ts: windows server 2008 active directory, … windows server 2008 active directory, configuring...

TS: Windows Server 2008 Active Directory, Configuri ng

Number: 70-640Passing Score: 700Time Limit: 150 minFile Version: 2012

http://www.gratisexam.com/

Microsoft

70-640 Exam

TS: Windows Server 2008 Active Directory Configurin g

Questions:243

Release Date Feb,2012

By Tamilan

Sections1. AD Sites & Services2. Configuring Additional AD Server Roles3. Configuring AD Backup-Restore4. Configuring AD Infrastructure5. Configuring AD DNS6. Configuring AD Certificate Services7. Configuring AD Rights Mgmt Services8. Configuring AD Federated Services9. Configuring AD LDS10.Configuring AD FSMO Roles11.Configuring Domains and Trusts12.Configuring Group Policy13.Creating & Maintaining AD Objects14.Maintaining the AD Environment15.Powershell & Command line cmds

Exam A

QUESTION 1

Your network contains an Active Directory domain. The relevant servers in the domain are configured as shownin the following table:

Server name Operating System Server role

Server1 Windows 2008 Domain controller

Server2 Windows 2008 R2 Enterprise root certification authority (CA)

Server3 Windows 2008 R2 Network Device Enrollment Service (NDES)

You need to ensure that all device certificate requests use the MD5 hash algorithm.

What should you do?

A. On Server2, run the Certutil tool.B. On Server1, update the CEP Encryption certificate template.C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm

\HashAlgorithm registry key.

Correct Answer: DSection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc787544%28WS.10%29.aspx

----------------------------------------------------------------------------------------------------------------------------------------------------------------Edit the registry to enable the hash algorithm

HKEY_Current_User\Software\Microsoft

HKEY_Current_User\Software\Microsoft contains registry settings for user certificates that have beendistributed by means other than Group Policy. These settings are stored in the following subkeys:

HKEY_Current_User\Software\Microsoft\Cryptography

HKEY_Current_User\Software\Microsoft\SystemCertificates

HKEY_Current_User\Software\Microsoft\Cryptography

The following registry entries are located under HKEY_Current_User\Software\Microsoft\Cryptography.AutoenrollmentRegistry path

HKEY_Current_User\Software\Microsoft\Cryptography\Version

Windows Server 2003, Windows 2000, and Windows XP

This setting is used to manage event logging and cached directory service data when user certificateautoenrollment has been enabled.

AEExpressRegistry path

HKEY_Current_User\Software\Microsoft\Cryptography\Autoenrollment

QUESTION 2.

Your network contains an Active Directory domain.

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise rootcertification authority (CA).

You have a client computer named Computer1 that runs Windows 7. You enable automatic certificateenrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computerscan automatically enroll for certificates.

Which command should you run on Computer1?

A. certreq.exe retrieveB. certreq.exe submitC. certutil.exe getkeyD. certutil.exe pulse

Correct Answer: DSection: Configuring AD Certificate ServicesExplanation


----------------------------------------------------------------------------------------------------------------------------------------------------------------Applies To: Windows Server 2008/R2

Certutil.exe is a command-line program that is inst alled as part of Certificate Services . You can use Certutil.exe to dump and display certification authority (CA) configuration information, configureCertificate Services, back up and restore CA components, and verify certificates, key pairs, and certificatechains.

-pulse Pulse auto enrollment events

-backupDB Backup the Active Directory Certificate Services database

-backupKey Backup the Active Directory Certificate Services certificate and private key

-restore Restore Active Directory Certificate Service

QUESTION 3.

Your network contains two Active Directory forests named contoso.com and adatum.com. The functional levelof both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory CertificateServices (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically

enroll user certificates.

You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.comcertification authority (CA).

What should you configure in the adatum.com domain?

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.C. From the Default Domain Policy, modify the Certificate Enrollment policy.D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.

Correct Answer: CSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd851772.aspxConfiguring certificate enrollment policy settings byusing Group Policy

----------------------------------------------------------------------------------------------------------------------------------------------------------------Domain Admins is the minimum group membership required to complete this procedure.To configure certificate enrollment policy settings in Group Policy

Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.

In the console tree, expand the forest and domain that contain the policy that you want to edit, and clickGroup Policy Objects.

Right-click the policy that you want to edit, and then click Edit.

In the console tree under Computer Configuration\Policies\Windows Settings\Security Settings, click PublicKey Policies.

Double-click Certificate Services Client – Certificate Enrollment Policy. For more information about thesettings in this dialog box, see the "Certificate Services Client – Certificate Enrollment Policy Properties dialogbox" table later in this topic.

Click Add to open the Certificate Enrollment Policy Server dialog box. For more information about thesettings in this dialog box, see the "Certificate Enrollment Policy Server dialog box" table later in this topic.

Do one of the following: To add the enrollment policy provided by Active Directory Domain Services (AD DS), select the Usedefault Active Directory domain controller URI check box.

In the Enter enrollment policy server URI box, type a certificate enrollment policy server URI.

In the Authentication type list, select the authentication type required by the enrollment policy server.

Click Validate, and review the messages in the Certificate enrollment policy server properties area. The Addbutton is available only when the enrollment policy server URI and authentication type are valid.

Click Add.

QUESTION 4.

You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) roleservices installed:

-Enterprise root certification authority (CA)-Certificate Enrollment Web Service-Certificate Enrollment Policy Web Service

You create a new certificate template.External users report that the new template is unavailable when they request a new certificate.You verify that all other templates are available to the external users.You need to ensure that the external users can request certificates by using the new template.

What should you do on Server1?

A. Run iisreset.exe /restart.B. Run gpupdate.exe /force.C. Run certutil.exe dspublish.D. Restart the Active Directory Certificate Services service.

Correct Answer: ASection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/gg398409.aspx

http://www.tech-faq.com/the-certificate-enrollment-process.html

http://support.microsoft.com/kb/317584----------------------------------------------------------------------------------------------------------------------------------------------------------------

Restart IIS service to republish sites

Overview of Iisreset.exeIisreset.exe uses the following syntax:iisreset[ computername]NOTE: Items in [] are optional.

While iisreset will run this without arguments, you may wish to perform other functions. You can use thefollowing parameters with Iisreset.exe:

computername: Use this parameter to specify the computer that you want to manage. If you omit thisparameter, the local computer is specified. /restart: Use this parameter to stop and restart all of the running Internet services. /start: Use this parameter to start all of the Internet services that are stopped. /stop: Use this parameter to stop all of the running Internet services. /reboot: Use this parameter to restart the computer. /rebootonerror: Use this parameter to restart the computer if an error occurs after the Internet servicesattempt to start, stop, or restart. /noforce: Use this parameter so that the Internet services do not shut down forcefully if you cannot stop theservices gracefully. /timeout:value Use this parameter (where value is a timeout value in seconds) to specify the time thecomputer waits for the Internet services to stop. After the computer stops, it restarts if you use the /rebootonerror parameter. The following list describes the default values: The default value is 20 seconds if you use this parameter with /restart. The default value is 60 seconds if you use this parameter with /stop. The default value is 0 seconds if you use this parameter with /reboot.

/status: Use this parameter to display the status of all of the Internet services. /enable: Use this parameter to enable the Internet services to restart. /disable: Use this parameter to disable the Internet services restart process.

QUESTION 5.

Your network contains an enterprise root certification authority (CA). You need to ensure that a certificateissued by the CA is valid.

What should you do?

A. Run syskey.exe and use the Update option.B. Run sigverif.exe and use the Advanced option.C. Run certutil.exe and specify the -verify parameter.D. Run certreq.exe and specify the -retrieve parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc962081.aspx

-----------------------------------------------------------------------------------------------------------------certutil.exe -verify - verify certifcate, CRL, or c hain

QUESTION 6.

You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.

Users are required to log on to the domain by using a smart card. Your company's corporate security policystates that when an employee resigns, his ability to log on to the network must be immediately revoked.

An employee resigns. You need to immediately prevent the employee from logging on to the domain.


What should you do?

A. Revoke the employee's smart card certificate.B. Disable the employee's Active Directory account.C. Publish a new delta certificate revocation list (CRL).D. Reset the password for the employee's Active Directory account.

Correct Answer: BSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc781527%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------Disable an AD acct

ADUC > right click - Disable/Enable

Cmd Line

dsmod userUserDN-disabled {yes|no}

QUESTION 7.

You add an Online Responder to an Online Responder Array. You need to ensure that the new OnlineResponder resolves synchronization conflicts for all members of the Array.

What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.C. From the Online Responder Management Console, select the new Online Responder, and then select Set

as Array Controller.D. From the Online Responder Management Console, select the new Online Responder, and then select

Synchronize Members with Array Controller.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731175.aspx---------------------------------------------------------------------------------------------------------------------------------------------------Online Responder

QUESTION 8.

Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterpriseroot certification authority (CA).

You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.

You revoke a certificate issued to an external partner. You need to prevent the external partner from accessingthe Web site.

What should you do?

A. Run certutil.exe -crl.B. Run certutil.exe -delkey.C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.D. From Active Directory Users and Computers, modify the Contact object for the external partner.

Correct Answer: A

Section: Configuring AD Certificate ServicesExplanation


-----------------------------------------------------------------------------------------------------------------certutil -CRL - Publish new certificate revocation lists (CRLs) [or only delta CRLs]

-revoke - Revoke a certificate

QUESTION 9.

Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standardprimary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need toensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.

What should you do?

A. Create a new stub zone named ad.contoso.com on DC2.B. Configure the DNS server on DC2 to forward requests to DC1.C. Create a new secondary zone named ad.contoso.com on DC2.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.


Explanation/Reference:support.microsoft.com/kb/816101--------------------------------------------------------------------------------------------------------------------------Convert Primary DNS Server to Active Directory Inte grated Primary

On the current DNS server, start DNS Manager. Right-click a DNS zone, click Properties, click the General tab, and then note the Type value. This will bePrimary zone, Secondary zone or Stub zone. Click Change. In the Change Zone Type box, click to select the Store the zone in Active Directory (available only if DNSserver is a domain controller) check box. When you are prompted to answer whether want this zone to becomeActive Directory integrated, click Yes, and then click OK. In the Domain properties, the type now shows "Active Directory-Integrated"

QUESTION 10.

Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNSservers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that thecontoso.com zone has multiple entries for the host names of computers that do not exist.

You need to configure the contoso.com zone to automatically remove expired records.

What should you do?

A. Enable only secure updates on the contoso.com zone.B. Enable scavenging and configure the refresh interval on the contoso.com zone.C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone.

Correct Answer: BSection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc759204%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------------------------Enable scavenging and configure the refresh interva l - DNS

If left unmanaged, the presence of stale RRs in zone data might cause some problems. The following areexamples:

If a large number of stale RRs remain in server zones, they can eventually take up server disk space andcause unnecessarily long zone transfers.

DNS servers loading zones with stale RRs might use outdated information to answer client queries,potentially causing the clients to experience name resolution problems on the network.

The accumulation of stale RRs at the DNS server can degrade its performance and responsiveness.

In some cases, the presence of a stale RR in a zone could prevent a DNS domain name from being used byanother computer or host device.

To solve these problems, the DNS Server service has the following features:

Time stamping, based on the current date and time set at the server computer, for any RRs addeddynamically to primary-type zones. In addition, time stamps are recorded in standard primary zones whereaging/scavenging is enabled.

For RRs that you add manually, a time stamp value of zero is used, indicating that they are not affected bythe aging process and can remain without limitation in zone data unless you otherwise change their time stampor delete them.

Aging of RRs in local data, based on a specified refresh time period, for any eligible zones.

Only primary type zones that are loaded by the DNS Server service are eligible to participate in this process.

Scavenging for any RRs that persist beyond the specified refresh period.

When a DNS server performs a scavenging operation, it can determine that RRs have aged to the point ofbecoming stale and remove them from zone data. Servers can be configured to perform recurring scavengingoperations automatically, or you can initiate an immediate scavenging operation at the server.

QUESTION 11.

Your company has a main office and a branch office. The company has a single-domain Active Directory forest.

The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. Thebranch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domaincontrollers hold the DNS Server server role and are configured as Active Directory- integrated zones. The DNSzones only allow secure updates.

You need to enable dynamic DNS updates on DC3.

What should you do?

A. Run the Ntdsutil.exe DS Behavior commands on DC3.B. Run the Dnscmd.exe /ZoneResetType command on DC3.C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.D. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-

integrated zones.

Correct Answer: CSection: Configuring Additional AD Server RolesExplanation


A RODC vs.a writable DC

QUESTION 12.

Your company has a main office and five branch offices that are connected by WAN links. The company has anActive Directory domain named contoso.com. Each branch office has a member server configured as a DNSserver. All branch office DNS servers host a secondary zone for contoso.com.

You need to configure the contoso.com zone to resolve client queries for at least four days in the event that aWAN link fails.

What should you do?

A. Configure the Expires after option for the contoso.com zone to 4 days.B. Configure the Retry interval option for the contoso.com zone to 4 days.C. Configure the Refresh interval option for the contoso.com zone to 4 days.D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.

Correct Answer: ASection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/bb727018.aspx------------------------------------------------------------------------------------------------------------------------------------------DNS Config

Expires After The period of time for which zone information is valid on the secondary server. If the secondaryserver can't download data from a primary server within this period, the secondary server lets the data in itscache expire and stops responding to DNS queries. Setting Expires After to seven days allows the data on asecondary server to be valid for seven days.

QUESTION 13.

Your company has an Active Directory domain named contoso.com. The company network has two DNSservers named DNS1 and DNS2.

The DNS servers are configured as shown in the following table:

DNS1 DNS2

_msdcs.contoso.comcontoso.com

.(root)_msdcs.contoso.comcontoso.com

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to InternetWeb sites.

You need to enable Internet name resolution for all client computers.

What should you do?

A. Create a copy of the .(root) zone on DNS1.B. Update the list of root hints servers on DNS2.C. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.D. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.


Explanation/Reference:http://support.microsoft.com/kb/298148----------------------------------------------------------------------------------------------------------------------------------------------DNS Root zone

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone forthe domain is created and a root zone, also known as a dot zone, is also created. This root zone may preventaccess to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones otherthan those that are listed with DNS, and you cannot configure forwarders or root hint servers. For thesereasons, you may have to remove the root zone.

QUESTION 14.

Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com.

You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computersin a DNS domain named fabrikam.com.Fabrikam.com has a DHCP server and a DNS server.

Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has an A recordin the fabrikam.com DNS zone. What are two possible ways to achieve this goal?

(Each correct answer presents a complete solution. Choose two.)

A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.

E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to thedomain name fabrikam.com.

Correct Answer: BDSection: AD Sites & ServicesExplanation

Explanation/Reference:OPT1)

http://technet.microsoft.com/en-us/library/cc779282%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------To resolve an unqualified name by appending the primary DNS suffix and the DNS suffix of each connection (ifconfigured), click Append primary and connection specific DNS suffixes. If you also want to search the parentsuffixes of the primary DNS suffix up to the second level domain, select the Append parent suffixes of theprimary DNS suffix check box.

OPT2)

http://technet.microsoft.com/en-us/library/ee941136%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------------------------------------- Configure a DNS domain option as a server or scope option using the DHCP MMC.

Dynamic Host Configuration Protocol (DHCP) uses options to pass additional Internet Protocol (IP) settings toDHCP clients on a network. Examples of DHCP options include:

The default gateway IP address

The Domain Name System (DNS) server IP address

The DNS domain name

QUESTION 15.

Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server2008 R2. All domain controllers are configured as DNS servers.

You have a standard primary zone for dev.contoso.com that is stored on a member server.

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.

What should you do?

A. On the member server, create a stub zone.B. On the member server, create a NS record for each domain controller.C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the forest.D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the domain.

Correct Answer: CSection: Configuring AD DNSExplanation

Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc754941.aspx----------------------------------------------------------------------------------------------------------------------------------------------Conditional Forwarder

When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.

QUESTION 16.

You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.

You need to record all inbound DNS queries to the server.

What should you configure in the DNS Manager console?

A. Enable debug logging.B. Enable automatic testing for simple queries.C. Enable automatic testing for recursive queries.D. Configure event logging to log errors and warnings.

Correct Answer: ASection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc776361%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Logging

Dns.log contains debug logging activity. By default, it is located in the windir\System32\Dns folder.

To enable and use file-based logging, see Select and enable debug logging options on the DNS server.

QUESTION 17.

Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in theForestDnsZones Active Directory application partition.

You have a member server that contains a standard primary DNS zone for dev.contoso.com.

You need to ensure that all domain controllers can resolve names for dev.contoso.com.

What should you do?

A. Create a NS record in the contoso.com zone.B. Create a delegation in the contoso.com zone.C. Create a standard secondary zone on a Global Catalog server.D. Modify the properties of the SOA record in the contoso.com zone.

Correct Answer: BSection: Configuring AD Backup-RestoreExplanation


----------------------------------------------------------------------------------------------------------------------------------------------Create a DNS Delegation

Using the Windows interface

Open the DNS console.

In the console tree, right-click the applicable subdomain, and then click New Delegation.

Follow the instructions provided in the New Delegation Wizard to finish creating the new delegated domain.

Using a command line

dnscmdServerName/RecordAddZoneNameNodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

QUESTION 18.

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers. You have an Active Directory-integrated zone for contoso.com.

You have a UNIX-based DNS server.

You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.comzone to the UNIX-based DNS server.

What should you do in the DNS Manager console?

A. Disable recursion.B. Create a stub zone.C. Create a secondary zone.D. Enable BIND secondaries.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc786538%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Enable BIND - DNS

To enable or disable fast DNS zone transfers using the Windows interface

Open the DNS snap-in.

In the console tree, click the applicable DNS server.

Where? DNS/applicable DNS server

On the Action menu, click Properties.

Click the Advanced tab.

In Server options, select the BIND secondaries check box, and then click OK.

QUESTION 19

.

Your network consists of an Active Directory forest that contains one domain named contoso.com.

All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two ActiveDirectory-integrated zones: contoso.com and nwtraders.com.

You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user frommodifying the SOA record in the nwtraders.com zone.

What should you do?

A. From the DNS Manager console, modify the permissions of the contoso.com zone.B. From the DNS Manager console, modify the permissions of the nwtraders.com zone.C. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.D. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers

organizational unit (OU).

Correct Answer: ASection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc780538%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Security

QUESTION 20.

Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directorydomain named intranet.fabrikam.com.

Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.

You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.

What should you do?

A. Create a new stub zone for the intranet.fabrikam.com domain.B. Configure conditional forwarding for the intranet.fabrikam.com domain.C. Create a standard secondary zone for the intranet.fabrikam.com domain.D. Create an Active Directoryintegrated zone for the intranet.fabrikam.com domain.


Explanation/Reference:http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx----------------------------------------------------------------------------------------------------------------------------------------------Configure Conditional Forwarding

Exam B

QUESTION 1.

Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllersnamed DC1 and DC2. Both domain controllers have the DNS Server server role installed.

You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 toforward all unresolved name requests to DNS1.contoso.com.

You discover that the DNS forwarding option is unavailable on DC2. You need to configure DNS forwarding onthe DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform?

(Each correct answer presents part of the solution. Choose two.)

A. Clear the DNS cache on DC2.B. Delete the Root zone on DC2.C. Configure conditional forwarding on DC2.D. Configure the Listen On address on DC2.

Correct Answer: BCSection: Configuring AD DNSExplanation

Explanation/Reference:http://support.microsoft.com/kb/298148----------------------------------------------------------------------------------------------------------------------------------------------DNS Root zone

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone forthe domain is created and a root zone, also known as a dot zone, is also created. This root zone may preventaccess to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones otherthan those that are listed with DNS, and you cannot configure forwarders or root hint servers. For thesereasons, you may have to remove the root zone.

QUESTION 2.

Your network consists of an Active Directory forest that contains one domain. All domain controllers runWindows Server 2008 R2 and are configured as DNS servers. You have an Active Directory- integrated zone.

You have two Active Directory sites. Each site contains five domain controllers.

You add a new NS record to the zone.

You need to ensure that all domain controllers immediately receive the new NS record.

What should you do?

A. From the DNS Manager console, reload the zone.B. From the Services snap-in, restart the DNS Server service.C. From the command prompt, run repadmin /syncall.D. From the DNS Manager console, increase the version number of the SOA record.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835086%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Sync Replication

repadmin /syncall

QUESTION 3.

You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNSserver for contoso.com.

You install the DNS Server server role on a member server named Server1 and then you create a standardsecondary zone for contoso.com. You configure DC1 as the master server for the zone.

You need to ensure that Server1 receives zone updates from DC1.

What should you do?

A. On Server1, add a conditional forwarder.B. On DC1, modify the permissions of contoso.com zone.C. On DC1, modify the zone transfer settings for the contoso.com zone.D. Add the Server1 computer account to the DNSUpdateProxy group.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc739056%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Modify zone transfer settings

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2003 with SP2

To modify DNS zone transfer settings


Open DNS.

Right-click a DNS zone, and then click Properties.

On the Zone Transfers tab, do one of the following:

To disable zone transfers, clear the Allow zone transfers check box.

To allow zone transfers, select the Allow zone transfers check box.

If you allowed zone transfers, do one of the following:

To allow zone transfers to any server, click To any server.

To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers

listed on the Name Servers tab.

To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add theIP address of one or more DNS servers.


dnscmdServerName/ZoneResetSecondariesZoneName {/NoXfr | /NonSecure | /SecureNs | /SecureList[SecondaryIPAddress...]}

QUESTION 4Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2and are configured as DNS servers.

A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller namedDC2 has a standard secondary zone for contoso.com.

You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data.

What should you do?

A. On both servers, modify the interface that the DNS server listens on.B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.C. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.D. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the

secondary zone.




QUESTION 5.

Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. Thedomain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You plan to create a new Active Directory-integrated zone.

You need to ensure that the new zone is only replicated to four of your domain controllers.

What should you do first?

A. Create a new delegation in the ForestDnsZones application directory partition.B. Create a new delegation in the DomainDnsZones application directory partition.C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.D. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756116%28WS.10%29.aspx#BKMK_5----------------------------------------------------------------------------------------------------------------------------------------------Dnscmd createdirectorypartition

Creates a DNS application directory partition. When DNS is installed, an application directory partition for theservice is created at the forest and domain levels. This operation creates additional DNS application directorypartitions.Syntax

Art Image dnscmd [ServerName] /createdirectorypartition PartitionFQDNParameters

ServerName Specifies the DNS server the administrator plans to manage, represented by IP address, FQDN, or Hostname. If omitted, the local server is used.

PartitionFQDN The fully qualified domain name of the DNS application directory partition that will be created.

Dnscmd deletedirectorypartition

Removes an existing DNS application directory partition.Syntax

Art Image dnscmd [ServerName] /deletedirectorypartition PartitionFQDNParameters

ServerName Specifies the DNS server the administrator plans to manage, represented by IP address, FQDN, or Hostname. If omitted, the local server is used.

PartitionFQDN The fully qualified domain name of the DNS application directory partition that will be removed.

Dnscmd directorypartitioninfo

Lists information about a specified DNS application directory partition.Syntax

Art Image dnscmd [ServerName] /directorypartitioninfo PartitionFQDN [/detail]

QUESTION 6.

Your network consists of a single Active Directory domain. You have a domain controller and a member serverthat run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run eitherWindows XP Service Pack 3 or Windows 7. You have a standard primary zone on the domain controller. Themember server hosts a secondary copy of the zone.

You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.


A. On the member server, add a conditional forwarder.B. On the member server, install Active Directory Domain Services.C. Add all computer accounts to the DNSUpdateProxy group.D. Convert the standard primary zone to an Active Directory-integrated zone.




QUESTION 7.

Your company has an Active Directory domain. The main office has a DNS server named DNS1 that isconfigured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 thatcontains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link.

You add a new server to the main office. Five minutes after adding the server, a user from the branch officereports that he is unable to connect to the new server. You need to ensure that the user is able to connect tothe new server.

What should you do?

A. Clear the cache on DNS2.B. Reload the zone on DNS1.C. Refresh the zone on DNS2.D. Export the zone from DNS1 and import the zone to DNS2.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784052%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Dynamic update

Updated: January 21, 2005


Dynamic update

Dynamic update enables DNS client computers to register and dynamically update their resource records with aDNS server whenever changes occur. This reduces the need for manual administration of zone records,especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

The DNS Client and Server services support the use of dynamic updates, as described in Request forComments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allowsdynamic update to be enabled or disabled on a per-zone basis at each server configured to load either astandard primary or directory-integrated zone. By default, the DNS Client service will dynamically update host(A) resource records (RRs) in DNS when configured for TCP/IP. For more information about RFCs, see DNSRFCs.How client and server computers update their DNS names

By default, computers that are statically configured for TCP/IP attempt to dynamically register host (A) andpointer (PTR) resource records (RRs) for IP addresses configured and used by their installed networkconnections. By default, all computers register records based on their fully qualified domain name (FQDN).

The primary full computer name, a FQDN, is based on the primary DNS suffix of a computer appended to itsComputer name.

Both of these settings are displayed or configured from the Computer Name tab in System properties. For moreinformation, see View system properties.

QUESTION 8You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

What is the minimal forest functional level that you should use?

A. Windows Server 2008 R2B. Windows Server 2008C. Windows Server 2003D. Windows 2000

Correct Answer: CSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731243%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Prerequisites for Deploying an RODC

Applies To: Windows Server 2008, Windows Server 2008 R2

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication(LVR) is available. This provides a higher level of replication consistency. The domain functional level must beWindows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functionallevel is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003or higher.

QUESTION 9Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers runWindows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is

Windows 2000.

You need to ensure the UPN suffix for contoso.com is available for user accounts.


A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.C. Add the new UPN suffix to the forest.D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to

contoso.com.

Correct Answer: CSection: Configuring Domains and TrustsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772007.aspx----------------------------------------------------------------------------------------------------------------------------------------------Add User Principal Name Suffixes

To add UPN suffixes

Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, clickAdministrative Tools, and then click Active Directory Domains and Trusts.

In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.

On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.

