About the job
Details
Description
Mandatory
Active Directory Domain Services
Deployment
Must demonstrate knowledge about how DCs are promoted/demoted, how many partitions are involved in a given Forest design, their names and functionalities provided.
Upgrade to newer Windows Server versions
Must specifically mention the 3 phases involved, Schema Extension, DC replacement, Functional Level Raise. Must be able to suggest rollback options for each.
Troubleshooting and Recovery
Must show repadmin tool knowledge, mainly explain what /replsum /bydest /sort:delta does, what /showreps does, what /kcc does, what /syncall /Aeq does, what /showobjmeta does.
Performance
Must be able to explain how to collect performance counters and which tool to use for that. Mention some counter thresholds like Physical Disk maximum recommended latency, Memory Commit Limit, CPU maximum recommended utilization.
Security Hardening
How many members are recommended for high-privilege groups such as Domain Admins and Schema Admins
How to better protect LDAP communications
How to prevent rogue file servers from impersonating the SYSVOL share
LMCompatibilityLevel
TLS versions supported for the various versions of Windows
PowerShell scripting
Must be able to understand what a script does and add specific requested functionality to it.
Kerberos interoperability with 3rd-party implementations
Must show deep understanding of how MIT Kerberos v5 works and interoperates with Active Directory
Must know which Encryption Types were and are supported nowadays
Must know what a KEYTAB file is and what it does
Credential Theft Mitigation
Must know how to prevent credential exposure on Windows systems and how to prevent Domain Admins from logging on to untrusted computers.
What is RestrictedAdmin Remote Desktop, and what differences from Remote Credential Guard can be mentioned?
Why is WDigest now obsolete and recommended to be disabled?
What hashing algorithms are no longer considered secure?
Must be able to explain the Enterprise access model (may mention the old way of splitting into Tier 0, 1, and 2 and what goes where)
What LAPS provides, how it works, and its deployment options.
DNS
What zones are required
What are the replication scopes for AD-Integrated zones
What are the options for resolving names on separate namespaces and the main differences among them
How Dynamic Update works
Active Directory Certificate Services (multi-layered PKI)
Deployment
Be able to describe benefits for a 2-tier PKI, or the benefits for a 1-tier PKI
What roles are available for Certificate Services: Web Enrollment, OCSP, NDES, others?
Upgrade to newer Windows Server versions
Must be able to describe the important pieces to export and import
Troubleshooting and Recovery
Must be able to describe the data that is verified before certificates are deemed valid and trusted.
Performance
Security Hardening
Must be able to talk about key lengths and current recommended values
Roles recommended to be separated
PowerShell, Certutil, certreq command line management
How to request, approve/issue, retrieve certificates using such tools
PKI concepts
Asymmetric Encryption versus Symmetric Encryption
Trust Chain
What does EKU stand for?
Entra Connect and Cloud Sync
Deployment
When to use which?
Upgrade
Describe the process available
Troubleshooting and Recovery
Demonstrate how to follow an object from Active Directory to Entra ID throughout the synchronization engine.
What is the Metaverse
What are Connectors
Performance
How frequently can synchronization run?
Security Hardening
Where to install Entra Connect
Where to install Entra Cloud agents
Accounts or Security Principals involved or required, minimum permissions.
PowerShell scripting
How to start a synchronization cycle
Networking
Windows Defender Firewall configuration
Deploy rules from GPOs
Interaction with IPSec
Routing
Must be able to tell the difference between "Request Timed Out" and "Destination Host Unreachable" when using ping
Is routing bidirectional or must be set up in both directions to work?
What is NAT? Mention some examples of why it is used other than between the Internet and a local network.
Network Packet Capture and Troubleshooting
Must be able to mention 2 data capture and analysis tools.
Explain TCP 3-way handshake, how to see it in netstat.
Desired
Entra ID
Joined, Hybrid Joined and Registered devices
Explain the differences between them
Which tool to use to identify which one is used on a device
Access Tokens, Refresh Tokens, Primary Refresh Tokens
Explain duration of each, which one is obtained first, what is required to obtain a Primary Refresh Token
Authentication Methods
Name a few available other than passwords
Authentication Strengths
What are the 3 built-in available?
Where can they be used?
Conditional Access Policies
Explain the What If tool
Give examples of typical recommended CAPs
SSPR
What's required to be implemented
What's required to work with On-premises too
Troubleshooting
Microsoft Graph PowerShell scripting
Windows security features
BitLocker
How is the disk encrypted? Which keys are used for what?
Explain Suspend BitLocker, what it does and how
DPAPI
Explain what it is used for
SecureBoot
Permissions and User Rights
What is an ACL and an ACE
What is a SID and a RID
Just Enough Administration
Modern Authentication standards (SAML2, OAuth2)
Explain main differences with Kerberos
Where does OpenID Connect (OIDC) come from?
Integration with Entra App Proxy of applications that work with or were designed for Kerberos: how do they work?
Windows security baselines
Comparison to what's deployed, which tool is used?
Group Policy performance recommended practices
What are Client Side Extensions?
Windows performance troubleshooting
ID: 18541851