Pro: Windows Server 2008, Server Administrator
Question No: 81 – (Topic 1)
Your network contains two DHCP servers. The DHCP servers are named DHCP1 and DHCP2. The internal network contains 1,000 DHCP client computers that are located on a single subnet. A router separates the internal network from the Internet. The router has a single IP address on the internal interface.
DHCP1 has the following scope information:
->Starting IP address: 172.16.0.1
->Ending IP address: 172.16.7.255
->Subnet mask: 255.255.240.0
You need to provide a fault tolerant DHCP infrastructure that supports the client computers on the internal network. In the event that a DHCP server fails, all client computers must be able to obtain a valid IP address.
How should you configure DHCP2?
Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254.
Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254.
Create a scope for the subnet 172.16.8.0/21. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.10.254.
Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254.
Answer: A Explanation:
Create a scope for the subnet 172.16.0.0/20.
Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254.
Subnet 255.255.240.0 is a /20 subnet in CIDR notation, this allows for 4096 client IPs, ranging from 172.16.0.1 all the way to 172.16.15.254 as DHCP1 only used half of the available IPs then you should configure DHCP2 to use the other half. http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing as an aside you could consider the 80/20 design rule for balancing scope distribution of addresses where multiple DHCP servers are deployed to service the same scope.
Using more than one DHCP server on the same subnet provides increased fault tolerance for servicing DHCP clients located on it. With two DHCP servers, if one server is unavailable, the other server can take its place and continue to lease new addresses or renew existing clients.
A common practice when balancing a single network and scope range of addresses between two DHCP servers is to have 80 percent of the addresses distributed by one DHCP server and the remaining 20 percent provided by a second.
Question No: 82 – (Topic 1)
Your company has a main office and two branch offices. The main office is located in London. The branch offices are located in New York and Paris.
Your network consists of an Active Directory forest that contains three domains named contoso.com, paris.contoso.com, and newyork.contoso.com. All domain controllers run Windows Server 2008 R2 and have the DNS Server server role installed.
The domain controllers for contoso.com are located in the London office. The domain controllers for paris.contoso.com are located in the Paris office. The domain controllers for newyork.contoso.com are located in the New York office.
A domain controller in the contoso.com domain has a standard primary DNS zone for contoso.com. A domain controller in the paris.contoso.com domain has a standard primary DNS zone for paris.contoso.com. A domain controller in the newyork.contoso.com domain has a standard primary DNS zone for newyork.contoso.com.
You need to plan a name resolution strategy for the Paris office that meets the following requirements:
->If a WAN link fails, clients must be able to resolve hostnames for contoso.com.
->If a WAN link fails, clients must be able to resolve hostnames for newyork.contoso.com.
->The DNS servers in Paris must be updated when new authoritative DNS servers are added to newyork.contoso.com.
What should you include in your plan?
Configure conditional forwarding for contoso.com. Configure conditional forwarding for newyork.contoso.com.
Create a standard secondary zone for contoso.com. Create a standard secondary zone for newyork.contoso.com.
Convert the standard zone into an Active Directoryintegrated zone. Add all DNS servers in the forest to the root hints list.
Create an Active Directoryintegrated stub zone for contoso.com. Create an Active Directoryintegrated stub zone for newyork.contoso.com.
Answer: B Explanation:
Understanding Zone Delegation
Applies To: Windows Server 2008, Windows Server 2008 R2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers.
When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
You want to delegate management of part of your DNS namespace to another location or department in your organization.
You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more-fault- tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for
example, to accommodate the opening of a new branch or site.
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
Question No: 83 – (Topic 1)
A company wants to prevent employees who access the company#39;s Remote Desktop Session Hosts (RD Session Hosts) from introducing malware onto the corporate network.
You have the following requirements:
->Ensure that only client computers that have an up-to-date antivirus program installed can connect to the RD Session Hosts.
->Display a notification when a client computer that does not meet the antivirus
requirements attempts to connect to an RD Session Host. Provide information about how to resolve the connection problem.
->Ensure that client computers can access only the RD Session Hosts.
You need to recommend a Remote Desktop Services (RDS) management strategy that meets the requirements.
What should you recommend? (More than one answer choice may achieve the goal. Select the BEST answer.)
