Microsoft.TestKing.70-640.v2012-03-15.by - GRATIS EXAM · Version Windows Server 2003, Windows...

70-640-Combo

Number: 70-640Passing Score: 700Time Limit: 240 minFile Version: 14

http://www.gratisexam.com/

70-640 Exam

TS: Windows Server 2008 Active Directory Configurin g

By RedaXium

Incorrect Questions fixed as per posts

V 2.0

Sections1. AD Sites & Services2. Configuring Additional AD Server Roles3. Configuring AD Backup-Restore4. Configuring AD Infrastructure5. Configuring AD DNS6. Configuring AD Certificate Services7. Configuring AD Rights Mgmt Services8. Configuring AD Federated Services9. Configuring AD LDS10.Configuring AD FSMO Roles11.Configuring Domains and Trusts12.Configuring Group Policy13.Creating & Maintaining AD Objects14.Maintaining the AD Environment15.Powershell & Command line cmds16.Cooper Exam D

Exam A

QUESTION 1

Your network contains an Active Directory domain. The relevant servers in the domain are configured as shownin the following table:

Server name Operating System Server role

Server1 Windows 2008 Domain controller

Server2 Windows 2008 R2 Enterprise root certification authority (CA)

Server3 Windows 2008 R2 Network Device Enrollment Service (NDES)

You need to ensure that all device certificate requests use the MD5 hash algorithm.

What should you do?

A. On Server2, run the Certutil tool.B. On Server1, update the CEP Encryption certificate template.C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm

\HashAlgorithm registry key.

Correct Answer: DSection: Configuring AD DNSExplanation

Explanation/Reference:Configuring the Network Device Enrollment Service

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\ MSCEP

HashAlgorithm\HashAlgorithm

String SHA1 Specifies the hash algorithm theservice will use when constructing therequest to the CA.

http://technet.microsoft.com/en-us/library/cc787544%28WS.10%29.aspx

----------------------------------------------------------------------------------------------------------------------------------------------------------------Edit the registry to enable the hash algorithm

HKEY_Current_User\Software\Microsoft

HKEY_Current_User\Software\Microsoft contains registry settings for user certificates that have beendistributed by means other than Group Policy. These settings are stored in the following subkeys:

HKEY_Current_User\Software\Microsoft\Cryptography HKEY_Current_User\Software\Microsoft\SystemCertificates

The following registry entries are located under HKEY_Current_User\Software\Microsoft\Cryptography.AutoenrollmentRegistry path

HKEY_Current_User\Software\Microsoft\Cryptography\

Version

Windows Server 2003, Windows 2000, and Windows XP

This setting is used to manage event logging and cached directory service data when user certificateautoenrollment has been enabled.AEExpressRegistry path

HKEY_Current_User\Software\Microsoft\Cryptography\Autoenrollment

QUESTION 2.

Your network contains an Active Directory domain.

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise rootcertification authority (CA).

You have a client computer named Computer1 that runs Windows 7. You enable automatic certificateenrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computerscan automatically enroll for certificates.

Which command should you run on Computer1?

A. certreq.exe retrieveB. certreq.exe submitC. certutil.exe getkeyD. certutil.exe pulse

Correct Answer: DSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx

----------------------------------------------------------------------------------------------------------------------------------------------------------------Applies To: Windows Server 2008/R2

Certutil.exe is a command-line program that is inst alled as part of Certificate Services . You can use Certutil.exe to dump and display certification authority (CA) configuration information, configureCertificate Services, back up and restore CA components, and verify certificates, key pairs, and certificatechains.

-pulse Pulse auto enrollment events

-getkey Retrieve an archived private key recovery blob

-resubmit Resubmit a pending certificate request

the other options are not defined.

QUESTION 3.

Your network contains two Active Directory forests named contoso.com and adatum.com. The functional levelof both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory CertificateServices (AD CS) is configured in the contoso.com forest to allow users from both forests to automaticallyenroll user certificates.

You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.comcertification authority (CA).

What should you configure in the adatum.com domain?

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.C. From the Default Domain Policy, modify the Certificate Enrollment policy.D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.

Correct Answer: CSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd851772.aspxConfiguring certificate enrollment policy settings byusing Group Policy

Properties Opens the Certificate Enrollment Policy Server Properties dialog box, which displays the policydetails and list of enrollment policy servers for the selected enrollment policy.

Enable for automatic enrollment and renewal Specifies that the enrollment policy is used for autoenrollment when autoenrollment is enabled.On computers running Windows 7 that are not members of a domain, autoenrollment is enabled by default. Oncomputers that are members of a domain, autoenrollment must be enabled in Group Policy.----------------------------------------------------------------------------------------------------------------------------------------------------------------Domain Admins is the minimum group membership required to complete this procedure.To configure certificate enrollment policy settings in Group Policy

Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.

In the console tree, expand the forest and domain that contain the policy that you want to edit, and clickGroup Policy Objects.

Right-click the policy that you want to edit, and then click Edit.

In the console tree under Computer Configuration\Policies\Windows Settings\Security Settings, click PublicKey Policies.

Double-click Certificate Services Client – Certificate Enrollment Policy . For more information about thesettings in this dialog box, see the "Certificate Services Client – Certificate Enrollment Policy Properties dialogbox" table later in this topic.

Click Add to open the Certificate Enrollment Policy Server dialog box. For more information about thesettings in this dialog box, see the "Certificate Enrollment Policy Server dialog box" table later in this topic.

Do one of the following:

To add the enrollment policy provided by Active Directory Domain Services (AD DS), select the Usedefault Active Directory domain controller URI check box.

In the Enter enrollment policy server URI box, type a certificate enrollment policy server URI.

In the Authentication type list, select the authentication type required by the enrollment policy server.

Click Validate, and review the messages in the Certificate enrollment policy server properties area. The Addbutton is available only when the enrollment policy server URI and authentication type are valid.

Click Add.

QUESTION 4.

You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) roleservices installed:

-Enterprise root certification authority (CA)-Certificate Enrollment Web Service-Certificate Enrollment Policy Web Service

You create a new certificate template.External users report that the new template is unavailable when they request a new certificate.You verify that all other templates are available to the external users.You need to ensure that the external users can request certificates by using the new template.

What should you do on Server1?

A. Run iisreset.exe /restart.B. Run gpupdate.exe /force.C. Run certutil.exe dspublish.D. Restart the Active Directory Certificate Services service.

Correct Answer: ASection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:Q - Normally you can use gpupdate /force and or certutil -pulse on the users computer to refresh there localcertificate store for issued certificates or templates.But it states what should you do on Server1

http://technet.microsoft.com/en-us/library/gg398409.aspx

http://www.tech-faq.com/the-certificate-enrollment-process.html

http://support.microsoft.com/kb/317584----------------------------------------------------------------------------------------------------------------------------------------------------------------

Restart IIS service to republish sites

Overview of iisreset.exeIisreset.exe uses the following syntax:iisreset[ computername]NOTE: Items in [] are optional.

While iisreset will run this without arguments, you may wish to perform other functions. You can use thefollowing parameters with Iisreset.exe:

computername: Use this parameter to specify the computer that you want to manage. If you omit thisparameter, the local computer is specified. /restart: Use this parameter to stop and restart all of the running Internet services. /start: Use this parameter to start all of the Internet services that are stopped. /stop: Use this parameter to stop all of the running Internet services. /reboot: Use this parameter to restart the computer. /rebootonerror: Use this parameter to restart the computer if an error occurs after the Internet servicesattempt to start, stop, or restart. /noforce: Use this parameter so that the Internet services do not shut down forcefully if you cannot stop theservices gracefully. /timeout:value Use this parameter (where value is a timeout value in seconds) to specify the time thecomputer waits for the Internet services to stop. After the computer stops, it restarts if you use the /rebootonerror parameter. The following list describes the default values: The default value is 20 seconds if you use this parameter with /restart. The default value is 60 seconds if you use this parameter with /stop. The default value is 0 seconds if you use this parameter with /reboot. /status: Use this parameter to display the status of all of the Internet services. /enable: Use this parameter to enable the Internet services to restart. /disable: Use this parameter to disable the Internet services restart process.

QUESTION 5.

Your network contains an enterprise root certification authority (CA). You need to ensure that a certificateissued by the CA is valid.

What should you do?

A. Run syskey.exe and use the Update option.B. Run sigverif.exe and use the Advanced option.C. Run certutil.exe and specify the -verify parameter.D. Run certreq.exe and specify the -retrieve parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc962081.aspx

-----------------------------------------------------------------------------------------------------------------certutil.exe -verify - verify certifcate, CRL, or c hain

QUESTION 6.

You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.

Users are required to log on to the domain by using a smart card. Your company's corporate security policystates that when an employee resigns, his ability to log on to the network must be immediately revoked.

An employee resigns. You need to immediately prevent the employee from logging on to the domain.

What should you do?

A. Revoke the employee's smart card certificate.B. Disable the employee's Active Directory account.C. Publish a new delta certificate revocation list (CRL).D. Reset the password for the employee's Active Directory account.

Correct Answer: BSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:For most of these options, there appears to be a lag time or possible ways around the solution. Simplydisabling the user's account seems to be the fastest and most fool-proof solution.

http://technet.microsoft.com/en-us/library/cc781527%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------Disable an AD acct

ADUC > right click - Disable/Enable

Cmd Line

dsmod userUserDN-disabled {yes|no}

QUESTION 7.

You add an Online Responder to an Online Responder Array. You need to ensure that the new OnlineResponder resolves synchronization conflicts for all members of the Array.

What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.C. From the Online Responder Management Console, select the new Online Responder, and then select Set

as Array Controller.D. From the Online Responder Management Console, select the new Online Responder, and then select

Synchronize Members with Array Controller.


Explanation/Reference:Although each Online Responder in an Array can be configured and managed independently, in case ofconflicts the configuration information for the Array controller will override configuration options set on otherArray members.

http://technet.microsoft.com/en-us/library/cc731175.aspx---------------------------------------------------------------------------------------------------------------------------------------------------Online Responder

QUESTION 8.

Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterpriseroot certification authority (CA).


You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.

You revoke a certificate issued to an external partner. You need to prevent the external partner from accessingthe Web site.

What should you do?

A. Run certutil.exe -crl.B. Run certutil.exe -delkey.C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.D. From Active Directory Users and Computers, modify the Contact object for the external partner.



-----------------------------------------------------------------------------------------------------------------certutil -CRL - Publish new certificate revocation lists (CRLs) [or only delta CRLs]

-revoke - Revoke a certificate

QUESTION 9.

Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standardprimary zone .

You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need toensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.

What should you do?

A. Create a new stub zone named ad.contoso.com on DC2.

B. Configure the DNS server on DC2 to forward requests to DC1.C. Create a new secondary zone named ad.contoso.com on DC2.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.


Explanation/Reference:support.microsoft.com/kb/816101--------------------------------------------------------------------------------------------------------------------------Convert Primary DNS Server to Active Directory Inte grated Primary

On the current DNS server, start DNS Manager. Right-click a DNS zone, click Properties, click the General tab, and then note the Type value. This will bePrimary zone, Secondary zone or Stub zone. Click Change. In the Change Zone Type box, click to select the Store the zone in Active Directory (available only if DNSserver is a domain controller) check box. When you are prompted to answer whether want this zone to becomeActive Directory integrated, click Yes, and then click OK. In the Domain properties, the type now shows "Active Directory-Integrated"

QUESTION 10.

Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNSservers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that thecontoso.com zone has multiple entries for the host names of computers that do not exist.

You need to configure the contoso.com zone to automatically remove expired records.

What should you do?

A. Enable only secure updates on the contoso.com zone.B. Enable scavenging and configure the refresh interval on the contoso.com zone.C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone.

Correct Answer: BSection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc759204%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------------------------Enable scavenging and configure the refresh interva l - DNS

If left unmanaged, the presence of stale RRs in zone data might cause some problems. The following areexamples:

If a large number of stale RRs remain in server zones, they can eventually take up server disk space andcause unnecessarily long zone transfers.

DNS servers loading zones with stale RRs might use outdated information to answer client queries,potentially causing the clients to experience name resolution problems on the network.

The accumulation of stale RRs at the DNS server can degrade its performance and responsiveness.

In some cases, the presence of a stale RR in a zone could prevent a DNS domain name from being used byanother computer or host device.

To solve these problems, the DNS Server service has the following features:

Time stamping, based on the current date and time set at the server computer, for any RRs addeddynamically to primary-type zones. In addition, time stamps are recorded in standard primary zones whereaging/scavenging is enabled.

For RRs that you add manually, a time stamp value of zero is used, indicating that they are not affected bythe aging process and can remain without limitation in zone data unless you otherwise change their time stampor delete them.

Aging of RRs in local data, based on a specified refresh time period, for any eligible zones.

Only primary type zones that are loaded by the DNS Server service are eligible to participate in this process.

Scavenging for any RRs that persist beyond the specified refresh period.

When a DNS server performs a scavenging operation, it can determine that RRs have aged to the point ofbecoming stale and remove them from zone data. Servers can be configured to perform recurring scavengingoperations automatically, or you can initiate an immediate scavenging operation at the server.

QUESTION 11.

Your company has a main office and a branch office. The company has a single-domain Active Directory forest.

The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. Thebranch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domaincontrollers hold the DNS Server server role and are configured as Active Directory- integrated zones. The DNSzones only allow secure updates.

You need to enable dynamic DNS updates on DC3.

What should you do?

A. Run the Ntdsutil.exe DS Behavior commands on DC3.B. Run the Dnscmd.exe /ZoneResetType command on DC3.C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.D. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-

integrated zones.

Correct Answer: CSection: Configuring Additional AD Server RolesExplanation


A RODC vs.a writable DC

QUESTION 12.

Your company has a main office and five branch offices that are connected by WAN links. The company has anActive Directory domain named contoso.com. Each branch office has a member server configured as a DNS

server. All branch office DNS servers host a secondary zone for contoso.com.

You need to configure the contoso.com zone to resolve client queries for at least four days in the event that aWAN link fails.

What should you do?

A. Configure the Expires after option for the contoso.com zone to 4 days.B. Configure the Retry interval option for the contoso.com zone to 4 days.C. Configure the Refresh interval option for the contoso.com zone to 4 days.D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.

Correct Answer: ASection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/bb727018.aspx------------------------------------------------------------------------------------------------------------------------------------------DNS Config

Expires After The period of time for which zone information is valid on the secondary server. If the secondaryserver can't download data from a primary server within this period, the secondary server lets the data in itscache expire and stops responding to DNS queries. Setting Expires After to seven days allows the data on asecondary server to be valid for seven days.

QUESTION 13.

Your company has an Active Directory domain named contoso.com. The company network has two DNSservers named DNS1 and DNS2.

The DNS servers are configured as shown in the following table:

DNS1 DNS2

_msdcs.contoso.comcontoso.com

.(root)_msdcs.contoso.comcontoso.com

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to InternetWeb sites.

You need to enable Internet name resolution for all client computers.

What should you do?

A. Create a copy of the .(root) zone on DNS1.B. Update the list of root hints servers on DNS2.C. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.D. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.


Explanation/Reference:http://support.microsoft.com/kb/298148

----------------------------------------------------------------------------------------------------------------------------------------------DNS Root zone

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone forthe domain is created and a root zone, also known as a dot zone, is also created. This root zone may preventaccess to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones otherthan those that are listed with DNS, and you cannot configure forwarders or root hint servers. For thesereasons, you may have to remove the root zone.

QUESTION 14.

Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com.

You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computersin a DNS domain named fabrikam.com.Fabrikam.com has a DHCP server and a DNS server.

Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has an A recordin the fabrikam.com DNS zone. What are two possible ways to achieve this goal?

(Each correct answer presents a complete solution. Choose two.)

A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.

Correct Answer: BDSection: AD Sites & ServicesExplanation

Explanation/Reference:OPT1)

http://technet.microsoft.com/en-us/library/cc779282%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------To resolve an unqualified name by appending the primary DNS suffix and the DNS suffix of each connection (ifconfigured), click Append primary and connection specific DNS suffixes. If you also want to search the parentsuffixes of the primary DNS suffix up to the second level domain, select the Append parent suffixes of theprimary DNS suffix check box.

OPT2)

http://technet.microsoft.com/en-us/library/ee941136%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------------------------------------- Configure a DNS domain option as a server or scope option using the DHCP MMC.

Dynamic Host Configuration Protocol (DHCP) uses options to pass additional Internet Protocol (IP) settings toDHCP clients on a network. Examples of DHCP options include:

The default gateway IP address

The Domain Name System (DNS) server IP address

The DNS domain name

QUESTION 15.

Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server2008 R2. All domain controllers are configured as DNS servers.

You have a standard primary zone for dev.contoso.com that is stored on a member server.

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.

What should you do?

A. On the member server, create a stub zone.B. On the member server, create a NS record for each domain controller.C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the forest.D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the domain.

Correct Answer: CSection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754941.aspx----------------------------------------------------------------------------------------------------------------------------------------------Conditional Forwarder

When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.

QUESTION 16.

You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.

You need to record all inbound DNS queries to the server.

What should you configure in the DNS Manager console?

A. Enable debug logging.B. Enable automatic testing for simple queries.C. Enable automatic testing for recursive queries.D. Configure event logging to log errors and warnings.

Correct Answer: ASection: Configuring AD DNSExplanation

Explanation/Reference:Using server debug logging optionsThe following DNS debug logging options are available:

Direction of packets

Send Packets sent by the DNS server are logged in the DNS server log file.

Receive Packets received by the DNS server are logged in the log file.

Content of packets

Standard queries Specifies that packets containing standard queries (per RFC 1034) are logged in the DNSserver log file.

Updates Specifies that packets containing dynamic updates (per RFC 2136) are logged in the DNS server logfile.

Notifies Specifies that packets containing notifications (per RFC 1996) are logged in the DNS server log file.

Type of packet

Request Specifies that request packets are logged in the DNS server log file (a request packet is characterizedby a QR bit set to 0 in the DNS message header).

Response Specifies that response packets are logged in the DNS server log file (a response packet ischaracterized by a QR bit set to 1 in the DNS message header).

http://technet.microsoft.com/en-us/library/cc776361%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Logging

Dns.log contains debug logging activity. By default, it is located in the windir\System32\Dns folder.

To enable and use file-based logging, see Select and enable debug logging options on the DNS server.

QUESTION 17.

Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in theForestDnsZones Active Directory application partition.

You have a member server that contains a standard primary DNS zone for dev.contoso.com.

You need to ensure that all domain controllers can resolve names for dev.contoso.com.

What should you do?

A. Create a NS record in the contoso.com zone.B. Create a delegation in the contoso.com zone.C. Create a standard secondary zone on a Global Catalog server.D. Modify the properties of the SOA record in the contoso.com zone.

Correct Answer: BSection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:When delegating zones within your namespace, be aware that for each new zone you create, you will needdelegation records in other zones that point to the authoritative DNS servers for the new zone. This is

necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the newservers being made authoritative for the new zone.

http://technet.microsoft.com/en-us/library/cc785881%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Create a DNS Delegation

Using the Windows interface

Open the DNS console.

In the console tree, right-click the applicable subdomain, and then click New Delegation.

Follow the instructions provided in the New Delegation Wizard to finish creating the new delegated domain.

Using a command line

dnscmdServerName/RecordAddZoneNameNodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

QUESTION 18.

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers. You have an Active Directory-integrated zone for contoso.com.

You have a UNIX-based DNS server.

You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.comzone to the UNIX-based DNS server.

What should you do in the DNS Manager console?

A. Disable recursion.

B. Create a stub zone.C. Create a secondary zone.D. Enable BIND secondaries.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc786538%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Enable BIND - DNS

To enable or disable fast DNS zone transfers using the Windows interface

Open the DNS snap-in.

In the console tree, click the applicable DNS server.

Where? DNS/applicable DNS server

On the Action menu, click Properties.

Click the Advanced tab.

In Server options, select the BIND secondaries check box, and then click OK.

QUESTION 19.

Your network consists of an Active Directory forest that contains one domain named contoso.com.

All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two ActiveDirectory-integrated zones: contoso.com and nwtraders.com.

You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user frommodifying the SOA record in the nwtraders.com zone.

What should you do?

A. From the DNS Manager console, modify the permissions of the contoso.com zone.B. From the DNS Manager console, modify the permissions of the nwtraders.com zone.C. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.D. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers

organizational unit (OU).


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc780538%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Security

QUESTION 20.

Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directorydomain named intranet.fabrikam.com.

Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.

You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.

What should you do?

A. Create a new stub zone for the intranet.fabrikam.com domain.B. Configure conditional forwarding for the intranet.fabrikam.com domain.C. Create a standard secondary zone for the intranet.fabrikam.com domain.D. Create an Active Directoryintegrated zone for the intranet.fabrikam.com domain.


Explanation/Reference:http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx----------------------------------------------------------------------------------------------------------------------------------------------Configure Conditional Forwarding

Exam B

QUESTION 1.

Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllersnamed DC1 and DC2. Both domain controllers have the DNS Server server role installed.

You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 toforward all unresolved name requests to DNS1.contoso.com.

You discover that the DNS forwarding option is unavailable on DC2. You need to configure DNS forwarding onthe DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform?

(Each correct answer presents part of the solution. Choose two.)

A. Clear the DNS cache on DC2.B. Delete the Root zone on DC2.C. Configure conditional forwarding on DC2.D. Configure the Listen On address on DC2.

Correct Answer: BCSection: Configuring AD DNSExplanation

Explanation/Reference:http://support.microsoft.com/kb/298148----------------------------------------------------------------------------------------------------------------------------------------------DNS Root zone

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone forthe domain is created and a root zone, also known as a dot zone, is also created. This root zone may preventaccess to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones otherthan those that are listed with DNS, and you cannot configure forwarders or root hint servers. For thesereasons, you may have to remove the root zone.

QUESTION 2.

Your network consists of an Active Directory forest that contains one domain. All domain controllers runWindows Server 2008 R2 and are configured as DNS servers. You have an Active Directory- integrated zone.

You have two Active Directory sites. Each site contains five domain controllers.

You add a new NS record to the zone.

You need to ensure that all domain controllers immediately receive the new NS record.

What should you do?

A. From the DNS Manager console, reload the zone.B. From the Services snap-in, restart the DNS Server service.C. From the command prompt, run repadmin /syncall.D. From the DNS Manager console, increase the version number of the SOA record.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835086%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Sync Replication

repadmin /syncall

Synchronizes a specified domain controller with all of its replication partners.

QUESTION 3.

You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNSserver for contoso.com.

You install the DNS Server server role on a member server named Server1 and then you create a standardsecondary zone for contoso.com. You configure DC1 as the master server for the zone.

You need to ensure that Server1 receives zone updates from DC1.

What should you do?

A. On Server1, add a conditional forwarder.B. On DC1, modify the permissions of contoso.com zone.C. On DC1, modify the zone transfer settings for the contoso.com zone.D. Add the Server1 computer account to the DNSUpdateProxy group.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc739056%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Modify zone transfer settings

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2003 with SP2

To modify DNS zone transfer settings

Using the Windows interface

Open DNS.

Right-click a DNS zone, and then click Properties.

On the Zone Transfers tab, do one of the following:

To disable zone transfers, clear the Allow zone transfers check box.

To allow zone transfers, select the Allow zone transfers check box.

If you allowed zone transfers, do one of the following:

To allow zone transfers to any server, click To any server.

To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to serverslisted on the Name Servers tab.

To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add theIP address of one or more DNS servers.


dnscmdServerName/ZoneResetSecondariesZoneName {/NoXfr | /NonSecure | /SecureNs | /SecureList[SecondaryIPAddress...]}

QUESTION 4Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2and are configured as DNS servers.

A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller namedDC2 has a standard secondary zone for contoso.com.

You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data.

What should you do?

A. On both servers, modify the interface that the DNS server listens on.B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.C. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.D. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the

secondary zone.




QUESTION 5.

Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. Thedomain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You plan to create a new Active Directory-integrated zone.

You need to ensure that the new zone is only replicated to four of your domain controllers.

What should you do first?

A. Create a new delegation in the ForestDnsZones application directory partition.B. Create a new delegation in the DomainDnsZones application directory partition.C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.D. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756116%28WS.10%29.aspx#BKMK_5----------------------------------------------------------------------------------------------------------------------------------------------Dnscmd createdirectorypartition

Creates a DNS application directory partition. When DNS is installed, an application directory partition for theservice is created at the forest and domain levels. This operation creates additional DNS application directorypartitions.Syntax

Art Image dnscmd [ServerName] /createdirectorypartition PartitionFQDNParameters

ServerName Specifies the DNS server the administrator plans to manage, represented by IP address, FQDN, or Hostname. If omitted, the local server is used.

PartitionFQDN The fully qualified domain name of the DNS application directory partition that will be created.

Dnscmd deletedirectorypartition

Removes an existing DNS application directory partition.Syntax

Art Image dnscmd [ServerName] /deletedirectorypartition PartitionFQDNParameters

ServerName Specifies the DNS server the administrator plans to manage, represented by IP address, FQDN, or Hostname. If omitted, the local server is used.

PartitionFQDN The fully qualified domain name of the DNS application directory partition that will be removed.

Dnscmd directorypartitioninfo

Lists information about a specified DNS application directory partition.Syntax

Art Image dnscmd [ServerName] /directorypartitioninfo PartitionFQDN [/detail]

QUESTION 6.

Your network consists of a single Active Directory domain. You have a domain controller and a member serverthat run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run eitherWindows XP Service Pack 3 or Windows 7. You have a standard primary zone on the domain controller. The

member server hosts a secondary copy of the zone.

You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.


A. On the member server, add a conditional forwarder.B. On the member server, install Active Directory Domain Services.C. Add all computer accounts to the DNSUpdateProxy group.D. Convert the standard primary zone to an Active Directory-integrated zone.




QUESTION 7.

Your company has an Active Directory domain. The main office has a DNS server named DNS1 that isconfigured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 thatcontains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link.

You add a new server to the main office. Five minutes after adding the server, a user from the branch officereports that he is unable to connect to the new server. You need to ensure that the user is able to connect tothe new server.

What should you do?

A. Clear the cache on DNS2.B. Reload the zone on DNS1.C. Refresh the zone on DNS2.D. Export the zone from DNS1 and import the zone to DNS2.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784052%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Dynamic update

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2003 with SP2

Dynamic update

Dynamic update enables DNS client computers to register and dynamically update their resource records with aDNS server whenever changes occur. This reduces the need for manual administration of zone records,especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

The DNS Client and Server services support the use of dynamic updates, as described in Request forComments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allowsdynamic update to be enabled or disabled on a per-zone basis at each server configured to load either astandard primary or directory-integrated zone. By default, the DNS Client service will dynamically update host(A) resource records (RRs) in DNS when configured for TCP/IP. For more information about RFCs, see DNSRFCs.How client and server computers update their DNS names

By default, computers that are statically configured for TCP/IP attempt to dynamically register host (A) andpointer (PTR) resource records (RRs) for IP addresses configured and used by their installed networkconnections. By default, all computers register records based on their fully qualified domain name (FQDN).

The primary full computer name, a FQDN, is based on the primary DNS suffix of a computer appended to itsComputer name.

Both of these settings are displayed or configured from the Computer Name tab in System properties. For moreinformation, see View system properties.

QUESTION 8You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

What is the minimal forest functional level that you should use?

A. Windows Server 2008 R2B. Windows Server 2008C. Windows Server 2003D. Windows 2000

Correct Answer: CSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731243%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Prerequisites for Deploying an RODC

Applies To: Windows Server 2008, Windows Server 2008 R2

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or h igher , so that linked-value replication(LVR) is available. This provides a higher level of replication consistency. The domain functional level must beWindows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functionallevel is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003or higher.

QUESTION 9Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run

Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level isWindows 2000.

You need to ensure the UPN suffix for contoso.com is available for user accounts.


A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.C. Add the new UPN suffix to the forest.D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to

contoso.com.

Correct Answer: CSection: Configuring Domains and TrustsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772007.aspx----------------------------------------------------------------------------------------------------------------------------------------------Add User Principal Name Suffixes

To add UPN suffixes

Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, clickAdministrative Tools, and then click Active Directory Domains and Trusts.

In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.

On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.

Repeat step 3 to add additional alternative UPN suffixes.

Additional considerations

To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins groupin Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As asecurity best practice, consider using Run as to perform this procedure. For more information, search for "usingrun as" in Help and Support.

UPN suffixes should conform to DNS conventions for valid characters and syntax.

You can also perform the task in this procedure by using the Active Directory module for WindowsPowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click ActiveDirectory Module for Windows PowerShell. For more information, see Add User Principal Name Suffixes (http://go.microsoft.com/fwlink/?LinkId=137827). For more information about Windows PowerShell, see WindowsPowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).

QUESTION 10.

Your company: A. Datum Corporation, has a single Active Directory domain named intranet.adatum.com. Thedomain has two domain controllers that run Windows Server 2008 R2 operating system. The domain controllers also run DNS servers.

The intranet.adatum.com DNS zone is configured as an Active Directoryintegrated zone with the Dynamicupdates setting configured to Secure only. A new corporate security policy requires that theintranet.adatum.com DNS zone must be updated only by domain controllers or member servers.

You need to configure the intranet.adatum.com zone to meet the new security policy requirement.

Which two actions should you perform?


A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zoneproperties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNSzone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of theintranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tabof the intranet.adatum.com DNS zone properties.

Correct Answer: ADSection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc780538%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Security

C is incorrect becuase there is no "Allow on Write All" permission (see screenshot below).

C is incorrect becuase there is no "Allow on Write All" permission.

QUESTION 11.

Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.

You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.

Which two tasks should you perform?


A. Run the adprep /forestprep command.B. Run the adprep /domainprep command.C. Raise the forest functional level to Windows Server 2008.D. Raise the domain functional level to Windows Server 2008.

Correct Answer: ABSection: Powershell & Command line cmdsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Adprep

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2008

Extends the Active Directory® schema and updates permissions as necessary to prepare a forest and domainfor a domain controller that runs the Windows Server® 2008 operating system.

Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the\sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. You must run adprep from an elevated command prompt. To open an elevated commandprompt, click Start, right-click Command Prompt, and then click Run as administrator.

In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The 64-bit versionruns by default. If you need to run Adprep on a 32-bit computer, run the 32-bit version (Adprep32.exe).

For more information about running Adprep.exe and how to resolve errors that can occur when you run it, seeRunning Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

For examples of how this command can be used, see Examples.

For more information about running adprep /forestprep, see Prepare a Windows 2000 or Windows Server 2003Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).

For more information about running adprep /domainprep /gpprep, see Prepare a Windows 2000 or WindowsServer 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2(http://go.microsoft.com/fwlink/?LinkID=93243).

For more information about running adprep /rodcprep, see Prepare a Forest for a Read-Only Domain Controller(http://go.microsoft.com/fwlink/?LinkID=93244).

QUESTION 12.

Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.

You install Windows Server 2008 R2 on a server.

You need to add the new server as a domain controller in your domain.


A. On the new server, run dcpromo /adv.B. On the new server, run dcpromo /createdcaccount.C. On a domain controller run adprep /rodcprep.D. On a domain controller, run adprep /forestprep.

Correct Answer: DSection: Creating & Maintaining AD ObjectsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Adprep

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2008

Extends the Active Directory® schema and updates permissions as necessary to prepare a forest and domainfor a domain controller that runs the Windows Server® 2008 operating system.

Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the\sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. You must run adprep from an elevated command prompt. To open an elevated commandprompt, click Start, right-click Command Prompt, and then click Run as administrator.

In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The 64-bit versionruns by default. If you need to run Adprep on a 32-bit computer, run the 32-bit version (Adprep32.exe).

For more information about running Adprep.exe and how to resolve errors that can occur when you run it, seeRunning Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

For examples of how this command can be used, see Examples.

For more information about running adprep /forestprep, see Prepare a Windows 2000 or Windows Server 2003Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).

For more information about running adprep /domainprep /gpprep, see Prepare a Windows 2000 or WindowsServer 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2(http://go.microsoft.com/fwlink/?LinkID=93243).

For more information about running adprep /rodcprep, see Prepare a Forest for a Read-Only Domain Controller(http://go.microsoft.com/fwlink/?LinkID=93244).

QUESTION 13.

Your company has two Active Directory forests as shown in the following table:

Forest name Forest functional level Domain(s)

contoso.com Windows Server 2008 contoso.com

fabrikam.com Windows Server 2008 fabrikam.com eng.fabrikam.com

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wideauthentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain toaccess resources in the contoso.com domain.

You need to configure the forest trust to meet the new security policy requirement.

What should you do?

A. Delete the outgoing forest trust in the contoso.com domain.B. Delete the incoming forest trust in the contoso.com domain.C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide

authentication to Selective authentication.D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude

*.eng.fabrikam.com from the Name Suffix Routing trust properties.

Correct Answer: DSection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:Name Suffixes Routing controls routing of authentication traffic. When an account attempts to authenticate andthat account does not exist in the local domain, the Name Suffix Route is used to direct authentication requests to the trusted forest root domain.When you exclude a name suffix, all children of that DNS name will also be excluded, so this means also allusers from fabrikam.com

Exclude name suffixes from routing to a local foresthttp://technet.microsoft.com/en-us/library/cc758388(WS.10).aspx

-Q- answer C

http://technet.microsoft.com/en-us/library/cc778851%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Create a two-way, forest trust for both sides of th e trust

To create a two-way, forest trust for both sides of the trust

Open Active Directory Domains and Trusts.

In the console tree, right-click the domain node for the domain that you want to establish a trust with, andthen click Properties.

On the Trusts tab, click New Trust, and then click Next.

On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system(NetBIOS) name) of the domain, and then click Next.

On the Trust Type page, click Forest trust, and then click Next.

On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of Trust page, see the section"Direction of Trust" in Appendix: New Trust Wizard Pages.

On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

For more information about the selections that are available on the Sides of Trust page, see the section"Sides of Trust" in Appendix: New Trust Wizard Pages.

On the User Name and Password page, type the user name and password for the appropriate administratorin the specified domain.

On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next: Click Forest-wide authentication.

Click Selective authentication.

On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then clickNext: Click Forest-wide authentication.

Click Selective authentication.

On the Trust Selections Complete page, review the results, and then click Next.

On the Trust Creation Complete page, review the results, and then click Next.

On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do notconfirm the trust at this stage, the secure channel will not be established until the first time the trust is used byusers.

If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriateadministrative credentials from the specified domain.

On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust.

If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriateadministrative credentials from the specified domain.

On the Completing the New Trust Wizard page, click Finish.

QUESTION 14.

You have an existing Active Directory site named Site1. You create a new Active Directory site and name itSite2.

You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.You create the site link between Site1 and Site2.

What should you do next?

A. Use the Active Directory Sites and Services console to configure a new site link bridge object.B. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.C. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new

domain controller object to Site2.D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred

bridgehead server for Site1.

Correct Answer: C

Section: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730718.aspx----------------------------------------------------------------------------------------------------------------------------------------------AD Sites & Services - Configure an Additional Site

The tasks for configuring a new site include the following:

Creating the site

Mapping the correct IP addresses to the site by creating a subnet

Linking the site to another site or sites by creating a site link and adding the new site to it

QUESTION 15.

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.

You upgrade all domain controllers to Windows Server 2008 R2.

You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).

What should you do?

A. From the command prompt, run netdom /reset.B. From the command prompt, run dfsutil /addroot:sysvol.C. Raise the functional level of the domain to Windows Server 2008 R2.D. From the command prompt, run dcpromo /unattend:unattendfile.xml.

Correct Answer: CSection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Windows Server 2008 uses the newer DFS Replication service when in domains that use the Windows Server2008 domain functional level , and FRS for domains that run older domain functional levels.

QUESTION 16.

Your company has a branch office that is configured as a separate Active Directory site and has an ActiveDirectory domain controller.

The Active Directory site requires a local Global Catalog server to support a new application.

You need to configure the domain controller as a Global Catalog server.

Which tool should you use?

A. The Dcpromo.exe utilityB. The Server Manager consoleC. The Computer Management console

D. The Active Directory Sites and Services consoleE. The Active Directory Domains and Trusts console

Correct Answer: DSection: AD Sites & ServicesExplanation

Explanation/Reference:To add or remove the global catalog Open Active Directory Sites and Services . To open Active Directory Sites and Services, click Start , clickAdministrative Tools , and then click Active Directory Sites and Services .

http://technet.microsoft.com/en-us/library/cc733162.aspx----------------------------------------------------------------------------------------------------------------------------------------------Adding the Global Catalog to a Site


A global catalog server makes it possible to search the entire Active Directory Domain Services (AD DS) forestwithout referrals to a domain controller in the domain that stores the target of the search. When you add theglobal catalog to a domain controller, a partial, read-only replica of every domain in the forest (other than thedomain that the new global catalog server stores) is replicated to the domain controller. Global catalog serversare required for searching and for processing domain logons in forests where universal groups are available.Global catalog servers and domains

Global catalog servers respond to forest-wide Lightweight Directory Access Protocol (LDAP) queries over port3268. The global catalog eliminates the need for a query to be sent to multiple domain controllers until thequery locates the domain that contains the requested object.

When a forest contains only one domain, all domain controllers have the full complement of objects that can besearched, and a global catalog server is not required to eliminate referrals to other domains. However, becausethe global catalog port is different from the default LDAP port (389), global catalog queries must locate a globalcatalog server. In a single-domain forest, by configuring all domain controllers as global catalog servers youensure that global catalog queries are load-balanced evenly among all domain controllers in the domain.Because no additional replication or processing of other domain data is required, the single-domain globalcatalog server requires no special hardware advantages over other domain controllers.

If a forest contains more than one domain, however, a global catalog server must store and replicate domaindata for all domains in the forest. In this case, determine the placement of global catalog servers in your forestaccording to site needs, as described in the following section.Global catalog servers and sites

To optimize network performance in a multiple-site environment, consider adding global catalog servers in sitesaccording to the needs in the sites for fast search responses and domain logons. In a single-site, multiple-domain environment, a single global catalog server is usually sufficient to cover common Active Directoryqueries and logons. Use the information in the following table to determine whether your multiple-domain,multiple-site environment can benefit from additional global catalog servers.

QUESTION 17.

Your company has a main office and 10 branch offices. Each branch office has an Active Directory site thatcontains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.

You need to deactivate the Universal Group Membership Caching option on the domain controllers in thebranch offices.

At which level should you deactivate the Universal Group Membership Caching option?

A. SiteB. ServerC. DomainD. Connection object


Explanation/Reference:http://technet.microsoft.com/en-us/magazine/ff797984.aspx----------------------------------------------------------------------------------------------------------------------------------------------Enable/disable Universal Group Membership Caching o ption

You can enable or disable universal group membership caching by following these steps:1. In Active Directory Sites And Services , expand and then select the site you want to work with.2. In the details pane, right-click NTDS Site Settings, and then click Properties.3. To enable universal group membership caching, select the Enable Universal Group Membership Cachingcheck box on the Site Settings tab. Then, in the Refresh Cache From list, choose a site from which to cacheuniversal group memberships. The selected site must have a working global catalog server.4. To disable universal group membership caching, clear the Enable Universal Group Membership Cachingcheck box on the Site Settings tab.5. Click OK.

QUESTION 18.

Your company has an Active Directory forest. Not all domain controllers in the forest are configured as GlobalCatalog Servers. Your domain structure contains one root domain and one child domain.

You modify the folder permissions on a file server that is in the child domain. You discover that some AccessControl entries start with S-1-5-21... and that no account name is listed.

You need to list the account names.

What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global

Catalog.

Correct Answer: DSection: Configuring AD FSMO RolesExplanation

Explanation/Reference:http://support.microsoft.com/kb/22334----------------------------------------------------------------------------------------------------------------------------------------------Infrastructure master role and the Global Catalog

As a general rule, the infrastructure master should be located on a nongl obal catalog server that has adirect connection object to some global catalog in the forest, preferably in the same Active Directory site.Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master,if placed on a global catalog server, will never update anything, because it does not contain any references to

objects that it does not hold. Two exceptions to the "do not place the infrastructure master on a global catalogserver" rule are:

o Single domain forest:

In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructuremaster has no work to do. The infrastructure master may be placed on any domain controller in the domain,regardless of whether that domain controller hosts the global catalog or not.

o Multidomain forest where every domain controller in a domain holds the global catalog:

If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, thereare no phantoms or work for the infrastructure master to do. The infrastructure master may be put on anydomain controller in that domain.

