
MCSA
Windows Server® 2016

Complete Study Guide Exam 70-742

Wiley Logo

William Panek











This book is dedicated to the three ladies of my life, Crystal, Alexandria, and Paige.

Acknowledgments

I would like to thank my wife and best friend, Crystal. She is always the light at the end of my tunnel. I want to thank my two daughters, Alexandria and Paige, for all of their love and support during the writing of all my books. The three of them are my support system and I couldn’t do any of this without them.

I want to thank all of my family and friends who always help me when I’m writing my books. I want to thank my brothers Rick, Gary, and Rob. I want to thank my great friends Shaun, Jeremy, and Gene.

I would like to thank all of my friends and co-workers at StormWind Studios. I want to especially thank the team who I work with on a daily basis and that includes Tom W, Dan Y, Corey F, Ronda, Dan J, Jessica, Dave, Tiffany, Tara, Ashley, Brittany, Doug, Mike, Vince, Desiree, Ryan, Ralph, Dan G, Tyler, Jeff B, Shayne, Patrick, Noemi, Michelle, Zachary, Colin, and the man who makes it all possible, Tom Graunke. Thanks to all of you for everything that you do. I would not have been able to complete this book without all of your help and support.

I want to thank everyone on my Sybex team, especially my development editor Kim Wimpsett, who helped me make this the best book possible, and Rodney R. Fournier, who is the technical editor of many of my books. It’s always good to have the very best technical guy backing you up. I want to thank Christine O’Connor, who was my production editor, and Judy Flynn for being the Copy Editor.

I want to also thank Chris Crayton who is my Technical Proofreader. Special thanks to my acquisitions editor, Kenyon Brown, who was the lead for the entire book. Finally, I want to thank everyone else behind the scenes that helped make this book possible. It’s truly an amazing thing to have so many people work on my books to help make them the very best. I can’t thank you all enough for your hard work.

About the Author


William Panek holds the following certifications: MCP, MCP+I, MCSA, MCSA+ Security and Messaging, MCSE-NT (3.51 & 4.0), MCSE 2000, 2003, 2012/2012 R2, MCSE+Security and Messaging, MCDBA, MCT, MCTS, MCITP, CCNA, CCDA, and CHFI. Will is also a four-time and current Microsoft MVP winner.

After many successful years in the computer industry, Will decided that he could better use his talents and his personality as an instructor. He began teaching for schools such as Boston University and the University of Maryland, just to name a few. He has done consulting and training for some of the biggest government and corporate companies in the world including the United States Secret Service, Cisco, United States Air Force, and US Army.

In 2015, Will became a Sr. Microsoft Instructor for StormWind Studios (www.stormwindstudios.com). He currently lives in New Hampshire with his wife and two daughters. Will was also a Representative in the New Hampshire House of Representatives from 2010 to 2012. In his spare time, he likes to do blacksmithing, shooting (trap and skeet), snowmobiling, playing racquetball, and riding his Harley. Will is also a commercially-rated helicopter pilot.

