Network+, I know nothing

Well, it's Monday, time to start something new. I'm ready to get into Network+ and maybe go through to PenTest+ over the course of the next year. Regardless, it would be great to get Network+ done by year end. Which seems doable, but I could be wrong. Anyway, let's get into that thing that I use this blog for, where I post a slide and then break it down until I figure out what's going on, because memorizing answers does not do it for me.

[Image: device density]

The longer I look at this the more I'm not sure why I added it, other than I didn't really know what they meant by device density. Like, are they using old laptops or something? I mean it would be a safe assumption I suppose. The other thing I hate about CompTIA stuff is that they use language that I'm assuming you can't pull from the web to study for. Like maybe this stuff is in a book. Did a quick search and it mentions the concept as a bullet point then gives no further info.

OK, so this does exist: What is network density

OK jeez, that does make sense. It doesn't specifically say timeout errors connecting to resources, but that makes sense. A rogue access point would also provide for this, as it's possible to have internet access and no access to internal resources, clearly.

[Image: wireless network slow]

I don't really know what any of this stuff is, so I'm going to have to start by looking up each of these terms, just to be thorough.

    Stuff in question

  • RSSI- RSSI stands for Received Signal Strength Indicator. It is an estimated measure of the power level that an RF client device is receiving from an access point or router. At larger distances the signal gets weaker and the wireless data rates get slower, leading to a lower overall data throughput.
  • Channel VLAN- Virtual local area networks (VLANs) are a wonderful wireless network security tool, enabling separation of traffic. You can implement VLANs in several ways when working with your wireless LAN. VLANs allow you to separate different types of traffic based on the SSID to which they connect. However, these appear to be channels rather than VLANs, which is confusing.
  • Overlapping channels- Short Answer: Only use channel 1, 6, or 11. Longer Answer: In the United States, while channels 1-13 can be used for 2.4 GHz WiFi, only three channels are considered non-overlapping (channels 12 and 13 are allowed under low powered conditions, but for most cases are not used)
  • signal strength- see RSSI
  • ssid broadcast- The continuous transmission of packets from a Wi-Fi access point that announces its availability. Also called “beaconing,” if the network is secured with a password, users will see the SSID, but not be able to access it (see WEP and WPA).
  • Incorrect VLAN- Using the wrong wireless VLAN. I understand what a VLAN is, but it's confusing when incorporating wireless tech into it. Is this like a separate SSID, or are you somehow assigned to a separate VLAN when connecting to the SSID? I can't be perfectly sure on everything, so I'll figure this out as we go.

So the overlapping channel thing kind of makes sense, since you are only supposed to use 1, 6, or 11, but it still seems as if it's mislabeled. Or maybe the VLAN is the channel? Unclear, but I'm sure I'll understand it eventually, so let's move on.
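To see where the "only 1, 6, or 11" rule comes from, here is an added example (my own illustration, not from the original post or CompTIA material) that works out which 2.4 GHz channels overlap from their centre frequencies and then checks a constructed site survey for access points stepping on each other. It assumes the 802.11 channel plan (channel n centred at 2407 + 5n MHz, channel 14 at 2484 MHz) and a 22 MHz channel width, the 802.11b figure the rule was derived from; it also shows the 20 MHz (802.11g/n) case, where four channels fit.

```python
"""Why 2.4 GHz channels 1, 6 and 11 are the non-overlapping set.

Added illustration, not from the original post. Assumes the 802.11 2.4 GHz
channel plan (channel n, 1..13, centred at 2407 + 5n MHz; channel 14 at
2484 MHz) and a 22 MHz occupied bandwidth, the 802.11b figure the 1/6/11
rule comes from. The site survey at the bottom is constructed sample data."""

from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS; 802.11g/n OFDM channels are 20 MHz wide


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz Wi-Fi channel in MHz."""
    if channel == 14:
        return 2484  # channel 14 sits 12 MHz above channel 13 (Japan, 802.11b only)
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < width


def largest_non_overlapping_sets(channels=range(1, 14), width: int = CHANNEL_WIDTH_MHZ):
    """All maximum-size sets of mutually non-overlapping channels, as sorted tuples.

    Brute force over subsets is fine for 13 channels (2**13 candidates)."""
    channels = list(channels)
    for size in range(len(channels), 0, -1):
        found = [
            combo for combo in combinations(channels, size)
            if not any(channels_overlap(x, y, width) for x, y in combinations(combo, 2))
        ]
        if found:
            return found
    return []


def interfering_pairs(ap_channels: dict, width: int = CHANNEL_WIDTH_MHZ):
    """Given {access_point: channel}, list the AP pairs whose cells overlap in
    frequency (assuming their coverage areas overlap too, which a survey must confirm)."""
    return [
        (a, b) for a, b in combinations(sorted(ap_channels), 2)
        if channels_overlap(ap_channels[a], ap_channels[b], width)
    ]


# Constructed site survey: AP-2 was put on channel 3, between AP-1 (1) and AP-3 (6).
SURVEY = {"AP-1": 1, "AP-2": 3, "AP-3": 6, "AP-4": 11}

if __name__ == "__main__":
    print("non-overlapping sets at 22 MHz:", largest_non_overlapping_sets())
    print("non-overlapping sets at 20 MHz:", largest_non_overlapping_sets(width=20))
    print("APs interfering with each other:", interfering_pairs(SURVEY))
```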

[Image: voip]

    Answers

  • DMZ- I feel like this has been replaced by WAP, or Web Application Proxy, in terms of naming conventions, but it's past the network firewall and less closed off to web traffic.
  • NAT- I'm assuming this is network address translation, which could possibly have something to do with phones, but I'm not sure.
  • VLAN- We just covered a VLAN, but it's a virtual network and I have no idea what it could have to do with phones. But then again, I know absolutely nothing about VoIP tech, to be honest.
  • QoS- QoS (Quality of Service) is a major issue in VoIP implementations. The issue is how to guarantee that packet traffic for a voice or other media connection will not be delayed or dropped due to interference from other lower priority traffic. OK Google, that's fairly broad, but it's clear that this is the issue in this case. OK.

[Image: poor performance]

    Answers

  • Switch set to full duplex- WiFi is Half Duplex – A wired Ethernet network is full duplex, meaning a device can send and receive, or upload and download, simultaneously. WiFi is half duplex, so if a client is sending data to the AP, the AP can not also send data to the same or any other client at the same time.
  • Conflicting IP addresses- An IP address conflict occurs when two communication endpoints on a network are assigned the same IP address. Endpoints can be PCs, mobile devices, or any individual network adapter. IP conflicts between two endpoints normally render either one or both of them unusable for network operations
  • Packet bottlenecks- A bottleneck occurs when bandwidth is unable to accommodate large amounts of system data at the designated data transfer rate. Road traffic is a common bottleneck analogy. For example, bottlenecking is inevitable when only one of two busy road lanes is passable.
  • IP address scope depletion- This is the DHCP server running out of addresses in a given address space causing clients to be unable to request an IP assignment for the network

I like this test, once you understand the definitions, so far, the answers are obvious. Clearly a performance issue would be the cause of a performance issue. I mean, given that I’m actually studying the right material. I may purchase a pretest from another location to verify that I’m actually studying the right material before dropping the money on the test.
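Scope depletion is easier to picture with numbers, so here is an added example (my own, not from the original post) that takes a constructed scope definition and lease table, works out how many addresses are actually left once exclusions and expired leases are accounted for, applies an alert threshold, and shows what the server can offer the next client: the lowest free address, or nothing once the pool is exhausted. The data layout (address, client ID, expiry) is an assumption for illustration, not a real DHCP export format.

```python
"""DHCP scope depletion: how a pool runs dry and what a monitor should report.

Added illustration, not from the original post. The scope definition and lease
table below are constructed sample data in an assumed layout (address, client
ID, lease expiry), not a real DHCP server export format."""

import ipaddress
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15, 12, 0)  # constructed "current time" for the check

# Constructed scope: a /24 whose pool is .50-.69 (20 addresses) with .60 excluded,
# so only 19 addresses can ever be leased.
SCOPE = {
    "network": "192.168.10.0/24",
    "start": "192.168.10.50",
    "end": "192.168.10.69",
    "exclusions": ["192.168.10.60"],
}

# Constructed lease table: 18 current leases plus one (.59) that expired an hour ago.
LEASES = [
    (f"192.168.10.{h}", f"00-11-22-33-44-{h:02x}", NOW + timedelta(hours=8))
    for h in list(range(50, 59)) + list(range(61, 70))
]
LEASES.append(("192.168.10.59", "00-11-22-33-44-3b", NOW - timedelta(hours=1)))


def pool_addresses(scope):
    """Every address the scope is allowed to hand out."""
    net = ipaddress.ip_network(scope["network"])
    start = ipaddress.ip_address(scope["start"])
    end = ipaddress.ip_address(scope["end"])
    excluded = {ipaddress.ip_address(x) for x in scope["exclusions"]}
    return {a for a in net.hosts() if start <= a <= end and a not in excluded}


def active_leases(leases, now):
    """{address: client_id} for leases that have not yet expired."""
    return {ipaddress.ip_address(addr): cid for addr, cid, expiry in leases if expiry > now}


def scope_utilization(scope, leases, now):
    """Utilisation figures of the kind an IPAM threshold alert is built on."""
    pool = pool_addresses(scope)
    active = active_leases(leases, now)
    leased = {a for a in active if a in pool}
    free = pool - leased
    pct = 100.0 * len(leased) / len(pool) if pool else 0.0
    return {
        "pool_size": len(pool),
        "leased": len(leased),
        "free": len(free),
        "utilization_pct": round(pct, 1),
        # leases outside the pool usually mean a reservation or a stale record
        "leases_outside_pool": sorted(str(a) for a in active if a not in pool),
    }


def alert_level(utilization_pct, warn=80.0, critical=100.0):
    """Threshold logic: 'critical' means the scope is depleted, so the next
    DHCPDISCOVER gets no offer (Windows clients then self-assign 169.254.x.x)."""
    if utilization_pct >= critical:
        return "critical"
    if utilization_pct >= warn:
        return "warning"
    return "ok"


def offer_address(scope, leases, now):
    """Lowest free pool address the server could offer a new client, or None
    when the scope is depleted."""
    free = pool_addresses(scope) - set(active_leases(leases, now))
    return str(min(free)) if free else None


if __name__ == "__main__":
    report = scope_utilization(SCOPE, LEASES, NOW)
    print(report, alert_level(report["utilization_pct"]))
    print("next offer:", offer_address(SCOPE, LEASES, NOW))
```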

[Image: no mac address]

Again, I don’t really know any of this because I don’t know squat about networking. I’m starting to realize it may be more than simply doing math. This excites me.

    Answers

  • VLAN mismatch- VLAN mismatch basically is saying that you have a device plugged into your Cisco device that has a different native VLAN than your switch. Clear as mud to me at this point
  • Duplex/Speed mismatch- On an Ethernet connection, a duplex mismatch is a condition where two connected devices operate in different duplex modes, that is, one operates in half duplex while the other one operates in full duplex. The effect of a duplex mismatch is a link that operates inefficiently. Duplex mismatch may be caused by manually setting two connected network interfaces at different duplex modes or by connecting a device that performs auto-negotiation to one that is manually set to a full duplex mode.
  • Duplicate IP address- This will make both devices non-functional; a leasing issue.
  • TX/RX reverse- One particular type of cabling issue is the one in which the Transmit and the Receive pairs of a cable are inversed so the TX sides are connected to each other and the RX sides are connected to each other (as opposed to the correct way of connecting TX to RX).

So the answer still somewhat escapes me, as I don't understand the exact issue described in the problem, and there is an explanation on Cisco forums that provides all sorts of hot topics such as trunks and VLANs and devices and I don't know what's going on. I kind of get excited at that point to learn, because I'm a nerd.
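The duplex mismatch definition above is easier to remember if you see why one side ends up half duplex. Here is an added example (my own, not from the original post) that models the auto-negotiation rule it describes: an auto port facing a port with negotiation disabled can only detect the peer's speed, so it falls back to half duplex, while the fixed port keeps what it was set to. It goes a step beyond the text by listing which error counters each side of a mismatched link accumulates, which is how you spot one from the switch. The port configurations are constructed examples.

```python
"""How a duplex mismatch arises, and which side shows which symptom.

Added illustration, not from the original post. Models the Ethernet
auto-negotiation behaviour: a port set to auto-negotiate that links to a port
with negotiation disabled can only detect the peer's speed (parallel
detection) and so falls back to half duplex, while the fixed port keeps its
configured mode. The port configurations at the bottom are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    autoneg: bool
    # When autoneg is False: the mode the admin forced.
    # When autoneg is True: the best mode the port advertises.
    duplex: str = "full"


def negotiate(a: Port, b: Port) -> tuple:
    """Duplex mode each side ends up in after link-up, as (mode_of_a, mode_of_b)."""
    if a.autoneg and b.autoneg:
        # Both sides advertise; the best mode common to both is chosen.
        common = "full" if a.duplex == b.duplex == "full" else "half"
        return common, common
    if a.autoneg and not b.autoneg:
        # Parallel detection: a learns the speed but not the duplex, so it
        # defaults to half regardless of what b was forced to.
        return "half", b.duplex
    if b.autoneg and not a.autoneg:
        return a.duplex, "half"
    # Neither side negotiates: each simply uses what it was set to.
    return a.duplex, b.duplex


def is_mismatch(a: Port, b: Port) -> bool:
    da, db = negotiate(a, b)
    return da != db


def expected_symptoms(a: Port, b: Port) -> dict:
    """Counters each side accumulates under load if the link is mismatched.

    The full-duplex side transmits while receiving; the half-duplex side sees
    that as a collision, aborts its frame and jams, so the full-duplex side
    receives truncated frames (runts, FCS errors) and the half-duplex side
    logs late collisions whenever the collision lands after the first 64 bytes."""
    modes = dict(zip((a.name, b.name), negotiate(a, b)))
    if len(set(modes.values())) == 1:
        return {name: [] for name in modes}  # healthy link: nothing to expect
    return {
        name: (["collisions", "late collisions"] if mode == "half"
               else ["FCS/CRC errors", "runts"])
        for name, mode in modes.items()
    }


# Constructed example: a switch port hard-coded to full duplex facing a server NIC left on auto.
SWITCH_FIXED_FULL = Port("Gi0/1", autoneg=False, duplex="full")
SERVER_AUTO = Port("eth0", autoneg=True)
SWITCH_AUTO = Port("Gi0/2", autoneg=True)

if __name__ == "__main__":
    print(negotiate(SERVER_AUTO, SWITCH_FIXED_FULL),
          expected_symptoms(SERVER_AUTO, SWITCH_FIXED_FULL))
    print(negotiate(SERVER_AUTO, SWITCH_AUTO))
```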

I guess that's all for now, but I really don't know much of this so I'll probably post a ton of stuff. I really hate that there isn't one source for this stuff like TechNet, but so far I can mostly make out the information on various websites/blogs.

Similar questions

I found some more things that I wanted to go over today while going through the test at work, including one thing specifically mentioned. I was taking screenshots and going through the material in between calls, so I'm not sure if I got the full variance of the questions that I was struggling with, but I made it through all but about 75 of the questions while working, so I feel like I have a good grip on the material and now I'm getting granular with my understanding of specifics on repeated questions with slight variable changes. Anyway. That may have been too complicated a way to say that I'm trying to figure the last little bit of stuff out before…Saturday. It's possible I'll pass, but to be honest I don't have my hopes up. Or what if I pass and then I'm told for some reason that my 2012 MCSA can't be upgraded. That would also be the opposite of the bee's knees. I don't know what that means, so let's get into some things haha.

[Image: RAS NAT]

[Image: VM2 default gateway]

[Image: using NAT pt 3]

These three were really throwing me off, as they use the exact same bad screenshot. Without going into much detail, the one that uses PowerShell connecting to external is incorrect, and the one that uses the RRAS snap-in works, or the PS internal also works. Not really much else to talk about, but it was driving me nuts because I was basically guilty of trying to memorize the answer without really looking into the question. How embarrassing.

[Image: copy files from VM 1]

[Image: copy files from VM 2]

These two also annoy me. Same scenario, and there may be one more that I didn't get to when going through questions today. Guest services works and nothing else does. It's really annoying when going through the material because you're like 'I just saw this question and it was no!' or vice versa. I feel like there might be one more of these, but I could be wrong on that. Who knows.

This SR-IOV stuff is a mess. There are like 3 unique questions on this and only one of them is correct. It also uses the GUI.

[Image: sriov use 1]

[Image: SRIOV 2]

[Image: sriov]

[Image: SRIOV 2]

Seriously, how many times can you ask the same question? It's a safe bet that the answer is no, but still, you know, I would like to get as many questions correct as possible. So it looks like the only way to do this is through Device Manager. I literally just went through all 300 questions to find the one that was the correct SR-IOV, lol. I wanted to know which one was right, and to be honest this is the only way it would work. I tried to find a TechNet article on this, but I think this is another question where you have to lab the answers. Anyway, it's late and there isn't much text in this, but really I was more interested in creating a repository for these images to look at these similar questions. There are more questions that I had planned to include in this, but staying up yesterday from 4 am to almost midnight and well…I basically haven't really stopped doing something in a few days, so I may need to take a breather lol. However, honestly, I'm feeling pretty good with this material. If (that's a big if) I'm studying the right thing I think I'll pass. Regardless, it's time to find out.

Crunch time

I'm set to take the test this weekend and there are a few things I would like to cover today before taking the test Saturday at 3 pm. Honestly, I kind of doubt I'll pass, but it's time to try, as my scores on the pretests are in the 900 range and a 700 is passing. The things that are left that are confusing are mostly repetitive questions where they change one detail and the entire thing is different. These types of questions are usually tough to find answers to on TechNet but can be recreated in a lab. However, I'm not going to set up a lab. Maybe one day, but at present I don't really have the time or desire to create a Windows Server lab. Anyway, I've got 10 slides that I want to go through and hopefully I will get through them all tonight.

[Image: shielded VM]

Based on this I'm going to assume that this is a result of the disk being set as NTFS instead of GPT. I could be wrong about that, but it does appear to be the reason that the answer is to use diskpart. It's honestly kind of baffling that there are so many choices for types of disks and so forth that, to be honest, don't seem to do much other than cause issues. Reason number 428 of why Hyper-V is annoying lol. I mean, to be honest I haven't seen it in enterprise production use, so I could be jumping to conclusions here.

[Image: VHD sector size]

So one would assume that you would use diskpart to adjust something related to a disk, but apparently that is incorrect. A quick search through TechNet yields this nugget that you would think would be the extra version, but it's not:

Set-VHD [-Path] -PhysicalSectorSizeBytes [-Passthru] [-CimSession] [-ComputerName] [-Credential] [-WhatIf] [-Confirm] []

So now we know how to set physical sector bytes.

[Image: network security group]

This network security group thing is new and, to be quite frank, I have no idea what it is. The only info I can find about it mentions Azure, and none of the questions with this as an answer seem to directly mention Azure. Literally this is only used with Azure, so it seems crazy that the questions wouldn't reference Azure. Honestly, this explains it the best out of what I found so far: Network Security group

[Image: nano server install]

[Image: nano server install 2]

This one throws me off, and it took a while to figure out that there are several questions related to this and that the answer that references SCVMM is correct and anything else is wrong. I thought I took better screenshots today, but it would appear that I did not.

[Image: wap secure radius client]

Honestly, I know what a RADIUS server is, but the exact process escapes me.

Honestly, this is the best info. I can't really find the exacts for PS on this one. This is one of those things that makes me nervous for sysadmins, but I'm going to assume you figure things out after a while. Case in point, I've picked up most of this new material quickly. Granted, I have no idea if this is what's on the test, and that has me nervous.

[Image: hyper v cluster]

These questions confuse the shit out of me and I have no idea why any of them are the way they are, but like they make sense in a lab, I'm assuming. This one actually has an answer. Which, to be honest, I don't even look at the answers usually. This one says we have to make iSCSI, which makes sense.

[Image: vm1 high availability]

The answer to this one is Failover Cluster Manager, and it seems like for the questions that mention failover cluster, that's actually the answer.

[Image: NTLM auth]

To be honest, again, I'm not exactly sure what's going on here, so Web Application Proxy does require ADFS for auth. It's not totally cut and dried, but it's a safe assumption.

There are a few other questions that I'm unclear on as I pass quickly through the test, as it seems like I'm looking at the same question and the answer is different, but I know I'm missing a detail. I may go back through those at a later date, but for the rest of the week my focus is on just going through the questions and answering them over and over.

VCE PT. 2

Back with part 2 of the questions that I don't understand from the VCE. There are lots of questions about DNS/DHCP configs that have several questions associated and, to be honest, I'm not that great with those.

[Image: dns question pt 1]

[Image: dns question pt 2]

To be honest, I have no idea why the answers are what they are, and that's a huge point of contention for me. I have trouble memorizing, but perhaps I can figure it out. At least sort of. What is server 1's IP? Who knows.

    Thoughts

  • Pt 1. OK, so there is a host record, I'm assuming on server 1, but it's not giving an IP for server one or specifying that this DNS manager with zone records is on server 1, but we are going to assume that.
  • Pt. 2 So now that I'm looking at this, I'm starting to think that I wasn't reading the question closely, because if you look at the record for host2 it does not have an IP anywhere in it. I don't really understand how that resolves, but OK.
  • Pt. 3 This one is a little more confusing. I'm honestly not sure why it's necessary to have the host resolve back to itself, or if I'm obsessing over the amount of information provided. Anyway, that's simple enough.

[Image: DFS file]

This one actually has an answer. I'm not sure that there is much to know other than some PowerShell, but I'm shocked it has an answer.

[Image: set vm host]

I thought that I wouldn't find anything, but I actually did, and fairly quickly. Set-VMHost

[Image]

It's really hard to be much more direct than that.

[Image: Schema master]

This one seriously makes no sense, and there isn't enough information that I can read into it to figure out what's going on. It's clear in the question that 1 holds roles, it doesn't say what 2 is doing, and then you take dc1 offline and run a move cmd without using -force. This is memorization for me. Honestly, I don't think I'll find an answer.

[Image: resolved host names]

This one took some looking at, but I realized there is no record for server 2 or adatum, and that's the reason they don't resolve. Which seems really obvious once you start actually looking at it.

That's all for today. I think at this point the only thing left is to memorize the ones I really can't fully understand. Which seems kind of absurd. Whatever, keep pressing on.

Various study questions

I'm almost ready to test, but there are about 60 questions I'm still struggling with, so I'm going to do a few posts about some of those. I'm going to start with this question about connecting on-prem ADFS with Office 365 that includes a service I'm not familiar with. So these questions do not have links or explanations most of the time, it's just the answers. Which is fine once you generally can 'speak server.'

[Image: msol service]

Connect to Office 365 PowerShell

The most important note here is "Commands in the Microsoft Azure Active Directory Module for Windows PowerShell have Msol in their cmdlet name," because it seemed really odd to me at first and I wasn't sure what was going on with it. But at the end of the day I have to remember service, context and then domain.

There are a handful of questions with a ton of answers that get confusing, because most of them are about failover testing and that should not be that complicated, but the scenarios seem to vary, so I'm going to get into that too. But this first one is about DNS mobile device registration, which somehow has something to do with DHCP, and either I don't understand one of these two technologies or this shit is confusing.

[Image: mobile device register]

So I can't find a dang thing about this, but I spent a good 20 mins looking for an answer, so I should be able to remember the DHCP Policy Configuration Wizard. Honestly, this scenario isn't mentioned anywhere online. It's really hard to call out MSFT for these types of questions, but I'm praying that this VCE is enough to actually pass this test. I guess I'll find out soon.

This is another question with 'a lot of possible answers' in it.

[Image: test failover of vm1]

However, there is a pretty straightforward TechNet article on the subject.

Set Up Hyper-V Replica

It clearly explains the failover process in this scenario and being able to test it through the Hyper-V Manager MMC. Very specific.

Test failover: If you want to run a test failover right-click the primary virtual machine and select Replication > Test Failover. Pick the latest or other recovery point if configured. A new test virtual machine will be created and started on the secondary site. After you’ve finished testing, select Stop Test Failover on the replica virtual machine to clean it up. Note that for a virtual machine you can only run one test failover at a time.

This is another ‘lots of answers’ question.

[Image: fail over cluster]

How to migrate Virtual Machine Storage in HYPER-V Failover Clustering

These are straight-up instructions on how to do it. It seems confusing, for some absurd reason, that you would test failover with Hyper-V Manager and migrate storage with the Failover Clustering console, but that is how it works. Hopefully I'll remember that.

I think that’s all for tonight but I have a few more blog posts to do and then hopefully a test to pass. Rather than fail.

VPN types

VPN settings are fairly extensive and this is mostly new tech to me, so I'm going to take a look at this within reason. I'm happy to say that I feel that test prep study is coming along nicely. Anyway, let's get back into this VPN stuff. Before posting the questions I'm going to go through the TechNet articles. Let's start with an obvious but helpful one.

VPN Tunneling Protocols

    Choosing between tunneling protocols

  • PPTP can be used with a variety of Microsoft clients including Microsoft Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. Unlike L2TP/IPsec, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
  • L2TP can only be used with client computers running Windows 2000, Windows XP, or Windows Vista. L2TP supports either computer certificates or a preshared key as the authentication method for IPsec. Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPsec, L2TP/IPsec VPN connections provide data confidentiality, data integrity, and data authentication.
  • Unlike PPTP and SSTP, L2TP/IPsec enables machine authentication at the IPsec layer and user level authentication at the PPP layer.
  • SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1) or Windows Server 2008. By using SSL, SSTP VPN connections provide data confidentiality, data integrity, and data authentication.
  • All three tunnel types carry PPP frames on top of the network protocol stack. Therefore, the common features of PPP, such as authentication schemes, Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPV6) negotiation, and Network Access Protection (NAP), remain the same for the three tunnel types.

This is really helpful information that seems really obvious. This information seems really cut and dried; however, it's from 2012, so it's quite possible we may run into complications later. The other issue is that Windows 10 is mentioned nowhere in this, and let's hope that the clients in our domain are supporting Windows 10.

RAS Gateway High Availability

There are two articles that I have saved on RAS, so this one must be important. OK, for starters:

You can deploy RAS Gateway in multitenant mode as an edge gateway to route tenant customer network traffic to tenant virtual networks and resources.

I mean, internal VPN is one thing for encapsulating traffic, but this literally has 'remote' in the name. What else would you do with RAS besides throw it in front of a firewall to route traffic, securely, to internal resources? Anyway, back to the information at hand. There are lots of things going on in this article. Personally, I'm a big fan of the undefined colored clouds connected to Mixed Pool, GRE Pool and IKEv2. There is so much information here that says "A front-end RAS server connects to a gateway after authentication and then passes the traffic to the internal servers." There are some specifics, but it's mostly theory that may or may not (most likely) be helpful when comprehending the questions at hand. Let's move on.

RAS Gateway for SDN

OK, so I'm interested. Basically this one is advising that this exists and it's designed for multi-tenant application environments. Assuming they mean Docker environs, but it could be anything. The most important thing to me was the definitions towards the end:

    RAS Gateway Features

  • Site-to-site VPN. This RAS Gateway feature allows you to connect two networks at different physical locations across the Internet by using a site-to-site VPN connection. For CSPs that host many tenants in their datacenter, RAS Gateway provides a multitenant gateway solution that allows your tenants to access and manage their resources over site-to-site VPN connections from remote sites, and that allows network traffic flow between virtual resources in your datacenter and their physical network.
  • Point-to-site VPN. This RAS Gateway feature allows organization employees or administrators to connect to your organization’s network from remote locations. For multitenant deployments, tenant network administrators can use point-to-site VPN connections to access virtual network resources at the CSP datacenter.
  • GRE Tunneling. Generic Routing Encapsulation (GRE) based tunnels enable connectivity between tenant virtual networks and external networks. Since the GRE protocol is lightweight and support for GRE is available on most of network devices it becomes an ideal choice for tunneling where encryption of data is not required. GRE support in Site to Site (S2S) tunnels solves the problem of forwarding between tenant virtual networks and tenant external networks using a multi-tenant gateway, as described later in this topic.
  • Dynamic routing with Border Gateway Protocol (BGP). BGP reduces the need for manual route configuration on routers because it is a dynamic routing protocol, and automatically learns routes between sites that are connected by using site-to-site VPN connections. If your organization has multiple sites that are connected by using BGP-enabled routers such as RAS Gateway, BGP allows the routers to automatically calculate and use valid routes to each other in the event of network disruption or failure. For more information, see RFC 4271.

These are actually helpful when trying to sort through answering basic questions. I suppose dealing with PowerShell CMDs is nice too, from the high availability

GRE Tunneling in Windows Server 2016

There is a really good definition in the intro and then some information about plausible uses. It's not marketing, and it's helpful information. The most important part is

    GRE tunnels are useful in many scenarios because:

  • They are lightweight and RFC 2890 compliant, making them interoperable with various vendor devices
  • You can use Border Gateway Protocol (BGP) for dynamic routing
  • You can configure GRE multitenant RAS Gateways for use with Software Defined Networking (SDN)
  • You can use System Center Virtual Machine Manager to manage GRE-based RAS Gateways
  • You can achieve up to 2.0 Gbps throughput on a 6 core virtual machine that is configured as a GRE RAS Gateway
  • A single gateway supports multiple connection modes

Really, that's the only useful info in this.

Network Function Virtualization

    Virtual appliance benefits

  • A virtual appliance is dynamic and easy to change because it is a pre-built, customized virtual machine. It can be one or more virtual machines packaged, updated, and maintained as a unit. Together with software defined networking (SDN), you get the agility and flexibility needed in today’s cloud-based infrastructure. For example:

This is awesome! I've been wondering what an appliance was and I haven't seen solid information on it. There is a lot of info on this topic. Highlight: when they hit the "But wait! There's more!" lick, haha. As I haven't seen much in terms of questions on appliances, I think we are good here. Let's get into the MeasureUp questions.

[Image: question 2]

[Image: question 2 pt2]

This one is pretty much definitional and straightforward. The answers are clear and we have covered all this above.

[Image: part 1]

[Image: part 2]

The only thing I found here to be interesting was L3 being the preferred method for datacenter-to-cloud architecture. Anyway, that's all for the night. Time to go to bed, wake up, go straight to work and come home and start working on this again!

IPAM management roles and configuration

There is so much to IPAM that I need to cover for myself. In this post I'm looking at administrative roles and configurations. There are two questions that I'm looking at, and I think I'll start with the easier of the two.

[Image: Capture]

[Image: Capture2]

This question specifically looks at all the roles and features of the ASM admin; however, there are also a few more potentially assigned roles, along with a way to set an access scope (as previously discussed) by setting an IP range. I'm starting to kind of understand the concept, but I would like to take a closer look at this, as this granular scope of definition question was not quickly answerable to me. It's quite possible I've covered this in a previous post, but it's not quickly memorable to me, so I'm going to go over the entire thing again for my own sake.

IPAM roles

This is the most helpful thing I've found so far. This was not on the 2012 test, that I recall, but MeasureUp keeps going over this and so far hasn't even mentioned Sysvol replication or that GP exists, really.

Address Space Management

Key features of ASM include the following:

  • Integrated management of dynamic and static IP address space
  • Detection and management of conflicts, overlaps, and duplicates in address space across systems
  • Highly customizable inventory view of IP address space
  • Centralized monitoring and reporting of address utilization statistics and trends
  • Support for IPv4 and stateless IPv6 address utilization monitoring
  • Automated discovery of IP address ranges from DHCP scopes
  • Export and import of IP addresses and IP address ranges with Windows PowerShell support
  • IP address usage alerts and notifications with custom thresholds
  • Detection and assignment of available IP addresses

Multi-Server Management and Monitoring

Key features of MSM include the following:

  • Discovery of Microsoft DHCP and DNS servers automatically across an Active Directory forest
  • Manual addition or removal of managed servers
  • End-to-end configuration and management of DHCP servers and scopes
  • Support for advanced constructs to enable add, delete, overwrite, or find and replace operations on multiple DHCP scopes and servers
  • Simultaneous update of common settings across multiple DHCP scopes or DHCP servers
  • Availability monitoring for DHCP and DNS services and DNS zones
  • Management of Microsoft DHCP and DNS servers running Windows 2008 or later operating systems
  • Addition of custom information to servers enabling visualization using logical groups based on business logic
  • Monitoring of DHCP scope utilization
  • Automatic and on-demand retrieval of server data from managed DHCP and DNS servers
  • DNS zone status monitoring based on DNS zone events
  • Classify discovered servers and roles as managed or unmanaged

Network Audit

Key features of network audit include the following:

  • Query the event catalog for DHCP configuration changes across multiple servers from a single console
  • Track users, devices, and IP addresses for specified intervals with advanced queries using DHCP lease logs and logon events from domain controllers and network policy servers
  • Track and report changes made to the IPAM server
  • Export audit findings and create reports
  • Quickly resolve configuration problems and track service level agreements

    I suppose there isn’t really much else to discuss about this. It’s memorization of what each can do. Lets move on to the next one, shall we. Not feeling super sassy tonight to be honest so you may find this one less colorful than usual. I went to bed early and I guess took a nap and woke up fairly late at night and decided to spend some time with this ol’ thing.

     photo ipam requirements_zpsbtgao3tx.png

     photo ipam req pt 2_zpsek2t2fss.png

    This one is a little trickier than the previous question. There are two Microsoft links; however, the layout isn’t quickly helpful for pointing at a bulleted list concerning the specifics of this question. I’m currently trying to watch a silent film in the background with a truly insane soundtrack, so forgive me if my ‘comments from the peanut gallery’ are not quite as up to par as usual on this one.

    IP Address Management (IPAM) Overview

    This one is a lot of hooplah about what it could do without telling you. It’s like ‘Billy Maze here! You’ve heard of DNS, well now there’s IPAM and we do all the work for you! Look, a graph! But wait, there’s more!’ Honestly, I’m not completely roasting it, as there is some useful information here, mostly under the header of ‘IPAM deployment options’, also with a helpful flow chart. I give the town names Hyderabad and Bangalore for very clear, normal places that people would have remote offices (hoping they are using slow link detection on this amazing global escalator). This thing is like a real symphony.

     photo Dimmu-Borgir-Forces-Of-The-Northern-Night-08_zpslhubmhve.jpg

    Ok, so the IPAM specifications might be really helpful, but it’s still not detailed enough to really answer this question.

    Multiple Active Directory forest support in IPAM

    This one is actually specific in discussing that it’s possible to use IPAM over a two-way forest trust in different forests, but it’s not super clear on the specifics. I suppose having one server to manage multiple forests is helpful. The only tricky part of the question is that ever so important ‘,’ between ‘domain controllers, DHCP servers, and DNS servers’, as the material specifies that DHCP servers and DNS servers will be accounted for, but given the, at times, questionable language involving specifics, I could see them wording DCs running DHCP as one thing, which would be discoverable by default.

    This took entirely too long to write, but I think I’m sort of starting to understand this. However, there is one last thing that’s worth reading:

    Configure IPAM VMM Integration

    Seems fairly straightforward, as per the documentation; don’t forget to create a user account for VMM though. However, in the real world, who knows if it works that easily. It quite possibly does, but you never can tell.

    DNS! This is a time sink….

    I’m going to go through some DNS stuff tonight. I understand the concept, but like anything in IT it’s a never-ending hellscape of ideas as to how it works, and eventually you get a feel for it and learn that there are almost never completely hard and fast rules. Funny how the real world works like that too. Anyway, I’m reading to seek some answers that have meaning rather than ‘this goes here’. I want to know why. Memorization for the sake of memorization has always been and will always be boring to me.

     photo dns 1_zpsznedbvbd.png

     photo dns 2_zpszmcpilhl.png

    Without further ado, here is a string of articles that are linked by MeasureUp. As of this point I haven’t read them, but I’m assuming this will work like the last post, where the MSFT links were not exactly helpful.

    Use DNS Policy for Split-Brain DNS in Active Directory

    Use DNS Policy for Applying Filters on DNS Queries

    DNS Policies in Windows Server 2016 Tech Preview 2

    Use DNS Policy for Application Load Balancing

    DNS Policies Overview

    There are 2 more, but they are on the general networking blog, which means that they may or may not load correctly. Generally they don’t. Regardless, that’s a lot to read. I’m going to get back to that as, to be honest, I’m not super familiar with the basic concepts, and usually the TechNet articles assume that you are familiar with the basic concepts. So let’s outline those.

    Traffic Management

    Wow, that was short and sweet and to the point, and they even used “round robin.” So it’s a weighted solution that takes geography into account and accounts for outages to provide the lowest-latency response. Very helpful.

    DNS Forensics

    Honestly, it’s a pretty straightforward thing: analysis of where traffic was routed to and what caused it. Obviously it’s not as simple as that, but that’s a basic overview. If you’re familiar with any bit of infosec at all, you are aware of what the term forensics means.

    Split-Brain DNS

    The MSFT article linked above is the first google result so I went ahead and read that. It wasn’t helpful toward understanding the basic concept. Here we have the basic concept lined out.

    Split-Brain DNS, Split-Horizon DNS, or Split DNS are terms used to describe when two zones for the same domain are created, one to be used by the internal network, the other used by the external network (usually the Internet).

    I can handle that concept fairly easily. So, if I’m understanding this right, you have internal and external servers hosting the same site or application, and the DNS server points to the correct version based on whether the client is internal or external. I like this concept. They drop some words in here that are not exactly the same type of technology but are making a comparison, so before you start saying “it’s like a secondary zone”, be aware that it is not the same thing and you should look up what a Secondary Zone is. Slightly confusing if you’re not up to date on all your definitions. A read-only copy of the same zone will not point you to an internal server for resource access. As to all the granular specifics of how the traffic is resolved in split-brain DNS, we will leave that alone for now. You will find that no matter what vector of information technology you pursue there are always more birds to chase down after you’ve figured out the first one, and at some point you have to say “ok, for now all I need is this concept”.

    How Does DNS Filtering Work?

    This seems pretty straightforward, but dear god is this link annoying. Basically it’s like access control that says certain websites are blocked. The question whose answer involves this is much more complicated than something as simple as blocking traffic to a website that your company doesn’t want users to have access to, especially given the source client information, which is an indicator that this is not a network-wide solution. This kind of has me thinking about granular policies and the implications therein. Clearly they are indicating that this has to be fairly specific, and in the experience I have with the 3rd-party proxy my company uses and how the internal proxies we can set up direct traffic, I can assure you this can involve an immense amount of administrative overhead. However, the question then becomes confusing again because what they are describing sounds very similar to split-brain DNS. I’m very close to chalking this up to arbitrary memorization based on a preferred flavor.

    DNS Responses Based on Time of Day with an Azure Cloud App Server

    When you google this one, this is the first thing that comes up. Honestly it seems pretty apparent. At this point they are not asking how to implement it, and with that, I’ll take the explanation henceforth, which says ‘it changes what server you’re pointing at based on the time of day.’ Clearly I did not grasp that concept based on the name.
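    The three DNS policy behaviours walked through above (split-brain, filtering, time of day) configured on one Windows Server DNS host, as an added example that is not from the post or the linked Microsoft articles; the zone contoso.com, the subnets and the addresses are constructed placeholders.

```powershell
# Added example, not from the post or the linked Microsoft articles. The zone name,
# subnets and addresses are constructed placeholders. Run on the DNS server as admin.
$Zone = "contoso.com"

# --- Split-brain: the same name answers differently depending on who asks ---
# Who counts as "internal" is defined by source subnet, not by which zone copy exists.
Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "10.0.0.0/8"

# A zone scope is a second record set inside the SAME zone (this is what differs from
# a secondary zone, which is a read-only copy of one record set).
Add-DnsServerZoneScope -ZoneName $Zone -Name "InternalScope"

# Default scope carries the public address; the internal scope carries the private one.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "203.0.113.10"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "10.10.0.10" `
    -ZoneScope "InternalScope"

# Queries from InternalSubnet are answered from InternalScope; everything else matches
# no policy and falls through to the default scope, i.e. the public record.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainPolicy" -Action ALLOW `
    -ClientSubnet "EQ,InternalSubnet" -ZoneScope "InternalScope,1" -ZoneName $Zone

# --- Filtering: a server-level policy (no -ZoneName) that silently drops matching queries ---
# Scoped to one client subnet, which is why the question mentions source client data.
Add-DnsServerClientSubnet -Name "GuestWifi" -IPv4Subnet "192.168.50.0/24"
Add-DnsServerQueryResolutionPolicy -Name "GuestBlockPolicy" -Action IGNORE `
    -ClientSubnet "EQ,GuestWifi" -FQDN "EQ,*.blocked.example"

# --- Time of day (server local time): internal clients go to another server after hours ---
Add-DnsServerZoneScope -ZoneName $Zone -Name "AfterHoursScope"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "10.10.0.20" `
    -ZoneScope "AfterHoursScope"
# Both this policy and SplitBrainPolicy match InternalSubnet and the first match wins,
# so it must sit ahead of SplitBrainPolicy in the zone's processing order.
Add-DnsServerQueryResolutionPolicy -Name "AfterHoursPolicy" -Action ALLOW `
    -ClientSubnet "EQ,InternalSubnet" -TimeOfDay "EQ,20:00-23:59" `
    -ZoneScope "AfterHoursScope,1" -ZoneName $Zone -ProcessingOrder 1

# Verify the order (zone policies) and the filter (server policies).
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, ProcessingOrder, Action
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, Action
```

    Testing from a client in each subnet with Resolve-DnsName www.contoso.com shows which scope answered; a client outside both subnets should only ever see the public address.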

    Application load balancer

    This seems like instance balancing for containers, and all the documentation points at AWS stuff, which I found amusing. Obviously AWS tech isn’t going to be tested, and MSFT has their own balancing tech built into the networking fabric.

    So I guess I should read the MSFT stuff now. Ok, I have read through them, and honestly the only helpful one, in this case, is the application load balancing one, and even that one has a really terrible diagram that makes 0 sense. Like ok, the client is asking for a resource, which goes to a DMZ server (I’m assuming) which is in front of them, and then the load hosting servers are not behind that server but rather behind the client asking for access to the resource. lol, perfect. The most confusing thing to me for this one is traffic management. I’m not clear on how this helps sort through geographical resolution; however, it’s quite clear that DNS resolution is a giant time sink, so I’m going to leave it at that. I feel good about the terms ‘forensic’ and ‘split-brain DNS’ though.

    That’s all for tonight. Nick Barnes signing off. Thanks for your time if you read this; hopefully it was helpful, in some manner of speaking.

    Authentication types

    Tonight I’m going to dig through some authentication stuff. There are so many types of authentication from front end to back, from federated Kerberos to pass-through using NTLM. There are so many options, and to be honest the TechNet articles do a better job of confusing than explaining the scenarios and possibilities. I get that when you’re technical this is kind of funny but, darn it, I’m just not to that level yet. I guess I’ll watch one of those study guide videos on YouTube by such and such academy that totally prep you, or order one of those books with the lighthouses on it. Anyway, let’s get into the one question I’m posting and then a flurry of TechNet articles.

     photo Capture_zpskfqk585i.png

     photo pt 2_zps2prynfg6.png

    ok, lol so there are 5 listed and we still have to talk about pass-through auth, and NTLM is at least worth mentioning. I’m sure there is more I could talk about, but I’ll be sure and draw a diagram to insert with a real nice Spaghetti copter filled with Papas Promise!

    Publishing Applications with SharePoint, Exchange and RDG

    Publishing Applications using AD FS Preauthentication

    Planning to Publish Applications Using Web Application Proxy

    Publish Applications using Pass-through Preauthentication

    Step 5: Plan to Publish Applications using Pass-through Preauthentication

    So MeasureUp has ‘kindly’ provided us with 3 very specific scenarios related to the question which don’t really help to get a general idea of how authentication works. Thankfully I’ve come up with a (sarcastic) diagram.

     photo authentication_zpsf8oylqna.png

    You know, to be honest it’s probably best to read everything in the network subheading of TechNet. At least for me, because there is so much to know. It’s kind of baffling to be honest.

    windows-server-supported-networking-scenarios

    Honestly though, if you’re looking for a good time, dig through there for some quality networking diagrams.

    Network Policy Server (NPS)

    I’m not sure if that looks like a robot or if it’s telling me that the remote requires two 9 volts in the side compartments and then 4 underneath it, and then also, due to the fact that this remote is so powerful, it might be a good idea to use rechargeable batteries? I think that’s where it’s going anyway. Back to the task at hand: obviously I’m not going to go through every networking scenario and need to get back to the question, but I will give the advice that it’s very worthwhile to be familiar with anything having to do with RADIUS. At least it was in the past. Unclear on the deprecation factor at this point. May have to check back in on that. Anyway, let’s read some stuff that isn’t the suggested Microsoft stuff that deals specifically with the topics at hand. At this point you may be thinking, ‘Why on earth would we need to check sources that are not Microsoft? Why wouldn’t we look at these hella complicated things when we don’t really know the basics?’ I’m just going to leave this meme here for your perusal (then links):

     photo ea7_zpssgeapr39.jpg

    HTTP Basic

    That seems simple enough but honestly, I have no idea what the fuck happens in that exchange. So I’ve called in my buddy, who is an expert.

    Ok so it’s just basic user name and password authentication, if I’m understanding it right. I didn’t go to school for that sort of thing. In fact I dropped off Security+ study because it got boring. I’m sure I’m pretty close to being able to pass. I do that sometimes though. Get real close to finishing something and then on the home stretch be like ‘nahh fuck it.’ Only with personal things though, to be honest. I’m sure I’m going to pick it back up, but as I started getting into the groove I got real bad excited to start studying Microsoft stuff again. Anyway. That’s how it goes, let’s move on, now that we think we know, meaning we probably have no idea and are arrogant, what we are doing.
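    The exchange in question, modelled in PowerShell as an added example (not from the post or its links); the user name, password, salt and realm are constructed placeholders, and the functions are hypothetical stand-ins for what a web server and browser do, not a real server.

```powershell
# Added example, not from the post or any linked article. Credentials, salt and realm are
# constructed placeholders; these functions model the two messages, not a real web server.

# Step 1 (server -> client): the first request carries no credentials, so the server answers
# 401 with a challenge naming the scheme and a realm.
function New-BasicChallenge {
    param([string]$Realm = "Intranet")
    return @{ Status = 401; Headers = @{ 'WWW-Authenticate' = "Basic realm=""$Realm"", charset=""UTF-8""" } }
}

# Step 2 (client -> server): the browser prompts for a user name and password, joins them with ':'
# and base64-encodes the result into an Authorization header. Base64 is encoding, not encryption,
# so anyone who can read the request can read the password: Basic is only acceptable over TLS.
function New-BasicAuthorizationHeader {
    param([string]$User, [string]$Password)
    $bytes = [Text.Encoding]::UTF8.GetBytes("${User}:${Password}")
    return "Basic " + [Convert]::ToBase64String($bytes)
}

# Salted SHA-256 so the credential store never holds the password itself.
function Get-PasswordHash {
    param([string]$Password, [string]$Salt)
    $sha = [Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes("${Salt}:${Password}"))
    return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Step 3 (server): decode the header and compare against the store. Every request repeats
# steps 2 and 3; there is no session, which is what the cookie-based schemes add on top.
function Test-BasicAuthorization {
    param([string]$Header, [hashtable]$UserStore)
    if (-not $Header.StartsWith('Basic ')) { return $false }
    try { $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Header.Substring(6))) }
    catch { return $false }
    $user, $pass = $decoded.Split([char]':', 2)   # split on the FIRST ':' only; a password may contain ':'
    if (-not $UserStore.ContainsKey($user)) { return $false }
    $entry = $UserStore[$user]
    return (Get-PasswordHash -Password $pass -Salt $entry.Salt) -eq $entry.Hash
}

# Walk-through with a constructed user.
$store = @{ 'nick' = @{ Salt = 'c0ffee'; Hash = (Get-PasswordHash -Password 'Winter2020!' -Salt 'c0ffee') } }
$challenge = New-BasicChallenge -Realm 'Intranet'
$header = New-BasicAuthorizationHeader -User 'nick' -Password 'Winter2020!'
"Server: $($challenge.Status) $($challenge.Headers['WWW-Authenticate'])"
"Client: Authorization: $header"
"Good password accepted: $(Test-BasicAuthorization -Header $header -UserStore $store)"
"Wrong password accepted: $(Test-BasicAuthorization -Header (New-BasicAuthorizationHeader 'nick' 'wrong') -UserStore $store)"
```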

    MS-OFBA

    To be honest, this seems like basic HTTP but with more steps, thus making it more exploitable. I could be wrong on that. I’ve been wrong on things before, though I don’t remember them. However, it’s not that hard to figure out basic HTTP; honestly it seems like the same thing, but they added ‘cookies’ for some reason. This makes absolutely 0 sense and I have no idea what’s going on. Obviously they want you to read white papers for further info. Surprise fuckers! I’m absolutely not reading that shit because I will have 0 understanding.

    OAuth 2

    Lol this is surprisingly helpful. It explains how it works without giving away the amount of information needed to easily break it. Which either means it’s good or these people are drunkenly posting on the internet. Which, for the record, is not what I’m doing while drinking Kyle Juice tm and cheap vodka. (Dieting, and we are coming up on two weeks without a cigarette, and for someone that was a pack a day smoker it’s a big deal.) It looks like this one has a lot of back and forth stuff internally, and I’m not exactly clear on how the client is interacting with this in a way that makes it more secure than HTTP Basic, but I feel comfortable with the idea at least. This isn’t used in the question from MeasureUp, which I can tell you with 90% certainty will not be on the test due to Microsoft’s propensity toward testing only on proprietary information; however, I can also tell you with some degree of certainty that Kerberos most definitely influenced this authentication model and bits of it were definitely harvested to produce this. Would have to call in an expert to confirm though.

    Azure SSO marketing for Pass-through

    Pass-Through basic

    These two, the first one being ‘look how easy this is for end users’ and the second one being a basic overview, are helpful, but they don’t shed any light on how Pass-Through as a basic concept is any different than OAuth. That’s the thing with sign-on and security protocols: they have names, but it’s sort of meaningless. I can assure you, as a person that works for a company that doesn’t exactly have SSO figured out, at least in my department, it’s not that easy. Like ok, so I sign in using a user name and password and then a front-end server connects with a back-end server, which is completely transparent to me as an end user? I don’t understand why this is any different than basic HTTP. You have a server, you auth to it and then it internally accesses the resources it needs. On a conceptual level I understand that it isn’t safe to have a front-end server in a DMZ area with easy access to a back-end server housing data full time, but it’s still slightly confusing to me. I’m starting to grasp the ideas, but there is so much to learn about authentication. I feel like it would be much like what I’ve learned so far about Windows Server though: once you get the basics, everything else is kind of seasoning. However, I can say at this point, when I look at the question I’m far less confused. I really think I should get back to Security+ at some point and blog about all the confusing stuff, as it’s really helpful for me to write the ideas out. CompTIA certs don’t exactly seem to be taken seriously though, so it’s a bit rough for me to sink the money into one as you have to continually renew it now.

    Now that I feel I kind of understand the question, I guess that’s all for tonight. Kind of bummed it took a day and a half to write this, and I feel like it should have been done yesterday and now it’s midnight, but I had a few things to take care of today. I’ll get through this eventually.
