MOAC 70-741 Chapters 7-9
BGP is enabled by using PowerShell cmdlets?
"add or GET"
Which option should be used with the Route command when creating a static route that will ensure the route is still available if the computer is rebooted?
-p
To make routes persistent (still available after the server is rebooted), you must also use the ___ switch.
-p
The private NAT address ranges are?
10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
The maximum number of hops allowed for RIP is?
15
Which of the following is the largest number of hops supported by RIP?
15
The hop count of ___ is considered an infinite distance and therefore it is considered unreachable
16
CM supports different features in a profile depending on the operating system running on the client computer. You must create a connection profile on a computer that uses the same architecture (____) as the clients on which you will install the profile.
32-bit or 64-bit
Which of the following is needed for IPAM to manage DNS and DHCP servers in another forest?
A two-way trust relationship
Microsoft recommends using computer-certificate authentication because it is a much stronger authentication method. Computer-level authentication is performed only for L2TP/IPsec connections.
Computer-level authentication that uses IKE to exchange either computer certificates or a pre-shared key
A corporation has a main office and 12 branch offices. The users and computers are within a single domain. All servers are Windows Server 2008 R2 and Windows Server 2012. All data must be encrypted by using end-to-end encryption. In addition, instead of using user names and passwords, computer-level authentication should be used. Which of the following is the recommended course of action?
Configure L2TP with IPsec and EAP-TLS authentication.
A client network connection tool that helps administrators simplify the management of their remote connections. CM uses profiles that consist of settings that allow connections from the local computer to a remote network
Connection Manager (CM)
Used to create and customize the profiles for CM and to distribute them to users. The profile, once completed, contains all the settings necessary for the user to connect, including the IP address of the VPN server.
Connection Manager Administration Kit (CMAK)
In Windows Server 2016, which of the following are methods to create DNS resource records? (Choose all that apply.)
DNS Manager console, Windows PowerShell, Server Manager IPAM
manages DNS resource records
DNS record administrator
You can open Server Manager > IPAM > MONITOR AND MANAGE > DNS and DHCP Servers to manage what?
DNS and DHCP server properties
The IPAM console provides these roles:
DNS record administrator, IP address record administrator, IPAM administrator, IPAM ASM administrator, IPAM DHCP administrator, IPAM DHCP reservation administrator, IPAM DHCP scope administrator, IPAM DNS administrator, IPAM MSM administrator
This view displays all the forward lookup and reverse lookup zones on all DNS servers that IPAM is currently managing.
DNS zone monitoring
Verifies that the data sent over the VPN connection has not been modified in transit. This is usually done by using a cryptographic checksum that is based on an encryption key known only to the sender and receiver.
Data integrity
When establishing a VPN connection, which of the following verifies that data has not been modified while in transit?
Data integrity
A ______ connection to a target intranet resource is initiated when the DirectAccess client connects to the DirectAccess server through IPv6. IPsec is then negotiated between the client and server. A connection is then established between the client and the target resource.
DirectAccess
Compared with other forms of remote access, _____ is more complex and has more required components.
DirectAccess
Provides seamless intranet connectivity to DirectAccess client computers when they are connected to the Internet
DirectAccess
Which of the following technologies is used to automatically connect to the company network whenever Internet access is available?
DirectAccess
connections are automatically established and they provide always-on seamless connectivity.
DirectAccess
Overcomes the limitations of VPNs by automatically establishing a bidirectional connection from client computers to the organization's network using IPsec and IPv6.
DirectAccess
You can use transition mechanisms such as 6to4 and Teredo for connectivity across the IPv4 Internet, and the ISATAP IPv6 transition technology, so _____ clients can access IPv6-capable resources across your IPv4-only intranet.
DirectAccess
Which tool is available in Windows 7 that allows the diagnosis of DirectAccess connections?
DirectAccess Connectivity Assistant (DCA)
Which authentication protocol should be used to start using smart cards with the VPN?
EAP
This network topology connects to the edge or DMZ with the firewall, where firewall software is deployed on the edge computer. The edge computer must have two network adapters: one that connects to the internal network and the other to the Internet.
Edge
When installing and configuring DirectAccess, which of the following topologies should be configured to place the server running Windows Server 2016 connected directly to the Internet?
Edge
Which metric is used by RIP to determine the optimal route?
