70-640 Sample Test Questions

Microsoft (70-640) TS: Windows Server 2008 Active Directory, Configuring

Question ID : rrMS_70-640-010

______________________________________________________________________________________________________________________________________________

Your network includes one domain controller running Windows Server 2008. It is configured with an Active Directory-Integrated zone for stayandsleep.com. You have installed the Server Core installation on DC2 and promoted the server to a domain controller for the stayandsleep.com domain.

You need to configure DC2 to resolve names for computers in the stayandsleep.com domain.

What should you do?

1. Execute the following commands:start /w ocsetup DNS-Server-Core-Rolednscmd /zoneadd stayandsleep.com /dsprimary

<Correct>

2. Use Computer Manager to add the DNS Server role.Use Server Manager to create an Active Directory-Integrated zone.

3. Execute the following commands:dcpromo.exe /DNS-Server-Core-Rolednscmd /zoneadd stayandsleep.com

4. Use Server Manager to add the DNS Server role.Use DNS Manager to create an Active Directory-Integrated zone.

Explanation :You should execute the following commands:

start /w ocsetup DNS-Server-Core-Rolednscmd /zoneadd stayandsleep.com /dsprimary

The Server Core installation must be managed from the command line. You use the ocsetup command to add roles to the server. You use the dnscmd command with the /zoneadd option to add a zone to the DNS server role. The /dsprimary option adds an Active Directory-Integrated zone.

You should not execute the following commands:

dcpromo.exe /DNS-Server-Core-Rolednscmd /zoneadd stayandsleep.com

The dcpromo.exe command launches the Active Directory Domain Controller Installation Wizard, which cannot be run on Server Core installations. The dcpromo command must be used with an unattended installation file on Server Core installations. The /DNS-Server-Core-Role option is not a valid option for the dcpromo.exe utility. Also, you must specify the /dsprimary option to create an Active Directory-Integrated zone.

You should not use Server Manager to add the DNS Server role and use DNS Manager to create an Active Directory-Integrated zone. Server Manager is used to manage roles, but only on a full installation of Windows Server 2008, not on a Server Core installation.

You should not use Computer Manager to add the DNS Server role and use Server Manager to create an Active Directory-Integrated zone. Computer Manager and Server Manager cannot be used on a Server Core installation.

Objective:Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):Configure DNS server settings.

References :Lesson 2: Configuring and Managing Server Core

Course 6415A

Server Core Installation Option of Windows Server 2008 Step-By-Step GuideWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/47a23a74-e13c-46de-8d30-ad0afb1eaffc1033.mspx?mfr=true

Dnscmd SyntaxMicrosoft TechNetLink: http://technet2.microsoft.com/WindowsServer/en/Library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx


Question ID : niit9MS_70-640-096

______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization.

On one server, you install Active Directory Domain Services (AD DS), Active Directory Certificates Services (AD CS), Active Directory Federation Services (AD FS), and Active Directory Lightweight Directory Services (AD LDS).

You need to perform offline defragmentation of the Active Directory database on this computer.

What should you do before performing offline defragmentation?

1. Select the Always perform incremental backup radio button in the Optimize Backup Performance window from the Windows Server Backup snap-in.

2. Perform disk cleanup from the Windows Server Backup snap-in.

3. Perform a system state backup from the Windows Server Backup snap-in. <Correct>

4. Perform a differential backup from the Windows Server Backup snap-in.

Explanation :You should perform a system state backup before starting offline defragmentation of the Active Directory database. In Windows Server 2008, you cannot perform a system state backup in the same manner as it was done in Windows Server 2003 or Windows Server 2000. In Windows Server 2008, you cannot back up only system state data; you must back up critical volumes, and then you can back up system state data. The critical volumes include:

* The system volume, which hosts the boot files * The boot volume, which hosts the Windows operating system and registry

You do not need to perform disk cleanup. Disk cleanup removes temporary files, empties the Recycle Bin, and removes unnecessary files. You do not need to perform disk cleanup before executing offline defragmentation.

You should not select the Always perform incremental backup radio button. This will configure Windows Server Backup to perform an incremental backup each time a backup is performed. An incremental backup is a change-only backup that will only back up files that have changed since the backup of any type. It does not perform a full system state backup and is, therefore, not required before performing an offline defragmentation of the Active Directory database.

You need not perform a differential backup. A differential backup is a change-only backup that saves only those files that have changed since the last full backup. It does not perform a full system state backup.

Objective:Maintaining the Active Directory Environment

Sub Objective(s):Perform offline maintenance.

References :Windows Server 2008 Restartable AD DS Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx

What Are Restartable AD DS?Course 6043



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. You install Active Directory Certificate Services (AD CS) on a Windows Server 2008 computer named Server1. You configure Server1 as a Certification Authority (CA) to issue certificates to all domain users for smart card logon.

You need to validate the real-time revocation status of certificates issued to all domain users. You need to keep cost to a minimum.

What should you do?

1. Use Online Certificate Status Protocol (OCSP) responses. <Correct>

2. Use a Certification Revocation List (CRL).

3. Use a Delta Certification Revocation List (CRL).

4. Use an Online Responder array.

Explanation :You should use OCSP responses. An Online Responder provides revocation status information for certificates issued by a single CA or multiple CAs. Certificate status responses from Online Responders are also referred to as OCSP responses. OCSP uses Hypertext Transfer Protocol (HTTP). It allows a relying party to submit a certificate status request to an OCSP responder. In addition to using OCSP responses, you can also use CRLs and delta CRLs to validate the revocation status of certificates. The recommended scenarios for using OCSP responses include:

* Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate revocation checking* Smart card logon* Enterprise Secure/Multipurpose Internet Mail Extensions (S/MIME)* Extensible Authentication Protocol (EAP)/TLS-based Virtual Private Network (VPN)

OCSP responders usually get their data from published CRLs and are therefore reliant on the publishing frequency of the CA. However, OCSP responders can be configured to receive data directly from the CA's certificate status database, which provides near real-time status. OCSP responders do not provide information about all certificates that have been revoked or suspended. This information is provided by a CRL.

You should not use a CRL or delta CRL. A CRL is a file that contains the serial numbers of certificates that have been issued by the CA and are revoked. A CRL also contains the revocation reason for each certificate and the time the certificate was revoked. There are two types of CRLs that you can create: base CRLs and delta CRLs. Base CRLs contain a complete list of revoked certificates, while delta CRLs list only those certificates that have been revoked since the last publication of a base CRL. CRLs are published according to a predefined period. Therefore, information in the CRL might be out of date until a new CRL or delta CRL is published.

You should not use an Online Responder array because this will not be viable for a single domain with a single CA. Using an Online Responder array will also incur more costs.

Objective:Configuring Active Directory Certificate Services

Sub Objective(s):Install Active Directory Certificate Services.

References :Installing, Configuring, and Troubleshooting the Microsoft Online ResponderWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/045d2a97-1bff-43bd-8dea-f2df7e270e1f1033.mspx?mfr=true

AD CS: Online Certificate Status Protocol SupportWindows Server 2008 Technical Library

Link: http://technet2.microsoft.com/windowsserver2008/en/library/99d1f392-6bcd-4ccf-94ee-640fc100ba5f1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You are planning an Active Directory forest that will span three sites: New York, Miami, and Denver. The forest will have three domains: a root domain, DomA, and DomB. A domain controller for each domain is located in Miami. A read-only domain controller (RODC) for DomA is located in New York. An RODC for DomB is located in Denver. Most of the users in DomB are located in the Denver office. The users in DomA are split evenly between Miami and New York.

You need to optimize the placement of the Primary Domain Controller (PDC) Emulator role.

What should you do?

1. Configure the root domain's domain controller in Miami, the domain controller in New York, and the domain controller in Denver with the PDC Emulator role.

2. Configure the domain controller in New York and the domain controller in Denver with the PDC Emulator role.

3. Configure all three domain controllers in Miami with the PDC Emulator role. <Correct>

4. Configure only the domain controller in the root domain with the PDC Emulator role.

Explanation :You should configure all three domain controllers in Miami with the PDC Emulator role. The PDC Emulator role is a domain-wide role. Therefore a domain controller in each domain should hold it. You should generally position the PDC Emulator role as close to the users in the domain as possible. However, in this case the domain controllers in New York and Denver are RODCs. An RODC cannot hold an operations master role.

You should not configure only the domain controller in the root domain with the PDC Emulator role. The PDC Emulator role is a domain-wide role, so it should be held by one domain controller in each domain.

You should not configure the domain controller in New York and the domain controller in Denver with the PDC Emulator role. The domain controllers in New York and Denver are RODCs, so they cannot hold an operations master role.

You should not configure the root domain's domain controller in Miami, the domain controller in New York, and the domain controller in Denver with the PDC Emulator role. The domain controllers in New York and Denver are RODCs, so they cannot hold an operations master role.

Objective:Configuring the Active Directory Infrastructure

Sub Objective(s):Configure operations masters.

Planning Operations Master Role PlacementWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e2616396-12e6-4bad-a081-f94c032887101033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization. You have recently performed a full backup on a Windows Server 2008 server which has the Web Server role installed on it.

You need to recover a folder from the full backup because that folder is not accessible any longer due to some software corruption.

Which command should you use?

1. Wbadmin start recovery -notrestoreacl

2. Wbadmin start recovery -skipbadclustercheck

3. Wbadmin start recovery -itemtype:File <Correct>

4. Wbadmin start recovery -recursive

Explanation :You should run the Wbadmin start recovery -itemtype:File command to run a recovery of the specified folder. Wbadmin allows you to back up and restore your computer, volumes, and files and folders from the command prompt. The Wbadmin command has replaced the Ntbackup command that was used in earlier versions of Windows. The Wbadmin command applies only to Windows Server 2008.

You should not use the Wbadmin start recovery -recursive command. This parameter is not valid when recovering folders by using Wbadmin. This parameter is valid only to recover files.

You should not use the Wbadmin start recovery -notrestoreacl command. The -notrestoreacl parameter is not valid for recovering folders by using Wbadmin. This parameter is valid only when recovering files. The -notrestoreacl parameter specifies to not restore the security access control lists (ACLs) of the files that are being recovered from the backup.

You should not use the Wbadmin start recovery -skipbadclustercheck command. The -skipbadclustercheck parameter is not valid for recovering folders by using Wbadmin. This parameter is valid only when recovering volumes. The -skipbadclustercheck parameter will skip checking your recovery destination disks for bad cluster information when restoring volumes.


Sub Objective(s):Configure backup and recovery.

References :Wbadmin start recoveryMicrosoft TechNetLink: http://technet2.microsoft.com/WindowsServer2008/en/library/52381316-a0fa-459f-b6a6-01e31fb216121033.mspx

The Process of Recovering AD DC DataCourse 6043



______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in your company's Active Directory domain. Your organization has a single forest and a single Active Directory domain. You recently installed Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008. You plan to install Active Directory Federation Services (AD FS) to use with AD CS.

You need to ensure that AD FS can provide security tokens to client applications in response to requests for access to the resources.

Which role service should you configure while installing AD FS?

1. Federation Service Proxy

2. Federation Service <Correct>

3. Claims-aware Agent

4. Windows Token-based Agent

Explanation :You should install the Federation Service to provide security tokens to client applications in response to requests for access to the resources. The Federation Service routes authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.

You should not use the Claims-aware Agent to provide security tokens to client applications in response to requests for access to the resources. The Claims-aware Agent provides federated access control for applications that use the claims directory for authentication. A claims-aware application is a Microsoft ASP.NET application that uses claims in an AD FS security token to make authorization decisions and personalize applications.

You should not use the Windows Token-based Agent to provide security tokens to client applications in response to requests for access to the resources. The Windows Token-based Agent provides federated access control for Windows applications that use traditional Windows token-based authentication. The Windows Token-based Agent hosts a Windows NT token-based application to convert an AD FS security token into an impersonation-level, Windows NT access token.

You should not use Federation Service Proxy to provide security tokens to client applications in response to requests for access to the resources. The Federation Service Proxy collects user credentials from browsers and Web applications and forwards the credentials to the federation service. The Federation Service Proxy uses WS-Federation Passive Requestor Profile (WS-F PRP) protocols to collect user credential information from browser clients.

Objective:Configuring Additional Active Directory Server Roles

Sub Objective(s):Configure Active Directory Federation Services (AD FS).

Active Directory Federation Services OverviewWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d31033.mspx



______________________________________________________________________________________________________________________________________________

Your network has three Active Directory domains in a single site: stayandsleep.com, dev.stayandsleep.com, and sales.stayandsleep.com. Each domain has four domain controllers, all running Windows Server 2008. Each domain controller is configured with an Active Directory-Integrated zone for its own domain. A Domain Name System (DNS) server named DNS-Ext is located on the perimeter network. DNS-Ext is configured as a caching only DNS server.

You need to enable clients in the child domains to resolve the names of servers in the parent domain. Your solution should limit the domain controllers' exposure to the Internet.

What should you do? (Each correct answer presents part of the solution. Choose two.)

1. Modify the root hints for all internal DNS servers to contain only DNS servers in the stayandsleep.com domain. <Correct>

2. Add all internal DNS servers as forwarders on DNS-Ext.

3. Modify the root hints for all internal DNS servers to contain only DNS-Ext.

4. Configure DNS-Ext as a forwarder for all internal DNS servers. <Correct>

5. Modify the root hints for DNS-Ext to contain the DNS servers on the internal network.

Explanation :You should configure DNS-Ext as a forwarder for all internal DNS servers. Configuring DNS-Ext as a forwarder for all internal DNS servers will allow them to send recursive queries to DNS-Ext, which DNS-Ext will resolve by contacting Internet root servers.

You should also modify the root hints for all internal DNS servers to contain only DNS servers in the stayandsleep.com domain. A DNS server will use root hints to resolve name resolution requests if it cannot resolve them and if it is not configured with a forwarder or if the forwarder cannot resolve the name. By removing the Internet DNS servers from root hints and replacing them with the DNS servers in the stayandsleep.com domain, you can prevent the DNS servers from sending requests to the Internet root servers, while still enabling clients in the child domains to resolve the names of servers in the parent domain.

You should not modify the root hints for DNS-Ext to contain the DNS servers on the internal network. DNS-Ext should not contact the internal DNS servers to provide name resolution. It should only resolve names for Internet servers.

You should not add all internal DNS servers as forwarders on DNS-Ext. You add the server to which the DNS server should forward requests as a forwarder, not the other way around.

You should not modify the root hints for all internal DNS servers to contain only DNS-Ext. You should configure DNS-Ext as a forwarder. If you modify root hints to contain only DNS-Ext, users will only be able to resolve the names of resources in their domain or on the Internet.



References :Securing the DNS Server ServiceWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/9f93a319-4e77-4c17-ad4a-10e3ea9847f11033.mspx?mfr=true

Understanding ForwardersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/52ec32f6-5eda-4d6a-8e38-809fee243b71103

3.mspx?mfr=true

Using ForwardersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e2dd91d6-441f-4175-9d1d-d152d148d73c1033.mspx?mfr=true

Updating Root HintsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/7fc91f3b-c926-4dd7-a9f5-8d140d261a141033.mspx



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. The network currently has only a single site. The company is preparing to open a branch office.

You must ensure that administrators at the branch office can create, modify, and delete user accounts only for employees at the branch office. Administrators must be able to manage user accounts even if the link to the corporate office is unavailable.

What should you do?

1. Install a read-only domain controller (RODC) at the branch office.Create a global group named BranchAdmins.Create domain local group named BranchUsers.Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

2. Install a read-only domain controller (RODC) at the branch office.Create a global group named BranchAdmins.Create an organizational unit (OU) named BranchUsers.Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

3. Install a standard domain controller at the branch office.Create a global group named BranchAdmins.Create an organizational unit (OU) named BranchUsers.Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

<Correct>

4. Install a standard domain controller at the branch office.Create a global group named BranchAdmins.Create a domain local group named BranchUsers.Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

Explanation :You should perform the following steps:

* Install a standard domain controller at the branch office. * Create a global group named BranchAdmins. * Create an OU named BranchUsers. * Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

You should install a standard domain controller at the branch office to allow administrators there to log on to it and manage accounts even if the link to the corporate office is unavailable. You should create an OU named BranchUsers and use the Delegation of Control Wizard to delegate the Create, delete, and manage user accounts task to the BranchAdmins global group. You must delegate the permission to manage user accounts on the OU that will contain those user accounts.

You should not install an RODC at the branch office. An RODC cannot be used to make changes to user accounts. Therefore, administrators at the branch office would not be able to manage user accounts if the link to the corporate office was unavailable.

You should not create a domain local group named BranchUsers. You cannot delegate control to manage user accounts by delegating control for a group to which the accounts will belong. You must delegate control for the OU that will contain the user accounts to be managed.

Objective:Creating and Maintaining Active Directory Objects

Sub Objective(s):Maintain Active Directory accounts.

References :Creating an Organization Unit DesignWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/04f9603d-b4a8-4a33-af4a-257aca2f32791033.mspx?mfr=true

Delegating Administration by Using OU ObjectsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/2ddcbce2-cbc2-48f7-a732-0caf4effef9f1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office. You install Windows Server 2008 on all servers on the network. You install a domain controller named DC1 in the main office and a Read-Only Domain Controller (RODC) named RODC1 in the branch office. The offices are connected by a 128-Kbps link.

A user named Paul travels frequently to the branch office and requires access to the branch office network. You want to ensure that Paul is able to log on to the network in the branch office even if the Wide Area Network (WAN) link to DC1 is unavailable.

Which actions should you perform? (Each correct answer presents part of the solution. Choose two.)

1. Add Paul's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.

2. Prepopulate the password cache of RODC1 with the password of Paul's user account. <Correct>

3. Add Paul's user account with the Deny setting to the Password Replication Policy tab in the properties dialog box for RODC1.

4. Add Paul's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.

5. Add Paul's user account with the Allow setting to the Password Replication Policy tab in the properties dialog box for RODC1. <Correct>

Explanation :You should add Paul's user account with the Allow setting to the Password Replication Policy tab in the properties dialog box for RODC1 and prepopulate the password cache of RODC1 with the password of Paul's user account. An RODC hosts read-only partitions of the Active Directory database. An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, except for account passwords. Prepopulating the RODC password cache allows the RODC to store the passwords for users and computers before they try to log on in the branch office. Prepopulating the password cache is helpful when you want to ensure that a user is able to log on to the network in a branch office even if the WAN link to the writable domain controller is unavailable. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.

You should not add Paul's user account with the Deny setting to the Password Replication Policy tab in the properties dialog box for RODC1. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. Therefore, you should add Paul's user account with the Allow setting to the Password Replication Policy tab in the properties dialog box for RODC1.

You should not add Paul's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts that have been authenticated to this Read-only Domain Controller list displays all user and computer accounts that are authenticated to an RODC. You cannot manually add a user or a computer account to the Accounts that have been authenticated to this Read-only Domain Controller list.

You should not add Paul's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts whose passwords are stored on this Read-only Domain Controller list displays all user or computer accounts whose passwords are stored on that RODC. You cannot manually add a user or a computer account to the Accounts whose passwords are stored on this Read-only Domain Controller list.


Sub Objective(s):Configure the read-only domain controller (RODC).

References :Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008Microsoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

Password Replication Policy AdministrationMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/1ec4c1ac-5768-4b53-9271-1948b8e8816f1033.mspx?mfr=true

Options for Configuring Password Replication PoliciesCourse 6043



______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization. You want to implement security for digital information which is in the form of user data and e-mail messages.

You plan to install the Active Directory Rights Management Services (AD RMS) server role by using the Server Manager on a computer running Windows Server 2008.

Which other roles must also be installed on the server? (Choose two.)

1. Web Server (IIS) <Correct>

2. Windows Process Activation Service (WPAS) <Correct>

3. Network Policy and Access Services

4. Application Server

5. File Services

Explanation :The WPAS and Web Server (IIS) roles are required to install AD RMS on a computer running Windows Server 2008. When configuring AD RMS, you must ensure that Web Server (IIS), WPAS, and Message Queuing are listed on the Role Services page. AD RMS works with AD RMS-enabled applications to secure sensitive and confidential information. AD RMS uses WPAS to manage the activation and lifetime of applications invoked remotely over the network.

The Application Server role is not required when installing the AD RMS server role on a computer running Windows Server 2008. Application Server provides an environment for deploying and running custom business applications. It is not required for installing the AD RMS server role.

The Network Policy and Access Services role is not required when installing the AD RMS server role on a computer running Windows Server 2008. The Network Policy and Access Services role provides network connectivity solutions. This server role helps with routing local area network (LAN) and wide area network (WAN) traffic, creating and enforcing network access policies, and accessing network resources over virtual private network (VPN) and dial-up connections. This server role is not required to install the AD RMS server role.

You do not require the File Services role to install the AD RMS server role on a computer running Windows Serve 2008. The File Services role provides technology for storage management, file replication, and streamlined client access to files.


Sub Objective(s):Configure Active Directory Rights Management Service (AD RMS).

References :Step 2: Installing and Configuring AD RMS on ADRMS-SRVMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/2d55f53f-8a4a-4dcd-886b-944cb4aa7cb41033.mspx

What Are Server Roles?Course 6042


Question ID : flm9MS_70-640-059

______________________________________________________________________________________________________________________________________________

You are configuring your network as a single Active Directory domain. The domain will include three sites, each with three to five remote offices. Each office has a maximum of 70 users. You plan to place two domain controllers in each office. All wide area links are full-time links.

You need to determine global catalog placement for your network. Your solution must meet the following criteria:

* Optimize searches for domain resources.* Optimize logon and authentication.* Minimize replication traffic.* Minimize CPU and disk resource requirements on domain controllers.* Minimize management overhead.* Provide fault tolerance.

Except for the main office, all domain controllers will be deployed on computers running a Server Core installation of Microsoft Windows Server 2008. There will be one writable domain controller in each site. The remaining domain controllers will be read-only domain controllers (RODCs). The forest root domain controller will be physically located in the main office.

What should you do?

1. Configure each writable domain controller as a global catalog.

2. Configure the forest root domain controller as the only global catalog.

3. Configure one domain controller in each office as a global catalog.

4. Configure all domain controllers as global catalogs. <Correct>

Explanation :You should configure all domain controllers as global catalogs. This is the configuration recommended by Microsoft when supporting a single-domain Active Directory. This does not increase the resource requirements because, in a single-domain Active Directory, every domain controller stores the domain directory partition. Because the global catalog is maintained locally on each domain controller, domain operations are optimized and the second domain controller in each office provides fault tolerance. None of the other configurations provide local fault tolerance.

You should not limit global catalog servers to the forest root only. This places an additional load on the forest root and network infrastructure and could lead to less than optimum performance.

You should not make just the writable domain controllers or just one domain controller in each office a global catalog. This does not provide local fault tolerance and might not provide as good performance.


Sub Objective(s):Configure the global catalog.

References :Planning Global Catalog Server PlacementMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/d59c8afc-9781-442e-8421-ee549a6966651033.mspx?mfr=true

What's New in AD DS Installation and RemovalMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/e5bf22f7-f617-4820-a6d0-6271e3b80fe41033.mspx?mfr=true

Global catalogs and sitesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/0e74916d-28d7-4cdd-8dce-89c824622fcd1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with three sites: Chicago, New York, and Atlanta. Your company is planning to implement smart card authentication. The smart card issuing plan must meet the following requirements:

* Members of the Help Desk department at each location must be able to issue smart card certificates. * Members of the Help Desk department must be able to issue smart card certificates only for users at their own location.

You create HelpDeskNY, HelpDeskAtl, HelpDeskChi global groups.

You need to configure the CA to meet the smart card enrollment requirements.

What should you do? (Each correct answer presents part of the solution. Choose three.)

1. Issue an Enrollment Agent certificate to each member of the Help Desk department. <Correct>

2. Create a Smart Card Logon certificate template for each location. Grant HelpDeskNY, HelpDeskAtl, and HelpDeskChi the Read and Enroll permission on only the appropriate Smart Card Logon certificate template.

3. Create UsersNY, UsersAtl, and UsersChi global groups. <Correct>

4. Create an Enrollment Agent certificate template for each location. Grant UsersNY, UsersAtl, and UsersChi the Read permission on only the appropriate Enrollment Agent certificate template.

5. Enable Restricted enrollment agents. Associate the HelpDeskxx global group for each location with the Usersxx global group for each location. <Correct>


* Create UsersNY, UsersAtl, and UsersChi global groups. * Issue an Enrollment Agent certificate to each member of the Help Desk department. * Enable Restricted enrollment agents. * Associate the HelpDeskxx global group for each location with the Usersxx global group for each location.

Windows Server 2008 supports restricted enrollment agents. You can create a security group containing enrollment agents who are allowed to enroll for a Smart Card certificate on behalf of a specific group of users and associate that group with the security group containing those user accounts.

You should not perform the following steps:

* Create an Enrollment Agent certificate template for each location.* Grant UsersNY, UsersAtl, and UsersChi the Read permission on only the appropriate Enrollment Agent certificate template.

You cannot limit which users an enrollment agent can enroll for a smart card certificate on behalf of by granting permission on the Enrollment Agent certificate template. Granting users Read permission on a certificate template allows a user to view the certificate template. It does not limit whether a person with a certificate based on that template can enroll on behalf of the users.


* Create a Smart Card Logon certificate template for each location.* Grant HelpDeskNY, HelpDeskAtl, and HelpDeskChi the Read and Enroll permission on only the appropriate Smart Card Logon certificate template.

You cannot limit which users an enrollment agent can enroll for a smart card certificate on behalf of by granting creating different Smart Card Logon certificates and granting permission to them based on location. An enrollment agent could use the Smart Card Logon certificate to enroll

any user.


Sub Objective(s):Manage enrollments.

References :Active Directory Certificate Server Enhancements in Windows Server Code Name "Longhorn"Microsoft DownloadsLink: http://www.microsoft.com/downloads/details.aspx?familyid=9bf17231-d832-4ff9-8fb8-0539ba21ab95&displaylang=en

AD CS: Restricted Enrollment AgentWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/56d66319-2e49-447b-92a3-1ca2a674fb8d1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your organization has a single forest and a single Active Directory domain. You have deployed Windows Server 2008 on all servers in the organization.

Your organization wants to ensure that Windows Server 2008 provides customizable services for creating and managing public key certificates. You plan to install Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008 that cannot use Directory Service data to issue or manage certificates.

What should you do while installing AD CS?

1. Select the Enterprise option on the Specify Setup Type page in the Add Roles Wizard.

2. Clear the Certification Authority checkbox on the Select Role Services page in the Add Roles Wizard.

3. Select the recommended option on the Specify Setup Type page in the Add Roles Wizard.

4. Select the Standalone option on the Specify Setup Type page in the Add Roles Wizard. <Correct>

Explanation :You should select the Standalone option on the Specify Setup Type page in the Add Roles Wizard when installing AD CS. As mentioned in the scenario, the computer running Windows Server 2008 cannot use Directory Service data to issue or manage certificates, and the Standalone option should be selected if the certification authority (CA) does not use Directory Service data to issue or manage certificates.

You should not select the recommended option. The Enterprise option is the recommended option on the Specify Setup Type page. This option should be selected if the CA is a member of a domain and can use Directory Service data to issue and manage certificates.

You should not select the Enterprise option. The Enterprise option should be selected if the CA is a member of a domain and can use Directory Service data to issue and manage certificates. As mentioned in the scenario, this server cannot use Directory Service data to issue or manage certificates. Therefore, you cannot select the Enterprise option.

You should not clear the Certification Authority checkbox on the Select Role Services page. The Certification Authority issues and manages certificates for users, computers and organization. Therefore, you must select a CA when configuring Role services while installing AD CS.



References :Windows Server Active Directory Certificate Services Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/f7dfccc0-4f65-4d6f-a801-ae6a87fd174c1033.mspx?mfr=true

How To Install Server Roles and Server FeaturesCourse 6042



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. A portion of the organizational unit (OU) hierarchy is shown in the exhibit.

You need to deploy Microsoft Office 2007 to all members of the Sales department.

What should you do?

1. Create a Group Policy object (GPO) that assigns the application. Link it to SalesComputers. <Correct>

2. Create a Group Policy object (GPO) that publishes the application. Link it to SalesComputers.

3. Create a Group Policy object (GPO) that publishes the application. Link it to SalesUsers.

4. Create a Group Policy object (GPO) that assigns the application. Link it to SalesUsers.

Explanation :You should create a GPO that assigns the application and link it to SalesComputers. Office 2007 cannot be assigned or published to a user. It must be assigned to a computer. Therefore, you must identify the package and assign it using the Software Installation policy in Computer Configuration. You must link it to the OU that contains the computers.

You should not create a GPO that assigns the application and link it to SalesUsers. Office 2007 can only be assigned to computers.

You should not create a GPO that publishes the application and link it to SalesComputers. You cannot publish applications to a computer. You can only publish applications to a user. However, Office 2007 cannot be published to a user.

You should not create a GPO that publishes the application and link it to SalesUsers. You cannot publish Office 2007 to a user.


Sub Objective(s):Configure software deployment GPOs.

Use Group Policy Software Installation to deploy the 2007 Office systemMicrosoft TechNetLink: http://technet2.microsoft.com/Office/en-us/library/efd0ee45-9605-42d3-9798-3b698fff3e081033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You need to install two Active Directory Lightweight Directory Services (AD LDS) instances on a computer running a full installation of Microsoft Windows Server 2008.

What should you do first?

1. Run Ocsetup.

2. Run Dcpromo.

3. Run Active Directory Lightweight Directory Services Setup Wizard.

4. Run Server Manager. <Correct>

Explanation :You should run Server Manager. Server Manager is a general-purpose management utility. You can use Server Manager on a server running Windows Server 2008 to add or remove roles, including AD LDS. Before you can install AD LDS instances, you must use Server Manager to install the AD LDS role. Role prerequisites will be installed at the same time.

You should not run Active Directory Lightweight Directory Services Setup Wizard first. You use the Wizard to install AD LDS instances after you have installed the AD LDS role.

You should not run Dcpromo. Dcpromo is used to promote a computer to an Active Directory Domain Services (AD DS) domain controller. It can also be used to demote a domain controller. It is not used to manage AD LDS instances. You must use install the AD DS role before you promote the computer to domain controller.

You should not run Ocsetup. Ocsetup is used to install roles on a Windows Server 2008 Server Core installation. Ocsetup is supported for Server Core installations only.


Sub Objective(s):Configure Active Directory Lightweight Directory Service (AD LDS).

References :Step-by-Step Guide for Getting Started with Active Directory Lightweight Directory ServicesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/141900a7-445c-4bd3-9ce3-5ff53d70d10a1033.mspx?mfr=true

Step 1: Install the AD LDS Server RoleMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/682674f4-a652-4772-8567-2f27417f4ec81033.mspx?mfr=true

Step 2: Practice Working with AD LDS InstancesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/27c4ac30-1058-4d9e-99fe-f0cd33eb21501033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your organization's network contains five servers running Windows Server 2008 in an organizational unit named WinServers. All five servers are part of the company's domain. You notice that some unauthorized network connection attempts have been made to connect to all five servers.

You want to track down all network connection events across the five servers in the WinServers organizational unit. You create a new Group Policy object (GPO).

What should you do next?

1. Activate the Audit logon events policy and link the GPO to the WinServers organizational unit. <Correct>

2. Activate the Audit account logon events policy and link the GPO to the WinServers organizational unit.

3. Activate the Audit process tracking policy and link the GPO to the WinServers organizational unit.

4. Activate the Audit object access policy and link the GPO to the WinServers organizational unit.

Explanation :You should activate the Audit logon events policy. An Audit logon events policy audits each event related to a user logging on, logging off, or making a network connection. The events in this level of audit are logged when a user logs on to a computer interactively or from the network by using a domain user account. Once you configure the Audit policy, you can link the GPO to the appropriate organizational unit. In this scenario, the servers are located in the WinServers organizational unit. Therefore, you should link the GPO to the WinServers organizational unit.

You should not activate the Audit process tracking policy and link the GPO to the WinServers organizational unit. The Audit process tracking policy audits events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access.

You should not activate the Audit object access policy and link the GPO to the WinServers organizational unit. The Audit object access policy audits user attempts to access an object.

You should not activate the Audit account logon events policy and link the GPO to the WinServers organizational unit. The Audit account logon events policy audits each time a user logs on or off the domain.


Sub Objective(s):Configure audit policy by using GPOs.

References :Audit logon eventsMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true

HOW TO: Audit Active Directory Objects in Windows Server 2003Microsoft Help and SupportLink: http://support.microsoft.com/kb/814595

Windows Server 2008 Auditing AD DS Changes Step-by-Step GuideWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx?mfr=true

How To Audit Changes to Domain ServicesCourse 6043


Question ID : dhMS_70-640-017

______________________________________________________________________________________________________________________________________________

Your company has recently upgraded all servers to Microsoft Windows Server 2008. Client computers are running Microsoft Windows XP Professional. Computers are members of the MedDev forest.

To comply with the company's security regulations, you have implemented a Certificate Authority (CA) and several root Subordinate CAs.

The company has recently sold one of its divisions. The division had a subordinate CA to issue certificates to computers and users.

You need to ensure that the rest of the CAs on your network no longer accept certificates issued by the former division's CA. You want to accomplish this with the least amount of administrative effort.

What should you do?

1. Revoke the certificates issued by the division's subordinate CA. Publish the Certificate Revocation List (CRL).

2. Revoke the certificates issued by the division's subordinate CA, and then revoke the certificate issued to the division's subordinate CA. Publish the Certificate Revocation List (CRL).

3. Revoke the certificate issued to the division's subordinate CA. Publish the Certificate Revocation List (CRL). <Correct>

4. Revoke the certificate of the enterprise root CA. Publish the Certificate Revocation List (CRL).

Explanation :You should revoke the certificate issued to the division's subordinate CA. This procedure is performed on the enterprise CA. Once the certificate issued to the division's subordinate CA is revoked, the certificates it has issued will no longer be accepted by other CAs. Once the certificate has been revoked, the Certificate Revocation List should be published.

You should not revoke all the certificates that have been issued by the division's subordinate CA. Although other CAs will no longer accept the certificates once they are revoked, the solution would require too much administrative effort.

You should not revoke the certificate of the enterprise root CA. This solution would decommission the entire infrastructure. Once the enterprise root CA certificate is revoked, no other certificates issued by the CA are valid.

You should not revoke the certificates issued by the division's subordinate CA and then revoke the certificate issued to the division's subordinate CA. Revoking the certificates issued by the CA is not necessary if you revoke the CAs certificate. This solution requires too much administrative effort.


Sub Objective(s):Manage certificate revocations.

References :Active Directory Certificate ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/c8955f83-fed9-4a18-80ea-31e865435f731033.mspx?mfr=true

Manage Certificate RevocationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/5531ecb5-3073-490f-80f9-5d263e60b07a103

3.mspx?mfr=true

Configuring Certificate RevocationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/336d3a6a-33c6-4083-8606-c0a4fdca9a251033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured with one Windows Server 2008 server. The network also contains 200 Windows Vista client computers installed in various departments. You create a separate organizational unit for each department and place the client computers in each department in its respective organizational unit.

You install new software on all computers in the sales department, which are located in an organizational unit named SalesPC. The user accounts for all users in the sales department are located in an organizational unit named SalesUsers.

Three users from the sales department report that their computers restart every five minutes.

You need to identify the cause of the problem.

What should you do?

1. Create a new Group Policy object (GPO). Enable the Audit process tracking policy. Link the GPO to the SalesPC organizational unit.

2. Create a new Group Policy object (GPO). Enable the Audit process tracking policy. Link the GPO to the SalesUsers organizational unit.

3. Create a new Group Policy object (GPO). Enable the Audit system events policy. Link the GPO to the SalesPC organizational unit. <Correct>

4. Create a new Group Policy object (GPO). Enable the Audit system events policy. Link the GPO to the SalesUsers organizational unit.

