741 Final (7, 8, 9, 10, 11)
Requirements for a forest trust?
*Both domains must be forest root domains and have a forest functional level of Windows Server 2003 or higher.
*You must be a member of Domain Admins or Enterprise Admins, or have been delegated the appropriate permissions to create the trust.
*To create a two-way trust you need an account in the EXTERNAL domain with the appropriate permissions, or you must work closely with the other domain's Domain Admins or Enterprise Admins to complete the two-way trust.
CMAK
*Creates and customizes profiles for CM and distributes them to users.
*The profile must be created on the same architecture (32/64-bit) as the install point
*Vista or above
*Server 2003, XP, or Windows 2000
In Windows Server 2016, which of the following are methods to create DNS resource records?
*DNS Manager console
*Windows PowerShell
*Server Manager IPAM
RRAS built-in logging levels
*Log errors only
*Log errors and warnings
*Log all events
*Do not log any events
Log files are found in the C:\Windows\Tracing folder. Tracing can be enabled with "netsh ras set tracing * enabled" or by setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EnableFileTracing=1
Ways to create a VPN connection:
*Network and Sharing Center: Set up a connection or network wizard
*Windows Server 2016 Settings
*Connection Manager Administration Kit (CMAK) (easiest)
Things to consider when selecting VPN protocols
*Operating system
*The clients' need and ability to traverse firewalls, NAT devices, and web proxies
*Authentication requirements for computers and users
*Implementation type, such as site-to-site VPN or remote access VPN
Tunneling protocols used with a VPN/RAS server running on Windows Server 2016:
*PPTP
*L2TP with IPsec
*IKEv2
*SSTP
Route command-line utility commands:
*Print: Shows the routing table
*Add: Adds a route to the table (-p makes the route persistent)
*Change: Modifies a route
*Delete: Deletes a route
Five basic options for configuring RRAS
*Remote access (dial-up or VPN): Sets up the server to accept incoming remote access connections
*Network Address Translation (NAT): Sets up the server to provide NAT services to clients on the network that need to access the internet
*VPN access and NAT: Sets up the server to support incoming VPN connections and to provide NAT services
*Secure connection between two private networks: Demand-dial or persistent connection between two private networks
*Custom configuration: Enables you to choose the services: NAT, LAN routing, and VPN access
Microsoft includes RRAS (Routing and Remote Access Service), which provides:
*A VPN gateway that clients can use to connect to an organization's network over the internet
*The ability to connect two networks using a VPN
*A dial-up remote access server, which enables users to connect to a private network using a modem
*NAT, which enables multiple users to share one public IP address
*Routing functionality
*Basic firewall functionality ((dis)allowing packets based on source/destination addresses)
Secure Socket Tunneling Protocol (SSTP)
*Windows Vista SP1 and later, and Server 2008 and later
*Works with IPv4 and IPv6 networks
*Remote access VPN that can traverse NAT, firewalls, and web proxies
*PPP for user authentication, and RC4/AES for data confidentiality
An improvement on the PPTP and L2TP/IPsec VPN tunneling protocols: it sends PPP or L2TP traffic through a Secure Sockets Layer (SSL) 3.0 channel. Uses SSL over TCP port 443 to relay traffic, so it works in network environments in which other VPN protocols might be blocked by firewalls, NAT devices, and web proxies. Uses a 2,048-bit certificate for authentication and implements stronger encryption, which makes it the MOST secure protocol. If you need a VPN behind a firewall that allows only HTTPS, SSTP is your only option.
Which option should be used with the route command when creating a static route to ensure the route is still available after the computer is rebooted?
-p
Challenge Handshake Authentication Protocol (CHAP)
Based on challenge-response authentication that uses the industry-standard MD5 hashing scheme to hash the response. CHAP was an industry standard for years and is still quite popular.
CHAPTER 7
CHAPTER 7 End of Chapter Questions
CHAPTER 8
Which of the following is needed for IPAM to manage DNS and DHCP servers in another forest?
A two-way trust relationship
Routing metric
A value calculated by a routing algorithm to determine the optimal route for sending network traffic.
Extensible Authentication Protocol (EAP)
A universal authentication framework that allows third-party vendors to develop custom authentication schemes (retinal, voice, fingerprint, cards, Kerberos, and digital certificates). It also provides a mutual authentication method that supports password-based user or computer authentication. Often combined with MS-CHAPv2 (EAP-MS-CHAPv2 or MS-CHAPv2 is best).