Hops
Which VPN protocol should be used to use VPN Reconnect?
IKEv2
Automatically establishes a VPN connection when Internet connectivity is available. Only Windows 7, Windows Server 2008 R2 and later support VPN Reconnect.
IKEv2
Manages IP addresses but not IP address spaces, ranges, blocks or subnets.
IP address record administrator
Can monitor DHCP and DNS servers from any physical location in the organization, as well as simultaneously manage multiple DHCP servers or scopes that exist among multiple DHCP servers.
IPAM
With Windows Server 2016, _____ can manage resources in its current Active Directory forest as well as in remote Active Directory forests.
IPAM
You can use ___ to view and check the status and health of selected sets of Windows Server DNS and DHCP servers from a single console and display recent configuration events
IPAM
You can use ____ to audit address utilization, policy compliance, and other information based on the type of servers IPAM is managing.
IPAM
In Server Manager, in which of the following locations is a DHCP policy configured?
IPAM > MONITOR AND MANAGE > DHCP Scopes
Members of this group have IPAM Users privileges and can perform common IPAM address space management (ASM) tasks and IP address space tasks.
IPAM ASM administrator
Possess IPAM Users privileges and can perform common IPAM address space management (ASM) tasks and IP address space tasks.
IPAM ASM administrator
completely manages DHCP servers
IPAM DHCP administrator
manages DHCP reservations
IPAM DHCP reservations administrator
manages DHCP scopes
IPAM DHCP scope administrator
completely manages the DNS server
IPAM DNS administrator
Members of this group have IPAM Users privileges, can perform common IPAM management tasks, and can view IP address tracking information.
IPAM IP Audit administrator
Possess IPAM Users privileges and can perform common IPAM multi-server management (MSM) tasks and server management tasks.
IPAM MSM administrator
Members of this group have IPAM Users privileges and can perform common IPAM multi-server management (MSM) tasks and server management tasks.
IPAM MSM administrators
Which of the following is the minimal role that is needed to view IP address space without seeing IP address tracking information?
IPAM Users
members of this group have the privileges to view all IPAM data and perform all IPAM tasks
IPAM administrator
possesses the privileges to view all IPAM data and perform all IPAM tasks
IPAM administrator
users who are members of this group can view server discovery, IP address space, and server management information. Group members can also view IPAM and DHCP server operational events but they cannot view IP address tracking information
IPAM users
DirectAccess relies on which of the following?
IPv6
Before installing DirectAccess you need?
IPv6 and any IPv6 transition technologies in place, a certificate server, and external and internal DNS entries.
When configuring DirectAccess on Server1, which step needs to be performed to ensure that Server1 can initiate connections to DirectAccess client computers?
Infrastructure Servers
Consists of three protocols: IPsec tunnel mode, Encapsulating Security Payload (ESP), and IKEv2 Mobility and Multihoming (MOBIKE)
Internet Key Exchange v2 (IKEv2)
IPsec uses IKEv2 for key negotiation, ESP for securing the packet transmissions, and MOBIKE for switching tunnel endpoints.
Internet Key Exchange v2 (IKEv2)
Designed for remote access VPNs, it works well over IPv4 and IPv6 networks and traverses NAT. It also supports user or machine authentication via IKEv2 and uses 3DES and AES for data confidentiality.
Internet Key Exchange v2 (IKEv2)
_____ can be used only when both computers involved in the L2TP tunnel are in the same forest.
Kerberos
Is the domain controllers' default protocol for trusts.
Kerberos v5
Requires that the computers mutually authenticate themselves to each other. The computer-to-computer authentication takes place before the user is authenticated. L2TP provides the tunneling while IPsec provides the security.
Layer 2 Tunneling Protocol (L2TP) with IPsec
VPN connections provide data confidentiality, data integrity and data authentication
Layer 2 Tunneling Protocol (L2TP) with IPsec
Is supported by Windows client operating systems (Windows XP or later) and Windows Server 2003 or later.
Layer 2 Tunneling Protocol (L2TP) with IPsec
Is the industry standard when setting up secure tunnels; Kerberos is the native authentication protocol.
Layer 2 Tunneling Protocol (L2TP) with IPsec
Typically used for remote access and site-to-site VPNs over IPv4 and IPv6, and supports NAT.