Repeat step 3 to add additional alternative UPN suffixes.

Additional considerations

To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins groupin Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As asecurity best practice, consider using Run as to perform this procedure. For more information, search for "usingrun as" in Help and Support.

UPN suffixes should conform to DNS conventions for valid characters and syntax.

You can also perform the task in this procedure by using the Active Directory module for WindowsPowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click ActiveDirectory Module for Windows PowerShell. For more information, see Add User Principal Name Suffixes (http://go.microsoft.com/fwlink/?LinkId=137827). For more information about Windows PowerShell, see WindowsPowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).

QUESTION 10.

Your company,

A. Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has twodomain controllers that run Windows Server 2008 R2 operating system. The domain controllers also run DNSservers.

The intranet.adatum.com DNS zone is configured as an Active Directoryintegrated zone with the Dynamicupdates setting configured to Secure only. A new corporate security policy requires that theintranet.adatum.com DNS zone must be updated only by domain controllers or member servers.

You need to configure the intranet.adatum.com zone to meet the new security policy requirement.

Which two actions should you perform?


A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zoneproperties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNSzone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of theintranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tabof the intranet.adatum.com DNS zone properties.

Correct Answer: ADSection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc780538%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------DNS Security

C is incorrect becuase the is no "Allow on Write All" permission( see screenshot below).

C is incorrect becuase the is no "Allow on Write All" permission.

QUESTION 11.

Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.

You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.

Which two tasks should you perform?


A. Run the adprep /forestprep command.B. Run the adprep /domainprep command.C. Raise the forest functional level to Windows Server 2008.D. Raise the domain functional level to Windows Server 2008.

Correct Answer: ABSection: Powershell & Command line cmdsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Adprep

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, WindowsServer 2008

Extends the Active Directory® schema and updates permissions as necessary to prepare a forest and domainfor a domain controller that runs the Windows Server® 2008 operating system.

Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the\sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. You must run adprep from an elevated command prompt. To open an elevated commandprompt, click Start, right-click Command Prompt, and then click Run as administrator.

In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The 64-bit versionruns by default. If you need to run Adprep on a 32-bit computer, run the 32-bit version (Adprep32.exe).

For more information about running Adprep.exe and how to resolve errors that can occur when you run it, seeRunning Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

For examples of how this command can be used, see Examples.

For more information about running adprep /forestprep, see Prepare a Windows 2000 or Windows Server 2003Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).

For more information about running adprep /domainprep /gpprep, see Prepare a Windows 2000 or WindowsServer 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2(http://go.microsoft.com/fwlink/?LinkID=93243).

For more information about running adprep /rodcprep, see Prepare a Forest for a Read-Only Domain Controller(http://go.microsoft.com/fwlink/?LinkID=93244).

QUESTION 12.

Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.

You install Windows Server 2008 R2 on a server.

You need to add the new server as a domain controller in your domain.


A. On the new server, run dcpromo /adv.B. On the new server, run dcpromo /createdcaccount.C. On a domain controller run adprep /rodcprep.D. On a domain controller, run adprep /forestprep.

Correct Answer: DSection: Creating & Maintaining AD ObjectsExplanation











QUESTION 13.

Your company has two Active Directory forests as shown in the following table:

Forest name Forest functional level Domain(s)

contoso.com Windows Server 2008 contoso.com

fabrikam.com Windows Server 2008 fabrikam.com eng.fabrikam.com

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wideauthentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain toaccess resources in the contoso.com domain.

You need to configure the forest trust to meet the new security policy requirement.

What should you do?

A. Delete the outgoing forest trust in the contoso.com domain.B. Delete the incoming forest trust in the contoso.com domain.C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide

authentication to Selective authentication.D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude

*.eng.fabrikam.com from the Name Suffix Routing trust properties.

Correct Answer: DSection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc778851%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Create a two-way, forest trust for both sides of th e trust

To create a two-way, forest trust for both sides of the trust

Open Active Directory Domains and Trusts.

In the console tree, right-click the domain node for the domain that you want to establish a trust with, andthen click Properties.

On the Trusts tab, click New Trust, and then click Next.

On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system(NetBIOS) name) of the domain, and then click Next.

On the Trust Type page, click Forest trust, and then click Next.

On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of Trust page, see the section"Direction of Trust" in Appendix: New Trust Wizard Pages.

On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

For more information about the selections that are available on the Sides of Trust page, see the section"Sides of Trust" in Appendix: New Trust Wizard Pages.

On the User Name and Password page, type the user name and password for the appropriate administratorin the specified domain.

On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next: Click Forest-wide authentication.

Click Selective authentication.

On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then clickNext: Click Forest-wide authentication.


On the Trust Selections Complete page, review the results, and then click Next.

On the Trust Creation Complete page, review the results, and then click Next.

On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do notconfirm the trust at this stage, the secure channel will not be established until the first time the trust is used byusers.

If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriateadministrative credentials from the specified domain.

On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust.

If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriateadministrative credentials from the specified domain.

On the Completing the New Trust Wizard page, click Finish.

QUESTION 14.

You have an existing Active Directory site named Site1. You create a new Active Directory site and name itSite2.

You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.You create the site link between Site1 and Site2.

What should you do next?

A. Use the Active Directory Sites and Services console to configure a new site link bridge object.B. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.C. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new

domain controller object to Site2.D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred

bridgehead server for Site1.

Correct Answer: CSection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730718.aspx----------------------------------------------------------------------------------------------------------------------------------------------AD Sites & Services - Configure an Additional Site

The tasks for configuring a new site include the following:

Creating the site

Mapping the correct IP addresses to the site by creating a subnet

Linking the site to another site or sites by creating a site link and adding the new site to it

QUESTION 15.

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.

You upgrade all domain controllers to Windows Server 2008 R2.

You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).

What should you do?

A. From the command prompt, run netdom /reset.B. From the command prompt, run dfsutil /addroot:sysvol.C. Raise the functional level of the domain to Windows Server 2008 R2.D. From the command prompt, run dcpromo /unattend:unattendfile.xml.

Correct Answer: CSection: Maintaining the AD EnvironmentExplanation











QUESTION 16.

Your company has a branch office that is configured as a separate Active Directory site and has an ActiveDirectory domain controller.

The Active Directory site requires a local Global Catalog server to support a new application.

You need to configure the domain controller as a Global Catalog server.

Which tool should you use?

A. The Dcpromo.exe utilityB. The Server Manager consoleC. The Computer Management consoleD. The Active Directory Sites and Services consoleE. The Active Directory Domains and Trusts console

Correct Answer: DSection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc733162.aspx----------------------------------------------------------------------------------------------------------------------------------------------Adding the Global Catalog to a Site


A global catalog server makes it possible to search the entire Active Directory Domain Services (AD DS) forestwithout referrals to a domain controller in the domain that stores the target of the search. When you add theglobal catalog to a domain controller, a partial, read-only replica of every domain in the forest (other than thedomain that the new global catalog server stores) is replicated to the domain controller. Global catalog serversare required for searching and for processing domain logons in forests where universal groups are available.Global catalog servers and domains

Global catalog servers respond to forest-wide Lightweight Directory Access Protocol (LDAP) queries over port3268. The global catalog eliminates the need for a query to be sent to multiple domain controllers until thequery locates the domain that contains the requested object.

When a forest contains only one domain, all domain controllers have the full complement of objects that can besearched, and a global catalog server is not required to eliminate referrals to other domains. However, becausethe global catalog port is different from the default LDAP port (389), global catalog queries must locate a globalcatalog server. In a single-domain forest, by configuring all domain controllers as global catalog servers youensure that global catalog queries are load-balanced evenly among all domain controllers in the domain.Because no additional replication or processing of other domain data is required, the single-domain globalcatalog server requires no special hardware advantages over other domain controllers.

If a forest contains more than one domain, however, a global catalog server must store and replicate domaindata for all domains in the forest. In this case, determine the placement of global catalog servers in your forestaccording to site needs, as described in the following section.Global catalog servers and sites

To optimize network performance in a multiple-site environment, consider adding global catalog servers in sitesaccording to the needs in the sites for fast search responses and domain logons. In a single-site, multiple-

domain environment, a single global catalog server is usually sufficient to cover common Active Directoryqueries and logons. Use the information in the following table to determine whether your multiple-domain,multiple-site environment can benefit from additional global catalog servers.

QUESTION 17.

Your company has a main office and 10 branch offices. Each branch office has an Active Directory site thatcontains one domain controller. Only domain controllers in the main office are configured as Global Catalogservers.

You need to deactivate the Universal Group Membership Caching option on the domain controllers in thebranch offices.

At which level should you deactivate the Universal Group Membership Caching option?

A. SiteB. ServerC. DomainD. Connection object


Explanation/Reference:http://technet.microsoft.com/en-us/magazine/ff797984.aspx----------------------------------------------------------------------------------------------------------------------------------------------Enable/disable Universal Group Membership Caching o ption

You can enable or disable universal group membership caching by following these steps:1. In Active Directory Sites And Services, expand and then select the site you want to work with.2. In the details pane, right-click NTDS Site Settings, and then click Properties.3. To enable universal group membership caching, select the Enable Universal Group Membership Cachingcheck box on the Site Settings tab. Then, in the Refresh Cache From list, choose a site from which to cacheuniversal group memberships. The selected site must have a working global catalog server.4. To disable universal group membership caching, clear the Enable Universal Group Membership Cachingcheck box on the Site Settings tab.5. Click OK.

QUESTION 18.

Your company has an Active Directory forest. Not all domain controllers in the forest are configured as GlobalCatalog Servers. Your domain structure contains one root domain and one child domain.

You modify the folder permissions on a file server that is in the child domain. You discover that some AccessControl entries start with S-1-5-21... and that no account name is listed.

You need to list the account names.

What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global

Catalog.

Correct Answer: DSection: Configuring AD FSMO RolesExplanation

Explanation/Reference:http://support.microsoft.com/kb/22334----------------------------------------------------------------------------------------------------------------------------------------------Infrastructure master role and the Global Catalog

As a general rule, the infrastructure master should be located on a nonglobal catalog server that has a directconnection object to some global catalog in the forest, preferably in the same Active Directory site. Because theglobal catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on aglobal catalog server, will never update anything, because it does not contain any references to objects that itdoes not hold. Two exceptions to the "do not place the infrastructure master on a global catalog server" ruleare:

o Single domain forest:

In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructuremaster has no work to do. The infrastructure master may be placed on any domain controller in the domain,regardless of whether that domain controller hosts the global catalog or not.

o Multidomain forest where every domain controller in a domain holds the global catalog:

If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, thereare no phantoms or work for the infrastructure master to do. The infrastructure master may be put on anydomain controller in that domain.

QUESTION 19.

Your company has an Active Directory domain.

You log on to the domain controller. The Active Directory Schema snap-in is not available in the MicrosoftManagement Console (MMC).

You need to access the Active Directory Schema snap-in.

What should you do?

A. Register Schmmgmt.dll.B. Log off and log on again by using an account that is a member of the Schema Admins group.C. Use the Ntdsutil.exe command to connect to the schema master operations master and open the schema

for writing.D. Add the Active Directory Lightweight Directory Services (AD/LDS) role to the domain controller by using

Server Manager.

Correct Answer: ASection: Configuring AD FSMO RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732110.aspx----------------------------------------------------------------------------------------------------------------------------------------------Install the Active Directory Schema Snap-In

Open an elevated command prompt. Click Start, type command prompt, and then right-click Command Prompt

when it appears in the Start menu. Next, click Run as administrator. When the command prompt opens, typethe command below, and then press ENTER:

regsvr32 schmmgmt.dll

Now you can open from Admin tools like the ADUC

QUESTION 20

Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operationsmaster roles.DC1 fails.

You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations masterroles to their original state. You perform a metadata cleanup and remove all references of DC1.

Which three actions should you perform next?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.)

Build List and Reorder:

Correct Answer:

Section: Configuring AD FSMO RolesExplanation


Exam C

QUESTION 1.

You are decommissioning one of the domain controllers in a child domain. You need to transfer all domainoperations master roles within the child domain to a newly installed domain controller in the same child domain.

Which three domain operations master roles should you transfer?

(Each correct answer presents part of the solution. Choose three.)

A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: ABDSection: Configuring AD FSMO RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc779716%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Operations Master Roles

The five operations master roles are assigned automatically when the first domain controller in a given domainis created. Two forest-level roles are assigned to the first domain controller created in a forest and threedomain-level roles are assigned to the first domain controller created in a domain.Forestwide Operations Master Roles

The schema master and domain naming master are forestwide roles, meaning that there is only oneschema master and one domain naming master in the entire forest.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Domainwide Operations Master Roles

The other operations master roles are domainwide roles, meaning that each domain in a forest has its own RIDmaster, PDC emulator, and infrastructure master.RID Master

The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in thedomain. Whenever a domain controller creates a new security principal, such as a user, group, or computerobject, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is thesame for all security principals created in the domain, and a RID, which uniquely identifies each securityprincipal created in the domain.PDC Emulator

The PDC emulator operations master acts as a Windows NT PDC in domains that contain client computersoperating without AD DS client software or Windows NT backup domain controllers (BDC). In addition, the PDCemulator processes password changes from clients and replicates the updates to the Windows NT BDCs. Evenafter all Windows NT domain controllers are upgraded to AD DS, the PDC emulator receives preferentialreplication of password changes performed by other domain controllers in the domain.

If a logon authentication fails at another domain controller due to a bad password, that domain controllerforwards the authentication request to the PDC emulator before rejecting the logon attempt.

Infrastructure Master

The infrastructure operations master is responsible for updating object references in its domain that point tothe object in another domain. The infrastructure master updates object references locally and uses replicationto bring all other replicas of the domain up to date. The object reference contains the object’s globally uniqueidentifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the objectreference are periodically updated to reflect changes made to the actual object. These changes include moveswithin and between domains as well as the deletion of the object. If the infrastructure master is unavailable,updates to object references are delayed until it comes back online.

QUESTION 2.

Your company has an Active Directory domain. The company has two domain controllers named DC1 andDC2. DC1 holds the schema master role.DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer theschema master role.

You need to ensure that DC2 holds the schema master role.

What should you do?

A. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.B. Configure DC2 as a bridgehead server.C. On DC2, seize the schema master role.D. Log off and log on again to Active Directory by using an account that is a member of the Schema Admins

group. Start the Active Directory Schema snap-in.

Correct Answer: CSection: Configuring AD FSMO RolesExplanation

Explanation/Reference:http://support.microsoft.com/kb/255504----------------------------------------------------------------------------------------------------------------------------------------------Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

We recommend that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operationfrom completing successfully and that role cannot be transferred. A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremovalcommand. The operating system on the computer that originally owned a specific role no longer exists or has beenreinstalled.

QUESTION 3.

You are decommissioning domain controllers that hold all forest-wide operations master roles. You need totransfer all forest-wide operations master roles to another domain controller.

Which two roles should you transfer?


A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: CESection: Configuring AD FSMO RolesExplanation

Explanation/Reference:http://support.microsoft.com/kb/255504----------------------------------------------------------------------------------------------------------------------------------------------Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

We recommend that you transfer FSMO roles in the following scenarios:

The current role holder is operational and can be accessed on the network by the new FSMO owner. You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to aspecific domain controller in your Active Directory forest. The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance andyou need specific FSMO roles to be assigned to a “live” domain controller. This may be required to performoperations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but lesstrue for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operationfrom completing successfully and that role cannot be transferred. A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremovalcommand. The operating system on the computer that originally owned a specific role no longer exists or has beenreinstalled.

QUESTION 4.

Your company has a server that runs an instance of Active Directory Lightweight Directory Services (AD LDS).

You need to create new organizational units in the AD LDS application directory partition.

What should you do?

A. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDSapplication directory partition.

B. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.D. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

Correct Answer: BSection: Configuring AD LDSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc794959%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Manage an AD LDS Instance Using ADSI Edit

Explanation:You can use both the Adsiedit.msc tool to create a new OU in the AD LDS application directory partition. ADLDS isusually used to store information about users, organizations, and the groups that they belong to. LightweightDirectory Access Protocol (LDAP)-based directories, such as Active Directory Domain Services (AD DS) andAD LDS, most commonly use OUs to keep usersand groups organized. To create a new OU in AD LDS, you can use Adsiedit.msc tool. Active DirectoryServices Interfaces Editor (ADSI Edit) is a low-level editor for AD DS and AD LDS. ADSI Edit can be used toview, modify, create, anddelete any object in AD DS and AD LDS.

QUESTION 5.

Your company has a server that runs Windows Server 2008 R2. The server runs an instance of ActiveDirectory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network.

What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.B. Create a naming context by running the Dsmgmt command on the test computer.C. Create a new directory partition by running the Dsmgmt command on the test computer.D. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Correct Answer: DSection: Configuring AD LDSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc771458%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Managing Replica AD LDS Instances

To create a replica AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard

Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services SetupWizard.

On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.

On the Setup Options page, click A replica of an existing instance, and then click Next.

On the Instance Name page, accept the default name instance2 (or instance1, if you are installing AD LDSon a second computer), and then click Next. noteNote AD LDS instance names have to be unique only on a given computer.

On the Ports page, accept the default values of 50000 and 50001 (if you are installing onto the firstcomputer) or 389 and 636 (if you are installing onto a second computer), and then click Next.

On the Joining a Configuration Set page, in Server, type the host name or DNS name of the computer wherethe first AD LDS instance is installed. Then, type the LDAP port number in use by the first AD LDS instance(which is 389 by default), and then click Next. noteNote You must use a valid host name or DNS name, rather than an IP address or localhost when you specify aserver on the Joining a Configuration Set page of the Active Directory Lightweight Directory Services Setup

Wizard.

On the Administrative Credentials for the Configuration Set page, click the account that is used as the ADLDS administrator for your first AD LDS instance.

On the Copy Application Partition page, select the application directory partitions that you want to replicate tothe new AD LDS instance. (The schema and configuration partitions will be replicated automatically.)

Accept the default values on the remaining Active Directory Lightweight Directory Services Set Wizard pagesby clicking Next on each page, and then click Finish on the Completing the Active Directory Application ModeSetup Wizard page.

After the installation is complete, use the ADSI Edit snap-in to confirm that the selected directory partition hasbeen replicated to your second AD LDS instance.

QUESTION 6.

Your company has an Active Directory Rights Management Services (AD RMS) server. Users have WindowsVista computers. An Active Directory domain is configured at the Windows Server 2003 functional level.

You need to configure AD RMS so that users are able to protect their documents.

What should you do?

A. Install the AD RMS client 2.0 on each client computer.B. Add the RMS service account to the local administrators group on the AD RMS server.C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.

Correct Answer: CSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd772659%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------AD RMS Prerequisites

All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail addressconfigured in Active Directory.

QUESTION 7.

Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.

You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server2005.

When you attempt to open the AD RMS administration Web site, you receive the following error message:"SQL Server does not exist or access denied." You need to open the AD RMS administration Web site.



A. Restart IIS.B. Install Message Queuing.C. Start the MSSQLSVC service.D. Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD

RMS.

Correct Answer: ACSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc747605%28WS.10%29.aspx#BKMK_1----------------------------------------------------------------------------------------------------------------------------------------------RMS Administration Issues

"SQL Server does not exist or access denied" message received when attempting to open the RMSAdministration Web site

If you have installed RMS by using a new installation of SQL Server 2005 as your database server the SQLServer Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured toautomatically start when the server is started. If you have restarted your SQL Server since installing RMS andhave not configured this service to automatically restart RMS will not be able to function and only the RMSGlobal Administration page will be accessible.

After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster torestore RMS functionality.

QUESTION 8.

Your company has a main office and 40 branch offices. Each branch office is configured as a separate ActiveDirectory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one ofthe branch offices.

You need to identify the user accounts that were cached on the stolen RODC server.

Which utility should you use?

A. Dsmod.exeB. Ntdsutil.exeC. Active Directory Sites and ServicesD. Active Directory Users and Computers

Correct Answer: DSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835486%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Deleting the RODC computer account using Active Dir ectory Users and Computers

An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts thatwere authenticated to it is the Active Directory Users and Computers snap-in.

To delete the RODC computer account using Active Directory Users and Computers

Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start,click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users andComputers.

Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correctdomain. To connect to the appropriate domain or domain controller, in the details pane, right-click the ActiveDirectory Users and Computers object, and then click Change Domain or Change Domain Controller,respectively.

In the console tree, expand the domain object, and then select the Domain Controllers organizational unit(OU).

In the details pane, right-click the RODC computer account, and then click Delete.

When the Active Directory Domain Services dialog box appears, click Yes to confirm the deletion.

In the Deleting Domain Controller dialog box (shown below) select the appropriate options to indicatewhether you want to reset all user account passwords or all computer account passwords and to specify thelocation (file system path) where you want to export a list of accounts whose current passwords were cachedon the RODC. You can clear or select any of the check boxes at this point. By default, the Reset all passwordsfor user accounts that were cached on this Read-only Domain Controller and the Export the list of accounts thatwere cached on this Read-only Domain Controller to this file: check boxes are selected, as shown in thefollowing illustration. If you want to also reset the passwords for the computer accounts that were cached on theRODC, you must select the Reset all passwords for computer accounts that were cached on this Read-onlyDomain Controller check box. Although computer account passwords are reset every 30 days by default, youcan choose to reset those account passwords immediately, which may reduce the chance that the computeraccounts that were cached on the RODC can be used by an attacker in an attempt to compromise the domainbefore the accounts are reset automatically. When you are ready to proceed, click Delete. noteNote If you reset the computer account passwords, you will have to rejoin the computer to the domain. If youautomatically reset the computer account passwords, users will not be able to log on to the domain until theycan contact an account administrator to have their passwords reset to a mutually-agreed-on password.

Delete RODC computer account

The Delete Domain Controller then asks you to confirm your deletion request. Verify that the request isaccurate, and then click OK to continue with the deletion, as shown in the following illustration.

QUESTION 9.

Your company has an Active Directory forest that contains a single domain. The domain member server has anActive Directory Federation Services (AD FS) server role installed.

You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directorydomain.

What should you do?

A. Add and configure a new account store.B. Add and configure a new account partner.C. Add and configure a new resource partner.D. Add and configure a Claims-aware application.

Correct Answer: ASection: Configuring AD Federated ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772309%28WS.10%29.aspxhttp://technet.microsoft.com/en-us/library/cc734905%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Read above articles URL's for more info on ADFS Installation/Troubleshooting

QUESTION 10.

A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails.

You need to enable the user to join a single computer to the domain. You must ensure that the user is deniedany additional rights beyond those required to complete the task.

What should you do?

A. Prestage the computer account in the Active Directory domain.B. Add the user to the Domain Administrators group for one day.C. Add the user to the Server Operators group in the Active Directory domain.D. Grant the user the right to log on locally by using a Group Policy Object (GPO).

Correct Answer: ASection: Creating & Maintaining AD ObjectsExplanation

Explanation/Reference:Prestage client computers - http://technet.microsoft.com/en-us/library/cc759196%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Set permissions for users who use prestaged client computers - http://technet.microsoft.com/en-us/library/cc779006%28WS.10%29.aspx

QUESTION 11.

Your company's security policy requires complex passwords.

You have a comma delimited file named import.csv that contains user account information. You need to createuser accounts in the domain by using the import.csv file.

You also need to ensure that the new user accounts are set to use default passwords and are disabled.

What should you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run theDSMOD utility to set default passwords for the user accounts.

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde f import.csv command. Runthe DSMOD utility to set default passwords for the user accounts.

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADDutility to set default passwords for the imported user accounts.

D. Modify the userAccountControl attribute to disabled. Run the ldifde i f import.csv command. Run theDSADD utility to set passwords for the imported user accounts.

Correct Answer: ASection: Powershell & Command line cmdsExplanation

Explanation/Reference:csvde - adv configs - http://www.computerperformance.co.uk/Logon/Logon_CSVDE_import.htmdsmod - http://technet.microsoft.com/en-us/library/cc732954%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason: C is wrong because Windows scripts are files with the following file name extensions: .wsf, .vbs, .js.

DSMOD user to change pwds

i.e. dsmod user "cn=guyt, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg

QUESTION 12.

Your company hires 10 new employees. You want the new employees to connect to the main office through aVPN connection. You create new user accounts and grant the new employees the Allow Read and AllowExecute permissions to shared resources in the main office.

The new employees are unable to access shared resources in the main office. You need to ensure that usersare able to establish a VPN connection to the main office.

What should you do?

A. Grant the new employees the Allow Full control permission.B. Grant the new employees the Allow Access Dial-in permission.C. Add the new employees to the Remote Desktop Users security group.D. Add the new employees to the Windows Authorization Access security group.

Correct Answer: BSection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc786285%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Best practices for assigning permissions on Active Directory objects

QUESTION 13.

You need to relocate the existing user and computer objects in your company to different organizational units.

What are two possible ways to achieve this goal?


A. Run the Dsmove utility.B. Run the Active Directory Migration Tool (ADMT).C. Run the Active Directory Users and Computers utility.D. Run the move-item command in the Microsoft Windows PowerShell utility.

Correct Answer: ACSection: Creating & Maintaining AD ObjectsExplanation

Explanation/Reference:dsmove - http://technet.microsoft.com/en-us/library/cc731094%28WS.10%29.aspx

ADUC - AD DS GUI under admin tools/RSAT on clients - http://technet.microsoft.com/en-us/library/cc786675%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason: D is incorrect because move-item can move files and folders only - http://technet.microsoft.com/en-us/library/dd315310.aspx

QUESTION 14.

You want users to log on to Active Directory by using a new User Principal Name (UPN). You need to modifythe UPN suffix for all user accounts.


A. DsmodB. NetdomC. RedirusrD. Active Directory Domains and Trusts


Explanation/Reference:dsmod - http://technet.microsoft.com/en-us/library/cc732954%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason : You configure upn on Active directory domains and trusts. But you still have to modify the users withdsmod or "active directory users and computers".

http://technet.microsoft.com/en-us/library/bb742437.aspx#EEAA

The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active Directory.The style of the UPN is based on Internet standard RFC 822, which is sometimes referred to as a mailaddress.The default UPN suffix is the forest DNS name, which is the DNS name of the first domain in the first tree of theforest. In this and the other step-by-step guides on this site, the default UPN suffix is your FQDN for the firstdomain in the forest.