Explanation :You should create a new GPO, enable the Audit system events policy, and link the GPO to the SalesPC organizational unit. The Audit system events policy allows you to audit events related to computer restart or shut down. This setting is only enabled for Windows Server 2003 or Windows Server 2008 domain controllers that are configured to audit success of these events. You can configure the Audit system events policy in the GPO settings. Once you configure Audit policy, you can link the GPO to the appropriate organizational unit. In this scenario, the client computers in the sales department are located in the SalesPC organizational unit. Therefore, you should link the GPO to the SalesPC organizational unit.

You should not create a new GPO, enable the Audit system events policy, and link the GPO to the SalesUsers organizational unit. In this scenario, the client computers in the sales department are located in the SalesPC organizational unit. Therefore, you should link the GPO to the SalesPC organizational unit. Linking the GPO to the SalesUsers organizational unit will not allow you to identify the cause of the problem stated in this scenario.

You should not create a new GPO, enable the Audit process tracking policy, and link the GPO to the SalesPC organizational unit. An Audit process tracking policy audits events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access. This audit policy will not audit a computer that keeps restarting or shutting down.

You should not create a new GPO, enable the Audit process tracking policy, and link the GPO to the SalesUsers organizational unit. An Audit process tracking policy audits events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access. This audit policy will not audit a computer that keeps restarting or shutting down. Also, in this scenario, the client computers in the sales department are located in the SalesPC organizational unit. Therefore, you should link the GPO to the SalesPC organizational unit.



References :Audit system eventsMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/a8297bc2-d53a-4a2f-94c5-8e412ae4e3861033.mspx?mfr=true






______________________________________________________________________________________________________________________________________________

Your network is configured as a single Active Directory domain. You deploy a read-only domain controller (RODC) in a branch office.

You need to specify a user to manage the RODC locally. The user should have permissions for that RODC only. You are currently logged on at the RODC as a member of the Domain Admins group.

What should you do?

1. Use Active Directory Users and Computers to make the user a member of Domain Admins.

2. Use the OCSetup command.

3. Use the Appcmd command.

4. Use Active Directory Users and Computers and add the user to the Managed By tab. <Correct>

Explanation :You should use Active Directory Users and Computers to add the user's name to the Managed By tab of the RODC's account properties. You need to configure Administrator Role Separation for the RODC. This identifies a user as a local administrator for the RODC. The user will have permissions for that RODC only and no other domain controllers or RODCs.

You can also use the Dsmgmt local roles command or the Ntdsutil local roles command. Note that using these commands stores the administrator role locally on the RODC and not in Active Directory.

You should not use Active Directory Users and Computers to make a user a member of Domain Admins. This would give the user more rights than necessary. The user would be able to manage any domain controller.

You should not use the Appcmd command. Appcmd is used to manage Internet Information Services (IIS) from the command line.

You should not use the OCSetup command. OCSetup lets you add roles on a Server Core installation, but it does not let you configure the roles. You would use OCSetup if you were configuring a Server Core installation as an RODC, but you could not use it to configure the RODC instance.



References :Lesson 2: Read-Only Domain Controller OperationCourse 6416A

Administrator Role Separation ConfigurationMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/c0a45344-f77b-4ea6-8685-37a51f853b571033.mspx?mfr=true

RODC AdministrationMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/f5123310-a004-452f-b9a9-87643ac55dde1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as a multiple-domain Active Directory forest that includes several geographic locations. Each location is configured with at least one domain controller. The network uses a mix of writable and read-only domain controllers (RODCs).

You need to improve performance when searching for resources available in the forest from one of the remote offices. The remote office supports 200 users. The office does not support any remote users. The wide area network (WAN) link is available all of the time, but you need to reduce traffic over the link. The office currently has one RODC.

What should you do?

1. Replace the RODC with a writable domain controller.

2. Deploy a second RODC.

3. Configure the RODC as a global catalog server. <Correct>

4. Enable universal group caching.

Explanation :You should configure the RODC as a global catalog server. Microsoft recommends placing a global catalog server in any location that:

* supports applications that require the global catalog. * supports 100 or more users. * supports several remote users.

The global catalog is used any time users search for forest resources. Placing a copy of the global catalog on the local domain controller makes it able to respond more quickly to user requests. Also, because the requests are handled locally, traffic over the wide area link is reduced overall. There would be some additional background traffic required to support global catalog replication, but this would occur only when there are changes to the global catalog. This would be less than the traffic necessary to support queries to the global catalog.

Replacing the existing domain controller or adding a second domain controller will not correct this situation unless one of them is a global catalog server. However, you might consider adding a second domain controller if you are concerned about fault tolerance.

There is no need to enable universal group caching. Microsoft recommends deploying a domain controller and enabling universal group caching if:

* None of the requirements for a local global catalog are met.* The WAN link is always available.

Since the location has over 100 users, the better solution is to configure the RODC as a global catalog server.



References :Planning Global Catalog Server PlacementMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/d59c8afc-9781-442e-8421-ee549a6966651033.mspx?mfr=true

Global catalogs and sitesMicrosoft TechNetLink:

http://technet2.microsoft.com/windowsserver/en/library/0e74916d-28d7-4cdd-8dce-89c824622fcd1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network includes four domain controllers. DC1 is configured for the PDC emulator role. You need to take DC1 down for maintenance.

You need to assign the role to DC2 during maintenance.

What should you do?

In the list on the right, select the steps you should take. Place your selections in the list on the left in the order in which you should take them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.


* Open Active Directory Users and Computers. * Connect to DC2. * Transfer the PDC emulator role.

You transfer the PDC emulator role using Active Directory Users and Computers or ntdsutil. You must connect to the target computer (the one to which the role is being transferred) before transferring the role. Because the server is operational, you should transfer the role instead of seizing it.

You should not open Active Directory Sites and Services. You do not manage any operation master roles from Active Directory Sites and Services.

You should not open Active Directory Domains and Trusts. You manage the domain naming operations master role from Active Directory Domains and Trusts, not the PDC emulator role.

You should not connect to DC1. You must be connected to the target domain controller to transfer the role.

You should not seize the role. You should only seize a role if the server that holds the role is inaccessible.



Transfer the PDC emulator roleWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver/en/library/c3a082ac-d855-48ba-a3d9-3b3a945cd7261033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. All servers on the network run Windows Server 2008 and are members of the domain. You are in the process of installing Active Directory Certificate Services (AD CS) on a server named CertSrv. You want to install the Certification Authority (CA) role service and Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service.

You attempt to install the CA role service and the MSCEP role service simultaneously on CertSrv, but receive an error message that states: Cannot Install MSCEP.

What should you do to ensure that you are able to install both role services on CertSrv?

1. Install the CA role service first and then install the MSCEP role service. <Correct>

2. Install Active Directory Lightweight Directory Services (AD LDS) on CertSrv.

3. Install an Online Responder service before installing the MSCEP role service.

4. Install Active Directory Domain Services (AD DS) on CertSrv.

Explanation :You should install the CA role service first and then install the MSCEP role service. AD CS provides services for creating and managing public key certificates. You can install four types of role services on a server configured as AD CS. These role services are CA, Certification Authority Web Enrollment, Online Certificate Status Protocol (OCSP), and MSCEP. MSCEP allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA. Windows Server 2008 does not allow you to install the CA role service and the MSCEP role service simultaneously. To ensure that you are able to install both the AD CS role services, you should first complete the CA setup and then install the MSCEP role service.

You should not install AD DS or AD LDS on CertSrv. The problem in this scenario is that Windows Server 2008 does not allow you to install the CA role service and the MSCEP role service simultaneously. Access to AD DS is required when you want to install an enterprise root CA in your domain, but it does not need to be installed on the same server as AD CS.

You should not install an Online Responder service before installing the MSCEP role service. Online responders are used as an alternative to or an extension of Certificate Revocation Lists (CRLs) to provide certification revocation data. You can use an Online Responder based on OSCP to manage and distribute revocation status information when the use of conventional CRLs is not an optimal solution.



References :Windows Server Active Directory Certificate Services Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/f7dfccc0-4f65-4d6f-a801-ae6a87fd174c1033.mspx




______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office. The servers on the company's network run Windows Server 2008. Each office has its own Active Directory domain.

There are three file servers in the main office named File1, File2, and File3. The users in the main office who access File1 and File2 are reporting that file downloads have been slow for the past two days from 3 P.M. to 5 P.M.

You want to see the processor and memory usage on File1 and File2. You want to schedule performance logs and alerts on both File1 and File2 to start at 3 P.M.

Which tool should you use?

1. Event Viewer

2. Windows Task Manager

3. Reliability and Performance Monitor <Correct>

4. Component Services

Explanation :You should use Reliability and Performance Monitor to set the performance logs and alerts on both File1 and File2 to start at 3 P.M. When you open Reliability and Performance Monitor, you will see the option Performance Logs and Alerts. You can open the Performance Logs and Alerts and set the new log for memory and processor to be scheduled at 3 P.M. The Windows Reliability and Performance Monitor combines several previous stand-alone tools, such as Performance Logs and Alerts, Server Performance Advisor, and System Monitor.

You should not use Windows Task Manager to schedule performance logs and alerts. Windows Task manager does not allow you to create a new performance log or alert. Windows Task Manager shows only the current applications, processes, performance, network usage, and users that are correctly connected to the server.

You should not use Event Viewer to schedule performance logs and alerts. Event viewer does not allow you to create a new performance log or alert. Event Viewer shows only the current event logs that are created.

You should not use Component Services to schedule performance logs and alerts. Component Services does not allow you to create a new performance log or alert. Component Services only allows you to access Active Directory Users and Computers, Event Viewer and Services.


Sub Objective(s):Monitor Active Directory.

References :Windows Reliability and Performance MonitorWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ec5b5e7b-5d5c-4d04-98ad-55d9a09677101033.mspx?mfr=true

Performance Logs and Alerts overviewMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/b3d458a8-7d62-4f2a-80bb-c16e75994b1d1033.mspx?mfr=true

What Is Windows Reliability and Performance Monitor?Course 6042



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. You install a Certification Authority (CA) on a stand-alone computer that runs Windows Server 2008. The network also contains a file server named FileSrv1 that is installed on a member server running Windows Server 2008. FileSrv1 contain files that are accessed by all users on the network.

You prepare the offline root CA to issue certificates to all users in the domain. You issue a certificate to each user to log on to the domain.

You need to ensure that once a certificate is revoked for a user, the user is unable to log on to the domain by using the revoked certificate.

What should you do?

1. Run the Certutil -dsPublish -f command.

2. Change the Uniform Resource Locator (URL) location of the Certificate Revocation List (CRL) distribution point to FileSrv1. <Correct>

3. Change the default action of the stand-alone root CA for request handling.

4. Run the Certutil -pulse command.

Explanation :You should change the URL location of the CRL distribution point to FileSrv1. Every certificate that is issued by a Microsoft CA contains the URL of CRL distribution points as part of its content. A CRL distribution point provides a certificate verifier with the network location where it can retrieve the current copy of the CRL or delta CRL. By default, CRL and delta CRL files are published on the CA in the %Systemroot%\System32\CertSrv\CertEnroll folder. You can specify multiple CRL distribution points for a CA. When preparing an offline root CA to issue certificates, you must change the URL location of the CRL distribution point to a location that is accessible to all users on the network. Performing this step is necessary because the offline CA's default CRL distribution points are not accessible to users on the network, which causes certificate revocation checking to fail. In this scenario, FileSrv1 is accessible to all users. Therefore, you should change the URL location of the CRL distribution point to FileSrv1.

You should not run the Certutil -pulse command. This command is used to start autoenrollment for the new certificates.

You should not run the Certutil -dsPublish -f command. This command is used to publish a certificate or CRL to Active Directory. The -f parameter in the Certutil -dsPublish command overwrites existing files or keys. A stand-alone root CA does not have access to Active Directory. Therefore, running the Certutil -dsPublish -f command will not be useful.

You should not change the default action of the stand-alone root CA for request handling. The default request handling action for a stand-alone root CA is to place all requests in the Pending Requests list. When you change the default request handling action for a stand-alone CA, the CA will be configured to automatically issue certificates without verifying the identity of the certificate requester. However, changing the default action of the stand-alone root CA for request handling will not make the CRL distribution point on an offline root CA available to users on the network.



References :Checklist: Creating a certification hierarchy with an offline root certification authorityMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/45c28bf8-9952-4ca1-b124-7d86afb83f691033.mspx?mfr=true

Revoking certificates and publishing CRLsMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?mfr=true

Specify certificate revocation list distribution points in issued certificatesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/6c95826e-8c8d-4138-bae6-a92e8612499f1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network has a corporate office and a branch office. It is configured as a single Active Directory domain and two sites - one for each office. There are three domain controllers at the corporate office and a read-only domain controller (RODC) at the branch office.

Users at the branch office report that performance is slow when accessing resources at the corporate office during the business day.

You need to improve performance for the users at the branch office. Your solution must ensure that all changes to Active Directory are replicated to the branch office and must not grant any additional rights to administrators at the branch office.

What should you do?

1. Configure the site link to use Simple Mail Transfer Protocol (SMTP) instead of Remote Procedure Call over Internet Protocol (RPC over IP).

2. Add a child domain for the computers at the branch office.

3. Configure the site link so that Active Directory replication occurs only after hours. <Correct>

4. Configure the domain controller at the branch office as a standard domain controller.

Explanation :You should configure the site link so that Active Directory replication occurs only after hours. Active Directory replication uses bandwidth. Therefore, you can improve performance by limiting replication to times outside high traffic periods.

You should not configure the site link to use SMTP instead of RPC over IP. SMTP can be used for replicating global catalog data, but it cannot be used to replicate the domain partition. While using SMTP would reduce the replication traffic, it would not replicate all the necessary data because it cannot be used to replicate the entire domain partition. Therefore, the RODC would not be kept up to date with all Active Directory data.

You should not add a child domain for computers at the branch office. Separating the branch office into a separate domain might reduce the amount of traffic due to replication, but it will not meet the requirements. You would either need to add a domain controller for that domain to the network at the corporate office or make the domain controller at the branch office a standard domain controller. If you add a domain controller for the child domain to the corporate office, there would still need to be replication across the WAN link. If you make the domain controller at the branch office a standard domain controller, administrators at the branch office would be able to create and modify objects in Active Directory.

You should not make the domain controller at the branch office a standard domain controller. Doing so would not decrease traffic because replication would still occur during business hours and the solution would allow administrators at the branch office the ability to modify Active Directory objects.


Sub Objective(s):Configure Active Directory replication.

Configure Intersite Replication AvailabilityWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/16a9a735-8a73-45a3-a629-a98da46452b61033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single domain. All domain controllers are running Windows Server 2003. Some member servers run Windows Server 2003. Others run Windows 2000 Server.

You are preparing to add a domain controller running Windows Server 2008 to the domain. You need to prepare Active Directory for the new server.

What should you do?

In the list on the right, select the commands you should run before installing Windows Server 2008. Place your selections in the list on the left in the order in which you should run them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :You must first extend the schema by running the adprep /forestprep command on the schema master. Next you should execute adprep /domainprep on the infrastructure master to prepare the domain for its first Windows Server 2008 domain controller.

You should not execute adprep /domainprep /gpprep. You only need to execute adprep /domainprep /gpprep if there are domain controllers running Windows 2000 Server in the domain.

You should not execute dcpromo /uninstall. You should not remove the domain controller role before upgrading a domain controller to Windows Server 2008.


Sub Objective(s):Configure a forest or a domain.

References :Lesson 1: Installing Active Directory Domain ServicesCourse 6425A

AdprepWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/aa923ebf-de47-494b-a60a-9fce083d2f691033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company has a main office and several branch offices. Servers are running Microsoft Windows Server 2008. Client computers are running Microsoft Windows XP Professional. Computers in all locations are members of a single domain. Each branch office is configured as a separate site with its own domain controllers.

One of the branch offices is connected to the main office by a 56-Kbps WAN connection. Users are reporting that response time is slow when accessing resources in the main office. You discover that the problem is due to inter-site Active Directory replication.

You need to minimize replication traffic over the WAN link.

What should you do? (Each correct answer presents a complete solution. Choose two.)

1. Move domain controllers into the same Active Directory site as the domain controllers in the main office.

2. Configure domain controllers in the branch office as read-only domain controllers (RODCs). <Correct>

3. Increase the replication interval for the site link. <Correct>

4. Enable universal group membership caching in the branch office.

Explanation :You should increase the replication interval for the site link connecting the branch office site to the main office site. Active Directory replication between the domain controller in the branch office site and the domain controller in the main office is consuming too much bandwidth on the WAN connection. You can reduce replication traffic across the link by configuring replication to occur less frequently. You can accomplish this by increasing the replication interval.

Another solution is to configure DC10 as an RODC. An RODC hosts a read-only copy of the Active Directory database and is typically deployed in branch office environments. Since no changes can be written to the RODC, replication traffic is unidirectional only. As a result, there will be less replication traffic on the WAN connection.

You should not enable universal group membership caching. This solution will not decrease the amount of replication traffic on the WAN connection. If universal groups are being used, a global catalog server must be available to enumerate universal group membership before you can be authenticated to the domain. Universal group caching ensures that users can log on even if a global catalog server is not available. This is useful in branch offices that are connected to head offices by slow WAN links.

You should not move the domain controllers into the same Active Directory site as the main office domain controllers. This solution will increase network traffic. If branch office domain controllers are in the same Active Directory site as the domain controllers physically located in the main office, replication traffic will increase. Replication within a site occurs more often than replication between sites.


Sub Objective(s):Configure sites.

References :AD DS: Read-Only Domain ControllersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true

Determining the ScheduleWindows Server 2008 Technical Library

Link: http://technet2.microsoft.com/windowsserver2008/en/library/afeaea89-8ca0-43ed-bd44-4c822d6535081033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your organization has a main office and a branch office. You have deployed Windows Server 2008 on all servers in your organization. You install Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), and Active Directory Domain Services (AD DS) on a server in the main office. You configure the server as a domain controller for the root domain in a new forest.

Your need to deploy a read-only domain controller (RODC) in the branch office.

What should you do?

In the list on the right, select the tasks that you should perform to deploy the RODC. Place your selections in the list on the left in the order in which you should perform them, with the first task at the top of the list. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :You should run dcpromo.exe to launch the Active Directory Domain Services Installation Wizard. This wizard allows you to configure a domain controller as an RODC. An RODC allows you to deploy a domain controller where physical security is not possible or where local storage of all domain passwords is not secure.

You should then select the Add a domain controller to an existing domain option under the Existing Forest section on the Choose a Deployment Configuration page.

You should not run azman.msc. The azman.msc command opens the Authorization Manager, which allows you to create, deploy, and maintain a new authorization store.

You should not select the Create a new domain in an existing forest option on the Choose a Deployment Configuration page. This option will configure the server as the first domain controller in the new domain, and you cannot configure the first domain controller as an RODC. The first domain controller can be configured as a global catalog server, but not as an RODC.



References :Steps for Deploying an RODCMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/8294cfa1-c828-4bba-82b2-e825e2f5a2401033.mspx?mfr=true

Guidelines for Deploying RODCsCourse 6043



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with three sites: Chicago, New York, and Atlanta. Your company is planning to implement smart card authentication. Certificate enrollment must meet the following requirements:

* User interaction should be minimized. * Certificates must use the Cryptographic Service Provider (CSP) installed by the manufacturer's software. * Smart card certificates must be valid for 2 years. * Smart card certificates must be able to protect e-mail.

You need to create the certificate template that will be used to issue smart card certificates.

What should you do?

1. Duplicate the existing Smart Card User certificate template.Change the CSP and the validity period.Select Enroll subject without requiring any user input.

2. Duplicate the existing Smart Card Logon certificate template.Change the CSP and the validity period.

3. Duplicate the existing Smart Card Logon certificate template.Change the CSP and the validity period.Select Enroll subject without requiring any user input.

4. Duplicate the existing Smart Card User certificate template.Change the CSP and the validity period.

<Correct>


* Duplicate the existing Smart Card User certificate template. * Change the CSP and the validity period.

The predefined Smart Card User certificate template allows users to log on and protect e-mail. When choosing a template to duplicate as a base for a custom template, you should choose the one closest in purpose to the certificate you need. You only need to change the CSP and the validity of the Smart Card User certificate for it to meet the requirements.

You should not duplicate the Smart Card Logon certificate template. The Smart Card Logon certificate cannot be used to protect e-mail.

You should not select Enroll subject without requiring any user input. The smart card administrator must be prompted to insert the smart card. Therefore, you cannot clear this option when creating the certificate template.


Sub Objective(s):Manage certificate templates.

Active Directory Certificate Services Longhorn Beta3 Certificate Templates WhitepaperMicrosoft DownloadsLink: http://www.microsoft.com/downloads/details.aspx?FamilyID=3c670732-c971-4c65-be9c-c0ebc3749e24&displaylang=en



______________________________________________________________________________________________________________________________________________

Your company has a main office and several branch offices. Servers are running Microsoft Windows Server 2008. Client computers are running Microsoft Windows XP Professional. Computers in all locations are members of a single domain. Each branch office is configured as a separate site with its own domain controllers.

Two additional branch offices have been opened, and you need to configure the site topology. You configure the two branch offices as separate sites. You discover that both locations are connected to the main office using T1 WAN connections that are already heavily used during business hours.

You need to configure the sites links for both locations to connect to the main office site. You do not want to consume additional bandwidth during busy times.

What should you do?

1. Create site links that use Remote Procedure Call (RPC) over IP. Configure the replication schedule so that replication can only occur only during non-business hours. <Correct>

2. Create site links that use Simple Mail Transfer Protocol (SMTP). Configure the replication schedule so that replication can only occur only during non-business hours.

3. Create site links that use Remote Procedure Call (RPC) over IP.

4. Create site links using Simple Mail Transfer Protocol (SMTP).

Explanation :You should create site links that use RPC over IP and configure the replication schedule so that replication can only occur only during non-business hours. By doing so, you will not consume additional bandwidth on the already heavily used WAN connections during business hours.

You should not create SMTP site links. SMTP provides limited replication functionality. SMTP does not support site link schedules, which means that you cannot schedule replication to occur during non-business hours. SMTP will not be supported in future versions of Active Directory Domain Services, and therefore it is not recommended as a replication transport method.

You should not just create site links that use Remote Procedure Call (RPC) over IP. You should not allow replication to occur during business hours. The WAN connection is already heavily used during business hours. Therefore, to optimize the existing bandwidth, replication should be scheduled to occur during non-business hours.



Creating a Site Link DesignWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/d35bcae0-fe46-4f6f-8cf2-df09e58965461033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network contains servers running Microsoft Windows Server 2008 and client computers running Windows XP Professional and Vista Enterprise. All computers are members of a single Active Directory domain named MedDev.com. MedDev has just acquired another company named GoShop, Inc. GoShop, Inc. has an existing Active Directory domain and Domain Name System (DNS) infrastructure that needs to remain in place. MedDev and GoShop, Inc. will each maintain its own DNS servers.

You want to optimize name resolution when users in MedDev access resources in GoShop,Inc. You want to accomplish this with the least amount of administrative effort.

What should you do?

1. Configure conditional forwarding on the DNS server at GoShop, Inc.

2. Send name resolution requests for hosts in GoShop, Inc. to a designated DNS server.

3. Forward all name resolution requests to a DNS server in GoShop, Inc.

4. Configure conditional forwarding on the DNS server at MedDev. <Correct>

5. Add a host name record to the root hints file that points to the DNS server in GoShop, Inc.

6. Create a stub zone on the DNS server in MedDev.

Explanation :You should configure conditional forwarding on the DNS server at MedDev. When the DNS server in MedDev receives a name resolution request for a host in GoShop, Inc. the request will be sent directly to the DNS server in GoShop, Inc. The DNS server in MedDev will not need to query root name servers to resolve the name resolution requests, thereby optimizing name resolution performance.

You should not add a host name record to the root hints file. Root hints are used by DNS servers to locate other authoritative DNS servers. Adding an entry to the root hints will allow the DNS server in MedDev to locate the server authoritative for GoShop, inc. However, by implementing conditional forwarding, the root hints file does not need to be parsed and authoritative DNS servers do not need to be queried.

You should not configure conditional forwarding on the DNS server at GoShop, Inc. You configure conditional forwarding on the DNS server in the domain where the requests will originate. You want name resolution requests originating in MedDev for hosts in GoShop, Inc. forwarded to the DNS server in GoShop, Inc. Therefore, you should configure conditional forwarding on the DNS server in MedDev.

You should not create a stub zone on the DNS server in MedDev. Stub zones ensure that DNS servers authoritative for a parent zone automatically receive updates about the DNS servers for child zones. Since the name resolution requests are for DNS clients in another network, you should use conditional forwarding.



References :Configure a DNS Server to use forwardersMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx?mfr=true

DNS Server Role

Windows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as a single Active Directory domain. You have not deployed a public key infrastructure (PKI) in the domain. The client computers on your network run either Microsoft Windows XP Professional or Windows Vista.

You need to provide secure communication with a server running Windows Server 2008. The solution must meet the following requirements:

* The connection must use end-to-end encryption. * Only those clients that you identify should be able to communicate with the server. * Changes to the network and to client computers needed to deploy the solution must be minimal.


1. Deploy a stand-alone Certificate Authority (CA). <Correct>

2. Configure an isolated subnet bounded by a firewall.

3. Issue only a server computer certificate.

4. Use Secure Socket Tunneling Protocol (SSTP).

5. Use IP Security (IPSec) authenticated by domain user account.

6. Use IP Security (IPSec) authenticated by client computer. <Correct>

7. Issue client and server computer certificates. <Correct>

8. Physically move the server running Windows Server 2008 to the isolated subnet.

9. Deploy an enterprise root Certificate Authority (CA).

Explanation :You need to deploy a stand-alone CA, issue client and server certificates, and use IPSec authenticated by client computer. IPSec authenticated by computer provides the security access and end-to-end encryption required by the solution. Mutual authentication is used when establishing the connection, so certificates are necessary on both the server and clients.

You should not deploy an enterprise root CA. This will require additional effort and changes to the network to secure the root CA and configure CAs to issue certificates.

You should not use IP Security (IPSec) authenticated by domain user account. This is supported for Windows Vista and Windows Server 2008 only, so the Windows XP clients would not be supported by this solution.

You should not use SSTP. This is a protocol used for configuring virtual private networks (VPNs). A solution using SSTP would require making more changes to the network infrastructure than necessary.

You should not configure an isolated subnet or move the server to an isolated subnet. Neither action is required by the solution.


Sub Objective(s):Configure CA server settings.

References :Security rules for Windows Firewall and for IPsec-based connections in Windows Vista and in Windows Server 2008Microsoft Help and SupportLink: http://support.microsoft.com/kb/942957

IPsec: Frequently Asked QuestionsMicrosoft TechNetLink: http://www.microsoft.com/technet/network/ipsec/ipsecfaq.mspx



______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office. The company's network consists of a single Active Directory domain at the Windows Server 2003 functional level. You install Windows Server 2008 on servers in the main office and Windows Server 2003 on servers in the branch office. The client computers in the main office run Windows Vista, and client computers in the branch office run Windows XP Professional.

You deploy Active Directory Rights Management Services (AD RMS) in the main office. However, you notice that no client computer in the branch office is able to protect its documents using the AD RMS service.

You need to fix the problem.

What should you do?

1. Raise the domain functional level to Windows Server 2008.

2. Upgrade all client computers in the branch office to Windows XP Professional Service Pack 2 (SP2).

3. Download and install the AD RMS client on all client computers in the branch office. <Correct>

4. Flush the RMS Message Queuing queue.

Explanation :You should download and install the AD RMS client on all client computers in the branch office. Windows Vista includes the AD RMS client by default. However, earlier versions of Windows do not have the RMS client installed. To use the AD RMS service on a Windows XP computer, you can download and install the RMS client from the Microsoft Download Center.

You should not upgrade all computers to Windows XP Professional Service Pack 2 (SP2). Versions of Windows released prior to Windows Vista and Windows Server 2008 do not have the RMS client installed. Therefore, upgrading the client computers in the branch office to Windows XP Professional SP2 will not be useful.

You should not raise the functional level to Windows Server 2008. All servers in this scenario are already using Windows Server 2003 as the functional level, which is enough to deploy AD RMS on your company's network. Therefore, raising the functional level to Windows Server 2008 will not fix the problem in this scenario.

You should not flush the RMS Message Queuing queue. You should flush the RMS Message Queuing queue to ensure that all messages are written to the RMS logging database when you are upgrading from RMS to AD RMS.



References :Active Directory Rights Management Services OverviewWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f-15b156a0b4e01033.mspx?mfr=true

Pre-installation Information for Active Directory Rights Management ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3-862c-7ea309ddb0ed1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company has a main office that consists of a single Active Directory domain. All servers on the network run Windows Server 2008. A server named SRV1DC is configured as a domain controller.

The company opens a new branch office at a different location. You configure a Read-Only Domain Controller (RODC) named SRV2RODC in the branch office. You must ensure that sensitive information is not replicated between SRV1DC and SRV2RODC.

What should you do?

1. Disable the Krbtgt account on SRV2RODC.

2. Configure the Password Replication Policy on SRV2RODC.

3. Disable the Replicator user group on SRV2RODC.

4. Configure the RODC filtered attribute set. <Correct>

Explanation :You should configure the RODC filtered attribute set. An RODC hosts read-only partitions of the Active Directory database. An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, except for account passwords. By default, an RODC does not store user or computer credentials except for its own computer account and the Krbtgt account. The Krbtgt account is a unique account that is used for Kerberos authentication. When you want to prevent replication of sensitive information, you should configure the RODC filtered attribute set. The RODC filtered attribute set is a set of attributes that you can configure in the schema to ensure that these attributes are not replicated to an RODC.

You should not disable the Krbtgt account on SRV2RODC. The Krbtgt account is used by an RODC for Kerberos authentication. Disabling the Krbtgt account will not prevent sensitive information from being replicated between a writable domain controller and an RODC.

You should not configure the Password Replication Policy on SRV2RODC. The Password Replication Policy determines if an RODC should be allowed to cache a password. The Password Replication Policy lists the accounts for which passwords are permitted to be cached and accounts that are explicitly denied from having their passwords cached. The Password Replication Policy is configured and enforced on a writable domain controller.

You should not disable the Replicator user group on SRV2RODC. The Replicator user group supports file replication in a domain. Disabling the Replicator user group will not ensure that sensitive information is not replicated between a writable domain controller and an RODC.



References :AD DS: Read-Only Domain ControllersMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true

Appendix D: Steps to Add an Attribute to the RODC Filtered Attribute SetMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/f62c9720-a5c3-40c9-aa40-440026f585e91033.mspx?mfr=true

Step-by-Step Guide for Read-only Domain ControllersMicrosoft TechNetLink:

http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

How To Manage RODCsCourse 6043



______________________________________________________________________________________________________________________________________________

Your company's network is configured as an Active Directory domain. CA1 is an Enterprise subordinate Certification Authority (CA) running Windows Server 2008. You issue a large number of smart card certificates.

You need to create a backup copy of only the CA and the certificates database.


1. Log on as a member of the Backup Operators group. Use certutil with the -backup option. <Correct>

2. Log on as a member of the Administrators group. Use xcopy to back up the directory where certificates are stored.

3. Log on as a member of the Administrators group. Use certutil with the -store option.

4. Log on as a member of the Administrators group. Use Certificates to export the private keys.

5. Log on as a member of the Backup Operators group. Use Certification Authority to back up the CA database. <Correct>


* Log on as a member of the Backup Operators group. * Use Certification Authority to back up the CA database.

You can use the Backup CA command in Certification Authority to back up only the CA and the certificates database. You must be a member of the Backup Operators group to perform this task.

Another way to perform the task is to use certutil with the -backup option to back up the CA and the certificates database. You must be a member of the Backup Operators group to perform this task. You should usually use the Backup utility to back up the CA database along with the server's configuration. However, in some situations, such as when you issue a large number of certificates, you might want to back up only the CA database. In this situations, use either Certification Authority or certutil.

You should not perform the following tasks:

* Log on as a member of the Administrators group. * Use xcopy to back up the directory where certificates are stored.

To back up the CA, you must use Certification Authority, certutil, or Backup. You cannot just use xcopy to copy the directory where certificates are stored.


* Log on as a member of the Administrators group. * Use Certificates to export the private keys.

A backup of the CA must include more than just private keys. It must include the certificate database, the CA's signing certificate, and the CA's private key. Therefore, you cannot back up the database by exporting private keys.

You should not use the certutil command with the -store option. The -store option is used to view the certificates stored in a specific store.



References :Backing up and restoring a certification authorityMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/69e3aa8e-800c-435e-920a-f5eb2ac2a9ed1033.mspx?mfr=true

Back Up a Certification AuthorityWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/25fbd545-9aa8-4e2a-a9bc-eac92cf8bd401033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You recently installed Microsoft Windows Server 2008 on all network servers. Client computers are running Microsoft Windows XP Professional and Windows Vista Enterprise. The network consists of a single forest. There are four child domains - one for each branch office. Each domain has two domain controllers.

One of the domain controllers in a branch office has lost connectivity to the network. You want to remove the domain controller from the domain and replace it with a new server.

What should you do?

1. Launch dcpromo and remove the domain controller from the existing domain.

2. Run the dcpromo /demotion command at the command prompt and then perform a metadata cleanup.

3. Launch dcpromo and select the option to delete the domain.

4. Run the dcpromo /forceremoval at the command prompt and then perform a metadata cleanup. <Correct>

Explanation :Since the domain controller that you want to remove from the domain has lost connectivity to the network, you must force the removal of the domain controller from the domain. A domain controller is forcibly removed from a domain using the dcpromo / forceremoval command at the command prompt. After you remove the domain controller, you must manually perform a metadata cleanup.

You should not run the dcpromo /demotion command at the command prompt. The demotion option is used to remove a domain controller from a domain when the domain controller still has network connectivity to the domain.

You should not launch dcpromo and select the option to delete the domain. The scenario indicates that only the domain controller needs to be removed, not the entire domain. This solution will completely remove the domain from the forest.

You should not launch dcpromo and remove the domain controller from the existing domain. This removal method can only be used when removing a domain controller that still has connectivity to the domain.



References :Forcing the Removal of a Windows Server 2008 Domain ControllerWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ae4dd0e3-2019-4278-8efd-61c36ba9e1c01033.mspx?mfr=true

Steps for Removing AD DSWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/9260bb40-a808-422f-b33b-c3d2330f5eb81033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

A computer running Microsoft Windows Server 2008 is configured as a domain controller. The computer also supports other services, including the Dynamic Host Configuration Protocol (DHCP) service.

You need to move the Active Directory database on the computer. You must minimize the impact on the other services running on the computer.

What should you do first? (Each correct answer presents a complete solution. Choose two.)

1. Run Dcpromo to force removal of the Active Directory Domain Services (AD DS) role.

2. Run Ntdsutil to compact the database.

3. Use Computer Manager to stop the Active Directory service. <Correct>

4. Restart the domain controller in Directory Services Restore Mode (DSRM).

5. Run Net stop to stop the Active Directory service. <Correct>

Explanation :You should either use Computer Manager or the Net stop command to stop the Active Directory service. Windows Server 2008 supports restartable AD DS, which lets you perform some types of maintenance, including offline database compaction and movement, without affecting other services running on the computer.

You should not restart the domain controller in DSRM. This would allow you to compact the database, but it would also prevent users from accessing the other services supported on the computer.

You should not run Ntdsutil first. You need to first stop AD DS. Then you can use Ntds to compact and then move the database.

You should not run Dcpromo to force removal of the AD DS role. There is no reason to remove the role. You can move the database without doing this.



