Windows Server 2008 Active Directory, Configuring

October 30, 2017 | Author: Anonymous | Category: N/A
Share Embed


Short Description

Microsoft EnsurePass 70-640 v2013-05-21 by Venomous 489q.vce .. Status Protocol (OCSP) responder by using Network Load &...

Description

Windows Server 2008 Active Directory, Configuring Number: 70-640 Passing Score: 700 Time Limit: 145 min File Version: 2.0

http://www.gratisexam.com/

This dump is based on the previous released dump "Venomous_v2 - 469q - 2013-01-28", has (hopefully most of) the correct answers with detailed explanations (where previously missing). The questions' text has also been highlighted and set up for (hopefully) better readability and understanding. Special thanks go to Venomous and his contributors. Exam M supposedly contains the new May 2013 questions. They have been extracted from: Microsoft EnsurePass 70-640 v2013-05-21 by Venomous 489q.vce Microsoft Yesuse 70-640 v2013-05-07 by oyfeo 475q.vce And from some of the comments. Good luck! Changed anwers (from original Venomous version): A/Q33 B/Q40 E/Q19 Unverified/uncertain answers: A/Q11 A/Q31 B/Q33 B/Q43 D/Q04 D/Q12 D/Q26 E/Q06 E/Q10 E/Q19

Disclaimer: This dump is provided as is. I do not take any responsibility on the correctness of these answers or whether you pass the test or not. You should study and understand what Active Directory is all about.

Exam A QUESTION 1 You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. The domain contains one Active Directory-integrated DNS zone. You need to ensure that outdated DNS records are automatically removed from the DNS zone. What should you do? A. B. C. D.

From From From From

the properties of the zone, modify the TTL of the SOA record. the properties of the zone, enable scavenging. the command prompt, run ipconfig /flushdns. the properties of the zone, disable dynamic updates.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: From the properties of the zone, enable scavenging. Explanation: http://technet.microsoft.com/en-us/library/cc753217.aspx Set Aging and Scavenging Properties for the DNS Server The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server. Further information: http://technet.microsoft.com/en-us/library/cc771677.aspx Understanding Aging and Scavenging

QUESTION 2 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain. You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes. What should you do? A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU. B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes. C. Enable the Audit account management policy in the Default Domain Controller Policy. D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy. Correct Answer: A Section: (none)

Explanation Explanation/Reference: Answer: Run auditpol.exe and then configure the Security settings of the Domain Controllers OU. Explanation: http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx AD DS Auditing Step-by-Step Guide In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes. .. The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory. The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS: When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged. If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged. If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain. If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged. .. In Windows Server 2008, you implement the new auditing feature by using the following controls: Global audit policy System access control list (SACL) Schema Global audit policy Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default. You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories. Further information: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx Auditpol Displays information about and performs functions to manipulate audit policies. http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/ AD Scenario – Auditing Directory Services Auditing of Directory Services depends on several controls, these are: 1. Global Audit Policy (at category level using gpmc.msc tool) 2. Individual Audit Policy (at subcategory level using auditpol.exe tool) 3. System ACLs – to specify which operations are to be audited for a security principal.

4.

Schema (optional) – this is an additional control in the schema that you can use to create exceptions to what is audited.

In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects and their attributes. This can be done using auditpol.exe tool. Command to check which audit policies are active on your machine: auditpol /get /category:*

Command to view the audit policy categories and Subcategories:

How to enable the global audit policy using the Windows interface i.e. gpmc tool Click Start, point to Administrative Tools, and then Group Policy Management or run gpmc.msc command In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click

Security Settings, double-click Local Policies, and then click Audit Policy.

In the details pane, right-click Audit directory service access, and then click Properties. Select the Define these policy settings check box. Under Audit these attempts, select the Success, check box, and then click OK.

How to enable the change auditing policy using a command line Click Start, right-click Command Prompt, and then click Run as administrator. Type the following command, and then press ENTER: auditpol /set /subcategory:”directory service changes” /success:enable To verify if the auditing is enabled or not for “Directory Service Changes”, you can run below command: auditpol /get /category:”DS Access”

How to set up auditing in object SACLs Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties. Click the Security tab, click Advanced, and then click the Auditing tab.

Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal) and then click OK.

In Apply onto, click Descendant User objects (or any other objects). Under Access, select the Successful check box for Write all properties.

Click OK until you exit the property sheet for the OU or other object.

To Test whether auditing is working or not, try creating or modifying objects in Finance OU and check the Security event logs. I just created a new user account in Finance OU named f4.

If you check the security event logs you will find eventid 5137 (Create) Note: Once the auditing is enabled these eventids will appear in security event logs: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move).

QUESTION 3 Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. What should you do? A. B. C. D.

Create a new stub zone named ad.contoso.com on DC2. Create a new standard secondary zone named ad.contoso.com on DC2. Configure the DNS server on DC2 to forward requests to DC1. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Answer: Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone. Explanation: http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. How DNS integrates with AD DS When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain. Benefits of AD DS integration For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits: DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones. Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication. Further information:

QUESTION 4 Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS). You need to create new organizational units in the AD LDS application directory partition.

What should you do? A. Use the dsmod OU command to create the organizational units. B. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition. C. Use the dsadd OU command to create the organizational units. D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. Correct Answer: D Section: (none) Explanation Explanation/Reference: Answer: Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. Explanation: http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspx ADSI Edit (adsiedit.msc) Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema. http://technet.microsoft.com/en-us/library/cc730701%28v=ws.10%29.aspx#BKMK_1 Step 4: Practice Managing AD LDS Organizational Units, Groups, and Users Create an OU To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In Active Directory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol (LDAP)–based directories, OUs are most commonly used for keeping users and groups organized. To create an OU 1. Click Start, point to Administrative Tools, and then click ADSI Edit. 2. Connect and bind to the directory partition of the AD LDS instance to which you want to add an OU. 3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click the container to which you want to add the OU, point to New, and then click Object. 4. In Select a class, click organizationalUnit, and then click Next. 5. In Value, type a name for the new OU, and then click Next. 6. If you want to set values for additional attributes, click More attributes.

Further information: http://technet.microsoft.com/en-us/library/cc754663%28v=ws.10%29.aspx Step 5: Practice Working with Application Directory Partitions The Active Directory Lightweight Directory Services (AD LDS) directory store is organized into logical directory partitions. There are three different types of directory partitions: Configuration directory partitions Schema directory partitions Application directory partitions Each AD LDS directory store must contain a single configuration directory partition and a single schema directory partition. The directory store can contain zero or more application directory partitions.

Application directory partitions hold the data that your applications use. You can create an application directory partition during AD LDS setup or anytime after installation. QUESTION 5 Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role. DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role. You need to ensure that DC2 holds the Schema Master role. What should you do? A. Configure DC2 as a bridgehead server. B. On DC2, seize the Schema Master role. C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snap-in. D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in. Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: On DC2, seize the Schema Master role. Explanation: http://technet.microsoft.com/en-us/library/cc816645%28v=ws.10%29.aspx Transfer the Schema Master You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role. .. Note: You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure. http://technet.microsoft.com/en-us/library/cc794853%28v=ws.10%29.aspx Seize the AD LDS Schema Master Role The schema master is responsible for performing updates to the Active Directory Lightweight Directory Services (AD LDS) schema. Each configuration set has only one schema master. All write operations to the AD LDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within its configuration set. Those schema updates are replicated from the schema master to all other instances in the configuration set. Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure. Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again.

QUESTION 6 Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Restart IIS. Manually delete the Service Connection Point in AD DS and restart AD RMS. Install Message Queuing. Start the MSSQLSVC service.

Correct Answer: AD Section: (none) Explanation Explanation/Reference: Answer: Start the MSSQLSVC service. Restart IIS. Explanation: http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1 RMS Administration Issues "SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site If you have installed RMS by using a new installation of SQL Server 2005 as your database server the SQL Server Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to automatically restart RMS will not be able to function and only the RMS Global Administration page will be accessible. After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality. QUESTION 7 Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com. You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone. What should you do? A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard. B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).

C. From the DNS Manager console, modify the permissions of the contoso.com zone. D. From the DNS Manager console, modify the permissions of the nwtraders.com zone. Correct Answer: C Section: (none) Explanation Explanation/Reference: Answer: From the DNS Manager console, modify the permissions of the contoso.com zone. Explanation: http://technet.microsoft.com/en-us/library/cc753213.aspx Modify Security for a Directory-Integrated Zone You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones. Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure. To modify security for a directory-integrated zone: 1. Open DNS Manager. 2. In the console tree, click the applicable zone. Where? DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone 3. On the Action menu, click Properties. 4. On the General tab, verify that the zone type is Active Directory-integrated. 5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed. Further information: http://support.microsoft.com/kb/163971 The Structure of a DNS SOA Record The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain. The SOA resource record contains the following information: Source host - The host where the file was created. Contact e-mail - The e-mail address of the person responsible for administering the domain's zone file. Note that a "." is used instead of an "@" in the e-mail name. Serial number - The revision number of this zone file. Increment this number each time the zone file is changed. It is important to increment this value each time a change is made, so that the changes will be distributed to any secondary DNS servers. Refresh Time - The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record and the serial number in it's own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600. Retry time - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the

retry time is less than the refresh time. The default value is 600. Expire time - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400. Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600. http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx Modify the start of authority (SOA) record for a zone .. Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. .. QUESTION 8 Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highly available. What should you do? A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array. B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO). C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain. Correct Answer: C Section: (none) Explanation Explanation/Reference: Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. Explanation: http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx AD CS: Online Certificate Status Protocol Support Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server® 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information. What does OCSP support do? The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed

periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. .. Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI. .. Further information: http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-highavailability.aspx Implementing an OCSP Responder: Part V High Availability There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance. QUESTION 9 You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server1 to support the Online Responder. What should you do? A. B. C. D.

Import the enterprise root CA certificate. Configure the Certificate Revocation List Distribution Point extension. Configure the Authority Information Access (AIA) extension. Add the Server2 computer account to the CertPublishers group.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Answer: Configure the Authority Information Access (AIA) extension. Explanation: http://technet.microsoft.com/en-us/library/cc732526.aspx Configure a CA to Support OCSP Responders To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a nonMicrosoft OCSP responder. Configuring a certification authority (CA) to support OCSP responder services includes the following steps:

1. 2. 3. 4.

Configure certificate templates and issuance properties for OCSP Response Signing certificates. Configure enrollment permissions for any computers that will be hosting Online Responders. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA. 5. Enable the OCSP Response Signing certificate template for the CA. .. To configure a CA to support an Online Responder or OCSP responder services: 1. Open the Certification Authority snap-in. 2. In the console tree, click the name of the CA. 3. On the Action menu, click Properties. 4. Click the Extensions tab. 5. In the Select extension list, click Authority Information Access (AIA) and then click Add. 6. Specify the locations from which users can obtain certificate revocation data, such as http://computername/ ocsp. 7. Select the Include in the online certificate status protocol (OCSP) extension check box. 8. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue. 9. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK. 10. Double-click Certificate Templates, and verify that the modified certificate templates appear in the list. QUESTION 10 Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed. You need to ensure that the user is able to log on to the computer.

http://www.gratisexam.com/ What should you do? A. Run the netsh command with the set and machine options. B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain. C. Run the netdom TRUST /reset command. D. Run the Active Directory Users and Computers console to disable, and then enable the computer account. Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain. Explanation: http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx

Trust Relationship between Workstation and Primary Domain failed What are the common causes which generates this message on client systems? There might be multiple reasons for this kind of behaviour. Below are listed a few of them: 1. Single SID has been assigned to multiple computers. 2. If the Secure Channel is Broken between Domain controller and workstations 3. If there are no SPN or DNSHost Name mentioned in the computer account attributes 4. Outdated NIC Drivers. How to Troubleshoot this behaviour? .. 2. If the Secure Channel is Broken between Domain controller and workstations When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. If there are problems with system time, DNS configuration or other settings, secure channel’s password between Workstation and DCs may not synchronize with each other. A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD. Resolution: Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain. (this is a somewhat similar principle to performing a password reset for a user account) Or You can go ahead and reset the computer account using netdom.exe tool http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx Netdom Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). You can use netdom to: Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain. Manage computer accounts for domain member workstations and member servers. Management operations include: Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships: Verify or reset the secure channel for the following configurations: * Member workstations and servers. * Backup domain controllers (BDCs) in a Windows NT 4.0 domain. * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas. Manage trust relationships between domains.

Syntax NetDom [] [{/d: | /domain:} ] [] http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx Netdom reset Resets the secure connection between a workstation and a domain controller. Syntax netdom reset {/d: | /domain:} [{/s: | /server:}] [{/uo: | /usero:} {/po: | / passwordo}{|*}] [{/help | /?}] Further information: http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx Netdom trust Establishes, verifies, or resets a trust relationship between domains. Syntax netdom trust {/d: | /domain:} [{/ud: | /userd:}[\] [{/pd: | /passwordd:}{|*}] [{/uo: | /usero:}] [{/po: | /passwordo:}{|*}] [/ verify] [/reset] [/passwordt:] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/ transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/ namesuffixes: [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/ AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}] QUESTION 11 Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do? A. B. C. D.

Add and configure a new account partner. Add and configure a new resource partner. Add and configure a new account store. Add and configure a Claims-aware application.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Answer: ??? Explanation: http://technet.microsoft.com/en-us/library/cc732095.aspx Understanding Account Stores Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores: Active Directory Domain Services (AD DS) Active Directory Lightweight Directory Services (AD LDS)

Further information: QUESTION 12 You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller. What tool should you use? A. B. C. D.

Active Directory Users and Computers snap-in ntdsutil Local Users and Groups snap-in dsmod

Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: ntdsutil Explanation: http://technet.microsoft.com/en-us/library/cc753343%28v=ws.10%29.aspx Ntdsutil Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators. .. Commands .. set DSRM password - Resets the Directory Services Restore Mode (DSRM) administrator password. Further information: http://technet.microsoft.com/en-us/library/cc754363%28v=ws.10%29.aspx set DSRM password Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM Administrator Password: prompt, type any of the parameters listed under “Syntax.” This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). QUESTION 13 Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office.

You need to ensure that users at the branch office are able to log on to the domain by using the RODC. What should you do? A. Add another RODC to the branch office. B. Configure a new bridgehead server in the main office. C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console. D. Configure the Password Replication Policy on the RODC. Correct Answer: D Section: (none) Explanation Explanation/Reference: Answer: Configure the Password Replication Policy on the RODC. Explanation: http://technet.microsoft.com/en-us/library/cc754956%28v=ws.10%29.aspx RODC Frequently Asked Questions What new attributes support the RODC Password Replication Policy? Password Replication Policy is the mechanism for determining whether a user or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008. .. What operations fail if the WAN is offline, but the RODC is online in the branch office? If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail: Password changes Attempts to join a computer to a domain Computer rename Authentication attempts for accounts whose credentials are not cached on the RODC Group Policy updates that an administrator might attempt by running the gpupdate /force command What operations succeed if the WAN is offline, but the RODC is online in the branch office? If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed: Authentication and logon attempts, if the credentials for the resource and the requester are already cached. Local RODC server administration performed by a delegated RODC server administrator. Further information: QUESTION 14 Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records. You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.

What should you do? A. B. C. D.

Set dynamic updates to Secure Only. Remove the Authenticated Users group. Enable zone transfers to Name Servers. Deny the Everyone group the Create All Child Objects permission.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Answer: Set dynamic updates to Secure Only. Explanation: http://technet.microsoft.com/en-us/library/cc753751.aspx Allow Only Secure Dynamic Updates Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address. Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record. Further information: http://technet.microsoft.com/en-us/library/cc771255.aspx Understanding Dynamic Update QUESTION 15 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com. You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data. What should you do? A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone. B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone. C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone. D. On both servers, modify the interface that the DNS server listens on. Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

Explanation: http://technet.microsoft.com/en-us/library/cc771150.aspx Change the Zone Type You can use this procedure to change make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS). http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. Benefits of AD DS integration For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits: DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directoryintegrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. .. Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication. http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx Deploy IPsec Policy to DNS Servers You can deploy IPsec rules through one of the following mechanisms: Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directoryintegrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier. DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers. Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally. http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx Deploying Secure DNS Protecting DNS Servers When the integrity of the responses of a DNS server are compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack.

Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks: Use IPsec between DNS clients and servers. Monitor network activity. Close all unused firewall ports. Implementing IPsec Between DNS Clients and Servers IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server. Further information: http://technet.microsoft.com/en-us/library/cc771898.aspx Understanding Zone Types The DNS Server service provides for three types of zones: Primary zone Secondary zone Stub zone Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS. The following sections describe each of these zone types: Primary zone When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32 \Dns folder on the server. Secondary zone When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS. Stub zone When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone. You can use stub zones to: Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone. Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace. Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.

There are two lists of DNS servers involved in the loading and maintenance of a stub zone: The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone. The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime. http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4317c2c3388c3/ Answered what is non-standard dns secondary zone? Q: While passing through 70-291 exam prep questions, I encountered the term "standard secondary zone". From the context of other questions I understood that "standard", in context of primary zone, mean "non-ADintegrated". A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text file. Q: What does "standard" mean in context of DNS secondary zone? A: It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means the zone data is stored in a text file, which can be found in system32\dns. QUESTION 16 You are decommissioning domain controllers that hold all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller. Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.) A. B. C. D. E.

Domain naming master Infrastructure master RID master PDC emulator Schema master

Correct Answer: AE Section: (none) Explanation Explanation/Reference: Answer: Schema master Domain naming master Explanation: http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server2008.aspx Transferring FSMO Roles in Windows Server 2008 One of any system administrator duties, would be to upgrade a current domain controller to a new hardware server. One of the crucial steps required to successfully migrate your domain controller, is to be able to successfully transfer the FSMO roles to the new hardware server. FSMO stands for Flexible Single Master Operations, and in a forest there are at least five roles.

The five FSMO roles are: Schema Master Domain Naming Master Infrastructure Master Relative ID (RID) Master PDC Emulator The first two roles above are forest-wide, meaning there is one of each for the entire forest. The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles. QUESTION 17 Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network. You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain. What should you do? A. B. C. D.

Create a new stub zone for the intranet.fabrikam.com domain. Configure conditional forwarding for the intranet.fabrikam.com domain. Create a standard secondary zone for the intranet.fabrikam.com domain. Create an Active Directory Integrated zone for the intranet.fabrikam.com domain.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: Configure conditional forwarding for the intranet.fabrikam.com domain. Explanation: http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.

... Conditional forwarders A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. Further information: http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx Assign a Conditional Forwarder for a Domain Name http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders QUESTION 18 An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume. What should you do? A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command. B. Move the ntds.dit file to the new volume by using Windows Explorer. C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell. D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility. Correct Answer: D Section: (none) Explanation Explanation/Reference: Answer: Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility. Explanation: http://technet.microsoft.com/en-us/library/cc816720%28v=ws.10%29.aspx Move the Directory Database and Log Files to a Local Drive You can use this procedure to move Active Directory database and log files to a local drive.

When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current. On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location. To move the directory database and log files to a local drive: .. 7. At the ntdsutil prompt, type files, and then press ENTER. 8. To move the database file, at the file maintenance: prompt, use the following commands: .... Further information: http://servergeeks.wordpress.com/2013/01/01/moving-active-directory-database-and-logs/ Moving Active Directory Database and Logs Step 1 Start the server in Directory Services Restore Mode Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller. To perform any files movement related activities using ntdsutil, we need to start the server in Directory Services Restore Mode. To start the server in Directory Services Restore mode, follow these steps: Restart the computer. After the BIOS information is displayed, press F8. Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.

Log on with your local administrative account and password. (Not Domain Administrative account)

Note: using service control (SC.exe) you can verify quickly ntds services are running or stopped. In command prompt type SC query ntds

Step 2 How to Move Active Directory Database and Logs You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server. To move the data file to another folder, follow these steps: Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.

At the Ntdsutil command prompt, type files, and then press ENTER.

At the file maintenance command prompt, type move DB to (where new location is an existing folder that you have created for this purpose) and then press ENTER. In this case, the new location for database is C:\AD\Database

Now to move logs , at the file maintenance command prompt, type move logs to (where new location is an existing folder that you have created for this purpose) and then press ENTER. In our case, the new location for database is C:\AD\Logs

To quit file maintenance, type quit. Again to Ntdsutil, type quit to close the prompt Restart the computer. AD database and Logs are moved successfully to new location. QUESTION 19 Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll.

You create a GPO. You need to track which employees access the Payroll files on the file servers. What should you do? A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder. B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder. Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. Explanation: http://technet.microsoft.com/en-us/library/dd349800%28v=ws.10%29.aspx Audit Policy Establishing an organizational computer system audit policy is an important facet of information security. Configuring Audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach. There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of these kinds of events, Windows® records the events in the Security log, which you can find in Event Viewer. .. Object access. Audit this to record when someone has used a file, folder, printer, or other object. .. Process tracking. Audit this to record when events such as program activation or a process exiting occur. .. When you implement Audit Policy settings: .. If you want to audit directory service access or object access, determine which objects you want to audit access of and what type of access you want to audit. For example, if you want to audit all attempts by users to open a particular file, you can configure audit policy settings in the object access event category so that both successful and failed attempts to read a file are recorded. Further information: http://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspx Group Policy for Beginners Group Policy Links At the top level of AD DS are sites and domains. Simple implementations will have a single site and a single domain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer. Instead of containing files and subfolders, however, they can contain computers, users, and other objects. For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four

subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than the Domain Controllers OU that you see in Figure 1, nothing else in the figure is an OU. What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s settings to the computers and users in that container. QUESTION 20 Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need to implement key archival. What should you do? A. B. C. D.

Configure the certificate for automatic enrollment for the computers that store encrypted files. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files. Apply the Hisecdc security template to the domain controllers. Archive the private key on the server.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Answer: Archive the private key on the server. Explanation: http://technet.microsoft.com/en-us/library/cc753011.aspx Enable Key Archival for a CA Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA). You must be a CA administrator to complete this procedure. To enable key archival for a CA: 1. Open the Certification Authority snap-in. 2. In the console tree, click the name of the CA. 3. On the Action menu, click Properties. 4. Click the Recovery Agents tab, and then click Archive the key. 5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key. The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured. 6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK. 7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded. 8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid. Further information: http://technet.microsoft.com/en-us/library/ee449489%28v=ws.10%29.aspx Key Archival and Management in Windows Server 2008 http://technet.microsoft.com/en-us/library/cc730721.aspx Managing Key Archival and Recovery

QUESTION 21 Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups and an OU for Users. You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OU without affecting users and computers in the Sales OU. What should you do? A. B. C. D.

Perform Perform Perform Perform

an authoritative restore of the Sales OU. a non-authoritative restore of the Sales OU. an authoritative restore of the Groups OU. a non-authoritative restore of the Groups OU.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Answer: Perform an authoritative restore of the Groups OU. Explanation: http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx Performing Authoritative Restore of Active Directory Objects An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary. QUESTION 22 Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. You need to create multiple password policies for users in your domain. What should you do? A. B. C. D.

From From From From

the Group Policy Management snap-in, create multiple Group Policy objects. the Schema snap-in, create multiple class schema objects. the ADSI Edit snap-in, create multiple Password Setting objects. the Security Configuration Wizard, create multiple security policies.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Answer: From the ADSI Edit snap-in, create multiple Password Setting objects. Explanation: http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide .. In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. .. To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema: Password Settings Container Password Settings The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container. ... Steps to configure fine-grained password and account lockout policies When the group structure of your organization is defined and implemented, you can configure and apply finegrained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps: Step 1: Create a PSO Step 2: Apply PSOs to Users and Global Security Groups Step 3: Manage a PSO Step 4: View a Resultant PSO for a User or a Global Security Group http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx Step 1: Create a PSO You can create Password Settings objects (PSOs): Creating a PSO using the Active Directory module for Windows PowerShell Creating a PSO using ADSI Edit Creating a PSO using ldifde QUESTION 23 You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server. You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console? A. B. C. D.

Enable debug logging. Enable automatic testing for simple queries. Configure event logging to log errors and warnings. Enable automatic testing for recursive queries.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Answer: Enable debug logging.

Explanation: http://technet.microsoft.com/en-us/library/cc753579.aspx DNS Tools Event-monitoring utilities The Windows Server 2008 family includes two options for monitoring DNS servers: Default logging of DNS server event messages to the DNS server log. DNS server event messages are separated and kept in their own system event log, the DNS server log, which you can view using DNS Manager or Event Viewer. The DNS server log contains events that are logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, for example, when the server starts but cannot locate initializing data and zones or boot information stored in the registry or (in some cases) Active Directory Domain Services (AD DS). You can use Event Viewer to view and monitor client-related DNS events. These events appear in the System log, and they are written by the DNS Client service at any computers running Windows (all versions). Optional debug options for trace logging to a text file on the DNS server computer. You can also use DNS Manager to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log, is stored in the %systemroot%\System32\Dns folder. http://technet.microsoft.com/en-us/library/cc776361%28v=ws.10%29.aspx Using server debug logging options The following DNS debug logging options are available: Direction of packets Send Packets sent by the DNS server are logged in the DNS server log file. Receive Packets received by the DNS server are logged in the log file. ... Further information: http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx Select and enable debug logging options on the DNS server QUESTION 24 Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates. You need to enable dynamic DNS updates on DC3. What should you do? A. Run the Dnscmd.exe /ZoneResetType command on DC3. B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller. C. Create a custom application directory partition on DC1. Configure the partition to store Active Directoryintegrated zones. D. Run the Ntdsutil.exe > DS Behavior commands on DC3. Correct Answer: B

Section: (none) Explanation Explanation/Reference: Answer: Reinstall Active Directory Domain Services on DC3 as a writable domain controller. Explanation: http://technet.microsoft.com/en-us/library/cc754218%28WS.10%29.aspx#BKMK_DDNS Appendix A: RODC Technical Reference Topics DNS updates for clients that are located in an RODC site When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain Name System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it is queried for the SOA record, it returns the name of a writable domain controller that runs Windows Server 2008 or later and hosts the Active Directory–integrated zone, just as a secondary DNS server handles updates for zones that are not Active Directory–integrated zones. After it receives the name of a writable domain controller that runs Windows Server 2008 or later, the client is then responsible for performing the DNS record registration against the writeable server. The RODC waits a certain amount of time, as explained below, and then it attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operation. Note: For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server that runs Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNS server must register a name server (NS) resource record for the zone. The Windows Server 2003 Branch Office Guide recommended restricting name server (NS) resource record registration to a subset of the available DNS servers. If you followed those guidelines and you do not register at least one writable DNS server that runs Windows Server 2008 or later as a name server for the zone, the DNS server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server 2003. That operation fails and generates a 4015 Error in the DNS event log of the RODC, and replication of the DNS record update will be delayed until the next scheduled replication cycle. Further information: http://technet.microsoft.com/en-us/library/dd737255%28v=ws.10%29.aspx Plan DNS Servers for Branch Office Environments This topic describes best practices for installing Domain Name System (DNS) servers to support Active Directory Domain Services (AD DS) in branch office environments. As a best practice, use Active Directory–integrated DNS zones, which are hosted in the application directory partitions named ForestDNSZones and DomainDNSZones. The following guidelines are based on the assumption that you are following this best practice. In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so that client computers in the branch office can still perform DNS lookups when the wide area network (WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS, using Dcpromo.exe. Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host Active Directory–integrated DNS zones. Note: You also have to configure the DNS client’s setting for the RODC so that it points to itself as its preferred DNS server. To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at least one writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which client computers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008 DNS server must register name server (NS) resource records for that zone. By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is because

the updates replicate back to the RODCs in their respective branch offices by means of a replicate-singleobject (RSO) operation, rather than waiting for the next scheduled replication cycle. For example, suppose that you add a new member server in a branch office, Branch1, which includes an RODC. The member server hosts an application that you want client computers in Branch1 to locate by using a DNS query. When the member server attempts to register its host (A or AAAA) resource records for its IP address to a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or Windows Server 2008 R2 DNS server that the RODC tracks in Branch1. If a writeable Windows Server 2008 DNS server hosts the DNS zone, the RODC in Branch1 replicates the updated zone information as soon as possible from the writeable Windows Server 2008 DNS server. Then, client computers in Branch1 can successfully locate the new member server by querying the RODC in Branch1 for its IP address. If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can still succeed against Windows Server 2003 DNS server if one is available but the updated record in the DNS zone will not replicate to the RODC in Branch1 until the next scheduled replication cycle, which can delay client computers that use the RODC DNS server for name resolution from locating the new member server. QUESTION 25 Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS server role installed. You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com. You discover that the DNS forwarding option is unavailable on DC2. You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Clear the DNS cache on DC2. Configure conditional forwarding on DC2. Configure the Listen On address on DC2. Delete the Root zone on DC2.

Correct Answer: BD Section: (none) Explanation Explanation/Reference: Answer: Delete the Root zone on DC2. Configure conditional forwarding on DC2. Explanation: http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network. You can also configure your server to forward queries according to specific domain names using conditional forwarders. http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5a342f9e169f5/ Deleting .root dns zone in 2008 DNS Q: We have 2 domain controllers and .root zone is created in the DNS. Due to which the external name

resolution is not possible. I had tried to add conditional forwarders but i get an error saying that conditional forwarders cannot be created on root DNS servers. A 1: If you have a "root" zone created in your DNS, and you no longer want that configuration, you can just simply delete that zone. There is no reason to have a root "." zone hosted unless you want to make sure that the DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for name resolution. If you delete this zone, the DNS server will be able to use its root hints, or fowarders to resolve queries for zones its not authoritative for. A 2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access while promoting the first DC. Jut remove it, and the Forwarders option reappear. s Further information: http://support.microsoft.com/kb/298148 How To Remove the Root Zone (Dot Zone) http://technet.microsoft.com/en-us/library/cc731879%28v=ws.10%29.aspx Reviewing DNS Concepts Delegation For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in the namespace. These paths are created by means of delegation. A delegation is a record in a parent zone that lists a name server that is authoritative for the zone in the next level of the hierarchy. Delegations make it possible for servers in one zone to refer clients to servers in other zones. The following illustration shows one example of delegation.

The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to a zone in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root server that, to find the com zone, it must contact the Com server. Likewise, the delegation in the com zone tells the Com server that, to find the contoso.com zone, it must contact the Contoso server. Note: A delegation uses two types of records. The name server (NS) resource record provides the name of an authoritative server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6 (IPv6) addresses of an authoritative server.

This system of zones and delegations creates a hierarchical tree that represents the DNS namespace. Each zone represents a layer in the hierarchy, and each delegation represents a branch of the tree. By using the hierarchy of zones and delegations, a DNS root server can find any name in the DNS namespace. The root zone includes delegations that lead directly or indirectly to all other zones in the hierarchy. Any server that can query the DNS root server can use the information in the delegations to find any name in the namespace. QUESTION 26 Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit. You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit. You also need to ensure that the application is not deployed to users in the R&D organizational unit. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. Configure the Block Inheritance setting on the R&D organizational unit. B. Configure the Enforce setting on the software deployment GPO. C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group. D. Configure the Block Inheritance setting on the Production organizational unit. Correct Answer: AC Section: (none) Explanation Explanation/Reference: Answer: Configure the Block Inheritance setting on the R&D organizational unit. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group. Explanation: http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx Managing inheritance of Group Policy .. Blocking Group Policy inheritance You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied. Enforcing a GPO link You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was known as "No override." ..

In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters. http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx Security filtering using GPMC Security filtering Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO. .. Notes: GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer. .. The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing. Further information: http://technet.microsoft.com/en-us/library/cc731076.aspx Block Inheritance http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups Active Directory Shadow groups In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5] The division of an organization's information infrastructure into a hierarchy of one or more domains and toplevel OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6] QUESTION 27 Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller. The Active Directory site requires a local Global Catalog server to support a new application.

You need to configure the domain controller as a Global Catalog server. Which tool should you use? A. B. C. D. E.

The Server Manager console The Active Directory Sites and Services console The Dcpromo.exe utility The Computer Management console The Active Directory Domains and Trusts console

Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: The Active Directory Sites and Services console Explanation: http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspx Configure a domain controller as a global catalog server To configure a domain controller as a global catalog server 1. Open Active Directory Sites and Services. ... Further information: http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx What Is the Global Catalog? The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers. In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server. Note: A global catalog server can also store a full, writable replica of an application directory partition, but objects in application directory partitions are not replicated to the global catalog as partial, read-only directory partitions. The global catalog is built and updated automatically by the AD DS replication system. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog. In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of all

attributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the global catalog by replicating only the attributes that change. In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not store any partial replica. A global catalog server in a single-domain forest functions in the same manner as a nonglobal-catalog server except for the processing of forest-wide searches. QUESTION 28 Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latency between the domain controllers. What should you do? A. B. C. D.

Decrease the replication schedule for the DEFAULTIPSITELINK object. Decrease the replication interval for the DEFAULTIPSITELINK object. Decrease the cost between the connection objects. Decrease the replication interval for all connection objects.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Answer: Decrease the replication interval for the DEFAULTIPSITELINK object. Personal comment: All sites are connected with the DEFAULTIPSITELINK object. on the stand alone server execute: DCPROMO --> and provide the information needed (2) an W2K or W2K3 AD forest already exists: --> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests) --> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests) --> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains) --> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains) --> on the stand alone server execute: DCPROMO --> and provide the information needed

QUESTION 45 Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. You disable an account that has administrative rights. You need to immediately replicate the disabled account information to all sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers. B. From the Active Directory Sites and Services console, select the existing connection objects and force replication. C. Use Repadmin.exe to force replication between the site connection objects. D. Use Dsmod.exe to configure all domain controllers as global catalog servers. Correct Answer: BC Section: (none) Explanation Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx Repadmin /syncall Synchronizes a specified domain controller with all of its replication partners. http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers From time to time its necessary to kick off AD replication to speed up a task you may be doing, or just a good too to check the status of replication between DC’s. Below is a command to replicate from a specified DC to all other DC’s. Repadmin /syncall DC_name /APed By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many.And with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name. http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspx Force replication over a connection To force replication over a connection 1. Open Active Directory Sites and Services. ...

QUESTION 46 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to capture all replication errors from all domain controllers to a central location. What should you do? A. Start the Active Directory Diagnostics data collector set. B. Start the System Performance data collector set. C. Install Network Monitor and create a new a new capture.

D. Configure event log subscriptions. Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc748890.aspx Configure Computers to Forward and Collect Events Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source). http://technet.microsoft.com/en-us/library/cc749183.aspx Event Subscriptions Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. http://technet.microsoft.com/en-us/library/cc961808.aspx Replication Issues

QUESTION 47 Your company has an Active Directory forest that contains client computers that run Windows Vista and Microsoft Windows XP. You need to ensure that users are able to install approved application updates on their computers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Set up Automatic Updates through Control Panel on the client computers. B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site. C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates. D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates. Correct Answer: CD Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx

Configure Automatic Updates by Using Group Policy When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO) linked to an Active Directory container appropriate for your environment. QUESTION 48 Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named Sales Managers and Sales Executives. You need to apply desktop restrictions to the Sales Executives group. You must not apply these desktop restrictions to the Sales Managers group. You create a GPO named DesktopLockdown and link it to the Sales organizational unit. What should you do next? A. B. C. D.

Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. Configure the Deny Apply Group Policy permission for the Sales Executives on the DesktopLockdown GPO. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. Configure the Deny Apply Group Policy permission for the Sales Managers on the DesktopLockdown GPO.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/816100 How to prevent domain Group Policies from applying to certain user or computer accounts Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups. http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/ Best Practice: How to exclude individual users or computers from a Group Policy Object One of the common question I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straight forward process however I should stress this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO. Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button.

Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.

Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against the “Apply Group Policy” permission.

Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control as someone only needs to modify the group membership of the group to makes changes to who (or what) get the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grant them permission to the Group Policy Objects. QUESTION 49 Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. You need to remove the child domain from the Active Directory forest. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain. B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain. C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role. D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain. Correct Answer: CD

Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx Decommissioning a Domain Controller To complete this task, perform the following procedures: 1. View the current operations master role holders 2. Transfer the schema master 3. Transfer the domain naming master 4. Transfer the domain-level operations master roles 5. Determine whether a domain controller is a global catalog server 6. Verify DNS registration and functionality 7. Verify communication with other domain controllers 8. Verify the availability of the operations masters 9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key 10. Uninstall Active Directory 11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active Directory, perform the following procedure to re-import the certificate to the server: Import a certificate 12. Determine whether a Server object has child objects 13. Delete a Server object from a site http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx Uninstall Active Directory To uninstall Active Directory 1. Click Start, click Run, type dcpromo and then click OK. ... QUESTION 50 Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You plan to create a new Active Directory-integrated zone. You need to ensure that the new zone is only replicated to four of your domain controllers. What should you do first? A. B. C. D.

From the command prompt, run dnscmd and specify the /createdirectorypartition parameter. Create a new delegation in the ForestDnsZones application directory partition. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter. Create a new delegation in the DomainDnsZones application directory partition.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as D/Q25 and K/Q17, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's

what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.

Reference 1: http://technet.microsoft.com/en-us/library/cc725739.aspx Store Data in an AD DS Application Partition You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition. Reference 2: http://technet.microsoft.com/en-us/library/cc730970.aspx partition management Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). This is a subcommand of Ntdsutil and Dsmgmt. Examples To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps: 1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, rightclick Command Prompt, and then click Run as administrator. 2. Type: ntdsutil 3. Type: Ac in ntds 4. Type: partition management 5. Type: connections 6. Type: Connect to server DC_Name 7. Type: quit 8. Type: list The following partitions will be listed: 0 CN=Configuration,DC=Contoso,DC=com 1 DC=Contoso,DC=com 2 CN=Schema,CN=Configuration,DC=Contoso,DC=com 3 DC=DomainDnsZones,DC=Contoso,DC=com 4 DC=ForestDnsZones,DC=Contoso,DC=com 9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com 10. Run the list command again to refresh the list of partitions.

Exam B QUESTION 1 You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS Server for contoso.com. You install the DNS Server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do? A. B. C. D.

On DC1, modify the permissions of contoso.com zone. On Server1, add a conditional forwarder. On DC1, modify the zone transfer settings for the contoso.com zone. Add the Server1 computer account to the DNSUpdateProxy group.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as J/Q23 and K/Q45. Reference: http://technet.microsoft.com/en-us/library/cc771652.aspx Modify Zone Transfer Settings You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer. To modify zone transfer settings using the Windows interface 1. Open DNS Manager. 2. Right-click a DNS zone, and then click Properties. 3. On the Zone Transfers tab, do one of the following: To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box. 4. If you allowed zone transfers, do one of the following: To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. QUESTION 2 Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA). You need to ensure that only administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers. B. Modify the security settings on the template to allow only administrators to request code signing certificates. C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy. D. Publish the code signing template. Correct Answer: BD Section: (none) Explanation Explanation/Reference: http://techblog.mirabito.net.au/?p=297 Generating and working with code signing certificates A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte). For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted. In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code. A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question. Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it. ... QUESTION 3 Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server. When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available. You need to install the AD CS role as an Enterprise CA. What should you do first? A. B. C. D.

Add the DNS Server role. Add the Active Directory Lightweight Directory Service (AD LDS) role. Add the Web server (IIS) role and the AD CS role. Join the server to the domain.

Correct Answer: D

Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx Active Directory Certificate Services Step-by-Step Guide http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/ Enterprise CA option is greyed out / unavailable Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it’s unavailable as in following picture:

Well, you need to fulfill basic requirements: Server machine has to be a member server (domain joined). You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows Edition. The difference is the number of ADCS features and components that can be enabled. To get full functionality, you need to run on Enterprise or Data Center

Windows Server 2008 /R2/ Editions. It includes functionality like Role separation, Certificate manager restrictions, Delegated enrollment agent restrictions, Certificate enrollment across forests, Online Responder, Network Device Enrollment. In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through a group nesting). If issue still persists, there is probably a problem with getting correct credentials of your account. There are many thing that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I got, this troubleshooting helped perfectly: First of all, carefully check all above requirements. Secondly, install all available patches and Service Packs with Windows Update before trying to install Enterprise CA. Check network settings on the CA Server. If there is no DNS setting, Certificate Authority Server cannot resolve and find domain. Sufficient privileges for writing the Enterprise CA configuration information in AD configuration partition are required. Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install ADCS with. In fact, you may be sure, that your account is in Enterprise Admins group, but check this how CA Server “sees” your account membership by typing whoami /groups. You also need to be a member of local Administrators group. If you are not, you wouldn’t be able to run Server Manager, but still needs to be checked. View C:\windows\certocm.log file. There you can find helpful details on problems with group membership. For example status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that needed memberships are not correct. Don’t forget to check event viewer on CA Server side and look for red lines. Verify that network devices or software&hardware firewalls are not blocking access from/to server and Domain Controllers. If so, Certificate Authority Server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName

Check also whether Server CA is connected to a writable Domain Controller. Enterprise Admins groups is the most powerful group and has ADCS required full control permissions, but who knows – maybe someone changed default permissions? Run adsiedit.msc on Domain Controller, connect to default context and first of all check if CN=Public Key Service,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container does exist. If so, check permissions for all subcontainers under Public Key Service if Enterprise Admins group has full control permissions. The main subcontainers to verify are Certificate Templates, OID, KRA containers. If no above tips help, disjoin the server from domain and join again. Ultimately reinstall operation system on CA Server. QUESTION 4

Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2. The DNS servers are configured as shown in the following table.

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites. You need to enable Internet name resolution for all client computers. What should you do? A. B. C. D.

Update the list of root hints servers on DNS2. Create a copy of the .(root) zone on DNS1. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/298148 How To Remove the Root Zone (Dot Zone) When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone. QUESTION 5 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. You upgrade all domain controllers to Windows Server 2008. You need to configure the Active Directory environment to support the application of multiple password policies. What should you do? A. B. C. D.

Raise the functional level of the domain to Windows Server 2008. On one domain controller, run dcpromo /adv. Create multiple Active Directory sites. On all domain controllers, run dcpromo /adv.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server® 2008 domains. In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons. In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. Requirements and special considerations for fine-grained password and account lockout policies Domain functional level: The domain functional level must be set to Windows Server 2008 or higher. etc... QUESTION 6 Your company has two Active Directory forests named contoso.com and fabrikam.com. The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table:

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server. Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain. You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries. What should you do? A. B. C. D.

Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3. Create a copy of the _msdcs.contoso.com zone on the DNS3 server. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names

using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.

... Conditional forwarders A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. QUESTION 7 Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains. You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain. What should you do? A. B. C. D.

Decrease the replication interval for all Connection objects. Decrease the replication interval for the DEFAULTIPSITELINK site link. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc754538.aspx Understanding When to Create a Shortcut Trust When to create a shortcut trust

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process. Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees. Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.

Using one-way trusts A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests—but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path. Using two-way trusts A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path. QUESTION 8 Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you install the application. The registry modifications are in a file that has an .adm extension. You need to prepare the target computers for the application. What should you do? A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers. B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer. C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer. D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer. Correct Answer: A

Section: (none) Explanation Explanation/Reference: http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm Adding New Administrative Templates to a GPO Adding .ADM files to the Administrative Templates in a GPO In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the next steps: 1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Stat menu, or by typing gpmc.msc in the Run command. 2. Right-click an existing GPO (or create an new GPO, then right-click on it) and select Edit. ... QUESTION 9 Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One of these GPOs publishes applications to user objects. A user reports that the application is not available for installation. You need to identify whether the GPO has been applied. What should you do? A. B. C. D.

Run the Group Policy Results utility for the user. Run the GPRESULT /S /Z command at the command prompt. Run the GPRESULT /SCOPE COMPUTER command at the command prompt. Run the Group Policy Results utility for the computer.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Personal note: you run the utility for the user and not for the computer because the application publishes to user objects http://technet.microsoft.com/en-us/library/bb456989.aspx How to Use the Group Policy Results (GPResult.exe) Command Line Tool Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy settings in effect for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management. By default, GPResult returns settings in effect on the computer on which GPResult is run. To run GPResult on your own computer: 1. Click Start, Run, and enter cmd to open a command window. 2. Type gpresult and redirect the output to a text file as shown in Figure 1 below:

Figure 1. Directing GPResult data to a text file

3. Enter notepad gp.txt to open the file. Results appear as shown in the figure below.

Figure 2. Verifying policies with GPResult Administrators can also direct GPResult to other users and computers. QUESTION 10 Your company has an Active Directory domain. You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2. You need to ensure that members of the Account Operators group are able to issue smartcard credentials. They should not be able to revoke certificates. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.) A. B. C. D. E. F.

Create an Enrollment Agent certificate. Create a Smartcard logon certificate. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group. Install the AD CS role and configure it as an Enterprise Root CA. Install the AD CS role and configure it as a Standalone CA. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.

Correct Answer: BCD Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspx AD CS: Restricted Enrollment Agent

The restricted enrollment agent is a new functionality in the Windows Server® 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users. What does the restricted enrollment agent do? Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations. On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA. http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx Enterprise certification authorities The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card. An enterprise CA has the following features: An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA. Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules. An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates: Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor. The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use. http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx Stand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A stand-alone CA has the following characteristics: Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module. When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database. By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA. Certificate templates are not used. No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves. When a stand-alone CA uses Active Directory, it has these additional features: If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester. If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory. QUESTION 11 You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct. You need to identify the cause of the failure. You also need to ensure that the new users are able to log on. Which utility should you run? A. B. C. D.

Active Directory Domains and Trusts Repadmin Rstools Rsdiag

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Repadmin allows us to check the replication status and also allows us to force a replication between domain controllers. Reference: http://technet.microsoft.com/en-us/library/cc770963.aspx Repadmin /replsummary Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report. Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions. Repadmin /syncall Synchronizes a specified domain controller with all replication partners. QUESTION 12 Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone for contoso.com. You have a Unix-based DNS server. You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS server. What should you do in the DNS Manager console? A. B. C. D.

Enable BIND secondaries Create a stub zone Disable recursion Create a secondary zone

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dns-serverbind-secondaries/ Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BIND Secondaries) BIND Secondaries controls the zone transfer between different vendor DNS server. It help verifies the type of format used zone transfer, whether it is fast or slow transfer (zone transfer). The full mean of BIND is Berkeley Internet Name domain (BIND). BIND is a based on UNIX operating system. Two window servers do not required BIND. BIND is only required when transfer dns zone between two different dns server vendors (UNIX and Microsoft Window). If you are using only Window server for dns and zone transfer you will have to disable this option in the window dns server. However if you want the server to perform a slow zone transfer and uncompressed data transfer then you will have to enable BIND in the dns server. To reiterate, BIND only provide slow dns zone transfer and data compression mechanism for DNS server. BIND is understood to have been introduced in window server to support UNIX. System admin will normally disable this option if they want the data in their dns zone transfer to between

primary and secondary dns server to be transfer faster in order to improve dns queries efficiency within their network environment Bind is used in a DNS window server, when the needs to configured zone transfer between window server and UNIX server or operative system. Bind is enabled when a window server is configured as a primary dns server and a UNIX computer is configured as a secondary dns server for zone transfer. BIND Secondaries need to be configured to mitigate, the problem of interoperability between the two server operating system since they are from different vendors. Note that old version of the BIND was noted to be very slow and uses an uncompressed zone transfer format. However, BIND in window server 2008 and later has improved this problem. This is because it was noted that BIND in window server 2008 and later uses faster, compressed format during zone transfer between primary and secondary DNS server configured in for different server operating system (UNIX and Window server). QUESTION 13 Your company has an Active Directory domain. You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC). You need to access the Active Directory Schema snap-in. What should you do? A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager. B. Log off and log on again by using an account that is a member of the Schema Administrators group. C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing. D. Register Schmmgmt.dll. Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc732110.aspx Install the Active Directory Schema Snap-In You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC). To install the Active Directory Schema snap-in 1. To open an elevated command prompt, click Start , type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK . To open an elevated command prompt in Windows Server 2012, click Start , type cmd , right click cmd and then click Run as administrator . 2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll 3. Click Start , click Run , type mmc and then click OK . 4. On the File menu, click Add/Remove Snap-in . 5. Under Available snap-ins , click Active Directory Schema , click Add and then click OK . 6. To save this console, on the File menu, click Save . 7. In the Save As dialog box, do one of the following: * To place the snap-in in the Administrative Tools folder, in File name , type a name for the snap-in, and then click Save . * To save the snap-in to a location other than the Administrative Tools folder, in Save in , navigate to a location for the snap-in. In File name , type a name for the snap-in, and then click Save .

