CIS 222
Which server role below cannot be installed on a domain controller that will be cloned?
DHCP
Applications that are not claims-aware can't be used in an AD FS deployment.
False
By default, subnets are created in Active Directory Sites and Services.
False
If a certificate is not renewed before the validity period expires, the certificate can still be used until the renewal period ends.
False
Intrasite replication takes place between DCs in two or more sites.
False
The federated Web SSO with forest trust design is most often used in business-to-employee relationships.
False
The logical components of Active Directory are forests, domains, and sites
False
With separate domains, stricter resource control and administrative permissions are more difficult.
False
Which AD DS design should you use if you want your design to support business-to-business relationships where the account federation server validates credentials and no Active Directory trust is created?
Federated Web SSO
To increase security of data stored on an RODC, what can be configured to specify domain objects that aren't replicated to RODCs?
Filtered attribute sets
What is the first domain installed in a forest called?
Forest Root
What type of algorithm is used to sign the CA certificate?
Hash
For intrasite replication, what component builds a replication topology for DCs in a site and establishes replication partners?
KCC
If an employee leaves a company, what should happen to any certificates held by that employee that was issued by the company's PKI?
They Should be put on the CRL
Your company has purchased another company that also uses Windows Server 2016 and Active Directory. Both companies need to be able to access each other's forest resources. How can you achieve this goal with the least administrative effort?
Create a two way forest trust
Why might you need to configure multiple forests?
Need for different schemas
Which service provided by a PKI ensures that a party in a communication can't dispute the validity of the transaction?
Nonrepudiation
You were issued a certificate on March 1st 2015 for your secure Web server. The validity period is three years and the renewal period is four months. What is the earliest date you can renew this certificate?
November 1, 2017
Which of the following is associated with an Active Directory tree? (Choose all that apply.)
One or more domains A Common naming structure Parent and Child domains
You have a network that consists of Windows 8.1 and Windows 10 computers as well as some Mac OS and Linux computers. You need to install a PKI using Windows Server 2016 that will be able to issue certificates to all your client computers. What should you install?
Online Standalone CA
The RID master FSMO role is ideally placed on the same server as what other role?
PDC Emulator
What is the name of a domain controller in which changes cant be written
Read Only Domain Controller
Which of the following is a self-signed certificate and identifies the AD RMS cluster?
Server Licencor Certificate
How is a computer's designated site determined, such that the computer is given a domain controller to request services from within the same site?
Through Subnets added to the site
Which of the following is true about the domain functional level?
You can have different functional levels within the forest
Which option below is not one of the three main methods for cleaning up metadata?
wbsadmin.exe
Which of the following is the first step to allow third-party devices to perform device registration to access domain resources from the Internet?
Install a certificate from a third party CA
Which of the following are requirements to raise the forest functional level to Windows Server 2016? (Choose all that apply.)
Member of enterprise admins group The Schema FSMO role must be available
After you install AD CS, you want to begin issuing certificates for the encrypting file system. What should you do first?
Modify a certificate template
You have a number of Cisco routers and switches that you wish to secure using IPsec. You want IPsec authentication to use digital certificates. You already have a PKI in place using Certificate Services on Windows Server 2016. What should you install to secure your devices?
NDES role service
Which of the following is NOT a feature of AD RMS?
Workplace Join
Your company deals with highly confidential information, some of which is transmitted via email among employees. Some documents have been forwarded via email, making the documents more difficult to track. You want to be able to prevent employees from forwarding certain emails. What should you deploy?
AD RMS
Which type of cryptography provides the most security?
Asymmetric Cryptography
In which LDAP-compatible database are claims values stored?
Attribute Store
Which feature was first introduced with Windows Server 2012 R2, and are new Active Directory containers to which authentication policies can be applied to restrict where high-privilege user accounts can be used in the domain?
Authentication policy silos
You have several marketing documents that are published through AD RMS. However, you have three new marketing employees that require additional training before they should be able to access these documents. These employees should have all other rights and permissions as members of the Marketing group. What should you do to prevent these users from accessing these rights-protected documents?
Configure a user exclusion policy in AD RMS
Once Active Directory has been installed, a default site link is created. What is the name of this site link?
DEFAULTIPSITELINK
You need to allow your network technician to view the RMS logs and reports, but no additional permissions should be granted to this technician. What can you do?
Delegate the AD RMS
With universal group membership caching, how often is the cached information on group membership refreshed?
Every 8 Hours
A tree can consist of a single domain or a parent domain and child domains, which cannot have child domains of their own.
FALSE
A claims provider is the resource partner that accepts claims from the business partner to make authentication and authorization decisions.
False
A domain controller clone is a replica of an existing DC.
True
A revocation configuration tells the CA what methods are available for clients to access CRLs.
True
Adding a subdomain is a common reason for expanding an Active Directory forest.
True
Before you can install an RODC, the forest functional level must be at least Windows Server 2003.
True
Users can request certificates that aren't configured for autoenrollment by using the Certificates snap-in.
True
Which of the following is issued to users when they request access to a rights-protected document?
Use License
What is issued by the root cluster and contains a computer's public key when an AD RMS application is used?
machine certificate
AD FS is designed to work over the public Internet with a Web browser interface.
true
Certificate autoenrollment is an option only on enterprise CAs.
true