By default RRAS allows how many ports for each VPN protocol type?
128
Largest number of hops supported by RIP?
15
DirectAccess
A feature introduced in Windows 7 and Server 2008 R2 that provides seamless intranet connectivity to DirectAccess client computers when they are connected to the internet. The connection is established automatically and provides always-on, bidirectional, seamless connectivity using IPsec and IPv6. Not usable on anything earlier than Vista or Server 2008 (non-R2). The client must be joined to an Active Directory domain. Requires internal and external DNS (two external DNS A records, one for the DA server and one for the Certificate Revocation List (CRL), both of which point to the first of your two consecutive IPs). You need a PKI, which requires AD CS (a CA).
Role-Based Access Control (RBAC)
A method of granting access to computer or network resources based on the roles of individual users in an organization.
Having VPN traffic go through a Default Gateway helps because:
All traffic also goes through firewalls and proxy servers, which helps prevent the network from being infected or compromised.
Remote access (dial-up or VPN)
Allows clients to connect to this server through a secure virtual private network connection
IPAM DHCP Administrator
Completely manages DHCP servers
IPAM DNS Administrator
Completely manages the DNS server.
Site-to-site VPN connection
Connects two private networks. To control who can connect to the VPN server, the calling server or router must authenticate itself to the answering server or router. To ensure that the calling server or router is talking to the correct VPN server, the remote server must also authenticate itself to the caller (mutual authentication).
Internet Key Exchange v2 (IKEv2)
Consists of three protocols: IPsec tunnel mode, Encapsulating Security Payload (ESP), and IKEv2 Mobility and Multihoming (MOBIKE).
*IKEv2: Key negotiation
*ESP: Securing the packet transmissions
*MOBIKE: Switching tunnel endpoints; ensures that if a break occurs in connectivity, the user can continue without restarting the connection, so the connection is resilient. Will not drop the VPN tunnel upon lost connection; it will stay up for 30 minutes by default
*Designed for remote access VPN
*Works over IPv4 and IPv6, and traverses NAT
*3DES and AES for data confidentiality
Supported on Windows 7, Server 2008, and later OS
Chapter 8 End of Chapter Questions
Chapter 9 End of Chapter Questions
Remote Access Server (RAS)
Enables users to connect remotely to a network using various protocols and connection types. (i.e. connecting to their organization's network so that they can access data files, read email, and use other applications as if they were at work.)
Encapsulation
Encapsulates (places) private data in a packet with a header containing routing information that allows the data to traverse the transit network, such as the internet.
Protected Extensible Authentication Protocol (PEAP)
Encapsulates the EAP with an encrypted and authenticated Transport Layer Security (TLS) tunnel.
Data encryption
Ensures data remains private by encrypting it prior to transmission, preventing unauthorized users from accessing it.
To view IP routing tables using RRAS:
Expand the server node, then the IPv4/IPv6 node, right-click the Static Routes node, and choose Show IP Routing Table.
Which metric is used by RIP to determine the optimal route?
Hops
Which VPN Protocol should be used to use VPN reconnect?
IKEv2
In Server Manager, in which of the following locations is a DHCP policy configured?
IPAM > Monitor and Manage > DHCP Scopes
IPAM MSM Administrator
IPAM User privileges and can perform IPAM Multi-server management (MSM) tasks and server management tasks.
IPAM ASM Administrators
IPAM User privileges and can perform common IPAM address space management (ASM) tasks and IP address space tasks.
Which of the following is the minimal role that is needed to view IP address space without seeing IP address tracking information?
IPAM Users
DirectAccess Relies on which of the following?
IPv6
RIP v2
An improved RIP that uses multicasts to send the entire routing table to all adjacent routers at the address 224.0.0.0 instead of using broadcasts. Uses classless routing, which includes the network mask to allow classless routing advertisements. Also uses authentication to ensure that routes being distributed are authorized.
VPN Error 721: Remote computer is not responding
For whatever reason, GRE traffic (part of PPTP) is not getting to the VPN server. Check that the standard PPTP ports are open on all relevant firewalls, including host firewalls (on the client and server).