Layer 2 Tunneling Protocol (L2TP) with IPsec
Uses UDP ports 500, 1701 and 4500, and uses IPsec for machine authentication.
Layer 2 Tunneling Protocol (L2TP) with IPsec
Ensures that if a break occurs in connectivity, the user can continue without restarting the connection.
MOBIKE
you can encrypt data with PPTP only if you use _____ and _____ as the authentication protocols.
MS-CHAPv2 and EAP-TLS
Provides two-way authentication (mutual authentication).
Microsoft CHAP version 2 (MS-CHAP v2)
Which of the following is used to translate between private addresses and public addresses?
NAT
enables a local area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.
NAT
Which table is used to determine the behavior of the DNS clients when determining the address of internal resources?
NRPT
Determines whether the client computer is connected to the corporate intranet or the Internet.
Network Connectivity Assistant (NCA)
Which tool is available in Windows 8 that allows the diagnosis of DirectAccess connections?
Network Connectivity Assistant (NCA)
Which server is used to determine if the server is connected to the intranet or the Internet?
Network Location Server
A DirectAccess client uses a _____ to determine its location
Network Location Server (NLS)
It allows multiple computers on a network to connect to the Internet through a single IP address.
Network address translation (NAT)
used with masquerading to hide an entire address space behind a single IP address.
Network address translation (NAT)
Which of the following allows split tunneling?
Open Advanced TCP/IP Settings and deselect Use default gateway on remote network.
Which authentication protocol is the least secure and, therefore, should not be used?
PAP
Typically used for remote access and site-to-site VPNs with IPv4; NAT is supported via PPTP-enabled NAT routers.
Point-to-Point Tunneling Protocol (PPTP)
uses PPP for user authentication and RC4 for data confidentiality
Point-to-Point Tunneling Protocol (PPTP)
These types of tunneling protocols are used with a VPN/RAS server running Windows Server 2016:
Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP) with Internet Protocol Security (IPsec); Internet Key Exchange v2 (IKEv2); Secure Socket Tunneling Protocol (SSTP)
Which of the following should be used to manage BGP on Windows Server 2016?
PowerShell cmdlets
SSTP is enabled on a server called Server1. When a user tries to log on, he receives an error: Error 0x80092013: The revocation function is unable to check revocation because the revocation server was offline. The certificate looks fine. Which of the following actions should be taken to overcome this problem?
Publish the CRL distribution point to a site that is available over the Internet.
has been a popular distance-vector routing protocol for small organizations.
RIP
uses broadcast where the entire routing table is sent to the other routers within the network.
RIP
Which of the following can be found in RRAS? (Choose all that apply.)
RIP, NAT, OSPF
RIP was improved with ______ by using multicasts to send the entire routing table to all adjacent routers at the address of 224.0.0.9 instead of using broadcast
RIP version 2 (RIPv2)
After you install RAS you need to enable the server and configure?
RRAS
Microsoft Windows supports the Routing Information Protocol (RIP) through this?
RRAS
you will use ____ to configure RIP or define static routes
RRAS
Which Windows Server 2016 services and applications offer IPv6 support?
Remote Access supports IPv6 routing and advertising, and the DHCP Server role can allocate IPv6 addresses.
Which of the following statements describes the most effective reason for deploying DirectAccess connectivity for remote users?
Remote users' computers can be easily managed and kept up to date.
Which two steps need to be performed on the DNS server so that it can support DirectAccess?
Remove ISATAP from the DNS global query block list. Add a record for the NLS server.
A method of granting access to computer or network resources based on the roles of individual users within an organization. Access allows an individual user to perform specific tasks, such as read or create a file, and open a database.
Role-Based Access Control (RBAC)
Which of the following should be used to enable NAT?
Routing and Remote Access Service (RRAS)
A client configured for DirectAccess is connected to the Internet from home. Which of the following allows you, as the administrator, to verify whether the client can resolve the DirectAccess server called server1.contoso.com?
Run the ping server1.contoso.com command.
As an administrator for an organization, you want to make a server running Windows Server 2016 into a VPN server. However, the networking team allows only HTTPS through the firewall. Which VPN protocol should be used?
SSTP
Improves on the PPTP and L2TP/IPsec VPN tunneling protocols; works by sending PPP or L2TP traffic through a Secure Sockets Layer (SSL) 3.0 channel.