Deploy a Remote Desktop Gateway in a perimeter network. Install and configure a Network Policy and Access Services server. Configure the System Health Validator. Enable the Remote Desktop Gateway Network Access Protection Enforcement Client. Configure Remote Desktop Connection Authorization Policies and Remote Desktop Resource Authorization Polices.
Deploy the Routing and Remote Access Service in a perimeter network to support VPN connections. Install and configure a Network Policy and Access Services server. Enable the Network Access Protection VPN Enforcement Client. Configure the System Health Validator. Configure static routes on the VPN server to allow access only to the RD Session Hosts.
Deploy a Remote Desktop Gateway in a perimeter network. Configure Remote Desktop Connection Authorization Policies and Remote Desktop Resource Authorization Polices. Configure a logon message.
Deploy the Routing and Remote Access Service in a perimeter network to support VPN connections. Configure Connection Request Policies to specify which computers can connect to the corporate network. Configure static routes on the VPN server to allow access only to the RD Session Hosts.
Answer: A Explanation:
NAP with SHVs configured will ensure that the AV is installed and up to date. if they ar not you can direct them to a quarantine/remediation server to update http://www.techrepublic.com/article/solutionbase-configuring-network-access-protection-for- windows-server-2008/178022
Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal network resources (computers) that remote users can connect to through an RD Gateway server.
Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD
Question No: 84 – (Topic 1)
You need to recommend a Windows Server 2008 R2 server configuration that meets the following requirements:
->Supports the installation of Microsoft SQL Server 2008
->Provides redundancy for SQL services if a single server fails
What should you recommend?
Install a Server Core installation of Windows Server 2008 R2 Enterprise on two servers. Configure the servers in a failover cluster.
Install a full installation of Windows Server 2008 R2 Standard on two servers. Configure Network Load Balancing on the two servers.
Install a full installation of Windows Server 2008 R2 Enterprise on two servers. Configure Network Load Balancing on the two servers.
Install a full installation of Windows Server 2008 R2 Enterprise on two servers. Configure the servers in a failover cluster.
Answer: D Explanation:
Fail Over Clustering, which is available on the Enterprise edition (not on standard) will provide fail over as required.
Windows Server 2008 Enterprise Edition
Windows Server 2008 Enterprise Edition is the version of the operating system targeted at large businesses. Plan to deploy this version of Windows 2008 on servers that will run applications such as SQL Server 2008 Enterprise Edition and Exchange Server 2007.
These products require the extra processing power and RAM that Enterprise Edition supports. When planning deployments, consider Windows Server 2008 Enterprise Edition in situations that require the following technologies unavailable in Windows Server 2008 Standard Edition:
Failover Clustering I-ail over clustering is a technology that allows another server to continue to service client requests in the event that the original server fails. Clustering is covered in more detail in Chapter 11. quot;Clustering and High Availability.quot; You deploy failover clustering on mission-critical servers to ensure that important resources are available even if a server hosting those resources fails.
Question No: 85 – (Topic 1)
Your network consists of a single Active Directory domain. Your main office has an Internet connection.
Your company plans to open a branch office. The branch office will connect to the main office by using a WAN link. The WAN link will have limited bandwidth. The branch office will not have access to the Internet. The branch office will contain 30 Windows Server 2008 R2 servers.
You need to plan the deployment of the servers in the branch office. The deployment must meet the following requirements:
->Installations must be automated.
->Computers must be automatically activated.
->Network traffic between the offices must be minimized.
What should you include in your plan?
In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services (WDS).
Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server and Windows Deployment Services (WDS).
In the main office, implement Windows Deployment Services (WDS). In the branch office, implement a DHCP server and implement the Key Management Service (KMS).
Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS).
Answer: A Explanation:
The key here is that bandwidth from the branch to the main office is limited and there is no direct link to MS.
WDS and Product Activation
Although product activation does not need to occur during the actual installation process, administrators considering using WDS to automate deployment should also consider using volume activation to automate activation. Volume activation provides a simple centralized method that systems administrators can use for the activation of large numbers of deployed
servers. Volume activation allows for two types of keys and three methods of activation. The key types are the Multiple Activation Key (MAK) and the Key Management Services (KMS) key.
Multiple Activation Keys allow activation of a specific number of computers. Each successful activation depletes the activation pool. For example, a MAK key that has 100 activations allows for the activation of 100 computers. The Multiple Activation Key can use the MAK Proxy Activation and the MAK Independent Activation activation methods. MAK Proxy Activation uses a centralized activation request on behalf of multiple products using a single connection to Microsoft’s activation servers. MAK Independent Activation requires that each computer activates individually against Microsoft#39;s activation servers.