VPN Error 800: VPN Server is unreachable
For whatever reason, the PPTP, L2TP, SSTP, or IKEv2 packets cannot get to the VPN server. Verify that the appropriate ports are open on all relevant firewalls, including host firewalls (on the client and server).
Routing Table
A data table stored in a router or networked computer that lists the routes to particular network destinations and the metrics (distances) associated with those routes. (Built dynamically with routing protocols such as RIP)
Network Connectivity Assistant (NCA)
Determines if the client computer is connected to the corporate intranet or the internet. Also provides tools to help reconnect if problems occur, and can provide diagnostics used by the help desk.
Technology used to automatically connect to the company network whenever internet access is available
DirectAccess
Split tunnel
Disabling the "Use default gateway on remote network" option, so that you route your internet browsing through your home internet connection rather than through the corporate network.
Which protocol should be used to start using smart cards with the VPN?
EAP
IPAM DHCP Reservations Administrator
Manages DHCP reservations
IPAM DHCP Scope Administrator
Manages DHCP scopes.
DNS Record Administrator
Manages DNS resource records
IP Address Record Administrator
Manages IP addresses but not IP address spaces, ranges, blocks, or subnets
Static routes
A manually created route in the routing table (defined using RRAS or the route command)
Computer-level authentication that uses IKE to exchange either computer certificates or a pre-shared key
Microsoft recommends using computer-certificate authentication because it is a much stronger authentication method. Computer-level authentication is performed only for L2TP/IPsec connections.
Routers
Operate at OSI Layer 3 (Network Layer); join subnets together to form larger networks and join networks together over extended distances or WANs.
Layer 3 switch
Performs Layer 2 switching but can also perform routing based on IP addresses within an organization. CANNOT be used for directly connecting WAN connections.
Which of the following should be used to enable NAT?
Routing and Remote Access Service (RRAS)
Which of the following can be found in RRAS?
Routing, RIP, and NAT
Which VPN should be used when only HTTPS is allowed through the firewall?
SSTP
Which tab in the RIP properties dialog box can be used to prevent routes being received from a router located on 10.10.10.10?
Security
Instead of using the DNS Manager console, which of the following tools can be used to create a DHCP scope?
Server Manager IPAM
Two-way Trust
Trust that goes in both directions (A->B & B->A). Users in each domain can access resources in each other's domain.
Easiest way to set up a VPN client on a computer for a user?
Use CMAK to create an executable to install
Name Location Server (NLS)
Used by DirectAccess clients to determine their location. If a client computer can securely connect to a network location server using HTTPS, the computer assumes it is on the intranet, and DirectAccess policies are not enforced. If the NLS cannot be reached, the client assumes it is on the Internet.
Layer 2 switches
Used to connect a host to a network by performing packet switching that allows traffic to be sent only where it needs to be based on mapping MAC addresses of local devices.
Which of the following is the main advantage of using DirectAccess over VPN connections?
Users don't have to manually connect to the network
RIP
Uses hop count (the number of routers traversed) to determine the distance or cost between networks. Max is 15.
Password Authentication Protocol (PAP)
Uses plaintext (unencrypted) passwords. PAP is the least secure authentication protocol and is not recommended.
An early method of connecting to an organization's network?
Using an analog phone line or ISDN line with a modem. Since this is a direct connection it does not typically require encryption. However, by today's standards it does not have the bandwidth needed and is not used often today.
User-level authentication by using PPP authentication
Usually a username and password. With a VPN connection, the VPN server authenticates the VPN client when it attempts the connection, using a PPP user-level authentication method that verifies the VPN client has the appropriate authorization. If mutual authentication is used, the VPN client also authenticates the VPN server. By using mutual authentication, the client is assured that it does not communicate with a rogue server masquerading as a VPN server.
Data integrity
Verifies that the data sent over the VPN connections has not been modified. Typically done by using a cryptographic checksum that is based on an encryption key known only to the sender and receiver.
IPAM Administrators
View all IPAM data and perform all IPAM tasks.
IPAM Users
View server discovery, IP address space, and server management info. Members can also view IPAM and DHCP server operational events, but not IP address tracking info.
Routing
The process of selecting paths in a network where data will be sent. Required to send traffic from one subnet to another within an organization, or from one organization to another.
Which command can be used to create a static route on a server running Windows Server 2016?
route
VPNs
Link two computers or network devices through a wide area network (WAN). Data is encapsulated and encrypted.