QUESTION 19.

Your company has an Active Directory domain.

You log on to the domain controller. The Active Directory Schema snap-in is not available in the MicrosoftManagement Console (MMC).

You need to access the Active Directory Schema snap-in.

What should you do?

A. Register Schmmgmt.dll.B. Log off and log on again by using an account that is a member of the Schema Admins group.C. Use the Ntdsutil.exe command to connect to the schema master operations master and open the schema

for writing.D. Add the Active Directory Lightweight Directory Services (AD/LDS) role to the domain controller by using

Server Manager.

Correct Answer: ASection: Configuring AD FSMO RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732110.aspx----------------------------------------------------------------------------------------------------------------------------------------------Install the Active Directory Schema Snap-In

Open an elevated command prompt. Click Start, type command prompt, and then right-click Command Promptwhen it appears in the Start menu. Next, click Run as administrator. When the command prompt opens, typethe command below, and then press ENTER:

regsvr32 schmmgmt.dll

Now you can open from Admin tools like the ADUC

QUESTION 20

Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operationsmaster roles.DC1 fails.

You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations masterroles to their original state. You perform a metadata cleanup and remove all references of DC1.

Which three actions should you perform next?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.)

Build List and Reorder:

Correct Answer:

Section: Configuring AD FSMO RolesExplanation

Explanation/Reference:

Exam C

QUESTION 1.

You are decommissioning one of the domain controllers in a child domain. You need to transfer all domainoperations master roles within the child domain to a newly installed domain controller in the same child domain.

Which three domain operations master roles should you transfer?

(Each correct answer presents part of the solution. Choose three.)

A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: ABDSection: Configuring AD FSMO RolesExplanation

Explanation/Reference:Each domain in a forest has its own RID master, PDC emulator, and infrastructure master.

http://technet.microsoft.com/en-us/library/cc779716%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Operations Master Roles

The five operations master roles are assigned automatically when the first domain controller in a given domainis created. Two forest-level roles are assigned to the first domain controller created in a forest and threedomain-level roles are assigned to the first domain controller created in a domain.Forestwide Operations Master Roles

The schema master and domain naming master are forestwide roles, meaning that there is only oneschema master and one domain naming master in the entire forest.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Domainwide Operations Master Roles

The other operations master roles are domainwide roles, meaning that each domain in a forest has its own RIDmaster, PDC emulator, and infrastructure master.RID Master

The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in thedomain. Whenever a domain controller creates a new security principal, such as a user, group, or computerobject, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is thesame for all security principals created in the domain, and a RID, which uniquely identifies each securityprincipal created in the domain.PDC Emulator

The PDC emulator operations master acts as a Windows NT PDC in domains that contain client computersoperating without AD DS client software or Windows NT backup domain controllers (BDC). In addition, the PDCemulator processes password changes from clients and replicates the updates to the Windows NT BDCs. Evenafter all Windows NT domain controllers are upgraded to AD DS, the PDC emulator receives preferentialreplication of password changes performed by other domain controllers in the domain.

If a logon authentication fails at another domain controller due to a bad password, that domain controllerforwards the authentication request to the PDC emulator before rejecting the logon attempt.Infrastructure Master

The infrastructure operations master is responsible for updating object references in its domain that point tothe object in another domain. The infrastructure master updates object references locally and uses replicationto bring all other replicas of the domain up to date. The object reference contains the object’s globally uniqueidentifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the objectreference are periodically updated to reflect changes made to the actual object. These changes include moveswithin and between domains as well as the deletion of the object. If the infrastructure master is unavailable,updates to object references are delayed until it comes back online.

QUESTION 2.

Your company has an Active Directory domain. The company has two domain controllers named DC1 andDC2. DC1 holds the schema master role.DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer theschema master role.

You need to ensure that DC2 holds the schema master role.

What should you do?

A. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.B. Configure DC2 as a bridgehead server.C. On DC2, seize the schema master role.D. Log off and log on again to Active Directory by using an account that is a member of the Schema Admins

group. Start the Active Directory Schema snap-in.

Correct Answer: CSection: Configuring AD FSMO RolesExplanation

Explanation/Reference:Only a schema admin can perform this task but you are logged on with the administrator account and he isa member of the shema admins group!

http://support.microsoft.com/kb/255504----------------------------------------------------------------------------------------------------------------------------------------------Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

We recommend that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operationfrom completing successfully and that role cannot be transferred. A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremovalcommand. The operating system on the computer that originally owned a specific role no longer exists or has beenreinstalled.

QUESTION 3.

You are decommissioning domain controllers that hold all forest-wide operations master roles. You need totransfer all forest-wide operations master roles to another domain controller.

Which two roles should you transfer?


A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: CESection: Configuring AD FSMO RolesExplanation

Explanation/Reference:The schema master and domain naming master are forestwide roles, meaning that there is only oneschema master and one domain naming master in the entire forest.

http://support.microsoft.com/kb/255504----------------------------------------------------------------------------------------------------------------------------------------------Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

We recommend that you transfer FSMO roles in the following scenarios:

The current role holder is operational and can be accessed on the network by the new FSMO owner. You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to aspecific domain controller in your Active Directory forest. The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance andyou need specific FSMO roles to be assigned to a “live” domain controller. This may be required to performoperations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but lesstrue for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operationfrom completing successfully and that role cannot be transferred. A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremovalcommand. The operating system on the computer that originally owned a specific role no longer exists or has beenreinstalled.

QUESTION 4.

Your company has a server that runs an instance of Active Directory Lightweight Directory Services (AD LDS).

You need to create new organizational units in the AD LDS application directory partition.

What should you do?

A. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDSapplication directory partition.

B. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.D. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

Correct Answer: B

Section: Configuring AD LDSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc794959%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Manage an AD LDS Instance Using ADSI Edit

Explanation:You can use both the Adsiedit.msc tool to create a new OU in the AD LDS application directory partition. ADLDS isusually used to store information about users, organizations, and the groups that they belong to. LightweightDirectory Access Protocol (LDAP)-based directories, such as Active Directory Domain Services (AD DS) andAD LDS, most commonly use OUs to keep usersand groups organized. To create a new OU in AD LDS, you can use Adsiedit.msc tool. Active DirectoryServices Interfaces Editor (ADSI Edit) is a low-level editor for AD DS and AD LDS. ADSI Edit can be used toview, modify, create, anddelete any object in AD DS and AD LDS.

QUESTION 5.

Your company has a server that runs Windows Server 2008 R2. The server runs an instance of ActiveDirectory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network.

What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.B. Create a naming context by running the Dsmgmt command on the test computer.C. Create a new directory partition by running the Dsmgmt command on the test computer.D. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Correct Answer: DSection: Configuring AD LDSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc771458(v=WS.10).aspx

Install a replica AD LDS instance from mediaWhen you install an AD LDS replica from media, you use a restored backup of an AD LDS instance as the datasource, rather than another AD LDS instance. When you restore an AD LDS instance for use in a replicainstallation from media, you must restore the files to an alternate location, rather than to the original locationfrom which they were backed up. After you restore AD LDS files from a backup to an alternate location, theAdamntds.dit file and Edb*.log files will be nested in the specified alternate location. For example, if you specify C:\restore_dir as the restore location for the AD LDS files, Adamntds.dit and theEdb*.log files will be located at C:\restore_dir\Program Files\Microsoft ADAM\instancename\data, whereinstancename represents the AD LDS instance that was restored.

To install an AD LDS replica from mediaRestore a backup copy of the AD LDS instance from which you want to install to an alternate location. (Do notrestore the backup to the original location of the AD LDS instance.)Click Start , right-click Command Prompt , and then click Run as administrator .Type the following command, and then press ENTER: %windir%\adam\adaminstall /advFollow the steps in the Active Directory Lightweight Directory Services Setup Wizard.

http://technet.microsoft.com/en-us/library/cc771458%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Managing Replica AD LDS Instances

To create a replica AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard

Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services SetupWizard.

On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.

On the Setup Options page, click A replica of an existing instance, and then click Next.

On the Instance Name page, accept the default name instance2 (or instance1, if you are installing AD LDSon a second computer), and then click Next. noteNote AD LDS instance names have to be unique only on a given computer.

On the Ports page, accept the default values of 50000 and 50001 (if you are installing onto the firstcomputer) or 389 and 636 (if you are installing onto a second computer), and then click Next.

On the Joining a Configuration Set page, in Server, type the host name or DNS name of the computer wherethe first AD LDS instance is installed. Then, type the LDAP port number in use by the first AD LDS instance(which is 389 by default), and then click Next. noteNote You must use a valid host name or DNS name, rather than an IP address or localhost when you specify aserver on the Joining a Configuration Set page of the Active Directory Lightweight Directory Services SetupWizard.

On the Administrative Credentials for the Configuration Set page, click the account that is used as the ADLDS administrator for your first AD LDS instance.

On the Copy Application Partition page, select the application directory partitions that you want to replicate tothe new AD LDS instance. (The schema and configuration partitions will be replicated automatically.)

Accept the default values on the remaining Active Directory Lightweight Directory Services Set Wizard pagesby clicking Next on each page, and then click Finish on the Completing the Active Directory Application ModeSetup Wizard page.

After the installation is complete, use the ADSI Edit snap-in to confirm that the selected directory partition hasbeen replicated to your second AD LDS instance.

QUESTION 6.

Your company has an Active Directory Rights Management Services (AD RMS) server. Users have WindowsVista computers. An Active Directory domain is configured at the Windows Server 2003 functional level.

You need to configure AD RMS so that users are able to protect their documents.

What should you do?

A. Install the AD RMS client 2.0 on each client computer.B. Add the RMS service account to the local administrators group on the AD RMS server.C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.

D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.

Correct Answer: CSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd772659%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------AD RMS Prerequisites

All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail addressconfigured in Active Directory .

Active Directory Forest Functional Level - AnyActive Directory Domain Functional Level - Any

AD RMS must be installed in an Active Directory domain in which the domain controllers are running one ofthe following: Windows Server 2000 with Service Pack 5 (SP5) * Windows Server 2003 with Service Pack 2 (SP2) Windows Server 2003 R2 with Service Pack 2 (SP2) Windows Server® 2008 Standard Windows Server® 2008 Enterprise Windows Server® 2008 Datacenter Windows Small Business Server® 2008 Premium Windows Small Business Server® 2008 Standard Windows Essential Business Server® 2008 Premium Windows Essential Business Server® 2008 Standard Windows Server® 2008 R2 Enterprise Windows Server® 2008 R2 Datacenter Windows Server® 2008 R2 Standard Windows Server® 2008 R2 Foundation

QUESTION 7.

Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.

You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server2005.

When you attempt to open the AD RMS administration Web site, you receive the following error message:"SQL Server does not exist or access denied." You need to open the AD RMS administration Web site.



A. Restart IIS.B. Install Message Queuing.C. Start the MSSQLSVC service.D. Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD

RMS.

Correct Answer: ACSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc747605%28WS.10%29.aspx#BKMK_1----------------------------------------------------------------------------------------------------------------------------------------------RMS Administration Issues

"SQL Server does not exist or access denied" message received when attempting to open the RMSAdministration Web site

If you have installed RMS by using a new installation of SQL Server 2005 as your database server the SQLServer Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured toautomatically star t when the server is started. If you have restarted your SQL Server since installing RMS andhave not configured this service to automatically restart RMS will not be able to function and only the RMSGlobal Administration page will be accessible.

After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster torestore RMS functionality.

QUESTION 8.

Your company has a main office and 40 branch offices. Each branch office is configured as a separate ActiveDirectory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one ofthe branch offices.

You need to identify the user accounts that were cached on the stolen RODC server.

Which utility should you use?

A. Dsmod.exeB. Ntdsutil.exeC. Active Directory Sites and ServicesD. Active Directory Users and Computers

Correct Answer: DSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835486%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Deleting the RODC computer account using Active Directory Users and Computers

An efficient tool for removing the RODC computer ac count and resetting all the passwords for theaccounts that were authenticated to it is the Activ e Directory Users and Computers snap-in.To delete the RODC computer account using Active Directory Users and Computers

Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start,click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users andComputers.

Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correctdomain. To connect to the appropriate domain or domain controller, in the details pane, right-click the ActiveDirectory Users and Computers object, and then click Change Domain or Change Domain Controller,respectively.

In the console tree, expand the domain object, and then select the Domain Controllers organizational unit(OU).

In the details pane, right-click the RODC computer account, and then click Delete.

When the Active Directory Domain Services dialog box appears, click Yes to confirm the deletion.

In the Deleting Domain Controller dialog box (shown below) select the appropriate options to indicatewhether you want to reset all user account passwords or all computer account passwords and to specify thelocation (file system path) where you want to export a list of accounts whose current passwords were cachedon the RODC. You can clear or select any of the check boxes at this point. By default, the Reset all passwordsfor user accounts that were cached on this Read-only Domain Controller and the Export the list of accounts thatwere cached on this Read-only Domain Controller to this file: check boxes are selected, as shown in thefollowing illustration. If you want to also reset the passwords for the computer accounts that were cached on theRODC, you must select the Reset all passwords for computer accounts that were cached on this Read-onlyDomain Controller check box. Although computer account passwords are reset every 30 days by default, youcan choose to reset those account passwords immediately, which may reduce the chance that the computeraccounts that were cached on the RODC can be used by an attacker in an attempt to compromise the domainbefore the accounts are reset automatically. When you are ready to proceed, click Delete. noteNote If you reset the computer account passwords, you will have to rejoin the computer to the domain. If youautomatically reset the computer account passwords, users will not be able to log on to the domain until theycan contact an account administrator to have their passwords reset to a mutually-agreed-on password.

Delete RODC computer account

The Delete Domain Controller then asks you to confirm your deletion request. Verify that the request isaccurate, and then click OK to continue with the deletion, as shown in the following illustration.

QUESTION 9.

Your company has an Active Directory forest that contains a single domain. The domain member server has anActive Directory Federation Services (AD FS) server role installed.

You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directorydomain.

What should you do?

A. Add and configure a new account store.B. Add and configure a new account partner.C. Add and configure a new resource partner.D. Add and configure a Claims-aware application.

Correct Answer: ASection: Configuring AD Federated ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732095.aspx

Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claimsfor those users. You can configure multiple account stores for a single Federation Service. You can also definetheir priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate withaccount stores. AD FS supports the following two account stores:

Active Directory Domain Services (AD DS)Active Directory Lightweight Directory Services (AD LDS)

http://technet.microsoft.com/en-us/library/cc772309%28WS.10%29.aspxhttp://technet.microsoft.com/en-us/library/cc734905%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Read above articles URL's for more info on ADFS Installation/Troubleshooting

QUESTION 10.

A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails.

You need to enable the user to join a single computer to the domain. You must ensure that the user is deniedany additional rights beyond those required to complete the task.

What should you do?

A. Prestage the computer account in the Active Directory domain.B. Add the user to the Domain Administrators group for one day.C. Add the user to the Server Operators group in the Active Directory domain.D. Grant the user the right to log on locally by using a Group Policy Object (GPO).

Correct Answer: ASection: Creating & Maintaining AD ObjectsExplanation

Explanation/Reference:Prestaged clients are computer account objects that are created within Active Directory Domain Services (ADDS) before the operating system is installed.

There is an additional benefit if the domain is using WDS to deploy images over the network. The prestagedaccounts correspond to physical devices that will boot from the network by using Windows DeploymentServices.

Prestage client computers - http://technet.microsoft.com/en-us/library/cc759196%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Set permissions for users who use prestaged client computers - http://technet.microsoft.com/en-us/library/cc779006%28WS.10%29.aspx

QUESTION 11.

Your company's security policy requires complex passwords.

You have a comma delimited file named import.csv that contains user account information. You need to createuser accounts in the domain by using the import.csv file.

You also need to ensure that the new user accounts are set to use default passwords and are disabled.

What should you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run theDSMOD utility to set default passwords for the user accounts.

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde f import.csv command. Runthe DSMOD utility to set default passwords for the user accounts.

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADDutility to set default passwords for the imported user accounts.

D. Modify the userAccountControl attribute to disabled. Run the ldifde i f import.csv command. Run theDSADD utility to set passwords for the imported user accounts.

Correct Answer: ASection: Powershell & Command line cmdsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732101(v=WS.10).aspx

Csvde is a command-line tool that is built into Windows Server 2008 in the %windir%/system32 folder. It isavailable if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roleinstalled. To use csvde , you must run the csvde command from an elevated command prompt. To open anelevated command prompt, click Start , right-click Command Prompt , and then click Run asadministrator . For examples of how to use this command, see Examples.SyntaxCopy Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <S tring1> <String2>] [-v] [-j<Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFi lter>] [-p <Scope] [-l<LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a<UserDistinguishedName> {<Password> | *}] [-b <User Name> <Domain> {<Password> |*}]

ParametersParameter Description -i Specifies import mode. If not specified, the default mode is export.-f <FileName> Identifies the import or export file name.-s <ServerName> Specifies the domain controller to perform the import or export operation.

-c <String1> <String2>

Replaces all occurrences of String1 with String2. You use this parameter when youimport data from one domain to another and you want to replace the distinguishedname of the export domain (String1) with the distinguished name of the importdomain (String2).

-v Sets verbose mode.-j <Path> Sets the log file location. The default is the current path.

-t <PortNumber> Specifies an LDAP port. The default LDAP port is 389. The global catalog port is3268.

-u Specifies Unicode format.-d <BaseDN> Sets the distinguished name of the search base for data export.-r <LDAPFilter> Creates an LDAP search filter for data export. -p <Scope> Sets the search scope. Search scope options are Base, OneLevel, or SubTree.

-l <LDAPAttributeList> Sets the list of attributes to return in the results of an export query. LDAP canreturn attributes in any order, and csvde does not attempt to impose any orderon the columns. If you omit this parameter, AD DS returns all attributes.

-o<LDAPAttributeList>

Specifies the list of attributes to omit from the results of an export query. You usethis parameter if you need to export objects from AD DS, and then import theminto another LDAP-compliant directory. If the other directory does not supportcertain attributes, you can use this parameter to omit those attributes from theresult set.

-g Omits paged searches.

-m Omits attributes that apply only to Active Directory objects, such as theObjectGUID, objectSID, pwdLastSet, and samAccountType attributes.

-n Omits the export of binary values.

-k

Ignores errors during an import operation and continues processing. The followingis a complete list of ignored errors: Object already exists

Constraint violation

Attribute or value already exists -a[<UserDistinguishedName> {<Password> | *}]

Performs a simple LDAP bind with the user name and password. Sets thecommand to run using the supplied UserDistinguishedName and Password. Bydefault, the command runs using the credentials of the user who is currently

logged on to the network.

-b [<UserName><Domain>{<Password> | *}]

Performs a secure LDAP bind with the NEGOTIATE authentication method. Setsthe command to run using the supplied Username, Domain, and Password. Bydefault, the command will run using the credentials of the user who is currentlylogged on to the network.

/? Displays Help at the command prompt.RemarksYou cannot import user passwords by using csvde because passwords must be sent over an encryptedchannel. Csvde does not support Secure Sockets Layer (SSL) or encrypted LDAP communication. Theprevious references to passwords relate to the credentials of the user who is running csvde . They are notrelated to setting passwords for users.

ExampleThe following sample file contents are for a domain named Cpandl.com that has organizational units (OUs)named SW Dev, Acct, and AP. The AP OU is subordinate to the Acct OU. The first line of the file defines theActive Directory object properties for user accounts to be created by the entries in the rest of the file. Theremaining lines are used to create the user accounts. The first user account is created in the default Userscontainer, and the rest of the user accounts are created in the SW Dev, Acct, and AP OUs, respectively:Copy objectClass,dn,sAMAccountName,userPrincipalName,use rAccountControluser,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,KenM @cpandl.com,514user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,WeiY@ cpandl.com,514user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,Jon [email protected],514user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,Ye [email protected],514

Note Setting userAccountControl to 514 disables the user account. This is recommended becausecsvde cannot set passwords.

csvde - adv configs - http://www.computerperformance.co.uk/Logon/Logon_CSVDE_import.htmdsmod - http://technet.microsoft.com/en-us/library/cc732954%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason: C is wrong because Windows scripts are files with the following file name extensions: .wsf, .vbs, .js.

DSMOD user to change pwds

To reset multiple user passwords to a common password and force users to change their passwords when theynext log on to the network, type:Copy dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=DeniseSmith,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mu stchpwd yes

QUESTION 12.

Your company hires 10 new employees. You want the new employees to connect to the main office through aVPN connection. You create new user accounts and grant the new employees the Allow Read and AllowExecute permissions to shared resources in the main office.

The new employees are unable to access shared resources in the main office. You need to ensure that usersare able to establish a VPN connection to the main office.

What should you do?

A. Grant the new employees the Allow Full control permission.B. Grant the new employees the Allow Access Dial-in permission.

C. Add the new employees to the Remote Desktop Users security group.D. Add the new employees to the Windows Authorization Access security group.

Correct Answer: BSection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd469674.aspx

Permissions for Remote Access Users

Applies To: Windows Server 2008 R2

After the Routing and Remote Access service (RRAS) is installed, you must specify the users who are allowedto connect to the RRAS server. RRAS authorization is determined by the dial-in properties on the user account,the network policies, or both.You do not need to create user accounts just for remote access users. RRAS servers can use existing useraccounts in the user accounts databases. In both Local Users and Groups and Active Directory Users andComputers, user accounts have a Dial-in tab on which you can configure remote access permissions. For alarge number of users, we recommend that you configure network policies on a server running Network PolicyServer (NPS).

http://technet.microsoft.com/en-us/library/cc786285%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Best practices for assigning permissions on Active Directory objects

QUESTION 13.

You need to relocate the existing user and computer objects in your company to different organizational units.

What are two possible ways to achieve this goal?


A. Run the Dsmove utility.B. Run the Active Directory Migration Tool (ADMT).C. Run the Active Directory Users and Computers utility.D. Run the move-item command in the Microsoft Windows PowerShell utility.

Correct Answer: ACSection: Creating & Maintaining AD ObjectsExplanation

Explanation/Reference:dsmove - http://technet.microsoft.com/en-us/library/cc731094%28WS.10%29.aspx

ADUC - AD DS GUI under admin tools/RSAT on clients - http://technet.microsoft.com/en-us/library/cc786675%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason: D is incorrect because move-item can move files and folders only - http://technet.microsoft.com/en-us/library/dd315310.aspx

B is incorrect because ADMT is used to restructure AD between forests and domains within the same forest.

QUESTION 14.

You want users to log on to Active Directory by using a new User Principal Name (UPN). You need to modifythe UPN suffix for all user accounts.


A. DsmodB. NetdomC. RedirusrD. Active Directory Domains and Trusts


Explanation/Reference:dsmod - http://technet.microsoft.com/en-us/library/cc732954%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason : You configure upn on Active directory domains and trusts. But you still have to modify the users withdsmod or "active directory users and computers".

http://technet.microsoft.com/en-us/library/bb742437.aspx#EEAA

The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active Directory.The style of the UPN is based on Internet standard RFC 822, which is sometimes referred to as a mailaddress.The default UPN suffix is the forest DNS name, which is the DNS name of the first domain in the first tree of theforest. In this and the other step-by-step guides on this site, the default UPN suffix is your FQDN for the firstdomain in the forest.

You can add alternate User Principal Name suffixes, which increase logon security. And you can simplify userlogon names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows2000 domain and is not required to be a valid DNS domain name.

Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then click Properties.

Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.

Click OK to close the window.

QUESTION 15.

You are installing an application on a computer that runs Windows Server 2008 R2. During installation, theapplication will need to add new attributes and classes to the Active Directory database.

You need to ensure that you can install the application.

What should you do?

A. Change the functional level of the forest to Windows Server 2008 R2.B. Log on by using an account that has Server Operator rights.C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the

application.D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install

the application.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756898%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Schema Admin permissions

Schema Admins (only appears in the forest root domain) Members of this group can modify the Active Directory schema. By default, the Administrator account is amember of this group. Because this group has significant power in the forest, add users with caution. No default user rights.

QUESTION 16.

Your company has an organizational unit named Production. The Production organizational unit has a childorganizational unit named R&D. You create a GPO named Software Deployment and link it to the Productionorganizational unit.

You create a shadow group for the R&D organizational unit. You need to deploy an application to users in theProduction organizational unit. You also need to ensure that the application is not deployed to users in the R&Dorganizational unit.

What are two possible ways to achieve this goal?


A. Configure the Enforce setting on the software deployment GPO.B. Configure the Block Inheritance setting on the R&D organizational unit.C. Configure the Block Inheritance setting on the Production organizational unit.D. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D

security group.

Correct Answer: BDSection: Configuring Group PolicyExplanation

Explanation/Reference:Block inheritance GPO - http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Security filter GPO - http://technet.microsoft.com/en-us/library/cc779291%28WS.10%29.aspx

QUESTION 17.

Your company has an Active Directory domain that has an organizational unit named Sales. The Salesorganizational unit contains two global security groups named sales managers and sales executives.

You need to apply desktop restrictions to the sales executives group.

You must not apply these desktop restrictions to the sales managers group. You create a GPO namedDesktopLockdown and link it to the Sales organizational unit.


A. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.C. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.D. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

Correct Answer: ASection: Configuring Group PolicyExplanation

Explanation/Reference:Security filteringSecurity filtering is a way of refining which users and computers will receive and apply the settings in a GroupPolicy object (GPO). Using security filtering, you can specify that only certain security principals within acontainer where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as awhole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.In order for the GPO to apply to a given user or computer, that user or computer must have both Read andApply Group Policy (AGP) permissions on the GPO, either explicitly, or effectively though groupmembership.

http://technet.microsoft.com/en-us/library/cc786636(v=WS.10).aspx

To filter the scope of Group Policy according to se curity group membershipOpen the Group Policy object whose scope you want to filter.

In the console tree, right-click the icon or name of the Group Policy object, and then click Properties .

Click the Security tab, and then click the security group through which you want to filter this Group Policyobject. If you want to change the list of security groups through which to filter this Group Policy object, use the Add and Remove buttons to add or remove security groups.

In the Permissions box for the selected security group, select or clear the appropriate check boxes to setpermissions as shown in the following table, and then click OK.

Your intention Permissions Result

Members of this security grouphave this Group Policy objectapplied to them.

Set ApplyGroup Policy toAllow .Set Read toAllow .

This Group Policy object applies to members of thissecurity group, unless they are members of at leastone other security group that has Apply GroupPolicy set to Deny , or Read set to Deny , or both.

Members of this security groupare exempt from this GroupPolicy object.

Set ApplyGroup Policy toDeny .Set Read toDeny .

This Group Policy object never applies to members ofthis security group, regardless of the permissions thesemembers have in other security groups.

Membership in this security groupis irrelevant to whether the GroupPolicy object should be applied.

Set ApplyGroup Policy toneither Allownor Deny .Set Read toneither Allownor Deny .

This Group Policy object applies to members of thissecurity group if and only if they have both ApplyGroup Policy and Read set to Allow asmembers of at least one other security group. Theyalso must not have Apply Group Policy or Readset to Deny as members of any other security group.

http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Managing inheritance of Group Policy

QUESTION 18.

Your company has an Active Directory forest. The company has branch offices in three locations.Each location has an organizational unit.

You need to ensure that the branch office administrators are able to create and apply GPOs only to theirrespective organizational units.



A. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.B. Modify the Managed By tab in each organizational unit to add the branch office administrators to their

respective organizational units.C. Run the Delegation of Control Wizard and delegate the right to link GPOs for the domain to the branch

office administrators.D. Run the Delegation of Control Wizard and delegate the right to link GPOs for their branch organizational

units to the branch office administrators.

Correct Answer: BDSection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc782678%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Creating and Working with GPOs

QUESTION 19.

Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administratorsof the subsidiary company must use the French-language version of the administrative templates.

You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR.

You need to ensure that the French-language version of the templates is available.

What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copythe ADM files to the FR folder.

B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folderon the subsidiary PDC emulator.

C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FRfolder on the subsidiary PDC emulator.

D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folderon the subsidiary PDC emulator.

Correct Answer: BSection: Configuring Group PolicyExplanation


http://technet.microsoft.com/en-us/library/cc772507%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------.admx and .adml File Structure

n order to support the multilingual display of policy settings, the ADMX file structure must be broken into twotypes of files:

A language-neutral file, .admx, describing the structure of the categories and Administrative template policysettings displayed in the Group Policy Object Editor. A set of language-dependent files, .adml, providing the localized portions displayed in the Group PolicyObject Editor. Each .adml file represents a single language you wish to support.

SEE above URL for more info

QUESTION 20.

A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active DirectoryLightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on theC: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform insequence? (To answer, move the three appropriate actions from the list of actions to the answer area andarrange them in the correct order.)


Correct Answer:

Section: Configuring AD LDSExplanation


Exam D

QUESTION 1.

Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 andclient computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatorycompliance requirements.

Your partner company has an Active Directory forest that contains a single domain. The company has serversthat run Windows Server 2008 R2 and client computers that run Windows 7.

You need to configure your partner company's domain to use the approved set of administrative templates.

What should you do?

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, importthe GPO to the default domain policy.

B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Website. Copy the ADM files to the PolicyDefinitions folder on the partner company's PDC emulator.


Explanation/Reference:In Group Policy for versions of Windows earlier than Windows Vista, if you modify Administrative templatepolicy settings on local computers, the Sysvol share on a domain controller within the domain is automaticallyupdated with the new ADM files. In Group Policy for Windows Server 2008 and Windows Vista, if you modifyAdministrative template policy settings on local computers, Sysvol will not be automatically updated with thenew ADMX or ADML files (ADML files are XML-based ADM files that contain language-specific settings). Thischange in behavior is implemented to reduce network load and disk storage requirements, and to preventconflicts from occurring between ADMX files and ADML files when edits to Administrative template policysettings are made across different locales. To ensure that any local updates are reflected in Sysvol as well, youmust manually copy the updated ADMX or ADML files from the PolicyDefinitions folder on the local computer tothe Sysvol\PolicyDefinitions folder on the appropriate domain controller.

----------------------------------------------------------------------------------------------------------------------------------------------Reason : The requirement is administrative templates. “A” is wrong, GPO is not a template file. ADMX is.

QUESTION 2.

Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers andDNS servers. All client computers run Windows XP SP3.

You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored inthe ADMX central store.

What should you do?

A. Add your account to the Domain Admins group.B. Upgrade your client computers to Windows 7.

C. Install .NET Framework 3.0 on your client computers.D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the

PolicyDefinitions folder.


Explanation/Reference:Prerequisites for Administering Domain-Based GPOs w ith ADMX FilesTo complete the tasks in this section, you should have at least:A Windows Server 2008, Windows Server 2003, or Windows 2000 domain that uses a DNS name server.A Windows Vista–based computer to use as an administrative workstation.

Since the client machine must be running at least Vista, "B" is the best answer.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 3.

Your company purchases a new application to deploy on 200 computers. The application requires that youmodify the registry on each target computer before you install the application.

The registry modifications are in a file that has an .adm extension.

You need to prepare the target computers for the application.

What should you do?

A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unitthat contains the target computers.

B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each targetcomputer.

C. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsrCONTAINER-DN command on each target computer.

D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmpCONTAINER-DN command on each target computer.



----------------------------------------------------------------------------------------------------------------------------------------------Reason: An ADM template is a file that is designed to be used within Group Policy to define a Registry settingand its’ value

QUESTION 4.

Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.The TempWorkers group is not nested in any other groups.

You move the computer objects of three file servers to a new organizational unit named SecureServers. Thesefile servers contain only confidential data in shared folders. You need to prevent members of the TempWorkers group from accessing the confidential data on the file

servers. You must achieve this goal without affecting access to other domain resources.

What should you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to thiscomputer from the network user right to the TempWorkers global group.

B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the networkuser right to the TempWorkers global group.

C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkersglobal group.

D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally userright to the TempWorkers global group.


Explanation/Reference:It appears the strategy is to move the servers with confidential data into their own OU, then deny access tothose servers only to the global group.

Should not do this at the domain level, since other resources may be needed in the domain.Denying the log on locally user right does not affect network access.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 5.

All consultants belong to a global group named TempWorkers.

You place three file servers in a new organizational unit named SecureServers. The three file servers containconfidential data located in shared folders.

You need to record any failed attempts made by the consultants to access the confidential data.



A. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege useFailure audit policy setting.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object accessFailure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to thiscomputer from the network user rights setting for the TempWorkers global group.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure theFailed Full control setting in the Auditing Entry dialog box.

E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.Configure the Failed Full control setting in the Auditing Entry dialog box.

Correct Answer: BESection: Configuring Group PolicyExplanation

Explanation/Reference:Audit privilege use

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit PolicyDescription Determines whether to audit each instance of a user exercising a user right.By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) andin the local policies of workstations and servers.If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit theevent type at all. Success audits generate an audit entry when a user right is successfully exercised.Failure audits generate an audit entry when the exercise of a user right fails. You can select No auditingby defining the policy setting and unchecking Success and Failure .----------------------------------------------------------------------------------------------------------------------------------------------Auditing Files and FoldersIf you configure a group policy to enable the Audit Object Access option, you can set the level of auditing forindividual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing ofthis type is only available on NTFS volumes.You can configure file and folder auditing by completing the following steps:In Windows Explorer, right-click the file or folder to be audited, and then from the pop-up menu selectProperties.Choose the Security tab, and then click Advanced.In the Access Control Settings dialog box, select the Auditing tab, shown in Figure 13-15.If you want to inherit auditing settings from a parent object, ensure that Allow Inheritable Auditing Entries FromParent To Propagate To This Object is selected.If you want child objects of the current object to inherit the settings, select Reset Auditing Entries On All ChildObjects And Enable Propagation Of Inheritable Auditing Entries.

Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. Toremove an account, select the account in the Auditing Entries list box, and then click Remove.To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialogbox to select an account name to add. When you click OK, you'll see the Auditing Entry For New Folder dialogbox, shown in Figure 13-16.Note: If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specificuser groups or users, or both, that you want to audit.As necessary, use the Apply Onto drop-down list box to specify where objects are audited.Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logssuccessful events, such as successful file reads. Failed logs failed events, such as failed file deletions. Theevents you can audit are the same as the special permissions listed in Table 13-5—except you can't auditsynchronizing of offline files and folders.Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.

QUESTION 6.

Your company has an Active Directory domain and an organizational unit. The organizational unit is namedWeb. You configure and test new security settings for Internet Information Service (IIS) servers on a servernamed IISServerA.

You need to deploy the new security settings only on the IIS servers that are members of the Weborganizational unit.

What should you do?

A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, and then run secedit /configure /db webou.inf from the command prompt.

B. Export the settings on IISServerA to create a security template. Import the security template into a GPO andlink the GPO to the Web organizational unit.

C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf fromthe command prompt.

D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.



----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 7.

Your company has an Active Directory forest that contains client computers that run Windows Vista andWindows XP.

You need to ensure that users are able to install approved application updates on their computers.



A. Set up Automatic Updates through Control Panel on the client computers.B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically

search for updates on the Microsoft Update site.C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows

Server Update Services (WSUS) server for approved updates.D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on

the Internet. Approve all required updates.

Correct Answer: CDSection: Configuring Group PolicyExplanation


----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 8.

Your company has an Active Directory forest. Each branch office has an organizational unit and a childorganizational unit named Sales.

The Sales organizational unit contains all users and computers of the sales department.

You need to install a Microsoft Office 2007 application only on the computers in the Sales organizational unit.

You create a GPO named SalesApp GPO.


A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to thedomain.

B. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

D. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

Correct Answer: DSection: Configuring Group PolicyExplanation

Explanation/Reference:Assign the application to the computer account to prevent Sales users from accessing the application whenlogging in on a computer outside of ou=Sales. This GPO needs to be applied at the OU level not the domainlevel.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 9.

Your company has an Active Directory forest. The forest includes organizational units corresponding to thefollowing four locations:

- London- Chicago- New York- Madrid

Each location has a child organizational unit named Sales. The Sales organizational unit contains all the usersand computers from the sales department.

The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid isconnected by a 256-Kbps ISDN connection.

You need to install an application on all the computers in the sales department.



A. Disable the slow link detection setting in the Group Policy Object (GPO).B. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).C. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the GPO

to each Sales organizational unit.D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link

the GPO to each Sales organizational unit.

Correct Answer: ADSection: Configuring Group PolicyExplanation

Explanation/Reference:Need to create a GPO to assign the software to computers.----------------------------------------------------------------------------------------------------------------------------------------------Since the Madrid office is connected via a slow link, the slow link detection setting would stop distribution to thatsite.

QUESTION 10.

Your company has an Active Directory forest. The company has three locations. Each location has anorganizational unit and a child organizational unit named Sales.

The Sales organizational unit contains all users and computers of the sales department. The company plans todeploy a Microsoft Office 2007 application on all computers within the three Sales organizational units.

You need to ensure that the Office 2007 application is installed only on the computers in the Salesorganizational units.

What should you do?

A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the domain.

B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.


Explanation/Reference:Need to apply this GPO to the computers in the Sales OU, not the users and not the domain level.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 11.

The default domain GPO in your company is configured by using the following account policy settings:

- Minimum password length: 8 characters- Maximum password age: 30 days- Enforce password history: 12 passwords remembered- Account lockout threshold: 3 invalid logon attempts .Account lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQLServer application uses a service account named SQLSrv. The SQLSrv account has domain user rights.The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is notlocked out.

You need to resolve the server failure and prevent recurrence of the failure.



A. Reset the password of the SQLSrv user account.B. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user

account.C. Configure the properties of the SQLSrv account to Password never expires.D. Configure the properties of the SQLSrv account to User cannot change password.E. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon

locally user right.

Correct Answer: ACSection: Configuring Group PolicyExplanation

Explanation/Reference:Because of default password policies, the password reached its maximum age. The password does need to bereset, and the account should be set so the password never expires - to prevent this from happening again.----------------------------------------------------------------------------------------------------------------------------------------------Reason : B iand E not correct because the account was able to logged on and performed the tasks before thepassword was expired.

D is not correct as it will not fix this problem or prevent it from happening again.

QUESTION 12.

You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked outfor 5 minutes.

Which three actions should you perform?


A. Set the Minimum password age setting to one day.B. Set the Maximum password age setting to one day.C. Set the Account lockout duration setting to 5 minutes.D. Set the Reset account lockout counter after setting to 5 minutes.E. Set the Account lockout threshold setting to 3 invalid logon attempts.F. Set the Enforce password history setting to 3 passwords remembered.

Correct Answer: CDESection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:Password age settings would not address the scenario requirements, nor would Enforce password history.----------------------------------------------------------------------------------------------------------------------------------------------Lockout settings ahd lockout thresholds directly apply.

QUESTION 13.


A user attempts to log on to the domain from a client computer and receives the following message: "This useraccount has expired. Ask your administrator to reactivate the account."

You need to ensure that the user is able to log on to the domain.

What should you do?

A. Modify the properties of the user account to set the account to never expire.B. Modify the properties of the user account to extend the Logon Hours setting.C. Modify the properties of the user account to set the password to never expire.D. Modify the default domain policy to decrease the account lockout duration.

Correct Answer: ASection: Maintaining the AD EnvironmentExplanation


----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 14.

Your network consists of a single Active Directory domain. User accounts for engineering department arelocated in an OU named Engineering.

You need to create a password policy for the engineering department that is different from your domainpassword policy.

What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the

Engineering OU.C. Create a global security group and add all the user accounts for the engineering department to the group.

Create a new Password Policy Object (PSO) and apply it to the group.D. Create a domain local security group and add all the user accounts for the engineering department to the

group. From the Active Directory Users and Computer console, select the group and run the Delegation ofControl Wizard.