References :Windows Server 2008 Restartable AD DS Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true

Compact the directory database file (offline defragmentation)Microsoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

Module 4: Active Directory Domain ServicesCourse 6416A



______________________________________________________________________________________________________________________________________________

All servers on your company's network run Windows Server 2008. You have configured a scheduled backup on each server. The company requires you to modify the scheduled backup settings on a file server named FileSrv.

Before modifying the settings on FileSrv, you want to view a list of currently scheduled backup settings.

What should you do?

1. Run the Wbadmin start backup command without any parameter.

2. Run the Wbadmin start backup command with the -include parameter.

3. Run the Wbadmin enable backup command with the -schedule parameter.

4. Run the Wbadmin enable backup command without any parameter. <Correct>

Explanation :You should run the Wbadmin enable backup command without any parameter. The Wbadmin enable backup command can be used to create a daily backup schedule or modify an existing backup schedule. This command can also be used to create customized backups. When the Wbadmin enable backup command is run without any parameters, it displays the currently scheduled backup settings.

You should not run the Wbadmin enable backup command with the -schedule parameter. The -schedule parameter is used to specify comma-delimited times of day in HH:MM format for backup.

You should not run the Wbadmin start backup command with the -include parameter or without any parameter. The Wbadmin start backup command is used to run a backup by using specified parameters. The -include parameter specifies a list of volume drive letters, volume mount points, or GUID-based volume names to include in the backup. The Wbadmin start backup command cannot be used to display a list of currently scheduled backup settings. When you run the Wbadmin start backup command without any parameters, the command runs the backup by using the settings for the scheduled backup.



References :Wbadmin enable backupWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/c0e57f8a-70fa-4c60-9754-e762e8ad87721033.mspx?mfr=true

WbadminWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/4b0b3f32-d21f-4861-84bb-b2eadbf1e7b81033.mspx?mfr=true

How To Back Up AD DCsCourse 6043



______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office. Each office has its own Active Directory domain in a single forest. Each office has three departments: sales, payroll, and marketing. All servers on the company's network run Windows Server 2008.

You want to deploy Active Directory Rights Management Services (AD RMS) to safeguard all sensitive information on your company's network.

You need to secure all documents and provide user authentication in both the main office domain and the branch office domain only for the sales and payroll departments.


1. Configure the users in the sales and payroll departments in both offices to use the AD RMS server in the main office.

2. Set up a separate AD RMS server in each office. <Correct>

3. Set up a single AD RMS server in the main office.

4. Configure the users in the sales and payroll departments in both offices to use the AD RMS server in their respective offices. <Correct>

5. Install the AD RMS role on the domain controller in the main office.

Explanation :You should set up a separate AD RMS server in each office, and configure the users in the sales and payroll departments in both offices to use the AD RMS server in their respective offices to achieve the objective in this scenario. You must install AD RMS server as a member server in the same Active Directory Domain Services (AD DS) domain that contains the user accounts that will be accessing the content protected by AD RMS. AD RMS can be used to protect all sensitive information on your company's network.

You should not set up a single AD RMS server in the main office and configure the users in the sales and payroll departments in both the offices to use the AD RMS server in the main office. When you deploy AD RMS in your company's network, you must create a separate AD RMS service for each domain's users. You cannot create a single AD RMS server for two or more separate domains.

You should not install the AD RMS role on the domain controller in the main office. You cannot create a single AD RMS server for two or more separate domains.



References :Pre-installation Information for Active Directory Rights Management ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3-862c-7ea309ddb0ed1033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. All member servers are located in a MemberServers organizational unit (OU).

A member server contains a folder named Confidential. The Confidential folder contains documents that no temporary employee should be allowed to access regardless of their membership in other groups.

You need to prevent temporary employees from accessing files in the Confidential folder.

What should you do?

1. Create a local group named Temps on the file server.Create a security policy that denies the Read access on the Confidential folder to the Temps group.Apply the security policy to the file server.

2. Create a domain local group named Permanent and add all permanent employees to it.Create a Group Policy object (GPO) named DenyTemps and link it to the domain.In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.

3. Create a domain local group named Temps and add all temporary employees to it.Create a Group Policy object (GPO) named DenyTemps and link it to the domain.In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Temps group.

<Correct>

4. Create a local group named Permanent on the file server and add all permanent employees to it.Create a Group Policy object (GPO) named DenyTemps and link it to the domain.In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.


* Create a domain local group named Temps and add all temporary employees to it. * Create a GPO named DenyTemps and link it to the domain. * In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Temps group.

The File System policy in a GPO allows you to globally manage permissions for a file system folder. You can allow access or deny access to a domain group, but it is recommended that you use a domain local group for better manageability. When you deny access, it takes precedence over all other permissions granted to that user or to a group to which that user belongs.


* Create a local group named Temps on the file server. * Create a security policy that denies the Read access on the Confidential folder to the Temps group. * Apply the security policy to the file server.

The File System policy is not available in a security policy that you apply locally. It is only available in a GPO.


* Create a domain local group named Permanent and add all permanent employees to it. * Create a GPO named DenyTemps and link it to the domain. * In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.

The deny permission takes precedence over all other permissions. Because all users belong to the Domain Users group, taking these steps will deny permissions to all users, including those who should otherwise be granted access to the files.


* Create a local group named Permanent on the file server and add all permanent employees to it. * Create a GPO named DenyTemps and link it to the domain. * In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.

You cannot assign local groups permissions using the File System policy. You can only assign domain groups permission using the File System policy.



Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1Microsoft DownloadsLink: http://www.microsoft.com/downloads/details.aspx?FamilyID=2043b94e-66cd-4b91-9e0f-68363245c495&DisplayLang=en



______________________________________________________________________________________________________________________________________________

You are configuring a network as a single Active Directory domain. Your network includes several branch offices connected by low-bandwidth, on-demand links.

You need to ensure that users in the branch offices are able to log onto the domain. You want to keep the effort required to configure and manage the network to a minimum. You also want to keep network traffic to these remote offices to a minimum during normal operations.

What should you do?

1. Deploy a DNS-stub zone in each of the branch offices.

2. Enable logon caching on clients in the branch offices.

3. Deploy a read-only domain controller (RODC) configured as a global catalog server in each office. <Correct>

4. Configure each branch office as a child domain.

Explanation :You should deploy a read-only domain controller (RODC) configured as a global catalog server in each office. The RODC will support unlimited user logons between connections with the main office. You can configure the RODC as a global catalog server during promotion to domain controller. When using an RODC in each branch, each branch must be configured as a different site.

Enabling logon caching is not a fully reliable solution. No matter how high you set the logon cache limit, users will be limited to no more than 50 cached logons. Depending on how often the branch office connects to the main office, this could become a problem.

There is no reason to deploy a DNS-stub zone in the branch offices. A DNS-stub zone provides pointers to authoritative DNS servers, but it does nothing to enable local support for logon. It is often useful to deploy a stub zone in a branch office to direct DNS requests to the appropriate DNS server.

You should not configure each branch office as a child domain. This increases the administrative overhead because each of the branch offices must be maintained separately.



References :Windows Server 2008 in Branch OfficesMicrosoft.comLink: http://www.microsoft.com/windowsserver2008/branch-office.mspx

Cached domain logon informationMicrosoft Help and SupportLink: http://support.microsoft.com/kb/172931

What's New in AD DS Installation and RemovalMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/e5bf22f7-f617-4820-a6d0-6271e3b80fe41033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory forest. All servers on the network are running Windows Server 2008. You install the Active Directory Federation Services (AD FS) server role on a computer named FedSrv. You install Windows SharePoint Services (WSS) on a computer named WSS1. FedSrv and WSS1 are members of a domain in the forest. The network also contains a stand-alone server.

You configure FedSrv to enable users from a partner organization to access a Web application in your network. You want to install the Federation Service Proxy to forward credentials of users and Web applications to the Federation Services server on their behalf.

Where should you install the Federation Service Proxy?

1. Install the Federation Service Proxy on WSS1.

2. Install the Federation Service Proxy on a domain-based computer that does not have AD FS or WSS installed. <Correct>

3. Install the Federation Service Proxy on FedSrv.

4. Install the Federation Service Proxy on the stand-alone server.

Explanation :You should install the Federation Service Proxy on a domain-based computer that does not have AD FS or WSS installed. The Federation Service Proxy collects user credentials from browser clients and Web applications and forwards the credentials to the federation service. The Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running WSS. AD FS allows browser-based clients to access protected Internet-facing applications without having to supply additional credentials, even if the user accounts and applications are in different networks or organizations.

You should not install the Federation Service Proxy on FedSrv or WSS1. The Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running WSS.

You should not install the Federation Service Proxy on a stand-alone computer. This will not allow the Federation Service Proxy to collect and forward user credentials to the Federation Service server.



References :Active Directory Federation Services OverviewMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d31033.mspx

Step 1: Preinstallation TasksMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true

Phases of Setting Up Windows Server 2008Course 6042



______________________________________________________________________________________________________________________________________________

Your company's network includes four domains. Each domain is located at a different site and is managed by a different group of administrators. The file servers in each domain are stored in the FileServers organizational unit (OU).

The company has a set of security policies that must be implemented on all file servers company-wide. These policies include audit policies, restricted groups, and user rights assignments.

You need to implement these security policies.

What should you do?

1. Use Group Policy Editor to create an ADMX file and import it to the central store. Instruct administrators for each domain to create a Group Policy object (GPO) using the ADMX file and link it to the FileServers OU.

2. Use Group Policy Editor to create an ADM file and import it to the central store. Instruct administrators for each domain to create a Group Policy object (GPO) using the ADM file and link it to the FileServers OU.

3. Use Security Configuration and Analysis to create a security policy. Instruct administrators for each domain to create a Group Policy object (GPO), import the security policy, and link it to the FileServers OU.

4. Use Security Templates to create a security policy. Instruct administrators for each domain to create a Group Policy object (GPO), import the security policy, and link it to the FileServers OU. <Correct>


* Use Security Templates to create a security policy. * Instruct administrators for each domain to create a GPO, import the security policy, and link it to the FileServers OU.

You can use Security Templates to create a security policy that contains settings for any policy in the Computer Configuration | Security Settings node. Administrators can apply a security policy to a computer or deploy it by importing it to a GPO.

You should not create an ADMX file and store it in the central store. An ADMX file is a file that defines an Administrative Template. An Administrative Template defines settings that can be implemented through GPOs and where they are stored in the Registry. It does not contain values for Security Settings.

You should not create an ADM file and store it in the central store. An ADM file is the legacy format for Administrative Templates. It does not contain values for Security Settings and cannot be stored in the central store.

You should not use Security Configuration and Analysis to create a security policy. Security Configuration and Analysis can import a policy or analyze a system against a policy. It cannot be used to create a security policy.


Sub Objective(s):Configure GPO templates.

Server Security Policy Management in Windows Server 2008Windows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/6a85b0ac-2e0a-4a53-9379-b0b3140179601033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. All servers on the network run Windows Server 2008. A server named DC1 is configured as a domain controller, and a server named DNS1 is configured as a Domain Name System (DNS) server and stores an Active Directory-integrated zone.

The company opens a new branch office at a physically insecure location. You need to provide name resolution services to the users in the branch office without compromising the security of the Active Directory database.

What should you do?

1. Install a read-only domain controller (RODC) in the branch office. <Correct>

2. Install the DNS role on a member server in the branch office and create a primary zone.

3. Install a writable domain controller in the branch office and create an Active Directory-integrated zone.

4. Install the DNS role on a standalone computer in the branch office and create a stub zone.

Explanation :You should install a read-only domain controller (RODC) in the branch office. An RODC is a shadow copy of a domain controller that cannot be directly configured. This makes it less vulnerable to network threats. You can install an RODC in a location that is not physically secure enough for a domain controller. To support RODC in a network, the DNS server running Windows Server 2008 supports a new type of zone called a primary read-only zone or a branch office zone. When a computer becomes an RODC, it receives a full read-only copy of all of the application directory partitions that DNS uses, including the domain partition, ForestDNSZones, and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions.

You should not install the DNS role on a standalone computer in the branch office and create a stub zone. Stub zones contain only those resource records that identify the authoritative DNS servers for that zone. A stub zone does not contain a full read-only copy of zone.

You should not install the DNS role on a member server in the branch office and create a primary zone. A standard primary zone is not a read-only zone and can be modified. A standard primary zone stores the DNS zone information in a .dns text file instead of in Active Directory.

You should not install a writable domain controller in the branch office and create an Active Directory-integrated zone. An Active Directory-integrated zone stores zone data in Active Directory. Active Directory-integrated zones provide name resolution even if a Wide Area Network (WAN) link is temporarily unavailable between domains, as long as each domain has an authoritative DNS server installed on a domain controller. In this scenario, the branch office is located at a physically insecure location. Therefore, installing a writable domain controller in the branch office can compromise the security of the Active Directory database.


Sub Objective(s):Configure zone transfers and replication.

References :DNS Server RoleWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true

New features for DNSMicrosoft TechNetLink:

http://technet2.microsoft.com/WindowsServer/en/library/f031ac33-23f7-4fb8-9bfc-4947cb9959fb1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You used Dsdbutil to create a back up of Active Directory Lightweight Directory Services (AD LDS) to removable media. You need to restore this copy to a server running Microsoft Windows Server 2008 configured with the Active Directory Domain Services (AD DS) and AD LDS roles.

What should you do?

In the list on the right, select the steps necessary to restore the LDS instance. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You may not need to use all of the items from the list on the right.

Explanation :The steps necessary to restore from a backup made with Dsdbutil are:

Stop the AD LDS service.Copy the instance data using Xcopy.Start the AD LDS service.

You must stop the AD LDS server before copying the instance data. Use Xcopy to copy the data to the LDS data directory The default location of this directory is:

%ProgramFiles%\Microsoft ADAM\<instance_name>\data

Replace <instance_name> with the LDS instance name.

You cannot use Windows Server Backup to restore from a backup created with Dsdbutil.

It is not necessary to stop and later start the AD DS service to restore LDS instance data.



References :Appendix B: Restore an AD LDS Instance with a Backup Taken with Dsdbutil.exeMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/2294e21c-eede-4dbf-9f29-135b65b2b2c61033.mspx?mfr=true

Step 2: Restore AD LDS Instance DataMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/3c586656-271f-4f8e-9f9c-62400e55ce0b1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. Your network does not currently have a Public Key Infrastructure (PKI).

You plan to implement Internet Protocol Security (IPSec) on the network. You will use certificates for authentication.

You want to deploy certificates using automatic enrollment. Only a single server can be configured to run Certificate Services.

What should you do?

1. Install a standalone issuing certificate authority (CA).

2. Install an Enterprise root certificate authority (CA). <Correct>

3. Install an Online Responder.

4. Install a standalone root certificate authority (CA).

Explanation :You should install an Enterprise root CA. Automatic enrollment is configured using certificate templates. Certificate templates are only supported by Enterprise CAs because they depend on Active Directory. Because you are installing only one CA, you must install it as a root CA.

You should not install a standalone root CA. You would install a standalone root CA if you did not have an Active Directory network or if you needed to be able to take the root CA offline. Standalone CAs do not support automatic enrollment on certificate templates.

You should not install an Online Responder. An Online Responder is used to respond to certificate verification requests. It cannot be the only server in a PKI because it must receive a certificate from an enterprise issuing CA.

You should not install a standalone issuing CA. An issuing CA is a CA that issues certificates. However, you cannot install a standalone issuing CA because you need Active Directory to support automatic enrollment.



References :Active Directory Certificate Services Longhorn Beta3 Certificate Templates WhitepaperMicrosoft DownloadsLink: http://www.microsoft.com/downloads/details.aspx?FamilyID=3c670732-c971-4c65-be9c-c0ebc3749e24&displaylang=en

Defining CA Types and RolesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/1b28424c-8c62-44b6-a24f-8ea06ac5832b1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your organization has a single forest environment which includes computers running Windows Server 2003.

You plan to create a new child domain by installing a computer running Windows Server 2008 as a domain controller. You also need to configure the computer as a global catalog server.

What should you install on the Windows Server 2008 computer to create the first Windows Server 2008 domain controller?

1. Active Directory Federation Services (AD FS)

2. Active Directory Lightweight Domain Services (AD LDS)

3. Active Directory Domain Services (AD DS) <Correct>

4. Active Directory Certificate Services (AD CS)

Explanation :You should install AD DS on the Windows Server 2008 computer to configure it as the first Windows Server 2008 domain controller. AD DS stores information about objects on the network. After installing the AD DS server role, you should run the Active Directory Domain Services Installation Wizard from the Administrative Tools folder to further promote the server as a fully functional domain controller. When installing and configuring the first Windows Server 2008 domain controller, the Active Directory Domain Services Installation Wizard will also configure the server as a global catalog server.

You should not install AD FS. The AD FS server role provides secured identity federation and Web single sign-on (SSO) capabilities.

You should not install AD CS. The AD CS server role is used to create and manage certification authorities and related components.

You should not install AD LDS. The AD LDS server role provides a store for application-specific data for directory-enabled applications.



References :Scenarios for Installing AD DSMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/708da9f7-aaad-4fa1-bccb-76ea8569da501033.mspx?mfr=true

The Process of Installing Domain ControllersCourse 6043



______________________________________________________________________________________________________________________________________________

Your company hires many employees each month. The human resource manager typically gives you a Microsoft Office Excel workbook with the pertinent information about 30 to 40 new employees each month.

You need to minimize the amount of effort required to create user accounts for new employees.

What should you do?

1. Create a user account and disable it. Use the user account as a template.

2. Create a user account. Copy it and rename it for each user.

3. Use the Active Directory Migration Tool to create the user accounts.

4. Create a PowerShell script to import the accounts. <Correct>

Explanation :You should create a PowerShell script to import the accounts. Windows Server 2008 includes PowerShell, which is a powerful tool for creating scripts that can be used to perform a large number of tasks, including managing user accounts and importing them from a file.

You should not create a user account, disable it, and then use the user account as a template. Although this procedure would work, it would require much more effort each month than importing the users from the file provided by human resources.

You should not use the Active Directory Migration Tool (ADMT) to create the user accounts. ADMT is used to migrate users between domains, not to import users from a file.

You should not create a user account, copy it, and rename it for each user. While this would work, it would require more effort each month than importing the user accounts from a script.


Sub Objective(s):Automate creation of Active Directory accounts.

Windows PowerShellWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/add493f5-e54b-4033-a6a0-567900d787211033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network has four Active Directory domains and four locations. The domain controllers are shown in the exhibit.

All users need frequent access to resources in stayandsleep.com. Users in Atlanta need frequent access to resources in Atlanta, Chicago, and Des Moines. Users in other offices need access only to resources in their own domains and in stayandsleep.com.

You need to configure DNS to allow users to resolve the names of the resources they use most frequently using a local DNS server. Your solution must minimize data transfer across the link between Europe and the United States.

What should you do?

1. Create an Active Directory-Integrated primary zone for each domain. Install DNS on a domain member on each continent. Configure a secondary zone on those domain members. Configure zone transfer.

2. Create a standard primary zone for each domain. Install DNS on a domain member on each continent. Configure a secondary zone on those domain members. Configure zone transfer.

3. Install DNS on all domain controllers and create an Active Directory-Integrated zone for each domain. Specify All DNS servers in the domain that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope for each zone.

4. Install DNS on all domain controllers and create an Active Directory-Integrated zone for each domain. Create application directory partitions to meet replication requirements. Specify All domain controllers in a specified application directory partition as the replication scope for each zone. <Correct>


* Install DNS on all domain controllers and create an Active Directory-Integrated zone for each domain. * Create application directory partitions to meet replication requirements. * Specify All domain controllers in a specified application directory partition as the replication scope for each zone.

An Active Directory-Integrated zone is replicated along with other Active Directory data. You can limit the scope of replication by creating application directory partitions to meet replication requirements and selecting All domain controllers in a specified application directory partition as the replication scope.


* Install DNS on all domain controllers and create an Active Directory-integrated zone for each domain. * Specify All DNS servers in the domain that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope for each zone.

When you specify this option, DNS data is replicated only within the domain. In this example, users in Atlanta would not be able to resolve the names of resources in stayandsleep.com or midwest.stayandsleep.com locally.

You should not use secondary zones. Active Directory replication is more efficient than zone transfer because data is replicated using the replication topology. Therefore, you do not need to separately manage a zone transfer topology. Also, Active Directory replication is more secure than zone transfer. Finally, Active Directory replication allows for incremental replication of only the changes that have occurred.



References :Understanding DNS Zone Replication in Active Directory Domain ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e93c32c9-0c5c-4822-9c84-d464658d6ed31033.mspx?mfr=true

Understanding Active Directory Domain Services IntegrationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/427144ca-37ce-4db7-a611-605338ec01ca1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as a single Active Directory forest with two domains: DomA and DomB. DomA-DC2 is configured as the schema master. DomA-DC2 and DomB-DC2 are configured as infrastructure masters. Denver and New York are both connected to Chicago using a high-speed link. There is no physical connection between Denver and New York. The site topology for the network is shown in the exhibit. The Bridge All Site Links option is not enabled.

An administrator in Denver attempts to install an application. The installation fails with the error "Cannot extend the schema" You realize that the connection between New York and Chicago has failed.

You need to enable the administrator in Denver to install applications that modify the schema even if the link between New York and Chicago goes down.

What should you do?

1. Transfer the schema master role to DomA-DC1. <Correct>

2. Transfer the infrastructure master role to DomB-DC1.

3. Add the infrastructure master role to DomB-DC1.

4. Add the schema master role to DomB-DC2.

Explanation :You should transfer the schema master role to DomA-DC1. The problem is occurring because DomB-DC1 cannot access the schema master in New York. By positioning the schema master in the hub site, you make it accessible to all sites.

You should not add the schema master role to DomB-DC2. The schema master role is a forest-wide role and can only be held by one domain controller in the forest.

You should not transfer the infrastructure master role to DomB-DC1. The infrastructure master is responsible for keeping track of security principals from other domains who are members of groups in the domain to which the infrastructure master belongs. Being unable to contact the infrastructure master will not prevent an application from extending the schema.

You should not add the infrastructure master role to DomB-DC1. The infrastructure master role is a domain-wide role and can only be assigned to one domain controller in the domain.



Planning Operations Master Role PlacementWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e2616396-12e6-4bad-a081-f94c032887101033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is implemented as a single Active Directory domain. All domain controllers are running Windows Server 2008.

Your company wants to require users to change their passwords at least every 60 days. A user should not be able to reuse a password within six months.

You need to configure account policies.

What should you do?

1. Set the following policies:Enforce user logon restrictions = trueMaximum password age = 60Minimum password age = 30

2. Set the following policies:Enforce password history = 180Enforce user logon restrictions = trueMaximum password age = 60

3. Set the following policies:Enforce password history = 3Maximum password age = 60Minimum password age = 45

4. Set the following policies:Enforce password history = 6Maximum password age = 60Minimum password age = 30

<Correct>

Explanation :You should set the following policies:

* Enforce password history = 6 * Maximum password age = 60 * Minimum password age = 30

The Enforce password history policy determines the number of passwords that a user must use before recycling a password. The Minimum password age determines the number of days that must pass between password changes. Therefore, setting Enforce password history to 6 and Minimum password age to 30 requires 180 days before a password can be reused. The Maximum password age determines the maximum number of days a password can be used before it is changed.

You should not set the following policies:

* Enforce password history = 3 * Maximum password age = 60 * Minimum password age = 45

These policies would allow a user to reuse a password after 3 * 45 days or 135 days.


* Enforce user logon restrictions = true * Maximum password age = 60 * Minimum password age = 30

These policies do not define the Enforce password history policy. Therefore, a password can be reused immediately. The Enforce user logon restrictions policy determines whether the Kerberos Key Distribution Center (KDC) verifies user rights each time a user requests a session ticket. It

does not affect password expiration.


* Enforce password history = 180 * Enforce user logon restrictions = true * Maximum password age = 60

The Enforce password history policy defines the number of passwords that must be used before a password can be reused. It must be set to a value between 0 and 24.


Sub Objective(s):Configure account policies.




______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization. You recently installed the Windows Server Backup feature by using Server Manager on a Windows Server 2008 server.

You need to set up and run scheduled backups that back up the full server to external disks at 9:00 P.M. You have connected an external disk to the server that supports universal serial bus (USB) 2.0.

What should you do?

In the list on the right, select the tasks that you should perform to set up a scheduled backup. Place the tasks in the order in which you should perform them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. Place the first task that you should perform at the top of the list. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :You should perform the following steps to set up and run scheduled backups for the full server to external disks:

* Select Backup Schedule from the Actions pane in the Windows Server Backup snap-in. This will start the Backup Schedule Wizard on Windows Server 2008, which allows you to schedule a backup for one time or multiple times. Once the backup schedule is in place, backups will run automatically at the scheduled time. By default, the backup is scheduled to run at 9:00 P.M. each day. * Click Next on the Getting Started page in the Backup Schedule Wizard. This page provides general information on how to use the Wizard to schedule backups. * Select the recommended option on the Select backup type page and click Next. This page allows you to select the type of backup that you are scheduling. By default, Full Server backup is selected. This is also a recommended type of backup when you are using the Backup Schedule Wizard. Full server backup allows recovery of the operating system state, as well as files, folders, and application data by creating snapshots of the full server at specific intervals. * Select the default on the Specify backup time page and click Next. The Specify backup time page allows you to choose how often you want to perform backups and at what time. By default, the Once a day option is selected under How often do you want to run backups? and 9:00 P.M. is selected in the Select time of day drop-down box. * Select the external disk on the Specify target disk page, and then click Next. The Specify target disk page allows you to choose where to save the backup. Once the decision is made about what data should be backed up, the next step is to determine where to store the backup. Options for storage include external or internal hard drives, CDs, DVDs, or USB flash drives.

You should not select the Custom option on the Select backup type page and click Next. This option should be selected when you want to back up only selected volumes, or if you want to exclude some volumes from scheduled backups.



References :Windows Server 2008 Backup and Recovery Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/00162c92-a834-43f9-9e8a-71aeb25fa4ad1033.mspx




______________________________________________________________________________________________________________________________________________

All servers on your company's network run Windows Server 2008. A server named DC1 has Active Directory Domain Services (AD DS) installed. You have configured a scheduled backup to be performed every day on DC1.

Some users report that searching for resources in the Active Directory takes a considerable amount of time. To resolve this problem, you need to perform an offline defragmentation of the Active Directory database.

Which steps should you perform to achieve the desired goal?

In the list on the right, select the correct steps. Place your selections in the list on the left in the order in which they should be performed. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :You should perform the following steps to perform an offline defragmentation of AD DS in Windows Server 2008:

* Stop the Active Directory Domain Services (AD DS) service. * Run the Compact to command at the Ntdsutil file maintenance prompt. * Delete all the log files in the log directory. * Copy the compacted Ntds.dit file to the original location. * Run the Integrity command at the Ntdsutil file maintenance prompt. * Restart the AD DS service.

When you perform offline defragmentation of the directory database file, a new compacted version of the database file is created in a different location. In Windows Server 2008, you can perform offline defragmentation of the AD DS directory database by stopping the AD DS service, performing the offline defragmentation, and starting the AD DS service. To perform an offline defragmentation of the AD DS database, you should first stop the AD DS service. You should run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the Ntds.dit file at the location specified in the Compact to command. If defragmentation completes successfully, you should delete all of the log files in the log directory. You should then manually copy the compacted database file to its original location. After copying the compacted Ntds.dit file to its original location, you should perform the integrity check on the database. If the integrity check succeeds, you should restart the AD DS service.

You should not restart the server in Directory Services Restore Mode because it is not required in Windows Server 2008. The Restartable AD DS feature in Windows Server 2008 allows you to perform an offline defragmentation of the AD DS database without restarting the domain controller in Directory Services Restore Mode.



References :Compact the directory database file (offline defragmentation)Microsoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

Windows Server 2008 Restartable AD DS Step-by-Step GuideWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true

What Are Restartable AD DS?

Course 6043



______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in your organization. Your organization has purchased a new computer to support File Services. Another Windows Server 2008 server exists in the organization that has File Services installed on it.

You need to perform a full system backup and then decommission the existing server before installing File Services on the new server.

In the list on the right, select the steps that you should take to perform a full system backup. Place your selections in the list on the left in the order in which you should perform them, and place the first step that you should take at the top of the list. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :You should take the following steps to perform a full system backup:

* Select Backup once from the Actions pane in the Windows Server Backup snap-in. You should click the Backup once link in the Actions pane to start the Backup Once Wizard to perform a full system backup. * On the Backup options page, choose Different options and then click Next. When creating a backup by using the Backup Once Wizard, you should select Different options; this will allow you to choose the items to back up and the location to store the backup items. * Select the recommended option on the Select items page and click Next. The Select items page allows you to choose the type of backup, such as Full Server or Custom, that you want to perform. By default, the Full server (recommended) option is selected. * Select Local drives on the Specify location type page, and then click Next. You should select the Local drives option to store the backup in the local disk or on the DVD drive. You can also select Remote shared folder when choosing the type of storage for the backup.

You should not select Backup Schedule from the Actions pane in the Windows Server Backup snap-in, because this will schedule the backup for a later time in the day. As mentioned in the scenario, you need to perform a full system backup and then decommission the server immediately after the backup is finished. Therefore, you should run the Backup Once Wizard to perform a full system backup.

You should not click Next on the Getting Started page in the Backup Schedule Wizard, because this page is only available when running the Backup Schedule Wizard. In this scenario, you should run the Backup Once Wizard to perform a full system backup, because you need to decommission the server immediately after the backup is finished.

You should not select the recommended option on the Select backup type page and click Next, because this page is only available when running the Backup Schedule Wizard, In this scenario, you should run the Backup Once Wizard to perform a full system backup, because you need to decommission the server immediately after the backup is finished.



References :Windows Server 2008 Backup and Recovery Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/00162c92-a834-43f9-9e8a-71aeb25fa4ad1033.mspx




______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. All domain controllers are running Microsoft Windows Server 2008. Client computers are running Windows XP Professional.

The company has recently acquired a subsidiary company. You need to create user accounts within your company's existing domain for all users from the subsidiary. You have a comma separated value (CSV) file that contains all the names of all user accounts that need to be added.

You need to import the user accounts into the domain.


1. csvde <Correct>

2. ADSI Edit

3. dsadd

4. ldifde

Explanation :You should use csvde to import the accounts into Active Directory. Csvde is used to import and export data that is stored in comma separated value (CSV) format. You can also perform batch operations such as adding new users and updating properties by using the CSV file. For example, you can create multiple user accounts in a single batch operation.

You should not use dsadd. Dsadd is a command line tool used to create objects, such as computer accounts, in Active Directory. However, it can not be used to import accounts into Active Directory.

You should not use ldifde. Ldifde is used to create, modify, and delete directory objects. It can also be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services. However, it cannot be used to import data from a CSV file into Active Directory.

You should not use ADSI Edit. This tool is used to manage objects and attributes in Active Directory Domain Services. You can use ADSI to perform such functions as querying, viewing, and editing attributes. However, it cannot be used to import data into Active Directory.



References :CsvdeMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/bd5e4f88-c30a-47a8-b3d2-026e4497275c1033.mspx?mfr=true

Dsadd groupWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/4b547a24-3132-4b92-9812-7de9766005cc1033.mspx?mfr=true

LdifdeWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/8fe5b815-f89d-48c0-8b2c-a9cd1d6986521033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. You perform the Server Core installation of Windows Server 2008 on a computer named Server1. A volume named ConfVol on Server1 contains confidential files that are accessed by managers of the company.

One day, a manager reports that he is unable to access the ConfVol volume on Server1. You investigate and discover that the volume has become corrupt.

You need to restore the ConfVol volume from a backup.

Which command should you run?

1. Wbadmin start recovery <Correct>

2. Wbadmin start sysstaterecovery

3. Wbadmin restore catalog

4. Wbadmin start sysrecovery

Explanation :You should run the Wbadmin start recovery command. Wbadmin.exe is a command-line tool that allows you to perform backup and restore operations on your computer, volume, and files. The Wbadmin start recovery command is used to perform a recovery of the specified volumes, applications, or files and folders. The -itemtype parameter specifies the type of items to recover. The value for this parameter must be one of the following: Volume, App, or File. The -backupTarget parameter specifies the location of the backup that you want to recover.

You should not run the Wbadmin start sysrecovery command. This command is used to perform a full system recovery. In this scenario, you want to restore only a volume.

You should not run the Wbadmin start sysstaterecovery command. The Wbadmin start sysstaterecovery command is used to perform a system state recovery of a Windows Server 2008 computer. In this scenario, you want to restore only a volume.

You should not run the Wbadmin restore catalog command. The Wbadmin restore catalog command is used to recover a catalog that has been corrupted. Running this command is useful if recovery from the backup catalog is not possible. The Wbadmin restore catalog command cannot be used to recover a corrupted volume.



References :Wbadmin start recoveryWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/52381316-a0fa-459f-b6a6-01e31fb216121033.mspx?mfr=true


Backup Command ReferenceWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/03de0a65-21f0-4dd7-a3ae-251c98bbf6eb1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory forest. The network contains an Active Directory Federation Services (AD FS) server and a Windows SharePoint Services server. The network also contains a stand-alone computer that runs Windows Server 2008. The AD FS server allows users from a partner organization to access a Web application in your network. You install Windows Server 2008 on a server named Server1 in the perimeter network.

You want to install the Federation Service Proxy to forward credentials of users and Web applications to the Federation Services server on their behalf.

What should you do?

1. Install the Federation Service Proxy on the stand-alone computer.

2. Install the Federation Service Proxy on the AD FS server.

3. Install the Federation Service Proxy on the Windows SharePoint Services server.

4. Install the Federation Service Proxy on Server1 in the perimeter network. <Correct>

Explanation :You should install the Federation Service Proxy on a computer that does not have AD FS or Windows SharePoint Services installed. In this scenario, Server1 does not have AD FS or Windows SharePoint Services installed. Therefore, you can install the Federation Service Proxy on Server1 in the perimeter network to achieve the desired goal. The Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running Windows SharePoint Services.

You should not install the Federation Service Proxy on the AD FS server or the Windows SharePoint Services server because the Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running Windows SharePoint Services.

You should not install the Federation Service Proxy on a stand-alone computer because installing the Federation Service Proxy on a stand-alone computer will not allow the Federation Service Proxy to collect and forward domain users' credentials to the Federation Service server.



References :Active Directory Federation Services OverviewWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d31033.mspx

Step 1: Preinstallation TasksWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

The network you manage has the five domains shown in the exhibit. Users in dev.eu.stayandsleep.com frequently access files on file servers in dev.corp.stayandsleep.com.

You need to optimize performance for users in dev.eu.stayandsleep.com when accessing files in dev.corp.stayandsleep.com.

What should you do?

1. Create a shortcut trust in which dev.corp.stayandsleep.com trusts dev.eu.stayandsleep.com. <Correct>

2. Create a two-way external trust between dev.eu.stayandsleep.com and dev.corp.stayandsleep.com.

3. Create a shortcut trust in which dev.eu.stayandsleep.com trusts dev.corp.stayandsleep.com.

4. Create a forest trust and enable selective authentication.

Explanation :You should create a shortcut trust in which dev.corp.stayandsleep.com trusts dev.eu.stayandsleep.com. A shortcut trust is used to shorten the authentication path when users in one child domain need frequent access to resources in another child domain. The trusting domain is the one in which the resources are located.

You should not create a shortcut trust in which dev.eu.stayandsleep.com trusts dev.corp.stayandsleep.com. The trusting domain is the one in which the resources are located.

You should not create a two-way external trust between dev.eu.stayandsleep.com and dev.corp.stayandsleep.com. An external trust is used to allow access to or from a Windows NT 4.0 domain or when you cannot use a forest trust. An external trust is not used between domains in the same forest.

You should not create a forest trust and enable selective authentication on it. A forest trust is used between two Active Directory forests, not within the same forest. Selective authentication is used to limit the access to specific users in different forests.


Sub Objective(s):Configure trusts.