You can add alternate User Principal Name suffixes, which increase logon security. And you can simplify userlogon names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows2000 domain and is not required to be a valid DNS domain name.

Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then click Properties.

Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.

Click OK to close the window.

QUESTION 15.

You are installing an application on a computer that runs Windows Server 2008 R2. During installation, theapplication will need to add new attributes and classes to the Active Directory database.

You need to ensure that you can install the application.

What should you do?

A. Change the functional level of the forest to Windows Server 2008 R2.B. Log on by using an account that has Server Operator rights.C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the

application.D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install

the application.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756898%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Schema Admin permissions

Schema Admins (only appears in the forest root domain) Members of this group can modify the Active Directory schema. By default, the Administrator account is amember of this group. Because this group has significant power in the forest, add users with caution. No default user rights.

QUESTION 16.

Your company has an organizational unit named Production. The Production organizational unit has a childorganizational unit named R&D. You create a GPO named Software Deployment and link it to the Productionorganizational unit.

You create a shadow group for the R&D organizational unit. You need to deploy an application to users in theProduction organizational unit. You also need to ensure that the application is not deployed to users in the R&Dorganizational unit.

What are two possible ways to achieve this goal?


A. Configure the Enforce setting on the software deployment GPO.B. Configure the Block Inheritance setting on the R&D organizational unit.C. Configure the Block Inheritance setting on the Production organizational unit.D. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D

security group.

Correct Answer: BDSection: Configuring Group PolicyExplanation

Explanation/Reference:Block inheritance GPO - http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Security filter GPO - http://technet.microsoft.com/en-us/library/cc779291%28WS.10%29.aspx

QUESTION 17.

Your company has an Active Directory domain that has an organizational unit named Sales. The Sales

organizational unit contains two global security groups named sales managers and sales executives.

You need to apply desktop restrictions to the sales executives group.

You must not apply these desktop restrictions to the sales managers group. You create a GPO namedDesktopLockdown and link it to the Sales organizational unit.


A. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.C. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.D. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

Correct Answer: ASection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Managing inheritance of Group Policy

QUESTION 18.

Your company has an Active Directory forest. The company has branch offices in three locations.Each location has an organizational unit.

You need to ensure that the branch office administrators are able to create and apply GPOs only to theirrespective organizational units.



A. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.B. Modify the Managed By tab in each organizational unit to add the branch office administrators to their

respective organizational units.C. Run the Delegation of Control Wizard and delegate the right to link GPOs for the domain to the branch

office administrators.D. Run the Delegation of Control Wizard and delegate the right to link GPOs for their branch organizational

units to the branch office administrators.

Correct Answer: ADSection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc782678%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Creating and Working with GPOs

QUESTION 19.

Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators

of the subsidiary company must use the French-language version of the administrative templates.

You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR.

You need to ensure that the French-language version of the templates is available.

What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copythe ADM files to the FR folder.

B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folderon the subsidiary PDC emulator.

C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FRfolder on the subsidiary PDC emulator.

D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folderon the subsidiary PDC emulator.

Correct Answer: BSection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772507%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------.admx and .adml File Structure

n order to support the multilingual display of policy settings, the ADMX file structure must be broken into twotypes of files:

A language-neutral file, .admx, describing the structure of the categories and Administrative template policysettings displayed in the Group Policy Object Editor. A set of language-dependent files, .adml, providing the localized portions displayed in the Group PolicyObject Editor. Each .adml file represents a single language you wish to support.

SEE above URL for more info

QUESTION 20.

A server named DC1 has the Active Directory Domain Services (AD?DS) role and the Active DirectoryLightweight Directory Services (AD?LDS) role installed. An AD?LDS instance named LDS1 stores its data onthe C: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform insequence? (To answer, move the three appropriate actions from the list of actions to the answer area andarrange them in the correct order.)


Correct Answer:

Section: Configuring AD LDSExplanation


Exam D

QUESTION 1.

Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 andclient computers that run Windows 7. The domain uses a set of GPO administrative templates that have beenapproved to support regulatory compliance requirements.

Your partner company has an Active Directory forest that contains a single domain. The company has serversthat run Windows Server 2008 R2 and client computers that run Windows 7.

You need to configure your partner company's domain to use the approved set of administrative templates.

What should you do?

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, importthe GPO to the default domain policy.

B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Website. Copy the ADM files to the PolicyDefinitions folder on the partner company's PDC emulator.


Explanation/Reference:http://www.70-640.net/70-640true-qa-part-2/----------------------------------------------------------------------------------------------------------------------------------------------Reason : The requirement is administrative templates. “A” is wrong, GPO is not a template file. ADMX is.

QUESTION 2.

Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers andDNS servers. All client computers run Windows XP SP3.

You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored inthe ADMX central store.

What should you do?

A. Add your account to the Domain Admins group.B. Upgrade your client computers to Windows 7.C. Install .NET Framework 3.0 on your client computers.D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the

PolicyDefinitions folder.


Explanation/Reference:technet.microsoft.com/en-us/library/cc709647(WS.10).aspx

----------------------------------------------------------------------------------------------------------------------------------------------New Windows Vista–based or Windows Server 2008–based policy settings can be managed only fromWindows Vista–based (Windows 7) or Windows Server 2008–based administrative machines running GroupPolicy Object Editor or Group Policy Management Console. Such policy settings are defined only in ADMX filesand, as such, are not exposed on the Windows Server 2003, Windows® XP, or Windows 2000 versions ofthese tools. An Administrator will need to use the Group Policy Object Editor from a Windows Vista–based orWindows Server 2008–based administrative machine to configure a new Windows Vista–based Group Policysettings.

QUESTION 3.

Your company purchases a new application to deploy on 200 computers. The application requires that youmodify the registry on each target computer before you install the application.

The registry modifications are in a file that has an .adm extension.

You need to prepare the target computers for the application.

What should you do?

A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unitthat contains the target computers.

B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each targetcomputer.

C. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsrCONTAINER-DN command on each target computer.

D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmpCONTAINER-DN command on each target computer.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc778207%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason: An ADM template is a file that is designed to be used within Group Policy to define a Registry settingand it's value

QUESTION 4.

Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.The TempWorkers group is not nested in any other groups.

You move the computer objects of three file servers to a new organizational unit named SecureServers. Thesefile servers contain only confidential data in shared folders. You need to prevent members of the TempWorkers group from accessing the confidential data on the fileservers. You must achieve this goal without affecting access to other domain resources.

What should you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to thiscomputer from the network user right to the TempWorkers global group.

B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the networkuser right to the TempWorkers global group.

C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers

global group.D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user

right to the TempWorkers global group.


Explanation/Reference:http://technet.microsoft.com/en-us/library/bb742376.aspx----------------------------------------------------------------------------------------------------------------------------------------------Read URL for step by steps instructions to setup GP O's

QUESTION 5.

All consultants belong to a global group named TempWorkers.

You place three file servers in a new organizational unit named SecureServers. The three file servers containconfidential data located in shared folders.

You need to record any failed attempts made by the consultants to access the confidential data.



A. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege useFailure audit policy setting.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object accessFailure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to thiscomputer from the network user rights setting for the TempWorkers global group.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab.Configure the Failed Full control setting in the Auditing Entry dialog box.

E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.Configure the Failed Full control setting in the Auditing Entry dialog box.

Correct Answer: BESection: Configuring Group PolicyExplanation

Explanation/Reference:http://www.scribd.com/doc/52145777/24/QUESTION-24----------------------------------------------------------------------------------------------------------------------------------------------GPO

QUESTION 6.

Your company has an Active Directory domain and an organizational unit. The organizational unit is namedWeb. You configure and test new security settings for Internet Information Service (IIS) servers on a servernamed IISServerA.

You need to deploy the new security settings only on the IIS servers that are members of the Weborganizational unit.

What should you do?

A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, and then run secedit /configure /db webou.inf from the command prompt.

B. Export the settings on IISServerA to create a security template. Import the security template into a GPO andlink the GPO to the Web organizational unit.

C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf fromthe command prompt.

D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.


Explanation/Reference:http://www.windowsecurity.com/articles/understanding-windows-security-templates.html----------------------------------------------------------------------------------------------------------------------------------------------Windows Web Security

QUESTION 7.

Your company has an Active Directory forest that contains client computers that run Windows Vista andWindows XP.

You need to ensure that users are able to install approved application updates on their computers.



A. Set up Automatic Updates through Control Panel on the client computers.B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically

search for updates on the Microsoft Update site.C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows

Server Update Services (WSUS) server for approved updates.D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on

the Internet. Approve all required updates.

Correct Answer: CDSection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc512630.aspx----------------------------------------------------------------------------------------------------------------------------------------------GPO

QUESTION 8.

Your company has an Active Directory forest. Each branch office has an organizational unit and a childorganizational unit named Sales.

The Sales organizational unit contains all users and computers of the sales department.

You need to install a Microsoft Office 2007 application only on the computers in the Sales organizational unit.

You create a GPO named SalesApp GPO.


A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to thedomain.

B. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

D. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

Correct Answer: DSection: Configuring Group PolicyExplanation


QUESTION 9.

Your company has an Active Directory forest. The forest includes organizational units corresponding to thefollowing four locations:

- London- Chicago- New York- Madrid

Each location has a child organizational unit named Sales. The Sales organizational unit contains all the usersand computers from the sales department.

The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid isconnected by a 256-Kbps ISDN connection.

You need to install an application on all the computers in the sales department.



A. Disable the slow link detection setting in the Group Policy Object (GPO).B. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).C. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the GPO

to each Sales organizational unit.D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link

the GPO to each Sales organizational unit.


Explanation/Reference:http://support.microsoft.com/kb/227260

----------------------------------------------------------------------------------------------------------------------------------------------read above article for GPO

QUESTION 10.

Your company has an Active Directory forest. The company has three locations. Each location has anorganizational unit and a child organizational unit named Sales.

The Sales organizational unit contains all users and computers of the sales department. The company plans todeploy a Microsoft Office 2007 application on all computers within the three Sales organizational units.

You need to ensure that the Office 2007 application is installed only on the computers in the Salesorganizational units.

What should you do?

A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the domain.

B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.



QUESTION 11.

The default domain GPO in your company is configured by using the following account policy settings:

- Minimum password length: 8 characters- Maximum password age: 30 days- Enforce password history: 12 passwords remembered- Account lockout threshold: 3 invalid logon attempts .Account lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQLServer application uses a service account named SQLSrv. The SQLSrv account has domain user rights.The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is notlocked out.

You need to resolve the server failure and prevent recurrence of the failure.



A. Reset the password of the SQLSrv user account.B. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user

account.C. Configure the properties of the SQLSrv account to Password never expires.D. Configure the properties of the SQLSrv account to User cannot change password.E. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon

locally user right.

Correct Answer: ACSection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/bb742376.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason : B is not correct because the account was able to logged on and performed the tasks before thepassword was expired.

QUESTION 12.

You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked outfor 5 minutes.

Which three actions should you perform?


A. Set the Minimum password age setting to one day.B. Set the Maximum password age setting to one day.C. Set the Account lockout duration setting to 5 minutes.D. Set the Reset account lockout counter after setting to 5 minutes.E. Set the Account lockout threshold setting to 3 invalid logon attempts.F. Set the Enforce password history setting to 3 passwords remembered.

Correct Answer: CDESection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc736605%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Read article about the W2K8 R2 pwd policy

QUESTION 13.


A user attempts to log on to the domain from a client computer and receives the following message: "This useraccount has expired. Ask your administrator to reactivate the account."

You need to ensure that the user is able to log on to the domain.

What should you do?

A. Modify the properties of the user account to set the account to never expire.B. Modify the properties of the user account to extend the Logon Hours setting.

C. Modify the properties of the user account to set the password to never expire.D. Modify the default domain policy to decrease the account lockout duration.

Correct Answer: ASection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc755130.aspx----------------------------------------------------------------------------------------------------------------------------------------------Password never expires

Prevents a user password from expiring. We recommend that service accounts have this option enabled anduse strong passwords.

QUESTION 14.

Your network consists of a single Active Directory domain. User accounts for engineering department arelocated in an OU named Engineering.

You need to create a password policy for the engineering department that is different from your domainpassword policy.

What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the

Engineering OU.C. Create a global security group and add all the user accounts for the engineering department to the group.

Create a new Password Policy Object (PSO) and apply it to the group.D. Create a domain local security group and add all the user accounts for the engineering department to the

group. From the Active Directory Users and Computer console, select the group and run the Delegation ofControl Wizard.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Creating a PSO using ADSI Edit

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an ActiveDirectory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects andattributes.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Reviewdetails about using the appropriate accounts and group memberships at Local and Domain Default Groups(http://go.microsoft.com/fwlink/?LinkId=83477).To create a PSO using ADSI Edit

Click Start, click Run, type adsiedit.msc, and then click OK. noteNote If you are running ADSI Edit for the first time on a domain controller, proceed to step 2. Otherwise, proceedto step 4.

In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.

In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO,and then click OK.

Double-click the domain.

Double-click DC=<domain_name>.

Double-click CN=System.

Click CN=Password Settings Container.

All the PSO objects that have been created in the selected domain appear.

Right-click CN=Password Settings Container, click New, and then click Object.

In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.

In Value, type the name of the new PSO, and then click Next.

Continue with the wizard, and enter appropriate values for all mustHave attributes.

QUESTION 15.

Your company has file servers located in an organizational unit named Payroll. The file servers contain payrollfiles located in a folder named Payroll.

You create a GPO. You need to track which employees access the Payroll files on the file servers.

What should you do?

A. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers,configure Auditing for the Everyone group in the Payroll folder.

B. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configureAuditing for the Authenticated Users group in the Payroll folder.

C. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. Onthe file servers, configure Auditing for the Authenticated Users group in the Payroll folder.

D. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the fileservers, configure Auditing for the Everyone group in the Payroll folder.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd560628%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Global Object Access Auditing.

In Windows Server 2008 R2 and Windows 7, administrators can define computer-wide system access controllists (SACLs) for either the file system or registry. The specified SACL is then automatically applied to everysingle object of that type. This can be useful both for verifying that all critical files, folders, and registry settingson a computer are protected, and for identifying when an issue with a system resource occurs.

QUESTION 16.

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

The Audit account management policy setting and Audit directory services access setting are enabled for theentire domain.

You need to ensure that changes made to Active Directory objects can be logged. The logged changes mustinclude the old and new values of any attributes.

What should you do?

A. Enable the Audit account management policy in the Default Domain Controller Policy.B. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.C. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.D. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable

directory service changes.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd560628%28WS.10%29.asp----------------------------------------------------------------------------------------------------------------------------------------------Reason : after applying the policy, you need to configure the properties>security>audit of the OU.

QUESTION 17.


Auditing is configured to log changes made to the Managed By attribute on group objects in an organizationalunit named OU1.

You need to log changes made to the Description attribute on all group objects in OU1 only.

What should you do?

A. Run auditpol.exe.B. Modify the auditing entry for OU1.C. Modify the auditing entry for the domain.D. Create a new Group Policy object (GPO). Enable the Audit account management policy setting.

Link the GPO to OU1.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd560628%28WS.10%29.asp----------------------------------------------------------------------------------------------------------------------------------------------Reason : after applying the policy, you need to configure the properties>security>audit of the OU. The questionhere indicates that "Auditing is configured" , this mean the policy setting is already configured. Therefore you donot need to modify the GPO anymore.

QUESTION 18.

You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is

installed on the domain controller.

You need to perform a non-authoritative restore of the domain controller by using an existing backup file.

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to performa critical volume restore.

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-into perform a critical volume restore.

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a criticalvolume restore.

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volumerestore.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc776568%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Restart the domain controller in Directory Services Restore Mode locally


If you have physical access to a domain controller, you can restart the domain controller in Directory ServicesRestore Mode locally. Restarting in Directory Services Restore Mode takes the domain controller offline. In thismode, the server is not functioning as a domain controller.

When you start Windows Server 2003 in Directory Services Restore Mode, the local Administrator account isauthenticated by the local Security Accounts Manager (SAM) database. Therefore, logging on requires that youuse the local administrator password, not an Active Directory domain password. This password is set duringActive Directory installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory Services Restore Mode.To restart the domain controller in Directory Services Restore Mode locally

Restart the domain controller.

When the screen for selecting an operating system appears, press F8.

On the Windows Advanced Options menu, select Directory Services Restore Mode.

When you are prompted, log on as the local administrator.

QUESTION 19.

Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains anOU for Computers, an OU for Groups, and an OU for Users.

You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OU

without affecting users and computers in the Sales OU.

What should you do?

A. Perform an authoritative restore of the Sales OU.B. Perform an authoritative restore of the Groups OU.C. Perform a non-authoritative restore of the Groups OU.D. Perform a non-authoritative restore of the Sales OU.

Correct Answer: BSection: Configuring AD Federated ServicesExplanation

Explanation/Reference:http://support.microsoft.com/kb/241594----------------------------------------------------------------------------------------------------------------------------------------------During a typical file restore operation, Microsoft Windows Backup operates in nonauthoritative restore mode. Inthis mode, Windows Backup restores all files, including Active Directory objects, with their original UpdateSequence Number (USN) or numbers. The Active Directory replication system uses the USN to detect andreplicate changes to Active Directory to all the domain controllers on the network. All data that is restorednonauthoritatively appears to the Active Directory replication system as old data. Old data is never replicated toany other domain controllers. The Active Directory replication system updates the restored data with newer datafrom other domain controllers. Performing an authoritative restore resolves this issue.

Note Use an authoritative restore with extreme caution because of the effect it may have on Active Directory.An authoritative restore must be performed immediately after the computer has been restored from a previousbackup, before restarting the domain controller in normal mode. An authoritative restore replicates all objectsthat are marked authoritative to every domain controller hosting the naming contexts that the objects are in. Toperform an authoritative restore on the computer, you must use the Ntdsutil.exe tool to make the necessaryUSN changes to the Active Directory database.

There are certain parts of Active Directory that cannot or should not be restored in an authoritative manner:

You cannot authoritatively restore the schema. The configuration naming context is also very sensitive, because changes will affect the whole forest. Forexample, it does not make sense to restore connection objects. Connection objects should be recreated by theKnowledge Consistency Checker (KCC) or manually. Restoring server and NTDS settings objects makessense when no destructive troubleshooting was done before. If you are unsure, contact Microsoft ProductSupport Services for help: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS In the domain context, do not restore any objects that deal with relative identifier (RID) pools. This includesthe subobject "Rid Set" of domain controller computer accounts and the RidManager$ object in the SYSTEMcontainer. Another issue is that many distinguished name-type links may break when you restore. This may affectobjects that are used by the File Replication Service (FRS). These exist underneath CN=File ReplicationService,CN=System,DC=yourdomain and CN=NTFRS Subscriptions,CN=DC computer account. Attempts to authoritatively restore a complete naming context will always include objects that can disrupt theproper functionality of crucial parts of Active Directory. You should always try to authoritatively restore a minimalset of objects. Finally, similar issues might exist for objects created by other applications. These go beyond the scope ofthis article.

A system state restore replaces all new, deleted, or modified objects on the domain controller that is beingrestored.

A system state restore of a naming context that contains two or more replicas is an authoritative merge. In anauthoritative merge, all objects that are deleted or modified are rolled back to when the backup was made.Objects that were created after the backup are replicated from naming context replicas. An authoritative mergerepresents a merge of the state that existed when the backup was made with new objects that were created

after the backup.

When you nonauthoritatively restore a naming context that contains a single replica, you actually perform anauthoritative restore.

QUESTION 20.

Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. Theserver is a backup server. The server has a single 500-GB hard disk that has three partitions for the operatingsystem, applications, and data. You perform daily backups of the server.

The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart thecomputer on the installation media. You select the Repair your computer option.

You need to restore the operating system and all files.

What should you do?

A. Select the System Image Recovery option.B. Run the Imagex utility at the command prompt.C. Run the Wbadmin utility at the command prompt.D. Run the Rollback utility at the command prompt.

Correct Answer: CSection: Configuring AD Federated ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/magazine/dd767786.aspx----------------------------------------------------------------------------------------------------------------------------------------------To run Wbadmin by following these steps:1. Click Start, click All Programs, and then click Accessories to open the Accessories menu.2. Start an elevated command prompt by right-clicking Command Prompt and then selecting Run AsAdministrator.3. In the Command Prompt window, enter the necessary command text or run a script that invokes Wbadmin.

wbadmin get versions [-backupTarget:{VolumeName | NetworkSharePath}][-machine:BackupMachineName]

The brackets tell you that –backupTarget and –machine are optional. Thus, you could type the following to getinformation on recoverable backups on the local computer:

wbadmin get versions

You could type the following to get information on recoverable backups for C:

wbadmin get versions -backuptarget:f:

Or you could type the following to get information on recoverable backups for C on Server96:

wbadmin get versions -backuptarget:f: -machine:server96

Many Wbadmin commands use the –backupTarget and –machine parameters. The backup target is thestorage location you want to work with, and can be expressed as a local volume name (such as F:) or as anetwork share path, such as \\FileServer32\backups\Server85. The –machine parameter identifies thecomputer you want to work with for backup or recovery operations

Exam E

QUESTION 1.

You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

What tool should you use?

A. dsmodB. ntdsutilC. Local Users and Groups snap-inD. Active Directory Users and Computers snap-in

Correct Answer: BSection: Powershell & Command line cmdsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753343%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services(AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands toperform database maintenance of AD DS, manage and control single master operations, and remove metadataleft behind by domain controllers that were removed from the network without being properly uninstalled. Thistool is intended for use by experienced administrators.

Ntdsutil.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the ADDS or the AD LDS server role installed. It is also available if you install the Active Directory Domain ServicesTools that are part of the Remote Server Administration Tools (RSAT). For more information, see How toAdminister Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

To use Ntdsutil.exe, you must run the ntdsutil command from an elevated command prompt. To open anelevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

If you have the AD LDS server role installed but not the AD DS server role, you can use the dsdbutil.exe anddsmgmt.exe command-line tools to perform the same tasks that you can perform with ntdsutil.exe. For moreinformation about the dsdbutil command, see Dsdbutil. For more information about the dsmgmt command, seeDsmgmt.

For most of the Ntdsutil commands, you only need to type the first few characters of the command nameinstead than the entire command. For example, you can type either of the following commands to activate aninstance for AD DS:

activate instance ntdsac i ntds

The short form for each command is listed in the following table.Syntax

Ntdsutil [activate instance %s | authoritative restore | change service account %s1 %s2 | configurable settings |DS behavior | files | group membership evaluation | Help | ifm | ldap policies | ldap port %d | list instance | localroles | metadata cleanup | partition management | popups on | popups off | quit | roles | security accountmanagement | semantic database analysis | set DSRM password | snapshot | SSL port %d]

QUESTION 2.

A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for thedomain has been completed and unnecessary objects have been deleted.

You need to perform an offline defragmentation of the Active Directory database on DC12. You also need toensure that the critical services remain online.

What should you do?

A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Defrag utility.D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Ntdsutil utility.

Correct Answer: DSection: Powershell & Command line cmdsExplanation








Ntdsutil [activate instance %s | authoritative restore | change service account %s1 %s2 | configurable settings |DS behavior | files | group membership evaluation | Help | ifm | ldap policies | ldap port %d | list instance | localroles | metadata cleanup | partition management | popups on | popups off | quit | roles | security account

management | semantic database analysis | set DSRM password | snapshot | SSL port %d]

QUESTION 3.

You need to identify all failed logon attempts on the domain controllers.

What should you do?

A. Run Event Viewer.B. View the Netlogon.log file.C. Run the Security Configuration Wizard.D. View the Security tab on the domain controller computer object.


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee126097%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc787567%28WS.10%29.aspxhttp://www.itechtalk.com/thread1559.html----------------------------------------------------------------------------------------------------------------------------------------------Event Viewer

Microsoft defines an event in Windows Server 2008 as any important occurrence in the operating system or anapplication that needs users (particularly administrators) to be notified.

Events are recorded in event logs. Events and the event log are significant administrative tools because theyare essential for recognizing and troubleshooting problems, tracking security access (logon, logoff, resourceauditing, and so on), and tracking the status of the system and its applications.

Note: Some features are not available if you use the Event Viewer console within the Computer Managementconsole.

The general categories of Events are as follows:

1) System: These contain system-related events such as service start-up and shutdown, driver initialization,system-wide warning messages, network events, and other events that apply to the system in general.

2) Security: These contain events related to security, such as logon/logoff and resource access (auditing).

3) Application: These events are related with specific applications. For instance, a virus scrubber may logevents related to a virus scan, cleaning operation, and so on, to the application log.

4) Setup: These events are related with setup processes such as adding roles and features.

5) Forwarded Events: The Forwarded Events log includes log entries from another computer system. Here youcan create a subscription to an event log on another system, and then filter the event log that you havesubscribed to so that only the desired events are retrieved. The retrieved events are placed into the ForwardedEvents log.

QUESTION 4.

You create 200 new user accounts. The users are located in six different sites. New users report that theyreceive the following error message when they try to log on: "The username or password is incorrect."

You confirm that the user accounts exist and are enabled. You also confirm that the user name and passwordinformation supplied are correct.

You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.

Which utility should you run?

A. RsdiagB. RstoolsC. RepadminD. Active Directory Domains and Trusts

Correct Answer: CSection: Powershell & Command line cmdsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc770963%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllersrunning Microsoft Windows operating systems.

Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have theAD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain ServicesTools that are part of the Remote Server Administration Tools (RSAT). For more information, see How toAdminister Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

To use Repadmin.exe, you must run the ntdsutil command from an elevated command prompt. To open anelevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domaincontroller. In addition, you can use Repadmin.exe to manually create the replication topology, to forcereplication events between domain controllers, and to view both the replication metadata and up-to-datenessvectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active DirectoryDomain Services (AD DS) forest.