Explanation/Reference:In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies andapply different password restrictions and account lockout policies to different sets of users within a singledomain. For example, to increase the security of privileged accounts, you can apply stricter settings to theprivileged accounts and then apply less strict settings to the accounts of other users. Or in some cases, youmay want to apply a special password policy for accounts whose passwords are synchronized with other datasources.To store fine-grained password policies, Windows Server 2008 includes two new object classes in the ActiveDirectory Domain Services (AD DS) schema:

Password Settings Container Password Settings

The Password Settings Container (PSC) object class is created by default under the System container in thedomain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or deletethis container.

PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, considercreating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you mustupdate user memberships in the corresponding global security groups.

-Q-Windows 2008Fine-Grained Passwords [Password policies per OU, Group or user]

Adsi edit, cn=system, cn=password settings container, RightMouse, new object, msds-passwordsettings, entername Passwordsettings, enter values…

ADUC enable advanced mode, create group, goto system, Passwordsettings ,msDS-PSOAppliesTo, edit, enterthe group.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 15.

Your company has file servers located in an organizational unit named Payroll. The file servers contain payrollfiles located in a folder named Payroll.

You create a GPO. You need to track which employees access the Payroll files on the file servers.

What should you do?

A. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers,configure Auditing for the Everyone group in the Payroll folder.

B. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configureAuditing for the Authenticated Users group in the Payroll folder.

C. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. Onthe file servers, configure Auditing for the Authenticated Users group in the Payroll folder.

D. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the fileservers, configure Auditing for the Everyone group in the Payroll folder.


Explanation/Reference:Must be configured in GPO and on the Auditing tab for the shared folder. The main question is which usergroups/users would be affected, and what the trigger is to write the access event to the log.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 16.

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

The Audit account management policy setting and Audit directory services access setting are enabled for theentire domain.

You need to ensure that changes made to Active Directory objects can be logged. The logged changes mustinclude the old and new values of any attributes.

What should you do?

A. Enable the Audit account management policy in the Default Domain Controller Policy.B. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.C. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.D. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable

directory service changes.


Explanation/Reference:The original answer was B - wondering if C was enabled in the scenario before this answer.


Step 1: Enable audit policy.This step includes procedures to enable change auditing with either the Windows interface or a command line: By using Group Policy Management, you can turn on the global audit policy, Audit directory service access ,which enables all the subcategories for AD DS auditing. If you need to install Group Policy Management, click Add Features in Server Manager. Select Group Policy Management and then click Install .

By using the Auditpol command-line tool, you can enable individual subcategories.

To enable the global audit policy using the Windows interfaceClick Start , point to Administrative Tools , and then Group Policy Management .

In the console tree, double-click the name of the forest, double-click Domains , double-click the name of yourdomain, double-click Domain Controllers , right-click Default Domain Controllers Policy , and then click Edit .Under Computer Configuration , double-click Policies , double-click Windows Settings , double-click SecuritySettings , double-click Local Policies , and then click Audit Policy .In the details pane, right-click Audit directory service access , and then click Properties .Select the Define these policy settings check box.Under Audit these attempts , select the Success , check box, and then click OK.

To enable the change auditing policy using a comman d lineClick Start , right-click Command Prompt , and then click Run as administrator .Type the following command, and then press ENTER:auditpol /set /subcategory:"directory service chang es" /success:enable

Step 2: Set up auditing in object SACLs.The following procedure presents an example of just one of many different types of SACLs that you can setbased on the operations that you want to audit.

To set up auditing in object SACLsClick Start , point to Administrative Tools , and then click Active Directory Users and Computers .Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties .Click the Security tab, click Advanced , and then click the Auditing tab.Click Add , and under Enter the object name to select , type Authenticated Users (or any other securityprincipal), and then click OK.In Apply onto , click Descendant User objects (or any other objects).Under Access , select the Successful check box for Write all properties .Click OK until you exit the property sheet for the OU or other object.----------------------------------------------------------------------------------------------------------------------------------------------Reason : after applying the policy, you need to configure the properties>security>audit of the OU.

QUESTION 17.


Auditing is configured to log changes made to the Managed By attribute on group objects in an organizationalunit named OU1.

You need to log changes made to the Description attribute on all group objects in OU1 only.

What should you do?

A. Run auditpol.exe.B. Modify the auditing entry for OU1.C. Modify the auditing entry for the domain.D. Create a new Group Policy object (GPO). Enable the Audit account management policy setting.

Link the GPO to OU1.



----------------------------------------------------------------------------------------------------------------------------------------------Reason : after applying the policy, you need to configure the properties>security>audit of the OU. The questionhere indicates that "Auditing is configured" , this mean the policy setting is already configured. Therefore you donot need to modify the GPO anymore.

QUESTION 18.

You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature isinstalled on the domain controller.

You need to perform a non-authoritative restore of the domain controller by using an existing backup file.

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to performa critical volume restore.

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-into perform a critical volume restore.

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a criticalvolume restore.

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volumerestore.


Explanation/Reference:Performing a Nonauthoritative Restore of AD DS

Applies To: Windows Server 2008To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a systemstate backup. For more information about the specific components that are included in a system state backup,see What's New in AD DS Backup and Recovery?. To restore a system state backup, use the wbadmin start systemstaterecovery command. Theprocedure in this topic uses the wbadmin start systemstaterecovery command.You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if youdo not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to thetime of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessaryto achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use the wbadmin start recovery command.Requirements for performing nonauthoritative restor e of AD DSTo perform a nonauthoritative restore, you must start the domain controller in Directory Services Restore Mode(DSRM). When the domain controller starts in DSRM, you must supply the administrator password for DSRM.

----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 19.

Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains anOU for Computers, an OU for Groups, and an OU for Users.

You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OUwithout affecting users and computers in the Sales OU.

What should you do?

A. Perform an authoritative restore of the Sales OU.B. Perform an authoritative restore of the Groups OU.C. Perform a non-authoritative restore of the Groups OU.D. Perform a non-authoritative restore of the Sales OU.

Correct Answer: BSection: Configuring AD Federated ServicesExplanation

Explanation/Reference:The authoritative restore is needed to make certain replication does not cause the Groups OU to be deleteagain in replication.

You want to restore only the Groups OU, not the Sales OU, which contains the other sub-OUs -- no need tochange those OUs.s----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 20.

Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. Theserver is a backup server. The server has a single 500-GB hard disk that has three partitions for the operatingsystem, applications, and data. You perform daily backups of the server.

The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart thecomputer on the installation media. You select the Repair your computer option.

You need to restore the operating system and all files.

What should you do?

A. Select the System Image Recovery option.B. Run the Imagex utility at the command prompt.C. Run the Wbadmin utility at the command prompt.D. Run the Rollback utility at the command prompt.

Correct Answer: CSection: Configuring AD Federated ServicesExplanation

Explanation/Reference:Wbadmin is the correct utility for this job.----------------------------------------------------------------------------------------------------------------------------------------------

Exam E

QUESTION 1.

You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

What tool should you use?

A. dsmodB. ntdsutilC. Local Users and Groups snap-inD. Active Directory Users and Computers snap-in

Correct Answer: BSection: Powershell & Command line cmdsExplanation

Explanation/Reference:#ntdsutil#set dsrm password----------------------------------------------------------------------------------------------------------------------------------------------

To Reset the DSRM Administrator PasswordClick, Start , click Run , type ntdsutil , and then click OK.At the Ntdsutil command prompt, type set dsrm password.At the DSRM command prompt, type one of the following lines: To reset the password on the server on which you are working, type reset password on server null. The nullvariable assumes that the DSRM password is being reset on the local computer. Type the new password whenyou are prompted. Note that no characters appear while you type the password.

-or- To reset the password for another server, type reset password on server servername, where servername is theDNS name for the server on which you are resetting the DSRM password. Type the new password when youare prompted. Note that no characters appear while you type the password.At the DSRM command prompt, type q.At the Ntdsutil command prompt, type q to exit.

QUESTION 2.

A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for thedomain has been completed and unnecessary objects have been deleted.

You need to perform an offline defragmentation of the Active Directory database on DC12. You also need toensure that the critical services remain online.

What should you do?

A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Defrag utility.D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Ntdsutil utility.

Correct Answer: DSection: Powershell & Command line cmdsExplanation

Explanation/Reference:To perform offline defragmentation of the directory databaseCompact the database file to a local directory or remote shared folder, as follows:Local directory: Go to step 2.

Remote directory: If you are compacting the database file to a shared folder on a remote computer, beforeyou stop AD DS, prepare a shared directory on a remote server in the domain. For example, create the share \\ServerName\NTDS. Allow access to only the Builtin Administrators group. On the domain controller, map anetwork drive to this shared folder.

Important You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy ona network drive. If the compaction of the database does not work properly, you can then easily restore thedatabase by copying back the copy of the Ntds.dit file that you made. Do not delete this copy of theNtds.dit file until you have verified that the domain controller starts properly. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt , andthen click Run as administrator . If the User Account Control dialog box appears, providecredentials, if required, and then click Continue .At the command prompt, type the following command, and then press ENTER:net stop ntds Type Y to agree to stop additional services, and then press ENTER.At the command prompt, type ntdsutil , and then press ENTER.At the ntdsutil prompt, type activate instance ntds , and then press ENTER.At the ntdsutil prompt, type files , and then press ENTER.If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to<drive>:\ <LocalDirectoryPath> (where <drive>:\ <LocalDirectoryPath> is the path to alocation on the local computer), and then press ENTER.If you mapped a drive to a shared folder on a remote computer, type the drive letter only, for example, compact to K:\ .

Note When you compact the database to a local drive, you must provide a path. If the path contains anyspaces, enclose the entire path in quotation marks (for example, compact to "c:\new folder" ). Ifthe directory does not exist, Ntdsutil.exe creates the directory and then creates the file named Ntds.dit inthat location. If defragmentation completes successfully, type quit , and then press ENTER to quit the filemaintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. Go to step 9.If defragmentation completes with errors, go to step 12.

Caution Do not overwrite the original Ntds.dit file or delete any log files. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to:To delete all the log files in the log directory, type the following command, and then press ENTER:

del <drive>:\<pathToLogFiles>\*.log

Ntdsutil provides the correct path to the log files in the onscreen instructions.

Note You do not have to delete the Edb.chk file. You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on asecured network drive. If the compaction of the database does not work properly, you can then easily restorethe database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you haveat least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.ditfile to preserve it. Avoid overwriting the original Ntds.dit file.

Manually copy the compacted database file to the original location, as follows:

copy “<temporaryDrive>:\ntds.dit” “<originalDrive>: \<pathToOriginalDatabaseFile>\ntds.dit”

Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file.

At the command prompt, type ntdsutil , and then press ENTER.At the ntdsutil: prompt, type files , and then press ENTER.At the file maintenance: prompt, type integrity , and then press ENTER.If the integrity check fails, the likely cause is that an error occurred during the copy operation in step 9.c. Repeatsteps 9.c through step 12. If the integrity check fails again:Contact Microsoft Customer Service and Support.

Or

Copy the original version of the Ntds.dit file that you preserved in step 9.b. to the original database location, andrepeat the offline defragmentation procedure.

If the integrity check succeeds, proceed as follows:If the initial compact to command failed, go back to step 7 and perform steps 7 through 12.

If the initial compact to command succeeded, type quit and press ENTER to quit the filemaintenance: prompt, and then type quit and press ENTER again to quit Ntdsutil.exe.

Restart AD DS. At the command prompt, type the following command, and then press ENTER:net start ntds If errors appear when you restart AD DS:Stop AD DS. At the command prompt, type the following command, and then press ENTER:

net stop ntds

Type Y to agree to stop additional services, and then press ENTER.

Check the errors in Event Viewer.

If the following events are logged in the Directory Service log in Event Viewer when you restart AD DS, respondto the events as follows:

Event ID 1046. “The Active Directory database engine caused an exception with the following parameters.” Inthis case, AD DS cannot recover from this error and you must restore from backup media.

Event ID 1168. “Internal error: An Active Directory error has occurred.” In this case, information is missing fromthe registry and you must restore from backup media.

Check database integrity, and then proceed as follows:

If the integrity check fails, try repeating step 9.c through step 12 above, and then repeat the integrity check. Ifthe integrity check fails again:

Contact Microsoft Customer Service and Support.

Or

Copy the original version of the Ntds.dit file that you preserved in step 9.b. to the original database location andrepeat the offline defragmentation procedure.

If the integrity check succeeds, follow the steps in the procedure If the Database Integrity Check Fails, PerformSemantic Database Analysis with Fixup.

If semantic database analysis with fixup succeeds, quit Ntdsutil.exe, and then restart AD DS. At the commandprompt, type the following command, and then press ENTER:

net start ntds

Compacting or defragging the AD database (ntds.dit)

Stop “active directory domain services

#ntdsutil: files#file maintenance: compact to c:\temp----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 3.

You need to identify all failed logon attempts on the domain controllers.

What should you do?

A. Run Event Viewer.B. View the Netlogon.log file.C. Run the Security Configuration Wizard.D. View the Security tab on the domain controller computer object.



----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 4.

You create 200 new user accounts. The users are located in six different sites. New users report that theyreceive the following error message when they try to log on: "The username or password is incorrect."

You confirm that the user accounts exist and are enabled. You also confirm that the user name and passwordinformation supplied are correct.

You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.

Which utility should you run?

A. Rsdiag

B. RstoolsC. RepadminD. Active Directory Domains and Trusts

Correct Answer: CSection: Powershell & Command line cmdsExplanation

Explanation/Reference:Repadmin

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2008, Windows Server 2008 R2Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllersrunning Microsoft Windows operating systems.Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have theAD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain ServicesTools that are part of the Remote Server Administration Tools (RSAT). For more information, see How toAdminister Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813). To use Repadmin.exe, you must run the ntdsutil command from an elevated command prompt. To open anelevated command prompt, click Start , right-click Command Prompt , and then click Run asadministrator .You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domaincontroller. In addition, you can use Repadmin.exe to manually create the replication topology, to forcereplication events between domain controllers, and to view both the replication metadata and up-to-datenessvectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active DirectoryDomain Services (AD DS) forest.----------------------------------------------------------------------------------------------------------------------------------------------http://technet.microsoft.com/en-us/library/cc770963(v=WS.10).aspx

QUESTION 5.

You need to validate whether Active Directory successfully replicated between two domain controllers.

What should you do?

A. Run the DSget command.B. Run the Dsquery command.C. Run the RepAdmin command.D. Run the Windows System Resource Manager.


Explanation/Reference:Repadmin

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2008, Windows Server 2008 R2Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllersrunning Microsoft Windows operating systems.Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have theAD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain ServicesTools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to

Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813). To use Repadmin.exe, you must run the ntdsutil command from an elevated command prompt. To open anelevated command prompt, click Start , right-click Command Prompt , and then click Run asadministrator .You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domaincontroller. In addition, you can use Repadmin.exe to manually create the replication topology, to forcereplication events between domain controllers, and to view both the replication metadata and up-to-datenessvectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active DirectoryDomain Services (AD DS) forest.----------------------------------------------------------------------------------------------------------------------------------------------http://technet.microsoft.com/en-us/library/cc770963(v=WS.10).aspx

QUESTION 6Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008R2.

You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amountof available CPU resources on a domain controller.

What should you do?

A. Review performance data in Resource Monitor.B. Review the Hardware Events log in the Event Viewer.C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.D. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.


Explanation/Reference:server managerdiagnosticsreliability and performancesystemActive Directory Diagnostics----------------------------------------------------------------------------------------------------------------------------------------------To run the Active Directory Data Collector follow these steps:Open Server Manager on a Full version of Windows Server 2008 or later, or go to Start > Run >Perfmon.msc and then press enter.Expand Diagnostics > Reliability and Performance > Data Collector Sets > SystemRight-click on Active Directory Diagnostics and then click Start in the menu which appears.The default setting will gather data for the report for 300 seconds (5 minutes), after which it will take anadditional period to compile the report. The amount of time needed to compile the report is proportional to howmuch data has been gathered during the period.Once the report has compiled, look under Diagnostics > Reliability and Performance > Reports >System > Active Directory Diagnostics to view the report or reports which have been completed.

The report contains eight broad categories under Diagnostic Results which will contain information andconclusions in the report. These will not always tell the exact cause of the problem but can be used todetermine where to investigate in order to find the exact cause.

Items to look at when facing high CPU utilization by Lsass.exe are the Diagnostic Results portion of the report,which will show general performance concerns. In addition, examining the Active Directory category will detailwhat actions-such as what LDAP queries are effecting performance-the domain controller is busy doing at thattime.

Domain controllers are often most effected by remote queries from computers in the environment asking"expensive" queries, or subjecting them to a higher volume of queries. The Network portion of the report can beuseful in determining the remote clients which are communicating most with the domain controller while thediagnostic was gathering data.

QUESTION 7.


You need to capture all replication errors from all domain controllers to a central location.

What should you do?

A. Configure event log subscriptions.B. Start the System Performance data collector set.C. Start the Active Directory Diagnostics data collector set.D. Install Network Monitor and create a new capture.


Explanation/Reference:server managerdiagnosticseventlogssubscriptions

with subscriptions you can configure eventlogs to be forwarded to a central computer.

QUESTION 8.

You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certificationauthority (CA) server that meets the following requirements:

- Allows the certification authority to automatically issue certificates- Integrates with Active Directory Domain Services

What should you do?

A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA .B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA .C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory

Certificate Services server role as a Standalone Subordinate CA .D. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store

of the schema master.


Explanation/Reference:If you are using templates you need Windows 2008 Enterprise.----------------------------------------------------------------------------------------------------------------------------------------------Automatically issuing certificates requires ADCS

QUESTION 9.

Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on adedicated stand-alone server.

When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that theEnterprise CA option is not available.

You need to install the AD CS (Certificate Services) server role as an Enterprise CA.


A. Add the DNS Server server role.B. Join the server to the domain.C. Add the Web Server (IIS) server role and the AD CS server role.D. Add the Active Directory Lightweight Directory Services (AD LDS) server role.


Explanation/Reference:Root CA and SUB-CA’s are normally NOT a member of the domain (pre-R2?)because those servers are Offline and locked-up in a vault.The Issuing CA’s are a member of the domain, because they are online.----------------------------------------------------------------------------------------------------------------------------------------------In this case, however, this Server 2008 R2 server must be a member server in the domain to get the EnterpriseCA option, but should not be a DC.

QUESTION 10.

You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed.

You need to minimize the amount of time it takes for client computers to download a certificate revocation list(CRL).

What should you do?

A. Install and configure an Online Responder.B. Install and configure an additional domain controller.C. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client

workstations.


Explanation/Reference:An Online Responder is a trusted server that receives and responds to individual client requests for informationabout the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity ofcertificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain informationabout all certificates that have been revoked or suspended, an Online Responder receives and responds onlyto individual requests from clients for information about the status of a certificate. The amount of data retrieved

per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than byusing CRLs.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 11.

You have a Windows Server 2008 R2 Enterprise Root CA . Security policy prevents port 443 and port 80 frombeing opened on domain controllers and on the issuing CA .You need to allow users to request certificates from a Web interface. You install the Active Directory CertificateServices (AD CS) server role.


A. Configure the Online Responder Role Service on a member server.B. Configure the Online Responder Role Service on a domain controller.C. Configure the Certificate Enrollment Web Service role service on a member server.D. Configure the Certificate Enrollment Web Service role service on a domain controller.


Explanation/Reference:The Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role servicethat enables users and computers to obtain certificate enrollment policy information. Together with theCertificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer isnot a member of a domain or when a domain member is not connected to the domain.The Certificate Enrollment Policy Web Service uses the HTTPS protocol to communicate certificate policyinformation to network client computers. The Web service uses the LDAP protocol to retrieve certificate policyfrom Active Directory Domain Services (AD DS) and caches the policy information to service client requests. Inprevious versions of AD CS, certificate policy information can be accessed only by domain client computersthat are using the LDAP protocol. This limits policy-based certificate issuance to the trust boundariesestablished by AD DS forests.----------------------------------------------------------------------------------------------------------------------------------------------Since the CEWS role uses HTTPS, the scenario says it cannot be installed on a DC, this limits the answer to C.

QUESTION 12.

Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS)is configured as a standalone Certification Authority (CA) on the server. You need to audit changes to the CAconfiguration settings and the CA security settings.



A. Configure auditing in the Certification Authority snap-in.B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%

\CertSrv directory.C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate

Services (AD CS) server.

Correct Answer: AD

Section: Configuring AD Certificate ServicesExplanation

Explanation/Reference:To configure CA event auditing Open the Certification Authority snap-in. In the console tree, click the name of the CA.On the Action menu, click Properties .On the Auditing tab, click the events that you want to audit, and then click OK.On the Action menu, point to All Tasks , and then click Stop Service . On the Action menu, point to All Tasks , and then click Start Service .----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 13.


You install an Enterprise Root certification authority (CA) on a member server named Server1. You need toensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.

What should you do?

A. Remove the Request Certificates permission from the Domain Users group.B. Remove the Request Certificates permission from the Authenticated Users group.C. Assign the Allow - Manage CA permission to only the Security Manager user account.D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account.


Explanation/Reference:A certificate manager can approve certificate enrollment and revocation requests, issue certificates, andmanage certificates. This role can be configured by assigning a user or group the Issue and ManageCertificatespermission.When you assign this permission to a user or group, you can further refine their ability to manage certificates bygroup and by certificate template. For example, you might want to implement a restriction that they can onlyapprove requests or revoke smart card logon certificates for users in a certain office or organizational unit thatis the basis for a security group.This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) andthe user groups that have Enroll permissions for that certificate template from that CA.You must be a CA administrator or a member of Enterprise Admins , or equivalent, to complete thisprocedure. For more information, see Implement Role-Based Administration.To configure certificate manager restrictions for a CAOpen the Certification Authority snap-in, and right-click the name of the CA. Click Properties , and then click the Security tab.Verify that the user or group that you have selected has Issue and Manage Certificates permission. Ifthey do not yet have this permission, select the Allow check box, and then click Apply .Click the Certificate Managers tab.Click Restrict certificate managers , and verify that the name of the group or user is displayed.Under Certificate Templates , click Add , select the template for the certificates that you want this user orgroup to manage, and then click OK. Repeat this step until you have selected all certificate templates that youwant to allow this certificate manager to manage.

Under Permissions , click Add , type the name of the client for whom you want the certificate manager tomanage the defined certificate types, and then click OK.If you want to block the certificate manager from managing certificates for a specific user, computer, or group,under Permissions , select this user, computer, or group, and click Deny .When you are finished configuring certificate manager restrictions, click OK or Apply .----------------------------------------------------------------------------------------------------------------------------------------------Reason:A certificate manager can approve certificate enrollment and revocation requests, he can also issuecertificates and manage certificates

QUESTION 14.

You have a Windows Server 2008 R2 Enterprise Root certification authority (CA). You need to grant membersof the Account Operators group the ability to only manage Basic EFS certificates.

You grant the Account Operators group the Issue and Manage Certificates permission on the CA . Which threetasks should you perform next?


A. Enable the Restrict Enrollment Agents option on the CA .B. Enable the Restrict Certificate Managers option on the CA .C. Add the Basic EFS certificate template for the Account Operators group.D. Grant the Account Operators group the Manage CA permission on the CA .E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCESection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:A certificate manager can approve certificate enrollment and revocation requests, issue certificates, andmanage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificatespermission.

http://technet.microsoft.com/en-us/library/cc753372.aspx----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 15.

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an enterprise root certification authority (CA).

You install the Online Responder role service on Server2. You need to configure Server1 to support the OnlineResponder.

What should you do?

A. Import the enterprise root CA certificate.B. Configure the Certificate Revocation List Distribution Point extension.C. Configure the Authority Information Access (AIA) extension.D. Add the Server2 computer account to the CertPublishers group.

Correct Answer: C


Explanation/Reference:To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP)Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.Configuring a certification authority (CA) to support OCSP responder services includes the following steps:

1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.

2. Configure enrollment permissions for any computers that will be hosting Online Responders.

3. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates.

4. Add the location of the Online Responder or OCSP responder to the authority information accessextension on the CA.

5. Enable the OCSP Response Signing certificate template for the CA.

----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 16.

Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runsan Enterprise Root certification authority (CA).

You need to ensure that only administrators can sign code.



A. Publish the code signing template.B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow

only administrators to apply the policy.C. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted

Publishers.D. Modify the security settings on the template to allow only administrators to request code signing certificates.

Correct Answer: ADSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:Default templates in Windows Server 2008

Name Description Key

usage

Subjecttype

Applications usedforenhancedkey usage

Applicationpolicies orenhancedkey usage

Administrator Allows trust list signing and user authentication

Signature andencryption

User

Microsoft trustlist signingEncryptingFile System

4.1

(EFS)Secure e-mailClientauthentication

AuthenticatedSession

Allows subjects to authenticate to a Web server Signature User Client

authentication3.1

BasicEFS Used by EFS to encrypt data Encrypti

on User EFS 3.1

CAExchange

Used to protect private keys as they are sent to theCA for private key archival

Encryption

Computer

Private keyarchival 106.0

CEPEncryption

Allows the holder to act as a registration authority forSimple Certificate Enrollment Protocol (SCEP)requests; used by the Network Device EnrollmentService for its key exchange certificate

Encryption

Computer

Certificaterequest agent 4.1

CodeSigning Used to digitally sign software Signatur

e User Code signing 3.1

----------------------------------------------------------------------------------------------------------------------------------------------Reason : Code Signing is a template.

QUESTION 17.

Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company usesan Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.

The Enterprise Intermediate CA certificate expires.

You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.

What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group

policy object.D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.


Explanation/Reference:-Q-You bring the Root CA online and make a cert request from the Intermediate CA, send it to the Root CA forsigningand then import the signed certificate into the Intermediate CA.

So i think "B" instead of "D"----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 18.


You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runsWindows Server 2008 R2.

You need to ensure that members of the Account Operators group are able to issue smartcard credentials.They should not be able to revoke certificates.

Which three actions should you perform?


A. Install the AD CS server role and configure it as an Enterprise Root CA .B. Install the AD CS server role and configure it as a Standalone CA .C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.E. Create a Smartcard logon certificate.F. Create an Enrollment Agent certificate.

Correct Answer: ACESection: Configuring AD Certificate ServicesExplanation


----------------------------------------------------------------------------------------------------------------------------------------------To configure enrollment agents, right click on the issuing CA and select properties( see screenshot below).

QUESTION 19.

Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.

You need to create multiple password policies for users in your domain.

What should you do?

A. From the Active Directory Schema snap-in, create multiple class schema objects.B. From the ADSI Edit snap-in, create multiple Password Setting objects.C. From the Security Configuration Wizard, create multiple security policies.D. From the Group Policy Management snap-in, create multiple Group Policy objects.


Explanation/Reference:Fine-Grained Passwords [Password policies per OU, Group or user]Adsi edit, cn=system, cn=password settings container, RM, new object, msds-passwordsettings, enter name

Passwordsettings, enter values…ADUC adv, create group, goto system, Passwordsettings ,msDS-PSOAppliesTo, edit, enter the group.----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 20.

You need to perform an offline defragmentation of an Active Directory database. Which four actions should youperform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer areaand arrange them in the correct order.)


Correct Answer:

Section: Configuring AD Federated ServicesExplanation


Exam F

QUESTION 1.

Your company has an Active Directory domain. All servers run Windows Server 2008 R2.

Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificateinformation is highly available.

What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.B. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and

Acceleration Server array.C. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the

domain.


Explanation/Reference:There are two major pieces in implementing the High Availability Configuration. The first step is to add theOCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, theconfiguration of the OCSP responders can be easily maintained, so that all Responders in the Array have thesame configuration. The configuration of the Array Controller is used as the baseline configuration that is thenapplied to other members of the Array.

The second piece is to load balance the OCSP Responders . Load balancing of the OCSP responders is whatactually provides fault tolerance. I am going to demonstrate using the built in Windows Network LoadBalancing feature of Windows Server 2008. You can of course use a third party hardware load balancer if youwish. In this example, we are going to deploy two OCSP Servers in a highly available configuration.

http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspx

QUESTION 2.

Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offlineroot CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2.

You need to ensure users are able to enroll new certificates.

What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA . Copy the CRL to the CertEnroll folder on theissuing CA .

B. Renew the Certificate Revocation List (CRL) on the issuing CA . Copy the CRL to the SystemCertificatesfolder in the users' profile.

C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client

workstations.

Correct Answer: ASection: Configuring AD Certificate Services

Explanation


QUESTION 3.

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an Enterprise Root certification authority (CA). You install the Online Responder role service onServer2.

You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.



A. Import the enterprise root CA certificate.B. Import the OCSP Response Signing certificate.C. Add the Server1 computer account to the CertPublishers group.D. Set the Startup Type of the Certificate Propagation service to Automatic.

Correct Answer: ABSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:The signature on OCSP responses must follow the following rules to be considered valid by a Windows Vista orWindows Server 2008 client:

For Windows Vista, either the OCSP signing certificate must be issued by the same CA as the certificate beingverified or the OCSP response must be signed by the issuing CA.

For Windows Vista with Service Pack 1 and Windows Server 2008, the OCSP signing certificate may chain upto any trusted root CA as long as the certificate chain includes the OCSP Signing EKU extension.

CryptoAPI will not support independent OCSP signer during revocation checking on this OCSP signingcertificate chain to avoid circular dependency. CryptoAPI will support CRL and delegated OCSP signer only.

QUESTION 4.

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.

DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hostsa standard secondary DNS zone for the domain.

You need to configure DNS to allow only secure dynamic updates.


A. On DC1 and DC2, configure a trust anchor.B. On DC1 and DC2, configure a connection security rule.C. On DC1, configure the zone transfer settings.D. On DC1, configure the zone to be stored in Active Directory.


Explanation/Reference:To allow only secure dynamic updates using the Wind ows interface Open DNS Manager.In the console tree, right-click the applicable zone, and then click Properties .On the General tab, verify that the zone type is Active Directory-integrated .In Dynamic Updates , click secure only .

http://technet.microsoft.com/en-us/library/cc753751.aspx

QUESTION 5.

Your network contains a domain controller that has two network connections named Internal and Private.Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5.

You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address.

What should you do?

A. Modify the netlogon.dns file on the domain controller.B. Modify the Name Server settings of the DNS zone for the domain.C. Modify the properties of the Private network connection on the domain controller.D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.


Explanation/Reference:To avoid this problem perform the following 3 steps (It is important that you follow all the steps to avoid theissue).

1. Under Network Connections Properties: On the Unwanted NIC TCP/IP Properties -> Advanced -> DNS - > Uncheck "Register this connections Addressin DNS"

2. Open the DNS server console: highlight the server on the left pane Action-> Properties and on the"Interfaces" tab select "listen on only the following IP addresses". Remove unwanted IP address from the list

3. On the Zone properties, select Name server tab. Along with FQDN of the DC, you will see the IP addressassociated with the DC. Remove unwanted IP address if it is listed.After performing this delete the existing unwanted Host A record of the DC.

http://support.microsoft.com/kb/2023004#appliesto

QUESTION 6.

Your network contains an Active Directory forest named contoso.com. You plan to add a new domain namednwtraders.com to the forest.All DNS servers are domain controllers.

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNSservers in the forest.

What should you do?

A. Add the computer accounts of all the domain controllers to the DnsAdmins group.B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.C. Create a standard primary zone on a domain controller in the forest root domain.D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.


Explanation/Reference:When you use standard zone storage, the default for the DNS Server service is to not allow dynamic updateson its zones. For zones that are either directory-integrated or that use standard file-based storage, you canchange the zone to allow all dynamic updates, which permits all updates to be accepted.


Reason : Standard primary zone is local to the DC. The requirement here is to allow clients to register their hostfrom any DC/DNS servers.

QUESTION 7.

Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 hosts a standard primary zone for contoso.com.

You discover that non-domain member computers register records in the contoso.com zone. You need toprevent the non-domain member computers from registering records in the contoso.com zone. All domainmember computers must be allowed to register records in the contoso.com zone.


A. Configure a trust anchor.B. Run the Security Configuration Wizard (SCW).C. Change the contoso.com zone to an Active Directory-integrated zone.D. Modify the security settings of the %SystemRoot%\System32\Dns folder.


Explanation/Reference:When you use standard zone storage, the default for the DNS Server service is to not allow dynamic updateson its zones. For zones that are either directory-integrated or that use standard file-based storage, you canchange the zone to allow all dynamic updates, which permits all updates to be accepted.


Trust anchors are required on all non-authoritative DNS servers that will perform DNSSEC validation of datafrom a signed zone.

http://technet.microsoft.com/en-us/library/ee649280%28WS.10%29.aspx

QUESTION 8.

Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. Youadd an alias (CNAME) resource record named Server1 to the zone. The target host of the record isserver2.contoso.com. When you ping Server1, you discover that the name fails to resolve.

You successfully resolve server2.contoso.com. You need to ensure that you can resolve names by using theGlobalNames zone.

What should you do?

A. From the command prompt, use the netsh tool.B. From the command prompt, use the dnscmd tool.C. From DNS Manager, modify the properties of the GlobalNames zone.D. From DNS Manager, modify the advanced settings of the DNS server.


Explanation/Reference:Deploying a GlobalNames zoneThe specific steps for deploying a GlobalNames zone can vary somewhat, depending on the AD DS topology ofyour network.Step 1: Create the GlobalNames zoneThe first step in deploying a GlobalNames zone is to create the zone on a DNS server that is a domaincontroller running Windows Server 2008. The GlobalNames zone is not a special zone type; rather, it is simplyan AD DS-integrated forward lookup zone that is called GlobalNames. For information about creating a primaryforward lookup zone, see Add a Forward Lookup Zone.Step 2: Enable GlobalNames zone supportThe GlobalNames zone is not available to provide na me resolution until GlobalNames zone support isexplicitly enabled by using the following command o n every authoritative DNS server in the forest: dnscmd <ServerName> /config /enableglobalnamessupport 1

where ServerName is the DNS name or IP address of the DNS server that hosts the GlobalNames zone. Tospecify the local computer, replace ServerName with a period (.), for example, dnscmd . /config /enableglobalnamessupport 1 .Step 3: Replicate the GlobalNames zoneTo make the GlobalNames zone available to all DNS servers and clients in a forest, replicate the zone to alldomain controllers in the forest, that is, add the GlobalNames zone to the forest-wide DNS application partition.For more information, see Change the Zone Replication Scope.If you want to limit the servers that will be authoritative for the GlobalNames zone, you can create a customDNS application partition for replicating the GlobalNames zone. For more information, see Understanding DNSZone Replication in Active Directory Domain Services.Step 4: Populate the GlobalNames zoneFor each server that you want to be able to provide single-label name resolution for, add an alias (CNAME)resource record to the GlobalNames zone. For more information, see Add an Alias (CNAME) Resource Recordto a Zone.Step 5: Publish the location of the GlobalNames zon e in other forestsIf you want DNS clients in other forests to use the GlobalNames zone for resolving names, add service location(SRV) resource records to the forest-wide DNS application partition, using the service name_globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone. For more

information, see Add a Resource Record to a Zone and Service Location (SRV) Resource Record Dialog Box.In addition, you must run the dnscmd ServerName/config /enableglobalnamessupport 1 commandon every authoritative DNS server in the forests that do not host the GlobalNames zone.

http://technet.microsoft.com/en-us/library/cc731744 .aspx

Reason : GNZ is intended to aid the retirement of W INS. To enable gnz:Dnscmd ServerName /config /Enableglobalnamessupport 1. Next , you can use gui to create GlobalNames zone o r using command :Dnscmd ServerName /ZoneAdd GlobalNames /DsPrimary / DP /forest

QUESTION 9.

Your company has a main office and a branch office.

The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com isconfigured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.

The main office contains a writable domain controller named DC1. The branch office contains a read- onlydomain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers.

You uninstall the DNS server role from RODC1. You need to prevent DNS records from replicating to RODC1.

What should you do?

A. Modify the replication scope for the contoso.com zone.B. Flush the DNS cache and enable cache locking on RODC1.C. Configure conditional forwarding for the contoso.com zone.D. Modify the zone transfer settings for the contoso.com zone.

Correct Answer: ASection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:Change the Zone Replication Scope

Applies To: Windows Server 2008, Windows Server 2008 R2You can use the following procedure to change the replication scope for a zone. Only Active Directory DomainServices (AD DS)–integrated primary and stub forward lookup zones can change their replication scope.Secondary forward lookup zones cannot change their replication scope.Membership in Administrators , or equivalent, is the minimum required to complete this procedure. Reviewdetails about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.Changing zone replication scopeUsing the Windows interface


To change zone replication scope using the Windows interface Open DNS Manager.In the console tree, right-click the applicable zone, and then click Properties .On the General tab, note the current zone replication type, and then click Change .Select a replication scope for the zone.Additional considerationsTo open DNS Manager, click Start , point to Administrative Tools , and then click DNS.

To change zone replication scope using the command line At a command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /ZoneChangeDirectoryPartition < ZoneName> <NewPartitionName>

Parameter Description dnscmd Specifies the name of the command-line tool for managing DNS servers.

<ServerName> Required. Specifies the Domain Name System (DNS) host name of the DNS server. Youcan also type the IP address of the DNS server. To specify the DNS server on the localcomputer, you can also type a period (.)

/ZoneChangeDirectoryPartition

Required. Changes a zone's replication scope.

<ZoneName> Required. Specifies the fully qualified domain name (FQDN) of the zone.<NewPartitionName>

Required. The FQDN of the DNS application directory partition where the zone will bestored.


QUESTION 10.

Your network contains an Active Directory domain named contoso.com. The domain contains the serversshown in the following table:

Server name Operating system Role

DC1 Windows Server 2008 Domain controller

DC2 Windows Server 2008 R2 Domain controller

DNS1 Windows Server 2008 DNS server

DNS2 Windows Server 2008 R2 DNS server

The functional level of the forest is Windows Server 2003. The functional level of the domain is WindowsServer 2003.DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise.

You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.


A. Change the functional level of the forest.B. Change the functional level of the domain.C. Upgrade DC1 to Windows Server 2008 R2.D. Upgrade DNS1 to Windows Server 2008 R2.


Explanation/Reference:Note

In Windows Server 2003 and Windows Server® 2008, DNSSEC is implemented on secondary zones asdescribed in RFC 2535. Because RFC 2535 has been made obsolete by the previously mentioned RFCs, theWindows Server 2003 and Windows Server 2008 implementations are not interoperable with the Windows

Server 2008 R2 or Windows 7 implementation.

http://technet.microsoft.com/en-us/library/ee649205(v=WS.10).aspx

QUESTION 11.

Your network contains a domain controller that is configured as a DNS server. The server hosts an ActiveDirectory-integrated zone for the domain.

You need to reduce how long it takes until stale records are deleted from the zone.

What should you do?

A. From the configuration directory partition of the forest, modify the tombstone lifetime.B. From the configuration directory partition of the forest, modify the garbage collection interval.C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.



QUESTION 12.

You have an Active Directory domain named contoso.com. You have a domain controller named Server1 that isconfigured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The DNS configuration of

Server1 is shown in the exhibit. (Click the Exhibit button.)

You discover that stale resource records are not automatically removed from the contoso.com zone. You needto ensure that the stale resource records are automatically removed from the contoso.com zone.

What should you do?

A. Set the scavenging period of Server1 to 0 days.B. Modify the Server Aging/Scavenging properties.C. Configure the aging properties for the contoso.com zone.D. Convert the contoso.com zone to an Active Directory-integrated zone.



Scavenging is set in three places on a Windows Server:On the individual resource record to be scavenged.

On a zone to be scavenged. At one or more servers performing scavenging. It must be set in all three places or nothing happens.

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx?PageIndex=3

QUESTION 13.

Your network contains an Active Directory domain named contoso.com.

You remove several computers from the network.

You need to ensure that the host (A) records for the removed computers are automatically deleted from thecontoso.com DNS zone.

What should you do?

A. Configure dynamic updates.B. Configure aging and scavenging.C. Create a scheduled task that runs the Dnscmd /ClearCache command.D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.