QUESTION 14 Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server. You need to audit changes to the CA configuration settings and the CA security settings. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A. Configure auditing in the Certification Authority snap-in. B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32% \CertSrv directory. C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory. D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server. Correct Answer: AD Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772451.aspx Configure CA Event Auditing You can audit a variety of events relating to the management and activities of a certification authority (CA): Back up and restore the CA database. Change the CA configuration. Change CA security settings. Issue and manage certificate requests. Revoke certificates and publish certificate revocation lists (CRLs). Store and retrieve archived keys. Start and stop Active Directory Certificate Services (AD CS). To configure CA event auditing 1. Open the Certification Authority snap-in. 2. In the console tree, click the name of the CA. 3. On the Action menu, click Properties. 4. On the Auditing tab, click the events that you want to audit, and then click OK. 5. On the Action menu, point to All Tasks, and then click Stop Service. 6. On the Action menu, point to All Tasks, and then click Start Service. Additional considerations To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies. QUESTION 15 Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008. You perform the following activities: Create a global distribution group. Add users to the global distribution group. Create a shared folder on a Windows Server 2008 member server. Place the global distribution group in a domain local group that has access to the shared folder. You need to ensure that the users have access to the shared folder.

What should you do? A. B. C. D.

Add the global distribution group to the Domain Administrators group. Change the group type of the global distribution group to a security group. Change the scope of the global distribution group to a Universal distribution group. Raise the forest functional level to Windows Server 2008.

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://kb.iu.edu/data/ajlt.html In Microsoft Active Directory, what are security and distribution groups? In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below: Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists. Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings. http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx Group types QUESTION 16 Your company hires 10 new employees. You want the new employees to connect to the main office through a VPN connection. You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office. The new employees are unable to access shared resources in the main office. You need to ensure that users are able to establish a VPN connection to the main office. What should you do? A. B. C. D.

Grant the new employees the Allow Access Dial-in permission. Grant the new employees the Allow Full control permission. Add the new employees to the Remote Desktop Users security group. Add the new employees to the Windows Authorization Access security group.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx Dial-in properties of a user account

The dial-in properties for a user account are: Remote Access Permission (Dial-in or VPN) You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt. ... QUESTION 17 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller. What should you do? A. B. C. D.

Review performance data in Resource Monitor. Review the Hardware Events log in the Event Viewer. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/ Active Directory Diagnostics Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the installation of SPA. SPA is helpful because the Active Directory data set collects performance data and it generates XML based diagnostic reports that make analyzing AD performance issues easier by identifying the IP addresses of the highest volume callers and the type of network traffic that is placing the most loads on the CPU. Download SPA tool: http://www.microsoft.com/en-us/download/details.aspx?id=15506 Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and you don’t have to install SPA anymore. This performance feature is located in the Server Manager snap-in under the Diagnostics node and when the Active Directory Domain Services Role is installed the Active Directory Diagnostics data collector set is automatically created under System as shown here.

When you will check the properties of the collector you will notice that the data is stored under %systemdrive% \perflogs, only now it is under the \ADDS folder and when a data collection is run it creates a new subfolder called YYYYMMDD-#### where YYYY = Year, MM = Month and DD=Day and #### starts with 0001 . Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line.

To start the data collector set, you just have to right click on Active Directory Diagnostics data collector set and select Start. Data will be stored at %systemdrive%\perflogs location.

Once you’ve gathered your data, you will have these interesting and useful reports under Report section, to aid in your troubleshooting and server performance trending.

Further information: http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx Monitoring Your Branch Office Environment http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx Son of SPA: AD Data Collector Sets in Win2008 and beyond QUESTION 18 Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers. You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Run the adprep /domainprep command. Raise the forest functional level to Windows Server 2008. Raise the domain functional level to Windows Server 2008. Run the adprep /forestprep command.

Correct Answer: AD Section: (none) Explanation Explanation/Reference: http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm Prepare your Domain for the Windows Server 2008 R2 Domain Controller Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do

so by running a tool called ADPREP. ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system. Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2. What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following: Updating the Active Directory schema Updating security descriptors Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder Creating new objects, as needed Creating new containers, as needed To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks: Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as a regular member server, none of the following tasks are required. Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, not can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4). First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?). Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain. Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website. If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor). Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe. Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).

To perform this procedure, you must use an account that has membership in all of the following groups: Enterprise Admins Schema Admins Domain Admins for the domain that contains the schema master Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better... Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in windows Server 2008 and Windows Vista. In the Command Prompt window, type the following command: adprep /forestprep

You will be prompted to type the letter "c" and then press ENTER. After doing so, process will begin.

ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.

When completed, you will receive a success message.

Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a nonDC, you will get this error: Adprep cannot run on this platform because it is not an Active Directory Domain Controller. [Status/Consequence] Adprep stopped without making any changes. [User Action] Run Adprep on a Active Directory Domain Controller.

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. In the Command Prompt window, type the following command: adprep /domainprep Process will take less than a second.

ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode you will get this error: Adprep detected that the domain is not in native mode [Status/Consequence] Adprep has stopped without making changes. [User Action] Configure the domain to run in native mode and re-run domainprep Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed. If you're running a Windows 2000 Active Directory domain, you must also the following command: adprep /domainprep /gpprep Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, if you're planing to run Read Only Domain controllers (RODCs), you must also type the following command:

adprep /rodcprep If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2. Process will complete in less than a second.

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. To verify that adprep /forestprep completed successfully please perform these steps: 1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools. 2. Click Start, click Run, type ADSIEdit.msc, and then click OK. 3. Click Action, and then click Connect to. 4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK. 5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain. 6. Double-click CN=ForestUpdates. 7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

9. Click ADSI Edit, click Action, and then click Connect to. 10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK. 11. Double-click Schema. 12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.

13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

QUESTION 19 You need to identify all failed logon attempts on the domain controllers. What should you do?

A. B. C. D.

View the Netlogon.log file. View the Security tab on the domain controller computer object. Run Event Viewer. Run the Security and Configuration Wizard.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/174074 Security Event Descriptions This article contains descriptions of various security-related and auditing- related events, and tips for interpreting them. These events will all appear in the Security event log and will be logged with a source of "Security." Event ID: 529 Type: Failure Audit Description: Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 530 Type: Failure Audit Description: Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 531 Type: Failure Audit Description: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 532 Type: Failure Audit Description: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 533 Type: Failure Audit Description: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 534 Type: Failure Audit

Description: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 535 Type: Failure Audit Description: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 536 Type: Failure Audit Description: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 537 Type: Failure Audit Description: Logon Failure: Reason: An unexpected error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 QUESTION 20 Your company has a DNS server that has 10 Active Directory integrated zones. You need to provide copies of the zone files of the DNS server to the security department. What should you do? A. B. C. D.

Run the dnscmd /ZoneInfo command. Run the ipconfig /registerdns command. Run the dnscmd /ZoneExport command. Run the ntdsutil > Partition Management > List commands.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://servergeeks.wordpress.com/2012/12/31/dns-zone-export/ DNS Zone Export In Non-AD Integrated DNS Zones DNS zone file information is stored by default in the %systemroot%\windows\system32\dns folder. When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondary zones that are not AD integrated. The files will be named as .dns.

In AD Integrated DNS Zones AD-integrated zones are stored in the directory they do not have corresponding zone files i.e. they are not stored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory. Now it is important task for us to take a backup of these AD integrated zones before making any changes to DNS infrastructure. Dnscmd.exe can be used to export the zone to a file. The syntax of the command is: DnsCmd /ZoneExport — FQDN of zone to export /Cache to export cache As an example, let’s say we have an AD integrated zone named habib.local, our DC is server1. The command to export the file would be: Dnscmd server1 /ZoneExport habib.local habib.local.bak

You can refer to a complete article on DNSCMD in Microsoft TechNet website http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx QUESTION 21 Your company has an Active Directory forest. The company has three locations. Each location has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. The company plans to deploy a Microsoft Office 2007 application on all computers within the three Sales organizational units. You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units. What should you do? A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application

to the computer account. Link the SalesAPP GPO to the domain. B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location. D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. Correct Answer: C Section: (none) Explanation Explanation/Reference: Almost the same as A/Q38 Self explanatory. QUESTION 22 Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers. You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices. At which level should you deactivate UGMC? A. B. C. D.

Server Connection object Domain Site

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://www.ntweekly.com/?p=788 Question:How To Enable Or Disable Universal Group Membership Caching Windows Server 2008 Answer: Universal Group Membership Caching enables us to allow users to log on to the network without contacting a Global Catalog server, this is recommended to use in remote sites without global a catalog server. To enable or disable Universal Group Membership Caching follow the steps below: Open Active Directory Sites And Service -> Go to the site you need to enable or disable the feature -> Right click on the NTDS Site Settings and Click on Properties

Tick the Box next to Enable Universal Group Membership Caching to Enable or Disable.

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91 Script to Disable Universal Group Membership Caching in all Sites How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user’s membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of Universal Groups a user is member of rather than contacting a Global Catalog. Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user’s account at the time the user logs on to the domain to the authenticating domain controller. UGMC is generally a good idea for multiple domain forests when: 1. Universal Group membership does not change frequently. 2. Low WAN bandwidth between Domain Controllers in different sites. It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs. QUESTION 23 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R). What should you do? A. B. C. D.

From the command prompt, run dfsutil /addroot:sysvol. From the command prompt, run netdom /reset. From the command prompt, run dcpromo /unattend:unattendfile.xml. Raise the functional level of the domain to Windows Server 2008 R2.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc794837%28v=ws.10%29.aspx Introduction to Administering DFS-Replicated SYSVOL SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain. Note: For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller. .. Using DFS Replication for replicating SYSVOL in Windows Server 2008 Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).

QUESTION 24 Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Raise the functional level of the forest to Windows Server 2008. Deploy a Windows Server 2008 domain controller at the main office. Raise the functional level of the domain to Windows Server 2008. Run the adprep/rodcprep command.

Correct Answer: BD Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx Prerequisites for Deploying an RODC Complete the following prerequisites before you deploy a read-only domain controller (RODC): Ensure that the forest functional level is Windows Server 2003 or higher Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. There are different versions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2. 1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows: * Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. * Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. * If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. 2. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

QUESTION 25 Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3. You need to use your client computers to edit domainbased GPOs by using the ADMX files that are stored in the ADMX central store.

What should you do? A. B. C. D.

Add your account to the Domain Admins group. Upgrade your client computers to Windows 7. Install .NET Framework 3.0 on your client computers. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx Managing Group Policy ADMX Files Step-by-Step Guide Microsoft Windows Vista® and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools —Group Policy Object Editor and Group Policy Management Console—remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks. http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003-environments.aspx Questions on ADMX in Windows XP and Windows 2003 environments We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was: “…What’s the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…” The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that’s created. Its just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous – this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat. In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relies on a central or local store of these templates (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc). In the question above, the person wanted to know if copying the local store, located under c:/windows/ policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and referenced by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can. Here’s the confusion-reducing scoop – Group Policy as a platform only relies on two main factors. Active Directory to store metadata about the policy objects and to allow client discoverability for the location of the policy files. The other is the SYSVOL to store the policy files. So at its core that’s LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that’s very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates – not GP itself. So if you don't currently use them then you don't have to update schema.

So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy Preferences. Honestly – it amazes us the amount of IT Pros that still haven’t discovered GPP…especially with the power it has to practically eliminate logon scripts! As a last point – IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start! QUESTION 26 Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup features installed. You need to perform a non-authoritative restore of the doman controller using an existing backup file. What should you do? A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critical volume B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critical volume C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volume D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume Correct Answer: A Section: (none) Explanation Explanation/Reference: almost identical to B42 http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx Performing Nonauthoritative Restore of Active Directory Domain Services A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller. You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS. Nonauthoritative Restore Requirements You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller. On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory

Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system. To perform a nonauthoritative restore, you need one of the following types of backup for your backup source: System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command. Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command. Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. QUESTION 27 Your company has an Active Directory domain. All servers run Windows Server. You deploy a Certification Authority (CA) server. You create a new global security group named CertIssuers. You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates. What should you do? A. B. C. D.

Assign the Certificate Manager role to the CertIssuers group Place CertIssuers group in the Certificate Publisher group Run the certsrv -add CertIssuers command promt of the certificate server Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows Powershell

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx Role-based administration Role explanation Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

.. Certificate Manager: Delete multiple rows in database (bulk deletion) Issue and approve certificates Deny certificates Revoke certificates Reactivate certificates placed on hold Renew certificates Recover archived key Read CA database Read CA configuration information ... QUESTION 28 Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain. You need to create the computer accounts in an OU. What should you do? A. B. C. D.

Run the csvde -f computers.csv command Run the ldifde -f computers.ldf command Run the dsadd computer command Run the dsmod computer command

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc754539%28v=ws.10%29.aspx Dsadd computer Syntax: dsadd computer [-samid ] [-desc ] [-loc ] [-memberof ] [{-s | -d }] [-u ] [-p { | *}] [-q] [{-uc | -uco | -uci}] Personal comment:

you use ldifde and csvde to import and export directory objects to Active Directory http://support.microsoft.com/kb/237677 http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx QUESTION 29 Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7. You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone. You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone. What should you do first? A. B. C. D.

On the member server, add a conditional forwarder. On the member server, install Active Directory Domain Services. Add all computer accounts to the DNS UpdateProxy group. Convert the standard primary zone to an Active Directory-integrated zone.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. How DNS integrates with AD DS When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain. Benefits of AD DS integration For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits: DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller

for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones. Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication. QUESTION 30 Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist. You need to configure the contoso.com zone to automatically remove expired records. What should you do? A. B. C. D.

Enable only secure updates on the contoso.com zone, Enable scavenging and configure the refresh interval on the contoso.com zone. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://www.it-support.com.au/configure-aging-and-scavenging-of-a-dns-server/2012/12/ Configure aging and scavenging of a DNS Server Resource records that are either outdated or decayed from DNS zone data are removed through the use of the Server aging and scavenging feature in Windows Server 2008. Issues develop if decayed resource records are not dealt with, such as: Zone transfers take longer as the DNS server disk space contains a large number of stale records The accumulation of stale records degrades the DNS server performance and response time Potential conflicts can occur, if an IP address in a dynamic DNS environment is assigned to a different host. By default, the aging and scavenging feature is disabled. In order to use this particular feature, the user is required to enable the operations on the zone and at the DNS server. In addition, a user is able to manually enable individual resource records to be aged and scavenged. This process involves permitting the records to use the current (non-zero) timestamp value. The aging and scavenging operation figures out when the records should be cleared by reviewing their timestamps. The DNS Server uses a simple equation when setting a time value on a record: current server time + refresh interval.

Procedure: Navigate to Start - Administrative Tools – DNS Manager. Right click the relevant DNS server and select Set Aging/Scavenging for All Zones from the drop down list.

The Server Aging/Scavenging Properties dialog box opens. Tick the option Scavenge stale resource records. Under the No-refresh interval heading, specify the duration for which the server must not refresh its records. Configuring this setting reduces replication traffic as unnecessary updates to existing records are prevented. Under the Refresh interval heading, specify the duration for which the server must refresh its records. The fresh interval is the time required between when a no-refresh interval expires and when a record is considered stale. When you have configured these settings, click OK to continue.

A confirmation box appears showing a summary of your settings. Tick the Apply these settings to the existing Active Directory-integrated zones option and click OK.

The Aging and Scavenging intervals have now been configured for all zones managed by the DNS server. http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-bepatient.aspx Don't be afraid of DNS Scavenging. Just be patient. http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bb556cfb-3217-4dcf-af4f-460366faa1b8 Answered Best Practices configuration for DNS server on Windows 2008 R2 Server (aging/scavenging, etc.) QUESTION 31 You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certification authority (CA) server that meets the following requirements: Allows the certification authority to automatically issue certificates Integrates with Active Directory Domain Services What should you do? A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA. B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA. C. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA. D. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store of the schema master. Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx Enterprise certification authorities The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA).

Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card. An enterprise CA has the following features: An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA. Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules. An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates: Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor. The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use. http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx Stand-alone certification authorities You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A stand-alone CA has the following characteristics: Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module. When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database. By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA. Certificate templates are not used. No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves. When a stand-alone CA uses Active Directory, it has these additional features:

If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester. If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory. QUESTION 32 You have a Windows Server 2008 R2 Enterprise Root certification authority (CA). You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates. You grant the Account Operators group the Issue and Manage Certificates permission on the CA. Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.) A. B. C. D. E.

Enable the Restrict Enrollment Agents option on the CA. Enable the Restrict Certificate Managers option on the CA. Add the Basic EFS certificate template for the Account Operators group. Grant the Account Operators group the Manage CA permission on the CA. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCE Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx Role-based administration Role explanation Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

.. Certificate Manager: Delete multiple rows in database (bulk deletion) Issue and approve certificates Deny certificates Revoke certificates Reactivate certificates placed on hold Renew certificates Recover archived key Read CA database Read CA configuration information ... http://technet.microsoft.com/en-us/library/cc753372.aspx Restrict Certificate Managers A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificatespermission. When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group. This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA. .. To configure certificate manager restrictions for a CA: 1. Open the Certification Authority snap-in, and right-click the name of the CA. 2. Click Properties, and then click the Security tab. 3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply. 4. Click the Certificate Managers tab. 5. Click Restrict certificate managers, and verify that the name of the group or user is displayed. 6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage. 7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK. 8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny. 9. When you are finished configuring certificate manager restrictions, click OK or Apply.

QUESTION 33 Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2. You need to ensure users are able to enroll new certificates. What should you do? A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA.

B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the SysternCertificates folder in the users' profile. C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations. D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations. Correct Answer: A Section: (none) Explanation Explanation/Reference: ????? http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx Offline Root Certification Authority (CA) A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path. CA Compromise If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with limited access. To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA. How Do Offline CAs issue certificates? Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB drive, CD/DVD) and then physically transported to the subordinate CAs that need the certificate in order to perform their tasks. If the subordinate CA is a non-issuing intermediate that is offline, then it will also be used to generate a certificate and that certificate will be placed on removable media. Each CA receives its authorization to issue certificates from the CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same level of the CA hierarchy. Issuing CAs are typically online and used to issue certificates to client computers, network devices, mobile devices, and so on. Do not join offline CAs to an Active Directory Domain Services domain Since offline CAs should not be connected to a network, it does not make sense to join them to an Active Directory Domain Services (AD DS) domain, even with the Offline Domain Join [This link is external to TechNet Wiki. It will open in a new window.] option introduced with Windows 7 and Windows Server 2008 R2. Furthermore, installing an offline CA on a server that is a member of a domain can cause problems with a secure channel when you bring the CA back online after a long offline period. This is because the computer account password changes every 30 days. You can get around this by problem and better protect your CA by making it a member of a workgroup, instead of a domain. Since Enterprise CAs need to be joined to an AD DS domain, do not attempt to install an offline CA as a Windows Server Enterprise CA. http://technet.microsoft.com/en-us/library/cc740209%28v=ws.10%29.aspx Renewing a certification authority A certification authority may need to be renewed for either of the following reasons: Change in the policy of certificates issued by the CA Expiration of the CA's issuing certificate

QUESTION 34 Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA. The Enterprise Intermediate CA certificate expires. You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain. What should you do? A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server. B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server. C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object. D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object. Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc962065.aspx Certification Authority Trust Model Certification Authority Hierarchies The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called the certification hierarchy, to provide scalability, ease of administration, and compatibility with a growing number of commercial third-party CA services and public key-aware products. In its simplest form, a certification hierarchy consists of a single CA. However, the hierarchy usually contains multiple CAs that have clearly defined parent-child relationships. Figure 16.5 shows some possible CA hierarchies.

Figure 16.5 Certification Hierarchies You can deploy multiple CA hierarchies to meet your needs. The CA at the top of the hierarchy is called a root CA . Root CAs are self-certified by using a self-signed CA certificate. Root CAs are the most trusted CAs in the organization and it is recommended that they have the highest security of all. There is no requirement that all CAs in an enterprise share a common top-level CA parent or root. Although trust for CAs depends on each domain's CA trust policy, each CA in the hierarchy can be in a different domain. Child CAs are called subordinate CAs . Subordinate CAs are certified by the parent CAs. A parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues certificates only to subordinate CAs. An issuing CA issues certificates to users, computers, or services. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-4783-8002c08b9c7d4149 Forum FAQ: How to import certificate into Intermediate Certification Authorities store? Question: How to import certificate into Intermediate Certification Authorities store? Answer: In Windows Server 2008 or Windows Server 2008 R2 domain, we can import intermediate CA certificates using group policy: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Intermediate Certification AUthorities The policy is not available in Windows Server 2003. For Windows 2003 domain, you can write a script that uses the following command to push out the intermediate CA certificate via group policy. The server will have to be rebooted for this to take effect. Certutil –f –addstore CA .crt Note: CA is the programmatic name of the Intermediate Certification Authorities store. QUESTION 35

Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates. You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL \domain\Policies\PolicyDefinitions\FR . You need to ensure that the French-language version of the templates is available. What should you do? A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copy the ADM files to the FR folder. B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator. C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator. D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator. Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772507%28v=ws.10%29.aspx .admx and .adml File Structure In order to support the multilingual display of policy settings, the ADMX file structure must be broken into two types of files: A language-neutral file, .admx, describing the structure of the categories and Administrative template policy settings displayed in the Group Policy Management Console (GPMC) or Local Group Policy Editor. A set of language-dependent files, .adml, providing the localized portions displayed in the GPMC or Local Group Policy Editor. Each .adml file represents a single language you wish to support. Language-neutral file (.admx) structure .. Language resource file (.adml) structure The language resource files, .adml, provide the language specific information needed by the language neutral file. The language neutral file will then reference specific sections of the language resource file in order for the GPMC or Local Group Policy Editor to display a policy setting in the correct language. .. QUESTION 36 A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails. You need to enable the user to join a single computer to the domain. You must ensure that the user is denied any additional rights beyond those required to complete the task. What should you do? A. Prestage the computer account in the Active Directory domain. B. Add the user to the Domain Administrators group for one day.

C. Add the user to the Server Operators group in the Active Directory domain. D. Grant the user the right to log on locally by using a Group Policy Object (GPO). Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc770832%28v=ws.10%29.aspx#BKMK_1 Prestaging Client Computers Benefits of Prestaging Client Computers Prestaging clients provides three main benefits: An additional layer of security. You can configure Windows Deployment Services to answer only prestaged clients, therefore ensuring that clients that are not prestaged will not be able to boot from the network. Additional flexibility. Prestaging clients increases flexibility by enabling you to control the following. For instructions on performing these tasks, see the “Prestage Computers” section of How to Manage Client Computers. * The computer account name and location within AD DS. * Which server the client should network boot from. * Which network boot program the client should receive. * Other advanced options — for example, what boot image a client will receive or what Windows Deployment Services client unattend file the client should use. The ability for multiple Windows Deployment Services servers to service the same network segment. You can do this by restricting the server to answer only a particular set of clients. Note that the prestaged client must be in the same forest as the Windows Deployment Services server (trusted forests do not work). Further information: http://www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/ how can I PRESTAGE a computer for WDS? QUESTION 37 The default domain GPO in your company is configured by using the following account policy settings: - Minimum password length: 8 characters - Maximum password age: 30 days - Enforce password history: 12 passwords remembered - Account lockout threshold: 3 invalid logon attempts - Account lockout duration: 30 minutes You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has domain user rights. The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out. You need to resolve the server failure and prevent recurrence of the failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Reset the password of the SQLSrv user account. B. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user account. C. Configure the properties of the SQLSrv account to Password never expires. D. Configure the properties of the SQLSrv account to User cannot change password. E. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon

locally user right. Correct Answer: AC Section: (none) Explanation Explanation/Reference: Personal comment: Maximum password age: 30 days The most probable cause for the malfunction is that the password has expired. You need to reset the password and set it to never expire.

QUESTION 38 Your company has two Active Directory forests named Forest1 and Forest2. The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008. The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server 2003. You need to set up a transitive forest trust between Forest1 and Forest2,

What should you do first? A. B. C. D.

Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode. Raise the forest functional level of Forest2 to Windows Server 2003. Upgrade the domain controllers in Forest2 to Windows Server 2008. Upgrade the domain controllers in Forest2 to Windows Server 2003.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816810.aspx Creating Forest Trusts You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way or two-way, transitive trust relationship. The following are required to create forest trusts successfully: You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest. To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server 2003. (...) QUESTION 39 Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users at the branch office report that the logon process takes too long. You need to decrease the amount of time it takes for the branch office users to logon. What should you do? A. B. C. D.

Configure DC1 as a Global Catalog server. Configure DC1 as a bridgehead server for the branch office site. Decrease the replication interval on the site link that connects the branch office to the corporate network. Increase the replication interval on the site link that connects the branch office to the corporate network.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc728188.aspx What Is the Global Catalog? The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through

multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers. In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server. QUESTION 40 Your company has an Active Directory domain. The main office has a DNS server named DNS1 that is configured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link. You add a new server to the main office. Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server. You need to ensure that the user is able to connect to the new server. What should you do? A. B. C. D.

Clear the cache on DNS2. Reload the zone on DNS1. Refresh the zone on DNS2. Export the zone from DNS1 and import the zone to DNS2.

Correct Answer: A Section: (none) Explanation Explanation/Reference: !*** old answer: Refresh the zone on DNS2. http://technet.microsoft.com/en-us/library/cc794900%28v=ws.10%29.aspx Adjust the Refresh Interval for a Zone You can use this procedure to adjust the refresh interval for a Domain Name System (DNS) zone. The refresh interval determines how often other DNS servers that load and host the zone must attempt to renew the zone. By default, the refresh interval for each zone is set to 15 minutes. http://blog.ijun.org/2008/11/difference-between-dnscmd-clearcache.html difference between dnscmd /clearcache and ipconfig /flushdns Q: Do "dnscmd /clearcache" and "ipconfig /flushdns" the exact same thing, on a windows 2003 server? What is the difference, if any? A: Ipconfig /flushdns will flush the local computer cache. And dnscmd /clearcache will clear the dns server cache. Meaning that with the first you will clear the "local" cache of the server you work on. (Even if it is the dns

server. It will NOT clear the dns server cache.) While with dnscmd you will clear the dns server cache. QUESTION 41 You need to validate whether Active Directory successfully replicated between two domain controllers. What should you do? A. B. C. D.

Run the DSget command. Run the Dsquery command. Run the RepAdmin command. Run the Windows System Resource Manager.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc794749.aspx You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. QUESTION 42 You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller. You need to perform a non-authoritative restore of the domain controller by using an existing backup file. What should you do? A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore. B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore. C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore. D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore. Correct Answer: A Section: (none) Explanation Explanation/Reference: almost identical to B26 http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx Performing Nonauthoritative Restore of Active Directory Domain Services A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.

You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS. Nonauthoritative Restore Requirements You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller. On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system. To perform a nonauthoritative restore, you need one of the following types of backup for your backup source: System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command. Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command. Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. QUESTION 43 Your company has an Active Directory forest. Not all domain controllers in the forest are configured as Global Catalog Servers. Your domain structure contains one root domain and one child domain. You modify the folder permissions on a file server that is in the child domain. You discover that some Access Control entries start with S-1-5-21 and that no account name is listed. You need to list the account names. What should you do? A. B. C. D.

Move the RID master role in the child domain to a domain controller that holds the Global Catalog. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global Catalog.

Correct Answer: D Section: (none) Explanation Explanation/Reference: ????

http://technet.microsoft.com/en-us/library/cc780850%28v=ws.10%29.aspx Security identifiers Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry (ACE), there exists a SID that identifies the user or group for whom access is allowed, denied, or audited. Well-known security identifiers (special identities): Network (S-1-5-2) Includes all users who are logged on through a network connection. Access tokens for interactive users do not contain the Network SID. http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx Operations master roles Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform in using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes. In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest. .. Domain-wide operations master roles Every domain in the forest must have the following roles: Relative ID (RID) master Primary domain controller (PDC) emulator master Infrastructure master These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master. ... Infrastructure master At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain. Important Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain. In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role. The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name

or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency. QUESTION 44 Your company security policy requires complex passwords. You have a comma delimited file named import.csv that contains user account information. You need to create user account in the domain by using the import.csv file. You also need to ensure that the new user accounts are set to use default passwords and are disabled. What shoulld you do? A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run the DSMOD utility to set default passwords for the user accounts. B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Run the DSMOD utility to set default passwords for the user accounts. C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set default passwords for the imported user accounts. D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADD utility to set passwords for the imported user accounts. Correct Answer: A Section: (none) Explanation Explanation/Reference: Personal note: the correct command should be: csvde - i -k -f import.csv http://support.microsoft.com/kb/305144 How to use the UserAccountControl flags to manipulate user account properties When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled. You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in. The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512). http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx Csvde Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard. Syntax: Csvde [-i] [-f ] [-s ] [-c ] [-v] [-j ] [-t ] [-d

] [-r ] [-p nul This command imports a security template file, “custom.inf” into the workstation’s or server’s local security database. /db must be specified. When specifying the default secuirty database (secedit.sdb,) I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option supresses any pop-ups and the >nul hides the command line output stating success or failure of the action. QUESTION 2 Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS Servers. You have a standard primary zone for dev.contoso.com that is stored on a member server. You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone. What should you do? A. On the member server, create a stub zone. B. On the member server, create a NS record for each domain controller. C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest. D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.

... Conditional forwarders A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. Further information: http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx Assign a Conditional Forwarder for a Domain Name http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders QUESTION 3 Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain. You need to register the SRV records.

Which command should you run on the new domain controller? A. B. C. D.

Run the netsh interface reset command. Run the ipconfig /flushdns command. Run the dnscmd /EnlistDirectoryPartition command. Run the sc stop netlogon command followed by the sc start netlogon command.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. http://technet.microsoft.com/en-us/library/cc742107%28v=ws.10%29.aspx Sc stop Syntax sc [] stop http://cbfive.com/blog/post/Command-Line-Service-Management-%28NET-v-SC%29.aspx Command Line Service Management (NET v SC) For the most part, everything that NET does, SC can do. The subtle differences are in how they perform the same functions. .. The first, and most consequential, difference is that SC can remotely manage services. For any SC command, simply type the workstation name or IP address of the machine that you would like to manage right after SC and before the command: SC \\SERVERNAME QUERY QUESTION 4 You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed. You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL). What should you do? A. Install and configure an Online Responder. B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations. C. Install and configure an additional domain controller. D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc725958.aspx What Is an Online Responder? An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. QUESTION 5 You want users to log on to Active Directory by using a new Principal Name (UPN). You need to modify the UPN suffix for all user accounts. Which tool should you use? A. B. C. D.

Dsmod Netdom Redirusr Active Directory Domains and Trusts

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx Dsmod user dsmod user -upn Specifies the user principal names (UPNs) of the users that you want to modify, for example, [email protected]. QUESTION 6 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1. You need to log changes made to the Description attribute on all group objects in OU1 only. What should you do? A. Run auditpol.exe. B. Modify the auditing entry for OU1. C. Modify the auditing entry for the domain.

D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO to OU1. Correct Answer: B Section: (none) Explanation Explanation/Reference: http://ithompson.wordpress.com/tag/organizational-unit-move/ Do you need to track who/where/when for activities done against the OU’s in your AD? With Windows 2003 those were difficult questions to answer, we could get some very basic information from Directory Services Auditing; but it was limited and you had to read through several cryptic events (id 566). With the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via command line and applied every time servers restart). I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains (if you need them, I will get you the information). So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy. Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level. Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers, the other systems in your environment will be a different discussion. So where do we start so that we can answer our question at the top of this discussion? First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1. **Take note of the green highlight.

For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit Directory Service Changes, see Fig 2. This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit. This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drill down to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

Now that our auditing is setup what type of events can we expect to see? Here are a few examples: In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

Figure 6 shows a Sub OU being created.

Figure 7 shows id 5139, an OU being moved.

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136. Figure 8 shows the first part of the rename process.

Figure 9 shows the second part of the rename process.

Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.

With standard auditing some of the other items that we looked at would be next to impossible with auditing, such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if you did get an event. Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.

QUESTION 7 Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data. You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data. What should you do? A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility. B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account. C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the shared folder that hold the confidential data for the Deny DLG group. D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that hold the confidential data for the Deny DLG group. Correct Answer: D Section: (none) Explanation Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx Group scope Group scope Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local. The following table describes the differences between the scopes of each group.

When to use groups with domain local scope Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer. ... QUESTION 8 Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1. You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1. What should you do? A. B. C. D.

Remove the Request Certificates permission from the Domain Users group. Remove the Request Certificated permission from the Authenticated Users group. Assign the Allow - Manage CA permission to only the Security Manager user Account. Assign the Allow - Issue and Manage Certificates permission to only the Security Manger user account

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc732590.aspx Implement Role-Based Administration You can use role-based administration to organize certification authority (CA) administrators into separate,

predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings. You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform. The following table describes the roles, users, and groups that can be used to implement role-based administration. Roles and groups Certificate manager Security permission Issue and Manage Certificates Description Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in. QUESTION 9 You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What is the minimal forest functional level that you should use? A. B. C. D.

Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 Windows 2000

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc731243.aspx Prerequisites for Deploying an RODC Complete the following prerequisites before you deploy a read-only domain controller (RODC): Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. (...) QUESTION 10 Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application ads new user attributes to the Active Directory schema. You discover that the Active Directory replication traffic to the Global Catalogs has increased. You need to prevent the new attributes from being replicated to the Global Catalog. You must achieve this goal without affecting application functionality. What should you do? A. Change the replication interval for the DEFAULTIPSITELINK object to 9990. B. Change the cost for the DEFAULTIPSITELINK object to 9990.

C. Make the new attributes in the Active Directory as defunct. D. Modify the properties in the Active Directory schema for the new attributes. Correct Answer: D Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/248717 How to Modify Attributes That Replicate to the Global Catalog The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses how to manipulate the attributes which make up the set values replicated to the GC. Deciding which attributes will replicate (in addition to the default attributes) requires careful planning with consideration for network traffic and necessary disk space. Before describing how to set an attribute to replicate in the GC, it is important to note the effects this has on network replication traffic. After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a full replication (also known as a "full sync") of all objects to the GC as described below. This behavior occurs on the versions of Windows 2000 listed in this article. Every server has a full and write-able copy of its own domain. If that server is also a GC, the remaining domains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes is kept. When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causes the GC to perform a "full sync" of all the read-only copies again to repopulate itself with only the partial attributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSet is set to "True." Thus, it only does a full sync on the read-only partial copy domains and not its own write-able domain, the configuration directory partition or schema directory partition. In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. To modify the schema, an administrator must be made a member of the "Schema Admins" group. In addition to being a member of this group, a registry key must be set on the Schema master. QUESTION 11 You are decommissioning one of the domain controllers in a child domain. You need to transfer all domain operations master roles within the child domain to a newly installed domain controller in the same child domain. Which three domain operations master roles should you transfer? (Each correct answer presents part of the solution. Choose three.) A. B. C. D. E.

RID master PDC emulator Schema master Infrastructure master Domain naming master

Correct Answer: ABD Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc781578%28v=ws.10%29.aspx

Transferring operations master roles Transferring an operations master role means moving it from one domain controller to another with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles in Microsoft Management Console (MMC).

QUESTION 12 There are 100 servers and 2000 computers present at your company's headquarters. The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service. The nodes are named as CKMFON1 and CKMFON2. The cluster on CKMFO has one physical shared disk of 400 GB capacity. A 200GB single volume is configured on the shared disk. The company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1. The DHCP and WINS services will be hosted on other nodes. Using High Availability Wizard, you begin creating the WINS service group on the cluster available on CKMFON1 node. The wizard shows an error "no disks are available" during configuration. Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1? A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard. C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes onthese disk and direct CKMOFON1 to use CKMFON2 volume for the WINS service group D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard E. None of the above Correct Answer: B Section: (none) Explanation Explanation/Reference: http://class10e.com/Microsoft/which-action-should-you-perform-to-configure-storage-volumes-on-ckmfon1-tosuccessfully-add-the-wins-service-group-to-ckmfon1/ To configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you

need to add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard. This is because a cluster does not use shared storage. A cluster must use a hardware solution based either on shared storage or on replication between nodes. QUESTION 13 Exhibit:

Company servers run Windows Server 2008. It has a single Active Directory domain. A server called S4 has file services role installed. You install some disks for additional storage. The disks are configured as shown in the exhibit. To support data striping with parity, you have to create a new drive volume. What should you do to achieve this objective? A. B. C. D.

Build a new spanned volume by combining Disk0 and Disk1 Create a new Raid-5 volume by adding another disk. Create a new virtual volume by combining Disk 1 and Disk 2 Build a new striped volume by combining Disk0 and Disk 2

Correct Answer: B Section: (none) Explanation Explanation/Reference: https://sort.symantec.com/public/documents/sf/5.0/solaris/html/vxvm_admin/ag_ch_intro_vm17.html RAID-5 (striping with parity)

QUESTION 14 Your company asks you to implement Windows Cardspace in the domain. You want to use Windows Cardspace at your home. Your home and office computers run Windows Vista Ultimate. What should you do to create a backup copy of Windows Cardspace cards to be used at home? A. B. C. D. E. F.

Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive Back up the system state data by using backup status tool on your USB drive Employ Windows Cardspace application to backup the data on your USB drive. Reformat the C: Drive None of the above

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros#BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer Windows CardSpace for IT pros Microsoft Windows CardSpace™ is a system for creating relationships with websites and online services. Windows CardSpace provides a consistent way for: Sites to request information from you. You to review the identity of a site. You to manage your information by using Information Cards. You to review card information before you send it. Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites and online services.

15. How do I back up my cards or transfer them to another computer? Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of your cards or to use a card on a different computer, you can save cards to a backup card file. To back up your cards: 1. Start Windows CardSpace. 2. View all your cards. 3. In the pane on the right of your screen, click Back up cards. 4. Select the cards that you want to back up. 5. Browse to the folder where you want to save the backup card file, and then give it a name.

When you complete these steps, you save a file containing some or all of your cards. You can copy the backup card file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup card file on this computer or on another computer. To restore your cards 1. Save the backup card file to the computer. 2. Browse to the location of the file on the computer. 3. Double-click the file, and then follow the instructions to restore the cards.

QUESTION 15 Your company has servers on the main network that run Windows Server 2008. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to perform offline critical updates on CKDC1 without rebooting the server? A. Start the Active Directory Domain Services on CKDC1 B. Disconnect from the network and start the Windows update feature C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again. E. None of the above Correct Answer: C Section: (none) Explanation Explanation/Reference: Personal comment: I don't believe you can avoid restarting the server when installing some (not all) updates http://class10e.com/Microsoft/what-should-you-do-to-perform-offline-critical-updates-on-ckdc1-withoutrebooting-the-server/ To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. By stopping the Active Directory domain services, you don’t need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domain services and start it again after the installation of the updates, the Server will perform in a normal way. QUESTION 16 One of the remote branch offices is running a Windows Server 2008 read only domain controller (RODC). For security reasons you don't want some critical credentials like (passwords, encryption keys) to be stored on RODC. What should you do so that these credentials are not replicated to any RODC's in the forest? (Select 2) A. Configure RODC filtered attribute set on the server B. Configure RODC filtered set on the server that holds Schema Operations Master role. C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set. E. None of the above

Correct Answer: BD Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc753223.aspx Adding attributes to the RODC filtered attribute set The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised. A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed. Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest. QUESTION 17 Your company has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level. As an administrator at your company, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality? A. B. C. D. E.

Configure an email account in Active Directory Domain Services (AD DS) for each user. Add and configure ADRMSADMIN account in local administrators group on the user computers Add and configure the ADRMSSRVC account in AD RMS server's local administrator group Reinstall the Active Directory domain on user computers All of the above

Correct Answer: A Section: (none) Explanation Explanation/Reference: same as D/Q7 http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx AD RMS Step-by-Step Guide ... For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups. ...

QUESTION 18 Your company has an active directory forest on a single domain. Your company needs a distributed application that employs a custom application. The application uses a custom application directory partition named PARDAT. You need to implement this application for data replication. Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution) A. B. C. D. E.

Dnscmd. Ntdsutil. Ipconfig Dnsutil All of the above

Correct Answer: AB Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/884116 How to create and apply a custom application directory partition on an Active Directory integrated DNS zone in Windows Server 2003 .. You can create a custom Active Directory partition by using the DnsCmd command. ... If the new naming context that you created does not appear in the Repadmin output, you can verify the state of this naming context by using the Ntdsutil command. .. QUESTION 19 Your company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication. The application is installed on one member server in five sites. You need to configure the five member servers to receive the ResData application directory partition for data replication. What should you do? A. B. C. D.

Run the Dcpromo utility on the five member servers. Run the Regsvr32 command on the five member servers Run the Webadmin command on the five member servers Run the RacAgent utility on the five member servers

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc732887%28v=ws.10%29.aspx

Dcpromo Syntax dcpromo [/answer[:] | /unattend[:] | /unattend | /adv] /uninstallBinaries [/CreateDCAccount | /UseExistingAccount:Attach] /? /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}] .. dcpromo Promotion operation parameters: ApplicationPartitionsToReplicate:"" Specifies the application directory partitions that dcpromo will replicate. Use the following format: "partition1" "partition2" "partitionN" Use * to replicate all application directory partitions. QUESTION 20 As an administrator at your company, you have installed an Active Directory forest that has a single domain. You have installed an Active Directory Federation services (AD FS) on the domain member server. What should you do to configure AD FS to make sure that AD FS token contains information from the active directory domain? A. B. C. D. E.

Add a new account store and configure it. Add a new resource partner and configure it Add a new resource store and configure it Add a new administrator account on AD FS and configure it None of the above

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772309%28v=ws.10%29.aspx Step 3: Installing and Configuring AD FS Now that you have configured the computers that will be used as federation servers, you are ready to install Active Directory Federation Services (AD FS) components on each of the computers. This section includes the following procedures: Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT Configure ADFS-ACCOUNT to work with AD RMS Configure ADFS-RESOURCE to Work with AD RMS

QUESTION 21 Your company runs Window Server 2008 on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to examine revoked certificate information. You need to make sure that the revoked certificate information is available at all times. What should you do to achieve that? A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain. B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain

C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet Security and Acceleration Server) array. D. Use network load balancing and publish an OCSP responder. E. None of the above Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx How Certificate Revocation Works

QUESTION 22 As the company administrator you had installed a read-only domain controller (RODC) server at remote location. The remote location doesn't provide enough physical security for the server. What should you do to allow administrative accounts to replicate authentication information to ReadOnly Domain Controllers? A. Remove any administrative accounts from RODC's group B. Add administrative accounts to the domain Allowed RODC Password Replication group C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO) D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO. E. None of the above Correct Answer: B Section: (none) Explanation Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx Password Replication Policy When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently. The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline. .. Password Replication Policy Allowed and Denied lists Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.

These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDSNeverRevealGroup Active Directory attributes mentioned earlier. By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List attribute contains only the Allowed RODC Password Replication Group. By default, the Denied RODC Password Replication Group contains the following members: Enterprise Domain Controllers Enterprise Read-Only Domain Controllers Group Policy Creator Owners Domain Admins Cert Publishers Enterprise Admins Schema Admins Domain-wide krbtgt account By default, the Denied List attribute contains the following security principals, all of which are built-in groups: Denied RODC Password Replication Group Account Operators Server Operators Backup Operators Administrators The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs. The following table summarizes the three possible administrative models for the Password Replication Policy.

QUESTION 23 ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only. With monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web.CK1.com. You also discover that there is only one port rule configured for Network Load Balancing cluster. You have to configure web.CK1.com NLB cluster to accept HTTP traffic only. Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution)

A. B. C. D.

Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console Run the wlbs disable command on the cluster nodes Assign a unique port rule for NLB cluster by using the NLB Cluster console Delete the default port rules through Network Load Balancing Cluster console

Correct Answer: AD Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc733056.aspx Create a new Network Load Balancing Port Rule Port rules control how a Network Load Balancing (NLB) cluster functions. To maximize control of various types of TCP/IP traffic, you can set up port rules to control how each port's cluster-network traffic is handled. The method by which a port's network traffic is handled is called its filtering mode. There are three possible filtering modes: Multiple hosts, Single host, and Disabled. You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters: The virtual IP address that the rule should apply to The TCP or UDP port range that this rule should apply to The protocols that this rule should apply to, including TCP, UDP, or both The filtering mode that specifies how the cluster handles traffic, which is described by the port range and the protocols In addition, you can select one of three options for client affinity: None, Single, or Network. Single and Network are used to ensure that all network traffic from a particular client is directed to the same cluster host. To allow NLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for your protocol setting. As an extension to the Single and Network options, you can configure a time-out setting to preserve client affinity when the configuration of an NLB cluster is changed. This extension also allows clients to keep affinity to a cluster host even if there are no active, existing connections from the client to the host. QUESTION 24 ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003. You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators over there. You need to setup a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office. What should you do to setup RODC on the computer in branch office? A. B. C. D. E.

Execute an attended installation of AD DS Execute an unattended installation of AD DS Execute RODC through AD DS Execute AD DS by using deploying the image of AD DS none of the above

Correct Answer: B

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc754629.aspx Install an RODC on a Server Core installation To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS. QUESTION 25 You have installed an Active Directory Federation Services (AD FS) role on a Windows server 2008 in your organization. Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and Federation server is operational. What should you do? (Select all that apply) A. B. C. D.

Go to Services tab, and check if Active Directory Federation Services is running In the event viewer, Applications, Event ID column look for event ID 674. Open a browser window, and then type the Federation Service URL for the new federation server. None of the above

Correct Answer: BC Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc734875.aspx Verify Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. 1. Log on to a client computer with Internet access. 2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy. 3. Press ENTER. Note -At this point your browser should display the error Server Error in '/adfs' Application. This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS). 4. 5. 6. 7.

Log on to the federation server proxy. Click Start, point to Administrative Tools, and then click Event Viewer. In the details pane, double-click Application. In the Event column, look for event ID 674.

QUESTION 26 ABC.com has purchased laptop computers that will be used to connect to a wireless network.

You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks. You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network. What should you do to enforce the group policy wireless settings to the laptop computers? A. B. C. D. E.

Execute gpupdate/target:computer command at the command prompt on laptop computers Execute Add a network command and leave the SSID (service set identifier) blank Execute gpupdate/boot command at the command prompt on laptops computers Connect each laptop computer to a wired network and log off the laptop computer and then login again. None of the above

Correct Answer: D Section: (none) Explanation Explanation/Reference: Personal note: In order for the client computers to download the new Group Policy settings the laptops first need to be connected to one of the DCs. Since they cannot connect through wirelessly (due to previous GP settings denying such connections), they have to use one time a wired connection. QUESTION 27 Your company has a Windows 2008 domain controller server. This server is routinely backed up over the network to a dedicated backup server that is running Windows 2003 OS. You need to prepare the domain controller for disaster recovery apart from the routine backup procedures. You are unable to launch the backup utility while attempting to back up the system state data for the data controller. You need to backup system state data from the Windows Server 2008 domain controller server. What should you do? A. B. C. D.