The Branch office has no internet connection, so MAK is not the solution.
KMS requires at least 25 computers connecting before activation can occur, and activation must be renewed by reconnecting to the KMS server every 180 days.
You can use KMS and MAK in conjunction with one another. The number of computers, how often they connect to the network, and whether there is Internet connectivity determines which solution you should deploy. You should deploy MAK if substantial numbers of computers do not connect to the network for more than 180 days. If there is no Internet connectivity and more than 25 computers, you should deploy KMS. If there is no Internet connectivity and less than 25 computers, you will need to use MAK and activate each system over the telephone.
Question No: 86 – (Topic 1)
Your company has a main office and two branch offices. Each office has a domain controller and file servers. Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. You need to plan the deployment of Distributed File System (DFS) to meet the following requirements:
路Ensure that users see only the folders to which they have access
路Ensure that users can access the data locally
路Minimize the bandwidth required to replicate data What should you include in your plan?
Deploy a stand-alone DFS namespace. Enable access-based enumeration and use DFS Replication.
Deploy a stand-alone DFS namespace. Enable access-based enumeration and use File Replication Service (FRS).
Deploy a domain-based DFS namespace and use DFS Replication. Modify each share to be a hidden share.
Deploy a domain-based DFS namespace and use File Replication Service (FRS). Modify each share to be a hidden share.
Answer: A Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration: Distributed File System (DFS) DFS is considerably enhanced in Windows Server 2008. It consists of two technologies, DFS Namespaces and DFS Replication, that you can use
(together or independently) to provide fault-tolerant and flexible file sharing and replication services.
DFS Namespaces lets you group shared folders on different servers (and in multiple sites) into one or more logically structured namespaces. Users view each namespace as a single shared folder with a series of subfolders. The underlying shared folders structure is hidden from users, and this structure provides fault tolerance and the ability to automatically connect users to local shared folders, when available, instead of routing them over wide area network (WAN) connections.
DFS Replication provides a multimaster replication engine that lets you synchronize folders on multiple servers across local or WAN connections. It uses the Remote Differential Compression (RDC) protocol to update only those files that have changed since the last replication. You can use DFS Replication in conjunction with DFS Namespaces or by itself. This lesson summarizes DFS only very briefly as part of your planning considerations.
Lesson 2 of this chapter discusses the topic in much more depth.
Exam TipPrevious Windows Server examinations have contained a high proportion of DFS questions. There is no reason to believe 70-646 will be any different.
You can also use Share And Storage Management to view and modify the properties of a shared folder or volume, including the local NTFS permissions and the network access permissions for that shared resource. To do this you again select the shared resource on the Shares tab and select Properties in the Actions pane.
Figure 6-6 shows the Properties dialog box for the share folder Public. The Permissions tab lets you specify share and NTFS permissions. Clicking Advanced lets you configure user limits and caching and disable or enable access-based enumeration (ABE). ABE is enabled by default and lets you hide files and folders from users who do not have access to them.
Question No: 87 – (Topic 1)
Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. All client computers run Windows 7. Users store all of their files in their Documents folder. Many users store large files.
You plan to implement roaming user profiles for all users by using Group Policy. You need to recommend a solution that minimizes the amount of time it takes users to log on and log
off of the computers that use the roaming user profiles. What should you recommend?
Modify the Group Policy object (GPO) to include folder redirection.
Modify the Group Policy object (GPO) to include Background Intelligent Transfer Service (BITS) settings.
On the server that hosts the roaming user profiles, enable caching on the profiles share.
On any server, install and configure the Background Intelligent Transfer Service (BITS) server extensions.
Answer: A Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration: Planning and Managing Group Policy
Planning your Group Policy is in part planning your organizational structure. If you have a huge number of OUs-some inheriting policies, others blocking inheritance, several OUs linking to the same GPO, and several GPOs linking to the same OU-you have a recipe for disaster. While too few OUs and GPOs is also a mistake, most of us err on the side of having too many. Keep your structures simple. Do not link OUs and GPOs across site boundaries. Give your OUs and GPOs meaningful names.