QUESTION 5.

You need to validate whether Active Directory successfully replicated between two domain controllers.

What should you do?

A. Run the DSget command.B. Run the Dsquery command.C. Run the RepAdmin command.D. Run the Windows System Resource Manager.



----------------------------------------------------------------------------------------------------------------------------------------------Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllersrunning Microsoft Windows operating systems.

Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have theAD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain ServicesTools that are part of the Remote Server Administration Tools (RSAT). For more information, see How toAdminister Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

To use Repadmin.exe, you must run the ntdsutil command from an elevated command prompt. To open anelevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domaincontroller. In addition, you can use Repadmin.exe to manually create the replication topology, to forcereplication events between domain controllers, and to view both the replication metadata and up-to-datenessvectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active DirectoryDomain Services (AD DS) forest.

QUESTION 6Your network consists of a single Active Directory domain.? All domain controllers run Windows Server 2008R2.

You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amountof available CPU resources on a domain controller.

What should you do?

A. Review performance data in Resource Monitor.B. Review the Hardware Events log in the Event Viewer.C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.D. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd736504%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Installing performance objects and running the Acti ve Directory Diagnostics Data Collector Set

The NTDS and Database object counters are not installed by default. This section explains how to install theNTDS and Database object counters and how to run the Active Directory Diagnostics Data Collector Set tocapture NTDS and Database object data over time.To install NTDS and Database object counters

Click Start, click Administrative Tools, and then click Reliability and Performance Monitor.

Double-click Monitoring Tools, right-click Performance Monitor, and then click Properties.

Click the Data tab, and then click Add.

Double-click the name of the Performance object whose counters you want to install, click the name of eachcounter, and then click Add. For example, double-click NTDS, and then click each counter that is listed in thefollowing section. After you select the appropriate counters, click Add.

Click OK to close the Add Counters dialog box, and then click OK to close Performance Monitor Properties.

To start the Active Directory Diagnostics Data Collector Set

Click Start, click Administrative Tools, and then click Reliability and Performance Monitor.

Double-click Data Collector Sets, double-click System, right-click Active Directory Diagnostics, and then clickStart.

To stop the data collection, right-click Active Directory Diagnostics, and then click Stop.

QUESTION 7.


You need to capture all replication errors from all domain controllers to a central location.

What should you do?

A. Configure event log subscriptions.B. Start the System Performance data collector set.C. Start the Active Directory Diagnostics data collector set.D. Install Network Monitor and create a new capture.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc748890.aspx---------------------------------------------------------------------------------------------------To configure computers in a domain to forward and c ollect events

Log on to all collector and source computers. It is a best practice to use a domain account with administrativeprivileges.

On each source computer, type the following at an elevated command prompt:

winrm quickconfig

noteNote If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then youmust also run the above command on the collector computer.

On the collector computer, type the following at an elevated command prompt:

wecutil qc

Add the computer account of the collector computer to the local Administrators group on each of the sourcecomputers. noteNote By default, the Local Users and Groups MMC snap-in does not enable you to add computer accounts. In theSelect Users, Computers, or Groups dialog box, click the Object Types button and select the Computers checkbox. You will then be able to add computer accounts.

The computers are now configured to forward and collect events. Fol

QUESTION 8

.

You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certificationauthority (CA) server that meets the following requirements:

- Allows the certification authority to automatically issue certificates- Integrates with Active Directory Domain Services

What should you do?

A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA .B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA .C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory

Certificate Services server role as a Standalone Subordinate CA .D. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store

of the schema master.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Install and configure the Active Directory Certific ate Services

QUESTION 9.

Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on adedicated stand-alone server.

When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that theEnterprise CA option is not available.

You need to install the AD CS server role as an Enterprise CA.


A. Add the DNS Server server role.B. Join the server to the domain.C. Add the Web Server (IIS) server role and the AD?CS server role.D. Add the Active Directory Lightweight Directory Services (AD?LDS) server role.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspxhttp://technet.microsoft.com/en-us/library/cc875810.aspx----------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 10.

You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed.

You need to minimize the amount of time it takes for client computers to download a certificate revocation list(CRL).

What should you do?

A. Install and configure an Online Responder.B. Install and configure an additional domain controller.C. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client

workstations.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc725937.aspx----------------------------------------------------------------------------------------------------------------------------------------------To install the CA Online Responder service

Click Start, point to Administrative Tools, and then click Server Manager.

Click Manage Roles. Under Active Directory Certificate Services, click Add role services. If a different AD CSrole service has already been installed on this computer, select the Active Directory Certificate Services checkbox in the Role Summary pane, and then click Add role services.

On the Select Role Services page, select the Online Certificate Status Protocol check box.

A message appears explaining that IIS and Windows Activation Service (WAS) must also be installed tosupport OCSP.

Click Add required role services, and then click Next three times.

On the Confirm Installation Options page, click Install.

When the installation is complete, review the status page to verify that the installation was successful.

QUESTION 11.

You have a Windows Server 2008 R2 Enterprise Root CA . Security policy prevents port 443 and port 80 frombeing opened on domain controllers and on the issuing CA .You need to allow users to request certificates from a Web interface. You install the Active Directory CertificateServices (AD CS) server role.


A. Configure the Online Responder Role Service on a member server.B. Configure the Online Responder Role Service on a domain controller.C. Configure the Certificate Enrollment Web Service role service on a member server.D. Configure the Certificate Enrollment Web Service role service on a domain controller.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd759243.aspx----------------------------------------------------------------------------------------------------------------------------------------------Certificate Enrollment Web Service - Installation requirements

Before installing the certificate enrollment Web services, ensure that your environment meets theserequirements:

A host computer as a domain member running Windows Server 2008 R2.

An Active Directory forest with a Windows Server 2008 R2 schema. See Prepare a Windows 2000 orWindows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or WindowsServer 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).

An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, orWindows Server 2003.

If the Certificate Enrollment Web Service is configured for client certificate authentication, the CA must berunning Windows Server 2008 R2 or Windows Server 2008.

For enrollment across forests, the CA must be installed on a computer running Windows Server 2008 R2Enterprise or Windows Server 2008 R2 Datacenter. See Configuring Certificate Enrollment Web Services forEnrollment Across Forest Boundaries.

Client computers running Windows 7 or Windows Server 2008 R2.

A Server Authentication certificate installed for HTTPS.

During installation of certificate enrollment Web services, the following server roles and features will be installedif they are not already installed:

Web Server (IIS)

Microsoft .NET Framework version 3.5

QUESTION 12.

Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS)is configured as a standalone Certification Authority (CA) on the server. You need to audit changes to the CAconfiguration settings and the CA security settings.



A. Configure auditing in the Certification Authority snap-in.B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%

\CertSrv directory.C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate

Services (AD CS) server.

Correct Answer: ADSection: Configuring AD Certificate ServicesExplanation


http://technet.microsoft.com/en-us/library/cc772451.aspx----------------------------------------------------------------------------------------------------------------------------------------------Configure CA Event Auditing

Applies To: Windows Server 2008 R2

You can audit a variety of events relating to the management and activities of a certification authority (CA):

Back up and restore the CA database.

Change the CA configuration.

Change CA security settings.

Issue and manage certificate requests.

Revoke certificates and publish certificate revocation lists (CRLs).

Store and retrieve archived keys.

Start and stop Active Directory Certificate Services (AD CS).

You must be a CA administrator or a CA auditor to complete this procedure. The CA auditor must perform thisprocedure if the CA has been configured to enforce role-based administration. For more information, seeImplement Role-Based Administration.To configure CA event auditing

Open the Certification Authority snap-in.

In the console tree, click the name of the CA.

On the Action menu, click Properties.

On the Auditing tab, click the events that you want to audit, and then click OK.

On the Action menu, point to All Tasks, and then click Stop Service.

On the Action menu, point to All Tasks, and then click Start Service.

QUESTION 13.


You install an Enterprise Root certification authority (CA) on a member server named Server1. You need toensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.

What should you do?

A. Remove the Request Certificates permission from the Domain Users group.B. Remove the Request Certificates permission from the Authenticated Users group.C. Assign the Allow - Manage CA permission to only the Security Manager user account.D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason:A certificate manager can approve certificate enrollment and revocation requests, he can also issuecertificates and manage certificates

QUESTION 14.

You have a Windows Server 2008 R2 Enterprise Root certification authority (CA). You need to grant membersof the Account Operators group the ability to only manage Basic EFS certificates.

You grant the Account Operators group the Issue and Manage Certificates permission on the CA . Which threetasks should you perform next?


A. Enable the Restrict Enrollment Agents option on the CA .B. Enable the Restrict Certificate Managers option on the CA .C. Add the Basic EFS certificate template for the Account Operators group.D. Grant the Account Operators group the Manage CA permission on the CA .E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCESection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------CA config

QUESTION 15.

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an enterprise root certification authority (CA).

You install the Online Responder role service on Server2. You need to configure Server1 to support the OnlineResponder.

What should you do?

A. Import the enterprise root CA certificate.B. Configure the Certificate Revocation List Distribution Point extension.C. Configure the Authority Information Access (AIA) extension.D. Add the Server2 computer account to the CertPublishers group.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc776904%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Configure CDP and AIA Extensions


After a root or subordinate CA is installed, you must configure the Authority Information Access (AIA) andCRL distribution point (CDP) extensions before the CA issues any certificates. The AIA extension specifieswhere to find up-to-date certificates for the CA. The CDP extension specifies where to find up-to-date CRLsthat are signed by the CA. These extensions apply to all certificates that are issued by that CA.

Configuring these extensions ensures that this information is included in each certificate that the CA issues sothat it is available to all clients. This ensures that PKI clients experience the least possible number of failuresdue to unverified certificate chains or certificate revocations that can result in unsuccessful VPN connections,failed smart card logons, or unverified e-mail signatures.

Follow these guidelines when configuring CDP extension URLs:

Avoid publishing delta CRLs on offline root CAs. Because you do not revoke many certificates on an offlineroot CA, a delta CRL is probably not needed.

Adjust the default LDAP:/// and HTTP:// URL locations on the Extensions tabof the certification authorityProperties page according to your needs. Do not remove the local CDP location, however. The CA requires thelocal CDP location in order to publish the CRL to itself. The CA uses the local CRL to validate all certificatesbefore they are issued to users. The local path does not show in the CDP extension of issued certificates.

Enable the publication of delta CRLs, regardless of whether delta CRLs are going to be published, to allowfor the potential use of delta CRLs in the future. Enable delta CRL publication by selecting the Publish DeltaCRLs to this location check box.

Publish both the LDAP and HTTP URLs for CDP locations to enable clients to retrieve CRL data with HTTPand LDAP. If required, publish a CRL on an HTTP Internet or extranet location so that users and applicationsoutside the organization can perform certificate validation.

Consider using Active Directory–based publication. An LDAP certificate revocation list URL distributed bymeans of Active Directory is replicated in a fault-tolerant, distributed, highly available manner. However,replication of CRL data among Active Directory domain controllers introduces some latency.

For certificates that are to be validated by clients that use Active Directory, place the LDAP CDP location firstin the list to optimize client revocation checking. Windows clients always retrieve the list of URLs in sequentialorder until a valid CRL is retrieved.

Provide an additional HTTP CDP location or an alternative LDAP path to CRLs for clients that cannot useActive Directory or LDAP.

QUESTION 16.

Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runsan Enterprise Root certification authority (CA).

You need to ensure that only administrators can sign code.



A. Publish the code signing template.B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow

only administrators to apply the policy.C. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted

Publishers.

D. Modify the security settings on the template to allow only administrators to request code signing certificates.

Correct Answer: ADSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Reason : Code Signing is a template.

QUESTION 17.

Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company usesan Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.

The Enterprise Intermediate CA certificate expires.

You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.

What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group

policy object.D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Import the new certificate into the Intermediate Ce rtification Store

QUESTION 18.


You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runsWindows Server 2008 R2.

You need to ensure that members of the Account Operators group are able to issue smartcard credentials.They should not be able to revoke certificates.

Which three actions should you perform?


A. Install the AD CS server role and configure it as an Enterprise Root CA .B. Install the AD CS server role and configure it as a Standalone CA .C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.

E. Create a Smartcard logon certificate.F. Create an Enrollment Agent certificate.

Correct Answer: ACESection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------To configure enrollment agents, right click on the issuing CA and select properties( see screenshot below).

QUESTION 19.

Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.

You need to create multiple password policies for users in your domain.

What should you do?

A. From the Active Directory Schema snap-in, create multiple class schema objects.

B. From the ADSI Edit snap-in, create multiple Password Setting objects.C. From the Security Configuration Wizard, create multiple security policies.D. From the Group Policy Management snap-in, create multiple Group Policy objects.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------------------------Creating a PSO using ADSI Edit

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an ActiveDirectory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects andattributes.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Reviewdetails about using the appropriate accounts and group memberships at Local and Domain Default Groups(http://go.microsoft.com/fwlink/?LinkId=83477).To create a PSO using ADSI Edit

Click Start, click Run, type adsiedit.msc, and then click OK. noteNote If you are running ADSI Edit for the first time on a domain controller, proceed to step 2. Otherwise, proceedto step 4.

In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.

In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO,and then click OK.

Double-click the domain.

Double-click DC=<domain_name>.

Double-click CN=System.

Click CN=Password Settings Container.

All the PSO objects that have been created in the selected domain appear.

Right-click CN=Password Settings Container, click New, and then click Object.

In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.

In Value, type the name of the new PSO, and then click Next.

Continue with the wizard, and enter appropriate values for all mustHave attributes.

QUESTION 20.

You need to perform an offline defragmentation of an Active Directory database. Which four actions should youperform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer areaand arrange them in the correct order.)


Correct Answer:

Section: Configuring AD Federated ServicesExplanation


Exam F

QUESTION 1.

Your company has an Active Directory domain. All servers run Windows Server 2008 R2.

Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificateinformation is highly available.

What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.B. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and

Acceleration Server array.C. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the

domain.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc725937.aspx----------------------------------------------------------------------------------------------------------------------------------------------To install the CA Online Responder service

Click Start, point to Administrative Tools, and then click Server Manager.

Click Manage Roles. Under Active Directory Certificate Services, click Add role services. If a different AD CSrole service has already been installed on this computer, select the Active Directory Certificate Services checkbox in the Role Summary pane, and then click Add role services.

On the Select Role Services page, select the Online Certificate Status Protocol check box.

A message appears explaining that IIS and Windows Activation Service (WAS) must also be installed tosupport OCSP.

Click Add required role services, and then click Next three times.

On the Confirm Installation Options page, click Install.

When the installation is complete, review the status page to verify that the installation was successful.

QUESTION 2.

Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offlineroot CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2.

You need to ensure users are able to enroll new certificates.

What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA . Copy the CRL to the CertEnroll folder on theissuing CA .

B. Renew the Certificate Revocation List (CRL) on the issuing CA . Copy the CRL to the SystemCertificatesfolder in the users' profile.

C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client

workstations.


Explanation/Reference:http://technet.microsoft.com/en-us/library/bb457027.aspx------------------------------------------------------------------------------------------------------------Certificate Revocation and Status Checking

QUESTION 3.

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an Enterprise Root certification authority (CA). You install the Online Responder role service onServer2.

You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.



A. Import the enterprise root CA certificate.B. Import the OCSP Response Signing certificate.C. Add the Server1 computer account to the CertPublishers group.D. Set the Startup Type of the Certificate Propagation service to Automatic.

Correct Answer: ABSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://www.omnisecu.com/security/public-key-infrastructure/how-import-root-ca-certificate-trusted-root-certification-authorities.htm--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Import the enterprise root CA certificate

QUESTION 4.

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.

DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hostsa standard secondary DNS zone for the domain.

You need to configure DNS to allow only secure dynamic updates.


A. On DC1 and DC2, configure a trust anchor.B. On DC1 and DC2, configure a connection security rule.C. On DC1, configure the zone transfer settings.D. On DC1, configure the zone to be stored in Active Directory.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc771849%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------------------DNS

QUESTION 5.

Your network contains a domain controller that has two network connections named Internal and Private.Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5.


You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address.

What should you do?

A. Modify the netlogon.dns file on the domain controller.B. Modify the Name Server settings of the DNS zone for the domain.C. Modify the properties of the Private network connection on the domain controller.D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.


Explanation/Reference:http://forums.techarena.in/active-directory/1179167.htm

Sites and Services

QUESTION 6.

Your network contains an Active Directory forest named contoso.com. You plan to add a new domain namednwtraders.com to the forest.All DNS servers are domain controllers.

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNSservers in the forest.

What should you do?

A. Add the computer accounts of all the domain controllers to the DnsAdmins group.B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.C. Create a standard primary zone on a domain controller in the forest root domain.D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc771849%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------------Reason : Standard primary zone is local to the DC. The requirement here is to allow clients to register their hostfrom any DC/DNS servers.

QUESTION 7.

Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 hosts a standard primary zone for contoso.com.

You discover that non-domain member computers register records in the contoso.com zone. You need toprevent the non-domain member computers from registering records in the contoso.com zone. All domainmember computers must be allowed to register records in the contoso.com zone.


A. Configure a trust anchor.B. Run the Security Configuration Wizard (SCW).C. Change the contoso.com zone to an Active Directory-integrated zone.D. Modify the security settings of the %SystemRoot%\System32\Dns folder.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc771849%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------Create an Active Directory integrated zone

QUESTION 8.

Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. Youadd an alias (CNAME) resource record named Server1 to the zone. The target host of the record isserver2.contoso.com. When you ping Server1, you discover that the name fails to resolve.

You successfully resolve server2.contoso.com. You need to ensure that you can resolve names by using theGlobalNames zone.

What should you do?

A. From the command prompt, use the netsh tool.B. From the command prompt, use the dnscmd tool.C. From DNS Manager, modify the properties of the GlobalNames zone.

D. From DNS Manager, modify the advanced settings of the DNS server.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc778513 %28WS.10%29.aspx--------------------------------------------------- -------------------Global Names zone

Reason : GNZ is intended to aid the retirement of W INS. To enable gnz:Dnscmd ServerName /config /Enableglobalnamessupport 1. Next , you can use gui to create GlobalNames zone o r using command :Dnscmd ServerName /ZoneAdd GlobalNames /DsPrimary / DP /forest

QUESTION 9.

Your company has a main office and a branch office.

The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com isconfigured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.

The main office contains a writable domain controller named DC1. The branch office contains a read- onlydomain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers.

You uninstall the DNS server role from RODC1. You need to prevent DNS records from replicating to RODC1.

What should you do?

A. Modify the replication scope for the contoso.com zone.B. Flush the DNS cache and enable cache locking on RODC1.C. Configure conditional forwarding for the contoso.com zone.D. Modify the zone transfer settings for the contoso.com zone.

Correct Answer: ASection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784148%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------Change Replication scope


Open DNS.

In the console tree, right-click the applicable zone, and then click Properties.

On the General tab, note the current zone replication type, and then click Change.

Select a replication scope for the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you

must have been delegated the appropriate authority. If the computer is joined to a domain, members of theDomain Admins group might be able to perform this procedure. As a security best practice, consider using Runas to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

QUESTION 10.

Your network contains an Active Directory domain named contoso.com. The domain contains the serversshown in the following table:

Server name Operating system Role

DC1 Windows Server 2008 Domain controller

DC2 Windows Server 2008 R2 Domain controller

DNS1 Windows Server 2008 DNS server

DNS2 Windows Server 2008 R2 DNS server

The functional level of the forest is Windows Server 2003. The functional level of the domain is WindowsServer 2003.DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise.

You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.


A. Change the functional level of the forest.B. Change the functional level of the domain.C. Upgrade DC1 to Windows Server 2008 R2.D. Upgrade DNS1 to Windows Server 2008 R2.


Explanation/Reference:http://www.dnssec.net/---------------------------------------------------------------------------------------------DNS

Reason : DNSSEC is a technology that was developed to, among other things, protect against such attacks bydigitally ‘signing’ data so you can be assured it is valid.

QUESTION 11.

Your network contains a domain controller that is configured as a DNS server. The server hosts an ActiveDirectory-integrated zone for the domain.

You need to reduce how long it takes until stale records are deleted from the zone.

What should you do?

A. From the configuration directory partition of the forest, modify the tombstone lifetime.B. From the configuration directory partition of the forest, modify the garbage collection interval.

C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd145342.aspx-----------------------------------------------------------------------------------------------------------Zone Aging/Scavenging Properties Dialog Box

QUESTION 12.

You have an Active Directory domain named contoso.com. You have a domain controller named Server1 that isconfigured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The DNS configuration ofServer1 is shown in the exhibit. (Click the Exhibit button.)

You discover that stale resource records are not automatically removed from the contoso.com zone. You needto ensure that the stale resource records are automatically removed from the contoso.com zone.

What should you do?

A. Set the scavenging period of Server1 to 0 days.B. Modify the Server Aging/Scavenging properties.

C. Configure the aging properties for the contoso.com zone.D. Convert the contoso.com zone to an Active Directory-integrated zone.



QUESTION 13.

Your network contains an Active Directory domain named contoso.com.

You remove several computers from the network.

You need to ensure that the host (A) records for the removed computers are automatically deleted from thecontoso.com DNS zone.

What should you do?

A. Configure dynamic updates.B. Configure aging and scavenging.C. Create a scheduled task that runs the Dnscmd /ClearCache command.D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.



QUESTION 14.

You need to force a domain controller to register all service location (SRV) resource records in DNS.

Which command should you run?

A. ipconfig.exe /registerdnsB. net.exe stop dnscache & net.exe start dnscacheC. net.exe stop netlogon & net.exe start netlogonD. regsvr32.exe dnsrslvr.dll


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc783389%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------

Managing DNS resource records

After you create a zone, additional resource records need to be added to it. The most common resourcerecords (RRs) to be added are:

Host (A) For mapping a DNS domain name to an IP address used by a computer.

Alias (CNAME) For mapping an alias DNS domain name to another primary or canonical name.

Mail Exchanger (MX) For mapping a DNS domain name to the name of a computer that exchanges orforwards mail.

Pointer (PTR) For mapping a reverse DNS domain name based on the IP address of a computer that pointsto the forward DNS domain name of that computer.

Service location (SRV) For mapping a DNS domain name to a specified list of DNS host computers thatoffer a specific type of service, such as Active Directory domain controllers.

QUESTION 15.

Your network contains an Active Directory domain named contoso.com. You plan to deploy a child domainnamed sales.contoso.com. The domain controllers in sales.contoso.com will be DNS servers forsales.contoso.com.

You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fullyqualified domain names (FQDNs).

What should you do?

A. Create a DNS forwarder.B. Create a DNS delegation.C. Configure root hint servers.D. Configure an alternate DNS server on all client computers.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc785881%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------Create a DNS zone delegation

QUESTION 16.

Your network contains a single Active Directory domain named contoso.com. The domain contains two domaincontrollers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone forcontoso.com. DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an ActiveDirectory-integrated zone and configure the zone to accept secure dynamic updates only.

You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.


A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com

B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimaryC. dnslint.exe /qlD. repadmin.exe /syncall /force



Reason : dsprimary is AD integrated zone.

QUESTION 17.

Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in thefollowing Command Prompt window.

You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records forcontoso.com.

What should you modify?

A. the root hints of the DNS serverB. the security settings of the zoneC. the Windows Firewall settings on the DNS serverD. the zone transfer settings of the zone


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc739056%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------Modify DNS zone transfer settings

QUESTION 18.

Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is storedin Active Directory. All domain controllers run Windows Server 2008 R2.

You need to identify if all of the DNS records used for Active Directory replication are correctly registered.

What should you do?

A. From the command prompt, use netsh.exe.B. From the command prompt, use dnslint.exe.C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.

Correct Answer: BSection: Powershell & Command line cmds

Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc736981%28WS.10%29.aspx-----------------------------------------------------------------------------------------------------------Dnslint

Reason : DNSLint is a Microsoft Windows utility that helps y ou to diagnose commonDNS name resolution issues. You need to download it from Microsoft.

QUESTION 19.

Your network contains an Active Directory forest. The forest contains one domain and three sites. Each sitecontains two domain controllers. All domain controllers are DNS servers.

You create a new Active Directory-integrated zone.

You need to ensure that the new zone is replicated to the domain controllers in only one of the sites.


A. Modify the NTDS Site Settings object for the site.B. Modify the replication settings of the default site link.C. Create an Active Directory connection object.D. Create an Active Directory application directory partition.

Correct Answer: DSection: Configuring AD InfrastructureExplanation


QUESTION 20.

Your network contains a single Active Directory forest. The forest contains two domains named contoso.comand sales.contoso.com. The domain controllers are configured as shown in the following table:

Server name Domain DNS zones hosted

DC1 contoso.com contoso.com

DC2 contoso.com contoso.com

DC3 sales.contoso.com sales.contoso.com

DC4 sales.contoso.com sales.contoso.com

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integratedzones.

You need to ensure that contoso.com records are available on DC3.


A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainB. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forestC. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainD. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc778513%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------Dnscmd.exe: DNS Server Troubleshooting Tool

This command-line tool assists administrators in Domain Name System (DNS) management.

DNSCmd displays and changes the properties of DNS servers, zones, and resource records. It manuallymodifies these properties, creates and deletes zones and resource records, and forces replication eventsbetween DNS server physical memory and DNS databases and data files. Some operations of this tool work atthe DNS server level while others work at the zone level.

Note

DNSCmd enhances the functionality of and replaces Dnsstat.exe, a tool included in some versions of theWindows NT Resource Kit.

Corresponding UI

To manually view and manage DNS by using the DNS Server snap-in in Windows

Click Start, point to Programs, and then point to Administrative Tools.

Click DNS.

For information about how to use DNS, right-click DNS, and then click Help.

Open DNS Server snap-in now.Concepts

DNS resolves computer names to IP addresses so that users can refer to computers by name rather than by aseries of numbers.

For more information about DNS, see "DNS" and "DNS Concepts" in Help for Windows Server 2003.System Requirements

DNSCmd runs on a source computer and acts on a target computer. The target computer can be the samecomputer as the source computer, or it can be a different computer.Source Computer Requirements

The following are the system requirements for the source computer:

Dnscmd.exe

User's membership in the Administrators or Server Operators group on the target computer. Both the useraccount and the server computer must be members of the same domain or reside within trusted domains.