Add your user account to the local Backup Operators group Install the Windows Server backup feature using the Server Manager feature. Install the Removable Storage Manager feature using the Server Manager feature Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the Windows 2003 server. E. None of the above Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc770266%28v=ws.10%29.aspx Windows Server Backup Step-by-Step Guide for Windows Server 2008 The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server® 2008 operating system. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier

versions of the Windows operating system. What is Windows Server Backup? The Windows Server Backup feature in Windows Server 2008 consists of a Microsoft Management Console (MMC) snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment. You can use Windows Server Backup to create and manage backups for the local computer or a remote computer. You can also schedule backups to run automatically and you can perform one-time backups to augment the scheduled backups. QUESTION 28 You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security. You need to activate nonadministrative accounts passwords on that RODC server. Which of the following actions should be considered to populate the RODC server with non-administrative accounts passwords? A. Delete all administrative accounts from the RODC's group B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO) C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators. E. None of the above Correct Answer: C Section: (none) Explanation Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc770320%28v=ws.10%29.aspx Advantages That an RODC Can Provide to an Existing Deployment Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use to delegate administration of an RODC to a nonadministrative user or group. This means that it is not necessary for a highly privileged administrator to log on to the domain controller in the branch office to perform routine server maintenance. http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx Password Replication Policy When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently. The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate

those accounts, even if the WAN link to the hub site is offline. Password Replication Policy Allowed and Denied lists Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group. .. The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.

QUESTION 29 ABC.com has a network that is comprised of a single Active Directory Domain. As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers. Which tool should you use to test the certificate with AD LDS? A. B. C. D.

Ldp.exe Active Directory Domain services ntdsutil.exe Lds.exe

E. wsamain.exe F. None of the above Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc725767%28v=ws.10%29.aspx Appendix A: Configuring LDAP over SSL Requirements for AD LDS The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. ... Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe To test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDS instance and then connect to this AD LDS instance that has the SSL option enabled. .. QUESTION 30 ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed. Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server? A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts B. Add a password replication policy to the main Domain RODC and add user accounts in the security group C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server D. Configure and add a separate password replication policy on each RODC computer account Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx Password Replication Policy When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently. The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,

for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline. QUESTION 31 The corporate network of your company consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Company 1 and Company 2. To ensure central monitoring of events you decided to collect all the events on one server. To collect events from Company 2, and transfer them to Company 1. You configure the required event subscriptions. You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol. However, you discovered that none of the subscriptions work. Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution). A. B. C. D. E. F.

Run window execute the winrm quickconfig command on Company 2. Run window execute the wecutil qc command on Company 2. Add the Company 1 account to the Administrators group on Company 2. Run window execute the winrm quickconfig command on Company 1. Add the Company 2 account to the Administrators group on Company 1. Run window execute the wecutil qc command on Company 1.

Correct Answer: ACF Section: (none) Explanation Explanation/Reference: We need to do three things: 1 - run winrm quickconfig on the source computer (Company 2) 2 - run wecutil qc on the collector computer (Company 1) 3 - add the computer account of the collector computer to the local Administrators group on the source computer Had the Event delivery optimization setting been set to Minimize Bandwidth or Minimize Latency, then we would need to run winrm quickconfig on the collector computer too. Because it's set to Normal we can skip that step. If the HTTPS protocol had been used we also would have had to configure Windows Firewall exceptions for port 443. But it's not, and it's not even listed, so that's cool. Reference: http://technet.microsoft.com/en-us/library/cc748890.aspx Configure Computers to Forward and Collect Events Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source). To configure computers in a domain to forward and collect events 1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges. 2. On each source computer, type the following at an elevated command prompt: winrm quickconfig

Note If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer. 3. On the collector computer, type the following at an elevated command prompt: wecutil qc 4. Add the computer account of the collector computer to the local Administrators group on each of the source computers. 5. The computers are now configured to forward and collect events. Follow the steps in Create a New Subscription to specify the events you want to have forwarded to the collector. QUESTION 32 Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one of the branch offices. You need to identify the user accounts that were cached on the stolen RODC server. Which utility should you use? A. B. C. D.

Dsmod.exe Ntdsutil.exe Active Directory Sites and Services Active Directory Users and Computers

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc835486%28v=ws.10%29.aspx Securing Accounts After an RODC Is Stolen If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC. An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in. QUESTION 33 ABC.com has a software evaluation lab. There is a server in the evaluation lab named as CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses physical network interface card. ABC.com requires every server in the company to access the Internet. ABC.com security policy dictates that the IP address space used by software evaluation lab must not be used by other networks. Similarly, it states the IP address space used by other networks should not be used by the evaluation lab network. As an administrator you find you that the applications tested in the software evaluation lab need to access normal network to connect to the vendors update servers on the internet.

You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with company's security policy. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution) A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on each virtual server B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS) C. Use ABC.com intranet IP addresses on all virtual servers on CKT. D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network. E. None of the above Correct Answer: AD Section: (none) Explanation Explanation/Reference: http://class10e.com/Microsoft/which-two-actions-should-you-perform-to-achieve-this-task-choose-two-answers/ To configure all virtual servers on the CKT server to access the internet and comply with company’s security policy, you should trigger the virtual DHCP server for the external virtual network and run ipconfig/renew command on each virtual server. Then add and install Microsoft Loopback adapter network interface on CKT. Create a virtual network using the new interface. When you configure the Virtual DHCP server for the external virtual network, a set of IP addresses are assigned to the virtual servers on CKT server. By running ipconfig/renew command, the new IP addresses will be renewed. The Microsoft Loopback adapter network interface will ensure that the IP address space used by other networks are not been used by the virtual servers on CKT server. You create a new virtual network on the new network interface which will enable you to access internet. QUESTION 34 You are an administrator at ABC.com. The company has a network of 5 member servers acting as file servers. It has an Active Directory domain. You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts down. To trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdowns and identify the cause of it. What should you do to perform this task? A. B. C. D. E.

Link the GPO to the domain and enable System Events option Link the GPO to the domain and enable Audit Object Access option Link the GPO to the Domain Controllers and enable Audit Object Access option Link the GPO to the Domain Controllers and enable Audit Process tracking option Perform all of the above actions

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://msdn.microsoft.com/en-us/library/ms813610.aspx Audit system events

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy Description Determines whether to audit when a user restarts or shuts down the computer; or an event has occurred that affects either the system security or the security log. By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and in the local policies of workstations and servers. If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when a system event is successfully executed. Failure audits generate an audit entry when a system event is unsuccessfully attempted. You can select No auditing by defining the policy setting and unchecking Success and Failure. QUESTION 35 ABC.com has a network that consists of a single Active Directory domain. A technician has accidently deleted an Organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in process of restoring the OU. You need to execute a non-authoritative restore before an authoritative restore of the OU. Which backup should you use to perform non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on domain controller? A. B. C. D. E.

Critical volume backup Backup of all the volumes Backup of the volume that hosts Operating system Backup of AD DS folders all of the above

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc730683%28v=ws.10%29.aspx Performing a Nonauthoritative Restore of AD DS To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a system state backup. To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in this topic uses the wbadmin start systemstaterecovery command. You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if you do not have a system state or critical-volume backup. A full server backup is generally larger than a criticalvolume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use the wbadmin start recovery command. QUESTION 36 ABC.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network. You are instructed to capture all replication errors from all domain controllers to a central location.

What should you do to achieve this task? A. B. C. D.

Initiate the Active Directory Diagnostics data collector set Set event log subscriptions and configure it Initiate the System Performance data collector set Create a new capture in the Network Monitor

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc748890.aspx Configure Computers to Forward and Collect Events Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source). http://technet.microsoft.com/en-us/library/cc749183.aspx Event Subscriptions Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. http://technet.microsoft.com/en-us/library/cc961808.aspx Replication Issues

QUESTION 37 Your company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers running Windows XP and Windows Vista. All domain controllers are running Windows server 2008.

You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and to provide user authentication. What do you need to configure, in order to complete the deployment of AD RMS? A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1 B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _DC1 C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5 D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _SRV5 E. None of the above Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/dd772753%28v=ws.10%29.aspx AD RMS Client Requirements Windows AD RMS Client Windows 7, all editions Windows Server 2008 R2, all editions except Core Editions Windows Vista, all editions Windows Server 2008, all editions except Core Editions Windows XP SP3 32-bit Edition Windows XP SP3 64-bit Edition Windows Server 2003 with SP1 32-bit Edition Windows Server 2003 with SP1 64-bit Edition Windows Server 2003 for Itanium-based systems with SP1 Windows Server 2003 R2 32-bit Edition Windows Server 2003 R2 64-bit Edition Windows Server 2003 R2 for Itanium-based systems Windows Small Business Server 2003 32-bit Edition Windows Server 2000 SP4 32-bit Edition http://technet.microsoft.com/en-us/library/dd772659%28v=ws.10%29.aspx AD RMS Prerequisites Before you install AD RMS Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met. Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) forest as the user accounts that will be using rights-protected content. ... QUESTION 38 You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also need to ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decided to backup only specific ADLDS instance instead of taking backup of the entire volume. What should you do to accomplish this task? A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files of AD LDS B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance C. Move AD LDS database and log files on a separate volume and use windows server backup utility D. None of the above

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc730941.aspx Backing up AD LDS instance data with Dsdbutil.exe With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance. QUESTION 39 You had installed Windows Server 2008 on a computer and configured it as a file server, named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0 +1 on FileSrv1. Which utility you will use to convert basic disks to dynamic disks on FileSrv1? A. B. C. D. E.

Diskpart.exe Chkdsk.exe Fsutil.exe Fdisk.exe None of the above

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc771534.aspx [Diskpart] Convert dynamic Converts a basic disk into a dynamic disk. QUESTION 40 ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boasts 40 Windows Vista client machines. As an administrator at ABC.com, you want to deploy Active Directory Certificate service (AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificate settings on all machines in a domain from one main location? A. B. C. D. E.

Configure Enterprise CA certificate settings Configure Enterprise trust certificate settings Configure Advance CA certificate settings Configure Group Policy certificate settings All of the above

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc725911.aspx AD CS: Policy Settings In the Windows Server® 2008 operating system, certificate-related Group Policy settings enable administrators to manage certificate validation settings according to the security needs of the organization. What are certificate settings in Group Policy? Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location. QUESTION 41 A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted. You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online. What should you do? A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility. B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility. C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility. D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility. Correct Answer: D Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/232122 Performing offline defragmentation of the Active Directory database Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller. http://rickardnobel.se/when-to-offline-defrag-ntds-dit/ When to offline defrag the Active Directory database

This article will show a simple way to determine if there is any gain to do an offline defrag of your Active Directory database. During normal operations the Active Directory service will do an online defragmentation of the Active Directory database (always called ntds.dit) each 12 hours. This online defrag will arrange all pages in an optimal way internal in the ntds.dit, however the file size will never shrink, sometimes even grow. During the years of

operations of the ntds.dit the file size will increase as user accounts, organizational units, groups, computers, dns records and more are added and later removed. When deleted objects are finally removed (after the so called tombstone lifetime, typically 180 days) the space they have occupied will unfortunately not decrease.

The actual size of the ntds.dit could be easily studied through Explorer, as above. The size of the database is in this example around 575 MB. Note that Active Directory does not use a file level replication, so the file could be of various size on each Domain Controller in your domain. If wanted there is the possibility to take the AD services offline on one DC and then do an offline defragmentation of ntds.dit. This would both arrange all pages the best possible way, and also to reclaim any empty space inside the database, which could make backup and restore faster and also possible increase AD performance. The offline defrag means “offline” from an Active Directory perspective. This means that on Windows 2000 and 2003 you will have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you will have to stop the AD services by typing “net stop ntds” in the command prompt. So in Windows 2008 and later it is far easier, but still something that you do not want to do if not necessary. There are numerous article on the web how to do the actual offline defrag, so we will not cover that part here. However, we will see the perhaps most important information and that is to be able to see in advance the amount of space that we could reclaim. With this information we could make our decision based on fact and not guesses. This has been possible since at least Windows 2003, but is not well documented.

To enable this you will have to alter a registry value on the Domain Controller you will investigate the reclaimable MBs. Use regedit and find the following key: HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ NTDS \ Diagnostics Change the value “6 Garbage Collection” from 0 to 1. This will increase the logging from the Garbage Collection process which runs together with the online defrag. So now wait for the next online defragmentation which runs twice a day and then study the Directory Service log in Event Viewer.

Search for event id 1646, usually together with event ids 700 and 701.

Here we can note the amount of space that would be reclaimed from an offline defrag. The top value is the number of MB that the offline defrag would recover, here almost half the database size. If the amount is negligible then do not worry about this any more, and if there is a considerable amount of MBs reported then you could plan to do the offline defrag.

Note that both the change of registry key and the actual offline defrag has to be done on each domain controller, since neither does replicate. As noted above we will not look at the commands for the offline defragmentation here, since they are well documented already. QUESTION 42 Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network. What should you do? A. B. C. D.

Run the repadmin /kcc command on the test computer. Create a naming context by running the Dsmgmt command on the test computer. Create a new directory partition by running the Dsmgmt command on the test computer. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc771946.aspx Create a Replica AD LDS Instance To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Set Wizard to create a replica AD LDS instance. To create a replica AD LDS instance 1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard. 2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next. 3. On the Setup Options page, click A replica of an existing instance, and then click Next. 4. Finish creating the new instance by following the wizard instructions. QUESTION 43 Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table: Server name

Operating System

Server role

Server1

Windows 2008

Domain controller

Server2

Windows 2008 R2

Enterprise root certification authority (CA)

Server3

Windows 2008 R2

Network Device Enrollment Service (NDES)

You need to ensure that all device certificate requests use the MD5 hash algorithm. What should you do? A. B. C. D.

On Server2, run the Certutil tool. On Server1, update the CEP Encryption certificate template. On Server1, update the Exchange Enrollment Agent (Offline Request) template. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm \HashAlgorithm registry key.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/ff955642.aspx

Managing Network Device Enrollment Service Configuring NDES NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography \MSCEP. To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table. Key name HashAlgorithm \ HashAlgorithm Value Data Type String Default value SHA1 Description Accepted values are SHA1 and MD5. QUESTION 44 Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computers can automatically enroll for certificates. Which command should you run on Computer1? A. B. C. D.

certreq.exe retrieve certreq.exe submit certutil.exe getkey certutil.exe pulse

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf7c7f80529aab/

What does "certutil -pulse" command do? Certutil -pulse will initiate autoenrollment requests. It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7) Right-click Certificates , point to All Tasks , click Automatically Enroll and Retrieve Certificates . The command does require that - any autoenrollment GPO settings have already been applied to the target user or computer - a certificate template enables Read, Enroll and Autoenroll permissions for the user or a

global or universal group containing the user - The group membership is recognized in the users Token (they have logged on after the membership was added http://technet.microsoft.com/library/cc732443.aspx Certutil Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When cerutil is run on a non-certification authority, the command defaults to running the certutil -dump verb. Verbs The following table describes the verbs that can be used with the certutil command. .. -pulse Pulse auto enrollment events .. QUESTION 45 Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA). What should you configure in the adatum.com domain? A. B. C. D.

From From From From

the Default Domain Controllers Policy, modify the Enterprise Trust settings. the Default Domain Controllers Policy, modify the Trusted Publishers settings. the Default Domain Policy, modify the Certificate Enrollment policy. the Default Domain Policy, modify the Trusted Root Certification Authority settings.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/dd851772.aspx Manage Certificate Enrollment Policy by Using Group Policy Configuring certificate enrollment policy settings by using Group Policy QUESTION 46

You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed: Enterprise root certification authority (CA) Certificate Enrollment Web Service Certificate Enrollment Policy Web Service You create a new certificate template. External users report that the new template is unavailable when they request a new certificate. You verify that all other templates are available to the external users. You need to ensure that the external users can request certificates by using the new template. What should you do on Server1? A. B. C. D.

Run iisreset.exe /restart. Run gpupdate.exe /force. Run certutil.exe dspublish. Restart the Active Directory Certificate Services service.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx Certificate Enrollment Web Services in Active Directory Certificate Services .. Troubleshooting Managing Certificate Enrollment Policy Web Service Polling for Certificate Templates Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DS periodically for template changes. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available. By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The Certificate Enrollment Policy Web Service can be manually forced to refresh its template cache by recycling IIS using the command iisreset. QUESTION 47 Your network contains an enterprise root certification authority (CA). You need to ensure that a certificate issued by the CA is valid. What should you do? A. B. C. D.

Run syskey.exe and use the Update option. Run sigverif.exe and use the Advanced option. Run certutil.exe and specify the -verify parameter. Run certreq.exe and specify the -retrieve parameter.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx Basic CRL checking with certutil Certutil.exe is the command-line tool to verify certificates and CRLs. To get reliable verification results, you must use certutil.exe because the Certificate MMC Snap-In does not verify the CRL of certificates. A certificate might be wrongly shown in the MMC snap-in as valid but once you verify it with certutil.exe you will see that the certificate is actually invalid. QUESTION 48 You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates. Users are required to log on to the domain by using a smart card. Your company's corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked. An employee resigns. You need to immediately prevent the employee from logging on to the domain. What should you do? A. B. C. D.

Revoke the employee's smart card certificate. Disable the employee's Active Directory account. Publish a new delta certificate revocation list (CRL). Reset the password for the employee's Active Directory account.

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice Delete or disable an Active Directory account? One best practice. I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. .. And then the reason for MSFT's lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back. ...

Exam D QUESTION 1 You add an Online Responder to an Online Responder Array. You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array. What should you do? A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1. B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32. C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller. D. From the Online Responder Management Console, select the new Online Responder, and then select Synchronize Members with Array Controller. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc770413.aspx Managing Array members For each Array, one member is defined as the Array controller; the role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members. Reference 2: http://technet.microsoft.com/en-us/library/cc771281.aspx To designate an Array controller 1. Open the Online Responder snap-in. 2. In the console tree, click Array Configuration Members. 3. Select the Online Responder that you want to designate as the Array controller. 4. In the Actions pane, click Set as Array Controller. QUESTION 2 Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use a many-to-one mapping. You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. What should you do? A. B. C. D.

Run certutil.exe -crl. Run certutil.exe -delkey. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group. From Active Directory Users and Computers, modify the Contact object for the external partner.

Correct Answer: A

Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/library/cc732443.aspx Certutil Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. Verbs -CRL Publish new certificate revocation lists (CRLs) [or only delta CRLs] http://technet.microsoft.com/en-us/library/cc783835%28v=ws.10%29.aspx Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management) If you have determined the keycontainername for a specific certificate, you can delete the key container with the following command. certutil.exe -delkey The -delkey option is supported only with the Windows Server 2003 version of certutil. On Windows 2000, you must add a prefix to the commands. The prefix is the path you have copied the Windows Server 2003 version of certutil to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used. QUESTION 3 Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com. Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com. You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails. What should you do? A. B. C. D.

Configure the Expires after option for the contoso.com zone to 4 days. Configure the Retry interval option for the contoso.com zone to 4 days. Configure the Refresh interval option for the contoso.com zone to 4 days. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc816704%28v=ws.10%29.aspx Adjust the Expire Interval for a Zone You can use this procedure to adjust the expire interval for a Domain Name System (DNS) zone. Other DNS servers that are configured to load and host the zone use the expire interval to determine when zone data expires if it is not successfully transferred. By default, the expire interval for each zone is set to one day. You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.

To adjust the expire interval for a zone using the Windows interface 1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS. 2. In the console tree, right-click the applicable zone, and then click Properties. 3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated. 4. Click the Start of Authority (SOA) tab. 5. In Expires after, click a time period in minutes, hours, or days, and then type a number in the text box. 6. Click OK to save the adjusted interval. QUESTION 4 Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com. You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server. Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has an A record in the fabrikam.com DNS zone. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers. B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com. C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option. D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option. E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com. Correct Answer: BD Section: (none) Explanation Explanation/Reference: ??? QUESTION 5 Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run Windows Server 2008 R2 operating system. The domain controllers also run DNS servers. The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only. A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers. You need to configure the intranet.adatum.com zone to meet the new security policy requirement. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties. B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties. C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties. D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties. Correct Answer: AD Section: (none) Explanation Explanation/Reference: http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/ Managing DNS Dynamic Updates in Windows Server 2008 R2 What Is DNS Dynamic Update? When a DNS server is installed in a network, during the installation administrators can configure it to accept dynamic updates of client records. Dynamic updates means that DNS client computers can automatically register their names along with their IP addresses in the DNS server. When this happens DNS server automatically creates a Host (A) record for that client computer that contains hostname of the client and its associated IP address. Also, during the installation of DNS server administrators can choose an option according to which DNS server should not automatically update its records and in this condition administrators must manually create Host (A) records in the DNS database. http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC In this article, then, we’ll take a look at the details of the following preliminary steps you can take to help secure your Windows DNS infrastructure: Decide who can resolve Internet host names Don’t co-locate internal and external zones Lock down the DNS cache Enable recursion only where needed Restrict DNS servers to listen on specific addresses Consider using a private root hints file Randomize your DNS source ports Be aware of the Global Query Block List Limit zone transfers Take advantage of Active Directory integrated zone security .. Take advantage of Active Directory integrated zone security Active Directory integrated zones enable you to secure the registration of resource records when dynamic name registration is enabled. Members of the Active Directory domain can register their resource records dynamically while non-domain members will be unable to register their names. You can also use discretionary access control lists (DACLs) to control which computers are able to register or change their addressing information. The figure below shows how you configure secure dynamic updates.

http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/ Configuring DNS Server for Secure Only Dynamic Updates .. QUESTION 6 Your company has two Active Directory forests as shown in the following table. Forest name

Forest functional level

Domain(s)

contoso.com

Windows Server 2008

contoso.com

fabrikam.com

Windows Server 2008

fabrikam.com

eng.fabrikam.com

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access resources in the contoso.com domain. You need to configure the forest trust to meet the new security policy requirement. What should you do? A. Delete the outgoing forest trust in the contoso.com domain. B. Delete the incoming forest trust in the contoso.com domain.

C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication. D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.fabrikam.com from the Name Suffix Routing trust properties. Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx How Domain and Forest Trusts Work Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first determine whether the domain being requested by a user, computer or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. .. Trust Flow The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure a trust determines how far the communication extends within a forest or across forests. The flow of communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of the trust (transitive or nontransitive). One-Way and Two-Way Trusts Trust relationships that are established to enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created. All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. An Active Directory domain can establish a one-way or two-way trust with: Windows Server 2003 domains in the same forest. Windows Server 2003 domains in a different forest. Windows NT 4.0 domains. Kerberos V5 realms. Transitive and Nontransitive Trusts Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains. Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. The following figure shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 1 can access resources in Tree 2, when the proper permissions are assigned at the resource. Default Transitive Trust Relationships

In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust Wizard you can manually create the following transitive trusts. Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest. Forest trust. A transitive trust between one forest root domain and another forest root domain. Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm. A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between: A Windows Server 2003 domain and a Windows NT domain A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust) By using the New Trust Wizard, you can manually create the following nontransitive trusts: External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows

NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive. Realm trust. A nontransitive trust between an Active Directory domain and a Kerberos V5 realm. ... QUESTION 7 Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level. You need to configure AD RMS so that users are able to protect their documents. What should you do? A. B. C. D.

Install the AD RMS client 2.0 on each client computer. Add the RMS service account to the local administrators group on the AD RMS server. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user. Upgrade the Active Directory domain to the functional level of Windows Server 2008.

Correct Answer: C Section: (none) Explanation Explanation/Reference: same as C17 http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx AD RMS Step-by-Step Guide ... For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups. ... QUESTION 8 Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers. The TempWorkers group is not nested in any other groups. You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders. You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers. You must achieve this goal without affecting access to other domain resources. What should you do? A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group. B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group. C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.

D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group. Correct Answer: A Section: (none) Explanation Explanation/Reference: Personal comment: Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the shared folders (implies access from the network). "Deny log on locally" makes no sense in this instance, because we are reffering to shared folder and supposedly physical access to servers should be highly restricted. And best practices recommend that you link GPOs at the domain level only for domain wide purposes. QUESTION 9 Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering. You need to create a password policy for the engineering department that is different from your domain password policy. What should you do? A. Create a new GPO. Link the GPO to the Engineering OU. B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU. C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group. D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computer console, select the group and run the Delegation of Control Wizard. Correct Answer: C Section: (none) Explanation Explanation/Reference: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1f1b69441175b Complex Password Policy on an OU Q: Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'm under the impression it can only be applied to either a security group or an individual user. A1: I beleive you are referering to PSC and PSO. The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container. PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Groups offer better flexibility for managing various sets of users than OUs. For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.

Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects. For more info, please see below article: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide A2: Here is a link to how you setup find grain password policy... However you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ A3: In addition, for fine grated password policy ; you need DLF 2008 and you can apply that policy on a single user and only global security group. Find the step by step info. http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ Tutorial: How to setup Default and Fine Grain Password Policy One strange thing that still seems to catch a lot of people out is that you can only have one password policy for your user per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it will apply to all the users in that OU…. but it doesn’t. Microsoft did introduce Fine Grain Password Policies with Windows Server 2008 however this can only be set based on a security group membership and you still need to use the very un-user-friendly ADSI edit tool to make the changes to the policy. Below I will go through how you change the default domain password policy and how you then apply a fine grain password policy to your environment. The Good news is setting the default password policy for a domain is really easy. The Bad news is that setting a fine grain password policy is really hard. How to set a Default Domain Password Policy Step 1. Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”).

Note: I have elected to create a new GPO at the top of the domain in this case as I always try to avoid modifying the “Default Domain Policy”, see references below. Reference: http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspx TechNet: Linking GPOs If you need to modify some of the settings contained in the Default Domain Policy GPO, it is

recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspx TechNet: Establishing Group Policy Operational Guidelines Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies. Step 2. Edit the “Domain Password Policy” GPO and go to Computer Configurations>Policies>Windows Settings>Security Settings>Account Policy>Password Policy and configured the password policies settings to the configuration you desire.

Step 3. Once you have configured the password policy settings make the “Domain Password Policy” GPO the highest in the Linked GPO processing order. TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon.

Done… told you it was easy…. Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know this is the only exception to the rule as to how GPO’s apply to objects. As you can see in the image below the “Minimum password length” in the “Domain Password Policy” GPO is still applied to the domain controller even though I have another GPO linking to the “Domain Controllers” OU configuration the same setting.

For a better explanation as to why the GPO that is linked to the Domain and not the Domain Controllers is used for the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout-policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-useraccounts.aspx) How to set a Fine Grain Password Policy Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password polices for the users in your environment was to have separate domains… OUCH! Pre-Requisites/Restrictions You domain must be Windows Server 2008 Native Mode, this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selection the “Raise domain functional level” on the top of the domain in Active Directory Users and Computers.

Reference http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies The domain functional level must be Windows Server 2008. The other restriction with this option is that you can only apply FGPP to users object or users in global security groups (not computers).

Reference http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies Fine-grained password policies apply only to user objects … and global security groups. TIP: If you setup an “Automatic Shadow Group (http://policelli.com/blog/archive/2008/01/15/manage-shadowgroups-in-windows-server-2008/)” you can apply these password policies to users automatically to any users located in an OU. Creating a Password Setting Object (PSO) Step 1. Under Administrator Tools Open ADSI Edit and connect it to a domain and domain controller you want to setup the new password policy.

Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7).\ Step 2. Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password Settings Container”.

Step 3. Right click on “CN=Password Settings Container” and then click on “New” then “Object…”

Step 4. Click on “Next”

Step 5. Type the name of the PSO in the “Value” field and then click “Next”

Note: With the exception of the password length the following values are all the same as the default values in the “Default Domain Policy”. Step 6. Type in a number that will be the Precedence for this Password Policy then click “Next”.

Note: This is used if a users has multiple Password Settings Object (PSO) applied to them.

Step 7. Type “FALSE” in the value field and click “Next” Note: You should almost never use “TRUE” for this setting.

Step 8. Type “24” in the “Value” field and click “Next”

Step 9. Type “TRUE” in the “Value” field and click “Next”

Step 10. Type “5” in the “Value” field and click “Next”

Step 11. Type “1:00:00:00” in the “Value” field and click “Next”

Step 12. Type “42:00:00:00” in the “Value” field and click “Next”

Step 13. Type “10” in the “Value” field and click “Next”

Step 14. Type “0:00:30:00” field and click “Next”

Step 15. Type “0:00:33:00” in the “Value” field and click “Next”

Step 16. Click “Finish”

You have now created the Password Settings Object (PSO) and you can close the ADSIEdit tool. Now to apply the PSO to a users or group… Step 17. Open Active Directory Users and Computers and navigate to “System > Password Settings Container” Note: Advanced Mode needs to be enabled.

Step 18. Double click on the PSO you created then click on the “Attribute Editor” tab and then select the “msDS-PSOAppliedTo” attribute and click “Edit”

Step 19. Click “Add Windows Accounts….” button.

Step 20. Select the user or group you want to apply this PSO and click “OK”

Step 21. Click “OK”

Step 22. Click “OK”

And your are done… (told you it was hard). Fine Grain Password Policies as you can see are very difficult to setup and manage so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or extra complicated password then at least it give you away to do this without having to spin up another domain. QUESTION 10 Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain. You need to configure DNS to allow only secure dynamic updates. What should you do first? A. B. C. D.

On DC1 and DC2, configure a trust anchor. On DC1 and DC2, configure a connection security rule. On DC1, configure the zone transfer settings. On DC1, configure the zone to be stored in Active Directory.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/ Configuring DNS Server for Secure Only Dynamic Updates About Dynamic Updates During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installation process automatically installs the DNS server on the computer, in case it does not already exist in the network. After the successful installation of Active Directory Domain Services, the DNS server is by default configured to automatically update the records of only the domain client computers as soon as it receives the registration request from them. This automatic update of DNS records in the DNS database is technically known as ‘Dynamic Updates’. Types of DNS Updates Dynamic updates that DNS server in Windows Server 2008 R2 supports include: Nonsecure and Secure – When this type of dynamic update is selected, any computer can send registration request to the DNS server. The DNS server in return automatically adds the record of the requesting computer in the DNS database, even if the computer does not belong to the same DNS domain. Although this configuration remarkably reduces administrative overhead, this setting is not recommended for the organizations that have highly sensitive information available in the computers. Secure only – When this type of dynamic update is selected, only the computers that are members of the DNS domain can register themselves with the DNS server. The DNS server automatically rejects the requests from the computers that do not belong to the domain. This protects the DNS server from getting automatically populated with records of unwanted, suspicious and/or fake computers. None – When this option is selected, the DNS server does not accept any registration request from any computers whatsoever. In such cases, DNS administrators must manually add the IP addresses and the Fully Qualified Domain Names (FQDNs) of the client computers to the DNS database. In most production environments, systems administrators configure Secure Only dynamic updates for DNS. This remarkably reduces the security risks by allowing only the authentic domain client computers to register themselves with the DNS server automatically, and decreases the administrative overhead at the same time. However in some scenarios, administrators choose to have non-Active Directory integrated zone to stay compliant with the policies of the organization. This configuration is not at all recommended because it does not allow administrators to configure DNS server for Secure only updates, and it does not allow the DNS database to get replicated automatically to the other DNS servers along with the Active Directory replication process. When DNS zone is not Active Directory integrated, DNS database replication process must be performed manually by the administrators. Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the steps given as below: 1. Log on to Windows Server 2008 R2 DNS server computer with the domain admin or enterprise admin account on which ‘Secure only’ dynamic updates are to be configured. 2. On the desktop screen, click Start. 3. From the Start menu, go to Administrator Tools > DNS. 4. On DNS Manager snap-in, from the console tree in the left, double-click to expand the DNS server name. 5. From the expanded list, double-click Forward Lookup Zones. 6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be configured. 7. From the displayed context menu, click Properties.

8. On the zone’s properties box, make sure that the General tab is selected. 9. On the selected tab, choose Secure only option from the Dynamic updates drop-down list. Note: Secure only option is available only if the DNS zone is Active Directory integrated.

Secure Only Dynamic Update 10. 11.

Click OK to apply the modified changes. Close DNS Manager snap-in when done.

QUESTION 11 Your network contains a domain controller that has two network connections named Internal and Private. Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address. What should you do? A. B. C. D.

Modify the netlogon.dns file on the domain controller. Modify the Name Server settings of the DNS zone for the domain. Modify the properties of the Private network connection on the domain controller. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/2023004 Steps to avoid registering unwanted NIC(s) in DNS on a Mulithomed Domain Controller Symptoms On Domain Controllers with more than one NIC where each NIC is connected to separate Network, there is a possibility that the Host A DNS registration can occur for unwanted NIC(s). If the client queries for DC’s DNS records and gets an unwanted record or the record of a different network which is not reachable to client, the client will fail to contact the DC causing authentication and many other issues. Cause The DNS server will respond to the query in a round robin fashion. If the DC has multiple NICs registered in DNS. The DNS will serve the client with all the records available for that DC. To prevent this, we need to make sure the unwanted NIC address is not registered in DNS. Below are the services that are responsible for Host A record registration on a DC 1. Netlogon service 2. DNS server service (if the DC is running DNS server service) 3. DHCP client /DNS client (2003/2008) If the NIC card is configured to register the connection address in DNS, then the DHCP /DNS client service will Register the record in DNS. Unwanted NIC should be configured not to register the connection address in DNS If the DC is running DNS server service, then the DNS service will register the interface Host A record that it has set to listen on. The Zone properties, “Name server” tab list out the IP addresses of interfaces present on the DC. If it has listed both the IPs, then DNS server will register Host A record for both the IP addresses. We need to make sure only the required interface listens for DNS and the zone properties, name server tab has required IP address information

Resolution To avoid this problem perform the following 3 steps (It is important that you follow all the steps to avoid the issue). 1. Under Network Connections Properties: On the Unwanted NIC TCP/IP Properties -> Advanced -> DNS - > Uncheck "Register this connections Address in DNS" 2. Open the DNS server console: highlight the server on the left pane Action-> Properties and on the "Interfaces" tab select "listen on only the following IP addresses". Remove unwanted IP address from the list 3. On the Zone properties, select Name server tab. Along with FQDN of the DC, you will see the IP address associated with the DC. Remove unwanted IP address if it is listed. After performing this delete the existing unwanted Host A record of the DC. QUESTION 12 Your network contains an Active Directory forest named contoso.com. You plan to add a new domain named nwtraders.com to the forest. All DNS servers are domain controllers. You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest. What should you do? A. B. C. D.

Add the computer accounts of all the domain controllers to the DnsAdmins group. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group. Create a standard primary zone on a domain controller in the forest root domain. Create an Active Directory-integrated zone on a domain controller in the forest root domain.

Correct Answer: D Section: (none) Explanation Explanation/Reference: ??? QUESTION 13 Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com. You discover that non-domain member computers register records in the contoso.com zone. You need to prevent the non-domain member computers from registering records in the contoso.com zone. All domain member computers must be allowed to register records in the contoso.com zone. What should you do first? A. B. C. D.

Configure a trust anchor. Run the Security Configuration Wizard (SCW). Change the contoso.com zone to an Active Directory-integrated zone. Modify the security settings of the %SystemRoot%\System32\Dns folder.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx Active Directory-Integrated Zones DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages: Multiple masters are created for DNS replication. Therefore: Any domain controller in the domain running the DNS server service can write updates to the Active Directory–integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed. Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS QUESTION 14 Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. What should you do? A. B. C. D.

From From From From

the command prompt, use the netsh tool. the command prompt, use the dnscmd tool. DNS Manager, modify the properties of the GlobalNames zone. DNS Manager, modify the advanced settings of the DNS server.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc731744.aspx Enable GlobalNames zone support The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest: dnscmd /config /enableglobalnamessupport 1 QUESTION 15 Your company has a main office and a branch office. The network contains an Active Directory domain named contoso.com.

The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain. The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You uninstall the DNS server role from RODC1. You need to prevent DNS records from replicating to RODC1. What should you do? A. B. C. D.

Modify the replication scope for the contoso.com zone. Flush the DNS cache and enable cache locking on RODC1. Configure conditional forwarding for the contoso.com zone. Modify the zone transfer settings for the contoso.com zone.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc754916.aspx Change the Zone Replication Scope You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)–integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope. http://technet.microsoft.com/en-us/library/cc772101.aspx Understanding DNS Zone Replication in Active Directory Domain Services You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.

When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS–integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest. AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog. AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000. If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller. QUESTION 16 Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.

The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003. DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise. You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC. What should you do first? A. B. C. D.

Change the functional level of the forest. Change the functional level of the domain. Upgrade DC1 to Windows Server 2008 R2. Upgrade DNS1 to Windows Server 2008 R2.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspx DNS Security Extensions (DNSSEC) What are the major changes? Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server® 2008 R2 and Windows® 7. With Windows Server 2008 R2 DNS server, you can now sign and host DNSSECsigned zones to provide security for your DNS infrastructure. The following changes are available in DNS server in Windows Server 2008 R2: Ability to sign a zone and host signed zones. Support for changes to the DNSSEC protocol. Support for DNSKEY, RRSIG, NSEC, and DS resource records. The following changes are available in DNS client in Windows 7: Ability to indicate knowledge of DNSSEC in queries. Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records. Ability to check whether the DNS server with which it communicated has performed validation on the client’s behalf. The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client’s behavior. The NRPT is typically managed through Group Policy. What does DNSSEC do? DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone. ..

QUESTION 17 Your network contains a domain controller that is configured as a DNS server. The server hosts an Active Directory-integrated zone for the domain. You need to reduce how long it takes until stale records are deleted from the zone. What should you do? A. B. C. D.

From From From From

the configuration directory partition of the forest, modify the tombstone lifetime. the configuration directory partition of the forest, modify the garbage collection interval. the aging properties of the zone, modify the no-refresh interval and the refresh interval. the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.

Correct Answer: C Section: (none) Explanation Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx Set Aging and Scavenging Properties for a Zone The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool. To set aging and scavenging properties for a zone using the Windows interface 1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS. 2. In the console tree, right-click the applicable zone, and then click Properties. 3. On the General tab, click Aging. 4. Select the Scavenge stale resource records check box. 5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line 1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. 2. At the command prompt, type the following command, and then press ENTER: dnscmd /Config {/Aging |/RefreshInterval |/ NoRefreshInterval }

QUESTION 18 You have an Active Directory domain named contoso.com. You have a domain controller named Server1 that is configured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The DNS configuration of Server1 is shown below:

You discover that stale resource records are not automatically removed from the contoso.com zone. You need to ensure that the stale resource records are automatically removed from the contoso.com zone. What should you do? A. B. C. D.

Set the scavenging period of Server1 to 0 days. Modify the Server Aging/Scavenging properties. Configure the aging properties for the contoso.com zone. Convert the contoso.com zone to an Active Directory-integrated zone.

Correct Answer: C Section: (none) Explanation Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx Set Aging and Scavenging Properties for a Zone The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool. To set aging and scavenging properties for a zone using the Windows interface 1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS. 2. In the console tree, right-click the applicable zone, and then click Properties. 3. On the General tab, click Aging. 4. Select the Scavenge stale resource records check box. 5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line 1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. 2. At the command prompt, type the following command, and then press ENTER: dnscmd /Config {/Aging |/RefreshInterval |/ NoRefreshInterval }

QUESTION 19 Your network contains an Active Directory domain named contoso.com. You remove several computers from the network. You need to ensure that the host (A) records for the removed computers are automatically deleted from the contoso.com DNS zone. What should you do? A. B. C. D.

Configure dynamic updates. Configure aging and scavenging. Create a scheduled task that runs the Dnscmd /ClearCache command. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.

Correct Answer: B Section: (none) Explanation Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx Set Aging and Scavenging Properties for a Zone The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool. To set aging and scavenging properties for a zone using the Windows interface 1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS. 2. In the console tree, right-click the applicable zone, and then click Properties. 3. On the General tab, click Aging. 4. Select the Scavenge stale resource records check box. 5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line 1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. 2. At the command prompt, type the following command, and then press ENTER: dnscmd /Config {/Aging |/RefreshInterval |/ NoRefreshInterval }

QUESTION 20 You need to force a domain controller to register all service location (SRV) resource records in DNS. Which command should you run? A. B. C. D.

ipconfig.exe /registerdns net.exe stop dnscache & net.exe start dnscache net.exe stop netlogon & net.exe start netlogon regsvr32.exe dnsrslvr.dll

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. QUESTION 21 Your network contains an Active Directory domain named contoso.com.

You plan to deploy a child domain named sales.contoso.com. The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com. You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fully qualified domain names (FQDNs). What should you do? A. B. C. D.

Create a DNS forwarder. Create a DNS delegation. Configure root hint servers. Configure an alternate DNS server on all client computers.

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc784494%28v=ws.10%29.aspx Delegating zones DNS provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones: A need to delegate management of part of your DNS namespace to another location or department within your organization. A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment. A need to extend the namespace by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site. If, for any of these reasons, you could benefit from delegating zones, it might make sense to restructure your namespace by adding additional zones. When choosing how to structure zones, you should use a plan that reflects the structure of your organization. When delegating zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone. When a standard primary zone is first created, it is stored as a text file containing all resource record information on a single DNS server. This server acts as the primary master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance. When structuring your zones, there are several good reasons to use additional DNS servers for zone replication: 1. Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding. 2. Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed WAN link can be useful in managing and reducing network traffic. 3. Additional secondary servers can be used to reduce loads on a primary server for a zone. Example: Delegating a subdomain to a new zone As shown in the following figure, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.

In this example, an authoritative DNS server computer for the newly delegated example.microsoft.com subdomain is named based on a derivative subdomain included in the new zone (ns1.us.example.microsoft.com). To make this server known to others outside of the new delegated zone, two RRs are needed in the microsoft.com zone to complete delegation to the new zone. These RRs include: An NS RR to effect the delegation. This RR is used to advertise that the server named ns1.us.example.microsoft.com is an authoritative server for the delegated subdomain. An A RR (also known as a glue record) is needed to resolve the name of the server specified in the NS RR to its IP address. The process of resolving the host name in this RR to the delegated DNS server in the NS RR is sometimes referred to as glue chasing. Note When zone delegations are correctly configured, normal zone referral behavior can sometimes be circumvented if you are using forwarders in your DNS server configuration. QUESTION 22 Your network contains a single Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone for contoso.com. DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept secure dynamic updates only. You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone. Which command should you run? A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary

C. dnslint.exe /ql D. repadmin.exe /syncall /force Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx#BKMK_29 Dnscmd A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. dnscmd /zoneresettype Changes the zone type. Syntax dnscmd [] /zoneresettype [/overwrite_mem | /overwrite_ds] Parameters Specifies the DNS server to manage, represented by local computer syntax, IP address, FQDN, or host name. If this parameter is omitted, the local server is used. Identifies the zone on which the type will be changed. Specifies the type of zone to create. Each type has different required parameters: /dsprimary Creates an Active Directory–integrated zone. /primary /file Creates a standard primary zone. /secondary [,...] Creates a standard secondary zone. /stub [,...] /file Creates a file-backed stub zone. /dsstub [,...] Creates an Active Directory–integrated stub zone. /forwarder server terminator.movie.edu Default Server: terminator.movie.edu Address: 192.249.249.3 > carrie.movie.edu. Server: terminator.movie.edu Address: 192.249.249.3 *** terminator.movie.edu can't find carrie.movie.edu.: Query refused > ls movie.edu - This attempts a zone transfer [terminator.movie.edu] *** Can't list domain movie.edu: Query refused > QUESTION 24 Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2. You need to identify if all of the DNS records used for Active Directory replication are correctly registered. What should you do? A. B. C. D.

From From From From

the command prompt, use netsh.exe. the command prompt, use dnslint.exe. the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet. the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd197560.aspx Dnslint.exe DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct. QUESTION 25 Your network contains an Active Directory forest. The forest contains one domain and three sites. Each site contains two domain controllers. All domain controllers are DNS servers. You create a new Active Directory-integrated zone. You need to ensure that the new zone is replicated to the domain controllers in only one of the sites. What should you do first?

A. B. C. D.

Modify the NTDS Site Settings object for the site. Modify the replication settings of the default site link. Create an Active Directory connection object. Create an Active Directory application directory partition.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Practically the same question as A/Q50 and K/Q17, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.

Reference 1: http://technet.microsoft.com/en-us/library/cc725739.aspx Store Data in an AD DS Application Partition You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the

application directory partition. Reference 2: http://technet.microsoft.com/en-us/library/cc730970.aspx partition management Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). This is a subcommand of Ntdsutil and Dsmgmt. Examples To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps: 1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, rightclick Command Prompt, and then click Run as administrator. 2. Type: ntdsutil 3. Type: Ac in ntds 4. Type: partition management 5. Type: connections 6. Type: Connect to server DC_Name 7. Type: quit 8. Type: list The following partitions will be listed: 0 CN=Configuration,DC=Contoso,DC=com 1 DC=Contoso,DC=com 2 CN=Schema,CN=Configuration,DC=Contoso,DC=com 3 DC=DomainDnsZones,DC=Contoso,DC=com 4 DC=ForestDnsZones,DC=Contoso,DC=com 9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com 10. Run the list command again to refresh the list of partitions. QUESTION 26 Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table:

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integrated zones. You need to ensure that contoso.com records are available on DC3. Which command should you run? A. B. C. D.

dnscmd.exe DC1.contoso.com dnscmd.exe DC1.contoso.com dnscmd.exe DC3.contoso.com dnscmd.exe DC3.contoso.com

/ZoneChangeDirectoryPartition contoso.com /ZoneChangeDirectoryPartition contoso.com /ZoneChangeDirectoryPartition contoso.com /ZoneChangeDirectoryPartition contoso.com

/domain /forest /domain /forest

Correct Answer: B Section: (none) Explanation Explanation/Reference: ???? http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx#BKMK_23 Dnscmd A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. dnscmd /zonechangedirectorypartition Changes the directory partition on which the specified zone resides. Syntax dnscmd [] /zonechangedirectorypartition ] {[] | [] } Parameters Specifies the DNS server to manage, represented by IP address, FQDN, or host name. If this parameter is omitted, the local server is used. The FQDN of the current directory partition on which the zone resides. The FQDN of the directory partition that the zone will be moved to. Specifies the type of directory partition that the zone will be moved to. /domain Moves the zone to the built-in domain directory partition. /forest Moves the zone to the built-in forest directory partition. /legacy Moves the zone to the directory partition that is created for pre–Active Directory domain controllers. These directory partitions are not necessary for native mode. QUESTION 27 You have a DNS zone that is stored in a custom application directory partition. You install a new domain controller. You need to ensure that the custom application directory partition replicates to the new domain controller. What should you use?

A. B. C. D.

the Active Directory Administrative Center console the Active Directory Sites and Services console the DNS Manager console the Dnscmd tool

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc772069.aspx dnscmd /enlistdirectorypartition Adds the DNS server to the specified directory partition's replica set. QUESTION 28 Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2008. You have a member server named Server1 that runs Windows Server 2008. You need to ensure that you can add Server1 to contoso.com as a domain controller. What should you run before you promote Server1? A. B. C. D.

dcpromo.exe /CreateDCAccount dcpromo.exe /ReplicaOrNewDomain:replica Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels.aspx After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003. QUESTION 29 Your network contains an Active Directory forest. The forest contains a single domain. You want to access resources in a domain that is located in another forest. You need to configure a trust between the domain in your forest and the domain in the other forest. What should you create?

A. B. C. D.

an incoming external trust an incoming realm trust an outgoing external trust an outgoing realm trust

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816877.aspx A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest). QUESTION 30 Your network contains two Active Directory forests. One forest contains two domains named contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configured between the two forests. You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to a computer in the nwtraders.com domain by using the user name NA\User1. Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain. You need to ensure that User1 can log on to the computer in the nwtraders.com domain. What should you do? A. B. C. D.