Secure Socket Tunneling Protocol (SSTP)
Designed for remote access VPNs; works over IPv4 and IPv6 networks and traverses NAT, firewalls and web proxies.
Secure Socket Tunneling Protocol (SSTP)
If you need to use a VPN connection behind a firewall that allows only HTTPS, _____ is your only option.
Secure Socket Tunneling Protocol (SSTP)
is the most secure VPN protocol
Secure Socket Tunneling Protocol (SSTP)
Supported by Windows Vista SP1 and later, and Windows Server 2008 and later.
Secure Socket Tunneling Protocol (SSTP)
Uses SSL and TCP port 443 to relay traffic. TCP port 443 will work in network environments in which other VPN protocols might be blocked when traversing firewalls, NAT devices and web devices.
Secure Socket Tunneling Protocol (SSTP)
uses a generic port that firewalls rarely block. Uses PPP for user authentication and RC4/AES for data confidentiality
Secure Socket Tunneling Protocol (SSTP)
Which tab in the RIP properties dialog box can be used to prevent routes being received from a router located on 10.10.10.10?
Security
Instead of using the DNS Manager console, which of the following tools can be used to create a DHCP scope?
Server Manager IPAM
Which option should be used to make sure that a user can dial in using only her home phone?
Set By Caller
Which one of the Remote Access Management interfaces provides the most control?
The Remote Access Setup Wizard
Which of the following describes why DirectAccess needs certificates?
To support IPsec
Are relationships between domains or forests that enable a user to be authenticated by domain controllers from another domain.
Trust
Which of the following is the easiest way to set up a VPN client on a computer for a nontechnical user?
Use CMAK to create an executable to install.
User-level authentication is usually a user name and password. With a VPN connection, if the VPN server authenticates, the VPN client attempts the connection using a PPP user-level authentication method and verifies that the VPN client has the appropriate authorization. If the method uses mutual authentication, the VPN client also authenticates the VPN server. By using mutual authentication, clients are ensured that the client does not communicate with a rogue server masquerading as a VPN server.
User-level authentication by using Point-to-Point Protocol (PPP) authentication
Authentication for VPN connections takes these two forms:
User-level authentication by using Point-to-Point Protocol (PPP) authentication; computer-level authentication that uses IKE to exchange either computer certificates or a pre-shared key
Which of the following is the main advantage of using DirectAccess over VPN connections?
Users don't have to manually connect to the remote network.
Designed to provide users with consistent VPN connectivity; automatically re-establishes a VPN when users temporarily lose their Internet connection.
VPN reconnect (IKEv2)
in most situations using ______ should provide you the best option for security and uninterrupted VPN connectivity.
VPN reconnect (IKEv2)
link two computers or network devices through a wide area network (WAN) such as the Internet. Because the Internet is a public network and is considered insecure, the data sent between the two computers or devices is encapsulated and encrypted.
Virtual private networks (VPNs)
functions as a software-based router that can be used for lightly trafficked subnets on a small network.
Windows Server 2016
VPNs can be used in the following scenarios:
A client connects to the RAS to access internal resources from off site; two remote sites connect to each other by creating a VPN tunnel between RAS servers located at each site; two different organizations create a VPN tunnel so users from one organization can privately access the resources in the other organization
Allows you to configure your end-to-end authentication and security for the DirectAccess components. It also allows you to provide secure connections with individual servers that you want to establish secure connections with.
application servers
Proves the identity of the user or computer that tries to connect.
authentication
RIPv2 uses ____ to ensure that routes being distributed throughout the network are coming from authorized sources
authentication
A DirectAccess server cannot
be a domain controller.
This network topology uses the edge device as a firewall solution, where the DirectAccess server has one network adapter connected to the internal network.
behind the firewall with one network adapter
This network topology uses the edge device as a firewall solution; in this scenario the DirectAccess server is located in a perimeter network behind the edge device.
behind the firewall with two network adapters
Is a standardized exterior gateway protocol that exchanges routing and reachability information among autonomous systems (AS) between edge routers on the Internet.
Border Gateway Protocol (BGP)
Is unique in using TCP as its transport protocol.