Understanding When to Create a Shortcut TrustWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/6d35ab81-0b60-4425-8c95-46f676d1ea691033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network includes the domain controllers shown in the exhibit.

DC1 experiences a hardware failure that makes it inaccessible. It will take several days to repair it, and it will need to have the operating system reinstalled.

You need to recover the operations master roles.

What should you do?

1. Transfer the schema master role to DC3. Transfer the infrastructure master role to DC2.

2. Seize the schema master role to DC4.

3. Seize the schema master role and the infrastructure master role to DC2. <Correct>

4. Transfer the schema master role to DC2. Transfer the infrastructure master role to DC4.

Explanation :You should seize the schema master role and the infrastructure master role to DC2. The schema master role is a forest-wide role that must be on a domain controller in the root domain. The infrastructure master role is a domain-wide role. Therefore, it must be on a domain controller in the same domain. Because DC1 is inaccessible, you must seize the roles. You should only seize roles when absolutely necessary because the existing operations master is inaccessible and will not be brought back online. In addition, you should seize a role on the domain controller that is most synchronized with the failed operations master. Seizing a role on a domain controller that is not synchronized could cause problems. For example, if the schema has not been updated, applications that use modifications to the schema could fail to operate correctly. If the infrastructure master role is seized to a computer that does not have the latest changes, problems due to accounts that have been moved or renamed could occur. You should run repladmin to ensure the target domain controller is as up to date as possible before seizing a role.

You cannot transfer the roles because DC1 is inaccessible. You can only transfer roles if you can access the domain controller that currently holds the roles.

You should not seize the schema master role to DC4. You should always seize a role with a direct replication partner if possible. Also, the schema master role must be held by a domain controller in the root domain.



References :Planning Operations Master Role PlacementWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e2616396-12e6-4bad-a081-f94c032887101033.mspx?mfr=true

Seize operations master rolesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/33d25c21-ae42-422c-be18-d3e706e4b45e1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company has three domains: stayandsleep.com, nw.stayandsleep.com, and mw.stayandsleep.com. All user accounts are created in either nw.stayandsleep.com or mw.stayandsleep.com. Users must be able to log on using [email protected].

You are creating a script that will add users to nw.stayandsleep.com.

What command should you use?

1. dsadd user cn=username,cn=nw,dc=stayandsleep,dc=com -disabled no

2. dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -upn [email protected] -disabled no <Correct>

3. dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -samID [email protected] -disabled no

4. dsadd user cn=username,dc=nw,dc=stayandsleep,dc=com -email [email protected] -disabled no

Explanation :You should use the following command:

dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -upn [email protected] -disabled no

You must provide the distinguished name of the user. The distinguished name includes two common name (cn) elements, the username and the container in which the user should be created. It also includes a domain component (dc) for each name in the fully-qualified domain name of the domain. To meet the requirement that the user can log in using [email protected], you must specify a user principal name (UPN) of [email protected].

You should not use the following command:

dsadd user cn=username,cn=nw,dc=stayandsleep,dc=com -disabled no

This command would create a user in the nw container of the stayandsleep.com domain.


dsadd user cn=username,dc=nw,dc=stayandsleep,dc=com -email [email protected] -disabled no

This command does not specify a container. Also, you do not specify a login name by specifying an e-mail address.


dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -samID [email protected] -disabled no

The samID attribute is used to set the name of the Security Account Manager (SAM) account, which is the username.



Dsadd userWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/9e274947-2dec-4448-a822-8dd2f688fcec1033.mspx



______________________________________________________________________________________________________________________________________________

You manage a network that includes the DNS servers shown in the exhibit. DNS-AD1 and DNS-AD2 are configured to forward requests for Internet addresses to DNS-Ext. DNS-Ext is not configured with a forwarder.

You need to configure the DNS servers to help mitigate the risk of a denial of service attack.

What should you do?

1. Disable recursion on DNS-AD1 and DNS-AD2.

2. Delete the Internet servers from root hints on DNS-Ext.

3. Disable recursion on DNS-Ext. <Correct>

4. Delete the Internet servers from root hints on DNS-AD1 and DNS-AD2.

Explanation :You should disable recursion on DNS-Ext. DNS-Ext is not configured as a forwarder. Therefore, it can use iterative requests to query the Internet root servers for name resolution. Disabling recursion when it is not needed can help prevent denial of service attacks.

You should not disable recursion on DNS-AD1 and DNS-AD2. When a DNS server uses a forwarder, it sends a recursive query to that forwarder. Therefore, if you disable recursion on DNS-AD1 and DNS-AD2, you will prevent them from being able to send queries for Internet resources to DNS-Ext.

You should not delete the Internet servers from root hints on DNS-AD1 and DNS-AD2. You can delete the Internet servers from root hints to prevent DNS-AD1 and DNS-AD2 from sending data directly to servers on the Internet. However, doing so will not mitigate the risk of a denial of service attack.

You should not delete the Internet servers from root hints on DNS-Ext. DNS-Ext needs root hints to locate Internet root servers and send iterative requests to them. Therefore, if you delete the Internet root servers, DNS-Ext will not be able to function.



References :Securing the DNS Server ServiceWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/9f93a319-4e77-4c17-ad4a-10e3ea9847f11033.mspx?mfr=true

Understanding ForwardersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/52ec32f6-5eda-4d6a-8e38-809fee243b711033.mspx




______________________________________________________________________________________________________________________________________________

Your company's network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain. A Public Key Infrastructure (PKI) is also in place using Active Directory Certificate Services. Users are required to enroll for a User certificate using Web enrollment.

Users are reporting that the response time is very slow when accessing servers that host financial data. Certificate authentication is required to access these servers. You discover that the network is extremely busy and network bandwidth is reaching capacity.

You need to re-configure the Certificate Authority (CA) infrastructure to help reduce traffic on the network.

What should you do?

1. Open the Certificate Templates snap-in and configure auto-enrollment instead of Web-based enrollment.

2. Open Active Directory Sites and Services. Deny users the Enroll permission on all templates except the User template.

3. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL). <Correct>

4. Open the Certificate Authority snap-in and decrease the Certificate Revocation List (CRL) publication interval.

Explanation :You should use the Certificate Authority snap-in to configure the CA to use a Delta CRL. Delta CRLs only replicate the new revocations to each CRL distribution point. Using a Delta CRL means a smaller file and therefore, less network traffic.

You should not decrease the Certificate Revocation List publication interval. The publication interval determines the frequency that the CRL is published. By decreasing the interval, the CRL will be published more frequently and increase network traffic.

You should not deny users the Enroll permission on all templates except the User template. Denying users access to certificate templates increases security so you can control the types of certificates users can request. It does not however, reduce network traffic.

You should not change the method used for certificate enrollment. Traffic will be generated when users first enroll for certificates. However, once users are issued a certificate, they do not need to generate an additional request. Changing the method used for certificate enrollment will not reduce network traffic on an on-going basis.



Configuring Certificate RevocationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/336d3a6a-33c6-4083-8606-c0a4fdca9a251033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network contains servers that run Windows Server 2008. You install Active Directory Domain Services (AD DS) on a server named DC1.

You are in the process of performing an offline defragmentation of AD DS database on DC1. You run the Compact to command at the Ntdsutil file maintenance prompt to compact the AD DS database file.

What should you do next?

1. Delete all of the log files in the log directory. <Correct>

2. Copy the compacted database to the %SystemRoot%\Windows\NTDS folder.

3. Copy the compacted database to the %SystemRoot%\Windows\SYSVOL folder.

4. Run the Integrity command at the Ntdsutil file maintenance prompt.

Explanation :You should delete all of the log files in the log directory. To perform an offline defragmentation of the AD DS database, you must be a member of the local Administrators group on the domain controller. To perform the offline defragmentation of the AD DS database, you should first stop the AD DS service. You should then perform the following steps to perform offline defragmentation of the AD DS database:

* Run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the Ntds.dit file at the location specified in the Compact to command. * Delete all of the log files in the log directory. * Manually copy the compacted database file to its original location. * Perform the integrity check on the database. * Restart the AD DS service.

You should not copy the compacted database to the %SystemRoot%\Windows\NTDS folder. This step is performed after deleting all of the log files from the log directory.

You should not copy the compacted database to the %SystemRoot%\Windows\SYSVOL folder. The AD DS database file must be copied to its default location, which is the %SystemRoot%\Windows\NTDS folder.

You should not run the Integrity command at the Ntdsutil file maintenance prompt. This step is performed after copying the compacted database to the %SystemRoot%\Windows\NTDS folder.



References :Compact the directory database file (offline defragmentation)Microsoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

Windows Server 2008 Restartable AD DS Step-by-Step GuideWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company has a main office and five branch offices. You configure each office to have its own Active Directory domain in the same forest. All servers on the network run Windows Server 2008. The computers on the network are configured to use Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).

To ensure that the host names of important servers on the network remain unique throughout all domains in the forest, you decide to configure the GlobalNames zone.

Which type of zone should you use?

1. Stub zone

2. Active Directory-integrated zone <Correct>

3. Standard secondary zone

4. Standard primary zone

Explanation :You should use an Active Directory-integrated zone. The GlobalNames zone provides single-name resolution for networks that do not contain a WINS server. To ensure that the GlobalNames zone provides single-name resolution, all authoritative DNS servers must be running Windows Server 2008. When you want to support deployment of the GlobalNames zone across multiple domains and forests, the GlobalNames zone must be integrated with AD DS.

You should not use a standard primary zone. A standard primary zone stores the DNS zone information in a .dns text file instead of in Active Directory.

You should not use a standard secondary zone. A standard secondary zone obtains zone information from its master DNS server. A master DNS server can be an Active Directory, primary, or secondary zone that is configured for zone transfers. The data stored in a secondary zone cannot be modified.

You should not use a stub zone. A stub zone contains only resource records for the authoritative DNS servers for that zone. A stub zone is generally used to resolve the host names between separate DNS namespaces.


Sub Objective(s):Configure zones.


DNS Server GlobalNames Zone DeploymentMicrosoft.comLink: http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/dns-globalnames-zone-deployment.doc



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. Users in the Sales department travel with portable computers and usually connect to the network from their hotel rooms. When a new salesperson is hired, he or she receives a portable computer.

Microsoft Office 2007 must be installed on each salesperson's portable computer. Some settings must be predefined. Others should be configurable by the salesperson.

You need to ensure that Office 2007 is installed the first time the user starts the computer. Your solution must minimize the bandwidth required to install the application.


1. Pre-stage the installation onto the portable computers. <Correct>

2. Create a startup script that installs the application. <Correct>

3. Create a Software Installation package to assign the application to the computer.

4. Create an installation share on a domain controller.

5. Create a Software Installation package to publish the application to the user.

6. Create a Software Installation package to assign the application to the user.

Explanation :You should pre-stage the installation onto the portable computers. Doing so will allow the installation to occur without requiring the files to be downloaded across the Internet, thus minimizing bandwidth requirements.

You should also create a startup script that installs the application. The startup script is stored in the startup script policy in a Group Policy object (GPO). A Startup Script executes when a computer boots. The startup script will execute the first time the users boot the computers. The startup script can reference a Setup customization file (.msp) that can contain the settings you want to configure centrally. Users can make other customizations during installation. One thing to note is that the settings applied by the .msp file are considered default settings that can later be changed by the user.

You should not create an installation share on a domain controller. Doing so will require installation files to be transferred across the network, thus using more bandwidth than pre-staging the installation onto the portable computer.

You should not use Software Installation packages to assign or publish the application. Office 2007 cannot be assigned or published to a user. Also, when you assign the application to a computer, the files must be downloaded from a server. Finally, you cannot use an .msp file to customize an installation assigned using Software Installation. You can only make minor customizations, such as the features that are installed, using the config.xml file.



Use Group Policy to assign computer startup scripts for 2007 Office deploymentMicrosoft TechNetLink: http://technet2.microsoft.com/Office/en-us/library/a57c8446-b959-4025-a866-b690ddcaa66d1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with two domain controllers. One domain controller is running Windows Server 2008 and the Domain Name System (DNS) service. You have created a single Active Directory-Integrated zone. DNS is configured for Secure Dynamic DNS (DDNS).

Users report that they cannot connect to a server application. They receive the message "Access Denied. Cannot verify client name." You are able to ping the server and the client computers, but you cannot resolve the name of client computers using nslookup.

You need to allow client computers to use the server application.

What should you do?

1. Install DNS on the other domain controller. Configure it to support conditional forwarding.

2. Create an Active Directory-Integrated reverse lookup zone. <Correct>

3. Add the application server name to the GlobalNames zone.

4. Install DNS on the other domain controller. Create a stub zone.

Explanation :You should create an Active Directory-Integrated reverse lookup zone. Network applications sometimes use reverse lookup zones to obtain a client's name from its IP address. The nslookup tool queries a DNS server for an IP address based on a computer's name. When nslookup fails, you know that you need to either configure a reverse lookup zone or, if one exists, that it is configured incorrectly.

You should not install DNS on the other domain controller and create a stub zone. A stub zone contains only Name Server (NS) records. It cannot be used to determine the name of a computer from its IP address. You would use a stub zone to keep a parent zone up to date with the addresses of DNS servers in the child zones.

You should not install DNS on the other domain controller and configure it to support conditional forwarding. The problem is not caused by the application server being unable to contact a DNS server. The problem is caused because the DNS server is not configured with a reverse lookup zone.

You should not add the application server to the GlobalNames zone. The GlobalNames zone is used to allow for single-label name resolution. It is not used by application servers to obtain the name of a client computer based on its IP address.



Reverse LookupMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/edf68cca-86f1-4b89-8e44-79f768963e951033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as a single Active Directory domain. It has domain controllers running Windows Server 2003 and Windows 2000 Server. You are configuring the network for a new branch office. Users at the branch office need to be able to authenticate even if the connection to the corporate office is down. The network administrator at the branch office should not be able to make changes to Active Directory objects.

You need to prepare the Active Directory forest to support the branch office domain controller. Your solution must require the minimum number of new operating system licenses.


1. Upgrade the domain controllers running Windows 2000 Server to Windows Server 2008. <Correct>

2. Upgrade all domain controllers to Windows Server 2008.

3. Raise the forest functional level to Windows Server 2003. <Correct>

4. Raise the forest functional level to Windows Server 2008.

5. Execute adprep /rodcprep on any domain controller. <Correct>

6. Execute adprep /adprep /gpprep on the schema master.

Explanation :You should upgrade the domain controllers running Windows 2000 Server to Windows Server 2008. You need to install a Read-Only Domain Controller (RODC) in the branch office to allow users to authenticate locally instead of depending on the Wide Area Network (WAN) connection. An RODC is only supported at the Windows Server 2003 forest functional level or the Windows Server 2008 forest functional level. The Windows Server 2003 forest functional level cannot support domain controllers running Windows 2000 Server, so you must upgrade these domain controllers to either Windows Server 2003 or Windows Server 2008.

You should also raise the forest functional level to Windows Server 2003.

You should also execute adprep /rodcprep to prepare the domain controllers to replicate data to the RODC. You can execute adprep /rodcprep from any domain member or domain controller.

You should not upgrade all domain controllers to Windows Server 2008. The requirements call for a minimal number of new operating system licenses. It is not necessary to upgrade the domain controllers running Windows Server 2003.

You should not raise the forest functional level to Windows Server 2008. Doing so would require that you upgrade all domain controllers to Windows Server 2008.

You should not execute adprep /adprep /gpprep on the schema master. This command is used to prepare a domain that includes both Windows Server 2003 and Windows 2000 Server domain controllers for installing the first Windows Server 2008 domain controller. The command must be run on the infrastructure master.



References :Lesson 1: Installing Active Directory Domain ServicesCourse 6425A

AdprepWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/aa923ebf-de47-494b-a60a-9fce083d2f69103

3.mspx?mfr=true

Appendix of Functional Level FeaturesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/34678199-98f1-465f-9156-c600f723b31f1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company, MedDev, has formed a new manufacturing company named GoShop. GoShop is run independently but is located in the MedDev office complex in Boston. MdeDev management requires access to financial information from GoShop.

MedDev and GoShop both maintain empty forest root domains with single child domains. All servers are running Microsoft Windows Server 2008.

You need to grant the MedDev managers access to the financial data at GoShop without compromising security at MedDev.

What should you do?

1. Create a one-way external trust between the child domains. <Correct>

2. Create a two-way forest trust between the forests.

3. Create a two-way external trust between the two child domains

4. Create a one-way forest trust between the forests.

Explanation :You need to create a one-way external trust between the MedDev child domain and the GoShop child domain in which the GoShop child domain trusts the MedDev child domain. The one-way external trust will allow users in the MedDev child domain to access resources in the GoShop child domain. Users in the GoShop domain will not have access to resources in the MedDev domain.

You should not create forest trusts. Forest trusts extend the transitivity of domain trusts to another forest. A one-way forest trust will allow all users in one forest to trust all domains in the other forest. A two-way forest trust establishes a transitive trust relationship among all domains in both forests. This solution not only allows users in the MedDev child domain access to resources in GoShop, but it also allows users in GoShop to access all domains in the MedDev forest, thereby potentially compromising security. Since that scenario indicates that you do not want to compromise security at MedDev, a forest trust should not be created.

You should not create a two-way trust between the child domains. Doing so will permit users in the MedDev child domain to trust users in the GoShop child domain. The scenario does not indicate that users in the GoShop child domain need access to resources in the MedDev child domain.



Forest Design ModelsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/066d1fe4-cd49-4efb-9e24-3ab0612620fc1033.mspx



______________________________________________________________________________________________________________________________________________

Your network is configured as two Active Directory domains: stayandsleep.com and chi.stayandsleep.com. The network includes the servers shown in the exhibit. All servers are running Windows Server 2003.

Client applications in both domains must access the application server using the name PayrollApp.

You are planning to decommission the Windows Internet Name Service (WINS) servers in both domains.

You need to configure name resolution for PayrollApp. Your solution should require only upgrades that are necessary to meet the requirements.

What should you do?

1. Upgrade DC1 and DC2 to Windows Server 2008.Install the DNS role on DC2.Configure the stayandsleep.com zone for Secure Dynamic Updates.Create a stub zone in chi.stayandsleep.com.

2. Upgrade DC1 to Windows Server 2008.Create a GlobalNames zone.Add PayrollApp to the GlobalNames zone.

<Correct>

3. Upgrade DC1 and DC2 to Windows Server 2008.Create a GlobalNames zone.Add PayrollApp to the GlobalNames zone.

4. Upgrade DC1, DNS1, and DNS2 to Windows Server 2008.Add the Domain Controller role to DNS1 and DNS2.Configure all zones as Active Directory-Integrated zones.


* Upgrade DC1 to Windows Server 2008. * Create a GlobalNames zone. * Add PayrollApp to the GlobalNames zone.

The GlobalNames zone is a zone that allows a computer name to be resolved by using the host name only, instead of a fully-qualified domain name. GlobalNames zones are useful when decommissioning WINS servers. To use the GlobalNames zone, all authoritative name servers must be running Windows Server 2008. Therefore, you need to upgrade DC1 to Windows Server 2008.


* Upgrade DC1 and DC2 to Windows Server 2008. * Create a GlobalNames zone. * Add PayrollApp to the GlobalNames zone.

Part of the requirement is that you need to minimize the number of upgrades necessary. You do not need to upgrade DC2 because it is not an authoritative DNS server.


* Upgrade DC1 and DC2 to Windows Server 2008. * Install the DNS role on DC2. * Configure the stayandsleep.com zone for Secure Dynamic Updates. * Create a stub zone in chi.stayandsleep.com.

A stub zone contains only Name Server (NS) records. It does not resolve the names of other computers. Therefore, it would not resolve single label names. You would use a stub zone to keep

a parent zone up-to-date with the addresses of DNS servers in the child zones. Although you might create a stub zone on DC1 to keep it aware of changes in chi.stayandsleep.com, creating a stub zone in chi.stayandsleep.com would not allow clients in chi.stayandsleep.com to resolve the name of PayrollApps.


* Upgrade DC1, DNS1, and DNS2 to Windows Server 2008. * Add the Domain Controller role to DNS1 and DNS2. * Configure all zones as Active Directory-Integrated zones.

Configuring the zones as Active Directory-Integrated zones will not allow clients in chi.stayandsleep.com to resolve the name for PayrollApp.



DNS Server RoleWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

The site topology of your network is shown in the exhibit. All offices connect to the Chicago office through a high speed connection. Other offices can connect to each other through dial-up connections. You need to reconfigure the site links to meet the following requirements:

* The domain controllers in Denver can be updated even if the connection to Chicago fails.* The dial-up connections should be used only if the high-speed connection is not available.


1. Reduce the cost of the New Orleans-New York site link to 50.

2. Remove the New York - New Orleans site link.

3. Reduce the cost of the Chicago-New Orleans site link to 90. <Correct>

4. Add a site link between Denver and New Orleans. Assign a cost of 100.

5. Add a site link between Denver and New York. Assign a cost of 100. <Correct>

Explanation :You should reduce the cost of the Chicago-New Orleans site link to 90. The partner with the lowest replication cost will be used for replication unless that partner is not available. Therefore, to ensure that New Orleans replicates with Chicago instead of New York whenever possible, you need to reduce the cost to lower than the cost of the New York-New Orleans link plus the New York-Chicago link.

You should also add a site link between Denver and New York to ensure that Denver can replicate even if the connection with Chicago goes down. You should assign a cost greater than 70 to the site link so that Denver prefers using the link to Chicago over the new site link to New York.

You should not reduce the cost of the New Orleans-New York site link to 50. Doing so will give preference to the dial-up connection between New Orleans and New York.

You should not add a site link between Denver and New Orleans and assign a cost of 100. Doing so would cause Denver to use the dial-up connection with New Orleans as the most cost-effective route.

You should not remove the New York - New Orleans site link. Doing so will prevent New Orleans from being updated if Chicago goes down.



References :How Active Directory Replication Topology WorksMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true

Create a Site LinkWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/9e81596f-7cce-477b-9649-86af9a7c435c1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is a single Active Directory domain with a single site. All domain controllers are running Windows Server 2008.

You are preparing to upgrade users who are running Microsoft Office 2003 to Microsoft Office 2007 using Group Policy. Office 2003 was deployed by assigning it to computers.

You have created an installation share.

You need to configure a Software Installation package.

What should you do?

1. Create a new software installation package.Select the Microsoft Transform (.mst) file from the installation share.Add the new package to the Upgrades tab of the existing package.

2. Modify the existing software installation package.Select the Windows Installer (.msi) file from the installation share.

3. Create a new software installation package.Select the Windows Installer (.msi) file from the installation share.Add the existing package to the Upgrades tab of the new package.

<Correct>

4. Create a new software installation package.Select the Microsoft Transform (.mst) file from the installation share.Delete the existing software installation package.


* Create a new software installation package. * Select the Windows Installer (.msi) file from the installation share. * Add the existing package to the Upgrades tab of the new package.

When you create a software installation package for any application, you must reference the .msi file. To perform an upgrade of existing software, you must add the package for the existing software to the Upgrades tab of the new package.


* Create a new software installation package. * Select the Microsoft Transform (.mst) file from the installation share. * Add the new package to the Upgrades tab of the existing package.

You can use an .mst file to install language support and some other features. However, you do not reference the transform file in the package. You also should not add the new package to the Upgrades tab of the existing package. Instead, you must add the existing package to the Upgrades tab of the new package to cause an upgrade to occur instead of installing both versions side-by-side.


* Modify the existing software installation package. * Select the Windows Installer (.msi) file from the installation share.

Modifying the existing software installation package will not cause an upgrade to occur for users who already have the previous package installed.


* Create a new software installation package. * Select the Microsoft Transform (.mst) file from the installation share. * Delete the existing software installation package.

You should not reference the transform file in the package. Also, you should not delete the existing software installation package because you need to reference it on the Upgrades tab of the new package.






______________________________________________________________________________________________________________________________________________

You network is configured as a single Active Directory domain. The network has several remote locations connected through wide area network (WAN) links.

You deployed a domain controller in each office. All domain controllers run Microsoft Windows Server 2008. Remote offices are experiencing intermittent problems with logon and authentication. You determine that you need a global catalog server in each location.

What should you use to configure the domain controllers?

1. Active Directory Domains and Trusts

2. Dcpromo

3. Add Role Wizard

4. Active Directory Sites and Services <Correct>

Explanation :You should use Active Directory Sites and Services. Windows Server 2008 lets you configure any or all domain controllers with the global catalog role. Active Directory Sites and Services lets you add the global catalog to any domain controller. In a single-domain network, Microsoft recommends making all domain controllers global catalog servers.

You should not use Active Directory Domain and Trusts. This utility lets you manage security and establish trusts between domains, but it does not let you manage the global catalog.

You should not use the Add Role Wizard or Dcpromo to add the global catalog to an existing domain controller. The Add Role Wizard and Dcpromo are used to create domain controllers. You first add the domain controller role through the Add Role Wizard, and then promote the server with Dcpromo. You can specify that the server be configured as a global catalog server during promotion.



References :What's New in AD DS Installation and RemovalMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/e5bf22f7-f617-4820-a6d0-6271e3b80fe41033.mspx?mfr=true

How to create or move a global catalog in Windows Server 2003, Windows 2000, or Small Business Server 2000Microsoft Help and SupportLink: http://support.microsoft.com/kb/313994/



______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization. You have installed Active Directory Domain Services (AD DS), Active Directory Certificates Services (AD CS), Active Directory Federation Services (AD FS), and Active Directory Lightweight Directory Services (AD LDS) on a computer running Windows Server 2008.

Active Directory automatically performs online defragmentation of the database every 12 hours. You need to perform offline defragmentation of the Active Directory database to create a new and compacted version of the database file.

What should you do to accomplish the task without restarting the domain controller?

1. Stop the wuauserv service from the Services Console.

2. Stop AD LDS.

3. Stop AD DS. <Correct>

4. Stop the ERSvc service from the Services Console.

Explanation :You should stop AD DS to perform offline defragmentation of the Active Directory database to create a new and compacted version of the database file. The AD DS server role can be stopped and restarted in Windows Server 2008 to perform routine maintenance such as offline defragmentation. While AD DS is stopped, other domain controllers can service new domain logon requests.

You should not stop AD LDS. Stopping AD LDS will not allow you to perform offline defragmentation of the Active Directory database.

You should not stop the wuauserv service. If this service is stopped or disabled, then the computer will not be able to use the Automatic Updates feature or the Windows Update Web site.

You dshould not stop the ERSvc service. This service allows error reporting for services and applications running in non-standard environments.



References :Windows Server 2008 Restartable AD DS Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx




______________________________________________________________________________________________________________________________________________

Your company's network is an Active Directory domain with four domain controllers. One domain controller is running Windows Server 2008. The other three are running Windows Server 2003. Member servers named SQL1 and SQL2 are running Windows Server 2003 and SQL Server 2005. A domain user account named SqlUser is used as the SQL Server service account.

A password policy is applied to all computers in the domain.

You restart SQL1. The SQL Server service will not start due to an authentication error.

You need to correct the problem and prevent it from happening in the future. Your solution should be the most secure option.

What should you do?

1. Reset the password for SqlUser in Active Directory.Reset the password for SqlUser on SQL1 and SQL2.Enable the Password never expires option for SqlUser.

<Correct>

2. Reset the password for SqlUser in Active Directory.Create a fine-grained password policy for SQL1 and SQL2.

3. Configure the SQL Server service on SQL1 to use the Local System account.Configure the SQL Server service on SQL2 to use the Local System account.

4. Reset the password for SqlUser in Active Directory.Reset the password for SqlUser on SQL1 and SQL2.Create a fine-grained password policy for SqlUser.


* Reset the password for SqlUser in Active Directory. * Reset the password for SqlUser on SQL1 and SQL2. * Enable the Password never expires option for SqlUser.

The problem is caused because the password has expired, so SqlUser can no longer log on. SqlUser is a service account, so it should be configured so that its password never expires. You can do this through the user account properties in Active Directory Users and Computers or by using dsmod. Because the password has already expired, you need to reset the password for the user account in Active Directory and using SQL Server Configuration Manager on both SQL1 and SQL2.


* Configure the SQL Server service on SQL1 to use the Local System account. * Configure the SQL Server service on SQL2 to use the Local System account.

The Local System account has more permissions than is required to run SQL Server. Therefore, performing these steps will weaken security unnecessarily.


* Reset the password for SqlUser in Active Directory. * Create a fine-grained password policy for SQL1 and SQL2.

If you reset the password in Active Directory, you must also reset it in SQL Server Configuration Manager on both SQL1 and SQL2. Also, fine-grained password policies are applied to users or global groups, not to computers. Finally, fine-grained password policies are only supported in domains running at the Windows Server 2008 functional level. Because the domain includes domain controllers running Windows Server 2003, you know that the domain is not operating at the Windows Server 2008 functional level.


* Reset the password for SqlUser in Active Directory. * Reset the password for SqlUser on SQL1 and SQL2. * Create a fine-grained password policy for SqlUser.

This would be a good solution if the domain was running at the Windows Server 2008 functional level. However, it includes domain controllers running Windows Server 2003, so you cannot use fine-grained password policies.



References :Understanding User AccountsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ef9fd6f4-5a9a-4e98-bbdc-552c6427bd5e1033.mspx

AD DS: Fine-Grained Password PoliciesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx



______________________________________________________________________________________________________________________________________________

Your organization has a single forest environment which includes multiple domains with domain controllers running Windows 2000 Server, Windows Server 2003 and Windows Server 2008.

You have configured the first Windows Server 2008 domain controller as a global catalog server and you host the infrastructure master role on the same server. You are installing two more domain controllers to create a new child domain. You have installed the global catalog on the first domain controller in the new child domain.

What should you do while configuring the additional domain controller in the new child domain?

1. Configure the additional domain controller with default options.

2. Configure the additional domain controller as a global catalog server. <Correct>

3. Configure the additional domain controller as a Domain Name System (DNS) server.

4. Configure the additional domain controller as a read-only domain controller (RODC).

Explanation :You should configure the additional domain controller as a global catalog server. When you install the global catalog on the first domain controller in a new child domain, you should ensure that at least one additional domain controller is also configured as a global catalog server. If you install the global catalog on the first domain controller in the new child domain and the global catalog is not installed on additional domain controllers in the same domain, then you can encounter problems because the first domain controller in a domain also hosts all domain-wide operations master roles, including the infrastructure master role.

You do not need to configure the additional domain controller as an RODC or a DNS server. Instead, you should configure the additional domain controller as a global catalog server.

You should not configure the additional domain controller with default options. When you create a domain controller in a new child domain, the global catalog checkbox is not checked by default.



Windows Server 2008 Help FileWindows Server 2008 Virtual PC



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. The servers on the network run Windows Server 2008, and client computers run Windows Vista. You install Active Directory Rights Management Service (AD RMS) on a server named Server1.

You create various policies in Active Directory that define the level of access to resources for users on the network. You need to prevent an assistant administrator named John from making changes to these policies.

Which Directory Service command-line utility should you use?

1. Run the Dsmod /user:John /canchpwd:no command.

2. Run the Dsrm John command.

3. Run Authorization Manager and grant John the Reader role.

4. Run the Dsmod /RestrictPolicyChange /User:John command. <Correct>

Explanation :You should run the Dsmod /RestrictPolicyChange /User:John command. You can use the Directory Service command-line utilities to perform administrative tasks for Active Directory. The Directory Service command-line utilities include Dsadd, Dsget, Dsmod, Dsmove, Dsquery, and Dsrm. When you want to modify attributes of an existing user in the directory, you should use the Dsmod user command. The Dsmod user command has parameters that you can use to modify a user's attributes. When you want to restrict a user from making policy changes, you should include the /RestrictPolicyChange parameter in the Dsmod user command.

You should not run Authorization Manager and grant John the Reader role. You can use Authorization Manager to configure role-based access control. Authorization Manager can store authorization policy in either Active Directory or in the XML file format. The Reader role in Authorization Manager provides users with privileges that are required for managing Authorization Manager. However, the Reader role in Authorization Manager will not prevent a user from making changes to AD RMS policies.

You should not run the Dsrm John command. You use the Dsrm utility to delete objects from the directory. Therefore, running the Dsrm John command will delete John's user account from Active Directory, which is not required in this scenario.

You should not run the Dsmod /user:John /canchpwd:no command. The -canchpwd parameter is used to specify whether a user can change his password or not. The -canchpwd parameter cannot be used to prevent a user from making changes to AD RMS policies.



References :How To Use the Directory Service Command-Line Tools to Manage Active Directory Objects in Windows Server 2003Microsoft Help and SupportLink: http://support.microsoft.com/kb/322684

Active Directory Rights Management Services OverviewWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f-15b156a0b4e01033.mspx?mfr=true

Pre-installation Information for Active Directory Rights Management ServicesWindows Server 2008 Technical LibraryLink:

http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3-862c-7ea309ddb0ed1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. Your company's security policy specifies the following requirements:

* Users must change their passwords every 45 days. * Passwords must be at least 8 characters long. * Passwords cannot contain only lowercase, only uppercase, only numeric, or only symbolic characters. * Users cannot reuse a password within 3 months. * Users should be locked out after entering a password incorrectly 4 times within a 5-minute period. * Users should remain locked out until an administrator unlocks their accounts.

The following account policies are defined:

* Enforce password history = 3 * Maximum password age = 45 * Minimum password age = 30 * Minimum password length = 8 * Password must meet complexity requirement = True * Account lockout duration = 5 * Account lockout threshold = 4 * Reset lockout counter after = 0

You need to modify the account policies to meet the security requirements.


1. Change Account lockout threshold to 5.

2. Change Enforce password history to 90.

3. Change Password must meet complexity requirements to False.

4. Change Account lockout duration to 0. <Correct>

5. Change Reset lockout counter after to 5. <Correct>

6. Change Minimum password age to 45.

7. Change Reset lockout counter after to 4.

Explanation :You should change Account lockout duration to 0. Account lockout duration specifies the number of minutes an account remains locked out. A setting of 0 causes it to remain locked out until an administrator unlocks the account.

You should also change Reset lockout counter after to 5. The Reset lockout counter after policy determines how many minutes must elapse after a failed logon attempt before the failed logon counter is set to 0.

You should not change Password must meet complexity requirements to False. When set to True, the Password must meet complexity requirements policy requires that a password be at least 6 characters long, contain at least three of four types of characters (uppercase, lowercase, numeric, or symbolic) and that it does not contain the user's name. This policy more than meets the complexity requirements specified by the company's security policy, with the exception of length. Because the Minimum password length policy is set to 8, that overrides the 6-character limitation enforced by the Password must meet complexity requirements policy.

You should not change Enforce password history to 90. The Enforce password history policy sets the number of passwords that should remembered, not the number of days they should be remembered. The policy must be set to a value between 0 and 24.

You should not change Minimum password age to 45. The requirements state that a password cannot

be used within three months (90 days). The current account policy configuration remembers 3 passwords and does not allow a password to be changed for 30 days. Therefore, it prevents a password from being recycled for 3 * 30 (or 90) days.

You should not change Account lockout threshold to 5. The Account lockout threshold is the number of passwords that must be entered incorrectly within the duration defined by Reset lockout counter after to cause the account to be locked out. The requirements state that this value should be 4.

You should not change Reset lockout counter after to 4. The Reset lockout counter after policy determines how many minutes must elapse after a failed login attempt before the failed login counter is set to 0. The requirements state a duration of 5 minutes.






______________________________________________________________________________________________________________________________________________

Your company has a main office and 15 branch offices. Each office has its own Active Directory domain in the same forest. The computers on the network are configured to use Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).

The Windows Server 2008 domain controller in the main office has the Domain Name System (DNS) service installed.

You want to ensure that the host names of important servers on the network remain unique throughout all domains in the forest.

What should you do?

