Mandatory

Active Directory Domain Services

Deployment

Must demonstrate knowledge about how DCs are promoted/demoted, how many partitions are involved in a given Forest design, their names and functionalities provided.

Upgrade to newer Windows Server versions

Must specifically mention the 3 phases involved, Schema Extension, DC replacement, Functional Level Raise. Must be able to suggest rollback options for each.

Troubleshooting and Recovery

Must show repadmin tool knowledge, mainly explain what /replsum /bydest /sort:delta does, what /showreps does, what /kcc does, what /syncall /Aeq does, what /showobjmeta does.

Performance

Must be able to explain how to collect performance counters and which tool to use for that. Mention some counter thresholds like Physical Disk maximum recommended latency, Memory Commit Limit, CPU maximum recommended utilization.

Security Hardening

How many members is recommended to have on high privilege groups such as Domains Admins, Schema Admins

How to better protect LDAP communications

How to prevent rogue file servers from impersonating the SYSVOL share

LMCompatibilityLevel

TLS versions supported for the various verisons of Windows

PowerShell scripting

Must be able to understand what a script does and add specific requested functionality to it.

Kerberos interoperability with 3rd-party implementations

Must show deep understanding of how MIT Kerberos v5 works and interoperates with Active Directory

Must know which Encryption Types were and are supported nowadays

Must know what is a KEYTAB file and what it does

Credential Theft Mitigation

Must know how to prevent credential exposure on Windows systems, how to prevent Domain Admins from logging on untrusted computer.

What is RestrictedAdmin Remote Desktop, what difference with Remote Credential Guard can be mentioned?

Why Wdigest is now obsolete and recommended to be disabled?

What Hashing Algorythms are no longer considered secure?

Must be able to explain the Enterprise access model (may mention the old way of splitting in Tier 0, 1, and 2 and what goes where

What LAPS provide, how it works, and its deployment options.

DNS

What zones are required

What are the replication scopes for AD-Integrated zones

What are the options from resolving names on separate namespaces and their main differences among them

How Dynamic Update works

Active Directory Certificate Services (multi-layered PKI)

Deployment

Be able to describe benefits for a 2-tier PKI, or the benefits for a 1-tier PKI

What are roles available for Certiifcate Services, Web Enrollment, OCSP, NDES, others?

Upgrade to newer Windows Server versions

Must be able to describe the important pieces to export and import

Troubleshooting and Recovery

Must be able to describe the data that is verified before certificates are dimmed valid and trusted.

Performance

Security Hardening

Must be able to talks about Key Lengths and recommended current values

Roles recommended to be separated

PowerShell, Certutil, certreq command line management

How to request, approve/issue, retrieve certificates using such tools

PKI concepts

Asymmetric Encryption versus Symmetric Encryption

Trust Chain

What does EKU stand for?

Entra Connect and Cloud Sync

Deployment

When to use which?

Upgrade

Describe the process available

Troubleshooting and Recovery

Demonstrate how to follow an object from Active Directory to Entra ID throughout the synchronization engine.

What is the Metaverse

What are Connectors

Performance

How frequent can synchronization perform?

Security Hardening

Where to install Entra Connect

Where to install Entra Cloud agents

Accounts or Security Principals involved or required, minimum permissions.

PowerShell scripting

How to start synchronization cycle

Networking

Windows Defender Firewall configuration

Deploy rules from GPOs

Interaction with IPSec

Routing

Must be able to tell the difference between "Request Timed Out" and "Destination Host Unreachable" when using ping

Is routing bidirectional or must be set up in both directions to work?

What is NAT? mention some examples why it is used not between the Internet and a local network.

Network Packet Capture and Troubleshooting

Must be able to mention 2 data capture and analysis tools.

Explain TCP 3-way handshake, how to see it in netstat.

Desired

Entra ID

Joined, Hybrid Joined and Registered devices

Explain the difference in those

Which tool to use to identify which one is used on a device

Access Tokens, Refresh Tokens, Primary Refresh Tokens

Explain duration of each, which one is obtained first, what is required to obtain a Primary Refresh Token

Authentication Methods

Name a few available other than passwords

Authentication Strengths

What are the 3 built-in available?

Where can they be used?

Conditional Access Policies

Explain the What If tool

Give examples of typical recommended CAPs

SSPR

What's required to be implemented

What's required to work with On-premises too

Troubleshooting

Microsoft Graph Powershell scripting

Windows security features

Bitlocker

How is the disk encrypted? Which keys are used for what?

Explain Suspend Bitlocker, what it does and how

DPAPI

Explain what is it used for

SecureBoot

Permissions and User Rights

What is an ACL, an ACE

What is a SID and a RID

Just Enough Administration

Modern Authentication standards (SAML2, OAuth2)

Explain main differences with Kerberos

Where does Open ID Connect (OIDC) come from?

Integration with Entra App Proxy applications that work or were designed for Kerberos, how they work?

Windows security baselines

Comparison to what's deployed, which tool is used?

Group Policy performance recommended practices

What are Client Side Extensions?

Windows performance troubleshooting