Table of Exercises

EXERCISE 1.1 Viewing the Disk Configurations

EXERCISE 1.2 Promoting a Domain Controller

EXERCISE 1.3 Installing AD DS on Server Core Using PowerShell

EXERCISE 1.4 Creating an RODC Server

EXERCISE 1.5 Viewing the Active Directory Event Log

EXERCISE 1.6 Joining a Computer to an Active Directory Domain

EXERCISE 1.7 Configuring DNS Integration with Active Directory

EXERCISE 2.1 Creating an OU Structure

EXERCISE 2.2 Modifying OU Structure

EXERCISE 2.3 Using the Delegation of Control Wizard

EXERCISE 2.4 Delegating Custom Tasks

EXERCISE 2.5 Creating Active Directory Objects

EXERCISE 2.6 Creating a User Template

EXERCISE 2.7 Managing Object Properties

EXERCISE 2.8 Moving Active Directory Objects

EXERCISE 2.9 Resetting an Existing Computer Account

EXERCISE 2.10 Applying Security Policies by Using Group Policy

EXERCISE 2.11 Fine-Grained Password Policy

EXERCISE 2.12 Creating and Publishing a Printer

EXERCISE 2.13 Creating and Publishing a Shared Folder

EXERCISE 2.14 Finding Objects in Active Directory

EXERCISE 2.15 Creating a PSO Using the Active Directory Administrative Center

EXERCISE 3.1 Creating Sites

EXERCISE 3.2 Creating Subnets

EXERCISE 3.3 Configuring Sites

EXERCISE 3.4 Creating Site Links and Site Link Bridges

EXERCISE 3.5 Moving Server Objects Between Sites

EXERCISE 3.6 Creating a New Subdomain

EXERCISE 3.7 Assigning Single-Master Operations

EXERCISE 3.8 Managing Trust Relationships

EXERCISE 3.9 Adding a UPN Suffix

EXERCISE 3.10 Managing GC Servers

EXERCISE 3.11 Managing Universal Group Membership Caching

EXERCISE 3.12 Backing Up Active Directory

EXERCISE 4.1 Creating a Group Policy Object Using the GPMC

EXERCISE 4.2 Linking Existing GPOs to Active Directory

EXERCISE 4.3 Filtering Group Policy Using Security Groups

EXERCISE 4.4 Delegating Administrative Control of Group Policy

EXERCISE 4.5 Configuring Automatic Certificate Enrollment in Group Policy

EXERCISE 4.6 Configuring Folder Redirection in Group Policy

EXERCISE 4.7 Creating a Software Deployment Share

EXERCISE 4.8 Publishing and Assigning Applications Using Group Policy

EXERCISE 4.9 Applying Software Updates

EXERCISE 5.1 Installing AD CS Through Server Manager

EXERCISE 5.2 Configuring AD CS Through Server Manager

EXERCISE 5.3 Configure an Auto-Enrollment Group Policy for a Domain

EXERCISE 5.4 Creating a Certificate Template

EXERCISE 5.5 Publishing a Certificate Template

EXERCISE 5.6 Revoking a Certificate

EXERCISE 5.7 Configuring CA Policy Auditing

EXERCISE 5.8 Backing Up the Certificate Authority Server

EXERCISE 6.1 Installing the AD FS Role on a Computer Using Server Manager

EXERCISE 6.2 Configuring the AD FS Role on the Computer Using Server Manager

EXERCISE 6.3 Configuring Multifactor Authentication

EXERCISE 6.4 Workplace Joining a Device

EXERCISE 6.5 Installing an AD RMS Role on the Local Computer Using Server Manager

EXERCISE 6.6 Backing Up an AD RMS Database

EXERCISE 6.7 Adding a Trusted User Domain

EXERCISE 6.8 Exporting the Trusted User Domain

EXERCISE 6.9 Exporting the Trusted Publishing Domain

EXERCISE 6.10 Adding the Trusted Publishing Domain

Introduction

This book is drawn from more than 20 years of IT experience. I have taken that experience and translated it into a Windows Server 2016 book that will help you not only prepare for the MCSA: Windows Server 2016 exams but also develop a clear understanding of how to install and configure Windows Server 2016 while avoiding all of the possible configuration pitfalls.

Many Microsoft books just explain the Windows operating system, but with MCSA: Windows Server 2016 Complete Study Guide, I go a step further by providing many in-depth, step-by-step procedures to support my explanations of how the operating system performs at its best.

Microsoft Windows Server 2016 is the newest version of Microsoft’s server operating system software. Microsoft has taken the best of Windows Server 2003, Windows Server 2008, and Windows Server 2012 and combined them into the latest creation, Windows Server 2016.

Windows Server 2016 eliminates many of the problems that plagued the previous versions of Windows Server, and it includes a much faster boot time and shutdown. It is also easier to install and configure, and it barely stops to ask the user any questions during installation. In this book, I will show you what features are installed during the automated installation and where you can make changes if you need to be more in charge of your operating system and its features.

This book takes you through all the ins and outs of Windows Server 2016, including installation, configuration, Group Policy Objects, auditing, backups, and so much more.

Windows Server 2016 has improved on Microsoft’s desktop environment, made networking easier, enhanced searching capability, and improved performance—and that’s only scratching the surface.

When all is said and done, this is a technical book for IT professionals who want to take Windows Server 2016 to the next step and get certified. With this book, you will not only learn Windows Server 2016 and ideally pass the exams, but you will also become a Windows Server 2016 expert.