1. Install a Windows Internet Name Service (WINS) server on the network.

2. Create a new secondary zone named GlobalNames that stores data in Active Directory Directory Services (AD DS).

3. Create a new stub zone named GlobalNames on the DNS server.

4. Create a new Active Directory Domain Services (AD DS)-integrated primary zone named GlobalNames. <Correct>

Explanation :You should create a new AD DS-integrated primary zone named GlobalNames. The GlobalNames zone provides single-name resolution for networks that do not contain a WINS server. To ensure that the GlobalNames zone provides single-name resolution, all authoritative DNS servers must be running Windows Server 2008. When you want to support deployment of the GlobalNames zone across multiple domains and forests, the GlobalNames zone must be integrated with AD DS. Active Directory integrated zones provide name resolution even if a Wide Area Network (WAN) link is temporarily unavailable between domains, as long as each domain has an authoritative DNS server installed on a domain controller.

You should not create a new stub zone named GlobalNames on the DNS server. A stub zone contains only resource records for the authoritative DNS servers for that zone. A stub zone is generally used to resolve the host names between separate DNS namespaces.

You should not install a WINS server on the network because, in this scenario, networks are configured to use both IPv4 and IPv6, and WINS does not support IPv6.

You should not create a new secondary zone named GlobalNames that stores data in AD DS. A secondary zone cannot store zone data in Active Directory.



References :DNS Server GlobalNames Zone DeploymentMicrosoft.comLink: http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/dns-globalnames-zone-deployment.doc




______________________________________________________________________________________________________________________________________________

You are deploying a Public Key Infrastructure (PKI) in your Active Directory domain. The domain is configured with Windows Server 2003 AD schema. You are preparing to set up your Certificate Authority (CA) servers. You plan to eventually migrate your domain controllers to Windows Server 2008, but you plan to phase the change in as gradually as possible.

You need to ensure that your environment will support key archival and recovery through automated archival. You want to keep changes to the network and hardware and software requirements to a minimum.

What should you do?

1. Upgrade the forest root domain controller to Windows Server 2008 Enterprise Edition.

2. Install Windows Server 2008 Enterprise Edition on servers configured as CAs. <Correct>

3. Upgrade all domain controllers to Windows Server 2008 Standard Edition.

4. Install Windows Server 2008 Standard Edition on servers configured as CAs.

Explanation :You need to install Windows Server 2008 Enterprise Edition on servers configured as CAs. Key archival and retrieval, whether automated or manual, requires version 2 certificate templates. This requires, at minimum, a domain configured with Windows Server 2003 schema. This requirement has already been met. It also requires that all CAs are running, at minimum, Windows Server 2008 Enterprise Edition or Windows Server 2003 Enterprise Edition.

You should not install Windows Server 2008 Standard Edition on servers configured as CAs. CAs on computers running Windows Server 2008 Standard Edition or Windows Server 2003 Standard Edition support version 1 certificate templates, but they do not support version 2 certificate templates.

You should not upgrade all domain controllers or the forest root domain controller to Windows Server 2008, either edition. This is not a requirement for supporting key archival and retrieval.



Key Archival and ManagementMicrosoft DownloadsLink: http://download.microsoft.com/download/0/2/c/02c2ca18-1ed8-414c-b883-1753cd2a8b63/KeyArchivalandManagementinLonghornBeta3_pub.doc



______________________________________________________________________________________________________________________________________________

Your network has four Active Directory domains and four locations. The domain controllers are shown in the exhibit. All domain controllers are running the DNS service and each domain is configured as an Active Directory-Integrated zone.

All users need frequent access to resources in stayandsleep.com. Users in Atlanta need frequent access to resources in Atlanta, Chicago, and Des Moines. Users in other offices need access only to resources in their own domains and in stayandsleep.com.

You need to configure DNS to prevent DNS data from midwest.stayandsleep.com and south.stayandsleep.com from being transferred across the intercontinental link. Your solution must allow users to resolve the names of resources they access frequently using a local server.

Which of the following will you include in your plan?

1. Use DNS Manager to create an application directory partition for south.stayandsleep.com and midwest.stayandsleep.com.

2. Use dnscmd to create an application directory partition for south.stayandsleep.com and midwest.stayandsleep.com. <Correct>

3. Use DNS Manager to limit the zone transfer for south.stayandsleep.com and midwest.stayandsleep.com to DC1, DC2, DC3, DC4, and DC5.

4. Use dnscmd to limit the zone transfer for south.stayandsleep.com and midwest.stayandsleep.com to DC1, DC2, DC3, DC4, and DC5.

Explanation :You should use dnscmd to create an application directory partition. You can create application directory partitions to restrict DNS replication traffic so that a zone is only replicated to enlisted domain controllers. To do so you must create application directory partitions and then enlist the DNS server using dnscmd.

You should not use DNS Manager to create an application directory partition. DNS Manager can be used to manage zones, but not to create application directory partitions.

You should not use either dnscmd or DNS Manager to limit zone transfer to only the DNS servers in the United States. Zone transfer is used to transfer zone information to a secondary zone and should not be used instead of Active Directory replication. Using Active Directory replication for DNS data allows you to use a single replication topology, replicate only incremental changes, and is more secure than using zone transfer.



References :Understanding DNS Zone Replication in Active Directory Domain ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e93c32c9-0c5c-4822-9c84-d464658d6ed31033.mspx?mfr=true

Understanding Active Directory Domain Services IntegrationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/427144ca-37ce-4db7-a611-605338ec01ca1033.mspx?mfr=true

Create a DNS Application Directory PartitionWindows Server 2008 Technical LibraryLink:

http://technet2.microsoft.com/windowsserver2008/en/library/66587c39-5a8f-401c-80f7-fa0528c1340f1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You deploy Windows Server 2008 and Windows Vista computers on the company network. You configure Active Directory Domain Services (AD DS) to manage users and other network resources.

You are responsible for auditing users' access to the network resources. You recently notice that one of the administrators is providing unauthorized access to some users by changing the User Rights Assignment settings.

You want configure a Group Policy to audit each event related to changes made in User Rights Assignment settings.

What should you do?

1. Enable the Audit account management policy.

2. Enable the Audit object access policy.

3. Enable the Audit policy change policy. <Correct>

4. Enable the Audit process tracking policy.

Explanation :You should configure the Audit policy change policy to audit each event related to changes made in the User Rights Assignment settings. The Audit policy change policy will audit each event related to a change to one of the three policy areas on a computer. These policy areas include:

* user rights assignment * audit policies * trust relationships

You should not enable the Audit object access policy. Enabling the Audit object access policy ensures that user access of an object, such as a file, folder, Registry key, or printer, will be audited. This policy does not audit user access of Active Directory objects.

You should not configure the Audit account management policy. This policy setting is used to audit events related to account management on a computer. Examples of account management events include the following:

* Creating, changing, or deleting a user account or group * Renaming, disabling, or enabling a user account * Setting or changing a password

The Audit account management policy cannot be used to audit related changes made in User Rights Assignment settings.

You should not configure the Audit process tracking policy. By enabling the Audit process tracking policy, you can audit events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access.



References :Directory Services in Windows Server "Longhorn"Microsoft TechNetLink: http://www.microsoft.com/technet/technetmag/issues/2006/11/FutureOfWindows/

AD DS: AuditingWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ad35ab51-2e85-41e9-91f7-ccedf2fc9824103

3.mspx?mfr=true


Audit policy changeMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/962f5863-15df-4271-9ae0-4b0412e297491033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your network has two domains, three sites and five domain controllers. All domain controllers are configured as DNS servers with an Active Directory-Integrated zone for each domain. Information about each domain controller is shown in the exhibit.

Users in Atlanta and Des Moines rarely access resources in Chicago. Users in Chicago need access to resources on both stayandsleep.com and sales.stayandsleep.com.

You need to allow users in each office to locally resolve the names of the servers they use most frequently. Your solution must minimize the amount of replication traffic between sites.

What should you do?

1. Choose All domain controllers in a specified application directory partition as the replication scope for each zone.

2. Choose All domain controllers in the Active Directory domain as the replication scope for each zone. <Correct>

3. Choose All DNS servers in the forest that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope for each zone.

4. Choose All DNS servers in the domain that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope for each zone.

Explanation :You should choose All domain controllers in the Active Directory domain as the replication scope. This option is the only supported option when you need to replicate data to an Active Directory-Integrated zone on a computer running Windows 2000 Server. You need to replicate the data from sales.stayandsleep.com to DC3 to ensure that users in Chicago can locally resolve the names of computers in the sales.stayandsleep.com domain.

You should not choose All DNS servers in the forest that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope. This option will replicate all the zone data to all domain controllers in the forest running Windows Server 2003 or Windows Server 2008. This option will not replicate data to Windows 2000 Server and will generate the most replication traffic because data from stayandsleep.com will be replicated to Atlanta and Des Moines, which is not required because users in Atlanta and Des Moines do not access these resources very often.

You should not choose All DNS servers in the domain that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope. This option will not replicate data to Windows 2000 Server, so the users in Chicago will have to access name servers in Atlanta or Des Moines to resolve the names for computers in sales.stayandsleep.com.

You should not choose All domain controllers in a specified application directory partition as the replication scope. You use a scope of an application directory partition if you need to replicate some, but not all zones to the domain controllers. This option is not supported by Windows 2000 Server.



Understanding DNS Zone Replication in Active Directory Domain ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e93c32c9-0c5c-4822-9c84-d464658d6ed31033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization. You plan to install Active Directory Lightweight Directory Services (AD LDS) on one Windows Server 2008 computer.

Which steps should you perform to install AD LDS?

In the list on the right, select the tasks that you should perform during the installation process. Place your selections in the list on the left in the order in which they should be performed. Place the first task at the top of the list. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :To install AD LDS on a Windows Server 2008 server, you should perform the following steps in this order:

* Click Start and then click Server Manager. * Click the Add Roles link and select Active Directory Lightweight Directory Services and then click Next. * Review the information and click the Install button to finish the installation.

Server Manager allows you to install AD LDS and other server roles in Windows Server 2008. You can click the Add Roles link in the Roles Summary section on the Roles page in the Server Manager window. This will launch the Add Roles Wizard, which allows you to select the server roles to install on Windows Server 2008.

You should not click Start and then click Administrative Tools. The Administrative Tools folder provides an option to start the Active Directory Lightweight Directory Services Setup Wizard, which helps you create an instance of AD LDS after installing the AD LDS server role.

You should not launch the Active Directory Lightweight Directory Services Setup Wizard from the Administrative Tools. The Active Directory Lightweight Directory Services Setup Wizard allows you to create an instance of AD LDS after installing the AD LDS server role.

You should not select Windows Authentication and click the Install button to finish the installation. This option is available when installing the Web Server (IIS) role on the Windows Server 2008 server. You can select the Windows authentication solution for internal Web sites when configuring Role services for Web Server (IIS).



References :Step 1: Install the AD LDS Server RoleMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/682674f4-a652-4772-8567-2f27417f4ec81033.mspx




______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization. You have deployed the Active Directory Domain Services (AD DS) server role on a server running Windows Server 2008. You need to set up AD DS auditing to track events associated with AD DS activities.

What should you do?

In the list on the right, select the tasks that you should perform to set up AD DS auditing. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You may not need to use all of the items from the list on the right.

Explanation :You should perform the following tasks to set up AD DS auditing on a Windows Server 2008 server:

* Open the Group Policy Management console. * Enable the Audit directory service access policy. * Enable the Audit object access policy. * Enable subcategories by using Auditpol.exe.

To set up AD DS auditing, you should first open the Group Policy Management console, expand domains under forests, right-click the Default Domain Policy, and click Edit. You should then expand Computer Configuration and select Security Settings under Windows Settings and click Audit Policy under Local Policies. Setting the Audit directory service access properties to log failures and successes will enable the Audit directory service access policy. You should enable the Audit object access policy for each object that you want to audit to log access failures and successes. You should also run the auditpol.exe command from the command prompt to enable subcategories. These subcategories are as follows:

* Directory Service Access - audits the event of a user accessing an Active Directory object.* Directory Service Changes - provides the ability to audit changes to Active Directory objects, such as create, modify, move, and undelete operations.* Directory Service Replication - replicates computer and user accounts and other Active Directory objects from one domain controller to other domain controllers of the same domain.* Detailed Directory Service Replication - replicates specified computer and user accounts and other Active Directory objects from one domain controller to other domain controllers of the same domain.

You do not need to open Server Manager. Server Manager allows you to view and make changes to server roles and features installed on the server. Server Manager also allows you to verify the server status, determine critical events, and troubleshoot configuration issues or failures.

You do not need to open Computer Management. Computer Management provides access to System tools, Storage Management tools, and Computer services and applications. It does not provide any way to create auditing events.

You do not need to open Active Directory Domains and Trusts. Opening Active Directory Domains and Trusts does not allow you to create and view auditing events. Active Directory Domains and Trusts provides a way to manage trust relationships between domains.



References :Lesson: Implementing AD DS Change AuditingCourse 6416A




______________________________________________________________________________________________________________________________________________

Servers for MedDev are running Microsoft Windows Server 2008 and are members of a single Active Directory domain.

Recently, MedDev formed a new company named GoShop, Inc. GoShop, Inc. is run independently but is located in the MedDev office complex. You install Windows Server 2008 on the servers that will function as domain controllers in the GoShop, Inc. domain and create a new forest root domain named GoShopInc.com.

Users in both domains require access to resources in both forests. You need to configure the Active Directory infrastructure to permit resource access between forests and any child domains that might be added in the future.


1. Create a two-way forest trust between MedDev and GoShop.

2. Raise the forest functional levels to Windows Server 2003. <Correct>

3. Raise the domain functional levels to Windows Server 2008.

4. Create a one-way forest trust between MedDev and GoShop.

Explanation :To allow employees to access resources between forests, a two-way forest trust must be created. However, before you can set up a trust, the forest functional level must be raised. When Windows Server 2008 is first deployed in the forest root domain, the functional level is automatically set to Windows 2000. The Windows 2000 functional level does not support forest trusts. Therefore, you must first raise the forest functional level to at least Windows Server 2003.

You should not create a one-way forest trust. The scenario indicates that all employees need to access resources in both forests. Therefore, a two-way forest trust is required. A one-way forest trust between MedDev and GoShop will only permit employees in MedDev to access resources in GoShop, not vice versa.

You should not first create a two-way forest trust between MedDev and GoShop. Although a forest trust is required, the forest functional level needs to be raised before a trust can be created.

You should not raise the domain functional levels to Windows Server 2008. Raising the domain functional level will not provide support for forest trusts. You need to raise the functional level of the forest.



References :Enabling Windows Server 2008 Advanced Features for Active Directory Domain ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/36c824b5-bf53-42f7-8c7a-48f2f3d355ed1033.mspx?mfr=true

Raising the Functional LevelsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/95a37a13-0263-41fd-92ea-56d3d39a3b141033.mspx?mfr=true

Understanding AD DS Functional LevelsWindows Server 2008 Technical LibraryLink:

http://technet2.microsoft.com/windowsserver2008/en/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb01033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization.

You need to configure a domain controller as a global catalog server to store a copy of all Active Directory objects in the forest.

Which component should you use to accomplish the task?

1. Active Directory Domains and Trusts

2. Server Manager

3. Active Directory Domain Services Installation Wizard <Correct>

4. Active Directory Users and Computers

Explanation :You should run the Active Directory Domain Services Installation Wizard to configure a domain controller as a global catalog server. The first Windows Server 2008 domain controller is always configured as the global catalog server. When installing additional domain controllers in a domain, you can select the global catalog server check box on the Additional Domain Controller Options page in the Active Directory Domain Services Installation Wizard to configure the domain controller as a global catalog server.

You should not use Active Directory Domains and Trusts. You can use Active Directory Domains and Trusts to manage the domain trusts, domain and forest functional levels, and user principal name (UPN) suffixes.

You should not use Active Directory Users and Computers. Active Directory Users and Computers allows you to manage users, computers, security groups, and other objects in Active Directory Domain Services (AD DS).

You should not use Server Manager. Server Manager allows you to view and make changes to server roles and features installed on the server. It also allows you to verify the server status, determine critical events, and troubleshoot configuration issues or failures.



References :What's New in AD DS Installation and RemovalMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/e5bf22f7-f617-4820-a6d0-6271e3b80fe41033.mspx




______________________________________________________________________________________________________________________________________________

Your network includes the domain controllers shown in the exhibit. All domain controllers are running the DNS service and the zone is an Active Directory-Integrated zone.

You need to prevent unauthorized DNS servers from accessing DNS zone data.


1. Execute the following commands:dnscmd DC1 /ZoneResetSecondaries stayandsleep.com /NoXfrdnscmd DC2 /ZoneResetSecondaries stayandsleep.com /NoXfr <Correct>

2. In DNS Manager, clear the Allow zone transfer option. <Correct>

3. Execute the following command:dnscmd DC1 /ZoneResetSecondaries stayandsleep.com /SecureList 192.168.10.15, 192.168.10.16

4. In DNS Manager, add 192.168.10.15 and 192.168.10.16 to the Only to the following servers list.

5. In DNS Manager click Only to servers listed on the Name Servers tab. Add 192.168.10.15 and 192.168.10.16 to the Name Servers list.

Explanation :You should use DNS Manager to clear the Allow zone transfer option. Zone transfer is used to transfer zone information to a secondary zone. There are no secondary zones in the environment. Therefore, you should disable zone transfer. When zone transfer is enabled, an unauthorized server might be able to initiate a zone transfer and obtain information about your network's configuration.

Another way to prevent zone transfer is to execute the following commands:

dnscmd DC1 /ZoneResetSecondaries stayandsleep.com /NoXfrdnscmd DC2 /ZoneResetSecondaries stayandsleep.com /NoXfr

You should not use DNS Manager to add 192.168.10.15 and 192.168.10.16 to the Only to the following servers list. Doing so would allow zone transfer to these two IP addresses. Your DNS server would still be vulnerable to having its data copied to an unauthorized server if the attacker spoofed one of these addresses. Since you do not need zone transfer, the most secure option is to disable it.

You should not use DNS Manager to select Only to servers listed on the Name Servers tab and then add 192.168.10.15 and 192.168.10.16 to the Name Servers list. This would also leave your server vulnerable to a spoofing attack.

You should not execute the following command:

dnscmd DC1 /ZoneResetSecondaries stayandsleep.com /SecureList 192.168.10.15, 192.168.10.16

Executing this command is equivalent to setting the Only to the following servers list option in DNS Manager.



Modify Zone Transfer SettingsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/744b7d08-dfcd-4a1b-8157-fd443cb0482b1033.mspx



______________________________________________________________________________________________________________________________________________

Your network is an Active Directory forest with three domains. The root domain is stayandsleep.com. All domain controllers are running Windows Server 2008.

Your company is merging with BCD Train. During the merger, a subset of users in stayandsleep.com need to access resources in the BCD Train network. The BCD Train network is a single Active Directory domain. All domain controllers are running Windows Server 2008.

You need to configure Active Directory to support the necessary access. Your solution must minimize the exposure of both networks to only those who need access.

What should you do?

1. Create a one-way realm trust in which bcdtrain.com trusts stayandsleep.com.

2. Create a one-way realm trust in which stayandsleep.com trusts bcdtrain.com. Configure selective authentication.

3. Create a one-way external trust in which stayandsleep.com trusts bcdtrain.com.

4. Create a one-way forest trust in which bcdtrain.com trusts stayandsleep.com. Configure selective authentication. <Correct>

Explanation :You should create a one-way forest trust in which bcdtrain.com trusts stayandsleep.com and configure selective authentication. The requirements are that users in stayandsleep.com access resources in bcdtrain.com. Therefore, bcdtrain must trust stayandsleep.com. Because only certain users need access, you can limit the exposure by enabling selective authentication.

You should not create a one-way external trust in which stayandsleep.com trusts bcdtrain.com. An external trust is used to allow access to or from a Windows NT 4.0 domain or when you cannot use a forest trust. Also, the trust relationship is in the wrong direction and would allow users from bcdtrain.com to access resources in stayandsleep.com.

You should not create a one-way realm trust in which bcdtrain.com trusts stayandsleep.com. A realm trust is used between a Kerberos v5 realm that is not a Windows domain and a Windows Server 2008 domain.

You should not create a one-way realm trust in which stayandsleep.com trusts bcdtrain.com and configure selective authentication. Selective authentication is only supported on forest trusts and external trusts.



References :Understanding When to Create a Forest TrustWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/79feb454-7529-4742-9f39-5d6c0696e6c11033.mspx

Understanding Trust TypesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/6472046a-30dd-4dc9-92e0-450cebdafc901033.mspx

Understanding Trust DirectionWindows Server 2008 Technical LibraryLink:

http://technet2.microsoft.com/windowsserver2008/en/library/a43bb3e4-77b3-4b2e-adbd-d154b346781a1033.mspx?mfr=true

Select the Scope of Authentication for UsersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/7a01372b-6eb1-4175-b9ff-8c330a6160211033.mspx



______________________________________________________________________________________________________________________________________________

You recently installed Microsoft Windows Server 2008 on all network servers. Client computers - many of which are mobile - are running Windows XP Professional and Windows Vista Enterprise. All computers are members of a single Active Directory domain.

Server01 is configured as the Domain Name System (DNS) server. Some users on the network report that they are experiencing name resolution problems. You discover that there are stale resource records in the zone data.

You need to eliminate the stale resource records.

What should you do?

1. Disable dynamic updates for the zone.

2. Enable scavenging on the DNS server. <Correct>

3. Decrease the refresh interval on the DNS server.

4. Delete the DNS server's root zone.

Explanation :You should enable scavenging on the DNS server. If there are stale resource records in the zone data, the DNS clients may experience name resolution problems. By Enabling scavenging, the stale resource records will be removed from the zone data. By default, scavenging in disabled.

You should not delete the root zone on DNSServer01. The root zone should only be deleted when you are configuring DNS forwarders. The root zone is represented by a period. A computer that hosts a root zone cannot be configured to use a forwarder because the computer is considered to be at the top of the DNS namespace. If your network is not connected to the Internet or if your network uses a proxy server to connect to the Internet, you should have a root zone on at least one DNS server on your network.

You should not disable dynamic updates. Dynamic Updates lets DNS clients automatically register their host names and Internet Protocol (IP) addresses with the DNS server. The records will be automatically removed from the zone when the client is properly shut down. Disabling dynamic updates will not resolve the problem. In fact, this solution could worsen the problem because an administrator would have to manually maintain the zone data.

You should not decrease the refresh interval on the DNS server. The refresh interval determines when the client needs to update the time stamp for its resource record. However, adjusting the refresh interval will not remove the stale resource records from the zone data.



References :Enable Aging and Scavenging for DNSWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/7972082c-22a1-44fc-8e39-841f7327b6051033.mspx?mfr=true

Using DNS Aging and ScavengingMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/20fbbd82-0cea-4a74-9634-fdd993f4c4f41033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as two Active Directory domains with two sites: a Corporate site and a BranchOffice site. The stayandsleep.com domain has domain controllers at the corporate office. The branch.stayandsleep.com domain has domain controllers at the branch office.

You are creating a batch file that will be used to configure file servers at the branch office. File servers run the Server Core installation of Windows Server 2008 and will be member servers in the branch.stayandsleep.com domain. You will install Windows Server 2008 at the corporate office before shipping the server to the branch office.

You need to add a command to the batch file that will create an account for each new server in Active Directory and join the server to the branch.stayandsleep.com domain. The batch file will be executed on the file server by a domain administrator at the branch office.

What should you do?

1. Use the dsadd command.

2. Use the netsh command.

3. Use the dsmgmt command.

4. Use the netdom command. <Correct>

Explanation :You should use the netdom command. The netdom command can be used to join a computer to a domain.

You should not use the dsadd command. Although you can run the dsadd command to create a computer account, you would need to run the command on the domain controller, not on the member server.

You should not use the netsh command. The netsh command is used to configure IP address settings and firewall configuration. It is not used to join a computer to a domain.

You should not use the dsmgmt command. The dsmgmt command is used to manage flexible operations master roles and application partitions. It is not used to join a computer to a domain.



Server Core Installation Option of Windows Server 2008 Step-By-Step GuideWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/47a23a74-e13c-46de-8d30-ad0afb1eaffc1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. You install both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles on a computer running Windows Server 2008. The AD LDS server contains an instance with the default name. The AD LDS instance is used by several applications that access data from and write data to the AD LDS database. Over time, users report that AD LDS applications have become slow.

To resolve this problem, you need to defragment the AD LDS database.

What should you do?

In the list on the right, select the steps you should perform. Place your selections in the list on the left in the order in which you should perform them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :You should run the Net stop Adam_instance1 command, the Defrag command with the appropriate parameters, and the Net start Adam_instance1 command. When you perform offline defragmentation of the directory database file, a new compacted version of the database file is created in a different location. Restartable AD DS allows you to perform offline operations quickly because it does not require you to restart the domain controller in Directory Services Restore Mode. This means that you can perform offline defragmentation of the AD LDS directory database by stopping the AD LDS service, performing the defragmentation, and starting the AD LDS service. In this scenario, the AD LDS instance is installed with the default name, which is Instance1 by default. Therefore, to stop the AD LDS service, you should run the Net stop Adam_instance1 command. You should then run the Defrag command with the appropriate parameters, and then start the AD LDS service.

You should not restart the domain controller in Directory Services Restore Mode. Restarting the domain controller in Directory Services Restore Mode is required for previous versions of Active Directory. In Windows Server 2008, you can perform offline defragmentation by stopping AD LDS instead of restarting the domain controller in Directory Services Restore Mode.

You should not run the Net stop Ntds command or the Net start Ntds command. These commands will stop and start the AD DS service. In this scenario, you want to perform offline defragmentation of the AD LDS database. Therefore, you should stop the AD LDS service instead of the AD DS service.



References :Windows Server 2008 Restartable AD DS Step-by-Step GuideWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true

Compact the directory database file (offline defragmentation)Microsoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008.

A password policy currently configured for the domain requires passwords to meet the following criteria:

* At least six characters long * At least three of these: lower-case alpha character, upper-case alpha character, number, non-alphanumeric symbol * Password change every 60 days

A new security policy states that any user with network administration permissions must have a password at least 10 characters long.

You need to make the necessary changes to implement the new security policy. Your policy should not affect other users.

What should you do?

1. Create a domain local group named NetworkAdministrators.Add the users with network administration permissions to NetworkAdministrators.Create a fine-grained password policy and apply it to the NetworkAdministrators group.

2. Create an organizational unit (OU) named NetworkAdministrators.Move the computer accounts for users with network administration permissions to the NetworkAdministrators OU.Create a Group Policy object (GPO) that defines a password policy and link it to the NetworkAdministrators OU.

3. Create a global group named NetworkAdministrators.Add the users with network administration permissions to NetworkAdministrators.Create a fine-grained password policy and apply it to the NetworkAdministrators group.

<Correct>

4. Create an organizational unit (OU) named NetworkAdministrators.Move the user accounts for users with network administration permissions to the NetworkAdministrators OU.Create a Group Policy object (GPO) that defines a fine-grained password policy and link it to the NetworkAdministrators OU.


* Create a global group named NetworkAdministrators. * Add the users with network administration permissions to NetworkAdministrators. * Create a fine-grained password policy and apply it to the NetworkAdministrators group.

The new fine-grained password policy feature of Windows Server 2008 allows you to assign different password strength, password expiration, and account lockout policies to a subset of users. You can assign a fine-grained password policy to an individual user or to a global group.


* Create an OU named NetworkAdministrators. * Move the computer accounts for users with network administration permissions to the NetworkAdministrators OU. * Create a GPO that defines a password policy and link it to the NetworkAdministrators OU.

Although you can define a password policy inside a GPO, that policy does not affect domain user accounts unless it is linked to the domain. When linked to an OU, a GPO's password policy affects local user accounts for the computers in the OU. Windows Server 2008 also supports fine-grained

password policies. However, you cannot define a fine-grained password policy inside a GPO. A fine-grained password policy must be assigned to a user or a global group, not to an OU. Also, a fine-grained password policy is assigned to a user, not to a specific computer.


* Create a domain local group named NetworkAdministrators. * Add the users with network administration permissions to NetworkAdministrators. * Create a fine-grained password policy and apply it to the NetworkAdministrators group.

You must assign a fine-grained password policy to a user or a global group, not to a domain local group.


* Create an OU named NetworkAdministrators. * Move the user accounts for users with network administration permissions to the NetworkAdministrators OU. * Create a GPO that defines a password policy and link it to the NetworkAdministrators OU.

You cannot define a fine-grained password policy inside a GPO. A fine-grained password policy must be assigned to a user or a global group, not an OU.



AD DS: Fine-Grained Password PoliciesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx



______________________________________________________________________________________________________________________________________________

You install Active Directory Lightweight Directory Services (AD LDS) on a computer running Windows Server 2008. The AD LDS server hosts several AD LDS instances for various applications and users.

You need to modify the password of a user in an AD LDS instance by using Secure Sockets Layer (SSL).


1. Install a server certificate on the AD LDS server. <Correct>

2. Use the Ldp.exe tool to modify the password of the AD LDS user. <Correct>

3. Install a client certificate on the client computer. <Correct>

4. Open the Ldp.exe tool and select the LDAP_OPT_ENCRYPT option in the Option Name list in the Connection Options dialog box.

5. Use the ADSI Edit tool to modify the password of the AD LDS user.

6. Use the Active Directory Users and Computers utility to modify the password of the AD LDS user.

Explanation :You should install a server certificate on the AD LDS server, install a client certificate on the client computer, and use the Ldp.exe tool to modify the password of the AD LDS user. Ldp.exe is a Lightweight Directory Access Protocol (LDAP) tool that you can use to view and modify AD LDS data. You can use the ADSI Edit tool, the Ldp tool over an encrypted but non-SSL connection, or the Ldp tool over an SSL connection to modify the password of an AD LDS user. You must install certificates on both the server and the clients to establish an SSL connection to an AD LDS instance by using the Ldp.exe. Therefore, you should install a server certificate on the computer where the AD LDS instance is running, and install a matching client certificate on the computer from which you administer the AD LDS instance. Certificates are also required when you want an application to authenticate with an AD LDS instance.

You should not open the Ldp.exe tool and select the LDAP_OPT_ENCRYPT option in the Option Name list in the Connection Options dialog box. You can use the LDAP-OPT_ENCRYPT option when you want to modify the password of an AD LDS user over an encrypted, non-SSL connection.

You should not use the ADSI Edit tool to modify the password of the AD LDS user. ADSI Edit does not support SSL connections to AD LDS.

You should not use the Active Directory Users and Computers utility to modify the password of the AD LDS user. AD LDS is not supported by domain-oriented tools such as Active Directory Domains and Trusts, Active Directory Users and Computers, and Active Directory Sites and Services.



References :Set or modify the password of an AD LDS userWindows Server 2008 Help and Support

Active Directory Lightweight Directory Services RoleWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ee718046-0ed8-4ccc-938a-e765b668f6b21033.mspx?mfr=true

Step 7: Practice Managing AuthenticationWindows Server 2008 Technical Library

Link: http://technet2.microsoft.com/windowsserver2008/en/library/ad25814e-dbd8-4969-88b4-a389694a587b1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as an Active Directory domain. You discover that replication is failing with one of the domain controllers.

You need to determine if the domain controller is healthy and functioning properly.

What tool should you use?

1. Dcdiag.exe <Correct>

2. Replmon.exe

3. Netmon.exe

4. Repadmin.exe

Explanation :You should use Dcdiag.exe. Dcdiag is an Active Directory domain controller diagnostic tool. It can be used to determine if a domain controller is functioning properly and can identify problems discovered with a domain controller.

You should not use Repadmin.exe. Repladmin is used to monitor and troubleshoot Active Directory replication, but you should first determine if the domain controller is working properly.

You should not use Replmon.exe. Replmon is a replication troubleshooting tool. It will tell you whether or not replication is working, but it does not tell you if the domain controller is functioning properly.

You should not use Netmon.exe. Netmon is a network monitor program that lets you capture and view network traffic. It will not tell you if a specific computer is functioning properly.



References :Finding Additional Resources for Deploying the Windows Server 2008 Regional DomainsMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/7be8912a-e37d-4226-be5a-9f7f1d25c9e31033.mspx?mfr=true

Dcdiag OverviewMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/f7396ad6-0baa-4e66-8d18-17f83c5e4e6c1033.mspx?mfr=true

Dcdiag ExamplesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/824f106c-a90b-421b-aa44-ebc1403c8b4c1033.mspx?mfr=true

How To Use Additional Monitoring Tools in Windows Server 2008Course 6042



______________________________________________________________________________________________________________________________________________

You are the enterprise administrator for your organization. Domain controllers and member servers are running Microsoft Windows Server 2008. Client computers are running Microsoft Windows Vista Enterprise. The Active Directory infrastructure consists of two separate forest root domains with several child domains in each forest. Each forest has its own administrative group. There is no forest trust configured between forests.

You have created a series of starter Group Policy objects (GPOs) with the minimum baseline settings for users and computers based on different roles within the company. You need to share the templates with the administrators in the other forest so they can customize them and apply them within their environment.

What should you do?

1. Use the Group Policy Management console to copy the GPOs to the destination forest.

2. Use the Group Policy Management console to export the GPOs to a cabinet file. Send the cabinet file to the appropriate administrators. <Correct>

3. Use the ADM File Parser to export the GPOs to a tab-delimited text file. Send the text file to the appropriate administrators.

4. Use the ADM File Parser to export the GPOs to a cabinet file. Place the file in a shared folder on a folder and assign the Enterprise Admins group permission to the share.

Explanation :You should export the GPOs to a cabinet file. Windows Server 2008 lets you create starter GPOs that can be saved as cabinet files and shared with others, via e-mail for example. The cabinet file can easily be imported and used as a baseline for creating custom GPOs.

You should not export the GPOs to a tab-delimited text file because the solution does not provide other administrators with a template of GPO settings. You would export GPO settings to a tab-delimited text file if you want to find changes for the policy settings between different operating system versions.

You should not place the templates in a shared folder. Since there is no trust set up between the forests, you will not be able to share resources with administrators in the other forest.

You should not copy the GPOs to the destination forest. Although you can use a copy operation to transfers settings in a GPO between domains and forests, trust relationships must be in place. The scenario states that there is no trust relationship between the two forests. Therefore, a copy operation would not be a feasible solution.



References :Step-by-Step Guide to using Group Policy Management ConsoleMicrosoft TechNetLink: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpmcinad.mspx#ECPAC

Windows Server Group PolicyMicrosoft TechNetLink: http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. You install Active Directory Lightweight Directory Services (AD LDS) on a computer running Windows Server 2008.

You install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers to enable Secure Sockets Layer (SSL)-based connections to the AD LDS server.

You need to test the certificate with AD LDS.

What should you do?

1. From a client computer, use the Dsamain.exe tool to connect to the AD LDS instance.

2. From a client computer, use the Ldp.exe tool to connect to the AD LDS instance. <Correct>

3. From a client computer, use the ADSI Edit tool to connect to the AD LDS instance.

4. From a domain controller, use the Active Directory Sites and Services snap-in to connect to the AD LDS instance.

Explanation :You should use the Ldp.exe tool from a client computer to connect to the AD LDS instance. To establish SSL connections to AD LDS, both the server and the clients require certificates. To set up SSL for AD LDS, you should install a certificate that is marked for server authentication from a trusted CA onto the computer running AD LDS. When requesting the certificate, you must use the Fully Qualified Domain Name (FQDN) as the identifying name for the certificate. To connect to AD LDS from a client computer over SSL, the client computer must trust the certificate on the computer running AD LDS. To achieve this trust, you can add a certificate from the same CA to the Trusted Root Certification Authorities store on the client computer. To test the certificate with the AD LDS server, you should run the Ldp.exe tool on the computer running AD LDS and connect to the local AD LDS instance by using SSL. You must specify the FQDN of the computer running AD LDS when you use the Ldp.exe tool to make an SSL connection to AD LDS. If the server running ASD LDS is a standalone computer, you must include the primary DNS suffix when requesting the certificate and connecting with Ldp.exe.