Border Gateway Protocol (BGP)
Provides scalability, which allows the joining of a number of large AS areas, and allows for multihoming, which can provide redundancy.
Border Gateway Protocol (BGP)
To create a forest trust?
Both domains of the trust must be the forest root domain and have a forest functional level of Windows Server 2003 or higher.
Based on a challenge-response authentication that uses the industry standard MD5 hashing scheme to encrypt the response.
Challenge Handshake Authentication Protocol (CHAP)
PPTP provides ______, meaning that it prevents the data from being viewed, but does not provide data _____ (proof that the data was not modified in transit) or data origin authentication.
confidentiality and integrity
By connecting to the RAS over the Internet, a user will be able to?
Connect to their organization's network so that they can access data files, read email, and access other applications just as if they were sitting at work.
is the easiest and quickest for the user to install
Connection Manager Administration Kit (CMAK)
Enables you to choose individual services, including NAT, LAN routing and VPN access.
custom configuration
Ensures data remains private by encrypting it prior to transmission, preventing unauthorized users from accessing it. When it is received, the intended recipient decrypts it. The encryption and decryption depend on the sender and receiver: both must have a common or related encryption key; larger keys offer better security.
data encryption
DirectAccess should be deployed in one of these network topologies:
Edge; behind the firewall with two network adapters; behind the firewall with one network adapter
From the IPAM console you can perform the following:
Edit DHCP server properties; edit DHCP server options; create DHCP scopes; configure predefined options and values; configure the user class across multiple servers simultaneously; create and edit new and existing user classes across multiple servers simultaneously; configure the vendor class across multiple servers simultaneously; start the management console for a selected DHCP server; retrieve server data from multiple servers
Encapsulates or places private data in a packet with a header containing routing information that allows the data to traverse the transit network such as the Internet.
encapsulation
A universal authentication framework that allows third-party vendors to develop custom authentication schemes, including retinal scans, voice recognition, fingerprint identifications, smart cards, Kerberos, and digital certificates.
Extensible Authentication Protocol (EAP)
If you want to use smart cards for remote connections, you must use
Extensible Authentication Protocol (EAP)
For more complex networks with heavy network traffic, you should use a ___, which provides more reliability and improved network performance.
hardware-based router
To determine the distance or cost between networks, RIP uses the metric of ______, which is the count of routers.
hop count
is the count of routers
hop count
Allows you to configure how the clients access the core infrastructure services, such as Active Directory domain controllers and DNS servers. You also specify an internal web server that can provide location services for infrastructure components to your DirectAccess clients.
infrastructure servers
Traffic that is routed within a single network AS is referred to as?
internal BGP
Domain controllers authenticate users via either _____ or ______?
Kerberos v5 or NT LAN Manager (NTLM)
Operate at layer 2 of the OSI model and are used to connect a host to a network by performing packet switching, which allows traffic to be sent only to where it needs to be sent, based on mapping the MAC addresses of local devices.
layer 2 switches
Can perform layer 2 switching but can also perform routing based on IP addresses within an organization.
layer 3 switches
The Remote Access Logging tab's logging levels include:
Log errors only; log errors and warnings; log all events; do not log any events
The PPP frame is encrypted with ?
Microsoft Point-to-Point Encryption (MPPE) with RC4 (128-bit key)
Contains the settings used by the DNS client on the computer that determine what happens to DNS queries.
Name Resolution Policy Table (NRPT)
sets up the server to provide NAT services to clients on the private network that need to access the internet
network address translation (NAT)
the DirectAccess server must have at least __ network adapter connected to the domain network.
one
When selecting an appropriate VPN protocol, you need to consider the?
operating system, authentication requirements and limitations
Uses plaintext (unencrypted passwords). PAP is the least secure authentication and is not recommended.
Password Authentication Protocol (PAP)
A VPN protocol based on the legacy Point-to-Point (PPP) protocol used with modems. Has widespread support with nearly all versions of Windows.
Point-to-Point Tunneling Protocol (PPTP)
Uses TCP port 1723 and IP protocol ID 47.
Point-to-Point Tunneling Protocol (PPTP)
Uses a Transmission Control Protocol (TCP) connection for tunnel management and a modified version of Generic Route Encapsulation (GRE) to encapsulate PPP frames for tunneled data.