The Microsoft Certification Program

Since the inception of its certification program, Microsoft has certified more than 2 million people. As the computer network industry continues to increase in both size and complexity, this number is sure to grow—and the need for proven ability will also increase. Certifications can help companies verify the skills of prospective employees and contractors.

The Microsoft certification tracks for Windows Server 2016 include the following:

MCSA: Windows Server 2016. The MCSA is now the lowest-level certification you can achieve with Microsoft in relation to Windows Server 2016. It requires passing three exams: 70-740, 70-741, and 70-742.

MCSE: Cloud Platform and Infrastructure. The MCSE certifications, in relation to Windows Server 2016, require that you become an MCSA first and then pass two additional exams. The additional exams will vary depending on which of the two MCSE tracks you choose. For more information, visit Microsoft’s website at www.microsoft.com/learning.

How Do You Become Certified on Windows Server 2016?

Attaining Microsoft certification has always been a challenge. In the past, students have been able to acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new generation of exams, this is simply not the case.

Microsoft has taken strong steps to protect the security and integrity of its new certification tracks. Now prospective candidates must complete a course of study that develops detailed knowledge about a wide range of topics. It supplies them with the true skills needed, derived from working with the technology being tested.

The new generations of Microsoft certification programs are heavily weighted toward hands-on skills and experience. It is recommended that candidates have troubleshooting skills acquired through hands-on experience and working knowledge.

Fortunately, if you are willing to dedicate the time and effort to learn Windows Server 2016, you can prepare yourself well for the exam by using the proper tools. By working through this book, you can successfully meet the requirements to pass the Windows Server 2016 exams.

MCSA Exam Requirements

Candidates for MCSA certification on Windows Server 2016 must pass at least the following three Windows Server 2016 exams:

  • 70-740: Installation, Storage, and Compute with Windows Server 2016
  • 70-741: Networking with Windows Server 2016
  • 70-742: Identity with Windows Server 2016

Microsoft provides exam objectives to give you a general overview of possible areas of coverage on the Microsoft exams. Keep in mind, however, that exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Visit the Microsoft Learning website (www.microsoft.com/learning) for the most current listing of exam objectives. The published objectives and how they map to this book are listed later in this Introduction.

Tips for Taking the Windows Server 2016 Exams

Here are some general tips for achieving success on your certification exam:

  • Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information.
  • Read the questions carefully. Do not be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
  • Answer all questions. If you are unsure about a question, mark it for review and come back to it at a later time.
  • On simulations, do not change settings that are not directly related to the question. Also, assume the default settings if the question does not specify or imply which settings are used.
  • For questions about which you’re unsure, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess.

Exam Registration

At the time this book was released, Microsoft exams are given in two ways. You can take the exam live online or through the more than 1,000 Authorized VUE Testing Centers around the world. For the location of a testing center near you, go to VUE’s website at www.vue.com. If you are outside of the United States and Canada, contact your local VUE registration center.

Find out the number of the exam that you want to take and then register with the VUE registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $165 each, and you must take them within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.

When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from VUE.

Who Should Read This Book?

This book is intended for individuals who want to earn their MCSA: Windows Server 2016 certification.

This book will not only help anyone who is looking to pass the Microsoft exams, it will also help anyone who wants to learn the real ins and outs of the Windows Server 2016 operating system.

What’s Inside?

Here is a glance at what’s in each chapter:

Chapter 1: Installing Active Directory. In the first chapter, I will explain the benefits of using Active Directory. I will explain how Forests, Trees, and Domains work and I will also show you how to install Active Directory.

Chapter 2: Administer Active Directory. This chapter shows you how to create accounts in Active Directory. I will show you how to do bulk imports into Active Directory and also how to create and manage groups. I will also show you how to create and manage service accounts.

Chapter 3: Maintaining Active Directory. In this chapter I explain how to configure Active Directory components like an RODC, DFSR, and trusts. I will also show you how to configure and use Active Directory snapshots.

Chapter 4: Implementing GPOs. This chapter will show you how to implement and configure Group Policy Objects (GPOs).

Chapter 5: Understanding Certificates. This chapter takes you through the different ways to create, manage, and configure certificates. I will show you how to install and configure a Certificate Server.