Scavenging is set in three places on a Windows Server:On the individual resource record to be scavenged. On a zone to be scavenged. At one or more servers performing scavenging. It must be set in all three places or nothing happens.

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx?PageIndex=3

QUESTION 14.

You need to force a domain controller to register all service location (SRV) resource records in DNS.

Which command should you run?

A. ipconfig.exe /registerdnsB. net.exe stop dnscache & net.exe start dnscacheC. net.exe stop netlogon & net.exe start netlogonD. regsvr32.exe dnsrslvr.dll


Explanation/Reference:To make sure that all you A and SRV records are updated corretly, please proceed like the following:

Make sure that each DC / DNS server is pointing to its private IP address as primary DNS server Make sure that each DC without DNS is pointing to the correct internal DNS server a primary DNS server Check that you don't have connectivity problems Run net.exe stop netlogon & net.exe start netlogon command on all your DCs. Make sure that all your client computers / member servers are using the correct internal DNS server as primaryone

QUESTION 15.

Your network contains an Active Directory domain named contoso.com. You plan to deploy a child domainnamed sales.contoso.com. The domain controllers in sales.contoso.com will be DNS servers forsales.contoso.com.

You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fullyqualified domain names (FQDNs).

What should you do?

A. Create a DNS forwarder.B. Create a DNS delegation.C. Configure root hint servers.D. Configure an alternate DNS server on all client computers.


Explanation/Reference:Create a Zone Delegation Applies To: Windows Server 2008, Windows Server 2008 R2You can divide your Domain Name System (DNS) namespace into one or more zones. You can delegatemanagement of part of your namespace to another location or department in your organization by delegatingthe management of the corresponding zone. For more information, see Understanding Zone Delegation.When you delegate a zone, remember that for each new zone that you create, you will need delegation recordsin other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transferauthority and to provide correct referral to other DNS servers and clients of the new servers that are beingmade authoritative for the new zone.Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure.Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.Creating a zone delegationUsing the Windows interface


To create a zone delegation using the Windows inter face Open DNS Manager.In the console tree, right-click the applicable subdomain, and then click New Delegation .Follow the instructions in the New Delegation Wizard to finish creating the new delegated domain.Additional considerationsTo open DNS Manager, click Start , point to Administrative Tools , and then click DNS.

All domains (or subdomains) that appear as part of the applicable zone delegation must be created in thecurrent zone before delegation is performed as described here. As necessary, use DNS Manager to first adddomains to the zone before you complete this procedure.

To create a zone delegation using a command line Open a command prompt.Type the following command, and then press ENTER: dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName > [/Aging] [/OpenAcl] [<Ttl>]NS {<HostName>|<FQDN>}Parameter Description dnscmd Specifies the name of the command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IP address ofthe DNS server. To specify the DNS server on the local computer, you can also type a period(.)

/RecordAdd

Required. Specifies the command to add a resource record.

<ZoneName> Required. Specifies the fully qualified domain name (FQDN) of the zone.

<NodeName>

Required. Specifies the FQDN of the node in the DNS namespace for which the start ofauthority (SOA) resource record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/AgingIf this command is used, this resource record is able to be aged and scavenged. If thiscommand is not used, the resource record remains in the DNS database unless it is manuallyupdated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, onlyadministrators may modify the new record.

<Ttl> Specifies the Time To Live (TTL) setting for the resource record. (The default TTL is defined instart of authority (SOA) resource record).

NS Required. Specifies that you are adding a name server (NS) resource record to the zone that isspecified in ZoneName.

<HostName>|<FQDN>

Required. Specifies the host name or FQDN of the new authoritative server.

To view the complete syntax for this command, at a command prompt, type the following command, and thenpress ENTER: dnscmd /RecordAdd /help

QUESTION 16.

Your network contains a single Active Directory domain named contoso.com. The domain contains two domaincontrollers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone forcontoso.com. DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an ActiveDirectory-integrated zone and configure the zone to accept secure dynamic updates only.

You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.


A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.comB. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimaryC. dnslint.exe /qlD. repadmin.exe /syncall /force



Dnscmd zoneresettypeChanges the type of the zone.Syntaxdnscmd [ServerName] /zoneresettype ZoneName ZoneType [/overwrite_mem | /overwrite_ds ] ParametersServerName Specifies the DNS server the administrator is planning to manage, represented by local computer syntax, IPaddress, FQDN, or Host name. If omitted, the local server is used. ZoneName Identifies the zone on which the type will be changed. ZoneType Specifies the type of zone to create. Each type has different required parameters. /dsprimaryCreates an Active Directory-integrated zone. /primary /file FileNameCreates a standard primary zone. /secondary MasterIPAddress [,MasterIPAddress ...]Creates a standard secondary zone. /stub MasterIPAddress [,MasterIPAddress ...] /file FileNameCreates a file-backed stub zone. /dsstub MasterIPAddress [,MasterIPAddress... ]Creates an Active Directory-integrated stub zone. /forwarder MasterIPAddress [,MasterIPAddress ]... /file FileNameSpecifies that the created zone forwards unresolved queries to another DNS server. /dsforwarderSpecifies that the created Active Directory-integrated zone forwards unresolved queries to another DNS server. /overwrite_mem | /overwrite_ds Specifies how to overwrite existing data. /overwrite_memOverwrites DNS data from data in Active Directory. /overwrite_dsOverwrites existing data in Active Directory. RemarksSetting the zone type as /dsforwarder creates a zone that performs conditional forwarding.

Sample Usagednscmd dnssvr1.contoso.com /zoneresettype test.cont oso.com /primary /filetest.contoso.com.dns dnscmd dnssvr1.contoso.com /zoneresettype second.co ntoso.com /secondary 10.0.0.2

http://technet.microsoft.com/en-us/library/cc756116(v=WS.10).aspx#BKMK_29

Reason : dsprimary is AD integrated zone. We need AD-integrated to get the secure dynamic updates.

DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues. Youneed to download it from Microsoft.

QUESTION 17.

Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in thefollowing Command Prompt window.

You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records forcontoso.com.

What should you modify?

A. the root hints of the DNS serverB. the security settings of the zoneC. the Windows Firewall settings on the DNS serverD. the zone transfer settings of the zone


Explanation/Reference:To modify zone transfer settings using the Windows interface Open DNS Manager.Right-click a DNS zone, and then click Properties .On the Zone Transfers tab, do one of the following: To disable zone transfers, clear the Allow zone transfers check box.

To allow zone transfers, select the Allow zone transfers check box.

If you allowed zone transfers, do one of the following:

To allow zone transfers to any server, click To any server .

To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only toservers listed on the Name Servers tab .

To allow zone transfers only to specific DNS servers, click Only to the following servers , and then addthe IP address of one or more DNS servers.

QUESTION 18.

Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is storedin Active Directory. All domain controllers run Windows Server 2008 R2.

You need to identify if all of the DNS records used for Active Directory replication are correctly registered.

What should you do?

A. From the command prompt, use netsh.exe.B. From the command prompt, use dnslint.exe.C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.


Explanation/Reference:DNSLint is a Microsoft Windows utility that runs on Windows 2000-and-later operating systems. Among otheruses, it can help you troubleshoot Active Directory replication issues. Specifically, it can help you determine twothings: Whether all DNS servers that are supposed to be authoritative for the root of an Active Directory forest actually

have the necessary DNS records to successfully synchronize partition replicas among domain controllers in anActive Directory forest. DNSLint identifies which DNS records are missing from each authoritative DNS server. Whether a particular Active Directory domain controller can resolve all of the necessary DNS records tosuccessfully synchronizing partition replicas among domain controllers in an Active Directory forest. DNSLintidentifies which DNS records cannot be resolved by the domain controller being tested.

http://support.microsoft.com/kb/321046

Reason : DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolutionissues. You need to download it from Microsoft.

QUESTION 19.

Your network contains an Active Directory forest. The forest contains one domain and three sites. Each sitecontains two domain controllers. All domain controllers are DNS servers.

You create a new Active Directory-integrated zone.

You need to ensure that the new zone is replicated to the domain controllers in only one of the sites.


A. Modify the NTDS Site Settings object for the site.B. Modify the replication settings of the default site link.C. Create an Active Directory connection object.D. Create an Active Directory application directory partition.

Correct Answer: DSection: Configuring AD InfrastructureExplanation

Explanation/Reference:Application directory partitionsAn application directory partition is a directory partition that is replicated only to specific domain controllers.

QUESTION 20.

Your network contains a single Active Directory forest. The forest contains two domains named contoso.comand sales.contoso.com. The domain controllers are configured as shown in the following table:

Server name Domain DNS zones hosted

DC1 contoso.com contoso.com

DC2 contoso.com contoso.com

DC3 sales.contoso.com sales.contoso.com

DC4 sales.contoso.com sales.contoso.com

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integratedzones.

You need to ensure that contoso.com records are available on DC3.


A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainB. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forestC. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainD. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest


Explanation/Reference:You can use these procedures to change the replication scope for a zone using either the DNS Manager snap-in or the dnscmd command-line tool. Only Active Directory–integrated primary and stub forward lookup zonescan change their replication scope. Because they are not integrated with Active Directory, secondary forwardlookup zones cannot change their replication scope.

Caution Improperly configuring the replication scope of a zone can cause replication to fail or produce unexpectedresults, interfering with name resolution for the zone. You should not change the replication scope of azone unless you fully understand how Active Directory replication works.The following table describes the available zone replication scopes for Active Directory–integrated DomainName System (DNS) zone data. Zone replication scope Description All DNS servers in the ActiveDirectory forest

Replicates zone data to all DNS servers that are running on domaincontrollers in the Active Directory forest. Usually, this is the broadest scopeof replication.

All DNS servers in the ActiveDirectory domain

Replicates zone data to all DNS servers that are running on domaincontrollers in the Active Directory domain. This option is the default settingfor Active Directory–integrated DNS zone replication in Windows Server2003 and Windows Server 2008.

All domain controllers in theActive Directory domain

Replicates zone data to all domain controllers in the Active Directorydomain.

All domain controllers in aspecified application directorypartition

Replicates zone data according to the replication scope of the specifiedapplication directory partition. For a zone to be stored in the specifiedapplication directory partition, the DNS server that is hosting the zone mustbe enlisted in the specified application directory partition.

To change zone replication scope using the command line Open a command prompt. To open an elevated Command Prompt window, click Start , point to AllPrograms , click Accessories , right-click Command Prompt , and then click Run asadministrator .At a command prompt, type the following command, and then press ENTER:Copy dnscmd <ServerName> /ZoneChangeDirectoryPartition < ZoneName> <NewPartitionName>

Exam G

QUESTION 1.

You have a DNS zone that is stored in a custom application directory partition.

You install a new domain controller.

You need to ensure that the custom application directory partition replicates to the new domain controller.

What should you use?

A. the Active Directory Administrative Center consoleB. the Active Directory Sites and Services consoleC. the DNS Manager consoleD. the Dnscmd tool


Explanation/Reference:Create a DNS Application Directory Partition Applies To: Windows Server 2008, Windows Server 2008 R2You can store Domain Name System (DNS) zones in the domain or application directory partitions of ActiveDirectory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for differentreplication purposes. When you create an application directory partition for DNS, you can control the scope ofreplication for the zone that is stored in that partition. For more information, see Understanding Active DirectoryDomain Services Integration.Membership in the Enterprise Admins group is required to complete this procedure. Review details aboutusing the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.To create a DNS application directory partition Open a command prompt.Type the following command, and then press ENTER: Copy dnscmd <ServerName> /CreateDirectoryPartition <FQDN >

Parameter Description dnscmd Specifies the name of the command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IPaddress of the DNS server. To specify the DNS server on the local computer, you can alsotype a period (.).

/CreateDirectoryPartition

Required. Creates a DNS application directory partition.

<FQDN> Required. Specifies the name of the new DNS application directory partition. You must usea DNS fully qualified domain name (FQDN).

To view the complete syntax for this command, at a command prompt, type the following command, and thenpress ENTER:

dnscmd /CreateDirectoryPartition /?

http://technet.microsoft.com/en-us/library/cc754292 .aspx

QUESTION 2.

Your network contains an Active Directory domain named contoso.com. All domain controllers run WindowsServer 2008 R2. The functional level of the domain is Windows Server 2008 R2.

The functional level of the forest is Windows Server 2008. You have a member server named Server1 that runsWindows Server 2008. You need to ensure that you can add Server1 to contoso.com as a domain controller.

What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccountB. dcpromo.exe /ReplicaOrNewDomain:replicaC. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008DomainD. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest


Explanation/Reference:Since the domain functional level is set to Windows Server 2008 R2, you cannot add Server1 running WindowsServer 2008 as a DC until you upgrade the server or change the domain functional level.

After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back orlower the domain functional level, with one exception: when you raise the domain functional level to WindowsServer 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rollingthe domain functional level back to Windows Server 2008. You can lower the domain functional level only fromWindows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

The Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by settingthe DomainMode parameter.

The domain mode can be set to the following values that are listed in order of functionality from lowest tohighest.

Windows2000DomainWindows2003InterimDomainWindows2003DomainWindows2008DomainWindows2008R2Domain

You can change the domain mode to a mode with highe r functionality only . For example, if the domainmode for a domain is set to Windows 2003, you can use this cmdlet to change the mode to Windows 2008.However, in the same situation, you cannot use this cmdlet to change the domain mode from Windows 2003 toWindows 2000. (must take into account the above exception)

http://technet.microsoft.com/en-us/library/ee617230.aspx

/CreateDCAccountCreates a read-only domain controller (RODC) account. Only a member of the Domain Admins group or theEnterprise Admins group can run this command.

ReplicaOrNewDomain:{<Replica> | ReadOnlyReplica | Domain}

Specifies whether to install an additional domain controller (a writable domain controller or an RODC) or tocreate a new domain.The default is to install an additional writable domain controller.

QUESTION 3.

Your network contains an Active Directory forest. The forest contains a single domain. You want to accessresources in a domain that is located in another forest.

You need to configure a trust between the domain in your forest and the domain in the other forest.

What should you create?

A. an incoming external trustB. an incoming realm trustC. an outgoing external trustD. an outgoing realm trust

Correct Answer: ASection: Configuring Domains and TrustsExplanation

Explanation/Reference:A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at thetime that you run the New Trust Wizard) to access resources in another Active Directory domain (outside yourforest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com andusers in that domain need to access resources in the marketing.tailspintoys.com domain (which is located inanother forest), you can use this procedure (in conjunction with another procedure, which is executed by theadministrator in the other forest) to establish one side of the relationship so that users in your domain canaccess resources in the marketing.tailspintoys.com domain.


QUESTION 4.

Your network contains two Active Directory forests. One forest contains two domains named contoso.com andna.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configuredbetween the two forests.

You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to acomputer in the nwtraders.com domain by using the user name NA\User1.

Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain.

You need to ensure that User1 can log on to the computer in the nwtraders.com domain.

What should you do?

A. Enable selective authentication over the forest trust.B. Create an external one-way trust from na.contoso.com to nwtraders.com.C. Instruct User1 to log on to the computer by using his user principal name (UPN).D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.

Correct Answer: CSection: Configuring Domains and TrustsExplanation

Explanation/Reference:UPN [email protected]

QUESTION 5.

Your company has a main office and a branch office. The main office contains two domain controllers.

You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branchoffice, and then add the domain controller to the BranchOfficeSite site.

You discover that users in the branch office are randomly authenticated by either the domain controller in thebranch office or the domain controllers in the main office.

You need to ensure that the users in the branch office always attempt to authenticate to the domain controller inthe branch office first.

What should you do?

A. Create organizational units (OUs).B. Create Active Directory subnet objects.C. Modify the slow link detection threshold.D. Modify the Location attribute of the computer objects.

Correct Answer: BSection: AD Sites & ServicesExplanation

Explanation/Reference:If you create a new site or if you enlarge a new site, you can use this procedure to create a subnet object orobjects and associate them with the site in Active Directory Domain Services (AD DS). You can assign theappropriate network address to the subnet object so that it represents a range of TCP/IP addresses. Toaccomplish this procedure, you must have the following information:The site with which the subnet is to be associated.

The IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.

You can modify the Default Domain Policy to enable Windows Vista and Windows Server 2008 clients in thedomain to locate domain controllers in the next closest site if no domain controller in their own site or theclosest site is available.

QUESTION 6.

Your company has a main office and 50 branch offices. Each office contains multiple subnets.

You need to automate the creation of Active Directory subnet objects.



A. the Dsadd toolB. the Netsh toolC. the New-ADObject cmdletD. the New-Object cmdlet


Explanation/Reference:The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new useraccount. You can use this cmdlet to create any type of Activ e Directory object . Many object properties aredefined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using theOtherAttributes parameter.You must set the Name and Type parameters to create a new Active Directory object. The Name specifies thename of the new object. The Type parameter specifies the LDAP display name of the Active Directory SchemaClass that represents the type of object you want to create. Examples of Type values include computer, group,organizational unit, and user.The Path parameter specifies the container where the object will be created.. When you do not specify the Pathparameter, the cmdlet creates an object in the default naming context container for Active Directory objects inthe domain.

Examples-------------------------- EXAMPLE 1 -------------- ------------Command Prompt: C:\PS> Copy New-ADObject -Name '192.168.1.0/26' -Type subnet -D escription'192.168.1.0/255.255.255.192' -OtherAttributes @{lo cation="BuildingA";siteObject="CN=HQ,CN=Sites,CN=Configuration,DC=F ABRIKAM,DC=COM"} -Path"CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,D C=COM"

Creates a subnet object in the HQ site with the described attributes.

Dsadd tool is only used for creation of users and ou´s

QUESTION 7.

Your network contains an Active Directory forest. The forest contains multiple sites.

You need to enable universal group membership caching for a site.

What should you do?

A. From Active Directory Sites and Services, modify the NTDS Settings.B. From Active Directory Sites and Services, modify the NTDS Site Settings.C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the

site.

Correct Answer: BSection: Maintaining the AD Environment

Explanation

Explanation/Reference:Enable Universal Group Membership Caching in a Site

Updated: January 9, 2009Applies To: Windows Server 2008, Windows Server 2008 R2In a branch site that has no global catalog server and in a forest that has multiple domains, you can use thisprocedure to enable Universal Group Membership Caching on a domain controller in the site so that a globalcatalog server does not have to be contacted across a wide area network (WAN) link for every initial userlogon. You enable this setting on the NTDS Site Settings object for the site in Active Directory Domain Services(AD DS), and you can specify the site of a global catalog server to contact when the cache must be updated. Inmost cases, the closest global catalog server is located in the hub site.You can use this procedure to enable Universal Group Membership Caching in a site.Membership in Domain Admins , or equivalent, is the minimum required to complete this procedure. Reviewdetails about using the appropriate accounts and group memberships at Local and Domain Default Groups(http://go.microsoft.com/fwlink/?LinkId=83477).To enable Universal Group Membership Caching in a s iteOpen Active Directory Sites and Services: On the Start menu, point to Administrative Tools , and then clickActive Directory Sites and Services .In the console tree, expand Sites , and then click the site in which you want to enable Universal GroupMembership Caching.In the details pane, right-click the NTDS Site Settings object, and then click Properties .Under Universal Group Membership Caching , select Enable Universal Group Membership Caching .In the Refresh cache from list, click the site that you want the domain controller to contact when the UniversalGroup membership cache must be updated, and then click OK.

http://technet.microsoft.com/en-us/library/cc816928(v=ws.10).aspx

QUESTION 8.

You need to ensure that domain controllers only replicate between domain controllers in adjacent sites.

What should you configure from Active Directory Sites and Services?

A. From the IP properties, select Ignore all schedules.B. From the IP properties, select Disable site link bridging.C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection

objects.D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each

site.


Explanation/Reference:Creating a Site Link Bridge Design

Updated: April 11, 2008Applies To: Windows Server 2008, Windows Server 2008 R2A site link bridge connects two or more site links and enables transitivity between site links. Each site link in abridge must have a site in common with another site link in the bridge. The Knowledge Consistency Checker(KCC) uses the information on each site link to compute the cost of replication between sites in one site linkand sites in the other site links of the bridge. Without the presence of a common site between site links, theKCC also cannot establish direct connections between domain controllers in the sites that are connected by thesame site link bridge.

By default, all site links are transitive. We recommend that you keep transitivity enabled by not changing thedefault value of Bridge all site links (enabled by default). However, you will need to disable Bridge allsite links and complete a site link bridge design if:Your IP network is not fully routed. When you disable Bridge all site links , all site links are considerednontransitive, and you can create and configure site link bridge objects to model the actual routing behavior ofyour network.

You need to control the replication flow of the changes made in Active Directory Domain Services (AD DS). Bydisabling Bridge all site links for the site link IP transport and configuring a site link bridge, the site linkbridge becomes the equivalent of a disjointed network. All site links within the site link bridge can routetransitively, but they do not route outside of the site link bridge.

For more information about how to use the Active Directory Sites and Services snap-in to disable the Bridgeall site links setting, see Enable or disable site link bridges (http://go.microsoft.com/fwlink/?LinkId=107073).


QUESTION 9.


You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates byusing a domain controller in the main office. You need to ensure that IPv6-only computers authenticate todomain controllers in the same site.

What should you do?

A. Configure the NTDS Site Settings object.B. Create Active Directory subnet objects.C. Create Active Directory Domain Services connection objects.D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.


Explanation/Reference:If you create a new site or if you enlarge a new site, you can use this procedure to create a subnet object orobjects and associate them with the site in Active Directory Domain Services (AD DS). You can assign theappropriate network address to the subnet object so that it represents a range of TCP/IP addresses. Toaccomplish this procedure, you must have the following information: The site with which the subnet is to be associated. The IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.

http://technet.microsoft.com/nl-nl/library/cc816870%28WS.10%29.aspx

For enterprise networks, an incremental upgrade to IPv6 is possible using the Intra-Site Automatic TunnelAddressing Protocol (ISATAP) (RFC 4214). ISATAP allows IPv6-only hosts and subnets to fully coexist andinteroperate with IPv4 hosts and subnets in an intranet. In partnership with 6to4 technology, a comprehensiveincremental migration solution is available to businesses transitioning their corporate networks.

http://technet.microsoft.com/en-us/library/bb726949.aspx

QUESTION 10

.

Your network contains an Active Directory domain. The domain is configured as shown in the following table:

Active Directory site Domain controllers

Main DC1 and DC2

Branch1 DC3

Branch2 None

Users in Branch2 sometimes authenticate to a domain controller in Branch1.

You need to ensure that users in Branch2 only authenticate to the domain controllers in Main.

What should you do?

A. On DC3, set the AutoSiteCoverage value to 0.B. On DC3, set the AutoSiteCoverage value to 1.C. On DC1 and DC2, set the AutoSiteCoverage value to 0.D. On DC1 and DC2, set the AutoSiteCoverage value to 1.


Explanation/Reference:Usually domain controllers (DCs) register site-specific records for their local site in DNS, enabling clients toeasily find DCs and other services that are closest to them. If a site contains no DCs, then DCs in the sites closest to that site (calculated by site-link costs) will registersite-specific records for that site as well, to help clients find a DC as close as possible. This is known as automatic site coverage.

Start the registry editor (regedit.exe). Navigate to the HKEY_ LOCAL_MACHINE\SYSTEM CurrentControlSet\Services Netlogon\Parametersregistry subkey. From the Edit menu, select New, DWORD value. Enter a name of AutoSite- Coverage and press Enter. Double-click the new value and set it to 0 to disable it (1 enables it). Click OK.

http://www.windowsitpro.com/article/dns/learning-about-automatic-site-coverage

QUESTION 11.

Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has twodomain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.DC3 fails.

You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 andthe domain controllers in Site1.On DC4, you run repadmin.exe /kcc.

Replication between the sites continues to fail.

You need to ensure that Active Directory data replicates between the sites.

What should you do?

A. From Active Directory Sites and Services, modify the properties of DC3.B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.C. From Active Directory Users and Computers, modify the location settings of DC4.D. From Active Directory Users and Computers, modify the delegation settings of DC4.


Explanation/Reference:Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2008, Windows Server 2008 R2Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllersrunning Microsoft Windows operating systems.Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have theAD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain ServicesTools that are part of the Remote Server Administration Tools (RSAT). For more information, see How toAdminister Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813). To use Repadmin.exe, you must run the ntdsutil command from an elevated command prompt. To open anelevated command prompt, click Start , right-click Command Prompt , and then click Run asadministrator .You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domaincontroller. In addition, you can use Repadmin.exe to manually create the replication topology, to forcereplication events between domain controllers, and to view both the replication metadata and up-to-datenessvectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active DirectoryDomain Services (AD DS) forest.

Repadmin /kcc

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2003 with SP2, Windows Server 2008, Windows Server 2008 R2Forces the Knowledge Consistency Checker (KCC) on each targeted domain controller to immediatelyrecalculate the inbound replication topology. By default, each domain controller performs this recalculation every 15 minutes. Run this command totroubleshoot KCC errors after you remove suspected fault conditions or to re-evaluate whether new connectionobjects must be created on behalf of the targeted domain controllers.

Reason: Since repadmin /kcc is not finding issues with DC4, then the issue is mostly likely with DC3.

QUESTION 12.

Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that runWindows Server 2008 R2.

You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).


A. Run dfsrdiag.exe PollAD.B. Run dfsrmig.exe /SetGlobalState 0.C. Upgrade all domain controllers to Windows Server 2008 R2.D. Raise the functional level of the domain to Windows Server 2008.


Explanation/Reference:Reason : Distributed File System (DFS) Replication is a replication service that is available for replicatingSYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFSReplication was introduced in Windows Server 2003 R2. However, on domain controllers that are runningWindows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).

QUESTION 13.

Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.

You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User objects.

You need to ensure that Attribute1 is replicated to the global catalog.

What should you do?

A. In Active Directory Sites and Services, configure the NTDS Settings.B. In Active Directory Sites and Services, configure the universal group membership caching.C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class schema attribute.


Explanation/Reference:You can also follow these steps to set the registry key discussed in the article mentioned above by way of theSchema MMC snap-in: Highlight Active Directory SchemaChoose Action | Operations Master....Click to select the box titled The Schema may be modified on this Domain Controller.Click OK.At this point, a Schema Administrator can add additional attributes to the GC. There are several methods toadd additional attributes to the GC including the Schema MMC snap-in and ADSI scripts. To Make Modifications Using Active Directory Schema MMC Snap-InClick the Attributes folder in the snap-in.In the right pane, scroll down to the desired attribute, right-click it, and then click Properties .Click to select the Replicate this attribute to the Global Catalog check box.Click OK.

QUESTION 14.

Your network contains an Active Directory domain. The domain contains three domain controllers.

One of the domain controllers fails.

Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that thehelp desk can create new user accounts.

Which operations master role should you seize?

A. domain naming masterB. infrastructure masterC. primary domain controller (PDC) emulatorD. RID masterE. schema master


Explanation/Reference:RID MasterThe relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain.Whenever a domain controller creates a new security principal, such as a user, group, or computer object, itassigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same forall security principals created in the domain, and a RID, which uniquely identifies each security principal createdin the domain.

If the RID role is unavailable, eventually security principals cannot be created because there are no more RIDsavailable.

QUESTION 15.

Your network contains two standalone servers named Server1 and Server2 that have Active DirectoryLightweight Directory Services (AD LDS) installed.

Server1 has an AD LDS instance.

You need to ensure that you can replicate the instance from Server1 to Server2.

What should you do on both servers?

A. Obtain a server certificate.B. Import the MS-User.ldf file.C. Create a service user account for AD LDS.D. Register the service location (SRV) resource records.

Correct Answer: CSection: Configuring AD LDSExplanation

Explanation/Reference:If you run AD LDS on a domain controller in an AD DS environment, do not use the Network Service account asthe AD LDS service account. Instead, use a domain user account that does not have administrative privileges.

Create a replica AD LDS instanceYou can use the Active Directory Lightweight Directory Services Setup Wizard to create AD LDS serviceinstances. In AD LDS, a "service instance" (or, simply, "instance") refers to a single running copy of AD LDS. Toprovide fault tolerance and load balancing, AD LDS instances can be part of a configuration set. All AD LDSinstances in a configuration set replicate a common configuration directory partition and a common schemadirectory partition, plus any number of application directory partitions.To create an AD LDS instance and join it to an existing configuration set, use the Active Directory LightweightDirectory Services Set Wizard to create a replica AD LDS instance. You need to know the Domain NameSystem (DNS) name of the server running an AD LDS instance that belongs to the configuration set, as well as

the Lightweight Directory Access Protocol (LDAP) port that was specified when the instance was created. Youcan also supply the distinguished names (also known as DNs) of specific application directory partitions thatyou want to copy from the configuration set to the AD LDS instance that you are creating. Membership in Administrators , or equivalent, is the minimum required to complete this procedure. Reviewdetails about using the appropriate accounts and group memberships at Local and Domain Default Groups(http://go.microsoft.com/fwlink/?LinkId=83477).To create a replica AD LDS instance by using the Ac tive Directory Lightweight Directory Services SetupWizardClick Start , point to Administrative Tools , and then click Active Directory Lightweight Directory ServicesSetup Wizard .On the Welcome to the Active Directory Lightweight Directo ry Services Setup Wizard page, click Next .On the Setup Options page, click A replica of an existing instance , and then click Next .On the Instance Name page, accept the default name instance2 (or instance1, if you are installing AD LDS ona second computer), and then click Next .Note AD LDS instance names have to be unique only on a given computer. On the Ports page, accept the default values of 50000 and 50001 (if you are installing onto the first computer)or 389 and 636 (if you are installing onto a second computer), and then click Next .On the Joining a Configuration Set page, in Server , type the host name or DNS name of the computer wherethe first AD LDS instance is installed. Then, type the LDAP port number in use by the first AD LDS instance(which is 389 by default), and then click Next .Note You must use a valid host name or DNS name, rather than an IP address or localhost when you specify aserver on the Joining a Configuration Set page of the Active Directory Lightweight Directory ServicesSetup Wizard. On the Administrative Credentials for the Configuration Se t page, click the account that is used asthe AD LDS administrator for your first AD LDS inst ance. On the Copy Application Partition page, select the application directory partitions that you want to replicate tothe new AD LDS instance. (The schema and configuration partitions will be replicated automatically.) Accept the default values on the remaining Active Directory Lightweight Directory Services Set Wizard pages byclicking Next on each page, and then click Finish on the Completing the Active Directory Application ModeSetup Wizard page.After the installation is complete, use the ADSI Edit snap-in to confirm that the selected directory partition hasbeen replicated to your second AD LDS instance.

QUESTION 16.

Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an ActiveDirectory Lightweight Directory Services (AD LDS) instance on Server1.

You need to create an additional AD LDS application directory partition in the existing instance.


A. AdaminstallB. DsaddC. DsmodD. Ldp


Explanation/Reference:Create an Application Directory Partition

Applies To: Windows Server 2008, Windows Server 2008 R2You use Ldp.exe to add a new application directory partition to an existing instance of ActiveDirectory Lightweight Directory Services (AD LDS).Membership in the Administrators group of the AD LDS instance is the minimum requiredto complete this procedure. By default, the security principal that you specify as the AD LDSadministrator during AD LDS setup becomes a member of the Administrators group in theconfiguration partition. For more information about AD LDS groups, see Understanding AD LDSUsers and Groups.

To add an application directory partition to an exi sting AD LDS instance

Open LDP, and then connect and bind to an AD LDS instance. For more information, seeuse Use Ldp.exe to Manage an AD LDS Instance.On the Browse menu, click Add child .In Dn, type a distinguished name for the application partition.Under Edit entry , type ObjectClass in the Attribute box and container in the Values box,and then click Enter .Under Edit entry , type instanceType in the Attribute box and 5 in the Values box, andthen click Enter .Click Run . After the new application directory partition is added, the following information appears inthe details pane:Added {distinguished name}where distinguished name is the distinguished name that you typed in step 3.Click Close .


LDP is a GUI with which you can administer an AD LDS instance.

QUESTION 17.

Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create anActive Directory Lightweight Directory Services (AD LDS) instance named Instance1.

You connect to Instance1 by using ADSI Edit.

You run the Create Object wizard and you discover that there is no User object class. You need to ensure thatyou can create user objects in Instance1.

What should you do?

A. Run the AD LDS Setup Wizard.B. Modify the schema of Instance1.C. Modify the properties of the Instance1 service.D. Install the Remote Server Administration Tools (RSAT).



Note As an alternative to using ldifde , you can import the optional AD LDS user classesduring AD LDS setup. If you do not specify user credentials using the -b parameter, ldifde uses the credentials ofthe currently logged on user.

QUESTION 18.

Your network contains an Active Directory domain. The domain contains a server named Server1.Server1 runs Windows Server 2008 R2.

You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

What should you do?

A. Run ldp.exe and use the Bind option.B. Run diskpart.exe and use the Attach option.C. Run dsdbutil.exe and use the snapshot option.D. Run imagex.exe and specify the /mount parameter.

Correct Answer: CSection: Configuring AD LDSExplanation

Explanation/Reference:snapshot

Applies To: Windows Server 2008Manages snapshots of the volumes that contain the Active Directory database and log files,which you can view on a domain controller without starting in Directory Services RestoreMode (DSRM). You can also run the snapshot subcommand on an Active DirectoryLightweight Directory Services (AD LDS) server. In the command-line tool Ntdsutil.exe, you can use the snapshot subcommand to managethe snapshots, but you must use Dsamain.exe to expose the snapshot as a LightweightDirectory Access Protocol (LDAP) server. For more information about using Dsamain, see Dsamain.This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-linetools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil isavailable if you have the Active Directory Domain Services (AD DS) or AD LDS server roleinstalled. Dsdbutil is available if you have the AD LDS server role installed. These tools arealso available if you install the Active Directory Domain Services Tools that are part of theRemote Server Administration Tools (RSAT). For more information, see How to AdministerMicrosoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).To use either of these tools, you must run them from an elevated command prompt. Toopen an elevated command prompt, click Start , right-click Command Prompt , and thenclick Run as administrator .

Reason : dsdbutil is an AD LDS tool to manage LDS instances


ldp.exe bind / bind is authentication to lds instance only.

QUESTION 19.

Your network contains a single Active Directory domain. Active Directory Rights Management Services (ADRMS) is deployed on the network.

A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensurethat User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1.

To which group should you add User1?

A. AD RMS AuditorsB. AD RMS Service GroupC. Domain AdminsD. Schema Admins


Explanation/Reference:Registering or changing the service connection point (SCP)

Performing this task requires that the logged in user account be a member of the AD RMSEnterprise Administrators and have permission to change and create object in ActiveDirectory Domain Services (AD DS). For example, a user who is a member of the AD RMSEnterprise Administrators group and the AD DS Enterprise Admins group would have theproper credentials to perform this task.

To administer AD RMS you must have been granted an Administration role on each serverin the AD RMS cluster. For day-to-day operations there are three administration groupsidentified for AD RMS:AD RMS Enterprise Administrators

Members of this group have access to all features in the AD RMS console. Duringinstallation of AD RMS, the installing user account is automatically added to this group.

AD RMS Template Administrators

Members of this group can only access rights policy template administration features in theAD RMS console.

AD RMS Auditors

Members of this group can only access the reports feature in the AD RMS console.


So according to this, domain admins may not be the correct answer, but is the closest to thecorrect answer.

QUESTION 20.

Your network contains two Active Directory forests named contoso.com and adatum.com. Active DirectoryRights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com.

From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest areauthenticating as users from contoso.com.

You need to prevent users from impersonating contoso.com users.

What should you do?

A. Configure trusted e-mail domains.B. Enable lockbox exclusion in AD RMS.C. Create a forest trust between adatum.com and contoso.com.D. Add a certificate from a third-party trusted certification authority (CA).

Correct Answer: ASection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:To specify properties of the trusted user domain If the trusted user domain is based on another AD RMS cluster's server licensor certificate, you can specifywhich e-mail domains within the trusted user domain are trusted. Select the certificate name in the results pane and then in the Actions pane, click Properties. Click the Trusted E-mail Domains tab, and then choose one of the following trust options: Select the Trust all e-mail domains option to trust all of the user accounts that are members of thatdomain. Select the Trust only specified e-mail domains option and then type the domain name to trust, such asexample.com, and then click Add. This adds the domain to the Trusted e-mail domains list. To remove a name from the list, select thename, and then click Remove. Adding a domain includes all of its child domains. Select the Trust AD RMS licensing to security identifiers (SIDs) for this user domain check box, if necessary. When finished, click OK.


Exam H

QUESTION 1.

Your network contains an Active Directory domain named contoso.com. The network contains client computersthat run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network.

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updatedevery month.

You need to ensure that all the computers can use the most up-to-date version of the AD RMS template. Youwant to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users

by using a Software Installation extension of Group Policy.D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all

computers by using a Software Installation extension of Group Policy.

Correct Answer: BSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:When you modify a rights policy template on the AD RMS server, the server updates thetemplate in both the configuration database and the shared folder (if the AD RMS cluster isconfigured to specify a file location for storing copies of rights policy templates). When usingAD RMS clients other than Windows Vista with SP1, Windows Server 2008, Windows 7,and Windows Server 2008 R2, you should redeploy each rights policy template to clientcomputers when they have been modified so that users have the most current versionavailable. AD RMS clients running Windows Vista with SP1 , Windows Server 2008,Windows 7, and Windows Server 2008 R2 will automatically detect this change and updatethe rights policy templates accordingly. Templates can be redeployed several waysincluding login scripts and using group policies. For more information about deploying rightspolicy templates see AD RMS Client Deployment and Usage Considerations (http://go.microsoft.com/fwlink/?LinkID=153481).

http://technet.microsoft.com/en-us/library/dd996658(v=WS.10).aspx

QUESTION 2.

Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who haveWindows Mobile 6 devices report that they cannot access documents that are protected by AD RMS.

You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.

What should you do?

A. Modify the security of the ServerCertification.asmx file.

B. Modify the security of the MobileDeviceCertification.asmx file.C. Enable anonymous authentication for the _wmcs virtual directory.D. Enable anonymous authentication for the certification virtual directory.


Explanation/Reference:Enable Certification of Mobile Devices

Applies To: Windows Server 2008 R2AD RMS can provide rights account certificates (RACs) and use licenses to AD RMS-enabled applications that are running Windows Mobile 6. There are a few things that youshould be aware of when configuring mobile services:Discretionary access control lists (DACLs) on the AD RMS pipelines use the most securesettings by default. You must modify the DACL when using AD RMS mobile services.

Many mobile services use advanced Active Directory Domain Services (AD DS) functionalitythat is available only if all AD DS domain controllers are running Windows Server 2003,Windows Server 2008, or Windows Server 2008 R2. If you are using any mobile services,we recommend that all domain controllers are running Windows Server 2003, WindowsServer 2008, or Windows Server 2008 R2, and that both the domain and forest ActiveDirectory functional levels are at least at Windows Server 2003.

In a default AD RMS installation, the DACL of the AD RMS mobile certification pipeline isrestricted, which means an application cannot obtain certificates and licenses for theirusers. However, if you have an AD RMS-enabled application for these computers, you canenable them to participate in your AD RMS system by configuring the DACLs on the ADRMS mobile certification pipeline.AD RMS-enabled mobile applications can connect to the AD RMS mobile certification serverby using the MobileDeviceCertification.asmx file.

Note If there is more than one AD RMS server in the AD RMS cluster, the DACL on themobile certification service must be changed on each server in the cluster. Membership in the local Administrators group, or equivalent, is the minimum required tocomplete this procedure.

To enable certification of mobile devicesOpen Windows Explorer and navigate to the folder where Internet Information Services wasinstalled. By default, the folder path is %systemdrive%\Inetpub\wwwroot\_wmcs\Certificationfolder. To enable mobile devices to receive RACs, right-click the MobileDeviceCertification.asmxfile, and then click Properties . On the Security tab, click Add , and then add the user account object of the AD RMS-enabled mobile application and the AD RMS Service Group . In the Permissions list for the groups, select the Allow check box for both Read and Read& Execute permissions, and then click OK.