Enable selective authentication over the forest trust. Create an external one-way trust from na.contoso.com to nwtraders.com. Instruct User1 to log on to the computer by using his user principal name (UPN). Instruct User1 to log on to the computer by using the user name nwtraders\User1.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://apttech.wordpress.com/2012/02/29/what-is-upn-and-why-to-use-it/ What is UPN and why to use it? UPN or User Principal Name is a logon method of authentication when you enter the credentials as [email protected] instead of Windows authentication method: domainname\username to be used as login. So UPN is BASICALLY a suffix that is added after a username which can be used in place of “Samaccount” name to authenticate a user. So lets say your company is called ABC, then instead of ABC\Username you can use [email protected] at the authentication popup. The additional UPN suffix can help users to simplify the logon information in long domain names with an easier name. Example: instead of “[email protected]”, change it to “username@atlanta”, if you create an UPN suffix called Atlanta.

http://blogs.technet.com/b/mir/archive/2011/06/12/accessing-resources-across-forest-and-achieve-single-signon-part1.aspx Accessing Resources across forest and achieve Single Sign ON (Part1) http://technet.microsoft.com/en-us/library/cc772808%28v=ws.10%29.aspx Accessing resources across forests ... When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a TDO. Trusted namespaces include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are replicated to the global catalog. ... QUESTION 31 Your company has a main office and a branch office. The main office contains two domain controllers. You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branch office, and then add the domain controller to the BranchOfficeSite site. You discover that users in the branch office are randomly authenticated by either the domain controller in the branch office or the domain controllers in the main office. You need to ensure that the users in the branch office always attempt to authenticate to the domain controller in the branch office first. What should you do? A. B. C. D.

Create organizational units (OUs). Create Active Directory subnet objects. Modify the slow link detection threshold. Modify the Location attribute of the computer objects.

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc754697.aspx Understanding Sites, Subnets, and Site Links Sites overview Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller. .. Associating sites and subnets A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses

to the site. Note The term "subnet" in AD DS does not have the strict networking definition of the set of all addresses behind a single router. The only requirement for an AD DS subnet is that the address prefix conforms to the IP version 4 (IPv4) or IP version 6 (IPv6) format. When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites. .. Locating domain controllers by site Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify their site names. Domain controllers also register host (A) resource records in DNS that identify their IP addresses. When a client requests a domain controller, it provides its site name to DNS. DNS uses the site name to locate a domain controller in that site (or in the next closest site to the client). DNS then provides the IP address of the domain controller to the client for the purpose of connecting to the domain controller. For this reason, it is important to ensure that the IP address that you assign to a domain controller maps to a subnet that is associated with the site of the respective server object. Otherwise, when a client requests a domain controller, the IP address that is returned might be the IP address of a domain controller in a distant site. When a client connects to a distant site, the result can be slow performance and unnecessary traffic on expensive WAN links. QUESTION 32 Your company has a main office and 50 branch offices. Each office contains multiple subnets. You need to automate the creation of Active Directory subnet objects. What should you use? A. B. C. D.

the Dsadd tool the Netsh tool the New-ADObject cmdlet the New-Object cmdlet

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/ee617260.aspx New-ADObject Creates an Active Directory object. Syntax: New-ADObject [-Name] [-Type] [-AuthType { | }] [-Credential ] [-Description ] [-DisplayName ] [-Instance ] [-OtherAttributes ] [-PassThru ] [-Path ] [-ProtectedFromAccidentalDeletion ] [-Server ] [-Confirm] [-WhatIf] []

Detailed Description The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new user account. You can use this cmdlet to create any type of Active Directory object. Many object properties are defined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using the OtherAttributes parameter. You must set the Name and Type parameters to create a new Active Directory object. The Name specifies the name of the new object. The Type parameter specifies the LDAP display name of the Active Directory Schema Class that represents the type of object you want to create. Examples of Type values include computer, group, organizational unit, and user. The Path parameter specifies the container where the object will be created.. When you do not specify the Path parameter, the cmdlet creates an object in the default naming context container for Active Directory objects in the domain.

QUESTION 33 Your network contains an Active Directory forest. The forest contains multiple sites. You need to enable universal group membership caching for a site. What should you do? A. B. C. D.

From From From From site.

Active Directory Sites and Services, modify the NTDS Settings. Active Directory Sites and Services, modify the NTDS Site Settings. Active Directory Users and Computers, modify the properties of all universal groups used in the site. Active Directory Users and Computers, modify the computer objects for the domain controllers in the

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc816797%28v=ws.10%29.aspx Enabling Universal Group Membership Caching in a Site In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest. If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide are network (WAN) connection can be problematic and a user can potentially be unable to log on to the domain if a global catalog server is not available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user’s initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server. To complete this task, perform the following procedure:

http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29.aspx Enable Universal Group Membership Caching in a Site 1. 2. 3. 4. 5.

Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching. In the details pane, right-click the NTDS Site Settings object, and then click Properties. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.

QUESTION 34 You need to ensure that domain controllers only replicate between domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services? A. From the IP properties, select Ignore all schedules. B. From the IP properties, select Disable site link bridging. C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects. D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site. Correct Answer: B Section: (none) Explanation Explanation/Reference: http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htm What is Site Link Bridge and How to create Site Link Bridge A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. By default, all site links are transitive and it is recommended to keep transitivity enabled by not changing the default value of "Bridge all site links" (enabled by default).

We may need to disable "Bridge all site links" and create a site link bridge design if • When the IP network is not fully routed. • When we need to control the replication flow in Active Directory. QUESTION 35 Your company has a main office and a branch office. You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office. You need to ensure that IPv6-only computers authenticate to domain controllers in the same site. What should you do? A. B. C. D.

Configure the NTDS Site Settings object. Create Active Directory subnet objects. Create Active Directory Domain Services connection objects. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc754697.aspx

Understanding Sites, Subnets, and Site Links Sites overview Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller. .. Associating sites and subnets A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses to the site. Note The term "subnet" in AD DS does not have the strict networking definition of the set of all addresses behind a single router. The only requirement for an AD DS subnet is that the address prefix conforms to the IP version 4 (IPv4) or IP version 6 (IPv6) format. When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites. QUESTION 36 Your network contains an Active Directory domain. The domain is configured as shown in the following table:

Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure that users in Branch2 only authenticate to the domain controllers in Main. What should you do? A. B. C. D.

On DC3, set the AutoSiteCoverage value to 0. On DC3, set the AutoSiteCoverage value to 1. On DC1 and DC2, set the AutoSiteCoverage value to 0. On DC1 and DC2, set the AutoSiteCoverage value to 1.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc787491%28v=ws.10%29.aspx Parameters\AutoSiteCoverage

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Description Specifies whether the system can add sites to the coverage area of this domain controller. Domain controllers cover, that is, provide services to, the site in which they reside and to other sites listed in the value of the entry SiteCoverage. In addition, when the value of AutoSiteCoverage is 1, the system can add sites that do not have domain controllers to this domain controller's coverage area.

The sites added to the domain controller's coverage are stored in memory, and a new list is assembled each time the Net Logon service starts or when Netlogon is notified of the site object changes. While Net Logon runs, it updates this list at an interval specified by the value of the entry DnsRefreshInterval. ... http://technet.microsoft.com/en-us/library/cc749944.aspx Planning Active Directory for Branch Office .. Disabling AutoSiteCoverage Registration in DNS Another situation that requires configuration of SRV records results from not having a domain controller in a particular site. This may happen because there are no users needing constant logon access, or because replication to the site might be too expensive or too slow. To ensure that a domain controller can be located in the site closest to a client computer, if not the same site, Windows 2000 automatically attempts to register a domain controller in every site by using an "autositecoverage" algorithm. The algorithm determines how one site can "cover" another site when no domain controller exists in the second site. By default, the process uses the replication topology. The algorithm works as follows. Each domain controller checks all sites in the forest and then checks the replication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its site has the lowest-cost connections. This process ensures that every site has a domain controller even though its domain controller may not be located in that site. The domain controllers that are published in DNS are those from the closest site (as defined by the replication topology). In the branch office scenario, any computer from other sites should not discover branch office domain controllers. A client should always communicate with a local domain controller, and if that is not available, use a domain controller in the hub site. To achieve this: 1. Disable AutoSiteCoverage on all of the domain controllers, not only for the branch domain controllers, but also hub domain controllers. 2. Do not register generic records as described above. If both of these configurations (1. and 2.) are performed, then all-site clients will discover the local domain controller if it is available, or its hub domain controller (if no local domain controller is available). In the unusual scenario when a site with a domain controller for some domain is closer to another site than the central hub, the administrator has the ability to configure that domain controller with the specific ("close") sites to be covered using the following registry values: SiteCoverage, GcSiteCoverage. Alternatively, the administrator can use the following Group Policy settings: Sites Covered by the domain controller Locator DNS SRV Records

Sites Covered by the global catalog server Locator DNS SRV Records Sites Covered by the NDNC Locator DNS SRV Records QUESTION 37 Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. DC3 fails. You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 and the domain controllers in Site1. On DC4, you run repadmin.exe /kcc. Replication between the sites continues to fail. You need to ensure that Active Directory data replicates between the sites. What should you do? A. B. C. D.

From From From From

Active Directory Sites and Services, modify the properties of DC3. Active Directory Sites and Services, modify the NTDS Site Settings of Site2. Active Directory Users and Computers, modify the location settings of DC4. Active Directory Users and Computers, modify the delegation settings of DC4.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Same question as J/Q10. By modifying the properties of DC3 we can remove the preferred bridgehead status of DC3. Reference 1: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. Reference 2: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012) pages 589, 590 Preferred Bridgehead Servers

(...) It’s important to understand that if you have specified one or more bridgehead servers and none of the bridgeheads is available, no other server is automatically selected, and replication does not occur for the site even if there are servers that could act as bridgehead servers. QUESTION 38 Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2. You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR). What should you do first? A. B. C. D.

Run dfsrdiag.exe PollAD. Run dfsrmig.exe /SetGlobalState 0. Upgrade all domain controllers to Windows Server 2008 R2. Raise the functional level of the domain to Windows Server 2008.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc753479%28v=ws.10%29.aspx Distributed File System Distributed File System (DFS) Namespaces and DFS Replication offer simplified, highly-available access to files, load sharing, and WAN-friendly replication. In the Windows Server® 2003 R2 operating system, Microsoft revised and renamed DFS Namespaces (formerly called DFS), replaced the Distributed File System snap-in with the DFS Management snap-in, and introduced the new DFS Replication feature. In the Windows Server® 2008 operating system, Microsoft added the Windows Server 2008 mode of domain-based namespaces and added a number of usability and performance improvements. What does Distributed File System (DFS) do? The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly-available access to geographically dispersed files. The two technologies in DFS are the following: DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections. DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level. QUESTION 39 Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User objects.

You need to ensure that Attribute1 is replicated to the global catalog. What should you do? A. B. C. D.

In Active Directory Sites and Services, configure the NTDS Settings. In Active Directory Sites and Services, configure the universal group membership caching. From the Active Directory Schema snap-in, modify the properties of the User class schema object. From the Active Directory Schema snap-in, modify the properties of the Attibute1 class schema attribute.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://www.tech-faq.com/the-global-catalog-server.html The Global Catalog Server The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects. .. How to Include Additional Attributes in the GC The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it to the MMC before it can be used to customize the GC. To add the Active Directory Schema snap-in in the MMC: 1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter. 2. Enter the following at the command prompt: regsvr32 schmmgmt.dll. 3. Click OK to acknowledge that the dll was successfully registered. 4. Click Start, Run, and enter mmc in the Run dialog box. 5. When the MMC opens, select Add/Remove Snap-in from the File menu. 6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box. 7. Close all open dialog boxes. To include additional attributes in the GC: 1. Open the Active Directory Schema snap-in. 2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu. 3. Additional attributes are added on the General tab. 4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled. 5. Click OK. QUESTION 40 Your network contains an Active Directory domain. The domain contains three domain controllers. One of the domain controllers fails. Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts.

Which operations master role should you seize? A. B. C. D. E.

domain naming master infrastructure master primary domain controller (PDC) emulator RID master schema master

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx Operations master roles Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform in using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes. In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest. .. RID master The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object. http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-activedirectory/5081138 Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory http://www.petri.co.il/seizing_fsmo_roles.htm Seizing FSMO Roles QUESTION 41 Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed. Server1 has an AD LDS instance. You need to ensure that you can replicate the instance from Server1 to Server2. What should you do on both servers? A. Obtain a server certificate. B. Import the MS-User.ldf file.

C. Create a service user account for AD LDS. D. Register the service location (SRV) resource records. Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc794857%28v=ws.10%29.aspx Administering AD LDS Instances Each AD LDS instance runs as an independent—and separately administered—service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually. AD LDS service account The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation. QUESTION 42 Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1. You need to create an additional AD LDS application directory partition in the existing instance. Which tool should you use? A. B. C. D.

Adaminstall Dsadd Dsmod Ldp

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc755251.aspx Create an Application Directory Partition You use Ldp.exe to add a new application directory partition to an existing instance of Active Directory Lightweight Directory Services (AD LDS). QUESTION 43 Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You connect to Instance1 by using ADSI Edit.

You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1. What should you do? A. B. C. D.

Run the AD LDS Setup Wizard. Modify the schema of Instance1. Modify the properties of the Instance1 service. Install the Remote Server Administration Tools (RSAT).

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc772194.aspx To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%adam on the computer where AD LDS is installed. The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema. QUESTION 44 Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runs Windows Server 2008 R2. You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1. What should you do? A. B. C. D.

Run ldp.exe and use the Bind option. Run diskpart.exe and use the Attach option. Run dsdbutil.exe and use the snapshot option. Run imagex.exe and specify the /mount parameter.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc753151%28v=ws.10%29.aspx Dsdbutil Performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer. .. Commands .. snapshot

Manages snapshots. http://technet.microsoft.com/en-us/library/cc731620%28v=ws.10%29.aspx snapshot Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server. .. This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Syntax activate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted ] [mount %s] [quit] Parameters .. mount %s Mounts a snapshot with GUID %s. You can refer to an index number of any mounted snapshot instead of its GUID. QUESTION 45 Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network. A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1. To which group should you add User1? A. B. C. D.

AD RMS Auditors AD RMS Service Group Domain Admins Schema Admins

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx The AD RMS Service Connection Point The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. .. The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority. ..

QUESTION 46 Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com. From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com. You need to prevent users from impersonating contoso.com users. What should you do? A. B. C. D.

Configure trusted e-mail domains. Enable lockbox exclusion in AD RMS. Create a forest trust between adatum.com and contoso.com. Add a certificate from a third-party trusted certification authority (CA).

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc753930.aspx Add a Trusted User Domain By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests. For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest. You can add TUDs as follows: To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft’s online RMS service. For more information about trusting Windows Live ID in your organization, see Use Windows Live ID to Establish RACs for Users. To trust external users from another organization’s AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server that is in the other organization. In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest. For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted. QUESTION 47 Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network. You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month. You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.

You want to achieve this goal by using the minimum amount of administrative effort. What should you do? A. Upgrade all of the Windows Vista computers to Windows 7. B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2). C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy. D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy. Correct Answer: B Section: (none) Explanation Explanation/Reference: http://social.technet.microsoft.com/wiki/contents/articles/3911.how-to-deploy-ad-rms-policy-templates.aspx How to Deploy AD RMS Policy Templates Table of Contents Method 1 - Using Group Policy with Office Administrative Templates Method 2 - Automatic AD RMS Rights Policy Template Distribution Method 3 - Manually copy the ADRMS Rights Policy Templates Method 4 - Offline Folders .. Method 2 - Automatic AD RMS Rights Policy Template Distribution Documented in the AD RMS Rights Policy Templates Deployment Step-by-Step Guide (http:// technet.microsoft.com/en-us/library/cc731070%28WS.10%29.aspx). Essentially involves the following elements Network share where the ADRMS Rights Policy Templates can be stored Desktop clients that are Windows Vista SP2 and above Creating a Scheduled task Few registry edits ... QUESTION 48 Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS. You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices. What should you do? A. B. C. D.

Modify the security of the ServerCertification.asmx file. Modify the security of the MobileDeviceCertification.asmx file. Enable anonymous authentication for the _wmcs virtual directory. Enable anonymous authentication for the certification virtual directory.

Correct Answer: B

Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/ff608252%28v=ws.10%29.aspx Windows Mobile Considerations for AD RMS AD RMS and Windows Mobile Requirements Active Directory Rights Management Services (AD RMS) integrates with Microsoft Windows Mobile® in Windows Mobile 6 and later devices. End users can create and consume protected e-mail messages and can read protected Microsoft Office documents on their Windows Mobile device. ... AD RMS client capabilities are embedded in the operating system of Windows Mobile 6 and later devices. There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only on devices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected content between the different versions and editions of Windows Mobile 6 or later. By default the Discretionary access control lists (DACLs) of the AD RMS mobile certification pipeline is restricted and must be enabled for Windows Mobile 6 or later devices to obtain certificates and licenses to create and consume AD RMS protected content. You can enable the certification of mobile devices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabled application Read and Read & Execute permissions to the MobileDeviceCertification.asmx file. This file is located under %systemdrive%\Inetpub\wwwroot\_wmcs\Certification by default. You must complete this process on each AD RMS server in the cluster. QUESTION 49 Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use? A. B. C. D.

Active Directory Rights Management Services Active Directory Users and Computers Component Services Services

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx AD RMS How To: Change the RMS Service Account Password The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed. It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly. These processes include, but are not limited to the following items. Ensure the service account meets the criteria (is a domain account, is not the domain account that

provisioned RMS, and etc.) Temporarily suspends RMS functionality on the server during the change Updates the RMS local groups Updates the database role for the service account Updates and restarts the MSMQ and logging services Updates the service account for the _DRMSAppPool1 web application pool Updates appropriate AD RMS configuration database tables There are important requirements to run this wizard. Must be logged on to the AD RMS server Account running the wizard must be: * A local administrator on the RMS server, * A member of the AD RMS Enterprise Administrators group, and * A SQL SysAdmin on the AD RMS instance Lastly, this must be performed on each server of the AD RMS cluster

QUESTION 50 Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have several custom policy templates. The custom policy templates are updated frequently. Some users report that it takes as many as 30 days to receive the updated policy templates. You need to ensure that users receive the updated custom policy templates within seven days. What should you do? A. B. C. D.

Modify the registry on the AD RMS servers. Modify the registry on the users' computers. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc771971.aspx Configuring the AD RMS client The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks updateFrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM \TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime, which forces the client computer to update its rights policy templates.

Exam E QUESTION 1 Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1. You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers. What should you do? A. B. C. D.

Run ntdsutil.exe and use the Roles option. Run dsmgmt.exe and use the Local Roles option. From Active Directory Sites and Services, modify the NTDS Site Settings. From Active Directory Users and Computers, add the user to the Server Operators group.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc732301.aspx Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role. To configure Administrator Role Separation for an RODC 1. Click Start, click Run, type cmd, and then press ENTER. 2. At the command prompt, type dsmgmt.exe, and then press ENTER. 3. At the DSMGMT prompt, type local roles, and then press ENTER. 4. (...) QUESTION 2 You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1. Which tool should you use? A. B. C. D.

Active Directory Administrative Center Active Directory Users and Computers Dsadd Dsmgmt

Correct Answer: B Section: (none) Explanation Explanation/Reference: Many thanks to Luffy for pointing me in the right direction with this question! There are a couple of ways to achieve this and two of them are mentioned in the listed answers, Active Directory Users and Computers and Dsmgmt.

Referenced below are two Technet articles. The first explains the different ways to implement Administrator Role Separation on an RODC, and why the use of Active Directory Users is recommended over Dsmgmt. The second reference is now a kind of bonus, explaining how to use dsmgmt for this task. (In version 1 of this dump I used it to explain why dsmgmt should be the answer.) Reference 1: http://technet.microsoft.com/en-us/library/cc755310.aspx Delegating local administration of an RODC Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added the Domain Admins group and therefore does not have additional rights to perform directory service operations. Steps and best practices for setting up ARS You can specify a delegated RODC administrator during an RODC installation or after it. To specify the delegated RODC administrator after installation, you can use either of the following options: Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second reference for more information on how to use dsmgmt.] Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator. In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain. Reference 2: http://technet.microsoft.com/en-us/library/cc732301.aspx Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role. To configure Administrator Role Separation for an RODC 1. Click Start, click Run, type cmd, and then press ENTER.

2. At the command prompt, type dsmgmt.exe, and then press ENTER. 3. At the DSMGMT prompt, type local roles, and then press ENTER. 4. For a list of valid parameters, type ? and then press ENTER. By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter. 5. Type add \ For example, type add CONTOSO\testuser administrators QUESTION 3 Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC). You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored and User1 reports that he is able to log on to the domain. You need to prevent the problem from reoccurring if the WAN link fails. What should you do? A. B. C. D.

Create a Password Settings object (PSO) and link the PSO to User1's user account. Create a Password Settings object (PSO) and link the PSO to the Domain Users group. Add the computer account of the RODC to the Allowed RODC Password Replication Group. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx Password Replication Policy When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently. The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline. Note You must include the appropriate user, computer, and service accounts in the Password Replication Policy in order to allow the RODC to satisfy authentication and service ticket requests locally. When only users from the branch are encompassed by the allow list, the RODC is not able to satisfy requests for service tickets locally and it relies on access to a writable Windows Server 2008 domain controller to do so. In the WAN offline scenario, this is likely to lead to a service outage.

.. Password Replication Policy Allowed and Denied lists Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group. These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDSNeverRevealGroup Active Directory attributes mentioned earlier. By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List attribute contains only the Allowed RODC Password Replication Group. By default, the Denied RODC Password Replication Group contains the following members: Enterprise Domain Controllers Enterprise Read-Only Domain Controllers Group Policy Creator Owners Domain Admins Cert Publishers Enterprise Admins Schema Admins Domain-wide krbtgt account By default, the Denied List attribute contains the following security principals, all of which are built-in groups: Denied RODC Password Replication Group Account Operators Server Operators Backup Operators Administrators The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs. QUESTION 4 Your company has a main office and a branch office. The network contains an Active Directory domain. The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2. You discover that the password of an administrator named Admin1 is cached on DC2. You need to prevent Admin1's password from being cached on DC2. What should you do? A. B. C. D.

Modify the NTDS Site Settings. Modify the properties of the domain. Create a Password Setting object (PSO). Modify the properties of DC2's computer account.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy% 28v=ws.10%29.aspx

Administering the Password Replication Policy This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs). Viewing the PRP You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP. To view the PRP using Active Directory Users and Computers 1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. 2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain. 3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties. 4. Click the Password Replication Policy tab. An example is shown in the following illustration.

QUESTION 5 Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.

RODC1 runs Windows Server 2008 R2. A user named User1 logs on to a computer in the branch office site. You discover that the password of User1 is not stored on RODC1. You need to ensure that User1's password is stored on RODC1. What should you modify? A. B. C. D.

the Member Of properties of RODC1 the Member Of properties of User1 the Security properties of RODC1 the Security properties of User1

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy% 28v=ws.10%29.aspx Administering the Password Replication Policy Personal comment: Basically, these are the default settings for the Password Replication Policy of a specific RODC:

So, if you would add a user to be a member of a group that is allowed to store passwords on that specific RODC, then that user's password would be stored on that RODC.

QUESTION 6 Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC). A user from the branch office reports that his account is locked out. From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain. What should you do? A. Modify the Password Replication Policy.

B. Reset the password of the user account. C. Run the Knowledge Consistency Checker (KCC) on the RODC. D. Restore network communication between the branch office and the main office. Correct Answer: D Section: (none) Explanation Explanation/Reference: ??? not sure if: Run the Knowledge Consistency Checker (KCC) on the RODC. or Restore network communication between the branch office and the main office. QUESTION 7 Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008. You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D. E.

At the command prompt, run adprep.exe /rodcprep. At the command prompt, run adprep.exe /forestprep. At the command prompt, run adprep.exe /domainprep. From Active Directory Domains and Trusts, raise the functional level of the domain. From Active Directory Users and Computers, pre-stage the RODC computer account.

Correct Answer: BC Section: (none) Explanation Explanation/Reference: Because the domain has only Windows Server 2008 domain controllers, the current domain and forest functional levels are 2008 at most. Introducing a 2008 R2 domain controller requires adprep /forestprep and adprep /domainprep to be run. There's no other way, it has to be done. On top of that, the current domain already has five Windows Server 2008 RODCs. This means that adprep / rodcprep has already run and doesn't need to be run again in this case. Reference: http://technet.microsoft.com/en-us/library/dd464018.aspx What is Adprep.exe? Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server. Adprep.exe performs operations that must be completed in an existing Active Directory environment before you can add a domain controller that runs that version of Windows Server. You must run various Adprep.exe commands on your existing domain controllers to complete these operations in the following cases: Before you add the first domain controller that runs a version of Windows Server that is later than the latest

version that is running in your existing domain. (...) Running Adprep.exe To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. adprep /forestprep Must be run on the schema operations master for the forest. Once for the entire forest adprep /domainprep Must be run on the infrastructure operations master for the domain. Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain. adprep /rodcprep If you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server 2008 R2. QUESTION 8 You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which inbound TCP port should you allow on Server1? A. B. C. D.

88 135 443 445

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-things-to-check%28v=ws.10%29.aspx Things to Check Before Troubleshooting AD FS 2.0 Verify router, firewall, and HTTP proxy configurations In addition to verifying network connectivity, you may also have to verify that any routers, firewalls, or HTTP proxies in your network (or any routers, firewalls, or HTTP proxies that your federation partner is using) have been configured properly to support Web applications and protocols required with AD FS 2.0. For example, Web applications can require both TCP port exceptions to be enabled for HTTP and HTTPS traffic using Secure Sockets Layer (SSL). To ensure that the exceptions are configured appropriately, you may have to verify that the default TCP port numbers (80 for HTTP and 443 for HTTPS), which typically allow Web traffic, are in use. Also, check to see whether alternate TCP port numbers have been configured in any part of the network route between the client computer and all server computers that are involved. If alternate TCP port numbers are configured for Web application protocols, you may have to update your AD FS 2.0 deployment so that federation server and federation server proxy computers can support the alternate TCP ports. QUESTION 9 You deploy a new Active Directory Federation Services (AD FS) federation server.

You request new certificates for the AD FS federation server. You need to ensure that the AD FS federation server can use the new certificates. To which certificate store should you import the certificates? A. B. C. D.

Computer IIS Admin Service service account Local Administrator World Wide Web Publishing Service service account

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_13 Step 2: Installing AD FS Role Services and Configuring Certificates To import the server authentication certificate for adfsresource to adfsweb 1. Click Start, click Run, type mmc, and then click OK. 2. Click File, and then click Add/Remove Snap-in. 3. Select Certificates, click Add, click Computer account, and then click Next. 4. Click Local computer: (the computer this console is running on), click Finish, and then click OK. 5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import. 6. On the Welcome to the Certificate Import Wizard page, click Next. 7. On the File to Import page, type \\adfsresource\d$\adfsresource.pfx, and then click Next. 8. On the Password page, type the password for the adfsresource.pfx file, and then click Next. 9. On the Certificate Store page, click Place all certificates in the following store, and then click Next. 10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish. QUESTION 10 Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed. You have an application named App1 that is configured to use Server1 for AD FS authentication. You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server. You need to ensure that App1 can use Server2 for authentication. What should you do on Server2? A. B. C. D.

Add an attribute store. Create a relying party trust. Create a claims provider trust. Create a relaying provider trust.

Correct Answer: B Section: (none) Explanation Explanation/Reference: ????

http://technet.microsoft.com/en-us/library/dd807132%28v=ws.10%29.aspx Create a Relying Party Trust Using Federation Metadata http://pipe2text.com/?page_id=815 Setting up a Relying Party Trust in ADFS 2.0 http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trustin-ad-fs-2-0.aspx Using Federation Metadata to establish a Relying Party Trust in AD FS 2.0 QUESTION 11 Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store. A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application. You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company. What should you create on Server1? A. B. C. D.

a new application a resource partner an account partner an organization claim

Correct Answer: D Section: (none) Explanation Explanation/Reference: Many thanks to Luffy for helping me out with this one! Since the account store has already been configured, what needs to be done is to use the account store to map an AD DS global security group to an organization claim (called group claim extraction). So that's what we need to create for authentication: an organization claim. Creating a resource/account partner is part of setting up the Federation Trust. Reference 1: http://technet.microsoft.com/en-us/library/dd378957.aspx Configuring the Federation Servers [All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to post here.] Reference 2: http://technet.microsoft.com/en-us/library/cc732147.aspx Add an AD DS Account Store If user and computer accounts that require access to a resource that is protected by Active Directory Federation Services (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an account store on a federation server in the Federation Service that authenticates the accounts.

Reference 3: http://technet.microsoft.com/en-us/library/cc731719.aspx Map an Organization Group Claim to an AD DS Group (Group Claim Extraction) When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction. QUESTION 12 Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed. You plan to deploy AD FS 2.0 on Server2. You need to export the token-signing certificate from Server1, and then import the certificate to Server2. Which format should you use to export the certificate? A. B. C. D.

Base-64 encoded X.509 (.cer) Cryptographic Message Syntax Standard PKCS #7 (.p7b) DER encoded binary X.509 (.cer) Personal Information Exchange PKCS #12 (.pfx)

Correct Answer: D Section: (none) Explanation Explanation/Reference: Many thanks to 'confused' from Algeria and Luffy for noting this question needed a correction and for their help! Practically the same question as K/Q32 Reference 1: http://technet.microsoft.com/en-us/library/ff678038.aspx Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x. [The site provides also a link for instructions on how to export the token-signing certificate. That link point to the site mentioned in reference 2.] Reference 2: http://technet.microsoft.com/en-us/library/cc784075.aspx Export the private key portion of a token-signing certificate To export the private key of a token-signing certificate 1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services. 2. Right-click Federation Service, and then click Properties. 3. On the General tab, click View. 4. In the Certificate dialog box, click the Details tab. 5. On the Details tab, click Copy to File. 6. On the Welcome to the Certificate Export Wizard page, click Next. 7. On the Export Private Key page, select Yes, export the private key, and then click Next. 8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX) and then click Next.

9. (...) QUESTION 13 Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server. You install AD FS 2.0 on Server2. You need to add Server2 to the existing AD FS farm. What should you do? A. B. C. D.

On Server1, run fsconfig.exe. On Server1, run fsconfigwizard.exe. On Server2, run fsconfig.exe. On Server2, run fsconfigwizard.exe.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server.aspx Configure a New Federation Server To configure a new federation server using the command line 1. Open a Command Prompt window. 2. Change the directory to the path where AD FS 2.0 was installed. 3. To configure this computer as a federation server, type the applicable syntax using either of the following command parameters, and then press ENTER: fsconfig.exe {StandAlone|CreateFarm| CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters] Parameter JoinSQLFarm Joins this computer to an existing federation server farm that is using SQL Server. QUESTION 14 Your network contains an Active Directory forest. You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network. You create a Windows PowerShell script named new-users.ps1 that contains the following lines: new-aduser user1 new-aduser user2 new-aduser user3 new-aduser user4 new-aduser user5 On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts.

You need to ensure that the script creates the user accounts. Which cmdlet should you add to the script? A. B. C. D.

Import-Module Register-ObjectEvent Set-ADDomain Set-ADUser

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://blog.coretech.dk/jgs/powershell-creating-new-users-from-csv-with-password-and-enabled-accounts-orhow-to-pipe-into-multiple-cmdlets/ PowerShell: Creating new users from CSV with password and enabled accounts or How to Pipe into multiple cmdlets .. 1. Import-Module ActiveDirectory 2. import-csv e:\users\newusers.csv | 3. New-ADUser -path "ou=test1,dc=contoso,dc=com" -passthru | 4. ForEach-Object { 5. $_ | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Pa$$w0rd" Force) 6. $_ | Enable-ADAccount } QUESTION 15 Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to modify the custom attribute value of 500 user accounts. Which tool should you use? A. B. C. D.

Csvde Dsmod Dsrm Ldifde

Correct Answer: D Section: (none) Explanation Explanation/Reference: We cannot use Dsmod here, because it supports only a subset of commonly used object class attributes. Csvde can only import and export data. Dsrm is used to delete objects from the directory. Reference: http://technet.microsoft.com/en-us/library/cc731033.aspx Ldifde Creates, modifies, and deletes directory objects.

QUESTION 16 Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest. What should you use? A. B. C. D.

the Dsquery tool the Export-CSV cmdlet the Get-ADUser cmdlet the Net.exe user command

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q43. I find this one a bit tricky, as both the Get-ADUser cmdlet and the Dsquery tool seem to get the job done, I think. The other two options play no role here: Export-CSV cannot perform queries. It is used to save queries that have been piped through. Net User is too limited for our question. Get-ADUser References: https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for-output.aspx http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838e0f5f3a591d7 http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/ Export-Csv Reference: http://technet.microsoft.com/en-us/library/ee176825.aspx Saving Data as a Comma-Separated Values File The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt: Get-Process | Export-Csv c:\scripts\test.txt.

Net User Reference: http://technet.microsoft.com/en-us/library/cc771865.aspx Adds or modifies user accounts, or displays user account information. DSQUERY Reference 1: http://technet.microsoft.com/en-us/library/cc754232.aspx

Parameters { | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node . If you specify forestroot, AD DS searches by using the global catalog. -attr { | *} Specifies that the semicolon separated LDAP display names included in for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default is a distinguished name. Reference 2: http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the startnode, instead of forestroot what we need. Reference 3: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f690378e0f787/ List all last login times for all users, regardless of whether they are disabled. dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >>c:\last_logon_for_all.txt QUESTION 17 You have a Windows PowerShell script that contains the following code: import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword $_.password} When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails. You need to run a script that successfully creates the user accounts by using the password contained in accounts.csv. Which script should you run? A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)} B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)} C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (Read-Host -AsSecureString "Password")} D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (Read-Host -AsSecureString $_.Password)} Correct Answer: B Section: (none) Explanation Explanation/Reference: import-csv Accounts.csv | Foreach {

New-ADUser -Name $_.Name -Enabled $true - AccountPassword (ConvertTo-SecureString $_.Password AsPlainText -force)} Personal comment: import comma separated values file (most probably containing a column for Name and one for Password) for each line of values create a new AD user with the name contained in the Name column enable the account and set the password with the value contained in the Password column; import the password from plain text as a secure string and ignore warnings/errors http://technet.microsoft.com/en-us/library/hh849818.aspx ConvertTo-SecureString .. Parameters -AsPlainText Specifies a plain text string to convert to a secure string. The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner. To use this parameter, you must also specify the Force parameter. -Force Confirms that you understand the implications of using the AsPlainText parameter and still want to use it. ... QUESTION 18 Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2. Your company's corporate security policy states that the password for each user account must be changed at least every 45 days. You have a user account named Service1. Service1 is used by a network application named Application1. Every 45 days, Application1 fails. After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy. What should you do? A. B. C. D.

Run the cmdlet. Run the Set-ADServiceAccount cmdlet. Create a new password policy. Create a new Password Settings object (PSO).

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/ee617252.aspx Set-ADServiceAccount

Syntax Set-ADServiceAccount [-Identity] [-AccountExpirationDate ] [-AccountNotDelegated ] [-Add ] [-Certificates ] [-Clear ] [-Description ] [-DisplayName ] [-Enabled ] [HomePage ] [-Remove ] [-Replace ] [-SamAccountName ] [ServicePrincipalNames ] [-TrustedForDelegation ] [-AuthType { | }] [-Credential ] [-Partition ] [-PassThru ] [-Server ] [-Confirm] [-WhatIf] [] Detailed Description The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. The Identity parameter specifies the Active Directory service account to modify. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet. The Instance parameter provides a way to update a service account object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object. To get a copy of the object to modify, use the Get-ADServiceAccount object. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description. QUESTION 19 Your network contains an Active Directory forest. You add an additional user principal name (UPN) suffix to the forest. You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount of administrative effort. What should you use? A. B. C. D.

the Active Directory Domains and Trusts console the Active Directory Users and Computers console the Csvde tool the Ldifde tool

Correct Answer: A Section: (none) Explanation Explanation/Reference: !*** Old answer: the Ldifde tool http://technet.microsoft.com/en-us/library/cc772007.aspx Add User Principal Name Suffixes You can use Active Directory Domains and Trusts to add user principal name (UPN) suffixes for the existing user account. The default UPN suffix for a user account is the Domain Name System (DNS) domain name of

the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. The UPN suffix is used only within the Active Directory forest, and it is not required to be a valid DNS domain name. To add UPN suffixes 1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start , click Administrative Tools and then click Active Directory Domains and Trusts . 2. In the console tree, right-click Active Directory Domains and Trusts and then click Properties . 3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add . 4. Repeat step 3 to add additional alternative UPN suffixes. Additional considerations .. You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. Community Additions Sample AD PowerShell command to update UPNs in bulk: Get-ADUser-Filter * -properties homemdb | where {$_.homemdb -ne $null} | ForEach-Object ($_.SamAccountName) {$CompleteUPN = $_.SamAccountName + "@contoso.com"; Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $CompleteUPN} The above script: Gets all users with something in their homemdb attribute (i.e. mailbox users) Creates a temporary variable called $completeUPN which is a combination of every user’s samaccountname plus @contoso.com Sets each user to this new upn QUESTION 20 Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2). You need to prevent all users from running an application named App1.exe. Which Group Policy settings should you configure? A. B. C. D.

Application Compatibility AppLocker Software Installation Software Restriction Policies

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://gpfaq.se/2007/09/30/how-to-using-software-restriction-policies/ How-to: Using Software Restriction Policies Using SRP is not that common today and what I will write here is a small how-to so that you can start trying it today and maybe even sometime soon apply it in your production environment.

First thing to notice is that SRP is a very powerful tool so try in a test-environment before you apply it to users in production. First you need to choose your default level which you do at Security Levels:

Default when you start using this, the default level is “Unrestricted” which allows all programs to run. Which means you can use SRP to block specific programs but the power is that you can change this so “Disallowed” is the default level which means you specify which programs you can run (all others are blocked) instead of

blocking specific programs. So to start with change so “Disallowed” is default. Double-click on “Disallowed” and press the button “Set as Default”

This means that all clients affected by this policy now would be able to run anything except what you define as exclusions which you do at “Additional rules”:

As you can see in the above picture you have two default values already included. These two values are registry paths which makes all programs defined in these two registry paths to unrestricted which of course makes them available to run even if you selected “Disallowed” as your default choice in the above selection at “Security Levels”. There are four different choices on how to enable/disable programs to run: Hash-rule Path-rule Network zone-rule Certificate-rule The normal ones to use is HASH or PATH. HASH is always something you should prefer to use since if the user tries to run a program it looks at the hash-value and evaluates if you can run the program or not. Sometimes when you have different versions of a program for example it might be a problem to use HASH, then you use PATH instead. Also if you don’t have the program installed in the same location on each computer but you know somewhere in the registry where it types the path to the program you can use PATH and use the registry location instead. I will show you the two ways of allowing Windows Live Messenger to run Hash:

As what you can see above is that it takes the values from the executable and stores the hash-value of the file. When someone tries to run the program the system evaluates this hash-value and compare it with the one you defined and then selecting if you can run the program or not. Path:

As you can see above is that you need to select the path to the executable. This path needs to be same on each computer you would like to use this on but of course you can use environment variables as I have done in the above picture. You could also use a registry location if you did know where the path to the program where stored. You can of course also use this to block programs instead of allowing them. This is not really the preferred method on how to use SRP but fully functional. On my computer I have “Unrestricted” as my default and I added an application on my desktop named radio.exe as “Disallowed”

So the result if I’m trying to run the file is:

As conclusion you can see that this is a powerful way of giving your users minimal rights in the system with the result that your users will have a large problem messing up the computer :) This only covers some parts of SRP. For example local administrators also get these rules but that you can exclude in the “Enforcement” choice and also dll-files are excluded by default but you can change that too. Make sure to try this in a safe environment before applying it to production as you might get a big headache if you have made some wrong turns in setting this up. :) QUESTION 21 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista. You need to ensure that all client computers can apply Group Policy preferences.

What should you do? A. B. C. D.

Upgrade all Windows XP client computers to Windows 7. Create a central store that contains the Group Policy ADMX files. Install the Group Policy client-side extensions (CSEs) on all client computers. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://www.microsoft.com/en-us/download/details.aspx?id=3628 Group Policy Preference Client Side Extensions for Windows XP (KB943729) Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). Group Policy Preferences enable information technology professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. After you install this update, your computer will be able to process the new Group Policy Preference extensions. http://www.petenetlive.com/KB/Article/0000389.htm Server 2008 Group Policy Preferences and Client Side Extensions Problem Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2, To be able to apply them to older Windows clients, you need to install the "Client side Extensions" (CSE), You can either script this, deploy with a group policy, or if you have WSUS you can send out the update that way.

Solution You may not have noticed, but if you edit or create a group policy in Server 2008 now, you will see there is a "Preferences" branch. Most IT Pro's will have seen the addition of the "Policies" folder some time ago because it adds an extra level to get to the policies that were there before :)

OK Cool! What can you do with them? 1. Computer Preferences: Windows Settings Environment: Lets you control, and send out Environment variables via Group Policy. Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section). Folder: As above, but for folders. Ini Files: Allows you to Create, Replace, Update or Delete an ini file. Registry: Allows you to Create, Replace, Update or Delete a Registry value, You can either manually type in the reference use a Wizard, or extract the key(s) values you want to send them out via group policy. Network Shares: Allow you to Create, Replace, Update, or Delete shares on clients via group policy. Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy. 2. Computer Preferences: Control Panel Settings Data Sources: Allows you to Create, Replace, Update, or Delete, Data Sources and ODBC settings via group policy. (Note: there's a bug if your using SQL authentication see here). Devices: Lets you enable and disable hardware devices by type and class, to be honest it's a little "clunky". Folder Options: Allows you to set "File Associations" and set the default programs that will open particular file extensions. Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrators passwords via group policy. Network Options: Lets you send out VPN and dial up connection settings to your clients, handy if you use PPTP Windows Server VPN's. Power Options: With XP these are Power Options and Power Schemes, With Vista and later OS's they are Power Plans. This is much needed, I've seen many "Is there a group policy for power options?" or disabling hibernation questions in forums. And you can use the options Tab, to target particular machine types (i.e. only apply if there is a battery present). Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to have the accounts printer. Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could be handy to deploy a patch or some virus/malware removal process.

Service: Essentially anything you can do in the services snap in you can push out through group policy, set services to disables or change the logon credentials used for a service. In addition you can set the recovery option should a service fail. 3. User Configuration: Windows Settings Applications: Answers on a Postcard? I can't work out what these are for! Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis. Environment: As above lets you control and send out Environment variables via Group Policy, but on a user basis. Files: As above. allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis. Folders: As above, but for folders on a user by user basis. Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis. Registry: As above, allows you to Create, Replace, Update or Delete a Registry value, You can either manually type in the reference use a Wizard, or extract the key(s) values you want to send out via group policy, this time for users not computers. Shortcuts: As Above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users. 4. User Configuration: Control Panel Settings All of the following options are covered above on "Computer Configuration" Data Sources Devices Folder Options Local Users and Groups Network Options Power Options Printers Scheduled Tasks Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis. Regional Options: Designed so you can change a users Locale, handy if you have one user who wants an American keyboard. Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu > Customise, only set user by user. References: http://technet.microsoft.com/en-us/library/dd367850%28WS.10%29.aspx Group Policy Preferences QUESTION 22 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2). You need to audit user access to the administrative shares on the client computers. What should you do? A. B. C. D.

Deploy a logon script that runs Icacls.exe. Deploy a logon script that runs Auditpol.exe. From the Default Domain Policy, modify the Advanced Audit Policy Configuration. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Reference: http://support.microsoft.com/kb/921469 Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain. Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want. QUESTION 23 Your network contains an Active Directory domain named contoso.com. You need to create a central store for the Group Policy Administrative templates. What should you do? A. Run dfsrmig.exe /createglobalobjects. B. Run adprep.exe /domainprep /gpprep. C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder. D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com \Policies folder. Correct Answer: C Section: (none) Explanation Explanation/Reference: http://www.vmadmin.co.uk/microsoft/43-winserver2008/220-svr08admxcentralstore Creating an ADMX central store for group policies To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder. The Central Store is a location that is checked by GPMC. The GPMC will use .admx files that are in the Central Store. The files that are in the Central Store are replicated to all domain controllers in the domain. First on a domain controller (Windows Server 2008/2008 R2) the ADMX policy definitions and language template files in %SYSTEMROOT%\PolicyDefinitions need copying to %SYSTEMROOT%\SYSVOL\domain \Policies\PolicyDefinitions. Run the following command to copy the entire folder contents to SYSVOL. This will then replicate to all domain controllers (the default ADMX policies and EN-US language templates (ADML) are about 6.5 MB in total). xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies \PolicyDefinitions\"

Next ensure you have remote server administration tools (RSAT) installed on your client computer you are using to edit the GPO's. This will need to be Windows Vista or Windows 7. For Windows Vista enable the RSAT feature (GPMC). For Windows 7 download and install RSAT then enable the RSAT feature (GPMC). When editing a GPO in the GMPC you will find that the Administrative Templates show as "Policy Definitions (ADMX files) retrieved from the central store". This confirms it is working as expected.

Further information: http://support.microsoft.com/kb/929841/en-us How to create the Central Store for Group Policy Administrative Template files in Windows Vista http://msdn.microsoft.com/en-us/library/bb530196.aspx Managing Group Policy ADMX Files Step-by-Step Guide http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspx Scenario 2: Editing Domain-Based GPOs Using ADMX Files

QUESTION 24 You configure and deploy a Group Policy object (GPO) that contains AppLocker settings. You need to identify whether a specific application file is allowed to run on a computer. Which Windows PowerShell cmdlet should you use? A. B. C. D.

Get-AppLockerFileInformation Get-GPOReport Get-GPPermissions Test-AppLockerPolicy

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/ee460960.aspx Test-AppLockerPolicy Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy. QUESTION 25 You create a Password Settings object (PSO). You need to apply the PSO to a domain user named User1. What should you do? A. B. C. D.

Modify the properties of the PSO. Modify the account options of the User1 account. Modify the security settings of the User1 account. Modify the password policy of the Default Domain Policy Group Policy object (GPO).

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policywalkthrough.aspx Windows Server 2008 - Fine Grained Password Policy Walkthrough ... 1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers). 2. On the View menu, ensure that Advanced Features is checked. 3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container 4. In the details pane, right-click the PSO, and then click Properties. 5. Click the Attribute Editor tab. 6. Select the msDS-PsoAppliesTo attribute, and then click Edit. ..

If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/ Optional. Also, clear the Show only attributes that have values check box. 7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK. To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.

Voila! Hit "OK" a couple of times, and your users/groups now have a custom password policy assigned to them. No longer do you have to have separate domains for your developers and standard users. Good times :) QUESTION 26 You need to create a Password Settings object (PSO). Which tool should you use? A. B. C. D.

Active Directory Users and Computers ADSI Edit Group Policy Management Console Ntdsutil

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc754461.aspx You can create Password Settings objects (PSOs):

using the Active Directory module for Windows PowerShell using ADSI Edit using ldifde QUESTION 27 Your network contains an Active Directory domain. All servers run Windows Server 2008 R2. You need to audit the deletion of registry keys on each server. What should you do? A. B. C. D.

From Audit Policy, modify the Object Access settings and the Process Tracking settings. From Audit Policy, modify the System Events settings and the Privilege Use settings. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd408940.aspx Advanced Security Audit Policy Step-by-Step Guide A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry. QUESTION 28 Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. You need to enable the Active Directory Recycle Bin. What should you use? A. B. C. D.

the Dsmod tool the Enable-ADOptionalFeature cmdlet the Ntdsutil tool the Set-ADDomainMode cmdlet

Correct Answer: B Section: (none) Explanation Explanation/Reference: Similar question to question L/Q5. Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx Enabling Active Directory Recycle Bin After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.) Ldp.exe QUESTION 29 Your network contains a single Active Directory domain. You need to create an Active Directory Domain Services snapshot. What should you do? A. B. C. D.