Chapter 6: Configure Access and Information Protection Solutions. You will see the different ways that you can set up and configure Active Directory Federation Services. I will also show you how to configure a Web Application Proxy.

What’s Included with the Book

This book includes many helpful items intended to prepare you for the MCSA: Windows Server 2016 certification.

Assessment Test. There is an assessment test at the conclusion of the Introduction that can be used to evaluate quickly where you are with Windows Server 2016. This test should be taken prior to beginning your work in this book, and it should help you identify areas in which you are either strong or weak. Note that these questions are purposely simpler than the types of questions you may see on the exams.

Objective Map and Opening List of Objectives. Later in this Introduction, I include a detailed exam objective map showing you where each of the exam objectives is covered. Each chapter also includes a list of the exam objectives that are covered.

Helpful Exercises. Throughout the book, I have included step-by-step exercises of some of the more important tasks that you should be able to perform. Some of these exercises have corresponding videos that can be downloaded from the book’s website. Also, in the following section I have a recommended home lab setup that will be helpful in completing these tasks.

Exam Essentials. The end of each chapter also includes a listing of exam essentials. These are essentially repeats of the objectives, but remember that any objective on the exam blueprint could show up on the exam.

Chapter Review Questions. Each chapter includes review questions. These are used to assess your understanding of the chapter and are taken directly from the chapter. These questions are based on the exam objectives, and they are similar in difficulty to items you might actually receive on the MCSA: Windows Server 2016 exams.

Interactive Online Learning Environment and Test Bank

The interactive online learning environment that accompanies this study guide provides a test bank with study tools to help you prepare for the certification exams and increase your chances of passing them the first time! The test bank includes the following elements:

Sample Tests. All of the questions in this book are provided, including the assessment test, which you’ll find at the end of this Introduction, and the chapter tests that include the review questions at the end of each chapter. In addition, there is a practice exam. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Electronic Flashcards. One set of questions is provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Glossary. The key terms from this book and their definitions are available as a fully searchable PDF.

Videos. Some of the exercises include corresponding videos. These videos show you how the author does the exercises. There is also a video that shows you how to set up virtualization so that you can complete the exercises within a virtualized environment. The author also has videos to help you on the Microsoft exams at www.youtube.com/c/williampanek.

Recommended Home Lab Setup

To get the most out of this book, you will want to make sure you complete the exercises throughout the chapters. To complete the exercises, you will need one of two setups. First, you can set up a machine with Windows Server 2016 and complete the labs using a regular Windows Server 2016 machine.

The second way to set up Windows Server 2016 (the way I set up Server 2016) is by using virtualization. I set up Windows Server 2016 as a virtual hard disk (VHD), and I did all the labs this way. The advantages of using virtualization are that you can always just wipe out the system and start over without losing a real server. Plus, you can set up multiple virtual servers and create a full lab environment on one machine.

I created a video for this book showing you how to set up a virtual machine and how to install Windows Server 2016 onto that virtual machine.

How to Contact Sybex/Author

Sybex strives to keep you supplied with the latest tools and information you need for your work. Please check the website at www.wiley.com/go/sybextestprep, where I’ll post additional content and updates that supplement this book should the need arise.

You can contact me by going to my website at www.willpanek.com. You can also watch free videos on Microsoft networking at www.youtube.com/c/williampanek. If you would like to follow information about Windows Server 2016 from Will Panek, please visit Twitter .

Certification Objectives Maps

Table I.1 provides the objective mappings for the 70-742 exam. In addition to the book chapters, you will find coverage of exam objectives in the flashcards, practice exams, and videos on the book’s companion website at www.wiley.com/go/sybextestprep.