Note If several servers are hosting AD RMS-enabled mobile applications, consider creating agroup, adding all of the user objects to this group, and then adding the group to theACL of the certification pipeline instead. Restart Internet Information Services by running IISRESET at a command prompt toimplement the changes on the DACLs on the Web services. Do this on each server in theAD RMS cluster.

QUESTION 3.

Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1.An administrator changes the password of the user account that is used by AD RMS.

You need to update AD RMS to use the new password.

Which console should you use?

A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Component ServicesD. Services

Correct Answer: ASection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:Change the AD RMS Service Account

Applies To: Windows Server 2008 R2During installation, Active Directory Rights Management Services (AD RMS) creates the ADRMS Service Group on the local computer and grants it appropriate permissions on all ofthe resources that are required for AD RMS to operate. When you provision AD RMS on aserver, you must define a domain account for use as the AD RMS service account. That account is made a member of the AD RMS Service Group, and it is granted thepermissions that are associated with this group. During routine operations, AD RMS runsunder the AD RMS service account.You can change the AD RMS service account at any time. When you do so, the previouslyspecified account is automatically removed from the AD RMS Service Group, and the newaccount is made a member of it. If there is more than one server in the AD RMS clusterwhere you are changing the AD RMS service account, you must change the service accounton all servers in the cluster.To run the Change Service Account wizard, you must be logged on locally on the AD RMSserver with a user account that has administrative privileges to the configuration database.

Important For security reasons, we highly recommend that you create a special user account touse as the AD RMS service account, and that you use this account only as the AD RMSservice account and for no other purpose. In addition, you should not grant this accountany additional permissions.

Membership in the AD RMS Enterprise Administrators and the local Administratorsgroup, or equivalent, is the minimum required to complete this procedure.To change the AD RMS Service AccountOpen the Active Directory Rights Management Services console and select the AD RMScluster.In the Actions pane, click Change Service Account .In the Change Service Account wizard, read the text on the Before Changing the AD RMSService Account page, and then click Next .In the User name box, specify the name of the account within which AD RMS will run formost operations. The user name should use the format domain_name\user_name. In thePassword box, type the password for the associated user account.Click Next , and then click Finish .Repeat steps 1–5 for each server in the AD RMS cluster.


QUESTION 4.

Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have severalcustom policy templates. The custom policy templates are updated frequently.

Some users report that it takes as many as 30 days to receive the updated policy templates. You need toensure that users receive the updated custom policy templates within seven days.

What should you do?

A. Modify the registry on the AD RMS servers.B. Modify the registry on the users computers.C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.


Explanation/Reference:The automated scheduled task will not query the AD RMS template distribution pipelineeach time that this scheduled task runs. Instead, it checks the updateFrequency DWORDvalue registry entry. This registry entry specifies the time interval (in days) after which theclient should update its rights policy templates. By default the registry key is not present onthe client computer. In this scenario, the client checks for new, deleted, or modified rightspolicy templates every 30 days. To configure an interval other than 30 days, create aregistry entry at the following location: HKEY_CURRENT_USER\Software\Microsoft\MSDRM\Template Management . In this registry key, you can also configure the updateIfLastUpdatedBeforeTime value,which forces the client computer to update its rights policy templates.

AD RMS Policy Template Considerations


Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. Active Directory Rights Management Services (AD RMS) stores rights policy templates in theconfiguration database. Optionally, it may maintain a copy of all rights policy templates in a shared folder thatyou specify.

When publishing protected content, the author selects the rights policy template to apply from the templatesthat are available on the local computer. To make rights policy templates available for offline publishing, theadministrator must deploy them to client computers from a shared folder. In Windows Vista® with ServicePack 1 (SP1), Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2, rights policytemplates are automatically managed by the AD RMS c lient . A new template distribution pipeline has beencreated that the AD RMS client can poll for updates. If a rights policy template has been added, changed, ordeleted, the client detects these changes and updates the local rights policy templates during its next refresh.The rights policy templates are stored locally on the AD RMS client running Windows Vista with SP1, WindowsServer 2008, Windows 7, and Windows Server 2008 R2 in the %localappdata%\Microsoft\DRM\templatesfolder. For Windows XP, Windows 2000, and Windows Server 2003, the path is %appdata%\Microsoft\DRM\templates.

http://technet.microsoft.com/en-us/library/dd996658%28WS.10%29.aspx

QUESTION 5.

Your company has a main office and a branch office. The branch office contains a read-only domain controllernamed RODC1.

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must preventAdmin1 from logging on to other domain controllers.

What should you do?

A. Run ntdsutil.exe and use the Roles option.B. Run dsmgmt.exe and use the Local Roles option.C. From Active Directory Sites and Services, modify the NTDS Site Settings.D. From Active Directory Users and Computers, add the user to the Server Operators group.

Correct Answer: BSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:Use the ntdsutil local roles command or the dsmgmt local roles command. You can usethis command to view, add, or remove members from the Administrators group and otherbuilt-in groups on the RODC. For more information about syntax and examples for using thiscommand, see local roles (http://go.microsoft.com/fwlink/?LinkId=120147).


-Q-Read only domain controllers

Administrator Role Seperation:Delegate admin role to any user In dcpromo answer file Dsmgmt.exe

Applies only to RODCAdmin user can Install updates, drivers, Perform admin tasks

QUESTION 6.

You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user namedUser1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.


A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. DsaddD. Dsmgmt


Explanation/Reference:Use the ntdsutil local roles command or the dsmgmt local roles command. You can usethis command to view, add, or remove members from the Administrators group and otherbuilt-in groups on the RODC. For more information about syntax and examples for using thiscommand, see local roles (http://go.microsoft.com/fwlink/?LinkId=120147).


-Q-Read only domain controllers

Administrator Role Seperation:Delegate admin role to any user In dcpromo answer file Dsmgmt.exe

Applies only to RODCAdmin user can Install updates, drivers, Perform admin tasks

QUESTION 7.

Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1contains four domain controllers. Site2 contains a read-only domain controller (RODC). You add a user namedUser1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails.

User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored andUser1 reports that he is able to log on to the domain. You need to prevent the problem from reoccurring if theWAN link fails.

What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.

D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.


Explanation/Reference:User/Machine authenticationUser and machine authentication works pretty much identically. From DNS and theDCLocator process, the client figures that the RODC is the authoritative authenticationsource for its site (1). It requests to be authenticated by the RODC. The RODC checks itsdatabase to see whether it has already stored the user’s/computer’s credentials (2). Sincethis isn’t the case, it’ll use the WAN connection (3) and forward the auth request to awriteable DC. Since the writable DC knows about the credentials in question, it’ll check them(4) and, if the password provided was correct, it’ll send back the response to the RODC (5)which will happily provide the successful auth (6) to the user/computer. By that time, theclient’s request is serviced — but the RODC isn’t happy about not being able to process theauth request on its own. In order to do better, it’ll request the user’s/computer’s credentialsfrom the writable DC - to be able to perform the authentication on its own. The writable DCchecks the Password Replication Policy to get to know whether RODC is allowed to cachethat password. If so, DC replicates the credentials to RODC which happily stores them in itslocal database.Now, the RODC is able to authenticate the user/computer if there was a WAN outage.Before the special password replication (that doesn’t take place during normal rep), RODCwouldn’t be able to service the client’s request if the WAN link was down.

http://www.frickelsoft.net/blog/?p=232

QUESTION 8.

Your company has a main office and a branch office. The network contains an Active Directory domain.

The main office contains a writable domain controller named DC1. The branch office contains a read- onlydomain controller (RODC) named DC2.You discover that the password of an administrator named Admin1 is cached on DC2.

You need to prevent Admin1's password from being cached on DC2.

What should you do?

A. Modify the NTDS Site Settings.B. Modify the properties of the domain.C. Create a Password Setting object (PSO).D. Modify the properties of DC2's computer account.


Explanation/Reference:Not certain on this one. This is all I can find on the topic.

Managing passwords and the PRPDepending on your security and service availability requirements for your RODC site, youmay want to change the default PRP. The PRP acts as an access control list (ACL). Itdetermines whether an RODC is permitted to cache a password. After the RODC receives an authenticated user or computer logon request, if it does nothave the credentials cached locally, it forwards the logon request to a writable WindowsServer 2008 domain controller. The writable domain controller refers to the PRP todetermine whether the password for the account should be cached on the RODC. For moreinformation about how the PRP works, see Credential caching.You can change the PRP by modifying attributes of an RODC. For more information aboutchanging the PRP, see Administering the Password Replication Policy.Default PRPBy default, all RODCs have the same Password Replication Policy (PRP). The default PRPspecifies that no account passwords can be cached on any RODC, and certain accountsare explicitly denied from being cached on any RODC. The RODC PRP is determined by two multivalued Active Directory attributes that containsecurity principals (users, computers, and groups): msDS-Reveal-OnDemandGroup , also commonly known as the Allowed List

msDS-NeverRevealGroup , also commonly known as the Denied List

The msDS-Reveal-OnDemandGroup attribute specifies what security principals can havepasswords cached on an RODC. By default, this attribute has one value, which is theAllowed RODC Password Replication Group. Because this domain local group has nomembers by default, no account passwords can be cached on any RODC by default. The msDS-NeverRevealGroup attribute specifies what security principals are explicitlydenied from having their passwords cached on an RODC. By default, this attribute has thefollowing values:Account Operators

Server Operators

Backup Operators

Administrators

Denied RODC Password Replication Group, which is a domain local group that includes thefollowing:

Enterprise Domain Controllers

Enterprise Read-Only Domain Controllers

Group Policy Creator Owners

Domain Admins

Cert Publishers

Enterprise Admins

Schema Admins

Domain-wide krbtgt account

Modifying the PRPBy using a combination of the Allowed List and the Denied List for each RODC with thedomain-wide password replication groups, you have great flexibility to decide preciselywhich accounts can be cached on specific RODCs. The following table describes threeexamples of ways that you might administer the PRP to manage how passwords are cachedon the RODCs that you deploy. You can customize any of these examples to best suit yourneeds.

QUESTION 9.


The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.RODC1 runs Windows Server 2008 R2.

A user named User1 logs on to a computer in the branch office site. You discover that the password of User1 isnot stored on RODC1.

You need to ensure that User1's password is stored on RODC1.

What should you modify?

A. the Member Of properties of RODC1B. the Member Of properties of User1C. the Security properties of RODC1D. the Security properties of User1



QUESTION 10.

Your company has a main office and a branch office. The branch office has an Active Directory site thatcontains a read-only domain controller (RODC).

A user from the branch office reports that his account is locked out. From a writable domain controller in themain office, you discover that the user's account is not locked out.

You need to ensure that the user can log on to the domain.

What should you do?

A. Modify the Password Replication Policy.

B. Reset the password of the user account.C. Run the Knowledge Consistency Checker (KCC) on the RODC.D. Restore network communication between the branch office and the main office.


Explanation/Reference:If the credentials are not cached previously to the RODC, a writable DC needs to be contacted to verify theauthentication attempt.

QUESTION 11.

Your network contains a single Active Directory domain. The domain contains five read-only domain controllers(RODCs) and five writable domain controllers. All servers run Windows Server 2008. You plan to install a new RODC that runs Windows Server 2008 R2.

You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using theminimum amount of administrative effort.



A. At the command prompt, run adprep.exe /rodcprep.B. At the command prompt, run adprep.exe /forestprep.C. At the command prompt, run adprep.exe /domainprep.D. From Active Directory Domains and Trusts, raise the functional level of the domain.E. From Active Directory Users and Computers, pre-stage the RODC computer account.

Correct Answer: BCSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:Run Adprep.exe commands to prepare your existing forest and domains for domaincontrollers that run Windows Server 2008 or Windows Server 2008 R2. The adprepcommands extend the Active Directory schema and update security descriptors so that youcan add the new domain controllers. There are different versions of Adprep.exe forWindows Server 2008 and Windows Server 2008 R2. For more information, see RunningAdprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

Prepare the forest and domains. There are three adprep commands to complete and havethe changes replicate throughout the forest. Run the three commands as follows:

Prepare the forest by running adprep /forestprep on the server that holds the schemamaster operations master (also known as flexible single master operations or FSMO) role toupdate the schema. For more information, see Prepare a Windows 2000 or Windows Server 2003Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.

Prepare the domain by running adprep /domainprep /gpprep on the server that holds theinfrastructure operations master role. For more information, see Prepare a Windows 2000 or

Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server2008 R2.

If you are installing an RODC in an existing Windows Server 2003 domain, you must alsorun adprep /rodcprep . For more information, see Prepare a Forest for a Read-Only DomainController. For more information about how to resolve possible errors when you run adprep /rodcprep , see Adprep /rodcprep can have an error if the infrastructure master for an application directorypartition is not available.

Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard,the command line, or an answer file. For more information, see Installing an AdditionalDomain Controller (http://go.microsoft.com/fwlink/?LinkID=93254).

Deploy at least one writable domain controller running Windows Server 2008 orWindows Server 2008 R2 in the same domain as the RODC and ensure that the writabledomain controller is also a DNS server that has registered a name server (NS) resourcerecord for the relevant DNS zone. An RODC must replicate domain updates from a writabledomain controller running Windows Server 2008 or Windows Server 2008 R2.


QUESTION 12.

You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

Which inbound TCP port should you allow on Server1?

A. 88B. 135C. 443D. 445


Explanation/Reference:Firewalls:Internal and external users will need to access the application over SSL (typically port 443) The AD FS 2.0 Proxy Server will need to access the internal AD FS server over SSL(default port 443) Internal users will need to access the internal Federation Service on its SSL port (TCP/443by default) External users will need to access the Federation Service Proxy on its SSL port (TCP/443by default)

QUESTION 13.

You deploy a new Active Directory Federation Services (AD FS) federation server.

You request new certificates for the AD FS federation server. You need to ensure that the AD FS federationserver can use the new certificates.

To which certificate store should you import the certificates?

A. ComputerB. IIS Admin Service service accountC. Local AdministratorD. World Wide Web Publishing Service service account


Explanation/Reference:Before you install the AD FS 2.0 software on the computer that will become the federationserver, make sure that both certificates are in the Local Computer personal certificate storeand that the service communication certificate is assigned to the Default Web Site. Formore information about the order of the tasks that are required to set up a federation server,see Checklist: Setting Up a Federation Server.

QUESTION 14.

Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. Server1 has the Active Directory Federation Services (AD FS) role installed.

You have an application named App1 that is configured to use Server1 for AD FS authentication. You deploy anew server named Server2. Server2 is configured as an AD FS 2.0 server. You need to ensure that App1 canuse Server2 for authentication.

What should you do on Server2?

A. Add an attribute store.B. Create a relaying party trust.C. Create a claims provider trust.D. Create a relaying provider trust.

Correct Answer: BSection: Configuring AD Federated ServicesExplanation

Explanation/Reference:Add a Relying Party Trust

Applies To: Active Directory Federation Services (AD FS) 2.0You can use the Add Relying Party Trust Wizard in Active Directory Federation Services(AD FS) 2.0 to add a new relying party trust and configure a new relying party.To add a new relying party trustClick Start , point to Administrative Tools , and then click AD FS 2.0.Under AD FS 2.0\Trust Relationships , right-click the Relying Party Trusts folder, andthen click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

On the Welcome page, click Start .On the Select Data Source page, click Enter data about the relying party manually , andthen click Next .

Note The Select Data Source page provides three options for entering the data about therelying party. If the relying party publishes its federation metadata or can provide a filecopy of it for you to use, the automatic retrieval method is recommended. It can savetime, and it allows you to skip most of the remaining steps in this procedure. The thirdoption is to enter all the configuration data for the new relying party trust manually, asdescribed in steps 5 through 9.

On the Specify Display Name page, type a name in Display name . Click Next after youenter the description details.You have the option, but you are not required, to enter details in the Notes text box.On the Choose Profile page, select the appropriate profile for your needs, and then clickNext .If you know you will require interoperability with federation servers running an earlier versionof AD FS, such as provided in Windows Server 2003 R2, click AD FS 1.0 and 1.1 profile .Otherwise, click AD FS 2.0 profile .On the Configure Certificate page, click Browse to browse to and locate a certificate fileand add it to the list of certificates, and then click Next .On the Configure URL page, select the appropriate check boxes and specify anycorresponding URLs as appropriate for the WS-Federation Passive protocol-based orSecurity Assertion Markup Language (SAML) 2.0 WebSSO protocol-based endpoint, andthen click Next .On the Configure Identifiers page, you must specify at least one identifier for this relyingparty trust. Type the URI you want to use here, click Add to add it to the list, and then clickNext .On the Choose Issuance Authorization Rules page, select whether you want to permit allusers or restrict them, based on configuring authorization rules, and then click Next .On the Ready to Add Trust page, review your settings. When you are ready to save yoursettings, click Next .On the Finish page, click Close .

http://technet.microsoft.com/en-us/library/adfs2-help-how-to-add-a-relying-party-trust(v=WS.10).aspx

QUESTION 15.

Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. The Active Directory Federation Services (AD FS) role is installed on Server1.

Contoso.com is defined as an account store.

A partner company has a Web-based application that uses AD FS authentication. The partner company plansto provide users from contoso.com access to the Web application. You need to configure AD FS oncontoso.com to allow contoso.com users to be authenticated by the partner company.

What should you create on Server1?

A. a new applicationB. a resource partnerC. an account partnerD. an organization claim


Explanation/Reference:Account partnerAn account partner represents the organization in the federation trust relationship thatphysically stores user accounts in either an Active Directory Domain Services (AD DS) storeor an Active Directory Lightweight Directory Services (AD LDS) store. The account partner isresponsible for collecting and authenticating a user's credentials, building up claims for thatuser, and packaging the claims into security tokens. These tokens can then be presentedacross a federation trust for access to Web-based resources that are located in theresource partner organization.In other words, an account partner represents the organization for whose users the account-side Federation Service issues security tokens. The Federation Service in the accountpartner organization authenticates local users and creates security tokens that are used bythe resource partner in making authorization decisions. In relation to AD DS, the account partner in AD FS is conceptually equivalent to a single ADDS forest whose accounts need access to resources that are physically located in anotherforest. Accounts in this example forest can access resources in the resource forest onlywhen an external trust or forest trust relationship exists between the two forests and theresources to which the users are trying to gain access have been set with the properauthorization permissions.

Resource partnerA resource partner is the second organizational partner in the federation trust relationship. Aresource partner is the organization where the AD FS-enabled Web servers that host one ormore Web-based applications (the resources) reside. The resource partner trusts theaccount partner to authenticate users. Therefore, to make authorization decisions, theresource partner consumes the claims that are packaged in security tokens coming fromusers in the account partner. In other words, a resource partner represents the organization whose AD FS-enabled Webservers are protected by the resource-side Federation Service. The Federation Service atthe resource partner uses the security tokens that are produced by the account partner tomake authorization decisions for AD FS-enabled Web servers that are located in theresource partner. To function as an AD FS resource, an AD FS-enabled Web server in the resource partnerorganization must have the AD FS Web Agent component of AD FS installed. Web serversthat function as an AD FS resource can host either claims-aware applications or WindowsNT token–based applications.


QUESTION 16.

Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has the Active Directory Federation Services (AD FS) Federation Service role service installed.

You plan to deploy AD FS 2.0 on Server2.

You need to export the token-signing certificate from Server1, and then import the certificate to Server2.

Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)C. DER encoded binary X.509 (.cer)D. Personal Information Exchange PKCS #12 (.pfx)


Explanation/Reference:Export the token signing certificateUse the procedure in this section to export the token signing certificate of the AD FS Serverwith which you want to establish a trust relationship, and then copy the certificate to alocation that SharePoint Server 2010 can access.To export a token signing certificateVerify that the user account that is performing this procedure is a member of theAdministrators group on the local computer. For additional information about accounts andgroup memberships, see Local and Domain Default GroupsOpen the Active Directory Federation Services (AD FS) 2.0 Management console.In the left pane, click to expand Service , and then click the Certificates folder. Under Token signing , click the primary token certificate as indicated in the Primary column.In the right pane, click View Certificate link . This displays the properties of the certificate.Click the Details tab.Click Copy to File . This starts the Certificate Export Wizard.On the Welcome to the Certificate Export Wizard page, click Next .On the Export Private Key page, click No, do not export the private key , and then clickNext .On the Export File Format page, select DER encoded binary X.509 (.CER) , and then clickNext .On the File to Export page, type the name and location of the file you want to export, andthen click Next . For example, enter C:\ADFS.cer .On the Completing the Certificate Export Wizard page, click Finish .

http://technet.microsoft.com/en-us/library/hh305235.aspx

QUESTION 17.

Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm.

The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQLServer.

You install AD FS 2.0 on Server2.

You need to add Server2 to the existing AD FS farm.

What should you do?

A. On Server1, run fsconfig.exe.B. On Server1, run fsconfigwizard.exe.C. On Server2, run fsconfig.exe.D. On Server2, run fsconfigwizard.exe.


Explanation/Reference:To configure a new federation server using the command linefsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specificparameters]

http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server%28WS.10%29.aspx

The AD FS configuration database stores all the configuration data that represents a singleinstance of Active Directory Federation Services (AD FS) 2.0 (that is, the FederationService). The AD FS configuration database defines the set of parameters that a FederationService requires to identify partners, certificates, attribute stores, claims, and various dataabout these associated entities. You can store this configuration data in either a MicrosoftSQL Server® database or the Windows Internal Database (WID) feature that is includedwith Windows Server® 2008 and Windows Server 2008 R2.

QUESTION 18.

Your network contains an Active Directory forest.You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in thenetwork. You create a Windows PowerShell script named new-users.ps1 that contains the following lines:

new-aduser user1new-aduser user2new-aduser user3new-aduser user4new-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the script fails tocreate the user accounts.

You need to ensure that the script creates the user accounts.

Which cmdlet should you add to the script?

A. Import-ModuleB. Register-ObjectEventC. Set-ADDomainD. Set-ADUser


Explanation/Reference:The Import-Module cmdlet adds one or more modules to the current session. A module is a package that contains members (such as cmdlets, providers, scripts,functions, variables, and other tools and files) that can be used in Windows PowerShell.After a module is imported, you can use the module members in your session. To import a module, use the Name, Assembly, or ModuleInfo parameter to identify themodule to import. By default, Import-Module imports all members that the module exports,but you can use the Alias, Function, Cmdlet, and Variable parameters to restrict themembers that are imported. Import-Module imports a module only into the current session. To import the module into allsessions, add an Import-Module command to your Windows PowerShell profile. For moreinformation about profiles, see about_Profiles. For more information about modules, see about_Modules.

QUESTION 19.

Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.

You need to modify the custom attribute value of 500 user accounts.


A. CsvdeB. DsmodC. DsrmD. Ldifde


Explanation/Reference:LDIFDE:CAN move or modify objects

CSVDE:CANNOT move or modify an object

Microsoft recommends that you use the Ldifde utility for Modify or Delete operations

QUESTION 20.

Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.

You need to give the human resources department a file that contains the last logon time and the customattribute values for each user in the forest.

Which should you use?

A. the Dsquery toolB. the Export-CSV cmdletC. the Get-ADUser cmdletD. the Net.exe user command


Explanation/Reference:The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple userobjects.

The Identity parameter specifies the Active Directory user to get. You can identify a user byits distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager(SAM) account name or name. You can also set the parameter to a user object variable,such as $<localUserObject> or pass a user object through the pipeline to the Identityparameter.

To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. TheFilter parameter uses the PowerShell Expression Language to write query strings for ActiveDirectory. PowerShell Expression Language syntax provides rich type conversion supportfor value types received by the Filter parameter. For more information about the Filterparameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP querystrings, you can use the LDAPFilter parameter.

This cmdlet retrieves a default set of user object properties. To retrieve additional propertiesuse the Properties parameter.


Exam I

QUESTION 1.

You have a Windows PowerShell script that contains the following code:import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword$_.password}

When you run the script, you receive an error message indicating that the format of the password is incorrect.The script fails.

You need to run a script that successfully creates the user accounts by using the password contained inaccounts.csv.

Which script should you run?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(ConvertTo-SecureString "Password" -AsPlainText -force)}

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(ConvertTo-SecureString $_.Password -AsPlainText -force)}

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(Read-Host -AsSecureString "Password")}

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(Read-Host -AsSecureString $_.Password)}


Explanation/Reference:I believe the "Password" parameter in "A" is when y ou specify the actual password inthe command, whereas the $_.Password parameter in " B" is a variable that would usethe password in the CSV file. Need to check that, though.

ConvertTo-SecureString

Applies To: Windows PowerShell 2.0Converts encrypted standard strings to secure strings. It can also convert plain text tosecure strings. It is used with ConvertFrom-SecureString and Read-Host.SyntaxCopy ConvertTo-SecureString [-Key <Byte[]>] [-String] <s tring> [<CommonParameters>]

ConvertTo-SecureString [-AsPlainText] [-Force] [-St ring] <string>[<CommonParameters>]

ConvertTo-SecureString [[-SecureKey] <SecureString> ] [-String] <string>[<CommonParameters>]

DescriptionThe ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings.It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString andRead-Host. The secure string created by the cmdlet can be used with cmdlets or functionsthat require a parameter of type SecureString. The secure string can be converted back to

an encrypted, standard string using the ConvertFrom-SecureString cmdlet. This enables it to bestored in a file for later use.If the standard string being converted was encrypted with ConvertFrom-SecureString using aspecified key, that same key must be provided as the value of the Key or SecureKeyparameter of the ConvertTo-SecureString cmdlet.Parameters-AsPlainText Specifies a plain text string to convert to a secure string. The secure string cmdlets helpprotect confidential text. The text is encrypted for privacy and is deleted from computermemory after it is used. If you use this parameter to provide plain text as input, the systemcannot protect that input in this manner. To use this parameter, you must also specify theForce parameter.Required? falsePosition? 2Default Value noneAccept Pipeline Input? falseAccept Wildcard Characters? false-Force Confirms that you understand the implications of using the AsPlainText parameter and stillwant to use it.Required? falsePosition? 3Default Value noneAccept Pipeline Input? falseAccept Wildcard Characters? false-Key <Byte[]>Specifies the encryption key to use when converting a secure string into an encryptedstandard string. Valid key lengths are 16, 24, and 32 bytes.Required? falsePosition? namedDefault Value noneAccept Pipeline Input? falseAccept Wildcard Characters? false-SecureKey <SecureString>Specifies the encryption key to use when converting a secure string into an encryptedstandard string. The key must be provided in the format of a secure string. The secure stringis converted to a byte array before being used as the key. Valid key lengths are 16, 24, and32 bytes.Required? falsePosition? 2Default Value noneAccept Pipeline Input? falseAccept Wildcard Characters? false-String <string>Specifies the string to convert to a secure string.Required? truePosition? 1Default Value noneAccept Pipeline Input? true (ByValue)Accept Wildcard Characters? false

<CommonParameters>This command supports the common parameters: Verbose, Debug, ErrorAction,ErrorVariable, OutBuffer, OutVariable, WarningAction, and WarningVariable. For moreinformation, see about_CommonParameters.Inputs and OutputsThe input type is the type of the objects that you can pipe to the cmdlet. The return type isthe type of the objects that the cmdlet returns.

Inputs System.StringYou can pipe a standard encrypted string to ConvertTo-SecureString.

Outputs System.Security.SecureStringConvertTo-SecureString returns a SecureString object.

Example 1Copy C:\PS>$secure = read-host -assecurestring

C:\PS> $secureSystem.Security.SecureString

C:\PS> $encrypted = convertfrom-securestring -secur estring $secureC:\PS> $encrypted01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a1 14d45b8dd3f4aa11ad7c0abdae9800000000002000000000003660000a8000000100000005df63cea 84bfb7d70bd6842e7efa79820000000004800000a000000010000000f10cd0f4a99a 8d5814d94e0687d7430b100000008bf11f1960158405b2779613e9352c6d14000000e6b7bf46a9d48 5ff211b9b2a2df3bd6eb67aae41

C:\PS> $secure2 = convertto-securestring -string $e ncryptedC:\PS> $secure2System.Security.SecureString

Description-----------This example shows how to create a secure string from user input, convert the secure stringto an encrypted standard string, and then convert the encrypted standard string back to asecure string.The first command uses the AsSecureString parameter of the Read-Host cmdlet to create asecure string. After you enter the command, any characters that you type are converted intoa secure string and then saved in the $secure variable.The second command displays the contents of the $secure variable. Because the $securevariable contains a secure string, Windows PowerShell displays only theSystem.Security.SecureString type. The third command uses the ConvertFrom-SecureString cmdlet to convert the secure stringin the $secure variable into an encrypted standard string. It saves the result in the$encrypted variable. The fourth command displays the encrypted string in the value of the$encrypted variable.The fifth command uses the ConvertTo-SecureString cmdlet to convert the encryptedstandard string in the $encrypted variable back into a secure string. It saves the result in the$secure2 variable. The sixth command displays the value of the $secure2 variable. TheSecureString type indicates that the command was successful.Example 2Copy C:\PS>$secure = read-host -assecurestring

C:\PS> $encrypted = convertfrom-securestring -secur eString $secure -key (1..16)

C:\PS> $encrypted | set-content encrypted.txt

C:\PS> $secure2 = get-content encrypted.txt | conve rtto-securestring -key (1..16)

Description-----------This example shows how to create a secure string from an encrypted standard string that issaved in a file.The first command uses the AsSecureString parameter of the Read-Host cmdlet to create asecure string. After you enter the command, any characters that you type are converted intoa secure string and then saved in the $secure variable. The second command uses the ConvertFrom-SecureString cmdlet to convert the securestring in the $secure variable into an encrypted standard string by using the specified key.The contents are saved in the $encrypted variable.The third command uses a pipeline operator (|) to send the value of the $encrypted variableto the Set-Content cmdlet, which saves the value in the Encrypted.txt file.The fourth command uses the Get-Content cmdlet to get the encrypted standard string inthe Encrypted.txt file. The command uses a pipeline operator to send the encrypted string tothe ConvertTo-SecureString cmdlet, which converts it to a secure string by using thespecified key. The results are saved in the $secure2 variable.Example 3Copy C:\PS>$secure_string_pwd = convertto-securestring " P@ssW0rD!" -asplaintext -force

Description-----------This command converts the plain text string "P@ssW0rD!" into a secure string and storesthe result in the $secure_string_pwd variable. To use the AsPlainText parameter, the Forceparameter must also be included in the command.

http://technet.microsoft.com/en-us/library/dd347656.aspx

QUESTION 2.

Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.

Your company's corporate security policy states that the password for each user account must be changed atleast every 45 days.

You have a user account named Service1. Service1 is used by a network application named Application1.Every 45 days, Application1 fails.

After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causesApplication1 to fail. The solution must adhere to the corporate security policy.

What should you do?

A. Run the Set-ADAccountControl cmdlet.B. Run the Set-ADServiceAccount cmdlet.C. Create a new password policy.D. Create a new Password Settings object (PSO).


Explanation/Reference:Set-ADServiceAccountModifies an Active Directory service account.

Detailed DescriptionThe Set-ADServiceAccount cmdlet modifies the properties of an Active Directory serviceaccount. You can modify commonly used property values by using the cmdlet parameters.Property values that are not associated with cmdlet parameters can be modified by usingthe Add, Replace, Clear and Remove parameters.

The Identity parameter specifies the Active Directory service account to modify. You canidentify a service account by its distinguished name (DN), GUID, security identifier (SID), orSecurity Accounts Manager (SAM) account name. You can also set the Identity parameterto an object variable such as $<localServiceAccountObject>, or you can pass an objectthrough the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the objectthrough the pipeline to the Set-ADServiceAccount cmdlet.

The Instance parameter provides a way to update a service account object by applying thechanges made to a copy of the object. When you set the Instance parameter to a copy ofan Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object.To get a copy of the object to modify, use the Get-ADServiceAccount object. When youspecify the Instance parameter you should not pass the Identity parameter. For moreinformation about the Instance parameter, see the Instance parameter description.

For more information about how the Instance concept is used in Active Directory cmdlets,see about_ActiveDirectory_Instance.

InstanceSpecifies a modified copy of a service account object to use to update the actual ActiveDirectory service account object. When this parameter is used, any modifications made tothe modified copy of the object are also made to the corresponding Active Directory object.The cmdlet only updates the object properties that have changed.

The Instance parameter can only update service account objects that have been retrievedby using the Get-ADServiceAccount cmdlet. When you specify the Instance parameter, youcannot specify other parameters that set properties on the object.

The following is an example of how to use the Get-ADServiceAccount cmdlet to retrieve aninstance of the ADServiceAccount object. The object is modified by using the WindowsPowerShell command line. Then the Set-ADServiceAccount cmdlet saves the changes tothe Active Directory object.

Step 1: Retrieve a local instance of the object.$serviceAccountInstance = Get-ADServiceAccount -Identity ADServiceAdminStep 2: Modify one or more properties of the object instance.$serviceAccountInstance.Description = "default"

Step3: Save your changes to ADServiceAdmin.Set-ADServiceAccount -Instance $serviceAccountInstance

http://technet.microsoft.com/en-us/library/ee617252 .aspx


QUESTION 3.

Your network contains an Active Directory forest.

You add an additional user principal name (UPN) suffix to the forest. You need to modify the UPN suffix of allusers.

You want to achieve this goal by using the minimum amount of administrative effort.


A. the Active Directory Domains and Trusts consoleB. the Active Directory Users and Computers consoleC. the Csvde toolD. the Ldifde tool

Correct Answer: DSection: Configuring Domains and TrustsExplanation

Explanation/Reference:In TechNet they talk about using PowerShell scripts to do this, but of the answers here, Ldifde is the one mostlikely to be used to modify AD attributes for multiple users.

It is not ADDT, because it would only affect the UPN for new users:

QUESTION 4.

Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2(SP2).

You need to prevent all users from running an application named App1.exe.

Which Group Policy settings should you configure?

A. Application CompatibilityB. AppLockerC. Software InstallationD. Software Restriction Policies


Explanation/Reference:Reason : applocker is a Windows 2008 R2 and Windows 7 feature. Software Restriction Policies applied tovista and earlier.


QUESTION 5.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows XP Service Pack 3 (SP3) or Windows Vista.

You need to ensure that all client computers can apply Group Policy preferences.

What should you do?

A. Upgrade all Windows XP client computers to Windows 7.B. Create a central store that contains the Group Policy ADMX files.C. Install the Group Policy client-side extensions (CSEs) on all client computers.D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

Correct Answer: CSection: Configuring Group PolicyExplanation

Explanation/Reference:Reason: Group Policy Preferences/group policy client side extensions(CSEs) enable information technologyprofessionals to configure, deploy, and manage operating system(xp for example) and application settings theypreviously were not able to manage using Group Policy. After you install this update, your computer will be ableto process the new Group Policy Preference extensions

This article discusses the Group Policy preferences that are new in Windows Server 2008and how to enable down-level computers to process these new items. Group Policypreferences are made up of more than 20 new Group Policy client-side extensions (CSEs)that expand the range of configurable settings in a Group Policy object (GPO). These newpreference extensions are included in the Group Policy Management Editor window of theGroup Policy Management Console (GPMC). The kinds of preference items that can be

created by using each extension are listed when New is selected for the extension.Examples of the new Group Policy preference extensions include the following: Folder Options Drive Maps Printers Scheduled Tasks Services Start Menu

Updated versions of the new Windows Server 2008 Group Policy preferences client-sideextensions for Windows Server 2003 and Windows XP can be downloaded by usingWindows Update.


QUESTION 6.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows 7 or Windows Vista Service Pack 2 (SP2).

You need to audit user access to the administrative shares on the client computers.

What should you do?

A. Deploy a logon script that runs Icacls.exe.B. Deploy a logon script that runs Auditpol.exe.C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.


Explanation/Reference:Auditpol

Displays information about and performs functions to manipulate audit policies.For examples of how this command can be used, see the Examples section in each topic.


Reason: Not C or D: Advance audit policy is 2k8 R2 and windows 7 feature.

Which Versions of Windows Support Advanced Audit Po licy Configuration?15 out of 18 rated this helpful Rate this topic All versions of Windows Server 2008 R2 and Windows 7 that can process Group Policy can be configured touse the new advanced security auditing enhancements. Versions of Windows Server 2008 R2 and Windows 7that cannot join a domain do not have access to these features. There is no difference in security auditingsupport between 32-bit and 64-bit versions of Windows 7.


QUESTION 7.


You need to create a central store for the Group Policy Administrative templates.

What should you do?

A. Run dfsrmig.exe /createglobalobjects.B. Run adprep.exe /domainprep /gpprep.C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies

folder.D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com

\Policies folder.

Correct Answer: CSection: Configuring Group PolicyExplanation

Explanation/Reference:The Central StoreTo take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on adomain controller. The Central Store is a file location that is checked by the Group Policy tools. The GroupPolicy tools use any .admx files that are in the Central Store. The files that are in the Central Store are laterreplicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in thefollowing location:

\\FQDN\SYSVOL\FQDN\policies

Note FQDN is a fully qualified domain name.

For example, to create a Central Store for the Test.Microsoft.com domain, create a PolicyDefinitions folder inthe following location: \\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\PoliciesCopy all files from the PolicyDefinitions folder on aWindows Vista-based client computer to the PolicyDefinitions folder on the domain controller. ThePolicyDefinitions folder on a Windows Vista-based computer resides in the same folder as Windows Vista. ThePolicyDefinitions folder on the Windows Vista-based computer stores all .admx files and .adml files for alllanguages that are enabled on the client computer.


QUESTION 8.

You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.

You need to identify whether a specific application file is allowed to run on a computer.

Which Windows PowerShell cmdlet should you use?

A. Get-AppLockerFileInformationB. Get-GPOReportC. Get-GPPermissionsD. Test-AppLockerPolicy

Correct Answer: DSection: Powershell & Command line cmds

Explanation

Explanation/Reference:The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of filesare allowed to run on the local computer for a specific user.


QUESTION 9.

You create a Password Settings object (PSO).

You need to apply the PSO to a domain user named User1.

What should you do?

A. Modify the properties of the PSO.B. Modify the account options of the User1 account.C. Modify the security settings of the User1 account.D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).


Explanation/Reference:To apply PSOs to users or global security groups us ing the Windows interfaceOpen Active Directory Users and Computers. To open Active Directory Users and Computers, click Start , pointto Administrative Tools , and then click Active Directory Users and Computers .On the View menu, ensure that Advanced Features is checked.In the console tree, click Password Settings Container.Where? Active Directory Users and Computers\domain node\System\Password Settings Container.

In the details pane, right-click the PSO, and then click Properties .Click the Attribute Editor tab.Select the msDS-PsoAppliesTo attribute, and then click Edit .

Note If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter , and then click Showattributes /Optional . Also, clear the Show only attributes that have values check box.

In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user orthe global security group that you want to apply this PSO to, click Add , and then click OK.


You can also use the ldifde command to apply a PSO to multiple users or global security groups quickly.

QUESTION 10.

You need to create a Password Settings object (PSO).


A. Active Directory Users and ComputersB. ADSI EditC. Group Policy Management ConsoleD. Ntdsutil


Explanation/Reference:Fine-Grained Passwords [Password policies per OU, Group or user]Adsi edit, cn=system, cn=password settings container, Right Mouse, new object, msds-passwordsettings, entername Passwordsettings, enter values…ADUC adv, create group, goto system, Passwordsettings ,msDS-PSOAppliesTo, edit, enter the group.

QUESTION 11.

Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.

You need to audit the deletion of registry keys on each server.

What should you do?

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.B. From Audit Policy, modify the System Events settings and the Privilege Use settings.C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object

Access Auditing settings.

Correct Answer: DSection: Configuring AD InfrastructureExplanation

Explanation/Reference:Reason : Advanced audit policy configuration is a W2K8 R2 feature (see sceenshot below).