You should not use the Dsamain.exe tool from a client computer to connect to the AD LDS instance. The Dsamain.exe tool examines any changes that are made to data stored in Active Directory Domain Services (AD DS) or AD LDS. The Dsamain.exe tool allows you to compare data in snapshots or backups taken at different times. This is helpful in helping you to decide which data to restore after data loss.

You should not use the ADSI Edit tool from a client computer to connect to the AD LDS instance. ADSI Edit is a Microsoft Management Console (MMC) snap-in for general AD LDS administration. You can use ADSI Edit to view, modify, create, or delete any object in AD LDS. The ADSI Edit tool does not support SSL connections to AD LDS.

You should not use the Active Directory Sites and Services tool from a domain controller to connect to the AD LDS instance. AD LDS is not supported by domain-oriented tools such as Active Directory Domains and Trusts, Active Directory Users and Computers, and Active Directory Sites and Services.



References :Active Directory Application Mode: Frequently Asked QuestionsMicrosoft TechNetLink: http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx

How to enable LDAP over SSL with a third-party certification authorityMicrosoft Help and Support

Link: http://support.microsoft.com/kb/321051

Appendix A: Configuring LDAP over SSL Requirements for AD LDSWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/2f5d0612-75f9-4883-bf52-d11c7cda907f1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network has three Active Directory domains in a single forest. All servers are running Windows Server 2008. The domain controller in the parent domain is configured as a Domain Name System (DNS) server for all domains. Secure Dynamic DNS (DDNS) updates are enabled for all domains.

A number of users connect to the network using a portable computer. IP configuration is assigned using Dynamic Host Configuration Protocol (DHCP).

Clients on the network begin to experience name resolution problems. You analyze the problem reports and determine that the problems are caused by DNS records that exist in the database for computers that have not connected to the network in a long time.

You need to ensure that records are deleted automatically if a computer does not connect to the network for 14 days.

What should you do?

1. On the DNS server, set the Scavenge Stale Resources option. <Correct>

2. Create a stub zone for each child domain in the parent domain.

3. Create a stub zone for the parent domain in each child domain.

4. On the DHCP scope, reduce the lease period.

Explanation :On the DNS server, you should set the Scavenge Stale Resources option. Scavenging allows the DNS server to remove records that have not been refreshed for a specific interval. This helps to ensure that old records do not accumulate and adversely impact performance and name resolution.

You should not reduce the lease period on the DHCP scope. The lease period determines how often an IP address can be reissued. In this case, the problem is not caused by a lack of available IP addresses. It is caused by old records on the DNS server.

You should not create a stub zone for the parent domain in each child domain. A stub zone contains only Name Server (NS) records. You would use a stub zone to keep a parent zone up to date with the addresses of DNS servers in the child zones.

You should not create a stub zone for each child domain in the parent domain. In this scenario, the DNS server in the parent domain is performing all name resolution for all domains. Therefore, it does not need a stub zone. You would use a stub zone if the problem was caused by the DNS server in the parent domain not being able to locate the DNS servers in the child domains.



Enable Aging and Scavenging for DNSWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/7972082c-22a1-44fc-8e39-841f7327b6051033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single domain with four sites. All domain controllers are running Windows Server 2008. Some client computers are running Windows XP Professional. Others are running Windows Vista.

Your company uses a large number of Group Policy objects (GPOs) to manage configuration settings. Network administrators currently use a computer named Admin1 to manage, create, and edit GPOs. Admin1 is running Windows XP Professional.

You analyze network traffic and disk space consumption and determine that GPOs are using a large amount of disk space and network bandwidth.

You need to reduce the amount of disk space and network bandwidth used by GPOs. Your solution must require only the upgrades necessary to meet the requirements.


1. Store the ADM files in a central store.

2. Store the ADMX files in a central store. <Correct>

3. Upgrade Admin1 to Windows Vista. <Correct>

4. Upgrade all client computers to Windows Vista.

5. Store the ADMX and ADM files on Admin1.

Explanation :You should store the ADMX files in a central store. The ADMX files are used by Windows Server 2008 and Windows Vista Group Policy Editor and Group Policy Management Console (GMPC) tools to define Group Policy settings. ADMX files can be stored in a central store or on the administrative workstation. A central store is a subdirectory of the SYSVOL folder on a domain controller. You must create the central store before you can use it. ADMX files require less storage and network bandwidth than ADM files because they are stored only once. ADM files are stored with every GPO. Therefore, if you have a large number of GPOs, storage requirements can be excessive. Also, the GPOs are replicated throughout the domain, so network bandwidth consumption can also be excessive.

You should also upgrade Admin1 to Windows Vista. Before you can delete the ADM information from the GPOs, you need to ensure that GPOs will only be edited on a computer running either Windows Vista or Windows Server 2008. You can delete an ADM template by using the Add/Remove Templates menu in the Group Policy Editor.

You should not store the ADM files in the central store. ADM files are stored in each GPO, not in the central store.

You should not store the ADMX and ADM files on Admin1. You could store the ADMX files on Admin1 instead of storing them in a central store. However, you cannot store ADM files on an administrative workstation.

You should not upgrade all client computers to Windows Vista. The ADMX files are used when editing or creating a GPO, not when applying it. Therefore, you only need to upgrade the management workstation, not all client computers.



References :ADMX Technology ReviewWindow Vista Tech CenterLink:

http://technet2.microsoft.com/WindowsVista/en/library/ef346453-eee8-4abe-ba6c-2160fee3be461033.mspx?mfr=true

Managing Group Policy ADMX Files Step-by-Step GuideMicrosoft DownloadsLink: http://go.microsoft.com/fwlink/?LinkId=55414

Inside ADM and ADMX Templates for Group PolicyMicrosoft TechNetLink: http://technet.microsoft.com/en-us/magazine/cc137719.aspx



______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office. You install Windows Server 2008 on all servers on the network. You install a domain controller named DC1 in the main office and a Read-Only Domain Controller (RODC) named RODC1 in the branch office. The offices are connected by a 128-Kbps link.

A user named John travels frequently to the branch office and requires access to the branch office network. You want to ensure that John is able to log on to the network in the branch office even if the Wide Area Network (WAN) link to the domain controller is unavailable.

To achieve this, you need to prepopulate the password cache of RODC1 with the password of John's user account.

What should you do?

1. Add John's user account to the Denied List on the Password Replication Policy tab in the Properties dialog box for RODC1.

2. Add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for RODC1. <Correct>

3. Add John's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.

4. Add John's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.

Explanation :You should add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for RODC1. You can prepopulate the cache of an RODC with the passwords of user and computer accounts that will authenticate to that RODC. Prepopulating the password cache is helpful when you want to ensure that a user can log on to the network in a branch office even if the WAN link to the writable domain controller is unavailable. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.

You should not add John's user account to the Denied List on the Password Replication Policy tab in the Properties dialog box for RODC1. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. Therefore, you should add John's user account to the Allowed List on the Password Replication Policy tab in the properties dialog box for RODC1.

You should not add John's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts that have been authenticated to this Read-only Domain Controller list displays all user and computer accounts that are authenticated to an RODC. You cannot manually add a user or a computer account to the Accounts that have been authenticated to this Read-only Domain Controller list.

You should not add John's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts whose passwords are stored on this Read-only Domain Controller list displays all user or computer accounts whose passwords are stored on that RODC. You cannot manually add a user or a computer account to the Accounts whose passwords are stored on this Read-only Domain Controller list.



References :Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008

Windows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

Password Replication Policy AdministrationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/1ec4c1ac-5768-4b53-9271-1948b8e8816f1033.mspx?mfr=true

Options for Configuring Password Replication PoliciesCourse 6043



______________________________________________________________________________________________________________________________________________

You are responsible for maintaining an Active Directory infrastructure. Domain controllers are running Microsoft Windows Server 2008. Client computers are running Windows Vista Enterprise. All computers are members of a single Active Directory domain.

You need to deploy a custom application to 100 users in the Human Resources department. You want the application to be available to all Human Resources staff when they log on to their computers.


1. Create a Group Policy object (GPO) that will publish the application to the HR Staff Organizational Unit (OU).

2. Create an Organizational Unit (OU) named HR Staff. Move the appropriate user accounts into the OU.<Correct>

3. Create an Organizational Unit (OU) named HR Computers. Move the appropriate computer accounts into the OU.

4. Create a Group Policy object (GPO) that will assign the application to the HR Computers Organizational Unit (OU).

5. Create a Group Policy object (GPO) that will publish the application to the HR Computers Organizational Unit (OU).

6. Create a Group Policy object (GPO) that will assign the application to the HR Staff Organizational Unit (OU). <Correct>

Explanation :Since you need to apply the software installation to a group of users, you first need to create an OU and move the user accounts into that container. In order to have the application available to users when they log on to their computers, the application needs to be assigned through a GPO that is linked to the OU.

You should not move the computer accounts into a separate OU. The application needs to be assigned to users, not computers. If the application is assigned to the computers, the application will install the next time the computer is restarted.

You should not publish the application through a GPO linked to the HR Staff OU. When an application is published, users have the option of whether or not to install it.

You should not publish the application through a GPO linked to the HR Computers OU. Applications can only be published to users, not computers.



References :Group Policy Software Deployment BackgroundMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/bca0be15-7170-4670-a771-753566e3e5781033.mspx?mfr=true

Assigning and Publishing SoftwareMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/d3d52f5d-45ab-4be9-a040-28ffe09bc8f81033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You are configuring a multi-domain Active Directory network. The network includes several geographic locations, which are organized into four sites. All locations are connected through full-time wide area links, but some of the links have relatively low bandwidth.

You are configuring a location with 10 users, all of whom are members of the same universal group. You install a server core installation of Microsoft Windows Server 2008 on the server you plan to deploy as the location's domain controller. You cannot ensure the physical security of the server.

You need to configure the location to optimize the time required to log on to the domain. The solution should minimize the replication traffic to the location. You also need to keep the server as secure as possible.

What should you do?

1. Configure a writable domain controller with the global catalog.

2. Configure a read-only domain controller (RODC) with the global catalog.

3. Configure a writable domain controller without the global catalog and enable universal group membership caching (UGMC).

4. Configure a read-only domain controller (RODC) without the global catalog and enable universal group membership caching (UGMC). <Correct>

Explanation :You should configure an RODC without the global catalog and enable UGMC. UGMC eliminates the need for a global catalog server at a location. You can cache authentication credentials locally, and the domain controller will not need to access a global catalog to obtain universal group membership information.

You should not configure an RODC with the global catalog. This would cause any changes made to the global catalog to be replicated to the server, so replication traffic would not be minimized.

You should not configure a writable domain controller. Because you are not able to physically secure the domain controller, this would be a security risk. It is more secure to use an RODC.



References :Active Directory Replication ConceptsMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/a85971c3-3e64-4a05-873c-45b8ee0570f51033.mspx?mfr=true

What Is the Global Catalog?Microsoft TechNetLink: http://technet2.microsoft.com/WindowsServer/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true

Planning Global Catalog Server PlacementMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/d59c8afc-9781-442e-8421-ee549a6966651033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as a single domain with two sites, as shown in the exhibit. DC1 is configured as a preferred bridgehead server. DC2 is configured as the schema master and infrastructure master.

You need to ensure that DC3 can be updated with changes to Active Directory if either DC1 or DC2 fails.

What should you do?

1. Configure DC3 so that it is a preferred bridgehead server.

2. Move the infrastructure master role to DC1.

3. Move the schema master role to DC1

4. Configure DC1 so that it is not the preferred bridgehead server. <Correct>

Explanation :You should configure DC1 so that it is not the preferred bridgehead server. If you identify a preferred bridgehead server, you prevent the Knowledge Consistency Checker (KCC) from choosing a server to use for replication. If the preferred bridgehead server fails, replication will not occur.

You should not move the schema master role to DC1. The schema master role does not affect replication.

You should not move the infrastructure master role to DC1. The infrastructure master role does not affect replication.

You should not configure DC3 so that it is a preferred bridgehead server. DC3 is the only domain controller in Site-B, so it will automatically be used for inter-site replication.



Designate a preferred bridgehead serverMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/5449da52-613f-48f3-bc87-1a7f5c7ab3401033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network has a single Active Directory domain with two servers running Active Directory Domain Services (AD DS). Both domain controllers are configured as Domain Name System (DNS) servers. You have created an Active Directory-Integrated forward lookup zone and an Active Directory-Integrated reverse lookup zone on one domain controller.

Your company is adding a branch office. The branch office will connect to the corporate office using a reliable high-speed connection. The branch office has several domain members running Windows Server 2008. Multiple users will share client computers and will not always use the same computer.

You need to enable users at the branch office to log on to the network and access the servers at the branch office even if the connection to the corporate office goes down. Your solution must ensure that administrators at the branch office cannot modify Active Directory objects or DNS records.

What should you do?

1. Install DNS and create a secondary zone on one of the servers at the branch office.

2. Install the AD DS role and the DNS role on one of the servers at the branch office.

3. Install the AD DS role on one of the servers at the branch office. Promote it to a read-only domain controller (RODC) and install DNS. <Correct>

4. Install the AD DS role on one of the servers at the branch office. Promote it to a read-only domain controller (RODC) and install DNS. Create a stub zone.

Explanation :You should install the AD DS role on one of the servers at the branch office, promote it to an RODC and install DNS. When you install DNS on an RODC using the Active Directory Domain Services Installation Wizard, a read-only zone is automatically created and synchronized with the Active Directory-Integrated zone. The RODC role does not allow administrators to manage Active Directory objects on the RODC.

You should not install DNS and create a secondary zone on one of the servers at the branch office. Users will not be able to authenticate to a domain controller, so they will not be able to access the network unless they are configured to cache credentials. You should not configure the client computers to cache logon credentials because multiple users use the same computer and a user might use a different computer each day. Therefore, caching logon credentials on the client computers will not allow users to reliably access the network.

You should not install the AD DS role and the DNS role on one of the servers at the branch office. The AD DS role allows an administrator to modify Active Directory objects.

You should not install the AD DS role on one of the servers at the branch office, promote it to an RODC, install DNS, and create a stub zone. You should not create a stub zone. A stub zone contains only Name Server (NS) records. It cannot be used to resolve names when the connection to the primary DNS server is down. You would use a stub zone to keep a parent zone up-to-date with the addresses of DNS servers in the child zones.




Lesson 2: Read-Only Domain Controller OperationCourse 6416A



______________________________________________________________________________________________________________________________________________

You want to use an Active Directory Lightweight Directory Services (AD LDS) configuration set to provide fault tolerance for AD LDS service instances.

You need to create a replica of an AD LDS instance for inclusion in the configuration set.

What command or utility should you use?

1. Active Directory Lightweight Directory Services Setup Wizard <Correct>

2. Ntdsutil

3. Windows Server Backup

4. Dsdbutil

Explanation :You should use Active Directory Lightweight Directory Services Setup Wizard to create a replica to be added to a configuration set. The wizard is added to the server's Administrative Tools folder when you configure the AD LDS role.

You should not use Windows Server Backup or Dsdbutil for this purpose. Both can be used to back up AD LDS instance data, but not for creating a replica that can be added to a configuration set.

You should not use Ntdsutil. The Ntdsutil command can be used to manage an AD LDS instance, but it cannot be used to create a replica.



References :Step 1: Practice Managing Replica AD LDS InstancesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/7a985180-aa70-41b1-ac74-8432eeca159e1033.mspx?mfr=true

Step 1: Back Up AD LDS Instance DataMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/8e82c111-32da-430e-a954-c0dbe9f4607f1033.mspx?mfr=true

NtdsutilMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/199cebb9-967c-4307-a9d7-1c0bb50dc75b1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You have deployed Active Directory Federation Services (AD FS) in your organization. You need to configure another organization as a federated partner. Your organization is the resource partner in this partnership.

You need to exchange partner values with the partner organization. You want to do this with as little administrative effort as possible.

What should you do?

1. Add your partner's domain as an Active Directory Domain Services (AD DS) Account store.

2. Have the partner send its federation server's validation certificate.

3. Export your trust policy files and send the resulting file to the partner administrator. <Correct>

4. Deploy an AD FS Proxy in the partner's perimeter network.

Explanation :You should export your trust policy files and send the resulting file to the partner administrator. Your partner would then import the XML policy file. Your partner can use the same process to provide you with trust policy file information. You use the Add Partner Wizard to both export and import trust policy files. The trust policy files include all of the information needed, including Uniform Resource Indicators (URIs), claim types, claim mappings, validation certificate, and so on.

You should not have the partner send its federation server's validation certificate. You would only need this if you were setting up the partnership manually. While this is possible, the process requires significantly more administrative effort.

You should not add your partner's domain as an Active Directory Domain Services (AD DS) Account store. This is used to add your organization's AD DS accounts to support user authentication to facilitate remote access by users from your network's domain.

You should not deploy an AD FS Proxy in the partner's perimeter network. An AD FS Proxy receives authentication requests and passes them on for authentication. You would deploy the AD FS Proxy in your own perimeter network.



References :Active Directory Federation Services RoleMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/f5e12c1f-a3fa-453d-98ce-be29352afaca1033.mspx?mfr=true

Active Directory Federation ServicesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/acc299c9-3bff-4c2d-b4af-78d772012b101033.mspx?mfr=true

Understanding Account StoresMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/bd1c92bf-f72a-4444-8c67-ad00a3ab4dde1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. The network includes four database servers running Windows Server 2003. Database administrators need to be able to perform the following tasks on these servers:

* Create and manage local groups.* Install software.* Shut down the server.* Modify network configuration settings.* Back up and restore files.

Database administrators should not be able to add other users to the Administrators group on the database servers.

You need to grant the necessary permissions to the DatabaseAdmins global group.

What should you do?

1. Add the DatabaseAdmins group to the Administrators group on the database servers only.

2. Create a DatabaseOperators organizational unit (OU).Add the DatabaseAdmins group to the DatabaseOperators OU.Create a Group Policy object (GPO) that defines a Restricted Groups policy and link it to the DatabaseOperators OU.

3. Create a DatabaseServers organizational unit (OU).Add the database server computer objects to the DatabaseServers OU.Create a Group Policy object (GPO) that defines a Restricted Groups policy and link it to the DatabaseServers OU.

<Correct>

4. Create a DatabaseServers organizational unit (OU).Add the database server computer objects to the DatabaseServers OU.Use the Delegation of Control Wizard to delegate control of the DatabaseServers OU to the DatabaseAdmins group.


* Create a DatabaseServers organizational unit (OU). * Add the database server computer objects to the DatabaseServers OU. * Create a Group Policy object (GPO) that defines a Restricted Groups policy and link it to the DatabaseServers OU.

To meet the requirements, you need to define a Restricted Groups policy for the database servers. A Restricted Groups policy allows you to limit the membership of a group. In this case, you will define a Restricted Groups policy that allows only DatabaseAdmins to be members of the Administrators group on the database servers. The Restricted Groups policy is defined through a GPO. You must create an OU containing the computer accounts to which the policy should apply and link the GPO to that OU.


* Create a DatabaseServers organizational unit (OU). * Add the database server computer objects to the DatabaseServers OU. * Use the Delegation of Control Wizard to delegate control of the DatabaseServers OU to the DatabaseAdmins group.

Delegation of control allows you to delegate the administration of Active Directory accounts. It does not allow you to delegate administrative permission, such as the ability to shut down the computer, create local groups on that computer, or install software.


* Create a DatabaseOperators organizational unit (OU). * Add the DatabaseAdmins group to the DatabaseOperators OU. * Create a Group Policy object (GPO) that defines a Restricted Groups policy and link it to the DatabaseOperators OU.

The Restricted Groups policy is a Computer Configuration policy. Therefore, you must create an OU that stores the computer accounts, not the group containing the user accounts for the database administrators.

You should not add the DatabaseAdmins group to the Administrators group on the database servers only. If you assign the DatabaseAdmins group to the Administrators group without using the Restricted Groups policy, members of DatabaseAdmins will be able to add other users to the Administrators group.



Delegating Administration of Account OUs and Resource OUsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/7a820c22-ca12-4209-96c1-edfc8b3774ab1033.mspx



______________________________________________________________________________________________________________________________________________

You have deployed a Public Key Infrastructure (PKI) in your domain. All Certificate Authorities (CAs) are running Microsoft Windows Server 2008.

Your organization has very large certificate revocation lists (CRLs). Applications frequently report errors when attempting to download CRLs. You need to correct this problem.

What should you do?

1. Increase the CRL retrieval timeout. <Correct>

2. Extend CRL expiration times.

3. Deploy additional CRL distribution points (CDPs).

4. Deploy the most recent intermediate CA certificates to all computers.

Explanation :You should increase the CRL retrieval time. The default retrieval time is 15 seconds. When the CRLs become too large for applications to download during that time, applications will report errors during download. You can increase the CRL retrieval timeout through Group Policy settings.

You should not deploy additional CDPs. The problem is with the size of the CRLs, not the number of CDPs available.

You should not deploy intermediate CA certificates to all computers. You would do this if you had errors in certificate chain building due to expired intermediate CA certificates.

You should not extend CRL expiration times. This would not correct the problem. You would do this if a delay in publishing a new CRL is affecting applications.


Sub Objective(s):Manage certificate revocations.

References :Lesson 1: Certificate AuthorityCourse 6416A

Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"Microsoft DownloadsLink: http://download.microsoft.com/download/5/a/7/5a7f8f7f-4355-4241-ad66-8572bb854ef2/Certificate%20Settings_StepByStep_Guide.doc



______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office. The company's network consists of a single Active Directory domain named bcdtrain.com. All servers on the network run Windows Server 2008. You install a Read-Only Domain Controller (RODC) on a server named RODC1 on the branch office network and configure the server to cache passwords for all domain users.

You want to enable an assistant administrator named Andrew to manage RODC1 in the branch office. You need to configure the Administrator Role Separation feature of RODC to delegate Andrew as a local administrator of RODC1 without granting him any rights for the domain or other domain controllers.

What should you do?

In the list on the right, select the commands you should use. Place your selections in the list on the left in the order in which you should use them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :Administrator Role Separation specifies that any user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. A delegated administrator is allowed to log on to an RODC and perform maintenance work on the server. To configure Administrator Role Separation for an RODC, you should be a member of the Domain Admins group. You should enter the following commands at a command prompt on RODC1:

1. Dsmgmt 2. Local roles 3. Add <DOMAIN>\<user> <administrative role>

For example, to add Andrew to the local administrators group in this scenario, you should use the add bcdtrain\Andrew administrators command. After a user has been added to the administrator role on an RODC, that user can log on locally and can further configure Administrator Role Separation.

You should not type Security account management at the Dsmgmt prompt. The Security account management command is used to manage security account database and duplicate Security Identifier (SID) cleanup.

You should not type Roles at the Dsmgmt prompt. The Roles command is used to manage NTDS role owner tokens. You can perform maintenance of Flexible Single Master Operations (FSMO) roles by using the Roles command.

You should not run the Add Andrew administrators command. The Add command requires the user name in <Domain>\<user> format. In this scenario, the domain name is bcdtrain.com. Therefore, you should specify bcdtrain\Andrew instead of specifying only Andrew.



References :Administrator Role Separation ConfigurationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/c0a45344-f77b-4ea6-8685-37a51f853b571033.mspx?mfr=true

RODC FeaturesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/0e8e874f-3ef4-43e6-b496-302a47101e611033.mspx?mfr=true

Options for Administering RODCsCourse 6043



______________________________________________________________________________________________________________________________________________

Your organization has a single Active Directory domain and has deployed Windows Server 2008 on all servers in the domain. You have installed Network Policy and Access Services, Terminal Services, and Universal Description, Discovery and Integration (UDDI) Services on a Windows Server 2008 server.

Your organization wants to ensure that unauthorized users cannot gain access to digital information stored on the server.

What should you do?

1. Install Active Directory Lightweight Directory Services (AD LDS) on the server.

2. Install Active Directory Rights Management Services (AD RMS) on the server. <Correct>

3. Install Windows Deployment Services (WDS) on the server.

4. Install the Application Server role on the server.

Explanation :You should install AD RMS on the server to ensure that unauthorized users cannot gain access to the digital information stored on the server. AD RMS ensures that users cannot view, copy, or print a file until they are granted permissions. To use AD RMS, you should install the AD RMS server role, configure the AD RMS cluster, and configure the AD RMS-enabled client computers in your organization.

You should not install AD LDS on the server. AD LDS provides a store for application-specific data for directory-enabled applications.

You should not install WDS on the server. The Windows Deployment Services server role provides a feature to remotely deploy Windows on computers over the network.

You should not install the Application Server role on the server. The Application Server role enables you to manage the custom business applications that are based on Microsoft .NET Framework 3.0.



References :Windows Server Active Directory Rights Management Services Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/437d3040-89f0-40ac-a2af-c288a48714c41033.mspx




______________________________________________________________________________________________________________________________________________

Your company's network consists of three Windows Server 2003 computers and 1,000 Windows Vista client computers installed in different locations. All computers on the network are configured to use Internet Protocol version 4 (IPv4).

The company's network is configured with Windows Internet Name Service (WINS), which is used as a secondary name-resolution protocol alongside Domain Name System (DNS). You are responsible for upgrading all the servers from Windows Server 2003 to Windows Server 2008. You upgrade the servers and also configure the network to use Internet Protocol version 6 (IPv6).

You need to ensure that the network continues to provide single-label name resolution for all computers on the network.


1. Remove the WINS server from the network. <Correct>

2. Configure the GlobalNames zone on the DNS server. <Correct>

3. Configure Link-local multicast name resolution (LLMNR).

4. Configure conditional forwarders on the DNS server.

5. Install a Read-only domain controller (RODC) on the network.

Explanation :You should remove the WINS server from the network and configure the GlobalNames zone on the DNS server. WINS is often used as a secondary name resolution protocol with DNS. However, WINS does not support IPv6. Therefore, WINS will not provide single-label name resolution to computers using IPv6. Therefore, you should remove the WINS server from the network and configure the GlobalNames zone on the DNS server. The GlobalNames zone uses the WINS methodology to provide single-label name resolution. To ensure that the GlobalNames zone provides single-name resolution, all authoritative DNS servers must be running Windows Server 2008.

You should not configure conditional forwarders on the DNS server. Conditional forwarders do not provide single-label name resolution. Conditional forwarders are used to forward queries according to domain names instead of having a DNS server to forward all DNS queries it cannot resolve locally to a forwarder. DNS servers can also be configured to forward queries for different domains to different forwarders.

You should not install an RODC on the network. An RODC is a shadow copy of a domain controller that cannot be configured directly, thereby making the domain controller less vulnerable to network threats.

You should not configure LLMNR because LLMNR does not provide single-label name resolution. LLMNR is another new feature of Windows Server 2008. DNS client computers can use LLMNR to resolve a host name on a local network segment when the DNS sever is unavailable.






______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. The domain includes an organizational unit (OU) named CallCenter, which contains computer objects. All computers in the CallCenter OU should have the same User Configuration settings applied, regardless of who logs on.

You have created these settings in a Group Policy object (GPO) named CallCenterGPO and linked it to CallCenter. However, users are still able to log on and receive the User Configuration settings that apply to their user accounts.

You need to ensure that the users' settings are not applied to the computers in the call center.

What should you do?

1. In the CallCenterGPO link, enable the Enforce option.

2. In CallCenterGPO, enable the User Group Policy loopback processing mode policy and set the Merge option.

3. In CallCenterGPO, enable the User Group Policy loopback processing mode policy and set the Replace option.<Correct>

4. On the CallCenter OU, enable the Block Policy Inheritance option.

Explanation :In CallCenterGPO, you should enable the User Group Policy loopback processing mode policy and set the Replace option. When the User Group Policy loopback processing mode policy is enabled and the Replace option is set, the GPO policies that apply to the user account are ignored. Therefore, the computer will be configured identically regardless of who logs on.

You should not set the Merge option. The Merge option causes the user's GPO policies to be applied unless there is a conflict. The requirements state that users should not be able to receive their own settings when logging on at a call center computer.

You should not enable the Enforce option on the CallCenterGPO GPO link. The Enforce option causes the policies to be enforced regardless of policies defined in GPOs that are applied later. This would prevent a policy defined lower in the OU hierarchy from overriding one defined in a GPO linked to CallCenter, but would not prevent user configuration settings from being used from GPOs applied to the user account.

You should not enable the Block Policy Inheritance option on the CallCenter OU. Block Policy Inheritance prevents policies applied higher in the hierarchy from being applied. It does not prevent policies linked to the OU containing the user accounts from being applied based on the user who is logged on.


Sub Objective(s):Create and apply Group Policy objects (GPOs).

Planning and Deploying Group PolicyMicrosoft DownloadsLink: http://www.microsoft.com/downloads/details.aspx?familyid=73D96068-0AEA-450A-861B-E2C5413B0485&displaylang=en



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. Domain controllers and member servers are running Microsoft Windows Server 2008. The default domain and forest functional levels are configured.

A global distribution group named Sales Users contains all employees in the Sales department. You have just created a new domain local group named All Sales Users and assigned permissions to the group.

You create a new share named Sales Data on FileServer10. You want employees in the Sales department to store all their sales data in this shared folder.

You want to grant all employees in the Sales department access to the share using the least amount of administrative effort.


1. Convert Sales Users to a security group. <Correct>

2. Raise the domain functional level to Windows Server 2003.

3. Change All Sales Users to a global group.

4. Add the Sales Users group to the All Sales Users domain local group. <Correct>

5. Add each user from the sales department to All Sales Users.

Explanation :You must convert the Sales Users group from a distribution group to a security group. Since distribution groups are only used for e-mail purposes, you must open the properties dialog box for the group within Active Directory Users and Computers and change the group type from distribution to security. The Sales Users global group needs to be added to the All Sales Users domain local group. When assigning permissions to group accounts, the recommended strategy is to add global groups to domain local groups and assign permission to the domain local groups.

You should not add the Sales Users group to the domain local group named All Sales Users. This step cannot be performed until the distribution group is changed to a global security group.

Raising the domain functional level will have no impact on the situation. The current domain and forest functional levels support group conversions as well as global and domain local groups.

The scope of the domain local group should not be changed. The recommended strategy for groups is to place users in global groups and add the global groups to domain local groups. A domain local group is required so the scope of the group should not be changed. You need a domain local group to assign permissions to the resource, which in this case is a shared folder. You would then add the global group containing the user accounts to the domain local group.

You should not add each user account to the All Sales Users domain local group. Not only would the solution require more administrative effort, but the solution goes against the recommended strategy for implementing groups and assigning permissions to resources.



References :Group typesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/95107162-47eb-4891-832f-0c0b15b7c8581033.mspx?mfr=true

Convert a group to another group typeWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver/en/library/a935bf64-8a1d-4317-a339-0b035f08244f1033.mspx?mfr=true

Understanding AD DS Functional LevelsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb01033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You are responsible for maintaining an Active Directory infrastructure. Domain controllers are running Microsoft Windows Server 2008. Client computers are running Windows Vista Enterprise. All computers are members of a single Active Directory domain.

You have set up the following Organizational Units (OUs):

File ServersHuman Resources UsersHuman Resources Servers

Computers used by the HR department have been placed in the Human Resources Users OU. Servers storing HR data have been placed in the Human Resources Server OU. Servers that store public data for all company users have been placed in the File Servers OU.

Regulations require all communication with servers storing HR data to be secured using IP Security (IPSec). You need to ensure that the HR servers use IPSec when communicating with other computers. You do not want any other servers to use IPSec. Your solution must ensure that HR staff can store their data on the HR servers and access all other servers.


1. Create a Group Policy object (GPO) that assigns the Client (Respond Only) policy setting. Link the GPO to the Human Resources Users OU. <Correct>

2. Create a Group Policy object (GPO) that assigns the Server (Request Security) policy setting. Link the GPO to the File Servers OU.

3. Create a Group Policy object (GPO) that assigns the Server (Request Security) policy setting. Link the GPO to the Human Resources Servers OU.

4. Create a Group Policy object (GPO) that assigns the Secure Server (Require Security) policy setting. Link the GPO to the File Servers OU.

5. Create a Group Policy object (GPO) that assigns the Secure Server (Require Security) policy setting. Link the GPO to the Human Resources Servers OU. <Correct>

Explanation :You must create two GPOs. One GPO will be linked to the Human Resources Servers OU and the other to the Human Resources Users OU. You must assign the servers in the Human Resources Servers the Secure Server (Require Security) IPSec policy. This policy will force the servers to use IPSec for all communications.

You must also assign the computers in the Human Resources Users OU the Client (Respond Only) IPSec policy. This policy will let them to communicate with the servers using IPSec and still communicate with any servers that do not require it, such as with those in the File Servers OU.

You should not assign an IPSec policy to the File Servers OU. The servers within this OU should not be using IPSec for any communications.

You should not create a GPO that assigns the Server (Request Security) policy setting and link it to the Human Resources Servers OU. By doing so, the servers will request secure communications using IPSec. However, the servers will still allow unsecured communications. The scenario indicates that all communication with these servers must be secured with IPSec.



References :Creating an Organizational Unit DesignWindows Server 2008 Technical Library

Link: http://technet2.microsoft.com/windowsserver2008/en/library/04f9603d-b4a8-4a33-af4a-257aca2f32791033.mspx?mfr=true

Designing a Group Policy InfrastructureMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/c75e3e6f-c322-4220-b205-46c6e9ba76741033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company network is running Microsoft Windows Server 2008. Client computers are running Microsoft Windows XP Professional. All computers are members of a single Active Directory domain.

Senior executives have indicated that members of the Financial department require a stricter password policy than the rest of the company.

You need to create a second password policy for the Financial department.

What should you do?

1. Create a separate domain for the financial department. Create a stricter password policy for the new domain.

2. Deny members of the financial department permission to the Group Policy Object (GPO) containing the company-wide password policy.

3. Create a stricter password policy and link it to the global group containing members of the financial department. <Correct>

4. Create a new Organizational Unit (OU) for the financial department. Create a stricter password policy and link it to the OU.

Explanation :You should create a second password policy and link it to the group containing members of the financial department. Windows Server 2008 introduces the ability to create multiple password policies in a single domain. Password policies are then linked to users or global groups.

You do not need to create a second domain because multiple password policies can now exist for an entire domain. In earlier versions of Windows Server, only a single password policy could exist within a domain.

You should not create an OU for the financial department and apply a second password policy to the OU. Although multiple password policies can be created within a single domain, they are linked to users and global groups.

You should not deny permission to the GPO containing the company-wide password policy. Denying permission to users in the financial department would only exempt them from the company-wide password policy.



References :AD-DS: Fine-Grained Password PoliciesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true

Security Watch: Windows Domain Password PoliciesMicrosoft TechNetLink: http://www.microsoft.com/technet/technetmag/issues/2007/12/SecurityWatch/

Apply or modify password policyMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/99d59e46-7116-4559-b995-859611548d3e1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as a multiple domain Active Directory forest. Active Directory configured replication topology automatically when you deployed the domain controllers. You are concerned that the replication topology is less than optimum because of some low-bandwidth links in your network infrastructure.

You want to be able to quickly and easily identify how the topology links are configured for a selected domain controller. You need to view the replication topology to determine if you need to make manual changes.


1. Dsmgmt.exe

2. Netmon.exe

3. Repadmin.exe <Correct>

4. Dcdiag.exe

Explanation :You should use Repadmin.exe. Repadmin is a replication troubleshooting and administration utility. It lets you view replication topology from the context of any domain controller. It shows how the topology links out from the selected domain controller, making it easy to see exactly where it fits in the current topology. It makes it easy to identify potential problems, such as connecting directly to another domain controller that you know is connected over a low-bandwidth link, or trying to support too many direct connections over a low-bandwidth link. It can also be used to manually configure replication topology.