TABLE I.1 70-742 exam objectives

Objective Chapter
Install and configure Active Directory Domain Services (AD DS) (20–25%)
Install and configure domain controllers 1
Install a new forest, add or remove a domain controller from a domain, upgrade a domain controller, install AD DS on a Server Core installation, install a domain controller from Install from Media (IFM), resolve DNS SRV record registration issues, configure a global catalog server, transfer and seize operations master roles, install and configure a read-only domain controller (RODC), configure domain controller cloning. 1
Create and manage Active Directory users and computers 2
Automate the creation of Active Directory accounts; create, copy, configure, and delete users and computers; configure templates; perform bulk Active Directory operations; configure user rights; implement offline domain join; manage inactive and disabled accounts; automate unlocking of disabled accounts using Windows PowerShell; automate password resets using Windows PowerShell. 2
Create and manage Active Directory groups and organizational units (OUs) 2
Configure group nesting; convert groups, including security, distribution, universal, domain local, and domain global; manage group membership using Group Policy; enumerate group membership; automate group membership management using Windows PowerShell; delegate the creation and management of Active Directory groups and OUs; manage default Active Directory containers; create, copy, configure, and delete groups and OUs. 2
Manage and maintain AD DS (15–20%)
Configure service authentication and account policies 2
Create and configure Service Accounts, create and configure Group Managed Service Accounts (gMSAs), configure Kerberos Constrained Delegation (KCD), manage Service Principal Names (SPNs), configure virtual accounts, configure domain and local user password policy settings, configure and apply Password Settings Objects (PSOs), delegate password settings management, configure account lockout policy settings, configure Kerberos policy settings within Group Policy. 2
Maintain Active Directory 3
Back up Active Directory and SYSVOL, manage Active Directory offline, perform offline defragmentation of an Active Directory database, clean up metadata, configure Active Directory snapshots, perform object- and container-level recovery, perform Active Directory restore, configure and restore objects by using the Active Directory Recycle Bin, configure replication to Read-Only Domain Controllers (RODCs), configure Password Replication Policy (PRP) for RODC, monitor and manage replication, upgrade SYSVOL replication to Distributed File System Replication (DFSR). 3
Configure Active Directory in a complex enterprise environment 3
Configure a multi-domain and multi-forest Active Directory infrastructure; deploy Windows Server 2016 domain controllers within a pre-existing Active Directory environment; upgrade existing domains and forests; configure domain and forest functional levels; configure multiple user principal name (UPN) suffixes; configure external, forest, shortcut, and realm trusts; configure trust authentication; configure SID filtering; configure name suffix routing; configure sites and subnets; create and configure site links; manage site coverage; manage registration of SRV records; move domain controllers between sites; configure account policies. 3
Create and manage Group Policy (25–30%)
Create and manage Group Policy Objects (GPOs) 4
Configure a central store; manage starter GPOs; configure GPO links; configure multiple local Group Policies; back up, import, copy, and restore GPOs; create and configure a migration table; reset default GPOs; delegate Group Policy management; detect health issues using the Group Policy Infrastructure Status dashboard. 4
Configure Group Policy processing 4
Configure processing order and precedence, configure blocking of inheritance, configure enforced policies, configure security filtering and Windows Management Instrumentation (WMI) filtering, configure loopback processing, configure and manage slow-link processing and Group Policy caching, configure client-side extension (CSE) behavior, force a Group Policy update. 4
Configure Group Policy processing 4
Configure software installation, configure folder redirection, configure scripts, configure administrative templates, import security templates, import a custom administrative template file, configure property filters for administrative templates. 4
Configure Group Policy preferences 4
Configure printer preferences, define network drive mappings, configure power options, configure custom registry settings, configure Control Panel settings, configure Internet Explorer settings, configure file and folder deployment, configure shortcut deployment, configure item-level targeting. 4
Implement Active Directory Certificate Services (AD CS) (10–15%)
Install and configure AD CS 5
Install Active Directory Integrated Enterprise Certificate Authority (CA), install offline root and subordinate CAs, install standalone CAs, configure Certificate Revocation List (CRL) distribution points, install and configure Online Responder, implement administrative role separation, configure CA backup and recovery. 5
Manage certificates 5
Manage certificate templates; implement and manage certificate deployment, validation, and revocation; manage certificate renewal; manage certificate enrollment and renewal for computers and users using Group Policies; configure and manage key archival and recovery. 5
Implement identity federation and access solutions (15–20%)
Install and configure Active Directory Federation Services (AD FS) 6
Upgrade and migrate previous AD FS workloads to Windows Server 2016; implement claims-based authentication, including Relying Party Trusts; configure authentication policies; configure multi-factor authentication; implement and configure device registration; integrate AD FS with Microsoft Passport; configure for use with Microsoft Azure and Office 365; configure AD FS to enable authentication of users stored in LDAP directories. 6
Implement Web Application Proxy (WAP) 6
Install and configure WAP, implement WAP in pass-through mode, implement WAP as AD FS proxy, integrate WAP with AD FS, configure AD FS requirements, publish web apps via WAP, publish Remote Desktop Gateway applications, configure HTTP to HTTPS redirects, configure internal and external Fully Qualified Domain Names (FQDNs). 6
Install and configure Active Directory Rights Management Services (AD RMS) 6
Install a licensor certificate AD RMS server, manage AD RMS Service Connection Point (SCP), manage AD RMS templates, configure Exclusion Policies, back up and restore AD RMS. 6