When you are planning Group Policy you need to be aware of the Group Policy settings that are provided with Windows Server 2008. These are numerous and it is not practical to memorize all of them, but you should know what the various categories are. Even if you do not edit any policies, exploring the Group Policy structure in Group Policy Management Editor is worthwhile. You will develop a feel for what is available and whether you need to generate custom policies by creating ADMX files.
You also need a good understanding of how Group Policy is processed at the client. This happens in the following two phases:
Core processing When a client begins to process Group Policy, it must determine whether it can reach a DC, whether any GPOs have been changed, and what policy settings must be processed. The core Group Policy engine performs the processing of this in the initial phase.
Client-side extension (CSE) processing In this phase, Group Policy settings are placed in various categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. A specific
CSE processes the settings in each category, and each CSE has its own rules for processing settings. The core Group Policy engine calls the CSEs that are required to process the settings that apply to the client.
CSEs cannot begin processing until core Group Policy processing is completed. It is therefore important to plan your Group Policy and your domain structure so that this happens as quickly and reliably as possible. The troubleshooting section later in this lesson
discusses some of the problems that can delay or prevent core Group Policy processing.
Question No: 88 – (Topic 1)
Your network contains a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are 1,000 client computers that run Windows 7 and that are connected to managed switches. You need to recommend a strategy for network access that meets the following requirements:
路Users are unable to bypass network access restrictions.
路Only client computers that have uptodate service packs installed can access the network.
路Only client computers that have uptodate antimalware software installed can access the network. What should you recommend?
Implement Network Access Protection (NAP) that uses DHCP enforcement.
Implement Network Access Protection (NAP) that uses 802.1x enforcement.
Implement a Network Policy Server (NPS), and enable IPsec on the domain controllers.
Implement a Network Policy Server (NPS), and enable Remote Authentication DialIn User Service (RADIUS) authentication on the managed switches.
Answer: B Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration: Integration with network access protection (NAP)System Center Configuration Manager 2007 lets your organization enforce compliance of software updates on client computers. This helps protect the integrity of the corporate network through integration with the
Microsoft Windows Server 2008 NAP policy enforcement platform. NAP policies enable you to define which software updates to include in your system health requirements. If a client computer attempts to access your network, NAP and System Center Configuration Manager 2007 work together to determine the client’s health state compliance and determine whether the client is granted full or restricted network access. If the client is noncompliant, System Center Configuration Manager 2007 can deliver the necessary software updates so that the client can meet system health requirements and be granted full network access.
Restrict network accessSystem Center Configuration Manager 2007 NAPenables you to
include software updates in your system health requirements.NAP policies define which software updates need to be included, and the System Center Configuration Manager 2007 System Health Validator point passes the client’s compliant or noncompliant health state to the Network Policy Server, which determines whether to grant the client full or restricted network access. Noncompliant clients can be automatically brought into compliance through remediation. This requires the System Center Configuration Manager 2007 software updates feature to be configured and operational.
NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAPenforces limited network access. This is done through an Enforcement Client (EC). Windows Vista, Windows XP Service Pack 3, and Windows Server 2008 include NAPEC support for IPsec, IEEE 802.1X, Remote Access VPN, and DHCP enforcement methods. Windows Vista and Windows Server 2008 also support NAP enforcement for Terminal Server Gateway connections.
NAP enforcement methods can either be used individually or can be used in conjunction with each other to limit the network access of computers that are found not to be in compliance with configured health policies. Hence you can apply the remote access VPN and IPsec enforcement methods to ensure that internal clients and clients coming in from the Internet are only granted access to resources if they meet the appropriate client health benchmarks.
802.1X NAP Enforcement
802.1X enforcement makes use of authenticating Ethernet switches or IEEE 802.11 Wireless Access Points.
These compliant switches and access points only grant unlimited network access to computers that meet the compliance requirement. Computers that do not meet the compliance requirement are limited in their communication by a restricted access profile. Restricted access profiles work by applying IP packet filters or VLAN (Virtual Local Area Network) identifiers. This means that hosts that have the restricted access profile are allowed only limited network communication. This limited network communication generally allows access to remediation servers. You will learn more about remediation servers later in this lesson.