Exam G

QUESTION 1.

You have a DNS zone that is stored in a custom application directory partition.

You install a new domain controller.

You need to ensure that the custom application directory partition replicates to the new domain controller.

What should you use?

A. the Active Directory Administrative Center consoleB. the Active Directory Sites and Services consoleC. the DNS Manager consoleD. the Dnscmd tool


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc778513%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------Dnscmd.exe: DNS Server Troubleshooting Tool

This command-line tool assists administrators in Domain Name System (DNS) management.

DNSCmd displays and changes the properties of DNS servers, zones, and resource records. It manuallymodifies these properties, creates and deletes zones and resource records, and forces replication eventsbetween DNS server physical memory and DNS databases and data files. Some operations of this tool work atthe DNS server level while others work at the zone level.

Note

DNSCmd enhances the functionality of and replaces Dnsstat.exe, a tool included in some versions of theWindows NT Resource Kit.

Corresponding UI

To manually view and manage DNS by using the DNS Server snap-in in Windows

Click Start, point to Programs, and then point to Administrative Tools.

Click DNS.

For information about how to use DNS, right-click DNS, and then click Help.

Open DNS Server snap-in now.Concepts

DNS resolves computer names to IP addresses so that users can refer to computers by name rather than by aseries of numbers.

For more information about DNS, see "DNS" and "DNS Concepts" in Help for Windows Server 2003.System Requirements

DNSCmd runs on a source computer and acts on a target computer. The target computer can be the same

computer as the source computer, or it can be a different computer.Source Computer Requirements

The following are the system requirements for the source computer:

Dnscmd.exe

User's membership in the Administrators or Server Operators group on the target computer. Both the useraccount and the server computer must be members of the same domain or reside within trusted domains.

QUESTION 2.

Your network contains an Active Directory domain named contoso.com. All domain controllers run WindowsServer 2008 R2. The functional level of the domain is Windows Server 2008 R2.

The functional level of the forest is Windows Server 2008. You have a member server named Server1 that runsWindows Server 2008. You need to ensure that you can add Server1 to contoso.com as a domain controller.

What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccountB. dcpromo.exe /ReplicaOrNewDomain:replicaC. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008DomainD. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest


Explanation/Reference:http://ss64.com/ps/ad.htmlhttp://ss64.com/ps/set-addomainmode.html-------------------------------------------------------------------------------------------------Set-adDomainMode Set the domain functional level for an AD domain.

QUESTION 3.

Your network contains an Active Directory forest. The forest contains a single domain. You want to accessresources in a domain that is located in another forest.

You need to configure a trust between the domain in your forest and the domain in the other forest.

What should you create?

A. an incoming external trustB. an incoming realm trustC. an outgoing external trustD. an outgoing realm trust

Correct Answer: ASection: Configuring Domains and TrustsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784836%28WS.10%29.aspx-----------------------------------------------------------------------------------------------------------------Set up an incoming external trust

Use Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Adminsgroup in Active Directory.To create a one-way, incoming, external trust for one side of the trust


In the console tree, right-click the domain that you want to establish a trust with, and then click Properties.



On the Trust Type page, click External trust, and then click Next.

On the Direction of Trust page, click One-way: incoming, and then click Next.


On the Sides of Trust page, click This domain only, and then click Next.


On the Trust Password page, type the trust password twice, and then click Next.

With the administrator of the other domain, agree on a secure channel password to be used in establishingthe trust.

On the Trust Selections Completepage, review the results, and then click Next.





QUESTION 4.

Your network contains two Active Directory forests. One forest contains two domains named contoso.com andna.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configuredbetween the two forests.

You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to acomputer in the nwtraders.com domain by using the user name NA\User1.

Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain.

You need to ensure that User1 can log on to the computer in the nwtraders.com domain.

What should you do?

A. Enable selective authentication over the forest trust.B. Create an external one-way trust from na.contoso.com to nwtraders.com.C. Instruct User1 to log on to the computer by using his user principal name (UPN).D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.

Correct Answer: CSection: Configuring Domains and TrustsExplanation

Explanation/Reference:http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2da8f590-1bd0-4810-b873-5a36eab76a2f/------------------------------------------------------------------------------------------------------------------------------------------------------------------Domains and Trusts - UPNs

Open Active Directory Domains and Trusts.Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forrest.Click Add, and then click OK

QUESTION 5.

Your company has a main office and a branch office. The main office contains two domain controllers.

You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branchoffice, and then add the domain controller to the BranchOfficeSite site.

You discover that users in the branch office are randomly authenticated by either the domain controller in thebranch office or the domain controllers in the main office.

You need to ensure that the users in the branch office always attempt to authenticate to the domain controller inthe branch office first.

What should you do?

A. Create organizational units (OUs).B. Create Active Directory subnet objects.C. Modify the slow link detection threshold.D. Modify the Location attribute of the computer objects.

Correct Answer: BSection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc816870%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------------Create a Subnet Object or Objects and Associate them with a Site

If you create a new site or if you enlarge a new site, you can use this procedure to create a subnet object orobjects and associate them with the site in Active Directory Domain Services (AD DS). You can assign theappropriate network address to the subnet object so that it represents a range of TCP/IP addresses. Toaccomplish this procedure, you must have the following information:

The site with which the subnet is to be associated.

The IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.

Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest rootdomain, or equivalent, is the minimum required to complete this procedure. Review details about using theappropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).To create a subnet object or objects and associate them with a site

Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then clickActive Directory Sites and Services.

In the console tree, expand the Sites container, right-click Subnets, and then click New Subnet.

In New Object - Subnet, in Prefix, type the IPv4 or IPv6 subnet prefix for the subnet.

In Select a site object for this prefix, click the site to be associated with the subnet, and then click OK.

QUESTION 6.

Your company has a main office and 50 branch offices. Each office contains multiple subnets.

You need to automate the creation of Active Directory subnet objects.


A. the Dsadd toolB. the Netsh toolC. the New-ADObject cmdletD. the New-Object cmdlet


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee617260.aspx---------------------------------------------------------------------------------------New-ADObject

Creates an Active Directory object.Syntax

New-ADObject [-Name] <string> [-Type] <string> [-AuthType {<Negotiate> | <Basic>}] [-Credential<PSCredential>] [-Description <string>] [-DisplayName <string>] [-Instance <ADObject>] [-OtherAttributes<hashtable>] [-PassThru <switch>] [-Path <string>] [-ProtectedFromAccidentalDeletion <System.Nullable[bool]>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Name

Type

AuthType

Credential

Description

DisplayName

Instance

OtherAttributes

PassThru

Path

ProtectedFromAccidentalDeletion

Server

Confirm

WhatIf

QUESTION 7.

Your network contains an Active Directory forest. The forest contains multiple sites.

You need to enable universal group membership caching for a site.

What should you do?

A. From Active Directory Sites and Services, modify the NTDS Settings.B. From Active Directory Sites and Services, modify the NTDS Site Settings.C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the

site.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731907.aspx-----------------------------------------------------------------------------------------Overview of Active Directory Sites and Services

Updated: December 30, 2008


You can use the Active Directory Sites and Services snap-in to manage the site-specific objects that implementthe intersite replication topology. These objects are stored in the Sites container in Active Directory DomainServices (AD DS).

noteNoteYou can also use Active Directory Sites and Services to administer the replication of directory data among allsites in an Active Directory Lightweight Directory Services (AD LDS) configuration set.

In addition, Active Directory Sites and Services provides a view of the Services container, which you can use toview service-related objects that are published in AD DS.

The following sections provide detailed information about site management and service publication with ActiveDirectory Sites and Services:

Site management

Service publication

Additional references

Site management

In your physical network, a site represents a set of computers that are connected by a high-speed network,such as a local area network (LAN). Typically, all computers in the same physical site reside in the samebuilding or perhaps the same campus network.

In AD DS, a site object represents the aspects of the physical site that you can manage, specifically, replicationof directory data between domain controllers. You can use Active Directory Sites and Services to manage theobjects that represent the sites and the servers that reside in those sites.

Site objects and their related objects are replicated to all domain controllers in an Active Directory forest. Youcan manage the following objects in Active Directory Sites and Services:

Sites

Subnets

Servers

NTDS Settings

Connections

Site links

IP and SMTP intersite transports

QUESTION 8.

You need to ensure that domain controllers only replicate between domain controllers in adjacent sites.

What should you configure from Active Directory Sites and Services?

A. From the IP properties, select Ignore all schedules.B. From the IP properties, select Disable site link bridging.C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection

objects.D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each

site.

Correct Answer: B

Section: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc738789%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------------Enable or disable site link bridges

Open Active Directory Sites and Services.

In the console tree, right-click the intersite transport folder (such as IP or SMTP) for which you want to enableor disable site link bridges, and then click Properties.

Where?

Active Directory Sites and Services/Sites/Inter-Site Transports/intersite transport for which you want toenable or disable link bridges

Do one of the following:

To enable site link bridges, select the Bridge all site links check box.

To disable site link bridges, clear the Bridge all site links check box.

Important

By default, all site links are bridged. For more information about disabling this option and its affects onintersite replication, see Related Topics.

QUESTION 9.


You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates byusing a domain controller in the main office. You need to ensure that IPv6-only computers authenticate todomain controllers in the same site.

What should you do?

A. Configure the NTDS Site Settings object.B. Create Active Directory subnet objects.C. Create Active Directory Domain Services connection objects.D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.

Correct Answer: BSection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc816870%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------------Create a Subnet Object or Objects and Associate the m with a Site

If you create a new site or if you enlarge a new site, you can use this procedure to create a subnet object orobjects and associate them with the site in Active Directory Domain Services (AD DS). You can assign theappropriate network address to the subnet object so that it represents a range of TCP/IP addresses. Toaccomplish this procedure, you must have the following information:

The site with which the subnet is to be associated.

The IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.

Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest rootdomain, or equivalent, is the minimum required to complete this procedure. Review details about using theappropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).To create a subnet object or objects and associate them with a site

Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then clickActive Directory Sites and Services.

In the console tree, expand the Sites container, right-click Subnets, and then click New Subnet.

In New Object - Subnet, in Prefix, type the IPv4 or IPv6 subnet prefix for the subnet.

In Select a site object for this prefix, click the site to be associated with the subnet, and then click OK.

QUESTION 10.

Your network contains an Active Directory domain. The domain is configured as shown in the following table:

Active Directory site Domain controllers

Main DC1 and DC2

Branch1 DC3

Branch2 None

Users in Branch2 sometimes authenticate to a domain controller in Branch1.

You need to ensure that users in Branch2 only authenticate to the domain controllers in Main.

What should you do?

A. On DC3, set the AutoSiteCoverage value to 0.B. On DC3, set the AutoSiteCoverage value to 1.C. On DC1 and DC2, set the AutoSiteCoverage value to 0.D. On DC1 and DC2, set the AutoSiteCoverage value to 1.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc787491%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------Parameters\AutoSiteCoverage

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Data type Range Default value

REG_DWORD

0 | 1

Description: Specifies whether the system can add sites to the coverage area of this domain controller.

Domain controllers cover, that is, provide services to, the site in which they reside and to other sites listed in thevalue of the entrySiteCoverage. In addition, when the value of AutoSiteCoverage is 1, the system can add sitesthat do not have domain controllers to this domain controller's coverage area. Value Meaning

0 The system cannot add sites to the coverage area of this domain controller.

1 The system can add sites to the coverage area of this domain controller.

QUESTION 11.

Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has twodomain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.DC3 fails.

You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 andthe domain controllers in Site1.On DC4, you run repadmin.exe /kcc.

Replication between the sites continues to fail.

You need to ensure that Active Directory data replicates between the sites.

What should you do?

A. From Active Directory Sites and Services, modify the properties of DC3.B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.C. From Active Directory Users and Computers, modify the location settings of DC4.D. From Active Directory Users and Computers, modify the delegation settings of DC4.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730868.aspx-----------------------------------------------------------------------------------------Active Directory Sites and Services

QUESTION 12.

Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that runWindows Server 2008 R2.

You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).


A. Run dfsrdiag.exe PollAD.

B. Run dfsrmig.exe /SetGlobalState 0.C. Upgrade all domain controllers to Windows Server 2008 R2.D. Raise the functional level of the domain to Windows Server 2008.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc773238%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------------------------------------------------Reason : Distributed File System (DFS) Replication is a replication service that is available for replicatingSYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFSReplication was introduced in Windows Server 2003 R2. However, on domain controllers that are runningWindows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).

QUESTION 13.

Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.

You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User objects.

You need to ensure that Attribute1 is replicated to the global catalog.

What should you do?

A. In Active Directory Sites and Services, configure the NTDS Settings.B. In Active Directory Sites and Services, configure the universal group membership caching.C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.D. From the Active Directory Schema snap-in, modify the properties of the Attibute1 class schema attribute.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc755885%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------To install the Active Directory Schema snap-in

Open Command Prompt.

Type:


This command will register Schmmgmt.dll on your computer. For more information about using regsvr32,see Related Topics.

Click Start, click Run, type mmc /a, and then click OK.

On the File menu, click Add/Remove Snap-in, and then click Add.

Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.

To save this console, on the File menu, click Save.

In Save in, point to the systemroot\system32 directory.

In File name, type schmmgmt.msc, and then click Save.

To create a shortcut on your Start menu:

QUESTION 14.

Your network contains an Active Directory domain. The domain contains three domain controllers.

One of the domain controllers fails.

Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that thehelp desk can create new user accounts.

Which operations master role should you seize?

A. domain naming masterB. infrastructure masterC. primary domain controller (PDC) emulatorD. RID masterE. schema master


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc780084%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------To identify the RID master




Open Active Directory Users and Computers.

Right-click the domain node, and then click Operations Masters.

On the RID tab, under Operations masters, view the current RID master.

QUESTION 15.

Your network contains two standalone servers named Server1 and Server2 that have Active DirectoryLightweight Directory Services (AD LDS) installed.

Server1 has an AD LDS instance.

You need to ensure that you can replicate the instance from Server1 to Server2.

What should you do on both servers?

A. Obtain a server certificate.B. Import the MS-User.ldf file.C. Create a service user account for AD LDS.D. Register the service location (SRV) resource records.

Correct Answer: CSection: Configuring AD LDSExplanation

Explanation/Reference:http://msdn.microsoft.com/en-us/library/bb897400.aspx--------------------------------------------------------------------------------------Configure LDS

QUESTION 16.

Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an ActiveDirectory Lightweight Directory Services (AD LDS) instance on Server1.

You need to create an additional AD LDS application directory partition in the existing instance.


A. AdaminstallB. DsaddC. DsmodD. Ldp


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772839%28WS.10%29.aspx-----------------------------------------------------------------------------------------------------------LDP

LDP is a GUI-based, Windows Explorer–like utility with a scope pane on the left that is used for navigatingthrough the Active Directory namespace, and a details pane on the right that is used for displaying the results ofthe LDAP operations. Any text displayed in the details pane can be selected with the mouse and "copied" to theClipboard.

QUESTION 17.

Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create anActive Directory Lightweight Directory Services (AD LDS) instance named Instance1.

You connect to Instance1 by using ADSI Edit.

You run the Create Object wizard and you discover that there is no User object class. You need to ensure thatyou can create user objects in Instance1.

What should you do?

A. Run the AD LDS Setup Wizard.B. Modify the schema of Instance1.C. Modify the properties of the Instance1 service.D. Install the Remote Server Administration Tools (RSAT).


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc755885%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------------------To install the Active Directory Schema snap-in


Type:


This command will register Schmmgmt.dll on your computer. For more information about using regsvr32,see Related Topics.

Click Start, click Run, type mmc /a, and then click OK.

On the File menu, click Add/Remove Snap-in, and then click Add.

Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.

To save this console, on the File menu, click Save.

In Save in, point to the systemroot\system32 directory.

In File name, type schmmgmt.msc, and then click Save.

To create a shortcut on your Start menu:

QUESTION 18.

Your network contains an Active Directory domain. The domain contains a server named Server1.Server1 runs Windows Server 2008 R2.

You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

What should you do?

A. Run ldp.exe and use the Bind option.B. Run diskpart.exe and use the Attach option.C. Run dsdbutil.exe and use the snapshot option.D. Run imagex.exe and specify the /mount parameter.

Correct Answer: CSection: Configuring AD LDSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753151%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------Reason : dsdbutil is a AD LDS tool.

Dsdbutil is a command-line tool that is built into Windows Server 2008. It is available if you have the AD LDSserver role installed. To use dsdbutil, you must run the dsdbutil command from an elevated command prompt.To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run asadministrator.

For most of the Dsdbutil commands, you only need to type the first few characters of the command nameinstead than the entire command. For example, you can type either of the following commands to activate anAD LDS instance named instance1:

activate instance instance1ac i instance1

QUESTION 19.

Your network contains a single Active Directory domain. Active Directory Rights Management Services (ADRMS) is deployed on the network.

A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensurethat User1 can change the service connection point (SCP) for the AD RMS installation. The solution mustminimize the administrative rights of User1.

To which group should you add User1?

A. AD RMS AuditorsB. AD RMS Service GroupC. Domain AdminsD. Schema Admins


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756898%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------Domain Admins

QUESTION 20.

Your network contains two Active Directory forests named contoso.com and adatum.com. Active DirectoryRights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD)exists between contoso.com and adatum.com.

From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest areauthenticating as users from contoso.com.

You need to prevent users from impersonating contoso.com users.

What should you do?

A. Configure trusted e-mail domains.B. Enable lockbox exclusion in AD RMS.C. Create a forest trust between adatum.com and contoso.com.D. Add a certificate from a third-party trusted certification authority (CA).

Correct Answer: ASection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753930.aspx--------------------------------------------------------------------------------------Configure Trusted e-mail domains

Exam H

QUESTION 1.

Your network contains an Active Directory domain named contoso.com. The network contains client computersthat run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) isdeployed on the network.

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updatedevery month.

You need to ensure that all the computers can use the most up-to-date version of the AD RMS template. Youwant to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users

by using a Software Installation extension of Group Policy.D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all

computers by using a Software Installation extension of Group Policy.

Correct Answer: BSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd996658%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------To create a new AD RMS rights policy template

Log on to ADRMS-SRV as cpandl\ADRMSADMIN.

Open the Active Directory Rights Management Services Administration console. Click Start, point toAdministrative Tools, and then click Active Directory Rights Management Services.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and thenclick Continue.

In the Active Directory Rights Management Services Administration console, expand the cluster name.

Right click Rights Policy Templates, and then click Properties.

Select the Enable export check box, type \\adrms-db\public in the Specify templates file location (UNC) box,and then click OK.

In the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed RightsPolicy Template wizard.

Click Add.

In the Language box, choose the appropriate language for the rights policy template.

Type CPANDL.COM CC in the Name box.

Type CPANDL.COM Company Confidential in the Description box, and then click Add.

Click Next.

Click Add, type [email protected] in The e-mail address of a user or group box, and then click OK.

Select the View check box to grant the [email protected] group Read access to any documentcreated by using this AD RMS rights policy template.

Click Finish.

QUESTION 2.

Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who haveWindows Mobile 6 devices report that they cannot access documents that are protected by AD RMS.

You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.

What should you do?

A. Modify the security of the ServerCertification.asmx file.B. Modify the security of the MobileDeviceCertification.asmx file.C. Enable anonymous authentication for the _wmcs virtual directory.D. Enable anonymous authentication for the certification virtual directory.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731519.aspx-----------------------------------------------------------------------------------------Enable Certification of Mobile Devices

AD RMS can provide rights account certificates (RACs) and use licenses to AD RMS-enabled applications thatare running Windows Mobile 6. There are a few things that you should be aware of when configuring mobileservices:

Discretionary access control lists (DACLs) on the AD RMS pipelines use the most secure settings by default.You must modify the DACL when using AD RMS mobile services.

Many mobile services use advanced Active Directory Domain Services (AD DS) functionality that is availableonly if all AD DS domain controllers are running Windows Server 2003, Windows Server 2008, or WindowsServer 2008 R2. If you are using any mobile services, we recommend that all domain controllers are runningWindows Server 2003, Windows Server 2008, or Windows Server 2008 R2, and that both the domain andforest Active Directory functional levels are at least at Windows Server 2003.

In a default AD RMS installation, the DACL of the AD RMS mobile certification pipeline is restricted, whichmeans an application cannot obtain certificates and licenses for their users. However, if you have an AD RMS-enabled application for these computers, you can enable them to participate in your AD RMS system byconfiguring the DACLs on the AD RMS mobile certification pipeline.

AD RMS-enabled mobile applications can connect to the AD RMS mobile certification server by using theMobileDeviceCertification.asmx file.

QUESTION 3.

Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1.An administrator changes the password of the user account that is used by AD RMS.

You need to update AD RMS to use the new password.

Which console should you use?

A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Component ServicesD. Services

Correct Answer: ASection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc771234%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------------

QUESTION 4.

Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have severalcustom policy templates. The custom policy templates are updated frequently.

Some users report that it takes as many as 30 days to receive the updated policy templates. You need toensure that users receive the updated custom policy templates within seven days.

What should you do?

A. Modify the registry on the AD RMS servers.B. Modify the registry on the users' computers.C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd996658%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------AD RMS Policy Template Considerations

Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. Active Directory Rights Management Services (AD RMS) stores rights policy templates in theconfiguration database. Optionally, it may maintain a copy of all rights policy templates in a shared folder thatyou specify.

When publishing protected content, the author selects the rights policy template to apply from the templatesthat are available on the local computer. To make rights policy templates available for offline publishing, theadministrator must deploy them to client computers from a shared folder. In Windows Vista® with Service Pack1 (SP1), Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2, rights policy templates areautomatically managed by the AD RMS client. A new template distribution pipeline has been created that theAD RMS client can poll for updates. If a rights policy template has been added, changed, or deleted, the client

detects these changes and updates the local rights policy templates during its next refresh. The rights policytemplates are stored locally on the AD RMS client running Windows Vista with SP1, Windows Server 2008,Windows 7, and Windows Server 2008 R2 in the %localappdata%\Microsoft\DRM\templates folder. ForWindows XP, Windows 2000, and Windows Server 2003, the path is %appdata%\Microsoft\DRM\templates.

QUESTION 5.

Your company has a main office and a branch office. The branch office contains a read-only domain controllernamed RODC1.

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must preventAdmin1 from logging on to other domain controllers.

What should you do?

A. Run ntdsutil.exe and use the Roles option.B. Run dsmgmt.exe and use the Local Roles option.C. From Active Directory Sites and Services, modify the NTDS Site Settings.D. From Active Directory Users and Computers, add the user to the Server Operators group.

Correct Answer: BSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://msmvps.com/blogs/jeffloucks/archive/2009/11/28/rodc-using-the-dsmgmt-exe-utility-to-manage-local-administrators.aspx-------------------------------------------------------------------------------------------------------------------------------------------------------------------------One of the benefits of of RODC is that you can add local administrators who do not have full access to thedomain administration. This gives them the abiltiy to manage the server but not add or change active directoryobjects unless those roles are delegated. Adding this type of user is done using the dsmdmt.exe utility at thecommand prompt. The following graphic shows a few commands including:

adding local roles showing local roles

QUESTION 6.

You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user namedUser1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.


A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. DsaddD. Dsmgmt



http://technet.microsoft.com/en-us/library/cc732473%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------------dsmgmt is a command-line tool that is built into Windows Server 2008. It is available if you have the AD LDSserver role installed. To use dsmgmt, you must run the dsmgmt command from an elevated command prompt.To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run asadministrator.

For most of the dsmgmt commands, you only need to type the first few characters of the command nameinstead than the entire command. For example, you can type either of the following commands to manageconfigurable settings:

QUESTION 7.

Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1contains four domain controllers. Site2 contains a read-only domain controller (RODC). You add a user namedUser1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails.

User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored andUser1 reports that he is able to log on to the domain. You need to prevent the problem from reoccurring if theWAN link fails.

What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730883%28WS.10%29.aspx---------------------------------------------------------------------------------------------------------------When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domaincontroller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should bepermitted to cache a password. After the RODC receives an authenticated user or computer logon request, itrefers to the Password Replication Policy to determine if the password for the account should be cached. Thesame account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that areexplicitly denied from being cached. The list of user and computer accounts that are permitted to be cacheddoes not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticatethose accounts, even if the WAN link to the hub site is offline.noteNoteYou must include the appropriate user, computer, and service accounts in the Password Replication Policy inorder to allow the RODC to satisfy authentication and service ticket requests locally.

QUESTION 8.

Your company has a main office and a branch office. The network contains an Active Directory domain.

The main office contains a writable domain controller named DC1. The branch office contains a read- onlydomain controller (RODC) named DC2.You discover that the password of an administrator named Admin1 is cached on DC2.

You need to prevent Admin1's password from being cached on DC2.

What should you do?

A. Modify the NTDS Site Settings.B. Modify the properties of the domain.C. Create a Password Setting object (PSO).D. Modify the properties of DC2's computer account.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753459%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------------RODC Filtered Attribute Set, Credential Caching, an d the Authentication Process with an RODC

QUESTION 9.


The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.RODC1 runs Windows Server 2008 R2.

A user named User1 logs on to a computer in the branch office site. You discover that the password of User1 isnot stored on RODC1.

You need to ensure that User1's password is stored on RODC1.

What should you modify?

A. the Member Of properties of RODC1B. the Member Of properties of User1C. the Security properties of RODC1D. the Security properties of User1

Correct Answer: BSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772234%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------RODC

QUESTION 10.

Your company has a main office and a branch office. The branch office has an Active Directory site thatcontains a read-only domain controller (RODC).

A user from the branch office reports that his account is locked out. From a writable domain controller in themain office, you discover that the user's account is not locked out.

You need to ensure that the user can log on to the domain.

What should you do?

A. Modify the Password Replication Policy.B. Reset the password of the user account.C. Run the Knowledge Consistency Checker (KCC) on the RODC.D. Restore network communication between the branch office and the main office.



