16 Multiple Choice
6 Short Answer
4 Best Answer
3 Build List
4 Repeated Answer
33 questions
Multiple Choice
1. What is the default authentication protocol for non-domain computers?
a. NTLM
b. PAP
c. CHAP
d. Kerberos
Answer: a
Difficulty: Easy
Section Ref: Configuring Server Authentication
Explanation: Although Kerberos is the default authentication protocol for today's
domain computers, NTLM is the default authentication protocol for Windows NT,
standalone computers that are not part of a domain, and situations in which you
authenticate to a server using an IP address.
2. What does the acronym NTLM stand for?
a. NT Link Messenger
b. NT Link Manager
c. NT LAN Manager
d. NT LAN Messenger
Answer: c
Difficulty: Easy
Section Ref: Understanding NTLM Authentication
Explanation: NT LAN Manager (NTLM) is a suite of Microsoft security protocols that
provides authentication, integrity, and confidentiality to users.
3. NTLM uses a challenge-response mechanism for authentication without doing
what?
10. What are the two restrictions for adding SPNs to an account?
a. Domain Administrator privileges
b. full control permissions for the folder
c. local administrator privileges
d. the editor runs from the domain controller
Answer: a and d
Difficulty: Medium
Section Ref: Managing Service Principal Names
Explanation: To configure an SPN for a service or application pool account, you must
have domain administrative permissions or a delegation to modify the
ServicePrincipalName property. You also must run ADSI Edit from a domain
controller.
11. Identify another utility that you can use to add SPNs to an account.
a. dnscmd
b. spnedit
c. setspn
d. netsh
Answer: c
Difficulty: Easy
Section Ref: Managing Service Principal Names
Explanation: You can use setspn.exe to add SPNs to an account.
12. What type of account is an account under which an operating system, process,
or service runs?
a. user
b. system
c. service
d. network
Answer: c
Difficulty: Easy
Section Ref: Managing Service Accounts
Explanation: A service account is an account under which an operating system,
process, or service runs.
13. When creating accounts for operating systems, processes, and services, you
should always configure them with what two things in mind?
a. using strong passwords
b. using cryptic user names
Difficulty: Medium
Section Ref: Configuring Virtual Accounts
Explanation: A virtual account is an account that emulates a Network Service
account that has the name NT Service\servicename. The virtual account has
simplified service administration, including automatic password management, and
simplified SPN management.
Short Answer
17. Kerberos is more secure than NTLM but it is also more __________________.
Answer: Complicated. Kerberos requires additional configuration.
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: Although Kerberos is more secure than NTLM, it is also more
complicated than NTLM and requires additional configuration, such as requiring a
service principal name (SPN) for the domain account.
18. For Kerberos to work properly, which service needs to be accurate and generally
synchronized between systems?
Answer: The Time Service. Systems need to be time synchronized within a certain
amount of lapse.
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: For all of this to work and to ensure security, the domain controllers
and clients must have the same time. Windows operating systems include the Time
Service tool (W32Time service). Kerberos authentication will work if the time
interval between the relevant computers is within the maximum enabled time
parameters.
19. Name the two ways that Kerberos authentication improves overall
authentication performance.
Answer: Kerberos uses the current ticket to prove authentication and Kerberos can
also perform double-hop authentication.
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: When the client connects to a server or service, Kerberos uses the
current client ticket proving that the client is authenticated. As a result, the service
does not have to perform authentication to a domain controller. Kerberos also can
perform a double-hop authentication. Both of these Kerberos benefits improve
authentication performance.
Best Answer
23. What is the default authentication protocol for contemporary domain
computers?
a. NTLM
b. PAP
c. CHAP
d. Kerberos
Answer: d
Difficulty: Easy
Section Ref: Configuring Server Authentication
Explanation: Although Kerberos is the default authentication protocol for today's
domain computers, NTLM is the default authentication protocol for Windows NT,
standalone computers that are not part of a domain, and situations in which you
authenticate to a server using an IP address.
24. What is the name by which a client uniquely identifies an instance of a service?
a. service instance name
b. service account name
c. service provider name
d. service principal name
Answer: d
Difficulty: Medium
Section Ref: Managing Service Principal Names
Explanation: A service principal name (SPN) is the name by which a client uniquely
identifies an instance of a service.
25. Before you can create an MSA object type, you must create what?
a. a key services MSA group
b. a key services MSA distributed domain account
c. a key distribution services root key
d. a key distribution services Master MSA
Answer: c
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: Before you can create an MSA object type, you need to create a key
distribution services root key for the domain.
26. What service right does an MSA account automatically receive upon creation?
a. log on interactively
b. log on as a service
c. domain administrator
d. domain power user
Answer: b
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: On the Log On tab, confirm that the name appears with a dollar sign
($). The account will be given the Log On As Service right.
Build List
27. Order the following steps required to use the SPN with a service.
a. Connect to the domain.
b. Expand Default Naming Context in the console tree, expand the domain, and
then expand the nodes representing the OUs.
c. Open the ADSI Edit console.
d. Add SPN to the service account.
e. Select the OU where the service account exists.
Answer: C A B E D
Difficulty: Easy
Section Ref: Managing Service Principal Names
Explanation: Refer to the steps outlined in Use the Managed Service Account
with a Service.
28. Order the following steps required to create a service account.
a. Open the Domain node.
b. Open Active Directory Users and Computers.
c. Open the OU where you want to add the user account.
d. Select Password never expires.
e. Create the new user account.
Answer: B A C E D
Difficulty: Easy
Section Ref: Creating and Configuring Service Accounts
Explanation: Refer to the steps shown under Create a Service Account.
29. Order the following steps required to use the MSA with a service.
a. Open the service to show the properties.
b. Select Log On As a Service.
c. Restart the service.
d. Click the Log On tab.
e. Clear the Password and Confirm password text boxes.
f. Open the Service console.
g. Select This account option and enter the name of the service account.
Answer: F A D G E B C
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: Refer to the steps required in Use the MSA with a Service.
Repeated Answer
30. Which Kerberos setting defines the maximum time skew that can be tolerated
between a ticket's timestamp and the current time at the KDC?
a. maximum lifetime for service ticket
b. maximum lifetime for user ticket
Answer: c
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: The setting for maximum lifetime for user ticket renewal defines how
long a service or user ticket can be renewed. By default, it can be renewed up to 7
days.