An advantage of 802.1X enforcement is that the health status of clients is constantly assessed. Connected clients that become noncompliant will automatically be placed under the restricted access profile. Clients under the restricted access profile that become compliant will have that profile removed and will be able to communicate with other hosts on the network in an unrestricted manner. For example, suppose that a new antivirus update comes out. Clients that have not installed the update are put under a restricted access profile until the new update is installed. Once the new update is installed, the clients are returned to full network access.
A Windows Server 2008 computer with the Network Policy Server role is necessary to support 802.1X NAP enforcement. It is also necessary to have switch and/or wireless access point hardware that is 801.1xcompliant.
Client computers must be running Windows Vista, Windows Server 2008, or Windows XP Service Pack 3 because these operating systems include the EAPHost EC.
MORE INFO 802.1X enforcement step-by-step
Question No: 89 – (Topic 1)
Your network consists of a single Active Directory domain. The network contains five Windows Server 2008 R2 servers that host Web Applications. You need to plan a remote management strategy to manage the Web servers.
Your plan must meet the following requirements:
->Allow Web developers to configure features on the Web sites
->Prevent Web developers from having full administrative rights on the Web servers
What should you include in your plan?
Configure request filtering on each Web server.
Configure authorization rules for Web developers on each Web server.
Configure the security settings in Internet Explorer for all Web developers by using a Group Policy.
Add the Web developers to the Account Operators group in the domain.
Answer: B Explanation:
http://mscerts.programming4.us/windows_server/windows server 2008 %2 0controlling access to web services (part 5) –
managing url authorization rules.aspx
Managing URL Authorization Rules
Authorization is a method by which systems administrators can determine which resources and content are available to specific users Authorization relies on authentication to validate the identity of a user. Once the identity has been proven, authorization rules determine
which actions a user or computer can perform IIS provides methods of securing different types of content using URL-based authorization. Because Web content is generally requested using a URL that includes a full path to the content being requested, you can configure authorization settings easily, using IIS Manager
Creating URL Authorization Rules
To enable URL authorization, the UrlAuthorizationModule must be enabled Authorization rules can be configured at the level of the Web server for specific Web sites, for specific Web applications, and for specific files (based on a complete URL path). URL authorization rules use inheritance so that lower-level objects inherit authorization settings from their parent objects (unless they are specifically overridden).
To configure authorization settings, select the appropriate object in the left pane of IIS Manager, and then select Authorization Rules in Features View. Figure 6 shows an example of multiple rules configured for a Web site.
Figure 6. Viewing authorization rules for a Web site
There are two types of rules: Allow and Deny. You can create new rules by using the Add Allow Rule and Add Deny Rule commands in the Actions pane The available options for both types of rules are the same.
(See Figure 7) When creating a new rule, the main setting is to determine to which users the rule applies. The options are:
All Anonymous Users
Specific Roles Or User Groups
When you choose to specify users or groups to which the rule applies, you can type the appropriate names in a command-separated list. The specific users and groups are defined using NET role providers. This is a standard feature that is available to ASP NET Web developers. Developers can create their own roles and user accounts and can define permissions within their applications. Generally, information about users and roles is stored in a relational database or relies on a directory service such as Active Directory.
In addition to user and role selections, you can further configure an authorization rule based on specific HTTP verbs. For example, if you want to apply a rule only for POST commands (which are typically used to send information from a Web browser to a Web server), add only the POST verb to the rule
Managing Rule Inheritance
As mentioned earlier in this section, authorization rules are inherited automatically by lower-level objects This is useful when your Web site and Web content is organized hierarchically based on intended users or groups The Entry Type column shows whether a rule has been inherited from a higher level or whether it has been defined locally IIS
Manager automatically will prevent you from creating duplicate rules. You can remove rules at any level, including both Inherited and Local entry types
Question No: 90 – (Topic 1)
Your network contains two servers that run the Server Core installation of Windows Server 2008 R2. The two servers are part of a Network Load Balancing cluster.
The cluster hosts a Web site. Administrators use client computers that run Windows 7.
You need to recommend a strategy that allows the administrators to remotely manage the Network Load Balancing cluster. Your strategy must support automation.
What should you recommend?
On the servers, enable Windows Remote Management (WinRM).
On the servers, add the administrators to the Remote Desktop Users group.
On the Windows 7 client computers, enable Windows Remote Management (WinRM).
On the Windows 7 client computers, add the administrators to the Remote Desktop Users group.