Use the Ldp tool. Use the NTDSUtil tool. Use the Wbadmin tool. From Windows Server Backup, perform a full backup.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc753609.aspx To create an AD DS or AD LDS snapshot 1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group. 2. Click Start, right-click Command Prompt, and then click Run as administrator. 3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil 5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot 6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds 7. At the snapshot prompt, type the following command, and then press ENTER: create QUESTION 30 Your network contains a single Active Directory domain. A domain controller named DC2 fails. You need to remove DC2 from Active Directory. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

At the command prompt, run dcdiag.exe /fix. At the command prompt, run netdom.exe remove dc2. From Active Directory Sites and Services, delete DC2. From Active Directory Users and Computers, delete DC2.

Correct Answer: CD Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816907.aspx

Clean Up Server Metadata Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Clean up server metadata by using GUI tools Clean up server metadata by using Active Directory Users and Computers 1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. 2. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers. 3. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete. Clean up server metadata by using Active Directory Sites and Services 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services 2. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete. QUESTION 31 Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2. You need to ensure that you can enable the Active Directory Recycle Bin. What should you do? A. B. C. D.

Change the functional level of the forest. Change the functional level of the domain. Modify the Active Directory schema. Modify the Universal Group Membership Caching settings.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd392261.aspx Active Directory Recycle Bin Step-by-Step Guide By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2. QUESTION 32 Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2. You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings.

What should you do? A. B. C. D.

Run dcgpofix.exe /target:dc. Run dcgpofix.exe /target:domain. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/hh875588.aspx Dcgpofix Recreates the default Group Policy Objects (GPOs) for a domain. Syntax DCGPOFix [/ignoreschema] [/target: {Domain | DC | Both}] [/?] /ignoreschema Ignores the version of the Active Directory® schema when you run this command. Otherwise, the command only works on the same schema version as the Windows version in which the command was shipped. /target {Domain | DC | Both} Specifies which GPO to restore. You can restore the Default Domain Policy GPO, the Default Domain Controllers GPO, or both. Examples Restore the Default Domain Controllers Policy GPO to its original state. You will lose any changes that you have made to this GPO. dcgpofix /ignoreschema /target:DC QUESTION 33 Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controller named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while he is logged on to DC1. You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort. What should you do? A. On DC1, run the Restore-ADObject cmdlet. B. On DC3, run the Restore-ADObject cmdlet. C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services. D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active

Directory Domain Services. Correct Answer: D Section: (none) Explanation Explanation/Reference: Practically the same question as J/Q2 and K/Q28. We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See http://technet.microsoft.com/nl-nl/library/dd379481.aspx Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DC's. Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers. Reference 2: http://technet.microsoft.com/en-us/library/cc755296.aspx Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete. QUESTION 34 Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. You perform a full backup of the domain controllers every night by using Windows Server Backup. You update a script in the SYSVOL folder. You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script. What should you do first? A. B. C. D.

Run the Restore-ADObject cmdlet. Restore the system state to its original location. Restore the system state to an alternate location. Attach the VHD file created by Windows Server Backup.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx Active Directory Backup and Restore in Windows Server 2008

NTBACKUP vs. Windows Server Backup .. As an added bonus, Windows Server Backup stores its backup images in Microsoft® Virtual Hard Disk (VHD) format. You can actually take a backup image and mount it as a volume in a virtual machine running under Microsoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for a particular file rather than having to perform test restores of tapes to see which one has the file is on it. (A note of caution: you can't take a backup image and boot a virtual machine from it. Since the backed-up hardware configuration doesn't correspond to the virtual machine's configuration, you can't use Windows Server Backup as a physical-to-virtual migration tool.) ... QUESTION 35 Your network contains an Active Directory domain. You need to restore a deleted computer account from the Active Directory Recycle Bin. What should you do? A. B. C. D.

From From From From

the command prompt, run recover.exe. the command prompt, run ntdsutil.exe. the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet. the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx Step 2: Restore a Deleted Active Directory Object Applies To: Windows Server 2008 R2 This step provides instructions for completing the following tasks with Active Directory Recycle Bin: Displaying the Deleted Objects container Restoring a deleted Active Directory object using Ldp.exe Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets Restoring multiple, deleted Active Directory objects ... To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets 1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator. 2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER: Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER: Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-object-from-the-active-directory-recycle-bin-usingad-powershell.aspx Restoring object from the Active Directory Recycle Bin using AD Powershell QUESTION 36 You need to back up all of the group policies in a domain.

The solution must minimize the size of the backup. What should you use? A. B. C. D.

the Add-WBSystemState cmdlet the Group Policy Management console the Wbadmin tool the Windows Server Backup feature

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc770536.aspx To back up a Group Policy object 1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up. 2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All. QUESTION 37 You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2. You need to ensure that you can recover the private key of a certificate issued to a Web server. What should you do? A. B. C. D.

From From From From

the CA, run the Get-PfxCertificate cmdlet. the Web server, run the Get-PfxCertificate cmdlet. the CA, run the certutil.exe tool and specify the -exportpfx parameter. the Web server, run the certutil.exe tool and specify the -exportpfx parameter.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspx Manual Key Archival Manual key archival can be used in the following common scenarios that are not supported by automatic key archival: Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft® Office Outlook. Certificates issued by CAs that do not support key archival. Certificates installed on the Microsoft Windows® 2000 and Windows Millennium Edition operating systems. This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database: Certutil.exe Certificates snap-in Microsoft Office Outlook ..

To export private keys by using Certutil.exe 1. Open a Command Prompt window. 2. Type the Certutil.exe –exportpfx command using the command-line options described in the following table. Certutil.exe [-p ] –exportpfx

QUESTION 38 Your company has a main office and a branch office. The network contains a single Active Directory domain. The main office contains a domain controller named DC1. You need to install a domain controller in the branch office by using an offline copy of the Active Directory database. What should you do first? A. B. C. D.

From From From From

the Ntdsutil tool, create an IFM media set. the command prompt, run djoin.exe /loadfile. Windows Server Backup, perform a system state backup. Windows PowerShell, run the get-ADDomainController cmdlet.

Correct Answer: A Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspx Installing an Additional Domain Controller by Using IFM When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create

installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation. ... QUESTION 39 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All client computers run Windows 7. You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline domain join of Server1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D. E.

From Server1, run djoin.exe. From Server1, run netdom.exe. From a Windows 7 computer, run djoin.exe. Upgrade one domain controller to Windows Server 2008 R2. Raise the functional level of the domain to Windows Server 2008.

Correct Answer: AC Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. QUESTION 40 You have an Active Directory snapshot. You need to view the contents of the organizational units (OUs) in the snapshot. Which tools should you run?

A. B. C. D.

explorer.exe, netdom.exe, and dsa.msc ntdsutil.exe, dsamain.exe, and dsa.msc wbadmin.msc, dsamain.exe, and netdom.exe wbadmin.msc, ntdsutil.exe, and explorer.exe

Correct Answer: B Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc731620%28v=ws.10%29.aspx snapshot Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server. In the command-line tool Ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, but you must use Dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server. ... http://technet.microsoft.com/en-us/library/cc757197%28v=ws.10%29.aspx Managing Active Directory from MMC .. Starting Active Directory MMC consoles from the command-line Active Directory MMC consoles, including Active Directory Users and Computers (dsa.msc), Active Directory Domains and Trusts (domain.msc) and Active Directory Sites and Services (dssite.msc), provide command-line options that allow you to start a console focused on a particular domain or domain controller. The commandline options support both fully qualified domain names and NetBIOS names. QUESTION 41 Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller: dsamain.exe dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport 389 allowNonAdminAccess The command fails. You need to ensure that the command completes successfully. How should you modify the command? A. B. C. D.

Include the path to Dsamain. Change the value of the -dbpath parameter. Change the value of the -ldapport parameter. Remove the allowNonAdminAccess

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 690

Use the AD DS database mounting tool to load the snapshot as an LDAP server. dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport portnumber Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS. Also note that you can use the minus (–) sign or the slash (/) for the options in the command. QUESTION 42 Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed. You need to move the Active Directory database on DC1 to an alternate location. The solution must minimize impact on the network during the database move. What should you do first? A. B. C. D.

Restart DC1 in Safe Mode. Restart DC1 in Directory Services Restore Mode. Start DC1 from Windows PE. Stop the Active Directory Domain Services service on DC1.

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc794895%28v=ws.10%29.aspx Relocating the Active Directory Database Files Applies To: Windows Server 2008, Windows Server 2008 R2 Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running versions of Windows 2000 Server and Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service. QUESTION 43 Your company has a main office and a branch office. The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server. You remove the global catalog from DC5. You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impact on all users in the branch office. What should you do first? A. Start DC5 in Safe Mode.

B. Start DC5 in Directory Services Restore Mode. C. On DC5, start the Protected Storage service. D. On DC5, stop the Active Directory Domain Services service. Correct Answer: D Section: (none) Explanation Explanation/Reference: http://allcomputers.us/windows_server/windows-server-2008-r2---manage-the-active-directory-database-% 28part-2%29---defragment-the-directory-database---audit-active-directory-service.aspx Windows Server 2008 R2 : Manage the Active Directory Database (part 2) - Defragment the Directory Database & Audit Active Directory Service 3. Defragment the Directory Database A directory database gets fragmented as you add, change, and delete objects to your database. Like any file system–based storage, as the directory database is changed and updated, fragments of disk space will build up so it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directory performs an online defragmentation of the directory database every 12 hours with the garbage collection process, an automated directory database cleanup, and IT pros should be familiar with it. However, online defragmentation does not decrease the size of the NTDS.DIT database file. Instead, it shuffles the data around for easier access. Depending on how much fragmentation you actually have in the database, running an offline defragmentation—which does decrease the size of the database—could have a significant effect on the overall size of your NTDS.DIT database file. There is a little problem associated with defragmenting databases. They have to be taken offline in order to have the fragments removed and the database resized. In Windows Server 2008 R2, there is a great feature that allows you to take the database offline without shutting down the server. It's called Restartable Active Directory, and it could not be much easier to stop and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service. 1. Start the Services tool from the Control Panel. 2. Right-click Active Directory Domain Services, and select Stop.

Figure 4. You can use the Services tool to stop and restart Active Directory. That's it! Now when you stop Active Directory Domain Services, any other dependent services will also be stopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network. The really cool thing about Restartable AD is that while the directory services and its dependent services are stopped, other services on the local machine are not. So, perhaps you have a shared printer running on your DC. Print services still run, and print operations do not stop. Nice! 3.1. Offline Directory Defragmentation Now that you have stopped Active Directory services, it is time to get down to the business of offline defragmentation of the directory database: 1. Back up the database. 2. Open a command prompt, and type NTDSUTIL. 3. Type ACTIVATE INSTANCE NTDS. 4. Type FILES, and press Enter. 5. Type INFO, and press Enter. This will tell you the current location of the directory database, its size, and the size of the associated log files. Write all this down. 6. Make a folder location that has enough drive space for the directory to be stored. 7. Type COMPACT TO DRIVE:\DIRECTORY, and press Enter. The drive and directory are the locations you set up in step 5. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\database defrag". A new defragmented and compacted NTDS.DIT is created in the folder you specified. 8. Type QUIT, and press Enter. 9. Type QUIT again, and press Enter to return to the command prompt. 10. If defragmentation succeeds without errors, follow the NTDSUTIL prompts. 11. Delete all log files by typing DEL x:\pathtologfiles\*.log where x is the drive letter of your drive. 12. Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 4. 13. Close the command prompt. 14. Open the Services tool, and start Active Directory Domain Services. Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size of your database depending on how long it has been since your last offline defrag. The hard thing about offline

defrag is that every network is different, so making recommendations about how often to use the offline defrag process is somewhat spurious. I recommend you get to know your directory database. Monitor its size and growth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and you will find yourself using offline defragmentation on a frequency that works well for your network and your directory database. One of the cool things about offline defragmentation is that if you should happen to have an error occur during the defragmentation process, you still have your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues. QUESTION 44 Your network contains a domain controller that runs Windows Server 2008 R2. You need to change the location of the Active Directory log files. Which tool should you use? A. B. C. D.

Dsamain Dsmgmt Dsmove Ntdsutil

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://support.microsoft.com/kb/257420 How To Move the Ntds.dit File or Log Files Moving a Database or Log File 1. 2. 3. 4. 5. 6.

7. 8. 9.

Restart the domain controller. Press F8 at the Startup menu, and then click Directory Services Restore Mode. Select the appropriate installation if more than one exists, and then log on as an administrator at the logon prompt. Start a command prompt, and then type ntdsutil.exe.NOTE: To get a list of commands that you can use at the Ntdsutil prompt, type ?. At a Ntdsutil prompt, type files. At the File Maintenance prompt, use one or both of the following procedures: * To move a database, type move db to %s, where %s is the drive and folder where you want the database moved. * To move log files, type move logs to %s, where %s is the drive and folder where you want the log files moved. To view the log files or database, type info. To verify the integrity of the database at its new location, type integrity. Type quit, and then type quit to return to a command prompt. Restart the computer in Normal mode.

NOTE: When you move the database and log files, you must back up the domain controller. QUESTION 45 Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network. You need to ensure that the new server is already joined to the domain when it first connects to the internal network.

What should you do? A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter. B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter. C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter. D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. Reference 2: http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx Steps for performing an offline domain join The offline domain join process includes the following steps: 1. Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join. 2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer. 3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify. QUESTION 46 Your network contains an Active Directory domain. The domain contains four domain controllers. You modify the Active Directory schema. You need to verify that all the domain controllers received the schema modification.

Which command should you run? A. B. C. D.

dcdiag.exe /a netdom.exe query fsmo repadmin.exe /showrepl * sc.exe query ntds

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx Getting Over Replmon Status Checking Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool. Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report: Repadmin /replsummary *

Several DCs have been taken offline. Repadmin shows the correct error of 58 – that the other DCs are not available and cannot tell you their status. You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating: Repadmin /showrepl *

... QUESTION 47 You remotely monitor several domain controllers. You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query to retrieve information from the bios of each domain controller. Which format should you use to write the query? A. B. C. D.

XrML XML WQL HTML

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606%28v=vs.85%29.aspx WQL (SQL for WMI) The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL)—with minor semantic changes. QUESTION 48 Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.

You add a logoff script to an existing Group Policy object (GPO). You need to verify that each domain controller successfully replicates the updated group policy. Which two objects should you verify on each domain controller? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

\\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container

Correct Answer: AD Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc784268%28v=ws.10%29.aspx How Core Group Policy Works ... The Gpt.ini File The Gpt.ini file is located at the root of each Group Policy template. Each Gpt.ini file contains GPO version information. Except for the Gpt.ini files created for the default GPOs, a display name value is also written to the file. Each Gpt.ini file contains the GPO version number of the Group Policy template. [General] Version=65539 Normally, this is identical to the version-number property of the corresponding GroupPolicyContainer object. It is encoded in the same way — as a decimal representation of a 4 byte hexadecimal number, the upper two bytes of which contain the GPO user settings version and the lower two bytes contain the computer settings version. In this example the version is equal to 10003 hexadecimal giving a user settings version of 1 and a computer settings version of 3. Storing this version number in the Gpt.ini allows the CSEs to check if the client is out of date to the last processing of policy settings or if the currently applied policy settings (cached policies) are up-to-date. If the cached version is different from the version in the Group Policy template or Group Policy container, then policy settings will be reprocessed. QUESTION 49 Your network contains an Active Directory domain that contains five domain controllers. You have a management computer that runs Windows 7. From the Windows 7 computer, you need to view all account logon failures that occur in the domain. The information must be consolidated on one list. Which command should you run on each domain controller? A. B. C. D.

Wecutil.exe qc Wevtutil.exe gli Winrm.exe quickconfig Winrshost.exe

Correct Answer: C

Section: (none) Explanation Explanation/Reference: http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote-management-troubleshooting.aspx WinRM (Windows Remote Management) Troubleshooting What is WinRM? New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM & WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service. WinRM is the “server” component of this remote management application and WinRS (Windows Remote Shell) is the “client” for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, I should note that BOTH computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system. .. How to install WinRM The WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on the same computer, you may see messages that indicate WinRM cannot be loaded before Interent Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered. (Stated simply: WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008) · The WinRM service starts automatically on Windows Server 2008. · On Windows Vista, the service must be started manually. How to configure WinRM To set the default configuration type: winrm quickconfig (or the abbreviated version, winrm qc) ‘winrm qc’ performs the following operations: 1. Starts the WinRM service and sets the service startup type to auto-start. 2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address. 3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS. (Note: Winrm quickconfig also configures Winrs default settings) ... QUESTION 50 You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains five domain controllers. You need to monitor the replication of the group policy template files. Which tool should you use? A. B. C. D.

Dfsrdiag Fsutil Ntdsutil Ntfrsutl

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Personal comment: For lack of a better answer, Dfsrdiag seems to be the answer. Explanation: http://www.windowsnetworking.com/articles-tutorials/common/Understanding-Group-Policy-Replication.html Understanding Group Policy Replication Group Policy replication is controlled by two different replication mechanisms: FRS and Active Directory replication. We will take a look at both mthods within this article. As Group Policy becomes more important for managing desktops and servers in Active Directory, it makes sense that the details around Group Policy need to be understood more completely. There are many moving parts to Group Policy, including client side extensions, ADM/ADMX files, GPC, GPT, and much more. When a change occurs to a Group Policy object (GPO), that change only occurs on one domain controller. Thus, the change to the GPO must be replicated to all of the other domain controllers. This replication affects multiple replication mechanisms and can cause odd effects if not completed properly. This article will discuss the replication of Group Policy and what you can do to verify that all replication has occurred. .. Replication of the Group Policy Template The portion of the GPO that stores the settings into one or more files is the Group Policy Template (GPT). This portion of the GPO and the related files are stored on domain controllers under the Sysvol. The default path for these files is c:\Windows\Sysvol\Sysvol\\Policies, as shown in Figure 3.

Figure 3: All GPOs store settings in files under the Sysvol on domain controllers. The Sysvol on domain controllers is used to deliver Group Policy settings and logon scripts to clients at logon. Since Sysvol is used for authentication of users and computers, it must be up to date on all domain controllers. When any information is changed under the Sysvol on one domain controller, it triggers replication of the Sysvol to all other domain controllers. The Sysvol is replicated using the File Replication System (FRS). FRS does not have a schedule associated with it. FRS uses state-based replication instead. This means that as soon as there is a change to any file under the Sysvol folder structure, replication is triggered. This creates a very efficient and fast replication model for the GPT. As a side note, FRS replication does not adhere to any site boundaries. Thus, replication will converge to all of

the domain controllers within only a few minutes, even to those domain controllers in remote locations. Note: Windows Server 2008 can use FRS or DFS-R to replicate the contents of the Sysvol. ... Verifying GPO Replication The easiest tool to use to verify that both the GPC and GPT have replicated is GPOTool. This tool is free and very easy to use. It comes with the operating system and can be run from a command prompt. Just type gpotool /verbose from the command prompt, like you see in Figure 7.

Figure 7: GPOTool provides information on the convergence of both parts of the GPO. The results of running this command will display the GPT and GPC version numbers for each GPO on the listed domain controller. If a portion of the GPO has not replicated to the domain controller that you are authenticating to, there is a chance that the new settings in the GPO will not apply. Thus, if you know a GPO has been changed, yet the settings are not being delivered, it is a good idea to verify that the GPO has replicated to the domain controller that you are authenticating too. http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx ‘Dfsrdiag.exe ReplicationState’: What’s DFSR up to? .. This command line switch can be executed against servers running Windows Server 2008 R2 only. The output of this command line switch consists of a list of updates that are currently being serviced by the replication service on all inbound and outbound replication connections. Since this command line switch provides a point in time snapshot of replication activity on a server, it is possible to see whether replication is making any progress by comparing the output of this command obtained at different points in time. ..

Monitoring replication on the branch office server n order to monitor the current replication state of the DFS replication service on these servers, the command ‘dfsrdiag.exe ReplicationState’ can be used. The /member (or /mem) option can be used along with the ‘ReplicationState’ command line switch to specify the server against which this command should be run. In this example, I’ve dumped a few files from the ‘Windows\System32’ directory into the replicated folder. dfsrdiag ReplicationState /member:CONTOSO-BRANCH

... Older information: It's hard to find some info on this. Reference: http://www.examcollection.com/microsoft/Microsoft.Dump4Certs.70-640.v2011-0321.by.Scrooge.293q.vce.file.html [Slightly edited to make it more readable:] By Cezar ( Apr 04 2011): With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level 2003. With domain functional level 2003 you can only use Ntfrsutl.

Exam F QUESTION 1 You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2. You need to monitor the replication of the group policy template files. Which tool should you use? A. B. C. D.

Dfsrdiag Fsutil Ntdsutil Ntfrsutl

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://www.windowsnetworking.com/articles-tutorials/common/Understanding-Group-Policy-Replication.html Understanding Group Policy Replication Replication of the Group Policy Template The portion of the GPO that stores the settings into one or more files is the Group Policy Template (GPT). This portion of the GPO and the related files are stored on domain controllers under the Sysvol. The default path for these files is c:\Windows\Sysvol\Sysvol\\Policies, as shown in Figure 3.

The Sysvol on domain controllers is used to deliver Group Policy settings and logon scripts to clients at logon. Since Sysvol is used for authentication of users and computers, it must be up to date on all domain controllers. When any information is changed under the Sysvol on one domain controller, it triggers replication of the Sysvol to all other domain controllers. The Sysvol is replicated using the File Replication System (FRS). FRS does not have a schedule

associated with it. FRS uses state-based replication instead. This means that as soon as there is a change to any file under the Sysvol folder structure, replication is triggered. This creates a very efficient and fast replication model for the GPT. As a side note, FRS replication does not adhere to any site boundaries. Thus, replication will converge to all of the domain controllers within only a few minutes, even to those domain controllers in remote locations. Note: Windows Server 2008 can use FRS or DFS-R to replicate the contents of the Sysvol. http://technet.microsoft.com/en-us/library/cc962211.aspx Ntfrsutl Tool You can use the Ntfrsutl tool to do the following: Show the ID table, inbound log, or outbound log for a computer hosting FRS. Examine memory usage by FRS. Show the FRS configuration in Active Directory. List the active replica sets in a domain. List the application programming interface (API) and version number for FRS. Poll immediately, quickly, or slowly for changes to the FRS configuration. The syntax for Ntfrsutl is shown in Figure 18.7:

http://opportunizm.ru/LiB0070.shtml NTFRSutl.exe (RK)

.. Note: NTFRSutl has been included in the Windows 2000 Service Resource Kit. Some Beta versions of Windows .NET server family have also comprised this tool. .. ntfrsutl ds and ntfrsutl sets — these commands display the FRS configuration (replication partners, file filters, schedules, etc.). This information can be partially viewed in the Active Directory Users and Computers snap-in (see the File Replication Service node in the System container, and the objects of FRS Sub-scriptions type, which every domain controller has). .. http://technet.microsoft.com/en-us/library/cc732006%28v=ws.10%29.aspx DFS Management Applies To: Windows Server 2008 .. DfsrDiag Performs diagnostic tests of DFS Replication. Old info: It's hard to find some info on this. Reference: http://www.examcollection.com/microsoft/Microsoft.Dump4Certs.70-640.v2011-0321.by.Scrooge.293q.vce.file.html [Slightly edited to make it more readable:] By Cezar ( Apr 04 2011): With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level 2003. With domain functional level 2003 you can only use Ntfrsutl. QUESTION 2 You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine the size of the Active Directory database on Server1. What should you do? A. B. C. D.

Run the Active Directory Sizer tool. Run the Active Directory Diagnostics data collector set. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc961761.aspx Directory Data Store Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separate locations on a given domain controller:

%SystemRoot%\NTDS\Ntds.dit This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). %SystemRoot%\System32\Ntds.dit This file is the distribution copy of the default directory that is used when you promote a Windows 2000 – based computer to a domain controller. The availability of this file allows you to run the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000 Server operating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers. QUESTION 3 You need to receive an e-mail message whenever a domain user account is locked out. Which tool should you use? A. B. C. D.

Active Directory Administrative Center Event Viewer Resource Monitor Security Configuration Wizard

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 525 Automatically Responding to Events One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways: Start A Program - Launches an application. Often, administrators write a script that carries out a series of tasks that they would otherwise need to manually perform, and automatically run that script when an event appears. Send An E-mail - Sends an email by using the Simple Mail Transport Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device. Display A Message - Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer. To trigger a task when an event occurs, follow one of these three procedures: Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process. (...) QUESTION 4 Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7. You need to forward the logon events of all the domain controllers in contoso.com to Computer1. All new domain controllers must be dynamically added to the subscription. What should you do? A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node. B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked

to the Domain Controllers organizational unit (OU), configure the Event Forwarding node. C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU). D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU). Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx Setting up a Source Initiated Subscription Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription. QUESTION 5 Your network contains an Active Directory domain that has two sites. You need to identify whether logon scripts are replicated to all domain controllers. Which folder should you verify? A. B. C. D.

GroupPolicy NTDS SoftwareDistribution SYSVOL

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc794837.aspx SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). QUESTION 6 You install a standalone root certification authority (CA) on a server named Server1. You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted Root Certification Authorities store. Which command should you run on Server1? A. B. C. D.

certreq.exe and specify the -accept parameter certreq.exe and specify the -retrieve parameter certutil.exe and specify the -dspublish parameter certutil.exe and specify the -importcert parameter

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc732443.aspx Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. Syntax Certutil [-parameter] Parameter -dsPublish Publish a certificate or certificate revocation list (CRL) to Active Directory QUESTION 7 Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA). On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled. You need to install an enterprise subordinate CA on the server. What should you use to log on to the new server? A. B. C. D.

an account that is a member of the Certificate Publishers group in the child domain an account that is a member of the Certificate Publishers group in the forest root domain an account that is a member of the Schema Admins group in the forest root domain an account that is a member of the Enterprise Admins group in the forest root domain

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506568ddb21d46b In order to install Enterprise CA you MUST have Enterprise Admins permissions, because Configuration naming context is replicated between domain controllers in the forest (not only current domain) and are writable for Enterprise Admins (domain admins permissions are insufficient). QUESTION 8 You have an enterprise subordinate certification authority (CA). You have a group named Group1. You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates. What should you do?

A. B. C. D.

Add Group1 to the local Administrators group. Add Group1 to the Certificate Publishers group. Assign the Manage CA permission to Group1. Assign the Issue and Manage Certificates permission to Group1.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc732590.aspx Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL) schedules. Revoking certificates is an activity of the Certificate Manager role. QUESTION 9 You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents. You need to ensure that all of the recovery agent certificates can be used to recover all new private keys. What should you do? A. B. C. D.

Add a data recovery agent to the Default Domain Policy. Modify the value in the Number of recovery agents to use box. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page 357 You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery. QUESTION 10 You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module. You need to back up Active Directory Certificate Services on the CA.

Which command should you run? A. B. C. D.

certutil.exe backup certutil.exe backupdb certutil.exe backupkey certutil.exe store

Correct Answer: B Section: (none) Explanation Explanation/Reference: Because a hardware security module (HSM) is used that stores the private keys, the command certutil.exe -backup would fail, since we cannot extract the private keys from the module. The HSM should have a proprietary procedure for that. The given commands are: certutil -backup Backup set includes certificate database, CA certificate an the CA key pair certutil -backupdb Backup set only includes certificate database certutil -backupkey Backup set only includes CA certificate and the CA key pair certutil -store Provides a dump of the certificate store onscreen. Since we cannot extract the keys from the HSM we have to use backupdb. Reference 1: Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215 For the commands listed above. Reference 2: http://technet.microsoft.com/en-us/library/cc732443.aspx Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. Syntax Certutil [-parameter] Parameter -backupdb Backup the Active Directory Certificate Services database Reference 3: http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/ Blog with extra info, tips and a post: kids says: Hello,

Need your expert view on this question: You have an enterprise subordinate certificate authority (CA). The CA is configured to use a hardware security module. You need to back up Active Directory Certificate Services on the CA - certutil.exe -backupkey - certutil.exe -backup - certutil.exe -store - certutil.exe -backupdb the answer is -backupdb since it using hardware security module(HSM). Am i correct? DXter says: Yes. But I whould have used: certutil.exe -backupdb KeepLog QUESTION 11 You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template. You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

In a Group Policy object (GPO), configure the autoenrollment settings. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.

Correct Answer: AD Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd379539.aspx To automatically enroll client computers for certificates in a domain environment, you must: Configure an autoenrollment policy for the domain. (...) In Configuration Model, select Enabled to enable autoenrollment. Configure certificate templates for autoenrollment. (...) In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish Configure an enterprise CA. QUESTION 12 You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template. Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment.

You need to ensure that the certificate template is available on the Web enrollment pages. What should you do? A. B. C. D.

Run certutil.exe pulse. Run certutil.exe installcert. Change the certificate template to a Version 2 certificate template. On the certificate template, assign the Autoenroll permission to the users.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Identical to F33. Reference 1: http://technet.microsoft.com/en-us/library/cc732517.aspx Certificate Web enrollment cannot be used with version 3 certificate templates. Reference 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates. QUESTION 13 You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment. You increase the template key length to 2,048 bits. You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template. Which console should you use? A. B. C. D.

Active Directory Administrative Center Certification Authority Certificate Templates Group Policy Management

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q23. Reference: http://technet.microsoft.com/en-us/library/cc771246.aspx

Re-Enroll All Certificate Holders This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration. To re-enroll all certificate holders 1. Open the Certificate Templates snap-in. 2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders. QUESTION 14 Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard. The functional level of the domain is Windows Server 2003. You have a certification authority (CA). The relevant servers in the domain are configured as shown below:

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network. What should you do? A. B. C. D.

Upgrade Server1 to Windows Server 2008 R2. Upgrade Server2 to Windows Server 2008 R2. Raise the functional level of the domain to Windows Server 2008. Install the Windows Server 2008 R2 Active Directory Schema updates.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd759243.aspx Installation requirements Before installing the certificate enrollment Web services, ensure that your environment meets these requirements: A host computer as a domain member running Windows Server 2008 R2. An Active Directory forest with a Windows Server 2008 R2 schema. An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. QUESTION 15 You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation of the Active Directory database on the domain

controller. You must achieve this goal without affecting the availability of the DHCP service. What should you do? A. B. C. D.

Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility. Stop the Active Directory Domain Services service. Run the Ntdsutil utility. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.

Correct Answer: C Section: (none) Explanation Explanation/Reference: We don't need to restart the server to defragment the AD database. We do need to stop AD DS in order to defragment the database. Reference: http://technet.microsoft.com/en-us/library/cc794920.aspx To perform offline defragmentation of the directory database 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. (...) QUESTION 16 Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication. Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing. Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder. You need to ensure that the G_Marketing members can access the folder from the network. What should you do? A. B. C. D.

From From From From

Windows Explorer, modify the NTFS permissions of the folder. Windows Explorer, modify the share permissions of the folder. Active Directory Users and Computers, modify the computer object for Server1. Active Directory Users and Computers, modify the group object for G_Marketing.

Correct Answer: C Section: (none) Explanation Explanation/Reference:

Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644 After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain. To assign this permission: 1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu. 2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions. 3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission. QUESTION 17 Your network contains an Active Directory forest. You need to add a new user principal name (UPN) suffix to the forest. Which tool should you use? A. B. C. D.

Active Directory Administrative Center Active Directory Domains and Trusts Active Directory Sites and Services Active Directory Users and Computers

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/ Demonstration adding a UPN Suffix To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest. QUESTION 18 Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link. You discover that the cached password for a user named User1 is compromised on the RODC. On a domain controller in Site1, you change the password for User1. You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC. Which tool should you use? A. Active Directory Sites and Services

B. Active Directory Users and Computers C. Repadmin D. Replmon Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc742095.aspx Repadmin /rodcpwdrepl Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs). Example: The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc: repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com QUESTION 19 Your network contains an Active Directory domain named contoso.com. The properties of the contoso.com DNS zone are configured as shown in the exhibit:

You need to update all service location (SRV) records for a domain controller in the domain. What should you do? A. B. C. D.

Restart the Netlogon service. Restart the DNS Client service. Run sc.exe and specify the triggerinfo parameter. Run ipconfig.exe and specify the /registerdns parameter.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

http://en.wikipedia.org/wiki/SRV_record SRV record A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. QUESTION 20 Your network contains an Active Directory domain. A user named User1 takes a leave of absence for one year. You need to restrict access to the User1 user account while User1 is away. What should you do? A. B. C. D.

From From From From

the Default Domain Policy, modify the account lockout settings. the Default Domain Controller Policy, modify the account lockout settings. the properties of the user account, modify the Account options. the properties of the user account, modify the Session settings.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Account lockout settings deal with logon security, like how many times a wrong password can be entered before an account gets locked out, or after how many minutes a locked out user can try again. To really restrict access to the User1 account it has to be disabled, by modifying the account options. Reference: http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retains the user’s data. Disabling a user account also keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily. QUESTION 21 Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You have a list that contains the mobile phone number of each user. You need to add the mobile number of each user to Active Directory. What should you do? A. B. C. D.

Create a file that contains the mobile phone numbers, and then run ldifde.exe. Create a file that contains the mobile phone numbers, and then run csvde.exe. From Adsiedit, select the CN=Users container, and then modify the properties of the container. From Active Directory Users and Computers, select all of the users, and then modify the properties of the users.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: CSVDE can only import and export data from AD DS. http://technet.microsoft.com/en-us/library/cc732101.aspx Reference: http://technet.microsoft.com/en-us/library/cc731033.aspx Ldifde Creates, modifies, and deletes directory objects. QUESTION 22 Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7. From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO). You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers. You need to ensure that the audit policy is applied to all member servers and all client computers. What should you do? A. B. C. D.

Add a WMI filter to the Default Domain Policy GPO. Modify the security settings of the Default Domain Policy GPO. Configure a startup script that runs auditpol.exe on the member servers. Configure a startup script that runs auditpol.exe on the domain controllers.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Advanced audit policy settings cannot be applied using group policy to Windows Server 2008 servers. To circumvent that we have to use a logon script to apply the audit policy to the Windows Server 2008 member servers. Reference1: http://technet.microsoft.com/en-us/library/ff182311.aspx Advanced Security Auditing FAQ The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008. Note In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). QUESTION 23 Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters.

You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long. What should you do first? A. B. C. D.

Run the New-ADFineGrainedPasswordPolicy cmdlet. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet. From the Default Domain Policy, modify the password policy. From the Default Domain Controller Policy, modify the password policy.

Correct Answer: A Section: (none) Explanation Explanation/Reference: First we need to create a new Active Directory fine grained password policy, using NewADFineGrainedPasswordPolicy. Then we can apply the new policy to Group1, using Add-ADFineGrainedPasswordPolicySubject. Reference: http://technet.microsoft.com/en-us/library/ee617238.aspx New-ADFineGrainedPasswordPolicy Creates a new Active Directory fine grained password policy. QUESTION 24 Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You attempt to create a snapshot of Instance1 as shown in the exhibit:

You need to ensure that you can take a snapshot of Instance1. What should you do? A. At the command prompt, run net start VSS.

B. At the command prompt, run net start Instance1. C. Set the Startup Type for the Instance1 service to Disabled. D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual. Correct Answer: A Section: (none) Explanation Explanation/Reference: Hard to find references on this, but the solution can be found by eliminating the rest. Instance1 is running, otherwise you'd get a different message at the snaphot: create step. ("AD service must be running in order to perform this operation", on my virtual server.) Disabling Instance1 makes no sense because you need it, nor is setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual. QUESTION 25 Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers. You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do? A. B. C. D.

From From From From

Event Viewer on the member server, create a subscription. Event Viewer on each domain controller, create a subscription. Event Viewer on the member server, run the Create Basic Task Wizard. Event Viewer on each domain controller, run the Create Basic Task Wizard.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Since the member server is collecting all domain controller events we just need to run the Create Basic Task Wizard on the member server, which enables us to send an e-mail when a specific event is logged. Running the wizard on every domain controller would work, but is much more work and we need to use the minimum amount of administrative effort. Reference: http://technet.microsoft.com/en-us/library/cc748900.aspx To Run a Task in Response to a Given Event 1. Start Event Viewer. 2. In the console tree, navigate to the log that contains the event you want to associate with a task. 3. Right-click the event and select Attach Task to This Event. 4. Perform each step presented by the Create Basic Task Wizard. In the Action step in the wizard you can decide to send an e-mail. QUESTION 26 Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.

You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1. What should you do first? A. B. C. D.

At the command prompt, run net stop ntds. At the command prompt, run net stop netlogon. Restart DC1 in Safe Mode. Restart DC1 in Directory Services Restore Mode (DSRM).

Correct Answer: A Section: (none) Explanation Explanation/Reference: We don't need to restart the server to defragment the AD database. We only need to stop AD DS in order to defragment the database, using ntdsutil. Reference: http://technet.microsoft.com/en-us/library/cc794920.aspx To perform offline defragmentation of the directory database 1. Open a Command Prompt as an administrator. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. (...) QUESTION 27 Your network contains a single Active Directory domain named contoso.com. An administrator accidentally deletes the _msdsc.contoso.com zone. You recreate the _msdsc.contoso.com zone. You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records. What should you do on each domain controller? A. B. C. D.

Restart the Netlogon service. Restart the DNS Server service. Run dcdiag.exe /fix. Run ipconfig.exe /registerdns.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference 1: http://support.microsoft.com/kb/817470 To register the required records to the single root domain controller, restart the Net Logon service on all the domain controllers. The replication works correctly if the replication window is not less than the default DNS Time to Live (TTL) entry. To restart the Net Logon service, follow these steps: 1. Click Start, click Run, type cmd in the Open box, and then press ENTER.

2. At the command prompt, type the following command, and then press ENTER: net stop netlogon 3. Type net start netlogon, and then press ENTER. Reference 2: http://serverfault.com/questions/383915/how-do-i-manually-create-the-msdcs-dns-zone-for-a-domain-that-wascreated-pre-s Be sure to restart the Netlogon services on all DC's when the zone has been replicated to them. This forces the DC's to register their SRV records in the _msdcs zone. QUESTION 28 Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the records are replicated to all DNS servers. Which tool should you use? A. B. C. D.

Dnslint Ldp Nslookup Repadmin

Correct Answer: D Section: (none) Explanation Explanation/Reference: Practically the same question as G/Q8, J/Q24, K/Q8, K/Q31, different set of answers sometimes. To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Reference: http://technet.microsoft.com/en-us/library/cc811569.aspx Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall [] [] Parameters Specifies the host name of the domain controller to synchronize with all replication partners. Specifies the distinguished name of the directory partition. Performs specific actions during the replication. QUESTION 29

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit:

You need to ensure that all domain controllers in the forest host a writable copy of _msdcs.contoso.com. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Create a zone delegation record in the contoso.com zone. Create a zone delegation record in the eu.contoso.com zone. Create an Active Directory-integrated zone for _msdcs.contoso.com. Create a secondary zone named _msdcs.contoso.com in eu.contoso.com.

Correct Answer: AC Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc753500.aspx Create a Zone Delegation You can divide your Domain Name System (DNS) namespace into one or more zones. You can delegate management of part of your namespace to another location or department in your organization by delegating the management of the corresponding zone. When you delegate a zone, remember that for each new zone that you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being

made authoritative for the new zone. http://blogs.chrisse.se/2011/04/10/are-you-storing-your-ad-integrated-dns-zones-in-the-dns-applicationpartitions-ncs/ Are you storing your AD-Integrated DNS Zones in the DNS Application Partitions (NCs)? 1. Background Overview A partition is a data structure within Active Directory used to distinguish data for different replication purposes. Every domain controller contains the following three directory partitions: configuration, schema, and domain. A directory partition is also called the “naming context”. Domain controllers in the same forest but in different domains share the same configuration and schema data, but they do not share the same domain data. .. Every object created in the domain naming context, which includes DNS zones and nodes (DNS names, e.g., microsoft.com), are replicated to all the GC’s in the domain. By using application directory partitions to store the DNS data, essentially all DNS objects are removed from the GC. This is a significant reduction in the number of objects that are normally stored in the GC .. Additionally, an application directory partition that is replicated to all DNS servers in the forest can be used for zones like _msdcs. which should be visible to the entire forest. This is ideal because all DC’s register their DsaGuid CNAME resource record in the _msdcs. zone. ... http://standalonelabs.wordpress.com/2011/05/08/what-is-the-_msdcs-subdomain/ What is the _msdcs Subdomain? Some of the materials I have read on Active Directory and DNS I feel have not done a clear job explaining exactly what the _msdcs subdomain is and how it is used in an Active Directory forest. The following is my explanation which I hope makes some sense out of the issue. _msdcs and Domain Controller Location First, all domains in an Active Directory forest have a subdomain beneath them called _msdcs. To illustrate, if I create a domain called parent.local and a child domain called child.parent.local, those domains will each contain a subdomain: _msdcs.parent.local and _msdcs.child.parent.local respectively. You can see the _msdcs subdomain of a domain in my Active Directory forest below:

This subdomain is reserved for the registration of DNS records for Microsoft specific services. For example, when looking for a domain controller, a client will need to query a LDAP service record. Microsoft is not the only software company who makes directory services software using the LDAP protocol. As such, there needs to be a way for a client to specifically request a Microsoft LDAP server (in other words a domain controller). Because the _msdcs domain is reserved specifically for Microsoft, clients can safely query this domain for LDAP service records and know they will be receiving the record for a Microsoft domain controller.

Take a closer look at the _msdcs subdomain. You’ll see it actually has several subdomains of its own.

One of these subdomains is the “dc” domain. The dc._msdcs domain contains two other subdomains called “_sites” and “_tcp.” When a client is querying DNS for a domain controller, if the client does not know what site it belongs to, it will request a _ldap service record from the _tcp.dc._msdcs.domain.tld zone. If the client does know what site it belongs to, it can query for a _ldap record in the subdomain for that site. For example, _tcp.Default-First-Site-Name._sites.dc._msdcs.child.parent.local using the example pictured above. _msdcs Subdomain of the Forest Root Domain The _msdcs subdomain of the forest’s root domain is a little special. First, if you look at the records registered in the root of the zone, you may see several CNAME (or alias) records. There is a CNAME record for each domain controller in the forest and this record maps the GUID of the domain controller to the fully-qualified domain name of the domain controller. These records are used by Active Directory for replication purposes. All writable domain controllers must register a record in this zone for proper replication.

Now, take a look at the _msdcs domain under the forest root domain in the DNS Server Manager. Notice how it is depicted as a gray icon.

This signifies _msdcs is a delegated domain. Recall that delegations are used to specify the IP address of another DNS server that will host the zone. In the case of the _msdcs domain, the delegation does not actually specify a different DNS server, but instead points to the local server as you can see from the properties of the delegation in the screen shot below:

So, what is the point of delegating this subdomain to the same server? Well, essentially by specifying the _msdcs domain as a delegation, you remove it from the parent zone on the DNS server allowing you to create an independent _msdcs zone. The screen shot below highlights this _msdcs zone:

Because this is now a separate zone, it is possible to change it’s replication scope. By default, the replication scope is set to all DNS servers in the forest.

In contrast, the parent domain’s replication scope is set to only the DNS servers in the domain by default. Now, the _msdcs subdomain of the forest root has its own subdomain underneath it called “dc,” like we looked at earlier, where DCs for the domain register their service records. But, because the _msdcs subdomain of the forest root domain is replicated to all DNS servers in the forest, it also make the perfect place for services that are needed throughout the forest to register their DNS records as well. For example, say the global catalog. Looking at the subdomains in the _msdcs domain, you’ll see in addition to the “dc” domain, there is a subdomain called “domains” and another subdomain called “gc.”

The domains._msdcs domain contains subdomains corresponding to all domains in the forest (labeled by the domain’s GUID). In these subdomains are service records for the DCs in those domains. The gc._msdcs domain contains two subdomains of its own called “_sites” and “_tcp.” These function the same way as the “_sites” and “_tcp” subdomains in the dc._msdcs domain function. When a client needs to find a global catalog in the forest, it can query for an _ldap record in the _tcp.gc._msdcs.forestroot.tld zone if it does not know what site it is in or it can query for a global catalog in a specific site by requesting an _ldap record in the _tcp.SiteName._sites.gc._msdcs.forestroot.tld zone. I also want to make it clear, that because the _msdcs subdomain of the forest root is replicated to all DNS servers in the forest, this means every DNS server is authoritative for the _msdcs.forestroot.tld zone. That concludes this look at the _msdcs domain. I hope this description was helpful. QUESTION 30 You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2. What should you do? A. Run defrag.exe /a /c. B. Run defrag.exe /c /u.

C. From Ntdsutil, use the Files option. D. From Ntdsutil, use the Metadata cleanup option. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc794920.aspx Compact the Directory Database File (Offline Defragmentation) You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location. Reference 2: Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.dit These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate. 1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator. 2. Type ntdsutil, and then press Enter. 3. Type Activate instance NTDS, and press Enter. 4. At the resulting ntdsutil prompt, type Files (case sensitive) and then press Enter. 5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter. QUESTION 31 Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers. The servers are configured as shown in the following table:

You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Configure the policy module settings. Configure the issuance requirements for the certificate templates. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting. Configure the delegation settings for the Certificate Enrollment Web Service application pool account.

Correct Answer: BD Section: (none) Explanation Explanation/Reference: All credit for correcting this one and providing the explanation goes to Luffy! Reference 1: http://technet.microsoft.com/en-us/library/dd759245.aspx The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA. Reference 2: http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx Delegation is required for the Certificate Enrollment Web Service account when all of the following are true: the CA is not on the same computer as the Certificate Enrollment Web Service Certificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed to only processing certificate renewal requests the authentication type is set to Windows Integrated Authentication or Client certificate authentication QUESTION 32 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard. You need to install an enterprise subordinate certification authority (CA) that supports private key archival. You must achieve this goal by using the minimum amount of administrative effort. What should you do first? A. B. C. D.

Initialize the Trusted Platform Module (TPM). Upgrade the member server to Windows Server 2008 R2 Standard. Install the Certificate Enrollment Policy Web Service role service on the member server. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services Certification Authority server role template check box.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Not sure about this one. See my thoughts below. ________________________________________________________________________________ According to MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) key archival is not available in the Windows Server 2008 R2 Standard edition, so that would leave out answer B.

Another dump gives the following for answer B: "Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise." Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go for that. In this VCE it doesn't seem to make sense to go for B as it shouldn't work, I think. Certificate Enrollment Policy Web Service role of answer C was introduced in Windows Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008 machine. Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a hardware-based approach to manage user authentication, network access, data protection and more that takes security to higher level than software-based security." (http://www.trustedcomputinggroup.org/resources/ how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/) Pfff... I'm bothered that answer B speaks of the Standard edition, and not the Enterprise edition. Hope the VCE is wrong. QUESTION 33 You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template. Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template is available on the Web enrollment pages. What should you do? A. B. C. D.

Run certutil.exe Cpulse. Run certutil.exe Cinstallcert. Change the certificate template to a Version 2 certificate template. On the certificate template, assign the Autoenroll permission to the users.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Identical to F12. Reference 1: http://technet.microsoft.com/en-us/library/cc732517.aspx Certificate Web enrollment cannot be used with version 3 certificate templates. Reference 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates. QUESTION 34 Your network contains an Active Directory domain. The domain contains a member server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a global catalog server. What should you do? A. B. C. D.

Modify the Active Directory schema. From Ntdsutil, use the Roles option. Run the Active Directory Domain Services Installation Wizard on Server1. Move the Server1 computer object to the Domain Controllers organizational unit (OU).