Global Object Access Auditing1 out of 1 rated this helpful Rate this topic Updated: July 15, 2010Applies To: Windows 7, Windows Server 2008 R2Global Object Access Auditing policy settings allow administrators to define computer

system access control lists (SACLs) per object type for either the file system or registry. Thespecified SACL is then automatically applied to every object of that type. Auditors will be able to prove that every resource in the system is protected by an auditpolicy by just viewing the contents of the Global Object Access Auditing policy settings. Forexample, a policy setting "track all changes made by group administrators" shows that thispolicy is in effect. Resource SACLs are also useful for diagnostic scenarios. For example, setting a GlobalObject Access Auditing policy setting to log all the activity for a specific user and enablingthe Object Access audit policy for a resource (file system, registry) to track "access denied"events can help administrators quickly identify which object in a system is denying a useraccess.

This category includes the following subcategories:File System (Global Object Access Auditing)

Registry (Global Object Access Auditing)

Registry (Global Object Access Auditing)

Applies To: Windows 7,Windows Server 2008 R2This security policy setting allows you to configure a global system access control list(SACL) on the registry for a computer. If you select the Configure security check box, you can add a user or group to the globalSACL.

QUESTION 12.

Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.

You need to enable the Active Directory Recycle Bin.


A. the Dsmod toolB. the Enable-ADOptionalFeature cmdletC. the Ntdsutil toolD. the Set-ADDomainMode cmdlet


Explanation/Reference:Enabling Active Directory Recycle BinAfter the forest functional level of your environment is set to Windows Server 2008 R2, you can enable ActiveDirectory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)

Ldp.exe


QUESTION 13.

Your network contains a single Active Directory domain.

You need to create an Active Directory Domain Services snapshot.

What should you do?

A. Use the Ldp tool.B. Use the NTDSUtil tool.C. Use the Wbadmin tool.D. From Windows Server Backup, perform a full backup.


Explanation/Reference:Requirements for using the Active Directory databas e mounting toolYou do not need any additional software to use the Active Directory database mounting tool. All the tools thatare required to use this feature are built into Windows Server 2008 and are available if you have the AD DS orthe AD LDS server role installed. These tools include the following:

A new ntdsutil snapshot operation that you can use to create, list, mount, and unmount snapshots of AD DSor AD LDS data

Note You are not required to run the ntdsutil snapshot operation to use Dsamain.exe. You can instead use a backup of the AD DS orAD LDS database or another domain controller or AD LDS server. The ntdsutil snapshot operation simply provides a convenientdata input for Dsamain.exe.

Dsamain.exe, which you can use to expose the snapshot data as an LDAP server

Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers


QUESTION 14.

Your network contains a single Active Directory domain. A domain controller named DC2 fails.

You need to remove DC2 from Active Directory.



A. At the command prompt, run dcdiag.exe /fix.B. At the command prompt, run netdom.exe remove dc2.C. From Active Directory Sites and Services, delete DC2.D. From Active Directory Users and Computers, delete DC2.

Correct Answer: CDSection: Creating & Maintaining AD ObjectsExplanation

Explanation/Reference:TechNet wants you to do this from the server containing the DC - using dcpromo. Have not found theprocedure mentioned above.

QUESTION 15.

Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008. The functional level of the domain is Windows Server 2008 R2.

All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2. You need toensure that you can enable the Active Directory Recycle Bin.

What should you do?

A. Change the functional level of the forest.B. Change the functional level of the domain.C. Modify the Active Directory schema.D. Modify the Universal Group Membership Caching settings.

Correct Answer: ASection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:Reason : Active directory recycle bin is a W2K8 R2 feature.

Raising the forest functional levelYou can enable Active Directory Recycle Bin only if the forest functional level of yourenvironment is set to Windows Server 2008 R2.


QUESTION 16.

Your network contains an Active Directory domain. The domain contains several domain controllers.All domain controllers run Windows Server 2008 R2.

You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server2008 R2 default settings.

What should you do?

A. Run dcgpofix.exe /target:dc.B. Run dcgpofix.exe /target:domain.C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.


Explanation/Reference:Dcgpofix restores the default Group Policy objects to their original default state after initial

installation of a domain controller. The Dcgpofix tool recreates the two default Group Policyobjects and creates the settings based on the operations that are performed only duringDcpromo.

The Dcgpofix tool is intended for use only as a last-resort disaster-recovery tool.

To run Dcgpofix Type the following at the command prompt: dcgpofix [/ignoreschema][/target: {domain |dc | both}]Where:/ignoreschema is an optional parameter. If you set this parameter, the Active Directoryschema version number is ignored. /target: {domain | dc | both} is an optional parameter that specifies the target domain,domain controller, or both. If you do not specify /target , dcgpofix uses both by default.

QUESTION 17.

Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controller named DC3 and DC4.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003.

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, anadministrator deletes a user account while he is logged on to DC1. You need to restore the deleted useraccount. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. On DC1, run the Restore-ADObject cmdlet.B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory

Domain Services.D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active

Directory Domain Services.

Correct Answer: DSection: AD Sites & ServicesExplanation

Explanation/Reference:Authoritative restore allows the administrator to recover a domain controller, restore it to aspecific point in time, and mark objects in Active Directory as being authoritative withrespect to their replication partners. For example, you might need to perform anauthoritative restore if an administrator inadvertently deletes an organizational unitcontaining a large number of users. If you restore the server from tape, the normalreplication process would not restore the inadvertently deleted organizational unit.Authoritative restore allows you to mark the organizational unit as authoritative and force thereplication process to restore it to all of the other domain controllers in the domain.

Reason : A and B are incorrect because the functional level of the forest must be win2k8 R2 to use restore-adoject cmdlet (It is an AD recycle bin feature).

QUESTION 18.

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.You update a script in the SYSVOL folder.

You discover that the new script fails to run properly. You need to restore the previous version of the script inthe SYSVOL folder. The solution must minimize the amount of time required to restore the script.


A. Run the Restore-ADObject cmdlet.B. Restore the system state to its original location.C. Restore the system state to an alternate location.D. Attach the VHD file created by Windows Server Backup.

Correct Answer: DSection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:Windows Server Backup creates VHD files. Simply mount the VHD in a compatible operating system (DiskManagement) and copy the needed file.

QUESTION 19.


You need to restore a deleted computer account from the Active Directory Recycle Bin.

What should you do?

A. From the command prompt, run recover.exe.B. From the command prompt, run ntdsutil.exe.C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.


Explanation/Reference:Restoring a deleted Active Directory object using t he Get-ADObject and Restore-ADObject cmdletsYou can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObjectActive Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.

To restore a single, deleted Active Directory objec t using the Get-ADObject and Restore-ADObjectcmdlets Click Start , click Administrative Tools , right-click Active Directory Module for Windows PowerShell , andthen click Run as administrator .

At the Active Directory module for Windows PowerShell command prompt, type the followingcommand, and then press ENTER:Get-ADObject -Filter {String} -IncludeDeletedObject s | Restore-ADObject For example, if you want to restore an accidentally deleted user object with the display name Mary, type thefollowing command, and then press ENTER: Get-ADObject -Filter {displayName -eq "Mary"} -Incl udeDeletedObjects | Restore-ADObject

http://technet.microsoft.com/en-us/library/dd379509(v=WS.10).aspx#BKMK_3

It's not Restore-Computer cmdlet, because it only Starts a system restore on the local computer.

QUESTION 20.

You need to back up all of the group policies in a domain.

The solution must minimize the size of the backup.


A. the Add-WBSystemState cmdletB. the Group Policy Management consoleC. the Wbadmin toolD. the Windows Server Backup feature


Explanation/Reference:Back Up a Group Policy Object

Applies To: Windows Server 2008 R2

To back up a Group Policy object

In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest anddomain containing the Group Policy object (GPO) to back up.To back up a single GPO, right-click the GPO, and then click Back Up . To back up all GPOs in the domain,right-click Group Policy objects and click Back Up All .In the Backup Group Policy object dialog box, in the Location box, enter the path for the location in whichyou want to store the GPO backups, or click Browse , locate the folder in which you want to store the GPObackups, and then click OK.In the Description box, type a description for the GPOs that you want to back up, and then click Back Up . Ifyou are backing up multiple GPOs, the description will apply to all GPOs you back up.After the operation completes, click OK.


Exam J

QUESTION 1.

You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.

You need to ensure that you can recover the private key of a certificate issued to a Web server.

What should you do?

A. From the CA, run the Get-PfxCertificate cmdlet.B. From the Web server, run the Get-PfxCertificate cmdlet.C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.


Explanation/Reference:A .pfx file includes the public and private key.

The correct notation is:certutil.exe -privatekey -exportpfx "MyCert" MyCert.pfxhttp://blogs.microsoft.co.il/blogs/applisec/archive/2008/04/08/creating-x-509-certificates-using-makecert-exe.aspx

The Get-PfxCertificate cmdlet gets an object representing each specified .pfx certificate fileThis command gets information about the .pfx certificate on the system and does NOT export it!http://technet.microsoft.com/en-us/library/dd347671.aspx

QUESTION 2.


The network contains a single Active Directory domain. The main office contains a domain controller namedDC1.

You need to install a domain controller in the branch office by using an offline copy of the Active Directorydatabase.


A. From the Ntdsutil tool, create an IFM media set.B. From the command prompt, run djoin.exe /loadfile.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the get-ADDomainController cmdlet.


Explanation/Reference:Create Installation Media by Using Ntdsutil

This task uses the Install from Media (IFM) option. Create the media on a domain controller in the domainwhere you are installing one or more new domain controllers.


QUESTION 3.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. Thefunctional level of the domain is Windows Server 2003. All client computers run Windows 7.

You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline domain join ofServer1.



A. From Server1, run djoin.exe.B. From Server1, run netdom.exe.C. From a Windows 7 computer, run djoin.exe.D. Upgrade one domain controller to Windows Server 2008 R2.E. Raise the functional level of the domain to Windows Server 2008.

Correct Answer: ACSection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:Reason : Requirement must be 2k8 R2 DC and Windows 7 to use djoin.exe

Operating system requirementsYou can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer onwhich you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 orWindows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7or Windows Server 2008 R2.

By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, you can specify an optional /downlevel parameter if you want to target a domain controller that isrunning a version of Windows Server that is earlier than Windows Server 2008 R2

1. On the provisioning server (Windows 7 client), open an elevated command prompt. Type the following command to provision the computer account:djoin /provision /downlevel /domain <domain to be joined> /machine <name of the destination computer> /savefile blob.txtCopy the blob.txt file to the client computer.

2. Command to insert the computer account metadata into the Windows directory of the destination computer.On the client computer (The new W2K8 DC), open an elevated command prompt, and then type the followingcommand to request the domain join:djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos

http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step%28WS.10%29.aspx#BKMK_ODJRequirements

QUESTION 4.

You have an Active Directory snapshot.

You need to view the contents of the organizational units (OUs) in the snapshot.

Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.mscB. ntdsutil.exe, dsamain.exe, and dsa.mscC. wbadmin.msc, dsamain.exe, and netdom.exeD. wbadmin.msc, ntdsutil.exe, and explorer.exe


Explanation/Reference:In the command-line tool Ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, butyou must use Dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server.

To start Active Directory Users and Computers focused on domain1, type:

dsa.msc /domain= domain1

To start Active Directory Users and Computers focused on server1, type:

dsa.msc /server= server1.domain1

QUESTION 5.

Your network contains a domain controller that runs Windows Server 2008 R2. You run the following commandon the domain controller:dsamain.exe dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport 389 -allowNonAdminAccess

The command fails.

You need to ensure that the command completes successfully.

How should you modify the command?

A. Include the path to Dsamain.B. Change the value of the dbpath parameter.C. Change the value of the ldapport parameter.D. Remove the allowNonAdminAccess parameter.


Explanation/Reference:Normally when you use ntdsutil and dsamain.exe to connect a snapshot then you use a different port, becauseAD is allready running on the default port 389

The LDAPPort property specifies the TCP/IP port on which the domain controller listens for LDAP requests.

The LDAPPort property is read-write.

QUESTION 6.

Your network contains an Active Directory domain. The domain contains five domain controllers. A domaincontroller named DC1 has the DHCP role and the file server role installed.

You need to move the Active Directory database on DC1 to an alternate location. The solution must minimizeimpact on the network during the database move.


A. Restart DC1 in Safe Mode.B. Restart DC1 in Directory Services Restore Mode.C. Start DC1 from Windows PE.D. Stop the Active Directory Domain Services service on DC1.


Explanation/Reference:To move the directory database and log files to a l ocal drive

Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt , and thenclick Run as administrator . If the User Account Control dialog box appears, provide credentials, if required,and then click Continue .At the command prompt, type the following command, and then press ENTER:net stop ntds Type Y to agree to stop additional services, and then press ENTER.

Continue with the procedure...


QUESTION 7.


The network contains an Active Directory forest. The forest contains three domains. The branch office containsone domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a fileserver.

You remove the global catalog from DC5.

You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impacton all users in the branch office.


A. Start DC5 in Safe Mode.B. Start DC5 in Directory Services Restore Mode.C. On DC5, start the Protected Storage service.D. On DC5, stop the Active Directory Domain Services service.


Explanation/Reference:Only offline defragmentation can return unused disk space from the directory database to the file system. Whendatabase contents have decreased considerably through a bulk deletion (for example, you remove the globalcatalog from a domain controller), or if the size of the database backup is significantly increased due to thewhite space, use offline defragmentation to reduce the size of the Ntds.dit file.

QUESTION 8.

Your network contains a domain controller that runs Windows Server 2008 R2.

You need to change the location of the Active Directory log files.


A. DsamainB. DsmgmtC. DsmoveD. Ntdsutil


Explanation/Reference:Start a command prompt, and then type ntdsutil.exe.NOTE: To get a list of commands that you can use at theNtdsutil prompt, type ?.

At a Ntdsutil prompt, type files. At the File Maintenance prompt, use one or both of the following procedures:

To move a database, type move db to %s, where %s is the drive and folder where you want the databasemoved. To move log files, type move logs to %s, where %s is the drive and folder where you want the log files moved.

QUESTION 9.

Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You deploy anew server that runs Windows Server 2008 R2. The server is not connected to the internal network.

You need to ensure that the new server is already joined to the domain when it first connects to the internalnetwork.

What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, runsysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, runsysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server,run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server,

run djoin.exe and specify the /provision parameter.


Explanation/Reference:Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 canuse to join a domain without contacting a domain controller. This makes it possible to join computers to adomain in locations where there is no connectivity to a corporate network.

Run Djoin.exe at an elevated command prompt to provision the computer account metadata. When you run theprovisioning command, the computer account metadata is created in a .txt file that you specify as part of thecommand. After you run the provisioning command, you can either run Djoin.exe again to request the computeraccount metadata and insert it into the Windows directory of the destination computer or you can save thecomputer account metadata in an Unattend.xml file and then specify the Unattend.xml file during an unattendedoperating system installation of the destination computer.

djoin /provision /domain <domain_name> /machine <de stination computer> /savefile<filename.txt> [/machineou <OU name>] [/dcname <nam e of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printbl ob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/pol icypaths <Path(s)>]

djoin /requestodj /loadfile <filename.txt> /windows path <path to the Windowsdirectory of the offline image> /localos

http://technet.microsoft.com/en-us/library/offline- domain-join-djoin-step-by-step(v=WS.10).aspx

QUESTION 10.

Your network contains an Active Directory domain. The domain contains four domain controllers.You modify the Active Directory schema.

You need to verify that all the domain controllers received the schema modification.


A. dcdiag.exe /aB. netdom.exe query fsmoC. repadmin.exe /showrepl *D. sc.exe query ntds


Explanation/Reference:Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inboundreplication on Active Directory partitions.


Reason : * means all controllers.

QUESTION 11.

You remotely monitor several domain controllers.

You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query to retrieveinformation from the bios of each domain controller.

Which format should you use to write the query?

A. XrMLB. XMLC. WQLD. HTML


Explanation/Reference:Reason : the WMI Query Language (WQL) is a subset of the American National Standards Institute StructuredQuery Language (ANSI SQL) with minor semantic changes. Queries built using WQL are used to control the WMI Service.

WMI Query LanguageWMI Query Language (WQL) isn’t so much a dialect as it is a language within a language. You use a scriptinglanguage such as VBScript to access and manipulate WMI objects, but you use WQL to retrieve the exactobject or objects you want to work with.

QUESTION 12.

Your network contains an Active Directory domain named contoso.com. The domain contains five domaincontrollers.

You add a logoff script to an existing Group Policy object (GPO). You need to verify that each domain controllersuccessfully replicates the updated group policy.

Which two objects should you verify on each domain controller?


A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.iniB. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.polC. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com containerD. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container


Explanation/Reference:Group Policy has two configurations – the computer and the user configuration. In order to track changes toeach configuration, the GPO must track a version number for each configuration. With only one versionnumber, the way two versions are tracked is to split the version number into two numbers. The top 16 bits of the version number corresponds to the user configuration version. The lower 16 bits of theversion number corresponds to the computer configuration version. When looking at the version entry in thegpt.ini file what you are then seeing is: Version = [user version number top 16 bits] [computer version number lower 16 bits]

This number can be found in the editor and in the gpt.ini file

QUESTION 13.

Your network contains an Active Directory domain that contains five domain controllers. You have amanagement computer that runs Windows 7.

From the Windows 7 computer, you need to view all account logon failures that occur in the domain.

The information must be consolidated on one list.

Which command should you run on each domain controller?

A. Wecutil.exe qcB. Wevtutil.exe gliC. Winrm.exe quickconfigD. Winrshost.exe


Explanation/Reference:Winrm.exe quickconfig must be run on the remote computers to enable the collection of events.

QUESTION 14.

You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2.

The domain contains five domain controllers. You need to monitor the replication of the group policy templatefiles.


A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl


Explanation/Reference:Reason : Dfsrdiag can be used to replicate sysvol if the DC is running 2008 R2.

By running DFSRDIAG.EXE you can create test files then measure their replication times in a very granularway. In Windows Server 2008 R2 the SYSVOL is replicated using DFS

QUESTION 15.

You create a new Active Directory domain. The functional level of the domain is Windows Server 2003.

The domain contains five domain controllers that run Windows Server 2008 R2.

You need to monitor the replication of the group policy template files.


A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl


Explanation/Reference:Reason: FRS will be used to replicate sysvol if the functional level is 2008 and below. Use ntfrsutl to monitorthat. If you want to use DFS to replicate sysvol, the functional level must be at 2008 R2. Then you monitorusing dfsrdiag.

QUESTION 16.

You have a domain controller named Server1 that runs Windows Server 2008 R2.

You need to determine the size of the Active Directory database on Server1.

What should you do?

A. Run the Active Directory Sizer tool.B. Run the Active Directory Diagnostics data collector set.C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Correct Answer: CSection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:You can use the Search command on the Start menu to locate the database file (Ntds.dit) or the edb*.log filefor the location of the database and log files, respectively.

If you have set garbage collection logging to report free disk space, Event ID 1646 in the Directory Service logalso reports the size of the database file: “Total allocated hard disk space (megabytes):”

As an alternative, you can determine the size of the database file by listing the contents of the directory thatcontains the files.

Membership in Domain Admins , or equivalent, is the minimum required to complete this procedure. Reviewdetails about using the appropriate accounts and group memberships at Local and Domain Default Groups(http://go.microsoft.com/fwlink/?LinkId=83477).

To determine the database size and location online

On the domain controller on which you want to manage database files, open a command prompt as anadministrator: On the Start menu, right-click Command Prompt , and then click Run as administrator . If theUser Account Control dialog box appears, provide Domain Admins credentials, if required, and then clickContinue .

Change directories to the directory that contains the files that you want to manage.At the command prompt, type dir , and then press ENTER to examine the database size. In the followingexample command output, the Ntds.dit file and the log files are stored in the same directory. In the example,the files take up 58,761,256 bytes of disk space. This output is representative of a directory database to whichfew objects have been added.

C:\Windows\NTDS>dir Volume in drive C has no label. Volume Serial Number is 003D-0E9E Directory of C:\Windows\NTDS 01/29/2008 11:04 AM <DIR> . 01/29/2008 11:04 AM <DIR> .. 01/29/2008 10:29 AM 8,192 edb.chk 01/29/2008 10:29 AM 10,485,760 edb.log 01/29/2008 10:29 AM 10,485,760 edb00001.log 01/29/2008 10:29 AM 10,485,760 edbres00001.jrs 01/29/2008 10:29 AM 10,485,760 edbres00002.jrs 01/29/2008 10:29 AM 14,696,488 ntds.dit 01/28/2008 02:54 PM 2,113,536 temp.edb 7 File(s) 58,761,256 bytes 2 Dir(s) 126,027,243,520 bytes free


QUESTION 17.

You need to receive an e-mail message whenever a domain user account is locked out.


A. Active Directory Administrative CenterB. Event ViewerC. Resource MonitorD. Security Configuration Wizard


Explanation/Reference:When an account lockout occurs, it generates a message in the event log.

QUESTION 18.

Your network contains an Active Directory domain named contoso.com. You have a management computernamed Computer1 that runs Windows 7.

You need to forward the logon events of all the domain controllers in contoso.com to Computer1.

All new domain controllers must be dynamically added to the subscription.

What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked

to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on

Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate

on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).


Explanation/Reference:Subscriptions

The following list describes the types of event subscriptions:

Source-initiated subscriptions: allows you to define an event subscription on an event collector computer without defining the event source computers . Multiple remote event source computers can then be set up(using a group policy setting) to forward events to the event collector computer. For more information, seeSetting up a Source Initiated Subscription. This subscription type is useful when you do not know or you do notwant to specify all the event sources computers that will forward events.

Collector-initiated subscriptions: allows you to create an event subscription if you know all the event sourcecomputers that will forward events. You specify all the event sources at the time the subscription is created. Formore information, see Creating a Collector Initiated Subscription.For either of these subscription types, only computers running the following platforms are allowed to be eventcollectors: Windows Server 2003 R2, Windows Vista with Service Pack 1 (SP1), or Windows Server 2008.

Computers that run on the following operating systems can be an event source: Windows XP with Service Pack2 (SP2), Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2),Windows Server 2003 R2, Windows Vista, Windows Vista with SP1, or Windows Server 2008.

http://technet.microsoft.com/en-us/query/bb427443

QUESTION 19.

Your network contains an Active Directory domain that has two sites.

You need to identify whether logon scripts are replicated to all domain controllers.

Which folder should you verify?

A. GroupPolicyB. NTDSC. SoftwareDistributionD. SYSVOL


Explanation/Reference:The System Volume (Sysvol) is a shared directory that stores the server copy of the domain's public files thatmust be shared for common access and replication throughout a domain. The Sysvol folder on a domaincontroller contains the following items:

Net Logon shares. These typically host logon scripts and policy objects for network client computers. User logon scripts for domains where the administra tor uses Active Directory Users and

Computers. Windows Group Policy. File replication service (FRS) staging folder and files that must be available and synchronized betweendomain controllers. File system junctions.

QUESTION 20.

You install a standalone root certification authority (CA) on a server named Server1.

You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the localcomputer's Trusted Root Certification Authorities store.

Which command should you run on Server1?

A. certreq.exe and specify the -accept parameterB. certreq.exe and specify the -retrieve parameterC. certutil.exe and specify the -dspublish parameterD. certutil.exe and specify the -importcert parameter



Exam K

QUESTION 1.

Your network contains an Active Directory forest. The forest contains two domains. You have a standalone rootcertification authority (CA).

On a server in the child domain, you run the Add Roles Wizard and discover that the option to select anenterprise CA is disabled.

You need to install an enterprise subordinate CA on the server.

What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domainB. an account that is a member of the Certificate Publishers group in the forest root domainC. an account that is a member of the Schema Admins group in the forest root domainD. an account that is a member of the Enterprise Admins group in the forest root domain


Explanation/Reference:Reason: Enterprise administrator privileges on the DNS, Active Directory, and CA servers. This is especiallyimportant because setup modifies information in numerous places, some of which require enterpriseadministrator privileges.

QUESTION 2.

You have an enterprise subordinate certification authority (CA). You have a group named Group1.

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must notbe allowed to revoke certificates.

What should you do?

A. Add Group1 to the local Administrators group.B. Add Group1 to the Certificate Publishers group.C. Assign the Manage CA permission to Group1.D. Assign the Issue and Manage Certificates permission to Group1.


Explanation/Reference:Reason : Only CA admin can Manage Certificate Revocation. "B" can only publish normal certificate template.

QUESTION 3.

You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recoveryagent certificates are issued.The CA is configured to use two recovery agents.

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

What should you do?

A. Add a data recovery agent to the Default Domain Policy.B. Modify the value in the Number of recovery agents to use box.C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.


Explanation/Reference:To identify a key recovery agent

Log on to the system as a Certification Authority Administrator.

Open Certification Authority.

In the console tree, click the name of the certification authority (CA).

Where?

Certification Authority (Computer)/CA name

On the Action menu, click Properties .

On the Recovery Agents tab, click Archive the key .

In the Number of recovery agents to use box, type the number of key recovery agentsthat will be used to encrypt the archived key.

Click Add to add key recovery agent certificates.

QUESTION 4.

You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardwaresecurity module.

You need to back up Active Directory Certificate Services on the CA.


A. certutil.exe backupB. certutil.exe backupdbC. certutil.exe backupkeyD. certutil.exe store

Correct Answer: A


Explanation/Reference:Certutil

Applies To: Windows Server 2008Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exeto dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

-back upBackup Active Directory Certificate Services


QUESTION 5.

You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template.

You need to ensure that all of the users in the domain automatically enroll for a certificate based on the customcertificate template.



A. In a Group Policy object (GPO), configure the autoenrollment settings.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.


Explanation/Reference:Deploy User Certificates Applies To: Windows Server 2008 R2You can use this procedure to configure the certificate template that Active Directory® Certificate Services (ADCS) uses as the basis for user certificates that are enrolled to members of the domain users group.Membership in both the Enterprise Admins group and the Domain Admins group of the root domain is theminimum required to complete this procedure.To configure the certificate template and autoenrol lment On the computer where Active Directory Certificate Services is installed, click Start , click Run , type mmc , andthen click OK.On the File menu, click Add/Remove Snap-in . The Add or Remove Snap-ins dialog box opens.In Available snap-ins , double-click Certification Authority . Select the certification authority (CA) that youwant to manage, and then click Finish . The Certification Authority dialog box closes, returning to the Add orRemove Snap-ins dialog box.In Available snap-ins , double-click Certificate Templates , and then click OK.In the console tree, click Certificate Templates . All of the certificate templates are displayed in the detailspane.In the details pane, click the User template.On the Action menu, click Duplicate Template . The Duplicate Template dialog box opens. Select thetemplate version appropriate for your deployment, and then click OK. The new template properties dialog box

opens.On the General tab, in Display Name , type a new name for the certificate template or keep the default name.Click the Security tab. In Group or user names , click Domain Users .In Permissions for Domain Users , under Allow , select the Enroll and Autoenroll permission check boxes,and then click OK.Double-click Certification Authority , double-click the CA name, and then click Certificate Templates . On theAction menu, point to New, and then click Certificate Template to Issue . The Enable Certificate Templatesdialog box opens.Click the name of the certificate template you just configured, and then click OK. For example, if you did notchange the default certificate template name, click Copy of User , and then click OK.On the computer where Active Directory Domain Services (AD DS) is installed, click Start , click Run , typemmc , and then click OK.On the File menu, click Add/Remove Snap-in . The Add or Remove Snap-ins dialog box opens.In the Add or Remove Snap-ins dialog box, in Available snap-ins , double-click Group Policy ManagementEditor . The Select Group Policy Object wizard opens. Click Browse , and then select Default DomainPolicy . Click OK, click Finish , and then click OK again.Click Default Domain Policy . Open User Configuration , then Policies , then Windows Settings , thenSecurity Settings , and then Public Key Policies .In the details pane, double-click Certificate Services Client - Auto-Enrollment . The Certificate ServicesClient - Auto-Enrollment Properties dialog box opens.In the Certificate Services Client - Auto-Enrollment Prope rties dialog box, in Configuration Model , selectEnabled .Select the Renew expired certificates, update pending certific ates, and remove revoked certificatescheck box.Select the Update certificates that use certificate templates check box, and then click OK.

QUESTION 6.

You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificatetemplate.

Users can enroll for certificates based on the custom certificate template by using the Certificates console.

The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template isavailable on the Web enrollment pages.

What should you do?

A. Run certutil.exe pulse.B. Run certutil.exe installcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.


Explanation/Reference:version 3 templates cannot be requested via web enrollment using the “out of box”certificate web enrollment pages.

QUESTION 7.

You have an enterprise subordinate certification authority (CA). You have a custom certificate template that hasa key length of 1,024 bits. The template is enabled for autoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the newtemplate.


A. Active Directory Administrative CenterB. Certification AuthorityC. Certificate TemplatesD. Group Policy Management



QUESTION 8.

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.The functional level of the domain is Windows Server 2003. You have a certification authority (CA).

The relevant servers in the domain are configured as shown in the following table:

Server name Operating system Server role

Server1 Windows Server 2003 Enterprise root CA

Server2 Windows Server 2008 Enterprise subordinate CA

Server3 Windows Server 2008 R2 Web Server

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate EnrollmentWeb Service on the network.

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.B. Upgrade Server2 to Windows Server 2008 R2.C. Raise the functional level of the domain to Windows Server 2008.D. Install the Windows Server 2008 R2 Active Directory Schema updates.


Explanation/Reference:Installation requirementsBefore installing the certificate enrollment Web services, ensure that your environment meets theserequirements:

A host computer as a domain member running Windows Server 2008 R2.

An Active Directory forest with a Windows Server 2008 R2 schema . See Prepare a Windows 2000 orWindows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or

Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).

An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, orWindows Server 2003.

If the Certificate Enrollment Web Service is configured for client certificate authentication, the CA must berunning Windows Server 2008 R2 or Windows Server 2008.

For enrollment across forests, the CA must be installed on a computer running Windows Server 2008 R2Enterprise or Windows Server 2008 R2 Datacenter. See Configuring Certificate Enrollment Web Servicesfor Enrollment Across Forest Boundaries.

Client computers running Windows 7 or Windows Server 2008 R2.

A Server Authentication certificate installed for HTTPS.

QUESTION 9

Your company has an Active Directory forest that contains multiple domain controllers. The domain controllersrun Windows Server 2008.You need to perform an an authoritative restore of a deleted organizational unit and its child objects.Which four actions should you perform in sequence? (To answer, move the appropriate four actions from thelist of actions to the answer area, and arrange them in the correct order.)


Correct Answer:

Section: Maintaining the AD EnvironmentExplanation


Exam L

QUESTION 1Your network contains an Active Directory domain named contoso.comThe properties of the contoso.com DNS zone are configured as shown in the exhibit. You need to update all service location (SRV) records for a domain controller in the domain.

What should you do?

Exhibit:

A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.


Explanation/Reference:The SRV resource records are registered by starting the Net Logon service, which enlists the records in theNetlogon.dns file under the % systemroot %\System32\config folder.

QUESTION 2Your network contains an Active Directory domain. The domain contains a group named Group1.The minimum password lenght for the domain is set to six characters.you need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other usersmust be able to use passwords that are six characters long.


A. Run the New-ADFineGrainedPasswordPolicy cmdlet.B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.C. From the Default Domain Policy, modify the password policy.D. From the Default Domain Controller Policy, modify the password policy.


Explanation/Reference:Important : For the fine-grained password and account lockout policies to function properly in a given domain,the domain functional level of that domain must be set to Windows Server 2008.

Instead of powershell you can also do it like this:Fine-Grained Passwords [Password policies per OU, Group or user]Adsi edit, cn=system, cn=password settings container, Right Mouse, new object, msds-passwordsettings, enter namePasswordsettings, enter values…ADUC adv, create group, goto system, Passwordsettings ,msDS-PSOAppliesTo, edit, enter the group.

QUESTION 3Your network contains an Active Directory domain.A user named User1 takes a leave of absence for one year.You need to restrict access to the User1 user account while User1 is away.

What should you do?

A. From the Default Domain Policy, modify the account lockout settings.B. From the Default Domain Controller Policy, modify the account lockout settings.C. From the properties of the user account, modify the Account options.D. From the properties of the user account, modify the Session settings.

Correct Answer: CSection: Maintaining the AD Environment

Explanation

Explanation/Reference:Account options:check account is disabled

QUESTION 4Your network contains 10 domain controllers that run Windows 2008 Server R2.The network contains a member server that is configured to collect all of the events that occur on the domaincontrollers.Your need to ensure that administrators are notified when a specific event occurs on any of the domaincontrollers. You want to achive the goal by using the minimum amount effort.What should you do?

A. From Event Viewer on the member server, create a subscription.B. From Event Viewer on each domain controller, create a subscription.C. From Event Viewer on the member server, run the Create Basic Task Wizard.D. From Event Viewer on each domain controller,run the Create Basic Task Wizard.


Explanation/Reference:Forwarded Events will be on the collector computer - the member server.

QUESTION 5Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.

What should you do first ?

A. At the command prompt, run net stop ntds.B. At the command prompt, run net stop netlogon.C. Restart DC1 in Safe Mode.D. Restart DC1 in Directory Services Restore Mode (DSRM).


Explanation/Reference:The local copy of the AD database must be taken offline before the defrag.

QUESTION 6Your company uses an application that stores data in an Active Directory Lightweight Directory Services (ADLDS) instance named instance1.You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)You need to ensure that you can take a snapshot of Instance1.What should you do?

Exhibit:

A. At the command prompt, run net start VSS.B. At the command prompt, run net start Instance1.C. Set the Start Type for the Instance1 service to Disabled.D. Set the Start Type for the Volume Shadow Copy Service (VSS) to Manual.

Correct Answer: ASection: Configuring AD LDSExplanation

Explanation/Reference:Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser)Step-by-Step Guide

Applies To: Windows Server 2008This guide shows how you can use an improved version of Ntdsutil and a new Active Directory® databasemounting tool in Windows Server® 2008 to create and view snapshots of data that is stored in Active DirectoryDomain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), without restarting thedomain controller or AD LDS server. A snapshot is a shadow copy—created by the Volume Shadow CopyService (VSS)—of the volumes that contain the Active Directory database and log files.


QUESTION 7Your network contains an Active Directory domain named contoso.com. All domain controllers and memberservers run Windows Server 2008. All client computers run Windows 7.From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings inthe Default Domain Policy Group Policy object (GPO).You discover that the audit policy is not applied to the member servers. The audit policy is applied to the clientcomputers.You need to ensure that the audit policy is applied to all member servers and all client computers.

What should you do?

A. Add a WMI filter to the Default Domain Policy GPOB. Modify the security settings of the Default Domain Policy GPOC. Configure a startup script that runs auditpol.exe on the member servers.D. Configure a startup script that runs auditpol.exe on the domain controllers.


Explanation/Reference:Advanced audit policy is a 2k8 R2 feature.After applying the policy, make sure "apply group policy" is enable . See screenshot below.

QUESTION 8Your network contains an Active Directory domain. The domain contains 1000 user accounts.You have a list that contains the mobile phone number of each userYou need to add the mobile number of each user to Active Directory.

What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exeB. Create a file that contains the mobile phone numbers, and then run csvde.exeC. From Adsiedit, select the CN=Users container, and then mofify the properties of the container.D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the

users.


Explanation/Reference:LDIFDE:Used mostly for changing a lot of user properties at once.

CSVDECANNOT move or modify an object

QUESTION 9Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way foresttrust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.Nwtraders.com contains a global group named G_Marketing. The Change share permission and the ModifyNTFS permissions for the Marketing folder are assigned to the G_Marketing group.Members of G_Marketing report that they cannot accesss the Marketing folder.You need to ensure that the G_Marketing members can accesss the folder from the network.

What should you do?

A. From Windows Explorer, modify the NTFS permissions of the folderB. From Windows Explorer, modify the share permissions of the folderC. From Active Directory Users and Computers, modify the computer object for Server1D. From Active Directory Users and Computers, modify the group object for G_Marketing


Explanation/Reference:Selective authentication over a forest trust restricts access to only those users in a trusted forest who havebeen explicitly given authentication permissions to computer objects (resource computers) that reside in thetrusting forest. To explicitly give authentication permissions to computer objects in the trusting forest to certainusers, Administrators must grant those users the Allowed to Authenticate permission in Active Directory. Formore information, see Grant the Allowed to Authenticate permission on computers in the trusting domain orforest.

To grant the Allowed to Authenticate permission on computers in the trusting domain or forestUsing the Windows interface1. Open Active Directory Users and Computers.2. In the console tree, click the Computers container or the container where your computer objects reside. 3. Right-click the computer object that you want users in the trusted domain or forest to access, and then click

Properties .4. On the Security tab, do one of the following:

In Group or user names , click the user names or group names for which you want to grant access to thiscomputer, select the Allow check box next to the Allowed to Authenticate permission, and then click OK.

Click Add . In Enter the object names to select , type the name of the user object or group object for whichyou want to grant access to this resource computer, and then click OK. Select the Allow check box next tothe Allowed to Authenticate permission, and then click OK.

QUESTION 10Your network contains an Active Directory domain named contoso.com. Contoso.com contains threeservers.The servers are configure as shown in the following table.

Server name Server role ServiceServer1 Certification authority (CA)Server2 Certificate Enrollment Web ServiceServer3 Certificate Enrollment Policy Web Service

You need to ensure that users can manually enroll and renew their certificates by using the CertificateEnrollment Web Service.

Which two actions should you perform? (Each corrent answer presents part of the solution. (Choose two).

A. Configure the policy module setting.B. Configure the issuance requirements for the certificate templates.C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.D. Configure the delegation setting for the Certification Enrollment Web Service application pool account.

Correct Answer: BCSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:Configuring Group Policy to Support the Certificate Enrollment Policy Web Service

Applies To: Windows Server 2008 R2Before client computers can use the Certificate Enrollment Policy Web Service, a Group Policy setting must beconfigured to provide the location of Web service to domain members.

A certification authority (CA) processes each certificate request by using a defined set of rules. The CA mayissue some certificates with no proof of identification and require proof of identification before other types ofcertificates are issued. This provides different levels of assurance for different certificates. These levels ofassurance are represented in certificates as issuance policies.

QUESTION 11Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Serever 2008 Standard.You need to install an enterprise subordinate certification authority (CA) that support private key archival. Youmust achieve this goal by using the minimum amount of administrative effort.What do you do first?

A. Initialize the Trusted Platform Module (TPM)B. Upgrade the member server to Windows Server 2008 R2 Standard.C. Install the Certificate Enrollment Policy Web Service role service on the member server.D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services -

Certification Authority server role template check box.



QUESTION 12Your company has four offices.The network contains a single Active Directory domain.Each office has a domain controller. Each office has an organitational unit (OU) that contains the user accountsfor the users in that office.In each office, support technicians perform basic troubleshooting for the users in their respective office.You need to ensure that the support technicians can reset the password for the user accounts in theirrespective office only. The solution must prevent the technicians from creating user accounts.What should you do?

A. Four each OU, run the Delegation of Control Wizard.B. For the domain, run the Delegation of Control Wizard.C. For each office, create an Active Directory group, and then modify the security setting for each group.D. For each office, create an Active Directory group, and then modify the ControlAccessRights attribute for

each group.


Explanation/Reference:Active Directory Object Type

Applies To: Windows Server 2008, Windows Server 2008 R2Control Details This folder, existing objectsin this folder, and creationof new objects in this folder

Select this option if you want to delegate full control ofthis folder and all its existing object contents, as well asany future objects that it might contain.

Only the following objects inthe folder

Select this option if you want to delegate control of onlyselected types of objects in this folder. The types ofobjects that are available are determined by the ActiveDirectory schema. For more information about specificobject types, see Active Directory Domain ServicesReference (http://go.microsoft.com/fwlink/?LinkId=80181).

Create selected objects inthis folder check box

Select this check box to create objects of the types thatare selected in the object type list.

Delete selected objects inthis folder check box

Select this check box to remove objects of the types thatare selected in the object type list.

QUESTION 13You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.What should you do?

A. Run defrag.exe /a /c.B. Run defrag.exe /c /u.C. Form Ntdsutil, use the Files option.D. From Ntdsutil, use the Metadata cleanup option.