Assessment Test

  1. What is the maximum number of domains that a Windows Server 2016 computer configured as a domain controller may participate in at one time?

    A. Zero
    B. One
    C. Two
    D. Any number of domains
  2. Which of the following file systems are required for Active Directory?

    A. FAT
    B. FAT32
    C. HPFS
    D. NTFS
  3. Which of the following services and protocols are required for Active Directory? Choose all that apply.

    A. NetBEUI
    B. TCP/IP
    C. DNS
    D. DHCP
  4. Which of the following PowerShell commands allows you to view Active Directory users?

    A. Get-ADUser
    B. Get-User
    C. View-User
    D. See-ADUser
  5. Which of the following PowerShell commands allows you to enable an Active Directory account after it’s been locked out?

    A. Release-ADAccount
    B. Enable-ADAccount
    C. Unlock-ADAccount
    D. Enable-Account
  6. You need to create a new user account using the command prompt. Which command would you use?

    A. dsmodify
    B. dscreate
    C. dsnew
    D. dsadd
  7. What kind of trust is set up between one domain and another domain in the same forest?

    A. External trust
    B. Forest trust
    C. Shortcut trust
    D. Domain trust
  8. You need to deactivate the Global Catalog option on some of your domain controllers. At which level in Active Directory would you deactivate Global Catalogs?

    A. Server
    B. Site
    C. Domain
    D. Forest
  9. You want to allow the new Sales Director to have permissions to reset passwords for all users within the sales OU. Which of the following is the best way to do this?

    A. Create a special administration account within the OU and grant it full permissions for all objects within Active Directory.
    B. Move the user’s login account into the OU that he or she is to administer.
    C. Move the user’s login account to an OU that contains the OU (that is, the parent OU of the one that he or she is to administer).
    D. Use the Delegation of Control Wizard to assign the necessary permissions on the OU that he or she is to administer.
  10. You need to create OUs in Active Directory. In which MMCs can you accomplish this task? Choose all that apply.

    A. Active Directory Administrative Center
    B. Active Directory Sites and Services
    C. Active Directory Users and Computers
    D. Active Directory Domains and Trusts
  11. You want a GPO to take effect immediately, and you need to use Windows PowerShell. Which PowerShell cmdlet would you use?

    A. Invoke-GPUpdate
    B. Invoke-GPForce
    C. Invoke-GPResult
    D. Invoke-GPExecute
  12. GPOs assigned at which of the following level(s) will override GPO settings at the domain level?

    A. OU
    B. Site
    C. Domain
    D. Both OU and site
  13. A system administrator wants to ensure that only the GPOs set at the OU level affect the Group Policy settings for objects within the OU. Which option can they use to do this (assuming that all other GPO settings are the defaults)?

    A. The Enforced option
    B. The Block Policy Inheritance option
    C. The Disable option
    D. The Deny permission
  14. To disable GPO settings for a specific security group, which of the following permissions should you apply?

    A. Deny Write
    B. Allow Write
    C. Enable Apply Group Policy
    D. Deny Apply Group Policy
  15. You want to configure modifications of the Certification Authority role service to be logged. What should you enable? (Choose all that apply.)

    A. Enable auditing of system events.
    B. Enable logging.
    C. Enable auditing of privilege use.
    D. Enable auditing of object access.
    E. You should consider enabling auditing of process tracking.
  16. You need to add a certificate template to the Certificate Authority. What PowerShell command would you use?