Correct Answer: C Section: (none) Explanation Explanation/Reference: Now it's just a member server, so you'll have to run dcpromo to start the Active Directory Domain Services Installation Wizard in order to promote the server to a domain controller. Only a domain controller can be a global catalog server. Reference: http://technet.microsoft.com/en-us/library/cc728188.aspx The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. QUESTION 35 Your network contains three Active Directory forests named Forest1, Forest2 and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 and Forest3. You need to configure the forests to meet the following requirements: Users in Forest3 must be able to access resources in Forest1

Users in Forest1 must be able to access resources in Forest3. The number of trusts must be minimized. What should you do? A. B. C. D. E.

In Forest2, modify the name suffix routing settings. In Forest1 and Forest3, configure selective authentication. In Forest1 and Forest3, modify the name suffix routing settings. Create a two-way forest trust between Forest1 and Forest3. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012) page 639: Forest Trusts (...) You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters .com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them. QUESTION 36 Your network contains an Active Directory domain. All domain controllers run Windows Server 2003. You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2. You need to minimize the amount of SYSVOL replication traffic on the network. What should you do? A. B. C. D.

Raise the functional level of the forest to Windows Server 2008 R2. Modify the path of the SYSVOL folder on all of the domain controllers. On a global catalog server, run repadmin.exe and specify the KCC parameter. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role. Reference 1:

http://technet.microsoft.com/en-us/library/cc794837.aspx Using DFS Replication for replicating SYSVOL in Windows Server 2008 DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated. Reference 2: http://technet.microsoft.com/en-us/library/dd639809.aspx Migrating to the Prepared State The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication). This migration phase includes the tasks in the following list. (...) Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state. QUESTION 37 Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table:

All client computers run Windows 7. You need to ensure that all client computers in the domain keep the same time as an external time server. What should you do? A. B. C. D.

From From From From

DC1, run the time command. DC2, run the time command. DC1, run the w32tm.exe command. DC2, run the w32tm.exe command.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc816748.aspx Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest.

Reference 2: http://technet.microsoft.com/en-us/library/cc773263.aspx Windows Time Service Tools and Settings Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually configured to synchronize time with an external time source. W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service. QUESTION 38 Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table:

All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range. You need to minimize the number of client authentication requests sent to DC2. What should you do? A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1. B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1. C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1. D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2011-04-06.230q.vce.file.html Spider from Switzerland - Apr 12 2011, 7:13 PM Creating a new site and assigning a subnet of 10.1.1.2 with subnet mask of 255.255.255.255, it means only ONE ip (the DC2 ip) will be included on the site1 subnet coverage. Therefore all the request will be processed from the DC1 in the default-first-site and dc2 will authenticate only itself. QUESTION 39 Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to configure AD RMS to use Kerberos authentication.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Register a service principal name (SPN) for AD RMS. Register a service connection point (SCP) for AD RMS. Configure the identity setting of the _DRMSAppPool1 application pool. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS)

Correct Answer: AD Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd759186.aspx If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures: Set the Internet Information Services (IIS) useAppPoolCredentials variable to True Set the Service Principal Names (SPN) value for the AD RMS service account QUESTION 40 Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC). You need to configure the RODC to store only the passwords of users in the remote site. What should you do? A. B. C. D.

Create a Password Settings object (PSO). Modify the Partial-Attribute-Set attribute of the forest. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc730883.aspx Password Replication Policy Allowed and Denied lists Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group. These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDSNeverRevealGroup Active Directory attributes mentioned earlier. QUESTION 41 Your company has four offices.

The network contains a single Active Directory domain. Each office has a domain controller. Each office has an organizational unit (OU) that contains the user accounts for the users in that office. In each office, support technicians perform basic troubleshooting for the users in their respective office. You need to ensure that the support technicians can reset the passwords for the user accounts in their respective office only. The solution must prevent the technicians from creating user accounts. What should you do? A. B. C. D.

For each OU, run the Delegation of Control Wizard. For the domain, run the Delegation of Control Wizard. For each office, create an Active Directory group, and then modify the security settings for each group. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for each group.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc732524.aspx To delegate control of an organizational unit 1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers. 2. To open Active Directory Users and Computers in Windows Server® 2012, click Start, type dsa.msc. 3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control. 4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard. Reference 2: http://technet.microsoft.com/en-us/library/dd145442.aspx Delegate the following common tasks The following are common tasks that you can select to delegate control of them: (...) Reset user passwords and force password change at next logon QUESTION 42 Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizational unit (OU) named OU1. You link a new Group Policy object (GPO) named GPO10 to OU1. You need to ensure that GPO10 is applied only to client computers that run Windows 7. What should you do? A. B. C. D.

Create a new OU in OU1. Move the Windows XP computer accounts to the new OU. Enable block inheritance on OU1. Create a WMI filter and assign the filter to GPO10. Modify the permissions of OU1.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc947846.aspx To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer. QUESTION 43 Your network contains an Active Directory domain named contoso.com. You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes. Which security policy setting should you configure? A. B. C. D.

Audit Sensitive Privilege Use Audit User Account Management Audit Directory Service Changes Audit Other Account Management Events

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/dd772641.aspx Audit Directory Service Changes This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). Reference 2: http://technet.microsoft.com/en-us/library/cc731607.aspx AD DS Auditing Step-by-Step Guide This guide includes a description of the new Active Directory® Domain Services (AD DS) auditing feature in Windows Server® 2008. With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte. QUESTION 44 Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. What should you do? A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.

B. Create an external trust from nwtraders.com to contoso.com. C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain. D. Create an external trust from contoso.com to nwtraders.com. Correct Answer: C Section: (none) Explanation Explanation/Reference: Same question as J/Q30. Reference: http://technet.microsoft.com/en-us/library/hh311036.aspx Using AD RMS trust It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. QUESTION 45 Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server. You plan to add a new token-signing certificate to Server1. You import the certificate to the server as shown in the exhibit:

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable. You need to ensure that you can use the new certificate for AD FS.

What should you do? A. B. C. D.

From the properties of the certificate, modify the Certificate Policy OIDs setting. Import the certificate to the AD FS 2.0 Windows Service personal certificate store. From the properties of the certificate, modify the Certificate purposes setting. Import the certificate to the local computer personal certificate store.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/hh341466.aspx When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server. QUESTION 46 You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC). What should you do? A. B. C. D.

Run the repadmin.exe command and specify the /prp parameter. From Active Directory Sites and Services, modify the properties of the RODC computer object. From Active Directory Users and Computers, modify the properties of the RODC computer object. Run the dsrm.exe command and specify the -u parameter.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx Clearing the authenticated accounts list In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC. Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure. To clear all entries from the list, run the command repadmin /prp delete auth2 /all. Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER. QUESTION 47 Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site. You discover that the domain controllers in the branch offices sometimes replicate directly to each

other. You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office. What should you do? A. B. C. D.

Modify the firewall settings for the main office site. Disable the Knowledge Consistency Checker (KCC) for each branch office site. Disable site link bridging. Modify the security settings for the main office site.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc757117.aspx Configuring site link bridges By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites. Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links, in the following cases: (...) You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller. QUESTION 48 Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 was installed before DC2. DC1 fails. You need to ensure that you can add 1,000 new user accounts to the domain. What should you do? A. B. C. D.

Modify the permissions of the DC2 computer account. Seize the schema master FSMO role. Configure DC2 as a global catalog server. Seize the RID master FSMO role.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)

pages 536-537 RID master failure A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, prevents you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online. QUESTION 49 Your network contains an Active Directory domain named contoso.com. You need to identify whether the Active Directory Recycle Bin is enabled. What should you do? A. B. C. D.

From From From From

Ldp, search for the Reanimate-Tombstones object. Ldp, search for the LostAndFound container. Windows PowerShell, run the Get-ADObject cmdlet. Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://www.frickelsoft.net/blog/?p=224 How can I check whether the AD Recycle-Bin is enabled in my R2 forest? [He shows how to use the PowerShell cmdlet Get- ADOptionalFeature to determine if the AD Recycle Bin is enabled.] QUESTION 50 Your network contains an Active Directory domain. You create and mount an Active Directory snapshot. You run dsamain.exe as shown in the exhibit:

You need to ensure that you can browse the contents of the Active Directory snapshot. What should you? A. B. C. D.

Stop Active Directory Domain Services (AD DS) and then rerun dsamain.exe. Change the value of the dbpath parameter, and then rerun dsamain.exe. Change the value of the ldapport parameter, and then rerun dsamain.exe. Restart the Volume Shadow Copy Service (VSS) and then rerun dsamain.exe.

Correct Answer: B Section: (none) Explanation Explanation/Reference: The path in the exhibit points to the running Active Directory database, not to the snapshot. Reference: http://technet.microsoft.com/en-us/library/cc772168.aspx For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example: /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit

Exam G QUESTION 1 Your network contains an Active Directory domain. You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain. What should you do? A. B. C. D.

From From From From

Group Policy Management Console (GPMC), back up the GPOs. Windows Explorer, copy the content of the %systemroot%\SYSVOL folder. Windows Server Backup, perform a system state backup. Windows PowerShell, run the Backup-GPO cmdlet.

Correct Answer: C Section: (none) Explanation Explanation/Reference: When you backup a GPO using the Group Policy Management Console or the Backup-GPO cmdlet, the links to domains/sites/OUs are not included. The link is indicated in an accompanying gpreport.xml, but it's not in the backup itself. If you restore the backup, then the GPO is not linked to anything. Microsoft recommends that you do not modify the Sysvol structure. This recommendation also applies to backup and restore operations of the Sysvol structure. On top of that, the SYSVOL folder only contains the GPT part of a GPO, so it would be an incomplete backup anyway. The link between GPO and for example an OU is an attribute (gPLink) of the OU, not of the GPO. So, to backup the GPOs, including the links, we have to perform a system state backup. Reference 1: http://www.microsoft.com/en-us/download/details.aspx?id=22478 Planning and Deploying Group Policy (Word-document) Backing up and restoring WMI filter data, IPsec policy settings, and links to OUs Links to WMI filters and IPsec policies are stored in GPOs and are backed up as part of a GPO. When you restore a GPO, these links are preserved if the underlying objects still exist in Active Directory. Links to OUs, however, are not part of the backup data and will not be restored during a restore operation. Reference 2: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c361339f-7266-4991-8309c957a123a455/ Does backup-gpo cmdlet backup GPO links and permission? "Permissions are backed up but links are not. The links are actually properties of the OU and would be backed up as part of the system state. Please see this article for more information: http://technet.microsoft.com/en-us/ library/cc784474.aspx. The article refers to the GPMC process which is the same as the PowerShell cmdlet." Reference 3: http://technet.microsoft.com/en-us/library/cc784474.aspx Information saved in a backup Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following information: GPO globally unique identifier (GUID) and domain.

GPO settings. Discretionary access control list (DACL) on the GPO. WMI filter link, if there is one, but not the filter itself. Links to IP Security Policies, if any. XML report of the GPO settings, which can be viewed as HTML from within GPMC. Date and time stamp of when the backup was taken. User-supplied description of the backup. Information not saved in a backup Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is not available when the backup is restored to the original GPO or imported into a new one. This data that becomes unavailable includes the following information: Links to a site, domain, or organizational unit. WMI filter. IP Security policy. Reference 4: http://technet.microsoft.com/en-us/library/jj134176.aspx Check Group Policy Infrastructure Status Each GPO is stored partly in Active Directory and partly in the SYSVOL on the domain controller. The portion of the GPO stored in Active Directory is called the Group Policy container (GPC) while the portion of the GPO stored in the SYSVOL is called the Group Policy template (GPT). GPMC and Group Policy Management Editor manage the GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC is actually setting permissions on objects in both Active Directory and the SYSVOL. It is not recommended that you manipulate these separate objects independently outside of GPMC and the Group Policy Management Editor. It is important to understand that these two separate features of a GPO rely on different replication mechanisms. The file system portion, GPT, is replicated through Distributed File Service Replication (DFS-R) or File Replication Service (FRS), independently of the replication handled by Active Directory, GPC. QUESTION 2 Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on the domain controller. Which tool should you use? A. B. C. D.

Ntdsutil Dsamain Active Directory Users and Computers Local Users and Groups

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://blogs.technet.com/b/meamcs/archive/2012/05/29/reset-the-dsrm-administrator-password.aspx To Reset the DSRM Administrator Password 1. Click, Start, click Run, type ntdsutil, and then click OK. 2. At the Ntdsutil command prompt, type set dsrm password. 3. (...) QUESTION 3

Your network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume enterprise certification authority (CA). You need to minimize the amount of network bandwidth required to validate a certificate. What should you do? A. B. C. D.

Configure an LDAP publishing point for the certificate revocation list (CRL). Configure an Online Certification Status Protocol (OCSP) responder. Modify the settings of the delta certificate revocation list (CRL). Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 779 Online responder This service is designed to respond to specific certificate validation requests through the Online Certificate Status Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain a full CRL and can submit a validation request for a specific certificate. The online responder decodes the validation request and determines whether the certificate is valid. When it determines the status of the requested certificate, it sends back an encrypted response containing the information to the requester. Using online responders is much faster and more efficient than using CRLs. AD CS includes online responders as a new feature in Windows Server 2008 R2. QUESTION 4 Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in the exhibit:

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do? A. B. C. D.

Enforce GPO1. Modify the security settings of the Dev OU. Link GPO1 to the Finance OU. Modify the security settings of the Finance OU.

Correct Answer: C Section: (none) Explanation Explanation/Reference: The OUs that are indicated by a blue exclamation mark in the console tree have blocked inheritance. This means that GPO1 will not be applied to those OUs. For the Dev OU that's ok, but not for the Finance OU. So we have to link GPO1 to the Finance OU. Reference: http://technet.microsoft.com/en-us/library/cc731076.aspx Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree. QUESTION 5

Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed service accounts from being deleted accidentally from OU1. Which cmdlet should you use? A. B. C. D.

Set-ADUser Set-ADOrganizationalUnit Set-ADServiceAccount Set-ADObject

Correct Answer: D Section: (none) Explanation Explanation/Reference: You can use Set-ADOrganizationalUnit and the -ProtectedFromAccidentalDeletion $true parameter to prevent OU1 from being deleted accidentally, but you would still be able to delete the accounts inside it. Use SetADObject to protect the accounts. Reference: http://technet.microsoft.com/en-us/library/hh852326.aspx Set-ADObject Modifies an Active Directory object. Parameter -ProtectedFromAccidentalDeletion Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: $false or 0 $true or 1 The following example shows how to set this parameter to true. -ProtectedFromAccidentalDeletion $true QUESTION 6 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3. What should you do first? A. B. C. D.

Run dcpromo.exe /createdcaccount on DC3. Run ntdsutil.exe on DC2. Run dcpromo.exe /adv on DC3. Run ntdsutil.exe on DC1.

Correct Answer: D

Section: (none) Explanation Explanation/Reference: We can run dcpromo.exe /adv on DC3 to install a new writable domain controller using the Install From Media (IFM) option. That way there is less replication traffic. But before we can do that we have to create the installation media first. I suspect that's what they mean when they say "What should you do first?" So first we create the installation media, then we use the installation media to install DC3. Technet gives us instructions on how to create the installation media. It says: "You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently." "You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller." Since DC2 in answer B is a read-only domain controller, that leaves us with answer D ("Run ntdsutil.exe on DC1"). Reference 1: http://technet.microsoft.com/en-us/library/cc770654.aspx [Used for the information above] [Some extra info on using IFM to install the DC:] Reference 2: http://http://technet.microsoft.com/en-us/library/cc732887.aspx dcpromo /adv Performs an install from media (IFM) operation. Reference 3: http://http://technet.microsoft.com/en-us/library/cc816722.aspx Installing an Additional Domain Controller by Using IFM When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. QUESTION 7 Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers are configured as global catalog servers. You remove the global catalog role from a domain controller named DC5. You need to reclaim the hard disk space used by the global catalog on DC5. What should you do? A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC). B. From Active Directory Sites and Services, modify the general properties of DC5. C. From Ntdsutil, use the Semantic database analysis option.

D. From Ntdsutil, use the Files option. Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference 1: http://http://technet.microsoft.com/en-us/library/cc816618.aspx Database defragmentation In cases in which the data decreases significantly, such as when the global catalog is removed from a domain controller, free disk space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of free disk space in the database. To decrease the size of the database file by returning free disk space from the database file to the file system, you can perform an offline defragmentation of the database. Whereas online defragmentation occurs automatically while AD DS is running, offline defragmentation requires taking the domain controller offline and using the Ntdsutil.exe command-line tool to perform the procedure. Reference 2: http://technet.microsoft.com/en-us/library/cc794920.aspx To perform offline defragmentation of the directory database 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER. 6. At the ntdsutil prompt, type files, and then press ENTER. 7. (...) QUESTION 8 A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible.

http://www.gratisexam.com/ Which tool should you use? A. B. C. D. E. F.

Ldp Repadmin Ntdsutil Nslookup Active Directory Sites And Services console Active Directory Domains And Trusts console

G. Dnslint H. Dnscmd Correct Answer: B Section: (none) Explanation Explanation/Reference: Practically the same question as F/Q28, J/Q24, K/Q8, K/Q31, different set of answers sometimes. To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Reference: http://technet.microsoft.com/en-us/library/cc811569.aspx Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall [] [] Parameters Specifies the host name of the domain controller to synchronize with all replication partners. Specifies the distinguished name of the directory partition. Performs specific actions during the replication. QUESTION 9 You have a DNS zone that is stored in a custom application partition. You need to add a domain controller to the replication scope of the custom application partition. Which tool should you use? A. B. C. D.

DNScmd DNS Manager Server Manager Dsmod

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc753801.aspx After you create a Domain Name System (DNS) application directory partition to store a zone, you must enlist the DNS server that hosts the zone in the application directory partition.

To enlist a DNS server in a DNS application directory partition 1. Open a command prompt. 2. Type the following command, and then press ENTER: dnscmd / EnlistDirectoryPartition QUESTION 10 Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has the Active Directory Certificate Services (AD CS) role installed. You configure a certificate template named Template1 for autoenrollment. You discover that certificates are not being issued to any client computers. The event logs on the client computers do not contain any autoenrollment errors. You need to ensure that all of the client computers automatically receive certificates based on Template1. What should you do? A. B. C. D.

Modify the Default Domain Policy Group Policy object (GPO). Modify the Default Domain Controllers Policy Group Policy object (GPO). Upgrade Server1 to Windows Server 2008 R2 Enterprise. Restart Certificate Services on Server1.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc731522.aspx Configure Certificate Autoenrollment Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users. To automatically enroll clients for certificates in a domain environment, you must: Configure a certificate template with Autoenroll permissions. Configure an autoenrollment policy for the domain. To configure autoenrollment Group Policy for a domain 1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management. 2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit. 3. (...) QUESTION 11 Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role installed. You need to perform an automated installation of an AD LDS instance. Which tool should you use? A. Dism.exe B. Servermanagercmd.exe

C. Adaminstall.exe D. Ocsetup.exe Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816774.aspx To perform an unattended install of an AD LDS instance 1. Create a new text file by using any text editor. 2. Specify the installation parameters. 3. At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD LDS setup files. 4. At the command prompt, type the following command, and then press ENTER: %systemroot%\ADAM \adaminstall.exe /answer:drive:\\.txt" QUESTION 12 Your network contains an Active Directory domain named contoso.com. A partner company has an Active Directory domain named nwtraders.com. The networks for contoso.com and nwtraders.com connect to each other by using a WAN link. You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on the Internet. What should you do first? A. B. C. D.

Modify the Trusted Root Certification Authorities store. Modify the Intermediate Certification Authorities store. Create conditional forwarders. Add a root hint to the DNS server.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 114-115 Conditional Forwarders You can configure a DNS server as a conditional forwarder. This is a DNS server that handles name resolution for specified domains only. In other words, the local DNS server will forward all the queries that it receives for names ending with a specific domain name to the conditional forwarder. This is especially useful in situations where users in your company need access to resources in another company with a separate AD DS forest and DNS zones, such as a partner company. In such a case, specify a conditional forwarder that directs such queries to the DNS server in the partner company while other queries are forwarded to the Internet. Doing so reduces the need for adding secondary zones for partner companies on your DNS servers. QUESTION 13 Your network contains an Active Directory forest. The forest contains multiple domains. You need to ensure that users in the human resources department can search for employees by using

the employeeNumber attribute. What should you do? A. B. C. D.

From From From From

Active Directory Sites and Services, modify the properties of each global catalog server. the Active Directory Schema snap-in, modify the properties of the user object class. Active Directory Sites and Services, modify the NTDS Settings objectof each global catalog server. the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx Global Catalog Replication of Additions to the Partial Attribute Set Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest." "The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE. QUESTION 14 Your network contains a single Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database. You modify the e-mail certificate template to support key archival. What should you do next? A. B. C. D.

Issue the key recovery agent certificate template. Run certutil.exe -recoverkey. Run certreq.exe-policy. Modify the location of the Authority Information Access (AIA) distribution point.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc770588.aspx Identify a Key Recovery Agent

A key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Because the role of key recovery agents can involve sensitive data, only highly trusted individuals should be assigned to this role. To identify a key recovery agent, you must configure the Key Recovery Agent certificate template to allow the person assigned to this role to enroll for a key recovery agent certificate. QUESTION 15 Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that the zone includes DNS records for computers that were removed from the network. You need to ensure that the DNS records are deleted automatically from the zone. What should you do? A. B. C. D.

From DNS Manager, set the aging properties. Create a scheduled task that runs dnslint.exe /v /d contoso.com. From DNS Manager, modify the refresh interval of the start of authority (SOA) record. Create a scheduled task that runs ipconfig.exe /flushdns.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc753217.aspx Set Aging and Scavenging Properties for the DNS Server The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server. To set aging and scavenging properties for the DNS server using the Windows interface 1. Open DNS Manager. 2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones. 3. Select the Scavenge stale resource records check box. 4. Modify other aging and scavenging properties as needed. QUESTION 16 Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller: dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C ldapport 389 allowNonAdminAccess The command fails. You need to ensure that the command completes successfully. How should you modify the command? A. Change the value of the -dbpath parameter. B. Include the path to Dsamain. C. Change the value of the -ldapport parameter.

D. Remove the CallowNonAdminAccess parameter. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 690 Use the AD DS database mounting tool to load the snapshot as an LDAP server. dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport portnumber Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS. Also note that you can use the minus (–) sign or the slash (/) for the options in the command. QUESTION 17 Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2. You need to monitor the following information on the domain controllers during the next five days: Memory usage Processor usage The number of LDAP queries What should you do? A. B. C. D.

Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. Use the System Performance Data Collector Set (DCS). Create a User Defined Data Collector Set (DCS) that uses the System Performance template. Use the Active Directory Diagnostics Data Collector Set (DCS).

Correct Answer: A Section: (none) Explanation Explanation/Reference: The System Performance Data Collector Set/System Performance template does not monitor Active Directory data (we need the number of LDAP queries). That leaves out answers B ("Use the System Performance Data Collector Set (DCS)") and C ("Create a User Defined Data Collector Set (DCS) that uses the System Performance template"). Because the Active Directory Diagnostics Data Collector Set (DCS) runs only for 5 minutes and we need to monitor for 5 days we have to use a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. For a User Defined Data Collector Set we can set the monitoring duration in seconds, minutes, hours, days or weeks. So we have to create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. Reference: http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx

AD Data Collector Sets in Win2008 and beyond The Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line. If reducing or increasing the time that a data collector set runs is required, and manually stopping the collection is not desirable, then see How to Create a User Defined Data Collection Set. QUESTION 18 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1. You need to view the most recent user accounts authenticated by RODC1. What should you do first? A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now. B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now. C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, and then connect to DC1. D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replicationpolicy.aspx#BKMK_Auth2 To view authenticated accounts using Active Directory Users and Computers 1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. 2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively. 3. Click Domain Controllers. 4. In the details pane, right-click the RODC computer account, and then click Properties. 5. Click the Password Replication Policy tab. 6. Click Advanced. 7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.

QUESTION 19 Your network contains an Active Directory domain. The domain contains 3,000 client computers. All of the client computers run Windows 7. Users log on to their client computers by using standard user accounts. You plan to deploy a new application named App1. The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run. You need to deploy App1 to all client computers. The solution must meet the following requirements: App1 must automatically detect and replace corrupt application files. App1 must be available from the Start menu on each client computer. What should you do first? A. B. C. D.

Create a logon script that calls Setup.exe for App1. Create a .zap file. Create a startup script that calls Setup.exe for App1. Repackage App1 as a Windows Installer package.

Correct Answer: D

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc739578.aspx Windows Installer features Diagnoses and repairs corrupted applications--An application can query Windows Installer to determine whether an installed application has missing or corrupted files. If any are detected, Windows Installer repairs the application by recopying only those files found to be missing or corrupted. QUESTION 20 Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1. In Site1, you install a new domain controller named DC2. You ship DC2 to Site2. You discover that certain users in Site2 authenticate to DC1. You need to ensure that the users in Site2 always attempt to authenticate to DC2 first. What should you do? A. B. C. D.

From From From From

Active Directory Users and Computers, modify the Location settings of the DC2 computer object. Active Directory Sites and Services, modify the Location attribute for Site2. Active Directory Sites and Services, move the DC2 server object. Active Directory Users and Computers, move the DC2 computer object.

Correct Answer: C Section: (none) Explanation Explanation/Reference: DC2 may be shipped to Site2, but it's not yet associated properly with Site2 in Active Directory. Reference1: http://technet.microsoft.com/en-us/library/cc816674.aspx To move a server object to a new site 1. Open Active Directory Sites and Services. 2. In the console tree, expand Sites and the site in which the server object resides. 3. Expand Servers to display the domain controllers that are currently configured for that site. 4. Right-click the server object that you want to move, and then click Move. 5. In Site Name, click the destination site, and then click OK. 6. Expand the site object to which you moved the server, and then expand the Servers container. 7. Verify that an object for the server that you moved exists. 8. Expand the server object, and verify that an NTDS Settings object exists. Reference2: http://technet.microsoft.com/en-us/library/cc754697.aspx Using sites Sites help facilitate several activities, including: (...) Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you

can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections. QUESTION 21 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in the exhibit:

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable. You need to configure Server2 as an enterprise subordinate CA. What should you do first? A. B. C. D.

Upgrade Server2 to Windows Server 2008 R2 Enterprise. Log in as an administrator and run Server Manager. Import the root CA certificate. Join Server2 to the domain.

Correct Answer: D Section: (none) Explanation Explanation/Reference: In doubt about this one, whether to go for A ("Upgrade Server2 to Windows Server 2008 R2 Enterprise"), or D

("Join Server2 to the domain"). Left it at D ("Join Server2 to the domain"), because that's undoubtedly a necessary step we have to take here. See below for my (messy) thoughts. Reference: http://social.technet.microsoft.com/Forums/nl-BE/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7cea254de5dada [Someone asked this question to Brian Komar:] buffaloyoung Okay, so on this same note, I'm looking at a practice test type question for the 70-640 exam that shows the server runnning Windows Server 2008 R2 standard, and mentions that when you set up the Enterprise Sub Certificate Authority, the Enterprise Sub CA option is not available. The mulitple choice solutions are: a. upgrade to enterprise; b. run server manager as an admin; c. import the root CA; d. Join the server to the domain. I had thought it was "A" because of the enterprise 2008 issue, but if this is changed in standard R2 ... looking at the fact that the info shows the Workgroup to be "WORKGROUP," I am inclined to answer D. Is this right? Or should it still be A? Brian: This forum is for helping people with real world PKI and security issues. It is not a study board That being said, D would be my answer. Based on some of the other things I have heard about the exam, that may not be the answer they are looking for ;-) Brian "that may not be the answer they are looking for", what does Brian mean by that? Was he deliberately trying to confuse buffaloyoung, or was he hinting at Microsoft advising to use Windows Server 2008 R2 Standard for root CA only? I'm talking about this, from the 70-640 Training Kit errata page: Page 781, 1st paragraph The book states: Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition. This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all features. Note from the Author or Editor: Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our recommendation would be to use this as a root CA only. If that would be the case, then an upgrade to Windows Server 2008 R2 Enterprise might be what Microsoft wants to hear from us, being answer A. Since the question is about an enterprise subordinate CA. QUESTION 22 Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that only members of a group named Admin1 can create certificate templates. Which tool should you use to assign permissions to Admin1?

A. B. C. D.

the Certification Authority console Active Directory Users and Computers the Certificates snap-in Active Directory Sites and Services

Correct Answer: D Section: (none) Explanation Explanation/Reference: We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups. The first reference lists what needs to be done, the second reference explains how to do it. Reference 1: http://technet.microsoft.com/en-us/library/cc725621.aspx Delegating Template Management You can delegate the ability to manage individual certificate templates or to create any certificate templates by defining appropriate permissions to global groups or universal groups that a user belongs to. There are three levels of delegation for certificate template administration: - Modify existing templates - Create new templates (by duplicating existing templates) - Full delegation (including modifying all existing templates and creating new ones) Create New Templates To delegate the ability to create certificate templates to users who are not members of the Domain Admins group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the appropriate permissions in the Configuration naming context of AD DS. To delegate the ability to duplicate and create new certificate templates, you must make the following permission assignments to a global or universal group of which the user is a member: Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not inherited by the individual certificate templates. Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot container. Reference 2: Windows Server 2008 - PKI and Certificate Security (Microsoft Press, 2008) page 298 Delegate Permissions for Creation of New Templates You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container. 1. 2. 3. 4. 5. 6. 7.

Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group. Open the Active Directory Sites And Services console. From the View menu, ensure that the Show Services Node setting is enabled. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates. In the console tree, right-click Certificate Templates, and then click Delegate Control. In the Delegation Of Control wizard, click Next. On the Users Or Groups page, click Add.

8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK. 9. On the Users Or Groups page, click Next. 10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next. 11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next. 12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next. 13. On the Completing The Delegation Of Control wizard page, click Finish. QUESTION 23 Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit:

You need to ensure that only domain members can register DNS records in the zone. What should you do first? A. B. C. D.

Modify the zone type. Create a trust anchor. Modify the Advanced properties of the DNS server. Modify the Dynamic updates setting.

Correct Answer: A Section: (none) Explanation Explanation/Reference: To ensure that only domain members are allowed to register DNS records we have to:

1. modify the zone type to Active Directory-Integrated. 2. set the Dynamic updates option to Secure only, which is only available to Active Directory-Integrated zones. Reference 1: MCTS Windows Server ® 2008 Active Directory Configuration Study Guide (Sybex, 2008) page 53 Secure only—This means that only machines with accounts in Active Directory can register with DNS. Before DNS registers any account in its database, it checks Active Directory to make sure that account is an authorized domain computer. Reference 2: http://technet.microsoft.com/en-us/library/ee649287.aspx Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for DNS dynamic updates. QUESTION 24 Your company has a single Active Directory forest with a single domain. Consultants in different departments of the company require access to different network resources. The consultants belong to a global group named TempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The file servers contain confidential data in shared folders. You need to prevent the consultants from accessing the confidential data. What should you do? A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group. B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group. C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full control permission for the TempWorkers global group on the share. D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group. E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group. Correct Answer: A Section: (none) Explanation Explanation/Reference: Same question as D/Q8. Same answer. The other options give the consultants too much or too little rights. Personal comment: Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the shared folders (implies access from the network). "Deny log on locally" makes no sense in this instance, because we are reffering to shared folder and supposedly physical access to servers should be highly restricted. And best practices recommend that you link GPOs at the domain level only for domain wide purposes. QUESTION 25 Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functional level of both forests is Windows Server 2003. Contoso.com contains one domain.

Nwtraders.com contains two domains. You need to ensure that users in contoso.com can access the resources in all domains. The solution must require the minimum number of trusts. Which type of trust should you create? A. B. C. D.

external forest realm shortcut

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc771397.aspx When to create a forest trust You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. Creating a forest trust between two root domains with a forest functional level of Windows Server 2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in each forest. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking a solution for administrative autonomy. QUESTION 26 You install an Active Directory domain in a test environment. You need to reset the passwords of all the user accounts in the domain from a domain controller. Which two Windows PowerShell commands should you run? (Each correct answer presents part of the solution, choose two.) A. B. C. D. E. F. G.

$ newPassword = * Import-Module ActiveDirectory Import-Module WebAdministration Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - Reset Set- ADAccountPassword - NewPassword - Reset $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString ) Import-Module ServerManager

Correct Answer: DF Section: (none) Explanation Explanation/Reference: First we create a variable, $newPassword, and prompt the user for the password to assign it to the variable. Next we use Get-ADUser -filter * to collect all user accounts and pipe it through to SetADAccountPassword to assign the $newPassword variable to every account's new password. Note that Set- ADAccountPossword must be a typo. Reference 1:

http://technet.microsoft.com/en-us/library/ee176935.aspx Prompting a User to Enter Information The Read-Host cmdlet enables you to interactively prompt a user for information. For example, this command prompts the user to enter his or her name, then stores that name in the variable $Name (to answer the prompt, type a name and then press ENTER): $Name = Read-Host "Please enter your name" Reference 2: http://technet.microsoft.com/en-us/library/ee617241.aspx Get-ADUser Gets one or more Active Directory users. Reference 3: http://technet.microsoft.com/en-us/library/ee617261.aspx Set-ADAccountPassword Modifies the password of an Active Directory account. Parameters NewPassword Specifies a new password value. Reset Specifies to reset the password on an account. When you use this parameter, you must set the NewPassword parameter. You do not need to specify the OldPassword parameter. QUESTION 27 Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create a forest trust between adatum.com and litwareinc.com. What should you do first? A. B. C. D.

Create an external trust. Raise the functional level of both forests. Configure SID filtering. Raise the functional level of all the domains.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc771397.aspx When to create a forest trust You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. QUESTION 28 Your network contains an Active Directory forest named adatum.com. All client computers used by the marketing department are in an organizational unit (OU) named Marketing Computers.

All user accounts for the marketing department are in an OU named Marketing Users. You purchase a new application. You need to ensure that every user in the domain who logs on to a marketing department computer can use the application. The application must only be available from the marketing department computers. What should you do? A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a shared folder on the network. Assign the application. B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a shared folder on the network. Assign the application. C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a local drive on each marketing department computer. Publish the application. D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a folder on each marketing department computer. Publish the application. Correct Answer: B Section: (none) Explanation Explanation/Reference: The software must only be available on the marketing department computers, so we must link the GPO to the Marketing Computers OU. Next we need to assign the application to the Marketing Computers OU. Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 399 Assigning Software to Computers When you assign software to computers, it is available to all authenticated users of the computer, regardless of their group membership or privileges. The software package is installed when the computer is next restarted after the package has been assigned. For example, suppose that you have a design application that should be available on all computers in the Engineering OU but not to computers elsewhere on your network. You would assign this application to computers in a Group Policy object (GPO) linked to the Engineering OU. QUESTION 29 Your network contains an Active Directory forest named adatum.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. What should you install before you create the AD RMS root cluster? A. B. C. D. E.

The Failover Cluster feature The Active Directory Certificate Services (AD CS) role Microsoft Exchange Server 2010 Microsoft SharePoint Server 2010 Microsoft SQL Server 2008

Correct Answer: E Section: (none) Explanation Explanation/Reference: Reference:

http://technet.microsoft.com/en-us/library/cc771789.aspx Before you install AD RMS Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met: (...) In addition to pre-installation requirements for AD RMS, we strongly recommend the following: Install the database server that is used to host the AD RMS databases on a separate computer. (...) QUESTION 30 Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains a domain controller named DC1. You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You are able to successfully ping server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. Which command should you run? A. B. C. D.

Dnscmd DC1.contoso.com Dnscmd DC1.contoso.com Dnscmd DC1.contoso.com Dnscmd DC1.contoso.com

/ZoneAdd GlobalNames /DsPrimary /DP /domain /config /Enableglobalnamessupport forest /config /Enableglobalnamessupport 1 /ZoneAdd GlobalNames /DsPrimary /DP /forest

Correct Answer: C Section: (none) Explanation Explanation/Reference: Support for Globalnames must be enabled, otherwise the DNS Server service does not resolve single-label names in the GlobalNames zone. Reference: http://technet.microsoft.com/en-us/library/cc772069.aspx dnscmd /config Changes values in the registry for the DNS server and individual zones. Accepts server-level settings and zonelevel settings. Parameter /enableglobalnamessupport {0|1} Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of singlelabel DNS names across a forest. 0 Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Server service does not resolve single-label names in the GlobalNames zone. 1 Enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Server service resolves single-label names in the GlobalNames zone.

QUESTION 31 Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. A user logs on to a computer in the branch office site. You discover that the user's password is not stored on RODC1. You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office site computer. What should you do? A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC Password Replication Group. B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowed users, groups, and computers. C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1. D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 416-417 Password Replication Policy Password Replication Policy (PRP) determines which users’ credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user’s credentials, authentication and service ticket activities of that user can be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller. An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer account. These attributes are commonly known as the Allowed List and the Denied List. If a user’s account is on the Allowed List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the user’s credentials will not be cached—the Denied List takes precedence. Configuring Domain-Wide Password Replication Policy To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group. QUESTION 32 You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which protocol should you allow on Server1? A. Kerberos

B. SSL C. SMB D. RPC Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 903 AD FS relies on secure HTTP communications by using SSL authentication certificates to verify the identity of both the server and the client during communications. Because of this, all communications occur through port 443 over HTTPS. QUESTION 33 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 R2 Standard. You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on version 3 certificate templates. You must achieve this goal by using the minimum amount of administrative effort. What should you do first? A. B. C. D.

Run the certutil.exe - addenrollmentserver command. Install the Active Directory Certificate Services (AD CS) role on the member server. Upgrade the member server to Windows Server 2008 R2 Enterprise. Run the certutil.exe - installdefaulttemplates command.

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc725838.aspx Certificate Template Versions Active Directory Certificate Services (AD CS) provides these versions of certificate templates that are available on enterprise certification authorities (CA). Version 3 certificate templates In addition to version 2 template features and autoenrollment, version 3 certificate templates provide support for Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information. Template availability Windows Server 2008 R2, all editions Windows Server 2008, Enterprise and Datacenter editions http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/ Q_26736075.html Windows 2008 R2 Standard or Enterprise for CA ..

With some of the new features in R2 you could technically scrape by with Standard, but you really want to do Enterprise edition for your online subordinate CA so you have access to all the features that will make things easier to manage and to ensure that you have access to potential future requirements. .. Old info: At first I changed the answer to B ("Install the Active Directory Certificate Services (AD CS) role on the member server.") and I reasoned like this: Version 3 certificates are supported on Windows Server 2008 R2 Standard, so there's no upgrade to Enterprise necessary. The first thing to do would be to install the Active Directory Certificate Services (AD CS) role. Reference 1: http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificatetemplates.aspx "Version 3 templates are supported by CAs installed on Windows Server 2008 Enterprise and Datacenter Editions. They are also supported by CAs installed on Windows Server 2008 R2 Standard, Enterprise, Datacenter, Foundation and Server Core Editions." Reference 2: http://technet.microsoft.com/en-us/library/cc772192.aspx To install a subordinate CA 1. Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services. Click Next two times. 2. (...) While this still may be true I left it at the original answer C ("Upgrade the member server to Windows Server 2008 R2 Enterprise"). Quite frankly, I'm not sure whether it's right or wrong. Hopefully someone can clear this up once and for all. Some other notes and quotes I collected: -------------------------------------------------MS Press Training Kit 70-640 - 2nd Edition page 781 "Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition." Errata: "This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all features." Note from the Author or Editor: Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our recommendation would be to use this as a root CA only. ------------------------------Reference: http://technet.microsoft.com/en-us/library/cc725838.aspx Version 3 certificate templates In addition to version 2 template features and autoenrollment, version 3 certificate templates provide support for Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.

Template availability Windows Server 2008 R2, all editions Windows Server 2008, Enterprise and Datacenter editions -------------------------http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7cea254de5dada/ I am looking for some clarifaction on deploying a Windows Server 2008 R2 Standard CA and version 2 and version 3 certificates. I currently have a Windows Server 2008 Standard CA. Server 2008 Standard can only issue certificates based on V1 certificate templates. Server 2008 R2 Standard is allowed to issue certificate based on V1, V2, and V3 certificate templates Windows Server 2008 does not equal Windows Server 2008 R2 This ability was introduced with the Windows server 2008 R2 sku you will have one of two choices: - Upgrade to Server 2008 Enterprise - Upgrade/Migrate to Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise Brian Komar, thank you for the answer! I have another question. In Training Kit (Exam 70-640) described: "Enterprice CAs can run only on Windows Server 2008 R2 Enterprise edition or Datacenter edition". Is it true? If yes, how we can issue certificate based on V3 certificate templates on Windows Server 2008 R2 Standard? The training kit is incorrect. It probably was updated from Windows Server 2008 (or Windows Server 2003) where the statement was correct Brian QUESTION 34 Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use? A. B. C. D.

Active Directory Rights Management Services Active Directory Users and Computers Local Users and Groups Services

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx AD RMS How To: Change the RMS Service Account Password The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed. It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly.

QUESTION 35 Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. What should you do? A. B. C. D.

Create a new secondary zone named ad.contoso.com on DC2. Create a new stub zone named ad.contoso.com on DC2. Configure the DNS server on DC2 to forward requests to DC1. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Three answers don't make sense, leaving us with the one that works. Create a new secondary zone named ad.contoso.com on DC2. This would create a read-only zone, so it couldn't be updated Create a new stub zone named ad.contoso.com on DC2. This stub zone would contain source information about authoritative name servers for its zone only, being DC1, but that one would be unavailable in the WAN link fails. Configure the DNS server on DC2 to forward requests to DC1. This doesn't help if the WAN link fails and DC1 is unavailable. QUESTION 36 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates. You need to archive the private key for all new EFS certificates. Which snap-in should you use? A. B. C. D. E. F.

Active Directory Users and Computers Authorization Manager Group Policy Management Enterprise PKI Security Templates TPM Management

G. Certificates H. Certification Authority I. Certificate Templates Correct Answer: I Section: (none) Explanation Explanation/Reference: Practically the same question as J/Q27. Reference: http://technet.microsoft.com/en-us/library/cc753826.aspx Configure a Certificate Template for Key Archival The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template. Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates. To configure a certificate template for key archival and recovery 1. Open the Certificate Templates snap-in. 2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template. 3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. 4. In Template, type a new template display name, and then modify any other optional properties as needed. 5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK. 6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box. 7. On the Request Handling tab, select the Archive subject's encryption private key check box. QUESTION 37 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that all of the members of a group named Group1 can view the event log entries for Certificate Services. Which snap-in should you use? A. B. C. D. E. F. G. H. I.

Certificate Templates Certification Authority Authorization Manager Active Directory Users and Computers TPM Management Security Templates Group Policy Management Enterprise PKI Certificates

Correct Answer: G Section: (none) Explanation Explanation/Reference: All credit goes to Luffy for correcting this one! Practically the same as K/Q14. We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management. Reference 1: It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here's what I did in VMWare, using a domain controller and a member server. Click along if you want! In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01. 1. 2. 3. 4. 5.

Start the Group Policy Management console on DC01. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..." I named the GPO "EventLog_TESTGROUP" Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..." Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select "Restricted Groups" 6. Right-click "Restricted Groups" and choose "Add Group..." 7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK. 8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it. It should look like this now:

9. Click OK. 10. On MEM01 open a command prompt and run gpupdate /force. 11. Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

Reference 2: http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-eventlogs-windows-2003-and-windows-2008.aspx Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008 So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below. (...) Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

QUESTION 38 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate template. Which snap-in should you use? A. B. C. D. E. F. G. H. I.

Enterprise PKI TPM Management Certificates Active Directory Users and Computers Authorization Manager Certification Authority Group Policy Management Security Templates Certificate Templates

Correct Answer: I Section: (none) Explanation Explanation/Reference: Reference: http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/962be5d1-d824-4dd8-a5013c3a9d600083 (...) the user should have proper permission on Certificate Templates. Please follow the steps below for troubleshooting: 1. Open MMC, add Certificate Templates snap-in. 2. Double-click IPSec (Offline Request), switch to Security tab, give the user Read and Enroll rights. 3. Close and restart IE on clients computer to test. QUESTION 39 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You have a custom certificate template named Template 1. Template1 is published to the CA. You need to ensure that all of the members of a group named Group1 can enroll for certificates that use Template1. Which snap-in should you use? A. B. C. D. E. F. G. H. I.

Security Templates Enterprise PKI Certification Authority Certificate Templates Certificates TPM Management Authorization Manager Group Policy Management Active Directory Users and Computers

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 593 Configuring Certificate Templates AD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the following capabilities: (...) Configuring access control lists (ACLs) on certificate templates QUESTION 40 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to approve a pending certificate request. Which snap-in should you use? A. B. C. D. E. F. G. H. I.

Active Directory Users and Computers Authorization Manager Certification Authority Group Policy Management Certificate Templates TPM Management Certificates Enterprise PKI Security Templates

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q15. Reference: http://technet.microsoft.com/de-de/library/ff849263.aspx To issue a pending certificate request: 1. Log on to your root CA by using an account that is a certificate manager. 2. Start the Certification Authority snap-in. 3. In the console tree, expand your root CA, and click Pending Certificates. 4. In the details pane, right-click the pending CA certificate, and click Issue.

Exam H QUESTION 1 Your network contains an Active Directory domain named adatum.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap-in should you add a zone? A. B. C. D. E.

Reverse Lookup Zones adatum.com Forward Lookup Zones Conditional Forwarders _msdcs.adatum.com

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same as I/Q13. Reference: Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193 A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN. QUESTION 2 Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of 192.168.200.100. You need to identify the zone that contains the Pointer (PTR) record for DC1. Which zone should you identify? A. B. C. D.

adatum.com _msdcs.adatum.com 100.168.192.in-addr.arpa 200.168.192.in-addr.arpa

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference 1: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57 Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server’s PTR (pointer) resource record. Reference 2:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 45/730 You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone? a. 5.168.192.in-addr.arpa b. 0.5.168.192.in-addr.arpa c. 192.168.5.in-addr.arpa d. 192.168.5.0.in-addr.arpa The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do not use the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified in reverse sequence, so the other two choices are both incorrect. QUESTION 3 Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which service should you restart on the domain controllers? A. B. C. D. E.

Netlogon DNS Server Network Location Awareness Network Store Interface Service Online Responder Service

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. QUESTION 4 Your network contains an Active Directory domain named adatum.com. The password policy of the domain requires that the passwords for all user accounts be changed every 50 days. You need to create several user accounts that will be used by services. The passwords for these accounts must be changed automatically every 50 days. Which tool should you use to create the accounts? A. Active Directory Administrative Center

B. C. D. E.

Active Directory Users and Computers Active Directory Module for Windows PowerShell ADSI Edit Active Directory Domains and Trusts

Correct Answer: C Section: (none) Explanation Explanation/Reference: Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed service accounts. Managed service accounts offer Automatic password management, making password management easier. Reference 1: http://technet.microsoft.com/en-us/library/dd367859.aspx What are the benefits of new service accounts? In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: (...) Unlike with regular domain accounts in which administrators must reset passwords manually, the network passwords for these accounts will be reset automatically. (...) Reference 2: http://technet.microsoft.com/en-us/library/dd391964.aspx Use the Active Directory module for Windows PowerShell to create a managed service account. Reference 3: http://technet.microsoft.com/en-us/library/dd548356.aspx To create a new managed service account 1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists. 2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon. 3. Run the following command: New-ADServiceAccount [-SAMAccountName ] [-Path ]. Reference 4: http://technet.microsoft.com/en-us/library/hh852236.aspx Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval. -ManagedPasswordIntervalInDays Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDSManagedPasswordInterval of the group managed service account object. The following example shows how to specify a 90 day password changes interval: -ManagedPasswordIntervalInDays 90 QUESTION 5 Your network contains an Active Directory domain.

The domain contains several domain controllers. You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should you use? A. B. C. D. E.