Correct Answer: CSection: Configuring AD Backup-Restore

Explanation

Explanation/Reference:At the command prompt, type the following command, and then press ENTER:net stop ntds Type Y to agree to stop additional services, and then press ENTER.At the command prompt, type ntdsutil , and then press ENTER.At the ntdsutil prompt, type activate instance ntds , and then press ENTER.At the ntdsutil prompt, type files, and then press ENTER.If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to<drive>:\ <LocalDirectoryPath> (where <drive>:\ <LocalDirectoryPath> is the path to alocation on the local computer), and then press ENTER.

QUESTION 14Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers. The domain controllers are configured as show in the following table.------------------------------------------------------------------------------------------------------------------------------------- Server Server IP Address Server site-------------------------------------------------------------------------------------------------------------------------------------DC1 10.1.1.1/16 Default-First-Site-Name

DC2 10.1.1.2/16 Default-First-Site-Name-------------------------------------------------------------------------------------------------------------------------------------All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240You need to minimize the number of client authentication requests send to DC2.What should you do?

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign thesubnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign thesubnet to Site1. Move DC1 to Site1.

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign thesubnet to Site1. Move DC2 to Site1.

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign thesubnet to Site1. Move DC2 to Site1.

Correct Answer: CSection: AD Sites & ServicesExplanation

Explanation/Reference:This effectively isolates DC2 in its own site as far as Sites, Subnets, and Clients are concerned.

QUESTION 15Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zonefor contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com

The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com

Which two actions should you perform? (Each correct answers presents part of the solution. Choose two.)

Exhibit:

A. Create a zone delegation record in the contoso.com zoneB. Create a zone delegation record in the eu.contoso.com zoneC. Create an Active Directory-integrated zone for _msdsc.contoso.comD. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com

Correct Answer: ACSection: Configuring AD DNSExplanation


QUESTION 16Your network contains three Active Directory forest named Forest1, Forest2, and Forest3. Each forest containsthree domains.

A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 andForest3.

You need to configure the forest to meet the following requirements

Users in Forest3 must be able to access resources in Forest1.Users in Forest1 must be able to access resources in Forest3.The number of trusts must be minimized.

What should you do?

A. In Forest2, modify the name suffix routing settings.B. In Forest1 and Forest3, configure selective authentication.C. In Forest1 and Forest3, modify the name suffix routing settings.D. Create a two-way forest trust between Forest1 and Forest3.E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.

Correct Answer: DSection: Configuring Domains and TrustsExplanation

Explanation/Reference:Two Forest Trusts Between Three Windows Server 2003 Forests

In this example, a two-way transitive forest trust exists between the forest root domains in Forest 1 and Forest2, and another two-way transitive forest trust exists between the forest root domains in Forest 3 and Forest 2.This configuration allows:

Users in Forest 2 to access resources in any domain in either Forest 1 or Forest 3

Users in Forest 3 to access resources in any domain in Forest 2

Users in Forest 1 to access resources in any domain in Forest 2

This configuration does not allow users in Forest 1 to access resources in Forest 3 or vice versa. To allowusers in both Forest 1 and Forest 3 to share resources, a two-way transitive trust must be created between thetwo forests.


QUESTION 17Your network contains an Active Directory forest. The forest contains two domain controllers. The domaincontrollers are configured as shown in the following table.

Server name Server configuration-------------------------------------------------------------------------------------------------- Global catalog serverDC1 Schema master Domain naming master-------------------------------------------------------------------------------------------------- Primary domain controller (PDC) emulatorDC2 RID master Infrastructure master--------------------------------------------------------------------------------------------------

All client computers run Windows 7.

You need to ensure that all client computers in the domain keep the same time as an external time server.

What should you do?

A. From DC1, run the time command.B. From DC2, run the time command.C. From DC1, run the w32tm.exe command.D. From DC2, run the w32tm.exe command.


Explanation/Reference:This has to be run on PDC emulator.

Most domain member computers have a time client type of NT5DS, which means that theysynchronize time from the domain hierarchy. The only typical exception to this is the domaincontroller that functions as the primary domain controller (PDC) emulator operations masterof the forest root domain, which is usually configured to synchronize time with an externaltime source.

QUESTION 18Your network contains a single Active Directory domain named contoso.com.

An administrator accidentally deletes the _msdsc.contoso.com zone.

You recreate the _msdsc.contoso.com zone.

You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.

What should you do on each domain controller?

A. Restart the Netlogon service.B. Restart the DNS Server service.C. Run dcdiag.exe /fix.D. Run ipconfig.exe /registerdns.



QUESTION 19Active Directory Rights Management Services (AD RMS) is deployed on your network.

You need to configure AD RMS to use Kerberos authentication.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Register a service principal name (SPN) for AD RMS.B. Register a service connection point (SCP) for AD RMS.C. Configure the identity setting of the _DRMSAppPool1 application pool.D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.

Correct Answer: ADSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:Enable support for Kerberos authentication

Applies To: Windows Server 2008 R2If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, youmust take additional steps to configure the server running AD RMS after installing the AD RMS server role andprovisioning the server. Specifically, you must perform these procedures:

Set the Internet Information Services (IIS) useAppPoolCredentials variable to True

Set the Service Principal Names (SPN) value for the AD RMS service account


QUESTION 20Your network contains an Active Directory forest. The forest contains an Acitve Directory site for a remoteoffice. The remote site contains a read-only domain controller (RODC).

You need to configure the RODC to store only the password of users in the remote site.

What should you do?

A. Create a Paasword Settings object (PSO).B. Modify the Partial-Attribute-Set attribute of the forest.C. Add the users accounts of the remote site users to the Allowed RODC Password Replication Group.D. Add the users accounts of users who are not in the remote site to the Denied RODC Password Replication

Group.


Explanation/Reference:When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domaincontroller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be

permitted to cache a password. After the RODC receives an authenticated user or computer logon request, itrefers to the Password Replication Policy to determine if the password for the account should be cached. Thesame account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that areexplicitly denied from being cached. The list of user and computer accounts that are permitted to be cacheddoes not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticatethose accounts, even if the WAN link to the hub site is offline.

QUESTION 21Your network contains an Active Directory domain. All domain controller run Windows Server 2003.

You replace all domain controllers with domain controllers that run Windows Server 2008 R2.

You raise the functional level of the domain to Windows Server 2008 R2.

You need to minimize the amount of SYSVOL replication traffic on the network.

What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.B. Modify the path of the SYSVOL folder on all of the domain controllers.C. On a global catalog server, run repadmin.exe and specify the KCC parameter.D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run

dfsrmig.exe.


Explanation/Reference:Reason: Windows Server 2008 includes a command line tool called dfsrmig.exe which can be used byadministrators to control the process of migrating replication of the SYSVOL share from FRS to the DFSReplication service.

Windows Server 2008 ships a command line tool called ‘dfsrmig.exe’ which can be used by an administrator toinitiate migration of SYSVOL replication from FRS to the DFS Replication service. This tool essentially setsmigration related directives in Active Directory. Thereafter, on each of the domain controllers in the domain,when the DFS Replication service running polls Active Directory for configuration information, it notices thismigration directive and takes steps to migrate replication of SYSVOL to the DFS Replication service. Thefollowing section explains the various migration states that are possible during this migration process in moredetail.Thus migration directives are set only once (globally) and all domain controllers in the domain notice thisdirective and automatically take steps to attain the selected migration state, thus resulting in migration ofSYSVOL replication from FRS to the DFS Replication service.

http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx

Exam M

QUESTION 1Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Managements Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in thecontoso.com forestWhat should you do?

A. Create an external trust from contoso.com to nwtraders.com.B. Create an external trust from nwtraders.com to contoso.comC. Add a trusted user domain to the AD RMS cluster in the contoso.com domainD. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.


Explanation/Reference:Trusted User Domain

Applies To: Windows Server 2008, Windows Server 2008 R2By default, Active Directory Rights Management Services does not service requests from users whose RACswere issued by a different AD RMS cluster. However, you can add AD RMS domains to a list of trusted userdomains in an AD RMS cluster. This allows Active Directory Rights Management Services to process suchrequests.

A trusted user domain, often referred as a TUD, is a trust between AD RMS clusters that instructs a licensingserver to accept rights account certificates (the certificates identifying users) from another AD RMS server in adifferent Active Directory forest. An AD RMS trust is not the same as an Active Directory trust, but it is similar inthat it refers to the ability of one environment to accept identities from another environment as valid subjects.

As a TUD is a trust between AD RMS infrastructures, it requires that each forest (whether in the same companyor in different companies) has its own AD RMS infrastructure.

Using trusted user domains, AD RMS can process requests for use licenses from users whose rights accountcertificates were issued by an AD RMS installation in a different Active Directory forest; in other words, from adifferent certification cluster. Trusted user domains are added by importing the server licensor certificate, of theAD RMS installation to trust, to the trusting AD RMS installation.


QUESTION 2You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC)What should you do?

A. From Active Directory Users and Computers, modify the properties of the RODC computer objectB. Run the repadmin.exe command an specify the /prp parameterC. Run the dsrm.exe command and specify the -u parameterD. From Active Directory Sites an Services, modify the properties of the RODC computer object


Explanation/Reference:repadmin /prp

You can use this command to view or modify the PRP for an RODC. The PRP determines which accountpasswords are allowed to be cached on an RODC and which account are denied from being cached.

http://technet.microsoft.com/en-us/library/administer-prp-for-rodc-with-repadmin.exe%28WS.10%29.aspx#BKMK_PRP

To clear the authenticated accounts list

Open an elevated Command Prompt window using the credentials of a Domain Admin. To do this, click Start .In Start Search , type runas /user:<domainName>\<domainAdminAccountUser> c md, and then pressENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name ofa user account that is a member of the Domain Admins group in that domain.

To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all .Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list ofauthenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all , and then pressENTER.

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=WS.10).aspx

QUESTION 3Your network contains an Active Directory domain.

You need to back up all of the Group Policy objects (GPOs) Group Policy permissions, and Group Policy linksfor the domain.

What should you do?

A. From Windows PowerShell, run the Backup-GPO cmdlet.B. From Windows Server Backup, perform a system state backupC. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.D. From Group Policy Management Console (GPMC), back up the GPOs


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee461052.aspx

Detailed DescriptionThe Backup-GPO cmdlet backs up a specified GPO or all the GPOs in a domain to a backup directory

http://www.petri.co.il/backing-up-group-policy-objects.htmYou can also choose answer D, but in the answer it does not state "Back Up All" from Group Policy Objects!

QUESTION 4Your network contains an Active Directory forest. The forest contains one domain. The domain contains twodomain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 was installed before DC2.

DC1 fails

You need to ensure that you can add 1,000 new user accounts to the domain.

What should you do?

A. Seize the schema master FSMO role.B. Configure DC2 as a global catalog server.C. Seize the RID master FSMO roleD. Modify the permissions of the DC2 computer account


Explanation/Reference:RID masterThe RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in itsdomain. At any time, there can be only one domain controller acting as the RID master in each domain in theforest.Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique securityID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID,which is unique for each SID created in the domain.To move an object between domains (using Movetree.exe), you must initiate the move on the domain controlleracting as the RID master of the domain that currently contains the object.


QUESTION 5Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sitesnamed Site1 and Site2. Site1 contains a domain controller named DC1.

In Site1 , you install a new domain controller named DC2. You ship DC2 to Site2.

You discover that certain users in Site2 authenticate to DC1.

You need to ensure that the users in Site2 always attemp to authentcate to DC2 first.

What should you do?

A. From Active Dirctory Sites and Services, move the DC2 server object.B. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.C. From Active Directory Sites and Services, modify the Location attribute for Site2.D. From Active Directory Users and Computers, move the DC2 computer object.


Explanation/Reference:Servers (especially DCs) need to be in the correct site to accomplish this goal.

QUESTION 6Your company has a main office and four branch offices.

An Active Directory site exists for each office. Each site contains one domain controller. Each branch office sitehas a site link to the main office site.

You discover that the domain controllers in the branch offices sometimes replicate directly to each other.

You need to ensure that domain controllers in the branch offices only replicate to the domain controller in themain office.

What should you do?

A. Disable the Knowledge Consistency Checker (KCC) for each branch office site.B. Modify the firewall settings for the main office siteC. Modify the security settings for the main office siteD. Disable site link bridging


Explanation/Reference:Controlling replication failoverIf your organization has a hub-and-spoke network topology, you generally do not want the satellite sites tocreate replication connections to other satellite sites if all domain controllers in the hub site fail. In suchscenarios, you must disable Bridge all site links and create site link bridges so that replication connections arecreated between the satellite site and another hub site that is just one or two hops away from the satellite site.


QUESTION 7

Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack3 (SPP·) or Windows 7. All of the computer accounts for the client computers are located in an organizationalunit (OU) named OU1.

You link a new Group Policy object (GPO) named GPO10 to OU1.

You need to ensure that GPO10 is applied only to client computers that run Windows 7.

What should you do?

A. Enable block inheritance on OU1.B. Create a new OU in OU1. Move the Windows Xp computer accounts to the new OUC. Modify the permissions of OU1.D. Create a WMI filter and assign the filter to GPO10

Correct Answer: DSection: Configuring Group PolicyExplanation

Explanation/Reference:Creating WMI and Group Filters

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

When the network includes client computers that run a variety of Windows operating systems, two computers inthe same OU might require different settings to achieve the same configuration. For example, a computer thatis running Windows XP might require a different setting than a computer that is running Windows 7 or WindowsVista. Two GPOs would be required in that case, one to apply to computers that are running Windows XP, andone to apply to computers that are running the later versions of Windows.

There are also times when you cannot rearrange the computers in your AD OU hierarchy to let you link a GPOto OUs that contain only the computers to which you want the GPO to apply. So Group Policy also supportsusing access control lists (ACLs) to prevent the GPO from applying to any computer or user account that is notgranted permissions to the GPO.

There are two frequently used techniques used to make sure that GPOs only apply to the correct computers:

Add a Windows Management Instrumentation (WMI) filt er to the GPO . A WMI filter enables you tospecify criteria that must be matched before the linked GPO is applied to a computer. By letting you filter thecomputers to which the GPO applies, this reduces the need to further subdivide your OUs in ActiveDirectory. This technique is dynamic, in that the filter is evaluated when the computer attempts to apply thepolicy. So if you are filtering based on the version of Windows then upgrading the computer from WindowsXP to Windows 7 requires no changes to your GPO, because the filter will automatically recognize thechange and filter the computer’s access to the GPO accordingly.

Grant or deny the Apply Policy security permission in the ACL for the GPO. If you put your computers insecurity groups, you can then grant the Apply Policy permission to only the groups that should use theGPO.


QUESTION 8Your network contains an Active Directory forest. All client computers run Windows 7.

The network contains a high-volume enterprise certification authority(CA).

You need to minimize the amount of network bandwidth required to validate a certificate.

What should you do?

A. Configure an Online Certification Status Protocol (OSCP) responderB. Configure an LDAP publishing point for the certificate revocation list (CRL).C. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS)D. Modify the settings of the delta certificate revocation list (CRL)

Correct Answer: ASection: Configuring AD LDSExplanation

Explanation/Reference:CRLs

A CRL is a file, created and signed by a CA, that contains serial numbers of certificates that have been issuedby that CA and are revoked. In addition to the serial number for the revoked certificates, the CRL also containsthe revocation reason for each certificate and the time the certificate was revoked.Currently, two types of CRLs exist: base CRLs and delta CRLs. Base CRLs maintain a complete list of revokedcertificates while delta CRLs maintain only those certificates that have been revoked since the last publicationof a base CRL.The major drawback of CRLs is their potentially large size, which limits the scalability of the CRL approach. Thelarge size adds significant bandwidth and storage b urdens to the CA and relying party, and thereforelimits the ability of the system to distribute the CRL. Bandwidth, storage space, and CA processingcapacity can also be negatively affected if the pub lishing frequency gets too high . Numerous attemptshave been made to solve the CRL size issue through the introduction of partitioned CRLs, delta CRLs, andindirect CRLs. All these approaches have added complexity and cost to the system without providing an idealsolution to the underlying problem. Another drawback of CRLs is latency; because the CRL publishing period is predefined, information in the CRLmight be out of date until a new CRL or delta CRL is published.

OCSP

OCSP is a Hypertext Transfer Protocol (HTTP) that allows a relying party to submit a certificate status requestto an OCSP responder. This returns a definitive, digitally signed response indicating the certificate status. Theamount of data retrieved per request is constant re gardless of the number of revoked certificates in t heCA. Most OCSP responders get their data from published CRLs and are therefore reliant on the publishingfrequency of the CA. Some OCSP responders can, however, receive data directly from the CA's certificatestatus database and consequently provide near real-time status. Scalability is the major drawback of the OCSP approach. Since it is an online process and is designed torespond to single certificate status requests, it results in more server hits, requiring multiple and sometimesgeographically dispersed servers to balance the load. The response signing and signature verificationprocesses also take time, which can adversely affect the overall response time at the relying party. Finally,since the integrity of the signed response depends on the integrity of the OCSP responder's signing key, thevalidity of this key must also be verified after a response is validated by the client.


QUESTION 9Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 R2 Standard.

You need to create an enterprise subordinate certification authority (CA) that can issue certificates based onversion 3 certificate templates. You must achieve this goal by using the minimun amount of administrative effort.


A. Upgrade the member server to Windows Server 2008 R2 Enterprise.B. Disjoin the member server from the domain.

C. Run certutil.exe -addenrollmentserver.D. Install the Active Directory Certificate Services (AD CS) role on the member server.


Explanation/Reference:It appears there is a problem with this question. If the server was running 2008 (not R2) the answerwould be correct.

Version 3 certificate templatesIn addition to version 2 template features and autoenrollment, version 3 certificate templates provide support forSuite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specifycryptographic algorithms that must be used by U.S. government agencies to secure confidential information.Template availability

Windows Server 2008 R2, all editions

Windows Server 2008, Enterprise and Datacenter editions

QUESTION 10Your Network contains an Active Directory domain. You create and mount an Active Directory snapshot.You run the following command on the domain controller :dsamain.exe dbpath C:\Windows\NTDS\ntds.dit ldapport 54321 -allowNonAdminAccessand the command fails as shown in the exhibit. ( Click the Exhibit button ).You need to ensure that you can browse the contents of Active Directory snapshot. What should you do ?

Exhibit:

A. Change the value of the ldapport parameter, and then rerun dsamain.exe .B. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe .C. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe .D. Change the value of the dbpath parameter, and then rerun dsamain.exe .


Explanation/Reference:NOTE: THE COMPLETE COMMAND THAT YOU WILL SEE IN THE EXHIBIT (in the exam) IS :

dsamain.exe dbpath C:\Windows\NTDS\ntds.dit ldapport 54321 -allowNonAdminAccess

Now Take a look :To create a snapshot of the Active Directory database: ** Ntdsutil snapshot **

Command to mount (make active) a database snapshot. You can mount multiple snapshots. ** Ntdsutil mount **

Run the ** Dsamain.exe ** command to expose a snapshot as an LDAP server. This step allows you to connect to and

view the snapshot. With *Dsamain.exe *, you specify the path to the snapshot , along with a port number that will be used toconnect to the snapshot. But in the EXHIBIT , the path is the real Active Directory database path , notthe snapshot path .

Finally ,,Run the ** Ldp ** tool or Active Directory Users and Computers using the specified port to view the snapshot data.

QUESTION 11Your network contains an Active Directory domain named contoso.com.You need to audit changes to a service account .Which security policy setting should you configure ?

A. Audit Sensitive Privilege Use .B. Audit Directory Service Changes .C. Audit User Account Management .D. Audit Other Account Management Events .


Explanation/Reference:Audit User Account ManagementThis security policy setting determines whether the operating system generates audit events when the followinguser account management tasks are performed: * A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. * A user account password is set or changed. * Security identifier (SID) history is added to a user account. * The Directory Services Restore Mode password is set. * Permissions on accounts that are members of administrators groups are changed. * Credential Manager credentials are backed up or restored.This policy setting is essential for tracking events that involve provisioning and managing user accounts.


QUESTION 12Your network contains an Active Directory domain named contoso.com.The Adminisrator deletes an OU named OU1 accidentally.You need to restore OU1. Which cmdlet should you use ?

A. Set-ADObject cmdletB. Set-ADOrganizationalUnit cmdletC. Set-ADUser cmdletD. Set-ADGroup cmdlet


Explanation/Reference:Set-ADObjectModifies an Active Directory object.http://technet.microsoft.com/en-us/library/ee617254.aspx

Restore-ADObjectRestores an Active Directory object.http://technet.microsoft.com/en-us/library/ee617262.aspx

But you can use Get_ADObject with Restore-ADObject!Get-ADObject -Filter 'samaccountname -eq "kimabercrombie"' -IncludeDeletedObjects | Restore-ADObject

QUESTION 13Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance,HR, Marketing, Sales and Dev.

You link a Group Policy object named GPO1 to the domain as shown in the exhibit.You need to ensure that GPO1 is applied to users in Finance, HR, Marketing and Sales OUs.

The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do?

Exhibit:

A. Link GPO1 to the Finance OU.B. Modify the security settings of the Finance OU.C. Enforce GPO1.D. Modify the security settings of the Dev OU



the idea here is that the ! icon on the Finance OU is letting us know that inheritance of GPO1 is blocked. Youwould need to either remove the block (which makes more sense than the answer in this question) or establisha specific link to the policy to accomplish the goal of the question.

Let’s tackle “Block Inheritance” first. We’ve seen that, from a directory tree perspective,down the tree to the target objects, all GPOs are applied and settings configured there arecumulated – where settings contradict, the last writers win. There may be situations youdon’t want that. That’s what “Block Inheritance” is for. For example, we don’t want the IT-OUapply domain-level GPOs. We go right-click the “IT”-OU in GPMC and choose “BlockInheritance” from the context menu. Voilá! You see a blue exclamation mark on the OUicon. From now on, IT objects won’t be bugged with domain-level GPOs. GPOs from levelshigher than IT-OU will simply be ignored. Even GPOs from the same level, such asOULevel2-GPO, will. We’ve cut up-level administrators off.

http://blogs.technet.com/b/grouppolicy/archive/2010/01/07/tales-from-the-community-enforced-vs-block-inheritance.aspx

Exam N

QUESTION 1Your network contains an Active Directory domain. All DNS servers are domain controllers. You view theproperties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that only domain members can register DNS records in the zone. What should you do first?

A. Modify the zone type.B. Create a trust anchor.C. Modify the Advanced properties of the DNS server.D. Modify the Dynamic updates setting.

Correct Answer: ASection: Cooper Exam DExplanation

Explanation/Reference:Secure dynamic updatesFor Windows Server 2008, DNS update security is available only for zones tha t are integrated into ActiveDirectory . After you integrate a zone, you can use the access control list (ACL) editing features that areavailable in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for aresource record.By default, dynamic update security for Windows Server 2008–based DNS servers and clients is handled in thefollowing manner:

1. Windows Server 2008–based DNS clients try to use nonsecure dynamic updates first. If the nonsecureupdate is refused, clients try to use a secure update.

Also, clients use a default update policy that lets them to try to overwrite a previously registered resourcerecord, unless they are specifically blocked by update security.

2. By default, after a zone becomes Active Directory-integrated, Windows Server 2008–based DNS serversenable only secure dynamic updates.

By default, when you use standard zone storage, the DNS Server service does not enable dynamic updateson its zones. For zones that are either directory-integrated or use standard file-based storage, you canchange the zone to enable all dynamic updates. This enables all updates to be accepted by passing the useof secure updates.

QUESTION 2Your company has a single Active Directory forest with a single domain. Consultants in different departments ofthe company require access to different network resources. The consultants belong to a global group namedTempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The fileservers contain confidential data in shared folders. You need to prevent the consultants from accessing theconfidential data.

What should you do?

A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.Assign the Deny access to this computer from the network user right to the TempWorkers global group.

B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computerfrom the network user right to the TempWorkers global group.

C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full controlpermission for the TempWorkers global group on the share.

D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user rightto the TempWorkers global group.

E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.Assign the Deny log on locally user right to the TempWorkers global group.


Explanation/Reference:You would want to do this at the OU level using a GPO rather than at the domain level.

QUESTION 3Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functionallevel of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains twodomains. You need to ensure that users in contoso.com can access the resources in all domains. The solutionmust require the minimum number of trusts.

Which type of trust should you create?

A. externalB. forestC. realmD. shortcut

Correct Answer: BSection: Cooper Exam DExplanation


Explanation:

Well the right answer for this question is B.

A is wrong because need to create a trust where contoso.com domain users can access all the resources andExternal trust doesn't provide transitivity.

C is wrong because we donot have to establish trust between any non-Windows Kerberos V5 realm and aWindows Server 2008 domain.

D is wrong because shortcut trust are used within a forest to speed up inter-domain authentication.

Trust TypesYou can use the New Trust Wizard or the Netdom command-line tool to create four types of trusts: externaltrusts, realm trusts, forest trusts, and shortcut trusts. The following table describes these trust types.

Trusttype Transitivity

Direction Description

External Nontransitive

One-wayor two-way

Use external trusts to provide access to resources that are located on aWindows NT 4.0 domain or a domain that is located in a separate forest thatis not joined by a forest trust. For more information, see UnderstandingWhen to Create an External Trust.

Realm

Transitive ornontransitive

One-wayor two-way

Use realm trusts to form a trust relationship between a non-WindowsKerberos realm and a Windows Server 2008 or a Windows Server 2008 R2domain. For more information, see Understanding When to Create a RealmTrust.

Forest Transitive

One-wayor two-way

Use forest trusts to share resources between forests. If a forest trust is atwo-way trust, authentication requests that are made in either forest canreach the other forest. For more information, see Understanding When toCreate a Forest Trust.

Shortcut Transitive

One-wayor two-way

Use shortcut trusts to improve user logon times between two domains withina Windows Server 2008 or a Windows Server 2008 R2 forest. This is usefulwhen two domains are separated by two domain trees. For moreinformation, see Understanding When to Create a Shortcut Trust.

When you create external trusts, shortcut trusts, realm trusts, or forest trusts, you have the option to createeach side of the trust separately or both sides of a trust simultaneously.

If you choose to create each side of the trust separately, you must run the New Trust Wizard twice—once foreach domain. When you create trusts using the method, you must supply the same trust password for eachdomain. As a security best practice, all trust passwords should be strong passwords. For more information, seeStrong passwords (http://go.microsoft.com/fwlink/?LinkId=92697).

If you choose to create both sides of the trust simultaneously, you run the New Trust Wizard once. When youchoose this option, a strong trust password is automatically generated for you. You must have the appropriateadministrative credentials for the domains between which you are creating the trust.


QUESTION 4You install an Active Directory domain in a test environment.You need to reset the passwords of all the user accounts in the domain from a domain controller.

Which two Windows PowerShell commands should you run? (Each correct answer presents part of thesolution, choose two.)

A. $ newPassword = *B. Import-Module ActiveDirectory

C. Import-Module WebAdministrationD. Get- AdUser -filter * | Set- ADAccountPassword - NewPassword $ newPassword - ResetE. Set- ADAccountPossword - NewPassword - ResetF. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )G. Import-Module ServerManager

Correct Answer: DFSection: Cooper Exam DExplanation

Explanation/Reference:Explanation:

QUESTION 5Your network contains two forests named adatum.com and litwareinc.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a forest trust between adatum.com and litwareinc.com.


A. Create an external trust.B. Raise the functional level of both forests.C. Configure SID filtering.D. Raise the functional level of all the domains.


Explanation/Reference:Explanation: Forest trusts can be established when the forest and domain functional levels are set to Windows2003.

QUESTION 6Your network contains an Active Directory forest named adatum.com.All client computers used by the marketing department are in an organizational unit (OU) named MarketingComputers. All user accounts for the marketing department are in an OU named Marketing Users.

You purchase a new application.

You need to ensure that every user in the domain who logs on to a marketing department computer can use theapplication. The application must only be available from the marketing department computers.

What should you do?

A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to ashared folder on the network. Assign the application.

B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a shared folder on the network. Assign the application.

C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a local drive on each marketing department computer. Publish the application.

D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to afolder on each marketing department computer. Publish the application.

Correct Answer: B

Section: Cooper Exam DExplanation

Explanation/Reference:Explanation: Has to be done with a GPO assigned to the Marketing Computers. The GPO must point to ashared location where the users/computers have permissions.

QUESTION 7Your network contains an Active Directory forest named adatum.com.

You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you install before you create the AD RMS root cluster?

A. The Failover Cluster featureB. The Active Directory Certificate Services (AD CS) roleC. Microsoft Exchange Server 2010D. Microsoft SharePoint Server 2010E. Microsoft SQL Server 2008

Correct Answer: ESection: Cooper Exam DExplanation

Explanation/Reference:Deploying an AD RMS Licensing-only Cluster in a Tes t EnvironmentWe recommend that you first use the steps provided in this guide in a test lab environment.Step-by-step guides are not necessarily meant to be used to deploy Windows Serverfeatures without additional deployment documentation and should be used with discretionas a stand-alone document.Upon completion of this step-by-step guide, you will have a working AD RMS infrastructurewith an AD RMS licensing-only cluster. You can then test and verify AD RMS functionalityas follows:Restrict permissions on a Microsoft Office Word 2007 document

Have an authorized user open and work with the document.

Have an unauthorized user attempt to open and work with the document.

Licensing-only clusters are optional and are most often deployed to address specificlicensing requirements, such as supporting unique rights management requirements of adepartment. For instance, a group within your organization may require specific rights policytemplates that no other department can access.The test environment described in this guide includes six computers connected to a privatenetwork and using the following operating systems, applications, and services:ComputerName

Operating System Applications and Services

ADRMS-SRV Windows Server® 2008

AD RMS, Internet Information Services (IIS)7.0, World Wide Web Publishing Service, andMessage Queuing

CPANDWindows Server 2008 or Active Directory Domain Services or Active

L-DC Windows Server 2003 withService Pack 2 (SP2) Directory®, Domain Name System (DNS)

ADRMS-DB Windows Server 2003 with SP2Microsoft SQL Server® 2005 Standard Edition

with Service Pack 2 (SP2)ADRMS-CLNT

Windows Vista® Microsoft Office Word 2007 Enterprise Edition

CPANDL-ADRMSLIC

Windows Server 2008AD RMS, Internet Information Services (IIS)7.0, World Wide Web Publishing Service, andMessage Queuing

CPANDL-LICDB

Windows Server 2003 with SP2Microsoft SQL Server® 2005 StandardEdition with Service Pack 2 (SP2)

QUESTION 8Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains adomain controller named DC1.

You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource recordnamed Server1 to the zone. The target host of the record is server2.contoso.com.

When you ping Server1, you discover that the name fails to resolve. You are able to successfully pingserver2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone.


A. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domainB. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport forestC. DnscmdDCl.contoso.com/config/Enableglobalnamessupport 1D. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest

Correct Answer: CSection: Cooper Exam DExplanation

Explanation/Reference:Deploying a GlobalNames zoneThe specific steps for deploying a GlobalNames zone can vary somewhat, depending on the AD DS topology ofyour network.Step 1: Create the GlobalNames zoneThe first step in deploying a GlobalNames zone is to create the zone on a DNS server that is a domaincontroller running Windows Server 2008. The GlobalNames zone is not a special zone type; rather, it is simplyan AD DS-integrated forward lookup zone that is called GlobalNames. For information about creating a primaryforward lookup zone, see Add a Forward Lookup Zone.Step 2: Enable GlobalNames zone supportThe GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitlyenabled by using the following command on every authoritative DNS server in the forest: dnscmd <ServerName> /config /enableglobalnamessupport 1

QUESTION 9Your network contains an Active Directory domain named contoso.com.

The network has a branch office site that contains a read-only domain controller (RODC) named R0DC1.R0DC1 runs Windows Server 2008 R2.

A user logs on to a computer in the branch office site.

You discover that the user's password is not stored on R0DC1.

You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office sitecomputer.

What should you do?

A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC PasswordReplication Group.

B. Modify the RODC's password replication policy by adding R0DC1's computer account to the list of allowedusers, groups, and computers.

C. Add the user's user account to the built-in Allowed RODC Password Replication Group on R0DC1.D. Add R0DC1's computer account to the built-in Allowed RODC Password Replication Group on R0DC1.


Explanation/Reference:To cache a user password on the RODC server, the user must be on the Allowed list.

QUESTION 10You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1.You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

Which protocol should you allow on Server1?

A. KerberosB. SSLC. SMBD. RPC


Explanation/Reference:Uses port 443

QUESTION 11Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 R2 Standard.

You need to create an enterprise subordinate certification authority (CA) that can issue certificates based onversion 3 certificate templates.

You must achieve this goal by using the minimum amount of administrative effort.


A. Run the certutil.exe - addenrollmentserver command.B. Install the Active Directory Certificate Services (AD CS) role on the member server.C. Upgrade the member server to Windows Server 2008 R2 Enterprise.D. Run the certutil.exe - installdefaulttemplates command.


Explanation/Reference:Duplicate: The server must run 2008 Enterprise or DataCenter or any 2008R2 version.

QUESTION 12Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1.An administrator changes the password of the user account that is used by AD RMS. You need to update ADRMS to use the new password.


A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Local Users and GroupsD. Services


Explanation/Reference:Duplicate

QUESTION 13Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standardprimary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WANlink fails.

What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.B. Create a new stub zone named ad.contoso.com on DC2.C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Correct Answer: DSection: Cooper Exam DExplanation

Explanation/Reference:Duplicate - if you want to update records in the branch office as well, this needs to be an AD-integrated zone.

QUESTION 14Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted FileSystem (EFS) certificates.

You need to archive the private key for all new EFS certificates.

Which snap-in should you use?

A. Active Directory Users and ComputersB. Authorization ManagerC. Group Policy ManagementD. Enterprise PKIE. Security TemplatesF. TPM ManagementG. CertificatesH. Certification AuthorityI. Certificate Templates

Correct Answer: HSection: Cooper Exam DExplanation

Explanation/Reference:Enable Key Archival for a CA Applies To: Windows Server 2008 R2Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled forthe key recovery certificate and be registered as the recovery agent for the certification authority (CA).You must be a CA administrator to complete this procedure. For more information, see Implement Role-BasedAdministration.

To enable key archival for a CA 1. Open the Certification Authority snap-in.

QUESTION 15HOTSPOT


You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

To answer, select the appropriate node in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:IP Address to FQDN resolution requires a Reverse Lookup Zone.

QUESTION 16HOTSPOT

Your network contains an Active Directory forest.

The DNS infrastructure fails.

You rebuild the DNS infrastructure.

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

To answer, select the appropriate service in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:The Netlogon service would be involved with this.

QUESTION 17HOTSPOT

Your network contains an Active Directory forest named contoso.com.

The password policy of the forest requires that the passwords for all of the user accounts be changed every 30days.

You need to create user accounts that will be used by services. The passwords for these accounts must bechanged automatically every 30 days.

Which tool should you use to create these accounts?

To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:Creating a Managed Service Account

Applies To: Windows Server 2008 R2This topic explains how to use the Active Directory module for Windows PowerShell to create a managedservice account. Managed service accounts are used to run various services for applications that are operatingin your domain environment.Example 1The following example demonstrates how to create a service account, SQL-SRV1, in the container ManagedService Accounts in the Fabrikam.com domain:New-ADServiceAccount -Name SQL-SRV1 -Path "CN=Manag ed ServiceAccounts,DC=FABRIKAM,DC=COM"

QUESTION 18HOTSPOT

You need to modify the Password Replication Policy on a read-only domain controller (RODC).


To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:To view the PRP using Active Directory Users and Co mputersOpen Active Directory Users and Computers. To open Active Directory Users and Computers, click Start . InStart Search , type dsa.msc , and then press ENTER.Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the detailspane, right-click the Active Directory Users and Computers object, and then click Change Domain . Expand Domain Controllers , right-click the RODC account object for which you want to modify the PRP, andthen click Properties .Click the Password Replication Policy tab.

QUESTION 19DRAG DROP

Your network contains an Active Directory forest named adatum.com. The forest contains four child domainsnamed europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com.

You need to create four new groups in the forest root domain. The groups must be configured as shown in thefollowing table.

What should you do?

To answer, drag the appropriate group type to the correct group name in the answer area.

Select and Place:

Correct Answer:


Explanation/Reference:Groupscope

Group can include asmembers…

Group can be assignedpermissions in…

Group scope can beconverted to…

Universal

Accounts from any domainwithin the forest in which thisUniversal Group resides

Global groups from anydomain within the forest inwhich this Universal Groupresides

Universal groups from anydomain within the forest inwhich this Universal Groupresides

Any domain or forest

Domain local

Global (as long as noother universal groupsexist as members)

Global

Accounts from the samedomain as the parent globalgroup

Global groups from thesame domain as the parentglobal group

Member permissions can beassigned in any domain

Universal (as long asit is not a member ofany other globalgroups)

Domainlocal

Accounts from any domain

Global groups from any

Member permissions can beassigned only within the samedomain as the parent domain

Universal (as long asno other domain localgroups exist as

domain

Universal groups from anydomain

Domain local groups butonly from the same domainas the parent domain localgroup

local group members)

QUESTION 20HOTSPOT


You need to create a new site link between two sites named Site1 and Site3. The site link must support thereplication of domain objects.

Under which node in Active Directory Sites and Services should you create the site link?

To answer, select the appropriate node in the answer area

Point and Shoot:

Correct Answer:


Explanation/Reference:To create a site link Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start , clickAdministrative Tools , and then click Active Directory Sites and Services .In the console tree, right-click the intersite transport protocol that you want the site link to use.Where? Active Directory Sites and Services\Sites\Inter-Site Transports\IP or SMTP

Click New Site Link .In Name, type the name for the site link.In Sites not in this site link , click a site to add to the site link, and then click Add . Repeat to add more sites tothe site link. To remove a site from the site link, in Sites in this link , click the site, and then click Remove .When you have added the sites that you want to be connected by this site link, click OK.


Your network contains an Active Directory forest named contoso.com. The forest contains a domain controllernamed DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runsWindows Server 2008 R2 Standard.

You have a computer named Computer1 that runs Windows 7. Computer1 is not connected to the network.You need to join Computer1 to the contoso.com domain.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

Select and Place:

Correct Answer:


Explanation/Reference:Performing an offline domain join using different physical computers

To perform an offline domain join using physical computers, you can complete the following steps. The best

practice in this case is to have one domain controller, one domain-joined computer to use as a provisioningserver, and one client computer that you want to join to the domain.On the provisioning server, open an elevated command prompt. To open an elevated Command Promptwindow, click Start , point to All Programs , click Accessories , right-click Command Prompt , and then clickRun as administrator .

Type the following command to provision the computer account: djoin /provision /domain <domain to be joined> /mac hine <name of the destinationcomputer> /savefile blob.txt

Copy the blob.txt file to the client computer.

On the client computer, open an elevated command prompt, and then type the following command to requestthe domain join:

djoin /requestODJ /loadfile blob.txt /windowspath % SystemRoot% /localos

QUESTION 22HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named Server1. Server1 has an IP address of 192.168.200.100.

You need to view the Pointer (PTR) record for Server1.Which zone should you open in the DNS snap-in to view the record?

To answer, select the appropriate zone in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:the corresponding in-addr.arpa zone would be 200.168.192, assuming a default subnet of /24s

Exam O

QUESTION 1Your network contains an Active Directory domain.

You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy linksfor the domain.

What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the Backup-GPO cmdlet.


Explanation/Reference:There is quite a bit of discussion regarding this question. It seems A is incorrect as that back-up does notinclude the links. Many think D is correct, but others do not think this backup would have any more informationthan the GPMC backup. Found one blog entry that thinks that only the system state backup would include all ofthe required parameters.

QUESTION 2Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the DirectoryServices Restore Mode (DSRM) password on the domain controller. Which tool should you use?

