SelfTest.70-640.925Questions
Number: 70-640
Passing Score: 800
Time Limit: 120 min
File Version: 48.0
http://www.gratisexam.com/
Passed today, scored 100%. Thanks to Judy for suggesting such an accurate exam.
No doubt it's unique in some ways; after wasting a lot of money, I finally got on the right track leading my way towards success.
Got this VCE from my friend who passed with 98%; each and every bit of stuff is in it. I am sharing it with you guys.
I have redressed a few inquiries and now a score of 95% or above is guaranteed.
At last, I got the right inquiries for this exam and offer them to you folks. All the best.
Exam A
QUESTION 1
Your company has a main office and 50 branch offices. Each office contains multiple subnets. You need to automate the creation of Active Directory subnet objects.
What should you use?
A. the Dsadd tool
B. the Netsh tool
C. the New-ADObject cmdlet
D. the New-Object cmdlet
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/ee617260.aspx
New-ADObject: Creates an Active Directory object.
Syntax:
New-ADObject [-Name] <string> [-Type] <string> [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Description <string>] [-DisplayName <string>] [-Instance <ADObject>] [-OtherAttributes <hashtable>] [-PassThru <switch>] [-Path <string>] [-ProtectedFromAccidentalDeletion <System.Nullable[bool]>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new user account. You can use this cmdlet to create any type of Active Directory object. Many object properties are defined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using the OtherAttributes parameter. You must set the Name and Type parameters to create a new Active Directory object. The Name specifies the name of the new object. The Type parameter specifies the LDAP display name of the Active Directory Schema Class that represents the type of object you want to create. Examples of Type values include computer, group, organizational unit, and user.
The Path parameter specifies the container where the object will be created. When you do not specify the Path parameter, the cmdlet creates an object in the default naming context container for Active Directory objects in the domain.
QUESTION 2
Your network contains an Active Directory forest. The forest contains multiple sites.
You need to enable universal group membership caching for a site.
What should you do?
A. From Active Directory Sites and Services, modify the NTDS Settings.
B. From Active Directory Sites and Services, modify the NTDS Site Settings.
C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.
D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc816797%28v=ws.10%29.aspx Enabling Universal Group Membership Caching in a Site
In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest.
If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic, and a user can potentially be unable to log on to the domain if a global catalog server is not available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user's initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server.
To complete this task, perform the following procedure:
http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29.aspx Enable Universal Group Membership Caching in a Site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.
QUESTION 3
You need to ensure that domain controllers only replicate between domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services?
A. From the IP properties, select Ignore all schedules.
B. From the IP properties, select Disable site link bridging.
C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects.
D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htm What is Site Link Bridge and How to create Site Link Bridge
A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge.
By default, all site links are transitive, and it is recommended to keep transitivity enabled by leaving the default value of "Bridge all site links" (enabled by default) unchanged. Clearing it on the IP transport is what the exam calls "Disable site link bridging": the KCC then only creates inter-site connections between sites that share an explicit site link (or a site link bridge you define yourself), which is how replication is restricted to adjacent sites.
We may need to disable "Bridge all site links" and create a site link bridge design:
When the IP network is not fully routed.
When we need to control the replication flow in Active Directory.
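Both QUESTION 2 and QUESTION 3 are answered in the Active Directory Sites and Services GUI, but each checkbox is really a bit in an "options" attribute on a configuration-partition object, and scripting it is the only way to apply the change consistently across 50 branch sites. The following is an added example written for this page, not code from the exam dump or from Microsoft. It assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or RSAT); the site names Branch1 and Main are assumptions, and the bit values come from the NTDS-Site-Settings and Inter-Site-Transport definitions in MS-ADTS.

```powershell
# Added example: enable Universal Group Membership Caching for a site (Q2) and
# clear "Bridge all site links" on the IP transport (Q3) by editing the
# 'options' bitmask attributes directly.
Import-Module ActiveDirectory

$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# Bit values from MS-ADTS:
#   NTDS Site Settings  : 0x20 = NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
#   Inter-Site Transport: 0x02 = NTDSTRANSPORT_OPT_BRIDGES_REQUIRED (set => automatic bridging OFF)
#                         0x01 = NTDSTRANSPORT_OPT_IGNORE_SCHEDULES (option A in Q3, not what we want)
$UGMC_ENABLED     = 0x20
$BRIDGES_REQUIRED = 0x02

function Set-NtdsOptionBit {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [Parameter(Mandatory=$true)][int]$Bit,
        [Parameter(Mandatory=$true)][bool]$Enable
    )
    $obj     = Get-ADObject -Identity $DistinguishedName -Properties options
    $current = if ($obj.options) { [int]$obj.options } else { 0 }
    $new     = if ($Enable) { $current -bor $Bit } else { $current -band (-bnot $Bit) }
    if ($new -ne $current) {
        # Only the one bit changes; every other flag the KCC relies on is preserved.
        Set-ADObject -Identity $DistinguishedName -Replace @{ options = $new }
    }
    [pscustomobject]@{ Object = $DistinguishedName; Before = $current; After = $new }
}

# QUESTION 2: enable UGMC on the Branch1 site and refresh the cache from the Main site.
$SiteSettings    = "CN=NTDS Site Settings,CN=Branch1,CN=Sites,$ConfigNC"
$PreferredGcSite = "CN=Main,CN=Sites,$ConfigNC"
Set-NtdsOptionBit -DistinguishedName $SiteSettings -Bit $UGMC_ENABLED -Enable $true
# "Refresh cache from" in the GUI is the msDS-Preferred-GC-Site attribute.
Set-ADObject -Identity $SiteSettings -Replace @{ 'msDS-Preferred-GC-Site' = $PreferredGcSite }

# QUESTION 3: turn off transitive site links on the IP transport so the KCC only
# builds inter-site connections along explicit site links (and bridges you create).
$IpTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNC"
Set-NtdsOptionBit -DistinguishedName $IpTransport -Bit $BRIDGES_REQUIRED -Enable $true

# Verify: the bits should now be present in the 'options' attribute of each object.
Get-ADObject $SiteSettings -Properties options, 'msDS-Preferred-GC-Site' |
    Format-List Name, options, 'msDS-Preferred-GC-Site'
Get-ADObject $IpTransport -Properties options | Format-List Name, options
```

Because Set-ADObject supports -WhatIf, the function can be dry-run against production before the configuration partition is touched; the returned Before/After values are what you would log for change control.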
QUESTION 4
Your company has a main office and a branch office.
You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.
You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.
What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Your network contains an Active Directory domain. The domain is configured as shown in the following table.
Users in Branch2 sometimes authenticate to a domain controller in Branch1.
You need to ensure that users inBranch2 only authenticate to the domain controllers in Main.
What should you do?
A. On DC3, set the AutoSiteCoverage value to 0.
B. On DC3, set the AutoSiteCoverage value to 1.
C. On DC1 and DC2, set the AutoSiteCoverage value to 0.
D. On DC1 and DC2, set the AutoSiteCoverage value to 1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
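QUESTION 1, QUESTION 4 and QUESTION 5 are all about which site a client is mapped to and therefore which domain controller it authenticates against. The following is an added example written for this page, not code from the exam dump or from Microsoft. It assumes the Active Directory module (2008 R2 or RSAT); the CSV content, the site names, the domain contoso.com and the assumption that DC3 is the Branch1 domain controller (the question's table is not reproduced on this page) are all constructed for illustration. New-ADReplicationSubnet only exists from Windows Server 2012 on, which is why New-ADObject is used.

```powershell
# Added example: bulk-create IPv4 and IPv6 subnet objects with New-ADObject
# (Q1/Q4) and stop a branch DC from covering other sites (Q5).
Import-Module ActiveDirectory

$ConfigNC         = (Get-ADRootDSE).configurationNamingContext
$SubnetsContainer = "CN=Subnets,CN=Sites,$ConfigNC"

# Constructed input; in production this would be an export from your IPAM.
$rows = @"
Prefix,Site,Description
10.1.0.0/24,Branch1,Branch1 clients
10.1.1.0/24,Branch1,Branch1 servers
2001:db8:1::/64,Branch1,Branch1 IPv6 clients
10.2.0.0/24,Branch2,Branch2 clients
2001:db8:2::/64,Branch2,Branch2 IPv6 clients
"@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $siteDn = "CN=$($row.Site),CN=Sites,$ConfigNC"
    if (-not (Get-ADObject -LDAPFilter "(&(objectClass=site)(cn=$($row.Site)))" -SearchBase "CN=Sites,$ConfigNC")) {
        Write-Warning "Site $($row.Site) does not exist; skipping $($row.Prefix)"
        continue
    }
    # A subnet object is named by its CIDR prefix and linked to a site through
    # the siteObject attribute. IPv6 prefixes work exactly the same way, which
    # is why a missing IPv6 subnet sends an IPv6-only client to a DC in another
    # site (Q4): with no matching subnet the DC locator has no site to go on.
    $existing = Get-ADObject -LDAPFilter "(&(objectClass=subnet)(cn=$($row.Prefix)))" -SearchBase $SubnetsContainer
    if ($existing) {
        Set-ADObject -Identity $existing -Replace @{ siteObject = $siteDn; description = $row.Description }
    } else {
        New-ADObject -Name $row.Prefix -Type subnet -Path $SubnetsContainer `
            -OtherAttributes @{ siteObject = $siteDn; description = $row.Description }
    }
}

# On a client, confirm the site it now resolves to and which DC it picks:
#   nltest /dsgetsite
#   nltest /dsgetdc:contoso.com /force

# QUESTION 5: a DC with AutoSiteCoverage enabled (the default) registers
# site-specific SRV records for nearby sites that have no DC of their own, so
# Branch2 users can be steered to the Branch1 DC instead of Main. Setting the
# value to 0 on DC3 (assumed here to be the Branch1 DC) stops it from covering
# Branch2; DC1 and DC2 in Main keep the default and continue to cover it.
Invoke-Command -ComputerName DC3 -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name AutoSiteCoverage -Value 0 -Type DWord
    Restart-Service Netlogon   # re-registers DNS records without the Branch2 entries
}
# Then confirm that DC3 no longer appears in Branch2's site-specific records:
#   nslookup -type=SRV _ldap._tcp.Branch2._sites.dc._msdcs.contoso.com
```

Stale site-specific SRV records for DC3 may linger until scavenging or a manual `nltest /dsderegdns:dc3.contoso.com`, so check DNS after the change rather than assuming the restart cleaned it up.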
QUESTION 6
Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has
two domain controllers named DC3 and DC4.
DC3 fails.
You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 and the domain controllers in Site1.
On DC4, you run repadmin.exe /kcc.
Replication between the sites continues to fail.
You need to ensure that Active Directory data replicates between the sites.
What should you do?
A. From Active Directory Sites and Services, modify the properties of DC3.
B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.
C. From Active Directory Users and Computers, modify the location settings of DC4.
D. From Active Directory Users and Computers, modify the delegation settings of DC4.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194
Bridgehead Servers
A bridgehead server is the domain controller designated by each site's KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site's other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them.
In most cases, the KCC automatically decides which domain controller acts as the bridgehead server.
However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps:
1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server.
2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.
3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add.
The scenario implies that DC3 was designated as the preferred bridgehead server for Site2. When a preferred bridgehead server is configured and none of the preferred servers is available, the KCC does not fall back to another domain controller in the site, which is why running repadmin /kcc on DC4 did not help. Removing the designation from DC3 (or adding DC4 as a preferred bridgehead) in the properties of DC3's server object lets the KCC build an inter-site connection through DC4 again.
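The following is an added example written for this page, not code from the exam dump or from Microsoft. It shows how to see whether the failed DC3 from QUESTION 6 was the preferred bridgehead, how to remove that designation from the server object so that the KCC can use DC4, and how to check that inter-site replication resumes. It assumes the Active Directory module and the site and server names used in the question.

```powershell
# Added example: inspect and fix the preferred-bridgehead designation (Q6).
Import-Module ActiveDirectory

$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$IpTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNC"

# Preferred bridgeheads are stored on the server object itself, in the
# bridgeheadTransportList attribute (one transport DN per entry).
function Get-PreferredBridgehead {
    param([Parameter(Mandatory=$true)][string]$Site)
    Get-ADObject -LDAPFilter '(objectClass=server)' `
        -SearchBase "CN=Servers,CN=$Site,CN=Sites,$ConfigNC" `
        -Properties bridgeheadTransportList |
        Select-Object Name, @{ n = 'PreferredFor'; e = { $_.bridgeheadTransportList } }
}

# Before: only DC3 should show a value, which explains why DC4 is never chosen.
Get-PreferredBridgehead -Site Site2

# Fix 1: clear the designation on DC3 so the KCC is free to pick any DC in Site2.
$dc3 = "CN=DC3,CN=Servers,CN=Site2,CN=Sites,$ConfigNC"
Set-ADObject -Identity $dc3 -Clear bridgeheadTransportList

# Fix 2 (optional): make DC4 the preferred bridgehead for the IP transport.
# Leaving the choice to the KCC is usually the safer option; a preferred
# bridgehead is a single point of failure, as this scenario demonstrates.
$dc4 = "CN=DC4,CN=Servers,CN=Site2,CN=Sites,$ConfigNC"
# Set-ADObject -Identity $dc4 -Add @{ bridgeheadTransportList = $IpTransport }

# If DC3 is not coming back, remove its metadata as well. On 2008 R2, deleting
# the server object in Active Directory Sites and Services does this, or:
#   ntdsutil "metadata cleanup" "remove selected server CN=DC3,CN=Servers,CN=Site2,CN=Sites,$ConfigNC" q q

# Rerun the KCC on DC4 and confirm that the inter-site connection exists.
repadmin /kcc DC4
repadmin /showrepl DC4
repadmin /replsummary

# After: DC3 no longer appears as preferred; DC4 may, if Fix 2 was applied.
Get-PreferredBridgehead -Site Site2
```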
QUESTION 7
Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.
The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2.
You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).
What should you do first?
A. Run dfsrdiag.exe PollAD.
B. Run dfsrmig.exe /SetGlobalState 0.
C. Upgrade all domain controllers to Windows Server 2008 R2.
D. Raise the functional level of the domain to Windows Server 2008.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc753479%28v=ws.10%29.aspx Distributed File System
Distributed File System (DFS) Namespaces and DFS Replication offer simplified, highly-available access to files, load sharing, and WAN-friendly replication. In the Windows Server® 2003 R2 operating system, Microsoft revised and renamed DFS Namespaces (formerly called DFS), replaced the Distributed File System snap-in with the DFS Management snap-in, and introduced the new DFS Replication feature. In the Windows Server® 2008 operating system, Microsoft added the Windows Server 2008 mode of domain-based namespaces and added a number of usability and performance improvements.
What does Distributed File System (DFS) do?
The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly-available access to geographically dispersed files. The two technologies in DFS are the following:
DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections.
DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.
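The prerequisite in QUESTION 7 is only the first step; the migration itself is driven by dfsrmig.exe through the global states Start (0), Prepared (1), Redirected (2) and Eliminated (3). The following is an added example written for this page, not code from the exam dump or from Microsoft, showing the full sequence run from an elevated prompt on the PDC emulator. It assumes the Active Directory module; the "migrated successfully" line that the loop waits for is an assumption about dfsrmig's /GetMigrationState output, so read the raw output if the loop never finishes.

```powershell
# Added example: raise the DFL, then migrate SYSVOL from FRS to DFSR (Q7).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$belowDfl2008 = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($belowDfl2008 -contains "$($domain.DomainMode)") {
    # Irreversible. Every DC must already run Windows Server 2008 or later.
    Set-ADDomainMode -Identity $domain.DistinguishedName -DomainMode Windows2008Domain -Confirm:$false
}

# Global states: 0 Start (FRS), 1 Prepared, 2 Redirected, 3 Eliminated.
# /SetGlobalState 0 (option B in the question) is a rollback from state 1 or 2,
# not a starting point, and state 3 cannot be rolled back at all.
function Wait-DfsrMigrationState {
    param([Parameter(Mandatory=$true)][int]$State)
    dfsrmig /SetGlobalState $State | Out-Null
    do {
        Start-Sleep -Seconds 60
        $out = dfsrmig /GetMigrationState
        Write-Host ($out -join "`n")
        # Assumption: dfsrmig prints "... migrated successfully to Global state ..."
        # once every DC has reached the requested state.
        $done = ($out -match 'migrated successfully')
    } until ($done)
}

Wait-DfsrMigrationState -State 1   # Prepared: DFSR seeds SYSVOL_DFSR, FRS still authoritative
Wait-DfsrMigrationState -State 2   # Redirected: the SYSVOL share now points at SYSVOL_DFSR
Wait-DfsrMigrationState -State 3   # Eliminated: FRS stopped, old SYSVOL content removed

# Sanity checks: global state 3, every DC reporting it, FRS stopped, DFSR running.
dfsrmig /GetGlobalState
dfsrdiag PollAD
Get-Service NtFrs, DFSR | Format-Table Name, Status
```

Pause between states until every domain controller has caught up; replication latency across sites is the usual reason the migration appears stuck, and forcing the next state while a DC lags is what produces the SYSVOL inconsistencies that make Group Policy stop applying.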
QUESTION 8
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects.
You need to ensure that Attribute1 is replicated to the global catalog.
What should you do?
A. In Active Directory Sites and Services, configure the NTDS Settings.
B. In Active Directory Sites and Services, configure the universal group membership caching.
C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.
D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 schema attribute.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.tech-faq.com/the-global-catalog-server.html
The Global Catalog Server
The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects, and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.
..
How to Include Additional Attributes in the GC
The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools menu, users have to add it to the MMC before it can be used to customize the GC.
To add the Active Directory Schema snap-in in the MMC:
1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.
2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.
3. Click OK to acknowledge that the dll was successfully registered.
4. Click Start, Run, and enter mmc in the Run dialog box.
5. When the MMC opens, select Add/Remove Snap-in from the File menu.
6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the
Add Standalone Snap-in dialog box.
7. Close all open dialog boxes.
To include additional attributes in the GC:
1. Open the Active Directory Schema snap-in.
2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu.
3. Additional attributes are added on the General tab.
4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.
5. Click OK.
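The checkbox in step 4 writes a single schema attribute, isMemberOfPartialAttributeSet, on the attributeSchema object. The following is an added example written for this page, not code from the exam dump or from Microsoft, that makes the same change from PowerShell against the schema master, reloads the schema cache, and adds the check a practitioner wants before exposing an attribute forest-wide. It assumes the Active Directory module and Schema Admins membership; attribute1 is the illustrative LDAP display name from QUESTION 8.

```powershell
# Added example: add a custom attribute to the partial attribute set (Q8).
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$schemaNC   = $rootDse.schemaNamingContext
$schemaFsmo = (Get-ADForest).SchemaMaster     # schema writes must go to the role holder

$attr = Get-ADObject -Server $schemaFsmo -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=attribute1))' `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, searchFlags

if (-not $attr) { throw 'attribute1 was not found in the schema' }

# Security check first: once the attribute is in the GC, every global catalog
# in the forest serves it to anyone who holds read permission on it. If the
# data is sensitive, mark it confidential (searchFlags bit 0x80) before adding
# it, so that reads require the extra control-access right.
if (($attr.searchFlags -band 0x80) -eq 0) {
    Write-Warning 'attribute1 is not marked confidential; consider searchFlags 0x80 if it holds sensitive data'
}

if (-not $attr.isMemberOfPartialAttributeSet) {
    Set-ADObject -Server $schemaFsmo -Identity $attr -Replace @{ isMemberOfPartialAttributeSet = $true }

    # Ask the schema master to reload its schema cache immediately instead of
    # waiting for the periodic refresh (rootDSE schemaUpdateNow operation).
    $ldapRoot = [ADSI]"LDAP://$schemaFsmo/RootDSE"
    $ldapRoot.Put('schemaUpdateNow', 1)
    $ldapRoot.SetInfo()
}

# Verify. At Windows Server 2003 or higher forest functional level, adding an
# attribute to the PAS no longer forces a full resync of every GC; removing one
# still leaves stale copies on the GCs until their next full sync.
Get-ADObject -Server $schemaFsmo -Identity $attr -Properties isMemberOfPartialAttributeSet |
    Select-Object lDAPDisplayName, isMemberOfPartialAttributeSet
```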
QUESTION 9
Your network contains an Active Directory domain. The domain contains three domain controllers.
One of the domain controllers fails.
Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts.
Which operations master role should you seize?
A. domain naming master
B. infrastructure master
C. primary domain controller (PDC) emulator
D. RID master
E. schema master
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx Operations master roles
Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes.
In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.
..
RID master
The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
Each domain controller requests a block of RIDs (its RID pool) from the RID master and only asks for another block when the pool runs low, which is why account creation keeps working for some days after the RID master fails and then stops. Seizing the role is a last resort: a seized RID master must never be brought back online, because it would allocate RID blocks that overlap those handed out by the new role holder and produce duplicate SIDs. Transfer the role gracefully whenever the original holder is still reachable.
http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-active-directory/5081138
Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory
http://www.petri.co.il/seizing_fsmo_roles.htm
Seizing FSMO Roles
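The following is an added example written for this page, not code from the exam dump or from the referenced articles. It shows how to confirm that the failed domain controller held the RID master role, how to see how much RID pool the surviving domain controllers have left, how to seize the role from PowerShell (the ntdsutil equivalent is given as a comment), and the cleanup the seizure requires. It assumes the Active Directory module on Windows Server 2008 R2; DC1 (failed), DC2 (survivor), Site1 and contoso.com are illustrative names.

```powershell
# Added example: diagnose and seize the RID master (Q9).
Import-Module ActiveDirectory

$domain = Get-ADDomain
"RID master is currently: $($domain.RIDMaster)"

# Why the help desk only notices after a week: each DC draws SIDs from a local
# RID pool (500 by default) and asks the RID master for a new block when it
# runs low. Account creation fails only once every surviving DC's pool is dry.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    "--- $dc"
    dcdiag /test:RidManager /v "/s:$dc" |
        Select-String 'rIDAllocationPool|rIDPreviousAllocationPool|rIDNextRID'
}

# Seize, not transfer: -Force skips contacting the current (dead) role holder.
# ntdsutil equivalent:
#   ntdsutil roles connections "connect to server DC2" q "seize RID master" q q
Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole RIDMaster -Force -Confirm:$false

# Verify from the directory's point of view, not just from DC2.
Get-ADDomain | Select-Object RIDMaster
netdom query fsmo

# The old RID master must never be reconnected: it would hand out RID blocks
# that overlap the new master's and create duplicate SIDs. Remove its metadata
# instead (on 2008 R2 deleting the DC's computer object in ADUC does this), or:
#   ntdsutil "metadata cleanup" "remove selected server CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=contoso,DC=com" q q
```

Check the dcdiag output of the new role holder after the seizure: if the new RID master itself was low on pool, it has to allocate a block to itself before it can serve the others.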
QUESTION 10
Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed.
Server1 has an AD LDS instance.
You need to ensure that you can replicate the instance from Server1 to Server2.
What should you do on both servers?
A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc794857%28v=ws.10%29.aspx Administering AD LDS Instances
Each AD LDS instance runs as an independent--and separately administered--service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually.
AD LDS service account
The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation.
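Because Server1 and Server2 in QUESTION 10 are standalone servers, there is no domain account (and no SPN) that replication between the two instances can authenticate with; the supported approach is a local account with the same name and password on both machines. The following is an added example written for this page, not code from the exam dump or from Microsoft, that creates that account on Server2 and installs the replica unattended. The answer-file keys are those of the adaminstall unattend format; the account name, ports, paths and the way the password is handled are assumptions for illustration.

```powershell
# Added example: replica install of an AD LDS instance between two
# standalone servers using a matching local service account (Q10).
# Run in an elevated PowerShell on Server2; the same local account with the
# same password must already exist on Server1 and run Instance1 there.
$svcName = 'adlds-svc'
$svcPwd  = Read-Host -AsSecureString "Password for local account $svcName (identical on Server1)"
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
               [Runtime.InteropServices.Marshal]::SecureStringToBSTR($svcPwd))

# 1) Matching local account. net user is used because 2008 R2 has no LocalAccounts module.
net user $svcName $plain /add /passwordchg:no
wmic useraccount where "name='$svcName'" set PasswordExpires=false | Out-Null

# 2) Unattended replica install, joining Server1's configuration set.
$answer = @"
[ADAMInstall]
InstallType=Replica
InstanceName=Instance1
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
SourceServer=Server1
SourceLDAPPort=50000
SourceUserName=Server1\$svcName
SourcePassword=$plain
ServiceAccount=$env:COMPUTERNAME\$svcName
ServicePassword=$plain
AddPermissionsToServiceAccount=Yes
Administrator=$env:COMPUTERNAME\Administrator
DataFilesPath=C:\ADLDS\Instance1\data
LogFilesPath=C:\ADLDS\Instance1\data
"@
$answerFile = Join-Path $env:TEMP 'adlds-replica.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

& "$env:windir\ADAM\adaminstall.exe" "/answer:$answerFile"

# The answer file holds two plaintext passwords: delete it as soon as the install returns.
Remove-Item $answerFile -Force

# 3) Confirm the new instance replicates with Server1.
repadmin /showrepl "localhost:50000"
repadmin /replsummary "localhost:50000"
```

If the two servers were domain-joined instead, the same domain account (or the Network Service account, which authenticates as the computer) would be used on both and the instance would register its SPN automatically, which is the case the TechNet text above describes.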
QUESTION 11
Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an Active Directory Lightweight Directory Services (AD LDS)
instance on Server1. You need to create an additional AD LDS application directory partition in the existing instance.
Which tool should you use?
A. Adaminstall
B. Dsadd
C. Dsmod
D. Ldp
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc755251.aspx
Create an Application Directory Partition
You use Ldp.exe to add a new application directory partition to an existing instance of Active Directory
Lightweight Directory Services (AD LDS).
QUESTION 12
Your network contains a server named Server1 that runs Windows Server 2008 R2.
On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named
Instance1.
You connect to Instance1 by using ADSI Edit.
You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1.
What should you do?
A. Run the AD LDS Setup Wizard.
B. Modify the schema of Instance1.
C. Modify the properties of the Instance1 service.
D. Install the Remote Server Administration Tools (RSAT).
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc772194.aspx
To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\ADAM on the computer where AD LDS is installed. The user, inetOrgPerson, and organizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema.
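Both QUESTION 11 (a new application directory partition) and QUESTION 12 (the missing user class) can be done from the command line with ldifde, which is easier to repeat across instances than Ldp or ADSI Edit. The following is an added example written for this page, not code from the exam dump or from Microsoft. It assumes it runs on Server1 against an instance listening on port 50000; the partition DN and the instance name are illustrative. The #schemaNamingContext token on the ldifde command line is the documented placeholder that ldifde resolves to the target's schema container.

```powershell
# Added example: import the user classes (Q12) and create an additional
# application directory partition (Q11) in an AD LDS instance with ldifde.
$server = 'localhost:50000'

# QUESTION 12: the shipped .ldf files refer to "CN=Schema,CN=Configuration,DC=X";
# -c rewrites that to the instance's real schema DN, -k ignores "already exists".
ldifde -i -f "$env:windir\ADAM\MS-User.ldf" -s $server -k -j "$env:TEMP" `
    -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"

# QUESTION 11: a partition is a container whose instanceType says "NC head,
# writeable" (1 | 4 = 5). Any DN form is accepted; a DC-style one is used here.
$partitionDn = 'CN=App2,DC=contoso,DC=com'
$ldif = @"
dn: $partitionDn
changetype: add
objectClass: container
instanceType: 5
"@
$ldifFile = Join-Path $env:TEMP 'newpartition.ldf'
Set-Content -Path $ldifFile -Value $ldif -Encoding ASCII
ldifde -i -f $ldifFile -s $server -j "$env:TEMP"
Remove-Item $ldifFile

# Verify over plain LDAP (the AD module needs ADWS, which a bare instance may
# not expose): the partition is listed in namingContexts and the user class exists.
$rootDse  = [ADSI]"LDAP://$server/RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$rootDse.namingContexts
([ADSI]"LDAP://$server/CN=User,$schemaNC").lDAPDisplayName
```

The ldifde log written with -j is the place to look when an import is refused; a schema import that fails half-way leaves the instance with some classes and not others, which is the state that produces the "no User object class" symptom in the question.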
QUESTION 13
Your network contains an Active Directory domain. The domain contains a server named Server1.Server1 runs Windows Server 2008 R2.
You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.
What should you do?
A. Run ldp.exe and use the Bind option.
B. Run diskpart.exe and use the Attach option.
C. Run dsdbutil.exe and use the snapshot option.
D. Run imagex.exe and specify the /mount parameter.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc753151%28v=ws.10%29.aspx Dsdbutil
Performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.
Commands
snapshot
Manages snapshots.
http://technet.microsoft.com/en-us/library/cc731620%28v=ws.10%29.aspx snapshot
Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.
This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2.
Syntax
activate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted] [mount %s] [quit]
Parameters
mount %s: Mounts a snapshot with GUID %s. You can refer to an index number of any mounted snapshot instead of its GUID.
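Mounting the snapshot is only half of the job: the mounted volume is a copy of the data directory, and dsamain.exe is what serves that copy over a separate LDAP port so it can be browsed and compared with the live instance. The following is an added example written for this page, not code from the exam dump or from Microsoft. It assumes an AD LDS instance named Instance1 whose data directory is C:\ADLDS\Instance1\data, a partition named CN=App1,DC=contoso,DC=com, and that dsdbutil reports a mounted snapshot with the words "mounted as" followed by the mount point (an assumption about its output).

```powershell
# Added example: create, mount, expose and tear down an AD LDS snapshot (Q13).
$instance = 'Instance1'
$dataDir  = 'C:\ADLDS\Instance1\data'   # the instance's data path (assumed)

# Each interactive dsdbutil command is passed as a separate argument.
dsdbutil "activate instance $instance" snapshot create quit quit
dsdbutil "activate instance $instance" snapshot "list all" quit quit

# Mount by index (1 = first in the list) rather than by GUID.
$mountOutput = dsdbutil "activate instance $instance" snapshot "list all" "mount 1" quit quit
$mountPoint  = ($mountOutput | Select-String 'mounted as (\S+)').Matches[0].Groups[1].Value
"Snapshot mounted at $mountPoint"

# The mount point mirrors the original volume layout, so the database is at
# <mount>\<original path without drive letter>\adamntds.dit.
$dit = Join-Path $mountPoint ($dataDir.Substring(3) + '\adamntds.dit')

# dsamain runs until Ctrl+C, so start it as a background job. -allowNonAdminAccess
# lets ordinary users query the snapshot; drop it if only admins should see it.
$job = Start-Job { param($p) dsamain -dbpath $p -ldapport 51000 -allowNonAdminAccess } -ArgumentList $dit
Start-Sleep -Seconds 10

# Query the historical copy over plain LDAP (the AD module would need ADWS).
$root     = [ADSI]"LDAP://localhost:51000/CN=App1,DC=contoso,DC=com"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
$searcher.FindAll() | Select-Object -First 20 -ExpandProperty Path

# Tear down. A snapshot contains every secret in the directory and is readable
# by local administrators, so unmount it and delete it when you are done.
Stop-Job $job; Remove-Job $job
dsdbutil "activate instance $instance" snapshot "list all" "unmount 1" quit quit
# dsdbutil "activate instance $instance" snapshot "list all" "delete 1" quit quit
```

The same commands work on a domain controller with ntdsutil in place of dsdbutil and ntds.dit in place of adamntds.dit; on a DC, dsamain also accepts a snapshot taken by a backup product, which makes it the standard way to read deleted attribute values without a restore.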
QUESTION 14
Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network.
A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point
(SCP) for the AD RMS installation.The solution must minimize the administrative rights of User1.
To which group should you add User1?
A. AD RMS Auditors
B. AD RMS Service Group
C. Domain Admins
D. Schema Admins
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx
The AD RMS Service Connection Point
The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority.
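The reason QUESTION 14 insists on minimising rights is that the SCP is a high-value object: every RMS-enabled client discovers the cluster through it, so anyone who can write it can redirect clients to a rogue licensing server. The following is an added example written for this page, not code from the exam dump or from Microsoft, that reads the registered SCP, compares it with the expected cluster URL, and lists who is allowed to change it. It assumes the Active Directory module; the expected URL and the domain are illustrative.

```powershell
# Added example: read and validate the AD RMS Service Connection Point (Q14).
Import-Module ActiveDirectory

$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# The SCP lives at CN=SCP,CN=RightsManagementServices,CN=Services,<configuration NC>
# and carries the cluster URL in serviceBindingInformation.
$scp = Get-ADObject -SearchBase "CN=Services,$ConfigNC" `
    -LDAPFilter '(&(objectClass=serviceConnectionPoint)(cn=SCP))' `
    -Properties serviceBindingInformation, whenChanged, nTSecurityDescriptor |
    Where-Object { $_.DistinguishedName -like '*RightsManagementServices*' }

if (-not $scp) {
    Write-Warning 'No AD RMS SCP is registered; clients will rely on registry overrides or fail discovery'
    return
}

$url = [string]$scp.serviceBindingInformation
"SCP     : $($scp.DistinguishedName)"
"URL     : $url"
"Changed : $($scp.whenChanged)"

# Checks worth scheduling: the URL must be the one you deployed, and it must be HTTPS,
# otherwise rights account certificates and use licences travel in the clear.
$expected = 'https://rms.contoso.com/_wmcs/certification'
if ($url -ne $expected)        { Write-Warning "SCP URL differs from expected: $url" }
if ($url -notlike 'https://*') { Write-Warning 'SCP URL is not HTTPS' }

# Who can modify it? Write rights beyond Enterprise Admins and SYSTEM are a finding.
$scp.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Run this from a monitoring account with read-only rights; the point of the exercise is to detect a changed SCP, and a script that can also rewrite it would itself become a target.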
QUESTION 15
Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in
contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com.
From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com.
You need to prevent users from impersonating contoso.com users.
What should you do?
A. Configure trusted e-mail domains.
B. Enable lockbox exclusion in AD RMS.
C. Create a forest trust between adatum.com and contoso.com.
D. Add a certificate from a third-party trusted certification authority (CA).
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc753930.aspx
Add a Trusted User Domain
By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests.
For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.
You can add TUDs as follows:
To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft's online RMS service. For more information about trusting Windows Live ID in your organization, see Use Windows Live ID to Establish RACs for Users.
To trust external users from another organization's AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server that is in the other organization.
In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest.
For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted.
Restricting the adatum.com TUD to the adatum.com e-mail domain is what stops that cluster from issuing RACs that carry contoso.com addresses, which is the impersonation the question describes: a RAC whose e-mail domain is not on the trusted list for its issuing TUD is rejected even though the issuing cluster itself is trusted.
QUESTION 16
Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active
Directory Rights Management Services (AD RMS) is deployed on the network.
You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month.
You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Upgrade all of the Windows Vista computers to Windows 7.
B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).
C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group
Policy.
D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of
Group Policy.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS.
You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.
What should you do?
A. Modify the security of the ServerCertification.asmx file.
B. Modify the security of the MobileDeviceCertification.asmx file.
C. Enable anonymous authentication for the _wmcs virtual directory.
D. Enable anonymous authentication for the certification virtual directory.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/ff608252%28v=ws.10%29.aspx Windows Mobile Considerations for AD RMS
AD RMS and Windows Mobile Requirements
Active Directory Rights Management Services (AD RMS) integrates with Microsoft Windows Mobile® in Windows Mobile 6 and later devices. End users can create and consume protected e-mail messages and can read protected Microsoft Office documents on their Windows Mobile device.
...
AD RMS client capabilities are embedded in the operating system of Windows Mobile 6 and later devices. There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only on devices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected content between the different versions and editions of Windows Mobile 6 or later.
By default the discretionary access control list (DACL) of the AD RMS mobile certification pipeline is restricted and must be enabled for Windows Mobile 6 or later devices to obtain certificates and licenses to create and consume AD RMS protected content. You can enable the certification of mobile devices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabled application Read and Read & Execute permissions to the MobileDeviceCertification.asmx file. This file is located under %systemdrive%\Inetpub\wwwroot\_wmcs\Certification by default. You must complete this process on each AD RMS server in the cluster.
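The following is an added example written for this page, not code from the exam dump or from Microsoft, that applies the file permissions described above on every node of the cluster with icacls and then shows the resulting ACL so that nothing broader than intended was granted. The node names, the application service account and the domain are illustrative; "AD RMS Service Group" is the local group that the AD RMS role creates on each server, and _DRMSAppPool1 is the application pool named earlier on this page.

```powershell
# Added example: open the mobile certification pipeline to the right
# principals on each AD RMS cluster node (Q17).
$nodes = 'RMS1', 'RMS2'
$file  = "$env:SystemDrive\Inetpub\wwwroot\_wmcs\Certification\MobileDeviceCertification.asmx"
$principals = @(
    'AD RMS Service Group',        # local group on every AD RMS server
    'CONTOSO\svc-exchange-rms'     # service account of the AD RMS-enabled application (assumed)
)

Invoke-Command -ComputerName $nodes -ArgumentList $file, $principals -ScriptBlock {
    param($path, $who)
    if (-not (Test-Path $path)) { throw "$env:COMPUTERNAME`: $path not found; is this an AD RMS node?" }
    foreach ($p in $who) {
        # (RX) = Read & Execute. No inheritance flags: this is a single file, and the
        # grant must stay limited to it rather than spilling over the whole pipeline.
        icacls $path /grant "${p}:(RX)"
    }
    # Review the result. Entries such as Users or Everyone here would let any
    # authenticated principal, not only enrolled devices, pull certificates.
    "--- $env:COMPUTERNAME"
    icacls $path
}

# The file ACL is useless if IIS is not serving the pipeline: confirm the
# _wmcs application pool is started on every node.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Import-Module WebAdministration
    "{0}: {1}" -f $env:COMPUTERNAME, (Get-WebAppPoolState -Name '_DRMSAppPool1').Value
}
```

Granting the ACL does not bypass IIS authentication; the device still authenticates as its user against the _wmcs virtual directory, which is why options C and D in the question (anonymous access) would weaken the deployment rather than fix it.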
QUESTION 18
Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS.
You need to update AD RMS to use the new password.
Which console should you use?
A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Component Services
D. Services
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-service-account-password.aspx
AD RMS How To: Change the RMS Service Account Password
The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.
It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly. These processes include, but are not limited to, the following items:
Ensure the service account meets the criteria (is a domain account, is not the domain account that provisioned RMS, etc.)
Temporarily suspends RMS functionality on the server during the change
Updates the RMS local groups
Updates the database role for the service account
Updates and restarts the MSMQ and logging services
Updates the service account for the _DRMSAppPool1 web application pool
Updates appropriate AD RMS configuration database tables
There are important requirements to run this wizard.
Must be logged on to the AD RMS server
Account running the wizard must be:
* A local administrator on the RMS server,
* A member of the AD RMS Enterprise Administrators group, and
* A SQL SysAdmin on the AD RMS instance
Lastly, this must be performed on each server of the AD RMS cluster
QUESTION 19
Your network contains an Active Directory Rights Management Services (AD RMS) cluster.
You have several custom policy templates. The custom policy templates are updated frequently. Some users report that it takes as many as 30 days to receive the
updated policy templates.
You need to ensure that users receive the updated custom policy templates within seven days.
What should you do?
A. Modify the registry on the AD RMS servers.
B. Modify the registry on the users' computers.
C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.
D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771971.aspx
Configuring the AD RMS client
The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks the updateFrequency DWORD registry value. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime value, which forces the client computer to update its rights policy templates.
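Added example, not part of the exam dump or the Microsoft article it quotes: a PowerShell script that sets the updateFrequency value described above to 7 days and reads the effective interval back, treating an absent key as the built-in 30-day default. The key path and value name come from the text; the function names are my own.

```powershell
# Added example (not from the original page). The value lives under
# HKEY_CURRENT_USER, so run this in the user's context (logon script or a
# Group Policy Preferences Registry item deploys it to every user).
$RmsTemplateKey = 'HKCU:\Software\Policies\Microsoft\MSDRM\TemplateManagement'

function Get-RmsTemplateUpdateFrequency {
    # Returns the interval in days the AD RMS client uses between template checks.
    $item = Get-ItemProperty -Path $RmsTemplateKey -Name 'updateFrequency' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 30 }   # key or value absent: client falls back to 30 days
    return [int]$item.updateFrequency
}

function Set-RmsTemplateUpdateFrequency {
    param(
        [ValidateRange(1, 365)]
        [int]$Days = 7
    )
    # By default the key does not exist at all, so create the full path first.
    if (-not (Test-Path -Path $RmsTemplateKey)) {
        New-Item -Path $RmsTemplateKey -Force | Out-Null
    }
    # DWORD, as the article specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $RmsTemplateKey -Name 'updateFrequency' `
        -PropertyType DWord -Value $Days -Force | Out-Null
    # Return what is now effective so the caller can verify the change.
    return Get-RmsTemplateUpdateFrequency
}

# Usage: weak default (30 days) versus the corrected 7-day interval.
"Before: templates refresh every $(Get-RmsTemplateUpdateFrequency) day(s)"
$null = Set-RmsTemplateUpdateFrequency -Days 7
"After:  templates refresh every $(Get-RmsTemplateUpdateFrequency) day(s)"
```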
QUESTION 20
Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1.
You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers.
What should you do?
A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc732301.aspx
Administrator Role Separation Configuration
This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.
To configure Administrator Role Separation for an RODC
1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type dsmgmt.exe, and then press ENTER.
3. At the DSMGMT prompt, type local roles, and then press ENTER.
QUESTION 21
You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user named User1 can administer RODC1. The solution must
minimize the number of permissions assigned to User1.
Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsadd
D. Dsmgmt
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc755310.aspx
Delegating local administration of an RODC
Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations.
Steps and best practices for setting up ARS
You can specify a delegated RODC administrator during an RODC installation or after it.
To specify the delegated RODC administrator after installation, you can use either of the following options:
Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click
Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an
individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that
corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account
because the information is stored in AD DS, where it can be centrally managed by domain administrators.
Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators
group and other built-in groups on the RODC. [See also the second reference for more information on how to use dsmgmt.]
Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC.
Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the
RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated
administrator.
In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a
security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal
would have administrative rights on the new RODC in the different domain.
Reference 2:
http://technet.microsoft.com/en-us/library/cc732301.aspx
Administrator Role Separation Configuration
This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.
To configure Administrator Role Separation for an RODC
1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type dsmgmt.exe, and then press ENTER.
3. At the DSMGMT prompt, type local roles, and then press ENTER.
4. For a list of valid parameters, type ?, and then press ENTER.
5. By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter.
Type add <DOMAIN>\<user> <administrative role>
For example, type add CONTOSO\testuser administrators
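Added example for questions 20 and 21, not code from the exam dump or from the TechNet articles it quotes: delegating the RODC administrator the recommended way, by writing the managedBy attribute with the ActiveDirectory module, and reading it back. RODC1 and the group name are assumptions; the comments note why a dsmgmt local roles entry will not be visible here.

```powershell
# Added example (not from the original page or Microsoft's documentation).
Import-Module ActiveDirectory

function Set-RodcDelegatedAdmin {
    param(
        [Parameter(Mandatory)] [string]$RodcName,
        [Parameter(Mandatory)] [string]$Principal   # sAMAccountName of a user or, preferably, a group
    )
    # -ManagedBy accepts a principal identity and stores its DN in the RODC
    # computer object's managedBy attribute (the ADUC "Managed By" tab).
    # Only one principal fits, which is why the reference recommends a group.
    Set-ADComputer -Identity $RodcName -ManagedBy $Principal
    return (Get-ADComputer -Identity $RodcName -Properties ManagedBy).ManagedBy
}

function Get-RodcDelegatedAdmin {
    param([Parameter(Mandatory)] [string]$RodcName)
    $dn = (Get-ADComputer -Identity $RodcName -Properties ManagedBy).ManagedBy
    if (-not $dn) { return $null }    # nothing delegated through AD DS
    # Resolve the DN so the caller sees the account or group name, not just a DN.
    return Get-ADObject -Identity $dn -Properties sAMAccountName
}

# Usage (assumed names): delegate RODC1 to a group, then verify.
Set-RodcDelegatedAdmin -RodcName 'RODC1' -Principal 'RODC1-LocalAdmins'
Get-RodcDelegatedAdmin -RodcName 'RODC1'

# Caveat from the reference: a principal added with "dsmgmt local roles" is
# stored only in the RODC's local registry, so it never shows up in managedBy.
# When auditing an RODC, compare this output with "dsmgmt local roles" on the box.
```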
QUESTION 22
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a
read-only domain controller (RODC).
You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails. User1 restarts his computer and
reports that he is unable to log on to the domain.
The WAN link is restored and User1 reports that he is able to log on to the domain.
You need to prevent the problem from reoccurring if the WAN link fails.
What should you do?
A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
Your company has a main office and a branch office.
The network contains an Active Directory domain.
The main office contains a writable domain controller named DC1. The branch office contains a read- only domain controller (RODC) named DC2.
You discover that the password of an administrator named Admin1 is cached on DC2.
You need to prevent Admin1's password from being cached on DC2.
What should you do?
A. Modify the NTDS Site Settings.
B. Modify the properties of the domain.
C. Create a Password Setting object (PSO).
D. Modify the properties of DC2's computer account.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx
Administering the Password Replication Policy
This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).
Viewing the PRP
You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP.
To view the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.
3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.
4. Click the Password Replication Policy tab. An example is shown in the following illustration.
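Added example covering questions 22 and 23, not code from the exam dump or the referenced article: managing an RODC's Password Replication Policy with the ActiveDirectory module instead of the ADUC tab. RODC1, DC2, User1 and Admin1 come from the questions; the workstation name and the function names are assumptions.

```powershell
# Added example (not from the original page or Microsoft's documentation).
Import-Module ActiveDirectory

# Question 22: an offline logon only works if the RODC has cached the secrets
# of BOTH the user and the computer the user logs on from.
function Grant-RodcCaching {
    param(
        [Parameter(Mandatory)] [string]$Rodc,
        [Parameter(Mandatory)] [string[]]$Principals   # users and computer accounts (NAME$)
    )
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Principals
}

# Question 23: a denied entry overrides any allow, so listing Admin1 as denied
# stops DC2 from caching that password from now on.
function Block-RodcCaching {
    param(
        [Parameter(Mandatory)] [string]$Rodc,
        [Parameter(Mandatory)] [string[]]$Principals
    )
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $Principals
}

function Get-RodcCachedAccounts {
    param([Parameter(Mandatory)] [string]$Rodc)
    # "Revealed" accounts are those whose secrets are currently stored on the RODC;
    # this is how question 23's finding (Admin1 cached on DC2) is detected.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object SamAccountName, ObjectClass
}

function Get-RodcPolicy {
    param([Parameter(Mandatory)] [string]$Rodc)
    # The cmdlet requires one of the two switches; return both lists together.
    [pscustomobject]@{
        Allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        Denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
    }
}

# Usage with the questions' names (the workstation 'User1-PC$' is assumed).
Grant-RodcCaching -Rodc 'RODC1' -Principals 'User1', 'User1-PC$'
Block-RodcCaching -Rodc 'DC2'   -Principals 'Admin1'
Get-RodcCachedAccounts -Rodc 'DC2'   # any privileged account listed here merits follow-up
Get-RodcPolicy -Rodc 'DC2'
```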
QUESTION 24
Your network contains an Active Directory forest.
You add an additional user principal name (UPN) suffix to the forest. You need to modify the UPN suffix of all users. You want to achieve this goal by using the
minimum amount of administrative effort.
What should you use?
A. the Active Directory Domains and Trusts console
B. the Active Directory Users and Computers console
C. the Csvde tool
D. the Ldifde tool
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2).
You need to prevent all users from running an application named App1.exe.
Which Group Policy settings should you configure?
A. Application Compatibility
B. AppLocker
C. Software Installation
D. Software Restriction Policies
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://gpfaq.se/2007/09/30/how-to-using-software-restriction-policies/
How-to: Using Software Restriction Policies
Using SRP is not that common today and what I will write here is a small how-to so that you can start trying it today and maybe even sometime soon apply it in your production environment.
First thing to notice is that SRP is a very powerful tool, so try it in a test environment before you apply it to users in production.
First you need to choose your default level, which you do at Security Levels:
By default, when you start using this, the default level is Unrestricted, which allows all programs to run. This means you can use SRP to block specific programs, but the power is that you can change this so Disallowed is the default level, which means you specify which programs you can run (all others are blocked) instead of blocking specific programs. So to start with, change so Disallowed is default. Double-click on Disallowed and press the button Set as Default.
This means that all clients affected by this policy now would be able to run anything except what you define as exclusions, which you do at Additional rules:
As you can see in the above picture you have two default values already included. These two values are registry paths, which set all programs defined in these two registry paths to Unrestricted, which of course makes them available to run even if you selected Disallowed as your default choice in the above selection at Security Levels. There are four different choices on how to enable/disable programs to run:
Hash-rule
Path-rule
Network zone-rule
Certificate-rule
The normal ones to use are HASH or PATH. HASH is always something you should prefer to use, since if the user tries to run a program it looks at the hash value and evaluates if you can run the program or not.
Sometimes, when you have different versions of a program for example, it might be a problem to use HASH; then you use PATH instead. Also, if you don't have the program installed in the same location on each computer but you know somewhere in the registry where it stores the path to the program, you can use PATH and use the registry location instead. I will show you the two ways of allowing Windows Live Messenger to run.
Hash:
As you can see above, it takes the values from the executable and stores the hash value of the file. When someone tries to run the program the system evaluates this hash value and compares it with the one you defined, and then selects if you can run the program or not.
Path:
As you can see above, you need to select the path to the executable. This path needs to be the same on each computer you would like to use this on, but of course you can use environment variables as I have done in the above picture. You could also use a registry location if you knew where the path to the program is stored.
You can of course also use this to block programs instead of allowing them. This is not really the preferred method on how to use SRP, but fully functional.
On my computer I have Unrestricted as my default and I added an application on my desktop named radio.exe as Disallowed.
So the result if I'm trying to run the file is:
As a conclusion you can see that this is a powerful way of giving your users minimal rights in the system, with the result that your users will have a large problem messing up the computer :) This only covers some parts of SRP. For example, local administrators also get these rules, but that you can exclude in the Enforcement choice, and also DLL files are excluded by default but you can change that too.
Make sure to try this in a safe environment before applying it to production, as you might get a big headache if you have made some wrong turns in setting this up. :)
QUESTION 26
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3
(SP3) or Windows Vista.
You need to ensure that all client computers can apply Group Policy preferences.
What should you do?
A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.microsoft.com/en-us/download/details.aspx?id=3628
Group Policy Preference Client Side Extensions for Windows XP (KB943729)
Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). Group Policy Preferences enable information technology professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. After you install this update, your computer will be able to process the new Group Policy Preference extensions.
http://www.petenetlive.com/KB/Article/0000389.htm
Server 2008 Group Policy Preferences and Client Side Extensions
Problem
Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2. To be able to apply them to older Windows clients, you need to install the "Client Side Extensions" (CSE). You can either script this, deploy with a group policy, or if you have WSUS you can send out the update that way.
Solution
You may not have noticed, but if you edit or create a group policy in Server 2008 now, you will see there is a "Preferences" branch. Most IT Pros will have seen the addition of the "Policies" folder some time ago because it adds an extra level to get to the policies that were there before :)
OK Cool! What can you do with them?
1. Computer Preferences: Windows Settings
Environment: Lets you control and send out environment variables via Group Policy.
Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).
Folder: As above, but for folders.
Ini Files: Allows you to Create, Replace, Update or Delete an ini file.
Registry: Allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a Wizard, or extract the key(s) values you want to send out via group policy.
Network Shares: Allows you to Create, Replace, Update, or Delete shares on clients via group policy.
Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.
2. Computer Preferences: Control Panel Settings
Data Sources: Allows you to Create, Replace, Update, or Delete Data Sources and ODBC settings via group policy. (Note: there's a bug if you're using SQL authentication, see here.)
Devices: Lets you enable and disable hardware devices by type and class; to be honest it's a little "clunky".
Folder Options: Allows you to set "File Associations" and set the default programs that will open particular file extensions.
Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrator passwords via group policy.
Network Options: Lets you send out VPN and dial-up connection settings to your clients, handy if you use PPTP Windows Server VPNs.
Power Options: With XP these are Power Options and Power Schemes; with Vista and later OSs they are Power Plans. This is much needed; I've seen many "Is there a group policy for power options?" or disabling hibernation questions in forums. And you can use the Options tab to target particular machine types (i.e. only apply if there is a battery present).
Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to have the accounts printer.
Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or later); this could be handy to deploy a patch or some virus/malware removal process.
Service: Essentially anything you can do in the services snap-in you can push out through group policy: set services to disabled or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.
3. User Configuration: Windows Settings
Applications: Answers on a Postcard? I can't work out what these are for!
Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.
Environment: As above, lets you control and send out environment variables via Group Policy, but on a user basis.
Files: As above, allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis.
Folders: As above, but for folders on a user by user basis.
Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.
Registry: As above, allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a Wizard, or extract the key(s) values you want to send out via group policy, this time for users not computers.
Shortcuts: As above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.
4. User Configuration: Control Panel Settings
All of the following options are covered above on "Computer Configuration":
Data Sources
Devices
Folder Options
Local Users and Groups
Network Options
Power Options
Printers
Scheduled Tasks
Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis.
Regional Options: Designed so you can change a user's Locale, handy if you have one user who wants an American keyboard.
Start Menu: Provides the same functionality as right-clicking your task bar > Properties > Start Menu > Customise, only set user by user.
References:
http://technet.microsoft.com/en-us/library/dd367850%28WS.10%29.aspx
Group Policy Preferences
QUESTION 27
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows 7 or Windows Vista
Service Pack 2 (SP2).
You need to audit user access to the administrative shares on the client computers.
What should you do?
A. Deploy a logon script that runs Icacls.exe.
B. Deploy a logon script that runs Auditpol.exe.
C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.
D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://support.microsoft.com/kb/921469
Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows
Vista-based and Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain. Use the Auditpol.exe command-line
tool to configure the custom audit policy settings that you want.
QUESTION 28
Your network contains an Active Directory domain named contoso.com.
You need to create a central store for the Group Policy Administrative templates.
What should you do?
A. Run dfsrmig.exe /createglobalobjects.
B. Run adprep.exe /domainprep /gpprep.
C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.
D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.vmadmin.co.uk/microsoft/43-winserver2008/220-svr08admxcentralstore
Creating an ADMX central store for group policies
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder. The Central Store is a location that is checked by GPMC. The GPMC will use .admx files that are in the Central Store. The files that are in the Central Store are replicated to all domain controllers in the domain.
First, on a domain controller (Windows Server 2008/2008 R2) the ADMX policy definitions and language template files in %SYSTEMROOT%\PolicyDefinitions need copying to %SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions.
Run the following command to copy the entire folder contents to SYSVOL. This will then replicate to all domain controllers (the default ADMX policies and EN-US language templates (ADML) are about 6.5 MB in total).
xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\"
Next, ensure you have Remote Server Administration Tools (RSAT) installed on the client computer you are using to edit the GPOs. This will need to be Windows Vista or Windows 7.
For Windows Vista enable the RSAT feature (GPMC).
For Windows 7 download and install RSAT, then enable the RSAT feature (GPMC).
When editing a GPO in the GPMC you will find that the Administrative Templates show as "Policy Definitions (ADMX files) retrieved from the central store".
This confirms it is working as expected.
Further information:
http://support.microsoft.com/kb/929841/en-us
How to create the Central Store for Group Policy Administrative Template files in Windows Vista
http://msdn.microsoft.com/en-us/library/bb530196.aspx
Managing Group Policy ADMX Files Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspx
Scenario 2: Editing Domain-Based GPOs Using ADMX Files
QUESTION 29
You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.
You need to identify whether a specific application file is allowed to run on a computer.
Which Windows PowerShell cmdlet should you use?
A. Get-AppLockerFileInformation
B. Get-GPOReport
C. Get-GPPermissions
D. Test-AppLockerPolicy
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/ee460960.aspx
Test-AppLockerPolicy
Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy.
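Added example, not from the exam dump or the cmdlet reference: evaluating App1.exe against the effective AppLocker policy (local rules merged with the applied GPOs) for a given user, and sweeping a folder for anything that would be blocked before enforcement is switched on. The file paths and the user account are assumptions.

```powershell
# Added example (not from the original page or Microsoft's documentation).
Import-Module AppLocker

function Test-AppAllowed {
    param(
        [Parameter(Mandatory)] [string[]]$Path,
        [string]$User = 'Everyone',       # evaluate as this principal (DOMAIN\user, SID or group)
        [string]$XmlPolicy                # optional: an exported policy XML instead of the effective one
    )
    if ($XmlPolicy) {
        # Useful for testing a GPO export on a machine where it is not applied yet.
        $results = Test-AppLockerPolicy -XmlPolicy $XmlPolicy -Path $Path -User $User
    } else {
        # -Effective merges the local policy with the domain policy applied to this host.
        $results = Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Path -User $User
    }
    # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault;
    # MatchingRule names the rule that decided it (empty for the *ByDefault cases).
    return $results | Select-Object FilePath, PolicyDecision, MatchingRule
}

function Find-BlockedExecutables {
    param(
        [Parameter(Mandatory)] [string]$Directory,
        [string]$User = 'Everyone'
    )
    $paths = Get-ChildItem -Path $Directory -Filter *.exe -Recurse -File | ForEach-Object FullName
    if (-not $paths) { return @() }
    # -Filter keeps only the decisions listed, so the output is the "would break" list.
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $paths -User $User -Filter Denied, DeniedByDefault
}

# Usage (assumed path and user): the single-file check from question 29 ...
Test-AppAllowed -Path 'C:\Program Files\App1\App1.exe' -User 'CONTOSO\User1'
# ... and the pre-enforcement sweep of the whole application folder.
Find-BlockedExecutables -Directory 'C:\Program Files\App1' -User 'CONTOSO\User1'
```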
QUESTION 30
You create a Password Settings object (PSO).
You need to apply the PSO to a domain user named User1.
What should you do?
A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc731589.aspx
To apply PSOs to users or global security groups using the Windows interface
1. Open Active Directory Users and Computers
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Password Settings Container.
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this
PSO to, click Add, and then click OK.
QUESTION 31
You need to create a Password Settings object (PSO).
Which tool should you use?
A. Active Directory Users and Computers
B. ADSI Edit
C. Group Policy Management Console
D. Ntdsutil
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc754461.aspx
You can create Password Settings objects (PSOs):
using the Active Directory module for Windows PowerShell
using ADSI Edit
using ldifde
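Added example serving questions 30 and 31, not code from the exam dump or the TechNet pages: creating a PSO and applying it to User1 with the ActiveDirectory module (the first method in the list above), which writes the same msDS-PsoAppliesTo attribute that the Attribute Editor steps in question 30 edit by hand. The policy name and its settings are assumptions.

```powershell
# Added example (not from the original page or Microsoft's documentation).
Import-Module ActiveDirectory

function New-AdminPso {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [int]$Precedence = 10,      # when several PSOs apply, the lowest precedence wins
        [int]$MinLength = 15,
        [int]$MaxAgeDays = 60,
        [int]$LockoutThreshold = 5
    )
    # The cmdlet enforces the mandatory PSO attributes that ADSI Edit makes you
    # type in one by one; a PSO with a missing attribute is rejected by AD DS.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength $MinLength -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
        -LockoutThreshold $LockoutThreshold -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
    return Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Add-PsoSubject {
    param(
        [Parameter(Mandatory)] [string]$Pso,
        [Parameter(Mandatory)] [string[]]$Subjects   # users or global security groups only
    )
    # Adds each subject's DN to msDS-PsoAppliesTo on the PSO object.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Pso -Subjects $Subjects
    return (Get-ADFineGrainedPasswordPolicy -Identity $Pso -Properties AppliesTo).AppliesTo
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)] [string]$User)
    # Resolves precedence and group membership: this is the check that confirms
    # the PSO, not the Default Domain Policy, governs the account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($null -eq $pso) { return 'Default Domain Policy (no PSO applies)' }
    return $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}

# Usage: create the PSO, apply it to User1, verify what User1 actually gets.
New-AdminPso -Name 'PSO-Admins'
Add-PsoSubject -Pso 'PSO-Admins' -Subjects 'User1'
Get-EffectivePasswordPolicy -User 'User1'
```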
QUESTION 32
Your network contains an Active Directory domain. All servers run Windows Server 2008 R2. You need to audit the deletion of registry keys on each server.
What should you do?
A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.
B. From Audit Policy, modify the System Events settings and the Privilege Use settings.
C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.
D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/dd408940.aspx
Advanced Security Audit Policy Step-by-Step Guide
A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry.
QUESTION 33
Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.
You need to enable the Active Directory Recycle Bin.
What should you use?
A. the Dsmod tool
B. the Enable-ADOptionalFeature cmdlet
C. the Ntdsutil tool
D. the Set-ADDomainMode cmdlet
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Similar question to question L/Q5.
Reference:
http://technet.microsoft.com/en-us/library/dd379481.aspx
Enabling Active Directory Recycle Bin
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe
QUESTION 34
Your network contains a single Active Directory domain.
You need to create an Active Directory Domain Services snapshot.
What should you do?
A. Use the Ldp tool.
B. Use the NTDSUtil tool.
C. Use the Wbadmin tool.
D. From Windows Server Backup, perform a full backup.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc753609.aspx
To create an AD DS or AD LDS snapshot
1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.
2. Click Start, right-click Command Prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. At the elevated command prompt, type the following command, and then press ENTER:
ntdsutil
5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds
7. At the snapshot prompt, type the following command, and then press ENTER: create
QUESTION 35
Your network contains a single Active Directory domain.
A domain controller named DC2 fails.
You need to remove DC2 from Active Directory.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. At the command prompt, run dcdiag.exe /fix.
B. At the command prompt, run netdom.exe remove dc2.
C. From Active Directory Sites and Services, delete DC2.
D. From Active Directory Users and Computers, delete DC2.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc816907.aspx
Clean Up Server Metadata
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS).
You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD
DS that identifies a domain controller to the replication system.
Clean up server metadata by using GUI tools
Clean up server metadata by using Active Directory Users and Computers
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
3. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
Clean up server metadata by using Active Directory Sites and Services
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services
2. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings
object, and then click Delete.
QUESTION 36
Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008. The functional level of the domain is Windows
Server 2008 R2. All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2.
You need to ensure that you can enable the Active Directory Recycle Bin.
What should you do?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/dd392261.aspx
Active Directory Recycle Bin Step-by-Step Guide
By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2.
The domain functional level (B) is already Windows Server 2008 R2 and is not the gate; the schema (C) already carries the feature, and Universal Group Membership Caching (D) is unrelated. Note that enabling the Recycle Bin is a one-way operation: once enabled it cannot be disabled again.
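What the answer looks like in the Active Directory module, added here as an example (it is not part of the exam explanation): check that every DC in the forest is on Windows Server 2008 R2, raise the forest functional level if it is still lower, then enable the feature. It assumes the forest root domain is contoso.com.

```powershell
# Added example (not part of the exam explanation): preconditions, forest level
# raise, and Recycle Bin enablement. Assumption: forest root domain contoso.com.
Import-Module ActiveDirectory
$forest = Get-ADForest -Identity 'contoso.com'

# Raising the forest level is refused while any DC in any domain of the forest
# runs something older than Windows Server 2008 R2, so list the offenders first.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
}
if ($oldDcs) {
    $names = ($oldDcs | ForEach-Object { "$($_.HostName) ($($_.OperatingSystem))" }) -join ', '
    throw "Upgrade or demote these DCs before raising the forest level: $names"
}

# Raise only if the forest is still below 2008 R2; a higher level already qualifies.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    Set-ADForestMode -Identity $forest -ForestMode $required -Confirm:$false
}

# Enabling the Recycle Bin is irreversible; there is no Disable- counterpart.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Confirm:$false

# Verify: EnabledScopes lists the partitions the feature is now active on.
Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' } | Select-Object Name, EnabledScopes
```

The forest-level raise replicates like any other configuration change; give it a replication cycle before enabling the feature from a different DC, or run both steps against the same domain controller.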
QUESTION 37
Your network contains an Active Directory domain. The domain contains several domain controllers.All domain controllers run Windows Server 2008 R2. You need
to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings.
What should you do?
A. Run dcgpofix.exe /target:dc.
B. Run dcgpofix.exe /target:domain.
C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/hh875588.aspx
Dcgpofix recreates the default Group Policy Objects (GPOs) for a domain.
Syntax
DCGPOFix [/ignoreschema] [/target: {Domain | DC | Both}] [/?]
/ignoreschema Ignores the version of the Active Directory schema when you run this command. Otherwise, the command only works on the same schema version as the Windows version in which the command was shipped.
/target {Domain | DC | Both} Specifies which GPO to restore. You can restore the Default Domain Policy GPO, the Default Domain Controllers GPO, or both.
Examples
Restore the Default Domain Controllers Policy GPO to its original state. You will lose any changes that you have made to this GPO.
dcgpofix /ignoreschema /target:DC
/target:Domain (B) would reset the Default Domain Policy instead, and deleting the link (C, D) changes where the GPO applies, not what it contains. Back the GPO up in GPMC before running dcgpofix: the reset discards every change made since the domain was created, including security settings other products added to the GPO.
QUESTION 38
Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers
named DC1 and DC2. Site2 contains two domain controller named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional
level of the forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.
At 07:00, an administrator deletes a user account while he is logged on to DC1. You need to restore the deleted user account. You want to achieve this goal by
using the minimum amount of administrative effort.
What should you do?
A. On DC1, run the Restore-ADObject cmdlet.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services.
D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We cannot use Restore-ADObject, because Restore-ADObject is part of the Recycle Bin feature, and the Recycle Bin can only be enabled when the forest functional level is Windows Server 2008 R2. The question states that the functional level of the forest is Windows Server 2003.
See http://technet.microsoft.com/nl-nl/library/dd379481.aspx
Why DC3 rather than DC1: the account was deleted on DC1 at 07:00, and Site1 replicates to Site2 only between 20:00 and 01:00, so DC3 and DC4 still hold the live user object. Marking that object authoritative on DC3 with ntdsutil raises its version numbers (the USN, in the training kit's wording), so when the sites next replicate it overrides the deletion instead of being overwritten by it. No backup has to be restored, which is what makes this the minimal-effort path. Restoring the system state on DC1 (C) is a non-authoritative restore: afterwards DC1 would simply replicate the deletion back in from DC2.
Reference 1:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), page 692: An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers.
Reference 2:
http://technet.microsoft.com/en-us/library/cc755296.aspx
Authoritative restore of AD DS has the following requirements:
You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.
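The DC3 procedure as it would be typed, added here as an example rather than taken from the references above. It assumes the deleted user is CN=jdoe,OU=Sales,DC=contoso,DC=com (a DN without spaces, so it can be handed to ntdsutil unquoted) and is run in an elevated session on DC3:

```powershell
# Added example (not from the exam explanation). Run on DC3, which has not yet
# received the 07:00 deletion: mark the still-present user authoritative so it
# outranks the deletion when Site1 and Site2 next replicate. No backup needed.
# Assumption: deleted user is CN=jdoe,OU=Sales,DC=contoso,DC=com. DNs with
# spaces must be quoted inside ntdsutil, so run that part interactively.
$userDn = 'CN=jdoe,OU=Sales,DC=contoso,DC=com'
Import-Module ActiveDirectory

# The shortcut only works while DC3's copy still has the live object. If the
# deletion already arrived, fall back to a backup-based authoritative restore.
try { Get-ADObject -Identity $userDn -Server 'DC3' -ErrorAction Stop | Out-Null }
catch { throw "$userDn is already gone on DC3; restore it from backup instead." }

# Restartable AD DS: stop the service (KDC, DNS and NetLogon stop with it), run
# ntdsutil, start again. ntdsutil raises every attribute version by 100000.
Stop-Service NTDS -Force
ntdsutil "activate instance ntds" "authoritative restore" "restore object $userDn" quit quit
Start-Service NTDS
'KDC', 'DNS', 'NetLogon' | ForEach-Object { Start-Service $_ -ErrorAction SilentlyContinue }

# ntdsutil writes an ar_*.ldf with the user's former group memberships into the
# current directory; import it with ldifde -i if back-links went missing.
Get-ChildItem ar_*.ldf -ErrorAction SilentlyContinue | Select-Object Name

# Do not wait for the 20:00 window: push DC3's changes to all partners now
# (/A all partitions, /e across sites, /P push). The restored object wins.
repadmin /syncall DC3 /AeP
Get-ADUser -Identity jdoe -Server 'DC1'   # should now succeed in Site1 as well
```

If DC1 had already replicated the deletion to DC3, the same ntdsutil command still works but only after restoring a backup taken before 07:00 onto DC3 in Directory Services Restore Mode, which is the longer procedure the question is designed to avoid.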
QUESTION 39
Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2.
You perform a full backup of the domain controllers every night by using Windows Server Backup.
You update a script in the SYSVOL folder.
You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the
amount of time required to restore the script.
What should you do first?
A. Run the Restore-ADObject cmdlet.
B. Restore the system state to its original location.
C. Restore the system state to an alternate location.
D. Attach the VHD file created by Windows Server Backup.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx
Active Directory Backup and Restore in Windows Server 2008: NTBACKUP vs. Windows Server Backup
As an added bonus, Windows Server Backup stores its backup images in Microsoft Virtual Hard Disk (VHD) format. You can actually take a backup image and mount it as a volume in a virtual machine running under Microsoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for a particular file rather than having to perform test restores of tapes to see which one has the file on it. (A note of caution: you can't take a backup image and boot a virtual machine from it. Since the backed-up hardware configuration doesn't correspond to the virtual machine's configuration, you can't use Windows Server Backup as a physical-to-virtual migration tool.)
Why D: the script is an ordinary file in SYSVOL, so the quickest route is to attach the backup VHD (on Windows Server 2008 R2 diskpart attaches it directly, read-only, no virtual machine needed) and copy the previous version back; SYSVOL replication then carries it to DC2. Restore-ADObject (A) works on directory objects, not files, and a system state recovery (B, C) restores far more than one script and, for B, requires Directory Services Restore Mode on the domain controller.
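The attach-and-copy sequence, added as an example (not from the article quoted above). It assumes the backups live on E:, the DC is named DC1, the script is contoso.com\scripts\logon.vbs, the backup VHD holds a single partition, and drive letter V: is free:

```powershell
# Added example (not from the exam text). Attach the latest backup VHD read-only,
# copy the previous version of the script back into SYSVOL, and detach.
# Assumptions: backups on E:, DC named DC1, script logon.vbs under the
# contoso.com scripts folder, single-partition backup VHD, drive letter V: free.
$vhd = Get-ChildItem 'E:\WindowsImageBackup\DC1' -Recurse -Filter '*.vhd' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$live = Join-Path "$env:SystemRoot\SYSVOL\sysvol" 'contoso.com\scripts\logon.vbs'

# 1. Attach read-only so nothing can alter the backup, and give it a letter.
#    (After 'attach vdisk' the attached disk keeps focus, so 'partition 1' is
#    the backup volume.)
@"
select vdisk file="$($vhd.FullName)"
attach vdisk readonly
select partition 1
assign letter=V
"@ | diskpart | Out-Null

# 2. The image keeps the original path layout, so swap the drive letter only.
$old = 'V:' + $live.Substring(2)
if (-not (Test-Path $old)) { throw "$old is not in this backup; try an older VHD" }

# Show what changed before overwriting the broken version.
Compare-Object (Get-Content $old) (Get-Content $live) | Format-Table -AutoSize

# 3. Put the old version back. SYSVOL replication (FRS or DFS-R) carries the
#    change to DC2, so touching it on one DC is enough.
Copy-Item $live ($live + '.broken')       # keep the failing version for analysis
Copy-Item $old  $live -Force

# 4. Detach the backup volume.
@"
select vdisk file="$($vhd.FullName)"
detach vdisk
"@ | diskpart | Out-Null
```

The read-only attach matters on a domain controller: the VHD also contains ntds.dit and the registry hives from the backup, and an accidental write to it would corrupt the only copy you have of them.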
QUESTION 40
Your network contains an Active Directory domain.
You need to restore a deleted computer account from the Active Directory Recycle Bin.
What should you do?
A. From the command prompt, run recover.exe.
B. From the command prompt, run ntdsutil.exe.
C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx
Step 2: Restore a Deleted Active Directory Object
Applies To: Windows Server 2008 R2
This step provides instructions for completing the following tasks with Active Directory Recycle Bin:
Displaying the Deleted Objects container
Restoring a deleted Active Directory object using Ldp.exe
Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
Restoring multiple, deleted Active Directory objects
...
To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER:
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject
http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-objectfrom-the-active-directory- recycle-binusing-ad-powershell.aspx
Restoring object from the Active Directory Recycle Bin using AD Powershell
The other options do something else entirely: recover.exe salvages readable data from a defective disk, Restore-Computer rolls a Windows client back to a System Restore checkpoint, and ntdsutil's authoritative restore works from a backup, not from the Recycle Bin.
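The step-by-step above covers the simple case. The example below, added here and not taken from the Microsoft guide, handles the one that usually bites: the computer's OU was deleted along with it, and Restore-ADObject refuses to restore a child whose lastKnownParent is itself in the Recycle Bin. It assumes the computer was named WS-042.

```powershell
# Added example (not from the exam text). Restore a deleted computer account,
# restoring any deleted parent containers first, since Restore-ADObject fails
# when the object named in lastKnownParent is itself in the Recycle Bin.
# Assumption: the computer was named WS-042.
Import-Module ActiveDirectory
$sam = 'WS-042$'

function Restore-WithParents($Obj) {
    # lastKnownParent of an object whose container was deleted too points at
    # the container's mangled DN, e.g. "OU=Servers\0ADEL:<guid>,CN=Deleted Objects,...".
    if ($Obj.lastKnownParent -match '\\0ADEL:([0-9a-f-]{36})') {
        $parent = Get-ADObject -Identity $matches[1] -IncludeDeletedObjects -Properties lastKnownParent
        Restore-WithParents $parent
    }
    Restore-ADObject -Identity $Obj
    "restored $($Obj.Name) into $($Obj.lastKnownParent)"
}

# With the Recycle Bin on, deleted objects keep all attributes, so filtering on
# sAMAccountName is reliable even though cn and name are mangled with \0ADEL.
$deleted = Get-ADObject -LDAPFilter "(&(objectClass=computer)(isDeleted=TRUE)(sAMAccountName=$sam))" `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
if (-not $deleted) { throw "No deleted computer with sAMAccountName $sam" }
# If the account was deleted and recreated more than once, take the newest tombstone.
$deleted = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1

Restore-WithParents $deleted

# The restored account keeps its SID and machine password, so the workstation
# rejoins silently; recreating the account would have forced a re-join.
Get-ADComputer -Identity 'WS-042' -Properties whenChanged | Format-List Name, DistinguishedName, SID, whenChanged
```

Objects live in the Recycle Bin only for the deleted-object lifetime (180 days on a freshly created forest); after that they become recycled objects that Restore-ADObject can no longer bring back.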
QUESTION 41
You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.
What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc770536.aspx
To back up a Group Policy object
1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.
2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy Objects and click Back Up All.
A GPMC backup contains only each GPO's container data and Group Policy template, typically a few kilobytes per GPO. Windows Server Backup, Wbadmin and Add-WBSystemState (A, C, D) all work at the system state level, which drags in the whole SYSVOL tree, the registry and the Active Directory database, so none of them minimizes the size.
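The GroupPolicy module equivalent of Back Up All, combined with the dcgpofix reset from Question 37 so that the backup exists before anything is discarded. This is an added example, not part of either exam explanation; it assumes D:\GPOBackup exists and is writable by the administrator running it.

```powershell
# Added example (not from the exam text). Back up every GPO the way GPMC's
# "Back Up All" does (Question 41), then reset the Default Domain Controllers
# Policy with dcgpofix (Question 37) with a rollback path in hand.
# Assumption: D:\GPOBackup exists and is writable.
Import-Module GroupPolicy
$backupDir = Join-Path 'D:\GPOBackup' (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $backupDir | Out-Null

# A GPMC backup holds only the GPO template (SYSVOL files) and container data,
# which is why it stays tiny next to a system state backup.
$backups = Backup-GPO -All -Path $backupDir -Comment 'baseline before dcgpofix'
$backups | Format-Table DisplayName, Id, CreationTime -AutoSize
"backup size: {0:N0} KB" -f ((Get-ChildItem $backupDir -Recurse | Measure-Object Length -Sum).Sum / 1KB)

# Keep a readable record of the current DDCP settings for diffing later.
Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Xml -Path (Join-Path $backupDir 'DDCP-before.xml')

# Reset only the Default Domain Controllers Policy (answer A of Question 37).
# dcgpofix asks two Y/N questions, rebuilds the GPO with the OS defaults
# (user rights assignments included) and drops anything other products added.
dcgpofix /target:DC
gpupdate /target:computer /force

# Rollback, if the reset turns out to be the wrong call:
# Restore-GPO -Name 'Default Domain Controllers Policy' -Path $backupDir
```

Restore-GPO needs the same domain and a GPO with the same GUID, which dcgpofix preserves, so the rollback line restores settings in place rather than creating a second GPO.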
QUESTION 42
You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2. You need to ensure that you can recover the private key of a certificate
issued to a Web server.
What should you do?
A. From the CA, run the Get-PfxCertificate cmdlet.
B. From the Web server, run the Get-PfxCertificate cmdlet.
C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.
D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspx
Manual Key Archival
Manual key archival can be used in the following common scenarios that are not supported by automatic key archival:
Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft Office Outlook.
Certificates issued by CAs that do not support key archival.
Certificates installed on the Microsoft Windows 2000 and Windows Millennium Edition operating systems.
This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database:
Certutil.exe
Certificates snap-in
Microsoft Office Outlook
..
To export private keys by using Certutil.exe
1. Open a Command Prompt window.
2. Type the Certutil.exe -exportpfx command using the command-line options described in the following table.
Certutil.exe [-p <Password>] -exportpfx <CertificateId> <OutputFileName>
Why the Web server and not the CA: the CA holds an issued certificate's private key only if key archival was configured for the template at issuance, so the key has to be exported where it lives, and Get-PfxCertificate (A, B) only reads an existing .pfx file; it exports nothing. The export works only if the key was generated as exportable; if it was not, the remaining routes are key archival at the CA or reissuing the certificate.
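The Web server side of the procedure, added as an example (it is not from the TechNet topic): locate the site certificate, check that its key is exportable, export it with certutil, confirm the PFX and restrict who can read it. It assumes a certificate with subject CN=www.contoso.com in the machine store and an output folder C:\Keys.

```powershell
# Added example (not from the exam text). Run on the Web server.
# Assumptions: certificate subject CN=www.contoso.com, output folder C:\Keys.
$dnsName = 'www.contoso.com'
$out     = 'C:\Keys\www.contoso.com.pfx'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$dnsName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with a private key for $dnsName in LocalMachine\My" }

# A key created without 'mark as exportable' never leaves this machine; certutil
# fails on it, and the only recovery paths are CA key archival (if it was on at
# issuance) or reissuing the certificate. PrivateKey is $null for CNG keys;
# inspect those with: certutil -store My <thumbprint>
$csp = $cert.PrivateKey
if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
    throw "private key of $($cert.Thumbprint) is not exportable"
}

$pfxPassword = Read-Host 'PFX password'
New-Item -ItemType Directory -Path (Split-Path $out) -Force | Out-Null
certutil -p $pfxPassword -exportPFX My $cert.Thumbprint $out
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Verify the PFX carries the expected certificate, then restrict who can read
# the file: it is now equivalent to the server's identity.
$hash = certutil -p $pfxPassword -dump $out | Select-String 'Cert Hash\(sha1\)'
"exported: $hash"
icacls $out /inheritance:r /grant:r 'BUILTIN\Administrators:F' | Out-Null
```

Move the .pfx off the Web server into whatever escrow the organization uses and delete the local copy; a recoverable key sitting next to the live one only widens the blast radius of a server compromise.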
QUESTION 43
Your company has a main office and a branch office.
The network contains a single Active Directory domain.
The main office contains a domain controller named DC1.
You need to install a domain controller in the branch office by using an offline copy of the Active Directory database.
What should you do first?
A. From the Ntdsutil tool, create an IFM media set.
B. From the command prompt, run djoin.exe /loadfile.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the get-ADDomainController cmdlet.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspx
Installing an Additional Domain Controller by Using IFM
When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.
Two practical constraints: the media must be younger than the tombstone lifetime or dcpromo rejects it, and a full IFM set is a complete copy of ntds.dit, password hashes included, so it needs the same handling as a domain controller's disk. On Windows Server 2008 R2, dcpromo consumes media created by ntdsutil ifm, not a raw system state backup (C); djoin.exe (B) joins member computers, and Get-ADDomainController (D) only reads.
QUESTION 44
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All
client computers run Windows 7.
You install Windows Server 2008 R2 on a server named Server1.
You need to perform an offline domain join of Server1.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade one domain controller to Windows Server 2008 R2.
E. Raise the functional level of the domain to Windows Server 2008.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.
Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.
3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
Only the provisioning computer and the computer being joined need Windows 7 or Windows Server 2008 R2; the domain controllers and the domain functional level can stay as they are (djoin.exe has a /downlevel switch for provisioning against domain controllers older than Windows Server 2008 R2), which is why D and E are unnecessary. netdom.exe (B) needs a live connection to a domain controller, which Server1 does not have.
QUESTION 45
You have an Active Directory snapshot.
You need to view the contents of the organizational units (OUs) in the snapshot.
Which tools should you run?
A. explorer.exe, netdom.exe, and dsa.msc
B. ntdsutil.exe, dsamain.exe, and dsa.msc
C. wbadmin.msc, dsamain.exe, and netdom.exe
D. wbadmin.msc, ntdsutil.exe, and explorer.exe
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Ntdsutil creates and mounts the snapshot (snapshot, then mount), dsamain.exe exposes the mounted ntds.dit as a standalone LDAP server on a port of your choice, and Active Directory Users and Computers (dsa.msc) can then be pointed at that port (Change Domain Controller, entering server:port) to browse the OUs. Explorer only shows the mounted files, netdom manages trusts and memberships, and wbadmin.msc is the Windows Server Backup console; none of them can read the contents of a snapshot.
QUESTION 46
Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:
dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit - ldapport 389 -allowNonAdminAccess
The command fails.
You need to ensure that the command completes successfully.
How should you modify the command?
A. Include the path to Dsamain.
B. Change the value of the -dbpath parameter.
C. Change the value of the -ldapport parameter.
D. Remove the -allowNonAdminAccess parameter.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), page 690: Use the AD DS database mounting tool to load the snapshot as an LDAP server.
dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport portnumber
Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS. Also note that you can use the minus (-) sign or the slash (/) for the options in the command.
The command in the question fails because port 389 is the LDAP port the live AD DS instance on the domain controller already listens on (as are 636, 3268 and 3269); dsamain needs a port that is free. The -dbpath value is the mounted snapshot's own path (B), dsamain is on the system path of every Windows Server 2008 R2 domain controller (A), and -allowNonAdminAccess is optional (D): it only widens who may bind to the mounted database, which holds every password hash in the domain, so leave it out unless non-administrators genuinely need the data.
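The full round trip for Questions 45 and 46, added as an example that is not from the training kit: take a snapshot, mount it, serve it with dsamain on a port AD DS does not own, list the OUs in it, and tear it down. It assumes the domain DC=contoso,DC=com, port 50000 free, and a snapshot of a single volume (C:).

```powershell
# Added example (not from the exam text): snapshot, mount, dsamain, query, tear
# down. Assumptions: domain DC=contoso,DC=com, port 50000 free, snapshot of one
# volume so the line after the snapshot set in "list all" is that volume.
$port = 50000
$nc   = 'DC=contoso,DC=com'

# 1. Create a snapshot; ntdsutil prints the new snapshot set's GUID.
$created = ntdsutil snapshot "activate instance ntds" create quit quit
$setGuid = ([regex]'\{[0-9a-fA-F-]{36}\}').Match(($created -join ' ')).Value

# "list all" prints "n: <date> {setGuid}" followed by "n: C: {volumeGuid}";
# the volume GUID is what mount/unmount take.
$list    = ntdsutil snapshot "list all" quit quit
$i       = [array]::IndexOf($list, ($list -match [regex]::Escape($setGuid))[0])
$volGuid = ([regex]'\{[0-9a-fA-F-]{36}\}').Match($list[$i + 1]).Value
ntdsutil snapshot "list all" "mount $volGuid" quit quit

$snap = Get-ChildItem 'C:\' -Filter '$SNAP_*' | Where-Object { $_.PSIsContainer } |
    Sort-Object Name -Descending | Select-Object -First 1
$dit  = Join-Path $snap.FullName 'Windows\NTDS\ntds.dit'

# 2. Serve the database on a free high port. 389 belongs to the live AD DS on
#    this DC (the Question 46 failure). No -allowNonAdminAccess: the snapshot
#    holds every password hash and that switch lets non-admins bind to it.
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $port" -PassThru
Start-Sleep -Seconds 10

# 3. Browse it: dsa.msc -> Change Domain Controller -> localhost:50000, or via
#    LDAP from script. The directory is read-only, so nothing here can
#    accidentally write into the snapshot.
$root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$port/$nc")
$search = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=organizationalUnit)')
$search.PageSize = 500
$search.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# 4. Tear down: stop dsamain, then unmount (the $SNAP_ folder disappears).
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount $volGuid" quit quit
```

Delete snapshots you no longer need with ntdsutil snapshot "delete <GUID>": each one is a full, mountable copy of the directory that sits outside the database's own access controls.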
QUESTION 47
Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file
server role installed. You need to move the Active Directory database on DC1 to an alternate location.The solution must minimize impact on the network during the
database move.
What should you do first?
A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop the Active Directory Domain Services service on DC1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc794895%28v=ws.10%29.aspx
Relocating the Active Directory Database Files
Applies To: Windows Server 2008, Windows Server 2008 R2
Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running versions of Windows 2000 Server and Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service.
DC1 also serves DHCP and files. Stopping only the AD DS service leaves those roles running for the duration of the move, whereas Safe Mode, DSRM or Windows PE (A, B, C) take the whole server off the network.
QUESTION 48
Your company has a main office and a branch office.
The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is
configured as a global catalog server, a DHCP server, and a file server.
You remove the global catalog from DC5.
You need to reduce the size of the Active Directory database on DC5.
The solution must minimize the impact on all users in the branch office.
What should you do first?
A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop the Active Directory Domain Services service.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://allcomputers.us/windows_server/windows-server-2008-r2---manage-the-active-directory- database-%28part-2%29---defragment-the-directory-database--audit-active-directory- service.aspx
Windows Server 2008 R2: Manage the Active Directory Database (part 2) - Defragment the Directory Database & Audit Active Directory Service
3. Defragment the Directory Database
A directory database gets fragmented as you add, change, and delete objects in your database. Like any file-system-based storage, as the directory database is changed and updated, fragments of disk space build up, so it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directory performs an online defragmentation of the directory database every 12 hours with the garbage collection process, an automated directory database cleanup, and IT pros should be familiar with it. However, online defragmentation does not decrease the size of the NTDS.DIT database file. Instead, it shuffles the data around for easier access. Depending on how much fragmentation you actually have in the database, running an offline defragmentation, which does decrease the size of the database, could have a significant effect on the overall size of your NTDS.DIT database file.
There is a little problem associated with defragmenting databases. They have to be taken offline in order to have the fragments removed and the database resized. In Windows Server 2008 R2, there is a great feature that allows you to take the database offline without shutting down the server. It's called Restartable Active Directory, and it could not be much easier to stop and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service.
1. Start the Services tool from the Control Panel.
2. Right-click Active Directory Domain Services, and select Stop.
Figure 4. You can use the Services tool to stop and restart Active Directory.
That's it! Now when you stop Active Directory Domain Services, any other dependent services will also be stopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network. The really cool thing about Restartable AD is that while the directory service and its dependent services are stopped, other services on the local machine are not. So, perhaps you have a shared printer running on your DC. Print services still run, and print operations do not stop. Nice!
3.1. Offline Directory Defragmentation
Now that you have stopped Active Directory services, it is time to get down to the business of offline defragmentation of the directory database:
1. Back up the database.
2. Open a command prompt, and type NTDSUTIL.
3. Type ACTIVATE INSTANCE NTDS.
4. Type FILES, and press Enter.
5. Type INFO, and press Enter. This will tell you the current location of the directory database, its size, and the size of the associated log files. Write all this down.
6. Make a folder location that has enough drive space for the directory to be stored.
7. Type COMPACT TO DRIVE:\DIRECTORY, and press Enter. The drive and directory are the location you set up in step 6. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\database defrag".
A new defragmented and compacted NTDS.DIT is created in the folder you specified.
8. Type QUIT, and press Enter.
9. Type QUIT again, and press Enter to return to the command prompt.
10. If defragmentation succeeds without errors, follow the NTDSUTIL prompts.
11. Delete all log files by typing DEL x:\pathtologfiles\*.log where x is the drive letter of your drive.
12. Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 5.
13. Close the command prompt.
14. Open the Services tool, and start Active Directory Domain Services.
Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size of your database depending on how long it has been since your last offline defrag. The hard thing about offline defrag is that every network is different, so making recommendations about how often to use the offline defrag process is somewhat spurious. I recommend you get to know your directory database. Monitor its size and growth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and you will find yourself using offline defragmentation on a frequency that works well for your network and your directory database. One of the cool things about offline defragmentation is that if you should happen to have an error occur during the defragmentation process, you still have your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues.
Why D: removing the global catalog from DC5 frees space inside NTDS.DIT only after an offline defragmentation, and stopping the AD DS service leaves the DHCP and file services the branch office depends on running, which Safe Mode or DSRM (A, B) would not. The Protected Storage service (C) has nothing to do with the database.
QUESTION 49
Your network contains a domain controller that runs Windows Server 2008 R2.
You need to change the location of the Active Directory log files.
Which tool should you use?
A. Dsamain
B. Dsmgmt
C. Dsmove
D. Ntdsutil
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://support.microsoft.com/kb/257420
How To Move the Ntds.dit File or Log Files
Moving a Database or Log File
1. Restart the domain controller.
2. Press F8 at the Startup menu, and then click Directory Services Restore Mode.
3. Select the appropriate installation if more than one exists, and then log on as an administrator at the logon prompt.
4. Start a command prompt, and then type ntdsutil.exe. NOTE: To get a list of commands that you can use at the Ntdsutil prompt, type ?
5. At the Ntdsutil prompt, type files.
6. At the File Maintenance prompt, use one or both of the following procedures:
* To move a database, type move db to %s, where %s is the drive and folder where you want the database moved.
* To move log files, type move logs to %s, where %s is the drive and folder where you want the log files moved.
7. To view the log files or database, type info. To verify the integrity of the database at its new location, type integrity.
8. Type quit, and then type quit to return to a command prompt.
9. Restart the computer in Normal mode.
NOTE: When you move the database and log files, you must back up the domain controller.
This article describes the Windows 2000 and Windows Server 2003 procedure. On Windows Server 2008 R2 the reboot into DSRM (steps 1 to 3 and 9) is replaced by stopping the Active Directory Domain Services service, as in Question 47; the ntdsutil files commands are the same. Dsamain mounts snapshots, Dsmgmt manages AD LDS instances and RODC settings, and Dsmove moves objects within the directory; none of them relocates the database or log files.
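Questions 47 to 49 are one procedure on Windows Server 2008 R2, shown below as an added example (not from the references quoted above): stop AD DS instead of rebooting into DSRM, move the log files, compact the database, verify it, and start everything again. It assumes a new log folder D:\NTDSLogs, a scratch folder D:\NTDSCompact, and a backup target E:.

```powershell
# Added example (not from the references quoted for Questions 47-49).
# Assumptions: new log folder D:\NTDSLogs, scratch folder D:\NTDSCompact,
# backup target E:. Run elevated on the domain controller.
$logTarget  = 'D:\NTDSLogs'
$compactDir = 'D:\NTDSCompact'
New-Item -ItemType Directory -Path $logTarget, $compactDir -Force | Out-Null

# 1. Backup first; every ntdsutil files operation assumes you can roll back.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. Stopping NTDS takes KDC, DNS, NetLogon, FRS/DFS-R and ISM down with it but
#    leaves DHCP, file sharing and everything else running: the "minimize
#    impact" part of Questions 47 and 48. Remember what we stop.
$dependents = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force

# 3. Relocate the logs (Question 49); ntdsutil updates the registry path itself.
ntdsutil "activate instance ntds" files "move logs to $logTarget" quit quit

# 4. Offline defragmentation into a new file (Question 48), then swap it in.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntds.'DSA Database file'
$logDir = $ntds.'Database log files path'
"before: {0:N0} MB" -f ((Get-Item $dbFile).Length / 1MB)
Copy-Item $dbFile ($dbFile + '.bak')                     # keep the original until integrity passes
Copy-Item (Join-Path $compactDir 'ntds.dit') $dbFile -Force
Remove-Item (Join-Path $logDir '*.log')                  # old logs do not match the new file
"after:  {0:N0} MB" -f ((Get-Item $dbFile).Length / 1MB)

# 5. Integrity check on the new file; on errors, copy the .bak back and start.
ntdsutil "activate instance ntds" files integrity quit quit

# 6. Restart AD DS and whatever it took down.
Start-Service NTDS
$dependents | ForEach-Object { Start-Service $_.Name }
Get-Service NTDS, KDC, DNS, NetLogon -ErrorAction SilentlyContinue | Format-Table Name, Status -AutoSize
```

Only delete the .bak copy after AD DS has started and replication to a partner has been confirmed with repadmin /showrepl; until then it is the fastest way back if the compacted file turns out to be bad.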
QUESTION 50
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.
You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network.
You need to ensure that the new server is already joined to the domain when it first connects to the internal network.
What should you do?
A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.
B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.
C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.
D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join (quoted in full in the explanation for Question 44)
Reference 2:
http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx
Steps for performing an offline domain join
The offline domain join process includes the following steps:
1. Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join.
2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer.
3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify.
Sysprep (A, B) generalizes an installation for imaging and joins nothing. The order in D is reversed: provisioning needs a domain-joined computer that can reach a domain controller, and the request step runs on the new, still-offline server.
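Both halves of the offline domain join, added as an example and not taken from the guide; it covers the Question 44 scenario too, where the domain controllers run Windows Server 2008 and provisioning therefore uses /downlevel. It assumes the domain contoso.com, a target named Server1, an OU named Servers, and that the blob is carried to the new server on removable media as D:\Server1.txt:

```powershell
# Added example (not from the exam text): offline domain join, both sides.
# Assumptions: domain contoso.com, target Server1, OU "Servers", blob written to
# C:\odj\Server1.txt and carried to the new server as D:\Server1.txt.

# ---- Step 1, on a domain-joined Windows 7 / 2008 R2 computer, as a user with
#      permission to create computer objects in the target OU ----
New-Item -ItemType Directory -Path C:\odj -Force | Out-Null
# /downlevel is for the Question 44 case (DCs on Windows Server 2008); drop it
# when a Windows Server 2008 R2 DC is reachable.
djoin /provision /domain contoso.com /machine Server1 `
      /machineou "OU=Servers,DC=contoso,DC=com" `
      /savefile C:\odj\Server1.txt /downlevel
if ($LASTEXITCODE -ne 0) { throw "provisioning failed: exit code $LASTEXITCODE" }

# The blob is base64 over the machine account's initial password and domain
# details; anyone who can read it can impersonate Server1. Restrict it now.
icacls C:\odj\Server1.txt /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null

# The computer object exists before Server1 has ever touched the network.
Import-Module ActiveDirectory
Get-ADComputer -Identity Server1 -Properties whenCreated | Select-Object Name, DistinguishedName, whenCreated

# ---- Step 2, on Server1 while still offline, from an elevated prompt ----
djoin /requestodj /loadfile D:\Server1.txt /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "requestodj failed: exit code $LASTEXITCODE" }
Remove-Item D:\Server1.txt -Force      # the secret has been consumed; do not leave it lying around
Restart-Computer                       # joined on first boot; GPOs apply once a DC is reachable

# ---- Once Server1 reaches the network: confirm the secure channel ----
# nltest /sc_verify:contoso.com
```

Treat a provisioned-but-never-joined account like any other stale credential: if the blob is lost or the deployment is cancelled, delete the computer object rather than leaving a pre-created account with a known password in the directory.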
QUESTION 51
Your network contains an Active Directory domain. The domain contains four domain controllers.
You modify the Active Directory schema.
You need to verify that all the domain controllers received the schema modification.
Which command should you run?
A. dcdiag.exe /a
B. netdom.exe query fsmo
C. repadmin.exe /showrepl *
D. sc.exe query ntds
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
Getting Over Replmon
Status Checking
Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool. Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:
Repadmin /replsummary *
Several DCs have been taken offline. Repadmin shows the correct error of 58 that the other DCs are not available and cannot tell you their status.
You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:
Repadmin /showrepl *
Why C: repadmin /showrepl * reports, for every domain controller, the inbound replication status of each naming context, the schema partition included, so a change that has not arrived shows up as a failure or a stale last-success time; for one specific object, repadmin /showobjmeta on each DC shows its replication metadata. dcdiag /a (A) runs the diagnostic tests against every DC in the site, netdom query fsmo (B) lists the operations master role holders, and sc query ntds (D) only reports whether the service is running.
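A script that answers the question directly, added as an example (not from the blog post quoted above): it asks each DC for the new schema object and then reads the schema partition's replication status from repadmin's CSV output. It assumes the schema change added an attribute named contoso-BadgeId.

```powershell
# Added example (not from the exam text): confirm a schema change on every DC.
# Assumption: the change added an attribute named contoso-BadgeId.
Import-Module ActiveDirectory
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$target   = "CN=contoso-BadgeId,$schemaNc"

# 1. Ask each DC directly for the new schema object. The schema partition is
#    forest-wide, so the same DN is valid on every DC that answers.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $o = Get-ADObject -Identity $target -Server $dc -Properties whenChanged -ErrorAction Stop
        "{0,-24} present   whenChanged={1}" -f $dc, $o.whenChanged
    } catch {
        "{0,-24} MISSING   ({1})" -f $dc, $_.Exception.Message
    }
}

# 2. Replication status for the schema partition only, parsed from repadmin's
#    CSV output. A non-zero failure count or a stale "Last Success Time" is the
#    explanation for any MISSING above. (Comparing uSNChanged across DCs tells
#    you nothing: USNs are local counters, not a replicated attribute.)
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Naming Context' -like 'CN=Schema,*' } |
    Select-Object 'Destination DSA', 'Source DSA', 'Number of Failures', 'Last Success Time' |
    Format-Table -AutoSize

# 3. A DC that has the object but does not use it yet needs its schema cache
#    refreshed (normally automatic within five minutes of replication).
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()
```

Run step 1 before and after a repadmin /syncall if a DC reports MISSING: a transient "present after sync" result points at scheduling or a site link, a persistent one at a replication failure worth reading in the CSV.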
QUESTION 52
You remotely monitor several domain controllers.
You run winrm.exe quickconfig on each domain controller.
You need to create a WMI script query to retrieve information from the bios of each domain controller.
Which format should you use to write the query?
A. XrML
B. XML
C. WQL
D. HTML
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606%28v=vs.85%29.aspx
WQL (SQL for WMI)
The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL), with minor semantic changes.
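A WQL query for the BIOS, run on each domain controller over the WinRM listeners that winrm quickconfig created, added here as an example and not part of the exam text. It assumes domain controllers named DC1 to DC3 and a caller who is an administrator on them:

```powershell
# Added example (not from the exam text): a WQL query against Win32_BIOS on
# every DC over WinRM. Assumptions: DCs named DC1..DC3, caller is an admin.
$dcs = 'DC1', 'DC2', 'DC3'

# WQL is SELECT-only: no joins, no ORDER BY, but WHERE with the usual operators.
$wql = "SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber FROM Win32_BIOS"

$bios = Invoke-Command -ComputerName $dcs -ArgumentList $wql -ScriptBlock {
    param($query)
    $b = Get-WmiObject -Query $query
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Vendor   = $b.Manufacturer
        Version  = $b.SMBIOSBIOSVersion
        # WMI dates are DMTF strings (yyyymmddHHMMSS.ffffff+UUU); convert once.
        Released = $b.ConvertToDateTime($b.ReleaseDate)
        Serial   = $b.SerialNumber
    }
}
$bios | Sort-Object Computer | Format-Table Computer, Vendor, Version, Released -AutoSize

# The same query straight from the WS-Management client, typed at cmd.exe, with
# the dialect URI telling the WMI plug-in that the filter is WQL:
#   winrm enumerate wmi/root/cimv2/* -r:DC1 -filter:"SELECT * FROM Win32_BIOS" -dialect:http://schemas.microsoft.com/wbem/wsman/1/WQL

# Act on the result: flag firmware older than a cutoff date.
$bios | Where-Object { $_.Released -lt (Get-Date '2010-01-01') } |
    ForEach-Object { "{0}: BIOS {1} from {2:d} predates the cutoff" -f $_.Computer, $_.Version, $_.Released }
```

Invoke-Command runs the query under the caller's credentials on each DC in parallel and returns deserialized objects, so the ConvertToDateTime call has to happen inside the script block where the live WMI object still exists.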
QUESTION 53
Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.
You add a logoff script to an existing Group Policy object (GPO).
You need to verify that each domain controller successfully replicates the updated group policy. Which two objects should you verify on each domain controller?
(Each correct answer presents part of the solution. Choose two.)
A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini
B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol
C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc784268%28v=ws.10%29.aspx
How Core Group Policy Works
...
The Gpt.ini File
The Gpt.ini file is located at the root of each Group Policy template. Each Gpt.ini file contains GPO version information. Except for the Gpt.ini files created for the default GPOs, a display name value is also written to the file.
Each Gpt.ini file contains the GPO version number of the Group Policy template.
[General]
Version=65539
Normally, this is identical to the version-number property of the corresponding GroupPolicyContainer object. It is encoded in the same way, as a decimal representation of a 4 byte hexadecimal number, the upper two bytes of which contain the GPO user settings version and the lower two bytes contain the computer settings version. In this example the version is equal to 10003 hexadecimal, giving a user settings version of 1 and a computer settings version of 3.
Storing this version number in the Gpt.ini allows the CSEs to check if the client is out of date to the last processing of policy settings or if the currently applied policy settings (cached policies) are up-to-date. If the cached version is different from the version in the Group Policy template or Group Policy container, then policy settings will be reprocessed.
Why A and D: a GPO lives in two places that replicate by different mechanisms, the Group Policy container in AD (versionNumber, carried by AD replication) and the Group Policy template in SYSVOL (gpt.ini, carried by FRS or DFS-R), so both have to be checked on each DC. uSNChanged (C) is a per-DC local counter that differs on every domain controller by design, and registry.pol (B) only changes when registry-based settings change; a logoff script is recorded in scripts.ini under the User\Scripts folder.
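The check itself, added as an example (not from the TechNet topic): read versionNumber from each DC's copy of the container and Version= from each DC's gpt.ini, decode both into their user and computer halves, and report whether they agree. It assumes the edited GPO is named "Logoff Script Policy".

```powershell
# Added example (not from the exam text): compare the GPO version in AD
# (versionNumber on the Group Policy container) with the one in SYSVOL
# (Version= in gpt.ini) on every DC. Assumption: GPO named "Logoff Script Policy".
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domain = Get-ADDomain
$gpo    = Get-GPO -Name 'Logoff Script Policy'
$gpcDn  = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"

function Split-GpoVersion([int64]$v) {
    # 4-byte value: upper 16 bits = user settings version, lower 16 = computer.
    # 65539 = 0x00010003 -> user 1, computer 3 (the worked example above).
    $u = $v -band 0xFFFFFFFF          # versionNumber is stored as a signed int in AD
    New-Object PSObject -Property @{
        User     = [int][math]::Floor($u / 65536)
        Computer = [int]($u -band 0xFFFF)
    }
}

Get-ADDomainController -Filter * | ForEach-Object {
    $dc    = $_.HostName
    $adVer = (Get-ADObject -Identity $gpcDn -Server $dc -Properties versionNumber).versionNumber
    $ini   = Get-Content "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}\gpt.ini"
    $svVer = [int64](($ini -match '^Version=')[0] -replace '^Version=', '')
    $a = Split-GpoVersion $adVer
    $s = Split-GpoVersion $svVer
    New-Object PSObject -Property @{
        DC = $dc
        AD_User = $a.User; AD_Computer = $a.Computer
        SYSVOL_User = $s.User; SYSVOL_Computer = $s.Computer
        # AD replication and FRS/DFS-R are independent, so either half can lag.
        InSync = ($adVer -eq $svVer)
    }
} | Format-Table DC, AD_User, AD_Computer, SYSVOL_User, SYSVOL_Computer, InSync -AutoSize
```

Editing a logoff script bumps only the user half of the version, so after the change every DC should show the same, incremented AD_User and SYSVOL_User values while AD_Computer and SYSVOL_Computer stay where they were.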
QUESTION 54
Your network contains an Active Directory domain that contains five domain controllers.
You have a management computer that runs Windows 7.
From the Windows 7 computer, you need to view all account logon failures that occur in the domain.
The information must be consolidated on one list.
Which command should you run on each domain controller?
A. Wecutil.exe qc
B. Wevtutil.exe gli
C. Winrm.exe quickconfig
D. Winrshost.exe
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote- managementtroubleshooting.aspx
WinRM (Windows Remote Management) Troubleshooting
What is WinRM?
New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM & WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service.
WinRM is the server component of this remote management application and WinRS (Windows Remote Shell) is the client for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, I should note that BOTH computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system.
..
How to install WinRM
The WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on the same computer, you may see messages that indicate WinRM cannot be loaded before Internet Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered.
(Stated simply: WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008)
· The WinRM service starts automatically on Windows Server 2008.
· On Windows Vista, the service must be started manually.
How to configure WinRM
To set the default configuration type:
winrm quickconfig (or the abbreviated version, winrm qc)
winrm qc performs the following operations:
1. Starts the WinRM service and sets the service startup type to auto-start.
2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.
3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS. (Note: Winrm quickconfig also configures Winrs default settings)
Why C: with event forwarding, the source computers (here the domain controllers) need WinRM listeners, which winrm quickconfig sets up. wecutil qc (A) configures the collector, which is the Windows 7 computer that will hold the consolidated list, not each DC; wevtutil gli (B) only prints a log's status; and winrshost.exe (D) is the host process WinRM spawns for remote shells, not something you run by hand.
QUESTION 55
You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains five domain controllers.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
Correct Answer: A
Explanation:
A domain created at the Windows Server 2008 R2 functional level replicates SYSVOL, and therefore the Group Policy template files, with DFS Replication (DFS-R) from the start, so Dfsrdiag is the tool (for example dfsrdiag backlog or dfsrdiag replicationstate against the Domain System Volume replication group). Ntfrsutl only reports on the File Replication Service (FRS), which is not in use here. Note that a domain built at the 2003 level and later raised to 2008 keeps FRS for SYSVOL until a dfsrmig migration has been completed.
QUESTION 56
You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run
Windows Server 2008 R2.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
Correct Answer: D
Explanation:
At the Windows Server 2003 domain functional level SYSVOL is replicated by the File Replication Service (FRS), whatever operating system the domain controllers run, so Ntfrsutl is the tool (for example ntfrsutl sets, ntfrsutl ds or ntfrsutl inlog). Dfsrdiag shows nothing about SYSVOL here because DFS-R does not replicate it until the domain is at the 2008 level and dfsrmig has been run.
QUESTION 57
You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine the size of the Active Directory database on Server1.
What should you do?
A. Run the Active Directory Sizer tool.
B. Run the Active Directory Diagnostics data collector set.
C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.
D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.
Correct Answer: C
Explanation:
The on-disk size of Ntds.dit is the size of the database; keep in mind that it does not shrink when objects are deleted (tombstoned space is reused internally) until an offline defragmentation is performed.
Reference:
http://technet.microsoft.com/en-us/library/cc961761.aspx
Directory Data Store
Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separate locations on a given domain controller:
%SystemRoot%\NTDS\Ntds.dit This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
%SystemRoot%\System32\Ntds.dit This file is the distribution copy of the default directory that is used when you promote a Windows 2000 based computer to a domain controller. The availability of this file allows you to run the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000 Server operating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers.
QUESTION 58
You need to receive an e-mail message whenever a domain user account is locked out.
Which tool should you use?
A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard
Correct Answer: B
Explanation:
The lockout itself is recorded as Security event ID 4740 (A user account was locked out) on the domain controller that locked the account and on the PDC emulator, so the task is attached to that event on the PDC emulator, not on the user's workstation.
Reference:
MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011), page 525, Automatically Responding to Events
One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways:
Start A Program - Launches an application. Often, administrators write a script that carries out a series of tasks that they would otherwise need to perform manually, and automatically run that script when an event appears.
Send An E-mail - Sends an e-mail by using the Simple Mail Transfer Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device.
Display A Message - Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer.
To trigger a task when an event occurs, follow one of these three procedures:
Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process.
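The same "attach a task to the event" setup done from the command line, as an added example that is not part of the original page or the training kit. The alert script reads the 4740 event that triggered it and mails the locked account plus the computer the bad attempts came from. The SMTP relay, the sender and recipient addresses and the script path are assumptions.

```powershell
# Added example (not from the original page or the training kit): e-mail on each
# account lockout. Assumed (hypothetical): SMTP relay smtp.contoso.com, sender and
# recipient addresses, script path C:\Scripts\Send-LockoutAlert.ps1. Run on the
# PDC emulator, which records every 4740 in the domain.

$scriptPath = 'C:\Scripts\Send-LockoutAlert.ps1'
New-Item -ItemType Directory -Path (Split-Path -Path $scriptPath) -Force | Out-Null

# Single-quoted here-string: nothing is expanded now, the script keeps its own $variables.
@'
param(
    [string]$SmtpServer = 'smtp.contoso.com',
    [string]$From       = 'lockout-alert@contoso.com',
    [string]$To         = 'secops@contoso.com'
)
# The task fires on a 4740, so the newest 4740 is the one that triggered us.
$evt  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1
$xml  = [xml]$evt.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
# In 4740, TargetUserName is the locked account and TargetDomainName carries the
# "Caller Computer Name", i.e. where the failed attempts originated.
$body = @"
Account locked out
  User:         $($data['TargetUserName'])
  Source host:  $($data['TargetDomainName'])
  Locking DC:   $($evt.MachineName)  (account $($data['SubjectUserName']))
  Time:         $($evt.TimeCreated)
"@
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "Lockout: $($data['TargetUserName'])" -Body $body
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# Register the trigger once (elevated). Same result as "Attach Task To This Event",
# but reproducible. Runs as SYSTEM, which can read the Security log.
schtasks /Create /TN "Alert-AccountLockout" /RU SYSTEM /SC ONEVENT /EC Security `
    /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]" `
    /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $scriptPath" /F
```

Because the task runs as SYSTEM, the relay sees the DC's computer account; the SMTP server must accept mail from it (or the script needs explicit credentials). Keep the alert rate in mind: a password-spraying run can lock many accounts per minute and will generate one mail per event.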
QUESTION 59
Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7.
You need to forward the logon events of all the domain controllers in contoso.com to Computer1.
All new domain controllers must be dynamically added to the subscription.
What should you do?
A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU),
configure the Event Forwarding node.
B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU),
configure the Event Forwarding node.
C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the
Domain Controllers organizational unit (OU).
D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the
Domain Controllers organizational unit (OU).
Correct Answer: A
Explanation:
Reference:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx Setting up a Source Initiated Subscription
Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple
remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated
subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription.
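A complete source-initiated setup for this question and for Question 54 (the domain controllers as sources, the Windows 7 computer as collector, a GPO on the Domain Controllers OU so new DCs join automatically), as an added example that is not part of the original page or the MSDN reference. The collector name COMPUTER1.contoso.com, the GPO and subscription names, and the choice of event IDs for "logon failures" (4625 and 4771; 4776 fires on success as well, so it is left out) are assumptions.

```powershell
# Added example (not from the original page or its references): collect logon
# failures from every domain controller on a Windows 7 collector with a
# source-initiated subscription. Assumed (hypothetical): collector
# COMPUTER1.contoso.com, GPO 'DC-EventForwarding', subscription 'DC-LogonFailures'.

# --- 1. On each domain controller (the sources), once, elevated: ---
#   winrm quickconfig -q
#   The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default.
#   Grant it read (0x1) on the channel, appending to the SDDL shown by "wevtutil gl Security":
#   wevtutil sl Security /ca:"<existing channelAccess SDDL>(A;;0x1;;;NS)"

# --- 2. On COMPUTER1 (the collector): ---
wecutil qc /q    # starts the Windows Event Collector service, enables the ForwardedEvents log

$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-LogonFailures</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon failures from all domain controllers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- 4625: an account failed to log on; 4771: Kerberos pre-authentication failed -->
        <Select Path="Security">*[System[(EventID=4625 or EventID=4771)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only computers in Domain Controllers (DD) may push into this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\DC-LogonFailures.xml" -Value $subscriptionXml
wecutil cs "$env:TEMP\DC-LogonFailures.xml"

# --- 3. GPO on the Domain Controllers OU: every DC, present or future, polls the collector ---
Import-Module GroupPolicy
New-GPO -Name 'DC-EventForwarding' | Out-Null
New-GPLink -Name 'DC-EventForwarding' -Target 'OU=Domain Controllers,DC=contoso,DC=com' | Out-Null
# Same as Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > "Configure target Subscription Manager"
Set-GPRegistryValue -Name 'DC-EventForwarding' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' `
    -ValueName '1' -Type String `
    -Value 'Server=http://COMPUTER1.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null

# --- 4. Verify on the collector: each DC should show up as Active ---
wecutil gr DC-LogonFailures
```

HTTP here is still Kerberos-authenticated and encrypted at the SOAP level; the DCs authenticate with their computer accounts, and the SDDL on the subscription is what keeps a non-DC from injecting events into the consolidated log.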
QUESTION 60
Your network contains an Active Directory domain that has two sites. You need to identify whether logon scripts are replicated to all domain controllers.
Which folder should you verify?
A. GroupPolicy
B. NTDS
C. SoftwareDistribution
D. SYSVOL
Correct Answer: D
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc794837.aspx
SYSVOL is a collection of folders that contain a copy of the domain`s public files, including system policies, logon scripts, and important elements of Group Policy
objects (GPOs).
QUESTION 61
You install a standalone root certification authority (CA) on a server named Server1. You need to ensure that every computer in the forest has a copy of the root CA
certificate installed in the local computer's Trusted Root Certification Authorities store.
Which command should you run on Server1?
A. certreq.exe and specify the -accept parameter
B. certreq.exe and specify the -retrieve parameter
C. certutil.exe and specify the -dspublish parameter
D. certutil.exe and specify the -importcert parameter
Correct Answer: C
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc732443.aspx
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA)
configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
Syntax
Certutil <-parameter> [-parameter]
Parameter
-dsPublish
Publish a certificate or certificate revocation list (CRL) to Active Directory
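The publication end to end, with the check that the root actually lands in the machine stores, as an added example that is not part of the original page or the TechNet reference. A standalone root is normally kept offline and not domain-joined, so the export happens on Server1 and the -dspublish step runs from any domain-joined machine as Enterprise Admins (it writes to the Configuration partition); file names and the CA name are assumptions.

```powershell
# Added example (not from the original page): publish a standalone root CA
# certificate and CRL to Active Directory so every domain member trusts it.
# Assumed (hypothetical): CA name ContosoRootCA, export folder C:\Export.

# --- On Server1 (the standalone root) ---
certutil -ca.cert C:\Export\ContosoRootCA.cer        # the CA certificate
certutil -CRL                                        # issue a fresh CRL into CertEnroll
Copy-Item -Path "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" -Destination C:\Export\

# --- On a domain-joined machine, as Enterprise Admins ---
# RootCA: CN=Certification Authorities (trusted roots) and CN=AIA under CN=Public Key Services.
certutil -dspublish -f C:\Export\ContosoRootCA.cer RootCA
# The CRL goes to CN=CDP; without it domain clients cannot check revocation of the sub CA cert.
certutil -dspublish -f C:\Export\ContosoRootCA.crl

# --- Verify ---
# What AD now hands out as the enterprise root store:
certutil -enterprise -store Root
# After the next Group Policy refresh, each member has it in LocalMachine\Root:
gpupdate /force | Out-Null
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*ContosoRootCA*' } |
    Format-List Subject, Thumbprint, NotAfter
```

The AIA and CDP URLs baked into the root certificate should already point at LDAP or HTTP locations that the domain members can reach; -dspublish only places the objects in AD, it does not rewrite those extensions.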
QUESTION 62
Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA).
On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled.
You need to install an enterprise subordinate CA on the server.
What should you use to log on to the new server?
A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain
Correct Answer: D
Explanation:
Reference:
http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506-568ddb21d46b
In order to install an Enterprise CA you MUST have Enterprise Admins permissions, because the Configuration naming context is replicated between domain controllers in the forest (not only the current domain) and is writable for Enterprise Admins (Domain Admins permissions are insufficient).
QUESTION 63
You have an enterprise subordinate certification authority (CA).
You have a group named Group1.
You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.
What should you do?
A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.
Correct Answer: C
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc732590.aspx
Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL)
schedules. Revoking certificates is an activity of the Certificate Manager role.
QUESTION 64
You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to
use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.
What should you do?
A. Add a data recovery agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.
Correct Answer: B
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009), page 357
You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.
QUESTION 65
You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module.
You need to back up Active Directory Certificate Services on the CA.
Which command should you run?
A. certutil.exe backup
B. certutil.exe backupdb
C. certutil.exe backupkey
D. certutil.exe store
Correct Answer: B
Explanation:
Because a hardware security module (HSM) stores the private keys, certutil.exe -backup would fail: the private keys cannot be extracted from the module. The HSM vendor provides its own procedure for backing up the key material.
The given commands are:
certutil -backup
Backup set includes the certificate database, the CA certificate and the CA key pair
certutil -backupdb
Backup set only includes the certificate database
certutil -backupkey
Backup set only includes the CA certificate and the CA key pair
certutil -store
Dumps the certificate store on screen
Since we cannot extract the keys from the HSM we have to use -backupdb. Note that neither -backup nor -backupdb captures the CA's registry configuration, which has to be exported separately for a full restore.
Reference 1:
Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004), for the commands listed above.
Reference 2:
http://technet.microsoft.com/en-us/library/cc732443.aspx
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
Syntax
Certutil <-parameter> [-parameter]
Parameter
-backupdb
Backup the Active Directory Certificate Services database
Reference 3:
http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/
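A backup routine for exactly this CA (database via -backupdb, configuration via the registry, key material left to the HSM), as an added example that is not part of the original page or its references. The backup folder is an assumption; the registry path and certutil switches are the standard ones.

```powershell
# Added example (not from the original page or its references): back up an
# enterprise subordinate CA whose private key lives in an HSM.
# Assumed (hypothetical): backup root D:\CABackup. Run elevated on the CA.
$backupDir = Join-Path -Path 'D:\CABackup' -ChildPath (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Confirm where the key is: an HSM shows the vendor's CSP/KSP name, not a Microsoft provider.
certutil -getreg CA\CSP\Provider

# Database and transaction logs only. -backup would also try to export the key and fail.
certutil -backupdb $backupDir

# The CA configuration (CRL periods, CDP/AIA, policy modules, ...) is registry, not database.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
    "$backupDir\CertSvc-Configuration.reg" /y

# Templates published on this CA are AD objects, but record the list next to the backup.
certutil -catemplates > "$backupDir\catemplates.txt"
# The CA certificate itself is public; keep a copy so the chain can be rebuilt.
certutil -ca.cert "$backupDir\CA.cer"

Get-ChildItem -Path $backupDir -Recurse | Select-Object FullName, Length

# Restore sketch on the rebuilt CA, after the HSM key has been restored with the vendor's procedure:
#   certutil -restoredb $backupDir
#   reg import "$backupDir\CertSvc-Configuration.reg"
#   net start certsvc
```

Treat the backup folder as sensitive even without the private key: the database contains every issued certificate and, if key archival is on, the archived (KRA-encrypted) private keys of the subjects.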
QUESTION 66
You have Active Directory Certificate Services (AD CS) deployed.
You create a custom certificate template.
You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. In a Group Policy object (GPO), configure the autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.
Correct Answer: AD
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/dd379539.aspx
To automatically enroll client computers for certificates in a domain environment, you must:
Configure an autoenrollment policy for the domain.
(...)
In Configuration Model, select Enabled to enable autoenrollment.
Configure certificate templates for autoenrollment.
(...)
In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish
Configure an enterprise CA.
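Both halves of the answer done from PowerShell (the autoenrollment policy in a GPO, and Read, Enroll and Autoenroll on the template object in the Configuration partition), as an added example that is not part of the original page or the TechNet reference. The GPO name, the template CN and the choice of Domain Users (the answer's group; Authenticated Users is the other common choice) are assumptions; the two extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment rights.

```powershell
# Added example (not from the original page or its reference): enable
# autoenrollment for a custom template. Assumed (hypothetical): GPO
# 'PKI-Autoenrollment' linked at the domain root, template CN 'ContosoUserCustom'.
Import-Module GroupPolicy, ActiveDirectory

$gpoName      = 'PKI-Autoenrollment'
$templateName = 'ContosoUserCustom'   # the template's CN (no spaces), not its display name
$domainDn     = (Get-ADDomain).DistinguishedName

# --- 1. Autoenrollment policy. AEPolicy: bit 0 = enabled, bit 1 = renew expired /
#        update pending / remove revoked, bit 2 = update certificates that use templates.
#        7 = all three, which is what the GPMC check boxes set. HKCU is the user half.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $domainDn | Out-Null
}
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpoName `
        -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}

# --- 2. Template permissions: Read + Enroll + Autoenroll for Domain Users ---
$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$sid        = (Get-ADGroup -Identity 'Domain Users').SID
$enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$acl = Get-Acl -Path "AD:\$templateDn"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, 'Allow')))
foreach ($right in $enroll, $autoenroll) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, 'Allow', $right)))
}
Set-Acl -Path "AD:\$templateDn" -AclObject $acl

# --- 3. Check from a client: the template must be published on an enterprise CA
#        (certutil -catemplates on the CA), then trigger a pass instead of waiting.
certutil -pulse
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { ($_.Extensions | ForEach-Object { $_.Format($false) }) -match "Template=$templateName" } |
    Select-Object Subject, NotAfter, Thumbprint
```

Before giving a broad group Autoenroll on a custom template, check the template's Subject Name tab: a template that lets the requester supply the subject name and is enrollable by every domain user lets any user obtain a certificate for any identity, which is a well-known PKI misconfiguration.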
QUESTION 67
You have an enterprise subordinate certification authority (CA).
You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web
enrollment. You need to ensure that the certificate template is available on the Web enrollment pages.
What should you do?
A. Run certutil.exe pulse.
B. Run certutil.exe installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.
Correct Answer: C
Explanation:
Identical to F/Q33.
Reference 1:
http://technet.microsoft.com/en-us/library/cc732517.aspx
Certificate Web enrollment cannot be used with version 3 certificate templates.
Reference 2:
http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx The reason for this blog post is that one of our customers
called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template
based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web
page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.
QUESTION 68
You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled
for autoenrollment.
You increase the template key length to 2,048 bits.
You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template.
Which console should you use?
A. Active Directory Administrative Center
B. Certification Authority
C. Certificate Templates
D. Group Policy Management
Correct Answer: C
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771246.aspx
Re-Enroll All Certificate Holders
This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.
To re-enroll all certificate holders
1. Open the Certificate Templates snap-in.
2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.
QUESTION 69
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
The relevant servers in the domain are configured as shown below:
You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.
Correct Answer: D
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/dd759243.aspx
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
· A host computer as a domain member running Windows Server 2008 R2.
· An Active Directory forest with a Windows Server 2008 R2 schema.
· An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
QUESTION 70
You have a domain controller that runs the DHCP service.
You need to perform an offline defragmentation of the Active Directory database on the domain controller.
You must achieve this goal without affecting the availability of the DHCP service.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.
B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.
D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.
Correct Answer: C
Explanation:
We don't need to restart the server to defragment the AD database: restartable AD DS (Windows Server 2008 and later) lets us stop the NTDS service while the server, and with it the DHCP Server service, stays up. Directory Services Restore Mode would take the whole server, DHCP included, out of production. Ntdsutil performs the compaction; Disk Defragmenter works on the file system, not on the ESE database.
Reference:
http://technet.microsoft.com/en-us/library/cc794920.aspx
To perform offline defragmentation of the directory database
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control
dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER: net stop ntds
3. Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
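The whole cycle the TechNet steps start (stop NTDS, compact, swap the file in, integrity check, restart), with the DHCP check the question is about, as an added example that is not part of the original page or the TechNet reference. The compaction folder is an assumption; take a system state backup before running it.

```powershell
# Added example (not from the original page or its reference): offline
# defragmentation with restartable AD DS, leaving DHCP Server running.
# Assumed (hypothetical): D:\NTDSCompact has room for a second copy of ntds.dit.
$ntdsDir    = "$env:SystemRoot\NTDS"
$compactDir = 'D:\NTDSCompact'
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Remember which dependents (KDC, Netlogon, DNS, DFSR/NTFRS, ...) were running so they come back.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force          # what "net stop ntds" + Y does
Get-Service -Name DHCPServer            # still Running: DHCP Server is not a dependent of NTDS

# Compact into a new file; ntdsutil takes the whole menu dialogue as arguments.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

# Keep the original, put the compacted file in place, drop the old transaction logs.
Copy-Item -Path "$ntdsDir\ntds.dit" -Destination "$compactDir\ntds.dit.before" -Force
Copy-Item -Path "$compactDir\ntds.dit" -Destination "$ntdsDir\ntds.dit" -Force
Remove-Item -Path "$ntdsDir\*.log"

# Must print "Integrity check successful" before AD DS is started again.
ntdsutil "activate instance ntds" files integrity quit quit

Start-Service -Name NTDS
foreach ($svc in $dependents) { Start-Service -Name $svc.Name }

# Before and after, which is also the answer to "how big is the database":
Get-Item -Path "$compactDir\ntds.dit.before", "$ntdsDir\ntds.dit" |
    Select-Object FullName, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }
```

If the integrity check fails, copy ntds.dit.before back before starting NTDS; a database that fails the check will not mount and the DC becomes a restore job.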
QUESTION 71
Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com.
The forest trust is configured to use selective authentication.
Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.
Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned
to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.
You need to ensure that the G_Marketing members can access the folder from the network.
What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.
Correct Answer: C
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), pages 643-644
After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.
To assign this permission:
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate--that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
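The same permission granted from PowerShell, plus a query that lists who currently holds it on a server (useful when auditing a selective-authentication trust), as an added example that is not part of the original page or the training kit. Server1, G_Marketing and the two forest names come from the question; the GUID is the well-known Allowed-To-Authenticate extended right.

```powershell
# Added example (not from the original page or the training kit): grant
# "Allowed to Authenticate" on Server1's computer object to G_Marketing
# from the trusted forest nwtraders.com. Names are the question's; nothing else is assumed.
Import-Module ActiveDirectory

$computerDn = (Get-ADComputer -Identity 'Server1').DistinguishedName
# Resolve the foreign group to its SID through the trust (LSA lookup, no LDAP to nwtraders needed).
$groupSid = (New-Object System.Security.Principal.NTAccount('NWTRADERS', 'G_Marketing')).
    Translate([System.Security.Principal.SecurityIdentifier])
$allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate

$acl  = Get-Acl -Path "AD:\$computerDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$computerDn" -AclObject $acl

# Audit: who may authenticate to Server1 across the selective trust?
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

Selective authentication is only as tight as these ACEs: an Allowed to Authenticate entry granted to Authenticated Users of the trusted forest, or inherited from the OU, silently turns the trust back into forest-wide authentication for that server, so review it per computer, not only per trust.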
QUESTION 72
Your network contains an Active Directory forest.
You need to add a new user principal name (UPN) suffix to the forest.
Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Users and Computers
Correct Answer: B
Explanation:
Reference:
http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/ Demonstration adding a UPN Suffix
To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at
the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest.
QUESTION 73
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site 1 contains five domain controllers. Site2 contains
one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC. On a domain controller in Site1, you change the password for
User1. You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.
Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Correct Answer: C
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc742095.aspx
Repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain
controllers (RODCs).
Example:
The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all
RODCs that have the name prefix dest-rodc:
repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com
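The response to the scenario in order (see what else is cached on that RODC, reset on a writable DC, push only that account, then decide whether the RODC should keep caching it), as an added example that is not part of the original page or the TechNet reference. The RODC name, the source DC and User1's distinguished name are assumptions.

```powershell
# Added example (not from the original page or its reference): handle a
# compromised cached password on an RODC. Assumed (hypothetical): RODC01 in
# Site2, writable DC DC01 in Site1, User1's DN as below.
Import-Module ActiveDirectory
$rodc   = 'RODC01'
$srcDc  = 'DC01'
$userDn = 'CN=User1,OU=Users,DC=contoso,DC=com'

# 1. Scope: every account listed here was cached on the same RODC and is exposed
#    if the RODC (or its disk) was compromised, not only User1.
repadmin /prp view $rodc reveal

# 2. Reset on a writable DC; an RODC cannot change passwords itself.
Set-ADAccountPassword -Identity $userDn -Reset -Server $srcDc `
    -NewPassword (Read-Host -Prompt 'New password for User1' -AsSecureString)

# 3. Push only User1's new secrets over the slow WAN link, no full replication cycle.
repadmin /rodcpwdrepl $rodc $srcDc $userDn

# 4. Confirm the RODC now holds the new password ...
repadmin /prp view $rodc reveal | Select-String -Pattern 'User1'
# ... and decide whether it should cache this account at all. To stop it:
#   repadmin /prp delete RODC01 reveal "CN=User1,OU=Users,DC=contoso,DC=com"
#   or remove User1 from the Allowed RODC Password Replication Group.
```

If the RODC itself is suspected stolen rather than just the one credential, the right move is to delete its computer account, which offers to reset the passwords of every account it had cached, rather than to fix accounts one at a time.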
QUESTION 74
Your network contains an Active Directory domain named contoso.com. The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click
the Exhibit button.)
You need to update all service location (SRV) records for a domain controller in the domain.
What should you do?
A. Restart the Netlogon service.
B. Restart the DNS Client service.
C. Run sc.exe and specify the triggerinfo parameter.
D. Run ipconfig.exe and specify the /registerdns parameter.
Correct Answer: A
Explanation:
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010), page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers these resource records whenever a domain controller is restarted. You can also re-register a domain controller's SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
Re-registration can also be forced without a service restart with nltest /dsregdns. ipconfig /registerdns (option D) only refreshes the host A/AAAA records through the DNS Client, not the _ldap, _kerberos and related SRV records, which is why it is not the answer.
QUESTION 75
Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?
A. From the Default Domain Policy, modify the account lockout settings.
B. From the Default Domain Controller Policy, modify the account lockout settings.
C. From the properties of the user account, modify the Account options.
D. From the properties of the user account, modify the Session settings.
Correct Answer: C
Explanation:
Account lockout settings deal with logon security: how many times a wrong password can be entered before an account is locked out, or after how many minutes a locked-out user can try again.
To really restrict access to the User1 account it has to be disabled, by modifying the account options.
Reference:
http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx
Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retains the user's data. Disabling a user account also keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily.
QUESTION 76
Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You have a list that contains the mobile phone number of each user.
You need to add the mobile number of each user to Active Directory.
What should you do?
A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.
B. Create a file that contains the mobile phone numbers, and then run csvde.exe.
C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.
D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the users.
Correct Answer: A
Explanation:
Csvde can create and export objects but cannot modify existing ones, so it cannot add an attribute to 1,000 users that already exist. Ldifde supports changetype: modify records, which is what this task needs. Editing the CN=Users container (option C) changes the container, not the users, and the multi-select property sheet in Active Directory Users and Computers (option D) writes one value to every selected user, which is wrong for per-user phone numbers.
http://technet.microsoft.com/en-us/library/cc732101.aspx
Reference:
http://technet.microsoft.com/en-us/library/cc731033.aspx
Ldifde
Creates, modifies, and deletes directory objects.
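Building the LDIF change file from the phone list and applying it, as an added example that is not part of the original page or the TechNet reference. The input CSV, its columns and the output paths are assumptions; the LDIF record layout (dn, changetype: modify, replace, attribute, "-") is the standard one ldifde expects.

```powershell
# Added example (not from the original page or its reference): turn a list of
# mobile numbers into an LDIF modify file and import it with ldifde.
# Assumed (hypothetical): C:\Data\mobiles.csv with header "sAMAccountName,mobile".
Import-Module ActiveDirectory

$rows = Import-Csv -Path 'C:\Data\mobiles.csv'
$ldif = foreach ($r in $rows) {
    # Resolve the DN from the logon name; skip unknowns instead of guessing a DN.
    $u = Get-ADUser -LDAPFilter "(sAMAccountName=$($r.sAMAccountName))" -Properties mobile
    if (-not $u) { Write-Warning "No such user: $($r.sAMAccountName)"; continue }
    if ($u.mobile -eq $r.mobile) { continue }    # already correct, emit nothing
    # One modify record per user. "replace" (not "add") keeps re-runs idempotent and
    # overwrites a stale number instead of failing on a multi-value conflict.
    "dn: $($u.DistinguishedName)"
    'changetype: modify'
    'replace: mobile'
    "mobile: $($r.mobile)"
    '-'
    ''
}
# LDIF is ASCII; a value with non-ASCII characters would need base64 ("mobile:: ...").
Set-Content -Path 'C:\Data\mobiles.ldf' -Value $ldif -Encoding ASCII

# -i import, -f file, -k keep going on constraint/already-exists errors, -j log directory
ldifde -i -f C:\Data\mobiles.ldf -k -j C:\Data
Get-Content -Path 'C:\Data\ldif.err' -ErrorAction SilentlyContinue   # empty is what you want

# Spot check one of the imported users
Get-ADUser -Identity $rows[0].sAMAccountName -Properties mobile | Select-Object SamAccountName, mobile
```

Review the generated .ldf before importing: it is the complete list of what will change, which is the audit trail you want for a bulk edit that touches a thousand accounts.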
QUESTION 77
Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers
run Windows 7.
From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object
(GPO).
You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers.
You need to ensure that the audit policy is applied to all member servers and all client computers.
What should you do?
A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.
Correct Answer: C
Explanation:
Advanced audit policy settings cannot be applied through Group Policy to Windows Server 2008 (non-R2) computers; the Advanced Audit Policy Configuration node is honoured only by Windows 7 and Windows Server 2008 R2. To work around that, a computer startup script runs auditpol.exe on the Windows Server 2008 member servers and sets the subcategories directly. (The reference below says logon script; audit policy is a per-computer setting, so a startup script running as SYSTEM is the right vehicle.)
Reference1:
http://technet.microsoft.com/en-us/library/ff182311.aspx
Advanced Security Auditing FAQ
The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.
Note
In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
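One way to keep the Windows Server 2008 members on the same subcategory policy as the GPO-managed machines (export the effective policy from a 2008 R2 member with auditpol /backup, restore it at boot on the 2008 servers), as an added example that is not part of the original page or the TechNet FAQ. The GPO name and the NETLOGON share path are assumptions; the script is dropped into the GPO's SYSVOL startup folder and still has to be registered under Scripts (Startup) in GPMC.

```powershell
# Added example (not from the original page or its reference): deploy the
# advanced audit policy to Windows Server 2008 members with a startup script.
# Assumed (hypothetical): GPO 'Audit-WS2008-Members', share \\contoso.com\NETLOGON.
Import-Module GroupPolicy

# 1. On one Windows Server 2008 R2 member that already gets the GPO (elevated), export
#    the effective subcategory policy once:
#    auditpol /backup /file:\\contoso.com\NETLOGON\audit-baseline.csv

# 2. Startup script body: runs as SYSTEM at boot, which is what auditpol needs.
$startupScript = @'
@echo off
rem Windows Server 2008 (not R2) ignores the Advanced Audit Policy Configuration node,
rem so apply the exported subcategory policy with auditpol instead.
auditpol /restore /file:\\contoso.com\NETLOGON\audit-baseline.csv
rem Keep the legacy nine categories from overriding the subcategories
rem (same as "Audit: Force audit policy subcategory settings to override ...").
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f
auditpol /get /category:* > %SystemRoot%\Temp\auditpol-applied.txt
'@

# 3. Put the script into the GPO's startup scripts folder in SYSVOL, then register it in GPMC:
#    Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup.
$gpo  = Get-GPO -Name 'Audit-WS2008-Members'
$path = "\\contoso.com\SYSVOL\contoso.com\Policies\{$($gpo.Id)}\Machine\Scripts\Startup"
New-Item -ItemType Directory -Path $path -Force | Out-Null
Set-Content -Path "$path\Apply-AuditPolicy.cmd" -Value $startupScript -Encoding ASCII

# 4. After a reboot of a 2008 member server, confirm the subcategories took:
#    auditpol /get /category:"Account Logon"
#    auditpol /get /category:"Logon/Logoff"
```

Keep the baseline CSV read-only for everyone but administrators: whoever can edit it controls what the 2008 servers audit, which is exactly what an attacker with a foothold would want to turn off.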
QUESTION 78
Your network contains an Active Directory domain. The domain contains a group named Group1.
The minimum password length for the domain is set to six characters. You need to ensure that the passwords for all users in Group1 are at least 10 characters
long. All other users must be able to use passwords that are six characters long.
What should you do first?
A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
C. From the Default Domain Policy, modify the password policy.
D. From the Default Domain Controller Policy, modify the password policy.
Correct Answer: A
Explanation:
First create a Password Settings object (PSO) with New-ADFineGrainedPasswordPolicy, setting the minimum password length to 10. Then apply the PSO to Group1 with Add-ADFineGrainedPasswordPolicySubject. Changing the Default Domain Policy (C) would raise the minimum for every user, and PSOs require the Windows Server 2008 domain functional level.
Reference:
http://technet.microsoft.com/en-us/library/ee617238.aspx
New-ADFineGrainedPasswordPolicy
Creates a new Active Directory fine grained password policy.
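The two steps carried through, as an added example (not part of the exam dump). Group1 is the page's group; the PSO name, precedence, the other password settings, and the two test users are assumptions:

```powershell
# Added example, not from the original page: PSO that forces a 10-character minimum
# on Group1, then a check that it wins for a member and not for anyone else.
# Assumptions: PSO name/precedence/other settings, and the users alice (member) and bob.
Import-Module ActiveDirectory

# Fine-grained password policies need the Windows Server 2008 domain functional level.
$domain  = Get-ADDomain
$dfl2008 = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $dfl2008) {
    throw "PSOs need DFL Windows Server 2008 or later (current: $($domain.DomainMode))"
}

$psoName = 'Group1-MinLen10'
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 10 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
    -ReversibleEncryptionEnabled $false

# A PSO is linked to users or global security groups, never to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Group1'

function Get-EffectiveMinLength([string]$SamAccountName) {
    # Returns the PSO that applies (lowest precedence wins) or $null for the domain default.
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($rsop) { "$SamAccountName -> $($rsop.Name), MinPasswordLength=$($rsop.MinPasswordLength)" }
    else       { "$SamAccountName -> Default Domain Policy (no PSO applies)" }
}
Get-EffectiveMinLength 'alice'   # expected: Group1-MinLen10, MinPasswordLength=10
Get-EffectiveMinLength 'bob'     # expected: Default Domain Policy
```

The resultant-policy check matters more than it looks: if several PSOs apply to a user, only the one with the lowest Precedence value is used, and a PSO linked to a group does not apply to members of nested distribution groups, so verify with Get-ADUserResultantPasswordPolicy rather than assuming.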
QUESTION 79
Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008
R2. You need to minimize the amount of SYSVOL replication traffic on the network.
What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2
we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions.
The migration takes place on a domain controller holding the PDC Emulator role.
Reference 1:
http://technet.microsoft.com/en-us/library/cc794837.aspx
Using DFS Replication for replicating SYSVOL in Windows Server 2008
DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated.
Reference 2:
http://technet.microsoft.com/en-us/library/dd639809.aspx
Migrating to the Prepared State
The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to
Distributed File System (DFS Replication).
This migration phase includes running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.
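The migration driven end to end from the PDC emulator, as an added example (not part of the exam dump or the TechNet article). dfsrmig.exe and its global states are real; the poll interval and the match on the word "Succeeded" in the /getmigrationstate output are assumptions:

```powershell
# Added example, not from the original page: FRS-to-DFSR SYSVOL migration run from
# the PDC emulator, waiting for each global state to converge on all DCs.
# Assumptions: 60-second poll interval; "/getmigrationstate" reports "Succeeded" when done.
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$pdcHost = ($domain.PDCEmulator -split '\.')[0]
if ($env:COMPUTERNAME -ne $pdcHost) {
    throw "Run this on the PDC emulator ($($domain.PDCEmulator)); dfsrmig sets the global state there."
}
# DFSR for SYSVOL requires the Windows Server 2008 domain functional level.
$dfl2008 = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $dfl2008) { throw "Domain functional level is $($domain.DomainMode)" }

function Set-SysvolMigrationState([int]$State) {
    & dfsrmig.exe /setglobalstate $State | Out-Null
    do {
        Start-Sleep -Seconds 60
        $status = (& dfsrmig.exe /getmigrationstate) -join ' '
        Write-Host $status
    } until ($status -match 'Succeeded')
}

# Global states: 0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated.
# Prepared and Redirected can be rolled back by setting a lower state.
Set-SysvolMigrationState 1
Set-SysvolMigrationState 2

# Eliminated deletes the FRS replica set and cannot be undone: check that every DC
# serves SYSVOL from SYSVOL_DFSR (net share on each DC) before running this.
# Set-SysvolMigrationState 3
```

The state is written to Active Directory and picked up by each DC after replication, which is why the loop polls rather than assuming the /setglobalstate call has finished anything; a DC that is offline will hold the migration in the "waiting" state until it is back or its metadata is cleaned up.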
QUESTION 80
Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table.
All client computers run Windows 7.
You need to ensure that all client computers in the domain keep the same time as an external time server.
What should you do?
A. From DC1, run the time command.
B. From DC2, run the time command.
C. From DC1, run the w32tm.exe command.
D. From DC2, run the w32tm.exe command.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc816748.aspx
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain
The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master
operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest.
Reference 2:
http://technet.microsoft.com/en-us/library/cc773263.aspx
Windows Time Service Tools and Settings
Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception
to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually
configured to synchronize time with an external time source.
W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred
command line tool for configuring, monitoring, or troubleshooting the Windows Time service.
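The configuration the references describe, as an added example (not part of the exam dump): point the forest-root PDC emulator at external NTP servers and then check that domain members still follow the domain hierarchy. The peer list and the client host name are assumptions:

```powershell
# Added example, not from the original page: external time source on the forest-root
# PDC emulator plus a check of the time hierarchy. Assumptions: peer list, client name.
Import-Module ActiveDirectory
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$pdc = $rootDomain.PDCEmulator
Write-Host "Forest-root PDC emulator: $pdc"

# ",0x8" = client mode (request only); /reliable:yes makes the PDC advertise itself as a
# reliable time source so NT5DS clients and the other DCs chain to it.
$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'
& w32tm /config "/computer:$pdc" "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
& w32tm /resync "/computer:$pdc" /nowait

# Check: the PDC must report an NTP server as its source; everything else a DC (type NT5DS).
foreach ($computer in @($pdc, 'client01.contoso.com')) {
    $source = (& w32tm /query "/computer:$computer" /source) -join ''
    $type   = (& w32tm /query "/computer:$computer" /configuration) | Select-String 'Type:'
    "{0,-28} source={1}  {2}" -f $computer, $source, $type
}
```

Run it on the PDC emulator (or with /computer: against it, as shown) rather than on an arbitrary DC: a DC that is not the PDC emulator will keep syncing from the hierarchy unless you change its type, and clients only ever consult a DC. w32tm /monitor across the domain is the quick way to spot a member that has drifted.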
QUESTION 81
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as
shown in the following table.
All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range.
You need to minimize the number of client authentication requests sent to DC2.
What should you do?
A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1.
B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1.
C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1.
D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Creating a new site with a subnet object of 10.1.1.2/32 (mask 255.255.255.255) means that only one IP address, that of DC2, falls within Site1. All client requests are therefore serviced by DC1 in Default-First-Site-Name, and DC2 authenticates only itself. Note that the 10.1.2.x clients match no subnet object either; in practice you would also create a 10.1.2.0/24 subnet object attached to the site that holds DC1, so that the clients are site-aware instead of being handed any DC.
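The subnet and server moves from option C, with the client-side check, as an added example (not part of the exam dump). Site1 is assumed to exist already (created in Active Directory Sites and Services); DC2 and contoso.com are the page's names:

```powershell
# Added example, not from the original page: create the /32 subnet for DC2, move DC2
# into Site1, and confirm which site and DC a client locates.
# Assumption: Site1 has already been created in Active Directory Sites and Services.
Import-Module ActiveDirectory
$sitesDN = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$site1   = Get-ADObject -LDAPFilter '(&(objectClass=site)(cn=Site1))' -SearchBase $sitesDN
if (-not $site1) { throw 'Site1 does not exist yet; create it first.' }

# A subnet object is named after its prefix; siteObject is the link to the site.
New-ADObject -Name '10.1.1.2/32' -Type subnet -Path "CN=Subnets,$sitesDN" `
    -OtherAttributes @{ siteObject = $site1.DistinguishedName }

# Moving the server object is what changes the site DC2 registers in DNS.
Move-ADDirectoryServer -Identity 'DC2' -Site 'Site1'

# List every subnet with its site so a gap (such as the 10.1.2.0/24 client range) is obvious.
Get-ADObject -LDAPFilter '(objectClass=subnet)' -SearchBase "CN=Subnets,$sitesDN" -Properties siteObject |
    ForEach-Object { "{0,-18} -> {1}" -f $_.Name, (($_.siteObject -split ',')[0] -replace '^CN=') }

# Run on a client after its DC-locator cache expires (or with /force):
# dsgetsite prints the client's site, or an error when no subnet covers its address.
& nltest /dsgetsite
& nltest /dsgetdc:contoso.com /force
```

The subnet listing is the check worth keeping: a client whose address falls outside every subnet object is not site-aware, and the DC locator will then return any DC it finds, which is exactly the traffic the question is trying to stop.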
QUESTION 82
Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to configure AD RMS to use Kerberos authentication. Which two
actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/dd759186.aspx
If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server
running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
Set the Internet Information Services (IIS) useAppPoolCredentials variable to True.
Set the Service Principal Names (SPN) value for the AD RMS service account.
QUESTION 83
Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain
controller (RODC). You need to configure the RODC to store only the passwords of users in the remote site.
What should you do?
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc730883.aspx
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.
QUESTION 84
Your company has four offices. The network contains a single Active Directory domain. Each office has a domain controller. Each office has an organizational unit
(OU) that contains the user accounts for the users in that office. In each office, support technicians perform basic troubleshooting for the users in their respective
office.
You need to ensure that the support technicians can reset the passwords for the user accounts in their respective office only. The solution must prevent the
technicians from creating user accounts.
What should you do?
A. For each OU, run the Delegation of Control Wizard.
B. For the domain, run the Delegation of Control Wizard.
C. For each office, create an Active Directory group, and then modify the security settings for each group.
D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for each group.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc732524.aspx
To delegate control of an organizational unit
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative
Tools, and then double-click Active Directory Users and Computers.
2. To open Active Directory Users and Computers in Windows Server® 2012, click Start, type dsa.msc.
3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
Reference 2:
http://technet.microsoft.com/en-us/library/dd145442.aspx
Delegate the following common tasks
The following are common tasks that you can select to delegate control of them:
Reset user passwords and force password change at next logon
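What the wizard's "Reset user passwords and force password change at next logon" task actually writes to the OU, done with dsacls so it can be repeated for each office and audited, as an added example (not part of the exam dump). The OU and group names are assumptions:

```powershell
# Added example, not from the original page: delegate password reset for one office
# OU to that office's help-desk group, without any create/delete rights, and verify.
# Assumptions: the OU DN and the group name.
$ou    = 'OU=Paris,DC=contoso,DC=com'
$group = 'CONTOSO\Paris-Helpdesk'

# CA;Reset Password;user   = the "Reset Password" control access right on user objects
# RPWP;pwdLastSet;user     = read/write pwdLastSet, needed to set "must change at next logon"
# /I:S                     = inherit to child objects only; the OU itself gets no rights,
#                            and no CC (create child) or DC (delete child) is granted at all.
& dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
& dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

function Get-DelegatedAces([string]$ObjectDN, [string]$Principal) {
    # dsacls prints one ACE per block; return the lines that mention the principal.
    (& dsacls $ObjectDN) | Select-String -SimpleMatch $Principal -Context 0, 3
}
Get-DelegatedAces $ou $group

# Negative check: a help-desk group must never show up with CC/DC on the OU or on the domain.
(& dsacls 'DC=contoso,DC=com') | Select-String -SimpleMatch $group
```

dsacls is also the way to review what the wizard left behind: the wizard has no "undo", so the only reliable inventory of delegated rights is the ACL itself, and the negative check against the domain root catches the common mistake of running the wizard one level too high.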
QUESTION 85
Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts
for the client computers are located in an organizational unit (OU) named OU1.
You link a new Group Policy object (GPO) named GPO10 to OU1. You need to ensure that GPO10 is applied only to client computers that run Windows 7.
What should you do?
A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
B. Enable block inheritance on OU1.
C. Create a WMI filter and assign the filter to GPO10.
D. Modify the permissions of OU1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc947846.aspx
To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management
MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage
the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each
computer.
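The WQL such a filter carries, and the local test a technician runs to see whether a given machine would pass it, as an added example (not part of the exam dump). The filter itself is created in GPMC under WMI Filters and then selected on GPO10's Scope tab; the second computer name is an assumption:

```powershell
# Added example, not from the original page: WMI filter query for "Windows 7 clients
# only" and a test that evaluates it the way Group Policy does (non-empty result = apply).
# Version 6.1 covers Windows 7 and Server 2008 R2; ProductType 1 = workstation, which
# drops the servers. Windows XP reports 5.1, so it never matches.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'

function Test-GpoWmiFilter([string]$Query, [string]$Computer = '.') {
    $result = Get-WmiObject -Query $Query -ComputerName $Computer -Namespace 'root\cimv2'
    return [bool]$result
}

foreach ($c in '.', 'xpclient01') {     # second name is an assumption
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c
    "{0,-12} {1} ({2}) -> GPO10 applies: {3}" -f $c, $os.Caption, $os.Version, (Test-GpoWmiFilter $wql $c)
}

# On the client, a GPO dropped by the filter is listed under
# "The following GPOs were not applied" with "Filtering: Denied (WMI Filter)".
& gpresult /r /scope computer
```

Keep the query narrow: matching on Caption strings breaks with localized builds, while Version and ProductType are stable, and a filter that errors (bad namespace, typo in the class name) is treated as false, which silently stops the GPO for every machine.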
QUESTION 86
Your network contains an Active Directory domain named contoso.com. You need to audit changes to a service account. The solution must ensure that the audit
logs contain the before and after values of all the changes.
Which security policy setting should you configure?
A. Audit Sensitive Privilege Use
B. Audit User Account Management
C. Audit Directory Service Changes
D. Audit Other Account Management Events
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/dd772641.aspx
Audit Directory Service Changes
This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain
Services (AD DS).
Reference 2:
http://technet.microsoft.com/en-us/library/cc731607.aspx
AD DS Auditing Step-by-Step Guide
This guide includes a description of the new Active Directory® Domain Services (AD DS) auditing feature in Windows Server® 2008. With the new auditing feature,
you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte.
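The three pieces that have to be in place for the before/after values to appear, as an added example (not part of the exam dump or the TechNet guide): the subcategory on the domain controllers, a SACL on the service account (without one, nothing is logged no matter what the policy says), and reading the resulting events. The account's DN is an assumption:

```powershell
# Added example, not from the original page: audit changes to one service account
# with old/new values. Assumption: the account DN.
$dn = 'CN=svc-sql,OU=ServiceAccounts,DC=contoso,DC=com'

# 1. Subcategory on every DC (normally via the Default Domain Controllers Policy).
& auditpol /set '/subcategory:Directory Service Changes' /success:enable /failure:enable

# 2. SACL on the object: audit successful writes by anyone. Without a SACL the
#    subcategory produces nothing for this object.
Import-Module ActiveDirectory
$path     = "AD:\$dn"
$acl      = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone,
                [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner',
                [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Event 5136 ("A directory service object was modified") is logged once with
#    "Value Deleted" (old) and once with "Value Added" (new) for each attribute.
function Get-ObjectChangeEvents([string]$ObjectDN, [int]$Max = 50) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $Max |
        Where-Object { $_.Message -match [regex]::Escape($ObjectDN) } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Attribute = ($lines | Select-String 'LDAP Display Name:') -replace '.*:\s*'
                Operation = ($lines | Select-String 'Type:') -replace '.*:\s*'
                Value     = ($lines | Select-String '^\s*Value:') -replace '.*:\s*'
            }
        }
}
Get-ObjectChangeEvents $dn | Format-Table Time, Attribute, Operation, Value -AutoSize
```

Audit User Account Management (B) logs that the account was changed and by whom, but not the old and new attribute values; that is the distinction the question turns on, and the 5136 pair is where the before/after record lives. The SACL step is what most deployments forget, so include it in the same change as the policy.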
QUESTION 87
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in
each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.
What should you do?
A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
B. Create an external trust from nwtraders.com to contoso.com.
C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
D. Create an external trust from contoso.com to nwtraders.com.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/hh311036.aspx
Using AD RMS trust
It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information
between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user
domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates
(RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.
QUESTION 88
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0
standalone server.
You plan to add a new token-signing certificate to Server1.
You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)
When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.
You need to ensure that you can use the new certificate for AD FS.
What should you do?
A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/hh341466.aspx
When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal
certificate store on that federation server.
QUESTION 89
You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).
What should you do?
A. Run the repadmin.exe command and specify the /prp parameter.
B. From Active Directory Sites and Services, modify the properties of the RODC computer object.
C. From Active Directory Users and Computers, modify the properties of the RODC computer object.
D. Run the dsrm.exe command and specify the -u parameter.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx
Clearing the authenticated accounts list
In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up
this list may help you more easily determine the new accounts that have authenticated through the RODC.
Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure. To
clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all. Substitute the actual host name of the RODC that you want to clear.
For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.
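The Password Replication Policy work from Question 83 and the purge from Question 89 in one sequence, as an added example (not part of the exam dump). The RODC name, the remote-site group and the OU are assumptions; the cmdlets and repadmin /prp are real:

```powershell
# Added example, not from the original page: scope an RODC's cached secrets to the
# users of its own site, review what it has cached, then purge the authenticated list.
# Assumptions: RODC name RODC2, group RemoteSite-Users, OU RemoteSite.
Import-Module ActiveDirectory
$rodc = 'RODC2'

# Allowed list. The built-in "Allowed RODC Password Replication Group" applies to every
# RODC in the domain; a per-RODC entry limits what a stolen RODC2 can expose to RODC2's
# own users. Denied entries always win over Allowed ones.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'RemoteSite-Users'

function Get-RodcPrpReport([string]$Rodc) {
    New-Object PSObject -Property @{
        Allowed       = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | ForEach-Object { $_.Name })
        Denied        = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | ForEach-Object { $_.Name })
        # Secrets actually cached on the RODC (reset these if the RODC is ever lost).
        Revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts | ForEach-Object { $_.Name })
        # Authenticated through the RODC but not cached: candidates for the allowed list, or intruders.
        Authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts | ForEach-Object { $_.Name })
    }
}
$report = Get-RodcPrpReport $rodc
$report | Format-List

# Anything authenticated that is not in the remote-site OU deserves a look before the purge.
$siteUsers = Get-ADUser -Filter * -SearchBase 'OU=RemoteSite,DC=contoso,DC=com' | ForEach-Object { $_.Name }
$report.Authenticated | Where-Object { $siteUsers -notcontains $_ }

# Purge the authenticated-accounts ("auth2") list so new arrivals stand out next time.
& repadmin /prp delete $rodc auth2 /all
```

Review the Revealed list before you clear Authenticated: the purge does not remove cached secrets, it only resets the list of who has come through the RODC, so anyone whose password should no longer sit on the branch box has to be handled separately (remove from the allowed list, then reset the password).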
QUESTION 90
Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch
office site has a site link to the main office site.
You discover that the domain controllers in the branch offices sometimes replicate directly to each other.
You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office.
What should you do?
A. Modify the firewall settings for the main office site.
B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
C. Disable site link bridging.
D. Modify the security settings for the main office site.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc757117.aspx
Configuring site link bridges
By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of
intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to
describe every possible path between pairs of sites.
Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually
just for specific site links, in the following cases:
You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain
controller.
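The change and its verification, as an added example (not part of the exam dump or the TechNet page). "Bridge all site links" is a bit in the options attribute of the IP transport object; the site names in the output depend on your forest:

```powershell
# Added example, not from the original page: clear "Bridge all site links" on the IP
# transport, then list connection objects per site to confirm branches only pull
# from the hub. Assumption: the KCC has had time to run (15 minutes by default).
Import-Module ActiveDirectory
$sitesDN   = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$transport = "CN=IP,CN=Inter-Site Transports,$sitesDN"
$BRIDGES_REQUIRED = 0x2      # options bit; 0x1 would be "ignore schedules"

$ip      = Get-ADObject -Identity $transport -Properties options
$current = if ($ip.options) { [int]$ip.options } else { 0 }
if (($current -band $BRIDGES_REQUIRED) -eq 0) {
    Set-ADObject -Identity $transport -Replace @{ options = ($current -bor $BRIDGES_REQUIRED) }
    Write-Host 'Automatic site link bridging disabled on the IP transport.'
}

# With bridging off, two sites replicate only if an explicit site link (or a manually
# created siteLinkBridge) joins them. Hub-and-spoke needs no bridges: every branch
# already has its own link to the main office.
& repadmin /kcc      # run on the ISTG of each site, or wait for the next KCC pass

function Get-InboundConnectionsBySite {
    Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase $sitesDN -Properties fromServer |
        ForEach-Object {
            # Connection DN: CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            # fromServer DN: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            New-Object PSObject -Property @{
                ToSite   = ($_.DistinguishedName -split ',')[4] -replace '^CN='
                FromSite = ($_.fromServer -split ',')[3] -replace '^CN='
            }
        }
}
Get-InboundConnectionsBySite | Sort-Object ToSite | Format-Table ToSite, FromSite -AutoSize
```

After the KCC recomputes, every branch row should show the main office as FromSite and nothing branch-to-branch; if a branch pair still appears, look for a manually created connection object, which the KCC leaves alone.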
QUESTION 91
Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2 that run
Windows Server 2008 R2.
DC1 was installed before DC2.
DC1 fails.
You need to ensure that you can add 1,000 new user accounts to the domain.
What should you do?
A. Modify the permissions of the DC2 computer account.
B. Seize the schema master FSMO role.
C. Configure DC2 as a global catalog server.
D. Seize the RID master FSMO role.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), pages 536-537
RID master failure
A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, prevents you from creating new accounts for users, groups, or
computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often
go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master
role has been seized, the domain controller that had been performing the role cannot be brought back online.
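The seizure and the two things that must follow it, as an added example (not part of the exam dump or the training kit). DC1, DC2 and contoso.com are the page's names; the site name in DC1's server DN is an assumption:

```powershell
# Added example, not from the original page: seize the RID master onto DC2, confirm
# DC2 can hand out RID pools, and strip DC1's metadata so it can never come back.
# Assumption: DC1's server object sits in Default-First-Site-Name.
Import-Module ActiveDirectory

function Get-RidMaster { (Get-ADDomain).RIDMaster }
Write-Host "RID master before: $(Get-RidMaster)"     # still names the failed DC1

# -Force seizes; without it the cmdlet attempts a graceful transfer, which needs DC1 alive.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole RIDMaster -Force -Confirm:$false
Write-Host "RID master after:  $(Get-RidMaster)"

# Validate: DC2 must be able to request a fresh RID pool and the domain must agree on the holder.
& dcdiag /test:RidManager /v
& dcdiag /test:KnowsOfRoleHolders

# DC1 must never be powered on again as a DC: two RID masters would hand out overlapping
# SIDs. Remove its NTDS Settings and server object so the forest forgets it.
$dc1 = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'
& ntdsutil 'metadata cleanup' "remove selected server $dc1" quit quit
```

Seizing is also the moment to schedule the RID-pool check: dcdiag's RidManager test shows the next pool DC2 will allocate, and an unexpected gap there after a seizure is the sign that the old RID master had handed out pools that never replicated.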
QUESTION 92
Your network contains an Active Directory domain named contoso.com.
You need to identify whether the Active Directory Recycle Bin is enabled.
What should you do?
A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://www.frickelsoft.net/blog/?p=224
How can I check whether the AD Recycle-Bin is enabled in my R2 forest? [The post shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine whether the AD Recycle Bin is enabled.]
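The check, with the prerequisite test and the enable step it usually leads to, as an added example (not part of the exam dump or the blog post):

```powershell
# Added example, not from the original page: report whether the Recycle Bin optional
# feature is enabled, and enable it only when the forest functional level allows.
Import-Module ActiveDirectory
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until the feature has been enabled for the forest.
    return ($feature.EnabledScopes.Count -gt 0)
}

if (Test-ADRecycleBinEnabled) {
    "Enabled; scopes: $($feature.EnabledScopes -join ', ')"
} else {
    'Not enabled'
    $ffl2008r2 = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt $ffl2008r2) {
        "Cannot enable: forest functional level is $($forest.ForestMode)"
    } else {
        # Irreversible: once enabled, the feature cannot be turned off again.
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forest.Name -Confirm:$false
    }
}
```

Enabling changes what a deleted object looks like (it becomes a deleted object with all attributes for the deleted-object lifetime, then a recycled object), so restore procedures written for tombstone reanimation with ldp.exe stop applying once this returns true.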
QUESTION 93
Your network contains an Active Directory domain.
You create and mount an Active Directory snapshot.
You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can browse the contents of the Active Directory snapshot.
What should you do?
A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The path in the exhibit points to the running Active Directory database, not to the snapshot.
Reference:
http://technet.microsoft.com/en-us/library/cc772168.aspx
For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example:
/dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit
Topic 4, Volume D
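The full snapshot workflow, with dbpath resolved to the mounted copy rather than the live database, as an added example (not part of the exam dump or the TechNet page). It assumes the snapshot mounts under C:\, that the DIT sits at Windows\NTDS inside it, that port 10389 is free, and a user named alice to look up:

```powershell
# Added example, not from the original page: create and mount a snapshot, serve it
# with dsamain on a side port, query it, and clean up.
# Assumptions: mount point under C:\, DIT at Windows\NTDS, free port 10389, user alice.
Import-Module ActiveDirectory

# ntdsutil takes its interactive commands as arguments, quoted where they contain spaces.
& ntdsutil 'activate instance ntds' snapshot create quit quit
& ntdsutil 'activate instance ntds' snapshot 'list all' 'mount 1' quit quit   # 1 = index from the list

# /dbpath must point at the mounted copy, not at the live C:\Windows\NTDS\ntds.dit.
$mount = Get-ChildItem 'C:\' | Where-Object { $_.PSIsContainer -and $_.Name -like '$SNAP_*' } |
         Sort-Object Name | Select-Object -Last 1
$dit = Join-Path $mount.FullName 'Windows\NTDS\ntds.dit'

# The running DC owns 389/636, so the snapshot is served on another LDAP port.
Start-Process -FilePath dsamain.exe -ArgumentList "/dbpath `"$dit`" /ldapport 10389"
Start-Sleep -Seconds 10

# Browse it: the AD module, ldp.exe or ADUC can all be pointed at localhost:10389.
Get-ADObject -Server 'localhost:10389' -LDAPFilter '(sAMAccountName=alice)' -Properties memberOf |
    Select-Object DistinguishedName, memberOf

# Clean up. The mounted snapshot is a complete copy of the directory, password hashes
# included, so do not leave it mounted or copy it off the DC.
Get-Process dsamain -ErrorAction SilentlyContinue | Stop-Process
& ntdsutil 'activate instance ntds' snapshot 'list all' 'unmount 1' quit quit
```

The same dsamain command serves a system state backup's ntds.dit just as well, which is the usual way to compare "what did this group look like last Tuesday" without touching the live directory.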
QUESTION 94
Your network contains an Active Directory domain.
You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain.
What should you do?
A. From Group Policy Management Console (GPMC), back up the GPOs.
B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the Backup-GPO cmdlet.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.microsoft.com/en-us/download/details.aspx?id=22478
Planning and Deploying Group Policy (.doc)
Links to OUs, however, are not part of the backup data and will not be restored during a restore operation.
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c361339f-7266-4991-8309-c957a123a455/
Permissions are backed up but links are not. The links are actually properties of the OU and would be backed up as part of the system state. The backup function in GPMC only backs up the properties of selected GPOs (the settings inside the GPOs as well as Security Filters and all other things that belong directly to the GPO). It never backs up OU / Site links - these are not properties of the GPO itself, but of the respective OUs and Sites...
http://sdmsoftware.com/general-stuff/the-clash-of-the-gpo-links/
Group Policy links are stored within the gpLink attribute on an AD container (in the case of GP, the container is a site, domain or OU object).
http://technet.microsoft.com/de-de/library/cc756808%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc784474%28v=ws.10%29.aspx
Information saved in a backup
Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following information:
GPO globally unique identifier (GUID) and domain.
GPO settings.
Discretionary access control list (DACL) on the GPO.
WMI filter link, if there is one, but not the filter itself.
Links to IP Security Policies, if any.
XML report of the GPO settings, which can be viewed as HTML from within GPMC.
Date and time stamp of when the backup was taken.
User-supplied description of the backup.
Information not saved in a backup
Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is not available when the backup is restored to the original
GPO or imported into a new one. This data that becomes unavailable includes the following information:
Links to a site, domain, or organizational unit.
WMI filter.
IP Security policy.
Reference:
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d7c621fc-e0e9-47dd-a4df-9082b33132a6
To back up all of the Group Policy objects, the Group Policy permissions, and the Group Policy links for the domain, the answer is C.
For details:
System State data
http://technet.microsoft.com/en-us/library/cc785306(WS.10).aspx
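What a practitioner actually runs, as an added example (not part of the exam dump): the system state backup that the answer requires, plus a GPO backup and an export of the gPLink/gPOptions attributes from every container, so that a single GPO can be restored and re-linked without rolling the whole directory back. The backup paths are assumptions, and the Windows Server Backup command-line tools are assumed to be installed:

```powershell
# Added example, not from the original page: system state + GPO backup + link export.
# Assumptions: backup paths; Windows Server Backup command-line tools installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$backupRoot = Join-Path 'E:\GPOBackup' (Get-Date -Format 'yyyyMMdd')
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. GPO contents, DACLs and the WMI-filter link (but not links to OUs, sites or the domain).
Backup-GPO -All -Path $backupRoot | Select-Object DisplayName, Id, BackupDirectory

# 2. gPLink and gPOptions live on the container, not on the GPO: export them separately.
function Export-GpoLinks([string]$OutFile) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $containers  = @((Get-ADDomain).DistinguishedName)
    $containers += Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName }
    $containers += Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase "CN=Sites,$cfg" |
                   ForEach-Object { $_.DistinguishedName }
    $links = foreach ($dn in $containers) {
        $c = Get-ADObject -Identity $dn -Properties gPLink, gPOptions
        # gPLink is "[LDAP://cn={guid},cn=policies,...;<flags>][...]", gPOptions 1 = block inheritance
        New-Object PSObject -Property @{ Container = $dn; gPLink = $c.gPLink; gPOptions = $c.gPOptions }
    }
    $links | Export-Csv -Path $OutFile -NoTypeInformation
    return $links.Count
}
"Exported links for $(Export-GpoLinks (Join-Path $backupRoot 'gplinks.csv')) containers"

# 3. System state: NTDS, SYSVOL and registry. This is the copy that brings links back.
& wbadmin start systemstatebackup -backupTarget:E: -quiet
```

The CSV is not a restore mechanism, it is documentation: after a Restore-GPO the GPO keeps its GUID, so the original gPLink entries still resolve, but after an Import-GPO into a new GPO you re-create the links by hand with New-GPLink, and the export tells you where and in what order.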
QUESTION 95
Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on the
domain controller.
Which tool should you use?
A. Ntdsutil
B. Dsamain
C. Active Directory Users and Computers
D. Local Users and Groups
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://blogs.technet.com/b/meamcs/archive/2012/05/29/reset-the-dsrm-administrator-password.aspx
To Reset the DSRM Administrator Password
1. Click, Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
QUESTION 96
Your network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume enterprise certification authority (CA).
You need to minimize the amount of network bandwidth required to validate a certificate.
What should you do?
A. Configure an LDAP publishing point for the certificate revocation list (CRL).
B. Configure an Online Certification Status Protocol (OCSP) responder.
C. Modify the settings of the delta certificate revocation list (CRL).
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 779
Online responder
This service is designed to respond to specific certificate validation requests through the Online Certificate Status Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain a full CRL and can submit a validation request for a
specific certificate. The online responder decodes the validation request and determines whether the certificate is valid. When it determines the status of the
requested certificate, it sends back an encrypted response containing the information to the requester. Using online responders is much faster and more efficient
than using CRLs. AD CS includes online responders as a new feature in Windows Server 2008 R2.
QUESTION 97
Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group
Policy object named GPO1 to the domain as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs.
The solution must prevent GPO1 from being applied to users in the Dev OU.
What should you do?
A. Enforce GPO1.
B. Modify the security settings of the Dev OU.
C. Link GPO1 to the Finance OU.
D. Modify the security settings of the Finance OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The OUs marked with a blue exclamation mark in the console tree block inheritance, so GPO1, linked at the domain, is not applied to them. For the Dev OU that is the desired result, but not for the Finance OU, so GPO1 has to be linked directly to the Finance OU. Enforcing GPO1 (A) would override the block on Dev as well, which the requirement forbids.
Reference:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or
organizational units from being automatically inherited by the child-level.
If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree.
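The same check done without the console, as an added example (not part of the exam dump): report inheritance status and whether GPO1 reaches each of the five OUs, then add the direct link. The OU names are the page's; the domain is assumed to be the one the AD module is connected to:

```powershell
# Added example, not from the original page: show which OUs block inheritance and
# whether GPO1 reaches them, then link GPO1 directly where it is missing.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoReach([string]$GpoName, [string[]]$OuNames) {
    foreach ($name in $OuNames) {
        $ou  = Get-ADOrganizationalUnit -Filter "Name -eq '$name'"
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        # InheritedGpoLinks is the effective list: direct links plus whatever is inherited.
        $reached = [bool]($inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $GpoName })
        New-Object PSObject -Property @{
            OU       = $name
            Blocked  = $inh.GpoInheritanceBlocked
            Reached  = $reached
            DN       = $ou.DistinguishedName
        }
    }
}

$ous = 'Finance', 'HR', 'Marketing', 'Sales', 'Dev'
$before = Get-GpoReach 'GPO1' $ous
$before | Format-Table OU, Blocked, Reached -AutoSize

# A direct link is not affected by Block Inheritance; Enforce would also punch through Dev.
$finance = $before | Where-Object { $_.OU -eq 'Finance' }
if ($finance.Blocked -and -not $finance.Reached) {
    New-GPLink -Name 'GPO1' -Target $finance.DN -LinkEnabled Yes | Out-Null
}

Get-GpoReach 'GPO1' $ous | Format-Table OU, Blocked, Reached -AutoSize
# Expected after the link: Finance Reached=True, Dev Reached=False, the others unchanged.
```

Get-GPInheritance is worth a place in any GPO review script for the same reason the exhibit matters here: a blocked OU is invisible in gpresult on a client that never received the policy, so the only place the gap shows is the container itself.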
QUESTION 98
Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in
the domain.
You need to prevent the managed service accounts from being deleted accidentally from OU1.
Which cmdlet should you use?
A. Set-ADUser
B. Set-ADOrganizationalUnit
C. Set-ADServiceAccount
D. Set-ADObject
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
You can use Set-ADOrganizationalUnit and the -ProtectedFromAccidentalDeletion $true parameter to prevent OU1 from being deleted accidentally, but you would
still be able to delete the accounts inside it. Use Set-ADObject to protect the accounts.
Reference:
http://technet.microsoft.com/en-us/library/hh852326.aspx
Set-ADObject Modifies an Active Directory object.
Parameter
-ProtectedFromAccidentalDeletion <Boolean>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the
corresponding object without changing the value of the property. Possible values for this parameter include:
$false or 0
$true or 1
The following example shows how to set this parameter to true.
-ProtectedFromAccidentalDeletion $true
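Applied to every managed service account in OU1 and verified, as an added example (not part of the exam dump or the TechNet page). OU1's DN is an assumption:

```powershell
# Added example, not from the original page: protect each managed service account in
# OU1 from deletion and verify. Assumption: OU1's DN.
Import-Module ActiveDirectory
$ou        = 'OU=OU1,DC=contoso,DC=com'
$msaFilter = '(objectClass=msDS-ManagedServiceAccount)'

# Set-ADObject works for any object class; Set-ADOrganizationalUnit would only guard the OU.
Get-ADObject -LDAPFilter $msaFilter -SearchBase $ou | ForEach-Object {
    Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $true
}

# The flag is implemented as Deny Delete / Delete Subtree ACEs for Everyone on the object
# (and Deny Delete All Child Objects on the parent), which is why an admin must clear it
# explicitly before a delete succeeds.
function Get-UnprotectedMsa {
    Get-ADObject -LDAPFilter $msaFilter -SearchBase $ou -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}
$unprotected = @(Get-UnprotectedMsa)
if ($unprotected.Count -eq 0) { 'All managed service accounts in OU1 are protected.' }
else { $unprotected | Select-Object Name, DistinguishedName }

# Also guard the container, so OU1 cannot be dropped with the accounts inside it.
Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
```

Because the protection is just a pair of Deny ACEs, anyone with WriteDacl on the account can remove it; the flag stops mistakes, not a hostile administrator, and the Directory Service Changes auditing from Question 86 is what records who cleared it.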
QUESTION 99
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain
controller (RODC) named DC2.
All domain controllers run Windows Server 2008 R2.
You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the
installation of Active Directory Domain Services (AD DS) on DC3.
What should you do first?
A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We can run dcpromo.exe /adv on DC3 to install a new writable domain controller using the Install From Media (IFM) option. That way there is less replication traffic.
But before we can do that we have to create the installation media first. I suspect that's what they mean when they say "What should you do first?" So first we create
the installation media, then we use the installation media to install DC3.
Technet gives us instructions on how to create the installation media. It says:
"You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media
(IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently."
"You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media
only on a writeable domain controller."
Since DC2 in answer B is a read-only domain controller, that leaves us with answer D ("Run ntdsutil.exe on DC1").
Reference 1:
http://technet.microsoft.com/en-us/library/cc770654.aspx
[Used for the information above]
[Some extra info on using IFM to install the DC:]
Reference 2:
http://technet.microsoft.com/en-us/library/cc732887.aspx
dcpromo /adv
Performs an install from media (IFM) operation.
Reference 3:
http://technet.microsoft.com/en-us/library/cc816722.aspx
Installing an Additional Domain Controller by Using IFM
When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated
during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install
the additional domain controller.
QUESTION 100
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA).
You need to ensure that only members of a group named Admin1 can create certificate templates.
Which tool should you use to assign permissions to Admin1?
A. the Certification Authority console
B. Active Directory Users and Computers
C. the Certificates snap-in
D. Active Directory Sites and Services
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups.
The first reference lists what needs to be done, the second reference explains how to do it.
Reference 1:
http://technet.microsoft.com/en-us/library/cc725621.aspx
Delegating Template Management
You can delegate the ability to manage individual certificate templates or to create any certificate templates by defining appropriate permissions to global groups or
universal groups that a user belongs to.
There are three levels of delegation for certificate template administration:
Modify existing templates
Create new templates (by duplicating existing templates)
Full delegation (including modifying all existing templates and creating new ones)
Create New Templates
To delegate the ability to create certificate templates to users who are not members of the Domain Admins group in the forest root domain, or members of the
Enterprise Admins group, it is necessary to define the appropriate permissions in the Configuration naming context of AD DS.
To delegate the ability to duplicate and create new certificate templates, you must make the following permission assignments to a global or universal group of
which the user is a member:
Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public
Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
Grant Full Control permission to every certificate template in the following container:
CN=Certificate
Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not
inherited by the individual certificate templates.
Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,
CN=Services,CN=Configuration,DC=ForestRoot container.
Reference 2:
Windows Server 2008 - PKI and Certificate Security (Microsoft Press, 2008) page 298 Delegate Permissions for Creation of New Templates
You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key
Services,CN=Services,CN=Configuration,
ForestRootDomain container.
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites And Services console.
3. From the View menu, ensure that the Show Services Node setting is enabled.
4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.
5. In the console tree, right-click Certificate Templates, and then click Delegate Control.
6. In the Delegation Of Control wizard, click Next.
7. On the Users Or Groups page, click Add.
8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.
9. On the Users Or Groups page, click Next.
10.On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.
11.On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of
New Objects In This Folder, and then click Next.
12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.
13. On the Completing The Delegation Of Control wizard page, click Finish.
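The wizard steps in Reference 2 grant Full Control on the container and everything in it, which is more than Reference 1 asks for. The following is an added example, not part of the exam dump or of either reference, that applies exactly the three permission assignments Reference 1 lists using the Active Directory module's AD: drive. It assumes the AD module is available, that you are logged on as an Enterprise Admin, and that the group is Admin1 from the question; the helper name Grant-AdRight is made up for the example.

```powershell
# Added example: delegate certificate template creation per Reference 1
# (CreateChild on the two containers, Full Control on each existing template).
Import-Module ActiveDirectory

$group    = Get-ADGroup -Identity 'Admin1'                 # group from the question
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Hypothetical helper: add one Allow ACE to an object in the Configuration NC.
function Grant-AdRight {
    param(
        [string]$DistinguishedName,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList $Sid, $Rights, ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# 1. Create All Child Objects on the Certificate Templates container.
Grant-AdRight -DistinguishedName "CN=Certificate Templates,$pkiBase" -Sid $group.SID -Rights CreateChild

# 2. Full Control on every existing template. Reference 1 notes that the container's
#    permissions are not inherited by the templates, so each one gets its own ACE.
Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -SearchScope OneLevel `
             -Filter "objectClass -eq 'pKICertificateTemplate'" |
    ForEach-Object { Grant-AdRight -DistinguishedName $_.DistinguishedName -Sid $group.SID -Rights GenericAll }

# 3. Create All Child Objects on the OID container (a duplicated template registers its OID here).
Grant-AdRight -DistinguishedName "CN=OID,$pkiBase" -Sid $group.SID -Rights CreateChild

# Check: show what Admin1 now holds on the Certificate Templates container.
(Get-Acl -Path "AD:\CN=Certificate Templates,$pkiBase").Access |
    Where-Object { $_.IdentityReference -like '*\Admin1' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Templates created later by Admin1 members will be owned by the creator, so they can modify those without step 2; step 2 only covers templates that already exist when the delegation is made.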
QUESTION 101
Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit. (Click
the Exhibit button.)
You need to ensure that only domain members can register DNS records in the zone.
What should you do first?
A. Modify the zone type.
B. Create a trust anchor.
C. Modify the Advanced properties of the DNS server.
D. Modify the Dynamic updates setting.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that only domain members are allowed to register DNS records we have to:
1. modify the zone type to Active Directory-Integrated.
2. set the Dynamic updates option to Secure only, which is only available to Active Directory- Integrated zones.
Reference 1:
MCTS Windows Server ® 2008 Active Directory Configuration Study Guide (Sybex, 2008) page 53
Secure only--This means that only machines with accounts in Active Directory can register with DNS.
Before DNS registers any account in its database, it checks Active Directory to make sure that account is an authorized domain computer.
Reference 2:
http://technet.microsoft.com/en-us/library/ee649287.aspx
Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and
directory-integrate the zone before securing it for DNS dynamic updates.
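On Windows Server 2008 R2 the command-line tool for this is dnscmd (the DnsServer PowerShell module did not ship until Windows Server 2012). The following is an added example, not from the exam dump or from the references, that performs the two steps in order and then reads the zone's state back through the DNS WMI provider so you can confirm the setting actually took. The server name DC1 and zone name contoso.com are assumptions; the helper Get-ZoneUpdateState is made up for the example.

```powershell
# Added example: convert a zone to Active Directory-integrated, then allow secure
# dynamic updates only, and verify both settings via the MicrosoftDNS WMI provider.
$dnsServer = 'DC1'          # assumed DNS server / domain controller
$zone      = 'contoso.com'  # assumed zone name

# Hypothetical helper: DsIntegrated is a boolean; AllowUpdate is 0 = none,
# 1 = nonsecure and secure, 2 = secure only.
function Get-ZoneUpdateState {
    param([string]$Server, [string]$ZoneName)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
                  -Class 'MicrosoftDNS_Zone' -Filter "Name='$ZoneName'" |
        Select-Object Name, DsIntegrated, AllowUpdate
}

Write-Host 'Before:'
Get-ZoneUpdateState -Server $dnsServer -ZoneName $zone

# Step 1: change the zone type. A standard primary zone cannot be set to secure only,
# so this has to happen first (answer A).
& dnscmd $dnsServer /ZoneResetType $zone /DsPrimary

# Step 2: now restrict dynamic updates to secure only (value 2).
& dnscmd $dnsServer /Config $zone /AllowUpdate 2

$after = Get-ZoneUpdateState -Server $dnsServer -ZoneName $zone
if (-not $after.DsIntegrated -or $after.AllowUpdate -ne 2) {
    throw "Zone $zone is not AD-integrated with secure-only updates; check the dnscmd output above."
}
Write-Host 'After:'
$after
```

If the zone on this server is a secondary copy, /ZoneResetType /DsPrimary is run on the server that holds the primary copy, and the other domain controllers then receive the zone through AD replication rather than zone transfer.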
QUESTION 102
Your company has a single Active Directory forest with a single domain. Consultants in different departments of the company require access to different network
resources. The consultants belong to a global group named TempWorkers.
Three file servers are placed in a new organizational unit named SecureServers. The file servers contain confidential data in shared folders.
You need to prevent the consultants from accessing the confidential data.
What should you do?
A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.
Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers
global group.
C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full control permission for the TempWorkers global group on the
share.
D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.
Assign the Deny log on locally user right to the TempWorkers global group.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The "Deny access to this computer from the network" user right controls SMB and other network logons to the computer that applies the policy. Assigning it to TempWorkers in a GPO linked to the SecureServers OU (answer A) blocks the consultants from the three file servers only. Linking the same GPO to the domain (answer B) would deny them network access to every computer in the domain, including the computers they work from. "Deny log on locally" (answers D and E) does not affect access to shared folders over the network, and a new share on the root of each disk (answer C) does not change the permissions of the existing shares that hold the data.
QUESTION 103
Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functional level of both forests is Windows Server 2003.
Contoso.com contains one domain.
Nwtraders.com contains two domains.
You need to ensure that users in contoso.com can access the resources in all domains. The solution must require the minimum number of trusts.
Which type of trust should you create?
A. external
B. forest
C. realm
D. shortcut
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771397.aspx
When to create a forest trust
You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. Creating a forest trust between two root
domains with a forest functional level of Windows Server 2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in each
forest. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and
organizations seeking a solution for administrative autonomy.
QUESTION 104
You install an Active Directory domain in a test environment.
You need to reset the passwords of all the user accounts in the domain from a domain controller. Which two Windows PowerShell commands should you run?
(Each correct answer presents part of the solution, choose two.)
A. $newPassword = *
B. Import-Module ActiveDirectory
C. Import-Module WebAdministration
D. Get-ADUser -filter * | Set-ADAccountPossword -NewPassword $newPassword -Reset
E. Set-ADAccountPossword -NewPassword -Reset
F. $newPassword = (Read-Host -Prompt "New Password" -AsSecureString)
G. Import-Module ServerManager
Correct Answer: DF
Section: (none)
Explanation
Explanation/Reference:
Explanation:
First we create a variable, $newPassword, and prompt the user for the password to assign it to the variable.
Next we use Get-ADUser -filter * to collect all user accounts and pipe them to Set-ADAccountPassword, which assigns the value in $newPassword as the new password of every account.
Note that Set-ADAccountPossword in the answer text is a typo for Set-ADAccountPassword.
Reference 1:
http://technet.microsoft.com/en-us/library/ee176935.aspx
Prompting a User to Enter Information
The Read-Host cmdlet enables you to interactively prompt a user for information. For example, this command prompts the user to enter his or her name, then
stores that name in the variable $Name (to answer the prompt, type a name and then press ENTER):
$Name = Read-Host "Please enter your name"
Reference 2:
http://technet.microsoft.com/en-us/library/ee617241.aspx
Get-ADUser Gets one or more Active Directory users.
Reference 3:
http://technet.microsoft.com/en-us/library/ee617261.aspx
Set-ADAccountPassword Modifies the password of an Active Directory account.
Parameters
NewPassword
Specifies a new password value.
Reset
Specifies to reset the password on an account. When you use this parameter, you must set the NewPassword parameter. You do not need to specify the
OldPassword parameter.
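The two commands from the answer, as an added example that is not part of the exam dump, with the guard rails a practitioner would add before resetting every account in a domain: a dry run with -WhatIf, an exclusion list for the built-in accounts the domain depends on, and a check afterwards. The exclusion list is an assumption for the example; in the question's test environment you may choose to reset more or fewer accounts.

```powershell
# Added example: bulk password reset of domain user accounts with a dry run and a check.
Import-Module ActiveDirectory

# Prompt once. -AsSecureString keeps the plaintext out of the console history and transcripts.
$newPassword = Read-Host -Prompt 'New Password' -AsSecureString

# Assumed exclusion list (not from the question). Resetting krbtgt invalidates every
# Kerberos ticket in the domain, and Administrator is the break-glass account.
$skip = @('krbtgt', 'Administrator', 'Guest')

$targets = Get-ADUser -Filter * | Where-Object { $skip -notcontains $_.SamAccountName }
Write-Host ("{0} accounts selected, {1} skipped" -f $targets.Count, $skip.Count)

# Dry run: -WhatIf lists which accounts would be changed without touching them.
$targets | Set-ADAccountPassword -NewPassword $newPassword -Reset -WhatIf

# Real run. -Reset sets the new password without requiring the old one, so it works
# for every account; the domain password policy (length, complexity) still applies.
$started = Get-Date
foreach ($user in $targets) {
    Set-ADAccountPassword -Identity $user -NewPassword $newPassword -Reset
}

# Check: any selected account whose PasswordLastSet predates the run was not reset.
$stale = Get-ADUser -Filter * -Properties PasswordLastSet |
    Where-Object { $skip -notcontains $_.SamAccountName -and $_.PasswordLastSet -lt $started } |
    Select-Object SamAccountName, PasswordLastSet
if ($stale) { Write-Warning 'Accounts not reset:'; $stale } else { Write-Host 'All selected accounts reset.' }
```

Outside a test environment, every account now shares one password; add Set-ADUser -ChangePasswordAtLogon $true for the targets so that value is short-lived.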
QUESTION 105
Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the domains is Windows Server 2003. The functional level of
both forests is Windows 2000.
You need to create a forest trust between adatum.com and litwareinc.com.
What should you do first?
A. Create an external trust.
B. Raise the functional level of both forests.
C. Configure SID filtering.
D. Raise the functional level of all the domains.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771397.aspx
When to create a forest trust
You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher.
QUESTION 106
Your network contains an Active Directory forest named adatum.com. All client computers used by the marketing department are in an organizational unit (OU)
named Marketing Computers. All user accounts for the marketing department are in an OU named Marketing Users.
You purchase a new application.
You need to ensure that every user in the domain who logs on to a marketing department computer can use the application. The application must only be available
from the marketing department computers.
What should you do?
A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a shared folder on the network. Assign the application.
B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a shared folder on the network. Assign the
application.
C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a local drive on each marketing department
computer. Publish the application.
D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a folder on each marketing department computer.
Publish the application.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The software must only be available on the marketing department computers, so we must link the GPO to the Marketing Computers OU. Next we need to assign
the application to the Marketing Computers OU.
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 399
Assigning Software to Computers
When you assign software to computers, it is available to all authenticated users of the computer, regardless of their group membership or privileges. The software
package is installed when the computer is next restarted after the package has been assigned. For example, suppose that you have a design application that
should be available on all computers in the Engineering OU but not to computers elsewhere on your network. You would assign this application to computers in a
Group Policy object (GPO) linked to the Engineering OU.
QUESTION 107
Your network contains an Active Directory forest named adatum.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.
What should you install before you create the AD RMS root cluster?
A. The Failover Cluster feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771789.aspx
Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that
must be met:
(...)
In addition to pre-installation requirements for AD RMS, we strongly recommend the following:
Install the database server that is used to host the AD RMS databases on a separate computer.
(...)
QUESTION 108
Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains a domain controller named DC1.
You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record
is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You are able to successfully ping server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
Which command should you run?
A. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain
B. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport forest
C. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport 1
D. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Support for the GlobalNames zone must be enabled on the DNS server; otherwise the DNS Server service does not resolve single-label names in the zone, even though the zone and its CNAME record exist.
Reference:
http://technet.microsoft.com/en-us/library/cc772069.aspx
dnscmd /config Changes values in the registry for the DNS server and individual zones. Accepts server-level settings and zone-level settings.
Parameter
/enableglobalnamessupport {0|1}
Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of single-label DNS names across a forest.
0: Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Server service does not resolve single-label names in the GlobalNames zone.
1: Enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Server service resolves single-label names in the GlobalNames zone.
QUESTION 109
Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC)
named RODC1.
RODC1 runs Windows Server 2008 R2.
A user logs on to a computer in the branch office site.
You discover that the user's password is not stored on RODC1. You need to ensure that the user's password is stored on RODC1 when he logs on to a branch
office site computer.
What should you do?
A. Modify the RODC's password replication policy by removing the entry for the Allowed RODC Password Replication Group.
B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowed users, groups, and computers.
C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.
D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 416-417 Password Replication Policy
Password Replication Policy (PRP) determines which users' credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user's credentials,
authentication and service ticket activities of that user can be processed by the RODC. If a user's credentials cannot be cached on an RODC, authentication and
service ticket activities are referred by the RODC to a writable domain controller.
An RODC's PRP is determined by two multivalued attributes of the RODC's computer account. These attributes are commonly known as the Allowed List and the
Denied List. If a user's account is on the Allowed List, the user's credentials are cached. You can include groups on the Allowed List, in which case all users who
belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the user's credentials will not be
cached--the Denied List takes precedence.
Configuring Domain-Wide Password Replication Policy
To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group,
Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new
RODC will not cache any user's credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed
RODC Password Replication Group.
QUESTION 110
Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of
192.168.200.100.
You need to identify the zone that contains the Pointer (PTR) record for DC1.
Which zone should you identify?
A. adatum.com
B. _msdcs.adatum.com
C. 100.168.192.in-addr.arpa
D. 200.168.192.in-addr.arpa
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
DC1's address 192.168.200.100 is on the 192.168.200.0/24 network, so the network octets in reverse order give the zone 200.168.192.in-addr.arpa; the host octet (100) is the name of the PTR record inside that zone. Answer C reverses the wrong octets.
Reference 1:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57
Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server's
PTR (pointer) resource record.
Reference 2:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 45/730
You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses
should you use for the reverse lookup zone?
a. 5.168.192.in-addr.arpa
b. 0.5.168.192.in-addr.arpa
c. 192.168.5.in-addr.arpa
d. 192.168.5.0.in-addr.arpa
The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa.
Thus the correct address is 5.168.192.in-addr.arpa. You do not use the host portion of the IP address, so 0.5.168.192.in- addr.arpa is incorrect. The octets must be
specified in reverse sequence, so the other two choices are both incorrect.
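The rule in the quoted guide (reverse the network octets, append in-addr.arpa, name the PTR record by the host octets) can be written down as a function. The following is an added example, not from the exam dump or the cited guide, that generalizes the /24 case in the question to the classful /8, /16 and /24 reverse zones; the function name is made up for the example.

```powershell
# Added example: compute the in-addr.arpa zone and PTR record name for an IPv4 address.
function Get-ReverseLookupNames {
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [ValidateSet(8, 16, 24)][int]$PrefixLength = 24   # classful reverse zones only
    )
    $octets = $IPAddress.Split('.')
    if ($octets.Count -ne 4) { throw "Not an IPv4 dotted quad: $IPAddress" }

    $n = $PrefixLength / 8                   # leading octets that identify the network
    $zoneOctets = @($octets[0..($n - 1)])    # network part -> zone name
    $hostOctets = @($octets[$n..3])          # host part    -> PTR record name
    [array]::Reverse($zoneOctets)            # both parts are written least significant first
    [array]::Reverse($hostOctets)

    $zone   = ($zoneOctets -join '.') + '.in-addr.arpa'
    $record = $hostOctets -join '.'
    New-Object PSObject -Property @{ Zone = $zone; Record = $record; Fqdn = "$record.$zone" }
}

Get-ReverseLookupNames -IPAddress '192.168.200.100'                   # Zone 200.168.192.in-addr.arpa, Record 100
Get-ReverseLookupNames -IPAddress '192.168.200.100' -PrefixLength 16  # Zone 168.192.in-addr.arpa,     Record 100.200
Get-ReverseLookupNames -IPAddress '192.168.5.0'     -PrefixLength 24  # Zone 5.168.192.in-addr.arpa (the guide's quiz)

# Check against the live zone on the domain's DNS server (DC1 assumed):
#   nslookup -type=PTR 100.200.168.192.in-addr.arpa DC1
```

The Fqdn value is what a resolver actually queries; if it answers with dc1.adatum.com, the PTR record exists in the zone the function names.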
QUESTION 111
Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails.
You rebuild the DNS infrastructure.
You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.
Which service should you restart on the domain controllers?
A. Netlogon
B. DNS Server
C. Network Location Awareness
D. Network Store Interface Service
E. Online Responder Service
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers
registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller's SRV resource records by restarting this
service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of
SRV resource records.
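After a DNS rebuild there is more than one domain controller to re-register, and the point is to confirm the records are back. The following is an added example, not part of the exam dump or the cited guide, that restarts Netlogon on every DC in the domain and then checks the generic DC locator record against the list of DCs. It assumes the AD module and that the service control manager on each DC is reachable from the admin workstation.

```powershell
# Added example: re-register SRV records on all DCs and verify the _ldap._tcp.dc._msdcs record.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # Restarting Netlogon triggers registration of the DC's SRV records.
    # (nltest /dsregdns on the DC does the same without a service restart.)
    Get-Service -ComputerName $dc -Name Netlogon | Restart-Service
}

# Netlogon registers asynchronously; give it a moment before querying.
Start-Sleep -Seconds 15

# nslookup prints one "svr hostname = <fqdn>" line per SRV record.
$answer = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | ForEach-Object { "$_" }
$registered = $answer | Select-String -Pattern 'svr hostname\s*=\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

$missing = $dcs | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Warning ("No SRV record yet for: " + ($missing -join ', '))
} else {
    Write-Host "All $($dcs.Count) domain controllers are registered in $domain."
}
```

If a DC stays missing, check that the DNS server it points at hosts the _msdcs zone and allows dynamic updates from that DC; the Netlogon restart will have logged the failed registration in the DC's System log.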
QUESTION 112
Your network contains an Active Directory domain named adatum.com.
The password policy of the domain requires that the passwords for all user accounts be changed every 50 days.
You need to create several user accounts that will be used by services. The passwords for these accounts must be changed automatically every 50 days.
Which tool should you use to create the accounts?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Active Directory Module for Windows PowerShell
D. ADSI Edit
E. Active Directory Domains and Trusts
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed service accounts. Managed service accounts offer automatic password management, so nobody has to know or rotate the password by hand.
Reference 1:
http://technet.microsoft.com/en-us/library/dd367859.aspx
What are the benefits of new service accounts?
In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated
with managed service accounts:
(...)
Unlike with regular domain accounts in which administrators must reset passwords manually, the network passwords for these accounts will be reset automatically.
(...)
Reference 2:
http://technet.microsoft.com/en-us/library/dd391964.aspx
Use the Active Directory module for Windows PowerShell to create a managed service account.
Reference 3:
http://technet.microsoft.com/en-us/library/dd548356.aspx
To create a new managed service account
1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers
snap-in. Confirm that the Managed Service Account container exists.
2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.
3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].
Reference 4:
http://technet.microsoft.com/en-us/library/hh852236.aspx
Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval.
-ManagedPasswordIntervalInDays<Int32> Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on
object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.
The following example shows how to specify a 90 day password change interval:
-ManagedPasswordIntervalInDays 90
Note that this parameter applies to group managed service accounts, which require Windows Server 2012 or later. A standalone managed service account on Windows Server 2008 R2 has its password changed automatically by the host computer on the same schedule as computer account passwords (30 days by default); there is no per-account interval.
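The following is an added example, not part of the exam dump or of the references, showing the full 2008 R2 workflow for a standalone managed service account: create it, bind it to the one computer allowed to use it, install it on that host, and confirm the host can retrieve the password. The account name svc-app1, host Server1 and service name AppService are made up for the example.

```powershell
# Added example: standalone managed service account on Windows Server 2008 R2.
Import-Module ActiveDirectory

$msaName  = 'svc-app1'   # assumed account name
$hostName = 'Server1'    # assumed computer that will run the service

# 1. Create the account (lands in the Managed Service Accounts container by default).
New-ADServiceAccount -Name $msaName -Enabled $true -Description 'Application service account'

# 2. Bind it to the single computer permitted to use it; other hosts cannot retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. On the host: install the account locally and test that the host can obtain the password.
#    (Runs remotely here; the host needs the AD module from RSAT.)
Invoke-Command -ComputerName $hostName -ArgumentList $msaName -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $name
    Test-ADServiceAccount -Identity $name      # $true once the host can use the account
}

# 4. Configure the service with the account name followed by $ and an empty password;
#    the host fetches the current password itself (assumed service name AppService).
$domainNetbios = (Get-ADDomain).NetBIOSName
& sc.exe "\\$hostName" config AppService obj= "$domainNetbios\$msaName`$" password= ''

# Check: the password is rotated by the host, so PasswordLastSet advances on its own.
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet, HostComputers |
    Select-Object Name, PasswordLastSet, HostComputers
```

The rotation is driven by the host's machine-account schedule, so to audit it you compare PasswordLastSet over time rather than configure an interval on the account.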
QUESTION 113
Your network contains an Active Directory domain. The domain contains several domain controllers.
You need to modify the Password Replication Policy on a read-only domain controller (RODC).
Which tool should you use?
A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx
Administering the Password Replication Policy
This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain
controllers (RODCs). To configure the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers as a member of the Domain Admins group.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties.
4. Click the Password Replication Policy tab.
5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that
should be included in either the Allowed list or the Deny list, click Add.
To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.
To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.
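The same policy can be managed from the Active Directory module, which also lets you check what an RODC has actually cached, something the Properties dialog only shows on its Advanced tab. The following is an added example, not part of the exam dump or the referenced guidance, covering both Question 109 (getting one user's password cached on RODC1) and Question 113 (editing the PRP of a specific RODC). RODC1 comes from Question 109; the user jsmith, the group Branch1 Users and the hub DC name DC1 are made up.

```powershell
# Added example: view and change an RODC's Password Replication Policy and check caching.
Import-Module ActiveDirectory
$rodc = 'RODC1'

# The Allowed and Denied lists are the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup
# attributes of the RODC's computer account; the cmdlets read and write them for you.
Write-Host "Allowed:"; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Write-Host "Denied:";  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Q109, answer C: let every RODC in the domain cache this user by using the built-in group.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'jsmith'

# Q113: change only RODC1's own Allowed list, e.g. for a branch-specific group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1 Users'

# Caveat from the reference: Denied wins. Domain Admins and the other groups in the
# default Denied list are never cached, whatever you add to Allowed.

# The password is cached only after the user next authenticates through RODC1.
# To pre-populate it from the hub DC instead:
#   repadmin /rodcpwdrepl RODC1 DC1 "CN=jsmith,CN=Users,DC=contoso,DC=com"

# Check which accounts RODC1 currently holds credentials for.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

The -AuthenticatedAccounts switch on the last cmdlet lists accounts that have authenticated through RODC1 but are not cached; an account that keeps appearing there is a candidate for the Allowed list, or a sign that it is on the Denied list.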
QUESTION 114
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is
Windows Server 2003. The functional level of the domain is Windows Server 2008.
From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).
What should you do first?
A. Raise the functional level of the forest
B. Modify the tombstone lifetime of the forest.
C. Restore the system state.
D. Raise the functional level of the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Active Directory Recycle Bin cannot be used here: it requires a forest functional level of Windows Server 2008 R2 and only protects objects deleted after it was enabled, so raising the functional level now (answers A and D) would not bring the OU back. The OU has to come from a backup, which means a system state restore first (answer C), followed by marking the OU authoritative with ntdsutil, see the reference below.
Reference:
Windows Server 2008 R2 Unleashed (SAMS, 2010) pages 1292 and 1297
Active Directory Recycle Bin Recovery
Let's begin this section with a very clear statement: If you need to recover a deleted Active Directory object and the Active Directory Recycle Bin was not enabled
before the object was deleted, skip this section and proceed to the Active Directory Authoritative Restore section.
Active Directory Authoritative Restore
When Active Directory has been modified and needs to be restored to a previous state, and this rollback needs to be replicated to all domain controllers in the
domain and possibly the forest, an authoritative restore of Active Directory is required. An authoritative restore of Active Directory can include the entire Active
Directory database, a single object, or a container, such as an organizational unit including all objects previously stored within the container. To perform an
authoritative restore of Active Directory, perform the System State restore of a domain controller.
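The reference stops at "perform the System State restore"; the part that makes the restore authoritative is the ntdsutil step that follows, and it has to happen before the domain controller reboots normally. The following is an added example, not part of the exam dump or the cited book, with the full sequence for one OU on a 2008 R2 domain controller. The backup location \\Backup1\DC1, the OU OU=Sales,DC=adatum,DC=com, the version identifier and the second DC name DC2 are made up; the DC is assumed to have been restarted into Directory Services Restore Mode first.

```powershell
# Added example: authoritative restore of one OU (run on the DC while in DSRM).

# 1. List available system state backups and pick a version from before the deletion.
wbadmin get versions -backupTarget:\\Backup1\DC1 -machine:DC1

# 2. Non-authoritative restore of the system state from that version (identifier assumed).
#    If wbadmin offers to restart when it finishes, decline: a normal reboot now would let
#    the other DCs replicate the deletion straight back over the restored copy.
wbadmin start systemstaterecovery -version:01/15/2012-02:00 -backupTarget:\\Backup1\DC1 -machine:DC1

# 3. Mark the OU and everything under it authoritative. ntdsutil raises the version
#    numbers of those objects so the restored copies win when replication resumes.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Sales,DC=adatum,DC=com" quit quit

# 4. Reboot normally, then confirm the objects came back on another DC.
#    Restart-Computer
#    repadmin /showobjmeta DC2 "OU=Sales,DC=adatum,DC=com"
```

Step 3 also writes a text file and an LDIF file next to the database with the back-links (group memberships) of the restored objects; once replication has converged, import the LDIF with ldifde on each domain that holds groups containing those users, otherwise the restored accounts come back without their memberships.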
QUESTION 115
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to User objects.
You need to ensure that Attribute1 is included in the global catalog.
What should you do?
A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.
B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User objects.
C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx
Global Catalog Partial Attribute Set
The attributes that are replicated to the global catalog by default include a base set that have been defined by
Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema
snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to
the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute
to TRUE.
Global Catalog Replication of Additions to the Partial Attribute Set
Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest.
For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains
other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the
partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are
replicated to every global catalog server in an AD DS forest.
If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schema snap-in to edit the isMemberOfPartialAttributeSet value
on the respective attributeSchema object. You mark the attribute by placing a checkmark next to isMemberOfPartialAttributeSet. If the
isMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog.
If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog.
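The check box in the snap-in simply writes isMemberOfPartialAttributeSet on the attributeSchema object, so the same change can be made and verified from the Active Directory module. The following is an added example, not part of the exam dump or the referenced article; it assumes the attribute's LDAP display name is attribute1 (the question calls it Attribute 1) and that you are a member of Schema Admins. The helper name Get-SchemaAttribute is made up.

```powershell
# Added example: add a custom attribute to the global catalog's partial attribute set.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Hypothetical helper: find an attributeSchema object by its LDAP display name.
function Get-SchemaAttribute([string]$LdapDisplayName) {
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet, attributeID
}

$attr = Get-SchemaAttribute 'attribute1'          # assumed LDAP display name
if (-not $attr) { throw 'attribute1 is not defined in the schema' }
Write-Host ("Before: isMemberOfPartialAttributeSet = " + $attr.isMemberOfPartialAttributeSet)

# Schema writes are accepted only by the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
             -Replace @{ isMemberOfPartialAttributeSet = $true }

# Read back from the schema master rather than a replica that may not have the change yet.
$after = Get-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
                      -Properties isMemberOfPartialAttributeSet
Write-Host ("After:  isMemberOfPartialAttributeSet = " + $after.isMemberOfPartialAttributeSet)
```

Answer C (the User classSchema object) is the wrong place because PAS membership is a property of the attribute, not of the class that uses it; the same attribute is then in the global catalog for every class it is attached to.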
QUESTION 116
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role
installed. Server1 hosts two AD LDS instances named Instance1 and Instance2.
You need to remove Instance2 from Server1 without affecting Instance1.
Which tool should you use?
A. NTDSUtil
B. Dsdbutil
C. Programs and Features in the Control Panel
D. Server Manager
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc794857.aspx
Administering AD LDS Instances
Each AD LDS instance runs as an independent--and separately administered--service on a computer.
Reference 2:
http://technet.microsoft.com/en-us/library/cc794886.aspx
To remove an AD LDS instance
1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click
Programs and Features.
2. Locate and click the AD LDS instance that you want to remove.
3. Click Uninstall.
Note
It is not necessary to restart the computer after you remove an AD LDS instance.
QUESTION 117
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to compact the Active Directory database.
What should you do?
A. Run the Get-ADForest cmdlet.
B. Configure subscriptions from Event Viewer.
C. Run the eventcreate.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the repadmin.exe command.
G. Run the ntdsutil.exe command.
H. Run the dsquery.exe command.
I. Run the dsamain.exe command.
J. Create custom views from Event Viewer.
Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc794920.aspx
Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline
defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory
database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location.
Reference 2:
Mastering Windows Server 2008 R2 (Sybex, 2010) page 805
Performing Offline Defragmentation of Ntds.dit
These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder,
map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.
2. Type ntdsutil, and then press Enter.
3. Type Activate instance NTDS, and press Enter.
4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.
5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.
QUESTION 118
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer.
What should you do?
A. Run the ntdsutil.exe command.
B. Run the repadmin.exe command.
C. Run the Get-ADForest cmdlet.
D. Run the dsamain.exe command.
E. Create custom views from Event Viewer.
F. Run the dsquery.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Configure subscriptions from Event Viewer.
I. Run the eventcreate.exe command.
J. Create a Data Collector Set (DCS).
Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create
an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a
subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers.
The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must
be running on computers participating in the forwarding and collecting process. To learn about the steps required to configure event collecting and forwarding
computers, see Configure Computers to Forward and Collect Events (http://technet.microsoft.com/en-us/library/cc748890.aspx).
QUESTION 119
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to receive a notification when more than 100 Active Directory objects are deleted per second.
What should you do?
A. Create custom views from Event Viewer.
B. Run the Get-ADForest cmdlet.
C. Run the ntdsutil.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the dsamain.exe command.
G. Run the dsquery.exe command.
H. Run the repadmin.exe command.
I. Configure subscriptions from Event Viewer.
J. Run the eventcreate.exe command.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/magazine/ff458614.aspx
Configure Windows Server 2008 to Notify you when Certain Events Occur
You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network
messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.
To configure an alert, follow these steps:
1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
2. (...)
3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is
triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of
measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select
Over, and then type 95. Repeat this process to configure other counters you've selected.
QUESTION 120
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to create a snapshot of Active Directory.
What should you do?
A. Run the dsquery.exe command.
B. Run the dsamain.exe command.
C. Create custom views from Event Viewer.
D. Configure subscriptions from Event Viewer.
E. Create a Data Collector Set (DCS).
F. Configure the Active Directory Diagnostics Data Collector Set (DCS).
G. Run the repadmin.exe command.
H. Run the ntdsutil.exe command.
I. Run the Get-ADForest cmdlet.
J. Run the eventcreate.exe command.
Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc753609.aspx
To create an AD DS or AD LDS snapshot
1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.
2. Click Start, right-click Command Prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. At the elevated command prompt, type the following command, and then press ENTER:
ntdsutil
5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds
7. At the snapshot prompt, type the following command, and then press ENTER: create
QUESTION 121
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can query the snapshot by using LDAP.
What should you do?
A. Run the dsamain.exe command.
B. Create custom views from Event Viewer.
C. Run the ntdsutil.exe command.
D. Configure subscriptions from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Create a Data Collector Set (DCS).
G. Run the eventcreate.exe command.
H. Configure the Active Directory Diagnostics Data Collector Set (DCS).
I. Run the repadmin.exe command.
J. Run the dsquery.exe command.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc753609.aspx
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it
exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple
backups to compare the Active Directory data that they contain.
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows
Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following:
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
QUESTION 122
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2.
The network contains an enterprise certification authority (CA). You need to ensure that all of the members of a group named Managers can view the event log
entries for Certificate Services.
Which snap-in should you use?
A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management
Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:
We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all event logs, thus including the Certificate Services
events. We can do that by using Group Policy Management.
Reference 1:
It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here's what I did in VMWare, using a domain controller and
a member server. Click along if you want!
In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU
named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.
1. Start the Group Policy Management console on DC01.
2. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..."
3. I named the GPO "EventLog_TESTGROUP".
4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..."
5. Go to Computer Configuration \ Policies \ Windows Settings \ Security Settings and select "Restricted Groups".
6. Right-click "Restricted Groups" and choose "Add Group..."
7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers
group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.
8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it.
9. Click OK.
10. On MEM01 open a command prompt and run gpupdate /force.
11. Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.
Reference 2:
http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the
steps below.
(...)
Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built
in Event Log Readers group.
QUESTION 123
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7
Professional.
The network contains an enterprise certification authority (CA).
You need to approve a pending certificate request.
Which snap-in should you use?
A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/de-de/library/ff849263.aspx
To issue a pending certificate request:
1. Log on to your root CA by using an account that is a certificate manager.
2. Start the Certification Authority snap-in.
3. In the console tree, expand your root CA, and click Pending Certificates.
4. In the details pane, right-click the pending CA certificate, and click Issue.
QUESTION 124
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You
have a Group Policy object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts
in the Sales OU. You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
J. Link the GPO to the Engineering OU.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher
sites, domains, or organizational units from being automatically inherited by the child-level.
QUESTION 125
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains 10 domain controllers. The domain controllers run
Windows Server 2008 R2 and are configured as DNS servers.
You plan to create an Active Directory-integrated zone.
You need to ensure that the new zone is replicated to only four of the domain controllers.
What should you do first?
A. Use the ntdsutil tool to modify the DS behavior for the domain.
B. Use the ntdsutil tool to add a naming context.
C. Create a new delegation in the ForestDnsZones application directory partition.
D. Use the dnscmd tool with the /zoneadd parameter.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc725739.aspx
Store Data in an AD DS Application Partition
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application
directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory
partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.
Reference 2:
http://technet.microsoft.com/en-us/library/cc730970.aspx
Partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
This is a subcommand of Ntdsutil and Dsmgmt.
Examples
To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:
1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as
administrator.
2. Type: ntdsutil
3. Type: Ac in ntds
4. Type: partition management
5. Type: connections
6. Type: Connect to server DC_Name
7. Type: quit
8. Type: list
The following partitions will be listed:
0 CN=Configuration,DC=Contoso,DC=com
1 DC=Contoso,DC=com
2 CN=Schema,CN=Configuration,DC=Contoso,DC=com
3 DC=DomainDnsZones,DC=Contoso,DC=com
4 DC=ForestDnsZones,DC=Contoso,DC=com
9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com
10. Run the list command again to refresh the list of partitions.
QUESTION 126
Your network contains an Active Directory forest named fabrikam.com. The forest contains the following domains:
Fabrikam.com
Eu.fabrikam.com
Na.fabrikam.com
Eu.contoso.com
Na.contoso.com
You need to configure the forest to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of contoso.com when they
create user accounts from Active Directory Users and Computers.
Which tool should you use?
A. Active Directory Sites and Services
B. Set-ADDomain
C. Set-ADForest
D. Active Directory Administrative Center
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We would use the following command to achieve this:
Set-ADForest -UPNSuffixes @{Add="contoso.com"}
Reference 1:
http://technet.microsoft.com/en-us/library/dd391925.aspx
Creating a UPN Suffix for a Forest
This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest.
Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest.
Example
The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:
Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"}
Reference 2:
http://technet.microsoft.com/en-us/library/ee617221.aspx
Set-ADForest Modifies an Active Directory forest.
Parameter
UPNSuffixes
Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference
container. This parameter uses the following syntax to add, remove, replace, or clear UPN suffix values.
Syntax:
To add values:
-UPNSuffixes @{Add=value1,value2,...}
QUESTION 127
A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS sites.
The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers. You need to determine which domain controller holds the Inter-Site
Topology Generator role for the Toronto site.
What should you do?
A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site.
B. Use the Ntdsutil tool with the roles parameter.
C. Use the Ntdsutil tool with the LDAP policies parameter.
D. Use the Active Directory Sites and Services console to view the properties of each domain controller in the Toronto site.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc794776.aspx
Determine the ISTG Role Owner for a Site
The Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generating the intersite topology. If you want to regenerate the
intersite topology, you must determine the identity of the ISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and
determine the ISTG role owner for the site.
To determine the ISTG role owner for a site
1. Open Active Directory Sites and Services.
2. In the console tree, click the site object whose ISTG role owner you want to determine.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site
Topology Generator.
QUESTION 128
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?
A. Repadmin
B. Dcdiag
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Adtest
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Original answer was C ("Get-ADDomainControllerPasswordReplicationPolicyUsage"). On why it's not correct, I quote the original explanation:
"The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller
(RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list."
So, this revealed list has a list of accounts whose passwords are cached on RODC's. But we don't need the accounts that are cached on RODC1, but the ones that
can be cached on RODC1. Those are in the allowed list, and we can get it using repadmin.
Reference:
http://technet.microsoft.com/en-us/library/cc835090.aspx
Repadmin /prp
Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
Syntax
repadmin /prp view <RODC> {<List_Name>|<User>}
Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.
Parameters
<RODC>
Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a
wildcard character to specify multiple RODCs in one domain.
<List_Name>
Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:
auth2: The list of security principals that the RODC has authenticated.
reveal: The list of security principals for which the RODC has cached passwords.
allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.
deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.
Original explanation for answer C:
The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC)
or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.
http://technet.microsoft.com/en-us/library/ee617194.aspx
QUESTION 129
A network contains an Active Directory forest. The forest contains three domains and two sites. You remove the global catalog from a domain controller named
DC2. DC2 is located in Site1.
You need to reduce the size of the Active Directory database on DC2. The solution must minimize the impact on all users in Site1.
What should you do first?
A. On DC2, start the Protected Storage service.
B. On DC2, stop the Active Directory Domain Services service.
C. Start DC2 in Safe Mode.
D. Start DC2 in Directory Services Restore Mode.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc816811.aspx
Returning Unused Disk Space from the Active Directory Database to the File System
During ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours, by
default), free disk space is automatically defragmented online to optimize its use within the database file. The unused disk space is maintained for the database; it
is not returned to the file system.
Only offline defragmentation can return unused disk space from the directory database to the file system.
When database contents have decreased considerably through a bulk deletion (for example, when you remove the global catalog from a domain controller), or if the
size of the database backup is significantly increased as a result of the amount of free disk space, use offline defragmentation to reduce the size of the Ntds.dit file.
On domain controllers that are running Windows Server 2008, offline defragmentation does not require restarting the domain controller in Directory Services
Restore Mode (DSRM), as is required on domain controllers that are running versions of Windows Server 2000 and Windows Server 2003. You can use a new
feature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the AD DS service. When the service is stopped, services that
depend on AD DS shut down automatically. However, any other services that are running on the domain controller, such as Dynamic Host Configuration Protocol
(DHCP), continue to run and respond to clients.
QUESTION 130
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run
Windows Server 2008 R2. All client computers run Windows 7 Enterprise.
You need to receive a notification when more than 50 Active Directory objects are deleted per second.
What should you do?
A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.
Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/magazine/ff458614.aspx
Configure Windows Server 2008 to Notify you when Certain Events Occur
You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network
messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.
To configure an alert, follow these steps:
1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
2. (...)
3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is
triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of
measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select
Over, and then type 95. Repeat this process to configure other counters you've selected.
QUESTION 131
You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled
for autoenrollment.
You increase the template key length to 2,048 bits.
You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template.
Which console should you use?
A. Group Policy Management MMC Snap-In
B. Certificates MMC Snap-In on the Certificate Authority
C. Certificate Templates MMC Snap-In
D. Certification Authority MMC Snap-In
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771246.aspx
Re-Enroll All Certificate Holders
This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to
re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA),
the subject will re-enroll.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement
Role-Based Administration.
To re-enroll all certificate holders
1. Open the Certificate Templates snap-in.
2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.
QUESTION 132
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You attempt to create a new child domain and you receive the following error message: "An LDAP read of operational attributes failed."
You need to ensure that you can add a new child domain to the forest.
What should you do?
A. Move the PDC emulator role.
B. Move the RID master role.
C. Move the infrastructure master role.
D. Move the schema master role.
E. Move the domain naming master role.
F. Move the global catalog server.
G. Move the bridgehead server.
H. Install a read-only domain controller (RODC).
I. Deploy an additional global catalog server.
J. Restart the Active Directory Domain Services (AD DS) service.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
This message appears when the domain naming master is unavailable. It needs to be moved to another domain controller to resolve this.
Reference:
http://technet.microsoft.com/en-us/library/bb727058.aspx
Troubleshooting Active Directory Installation Wizard Problems
Symptom or Error
An LDAP read of operational attributes failed.
Root Cause
The domain naming master for the forest is offline or cannot be contacted.
Solution
Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.
QUESTION 133
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2003. All domain controllers run
Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can connect to the snapshot by using LDAP.
What should you do?
A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc753609.aspx
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it
exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple
backups to compare the Active Directory data that they contain.
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows
Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (...)
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
QUESTION 134
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You
need to ensure that when users log on to client computers, they are added automatically to the local Administrators group. The users must be removed from the
group when they log off of the client computers.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the Group Policy object (GPO) to the Sales OU.
J. Link the Group Policy object (GPO) to the Engineering OU.
Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
QUESTION 135
Your network contains an Active Directory forest named contoso.com. The forest contains two member servers named Server1 and Server2. Server1 and Server2
have the DNS Server server role installed.
Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server for contoso.com.
You experience issues with the copy of the zone on Server2. You verify that both copies of the zone have the same serial number.
You need to transfer a complete copy of the zone from Server1 to Server2.
What should you do on Server2?
A. From DNS Manager, right-click contoso.com and click Transfer from Master.
B. From Services, right-click DNS Server and click Refresh.
C. From Services, right-click DNS Server and click Restart.
D. From DNS Manager, right-click contoso.com and click Reload.
E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 212
Manually Updating a Secondary Zone
By right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to perform the following secondary zone update operations:
Reload - This operation reloads the secondary zone from the local storage.
Transfer From Master - The server hosting the local secondary zone determines whether the serial number in the secondary zone's SOA resource record has expired and then pulls a zone transfer from the master server.
Transfer New Copy Of Zone From Master - This operation performs a zone transfer from the secondary zone's master server regardless of the serial number in the secondary zone's SOA resource record.
QUESTION 136
Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers
named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional
level of the forest is Windows Server 2003.
Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while he is logged on
to DC1.
You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, run the Restore-ADObject cmdlet.
D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory Domain Services.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional
level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003."
See http://technet.microsoft.com/nl-nl/library/dd379481.aspx
Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DCs.
Reference 1:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 "An authoritative restore restores data that was lost and updates the Update
Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers."
Reference 2:
http://technet.microsoft.com/en-us/library/cc755296.aspx
Authoritative restore of AD DS has the following requirements:
(...)
You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is
complete.
QUESTION 137
You create a standard primary zone for contoso.com.
You need to specify a user named Admin1 as the person responsible for managing the zone.
What should you do? (Each correct answer presents a complete solution. Choose two.)
A. Open the %Systemroot%\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "hostmaster.contoso.com" to
"admin1.contoso.com".
B. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com. Specify admin1.contoso.com as the responsible person.
C. Open the %Systemroot%\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "[email protected]" to
"[email protected]".
D. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com. Specify [email protected] as the responsible person.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc816941.aspx
To modify the start of authority (SOA) resource record for a zone using the Windows interface
1. Open DNS Manager.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. As needed, modify properties for the start of authority (SOA) resource record.
5. Click OK to save the modified properties.
Reference 2:
http://technet.microsoft.com/en-us/library/dd197495.aspx
The SOA resource record contains the following information:
SOA resource record fields
Responsible person The e-mail address of the person responsible for administering the zone. A period (.) is used instead of an at sign (@) in this e-mail name.
(...)
QUESTION 138
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2.
The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server
role on RODC1.
You discover that RODC1 does not have any DNS application directory partitions.
You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.
What should you do? (Each correct answer presents a complete solution. Choose two.)
A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.
B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.
C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.
D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.
E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.
Correct Answer: DE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc742490.aspx
RODC Post-Installation Configuration
If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted
automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have
permissions to add or remove other DNS servers that are enlisted in the application directory partitions.
To enlist a DNS server in a DNS application directory partition
1. Open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:
dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com
You might encounter the following error when you run this command:
Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF
If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated:
1. ntdsutil
2. partition management
3. connections
4. Connect to a writeable domain controller (not an RODC): connect to server <WriteableDC>.Child.contoso.com
5. quit
6. To enlist this server in the replication scope for this zone, run the following command:
add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com <rodc Server>.Child.contoso.com
Original explanation:
Please Check but I think this should be A and C and not A and D.
I have changed it to A and C.
Reason: Once the application directory partition is created, contoso.com should replicate to it. Dnscmd /enlistdirectorypartition --- Adds the DNS server to the
specified directory partition's replica set.
Dnscmd /createbuiltindirectorypartitions Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is
created at the forest and domain levels. Use this command to create DNS application directory partitions that were deleted or never created. With no parameter,
this command creates a built-in DNS directory partition for the domain.
To create the default DNS application directory partitions Using the Windows interface
Open DNS.
In the console tree, right-click the applicable DNS server.
Where?
DNS/applicable DNS server
Click Create Default Application Directory Partitions.
Follow the instructions to create the DNS application directory partitions.
QUESTION 139
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Ntdsutil
B. Dnscmd
C. Repadmin
D. Nslookup
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.
Reference:
http://technet.microsoft.com/en-us/library/cc811569.aspx
Forcing Replication
Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.
Force a replication event with all partners
The repadmin /syncall command synchronizes a specified domain controller with all replication partners.
Syntax
repadmin /syncall <DC> [<NamingContext>] [<Flags>]
Parameters
<DC>
Specifies the host name of the domain controller to synchronize with all replication partners.
<NamingContext>
Specifies the distinguished name of the directory partition.
<Flags>
Performs specific actions during the replication.
QUESTION 140
Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008 R2. ADFS1 has the Active Directory Federation Services
(AD FS) Federation Service role service installed.
You plan to deploy AD FS 2.0 on ADFS2 and ADFS3.
You need to export the token-signing certificate from ADFS1, and then import the certificate to ADFS2 and ADFS3.
In which format should you export the certificate?
A. Personal Information Exchange PKCS #12 (.pfx)
B. DER encoded binary X.509 (.cer)
C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
D. Base-64 encoded X.509 (.cer)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/ff678038.aspx
Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0
If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.
[The site provides also a link for instructions on how to export the token-signing certificate. That link point to the site mentioned in reference 2.]
Reference 2:
http://technet.microsoft.com/en-us/library/cc784075.aspx
Export the private key portion of a token-signing certificate
To export the private key of a token-signing certificate
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. Right-click Federation Service, and then click Properties.
3. On the General tab, click View.
4. In the Certificate dialog box, click the Details tab.
5. On the Details tab, click Copy to File.
6. On the Welcome to the Certificate Export Wizard page, click Next.
7. On the Export Private Key page, select Yes, export the private key, and then click Next.
8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then click Next.
9. (...)
QUESTION 141
You create a user account template for the marketing department. When you copy the user account template, you discover that the Web page attribute is not
copied.
You need to preserve the Web page attribute when you copy the user account template.
What should you do?
A. From Active Directory Administrative Center, modify the value of the wWWHomePage attribute for the user account template.
B. From the Active Directory Schema snap-in, modify the properties of the user class.
C. From Active Directory Users and Computers, modify the value of the wWWHomePage attribute for the user account template.
D. From ADSI Edit, modify the properties of the wWWHomePage attribute.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771231.aspx
You can modify which default attributes are carried over to a newly copied user or specify additional attributes that will be copied to the new user. To do this, open
the Active Directory Schema snap-in, view the desired attribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You can
modify or add only the attributes that are instances of the user class.
QUESTION 142
Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2.
The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings. On a domain controller named DC1, an administrator configures the
Advanced Audit Policy Configuration settings by using a local GPO.
You need to identify what will be audited on DC1.
Which tool should you use?
A. Get-ADObject
B. Secedit
C. Security Configuration and Analysis
D. Auditpol
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://technet.microsoft.com/en-us/library/cc772576.aspx
Auditpol get
Retrieves the system policy, per-user policy, auditing options, and audit security descriptor object.
Reference 2:
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 670
You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and
subcategories, use the following command:
auditpol /get /category:*
QUESTION 143
A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.
You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.
Which tool should you use?
A. Dsmod
B. Csvde
C. Ldifde
D. Dsrm
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We can achieve this by using csvde:
CSVDE -f onlyusers.csv -r "objectCategory=person" -l "CN,<CustomAttributeName>"
The exported CSV file can be viewed in Excel.
Reference:
http://technet.microsoft.com/en-us/library/cc732101.aspx
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also
support batch operations based on the CSV file format standard.
Syntax
Csvde [-i] [-f <FileName>] [-r <LDAPFilter>] [-l <LDAPAttributeList>] (...)
Parameters
-i
Specifies import mode. If not specified, the default mode is export.
-f <FileName>
Identifies the import or export file name.
-r <LDAPFilter>
Creates an LDAP search filter for data export.
-l <LDAPAttributeList>
Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes.
QUESTION 144
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. All domain
controllers run Windows Server 2008. All forest-wide operations master roles are in child.contoso.com.
An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 Service Pack 1 (SP1) installation media.
You plan to run adprep.exe /domainprep in each domain.
You need to ensure that you have the required user rights to run the command successfully in each domain.
Of which groups should you be a member? (Each correct answer presents part of the solution.
Choose two.)
A. Administrators in child.contoso.com
B. Enterprise Admins in contoso.com
C. Domain Admins in child.contoso.com
D. Domain Admins in contoso.com
E. Administrators in contoso.com
F. Schema Admins in contoso.com
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/de-de/library/cc731728.aspx
Adprep /domainprep
Prepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run this command after the forestprep command finishes and
after the changes replicate to all the domain controllers in the forest.
Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008.
You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain
Admins group to run this command.
QUESTION 145
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers
run Windows Server 2008 R2 Service Pack 1 (SP1).
The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory
partition.
You need to configure a domain controller named DC2 to receive a copy of dc=app1,dc=contoso,dc=com.
Which tool should you use?
A. Active Directory Sites and Services
B. Dsmod
C. Dcpromo
D. Dsmgmt
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc732887.aspx
Dcpromo
Installs and removes Active Directory Domain Services (AD DS).
Parameter
ApplicationPartitionsToReplicate:""
Specifies the application directory partitions that dcpromo will replicate. Use the following format:
"partition1" "partition2" "partitionN"
Use * to replicate all application directory partitions.
Original explanation:
Please Check Answer
I don't think this is Dsmod. It is most likely Dcpromo.
Dsmod -- Modifies an existing object of a specific type in the directory.
QUESTION 146
A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services (AD DS) domain.
You need to enable Universal Group Membership Caching on several domain controllers in the domain.
Which tool should you use?
A. Dsmod
B. Dscmd
C. Ntdsutil
D. Active Directory Sites and Services console
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc816928.aspx
Enable Universal Group Membership Caching in a Site
In a branch site that has no global catalog server and in a forest that has multiple domains, you can use this procedure to enable Universal Group Membership
Caching on a domain controller in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user
logon.
To enable Universal Group Membership Caching in a site
1. Open Active Directory Sites and Services.
2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
5. In the Refresh cache from list, click the site that you want the domain controller to contact when the
Universal Group membership cache must be updated, and then click OK.
QUESTION 147
Your network contains an Active Directory forest. The forest contains three domains. All domain controllers have the DNS Server server role installed.
The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client computers, and domain controllers of each domain. Site1 contains
the first domain controller deployed to the forest.
The sites connect to each other by using unreliable WAN links. The users in Site2 and Site3 report that it takes a long time to log on to their client computers when
they use their user principal name (UPN). The users in Site1 do not experience the same issue.
You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to their client computer by using their UPN.
What should you do?
A. Configure a global catalog server in Site2 and a global catalog server in Site3.
B. Reduce the replication interval of the site links.
C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.
D. Add additional domain controllers to Site2 and to Site3.
E. Reduce the cost of the site links.
F. Enable universal group membership caching in Site2 and in Site3.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc728188.aspx
Common Global Catalog Scenarios
The following events require a global catalog server:
(...) User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:
1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.
2. (...)
QUESTION 148
You have a client computer named Computer1 that runs Windows 7. On Computer1, you configure a source-initiated subscription.
You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1.
The subscription is configured to use the HTTP protocol.
You discover that events from the Security log of DC1 are not collected on Computer1. Events from the
Application log of DC1 and the System log of DC1 are collected on Computer1.
You need to ensure that events from the Security log of DC1 are collected on Computer1.
What should you do?
A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.
B. Add the Network Service security principal to the Event Log Readers group on the domain.
C. Configure the subscription to use custom Event Delivery Optimization settings.
D. Configure the subscription to use the HTTPS protocol.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://blogs.technet.com/b/askds/archive/2011/08/29/the-security-log-haystack-event-forwarding-and-you.aspx
Preparing Windows Server 2008 and Windows Server 2008 R2
You have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account to the Builtin Event Log Readers group.
Reference 2:
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/8434ffb3-1621-4bc5-8311-66d88b215886/
How to collect security logs using event forwarding?
For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it.
1. Click start->run, type CompMgmt.msc to open Computer Management Console.
2. Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties.
3. Click Add, then click Location button, select your computer and click OK.
4. Click the Object Types button, check the Built-in security principals check box, and click OK.
5. Add the Network Service built-in account to the Event Log Readers group.
6. Reboot the client computer.
After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector.
QUESTION 149
Your network contains an Active Directory forest named contoso.com. The forest contains six domains.
You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of litwareinc.com when they create user accounts
by using Active Directory Users and Computers.
Which tool should you use?
A. Active Directory Administrative Center
B. Set-ADDomain
C. Active Directory Sites and Services
D. Set-ADForest
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We would use the following command to achieve this:
Set-ADForest -UPNSuffixes @{Add="contoso.com"}
Reference 1:
http://technet.microsoft.com/en-us/library/dd391925.aspx
Creating a UPN Suffix for a Forest
This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest.
Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest.
Example
The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:
Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"}
Reference 2:
http://technet.microsoft.com/en-us/library/ee617221.aspx
Set-ADForest Modifies an Active Directory forest.
Parameter
UPNSuffixes Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-
reference container. This parameter uses the following syntax to add, remove, replace, or clear UPN suffix values.
Syntax:
To add values:
-UPNSuffixes @{Add=value1,value2,...}
QUESTION 150
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain
controller (RODC).
You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?
A. Active Directory Users and Computers
B. Ntdsutil
C. Get-ADAccountResultantPasswordReplicationPolicy
D. Adtest
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Original answer was C ("Get-ADAccountResultantPasswordReplicationPolicy").
Ntdsutil cannot be used for this.
http://technet.microsoft.com/en-us/library/cc753343.aspx
Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list or denied list of a read-only domain controller's password
replication policy. Get-ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed.
http://technet.microsoft.com/en-us/library/ee617207.aspx
Adtest is used for performance testing.
Reference 1:
http://technet.microsoft.com/en-us/library/cc755310.aspx
Review whose accounts have been authenticated to an RODC
Periodically, you should review whose accounts have been authenticated to an RODC. (...) You can use Active Directory Users and Computers or repadmin /prp to
review whose accounts have been authenticated to an RODC.
Reference 2:
http://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3-ebb9d7fa6bf(v=ws.10)#BKMK_Auth2
Gives a step by step explanation on using Active Directory Users and Computers.
Old explanation:
Get-ADDomainControllerPasswordReplicationPolicyUsage: To get accounts that are authenticated by the RODC, use the AuthenticatedAccounts parameter. To get
the accounts that have passwords stored on the RODC, use the RevealedAccounts parameter.
http://technet.microsoft.com/en-us/library/ee617194.aspx
QUESTION 151
Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.
You need to generate a file that contains the last logon time and the custom attribute values for each user in the forest.
What should you use?
A. the Get-ADUser cmdlet
B. the Export-CSV cmdlet
C. the Net User command
D. the Dsquery User tool
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Export-CSV cannot perform queries. It is used to save queries that have been piped through.
Net User is too limited for our question.
Get-ADUser
References:
https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for-output.aspx
http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7
http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/
Export-Csv
Reference:
http://technet.microsoft.com/en-us/library/ee176825.aspx
Saving Data as a Comma-Separated Values File
The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV
file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to
a file named C:\Scripts\Test.txt: Get-Process | Export-Csv c:\scripts\test.txt.
Net User
Reference:
http://technet.microsoft.com/en-us/library/cc771865.aspx
Adds or modifies user accounts, or displays user account information.
DSQUERY
Reference 1:
http://technet.microsoft.com/en-us/library/cc754232.aspx
Parameters
{<StartNode> | forestroot | domainroot}
Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a
node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog.
-attr {<AttributeList> | *}
Specifies the semicolon-separated LDAP display names included in <AttributeList> to display for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name.
Reference 2:
http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b
Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the start node, instead of forestroot, which is what we need.
Reference 3:
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/
List all last login times for all users, regardless of whether they are disabled.
dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >> c:\last_logon_for_all.txt
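The forest-wide export the question asks for, written out in PowerShell as an added example (not part of the exam dump or of any Microsoft documentation). It assumes the ActiveDirectory module is installed, that the caller can read user objects in every domain, and that contosoCustomAttr is a placeholder for the real LDAP display name of the custom attribute. It uses lastLogonTimestamp rather than lastLogon because lastLogon is not replicated and would require querying every domain controller.

```powershell
# Added example: export lastLogonTimestamp and a custom schema attribute for every
# user in the forest with Get-ADUser, then write the result with Export-Csv.
# Assumptions: ActiveDirectory module available; read access to all domains;
# 'contosoCustomAttr' is a placeholder for the custom attribute's LDAP display name.
Import-Module ActiveDirectory

$CustomAttribute = 'contosoCustomAttr'          # placeholder, replace with the real attribute name
$OutFile         = 'C:\Temp\forest-users.csv'   # constructed output path

# Get-ADUser is scoped to one domain per call, so enumerate every domain in the forest.
$Domains = (Get-ADForest).Domains

$Rows = foreach ($Domain in $Domains) {
    # lastLogonTimestamp is replicated (unlike lastLogon), so one DC per domain is enough.
    # Caveat: it is only updated when more than 14 days old by default, so treat it as
    # "last logon within about two weeks", not an exact time.
    Get-ADUser -Server $Domain -Filter * -Properties lastLogonTimestamp, $CustomAttribute |
        ForEach-Object {
            # lastLogonTimestamp is a Windows FileTime (100-ns ticks since 1601-01-01);
            # a null or zero value means the account has never logged on.
            $LastLogon = if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            } else {
                $null
            }

            [PSCustomObject]@{
                Domain             = $Domain
                SamAccountName     = $_.SamAccountName
                UserPrincipalName  = $_.UserPrincipalName
                Enabled            = $_.Enabled
                LastLogonTimestamp = $LastLogon
                CustomAttribute    = $_.$CustomAttribute   # dynamic property access by name
            }
        }
}

# -NoTypeInformation drops the "#TYPE" header line so the file opens cleanly in Excel.
$Rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Exported $($Rows.Count) user records to $OutFile"
```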
QUESTION 152
You have an Active Directory domain named contoso.com.
You need to view the account lockout threshold and duration for the domain.
Which tool should you use?
A. Net User
B. Active Directory Users and Computers
C. Group Policy Management Console (GPMC)
D. Computer Management
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 153
A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS server for fabrikam.com.
You install the DNS Server server role on a member server named DNS1 and then you create a standard secondary zone for fabrikam.com. You configure DC4 as
the master server for the zone.
You need to ensure that DNS1 receives zone updates from DC4.
What should you do?
A. Add the DNS1 computer account to the DNSUpdateProxy group.
B. On DC4, modify the permissions of the fabrikam.com zone.
C. On DNS1, add a conditional forwarder.
D. On DC4, modify the zone transfer settings for the fabrikam.com zone.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771652.aspx
Modify Zone Transfer Settings
You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.
To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to
servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
QUESTION 154
A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the
PerimeterNetwork workgroup and is attached to a hardware security module for private key storage.
You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA option is not available.
You need to install the AD CS server role as an Enterprise CA on CA1.
What should you do first?
A. Add the DNS Server server role to CA1.
B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
D. Join CA1 to the domain.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it's unavailable.
Well, you need to fulfill basic requirements:
1. Server machine has to be a member server (domain joined).
2. (...)
Reference 2:
http://social.technet.microsoft.com/Forums/en/w7itproSP/thread/34f95b81-b196-4211-9a99-a06108521268
QUESTION 155
Your company has an Active Directory forest. Each regional office has an organizational unit (OU) named Marketing. The Marketing OU contains all users and
computers in the region's Marketing department.
You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs.
You create a GPO named MarketingApps.
What should you do next?
A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain.
B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU.
C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU.
D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We need to assign the software to the computers, and link the GPO to each Marketing OU. We do not link it to the domain, then every computer would have the
software.
Reference:
http://support.microsoft.com/kb/816102
You can use Group Policy to distribute computer programs by using the following methods:
Assigning Software You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the
computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and
it is available to all users who log on to the computer. When a user first runs the program, the installation is completed.
Publishing Software
You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog
box, and it can be installed from there.
QUESTION 156
Your network contains an Active Directory domain named contoso.com. The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit
button.)
You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between the sites.
What should you do?
A. Configure DC1 as a preferred bridgehead server for IP transport.
B. Configure DC4 as a preferred bridgehead server for IP transport.
C. From the DC4 server object, create a Connection object for DC1.
D. From the DC1 server object, create a Connection object for DC4.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194
Bridgehead Servers
A bridgehead server is the domain controller designated by each site's KCC to take control of intersite replication. The bridgehead server receives information
replicated from other sites and replicates it to its site's other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than
between them.
In most cases, the KCC automatically decides which domain controller acts as the bridgehead server.
However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps:
1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server.
2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.
3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead
server and then click Add.
Original explanation:
Please Check Answer
Connections. The KCC creates connections that enable domain controllers to replicate with each other. A connection defines a one-way, inbound route from one
domain controller, the source, to another domain controller, the destination. The KCC reuses existing connections where it can, deletes unused connections, and
creates new connections if none exist that meet the current need. Bridgehead Servers. To communicate across site links, the KCC automatically designates a
single server, called the bridgehead server, in each site to perform site-to-site replication. Subsequent replication occurs by replication within a site. When site links
are established, authorized administrators can designate the bridgehead servers that they want to receive replication between sites. By designating a specific server
to receive replication between sites, rather than using any available server, authorized administrators can specify the most beneficial conditions for the connection
between sites. Bridgehead servers ensure that most replication occurs within sites rather than between sites.
http://technet.microsoft.com/library/dd277429.aspx
QUESTION 157
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 has the DNS Server server role
installed and hosts an Active Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are both set to three days. The Advanced
DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the Exhibit button.)
You open the properties of a static record named Server1 as shown in the Server1 Record exhibit. (Click the Exhibit button.)
You discover that the scavenging process ran today, but the record for Server1 was not deleted.
You run dnscmd.exe and specify the ageallrecords parameter.
You need to identify when the record for Server1 will be deleted from the zone.
In how many days will the record be deleted?
A. 13
B. 10
C. 23
D. 7
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The blank Record time stamp field indicates a static record. That's the reason it wasn't deleted.
The timestamp has been set using dnscmd /ageallrecords.
The Time to live setting means that the server will hold a cached record for 10 days, so it has nothing to do with this question. The record will become stale in six
days (no-refresh interval + refresh interval, that's 3 + 3 days), so now that the timestamp has been set it will be deleted when the next scavenging operation occurs,
in seven days.
Reference 1:
http://technet.microsoft.com/en-us/library/cc772069.aspx
dnscmd /ageallrecords Sets the current time on all time stamps in a zone or node. Record scavenging does not occur unless the records are time stamped. Name
server (NS) resource records, start of authority (SOA) resource records, and Windows Internet Name Service (WINS) resource records are not included in the
scavenging process, and they are not time stamped even when the ageallrecords command runs.
Reference 2:
http://www.windowsitpro.com/article/dns/scavenging-stale-dns-records
When a record is older than the sum of the no-refresh interval and the refresh interval, the scavenging feature considers the record stale and deletes it. So, when
you set No-refresh interval to 3 days and Refresh interval to 5 days, scavenging will delete records that are more than 8 days old.
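A worked computation of the timeline in the explanation above, as an added PowerShell example that is not part of the original question or its references. It assumes the scavenging period shown in the exhibit is 7 days (the value the answer of 7 implies) and that dnscmd /ageallrecords stamped the record today.

```powershell
# Added example: forecast when a DNS record becomes stale and when the scavenging
# process will actually remove it. Pure calculation, no DNS server needed.
function Get-ScavengeForecast {
    param(
        # Record time stamp; $null models a static record (blank time stamp field)
        [Nullable[datetime]]$RecordTimestamp,
        [int]$NoRefreshDays,
        [int]$RefreshDays,
        # When the scavenging process last ran and how often it runs (scavenging period)
        [datetime]$LastScavengeRun,
        [int]$ScavengingPeriodDays
    )
    if ($null -eq $RecordTimestamp) {
        # Static records carry no time stamp, so scavenging skips them entirely
        return [pscustomobject]@{
            StaleAt = $null; DeletedAt = $null; DaysUntilDeleted = $null
            Note    = 'static record (no time stamp): never scavenged'
        }
    }
    # A record is stale once it is older than no-refresh interval + refresh interval
    $staleAt = $RecordTimestamp.Value.AddDays($NoRefreshDays + $RefreshDays)
    # Deletion happens at the first scheduled scavenging run at or after that moment
    $nextRun = $LastScavengeRun.AddDays($ScavengingPeriodDays)
    while ($nextRun -lt $staleAt) {
        $nextRun = $nextRun.AddDays($ScavengingPeriodDays)
    }
    [pscustomobject]@{
        StaleAt          = $staleAt
        DeletedAt        = $nextRun
        DaysUntilDeleted = [int]($nextRun - $LastScavengeRun).TotalDays
        Note             = 'deleted at the first scavenging run after the record is stale'
    }
}

$today = (Get-Date).Date

# Server1 before /ageallrecords: blank time stamp, which is why today's run left it alone
Get-ScavengeForecast -RecordTimestamp $null -NoRefreshDays 3 -RefreshDays 3 `
    -LastScavengeRun $today -ScavengingPeriodDays 7

# Server1 after /ageallrecords ran today: stale in 6 days, removed at the next run, 7 days out
Get-ScavengeForecast -RecordTimestamp $today -NoRefreshDays 3 -RefreshDays 3 `
    -LastScavengeRun $today -ScavengingPeriodDays 7

# Reference 2's numbers (3 + 5 days) with a daily scavenging run: deleted after 8 days
Get-ScavengeForecast -RecordTimestamp $today -NoRefreshDays 3 -RefreshDays 5 `
    -LastScavengeRun $today -ScavengingPeriodDays 1
```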
QUESTION 158
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)
Each organizational unit (OU) contains over 500 user accounts. The Finance OU and the Human Resources OU contain several user accounts that are members of
a universal group named Group1.
You have a Group Policy object (GPO) linked to the domain. You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
"GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups.
So you have two choices. You could remove authenticated users in the security filter and add groups containing everyone except group1 members (messy solution)
or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo (since deny will always win over allow)."
The reference below explains a situation where the GPO only needs to be applied to one group, it's the other way around so to speak.
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 285, 286
Using Security Filtering to Modify GPO Scope
By now, you've learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers
rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to
specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.
Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a
GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer's OU), but the computer does not have Read and
Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO
so that its settings apply only to the computers and users you specify.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following steps:
4. Select the GPO in the Group Policy Objects container in the console tree.
5. In the Security Filtering section, select the Authenticated Users group and click Remove.
6. Click OK to confirm the change.
7. Click Add.
8. Select the group to which you want the policy to apply and click OK.
QUESTION 159
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 and a domain controller named DC1.
On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription is configured to collect all events.
After several days, you discover that Server1 failed to collect any events from DC1, although there are more than 100 new events in the Application log of DC1.
You need to ensure that Server1 collects events from DC1.
What should you do?
A. On Server1, run wecutil quick-config.
B. On Server1, run winrm quickconfig.
C. On DC1, run wecutil quick-config.
D. On DC1, run winrm quickconfig.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Since the subscription has been created, wecutil quick-config has already run on Server1. Only thing left is to configure DC1 to forward the events, using winrm
quickconfig.
Reference 1:
Mastering Windows Server 2008 R2 (Sybex, 2010) page 773
Windows Event Collector Service
The first time you select the Subscriptions node of Event Viewer or the Subscription tab of any log, a dialog box will appear stating that the Windows Event Collector
Service must be running and configured. It then asks whether you want to start and configure the service. If you click Yes, it starts the service and changes the
startup type from Manual to Automatic (Delayed Start), causing it to start each time Windows starts.
Reference 2:
http://technet.microsoft.com/en-us/library/cc748890.aspx
To configure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt: winrm quickconfig
QUESTION 160
A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured as shown in the following table.
The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003.
Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00 A.M. every day.
At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001. You need to restore the deleted user account. You must achieve this goal by
using the minimum administrative effort.
What should you do?
A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.
B. On DC001, run the Restore-ADObject cmdlet.
C. On DC006, run the Restore-ADObject cmdlet.
D. On DC001, stop AD DS, restore the system state, and then start AD DS.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional
level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003."
See http://technet.microsoft.com/nl-nl/library/dd379481.aspx
Performing an authoritative restore on DC006 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to
other DCs.
Reference 1:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692
"An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers."
Reference 2:
http://technet.microsoft.com/en-us/library/cc755296.aspx
Authoritative restore of AD DS has the following requirements:
(...)
You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is
complete.
QUESTION 161
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.
You have a Group Policy Object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer
accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Modify the Group Policy permissions.
B. Configure WMI filtering.
C. Enable block inheritance.
D. Enable loopback processing in replace mode.
E. Configure the link order.
F. Configure Group Policy Preferences.
G. Link the GPO to the Human Resources OU.
H. Configure Restricted Groups.
I. Enable loopback processing in merge mode.
J. Link the GPO to the Finance OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or
organizational units from being automatically inherited by the child-level.
QUESTION 162
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You
have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings. You discover that
GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect. You need to ensure that the settings in
GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
What should you do?
A. Configure Restricted Groups.
B. Configure the link order.
C. Link the GPO to the Sales OU.
D. Link the GPO to the Engineer OU.
E. Enable loopback processing in merge mode.
F. Modify the Group Policy permissions.
G. Configure WMI filtering.
H. Configure Group Policy Permissions.
I. Enable loopback processing in replace mode.
J. Enable block inheritance.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283
Precedence of Multiple Linked GPOs
An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs' link order determines their precedence. In Figure 6-10,
two GPOs are linked to the People OU.
Figure 6-10 GPO link order
The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration
GPO have precedence over these same settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO.
QUESTION 163
All vendors belong to a global group named vendors.
You place three file servers in a new organizational unit (OU) named ConfidentialFileServers. The three file servers contain confidential data located in shared
folders.
You need to record any failed attempts made by the vendors to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
Configure the Audit object access failure audit policy setting.
B. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
Configure the Audit privilege use Failure audit policy setting.
C. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
E. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
Configure the Deny access to this computer from the network user rights setting for the Vendors global group.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671
Auditing Resource Access
Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on
the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling Audit object access and
step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two
options are as follows:
Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.
Audit object access success enables you to see usage patterns. This shows misuse of privilege. After object access auditing is enabled, you can easily monitor
access to resources such as folders, files, and printers.
Auditing Files and Folders
The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind
that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource
requirements.
Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:
1. In Windows Explorer, right-click the file or folder to audit and select Properties.
2. Select the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.
4. Click the Add button to display the Select User or Group window.
5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.
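The two-step procedure above (enable object access failure auditing, then put a Failure audit entry for Vendors on each shared folder) carried out from PowerShell on one file server, followed by a query for the failed attempts it records. This is an added example, not code from the question or the cited book; the share paths, the CONTOSO domain name and the one-day lookback are assumptions, and the local auditpol call stands in for the GPO setting of answer A.

```powershell
# Added example. Run elevated on the file server (Get-Acl -Audit needs SeSecurityPrivilege).
# In production, step 1 belongs in the GPO linked to the ConfidentialFileServers OU;
# auditpol is used here so the whole sequence can be tried on a single server.

# Step 1: object access, File System subcategory, failures only (keeps log volume down)
auditpol /set /subcategory:"File System" /failure:enable

# Step 2: Failure / Full Control audit entry for Vendors on every confidential share
$sharedFolders = 'D:\Shares\Confidential', 'D:\Shares\Finance'          # assumed paths
$vendors = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Vendors')

foreach ($folder in $sharedFolders) {
    $acl = Get-Acl -Path $folder -Audit
    # Any failed request for a right covered by Full Control, inherited by subfolders and files
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $vendors,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# Detection: event 4656 (handle requested) with the Audit Failure keyword is what a
# denied open against an audited folder produces. Summarise per account.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656
    Keywords  = 0x10000000000000          # Audit Failure
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$failed | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object = $d.ObjectName
    }
} | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
```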
QUESTION 164
A corporate network includes a single Active Directory Domain Services (AD DS) domain.
The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs: HR Users and HR Computers. User accounts for the HR
department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a
security group named HR Employees. All HR department computers belong to a security group named HR PCs.
Company policy requires that passwords are a minimum of 6 characters. You need to ensure that the next time HR department employees change their
passwords, the passwords are required to have at least 8 characters. The password length requirement should not change for employees of any other department.
What should you do?
A. Modify the password policy in the GPO that is applied to the domain.
B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.
C. Create a new GPO, with the necessary password policy, and link it to the HR Computers OU.
D. Modify the password policy in the GPO that is applied to the domain controllers OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc770394.aspx
What do fine-grained password policies do?
You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply
different restrictions for password and account lockout policies to different sets of users in a domain.
For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a
special password policy for accounts whose passwords are synchronized with other data sources.
Are there any special considerations?
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. By default,
only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users.
The domain functional level must be Windows Server 2008.
Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a
shadow group.
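The fine-grained password policy that the reference describes, applied to the HR Employees global group from the question, as an added PowerShell example that is not part of the original question or reference. The PSO name, precedence and every value other than the 8-character minimum are assumptions; the functional-level and group-scope checks cover the two considerations the reference lists.

```powershell
# Added example: a Password Settings Object (PSO) that raises the minimum password
# length to 8 for members of "HR Employees" only. Other users keep the domain policy.
Import-Module ActiveDirectory

# Consideration 1: PSOs need the Windows Server 2008 domain functional level or higher
$domain = Get-ADDomain
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "PSOs need domain mode Windows2008Domain or higher; current mode is $($domain.DomainMode)"
}

# Consideration 2: a PSO applies to users and global security groups, never to an OU
$hrGroup = Get-ADGroup -Identity 'HR Employees'
if ($hrGroup.GroupScope -ne 'Global') {
    throw "PSOs apply only to users and global groups; '$($hrGroup.Name)' is $($hrGroup.GroupScope)"
}

# Every mandatory msDS-PasswordSettings attribute is supplied; the lowest Precedence wins
# when a user falls under more than one PSO. Values other than the length are assumed.
$pso = New-ADFineGrainedPasswordPolicy -Name 'HR-MinLength8' -Precedence 10 `
    -MinPasswordLength 8 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -PassThru

# Link the PSO to the group; the new length is enforced at the members' next password change
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $hrGroup

# Verify on one HR member: the resultant policy should be the PSO, not the domain default.
# For a non-HR user the same cmdlet returns nothing, meaning the Default Domain Policy applies.
$sample = Get-ADGroupMember -Identity $hrGroup |
    Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
if ($sample) {
    Get-ADUserResultantPasswordPolicy -Identity $sample.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength
}
```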
QUESTION 165
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named
Employees. All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited.
What should you do first?
A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
B. Modify the searchFlags property for the Name attribute in the Schema.
C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Admins OU.
D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We can do that by using auditpol.exe.
Reference:
http://technet.microsoft.com/en-us/library/cc731607.aspx
Auditing changes to objects in AD DS
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service
events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for
implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy
subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one
value, only the values that change as a result of the modify operation are logged.
(...)
Steps to set up auditing
This section includes procedures for each of the primary steps for enabling change auditing:
Step 1: Enable audit policy.
Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.
Step 1: Enable audit policy.
This step includes procedures to enable change auditing with either the Windows interface or a command line:
(...)
By using the Auditpol command-line tool, you can enable individual subcategories.
To enable the change auditing policy using a command line
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
auditpol /set /subcategory:"directory service changes" /success:enable
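Step 1 from the reference together with Step 2, the SACL on the Employees OU, and a query for the resulting Directory Service Changes events, as an added PowerShell example that is not part of the original question or the TechNet guide. The OU path and the one-day lookback are assumptions.

```powershell
# Added example: enable the subcategory, audit successful attribute writes on user
# objects under the Employees OU, then read the 5136 events a name change generates.
# Run on a domain controller as a Domain Admin.
Import-Module ActiveDirectory

# Step 1 (the command from the reference): success events for the subcategory
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Step 2: SACL entry on the OU. Everyone (S-1-1-0) writing any property of a user
# object below the OU is audited; the GUID is the schemaIDGUID of the user class.
$ouPath        = 'AD:\OU=Employees,' + (Get-ADDomain).DistinguishedName   # assumed OU
$everyone      = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl  = Get-Acl -Path $ouPath -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Detection: 5136 "A directory service object was modified" logs the attribute and,
# as the reference says, both the previous and the current value (one event each).
function Get-NameChangeAudit {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $nameAttributes = 'givenName', 'sn', 'displayName'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Admin     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Value     = $d.AttributeValue
            # OperationType %%14674 = value added (new value), %%14675 = value deleted (old value)
            Change    = if ($d.OperationType -eq '%%14674') { 'new' } else { 'old' }
        }
    } |
    Where-Object { $nameAttributes -contains $_.Attribute }
}

Get-NameChangeAudit | Sort-Object Time | Format-Table -AutoSize
```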
QUESTION 166
Your network contains an Active Directory forest named contoso.com. You need to provide a user named User1 with the ability to create and manage subnet
objects.
The solution must minimize the number of permissions assigned to User1.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control wizard.
B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.
C. From Active Directory Sites and Services, run the Delegation of Control wizard.
D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Adding the user to the Schema Admins group, or to the Network Configuration Operators group, would give User1 far more rights than needed. Since we have to delegate an
administrative task concerning subnets, we have to run the Delegation of Control wizard from Active Directory Sites and Services.
Reference below is for Windows Server 2003 R2, but is still valid for 2008 R2.
Reference:
http://technet.microsoft.com/en-us/library/cc736770.aspx
Delegate control of a site
To delegate control of a site
1. Open Active Directory Sites and Services.
2. Right-click the container whose control you want to delegate, and then click Delegate Control to start the Delegation of Control Wizard.
3. Follow the instructions in the Delegation of Control Wizard.
Notes
(...)
In Active Directory Sites and Services, you can delegate control for the subnets, intersite transports, sites, and server containers.
QUESTION 167
A corporate network contains a Windows Server 2008 R2 Active Directory forest.
You need to add a User Principal Name (UPN) suffix to the forest.
What tool should you use?
A. Dsmgmt.
B. Active Directory Domains and Trusts console.
C. Active Directory Users and Computers console.
D. Active Directory Sites and Services console.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/
Demonstration adding a UPN Suffix
To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu.
Right-click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the
forest.
QUESTION 168
Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has
two domain controllers named DC3 and DC4.
DC3 fails.
You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 and the domain controllers in Site1.
On DC4, you run repadmin.exe /kcc.
Replication between the sites continues to fail.
You need to ensure that Active Directory data replicates between the sites.
What should you do?
A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2.
B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead server.
C. From Active Directory Users and Computers, configure the NTDS settings of DC4.
D. From Active Directory Users and Computers, configure the location settings of DC4.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194
Bridgehead Servers
A bridgehead server is the domain controller designated by each site's KCC to take control of intersite replication. The bridgehead server
receives information replicated from other sites and replicates it to its site's other domain controllers. It ensures that the greatest portion of replication occurs within
sites rather than between them.
In most cases, the KCC automatically decides which domain controller acts as the bridgehead server.
However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps:
1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server.
2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.
3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead
server and then click Add.
QUESTION 169
Your network contains an Active Directory domain named contoso.com.
All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 Service Pack 1 (SP1). The functional level of the domain is Windows
Server 2003.
You need to configure SYSVOL to use DFS Replication.
Which tools should you use? (Each correct answer presents part of the solution. Choose two.)
A. Dfsrmig
B. Frsdiag
C. Ntdsutil
D. Set-ADForest
E. Repadmin
F. Set-ADDomainMode
G. DFS Management
Correct Answer: AF
Section: (none)
Explanation
Explanation/Reference:
Explanation:
First we need to raise the domain functional level, using Set-ADDomainMode. Once the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been raised to Windows Server 2008 (R2), we can migrate SYSVOL replication from the File Replication Service (FRS) of previous Windows Server versions to DFS Replication. We use Dfsrmig for that migration.
Reference 1:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 543
In versions of Windows Server prior to Windows Server 2008, the FRS was used to replicate the contents of SYSVOL between domain controllers. FRS has limitations in both capacity and performance that cause it to break occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 and Windows Server 2008 R2 domains, you have the option to use DFS-R to replicate the contents of SYSVOL.
Reference 2:
http://technet.microsoft.com/en-us/library/ee617230.aspx
Set-ADDomainMode
The Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by setting the DomainMode parameter.
The domain mode can be set to the following values that are listed in order of functionality from lowest to highest.
Windows2000Domain
Windows2003InterimDomain
Windows2003Domain
Windows2008Domain
Windows2008R2Domain
Reference 3:
http://technet.microsoft.com/en-us/library/dd639809.aspx
Migrating to the Prepared State
The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to
Distributed File System (DFS Replication).
This migration phase includes the tasks in the following list.
(...)
Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.
QUESTION 170
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You attempt to run adprep /domainprep and the operation fails. You discover that the first domain controller deployed to the forest failed.
You need to run adprep /domainprep successfully.
What should you do?
A. Move the domain naming master role.
B. Install a read-only domain controller (RODC).
C. Move the PDC emulator role.
D. Move the RID master role.
E. Move the infrastructure master role.
F. Deploy an additional global catalog server.
G. Move the bridgehead server.
H. Move the schema master role.
I. Restart the Active Directory Domain Services (AD DS) service.
J. Move the global catalog server.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Adprep /domainprep must be run on the server holding the Infrastructure Master role. The role was originally installed on the first domain controller in the forest.
Now it's down and another domain controller must get the Infrastructure Master role.
Reference 1:
http://technet.microsoft.com/en-us/library/cc754889.aspx
Planning Operations Master Role Placement
Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master
and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure
master, and PDC emulator) are assigned to the first domain controller created in a domain.
Reference 2:
http://technet.microsoft.com/en-us/library/dd464018.aspx
Adprep /domainprep Must be run on the infrastructure operations master for the domain.
QUESTION 171
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of client computers: "The time provider NtpClient was unable to find a domain controller to use as a time source.
NtpClient will try again in %1 minutes."
You need to ensure that the client computers can synchronize their clocks properly.
What should you do?
A. Move the domain naming master role.
B. Restart Active Directory Domain Services (AD DS) service.
C. Move the PDC emulator role.
D. Move the infrastructure master role.
E. Move the global catalog server.
F. Move the RID master role.
G. Move the bridgehead server.
H. Move the schema master role.
I. Deploy an additional global catalog server.
J. Install a read-only domain controller (RODC).
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
It could be that the server holding the PDC Emulator role has failed. Whatever the cause, we need to move the PDC Emulator role to another domain controller to
restore time synchronization in the domain.
Reference 1:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=14&EvtSrc=w32time&LCID=1033
Event ID
Message
The time provider NtpClient was unable to find a domain controller to use as a time source.
NtpClient will try again in %1 minutes.
Explanation
Windows Time Service is configured to use the domain hierarchy to locate its time source. It could not locate a domain controller that is a suitable time source. The
time service will continue to search for an acceptable domain controller. If the time service cannot locate a time source after the maximum number of attempts, the
Win32Time 49 message will be logged.
Reference 2:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 531
PDC Emulator Role
The PDC Emulator role performs multiple, crucial functions for a domain:
(...)
Provides a master time source for the domain - Active Directory, Kerberos, File Replication Service
(FRS), and Distributed File System Replication (DFS-R) each rely on timestamps, so synchronizing the time across all systems in a domain is crucial. The PDC
emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root
PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain's PDC emulator. All other domain members synchronize their
time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Win32Time service, ensures consistency
of time. Coordinated Universal Time (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer.
QUESTION 172
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The DNS zone for
contoso.com is Active Directory-integrated.
You deploy a read-only domain controller (RODC) named RODC1.
You install the DNS Server server role on RODC1.
You discover that RODC1 does not have any application directory partitions.
You need to ensure that RODC1 has a directory partition of contoso.com.
What should you do?
A. From DNS Manager, create secondary zones.
B. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter.
C. From DNS Manager, right-click RODC1 and click Update Server Data Files.
D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc742490.aspx
RODC Post-Installation Configuration
If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted
automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have
permissions to add or remove other DNS servers that are enlisted in the application directory partitions.
To enlist a DNS server in a DNS application directory partition
1. Open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:
dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com
QUESTION 173
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?
A. Credential Manager
B. Group Policy Management Editor
C. Active Directory Users and Computers
D. Active Directory Sites and Services
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use Active Directory Users and Computers to determine the value of the msDS-PSOApplied attribute of the specific group:
1. Open the Properties window for the group in Active Directory Users and Computers.
2. Click the Attribute Editor tab, and then click Filter
3. Ensure that the Show attributes/Optional check box is selected.
4. Ensure that the Show read-only attributes/Backlinks check box is selected.
5. Locate the value of msDS-PSOApplied in the Attributes list.
Reference:
http://technet.microsoft.com/en-us/library/cc754544.aspx
Defining the scope of fine-grained password policies
A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO: (...)
A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a
back-link to the PSO. Because the msDS-PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it.
As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msDS-PSOApplied attribute of the user and group
objects has a back-link to the PSO.
QUESTION 174
Your network contains an Active Directory domain named contoso.com.
You need to create one password policy for administrators and another password policy for all other users.
Which tool should you use?
A. Group Policy Management Editor
B. Group Policy Management Console (GPMC)
C. Authorization Manager
D. Ldifde
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-US/library/cc754461.aspx
Creating a PSO using ldifde
You can use the ldifde command as a scriptable alternative for creating PSOs.
To create a PSO using ldifde
1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf:
dn: CN=PSO1,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000
msDS-MinimumPasswordLength:8
msDS-PasswordHistoryLength:24
msDS-PasswordComplexityEnabled:TRUE
msDS-PasswordReversibleEncryptionEnabled:FALSE
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:0
msDS-PasswordSettingsPrecedence:20
msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.
3. Type the following command, and then press ENTER:
ldifde -i -f pso.ldf
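A scripted way to produce that LDIF file, added here as an example (it is not code from the question bank or from Microsoft), is a small PowerShell generator that turns readable time spans into the negative 100-nanosecond interval values the sample uses; the PSO name, DNs and file path are placeholders.

```powershell
# Added example, not part of the original question bank or of any Microsoft
# documentation: generate a PSO LDIF file from readable time spans so the
# I8 interval values in the sample above do not have to be typed by hand.
# AD stores PSO durations as negative counts of 100-nanosecond ticks:
# -1728000000000 is 2 days, -864000000000 is 1 day, -18000000000 is 30 minutes.
# All names, DNs and file paths below are placeholders.

function ConvertTo-PsoInterval {
    # A .NET TimeSpan already counts 100-ns ticks, so the PSO value is simply
    # the negated tick count.
    param([Parameter(Mandatory)][TimeSpan]$Duration)
    if ($Duration -lt [TimeSpan]::Zero) {
        throw "Duration must not be negative: $Duration"
    }
    return (-$Duration.Ticks).ToString()
}

function New-PsoLdif {
    # Returns the LDIF text for one msDS-PasswordSettings object that can be
    # imported with "ldifde -i -f <file>" (the tool used in the answer above).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,          # CN of the PSO
        [Parameter(Mandatory)][string]$DomainDN,      # e.g. DC=contoso,DC=com
        [Parameter(Mandatory)][string[]]$AppliesTo,   # user or group DNs
        [ValidateRange(1, 2147483647)][int]$Precedence = 20,
        [TimeSpan]$MaxPasswordAge = [TimeSpan]::FromDays(42),
        [TimeSpan]$MinPasswordAge = [TimeSpan]::FromDays(1),
        [ValidateRange(0, 255)][int]$MinLength = 8,
        [ValidateRange(0, 1024)][int]$HistoryLength = 24,
        [bool]$Complexity = $true,
        [ValidateRange(0, 2147483647)][int]$LockoutThreshold = 0,
        [TimeSpan]$LockoutWindow = [TimeSpan]::FromMinutes(30),
        [TimeSpan]$LockoutDuration = [TimeSpan]::FromMinutes(30)
    )
    # Same sanity rules the GUI enforces: minimum age shorter than maximum
    # age, and the observation window no longer than the lockout duration.
    if ($MinPasswordAge -ge $MaxPasswordAge) {
        throw 'MinPasswordAge must be shorter than MaxPasswordAge'
    }
    if ($LockoutWindow -gt $LockoutDuration) {
        throw 'LockoutWindow must not exceed LockoutDuration'
    }
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDN"
        'changetype: add'
        'objectClass: msDS-PasswordSettings'
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $MaxPasswordAge)"
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $MinPasswordAge)"
        "msDS-MinimumPasswordLength: $MinLength"
        "msDS-PasswordHistoryLength: $HistoryLength"
        "msDS-PasswordComplexityEnabled: $($Complexity.ToString().ToUpper())"
        'msDS-PasswordReversibleEncryptionEnabled: FALSE'
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $LockoutWindow)"
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutDuration)"
        "msDS-LockoutThreshold: $LockoutThreshold"
        "msDS-PasswordSettingsPrecedence: $Precedence"
    )
    # One msDS-PSOAppliesTo line per target; a PSO may apply to several.
    foreach ($dn in $AppliesTo) { $lines += "msDS-PSOAppliesTo: $dn" }
    return ($lines -join "`r`n") + "`r`n"
}

# Placeholder usage: a stricter policy for Domain Admins that wins over the
# precedence-20 policy from the sample (lower number = higher precedence).
$ldif = New-PsoLdif -Name 'PSO-Admins' -DomainDN 'DC=contoso,DC=com' `
    -AppliesTo 'CN=Domain Admins,CN=Users,DC=contoso,DC=com' `
    -Precedence 10 -MinLength 15 -MaxPasswordAge ([TimeSpan]::FromDays(30)) `
    -LockoutThreshold 5
$ldif | Set-Content -Path .\pso-admins.ldf -Encoding ascii
# Import with the page's own tool:  ldifde -i -f .\pso-admins.ldf
```

After the import, the msDS-PSOApplied back-link on the group (see the previous question) shows whether the PSO actually reached its target.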
QUESTION 175
Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains one domain. A two-way forest trust exists between
the forests.
You plan to add users from fabrikam.com to groups in contoso.com.
You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com.
To which group should you add the users?
A. Group 1: Security Group - Domain Local.
B. Group 2: Distribution Group - Domain Local.
C. Group 3: Security Group - Global.
D. Group 4: Distribution Group - Global.
E. Group 5: Security Group - Universal.
F. Group 6: Distribution Group - Universal.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc772808.aspx
Best practices for using security groups across forests
By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other forests. Consider the
following best practices:
To represent the sets of users who need access to the same types of resources, create role-based global groups in every domain and forest that contains these
users. For example, users in the Sales Department in ForestA require access to an order-entry application that is a resource in ForestB. Account Department users
in ForestA require access to the same application, but these users are in a different domain. In ForestA, create the global group SalesOrder and add users in the
Sales Department to the group.
Create the global group AccountsOrder and add users in the Accounting Department to that group.
To group the users from one forest who require similar access to the same resources in a different forest, create universal groups that correspond to the global
group roles. For example, in ForestA, create a universal group called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group.
To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use
these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called OrderEntryApp. Add this group to
the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions.
To implement access to a resource across a forest, add universal groups from trusted forests to the domain local groups in the trusting forests. For example, add
the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB.
QUESTION 176
Your network contains an Active Directory domain. The domain contains 5,000 user accounts. You need to disable all of the user accounts that have a description
of Temp. You must achieve this goal by using the minimum amount of administrative effort. Which tools should you use? (Each correct answer presents part of the
solution. Choose two.)
A. Find
B. Dsget
C. Dsmod
D. Dsadd
E. Net accounts
F. Dsquery
Correct Answer: CF
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Here we can use Dsquery to find the accounts that have "Temp" as their description and pipe it through to Dsmod to disable them. Should look like this:
dsquery user domainroot -desc "Temp" | dsmod user -disabled yes
Reference 1:
http://technet.microsoft.com/en-us/library/cc725702.aspx
Dsquery user
Finds users in the directory who match the search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
Syntax
dsquery user
Parameters
domainroot
Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a
node as the start node (<StartNode>). If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot.
-desc <Description>
Specifies the descriptions of the user objects you want to modify.
Remarks
The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as Dsget, Dsmod, Dsmove, or Dsrm.
Reference 2:
http://technet.microsoft.com/en-us/library/cc732954.aspx
Dsmod user
Modifies attributes of one or more existing users in the directory.
Syntax
dsmod user
Parameter
-disabled {yes | no} Specifies whether AD DS disables user accounts for logon. The available values are yes and no. Yes indicates that AD DS disables user accounts for logon and no indicates that AD DS does not disable user accounts for logon.
QUESTION 177
Your network contains an Active Directory domain. The domain contains two file servers. The file servers are configured as shown in the following table.
You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.
You configure the advanced audit policy.
You discover that the settings are not applied to Server1. The settings are applied to Server2. You need to ensure that access to the file shares on Server1 is
audited.
What should you do?
A. From Active Directory Users and Computers, modify the permissions of the computer account for Server1.
B. From GPO1, configure the Security Options.
C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.
D. On Server1, run secedit.exe and specify the /configure parameter.
E. On Server1, run auditpol.exe and specify the /set parameter.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/ff182311.aspx
What are the differences in auditing functionality between versions of Windows?
Basic audit policy settings are available in all versions of Windows since Windows 2000 and can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts. In Windows 7 and Windows Server 2008 R2, advanced audit policy settings can be configured and applied by using local and domain Group Policy settings.
Reference:
http://technet.microsoft.com/en-us/library/cc755264.aspx
Auditpol set
Sets the per-user audit policy, system audit policy, or auditing options.
QUESTION 178
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. Each
OU contains over 200 user accounts.
The Sales OU and the Engineering OU contain several user accounts that are members of a universal group named Group1.
You have a Group Policy object (GPO) linked to the domain. You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
A. Modify the Group Policy permissions.
B. Configure Restricted Groups.
C. Configure WMI filtering.
D. Configure the link order.
E. Enable loopback processing in merge mode.
F. Link the GPO to the Sales OU.
G. Configure Group Policy Preferences.
H. Link the GPO to the Engineering OU.
I. Enable block inheritance.
J. Enable loopback processing in replace mode.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
"GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the security filter and add groups containing everyone except group1 members (messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo (since deny will always win over allow)."
The reference below describes the opposite situation, where a GPO must be applied to only one group; here the GPO must be kept away from one group.
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286
Using Security Filtering to Modify GPO Scope
By now, you've learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.
Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer's OU), but the computer does not have Read and
Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO
so that its settings apply only to the computers and users you specify.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following steps:
4. Select the GPO in the Group Policy Objects container in the console tree.
5. In the Security Filtering section, select the Authenticated Users group and click Remove.
6. Click OK to confirm the change.
7. Click Add.
8. Select the group to which you want the policy to apply and click OK.
QUESTION 179
Your network contains an Active Directory domain.
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Finance organizational unit (OU) and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
What should you do?
A. Configure the link order.
B. Configure Restricted Groups.
C. Enable block inheritance.
D. Link the GPO to the Finance OU.
E. Enable loopback processing in merge mode.
F. Enable loopback processing in replace mode.
G. Link the GPO to the Human Resources OU.
H. Configure Group Policy Preferences.
I. Configure WMI filtering.
J. Modify the Group Policy permissions.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283
Precedence of Multiple Linked GPOs
An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs' link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.
Figure 6-10 GPO link order
The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration
GPO have precedence over these same settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO.
QUESTION 180
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS server for contoso.com.
You install the DNS server server role on a member server named server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as
the master server for the zone. You need to ensure that Server1 receives zone updates from DC1.
What should you do?
A. On DC1, modify the permissions of contoso.com zone.
B. On Server1, add a conditional forwarder.
C. Add the Server1 computer account to the DnsUpdateProxy group.
D. On DC1, modify the zone transfer settings for the contoso.com zone.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771652.aspx
Modify Zone Transfer Settings
You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.
To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to
servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
QUESTION 181
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Active Directory Sites And Services console
B. Ntdsutil
C. Dnslint
D. Nslookup
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc794809.aspx
Forcing Replication
When you need updates to be replicated sooner than the intersite replication schedule allows, or when replication between sites is impossible because of
configuration errors, you can force replication to and from domain controllers.
Forcing replication of all directory updates over a connection If you want to replicate certain updates, such as a significant addition of new passwords or user
accounts, to another domain controller in the domain, you can use the Replicate now option in the Active Directory Sites and Services snap-in to force replication of
all directory partitions over a connection object that represents inbound replication from a specific domain controller. A connection object for a server object that
represents a domain controller identifies the replication partner from which the domain controller receives replication. If the changes are made on one domain
controller, you can select the connection from that domain controller and force replication to its replication partner.
You can also use the Repadmin.exe command-line tool to replicate changes from a server to one or more other servers or to all servers.
ssniyer -- In the case where (Exam J, Q24) Repadmin is not an answer option, I will go with AD Sites and Services because it allows you to force AD replication across connection objects. Both DNSLint and nslookup are diagnostic tools. DNSLint is useful to make sure RRs are associated with the right services and nslookup for domain namespace resolution issues. There is no diagnostic need in this question.
Dnscmd is useful to administer/maintain a DNS server or zone using a command line tool. It is also the right tool to create Application Directory Partition. However, I don't see literature to suggest it as a good replication tool for AD integrated zones.
QUESTION 182
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers named DC1 and DC2. DC1 and DC2 are
configured as DNS servers and host the Active Directory-integrated zone for contoso.com.
From DNS Manager on DC1, you enable scavenging for the contoso.com zone.
You discover stale DNS records in the zone.
You need to ensure that the stale DNS records are deleted from contoso.com.
What should you do?
A. From DNS Manager, enable scavenging on DC1.
B. From DNS Manager, reload the zone.
C. Run dnscmd.exe and specify the ageallrecords parameter.
D. Run dnscmd.exe and specify the startscavenging parameter.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
According to TechNet the answer should be A ("From DNS Manager, enable scavenging on DC1"). Scavenging has been enabled for the zone, but it also needs to be enabled on the server.
Reference:
http://technet.microsoft.com/en-us/library/cc771677.aspx
Prerequisites for aging and scavenging
Before you can use the aging and scavenging features of DNS, several conditions must be met:
Scavenging and aging must be enabled, both at the DNS server and on the zone.
QUESTION 183
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is %1"
You need to ensure that the domain controllers can acquire new account-identifier pools successfully.
What should you do?
A. Move the domain naming master role.
B. Move the global catalog server.
C. Restart the Active Directory Domain Services (AD DS) service.
D. Deploy an additional global catalog server.
E. Move the infrastructure master role.
F. Move the PDC emulator role.
G. Install a read-only domain controller (RODC).
H. Move the RID master role.
I. Move the bridgehead server.
J. Move the schema master role.
Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
Explanation:
This error can occur when the server holding the RID master role is not available to provide a new RID pool.
Moving the RID master role to another domain controller will resolve this.
Reference:
http://technet.microsoft.com/en-us/library/cc756699.aspx
Event ID 16651 -- RID Pool Request
Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric
string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security
principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global
RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The
RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller
in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise
their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security
principals when their current RID pool becomes depleted.
Event Details
Message
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds.
The error is " %1 "
Resolve
Check connectivity to the RID master, and check its replication status
A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master.
Ensure that the RID master is online and replicating to other domain controllers.
QUESTION 184
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7
Professional.
The network contains an enterprise certification authority (CA). You enable key archival on the CA. The CA is configured to use custom certificate templates for
Encrypted File System (EFS) certificates.
All users plan to encrypt files by using EFS.
You need to ensure that the private keys for all new EFS certificates are archived.
Which snap-in should you use?
A. Share and Storage Management
B. Security Configuration wizard
C. Enterprise PKI
D. Active Directory Administrative Center
E. Certification Authority
F. Group Policy Management
G. Certificate Templates
H. Authorization Manager
I. Certificates
Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc753826.aspx
Configure a Certificate Template for Key Archival
The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are
issued based on this template. Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect
users from data loss, but it can also be useful when applied to other types of certificates.
To configure a certificate template for key archival and recovery
1. Open the Certificate Templates snap-in.
2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.
3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running
Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
4. In Template, type a new template display name, and then modify any other optional properties as needed.
5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.
6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to
automatically issue the certificate, also select the Autoenroll check box.
7. On the Request Handling tab, select the Archive subject's encryption private key check box.
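The check a PKI administrator would run before trusting the procedure above, as an added example that is not code from the page or from Microsoft: it lists the forest's certificate templates and flags the EFS-capable ones that do not require private-key archival. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later); the EKU OID and flag bit are given in the comments.

```powershell
# Added example, not code from the page: audit certificate templates for the
# "Archive subject's encryption private key" setting (question 184, step 7).
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# msPKI-Private-Key-Flag bit CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (MS-CRTD)
$RequirePrivateKeyArchival = 0x00000001
# Enhanced Key Usage OID for Encrypting File System
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-TemplateArchivalState {
    # Returns one row per template; pass display names to restrict the report.
    param([string[]]$TemplateName)
    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $templates = Get-ADObject -SearchBase $templatesDN `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Private-Key-Flag', pKIExtendedKeyUsage
    foreach ($t in $templates) {
        if ($TemplateName -and ($TemplateName -notcontains $t.displayName)) { continue }
        $flags = [int]$t.'msPKI-Private-Key-Flag'
        New-Object PSObject -Property @{
            Template        = $t.displayName
            IsEfsTemplate   = [bool]($t.pKIExtendedKeyUsage -contains $EfsEkuOid)
            ArchivesKey     = [bool]($flags -band $RequirePrivateKeyArchival)
            PrivateKeyFlags = ('0x{0:X8}' -f $flags)
        }
    }
}

# Templates that can issue EFS certificates but would NOT archive the key.
# Certificates already issued from such a template cannot be archived after
# the fact, which is why the template must be fixed before enrollment starts.
Get-TemplateArchivalState |
    Where-Object { $_.IsEfsTemplate -and -not $_.ArchivesKey } |
    Format-Table Template, ArchivesKey, PrivateKeyFlags -AutoSize
```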
QUESTION 185
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named
Employees. All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited.
What should you do first?
A. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy Object.
B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.
D. Modify the searchFlags property for the User class in the schema.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To audit changes made to objects in AD DS we have to use Directory Service Changes auditing, which indicates the old and new values of the changed properties
of the objects that were changed. DirectoryService Changes auditing is a subcategory of Audit directory service access, and is not enabled by default.
To use it we have to enable it first, and we can do that specifically for Directory Service Changes by using auditpol.exe, or we can use Group Policy Management to
enable Audit directory service access, which enables all subcategories, including Directory Service Changes. You do this by modifying the Default Domain
Controllers Policy.
Reference:
http://technet.microsoft.com/en-us/library/cc731607.aspx
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service
events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
This step includes procedures to enable change auditing with either the Windows interface or a command line:
By using Group Policy Management, you can turn on the global audit policy, Audit directory service access, which enables all the subcategories for AD DS auditing.
To enable the global audit policy using the Windows interface
1. Click Start, point to Administrative Tools, and then Group Policy Management.
2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click
Default Domain Controllers Policy, and then click Edit.
3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click
Audit Policy.
4. In the details pane, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Under Audit these attempts, select the Success, check box, and then click OK.
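The detection side of this question, as an added example that is not code from the page or from Microsoft: it enables the Directory Service Changes subcategory on one domain controller with auditpol.exe and then reads back the resulting 5136 events (directory object modified) that touched name attributes of users under the Employees OU. It assumes an elevated session on a domain controller; the OU distinguished name is an assumption.

```powershell
# Added example, not code from the page: enable Directory Service Changes on
# this DC and report 5136 events for user name changes under the Employees OU.
# Run elevated on a domain controller. The OU DN is an assumption.
$EmployeesOU = 'OU=Employees,DC=contoso,DC=com'

# auditpol acts on the single subcategory; the Default Domain Controllers
# Policy route from the answer enables all four AD DS subcategories at once.
# Events appear only for objects whose SACL also audits the write, so the
# policy alone is not sufficient.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

function Get-EmployeeNameChanges {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $nameAttrs = 'givenName', 'sn', 'displayName', 'cn', 'name'
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The EventData fields are only reachable through the event XML
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
        if ($d.ObjectClass -ne 'user') { continue }
        if ($d.ObjectDN -notlike "*,$EmployeesOU") { continue }
        if ($nameAttrs -notcontains $d.AttributeLDAPDisplayName) { continue }
        # OperationType is stored as a resource id: %%14674 = Value Added,
        # %%14675 = Value Deleted. A rename logs one of each for the attribute.
        $op = switch ($d.OperationType) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $_ } }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Operation = $op
            Value     = $d.AttributeValue
        }
    }
}

Get-EmployeeNameChanges | Sort-Object Time |
    Format-Table Time, Actor, Object, Attribute, Operation, Value -AutoSize
```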
QUESTION 186
Your network contains an Active Directory domain named contoso.com.
The Administrator deletes an OU named OU1 accidentally.
You need to restore OU1. Which cmdlet should you use?
A. Set-ADObject cmdlet.
B. Set-ADOrganizationalUnit cmdlet.
C. Set-ADUser cmdlet.
D. Set-ADGroup cmdlet.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/dd379509.aspx
Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
You can also restore a deleted Active Directory object by using the Get-ADObject and Restore- ADObject Active Directory module for Windows PowerShell
cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the
Restore-ADObject cmdlet.
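The Get-ADObject / Restore-ADObject approach carried through for the OU1 scenario, as an added example that is not code from the page or from Microsoft. It restores the OU first and then every object that was deleted with it, walking nested containers top-down, because a child cannot be restored while its parent is still a deleted object. It assumes the Active Directory Recycle Bin is enabled (without it, Restore-ADObject only reanimates a stripped tombstone) and the ActiveDirectory module on Windows Server 2008 R2.

```powershell
# Added example, not code from the page: restore the deleted OU "OU1" and its
# former contents from the AD Recycle Bin, parent before children.
# Assumes the Recycle Bin feature is enabled and the ActiveDirectory module.
Import-Module ActiveDirectory

function Restore-DeletedChildren {
    param([Parameter(Mandatory=$true)][string]$DeletedParentDN)
    # Children of a deleted container record the parent's *tombstone* DN
    # (e.g. "OU=OU1\0ADEL:<guid>,CN=Deleted Objects,DC=...") in lastKnownParent,
    # so the lookup has to use the DN as it was before the restore.
    $children = Get-ADObject -Filter { lastKnownParent -eq $DeletedParentDN } -IncludeDeletedObjects
    foreach ($child in $children) {
        $oldDN = $child.DistinguishedName
        Restore-ADObject -Identity $child.ObjectGUID
        Restore-DeletedChildren -DeletedParentDN $oldDN   # recurse into nested OUs/containers
    }
}

function Restore-DeletedOU {
    param([Parameter(Mandatory=$true)][string]$OUName)
    # Deleted objects are renamed "<name>\0ADEL:<guid>"; msDS-LastKnownRDN keeps
    # the original RDN, which makes it the reliable key to search on.
    $ou = Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(objectClass=organizationalUnit)(isDeleted=TRUE)(msDS-LastKnownRDN=$OUName))" `
        -Properties lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending | Select-Object -First 1   # most recent deletion wins
    if (-not $ou) { throw "No deleted OU named '$OUName' found in the Recycle Bin." }

    $oldDN = $ou.DistinguishedName
    # The parent goes first; its live DN is rebuilt from lastKnownParent.
    Restore-ADObject -Identity $ou.ObjectGUID
    Restore-DeletedChildren -DeletedParentDN $oldDN
    Get-ADOrganizationalUnit -Identity "OU=$OUName,$($ou.lastKnownParent)"
}

Restore-DeletedOU -OUName 'OU1'
```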
QUESTION 187
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.
You have a Group Policy Object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer
accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Modify the Group Policy Permission.
B. Configure WMI filtering.
C. Enable block inheritance.
D. Enable loopback processing in replace mode.
E. Configure the link order.
F. Configure Group Policy Preferences.
G. Link the GPO to the Human Resources OU.
H. Configure Restricted Groups.
I. Enable loopback processing in merge mode.
J. Link the GPO to the Finance OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or
organizational units from being automatically inherited by the child-level.
QUESTION 188
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering.
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings.
You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
A. Configure Restricted Groups.
B. Configure the link order.
C. Link the GPO to the Sales OU.
D. Link the GPO to the Engineering OU.
E. Enable loopback processing in merge mode.
F. Modify the Group Policy permissions.
G. Configure WMI Filtering.
H. Configure Group Policy Preferences.
I. Enable loopback processing in replace mode.
J. Enable block inheritance.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283
Precedence of Multiple Linked GPOs
An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs' link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.
Figure 6-10 GPO link order
The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO.
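The two GPMC operations from questions 187 and 188 done with the GroupPolicy module, as an added example that is not code from the page or from Microsoft, with a read-back of the precedence list the client will actually see. It assumes Windows Server 2008 R2's GroupPolicy module; OU distinguished names and GPO names are assumptions.

```powershell
# Added example, not code from the page: Block Inheritance on the Finance OU
# (question 187) and link-order precedence on the Sales OU (question 188).
# Assumes the GroupPolicy module; DNs and GPO names are assumptions.
Import-Module GroupPolicy
$FinanceOU = 'OU=Finance,DC=contoso,DC=com'
$SalesOU   = 'OU=Sales,DC=contoso,DC=com'

# Q187: keep the domain-linked GPO away from Finance. Block Inheritance is a
# blunt instrument: it drops every inherited GPO except those marked Enforced,
# so an Enforced domain GPO would still reach the OU.
Set-GPInheritance -Target $FinanceOU -IsBlocked Yes | Out-Null

# Q188: GPO1 and GPO2 are both linked to Sales; link order 1 has the highest
# precedence, so moving GPO1 to order 1 makes its conflicting settings win
# while all non-conflicting settings from both GPOs still apply.
Set-GPLink -Name 'GPO1' -Target $SalesOU -Order 1 | Out-Null

function Get-EffectiveGpoOrder {
    # Precedence as the client computes it for this container (lower Order wins).
    param([Parameter(Mandatory=$true)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    $inh.InheritedGpoLinks | ForEach-Object {
        New-Object PSObject -Property @{
            Order    = $_.Order
            GPO      = $_.DisplayName
            Enforced = $_.Enforced
            LinkedAt = $_.Target
        }
    } | Sort-Object Order
}

Get-EffectiveGpoOrder -Target $SalesOU   | Format-Table Order, GPO, Enforced, LinkedAt -AutoSize
Get-EffectiveGpoOrder -Target $FinanceOU | Format-Table Order, GPO, Enforced, LinkedAt -AutoSize
```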
QUESTION 189
Your network contains an Active Directory forest.
All users have a value set for the Department attribute.
From Active Directory Users and Computers, you search a domain for all users who have a Department attribute value of Marketing. The search returns 50 users.
From Active Directory Users and Computers, you search the entire directory for all users who have a Department attribute value of Marketing.
The search does not return any users.
You need to ensure that a search of the entire directory for users in the marketing department returns all of the users who have the Marketing Department attribute.
What should you do?
A. Install the Windows Search Service role service on a global catalog server.
B. From the Active Directory Schema snap-in modify the properties of the Department attribute.
C. Install the Indexing Service role service on a global catalog server.
D. From the Active Directory Schema snap-in modify the properties of the user class.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx
Global Catalog Partial Attribute Set
The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.
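The same schema change done with the ActiveDirectory module instead of the Schema snap-in, as an added example that is not code from the page or from Microsoft: it locates the department attributeSchema object by lDAPDisplayName and sets isMemberOfPartialAttributeSet on the schema master. It assumes Schema Admins membership and Windows Server 2008 R2.

```powershell
# Added example, not code from the page: add an attribute to the global catalog
# partial attribute set (question 189) with the ActiveDirectory module.
# Must run as a Schema Admin; schema writes are directed at the schema master.
Import-Module ActiveDirectory

function Set-GlobalCatalogAttribute {
    param(
        [Parameter(Mandatory=$true)][string]$LdapDisplayName,   # e.g. 'department'
        [bool]$Replicate = $true
    )
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw "Schema attribute '$LdapDisplayName' not found." }

    # Equivalent of the "Replicate this attribute to the global catalog" check box.
    # On a Windows Server 2003 or later forest functional level this does not
    # trigger a full GC resynchronisation; the new attribute replicates incrementally.
    Set-ADObject -Identity $attr -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $Replicate }
    Get-ADObject -Identity $attr -Server $schemaMaster -Properties isMemberOfPartialAttributeSet |
        Select-Object Name, isMemberOfPartialAttributeSet
}

Set-GlobalCatalogAttribute -LdapDisplayName 'department'
```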
QUESTION 190
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the
request succeeds. The error is " %1 ""
You need to ensure that the domain controllers can acquire new account-identifier pools successfully.
What should you do?
A. Move the PDC emulator role.
B. Move the schema master role.
C. Move the global catalog server.
D. Move the domain naming master role.
E. Move the infrastructure master role.
F. Move the RID master role.
G. Restart the Active Directory Domain Services (AD DS) service.
H. Deploy an additional global catalog server.
I. Move the bridgehead server.
J. Install a read-only domain controller (RODC).
Correct Answer: F
Section: (none)
Explanation
Explanation/Reference:
Explanation:
This error can occur when the server holding the RID master role is not available to provide a new RID pool.
Moving the RID master role to another domain controller will resolve this.
Reference:
http://technet.microsoft.com/en-us/library/cc756699.aspx
Event ID 16651 -- RID Pool Request
Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric
string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security
principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global
RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The
RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller
in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise
their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security
principals when their current RID pool becomes depleted.
Event Details
Message
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds.
The error is " %1 "
Resolve
Check connectivity to the RID master, and check its replication status
A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master.
Ensure that the RID master is online and replicating to other domain controllers.
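A health check for the condition behind Event ID 16651 (the RID pool text above, which the page quotes twice), as an added example that is not code from the page or from Microsoft. It finds the RID master, verifies it answers LDAP, decodes the forest-wide rIDAvailablePool and each domain controller's rIDAllocationPool, and reports how many RIDs each DC has left before it must request a new pool. It assumes the ActiveDirectory module on Windows Server 2008 R2 or later.

```powershell
# Added example, not code from the page: RID master reachability and per-DC RID
# pool status for the Event ID 16651 condition (questions 183 and 190).
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    # rIDAvailablePool and rIDAllocationPool are one 64-bit value each:
    # low 32 bits = first RID of the range, high 32 bits = last RID of the range.
    param([long]$Value)
    $low  = $Value -band 0xFFFFFFFF
    $high = ($Value - $low) / 4294967296
    New-Object PSObject -Property @{ Start = [long]$low; End = [long]$high }
}

function Get-RidPoolStatus {
    $domain    = Get-ADDomain
    $ridMaster = $domain.RIDMaster
    $masterUp  = $true
    try { Get-ADRootDSE -Server $ridMaster -ErrorAction Stop | Out-Null } catch { $masterUp = $false }

    $nextUnallocated = $null
    if ($masterUp) {
        # The domain-wide pool lives on the RID Manager object, authoritative on the RID master
        $mgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
            -Server $ridMaster -Properties rIDAvailablePool
        $nextUnallocated = (ConvertFrom-RidPool $mgr.rIDAvailablePool).Start
    }

    $perDc = foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            # Each DC's current block is on its own RID Set object; read it from that DC
            $ridSet = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) `
                -Server $dc.HostName -Properties rIDAllocationPool, rIDNextRID -ErrorAction Stop
        } catch { continue }   # unreachable DC, RODC, or a DC that never obtained a pool
        $pool = ConvertFrom-RidPool $ridSet.rIDAllocationPool
        New-Object PSObject -Property @{
            DC        = $dc.HostName
            PoolStart = $pool.Start
            PoolEnd   = $pool.End
            NextRid   = $ridSet.rIDNextRID
            Remaining = $pool.End - $ridSet.rIDNextRID   # a DC re-requests when this gets low
        }
    }

    New-Object PSObject -Property @{
        RidMaster          = $ridMaster
        RidMasterReachable = $masterUp
        NextUnallocatedRid = $nextUnallocated
        DomainControllers  = $perDc
    }
}

$status = Get-RidPoolStatus
$status | Select-Object RidMaster, RidMasterReachable, NextUnallocatedRid | Format-List
$status.DomainControllers | Format-Table DC, PoolStart, PoolEnd, NextRid, Remaining -AutoSize
```

A RID master that is unreachable here, or a DC whose Remaining column is exhausted while the master shows available pool, is the situation the event describes; dcdiag /test:RidManager gives the same verdict from the built-in tooling.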
QUESTION 191
Your network contains an Active Directory domain named contoso.com.
You need to create one password policy for administrators and another password policy for all other users.
Which tool should you use?
A. Ntdsutil
B. Active Directory Users and Computers
C. ADSI Edit
D. Group Policy Management Console (GPMC)
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-US/library/cc754461.aspx
Creating a PSO using ADSI Edit
Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can
use ADSI Edit to query, view, and edit AD DS objects and attributes.
To create a PSO using ADSI Edit
1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.
4. Double-click the domain.
5. Double-click DC=<domain_name>.
6. Double-click CN=System.
7. Click CN=Password Settings Container. All the PSO objects that have been created in the selected domain appear.
8. Right-click CN=Password Settings Container, click New, and then click Object.
9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
10. In Value, type the name of the new PSO, and then click Next.
11. Continue with the wizard, and enter appropriate values for all mustHave attributes.
QUESTION 192
Your network contains an Active Directory forest named contoso.com. You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?
A. Active Directory Sites and Services
B. Authorization Manager
C. Local Security Policy
D. ADSI Edit
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use ADSI Edit to determine the value of the msDS-PSOApplied attribute of the specific group:
1. Open the Properties window for the group in ADSI Edit
2. On the Attribute Editor tab click Filter
3. Ensure that the Show attributes/Optional check box is selected.
4. Ensure that the Show read-only attributes/Backlinks check box is selected.
5. Locate the value of msDS-PSOApplied in the Attributes list.
Reference:
http://technet.microsoft.com/en-us/library/cc754544.aspx
Defining the scope of fine-grained password policies
A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO: (...)
A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a
back-link to the PSO. Because the msDS-PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it.
As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msDS-PSOApplied attribute of the user and group
objects has a back-link to the PSO.
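The PSO work from questions 191 and 192 done with the ActiveDirectory module instead of ADSI Edit, as an added example that is not code from the page or from Microsoft: it creates a stricter policy for administrators, applies it to a group, reads the msDS-PSOApplied back-link back from that group, and resolves the policy that actually wins for one account. Policy values, the PSO name and the group name are assumptions; it assumes the domain functional level is Windows Server 2008.

```powershell
# Added example, not code from the page: create and apply a fine-grained password
# policy (question 191) and read msDS-PSOApplied back (question 192).
# Assumes the ActiveDirectory module; names and values are assumptions.
Import-Module ActiveDirectory

function New-AdminPasswordPolicy {
    param([string]$Name = 'PSO-Admins', [string]$GroupName = 'Domain Admins')
    # Lower Precedence wins when several PSOs apply to the same user.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 42) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    # PSOs can be applied to users and global security groups only, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
}

function Get-AppliedPasswordPolicies {
    # msDS-PSOApplied is the multi-valued back-link ADSI Edit shows (question 192).
    param([Parameter(Mandatory=$true)][string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName -Properties 'msDS-PSOApplied'
    foreach ($dn in $g.'msDS-PSOApplied') {
        Get-ADFineGrainedPasswordPolicy -Identity $dn |
            Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
    }
}

function Get-WinningPasswordPolicy {
    # Resultant policy for one account: the applicable PSO with the lowest
    # Precedence, or the domain default policy when no PSO applies.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
}

New-AdminPasswordPolicy
Get-AppliedPasswordPolicies -GroupName 'Domain Admins' | Format-Table -AutoSize
Get-WinningPasswordPolicy -SamAccountName 'administrator' | Format-List
```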
QUESTION 193
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Repadmin
B. Active Directory Domains and Trusts console
C. Ldp
D. Ntdsutil
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.
Reference:
http://technet.microsoft.com/en-us/library/cc811569.aspx
Forcing Replication
Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.
Force a replication event with all partners
The repadmin /syncall command synchronizes a specified domain controller with all replication partners.
Syntax
repadmin /syncall <DC> [<NamingContext>] [<Flags>]
Parameters
<DC>
Specifies the host name of the domain controller to synchronize with all replication partners.
<NamingContext>
Specifies the distinguished name of the directory partition.
<Flags>
Performs specific actions during the replication.
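The repadmin /syncall form carried through for an AD-integrated zone, as an added example that is not code from the page or from Microsoft: rather than syncing every partition, it finds which directory partition holds the zone's dnsZone object and pushes only that one to all partners, then shows the replication state for it. It assumes the ActiveDirectory module and repadmin.exe on a Windows Server 2008 R2 domain controller; the zone name is an assumption.

```powershell
# Added example, not code from the page: push the partition that stores a given
# AD-integrated zone to every replication partner (question 193).
# Assumes the ActiveDirectory module and repadmin.exe on the DC.
Import-Module ActiveDirectory

function Sync-DnsZonePartition {
    param(
        [Parameter(Mandatory=$true)][string]$ZoneName,
        [string]$DC = $env:COMPUTERNAME
    )
    $root = Get-ADRootDSE -Server $DC
    # AD-integrated zones live in one of three places depending on replication scope
    $candidates = @(
        "DC=DomainDnsZones,$($root.defaultNamingContext)",     # all DNS servers in this domain
        "DC=ForestDnsZones,$($root.rootDomainNamingContext)",  # all DNS servers in the forest
        $root.defaultNamingContext                             # legacy: CN=MicrosoftDNS,CN=System
    )
    foreach ($nc in $candidates) {
        $zone = Get-ADObject -Server $DC -SearchBase $nc `
            -LDAPFilter "(&(objectClass=dnsZone)(name=$ZoneName))" -ErrorAction SilentlyContinue
        if ($zone) {
            # /e = include partners across site links, /P = push from this DC (default is pull)
            repadmin /syncall $DC $nc /e /P
            # Read back: any partner with a failed last attempt still lacks the new records
            repadmin /showrepl $DC $nc
            return $nc
        }
    }
    throw "Zone '$ZoneName' was not found in any directory partition on $DC."
}

Sync-DnsZonePartition -ZoneName 'contoso.com' -DC 'DC1'
```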
QUESTION 194
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. The forest
contains two sites named Seattle and Denver. Both sites contain users, client computers, and domain controllers from both domains.
The Seattle site contains the first domain controller deployed to the forest. The Seattle site also contains the primary domain controller (PDC) emulator for both
domains. All of the domain controllers are configured as DNS servers. All DNS zones are replicated to all of the domain controllers in the forest.
The users in the Denver site report that it takes a long time to log on to their client computer when they use their user principal name (UPN). The users in the
Seattle site do not experience the same issue.
You need to reduce the amount of time it takes for the Denver users to log on to their client computer by using their UPN.
What should you do?
A. Reduce the cost of the site link between the Denver site and the Seattle site.
B. Enable the global catalog on a domain controller in the Denver site.
C. Enable universal group membership caching in the Denver site.
D. Move a PDC emulator to the Denver site.
E. Reduce the replication interval of the site link between the Denver site and the Seattle site.
F. Add an additional domain controller to the Denver site.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc728188.aspx
Common Global Catalog Scenarios
The following events require a global catalog server:
(...) User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:
1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.
2. (...)
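Enabling the global catalog on a Denver domain controller, as an added example that is not code from the page or from Microsoft: it sets the NTDSDSA_OPT_IS_GC bit on the DC's NTDS Settings object (what the Sites and Services check box does) and then lists which DCs in the site advertise as GCs. It assumes the ActiveDirectory module on Windows Server 2008 R2; the DC and site names are assumptions.

```powershell
# Added example, not code from the page: make a Denver DC a global catalog so
# UPN logons resolve locally (question 194). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Enable-GlobalCatalog {
    param([Parameter(Mandatory=$true)][string]$DCName)
    $dc   = Get-ADDomainController -Identity $DCName
    # The "options" attribute of the NTDS Settings object; bit 0 (NTDSDSA_OPT_IS_GC = 1)
    # is what the Global Catalog check box in Sites and Services toggles.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options
    if ($opts -band 1) { return "$DCName is already a global catalog" }
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
    # The DC advertises as a GC only after the partial replicas of the other
    # domains have replicated in, so IsGlobalCatalog may stay false for a while.
    "$DCName flagged as GC; waiting for partial replicas to replicate in"
}

function Get-SiteGlobalCatalogs {
    param([Parameter(Mandatory=$true)][string]$Site)
    Get-ADDomainController -Filter { Site -eq $Site -and IsGlobalCatalog -eq $true } |
        Select-Object HostName, Domain, Site
}

Enable-GlobalCatalog -DCName 'DENVER-DC1'
Get-SiteGlobalCatalogs -Site 'Denver'
# Clients find the GC through DNS, so the site-specific SRV record should appear too:
nslookup -type=SRV _gc._tcp.Denver._sites.contoso.com
```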
QUESTION 195
Your network contains two Active Directory forests named contoso.com and fabrikam.com.
Each forest contains a single domain.
A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.
Contoso.com contains a group named Group 1.
Fabrikam.com contains a server named Server1.
You need to ensure that users in Group1 can access resources on Server1.
What should you modify?
A. the permissions of the Group1 group
B. the UPN suffixes of the contoso.com forest
C. the UPN suffixes of the fabrikam.com forest
D. the permissions of the Server1 computer account
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Group1 must get the 'Allowed To Authenticate' permission on Server1, so I'd go for A, as given. Answer D may sound tempting, but it speaks of permissions of the
Server1 computer account.
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 643, 644
After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate--that is, the computer that trusted users will log on to or that
contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
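The three snap-in steps above as a script, added here as an example that is not code from the page or from Microsoft: it resolves Group1's SID over the trust, adds an Allowed-To-Authenticate ACE to Server1's computer object in fabrikam.com, and lists who currently holds that right so the grant can be reviewed. It assumes the ActiveDirectory module (its AD: drive) run in the fabrikam.com forest; the control access right GUID is the well-known one for Allowed-To-Authenticate.

```powershell
# Added example, not code from the page: grant and audit the Allowed To
# Authenticate right on a computer object under selective authentication
# (question 195). Assumes the ActiveDirectory module, run in fabrikam.com.
Import-Module ActiveDirectory

# Control access right GUID for Allowed-To-Authenticate
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerName  = 'Server1',
        [string]$GroupName     = 'Group1',
        [string]$TrustedDomain = 'contoso.com'
    )
    # Resolve the foreign group across the trust; only its SID goes into the ACE.
    $sid = (Get-ADGroup -Identity $GroupName -Server $TrustedDomain).SID
    $path = 'AD:\' + (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path $path
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AllowedToAuthenticateGrants {
    # Review: every principal that may authenticate to this computer across the trust
    param([string]$ComputerName = 'Server1')
    $path = 'AD:\' + (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticate -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Grant-AllowedToAuthenticate
Get-AllowedToAuthenticateGrants | Format-Table -AutoSize
```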
QUESTION 196
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. Users
in the Sales OU frequently log on to client computers in the Engineering OU.
You need to meet the following requirements:
All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the Engineering OU must be applied to sales users when they log on
to client computers in the Engineering OU.
Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log on to client computers in the Sales OU.
Policy settings in the GPOs linked to the Sales OU must not be applied to users in the Engineering OU.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
J. Link the GPO to the Engineering OU.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO's that are linked to the Sales OU and the Engineering
OU to be applied.
Reference 1:
http://technet.microsoft.com/en-us/library/cc782810.aspx
Loopback processing with merge or replace
Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in
replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to
any user logging on to a particular computer, regardless of their location in Active Directory.
Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives
user-related policy settings. Loopback with Replace--In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is
already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are
applied to the user.
Loopback with Merge--In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained,
as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after
the user's GPOs, they have precedence if any of the settings conflict.
Reference 2:
http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html
For a clear and easy explanation of Loopback Processing. Recommended!
Reference 3:
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028
Loopback Processing
When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The
same goes for domain policy application for computers.
There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or
server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop
environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer
objects.
To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User
Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in
Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied
to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the
computer-linked policies last.
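Loopback in merge mode set up for the Sales/Engineering scenario of question 196, as an added example that is not code from the page or from Microsoft: it writes the registry value behind the "Configure user Group Policy loopback processing mode" setting into a GPO and links that GPO where the Engineering computers live, which is what makes sales users receive both OUs' user settings only on those computers. It assumes the GroupPolicy module on Windows Server 2008 R2; the GPO name and OU distinguished name are assumptions.

```powershell
# Added example, not code from the page: enable loopback processing in Merge mode
# for computers in the Engineering OU (question 196). Assumes the GroupPolicy module.
Import-Module GroupPolicy

function Set-LoopbackMerge {
    param(
        [string]$GpoName       = 'Engineering-Loopback',
        [string]$EngineeringOU = 'OU=Engineering,DC=contoso,DC=com'
    )
    try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $GpoName }

    # Registry value the "Configure user Group Policy loopback processing mode"
    # policy writes under Computer Configuration: 1 = Merge, 2 = Replace.
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

    # Loopback is a computer-side setting, so the GPO is linked to the OU that
    # holds the Engineering *computers*. Sales users logging on there then get
    # their own Sales OU user settings first, with the Engineering OU user
    # settings appended (and winning on conflict); Sales OU GPOs never reach
    # Engineering users because they are not linked to that OU.
    try   { New-GPLink -Name $GpoName -Target $EngineeringOU -LinkEnabled Yes -ErrorAction Stop | Out-Null }
    catch { }   # link already exists

    # Read back what the GPO now carries
    Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' | Select-Object ValueName, Value, Type
}

Set-LoopbackMerge
```

After the next refresh, gpresult /r on an Engineering computer should list the loopback GPO under the computer settings and the Sales and Engineering user GPOs together for a sales user.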
QUESTION 197
You have an Active Directory domain named contoso.com.
You need to view the account lockout threshold and duration for the domain.
Which tool should you use?
A. Computer Management
B. Net Config
C. Active Directory Users and Computers
D. Gpresult
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
You can see the required settings when you:
1. Open Active Directory Users and Computers
2. Go to View in the menu bar and make sure "Advanced Features" is checked.
3. Right click on the domain and choose Properties
4. On the Attribute Editor tab click on Filter
5. Ensure that the Show attributes/Optional check box is selected.
6. In the Attributes list locate lockoutThreshold and lockoutDuration.
Played with the settings in the Group Policy Management Editor and the settings were reflected in the steps above every time.
QUESTION 198
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com. The contoso.com domain contains a
domain controller named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone transfers are encrypted.
What should you do?
A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rules and outbound rules by using Windows Firewall with
Advanced Security. Create a secondary zone on DC2 and select DC1 as the master.
B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=com naming context.
C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com naming context. Create a secondary zone on DC1 and select DC2
as the master.
D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a secondary zone on DC2 and select DC1 as the
master.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc781101.aspx
Securing DNS Zone Replication
Using Active Directory Replication
Replicating zones as part of Active Directory replication provides the following security benefits:
Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted automatically.
(...)
Reference:
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.
Reference:
http://www.nlnetlabs.nl/publications/dnssec_howto/
Example of the structure of DNSSEC records.
Reference:
http://www.efficientip.com/dnssec
It is important to note that DNSSEC does not supply a solution for data confidentiality but only a validation of DNS data authenticity and integrity. All information
exchanged is not encrypted; it is only the signature which is encrypted.
Reference:
http://technet.microsoft.com/en-us/library/ee649277.aspx
Zone transfers Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned zone. All of the resource records, including DNSSEC
resource records, are transferred from the primary server to the secondary servers with no additional setup requirements.
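The configuration that answer B describes, as an added example that is not code from the page or from Microsoft: it creates the zone as an AD-integrated primary stored in ForestDnsZones (so DC1 in contoso.com and DC2 in east.contoso.com both get it through encrypted AD replication), turns classic zone transfers off so AD replication is the only path, and reads both facts back over WMI. It assumes dnscmd.exe and the DNS WMI provider of Windows Server 2008 R2; zone and server names are assumptions.

```powershell
# Added example, not code from the page: forest-wide AD-integrated zone with
# zone transfers disabled (question 198). Assumes dnscmd.exe and the
# root\MicrosoftDNS WMI provider on the DNS server.

function New-ForestWideZone {
    param([string]$ZoneName = 'dev.contoso.com', [string]$DC = 'DC1')
    # /DsPrimary = store the zone in AD DS; /DP /forest = ForestDnsZones partition,
    # replicated to every DC running DNS in the forest, including east.contoso.com's.
    dnscmd $DC /ZoneAdd $ZoneName /DsPrimary /DP /forest
    # AXFR/IXFR would move the same data in clear text, so refuse it outright;
    # secondaries are not needed when every DNS server is a DC holding the partition.
    dnscmd $DC /ZoneResetSecondaries $ZoneName /NoXfr
}

function Test-ZoneReplicatesOnlyViaAD {
    param([Parameter(Mandatory=$true)][string]$ZoneName, [string]$DC = 'DC1')
    $z = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone `
        -ComputerName $DC -Filter "ContainerName='$ZoneName'"
    if (-not $z) { throw "Zone $ZoneName not found on $DC" }
    # SecureSecondaries: 0 = any server, 1 = NS records only, 2 = listed servers, 3 = none
    New-Object PSObject -Property @{
        Zone                 = $z.ContainerName
        DsIntegrated         = [bool]$z.DsIntegrated
        ZoneTransfersAllowed = ($z.SecureSecondaries -ne 3)
        # Signing the zone (DNSSEC, answer D) would not change either value:
        # it authenticates the data, it does not encrypt the transfer.
        OnlyViaADReplication = ([bool]$z.DsIntegrated -and $z.SecureSecondaries -eq 3)
    }
}

New-ForestWideZone
Test-ZoneReplicatesOnlyViaAD -ZoneName 'dev.contoso.com' | Format-List
```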
QUESTION 199
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Finance organizational unit (OU) and contain multiple
settings.
You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 200
A corporate network includes an Active Directory Domain Services (AD DS) forest that contains two domains. All servers run Windows Server 2008 R2. All domain
controllers are configured as DNS servers.
A standard primary zone for dev.contoso.com is stored on a member server. You need to ensure that all domain controllers can resolve names from the
dev.contoso.com zone.
What should you do?
A. On one domain controller, create a secondary zone.
B. On the member server, create a secondary zone.
C. On each domain controller, create a secondary zone.
D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 201
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains 10 domain controllers. The domain controllers run
Windows Server 2008 R2 and are configured as DNS servers.
You plan to create an Active Directory-integrated zone.
You need to ensure that the new zone is replicated to only four of the domain controllers.
What should you do first?
A. Create a new delegation in the ForestDnsZones application directory partition.
B. Create a new delegation in the DomainDnsZones application directory partition.
C. Use the dnscmd tool with the /zoneadd parameter.
D. Use the ntdsutil tool to add a naming context.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 202
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 has the DNS Server server role
installed and hosts an Active Directory-integrated zone for contoso.com. The no-refresh interval is set to three days and the refresh interval is set to 10 days.
The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the Exhibit button.)
You open the properties of a static record named Server1 as shown in the Server1 Record exhibit. (Click the Exhibit button.)
You discover that the scavenging process ran today, but the record for Server1 was not deleted. You run dnscmd.exe and specify the ageallrecords parameter. You
need to identify when the record for Server1 will be deleted from the zone.
In how many days will the record be deleted?
A. 7
B. 10
C. 17
D. 20
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 203
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Security Configuration Wizard (SCW)
D. Local Security Policy
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Fine-grained password policies are Password Settings Objects (PSOs) stored under CN=Password Settings Container,CN=System in the domain partition. With Advanced Features enabled, Active Directory Users and Computers shows that container, the msDS-PSOAppliesTo attribute of each PSO, and (through the Attribute Editor with backlinks shown) the msDS-PSOApplied attribute of a group, which lists the PSOs linked to it. Sites and Services, SCW and Local Security Policy do not expose PSOs at all.
QUESTION 204
Your network contains an Active Directory forest named contoso.com. The forest contains six domains.
You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of litwareinc.com when they create user accounts
by using Active Directory Users and Computers.
Which tool should you use?
A. New-ADObject
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Set-ADAccountControl
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc772007.aspx
To add UPN suffixes
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
4. Repeat step 3 to add additional alternative UPN suffixes.
QUESTION 205
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You
have a Group Policy object (GPO) linked to the domain. The GPO is used to deploy a number of software packages.
You need to ensure that the GPO is applied only to client computers that have sufficient free disk space.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
J. Link the GPO to the Engineering OU.
Correct Answer: F
Section: (none)
Explanation
Explanation/Reference:
QUESTION 206
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DS infrastructure is shown in the following graphic.
When the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Toronto Site domain controller.
You need to ensure that when the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Quebec City
Site domain controller.
What should you do?
A. Create a site link bridge between the Montreal Site and the Quebec City Site.
B. Create a registry entry on each client computer in the Montreal branch office.
C. Enable the global catalog role on the Montreal Site domain controller.
D. Delete the Toronto-Montreal Site Link.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 207
Your company has two Active Directory sites named New York and Los Angeles. When you disable IPv4 on a computer in the Los Angeles site, the computer
authenticates by using a domain controller in the New York site.
You need to ensure that IPv6-only computers in the Los Angeles site authenticate to domain controllers in the same site.
What should you do?
A. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router in the Los Angeles site.
B. Create Active Directory Domain Services connection objects between the two sites.
C. Create Active Directory subnet objects for the Los Angeles site.
D. Configure the NTDS Site Settings object for the Los Angeles site.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 208
A corporate network contains a Windows Server 2008 R2 Active Directory forest. You need to add a user principal name (UPN) suffix to the forest.
Which tool should you use?
A. Active Directory module for Windows PowerShell
B. Active Directory Administrative Center console
C. Active Directory Sites and Services console
D. Active Directory Users and Computers console
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
UPN suffixes are a forest-wide setting (the uPNSuffixes attribute on the Partitions container). Of the tools listed, only the Active Directory module can add one: Set-ADForest -Identity contoso.com -UPNSuffixes @{Add='litwareinc.com'}. The GUI equivalent is Active Directory Domains and Trusts (see question 204), which is not offered here. Administrative Center, Sites and Services and Users and Computers can only select a suffix that already exists.
QUESTION 209
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain
controller (RODC).
You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?
A. Repadmin
B. Get-ADAccountResultantPasswordReplicationPolicy
C. Active Directory Sites and Services
D. Get-ADFineGrainedPasswordPolicy
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 210
You have an Active Directory domain named contoso.com.
You need to view the account lockout threshold and duration for the domain.
Which tool should you use?
A. Get-ItemProperty
B. Active Directory Domains and Trusts
C. Net User
D. Gpresult
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 211
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain
controller (RODC). You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?
A. Repadmin
B. Dcdiag
C. Get-ADAccountResultantPasswordReplicationPolicy
D. Active Directory Sites and Services
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 212
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2.
The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1.
You install the DNS Server server role on RODC1.
You discover that RODC1 does not have any DNS application directory partitions. You need to ensure that RODC1 has a copy of the DNS application directory
partition of contoso.com.
What should you do?
A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.
B. From DNS Manager, create primary zones.
C. Run ntdsutil.exe. From the Partition Management context, run the create nc command.
D. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The zone is already Active Directory-integrated, so the default DNS application directory partitions (DomainDnsZones and ForestDnsZones) already exist; an RODC cannot create partitions anyway, because that requires a writable domain controller. What RODC1 lacks is a replica of those partitions, which is added by enlisting it: dnscmd RODC1 /EnlistDirectoryPartition DomainDnsZones.contoso.com, and the same for ForestDnsZones.contoso.com. Creating primary zones would produce separate, non-replicated copies, and ntdsutil create nc would try to create a new partition rather than replicate the existing one.
QUESTION 213
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You
have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings.
You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
J. Link the GPO to the Engineering OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
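Questions 199, 205 and 213 turn on two Group Policy mechanisms: link order (the link with the lowest order number on a container is applied last and therefore wins conflicts, while every non-conflicting setting from both GPOs still applies) and WMI filtering (the GPO is skipped on computers where the query returns no rows). The following PowerShell is an added example, not part of the exam dump or of any Microsoft documentation it quotes. It assumes the GroupPolicy module (GPMC) is installed, that GPO1 and GPO2 are linked to an OU with the distinguished name OU=Sales,DC=contoso,DC=com, and a 10 GB free-space threshold; all of those names are assumptions.

```powershell
# Added example: fix a GPO conflict by link order, and test the WMI query a
# disk-space filter would use. GPO names, OU DN and the 10 GB threshold are assumptions.
Import-Module GroupPolicy

$ou = 'OU=Sales,DC=contoso,DC=com'

function Show-LinkOrder {
    # Lists the GPOs linked to a container. Order 1 is applied last, so it wins conflicts.
    param([string]$Target)
    Get-GPInheritance -Target $Target |
        Select-Object -ExpandProperty GpoLinks |
        Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
}

Write-Output 'Link order before the change:'
Show-LinkOrder -Target $ou

# Put GPO1 first. Both GPOs stay linked, so non-conflicting settings in GPO2 still apply;
# block inheritance or loopback would change which GPOs apply, not their precedence.
Set-GPLink -Name 'GPO1' -Target $ou -Order 1

Write-Output 'Link order after the change:'
Show-LinkOrder -Target $ou

# WMI filter query for a software-deployment GPO: apply only where C: has at least 10 GB free.
# This is the text that goes into the GPMC WMI filter (root\CIMv2 namespace); test it locally first.
$query = "SELECT FreeSpace FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace >= 10737418240"
$hits = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $query)
if ($hits.Count -gt 0) {
    Write-Output 'This computer matches the filter: the GPO would be applied.'
} else {
    Write-Output 'This computer does not match the filter: the GPO would be skipped.'
}
```

A WMI filter is evaluated on every policy refresh by the client, so a machine that later drops below the threshold simply stops receiving the GPO; it is not a one-time gate at deployment.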
QUESTION 214
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?
A. Ntdsutil
B. Dcdiag
C. Repadmin
D. Get-ADAccountResultantPasswordReplicationPolicy
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Ntdsutil has no password replication policy commands, and Dcdiag only tests DC health. Repadmin does: repadmin /prp view RODC1 allow and repadmin /prp view RODC1 deny list the accounts and groups on the Allowed and Denied lists, and repadmin /prp view RODC1 reveal lists the accounts whose secrets are already cached on the RODC. Get-ADAccountResultantPasswordReplicationPolicy answers the question for one named account at a time (Allow or Deny), which is useful for verification but does not enumerate accounts. Question 234 on this page is the same scenario.
QUESTION 215
Your network contains four domain controllers. The domain controllers are configured as shown in the following table.
All of the domain controllers are configured to host an Active Directory-integrated zone for their respective domain.
A GlobalNames zone is deployed in the fabrikam.com forest.
You add a canonical (CNAME) record named Server1 to the GlobalNames zone.
You discover that users in the contoso.com forest cannot resolve the name Server1. The users in fabrikam.com can resolve the name Server1.
You need to ensure that the contoso.com users can resolve names in the GlobalNames zone.
What should you do? (Each correct answer presents part of the solution. Choose two.)
A. Run dnscmd.exe and specify the globalnamesqueryorder parameter on CONT-DC1 and CONT-DC2.
B. Add service location (SRV) records named _globalnames to the _msdcs.contoso.com zone.
C. Run dnscmd.exe and specify the enableglobalnamessupport parameter on CONT-DC1 and CONT-DC2.
D. Run dnscmd.exe and specify the globalnamesqueryorder parameter on FABR-DC1 and FABR-DC2.
E. Run dnscmd.exe and specify the enableglobalnamessupport parameter on FABR-DC1 and FABR-DC2.
F. Add service location (SRV) records named _globalnames to the _msdcs.fabrikam.com zone.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 216
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Repadmin
B. Ldp
C. Dnscmd
D. Ntdsutil
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Records in an Active Directory-integrated zone are objects in the DomainDnsZones or ForestDnsZones application partition, so they reach the other DNS servers through Active Directory replication, not through zone transfer. repadmin /syncall DC1 /AdeP forces an immediate replication of every partition from DC1 to all of its partners, across sites. Ntdsutil manages partitions, FSMO roles and database maintenance; it does not trigger replication, and Dnscmd /ZoneRefresh only applies to secondary zones.
QUESTION 217
Your network contains an Active Directory domain. The domain contains two file servers. The file servers are configured as shown in the following table.
You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.
You configure the advanced audit policy as shown in the exhibit. (Click the Exhibit button.)
You discover that the settings are not applied to Server1. The settings are applied to Server2.
You need to ensure that access to the file shares on Server1 is audited.
What should you do?
A. On Server1, run secedit.exe and specify the /configure parameter.
B. On Server1, run auditpol.exe and specify the /set parameter.
C. From GPO1, configure the Security Options.
D. From Active Directory Users and Computers, modify the permissions of the computer account for Server1.
E. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 218
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The HR department has a dedicated organizational unit (OU) named HR.
The HR OU has two sub-OUs: HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer accounts for the HR
department reside in the HR Computers OU. All HR department employees belong to a security group named HR Employees. All HR department computers belong
to a security group named HR PCs.
Company policy requires that passwords are a minimum of six characters.
You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least eight characters. The
password length requirement should not change for employees of any other department.
What should you do?
A. Modify the local security policy on each computer in the HR PCs group.
B. Create a fine-grained password policy and apply it to the HR Employees group.
C. Create a new GPO, with the necessary password policy, and link it to the HR Computers OU.
D. Create a fine-grained password policy and apply it to the HR Computers OU.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Password settings for domain accounts are read only from Group Policy linked at the domain level; a GPO linked to the HR Computers OU (C) or the local security policy of those computers (A) changes the policy only for local accounts on those machines. To give one set of domain users a different policy you create a fine-grained password policy (a Password Settings Object) and apply it to a global security group such as HR Employees (B). PSOs can be linked only to users and global security groups, never to OUs (D). Question 220 on this page is the same scenario.
QUESTION 219
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. Server1 has a shared folder named
Profiles.
You plan to create a new user template named User_Template. You need to ensure that when you copy User_Template, the new user account has a unique profile
folder created in the Profiles share.
Which value should you specify for the profile path?
A. %Userprofile%\Server1\profiles
B. \\Server1\profiles\%username%
C. \\Server1\%userprofile%\
D. \\Server1\profiles\username
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 220
A corporate network includes a single Active Directory Domain Services (AD DS) domain.
The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs: HR Users and HR Computers. User accounts for the HR
department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a
security group named HR Employees. All HR department computers belong to a security group named HR PCs.
Company policy requires that passwords are a minimum of six characters.
You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least eight characters. The
password length requirement should not change for employees of any other department.
What should you do?
A. Create a fine-grained password policy and apply it to the HR Computers OU.
B. Modify the password policy in the GPO that is applied to the domain controllers OU.
C. Create a fine-grained password policy and apply it to the HR Employees group.
D. Modify the password policy in the GPO that is applied to the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 221
A user attempts to join a computer to the domain, but the attempt fails. You need to ensure that the user can join fifty computers to the domain. You must ensure that
the user is denied any additional rights beyond those required to complete the task.
What should you do?
A. Prestage each computer account in the Active Directory domain.
B. Deploy a Group Policy Object (GPO) that modifies the user rights settings.
C. Add the user to the Domain Administrators group for one day.
D. Deploy a Group Policy object (GPO) that modifies the Restricted Groups settings.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 222
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named
Employees. All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited.
What should you do first?
A. Use the Auditpol.exe command-line tool to enable the directory services access auditing subcategory.
B. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy Object.
C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
D. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We can do that by using auditpol.exe.
Reference:
http://technet.microsoft.com/en-us/library/cc731607.aspx
Auditing changes to objects in AD DS
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service
events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for
implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy
subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one
value, only the values that change as a result of the modify operation are logged.
(...)
Steps to set up auditing
This section includes procedures for each of the primary steps for enabling change auditing:
Step 1: Enable audit policy.
Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.
Step 1: Enable audit policy.
This step includes procedures to enable change auditing with either the Windows interface or a command line:
(...)
By using the Auditpol command-line tool, you can enable individual subcategories.
To enable the change auditing policy using a command line
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
auditpol /set /subcategory:"directory service changes" /success:enable
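The two steps quoted above (enable the subcategory, then add audit entries to the object SACLs) can both be scripted. The following PowerShell is an added example, not part of the exam dump or of the Microsoft article it cites. It assumes it runs elevated on a domain controller with the Active Directory module, that the user accounts live in OU=Employees,DC=contoso,DC=com, and that a user named Jane Doe exists there; all of those are assumptions. It audits Everyone for WriteProperty on descendant user objects, which is what makes a rename by an administrator produce event ID 5136 with the old and new attribute values.

```powershell
# Added example: enable "Directory Service Changes" and put a Success audit
# entry for attribute writes on user objects in an OU. OU DN, domain and the
# sample user are assumptions.
Import-Module ActiveDirectory

$ouDn = 'OU=Employees,DC=contoso,DC=com'

# Step 1: the subcategory, not the legacy "Audit directory service access" category.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
auditpol /get /subcategory:"Directory Service Changes"

# Step 2: the SACL. Without an audit entry on the object, the enabled subcategory logs nothing.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$everyone      = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$acl  = Get-Acl -Path "AD:\$ouDn" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)        # inherit only onto user objects below the OU
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl   # needs SeSecurityPrivilege, hence the elevated session

# Step 3: verify. Renaming an employee must now show up as event 5136 on this DC.
Rename-ADObject -Identity "CN=Jane Doe,$ouDn" -NewName 'Jane Smith'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

The 5136 event is written on the domain controller that serviced the write, so in a multi-DC domain collect the Security log from every DC (or forward it) rather than looking only at the one you tested against.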
QUESTION 223
Your network contains an Active Directory domain. The domain contains four domain controllers.
You create a new application directory partition.
You need to ensure that the new application directory partition replicates to only three of the domain controllers.
Which tool should you use?
A. Active Directory Administrative Center
B. Dsamain
C. Dsmod
D. Ntdsutil
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The replica set of an application directory partition is managed with Ntdsutil: in the partition management context, run add nc replica <partition DN> <server> once for each domain controller that should hold the partition (and remove nc replica to take one away). Active Directory Administrative Center edits users, groups and OUs; Dsamain mounts database snapshots; Dsmod modifies existing objects. None of them can change where a partition replicates.
QUESTION 224
Your network contains an Active Directory domain named contoso.com. All domain controllers run a Server Core installation of Windows Server 2008 R2.
You need to identify which domain controller holds the PDC emulator role.
Which tool should you run?
A. Get-AdOptionalFeature
B. netdom.exe
C. Search-AdAccount
D. dsrm.exe
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The FSMO role holders can be easily found by use of the Netdom command. On any domain controller, click Start, click Run, type CMD in the Open box, and then
click OK. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name of YOUR domain).
Note:
The five FSMO roles [in Windows 2003] are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC Emulator - Domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.
QUESTION 225
Your network contains an Active Directory domain named contoso.com. You need to ensure that when computers are joined manually to the domain by using the
System Properties, the computer account of the computers is created automatically in an organizational unit (OU) named NewComputers.
Which command should you run?
A. dsmgmt.exe
B. redircmp.exe
C. csvde.exe
D. computerdefaults.exe
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 226
A corporate network includes an Active Directory Domain Services (AD DS) forest that contains two domains. All servers run Windows Server 2008 R2. All domain
controllers are configured as DNS servers.
A standard primary zone for dev.contoso.com is stored on a member server. You need to ensure that all domain controllers can resolve names from the
dev.contoso.com zone.
What should you do?
A. On one domain controller, create a stub zone. Configure the stub zone to replicate to all DNS servers in the forest.
B. On one domain controller, create a stub zone. Configure the stub zone to replicate to all DNS servers in the domain.
C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.
D. On the member server, create a secondary zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 227
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You have a member server named Server1.
Both DC1 and Server1 have the DNS Server server role installed.
On DC1, you create an Active Directory-integrated zone named adatum.com.
You need to ensure that Server1 receives a copy of the zone.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Create a secondary zone on Server1.
B. Modify the zone type of adatum.com.
C. Modify the Zone Transfers settings of adatum.com.
D. Add Server1 to the DNSUpdateProxy group.
E. Create a primary zone on Server1.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 228
Your company has one main office and four branch offices.
The main office contains a standard primary DNS zone named adatum.com. Each branch office contains a copy of the adatum.com zone.
When records are added to the adatum.com zone, you discover that it takes up to one hour before the changes replicate to each zone in the branch offices.
You need to minimize the amount of time it takes for the records to be updated in the branch offices.
What should you do?
A. On the DNS server in the main office, configure the Notify settings.
B. On the DNS servers in the branch offices, configure the Notify settings.
C. On the DNS servers in the branch offices, configure the Zone Aging/Scavenging Properties.
D. On the DNS server in the main office, configure the Zone Aging/Scavenging Properties.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
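Questions 216, 227 and 228 are three faces of one job: getting zone data from where it is authored to every server that should answer for it. The following PowerShell is an added example, not part of the exam dump. It assumes Windows Server 2008 R2 (so dnscmd rather than the later DnsServer module), an AD-integrated zone adatum.com on DC1.contoso.com at 10.0.0.10, a member DNS server Server1.contoso.com at 10.0.0.20, and that the script runs with DNS and AD administrator rights; every name and address is an assumption.

```powershell
# Added example: publish an AD-integrated zone to a member server as a secondary,
# restrict and NOTIFY the transfer, and force AD replication for the DCs.
# Zone, server names and addresses are assumptions.
$zone        = 'adatum.com'
$primaryDc   = 'DC1.contoso.com'
$primaryIp   = '10.0.0.10'
$secondary   = 'Server1.contoso.com'
$secondaryIp = '10.0.0.20'

# Primary side (question 227 option C, question 228 option A): transfers only to Server1,
# and notify Server1 as soon as the zone changes instead of waiting for the SOA refresh timer.
dnscmd $primaryDc /ZoneResetSecondaries $zone /SecureList $secondaryIp /NotifyList $secondaryIp

# Secondary side (question 227 option A): a secondary zone that pulls from DC1.
dnscmd $secondary /ZoneAdd $zone /Secondary $primaryIp

# The other DCs do not transfer the zone at all; they replicate the partition (question 216).
repadmin /syncall $primaryDc /AdeP

function Get-ZoneSerial {
    # Returns the SOA serial a server answers with for the zone, or $null if it has no copy.
    param([string]$Server, [string]$Zone)
    $text = nslookup -type=SOA $Zone $Server 2>&1 | Out-String
    if ($text -match 'serial\s*=\s*(\d+)') { return [int64]$Matches[1] }
    return $null
}

# Equal serials mean the transfer landed; a lower serial on the secondary means it is still stale.
$p = Get-ZoneSerial -Server $primaryDc -Zone $zone
$s = Get-ZoneSerial -Server $secondary -Zone $zone
"Primary serial {0}, secondary serial {1}, in sync: {2}" -f $p, $s, ($p -eq $s)
```

Restricting transfers with /SecureList matters as much as enabling them: a zone that transfers to any requester hands an attacker a complete host inventory, which is why the exam's "modify the Zone Transfers settings" step is not optional hardening but part of the correct answer.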
QUESTION 229
Your network contains an Active Directory domain named contoso.com.
The network contains a public key infrastructure (PKI).
You deploy a new certificate revocation list (CRL) distribution point (CDP) to a server named Server1.
You discover that users cannot download delta CRLs from Server1.
You verify that the users can download the complete CRL successfully.
You need to ensure that the users can download delta CRLs from Server1.
Which command should you run?
A. Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
B. Appcmd set config "Certificates" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:False
C. Certutil -setreg CA\CRLDeltaPeriod "Days"
D. Certutil -setreg CA\CRLOverlapPeriod "Days"
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
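The reason behind the correct answer is worth spelling out: a delta CRL file name ends in "+.crl" (for example "Contoso CA+.crl"), the client fetches it with the plus sign percent-encoded as %2B, and IIS request filtering treats a URL whose decoded form still contains an escape-looking sequence as "double escaped" and refuses it with a 404 unless allowDoubleEscaping is enabled for that site. The following PowerShell is an added example, not part of the exam dump. It assumes the WebAdministration module on the CDP server, the site name Default Web Site, a CA named "Contoso CA" and a CDP URL under http://server1.contoso.com/CertEnroll/; all of those are assumptions.

```powershell
# Added example: enable allowDoubleEscaping on the CDP site and prove that both
# the base CRL and the delta CRL (name contains "+") download and parse.
# Site name, CA name and URL are assumptions.
Import-Module WebAdministration

$site   = 'Default Web Site'
$filter = '/system.webServer/security/requestFiltering'
$path   = "IIS:\Sites\$site"

# Show the current value, then switch it on (this is what the appcmd answer does).
Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name allowDoubleEscaping
Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name allowDoubleEscaping -Value $true

function Test-CrlDownload {
    # Downloads a CRL and returns $true only if certutil can parse it, so an HTML
    # 404 page or an empty response is reported as a failure, not a success.
    param([string]$Url)
    $tmp = [IO.Path]::GetTempFileName()
    try {
        (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
        $null = certutil -dump $tmp
        return ($LASTEXITCODE -eq 0)
    } catch {
        return $false
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$base = 'http://server1.contoso.com/CertEnroll/'
"Base CRL  : {0}" -f (Test-CrlDownload ($base + 'Contoso%20CA.crl'))
"Delta CRL : {0}" -f (Test-CrlDownload ($base + 'Contoso%20CA%2B.crl'))   # "+" encoded as %2B
```

Scope the change to the CDP site only (option B in the question applies it to the wrong site and turns it off); allowing double escaping on an application that maps URLs to file paths widens its attack surface, which is exactly why the default is off.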
QUESTION 230
Your network contains an Active Directory domain named contoso.com. You need to create one password policy for administrators and another password policy for
all other users.
Which tool should you use?
A. Group Policy Management Editor
B. Authorization Manager
C. Dsadd
D. Ldifde
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-US/library/cc754461.aspx
Creating a PSO using ldifde
You can use the ldifde command as a scriptable alternative for creating PSOs.
To create a PSO using ldifde
1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf:
dn: CN=PSO1,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000
msDS-MinimumPasswordLength:8
msDS-PasswordHistoryLength:24
msDS-PasswordComplexityEnabled:TRUE
msDS-PasswordReversibleEncryptionEnabled:FALSE
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:0
msDS-PasswordSettingsPrecedence:20
msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.
3. Type the following command, and then press ENTER:
ldifde -i -f pso.ldf
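The ldifde route above is the scriptable one the reference gives; on Windows Server 2008 R2 the Active Directory module does the same with cmdlets, and it also answers the related questions on this page (218 and 220: a longer password only for HR; 203: which PSOs apply to a group; 210: the domain's lockout threshold and duration). The following PowerShell is an added example, not part of the exam dump or of the Microsoft article quoted above. It assumes the domain functional level is at least Windows Server 2008, the groups HR Employees and Domain Admins exist, and a user named hruser1 is a member of HR Employees; the PSO names, precedences and values are assumptions.

```powershell
# Added example: one PSO for administrators, one for HR, plus the checks that show
# what actually applies. Group names, PSO names, precedences and values are assumptions.
Import-Module ActiveDirectory

# PSOs require Windows Server 2008 domain functional level or higher.
(Get-ADDomain).DomainMode

# The domain-wide defaults (question 210): lockout threshold and duration included.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Administrators: long passphrase, short lifetime, lowest precedence number so it wins.
New-ADFineGrainedPasswordPolicy -Name 'Admin-PSO' -Precedence 10 -MinPasswordLength 15 `
    -ComplexityEnabled $true -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 42) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admin-PSO' -Subjects 'Domain Admins'

# HR: eight characters instead of the six required elsewhere (questions 218 and 220).
# A PSO is linked to users or global security groups, never to an OU.
New-ADFineGrainedPasswordPolicy -Name 'HR-PSO' -Precedence 20 -MinPasswordLength 8 `
    -ComplexityEnabled $true -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'HR-PSO' -Subjects 'HR Employees'

# Which PSOs are linked to a group (question 203): the msDS-PSOApplied backlink.
(Get-ADGroup -Identity 'HR Employees' -Properties 'msDS-PSOApplied').'msDS-PSOApplied'

# What a member actually gets. A PSO linked directly to the user beats any group PSO;
# among group PSOs the lowest Precedence wins; with no PSO the domain default applies.
Get-ADUserResultantPasswordPolicy -Identity 'hruser1' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The new length takes effect at the next password change, as the questions require; existing six-character passwords are not invalidated until then, so pair the PSO with a forced change (the ChangePasswordAtLogon flag) if that window matters.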
QUESTION 231
Your network contains an Active Directory domain named contoso.com. All domain controllers run a Server Core installation of Windows Server 2008 R2.
You need to identify which domain controller holds the PDC emulator role.
Which tool should you run?
A. Get-AdForest
B. Netdom.exe
C. Get-AdOptionalFeature
D. Query.exe
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 232
Your network contains an Active Directory forest named contoso.com. The forest contains one domain. The domain contains three domain controllers. The domain
controllers are configured as shown in the following table.
DC2 fails and cannot be recovered.
Several weeks later, administrators report that they can no longer create new users and groups in the domain.
You need to ensure that the administrators can create new users and groups.
What should you add?
A. the RID master role to DC3
B. the schema master role to DC1
C. the infrastructure master role to DC1
D. the domain naming master role to DC3
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 233
Your network contains an Active Directory domain. The domain contains eight domain controllers.
You need to verify that all the domain controllers can connect to the time server.
Which command should you run?
A. netdom.exe query fsmo
B. dcdiag.exe /e /test:Topology
C. repadmin.exe /showrepl *
D. dcdiag.exe /a
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 234
Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain
controller (RODC).
You need to identify the user accounts that can be cached on the RODC server.
Which utility should you use?
A. Dsmod.exe
B. Repadmin.exe
C. Active Directory Domains and Trusts
D. Active Directory Sites and Services
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
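Questions 209, 211, 214 and 234 all ask what an RODC knows about accounts: who has authenticated through it, whose secrets it has cached, and whose it is allowed to cache. Those are the four views of repadmin /prp (auth2, reveal, allow, deny), and the Active Directory module on Windows Server 2008 R2 exposes the same data as objects. The following PowerShell is an added example, not part of the exam dump. It assumes an RODC named RODC1 and users under OU=Employees,DC=contoso,DC=com; both are assumptions.

```powershell
# Added example: the RODC Password Replication Policy from four angles.
# RODC name and OU DN are assumptions. Equivalent repadmin commands are in the comments.
Import-Module ActiveDirectory

$rodc = 'RODC1'

# Who has authenticated through this RODC (repadmin /prp view RODC1 auth2).
# Accounts here that are not cached were forwarded to a writable DC over the WAN.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Whose secrets are actually stored on it (repadmin /prp view RODC1 reveal).
# This is the list that is compromised if the RODC hardware is stolen.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# The policy itself (repadmin /prp view RODC1 allow / deny).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

function Get-CacheableAccounts {
    # Resolves the resultant policy per user: Deny wins over Allow, so a user who is in
    # an allowed group but also in Denied RODC Password Replication Group is not cacheable.
    param([string]$Rodc, [string]$SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $_ -DomainController $Rodc
        New-Object PSObject -Property @{
            SamAccountName = $_.SamAccountName
            Resultant      = "$result"
        }
    } | Where-Object { $_.Resultant -eq 'Allow' }
}

Get-CacheableAccounts -Rodc $rodc -SearchBase 'OU=Employees,DC=contoso,DC=com' |
    Format-Table SamAccountName, Resultant -AutoSize
```

Review the reveal list against the allow list periodically: an account that was cached while it was in an allowed group stays cached after it is removed from the group until you purge it (repadmin /prp delete), and privileged accounts must never appear in the reveal list at all.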
QUESTION 235
Your network contains an Active Directory domain named contoso.com. The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click
the Exhibit button.)
You need to update the Host (A) record for a domain controller in the domain.
What should you do?
A. Restart the Netlogon service.
B. Restart the DNS Client service.
C. Run sc.exe and specify the triggerinfo parameter.
D. Run ipconfig.exe and specify the /registerdns parameter.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 236
Your company has two offices. The offices are located in Miami and London. The network contains an Active Directory forest named contoso.com. The forest
contains two child domains named miami.contoso.com and london.contoso.com. The domain contains 50 domain controllers that run Windows Server 2008 R2.
Each office is configured as an Active Directory site.
You plan to deploy several read-only domain controllers (RODCs) to the Miami site.
You need to pre-create the computer accounts of the RODCs.
What should you do?
A. Run the dsadd.exe command.
B. Run the nltest.exe command.
C. Run the Set-AdDomain cmdlet.
D. Run the dsmove.exe command.
E. Run the dcpromo.exe command.
F. Run the Move-AdDirectoryServer cmdlet.
G. Use the Active Directory Schema snap-in.
H. Use the Active Directory Users and Computers console.
Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 237
Your network contains an Active Directory forest named contoso.com. The forest contains 10 domains. Each domain contains 50 domain controllers that run
Windows Server 2008 R2. The domain functional level is Windows Server 2008.
You need to raise the domain functional level of all the domains to Windows Server 2008 R2.
What should you do?
A. Run the dsadd.exe command.
B. Run the nltest.exe command.
C. Run the Set-AdDomain cmdlet.
D. Run the dsmove.exe command.
E. Run the dcpromo.exe command.
F. Run the Move-AdDirectoryServer cmdlet.
G. Use the Active Directory Schema snap-in.
H. Use the Active Directory Users and Computers console.
Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 238
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains two domain controllers named
DC1 and DC2 that run Windows Server 2008 R2. DC1 is configured as the infrastructure master for contoso.com.
You need to move the infrastructure master role from DC1 to DC2.
What should you do?
A. Run the dsadd.exe command.
B. Run the nltest.exe command.
C. Run the Set-AdDomain cmdlet.
D. Run the dsmove.exe command.
E. Run the dcpromo.exe command.
F. Run the Move-AdDirectoryServer cmdlet.
G. Use the Active Directory Schema snap-in.
H. Use the Active Directory Users and Computers console.
Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 239
Your network contains an Active Directory forest named contoso.com. The forest contains two domains. All domain controllers are configured as global catalog
servers.
The forest root domain contains five domain controllers. The domain controllers are configured as shown in the following table.
You plan to create a custom attribute in Active Directory that will replicate to all of the global catalog servers.
You need to identify which domain controller must be online to perform the planned action.
Which domain controller should you identify?
A. DC1
B. DC2
C. DC3
D. DC4
E. DC5
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 240
Your network contains an Active Directory domain. The domain is configured as shown in the following table.
Users in Branch2 sometimes authenticate to a domain controller in Main. You need to ensure that users in Branch2 only authenticate to the domain controllers in
Branch1.
What should you do?
A. On DC1 and DC2, set the AutoSiteCoverage value to 1.
B. On DC1 and DC2, set the AutoSiteCoverage value to 0.
C. On DC3, set the AutoSiteCoverage value to 0.
D. On DC3, set the AutoSiteCoverage value to 1.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 241
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named
Employees. All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited.
What should you do first?
A. Use the Auditpol.exe command-line tool to enable the directory services access auditing subcategory.
B. Use the Auditpol.exe command-line tool to enable the directory services changes auditing subcategory.
C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Admins OU.
D. Modify the searchFlags property for the Name attribute in the schema.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The Directory Service Changes subcategory (events 5136 to 5139) records which attribute was modified together with its old and new values, which is what auditing a name change requires. Directory Service Access (options A and C) only records that an object was accessed, without the values. Enabling the subcategory is the first step; afterwards a SACL must be set on the Employees OU (Write Property on user objects, for the administrators) so that only those changes generate entries. Option D (searchFlags) controls indexing and confidentiality of the attribute, not auditing.
QUESTION 242
You have Active Directory Certificate Services (AD CS) deployed.
You have a Version 1 certificate template.
You need to ensure that all of the computers in the domain automatically enroll for a certificate based on the certificate template.
What should you do?
A. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.
D. In a Group Policy object (GPO), configure the autoenrollment settings.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 243
Your network contains an Active Directory domain named contoso.com. All domain controllers run a Server Core installation of Windows Server 2008 R2.
You need to identify which domain controller holds the PDC emulator role.
Which tool should you run?
A. Get-ADDomain
B. Query.exe
C. Netsh.exe
D. Search-ADAccount
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Get-ADDomain
Gets an Active Directory domain.
Example output (see the PDCEmulator line at the end):
Get-ADDomain
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=Fabrikam,DC=com
DeletedObjectsContainer : CN=Deleted Objects,DC=Fabrikam,DC=com
DistinguishedName : DC=Fabrikam,DC=com
DNSRoot : Fabrikam.com
DomainControllersContainer : OU=Domain Controllers,DC=Fabrikam,DC=com
DomainMode : Windows2003Domain
DomainSID : S-1-5-21-41432690-3719764436-1984117282
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com
Forest : Fabrikam.com
InfrastructureMaster : Fabrikam-DC1.Fabrikam.com
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Fabrikam,DC=com}
LostAndFoundContainer : CN=LostAndFound,DC=Fabrikam,DC=com
ManagedBy :
Name : Fabrikam
NetBIOSName : FABRIKAM
ObjectClass : domainDNS
ObjectGUID : b63b4f44-58b9-49cf-8911-b36e8575d5eb
ParentDomain :
PDCEmulator : Fabrikam-DC1.Fabrikam.com
Etc...
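The question only asks for the PDC emulator, but in practice you want all five role holders in one view before touching any of them. The following is an added example written for this page, not code from the original dump; it assumes the ActiveDirectory module is installed on the Server Core DC and that the caller can read the domain and forest objects.

```powershell
# Added example, not from the original dump: enumerate all five FSMO role holders
# for contoso.com. Assumes the ActiveDirectory module is installed (on Server Core
# 2008 R2: the .NET, PowerShell and AD module features) and that the caller can
# read the domain and forest objects.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$DomainName = 'contoso.com')

    # Domain-wide roles are attributes of the domain object...
    $domain = Get-ADDomain -Identity $DomainName
    # ...forest-wide roles are attributes of the forest object.
    $forest = Get-ADForest -Identity $domain.Forest

    $domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster,
        @{ Name = 'SchemaMaster';       Expression = { $forest.SchemaMaster } },
        @{ Name = 'DomainNamingMaster'; Expression = { $forest.DomainNamingMaster } }
}

# Just the PDC emulator, as the question asks:
(Get-ADDomain -Identity 'contoso.com').PDCEmulator

# All five roles, worth capturing before any transfer or seizure:
Get-FsmoRoleHolder -DomainName 'contoso.com' | Format-List

# Cross-check with a tool that needs no PowerShell module (also fine on Server Core):
netdom query /domain:contoso.com fsmo
```

The netdom line is there because the two sources can disagree after a failed seizure; if they do, the fSMORoleOwner attributes read through Get-ADDomain/Get-ADForest are what the directory actually believes.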
QUESTION 244
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain
controller (RODC). You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?
A. Get-ADAccountResultantPasswordReplicationPolicy
B. Get-ADFineGrainedPasswordPolicy
C. Dcdiag
D. Repadmin
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Repadmin with the /prp view switch reads the RODC's password replication policy data: the auth2 list shows accounts that have authenticated to the RODC, and the reveal list shows accounts whose secrets are currently cached on it. Get-ADAccountResultantPasswordReplicationPolicy (A) only tells you whether a given account is allowed or denied caching; Dcdiag and the fine-grained password policy cmdlets do not track authentication attempts.
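The auth2 and reveal lists are most useful side by side: an account that authenticated but is not cached forwards every logon to a writable DC across the WAN. This added example (not part of the original dump) compares the two; it assumes an RODC named RODC1 in litwareinc.com, and its line filter assumes repadmin prints one distinguished name per line, as it does on Windows Server 2008 R2.

```powershell
# Added example, not from the original dump: which accounts have authenticated
# through an RODC, and which of them are actually cached there. Assumes an RODC
# named RODC1 in litwareinc.com; the DN-matching regex assumes repadmin prints one
# distinguished name per line (Windows Server 2008 R2 output format).
$rodc = 'RODC1.litwareinc.com'

function Get-RodcPrpList {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][ValidateSet('auth2', 'reveal')][string]$List
    )
    # auth2  = accounts that have authenticated to this RODC
    # reveal = accounts whose secrets are currently cached on this RODC
    repadmin /prp view $Server $List |
        Where-Object { $_ -match '^\s*CN=' -and $_ -notmatch 'NTDS Settings' } |
        ForEach-Object { $_.Trim() }
}

$authenticated = @(Get-RodcPrpList -Server $rodc -List 'auth2')
$cached        = @(Get-RodcPrpList -Server $rodc -List 'reveal')

"Accounts that authenticated via $rodc :"
$authenticated

# Authenticated but not cached: every logon still goes to a writable DC over the WAN.
# Decide per account whether to add it to the Allowed RODC Password Replication Group
# or deliberately leave it uncached (privileged accounts belong in the Denied group).
$authenticated | Where-Object { $cached -notcontains $_ } |
    ForEach-Object { "Authenticated but not cached: $_" }
```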
QUESTION 245
Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six
characters.
You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters
long.
You create an Active Directory Fine Grained Password Policy.
What should you do next?
A. From the Default Domain Policy, modify the password policy.
B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
C. Run the Set-ADDomain cmdlet.
D. From the Default Domain Controller Policy, modify the password policy.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 246
Your network contains an Active Directory forest named contoso.com. The forest contains three domains named contoso.com, child1.contoso.com, and
child2.contoso.com. The child1.contoso.com domain contains five domain controllers. The domain controllers are configured as shown in the following table.
You plan to decommission the child1.contoso.com domain.
You need to identify which two FSMO roles can be moved from child1.contoso.com to child2.contoso.com.
Which two FSMO roles should you identify? (Each correct answer presents part of the solution.
Choose two.)
A. Domain naming master
B. Schema master
C. Infrastructure master
D. PDC emulator
E. RID master
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Forestwide Operations Master Roles
The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest; they can be transferred to a domain controller in any domain of the forest. The three domain-wide roles (RID master, PDC emulator, infrastructure master) exist once per domain and cannot be moved to a domain controller in another domain; when child1.contoso.com is decommissioned they are retired with it.
Note:
* Operations Master Roles
The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest and three domain-level roles are assigned to the first domain controller created in a domain.
* The five FSMO roles are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC emulator - Domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.
QUESTION 247
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2008 R2.
Server1 has a file share named Share1.
You plan to configure the audit policy settings of Server1 by using a Group Policy object (GPO). You need to ensure that entries are generated in the Event Log
when the users in a group named Group1 successfully access or fail to access the files in Share1. The event entries must show the specific operation each user
attempted. The solution must minimize the number of audit entries in the Event Log.
Which Object Access audit policy should you configure?
A. Audit File Share
B. Audit Detailed File Share
C. Audit File System
D. Audit Other Object Access Events
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Audit File System generates event 4663 only for objects whose SACL names the principal, so a SACL on the Share1 folder for Group1 limits the entries to that group, and the event's Accesses field records the specific operation (ReadData, WriteData, Delete, and so on). Audit File Share (A) logs only the connection to the share (event 5140), not what was done. Audit Detailed File Share (B) does record the requested access (event 5145) but for every access to every share and cannot be scoped by SACL, so it produces far more entries.
QUESTION 248
You deploy a certification authority (CA) named CA1. CA1 will be used to issue a large number of temporary certificates to provide users with access to public
wireless access points (WAPs).
You create a certificate template named Template1. You enable the Do not store certificates and requests in the CA database option.
You need to configure CA1 to ensure that certificate requests and issued certificates for Template1 are not stored in the CA database.
Which command should you run?
A. certutil -setreg DBFlags +DBFLAGS_MAXCACHESIZEX100
B. certutil -setreg DBFlags +DBFLAGS_CREATEIFNEEDED
C. certutil -setreg DBFlags -DBFLAGS_LOGBUFFERSHUGE
D. certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The template option "Do not store certificates and requests in the CA database" is honoured only if the CA itself has volatile requests enabled; without DBFLAGS_ENABLEVOLATILEREQUESTS the CA ignores the template flag and persists everything. The setting is read when the CA service starts, so certsvc must be restarted after the change.
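Both halves of the configuration can be checked from the CA. This is an added example for this page, not code from the original dump; it assumes the CA is CA1 and the template is Template1 (both from the question) and that it runs on CA1 with CA administrator rights.

```powershell
# Added example, not from the original dump: enable volatile requests on CA1 and
# check both halves of the configuration. Assumes the template is named Template1
# and this runs on CA1 as a CA administrator with the ActiveDirectory module present.

# 1. CA side: the leading + adds the bit to DBFlags without clearing the other bits.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
# DBFlags is read when the service starts.
Restart-Service -Name certsvc
certutil -getreg DBFlags

# 2. Template side: "Do not store certificates and requests in the CA database" is
#    bit CT_FLAG_DONOTPERSISTINDB (0x1000) of msPKI-Enrollment-Flag on the template.
Import-Module ActiveDirectory
$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $templatesDn -LDAPFilter '(cn=Template1)' `
                    -Properties 'msPKI-Enrollment-Flag'
$flags = [int]$tpl.'msPKI-Enrollment-Flag'
if ($flags -band 0x1000) { 'Template1: requests and certificates will not be persisted' }
else                     { 'Template1: DONOTPERSISTINDB is NOT set; fix the template too' }
```

Keep in mind what you give up: a certificate that is not in the CA database cannot be revoked from the CA console, so this is only appropriate for the short-lived certificates the question describes.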
QUESTION 249
Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit. (Click
the Exhibit button.)
You need to ensure that DNS records can only be updated by the computer that registered the record.
What should you do first?
A. Modify the Dynamic updates setting.
B. Create a trust anchor.
C. Modify the zone type.
D. Modify the Advanced properties of the DNS server.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
"Secure only" dynamic updates, where the ACL on each record lets only the computer that registered it change it, are available only for Active Directory-integrated zones; for a standard (file-backed) primary zone the Dynamic updates drop-down offers only None and Nonsecure and secure. The zone type therefore has to be changed first, and only then can Dynamic updates be set to Secure only. Trust anchors (B) belong to DNSSEC validation and do not control updates.
QUESTION 250
You have an enterprise subordinate certification authority (CA).
You have a group named Group1.
You need to ensure that members of Group1 can revoke certificates.
What should you do?
A. Add Group1 to the Certificate Publishers group.
B. Assign the Issue and Manage Certificates permission to Group1.
C. Assign the Manage CA permission to Group1.
D. Add Group1 to the local Administrators group.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Revoking (as well as issuing, denying and unrevoking) certificates is the Certificate Manager role, which is granted by the Issue and Manage Certificates permission on the CA's Security tab and can be further restricted to particular templates on the Certificate Managers tab. Manage CA (C) is the CA Administrator role, which covers CA configuration but not certificate operations. The local Administrators group does hold both permissions by default, so D would work, but it hands Group1 full control of the server rather than the single right the question asks for. Certificate Publishers (A) only allows publishing certificates and CRLs to Active Directory.
QUESTION 251
Your network contains an Active Directory domain. The domain is configured as shown in the following table.
Users in Branch2 sometimes authenticate to a domain controller in Branch1.
You need to ensure that users in Branch2 only authenticate to the domain controllers in Main.
What should you do?
A. On DC3, set the AutoSiteCoverage value to 1.
B. On DC1 and DC2, set the AutoSiteCoverage value to 0.
C. On DC1 and DC2, set the AutoSiteCoverage value to 1.
D. On DC3, set the AutoSiteCoverage value to 0.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Branch2 has no domain controller of its own, so domain controllers in other sites register site-specific SRV records for it through automatic site coverage. With AutoSiteCoverage set to 0 on DC3, the Branch1 domain controller, DC3 no longer registers records for Branch2, so the DC locator returns only the Main domain controllers for clients in that site.
http://technet.microsoft.com/en-us/library/cc787491%28v=ws.10%29.aspx
Parameters\AutoSiteCoverage
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Description: Specifies whether the system can add sites to the coverage area of this domain controller.
Domain controllers cover, that is, provide services to, the site in which they reside and to other sites listed in the value of the entry SiteCoverage. In addition, when the value of AutoSiteCoverage is 1, the system can add sites that do not have domain controllers to this domain controller's coverage area.
The sites added to the domain controller's coverage are stored in memory, and a new list is assembled each time the Net Logon service starts or when Netlogon is notified of site object changes. While Net Logon runs, it updates this list at an interval specified by the value of the entry DnsRefreshInterval.
...
http://technet.microsoft.com/en-us/library/cc749944.aspx
Planning Active Directory for Branch Office
..
Disabling AutoSiteCoverage Registration in DNS
Another situation that requires configuration of SRV records results from not having a domain controller in a particular site. This may happen because there are no users needing constant logon access, or because replication to the site might be too expensive or too slow. To ensure that a domain controller can be located in the site closest to a client computer, if not the same site, Windows 2000 automatically attempts to register a domain controller in every site by using an "autositecoverage" algorithm. The algorithm determines how one site can "cover" another site when no domain controller exists in the second site. By default, the process uses the replication topology.
The algorithm works as follows. Each domain controller checks all sites in the forest and then checks the replication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its site has the lowest-cost connections. This process ensures that every site has a domain controller even though its domain controller may not be located in that site. The domain controllers that are published in DNS are those from the closest site (as defined by the replication topology).
In the branch office scenario, any computer from other sites should not discover branch office domain controllers. A client should always communicate with a local domain controller, and if that is not available, use a domain controller in the hub site. To achieve this:
1. Disable AutoSiteCoverage on all of the domain controllers, not only for the branch domain controllers, but also hub domain controllers.
2. Do not register generic records as described above.
If both of these configurations (1. and 2.) are performed, then all-site clients will discover the local domain controller if it is available, or its hub domain controller (if no local domain controller is available).
In the unusual scenario when a site with a domain controller for some domain is closer to another site than the central hub, the administrator has the ability to configure that domain controller with the specific ("close") sites to be covered using the following registry values: SiteCoverage, GcSiteCoverage. Alternatively, the administrator can use the following Group Policy settings:
Sites Covered by the domain controller Locator DNS SRV Records
Sites Covered by the global catalog server Locator DNS SRV Records
Sites Covered by the NDNC Locator DNS SRV Records
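The registry change is small, but the verification step matters more than the change itself: the site-specific SRV record is what the DC locator actually reads. This added example (written for this page, not taken from the dump) sets the value remotely and then checks DNS; it assumes PowerShell remoting is enabled on the DCs, that the site is named Branch2 and the domain is contoso.com, and it uses the DC names from the question.

```powershell
# Added example, not from the original dump: set AutoSiteCoverage on DC3 and verify
# that Branch2 clients now locate only the Main DCs. Assumes PowerShell remoting is
# enabled on the DCs, a site named Branch2 and the domain contoso.com.
function Set-AutoSiteCoverage {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Value -ScriptBlock {
        param($v)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $key -Name 'AutoSiteCoverage' -Value $v -Type DWord
        # Netlogon deregisters its SRV records on stop and rebuilds the coverage list
        # on start, so the change takes effect without waiting for DnsRefreshInterval.
        Restart-Service -Name Netlogon
        New-Object PSObject -Property @{
            Computer         = $env:COMPUTERNAME
            AutoSiteCoverage = (Get-ItemProperty -Path $key).AutoSiteCoverage
        }
    }
}

# Q251: stop the Branch1 DC from covering Branch2.
# (For Q240 the targets would be DC1 and DC2 instead.)
Set-AutoSiteCoverage -ComputerName 'DC3' -Value 0

# Branch2 has no DC of its own, so its site-specific SRV record lists the covering DCs.
# After the change only the Main DCs should be returned here.
nslookup -type=SRV _ldap._tcp.Branch2._sites.dc._msdcs.contoso.com

# The same control exists as a Group Policy setting (Computer Configuration >
# Administrative Templates > System > Net Logon > DC Locator DNS Records >
# "Automated Site Coverage by the DC Locator DNS SRV Records"); a policy value
# takes precedence over the value set directly in the Parameters key.
```

If the old record for Branch2 still shows DC3 after the restart, the record was not deregistered (for example because the DC was shut down uncleanly earlier); delete it by hand in the _msdcs zone or let scavenging remove it.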
QUESTION 252
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com.
The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller namedDC2. DC1 and DC2 have
the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone transfers are encrypted. What should you do?
A. Create a primary zone on DC1 and store the zone in a zone file. Configure IPSec on DC1 and DC2. Create a secondary zone on DC2 and select DC1 as the
master.
B. Create a primary zone on DC1 and store the zone in the
DC=DomainDNSZones,DC=Contoso,DC=com naming context. Create a secondary zone on DC2 and select DC1 as the master.
C. Create a primary zone on DC1 and store the zone in a zone file. Configure Encrypting File System (EFS) encryption. Create a secondary zone on DC2 and
select DC1 as the master.
D. Create a primary zone on DC1 and store the zone in the DC=Contoso,DC=com naming context. Create a secondary zone on DC2 and select DC1 as the
master.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A secondary zone pulls its data from the master with AXFR/IXFR zone transfers over TCP port 53, which are not encrypted, so the only option listed that encrypts the transfer is IPsec between DC1 and DC2 (A). Storing the zone in DomainDnsZones (B) or in the domain partition (D) of contoso.com replicates it only to DNS servers on domain controllers in the contoso.com domain; DC2 is in east.contoso.com, so it would still need a secondary zone and a plain zone transfer. (A zone stored in ForestDnsZones would reach both DCs over encrypted AD replication, but that is not offered.) EFS (C) protects the zone file at rest, not the transfer.
*DomainDnsZones
DNS application directory partition for each domain in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain, and not to domain controllers in other domains of the forest.
QUESTION 253
You have an Active Directory domain named contoso.com.
You have a domain controller named Server1 that is configured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The Zone Aging/
Scavenging Properties of the contoso.com zone are shown in the exhibit. (Click the Exhibit button.)
You discover that stale resource records are not automatically removed from the contoso.com zone.
You need to ensure that the stale resource records are automatically removed from the contoso.com zone.
What should you do?
A. Convert the contoso.com zone to an Active Directory-integrated zone.
B. Set the scavenging period of Server1 to 0 days.
C. Configure the aging properties for the contoso.com zone.
D. Modify the Server Aging/Scavenging properties.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 254
Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com.
Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com.
You need to configure the contoso.com zone to ensure that clients cache records from the zone for 4 days.
What should you do?
A. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.
B. Configure the Retry interval option for the contoso.com zone to 4 days.
C. Configure the Refresh interval option for the contoso.com zone to 4 days.
D. Configure the Expires after option for the contoso.com zone to 4 days.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 255
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run
Windows Server 2008 R2. All client computers run Windows 7 Enterprise.
You need to create a snapshot of Active Directory.
What should you do?
A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 256
Your network contains an Active Directory domain.
You need to activate the Active Directory Recycle Bin in the domain.
Which tool should you use?
A. Dsamain
B. Add-PSSnapin
C. Enable-ADOptionalFeature
D. Add-WindowsFeature
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
You can enable Active Directory Recycle Bin by using the following methods:
* Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
* Ldp.exe (modifying the enable attribute of the Recycle Bin Feature object under CN=Optional Features in the configuration partition)
Note:
Before you can enable the Recycle Bin, the forest functional level must be Windows Server 2008 R2, which in turn requires that the schema has been updated for Windows Server 2008 R2 (adprep /forestprep) and that every domain controller in the forest runs that version. Enabling the feature is irreversible: it cannot be disabled afterwards, and every object in the forest is updated with the Recycle Bin attributes as part of the process.
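Because the step cannot be undone, it is worth scripting the prerequisite check together with the enablement and a first recovery. This is an added example for this page, not code from the dump; it assumes the forest root is contoso.com and that a user named User1 was deleted after the feature was enabled.

```powershell
# Added example, not from the original dump: prerequisite check, one-way enablement
# and a first recovery. Assumes the forest root is contoso.com and that a user named
# User1 was deleted after the feature was enabled.
Import-Module ActiveDirectory
$forest = Get-ADForest -Identity 'contoso.com'

# Prerequisite: forest functional level Windows Server 2008 R2 (every DC on R2 and
# the R2 schema from adprep /forestprep).
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first"
}

# Irreversible: there is no Disable-ADOptionalFeature for the Recycle Bin.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Verify that it is now enabled at forest scope.
Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' } |
    Select-Object Name, EnabledScopes

# Recovery: deleted objects keep their attributes and group memberships for the
# deleted-object lifetime (msDS-DeletedObjectLifetime, 180 days by default).
Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'User1*' } `
    -IncludeDeletedObjects -Properties lastKnownParent |
    Restore-ADObject
```

Objects deleted before the feature was enabled are ordinary tombstones and cannot be restored this way; for those you are back to an authoritative restore from backup or a mounted snapshot (Dsamain).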
QUESTION 257
Your network contains an Active Directory forest named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server
2008 R2. DC2 holds the PDC emulator role.
The power supply on DC2 fails.
You seize the PDC emulator role to DC1.
You replace the power supply on DC2.
You need to bring DC2 back online as the PDC emulator as soon as possible. The solution must minimize the disruption of services for users.
What should you do?
A. Connect DC2 to the network. Turn on DC2, and then transfer the PDC emulator role.
B. Reinstall Windows Server 2008 on DC2 and promote DC2 to a domain controller. Transfer the PDC emulator role.
C. Reinstall Windows Server 2008 on DC2 and promote DC2 to a domain controller. Seize the PDC emulator role.
D. Disconnect DC2 from the network. Turn on DC2, and then seize the PDC emulator role. Connect DC2 to the network.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The PDC emulator and infrastructure master roles may be brought back online after they have been seized: when DC2 reconnects, it learns through replication that DC1 now holds the role and simply stops acting as PDC emulator, after which the role can be transferred back to it normally. Only a seized schema master, domain naming master or RID master must never return to the network (the former holder has to be rebuilt), because those roles allocate identifiers that would otherwise be duplicated. Reinstalling DC2 (B, C) or seizing again (D) would add downtime and risk for no benefit.
QUESTION 258
Your network contains an Active Directory forest named contoso.com. You need to identify the Password Setting object (PSO) applied to a user named User1.
Which cmdlet should you run?
A. Get-ADFineGrainedPasswordPolicy
B. Get-ADFineGrainedPasswordPolicySubject
C. Get-ADUserResultantPasswordPolicy
D. Get-ADDefaultDomainPasswordPolicy
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
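Questions 245 and 258 are the two ends of the same procedure: create a PSO, attach it to a group, then confirm which policy a given user actually ends up with. The following added example (written for this page, not part of the dump) walks through all three steps; it assumes a domain functional level of Windows Server 2008 or higher, a global security group named Group1 with a member User1, and a second user User2 who is not a member. The PSO name and every value other than the 10-character minimum are chosen here.

```powershell
# Added example, not from the original dump, covering both Q245 (attach a PSO to a
# group) and Q258 (find the PSO that wins for a user). Assumes domain functional
# level Windows Server 2008 or higher, a global security group Group1 with a member
# User1, and a non-member User2. PSO name and non-length values are chosen here.
Import-Module ActiveDirectory

# All of these settings are mandatory attributes of a PSO, so all must be supplied.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Group1-MinLen10' `
    -Precedence 10 `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Group1-MinLen10' -Subjects 'Group1'

# Resultant policy: the PSO with the lowest Precedence wins when several apply;
# $null means no PSO applies and the Default Domain Policy (six characters) is used.
function Get-EffectiveMinPasswordLength {
    param([Parameter(Mandatory = $true)][string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        "$User : $($pso.Name) (precedence $($pso.Precedence)), minimum length $($pso.MinPasswordLength)"
    } else {
        "$User : no PSO applies, Default Domain Policy is in effect"
    }
}
Get-EffectiveMinPasswordLength -User 'User1'   # member of Group1 -> 10 characters
Get-EffectiveMinPasswordLength -User 'User2'   # not a member    -> default policy
```

Modifying the Default Domain Policy (option A in Q245) would raise the minimum for everyone; the PSO is what keeps the six-character minimum for all other users.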
QUESTION 259
Your network contains an Active Directory domain named adatum.com. The domain contains an enterprise certification authority (CA). When submitting a request
for a certificate based on the EnrollmentAgent template, you receive the error message shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can enroll for the certificate successfully.
What should you modify?
A. the Security settings of the issuing CA
B. the Cryptography settings of the certificate template
C. the Security settings of the certificate template
D. the Enrollment Agents settings of the issuing CA
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 260
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA). You plan to deploy
certificates to all of the domain users. The certificates will be based on a custom Smartcard Logon template.
You need to recommend a solution to ensure that the users can log on to the domain by using smart cards.
What should you include in the recommendation?
A. From Certificate Templates, set the minimum certificate key size to 512.
B. From Active Directory Users and Computers, select Use Kerberos DES encryption types for this account.
C. From Certificate Templates, include the user principal name (UPN) in the subject alternate name (SAN) of the template.
D. From Active Directory Users and Computers, configure Published Certificates for user accounts.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The UPN in the Subject Alternative Name is what the domain controller uses to map a smart card certificate to the user account during Kerberos PKINIT logon. Whatever CA issues it, a smart card logon certificate has specific format requirements:
* Subject Alternative Name = Other Name: Principal Name = (UPN). For example:
UPN = [email protected]
The UPN OtherName OID is: "1.3.6.1.4.1.311.20.2.3"
The UPN OtherName value: Must be ASN1-encoded UTF8 string
* Subject = Distinguished name of user.
* The CRL Distribution Point (CDP) location (where CRL is the Certificate Revocation List) must be populated, online, and available.
* Key Usage = Digital Signature
* Basic Constraints [Subject Type=End Entity, Path Length Constraint=None] (Optional)
* Enhanced Key Usage = Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2)
A 512-bit key (A) is below the minimum the CA and clients accept and would weaken rather than enable logon; DES encryption types (B) are not required for smart card logon.
QUESTION 261
Your network contains an Active Directory forest named fabrikam.com. You perform a test installation of an enterprise certification authority (CA). After the
installation, you discover that the Issuer Statement option on every certificate issued by the CA is unavailable.
You need to ensure that the Issuer Statement option is available when you install the enterprise CA to the production environment.
What should you do?
A. Before you install the enterprise CA, install the Certification Authority Web Enrollment role service.
B. After you install the enterprise CA, modify the Authority Information Access (AIA) extension settings.
C. During the installation of the enterprise CA, click the Allow administrator interaction when the private key is accessed by the CA cryptographic option.
D. Before you install the enterprise CA, create a custom CAPolicy.inf file and place the file in the Windows directory.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Issuer Statement button is enabled by the Certificate Policies extension of the CA certificate, which carries a policy OID together with a notice text and/or a URL to the Certification Practice Statement. That extension is only placed in the CA certificate at installation (or renewal) time and is defined in the [PolicyStatementExtension] section of a CAPolicy.inf file that AD CS setup reads from %windir%. Web Enrollment (A) and the AIA extension (B) do not affect the CA certificate's extensions, and the private-key interaction option (C) concerns the HSM/CSP, not policy statements.
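A minimal CAPolicy.inf for this purpose looks as follows. This is an added example for this page, not a file from the dump or from Microsoft; the policy OID and URL are placeholders that must be replaced by values from your own organisation, and the [certsrv_server] section only sets the renewal key length and validity that setup would otherwise ask for.

```powershell
# Added example, not from the original dump: write a CAPolicy.inf that gives the
# CA certificate a Certificate Policies extension, which is what the "Issuer
# Statement" button on issued certificates reads. Run on the future CA BEFORE
# installing the AD CS role. The OID and URL below are placeholders.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=FabrikamCPS
Critical=FALSE

[FabrikamCPS]
; Placeholder OID: replace with one from an arc registered to your organisation
OID=1.2.3.4.5.6.7.8.9
Notice="Fabrikam certificates are issued under the Fabrikam Certification Practice Statement."
URL=http://pki.fabrikam.com/cps.html

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@

# Setup looks only in %windir%, and the file must be plain ASCII/ANSI text.
$path = Join-Path $env:windir 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding Ascii
Get-Content -Path $path

# After the role is installed, confirm the extension made it into the CA certificate:
#   certutil -ca.cert ca.cer
#   certutil -dump ca.cer     (look for "Certificate Policies" with the notice and URL)
# An existing CA only picks up a changed CAPolicy.inf when its CA certificate is renewed.
```

The here-string is single-quoted on purpose so that "$Windows NT$" is written literally; a double-quoted here-string would expand it.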
QUESTION 262
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains
a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the
ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that DC2 can resolve DNS queries for
ad.contoso.com in the event that a WAN link fails. The solution must prevent DC2 from updating records in ad.contoso.com.
What should you do?
A. Configure the DNS server on DC2 to forward requests to DC1.
B. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
C. Create a new secondary zone named ad.contoso.com on DC2.
D. Create a new stub zone named ad.contoso.com on DC2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A secondary zone is a complete, read-only copy of the zone. DC2 answers queries from that copy on its own, so resolution keeps working while the WAN is down (until the zone's Expires after interval elapses), and because the copy is read-only DC2 cannot update records; updates still go to the primary on DC1. Converting the zone to Active Directory-integrated (B) would give DC2 a writable replica, which the question explicitly forbids. A stub zone (D) holds only the SOA, NS and glue records and still has to reach DC1 to resolve anything, and forwarding (A) fails as soon as the WAN does.
QUESTION 263
Your network contains an Active Directory forest. The forest contains a single domain. You want to provide users from a domain that is located in another forest
access to resources in your domain.
You need to configure a trust between the domain in your forest and the domain in the other forest.
What should you create?
A. an incoming realm trust
B. an incoming external trust
C. an outgoing external trust
D. an outgoing realm trust
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
An outgoing trust means your domain trusts the other domain, so accounts from the other (trusted) domain can be granted access to resources in yours (the trusting domain); an incoming trust would be the reverse direction. Because the other domain belongs to a different forest and only a single domain is involved, an external trust is the right type; realm trusts are for non-Windows Kerberos realms, and a forest trust would cover all domains in both forests.
QUESTION 264
Your network contains an Active Directory forest named fabrikam.com. The forest contains the following domains:
Fabrikam.com
Eu.fabrikam.com
Na.fabrikam.com
Eu.contoso.com
Na.contoso.com
You need to configure the forest to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of contoso.com when they
create user accounts from Active Directory Users and Computers.
Which tool should you use?
A. Active Directory Users and Computers
B. Active Directory Administrative Center
C. Active Directory Domains and Trusts
D. Set-ADAccountControl
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
To add UPN suffixes
1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start , click Administrative Tools , and then click Active Directory
Domains and Trusts .
2. In the console tree, right-click Active Directory Domains and Trusts , and then click Properties .
3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add .
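The same forest-wide setting can be made without the MMC. This added example is not from the dump; it assumes a user named User1 exists in eu.fabrikam.com (the forest name comes from the question).

```powershell
# Added example, not from the original dump: add the alternative UPN suffix with the
# ActiveDirectory module instead of the MMC, then use it. Assumes a user named User1
# exists in eu.fabrikam.com.
Import-Module ActiveDirectory

# UPN suffixes are a forest-wide property (uPNSuffixes on the Partitions container),
# so any domain in the forest can use the new suffix once it has replicated.
Set-ADForest -Identity 'fabrikam.com' -UPNSuffixes @{ Add = 'contoso.com' }
(Get-ADForest -Identity 'fabrikam.com').UPNSuffixes

# Assign it; the UPN must remain unique across the forest.
Set-ADUser -Identity 'User1' -Server 'eu.fabrikam.com' -UserPrincipalName 'user1@contoso.com'
Get-ADUser -Identity 'User1' -Server 'eu.fabrikam.com' |
    Select-Object SamAccountName, UserPrincipalName

# To remove the suffix later (only once no account still uses it):
# Set-ADForest -Identity 'fabrikam.com' -UPNSuffixes @{ Remove = 'contoso.com' }
```

If a forest trust exists with another forest that also owns contoso.com, the suffix will be flagged as a conflict in name suffix routing and logons with that UPN across the trust will fail; check the trust's routing tab after adding it.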
QUESTION 265
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA). You need to deploy
certificates based on Version 1 templates to all of the computers in the domain. The solution must minimize administrative effort.
You create a Group Policy object (GPO) named GPO1 and link the GPO to the domain.
What should you do next?
A. In GPO1, configure Certificate Services Client - Certificate Enrollment Policy.
B. In GPO1, configure Automatic Certificate Request Settings.
C. In GPO1, configure Software installation.
D. Duplicate the templates. In GPO1, configure Software installation.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Automatic certificate request settings
Certificate enrollment is the process of requesting, receiving, and installing a certificate. By using automatic certificate settings in public key policies, you can have
computers that are associated with a Group Policy object (GPO) automatically enroll for certificates. This can save you the step of explicitly enrolling for computerrelated certificates for each computer.
After you establish an automatic certificate request, the actual certificate requests occur the next time the computers associated with the GPO log on to the network.
QUESTION 266
Your network contains an Active Directory domain named contoso.com. The domain has one Active Directory site.
The domain contains an organizational unit (OU) named OU1. OU1 contains user accounts for 100 users and their managers.
You apply a Group Policy object (GPO) named GPO1 to OU1. GPO1 restricts several desktop settings.
The managers request that the desktop settings not be applied to them. You need to prevent the desktop settings in GPOl from being applied to the managers. All
other users in OU1 must have GPO1 applied to them.
What should you do?
A. Configure the permissions on OU1.
B. Configure the permissions on the user accounts of the managers.
C. Link GPO1 to a WMI filter.
D. Configure the permissions of GPO1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can
specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a
whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
In order for the GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions on the GPO,
either explicitly, or effectively though group membership.
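One way to apply that filtering with the GroupPolicy module, as an added example written for this page (not code from the dump): it assumes the managers are the users referenced in other users' manager attribute, that OU1 sits directly under contoso.com, and it invents the group name OU1-GPO1-Apply.

```powershell
# Added example, not from the original dump: security-filter GPO1 so it applies to
# everyone in OU1 except the managers. Assumes managers are the users named in other
# users' "manager" attribute and that OU1 is directly under contoso.com; the group
# name OU1-GPO1-Apply is invented here.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou       = 'OU=OU1,DC=contoso,DC=com'
$users    = Get-ADUser -Filter * -SearchBase $ou -Properties manager
$managers = $users | Where-Object { $_.manager } | ForEach-Object { $_.manager } | Sort-Object -Unique
$staff    = $users | Where-Object { $managers -notcontains $_.DistinguishedName }

# Group that will carry the Apply Group Policy permission.
New-ADGroup -Name 'OU1-GPO1-Apply' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'OU1-GPO1-Apply' -Members $staff

# Replace Authenticated Users' default Read + Apply with Read only, then grant Apply
# to the staff group. (A Deny ACE on a managers group would also work, but
# Set-GPPermission cannot write deny entries; use GPMC > Delegation > Advanced for that.)
Set-GPPermission -Name 'GPO1' -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name 'GPO1' -TargetName 'OU1-GPO1-Apply' -TargetType Group `
    -PermissionLevel GpoApply

# Verify the ACL, then the effective result for a manager who has logged on to PC1
# (the RSoP report should list GPO1 under the filtered-out GPOs for that user).
Get-GPPermission -Name 'GPO1' -All | Format-Table Trustee, Permission -AutoSize
Get-GPResultantSetOfPolicy -User 'contoso\manager1' -Computer 'PC1' `
    -ReportType Html -Path 'C:\rsop-manager1.html'
```

Membership of OU1-GPO1-Apply has to be maintained as people change roles; the manager-attribute query is a reasonable way to rebuild it on a schedule, but nothing in Group Policy itself keeps it current.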
QUESTION 267
Your network contains an Active Directory domain. The domain contains 20 domain controllers. You need to identify which domain controllers are global catalog
servers. Which tool should you use?
A. Dcdiag
B. Get-ADComputer
C. Net computer
D. Netsh
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Dcdiag's advertising test (the /test:advertising switch, with /e to cover every domain controller in the enterprise) reports for each DC whether it is advertising as a global catalog server, which is exactly the information asked for. Netsh configures network settings and has nothing to do with directory roles. Get-ADComputer returns computer objects, not NTDS settings, so it cannot tell a GC from an ordinary DC; Net computer is a legacy command for adding and removing computer accounts. (Netdom's query fsmo option lists operations master role holders, not global catalogs, and so is not relevant here either.)
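Three ways to get the same list, as an added example for this page (not from the dump): the ActiveDirectory module, a raw LDAP query that works without the module, and dcdiag. It assumes the module is installed where the first approach is used; the ADSI query needs only .NET on a domain-joined machine.

```powershell
# Added example, not from the original dump: three ways to list which of the 20 DCs
# are global catalogs. Assumes the ActiveDirectory module is available for method 1;
# the ADSI query (method 2) needs only .NET on a domain-joined machine.
Import-Module ActiveDirectory

# 1. AD module: IsGlobalCatalog is derived from the NTDS Settings options bit.
Get-ADDomainController -Filter * |
    Where-Object { $_.IsGlobalCatalog } |
    Select-Object HostName, Site

# 2. Raw LDAP: bit 0x1 of "options" on each nTDSDSA (NTDS Settings) object marks a GC.
function Get-GlobalCatalogFromConfig {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter = '(objectClass=nTDSDSA)'
    [void]$searcher.PropertiesToLoad.AddRange(@('options', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        $options = 0
        if ($r.Properties['options'].Count -gt 0) { $options = [int]$r.Properties['options'][0] }
        New-Object PSObject -Property @{
            Server = ($r.Properties['distinguishedname'][0] -replace '^CN=NTDS Settings,', '')
            IsGC   = (($options -band 1) -eq 1)
        }
    }
}
Get-GlobalCatalogFromConfig | Format-Table Server, IsGC -AutoSize

# 3. Dcdiag (the answer): the advertising test prints whether each DC is advertising
#    as a global catalog; /e covers every DC in the enterprise.
dcdiag /e /test:advertising
```

The LDAP query shows the configured state (the check box in Sites and Services); dcdiag shows whether the DC is actually advertising, which can lag behind after a GC is added while the partial replicas are still being built.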
QUESTION 268
Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All
servers run Windows Server 2008.
You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add the new RODC to the domain. You want to achieve this
goal by using the minimum amount of administrative effort. Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. From Active Directory Domains and Trusts, raise the functional level of the domain.
B. At the command prompt, run adprep.exe /forestprep.
C. From Active Directory Users and Computers, pre-stage the RODC computer account.
D. At the command prompt, run adprep.exe /domainprep.
E. At the command prompt, run adprep.exe /rodcprep.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
The first Windows Server 2008 R2 domain controller in a forest whose DCs all run Windows Server 2008 requires the schema and the domain to be prepared with the Windows Server 2008 R2 version of adprep: adprep /forestprep on the schema master (as a member of Schema Admins and Enterprise Admins), then adprep /domainprep (with /gpprep) on the infrastructure master of the domain. Without both, dcpromo on the new server refuses to proceed. adprep /rodcprep (E) was already run when the five existing RODCs were deployed and does not need to be repeated. Pre-staging the RODC account (C) is optional; it only lets a delegated non-administrator complete the installation. Raising the domain functional level (A) is not required for an RODC.
QUESTION 269
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers
run Windows Server 2008 R2 Service Pack 1 (SP1).
The forest contains an application directory partition named dc=app1,dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory
partition. You need to configure a domain controller named DC2 to receive a copy of dc=app1,dc=contoso,dc=com.
Which tool should you use?
A. Dsamain
B. Ntdsutil
C. Active Directory Sites and Services
D. Dcpromo
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The replica set of an application directory partition is managed from the partition management menu of Ntdsutil: "add nc replica <partition DN> <DC DNS name>" adds the named domain controller to the partition's crossRef object, after which DC2 receives the partition through normal replication. Active Directory Sites and Services manages sites, site links and connection objects, that is, the replication topology among all sites in the forest, but not which domain controllers host an application partition. Dcpromo promotes and demotes domain controllers, and Dsamain mounts snapshots or backups of the database for read-only LDAP access. (For DNS application partitions specifically, dnscmd /enlistdirectorypartition does the same job.)
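Ntdsutil accepts its menu commands as arguments, so the change can be scripted and verified. This added example is not from the dump; it uses the partition DN and DC names from the question and assumes the FQDN DC2.contoso.com.

```powershell
# Added example, not from the original dump: add DC2 to the replica set of the
# application partition and confirm that it arrived. Partition DN and DC names are
# from the question; the FQDN DC2.contoso.com is assumed.
$nc  = 'dc=app1,dc=contoso,dc=com'
$dc2 = 'DC2.contoso.com'

# ntdsutil accepts its menu commands as arguments, one quoted string per command.
ntdsutil 'activate instance ntds' `
         'partition management' `
         'connections' "connect to server $dc2" 'quit' `
         "add nc replica $nc $dc2" `
         'quit' 'quit'

# The replica set lives on the partition's crossRef object in the configuration
# partition; msDS-NC-Replica-Locations lists the NTDS Settings DN of each replica.
Import-Module ActiveDirectory
$partitions = 'CN=Partitions,' + (Get-ADRootDSE).configurationNamingContext
$crossRef = Get-ADObject -SearchBase $partitions -LDAPFilter "(nCName=$nc)" `
    -Properties 'msDS-NC-Replica-Locations'
$crossRef.'msDS-NC-Replica-Locations'

# The partition replicates to DC2 on the normal schedule; to pull it now and confirm:
repadmin /syncall $dc2 $nc /e
repadmin /showrepl $dc2 | Select-String -Pattern 'app1'
```

The crossRef check is the useful one: if the NTDS Settings DN of DC2 is missing from msDS-NC-Replica-Locations, ntdsutil's command did not take (usually a typo in the partition DN or the server name), and no amount of forced replication will help.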
QUESTION 270
Your network contains an Active Directory forest named contoso.com. The forest contains five domains. You have a shortcut trust between two of the domains. You
need to validate that the trust is operating properly. What should you use?
A. Dsmod
B. Set-ADForest
C. Netdom
D. Dsadd
E. Netsh
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Netdom's trust subcommand with the /verify switch validates a trust between the trusting domain and the domain given with /domain; adding /kerberos checks Kerberos authentication across the trust in addition to the secure channel. The same check is available in Active Directory Domains and Trusts (trust properties, Validate). Dsmod and Dsadd manage directory objects, Set-ADForest modifies forest-wide settings, and Netsh configures networking; none of them validates trusts.
QUESTION 271
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA). You need to deploy
certificates based on Version 1 templates to all of the computers in the domain. The solution must minimize administrative effort.
You create a Group Policy object (GPO) named GPOl and link the GPO to the domain.
What should you do next?
A. In GPO1, configure Certificate Services Client - Certificate Enrollment Policy.
B. Duplicate the templates. In GPO1, configure Certificate Services Client - Auto-Enrollment.
C. Duplicate the templates. In GPO1, configure Automatic Certificate Request Settings.
D. In GPO1, configure Certificate Services Client - Auto-Enrollment.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Two mechanisms exist and they pair with different template versions. Automatic Certificate Request Settings (ACRS) works only with the original Version 1 computer templates (Computer, Domain Controller, Enrollment Agent (Computer), IPSec) and cannot use a duplicated template at all, so C is not workable. Certificate Services Client - Auto-Enrollment requires a Version 2 or later template on which Read, Enroll and Autoenroll have been granted, and Version 1 templates cannot be modified, so D alone cannot work either; duplicating the template (which produces a Version 2 or 3 copy) and then enabling Auto-Enrollment in GPO1 (B) is the combination that works with the options given. Where "configure Automatic Certificate Request Settings" on its own is offered, as in Question 265, it is the lower-effort choice for Version 1 templates.
Automatic certificate request settings
Certificate enrollment is the process of requesting, receiving, and installing a certificate. By using automatic certificate settings in public key policies, you can have computers that are associated with a Group Policy object (GPO) automatically enroll for certificates. This can save you the step of explicitly enrolling for computer-related certificates for each computer.
After you establish an automatic certificate request, the actual certificate requests occur the next time the computers associated with the GPO log on to the network.
Incorrect:
Not A: Certificate enrollment policy provides the locations of certification authorities (CAs) and the types of certificates that can be requested. Organizations that are using Active Directory Domain Services (AD DS) can use Group Policy to provide certificate enrollment policy to domain members by using the Group Policy Management Console to configure the certificate enrollment policy settings. The Certificates snap-in can be used to configure certificate enrollment policy settings for individual client computers unless the Group Policy setting is configured to disable user-configured enrollment policy. It tells clients where to enroll, but does not by itself make them enroll.
QUESTION 272
Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.
Your company's corporate security policy states that the password for each user account must be changed at least every 45 days.
You have a user account named Service1. Service1 is used by a network application named Application1.
Every 45 days, Application1 fails.
After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the
corporate security policy.
What should you do?
A. Create a new password policy.
B. Run the Set-ADServiceAccount cmdlet.
C. Run the Set-ADAccountControl cmdlet.
D. Create a new Password Settings object (PSO).
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 273
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute
named Attribute1 in Active Directory. Attribute1 is associated to User objects. You need to ensure that Attribute1 is included in the global catalog. What should you
do?
A. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema object.
B. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.
C. In Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for User objects.
D. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 274
You are the systems administrator for a medium-sized Active Directory domain. Currently, the environment supports many different domain controllers, some of
which are running Windows NT 4 and others that are running Windows 2003 and Server 2008 R2.
When you are running domain controllers in this type of environment, which of the following types of groups can you not use? (Choose Two)
A. Universal security groups
B. Global groups
C. Domain local groups
D. Computer groups
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://support.microsoft.com/kb/231273
Group Type and Scope Usage in Windows
Windows 2000 and later extends the Microsoft Windows NT 4.0 concept of user groups by adding Universal and Distribution groups. In Windows NT 4.0, there are
only Global and Local groups, and both are considered Security groups.
QUESTION 275
You are the network administrator for an organization that has all Windows Server 2008 R2 domain controllers.
You need to capture all replication errors that occur between all domain controllers.
What should you do?
A. Use System Performance data collector sets.
B. Use ntdsutil.
C. Configure event log subscriptions.
D. Use the ADSI Edit tool.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which
events will be collected (source).
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create
an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once
a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers.
The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must
be running on computers participating in the forwarding and collecting process.
http://technet.microsoft.com/en-us/library/cc961808.aspx
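The collector/source setup described above, written out as an added example (not from the exam dump or the TechNet articles): a collector-initiated subscription that pulls Directory Service errors and warnings from every domain controller into the collector's ForwardedEvents log. The collector name COLLECTOR01, the domain contoso.com and the domain controllers DC1 and DC2 are assumed.

```powershell
# Added example (not from the exam dump): collect AD replication errors from
# all domain controllers with an event subscription.
# Assumed names: collector COLLECTOR01, domain contoso.com, sources DC1, DC2.

# --- On each source domain controller (DC1, DC2) ---
# WinRM is the transport the collector (Wecsvc) uses to pull events.
winrm quickconfig -quiet

# --- Once, in the domain ---
# The TechNet procedure grants the collector's computer account read access
# to the source logs via Event Log Readers. On domain controllers that group
# is the Builtin domain group, so one Add-ADGroupMember covers every DC.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Event Log Readers' -Members 'COLLECTOR01$'

# --- On the collector (COLLECTOR01) ---
# Configure and start the Windows Event Collector service (Wecsvc).
wecutil qc /q:true

# Subscription definition. Level 1 (Critical), 2 (Error) and 3 (Warning)
# events of the Directory Service log are where replication failures land.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-Replication-Errors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Directory Service errors and warnings from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>DC1.contoso.com</Address></EventSource>
    <EventSource Enabled="true"><Address>DC2.contoso.com</Address></EventSource>
  </EventSources>
</Subscription>
"@
$configPath = Join-Path $env:TEMP 'ad-replication-errors.xml'
Set-Content -Path $configPath -Value $subscriptionXml -Encoding UTF8

# Create the subscription, then check that every source shows as Active.
wecutil cs $configPath
wecutil gr AD-Replication-Errors
```

Forwarded events then appear in the collector's Forwarded Events log with the originating domain controller in the Computer field, so one Event Viewer (or one Get-WinEvent -LogName ForwardedEvents query) covers all DCs.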
QUESTION 276
You are one of two network administrators for your organization.
Your IT partner does most of the work in Active Directory.
While working in Active Directory, your partner accidentally deleted a user from the Sales OU. You recover the user from tape backup but you want to help prevent
this from happening again in the future.
What can you do?
A. Enable the Active Directory Recycle Bin.
B. Use ADSI Edit to restore the user.
C. Take away all rights from the other administrator.
D. Use the Directory Services Restore Mode Lockout command.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/dd392261%28v=ws.10%29.aspx
Active Directory Recycle Bin Step-by-Step Guide
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory
objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects
are restored in their entirety to the same consistent logical state that they were in immediately before deletion.
For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within
and across domains.
Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments.
Important
By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD
LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to
be running Windows Server 2008 R2. After you set the forest functional level of your environment to Windows Server 2008 R2, you can use the instructions in this
guide to enable Active Directory Recycle Bin. In this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After
you enable Active Directory Recycle Bin in your environment, you cannot disable it.
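Because enabling the feature cannot be undone, the forest functional level check belongs in the script rather than in the operator's head. The following is an added example (not from the exam dump or the step-by-step guide) that verifies the prerequisite named above before enabling the Recycle Bin; the forest name contoso.com and the deleted user name are assumed.

```powershell
# Added example (not from the exam dump): enable the Active Directory Recycle
# Bin only after confirming the forest is at the required functional level.
# Assumed forest: contoso.com. Requires the ActiveDirectory module and
# Enterprise Admins membership.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'contoso.com'

# Prerequisite from the guide: forest functional level Windows Server 2008 R2.
# Refuse to continue otherwise; the cmdlet would fail anyway, but an explicit
# message tells the operator what to raise first.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest mode is $($forest.ForestMode); raise it to $required before enabling the Recycle Bin."
}

# The optional feature object records the scopes it is already enabled for,
# so the script is safe to re-run.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
}
else {
    # Irreversible step. -Confirm:$false suppresses the interactive prompt
    # because the prerequisite check above is the deliberate safeguard.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# With the Recycle Bin enabled, a deleted object (assumed user 'jsmith') keeps
# its attributes and can be restored without a backup or DSRM restart.
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and Name -like 'jsmith*'" -IncludeDeletedObjects
if ($deleted) { $deleted | Restore-ADObject }
```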
QUESTION 277
What is the maximum number of domains that a Windows Server 2008 R2 computer, configured as a domain controller, may participate in at one time?
A. Zero
B. One
C. Two
D. Any number of domains
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Personal comment:
A computer, be it a workstation or a server, can be a member of only one domain at a time.
QUESTION 278
You are the systems administrator of a large organization that has recently implemented Windows Server 2008 R2.
You have a few remote sites that do not have very tight security.
You have decided to implement read-only domain controllers (RODC).
What forest functional levels does the network need for you to do the install? (Choose Three)
A. Windows 2000 Mixed
B. Windows 2008 R2
C. Windows 2003
D. Windows 2008
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
Prerequisites for Deploying an RODC
Ensure that the forest functional level is Windows Server 2003 or higher.
(...)
Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the
writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate
domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
QUESTION 279
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two
domain controllers. The domain controllers are configured as shown in the following table.
The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.
You need to configure DC2 as a global catalog server.
Which object's properties should you modify? To answer, select the appropriate object in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc794934.aspx
To designate a domain controller to be a global catalog server
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server.
3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server.
4. Right-click the NTDS Settings object for the target server, and then click Properties.
5. Select the Global Catalog check box, and then click OK.
QUESTION 280
Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directory sites named Seattle and Montreal. The Montreal site
is a branch office that contains only a single read-only domain controller (RODC).
You accidentally delete the site link between the two sites.
You recreate the site link while you are connected to a domain controller in Seattle.
You need to replicate the change to the RODC in Montreal.
Which node in Active Directory Sites and Services should you use? To answer, select the appropriate node in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
http://blogs.technet.com/b/ashleymcglone/archive/2011/06/29/report-and-edit-ad-site-links-from-powershellturbo-your-ad-replication.aspx
Site links are stored in the Configuration partition of the AD database.
Reference 2:
http://technet.microsoft.com/en-us/library/dd736126.aspx
To use Active Directory Sites and Services to force replication of the configuration partition to an RODC
1. Open the Active Directory Sites and Services snap-in (Dssite.msc).
2. Double-click Sites, double-click the name of the site that has the RODC, double-click Servers, double-click the name of the RODC, right-click NTDS Settings,
and then click Replicate configuration to the selected DC.
3. Click OK to close the message indicating that AD DS has replicated the connections.
QUESTION 281
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two
domain controllers. The domain controllers are configured as shown in the following table.
You need to enable universal group membership caching in the Seattle site.
Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/magazine/ff797984.aspx
Configure Universal Group Membership Caching in Active Directory
You can enable or disable universal group membership caching by following these steps:
1. In Active Directory Sites And Services, expand and then select the site you want to work with.
2. In the details pane, right-click NTDS Site Settings, and then click Properties.
3. To enable universal group membership caching, select the Enable Universal Group Membership Caching check box on the Site Settings tab. Then, in the
Refresh Cache From list, choose a site from which to cache universal group memberships. The selected site must have a working global catalog server.
4. To disable universal group membership caching, clear the Enable Universal Group Membership Caching check box on the Site Settings tab.
5. Click OK.
QUESTION 282
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc770848.aspx
View a Resultant PSO for a User or a Global Security Group
You can view the resultant Password Settings object (PSO) for a user object:
Viewing the resultant PSO for users using the Active Directory module for Windows PowerShell
Viewing the resultant PSO for users using the Windows interface
Viewing the resultant PSO for users from the command line using dsget
To view the resultant PSO for a user using Windows interface
1. Open Active Directory Users and Computers.
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Users.
4. In the details pane, right-click the user account for which you want to view the resultant PSO, and then click Properties.
5. Click the Attribute Editor tab, and then click Filter.
6. Ensure that the Show attributes/Optional check box is selected.
7. Ensure that the Show read-only attributes/Constructed check box is selected.
8. Locate the value of the msDS-ResultantPSO attribute in the Attributes list.
QUESTION 283
Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective
authentication is enabled on the trust. Fabrikam.com contains a server named Server1.
You assign Contoso\Domain Users the Manage documents permission and the Print permission to a shared printer on Server1.
You discover that users from contoso.com cannot access the shared printer on Server1.
You need to ensure that the contoso.com users can access the shared printer on Server1.
Which permission should you assign to Contoso\Domain Users?
To answer, select the appropriate permission in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc816733.aspx
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or
Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the
Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest.
QUESTION 284
Your network contains an Active Directory domain. The domain contains a domain controller named DC1 that runs Windows Server 2008 R2 Service Pack 1 (SP1).
You need to implement a central store for domain policy templates.
What should you do?
To answer, select the source content that should be copied to the destination folder in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Copy “C:\Windows\PolicyDefinitions” to “C:\Windows\SYSVOL\domain\Policies”
In the reference below the entire PolicyDefinitions folder gets copied. In the question we copy the contents of that PolicyDefinitions folder, which has the same result
of course.
Reference:
http://www.petri.co.il/creating-group-policy-central-store.htm
Creating a Central Store
Creating a central store is actually a rather simple process. The first thing that you will have to do is to log onto a computer that is running either Windows Vista or
Windows Server 2008. If you have one particular machine that has all of your group policy template files installed on it, then that machine is a good candidate.
The next thing that you must do is to open Windows Explorer, and then go into the C:\Windows folder. Locate the PolicyDefinitions folder, right click on it, and then
choose the Copy command from the shortcut menu. This will copy the folder and its contents to the Windows clipboard.
The next step in the process is to map a network drive letter to the sysvol folder on a domain controller. The full path that you will need to access on the domain
controller is c:\Windows\SYSVOL\domain\Policies. Finally, copy the PolicyDefinitions folder to the \Windows\SYSVOL\domain\Policies folder on the domain
controller.
You can see what this looks like in Figure A.
Copy the PolicyDefinitions folder to the domain controller’s \Windows\Sysvol\Domain\Policies folder.
QUESTION 285
Your company plans to open a new branch office.
The new office will have a low-speed connection to the Internet.
You plan to deploy a read-only domain controller (RODC) in the branch office.
You need to create an offline copy of the Active Directory database that can be used to install the Active Directory on the new RODC.
Which commands should you run from Ntdsutil?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc770654.aspx
Installing AD DS from Media
You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media
(IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.
To create installation media
1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER: ntdsutil
3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds
4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm
5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic), and then press ENTER.
For example, to create RODC installation media, type the following command, and then press ENTER: create rodc C:\InstallationMedia
6. Where C:\InstallationMedia is the path to the folder where you want the installation media to be created.
7. You can save the installation media to a network shared folder or to any other type of removable media.
QUESTION 286
Your network contains an Active Directory forest named contoso.com.
You need to use Group Policies to deploy the applications shown in the following table:
What should you do?
To answer, drag the appropriate deployment method to the correct application in the answer area.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
technet.microsoft.com/en-us/library/cc783502.aspx
Software installation
You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software
for groups of users and computers using this extension.
Assigning Applications
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or
startup (for computer-assigned applications).
When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that
the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application
package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time
the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install
the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will
always advertise user-assigned applications.
When assigning applications to computers, the application is installed the next time the computer boots up.
Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through
Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.
Publishing Applications
You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove
Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the
Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking
an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish
applications to computers.
QUESTION 287
Your network contains an Active Directory forest named adatum.com.
The forest contains four child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com.
You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table.
What should you do?
To answer, drag the appropriate group type to the correct group name in the answer area.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 128
Domain local groups
Domain local groups are essentially the same thing as local groups in Windows NT, and are used to administer resources located only on their own domain. They
can contain users and groups from any other trusted domain. Most typically, these types of groups are used to grant access to resources for groups in different
domains.
Global groups
Global groups are on the opposite side from domain local groups. They can contain users only in the domain in which they exist but are used to grant
access to resources in other trusted domains. These types of groups are best used to supply security membership to user accounts that share a similar function,
such as the sales global group.
Universal groups
Universal groups can contain users and groups from any domain in the forest and can grant access to any resource in the forest. Along with this added power come
a few caveats. First, universal groups are available only in domains with a functional level of Windows 2000 Native or later. Second, all members of each universal
group are stored in the global catalog, increasing the replication load. It is important to note, however, that universal group membership replication has been
noticeably streamlined and optimized in Windows Server 2008 R2 because the membership is incrementally replicated.
QUESTION 288
Your network contains an Active Directory domain named adatum.com.
You need to use Group Policies to deploy the line-of-business applications shown in the following table.
What should you do?
To answer, drag the appropriate deployment method to the correct application in the answer area.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
technet.microsoft.com/en-us/library/cc783502.aspx
Software installation
You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software
for groups of users and computers using this extension.
Assigning Applications
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or
startup (for computer-assigned applications).
When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that
the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application
package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time
the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install
the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will
always advertise user-assigned applications.
When assigning applications to computers, the application is installed the next time the computer boots up.
Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through
Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.
Publishing Applications
You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove
Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the
Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking
an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish
applications to computers.
QUESTION 289
Your network contains an Active Directory forest.
The DNS infrastructure fails.
You rebuild the DNS infrastructure.
You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.
Which service should you restart on the domain controllers?
To answer, select the appropriate service in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers
registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this
service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of
SRV resource records.
QUESTION 290
Your network contains an Active Directory forest named contoso.com.
The password policy of the forest requires that the passwords for all of the user accounts be changed every 30 days.
You need to create user accounts that will be used by services. The passwords for these accounts must be changed automatically every 30 days.
Which tool should you use to create these accounts?
To answer, select the appropriate tool in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed service accounts. Managed service accounts offer automatic
password management, which removes the manual password resets that break the services.
Reference 1:
http://technet.microsoft.com/en-us/library/dd367859.aspx
What are the benefits of new service accounts?
In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated
with managed service accounts:
Unlike with regular domain accounts in which administrators must reset passwords manually, the network passwords for these accounts will be reset automatically.
Reference 2:
http://technet.microsoft.com/en-us/library/dd391964.aspx
Use the Active Directory module for Windows PowerShell to create a managed service account.
Reference 3:
http://technet.microsoft.com/en-us/library/dd548356.aspx
To create a new managed service account
1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers
snap-in. Confirm that the Managed Service Account container exists.
2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.
3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].
Reference 4:
http://technet.microsoft.com/en-us/library/hh852236.aspx
Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval.
-ManagedPasswordIntervalInDays <Int32>
Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is
read-only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.
The following example shows how to specify a 90-day password change interval:
-ManagedPasswordIntervalInDays 90
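An added example (not from the exam dump or the TechNet references) that carries References 2 to 4 through end to end: it creates a service account with a 30-day managed password interval matching the policy in the question, verifies the interval, and binds a Windows service to the account so that no human ever holds its password. It uses the group managed service account (gMSA) form that -ManagedPasswordIntervalInDays belongs to (Windows Server 2012 or later); the domain contoso.com, host APP01, account gmsa-app1 and service name Application1 are assumed.

```powershell
# Added example (not from the exam dump): service account with automatic
# password rotation every 30 days, in the gMSA form from Reference 4.
# Assumed names: domain contoso.com, host APP01, account gmsa-app1,
# Windows service Application1. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# --- On a domain controller / admin workstation ---
# One-time prerequisite per forest: gMSA passwords are derived from the KDS
# root key. -EffectiveImmediately is for a lab; in production the key should
# be allowed its normal ~10 hour replication window before first use.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# 30 days matches the forest password policy in the question. The interval
# is fixed at creation (msDS-ManagedPasswordInterval is read-only afterwards),
# and only APP01 is allowed to retrieve the current password.
New-ADServiceAccount -Name 'gmsa-app1' `
    -DNSHostName 'gmsa-app1.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# Confirm the interval was stored as requested.
Get-ADServiceAccount -Identity 'gmsa-app1' -Properties 'msDS-ManagedPasswordInterval' |
    Select-Object Name, 'msDS-ManagedPasswordInterval'

# --- On APP01 (needs the ActiveDirectory module installed via RSAT) ---
Install-ADServiceAccount -Identity 'gmsa-app1'
if (-not (Test-ADServiceAccount -Identity 'gmsa-app1')) {
    throw 'APP01 cannot retrieve the managed password; check PrincipalsAllowedToRetrieveManagedPassword.'
}

# Bind the service to the account. The password argument is empty on purpose:
# the host fetches the current password from AD DS itself, so the 30-day
# change never has to be typed into the service configuration again.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Application1'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\gmsa-app1$', '')
if ($result.ReturnValue -ne 0) { throw "Service reconfiguration failed with code $($result.ReturnValue)" }
Restart-Service -Name 'Application1'

# On Windows Server 2008 R2 (the exam's platform) the same outcome uses a
# standalone managed service account instead:
#   New-ADServiceAccount -Name 'svc-app1' -Enabled $true
#   Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-app1'
# followed by the same Install-ADServiceAccount and service binding on APP01.
```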
QUESTION 291
Your network contains an Active Directory forest named contoso.com. All client computers run Windows 7 Enterprise.
You need to automatically create a local group named PowerManagers on each client computer that contains a battery. The solution must minimize the amount of
administrative effort.
Which node in Group Policy Management Editor should you use?
To answer, select the appropriate node in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc732525.aspx
Configure a Local Group Item
Local Group preference items allow you to centrally create, delete, and rename local groups. Also, you can use these preference items to change local group
memberships. Before you create a local group preference item, you should review the behavior of each type of action possible with the extension.
Creating a Local Group item
1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.
3. Right-click the Local Users and Groups node, point to New, and select Local Group.
4. In the New Local Group Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)
5. Enter local group settings for Group Policy to configure or remove. (For more information, see "Local group settings" in this topic.)
6. Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.)
7. Click OK. The new preference item appears in the details pane.
Actions
This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the
action selected and whether a group with the same name exists.
Create - Create a new local group on the local computer. If the local group exists, then do not modify it.
(...)
QUESTION 292
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1. Server1 has an IP address of
192.168.200.100.
You need to view the Pointer (PTR) record for Server1.
Which zone should you open in the DNS snap-in to view the record?
To answer, select the appropriate zone in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57
Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server’s
PTR (pointer) resource record.
Reference 2:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 45/730
You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses
should you use for the reverse lookup zone?
a. 5.168.192.in-addr.arpa
b. 0.5.168.192.in-addr.arpa
c. 192.168.5.in-addr.arpa
d. 192.168.5.0.in-addr.arpa
The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa.
Thus the correct address is 5.168.192.in-addr.arpa. You do not use the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be
specified in reverse sequence, so the other two choices are both incorrect.
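The naming rule explained above, carried into code as an added example (not from the cert guide or the exam): it derives the reverse-lookup zone for any IPv4 prefix on an octet boundary, not just the /24 case, and the full PTR owner name for a host such as Server1 at 192.168.200.100.

```python
import ipaddress

# Added example: reverse-lookup zone and PTR owner names for IPv4 addresses.
# Only the network portion of the address is used, octet by octet in reverse
# order, followed by the in-addr.arpa suffix; host octets are dropped.


def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa zone that holds PTR records for `network`."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 prefixes on an octet boundary (/8, /16, /24) are handled")
    network_octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(network_octets)) + ".in-addr.arpa"


def ptr_owner_name(address: str) -> str:
    """Return the full PTR owner name for one host (all four octets reversed)."""
    return ipaddress.IPv4Address(address).reverse_pointer


def zone_for_ptr(address: str, prefixlen: int = 24) -> str:
    """Return the reverse zone to open in the DNS snap-in to see the PTR for `address`."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    return reverse_zone_name(str(net))


def is_correct_zone_name(candidate: str, network: str) -> bool:
    """Check an answer choice against the derived zone name (trailing dot and case ignored)."""
    return candidate.rstrip(".").lower() == reverse_zone_name(network)


if __name__ == "__main__":
    print(reverse_zone_name("192.168.5.0/24"))   # 5.168.192.in-addr.arpa
    print(zone_for_ptr("192.168.200.100"))       # 200.168.192.in-addr.arpa
    print(ptr_owner_name("192.168.200.100"))     # 100.200.168.192.in-addr.arpa
```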
QUESTION 293
Your network contains an Active Directory domain.
You need to create a new site link between two sites named Site1 and Site3. The site link must support the replication of domain objects.
Under which node in Active Directory Sites and Services should you create the site link?
To answer, select the appropriate node in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc794815.aspx
You can use this procedure to create a site link object and add the appropriate sites to it.
To create a site link object
1. Open Active Directory Sites and Services.
2. Expand Sites, and then expand Inter-Site Transports.
3. Right-click IP, and then click New Site Link.
4. In Name, type a name for the site link.
5. In Sites not in this site link, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or hold
down the CTRL key to click a second site that is not adjacent in the list.
6. After you select all the sites that you want to add to the site link, click Add, and then click OK.
QUESTION 294
Your network contains an Active Directory domain named contoso.com.
All users have laptops that run Windows 7. The laptops are joined to the domain. Windows Firewall is enabled on all the laptops.
You need to ensure that when the users connect to unidentified networks, Windows Firewall uses the Public Profile.
Which node in Group Policy Management Editor should you use?
To answer, select the appropriate node in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 295
Your network contains an Active Directory forest named contoso.com.
All client computers used by the sales department are in an organizational unit (OU) named Sales Computers. All user accounts for the sales department are in an
OU named Sales Users.
You purchase a new application.
You need to ensure that every user in the domain who logs on to a sales department computer can use the application. The application must only be available from
the sales department computers.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
Reference:
The application must be made available on the network.
The application needs to be installed (so it must be assigned, not published; publishing is optional) whenever a sales department computer is used, so link the GPO to the Sales Computers OU.
QUESTION 296
Your network contains an Active Directory domain named contoso.com.
You have a comma separated value (CSV) file named Users.txt. Users.txt contains the information for 500 users and all of the attributes required to create user
accounts.
You plan to automate the creation of user accounts by using the Users.txt file.
You need to identify which two cmdlets you must run. The solution must pipe the output from the first cmdlet to the second cmdlet.
What should you run from Windows PowerShell? To answer, configure the appropriate PowerShell command in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 297
You have a standard primary zone named contoso.com.
You need to configure how often the zone will be transferred to servers that host a secondary copy of the zone.
Which tab should you use?
To answer, select the appropriate tab in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 298
Your network contains an Active Directory domain. The domain contains a domain controller named DC1 that runs Windows Server 2008 R2 Service Pack 1 (SP1).
You need to implement a central store for domain policy templates.
What should you do?
To answer, select the source content that should be copied to the destination folder in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 299
Your network contains an Active Directory forest named contoso.com.
The forest contains an enterprise certification authority (CA). The enterprise CA is inaccessible from the internet.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is accessible from the Internet. Server1 can communicate with the enterprise CA.
You need to ensure that laptops that are joined to the domain can renew their certificates automatically from the Internet.
Which two role services should you install on Server1? (To answer, select the two appropriate role services in the answer area.)
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 300
Your network contains an Active Directory domain named contoso.com.
The aging and scavenging settings of the contoso.com zone are configured as shown in the exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc961420.aspx
No-refresh interval + Refresh interval = the point at which a record becomes eligible for scavenging (a record can be scavenged only after both intervals have elapsed since its timestamp).
QUESTION 301
Your network contains an Active Directory domain named contoso.com. The domain contains three domain controllers named DC1, DC2 and DC3.
You need to create a zone named adatum.com that replicates between DC1 and DC2 only. The zone data for adatum.com must be writable on both DC1 and DC2.
Which three actions should you perform in sequence? (To answer, move the appropriate three actions from the list of actions to the answer area and arrange them
in the correct order.)
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
* dnscmd /createdirectorypartition
Creates a DNS application directory partition.
* dnscmd /EnlistDirectoryPartition
Adds a DNS server to the replication set of a DNS application directory partition.
QUESTION 302
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The domain contains a domain
controller named DC1. DC1 hosts an Active Directory-integrated zone for contoso.com.
You enable record scavenging for contoso.com by using the default settings. You configure scavenging to run every seven days.
After 30 days, you discover that some DNS records of computers that were removed from the network are still present in the contoso.com zone.
You need to ensure that the scavenging process can remove the stale records.
What command should you run? (To answer, select the appropriate options in the answer area.)
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 303
Your network contains an Active Directory domain named contoso.com. All servers are located in the same Active Directory site. The domain contains two domain
controllers named DC1 and DC2. Both domain controllers host an Active Directory-integrated zone for contoso.com.
The Start of Authority (SOA) record of the contoso.com zone is shown in the exhibit. (Click the Exhibit button.)
You have a member server named Server1. Server1 hosts a secondary zone of contoso.com.
On DC1, you add a new record to the contoso.com zone.
In the table below, identify the maximum amount of time required to replicate the record to each server. Make only one selection in each column.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
* If you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is
replicated as part of domain replication.
* Most of the Domain Name System (DNS) zone settings that you can change control how the zone is transferred between primary and secondary servers.
* Refresh interval
/ The refresh interval regulates how often a secondary DNS server can request a copy of the zone (a zone transfer) from its source.
/ The refresh interval is how often the zone is transferred.
/ The time, in seconds, that a secondary DNS server waits before querying its source for the zone to attempt renewal of the zone. When the refresh interval expires,
the secondary DNS server requests a copy of the current SOA record for the zone from its source, which answers this request. The secondary DNS server then
compares the serial number of the source server’s current SOA record (as indicated in the response) with the serial number in its own local SOA record. If they are
different, the secondary DNS server requests a zone transfer from the primary DNS server.
QUESTION 304
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You install Active Directory Lightweight Directory Services (AD LDS) on a member server named Server2. On Server2, you create a directory partition named
fabrikam.com.
You need to configure the MS-AdamSyncConfig.xml file to synchronize data from contoso.com to fabrikam.com.
What should you do? (To answer, select the appropriate options in the answer area.)
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 305
Your network contains an Active Directory domain named contoso.com.
The Zone Transfers settings of contoso.com are configured as shown in the Zone Transfers exhibit. (Click the Exhibit button.)
The Name Servers settings of contoso.com are configured as shown in the Name Servers exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibits.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
* Zone transfers are allowed only to 192.168.1.100 and 192.168.2.100.
* When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The
zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy
the authoritative name server information about the zone.
QUESTION 306
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1. DC1 has the DNS namespaces configured as shown in the following table.
In the table below, identify which queries will have an authoritative or non-authoritative response from DC1. Make only one selection in each row.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 307
Your network contains an Active Directory domain named contoso.com.
You have a server named Server1 that is configured as an enterprise root certification authority (CA).
You need to ensure that private keys can be archived on Server1.
Which three actions should you perform in sequence? (To answer, move the appropriate three actions from the list of actions to the answer area and arrange them
in the correct order.)
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
This topic includes requirements and procedures for implementing key archival using Active Directory Certificate Services (AD CS) and the Windows Server 2008
operating system.
Review and complete each of the following sections to implement key archival:
* (step 1) Configuring a key recovery agent certificate template
* (Step 1) Adding a key recovery agent certificate template to an enterprise CA
* (Step 2) Enrolling key recovery agents
/ Enrolling key recovery agents
/Issuing a key recovery agent certificate
* Configuring a CA for key archival and recovery
/ Adding key recovery agent certificates to a CA
/ (step 3) Configuring certificate templates for key archival
Certificate templates can be individually configured to require key archival. Your organization's security or data recovery policies should specify criteria to determine
which certificate templates can be configured for key archival.
This procedure should be completed on an enterprise CA.
Start the Certificate Templates snap-in.
Right-click a certificate template, and then click Properties.
On the Request Handling tab, click Archive subject's encryption private key, and then click OK.
Reference: Implementing Key Archival
QUESTION 308
Your network contains an Active Directory domain named contoso.com.
A portion of the Group Policy object (GPO) settings for a computer in the contoso.com domain is configured as shown in the following exhibit. (Click the Exhibit
button.)
To answer, complete each statement according to the information presented in the exhibit.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 309
Your network contains an Active Directory domain named contoso.com.
You create two global groups named Group1 and Group2. The group membership of each group is shown in the following table.
You create the Password Settings objects (PSOs) shown in the following table.
In the table below, identify which PSOs will apply to User1 and User2. Make only one selection in each column.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
* PSO2 has the lowest precedence. PSO2 is linked to GROUP1. Both User1 and User2 are members of Group1.
* Precedence. This is an integer value that is used to resolve conflicts if multiple PSOs are applied to a user or group object.
* Each PSO has an additional attribute named msDS-PasswordSettingsPrecedence, which assists in the calculation of RSOP. The msDS-PasswordSettingsPrecedence
attribute has an integer value of 1 or greater. A lower value for the precedence attribute indicates that the PSO has a higher rank, or a higher priority, than other
PSOs. For example, suppose an object has two PSOs linked to it. One PSO has a precedence value of 2 and the other PSO has a precedence value of 4. In this
case, the PSO that has the precedence value of 2 has a higher rank and, hence, is applied to the object.
* If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to a user object.)
If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global
group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.
If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.
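The three-step resultant-PSO rule listed above, written out as an added example (not from the exam or Microsoft's documentation); the users, groups and PSOs are constructed sample data, since the question's tables are not reproduced on this page.

```python
from dataclasses import dataclass

# Added example: resultant PSO calculation for a user.
# Rule 1: a PSO linked directly to the user wins.
# Rule 2: otherwise, of the PSOs linked to the user's global groups, the lowest
#         msDS-PasswordSettingsPrecedence value wins.
# Rule 3: otherwise the Default Domain Policy applies.

DEFAULT_DOMAIN_POLICY = "Default Domain Policy"


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int          # msDS-PasswordSettingsPrecedence, 1 or greater; lower wins
    applies_to: frozenset    # users and global groups listed in msDS-PSOAppliesTo


def _lowest_precedence(candidates: list) -> PSO:
    # Precedence values should be unique; if two PSOs share one, AD breaks the tie
    # with the lowest objectGUID. The sample data avoids ties by design.
    return min(candidates, key=lambda p: p.precedence)


def resultant_pso(user: str, global_groups: set, psos: list) -> str:
    """Return the name of the PSO in effect for `user`, or the default domain policy."""
    direct = [p for p in psos if user in p.applies_to]
    if direct:
        return _lowest_precedence(direct).name
    via_groups = [p for p in psos if p.applies_to & global_groups]
    if via_groups:
        return _lowest_precedence(via_groups).name
    return DEFAULT_DOMAIN_POLICY


# Constructed sample directory (hypothetical, not the question's tables).
GROUP_MEMBERS = {
    "Group1": {"User1", "User2"},
    "Group2": {"User2"},
}
PSOS = [
    PSO("PSO1", precedence=10, applies_to=frozenset({"Group2"})),
    PSO("PSO2", precedence=1, applies_to=frozenset({"Group1"})),
    PSO("PSO3", precedence=5, applies_to=frozenset({"User2"})),   # linked directly to User2
]


def groups_of(user: str, membership: dict = GROUP_MEMBERS) -> set:
    """Global groups the user is a member of (direct membership only, as in the rule)."""
    return {group for group, members in membership.items() if user in members}


def effective_pso(user: str) -> str:
    return resultant_pso(user, groups_of(user), PSOS)


if __name__ == "__main__":
    for u in ("User1", "User2", "User3"):
        print(u, "->", effective_pso(u))
```

User1 gets PSO2 through Group1; User2 gets PSO3 despite PSO2's lower precedence, because the direct link takes priority; User3, who belongs to no group, falls back to the Default Domain Policy.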
QUESTION 310
Your network contains an Active Directory domain named contoso.com.
Members of the sales department are issued laptops that have wireless network cards.
You need to ensure that when users connect to an unidentified network from their laptop, the network is configured as a Public network.
Which node in Group Policy Management Editor should you use? To answer, select the appropriate node in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 311
Your network contains an Active Directory domain named contoso.com.
The domain contains an organizational unit (OU) named SalesUsers. The OU contains 50 user accounts. You need to identify the effective Password Settings object
(PSO) of each user in the SalesUsers OU.
Which command should you run? (To answer, select the appropriate options in the answer area.)
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 312
Your network contains an Active Directory domain that has the password policy shown in the following exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
1: Minimum password age: 1 day
2: Passwords must contain characters from three of the following five categories:
Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
Base 10 digits (0 through 9)
Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
3: Maximum password age: 42 days
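A checker for the "three of five categories" complexity rule and the 1-day / 42-day age limits listed above, as an added example (not part of the exam or of Windows itself); the category boundaries follow the note, the thresholds are parameters, and the test passwords are constructed.

```python
import unicodedata

# Added example: Windows-style password complexity and age checks.
# Categories follow the five listed in the note above; Unicode general
# categories (Lu, Ll, Lo, ...) are used to classify non-ASCII letters.


def complexity_categories(password: str) -> set:
    """Return the set of character categories (out of five) present in `password`."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("uppercase")          # A-Z, accented, Greek, Cyrillic capitals
        elif cat == "Ll":
            found.add("lowercase")          # a-z, sharp-s, accented, Greek, Cyrillic
        elif ch in "0123456789":
            found.add("digit")              # base-10 digits only; other Nd digits do not count
        elif cat.startswith("L"):
            found.add("other_alphabetic")   # Lo/Lt/Lm: alphabetic but uncased, e.g. CJK
        elif not ch.isalnum():
            found.add("nonalphanumeric")    # ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ and similar
    return found


def meets_complexity(password: str, required: int = 3) -> bool:
    """True when the password contains characters from at least `required` categories."""
    return len(complexity_categories(password)) >= required


def password_age_state(days_since_set: int, min_age_days: int = 1, max_age_days: int = 42) -> str:
    """Classify a password's age against the minimum and maximum age policy.

    A maximum age of 0 means passwords never expire, as in the Windows setting.
    """
    if days_since_set < min_age_days:
        return "cannot-change-yet"    # minimum age not reached; the user may not change it
    if max_age_days and days_since_set >= max_age_days:
        return "expired"              # maximum age reached; a change is required
    return "valid"


if __name__ == "__main__":
    for pw in ("Password1", "password", "Pass-word", "straße"):   # constructed samples
        print(repr(pw), sorted(complexity_categories(pw)), meets_complexity(pw))
    for days in (0, 10, 42):
        print(days, password_age_state(days))
```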
QUESTION 313
Your network contains an Active Directory domain named contoso.com.
You need to create a Group Policy object (GPO) that contains all of the settings included in the Windows Server 2008 R2 Security Baseline. The solution must
minimize administrative effort.
Which three actions should you perform in sequence? (To answer, move the appropriate three actions from the list of actions to the answer area and arrange them
in the correct order.)
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
Step 1: Install the SCW tool.
Step 2: From SCW export the appropriate baseline.
Step 3: A new GPO can be based on the exported baseline by using a starter GPO.
* The Security Compliance Manager provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security
baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft
technologies.
* When creating new GPOs you can choose to use a Starter GPO as the Source Starter GPO (read: template) - which makes it easy to create multiple GPOs with
the same baseline configuration, see Figure below.
QUESTION 314
Your network contains an Active Directory domain named contoso.com.
The Zone Transfers settings of contoso.com are configured as shown in the Zone Transfers exhibit. (Click the Exhibit button.)
The Name Servers settings of contoso.com are configured as shown in the Name Servers exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibits. Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 315
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and fabrikam.com. The relevant
domain controllers are configured as shown in the following table.
You need to configure the zone storage settings for each zone. The solution must meet the following requirements:
The contoso.com zone must be replicated to all of the domain controllers in the domain.
The fabrikam.com zone must be replicated to all of the domain controllers in the forest that have the DNS Server server role installed.
In the table below, identify in which partition each zone must be stored. Make only one selection in each column. Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 316
You manage a server that runs Windows Server 2008. The server has the Web Server (IIS) role installed. The server hosts an Internet-accessible Web site that
has a virtual directory named /orders/. A Web server certificate is installed and an SSL listener has been configured for the Web site.
The /orders/ virtual directory must meet the following company policy requirements:
Be accessible to authenticated users only.
Allow authentication types to support all browsers.
Encrypt all authentication traffic by using HTTPS.
All other directories of the Web site must be accessible to anonymous users and be available without SSL
You need to configure the /orders/ virtual directory to meet the company policy requirements.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure the Web site to the Require SSL setting.
B. Configure the /orders/ virtual directory to the Require SSL setting.
C. Configure the Digest Authentication setting to Enabled for the /orders/ virtual directory.
D. Configure the Basic Authentication setting to Enabled and the Anonymous Authentication setting to Disabled for the Web site.
E. Configure the Basic Authentication setting to Enabled and the Anonymous Authentication setting to Disabled for the /orders/ virtual directory.
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure the /salesorders/ virtual directory so that it is accessible to authenticated users only and allows authentication types that support all browsers,
you need to configure the Basic Authentication setting to Enabled for the /salesorders/ virtual directory, because Basic authentication is supported by almost all
browsers.
Next, you need to disable the Anonymous Authentication setting for the /salesorders/ virtual directory, so that only authenticated users can access the virtual
directory. Finally, you need to configure only the /salesorders/ virtual directory to the Require SSL setting, so that only the authentication traffic to this directory is
encrypted and all other directories of the Web site remain accessible to anonymous users and available without SSL.
To configure authentication for a virtual directory or a physical directory in a Web site, you configure the virtual directory and not the
Web site.
Reference: How to configure IIS Web site authentication http://support.microsoft.com/kb/308160
QUESTION 317
You have a Windows Server 2008 R2 server that has the Web Server (IIS) server role installed. The server hosts multiple Web sites.
You need to configure the server to automatically release memory for a single Web site. You must achieve this goal without affecting the other Web sites.
What should you do?
A. Create a new Web site and edit the bindings for the Web site.
B. Create a new application pool and associate the Web site to the application pool.
C. Create a new virtual directory and modify the Physical Path Credentials on the virtual directory.
D. From the Application Pool Defaults, modify the Recycling options.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure the server to automatically release memory for a single website without affecting the other Web sites, you need to create a new application pool and
associate the Web site to the application pool
An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Application pools set boundaries for the
applications they contain, which means that any applications that are running outside a given application pool cannot affect the applications in the application pool.
You can configure the server to automatically release memory or to release memory after reaching maximum used memory.
Reference: IIS 7.0: Managing Application Pools in IIS 7.0 http://technet2.microsoft.com/windowsserver2008/en/library/1dbaa793-0a05-4914-a0654d109db3b9101033.mspx?mfr=true
Reference: IIS 7.0: Configuring Recycling Settings for an Application Pool http://technet2.microsoft.com/windowsserver2008/en/library/0d5770e3-2f6f-4e11-a47c9bab6a69ebc71033.mspx?mfr=true
QUESTION 318
You install the Windows Deployment Services (WDS) role on a server that runs Windows Server 2008 R2.
You plan to install Windows 7 on a computer that does not support Preboot Execution Environment (PXE). You have a Windows 7 image that is stored on the WDS
server.
You need to start the computer and install the image that is stored on the WDS server.
What should you create?
A. a capture image
B. a CD-ROM that contains PXE drivers
C. a discover image
D. an install image
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To start the computer and install Windows Vista image stored on the WDS server, you should create the Discover image. If you have a computer that is not PXE
enabled, you can create a discover image and use it to install an operating system on that computer. When you create a discover image and save it to media (CD,
DVD, USB drive, and so on), you can then boot a computer to the media. The discover image on the media locates a Windows Deployment Services server, and
the server deploys the install image to the computer. You can configure discover images to target a specific Windows Deployment Services server. This means that
if you have multiple servers in your environment, you can create a discover image for each, and then name them based on the name of the server.
Reference: http://technet2.microsoft.com/WindowsVista/en/library/9e197135-6711-4c20-bfad- fc80fc2151301033.mspx?mfr=true
QUESTION 319
Your company has an Active Directory domain. The Terminal Services role is installed on a member server named TS01. The Terminal Services Licensing role
service is installed on a new test server named TS10 in a workgroup.
You cannot enable the Terminal Services Per User Client Access License (TS Per User CAL) mode in the Terminal Services Licensing role service on TS10.
You need to ensure that you can use TS Per User CAL mode on TS10.
What should you do?
A. Join TS10 to the domain.
B. Disjoin TS01 from the domain.
C. Extend the schema to add attributes for Terminal Services Licensing.
D. Create a Group Policy object (GPO) that configures TS01 to use TS10 for licensing.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that you could employ Terminal Services per User CAL mode on TK2, you need to connect TK2 to the Active Directory domain because TS Per User
CAL tracking and reporting is supported only in domain-joined scenarios.
Reference: TS Licensing/Are there any special considerations? http://technet2.microsoft.com/windowsserver2008/en/library/5a4afe2f-5911-4b3f-a98a338b442b76041033.mspx?mfr=true
QUESTION 320
You have a Windows Server 2008 R2 server that has the Web Server (IIS) server role installed. The server contains a Web site.
You need to ensure that the cookies sent from the Web site are encrypted on users' computers.
Which Web site feature should you configure?
A. Authorization Rules
B. Machine Key
C. Pages And Controls
D. SSL Settings
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To encrypt the cookies sent from the Web site to users' computers, you need to use the Machine Key feature. Encrypting cookies is important to prevent tampering: an
attacker can easily view a cookie and alter it. To protect the cookie, the machine key is used in ASP.NET 2.0. Encryption is based on a hash plus the actual data
encrypted, so that if you try to change the data, it is detected. ASP.NET's ViewState uses the machineKey configuration section to configure the keys; this is
important when the application is going to run on a web farm, where load-balanced web servers may be in no-affinity mode.
Reference: http://www.codeproject.com/KB/web-security/HttpCookieEncryption.aspx
QUESTION 321
Your company has a server that runs Windows Server 2008 R2. The server has the Web Server (IIS) role installed.
You need to activate SSL for the default Web site.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Obtain and import a server certificate by using the IIS Manager console.
B. Select the Generate Key option in the Machine Key dialog box for the default Web site.
C. Add bindings for the HTTPS protocol to the default Web site by using the IIS Manager console.
D. Install the Digest Authentication component for the Web server role by using the Server Manager console.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To activate SSL for the default Web site on the server, you need to get an appropriate certificate and create an HTTPS binding on a site. On Windows Vista and
Windows Server 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections.
Moving SSL to kernel mode requires storing SSL binding information in two places. First, the binding is stored in %windir%\system32\inetsrv\applicationHost.config
for your site. When the site starts, IIS 7.0 sends the binding to HTTP.sys and HTTP.sys starts listening for requests on the specified IP:Port (this works for all
bindings).
Second, SSL configuration associated with the binding is stored in HTTP.sys configuration. When a client connects and initiates an SSL negotiation, HTTP.sys looks
in its SSL configuration for the IP:Port pair that the client connected to. The HTTP.sys SSL configuration must include a certificate hash and the name of the
certificate's store for the SSL negotiation to succeed.
Reference: How to Setup SSL on IIS 7.0
http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-7/
QUESTION 322
Your network contains a Windows Server 2008 R2 server that has the Web Server (IIS) server role installed.
You have a Web application that uses a custom application pool. The application pool is set to recycle every 1,440 minutes. The Web application does not support
multiple worker processes. You need to configure the application pool to ensure that users can access the Web application after the application pool is recycled.
What should you do?
A. Set the Shutdown Executable option to True.
B. Set the Process Orphaning Enabled option to True.
C. Set the Disable Overlapped Recycle option to True.
D. Set the Disable Recycling for Configuration Changes option to True.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Overlapped Recycling
In an overlapped recycling scenario, the process targeted for a recycle continues to process all remaining requests while a replacement worker process is created
simultaneously. The new process is started before the old worker process stops, and requests are then directed to the new process. This design prevents delays in
service, since the old process continues to accept requests until the new process has initialized successfully, and is instructed to shut down only after the new
process is ready to handle requests.
Considerations When Recycling Applications
When applications are recycled, it is possible for session state to be lost. During an overlapped recycle, the occurrence of multi-instancing is also a possibility.
Loss of session state: Many IIS applications depend on the ability to store state. IIS 6.0 can cause state to be lost if it automatically shuts down a worker process that
has timed out due to idle processing, or if it restarts a worker process during recycling.
Occurrence of multi-instancing: In multi-instancing, two or more instances of a process run simultaneously. Depending on how the application pool is configured, it is
possible for multiple instances of a worker process to run, each possibly loading and running the same application code. The occurrence of an overlapped recycle is
an example of multi-instancing, as is a Web garden in which two or more processes serve the application pool regardless of the recycling settings.
If your application cannot run in a multi-instance environment, you must configure only one worker process for an application pool (which is the default value), and
disable the overlapped recycling feature if application pool recycling is being used. In IIS 7.x that is the application pool's Disable Overlapped Recycle setting
(disallowOverlappingRotation in applicationHost.config), which is why C is the answer: the old worker process is stopped before the replacement starts, so the
application is briefly unavailable during the daily recycle but never runs twice.
Source: http://technet.microsoft.com/en-us/library/ms525803(VS.90).aspx
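The single-instance configuration described above, as an added example (not part of the dump and not vendor code). The pool name AcctgPool is hypothetical; it assumes the WebAdministration module on IIS 7.5.

```powershell
# Added example: configure a custom application pool for an application that cannot run
# as more than one worker process at a time. Pool name "AcctgPool" is hypothetical.
Import-Module WebAdministration

$pool = "IIS:\AppPools\AcctgPool"
if (-not (Test-Path $pool)) { throw "Application pool not found: $pool" }

# Exactly one worker process (no Web garden); this is also the default.
Set-ItemProperty $pool -Name processModel.maxProcesses -Value 1

# Disable Overlapped Recycle: the old process must stop before the replacement starts,
# so two instances never run side by side. This is the setting the question asks for.
Set-ItemProperty $pool -Name recycling.disallowOverlappingRotation -Value $true

# Keep the scheduled recycle (1,440 minutes = once a day); the cost is a brief pause
# while the new process initializes, instead of the multi-instancing described above.
Set-ItemProperty $pool -Name recycling.periodicRestart.time -Value ([TimeSpan]::FromMinutes(1440))

# Read the values back. The appcmd equivalent of the overlapped-recycle setting is:
#   appcmd set apppool /apppool.name:AcctgPool /recycling.disallowOverlappingRotation:true
Get-ItemProperty $pool -Name processModel.maxProcesses
Get-ItemProperty $pool -Name recycling.disallowOverlappingRotation
```

Schedule the recycle for a low-traffic time (recycling.periodicRestart.schedule) when overlapped recycling is off, since requests arriving during the restart are queued or refused rather than served by a second process.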
QUESTION 323
You manage a server that runs Windows Server 2008 R2. The Remote Desktop Services server role is installed on the server.
A Remote Desktop Services application runs on the server. Users report that the application stops responding.
You monitor the memory usage on the server for a week. You discover that the application has a memory leak.
A patch is not currently available. You create a new resource-allocation policy in Windows System Resource Manager (WSRM). You configure a Process Matching
Criteria named TrackShip and select the application. You need to terminate the application when the application consumes more than half of the available memory
on the server.
What should you do?
A. Configure the resource-allocation policy and set the maximum working set limit option to half the available memory on the server. Set the new policy as a
Profiling Policy.
B. Configure the resource-allocation policy and set the maximum working set limit option to half the available memory on the server. Set the new policy as a
Managing Policy.
C. Configure the resource-allocation policy and set the maximum committed memory option to half the available memory on the server. Set the new policy as a
Profiling Policy.
D. Configure the resource-allocation policy and set the maximum committed memory option to half the available memory on the server. Set the new policy as a
Managing Policy.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A leaking process keeps growing its committed (private) memory, so the committed memory limit is the right trigger, with the action on surpassing it set to terminate
the process; the working set limit only bounds how much of the process's memory stays resident in RAM and does not stop the leak. A profiling policy only records
resource usage; limits are enforced only by the managing policy, so the new policy must be set as the managing policy (D).
To create a memory resource allocation
1. In the Add or Edit Resource Allocation dialog box, on the General tab, in the Process matching criteria list, select a process matching criterion for the matched
processes that will be managed by the resource allocation.
2. On the Memory tab, select one or both:
Use maximum committed memory for each process
Use maximum working set limit for each process
3. If you selected Use maximum committed memory for each process:
In the Maximum committed memory limit per process box, type a value in megabytes (MB). In the If memory is surpassed box, select an action to take when the
limit is reached.
4. If you selected Use maximum working set limit for each process, in the Maximum working set limit per process box, type a value in MB.
5. Click OK.
To add additional memory resource allocations, click Add, and then repeat steps 1 through 5.
Source: http://technet.microsoft.com/en-us/library/cc771472.aspx
QUESTION 324
You manage a member server that runs Windows Server 2008 R2. The server has the Web Server (IIS) role installed.
The Web server hosts a Web site named Intranet1. Only internal Active Directory user accounts have access to the Web site.
The authentication settings for Intranet1 are configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that users authenticate to the Web site by using only the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
encrypted Active Directory credentials.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A.
B.
C.
D.
E.
Add the Digest Authentication role service and the URL Authorization role service to the server.
Add the Windows Authentication role service to IIS. Configure the Windows Authentication setting to Enabled in the Intranet1 properties.
Configure the Basic Authentication setting to Disabled in the Intranet1 properties.
Configure the Default domain field for the Basic Authentication settings on Intranet1 by adding the name of the Active Directory domain.
Configure the Basic Authentication setting to Disabled and the Anonymous Authentication setting to Enabled in the Intranet1 properties.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The two required actions are to add the Windows Authentication role service and enable Windows Authentication on Intranet1 (B), and to disable Basic
Authentication on Intranet1 (C). Basic Authentication sends the user name and password Base64-encoded in every request, which is plaintext to anyone on the
path unless the site is HTTPS-only, and leaving it enabled lets a client fall back to it. Windows Authentication authenticates the Active Directory account with an
encrypted challenge/response (Negotiate: Kerberos or NTLM) and never transmits the password itself. Strictly, IIS does not use MS-CHAPv2, which is a PPP/VPN
authentication protocol; the exam's wording is loose, and the setting it describes is Windows Authentication. Adding URL Authorization (A) or a default domain for
Basic (D) does not change which protocol carries the credentials, and enabling Anonymous Authentication (E) would let users in without any credentials at all.
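The setting change described above, as an added example (not part of the dump and not vendor code): it leaves Windows Authentication as the only enabled scheme on Intranet1 and verifies the result. It assumes the WebAdministration module and that the Windows Authentication role service is installed; the site name comes from the question, nothing else is assumed.

```powershell
# Added example: enforce Windows Authentication only on the site "Intranet1".
Import-Module WebAdministration

$site = "Intranet1"
$base = "system.webServer/security/authentication"

# Desired state: Windows (Negotiate/NTLM) on; Basic (Base64 password in every request)
# and Anonymous (no credentials at all) off. -Location writes to the
# <location path="Intranet1"> block of applicationHost.config, which works even though
# these sections are locked against web.config delegation.
$desired = @{
    "$base/windowsAuthentication"   = $true
    "$base/basicAuthentication"     = $false
    "$base/anonymousAuthentication" = $false
}
foreach ($filter in $desired.Keys) {
    # Fails if the matching role service is not installed (the section does not exist).
    Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site -Filter $filter `
        -Name enabled -Value $desired[$filter]
}

# Verify: every scheme reads back as intended.
$ok = $true
foreach ($filter in $desired.Keys) {
    $actual = (Get-WebConfigurationProperty -PSPath "IIS:\" -Location $site `
        -Filter $filter -Name enabled).Value
    "{0,-24} enabled={1}" -f $filter.Split('/')[-1], $actual
    if ($actual -ne $desired[$filter]) { $ok = $false }
}
if (-not $ok) { throw "Authentication settings on $site are not as intended" }

# Which Windows providers are offered; Negotiate listed first lets domain clients use Kerberos.
Get-WebConfiguration -PSPath "IIS:\" -Location $site `
    -Filter "$base/windowsAuthentication/providers/add" | Select-Object value
```

If Basic Authentication must stay enabled for non-Windows clients, restrict the site to HTTPS with Require SSL so the Base64 credentials are at least inside TLS; the script above takes the stricter route the question asks for.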
QUESTION 325
Your company has an Active Directory domain. The company runs Remote Desktop Services. A user has remotely logged on to the Remote Desktop Session Host
Server. The user requires help to use an application.
When you connect to the Remote Desktop session, you cannot operate any applications. You need to ensure that you can assist any user on the Remote Desktop
Session Host Server.
What should you do?
A.
B.
C.
D.
From the Remote Desktop Session Host Server run the Tscon /v command. Then reconnect to the session.
Run the Chgusr /execute command on the Remote Desktop Session Host Server. Then reconnect to the session.
Enable Use remote control with default user settings in the RDP-Tcp Properties.
Enable Use remote control with the following settings in the RDP-Tcp Properties. Configure the Level of control policy setting to Interact with the session.
Instruct the user to log off and log back on.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
In Remote Desktop Session Host Configuration, right-click RDP-Tcp, choose Properties and open the Remote Control tab. Select Use remote control with the
following settings and set Level of control to Interact with the session; leave Require user's permission selected unless policy says otherwise, so the user must
approve the shadowing. With the default user settings (C) the level comes from each user account's Remote Control properties, which here allow only viewing.
Tscon (A) reconnects a session and Chgusr (B) switches install mode; neither affects remote control. Connection settings are read at logon, so the user must log off
and log back on before you can interact with the session.
QUESTION 326
Your company runs Windows Server 2008. The company network is configured as an Active Directory domain named contoso.com. The network has a Web server
named WEB1. The domain users access WEB1 by using http://web1.
You generate a self-signed certificate for WEB1 and configure WEB1 to use SSL. Users report that they get a warning message when they connect to WEB1 by
using https://web1.
You need to ensure that users can connect to WEB1 without receiving a warning message.
What should you do?
A. Add the https://web1 name to the list of Trusted Sites zone on all the computers in the domain.
B. Open the Certificates console on WEB1. Export the self-signed certificate to a web1.cer file.
Install the web1.cer file on all the computers in the domain.
C. Join WEB1 to the contoso.com domain. Reissue the self-signed certificate. Request all the users to use https://web1.contoso.com to connect to WEB1.
D. Create a DNS Host (A) Record for WEB1 in the contoso.com zone. Reissue the self-signed certificate. Request all the users to use https://web1.contoso.com to
connect to WEB1.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The warning appears because the client does not trust the issuer of WEB1's certificate; a self-signed certificate is its own issuer and is in no client's trust store.
Exporting the certificate without its private key to web1.cer and installing it in the Trusted Root Certification Authorities store of every client (in a domain, usually
through Group Policy) makes the certificate chain valid and removes the warning. The certificate does not authenticate the users; it authenticates the server to the
browser. A .cer file holds only the public certificate, so distributing it does not expose the server's private key. Two practical caveats: the name in the URL must
match the certificate's subject (a certificate issued to the FQDN still warns for https://web1), and in a domain a certificate from an enterprise CA, which domain
members already trust, is the cleaner solution than trusting a self-signed server certificate as a root.
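The export-and-trust procedure described above, as an added example (not part of the dump and not vendor code). Step 1 runs on WEB1, step 2 on a client (or the .cer file goes into the Trusted Root Certification Authorities node of a domain GPO instead). The subject CN=web1 and the path C:\Temp are hypothetical; only .NET classes present on Windows Server 2008 / Vista are used.

```powershell
# Added example: distribute WEB1's self-signed certificate so a client trusts it.
# Subject "CN=web1" and C:\Temp are hypothetical placeholders.

# Step 1 (on WEB1): export the public certificate only. X509ContentType.Cert never
# includes the private key, so web1.cer can be copied around freely.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=web1*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for web1 in LocalMachine\My" }
if ($cert.Issuer -ne $cert.Subject) {
    Write-Warning "Certificate is not self-signed; distribute its issuer's certificate instead"
}
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\Temp\web1.cer", $der)

# Step 2 (on the client): add it to the machine's trust anchors so every user on the
# client benefits, then verify by building the chain the browser will build.
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ("C:\Temp\web1.cer")
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store ("Root", "LocalMachine")
$root.Open("ReadWrite")
if (-not $root.Certificates.Contains($imported)) { $root.Add($imported) }
$root.Close()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # a self-signed certificate has no CRL to fetch
if ($chain.Build($imported)) {
    "Chain valid: this client now trusts $($imported.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { $_.StatusInformation }
}
"URL name must equal the subject: " + $imported.GetNameInfo("SimpleName", $false)
```

The last line prints the name the browser will compare against the URL; if it is the FQDN, users must use https://web1.contoso.com (or the certificate must be reissued for web1) regardless of the trust store.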
QUESTION 327
You have a server that runs Windows Server 2008 R2. The server has the Web Server (IIS) server role installed.
The server contains a Web site that is configured to use only Windows Authentication. You have a security group named Group1 that contains several user
accounts.
You need to prevent the members of Group1 from accessing a Web site. You must not prevent other users from accessing the Web site.
Which Web site feature should you configure?
A.
B.
C.
D.
Authentication
Authorization Rules
IIS Manager Permissions
SSL Settings
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Add or Edit Allow Authorization Rule and Add or Edit Deny Authorization Rule Dialog Boxes: use the Add Allow Authorization Rule, the Edit Allow Authorization Rule,
the Add Deny Authorization Rule, or the Edit Deny Authorization Rule dialog box to define rules for access to content. For this question, add a Deny rule for the
role (Windows group) Group1 and keep the default rule that allows all users. The rule is evaluated against the identity that Windows Authentication established, so the
site must not also allow anonymous access, or Group1 members arrive as the anonymous user and are not matched. Authentication (A) decides who the user is, not
what they may reach; IIS Manager Permissions (C) governs who may administer the site in IIS Manager; SSL Settings (D) controls encryption and client certificates.
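The deny rule described above, as an added example (not part of the dump and not vendor code). The site name Default Web Site and the domain CONTOSO are hypothetical; it assumes the WebAdministration module and that the URL Authorization role service is installed.

```powershell
# Added example: deny Group1 on a Windows-authenticated site without touching other users.
Import-Module WebAdministration

$site   = "Default Web Site"          # hypothetical
$filter = "system.webServer/security/authorization"
$group  = "CONTOSO\Group1"            # hypothetical domain name

# URL Authorization only sees a group membership if the request was authenticated. With
# Anonymous Authentication on, members of Group1 arrive as IUSR and slip past the rule.
$anon = (Get-WebConfigurationProperty -PSPath "IIS:\" -Location $site `
    -Filter "system.webServer/security/authentication/anonymousAuthentication" -Name enabled).Value
if ($anon) { throw "Anonymous authentication is enabled on $site; the deny rule would not apply" }

# Add the deny rule once. IIS URL Authorization evaluates deny rules before allow rules,
# so the inherited 'Allow all users' rule stays and keeps every other user working.
$existing = Get-WebConfiguration -PSPath "IIS:\" -Location $site -Filter "$filter/add" |
    Where-Object { $_.accessType -eq "Deny" -and $_.roles -eq $group }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath "IIS:\" -Location $site -Filter $filter -Name "." `
        -Value @{ accessType = "Deny"; roles = $group }
}

# Show the effective rule set for the site.
Get-WebConfiguration -PSPath "IIS:\" -Location $site -Filter "$filter/add" |
    Select-Object accessType, users, roles, verbs
```

Test the result with an account in Group1 and one outside it: the first should receive HTTP 401.2 (authorization failed), the second the page.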
QUESTION 328
You install the Web Server (IIS) server role on a new server that runs Windows Server 2008 R2.
You install a Microsoft .NET Framework 1.0 application on a Web site on the Web server. The company security policy states that all applications must run by using
the minimum level of permission.
You need to configure the Web site application so that it has the permissions to execute without creating any other content and without accessing any operating
system components.
What should you do?
A.
B.
C.
D.
Set the .NET Framework trust level to Full for the Web site.
Set the .NET Framework trust level to Low for the Web site.
Set the .NET Framework trust level to High for the Web site.
Set the .NET Framework trust level to Medium for the Web site.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
ASP.NET trust levels (Full, High, Medium, Low, Minimal) are set per site or application with the trust element's level attribute and limit what the managed code may
do: Low, for example, allows read-only access to the application's own directory and no registry, environment or network access, which is what the question's
least-privilege wording describes. The reason the answer is Full is the application's framework version: partial-trust levels were introduced with ASP.NET 1.1, and a
.NET Framework 1.0 application can only run with Full trust. For a 1.1 or later application the same requirement would be met by Low.
The zones described in the referenced article (My Computer, Local Intranet, Internet, Trusted Sites, Untrusted Sites) belong to the machine-wide code access security
policy that the common language runtime applies to applications launched from those locations, whose security level can be set to High, Medium, Medium-low or
Low. They are a separate mechanism from the ASP.NET trust levels configured in IIS.
Reference: http://support.microsoft.com/kb/832742
QUESTION 329
Your company named Contoso, Ltd. runs Windows Server 2008 R2. You manage a Web server named Server1.
Internet users access Server1 by using http://www.contoso.com and https://www.contoso.com. The Server1 server uses an SSL certificate from a public
certification authority (CA).
You install an additional Web server named Server2. You configure a Network Load Balancing cluster to distribute the incoming HTTP and HTTPS traffic between
both Web servers.
You need to configure an SSL certificate on Server2 to support HTTPS connections.
You must ensure that all users can connect to https://www.contoso.com without receiving security warnings.
What should you do?
A.
B.
C.
D.
Open the Internet Information Services (IIS) Manager console on Server2. Create a self-signed certificate.
Open the Internet Information Services (IIS) Manager console on Server1. Export the SSL certificate to a .pfx file. Import the .pfx file to Server2.
Open the Certificates snap-in on Server1. Export the SSL certificate to a .cer file. Import the .cer file to Server2.
Request a new SSL certificate from the public CA. Use Server2 as the Common Name in the request. Install the new certificate on Server2.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Both NLB nodes must present the same certificate for www.contoso.com, so the certificate and its private key have to be copied from Server1 to Server2. A .cer
export (C) contains only the public certificate and cannot serve HTTPS, a self-signed certificate (A) is not trusted by Internet users, and a certificate with Server2 as
Common Name (D) does not match the name users connect to.
To export a certificate in PFX format using IIS Manager:
Start IIS Manager. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the console tree, click the name of the computer.
In the IIS section of the center pane, double-click Server Certificates. Right-click the certificate in the center pane, and then click Export. Select the location for the
exported file, type the name for the file (with the .pfx extension), and then type and confirm the password that encrypts the private key.
Click OK.
On Server2, use Server Certificates > Import with the same password, then add an HTTPS binding that uses the imported certificate. The export only works if the
private key was marked exportable when the request was created. The .pfx file contains the private key: use a strong password, transfer it over a protected channel
and delete it from both servers once the import succeeds.
http://technet.microsoft.com/en-us/library/hh314619(v=ws.10).aspx
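The same export/import/bind sequence scripted, as an added example (not part of the dump and not vendor code). It uses the .NET X509 classes available on Windows Server 2008 R2 (Export-PfxCertificate only arrived with Server 2012). The subject www.contoso.com is from the question; the share path and password handling are hypothetical, and the two halves run on Server1 and Server2 respectively.

```powershell
# Added example: move a certificate with its private key from Server1 to Server2 and bind it.
Import-Module WebAdministration
$contentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$keyFlags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$pfxPath     = "\\server2\c$\Temp\www.contoso.com.pfx"   # hypothetical, admin-only share
$pfxPassword = Read-Host -AsSecureString "Password to protect the private key"

# --- On Server1: export certificate + private key. Fails unless the key was marked
# --- exportable when the certificate request was created.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=www.contoso.com*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for www.contoso.com on this server" }
[System.IO.File]::WriteAllBytes($pfxPath, $cert.Export($contentType, $pfxPassword))

# --- On Server2: import into LocalMachine\My with a persisted machine key so the IIS
# --- worker process can use it, then bind it to 0.0.0.0:443 (same identity as Server1).
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (
    $pfxPath, $pfxPassword, ($keyFlags::MachineKeySet -bor $keyFlags::PersistKeySet))
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store ("My", "LocalMachine")
$store.Open("ReadWrite"); $store.Add($imported); $store.Close()
Remove-Item $pfxPath -Force   # the file holds the private key; do not leave it on disk

$sslBinding = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)" | New-Item $sslBinding | Out-Null
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https -Port 443)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -IPAddress "*"
}

# Check: both nodes must report the same thumbprint, or clients get warnings depending
# on which NLB node answers them.
"Server2 serves 0.0.0.0:443 with $($imported.Thumbprint); compare with netsh http show sslcert on Server1."
```

Run the export half with an account that has Manage Private Keys on the certificate; the import half uses MachineKeySet so the key lands in the machine key container that the application pool identity can read.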
QUESTION 330
You have two servers that run Windows Server 2008 R2 named Server1 and Server2. Both servers have the Windows Media Services server role installed. Server2
is a License Clearing House.
You publish an audio file on Server1. The audio file is licensed by Server2.
You need to ensure that users are allowed to use the audio file for only two days.
What should you do?
A. On Server1, modify the key ID.
B. On Server1, modify the license key seed.
C. On Server2, modify the license.
D. On Server2, create a new package.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Windows Media Rights Manager is a digital rights management (DRM) platform that can be used by content providers and retailers to distribute digital media files
securely over a network, such as the Internet. The Windows Media Rights Manager SDK helps protect digital media content (such as songs and videos) by
packaging Windows Media files in an encrypted file format. A packaged file contains a version of a "protected" file that was encrypted and locked with a "key" after
business usage and distribution rules were added to the content header. This packaged file is also bundled with additional information from the content provider
and, optionally, from the distributor. The result is a protected Windows Media file that can only be played by a user who has obtained a license.
The basic Windows Media Rights Manager process is as follows:
Playing the file. To play the file, the user needs a player that supports Windows Media Rights Manager.
Support for Windows Media Rights Manager was first added to Windows Media Player for Windows XP.
Players that were created using the Windows Media Player ActiveX control version 8 or later also support this DRM platform. With the appropriate version of the
Player installed, the customer can then play the file according to the rules or rights that are included in the license. Licenses can have different rights, such as start
times and dates, duration, and counted operations. For instance, default rights may allow the user to play the file on a specific computer and copy the file to a
portable device. Licenses, however, are not transferable. If a customer sends a protected file to a friend, this friend must acquire a different license to play the file.
This per-computer licensing scheme ensures that the protected file can only be played by the computer that has been granted the license key for that file.
Source: http://technet.microsoft.com/en-us/library/cc732309.aspx
QUESTION 331
You have two servers that run Windows Server 2008 named Server1 and Server2. Both servers have the Windows Server virtualization role service installed.
You need to remotely manage the virtualization settings of Server2 from Server1.
What should you do?
A.
B.
C.
D.
From the command prompt, run vmconnect.exe server2.
From the command prompt, run vmconnect.exe server1 server2.
Open the Virtualization Management Console. From the left-hand pane, right-click Server1, point to New and then click Virtual machine.
Open the Virtualization Management Console. From the left-hand pane, right-click Virtualization Services and then click Connect to Server.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To remotely manage the virtualization settings of Server2 from Server1, you need to right-click Virtualization Services from the Virtualization Management Console
and then click Connect to Server.
You can manage multiple Hyper-V server instances in the management console's left pane. Selecting a server instance displays that server's VMs in the center
Virtual Machines pane. You can manage the VMs by right-clicking them and selecting the desired commands on the context menu. The Connect command allows
you to connect to a running VM, which starts the Virtual Machine Connection window.
Reference: A First Look at Windows Server 2008 Hyper-V http://windowsitpro.com/Windows/Articles/ArticleID/97857/pg/2/2.html
QUESTION 332
You have a server that runs Windows Server 2008. The server has the Web Server (IIS) server role installed and all the Web Server role services installed.
You need to provide a user the ability to administer a Web site.
Which feature should you configure?
A.
B.
C.
D.
.Net Roles
.Net Users
Authentication
IIS Manager Permissions
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To provide a user the ability to administer a website, you need to configure IIS Manager Permissions feature on the server.
The IIS Manager Permissions feature is used to allow users to connect to sites and applications in IIS Manager. Permitted users can configure delegated features
in any sites or applications for which they have permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS
Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.
Reference: IIS 7.0: Configuring Permissions for IIS Manager Users and Windows Users http://technet2.microsoft.com/windowsserver2008/en/library/33aaec94c0cb-4402-b91e-a5e3b9c3e0e01033.mspx?mfr=true
QUESTION 333
You have a server that runs Windows Server 2008 R2. The server has the Hyper-V server role installed.
You need to merge a differencing disk and a parent disk.
What should you do?
A.
B.
C.
D.
Edit the parent disk.
Inspect the parent disk.
Edit the differencing disk.
Inspect the differencing disk.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Merging Differencing Disks with Hyper-V
A differencing disk is a disk that is a child of a parent disk. Differencing disks are very helpful in keeping disk images small, manageable and consistent, because
you can create a base parent disk, such as a Windows 2008 Standard base image, and use it as the foundation for all other guest virtual machines and disks that
will be based on Windows Server 2008. For example, I have a Windows Server 2008 guest that I use exclusively as a sandbox for development. I am in the process
of building out another guest based on Windows Server 2008 that will be for some TFS 2008 demos that I am working on for an upcoming series of talks. Rather
than copy the Windows Server 2008 guest VPC over and over again, I can simply create one differencing disk for my development environment role and one for my
TFS role. The result is a VHD that represents the intersection of the base/parent disk (in this case, a barebones install of Windows Server 2008 Standard) and any
additional software I've installed or configuration changes I have made. This not only conserves disk space, but also saves me a lot of time in copying hefty
gigasome-odd VHDs around.
Sometimes it is necessary to merge a differencing disk back to its parent or into a new disk. For example, you may be moving VHDs around as I did recently to a
new, high speed E-SATA drive. My old drive hosted a VHD that I used as my development sandbox that used a parent on the old disk. I certainly don't want to
depend on my clunky old USB 2.0 drive for the parent (the IO cost alone would be just silly), and at a minimum, there is state on the differenced guest OS that I do
not want to lose. The first thing to do is copy over the parent VHD, and create a new differencing disk based on the same parent, but in the new location. Next, since
the differenced guest VHD has state that you want to move over (lest you lose it), it is necessary to merge the state of the "old" differenced guest VHD with the new
copy. To do so, under Server Manager, in the Hyper-V Manager, click "Edit Disk", and locate the disk that you want to merge into a new differenced disk:
On the next screen, under Action, select "Merge":
Select "To a new virtual disk", and choose a name and path for the new disk that you created in the initial copy:
The "old" differenced disk, which is based on the original parent disk plus state from the "old" differenced disk, is merged into the new disk on the drive you
specified:
That's all there is to it. Differencing is a powerful feature in virtualization, and there is very nice support for migration of differenced disks right within the Server
Manager.
Source: http://rickgaribay.net/archive/2008/08/15/merging-differencing-disks-with-hyper-v.aspx
QUESTION 334
You have a server that runs Windows Server 2008. The server has the Windows Server virtualization role service installed. You create a new virtual machine and
perform an installation of Windows Server 2008 on the virtual machine. You configure the virtual machine to use the physical network card of the host server.
You notice that you are unable to access network resources from the virtual machine.
You need to ensure that the virtual host can connect to the physical network.
What should you do?
A.
B.
C.
D.
On the host server, install the MS Loopback adapter.
On the host server, enable the Multipath I/O feature.
On the virtual machine, install the MS Loopback adapter.
On the virtual machine, install Windows Server virtualization Guest Integration Components.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that the virtual machine can connect to the physical network, install the Windows Server virtualization Guest Integration Components in the guest. In
Windows Server virtualization (the pre-release name of Hyper-V) the network adapter seen by the guest operating system is not an emulated device (the DEC/Intel
21140 Ethernet adapter); it is an entirely new, high-performance, purely synthetic device, the Microsoft VMBus Network Adapter, whose driver ships as part of the
Integration Components. Without that driver the guest has no usable network adapter at all. The same symptom appears in a VM ported from Virtual Server, whose
network adapter is no longer recognized; the workaround there is to add a legacy (emulated) network adapter to the VM, which works without the Integration
Components but with lower performance.
Reference: Archive for the 'Virtual Server/PC/WSv/Hyper-V' Category / Windows Server 2008 Common FAQ (condensed)
http://www.leedesmond.com/weblog/index.php?cat=6&paged=3
QUESTION 335
You manage a server named SSP1 that runs Windows Server 2008. SSP1 has the Windows SharePoint Services (WSS) role in standalone mode.
You manage another Windows Server 2008 server named SSP2. You install the WSS role on SSP2. During the installation, you indicate that SSP2 must be a
member of a WSS server farm.
You are unable to connect to SSP1 in the server farm.
You need to configure SSP1 and SSP2 in a WSS server farm.
What should you do?
A.
B.
C.
D.
Restart the Web Management service on SSP1.
Set the Microsoft .NET Framework Trust Level to Low on both SSP1 and SSP2.
Set the Microsoft .NET Framework Trust Level to Medium on both SSP1 and SSP2.
Uninstall and reinstall WSS on SSP1 and select the server farm mode during the installation.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure both SSP1 and SSP2 in a WSS server farm, uninstall WSS on SSP1 and select server farm mode when reinstalling it. A standalone installation uses
the Windows Internal Database on the local server and cannot be joined by other servers or converted in place, which is why SSP2 cannot connect to it; only an
installation performed in server farm mode, against a SQL Server instance reachable from every farm member, lets both servers share one configuration
database. Trust levels (B, C) and the Web Management service (A) have no bearing on farm membership. Microsoft Windows SharePoint Services was designed to be
useful in large server farms, supporting hundreds or thousands of SharePoint sites and millions of users. When you manage a server farm environment for Windows
SharePoint Services, you need to make certain choices about configuring your environment, and you need to be aware of how Windows SharePoint Services works
in that environment. The referenced topic explains those choices, and describes how to work with Windows SharePoint Services in a large-scale, server farm
environment.
Reference: http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsf15.mspx?mfr=true
QUESTION 336
You manage a server that runs Windows Server 2008 R2. The server has the Web Server (IIS) role installed. The Web developer at your company creates a new
Web site that runs an ASP.NET 3.0 Web application.
The ASP.NET Web application must run under a security context that is separate from any other ASP.NET application on the Web server.
You create a local user account and grant account rights and permissions to run the ASP.NET Web application.
You need to configure authentication for the new Web site to support the Web application.
What should you do?
A.
B.
C.
D.
Configure the Windows Authentication setting to Enabled.
Configure the Forms Authentication setting to Enabled by using all the default settings.
Configure the ASP.NET State service to log on to the new local user account by using the Services console.
Configure the ASP.NET Impersonation setting to Enabled. Edit the ASP.NET Impersonation setting by specifying the new local user account.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With ASP.NET Impersonation enabled and a specific user configured, the application's managed code runs under that local account's security context instead of the
application pool identity, so its file and resource access is governed by the rights granted to that account and is separate from other ASP.NET applications on the
server. Windows Authentication (A) and Forms Authentication (B) decide how visitors are identified, not which account the code runs as, and the ASP.NET State
service (C) only stores session state. In practice, giving the application its own application pool with a dedicated identity isolates the whole worker process rather
than only the managed code.
QUESTION 337
You have a server that runs Windows Server 2008. The Web Server (IIS) role is installed.
You plan to host multiple Web sites on the server. You configure a single IP address for the server. All Web sites are registered in DNS to point to the single IP
address.
You need to ensure that each Web site only responds to requests by name from all client computers.
What should you do?
A.
B.
C.
D.
Configure a unique port for each Web site.
Configure a unique IP address for each Web site.
Configure a unique Host Header for each Web site.
Edit the Hosts file on the server to add all the Web site names associated to the network address.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To have each Web site respond only to requests for its own name, configure a unique host header (host name) on each site's binding. A host header is the third
piece of information, in addition to the IP address and port number, that IIS uses to select a site: when the Host header in the HTTP request matches a binding's
host name, that site serves the request. For example, the host header name for the URL http://www.fabrikam.com is www.fabrikam.com. Unique ports (A) would
force users to type the port, unique IP addresses (B) contradict the single-address design, and the server's Hosts file (D) only affects name resolution on the server
itself. On IIS 7.x host headers cannot distinguish HTTPS sites sharing one IP:443, because the certificate is selected before the Host header is readable; that needs
a separate IP address per certificate (or one certificate covering all names) until Server Name Indication support in IIS 8.
Reference: http://www.visualwin.com/host-header/
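Host-header bindings on one address, as an added example (not part of the dump and not vendor code): it creates three sites on *:80 and then checks that no catch-all binding remains. Site names and content paths are hypothetical; it assumes the WebAdministration module and that DNS already resolves every name to this server.

```powershell
# Added example: three sites on one IP:port, each bound to its own host header.
Import-Module WebAdministration

$sites = @{                         # hypothetical names and paths
    "www.fabrikam.com" = "D:\Sites\fabrikam"
    "www.contoso.com"  = "D:\Sites\contoso"
    "intranet"         = "D:\Sites\intranet"
}

foreach ($name in $sites.Keys) {
    $path = $sites[$name]
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    if (-not (Get-Website -Name $name)) {
        # Binding information becomes *:80:<hostname> in applicationHost.config; IIS picks
        # the site whose host name equals the request's Host header.
        New-Website -Name $name -PhysicalPath $path -Port 80 -IPAddress "*" -HostHeader $name | Out-Null
    }
}

# Check 1: a binding of *:80: (empty host name) answers every request that matches nothing
# else, including requests by raw IP address. Either remove it or keep it on purpose as
# a known default site that serves nothing sensitive.
$catchAll = Get-Website | ForEach-Object { $_.bindings.Collection } |
    Where-Object { $_.protocol -eq "http" -and $_.bindingInformation -like "*:80:" }
if ($catchAll) {
    Write-Warning ("Catch-all bindings on port 80: " + (($catchAll | ForEach-Object { $_.bindingInformation }) -join ", "))
}

# Check 2: what each site actually listens on.
Get-Website | Where-Object { $sites.ContainsKey($_.Name) } | ForEach-Object {
    "{0,-20} {1}" -f $_.Name, (($_.bindings.Collection | ForEach-Object { $_.bindingInformation }) -join ", ")
}
```

Test from a client with a request that carries the wrong Host header (for example a raw IP in the URL); with no catch-all binding it should be refused rather than served by whichever site happens to be first.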
QUESTION 338
Your company has an Active Directory domain. The company runs Terminal Services. All client computers run Windows Vista Service Pack 1.
You need to ensure that users are able to run Windows Media Player 11 during a Terminal Services session. What should you do?
A. Install the Desktop Experience feature on the Terminal Server.
B. Install the Quality Windows Audio Video Experience feature on the Terminal Server.
C. Create a new Group Policy object (GPO) by using the Desktop Window Manager template.
Configure the Do not allow desktop composition option to True. Apply the GPO to all client computers in the domain.
D. Create a new Group Policy object (GPO) that configures the Policy-based QoS option and set the Differential Services Code Point value to 10 for the Windows
Media Player 11 executable. Apply the GPO to the Terminal Server.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
When Desktop Experience is installed on Windows Server 2008, the user can use Windows Vista features, such as Windows Media Player, desktop themes, and
photo management within their remote connection. Therefore to ensure that the users could run Windows Media Player 11 during the Terminal services session,
you need to Install and configure the Desktop Experience feature on the terminal server
Reference: Windows Server 2008 Technical Overview / Terminal Services
http://www.microsoft.com/technet/windowsserver/longhorn/evaluate/whitepaper.mspx?wt.svl=globalheadline
QUESTION 339
Your company has an Active Directory domain. All servers in the domain run Windows Server 2008 R2. The RD Gateway role service is installed on a server
named Server1. The Remote Desktop Services server role is installed on two servers named Server2 and Server3. Server2 and Server3 are configured in a load
balancing Remote Desktop Services farm named Farm1. You deploy the RD Connection Broker service on a new server named Server4. You confirm that the RD
Connection Broker works correctly.
You deploy a hardware load balancing device to handle the load distribution to the Remote Desktop Services farm. The device has specialized support for remote
desktop services and routing tokens. You discover that the RD Connection Broker no longer works correctly. You need to ensure that the RD Connection Broker
works correctly. Which Group Policy object (GPO) should you create and apply to the Remote Desktop Server farm?
A. A GPO that enables the Use IP Address Redirection policy setting in the RD Connection Broker section of the Remote Desktop Services Group Policy template.
B. A GPO that disables the Use IP Address Redirection policy setting in the RD Connection Broker section of the Remote Desktop Services Group Policy template.
C. A GPO that enables the Use RD Connection Broker load balancing policy setting in the RD Connection Broker section of the Remote Desktop Services Group
Policy template.
D. A GPO that disables the Use RD Connection Broker Load Balancing policy setting in the RD Connection Broker section of the Remote Desktop Services Group
Policy template.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use IP Address Redirection
If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a
client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm.
Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly
connect by IP address to RD Session Host servers in the load-balanced farm.
Source: http://technet.microsoft.com/en-us/library/ee791821(WS.10).aspx
QUESTION 340
You install the Web Server (IIS) server role on a server that runs Windows Server 2008 R2. You configure a Web site named contoso.com and a Web application
named Acctg on the Web server. The Web server runs out of disk space. You move Acctg to another drive on the Web server. The following table shows the
current application configuration:
Users report that they cannot access Acctg.
You need to enable users to access Acctg.
Which command should you run on the server?
A. appcmd add app /site.name: contoso /path:/Acctg /physicalPath:d:\Acctg
B. appcmd add app /site.name: contoso /path:/Acctg /physicalPath:f:\Acctg
C. appcmd set app /site.name: contoso /path:/Acctg /physicalPath:d:\Acctg
D. appcmd set app /site.name: contoso /path:/Acctg /physicalPath:f:\Acctg
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
* The mentioned answer does not work in real life, at least not on Windows Server 2008 R2 RTM. * But it is the answer whose syntax most closely matches the following:
appcmd set app /app.name: contoso/Acctg /[path='/Acctg'].physicalPath:F:\Acctg
Command Line
To change the path of an application's content, use the following syntax:
appcmd set app /app.name: string /[path='/'].physicalPath: string
The variable app.name string is the virtual path of the application, and physicalPath string is the physical path of the application's content. For example, to change the physical path of the location D:\Acctg for an application named Acctg in a site named contoso, type the following at the command prompt, and then press ENTER:
appcmd set app /app.name: contoso/Acctg /[path='/Acctg'].physicalPath:F:\Acctg
Source: http://technet.microsoft.com/nl-nl/library/cc725781(WS.10).aspx
QUESTION 341
You have a Terminal Server that runs Windows Server 2008. You need to configure the server to end any sessions that are inactive for more than one hour.
What should you do?
A. From Terminal Services Manager, create a new group.
B. From Terminal Services Manager, delete the inactive sessions.
C. From Terminal Services Configuration, modify the RDP-Tcp settings.
D. From Terminal Services Configuration, modify the User logon mode setting.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure the Terminal Server to end any sessions that are inactive for more than one hour, you need to modify the RDP-Tcp settings from Terminal Services Configuration.
You can configure the properties of the terminal server's RDP-TCP connection to provide better protection. You can set session time limits that help to ensure that sessions are not left unattended and active for long periods.
Reference: How Secure are Windows Terminal Services? / Securing the RDP-TCP Connection http://www.windowsecurity.com/articles/Windows_Terminal_Services.html
QUESTION 342
You have a server that runs Windows Server 2008. The server has the Windows Media Services server role installed.
You plan to distribute a video file on DVD media. Users will view the video while working on computers that are not connected to the Internet.
You need to distribute the video to users. You also need to protect the video from unauthorized use and illegal distribution. What should you do?
A. From Windows Media Services, publish the video as streaming content, and then burn the video to a DVD.
B. From Windows Media Services, advertise the video. Create a DVD that contains the HTML and ASPX files for the advertised video.
C. From Windows Media Digital Rights Manager, package the video and then advertise the video on the corporate Web site.
D. From Windows Media Digital Rights Manager, create a package and a license for the video file. Burn the packaged video to a DVD.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To distribute a video file on DVD media while making sure that the video file is protected from unauthorized use and illegal distribution, you need to create a
package and a license for the video file and then burn the packaged video to a DVD using Windows Media Digital Rights Manager.
Windows Media Rights Manager is the technology that allows you to package Windows Media DRM files and issues licenses. You can use Windows Media Rights
Manager to encrypt a given digital media file, lock it with a key, and bundle additional information from the content provider. This results in a packaged file that can
only be played by the person who has obtained a license. Windows Media Rights Manager can also act as the license clearing house, authenticating the
consumer's request for a license and issuing the license to the user.
Reference: Windows Media DRM FAQ
http://www.microsoft.com/windows/windowsmedia/forpros/drm/faq.aspx#drmfaq_1_1
QUESTION 343
Your company has an Active Directory domain. A server named Server1 runs Windows Server 2008 R2. The Remote Desktop Services server role and the RD
Web Access role service are installed on Server1.
You install the RD Gateway role service on Server1. You create the Remote Desktop connection authorization policy. Users report that they cannot connect to
Server1.
You need to ensure that users can connect to Server1.
What should you do?
A. Configure Network Access Protection (NAP) on Server1.
B. Configure the Remote Desktop Resource Authorization Policy (RD RAP) on Server1.
C. Create a Remote Desktop Group Policy object (GPO). Enable the Allow log on through Remote Desktop Services setting on the GPO. Link the GPO to the
domain.
D. Create a Remote Desktop Group Policy object (GPO). Enable the Set path for Remote Desktop Services Roaming User Profile setting on the GPO. Create an organizational unit (OU) named RDSUsers. Link the GPO to the RDSUsers OU.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal network resources (computers) that remote users can connect to
through an RD Gateway server. Remote users connecting to the network through an RD Gateway server are granted access to computers on the internal network if
they meet the conditions specified in at least one RD CAP and one RD RAP.
Source: http://technet.microsoft.com/en-us/library/cc772397.aspx
QUESTION 344
You manage a computer named FTPSrv1 that runs Windows Server 2008.
Your company policy requires that the FTP service be available only when required by authorized projects.
You need to ensure that the FTP service is unavailable after restarting the server.
What should you do?
A. Run the iisreset command on the FTPSrv1 server.
B. Run the net stop msftpsvc command on the FTP server.
C. Run the suspend-service msftpsvc cmdlet in Microsoft Windows PowerShell tool.
D. Run the WMIC /NODE:FTPSrv1 SERVICE WHERE caption="FTP Publishing Service" CALL ChangeStartMode "Disabled" command on the FTP server.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To make sure that the FTP service is unavailable after restarting the server, you need to run the WMIC /NODE:FTPSrv1 SERVICE WHERE caption="FTP Publishing Service" CALL ChangeStartMode "Disabled" command on this particular FTP server.
The WMI command-line (WMIC) utility provides a command-line interface for WMI. The /NODE switch allows you to specify computer names and synchronously execute all commands against all computers listed in this value. To disable the FTP service on the computer so that it does not start after a reboot, you need to use the ChangeStartMode "Disabled" method. Stopping the service (net stop) or restarting IIS (iisreset) only affects the running instance; the service would start again at the next boot.
Reference: http://msdn2.microsoft.com/en-us/library/aa394531(VS.85).aspx
Reference: Gathering WMI Data without Writing a Single Line of Code / System Configuration Changes
http://technet.microsoft.com/en-us/magazine/cc160919.aspx
QUESTION 345
Your company has an Active Directory domain. The company has a server named Server1 that has the Terminal Services role and the Terminal Services Web
Access role installed. All client computers run Windows XP Service Pack 2 (SP2).
You deploy and publish an application named TimeReport on Server1. The Terminal Services Web Access role uses Active Directory Domain Services (AD DS)
and Network Level Authentication is enabled.
You need to ensure that the users can launch TimeReport on Server1 from the Terminal Services Web Access Web page.
What should you do?
A. Disable publishing to AD DS for the TimeReport remote application.
B. Install the Remote Desktop Client 6.1 application on the client computers that run Windows XP SP2.
C. Publish TimeReport on Server1 as a Microsoft Windows Installer package. Distribute the Windows Installer package to the users.
D. Install the Terminal Services Gateway (TS Gateway) role on Server1. Reconfigure the TimeReport remote application publishing to reflect the change in the infrastructure.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that the users can launch TimeReport on Server1 from the Terminal Services Web Access Web page, you need to install the Remote Desktop Client 6.1 application on the client computers that run Windows XP Service Pack 2. This client adds support for Windows Server 2008 Terminal Services features such as Network Level Authentication.
Because the Remote Desktop Client 6.1 application supports Terminal Services Web Access, the Windows XP users can launch TimeReport on Server1 from their Terminal Services Web Access Web page.
Reference: Download Microsoft Remote Desktop Connection (Terminal Services Client 6.1) for Windows XP SP2
http://www.dabcc.com/article.aspx?id=8044
QUESTION 346
You manage 20 servers that run Windows Server 2008 R2. The Remote Desktop Services server role and the Windows System Resource Manager (WSRM)
feature are installed on all the servers.
You create and configure a resource-allocation policy that has the required custom settings on a server named TS01.
You need to configure the WSRM settings on all the servers to match the WSRM settings on TS01.
What should you do?
A. Use the Windows Backup tool to back up only the System State data on TS01. Use the Windows Backup tool to restore the System State data on each server.
B. Use the WSRM console on each server to enable the Accounting function. Configure the Remote WSRM accounting option to TS01 on each server.
C. Use the WSRM console on TS01 to export the WSRM information to a shared folder. Use the WSRM console to import the WSRM information from the shared
folder.
D. Use the regedit tool to export the HKLM\SYSTEM\CurrentControlSet\Services\WSRM registry key on TS01 to a shared folder. On each server, delete this
registry key and use the regedit tool to import the registry key from the shared folder.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Import or Export Criteria, Policies, and Schedules
You can import or export Windows System Resource Manager configuration information between computers.
Configuration information stored includes process matching criteria, resource allocation policies, calendar events and schedules, and conditional policies. In this
way, you can create management scenarios and then deploy them on other computers without performing the configuration multiple times.
Files Created and Imported
The files created by or imported by Windows System Resource Manager are:
Exporting and Importing Configuration Information
To export configuration information
1. Open Windows System Resource Manager.
2. In the navigation tree, right-click Windows System Resource Manager, and then click Export WSRM Information.
3. In Location, type a directory path where you want to save the configuration information, or click Browse to find the directory you want to use. When you have
entered the directory information, click OK.
4. Windows System Resource Manager creates four XML documents in the specified directory that contain information about criteria, policies, and schedules.
To import configuration information
1. Open Windows System Resource Manager.
2. In the navigation tree, right-click Windows System Resource Manager, and then click Import WSRM Information.
3. In Location, type a directory path where the configuration information you want to import is located, or click Browse to find the directory you want to use. When you have entered the directory information, click OK.
4. Windows System Resource Manager loads the XML files into its current configuration, overwriting any previous configuration data.
Source: http://technet.microsoft.com/en-us/library/cc771960(WS.10).aspx
QUESTION 347
You have the Web Server (IIS) role installed on a server that runs Windows Server 2008.
You make changes to the configuration of an application named APP1. Users report that the application fails. You examine the event log and discover the following
error message:
You need to ensure that users are able to connect to APP1.
Which command should you run at the command prompt on the server?
A. appcmd set config
B. appcmd stop apppool
C. appcmd start apppool
D. appcmd set apppool
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that users are able to connect to App1, you need to run appcmd start apppool on the server.
The 503 Service Unavailable error mostly occurs whenever HTTP.SYS, the kernel HTTP driver that manages http connections for IIS, fails to create an IIS worker
process to process the request. This failure is typically caused by a critical error during worker process initialization, or more likely an unhandled exception / access
violation occurring during worker process startup.
After a certain number of failures, the application pool will trigger Rapid Fail Protection, a WAS feature designed to stop application pools with a persistent failure
condition to avoid an endless loop of failing to start worker processes. At this point, all requests to applications within the stopped application pool will result in the
503 error, and the application pool will need to be restarted manually.
Reference: Troubleshooting IIS7 503 "Service unavailable" errors with startup debugging http://mvolo.com/blogs/serverside/archive/2007/05/19/TroubleshootingIIS7-503-_2200_Service-unavailable_2200_-errors-with-startup-debugging.aspx
QUESTION 348
Your company has a server that runs Windows Server 2008. The Windows SharePoint Services (WSS) role is installed on the Windows Server 2008 server.
You need to configure WSS to support SMTP.
What should you do?
A. Bind the SharePoint Web site to port 25.
B. Uninstall and reinstall the WSS role.
C. Install the SMTP Server feature by using the Server Manager console.
D. Install the Application Server role by using the Server Manager console.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure WSS to support SMTP, you should install the SMTP server feature through Server Manager Console. Based on SMTP, WSS works with any mail
server or SMTP gateway. It acts as an SMTP relay (it does not store mail, only forwards it) and handles all incoming and outgoing SMTP traffic. For most
installations, you'll simply have to modify your domain MX record and make a few configuration changes on your email server. When installing WSS on the same
host as your mail server, you must make additional configuration changes, such as SMTP port numbers.
Reference: http://www.networkcomputing.com/913/913sp3.html
QUESTION 349
Your company has a server named Server1 that runs Windows Server 2008 and Microsoft Hyper-V.
Server1 hosts three virtual machines.
Company policy states that the virtual machines must not connect to the company network.
You need to configure all of the virtual machines to connect to each other. You must meet the company policy.
Which two actions should you perform? (Each answer presents part of the solution. Choose two.)
A. Select the Not connected option for each virtual machine.
B. Enable the Enable virtual LAN identification option for each virtual machine.
C. Set the Connection to Host for the network interface card.
D. Set the Connection to None for the network interface card.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that all the virtual machines connect to each other and you meet the company policy also, you need to first enable the Enable virtual LAN identification
option for each virtual machine and then set the Connection to Host for the network interface card. You can use virtual LAN identification as a way to isolate network
traffic. However, this type of configuration must be supported by the physical network adapter.
Reference: Step-by-Step Guide to Getting Started with Hyper-V / To create a virtual network http://technet2.microsoft.com/windowsserver2008/en/library/c513e254-adf1-400e-8fcb-c1aec8a029311033.mspx?mfr=true
QUESTION 350
Your company has a new server that runs Windows Server 2008. The Web Server (IIS) role is installed.
Your company hosts a public Web site. You notice unusually high traffic volume on the Web site.
You need to identify the source of the traffic.
What should you do?
A. Enable the Web scripting option.
B. Run the netstat -an command on the server.
C. Create a custom view in Event Viewer to filter information from the security log.
D. Enable Web site logging in the IIS Server Manager and filter the logs for the source IP address.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To find the source of the unexpected traffic, you should open IIS Manager and enable Web site logging, then filter the logs by the source IP address (the c-ip field). The logs list the IP address of every client visiting the Web site, along with the requested URI, the response status, the user agent and other details, which is what you need to identify the origin of the traffic.
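As an added example that is not part of the original question set, the following Python script parses IIS W3C extended log lines (the default IIS log format, with a #Fields directive naming the columns) and ranks clients by request count, which is the "filter the logs for the source IP address" step of answer D. The log lines, IP addresses and field list are constructed sample data, not taken from the page.

```python
"""Rank client IP addresses in an IIS W3C extended log by request volume."""
from collections import Counter

# Constructed sample IIS log (not from the page). IIS writes a #Fields:
# directive that names the columns; the field order below is the common
# default for IIS 7 W3C logging. One deliberately malformed line is included.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-06-01 00:00:01 10.0.0.5 GET /default.htm - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 15
2008-06-01 00:00:02 10.0.0.5 GET /default.htm - 80 - 198.51.100.7 python-requests/2.0 200 0 0 7
2008-06-01 00:00:02 10.0.0.5 GET /admin - 80 - 198.51.100.7 python-requests/2.0 404 0 2 3
2008-06-01 00:00:03 10.0.0.5 GET /about.htm - 80 - 192.0.2.33 Mozilla/5.0+(Windows) 200 0 0 12
2008-06-01 00:00:03 10.0.0.5 GET /login.php - 80 - 198.51.100.7 python-requests/2.0 404 0 2 3
this line is truncated and must be skipped
2008-06-01 00:00:04 10.0.0.5 GET /default.htm - 80 - 198.51.100.7 python-requests/2.0 200 0 0 6
2008-06-01 00:00:05 10.0.0.5 GET /about.htm - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 14
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields.

    Directive lines (starting with '#') are consumed for the field list and
    otherwise ignored; request lines whose token count does not match the
    declared field count are skipped rather than mis-attributed.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line found before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def top_client_ips(text, n=5):
    """Return the n most frequent c-ip values as (ip, count) pairs."""
    counts = Counter(rec["c-ip"] for rec in parse_w3c(text))
    return counts.most_common(n)


def ip_summary(text):
    """Per client IP: request count, status-code histogram and distinct URIs.

    The status breakdown is what separates a busy legitimate client from a
    scanner that mostly produces 404s.
    """
    summary = {}
    for rec in parse_w3c(text):
        entry = summary.setdefault(
            rec["c-ip"], {"requests": 0, "status_codes": Counter(), "uris": set()}
        )
        entry["requests"] += 1
        entry["status_codes"][rec["sc-status"]] += 1
        entry["uris"].add(rec["cs-uri-stem"])
    return summary


if __name__ == "__main__":
    for ip, count in top_client_ips(SAMPLE_LOG, 3):
        codes = dict(ip_summary(SAMPLE_LOG)[ip]["status_codes"])
        print(f"{ip:15} {count:3} requests  status={codes}")
```

On a real server, point the script at the files under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>; the field order is read from the file itself, so a customised field selection still parses.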
QUESTION 351
Your company has a single Active Directory domain. All the servers run Windows Server 2008. You have a server named FS1 that has the File Services role
installed.
The company requires that the data disk drives provide redundancy.
The disks are configured as shown in the following exhibit.
You need to configure the hard disk drives to support RAID 1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Convert Disk 1 and Disk 2 to Dynamic.
B. Create a Striped Volume across Disk 1 and Disk 2.
C. Create a New Mirrored Volume by using Disk 1 and Disk 2.
D. Create a New Spanned Volume by using Disk 1 and Disk 2.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure the hard drives to support RAID 1, you should convert Disk 1 and Disk 2 to dynamic disks and create a new mirrored volume using Disk 1 and Disk 2. In data storage, disk mirroring (RAID 1) is the replication of logical disk volumes onto separate physical hard disks in real time to ensure continuous availability. A mirrored volume is a complete logical representation of separate volume copies.
Reference: technet2.microsoft.com/windowsserver/en/library/28af1c0d-8490-4ab0-8be0-49e5923c4bae1033.mspx
QUESTION 352
Your company named Contoso, Ltd. has a Network Load Balancing cluster named nlb.contoso.com. The cluster hosts are named WEB1 and WEB2. The cluster is
configured with a single port rule that evenly distributes HTTP traffic between both hosts.
You need to configure WEB2 to handle all HTTPS traffic for nlb.contoso.com. You must retain the even distribution of HTTP traffic between WEB1 and WEB2.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. In the properties for WEB2, change the Handling priority option for the TCP 443 port rule to the value of 1.
B. In the properties for WEB1, change the Handling priority option for the TCP 443 port rule to the value of 0.
C. In the properties for the cluster, create a new port rule for port TCP 443 that has the Filtering mode option set to Single host.
D. In the properties for the cluster, create a new port rule for port TCP 443 that has the Filtering mode option set to Multiple host and the Affinity option set to the value of Single.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Cluster Properties
Cluster Host Properties
QUESTION 353
You install the Windows SharePoint Services (WSS) role on a server that runs Windows Server 2008. You create a group named SPReviewers that will access
content on the WSS server.
You need to restrict the permissions for the SPReviewers group to viewing items, opening items, and viewing versions.
Which permissions should you configure for the SPReviewers group?
A. Read
B. Design
C. Contribute
D. Limited Access
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To restrict the permissions of the group to viewing items, opening items, and viewing versions, you need to assign Read permission. The Read permission level
includes the View Items, Open Items, View Pages, and View Versions permissions (among others), all of which are needed to read documents, items, and pages
on a SharePoint site.
Reference: About security features of Windows SharePoint Services 3.0 http://office.microsoft.com/en-us/sharepointtechnology/HA100215781033.aspx
QUESTION 354
Your company has a single Active Directory domain. All servers run Windows Server 2008 R2. You install an iSCSI storage area network (SAN) for a group of file
servers.
Corporate security policy requires that all data communication to and from the iSCSI SAN must be as secure as possible.
You need to implement the highest security available for communications to and from the iSCSI SAN.
What should you do?
A. Create a Group Policy object (GPO) to enable the System objects: Strengthen default permission of internal systems objects setting.
B. Create a Group Policy object (GPO) to enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.
C. Implement IPsec security in the iSCSI Initiator Properties. Set up inbound and outbound rules by using Windows Firewall.
D. Implement mutual Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) authentication in the iSCSI Initiator Properties. Set up inbound and outbound rules by using Windows Firewall.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Security
Microsoft iSCSI Initiator supports using and configuring Challenge Handshake Authentication Protocol (CHAP) and Internet Protocol security (IPsec). All supported
iSCSI HBAs also support CHAP; however, some may not support IPsec.
IPsec
IPsec is a protocol that provides authentication and data encryption at the IP packet layer. The Internet Key Exchange (IKE) protocol is used between peers to allow
the peers to authenticate each other and negotiate the packet encryption and authentication mechanisms to be used for the connection. Because Microsoft iSCSI
Initiator uses the Windows TCP/IP stack, it can use all of the functionality that is available in the Windows TCP/IP stack. For authentication, this includes preshared
keys, Kerberos protocol, and certificates. Active Directory is used to distribute the IPsec filters to computers running Microsoft iSCSI Initiator. 3DES and HMAC-SHA1 are supported, in addition to tunnel and transport modes. Because an iSCSI HBA has a TCP/IP stack embedded in the adapter, the iSCSI HBA itself implements IPsec and IKE, so the functionality that is available on the iSCSI HBA may vary. At a minimum, it supports preshared keys, 3DES and HMAC-SHA1. Microsoft iSCSI Initiator has a common API that is used to configure IPsec for Microsoft iSCSI Initiator and iSCSI HBAs.
Easier Firewall configuration for Windows Server 2008 R2 and Windows 7
Allowing the use of an Internet Storage Name Service (iSNS) server through the firewall is possible directly from the iSCSICLI command-line utility. However, you can still control it through Windows Firewall with Advanced Security, if desired.
To enable iSNS traffic for use with Microsoft iSCSI Initiator
Use the following command to enable iSNS traffic through the firewall. This allows you to use an iSNS server with the local Microsoft iSCSI Initiator:
iscsicli FirewallExemptiSNSServer
Source: http://technet.microsoft.com/en-us/library/ee338480.aspx
QUESTION 355
Your company has an Active Directory domain. The company has a server named Server1 that has the Remote Desktop Services server role and the RD Web
Access role service installed. The company has a server named Server2 that runs ISA Server 2006. The company deploys the Remote Desktop Gateway (RD
Gateway) role on a new server named Server3. The company wants to use ISA as the SSL endpoint for Remote Desktop connections. You need to configure the
RD Gateway role on Server3 to use ISA 2006 on Server2.
What should you do?
A. Configure the RD Gateway to use SSL HTTPS-HTTP bridging.
B. Configure the Remote Desktop Connection Authorization Policy Store on Server3 to use Server2 as the Central Network Policy Server.
C. Export the SSL certificate from Server2 and install the SSL certificate on Server3. Configure the RD Gateway to use the SSL certificate from Server2.
D. Export a self-signed SSL certificate from Server3 and install the SSL certificate on Server2. Configure the ISA service on Server2 to use the SSL certificate from Server3.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To enhance security for an RD Gateway server, you can configure Microsoft Internet Security and Acceleration (ISA) Server or a non-Microsoft product to function as a Secure Sockets Layer (SSL) bridging device. The SSL bridging device can enhance security by terminating SSL sessions, inspecting packets, and reestablishing SSL sessions. You can configure ISA Server communication with the RD Gateway server in either of the two following ways:
HTTPS-HTTPS bridging. In this configuration, the RD Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTPS request to the RD Gateway server, for maximum security.
HTTPS-HTTP bridging. In this configuration, the RD Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTP request to the RD Gateway server.
To use HTTPS-HTTPS or HTTPS-HTTP bridging, you must enable the Use SSL Bridging setting on the RD Gateway server.
Source: http://technet.microsoft.com/en-us/library/cc772387.aspx
QUESTION 356
You install the Web Server (IIS) role on a server that runs Windows Server 2008. Your company's human resources department has a Web site named www.contoso.com/hr. You need to create a virtual directory on the company Web site for the HR department.
Which command should you run on the Web server?
A. appcmd add app /app.name:contoso /path:/hr /physicalPath:c:\websites\hr
B. appcmd add site /name:hr /physicalPath:c:\websites\hr
C. appcmd add vdir /app.name:contoso /path:/hr /physicalPath:c:\websites\hr
D. appcmd set vdir /vdir.name:hr /path:/hr /physicalPath:c:\websites\hr
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The syntax to add a virtual directory to the root application in a site is:
appcmd add vdir /app.name:string/ /path:string /physicalPath:string
The variable app.name string is the site name, and the / following the name specifies that the virtual directory should be added to the root application of the site. The variable path string is the virtual path of the virtual directory, such as /sl, and physicalPath string is the physical path of the virtual directory's content in the file system.
For example, to add a virtual directory named sl with a physical location of c:\websites\sl to the root application in a site named contoso, type the following at the command prompt:
appcmd add vdir /app.name:contoso/ /path:/sl /physicalPath:c:\websites\sl
Reference: IIS 7.0: Create a Virtual Directory
http://technet2.microsoft.com/windowsserver2008/en/library/87d8a3d7-8d90-4626-8f85-3c782ec9a5331033.mspx?mfr=true
QUESTION 357
You have two servers named FC1 and FC2 that run Windows Server 2008 R2 Enterprise. Both servers have the Failover Clustering feature installed. You configure
the servers as a two-node cluster. The cluster runs an application named APP1. Business hours for your company are 09:00 to
17:00. APP1 must be available during these hours. You configure FC1 as the preferred owner for APP1. You need to prevent failback of the cluster during business
hours.
What should you do?
A. Set the Period option to 8 hours in the Failover properties.
B. Set the Allow failback option to allow failback between 17 and 9 hours in the Failover properties.
C. Enable the Prevent failback option in the Failover properties.
D. Enable the If resource fails, attempt restart on current node policy for all APP1 resources. Set the Maximum restarts for specified period to 0.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Failback timing
You can set a group to fail back to its preferred node as soon as the Cluster service detects that the failed node has been restored, or you can instruct the Cluster
service to wait until a specified hour of the day, such as after peak business hours.
Important
Failback only occurs when you have defined a preferred nodes list for a resource group and failback is allowed for that resource group. If you specify that a group
failback to a preferred node and then restart the node to test the failback policy you set, the resource group will not failback. A resource group will not failback when
a node is restarted after a planned shutdown and restart. To test the failback policy, you must press the reset button on the node.
Source: http://technet.microsoft.com/en-us/library/cc737785.aspx
QUESTION 358
You have a Terminal Server that runs Windows Server 2008.
You create a Windows Installer package for Microsoft Office Word 2007 by using Terminal Services RemoteApp (TS RemoteApp). You install the package on a
client computer.
You double-click on a Word document and receive the following error. Windows cannot open this file. You need to ensure that you can open the Word document by
double-clicking on the file.
What should you do?
A. Recreate the Windows Installer package.
B. Modify the file association on the client computer.
C. Modify the file association on the TS RemoteApp server.
D. Install the Windows Installer package by using msiexec.exe.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 359
Your company has an Active Directory domain. The company runs Remote Desktop Services. All Remote Desktop Services accounts are configured to allow
session takeover without permission. A user has logged on to a server named Server2 by using an account named User1. The session ID for User1 is 1337.
You need to perform a session takeover for session ID 1337.
Which commands should you run?
A. Chgusr 1337 /disable, and then Tscon 1337
B. Takeown /U User1 1337, and then Tscon 1337
C. Tsdiscon 1337, and then Chgport /U User1 1337
D. Tsdiscon 1337, and then Tscon 1337
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Wrong answers:
chgport
Lists or changes the COM port mappings to be compatible with MS-DOS applications.
Source: http://technet.microsoft.com/en-us/library/cc771976(WS.10).aspx
chgusr
Changes the install mode for the terminal server.
Source: http://technet.microsoft.com/en-us/library/cc755189(WS.10).aspx
takeown
Enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file.
Source: http://technet.microsoft.com/en-us/library/cc753024(WS.10).aspx
QUESTION 360
You have a server that runs Windows Server 2008. You install the Windows Media Services server role on the server. You plan to publish an audio file to the
Internet by using Media Server.
You need to create a license for the audio file.
What should you do first?
A. Publish the audio file to a new Web site.
B. Publish the audio file to the Windows Media Services server.
C. Package the audio file as a Windows Installer application.
D. Package the audio file by using Windows Media Rights Manager.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 361
You manage a new server that runs Windows Server 2008 R2. You plan to install the Streaming Media Services server role on the server.
Users will access content on the new server by using Windows Media Player for Windows 7 and Windows Media Player for Mac.
You need to install the Streaming Media Services server role on the server to support both media players.
What should you do?
A. Install Session Initiation Protocol (SIP).
B. Install Simple Object Access Protocol (SOAP).
C. Install Stream Control Transmission Protocol (SCTP).
D. Install RPC over HTTPS.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
SCTP: not supported on the Mac.
SIP: call signaling for VoIP.
SOAP: Web service object access.
QUESTION 362
You implement a member server that runs Windows Server 2008 R2. The member server has the Web Server (IIS) role installed. The member server also hosts
intranet Web sites.
Your company policy has the following requirements:
Use encryption for all authentication traffic to the intranet Web site.
Authenticate users by using their Active Directory credentials.
Avoid the use of SSL on the Web server for performance reasons.
You need to configure all the Web sites on the server to meet the company policy.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Configure the Basic Authentication setting on the server to Enabled.
B. Configure the Digest Authentication setting on the server to Enabled.
C. Configure the Windows Authentication setting on the server to Enabled.
D. Configure the Anonymous Authentication setting on the server to Disabled.
E. Configure the Active Directory Client Certificate Authentication setting on the server to Enabled.
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 363
You have a server that runs Windows Server 2008 Enterprise Edition. The server has the Failover Clustering feature installed. The server has three nodes named
NODE1, NODE2, and NODE3.
The Microsoft Distributed Transaction Coordinator (MSDTC) resource is installed on the cluster. The cluster has a dedicated cluster group named Group1 that
includes the MSDTC resource.
You discover that Group1 is unable to failover to NODE3 from NODE1 or NODE2. The failover from NODE1 to NODE2 functions without errors.
You need to configure Group1 to support the failover between all cluster nodes.
What should you do?
A. Remove the MSDTC resource from Group1.
B. Select NODE3 as a preferred owner for Group1.
C. Remove NODE3 as a possible owner from all cluster resources in Group1.
D. Configure NODE3 as a possible owner for all cluster resources in Group1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 364
You have 10 servers that run Windows Server 2008 R2. The servers have the Web Server (IIS) server role installed. The servers are members of a Web server
farm. The servers host the same Web site.
You need to configure the servers to meet the following requirements:
Allow changes to the Web server configurations that are made on one server to be made on all servers in the farm.
Minimize administrative effort to perform the configuration changes.
What should you do?
A. On all servers, configure the Shared Configuration settings.
B. On one server, configure the Shared Configuration setting.
C. On one server, create a scheduled task that copies the Inetpub folder to the other servers.
D. Create a DFS Namespace. On each server, configure the Inetpub folder as the target of the DFS Namespace.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure settings to use shared configuration files and encryption keys
1. Open IIS Manager and click the server node. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
2. In Features View, double-click Management Service.
3. On the Management Service page, in the Actions pane, click Stop.
4. In the toolbar, click the back button.
5. In Features View, double-click Shared Configuration.
6. Select Enable shared configuration to enable the Shared Configuration feature.
7. Under Configuration Location, in the Physical path box, type the physical path or click the browse button (...) to locate the physical path of the configuration
directory.
8. In the User name box, type a user name of an account that has access to the configuration directory. Then in the Password and Confirm Password boxes, type
the password associated with this user account.
9. In the Actions pane, click Apply.
10. In the Encryption Keys Password dialog box, in the Enter encryption key password box, type the password that is used to access the encryption keys in the
configuration directory. Then click OK.
Note: This is the password that was specified when the configuration files and encryption keys were exported.
11. Close IIS Manager and then reopen it. In the Connections pane, click the server node.
12. In Features View, double-click Management Service.
13. On the Management Service page, in the Actions pane, click Start.
Source: http://technet.microsoft.com/en-us/library/cc771871(WS.10).aspx
QUESTION 365
You have a server that runs Windows Server 2008 R2 and has the Hyper-V server role installed. You create a new virtual machine.
You need to configure the virtual machine to meet the following requirements:
Allow network communications between the virtual machine and the host system.
Prevent communications to other network servers.
What should you do first?
A. Install the Microsoft Loopback Adapter.
B. Create a new Virtual Network.
C. Enable Internet Connection Sharing (ICS).
D. Set the Connection to None for the network interface card.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 366
Your company has a server named VS1 that runs Windows Server 2008 and Microsoft Hyper-V. VS1 hosts 10 virtual machines. You need to configure VS1 to shut
down each virtual machine before the server shuts down.
What should you do?
A. Create a shutdown script on each virtual machine.
B. Install Integration Services on each virtual machine.
C. Enable the Turn off the virtual machine option in the Automatic stop action properties on each virtual machine.
D. Enable the Shut down the guest operating system option in the Automatic stop action properties on each virtual machine.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 367
You install the FTP role service on a server that runs Windows Server 2008 R2. Users receive an error message when they attempt to upload files to the FTP site.
You need to allow authenticated users to upload files to the FTP site.
What should you do?
A. Run the ftp -a 192.168.1.200 command on the server that runs Windows Server 2008.
B. Run the appcmd unlock config command on the server that runs Windows Server 2008.
C. Configure Write permissions on the FTP site. Configure the NTFS permissions on the FTP destination folder for the Authenticated Users group to Allow - Modify.
D. Configure Write permissions on the FTP site. Configure the NTFS permissions on the FTP destination folder for the Authenticated Users group to Allow - Write attributes.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 368
You have the Web Server (IIS) server role installed on a server that runs Windows Server 2008 R2. You create a Web site named contoso.com. You copy an
application named WebContent to the server.
You need to enable the WebContent application on the Web site.
What should you do?
A. At the command prompt on the server, run the appcmd add site command.
B. At the command prompt on the server, run the appcmd add vdir command.
C. Select the Web site from the Internet Information Services (IIS) Manager console. Select Add Application.
D. Select the Web site from the Internet Information Services (IIS) Manager console. Select Add Virtual Directory.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 369
Your company has a single Active Directory domain. You have a server named WDS1 that runs Windows Server 2008. You install the Windows Deployment
Services (WDS) role on WDS1.
You capture an image of a reference computer. You deploy the image to 30 client computers. The client computers have the same name.
You need to ensure that each client computer receives a unique security identifier.
What should you do?
A. Create an image group by using the WDS snap-in. Redeploy the image to the client computers.
B. Run the imagex /append "computername" command at the command prompt on the WDS1 server. Redeploy the image to the client computers.
C. Run the wdsutil /answerclients:all command at the command prompt on the WDS1 server.
Redeploy the image to the client computers.
D. Run the wdsutil /set-server /prestageusingMAC:yes command at the command prompt on the WDS1 server. Redeploy the image to the client computers.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 370
Your company named Contoso, Ltd. has a two-node Network Load Balancing cluster. The cluster is intended to provide high availability and load balancing for only
the intranet Web site. The name of the cluster is web.contoso.com.
You discover that Contoso users can see the Network Load Balancing cluster in the network neighborhood and can connect to various services by using the
web.contoso.com name. The web.contoso.com Network Load Balancing cluster is configured with only one port rule. You need to configure the web.contoso.com
Network Load Balancing cluster to accept only HTTP traffic.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Log on to one of the cluster nodes and run the wlbs disable all command.
B. Open the Network Load Balancing Clusters console and delete the default port rules.
C. Open the Network Load Balancing Clusters console and create a new Allow rule for TCP port 80.
D. Open the Network Load Balancing Clusters console and change the default port rule to a disabled port range rule.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The following procedure describes how to configure NLB on the Web tier for a typical deployment.
To configure NLB on the Web tier
1. Open properties for the front-end adapter (for communicating with clients on the Internet).
2. In the Network Load Balancing Properties dialog box, on the Cluster Parameters tab, type the Primary IP address (the virtual IP address shared across all cluster members), Subnet Mask, and Full Internet name.
3. In the Network Load Balancing Properties dialog box, on the Host Parameters tab, type the Priority (Unique host ID), Dedicated IP address, and Subnet Mask.
4. In the Network Load Balancing Properties dialog box, on the Port Rules tab, remove the default port rule covering ports 0 to 65535 by selecting the port rule, then clicking Remove.
5. Create a port rule for HTTP using the information in the following table, and then click Add.
Source: http://technet.microsoft.com/en-us/library/ee784931(CS.20).aspx
QUESTION 371
You install the Web Server (IIS) role and the SMTP Server feature on a server that runs Windows Server 2008.
You need to configure the new SMTP server to forward mail to the mail server of the Internet Service Provider (ISP).
What should you do?
A. Configure the smart host setting to use the local host.
B. Configure the smart host setting to use the mail server of the ISP.
C. Run the appcmd /delivery method:PickupDirectoryFromIis command.
D. Configure the SMTP delivery setting to Attempt direct delivery before sending to smart host.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 372
You have a server that runs Windows Server 2008. The server has the Windows Server virtualization role service installed and has one virtual machine. The virtual
machine runs Windows Server 2008.
You plan to install a new application on the virtual machine.
You need to ensure that you can restore the virtual machine to its original state in the event the application installation fails.
What should you do?
A. Log on to the virtual host and enable the Remote Differential Compression feature.
B. Log on to the virtual host and enable the Windows Recovery Disk feature.
C. From the Virtualization Management Console, create a snapshot.
D. From the Virtualization Management Console, save the state of the virtual machine.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 373
You install the Web Server (IIS) role on a server that runs Windows Server 2008 R2. Your company's default Web site has an IP address of 10.10.0.1.
You add a Web site named HelpDesk. The HelpDesk Web site cannot be started.
You need to configure the Helpdesk Web site so that it can be started.
What should you do?
A. Run the iisreset /enable command on the server.
B. Configure the Helpdesk Web site to use a host header.
C. Run the appcmd add site /name:HelpDesk /id:2 /physicalPath:c:\HelpDesk /binding:http/*:80:helpdesk command on the server.
D. Run the set-location -literalpath "d:\HelpDesk_content" HelpDesk ID:2 location port:80 domain:helpdesk command in the Microsoft Windows PowerShell tool on the server.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Configure a Host Header for a Web Site (IIS 7)
Host headers (also known as domain names or host names) let you assign more than one site to a single IP address on a Web server.
To configure a host header for a site
1. Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
2. In the Connections pane, expand the Sites node in the tree, and then select the site for which you want to configure a host header.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, select the binding for which you want to add a host header and then click
Edit or click Add to add a new binding with a host header.
5. In the Host name box, type a host header for the site, such as www.contoso.com.
6. Click OK.
7. To add an additional host header, create a new binding with the same IP address and port, and the new host header. Repeat for each host header that you want
to use this IP address and port.
Source: http://technet.microsoft.com/en-us/library/cc753195(WS.10).aspx
QUESTION 374
Your company named Contoso, Ltd. has a Web server named WEB1.
The Web server runs Windows Server 2008. The fully qualified domain name of WEB1 is web1.contoso.com. The public DNS server has an alias record named
owa.contoso.com that maps to web1.contoso.com. Users access WEB1 from the Internet by using http://owa.contoso.com.
The new company security policy states that the owa.contoso.com site must be available for Internet users only through secure HTTP (HTTPS) protocol. The
security policy also states that users must not get security warnings when they connect to the site.
You need to request a certificate from a public certification authority (CA).
Which Common Name should you use?
A. Contoso, Ltd.
B. owa.contoso.com
C. WEB1
D. web1.contoso.com
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 375
You manage a server named Server2 that runs Windows Server 2008 R2. You install and test the Remote Desktop Services server role on Server2. You publish an
application by using Remote Desktop Services. All users must connect to the Remote Desktop Services application by using the Remote Desktop Protocol.
You install and configure the RD Gateway role service on Server2. You configure a default domain policy to enable the Enable Connection through RD Gateway
setting. Users report that they cannot connect to the Remote Desktop Services application. You need to ensure that users can access the Remote Desktop
Services application on the intranet and from the Internet.
What should you do?
A. Configure the Enable Connection through RD Gateway Group Policy setting to Disabled.
B. Configure the Set RD Gateway server address Group Policy and configure the IP address of the RD Gateway server. Link the Group Policy object (GPO) to the
domain.
C. Configure Server Authentication on the Remote Desktop Connection client to Always connect, even if server authentication fails for all users.
D. Enable the Set RD Gateway server authentication method Group Policy to the Ask for credential, use NTLM protocol setting. Link the Group Policy object (GPO)
to the domain.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
How to use the Group Policy Management Console (GPMC) to enable connections through RD Gateway: when this policy setting is enabled and Remote Desktop Services clients cannot connect directly to an internal network resource (computer), the clients attempt to connect to the computer through the RD Gateway server that is specified in the Set RD Gateway server address policy setting.
Source: http://technet.microsoft.com/en-us/library/cc726011.aspx
QUESTION 376
Your company has a single Active Directory domain. All the servers run Windows Server 2008 R2. You have a server named FS1 that has the File Services server
role installed. The disks are configured as shown in the following exhibit.
You need to create a new drive volume to support data striping with parity.
What should you do?
A. Add another disk. Create a New RAID-5 Volume.
B. Create a new Striped Volume by using Disk 1 and Disk 2.
C. Create a New Mirrored Volume by using Disk 1 and Disk 2.
D. Create a New Spanned Volume by using Disk 1 and Disk 2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 377
Your company has four regional offices. You install the Windows Deployment Services (WDS) role on the network.
Your company creates three images for each office. There are a total of 12 images for the company. The images will be used as standard images for workstations.
You deploy the images by using WDS.
You need to ensure that each administrator can view only the images for his or her regional office.
What should you do?
A. Create a global group for each regional office and place the computers in the appropriate global group.
B. Create an organizational unit (OU) for each regional office and place the computers in the appropriate OU.
C. Place all images into a single image group on the WDS server. Grant each administrator permissions to the image group.
D. Place each regional office into a separate image group on the WDS server. Grant each administrator permissions to his or her regional office's image group.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Image group: Each image group has a unique name and an ACL to specify users who are allowed to deploy OS images from the image group. An image group may
contain multiple OS image containers. Source: http://msdn.microsoft.com/en-us/library/dd891274%28v=prot.10%29.aspx
QUESTION 378
Your company has an Active Directory domain. The company runs Remote Desktop Services.
Standard users who connect to the Remote Desktop Session Host Server are in the TSUsers organizational unit (OU). Administrative users are in the TSAdmins
OU. No other users connect to the Remote Desktop Session Host Server.
You need to ensure that only members of OU1 can run the Remote Desktop Protocol files.
What should you do?
A. Create a Group Policy object (GPO) that configures the Allow .rdp files from unknown publishers policy setting in the Remote Desktop Client Connection
template to Disabled. Apply the GPO to the TSUsers OU.
B. Create a Group Policy object (GPO) that configures the Allow .rdp files from valid publishers and users default .rdp settings policy setting in the Remote Desktop
Client Connection template to Disabled. Apply the GPO to the TSUsers OU.
C. Create a Group Policy object (GPO) that configures the Allow .rdp files from valid publishers and users default .rdp settings policy setting in the Remote Desktop
Client Connection template to Enabled. Apply the GPO to the TSAdmins OU.
D. Create a Group Policy object (GPO) that configures the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy setting in the
Remote Desktop Client Connection template to Enabled. Apply the GPO to the TSAdmins OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that only members of the TermSerAdmin OU can run the Remote Desktop Protocol files, you need to enable the Allow .rdp files from valid publishers and
users default .rdp settings policy setting in the Remote Desktop Client Connection template.
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A
valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store.
This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote
Desktop Connection [RDC] client without specifying an .rdp file). If you enable this policy setting, users can run .rdp files that are signed with a valid certificate.
Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm
whether they want to connect.
If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly
opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has
been blocked.
Reference: Remote Desktop Connection Client
http://technet2.microsoft.com/windowsserver2008/en/library/76fb7e12-b823-429b-9887-05dc70d28d0c1033.mspx?mfr=true
QUESTION 379
You have installed the Web Server (IIS) role on a server that runs Windows Server 2008. The company uses SMTP for email.
You need to prevent unauthorized transmissions without disrupting valid email traffic.
A. Create a firewall rule to block all outbound SMTP traffic.
B. Configure High alert items to be removed in Windows Defender.
C. Enable the TLS encryption option in the outbound security settings.
D. Add an SMTP relay restriction that limits access to authorized servers on the network.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 380
You have a Windows Server 2008 IIS server. Your company uses SMTP email. You want to prevent the sending of unauthorized email and restrict SMTP only to internal servers without affecting the current mail flow.
What should you do?
A. Block all outbound email with a Windows Firewall rule.
B. Disable the high alerts in Windows Defender.
C. Enable TLS encryption on the outbound security settings.
D. Add an SMTP relay restriction that allows SMTP relaying only from the servers in your domain.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 381
Your network contains a server named Server1 that has Microsoft SharePoint Foundation 2010 installed.
You configure the incoming email settings to use the SharePoint Directory Management service to create distribution groups and contacts in an organizational unit
(OU) named OU1. You need to ensure that email distribution groups created from SharePoint are automatically created in OU1.
What should you do?
A. From Central Administration, create a new trust relationship.
B. From Central Administration, modify the Directory Management Service Approval List.
C. From Active Directory Users and Computers, delegate permissions to the SharePoint 2010 Timer service account in OU1.
D. From Active Directory Users and Computers, delegate permissions to the SharePoint Central Administration v4 application pool identity in OU1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Configure Active Directory
Incoming email uses the Microsoft SharePoint Directory Management Service to connect SharePoint sites to the directory services used by your organization. If you enable the Microsoft SharePoint Directory Management Service, users can create and manage distribution groups from SharePoint sites. SharePoint lists that use email can then be found in directory services, such as the Address Book. You must also select which distribution group requests from SharePoint lists require approval.
The Microsoft SharePoint Directory Management Service can be installed on a server in the farm, or you can use a remote Microsoft SharePoint Directory Management Service. To use the Microsoft SharePoint Directory Management Service on a farm or server, you must configure the Central Administration application pool identity account to have the Create, delete, and manage user accounts right to the container that you specify in Active Directory. The preferred way to do this is by delegating the right to the Central Administration application pool identity account. An Active Directory administrator must set up the organizational unit (OU) and delegate the Create, delete, and manage user accounts right to the container. The advantage of using the Microsoft SharePoint Directory Management Service on a remote farm is that you do not have to delegate rights to the organizational unit for multiple farm service accounts.
If the application pool account for Central Administration is different from the application pool account for the Web application of the list or site that is enabled for email, you must use the application pool account for the Web application when completing the following procedures. You must then delegate additional rights to the Central Administration application pool account.
The following procedures are performed on a domain controller that runs Microsoft Windows Server 2003 SP1 (with DNS Manager) and Microsoft Exchange Server 2003 SP1. In some deployments, these applications might run on multiple servers in the same domain.
Important: Membership in the Domain Administrators group or delegated authority for domain administration is required to complete this procedure.
Create an organizational unit in Active Directory
1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the folder for the second-level domain that contains your server farm, point to New, and then click
Organizational Unit.
3. Type the name of the organizational unit, and then click OK.
After creating the organizational unit, we recommend that you delegate the Create, delete, and manage user accounts right to the container.
Important: Membership in the Domain Administrators group or the Enterprise Administrators group in Active
Directory, or delegated authority for administration, is required to complete this procedure.
Delegate right to the application pool account
1. In Active Directory Users and Computers, find the organizational unit that you just created.
2. Right-click the organizational unit, and then click Delegate control.
3. On the Welcome page of the Delegation of Control Wizard, click Next.
4. On the Users and Groups page, click Add, and then type the name of the application pool identity account that the Web application uses.
5. In the Select Users, Computers, and Groups dialog box, click OK.
6. On the Users or Groups page of the Delegation of Control Wizard, click Next.
7. On the Tasks to Delegate page of the Delegation of Control Wizard, select the Create, delete, and manage user accounts check box, and then click Next.
8. On the last page of the Delegation of Control Wizard, click Finish to exit the wizard.
If you must add permissions for the application pool identity account directly, complete the following procedure.
Important: Membership in the Account Operators group, Domain Administrators group, or the Enterprise
Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Add permissions for the application pool account
1. In Active Directory Users and Computers, click the View menu, and then click Advanced Features.
2. Right-click the organizational unit that you just created, and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. Click Add, and then type the name of the application pool identity account for the Web application.
5. Click OK.
6. In the Permission Entries section, double-click the application pool identity account.
7. In the Permissions section, under Allow, select the Modify permissions check box.
8. Click OK to close the Permissions dialog box.
9. Click OK to close the Properties dialog box.
10. Click OK to close the Active Directory Users and Computers plug-in.
If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you must know the URL for the Web service. This URL is typically in the following format: http://server:adminport/_vti_bin/SharePointEmailWS.asmx.
Source: http://technet.microsoft.com/en-us/library/cc262947.aspx
QUESTION 382
Your network contains a server named Server1 that has Microsoft SharePoint Foundation 2010 installed.
You install the Office Web Apps Feature on Server1.
You need to ensure that users can use their Web browsers to open the Microsoft Office Word documents stored in the SharePoint site collections.
What should you do first?
A. Activate the Office Web Apps Feature.
B. Install the Office File Converter Pack on Server1.
C. Install Microsoft Office Professional 2010 on Server1.
D. Create a new Web application named Office Web Apps.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Understanding Office Web Apps (Installed on SharePoint 2010 Products)
Microsoft Office Web Apps is the online companion to the Office Word, Excel, PowerPoint and OneNote applications that enables users, regardless of their location, to access and edit documents. Users can view, share, and work on documents with others online across personal computers, mobile phones, and the Web. Office Web Apps is available to users through Windows Live and to business customers with Microsoft Office 2010 volume licensing and document management solutions based on Microsoft SharePoint 2010 Products.
Integration with SharePoint 2010 Products
Office Web Apps is tightly integrated with SharePoint 2010 Products. When you install Office Web Apps, the Office Web Apps Services are added to the list of
SharePoint Services and the Office Web Apps Feature is added to the available SharePoint Features. Office Web Apps services include the Word Viewing Service,
PowerPoint Service, and Excel Calculation Services that are created and run within the context of SharePoint Services. The Office Web Apps Feature and services
integrate with SharePoint's robust enterprise content management capabilities to provide users the ability to access and work on your organization's documents
from anywhere using a Web browser.
Understanding the Office Web Apps user experience
Viewing and editing Office documents
Office Web Apps gives users a browser-based viewing and editing experience by providing a representation of an Office document in the browser. When a user
clicks on a document stored in a SharePoint document library, the document opens directly in the browser. The document appears in the browser similar to how it
appears in the Office client application. The Web app also provides many of the same editing features as an Office client application. Office Web Apps provides this
representation of an Office Word document, PowerPoint presentation, Excel workbook, or OneNote notebook using native browser objects such as HTML,
JavaScript, and images. Each document type is handled differently depending on the Office Web Apps services started and whether the Office Web Apps Feature
is activated. A document in the Word Web App, PowerPoint Web App, or Excel Web App can be edited in the browser or can be opened for editing in the
associated Office client application. If while viewing or working in a Web app a user clicks the Edit in Browser button on the Home tab of the toolbar, the user can
perform light editing tasks in the browser. A notebook in the OneNote Web App can be edited in the browser natively without having to click the Edit in Browser
button or it can be opened for editing in the OneNote client application by clicking Open in OneNote.
If while in a Web app a user clicks the Open in Word, Open in PowerPoint, Open in Excel, or Open in OneNote button on the toolbar, the document will open in the associated Office client application if it is installed on the client computer.
Improving the user experience with Silverlight
Silverlight is a free plugin that can provide richer Web experiences for many browsers. The Silverlight plugin is not required to be installed on the client browser to use Office Web Apps. However, having the Silverlight plugin installed on the browser can provide the following benefits:
- When using the Word Web App on browsers with the Silverlight plugin installed, users can experience faster page loading, improved text fidelity at full zoom, ClearType tuner settings support, and improved accuracy in location of search string instances when using the find on this page feature.
- When using the PowerPoint Web App on browsers with the Silverlight plugin installed, users can experience faster page loading, animations will appear smoother than without, and presentation slides will scale with the browser window size.
Having Silverlight installed on the client browser does not provide any additional benefits in Excel Web App and OneNote Web App.
Source: http://technet.microsoft.com/en-us/library/ff431685.aspx
QUESTION 383
Your network contains a server farm that has Microsoft SharePoint Foundation 2010 installed.
You need to ensure that users can receive SMS alerts.
What should you do?
A. Configure the User Alerts settings.
B. Configure the Send To Connections.
C. Modify the Outgoing Email Settings.
D. Modify the Mobile Accounts Settings.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Configure a mobile account (SharePoint Foundation 2010) This article discusses how to configure and manage a mobile account for Microsoft SharePoint
Foundation 2010 to enable users to subscribe to alerts that are sent by using Short Message Service (SMS). The alerts are sent to users' mobile phones when
changes are made to a SharePoint list or item. The mobile alert feature resembles a feature that already exists in SharePoint Foundation 2010 that enables
outgoing email alerts. However, instead of receiving alerts via email when changes are made in a SharePoint list or item, users receive the alerts on their mobile
phones. For more information about email alerts, see Configure outgoing email (SharePoint Foundation 2010). A SharePoint site is usually located on an intranet.
As a result, access to the SharePoint site can be difficult when users are away from the office -- for example, when they are traveling or attending a business
dinner. The mobile alert feature enables users to react quickly when they receive an SMS alert that an item in a SharePoint list has changed.
Configure a mobile account
You can configure a mobile account for a server farm or for a specific Web application, either by using Central Administration or Windows PowerShell.
Note: If you cannot configure a mobile account, you may have the wrong certificate file. In that case, contact your service provider.
To configure or edit a mobile account for a server farm by using Central Administration
1. Verify that you have the following administrative credentials:
To configure a mobile account for a server farm, you must be a member of the Farm Administrators group on the computer that is running the SharePoint Central
Administration Web site.
2. On the Central Administration Home page, click System Settings.
3. On the System Settings page, in the Email and Text Messages (SMS) section, click Configure mobile account.
4. On the Mobile Account Settings page, in the Text Message (SMS) Service Settings section, click the Microsoft Office Online link to access a list of service
providers.
5. On the Find an Office 2010 Mobile Service Provider page, in the Choose your wireless service provider's country/region list, select the country or region in which
your wireless service provider is located.
6. On the Find an Office 2010 Mobile Service Provider page, in the Choose your current wireless service provider list, select the wireless service provider that you
want to use. After you make this selection, you are directed to the Web site of the service provider that you selected. On the Web site, you apply for the SMS
service. When you receive the required information from the service provider, return to the Mobile Accounts Settings page.
7. In the The URL of Text Message (SMS) Service box, type the URL of the SMS service. Note: Ensure that the service URL you enter is an HTTPS URL.
8. In the User Name box and Password box, type the user name and password that you received from the SMS service provider.
9. To confirm that the URL and user credentials are correct, click Test Service.
10. Click OK.
Source: http://technet.microsoft.com/en-us/library/ee428292.aspx
QUESTION 384
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2.
Server1 is an SMTP server. Server2 has Microsoft SharePoint Foundation 2010 installed. On Server2, you configure Server1 as an outbound email server. You
discover that users never receive email alerts and invitations. You need to ensure that users receive email alerts and invitations.
What should you do?
A. On Server1, modify the relay restrictions.
B. On Server1, modify the connection control settings.
C. On Server2, create a Send To Connection.
D. On Server2, modify the Mobile Account Settings.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To change the SMTP Virtual Server Relay Restrictions, use the Internet Information Services (IIS) 6.0 Manager. This is an IIS role service (IIS 6 Management Console) that must be installed separately on Windows Server 2008 R2.
QUESTION 385
Your network contains a server farm that has Microsoft SharePoint Foundation 2010 installed. The farm contains two Web applications named WebApp1 and
WebApp2. You need to ensure that WebApp1 is enabled for outgoing e-mail.
What should you configure on WebApp1?
A. the General settings
B. the Manage Features
C. the Service Connections settings
D. the User Policy
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Section: SharePoint
Explanation:
To configure outgoing email for a specific Web application by using Central Administration
1. Verify that you have the following administrative credentials: You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.
2. In Central Administration, in the Application Management section, click Manage web applications.
3. On the Web Applications Management page, select a Web application, and then in the General Settings group on the Ribbon, click Outgoing Email.
4. On the Web Application Outgoing Email Settings page, in the Mail Settings section, type the SMTP server name for outgoing email (for example, mail.fabrikam.com) in the Outbound SMTP server box.
5. In the From address box, type the email address (for example, the site administrator alias) as you want it to be displayed to email recipients.
6. In the Reply-to address box, type the email address (for example, a help desk alias) to which you want email recipients to reply.
7. In the Character set list, click the character set that is appropriate for your language.
8. Click OK.
QUESTION 386
Your network contains a server that has Microsoft SharePoint Foundation 2010 installed.
You need to configure the incoming e-mail settings to use the Automatic settings mode.
What should you do first?
A. Configure the outgoing email settings.
B. Configure the Message Queuing feature.
C. Install the SMTP Server feature.
D. Install the Message Queuing Triggers feature.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
When incoming email is enabled, SharePoint sites can receive and store email messages and attachments in lists and libraries. This article describes two scenarios, one basic and one advanced. The basic scenario applies to a single-server farm environment and is recommended if you want to use default settings, whereas the advanced scenario applies to a single-server farm or a multiple-server farm and contains several advanced options from which to choose.
Install and configure the SMTP service
Incoming email for SharePoint Foundation 2010 uses the SMTP service. You can use the SMTP service in one of two ways. You can install the SMTP service on
one or more servers in the farm, or administrators can provide an email drop folder for email that is forwarded from the service on another server.
Install the SMTP service
If you are not using a drop folder for email, the SMTP service must be installed on every front-end Web server in the farm that you want to configure for incoming
email. To install the SMTP service, use the Add Features Wizard in Server Manager. After the procedure is complete, a default SMTP configuration has been
created. You can customize this default SMTP configuration to meet the requirements of your environment.
To install the SMTP service
1. Verify that you have the following administrative credentials:
- You must be a member of the Administrators group on the local computer.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In Server Manager, click Features.
4. In Features Summary, click Add Features to open the Add Features Wizard.
5. On the Select Features page, select SMTP Server.
6. In the Add Features Wizard dialog box, click Add Required Features, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, ensure that the installation finished successfully, and then click Close.
Source: http://technet.microsoft.com/en-us/library/cc287879.aspx
QUESTION 387
Your network contains a server named Server1 that has Microsoft SharePoint Foundation 2010 installed.
Server1 contains a Web application named WebApp1.
You activate the Office Web Apps Feature on WebApp1.
When users open Microsoft Office Word documents from WebApp1, the documents open in Word.
You need to ensure that when users open Word documents from WebApp1, the documents open in a Web browser.
What should you do?
A. Deactivate the OpenInClient feature.
B. Run the Set-SPWebApplication cmdlet.
C. Restart the SharePoint 2010 User Code Host service.
D. Recycle the SharePoint Web Services Root application pool.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Configure the default open behavior for documents
In SharePoint, you can configure whether browser-enabled documents are opened in a client application or in the browser. By default, when Office Web Apps is installed, Office documents will open in the browser. You can override this setting using the SharePoint OpenInClient feature. The OpenInClient feature can be configured in Central Administration or by using the SPFeature cmdlet in Windows PowerShell. How documents open in SharePoint varies depending on whether the OpenInClient feature is present, and either enabled or disabled:
- If the OpenInClient feature is not present and Office Web Apps is not installed, documents will open in the client application (SharePoint default).
- If the OpenInClient feature is not present, Office Web Apps is installed and Office Web Apps service applications are activated, documents will open in the browser (Office Web Apps default).
- If the OpenInClient Feature is present and enabled, and Office Web Apps service applications are activated, documents will open in the client application.
- If the OpenInClient Feature is present and disabled, and Office Web Apps service applications are activated, documents will open in the browser.
Source: http://technet.microsoft.com/en-us/library/ee837425.aspx
QUESTION 388
You install the Windows Deployment Services (WDS) role on a server that runs Windows Server 2008 R2.
When you attempt to upload spanned image files to the WDS server, you receive an error message. You need to ensure that the image files can be uploaded.
What should you do?
A. Grant the Authenticated Users group Full Control on the \REMINST directory.
B. Run the wdsutil /Convert command at the command prompt on the WDS server.
C. Run the imagex /Export command at the command prompt to export *.swm files to one destination *.wim on the WDS server.
D. Run the wdsutil /add-image /imagefile:\\server\share\sources\install.wim /imagetype:install command for each component file individually at the command prompt on the WDS server.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Known issues with creating images
You cannot add split .wim (.swm) files to your Windows Deployment Services server. Instead, you must combine the split images into a single .wim file.
Source: http://download.microsoft.com/download/b/b%2F5/bb50037f-e4ae-40d1-a898-7cdfcf0ee9d8/WS08_STEP_BY_STEP_GUIDE/Step-by StepGuideForWindowsDeploymentServicesInWindowsServer2008_En.doc
One can combine multiple .swm files into a .wim file with imagex.exe:
imagex /export src_file src_number|src_name dest_file dest_name {/boot | /check | /compress [type] | /ref [splitwim.swm] | /temp | /logfile filename.log}
Exports a copy of the specified .wim file to another .wim file. The source and destination files must use the same compression type. You can also optimize an image by exporting to a new image file. When you modify an image, ImageX stores additional resource files that increase the overall size of the image. Exporting the image will remove unnecessary resource files.
src_file - Specifies the file path of the .wim file that contains the image to be copied.
src_number - Specifies the number of the specific volume within the .wim file.
src_name - Specifies the name that identifies the image in the source .wim file.
dest_file - Specifies the file path of the .wim file that will receive the image copy.
dest_name - Specifies the unique name for the image in the destination .wim file.
/ref splitwim.swm - Enables the reference of split .wim files (SWMs). splitwim.swm is the name and location of additional split files. Wildcards are accepted.
Source: http://technet.microsoft.com/en-us/library/dd799302%28WS.10%29.aspx
Image Merge
Merge the previously split image file back into a single image file:
imagex /ref c:\data\splitmerge\output2\splitmerge*.swm /check /export c:\data\splitmerge\output2\splitmerge.swm 1 c:\data\splitmerge\output3\splitmerge.wim "splitmerge" /COMPRESS maximum
Source: http://www.verboon.info/index.php/2009/10/splitting-and-merging-image-files-with-imagex/
* I've changed the answer from wdsutil /Export to imagex /Export because I couldn't verify the answer in the dump.*
QUESTION 389
Your company has a single Active Directory domain named contoso.com. All servers in the domain run Windows Server 2008 R2.
The DNS Server server role is installed on two domain controllers named DC1 and DC2. Both DNS servers host Active Directory-integrated zones that are
configured to allow the most secure updates only.
DC1 has Key Management Service (KMS) installed and activated. You discover that the service locator records from the contoso.com zone hosted on DC1 and
DC2 are missing.
You need to force registration of the KMS service locator records in the contoso.com zone.
What should you do?
A. Configure the contoso.com zone to accept non-secure updates.
B. On DC1 at the command prompt, run the slmgr.vbs rearm script.
C. On DC1 at the command prompt, run the net stop slsvc command, and then run the net start slsvc command.
D. On DC2 at the command prompt, run the net stop netlogon command, and then run the net start netlogon command.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A KMS host will automatically update its SRV entries if the software licensing service (slsvc.exe)
detects that the computer name or TCP port has changed during service startup. It will also update
them once each day, in order to ensure that they are not automatically removed (scavenged) by the
DNS system.
Source: http://download.microsoft.com/download/c/3/8/c3815ed7-aee7-4435-802b8e855d549154/VolumeActivation2.0Step-By-StepGuide.doc
QUESTION 390
Your company has a single Active Directory domain named contoso.com. The domain has two domain controllers and 60 member servers. All servers run Windows
Server 2008 R2. One of the domain controllers has Key Management Service (KMS) installed and activated. All servers use KMS auto-discovery to find the KMS
server. You need to change the port used by KMS from its default port to port 12200.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Restart the slsvc service on the KMS server.
B. Restart the DNS Server service on the KMS server.
C. On the KMS server at the command prompt, run the slmgr.vbs skms KMSServer:12200 command.
D. On the client computers at the command prompt, run the slmgr.vbs skms KMSServer:12200 command.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To change the port of the KMS server:
Sets the TCP communications port on a KMS host. Replace PortNumber with the TCP port number to use. The default setting is 1688.
slmgr.vbs /sprt PortNumber
Source: http://technet.microsoft.com/en-us/library/ff793407.aspx
Restart the slsvc service:
A KMS host will automatically update its SRV entries if the software licensing service (slsvc.exe) detects that the computer name or TCP port has changed during service startup. It will also update them once each day, in order to ensure that they are not automatically removed (scavenged) by the DNS system.
Source: http://download.microsoft.com/download/c/3/8/c3815ed7-aee7-4435-802b-8e855d549154/VolumeActivation2.0Step-ByStepGuide.doc
Force the KMS client to update the port number:
If configuring KMS clients to use auto-discovery, they automatically choose another KMS host if the original KMS host does not respond to renewal requests. If not using auto-discovery, update the KMS client computers that were assigned to the failed KMS host by running Slmgr.vbs /skms. To avoid this scenario, configure KMS clients to use auto-discovery. For more information, see the Volume Activation Deployment Guide.
Source: http://technet.microsoft.com/en-us/library/ff793439.aspx
OR
Configuring KMS Hosts (Server)
Sets the TCP communications port on a KMS host. Replace PortNumber with the TCP port number to use. The default setting is 1688.
Slmgr.vbs /sprt PortNumber
The Software Licensing Service must be restarted for any changes to take effect. To restart the Software Licensing Service, use the Microsoft Management Console (MMC) Services snap-in, or run the following command at an elevated command prompt:
net stop sppsvc && net start sppsvc
Configuring KMS Clients
This section describes concepts for installing and configuring computers as KMS clients. By default, Volume Licensing editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are KMS clients. If the computers the organization wants to activate using KMS are using any of these operating systems and the network allows DNS auto-discovery, no further configuration is needed. If a KMS client is configured to search for a KMS host using DNS but does not receive SRV records from DNS, Windows 7 and Windows Server 2008 R2 log the error in the event log.
Manually Specifying a KMS Host
You can manually assign a KMS host to KMS clients by using KMS host caching. Manually assigning a KMS host disables auto-discovery of KMS on the KMS client. Manually assign a KMS host to a KMS client by running:
slmgr.vbs /skms <value>:<port>
where value is either the KMS_FQDN, IPv4Address, or NetbiosName of the KMS host and port is the TCP port on the KMS host.
Source: http://technet.microsoft.com/en-us/library/ff793409.aspx
"You must restart the SLSVC service (Vista/2008) or SPPSVC (Win7/R2)"
Source: http://blogs.technet.com/b/askcore/archive/2009/03/09/kms-error-0xc004c008-activating-client.aspx
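The port change and service restart described above, scripted end to end on the KMS host with a check that the SRV record actually picked up the new port. This is an added example, not from the page or the Microsoft guides it cites; the port 12200 and zone contoso.com come from the question, and the script assumes an elevated PowerShell session on the KMS host.

```powershell
# Added example: move a KMS host to a new TCP port, restart the Software
# Licensing Service so the host re-publishes its _VLMCS._tcp SRV record, and
# verify the result on both the host and in DNS.
# Assumptions: run elevated on the KMS host; zone contoso.com and port 12200
# are taken from the question.
param(
    [int]$Port = 12200,
    [string]$Zone = 'contoso.com'
)

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# 1. Set the listening port on the host (default is 1688).
& cscript.exe //nologo $slmgr /sprt $Port

# 2. Restart the licensing service. The service name depends on the OS:
#    slsvc on Vista/Server 2008, sppsvc on Windows 7/Server 2008 R2.
$svc = Get-Service -Name 'sppsvc', 'slsvc' -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $svc) {
    throw 'Software Licensing Service (sppsvc/slsvc) not found on this host.'
}
Restart-Service -Name $svc.Name -Force
Write-Output "Restarted $($svc.Name); host re-registers _VLMCS._tcp.$Zone at startup."

# 3. Host-side check: /dlv reports the port the KMS host is listening on.
& cscript.exe //nologo $slmgr /dlv | Select-String -Pattern 'Listening on Port'

# 4. DNS-side check: auto-discovery clients read this SRV record, so it must
#    show the new port. Nothing has to change on the clients themselves.
$srv = nslookup -type=SRV "_vlmcs._tcp.$Zone" 2>$null
$srv
if (-not ($srv | Select-String -Pattern "port\s*=\s*$Port")) {
    Write-Warning ("SRV record does not show port $Port yet: DNS may not have " +
                   "replicated, or the secure-update zone rejected the host's " +
                   "dynamic update.")
}
```

If the warning fires on a zone that allows secure updates only, the host's computer account must be the owner of the existing record; a record left behind by a previous host or created by hand has to be removed before the service can overwrite it.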
QUESTION 391
You have a server that runs Windows Server 2008 R2. The server has the Hyper-V server role installed.
You create a new virtual machine and perform an installation of Windows Server 2003 on the virtual machine.
You configure the virtual machine to use the physical network card of the host server. You notice that you are unable to access network resources from the virtual
machine. You need to ensure that the virtual host can connect to the physical network.
What should you do?
A. On the host server, install the Microsoft Loopback adapter.
B. On the host server, enable the Multipath I/O feature.
C. On the virtual machine, install the Microsoft Loopback adapter.
D. On the virtual machine, install Microsoft Hyper-V Integration Components.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Networking and virtual machines
To connect a virtual machine to a virtual network, you add a virtual network adapter to the virtual machine and then connect the virtual network adapter to an
existing virtual network. There are two types of network adapters available for Hyper-V: a network adapter and a legacy network adapter. The network adapter is
designed specifically for Hyper-V and requires a virtual machine driver that is included with the Hyper-V integration services. This type of networking adapter
provides better performance than a legacy network adapter and is the recommended choice when it can be used. Because this type of virtual network adapter
requires integration services in the guest operating system, it can be used only with guest operating systems for which integration services are available.
Note: If a network adapter is configured for a virtual machine but integration services are not installed in the guest operating system, Device Manager lists the network adapter as an unknown device.
Source: http://technet.microsoft.com/en-us/library/cc816585.aspx
Integration services
Integration services are available for supported guest operating systems as described in the following table.
Windows 2003 SP2
Guest operating system - Device and service support
Windows Server 2003 (x64 editions) with Service Pack 2 - Drivers: IDE, SCSI, networking, video, and mouse. Services: operating system shutdown, time synchronization, data exchange, heartbeat, and online backup. Note: This operating system does not support a legacy network adapter.
Windows Server 2003 (x86 editions) with Service Pack 2 - Drivers: IDE, SCSI, networking, video, and mouse. Services: operating system shutdown, time synchronization, data exchange, heartbeat, and online backup.
Source: http://technet.microsoft.com/en-us/library/cc794868(WS.10).aspx
QUESTION 392
You have two servers that run Windows Server 2008 R2 Enterprise. Both servers have the Failover Clustering feature installed. You configure the servers as a two-node cluster. The cluster nodes are named NODE1 and NODE2.
You have an application named PrintService that includes a print spooler resource. You need to configure the cluster to automatically return the PrintService
application to NODE1 after a failover.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Set the Period (hours) option to 0 in the properties of the print spooler resource.
B. Move NODE1 to the top of the list of preferred owners for the PrintService application.
C. Enable the Allow Failback and Immediate options for the PrintService application.
D. Disable the If restart is unsuccessful, failover all resources in this server or application option in the properties of the print spooler resource.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Preferred nodes list defined
If you define a complete preferred nodes list for a group (that is, one listing all the nodes in the cluster), then the Cluster service uses this defined list as its internal
list. However, if you define a partial preferred nodes list for a group, then the Cluster service uses this defined list as its internal list and appends any other installed
nodes not on the preferred list, ordered by their node IDs. For example, if you created a 5-node cluster (installing the nodes in the order Node1, Node2, Node3,
Node4, and Node5) and defined Node3, Node4, and Node5 as preferred owners for the resource group, PRINTGR1, the Cluster service would maintain this
ordered list for PRINTGR1: Node3, Node4, Node5, Node1, Node2. How the Cluster service uses this list depends on whether the resource group move is due to a
resource/node failure or a manual move group request.
Preferred lists and resource or node failures
For resource group or node failures, the group fails over to the node next to the current owner on the preferred nodes list. In the example above, if the resource
group PRINTGR1 on Node3 fails, then the Cluster service would fail that group over to the next node on the list, Node4. If you allow failback for that group, then
when Node3 comes up again, the Cluster service will fail back PRINTGR1 to that node.
Source: http://technet.microsoft.com/en-us/library/cc737785.aspx
QUESTION 393
A server runs Windows Server 2008 R2. The Remote Desktop Services server role is installed on the server.
You deploy a new application on the server. The application creates files that have an extension of .xyz.
You need to ensure that users can launch the remote application from their computers by double- clicking a file that has the .xyz extension.
What should you do?
A. Configure the Remote Desktop Connection Client on the users' computers to point to the server.
B. Configure the application as a published application by using a Remote Desktop Program file.
C. Configure the application as a published application by using a Microsoft Windows Installer package file.
D. Configure the application as a published application by using a Remote Desktop Web Access Web site.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Launching Apps from the Desktop
For users who want to double-click documents to launch the application, terminal services now provides the ability to "install" the remote application's link to the desktop. This process effectively wraps the RemoteApp's RDP file into a Windows Installer package (an MSI file) that is later installed to desktops in the environment.
At the same time, the installed MSI can modify the file extension associations on the desktop to reroute a double-clicked file to its associated RemoteApp on the terminal server. Figure 3 shows how the file extension associations have been modified on a client system after a Word RemoteApp is installed. Now, double-clicking any of the common Word file extensions will launch Word via the Remote Desktop Connection.
Figure 3: File extension associations that have been altered to launch the Remote Desktop Connection
To create a Windows Installer package out of an existing RemoteApp, first navigate to the TS RemoteApp Manager. Right-click the RemoteApp of interest and select Create Windows Installer Package. By default, all created Windows Installer packages are stored in the location C:\Program Files\Packaged Programs, but this location can be changed from within the RemoteApp Wizard. Also configurable within the wizard are the name and port for the server that will host the RemoteApp, as well as server authentication, certificate settings, and TS Gateway settings. Settings that relate to the application's location after installation to a candidate desktop are shown in Figure 4.
As you can see, it is possible to create a shortcut on the desktop as well as to a location within the Start menu folder. The most important checkbox on this screen is at the very bottom. It's the checkbox for Take over client settings, and it re-associates any file extension associations for the RemoteApp from the local desktop to the terminal server. This checkbox must be selected if you want users to be able to double-click documents to launch their TS-hosted application. Click Next and Finish to complete the wizard.
Please Note: Since Windows Server 2008 R2, Terminal Services (TS) is rebranded to Remote Desktop Services (RDS).
Source: http://technet.microsoft.com/en-us/query/dd314392
QUESTION 394
You have a server that runs Windows Server 2008 R2. The server has Remote Desktop Web Access (RD Web Access) installed.
Several line-of-business applications are available on the server by using RD Web Access.
You install a new application on the server.
You need to make the application available through RD Web Access.
What should you do?
A. From the command prompt, run the mstsc.exe command and specify the /v parameter.
B. From the RD Web Access Web site, specify the data source for RD Web Access.
C. From RemoteApp Manager, add the application to the RemoteApp Programs list.
D. From the Local Users and Groups snap-in, add the users to the TS Web Access Computers group.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Once you've installed a RemoteApp, enabling it for TS Web Access is done by right-clicking the configured RemoteApp in the TS RemoteApp Manager and selecting Show in TS Web Access.
Please Note: Since Windows Server 2008 R2, Terminal Services (TS) is rebranded to Remote Desktop Services (RDS).
Source: http://technet.microsoft.com/en-us/query/dd314392
QUESTION 395
You have a server that runs the Remote Desktop Gateway (RD Gateway) role service. Users need to connect remotely through the gateway to desktop computers
located in their offices. You create a security group named Remote1 for the users who need to connect to computers in their offices.
You need to enable the users to connect to the RD Gateway.
What should you do?
A. Add the Remote1 security group to the local remote desktop users group on the RD Gateway server.
B. Create a connection authorization policy. Add the Remote1 security group and enable Device redirection.
C. Create a resource authorization policy. Add the Remote1 security group and enable Users to connect to any resource.
D. Create a Group Policy object and enable the Set RD Gateway authentication method properties to Ask for credentials, use Basic protocol. Apply the policy to the RD Gateway server.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A Remote Desktop connection authorization policy (RD CAP) specifies which user groups are allowed to connect through the RD Gateway, so adding Remote1 to an RD CAP is what grants these users access to the gateway; a resource authorization policy (RD RAP) only controls which internal computers an already-authorized user may reach.
Once you've installed a RemoteApp, enabling it for TS Web Access is done by right-clicking the configured RemoteApp in the TS RemoteApp Manager and selecting Show in TS Web Access.
Please Note: Since Windows Server 2008 R2, Terminal Services (TS) is rebranded to Remote Desktop Services (RDS).
Source: http://technet.microsoft.com/en-us/query/dd314392
QUESTION 396
Your network contains a server that has Microsoft SharePoint Foundation 2010 installed.
You need to ensure that a user named User1 can use Windows PowerShell to back up SharePoint site collections.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the Add-SPShellAdmin cmdlet.
B. Run the Start-SPAssignment cmdlet.
C. Add User1 to the Farm Administrators group.
D. Add User1 to the local Backup Operators group.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Group memberships required to run backup and restore operations in Central Administration
You must ensure that all user accounts that will be backing up or restoring your farm and farm components by using Central Administration have the group memberships that are described in the following table.
Required group memberships
Setting permissions for running backup and restore operations by using Windows PowerShell
You must ensure that all user accounts that will be backing up or restoring your farm and farm components by using Windows PowerShell are added to the SharePoint_Shell_Access role for a specified database and have the permissions described in the table later in this section. You can run the Add-SPShellAdmin cmdlet to add a user account to this role. You must run the command for each user account. Moreover, you must run the command for all databases to which you want to grant access.
Add-SPShellAdmin -Username <User account> -Database <Database ID>
Source: http://technet.microsoft.com/en-us/library/ee748626.aspx
QUESTION 397
Your network contains a server that runs Windows Server 2008 R2. The server has Microsoft SharePoint Foundation 2010 installed.
You create a new Web application named WebApp1. Webapp1 is configured to use a service account named Service1.
You need to ensure that the password for Service1 is automatically changed every 30 days.
What should you modify from Central Administration?
A. the Authentication Providers
B. the Managed Accounts settings
C. the Password Management Settings
D. the Service Account settings
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Configure managed accounts
You need to register managed accounts with the farm to make the accounts available to multiple services. You can register a managed account by using the Register Managed Account page in Central Administration. There are no options on the Register Managed Account page to create an account in Active Directory Domain Services, or on the local computer. The options can be used to register an existing account on the SharePoint Foundation 2010 farm. Perform the steps in the following procedure to use Central Administration to configure managed account settings.
To configure managed account settings by using Central Administration
1. Verify that the user account that is performing this procedure is a farm administrator.
2. On the Central Administration Web site, select Security.
3. Under General Security, click Configure managed accounts.
4. On the Managed Accounts page, click Register Managed Account.
5. In the Account Registration section of the Register Managed Account page, enter the service account credentials.
6. In the Automatic Password Change section, select the Enable automatic password change check box to allow SharePoint Foundation 2010 to manage the
password for the selected account. Next, enter a numeric value that indicates the number of days prior to password expiration that the automatic password change
process will be initiated.
7. In the Automatic Password Change section, select the Start notifying by email check box, and then enter a numeric value that indicates the number of days prior
to the initiation of the automatic password change process that an email notification will be sent. You can then configure a weekly or monthly email notification
schedule.
8. Click OK.
Source: http://technet.microsoft.com/en-us/library/ff607826.aspx
QUESTION 398
Your network contains a server that runs Windows Server 2008 R2. The server has Microsoft SharePoint Foundation 2010 installed.
You create a new Web application named WebApp1.
You need to configure WebApp1 to meet the following requirements:
Internal users must be authenticated by using Kerberos authentication. External users must be authenticated by using NTLM authentication.
What should you do first?
A. Extend WebApp1.
B. Modify the User Policy.
C. Modify the Permissions Policy.
D. Configure the Alternate Access Mappings.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Extend a Web application
If you want to expose the same content in a Web application to different types of users by using additional URLs or authentication methods, you can extend an
existing Web application into a new zone. When you extend the Web application into a new zone, you create a separate Internet Information Services (IIS) Web site
to serve the same content, but with a unique URL and authentication type. An extended Web application can use up to five network zones (Default, Intranet,
Internet, Custom, and Extranet). For example, if you want to extend a Web application so that customers can access content from the Internet, you select the
Internet zone and choose to allow anonymous access and grant anonymous users read-only permissions. Customers can then access the same Web application as
internal users, but through different URLs and authentication settings. For more information, see Configure anonymous access for a claims-based Web application
(SharePoint Foundation 2010), and Plan authentication methods (SharePoint Foundation 2010).
Source: http://technet.microsoft.com/en-us/library/cc288162.aspx
QUESTION 399
Your company runs Remote Desktop Services. You plan to install an application update for the lobapp.exe application on the Remote Desktop Session Host Server.
You find instances of the lobapp.exe processes left behind by users who have disconnected.
You need to terminate all instances of the lobapp.exe processes so that you can perform an application update.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the Get-Process cmdlet on the Remote Desktop Session Host Server.
B. Run the Tskill lobapp /a command on the Remote Desktop Session Host Server.
C. End all instances of lobapp.exe in the Remote Desktop Services Manager console.
D. Run the Tasklist /fi "IMAGENAME eq lobapp.exe" command on the Remote Desktop Session Host Server.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Wrong Answers:
Tasklist
Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool.
Source: http://technet.microsoft.com/en-us/library/cc730909(WS.10).aspx
Get-Process
Although the following will work for a single instance:
(Get-Process lobapp).Kill()
This will not work on multiple instances:
(Get-Process lobapp).Kill()
But one could argue that using the ForEach-Object cmdlet circumvents the issue:
(Get-Process lobapp)|ForEach-Object {$_.Kill()}
However, because this requires more than just the Get-Process cmdlet, I choose to render this answer invalid.
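As an added example that is not part of the original question bank: a PowerShell function that does what the Get-Process discussion above only sketches, terminating every instance of a named process one by one (lobapp is the hypothetical application from the question) and returning a record per instance so the maintenance run can be checked. It assumes it is run in an elevated session on the RD Session Host.

```powershell
# Added example, not from the original question bank. Terminates every running
# instance of a named process (lobapp.exe from the question is hypothetical) so that
# an application update can proceed, and returns one record per instance.
function Stop-OrphanedProcess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Name,                 # process name without the .exe suffix

        [int] $WaitMilliseconds = 5000  # how long to wait for each instance to exit
    )

    # Get-Process only enumerates; @() guarantees an array even for a single match
    # (or none), so .Count behaves the same way on PowerShell 2.0.
    $instances = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($instances.Count -eq 0) {
        Write-Verbose "No '$Name' processes are running."
        return
    }

    # Kill() must be invoked on each Process object individually, which is the
    # point made above about (Get-Process lobapp).Kill() and several instances.
    foreach ($p in $instances) {
        $record = New-Object PSObject -Property @{
            Id        = $p.Id
            SessionId = $p.SessionId
            Stopped   = $false
            Error     = $null
        }

        # -WhatIf lists what would be stopped without touching any session.
        if ($PSCmdlet.ShouldProcess("PID $($p.Id) in session $($p.SessionId)", "Stop $Name")) {
            try {
                $p.Kill()
                # WaitForExit returns $false if the process is still alive after the timeout.
                $record.Stopped = $p.WaitForExit($WaitMilliseconds)
            }
            catch {
                # Typically an access-denied error when the session is not elevated.
                $record.Error = $_.Exception.Message
            }
        }
        $record
    }
}

# Dry run first, then the real thing:
#   Stop-OrphanedProcess -Name lobapp -WhatIf
#   Stop-OrphanedProcess -Name lobapp -Verbose | Format-Table Id, SessionId, Stopped, Error
```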
QUESTION 400
You install the Web Server (IIS) server role on two servers named Server1 and Server2. The servers run Windows Server 2008 R2.
Your company has a Web site named www.contoso.com hosted on Server1. The Web site is due for maintenance. The Web content must be available during
maintenance. You create a mirror Web site located on Server2.
You need to configure the www.contoso.com site to redirect requests to Server2.
What should you do first?
A. Run the appcmd set config /section:httpRedirect /enabled:true command.
B. Run the appcmd set config /section:httpRedirect /enabled:false command.
C. Run the appcmd set site /site.name:contoso /-bindings.[protocol='http',www.contoso.com] command.
D. Run the appcmd set site /site.name:contoso /+bindings.[protocol='http',www1.contoso.com] command.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To enable redirection
You can perform this procedure by running Appcmd.exe commands in a command-line window.
Command Line
To enable or disable redirection, use the following syntax:
appcmd set config /section:httpRedirect /enabled:true|false /destination:location
By default, the redirection feature is disabled, but you can enable it by specifying true for the enabled attribute and configuring the location to which to redirect users in the destination attribute. For example, if you want to enable redirection and redirect users to http://www.contoso.com, type the following at the command prompt, and then press ENTER:
appcmd set config /section:httpRedirect /enabled:true /destination:http://www.contoso.com
Source: http://technet.microsoft.com/en-us/library/cc732930(WS.10).aspx
QUESTION 401
You install the Web Server (IIS) server role on a new server that runs Windows Server 2008 R2. You install a Microsoft .NET Framework application on a Web site
on the Web server. The application launches a process that presents a real-time graphical report to the Web browser and creates a text report file on the hard disk
drive.
The company security policy states that the application must not perform any of the following tasks:
Write to the event log.
Access Open Database Connectivity (ODBC) data sources.
Make network or Web service calls.
You need to configure the Web site so that the application can be executed. You must ensure that the application meets the outlined security requirements.
What should you do?
A. Set the .NET Framework trust level to Full for the Web site.
B. Set the .NET Framework trust level to Low for the Web site.
C. Set the .NET Framework trust level to High for the Web site.
D. Set the .NET Framework trust level to Medium for the Web site.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use the .NET Trust Levels feature page to set the trust element in the web.config file. The trust element enables you to configure the level of code access security (CAS) that is applied to an application.
Full (internal) - Specifies unrestricted permissions. Grants the ASP.NET application permissions to access any resource that is subject to operating system security. All privileged operations are supported.
High (web_hightrust.config) - Specifies a high level of code access security, which means that the application cannot do any one of the following things by default:
Call unmanaged code.
Call serviced components.
Write to the event log.
Access Message Queuing service queues.
Access ODBC, OleDb, or Oracle data sources.
Medium (web_mediumtrust.config) - Specifies a medium level of code access security, which means that, in addition to High Trust Level restrictions, the ASP.NET application cannot do any of the following things by default:
Access files outside the application directory.
Access the registry.
Make network or Web service calls.
Low (web_lowtrust.config) - Specifies a low level of code access security, which means that, in addition to Medium Trust Level restrictions, the application cannot do any of the following things by default:
Write to the file system.
Call the Assert method.
Minimal (web_minimaltrust.config) - Specifies a minimal level of code access security, which means that the application has only execute permissions.
Source: http://technet.microsoft.com/en-us/library/cc754779.aspx
QUESTION 402
You install the Web Server (IIS) on a server that runs Windows Server 2008 R2. You install a Microsoft .NET Framework application on a Web site that is hosted on
the server in a folder named \wwwroot.
The .NET Framework application must write to a log file that resides in the \Program Files\WebApp folder.
You need to configure the .NET Framework trust level setting for the Web site so that the application can write to the log file.
What should you do?
A. Set the .NET Framework trust level to Full for the Web site.
B. Set the .NET Framework trust level to High for the Web site.
C. Set the .NET Framework trust level to Minimal for the Web site.
D. Set the .NET Framework trust level to Medium for the Web site.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use the .NET Trust Levels feature page to set the trust element in the web.config file. The trust
element enables you to configure the level of code access security (CAS) that is applied to an
application. Full (internal) - Specifies unrestricted permissions. Grants the ASP.NET application
permissions to access any resource that is subject to operating system security. All privileged
operations are supported.
High (web_hightrust.config) - Specifies a high level of code access security, which means that the
application cannot do any one of the following things by default:
Call unmanaged code.
Call serviced components.
Write to the event log.
Access Message Queuing service queues.
Access ODBC, OleDb, or Oracle data sources.
Medium (web_mediumtrust.config) - Specifies a medium level of code access security, which
means that, in addition to High Trust Level restrictions, the ASP.NET application cannot do any of
the following things by default:
Access files outside the application directory.
Access the registry.
Make network or Web service calls.
Low (web_lowtrust.config) - Specifies a low level of code access security, which means that, in
addition to Medium Trust Level restrictions, the application cannot do any of the following things
by default:
Write to the file system.
Call the Assert method.
Minimal (web_minimaltrust.config) - Specifies a minimal level of code access security, which
means that the application has only execute permissions.
Source: http://technet.microsoft.com/en-us/library/cc754779.aspx
QUESTION 403
You have a server that runs Windows Server 2008 R2. The server has the Web Server (IIS) server role and the FTP Service role service installed.
You add a new FTP site to the server.
You need to ensure that the new FTP site is available. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Run the iisreset command on the server.
B. Configure an alternate TCP port in the FTP site properties.
C. Configure an alternate IP address in the FTP site properties.
D. Configure a host header file in the default Web site properties.
E. Configure an alternate IP address in the default Web site properties.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Creating Multiple FTP Sites
You can create multiple FTP sites using multiple IP addresses and multiple ports. While creating multiple sites with multiple IP addresses is a common and
recommended practice, it can be more complicated because, by default, clients call port 21 when using the FTP protocol. Therefore, if you create multiple FTP sites
using multiple ports, you need to inform users of the new port number so their FTP clients can locate and connect to the port.
If you create a new site using the same port as an existing site with the same IP address, the new site will not start. The general rule is that you can have multiple
sites using the same IP and port, but only one site from this group can run at a time. If you try to start another site from this group, you receive an error message.
Procedures
To create multiple FTP sites using multiple IP addresses
1. In IIS Manager, expand the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Click Next.
3. In the Description box, type a description of your FTP site, and then click Next.
4. Under Enter the IP address to use for this FTP site, type a new IP address, and leave the TCP port setting at 21.
5. Complete the rest of the FTP Site Creation Wizard.
To create multiple FTP sites using multiple ports
1. In IIS Manager, expand the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Click Next.
3. In the Description box, type a description of your FTP site, and then click Next.
4. Under Enter the IP address to use for this FTP site, type your Web server's IP address.
5. Under Type the TCP port for this FTP site, change the TCP port from the default setting of 21 to an unallocated port number. If you are uncertain which port numbers are already allocated, choose a high number, for example a number between 5000 and 5999.
6. Complete the rest of the FTP Site Creation Wizard.
Source: http://technet.microsoft.com/en-us/library/cc753522(WS.10).aspx
QUESTION 404
You have a test lab that contains 20 client computers and a server named Server1. The client computers run Windows 7. Server1 runs Windows Server 2008
Service Pack 2 (SP2).
You install the Key Management Service (KMS) on Server1. You need to ensure that the client computers can successfully activate by using Server1.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Deploy five additional client computers that run Windows 7.
C. On each client computer, run slmgr.vbs /rearm.
D. On Server1, restart the Windows Activation Technologies service.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Minimum Computer Requirements
When planning for KMS activation, the network must meet or exceed the activation threshold, or the minimum number of qualifying computers that KMS requires.
You must also understand how the KMS host tracks the number of computers on the network.
KMS Activation Thresholds
KMS can activate both physical computers and virtual machines. To qualify for KMS activation, a network must meet the activation threshold: KMS hosts activate
client computers only after meeting this threshold. To ensure that the activation threshold is met, a KMS host counts the number of computers that are requesting
activation on the network. For computers running Windows Server 2008 or Windows Server 2008 R2, the activation threshold is five. For computers running
Windows Vista or Windows 7, the activation threshold is 25. The thresholds include client computers and servers that are running on physical computers or virtual
machines.
Source: http://technet.microsoft.com/en-us/library/ff793434.aspx
QUESTION 405
You need to manually create a service location (SRV) record for a server that has the Key Management Service (KMS) installed.
Which SRV record should you create?
A. _kms._tcp.contoso.com
B. _kms._tcp._msdcs.contoso.com
C. _mskms._tcp.contoso.com
D. _vlmcs._tcp.contoso.com
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Manually Create SRV Records in DNS
If the environment does not support DDNS, the SRV RRs must be manually created to publish the KMS host.
Environments that do not support DDNS should disable publishing on all KMS hosts to prevent event logs from collecting failed DNS publishing events. To disable
auto-publishing, use the Slmgr.vbs script with the /cdns command-line option. See the Configuring KMS section for more information about the Slmgr.vbs script.
Note: Manually created SRV RRs can coexist with SRV RRs that KMS hosts automatically publish in other domains as long as all records are maintained to prevent conflicts.
Using DNS Manager, in the appropriate forward lookup zone, create a new SRV RR using the appropriate information for the location. By default, KMS listens on TCP port 1688, and the service is _VLMCS. Table 2 contains example settings for a SRV RR.
Table 2 SRV Resource Record
QUESTION 406
Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a Key Management Service (KMS) host.
What should you do first?
A. At the command prompt, run slmgr.vbs and specify the /dli option.
B. At the command prompt, run slmgr.vbs and specify the /ipk option.
C. From the Server Manager console, run the Add Features Wizard and install the Online Responder Tools.
D. From the Server Manager console, run the Add Features Wizard and install the Windows Process Activation Service.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To install a KMS host on a Windows Vista or Windows Server 2008 computer
1. Log on to the computer that will serve as the KMS host.
2. Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
3. To install your KMS key, type the following at the command prompt, and then press Enter:
cscript C:\windows\system32\slmgr.vbs /ipk <KmsKey>
4. Activate the KMS host with Microsoft using one of the following:
4a. For online activation, type the following at the command prompt and then press Enter:
cscript C:\windows\system32\slmgr.vbs /ato
4b. For telephone activation, type the following at the command prompt and then press Enter:
slui.exe 4
5. After activation is complete, restart the Software Licensing Service using the Services application.
Source: http://technet.microsoft.com/en-us/library/cc303280.aspx#_Install_KMS_Hosts
QUESTION 407
Your network contains a server named Server1. Server1 has the Volume Activation Management Tool (VAMT) installed.
You need to activate Windows on a server named Server2 by using VAMT.
Which firewall rule should you enable on Server2?
A. COM+ Network Access (DCOM-In)
B. COM+ Remote Administration (DCOM-In)
C. Remote Service Management (RPC)
D. Windows Management Instrumentation (WMI-In)
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Section: Key Management Services (KMS)
Explanation:
Product key management with VAMT enables:
Single local console to manage keys for Windows client, Windows Server and Office 2010
Installation of the keys on remote managed systems through WMI
Tracking remaining activations on MAKs
Source: http://technet.microsoft.com/en-us/library/ff686876.aspx
QUESTION 408
Your network contains a server named Server1 that has the Hyper-V server role installed. Server1 has two network adapters.
You need to configure Server1 to meet the following requirements:
All virtual machines (VMs) on Server1 must be able to communicate with other computers on the network.
The number of virtual network connections must be minimized.
What should you do?
A. Create one internal virtual network. Clear the Enable virtual LAN identification for management operating system check box for the virtual network.
B. Create one internal virtual network. Select the Enable virtual LAN identification for management operating system check box for the virtual network.
C. Create one external virtual network. Clear the Allow management operating system to share this network adapter check box for the virtual network.
D. Create one external virtual network. Select the Allow management operating system to share this network adapter check box for the virtual network.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
External virtual networks. Use this type when you want to provide virtual machines with access to a physical network to communicate with externally located servers
and clients. This type of virtual network also allows virtual machines on the same virtualization server to communicate with each other. This type of network may
also be available for use by the management operating system, depending on how you configure the networking. (The management operating system runs the
Hyper-V role.) For more information, see A closer look at external virtual networks later in this topic.
Source: http://technet.microsoft.com/en-us/library/cc816585%28WS.10%29.aspx
QUESTION 409
Your network contains a server named Server1 that has the Hyper-V server role installed. Server1 hosts a virtual machine (VM) named VM1.
You add an additional hard disk to Server1. The hard disk is configured as a basic disk.
You need to configure VM1 to use the new hard disk as a pass-through disk.
What should you do before you configure the pass through disk?
A. Create a simple volume.
B. Take the new hard disk offline.
C. Convert the new hard disk to a GPT disk.
D. Convert the new hard disk to a dynamic disk.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Pass-through Disk Configuration
Hyper-V allows virtual machines to access storage mapped directly to the Hyper-V server without requiring the volume be configured. The storage can either be a physical disk internal to the Hyper-V server or it can be a Storage Area Network (SAN) Logical Unit (LUN) mapped to the Hyper-V server. To ensure the Guest has exclusive access to the storage, it must be placed in an Offline state from the Hyper-V server perspective. Additionally, this raw piece of storage is not limited in size so, hypothetically, it can be a multiterabyte LUN.
After storage is mapped to the Hyper-V server, it will appear as a raw volume and will be in an Offline state (depending on the SAN Policy (Figure 1-1)) as seen in Figure 1.
Figure 1: Raw disk is Offline
Figure 1-1 SAN Mode determination using diskpart.exe
I stated earlier that a disk must be Offline from the Hyper-V server's perspective in order for the Guest to have exclusive access. However, a raw volume must first
be initialized before it can be used. To accomplish this in the Disk Management interface, the disk must first be brought Online. Once Online, the disk will show as
being Not Initialized (Figure 2).
Figure 2: Disk is Online but Not Initialized
Right-click on the disk and select Initialize Disk (Figure 3)
Figure 3: Initialize the disk
Select either an MBR or GPT partition type (Figure 4).
Figure 4: Selecting a partition type
Once a disk is initialized, it can once again be placed in an Offline state. If the disk is not in an Offline state, it will not be available for selection when configuring the
Guest's storage. In order to configure a Pass-through disk in a Guest, you must select Attach a virtual disk later in the New Virtual Machine Wizard (Figure 5).
Figure 5: Choosing to attach a virtual disk later
Figure 6: Attaching a pass-through disk to an IDE Controller
Note: If the disk does not appear in the drop down list, ensure the disk is Offline in the Disk Management interface (In Server CORE, use the diskpart.exe CLI). Once the Pass-through disk is configured, the Guest can be started and data can be placed on the drive. If an operating system will be installed, the installation process will properly prepare the disk. If the disk will be used for data storage, it must be prepared in the Guest operating system before data can be placed on it.
If a Pass-through disk, being used to support an operating system installation, is brought Online before the Guest is started, the Guest will fail to start. When using
Pass-through disks to support an operating system installation, provisions must be made for storing the Guest configuration file in an alternate location. This is
because the entire Pass-through disk is consumed by the operating system installation. An example would be to locate the configuration file on another internal
drive in the Hyper-V server itself. Or, if it is a cluster, the configuration file can be hosted on a separate cluster providing highly available file services. Be aware that
Pass-through disks cannot be dynamically expanded. Additionally, when using Pass-through disks, you lose the capability to take snapshots, and finally, you cannot
use differencing disks with Pass-through disks.
Note: When using Pass-through disks in a Windows Server 2008 Failover Cluster, you must have the update documented in KB951308: Increased functionality and
virtual machine control in the Windows Server 2008 Failover Cluster Management console for the Hyper-V role installed on all nodes in the cluster.
Source: http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks-in-hyper-v.aspx
QUESTION 410
Your network contains a server named Server1 that has the Hyper-V server role installed.
Server1 hosts a virtual machine (VM) named VM1 that runs Windows Server 2003 Service Pack 2 (SP2).
VM1 is configured to use a 127-GB dynamically-expanding virtual hard disk (VHD).
You need to add 500 GB of disk space to VM1. The solution must minimize the amount of downtime for VM1.
What should you do?
A. Increase the size of the VHD drive.
B. Convert the VHD to a fixed-size disk.
C. Add a new VHD drive to a SCSI controller.
D. Add a new VHD drive to an IDE controller.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Dynamic virtual machine storage. Improvements to virtual machine storage include support for hot plug-in and hot removal of the storage on a SCSI controller of the
virtual machine. By supporting the addition or removal of virtual hard disks and physical disks while a virtual machine is running, it is possible to quickly reconfigure
virtual machines to meet changing requirements. Hot plug-in and removal of storage requires the installation of Hyper-V integration services (included in Windows
Server 2008 R2) on the guest operating system.
Source: http://technet.microsoft.com/en-us/library/dd446676.aspx
QUESTION 411
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Hyper-V server role installed.
Server1 hosts a virtual machine (VM) named VM1.
You take a snapshot of VM1 at 05:00 and at 19:00.
You use Hyper-V Manager to delete the snapshot taken at 05:00. You need to ensure that the files created by the 05:00 snapshot are deleted from the hard disk on
Server1.
What should you do?
A. At the command prompt, run the rmdir.exe command.
B. From Windows PowerShell, run the Remove-Item cmdlet.
C. From the Hyper-V Manager console, shut down VM1.
D. From the Hyper-V Manager console, right-click VM1 and click Revert.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
When you delete a snapshot, the .avhd files that store the snapshot data remain in the storage location until the virtual machine is shut down, turned off, or put into a saved state. As a result, when you delete a snapshot, you will need to put the production virtual machine into one of those states at some point to be able to complete the safe removal of the snapshot.
Source: http://technet.microsoft.com/en-us/library/dd560637.aspx
QUESTION 412
Your network contains an Active Directory domain. The domain contains 20 member servers. The domain contains two servers named Server1 and Server2 that run Windows Server 2008 R2.
You connect Server1 and Server2 to a logical unit number (LUN) on a Storage Area Network (SAN). You create a failover cluster named Cluster1. You add Server1
and Server2 as nodes to Cluster1.
You discover that there are no cluster disks available for a new clustered file server service on Cluster1.
You need to ensure that you can add a clustered file server service to Cluster1.
What should you do?
A. Enable cluster shared volumes.
B. Run the Provision Storage Wizard.
C. Configure Cluster1 to use a No Majority: Disk Only quorum configuration.
D. Configure Cluster1 to use a Node and File Share Majority quorum configuration.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Quorum configuration choices
You can choose from among four possible quorum configurations:
Node Majority (recommended for clusters with an odd number of nodes)
Can sustain failures of half the nodes (rounding up) minus one. For example, a seven node cluster can sustain three node failures.
Node and Disk Majority (recommended for clusters with an even number of nodes)
Can sustain failures of half the nodes (rounding up) if the disk witness remains online. For example, a six node cluster in which the disk witness is online could sustain three node failures. Can sustain failures of half the nodes (rounding up) minus one if the disk witness goes offline or fails. For example, a six node cluster with a failed disk witness could sustain two (3-1=2) node failures.
Node and File Share Majority (for clusters with special configurations)
Works in a similar way to Node and Disk Majority, but instead of a disk witness, this cluster uses a file share witness. Note that if you use Node and File Share Majority, at least one of the available cluster nodes must contain a current copy of the cluster configuration before you can start the cluster. Otherwise, you must force the starting of the cluster through a particular node.
No Majority: Disk Only (not recommended)
Can sustain failures of all nodes except one (if the disk is online). However, this configuration is not recommended because the disk might be a single point of failure.
Source: http://technet.microsoft.com/en-us/library/cc731739.aspx
QUESTION 413
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2.
Server1 and Server2 have the Hyper-V server role and the Failover Clustering feature installed.
You deploy a new virtual machine (VM) named VM1 on Server1.
You need to ensure that VM1 is available if one of the Hyper-V servers fails.
What should you do?
A. Install the Network Load Balancing (NLB) feature on VM1.
B. Install the Network Load Balancing (NLB) feature on Server1.
C. Install the Failover Clustering feature on VM1. From Failover Cluster Manager on VM1, click Configure a Service or Application.
D. From Failover Cluster Manager on Server1, click Configure a Service or Application.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure a virtual machine for high availability
1. Be sure that you have installed the Hyper-V role and have reviewed the steps in Checklist: Create a Clustered Virtual Machine. This procedure is a step in that
checklist.
2. In the Failover Cluster Manager snap-in, if the cluster that you want to configure is not displayed, in the console tree, right-click Failover Cluster Manager, click
Manage a Cluster, and then select or specify the cluster that you want.
3. If the console tree is collapsed, expand the tree under the cluster that you want to configure.
4. Click Services and Applications.
5. If you have already created the virtual machine, skip to step 6. Otherwise, use the New Virtual Machine
Wizard to create a virtual machine and configure it for high availability:
a. In the Action pane, click Virtual machines, point to Virtual machine, and then click a node. The virtual machine will initially be created on that node, and then be
clustered so that it can move to another node or nodes as needed.
b. If the Before You Begin page of the New Virtual Machine Wizard appears, click Next.
c. Specify a name for the virtual machine, and then select Store the virtual machine in a different location and specify a disk in shared storage or, if Cluster Shared Volumes is enabled, a Cluster Shared Volume (a volume that appears to be on the system drive of the node, under the \ClusterStorage folder).
d. Follow the instructions in the wizard. You can specify details (such as the amount of memory, the network, and the virtual hard disk file) now, and you can also
add or change configuration details later.
e. When you click Finish, the wizard creates the virtual machine and also configures it for high availability.
Skip the remaining step in this procedure.
6. If you have already created the virtual machine and only want to configure it for high availability, first make sure that the virtual machine is not running. Then, use
the High Availability Wizard to configure the virtual machine for high availability:
a. In the Action pane, click Configure a Service or Application.
b. If the Before You Begin page of the High Availability Wizard appears, click Next.
c. On the Select Service or Application page, click Virtual Machine and then click Next.
d. Select the virtual machine that you want to configure for high availability, and complete the wizard.
e. After the High Availability wizard runs and the Summary page appears, if you want to view a report of the tasks that the wizard performed, click View Report.
Source: http://technet.microsoft.com/en-us/library/dd759216.aspx
QUESTION 414
Your network contains an Active Directory domain. The domain contains two servers named Server1 and Server2.
You connect Server1 and Server2 to a logical unit number (LUN) on a Storage Area Network (SAN).
You need to ensure that you can use the LUN in a failover cluster.
What should you do?
A. From Server Manager, run the Best Practices Analyzer.
B. From File Server Resource Manager, generate a storage report.
C. From Failover Cluster Manager, run the Validate a Configuration Wizard.
D. From Share and Storage Management, verify the advanced settings of the LUN.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Ensure that the disks (LUNs) that you want to use in the cluster are exposed to the servers you will cluster (and only those servers). You can use any of the
following interfaces to expose disks or LUNs:
1. Microsoft Storage Manager for SANs (part of the operating system in Windows Server 2008). To use this interface, you need to contact the manufacturer of your
storage for a Virtual Disk Service (VDS) provider package that is designed for your storage.
2. If you are using iSCSI, an appropriate iSCSI interface.
3. The interface provided by the manufacturer of the storage.
Source: http://technet.microsoft.com/es-es/library/dd197507(WS.10).aspx
Considerations when including storage tests:
When cluster validation is performed on an already configured cluster, if the default tests (which include storage tests) are selected, only disk resources that are in an Offline state or are not assigned to a clustered service or application will be used for testing the storage. This builds in a safety mechanism, and the cluster validation wizard warns you when storage tests have been selected but will not run on storage in an Online state, that is, storage used by clustered services or applications. This is by design to avoid disruption to highly available services or applications that depend upon these disk resources being online.
One scenario where Microsoft CSS may request you to run validation tests on production clusters is when there is a cluster storage failure that could be caused by some underlying storage configuration change or failure. By default, the wizard warns you if storage tests have been selected but will not be run on storage that is online, that is, storage used by clustered services or applications. In this situation, you can run validation tests (including storage tests) by creating or choosing a new logical unit number (LUN) from the same shared storage device and presenting it to all nodes. By testing this LUN, you can avoid disruption to clustered services and applications already online within the cluster and still test the underlying storage subsystem.
How to run the cluster validation wizard for a failover cluster
To validate a new or existing failover cluster
1. Identify the server or servers that you want to test and confirm that the failover cluster feature is installed:
If the cluster does not yet exist, choose the servers that you want to include in the cluster, and make sure you have installed the failover cluster feature on those servers. To install the feature, on a server running Windows Server 2008 or Windows Server 2008 R2, click Start, click Administrative Tools, click Server Manager, and under Features Summary, click Add Features. Use the Add Features wizard to add the Failover Clustering feature.
If the cluster already exists, make sure that you know the name of the cluster or a node in the cluster.
2. Review network or storage hardware that you want to validate, to confirm that it is connected to the servers. For more information, see http://go.microsoft.com/fwlink/?LinkId=111555.
3. Decide whether you want to run all or only some of the available validation tests. For detailed information about the tests, see the topics listed in http://go.microsoft.com/fwlink/?LinkId=111554. The following guidelines can help you decide whether to run all tests:
For a planned cluster with all hardware connected: Run all tests.
For a planned cluster with parts of the hardware connected: Run System Configuration tests, Inventory tests, and tests that apply to the hardware that is connected (that is, Network tests if the network is connected or Storage tests if the storage is connected).
For a cluster to which you plan to add a server: Run all tests. Before you run them, be sure to connect the networks and storage for all servers that you plan to have in the cluster.
For troubleshooting an existing cluster: If you are troubleshooting an existing cluster, you might run all tests, although you could run only the tests that relate to the apparent issue.
Important: If a clustered service or application is using a disk when you start the wizard, the wizard will prompt you about whether to take that clustered service or application offline for the purposes of testing. If you choose to take a clustered service or application offline, it will remain offline until the tests finish.
4. In the failover cluster snap-in, in the console tree, make sure Failover Cluster Management is selected and then, under Management, click Validate a Configuration.
5. Follow the instructions in the wizard to specify the servers and the tests, and run the tests. Note that when you run the cluster validation wizard on unclustered servers, you must enter the names of all the servers you want to test, not just one.
6. The Summary page appears after the tests run. While still on the Summary page, click View Report to view the test results. To view the results of the tests after you close the wizard, see SystemRoot\Cluster\Reports\Validation Report date and time.html where SystemRoot is the folder in which the operating system is installed (for example, C:\Windows).
7. To view Help topics that will help you interpret the results, click More about cluster validation tests.
8. To view Help topics about cluster validation after you close the wizard, in the failover cluster snap-in, click Help, click Help Topics, click the Contents tab, expand the contents for the failover cluster Help, and click Validating a Failover Cluster Configuration.
Source: http://technet.microsoft.com/en-us/library/cc732035(WS.10).aspx
QUESTION 415
Your network contains two servers named Server1 and Server2. The network contains a Storage Area Network (SAN). Server1 and Server2 each connect to two
logical unit numbers (LUNs) on the SAN.
You create a failover cluster named Cluster1. Server1 and Server2 are nodes in Cluster1. One of the LUNs is used as a witness disk.
You plan to create 10 virtual machine (VM) instances in Cluster1. You need to ensure that each VM instance can be moved between nodes independently of the
other VMs.
How should you configure Cluster1?
A. Enable cluster shared volumes.
B. Modify the quorum configuration.
C. Create a clustered Generic Service instance.
D. Create a clustered Microsoft Distributed Transaction Coordinator (MSDTC) resource.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Storage: You must use shared storage that is compatible with Windows Server 2008 R2. A feature of failover clusters called Cluster Shared Volumes is specifically
designed to enhance the availability and manageability of virtual machines. Cluster Shared Volumes are volumes in a failover cluster that multiple nodes can read
from and write to at the same time. This feature enables multiple nodes to concurrently access a single shared volume. The Cluster Shared Volumes feature is only
supported for use with Hyper-V and other technologies specified by Microsoft. On a failover cluster that uses Cluster Shared Volumes, multiple clustered virtual
machines that are distributed across multiple cluster nodes can all access their Virtual Hard Disk (VHD) files at the same time, even if the
VHD files are on a single disk (LUN) in the storage. This means that the clustered virtual machines can fail over independently of one another, even if they use only
a single LUN. When Cluster Shared Volumes is not enabled, a single disk (LUN) can only be accessed by a single node at a time. This means that clustered virtual
machines can only fail over independently if each virtual machine has its own LUN, which makes the management of LUNs and clustered virtual machines more
difficult.
For a two-node failover cluster, the storage should contain at least two separate volumes (LUNs), configured at the hardware level. Do not expose the clustered
volumes to servers that are not in the cluster. One volume will function as the witness disk (described later in this section). One volume will contain the files that are
being shared between the cluster nodes. This volume serves as the shared storage on which you will create the virtual machine and the virtual hard disk. To
complete the steps as described in this document, you only need to expose one volume. For Cluster Shared Volumes, there are no special requirements other than
the requirement for NTFS.
For the partition style of the disk, you can use either master boot record (MBR) or GUID partition table (GPT).
Source: http://technet.microsoft.com/en-us/library/cc732181.aspx
QUESTION 416
Your network contains a single Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2.
You have a cluster named Cluster1. Cluster1 has two nodes named Server1 and Server2. Server1 is located in Site1. Server2 is located in Site2. Cluster1 uses a
file share witness that is located in Site1.
Cluster1 hosts a clustered application named App1.
The network in Site1 fails.
You need to ensure that users can access App1.
What should you do?
A. Force quorum on Server2.
B. Enable persistent mode for App1.
C. Modify the dependencies for App1.
D. Modify the failover settings for App1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Force Quorum in a Single-Site or Multi-Site Failover Cluster
You can force quorum in a single-site or multi-site cluster. Forcing quorum means that you start the cluster even though only a minority of the elements that are required for quorum are in communication.
This command is important to know for multi-site clusters with an odd number of nodes. The recommended design for a multi-site cluster has an even number of nodes, but it is possible to create a multi-site design using an odd number of nodes, with the majority of nodes at the main site. As with all configurations with an odd number of nodes, such a design should use the Node Majority quorum configuration. If you use this design and the main site goes down, to start the secondary site (which has a minority of the nodes) you will need to force quorum, that is, force all nodes which can communicate with each other to begin working together as a cluster.
To force quorum in a single-site or multi-site cluster
1. On a node that contains a copy of the cluster configuration that you want to use, open a Command Prompt window.
Important: The choice of node can be important when you are forcing quorum, because one node could potentially have an older copy of the cluster configuration database than another node or nodes. The cluster will use the copy of the cluster configuration that is on the node on which you perform this procedure. The cluster will then replicate that copy to all other nodes.
2. On that node, type the following command:
net start clussvc /fq
Additional considerations
To open a Command Prompt window, click Start, right-click Command Prompt, and then either click Run as administrator or click Open. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
When a cluster is forced to start without quorum it continually looks to add nodes to the cluster and is in a special forced state. Once it has majority, the cluster moves out of the forced state and behaves normally, which means it is not necessary to rerun the command without the /fq option. If the cluster moves out of the forced state, loses a node, and drops below quorum, it will go offline again. At that point, to bring it online again while it does not have quorum would require running the command again with the /fq option.
Source: http://technet.microsoft.com/nl-nl/library/dd197500.aspx
QUESTION 417
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 and Server2 are configured as a failover cluster named
Cluster1.
Cluster1 hosts a clustered application named App1. App1 has a physical disk resource named Cluster Disk 1.
You need to use the Chkdsk tool to fix all of the errors on Cluster Disk 1.
What should you do first?
A. From Disk Management, take Cluster Disk 1 offline.
B. From Disk Management, disable write caching for Cluster Disk 1.
C. From Failover Cluster Manager, modify the dependencies for Cluster Disk 1.
D. From Failover Cluster Manager, enable maintenance mode for Cluster Disk 1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Run a Disk Maintenance Tool Such as Chkdsk on a Clustered Disk
To run a disk maintenance tool such as Chkdsk on a disk or volume that is configured as part of a clustered service, application, or virtual machine, you must use maintenance mode. When maintenance mode is on, the disk maintenance tool can finish running without triggering a failover. If you have a disk witness, you cannot use maintenance mode for that disk. Maintenance mode works somewhat differently on a volume in Cluster Shared Volumes than it does on other disks in cluster storage, as described in Additional considerations, later in this topic. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To run a disk maintenance tool such as Chkdsk on a clustered disk
1. In the Failover Cluster Manager snap-in, if the cluster is not displayed, in the console tree, right-click Failover Cluster Manager, click Manage a Cluster, and select or specify the cluster you want.
2. If the console tree is collapsed, expand the tree under the cluster that uses the disk on which you want to run a disk maintenance tool.
3. In the console tree, click Storage.
4. In the center pane, click the disk on which you want to run the disk maintenance tool.
5. Under Actions, click More Actions, and then click the appropriate command:
If the disk you clicked is under Cluster Shared Volumes and contains multiple volumes, click Maintenance, and then click the command for the appropriate volume. If prompted, confirm your action.
If the disk you clicked is under Cluster Shared Volumes and contains one volume, click Maintenance, and then click Turn on maintenance mode for this volume. If prompted, confirm your action.
If the disk you clicked is not under Cluster Shared Volumes, click Turn on maintenance mode for this disk.
6. Run the disk maintenance tool on the disk or volume. When maintenance mode is on, the disk maintenance tool can finish running without triggering a failover.
7. When the disk maintenance tool finishes running, with the disk still selected, under Actions, click More Actions, and then click the appropriate command:
If the disk you clicked is under Cluster Shared Volumes and contains multiple volumes, click Maintenance, and then click the command for the appropriate volume.
If the disk you clicked is under Cluster Shared Volumes and contains one volume, click Maintenance, and then click Turn off maintenance mode for this volume.
If the disk you clicked is not under Cluster Shared Volumes, click Turn off maintenance mode for this disk.
Source: http://technet.microsoft.com/en-us/library/cc772587.aspx
QUESTION 418
Your network contains a Windows Server 2003 server cluster named Cluster1. Cluster1 hosts a print server instance named Print1.
You deploy a Windows Server 2008 R2 failover cluster named Cluster2. You configure Cluster2 to use the physical disk resource used by Print1. From Cluster2,
you run the Migrate a Cluster Wizard to migrate Print1 to Cluster2.
You need to ensure that Print1 runs on Cluster2.
What should you do first?
A. On Cluster1, take Print1 offline.
B. On Cluster1, modify the failover settings of Print1.
C. On Cluster2, modify the failover settings of Print1.
D. On Cluster2, modify the preferred owner settings of Print1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 419
Your network contains a server named Server1.
You add a new hard disk to Server1.
When you run the Provision Storage Wizard, you do not see the new disk. You need to ensure that you can provision the new disk by using the Provision Storage
Wizard.
What should you do?
A. At the command prompt, run chkdsk.exe /f.
B. From Disk Management, initialize the disk.
C. From Services, restart the Virtual Disk service.
D. From Storage Explorer, click Refresh SAN View.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 420
Your network contains a single Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2.
Server1 has an iSCSI host bus adapter that connects to an iSCSI target. You install an additional iSCSI host bus adapter on Server1. You need to ensure that
Server1 can access the iSCSI target if a host bus adapter fails.
What should you do first?
A. At the command prompt, run mpclaim.exe -l m 6.
B. Install the Multipath I/O feature.
C. Bridge the iSCSI host bus adapters.
D. Install the Internet Storage Name Server (iSNS) feature.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
About MPIO
Microsoft Multipath I/O (MPIO) is a Microsoft-provided framework that allows storage providers to develop multipath solutions that contain the hardware-specific information needed to optimize connectivity with their storage arrays. These modules are called device-specific modules (DSMs). The concepts around DSMs are discussed later in this document. MPIO is protocol-independent and can be used with Fibre Channel, Internet SCSI (iSCSI), and Serial Attached SCSI (SAS) interfaces in Windows Server 2008 and Windows Server 2008 R2.
Multipath solutions in Windows Server 2008 R2
When running on Windows Server 2008 R2, an MPIO solution can be deployed in the following ways:
By using a DSM provided by a storage array manufacturer for Windows Server 2008 R2 in a Fibre Channel,
iSCSI, or SAS shared storage configuration.
By using the Microsoft DSM, which is a generic DSM provided for Windows Server 2008 R2 in a Fibre Channel, iSCSI, or SAS shared storage configuration.
High availability through MPIO
MPIO allows Windows to manage and efficiently use up to 32 paths between storage devices and the Windows host operating system. MPIO provides fault-tolerant connectivity to storage. By employing MPIO, users are able to mitigate the risk of a system outage at the hardware level. MPIO provides the logical facility for routing I/O over redundant hardware paths connecting server to storage.
These redundant hardware paths are made up of components such as cabling, host bus adapters (HBAs), switches, storage controllers, and possibly even power.
MPIO solutions logically manage these redundant connections so that I/O requests can be rerouted if a component along one path fails.
As more and more data is consolidated on storage area networks (SANs), the potential loss of access to storage resources is unacceptable. To mitigate this risk,
high availability solutions, such as MPIO, have now become a requirement.
Source: http://technet.microsoft.com/en-us/library/ee619734(WS.10).aspx
QUESTION 421
Your network contains a single Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2. Server1 has two
unallocated disks.
You need to create a mirrored volume.
Which tool should you use?
A. Disk Management
B. File Server Resource Manager
C. Share and Storage Management
D. Storage Explorer
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Section: Storage Management
Explanation:
To create a mirrored volume
1. Open Server Manager (Local).
2. In the console tree, click Server Manager (Local), click Storage, and then click Disk Management.
3. Right-click the unallocated space on one of the dynamic disks on which you want to create the mirrored volume, and then click New Volume.
4. In the New Volume Wizard, click Next, click Mirrored, and then follow the instructions on your screen.
Notes
To perform this procedure on a local computer, you must be a member of the Backup Operators group or
Administrators group on the local computer, or you must have been delegated the appropriate authority. To perform this procedure remotely, you must be a
member of the Backup Operators group or Administrators group on the remote computer. If the computer is joined to a domain, members of the Domain Admins
group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open Server Manager, click Start,
click Administrative Tools, and then click Server Manager.
You need two dynamic disks to create a mirrored volume.
You can mirror an existing simple volume.
Mirrored volumes are fault tolerant and use RAID-1, which provides redundancy by creating two identical copies of a volume.
Mirrored volumes cannot be extended.
Both copies (mirrors) of the mirrored volume share the same drive letter.
Source: http://technet.microsoft.com/en-us/library/cc776202.aspx
QUESTION 422
Your network contains a single Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2.
An administrator connects Server1 to an iSCSI target.
You restart Server1 and discover that the iSCSI target is not connected. You need to ensure that Server1 automatically connects to the iSCSI target when you
restart the server.
What should you do?
A. From the iSCSI Initiator console, add Server1 as a target portal.
B. From the iSCSI Initiator console, add the target to the favorite targets list.
C. From the Storage Explorer console, add a new iSCSI initiator.
D. From the Storage Explorer console, disable the default Discovery Domain Set.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
By marking a target as a favorite target, Microsoft iSCSI Initiator configures software and hardware initiators to always attempt to reconnect to a target whenever the
computer is rebooted. The login information that is needed to connect to the favorite targets (for example, Challenge-Handshake Authentication Protocol (CHAP)
secrets, portal information, etc.) is captured when you log in, and is saved by the software and hardware initiators in non-volatile storage. Hardware initiators can
initiate a reconnection early in the boot process while the Microsoft Software Initiator kernel mode driver initiates a reconnection as soon as the Windows TCP/IP
stack and the Microsoft iSCSI Initiator service loads.
Source: http://technet.microsoft.com/en-us/library/dd759126.aspx
Favorite targets
Microsoft iSCSI Initiator supports favorite (formerly called persistent) targets. By using common APIs and UI,
Microsoft iSCSI Initiator can configure software and hardware initiators to always reconnect to a target when the computer is rebooted. Consequently, this requires
that the devices on the target are connected to the computer at all times. The logon information that is needed to connect to the favorite targets (for example, CHAP
secrets and portal) is captured when the persistent logon is performed by the administrator and saved by the software and hardware initiators in non-volatile
storage. Hardware initiators can initiate reconnection early in the boot process, but the kernel-mode driver in Microsoft iSCSI Initiator initiates reconnection when the
Windows TCP/IP stack and Microsoft iSCSI Initiator load.
Source: http://technet.microsoft.com/en-us/library/ee338477(WS.10).aspx
QUESTION 423
Your network contains a server named Server1. Server1 has three hard disk drives. Two hard disk drives named C and E are configured as simple volumes. The
third hard disk drive contains 500 GB of unallocated space.
Drive E hosts a shared folder named Folder1.
Users report that they fail to save files to Folder1.
You discover that drive E has no free space.
You need to ensure that users can save files to Folder1.
What should you do?
A. From the Disk Management console, run the Add Mirror wizard.
B. From the Disk Management console, run the Extend Volume Wizard.
C. From the Share and Storage Management console, run the Provision Storage Wizard.
D. From the Share and Storage Management console, run the Provision a Shared Folder Wizard.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Extend a Simple or Spanned Volume
A spanned volume is a dynamic volume that consists of disk space on more than one physical disk. If a simple volume is not a system volume or boot volume, you can extend it across additional disks. If you extend a simple volume across multiple disks, it becomes a spanned volume. You can extend a volume only if it does not have a file system or if it is formatted using the NTFS file system.
You cannot extend volumes formatted using FAT or FAT32.
Backup Operator or Administrator is the minimum membership required to complete the actions below.
Extending a simple or spanned volume
1. In Disk Management, right-click the simple or spanned volume you want to extend.
2. Click Extend Volume.
3. Follow the instructions on your screen.
Source: http://technet.microsoft.com/en-us/library/cc753058.aspx
QUESTION 424
Your network contains a server named Server1 that has two volumes named C and D.
You add a new volume.
You need to ensure that you can access data on the new volume by using the path D:\data.
What should you do?
A. From Disk Management, create a volume mount point.
B. From Disk Management, attach a virtual hard disk (VHD).
C. At the command prompt, run the diskraid.exe command and specify the /v parameter.
D. At the command prompt, run the dism.exe command and specify the /mount-wim parameter.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Assign a mount point folder path to a drive
You can use Disk Management to assign a mount-point folder path (rather than a drive letter) to the drive.
Mount-point folder paths are available only on empty folders on basic or dynamic NTFS volumes. Backup Operator or Administrator is the minimum membership
required.
Assigning a mount-point folder path to a drive
1. In Disk Manager, right-click the partition or volume where you want to assign the mount-point folder path, and then click Change Drive Letter and Paths.
2. Do one of the following:
To assign a mount-point folder path, click Add. Click Mount in the following empty NTFS folder, type the path to an empty folder on an NTFS volume, or click Browse to locate it.
To remove the mount-point folder path, click it and then click Remove.
Additional considerations
If you are administering a local or remote computer, you can browse NTFS folders on that computer.
When assigning a mount-point folder path to a drive, use Event Viewer to check the system log for any
Cluster service errors or warnings indicating mount point failures. These errors would be listed as ClusSvc in the Source column and Physical Disk Resource in the
Category column.
Source: http://technet.microsoft.com/en-us/library/cc753321.aspx
QUESTION 425
Your network contains a server named Server1.
You start Server1 by using a Microsoft Windows Preinstallation Environment (Windows PE) image. You copy a virtual hard disk (VHD) image named VHD1 to
Server1. VHD1 contains a Windows Server 2008 R2 image.
You need to configure Server1 to start from VHD1.
Which tool should you use?
A. Bcdedit
B. Bootcfg
C. Diskpart
D. Dism
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To add a native-boot VHD to an existing Windows 7 boot menu
If you are deploying the VHD to a computer with an existing Windows 7 or Windows Server 2008 R2 installation, you can use the BCDedit tool to make the new VHD bootable and add it to the boot menu. For more information about using the BCDedit tool, see this Microsoft Web site.
1. Copy an existing boot entry for a Windows 7 installation. You will then modify the copy for use as the VHD boot entry. At a command prompt, type:
bcdedit /copy {default} /d "vhd boot (locate)"
When the BCDedit command completes successfully, it returns a {GUID} as output in the Command Prompt window.
2. Locate the {GUID} in the command-prompt output for the previous command. Copy the GUID, including the braces, to use in the following steps.
3. Set the device and osdevice options for the VHD boot entry. At a command prompt, type:
bcdedit /set {guid} device vhd=[locate]\windows7.vhd
bcdedit /set {guid} osdevice vhd=[locate]\windows7.vhd
4. Set the boot entry for the VHD as the default boot entry. When the computer restarts, the boot menu will display all of the Windows installations on the computer
and boot into the VHD after the operating-system selection countdown completes. At a command prompt, type:
bcdedit /default {guid}
5. Some x86-based systems require a boot configuration option for the kernel in order to detect certain hardware information and successfully native-boot from a
VHD. At a command prompt, type: bcdedit /set {guid} detecthal on
Source: http://technet.microsoft.com/en-us/library/dd799299.aspx
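The procedure above leaves the GUID to be copied by hand. The script below, an added example that is not part of the TechNet page, runs the same bcdedit steps but parses the GUID out of the /copy output so the device and osdevice settings cannot be applied to the wrong entry. It assumes the VHD was copied to C:\VHD1.vhd, that an existing BCD store is present (the /copy call fails with a clear message otherwise), and that it runs from an elevated prompt.

```powershell
# Added example (not from the TechNet page): add a native-boot entry for VHD1.
# Assumptions: the VHD is at C:\VHD1.vhd on the volume Windows sees as C:, an existing
# BCD store is present, and this runs in an elevated PowerShell session.
$vhdPath = 'vhd=[C:]\VHD1.vhd'

# 1. Copy the current default entry. bcdedit prints
#    "The entry was successfully copied to {GUID}." Braces must be quoted in PowerShell,
#    otherwise {default} is parsed as a script block.
$copyOutput = bcdedit /copy '{default}' /d 'VHD1 (native boot)'
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

# 2. Pull the new entry's GUID (with braces) out of that line instead of retyping it.
$guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "Could not parse a GUID from: $copyOutput" }

# 3. Point both the boot device and the OS device at the VHD file.
bcdedit /set $guid device   $vhdPath
bcdedit /set $guid osdevice $vhdPath

# 4. x86 systems may need HAL detection to native-boot from a VHD; harmless elsewhere.
bcdedit /set $guid detecthal on

# 5. Make the VHD entry the default while keeping the copied entry as a fallback in the menu.
bcdedit /default $guid

# Verify: device and osdevice of the new entry must both read vhd=[C:]\VHD1.vhd.
bcdedit /enum $guid
```

The BCD store is only writable by administrators; if the Windows PE session has no store at all, the /copy step is the one that fails, which is the signal to create a store first rather than to keep running the remaining commands.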
QUESTION 426
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You add a new 3-terabyte hard disk to Server1.
You need to create a 3-terabyte volume.
What should you do first?
A. Disable write caching for the hard disk.
B. Initialize the disk as a Master Boot Record (MBR) disk.
C. Initialize the disk as a GUID Partition Table (GPT) disk.
D. Disable direct memory access (DMA) for the hard disk controller.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A newly added disk must be initialized before any volume can be created on it, and an MBR disk cannot address more than 2 TB, so the disk must be initialized as GPT first.
A GPT disk uses the GUID partition table (GPT) disk partitioning system. A GPT disk offers these benefits:
Allows up to 128 primary partitions. Master Boot Record (MBR) disks can support up to four primary partitions and an additional 124 partitions inside extended partitions.
Allows a much larger partition size: greater than 2 terabytes (TB), which is the limit for MBR disks.
Provides greater reliability because of replication and cyclical redundancy check (CRC) protection of the partition table.
Can be used as a storage volume on all x64-based platforms, including platforms running Windows XP Professional x64 Edition. Starting with Windows Server 2003 SP1, GPT disks can also be used as a storage volume on x86-based Windows platforms.
Can be used as a boot volume on x64-based editions of Windows 7, Windows Vista, and Windows Server 2008. Starting with Windows Server 2003 SP1, GPT disks can also be used as a boot volume on Itanium-based systems.
Note: Windows only supports booting from a GPT disk on systems that contain Unified Extensible Firmware Interface (UEFI) boot firmware.
Source: http://www.microsoft.com/whdc/device/storage/GPT-on-x64.mspx
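The following script is an added example, not part of the page or of Microsoft's documentation. It performs the initialization with a diskpart script, the tool that ships with Windows Server 2008 R2 (the Storage module cmdlets Initialize-Disk and New-Partition only arrived in Windows Server 2012), and refuses to run against a disk that already carries volumes, because "clean" destroys everything on the disk. It assumes the new disk is disk 1 and that drive letter E: is free.

```powershell
# Added example (not from the page): initialize a new disk as GPT and create a single
# NTFS volume spanning all 3 TB with a diskpart script. Assumptions: the new disk is
# disk 1, drive letter E: is unused, and this runs elevated on Windows Server 2008 R2.
$diskNumber  = 1
$driveLetter = 'E'

# Safety check: "clean" wipes the partition table, so stop if the disk is not empty.
# diskpart reads commands from stdin, so the two commands can be piped in.
$detail = @("select disk $diskNumber", 'detail disk') | diskpart
if ($detail -match '^\s+Volume \d+') {
    throw "Disk $diskNumber already has volumes; refusing to convert it."
}

$script = @"
select disk $diskNumber
clean
convert gpt
create partition primary
format fs=ntfs label="Data" quick
assign letter=$driveLetter
"@

$scriptPath = Join-Path $env:TEMP 'gpt3tb.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
$result = diskpart /s $scriptPath
Remove-Item $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($result -join "`n")" }

# Verify the partition style: Win32_DiskPartition.Type reads "GPT: Basic Data" for GPT
# disks and "Installable File System" for MBR. Had the disk been MBR, the partition
# would have been capped at 2 TB regardless of what "create partition" was asked for.
$part = Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=$diskNumber" |
        Sort-Object Size -Descending | Select-Object -First 1
if ($part.Type -notlike 'GPT:*') { throw "Disk $diskNumber is not GPT: $($part.Type)" }
'Disk {0}: {1:N0} GB partition, type "{2}"' -f $diskNumber, ($part.Size / 1GB), $part.Type
```

The volume check at the top is the step a practitioner actually wants in any script that contains "clean": a wrong disk number turns a provisioning script into a data-loss incident.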
QUESTION 427
You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers.
The domain contains one Active Directory-integrated DNS zone. You need to ensure that outdated DNS records are automatically removed from the DNS zone.
What should you do?
A. From the properties of the zone, modify the TTL of the SOA record.
B. From the properties of the zone, enable scavenging.
C. From the command prompt, run ipconfig /flushdns.
D. From the properties of the zone, disable dynamic updates.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc753217.aspx
Set Aging and Scavenging Properties for the DNS Server
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server.
Scavenging needs two settings that are often confused: aging on the zone (so that dynamically registered records carry a timestamp) and scavenging on at least one server that hosts the zone (so that records past their refresh window are actually deleted). Neither alone removes anything. Lowering the SOA TTL (option A) only shortens caching, flushing the resolver cache (option C) touches no zone data, and disabling dynamic updates (option D) stops new records but leaves stale ones in place.
Further information:
http://technet.microsoft.com/en-us/library/cc771677.aspx
Understanding Aging and Scavenging
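The block below is an added example (not from the TechNet pages cited) that sets both halves of the feature with dnscmd, the command-line tool available on Windows Server 2008, and then reads the effective values back. It assumes the zone is contoso.com and the DC/DNS server is named DC1; the interval values are the Windows defaults and are in hours.

```powershell
# Added example (not from the page): enable aging on the zone and scavenging on the server.
# Assumptions: zone contoso.com, server DC1, run as a member of DnsAdmins or Domain Admins.
$server = 'DC1'
$zone   = 'contoso.com'

# Zone-level aging. A record becomes eligible for removal only after
# NoRefreshInterval + RefreshInterval (7 + 7 days here) with no refresh from its owner.
dnscmd $server /Config $zone /Aging 1
dnscmd $server /Config $zone /NoRefreshInterval 168
dnscmd $server /Config $zone /RefreshInterval 168

# Server-level scavenging. Keep the interval at or above the refresh interval: a shorter
# interval deletes records of hosts that were merely offline (laptops, a DR site) and
# they stop resolving until they re-register.
dnscmd $server /Config /ScavengingInterval 168

# Review what is now in effect before the first scavenging pass runs.
dnscmd $server /ZoneInfo $zone | Select-String 'Aging|Refresh|Scaveng'
dnscmd $server /Info | Select-String 'Scaveng'

# Static records (created by hand) carry no timestamp and are never scavenged, so a
# stale entry someone typed in must still be deleted manually. To force a pass now:
# dnscmd $server /StartScavenging
```

With an Active Directory-integrated zone every DNS server holds a writable copy, so turn scavenging on for one or two servers only (the zone's ScavengeServers list limits which servers may scavenge it); with all of them scavenging, the record timestamps replicate and the deletions are harder to attribute.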
QUESTION 428
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and
Audit directory services access setting are enabled for the entire domain.
You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.
What should you do?
A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.
C. Enable the Audit account management policy in the Default Domain Controller Policy.
D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx AD DS Auditing Step-by-Step Guide
In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.
..
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.
If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.
..
In Windows Server 2008, you implement the new auditing feature by using the following controls:
Global audit policy
System access control list (SACL)
Schema
Global audit policy
Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default.
You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories. (Windows Server 2008 R2 adds Advanced Audit Policy Configuration under Security Settings in Group Policy, which exposes the same subcategories.)
Note that the policy only makes the events possible: nothing is written until a SACL on the objects of interest names the principals and operations to audit. That is why the answer combines auditpol.exe with the Security settings of the Domain Controllers OU.
Further information:
http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx Auditpol
Displays information about and performs functions to manipulate audit policies.
http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/ AD Scenario: Auditing Directory Services
Auditing of Directory Services depends on several controls, these are:
1. Global Audit Policy (at category level using the gpmc.msc tool)
2. Individual Audit Policy (at subcategory level using the auditpol.exe tool)
3. System ACLs to specify which operations are to be audited for a security principal.
4. Schema (optional): this is an additional control in the schema that you can use to create exceptions to what is audited.
In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects and their attributes. This can be done using the auditpol.exe tool.
Command to check which audit policies are active on your machine: auditpol /get /category:*
Command to view the audit policy categories and Subcategories:
How to enable the global audit policy using the Windows interface, i.e. the gpmc tool:
Click Start, point to Administrative Tools, and then Group Policy Management, or run the gpmc.msc command.
In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
In the details pane, right-click Audit directory service access, and then click Properties.
Select the Define these policy settings check box.
Under Audit these attempts, select the Success check box, and then click OK.
How to enable the change auditing policy using a command line:
Click Start, right-click Command Prompt, and then click Run as administrator.
Type the following command, and then press ENTER (the subcategory name contains spaces, so it must be quoted):
auditpol /set /subcategory:"directory service changes" /success:enable
To verify whether auditing is enabled for Directory Service Changes, run:
auditpol /get /category:"DS Access"
How to set up auditing in object SACLs
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.
Click the Security tab, click Advanced, and then click the Auditing tab.
Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal) and then click OK.
In Apply onto, click Descendant User objects (or any other objects). Under Access, select the Successful check box for Write all properties.
Click OK.
Click OK until you exit the property sheet for the OU or other object.
To test whether auditing is working, try creating or modifying objects in the Finance OU and check the Security event logs.
I just created a new user account in Finance OU named f4.
If you check the security event logs you will find event ID 5137 (Create).
Note: Once auditing is enabled these event IDs will appear in the security event logs: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move).
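The script below is an added example, not code from the guide or the blog quoted above. It does the three pieces in one place: sets the subcategory with auditpol, adds the same SACL entry the GUI steps describe (Authenticated Users, successful Write all properties, descendant user objects) through ADSI, and then reads the 5136 events back and pairs them up, which shows how the "old and new values" actually arrive: as two events sharing an OpCorrelationID, one with OperationType %%14675 (Value Deleted, the old value) and one with %%14674 (Value Added, the new value). It assumes it runs elevated on a DC of contoso.com, that the OU is OU=Finance,DC=contoso,DC=com, that a user f4 exists there, and that the ActiveDirectory module is available.

```powershell
# Added example (not from the page): enable Directory Service Changes auditing, set the SACL,
# and decode old/new attribute values from 5136 events. Assumptions: elevated session on a
# DC of contoso.com, OU=Finance,DC=contoso,DC=com exists with a user f4, AD module present.
Import-Module ActiveDirectory

# 1. Subcategory policy (the "run auditpol.exe" part of the answer).
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /category:"DS Access"

# 2. SACL on the OU: successful "Write all properties" by Authenticated Users (S-1-5-11)
#    on descendant user objects. bf967aba-... is the schemaIDGUID of the user class.
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-5-11',
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [Guid]::Empty,                                                   # all properties
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$ou = [ADSI]'LDAP://OU=Finance,DC=contoso,DC=com'
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl  # touch only the SACL
$ou.psbase.ObjectSecurity.AddAuditRule($rule)
$ou.psbase.CommitChanges()

# 3. One attribute modify produces two 5136 events with the same OpCorrelationID:
#    %%14675 = Value Deleted (old value), %%14674 = Value Added (new value).
function Get-AdAttributeChange {
    param([int]$MaxEvents = 200)
    $opName = @{ '%%14674' = 'added'; '%%14675' = 'deleted' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Correlation = $d['OpCorrelationID']
            Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object      = $d['ObjectDN']
            Attribute   = $d['AttributeLDAPDisplayName']
            Operation   = $opName[$d['OperationType']]
            Value       = $d['AttributeValue']
        }
    }
}

# Make a change, then report each correlated pair as old -> new.
Set-ADUser -Identity f4 -Description 'Finance analyst'
Get-AdAttributeChange | Group-Object Correlation | ForEach-Object {
    $old = ($_.Group | Where-Object { $_.Operation -eq 'deleted' } | Select-Object -First 1).Value
    $new = ($_.Group | Where-Object { $_.Operation -eq 'added'   } | Select-Object -First 1).Value
    $e   = $_.Group[0]
    '{0} {1} changed {2} on {3}: "{4}" -> "{5}"' -f $e.Time, $e.Actor, $e.Attribute, $e.Object, $old, $new
}
```

Two practical points the GUI steps hide: writing a SACL needs SeSecurityPrivilege (Domain Admins have it on DCs), and the events land only in the Security log of the DC that processed the write, so a detection pipeline must collect 5136-5139 from every DC, not from one.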
QUESTION 429
Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a
single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the
ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and
resolve DNS queries in the event that aWAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
A secondary zone on DC2 (option B) would keep answering queries during a WAN outage but is read-only, so dynamic updates from branch clients would still have to reach DC1. A stub zone or a forwarder (options A and C) depends on DC1 for both. Only an AD-integrated zone gives DC2 a writable copy that replicates with the directory.
Explanation:
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
Further information:
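As an added example (not from the TechNet page), the conversion and the check that DC2 really holds a writable copy, done with dnscmd and repadmin. It assumes DC1 and DC2 both run the DNS Server role, the zone is ad.contoso.com, and the caller is a Domain Admin. The AllowUpdate step is the one worth remembering: a standard primary zone can only accept unauthenticated dynamic updates, and converting the zone does not by itself change that setting.

```powershell
# Added example (not from the page): convert the file-backed primary zone on DC1 to an
# AD-integrated zone, switch it to secure dynamic updates, and confirm DC2 has a writable copy.
# Assumptions: zone ad.contoso.com, DNS role on DC1 and DC2, run as a Domain Admin.
$zone = 'ad.contoso.com'

# The conversion must be done on the server that owns the primary copy (DC1).
# /DsPrimary stores the zone in AD; by default it replicates to the domain partition.
dnscmd DC1 /ZoneResetType $zone /DsPrimary

# 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only (AD-integrated zones only).
# Secure updates bind each record to the account that registered it, so one branch
# client cannot overwrite another host's A record.
dnscmd DC1 /Config $zone /AllowUpdate 2

# Push replication to DC2 instead of waiting for the schedule, then inspect the zone there.
repadmin /syncall DC2 /AdeP
$info = dnscmd DC2 /ZoneInfo $zone
if ($info -match 'DS integrated\s*=\s*1') {
    "DC2 holds an AD-integrated copy of $zone; it can answer and accept updates if the WAN fails."
} else {
    throw "DC2 does not yet hold $zone as an AD-integrated zone:`n$($info -join "`n")"
}
```

For the branch to benefit, its clients must list DC2 as their first DNS server (DC1 second); the zone being on DC2 does nothing for clients that still query across the WAN.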
QUESTION 430
Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS).
You need to create new organizational units in the AD LDS application directory partition.
What should you do?
A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.
B. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.
D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.
Explanation:
http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspx ADSI Edit (adsiedit.msc)
Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
Active Directory Users and Computers (option B) binds only to AD DS domains, and dsmod (option A) modifies existing objects rather than creating them.
http://technet.microsoft.com/en-us/library/cc730701%28v=ws.10%29.aspx#BKMK_1 Step 4: Practice Managing AD LDS Organizational Units, Groups, and Users
Create an OU
To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In Active Directory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol (LDAP)-based directories, OUs are most commonly used for keeping users and groups organized.
To create an OU
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Connect and bind to the directory partition of the AD LDS instance to which you want to add an OU.
3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click the container to which you want to add the OU, point to New, and then click Object.
4. In Select a class, click organizationalUnit, and then click Next.
5. In Value, type a name for the new OU, and then click Next.
6. If you want to set values for additional attributes, click More attributes.
Further information:
http://technet.microsoft.com/en-us/library/cc754663%28v=ws.10%29.aspx Step 5: Practice Working with Application Directory Partitions
The Active Directory Lightweight Directory Services (AD LDS) directory store is organized into logical directory partitions. There are three different types of directory partitions:
Configuration directory partitions
Schema directory partitions
Application directory partitions
Each AD LDS directory store must contain a single configuration directory partition and a single schema directory partition. The directory store can contain zero or more application directory partitions.
Application directory partitions hold the data that your applications use. You can create an application directory partition during AD LDS setup or anytime after installation.
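ADSI Edit is a GUI over the same ADSI interfaces PowerShell can drive directly, which is how you would script this for more than a handful of OUs. The block below is an added example, not from the TechNet walkthrough. It assumes the AD LDS instance listens on ldsserver:50000, that the application partition is o=Microsoft,c=US (the name the walkthrough uses), and that the caller is a member of the instance's Administrators role; if the current Windows identity is not, bind with explicit credentials through a DirectoryEntry constructor instead of the [ADSI] accelerator.

```powershell
# Added example (not from the page): create OUs in an AD LDS application partition via ADSI.
# Assumptions: instance on ldsserver:50000, partition o=Microsoft,c=US, caller is in the
# instance's Administrators role (otherwise bind with explicit credentials).
$partition = [ADSI]'LDAP://ldsserver:50000/o=Microsoft,c=US'

function New-LdsOu {
    param(
        [Parameter(Mandatory = $true)] $Parent,
        [Parameter(Mandatory = $true)] [string] $Name
    )
    # Idempotent: rerunning the script returns the existing OU instead of throwing.
    $existing = $Parent.psbase.Children | Where-Object {
        $_.psbase.SchemaClassName -eq 'organizationalUnit' -and [string]$_.ou -eq $Name
    }
    if ($existing) { return $existing }
    $ou = $Parent.psbase.Children.Add("OU=$Name", 'organizationalUnit')
    $ou.psbase.CommitChanges()       # nothing is written until CommitChanges
    return $ou
}

$people = New-LdsOu -Parent $partition -Name 'People'
$groups = New-LdsOu -Parent $partition -Name 'Groups'
New-LdsOu -Parent $people -Name 'Finance' | Out-Null

# Verify with an LDAP search against the partition rather than trusting the return values.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partition)
$searcher.Filter = '(objectClass=organizationalUnit)'
$searcher.FindAll() | ForEach-Object { $_.Path }
```

On Windows Server 2008 R2 the Active Directory module's New-ADOrganizationalUnit also works against an AD LDS instance (with -Server host:port and a -Path inside the application partition) provided Active Directory Web Services is running for that instance; the ADSI form above has no such dependency.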
QUESTION 431
Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role.
DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role.
You need to ensure that DC2 holds the Schema Master role.
What should you do?
A. Configure DC2 as a bridgehead server.
B. On DC2, seize the Schema Master role.
C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snapin.
D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: On DC2, seize the Schema Master role.
A transfer requires the current holder (DC1) to be online, because the two DCs agree on the hand-over and replicate the final schema changes first. DC1 has failed, so the role must be seized on DC2: DC2 writes itself as the role owner without DC1's participation. Options C and D only address permissions and the snap-in, neither of which helps while DC1 is down.
Explanation:
http://technet.microsoft.com/en-us/library/cc816645%28v=ws.10%29.aspx Transfer the Schema Master
You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.
..
Note: You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe.
Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.
http://technet.microsoft.com/en-us/library/cc794853%28v=ws.10%29.aspx Seize the AD LDS Schema Master Role
(This reference describes the AD LDS schema master; the caution at the end applies equally to the AD DS schema master.)
The schema master is responsible for performing updates to the Active Directory Lightweight Directory Services (AD LDS) schema. Each configuration set has only one schema master. All write operations to the AD LDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within its configuration set. Those schema updates are replicated from the schema master to all other instances in the configuration set. Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure.
Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again.
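The script below is an added example, not from the TechNet pages quoted. It tries the transfer first and falls back to a seize only when the transfer fails, verifies the outcome from two independent views, and then performs the metadata cleanup that must follow a seize so the old holder cannot be brought back as a second schema master. It assumes it runs on DC2 as a member of Schema Admins and Domain Admins, that the domain is contoso.com, that DC1 lived in Default-First-Site-Name, and that the ActiveDirectory module (which needs Active Directory Web Services on DC2) is available.

```powershell
# Added example (not from the page): transfer-then-seize the schema master to DC2 and clean up DC1.
# Assumptions: run on DC2 as Schema Admin + Domain Admin, domain contoso.com, DC1 was in
# Default-First-Site-Name, ActiveDirectory module available.
Import-Module ActiveDirectory

function Move-SchemaMasterToDC2 {
    # A transfer only succeeds while the current holder can still be contacted.
    try {
        Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole SchemaMaster `
            -Confirm:$false -ErrorAction Stop
        return 'transferred'
    } catch {
        # -Force seizes: DC2 becomes fSMORoleOwner without DC1's agreement.
        Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole SchemaMaster `
            -Force -Confirm:$false -ErrorAction Stop
        return 'seized'
    }
}
$how = Move-SchemaMasterToDC2

# The ntdsutil equivalent (it also attempts a transfer before seizing):
# ntdsutil roles connections "connect to server DC2" quit "seize schema master" quit quit

# Verify: the forest object and netdom must both name DC2.
$holder = (Get-ADForest).SchemaMaster
if ($holder -notmatch '^DC2\.') { throw "Schema master is $holder, expected DC2" }
"Schema master $how to $holder"
netdom query fsmo

# A DC whose role was seized must never be reconnected: two schema masters can accept
# conflicting schema changes. Remove DC1's metadata so it cannot quietly rejoin replication.
$dc1 = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'
ntdsutil "metadata cleanup" "remove selected server $dc1" quit quit
```

Because the schema master is forest-wide, check the holder from a DC in another domain as well if the forest has several; the seize is authoritative, but a stale value will linger on DCs that have not yet replicated the configuration partition.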
QUESTION 432
Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.
You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS
administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration
Web site.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1 RMS Administration Issues
"SQL Server does not exist or access denied" message received when attempting to open the RMS
Administration Web site
If you have installed RMS by using a new installation of SQL Server 2005 as your database server, the SQL Server service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to automatically restart, RMS will not be able to function and only the RMS Global Administration page will be accessible.
After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.
The order matters: IIS caches the failed database connection, so restarting IIS before SQL Server is running reproduces the same error. Set the service's startup type to Automatic as well, or the problem returns at the next reboot.
QUESTION 433
Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are
configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com
zone.
What should you do?
A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).
C. From the DNS Manager console, modify the permissions of the contoso.com zone.
D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: From the DNS Manager console, modify the permissions of the contoso.com zone.
Permissions set on the contoso.com zone object apply to that zone and its records only, so the user gains nothing in nwtraders.com, including its SOA record. The Delegation of Control Wizard and the Domain Controllers OU (options A and B) act on directory objects that are not the dnsZone objects, and modifying nwtraders.com (option D) grants rights in the wrong zone.
Explanation:
http://technet.microsoft.com/en-us/library/cc753213.aspx
Modify Security for a Directory-Integrated Zone
You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure.
To modify security for a directory-integrated zone:
1. Open DNS Manager.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.
Further information:
http://support.microsoft.com/kb/163971
The Structure of a DNS SOA Record
The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain. The SOA resource record contains the following information:
Source host - The host where the file was created.
Contact e-mail - The e-mail address of the person responsible for administering the domain's zone file. Note that a "." is used instead of an "@" in the e-mail name.
Serial number - The revision number of this zone file. Increment this number each time the zone file is changed. It is important to increment this value each time a change is made, so that the changes will be distributed to any secondary DNS servers.
Refresh Time - The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record and the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.
Retry time - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
Expire time - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.
http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx Modify the start of authority (SOA) record for a zone
..
Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
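The Security tab in DNS Manager edits the DACL of the zone's dnsZone object in AD, so the same delegation can be made and verified from the command line. The block below is an added example, not from the TechNet pages; it grants one user write access on contoso.com and then shows that the "@" dnsNode holding the nwtraders.com SOA is unaffected. It assumes both zones are stored in the DomainDnsZones partition of contoso.com (zones in the domain partition live under CN=MicrosoftDNS,CN=System instead), that the user is CONTOSO\dnsop, and that the caller is in DnsAdmins or Domain Admins.

```powershell
# Added example (not from the page): delegate write access on the contoso.com zone object and
# confirm nothing changed for the nwtraders.com SOA. Assumptions: both zones are in the
# DomainDnsZones partition of contoso.com, user CONTOSO\dnsop, caller in DnsAdmins/Domain Admins.
$contosoZone   = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$nwtradersZone = 'DC=nwtraders.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$user          = 'CONTOSO\dnsop'

# Grant on the zone and inherit to its child dnsNode objects (/I:T = this object and sub-objects).
# Records are child objects of the zone, so CC/DC (create/delete child) let the user add and
# remove records; RP/WP (read/write property) let the user change existing ones.
dsacls $contosoZone /I:T /G "${user}:CCDCRPWP"

# Each zone's SOA is stored in its "@" dnsNode. Show whether the user appears in either node's ACL.
function Test-HasAce {
    param([string]$Dn, [string]$Principal)
    $acl = dsacls $Dn
    return [bool]($acl -match [regex]::Escape($Principal))
}
"contoso.com   SOA node lists $user : $(Test-HasAce "DC=@,$contosoZone"   $user)"
"nwtraders.com SOA node lists $user : $(Test-HasAce "DC=@,$nwtradersZone" $user)"

# If the same user must also hold broader rights for another reason, an explicit deny on the
# nwtraders.com SOA node wins over any inherited allow:
# dsacls "DC=@,$nwtradersZone" /D "${user}:WP"
```

Do not reach for DnsAdmins membership as the shortcut here: that group is effectively control of the DNS Server service on every DC, not of one zone, which is exactly what the question is trying to avoid.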
QUESTION 434
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certificate authority (CA). You
need to ensure that revoked certificate information is highly available.
What should you do?
A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.
B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).
C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
Explanation:
http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
..
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI.
..
Further information:
http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-highavailability.aspx
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance.
Clients find the responder through the OCSP URL in each certificate's Authority Information Access (AIA) extension, so the URL the CA publishes must name the load-balanced address, not an individual responder; otherwise every client still depends on one server. Options B and D only change which CAs or peer certificates clients trust and do nothing for revocation checking.
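The block below is an added example, not from the blog series or the TechNet page. It covers the load-balancing half and the one CA-side setting that makes clients use it, then checks a freshly issued certificate end to end. It assumes two responders OCSP1 and OCSP2 with an interface named "Ethernet", a virtual IP of 192.168.0.50 registered in DNS as ocsp.contoso.com, a CA on server CA1, and that the NetworkLoadBalancingClusters module is installed on both responders; the array itself (revocation configuration, signing certificate) is set up in the Online Responder console and is not repeated here.

```powershell
# Added example (not from the page): NLB in front of two Online Responders, the AIA entry that
# sends clients to the VIP, and an end-to-end check. Assumptions: responders OCSP1/OCSP2 with an
# interface "Ethernet", VIP 192.168.0.50 = ocsp.contoso.com, CA on CA1, NLB module installed.

# --- On OCSP1 and OCSP2: the Online Responder role (needs IIS) ---
Import-Module ServerManager
Add-WindowsFeature ADCS-Online-Cert | Out-Null

# --- On OCSP1: create the cluster, then join OCSP2 ---
Import-Module NetworkLoadBalancingClusters
# Multicast mode keeps the nodes reachable on their own addresses when each has one NIC;
# unicast would also work with a second management NIC.
New-NlbCluster -InterfaceName 'Ethernet' -ClusterName 'ocsp.contoso.com' `
    -ClusterPrimaryIP '192.168.0.50' -SubnetMask '255.255.255.0' -OperationMode Multicast | Out-Null
Add-NlbClusterNode -NewNodeName 'OCSP2' -NewNodeInterface 'Ethernet' | Out-Null
# The default port rule (all ports) is fine: OCSP is plain HTTP on 80 and the responses
# themselves are signed, so the transport needs no TLS and no client affinity.
Get-NlbClusterNode          # both nodes should report Converged

# --- On CA1: publish the VIP name as the OCSP URL (flag 32 = include in the OCSP part of AIA) ---
# Only certificates issued after the restart carry the new URL; existing ones keep theirs.
certutil -setreg CA\CACertPublicationURLs "+32:http://ocsp.contoso.com/ocsp"
Restart-Service certsvc

# --- From a client: a newly issued certificate must validate through the responder ---
function Test-OcspViaCluster {
    param([string]$CertPath)
    $out = certutil -urlfetch -verify $CertPath
    # certutil prints 'Verified "OCSP" Time: ...' followed by the URL it used.
    return [bool](($out -match 'Verified "OCSP"') -and ($out -match 'ocsp\.contoso\.com'))
}
Test-OcspViaCluster 'C:\temp\issued.cer'
```

Repeat the last check with one responder stopped: the VIP should still answer, which is the property "highly available" actually refers to. Also keep the responder signing certificates short-lived and auto-renewed; a responder whose signing certificate has expired is down even when NLB says it is up.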
QUESTION 435
Your network contains a domain controller that has two network connections named Internal and Private.
Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain controller from registering Host (A) records for
the 10.10.10.5 IP address.
What should you do?
A. Modify the netlogon.dns file on the domain controller.
B. Modify the Name Server settings of the DNS zone for the domain.
C. Modify the properties of the Private network connection on the domain controller.
D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://support.microsoft.com/kb/2023004
Steps to avoid registering unwanted NIC(s) in DNS on a Multihomed Domain Controller
Symptoms
On Domain Controllers with more than one NIC where each NIC is connected to a separate network, there is a possibility that the Host A DNS registration can occur for unwanted NIC(s).
If the client queries for the DC's DNS records and gets an unwanted record, or the record of a different network which is not reachable to the client, the client will fail to contact the DC, causing authentication and many other issues.
Cause
The DNS server will respond to the query in a round robin fashion. If the DC has multiple NICs registered in DNS, the DNS server will serve the client with all the records available for that DC. To prevent this, we need to make sure the unwanted NIC address is not registered in DNS. Below are the services that are responsible for Host A record registration on a DC:
1. Netlogon service
2. DNS server service (if the DC is running the DNS server service)
3. DHCP client / DNS client (2003/2008)
If the NIC is configured to register the connection address in DNS, then the DHCP / DNS client service will register the record in DNS. The unwanted NIC should be configured not to register the connection address in DNS.
If the DC is running the DNS server service, then the DNS service will register the interface Host A record that it has been set to listen on. The zone properties, Name Servers tab, lists the IP addresses of the interfaces present on the DC. If it lists both IPs, then the DNS server will register a Host A record for both IP addresses. We need to make sure that only the required interface listens for DNS and that the zone properties, Name Servers tab, has the required IP address information.
Resolution
To avoid this problem perform the following 3 steps (it is important that you follow all the steps to avoid the issue).
1. Under Network Connections Properties: on the unwanted NIC, TCP/IP Properties -> Advanced -> DNS, uncheck "Register this connection's addresses in DNS".
2. Open the DNS server console: highlight the server in the left pane, Action -> Properties, and on the "Interfaces" tab select "Listen on only the following IP addresses". Remove the unwanted IP address from the list.
3. In the zone properties, select the Name Servers tab. Along with the FQDN of the DC, you will see the IP address associated with the DC. Remove the unwanted IP address if it is listed. After performing this, delete the existing unwanted Host A record of the DC.
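The three resolution steps above, scripted, as an added example that is not part of KB 2023004 or of this exam dump. It is meant for an elevated PowerShell prompt on the domain controller itself (Windows Server 2008 R2; dnscmd.exe ships with the DNS Server role). Assumed names: DC "DC1", zone "contoso.com", Internal NIC 192.168.0.20 (to keep), Private NIC 10.10.10.5 (must not be registered).

```powershell
# Added example, not from KB 2023004. Assumed: DC "DC1", zone "contoso.com",
# keep 192.168.0.20 (Internal), stop registering 10.10.10.5 (Private).
$Dc     = 'DC1'
$Zone   = 'contoso.com'
$KeepIP = '192.168.0.20'
$DropIP = '10.10.10.5'

# Step 1: stop the DHCP/DNS Client from registering the Private connection's address.
# Win32_NetworkAdapterConfiguration.SetDynamicDNSRegistration(FullDNSRegistrationEnabled,
# DomainDNSRegistrationEnabled) is the scriptable form of clearing
# "Register this connection's addresses in DNS" on the adapter.
$adapter = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
             Where-Object { $_.IPEnabled -and $_.IPAddress -contains $DropIP })
if ($adapter.Count -ne 1) { throw "expected exactly one adapter carrying $DropIP, found $($adapter.Count)" }
$rc = $adapter[0].SetDynamicDNSRegistration($false, $false)
if ($rc.ReturnValue -ne 0) { throw "SetDynamicDNSRegistration failed with code $($rc.ReturnValue)" }

# Step 2: make the DNS Server service listen only on the Internal address, so it registers a
# Host (A) record only for that interface. The new listen list is read when the service restarts.
dnscmd $Dc /ResetListenAddresses $KeepIP
Restart-Service -Name DNS

# Step 3: delete the record that was already registered for 10.10.10.5. The zone's Name Servers
# tab displays the A records of the NS hosts, so this also clears the unwanted IP from that tab.
dnscmd $Dc /RecordDelete $Zone $Dc A $DropIP /f

# Re-register the wanted records (host record via the DNS Client, locator records via Netlogon)
# and confirm that only 192.168.0.20 is left for DC1.
ipconfig /registerdns | Out-Null
nltest /dsregdns | Out-Null
dnscmd $Dc /EnumRecords $Zone $Dc /Type A
```

Step 1 alone is not enough on a DC that also runs DNS: the DNS Server service registers its own listen addresses regardless of the adapter setting, which is why the listen list and the stale record both have to be cleaned up as well.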
QUESTION 436
Your network contains an Active Directory forest named contoso.com. You plan to add a new domain named nwtraders.com to the forest.
All DNS servers are domain controllers.
You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest.
What should you do?
A. Add the computer accounts of all the domain controllers to the DnsAdmins group.
B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C. Create a standard primary zone on a domain controller in the forest root domain.
D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 437
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone
for contoso.com. You discover that non-domain member computers register records in the contoso.com zone. You need to prevent the non-domain member
computers from registering records in the contoso.com zone.
All domain member computers must be allowed to register records in the contoso.com zone.
What should you do first?
A. Configure a trust anchor.
B. Run the Security Configuration Wizard (SCW).
C. Change the contoso.com zone to an Active Directory-integrated zone.
D. Modify the security settings of the %SystemRoot%\System32\Dns folder.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx Active Directory-Integrated Zones
DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages:
Multiple masters are created for DNS replication. Therefore:
Any domain controller in the domain running the DNS server service can write updates to the Active Directory-integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS.
QUESTION 438
Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. You add an alias (CNAME) resource record named
Server1 to the zone. The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve.
You successfully resolve server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
What should you do?
A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc731744.aspx
Enable GlobalNames zone support
The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every
authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1
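Because the setting has to be turned on for every authoritative DNS server in the forest, a single dnscmd call is not the whole job. The following added example (not from the TechNet article) enumerates the domain controllers of every domain in the forest, enables the setting where the DNS Server service exists, and reads the value back. It assumes, as the question does, that all DNS servers are domain controllers, and that dnscmd.exe is present on the machine running the script.

```powershell
# Added example, not from the TechNet article. Assumes all DNS servers are DCs.
$dcs = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
       ForEach-Object { $_.DomainControllers } |
       ForEach-Object { $_.Name }          # FQDN of each DC

foreach ($server in $dcs) {
    # A DC without the DNS Server role has no 'DNS' service; skip it rather than fail.
    $svc = Get-Service -ComputerName $server -Name DNS -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$server does not run the DNS Server service; skipping"; continue }

    dnscmd $server /Config /EnableGlobalNamesSupport 1 | Out-Null

    # /Info prints the DWORD value of the setting; 1 means GlobalNames lookups are served.
    $value = dnscmd $server /Info /EnableGlobalNamesSupport | Select-String 'Dword'
    '{0}: {1}' -f $server, ($value.Line.Trim())
}

# With support enabled everywhere, the single-label name resolves through the CNAME in the
# GlobalNames zone (the zone itself was created earlier as an AD-integrated primary zone).
nslookup Server1
```

A server that is skipped here but still appears as a name server for the zone is worth a second look: clients that are pointed at it will keep failing single-label lookups.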
QUESTION 439
Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is
replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1.
What should you do?
A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc754916.aspx
Change the Zone Replication Scope
You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)-integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
http://technet.microsoft.com/en-us/library/cc772101.aspx
Understanding DNS Zone Replication in Active Directory Domain Services
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes.
The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.
When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS-integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest.
AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog.
AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000.
If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.
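Questions 436, 437 and 439 are all the same dnscmd knobs seen from different angles: where the zone is stored, who may update it, and which partition carries it. The following added example (not from the TechNet articles quoted above) walks through them on one server. Assumed names: DC and DNS server "DC1", zone "contoso.com", RODC "RODC1"; dnscmd.exe is installed with the DNS Server role on Windows Server 2008 R2.

```powershell
# Added example, not from the cited TechNet pages. Assumed: DC "DC1", zone "contoso.com".
$Dc   = 'DC1'
$Zone = 'contoso.com'

# Question 437: a file-backed standard primary zone only knows "none" or "nonsecure and secure"
# updates, which is how non-members registered records. Convert it to an AD-integrated primary.
# /dp picks the application partition: /forest = ForestDnsZones (every DNS server in the forest
# holds a writable copy, which is what Question 436 needs for the new nwtraders.com domain),
# /domain = DomainDnsZones, /legacy = the domain partition (all DCs in the domain).
dnscmd $Dc /ZoneResetType $Zone /DsPrimary /dp /forest

# AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
# Secure only requires an authenticated (Kerberos) update and leaves each client with rights
# only on the records it created.
dnscmd $Dc /Config $Zone /AllowUpdate 2

# Question 439 starts from a different state: the zone is already AD-integrated but stored in the
# domain partition ("all domain controllers in this domain"), so every DC, including RODC1 after
# its DNS role was removed, still replicates it. Moving it to DomainDnsZones limits replication to
# the DCs enrolled in that application partition, that is, the DCs that run the DNS Server service.
dnscmd $Dc /ZoneChangeDirectoryPartition $Zone /domain

# Verification: zone type, update mode and partition, then the replica set of the partition,
# which should list the DNS-running DCs only.
dnscmd $Dc /ZoneInfo $Zone | Select-String 'update|DS integrated|directory partition|zone DN'
dnscmd $Dc /DirectoryPartitionInfo "DomainDnsZones.$Zone" /detail | Select-String 'replica'
```

Two caveats a practitioner would check: an existing zone file is not removed by the conversion and can be left behind in %SystemRoot%\System32\Dns, and records that non-members registered before the switch stay in the zone until they are deleted or scavenged; changing AllowUpdate only governs future updates.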
QUESTION 440
Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.
The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
What should you do first?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspx DNS Security Extensions (DNSSEC)
What are the major changes?
Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server® 2008 R2 and Windows® 7. With the Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS infrastructure. The following changes are available in the DNS server in Windows Server 2008 R2:
Ability to sign a zone and host signed zones.
Support for changes to the DNSSEC protocol.
Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in the DNS client in Windows 7:
Ability to indicate knowledge of DNSSEC in queries.
Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
Ability to check whether the DNS server with which it communicated has performed validation on the client's behalf.
The DNS client's behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client's behavior. The NRPT is typically managed through Group Policy.
What does DNSSEC do?
DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.
In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.
QUESTION 441
Your network contains a domain controller that is configured as a DNS server. The server hosts an Active Directory-integrated zone for the domain.
You need to reduce how long it takes until stale records are deleted from the zone.
What should you do?
A. From the configuration directory partition of the forest, modify the tombstone lifetime.
B. From the configuration directory partition of the forest, modify the garbage collection interval.
C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.
D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx Set Aging and Scavenging Properties for a Zone
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time.
You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.
To set aging and scavenging properties for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone using a command line
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}
QUESTION 442
You have an Active Directory domain named contoso.com.
You have a domain controller named Server1 that is configured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The DNS configuration
of Server1 is shown in the exhibit. (Click the Exhibit button.)
You discover that stale resource records are not automatically removed from the contoso.com zone.
You need to ensure that the stale resource records are automatically removed from the contoso.com zone.
What should you do?
A. Set the scavenging period of Server1 to 0 days.
B. Modify the Server Aging/Scavenging properties.
C. Configure the aging properties for the contoso.com zone.
D. Convert the contoso.com zone to an Active Directory-integrated zone.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx Set Aging and Scavenging Properties for a Zone
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time.
You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.
To set aging and scavenging properties for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone using a command line
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}
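Questions 441 and 442 are the two halves of one mechanism: aging is a per-zone property (records get timestamps and become stale after the no-refresh plus refresh intervals), while scavenging is a per-server property (how often this server scans its zones and deletes stale records). Either half on its own deletes nothing. The following added example (not from the TechNet article) sets both and checks the result. Assumed names: server "Server1", zone "contoso.com"; all intervals are in hours, and dnscmd accepts decimal or 0x-prefixed hex values.

```powershell
# Added example, not from the TechNet article. Assumed: server "Server1", zone "contoso.com".
$Dc   = 'Server1'
$Zone = 'contoso.com'
$NoRefreshHours = 7 * 24   # timestamp refreshes are suppressed this long (limits replication churn)
$RefreshHours   = 7 * 24   # window in which a client may refresh; a record not refreshed by its end is stale
$ScavengeHours  = 7 * 24   # how often this server runs a scavenging pass over its zones

# Question 441: zone-level aging. A record becomes eligible for deletion only after
# NoRefresh + Refresh (14 days here); shortening either interval shortens the wait.
dnscmd $Dc /Config $Zone /Aging 1
dnscmd $Dc /Config $Zone /NoRefreshInterval $NoRefreshHours
dnscmd $Dc /Config $Zone /RefreshInterval $RefreshHours

# Question 442: server-level scavenging. A ScavengingInterval of 0 (the default, the unchecked
# "Enable automatic scavenging" box) means no server ever scans the zone, so stale records stay.
dnscmd $Dc /Config /ScavengingInterval $ScavengeHours

# Verify both halves.
dnscmd $Dc /ZoneInfo $Zone | Select-String 'aging|refresh'
dnscmd $Dc /Info /ScavengingInterval

# Optionally run a pass now rather than waiting for the next interval.
dnscmd $Dc /StartScavenging
```

Records created by hand have no timestamp and are never scavenged; resist the temptation of dnscmd /AgeAllRecords, which stamps them and makes the DC's own static entries candidates for deletion. Keep the refresh interval at least as long as the clients' DHCP lease or re-registration period, or records of healthy machines will age out between refreshes.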
QUESTION 443
Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit.
You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.
B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units.
D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
Explanation:
http://technet.microsoft.com/en-us/library/cc732524.aspx
Delegate Control of an Organizational Unit
To delegate control of an organizational unit
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
Where?
Active Directory Users and Computers\domain node\organizational unit
3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx Delegating Administration of Group Policy
Your Group Policy design will probably call for delegating certain Group Policy administrative tasks. Determining to what degree to centralize or distribute administrative control of Group Policy is one of the most important factors to consider when assessing the needs of your organization. In organizations that use a centralized administration model, an IT group provides services, makes decisions, and sets standards for the entire company. In organizations that use a distributed administration model, each business unit manages its own IT group.
You can delegate the following Group Policy tasks:
Creating GPOs
Managing individual GPOs (for example, granting Edit or Read access to a GPO), etc.
...
Delegating Creation of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU.
Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owners members do not have permissions for GPOs that they do not create.
Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.
The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permissions to link GPOs on a container can link the GPO as appropriate.
Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission:
Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC.
Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.
You can manage this permission by using the Delegation tab on the Group Policy Objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups. Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain. If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions.
Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions.
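What the Delegation of Control wizard's "Manage Group Policy links" task actually grants is write permission on two attributes of the OU, gPLink and gPOptions, and that is the whole of the "link" right. The following added example (not from the TechNet articles above) performs both answers from the command line so the result can be reviewed: Group Policy Creator Owners membership for the creation right, dsacls for the per-OU link right. Assumed names: OUs "Branch1" to "Branch3" directly under the domain root and groups "Branch1Admins" to "Branch3Admins" holding the branch administrators; it uses the ActiveDirectory module and dsacls.exe that ship with Windows Server 2008 R2 AD DS.

```powershell
# Added example, not from the cited TechNet pages. Assumed OU and group names as in the lead-in.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName

foreach ($branch in 'Branch1', 'Branch2', 'Branch3') {
    $group = "${branch}Admins"
    $ouDN  = "OU=$branch,$domainDN"

    # Answer B: the right to create GPOs. It is domain-wide by nature (GPOs live in
    # CN=Policies,CN=System), so membership of Group Policy Creator Owners is the right scope.
    Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $group

    # Answer A: the right to link GPOs to this OU only. Write Property on gPLink (the list of
    # linked GPOs) and gPOptions (block inheritance) on the OU object, nothing else.
    # The braces keep PowerShell from reading "$group:" as a scope qualifier.
    dsacls $ouDN /G "${netbios}\${group}:WP;gPLink"   | Out-Null
    dsacls $ouDN /G "${netbios}\${group}:WP;gPOptions" | Out-Null

    # Review: the group should appear with WRITE PROPERTY on exactly those two attributes.
    dsacls $ouDN | Select-String $group
}
```

The split matters for least privilege: a branch administrator can now author GPOs and attach them to their own OU, but cannot link anything at the domain root or to another branch, and cannot edit GPOs they did not create. Answer D would have granted link rights on the whole domain, which is exactly the over-delegation the question is steering away from.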
QUESTION 444
Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user
account has expired. Ask your administrator to reactivate the account."
You need to ensure that the user is able to log on to the domain.
What should you do?
A. Modify the properties of the user account to set the account to never expire.
B. Modify the properties of the user account to extend the Logon Hours setting.
C. Modify the default domain policy to decrease the account lockout duration.
D. Modify the properties of the user account to set the password to never expire.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Further information:
http://technet.microsoft.com/en-us/library/dd145547.aspx
User Properties - Account Tab
Account expires
Sets the account expiration policy for this user. You can select between the following options:
Use Never to specify that the selected account will never expire. This option is the default for new users.
Select End of and then select a date if you want to have the user's account expire on a specified date.
QUESTION 445
You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2.
You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.
You create the site link between Site1 and Site2.
What should you do next?
A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2.
B. Use the Active Directory Sites and Services console to configure a new site link bridge object.
C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.
D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-eplication.htm Inter-site Replication
The process of creating a custom site link has five basic steps:
1. Create the site link.
2. Configure the site link's associated attributes.
3. Create site link bridges.
4. Configure connection objects. (This step is optional.)
5. Designate a preferred bridgehead server. (This step is optional.)
http://technet.microsoft.com/en-us/library/cc759160%28v=ws.10%29.aspx Replication between sites
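The console steps in answer A, done from PowerShell, as an added example that is not from the cited article. A subnet object is just an object of class subnet under CN=Subnets whose siteObject attribute points at the site, so it can be created with New-ADObject (the cmdlet from Question 1); the Windows Server 2008 R2 ActiveDirectory module has no New-ADReplicationSubnet, but it does have Move-ADDirectoryServer. Assumed names: site "Site2", branch subnet 10.20.0.0/16, new domain controller "DC3".

```powershell
# Added example, not from the cited article. Assumed: site "Site2", subnet 10.20.0.0/16, DC "DC3".
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$siteDN   = "CN=Site2,CN=Sites,$configNC"

# Subnet objects are named by their prefix and linked to a site through siteObject.
# The DC locator uses them to send clients in 10.20.0.0/16 to Site2's DCs.
New-ADObject -Name '10.20.0.0/16' -Type subnet -Path "CN=Subnets,CN=Sites,$configNC" `
             -OtherAttributes @{ siteObject = $siteDN; description = 'Branch office LAN' }

# Move the DC's server object into Site2. The KCC then builds inter-site connection objects
# across the Site1-Site2 site link created earlier; without the move the DC stays in Site1
# and the new site link carries nothing.
Move-ADDirectoryServer -Identity 'DC3' -Site 'Site2'

# Verify: the DC reports Site2, and after a KCC run its replication partners include a Site1 DC.
Get-ADDomainController -Identity 'DC3' | Select-Object Name, Site, IPv4Address
repadmin /kcc DC3 | Out-Null
repadmin /showrepl DC3
```

If the DC's own address is not inside a subnet assigned to Site2, Netlogon logs event 5778 at startup; that is the usual sign that the subnet step was skipped or mistyped.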
QUESTION 446
Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales.
The Sales organizational unit contains all users and computers of the sales department.
You need to install an Office 2007 application only on the computers in the Sales organizational unit.
You create a GPO named SalesApp GPO.
What should you do next?
A. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the Sales organizational unit in each location.
B. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the domain.
C. Configure the GPO to publish the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.
D. Configure the GPO to assign the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 447
Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone.
You have two Active Directory sites. Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.
B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx Repadmin /syncall
Synchronizes a specified domain controller with all of its replication partners.
http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers
From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or it's just a good tool to check the status of replication between DCs. Below is a command to replicate from a specified DC to all other DCs: Repadmin /syncall DC_name /APed
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many, and with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don't even have to specify the server name.
QUESTION 448
Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level
is Windows 2000 native and the forest functional level is Windows 2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?
A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
C. Add the new UPN suffix to the forest.
D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://support.microsoft.com/kb/243629
HOW TO: Add UPN Suffixes to a Forest
Adding a UPN Suffix to a Forest
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
Click Add, and then click OK.
Now when you add users to the forest, you can select the new UPN suffix to complete the user's logon name.
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
QUESTION 449
Your network contains an Active Directory domain named contoso.com.
You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).
Under which node in the DNS snap-in should you add a zone?
To answer, select the appropriate node in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193
A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client
provides an IP address, and then the DNS server returns an FQDN.
QUESTION 450
Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operations master roles. DC1 fails.
You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations master roles to their original state.
You perform a metadata cleanup and remove all references of DC1.
Which three actions should you perform next?
(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
First we need to seize the operations master roles from DC1 to DC2. They are important and need to be in place. Next we rebuild DC1 (not DC2, we need it) and
transfer the operations master roles back to DC1.
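The seize-then-transfer sequence from the explanation, as an added example that is not part of the question or its answer. It uses Move-ADDirectoryServerOperationMasterRole from the Windows Server 2008 R2 ActiveDirectory module, where -Force turns a transfer into a seizure; ntdsutil's roles submenu does the same thing interactively. It assumes, as the question states, that the failed DC1 has already been removed by metadata cleanup before DC1 is rebuilt under the same name.

```powershell
# Added example, not from the question text. Assumed: surviving DC "DC2", rebuilt DC "DC1".
Import-Module ActiveDirectory
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolder {
    # Forest-wide roles come from the forest object, domain roles from the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Step 1 (DC1 is down): seize all five roles onto DC2. -Force writes the role ownership without
# contacting the current holder. The old DC1 disk image must never be booted again afterwards; it
# would still believe it owns the roles, and the RID master in particular would hand out duplicates.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole $roles -Force -Confirm:$false
Get-FsmoHolder

# Step 2: reinstall the OS on DC1, run dcpromo to make it a DC again (not shown), let it replicate.

# Step 3: transfer (no -Force) the roles back. Both DCs take part, so the hand-over is clean.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC1' -OperationMasterRole $roles -Confirm:$false
Get-FsmoHolder
netdom query fsmo
```

Seizing the schema or domain naming master is a last resort; if DC1 can be repaired quickly, transferring once it is back is preferable. Seizing the RID master or PDC emulator, on the other hand, is what keeps the domain functioning while DC1 is gone.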
QUESTION 451
A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed.
An AD LDS instance named LDS1 stores its data on the C: drive.
You need to relocate the LDS1 instance to the D: drive.
Which three actions should you perform in sequence?(To answer, move the three appropriate actions from the list of actions to the answer area and arrange them
in the correct order.)
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://www.ucertify.com/blog/windows-server-2008-tools-used-for-configuring-and-maintaining-active-directory.html
NTDSUTIL
NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory.
Important Usage
To relocate AD LDS directory partition, use the NTDSUTIL tool. Take the following steps:
Stop the LDS by using the net stop command.
Move the Database file through NTDSUTIL tool.
Start the directory service using the net start command.
QUESTION 452
You need to perform an offline defragmentation of an Active Directory database.
Which four actions should you perform in sequence?
(To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.)
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc794920.aspx
Compact the database file to a local directory or remote shared folder, as follows:
1. Open a Command Prompt as an administrator.
2. At the command prompt, type the following command, and then press ENTER: net stop ntds
3. Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
7. If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to <drive>:\<LocalDirectoryPath> (where <drive>:\<LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER.
8. If defragmentation completes successfully, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe.
(...)
Note
You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a secured network drive. If the compaction of the
database does not work properly, you can then easily restore the database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until
you have at least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.dit file to preserve it. Avoid overwriting the
original Ntds.dit file.
9. Manually copy the compacted database file to the original location, as follows: copy "<temporaryDrive>:\ntds.dit" "<originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit"
Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file.
(...)
10. Restart AD DS. At the command prompt, type the following command, and then press ENTER: net start ntds
QUESTION 453
Your company has an Active Directory forest that contains multiple domain controllers. The domain controllers run Windows Server 2008.
You need to perform an authoritative restore of a deleted organizational unit and its child objects.
Which four actions should you perform in sequence?
(To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them in the correct order.)
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
References:
Performing Authoritative Restore of Active Directory Objects
http://technet.microsoft.com/en-us/library/cc816878.aspx
Restart the Domain Controller in Directory Services Restore Mode Locally
http://technet.microsoft.com/en-us/library/cc816897.aspx
Restore AD DS from Backup (Nonauthoritative Restore)
http://technet.microsoft.com/en-us/library/cc794755.aspx
Mark an Object or Objects as Authoritative
http://technet.microsoft.com/en-us/library/cc816813.aspx
Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM
takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller.
During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows
Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Restore AD DS from Backup (Nonauthoritative Restore)
Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this
procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup,
use a system state or critical-volumes backup.
Mark an Object or Objects as Authoritative
In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers.
Restart the domain controller
[Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.]
QUESTION 454
ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. A new administrator accidentally deletes the entire
organizational unit in the Active Directory database that hosts 6000 objects.
You have backed up the system state data using third-party backup software. To restore backup, you start the domain controller in the Directory Services Restore
Mode (DSRM).
You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state.
Which three actions should you perform?
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
References:
Performing Authoritative Restore of Active Directory Objects
http://technet.microsoft.com/en-us/library/cc816878.aspx
Restart the Domain Controller in Directory Services Restore Mode Locally
http://technet.microsoft.com/en-us/library/cc816897.aspx
Restore AD DS from Backup (Nonauthoritative Restore)
http://technet.microsoft.com/en-us/library/cc794755.aspx
Mark an Object or Objects as Authoritative
http://technet.microsoft.com/en-us/library/cc816813.aspx
Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM
takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller.
During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows
Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Restore AD DS from Backup (Nonauthoritative Restore)
Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this
procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup,
use a system state or critical-volumes backup.
Mark an Object or Objects as Authoritative
In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers.
Restart the domain controller
[Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.]
QUESTION 455
You manage an Active Directory forest named contoso.com.
The forest contains an empty root domain named contoso.com and a child domain named child.contoso.com.
All domain controllers run Windows Server 2008. The functional level of the forest is Windows Server 2008.
You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To upgrade the forest level to Windows Server 2008 R2 we need to upgrade the servers first. And before we upgrade the servers we need to prepare the domain
and forest using adprep.
Reference 1:
http://technet.microsoft.com/en-us/library/cc771949.aspx
Caution: Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier.
Reference 2:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 96
The Adprep Utility
Microsoft provides the Adprep utility to prepare a down-level Active Directory domain for receiving Windows Server 2008 and Windows Server 2008 R2 domain
controllers. Found in the \sources\adprep folder of the installation DVD-ROM, this tool prepares the forest and domain by extending the Active Directory schema
and updating several required permissions.
Running the Adprep /forestprep Command
You must run the Adprep /forestprep command on the schema master of the forest first. It extends the schema to receive the new Windows Server 2008
enhancements, including the addition of directory descriptors for certain objects including granular password policies. You have to run this command and let its
changes replicate throughout the forest before you run the Adprep /domainprep command.
Reference 3:
Not really relevant, but some info on why using an empty root domain is no longer preferable:
http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comics-edition.aspx#adempty
QUESTION 456
You are decommissioning domain controllers that hold all forest-wide operations master roles.
You need to transfer all forest-wide operations master roles to another domain controller.
Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
A. Domain naming master
B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Schema master, Domain naming master
http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-indows- server-2008.aspx
Transferring FSMO Roles in Windows Server 2008
One of any system administrator's duties would be to upgrade a current domain controller to a new hardware server. One of the crucial steps required to successfully migrate your domain controller is to be able to successfully transfer the FSMO roles to the new hardware server.
FSMO stands for Flexible Single Master Operations, and in a forest there are at least five roles.
The five FSMO roles are:
Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator
The first two roles above are forest-wide, meaning there is one of each for the entire forest. The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.
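As an added example (not part of the original question set or the referenced article), the following PowerShell script makes the forest-wide/domain-wide split concrete: it enumerates every FSMO role holder in the forest, two roles from Get-ADForest and three per domain from Get-ADDomain, then transfers only the two forest-wide roles. It assumes the Active Directory module (Windows Server 2008 R2 or later) and uses DC2 as a placeholder name for the surviving domain controller.

```powershell
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles: exactly one holder of each for the whole forest.
    $forest = Get-ADForest
    $roles = @()
    $roles += New-Object PSObject -Property @{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $roles += New-Object PSObject -Property @{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

    # Domain-wide roles: one holder of each per domain, so 3 x (number of domains).
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $roles += New-Object PSObject -Property @{ Scope = 'Domain'; Domain = $name; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        $roles += New-Object PSObject -Property @{ Scope = 'Domain'; Domain = $name; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        $roles += New-Object PSObject -Property @{ Scope = 'Domain'; Domain = $name; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
    return $roles
}

$before = Get-FsmoRoleHolders
$before | Format-Table Scope, Domain, Role, Holder -AutoSize
$domainCount = @((Get-ADForest).Domains).Count
"Role count: {0} (2 forest-wide + 3 x {1} domains)" -f $before.Count, $domainCount

# Transfer (not seize) only the two forest-wide roles to the surviving DC.
# 'DC2' is a placeholder; -Force would be needed only to seize from a dead holder.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Verify: both forest-wide holders should now be DC2; domain-wide holders are untouched.
Get-FsmoRoleHolders | Where-Object { $_.Scope -eq 'Forest' } | Format-Table Role, Holder -AutoSize
```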
QUESTION 457
Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's
security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.
You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.
What should you do?
A. Create a new stub zone for the intranet.fabrikam.com domain.
B. Configure conditional forwarding for the intranet.fabrikam.com domain.
C. Create a standard secondary zone for the intranet.fabrikam.com domain.
D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Configure conditional forwarding for the intranet.fabrikam.com domain.
Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Further information:
http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx
Assign a Conditional Forwarder for a Domain Name
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders
QUESTION 458
An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume.
What should you do?
A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit file to the new volume by using Windows Explorer.
C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.
D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Explanation:
http://technet.microsoft.com/en-us/library/cc816720%28v=ws.10%29.aspx
Move the Directory Database and Log Files to a Local Drive
You can use this procedure to move Active Directory database and log files to a local drive. When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current. On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location.
To move the directory database and log files to a local drive:
..
7. At the ntdsutil prompt, type files, and then press ENTER.
8. To move the database file, at the file maintenance: prompt, use the following commands:
....
Further information:
http://servergeeks.wordpress.com/2013/01/01/moving-active-directory-database-and-logs/
Moving Active Directory Database and Logs
Step 1
Start the server in Directory Services Restore Mode
Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller. To perform any file-movement-related activities using ntdsutil, we need to start the server in Directory Services Restore Mode.
To start the server in Directory Services Restore mode, follow these steps:
Restart the computer.
After the BIOS information is displayed, press F8.
Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.
Log on with your local administrative account and password. (Not Domain Administrative account)
Note: using Service Control (SC.exe) you can quickly verify whether the NTDS service is running or stopped. At a command prompt, type SC query ntds
Step 2
How to Move Active Directory Database and Logs
You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server. To move the data file to another folder, follow these steps:
Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.
At the Ntdsutil command prompt, type files, and then press ENTER.
At the file maintenance command prompt, type move DB to <new location> (where new location is an existing folder that you have created for this purpose) and then press ENTER. In this case, the new location for the database is C:\AD\DatabaseNow
Now to move the logs, at the file maintenance command prompt, type move logs to <new location> (where new location is an existing folder that you have created for this purpose) and then press ENTER. In our case, the new location for the logs is C:\AD\Logs
To quit file maintenance, type quit. To quit Ntdsutil, type quit again to close the prompt. Restart the computer. The AD database and logs are moved successfully to the new location.
QUESTION 459
Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll.
You create a GPO.
You need to track which employees access the Payroll files on the file servers.
What should you do?
A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the
Authenticated Users group in the Payroll folder.
B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the
Payroll folder.
C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the
Payroll folder.
D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the
Payroll folder.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
Explanation:
http://technet.microsoft.com/en-us/library/dd349800%28v=ws.10%29.aspx
Audit Policy
Establishing an organizational computer system audit policy is an important facet of information security.
Configuring Audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of these kinds of events, Windows® records the events in the Security log, which you can find in Event Viewer.
..
Object access. Audit this to record when someone has used a file, folder, printer, or other object.
..
Process tracking. Audit this to record when events such as program activation or a process exiting occur.
..
When you implement Audit Policy settings:
..
If you want to audit directory service access or object access, determine which objects you want to audit access of and what type of access you want to audit. For example, if you want to audit all attempts by users to open a particular file, you can configure audit policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.
Further information:
http://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspx
Group Policy for Beginners
Group Policy Links
At the top level of AD DS are sites and domains. Simple implementations will have a single site and a single domain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer. Instead of containing files and subfolders, however, they can contain computers, users, and other objects.
For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than the Domain Controllers OU that you see in Figure 1, nothing else in the figure is an OU. What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO's settings to the computers and users in that container.
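As an added example, not taken from the question or the TechNet text: the per-server half of answer B applied with PowerShell on one file server. It assumes the Payroll folder is at D:\Payroll (a placeholder path), enables the object-access "File System" subcategory locally so the SACL can be tested on this one server (the GPO linked to the Payroll OU is what sets it for all file servers), adds an audit entry for Everyone, then reads back the resulting 4663 events.

```powershell
# Run elevated on the file server. Constructed path; replace with the real Payroll folder.
$payrollPath = 'D:\Payroll'

# 1. Audit policy. On Windows Server 2008 R2 "Audit object access" is split into
#    subcategories; "File System" is the one that records file and folder access.
#    Set locally here for testing; in production the GPO from answer B carries it.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on the folder: audit read, write and delete attempts by Everyone,
#    inherited by every file and subfolder. Get-Acl only returns the SACL with -Audit.
$acl       = Get-Acl -Path $payrollPath -Audit
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $payrollPath -AclObject $acl

# 3. Verify the audit entry was written.
(Get-Acl -Path $payrollPath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Who touched payroll files: Security event 4663, "An attempt was made to access an object".
function Get-PayrollAccessEvents {
    param([string]$Folder = $payrollPath, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Folder*" } |
        ForEach-Object {
            # Pull the named fields out of the event XML instead of parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            New-Object PSObject -Property @{
                Time   = $_.TimeCreated
                User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object = $d['ObjectName']
                Access = $d['AccessMask']
            }
        }
}

Get-PayrollAccessEvents | Format-Table Time, User, Object, Access -AutoSize
```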
QUESTION 460
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.
You need to implement key archival.
What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Archive the private key on the server.
Explanation:
http://technet.microsoft.com/en-us/library/cc753011.aspx
Enable Key Archival for a CA
Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA).
You must be a CA administrator to complete this procedure.
To enable key archival for a CA:
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Recovery Agents tab, and then click Archive the key.
5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key.
The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured.
6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK.
7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded.
8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.
Further information:
http://technet.microsoft.com/en-us/library/ee449489%28v=ws.10%29.aspx
Key Archival and Management in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc730721.aspx
Managing Key Archival and Recovery
QUESTION 461
Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for
Users.
You perform nightly backups. An administrator deletes the Groups OU.
You need to restore the Groups OU without affecting users and computers in the Sales OU.
What should you do?
A. Perform an authoritative restore of the Sales OU.
B. Perform a non-authoritative restore of the Sales OU.
C. Perform an authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Groups OU.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Perform an authoritative restore of the Groups OU.
Explanation:
http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx
Performing Authoritative Restore of Active Directory Objects
An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary.
QUESTION 462
Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.
You need to create multiple password policies for users in your domain.
What should you do?
A. From the Group Policy Management snap-in, create multiple Group Policy objects.
B. From the Schema snap-in, create multiple class schema objects.
C. From the ADSI Edit snap-in, create multiple Password Setting objects.
D. From the Security Configuration Wizard, create multiple security policies.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: From the ADSI Edit snap-in, create multiple Password Setting objects.
Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
..
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
..
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:
Password Settings Container
Password Settings
The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.
...
Steps to configure fine-grained password and account lockout policies
When the group structure of your organization is defined and implemented, you can configure and apply fine-grained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps:
Step 1: Create a PSO
Step 2: Apply PSOs to Users and Global Security Groups
Step 3: Manage a PSO
Step 4: View a Resultant PSO for a User or a Global Security Group
http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx
Step 1: Create a PSO
You can create Password Settings objects (PSOs) in the following ways:
Creating a PSO using the Active Directory module for Windows PowerShell
Creating a PSO using ADSI Edit
Creating a PSO using ldifde
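As an added example (not from the question set or the step-by-step guide), the PowerShell route through steps 1, 2 and 4 above: two PSOs with different precedence values, applied to global security groups, and the resultant policy checked for a user. It assumes the Active Directory module, and the group name Tier0-Admins and user jdoe are placeholders.

```powershell
Import-Module ActiveDirectory

# Step 1: two PSOs. A baseline for all staff (high precedence number) and a stricter one
# for administrators (low precedence number). When a user is covered by more than one PSO,
# the one with the LOWER precedence value wins. Durations are .NET TimeSpan strings (d.hh:mm:ss).
$allStaff = New-ADFineGrainedPasswordPolicy -Name 'PSO-AllStaff' -Precedence 100 `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true -PassThru

$admins = New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '1.00:00:00' `
    -ProtectedFromAccidentalDeletion $true -PassThru

# Step 2: PSOs can be applied only to users and GLOBAL security groups, never to OUs.
# Domain Users is a built-in global group; Tier0-Admins is a placeholder global group.
Add-ADFineGrainedPasswordPolicySubject -Identity $allStaff -Subjects 'Domain Users'
Add-ADFineGrainedPasswordPolicySubject -Identity $admins   -Subjects 'Tier0-Admins'

# Step 4: resultant PSO for a user. A Tier0-Admins member resolves to PSO-Admins (precedence 10);
# every other domain user resolves to PSO-AllStaff (precedence 100). No result means the
# Default Domain Policy password settings apply.
function Get-EffectivePasswordPolicyName {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso.Name } else { 'Default Domain Policy' }
}

Get-EffectivePasswordPolicyName -SamAccountName 'jdoe'
```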
QUESTION 463
You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.
You need to record all inbound DNS queries to the server.
What should you configure in the DNS Manager console?
A. Enable debug logging.
B. Enable automatic testing for simple queries.
C. Configure event logging to log errors and warnings.
D. Enable automatic testing for recursive queries.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc753579.aspx
DNS Tools
Event-monitoring utilities
The Windows Server 2008 family includes two options for monitoring DNS servers:
Default logging of DNS server event messages to the DNS server log. DNS server event messages are separated and kept in their own system event log, the DNS server log, which you can view using DNS Manager or Event Viewer. The DNS server log contains events that are logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, for example, when the server starts but cannot locate initializing data and zones or boot information stored in the registry or (in some cases) Active Directory Domain Services (AD DS).
You can use Event Viewer to view and monitor client-related DNS events. These events appear in the System log, and they are written by the DNS Client service at any computers running Windows (all versions).
Optional debug options for trace logging to a text file on the DNS server computer. You can also use DNS Manager to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log, is stored in the %systemroot%\System32\Dns folder.
http://technet.microsoft.com/en-us/library/cc776361%28v=ws.10%29.aspx
Using server debug logging options
The following DNS debug logging options are available:
Direction of packets
Send: Packets sent by the DNS server are logged in the DNS server log file.
Receive: Packets received by the DNS server are logged in the log file.
Further information:
http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
Select and enable debug logging options on the DNS server
QUESTION 464
Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named
DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.
All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates.
You need to enable dynamic DNS updates on DC3.
What should you do?
A. Run the Dnscmd.exe /ZoneResetType command on DC3.
B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
C. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones.
D. Run the Ntdsutil.exe > DS Behavior commands on DC3.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
Explanation:
http://technet.microsoft.com/en-us/library/cc754218%28WS.10%29.aspx#BKMK_DDNS
Appendix A: RODC Technical Reference Topics
DNS updates for clients that are located in an RODC site
When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain Name System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it is queried for the SOA record, it returns the name of a writable domain controller that runs Windows Server 2008 or later and hosts the Active Directory-integrated zone, just as a secondary DNS server handles updates for zones that are not Active Directory-integrated zones. After it receives the name of a writable domain controller that runs Windows Server 2008 or later, the client is then responsible for performing the DNS record registration against the writeable server. The RODC waits a certain amount of time, as explained below, and then it attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operation.
Note:
For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server that runs Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNS server must register a name server (NS) resource record for the zone. The Windows Server 2003 Branch Office Guide recommended restricting name server (NS) resource record registration to a subset of the available DNS servers. If you followed those guidelines and you do not register at least one writable DNS server that runs Windows Server 2008 or later as a name server for the zone, the DNS server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server 2003. That operation fails and generates a 4015 Error in the DNS event log of the RODC, and replication of the DNS record update will be delayed until the next scheduled replication cycle.
Further information:
http://technet.microsoft.com/en-us/library/dd737255%28v=ws.10%29.aspx Plan DNS Servers for Branch Office Environments
This topic describes best practices for installing Domain Name System (DNS) servers to support Active Directory Domain Services (AD DS) in branch office
environments. As a best practice, use Active Directory-integrated DNS zones, which are hosted in the application directory partitions named ForestDNSZones and
DomainDNSZones. The following guidelines are based on the assumption that you are following this best practice. In branch offices that have a read-only domain
controller (RODC), install a DNS server on each RODC so that client computers in the branch office can still perform DNS lookups when the wide area network
(WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS, using Dcpromo.exe. Otherwise, you
must use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host Active Directory-integrated DNS zones.
Note: You also have to configure the DNS client's setting for the RODC so that it points to itself as its preferred DNS server.
To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at least one writeable Windows Server 2008 DNS server that
hosts the corresponding DNS zone for which client computers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008
DNS server must register name server (NS) resource records for that zone.
By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in branch offices that are serviced by RODCs can
make dynamic updates more efficiently. This is because the updates replicate back to the RODCs in their respective branch offices by means of a replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.
For example, suppose that you add a new member server in a branch office, Branch1, which includes an RODC. The member server hosts an application that you
want client computers in Branch1 to locate by using a DNS query. When the member server attempts to register its host (A or AAAA) resource records for its
IP address to a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or Windows Server 2008 R2 DNS server that the RODC tracks in
Branch1. If a writeable Windows Server 2008 DNS server hosts the DNS zone, the RODC in Branch1 replicates the updated zone information as soon as possible
from the writeable Windows Server 2008 DNS server. Then, client computers in Branch1 can successfully locate the new member server by querying the RODC in
Branch1 for its IP address. If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can still succeed against a Windows
Server 2003 DNS server if one is available, but the updated record in the DNS zone will not replicate to the RODC in Branch1 until the next scheduled replication
cycle, which can delay client computers that use the RODC DNS server for name resolution from locating the new member server.
QUESTION 465
Your company has a main office and a branch office. All servers are located in the main office. The network contains an Active Directory forest named adatum.com.
The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs Windows
Server 2008 R2 Standard.
You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connected to the network.
You need to join Public_Computer to the adatum.com domain.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that
Group Policy settings are applied at the first startup.
Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the
domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs
to join the computer to the domain, and exports the information called a blob to a text file.
3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
QUESTION 466
Your network contains two forests named contoso.com and fabrikam.com. The functional level of all the domains is Windows Server 2003. The functional level of
both forests is Windows 2000.
You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com can only access the servers in
fabrikam.com that have the Allowed to Authenticate permission set.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Still not really sure whether an external trust or forest trust is needed here. Just left it as it is.
Reference:
http://technet.microsoft.com/en-us/library/cc787623.aspx
Selective authentication over an external trust restricts access to only those users in a trusted domain who have been explicitly given authentication permissions to
computer objects (resource computers) that reside in the trusting domain. To explicitly give authentication permissions to computer objects in the trusting domain to
certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory.
QUESTION 467
Your network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
During the installation of the AD RMS root cluster we need to select a configuration database, so we need to install SQL Server 2008 first. Next we need to install
the AD RMS root cluster, only then can we install the AD RMS licensing-only cluster. The last step is to deploy the AD RMS policy templates.
Reference 1:
http://technet.microsoft.com/en-us/library/cc771789.aspx
Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that
must be met:
(...)
In addition to pre-installation requirements for AD RMS, we strongly recommend the following:
Install the database server that is used to host the AD RMS databases on a separate computer.
(...)
Reference 2:
http://technet.microsoft.com/en-us/library/cc772087.aspx
A root AD RMS cluster must already be present in the AD DS forest before you can install the licensing-only cluster.
QUESTION 468
Your network contains an Active Directory forest named contoso.com. The forest contains a domain controller named DC1 that runs Windows Server 2008 R2
Enterprise and a member server named Server1 that runs Windows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7.
Computer1 is not connected to the network.
You need to join Computer1 to the contoso.com domain.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference 1:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that
Group Policy settings are applied at the first startup.
Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the
domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs
to join the computer to the domain, and exports the information called a blob to a text file.
3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
Reference 2:
http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step.aspx
Performing an offline domain join using different physical computers
To perform an offline domain join using physical computers, you can complete the following steps. The best practice in this case is to have one domain controller,
one domain-joined computer to use as a provisioning server, and one client computer that you want to join to the domain.
1. On the provisioning server, open an elevated command prompt.
2. Type the following command to provision the computer account:
djoin /provision /domain <domain to be joined> /machine <name of the destination computer> /savefile blob.txt
3. Copy the blob.txt file to the client computer.
4. On the client computer, open an elevated command prompt, and then type the following command to request the domain join:
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
5. Reboot the client computer. The computer will be joined to the domain.
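The provisioning half of that procedure (step 2), scripted with the checks an administrator would want before carrying the blob to the disconnected computer. This is an added example, not code from the page or from Microsoft's step-by-step; it assumes the Active Directory PowerShell module is installed on the provisioning server, and the domain name, computer name and blob path are placeholders taken from the question.

```powershell
# Added example: provision an offline-domain-join blob (step 2 of the procedure above) and verify it.
# Assumptions: Active Directory module available (Windows Server 2008 R2 / RSAT); the caller may
# create computer objects in the target domain. All names and paths are placeholders.
param(
    [string]$Domain   = 'adatum.com',                 # domain to join (from the question)
    [string]$Machine  = 'Public_Computer',            # destination computer name (from the question)
    [string]$BlobPath = 'C:\ODJ\Public_Computer.txt'  # where djoin writes the blob
)

Import-Module ActiveDirectory

$blobDir = Split-Path -Parent $BlobPath
if (-not (Test-Path $blobDir)) { New-Item -ItemType Directory -Path $blobDir | Out-Null }

# djoin /provision fails on an existing account unless /reuse is given; checking first gives a
# clearer message and avoids silently resetting an account that is still in use.
if (Get-ADComputer -Filter { Name -eq $Machine } -ErrorAction SilentlyContinue) {
    throw "A computer account named $Machine already exists in $Domain"
}

# djoin.exe pre-creates the computer account in AD DS and writes the blob to the file.
& djoin.exe /provision /domain $Domain /machine $Machine /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# Sanity checks: the blob exists and is non-empty, and the account is now in the directory.
$blob = Get-Item -Path $BlobPath
if ($blob.Length -eq 0) { throw "Blob file $BlobPath is empty" }
$account = Get-ADComputer -Identity $Machine -Properties whenCreated
"Provisioned {0} in {1}; account created {2}; blob {3} ({4} bytes)" -f `
    $account.Name, $Domain, $account.whenCreated, $BlobPath, $blob.Length

# The blob lets any machine that loads it join as this account, so treat the file like a credential:
# drop inherited ACEs and leave only Administrators until it has been copied to the client.
$acl = Get-Acl -Path $BlobPath
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $BlobPath -AclObject $acl

# Steps 3-5 happen on the disconnected computer, not here:
#   djoin /requestODJ /loadfile <blob> /windowspath %SystemRoot% /localos   (then reboot)
```

Run it from an elevated prompt on the provisioning server; the file it leaves behind is what step 3 copies to the client.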
QUESTION 469
You need to modify the Password Replication Policy on a read-only domain controller (RODC).
Which tool should you use?
To answer, select the appropriate tool in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx
Administering the Password Replication Policy
This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain
controllers (RODCs).
To configure the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers as a member of the Domain Admins group.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties.
4. Click the Password Replication Policy tab.
5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that
should be included in either the Allowed list or the Deny list, click Add.
To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.
To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.
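The same Allowed and Denied lists can be read and changed from the Active Directory module, which also answers the question the GUI tab does not: which accounts are actually cached on the RODC right now. This is an added example, not code from the page or from the TechNet article; it assumes the Active Directory module (Windows Server 2008 R2 or RSAT) and Domain Admins rights, and the RODC and group names are placeholders.

```powershell
# Added example: review and change an RODC's Password Replication Policy with the Active
# Directory module, and check what is actually cached. Assumptions: AD module (Windows Server
# 2008 R2 / RSAT), Domain Admins rights; RODC and group names are placeholders.

Import-Module ActiveDirectory

$rodc       = 'RODC1'            # placeholder RODC computer name
$allowGroup = 'Branch1 Users'    # placeholder: accounts whose passwords may be cached on the RODC
$denyGroup  = 'Tier0 Admins'     # placeholder: accounts that must never be cached there

# Current policy: the same Allowed and Denied lists the Password Replication Policy tab shows.
$policy = @(
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
        Select-Object @{ n = 'List'; e = { 'Allowed' } }, Name, objectClass
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
        Select-Object @{ n = 'List'; e = { 'Denied' } }, Name, objectClass
)
$policy | Format-Table -AutoSize

# Equivalent of clicking Add on that tab for each list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowGroup
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  $denyGroup

# Policy says who *may* be cached; the revealed list says who *is*. If the RODC is stolen,
# only cached secrets are exposed, so confirm no privileged account has ended up there.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
"{0} accounts currently cached on {1}" -f @($cached).Count, $rodc

$privileged = foreach ($acct in $cached) {
    $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
    if ($obj.adminCount -eq 1) { $acct.Name }
}
if ($privileged) {
    Write-Warning ("Privileged accounts cached on {0}: {1}" -f $rodc, ($privileged -join ', '))
}
```

The Denied list wins over the Allowed list, so putting the administrative group in Denied is what keeps its hashes off the branch office machine even if a member is also in an allowed group.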
QUESTION 470
Your company plans to open a new branch office. The new office will have a low-speed connection to the Internet.
You plan to deploy a read-only domain controller (RODC) in the branch office.
You need to create an offline copy of the Active Directory database that can be used to install Active Directory on the new RODC.
Which commands should you run from Ntdsutil?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc770654.aspx
Installing AD DS from Media
You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media
(IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.
To create installation media
1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER: ntdsutil
3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds
4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm
5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic), and then press ENTER.
For example, to create RODC installation media, type the following command, and then press ENTER: create rodc C:\InstallationMedia
Where C:\InstallationMedia is the path to the folder where you want the installation media to be created.
You can save the installation media to a network shared folder or to any other type of removable media.
QUESTION 471
Your network contains two Active Directory forests named contoso.com and fabrikam.com.
Each forest contains one domain. A two-way forest trust exists between the forests.
You plan to add users from fabrikam.com to groups in contoso.com.
You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com.
To which group should you add the users?
To answer, select the appropriate group in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 472
Your network contains two Active Directory forests named contoso.com and fabrikam.com. The contoso.com forest contains a server named Server1 that has the
Certification Authority role service installed.
You need to ensure that Windows 7 client computers in the fabrikam.com forest can enroll for certificates from Server1. The solution must minimize the number of
role services installed on Server1.
Which additional role service or role services should you install?
To answer, select the appropriate role service or role services in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 473
Your network contains two DNS servers named Server1 and Server2.
Server1 hosts a primary zone named contoso.com. Server2 hosts a secondary copy of the contoso.com zone.
You need to configure how often Server2 will check for updates for the contoso.com zone.
Which tab should you use?
To answer, select the appropriate tab in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 474
Your company hires 10 new employees.
You want the new employees to connect to the main office through a VPN connection. You create new user accounts and grant the new employees the Allow
Read and Allow Execute permissions to shared resources in the main office.
The new employees are unable to access shared resources in the main office.
You need to ensure that users are able to establish a VPN connection to the main office.
What should you do?
A. Grant the new employees the Allow Access Dial-in permission.
B. Grant the new employees the Allow Full control permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx Dial-in properties of a user account
The dial-in properties for a user account are:
Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote
access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile
properties can still deny the connection attempt.
QUESTION 475
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.
D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/ Active Directory Diagnostics
Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the installation of SPA. SPA is helpful because the Active
Directory data set collects performance data and it generates XML based diagnostic reports that make analyzing AD performance issues easier by identifying the IP
addresses of the highest volume callers and the type of network traffic that is placing the most loads on the CPU. Download SPA tool: http://www.microsoft.com/enus/download/details.aspx?id=15506 Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and you don't have to
install SPA anymore.
This performance feature is located in the Server Manager snap-in under the Diagnostics node and when the Active Directory Domain Services Role is installed the
Active Directory Diagnostics data collector set is automatically created under System as shown here.
When you check the properties of the collector you will notice that the data is stored under %systemdrive%\perflogs, only now it is under the \ADDS folder and
when a data collection is run it creates a new subfolder called YYYYMMDD-#### where YYYY = Year, MM = Month and DD = Day and #### starts with 0001.
Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the
collection can be stopped manually by clicking the Stop button or from the command line.
To start the data collector set, you just have to right click on Active Directory Diagnostics data collector set and select Start. Data will be stored at the %systemdrive%
\perflogs location.
Once you've gathered your data, you will have these interesting and useful reports under the Report section, to aid in your troubleshooting and server performance
trending.
Further information:
http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx Monitoring Your Branch Office Environment
http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in- win2008-andbeyond.aspx
Son of SPA: AD Data Collector Sets in Win2008 and beyond
QUESTION 476
Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the adprep /domainprep command.
B. Raise the forest functional level to Windows Server 2008.
C. Raise the domain functional level to Windows Server 2008.
D. Run the adprep /forestprep command.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm Prepare your Domain for the Windows Server 2008 R2 Domain Controller
Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare
the AD forest and domain. You do so by running a tool called ADPREP. ADPREP extends the Active Directory schema and updates permissions as necessary to
prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.
Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server
2008. This article focuses on Windows Server 2008 R2.
What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain
controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that
ADPREP can perform include the following:
Updating the Active Directory schema
Updating security descriptors
Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
Creating new objects, as needed
Creating new containers, as needed
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:
Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows
Server 2008 R2 Server to the domain and configuring it as a regular member server, none of the following tasks are required.
Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor
can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service
Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in
Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any
applications that run in your environment. You must make a system state backup for your domain controllers, including the schema master and at least one other
domain controller from each domain in the forest (you do have backups, don't you?). Also, make sure that you can log on to the schema master with an account that
has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins
group of the domain that hosts the schema master, which is, by default, the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website.
If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as
MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor). Browse to the X:\support\adprep folder, where X: is the
drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.
Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008
R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).
To perform this procedure, you must use an account that has membership in all of the following groups:
Enterprise Admins
Schema Admins
Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you
want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...
Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click
Run as administrator.
Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature
was intentionally disabled in Windows Server 2008 and Windows Vista.
In the Command Prompt window, type the following command: adprep /forestprep
You will be prompted to type the letter "c" and then press ENTER. After doing so, the process will begin.
ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the
Command Prompt window.
File sch47.ldf seems to be the largest one.
When completed, you will receive a success message.
Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:
Adprep cannot run on this platform because it is not an Active Directory DomainController.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs
Windows Server 2008 R2.
In the Command Prompt window, type the following command: adprep /domainprep
The process will take less than a second.
ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run it in Mixed Mode you will get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. If you're running a Windows 2008 Active Directory domain, that's it, no
additional tasks are needed.
If you're running a Windows 2000 Active Directory domain, you must also run the following command: adprep /domainprep /gpprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs
Windows Server 2008 R2. If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, if you're planning to run
Read Only Domain controllers (RODCs), you must also type the following command: adprep /rodcprep
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2.
The process will complete in less than a second.
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs
Windows Server 2008 R2. To verify that adprep /forestprep completed successfully please perform these steps:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or
Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.
8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.
13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.
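The thirteen ADSI Edit clicks above reduce to reading two attributes, which is easier to repeat in every domain after a forestprep. This is an added example, not code from the page or from the petri.co.il article; the expected values (revision 5, objectVersion 47) are the ones the article gives for the Windows Server 2008 R2 adprep, and the script assumes it runs as a domain user on a domain-joined computer.

```powershell
# Added example: the ADSI Edit verification steps above, done with [ADSI] objects. The expected
# values (ForestUpdates revision 5, schema objectVersion 47) are the ones the article gives for the
# Windows Server 2008 R2 adprep; later adprep versions raise them further, hence the -ge test.
# Assumption: run as a domain user on a domain-joined computer that can reach a DC.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.Properties['configurationNamingContext'].Value   # CN=Configuration,DC=...
$schemaNC = [string]$rootDse.Properties['schemaNamingContext'].Value          # CN=Schema,CN=Configuration,DC=...
$domainNC = [string]$rootDse.Properties['defaultNamingContext'].Value         # DC=... of this domain

# Steps 5-8: revision on CN=ActiveDirectoryUpdate,CN=ForestUpdates (set by adprep /forestprep).
$forestUpdate = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
$revision     = [int]$forestUpdate.Properties['revision'].Value

# Steps 9-13: objectVersion on the schema container (raised by the schema LDF imports).
$schema        = [ADSI]"LDAP://$schemaNC"
$objectVersion = [int]$schema.Properties['objectVersion'].Value

$checks = @(
    New-Object PSObject -Property @{ Check = 'ForestUpdates revision'; Actual = $revision;      Expected = 5 }
    New-Object PSObject -Property @{ Check = 'Schema objectVersion';   Actual = $objectVersion; Expected = 47 }
)
foreach ($c in $checks) {
    $status = if ($c.Actual -ge $c.Expected) { 'OK' } else { 'NOT PREPARED' }
    Add-Member -InputObject $c -MemberType NoteProperty -Name Status -Value $status
}
$checks | Format-Table Check, Expected, Actual, Status -AutoSize

# adprep /domainprep leaves the same kind of marker per domain under CN=System; the article does
# not state its value for 2008 R2, so it is only displayed here, not judged.
$domainUpdate = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"
"Domain updates revision in {0}: {1}" -f $domainNC, $domainUpdate.Properties['revision'].Value
```

Run it against a DC in each domain after replication has converged; a value below the expected one on one DC but not another means the forestprep changes have not replicated there yet.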
QUESTION 477
You need to identify all failed logon attempts on the domain controllers.
What should you do?
A. View the Netlogon.log file.
B. View the Security tab on the domain controller computer object.
C. Run Event Viewer.
D. Run the Security and Configuration Wizard.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://support.microsoft.com/kb/174074
Security Event Descriptions
This article contains descriptions of various security-related and auditing- related events, and tips for
interpreting them.
These events will all appear in the Security event log and will be logged with a source of "Security."
Event ID: 529
Type: Failure Audit
Description: Logon Failure:
Reason: Unknown user name or bad password
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 530
Type: Failure Audit
Description: Logon Failure:
Reason: Account logon time restriction violation
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 531
Type: Failure Audit
Description: Logon Failure:
Reason: Account currently disabled
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 532
Type: Failure Audit
Description: Logon Failure:
Reason: The specified user account has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 533
Type: Failure Audit
Description: Logon Failure:
Reason: User not allowed to logon at this computer
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 534
Type: Failure Audit
Description: Logon Failure:
Reason: The user has not been granted the requested logon
type at this machine
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 535
Type: Failure Audit
Description: Logon Failure:
Reason: The specified account's password has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 536
Type: Failure Audit
Description: Logon Failure:
Reason: The NetLogon component is not active
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 537
Type: Failure Audit
Description: Logon Failure:
Reason: An unexpected error occurred during logon
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
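Opening Event Viewer on each domain controller does not scale past a couple of DCs, so the usual practice is to pull the failure audits from every DC and summarise them by reason. This is an added example, not code from the page or from the KB article. The KB lists the pre-Vista event IDs 529 to 537; Windows Server 2008 and later record the same failures as a single event 4625 whose sub-status code carries the reason, so the script asks for both and maps the sub-status back onto the KB's reasons. It assumes the Active Directory module and the right to read the remote Security logs.

```powershell
# Added example: collect failed logon audits from all domain controllers and summarise them.
# The KB article lists the pre-Vista IDs 529-537; Windows Server 2008 and later record the same
# failures as event 4625 with an NTSTATUS sub-status, so both sets are requested.
# Assumptions: Active Directory module available; the caller can read remote Security logs.

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)
$ids   = @(529..537) + 4625

# Sub-status codes of event 4625 that correspond to the reasons in the KB list.
$reason = @{
    '0xc000006a' = 'Bad password'                 # cf. 529
    '0xc0000064' = 'Unknown user name'            # cf. 529
    '0xc000006f' = 'Logon time restriction'       # cf. 530
    '0xc0000072' = 'Account disabled'             # cf. 531
    '0xc0000193' = 'Account expired'              # cf. 532
    '0xc0000070' = 'Workstation restriction'      # cf. 533
    '0xc000015b' = 'Logon type not granted'       # cf. 534
    '0xc0000071' = 'Password expired'             # cf. 535
    '0xc0000234' = 'Account locked out'
}

$events = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $raw = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since }
    } catch {
        # "No events were found" is not an error for this purpose; anything else is.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read Security log on $($dc.HostName): $_"
        }
        continue
    }
    foreach ($e in $raw) {
        # Field names below are those of event 4625; legacy events simply leave them empty.
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $sub = ([string]$data['SubStatus']).ToLower()
        New-Object PSObject -Property @{
            DC          = $dc.HostName
            Time        = $e.TimeCreated
            Id          = $e.Id
            User        = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']
            Reason      = $(if ($reason.ContainsKey($sub)) { $reason[$sub] } else { $sub })
        }
    }
}

"{0} failed logons since {1}" -f @($events).Count, $since
$events | Group-Object Reason | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Many failures from one source against many different accounts is the pattern worth alerting on.
$events | Group-Object SourceIP | Where-Object { $_.Count -ge 20 } | ForEach-Object {
    $users = @($_.Group | Select-Object -ExpandProperty User -Unique).Count
    Write-Warning ("{0}: {1} failures against {2} distinct accounts" -f $_.Name, $_.Count, $users)
}
```

The failures only appear if "Audit logon events" (or, with the 2008 R2 advanced audit policy, the Logon subcategory) is set to record failures on the domain controllers; an empty result is worth checking against the audit policy before concluding that nothing failed.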
QUESTION 478
Your company has a DNS server that has 10 Active Directory integrated zones.
You need to provide copies of the zone files of the DNS server to the security department.
What should you do?
A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://servergeeks.wordpress.com/2012/12/31/dns-zone-export/
DNS Zone Export
In Non-AD Integrated DNS Zones
DNS zone file information is stored by default in the %systemroot%\windows\system32\dns folder. When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondary zones that are not AD integrated. The files are named <ZoneFQDN>.dns.
In AD Integrated DNS Zones
AD-integrated zones are stored in the directory; they do not have corresponding zone files, i.e. they are not stored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory. It is therefore important to take a backup of these AD integrated zones before making any changes to the DNS infrastructure. Dnscmd.exe can be used to export the zone to a file. The syntax of the command is:
DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile>
<ZoneName> -- FQDN of the zone to export, or /Cache to export the cache
As an example, let's say we have an AD integrated zone named habib.local and our DC is server1. The command to export the file would be:
Dnscmd server1 /ZoneExport habib.local habib.local.bak
You can refer to the complete article on DNSCMD on the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx
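The question asks for copies of all ten Active Directory integrated zones, and the explanation shows dnscmd /ZoneExport for a single zone. The script below is an added example, not code from the exam dump or from the referenced article, that repeats the export for every AD-integrated zone on a server and gathers the resulting files in one folder. Zone discovery uses the MicrosoftDNS WMI provider (MicrosoftDNS_Zone, DsIntegrated property) that Windows Server 2008 R2 DNS servers expose; the server name server1 and the collection folder C:\ZoneExports are assumptions for the example.

```powershell
# Added example (not from the exam dump): export every AD-integrated zone on a DNS
# server with dnscmd /ZoneExport and collect the files for the security department.
param(
    [string] $DnsServer = 'server1',          # assumed DNS server / domain controller name
    [string] $CollectTo = 'C:\ZoneExports'    # assumed folder where the copies are gathered
)

# Enumerate zones through the MicrosoftDNS WMI provider and keep only those stored in
# the directory (DsIntegrated = True); file-backed zones already have .dns files on disk.
$adZones = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
    Where-Object { $_.DsIntegrated } |
    Select-Object -ExpandProperty Name

if (-not $adZones) {
    Write-Warning "No AD-integrated zones found on $DnsServer"
    return
}
if (-not (Test-Path $CollectTo)) { New-Item -ItemType Directory -Path $CollectTo | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

foreach ($zone in $adZones) {
    # dnscmd writes the export into %systemroot%\system32\dns on the DNS server itself,
    # so the last argument must be a bare file name rather than a path.
    $exportName = "$zone.$stamp.bak"
    $output = & dnscmd $DnsServer /ZoneExport $zone $exportName 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $zone failed: $output"
        continue
    }
    # Pull the file back over the ADMIN$ share (maps to %systemroot% on the server).
    $source = "\\$DnsServer\admin$\system32\dns\$exportName"
    Copy-Item -Path $source -Destination $CollectTo
    Write-Host "Exported $zone -> $(Join-Path $CollectTo $exportName)"
}
```

The exported files are plain text in the same format as .dns zone files, so they can be reviewed or diffed against an earlier export to see which records changed; running the script on a schedule gives a point-in-time record of each zone without touching the live directory data.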
QUESTION 479
Your company has an Active Directory forest. The company has three locations. Each location has an organizational unit and a child organizational unit named
Sales.
The Sales organizational unit contains all users and computers of the sales department. The company plans to deploy a Microsoft Office 2007 application on all
computers within the three Sales organizational units.
You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units.
What should you do?
A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to
the domain.
B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the
Sales organizational unit in each location.
C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to
the Sales organizational unit in each location.
D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the
Sales organizational unit in each location.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 480
Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers
in the main office are configured as Global Catalog servers.
You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.
At which level should you deactivate UGMC?
A. Server
B. Connection object
C. Domain
D. Site
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.ntweekly.com/?p=788
Question: How To Enable Or Disable Universal Group Membership Caching in Windows Server 2008
Answer: Universal Group Membership Caching enables us to allow users to log on to the network without contacting a Global Catalog server; this is recommended for use in remote sites without a Global Catalog server. To enable or disable Universal Group Membership Caching follow the steps below: Open Active Directory Sites And Services -> Go to the site where you need to enable or disable the feature -> Right-click on the NTDS Site Settings and click Properties.
Tick the box next to Enable Universal Group Membership Caching to enable or disable it.
http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91
Script to Disable Universal Group Membership Caching in all Sites
How to Disable Universal Group Membership Caching in all Sites using a Script: Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user's membership in Universal Groups on the domain controllers authenticating the user. This feature allows a domain controller to have knowledge of the Universal Groups a user is a member of rather than contacting a Global Catalog.
Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user's account to the authenticating domain controller at the time the user logs on to the domain. UGMC is generally a good idea for multiple domain forests when:
1. Universal Group membership does not change frequently.
2. There is low WAN bandwidth between Domain Controllers in different sites.
It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.
QUESTION 481
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008 R2.
You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).
What should you do?
A. From the command prompt, run dfsutil /addroot:sysvol.
B. From the command prompt, run netdom /reset.
C. From the command prompt, run dcpromo /unattend:unattendfile.xml.
D. Raise the functional level of the domain to Windows Server 2008 R2.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc794837%28v=ws.10%29.aspx
Introduction to Administering DFS-Replicated SYSVOL
SYSVOL is a collection of folders that contain a copy of the domain's public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain.
Note:
For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller.
Using DFS Replication for replicating SYSVOL in Windows Server 2008
Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).
QUESTION 482
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2008 R2. All client computers run Windows 7.
You discover that users can use Encrypting File System (EFS) when the smart cards on their computers are removed.
You need to prevent the users from accessing EFS-encrypted files when their smart cards are removed. From the EFS properties, you click Require a smart card
for EFS.
What should you do next?
A. Set the Elliptic Curve Cryptography to Allow.
B. Set the Elliptic Curve Cryptography to Require.
C. Disable the Allow delegating saved credentials setting.
D. Disable the Create caching-capable user key from smart card option.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 483
Your network contains a server named Server1. Server1 is configured as a BranchCache server.
The cache is located at D:\Branchcache.
You need to remove all existing files and hashes from the cache.
Which command should you run?
A. hashgen.exe -d d:\branchcache
B. net.exe stop PeerDistSvc & net.exe start PeerDistSvc
C. netsh.exe branchcache flush
D. rd.exe d:\branchcache /s /q
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
netsh branchcache flush - deletes the contents of the local BranchCache cache.
http://technet.microsoft.com/pt-br/library/dd979561(v=ws.10).aspx#BKMK_2
QUESTION 484
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is located in a branch office.
You view the BranchCache configuration of Server1 as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that client computers in the branch office retrieve cached files from Server1 only.
What should you do on Server1?
A. Install the BranchCache for Network Files role service.
B. Install the Services for Network File System role service.
C. Run netsh.exe branchcache set service mode=DISTRIBUTED.
D. Run netsh.exe branchcache set service mode=HOSTEDSERVER.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 485
Your network contains the servers shown in the following table.
Office1 and Office2 connect to each other by using a WAN link.
Users in Office2 frequently access the same set of files stored in Data1.
You need to reduce the amount of file transfer traffic across the WAN link.
What should you add to Server1?
A. the Background Intelligent Transfer Service (BITS) feature
B. the BranchCache feature
C. the BranchCache for network files role service
D. the Distributed File System (DFS) role service
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 486
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is located in a branch office. You discover that users cannot obtain
cached documents from Server1.
The BranchCache configuration on Server1 is shown in the exhibit. (Click the Exhibit button.)
You need to ensure that Server1 hosts cached content for client computers in the branch office.
What should you do?
A. Enable Peer Discovery firewall rules.
B. Set the Startup Type of the BranchCache service to Automatic, and then start the service.
C. At the command prompt, run netsh.exe branchcache set service mode=DISTRIBUTED.
D. At the command prompt, run netsh.exe branchcache set service mode=HOSTEDCLIENT.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 487
Your network contains a single Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Server1 and Server2
are namespace servers for the \\contoso.com\DFS1 namespace.
You need to ensure that users only connect to the \\contoso.com\DFS1 namespace on Server1 if Server2 is unavailable.
How should you configure the \\contoso.com\DFS1 namespace?
A. From the properties of the \\contoso.com\DFS1 namespace, modify the referrals settings.
B. From the properties of the \\contoso.com\DFS1 namespace, modify the advanced settings.
C. From the properties of the \\SERVER1\DFS1 namespace servers entry, modify the advanced settings.
D. From the properties of the \\SERVER2\DFS1 namespace servers entry, modify the advanced settings.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 488
Your network contains a domain-based namespace named DFS1. DFS1 has Windows 2008 Server mode enabled.
You need to ensure that only files and folders in DFS1 that users have permissions to access are displayed.
What should you do?
A. Disable referrals.
B. Modify the system access control list.
C. Enable access-based enumeration (ABE).
D. Modify the discretionary access control list.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 489
Your company has a main office and a branch office.
The network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 is located in the main office. Server2 is located in the
branch office. You have a domain-based namespace named \\contoso.com\DFS1. Server1 is configured as the namespace server for \\contoso.com\DFS1.
\\contoso.com\DFS1 has a folder named Folder1. The folder targets for Folder1 are \\Server1\Folder1 and \\Server2\Folder1.
Users in the main office report that they view different content in Folder1 than users in the branch office. You need to ensure that the content in Folder1 is identical
for all of the users.
What should you do?
A. Create a new replication group.
B. Configure Server2 as a namespace server.
C. From Server2, run dfsutil.exe cache domain.
D. From Server2, run dfsutil.exe root forcesync \\contoso.com\DFS1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 490
Your network contains a Distributed File System (DFS) target folder named Folder1 that contains 100 GB of data.
You plan to create a new DFS replica of Folder1 on a server named Server2. You need to prestage the data in Folder1 on Server2. The solution must ensure that
the amount of initial DFS replication traffic is minimized.
Which tool should you use to prestage the Folder1 data?
A. Dfscmd
B. Dfsrmig
C. Dfsutil
D. Wbadmin
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Distributed File System (DFS) replication is a new technology that has been included in Microsoft Windows Server starting in Microsoft Windows Server 2003 R2. Some Microsoft TechNet articles discuss the concept of prestaging to reduce network traffic during the initial synchronization of DFS data. Whether data that is located on each replication partner is considered the same depends on the hashing algorithm that is applied to the file, to the file permissions (discretionary access control lists), and to the file audit properties (system access control lists).
The hashes of prestaged data are affected by the following:
- Permissions
- Audit properties
- Inheritance
- The copy tool, such as Robocopy.exe or Xcopy.exe, that is used
Because the possible combinations of these factors are so wide and varied, predicting the success of prestaging operations is very difficult. However, the Backup program in Windows Server is a reliable mechanism to prestage data.
How to use the Backup program to prestage DFSR data
1. Back up the data by using the Backup program. You can back up to tape or to a file.
2. Transfer the backup to the destination server.
3. Restore the backup to the destination server.
The hashes that are computed by DFSR for each server should be identical for files that have not changed.
http://support.microsoft.com/kb/947726
QUESTION 491
Your network contains a domain-based Distributed File System (DFS) namespace named \\contoso.com\DFS1.
You have two servers named Server1 and Server2 that are configured as namespace servers for \\contoso.com\DFS1.
You need to verify that the DFS namespace replicates successfully between Server1 and Server2.
Which tool should you use?
A. Dfscmd
B. Dfsdiag
C. Dfsrdiag
D. Dfsutil
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx
QUESTION 492
Your network contains a server that runs Windows Server 2008 R2. Windows BitLocker Drive Encryption (BitLocker) is enabled for all drives.
You need to perform a bare metal recovery of the server.
What should you do first?
A. From the BIOS, disable the Trusted Platform Module.
B. From the BIOS, disable the processor's No Execute feature.
C. Start the computer in Safe Mode.
D. Start the computer from the Windows Server 2008 R2 installation media.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 493
Your network contains two servers named Server1 and Server2. Server1 runs Windows Server 2008 R2.
Server2 runs Windows Server 2008.
You need to ensure that you can initiate a full server backup of Server2 from Server1.
What should you do?
A. Install Windows Server Backup on Server2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Add an exception to Windows Firewall on Server2.
D. Add your user account to the Backup Operators group on Server2.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/ee344835(v=ws.10).aspx
QUESTION 494
Your network contains a server that runs Windows Server 2008 R2. You need to schedule backups of the server. The solution must ensure that multiple versions of
the backup are available.
Which two possible backup locations should you use? (Each correct answer presents a complete solution. Choose two.)
A. external hard disk
B. internal hard disk
C. optical media
D. remote shared folder
E. tape drive
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 495
Your network contains a server named Server1 that runs Windows Server 2008 R2. The disks on Server1 are configured as shown in the following table.
You run the Backup Once wizard and discover that the option for Full Server backup is unavailable. You need to ensure that you can run a full server backup of
Server1.
What should you do?
A. Take Disk 1 offline.
B. Take Disk 2 offline.
C. Run the Set-WBPolicy cmdlet.
D. Run Windows Server Backup as an Administrator.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 496
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You need to configure scheduled backups on Server1 to meet the following requirements:
Maintain 60 days of backups.
Minimize the performance impact on Server1 while a backup is running.
What should you do?
A. From Windows PowerShell, run the New-WBPolicy cmdlet.
B. From Windows PowerShell, run the Set-WBVssBackupOptions cmdlet.
C. From the Backup Schedule Wizard, click the Backup to a volume option.
D. From the Backup Schedule Wizard, click the Backup to hard disk that is dedicated for backups (recommended) option.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 497
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has Microsoft Exchange Server 2010 deployed.
You schedule a backup of the server.
You discover that the Exchange Server 2010 transaction log files are purged during the backup. You need to prevent the Exchange Server 2010 transaction log files
from being purged.
What should you do?
A. From the properties of the backup, add an exclusion.
B. From the properties of the backup, modify the VSS settings.
C. From Windows PowerShell, run the New-WBFileSpec cmdlet.
D. From Windows PowerShell, run the New-WBBackupTarget cmdlet.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 498
Your network contains a file server that runs Windows Server 2008 R2. The server has File Server Resource Manager (FSRM) installed.
A file screen is created for a folder named Data. Data is located on the C drive. The file screen is configured to block files contained in the Audio and Video file
group.
You need to allow users in the sales department to upload video files to C:\Data\Sales.
What should you do?
A. Create a file screen exception.
B. Modify the Audio and Video file group.
C. Implement an active file screen on C:\Data\Sales.
D. Implement a passive file screen on C:\Data\Sales.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
File screen exceptions extend the flexibility of the file screening capabilities in File Server Resource Manager by creating an exception, on a subfolder, to any file screening rules inherited from a parent folder (here C:\Data).
QUESTION 499
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the File
Services role installed.
You configure a file classification rule.
You discover that scanned documents stored as JPG files are not being classified. You need to ensure that all file classification rules apply to scanned documents.
What should you do?
A. Enable the Windows TIFF IFilter feature.
B. Modify the properties of the file classification rule.
C. Modify the properties of the Windows Search Service.
D. Install the Office 2007 System Converter: Microsoft Filter Pack.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
1 - Not classified as a matter of operation to the file. As soon as the file "steps onto the ground" - I mean being copied to the NTFS file system - if there is a classification rule/pattern that matches file strings, it will apply;
2 - If there is a classification rule for a "JPG" file format at all - it will classify the scanned JPGs;
3 - This might be our winner!! =)) The word "document"
A) Enable the Windows TIFF IFilter feature. Cheers! =)
In order for FCI /File Classification Infrastructure/ to classify images based on their content by using optical character recognition (OCR), you need to install Windows TIFF IFilter on the server that is running FCI. Then the content classifier can recognize TIFF images and extract text from those files. TIFF IFilter supports the most frequent compressions, such as LZW, JPG, CCITT v4, CCITT v6, uncompressed, and so forth.
"You discover that scanned documents stored as JPG files are not being classified. You need to ensure that all file classification rules apply to scanned documents." So, we have "Folder" and "Content" classifier types.
=Folder Classifier:
- This rule uses the Folder Classifier, which assigns the specified value to the classification property for all files within the rule's scope /within the target folder/. Which means that this mechanism does not "care" about the file type or whatever operation created the file in the folder set for classification... as soon as the file is in the folder - it will be classified. ;)
=Content Classifier:
- Searches for text or patterns using the same mechanism as the search indexer and, if it finds them, assigns the specified value to the classification property. When the parameters are found in a file, the rule will assign the property value /Example: If a word/string "Confidential" is set in the rule and there is a file containing that word - the file will be classified./
So we have three "magic words" mentioned as factors for the not-classified files in the "Question":
1. File is scanned to the server
2. File type is JPG
3. File subject - contains document
QUESTION 500
Your network contains a file server named Server1 that runs Windows Server 2008 R2. On Server1, you create a disk quota for volume E that limits storage to 200
MB for all users.
You need to ensure that a user named User1 can store files that are larger than 200 MB on volume E.
What should you do?
A. From File Server Resource Manager, create a file screen exception.
B. From a command prompt, run dirquota.exe.
C. From Disk Management, create a new quota entry.
D. From Windows Explorer, modify the security properties of the volume.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
You can set quota limits on individual users, or you can have limits apply equally to all non-administrative users. Unfortunately, you can't set limits on groups of users. Any users who already own files on the disk will have their quotas initially disabled. New users will have the default quotas for the disk applied, as you would expect, when they first save a file on the disk.
To set the quotas for individual users, follow these steps:
1. In Disk Management, right-click a drive letter and open the properties of that drive. Click the Quota tab, and then click Show Quota Settings to bring up the Quota Settings dialog box for that disk.
2. Click Quota Entries to open the Quota Entries dialog box for the disk.
- To create a quota for a user who doesn't have one yet, and who needs a quota different from the default for the disk, click New Quota Entry.
- To modify the quota for a user already listed, select the user and then click Properties to open the quota settings for that user. Set the quota for the user and click OK to return to the Quota Entries dialog box.
QUESTION 501
Your network contains a file server named Server1 that runs Windows Server 2008 R2. Server1 has a volume named E.
From the File Server Resource Manager console, you create a new quota for volume E.
The quota is derived from the 100 MB limit quota template.
You need to prevent users from storing audio and video files on volume E.
What should you do?
A. Create a file screen.
B. Create a file management task.
C. Modify the properties of the quota.
D. Modify the properties of the Audio and Video Files file group.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Create a file screen to prevent users from saving video/audio files to the share and to send notifications when users attempt to do so.
QUESTION 502
Your network contains a file server named Server1 that runs Windows Server 2008 R2. You have a folder named Folder1.
You need to ensure that files in Folder1 that are older than 365 days are automatically moved to an archive folder.
What should you create from the File Server Resource Manager console?
A. a file group
B. a file management task
C. a file screen
D. a quota
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
You can use file management tasks to perform the following actions:
- Create and update file expiration tasks, which move all files that match a set of criteria to a specified directory where an administrator can then back up and delete
the files. Files can be set to expire based on classification values, or after a specified number of days since the file was created, modified, or last accessed.
- Create and update custom tasks, which allow you to run a command or script in a specified working directory.
- Send e-mail notifications, send a warning to the event log, or run a command or script at a specified number of days before the file management task is scheduled
to run.
QUESTION 503
Your network contains a print server named Server1. Server1 has three shared printers named Printer1, Printer2, and Printer3. Each shared printer uses a different
driver.
You need to ensure that if Printer1 causes an exception, users can still print to Printer2 and Printer3.
What should you do?
A. Add a driver filter.
B. Add a printer filter.
C. Modify the print processor options.
D. Modify the driver isolation settings.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 504
Your network contains an Active Directory domain.
You have a print server named Server1 that runs Windows Server 2008 R2.
You deploy a new print device and create a shared printer.
You need to ensure that only members of a group named Marketing can print color documents on the new print device. All other users must only be able to print
black and white documents on the new print device.
What should you do?
A. Create a printer port.
B. Create a second shared printer.
C. Modify the Active Directory printer object.
D. Modify the properties of the shared printer.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 505
Your network contains an Active Directory domain. The domain contains a print server named Server1. Server1 runs Windows Server 2008 R2.
You need to ensure that users can locate all shared printers on Server1 by using Active Directory.
What should you do from Server1?
A. Run the pubprn.vbs script.
B. Run dism.exe.
C. Run the Set-ADObject cmdlet.
D. Modify the Print Server properties.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The script pubprn.vbs publishes a printer to the Active Directory Domain Services.
QUESTION 506
Your network contains an Active Directory domain. The domain contains two print servers named Server1 and Server2 that run Windows Server 2008 R2.
Server1 has a printer named Printer1. Server2 has a printer named Printer2. Both printers use the same driver.
The print device for Printer1 fails.
You need to ensure that the print jobs in the Printer1 queue are printed. What should you do?
A. Modify the Ports settings of Printer1.
B. Modify the Sharing settings of Printer1.
C. Run the Printer Migration tool.
D. Run the Remove-Job and Copy-Item cmdlets.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 507
Your network contains an Active Directory domain named contoso.com. The functional level of the domain and the functional level of the forest are Windows Server
2003. All domain controllers run Windows Server 2008.
You have a member server that runs Windows Server 2008 R2 named Server1. You install the Distributed Scan Server role service on Server1. From the Scan
Management console, you attempt to add a scan process and you receive the following error.
You need to ensure that you can add a scan process.
What should you do?
A. Install the Fax Server role.
B. Install the Print Server role service.
C. Update the Active Directory schema.
D. Set the functional level of the forest to Windows Server 2008.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
In order to use Distributed Scan Management (DSM), the Active Directory schema needs to be updated; the schema update is found here: http://www.microsoft.com/en-us/download/details.aspx?id=9494
http://blogs.technet.com/b/askperf/archive/2009/10/11/windows-7-windows-server-2008-r2-distributedscanmanagement.aspx
http://blogs.technet.com/b/print/archive/2009/10/22/distributed-scan-management.aspx
QUESTION 508
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS Server for contoso.com.
You install the DNS Server role on a member server named Server1 and then you create a standard secondary zone for contoso.com.
You configure DC1 as the master server for the zone.
You need to ensure that Server1 receives zone updates from DC1.
What should you do?
A. On DC1, modify the permissions of the contoso.com zone.
B. On Server1, add a conditional forwarder.
C. On DC1, modify the zone transfer settings for the contoso.com zone.
D. Add the Server1 computer account to the DNSUpdateProxy group.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc771652.aspx
Modify Zone Transfer Settings
You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.
To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
- To disable zone transfers, clear the Allow zone transfers check box.
- To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
- To allow zone transfers to any server, click To any server.
- To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
- To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
QUESTION 509
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.
B. Modify the security settings on the template to allow only administrators to request code signing certificates.
C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.
D. Publish the code signing template.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://techblog.mirabito.net.au/?p=297
Generating and working with code signing certificates
A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be signed with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte). For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted.
In the case of code signing, it may be necessary also for the issued certificate to be in the Trusted Publishers store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code. A certificate can be assigned to a user or a computer, which will then be the publisher of the code in question.
Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the Trusted Publishers store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.
QUESTION 510
Your company has an Active Directory forest.
You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server. When you attempt to add the Active Directory Certificate Services
(AD CS) role, you find that the Enterprise CA option is not available.
You need to install the AD CS role as an Enterprise CA.
What should you do first?
A. Add the DNS Server role.
B. Add the Active Directory Lightweight Directory Service (AD LDS) role.
C. Add the Web server (IIS) role and the AD CS role.
D. Join the server to the domain.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Enterprise CA option is greyed out / unavailable
Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it's unavailable as in the following picture:
Well, you need to fulfill basic requirements:
Server machine has to be a member server (domain joined).
You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows Edition. The difference is the number of ADCS features and components that can be enabled. To get full functionality, you need to run on Enterprise or Data Center Windows Server 2008 /R2/ Editions. It includes functionality like Role separation, Certificate manager restrictions, Delegated enrollment agent restrictions, Certificate enrollment across forests, Online Responder, Network Device Enrollment.
In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through a group nesting).
If the issue still persists, there is probably a problem with getting correct credentials of your account. There are many things that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I got, this troubleshooting helped perfectly:
First of all, carefully check all above requirements.
Secondly, install all available patches and Service Packs with Windows Update before trying to install Enterprise CA.
Check network settings on the CA Server. If there is no DNS setting, Certificate Authority Server cannot resolve and find domain.
Sufficient privileges for writing the Enterprise CA configuration information in AD configuration partition are required. Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install ADCS with. In fact, you may be sure that your account is in Enterprise Admins group, but check how CA Server sees your account membership by typing whoami /groups. You also need to be a member of local Administrators group. If you are not, you wouldn't be able to run Server Manager, but still needs to be checked.
View C:\windows\certocm.log file. There you can find helpful details on problems with group membership. For example status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that needed memberships are not correct.
Don't forget to check event viewer on CA Server side and look for red lines.
Verify that network devices or software & hardware firewalls are not blocking access from/to server and Domain Controllers. If so, Certificate Authority Server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName
Check also whether Server CA is connected to a writable Domain Controller.
Enterprise Admins group is the most powerful group and has ADCS required full control permissions, but who knows, maybe someone changed default permissions? Run adsiedit.msc on Domain Controller, connect to default context and first of all check if CN=Public Key Service,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container does exist. If so, check permissions for all subcontainers under Public Key Service if Enterprise Admins group has full control permissions. The main subcontainers to verify are Certificate Templates, OID, KRA containers.
If no above tips help, disjoin the server from domain and join again. Ultimately reinstall operation system on CA Server.
QUESTION 511
Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2.
The DNS servers are configured as shown in the following table.
Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites.
You need to enable Internet name resolution for all client computers.
What should you do?
A. Update the list of root hints servers on DNS2.
B. Create a copy of the .(root) zone on DNS1.
C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.
D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.
QUESTION 512
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008. You need to configure the Active Directory environment to support the application of multiple password
policies.
What should you do?
A. Raise the functional level of the domain to Windows Server 2008.
B. On one domain controller, run dcpromo /adv.
C. Create multiple Active Directory sites.
D. On all domain controllers, run dcpromo /adv.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server® 2008 domains. In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons. In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
Requirements and special considerations for fine-grained password and account lockout policies
Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.
QUESTION 513
Your company has two Active Directory forests named contoso.com and fabrikam.com. The company network has three DNS servers named DNS1, DNS2, and
DNS3. The DNS servers are configured as shown in the following table.
All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS
server.
Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain.
You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
What should you do?
A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
QUESTION 514
Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains.
You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain.
What should you do?
A. Decrease the replication interval for all Connection objects.
B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc754538.aspx
Understanding When to Create a Shortcut Trust
When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.
Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.
Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.
Using one-way trusts
A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests, but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path.
QUESTION 515
The company runs Windows Server 2008 on all of its servers. It has a single Active Directory domain and it uses an Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to examine revoked certificate information.
You need to make sure that the revoked certificate information is available at all times.
What should you do to achieve that?
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet Security and Acceleration Server) array.
D. Use network load balancing and publish an OCSP responder.
E. None of the above
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx How Certificate Revocation Works
QUESTION 516
As the Company administrator you had installed a read-only domain controller (RODC) server at remote location.
The remote location doesn't provide enough physical security for the server. What should you do to allow administrative accounts to replicate authentication
information to Read-Only Domain Controllers?
A. Remove any administrative accounts from RODC's group
B. Add administrative accounts to the domain Allowed RODC Password Replication group
C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO.
E. None of the above
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
...
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.
By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List attribute contains only the Allowed RODC Password Replication Group. By default, the Denied RODC Password Replication Group contains the following members:
Enterprise Domain Controllers
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account
By default, the Denied List attribute contains the following security principals, all of which are built-in groups:
Denied RODC Password Replication Group
Account Operators
Server Operators
Backup Operators
Administrators
The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.
The following table summarizes the three possible administrative models for the Password Replication Policy.
QUESTION 517
ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose of this cluster is to provide load balancing and high
availability of the intranet website only.
With monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect
to various services by using the name web.CK1.com.
You also discover that there is only one port rule configured for Network Load Balancing cluster. You have to configure web.CK1.com NLB cluster to accept HTTP
traffic only.
Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution)
A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console
B. Run the wlbs disable command on the cluster nodes
C. Assign a unique port rule for NLB cluster by using the NLB Cluster console
D. Delete the default port rules through Network Load Balancing Cluster console
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc733056.aspx
Create a new Network Load Balancing Port Rule
Port rules control how a Network Load Balancing (NLB) cluster functions. To maximize control of various types of TCP/IP traffic, you can set up port rules to control how each port's cluster-network traffic is handled. The method by which a port's network traffic is handled is called its filtering mode. There are three possible filtering modes: Multiple hosts, Single host, and Disabled.
You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters:
The virtual IP address that the rule should apply to
The TCP or UDP port range that this rule should apply to
The protocols that this rule should apply to, including TCP, UDP, or both
The filtering mode that specifies how the cluster handles traffic, which is described by the port range and the protocols
In addition, you can select one of three options for client affinity: None, Single, or Network. Single and Network are used to ensure that all network traffic from a particular client is directed to the same cluster host.
To allow NLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for your protocol setting. As an extension to the Single and Network options, you can configure a time-out setting to preserve client affinity when the configuration of an NLB cluster is changed. This extension also allows clients to keep affinity to a cluster host even if there are no active, existing connections from the client to the host.
QUESTION 518
ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest.
Some of the servers in the network run Windows Server 2008 and the rest run Windows server 2003.
You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators over there. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office.
What should you do to set up the RODC on the computer in the branch office?
A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by deploying the image of AD DS
E. None of the above
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc754629.aspx
Install an RODC on a Server Core installation
To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS.
QUESTION 519
You had installed an Active Directory Federation Services (AD FS) role on a Windows server 2008 in your organization.
Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and that the Federation server is operational.
What should you do? (Select all that apply)
A. Go to Services tab, and check if Active Directory Federation Services is running
B. In the event viewer, Applications, Event ID column look for event ID 674.
C. Open a browser window, and then type the Federation Service URL for the new federation server.
D. None of the above
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc734875.aspx
Verify
Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to
successfully communicate with the Federation Service.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
1. Log on to a client computer with Internet access.
2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page
that is stored on the federation server proxy.
3. Press ENTER.
Note: At this point your browser should display the error Server Error in '/adfs' Application. This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).
4. Log on to the federation server proxy.
5. Click Start, point to Administrative Tools, and then click Event Viewer.
6. In the details pane, double-click Application.
7. In the Event column, look for event ID 674.
QUESTION 520
ABC.com has purchased laptop computers that will be used to connect to a wireless network.
You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks.
You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network.
What should you do to enforce the group policy wireless settings to the laptop computers?
A. Execute gpupdate /target:computer command at the command prompt on laptop computers
B. Execute Add a network command and leave the SSID (service set identifier) blank
C. Execute gpupdate /boot command at the command prompt on laptop computers
D. Connect each laptop computer to a wired network and log off the laptop computer and then log in again.
E. None of the above
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 521
The Company has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS. You need to prepare the domain controller for disaster recovery apart from the routine backup procedures.
You are unable to launch the backup utility while attempting to back up the system state data for the domain controller.
You need to back up system state data from the Windows Server 2008 domain controller server.
What should you do?
A. Add your user account to the local Backup Operators group
B. Install the Windows Server Backup feature using the Server Manager feature.
C. Install the Removable Storage Manager feature using the Server Manager feature
D. Deactivate the backup job that is configured to back up the Windows 2008 server domain controller on the Windows 2003 server.
E. None of the above
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc770266%28v=ws.10%29.aspx
Windows Server Backup Step-by-Step Guide for Windows Server 2008
The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server® 2008 operating system. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the Windows operating system.
What is Windows Server Backup?
The Windows Server Backup feature in Windows Server 2008 consists of a Microsoft Management Console (MMC) snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment. You can use Windows Server Backup to create and manage backups for the local computer or a remote computer. You can also schedule backups to run automatically and you can perform one-time backups to augment the scheduled backups.
QUESTION 522
You are an administrator at ABC.com. The company has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security.
You need to activate nonadministrative accounts' passwords on that RODC server.
Which of the following actions should be considered to populate the RODC server with non-administrative accounts' passwords?
A. Delete all administrative accounts from the RODC's group
B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.
E. None of the above
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc770320%28v=ws.10%29.aspx
Advantages That an RODC Can Provide to an Existing Deployment
Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use to delegate administration of an RODC to a nonadministrative user or group. This means that it is not necessary for a highly privileged administrator to log on to the domain controller in the branch office to perform routine server maintenance.
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group. The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.
QUESTION 523
ABC.com has a network that is comprised of a single Active Directory domain. As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers.
Which tool should you use to test the certificate with AD LDS?
A. Ldp.exe
B. Active Directory Domain Services
C. ntdsutil.exe
D. Lds.exe
E. wsamain.exe
F. None of the above
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc725767%28v=ws.10%29.aspx Appendix A: Configuring LDAP over SSL Requirements for AD LDS The Lightweight
Directory Access Protocol (LDAP) is used to read from and write to Active Directory
Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can makeLDAP traffic confidential and secure by using Secure
Sockets Layer (SSL) / Transport Layer Security (TLS)technology.
Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe To test your server authentication certificate, you can open Ldp.exe on the computer that is
running the ADLDS instance and then connect to this AD LDS instance that has the SSL option enabled.
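Added example (not part of the exam dump or the TechNet article it cites): a scripted alternative to the Ldp.exe test above. It opens an LDAP over SSL session to the AD LDS instance through System.DirectoryServices.Protocols; the bind only succeeds if the server certificate chains to a CA the client trusts and was issued to the host name used, which is exactly what the Ldp.exe test verifies by hand. The server name and port are assumed placeholders.

```powershell
# Added example, not from the exam dump: test the AD LDS server certificate over LDAPS.
$server = 'adlds01.abc.com'   # placeholder: the AD LDS server
$port   = 636                 # placeholder: the SSL port configured for the AD LDS instance

Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$connection.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (LDAPS), not StartTLS
$connection.SessionOptions.ProtocolVersion   = 3
$connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

try {
    # Bind performs the TLS handshake and the certificate validation before authenticating.
    $connection.Bind()

    # Read the RootDSE to prove the secured session works end to end.
    $request  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)', 'Base', 'supportedLDAPVersion', 'dnsHostName')
    $response = $connection.SendRequest($request)
    $entry    = $response.Entries[0]
    $dnsName  = $entry.Attributes['dnsHostName'].GetValues([string])[0]
    "LDAPS OK: ${server}:${port} reports dnsHostName=$dnsName"
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # An untrusted, expired or wrongly named certificate fails here, at the bind,
    # typically as "The LDAP server is unavailable", not later at the search.
    "LDAPS FAILED: $($_.Exception.Message) (ErrorCode $($_.Exception.ErrorCode))"
}
finally {
    $connection.Dispose()
}
```

Run it from a client that holds the CA certificate in its trusted root store; a failure on the client but success on the AD LDS server itself points at the client-side trust, not at the server certificate.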
QUESTION 524
ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed.
Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?
A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts
B. Add a password replication policy to the main Domain RODC and add user accounts in the security group
C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server
D. Configure and add a separate password replication policy on each RODC computer account
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
QUESTION 525
The corporate network of Company consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Company 1 and Company 2. To ensure central monitoring of events, you decided to collect all the events on one server: collect events from Company 2 and transfer them to Company 1.
You configure the required event subscriptions.
You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol.
However, you discovered that none of the subscriptions work.
Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution).
A. From the Run window, execute the winrm quickconfig command on Company 2.
B. From the Run window, execute the wecutil qc command on Company 2.
C. Add the Company 1 account to the Administrators group on Company 2.
D. From the Run window, execute the winrm quickconfig command on Company 1.
E. Add the Company 2 account to the Administrators group on Company 1.
F. From the Run window, execute the wecutil qc command on Company 1.
Correct Answer: ACF
Section: (none)
Explanation
Explanation/Reference:
Explanation:
We need to do three things:
1 - run winrm quickconfig on the source computer (Company 2)
2 - run wecutil qc on the collector computer (Company 1)
3 - add the computer account of the collector computer to the local Administrators group on the source computer
Had the Event delivery optimization setting been set to Minimize Bandwidth or Minimize Latency, then we would need to run winrm quickconfig on the collector computer too. Because it's set to Normal we can skip that step.
If the HTTPS protocol had been used we also would have had to configure Windows Firewall exceptions for port 443. But it's not, and it's not even listed, so that's cool.
Reference:
http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).
To configure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt: winrm quickconfig
Note: If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer.
3. On the collector computer, type the following at an elevated command prompt: wecutil qc
4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.
5. The computers are now configured to forward and collect events. Follow the steps in Create a New Subscription to specify the events you want to have forwarded to the collector.
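Added example (not part of the exam dump or the TechNet procedure above): the three configuration steps as commands, together with the checks that show whether forwarding actually works, which is what you want when "none of the subscriptions work". The script picks the right branch from the local computer name. Company 1 and Company 2 from the question are mapped to the assumed names COMPANY1 (collector) and COMPANY2 (source); the domain name and subscription name are placeholders.

```powershell
# Added example, not from the exam dump: configure and verify event forwarding.
$collector    = 'COMPANY1'        # Company 1 in the question: receives the events
$source       = 'COMPANY2'        # Company 2 in the question: forwards its events
$domain       = 'COMPANY'         # placeholder NetBIOS domain name
$subscription = 'Company2Events'  # placeholder: the subscription you create in Event Viewer

if ($env:COMPUTERNAME -eq $source) {
    # Step 2 (source): enable the WinRM listener over HTTP and its firewall exception.
    # With Normal/HTTP delivery the collector pulls events over this listener, so the
    # collector itself does not need winrm quickconfig.
    winrm quickconfig -q

    # Step 4 (source): let the collector's computer account read this machine's logs
    # by adding it to the local Administrators group (note the trailing $ on the name).
    net localgroup Administrators "$domain\$collector`$" /add

    # Check: the HTTP listener must exist for the collector to reach this machine.
    winrm enumerate winrm/config/listener
}
elseif ($env:COMPUTERNAME -eq $collector) {
    # Step 3 (collector): start the Windows Event Collector service and set it to
    # Automatic (delayed start) so subscriptions survive a reboot.
    wecutil qc /q

    # Checks: "es" lists the subscriptions, "gr" shows per-source runtime status.
    # A source shown as Inactive with an error code is where a broken step surfaces.
    wecutil es
    wecutil gr $subscription

    # Forwarded events land in the ForwardedEvents log by default; a few rows here
    # with MachineName = COMPANY2 prove the path works end to end.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id, ProviderName
}
else {
    "Run this script on $source (source) or $collector (collector)."
}
```

The subscription itself is still created in Event Viewer (or with wecutil cs from an XML file); the script only performs the per-machine preparation and the verification.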
QUESTION 526
Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).
An RODC server is stolen from one of the branch offices.
You need to identify the user accounts that were cached on the stolen RODC server.
Which utility should you use?
A. Dsmod.exe
B. Ntdsutil.exe
C. Active Directory Sites and Services
D. Active Directory Users and Computers
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc835486%28v=ws.10%29.aspx
Securing Accounts After an RODC Is Stolen
If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC. An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.
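Added example (not part of the exam dump or the TechNet articles it cites) covering both the per-RODC Password Replication Policy of Question 524 and the stolen-RODC response of Question 526 with the Active Directory module cmdlets that ship with Windows Server 2008 R2 / RSAT. The RODC name and the branch group name are assumed placeholders.

```powershell
# Added example, not from the exam dump: inspect and scope an RODC's PRP, then list
# and contain the accounts it has actually cached.
Import-Module ActiveDirectory
$rodc = 'RODC-BRANCH01'   # placeholder: the branch RODC's computer account name

# 1. The PRP is the Allowed and Denied lists on the RODC's computer object. The domain-wide
#    Allowed/Denied RODC Password Replication Groups show up here alongside per-RODC entries.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 2. Per-branch scoping (Question 524): allow this branch's own group on this RODC only,
#    rather than putting everyone into the domain-wide Allowed RODC Password Replication Group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch01-Users'

# 3. "Allowed" is not "cached": -RevealedAccounts lists the accounts whose secrets this RODC
#    really holds. That is the list that matters once the RODC is stolen (Question 526).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# 4. Containment: reset every revealed user account to a fresh random password and require a
#    change at next logon. -WhatIf previews the change; remove it to apply. Computer accounts
#    renew their own secret on the next secure-channel reset, and the RODC's computer account
#    is deleted with the Active Directory Users and Computers wizard named in the answer.
Add-Type -AssemblyName System.Web
$revealed | Where-Object { $_.ObjectClass -eq 'user' } | ForEach-Object {
    $plain = [System.Web.Security.Membership]::GeneratePassword(20, 4)
    $new   = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $_.DistinguishedName -Reset -NewPassword $new -WhatIf
    Set-ADUser -Identity $_.DistinguishedName -ChangePasswordAtLogon $true -WhatIf
}
```

Resetting the revealed accounts, not merely flagging them, is the point: a stolen RODC's database contains the cached secrets, and only a new password makes them worthless.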
QUESTION 527
ABC.com has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses a physical network interface card.
ABC.com requires every server in the company to access the Internet. ABC.com security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Similarly, it states the IP address space used by other networks should not be used by the evaluation lab network.
As an administrator you find that the applications tested in the software evaluation lab need to access the normal network to connect to the vendors' update servers on the internet. You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with the company's security policy.
Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution)
A. Trigger the Virtual DHCP server for the external virtual network and run the ipconfig /renew command on each virtual server
B. On CKT's physical network interface, activate Internet Connection Sharing (ICS)
C. Use ABC.com intranet IP addresses on all virtual servers on CKT.
D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use the new network interface and create a new virtual network.
E. None of the above
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://class10e.com/Microsoft/which-two-actions-should-you-perform-to-achieve-this-task- choose-two-answers/
To configure all virtual servers on the CKT server to access the internet and comply with the company's security policy, you should trigger the virtual DHCP server for the external virtual network and run the ipconfig /renew command on each virtual server. Then add and install a Microsoft Loopback adapter network interface on CKT. Create a virtual network using the new interface.
When you configure the Virtual DHCP server for the external virtual network, a set of IP addresses is assigned to the virtual servers on the CKT server. By running the ipconfig /renew command, the new IP addresses are obtained. The Microsoft Loopback adapter network interface will ensure that the IP address space used by other networks is not used by the virtual servers on the CKT server. You create a new virtual network on the new network interface, which will enable you to access the internet.
QUESTION 528
You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. It has an Active Directory domain.
You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts itself down. To trace and rectify the problem, you create a Group Policy Object (GPO).
You need to change the domain security settings to trace the shutdowns and identify the cause of it.
What should you do to perform this task?
A. Link the GPO to the domain and enable the Audit system events option
B. Link the GPO to the domain and enable the Audit object access option
C. Link the GPO to the Domain Controllers and enable the Audit object access option
D. Link the GPO to the Domain Controllers and enable the Audit process tracking option
E. Perform all of the above actions
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://msdn.microsoft.com/en-us/library/ms813610.aspx
Audit system events
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Description: Determines whether to audit when a user restarts or shuts down the computer, or an event has occurred that affects either the system security or the security log. By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and in the local policies of workstations and servers. If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when a system event is successfully executed. Failure audits generate an audit entry when a system event is unsuccessfully attempted. You can select No auditing by defining the policy setting and unchecking Success and Failure.
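Added example (not part of the exam dump or the MSDN page it cites): once the GPO is linked, this checks that "Audit system events" is actually in force on each file server and pulls the audit entries a shutdown produces, which is the evidence that ties the shutdown to the newly installed application. The server names are assumed placeholders; the event IDs are the standard ones for these events.

```powershell
# Added example, not from the exam dump: verify the audit setting and collect shutdown audits.
$fileServers = 'FS01', 'FS02', 'FS03', 'FS04', 'FS05'   # placeholder names for the 5 file servers

foreach ($server in $fileServers) {
    # auditpol shows what the LSA enforces after the GPO applies; on Windows Server 2008 the
    # legacy "Audit system events" category maps to the System subcategories it prints.
    Write-Host "== $server : effective System audit policy =="
    Invoke-Command -ComputerName $server -ScriptBlock { auditpol /get /category:System }

    # Security log: 4608 = Windows is starting up, 4609 = Windows is shutting down.
    # These are the Success entries that "Audit system events" writes for a restart/shutdown.
    $sec = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue `
               -FilterHashtable @{ LogName = 'Security'; Id = 4608, 4609 }

    # System log: 1074 (User32) names the process and account that initiated the shutdown,
    # which is what identifies the application behind it.
    $sys = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue `
               -FilterHashtable @{ LogName = 'System'; Id = 1074 }

    @($sec) + @($sys) |
        Where-Object { $_ } |
        Sort-Object TimeCreated |
        Select-Object @{ n = 'Server'; e = { $server } }, TimeCreated, LogName, Id,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

Reading the two logs side by side matters: the Security log proves the shutdown happened under the audit policy you set, while the System log entry carries the initiating process name that answers "why".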
QUESTION 529
ABC.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an Organizational Unit (OU) on the domain controller.
As an administrator of ABC.com, you are in the process of restoring the OU.
You need to execute a non-authoritative restore before an authoritative restore of the OU.
Which backup should you use to perform a non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on the domain controller?
A. Critical volume backup
B. Backup of all the volumes
C. Backup of the volume that hosts the operating system
D. Backup of AD DS folders
E. All of the above
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc730683%28v=ws.10%29.aspx
Performing a Nonauthoritative Restore of AD DS
To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a system state backup.
To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in this topic uses the wbadmin start systemstaterecovery command. You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if you do not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use the wbadmin start recovery command.
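Added example (not part of the exam dump or the TechNet article above): the full sequence the question describes, a non-authoritative restore followed by an authoritative restore of the deleted OU, as the commands typed on the domain controller. It uses the system state backup path the article documents; the OU distinguished name, backup target and version ID are assumed placeholders.

```powershell
# Added example, not from the exam dump: non-authoritative restore, then authoritative restore of one OU.
# Run from an elevated prompt on the domain controller. Steps 3 and 4 run inside DSRM.
$deletedOu     = 'OU=Sales,DC=abc,DC=com'   # placeholder: the OU the technician deleted
$backupTarget  = 'E:'                        # placeholder: volume holding the Windows Server Backup
$backupVersion = '03/15/2013-09:00'          # placeholder: copy the real ID from "wbadmin get versions"

# 1. Find the backup version taken before the deletion.
wbadmin get versions "-backupTarget:$backupTarget"

# 2. Restart into Directory Services Restore Mode (DSRM): AD DS must be offline to be restored.
bcdedit /set safeboot dsrepair
# Restart-Computer -Force   # uncomment to reboot; log on with the DSRM administrator password

# 3. In DSRM: non-authoritative restore of the system state only. Other data on the volumes is
#    left untouched, unlike "wbadmin start recovery" of a full server backup. If wbadmin asks
#    to restart afterwards, decline: step 4 must run in this same DSRM session.
wbadmin start systemstaterecovery "-version:$backupVersion" "-backupTarget:$backupTarget"

# 4. Still in DSRM: mark the OU subtree authoritative. This raises the version numbers of the
#    restored objects so they win over the deletion that already replicated to the other DCs.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $deletedOu" quit quit

# 5. Leave DSRM and restart normally; the restored OU replicates back out to the other DCs.
bcdedit /deletevalue safeboot
# Restart-Computer -Force
```

Without step 4 the restored OU would be deleted again within one replication cycle, because the other domain controllers hold the newer (deletion) version of every object in it.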
QUESTION 530
ABC.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network.
You are instructed to capture all replication errors from all domain controllers to a central location.
What should you do to achieve this task?
A. Initiate the Active Directory Diagnostics data collector set
B. Set event log subscriptions and configure it
C. Initiate the System Performance data collector set
D. Create a new capture in the Network Monitor
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers.
The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.
http://technet.microsoft.com/en-us/library/cc961808.aspx
Replication Issues
QUESTION 531
Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers run Windows XP and Windows Vista. All domain controllers are running Windows Server 2008.
You need to deploy Active Directory Rights Management Services (AD RMS) to secure all documents and spreadsheets and to provide user authentication.
What do you need to configure in order to complete the deployment of AD RMS?
A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company_DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company_SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_SRV5
E. None of the above
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/dd772753%28v=ws.10%29.aspx
AD RMS Client Requirements
Windows AD RMS Client
Windows 7, all editions
Windows Server 2008 R2, all editions except Core Editions
Windows Vista, all editions
Windows Server 2008, all editions except Core Editions
Windows XP SP3 32-bit Edition
Windows XP SP3 64-bit Edition
Windows Server 2003 with SP1 32-bit Edition
Windows Server 2003 with SP1 64-bit Edition
Windows Server 2003 for Itanium-based systems with SP1
Windows Server 2003 R2 32-bit Edition
Windows Server 2003 R2 64-bit Edition
Windows Server 2003 R2 for Itanium-based systems
Windows Small Business Server 2003 32-bit Edition
Windows Server 2000 SP4 32-bit Edition
http://technet.microsoft.com/en-us/library/dd772659%28v=ws.10%29.aspx
AD RMS Prerequisites
Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server 2008 R2 for the first time, there are several requirements that must be met. Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) forest as the user accounts that will be using rights-protected content.
QUESTION 532
You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decide to back up only a specific AD LDS instance instead of backing up the entire volume.
What should you do to accomplish this task?
A. Use the Windows Server Backup utility and enable the checkbox to back up only the database and log files of AD LDS
B. Use the Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance
C. Move the AD LDS database and log files to a separate volume and use the Windows Server Backup utility
D. None of the above
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
http://technet.microsoft.com/en-us/library/cc730941.aspx
Backing up AD LDS instance data with Dsdbutil.exe
With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.
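Added example (not part of the exam dump or the TechNet article above): the Dsdbutil.exe commands that produce installation media for one AD LDS instance only. The instance name and destination folder are assumed placeholders; the command syntax is the one documented for dsdbutil.

```powershell
# Added example, not from the exam dump: back up a single AD LDS instance with dsdbutil ifm.
$instance = 'AppDirectory1'                   # placeholder: one of the names from "list instances"
$dest     = 'D:\ADLDS-IFM\AppDirectory1'      # placeholder: destination for the installation media

# 1. Confirm the instance name, its LDAP/SSL ports and where its database lives.
dsdbutil "list instances" quit

# 2. Create a full installation-media (IFM) set for this instance only: the instance database
#    and the registry settings needed to recreate it, nothing else from the volume. Creating
#    the set works while the instance is running; dsdbutil takes a consistent snapshot.
New-Item -ItemType Directory -Path $dest -Force | Out-Null
dsdbutil "activate instance $instance" ifm "create full $dest" quit quit

# 3. Verify what was written and how much media it needs, which is the point of this approach.
Get-ChildItem -Path $dest -Recurse |
    Select-Object FullName, Length
```

Keep the destination on a different volume or media than the live instance; an IFM set on the same disk as the instance it protects is not a backup when that disk fails.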
QUESTION 533
Your network contains an Active Directory domain named contoso.com. The network contains 10 subnets.
You install a Web server on three different subnets. Each Web server hosts a web application accessed by using an FQDN of web1.contoso.com.
For web1.contoso.com, you create three host (A) records, each of which points to one of the Web servers.
You need to configure the DNS settings to meet the following requirements:
Users who access web1.contoso.com from a subnet that contains one of the Web servers must connect to the server on their local subnet.
When users connect from a subnet that does not contain a Web server hosting the web application, the connections must be balanced between the three Web servers.
Which two settings should you modify? (To answer, select the two appropriate settings in the answer area.)
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 534
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers named Server1 and Server2.
DNS Manager on Server2 is shown in the exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit. Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 535
Your network contains an Active Directory domain named contoso.com. A domain controller named DC1 runs Windows Server 2008 R2 Service Pack 1 (SP1).
You install Windows Server 2008 R2 SP1 on a server named Server1.
You need to perform an offline domain join of Server1 to the domain.
What should you do?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Note:
Performing an offline domain join using different physical computers
To perform an offline domain join using physical computers, you can complete the following steps. The best practice in this case is to have one domain controller, one domain-joined computer to use as a provisioning server, and one client computer that you want to join to the domain.
1. On the provisioning server, open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Type the following command to provision the computer account:
djoin /provision /domain <domain to be joined> /machine <name of the destination computer> /savefile blob.txt
2. Copy the blob.txt file to the client computer.
3. On the client computer, open an elevated command prompt, and then type the following command to request the domain join:
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
* Offline domain join is a new process that computers that run Windows 7/8 or Windows Server 2008/2012 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network.
QUESTION 536
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2. Both domain controllers host an Active Directory-integrated zone for contoso.com. Each domain controller is located in a different city.
You have a member server named Server1. Server1 hosts a stub zone for contoso.com.
On DC1, you add a name server (NS) record to the contoso.com zone.
In the table below, identify which tool you must use to replicate the record to each server. Make only one selection in each column. Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 537
Your network contains an Active Directory forest named contoso.com. The forest contains four child domains named east.contoso.com, west.contoso.com,
south.contoso.com, and north.contoso.com.
You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table.
What should you do?
To answer, drag the appropriate group type to the correct group name in the answer area.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 538
A server runs Windows Server 2008. The Terminal Services role is installed on the server. You deploy a new application on the server. The application creates files that have an extension of .xyz.
You need to ensure that users can launch the remote application from their computers by double-clicking a file that has the .xyz extension.
What should you do?
A. Configure the Remote Desktop Connection Client on the users' computers to point to the server.
B. Configure the application as a published application by using a Remote Desktop Program file.
C. Configure the application as a published application by using a Windows Installer package file.
D. Configure the application as a published application by using a Terminal Server Web Access Web site.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Launching Apps from the Desktop
For users who want to double-click documents to launch the application, terminal services now provides the ability to "install" the remote application's link to the desktop. This process effectively wraps the RemoteApp's RDP file into a Windows Installer package (an MSI file) that is later installed to desktops in the environment. At the same time, the installed MSI can modify the file extension associations on the desktop to reroute a double-clicked file to its associated RemoteApp on the terminal server. Figure 3 shows how the file extension associations have been modified on a client system after a Word RemoteApp is installed. Now, double-clicking any of the common Word file extensions will launch Word via the Remote Desktop Connection.
Figure 3: File extension associations that have been altered to launch the Remote Desktop Connection
To create a Windows Installer package out of an existing RemoteApp, first navigate to the TS RemoteApp Manager. Right-click the RemoteApp of interest and select Create Windows Installer Package. By default, all created Windows Installer packages are stored in the location C:\Program Files\Packaged Programs, but this location can be changed from within the RemoteApp Wizard. Also configurable within the wizard are the name and port for the server that will host the RemoteApp, as well as server authentication, certificate settings, and TS Gateway settings. Settings that relate to the application's location after installation to a candidate desktop are shown in Figure 4. As you can see, it is possible to create a shortcut on the desktop as well as to a location within the Start menu folder. The most important checkbox on this screen is at the very bottom. It's the checkbox for Take over client settings, and it re-associates any file extension associations for the RemoteApp from the local desktop to the terminal server. This checkbox must be selected if you want users to be able to double-click documents to launch their TS-hosted application. Click Next and Finish to complete the wizard.
Please note: since Windows Server 2008 R2, Terminal Services (TS) is rebranded as Remote Desktop Services (RDS).
Source: http://technet.microsoft.com/en-us/query/dd314392
QUESTION 539
You have a server that runs Windows Server 2008 R2. The server has the RD Gateway role service installed.
You need to provide a security group access to the RD Gateway server.
What should you do?
A. Add the security group to the Remote Desktop Users group.
B. Add the security group to the TS Web Access Computers group.
C. Create and configure a Remote Desktop Resource Authorization Policy.
D. Create and configure a Remote Desktop Connection Authorization Policy.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway server.
Source: http://technet.microsoft.com/en-us/library/cc753324.aspx
QUESTION 540
Your company uses Public folders and Web Distributed Authoring and Versioning. The company asks you to install Microsoft Windows SharePoint Services (WSS) as a server in a new server farm. You plan to install WSS on a server that runs Windows Server 2008 R2.
You start the Configuration Wizard to begin the installation. You receive an error message as shown in the exhibit.
You need to configure WSS to start SharePoint Services 3.0 SP 2 Central Administration.
What should you do?
A. Install the Windows Internal Database.
B. Install a Microsoft SQL Server 2005 server.
C. Install the Active Directory Rights Management Services role.
D. Install the Active Directory Lightweight Directory Services role.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To resolve this problem, you need to install a Microsoft SQL Server 2005 server on the farm. This error message occurs when either the SQL Server does not exist or the SQL Server service is stopped.
The server farm account is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. If SQL Server is not available then the above mentioned error message will appear.
Reference: Configuration Wizard - Failed to Connect
http://blogs.msdn.com/neilth/archive/2008/04/25/failed-to-connect-or-database-name-does-not- exist.aspx
QUESTION 541
You manage a member server that runs Windows Server 2008 R2. The server runs the Remote Desktop Gateway (RD Gateway) role service.
You need to find out whether a user named User1 has ever connected to his office workstation through the RD Gateway server.
What should you do?
A. View the events in the Monitoring folder from the RD Gateway Manager console.
B. View the Event Viewer Security log.
C. View the Event Viewer Application log.
D. View the Event Viewer Terminal Services-Gateway log.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
By using TS Gateway Manager, you can specify the types of events that you want to monitor, such as unsuccessful or successful connection attempts to internal network computers through a TS Gateway server.
When these events occur, you can monitor the corresponding events by using Windows Event Viewer. TS Gateway server events are stored in Event Viewer under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\.
Source: http://technet.microsoft.com/en-us/library/cc730618(WS.10).aspx
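Added example (not part of the exam dump or the TechNet article above): reading the Terminal Services-Gateway log from PowerShell to answer exactly the question asked, whether a named user ever connected through the gateway. The gateway server name and user name are assumed placeholders; the log name is the operational log the article refers to.

```powershell
# Added example, not from the exam dump: find every RD Gateway event that names a given user.
$gateway = 'RDGW01'        # placeholder: the RD Gateway server
$user    = 'ABC\User1'     # placeholder: the account to look for
$log     = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

# The gateway writes one event per connection attempt, RD CAP/RD RAP decision, connect and
# disconnect. The message text carries the user and the internal resource, so filter on it.
$events = Get-WinEvent -ComputerName $gateway -LogName $log -ErrorAction Stop |
    Where-Object { $_.Message -match [regex]::Escape($user) }

if (-not $events) {
    "No RD Gateway events on $gateway mention $user."
}
else {
    # One row per event: when, the event ID, and the first line of the message, which states
    # what happened (met or failed the policy, connected to which resource, disconnected).
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'What'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize

    # Counts per event ID give the quick picture: how many attempts were authorized versus refused.
    $events | Group-Object Id | Select-Object Name, Count
}
```

The same query scoped to a time window with the -FilterHashtable StartTime/EndTime keys is the usual way to answer "did this account use the gateway during the incident".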
QUESTION 542
Your company has an Active Directory domain. All the servers in the company run either Windows Server 2008 R2 or Windows Server 2003. A Windows Server 2003 server named Server1 runs Microsoft SQL Server 2005 SP2 and Microsoft Windows SharePoint Services (WSS) 2.0.
The company plans to migrate to WSS 3.0 SP2 on a Windows Server 2008 R2 server named Server2.
You need to migrate the configuration and content from Server1 to Server2.
What should you do?
A. Back up the SharePoint configuration and content from Server1. Install WSS 3.0 SP2 on Server2. Restore the backup from Server1 to Server2.
B. Upgrade Server1 to Windows Server 2008 R2. Back up the SharePoint configuration and content from Server1. Install WSS 3.0 SP2 on Server2. Restore the backup from Server1 to Server2.
C. Back up the SQL Server 2005 configuration and the WSS 2.0 databases from Server1. Install SQL Server 2005 on Server2. Restore the SQL Server 2005 backup from Server1 to Server2.
D. Back up the WSS 2.0 configuration and content from Server1. Install WSS 2.0 on Server2. Restore the backup from Server1 to Server2. Perform an in-place upgrade of WSS 2.0 to WSS 3.0 SP2 on Server2.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To migrate to SharePoint Services (WSS) 3.0 from Server1 to Server2 with all the configuration and content, you need to install WSS 2.0 on Server2. Back up the WSS 2.0 configuration and content from Server1 and restore the backup from Server1 to Server2. Perform an in-place upgrade of WSS 2.0 to WSS 3.0 on Server2.
When you run an in-place upgrade, all content and configuration data is upgraded in place, at one time. When you start the in-place upgrade process, the Web server and Web sites remain offline until the upgrade has been installed. In-place upgrades are best for a stand-alone server and small installations, as in this case.
Reference: Install and configure Office SharePoint Server for an in-place upgrade http://technet.microsoft.com/en-us/library/cc263212(TechNet.10).aspx
Reference: Determine upgrade approach (Office SharePoint Server) http://technet.microsoft.com/en-us/library/cc263447(TechNet.10).aspx
QUESTION 543
Your company has an Active Directory domain. You have a server named KMS1 that runs Windows Server 2008 R2. You install and configure Key Management
Service (KMS) on KMS1. You plan to deploy Windows Server 2008 R2 on 10 new servers. You install the first two servers. The servers fail to activate by using
KMS1.
You need to activate the new servers by using the KMS server.
What should you do first?
A. Complete the installation of the remaining eight servers.
B. Configure Windows Management Instrumentation (WMI) exceptions in Windows Firewall on the new servers.
C. Install Volume Activation Management Tool (VAMT) on the KMS server and configure Multiple Activation Key (MAK) Proxy Activation.
D. Install Volume Activation Management Tool (VAMT) on the KMS server and configure Multiple Activation Key (MAK) Independent Activation.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Key Management Service
With KMS, IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. KMS
is a lightweight service that does not require a dedicated system and can easily be co-hosted on a system that provides other services. By default, volume editions
of Windows 7 and Windows Server 2008 R2 connect to a system that hosts the KMS service to request activation. No action is required from the user. KMS
requires a minimum number of computers (physical or virtual machines) in a network environment.
The organization must have at least five computers to activate Windows Server 2008 R2 and at least 25 computers to activate clients that are running Windows 7.
These minimums are referred to as activation thresholds.
To use KMS activation with Windows 7, the computer must have the qualifying OS license (often obtained through OEMs as part of the new PC purchase) and
contain a Windows Marker in BIOS.
Source: http://technet.microsoft.com/en-us/library/ff793423.aspx
QUESTION 544
You have four Remote Desktop Session Host Servers that run Windows Server 2008 R2. The Remote Desktop Session Host Servers are named Server1, Server2,
Server3, and Server4.
You install the Remote Desktop Connection Broker role service on Server1.
You need to configure load balancing for the four Remote Desktop Session Host Servers. You must ensure that Server2 is the preferred server for Remote Desktop
Services sessions.
Which tool should you use?
A. Group Policy Management
B. Remote Desktop Session Host Configuration
C. Remote Desktop Connection Manager
D. RD Gateway Manager
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
You can configure a Remote Desktop Session Host (RD Session Host) server to join a farm in RD Connection
Broker, and to participate in RD Connection Broker Load Balancing, by using the Remote Desktop Session Host Configuration tool.
To configure RD Connection Broker settings
1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the Edit settings area, under RD Connection Broker, double-click Member of farm in RD Connection Broker.
3. On the RD Connection Broker tab of the Properties dialog box, click Change Settings.
4. In the RD Connection Broker Settings dialog box, click Farm member.
5. In the RD Connection Broker server name box, type the name of the RD Connection Broker server.
6. In the Farm name box, type the name of the farm that you want to join in RD Connection Broker.
7. Click OK to close the RD Connection Broker Settings dialog box.
8. To participate in RD Connection Broker Load Balancing, select the Participate in Connection Broker Load-Balancing check box.
9. Optionally, in the Relative weight of this server in the farm box, modify the server weight. By default, the value is 100. The server weight is relative. Therefore, if
you assign one server a value of 50, and one a value of 100, the server with a weight of 50 will receive half the number of sessions.
10. Verify that you want to use IP address redirection. By default, the Use IP address redirection setting is enabled. If you want to use token redirection mode, select
Use token redirection. For more information, see About IP Address and Token Redirection.
11. In the Select IP addresses to be used for reconnection box, select the check box next to each IP address that you want to use.
12. When you are finished, click OK.
Source: http://technet.microsoft.com/en-us/library/cc771383.aspx
QUESTION 545
You have a server that runs Windows Server 2008 R2. The server has Microsoft SharePoint Foundation 2010 installed. The server is configured to accept incoming
email.
You create a new document library.
You need to ensure that any user can send e-mail to the document library.
What should you do?
A. Modify the RSS setting for the document library.
B. Modify the permissions for the document library.
C. Modify the incoming email settings for the document library.
D. Enable anonymous authentication for the Web application.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Enable and configure email settings for a library
Use this procedure to enable and configure email settings for a library to receive email messages in the
SharePoint document library in a site.
Enable and configure email settings for a library
1. Open the site in which you want to receive email messages by using either of the following methods:
- In Internet Explorer, type the URL of the site.
- On the View Site Collection page, click the site collection that you want to view.
2. In the left navigation pane of the home page, click View All Site Content.
3. In the Documents section, click a document library name to open the library for which you want to enable and configure email settings.
4. On the Settings menu, click Document Library Settings, Picture Library Settings, or Form Library Settings, depending on the kind of library that you are enabling
and configuring.
5. In the Communications section, click Incoming email settings.
6. In the Email section, select Yes to enable this library to receive email messages.
7. In the Email address box, type a unique name to use as part of the email address for this library.
8. In the Email Attachments section, decide where to save and how to group the email attachments in this library, and then choose whether to overwrite files that
have the same name. Note: If you decide not to overwrite files that have the same name and then later try to save a file that has the same name as one that already
exists in the library, four random digits are appended to the file name for the new attachment. If this action fails, a globally unique identifier (GUID) is appended to
the file name. If neither of these actions can produce a unique file name, the attachment is discarded.
9. In the Email Message section, choose whether to save the original email message in this library. If you select Yes, the original message is saved as a separate
item in the library.
10. In the Email Meeting Invitations section, choose whether to save the attachments to your meeting invitations in this library.
11. In the Email Security section, choose whether to archive email messages only from members of the site who can write to the library or to archive regardless of
who sends the email message.
12. Click OK to save the changes that you have made in the settings.
Source: http://technet.microsoft.com/en-us/library/cc262800.aspx
QUESTION 546
A server named Server2 runs Windows Server 2008 R2. The Remote Desktop Services server role is installed on Server2.
You plan to deploy an application on Server2. The application vendor confirms that the application can be deployed in a Remote Desktop Services environment.
The application does not use Microsoft Windows Installer packages for installation. The application makes changes to the current user registry during installation.
You need to install the application to support multiple user sessions.
What should you do?
A. Run the mstsc /v:Server2 /admin command from the client computer to log on to Server2. Install the application.
B. Run the change user /execute command on Server2. Install the application and run the change user /install command on Server2.
C. Run the change user /install command on Server2. Install the application and run the change user /execute command on Server2.
D. Run the change logon /disable command on Server2. Install the application and run the change logon /enable command on Server2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Change user
Changes the install mode for the terminal server.
Source: http://technet.microsoft.com/en-us/library/cc730696(WS.10).aspx
QUESTION 547
Your company has an Active Directory domain. A server named Server2 runs Windows Server 2008 R2. All client computers run Windows 7.
You install the Remote Desktop Services server role, RD Web Access role service, and RD Gateway role service on Server2.
You need to ensure that all client computers have compliant firewall, antivirus software, and antispyware.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure Network Access Protection (NAP) on a server in the domain.
B. Add the Remote Desktop Services servers to the Windows Authorization Access domain local security group.
C. Add the Remote Desktop Services client computers to the Windows Authorization Access domain local security group.
D. Enable the Request clients to send a statement of health option in the Remote Desktop client access policy.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To ensure that all client machines have a compliant firewall, antivirus software and anti-spyware software installed, you should enable the Request clients to send a statement of health option in the Remote Desktop Services client access policy and install and configure Network Access Protection (NAP) on a server in the domain.
Source: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8e47649e-962c-42f8-9e6f-21c5ccdcf490&displaylang=en
QUESTION 548
Your network consists of a single Active Directory domain. The domain contains a server that runs Windows Server 2008 R2. The server has Microsoft SharePoint
Foundation 2010 installed. You need to allow users to create distribution lists from a SharePoint site. What should you do on the SharePoint Foundation 2010
server?
A. Set the outgoing mail character set to 1200(Unicode).
B. Enable the SharePoint Directory Management Service.
C. Configure the site to accept messages from authenticated users only.
D. Configure the site to use the default Rights Management server in Active Directory Domain Services.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To configure the WSS server so that it allows users to create distribution lists from a SharePoint site, you need to enable the SharePoint Directory Management Service on the server. A distribution list contains the email addresses of existing address lists as well as the email addresses of other site members. Distribution lists are available only if the SharePoint Directory Management Service is enabled in Central Administration.
All new subsites that are created in an email-enabled site collection are automatically email-enabled also. If you choose to use an existing group during site creation, the distribution list for the parent site (if available) will be associated with the new site.
Reference: Introduction to incoming email/ New site creation walkthrough http://office.microsoft.com/en-us/help/HA100823061033.aspx
QUESTION 549
Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers
have the DNS server role installed.
You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to
DNS1.contoso.com. You discover that the DNS forwarding option is unavailable on DC2.
You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Clear the DNS cache on DC2.
B. Configure conditional forwarding on DC2.
C. Configure the Listen On address on DC2.
D. Delete the Root zone on DC2.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Delete the Root zone on DC2.
Configure conditional forwarding on DC2.
Explanation:
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders
A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network. You can also configure your server to forward queries according to specific domain names using conditional forwarders.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5-a342f9e169f5/
Deleting .root dns zone in 2008 DNS
Q: We have 2 domain controllers and .root zone is created in the DNS. Due to which the external name resolution is not possible. I had tried to add conditional forwarders but I get an error saying that conditional forwarders cannot be created on root DNS servers.
A 1: If you have a "root" zone created in your DNS, and you no longer want that configuration, you can just simply delete that zone. There is no reason to have a root "." zone hosted unless you want to make sure that the DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for name resolution.
If you delete this zone, the DNS server will be able to use its root hints, or forwarders to resolve queries for zones it's not authoritative for.
A 2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access while promoting the first DC. Just remove it, and the Forwarders option reappears.
Further information:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
http://technet.microsoft.com/en-us/library/cc731879%28v=ws.10%29.aspx Reviewing DNS Concepts
Delegation
For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in the namespace. These paths are created by means of delegation. A delegation is a record in a parent zone that lists a name server that is authoritative for the zone in the next level of the hierarchy. Delegations make it possible for servers in one zone to refer clients to servers in other zones. The following illustration shows one example of delegation.
The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to a zone in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root server that, to find the com zone, it must contact the Com server. Likewise, the delegation in the com zone tells the Com server that, to find the contoso.com zone, it must contact the Contoso server.
Note: A delegation uses two types of records. The name server (NS) resource record provides the name of an authoritative server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6 (IPv6) addresses of an authoritative server.
This system of zones and delegations creates a hierarchical tree that represents the DNS namespace. Each zone represents a layer in the hierarchy, and each delegation represents a branch of the tree. By using the hierarchy of zones and delegations, a DNS root server can find any name in the DNS namespace.
The root zone includes delegations that lead directly or indirectly to all other zones in the hierarchy. Any server that can query the DNS root server can use the information in the delegations to find any name in the namespace.
QUESTION 550
Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO
named Software Deployment and link it to the Production organizational unit.
You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the R&D organizational unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the Block Inheritance setting on the R&D organizational unit.
B. Configure the Enforce setting on the software deployment GPO.
C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
D. Configure the Block Inheritance setting on the Production organizational unit.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Configure the Block Inheritance setting on the R&D organizational unit. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
Explanation:
http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx Managing inheritance of Group Policy
..
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied.
Enforcing a GPO link
You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was known as "No override."
..
In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters.
http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx Security filtering using GPMC
Security filtering
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
..
Notes:
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
..
The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing.
Further information:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups Active Directory
Shadow groups
In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.
A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.
Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]
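The shadow-group workaround described above, as an added PowerShell example (not from the exam material or from Microsoft's documentation): it keeps a security group's membership in step with the user accounts located in an OU, so that the group can be selected in the Software Deployment GPO's security filtering in place of the R&D OU. The ActiveDirectory module, the OU distinguished name and the group name are assumptions.

```powershell
# Added example: maintain a "shadow group" that mirrors the user accounts in an OU.
# Assumptions: the ActiveDirectory PowerShell module is available (Windows Server
# 2008 R2 / RSAT), and the OU path and group name used at the bottom are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory = $true)] [string] $OUPath,    # DN of the OU to mirror
        [Parameter(Mandatory = $true)] [string] $GroupName, # name of the shadow group
        [switch] $IncludeChildOUs                           # also mirror nested OUs
    )

    # Create the shadow group on the first run. A global security group is
    # sufficient for GPO security filtering inside a single domain.
    $group = Get-ADGroup -Filter { Name -eq $GroupName } -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global `
                             -GroupCategory Security -Path $OUPath -PassThru
    }

    $scope = if ($IncludeChildOUs) { 'Subtree' } else { 'OneLevel' }

    # Desired membership: the user accounts currently located in the OU.
    $desired = @(Get-ADUser -Filter * -SearchBase $OUPath -SearchScope $scope |
                 ForEach-Object { $_.DistinguishedName })

    # Current membership of the group (direct members only).
    $current = @(Get-ADGroupMember -Identity $group |
                 ForEach-Object { $_.DistinguishedName })

    # Accounts moved into the OU since the last run are added ...
    $toAdd = @($desired | Where-Object { $current -notcontains $_ })
    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }

    # ... and accounts moved out of the OU (or deleted) are removed, so a user who
    # leaves R&D is no longer filtered out of the Software Deployment GPO.
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })
    if ($toRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    # Return a summary so a scheduled task can log what changed on each run.
    New-Object PSObject -Property @{
        Group   = $group.Name
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Members = $desired.Count
    }
}

# Run periodically from a scheduled task (placeholder OU and group name). The group
# is then given Deny "Apply group policy" on the GPO's Delegation tab in GPMC.
Sync-ShadowGroup -OUPath 'OU=R&D,OU=Production,DC=contoso,DC=com' -GroupName 'R&D Shadow Group'
```

Because the script only runs on a schedule, the group lags behind OU moves until the next run, which is the limitation the text above describes.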
QUESTION 551
Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller.
The Active Directory site requires a local Global Catalog server to support a new application. You need to configure the domain controller as a Global Catalog
server.
Which tool should you use?
A. The Server Manager console
B. The Active Directory Sites and Services console
C. The Dcpromo.exe utility
D. The Computer Management console
E. The Active Directory Domains and Trusts console
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: The Active Directory Sites and Services console
http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspx Configure a domain controller as a global catalog server
To configure a domain controller as a global catalog server
1. Open Active Directory Sites and Services.
...
Further information:
http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
Note: A global catalog server can also store a full, writable replica of an application directory partition, but objects in application directory partitions are not replicated to the global catalog as partial, read-only directory partitions.
The global catalog is built and updated automatically by the AD DS replication system. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog. In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of all attributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the global catalog by replicating only the attributes that change. In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not store any partial replica. A global catalog server in a single-domain forest functions in the same manner as a non-global-catalog server except for the processing of forest-wide searches.
QUESTION 552
Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain
controller. Each office is configured as an Active Directory site.
All sites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latency between the domain controllers.
What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Decrease the replication interval for the DEFAULTIPSITELINK object.
Personal comment:
All sites are connected with the DEFAULTIPSITELINK object. <- this roughly translates into all sites are connected with the first domain controller in the forest. So the topology is star shaped.
Thus, decreasing the cost between the connection objects will offer no benefit. We know we have multiple sites linked and are using a DEFAULTIPSITELINK
object. Thus, the most plausible answer is to decrease the replication interval for DEFAULTIPSITELINK.
Explanation:
http://www.informit.com/articles/article.aspx?p=26866&seqNum=5 Understanding Active Directory, Part III
Replication
Active Directory replication between domain controllers is managed by the system administrator on a site-by-site basis. As domain controllers are added, a replication path must be established. This is done by the Knowledge Consistency Checker (KCC), coupled with Active Directory replication components. The KCC is a dynamic process that runs on all domain controllers to create and modify the replication topology. If a domain controller fails, the KCC automatically creates new paths to the remaining domain controllers. Manual intervention with the KCC will also force a new path.
The Active Directory replaces PDCs and BDCs with multimaster replication services. Each domain controller retains a copy of the entire directory for that particular domain. As changes are made in one domain controller, the originator communicates these changes to the peer domain controllers. The directory data itself is stored in the ntds.dit file. Active Directory replication uses the Remote Procedure Call (RPC) over IP to conduct replication within a site. Replication between sites can utilize either RPC or the Simple Mail Transfer Protocol (SMTP) for data transmission. The default intersite replication protocol is RPC.
Intersite and Intrasite Replication
There are distinct differences in internal and intersite domain controller replication. In theory, the network bandwidth within a site is sufficient to handle all network traffic associated with replication and other Active Directory activities. By the definition of a site, the network must be reliable and fast. A change notification process is initiated when modifications occur on a domain controller. The domain controller waits for a configurable period (by default, five minutes) before it forwards a message to its replication partners. During this interval, it continues to accept changes. Upon receiving a message, the partner domain controllers copy the modification from the original domain controller. In the event that no changes were noted during a configurable period (six hours, by default), a replication sequence ensures that all possible modifications are communicated. Replication within a site involves the transmission of uncompressed data.
NOTE
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
Replication between sites assumes that there are network-connectivity problems, including insufficient bandwidth, reliability, and increased cost. Therefore, the Active Directory permits the system to make decisions on the type, frequency, and timing of intersite replication. All replication objects transmitted between sites are compressed, which may reduce traffic by 10 to 25 percent, but because this is not sufficient to guarantee proper replication, the system administrator has the responsibility of scheduling intersite replication.
Replication Component Objects
Whereas the KCC represents the process elements associated with replication, the following comprise the Active Directory object components:
Connection object. Domain controllers become replication "partners" when linked by a connection object. This is represented by a one-way path between two domain controller server objects. Connection objects are created by the KCC by default. They can also be manually created by the system administrator.
NTDS settings object. The NTDS settings object is a container that is automatically created by the Active Directory. It contains all of the connection objects, and is a child of the server object.
Server object. The Active Directory represents every computer as a computer object. The domain controller is also represented by a computer object, plus a specially created server object. The server object's parent is the site object that defines its IP subnet. However, in the event that the domain controller server object was created prior to site creation, it will be necessary to manually define the IP subnet to properly assign the domain controller a site.
When it is necessary to link multiple sites, two additional objects are created to manage the replication topology.
Site link. The site link object specifies a series of values (cost, interval, and schedule) that define the connection between sites. The KCC uses these values to manage replication and to modify the replication path if it detects a more efficient one. The Active Directory DEFAULTIPSITELINK is used by default until the system administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary estimate of the actual cost of data transmission as defined bandwidth. The interval value sets the number of times replication will occur: 15 minutes to a maximum of once a week (or 10080 minutes) is the minimum; three hours is the default. The schedule interval establishes the time when replication should occur. Although replication can be at any time by default, the system administrator may want to schedule it only during off-peak network hours.
Site link bridges. The site link bridge object defines a set of links that communicate via the same protocol. By default, all site links use the same protocol, and are transitive. Moreover, they belong to a single site link bridge. No configuration is necessary to the site link bridge if the IP network is fully routed. Otherwise, manual configuration may be necessary.
Further information:
http://technet.microsoft.com/en-us/library/cc775549%28v=ws.10%29.aspx What Is Active Directory Replication Topology?
Replication of updates to Active Directory objects are transmitted between multiple domain controllers to keep replicas of directory partitions synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site.
Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions. Site objects can be configured to include a set of subnets that provide local area network (LAN) network speeds. As such, replication within sites generally occurs at high speeds between domain controllers that are on the same network segment. Similarly, site link objects can be configured to represent the wide area network (WAN) links that connect LANs. Replication between sites usually occurs over these WAN links, which might be costly in terms of bandwidth.
To accommodate the differences in distance and cost of replication within a site and replication between sites, the intrasite replication topology is created to optimize speed, and the intersite replication topology is created to minimize cost.
The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controller and is responsible for creating the connections between domain controllers that collectively form the replication topology. The KCC uses Active Directory data to determine where (from what source domain controller to what destination domain controller) to create these connections.
..
The following diagram shows the interaction of these technologies with the replication topology, which is indicated by the two-way connections between each set of domain controllers.
Replication Topology and Dependent Technologies
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx How Active Directory Replication Topology Works
..
Replication Topology Physical Structure
The Active Directory replication topology can use many different components. Some components are required and others are not required but are available for optimization. The following diagram illustrates most replication topology components and their place in a sample Active Directory multisite and multidomain forest. The depiction of the intersite topology that uses multiple bridgehead servers for each domain assumes that at least one domain controller in each site is running at least Windows Server 2003. All components of this diagram and their interactions are explained in detail later in this section.
Replication Topology Physical Structure
In the preceding diagram, all servers are domain controllers. They independently use global knowledge of configuration data to generate one-way, inbound connection objects. The KCCs in a site collectively create an intrasite topology for all domain controllers in the site. The ISTGs from all sites collectively create an intersite topology. Within sites, one-way arrows indicate the inbound connections by which each domain controller replicates changes from its partner in the ring. For intersite replication, one-way arrows represent inbound connections that are created by the ISTG of each site from bridgehead servers (BH) for the same domain (or from a global catalog server [GC] acting as a bridgehead if the domain is not present in the site) in other sites that share a site link. Domains are indicated as D1, D2, D3, and D4. Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a site object in Active Directory. Heavy solid lines between sites indicate WAN links over which two-way replication can occur, and each WAN link is represented in Active Directory as a site link object. Site link objects allow connections to be created between bridgehead servers in each site that is connected by the site link.
Not shown in the diagram is that where TCP/IP WAN links are available, replication between sites uses the RPC replication transport. RPC is always used within sites. The site link between Site A and Site D uses the SMTP protocol for the replication transport to replicate the configuration and schema directory partitions and global catalog partial, read-only directory partitions. Although the SMTP transport cannot be used to replicate writable domain directory partitions, this transport is required because a TCP/IP connection is not available between Site A and Site D. This configuration is acceptable for replication because Site D does not host domain controllers for any domains that must be replicated over the site link A-D. By default, site links A-B and A-C are transitive (bridged), which means that replication of domain D2 is possible between Site B and Site C, although no site link connects the two sites. The cost values on site links A-B and A-C are site link settings that determine the routing preference for replication, which is based on the aggregated cost of available site links. The cost of a direct connection between Site C and Site B is the sum of costs on site links A-B and A-C. For this reason, replication between Site B and Site C is automatically routed through Site A to avoid the more expensive, transitive route. Connections are created between Site B and Site C only if replication through Site A becomes impossible due to network or bridgehead server conditions.
...
Control Replication Latency and Cost
Replication latency is inherent in a multimaster directory service. A period of replication latency begins when a directory update occurs on an originating domain controller and ends when replication of the change is received on the last domain controller in the forest that requires the change. Generally, the latency that is inherent in a WAN link is relative to a combination of the speed of the connection and the available bandwidth.
Replication cost is an administrative value that can be used to indicate the latency that is associated with different replication routes between sites. A lower-cost route is preferred by the ISTG when generating the replication topology.
Site topology is the topology as represented by the physical network: the LANs and WANs that connect domain controllers in a forest. The replication topology is built to use the site topology. The site topology is represented in Active Directory by site objects and site link objects. These objects influence Active Directory replication to achieve the best balance between replication speed and the cost of bandwidth utilization by distinguishing between replication that occurs within a site and replication that must span sites. When the KCC creates replication connections between domain controllers to generate the replication topology, it creates more connections between domain controllers in the same site than between domain controllers in different sites. The results are lower replication latency within a site and less replication bandwidth utilization between sites.
Within sites, replication is optimized for speed as follows:
Connections between domain controllers in the same site are always arranged in a ring, with possible additional connections to reduce latency.
Replication within a site is triggered by a change notification mechanism when an update occurs, moderated by a short, configurable delay (because groups of updates frequently occur together).
Data is sent uncompressed, and thus without the processing overhead of data compression.
Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:
Replication data is compressed to minimize bandwidth consumption over WAN links.
Store-and-forward replication makes efficient use of WAN links -- each update crosses an expensive link only once.
Replication occurs at intervals that you can schedule so that use of expensive WAN links is managed.
The intersite topology is a layering of spanning trees (one intersite connection between any two sites for each directory partition) and generally does not contain redundant connections.
...
Topology-Related Objects in Active Directory
Active Directory stores replication topology information in the configuration directory partition. Several configuration objects define the components that are required by the KCC to establish and implement the replication topology:
..
Site Link Objects
For a connection object to be created on a destination domain controller in one site that specifies a source domain controller in another site, you must manually create a site link object (class siteLink) that connects the two sites. Site link objects identify the transport protocol and scheduling required to replicate between two or more sites. You can use Active Directory Sites and Services to create the site links. The KCC uses the information stored in the properties of these site links to create the intersite topology connections. A site link is associated with a network transport by creating the site link object in the appropriate transport container (either IP or SMTP). All intersite domain replication must use IP site links. The Simple Mail Transfer Protocol (SMTP) transport can be used for replication between sites that contain domain controllers that do not host any common domain directory partition replicas.
Site Link Properties
A site link specifies the following:
Two or more sites that are permitted to replicate with each other.
An administrator-defined cost value associated with that replication path. The cost value controls the route that replication takes, and thus the remote sites that are used as sources of replication information.
A schedule during which replication is permitted to occur.
An interval that determines how frequently replication occurs over this site link during the times when the schedule allows replication.
Default Site Link
When you install Active Directory on the first domain controller in the forest, an object named DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports container). This site link contains only one site, Default-First-Site-Name.
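The site link properties described above (member sites, cost, interval) and the siteLink object class from the earlier "Site link" paragraph can be set from a script. The following is an added example, not code from the page or from the TechNet articles it quotes: it creates an IP site link with New-ADObject, the cmdlet the Windows Server 2008 R2 Active Directory module offers for object classes that have no dedicated cmdlet. The site names London and Madrid, the cost of 200 and the 60-minute interval are assumed values; both site objects must already exist.

```powershell
# Added example: create an IP site link between two existing sites with New-ADObject.
# Site names, cost and interval are assumed values for illustration.
Import-Module ActiveDirectory

$configNC      = (Get-ADRootDSE).configurationNamingContext
$sitesDN       = "CN=Sites,$configNC"
$ipTransportDN = "CN=IP,CN=Inter-Site Transports,$sitesDN"

# Assumed site names; the site objects themselves are not created here.
$siteA = "CN=London,$sitesDN"
$siteB = "CN=Madrid,$sitesDN"

# cost: 1-32767, lower is preferred by the ISTG when routing replication.
# replInterval: minutes between replication cycles; 15 is the minimum, 180 the default.
New-ADObject -Name "London-Madrid" -Type siteLink -Path $ipTransportDN -OtherAttributes @{
    siteList     = @($siteA, $siteB)
    cost         = 200
    replInterval = 60
}

# Verify: list every IP site link with its member sites, cost and interval.
Get-ADObject -SearchBase $ipTransportDN -LDAPFilter "(objectClass=siteLink)" `
    -Properties siteList, cost, replInterval |
    Select-Object Name, cost, replInterval,
        @{ n = 'Sites'; e = { ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

The KCC on the Inter-Site Topology Generator of each site picks up the new object on its next run and creates the bridgehead connections; the verification query is the quickest way to confirm that the link landed in the IP container rather than the SMTP one, which would make it unusable for domain partition replication.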
QUESTION 553
Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008.
The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode.
You configure an external trust between contoso.com and fabrikam.com.
You need to enable the Kerberos AES encryption option.
What should you do?
A. Raise the forest functional level of fabrikam.com to Windows Server 2008.
B. Raise the domain functional level of fabrikam.com to Windows Server 2008.
C. Raise the forest functional level of contoso.com to Windows Server 2008.
D. Create a new forest trust and enable forest-wide authentication.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Raise the domain functional level of fabrikam.com to Windows Server 2008.
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx Understanding Active Directory Domain Services (AD DS) Functional Levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
..
Features that are available at domain functional levels
..
Windows Server 2008
All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
..
* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.
...
Further information:
http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx Kerberos Enhancements
..
Requirements
All Kerberos authentication requests involve three different parties: the client requesting a connection, the server that will provide the requested data, and the Kerberos KDC that provides the keys that are used to protect the various messages.
This discussion focuses on how AES can be used to protect these Kerberos authentication protocol messages and data structures that are exchanged among the three parties. Typically, when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the parties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.
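Whether AES tickets can actually be issued depends on the domain functional level quoted above and on the per-account msDS-SupportedEncryptionTypes attribute. The script below is an added example, not part of the page or of the TechNet articles: it reports the domain functional level and lists accounts whose explicitly set encryption types exclude AES. The bit values of msDS-SupportedEncryptionTypes (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256) are the documented ones; accounts with no value set use the KDC default and are not listed.

```powershell
# Added example: AES readiness check for Kerberos.
# Requires the Windows Server 2008 R2 Active Directory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dfl    = $domain.DomainMode.ToString()

# Windows2000Domain, Windows2003InterimDomain and Windows2003Domain cannot issue AES TGTs;
# every later level can.
if ($dfl -notmatch '^Windows200[03]') {
    "Domain functional level $dfl : AES 128/256 Kerberos tickets can be issued."
} else {
    "Domain functional level $dfl : raise it to Windows Server 2008 or higher before AES can be used."
}

# Accounts that explicitly list their supported encryption types but leave out both AES types.
$AES = 0x8 -bor 0x10   # AES128 | AES256
Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=computer))(msDS-SupportedEncryptionTypes=*))" `
    -Properties msDS-SupportedEncryptionTypes |
    Where-Object { ($_.'msDS-SupportedEncryptionTypes' -band $AES) -eq 0 } |
    Select-Object Name, ObjectClass,
        @{ n = 'EncTypes'; e = { '0x{0:X}' -f $_.'msDS-SupportedEncryptionTypes' } }
```

Accounts that show up in the list (typically service accounts created before the level was raised, or ones deliberately limited to RC4 for an old application) will keep negotiating RC4 even after the functional level is raised, so the list is the follow-up work item after the answer's step.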
QUESTION 554
All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file
servers contain confidential data located in shared folders.
You need to record any failed attempts made by the consultants to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the
TempWorkers global group.
B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use
Failure audit policy setting.
C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access
Failure audit policy setting.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Failed Full control setting in the Auditing
Entry dialog box.
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671
Auditing Resource Access
Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should
only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling Audit object access and step two is selecting the
objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows:
Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.
Audit object access success enables you to see usage patterns. This shows misuse of privilege. After object access auditing is enabled, you can easily monitor
access to resources such as folders, files, and printers.
Auditing Files and Folders
The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind
that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource
requirements.
Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:
1. In Windows Explorer, right-click the file or folder to audit and select Properties.
2. Select the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.
4. Click the Add button to display the Select User or Group window.
5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.
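The two steps from the cited book, enabling the object access failure policy and adding the group to the Auditing tab of each shared folder, can be scripted and the resulting events checked. This is an added example, not code from the page or from the book: the folder path, the TempWorkers group name and the CONTOSO domain are assumed. It must run elevated, because reading and writing a SACL requires the Manage auditing and security log privilege.

```powershell
# Added example: failure auditing of a confidential share for one group.
# Folder path and group name are assumed values.
$folder = 'D:\Shares\Confidential'
$group  = 'CONTOSO\TempWorkers'

# Step one: audit policy. "Audit object access" is enabled at subcategory level here;
# "File System" is the subcategory that covers folder and file access.
auditpol /set /subcategory:"File System" /failure:enable

# Step two: SACL on the folder. A Failed / Full control entry for the group makes any denied
# access attempt by its members generate an event; success is deliberately not audited to keep
# the Security log volume down, as the book's warning about load suggests.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Review: denied handle requests are logged as event 4656 with the Audit Failure keyword (0x10000000000000).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; Keywords = [long]0x10000000000000 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Because the SACL entry is inherited by files and subfolders (ContainerInherit, ObjectInherit), it only needs to be set on the share root; the same script run on each of the three file servers completes answer E.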
QUESTION 555
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Further information:
http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspx Online Responder Installation, Configuration, and Troubleshooting Guide
Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRLs) and certification authorities (CAs). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL) and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. The certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.
..
Although validating the revocation status of certificates can be performed in multiple ways, the common mechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP) responses.
...
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx Active Directory Certificate Services Step-by-Step Guide
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx Designing and Implementing a PKI: Part I Design and Planning
http://technet.microsoft.com/en-us/library/cc725937.aspx Set Up an Online Responder
http://technet.microsoft.com/en-us/library/cc731099.aspx Creating a Revocation Configuration
QUESTION 556
Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations:
London
Chicago
New York
Madrid
Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department.
The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection.
You need to install an application on all the computers in the sales department. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.
Link the GPO to each Sales organizational unit.
B. Disable the slow link detection setting in the Group Policy Object (GPO).
C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).
D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link the GPO to each Sales organizational unit.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx Specifying Group Policy for Slow Link Detection
Administrators can partially control which Group Policy extensions are processed over a slow link. By default, when processing over a slow link, not all components of Group Policy are processed.
Table 2.6 shows the default settings for processing Group Policy over slow links.
Administrators can use a Group Policy setting to define a slow link for the purposes of applying and updating Group Policy. The default value defines a rate slower than 500 Kbps as a slow link.
http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspx Assigning and Publishing Software
..
Assigning software to computers
After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on.
Further information:
http://technet.microsoft.com/en-us/library/cc978717.aspx
Group Policy slow link detection
QUESTION 557
Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you
install the application.
The registry modifications are in a file that has an .adm extension.
You need to prepare the target computers for the application.
What should you do?
A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers.
B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm Adding New Administrative Templates to a GPO
Adding .ADM files to the Administrative Templates in a GPO
In order to add additional .ADM files to the existing Administrative Templates section in a GPO, please follow the next steps:
1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.
2. Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.
QUESTION 558
Your network contains a server that runs Windows Server 2008 R2. You need to create a script to identify known configuration issues.
What should you include in the script?
A. the Get-BPAModel cmdlet
B. the Invoke-BPAModel cmdlet
C. the Mrinfo tool
D. the Systeminfo tool
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Invoke-BPAModel cmdlet allows you to start a Best Practices Analyzer (BPA) scan for a specific model that is installed on your computer.
Check the technet here:
http://technet.microsoft.com/en-us/library/ee617290.aspx
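A script built around Invoke-BPAModel usually runs every installed model rather than one, and keeps only the findings worth acting on. The block below is an added example, not code from the page or from the TechNet article: it uses the Get-BPAModel, Invoke-BPAModel and Get-BPAResult cmdlets of the Windows Server 2008 R2 BestPractices module; the output path is assumed.

```powershell
# Added example: run all installed Best Practices Analyzer models and collect the
# Error and Warning findings. Output path is an assumed value.
Import-Module BestPractices

$report = foreach ($model in Get-BPAModel) {
    # Invoke-BPAModel performs the scan; Get-BPAResult reads the stored result of the last scan.
    Invoke-BPAModel -BestPracticesModelId $model.Id | Out-Null
    Get-BPAResult -BestPracticesModelId $model.Id |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object @{ n = 'Model'; e = { $model.Id } }, Severity, Category, Title, Problem, Resolution
}

$report | Sort-Object Severity, Model | Export-Csv -Path 'C:\BPA\findings.csv' -NoTypeInformation

# One-line summary per severity for the scheduled-task log.
$report | Group-Object Severity | Select-Object Name, Count
```

Findings that are known and accepted can be suppressed with Set-BPAResult -Exclude $true so that the next run of the script only surfaces new issues.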
QUESTION 559
Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to identify which processes perform the most disk writes and disk
reads per second.
Which tool should you use?
A. Disk Management
B. Reliability Monitor
C. Resource Monitor
D. Storage Explorer
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 560
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You have a user named User1.
You need to ensure that User1 can schedule Data Collector Sets (DCSs) on Server1. The solution must minimize the number of rights assigned to User1.
What should you do?
A. Add User1 to the Performance Log Users group.
B. Add User1 to the Performance Monitor Users group.
C. Assign the Profile single process user right to User1.
D. Assign the Bypass traverse checking user right to User1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Both A and B are valid user groups, but:
Performance Log Users group: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer.
Performance Monitor Users group: Members of this group can access performance counter data locally and remotely.
Hence the answer is "A".
QUESTION 561
Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to ensure that an administrator is notified by e-mail if the Event
Viewer logs any error.
What should you do from the Event Viewer console?
A. Create a custom view, and then click the Filter Current Custom View action.
B. Create a custom view, and then click the Attach Task to This Custom View action.
C. From the System log, click the Filter Current Log action.
D. From the System log, select an Error event, and then click the Attach Task to This Event action.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 562
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. From
Server1, you create a collector-initiated subscription that uses Server2 as a source computer.
You verify the event subscription and discover the error message shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the subscription collection runs successfully.
What should you do?
A. On Server1, run winrm quickconfig.
B. On Server2, run winrm quickconfig.
C. From the properties of the subscription, modify the User Account options.
D. From the properties of the subscription, modify the Protocol and Port options.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 563
Your network contains a DNS server named DNS1 that runs Windows Server 2008 R2. You need to be notified by e-mail if the DNS service logs errors or warnings.
The solution must minimize the number of e-mail notifications you receive.
What should you do?
A. Create an alert in Performance Monitor.
B. Run the Configure a DNS Server Wizard.
C. Select the DNS Server log from Event Viewer and attach a task to the log.
D. Create a custom view from Event Viewer and attach a task to the custom view.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 564
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You have a user named User1.
You need to ensure that User1 can view the events in the Security event log. The solution must minimize the number of rights assigned to User1.
What should you do?
A. In Event Viewer, filter the Security log.
B. In Event Viewer, configure the properties of the Security log.
C. In the Local Security Policy console, modify the Security Options.
D. In the Registry Editor, add a Security Descriptor Definition Language (SDDL) value.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Security Descriptor for each log is specified by using Security Descriptor Definition Language (SDDL) syntax. For more information about SDDL syntax, see the
Platform SDK, or visit the Microsoft Web site mentioned in the "References" section of this article. To construct an SDDL string, note that there are three distinct
rights that pertain to event logs:
Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:
1 = Read
2 = Write
4 = Clear
Read more here:
http://support.microsoft.com/kb/323076
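The three rights above map directly to the access mask of an ACE in the log's security descriptor, so granting a user read-only access means appending an access-allowed ACE with mask 0x1 and nothing more. The script below is an added example, not code from the page or from KB 323076: instead of editing the CustomSD registry value by hand it reads and writes the same descriptor through wevtutil's channelAccess setting (wevtutil gl / wevtutil sl ... /ca:). The account name CONTOSO\User1 is assumed; run it elevated.

```powershell
# Added example: least-privilege read access to the Security log for one account.
# Account name is an assumed value. Event log rights in the ACE mask: 0x1 Read, 0x2 Write, 0x4 Clear.
$account = 'CONTOSO\User1'
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# wevtutil gl prints one "key: value" line per setting; the channelAccess line holds the SDDL.
$line    = wevtutil gl Security | Where-Object { $_ -like '*channelAccess:*' }
$current = ($line -split ':', 2)[1].Trim()

# Keep a copy of the original descriptor before changing anything.
$current | Set-Content -Path "$env:TEMP\Security-channelAccess.bak"

if ($current -notmatch [regex]::Escape($sid)) {
    # (A;;0x1;;;<SID>) = access allowed, Read only; no inheritance flags on a log object.
    $new = $current + "(A;;0x1;;;$sid)"
    wevtutil sl Security "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
} else {
    "$account ($sid) already appears in the Security log descriptor; nothing changed."
}

# Show the resulting descriptor for the change record.
wevtutil gl Security | Where-Object { $_ -like '*channelAccess:*' }
```

Granting only 0x1 is the point of the question's "minimize the number of rights" constraint: membership in Event Log Readers or the Log access policy would also work, but both give read access to every log on the machine, not just Security.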
QUESTION 565
Your network contains 200 servers that run Windows Server 2008 R2. You need to archive the Security log for each server on a daily basis.
Which tool should you use?
A. Netsh
B. Secedit
C. Wecutil
D. Wevtutil
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
wevtutil al <FileName.evtx> [/l:<LocaleString>]
http://technet.microsoft.com/en-us/library/cc749339.aspx
http://technet.microsoft.com/pt-br/library/cc732848(v=ws.10).aspx
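The wevtutil al form quoted above only makes an already exported file self-contained; the daily job also needs the export and some retention. The script below is an added example, not code from the page or the TechNet articles: it is meant to run on each server from a scheduled task (deployed, for instance, through Group Policy to all 200 servers). The archive folder and the 30-day retention are assumed values.

```powershell
# Added example: nightly archive of the local Security log with wevtutil.
# Archive folder and retention period are assumed values.
$archiveDir = 'D:\LogArchive'
$keepDays   = 30
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null

$file = Join-Path $archiveDir ("{0}-Security-{1}.evtx" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmm'))

# epl = export-log: copies the channel's events to an .evtx file without clearing the log.
wevtutil epl Security $file
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

# al = archive-log: stores the publishers' message strings next to the events so the file stays
# readable on a machine that does not have the same event providers installed.
wevtutil al $file /l:en-US
if ($LASTEXITCODE -ne 0) { throw "wevtutil al failed with exit code $LASTEXITCODE" }

# Sanity check: the export should be readable and non-empty.
$first = Get-WinEvent -Path $file -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $first) { Write-Warning "$file contains no readable events" }

# Retention: drop exports older than the retention window.
Get-ChildItem -Path $archiveDir -Filter '*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$keepDays) } |
    Remove-Item -Force
```

Exporting rather than clearing keeps the live log intact for Event Viewer and for subscriptions; if the log is configured to overwrite, the task interval just has to be shorter than the time it takes to wrap.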
QUESTION 566
Your company has four DNS servers that run Windows Server 2008 R2. Each server has a static IP address. You need to prevent DHCP from assigning the
addresses of the DNS servers to DHCP clients. What should you do?
A. Create a new scope for the DNS servers.
B. Create a reservation for the DHCP server.
C. Configure the 005 Name Servers scope option.
D. Configure an exclusion that contains the IP addresses of the four DNS servers.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 567
You have a DHCP server named Server1 and an application server named Server2. Both servers run Windows Server 2008 R2. The DHCP server contains one
scope.
You need to ensure that Server2 always receives the same IP address. Server2 must receive its DNS settings and its WINS settings from DHCP.
What should you do?
A. Create a multicast scope.
B. Assign a static IP address to Server2.
C. Create an exclusion range in the DHCP scope.
D. Create a DHCP reservation in the DHCP scope.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 568
Your network contains a file server that runs Windows Server 2008 R2.
You create a shared folder on the server.
You need to ensure that an administrator is notified whenever a user saves .exe files to the shared folder. What should you do?
A. Configure access-based enumeration (ABE).
B. Create a file screen.
C. Modify the NTFS permissions and the share permissions.
D. Create a soft quota.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc732349(WS.10).aspx
QUESTION 569
Your company is implementing Network Access Protection (NAP) with DHCP enforcement. You need to define which network resources non-compliant client
computers can access.
What should you configure?
A. remediation server groups
B. health policies
C. connection request policies
D. system health validators (SHVs)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating
their health state to comply with health requirements.
The type of remediation servers that are required depend on your health requirements and network access methods.
http://technet.microsoft.com/en-us/library/dd759158.aspx
QUESTION 570
You need to mount a VHD file that was created by using Windows Server Backup.
Which tool should you use?
A. Storage Explorer
B. Imagex
C. Disk Management
D. Mount
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Disk Management - How to Mount and Unmount VHD Images:
http://www.7tutorials.com/disk-management-how-mount-and-unmount-vhd-images
QUESTION 571
Your network contains a server named DC1 that has the DHCP Server server role installed.
Clients located on the same subnet as DC1 are assigned valid IP addresses from DC1. Clients located on a different subnet are not assigned IP addresses from
DC1. You verify that there is network connectivity between the two subnets.
You need to ensure that the clients on both of the subnets can receive IP addresses from DC1.
What should you do?
A. Authorize DC1 in Active Directory.
B. Increase the database cleanup interval.
C. Configure Routing Information Protocol version 2 (RIPv2) on the router.
D. Configure a DHCP Relay Agent.
E. Restore the database from a backup.
F. Configure name protection.
G. Reconcile the scope.
H. Configure DHCP link layer-based filtering.
I. Modify the start address.
J. Configure Open Shortest Path First (OSPF) on the router.
K. Compact the database.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
DHCP discovery relies on broadcasts, which routers do not forward. A DHCP Relay Agent on the remote subnet (the Routing and Remote Access role service, or an RFC 1542 compliant router with a helper address pointing at DC1) receives the clients' broadcasts and forwards them to DC1 as unicast, so one server can serve several subnets. Authorization is not the problem, because clients on DC1's own subnet already receive leases.
QUESTION 572
Your network contains a server named Server1 that runs Windows Server 2008 R2 Service Pack 1 (SP1).
You log on to Server1 by using an account named Admin1, and then you open Event Viewer as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can view all of the events in the Security log.
What should you do?
A. From the Local Group Policy Editor, set Retain old events to Enabled for the Security log.
B. From a command prompt, run net localgroup /add "Event Log Readers" Admin1.
C. From Event Viewer, right-click Security, and then click Refresh.
D. From the Local Group Policy Editor, set Log access to Enabled for the Security log.
E. From Event Viewer, right-click Security, and then click Clear Filter.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The answer assumes the exhibit shows the Security log with a filter applied, so events are hidden from the view rather than missing from the log; Clear Filter restores the full view. Event Log Readers membership and the Log access policy control who may read the log at all, and Retain old events controls retention; none of them changes what a filtered view displays.
QUESTION 573
Your network contains a server named Server1 that runs Windows Server 2008 R2 Service Pack 1 (SP1). Server1 has Microsoft SQL Server 2008 R2 and the File
Services server role installed.
Users report that access to Server1 during the morning is very slow. An administrator creates a Data Collector Set and provides the results shown in the exhibit.
(Click the Exhibit button.)
You need to log the CPU utilization of the processes running on Server1 if the CPU utilization exceeds 85 percent for more than one minute.
What should you do? (Each correct answer presents part of the solution. Choose two.)
A. Configure an action on the performance alert to run the systempropertiesperformance.exe command.
B. Configure a trigger on the performance alert to start the System Performance Data Collector Set.
C. Enable the SQMLogger event trace session.
D. Create a scheduled task that runs the Get-PSProvider cmdlet.
E. Create a Data Collector Set that has a performance alert for \Processor (_Total)\%Processor Time.
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A Data Collector Set containing a performance counter alert on \Processor(_Total)\% Processor Time with a threshold above 85 percent detects the condition; setting the alert's trigger to start the System Performance Data Collector Set captures per-process CPU utilization (and other system data) only while the condition holds. The alert fires when a sample exceeds the threshold, so the sample interval is the granularity at which the condition is checked; a one-minute interval is the closest the built-in alert comes to the one-minute requirement. Get-PSProvider and SystemPropertiesPerformance.exe are unrelated to performance logging.
QUESTION 574
Your network contains an Active Directory domain named contoso.com. The domain contains two Active
Directory sites named Site1 and Site2.
You have a domain-based Distributed File System (DFS) namespace named \\contoso.com\public that has a single namespace server located in Site1.
You install another namespace server in Site2.
You need to verify that the client computers in Site2 use the new namespace server.
You want to achieve this goal by using the minimum amount of administrative effort.
Which tool should you use?
A. Share and Storage Management
B. DfsrAdmin
C. Dfscmd
D. Dfsrdiag
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The answer key names Dfsrdiag, but Dfsrdiag is the diagnostic tool for DFS Replication (DFSR) and does not report namespace referrals. The reference below is the Dfsutil documentation: dfsutil /pktinfo, run on a Site2 client, displays the following client information currently in the Partition Knowledge Table (PKT), which is the quickest way to confirm that the client received a referral that lists the new Site2 server:
Parts of the DFS namespace cached by the client
Names of the servers participating in the DFS share
Clients' randomization order of the participating servers
Current "go to" server
Run dfsutil /pktflush first so the client discards referrals cached before the new namespace server existed.
http://technet.microsoft.com/en-us/library/cc736784(v=ws.10).aspx#BKMK_26
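The check described above, as an added example that is not part of the original question bank: run on a client computer in Site2, it flushes the cached referral, requests a new one and prints the PKT so you can see which namespace server the client is using. It assumes dfsutil.exe (DFS Management tools) is installed on the client; the namespace and site names are the ones in the question.

```powershell
# Added example, not from the original question bank: confirm from a Site2
# client that \\contoso.com\public now refers to the namespace server in Site2.
# Assumes dfsutil.exe (DFS Management tools) is installed on the client.

# Referral ordering is driven by the client's site, so confirm it is Site2.
nltest /dsgetsite

# Discard referrals cached before the new namespace server existed.
dfsutil /pktflush

# Touch the namespace root so the client asks a DC for a fresh referral.
Get-ChildItem '\\contoso.com\public' | Out-Null

# Show the Partition Knowledge Table. The entry for \contoso.com\public lists
# every namespace server; the Site2 server should appear first and be marked
# ACTIVE, which is the "go to" server described in the text above.
dfsutil /pktinfo
```

If the Site1 server is still listed first, check the client's site assignment (subnet to site mapping in Active Directory Sites and Services) before suspecting the namespace.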
QUESTION 575
Your network contains a server named DC1 that has the DHCP Server server role installed.
DC1 has a DHCP scope for the 10.10.10.0/24 network ID.
You discover the following warning message in the Event log on DC1: "Scope, Scope1, is 98 percent full with only two IP addresses remaining."
You need to ensure that DC1 has enough IP addresses to assign to clients. The solution must not cause any IP conflicts.
What should you do?
A. Configure Routing Information Protocol version 2 (RIPv2) on the router.
B. Authorize DC1 in Active Directory.
C. Configure Open Shortest Path First (OSPF) on the router.
D. Modify the start address.
E. Configure DHCP link layer-based filtering.
F. Configure name protection.
G. Restore the database from a backup.
H. Compact the database.
I. Increase the database cleanup interval.
J. Configure a DHCP Relay Agent.
K. Reconcile the scope.
Correct Answer: I
Section: (none)
Explanation
Explanation/Reference:
QUESTION 576
Your company has an Active Directory domain.
You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2.
You need to ensure that members of the Account Operators group are able to issue smartcard credentials.They should not be able to revoke certificates.
Which three actions should you perform? (Each correct answer presents part of the solution.
Choose three.)
A. Create an Enrollment Agent certificate.
B. Create a Smartcard logon certificate.
C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
D. Install the AD CS role and configure it as an Enterprise Root CA.
E. Install the AD CS role and configure it as a Standalone CA.
F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspx
AD CS: Restricted Enrollment Agent
The restricted enrollment agent is a new functionality in the Windows Server® 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users.
What does the restricted enrollment agent do?
Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations.
On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows
http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx
Enterprise certification authorities
The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA).
Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.
An enterprise CA has the following features:
An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA.
Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards.
The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.
An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates:
Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.
The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor.
The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.
http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx
Stand-alone certification authorities
You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
A stand-alone CA has the following characteristics:
Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.
When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template.) The authentication information for requests is obtained from the local computer's Security Accounts Manager database.
By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA.
Certificate templates are not used.
No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card.
The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves.
When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group or an administrator with write access to Active Directory installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.
QUESTION 577
You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log
on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password
information supplied are correct.
You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Repadmin allows us to check the replication status and also allows us to force a replication between domain controllers.
Reference:
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /showrepl
Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
Repadmin /syncall
Synchronizes a specified domain controller with all replication partners.
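The three repadmin operations above, combined into the triage an administrator would actually run when new accounts fail to log on at remote sites; this is an added example, not part of the original question bank. It assumes repadmin.exe (AD DS tools) is installed, the account has replication rights, and that the accounts were created on a domain controller named DC1, which is an assumption for illustration.

```powershell
# Added example, not from the original question bank: find replication failures
# forest-wide, then push the new accounts out from the DC they were created on.
# Assumes repadmin.exe is installed; DC1 is an assumed name.

# 1. Forest-wide summary of DCs failing inbound or outbound replication.
repadmin /replsummary

# 2. Per-link status in CSV form so it can be filtered; keep only failing links.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$failed |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize

# 3. If nothing is broken, do not wait for the inter-site schedule: push from DC1.
#    /A all naming contexts, /e cross-site (enterprise), /P push, /d show DNs.
if ($failed.Count -eq 0) {
    repadmin /syncall DC1 /AePd
} else {
    Write-Warning "$($failed.Count) failing replication link(s); fix those before forcing a sync."
}
```

If the failing links are all inbound to the DCs at the six sites, the accounts exist only on DC1 and the users' logon attempts are being answered by DCs that have never heard of them, which is exactly the "username or password is incorrect" symptom in the question.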
QUESTION 578
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You have an Active Directory-integrated zone for contoso.com.
You have a Unix-based DNS server.
You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS server.
What should you do in the DNS Manager console?
A. Enable BIND secondaries
B. Create a stub zone
C. Disable recursion
D. Create a secondary zone
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dns-serverbind-secondaries/
Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BIND Secondaries)
BIND secondaries, on the Advanced tab of the DNS server properties, controls the zone transfer format the Windows DNS server uses when it sends a zone to a secondary server. BIND (Berkeley Internet Name Domain) is the DNS server most commonly run on Unix systems. By default the Windows DNS server uses a fast transfer format that compresses the data and packs several resource records into each message; Windows DNS servers and BIND 4.9.4 and later understand it. Enabling BIND secondaries makes the server fall back to the slow, uncompressed format with one record per message, which is all that BIND versions earlier than 4.9.4 can accept. The option is a per-server setting: it has no effect on transfers between two Windows DNS servers, a current BIND secondary does not need it, and the slow format makes every transfer take longer, so leave it disabled unless the secondary really is an old BIND release.
Enabling the option is not sufficient on its own: the zone must also permit the transfer. On the Zone Transfers tab of the contoso.com zone, allow transfers to the Unix server (either to the name servers listed in the zone or to its explicit IP address) and, if changes should be pushed promptly, add it to the Notify list. An Active Directory-integrated zone is a primary from the Unix server's point of view, so that server is configured as a secondary for contoso.com with one of the domain controllers as its master.
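Both steps from the explanation above, configured with dnscmd instead of the DNS Manager console; this is an added example and not part of the original question bank. The server name DC1 and the Unix secondary's address 192.0.2.53 are assumptions for illustration.

```powershell
# Added example, not from the original question bank: let a Unix (BIND)
# secondary pull contoso.com from a Windows DNS server. DC1 and 192.0.2.53 are
# assumed values.
$server = 'DC1'
$zone   = 'contoso.com'
$unixNs = '192.0.2.53'

# The setting the question tests. 1 = use the slow, uncompressed transfer
# format that BIND releases before 4.9.4 require; with BIND 4.9.4 or later
# it can stay at 0.
dnscmd $server /Config /BindSecondaries 1

# The part the question leaves implicit: permit the transfer. /SecureList
# limits AXFR/IXFR to the listed addresses; /NotifyList sends NOTIFY to them
# after a change so the secondary refreshes without waiting for its timer.
dnscmd $server /ZoneResetSecondaries $zone /SecureList $unixNs /NotifyList $unixNs

# Verify the server setting and the zone's transfer policy.
dnscmd $server /Info BindSecondaries
dnscmd $server /ZoneInfo $zone
```

On the Unix side, a zone transfer request such as dig @DC1 contoso.com AXFR (assuming the dig utility is available there) shows whether the transfer is now permitted; a REFUSED answer means the address is not in the secure list.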
QUESTION 579
Your company has an Active Directory domain.
You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing.
D. Register Schmmgmt.dll.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc732110.aspx
Install the Active Directory Schema Snap-In
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).
To install the Active Directory Schema snap-in
1. To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK. To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right-click cmd and then click Run as administrator.
2. Type the following command, and then press ENTER:
regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK.
6. To save this console, on the File menu, click Save.
7. In the Save As dialog box, do one of the following:
* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
* To save the snap-in to a location other than the Administrative Tools folder, in Save in navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.
QUESTION 580
Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority
(CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc772451.aspx
Configure CA Event Auditing
You can audit a variety of events relating to the management and activities of a certification authority (CA):
Back up and restore the CA database.
Change the CA configuration.
Change CA security settings.
Issue and manage certificate requests.
Revoke certificates and publish certificate revocation lists (CRLs).
Store and retrieve archived keys.
Start and stop Active Directory Certificate Services (AD CS).
To configure CA event auditing
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Auditing tab, click the events that you want to audit, and then click OK.
5. On the Action menu, point to All Tasks, and then click Stop Service.
6. On the Action menu, point to All Tasks, and then click Start Service.
Additional considerations
To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
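The same two tasks done from the command line, as an added example that is not part of the original question bank. The bit values are the ones the Certification Authority snap-in's Auditing tab writes to the CA's AuditFilter registry value; the example enables only the two categories the question asks for and uses the per-subcategory audit policy rather than the whole Audit object access category. Run it elevated on the CA.

```powershell
# Added example, not from the original question bank: enable auditing of CA
# configuration and CA security changes without the GUI. Run elevated on the CA.

# AuditFilter bits as written by the Auditing tab of the CA snap-in.
$bits = @{
    StartStop        = 1
    BackupRestore    = 2
    IssueManage      = 4
    RevokePublishCRL = 8
    SecuritySettings = 16
    ArchivedKeys     = 32
    Configuration    = 64
}
$filter = $bits.SecuritySettings + $bits.Configuration   # 80; 127 would audit everything

# Task A of the answer: what the Auditing tab stores.
certutil -setreg CA\AuditFilter $filter

# Task D of the answer: object access auditing must be on or the CA has nowhere
# to write. The subcategory form below is narrower than enabling all of
# "Audit object access" in Local Security Policy, which is what the question offers.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# The filter is read when the service starts.
Restart-Service certsvc

# Verify: AuditFilter should be 80 (0x50) and the subcategory Success and Failure.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"
```

After this, changes to CA permissions appear in the Security log as event 4882 and changes to the audit filter itself as event 4885, so tampering with the auditing configuration is itself recorded.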
QUESTION 581
Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder. You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://kb.iu.edu/data/ajlt.html
In Microsoft Active Directory, what are security and distribution groups?
In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below:
Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.
http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx
Group types
QUESTION 582
Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is
Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office.
You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep/rodcprep command.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy a read-only domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher.
Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. There are different versions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2.
1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:
* Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema.
* Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role.
* If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep.
2. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file.
Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
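A readiness check for the prerequisites listed above, as an added example that is not part of the original question bank. Each adprep command leaves a marker object in the directory whose revision attribute records which version ran, so the check reads those objects instead of guessing. It assumes the Active Directory PowerShell module (RSAT) on a domain-joined Windows Server 2008 R2 or Windows 7 machine; the expected revision numbers are the values written by Adprep from the Windows Server 2008 R2 media and are stated here as an assumption to verify against the adprep documentation for the media you use.

```powershell
# Added example, not from the original question bank: verify the RODC
# prerequisites before running the AD DS installation wizard.
# Assumes the ActiveDirectory module; expected revisions are those written by
# Windows Server 2008 R2 adprep (assumption, see the lead-in).
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$cfgNC   = $rootDse.configurationNamingContext
$domNC   = $rootDse.defaultNamingContext

# Revision attribute of an adprep marker object; 0 when the object does not exist.
function Get-PrepRevision([string]$dn) {
    try   { [int](Get-ADObject -Identity $dn -Properties revision).revision }
    catch { 0 }
}

$forest = Get-ADForest
# ADForestMode: Windows2003Forest = 2, Windows2008Forest = 3, Windows2008R2Forest = 4
$forestLevelOk = [int]$forest.ForestMode -ge 2

$schemaVer  = [int](Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
$forestPrep = Get-PrepRevision "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfgNC"
$domainPrep = Get-PrepRevision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domNC"
$rodcPrep   = Get-PrepRevision "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfgNC"

# At least one writable Windows Server 2008 (R2) DC in the RODC's domain.
$writable2008 = @(Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -like 'Windows Server 2008*' })

$checks = @(
    @{ Check = 'Forest functional level >= Windows Server 2003'; Ok = $forestLevelOk;               Value = [string]$forest.ForestMode }
    @{ Check = 'Schema objectVersion 47 (adprep /forestprep)';   Ok = $schemaVer -ge 47;             Value = $schemaVer }
    @{ Check = 'ForestUpdates revision 5 (2008 R2 forestprep)';  Ok = $forestPrep -ge 5;             Value = $forestPrep }
    @{ Check = 'DomainUpdates revision 5 (adprep /domainprep)';  Ok = $domainPrep -ge 5;             Value = $domainPrep }
    @{ Check = 'RodcUpdate revision 2 (adprep /rodcprep)';       Ok = $rodcPrep -ge 2;               Value = $rodcPrep }
    @{ Check = 'Writable Windows Server 2008+ DC present';       Ok = $writable2008.Count -gt 0;     Value = ($writable2008 | ForEach-Object { $_.HostName }) -join ',' }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } |
    Format-Table Check, Ok, Value -AutoSize
```

In the question's forest (four Windows Server 2003 DCs, Windows Server 2003 forest level) the first check passes and the remaining five fail; running adprep /forestprep, /domainprep /gpprep and /rodcprep and promoting one Windows Server 2008 DC in the main office turns them green, which is why answers B and D are the required pair.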
QUESTION 583
Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP
SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.
What should you do?
A. Add your account to the Domain Admins group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx
Managing Group Policy ADMX Files Step-by-Step Guide
Microsoft Windows Vista® and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools -- Group Policy Object Editor and Group Policy Management Console -- remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003environments.aspx
Questions on ADMX in Windows XP and Windows 2003 environments
We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was:
...What's the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I've done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?...
The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that's created. It's just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat. In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn't copy itself into every policy object but relies on a central or local store of these templates (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc). In the question above, the person wanted to know if copying the local store, located under c:/windows/policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and referenced by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can.
Here's the confusion-reducing scoop: Group Policy as a platform only relies on two main factors. Active Directory to store metadata about the policy objects and to allow client discoverability for the location of the policy files. The other is the SYSVOL to store the policy files. So at its core that's LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that's very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates not GP itself. So if you don't currently use them then you don't have to update schema.
So provided you're using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy Preferences. Honestly it amazes us the amount of IT Pros that still haven't discovered GPP...especially with the power it has to practically eliminate logon scripts!
As a last point IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start!
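Creating the central store the question refers to, as an added example that is not part of the original question bank. It is run from a Windows 7 or Windows Server 2008 R2 management machine whose local PolicyDefinitions folder holds the ADMX and ADML files the domain should use; the domain name contoso.com is taken from the question. Option D describes roughly this step, and it is still not enough on its own: the Windows XP Group Policy tools only read ADM files, so the client must be upgraded for the central store to matter.

```powershell
# Added example, not from the original question bank: build the ADMX central
# store in SYSVOL from a Windows 7 / Server 2008 R2 management machine.
$domain = 'contoso.com'
$src    = "$env:SystemRoot\PolicyDefinitions"

# GPMC reads the central store from SYSVOL (replicated to every DC), under
# Policies\PolicyDefinitions, next to the individual GPO folders.
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}
# Copy the .admx files and each language subfolder (en-US etc.) with its .adml files.
Copy-Item -Path "$src\*" -Destination $store -Recurse -Force

# Verify the copy is complete; a mismatch means GPMC will show gaps.
$local   = (Get-ChildItem $src   -Filter *.admx).Count
$central = (Get-ChildItem $store -Filter *.admx).Count
"ADMX files: local=$local central=$central"
```

Once the folder exists, the Administrative Templates node in GPMC reports that policy definitions were retrieved from the central store, and the per-GPO ADM copies described in the blog text above are no longer needed.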
QUESTION 584
Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup features installed.
You need to perform a non-authoritative restore of the domain controller by using an existing backup file.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critical volume
B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critical volume
C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volume
D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Almost identical to B42
http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx
Performing Nonauthoritative Restore of Active Directory Domain Services
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller. You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
Nonauthoritative Restore Requirements
You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system. To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.
QUESTION 585
Your company has an Active Directory domain. All servers run Windows Server.
You deploy a Certification Authority (CA) server.
You create a new global security group named CertIssuers.
You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates.
What should you do?
A. Assign the Certificate Manager role to the CertIssuers group
B. Place CertIssuers group in the Certificate Publisher group
C. Run the certsrv -add CertIssuers command at the command prompt of the certificate server
D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows PowerShell
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx Role-based administration
Role explanation
Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.
Certificate Manager:
Delete multiple rows in database (bulk deletion)
Issue and approve certificates
Deny certificates
Revoke certificates
Reactivate certificates placed on hold
Renew certificates
Recover archived key
Read CA database
Read CA configuration information
QUESTION 586
Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain.
You need to create the computer accounts in an OU.
What should you do?
A. Run the csvde -f computers.csv command
B. Run the ldifde -f computers.ldf command
C. Run the dsadd computer <computerdn> command
D. Run the dsmod computer <computerdn> command
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc754539%28v=ws.10%29.aspx Dsadd computer
Syntax: dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <GroupDN ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Personal comment: you use ldifde and csvde to import and export directory objects to Active Directory
http://support.microsoft.com/kb/237677
http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx
QUESTION 587
Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are
configured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7.
You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone.
You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.
What should you do first?
A. On the member server, add a conditional forwarder.
B. On the member server, install Active Directory Domain Services.
C. Add all computer accounts to the DNS UpdateProxy group.
D. Convert the standard primary zone to an Active Directory-integrated zone.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
QUESTION 588
Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2.
You need to restore the Default Domain Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings.
What should you do?
A. Run dcgpofix.exe /target:dc.
B. Run dcgpofix.exe /target:domain.
C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.
D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 589
Domains provide which of the following functions?
A. Creating logical boundaries
B. Easing the administration of users, groups, computers, and other objects
C. Providing a central database of network objects
D. All of the above
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc756901%28v=ws.10%29.aspx Active Directory Logical Structure Background Information
Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model. Active Directory is a distributed database that stores and manages information about network resources, as well as application-specific data from directory enabled applications. Active Directory allows administrators to organize elements of a network (such as users, computers, devices, and so on) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units. This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and network topology.
Figure 2.2 Relationship Between Active Directory Forests, Domains, and OUs.
QUESTION 590
You are the administrator for a large organization with multiple remote sites.
Your supervisor would like to have remote users log in locally to their own site, but he is nervous about security.
What type of server can you implement to ease their concerns?
A. Domain controller
B. Global Catalog
C. Read-only domain controller
D. Universal Group Membership Caching Server
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc772234%28v=ws.10%29.aspx Read-Only Domain Controllers Step-by-Step Guide
An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
QUESTION 591
You are the network administrator for the ABC Company.
Your network consists of two DNS servers named DNS1 and DNS2.
The users who are configured to use DNS2 complain because they are unable to connect to Internet websites.
The following table shows the configuration of both servers:
The users connected to DNS2 need to be able to access the Internet.
What needs to be done?
A. Build a new Active Directory Integrated zone on DNS2.
B. Delete the .(root) zone from DNS2 and configure Conditional forwarding on DNS2.
C. Delete the current cache.dns file.
D. Update your cache.dns file and root hints.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.
QUESTION 592
You are the network administrator for a large company that has one main site and one branch office.
Your company has a single Active Directory forest, ABC.com.
You have a single domain controller named ServerA in the main site that has the DNS role installed.
ServerA is configured as a primary DNS zone.
You have decided to place a domain controller named ServerB in the remote site and implement the DNS role on that server.
You want to configure DNS so that if the WAN link fails, users in both sites can still update records and resolve any DNS queries.
How should you configure the DNS servers?
A. Configure Server B as a secondary DNS server. Set replication to occur every 5 minutes.
B. Configure Server B as a stub zone.
C. Configure Server B as an Active Directory Integrated zone and convert Server A to an Active Directory Integrated zone.
D. Configure Server A as an Active Directory Integrated zone and configure Server B as a secondary zone.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
QUESTION 593
You are the network administrator for an organization that has two locations, New York and London.
Each location has multiple domains but all domains fall under the same tree, Stellacon.com. Users in the NY.us.stellacon.com domain need to access resources in the London.uk.stellacon.com domain.
You need to reduce the amount of time it takes for authentication when users from NY.us.stellacon.com access resources in London.uk.stellacon.com.
What can you do?
A. Set up a one-way shortcut trust from London.uk.stellacon.com to NY.us.stellacon.com.
B. Set up a one-way shortcut trust from NY.us.stellacon.com to London.uk.stellacon.com.
C. Enable Universal Group Membership Caching in NY.us.stellacon.com.
D. Enable Universal Group Membership Caching in London.uk.stellacon.com.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Basically the same as B/Q7.
http://technet.microsoft.com/en-us/library/cc754538.aspx
Understanding When to Create a Shortcut Trust
When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.
Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.
Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.
Using one-way trusts
A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests, but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path.
QUESTION 594
You are hired as a consultant by ABC Corporation to implement a Windows Server 2008 R2 computer onto their Windows Server 2003 domain.
All of the client machines are Windows 7.
You install Windows Server 2008 R2 onto a new computer and join that computer to the Windows 2003 domain.
You want to upgrade the Windows Server 2008 R2 to a domain controller.
What should you do first?
A. On the new server, run adprep /domainprep.
B. On the new server, run adprep /forestprep.
C. On a Windows Server 2003 domain controller, run adprep /domainprep.
D. On a Windows Server 2003 domain controller, run adprep /forestprep.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0- a7a1-2598a96cd0c1/
DC promotion and adprep/forestprep
Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder")
A1:
You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder and run Adprep from there.
A2:
To introduce the first W2K8 DC within an AD forest....
(1) no AD forest exists yet:
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
(2) a W2K or W2K3 AD forest already exists:
--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
QUESTION 595
You need to deactivate the UGMC option on some of your domain controllers.
At which level in Active Directory would you deactivate UGMC?
A. Server
B. Site
C. Domain
D. Forest
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.ntweekly.com/?p=788
Question: How To Enable Or Disable Universal Group Membership Caching Windows Server 2008
Answer: Universal Group Membership Caching enables us to allow users to log on to the network without contacting a Global Catalog server; this is recommended to use in remote sites without a global catalog server.
To enable or disable Universal Group Membership Caching follow the steps below:
Open Active Directory Sites and Services -> Go to the site you need to enable or disable the feature -> Right click on the NTDS Site Settings and Click on Properties
Tick the Box next to Enable Universal Group Membership Caching to Enable or Disable.
http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91
Script to Disable Universal Group Membership Caching in all Sites
How to Disable Universal Group Membership Caching in all Sites using a Script
Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user's membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of Universal Groups a user is member of rather than contacting a Global Catalog.
Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user's account at the time the user logs on to the domain to the authenticating domain controller.
UGMC is generally a good idea for multiple domain forests when:
1. Universal Group membership does not change frequently.
2. Low WAN bandwidth between Domain Controllers in different sites.
It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.
QUESTION 596
You are the network administrator for the ABC Company.
The ABC Company has all Windows Server 2008 R2 Active Directory domains and uses an Enterprise Root certificate server.
You need to verify that revoked certificate data is highly available.
What should you do?
A. Implement a Group Policy Object (GPO) that has the Certificate Verification Enabled option.
B. Using Network Load Balancing, implement an Online Certificate Status Protocol (OCSP) responder.
C. Implement a Group Policy object (GPO) that enables the Online Certificate Status Protocol (OCSP) responder.
D. Using Network Load Balancing, implement the Certificate Verification Enabled option.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
Explanation:
http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx
AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server® 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
..
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI.
..
Further information:
http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v- highavailability.aspx
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array.
The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance.
QUESTION 597
Your network contains one Active Directory domain. You have a member server that runs Windows Server 2008 R2.
You need to immediately disable all incoming connections to the server.
What should you do?
A. From the Services snap-in, disable the IP Helper.
B. From the Services snap-in, disable the Netlogon service.
C. From Windows Firewall, enable the Block all connections option on the Public Profile.
D. From Windows Firewall, enable the Block all connections option on the Domain Profile.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 598
Your network consists of a single Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2. All client computers
run Windows 7. All computers are members of the Active Directory domain.
You assign the Secure Server (Require Security) IPsec policy to Server1 by using a Group Policy object (GPO). Users report that they fail to connect to Server1.
You need to ensure that users can connect to Server1. All connections to Server1 must be encrypted.
What should you do?
A. Restart the IPsec Policy Agent service on Server1.
B. Assign the Client (Respond Only) IPsec policy to Server1.
C. Assign the Server (Request Security) IPsec policy to Server1.
D. Assign the Client (Respond Only) IPsec policy to all client computers.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Client (Respond Only) - This default policy contains one rule, the default response rule. The default response rule secures communication only upon request by
another computer. This policy does not attempt to negotiate security for any other traffic. http://technet.microsoft.com/en-us/library/cc786870(v=ws.10).aspx
QUESTION 599
Your company has two servers that run Windows Server 2008 R2 named Server2 and Server3. Both servers have the DNS Server server role installed. Server3 is
configured to forward all DNS requests to Server2.
You update a DNS record on Server2.
You need to ensure that Server3 is able to immediately resolve the updated DNS record.
What should you do?
A. Run the dnscmd . /clearcache command on Server3.
B. Run the ipconfig /flushdns command on Server3.
C. Decrease the Time-to-Live (TTL) on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.
D. Increase the Retry Interval value on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
dnscmd /clearcache - Clears the DNS server cache.
http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx
QUESTION 600
Your company has a single domain named contoso.com. The contoso.com DNS zone is Active Directory-integrated.
Your partner company has a single domain named partner.com. The partner.com DNS zone is Active Directory-integrated.
The IP addresses of the DNS servers in the partner domain will change. You need to ensure name resolution for users in contoso.com to resources in partner.com.
What should you do?
A. Create a stub zone for partner.com on each DNS server in contoso.com.
B. Configure the Zone Replication Scope for partner.com to replicate to all DNS servers in the forest.
C. Configure an application directory partition in the contoso.com forest. Enlist all DNS servers in the contoso.com forest in the partition.
D. Configure an application directory partition in the partner forest. Enlist all DNS servers in the partner forest in the partition.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 601
Your network contains a server that runs a Server Core installation of Windows Server 2008 R2.
You need to configure outbound firewall rules on the server.
Which tool should you use?
A. ocsetup
B. servermanagercmd
C. netcfg
D. netsh
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 602
Your company has multiple DNS servers in the main office.
You plan to install DNS on a member server in a branch office. You need to ensure that the DNS server in the branch office is able to query any DNS server in the
main office, and you need to limit the number of DNS records that are transferred to the DNS server in the branch office.
What should you do?
A. Configure a secondary zone on the DNS server in the branch office.
B. Configure a stub zone on the DNS server in the branch office.
C. Configure a stub zone on the DNS server in the main office.
D. Configure a primary zone on the DNS server in the branch office.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone.
A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the
DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone. http://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspx
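An added example, not part of the original exam material, showing the stub zones from Questions 600 and 602 created with dnscmd instead of the DNS Manager wizard. The addresses (main-office DNS servers 10.0.0.10 and 10.0.0.11, partner.com master 172.16.0.5) are assumptions.

```powershell
# Added example, not from the original page. Assumed addresses: main-office DNS
# servers 10.0.0.10 / 10.0.0.11, partner.com master server 172.16.0.5.

# --- Question 602: branch member server, file-backed stub zone ---
# The stub holds only SOA, NS and glue A records, so the WAN carries a handful
# of records instead of a zone transfer, while the branch server still learns
# exactly which main-office servers are authoritative and queries them directly.
dnscmd /ZoneAdd contoso.com /Stub 10.0.0.10 10.0.0.11

# --- Question 600: AD-integrated stub on the DCs, replicated forest-wide ---
# /DsStub stores it in AD DS; /DP /forest puts it in ForestDnsZones, so every
# DNS server in the contoso.com forest receives it with no per-server work.
# When partner.com's authoritative servers move, the refreshed NS/glue records
# follow automatically; only the master list given here stays static.
dnscmd /ZoneAdd partner.com /DsStub 172.16.0.5 /DP /forest

# Verify: zone type Stub, master list and last refresh; the record set should
# be SOA, NS and glue A only. '@' is quoted so PowerShell passes it through.
dnscmd /ZoneInfo contoso.com
dnscmd /EnumRecords contoso.com '@'
# Force a refresh from the masters instead of waiting for the SOA timer.
dnscmd /ZoneRefresh contoso.com
```

For a security review note that the stub trusts whatever the listed masters answer and refreshes over plain, unsigned DNS: keep the master list to addresses you control or have agreed with the partner, and do not point a stub at a server across an untrusted path without IPsec or DNSSEC.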
QUESTION 603
Your company has a main office and two branch offices. Domain controllers in the main office host an Active Directory-integrated zone.
The DNS servers in the branch offices host a secondary zone for the domain and use the main office DNS servers as the DNS Master servers for the zone.
Each branch office has an application server.
Users access the application server by using its fully qualified domain name.
You need to ensure that users in the branch offices can access their local application server even if the WAN links are down for three days.
What should you do?
A. Increase the Expires After setting to 4 days on the Start of Authority (SOA) record for the zone.
B. Increase the Refresh Interval setting to 4 days on the Start of Authority (SOA) record for the zone.
C. Configure the Zone Aging / Scavenging Properties dialog box to enable Scavenge stale resource records, and set the Refresh setting to 4 days.
D. Configure the Zone Aging / Scavenging Properties dialog box to enable Scavenge stale resource records, and set the No-refresh interval setting to 4 days.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A secondary zone keeps answering only while its copy is within the SOA Expires After interval (default 1 day). Once that interval passes without a successful refresh from the master, the branch server expires the zone and stops answering for it, so the local application server's name no longer resolves. Raising Expires After to 4 days keeps the branch copy valid through a 3-day WAN outage. The Refresh Interval (B) only sets how often the secondary polls the master and does nothing to keep an unreachable zone alive. Aging and scavenging (C, D) remove stale dynamically registered records from a primary or AD-integrated zone and have nothing to do with secondary zone expiry.
QUESTION 604
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 and Server2 are configured as DNS servers.
On Server1, you create a primary DNS zone named contoso.com.
You configure Server2 to host a secondary copy of contoso.com. On Server2, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the contoso.com zone is available on Server2.
What should you do?
A. From Server2, modify the root hints.
B. From Server1, modify the zone transfer settings of the primary zone.
C. From Server1, add Server2 as a name server for the zone.
D. From Server2, modify the zone transfer settings of the secondary zone.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
On Windows Server 2008 R2 a new primary zone permits zone transfers only to the servers listed on the zone's Name Servers tab, which are the zone's NS records. Server2 is not on that list yet, so its AXFR/IXFR requests are refused and the secondary copy never loads. Adding Server2 as a name server on Server1 (C) authorises the transfer and also puts Server2 on the NOTIFY list. Root hints (A) and the secondary's own settings (D) do not change what the primary is willing to send. Opening the primary's transfer settings (B) would also work but is broader than needed: allowing transfers to any server publishes the whole zone to anyone who asks.
QUESTION 605
Your network contains a domain-based Distributed File System (DFS) namespace named \\contoso.com\dfs. \\contoso.com\\dfs is configured to use Windows 2000
Server mode.
The domain contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 is configured as a namespace server for \\contoso.com
\dfs.
You need to migrate \\contoso.com\dfs to Windows Server 2008 mode. You install the Distributed File System role service on Server2.
What should you do next?
A. Configure Server2 as a namespace server for \\contoso.com\dfs.
B. At the command prompt, run dfsutil root export \\contoso.com\dfs c:\dfs.xml.
C. At the command prompt, run dfsutil root adddom \\contoso.com\dfs v2.
D. Create a new shared folder named DFS on Server2.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
At a command prompt
Dfsutil root export \\domain\namespace c:\filename.xml
http://technet.microsoft.com/en-us/library/cc753875.aspx
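An added example, not part of the original exam material, of the whole migration that Question 605 asks the first step of, following the TechNet procedure linked above. The namespace \\contoso.com\dfs, the namespace server Server1 and the export path C:\dfs.xml are assumptions; the argument order of the import step is as given in that procedure and should be confirmed with `dfsutil root import /?` on your build.

```powershell
# Added example, not from the original page. Assumed: namespace
# \\contoso.com\dfs, namespace servers Server1 and Server2 (both 2008 R2),
# export file C:\dfs.xml. Windows Server 2008 mode also requires the domain
# to be at the Windows Server 2008 functional level.

# 1. Export the namespace definition: folders, targets, referral settings.
dfsutil root export \\contoso.com\dfs C:\dfs.xml
# Record the namespace servers (\\server\share) from DFS Management before
# deleting; the export does not bring them back for you.

# 2. Delete the Windows 2000 Server mode namespace. Clients lose the path
#    until step 4 completes, so do this in a maintenance window.
dfsutil root remove \\contoso.com\dfs

# 3. Recreate it with the same name in Windows Server 2008 mode ('v2'), which
#    is what access-based enumeration and >5,000 folders require. Note that
#    adddom takes \\server\share (the root target), not \\domain\namespace;
#    that is why option C in the question is a distractor.
dfsutil root adddom \\Server1\dfs v2

# 4. Import the saved folders and targets into the new root. Run this on a
#    namespace server; large imports are much slower over the network.
#    (Argument order per the linked TechNet procedure: file, then namespace.)
dfsutil root import merge C:\dfs.xml \\contoso.com\dfs

# 5. Add Server2 back as a namespace server in DFS Management, then prove the
#    contents survived: export again and compare with the original.
dfsutil root export \\contoso.com\dfs C:\dfs-after.xml
fc C:\dfs.xml C:\dfs-after.xml
```

The only lines expected to differ between the two exports are the namespace-server and mode attributes; any missing folder or target in the second file means the import did not complete.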
QUESTION 606
Your network has Network Access Protection (NAP) policies deployed.
You need to identify the health agent compliance status of a client computer.
Which command should you run?
A. net config workstation
B. net statistics workstation
C. netsh nap client show config
D. netsh nap client show state
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
netsh nap client show state - Displays state information, including client access restriction state, the state of installed enforcement clients and system health agents,
and the client compliance and remediation results.
http://technet.microsoft.com/en-us/library/cc732873(v=ws.10).aspx#BKMK_29
QUESTION 607
Your company has a domain controller named Server1 that runs Windows Server 2008 R2.
Server1 has the DNS Server server role installed.
You need to configure the DNS server to resolve IP addresses to host names.
Which record should you create?
A. Pointer (PTR)
B. Host Info (HINFO)
C. Service Location (SRV)
D. Canonical Name (CNAME)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Pointer (PTR) resource records support the reverse lookup process, based on zones that are created and rooted in the in-addr.arpa domain. These records locate a computer by its IP address and resolve this information to the DNS domain name for that computer.
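An added example, not part of the original exam material, of creating the reverse lookup zone and PTR record that Question 607 is about, using dnscmd on the DNS server. The subnet 192.168.0.0/24 and the host server1.contoso.com at 192.168.0.1 are assumptions.

```powershell
# Added example, not from the original page. Assumed: subnet 192.168.0.0/24,
# host server1.contoso.com at 192.168.0.1, run on the DNS server itself.

# The reverse zone name is the network octets in reverse order under
# in-addr.arpa; /DsPrimary stores it in AD DS like the forward zone.
dnscmd /ZoneAdd 0.168.192.in-addr.arpa /DsPrimary

# The node name is the host part of the address; the PTR data is the FQDN
# with its trailing dot, otherwise the zone name gets appended to it.
dnscmd /RecordAdd 0.168.192.in-addr.arpa 1 PTR server1.contoso.com.

# Query it the way a client (or an incident responder mapping IPs to hosts)
# would, then list the zone's PTR records. '@' is quoted for PowerShell.
nslookup 192.168.0.1
dnscmd /EnumRecords 0.168.192.in-addr.arpa '@' /Type PTR
```

A PTR never replaces the forward A record; for dynamically addressed hosts keep the reverse zone honest by letting DHCP register PTR records on the clients' behalf, otherwise reverse lookups in logs and alerts quickly point at the wrong machine.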
QUESTION 608
Your company has a main office and a branch office. The main office has a domain controller named DC1 that hosts a DNS primary zone. The branch office has a
DNS server named SRV1 that hosts a DNS secondary zone. All client computers are configured to use their local server for DNS resolution.
You change the IP address of an existing server named SRV2 in the main office. You need to ensure that
SRV1 reflects the change immediately.
What should you do?
A. Restart the DNS Server service on DC1.
B. Run the dnscmd command by using the /zonerefresh option on DC1.
C. Run the dnscmd command by using the /zonerefresh option on SRV1.
D. Set the refresh interval to 10 minutes on the Start of Authority (SOA) record.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
dnscmd ServerName /zonerefresh ZoneName - Forces a secondary DNS zone to update from the master.
Parameters ServerName: Specifies the DNS server the administrator plans to manage, represented by IP address, FQDN, or Host name. If omitted, the local
server is used.
ZoneName: Specifies the name of the zone to be refreshed.
Remarks:
The zonerefresh operation forces a check of the version number in the master's SOA record. If the version number on the master is higher than the secondary's
version number, then a zone transfer is initiated, updating the secondary server. If the version number is the same, no zone transfer occurs.
The forced check occurs by default every 15 minutes. To change the default, use the dnscmd config refreshinterval operation.
http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx#BKMK_30
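An added example, not part of the original exam material, that sets up a primary/secondary pair with dnscmd and exercises the three points behind Questions 603, 604 and 608: authorising the secondary on the primary, lengthening the SOA expire interval, and forcing a refresh on the secondary. Server names, addresses and the serial value are assumptions; the SOA field order is as in the dnscmd /RecordAdd reference and should be confirmed with `dnscmd /RecordAdd /?` on your build.

```powershell
# Added example, not from the original page. Assumed: Server1 = primary at
# 10.0.0.10, Server2 = secondary at 10.0.1.10, zone contoso.com. dnscmd takes
# the target server as its first argument and manages it over RPC.

# ---- On Server1 (primary) ----
# Q604: a 2008 R2 primary transfers only to servers on its Name Servers tab,
# i.e. the zone's NS records. Without Server2 there its AXFR/IXFR is refused.
dnscmd Server1 /RecordAdd contoso.com '@' NS server2.contoso.com.
dnscmd Server1 /RecordAdd contoso.com server2 A 10.0.1.10
# Keep transfers restricted to the NS list and NOTIFY those servers.
# Never /NonSecure on a reachable server: it hands the zone to anyone.
dnscmd Server1 /ZoneResetSecondaries contoso.com /SecureNs /Notify

# Q603: SOA fields are primary, admin mailbox, serial, refresh, retry, expire,
# minimum TTL. Expire = 345600 s = 4 days keeps a cut-off secondary serving
# through a 3-day outage; refresh only decides how often it polls. Use a
# serial higher than the current one (see /EnumRecords below) or the
# secondaries will not pick the change up.
dnscmd Server1 /RecordAdd contoso.com '@' SOA server1.contoso.com. hostmaster.contoso.com. 2024010101 900 600 345600 3600

# ---- On Server2 (secondary) ----
dnscmd Server2 /ZoneAdd contoso.com /Secondary 10.0.0.10
# Q608: after a record changes on the primary, force a serial comparison and
# transfer now instead of waiting for the refresh timer.
dnscmd Server2 /ZoneRefresh contoso.com
# Verify: expire/refresh values and the records actually received.
dnscmd Server2 /ZoneInfo contoso.com
dnscmd Server2 /EnumRecords contoso.com '@'
```

Running /ZoneRefresh on the primary (option B in Question 608) does nothing useful: the operation acts on the zone copy of the server you point dnscmd at, and the primary has nothing to pull from.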
QUESTION 609
Your company has a single Active Directory domain. The company has a main office and a branch office. Both the offices have domain controllers that run Active
Directory-integrated DNS zones.
All client computers are configured to use the local domain controllers for DNS resolution. The domain controllers at the branch office location are configured as
Read-Only Domain Controllers (RODC).
You change the IP address of an existing server named SRV2 in the main office.
You need the branch office DNS servers to reflect the change immediately.
What should you do?
A. Run the dnscmd /ZoneUpdateFromDs command on the branch office servers.
B. Run the dnscmd /ZoneUpdateFromDs command on a domain controller in the main office.
C. Change the domain controllers at the branch offices from RODCs to standard domain controllers.
D. Decrease the Minimum (default) TTL option to 15 minutes on the Start of Authority (SOA) record for the zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
dnscmd /zoneupdatefromds - Updates an Active Directory-integrated zone with data from Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx
QUESTION 610
Your company has a single Active Directory domain.
The company has a main office and three branch offices. The domain controller in the main office runs
Windows Server 2008 R2 and provides DNS for the main office and all of the branch offices. Each branch office contains a file server that runs Windows Server
2008 R2. Users in the branch offices report that it takes a long time to access network resources. You confirm that there are no problems with WAN connectivity or
bandwidth. You need to ensure that users in the branch offices are able to access network resources as quickly as possible.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Configure a standard primary zone in each of the branch offices.
B. Configure forwarders that point to the DNS server in the main office.
C. Configure a secondary zone in each of the branch offices that uses the main office DNS server as a master.
D. Install DNS servers in each of the branch offices.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Installing a DNS server in each branch office (D) and hosting a secondary copy of the zone on it (C) lets branch clients resolve names locally, so no WAN round trip is needed for each lookup. Forwarders (B) would still send every query across the WAN to the main office. A separate standard primary zone in each branch (A) would create independent copies of the zone that nothing keeps in sync.
QUESTION 611
Your company has a server named Server1 that runs Windows Server 2008 R2. Server1 runs the DHCP Server server role and the DNS Server server role. You
also have a server named ServerCore that runs a Server Core installation of Windows Server 2008 R2.
All computers are configured to use only Server1 for DNS resolution. The IP address of Server1 is 192.168.0.1.
The network interface on all the computers is named LAN.
Server1 is temporarily offline. A new DNS server named Server2 has been configured to use the IP address 192.168.0.254.
You need to configure ServerCore to use Server2 as the preferred DNS server and Server1 as the alternate DNS server.
What should you do?
A. Run the netsh interface ipv4 add dnsserver "LAN" static 192.168.0.254 index=1 command.
B. Run the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 192.168.0.1 both command.
C. Run the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 primary command and the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.1
both command.
D. Run the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 primary command and the netsh interface ipv4 add dnsserver "LAN" static 192.168.0.1
index=1 command.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
add dnsserver inserts an address at the given position without touching the rest of the list. With index=1, Server2 (192.168.0.254) becomes the preferred server and the existing entry for Server1 (192.168.0.1) moves to index 2, which is exactly the order required. set dnsserver ... static replaces the entire list with a single address, so C ends with Server1 as the only server and D ends with Server1 back at index 1. B is not valid syntax; set dnsserver accepts one address.
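An added example, not part of the original exam material, walking through the DNS client commands in Question 611 on a Server Core box and showing why the order of `set` and `add` decides which server ends up preferred. The interface name LAN and the two addresses are taken from the question; the `validate=no` switch and the follow-up ipconfig calls are additions.

```powershell
# Added example, not from the original page. Assumed: interface LAN,
# Server1 = 192.168.0.1 (currently the only DNS server), Server2 = 192.168.0.254.

netsh interface ipv4 show dnsservers name=LAN
# Starting list: 192.168.0.1 at index 1.

# Correct (option A): insert Server2 at position 1. The existing entry slides
# to index 2 and becomes the alternate; nothing is overwritten.
# validate=no skips the test query to the new server, which otherwise stalls
# the command while Server2 is still unreachable from this host.
netsh interface ipv4 add dnsservers name=LAN address=192.168.0.254 index=1 validate=no
netsh interface ipv4 show dnsservers name=LAN
# Now: 192.168.0.254 at index 1, 192.168.0.1 at index 2.

# Wrong (option D), shown commented out: 'set ... primary' replaces the whole
# list with a single entry, and the later 'add ... index=1' pushes Server1
# back to the top, so Server1 is preferred again.
# netsh interface ipv4 set dnsservers name=LAN source=static address=192.168.0.254 register=primary validate=no
# netsh interface ipv4 add dnsservers name=LAN address=192.168.0.1 index=1 validate=no

# Flush cached answers so stale records do not mask the change, then register
# this host's own A record with the newly preferred server.
ipconfig /flushdns
ipconfig /registerdns
```

If the box is later joined to a new subnet, `netsh interface ipv4 delete dnsservers name=LAN address=all` clears the list before you rebuild it; the same `add ... index=` ordering rule applies.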
QUESTION 612
Your network contains an Active Directory forest named contoso.com. Contoso.com contains three domain controllers that run Windows Server 2008 R2 and three
domain controllers that run Windows Server 2003. All domain controllers are configured as DNS servers.
You configure the contoso.com zone to use DNSSEC.
You need to ensure that the zone only replicates to DNS servers that support DNSSEC.
What should you do first?
A. Modify the Notify settings of the contoso.com zone.
B. Create an application directory partition.
C. Move the contoso.com zone to the ForestDnsZones application directory partition.
D. Add a server certificate to the Windows Server 2003 DNS servers.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Windows Server 2003 DNS does not support the DNSSEC implementation introduced in Windows Server 2008 R2, so the signed zone must not replicate to those servers. The built-in DomainDnsZones and ForestDnsZones partitions replicate to every DNS-enabled domain controller in the domain or forest, the 2003 ones included, which rules out C. Create a custom application directory partition first (B), enlist only the Windows Server 2008 R2 DNS servers in it, and then move the zone into that partition. Notify settings (A) affect secondary servers, not AD replication, and a server certificate (D) does not add DNSSEC support to a 2003 DNS server.
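An added example, not part of the original exam material, covering two things that are easy to get wrong in practice behind Questions 612 and 609: building a custom DNS application directory partition so a zone replicates only to chosen servers, and making a branch RODC's DNS server show a fresh change. The server names DC1 to DC3 (2008 R2), RODC1 and the partition name dnssec.contoso.com are assumptions.

```powershell
# Added example, not from the original page. Assumed: DC1, DC2, DC3 run
# Windows Server 2008 R2 and host DNS; the 2003 DCs must not get the zone;
# RODC1 is a branch read-only DC; partition name dnssec.contoso.com.

# ---- Q612: replicate the DNSSEC-signed zone only to 2008 R2 DNS servers ----
# Create the partition on one DNS server, then enlist only the capable ones.
dnscmd DC1 /CreateDirectoryPartition dnssec.contoso.com
dnscmd DC2 /EnlistDirectoryPartition dnssec.contoso.com
dnscmd DC3 /EnlistDirectoryPartition dnssec.contoso.com
# Move contoso.com out of DomainDnsZones (every DNS-enabled DC in the domain,
# including the 2003 ones) into the new partition.
dnscmd DC1 /ZoneChangeDirectoryPartition contoso.com dnssec.contoso.com
# Check who holds it: only DC1-DC3 should be listed as replicas.
dnscmd DC1 /DirectoryPartitionInfo dnssec.contoso.com /Detail
dnscmd DC1 /EnumDirectoryPartitions

# ---- Q609: make a branch (RODC) DNS server reflect a change right away ----
# The DNS server reads only its LOCAL AD replica. /ZoneUpdateFromDs re-reads
# that replica; it does not reach out to the main office. So first pull the
# partition that holds the zone over AD replication, then reload the zone.
# repadmin /replicate <destination> <source> <naming context>; an RODC can
# only pull, never push. The NC is quoted because of the commas.
repadmin /replicate RODC1 DC1 "DC=DomainDnsZones,DC=contoso,DC=com"
dnscmd RODC1 /ZoneUpdateFromDs contoso.com
# Confirm the new address is served from the branch.
nslookup srv2.contoso.com RODC1
```

If the zone has been moved into a custom partition as in the first half, replicate that partition's naming context (DC=dnssec,DC=contoso,DC=com for the assumed name) instead of DomainDnsZones; /ZoneUpdateFromDs without a preceding replication only reloads whatever the RODC already had.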
QUESTION 613
Your company has a single Active Directory domain. The company network is protected by a firewall.
Remote users connect to your network through a VPN server by using PPTP. When the users try to connect to the VPN server, they receive the following error
message:
"Error 721: The remote computer is not responding."
You need to ensure that users can establish a VPN connection.
What should you do?
A. Open port 1423 on the firewall.
B. Open port 1723 on the firewall.
C. Open port 3389 on the firewall.
D. Open port 6000 on the firewall.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
PPTP uses TCP port 1723 for the control connection and GRE (IP protocol 47) for the tunnelled PPP data. Error 721 is the classic symptom of one of the two being blocked; of the listed options only 1723 is relevant, and in practice protocol 47 is opened alongside it, because a firewall that passes 1723 but not GRE produces exactly this error after the control connection succeeds. Port 3389 is RDP; 1423 and 6000 are distractors. For a real network rather than an exam scenario, note that PPTP with MS-CHAP v2 is no longer considered secure (the MS-CHAP v2 exchange can be cracked offline), so L2TP/IPsec, SSTP or IKEv2 should be preferred.
http://technet.microsoft.com/en-us/library/cc757501(v=ws.10).aspx
QUESTION 614
Your company has a single Active Directory domain. The domain has servers that run Windows Server 2008 R2.
You have a server named NAT1 that functions as a NAT server. You need to ensure that administrators can access a server named RDP1 by using Remote
Desktop Protocol (RDP).
What should you do?
A. Configure NAT1 to forward port 389 to RDP1.
B. Configure NAT1 to forward port 1432 to RDP1.
C. Configure NAT1 to forward port 3339 to RDP1.
D. Configure NAT1 to forward port 3389 to RDP1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Remote Desktop listens on TCP port 3389. Port 389 is LDAP; 1432 and 3339 are distractors. Forwarding 3389 from the NAT's public address exposes RDP1's logon directly to the Internet, so in practice the mapping should be limited to the administrators' source addresses, Network Level Authentication should be required, or RDP1 should be reached through a VPN or RD Gateway instead of a raw port forward.
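An added example, not part of the original exam material, showing the firewall and NAT configuration behind Questions 613 and 614 with netsh, including the GRE rule that the PPTP question leaves out and the source scoping that a port-forwarded RDP host needs. The interface name Internet, the addresses 203.0.113.10, 192.168.0.20 and 198.51.100.0/24 and the rule names are assumptions.

```powershell
# Added example, not from the original page. Assumed (hypothetical): NAT1's
# public interface is named Internet with address 203.0.113.10, RDP1 is
# 192.168.0.20, and administrators connect from 198.51.100.0/24.

# --- Question 613: PPTP is two flows, not one ---
# TCP 1723 carries only the control channel; the tunnelled PPP frames travel
# in GRE, IP protocol 47 (netsh accepts the protocol number). A firewall that
# passes 1723 alone lets the client authenticate and then drops the tunnel.
netsh advfirewall firewall add rule name=Allow-In-PPTP-1723 dir=in action=allow protocol=TCP localport=1723
netsh advfirewall firewall add rule name=Allow-In-PPTP-GRE  dir=in action=allow protocol=47
netsh advfirewall firewall show rule name=Allow-In-PPTP-GRE

# --- Question 614: publish RDP1 through the RRAS NAT on NAT1 ---
# A port mapping rewrites only the destination; the client's source address
# is preserved, so RDP1 can still filter on it.
netsh routing ip nat add portmapping name=Internet proto=tcp publicip=203.0.113.10 publicport=3389 privateip=192.168.0.20 privateport=3389
netsh routing ip nat show interface name=Internet

# On RDP1: a port forward puts the RDP logon on the Internet, the favourite
# target of password-spraying tools. Scope inbound 3389 to the admin range
# and disable the unscoped built-in Remote Desktop rule, or better, reach
# RDP1 over the VPN or an RD Gateway and remove the mapping altogether.
netsh advfirewall firewall add rule name=Allow-In-RDP-Admins dir=in action=allow protocol=TCP localport=3389 remoteip=198.51.100.0/24
```

The last rule only helps if the built-in, unscoped Remote Desktop allow rule is disabled on RDP1 as well; two allow rules are combined, and the broader one wins.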
QUESTION 615
Your company has a main office and 15 branch offices. The company has a single Active Directory domain. All servers run Windows Server 2008 R2.
You need to ensure that the VPN connections between the main office and the branch offices meet the following requirements:
All data must be encrypted by using end-to-end encryption.
The VPN connection must use computer-level authentication.
User names and passwords cannot be used for authentication.
What should you do?
A. Configure an IPsec connection to use tunnel mode and preshared key authentication.
B. Configure a PPTP connection to use version 2 of the MS-CHAP v2 authentication.
C. Configure a L2TP/IPsec connection to use the EAP-TLS authentication.
D. Configure a L2TP/IPsec connection to use version 2 of the MS-CHAP v2 authentication.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
L2TP/IPsec authenticates the two computers with certificates during the IPsec negotiation and then authenticates the user inside PPP; choosing EAP-TLS for that second step replaces user names and passwords with certificates, and all traffic travels inside IPsec ESP. PPTP (B) has no computer-level authentication, MS-CHAP v2 (B and D) is password-based, and an IPsec tunnel with a preshared key (A) authenticates with a shared secret rather than computer certificates.
EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard and is well supported among wireless vendors. The security of the TLS protocol is strong, provided the user understands potential warnings about false credentials. It uses PKI to secure communication to a RADIUS authentication server or another type of authentication server. So even though EAP-TLS provides excellent security, the overhead of client-side certificates may be its Achilles' heel.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software. The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. A compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side private key. The highest security available is when client-side keys are housed in smart cards. This is because there is no way to steal a certificate's corresponding private key from a smart card without stealing the card itself. It is significantly more likely that the physical theft of a smart card would be noticed (and the smart card immediately revoked) than a (typical) password theft would be noticed. Up until April 2005, EAP-TLS was the only EAP type vendors needed to certify for a WPA or WPA2 logo. There are client and server implementations of EAP-TLS in 3Com, Apple, Avaya, Brocade Communications, Cisco, Enterasys Networks, Foundry, HP, Juniper, and Microsoft, and open source operating systems. EAP-TLS is natively supported in Mac OS X 10.3 and above, Windows 2000 SP4, Windows XP and above, Windows Mobile 2003 and above, and Windows CE 4.2.
QUESTION 616
Your corporate network has a member server named RAS1 that runs Windows Server 2008 R2. You configure RAS1 to use the Routing and Remote Access
Services (RRAS).
The company's remote access policy allows members of the Domain Users group to dial in to RAS1. The company issues smart cards to all employees.
You need to ensure that smart card users are able to connect to RAS1 by using a dial-up connection.
What should you do?
A. Install the Network Policy Server (NPS) server role on RAS1.
B. Create a remote access policy that requires users to authenticate by using SPAP.
C. Create a remote access policy that requires users to authenticate by using EAP-TLS.
D. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Smart-card logon is certificate-based, so the remote access policy must require EAP-TLS: the user proves possession of the private key on the card and no password is sent over the link. SPAP (B) and MS-CHAP v2 (D) are password methods and cannot use the card at all. NPS (A) is the policy and RADIUS engine, but installing it does not by itself change which authentication method the policy demands. See the EAP-TLS background under Question 615.
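An added example, not part of the original exam material, of the pre-flight checks a practitioner runs before switching a policy to EAP-TLS as in Questions 615 and 616: the RAS/NPS server needs a certificate with the Server Authentication EKU and a private key, each client or smart card needs one with the Client Authentication EKU, and both must chain to a CA the other side trusts. The EKU OIDs are the standard ones; the function names are this example's own.

```powershell
# Added example, not from the original page. Run the server part on the
# RAS/NPS server and the client part on a workstation with its smart card
# inserted. Function names are this example's own, not Microsoft's.

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Certificates in the given store that are current, carry the EKU EAP-TLS
# needs, and have a usable private key (for a smart card that is true only
# while the card is inserted, since the key never leaves the card).
function Get-EapTlsCandidate {
    param([string]$StoreLocation, [string]$Eku)
    Get-ChildItem "Cert:\$StoreLocation\My" | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $Eku)
    }
}

# Build the chain the way the peer will, including an online revocation check;
# an expired CRL or an untrusted issuing CA fails here long before NPS does.
function Test-EapTlsChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    New-Object PSObject -Property @{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; ChainOk = $ok; Status = $status
    }
}

# 1. Server side: without a Server Authentication certificate the TLS handshake
#    fails before any client certificate is even requested.
$serverCerts = @(Get-EapTlsCandidate -StoreLocation LocalMachine -Eku $serverAuthEku)
if ($serverCerts.Count -eq 0) {
    Write-Warning 'No current certificate with Server Authentication EKU and a private key: EAP-TLS cannot start.'
}

# 2. Client side: the smart-card (or machine) certificate with Client Authentication EKU.
$clientCerts = @(Get-EapTlsCandidate -StoreLocation CurrentUser -Eku $clientAuthEku)

# 3. Report chain results for everything found.
$serverCerts + $clientCerts | ForEach-Object { Test-EapTlsChain $_ } |
    Format-Table Subject, ChainOk, Status -AutoSize
```

A ChainOk of False with a Status of RevocationStatusUnknown or OfflineRevocation is the most common real-world cause of "EAP-TLS works in the lab, fails in production": the NPS server cannot reach the CRL distribution point on the issuing CA's certificate.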
QUESTION 617
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.
The servers are configured as shown in the following table.
You plan to give users access to the files shares on Server2 by using DirectAccess. You need to ensure that you can deploy DirectAccess on Server3.
What should you do?
A. Add a static IPv6 address to DC1.
B. Add a static IPv6 address to Server2.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade Server2 to Windows Server 2008 R2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
- One or more DirectAccess servers running Windows Server 2008 R2 (with or without UAG) with two network adapters: one that is connected directly to the Internet and one that is connected to the intranet. DirectAccess servers must be members of an AD DS domain.
- On the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
- DirectAccess client computers that are running Windows 7 Enterprise or Windows 7 Ultimate.
DirectAccess clients must be members of an AD DS domain.
- At least one domain controller and DNS server that is running Windows Server 2008 SP2 or Windows Server 2008 R2. When UAG is used, DirectAccess can be
deployed with DNS servers and domain controllers that are running Windows Server 2003 when NAT64 functionality is enabled.
- A public key infrastructure (PKI) to issue computer certificates, and optionally, smart card certificates for smart card authentication and health certificates for NAP.
For more information, see Public Key Infrastructure on the Microsoft Web site.
- Without UAG, an optional NAT64 device to provide access to IPv4-only resources for DirectAccess clients.
DirectAccess with UAG provides a built-in NAT64.
http://technet.microsoft.com/en-us/library/dd637797(v=ws.10).aspx
QUESTION 618
Your network contains one Active Directory domain. You have a member server named Server1 that runs Windows Server 2008 R2. The server has the Routing
and Remote Access Services role service installed.
You implement Network Access Protection (NAP) for the domain. You need to configure the Point-to-Point Protocol (PPP) authentication method on Server1.
Which authentication method should you use?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Extensible Authentication Protocol (EAP)
C. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
D. Password Authentication Protocol (PAP)
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With EAP, the specific authentication mechanism is not chosen during the link establishment phase of the PPP connection; instead, the PPP peers negotiate to
perform EAP during the connection authentication phase. When the connection authentication phase is reached, the peers negotiate the use of a specific EAP
authentication scheme known as an EAP method. After the EAP method is agreed upon, EAP allows for an open-ended exchange of messages