QUESTION 11.

Your network contains a single Active Directory domain. The domain contains five read-only domain controllers(RODCs) and five writable domain controllers. All servers run Windows Server 2008. You plan to install a newRODC that runs Windows Server 2008 R2.

You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using theminimum amount of administrative effort.



A. At the command prompt, run adprep.exe /rodcprep.B. At the command prompt, run adprep.exe /forestprep.C. At the command prompt, run adprep.exe /domainprep.D. From Active Directory Domains and Trusts, raise the functional level of the domain.E. From Active Directory Users and Computers, pre-stage the RODC computer account.

Correct Answer: BCSection: Configuring Additional AD Server RolesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------For more information about running adprep / forestprep, see Prepare a Windows 2000 or Windows Server2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2(http://go.microsoft.com/fwlink/?LinkID=93242).



QUESTION 12.

You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

Which inbound TCP port should you allow on Server1?

A. 88B. 135C. 443D. 445


Explanation/Reference:http://technet.microsoft.com/en-us/network/bb545423-----------------------------------------------------------------------------------------------------------Configure Windows Server 2008 Firewall

QUESTION 13.

You deploy a new Active Directory Federation Services (AD FS) federation server.

You request new certificates for the AD FS federation server. You need to ensure that the AD FS federationserver can use the new certificates.

To which certificate store should you import the certificates?

A. ComputerB. IIS Admin Service service accountC. Local AdministratorD. World Wide Web Publishing Service service account


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc737262%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------Federation server

Federation servers host the Federation Service component of ADFS. They are used to route authenticationrequests that are made from user accounts in other organizations (in Federated Web Single-Sign-On (SSO)scenarios) or from clients that can be located anywhere on the Internet (in the Web SSO scenario). For moreinformation about the different ADFS scenarios, see Federation scenarios.

Federation servers also host a security token service that issues tokens that are based on the credentials (forexample, user name and password) that are presented to it. After the credentials are verified (by the userlogging on), Claims for the user are collected through examination of the attributes for the user that are stored

in Active Directory or Active Directory Application Mode (ADAM).

In Federated Web SSO scenarios, claims can then be modified by claim mappings for a specific resourcepartner. The claims are built into a token that is sent to a federation server in the resource partner. After afederation server in the resource partner receives the claims as incoming claims, it maps them into theirorganization claims. The organization claims are then built into a new token that is sent to the ADFS WebAgent.

The role that a federation server plays in either of the Federated Web SSO scenarios (Federated Web SSO orFederated Web SSO with Forest Trust) can depend on whether your organization is designated as the accountpartner or the resource partner:

Federation servers in the account partner are used to log on local user accounts in either an Active Directorystore or an Active Directory Application Mode (ADAM) store. Federation servers also issue initial securitytokens that the local user accounts can use to access Web-based applications that are hosted in the resourcepartner. In addition, federation servers in the account partner issue cookies to users to maintain login status.These cookies include claims for those users. These cookies enable SSO capabilities so that users do nothave to enter credentials each time that they visit different Web-based applications in the resource partner.

Federation servers at the resource partner validate the security tokens that are issued by the federationservers at the account partner. Federation servers at the resource partner also issue security tokens that aremeant for the Web-based applications in the resource partner. In addition, federation servers in the resourcepartner issue cookies to the user accounts, which come from the account partner. These cookies enable SSOcapabilities so that users do not have to log in again at their federation servers in the account partner whenusers attempt to access different Web-based applications at the resource partner.

For more information about the account and resource partners, see Partner organizations.Federation server proxy

Federation server proxies host the Federation Service Proxy component of ADFS. Federation server proxiescan be deployed in an organization's perimeter network (also known as a demilitarized zone, extranet, orscreened subnet) to forward requests to federation servers that are not accessible from the Internet.

QUESTION 14.

Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. Server1 has the Active Directory Federation Services (AD FS) role installed.

You have an application named App1 that is configured to use Server1 for AD FS authentication. You deploy anew server named Server2. Server2 is configured as an AD FS 2.0 server. You need to ensure that App1 canuse Server2 for authentication.

What should you do on Server2?

A. Add an attribute store.B. Create a relying party trust.C. Create a claims provider trust.D. Create a relaying provider trust.

Correct Answer: BSection: Configuring AD Federated ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd807132%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------Create a Relying Party Trust Using Federation Metad ata

To add a new relying party trust, using the AD FS 2.0 Management snap-in, by automatically importingconfiguration data about the partner from federation metadata that the partner published to a local network or tothe Internet, perform the following procedure on a federation server in the account partner organization.CautionCautionThough it has long been common practice to use certificates with unqualified host names such as https://myserver, these certificates have no security value and can enable an attacker to impersonate a FederationService that is publishing federation metadata. Therefore, when querying federation metadata, you should onlyuse a fully qualified domain name such as https://myserver.contoso.com.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete thisprocedure. Review details about using the appropriate accounts and group memberships at Local and DomainDefault Groups (http://go.microsoft.com/fwlink/?LinkId=83477).To create a relying party trust using federation metadata

Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

Under the AD FS 2.0\Trust Relationships folder, right-click Relying Party Trusts, and then click Add RelyingParty Trust to open the Add Relying Party Trust Wizard.

On the Welcome page, click Start.

On the Select Data Source page, click Import data about the relying party published online or on a localnetwork. In Federation metadata address (host name or URL), type the federation metadata URL or host namefor the partner, and then click Next.

On the Specify Display Name page type a name in Display name, under Notes type a description for thisrelying party trust, and then click Next.

On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying partyor Deny all users access to this relying party, and then click Next.

On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trustinformation.

On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For moreinformation about how to proceed with adding claim rules for this relying party trust, see the Additionalreferences.

QUESTION 15.

Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. The Active Directory Federation Services (AD FS) role is installed on Server1.

Contoso.com is defined as an account store.

A partner company has a Web-based application that uses AD FS authentication. The partner company plansto provide users from contoso.com access to the Web application. You need to configure AD FS oncontoso.com to allow contoso.com users to be authenticated by the partner company.

What should you create on Server1?

A. a new applicationB. a resource partnerC. an account partnerD. an organization claim

Correct Answer: BSection: Configuring AD Federated Services

Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc737262%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------The role that a federation server plays in either of the Federated Web SSO scenarios (Federated Web SSO orFederated Web SSO with Forest Trust) can depend on whether your organization is designated as the accountpartner or the resource partner:

QUESTION 16.

Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has the Active Directory Federation Services (AD FS) Federation Service role service installed.

You plan to deploy AD FS 2.0 on Server2.

You need to export the token-signing certificate from Server1, and then import the certificate to Server2.

Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)C. DER encoded binary X.509 (.cer)D. Personal Information Exchange PKCS #12 (.pfx)

Correct Answer: DSection: Configuring AD Federated ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784075%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------To export the private key of a token-signing certif icate

Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

Right-click Federation Service, and then click Properties.

On the General tab, click View.

In the Certificate dialog box, click the Details tab.

On the Details tab, click Copy to File.

On the Welcome to the Certificate Export Wizard page, click Next.

On the Export Private Key page, select Yes, export the private key, and then click Next.

On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then clickNext.

On the Password page, type and confirm the password that is required to share the token-signing certificate.You will need this password when you select the exported token-signing certificate when installing theFederation Service.

On the File to Export page, specify the certificate file, and then click Next.

On the Completing the Certificate Export Wizard page, click Finish.

Validate the success of your export by confirming that the file you specified is created at the specifiedlocation

QUESTION 17.

Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm.

The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQLServer.You install AD FS 2.0 on Server2.

You need to add Server2 to the existing AD FS farm.

What should you do?

A. On Server1, run fsconfig.exe.B. On Server1, run fsconfigwizard.exe.C. On Server2, run fsconfig.exe.D. On Server2, run fsconfigwizard.exe.


Explanation/Reference:http://blog.msresource.net/2011/05/23/deploying-a-federation-server-with-a-sql-database/

QUESTION 18.

Your network contains an Active Directory forest.You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in thenetwork. You create a Windows PowerShell script named new-users.ps1 that contains the following lines:

new-aduser user1new-aduser user2new-aduser user3new-aduser user4new-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the script fails tocreate the user accounts.

You need to ensure that the script creates the user accounts.

Which cmdlet should you add to the script?

A. Import-ModuleB. Register-ObjectEventC. Set-ADDomainD. Set-ADUser


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd819454.aspx--------------------------------------------------------------------------------------------Import-Module

Applies To: Windows PowerShell 2.0

Adds modules to the current session.Syntax

Import-Module [-Name] <string[]> [-Alias <string[]>] [-ArgumentList <Object[]>] [-AsCustomObject] [-Cmdlet<string[]>] [-DisableNameChecking] [-Force] [-Function <string[]>] [-Global] [-PassThru] [-Prefix <string>] [-Variable <string[]>] [-Version <Version>] [<CommonParameters>]

Import-Module [-Assembly] <Assembly[]> [-Alias <string[]>] [-ArgumentList <Object[]>] [-AsCustomObject] [-Cmdlet <string[]>] [-DisableNameChecking] [-Force] [-Function <string[]>] [-Global] [-PassThru] [-Prefix<string>] [-Variable <string[]>] [-Version <Version>] [<CommonParameters>]

Import-Module [-ModuleInfo] <PSModuleInfo[]> [-Alias <string[]>] [-ArgumentList <Object[]>] [-AsCustomObject][-Cmdlet <string[]>] [-DisableNameChecking] [-Force] [-Function <string[]>] [-Global] [-PassThru] [-Prefix<string>] [-Variable <string[]>] [-Version <Version>]

QUESTION 19.

Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.

You need to modify the custom attribute value of 500 user accounts.


A. CsvdeB. DsmodC. DsrmD. Ldifde


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731033%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------------Ldifde is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS orActive Directory Lightweight Directory Services (AD LDS) server role installed. To use ldifde, you must run theldifde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

QUESTION 20.

Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.

You need to give the human resources department a file that contains the last logon time and the customattribute values for each user in the forest.

Which should you use?

A. the Dsquery toolB. the Export-CSV cmdletC. the Get-ADUser cmdletD. the Net.exe user command


Explanation/Reference:http://technet.microsoft.com/en-us/library/ff730920.aspx

Exam I

QUESTION 1.

You have a Windows PowerShell script that contains the following code:import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword$_.password}

When you run the script, you receive an error message indicating that the format of the password is incorrect.The script fails.

You need to run a script that successfully creates the user accounts by using the password contained inaccounts.csv.

Which script should you run?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(ConvertTo-SecureString "Password" -AsPlainText -force)}

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(ConvertTo-SecureString $_.Password -AsPlainText -force)}

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(Read-Host -AsSecureString "Password")}

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(Read-Host -AsSecureString $_.Password)}


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd347665.aspx

QUESTION 2.

Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.

Your company's corporate security policy states that the password for each user account must be changed atleast every 45 days.

You have a user account named Service1. Service1 is used by a network application named Application1.Every 45 days, Application1 fails.

After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causesApplication1 to fail. The solution must adhere to the corporate security policy.

What should you do?

A. Run the Set-ADAccountControl cmdlet.B. Run the Set-ADServiceAccount cmdlet.C. Create a new password policy.D. Create a new Password Settings object (PSO).


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee617252.aspx-----------------------------------------------------------------------------------------Set-ADServiceAccount

Modifies an Active Directory service account.Syntax

Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <System.Nullable[System.DateTime]>] [-AccountNotDelegated <System.Nullable[bool]>] [-Add <hashtable>] [-Certificates <string[]>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Enabled <System.Nullable[bool]>] [-HomePage <string>] [-Remove <hashtable>] [-Replace <hashtable>] [-SamAccountName <string>] [-ServicePrincipalNames <hashtable>] [-TrustedForDelegation <System.Nullable[bool]>] [-AuthType{<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server<string>] [-Confirm] [-WhatIf] [<CommonParameters>]

QUESTION 3.

Your network contains an Active Directory forest.

You add an additional user principal name (UPN) suffix to the forest. You need to modify the UPN suffix of allusers.

You want to achieve this goal by using the minimum amount of administrative effort.


A. the Active Directory Domains and Trusts consoleB. the Active Directory Users and Computers consoleC. the Csvde toolD. the Ldifde tool

Correct Answer: BSection: Configuring Domains and TrustsExplanation

Explanation/Reference:http://support.microsoft.com/kb/243629------------------------------------------------------------------Adding a UPN Suffix to a Forest

Open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties. On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forrest. Click Add, and then click OK.

Now when you add users to the forest, you can select the new UPN suffix to complete the user's logon name.

QUESTION 4.

Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2(SP2).

You need to prevent all users from running an application named App1.exe.

Which Group Policy settings should you configure?

A. Application CompatibilityB. AppLockerC. Software InstallationD. Software Restriction Policies


Explanation/Reference:http://technet.microsoft.com/en-us/library/bb457006.aspx--------------------------------------------------------------------------------------Reason : applocker is a W2k3 R2 and Windows 7 feature. Software Restriction Policies applied to vista andearlier.

QUESTION 5.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows XP Service Pack 3 (SP3) or Windows Vista.

You need to ensure that all client computers can apply Group Policy preferences.

What should you do?

A. Upgrade all Windows XP client computers to Windows 7.B. Create a central store that contains the Group Policy ADMX files.C. Install the Group Policy client-side extensions (CSEs) on all client computers.D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

Correct Answer: CSection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731892%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------------Reason: Group Policy Preferences/group policy client side extensions(CSEs) enable information technologyprofessionals to configure, deploy, and manage operating system(xp for example) and application settings theypreviously were not able to manage using Group Policy. After you install this update, your computer will be ableto process the new Group Policy Preference extensions

use Group Policy preferences, complete the following steps:

Install the set of client-side extensions (CSEs) on client computers . Supported operating systems:Windows Vista RTM or later, Windows XP with Service Pack 2 or later, Windows Server 2003 with ServicePack 1 or later Download locations: Windows Vista (x86): http://go.microsoft.com/fwlink/?LinkId=111859Windows Vista(x64): http://go.microsoft.com/fwlink/?LinkID=111857Windows XP (x86): http://go.microsoft.com/fwlink/?LinkId=111851Windows XP (x64): http://go.microsoft.com/fwlink/?LinkId=111862Windows Server 2003 (x86):http://go.microsoft.com/fwlink/?LinkId=111852Windows Server 2003 (x64): http://go.microsoft.com/fwlink/?LinkId=111863 For more information, see Article 943729 in the Microsoft Knowledge Base.

QUESTION 6

.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows 7 or Windows Vista Service Pack 2 (SP2).

You need to audit user access to the administrative shares on the client computers.

What should you do?

A. Deploy a logon script that runs Icacls.exe.B. Deploy a logon script that runs Auditpol.exe.C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.


Explanation/Reference:http://support.microsoft.com/kb/921469------------------------------------------------------------------------------------------------------------------------Reason: Advance audit policy is W2k8 R2 and windows 7 feature.

QUESTION 7.


You need to create a central store for the Group Policy Administrative templates.

What should you do?

A. Run dfsrmig.exe /createglobalobjects.B. Run adprep.exe /domainprep /gpprep.C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies

folder.D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com

\Policies folder.

Correct Answer: CSection: Configuring Group PolicyExplanation

Explanation/Reference:http://support.microsoft.com/kb/929841---------------------------------------------------------------------------------------Create a central store for the Group Policy Adminis trative templates

QUESTION 8.

You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.

You need to identify whether a specific application file is allowed to run on a computer.

Which Windows PowerShell cmdlet should you use?

A. Get-AppLockerFileInformationB. Get-GPOReportC. Get-GPPermissionsD. Test-AppLockerPolicy


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee460960.aspx--------------------------------------------------------------------------------------Test-AppLockerPolicy

Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy.Syntax

Test-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> -Path <String[]> [-User <String>] [-Filter<PolicyDecision[]>] [<CommonParameters>]

Test-AppLockerPolicy [-XMLPolicy] <String> -Path <String[]> [-User <String>] [-Filter <PolicyDecision[]>][<CommonParameters>]

Detailed Description

The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of filesare allowed to run on the local computer for a specific user.

QUESTION 9.

You create a Password Settings object (PSO).

You need to apply the PSO to a domain user named User1.

What should you do?

A. Modify the properties of the PSO.B. Modify the account options of the User1 account.C. Modify the security settings of the User1 account.D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).



QUESTION 10.

You need to create a Password Settings object (PSO).


A. Active Directory Users and ComputersB. ADSI EditC. Group Policy Management ConsoleD. Ntdsutil


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------------Creating a PSO using the Active Directory module fo r Windows PowerShell

To create a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShellsee, Create a New Fine-Grained Password Policy.

QUESTION 11.

Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.

You need to audit the deletion of registry keys on each server.

What should you do?

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.B. From Audit Policy, modify the System Events settings and the Privilege Use settings.C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object

Access Auditing settings.

Correct Answer: DSection: Configuring AD InfrastructureExplanation

Explanation/Reference:Reason : Advanced audit policy configuration is a W2k8 R2 feature( see sceenshot below).

QUESTION 12.

Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.

You need to enable the Active Directory Recycle Bin.


A. the Dsmod toolB. the Enable-ADOptionalFeature cmdletC. the Ntdsutil toolD. the Set-ADDomainMode cmdlet


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd379481%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------------Enabling Active Directory Recycle Bin

After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable ActiveDirectory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)

Ldp.exe

noteNoteIn this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible.After you enable Active Directory Recycle Bin in your environment, it cannot be disabled.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete these procedures.Review details about using the appropriate accounts and group memberships at Local and Domain DefaultGroups (http://go.microsoft.com/fwlink/?LinkId=83477).To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet

Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and thenclick Run as adm

QUESTION 13.

Your network contains a single Active Directory domain.

You need to create an Active Directory Domain Services snapshot.

What should you do?

A. Use the Ldp tool.B. Use the NTDSUtil tool.C. Use the Wbadmin tool.D. From Windows Server Backup, perform a full backup.


Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc781245(WS.10).aspx-------------------------------------------------------------------------------------------------------The following tools are required to perform the procedures for this task:

ADUC

Active Directory Sites and Services

Dcpromo.exe

Ntdsutil.exe

QUESTION 15.

Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008. The functional level of the domain is Windows Server 2008 R2.

All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2. You need toensure that you can enable the Active Directory Recycle Bin.

What should you do?

A. Change the functional level of the forest.B. Change the functional level of the domain.C. Modify the Active Directory schema.D. Modify the Universal Group Membership Caching settings.

Correct Answer: ASection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd379481%28WS.10%29.aspx------------------------------------------------------------------------------------------------------------------Reason : Active directory recycle bin is a W2k8 R2 feature

Enabling Active Directory Recycle Bin

After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable ActiveDirectory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)

Ldp.exe

noteNoteIn this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible.After you enable Active Directory Recycle Bin in your environment, it cannot be disabled.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete these procedures.Review details about using the appropriate accounts and group memberships at Local and Domain DefaultGroups (http://go.microsoft.com/fwlink/?LinkId=83477).To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet

Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and thenclick Run as adm.

QUESTION 16.

Your network contains an Active Directory domain. The domain contains several domain controllers.All domain controllers run Windows Server 2008 R2.

You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server2008 R2 default settings.

What should you do?

A. Run dcgpofix.exe /target:dc.B. Run dcgpofix.exe /target:domain.C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc739095%28WS.10%29.aspxhttp://technet.microsoft.com/en-us/library/cc739095(WS.10).aspx-----------------------------------------------------------------------------------------------------------------The default domain GPOs become corrupted and there are no GPO backups for the Default Domain PolicyGPO and Default Domain Controller Policy GPO.

Cause

The default domain GPOs are corrupted (for example, because of misconfiguration) and you do not havebacked up versions of the Default Domain Policy GPO or the Default Domain Controller Policy GPO.

Solution

If you are in a disaster recovery scenario, you may consider using the Dcgpofix tool. If you use the Dcgpofixtool, it is strongly recommended that as soon as you run it, you review the security settings in these GPOs andmanually adjust the security settings to suit your requirements.

To run Dcgpofix

Type the following at the command prompt: dcgpofix [/ignoreschema][/target: {domain | dc | both}]

Where:

/ignoreschema is an optional parameter. If you set this parameter, the Active Directory schema version numberis ignored.

/target: {domain | dc | both} is an optional parameter that specifies the target domain, domain controller, or both.If you do not specify /target, dcgpofix uses both by default.noteNoteDcgpofix.exe is located in the C:\Windows\Repair folder.

You must be a domain or enterprise Administrator to use this tool.

QUESTION 17.

Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllernamed DC3 and DC4.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003.

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, anadministrator deletes a user account while he is logged on to DC1. You need to restore the deleted useraccount. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. On DC1, run the Restore-ADObject cmdlet.B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory

Domain Services.D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active

Directory Domain Services.

Correct Answer: DSection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/ee617262.aspx-----------------------------------------------------------------------------------------Reason : B is incorrect because the functional level of the forest must be W2k8 R2 to use restore-adobjectcmdlet( It is an AD recycled bin feature).

QUESTION 18.

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.You update a script in the SYSVOL folder.

You discover that the new script fails to run properly. You need to restore the previous version of the script inthe SYSVOL folder. The solution must minimize the amount of time required to restore the script.


A. Run the Restore-ADObject cmdlet.B. Restore the system state to its original location.C. Restore the system state to an alternate location.D. Attach the VHD file created by Windows Server Backup.

Correct Answer: DSection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:http://social.technet.microsoft.com/Forums/en-US/windowsbackup/thread/c5368a79-571a-4642-a017-

4341cd63ab43/--------------------------------------------------------------------------------------------------Attach the VHD file created by Windows Server Backu p

QUESTION 19.

Your network contains an Active Directory domain.

You need to restore a deleted computer account from the Active Directory Recycle Bin.

What should you do?

A. From the command prompt, run recover.exe.B. From the command prompt, run ntdsutil.exe.C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee617262.aspx-------------------------------------------------------------------------------------Restore-ADObject cmdlet

QUESTION 20.

You need to back up all of the group policies in a domain.

The solution must minimize the size of the backup.


A. the Add-WBSystemState cmdletB. the Group Policy Management consoleC. the Wbadmin toolD. the Windows Server Backup feature


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc782589%28WS.10%29.aspxhttp://technet.microsoft.com/en-us/library/cc782589(WS.10).aspx----------------------------------------------------------------------------------------------------------------------Back up a Group Policy object using GPMC

Open Group Policy Management.

In the console tree, double-click Group Policy Objects in the forest and domain containing the GroupPolicy object (GPO) that you want to back up.

Where?

Forest name/Domains/Domain name/Group Policy Objects

To backup a single GPO, right-click the GPO, and then click Back Up . To backup all GPOs in the domain,right-click Group Policy Objects and click Back Up All .

In the Backup Group Policy Object dialog box, in the Location box, enter the path to the location atwhich you want to store the GPO backup(s), or click Browse , locate the folder in which you want to store theGPO backup(s), and then click OK.

In the Description box, type a description for the GPO(s) that you want to back up, and then click Backup .If you are backing up multiple GPOs, the description will apply to all GPOs you back up.

After the operation completes, click OK.

Important

To secure backed up GPOs, ensure that only authorized administrators have permission to access the folder towhich you are exporting the GPO.

Exam J

QUESTION 1.

You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.

You need to ensure that you can recover the private key of a certificate issued to a Web server.

What should you do?

A. From the CA, run the Get-PfxCertificate cmdlet.B. From the Web server, run the Get-PfxCertificate cmdlet.C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc737187(WS.10).aspx----------------------------------------------------------------------------------------------------------Export certificates from the commandline

You can use certutil.exe to export Private key certificates by name from a command line or you can downloadcertexport.exe from http://www.wintools.com.au/

QUESTION 2.


The network contains a single Active Directory domain. The main office contains a domain controller namedDC1.

You need to install a domain controller in the branch office by using an offline copy of the Active Directorydatabase.


A. From the Ntdsutil tool, create an IFM media set.B. From the command prompt, run djoin.exe /loadfile.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the get-ADDomainController cmdlet.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc816574(WS.10).aspx------------------------------------------------------------------------------------------------------To create installation media for IFM

Open a command prompt (cmd.exe) as an administrator. To open a command prompt as an administrator,

click Start . In Start Search , type Command Prompt . At the top of the Start menu, right-clickCommand Prompt , and then click Run as administrator . If the User Account Control dialogbox appears, enter the appropriate credentials (if requested) and confirm that the action it displays is what youwant, and then click Continue .At the command prompt, type the following command, and then press ENTER:

ntdsutil

At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds

At the ntdsutil prompt, type the following command, and then press ENTER:

ifm

At the ifm prompt, type the command for the type of installation media that you want to create, and then pressENTER. For example, to create installation media for a writable domain controller with SYSVOL, type thefollowing command:

create sysvol full <Drive>:\<InstallationMediaFolde r>

Where <Drive>:\<InstallationMediaFolder> is the path to the folder where you want the installationmedia to be created. You can save the installation media to a network shared folder or to removable media.The IFM process creates a temp database in the %TMP% folder. You need at least 110% of the size of the ADDS or AD LDS database free on the drive where the %TMP% folder is in order for the operation to succeed.You can redirect the %TMP% folder to another disk on the server in order to use more space.

Important

If you create installation media with SYSVOL, use Robocopy.exe to copy the installation media from whereit is saved to the destination domain controller that you want to add to the domain

QUESTION 3.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. Thefunctional level of the domain is Windows Server 2003. All client computers run Windows 7.

You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline domain join ofServer1.



A. From Server1, run djoin.exe.B. From Server1, run netdom.exe.C. From a Windows 7 computer, run djoin.exe.D. Upgrade one domain controller to Windows Server 2008 R2.E. Raise the functional level of the domain to Windows Server 2008.

Correct Answer: ACSection: Maintaining the AD EnvironmentExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx (Offline DomainJoin (Djoin.exe) Step-by-Step Guide)-----------------------------------------------------------------------------------------------------------------------------------------------Reason : Requirement must be W2k8 R2 DC and Windows 7 to use djoin,exe

QUESTION 4.