Which of the following is used to translate between private addresses and public addresses?
NAT
IPsec VPN server behind a NAT device
Need to configure the Windows clients to use Network Address Translation-Traversal (NAT-T)
Remote Access role
Needed before you can use RRAS
Least secure auth protocol?
PAP
When using VPNs, Windows 10 and Server 2016 support the following:
PAP, CHAP, MS-CHAPv2, EAP, and PEAP
PPTP ports/ID
TCP 1723 IP protocol ID 47
Name Resolution Policy Table (NRPT)
A table used to determine the behavior of DNS clients when issuing queries and processing responses, so that internal resources are not exposed to the public via the Internet and so that non-DirectAccess Internet traffic is separated from DirectAccess traffic. Managed using Group Policy, specifically Computer Configuration\Policies\Windows Settings\Name Resolution Policy. Contains the settings used by the DNS client on the computer that determine what happens to DNS queries.
Layer 2 Tunneling Protocol (L2TP) with IPsec
*Windows XP and later, and Server 2003 and later
*Remote access and site-to-site VPNs
*IPv4 and IPv6, supports NAT
Requires that computers mutually authenticate themselves to each other. L2TP provides tunneling, while IPsec provides security (data confidentiality, data integrity, and data authentication; it also encrypts the PPP packets). An industry standard for setting up secure tunnels; supports pre-shared keys (passwords), digital certificates, or Kerberos. Digital certificates are stored in a format that cannot be modified, offer a more secure option, and are issued by certification authorities that you trust. Kerberos is the native authentication protocol for Windows Server 2003 and later and provides the easiest way to secure VPN connections in a domain-based environment (it can only be used when both computers involved in the tunnel are in the same forest). L2TP messages are encrypted with either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES, 168-bit key) using keys that the IKE negotiation process generates.
Connection Manager (CM)
Client network connection tool that helps admins simplify the management of their remote connections. Uses profiles that consist of settings that allow connections from the local computer to a remote network.
Which of the following allows split tunneling?
Open Advanced TCP/IP Settings and deselect "Use default gateway on remote network"
Authentication
Proves the identity of the user or computer that tries to connect.
RADIUS server
Provides authentication, authorization, and accounting for the remote access clients
Microsoft CHAP version 2 (MS-CHAP v2)
Provides two-way (mutual) authentication. MS-CHAP v2 provides stronger security than CHAP. It is the only authentication protocol that Windows Server 2016 provides that allows you to change an expired password during the connection process.
Trusts
Relationships between domains or forests that enable a user to be authenticated by domain controllers from another domain. (Authenticates users via Kerberos v5 (default) or NT LAN Manager (NTLM))
Which Windows Server 2016 services and applications offer IPv6 support?
Remote Access supports IPv6 routing and advertising, and the DHCP Server role can allocate IPv6 addresses.
Border Gateway Protocol (BGP)
A standardized exterior gateway protocol that exchanges routing and reachability information among autonomous systems (AS) between edge routers on the internet. BGP routing within a single AS is "internal" BGP. Uses TCP as its transport protocol.
0x80092013: The revocation function was unable to check revocation because the revocation server was offline
The client is failing the certificate revocation check. Ensure the CRL servers on the server side are reachable from the internet.
VPN Error 741 or 742: Encryption mismatch error
These errors occur if the VPN client requests an invalid encryption level or the VPN server doesn't support the encryption type that the client requests. Check the VPN connection properties (Security tab) to verify that the proper encryption is selected. If you are using NPS, check the encryption level in the network policy in the NPS console, or check the policies on other RADIUS servers. Finally, check the server to verify that the correct encryption level is enabled.
L2TP w/ IPsec ports and ID
UDP 500, 1701, & 4500 IP Protocol 50
Point-to-Point Tunneling Protocol (PPTP)
Has widespread support in nearly all versions of Windows. A VPN protocol based on the legacy PPP used with modems. Uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of PPP frames can be encrypted, compressed, or both. The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) using RC4 (128-bit key), with encryption keys generated by the MS-CHAPv2 or EAP-TLS authentication process. PPTP is easy to set up but has weak encryption: it provides confidentiality but does not offer data integrity or data origin authentication. Supported by Windows XP and later, and Windows Server 2003 and later. Typically used for remote access and site-to-site VPNs, works with IPv4, and supports NAT.