Answer: A Explanation:
WinRM is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows for hardware and operating systems from different vendors to interoperate. The WS-Management Protocol specification provides a common way for systems to access and exchange management information across an IT infrastructure.
WinRM 2.0 includes the following new features:
The WinRM Client Shell API provides functionality to create and manage shells and shell operations, commands, and data streams on remote computers.
The WinRM Plug-in API provides functionality that enables a user to write plug-ins by implementing certain APIs for supported resources and operations.
WinRM 2.0 introduces a hosting framework. Two hosting models are supported. One is Internet Information Services (HS)-based and the other is WinRM service-based.
Association traversal lets a user retrieve instances of Association classes by using a standard filtering mechanism.
WinRM 2.0 supports delegating user credentials across multiple remote computers.
Users of WinRM 2.0 can use Windows PowerShell cmdlets for system management.
WinRM has added a specific set of quotas that provide a better quality of service and allocate server resources to concurrent users. The WinRM quota set is based on the quota infrastructure that is implemented for the IIS service.
(ALL UPPER-CASE = value that must be supplied by user.) winrs [-/SWITCH[:VALUE]] COMMAND
COMMAND – Any string that can be executed as a command in the cmd.exe shell.
(All switches accept both short form or long form. For example both -r and
-remote are valid.)
-r[emote]:ENDPOINT – The target endpoint using a NetBIOS name or the standard connect ion URL: [TRANSPORT://]TARGET[:PORT]. If not specified
-r:localhost is used.
-un[encrypted] – Specify that the messages to the remote shell will not be encrypted. This is useful for troubleshooting, or when the network traffic is already encrypted using ipsec, or when physical security is enforced. By default the messages are encrypted
using Kerberos or NTLM keys. This switch is ignored when HTTPS transport is selected.
-u[sername]:USERNAME – Specify username on command line. If not specified the tool will use Negotiate authentication or prompt for the name.
If -username is specified, -password must be as well.
-p[assword]:PASSWORD – Specify password on command line. If -password is not specified but -username is the tool will prompt for the password. If -password is specified, – user must be specified as well.
-t[imeout]:SECONDS – This option is deprecated.
-d[irectory]:PATH – Specifies starting directory for remote shell. If not specified the remote shell will start in the user#39;s home directory defined by the environment variable
-env[ironment]:STRING=VALUE – Specifies a single environment variable to be set when shell starts, which allows changing default environment for shell. Multiple occurrences of
this switch must be used to specify multiple environment variables.
-noe[cho] – Specifies that echo should be disabled. This may be necessary to ensure that user#39;s answers to remote prompts are not displayed locally. By default echo is quot;onquot;.
-nop[rofile] – Specifies that the user#39;s profile should not be loaded. By default the server will attempt to load the user profile. If the remote user is not a local administrator on the target system then this option will be required (the default will result in error).
-a[llow]d[elegate] – Specifies that the user#39;s credentials can be used to access a remote share, for example, found on a different machine than the target endpoint.
-comp[ression] – Turn on compression. Older installations on remote machines may not support compression so it is off by default.
-[use]ssl – Use an SSL connection when using a remote endpoint. Specifying this instead of the transport quot;https:quot; will use the default WinRM default port.
-? – Help
To terminate the remote command the user can type Ctrl-C or Ctrl-Break, which will be sent to the remote shell. The second Ctrl-C will force termination of winrs.exe.
To manage active remote shells or WinRS configuration, use the WinRM tool. The URI alias to manage active shells is shell/cmd. The URI alias for WinRS configuration is winrm/conf
ig/winrs. Example usage can be found in the WinRM tool by typing quot;WinRM -?quot;.
winrs -r:https://myserver.com command winrs -r:myserver.com -usessl command winrs -r:myserver command
winrs -r:http://127.0.0.1 command
winrs -r:http://18.104.22.168:80 -unencrypted command winrs -r:https://[::FFFF:22.214.171.124] command
winrs -r:http://[1080:0:0:0:8:800:200C:417A]:80 command
winrs -r:https://myserver.com -t:600 -u:administrator -p:$%fgh7 ipconfig
winrs -r:myserver -env:PATH=^%PATH^%;c:\tools -env:TEMP=d:\temp config.cmd winrs -r:myserver netdom join myserver /domain:testdomain /userd:johns
winrs -r:myserver -ad -u:administrator -p:$%fgh7 dir \\anotherserver\share
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|