A. NtdsutilB. DsamainC. Active Directory Users and ComputersD. Local Users and Groups


Explanation/Reference:set DSRM password

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2008Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRMAdministrator Password: prompt, type any of the parameters listed under “Syntax.”This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built intoWindows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active DirectoryDomain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.Dsmgmt is available if you have the AD LDS server role installed. Reset Password on server %s

http://technet.microsoft.com/en-us/library/cc754363 (v=WS.10).aspx

QUESTION 3Your network contains an Active Directory forest. All client computers run Windows 7.

The network contains a high-volume enterprise certification authority (CA).

You need to minimize the amount of network bandwidth required to validate a certificate.

What should you do?

A. Configure an LDAP publishing point for the certificate revocation list (CRL).B. Configure an Online Certification Status Protocol (OCSP) responder.C. Modify the settings of the delta certificate revocation list (CRL).D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).


Explanation/Reference:Duplicate OSPF does this.

QUESTION 4Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance,HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in theexhibit. (Click the Exhibit button.)

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solutionmust prevent GPO1 from being applied to users in the Dev OU. What should you do?

A. Enforce GPO1.B. Modify the security settings of the Dev OU.

C. Link GPO1 to the Finance OU.D. Modify the security settings of the Finance OU.


Explanation/Reference:Duplicate - the idea here is that the ! icon on the Finance OU is letting us know that inheritance of GPO1 isblocked. You would need to either remove the block (which makes more sense than the answer in thisquestion) or establish a specific link to the policy to accomplish the goal of the question.

Let’s tackle “Block Inheritance” first. We’ve seen that, from a directory tree perspective,down the tree to the target objects, all GPOs are applied and settings configured there arecumulated – where settings contradict, the last writers win. There may be situations youdon’t want that. That’s what “Block Inheritance” is for. For example, we don’t want the IT-OUapply domain-level GPOs. We go right-click the “IT”-OU in GPMC and choose “BlockInheritance” from the context menu. Voilá! You see a blue exclamation mark on the OUicon. From now on, IT objects won’t be bugged with domain-level GPOs. GPOs from levelshigher than IT-OU will simply be ignored. Even GPOs from the same level, such asOULevel2-GPO, will. We’ve cut up-level administrators off.

http://blogs.technet.com/b/grouppolicy/archive/2010/01/07/tales-from-the-community-enforced-vs-block-inheritance.aspx

QUESTION 5Your network contains an Active Directory domain. The domain contains an organizational unit (OU) namedOU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed serviceaccounts from being deleted accidentally from OU1. Which cmdlet should you use?

A. Set-ADUserB. Set-ADOrganizationalUnitC. Set-ADServiceAccountD. Set-ADObject


Explanation/Reference:Set-ADObjectModifies an Active Directory object.SyntaxCopy Set-ADObject [-Identity] <ADObject> [-Add <hashtabl e>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Pro tectedFromAccidentalDeletion<System.Nullable[bool]>] [-Remove <hashtable>] [-Re place <hashtable>] [-AuthType{<Negotiate> | <Basic>}] [-Credential <PSCredential >] [-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [- WhatIf] [<CommonParameters>]

ProtectedFromAccidentalDeletion

QUESTION 6Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writabledomain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllersrun Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remotesite. The solution must minimize the amount of replication traffic that occurs during the installation of ActiveDirectory Domain Services (AD DS) on DC3. What should you do first?

A. Run dcpromo.exe /createdcaccount on DC3.B. Run ntdsutil.exe on DC2.C. Run dcpromo.exe /adv on DC3.D. Run ntdsutil.exe on DC1.


Explanation/Reference:Active Directory Installation Wizard

You can run the Active Directory Installation Wizard from the command line, or from the Configure Your ServerWizard. You can also install Active Directory using an unattended setup script called an answer file.When running the wizard from the command line, you can append the /adv switch to the dcpromo commandto populate the directory using a backup of system state data from another domain controller in the samedomain. Installing from backup media reduces the amount of data that must be replicated over thenetwork, thus reducing the time required to install Active Directory.

QUESTION 7Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers areconfigured as global catalog servers.

You remove the global catalog role from a domain controller named DC5.

You need to reclaim the hard disk space used by the global catalog on DC5.

What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).B. From Active Directory Sites and Services, modify the general properties of DC5.C. From Ntdsutil, use the Semantic database analysis option.D. From Ntdsutil, use the Files option.


Explanation/Reference:Use the ntdsutil files compact command to perform an offline defragmentation of the Active Directorydatabase

QUESTION 8A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone aredomain controllers.You add multiple DNS records to the zone.

You need to ensure that the new records are available on all DNS servers as soon as possible.


A. LdpB. RepadminC. NtdsutilD. NslookupE. Active Directory Sites And Services consoleF. Active Directory Domains And Trusts consoleG. DnslintH. Dnscmd


Explanation/Reference:Explanation: http://technet.microsoft.com/en-us/library/cc778513(WS.10).aspx

Dnscmd.exe: DNS Server Troubleshooting ToolThis command-line tool assists administrators in Domain Name System (DNS) management.DNSCmd displays and changes the properties of DNS servers, zones, and resource records. It manuallymodifies these properties, creates and deletes zones and resource records, and forces replication eventsbetween DNS server physical memory and DNS databases and data files. Some operations of this tool work atthe DNS server level while others work at the zone level.

QUESTION 9You have a DNS zone that is stored in a custom application partition. You need to add a domain controller tothe replication scope of the custom application partition. Which tool should you use?

A. DNScmdB. DNS ManagerC. Server ManagerD. Dsmod


Explanation/Reference:To change zone replication scope using the command line Open a command prompt. To open an elevated Command Prompt window, click Start , point to All Programs ,click Accessories , right-click Command Prompt , and then click Run as administrator .At a command prompt, type the following command, and then press ENTER: dnscmd <ServerName> /ZoneChangeDirectoryPartition < ZoneName> <NewPartitionName>

QUESTION 10Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has theActive Directory Certificate Services (AD CS) role installed. You configure a certificate template namedTemplate1 for autoenrollment. You discover that certificates are not being issued to any client computers. Theevent logs on the client computers do not contain any autoenrollment errors. You need to ensure that all of theclient computers automatically receive certificates based on Template1. What should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).B. Modify the Default Domain Controllers Policy Group Policy object (GPO).C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.D. Restart Certificate Services on Server1.


Explanation/Reference:Use the Group Policy Management Console to configure user autoenrollment policy settings, and use theCertificate Templates snap-in to configure autoenrollment settings on the certificate template. To automatically enroll client computers for certificates in a domain environment, you must:

Configure an autoenrollment policy for the domain .

Configure certificate templates for autoenrollment.

Configure an enterprise CA.

QUESTION 11Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) roleinstalled.

You need to perform an automated installation of an AD LDS instance.


A. Dism.exeB. Servermanagercmd.exeC. Adaminstall.exeD. Ocsetup.exe


Explanation/Reference:At the command prompt, type the following command, and then press ENTER: %systemroot%\ADAM\ adaminstall.exe /answer:drive:\<pathname>\<filename>.txt"

Where drive:\<pathname>\<filename>.txt represents the drive, path, and file name of your answerfile. (The command requires the quotation marks.)

QUESTION 12Your network contains an Active Directory domain named contoso.com. A partner company has an ActiveDirectory domain named nwtraders.com.

The networks for contoso.com and nwtraders.com connect to each other by using a WAN link.

You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on theInternet.


A. Modify the Trusted Root Certification Authorities store.B. Modify the Intermediate Certification Authorities store.C. Create conditional forwarders.D. Add a root hint to the DNS server.


Explanation/Reference:Conditional forwarder will allow for the resolution of DNS records between the two domains.

QUESTION 13Your network contains an Active Directory forest. The forest contains multiple domains.

You need to ensure that users in the human resources department can search for employees by using theemployeeNumber attribute.

What should you do?

A. From Active Directory Sites and Services, modify the properties of each global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the user object class.C. From Active Directory Sites and Services, modify the NTDS Settings objectof each global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.


Explanation/Reference:Indexed attributesDirectory searches for attributes that are indexed are more efficient than searches for attributes that are notindexed. Attributes are indexed when the least significant bit in their searchFlags attribute is set to the value 1.Changing the value of the bit to 1 dynamically builds an index; changing the value to 0 or deleting it removes anindex for the attribute in question. The index is built automatically by a background thread on the directoryserver.The values for indexed attributes are stored in a sorted list. This makes searching much more efficient becausethe system needs to search only until it locates the area in the list where the value should be, based on the sort.If the value is not there, the system can assume it will not find the value anywhere else in the list, and it canterminate the search. When attributes are not indexed, the entire list must be searched to determine whether ornot a particular value actually exists.Indexing requires more storage to maintain the lists, but it makes searching more efficient. Nonindexedattributes are less efficient to search, but they require less storage to maintain. With this in mind, only attributesthat are frequently referenced should be indexed. Ideally, indexed attributes are single-value attributes withunique values that are evenly distributed across the set of instances. Multivalue attributes can be indexed, butbuilding the index requires more storage and updating.

searchFlags

The searchFlags property of each property’s attributeSchema object defines whether a property is indexed andother behavior.The seven currently defined bits for this attribute are:1 = Index over attribute only2 = Index over container and attribute4 = Add this attribute to the ambiguous name resolution (ANR) set (should be used in conjunction with 1)8 = Preserve this attribute on logical deletion (that is, make this attribute available on tombstones)

16 = Include this attribute when copying a user object32 = Create a Tuple index for the attribute to improve medial searches64 = Reserved for future use; value should be 0.128 = Available in Windows Server 2003 Service Pack 1 (SP1) only. Mark the attribute confidential(CONTROL_ACCESS is required to read it).

QUESTION 14Your network contains a single Active Directory domain. The domain contains an enterprise certificationauthority (CA).

You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database.

You modify the e-mail certificate template to support key archival.


A. Issue the key recovery agent certificate template.B. Run certutil.exe -recoverkey.C. Run certreq.exe-policy.D. Modify the location of the Authority Information Access (AIA) distribution point.


Explanation/Reference:Microsoft 70-640 Examrecoverkey as this recovers archived keys but e-mail certificate Explanation: Not certutil.exetemplate does not have key archival by default.

QUESTION 15Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that thezone includes DNS records for computers that were removed from the network. You need to ensure that theDNS records are deleted automatically from the zone. What should you do?

A. From DNS Manager, set the aging properties.B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.D. Create a scheduled task that runs ipconfig.exe /flushdns.


Explanation/Reference:To enable the aging and scavenging features, you perform the following steps to configure the applicableserver and any of its zones that are integrated with Active Directory Domain Services (AD DS):Enable aging and scavenging for the DNS server.

These settings determine the effect of zone-level properties for any zones that are integrated with AD DS andloaded at the server.

Enable aging and scavenging for specified zones on the DNS server.

When you set zone-level properties for a specified zone, these settings apply only to that zone and its resourcerecords. Unless you otherwise configure these zone-level properties, they inherit their default settings fromcomparable settings that AD DS maintains in the aging and scavenging properties for the DNS server.

QUESTION 16Your network contains a domain controller that runs Windows Server 2008 R2.

You run the following command on the domain controller:

dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C ldapport 389 -allowNonAdminAccess

The command fails. You need to ensure that the command completes successfully.

How should you modify the command?

A. Change the value of the -dbpath parameter.B. Include the path to Dsamain.C. Change the value of the -ldapport parameter.D. Remove the CallowNonAdminAccess parameter.


Explanation/Reference:The ldapport parameter has to be set to a different value as this is on of the default ports used by AD DS on theDC.

Since dsamain.exe exposes Active Directory data that is stored in a snapshot or backup as a LightweightDirectory Access Protocol (LDAP) server, it cannot use the port that is already in use.

QUESTION 17Your network contains an Active Directory domain. The domain contains 10 domain controllers that runWindows Server 2008 R2.

You need to monitor the following information on the domain controllers during the next five days:

- Memory usage- Processor usage- The number of LDAP queries

What should you do?

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.B. Use the System Performance Data Collector Set (DCS).C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.D. Use the Active Directory Diagnostics Data Collector Set (DCS).


Explanation/Reference:Creating a data collector set to monitor the 10 DCs AD properties from the same location would be efficient.


Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named

RODC1.

You need to view the most recent user accounts authenticated by RODC1.


A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click ReplicateNow.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click ReplicateNow.

C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, andthen connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, andthen connect to RODC1.


Explanation/Reference:Unless the user passwords are cached on the RODC, authentication takes place through the the DC.

QUESTION 19Your network contains an Active Directory domain. The domain contains 3,000 client computers.All of the client computers run Windows 7.

Users log on to their client computers by using standard user accounts.

You plan to deploy a new application named App1.

The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run.

You need to deploy App1 to all client computers. The solution must meet the following requirements:

- App1 must automatically detect and replace corrupt application files.- App1 must be available from the Start menu on each client computer.


A. Create a logon script that calls Setup.exe for App1.B. Create a .zap file.C. Create a startup script that calls Setup.exe for App1.D. Repackage App1 as a Windows Installer package.


Explanation/Reference:Repackaging Applications for Windows Installer

When you cannot reauthor a package to use Windows Installer, you might want to repackage it. Repackagingan application for Windows Installer involves taking a snapshot of a clean computer (including the registrysettings, files, and system settings), installing the software, and then taking a post-installation snapshot of thecomputer. The repackaging software detects the difference between the two snapshots, and then creates thenecessary instructions to reproduce the installation. If any registry changes, files changes, or system settingchanges occur during the capture process, they are included in the installation. You use repackaging when you

do not have control over DLL files, source code, and registry entries, or for applications about which you do nothave in-depth knowledge.

Use this method only as a last resort when you need to repackage an application into an .msi. It is easy tounderestimate the cost of repackaging in terms of labor hours. Also, users often set their expectations too highfor the reliability of repackaged applications. Repackaging requires a thorough knowledge of the application’sinstallation program and of the Windows Installer setup on the Windows platform.

Success with repackaging is affected by the state of the computer where you perform the repackaging. For bestresults, always perform a repackaging by using a clean computer. For the purpose of repackaging, a cleancomputer is defined as a computer that has only the operating system and operating system service packsinstalled before you run the repackaging software. Because of this limitation, and other issues, repackaging isnot recommended.


Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1.

In Site1, you install a new domain controller named DC2. You ship DC2 to Site2.

You discover that certain users in Site2 authenticate to DC1.You need to ensure that the users in Site2 always attempt to authenticate to DC2 first.

What should you do?

A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.B. From Active Directory Sites and Services, modify the Location attribute for Site2.C. From Active Directory Sites and Services, move the DC2 server object.D. From Active Directory Users and Computers, move the DC2 computer object.


Explanation/Reference:Need to change DC2 to site 2 in AD Sites and Services.


Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in theexhibit. (Click the Exhibit button.)

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable.

You need to configure Server2 as an enterprise subordinate CA.


A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.B. Log in as an administrator and run Server Manager.C. Import the root CA certificate.D. Join Server2 to the domain.


Explanation/Reference:To be an Enterprise CA (even a subordinate) the server must be joined to the domain, at least as a memberserver.

QUESTION 22Your network contains an Active Directory domain. The domain contains an enterprise certification authority(CA).

You need to ensure that only members of a group named Admin1 can create certificate templates.

Which tool should you use to assign permissions to Admin1?

A. the Certification Authority consoleB. Active Directory Users and ComputersC. the Certificates snap-inD. Active Directory Sites and Services


Explanation/Reference:The rest of these options do not have the ability to do this.

Exam P


You need to ensure that all of the members of a group named Group1 can view the event log entries forCertificate Services.


A. Certificate TemplatesB. Certification AuthorityC. Authorization ManagerD. Active Directory Users and ComputersE. TPM ManagementF. Security TemplatesG. Group Policy ManagementH. Enterprise PKII. Certificates


Explanation/Reference:There is mention of an Event Log Reader Group. Membership should be able to be configured in AD Usersand Groups. Check this answer.


You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificatetemplate


A. Enterprise PKIB. TPM ManagementC. CertificatesD. Active Directory Users and ComputersE. Authorization ManagerF. Certification AuthorityG. Group Policy ManagementH. Security TemplatesI. Certificate Templates

Correct Answer: ISection: Cooper Exam DExplanation

Explanation/Reference:Templates can be configured with such permissions.


You have a custom certificate template named Template 1. Template1 is published to the CA.

You need to ensure that all of the members of a group named Group1 can enroll for certificates that useTemplate1.


A. Security TemplatesB. Enterprise PKIC. Certification AuthorityD. Certificate TemplatesE. CertificatesF. TPM ManagementG. Authorization ManagerH. Group Policy ManagementI. Active Directory Users and Computers




You need to approve a pending certificate request.


A. Active Directory Users and ComputersB. Authorization ManagerC. Certification AuthorityD. Group Policy ManagementE. Certificate TemplatesF. TPM ManagementG. CertificatesH. Enterprise PKII. Security Templates



QUESTION 5Your network contains an Active Directory domain named adatum.com.

You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

A. Reverse Lookup ZonesB. adatum.comC. Forward Lookup ZonesD. Conditional ForwardersE. _msdcs.adatum.com



QUESTION 6Your network contains an Active Directory domain named adatum.com. The domain contains a domaincontroller named DC1. DC1 has an IP address of 192.168.200.100.

You need to identify the zone that contains the Pointer (PTR) record for 0C1.

Which zone should you identify?

A. adatum.comB. _msdcs.adatum.comC. 100.168.192.in-addr.arpaD. 200.168.192.in-addr.arpa



QUESTION 7Your network contains an Active Directory forest named adatum.com.

The DNS infrastructure fails.

You rebuild the DNS infrastructure.You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

A. NetlogonB. DNS ServerC. Network Location AwarenessD. Network Store Interface ServiceE. Online Responder Service


Explanation/Reference:Duplicate

QUESTION 8Your network contains an Active Directory domain named adatum.com.

The password policy of the domain requires that the passwords for all user accounts be changed every 50days.

You need to create several user accounts that will be used by services. The passwords for these accountsmust be changed automatically every 50 days.

Which tool should you use to create the accounts?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. Active Directory Module for Windows PowerShellD. ADSI EditE. Active Directory Domains and Trusts


Explanation/Reference:PowerShell should be able to set such attributes.

QUESTION 9Your network contains an Active Directory domain. The domain contains several domain controllers. You needto modify the Password Replication Policy on a read-only domain controller (RODC).Which tool should you use?

A. Group Policy ManagementB. Active Directory Domains and TrustsC. Active Directory Users and ComputersD. Computer ManagementE. Security Configuration Wizard


Explanation/Reference:To view the PRP using Active Directory Users and Co mputers

Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start . InStart Search , type dsa.msc , and then press ENTER.Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the detailspane, right-click the Active Directory Users and Computers object, and then click Change Domain . Expand Domain Controllers , right-click the RODC account object for which you want to modify the PRP, andthen click Properties .Click the Password Replication Policy tab.

QUESTION 10Your network contains an Active Directory forest. The forest contains domain controllers that run WindowsServer 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain isWindows Server 2008.

From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).


A. Raise the functional level of the forestB. Modify the tombstone lifetime of the forest.C. Restore the system state.D. Raise the functional level of the domain.


Explanation/Reference:The first task is to backup the current state of the DC (just in case everything blows up during this procedure). After that restore the back of the system state before the deletion.

QUESTION 11Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.

You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to User objects.

You need to ensure that Attribute1 is included in the global catalog.

What should you do?

A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User

objects.C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the

forest.


Explanation/Reference:To Make Modifications Using Active Directory Schema MMC Snap-InClick the Attributes folder in the snap-in.In the right pane, scroll down to the desired attribute, right-click it, and then click Properties .Click to select the Replicate this attribute to the Global Catalog check box.Click OK.

QUESTION 12Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the ActiveDirectory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances namedInstance1 and Instance2.

You need to remove Instance2 from Server1 without affecting Instance1.


A. NTDSUtilB. DsdbutilC. Programs and Features in the Control Panel

D. Server Manager


Explanation/Reference:Remove an AD LDS Instance

Applies To: Windows Server 2008You can use this procedure to remove an Active Directory Lightweight Directory Services (AD LDS) instance.Membership in the local Administrators group, or equivalent, is the minimum required to complete thisprocedure. Review details about using the appropriate accounts and group memberships at Local and DomainDefault Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To remove an AD LDS instanceTo open Programs and Features , click Start , click Settings , click Control Panel , and then double-clickPrograms and Features .Locate and click the AD LDS instance that you want to remove.Click Uninstall .


QUESTION 13Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to compact the Active Directory database.

What should you do?

A. Run the Get-ADForest cmdlet.B. Configure subscriptions from Event Viewer.C. Run the eventcreate.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (OCS).E. Create a Data Collector Set (DCS).F. Run the repadmin.exe command.G. Run the ntdsutil.exe command.H. Run the dsquery.exe command.I. Run the dsamain.exe command.J. Create custom views from Event Viewer.

Correct Answer: GSection: Cooper Exam DExplanation

Explanation/Reference:At the command prompt, type the following command, and then press ENTER:net stop ntds Type Y to agree to stop additional services, and then press ENTER.At the command prompt, type ntdsutil , and then press ENTER.At the ntdsutil prompt, type activate instance ntds , and then press ENTER.At the ntdsutil prompt, type files , and then press ENTER.If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to<drive>:\ <LocalDirectoryPath> (where <drive>:\ <LocalDirectoryPath> is the path to alocation on the local computer), and then press ENTER.


You need to collect all of the Directory Services events from all of the domain controllers and store the events ina single central computer.

What should you do?

A. Run the ntdsutil.exe command.B. Run the repodmin.exe command.C. Run the Get-ADForest cmdlet.D. Run the dsamain.exe command.E. Create custom views from Event Viewer.F. Run the dsquery.exe command.G. Configure the Active Directory Diagnostics Data Collector Set (DCS),H. Configure subscriptions from Event Viewer.I. Run the eventcreate.exe command.J. Create a Data Collector Set (DCS).


Explanation/Reference:Event Viewer subscription would be correct.

QUESTION 15Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Youneed to receive a notification when more than 100 Active Directory objects are deleted per second.

What should you do?

A. Create custom views from Event Viewer.B. Run the Get-ADForest cmdlet.C. Run the ntdsutil.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (DCS).E. Create a Data Collector Set (DCS).F. Run the dsamain.exe command.G. Run the dsquery.exe command.H. Run the repadmin.exe command.I. Configure subscriptions from Event Viewer.J. Run the eventcreate.exe command.

Correct Answer: ESection: Cooper Exam DExplanation

Explanation/Reference:Creating a collector set would work.


You need to create a snapshot of Active Directory.

What should you do?

A. Run the dsquery.exe command.B. Run the dsamain.exe command.C. Create custom views from Event Viewer.D. Configure subscriptions from Event Viewer.E. Create a Data Collector Set (DCS).F. Configure the Active Directory Diagnostics Data Collector Set (DCS).G. Run the repadmin.exe command.H. Run the ntdsutil.exe command.I. Run the Get-ADForest cmdlet.J. Run the eventcreate.exe command.


Explanation/Reference:Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser)Step-by-Step Guide

Applies To: Windows Server 2008This guide shows how you can use an improved version of Ntdsutil and a new Active Directory® databasemounting tool in Windows Server® 2008 to create and view snapshots of data that is stored in Active DirectoryDomain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), without restarting thedomain controller or AD LDS server. A snapshot is a shadow copy—created by the Volume Shadow CopyService (VSS)—of the volumes that contain the Active Directory database and log files.


You mount an Active Directory snapshot.

You need to ensure that you can query the snapshot by using LDAP.

What should you do?

A. Run the dsamain.exe command.B. Create custom views from Event Viewer.C. Run the ntdsutil.exe command.D. Configure subscriptions from Event Viewer.E. Run the Get-ADForest cmdlet.F. Create a Data Collector Set (DCS).G. Run the eventcreate.exe command.H. Configure the Active Directory Diagnostics Data Collector Set (DCS).I. Run the repadmin.exe command.J. Run the dsquery.exe command.



The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for yourorganization by providing a means to compare data as it exists in snapshots that are taken at different times sothat you can better decide which data to restore after data loss. This eliminates the need to restore multiplebackups to compare the Active Directory data that they contain


Your network contains an Active Directory domain named adatum.com.

You need to use Group Policies to deploy the line-of-business applications shown in the following table.

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Select and Place:

Correct Answer:


Explanation/Reference:You can use Group Policy to distribute computer programs by using the following methods: Assigning SoftwareYou can assign a program distribution to users or computers. If you assign the program to a user, it is installedwhen the user logs on to the computer. When the user first runs the program, the installation is finalized. If youassign the program to a computer, it is installed when the computer starts, and it is available to all users wholog on to the computer. When a user first runs the program, the installation is finalized. Publishing SoftwareYou can publish a program distribution to users. When the user logs on to the computer, the published programis displayed in the Add or Remove Programs dialog box, and it can be installed from there.

QUESTION 19HOTSPOT

Your network contains an Active Directory forest named contoso.com. All client computers run Windows 7Enterprise.

You need automatically to create a local group named PowerManagers on each client computer that contains abattery. The solution must minimize the amount of administrative effort.

Which node in Group Policy Management Editor should you use?

To answer, select the appropriate node in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:Would be a GPO applied to a computer.


Your network contains two forests named contoso.com and fabrikam.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that users fromcontoso.com can only access the servers in fabrikam.com that have the Allowed to Authenticate permissionset.

What should you do?


Select and Place:

Correct Answer:


Explanation/Reference:In this case the forest functional levels need to be at 2003 or higher, and a forest trust should be established. Selective authentication would also be needed.

External trusts are usually for NT domains or LDAP connections.


Your network contains an Active Directory forest named contoso.com.

You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you do?


Select and Place:

Correct Answer:




Your company has a main office and a branch office. All servers are located in the main office.

The network contains an Active Directory forest named adatum.com. The forest contains a domain controllernamed MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer thatruns Windows Server 2008 R2 Standard.

You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connectedto the network.

You need to join Public_Computer to the adatum.com domain.

What should you do?


Select and Place:

Correct Answer:


Explanation/Reference:These are the steps for to pre-join a computer to the domain.

Exam Q

QUESTION 1Company has servers on the main network that run Windows Server 2008. It also has two domain controllers.Active Directory services are running on a domain controller named CKDC1. You have to perform criticalupdates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to performoffline critical updates on CKDC1 without rebooting the server?

A. Start the Active Directory Domain Services on CKDC1B. Disconnect from the network and start the Windows update featureC. Stop the Active Directory domain services and install the updates. Start the Active Directory domain

services after installing the updates.D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect

againE. None of the above

Correct Answer: CSection: Configuring AD InfrastructureExplanation


QUESTION 2Your company asks you to implement Windows Cardspace in the domain. You want to use WindowsCardspace at your home. Your home and office computers run Windows Vista Ultimate. What should you dotocreate a backup copy of Windows Cardspace cards to be used at home?

A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB driveB. Backup \Windows\Globalization folder by using backup status and save the folder onyour USB driveC. Back up the system state data by using backup status tool on your USB driveD. Employ Windows Cardspace application to backup the data on your USB drive.E. Reformat the C: DriveF. None of the above



QUESTION 3Company has an active directory forest on a single domain. Company needs a distributed application thatdeploys a custom application. The application is directory partition software named PARDAT. You need toimplement this application for data replication. Which two tools should you use to achieve this task? (Choosetwo answers.Each answer is a part of a complete solution)

A. DnscmdB. NtdsutilC. IpconfigD. DnsutilE. All of the above

Correct Answer: AB

Section: Powershell & Command line cmdsExplanation


QUESTION 4Company has an Active Directory forest with six domains. The company has 5 sites. The company requires anew distributed application that uses a custom application directory partition named ResData for datareplication. The application is installed on one member server in five sites. You need to configure the fivemember servers to receive the ResData application directory partition for data replication. What should you do?

A. Run the Dcpromo utility on the five member servers.B. Run the Regsvr32 command on the five member serversC. Run the Webadmin command on the five member serversD. Run the RacAgent utilityon the five member servers

Correct Answer: ASection: Configuring AD InfrastructureExplanation


QUESTION 5Your company has a main office and three branch offices. Each office is configured as a separate ActiveDirectory site that has its own domain controller. You disable an account that has administrative rights. Youneed to immediately replicate the disabled account information to all sites. What are two possible ways toachieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. From the Active Directory Sites and Services console, configure all domain controllers as global catalogservers.

B. From the Active Directory Sites and Services console, select the existing connection objects and forcereplication.

C. Use Repadmin.exe to force replication between the site connection objects.D. UseDsmod.exe to configure all domain controllers as global catalog servers.

Correct Answer: BCSection: AD Sites & ServicesExplanation


QUESTION 6ABC.com has a network that consists of a single Active Directory domain. A technician has accidently deletedan Organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in process ofrestoring the OU. You need to execute a non-authoritative restore before an authoritative restore of the OU.Which backup should you use to perform non-authoritative restore of Active Directory Domain Services (ADDS) without disturbing other data stored on domain controller?

A. Critical volume backupB. Backup of all the volumesC. Backup of the volume that hosts Operating systemD. Backup of AD DS foldersE. all of the above

Correct Answer: ASection: Configuring AD Backup-RestoreExplanation


QUESTION 7You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensurethat data and log files are backed up regularly. This will also ensure the continued availability of data toapplications and users in the event of a system failure. Because you have limited media resources, you decidedto backup only specific ADLDS instance instead of taking backup of the entire volume. What should you do toaccomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files ofAD LDS

B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instanceC. Move AD LDS database and log files on a separate volume and use windows server backup utilityD. None of the above

Correct Answer: BSection: Configuring AD LDSExplanation


Exam R

QUESTION 1Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured asan Active Directory Federation Services (AD FS) 2.0 standalone server. You plan to add a new token-signingcertificate to Server1. You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.You need to ensure that you can use the new certificate for AD FS. What should you do?

Exhibit:

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.C. From the properties of the certificate, modify the Certificate purposes setting.D. Import the certificate to the local computer personal certificate store.

Correct Answer: DSection: Configuring AD Federated ServicesExplanation


QUESTION 2Your company has two Active Directory forests named contoso.com and fabrikam.com. The company networkhas three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in thefollowing table.

All computers that belong to the fabrikam.com domain have DNS3 configured as thepreferred DNS server. All

other computers use DNS1 as the preferred DNS server. Users from the fabrikam.com domain are unable toconnect to the servers that belong to the contoso.com domain. You need to ensure users in the fabrikam.comdomain are able toresolve all contoso.com queries. What should you do?

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.



QUESTION 3You had installed Windows Server 2008 on a computer andconfigured it as a file server, named FileSrv1. TheFileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance andperformance you want to configure Redundant Array of Independent Disks (RAID) 0 +1 on FileSrv1. Whichutility you will use to convert basic disks to dynamic disks on FileSrv1?

A. Diskpart.exeB. Chkdsk.exeC. Fsutil.exeD. Fdisk.exeE. None of the above



QUESTION 4The corporate network of Company consists of a Windows Server 2008 single Active Directory domain. Thedomain has two servers named Company 1 and Company 2. To ensure central monitoring of events youdecided to collect all the events on one server, Company 1. To collect events from Company 2. and transferthem to Company 1, you configured the required event subscriptions. You selected the Normal option for theEvent delivery optimization setting by using the HTTP protocol. However, you discovered that none of thesubscriptions work. Which of the following actions would you perform to configure the event collection andevent forwarding on the two servers? (Select three. Each answer is a part of the complete solution).

A. Through Run window execute the winrm quickconfig command on Company 2.B. Through Run window execute the wecutil qc command on Company 2.C. Add the Company 1 account to the Administrators groupon Company 2.D. Through Run window execute the winrm quickconfig command on Company 1.E. Add the Company 2 account to the Administrators group on Company 1.F. Through Run window execute the wecutil qc command on Company 1.

Correct Answer: ACFSection: Maintaining the AD EnvironmentExplanation


QUESTION 5Exhibit:

Company servers run Windows Server 2008. It has asingle Active Directory domain. A server called S4 has fileservices role installed. You install some disk for additional storage. The disks are configured as shown in theexhibit above. To support data stripping with parity, you have to create a new drive volume. What should you doto achieve this objective?

A. Build a new spanned volume by combining Disk0 and Disk1B. Create a new Raid-5 volume by adding another disk.C. Create a new virtual volume by combining Disk 1 and Disk 2D. Build a new striped volume by combining Disk0 and Disk 2

Correct Answer: BSection: Configuring AD InfrastructureExplanation


QUESTION 6ABC.com has a software evaluation lab. There is a server in the evaluation lab named as CKT. CKT runsWindows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on anisolated virtual segment to evaluate software. To connect to the internet, it uses physical network interface card.ABC.com requires every server in the company to access Internet. ABC.com security policy dictates that the IPaddress space used by software evaluation lab must not be used by other networks. Similarly, it states the IPaddress space used by other networks should not be used by the evaluation lab network.As an administratoryou find you that the applications tested in the software evaluation lab need to access normal network toconnect to the vendors update servers on the internet. You need to configure all virtual servers on the CKTserver to access the internet. You also need to comply with company's security policy. Which two actionsshould you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution)

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on eachvirtual server

B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS)C. Use ABC.com intranet IP addresses on all virtual servers on CKT.

D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface andcreate a new virtual network.

E. None of the above

Correct Answer: ADSection: Maintaining the AD EnvironmentExplanation


QUESTION 7Your company has an Active Directory domain. The company has purchased 100 new computers. You want todeploy the computers as members of the domain. You need to create the computer accounts in an OU.Whatshould you do?

A. Run the csvde -f computers.csv commandB. Run the ldifde -f computers.ldf commandC. Run the dsadd computer <computerdn> commandD. Run the dsmod computer <computerdn> command


Explanation/Reference:The -f switch creates an export file.Dsmod will not create computer accounts.

QUESTION 8Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domaincontrollers. You add multiple DNS records to the zone. You need to ensure that the records are replicated to allDNS servers. Which tool should you use?

A. DnslintB. LdpC. NslookupD. Repadmin



QUESTION 9You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remotelocation. The remote location doesn't have proper physical security. You need to activate non-administrativeaccounts passwords on that RODC server. Which of the following action should be considered to populate theRODC server with non-administrative accounts passwords?

A. Delete all administrative accounts from the RODC's groupB. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group

Policy Object (GPO)C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied

groupD. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the

security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.E. None of the above



QUESTION 10Your company has an Active Directory forest that contains two domains, The forest has universal groups thatcontain members from each domain, A branch office has a domain controller named DC1, Users at the branchoffice report that the logon process takes too long, You need to decrease the amount of time it takes for thebranch office users to logon, What should you do?

A. Configure DC1 as a Global Catalog server,B. Configure DC1 as a bridgehead server for the branch office site,C. Decrease the replication interval on the site link that connects the branch office to the corporate network,D. Increase the replicationinterval on the site link that connects the branch office to the corporate network.



QUESTION 11The Company has a Windows 2008 domain controller server. This server is routinely backed up over thenetwork from a dedicated backup server that is running Windows 2003 OS. You need to prepare the domaincontroller for disaster recovery apart from the routine backup procedures. You are unable to launch the backuputility while attempting to back up the system state data for the data controller. You need to backup systemstate data from the Windows Server 2008 domain controller server. What should you do?

A. Add your user account to the local Backup Operators groupB. Install the Windows Server backup feature using the Server Manager feature.C. Install the Removable Storage Manager feature using the Server Manager featureD. Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the

Windows 2003 server.E. None of the above



QUESTION 12Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers runWindows Server 2008 and the DNS server role. All computers, including no domain members, dynamicallyregister their DNS records. You need to configure the intranet.adatum.com zone to allow only domain membersto dynamically register DNS records. What should you do?

A. Set dynamic updates to Secure Only.B. Remove the Authenticated Users group.C. Enable zone transfers to Name Servers.D. Deny the Everyone group the Create All Child Objects permission.



QUESTION 13Your company has a main office and a branch office that are configured as a single Active Directory forest. Thefunctional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003domain controllers in the main office. You need to ensure that you are able to deploy a read-only domaincontroller (RODC) at the branch office. Which two actions should you perform? (Each correct answer presentspart of the solution. Choose two.)

A. Raise the functional level of the forest to Windows Server 2008.B. Deploy a Windows Server 2008 domain controller at the main office.C. Raise the functional level of the domain to Windows Server 2008.D. Run the adprep/rodcprep command.

Correct Answer: BDSection: Configuring Additional AD Server RolesExplanation


QUESTION 14Your company, Contoso, Ltd., has offices in North America and Europe. Contoso has an Active Directory forestthat has three domains. You need to reduce the time required to authenticate users from thelabs.eu.contoso.com domain when they access resources in the eng.n a.contoso.com domain. What shouldyou do?

A. Decrease the replication interval for all Connection objects.B. Decrease the replication interval for the DEFAULTIPSITELINK site link.C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.

Correct Answer: CSection: Configuring AD InfrastructureExplanation


QUESTION 15Your company uses shared folders. Users are granted access to the shared folders by using domain localgroups. One of the shared folders contains confidential data. You need to ensure that unauthorized users arenot able to access the shared folder that contains confidential data. What should you do?

A. Enable the Do not trust this computer fordelegation property on all the computers of unauthorized users by

using the Dsmod utility.B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control

permission on the shared folders that hold the confidentialdata for the Guest account.C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to

the Deny DLG group. Configure the Allow Full control permission on the shared folder that hold theconfidential data forthe Deny DLG group.

D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorizedusers in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that holdthe confidential data for theDeny DLG group.

Correct Answer: DSection: Creating & Maintaining AD ObjectsExplanation


QUESTION 16You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. Ithas an Active Directory domain. You have installed a software application on the servers. As soon as theapplication is installed, one of the member servers shuts down itself. To trace and rectify the problem, youcreate a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdownsand identify the cause of it. What should you do to perform this task?

A. Link the GPO to the domain and enable System Events optionB. Link the GPO to the domain and enable Audit Object Access optionC. Link the GPO to the Domain Controllers and enable Audit Object Access optionD. Link the GPO to the Domain Controllers and enable Audit Process tracking optionE. Perform all of the above actions



QUESTION 17Your company has an Active Directory domain. All servers run Windows Server. You deploy a CertificationAuthority (CA) server. You create a new global security group named CertIssuers. You need to ensure thatmembers of the CertIssuers group can issue, approve, and revoke certificates.What should you do?

A. Assign the Certificate Manager role to the CertIssuers groupB. Place CertIssuers group in the Certificate Publisher groupC. Run the certsrv -add CertIssuers command promt of the certificate serverD. Run the add -member-membertype memberset CertIssuers command by usingMicrosoft Windows

Powershell



QUESTION 18You need to remove the Active Directory Domain Services role from a domain controller named DC1.What should you do?

A. Run the netdom remove DC1 command.B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.C. Run the nltest /remove_server: DC1 command.D. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility.



QUESTION 19One of the remote branch offices of Company branch is running a Windows Server 2008 having ready onlydomain controller (RODC) installed. For security reasons you don't want some critical credentials like(passwords,encryption keys) to be stored on RODC. What should you do so that these credentials are notreplicated to any RODC's in the forest? (Select 2)

A. Configure RODC filtered attribute set on the serverB. Configure RODC filtered set on the server that holds Schema Operations Master role.C. Delegate local administrative permissions for an RODC to any domain user without granting that user any

user rights for the domainD. Configure forest functional level server for Windows server 2008 to configure filtered attribute set.E. None of the above

Correct Answer: BDSection: Maintaining the AD EnvironmentExplanation


QUESTION 20Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Clientcomputers running Windows XP and Windows Vista. All domain controllers are running Windows server 2008.

Exhibit BServers-----------------------Operating system-------------------RoleCompany_DC1------------Windows server 2008--------------Domain controllerCompany _DC2-----------Windows server 2008--------------Domain controllerCompany _SRV5---------Windows server 2008--------------File and Print server

You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents,spreadsheets and to provide user authentication. What do you need to configure, in order to complete thedeployment of AD RMS?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _DC1C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _SRV5

E. None of the above




Microsoft.TestKing.70-640.v2012-03-15.by - GRATIS EXAM · Version Windows Server 2003, Windows...

Documents

Transcript of Microsoft.TestKing.70-640.v2012-03-15.by - GRATIS EXAM · Version Windows Server 2003, Windows...