You have an Active Directory snapshot.

You need to view the contents of the organizational units (OUs) in the snapshot.

Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.mscB. ntdsutil.exe, dsamain.exe, and dsa.mscC. wbadmin.msc, dsamain.exe, and netdom.exeD. wbadmin.msc, ntdsutil.exe, and explorer.exe


Explanation/Reference:http://social.technet.microsoft.com/Search/en-US?query=dsa.msc&ac=8---------------------------------------------------------------------------------------------------------------Run Ntdsutil .exe to list the snapshots that are availableRun Dsamain .exe to expose the snapshot volumeRUN dsa.msc = ADUC

-----------------------------------------------------------------------------------------------------------How should I prepare to deploy this feature?

The process for using the Active Directory database mounting tool includes the following steps:Although it is not a requirement, you can schedule a task that regularly runs Ntdsutil.exe to take snapshots ofthe volume that contains the AD DS database.

Run Ntdsutil.ex e to list the snapshots that are available , and mount the snapshot that you want to view.

Run Dsamain.exe to expose the snapshot volume as an LDAP server.

Dsamain.exe takes the following arguments:

AD DS database (Ntds.dit) path. By default this path is opened as read-only, but it must be ASCII.

Log path. This can be a temporary path, but you must have write access.

Four port numbers for LDAP, LDAP-SSL, Global Catalog, and Global Catalog–SSL. Only the LDAP port isrequired. If the other ports are not specified, they use LDAP+1, LDAP+2, and LDAP+3, respectively. Forexample, if you specify LDAP port 41389 without specifying other port values, the LDAP-SSL port uses port41390 by default, and so on.

To stop Dsamain, press CTRL+C in the Command Prompt window or, if you are running the commandremotely, set the stopservice attribute on the rootDSE object.

Run and attach Ldp.exe to the snapshot’s LDAP port that you specified when you exposed the snapshot as anLDAP server in the previous step.

Browse the snapshot just as you would with any live domain controller.

QUESTION 5.

Your network contains a domain controller that runs Windows Server 2008 R2. You run the following commandon the domain controller:dsamain.exe dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport 389 -allowNonAdminAccess

The command fails.

You need to ensure that the command completes successfully.

How should you modify the command?

A. Include the path to Dsamain.B. Change the value of the dbpath parameter.C. Change the value of the ldapport parameter.D. Remove the allowNonAdminAccess parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx-------------------------------------------------------------------------------------------------------------Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide

At the elevated command prompt, type the following command, and then press ENTER. Be sure to include aspace between the name of the parameter and the value that you specify.

dsamain /dbpath <path_to_database_file> /ldapport < port_#>

If you plan to view the snapshot data on a domain controller, specify ports that are different from the ports thatthe domain controller will use.

For example, type: dsamain /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389

A message indicates that Active Directory Domain Services startup is complete.

QUESTION 6.

Your network contains an Active Directory domain. The domain contains five domain controllers. A domaincontroller named DC1 has the DHCP role and the file server role installed.

You need to move the Active Directory database on DC1 to an alternate location. The solution must minimizeimpact on the network during the database move.


A. Restart DC1 in Safe Mode.B. Restart DC1 in Directory Services Restore Mode.C. Start DC1 from Windows PE.D. Stop the Active Directory Domain Services service on DC1.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc794895(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc732714(WS.10).aspx (Restartable AD DS Step-by-Step Guide)-----------------------------------------------------------------------------------------------------Relocating the Active Directory Database Files

net use, net stop, net start

QUESTION 7.


The network contains an Active Directory forest. The forest contains three domains. The branch office containsone domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a fileserver.

You remove the global catalog from DC5.

You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impacton all users in the branch office.


A. Start DC5 in Safe Mode.B. Start DC5 in Directory Services Restore Mode.C. On DC5, start the Protected Storage service.D. On DC5, stop the Active Directory Domain Services service.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732714(WS.10).aspx (Restartable AD DS Step-by-Step Guide)

QUESTION 8.

Your network contains a domain controller that runs Windows Server 2008 R2.

You need to change the location of the Active Directory log files.


A. Dsamain

B. DsmgmtC. DsmoveD. Ntdsutil


Explanation/Reference:http://support.microsoft.com/kb/257420-----------------------------------------------------------------------------------------------------How To Move the Ntds.dit File or Log Files

Moving a Database or Log File

Restart the domain controller.Press F8 at the Startup menu, and then click Directory Services Restore Mode.

Select the appropriate installation if more than one exists, and then log on as an administrator at the logonprompt.Start a command prompt, and then type ntdsutil.exe.

NOTE: To get a list of commands that you can use at the Ntdsutil prompt, type ?.

At a Ntdsutil prompt, type files.At the File Maintenance prompt, use one or both of the following procedures: To move a database, type move db to %s, where %s is the drive and folder where you want the databasemoved. To move log files, type move logs to %s, where %s is the drive and folder where you want the log files moved.To view the log files or database, type info . To verify the integrity of the database at its new location, typeintegrity .Type quit, and then type quit to return to a command prompt.Restart the computer in Normal mode.

NOTE: When you move the database and log files, you must back up the domain controller.

QUESTION 9.

Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You deploy anew server that runs Windows Server 2008 R2. The server is not connected to the internal network.

You need to ensure that the new server is already joined to the domain when it first connects to the internalnetwork.

What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, runsysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, runsysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server,run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server,run djoin.exe and specify the /provision parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx------------------------------------------------------------------------------------------------------------------------------------------Offline Domain Join (Djoin.exe) Step-by-Step Guide

Steps for performing an offline domain join

The offline domain join process includes the following steps:

Run the djoin.exe /provision command to create computer account metadata for the destinationcomputer (the computer that you want to join to the domain). As part of this command, you must specify thename of the domain that you want the computer to join.

Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windowsdirectory of the destination computer.

When you start the destination computer, either as a virtual machine or after a complete operating systeminstallation, the computer will be joined to the domain that you specify

QUESTION 10.

Your network contains an Active Directory domain. The domain contains four domain controllers.You modify the Active Directory schema.

You need to verify that all the domain controllers received the schema modification.


A. dcdiag.exe /aB. netdom.exe query fsmoC. repadmin.exe /showrepl *D. sc.exe query ntds



Reason : * means all controllers.

repadmin

/showrepl Displays the replication status when specified domain controller last attempted to inbound replicate Active Directory partitions.

QUESTION 11.

You remotely monitor several domain controllers.

You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query to retrieveinformation from the bios of each domain controller.

Which format should you use to write the query?

A. XrMLB. XMLC. WQLD. HTML


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc181217.aspx------------------------------------------------------------------------------------------------------------------------------------------Reason : the WMI Query Language (WQL) is a subset of the American National Standards Institute StructuredQuery Language (ANSI SQL) with minor semantic changes. Queries built using WQL are used to control theWMI Service.

WMI Query Language

WQL is part of the WMI standard. You can review WQL statements associated with the predefined queriesprovided in the SMS Administrator console to learn more about WQL.

To view the WQL query statement associated with a p redefined query

In the SMS Administrator console, navigate to Queries .Right-click a predefined query and click Properties .

In the Query Statement Properties dialog box, click the General tab, and then click Show QueryLanguage .

The WQL query statement appears in the Query Statement text box.

A complete description of WQL can be found in the Windows Management Instrumentation SDK, which isavailable for download from the MSDN Web site at http://msdn.microsoft.com.

QUESTION 12.

Your network contains an Active Directory domain named contoso.com. The domain contains five domaincontrollers.

You add a logoff script to an existing Group Policy object (GPO). You need to verify that each domain controllersuccessfully replicates the updated group policy.

Which two objects should you verify on each domain controller?


A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.iniB. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol

C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com containerD. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc736355(WS.10).aspx------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 13.

Your network contains an Active Directory domain that contains five domain controllers. You have amanagement computer that runs Windows 7.

From the Windows 7 computer, you need to view all account logon failures that occur in the domain.

The information must be consolidated on one list.

Which command should you run on each domain controller?

A. Wecutil.exe qcB. Wevtutil.exe gliC. Winrm.exe quickconfigD. Winrshost.exe


Explanation/Reference:http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/ce100458-54f8-4af0-96ed-48446a8e3f30------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 14.

You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2.

The domain contains five domain controllers. You need to monitor the replication of the group policy templatefiles.


A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl


Explanation/Reference:http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx------------------------------------------------------------------------------------------------------------------------------------------Reason : Dfsrdiag can be used to replicate sysvol if the DC is running 2008 R2.

QUESTION 15.

You create a new Active Directory domain. The functional level of the domain is Windows Server 2003.

The domain contains five domain controllers that run Windows Server 2008 R2.

You need to monitor the replication of the group policy template files.


A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc962211.aspxhttp://technet.microsoft.com/en-us/library/cc728265(WS.10).aspx------------------------------------------------------------------------------------------------------------------------------------------Reason: ntfrsutl will be used to replicate sysvol if the functional level is 2008 and below. If you want to usedfsrdiag to replicate sysvol, the functional level must be at 2008 R2.

QUESTION 16.

You have a domain controller named Server1 that runs Windows Server 2008 R2.

You need to determine the size of the Active Directory database on Server1.

What should you do?

A. Run the Active Directory Sizer tool.B. Run the Active Directory Diagnostics data collector set.C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Correct Answer: CSection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc961761.aspx------------------------------------------------------------------------------------------------------------------------------------------Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separatelocations on a given domain controller:

%SystemRoot%\NTDS\Ntds.dit This file stores the database that is in use on the domain controller. Itcontains the values for the domain and a replica of the values for the forest (the Configuration container data).

%SystemRoot%\System32\Ntds.dit This file is the distribution copy of the default directory that is usedwhen you promote a Windows 2000 – based computer to a domain controller. The availability of this file allowsyou to run the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000Server operating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this newcopy of the file, and replication updates the file from other domain controllers.

QUESTION 17.

You need to receive an e-mail message whenever a domain user account is locked out.


A. Active Directory Administrative CenterB. Event ViewerC. Resource MonitorD. Security Configuration Wizard

Correct Answer: BSection: Configuring AD Backup-RestoreExplanation


QUESTION 18.

Your network contains an Active Directory domain named contoso.com. You have a management computernamed Computer1 that runs Windows 7.

You need to forward the logon events of all the domain controllers in contoso.com to Computer1.

All new domain controllers must be dynamically added to the subscription.

What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate onComputer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificateon Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).


Explanation/Reference:http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx------------------------------------------------------------------------------------------------------------------------------------------Configuring the event source computer

Run the following command from an elevated privilege command prompt on the Windows Server domaincontroller to configure Windows Remote Management: winrm qc -q

Start group policy by running the following command:

%SYSTEMROOT%\System32\gpedit.msc

Under the Computer Configuration node, expand the Administrative Templates node, then expand theWindows Components node, then select the Event Forwarding node.Right-click the SubscriptionManager setting, and select Properties. Enable the SubscriptionManager setting,and click the Show button to add a server address to the setting. Add at least one setting that specifies theevent collector computer. The SubscriptionManager Properties window contains an Explain tab that describesthe syntax for the setting.After the SubscriptionManager setting has been added, run the following command to ensure the policy isapplied:

gpupdate /force

Configuring the event collector computer

Run the following command from an elevated privilege command prompt on the Windows Server domaincontroller to configure Windows Remote Management:

winrm qc -q

Run the following command to configure the Event Collector service:

wecutil qc /q

Create a source initiated subscription. This can either be done programmatically, by using the Event Viewer, orby using Wecutil.exe. For more information about how to create the subscription programmatically, see thecode example in Creating a Source Initiated Subscription. If you use Wecutil.exe, you must create an eventsubscription XML file and use the following command:

wecutil cs configurationFile.xml

The following XML is an example of the contents of a subscription configuration file that creates a source-initiated subscription to forward events from the Application event log of a remote computer to theForwardedEvents log on the event collector computer.

QUESTION 19.

Your network contains an Active Directory domain that has two sites.

You need to identify whether logon scripts are replicated to all domain controllers.

Which folder should you verify?

A. GroupPolicy

B. NTDSC. SoftwareDistributionD. SYSVOL



QUESTION 20.

You install a standalone root certification authority (CA) on a server named Server1.

You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the localcomputer's Trusted Root Certification Authorities store.

Which command should you run on Server1?

A. certreq.exe and specify the -accept parameterB. certreq.exe and specify the -retrieve parameterC. certutil.exe and specify the -dspublish parameterD. certutil.exe and specify the -importcert parameter


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc962081.aspx------------------------------------------------------------------------------------------------------------------------------------------

Exam K

QUESTION 1.

Your network contains an Active Directory forest. The forest contains two domains. You have a standalone rootcertification authority (CA).

On a server in the child domain, you run the Add Roles Wizard and discover that the option to select anenterprise CA is disabled.

You need to install an enterprise subordinate CA on the server.

What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domainB. an account that is a member of the Certificate Publishers group in the forest root domainC. an account that is a member of the Schema Admins group in the forest root domainD. an account that is a member of the Enterprise Admins group in the forest root domain


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784465(WS.10).aspx------------------------------------------------------------------------------------------------------------------------------------------Reason: Enterprise administrator privileges on the DNS, Active Directory, and CA servers. This is especiallyimportant because setup modifies information in numerous places, some of which require enterpriseadministrator privileges.

QUESTION 2.

You have an enterprise subordinate certification authority (CA). You have a group named Group1.

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must notbe allowed to revoke certificates.

What should you do?

A. Add Group1 to the local Administrators group.B. Add Group1 to the Certificate Publishers group.C. Assign the Manage CA permission to Group1.D. Assign the Issue and Manage Certificates permission to Group1.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753724.aspx------------------------------------------------------------------------------------------------------------------------------------------Reason : Only CA admin can Manage Certificate Revocation. "B" can only publish normal certificate template.

QUESTION 3.

You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recoveryagent certificates are issued.The CA is configured to use two recovery agents.

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

What should you do?

A. Add a data recovery agent to the Default Domain Policy.B. Modify the value in the Number of recovery agents to use box.C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc962113.aspx------------------------------------------------------------------------------------------

QUESTION 4.

You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardwaresecurity module.

You need to back up Active Directory Certificate Services on the CA.


A. certutil.exe backupB. certutil.exe backupdbC. certutil.exe backupkeyD. certutil.exe store


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732443(WS.10).aspx----------------------------------------------------------------------------------------------------certutil.exe

-back up - Backup Active Directory Certificate Services -backupDB - Backup the Active Directory Certificate Services database

-backupKey - Backup the Active Directory Certificate Services certificate and private key

QUESTION 5.

You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template.

You need to ensure that all of the users in the domain automatically enroll for a certificate based on the customcertificate template.



A. In a Group Policy object (GPO), configure the autoenrollment settings.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd379539(WS.10).aspx

QUESTION 6.

You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificatetemplate.

Users can enroll for certificates based on the custom certificate template by using the Certificates console.

The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template isavailable on the Web enrollment pages.

What should you do?

A. Run certutil.exe pulse.B. Run certutil.exe installcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc783016%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------Creating a Version 2 Certificate Template

To create a new version 2 certificate template

Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as auser who has been granted permission to perform this task.

Open the Certificate Templates MMC console (Certtmpl.msc).

In the details pane, right-click an existing certificate that will serve as the starting point for the new certificate,and then click Duplicate Template.

On the General tab, enter the Template display name and the template name, and then click OK.

Define any additional attributes for the newly created version 2 certificate template.

QUESTION 7.

You have an enterprise subordinate certification authority (CA). You have a custom certificate template that hasa key length of 1,024 bits. The template is enabled for autoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the newtemplate.

Which console should you use?

A. Active Directory Administrative CenterB. Certification AuthorityC. Certificate TemplatesD. Group Policy Management


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc783016(WS.10).aspx-------------------------------------------------------------------------------------------------------

QUESTION 8.

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.The functional level of the domain is Windows Server 2003. You have a certification authority (CA).

The relevant servers in the domain are configured as shown in the following table:

Server name Operating system Server role

Server1 Windows Server 2003 Enterprise root CA

Server2 Windows Server 2008 Enterprise subordinate CA

Server3 Windows Server 2008 R2 Web Server

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate EnrollmentWeb Service on the network.

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.B. Upgrade Server2 to Windows Server 2008 R2.C. Raise the functional level of the domain to Windows Server 2008.D. Install the Windows Server 2008 R2 Active Directory Schema updates.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx---------------------------------------------------------------------------------------------------

QUESTION 9

Your company has an Active Directory forest that contains multiple domain controllers. The domain controllersrun Windows Server 2008.You need to perform an an authoritative restore of a deleted orgainzational unit and its child objects.Which four actions should you perform in sequence? (To answer, move the appropriate four actions from thelist of actions to the answer area, and arrange them in the correct order.)


Correct Answer:

Section: Maintaining the AD EnvironmentExplanation


Exam L

QUESTION 1Your network contains an Active Directory domain named contoso.comThe properties of the contoso.com DNS zone are configured as shown in the exhibit. You need to update all service location (SRV) records for a domain controller in the domain.

What should you do?

Exhibit:

A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772362.aspx-----------------------------------------------------------------------------------------

QUESTION 2Your network contains an Active Directory domain. The domain contains a group named Group1.The minimum password lenght for the domain is set to six characters.you need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other usersmust be able to use passwords that are six characters long.


A. Run the New-ADFineGrainedPasswordPolicy cmdlet.B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.C. From the Default Domain Policy, modify the password policy.D. From the Default Domain Controller Policy, modify the password policy.


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee617238.aspx-------------------------------------------------------------------------------------------------------------------------------Important : For the fine-grained password and account lockout policies to function properly in a given domain,the domain functional level of that domain must be set to Windows Server 2008.

QUESTION 3Your network contains an Active Directory domain.A user named User1 takes a leave of absence for one year.You need to restrict access to the User1 user account while User1 is away.

What should you do?

A. From the Default Domain Policy, modify the account lockout settings.B. From the Default Domain Controller Policy, modify the account lockout settings.C. From the properties of the user account, modify the Account options.D. From the properties of the user account, modify the Session settings.



QUESTION 4Your network contain 10 domain controller that run Windows Server R2.The network contain a member server that is configured to collect all of events that occur on the domaincontrollers.Your need to ensure that administrators are notified when a specific event occurs on any of the domaincontrollers. You want to achive the goal by using the minimum amount effort.What should you do?

A. From Event Viewer on the member server, create a subscription.B. From Event Viewer on each domain controller, create a subscription.C. From Event Viewer on the member server, run the Create Basic Task Wizard.D. From Event Viewer on each domain controller,run the Create Basic Task Wizard.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc748900.aspx--------------------------------------------------------------------------------------------------Run a Task in Response to a Given Event Applies To: Windows 7, Windows Server 2008 R2, Windows VistaYou can configure a task to run when an event meeting specified criteria is logged.

To Run a Task in Response to a Given Event

Start Event Viewer.In the console tree, navigate to the log that contains the event you want to associate with a task.Right-click the event and select Attach Task to This Event .Perform each step presented by the Create Basic Task Wizard .

Additional Considerations

You cannot assign a task to an event in a saved log.

You cannot assign a task to an event in an analytic or debug log.

QUESTION 5Your network contains an Active Directory domain controller named DC1. DDC1 runs Windows Server 2008R2.You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.


A. At the command prompt, run net stop ntds.B. At the command prompt, run net stop netlogon.C. Restart DC1 in Safe Mode.D. Restart DC1 in Directory Services Restore Mode (DSRM).



------------------------------------------------------------------------------------------------------To perform offline defragmentation of the directory database

Compact the database file to a local directory or remote shared folder, as follows:

Local directory: Go to step 2.

Remote directory: If you are compacting the database file to a shared folder on a remote computer, beforeyou stop AD DS, prepare a shared directory on a remote server in the domain. For example, create the share \\ServerName\NTDS. Allow access to only the Builtin Administrators group. On the domain controller, map anetwork drive to this shared folder.

Important You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy ona network drive. If the compaction of the database does not work properly, you can then easily restore thedatabase by copying back the copy of the Ntds.dit file that you made. Do not delete this copy of theNtds.dit file until you have verified that the domain controller starts properly.

Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt , andthen click Run as administrator . If the User Account Control dialog box appears, providecredentials, if required, and then click Continue .

At the command prompt, type the following command, and then press ENTER:net stop ntds Type Y to agree to stop additional services, and then press ENTER.At the command prompt, type ntdsutil , and then press ENTER.At the ntdsutil prompt, type activate instance ntds , and then press ENTER.At the ntdsutil prompt, type files , and then press ENTER.If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to<drive>:\ <LocalDirectoryPath> (where <drive>:\ <LocalDirectoryPath> is the path to alocation on the local computer), and then press ENTER.If you mapped a drive to a shared folder on a remote computer, type the drive letter only, for example, compact to K:\ .

Note When you compact the database to a local drive, you must provide a path. If the path contains anyspaces, enclose the entire path in quotation marks (for example, compact to "c:\new folder" ). Ifthe directory does not exist, Ntdsutil.exe creates the directory and then creates the file named Ntds.dit inthat location. If defragmentation completes successfully, type quit , and then press ENTER to quit the filemaintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. Go to step 9.If defragmentation completes with errors, go to step 12.

Caution Do not overwrite the original Ntds.dit file or delete any log files. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to:To delete all the log files in the log directory, type the following command, and then press ENTER:

del <drive>:\<pathToLogFiles>\*.log

Ntdsutil provides the correct path to the log files in the onscreen instructions.

Note You do not have to delete the Edb.chk file. You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on asecured network drive. If the compaction of the database does not work properly, you can then easily restorethe database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you have

at least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.ditfile to preserve it. Avoid overwriting the original Ntds.dit file.

Manually copy the compacted database file to the original location, as follows:

copy “<temporaryDrive>:\ntds.dit” “<originalDrive>: \<pathToOriginalDatabaseFile>\ntds.dit”

Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file.

At the command prompt, type ntdsutil , and then press ENTER.At the ntdsutil: prompt, type files , and then press ENTER.At the file maintenance: prompt, type integrity , and then press ENTER.If the integrity check fails, the likely cause is that an error occurred during the copy operation in step 9.c. Repeatsteps 9.c through step 12. If the integrity check fails again:Contact Microsoft Customer Service and Support.

Or

Copy the original version of the Ntds.dit file that you preserved in step 9.b. to the original database location, andrepeat the offline defragmentation procedure.

If the integrity check succeeds, proceed as follows:If the initial compact to command failed, go back to step 7 and perform steps 7 through 12.

If the initial compact to command succeeded, type quit and press ENTER to quit the filemaintenance: prompt, and then type quit and press ENTER again to quit Ntdsutil.exe.

Restart AD DS. At the command prompt, type the following command, and then press ENTER:net start ntds

QUESTION 6Your company uses an application that stoares data in an Active Directory Lightweight Directory Services (ADLDS) instance named instance1.You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)You need to ensure that you can take a snapshot of Instance1.What should you do?

Exhibit:

A. At the command prompt, run net start VSS.B. At the command prompt, run net start Instance1.C. Set the Start Type for the Instance1 service to Disabled.D. Set the Start Type for the Volume Shadow Copy Service (VSS) to Manual.

Correct Answer: ASection: Configuring AD LDSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/ee264220(WS.10).aspx----------------------------------------------------------------------------------------------------------

QUESTION 7Your network contains an Active Directory domain named contoso.com. All domain controllers and memberservers run Windows Server 2008. All client computer run Windows 7.From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings inthe Default Domain Policy Group Policy object (GPO).You discover that the audit policy is not applied to the member servers. The audit policy is applied to the clientcomputers.You need to ensure that the audit policy is applied to all member servers and all client computers.

What should you do?

A. Add a WMI filter to the Default Domain Policy GPOB. Modify the security settings of the Default Domain Policy GPOC. Configure a startup script that runs auditpol.exe on the member servers.D. Configure a startup script that runs auditpol.exe on the domain controllers.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731654(WS.10).aspx----------------------------------------------------------------------------------------------------------Advanced audit policy is a 2k8 R2 feature.After applying the policy, make sure "apply group policy" is enable . See screenshot below.

QUESTION 8Your network contains an Active Directory domain. The domain contains 1000 user accounts.You have a list that contains the mobile phone number of each userYou need to add the mobile number of each user to Active Directory.

What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exeB. Create a fila that contains the mobile phone numbers, and then run csvde.exeC. From Adsiedit, select the CN=Users container, and then mofify the properties of the container.D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the

users.


Explanation/Reference:http://support.microsoft.com/kb/237677----------------------------------------------------------------------------------------------------------

QUESTION 9Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way foresttrust exists between contoso.com and nwtraders.com. The forest trust is configured to use selectiveauthentication.Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify

NTFS permissions for the Marketing folder are assignes to the G_Marketing group.Members of G_Marketing report that they cannot accesss the Marketing folder.You need to ensure that the G_Marketing members can accesss the folder from the network.


What should you do?

A. From Windows Explorer, modify the NTFS permissions of the folderB. From Windows Explorer, modify the share permissions of the folderC. From Active Directory Users and Computers, modify the computer object for Server1D. From Active Directory Users and Computers, modify the group object for G_Marketing


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc780479(WS.10).aspx----------------------------------------------------------------------------------------------------------To create a forest trust


In the console tree, right-click the domain node for the forest root domain, and then click Properties .

On the Trust tab, click New Trust , and then click Next .

On the Trust Name page, type the DNS name (or NetBIOS name) of another forest, and then click Next .

On the Trust Type page, click Forest trust , and then click Next .

On the Direction of Trust page, do one of the following:

To create a two-way, forest trust, click Two-way .

Users in this forest and users in the specified forest can access resources in either forest.

To create a one-way, incoming forest trust, click One-way:incoming .

Users in the specified forest will not be able to access any resources in this forest.

To create a one-way, outgoing forest trust, click One-way:outgoing .

Users in this forest will not be able to access any resources in the specified forest.

Continue to follow the wizard.

QUESTION 10Your network contains an Active Directory domain named contoso.com. Contoso.com contains three

servers.The servers are configure as shown in the following table.