You should not use Dsmgmt.exe. Dsmgmt is an Active Directory management utility, but it does not let you view or manage replication topology. You would use Dsmgmt, for example, to manage roles and configurable settings.

You should not use Dcdiag.exe. Dcdiag is a domain controller diagnostic utility. It can be used to test domain controller and replication functionality, but it does not display the replication topology.

You should not use Netmon.exe. Netmon is the Windows network monitor. You could use it to track replication traffic in the network, but not to directly view or to modify the replication topology.



References :RepadminMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/24cf60ff-6fae-428e-967a-5c24f5f80d311033.mspx?mfr=true

How To Use Additional Monitoring Tools in Windows Server 2008Course 6042



______________________________________________________________________________________________________________________________________________

Your company has two locations: Chicago and Miami. The network is configured as a single Active Directory domain. You are planning to install Windows Server 2008 on a domain controller at each location. IP addresses will be assigned using a Dynamic Host Configuration Protocol (DHCP) server at each location. Your solution must meet the following requirements:

* Administrators in Chicago need to be able to create and modify Active Directory accounts. * Administrators in Miami need to be able to update drivers on the domain controller in Miami, but should not be able to create or modify user accounts. * Records in the Domain Name System (DNS) database must be kept up to date. * Only Active Directory domain members can register with the DNS server. * Name resolution traffic across the Wide Area Network (WAN) link should be minimized.

You need to plan the DNS configuration.


1. Deploy a stub zone in Miami.

2. Deploy a primary read-only zone in Miami. <Correct>

3. Deploy an Active Directory-Integrated zone in Miami.

4. Deploy a standard primary zone in Chicago.

5. Deploy an Active Directory-Integrated zone in Chicago. <Correct>

Explanation :You should install an Active Directory-Integrated zone in Chicago. To support dynamic updates only by domain members, you must enable Secure Dynamic DNS (DDNS). Secure DDNS is only supported on Active Directory-Integrated zones.

You should also create a primary read-only zone on the domain controller in Miami. To prevent administrators in Miami from creating and modifying user accounts, you must install a read-only domain controller (RODC). An RODC supports primary read-only DNS zones. When a client needs to update a DNS record, the primary read-only DNS server refers the client to the writable DNS server on the writable domain controller.

You should not create a standard primary zone in Chicago. A standard primary zone does not support Secure DDNS.

You should not create an Active Directory-Integrated zone in Miami. The Miami office must have an RODC, not a writable domain controller because the administrators in Miami should not be able to create and modify user accounts. An Active Directory-Integrated zone can only be created on a writable domain controller.

You should not create a stub zone in Miami. A stub zone contains only Name Server (NS) records. It does not resolve the names of other computers. Therefore, it would not reduce name resolution traffic across the WAN. You would use a stub zone to keep a parent zone up to date with the addresses of DNS servers in the child zones.




Lesson 2: Read-Only Domain Controller OperationCourse 6416A

DNS Server OverviewWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/05644d1f-6d88-4eb4-81bd-e1af44a802431033.mspx



______________________________________________________________________________________________________________________________________________

Your company has a corporate office and a branch office. The network is configured as a single Active Directory domain with two sites - one for each office. There are three domain controllers at the corporate office and a read-only domain controller (RODC) at the branch office.

You create user accounts for newly hired employees who work at the branch office. The employees report that they cannot log on.

You need to allow the employees to log on.


1. Restart the RODC.

2. Execute gpupdate /force.

3. Launch Active Directory Users and Computers. Right-click the RODC and choose Replicate Now.

4. Launch Active Directory Sites and Services. Right-click the connection and choose Replicate Now. <Correct>

5. Execute repladmin /replicate. <Correct>

Explanation :You should launch Active Directory Sites and Services, right-click the connection and choose Replicate Now. The problem is due to the fact that the user accounts have not replicated to the RODC. You can force replication through Active Directory Sites and Services.

You can also resolve the problem by executing the repladmin /replicate command. Using the /replicate or /syncall option of the repladmin command forces replication.

You should not execute the gpupdate /force command. The gpupdate command updates the application of Group Policy objects (GPOs). The problem is not caused by GPOs that have not been applied. It is caused by user accounts that have not been replicated.

You should not restart the RODC. Restarting the RODC does not cause replication to occur.

You should not launch Active Directory Users and Computers, right-click the RODC and choose Replicate Now. You cannot force replication using Active Directory Users and Computers. You need to use either Active Directory Sites and Services or repladmin.



RODC Frequently Asked QuestionsWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e41e0d2f-9527-4eaf-b933-84f7d3b2c94a1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network has three domains: stayandsleep.com, dev.stayandsleep.com, and sales.stayandsleep.com. The domain controllers are described in the exhibit.

Users on the ProjectA team need access to resources on the ProjectA member server, which is a member of the Stayandsleep.com domain and the ProjectA-Dev server, which is located in the Dev.stayandsleep.com domain. The ProjectA team includes employees with accounts in all three domains.

You need to configure access to the resources on the ProjectA member server. Your solution must minimize the effort required to grant permissions to new team members and minimize global catalog replication.

What should you do?

1. Create a global group named ProjectA in Stayandsleep.com.Add team members to ProjectA.Grant permissions to ProjectA.

2. Create a domain local group named ProjectA.Add team members to ProjectA.Grant permissions to ProjectA.

3. Create a universal group named ProjectAUniv in stayandsleep.com.Create a global group named ProjectA in each domain and add team members to the appropriate group.Add the global groups to the ProjectAUniv group.Create a domain local group named ProjectALocal in Stayandsleep.com and Dev.Stayandsleep.com.Add the ProjectAUniv group to ProjectALocal groups.Grant permissions to ProjectALocal groups.

<Correct>

4. Create a universal group named ProjectA in Stayandsleep.com.Add the team members to ProjectA.Create a domain local group named ProjectALocal in Stayandsleep.com.Add the ProjectA group to ProjectALocal.Grant permissions to ProjectALocal.


* Create a universal group named ProjectAUniv in Stayandsleep.com. * Create a global group named ProjectA in each domain and add team members to the appropriate group. * Add the global groups to the ProjectAUniv group. * Create a domain local group named ProjectALocal in Stayandsleep.com and Dev.stayandsleep.com. * Add the ProjectAUniv group to the ProjectALocal groups. * Grant permissions to the ProjectALocal groups.

A universal group can contain members from any domain and can be added to a domain local group in any domain. Therefore, you should use a universal group as a centralized gathering of users who need access to the resources required by the members of the ProjectA team. A global group can contain only members from the domain in which it was created. Therefore, it can be used to group team members for a specific domain. You can assign a global group membership in a universal group. Doing so reduces the changes to the universal group and minimizes changes that must be replicated to the global catalog servers. You should then create a domain local group and use it to assign permissions. A domain local group can be used to assign permissions to resources in its own domain. However, it can have universal groups or global groups from any domain as a member.


* Create a universal group named ProjectA in Stayandsleep.com. * Add the team members to ProjectA.

* Create a domain local group named ProjectALocal in Stayandsleep.com. * Add the ProjectA group to ProjectALocal. * Grant permissions to ProjectALocal.

If you add team members to the ProjectA universal group, the group will need to be replicated each time a membership change occurs.


* Create a global group named ProjectA in Stayandsleep.com. * Add team members to ProjectA. * Grant permissions to ProjectA.

You cannot add users from multiple domains to a global group. You should create a universal group to consolidate users from multiple domains.


* Create a domain local group named ProjectA. * Add team members to ProjectA. * Grant permissions to ProjectA.

A domain local group can contain universal groups and users and groups from any domain in the forest. However, it can only be used to grant permission to resources in its own domain. Therefore, it cannot be used to grant resources on both ProjectA and ProjectA-Dev.



Understanding User and Group AccountsMicrosoft TechNetLink: http://technet.microsoft.com/en-us/library/bb726978.aspx



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. All servers on the network run Windows Server 2008, and the client computers on the network run Windows Vista.

An organizational unit has been created and named for each department. All user accounts and client computer accounts for each department belong to their respective departmental organizational units.

You recently realized that some network users are installing unlicensed software by changing the Registry settings on their computers. The network users are provided with roaming profiles because they do not have dedicated systems.

You need to track down Registry changes on all client computers.

What should you do?

1. Modify the Default Domain Policy Group Policy object (GPO) and enable the Audit object access policy for all domain users. <Correct>

2. Modify the Default Domain Controller Group Policy object (GPO) and enable the Audit object access policy for all domain users.

3. Modify the Default Domain Policy Group Policy object (GPO) and enable the Audit system events policy for all domain users.

4. Modify the Default Domain Controller Group Policy object (GPO) and enable the Audit privilege use policy for all domain users.

Explanation :You should modify the Default Domain Policy GPO and enable the Audit object access policy for all domain users. Enabling an Audit object access policy allows you to audit each user attempt to access an object. Objects include files, folders, printers, Registry keys, and Active Directory objects. Modifying the Default Domain Policy GPO allows you to audit Registry changes at the domain level.

You should not modify the Default Domain Controller GPO and enable the Audit object access policy or enable the Audit privilege use policy for all domain users. The Default Domain Controller GPO applies only to domain controllers that are located in the Domain Controllers container in Active Directory. In this scenario, you want to audit Registry changes on all client computers. Therefore, you should modify the Default Domain Policy GPO because the Default Domain Policy GPO applies at the domain level. Also, the Audit privilege use policy cannot be used to audit events related to Registry changes on client computers. The Audit privilege use policy is used to audit events related to a user performing a task controlled by a User Rights Assignment in Group Policy.

You should not modify the Default Domain Policy GPO and enable the Audit system events policy for all domain users. Enabling the Audit system events policy allows you to audit only system events such as a computer restart or shutdown.



References :How to use Group Policy to audit registry keys in Windows Server 2003Microsoft Help and SupportLink: http://support.microsoft.com/kb/324739


Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide

Windows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your network has the IP address assignments shown in the exhibit. Client computers at the branch office currently authenticate across the Wide Area Network (WAN) link to domain controllers at the corporate office.

You need to deploy a domain controller to the branch office. Client computers at the branch office should authenticate locally when possible.

What should you do?

1. Create a site named BranchOffice.Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254.Promote the domain controller.Use Active Directory Sites and Services to move the new domain controller to the BranchOffice site.

2. Create a site named BranchOffice.Create a subnet with the prefix 192.168.1 and associate it with the BranchOffice site.Create a subnet with the prefix 148.130.1 and associate it with DEFAULT-FIRST-SITE-NAME.Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254.

<Correct>

3. Create a site named BranchOffice.Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254.Create an answer file to use with dcpromo that sets the AD-Site attribute to BranchOffice.Execute dcpromo with the answer file.

4. Create a site named BranchOffice and associate it with the range 192.168.1.1 - 192.168.1.254.Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254.Create a connection object between BranchOffice and DEFAULT-FIRST-SITE-NAME.


* Create a site named BranchOffice. * Create a subnet with the prefix 192.168.1 and associate it with the BranchOffice site. * Create a subnet with the prefix 148.130.1 and associate it with DEFAULT-FIRST-SITE-NAME. * Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254.

You need to create a site to segregate the branch office network from the corporate network so that clients in the branch office use the local domain controller when it is available. You must also create a subnet with the IP prefix for the branch office. Finally, because this is the first additional site you have added, you need to create a subnet to identify the subnet associated with DEFAULT-FIRST-SITE-NAME.


* Create a site named BranchOffice and associate it with the range 192.168.1.1 - 192.168.1.254. * Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254. * Create a connection object between BranchOffice and DEFAULT-FIRST-SITE-NAME.

You cannot associate a site with an IP range except by creating a subnet. You also should not create connection objects directly. Active Directory generates connection objects automatically based on site link costs.


* Create a site named BranchOffice. * Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254. * Create an answer file to use with dcpromo that sets the AD-Site attribute to BranchOffice. * Execute dcpromo with the answer file.

You must create subnets to associate each site with specific IP address ranges. Also, you use the

SiteName attribute to assign a domain controller to a site during installation, not the AD-Site attribute.


* Create a site named BranchOffice. * Assign the new domain controller an address in the range 192.168.1.1 - 192.168.1.254. * Promote the domain controller. * Use Active Directory Sites and Services to move the new domain controller to the BranchOffice site.

The site is determined based on the IP address. You cannot move a domain controller to a site using Active Directory Sites and Services.



References :Overview of Active Directory Sites and ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/b8865b4c-ca79-4e84-a45f-82156c0e3d3e1033.mspx?mfr=true

Understanding Sites, Subnets, and Site LinksWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/842d13a6-aab7-4811-96b8-40ee9aa40dfa1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network has a single Active Directory domain. You are preparing to add the first domain controller to a branch office.

You want to ensure that users in the branch office authenticate to that domain controller if it is available. They should be authenticated by a domain controller at the corporate office if the one at their location is not available.

What should you do?

1. Use Active Directory Sites and Services to create a new site link. Select the site link when you promote the domain controller.

2. Use dcpromo.exe to promote the server to domain controller in a new domain in the same forest.

3. Use ntdsutil to create a new site and associate it with the new domain controller.

4. Use Active Directory Sites and Services to create a subnet and associate it with a new site. <Correct>

Explanation :You should Use Active Directory Sites and Services to create a subnet and associate it with a new site. A site is used to control replication and to help ensure that a local server is given preference for authentication. You must create a subnet to define which IP addresses are associated with a specific site.

You should not use Active Directory Sites and Services to create a new site link and install the domain controller to that site. You cannot select a site link during promotion. Site links control replication topology, not which domain controller is used for authentication.

You should not use dcpromo.exe to promote the server to domain controller in a new domain in the same forest. You do not need to create a separate domain. A domain provides a security boundary, not a geographical boundary. Also, if you create a separate domain, the existing domain controllers at the corporate office will not be able to authenticate users in the branch office.

You should not use ntdsutil to create a new site and associate it with the new domain controller. You cannot use ntdsutil to associate a domain controller with a specific site. A subnet is used to determine which domain controllers belong to a specific site.



Understanding Sites, Subnets, and Site LinksWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/842d13a6-aab7-4811-96b8-40ee9aa40dfa1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. Your company uses Encrypting File system (EFS) to protect confidential files. The company wants to control issuing EFS certificates from a Public Key Infrastructure (PKI).

You publish the Basic EFS certificate template.

You need to configure permissions to allow users in the Development department to obtain an EFS certificate automatically.

What should you do?

1. Create a domain local group named Developers. Grant Autoenroll, Enroll, and Read on the Basic EFS certificate template to the Developers group.

2. Create a domain local group named Developers. Grant Autoenroll and Read on the Basic EFS certificate template to the Developers group.

3. Create a global group named Developers. Grant Autoenroll and Read on the Basic EFS certificate template to the Developers group.

4. Create a global group named Developers. Grant Autoenroll, Enroll, and Read on the Basic EFS certificate template to the Developers group. <Correct>


* Create a global group named Developers. * Grant Autoenroll, Enroll, and Read on the Basic EFS certificate template to the Developers group.

You must grant permission on a certificate template to a user, computer, global group, or universal group. To allow users to obtain the certificate automatically, you need to enable autoenrollment. Autoenrollment requires Autoenroll, Enroll, and Read permissions.

You should not create a domain local group and grant permissions to it. You cannot grant permissions on a certificate template to a domain local group because certificate templates are stored in the Configuration container.

You should not grant only Autoenroll and Read permissions. You must also grant the Enroll permission for user to be able to enroll for the certificate.






______________________________________________________________________________________________________________________________________________

Your company's network consists of a forest root domain and three child domains. All servers in the forest have been upgraded to Microsoft Windows Server 2008. Each domain maintains a minimum of three domain controllers.

You discover that a domain controller holding the role of PDC Emulator in one of the child domains has failed and cannot be brought back online.

What should you do?

1. From another domain controller in the same domain, run the Active Directory Users and Computers MMC snap-in to transfer the role to another domain controller.

2. Use the NTDSUTIL command-line utility to seize the role of PDC Emulator. <Correct>

3. From another domain controller in the contoso.com domain, run the Active Directory Domains and Trusts mmc snap-in to transfer the role to another domain controller.

4. Use dcpromo to create a new domain controller. Run a restore from the latest backup of the failed server to update the new domain controller. Then place the new PDC emulator online.

5. Install AD DS on a member server. Run dcpromo to create a new domain controller. Run a restore from the latest backup of the failed server to update the new domain controller. Then place the new PDC emulator online.

Explanation :The PDC Emulator role can be seized from a failed domain controller using either the Active Directory Users and Computers MMC snap-in or the NTDSUTIL command-line utility. If a server has failed and you cannot bring it back online, any Flexible Single Master Operation (FSMO) roles the failed server was assigned can be seized. You should only seize a role if the current operations master will not be available again.

You should not transfer the role to another domain controller. Although it is recommended that you transfer a role, you can only transfer a role between domain controllers if both of them are online. Since the scenario states that the domain controller has failed and can not be brought back online, transferring the PDC Emulator role to another domain controller is not possible.

You should not create another domain controller and run a restore from the latest backup of the failed server. This solution will create duplicate computer SIDs on the network, among other things, when the old PDC Emulator is brought back online.

You should not perform the operation in the contoso.com domain. Each domain has its own PDC Emulator. Therefore, you must perform the operation in the domain that hosts the failed PDC Emulator.



References :Configuring Operations Master RolesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/7a585c8a-95af-43aa-bb96-d0e620118a161033.mspx?mfr=true

Transfer operations master rolesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/5da4f9f2-7f90-417a-9d11-5ee1db75bfb61033.mspx?mfr=true

Transfer the PDC emulator roleMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/c3a082ac-d855-48ba-a3d9-3b3a945cd7261033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain.

Your company has decided that specific users on the network require certificates. You have configured two Certificate Authorities.

You need to issue user certificates to these users through Web-based enrollment. However, you want to ensure that the users can only request User certificates.

What should you do?

1. Open the Active Directory Sites and Services snap-in. Grant users the Auto-enroll permission on the User template and deny the Enroll permission on all other templates.

2. Open the Certificate Authority snap-in. Deny users the Enroll permission on all templates except the User template.

3. Open the Certificate Authority snap-in. Grant users Enroll permission on the User template and deny the Enroll permission on all other templates.

4. Open the Active Directory Sites and Services snap-in. Grant users Read and Enroll permission on the User template and deny the Enroll permission on all other templates. <Correct>

Explanation :You should use the Active Directory Sites and Services snap-in to configure permissions on certificate templates. By granting users Read and Enroll permission on the User template, they will be able to manually request a user certificate. By denying Enroll permission on all other templates, you will prevent users from being able to enroll for any other types of certificates. To restrict which templates certain users can use, set permissions for those users in the Active Directory Sites and Services snap-in.

You should not open the Certificate Authority snap-in. The Certificate Authority snap-in is used to manage and configure a Certificate Authority. It cannot be used to configure permissions on certificate templates.

You should not grant users the Auto-enroll permission. The scenario does not indicate that auto-enrollment is being used. Users will be submitting requests manually through Web-based enrollment, which means that they require the Read and Enroll permission only.

You should not grant users Enroll permission on the User template and deny the Enroll permission on all other templates. To manually request a certificate based on a certificate template, users must be assigned both the Read and Enroll permission on the certificate template.



References :Issuing Certificates Based on Certificate TemplatesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/1ddf06ed-615d-4e24-ba43-468fb0da6c131033.mspx?mfr=true

Manage CertificatesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/6f574ad3-c4e6-431c-b668-448e9111253b1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008.

You are planning to deploy Microsoft Office 2007 to members of the Sales department using the Software Installation policy.

You need to disable certain menu commands. Users must not be able to enable them.

What should you do?

1. Deploy the customizations using the Office 2007 Administrative Templates and Group Policy. <Correct>

2. Use the Office Customization Tool to create a Setup Customization (.msp) file. Add it to the Software Installation package.

3. Create a Custom.xml file and add it to the Software Installation package.

4. Use the Office Customization Tool to create a transform (.mst) file. Add it to the Software Installation package.

Explanation :You should deploy the customizations using the Office 2007 Administrative Templates and Group Policy. The Office 2007 Administrative Templates allow you to configure customizations and deploy them through Group Policy. Because they are policies, users cannot override the settings.

You should not use the Office Customization Tool to create a Setup Customization (.msp) file and add it to the Software Installation package. You cannot add an .msp file to the Software Installation package. If you want to customize an installation using an .msp file, you need to deploy Office in some other way, such as by creating a Startup script that launches installation. Also, users can modify customizations applied using an .msp file.

You should not create a Custom.xml file and add it to the Software Installation package. When you add a Custom.xml file to the Software Installation package, only a subset of the options defined in it are read. These include the ability to specify which features are installed, but not which menu items are enabled.

You should not use the Office Customization Tool to create a transform (.mst) file and add it to the Software Installation package. You can use a transform file to install support for different languages. You cannot use a transform file to disable menu items.



References :Group Policy Overview (2007 Office)Microsoft TechNetLink: http://technet2.microsoft.com/Office/en-us/library/c8cec707-2afa-4964-b0f8-611e4709bd791033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company's network consists of a Windows Server 2008 server and 200 Windows Vista client computers. You have configured auditing to keep track of Active Directory Domain Services (AD DS) activities. You are now implementing AD DS change auditing to be able to audit changes made to the objects in AD DS.

You want to audit the per user events such as file access, logon attempts, and system shutdown without enabling unnecessary audit policies.

Which type of control should you use to implement the AD DS change auditing feature?

1. Discretionary access control list (DACL)

2. Global audit policy

3. Schema

4. System access control list (SACL) <Correct>

Explanation :You should implement SACL to audit per user events such as file access, logon attempts, and system shutdown. In Windows Server 2008, you can implement the new auditing features by using the following three controls:

* Global audit policy * System access control list (SACL) * Schema

SACL was used in Windows Server 2003 and is still considered to be the ultimate authority to determine whether an access check must be audited or not. SACL controls the generation of audit messages for the attempts made to access an object.

You should not implement a global audit policy. When you enable the global audit policy, all directory service policy subcategories are enabled. In this scenario, you only are required to audit Directory changes. You can use Auditpol.exe to set subcategories to be audited. You can set the global audit policy in the Default Domain Controllers Group Policy under the following folder:Windows Settings\Security Settings\Local Policies\Audit Policy

In Windows Server 2008, the global audit policy is not enabled by default. Although the Directory Service Access subcategory is enabled by default for auditing success events, all the other subcategories are not enabled by default.

You should not implement a Schema control because the purpose of a schema control in auditing is to avoid an excessive number of events generated. You can specify an additional control in the schema that you can use to create exceptions to what is to be audited.

You should not implement a DACL. DACL is a part of an object's security descriptor that grants or denies access to an object by specific users and groups.



References :Windows Server 2008 Auditing AD DS Changes Step-by-Step GuideWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with two domain controllers running Windows Server 2003. Your company uses the SYSVOL folder to store roaming user profiles. You are installing a new Windows Server 2008 domain controller.

You need to enable your network to take advantage of the performance improvements provided by Distributed File System (DFS) Replication. You want the new domain controller to automatically use DFS Replication.

What should you do?



* Upgrade the existing domain controllers to Windows Server 2008. * Raise the domain functional level to Windows Server 2008. * Run dcpromo on the new domain controller.

Windows Server 2008 can use DFS Replication to replicate the SYSVOL folder between domain controllers, but only if all domain controllers are running Windows Server 2008 and the domain is at the Windows Server 2008 functional level.

You should not create a DFS namespace. There is no need to create a DFS namespace to use DFS replication for the SYSVOL folder. You would create a DFS namespace if you needed to make other folders available through DFS.

You should not create a site or a subnet. There is only one physical site. Therefore, intrasite replication is used to replicate data from one site to another. Sites and subnets are used to define intersite replication.



Distributed File SystemWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/1f0d326d-35af-4193-bda3-0d1688f90ea71033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of two Active Directory domains in a single Active Directory forest. All servers on the network are running Windows Server 2008. The company's head office is situated in Mexico. You create an Active Directory site, named Mexico, for the head office. This site supports 400 users and two domain controllers, DC1 and DC2. You configure DC1 as a global catalog server.

The company opens two new branch offices in California. You create Active Directory sites, named California1 and California2, for the new branch offices. The California1 site is connected to the Mexico site by using a high-speed WAN link. The California2 site is connected to the Mexico site by using a slow-speed 56 kbps connection. The California1 site has 300 users and the California2 site has 50 users.

You are required to provide a solution for both sites to ensure that users at these sites can successfully log on to the domain even if the WAN link or the 56 kbps connection fails.


1. Install RODC along with the global catalog at the California2 site.

2. Install only an RODC at the California1 site.

3. Install a global catalog server at the California1 site. <Correct>

4. Install only an RODC at the California2 site. <Correct>

Explanation :You should install only a read-only domain controller (RODC) at the California2 site and a global catalog server at the California1 site to ensure that users at these sites can successfully log on to the domain even if the WAN link or the 56 kbps connection fails. Installing only an RODC at the California2 site is required because an RODC provides the universal group membership caching feature that caches users' information locally. This ensures that even if the 56 kbps connection fails or is running slowly, users in the branch office will be provided with domain access.

Universal group membership caching is best when used in sites that do not contain a global catalog server, contain less than 100 users, and are a single replication hop from a global catalog server. The cache is available for users authenticating to the domain controller, eliminating the need to access the global catalog server during authentication.

You should also install a global catalog server at the California1 site. The number of users at the California1 site is more than 100. Moreover, this site is connected to the Mexico site by using a high-speed WAN link. Therefore, you can install a global catalog server at this site. Global catalog servers are used to support logons locally if the WAN link is not available.

You should not install only an RODC at the California1 site. Because the number of users in the California1 site is more than 100, it is recommended that you install a global catalog server. RODC alone cannot meet the authentication needs of 300 users, you require global catalog for it.

You should not install an RODC along with the global catalog at the California2 site. Because the number of users in the California2 site is less than 100, it is recommended to install only an RODC.



References :Planning Global Catalog Server PlacementMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/0e4d2466-68e8-40d8-8c72-099f8bc259ff1033.mspx?mfr=true

Step-by-Step Guide for Read-only Domain ControllersMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

Global catalogs and sitesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/0e74916d-28d7-4cdd-8dce-89c824622fcd1033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

A server named DC1 runs Windows Server 2008 and is configured as a domain controller. A server named DNS1 runs Windows Server 2003 and is configured as a Domain Name System (DNS) server. The network consist of 5000 Windows Vista client computers installed in different locations.

You want to use the Background zone loading feature to ensure that the DNS server loads zone data in the background while it restarts so that the DNS server is available to service client requests.

What should you do?

1. Upgrade DNS1 to Windows Server 2008 and create an Active Directory-integrated zone. <Correct>

2. Create a new standard primary zone on DC1.

3. Create a new Active Directory-integrated zone on DNS1.

4. Create a new stub zone on DNS1.

Explanation :You should upgrade DNS1 to Windows Server 2008 and create an Active Directory-integrated zone. The background zone loading feature eliminates the problem of DNS server unavailability when the server needs to be restarted. In earlier versions of Windows Server, restarting the DNS server took a lot of time. However, a DNS server running Windows Server 2008 loads the DNS server zone data from AD DS in the background while the DNS server restarts. This enables the server to respond to client requests by requesting zone data from other available zones. Therefore, it eliminates the unavailability of the DNS server when it needs to be restarted.

You should not create a new Active Directory-integrated zone on DNS1. The background zone loading is a feature of Windows Server 2008. DNS1 runs Windows Server 2003.

You should not create a new standard primary zone on DC1. The background zone loading feature requires an Active Directory-integrated zone on a server running Windows Server 2008. A standard primary zone stores the DNS zone information in a .dns text file instead of in Active Directory.

You should not create a new stub zone on DNS1. The background zone loading is a feature of Windows Server 2008 and requires an Active Directory-integrated zone. A stub zone contains only resource records that identify the authoritative DNS servers for that zone. A stub zone is generally used to resolve the host names between separate DNS namespaces.






______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. Your company is based in the United States but is opening a new location in Germany. Administrators there will manage Group Policy for the organizational units (OUs) that store user and computer accounts for the German office. There are 20 administrators in the United States and 10 administrators in the German office.

Your company uses several custom administrative templates. Administrators in Germany need to access localized versions of the administrative templates when loading the Group Policy Management Console.

You need to make the necessary preparations for localizing the administrative templates. Your solution should ensure that there is only one version of the administrative template in use on the network.


1. Create the following folder on each administrator's workstation:%systemroot%\PolicyDefinitions

2. Create the following folder on each administrator's workstation in Germany:%systemroot%\PolicyDefinitions\DE-DE

3. Create the following folder on a domain controller:%systemroot%\sysvol\domain\policies\PolicyDefinitions\EN-US

<Correct>

4. Create the following folder on each administrator's workstation in the United States:%systemroot%\PolicyDefinitions\EN-US

5. Create the following folder on a domain controller:%systemroot%\sysvol\domain\policies\PolicyDefinitions

<Correct>

6. Create the following folder on a domain controller:%systemroot%\sysvol\domain\policies\PolicyDefinitions\DE-DE

<Correct>

Explanation :You should create the following folders on a domain controller:

%systemroot%\sysvol\domain\policies\PolicyDefinitions%systemroot%\sysvol\domain\policies\PolicyDefinitions\DE-DE%systemroot%\sysvol\domain\policies\PolicyDefinitions\EN-US

Windows Server 2008 supports localized Administrative Template using ADMX files stored in the central store. You must create the central store by creating a PolicyDefinitions folder in SYSVOL and subfolders for each language you must support. Language neutral files are stored in the PolicyDefinitions folder. Language-specific resources are stored in the subfolders. The language identifier for Germany is DE-DE, and the language identifier for the United States is EN-US.

You should not create the folders on the administrative workstations. The Central Store allows you to centralize management of the ADMX files and ensure that there is only one version of the files in use on the network.



References :ADMX Technology ReviewWindow Vista Tech CenterLink: http://technet2.microsoft.com/WindowsVista/en/library/ef346453-eee8-4abe-ba6c-2160fee3be461033.mspx?mfr=true

Managing Group Policy ADMX Files Step-by-Step GuideMicrosoft DownloadsLink: http://go.microsoft.com/fwlink/?LinkId=55414

Inside ADM and ADMX Templates for Group PolicyMicrosoft TechNetLink: http://technet.microsoft.com/en-us/magazine/cc137719.aspx



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with three sites: Chicago, New York, and Atlanta. Your company is planning to migrate to smart card authentication. You are planning a Public Key Infrastructure (PKI) that must meet the following requirements:

* Smart cards must be issued at each site even if the connection between sites is unavailable. * The root certificate authority (CA) must be stored offline.

You need to identify the CAs that you need to install.

Which of the following will you include in your plan? (Each correct answer presents part of the solution. Choose two.)

1. Three enterprise subordinate CAs <Correct>

2. An enterprise root CA

3. Three enterprise root CAs

4. Three standalone subordinate CAs

5. A standalone root CA <Correct>

Explanation :Your plan should include one standalone root CA. A root CA issues certificates to subordinate (issuing) CAs. Because you need to be able to store the CA offline, you need to install it as a standalone CA.

You should also include three enterprise subordinate CAs. These will be the issuing CAs at each office. You can only issue smart card certificates from an enterprise CA.

Your plan should not include an enterprise root CA. You cannot take an enterprise CA offline.

Your plan should not include three enterprise root CAs. A PKI hierarchy should have one root CA and any number of subordinate CAs.

Your plan should not include three standalone subordinate CAs. You cannot issue smart card certificates from a standalone CA.



References :Active Directory Certificate Services Longhorn Beta3 Certificate Templates WhitepaperMicrosoft DownloadsLink: http://www.microsoft.com/downloads/details.aspx?FamilyID=3c670732-c971-4c65-be9c-c0ebc3749e24&displaylang=en

Defining CA Types and RolesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/1b28424c-8c62-44b6-a24f-8ea06ac5832b1033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory forest. The network contains an Active Directory Federation Services (AD FS) server. The AD FS server allows users from a partner organization to access a Web application on your network.

You install the Federation Service Proxy on a server named ADFSProxy that is running Windows Server 2008. ADFSProxy is used to forward credentials of users and Web applications to the Federation Services server on their behalf.

You need to configure backup on ADFSProxy to preserve a snapshot of AD FS state so that you can recover the Federation Service Proxy component on ADFSProxy in the event of a system failure.

You must be able to recover the Federation Service Proxy component.

Which files and components should you back up to ensure that you can recover? (Each correct answer presents part of the solution. Choose two.)

1. TrustPolicy.xml

2. Internet Information Services (IIS) metabase files

3. Web.config and other files under the %systemdrive%\ADFS\ folder <Correct>

4. System state data <Correct>

5. Custom transform module (.dll) and related files

Explanation :You should back up Web.config and other files under the %systemdrive%\ADFS\ folder, and the system state data on ADFSProxy. Backing up ADFS components is critical for ensuring a recovery option in the event of system failure. ADFS state is maintained in the following places:

* TrustPolicy.xml file. The default location is %systemdrive%\adfs\sts. * Web.config and other files under %systemdrive%\ADFS\..., especially any customized Web pages (%systemdrive%\ADFS\sts\ls). * IIS metabase files (MetaBase.xml and MBSchema.xml) in %systemroot%\System32\Inetsrv (included in system state backup). * Windows registry (included in system state backup). * Custom transform module (.dll) or files related to the custom transform module.

You should not back up the TrustPolicy.xml file, custom transform module (.dll), and related files on ADFSProxy. These files are used by the Federation Service ADFS component. By backing up these files, you will be able to recover the Federation Service component on an AD FS server. Backing up the TrustPolicy.xml file, custom transform module (.dll) and related files on ADFSProxy will not enable you to recover the Federation Service Proxy component in the event of a system failure.

You should not back up IIS metabase files on ADFSProxy. These files contain the ADFS settings for a Windows NT token-based application. Therefore, backing up IIS metabase files on ADFSProxy will not enable you to recover the Federation Service Proxy component in the event of system failure.



References :Active Directory Federation Services OverviewWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d31033.mspx?mfr=true

Backing Up ADFS ComponentsMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/58184a0c-730f-473f-83ca-d9b95c77b7261033.mspx?mfr=true

Back up ADFS components on a federation server, federation server proxy, or Web serverMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/dab10248-ac17-4156-aa62-f01aefc757d91033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company's network is configured as two Active Directory domains with six sites. User accounts and computer accounts at each site are stored in a site-specific organizational unit (OU) in each domain. Administrators at each site have been delegated permission to manage Group Policy objects (GPOs) on the OU associated with their own site.

Some company-wide settings must be implemented across all client computers, including the wallpaper, screen saver, and restricted groups.

You need to provide site administrators with the settings that are defined for all client computers. Your solution should minimize the number of GPOs applied on each OU and minimize the administrative effort.

What should you do?

1. Create an ADMX file and distribute it to the site administrators.

2. Create an ADM file and distribute it to the site administrators.

3. Create a security policy and distribute it to the site administrators.

4. Create a starter GPO and distribute it to the site administrators. <Correct>

Explanation :You should create a starter GPO and distribute it to the site administrators. A starter GPO is a special type of GPO you can import when creating a new GPO. Starter GPOs can help minimize the number of GPOs you need to link to a container, while minimizing the effort required to create GPOs that contain a subset of the same settings.

You should not create a security policy and distribute it to the site administrators. Although you can import a security policy to a GPO, it can only contain settings located in Computer Configuration | Security Settings. It cannot define other settings such as wallpaper or screensavers.

You should not create an ADMX file or an ADM file. These files are Administrative Template files and do not contain the values for settings, only the names of the settings and the registry keys where they are stored.



Group PolicyWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/3b4568bc-9d3c-4477-807d-2ea149ff06491033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain. Your company uses Encrypting File system (EFS) to protect confidential files. The company wants to control issuing EFS certificates from a Public Key Infrastructure (PKI). The solution must meet the following requirements:

* Losing a private key should not result in data loss. * Two employees should be allowed to recover a private key.