    A. Get-CSTemplate
    B. Add-CSTemplate
    C. Add-CATemplate
    D. New-Template
  17. You need to see all of the location sets for the CRL distribution point (CDP). What PowerShell command would you use?

    A. View-CACrlDistributionPoint
    B. See-CACrlDistributionPoint
    C. Add-CACrlDistributionPoint
    D. Get-CACrlDistributionPoint
  18. You have a server named Server1 that runs Windows Server 2016. You need to configure Server1 as a Web Application Proxy. Which server role or role service should you install on Server1?

    A. Remote Access
    B. Active Directory Federation Services
    C. Web Server (IIS)
    D. DirectAccess and VPN (RAS)
  19. You have installed Active Directory Federation Services server and the Web Application Proxy. Which two inbound TCP ports should you open on the firewall? Each correct answer presents part of the solution.

    A. 443
    B. 390
    C. 8443
    D. 49443
  20. You need to modify configuration settings for a server application role of an application in AD FS. What PowerShell command do you use?

    A. Add-AdfsServerApplication
    B. Set-AdfsServerApplication
    C. Get-AdfsServerApplication
    D. Install-AdfsServerApplication

Answers to Assessment Test

  1. B. A domain controller can contain Active Directory information for only one domain. If you want to use a multidomain environment, you must use multiple domain controllers configured in either a tree or a forest setting. See Chapter 1 for more information.

  2. D. NTFS has file-level security, and it makes efficient usage of disk space. Since this machine is to be configured as a domain controller, the configuration requires at least one NTFS partition to store the Sysvol information. See Chapter 1 for more information.

  3. B, C. TCP/IP and DNS are both required when installing Active Directory. See Chapter 1 for more information.

  4. A. The Get-ADUser command allows you to view Active Directory user accounts using PowerShell. See Chapter 2 for more information.

  5. C. Administrators can use the Unlock-ADAccount command to unlock an Active Directory account. See Chapter 2 for more information.

  6. D. The dsadd command allows you to add an object (user’s account) to the Active Directory database. See Chapter 2 for more information.

  7. C. Shortcut trusts are trusts set up between two domains in the same forest. See Chapter 3 for more information.

  8. B. The NTDS settings for the site level are where you would activate and deactivate Global Catalogs. See Chapter 3 for more information.

  9. D. The Delegation of Control Wizard is designed to allow administrators to set up permissions on specific Active Directory objects. See Chapter 3 for more information.

  10. A, C. Administrators can create new Organizational Units (OUs) by using either the Active Directory Administrative Center or Active Directory Users and Computers. See Chapter 3 for more information.

  11. A. You would use the Windows PowerShell Invoke-GPUpdate cmdlet. This PowerShell cmdlet allows you to force the GPO to reapply the policies immediately. See Chapter 4 for more information.

  12. A. GPOs at the OU level take precedence over GPOs at the domain level. GPOs at the domain level, in turn, take precedence over GPOs at the site level. See Chapter 4 for more information.

  13. B. The Block Policy Inheritance option prevents group policies of higher-level Active Directory objects from applying to lower-level objects as long as the Enforced option is not set. See Chapter 4 for more information.

  14. D. To disable the application of Group Policy on a security group, you should deny the Apply Group Policy option. This is particularly useful when you don’t want GPO settings to apply to a specific group, even though that group may be in an OU that includes the GPO settings. See Chapter 4 for more information.

  15. B, D. To enable AD FS auditing, you must check the boxes for Success Audits and Failure Audits on the Events tab of the Federation Service Properties dialog box. You must also enable Object Access Auditing in Local Policy or Group Policy. See Chapter 5 for more information.

  16. C. The Add-CATemplate command allows an administrator to add a certificate template to the CA. See Chapter 5 for more information.

  17. D. Administrators can use the Get-CACrlDistributionPoint command to view all the locations set for the CRL distribution point (CDP). See Chapter 5 for more information.

  18. A. To use the Web Application Proxy, you must install the Remote Access role. See Chapter 6 for more information.

  19. A, D. To use a Web Application Proxy and AD FS, you should set your firewall to allow for ports 443 and 49443. See Chapter 6 for more information.

  20. B. The Set-AdfsServerApplication command allows an administrator to modify configuration settings for a server application role of an application in AD FS. See Chapter 6 for more information.