest The domain and forest functional level must be the same

You can have different functional levels within the forest

Which of the following are ways to change default GPO inheritance? (Choose all that apply.) blocking inheritance GPO enforcement GPO inheritance tagging blocking enforcement

blocking inheritance GPO enforcement

What are conditions that determine what attributes are required in a claim and how claims are processed by the federation server? claim attributes claim rules claim trust claim certificates

claim rules

What assigned value represents the bandwidth of the connection between sites? metric cost log site

cost

What feature allows non-domain-joined devices to access claims-based resources securely? primary authentication device registration multi-factor authentication certificate Authentication

device registration

Which command analyzes the overall health of Active Directory and performs replication security checks? repadmin net show dcdiag Get-ADReplication

dcdiag

What command below can be used to reset the default GPOs to their original settings? dcgpofix dcrecovergpo dcrevertgpo dcgporeset

dcgpofix

OU-linked policies are applied last so they take precedence over which policies? (Choose all that apply.) domain site account administrator

domain site

Which of the following manages adding, removing, and renaming domains in the forest? schema master forest master domain naming master operations master

domain naming master

What holds the log of Active Directory transactions or changes? edb.chk ntds.log edb.log aed.dit

edb.log

Which option will allow private keys to be locked away and then restored if the user's private key is lost? key restore key recovery private key cloning key archival

key archival

What type of replication scheme does Active Directory use to synchronize copies of most information in the Active Directory database? single master flexible single master multimaster domain-wide

multimaster

Within the NTDS folder, which file stores the main Active Directory database? edbres00001.jrs ed.dit edb.chk ntds.dit

ntds.dit

Which of the following uses queries to select a group of computers based on certain attributes, and then applies or doesn't apply policies based on the query's results? security filtering blocking enforcement WMI filtering GPO status

security filtering

Select the RODC installation type where the domain administrator creates the RODC computer account in Active Directory, and then a regular user can perform the installation at a later time. deferred installation selected installation default RODC installation staged installation

staged installation

What CAs interact with clients to field certificate requests and maintain the CRL? subordinate CAs intermediate CAs root CAs policy CAs

subordinate CAs