Point-to-Point Tunneling Protocol (PPTP)
Encapsulates the EAP with an encrypted and authenticated Transport Layer Security (TLS) tunnel.
Protected Extensible Authentication Protocol (PEAP)
A NAT computer or device is usually a router or proxy server; as a result, you can?
Provide a type of firewall by hiding internal IP addresses; enable multiple internal computers to share a single external public IP address
sets up the server to accept incoming remote access connections (dial-up or VPN)
remote access (dial-up or VPN)
The RRAS wizard offers these five options:
Remote access (dial-up or VPN); network address translation (NAT); virtual private network (VPN) access and NAT; secure connection between two private networks; custom configuration
To configure DirectAccess itself, use
Remote Access Management console
Configures the network connections based on one or two network cards and which adapters are internal and which adapters are external. You can also specify the use of smart cards and specify the certificate authority (CA) to use for DirectAccess to provide secure communications.
remote access server
enables users to connect remotely to a network using various protocols and connection types.
remote access server (RAS)
Allows you to specify which clients within your organization can use DirectAccess. You specify the computer groups that you want to include and specify if you want to include Windows 7 clients.
remote clients
Which command can be used to create a static route on a server running Windows Server 2016?
route
to view or configure the routing table from the command line use
route.exe
Join subnets together to form larger networks, and join networks together over extended distances or WANs. They can also connect dissimilar LANs, such as an Ethernet LAN to a Fiber Distributed Data Interface (FDDI) network.
routers
Operate at the OSI reference model layer 3, the network layer; therefore they are sometimes referred to as layer 3 devices.
routers
The process of selecting paths in a network where data will be sent.
routing
is required to send traffic from one subnet to another within an organization, and it is required to send traffic from one organization to another.
routing
Is a unit calculated by a routing algorithm to determine the optimal route for sending network traffic.
routing metric
Is a data table stored in a router or networked computer that lists the routes to particular network destinations and the metrics or distances associated with those routes.
routing table
sets up a demand-dial or persistent connection between two private networks
secure connection between two private networks
requires the most knowledge for the user who is creating the connection because the user must specify all necessary options
Set Up a Connection or Network wizard
When you create a connection using the ____, you are manually creating a VPN connection that will allow you to connect to a VPN server. This method gives you more control of the VPN options.
Set Up a Connection or Network wizard
Allows routed connections to the remote site or network while helping to maintain secure communications over the Internet.
Site-to-site VPN connection
Can be used to connect branch offices to an organization's primary site, or to connect one organization to the network of another organization.
Site-to-site VPN connection
Connects two private networks.
Site-to-site VPN connection
When networks are connected over the Internet, a VPN-enabled router forwards packets to another VPN-enabled router across a VPN connection.
Site-to-site VPN connection
If you want to route your Internet browsing through your home Internet connection rather than through the corporate network, you can disable the "Use default gateway on remote network" option. Disabling this option is called using a?
split tunnel
A NAT device or proxy server uses ______ translation tables to map the "hidden" addresses into a single address and then rewrites the outgoing IP packets on exit so that they appear to originate from the router.
stateful
The routing tables are manually created with _____ or are dynamically created with routing protocols such as Routing Information Protocol (RIP), based on the current routing topology.
static routes
are best suited for small, single paths that don't change much.
static-routed IP
When selecting the appropriate VPN protocol to use, consider the following:
The operating system you will be using; the client's need, and ability, to traverse firewalls, NAT devices and web proxies; authentication requirements for computers as well as users; implementations such as a site-to-site VPN or a remote access VPN
To use DirectAccess,
the server must be part of an Active Directory domain.
True or False: as WAN traffic travels multiple routes, the router chooses the fastest or cheapest route between the source and destination, while sometimes taking the current load into consideration.
true
is a trust that goes in both directions.
Two-way trust
To manage remote DNS and DHCP servers, you need to have a?
Two-way trust with the forest where IPAM is installed.
With IPAM you can do the following:
View DNS servers and zones; create new zones; open the DNS console; create DNS records; manage conditional forwarders
sets up the server to support incoming VPN connections and to provide NAT services
virtual private network (VPN) access and NAT
Turning off ____ will disable DirectAccess.
Windows Firewall
Operating systems the CMAK wizard can be run on?
Windows Vista and above, Windows Server 2003, Windows XP or Windows 2000