You need to configure the Certification Authority (CA) to meet the requirements.

What should you do?


Explanation :You must perform the following steps:

* Issue Recovery Agent certificates. * Add Recovery Agents to the CA. * Restart the CA.

To meet the requirements, you must enable key archival. Key archival creates an archive of the private keys, allowing them to be recovered if the original copy is lost. Key archival must be implemented on the CA and on the certificates for which key archival is required. In this scenario, that is the Basic EFS certificates. To implement key archival on the CA, you must first identify the users who will be responsible for recovering lost keys and enroll them for Recovery Agent certificates. Next you must configure the CA by enabling key archival and adding the Recovery Agent certificates. Finally, you must restart the CA. When the CA is restarted, the certificates for the Recovery Agents are verified.

You do not need to add the recovery agents to the Backup Operators group. The Backup Operators group is allowed to back up and restore the CA. They are not given permission to recover keys.

You do not need to add the recovery agents to the CA Administrator group. Members of the CA Administrator group can add recovery agents and perform a number of other tasks. However, they cannot retrieve public keys from the archive.



References :Implement Role-Based AdministrationWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/c651f8cf-5c84-42c0-9a61-37e0000e69891033.mspx?mfr=true

Managing Key Archival and RecoveryWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/51842149-feee-43d7-8813-38a64d1f4caa1033.mspx?mfr=true

Enable Key Archival for a CAWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/07a53b9e-c593-4264-8126-508e743dc155103

3.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office named Branch1. Each office has its own Active Directory domain. The domains are named wondersports.com and branch1.wondersports.com.

The Domain Name System (DNS) zone information in each office is stored in Active Directory-integrated zones for internal name resolution. The company's network consists of three servers running Windows Server 2008. The network consists of 2,000 Windows Vista computers installed in various departments.

The company is closing its branch office. You want to delete the DNS zone for the branch office from the DNS server named DNS2. You want to ensure that the zone is deleted from Active Directory.

Which command should you run?

1. Dnscmd /zonedelete branch1.wondersports.com

2. Dnscmd DNS2 /zonedelete branch1.wondersports.com /dsdel <Correct>

3. Dnscmd /zonedelete

4. Dnscmd DNS2 /zonedelete branch1.wondersports.com

Explanation :You should run the Dnscmd DNS2 /zonedelete branch1.wondersports.com /dsdel command. You can use either the DNS snap-in or the Dnscmd.exe command-line utility to delete a zone. You can use the Dnscmd utility to display and change the properties of DNS servers, zones, and resource records. You can use the /zonedelete parameter in the Dnscmd command to specify the name of the DNS zone that you want to delete.

You should not run the Dnscmd DNS2 /zonedelete branch1.wondersports.com command. This command will only delete the branch1.wondersports.com zone. It will not ensure that the zone is deleted from Active Directory. To delete the zone from Active Directory, you should include the /dsdel parameter in your command.

You should not run the Dnscmd /zonedelete branch1.wondersports.com command. To delete a zone from a command line, you can use the Dnscmd ServerName /zonedelete ZoneName [/dsdel] [/f] command. The ServerName and ZoneName values are required in this command. The /f parameter is used to execute the command without asking for confirmation.

You should not run the Dnscmd /zonedelete command. The /zonedelete parameter is used to delete a root zone from the DNS server. Deleting the root zone is required when you want to configure DNS forwarding. A Windows Server 2008 DNS server contains the root zone by default. Therefore, the DNS forwarding option is disabled, and the DNS server cannot act as a forwarder. To configure DNS forwarding, you should delete the root zone, and then enable DNS forwarding on the DNS server. This feature forwards DNS requests to external DNS servers for name resolution.




Dnscmd SyntaxMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx?mfr=true

Dnscmd ExamplesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/ed0e4eeb-34a5-420e-aa6a-961ae5fa0f291033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your network is configured as a single Active Directory domain. All of your domain controllers run Microsoft Windows Server 2008.

Several objects were accidentally deleted from Active Directory Domain Services (AD DS). You need to recover these objects as quickly as possible.


1. Restore critical data from the Windows Backup utility.

2. Take all domain controllers offline.

3. Run a non-authoritative Active Directory restore. <Correct>

4. Run an authoritative Active Directory restore.

Explanation :You should run a non-authoritative Active Directory restore. You must run a non-authoritative restore before you run an authoritative restore. To run a non-authoritative restore, restart in Directory Services Restore Mode (DSRM) and restore from backup.

After you complete the non-authoritative restore, you should then run an authoritative restore. To do this, restart in DSRM, use Ntdsutil to mark the objects as authoritative, and then restart the domain controller in normal mode.

You should not start by restoring critical data from the Windows Backup utility. You must run the restore operation from DSRM.

There is no reason to take all domain controllers offline. This is not necessary and would interfere with network operations.



References :Scenario Overviews for Backing Up and Recovering AD DSMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/b59e3760-880d-47b9-9af0-6cb64dd74efd1033.mspx?mfr=true

Performing a Nonauthoritative Restore of AD DSMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/510b106b-e7fb-42a5-bcb2-0c3278a5d73e1033.mspx?mfr=true

Performing an Authoritative Restore of Deleted AD DS ObjectsMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/f4e9ee21-ee35-4650-acca-798555c0c32c1033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with four sites. All of the domain controllers are running Windows Server 2008. Some client computers are running Windows XP Professional with Service Pack 2. Others are running Windows Vista.

You need to configure portable computers with a default printer based on the site in which the users are logging on.

What should you do?

1. Define preference settings in a Group Policy object (GPO) linked to each site. <Correct>

2. Define preference settings in a local Group Policy object (GPO) installed on each portable computer.

3. Define policy settings in a Group Policy object (GPO) linked to each site.

4. Create an organizational unit (OU) for the portable computers. Define policy settings in a Group Policy object (GPO) linked to the OU.

Explanation :You should define preference settings in a GPO linked to each site. You can use preferences to configure printers and set a default printer for clients running Windows XP Professional with Service Pack 2 and clients running Windows Vista. You can target preferences based on a number of attributes, including whether the computer is a portable computer. You should create a GPO for each site with the settings appropriate to that site. The GPO preferences will be applied when the user connects to the site.

You should not define policy settings in a GPO linked to each site. Although you can define a default printer for Windows Vista clients using policy settings, you cannot define a default printer for Windows XP Professional clients using policy settings.

You should not create an OU for the portable computers and define policy settings in a GPO linked to the OU. A policy linked to an OU will not be changed when the user logs on at a different site.

You should not define preference settings in a local GPO installed on each portable computer. You can define policy settings in a local GPO, but you cannot define preference settings in a local GPO.



Group Policy Preferences OverviewMicrosoft DownloadsLink: http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en



______________________________________________________________________________________________________________________________________________

Your network is configured as a Microsoft Windows Server 2008 Active Directory domain.

You need to configure detailed audit policies to monitor directory service changes and directory service replication. These are the only policy subcategories that you want to enable. You need to enable the appropriate audit policy.


1. Repadmin.exe

2. GPedit.msc

3. Perfmon.exe

4. Auditpol.exe<Correct>

Explanation :You should use Auditpol.exe. Windows Server 2008 Active Directory audit policy supports the following four subcategories:

* Directory Service Access * Directory Service Changes * Directory Service Replication * Detailed Directory Service Replication

If you want to view, edit, and manage policy for individual subcategories, you must use Auditpol. It is currently the only utility available for that purpose. Auditpol lets you enable or disable subcategories and view and set policies. Audit events are written to the Windows Security Event Log.

You should not use GPedit.msc. This is the Group Policy Microsoft Management Console (MMC) snap-in. You can use it to enable auditing, but it can only enable or disable all categories at once. When auditing is enabled, it configures auditing for success events for all audit policies.

You should not use Repadmin.exe. Repadmin is not related to audit policy, though it is related to replication. It is used to monitor and troubleshoot Active Directory replication.

You should not use Perfmon.exe. Perfmon is the performance monitor. You could use Perfmon to view performance counters related to directory services, but not to configure auditing.



References :AD DS: AuditingMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/ad35ab51-2e85-41e9-91f7-ccedf2fc98241033.mspx?mfr=true

AuditpolMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/a02cfb9d-732f-4e77-aeba-f18265daa3af1033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company, Stay and Sleep, has merged with BCD Train. A wide area network (WAN) link has been established between the two companies. Your company's network has a domain controller named DC1, which is configured as a Domain Name System (DNS) server with a single Active Directory-Integrated zone. Another DNS server named DNS-Ext is located on the perimeter network and is configured to resolve all requests for Internet servers. BCD Train has a DNS server named BCD-DNS.

You need to ensure that requests for computers in the bcdtrain.com domain are resolved by BCD-DNS.

What should you do?

1. On DC1, add BCD-DNS to root hints.

2. On DNS-Ext, configure DC1 as a forwarder for the bcdtrain.com domain.

3. On DC1, configure BCD-DNS as a forwarder for the bcdtrain.com domain. <Correct>

4. On DNS-Ext, create a stub zone for bcdtrain.com.

Explanation :On DC1, you should configure BCD-DNS as a forwarder for the bcdtrain.com domain. Doing so will implement conditional forwarding. All requests for computers in the bcdtrain.com domain will be forwarded to BCD-DNS and all requests for other external resources will continue to be forwarded to DNS-Ext.

You should not configure DC1 as a forwarder for the bdctrain.com domain. If you enable DC1 as a forwarder for the bcdtrain.com domain, all requests for bcdtrain.com will be forwarded to DC1. DC1 resolves requests for stayandsleep.com, not for bcdtrain.com.

You should not create a stub zone for bcdtrain.com on DNS-Ext. A stub zone contains name server records and is typically used to keep a parent DNS server up to date with information about DNS servers for child zones.

You should not add BCD-DNS to root hints on DC1. Root hints are used as a last resort for resolving names. However, they cannot be mapped to a specific domain. If you added BCD-DNS to root hints on DC1, requests for resources in the bcdtrain.com domain would first be sent to DNS-Ext. If DNS-Ext could not resolve the request, a server in root hints would be tried, but not necessarily BCD-DNS. Also, requests for other resources that could not be resolved by DNS-Ext might also be sent to BCD-DNS.



References :Understanding ForwardersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/52ec32f6-5eda-4d6a-8e38-809fee243b711033.mspx


Configure a DNS Server to Use ForwardersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e324865f-1cbe-42ec-bf18-a220c0e26fe6103

3.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company has two divisions: eu.stayandsleep.com and na.stayandsleep.com. They are implemented as two separate Active Directory forests.

You are configuring the DNS server in na.stayandsleep.com.

You need to ensure that requests from users in na.stayandsleep.com for resources in eu.stayandsleep.com are resolved by a DNS server in eu.stayandsleep.com.

What should you do?

1. Execute dnscmd /ZoneResetMasters.

2. Execute dnscmd /ZoneAdd. <Correct>

3. Execute dnscmd /RecordAdd.

4. Execute dnscmd /ResetForwarders.

Explanation :You should execute the dnscmd /ZoneAdd command. The /ZoneAdd option is used to add a zone that should be handled using conditional forwarding. You specify eu.stayandsleep.com as the zone and list the IP addresses of the DNS servers that should act as forwarders.

You should not execute the dnscmd /ResetForwarders command. This option is used to configure default forwarders, not conditional forwarders.

You should not execute the dnscmd /ZoneResetMasters command. This option is used to change the IP address for a zone you have already added using /ZoneAdd.

You should not execute the dnscmd /RecordAdd command. This option is used to add a record to a DNS zone.



References :Understanding ForwardersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/WindowsServer2008/en/library/52ec32f6-5eda-4d6a-8e38-809fee243b711033.mspx


Configure a DNS Server to Use ForwardersWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/e324865f-1cbe-42ec-bf18-a220c0e26fe61033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You deployed a new computer running Microsoft Windows Server 2008 in a remote office. You configured the server to support the Active Directory Directory Services (AD DS) role, as well as additional support services.

The computer has been running for approximately two weeks in the current configuration. You need to determine whether or not the computer can be trusted as reliable in its current configuration.

What should you do?

1. Run Dsmgmt.exe.

2. Create a Data Collector Set.

3. Launch the Reliability Monitor. <Correct>

4. Run Dcdiag.exe.

Explanation :You should run the Reliability Monitor. Reliability Monitor is part of the Windows Server 2008 Performance and Reliability Monitor. To use Reliability Monitor, the computer must have been running for at least 24 hours and the RACAgent scheduled task must be running on the computer. This task runs by default on a new installation. The Reliability Monitor will display a System Stability Chart that reports any reliability issues.

You should not create a Data Collector Set. This is also a feature of Performance and Reliability Monitor, but it is used to identify the performance counters used to generate a performance log. It can be used for performance analysis and diagnostics, but not reliability.

You should not run Dsmgmt.exe or Dcdiag.exe. These are both Active Directory-specific utilities, rather than utilities for the system as a whole. Dcdiag can be used to test domain controller functionality, but beyond that, it does not provide any relevant information. Dsmgmt is used to manage Active Directory Lightweight Directory Services (AD LDS) application partitions.



References :Windows Server 2008 Performance and Reliability Monitoring Step-by-Step GuideMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/7e17a3be-f24e-4fdd-9e38-a88e2c8fb4d81033.mspx?mfr=true

Windows Reliability and Performance MonitorMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/ec5b5e7b-5d5c-4d04-98ad-55d9a09677101033.mspx?mfr=true

What Is Windows Reliability and Performance Monitor?Course 6042



______________________________________________________________________________________________________________________________________________

Your company's main office network consists of two Windows Server 2008 writable domain controllers for two domains. The company opens two branch offices. You decide to set up read-only domain controllers (RODC) in both the branch offices. Each RODC will be joined to a separate existing domain.

You install one RODC in each branch office site. You want to configure the RODC deployment to ensure that the accounts that are permitted are cached on the RODCs and the accounts that are denied are not cached.

What should you do?

1. Install the global catalog on all the writable domain controllers.

2. Configure the Password Replication Policy on both of the RODCs.

3. Configure the Password Replication Policy on the writable domain controller for each RODC. <Correct>

4. Install the global catalog on both the RODCs.

Explanation :You should configure the Password Replication Policy on the writable domain controller for each RODC to ensure that the accounts that are permitted are cached on the RODCs and the accounts that are denied are not cached. After deploying the RODC, you must configure the Password Replication Policy on its respective writable domain controller. The Password Replication Policy determines whether the RODC should cache a password or not. If the Password Replication Policy specifies that the user account password should be cached, the RODC caches the password. This allows the same user to perform future logons more efficiently. You can also use the Password Replication Policy to define a list of user accounts whose password should not be cached on the RODC.

You should not install the global catalog on both of the RODCs. Installing the global catalog will not allow the RODCs to cache the permitted user accounts. The global catalog will provide all domain accounts to both the RODCs locally. However, to meet the requirement, you should configure the Password Replication Policy on the writable domain controller for each RODC to ensure that the accounts that are permitted are cached on the RODCs and the accounts that are denied are not cached.

You should not install the global catalog on all the writable domain controllers. The two domain controllers in the main office are the only domain controllers for two individual domains. These domain controllers must already be running the global catalog. Therefore, there is no need to install the global catalog on the writable domain controllers.

You should not configure the Password Replication Policy on both of the RODCs. The Password Replication Policy is configured on the writable domain controller that will replicate with the RODC. The universal group membership caching feature is enabled by default for a site on the RODC. Universal group membership caching ensures that user account information for users in the branch office is stored locally on the RODC. This ensures that user can log on if there is low bandwidth or a broken WAN link between the branch and main offices.



References :Global catalogs and sitesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/0e74916d-28d7-4cdd-8dce-89c824622fcd1033.mspx?mfr=true

Step-by-Step Guide for Read-only Domain Controllers

Windows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

You have deployed Windows Server 2008 on all servers in the organization. You perform regular full backups of your servers. A Windows Server 2008 server failed last night due to hardware problems.

You need to recover system state data from the backups. Your organization requires that only critical volumes should be recovered. You have booted the computer in the Windows Recovery Environment.


1. Wbadmin start sysrecovery -excludeDisks

2. Wbadmin start sysrecovery <Correct>

3. Wbadmin start sysrecovery -restoreAllVolumes

4. Wbadmin start sysstaterecovery

Explanation :You should run the Wbadmin start sysrecovery command to recover system state data from the backups. The computer is in the Windows Recovery Environment. The Wbadmin start sysrecovery command runs a system recovery based on parameters that you can specify along with the command. You can run this command only from the Windows Recovery Environment.

You should not run the Wbadmin start sysstaterecovery command. The computer is in the Windows Recovery Environment. Therefore, you should use the Wbadmin start sysrecovery command to recover the system state data.

You should not run the Wbadmin start sysrecovery -excludeDisks command. Excluded disks are not partitioned or formatted. This parameter helps preserve data on disks that you do not want modified during the recovery. Additionally, this -excludeDisks parameter is valid only if the -recreateDisks parameter is used.

You should not run the Wbadmin start sysrecovery -restoreAllVolumes command. The -restoreAllVolumes parameter will restore all volumes from the selected backup. As mentioned in the scenario, you only need to recover critical volumes.



References :Wbadmin start sysrecoveryMicrosoft TechNetLink: http://technet2.microsoft.com/WindowsServer2008/en/library/95b8232f-7c42-452b-838e-15b0cf6faebe1033.mspx




______________________________________________________________________________________________________________________________________________

Your company network consists of a single Active Directory domain. Domain controllers have been upgraded to Microsoft Windows Server 2008.

You have created two Active Directory sites. Each site contains two domain controllers. The sites are connected by an IP site link. You have configured one domain controller in each site as a global catalog server.

To meet increased demands, you purchase two additional servers and configure them as Windows Server 2008 domain controllers in the existing company domain. Both servers are equipped with more powerful hardware than the other domain controllers and each one has built-in fault tolerant hardware. One new domain controller is placed in each site.

You want to improve and optimize replication performance between the sites.

What should you do?

1. Create a second IP site link between the two sites. Assign a site link cost of 0 to the new site link.

2. Configure the new domain controllers as read-only domain controllers (RODCs).

3. Configure the new domain controller as bridgehead servers. <Correct>

4. Configure the new domain controllers as global catalog servers.

Explanation :You need to configure the new domain controllers as bridgehead servers. Bridgehead servers are servers in each site that are designated to replicate changes from other sites. By default, the Knowledge Consistency Checker automatically designates bridgehead servers. However, if you want specific domain controllers to be bridgehead servers, you can use the Active Directory Sites and Services mmc to manually assign a bridgehead server.

You should not designate the new domain controllers as global catalog servers. Global catalog servers store attributes pertaining to all objects within the forest. You can query the global catalog using the attributes of an object to determine its location. This is beneficial for clients, because they do not need to go searching for objects in different domains.

You should not configure the new domain controllers as RODCs. An RODC does not facilitate replication between sites. Also, if a domain controller is configured as a RODC, it can not be designated as a bridgehead server. An RODC hosts a read-only copy of the Active Directory database. The RODC is typically deployed in branch office environments.

You should not create a second site link and assign the link a cost of 0. When multiple links exist between sites, you can assign a cost to control which link becomes the preferred link. However, the cost value does not impact which servers are designated as bridgehead servers.



References :Windows Server 2008 Domain Controller Options That Are Not Supported on an RODCWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/2357f050-f9c5-42e6-ab85-3240b52b344a1033.mspx?mfr=true

Designate a preferred bridgehead serverMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/5449da52-613f-48f3-bc87-1a7f5c7ab3401033.ms

px?mfr=true

Setting Site Link PropertiesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/4628cb02-0114-43bf-852e-e9c772f22c611033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

You have installed the Application Server, Dynamic Host Configuration Protocol (DHCP) Server, Domain Name System (DNS) Server, and the File Services role on a server running Windows Server 2008.

Your organization supports applications that require a directory for storing application data. You must install a server role to provide a data store for directory-enabled applications.

What should you do?

1. Install Active Directory Lightweight Directory Services (AD LDS) <Correct>

2. Install Active Directory Rights Management Services (AD RMS)

3. Install Active Directory Certification Services (AD CS)

4. Install Active Directory Federation Services (AD FS)

Explanation :You should install AD LDS to provide a data store for directory-enabled applications. AD LDS provides data storage and recovery support for directory-enabled applications. To install and configure the AD LDS server role, you can use Server Manager.

You should not install AD RMS. AD RMS helps protect sensitive information such as e-mail messages, financial information and other user data. This server role does not provide a data store for directory-enabled programs.

You should not install AD FS. AD FS can be used to authenticate a user or multiple Web applications using a single user account. AD FS is integrated with AD DS, which helps AD FS to retrieve the user attributes from AD DS and authenticate users against AD DS.

You should not install AD CSs. AD CS does not provide any option to be used as a data store for directory-enabled applications. You use AD CS to configure a server as a Certification Authority (CA) as part of a Public Key Infrastructure (PKI).



References :Step-by-Step Guide for Getting Started with Active Directory Lightweight Directory ServicesMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/141900a7-445c-4bd3-9ce3-5ff53d70d10a1033.mspx

How To Manage the AD DS RoleCourse 6043



______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory forest named MedDev.com with several child domains. All domain controllers are running Microsoft Windows Server 2008.

The company has recently taken over another company in Asia. You have created a second domain tree in the forest for the new subsidiary named GoShopInc.com.

Users in sales.us.meddev.com are reporting that it takes a long time to access resources in sales.asia.goshopinc.com. You need to improve authentication for users in sales.us.meddev.com when accessing resources in sales.asia.goshopinc.com.

What should you do?

1. Use the netdom trust command to create a one-way shortcut trust between the two child domains. <Correct>

2. Use the netdom add command to create a two-way shortcut trust between the two child domains.

3. Use Active Directory Domains and Trusts to create a two-way external trust between the two child domains.

4. Use Active Directory Domains and Trusts to create a realm trust between the two child domains.

Explanation :You should use the netdom trust command to create a one-way shortcut trust between the domains. You should create a shortcut trust when you want to shorten the trust path between two child domains within the same forest. There are two types of shortcut trusts: one-way and two-way. If the authentication path needs to be shortened for users in one domain accessing resources in another domain, a one-way trust should be created. The scenario indicates that the trust only needs to go one way. Therefore, you need to create a one-way shortcut trust in which one child domain explicitly trusts the child domain on the other tree.

You should not create a two-way external trust between the two domains. External trusts are created between Windows NT 4.0 domains or domains in another forest. The scenario indicates that all domains are in the same forest.

You should not use the netdom add command to create a two-way shortcut trust. The netdom add command cannot be used to establish trust relationships. Also, you should not create a two-way shortcut trust. The scenario indicates that you only need to shorten authentication going one-way - from sales.us.meddev.com to sales.asia.goshopinc.com.

You should not create a realm trust. A realm trust is used to create a trust with a non-Active Directory domain. In the scenario, all domains are Active Directory domains.



References :Performance Tuning Guidelines for Windows Server 2008Microsoft DownloadsLink: http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Perf-tun-srv.docx

Understanding Trust TypesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/6472046a-30dd-4dc9-92e0-450cebdafc901033.mspx

Understanding Trust DirectionWindows Server 2008 Technical Library

Link: http://technet2.microsoft.com/windowsserver2008/en/library/a43bb3e4-77b3-4b2e-adbd-d154b346781a1033.mspx?mfr=true

Netdom SyntaxMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver/en/library/9f921edc-87f5-460e-89ee-9ca56ec1d0961033.mspx?mfr=true

Understanding When to Create a Forest TrustWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/79feb454-7529-4742-9f39-5d6c0696e6c11033.mspx



______________________________________________________________________________________________________________________________________________

Your organization has a single forest and a single Active Directory domain. You have deployed Windows Server 2008 on all servers in the Active Directory domain.

You have recently installed Active Directory Certificate Services (AD CS) on the computer running Windows Server 2008. You plan to install Active Directory Federation Services (AD FS) to use with AD CS.

You need to ensure that AD FS can provide security tokens to client applications in response to requests for access to the resources. When installing AD FS, which role service should you install?

1. Claims-aware Agent

2. Windows Token-based Agent

3. Federation Service <Correct>

4. Federation Service Proxy

Explanation :You should install the Federation Service to provide security tokens to client applications in response to requests for access to the resources. The Federation Service includes one or more federation servers that share a common trust policy. The Federation Service routes authentication requests from user accounts in other organizations or from clients on the Internet.

You should not use the Claims-aware Agent. The Claims-aware Agent provides federated access control for applications that use the claims directory for authentication.

You should not use the Windows Token-based Agent. The Windows Token-based Agent provides federated access control for Windows applications that use traditional Windows token-based authentication.

You should not use the Federation Service Proxy. The Federation Service Proxy forwards user credentials from browser clients and Web applications to the federation service.



References :Active Directory Federation Services OverviewMicrosoft TechNetLink: http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d31033.mspx




______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with two sites: Los Angeles and New York. All domain controllers are running Windows Server 2008. The organizational unit (OU) hierarchy is shown in the exhibit.

Site administrators at the Los Angeles and New York sites can manage the users, computers, and Group Policy objects (GPOs) linked to their respective OUs.

The company has defined certain policies that must be applied to all computers in the company, regardless of location. The policies cannot be overridden by the site administrators.

You need to configure a GPO to deploy these company-wide policies. Your solution should provide the best possible performance for applying GPOs.

What should you do?

1. Create a GPO and link it to the domain. Select the Enforce option on the GPO link. <Correct>

2. Create a GPO and link it to the Computers and Computers2 OUs. Select the Block Inheritance option on the OUs.

3. Create a GPO and link it to the domain. Select the Block Policy Inheritance option on the domain.

4. Add the settings to the Default Domain Policy. Select the Enforce option on the GPO link.

Explanation :You should create a GPO, link it to the domain, and select the Enforce option on the GPO link. The Enforce option prevents policies applied at lower levels in the hierarchy from overriding the settings in the policy.

You should not create a GPO, link it to the domain, and select the Block Policy Inheritance option on the domain. The Block Inheritance option prevents settings from being inherited from policies applied higher in the hierarchy. If you configure Block Inheritance on the domain, it will prevent any GPOs linked to sites from being applied.

You should not create a GPO, link it to the Computers and Computers2 OUs, and select the Block Inheritance option on the OUs. If you set the Block Inheritance option on Computers and Computers2, you will prevent the GPOs defined at higher levels from being inherited. This does not meet the requirement because the site administrators can modify the policies applied at the Computers and Computers2 OUs and modify the company-wide settings. They could also link another GPO at the Computers and Computers2 OUs and give it precedence.

You should not add the settings to the Default Domain Policy and select the Enforce option. The Default Domain Policy contains a large number of settings, many of which you might not want to enforce. Also, the Enforce option negatively impacts performance and should be used only to enforce settings that should not be overridden.






______________________________________________________________________________________________________________________________________________

Your company's network consists of a single Active Directory domain. The network contains a Server Core installation of Windows Server 2008 on a computer named SrvCore.

You want to create a daily backup schedule for SrvCore. You need to ensure that only volumes that contain system state data are included in the backup.


1. Wbadmin enable backup -allCritical -schedule <Correct>

2. Wbadmin start backup -include

3. Wbadmin start backup -allCritical

4. Wbadmin enable backup -include

5. Wbadmin enable backup -addtarget

Explanation :You can run the Wbadmin enable backup -allCritical -schedule command. Wbadmin.exe is a command-line tool that allows you to perform backup and restore operations on your computer, volume, and files. The Wbadmin enable backup command can be used to create a daily backup schedule or modify an existing backup schedule. When this command is run without any parameters, it displays the currently scheduled backup settings. You can use the -allCritical parameter to ensure that all critical volumes that contain system state data are automatically included in the backup.

You should not run the Wbadmin start backup -allCritical command. This command is used to run a backup by using specified parameters, but it cannot be used to create a backup schedule.

You should not run the Wbadmin enable backup -include command or the Wbadmin start backup -include command. The -include parameter specifies a comma-delimited list of volume drive letters, volume mount points, or GUID-based volume names to include in the backup. To ensure that the system state data is backed up, you should use the -allCritical parameter.

You should not run the Wbadmin enable backup -addtarget command. The -addTarget parameter is used to specify the storage location for backups. It cannot be used to include the system state data in backups.



References :Wbadmin enable backupWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/c0e57f8a-70fa-4c60-9754-e762e8ad87721033.mspx?mfr=true

Wbadmin start backupWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/56f3e752-d99a-4c3d-8e97-10303c37dd781033.mspx?mfr=true


Backup Command ReferenceWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/03de0a65-21f0-4dd7-a3ae-251c98bbf6eb1033.mspx?mfr=true




______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with two sites: Los Angeles and New York. All domain controllers are running Windows Server 2008. The organizational unit (OU) hierarchy is shown in the exhibit.

The NewYork OU has two Group Policy objects (GPOs) applied. GPO-User defines desktop settings that should be applied to all users in the New York office. GPO-Computer defines settings that should be applied to all client computers in the New York office.

Users report that logging on is very slow.

You need to reduce the amount of time it takes to process GPOs.

What should you do?

1. Link GPO-User to the Users2 OU. Link GPO-Computer to the Computers2 OU.

2. Configure Windows Management Interface (WMI) filtering for the GPO-Computer GPO.

3. Disable Computer Configuration for the GPO-User GPO. Disable User Configuration for the GPO-Computer GPO. <Correct>

4. Configure Windows Management Interface (WMI) filtering for the GPO-User GPO.

Explanation :You should disable Computer Configuration for the GPO-User GPO and disable User Configuration for the GPO-Computer GPO. The GPO-User GPO contains only user-specific settings. Therefore, you can disable processing for the Computer Configuration policies. The GPO-Computer GPO contains only machine-specific settings. Therefore, you can disable processing for the User Configuration policies. By limiting which configuration containers are processed, you can reduce the amount of time it takes to apply GPOs.

You should not configure Windows Management Interface (WMI) filtering for the GPO-User GPO. WMI filtering provides a way to limit which computers or users receive a GPO. However, WMI filters negatively impact performance instead of improving it. In this case, there is no need to filter which users have GPO-User applied because it contains settings that should be applied to all users.

You should not configure Windows Management Interface (WMI) filtering for the GPO-Computer GPO. WMI filtering provides a way to limit which computers or users receive a GPO. However, WMI filters negatively impact performance instead of improving it. In this case, there is no need to filter which computers have GPO-Computer applied because it contains settings that should be applied to all computers.

You should not link GPO-User to the Users2 OU and link GPO-Computer to the Computers2 OU. Linking the GPOs to an OU lower in the hierarchy will not improve performance. However, it might modify the effective policy because GPOs linked to lower levels override GPOs linked to higher levels.






______________________________________________________________________________________________________________________________________________

Your company's network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain.

Your company has decided that all users on the network must have user certificates. You have configured two Certificate Authorities.

You need to issue user certificates to all users as soon as possible, using the least amount of administrative effort.

What should you do?

1. Create a Group Policy object (GPO) to automatically request user certificates. <Correct>

2. Instruct users to launch the Certificate Templates snap-in to request user certificates.

3. Configure your account as an enrollment agent. Use the Certificates snap-in to request user certificates for users.

4. Instruct users to open the Web enrollment page to request user certificates.

Explanation :You should use Group Policy to automatically enroll for user certificates. By doing so, users will automatically be enrolled for certificates once you apply the GPO. This solution will deploy certificates as quickly as possible with the least amount of administrative effort.

You should not instruct users to open the Web enrollment page and request a user certificate. This method will not deploy certificates as quickly as possible because you need to rely on users to manually generate requests for certificates. There are several ways that users can enroll for certificates. They can use Web-based enrollment, use the Certificate snap-in to submit a request for a certificate, an enrollment agent can request certificates on behalf of users, or you can configure autoenrollment.

You should not instruct users to launch the Certificates Templates snap-in. That console cannot be used to submit requests for certificates. That console is used to manage certificate templates.

You should not have an enrollment agent request certificates for users. Since there are 1,000 users on the network, the solution would require far too much administrative effort.



Active Directory Certificate ServicesWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/c8955f83-fed9-4a18-80ea-31e865435f731033.mspx?mfr=true



______________________________________________________________________________________________________________________________________________

Your company's network is configured as a single Active Directory domain with three sites: Chicago, New York, and Atlanta. Your company is planning to implement smart card authentication. The smart card issuing plan must meet the following requirements:

* Members of the CertificatesAdmins global group must be able to modify the properties of certificate templates * Members of the SmartCardAdmins global group must be able to issue smart cards

You need to configure the necessary permissions on the CustomLogon certificate template. Your solution should grant only the necessary permissions.


1. Grant SmartCardAdmins Read and Enroll permissions. <Correct>

2. Grant SmartCardAdmins Autoenroll and Read permissions.

3. Grant CertificateAdmins Full Control permissions.

4. Grant CertificateAdmins Read and Write permissions. <Correct>

5. Grant SmartCardAdmins Autoenroll and Enroll permissions.

Explanation :You should grant CertificateAdmins Read and Write permissions. CertificateAdmins need to be able to modify the template. Therefore, they need Read and Write permissions.

You should grant SmartCardAdmins Read and Enroll permissions. SmartCardAdmins need to be able to enroll for a certificate. Enrolling requires both the Enroll and Read permissions.

You should not grant CertificateAdmins Full Control permission. Full Control grants all permissions on the template. CertificateAdmins do not need to be able to enroll or autoenroll for the certificate. Therefore, they should not be granted those permissions.

You should not grant SmartCardAdmins Autoenroll and Enroll permissions. SmartCardAdmins do not need Autoenroll permissions because they will manually enroll for a smart card certificate. Also, they need Read permission to be able to enroll for a smart card certificate.

You should not grant SmartCardAdmins Autoenroll and Read permissions. SmartCardAdmins need to be able to manually enroll for a smart card, not Autoenroll. Also, in order to autoenroll, a user needs Read, Enroll, and Autoenroll permissions.






______________________________________________________________________________________________________________________________________________

Your company has a main office and a branch office. The company's network consists of a single Active Directory domain. You install Active Directory Certificate Services (AD CS) on a server named Server1 that runs Windows Server 2008.

You are required to issue certificates to all client computers on the network by using AD CS. Some client computers in the branch office run the Linux operating system, and these client computers are not joined to the company's domain.

You need to ensure that you are able to issue certificates to Linux clients.

How should you configure AD CS on Server1?

1. Configure the Network Device Enrollment Service (NDES) role service on Server1.

2. Configure Enterprise PKI-View (Public key infrastructure) on Server1.

3. Configure the Web Enrollment Service on Server1. <Correct>

4. Configure the Restricted Enrollment Agent on Server1.

Explanation :You should configure the Web Enrollment Service on Server1. You should use the Web Enrollment Service to issue certificates to client computers that run non-Microsoft operating systems and are not part of the domain. To assign certificate to these clients, you do not have to rely auto-enrollment by a certification authority (CA) or the Certificate Request Wizard. The Web enrollment service is a Windows-based CA that allows users to obtain new or renewed certificates over the Internet.

You should not configure NDES on Server1. NDES is Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP). SCEP helps to provide X.509 certificates for software running on network devices like routers and switches.

You should not configure Enterprise PKI-View (Public key infrastructure) on Server1. Enterprise PKI-View cannot be used to provide certificates to non-Microsoft client computers. Enterprise PKI-view provides a view of the status of your network's PKI environment. This enables administrators to troubleshoot and fix possible errors by the CA.

You should not configure the Restricted Enrollment Agent on Server1. The Restricted Enrollment Agent cannot be used to provide certificates to client computers running non-Microsoft operating systems. The Restricted Enrollment Agent in AD CS allows you to limit permissions to users who are designated as enrollment agents and receive certificates on behalf of other users in the network.



AD CS: Web EnrollmentWindows Server 2008 Technical LibraryLink: http://technet2.microsoft.com/windowsserver2008/en/library/c47e0d48-abeb-493e-a9f1-19bba1537ba51033.mspx?mfr=true

70-640 Sample Test Questions

Documents

Transcript of 70-640 Sample Test Questions