Server name Server roel ServiceServer1 Certification authority (CA)Server2 Certificate Enrollment Web ServiceServer3 Certificate Enrollment Policy Web Service

You need to ensure that users can manually enroll and renew their certificates by using the CertificateEnrollment Web Service.

Which two actions should you perform? (Each corrent answer presents part of the solution. Choose two).

A. Configure the policy module setting.B. Configure the issuance requirements for the certificate templates.C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.D. Configure the delegation setting for the Certification Enrollment Web Service application pool account.

Correct Answer: BCSection: Configuring AD Certificate ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732517(WS.10).aspx----------------------------------------------------------------------------------------------------------

QUESTION 11Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 Standard.You need to install an enterprise subordinate certification authority (CA) that support private key archival. Youmust achieve this goal by using the minimum amount of administrative effort.What do you do first?

A. Initialize the Trusted Platform Module (TPM)B. Upgrade the menber server to Windows Server 2008 R2 Enterprise.C. Install the Certificate Enrollment Policy Web Service role service on the member server.D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services -

Certification Authority server role template check box.


Explanation/Reference:http://download.microsoft.com/download/F/C/6/FC6006B5-866E-42C1-88F8-9AC4B8BC610D/WS%20Brand%20Pages%20-%20Editions%20Comparison%20Guide.pdf----------------------------------------------------------------------------------------------------------The follow support private key archival :

QUESTION 12Your company has four offices.The network contains a single Active Directory domain.Each office has domain controller. Each office has an organitational unit (OU) that contains the user accountsfor the users in that office.In each office, support technicians perform basic troubleshooting for the users in their respective office.You need to ensure that the support technicians can reset the password for the user accounts in theirrespective office only. The solution must prevent the thechnicians from creating user accounts.What shoul you do?

A. Four each OU, run the Delegation of Control Wizard.B. For the domain, run the Delegation of Control Wizard.C. For each office, create an Active Directory group, and then modify the security setting for each group.D. For each office, create an Active Directory group, and then modify the contorlAccessRights attirbute for

each group.



http://technet.microsoft.com/en-us/library/dd145442.aspxhttp://technet.microsoft.com/en-us/library/dd145344.aspx----------------------------------------------------------------------------------------------------------Delegate the following common tasks The following are common tasks that you can select to delegate control of them:

Create, delete, and manage user accounts

Reset user passwords and force password change at next logon

Read all user information

Modify the membership of a group

Join a computer to a domain

Manage Group Policy links

Generate Resultant Set of Policy (Planning)

Generate Resultant Set of Policy (Logging)

Create, delete, and manage inetOrgPerson accounts

Reset inetOrgPerson passwords and force password change at next logon

Read all inetOrgPerson information

Create a custom task to delegate

Select this option to create a custom task if the task that you want to delegate does not appear in the list ofcommon tasks.

QUESTION 13You need to compact an Active Directory database on a domain controller that runs windows Server 2008 R2.What should you do?

A. Run defrag.exe /a /c.B. Run defrag.exe /c /u.C. Form Ntdsutil, use the Files option.D. From Ntdsutil, use the Metadata cleanup option.

Correct Answer: CSection: Configuring AD Backup-RestoreExplanation

Explanation/Reference:http://support.microsoft.com/kb/816120----------------------------------------------------------------------------------------------------------How To Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows Server 2003

QUESTION 14Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers. The domain controllers are configured as show in the following table.------------------------------------------------------------------------------------------------------------------------------------- Server Server IP Address Server site-------------------------------------------------------------------------------------------------------------------------------------

DC1 10.1.1.1/16 Default-First-Site-Name

DC2 10.1.1.2/16 Default-First-Site-Name-------------------------------------------------------------------------------------------------------------------------------------All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240You need to minimize the number of client authentication requests send to DC2.What should you do?

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign thesubnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign thesubnet to Site1. Move DC1 to Site1.

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign thesubnet to Site1. Move DC2 to Site1.

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign thesubnet to Site1. Move DC2 to Site1.

Correct Answer: CSection: AD Sites & ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730868.aspxhttp://technet.microsoft.com/en-us/library/cc730718.aspx----------------------------------------------------------------------------------------------------------Checklist: Configure an Additional Site

Updated: December 30, 2008



Creating the site



QUESTION 15Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zonefor contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com

The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com

Which two actions should you perform? (Each correct answers presents part of the solution. Choose two.)

Exhibit:

A. Create a zone delegation record in the contoso.com zoneB. Create a zone delegation record in the eu.contoso.com zoneC. Create an Active Directory-integrated zone for _msdsc.contoso.comD. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com

Correct Answer: ACSection: Configuring AD DNSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753500.aspx----------------------------------------------------------------------------------------------------------To create a zone delegation using the Windows inter face

Open DNS Manager.

In the console tree, right-click the applicable subdomain, and then click New Delegation.

Follow the instructions in the New Delegation Wizard to finish creating the new delegated domain.

Additional considerations

To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

All domains (or subdomains) that appear as part of the applicable zone delegation must be created in thecurrent zone before delegation is performed as described here. As necessary, use DNS Manager to first adddomains to the zone before you complete this procedure.

To create a zone delegation using a command line

Open a command prompt.

Type the following command, and then press ENTER:

dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [/OpenAcl] [<Ttl>] NS{<HostName>|<FQDN>}

QUESTION 16Your network contains three Active Directory forest named Forest1, Forest2, and Forest3. Each forest containsthree domains.

A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 andForest3.

You need to configure the forest to meet the following requirements

Users in Forest3 must be able to access resources in Forest1.Users in Forest1 must be able to access resources in Forest3.The number of trusts must be minimized.

What should you do?

A. In Forest2, modify the name suffix routing settings.B. In Forest1 and Forest3, configure selective authentication.C. In Forest1 and Forest3, modify the name suffix routing settings.D. Create a two-way forest trust between Forest1 and Forest3.E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.

Correct Answer: DSection: Configuring Domains and TrustsExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc778851%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------

To create a two-way, forest trust for both sides of the trust


In the console tree, right-click the domain node for the domain that you want to establish a trust with, andthen click Properties.



On the Trust Type page, click Forest trust, and then click Next.

On the Direction of Trust page, click Two-way, and then click Next.


On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.


On the User Name and Password page, type the user name and password for the appropriate administratorin the specified domain.

On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next: Click Forest-wide authentication.


On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then clickNext: Click Forest-wide authentication.


On the Trust Selections Complete page, review the results, and then click Next.


On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do notconfirm the trust at this stage, the secure channel will not be established until the first time the trust is used byusers.

If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriateadministrative credentials from the specified domain.




QUESTION 17Your network contains an Active Directory forest. The forest contains two domain controllers. The domaincontrollers are configured as shown in the following table.

Server name Server configuration-------------------------------------------------------------------------------------------------- Global catalog serverDC1 Schema master Domain naming master-------------------------------------------------------------------------------------------------- Primary domain controller (PDC) emulatorDC2 RID master Infrastructure master--------------------------------------------------------------------------------------------------

All client computers run Windows 7.

You need to ensure that all client computers in the domain keep the same time as an external time server.

What should you do?

A. From DC1, run the time command.B. From DC2, run the time command.C. From DC1, run the w32tm.exe command.D. From DC2, run the w32tm.exe command.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc773263%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------This has to be run on PDC emulator.

W32tm.exe: Windows Time

This tool is installed as part of Windows XP, Windows Vista, Windows 7, Windows Server 2003, WindowsServer 2003 R2, Windows Server 2008, and Windows Server® 2008 R2 default installations.

QUESTION 18Your network contains a single Active Directory domain named contoso.com.

An administrator accidentally deletes the _msdsc.contoso.com zone.

You recreate the _msdsc.contoso.com zone.

You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.

What should you do on each domain controller?

A. Restart the Netlogon service.B. Restart the DNS Server service.C. Run dcdiag.exe /fix.D. Run ipconfig.exe /registerdns.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd347673.aspx----------------------------------------------------------------------------------------------------------

QUESTION 19Active Directory Rights Management Services (AD RMS) is deployed on your network.

You need to configure AD RMS to use Kerberos authentication.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Register a service principal name (SPN) for AD RMS.B. Register a service connection point (SCP) for AD RMS.C. Configure the identity setting of the _DRMSAppPool1 application pool.D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.

Correct Answer: ADSection: Configuring AD Rights Mgmt ServicesExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/dd759186.aspx----------------------------------------------------------------------------------------------------------Set the Service Principal Names (SPN) value for the AD RMS service account

Open an elevated command prompt window. To open an elevated Command Prompt window, click Start,point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

Type setspn -a HTTP/<ServerName> <ServiceAccountDomain>\<ServiceAccount>, where <ServerName> isthe name of the server, <ServiceAccountDomain> is the name of the domain containing the AD RMS serviceaccount, and <ServiceAccount> is the name of the AD RMS service account.

Type setspn -a HTTP/<ServerFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ServerFQDN>is the fully qualified domain name (FQDN) of the server.

Type setspn -a HTTP/<ClusterName> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterName>is the name of the AD RMS cluster.

Type setspn -a HTTP/<ClusterFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterFQDN>is the fully qualified domain name (FQDN) of the cluster.

QUESTION 20Your network contains an Active Directory forest. The forest contains an Acitve Directory site for a remoteoffice. The remote site contains a read-only domain controller (RODC).

You need to configure the RODC to store only the password of users in the remote site.

What should you do?

A. Create a Paasword Settings object (PSO).B. Modify the Partial-Attribute-Set attribute of the forest.C. Add the users accounts of the remote site users to the Allowed RODC Password Replication Group.

D. Add the users accounts of users who are not in the remote site to the Denied RODC Password ReplicationGroup.


Explanation/Reference:http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28WS.10%29.aspx----------------------------------------------------------------------------------------------------------Administering the Password Replication Policy

Updated: March 14, 2010

Applies To: Windows Server 2008

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP)and password caching for read-only domain controllers (RODCs).

Viewing the PRP

Reviewing the accounts that are authenticated to an RODC

Clearing the authenticated accounts list

Configuring the PRP

Moving accounts from the Auth2 list to the Allow list

Reviewing PRP resultant policy

Reviewing accounts with cached passwords on the RODC

Prepopulating the password cache for an RODC

QUESTION 21Your network contains an Active Directory domain. All domain controller run Windows Server 2003.

You replace all domain controllers with domain controllers that run Windows Server 2008 R2.

You raise the functional level of the domain to Windows Server 2008 R2.

You need to minimize the amount of SYSVOL replication traffic on the network.

What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.B. Modify the path of the SYSVOL folder on all of the domain controllers.C. On a global catalog server, run repadmin.exe and specify the KCC parameter.D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run

dfsrmig.exe.


Explanation/Reference:http://blogs.technet.com/b/filecab/archive/2008/02/14/sysvol-migration-series-part-2-dfsrmig-exe-the-sysvol-migration-tool.aspx----------------------------------------------------------------------------------------------------------Reason: Windows Server 2008 includes a command line tool called dfsrmig.exe which can be used byadministrators to control the process of migrating replication of the SYSVOL share from FRS to the DFSReplication service.

Exam M

QUESTION 1Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Managements Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in thecontoso.com forestWhat should you do?

A. Create an external trust from contoso.com to nwtraders.com.B. Create an external trust from nwtraders.com to contoso.comC. Add a trusted user domain to the AD RMS cluster in the contoso.com domainD. Add a trusted user domin to the AD RMS cluster in the nwtraders.com domain.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd772670%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------------A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificatesor use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS rootcluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster that isto be trusted. You can also add trust policies so that AD RMS can process licensing requests for usercertificates from a different AD RMS cluster.Business-to-business is one such type of TUD and is shown in the following diagram. This type of TUD wouldinvolve two different companies sharing rights-protected content between them. Before you set up this type ofTUD, there are some requirements that must be met.

QUESTION 2You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC)What should you do?

A. From Active Directory Users and Computers, modify the properties of the RODC computer objectB. Run the repadmin.exe command an specify the /prp parameterC. Run the dsrm.exe command and specify the -u parameterD. From Active Directory Sites an Services, modify the properties of the RODC computer object


Explanation/Reference:http://technet.microsoft.com/en-us/library/administer-prp-for-rodc-with-repadmin.exe%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc835486%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------------------------------------------------------repadmin /prp

You can use this command to view or modify the PRP for an RODC. The PRP determines which accountpasswords are allowed to be cached on an RODC and which account are denied from being cached.

DELETE Syntax

Repadmin /prp [operation] RODC [additional arguments]

repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}repadmin /prp delete <RODC> auth2 /all

Additional parameters Parameter Definition

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition,you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL>

Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to havethe operation delete all security principals.

/all

Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.

QUESTION 3Your nertwork contains an Active Directory domain.

You nee to back up all of the Group Policy objects (GPOs) Group Policy permissions, and Group Policy links forthe domain.

What should you do?

A. From Windows PowerShell, run the Backup-GPO cmdlet.B. From Windows Server Backup, perform a system state backupC. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.D. From Group Policy Management Console (GPMC), back up the GPOs


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee461027.aspx-------------------------------------------------------------------------------------------Backup-GPO - Backs up one GPO or all the GPOs in a domain.

QUESTION 4Your network contains an Active Directory forest. The forest contains one domain. Teh domain contains twodomain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 was installed before DC2.

DC1 fails

You need to ensure that you can add 1,000 new user accounts to the domain.

What should you do?

A. Seize the schema master FSMO role.B. Configure DC2 as a global catalog server.C. Seize the RID master FSMO roleD. Modify the permissions of the DC2 computer account


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784077%28WS.10%29.aspx--------------------------------------------------------------------------------------------------------------------------Seize the RID master role


Type:

ntdsutil

At the ntdsutil command prompt, type:

roles

At the fsmo maintenance command prompt, type:

connections

At the server connections command prompt, type:

connect to serverDomainController

At the server connections prompt, type:

quit

At the fsmo maintenance command prompt, type:

seize RID master

***Caution

Do not seize the RID master role if you can transfer it instead. Seizing the RID master is a drastic step thatshould be considered only if the current operations master will never be available again. For more informationabout transferring operations master roles, see Related Topics.

QUESTION 5Your network contains an Active Directory domian named contoso.com. Contoso.com contains two sitesnamed Site1 and Site2. Site1 contains a domain controller named DC1.

In Site1 , you install a new domain controller named DC2. You ship DC2 to Site2.

You discover that certain users in Site2 authenticate to DC1.

You need to ensure that the users in Site2 always attemp to authentcate to DC2 first.

What should you do?

A. From Active Dirctory Sites and Services, move the DC2 server object.B. From Active Directory Users and Computers, modigy te Location settings of the DC2 computer object.C. From Active Directory Sites and Services, modify the Location attribute for Site2.D. From Active Directory Userrs and Computers, move the DC2 computer object.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730718.aspx----------------------------------------------------------------------------------------------------Configure an Additional Site



Creating the site



Task Reference

(Optional) Review sites and replication concepts.

Understanding Sites, Subnets, and Site Links

Create a new site object to represent the domain controllers in a geographic location.

Create a Site

Identify the range of IP addresses that domain controllers in this site use—and that identify the domaincontrollers as members of this site—by creating a subnet object and associating it with the new site.

Create a Subnet

Create a site link object that connects the new site with an existing site so that replication can occur betweenthe two sites. You can use the site link object to manage the replication schedule.

Create a Site Link

Change the site link association of the new site from its existing site link to the new site link so that replicationwill begin with the new site link.

Add a Site to or Remove a Site from a Site Link

QUESTION 6Your company has a main office and four branch offices.

An Active Directory site exists for each office. Each site contains one domain controller. Each branch office sitehas a site link to the main office site.

You discover that the domain controllers in the brans offices sometimes replicate directly to each other.

You need to ensure that domain controllers in the branch offices only replicate to the domain controller in themain office.

What should you do?

A. Disable the Knowledge Consistency Checker (KCC) for each branch office site.B. Modify the firewall settings for the main office siteC. Modify the security settings for the main office siteD. Disable site link bridging


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc738789(WS.10).aspx-----------------------------------------------------------------------------------------------Enable or disable site link bridges

To enable or disable site link bridgesOpen Active Directory Sites and Services.

In the console tree, right-click the intersite transport folder (such as IP or SMTP) for which you want to enableor disable site link bridges, and then click Properties .

Where?

Active Directory Sites and Services/Sites/Inter-Site Transports/intersite transport for which you want to enableor disable link bridges

Do one of the following:

To enable site link bridges, select the Bridge all site links check box.

To disable site link bridges, clear the Bridge all site links check box.

Important By default, all site links are bridged. For more information about disabling this option and its affects on intersitereplication, see Related Topics.

Notes To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Adminsgroup in Active Directory, or you must have been delegated the appropriate authority. As a security bestpractice, consider using Run as to perform this procedure. For more information, see Default local groups,Default groups, and Using Run as.

To open Active Directory Sites and Services, click Start , click Control Panel , double-clickAdministrative Tools , and then double-click Active Directory Sites and Services .

QUESTION 7

Your network contains a single Active Directory domain. Client compyters run either Windows XP Service Pack3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizationalunit (OU) named OU1.

You link a new Group Policy object (GPO) named GPO10 to OU1.

You need to ensure that GPO10 is applied only to client computers that run Windows 7.

What should you do?

A. Enable block inheritance on OU1.B. Create a new OU in OU1. Move the Windows Xp computer accounts to the new OUC. Modify the permissions of OU1.D. Create a WMI filter and assign the filter to GPO10

Correct Answer: DSection: Configuring Group PolicyExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc947846%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------------To create a WMI filter that queries for a specified version of Windows

On a computer that has the Group Policy Management feature installed, click Start, click AdministrativeTools, and then click Group Policy Management.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and thenclick Continue.

In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, andthen click WMI Filters.

Click Action, and then click New.

In the Name text box, type the name of the WMI filter. noteNote Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has anaming convention.

In the Description text box, type a description for the WMI filter. For example, if the filter excludes domaincontrollers, you might consider stating that in the description.

Click Add.

Leave the Namespace value set to root\CIMv2.

In the Query text box, type:

select * from Win32_OperatingSystem where Version like "6.%"

QUESTION 8Your network contains an Active Directory forest. All client computers run Windows 7.

The network contains a high-volume enterprise certification authority(CA).

You need to minimize the amount of nerwork bandwidth required to validate a certificate.

What should you do?

A. Configure an Online Certification Status Protocol (OSCP) responderB. Configure an LDAP publishing point for the certificate revocation list (CRL).C. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS)D. Modify the settings of the delta certificate revocation list (CRL)

Correct Answer: ASection: Configuring AD LDSExplanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732526.aspx------------------------------------------------------------------------------------------------http://www.windowsitpro.com/article/security/online-certificate-status-protocol-ocsp-in-windows-server-2008-and-vista-

Traditionally, the status of a certificate is determined by checking a CRL. This method works well for PKIs thatissue a limited number of certificates, but for public CAs or large enterprises, CRLs don't scale well ifcertificates are revoked on a regular basis. CRLs detail all revoked certificates, and as this list grows, itbecomes more bandwidth-intensive to distribute, potentially making users wait longer for a response. Thebandwidth requirements for determining certificate revocation status using CRLs can be so large that if youenable it in applications like Internet Explorer or Outlook prior to Windows Vista, the programs often grind to ahalt. Delta CRLs provide a partial solution to the problem by transferring only changes to the CRL.

Online Responders answer queries from OCSP clients, including Vista and Server 2008, when the status of acertificate needs to be verified. OCSP is an HTTP protocol used to address the scale and performancelimitations of CRLs, reducing the amount of bandwid th required to perform certificate status checks byenabling Online Responders to receive all the CRL data from the CAs, as opposed to the clients downloadinga CRL. When OCSP is used to determine certificate status, a request for information about a single certificateis sent from the OCSP client, and the amount of data returned to the OCSP client doesn't vary, no matter howmany revoked certificates are on a CA's CRL. The data returned to the OCSP client is digitally signed. OnlineResponders, in the case of Microsoft's implementation, receive certificate revocation status from CRLs, so arestill limited by the frequency with which CRLs are published. Some Online Responders, however, are able tocommunicate directly with a CA's certificate database to get up-to-date status information.

Configure a CA to Support OCSP Responders

Applies To: Windows Server 2008 R2

To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP)Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.

Configuring a certification authority (CA) to support OCSP responder services includes the following steps:

Configure certificate templates and issuance properties for OCSP Response Signing certificates.

Configure enrollment permissions for any computers that will be hosting Online Responders.

If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates.

Add the location of the Online Responder or OCSP responder to the authority information access extensionon the CA.

Enable the OCSP Response Signing certificate template for the CA.

QUESTION 9Your nerwork contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 R2 Standard.

You need to create an enterprise subordinate certification authority (CA) that can issue certidicates based onversion 3 certificate templates. You must achieve this goal by using the minimun amount of administrativeeffort.


A. Upgrade the member server to Windows Server 2008 R2 Enterprise.B. Disjoin the member server from the domain.C. Run certutil.exe -addenrollmentserver.D. Install the Active Directory Certificate Services (AD CS) role on the member server.


Explanation/Reference:http://d3planet.com/rtfb/2009/11/10/install-certificate-services-on-windows-server-2008-r2/

Windows 2008 R2 Editions

http://en.wikipedia.org/wiki/Windows_Server_2008_R2

http://www.microsoft.com/en-us/server-cloud/windows-server/2008-r2-editions.aspx

QUESTION 10Your Network contains an Active Directory domain. You create and mount an Active Directory snapshot.

You run the following command on the domain controller :

dsamain.exe dbpath C:\Windows\NTDS\ntds.dit ldapport 54321 -allowNonAdminAccess

and the command fails as shown in the exhibit. ( Click the Exhibit button ).

You need to ensure that you can browse the contents of Active Directory snapshot. What should you do ?

Exhibit:

A. Change the value of the ldapport parameter, and then rerun dsamain.exe .B. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe .C. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe .D. Change the value of the dbpath parameter, and then rerun dsamain.exe .


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753609%28WS.10%29.aspx-------------------------------------------------------------------------------------------------------------------------------------------------------NOTE: THE COMPLETE COMMAND THAT YOU WILL SEE IN THE EXHIBIT (in the exam) IS :

dsamain.exe dbpath C:\Windows\NTDS\ntds.dit ldapport 54321 -allowNonAdminAccess

Now Take a look :To make and use snapshots: Use :** Ntdsutil snapshot ** To create a snapshot of the Active Directory database. Run the

** Ntdsutil mount ** command to mount (make active) a database snapshot. You can mount multiplesnapshots. Run the ** Dsamain.exe ** command to expose a snapshot as an LDAP server. This step allows you to connect to andview the snapshot. With *Dsamain.exe *, you specify the path to the snapshot, along with a port number that will be used toconnect to the snapshot. But in the EXHIBIT , the path is the real Active Directory database path , not the snapshot path .Finally ,,Run the ** Ldp ** tool or Active Directory Users and Computers using the specified port to view the snapshot data.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser)Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx

Simplifying the forest recovery process

For organizations that have domain controllers running Windows Server 2003, the forest recovery processrequires a determination of which backup is best to use for recovery. In general, you must consider whether torestore a recent backup of your data or an older backup that you believe may be safer. Choosing a more recentbackup recovers more useful data, but it might increase the risk of reintroducing dangerous data into therestored forest. To determine which backup is best, you must restore it to a domain controller to view its contents. Each restoreoperation requires that you restart the domain controller in Directory Services Restore Mode (DSRM). For some organizations, the loss of productivity caused by the time required for such restore operations isgreat. These organizations often must keep detailed logs about the Active Directory health state on a dailybasis so that, in case of a failure throughout the forest, the approximate time of failure can be identified.In a forest recovery scenario, the ability to precisely determine which backup contains the best data to recovercan drastically reduce downtime.

Auditing modified and deleted objects

Dsamain.exe helps you examine any changes that are made to Active Directory data. For example, if an objectis accidentally modified, you can use this tool to examine the changes and to help you better decide how tocorrect them if necessary.By scheduling a task to regularly create snapshots of the AD DS database, you can keep detailed records ofAD DS data as it changes over time. You can create AD DS snapshots without devoting as much time andstorage space as Windows Server Backup requires for critical-volume backups.

Requirements for using the Active Directory databas e mounting tool

You do not need any additional software to use the Active Directory database mounting tool. All the tools thatare required to use this feature are built into Windows Server 2008 and are available if you have the AD DS orthe AD LDS server role installed. These tools include the following:A new ntdsutil snapshot operation that you can use to create, list, mount, and unmount snapshots of ADDS or AD LDS data

QUESTION 11Your network contains an Active Directory domain named contoso.com.You need to audit changes to a service account.Which security policy setting should you configure ?

A. Audit Sensitive Privilege Use .

B. Audit Directory Service Changes .C. Audit User Account Management .D. Audit Other Account Management Events .


Explanation/Reference:http://support.microsoft.com/kb/814595-------------------------------------------------------------------------------------------------------------------------------------Audit User Account ManagementThis security policy setting determines whether the operating system generates audit events when the followinguser account management tasks are performed: * A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. * A user account password is set or changed. * Security identifier (SID) history is added to a user account. * The Directory Services Restore Mode password is set. * Permissions on accounts that are members of administrators groups are changed. * Credential Manager credentials are backed up or restored.This policy setting is essential for tracking events that involve provisioning and managing user accounts.

QUESTION 12Your network contains an Active Directory domain named contoso.com.The Adminisrator deletes an OU named OU1 accidentally.You need to restore OU1. Which cmdlet should you use ?

A. Set-ADObject cmdletB. Set-ADOrganizationalUnit cmdletC. Set-ADUser cmdletD. Set-ADGroup cmdlet


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd379509%28WS.10%29.aspxhttp://technet.microsoft.com/en-us/library/ee617254.aspx (Set-ADObject)---------------------------------------------------------------------------------------------------------------------------------------------------To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets

Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and thenclick Run as administrator.

At the Active Directory module for Windows PowerShell command prompt, type the following command, andthen press ENTER:

Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject

For example, if you want to restore an accidentally deleted user object with the display name Mary, type thefollowing command, and then press ENTER:

Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

ts: windows server 2008 active directory, … windows server 2008 active directory, configuring...

Documents