Group Policy Management Active Directory Domains and Trusts Active Directory Users and Computers Computer Management Security Configuration Wizard

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same as I/Q12. Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx Administering the Password Replication Policy This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs). To configure the PRP using Active Directory Users and Computers 1. Open Active Directory Users and Computers as a member of the Domain Admins group. 2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. 3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties. 4. Click the Password Replication Policy tab. 5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add. To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC. To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC. QUESTION 6 Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2008. From a domain controller, you need to perform an authoritative restore of an organizational unit (OU). What should you do first? A. B. C. D.

Raise the functional level of the forest Modify the tombstone lifetime of the forest. Restore the system state. Raise the functional level of the domain.

Correct Answer: C

Section: (none) Explanation Explanation/Reference: The Recycle Bin feature cannot be applied here, see the reference below. Reference: Windows Server 2008 R2 Unleashed (SAMS, 2010) pages 1292 and 1297 Active Directory Recycle Bin Recovery Let’s begin this section with a very clear statement: If you need to recover a deleted Active Directory object and the Active Directory Recycle Bin was not enabled before the object was deleted, skip this section and proceed to the “Active Directory Authoritative Restore” section. Active Directory Authoritative Restore When Active Directory has been modified and needs to be restored to a previous state, and this rollback needs to be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of Active Directory is required. An authoritative restore of Active Directory can include the entire Active Directory database, a single object, or a container, such as an organizational unit including all objects previously stored within the container. To perform an authoritative restore of Active Directory, perform the System State restore of a domain controller. QUESTION 7 Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects. You need to ensure that Attribute1 is included in the Global Catalog. What should you do? A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object. B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User objects. C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object. D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest. Correct Answer: A Section: (none) Explanation Explanation/Reference: Same question as D/Q39 Reference: http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx Global Catalog Partial Attribute Set The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

Global Catalog Replication of Additions to the Partial Attribute Set Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest. If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schema snap-in to edit the isMemberOfPartialAttributeSet value on the respective attributeSchema object. You mark the attribute by placing a checkmark next to isMemberOfPartialAttributeSet. If the isMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog. If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog. QUESTION 8 Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2. You need to remove Instance2 from Server1 without affecting Instance1. Which tool should you use? A. B. C. D.

NTDSUtil Dsdbutil Programs and Features in the Control Panel Server Manager

Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc794857.aspx Administering AD LDS Instances Each AD LDS instance runs as an independent—and separately administered—service on a computer. Reference 2: technet.microsoft.com/en-us/library/cc794886.aspx To remove an AD LDS instance 1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features. 2. Locate and click the AD LDS instance that you want to remove. 3. Click Uninstall. Note It is not necessary to restart the computer after you remove an AD LDS instance. QUESTION 9 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to compact the Active Directory database.

What should you do? A. B. C. D. E. F. G. H. I. J.

Run the Get-ADForest cmdlet. Configure subscriptions from Event Viewer. Run the eventcreate.exe command. Configure the Active Directory Diagnostics Data Collector Set (OCS). Create a Data Collector Set (DCS). Run the repadmin.exe command. Run the ntdsutil.exe command. Run the dsquery.exe command. Run the dsamain.exe command. Create custom views from Event Viewer.

Correct Answer: G Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc794920.aspx Compact the Directory Database File (Offline Defragmentation) You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location. Reference 2: Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.dit These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate. 1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator. 2. Type ntdsutil, and then press Enter. 3. Type Activate instance NTDS, and press Enter. 4. At the resulting ntdsutil prompt, type Files (case sensitive) and then press Enter. 5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter. QUESTION 10 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer. What should you do? A. Run the ntdsutil.exe command.

B. C. D. E. F. G. H. I. J.

Run the repodmin.exe command. Run the Get-ADForest cmdlet. Run the dsamain.exe command. Create custom views from Event Viewer. Run the dsquery.exe command. Configure the Active Directory Diagnostics Data Collector Set (DCS), Configure subscriptions from Event Viewer. Run the eventcreate.exe command. Create a Data Collector Set (DCS).

Correct Answer: H Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc749183.aspx Event Subscriptions Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. To learn about the steps required to configure event collecting and forwarding computers, see Configure Computers to Forward and Collect Events (http://technet.microsoft.com/ en-us/library/cc748890.aspx). QUESTION 11 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to receive a notification when more than 100 Active Directory objects are deleted per second. What should you do? A. B. C. D. E. F. G. H. I. J.

Create custom views from Event Viewer. Run the Get-ADForest cmdlet. Run the ntdsutil.exe command. Configure the Active Directory Diagnostics Data Collector Set (DCS). Create a Data Collector Set (DCS). Run the dsamain.exe command. Run the dsquery.exe command. Run the repadmin.exe command. Configure subscriptions from Event Viewer. Run the eventcreate.exe command.

Correct Answer: E

Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q22. Reference: http://technet.microsoft.com/en-us/magazine/ff458614.aspx Configure Windows Server 2008 to Notify you when Certain Events Occur You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs. To configure an alert, follow these steps: 1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set. 2. (...) 3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you’ve selected. QUESTION 12 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to create a snapshot of Active Directory. What should you do? A. B. C. D. E. F. G. H. I. J.

Run the dsquery.exe command. Run the dsamain.exe command. Create custom views from Event Viewer. Configure subscriptions from Event Viewer. Create a Data Collector Set (DCS). Configure the Active Directory Diagnostics Data Collector Set (DCS). Run the repadmin.exe command. Run the ntdsutil.exe command. Run the Get-ADForest cmdlet. Run the eventcreate.exe command.

Correct Answer: H Section: (none) Explanation Explanation/Reference: Practically the same question as E/Q29 Reference: http://technet.microsoft.com/en-us/library/cc753609.aspx To create an AD DS or AD LDS snapshot 1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group. 2. Click Start, right-click Command Prompt, and then click Run as administrator.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil 5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot 6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds 7. At the snapshot prompt, type the following command, and then press ENTER: create QUESTION 13 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You mount an Active Directory snapshot. You need to ensure that you can query the snapshot by using LDAP. What should you do? A. B. C. D. E. F. G. H. I. J.

Run the dsamain.exe command. Create custom views from Event Viewer. Run the ntdsutil.exe command. Configure subscriptions from Event Viewer. Run the Get-ADForest cmdlet. Create a Data Collector Set (DCS). Run the eventcreate.exe command. Configure the Active Directory Diagnostics Data Collector Set (DCS). Run the repadmin.exe command. Run the dsquery.exe command.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q25. Reference: http://technet.microsoft.com/en-us/library/cc753609.aspx The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. Requirements for using the Active Directory database mounting tool You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (...) Dsamain.exe, which you can use to expose the snapshot data as an LDAP server Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers

Exam I QUESTION 1 Your network contains an Active Directory forest named adatum.com. The forest contains four child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com. You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table:

What should you do? To answer, drag the appropriate group type to the correct group name in the answer area. Select and Place:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 128 Domain local groups Domain local groups are essentially the same thing as local groups in Windows NT, and are used to administer resources located only on their own domain. They can contain users and groups from any other trusted domain. Most typically, these types of groups are used to grant access to resources for groups in different domains. Global groups Global groups are on the opposite side from domain local groups. They can contain users only in the domain in which they exist but are used to grant access to resources in other trusted domains. These types of groups are best used to supply security membership to user accounts that share a similar function, such as the sales global group. Universal groups Universal groups can contain users and groups from any domain in the forest and can grant access to any resource in the forest. Along with this added power come a few caveats. First, universal groups are available only in domains with a functional level of Windows 2000 Native or later. Second, all members of each universal group are stored in the global catalog, increasing the replication load. It is important to note, however, that universal group membership replication has been noticeably streamlined and optimized in Windows Server 2008 R2 because the membership is incrementally replicated. QUESTION 2 Your network contains an Active Directory domain named adatum.com. You need to use Group Policies to deploy the line-of-business applications shown in the following table:

What should you do? To answer, drag the appropriate deployment method to the correct application in the answer area. Select and Place:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Practically the same question as L/Q10. Reference: technet.microsoft.com/en-us/library/cc783502.aspx Software installation You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension. Assigning Applications When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications.) When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package. Publishing Applications You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking an .xls file will trigger the installation of Microsoft Excel, if

it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers. QUESTION 3 Your network contains an Active Directory forest. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which service should you restart on the domain controllers? To answer, select the appropriate service in the answer area. Point and Shoot:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. QUESTION 4 Your network contains an Active Directory forest named contoso.com. The password policy of the forest requires that the passwords for all of the user accounts be changed every 30 days. You need to create user accounts that will be used by services. The passwords for these accounts must be changed automatically every 30 days. Which tool should you use to create these accounts? To answer, select the appropriate tool in the answer area. Point and Shoot:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed service accounts. Managed service accounts offer Automatic password management, making password management easier. Reference 1: http://technet.microsoft.com/en-us/library/dd367859.aspx What are the benefits of new service accounts? In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: (...) Unlike with regular domain accounts in which administrators must reset passwords manually, the network

passwords for these accounts will be reset automatically. (...) Reference 2: http://technet.microsoft.com/en-us/library/dd391964.aspx Use the Active Directory module for Windows PowerShell to create a managed service account. Reference 3: http://technet.microsoft.com/en-us/library/dd548356.aspx To create a new managed service account 1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists. 2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon. 3. Run the following command: New-ADServiceAccount [-SAMAccountName ] [-Path ]. Reference 4: http://technet.microsoft.com/en-us/library/hh852236.aspx Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval. -ManagedPasswordIntervalInDays Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDSManagedPasswordInterval of the group managed service account object. The following example shows how to specify a 90 day password changes interval: -ManagedPasswordIntervalInDays 90 QUESTION 5 Your network contains an Active Directory forest named contoso.com. All client computers run Windows 7 Enterprise. You need to automatically create a local group named PowerManagers on each client computer that contains a battery. The solution must minimize the amount of administrative effort. Which node in Group Policy Management Editor should you use? To answer, select the appropriate node in the answer area. Point and Shoot:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc732525.aspx Configure a Local Group Item Local Group preference items allow you to centrally create, delete, and rename local groups. Also, you can use these preference items to change local group memberships. Before you create a local group preference item, you should review the behavior of each type of action possible with the extension. Creating a Local Group item 1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit. 2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder. 3. Right-click the Local Users and Groups node, point to New, and select Local Group. 4. In the New Local Group Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.) 5. Enter local group settings for Group Policy to configure or remove. (For more information, see "Local group settings" in this topic.)

6. Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.) 7. Click OK. The new preference item appears in the details pane. Actions This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether a group with the same name exists. Create - Create a new local group on the local computer. If the local group exists, then do not modify it. (...) QUESTION 6 Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1. Server1 has an IP address of 192.168.200.100. You need to view the Pointer (PTR) record for Server1. Which zone should you open in the DNS snap-in to view the record? To answer, select the appropriate zone in the answer area. Point and Shoot:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Practically the same question as H/Q2. Reference 1: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57 Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server’s PTR (pointer) resource record. Reference 2: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 45/730 You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone? a. 5.168.192.in-addr.arpa b. 0.5.168.192.in-addr.arpa c. 192.168.5.in-addr.arpa d. 192.168.5.0.in-addr.arpa The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do not use the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified in reverse sequence, so the other two choices are both incorrect. QUESTION 7 Your network contains an Active Directory domain. You need to create a new site link between two sites named Site1 and Site3. The site link must support the replication of domain objects. Under which node in Active Directory Sites and Services should you create the site link? To answer, select the appropriate node in the answer area. Point and Shoot:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc794815.aspx You can use this procedure to create a site link object and add the appropriate sites to it.

To create a site link object 8. Open Active Directory Sites and Services. 9. Expand Sites, and then expand Inter-Site Transports. 10. Right-click IP, and then click New Site Link. 11. In Name, type a name for the site link. 12. In Sites not in this site link, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or hold down the CTRL key to click a second site that is not adjacent in the list. 13. After you select all the sites that you want to add to the site link, click Add, and then click OK. QUESTION 8 Your company has a main office and a branch office. All servers are located in the main office. The network contains an Active Directory forest named adatum.com. The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs Windows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connected to the network. You need to join Public_Computer to the adatum.com domain. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. QUESTION 9 Your network contains two forests named contoso.com and fabrikam.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com can only access the servers in fabrikam.com that have the Allowed to Authenticate permission set. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Still not really sure whether an external trust or forest trust is needed here. Just left it as it is. Reference: http://technet.microsoft.com/en-us/library/cc787623.aspx Selective authentication over an external trust restricts access to only those users in a trusted domain who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting domain. To explicitly give authentication permissions to computer objects in the trusting domain to certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory. QUESTION 10 Your network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder:

Correct Answer:

Section: (none) Explanation

Explanation/Reference: During the installation of the AD RMS root cluster we need to select a configuration database, so we need to install SQL Server 2008 first. Next we need to install the AD RMS root cluster, only then can we install the AD RMS licensing-only cluster. The last step is to deploy the AD RMS policy templates. Reference 1: http://technet.microsoft.com/en-us/library/cc771789.aspx Before you install AD RMS Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met: (...) In addition to pre-installation requirements for AD RMS, we strongly recommend the following: Install the database server that is used to host the AD RMS databases on a separate computer. (...) Reference 2: http://technet.microsoft.com/en-us/library/cc772087.aspx A root AD RMS cluster must already be present in the AD DS forest before you can install the licensingonly cluster. QUESTION 11 Your network contains an Active Directory forest named contoso.com. The forest contains a domain controller named DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runs Windows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7. Computer1 is not connected to the network. You need to join Computer1 to the contoso.com domain. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. Reference 2: http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step.aspx Performing an offline domain join using different physical computers To perform an offline domain join using physical computers, you can complete the following steps. The best practice in this case is to have one domain controller, one domain-joined computer to use as a provisioning server, and one client computer that you want to join to the domain. 1. On the provisioning server, open an elevated command prompt. 2. Type the following command to provision the computer account: djoin /provision /domain /machine /savefile blob.txt 3. Copy the blob.txt file to the client computer. 4. On the client computer, open an elevated command prompt, and then type the following command to request the domain join: djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos 5. Reboot the client computer. The computer will be joined to the domain. QUESTION 12 You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should you use? To answer, select the appropriate tool in the answer area. Point and Shoot:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Practically the same as H/Q5. Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx Administering the Password Replication Policy This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs). To configure the PRP using Active Directory Users and Computers 1. Open Active Directory Users and Computers as a member of the Domain Admins group. 2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct

domain. 3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties. 4. Click the Password Replication Policy tab. 5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add. To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC. To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC. QUESTION 13 Your network contains an Active Directory domain named contoso.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap-in should you add a zone? To answer, select the appropriate node in the answer area. Point and Shoot:

Correct Answer:

Section: (none) Explanation

Explanation/Reference: Practically the same as H/Q1. Reference: Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193 A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN. QUESTION 14 Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operations master roles. DC1 fails. You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations master roles to their original state. You perform a metadata cleanup and remove all references of DC1. Which three actions should you perform next? (To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.) Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference:

First we need to seize the operations master roles from DC1 to DC2. They are important and need to be in place. Next we rebuild DC1 (not DC2, we need it) and transfer the operations master roles back to DC1. QUESTION 15 A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on the C: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.) Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://www.ucertify.com/blog/windows-server-2008-tools-used-for-configuring-and-maintaining-activedirectory.html NTDSUTIL NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. Important Usage To relocate AD LDS directory partition, use the NTDSUTIL tool. Take the following steps:

Stop the LDS by using the net stop command. Move the Database file through NTDSUTIL tool. Start the directory service using the net start command. QUESTION 16 You need to perform an offline defragmentation of an Active Directory database. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.) Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc794920.aspx Compact the database file to a local directory or remote shared folder, as follows: 1. Open a Command Prompt as an administrator. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER. 6. At the ntdsutil prompt, type files, and then press ENTER. 7. If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to :\ (where :\ is the path to a location on the local computer) and then press ENTER. 8. If defragmentation completes successfully, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe.

(...) Note You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a secured network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you have at least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.dit file to preserve it. Avoid overwriting the original Ntds.dit file. 9. Manually copy the compacted database file to the original location, as follows: copy “:\ntds.dit” “:\ \ntds.dit” Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file. (...) 10. Restart AD DS. At the command prompt, type the following command, and then press ENTER: net start ntds QUESTION 17 Your company has an Active Directory forest that contains multiple domain controllers. The domain controllers run Windows Server 2008. You need to perform an an authoritative restore of a deleted organizational unit and its child objects. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them in the correct order.) Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: References: Performing Authoritative Restore of Active Directory Objects http://technet.microsoft.com/en-us/library/cc816878.aspx Restart the Domain Controller in Directory Services Restore Mode Locally http://technet.microsoft.com/en-us/library/cc816897.aspx Restore AD DS from Backup (Nonauthoritative Restore) http://technet.microsoft.com/en-us/library/cc794755.aspx Mark an Object or Objects as Authoritative http://technet.microsoft.com/en-us/library/cc816813.aspx Restart the Domain Controller in Directory Services Restore Mode Locally If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account. Restore AD DS from Backup (Nonauthoritative Restore) Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. Mark an Object or Objects as Authoritative In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers. Restart the domain controller [Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.] QUESTION 18 ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6000 objects. You have backed up the system state data using third-party backup software. To restore backup, you start the domain controller in the Directory Services Restore Mode (DSRM). You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state. Which three actions should you perform? Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: References: Performing Authoritative Restore of Active Directory Objects http://technet.microsoft.com/en-us/library/cc816878.aspx Restart the Domain Controller in Directory Services Restore Mode Locally http://technet.microsoft.com/en-us/library/cc816897.aspx Restore AD DS from Backup (Nonauthoritative Restore) http://technet.microsoft.com/en-us/library/cc794755.aspx Mark an Object or Objects as Authoritative http://technet.microsoft.com/en-us/library/cc816813.aspx Restart the Domain Controller in Directory Services Restore Mode Locally If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account. Restore AD DS from Backup (Nonauthoritative Restore) Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. Mark an Object or Objects as Authoritative In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers.

Restart the domain controller [Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.]

Exam J QUESTION 1 Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 and a domain controller named DC1. On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription is configured to collect all events. After several days, you discover that Server1 failed to collect any events from DC1, although there are more than 100 new events in the Application log of DC1. You need to ensure that Server1 collects events from DC1. What should you do? A. B. C. D.

On Server1, run wecutil quick-config. On Server1, run winrm quickconfig. On DC1, run wecutil quick-config. On DC1, run winrm quickconfig.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Since the subscription has been created, wecutil quick-config has already run on Server1. Only thing left is to configure DC1 to forward the events, using winrm quickconfig. Reference1 : Mastering Windows Server 2008 R2 (Sybex, 2010) page 773 Windows event Collector Service The first time you select the Subscriptions node of Event Viewer or the Subscription tab of any log, a dialog box will appear stating that the Windows Event Collector Service must be running and configured. It then asks whether you want to start and configure the service. If you click Yes, it starts the service and changes the startup type from Manual to Automatic (Delayed Start), causing it to start each time Windows starts. Reference 2: http://technet.microsoft.com/en-us/library/cc748890.aspx To configure computers in a domain to forward and collect events 1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges. 2. On each source computer, type the following at an elevated command prompt: winrm quickconfig QUESTION 2 A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured as shown in the following table:

The functional level of the domain is Windows Server 2008 R2.

The functional level of the forest is Windows Server 2003. Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00 A.M. every day. At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001. You need to restore the deleted user account. You must achieve this goal by using the minimum administrative effort. What should you do? A. B. C. D.

On DC006, stop AD DS, perform an authoritative restore, and then start AD DS. On DC001, run the Restore-ADObject cmdlet. On DC006, run the Restore-ADObject cmdlet. On DC001, stop AD DS, restore the system state, and then start AD DS.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as E/Q33 and K/Q28. We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See http://technet.microsoft.com/nl-nl/library/dd379481.aspx Performing an authoritative restore on DC006 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DC's. Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 "An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers." Reference 2: http://technet.microsoft.com/en-us/library/cc755296.aspx Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete. QUESTION 3 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit:

You have a Group Policy Object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort. What should you do? A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy permissions. Configure WMI filtering. Enable block inheritance. Enable loopback processing in replace mode. Configure the link order. Configure Group Policy Preferences. Link the GPO to the Human Resources OU. Configure Restricted Groups. Enable loopback processing in merge mode. Link the GPO to the Finance OU.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Same question as K/Q2, but with the exhibit. Reference: http://technet.microsoft.com/en-us/library/cc731076.aspx Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy

objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. QUESTION 4 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect. You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied. What should you do? A. B. C. D. E. F. G. H. I. J.

Configure Restricted Groups. Configure the link order. Link the GPO to the Sales OU. Link the GPO to the Engineer OU. Enable loopback processing in merge mode. Modify the Group Policy permissions. Configure WMI filtering. Configure Group Policy Permissions. Enable loopback processing in replace mode. Enable block inheritance.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Practically the same as J/Q22 and K/Q3. Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283 Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs’ link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.

figure 6-10 GPO link order The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are

enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO. To change the precedence of a GPO link: 1. Select the OU, site, or domain in the GPMC console tree. 2. Click the Linked Group Policy Objects tab in the details pane. 3. Select the GPO. 4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO. QUESTION 5 All vendors belong to a global group named vendors. You place three file servers in a new organizational unit (OU) named ConfidentialFileServers. The three file servers contain confidential data located in shared folders. You need to record any failed attempts made by the vendors to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configure the Audit object access failure audit policy setting. B. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configure the Audit privilege use Failure audit policy setting. C. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab. Configure Failed Full control setting in the AuditingEntry dialog box. D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure Failed Full control setting in the AuditingEntry dialog box. E. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configure the Deny access to this computer from the network user rights setting for the Vendors global group. Correct Answer: AC Section: (none) Explanation Explanation/Reference: Practically the same as A/Q30. Reference: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671 Auditing Resource Access Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling “Audit object access” and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows: Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts. Audit object access success enables you to see usage patterns. This shows misuse of privilege. After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers. Auditing Files and Folders The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the

property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements. Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following: 1. 2. 3. 4. 5.

In Windows Explorer, right-click the file or folder to audit and select Properties. Select the Security tab and then click the Advanced button. In the Advanced Security Settings window, select the Auditing tab and click the Edit button. Click the Add button to display the Select User or Group window. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.

QUESTION 6 A corporate network includes a single Active Directory Domain Services (AD DS) domain. The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs: HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a security group named HR Employees. All HR department computers belong to a security group named HR PCs. Company policy requires that passwords are a minimum of 6 characters. You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least 8 characters. The password length requirement should not change for employees of any other department. What should you do? A. B. C. D.

Modify the password policy in the GPO that is applied to the domain. Create a new GPO, with the necessary password policy, and link it to the HR Users OU. Create a fine-grained password policy and apply it to the security group named HR Employees. Modify the password policy in the GPO that is applied to the domain controllers OU.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Thanks to Camel73 for confirming there was an error in answer C. That's fixed now. Reference: http://technet.microsoft.com/en-us/library/cc770394.aspx What do fine-grained password policies do? You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources. Are there any special considerations? Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008.

Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply finegrained password policy to users of an OU, you can use a shadow group. QUESTION 7 A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an OU named Admins. You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited. What should you do first? A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU. B. Modify the searchFlags property for the Name attribute in the Schema. C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Admins OU. D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory. Correct Answer: D Section: (none) Explanation Explanation/Reference: Same question as J/Q37, different set of answers. Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We can do that by using auditpol.exe. Reference: http://technet.microsoft.com/en-us/library/cc731607.aspx Auditing changes to objects in AD DS In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories: Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory. The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS: When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged. (...) Steps to set up auditing This section includes procedures for each of the primary steps for enabling change auditing: Step 1: Enable audit policy. Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.

Step 1: Enable audit policy. This step includes procedures to enable change auditing with either the Windows interface or a command line: (...) By using the Auditpol command-line tool, you can enable individual subcategories. To enable the change auditing policy using a command line 1. Click Start, right-click Command Prompt, and then click Run as administrator. 2. Type the following command, and then press ENTER: auditpol /set /subcategory:"directory service changes" /success:enable QUESTION 8 Your network contains an Active Directory forest named contoso.com. You need to provide a user named User1 with the ability to create and manage subnet objects. The solution must minimize the number of permissions assigned to User1. What should you do? A. B. C. D.

From From From From

Active Directory Users and Computers, run the Delegation of Control wizard. Active Directory Administrative Centre, add User1 to the Schema Admins group. Active Directory Sites and Services, run the Delegation of Control wizard. Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Adding the user to the Schema Admins group, or to the Network Configuration Operators group would give User1 too much rights. Since we have to delegate an administrative task concerning subnets, we have to run the Delegation of Control wizard from Active Directory Sites and Services. Reference below is for Windows Server 2003 R2, but is still valid for 2008 R2. Reference: http://technet.microsoft.com/en-us/library/cc736770.aspx Delegate control of a site To delegate control of a site 1. Open Active Directory Sites and Services. 2. Right-click the container whose control you want to delegate, and then click Delegate Control to start the Delegation of Control Wizard. 3. Follow the instructions in the Delegation of Control Wizard. Notes (...) In Active Directory Sites and Services, you can delegate control for the subnets, intersite transports, sites, and server containers. QUESTION 9 A corporate network contains a Windows Server 2008 R2 Active Directory forest. You need to add a User Principal Name (UPN) suffix to the forest. What tool should you use? A. Dsmgmt.

B. Active Directory Domains and Trusts console. C. Active Directory Users and Computers console. D. Active Directory Sites and Services console. Correct Answer: B Section: (none) Explanation Explanation/Reference: Practically the same as F/Q17 Reference: http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/ Demonstration adding a UPN Suffix To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest. QUESTION 10 Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. DC3 fails. You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 and the domain controllers in Site1. On DC4, you run repadmin.exe /kcc. Replication between the sites continues to fail. You need to ensure that Active Directory data replicates between the sites. What should you do? A. B. C. D.

From From From From

Active Directory Sites and Services, configure the NTDS Site Settings of Site2. Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead server. Active Directory Users and Computers, configure the NTDS settings of DC4. Active Directory Users and Computers, configure the location settings of DC4.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Same question as D/Q37. By modifying the properties of DC3 we can remove the preferred bridgehead status of DC3. Reference 1: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them.

In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. Reference 2: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012) pages 589, 590 Preferred Bridgehead Servers (...) It’s important to understand that if you have specified one or more bridgehead servers and none of the bridgeheads is available, no other server is automatically selected, and replication does not occur for the site even if there are servers that could act as bridgehead servers. QUESTION 11 Your network contains an Active Directory domain named contoso.com. All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 Service Pack 1 (SP1). The functional level of the domain is Windows Server 2003. You need to configure SYSVOL to use DFS Replication. Which tools should you use? (Each correct answer presents part of the solution. Choose two.) A. B. C. D. E. F. G.

Dfsrmig Frsdiag Ntdsutil Set-ADForest Repadmin Set-ADDomainMode DFS Management

Correct Answer: AF Section: (none) Explanation Explanation/Reference: First we need to upgrade the domain functional level, using Set-ADDomainMode. Then, now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded (to Windows Server 2008 (R2)), we can migrate to DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. We can use Dfsrmig for that migration. Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 543 In versions of Windows Server prior to Windows Server 2008, the FRS was used to replicate the contents of SYSVOL between domain controllers. FRS has limitations in both capacity and performance that cause it to break occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 and Windows Server 2008 R2 domains, you have the option to use DFS-R to replicate the contents

of SYSVOL. Reference 2: http://technet.microsoft.com/en-us/library/ee617230.aspx Set-ADDomainMode The Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by setting the DomainMode parameter. The domain mode can be set to the following values that are listed in order of functionality from lowest to highest. Windows2000Domain Windows2003InterimDomain Windows2003Domain Windows2008Domain Windows2008R2Domain Reference 3: http://technet.microsoft.com/en-us/library/dd639809.aspx Migrating to the Prepared State The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication). This migration phase includes the tasks in the following list. (...) Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state. QUESTION 12 You manage an Active Directory forest named contoso.com. The forest contains an empty root domain named contoso.com and a child domain named child.contoso.com. All domain controllers run Windows Server 2008. The functional level of the forest is Windows Server 2008. You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve this goal by using the minimum amount of administrative effort. What should you do? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference: To upgrade the forest level to Windows Server 2008 R2 we need to upgrade the servers first. And before we upgrade the servers we need to prepare the domain and forest using adprep. Reference 1: http://technet.microsoft.com/en-us/library/cc771949.aspx Caution Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier. Reference 2: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 96 The Adprep Utility Microsoft provides the Adprep utility to prepare a down-level Active Directory domain for receiving Windows Server 2008 and Windows Server 2008 R2 domain controllers. Found in the \sources\adprep folder of the installation DVD-ROM, this tool prepares the forest and domain by extending the Active Directory schema and

updating several required permissions. Running the Adprep /forestprep Command You must run the Adprep /forestprep command on the schema master of the forest first. It extends the schema to receive the new Windows Server 2008 enhancements, including the addition of directory descriptors for certain objects including granular password policies. You have to run this command and let its changes replicate throughout the forest before you run the Adprep /domainprep command. Reference 3: Not really relevant, but some info on why using an empty root domain is no longer preferable: http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comicsedition.aspx#adempty QUESTION 13 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You attempt to run adprep /domainprep and the operation fails. You discover that the first domain controller deployed to the forest failed. You need to run adprep /domainprep successfully. What should you do? A. B. C. D. E. F. G. H. I. J.

Move the domain naming master role. Install a read-only domain controller (RODC). Move the PDC emulator role. Move the RID master role. Move the infrastructure master role. Deploy an additional global catalog server. Move the bridgehead server. Move the schema master role. Restart the Active Directory Domain Services (AD DS) service. Move the global catalog server.

Correct Answer: E Section: (none) Explanation Explanation/Reference: Adprep /domainprep must be run on the server holding the Infrastructure Master role. The role was originally installed on the first domain controller in the forest. Now it's down and another domain controller must get the Infrastructure Master role. Reference 1: http://technet.microsoft.com/en-us/library/cc754889.aspx Planning Operations Master Role Placement Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and PDC emulator) are assigned to the first domain controller created in a domain. Reference 2: http://technet.microsoft.com/en-us/library/dd464018.aspx adprep /domainprep

Must be run on the infrastructure operations master for the domain. QUESTION 14 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You discover the following event in the Event log of client computers: "The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in %1 minutes." You need to ensure that the client computers can synchronize their clocks properly. What should you do? A. B. C. D. E. F. G. H. I. J.

Move the domain naming master role. Restart Active Directory Domain Services (AD DS) service. Move the PDC emulator role. Move the infrastructure master role. Move the global catalog server. Move the RID master role. Move the bridgehead server. Move the schema master role. Deploy an additional global catalog server. Install a read-only domain controller (RODC).

Correct Answer: C Section: (none) Explanation Explanation/Reference: It could be that the server holding the PDC Emulator role has failed. Whatever the cause, we need to move the PDC Emulator role to another domain controller to restore time synchronization in the domain. Reference 1: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating +System&ProdVer=5.2&EvtID=14&EvtSrc=w32time&LCID=1033 Event ID 14 Message The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in %1 minutes. Explanation Windows Time Service is configured to use the domain hierarchy to locate its time source. It could not locate a domain controller that is a suitable time source. The time service will continue to search for an acceptable domain controller. If the time service cannot locate a time source after the maximum number of attempts, the Win32Time 49 message will be logged. Reference 2: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 531 PDC Emulator Role The PDC Emulator role performs multiple, crucial functions for a domain: (...)

Provides a master time source for the domain - Active Directory, Kerberos, File Replication Service (FRS) and Distributed File System Replication (DFS-R) each rely on timestamps, so synchronizing the time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Win32Time service, ensures consistency of time. Coordinated Universal Time (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer. QUESTION 15 Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1. You discover that RODC1 does not have any application directory partitions. You need to ensure that RODC1 has a directory partition of contoso.com. What should you do? A. B. C. D.

From DNS Manager, create secondary zones. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter. From DNS Manager, right-click RODC1 and click Update Server Data Files. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc742490.aspx RODC Post-Installation Configuration If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions. To enlist a DNS server in a DNS application directory partition 1. Open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: dnscmd /EnlistDirectoryPartition For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command: dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com QUESTION 16 Your network contains an Active Directory forest named contoso.com. You need to identify whether a fine-grained password policy is applied to a specific group.

Which tool should you use? A. B. C. D.

Credential Manager Group Policy Management Editor Active Directory Users and Computers Active Directory Sites and Services

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q7, different set of answers. Use Active Directory Users and Computers to determine the value of the msDS-PSOApplied attribute of the specific group: 1. 2. 3. 4. 5.

Open the Properties windows for the group in Active Directory Users and Computers Click the Attribute Editor tab, and then click Filter Ensure that the Show attributes/Optional check box is selected. Ensure that the Show read-only attributes/Backlinks check box is selected. Locate the value of msDS-PSOApplied in the Attributes list.

Reference: http://technet.microsoft.com/en-us/library/cc754544.aspx Defining the scope of fine-grained password policies A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO: (...) A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDSPSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it. As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msDS-PSOApplied attribute of the user and group objects has a back-link to the PSO. QUESTION 17 Your network contains an Active Directory domain named contoso.com. You need to create one password policy for administrators and another password policy for all other users. Which tool should you use? A. B. C. D.

Group Policy Management Editor Group Policy Management Console (GPMC) Authorization Manager Ldifde

Correct Answer: D Section: (none) Explanation Explanation/Reference: Same question as K/Q6, different set of answers. Reference:

http://technet.microsoft.com/en-US/library/cc754461.aspx Creating a PSO using ldifde You can use the ldifde command as a scriptable alternative for creating PSOs. To create a PSO using ldifde 1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf: dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com changetype: add objectClass: msDS-PasswordSettings msDS-MaximumPasswordAge:-1728000000000 msDS-MinimumPasswordAge:-864000000000 msDS-MinimumPasswordLength:8 msDS-PasswordHistoryLength:24 msDS-PasswordComplexityEnabled:TRUE msDS-PasswordReversibleEncryptionEnabled:FALSE msDS-LockoutObservationWindow:-18000000000 msDS-LockoutDuration:-18000000000 msDS-LockoutThreshold:0 msDS-PasswordSettingsPrecedence:20 msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com 2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK. 3. Type the following command, and then press ENTER: ldifde –i –f pso.ldf QUESTION 18 Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains one domain. A two-way forest trust exists between the forests. You plan to add users from fabrikam.com to groups in contoso.com. You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com. To which group should you add the users? A. B. C. D. E. F.

Group 1: Security Group - Domain Local. Group 2: Distribution Group - Domain Local. Group 3: Security Group - Global. Group 4: Distribution Group - Global. Group 5: Security Group - Universal. Group 6: Distribution Group - Univeral.

Correct Answer: C Section: (none) Explanation Explanation/Reference: This one is a bit tricky. According to Microsoft's advice we should put Users Accounts into a Global Group, then add the Global Group to a Universal Group, and then add the Universal Group to a Domain Local group which is used to assigned permissions to. Microsoft calls this AGUDLP. See the reference below. So, the users need to be put in a Global Group (answer C ("Group 3: Security Group - Global")), but it's the Universal Group that travels across the forest trust (answer E ("Group 5: Security Group - Universal")). Another way of looking at the question might be that they're asking what kind of group actually is assigned

access to the shared folders. That would be a Domain Local security group, being answer A ("Group 1: Security Group - Domain Local"). Because of Microsoft's advice I choose answer C ("Group 3: Security Group - Global"). But it could just as well be A or E. Again, it's tricky one. Reference: http://technet.microsoft.com/en-us/library/cc772808.aspx Best practices for using security groups across forests By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other forests. Consider the following best practices: To represent the sets of users who need access to the same types of resources, create role-based global groups in every domain and forest that contains these users. For example, users in the Sales Department in ForestA require access to an order-entry application that is a resource in ForestB. Account Department users in ForestA require access to the same application, but these users are in a different domain. In ForestA, create the global group SalesOrder and add users in the Sales Department to the group. Create the global group AccountsOrder and add users in the Accounting Department to that group. To group the users from one forest who require similar access to the same resources in a different forest, create universal groups that correspond to the global group roles. For example, in ForestA, create a universal group called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group. To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called OrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions. To implement access to a resource across a forest, add universal groups from trusted forests to the domain local groups in the trusting forests. For example, add the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB. QUESTION 19 Your network contains an Active Directory domain. The domain contains 5,000 user accounts. You need to disable all of the user accounts that have a description of Temp. You must achieve this goal by using the minimum amount of administrative effort. Which tools should you use? (Each correct answer presents part of the solution. Choose two.) A. B. C. D. E. F.

Find Dsget Dsmod Dsadd Net accounts Dsquery

Correct Answer: CF Section: (none) Explanation Explanation/Reference: Here we can use Dsquery to find the accounts that have "Temp" as their description and pipe it through to Dsmod to disable them. Should look like this: dsquery user domainroot -desc "Temp" | dsmod user -disabled yes

Reference 1: http://technet.microsoft.com/en-us/library/cc725702.aspx Dsquery user Finds users in the directory who match the search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *. Syntax dsmod user Parameters domainroot Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node (). If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot. -desc Specifies the descriptions of the user objects you want to modify. Remarks The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as Dsget, Dsmod, Dsmove, or Dsrm. Reference 2: http://technet.microsoft.com/en-us/library/cc732954.aspx Dsmod user Modifies attributes of one or more existing users in the directory. Syntax dsmod user Parameter -disabled {yes | no} Specifies whether AD DS disables user accounts for logon. The available values are yes and no. Yes indicates that AD DS disables user accounts for logon and no indicates that AD DS does not disable user accounts for logon. QUESTION 20 Your network contains an Active Directory domain. The domain contains two file servers. The file servers are configured as shown in the following table:

You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1. You configure the advanced audit policy. You discover that the settings are not applied to Server1. The settings are applied to Server2. You need to ensure that access to the file shares on Server1 is audited. What should you do?

A. B. C. D. E.

From Active Directory Users and Computers, modify the permissions of the computer account for Server1. From GPO1, configure the Security Options. From Active Directory Users and Computers, add Server1 to the Event Log Readers group. On Server1, run seceditexe and specify the /configure parameter. On Server1, run auditpol.exe and specify the /set parameter.

Correct Answer: E Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/ff182311.aspx What are the differences in auditing functionality between versions of Windows? Basic audit policy settings are available in all versions of Windows since Windows 2000 and can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts. In Windows 7 and Windows Server 2008 R2, advanced audit policy settings can be configured and applied by using local and domain Group Policy settings. Reference 2: http://technet.microsoft.com/en-us/library/cc755264.aspx Auditpol set Sets the per-user audit policy, system audit policy, or auditing options. QUESTION 21 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU contains over 200 user accounts. The Sales OU and the Engineering OU contain several user accounts that are members of a universal group named Group1. You have a Group Policy object (GPO) linked to the domain. You need to prevent the GPO from being applied to the members of Group1 only. What should you do? A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy permissions. Configure Restricted Groups. Configure WMI filtering. Configure the link order. Enable loopback processing in merge mode. Link the GPO to the Sales OU. Configure Group Policy Preferences. Link the GPO to the Engineering OU. Enable block inheritance. Enable loopback processing in replace mode.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Practically the same question as K/Q50. Best way to handle this is how graimer from Norway desribed it in http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2012-0704.by.Andyfx.401q.vce.file.html "GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the security filter and add groups containing everyone except group1 members(messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(since deny will alwys win over allow)." The reference below explains a situation where the GPO only needs to be applied to one group, it's the other way around so to speak. Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286 Using Security Filtering to Modify GPO Scope By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO. Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify. Filtering a GPO to Apply to Specific Groups To apply a GPO to a specific security group, perform the following steps: 4. Select the GPO in the Group Policy Objects container in the console tree. 5. In the Security Filtering section, select the Authenticated Users group and click Remove. 6. Click OK to confirm the change. 7. Click Add. 8. Select the group to which you want the policy to apply and click OK. QUESTION 22 Your network contains an Active Directory domain. You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Finance organizational unit (OU) and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect. You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied. What should you do? A. B. C. D.

Configure the link order. Configure Restricted Groups. Enable block inheritance. Link the GPO to the Finance OU.

E. F. G. H. I. J.

Enable Ioopback processing in merge mode. Enable Ioopback processing in replace mode. Link the GPO to the Human Resources OU. Configure Group Policy Preferences. Configure WMI filtering. Modify the Group Policy permissions.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same as J/Q4 and K/Q3. Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283 Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs’ link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.

figure 6-10 GPO link order The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO. To change the precedence of a GPO link: 1. Select the OU, site, or domain in the GPMC console tree. 2. Click the Linked Group Policy Objects tab in the details pane. 3. Select the GPO. 4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO. QUESTION 23 You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS server for contoso.com. You install the DNS server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do?

A. B. C. D.

On DC1, modify the permissions of contoso.com zone. On Server1, add a conditional forwarder. Add the Server1 computer account to the DNsUpdateProxy group. On DC1, modify the zone transfer settings for the contoso.com zone.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Practically the same question as B/Q1 and K/Q45. Reference: http://technet.microsoft.com/en-us/library/cc771652.aspx Modify Zone Transfer Settings You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer. To modify zone transfer settings using the Windows interface 1. Open DNS Manager. 2. Right-click a DNS zone, and then click Properties. 3. On the Zone Transfers tab, do one of the following: To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box. 4. If you allowed zone transfers, do one of the following: To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. QUESTION 24 A corporate network includes an Active Directory-integrated zone. AIl DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use? A. B. C. D.

Active Directory Sites And Services console Ntdsutil Dnslint Nslookup

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as F/Q28, G/Q8, K/Q8, K/Q31, different set of answers sometimes.

Reference: http://technet.microsoft.com/en-us/library/cc794809.aspx Forcing Replication When you need updates to be replicated sooner than the intersite replication schedule allows, or when replication between sites is impossible because of configuration errors, you can force replication to and from domain controllers. Forcing replication of all directory updates over a connection If you want to replicate certain updates, such as a significant addition of new passwords or user accounts, to another domain controller in the domain, you can use the Replicate now option in the Active Directory Sites and Services snap-in to force replication of all directory partitions over a connection object that represents inbound replication from a specific domain controller. A connection object for a server object that represents a domain controller identifies the replication partner from which the domain controller receives replication. If the changes are made on one domain controller, you can select the connection from that domain controller and force replication to its replication partner. You can also use the Repadmin.exe command-line tool to replication changes from a server to one or more other servers or to all servers. QUESTION 25 Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host the Active Directory-integrated zone for contoso.com. From DNS Manager on DC1, you enable scavenging for the contoso.com zone. You discover stale DNS records in the zone. You need to ensure that the stale DNS records are deleted from contoso.com. What should you do? A. B. C. D.

From DNS Manager, enable scavenging on DC1. From DNS Manager, reload the zone. Run dnscmd.exe and specify the ageallrecords parameter. Run dnscmd.exe and specify the startscavenging parameter.

Correct Answer: A Section: (none) Explanation Explanation/Reference: According to Technet the answer should be A ("From DNS Manager, enable scavenging on DC1"). Scavenging has been enabled for the zone, but it also needs te be enabled on the server. Reference: http://technet.microsoft.com/en-us/library/cc771677.aspx Prerequisites for aging and scavenging Before you can use the aging and scavenging features of DNS, several conditions must be met: Scavenging and aging must be enabled, both at the DNS server and on the zone. (...) QUESTION 26 Your network contains an Active Directory forest. The forest contains one domain named contoso.com.

You discover the following event in the Event log of domain controllers: " The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 " " You need to ensure that the domain controllers can acquire new account-identifier pools successfully. What should you do? A. B. C. D. E. F. G. H. I. J.

Move the domain naming master role. Move the global catalog server. Restart the Active Directory Domain Services (AD DS) service. Deploy an additional global catalog server. Move the infrastructure master role. Move the PDC emulator role. Install a read-only domain controller (RODC). Move the RID master role. Move the bridgehead server. Move the schema master role.

Correct Answer: H Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q5. This error can occur when the server holding the RID master role is not available to provide a new RID pool. Moving the RID master role to another domain controller will resolve this. Reference: http://technet.microsoft.com/en-us/library/cc756699.aspx Event ID 16651 — RID Pool Request Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted. Event Details Message The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 " Resolve Check connectivity to the RID master, and check its replication status A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master. Ensure that the RID master is online and replicating to other domain controllers.

QUESTION 27 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprise certification authority (CA). You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates. All users plan to encrypt files by using EFS. You need to ensure that the private keys for all new EFS certificates are archived. Which snap-in should you use? A. B. C. D. E. F. G. H. I.

Share and Storage Management Security Configuration wizard Enterprise PKI Active Directory Administrative Center Certification Authority Group Policy Management Certificate Templates Authorization Manager Certificates

Correct Answer: G Section: (none) Explanation Explanation/Reference: Practically the same question as G/Q36. Reference: http://technet.microsoft.com/en-us/library/cc753826.aspx Configure a Certificate Template for Key Archival The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template. Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates. To configure a certificate template for key archival and recovery 1. Open the Certificate Templates snap-in. 2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template. 3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. 4. In Template, type a new template display name, and then modify any other optional properties as needed. 5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK. 6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box. 7. On the Request Handling tab, select the Archive subject's encryption private key check box.

QUESTION 28 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprise certification authority (CA). You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA. You need to ensure that all of the members of a group named Sales can enroll for certificates that use Sales_Temp. Which snap-in should you use? A. B. C. D. E. F. G. H. I.

Enterprise PKI Certification Authority Share and storage Management Certificate Templates Security Configuration Wizard Authorization Manager Group Policy Management Certificates Active Directory Administrative Center

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc770794.aspx Deploying Certificate Templates After creating a new certificate template, the next step is to deploy the certificate template so that a certification authority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to one or more CAs, defining which security principals have Enroll permissions for the certificate template, and deciding whether to configure autoenrollment for the certificate template. To define permissions to allow a specific security principal to enroll for certificates based on a certificate template 1. Open the Certificate Templates snap-in (Certtmpl.msc). 2. In the details pane, right-click the certificate template you want to change, and then click Properties. 3. On the Security tab, ensure that Authenticated users is assigned Read permissions. This ensures that all authenticated users on the network can see the certificate templates. 4. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and then click OK. 5. On the Security tab, select the newly added security group, and then assign Allow for the Read and Enroll permissions. 6. Click OK. Permission Design Use the following recommendations for permissions assignments: Assign permissions only to global groups or to universal groups. It is not recommended to assign permissions to domain local groups. Domain local groups are only recognized in the domain where they exist, and assigning permissions to them can result in inconsistent application of permissions. You should not assign permissions directly to an individual user or computer account.

(...) QUESTION 29 Your network contains an Active Directory forest named adatum.com. All domain controllers currently run Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows Server 2003. You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What should you do first? A. B. C. D.

Deploy a writable domain controller that runs Windows Server 2008 R2. Raise the functional level of the forest to Windows Server 2008. Run adprep.exe. Raise the functional level of the domain to Windows Server 2003.

Correct Answer: C Section: (none) Explanation Explanation/Reference: An RODC requires a writable domain controller running Windows Server 2008 or Windows Server 2008 R2. So, whether you install the writable domain controller first or the Windows Server 2008 R2 server (your future RODC), you have to run adprep.exe first to prepare the domain/forest for either domain controller. Reference: http://technet.microsoft.com/en-us/library/cc731243.aspx Prerequisites for Deploying an RODC Complete the following prerequisites before you deploy a read-only domain controller (RODC): Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher. Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2. QUESTION 30 Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. What should you do? A. B. C. D.

Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain. Add a trusted user domain to the AD RMS cluster in the contoso.com domain. Create an external trust from nwtraders.com to contoso.com. Create an external trust from contoso.com to nwtraders.corn.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Same question as F/Q44. Reference: http://technet.microsoft.com/en-us/library/hh311036.aspx Using AD RMS trust It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. QUESTION 31 Your company plans to open a new branch office. The new office will have a Iow-speed connection to the Internet. You plan to deploy a read-only domain controller (RODC) in the branch office. You need to create an offline copy of the Active Directory database that can be used to install Active Directory on the new RODC. Which commands should you run from Ntdsutil? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Build List and Reorder:

Correct Answer:

Section: (none) Explanation Explanation/Reference:

Same question as L/Q9, same answers. Reference: http://technet.microsoft.com/en-us/library/cc770654.aspx Installing AD DS from Media You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently. To create installation media 1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: ntdsutil 3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds 4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm 5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic) and then press ENTER. For example, to create RODC installation media, type the following command, and then press ENTER: create rodc C:\InstallationMedia Where C:\InstallationMedia is the path to the folder where you want the installation media to be created. You can save the installation media to a network shared folder or to any other type of removable media. QUESTION 32 Your network contains an Active Directory forest. All users have a value set for the Department attribute. From Active Directory Users and computers, you search a domain for all users who have a Department attribute value of Marketing. The search returns 50 users. From Active Directory Users and Computers, you search the entire directory for all users who have a Department attribute value of Marketing. The search does not return any users. You need to ensure that a search of the entire directory for users in the marketing department returns all of the users who have the Marketing Department attribute. What should you do? A. B. C. D.

Install the Windows Search Service role service on a global catalog server. From the Active Directory Schema snap-in, modify the properties of the Department attribute. Install the Indexing Service role service on a global catalog server. From the Active Directory Schema snap-in, modify the properties of the user class.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Same question as K/Q4. Reference: http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx Global Catalog Partial Attribute Set The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to

the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE. QUESTION 33 A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DS infrastructure is shown in the following graphic:

When the Montreal site domain controller is offline, authentication requests for Montreal branch office users are sent to the Toronto site domain controller. You need to ensure that when the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Quebec City site domain controller. What should you do? A. B. C. D.

Create a site link bridge between the Montreal site and the Quebec City site. Enable the global catalog role on the Montreal site domain controller. Modify the Default Domain Policy Group Policy Object. Delete the Toronto-Montreal Site Link

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc772592.aspx Enable Clients to Locate a Domain Controller in the Next Closest Site You can modify the Default Domain Policy to enable Windows Vista and Windows Server 2008 clients in the domain to locate domain controllers in the next closest site if no domain controller in their own site or the closest site is available. To enable clients to locate a domain controller in the next closest site 1. Click Start, click Administrative Tools, and then click Group Policy Management. 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 3. Double-click Forest:forest_name, double-click Domains, and then double-click domain_name. 4. Right-click Default Domain Policy, and then click Edit. 5. In Group Policy Management Editor, in the console tree, go to Computer Configuration/Policies/ Administrative Templates/System/Netlogon/DC Locator DNS Records. 6. In the details pane, double-click Try Next Closest Site, click Enabled, and then click OK. Reference 2: http://technet.microsoft.com/en-us/library/cc733142.aspx Enabling Clients to Locate the Next Closest Domain Controller If you have a domain controller that runs Windows Server 2008 or Windows Server 2008 R2, you can make it possible for client computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 to locate domain controllers more efficiently by enabling the Try Next Closest Site Group Policy setting. This setting improves the Domain Controller Locator (DC Locator) by helping to streamline network traffic, especially in large enterprises that have many branch offices and sites. By default, the Try Next Closest Site setting is not enabled. When the setting is not enabled, DC Locator uses the following algorithm to locate a domain controller: Try to find a domain controller in the same site. If no domain controller is available in the same site, try to find any domain controller in the domain. If you enable the Try Next Closest Site setting, DC Locator uses the following algorithm to locate a domain controller: Try to find a domain controller in the same site. If no domain controller is available in the same site, try to find a domain controller in the next closest site. A site is closer if it has a lower site-link cost than another site with a higher site-link cost. If no domain controller is available in the next closest site, try to find any domain controller in the domain. QUESTION 34 A corporate environment includes two Active Directory Domain Services (AD DS) forests, as shown in the following table:

You need to ensure that users in the contoso.com domain can access resources in the eng.fabrikam.com domain. What should you do? A. Enable selective authentication. B. Enable forest-wide authentication.

C. Create an external trust between contoso.com and eng.fabrikam.com. D. Enable domain-wide authentication. Correct Answer: C Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816837.aspx Creating External Trusts You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources that are located in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (AD DS) forest that is not joined by a forest trust. QUESTION 35 Your network contains an Active Directory domain. You need to activate the Active Directory Recycle Bin in the domain. Which tool should you use? A. B. C. D.

Dsamain Set-ADDomain Add-WindowsFeature Ldp

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx Enabling Active Directory Recycle Bin After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods: Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.) Ldp.exe QUESTION 36 Your network contains an Active Directory domain named contoso.com. You need to create a script that runs the Best Practices Analyzer (BPA) each week for all of the server roles that BPA supports on each domain controller. You must achieve this goal by using the minimum amount of administrative effort. Which tools should you use? (Each correct answer presents part of the solution. Choose three.) A. B. C. D.

Get-Troubleshooting Pack / Invoke-Troubleshooting Pack. Import-Module Best Practices. Get-BPA Model / Invoke-BPA Model. Import-Module Troubleshooting Pack.

E. Get- BPA Result. Correct Answer: BCE Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/dd759206.aspx To scan all roles by using Windows PowerShell cmdlets 1. Open a Windows PowerShell session with elevated user rights. 2. Import the Server Manager module into your Windows PowerShell session. To import the Server Manager module, type the following, and then press ENTER. Import-Module ServerManager 3. Import the BPA module. Type the following, and then press Enter. Import-Module BestPractices 4. Pipe all roles for which BPA scans can be performed into the Invoke-BPAModel cmdlet to start scans. Get-BPAModel | Invoke-BPAModel Reference 2: http://technet.microsoft.com/en-us/library/ee617286.aspx Get-BpaResult The Get-BPAResult cmdlet allows you to retrieve and view the results of the most recent Best Practices Analyzer (BPA) scan for a specific model. QUESTION 37 A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an OU named Admins. You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited. What should you do first? A. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy Object. B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU. C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object. D. Modify the searchFlags property for the User class in the schema. Correct Answer: A Section: (none) Explanation Explanation/Reference: Same question as J/Q7, different set of answers. To audit changes made to objects in AD DS we have to use Directory Service Changes auditing, which indicates the old and new values of the changed properties of the objects that were changed. Directory Service Changes auditing is a subcategory of Audit directory service access, and is not enabled by default. To use it we have to enable it first, and we can do that specifically for Directory Service Changes by using

auditpol.exe, or we can use Group Policy Management to enable Audit directory service access, which enables all subcategories, including Directory Service Changes. You do this by modifying the Default Domain Controllers Policy. Reference: http://technet.microsoft.com/en-us/library/cc731607.aspx In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories: Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication This step includes procedures to enable change auditing with either the Windows interface or a command line: By using Group Policy Management, you can turn on the global audit policy, Audit directory service access, which enables all the subcategories for AD DS auditing. To enable the global audit policy using the Windows interface 1. Click Start, point to Administrative Tools, and then Group Policy Management. 2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit. 3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy. 4. In the details pane, right-click Audit directory service access, and then click Properties. 5. Select the Define these policy settings check box. 6. Under Audit these attempts, select the Success, check box, and then click OK.

Exam K QUESTION 1 Your network contains an Active Directory domain named contoso.com. The Administrator deletes an OU named OU1 accidentally. You need to restore OU1. Which cmdlet should you use? A. B. C. D.

Get-ADObject cmdlet. Get-ADOrganizationalUnit cmdlet. Get-ADUser cmdlet. Get-ADGroup cmdlet.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/dd379509.aspx Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject Active Directory module for Windows PowerShell cmdlets. The recommended approach is to use the GetADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the RestoreADObject cmdlet. QUESTION 2 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit:

You have a Group Policy Object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort. What should you do? A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy Permission. Configure WMI filtering. Enable block inheritance. Enable loopback processing in replace mode. Configure the link order. Configure Group Policy Preferences. Link the GPO to the Human Resources OU. Configure Restricted Groups. Enable loopback processing in merge mode. Link the GPO to the Finance OU.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Thanks to Wesley for pointing out the exhibit was missing! Same question as J/Q3, slightly different answers. Reference: http://technet.microsoft.com/en-us/library/cc731076.aspx Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. QUESTION 3 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect. You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied. What should you do? A. B. C. D.

Configure Restricted Groups. Configure the link order. Link the GPO to the Sales OU. Link the GPO to the Engineering OU.

E. F. G. H. I. J.

Enable loopback processing in merge mode. Modify the Group Policy permissions. Configure WMI Filtering. Configure Group Policy Preferences. Enable loopback processing in replace mode. Enable block inheritance.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Practically the same as J/Q4 and J/Q22. Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283 Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs’ link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.

figure 6-10 GPO link order The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO. To change the precedence of a GPO link: 1. Select the OU, site, or domain in the GPMC console tree. 2. Click the Linked Group Policy Objects tab in the details pane. 3. Select the GPO. 4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO. QUESTION 4 Your network contains an Active Directory forest. All users have a value set for the Department attribute. From Active Directory Users and Computers, you search a domain for all users who have a Department attribute value of Marketing. The search returns 50 users. From Active Directory Users and Computers, you search the entire directory for all users who have a Department attribute value of Marketing. The search does not return any users. You need to ensure that a search of the entire directory for users in the marketing department returns all of the users who have the Marketing Department attribute.

What should you do? A. B. C. D.

Install the Windows Search Service role service on a global catalog server. From the Active Directory Schema snap-in modify the properties of the Department attribute. Install the Indexing Service role service on a global catalog server. From the Active Directory Schema snap-in modify the properties of the user class.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Same question as J/Q32. Reference: http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx Global Catalog Partial Attribute Set The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE. QUESTION 5 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 "" You need to ensure that the domain controllers can acquire new account-identifier pools successfully. What should you do? A. B. C. D. E. F. G. H. I. J.

Move the PDC emulator role. Move the schema master role. Move the global catalog server. Move the domain naming master role. Move the infrastructure master role. Move the RID master role. Restart the Active Directory Domain Services (AD DS) service. Deploy an additional global catalog server. Move the bridgehead server. Install a read-only domain controller (RODC).

Correct Answer: F Section: (none) Explanation Explanation/Reference: Practically the same question as J/Q26.

This error can occur when the server holding the RID master role is not available to provide a new RID pool. Moving the RID master role to another domain controller will resolve this. Reference: http://technet.microsoft.com/en-us/library/cc756699.aspx Event ID 16651 — RID Pool Request Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted. Event Details Message The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 " Resolve Check connectivity to the RID master, and check its replication status A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master. Ensure that the RID master is online and replicating to other domain controllers. QUESTION 6 Your network contains an Active Directory domain named contoso.com. You need to create one password policy for administrators and another password policy for all other users. Which tool should you use? A. B. C. D.

Ntdsutil Active Directory Users and Computers ADSI Edit Group Policy Management Console (GPMC)

Correct Answer: C Section: (none) Explanation Explanation/Reference: Same question as J/Q17, different set of answers. Reference: http://technet.microsoft.com/en-US/library/cc754461.aspx Creating a PSO using ADSI Edit Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and

attributes. To create a PSO using ADSI Edit 1. Click Start, click Run, type adsiedit.msc, and then click OK. 2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to. 3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK. 4. Double-click the domain. 5. Double-click DC=. 6. Double-click CN=System. 7. Click CN=Password Settings Container. All the PSO objects that have been created in the selected domain appear. 8. Right-click CN=Password Settings Container, click New, and then click Object. 9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next. 10. In Value, type the name of the new PSO, and then click Next. 11. Continue with the wizard, and enter appropriate values for all mustHave attributes. QUESTION 7 Your network contains an Active Directory forest named contoso.com. You need to identify whether a fine-grained password policy is applied to a specific group. Which tool should you use? A. B. C. D.

Active Directory Sites and Services Authorization Manager Local Security Policy ADSI Edit

Correct Answer: D Section: (none) Explanation Explanation/Reference: Practically the same question as J/Q16, different set of answers. Use ADSI Edit to determine the value of the msDS-PSOApplied attribute of the specific group: 1. 2. 3. 4. 5.

Open the Properties windows for the group in ADSI Edit On the Attribute Editor tab click Filter Ensure that the Show attributes/Optional check box is selected. Ensure that the Show read-only attributes/Backlinks check box is selected. Locate the value of msDS-PSOApplied in the Attributes list.

Reference: http://technet.microsoft.com/en-us/library/cc754544.aspx Defining the scope of fine-grained password policies A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO: (...) A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDSPSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it. As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msDS-PSOApplied attribute of the user and group objects has a back-link to the PSO. QUESTION 8 A corporate network includes an Active Directory-integrated zone.

All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use? A. B. C. D.

Repadmin Active Directory Domains and Trusts console Ldp Ntdsutil

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as F/Q28, G/Q8, J/Q24, K/Q31 , different set of answers sometimes. To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Reference: http://technet.microsoft.com/en-us/library/cc811569.aspx Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall [] [] Parameters Specifies the host name of the domain controller to synchronize with all replication partners. Specifies the distinguished name of the directory partition. Performs specific actions during the replication. QUESTION 9 Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. The forest contains two sites named Seattle and Denver. Both sites contain users, client computers, and domain controllers from both domains. The Seattle site contains the first domain controller deployed to the forest. The Seattle site also contains the primary domain controller (PDC) emulator for both domains. All of the domain controllers are configured as DNS servers. All DNS zones are replicated to all of the domain controllers in the forest. The users in the Denver site report that is takes a long time to log on to their client computer when they use their user principal name (UPN).

The users in the Seattle site do not experience the same issue. You need to reduce the amount of time it takes for the Denver users to log on to their client computer by using their UPN. What should you do? A. B. C. D. E. F.

Reduce the cost of the site link between the Denver site and the Seattle site. Enable the global catalog on a domain controller in the Denver site. Enable universal group membership caching in the Denver site. Move a PDC emulator to the Denver site. Reduce the replication interval of the site link between the Denver site and the Seattle site. Add an additional domain controller to the Denver site.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Quite similar to K/Q39. Reference: http://technet.microsoft.com/en-us/library/cc728188.aspx Common Global Catalog Scenarios The following events require a global catalog server: (...) User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication: 1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name. 2. (...) QUESTION 10 Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains a single domain. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Contoso.com contains a group named Group1. Fabrikam.com contains a server named Server1. You need to ensure that users in Group1 can access resources on Server1. What should you modify? A. B. C. D.

the permissions of the Group1 group the UPN suffixes of the contoso.com forest the UPN suffixes of the fabrikam.com forest the permissions of the Server1 computer account

Correct Answer: A Section: (none) Explanation Explanation/Reference:

Group1 must get the 'Allowed To Authenticate' permission on Server1, so I'd go for A, as given. Answer D may sound tempting, but it speaks of permissions of the Server1 computer account. Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 643, 644 After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain. 1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu. 2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions. 3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission. QUESTION 11 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. Users in the Sates OU frequently log on to client computers in the Engineering OU. You need to meet the following requirements: All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the Engineering OU must be applied to sales users when they log on to client computers in the Engineering OU. Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log on to client computers in the Sales OU. Policy settings in the GPOs linked to the Sales OU must not be applied to users in the Engineering OU. What should you do? A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy permissions. Enable block inheritance. Configure the link order. Enable loopback processing in merge mode. Enable loopback processing in replace mode. Configure WMI filtering. Configure Restricted Groups. Configure Group Policy Preferences. Link the GPO to the Sales OU. Link the GPO to the Engineering OU.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Very similar question to L/Q6. We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO's that are linked to the Sales OU and the Engineering OU to be applied.

Reference 1: http://technet.microsoft.com/en-us/library/cc782810.aspx Loopback processing with merge or replace Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory. Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings. Loopback with Replace—In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user. Loopback with Merge—In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict. Reference 2: http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html For a clear and easy explanation of Loopback Processing. Recommended! Reference 3: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028 Loopback Processing When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The same goes for domain policy application for computers. There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer objects. To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the computerlinked policies last. QUESTION 12 You have an Active Directory domain named contoso.com. You need to view the account lockout threshold and duration for the domain. Which tool should you use? A. B. C. D.

Computer Management Net Config Active Directory Users and Computers Gpresult

Correct Answer: C Section: (none)

Explanation Explanation/Reference: Same question as K/Q44. Hard to find references for this one. I checked the steps below on a virtual lab. You can see the required settings when you: 1. Open Active Directory Users and Computers 2. Go to View in the menubar and make sure "Advanced Features"is checked. 3. Right click on the domain and choose Properties 4. On the Attribute Editor tab click on Filter 5. Ensure that the Show attributes/Optional check box is selected. 6. In the Attributes list locate lockoutThreshold and lockoutDuration. Played with the settings in the Group Policy Management Editor and the settings were reflected in the steps above every time. QUESTION 13 Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com. The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role installed. You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone transfers are encrypted. What should you do? A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rules and outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone on DC2 and select DC1 as the master. B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=com naming context. C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso, DC=com naming context. Create a secondary zone on DC1 and select DC2 as the master. D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a secondary zone on DC2 and select DC1 as the master. Correct Answer: B Section: (none) Explanation Explanation/Reference: This one looks a bit like question A/Q15, in which we had two domain controllers, one having a primary zone, and the second with the secondary zone. We needed to ensure that the replication of the zone was encrypted. The solution was to use an Active Directory-integrated zone, and it makes sense to apply that here too. IPsec could be a valid option too, but is not listed. DNSSEC is used to sign DNS responses between servers and clients, not to encrypt zone transfers. Reference 1: http://technet.microsoft.com/en-us/library/cc781101.aspx Securing DNS Zone Replication

Using Active Directory Replication Replicating zones as part of Active Directory replication provides the following security benefits: Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted automatically. (...) Reference 2: http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. Reference 3: http://www.efficientip.com/dnssec It is important to note that DNSSEC does not supply a solution for data confidentiality but only a validation of DNS data authenticity and integrity. All information exchanged is not encrypted; it is only the signature which is encrypted. Reference 4: http://technet.microsoft.com/en-us/library/ee649277.aspx Zone transfers Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned zone. All of the resource records, including DNSSEC resource records, are transferred from the primary server to the secondary servers with no additional setup requirements. Reference 5: http://technet.microsoft.com/en-us/library/jj200221.aspx Overview of DNSSEC Domain Name System Security Extensions (DNSSEC) is a suite of extensions that adds security to the DNS protocol by providing the ability for DNS servers to validate DNS responses. With DNSSEC, resource records are accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to a DNS zone using a process called zone signing. When a resolver issues a DNS query for resource record in a signed zone, a digital signature is returned with the response so that validation can be performed. If validation is successful, this proves that the data has not been modified or tampered with in any way. QUESTION 14 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2. The network contains an enterprise certification authority (CA). You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services. Which snap-in should you use? A. B. C. D.

Active Directory Administrative Center Authorization Manager Certificate Templates Certificates

E. F. G. H. I.

Certification Authority Enterprise PKI Group Policy Management Security Configuration Wizard Share and Storage Management

Correct Answer: G Section: (none) Explanation Explanation/Reference: All credit goes to Luffy for correcting this one! Practically the same as G/Q37. We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management. Reference 1: It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here's what I did in VMWare, using a domain controller and a member server. Click along if you want! In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01. 1. 2. 3. 4. 5.

Start the Group Policy Management console on DC01. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..." I named the GPO "EventLog_TESTGROUP" Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..." Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select "Restricted Groups" 6. Right-click "Restricted Groups" and choose "Add Group..." 7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK. 8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it. It should look like this now:

9. Click OK. 10. On MEM01 open a command prompt and run gpupdate /force. 11. Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

Reference 2: http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-eventlogs-windows-2003-and-windows-2008.aspx Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008 So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below. (...) Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

QUESTION 15 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprise certification authority (CA). You need to approve a pending certificate request. Which snap-in should you use? A. B. C. D. E. F. G. H. I.

Active Directory Administrative Center Authorization Manager Certificate Templates Certificates Certification Authority Enterprise PKI Group Policy Management Security Configuration Wizard Share and Storage Management

Correct Answer: E Section: (none) Explanation Explanation/Reference: Practically the same question as G/Q40. Reference 1: http://technet.microsoft.com/de-de/library/ff849263.aspx To issue a pending certificate request: 1. Log on to your root CA by using an account that is a certificate manager. 2. Start the Certification Authority snap-in. 3. In the console tree, expand your root CA, and click Pending Certificates. 4. In the details pane, right-click the pending CA certificate, and click Issue. QUESTION 16 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You have a Group Policy object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Sales OU. You must achieve this goal by using the minimum amount of administrative effort. What should you do? A. B. C. D. E. F. G.

Modify the Group Policy permissions. Enable block inheritance. Configure the link order. Enable loopback processing in merge mode. Enable loopback processing in replace mode. Configure WMI filtering. Configure Restricted Groups.

H. Configure Group Policy Preferences. I. Link the GPO to the Sales OU. J. Link the GPO to the Engineering OU. Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc731076.aspx Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. QUESTION 17 A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You plan to create an Active Directory-integrated zone. You need to ensure that the new zone is replicated to only four of the domain controllers. What should you do first? A. B. C. D.

Use the ntdsutil tool to modify the DS behavior for the domain. Use the ntdsutil tool to add a naming context. Create a new delegation in the ForestDnsZones application directory partition. Use the dnscmd tool with the /zoneadd parameter.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Practically the same question as A/Q50 and D/Q25, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.

Reference 1: http://technet.microsoft.com/en-us/library/cc725739.aspx Store Data in an AD DS Application Partition You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the

application directory partition. Reference 2: http://technet.microsoft.com/en-us/library/cc730970.aspx partition management Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). This is a subcommand of Ntdsutil and Dsmgmt. Examples To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps: 1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, rightclick Command Prompt, and then click Run as administrator. 2. Type: ntdsutil 3. Type: Ac in ntds 4. Type: partition management 5. Type: connections 6. Type: Connect to server DC_Name 7. Type: quit 8. Type: list The following partitions will be listed: 0 CN=Configuration,DC=Contoso,DC=com 1 DC=Contoso,DC=com 2 CN=Schema,CN=Configuration,DC=Contoso,DC=com 3 DC=DomainDnsZones,DC=Contoso,DC=com 4 DC=ForestDnsZones,DC=Contoso,DC=com 9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com 10. Run the list command again to refresh the list of partitions. QUESTION 18 Your network contains an Active Directory forest named fabrikam.com. The forest contains the following domains: Fabrikam.com Eu.fabrikam.com Na.fabrikam.com Eu.contoso.com Na.contoso.com You need to configure the forest to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of contoso.com when they create user accounts from Active Directory Users and Computers. Which tool should you use? A. B. C. D.

Active Directory Sites and Services Set-ADDomain Set-ADForest Active Directory Administrative Center

Correct Answer: C Section: (none)

Explanation Explanation/Reference: Quite similar to K/Q41. We would use the following command to achieve this: Set-ADForest -UPNSuffixes @{Add="contoso.com"} Reference 1: http://technet.microsoft.com/en-us/library/dd391925.aspx Creating a UPN Suffix for a Forest This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest. Example The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest: Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"} Reference 2 http://technet.microsoft.com/en-us/library/ee617221.aspx Set-ADForest Modifies an Active Directory forest. Parameter UPNSuffixes Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear UPN suffix values. Syntax: To add values: -UPNSuffixes @{Add=value1,value2,...} QUESTION 19 A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS sites. The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers. You need to determine which domain controller holds the Inter-Site Topology Generator role for the Toronto site. What should you do? A. B. C. D.

Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site. Use the Ntdsutil tool with the roles parameter. Use the Ntdsutil tool with the LDAP policies parameter. Use the Active Directory Sites and Services console to view the properties of each domain controller in the Toronto site.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc794776.aspx Determine the ISTG Role Owner for a Site The Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generating the intersite topology. If you want to regenerate the intersite topology, you must determine the identity of the ISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and determine the ISTG role owner for the site. To determine the ISTG role owner for a site 1. Open Active Directory Sites and Services. 2. In the console tree, click the site object whose ISTG role owner you want to determine. 3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator. QUESTION 20 Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1. You need to identify which user accounts can have their password cached on RODC1. Which tool should you use? A. B. C. D.

Repadmin Dcdiag Get-ADDomainControllerPasswordReplicationPolicyUsage Adtest

Correct Answer: A Section: (none) Explanation Explanation/Reference: "The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list." So, this revealed list has a list of accounts whose passwords are cached on RODC's. But we don't need the accounts that are cached on RODC1, but the ones that can be cached on RODC1. Those are in the allowed list, and we can get it using repadmin. Reference: http://technet.microsoft.com/en-us/library/cc835090.aspx Repadmin /prp Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). Syntax repadmin /prp view {|} Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user. Parameters

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain. Specifies all the security principals that are in the list that you want to view. The valid list names are as follows: auth2: The list of security principals that the RODC has authenticated. reveal: The list of security principals for which the RODC has cached passwords. allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only. deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list. QUESTION 21 A network contains an Active Directory forest. The forest contains three domains and two sites. You remove the global catalog from a domain controller named DC2. DC2 is located in Site1. You need to reduce the size of the Active Directory database on DC2. The solution must minimize the impact on all users in Site1. What should you do first? A. B. C. D.

On DC2, start the Protected Storage service. On DC2, stop the Active Directory Domain Services service. Start DC2 in Safe Mode. Start DC2 in Directory Services Restore Mode.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816811.aspx Returning Unused Disk Space from the Active Directory Database to the File System During ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours, by default), free disk space is automatically defragmented online to optimize its use within the database file. The unused disk space is maintained for the database; it is not returned to the file system. Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, when you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased as a result of the amount of free disk space, use offline defragmentation to reduce the size of the Ntds.dit file. On domain controllers that are running Windows Server 2008, offline defragmentation does not require restarting the domain controller in Directory Services Restore Mode (DSRM), as is required on domain controllers that are running versions of Windows Server 2000 and Windows Server 2003. You can use a new feature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the AD DS service. When the service is stopped, services that depend on AD DS shut down automatically. However, any other services that are running on the domain controller, such as Dynamic Host Configuration Protocol (DHCP), continue to run and respond to clients.

QUESTION 22 Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise. You need to receive a notification when more than 50 Active Directory objects are deleted per second. What should you do? A. B. C. D. E. F. G. H. I. J.

Run the Get-ADDomain cmdlet. Run the dsget.exe command. Run the ntdsutil.exe command. Run the ocsetup.exe command. Run the dsamain.exe command. Run the eventcreate.exe command. Create a Data Collector Set (DCS). Create custom views from Event Viewer. Configure subscriptions from Event Viewer. Import the Active Directory module for Windows PowerShell.

Correct Answer: G Section: (none) Explanation Explanation/Reference: Practically the same question as H/Q11. Reference: http://technet.microsoft.com/en-us/magazine/ff458614.aspx Configure Windows Server 2008 to Notify you when Certain Events Occur You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs. To configure an alert, follow these steps: 1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set. 2. (...) 3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you’ve selected. QUESTION 23 You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment. You increase the template key length to 2,048 bits. You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template. Which console should you use?

A. B. C. D.

Group Policy Management MMC Snap-In Certificates MMC Snap-In on the Certificate Authority Certificate Templates MMC Snap-In Certification Authority MMC Snap-In

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as F/Q13. Reference: http://technet.microsoft.com/en-us/library/cc771246.aspx Re-Enroll All Certificate Holders This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration. To re-enroll all certificate holders 1. Open the Certificate Templates snap-in. 2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders. QUESTION 24 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You attempt to create a new child domain and you receive the following error message: "An LDAP read of operational attributes failed." You need to ensure that you can add a new child domain to the forest. What should you do? A. B. C. D. E. F. G. H. I. J.

Move the PDC emulator role. Move the RID master role. Move the infrastructure master role. Move the schema master role. Move the domain naming master role. Move the global catalog server. Move the bridgehead server. Install a read-only domain controller (RODC). Deploy an additional global catalog server. Restart the Active Directory Domain Services (AD DS) service.

Correct Answer: E Section: (none) Explanation Explanation/Reference:

This message appears when the domain naming master is unavailable. It needs to be moved to another domain controller to resolve this. Reference: http://technet.microsoft.com/en-us/library/bb727058.aspx Troubleshooting Active Directory Installation Wizard Problems Symptom or Error An LDAP read of operational attributes failed. Root Cause The domain naming master for the forest is offline or cannot be contacted. Solution Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide. QUESTION 25 Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2008 R2. You mount an Active Directory snapshot. You need to ensure that you can connect to the snapshot by using LDAP. What should you do? A. B. C. D. E. F. G. H. I. J.

Run the Get-ADDomain cmdlet. Run the dsget.exe command. Run the ntdsutil.exe command. Run the ocsetup.exe command. Run the dsamain.exe command. Run the eventcreate.exe command, Create a Data Collector Set (DCS). Create custom views from Event Viewer. Configure subscriptions from Event Viewer. Import the Active Directory module for Windows PowerShell.

Correct Answer: E Section: (none) Explanation Explanation/Reference: Practically the same question as H/Q13. Reference: http://technet.microsoft.com/en-us/library/cc753609.aspx The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. Requirements for using the Active Directory database mounting tool You do not need any additional software to use the Active Directory database mounting tool. All the tools that

are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (...) Dsamain.exe, which you can use to expose the snapshot data as an LDAP server Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers QUESTION 26 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group. The users must be removed from the group when they log off of the client computers. What should you do? A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy permissions. Enable block inheritance. Configure the link order. Enable loopback processing in merge mode. Enable loopback processing in replace mode. Configure WMI filtering. Configure Restricted Groups. Configure Group Policy Preferences. Link the Group Policy object (GPO) to the Sales OU. Link the Group Policy object (GPO) to the Engineering OU.

Correct Answer: H Section: (none) Explanation Explanation/Reference: Practically the same question as L/Q8. Reference: http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/ http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/ QUESTION 27 Your network contains an Active Directory forest named contoso.com. The forest contains two member servers named Server1 and Server2. Server1 and Server2 have the DNS Server server role installed. Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server for contoso.com. You experience issues with the copy of the zone on Server2. You verify that both copies of the zone have the same serial number. You need to transfer a complete copy of the zone from Server1 to Server2. What should you do on Server2? A. B. C. D.

From From From From

DNS Manager, right-click contoso.com and click Transfer from Master. Services, right-click DNS Server and click Refresh. Services, right-click DNS Server and click Restart. DNS Manager, right-click contoso.com and click Reload.

E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master. Correct Answer: E Section: (none) Explanation Explanation/Reference: Must be a typo in E, because it's actually Transfer new copy of zone from Master. Restarting the DNS service does initiate a zone transfer request, but because the serial/version numbers are the same no zone transfer will take place. Only if the Master had a higher number would there be a zone transfer. Reference: MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 212 Manually Updating a Secondary Zone By right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to perform the following secondary zone update operations: Reload - This operation reloads the secondary zone from the local storage. Transfer From Master - The server hosting the local secondary zone determines whether the serial number in the secondary zone’s SOA resource record has expired and then pulls a zone transfer from the master server. Transfer New Copy Of Zone From Master - This operation performs a zone transfer from the secondary zone’s master server regardless of the serial number in the secondary zone’s SOA resource record. QUESTION 28 Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while he is logged on to DC1. You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort. What should you do? A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services. B. On DC3, run the Restore-ADObject cmdlet. C. On DC1, run the Restore-ADObject cmdlet. D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory Domain Services. Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as E/Q33 and J/Q2. We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you

can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See http://technet.microsoft.com/nl-nl/library/dd379481.aspx Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DC's. Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 "An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers." Reference 2: http://technet.microsoft.com/en-us/library/cc755296.aspx Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete. QUESTION 29 You create a standard primary zone for contoso.com. You need to specify a user named Admin1 as the person responsible for managing the zone. What should you do? (Each correct answer presents a complete solution. Choose two.) A. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "hostmaster.contoso.com" to "admin1.contoso.com". B. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com. Specify admin1.contoso.com as the responsible person. C. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "[email protected]" to "[email protected]". D. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com. Specify [email protected] as the responsible person. Correct Answer: AB Section: (none) Explanation Explanation/Reference: You can use Notepad to edit the dns file, but the email address of the person responsible for this zone must be listed with a ".", instead of a "@". That's why C is wrong here. Reference 1: http://technet.microsoft.com/en-us/library/cc816941.aspx To modify the start of authority (SOA) resource record for a zone using the Windows interface 1. Open DNS Manager. 2. In the console tree, right-click the applicable zone, and then click Properties. 3. Click the Start of Authority (SOA) tab. 4. As needed, modify properties for the start of authority (SOA) resource record. 5. Click OK to save the modified properties. Reference 2: http://technet.microsoft.com/en-us/library/dd197495.aspx

The SOA resource record contains the following information: SOA resource record fields Responsible person The e-mail address of the person responsible for administering the zone. A period (.) is used instead of an at sign (@) in this e-mail name. (...) QUESTION 30 Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1. You discover that RODC1 does not have any DNS application directory partitions. You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com. What should you do? (Each correct answer presents a complete solution. Choose two.) A. B. C. D. E.

From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions. Run ntdsutil.exe. From the Partition Management context, run the create nc command. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DE Section: (none) Explanation Explanation/Reference: Practically the same question as J/Q15, different set of answers. Reference: http://technet.microsoft.com/en-us/library/cc742490.aspx RODC Post-Installation Configuration If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions. To enlist a DNS server in a DNS application directory partition 1. Open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: dnscmd /EnlistDirectoryPartition For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command: dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com You might encounter the following error when you run this command:

Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated: 1. 2. 3. 4.

ntdsutil partition management connections Connect to a writeable domain controller (not an RODC): connect to server .Child.contoso.com 5. quit 6. To enlist this server in the replication scope for this zone, run the following command: add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com .Child.contoso.com QUESTION 31 A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use? A. B. C. D.

Ntdsutil Dnscmd Repadmin Nslookup

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as F/Q28, G/Q8, J/Q24, K/Q8, different set of answers sometimes. To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Reference: http://technet.microsoft.com/en-us/library/cc811569.aspx Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall [] [] Parameters Specifies the host name of the domain controller to synchronize with all replication partners. Specifies the distinguished name of the directory partition.

Performs specific actions during the replication. QUESTION 32 Your network contains three servers named ADFS1, ADFS2 and ADFS3 that run Windows Server 2008 R2. ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed. You plan to deploy AD FS 2.0 on ADFS2 and ADFS3. You need to export the token-signing certificate from ADFS1, and then import the certificate to ADFS2 and ADFS3. Which format should you use to export the certificate? A. B. C. D.

Personal Information Exchange PKCS #12 (.pfx) DER encoded binary X.509 (.cer) Cryptographic Message Syntax Standard PKCS #7 (.p7b) Base-64 encoded X.S09 (.cer)

Correct Answer: A Section: (none) Explanation Explanation/Reference: Many thanks to 'confused' from Algeria and Luffy for noting this question needed a correction and for their help! Practically the same question as E/Q12. Reference 1: http://technet.microsoft.com/en-us/library/ff678038.aspx Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x. [The site provides also a link for instructions on how to export the token-signing certificate. That link point to the site mentioned in reference 2.] Reference 2: http://technet.microsoft.com/en-us/library/cc784075.aspx Export the private key portion of a token-signing certificate To export the private key of a token-signing certificate 1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services. 2. Right-click Federation Service, and then click Properties. 3. On the General tab, click View. 4. In the Certificate dialog box, click the Details tab. 5. On the Details tab, click Copy to File. 6. On the Welcome to the Certificate Export Wizard page, click Next. 7. On the Export Private Key page, select Yes, export the private key, and then click Next. 8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX) and then click Next. 9. (...) QUESTION 33 You create a user account template for the marketing department. When you copy the user account template, you discover that the Web page attribute is not copied.

You need to preserve the Web page attribute when you copy the user account template. What should you do? A. From Active Directory Administrative Center, modify the value of the wWWHomePage attribute for the user account template. B. From the Active Directory Schema snap-in, modify the properties of the user class. C. From Active Directory Users and Computers, modify the value of the wWWHomePage attribute for the user account template. D. From ADSI Edit, modify the properties of the wWWHomePage attribute. Correct Answer: B Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc771231.aspx You can modify which default attributes are carried over to a newly copied user or specify additional attributes that will be copied to the new user. To do this, open the Active Directory Schema snap-in, view the desired attribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You can modify or add only the attributes that are instances of the user class. QUESTION 34 Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2. The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings. On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration settings by using a local GPO. You need to identify what will be audited on DC1. Which tool should you use? A. B. C. D.

Get-ADObject Secedit Security Configuration and Analysis Auditpol

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference 1: http://technet.microsoft.com/en-us/library/cc772576.aspx Auditpol get Retrieves the system policy, per-user policy, auditing options, and audit security descriptor object. Reference 2: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 670

You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and subcategories, use the following command: auditpol /get /category:* QUESTION 35 A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table. Which tool should you use? A. B. C. D.

Dsmod Csvde Ldifde Dsrm

Correct Answer: B Section: (none) Explanation Explanation/Reference: We can achieve this by using csvde: CSVDE -f onlyusers.csv -r "objectCategory=person" -l "CN," The exported CSV file can be viewed in Excel. Reference: http://technet.microsoft.com/en-us/library/cc732101.aspx Csvde Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard. Syntax Csvde [-i] [-f ] [-r ] [-l ] (...) Parameters -i Specifies import mode. If not specified, the default mode is export. -f Identifies the import or export file name. -r Creates an LDAP search filter for data export. -l Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes. QUESTION 36 Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. All domain controllers run Windows Server 2008. All forest-wide operations master roles are in child.contoso.com.

An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 Service Pack 1 (SP1) installation media. You plan to run adprep.exe /domainprep in each domain. You need to ensure that you have the required user rights to run the command successfully in each domain. Of which groups should you be a member? (Each correct answer presents part of the solution. Choose two.) A. B. C. D. E. F.

Administrators in child.contoso.com Enterprise Admins in contoso.com Domain Admins in child.contoso.com Domain Admins in contoso.com Administrators in contoso.com Schema Admins in contoso.com

Correct Answer: CD Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/de-de/library/cc731728.aspx adprep /domainprep Prepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run this command after the forestprep command finishes and after the changes replicate to all the domain controllers in the forest. Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008. You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain Admins group to run this command. QUESTION 37 Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1). The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory partition. You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,dc=corn. Which tool should you use? A. B. C. D.

Active Directory Sites and Services Dsmod Dcpromo Dsmgmt

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc732887.aspx Dcpromo Installs and removes Active Directory Domain Services (AD DS). Parameter ApplicationPartitionsToReplicate:"" Specifies the application directory partitions that dcpromo will replicate. Use the following format: "partition1" "partition2" "partitionN" Use * to replicate all application directory partitions. QUESTION 38 A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services (AD DS) domain. You need to enable Universal Group Membership Caching on several domain controllers in the domain. Which tool should you use? A. B. C. D.

Dsmod Dscmd Ntdsutil Active Directory Sites and Services console

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816928.aspx Enable Universal Group Membership Caching in a Site In a branch site that has no global catalog server and in a forest that has multiple domains, you can use this procedure to enable Universal Group Membership Caching on a domain controller in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user logon. To enable Universal Group Membership Caching in a site 1. Open Active Directory Sites and Services. 2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching. 3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. 4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching. 5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK. QUESTION 39 Your network contains an Active Directory forest. The forest contains three domains. All domain controllers have the DNS Server server role installed. The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client computers, and domain controllers of each domain. Site1 contains the first domain controller deployed to the forest. The sites connect to each other by using unreliable WAN links.

The users in Site2 and Site3 report that it takes a long time to log on to their client computer when they use their user principal name (UPN). The users in Site1 do not experience the same issue. You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to their client computer by using their UPN. What should you do? A. B. C. D. E. F.

Configure a global catalog server in Site2 and a global catalog server in Site3. Reduce the replication interval of the site links. Move a primary domain controller (PDC) emulator to Site2 and to Site3. Add additional domain controllers to Site2 and to Site3. Reduce the cost of the site links. Enable universal group membership caching in Site2 and in Site3.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Quite similar to K/Q9. Reference: http://technet.microsoft.com/en-us/library/cc728188.aspx Common Global Catalog Scenarios The following events require a global catalog server: (...) User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication: 1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name. 2. (...) QUESTION 40 You have a client computer named Computer1 that runs Windows 7. On Computer1, you configure a source-initiated subscription. You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1. The subscription is configured to use the HTTP protocol. You discover that events from the Security log of DC1 are not collected on Computer1. Events from the Application log of DC1 and the System log of DC1 are collected on Computer1. You need to ensure that events from the Security log of DC1 are collected on Computer1. What should you do? A. B. C. D.

Add the computer account of Computer1 to the Event Log Readers group on the domain controller. Add the Network Service security principal to the Event Log Readers group on the domain. Configure the subscription to use custom Event Delivery Optimization settings. Configure the subscription to use the HTTPS protocol.

Correct Answer: B Section: (none)

Explanation Explanation/Reference: Reference 1: http://blogs.technet.com/b/askds/archive/2011/08/29/the-security-log-haystack-event-forwarding-and-you.aspx Preparing Windows Server 2008 and Windows Server 2008 R2 You have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account to the Built-in Event Log Readers group. Reference 2: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/8434ffb3-1621-4bc5-831166d88b215886/ How to collect security logs using event forwarding? For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it. 1. Click start->run, type CompMgmt.msc to open Computer Management Console. 2. Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties. 3. Click Add, then click Location button, select your computer and click OK. 4. Click Object Types button, check the checkbox of Build-in security principals and click OK. 5. Add “Network Service”build-in account to Event Log Readers group. 6. Reboot the client computer. After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector. QUESTION 41 Your network contains an Active Directory forest named contoso.com. The forest contains six domains. You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers. Which tool should you use? A. B. C. D.

Active Directory Administrative Center Set-ADDomain Active Directory Sites and Services Set-ADForest

Correct Answer: D Section: (none) Explanation Explanation/Reference: Quite similar to K/Q18. We would use the following command to achieve this: Set-ADForest -UPNSuffixes @{Add="contoso.com"} Reference 1: http://technet.microsoft.com/en-us/library/dd391925.aspx Creating a UPN Suffix for a Forest

This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest. Example The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest: Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"} Reference 2 http://technet.microsoft.com/en-us/library/ee617221.aspx Set-ADForest Modifies an Active Directory forest. Parameter UPNSuffixes Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear UPN suffix values. Syntax: To add values: -UPNSuffixes @{Add=value1,value2,...} QUESTION 42 Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain controller (RODC). You need to identify which user accounts attempted to authenticate to the RODC. Which tool should you use? A. B. C. D.

Active Directory Users and Computers Ntdsutil Get-ADAccountResultantPasswordReplicationPolicy Adtest

Correct Answer: A Section: (none) Explanation Explanation/Reference: Ntdsutil cannot be used for this. http://technet.microsoft.com/en-us/library/cc753343.aspx Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list or denied list of a read-only domain controller's password replication policy. GetADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed. http://technet.microsoft.com/en-us/library/ee617207.aspx Adtest is used for perfomance testing. Reference 1: http://technet.microsoft.com/en-us/library/cc755310.aspx Review whose accounts have been authenticated to an RODC

Periodically, you should review whose accounts have been authenticated to an RODC. (...) You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have been authenticated to an RODC. Reference 2: http://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3-6ebb9d7fa6bf(v=ws.10)#BKMK_Auth2 [Gives a step by step explanation on using Active Directory Users and Computers for this.] QUESTION 43 Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to generate a file that contains the last logon time and the custom attribute values for each user in the forest. What should you use? A. B. C. D.

the Get-ADUser cmdlet the Export-CSV cmdlet the Net User command the Dsquery User tool

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as E/Q16. I find this one a bit tricky, as both the Get-ADUser cmdlet and the Dsquery tool seem to get the job done, I think. The other two options play no role here: Export-CSV cannot perform queries. It is used to save queries that have been piped through. Net User is too limited for our question. Get-ADUser References: https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for-output.aspx http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838e0f5f3a591d7 http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/ Export-Csv Reference: http://technet.microsoft.com/en-us/library/ee176825.aspx Saving Data as a Comma-Separated Values File The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt: Get-Process | Export-Csv c:\scripts\test.txt.

Net User

Reference: http://technet.microsoft.com/en-us/library/cc771865.aspx Adds or modifies user accounts, or displays user account information. DSQUERY Reference 1: http://technet.microsoft.com/en-us/library/cc754232.aspx Parameters { | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node . If you specify forestroot, AD DS searches by using the global catalog. -attr { | *} Specifies that the semicolon separated LDAP display names included in for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default is a distinguished name. Reference 2: http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the startnode, instead of forestroot what we need. Reference 3: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f690378e0f787/ List all last login times for all users, regardless of whether they are disabled. dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >>c:\last_logon_for_all.txt QUESTION 44 You have an Active Directory domain named contoso.com. You need to view the account lockout threshold and duration for the domain. Which tool should you use? A. B. C. D.

Net User Active Directory Users and Computers Group Policy Management Console (GPMC) Computer Management

Correct Answer: C Section: (none) Explanation Explanation/Reference: Same question as K/Q12. For K/Q12 I thought there was only one option, but here there are two correct answers: B ("Active Directory Users and Computers") C ("Group Policy Management Console (GPMC)")

Am I missing something? Which is the "right" one? You tell me. QUESTION 45 A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS server for fabrikam.com. You install the DNS Server server role on a member server named DNS1 and then you create a standard secondary zone for fabrikam.com. You configure DC4 as the master server for the zone.

You need to ensure that DNS1 receives zone updates from DC4. What should you do? A. B. C. D.

Add the DNS1 computer account to the DNSUpdateProxy group. On DC4, modify the permissions of fabrikam.com zone. On DNS1, add a conditional forwarder. On DC4, modify the zone transfer settings for the fabrikam.com zone.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Practically the same question as B/Q1 and J/Q23. Reference: http://technet.microsoft.com/en-us/library/cc771652.aspx Modify Zone Transfer Settings You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer. To modify zone transfer settings using the Windows interface 1. Open DNS Manager. 2. Right-click a DNS zone, and then click Properties. 3. On the Zone Transfers tab, do one of the following: To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box. 4. If you allowed zone transfers, do one of the following: To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. QUESTION 46 A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module for private key storage. You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA option is not available. You need to install the AD CS server role as an Enterprise CA on CA1. What should you do first? A. B. C. D.

Add the DNS Server server role to CA1. Add the Web Server (IIS) server role and the AD CS server role to CA1. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1. Join CA1 to the domain.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference 1: http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/ Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it’s unavailable. Well, you need to fulfill basic requirements: 1. Server machine has to be a member server (domain joined). 2. (...) Reference 2: http://social.technet.microsoft.com/Forums/en/w7itproSP/thread/34f95b81-b196-4211-9a99-a06108521268 I am trying to install a new enterprise root CA on my windows server 2008 r2 system, but the enterprise option is always greyed out. The server was originally setup and put on the domain, but has since been removed from the domain and left in a workgroup. its greyed out because it's not in a domain; that's one of the requirements for Enterprise CA. QUESTION 47 Your company has an Active Directory forest. Each regional office has an organizational unit (OU) named Marketing. The Marketing OU contains all users and computers in the region's Marketing department. You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs. You create a GPO named MarketingApps. What should you do next? A. B. C. D.

Configure the GPO to assign the application to the computer account. Link the GPO to the domain. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.

Correct Answer: C Section: (none) Explanation Explanation/Reference: Practically the same question as A/Q38. We need to assign the software to the computers, and link the GPO to each Marketing OU. We do not link it to the domain, then every computer would have the software. Reference: http://support.microsoft.com/kb/816102 You can use Group Policy to distribute computer programs by using the following methods: Assigning Software You can assign a program distribution to users or computers. If you assign the program to a user, it is installed

when the user logs on to the computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed. Publishing Software You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there. QUESTION 48 Your network contains an Active Directory domain named contoso.com. The Active Directory sites are configured as shown in the Sites exhibit:

You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between the sites. What should you do? Exhibit:

A. B. C. D.

Configure DC1 as a preferred bridgehead server for IP transport. Configure DC4 as a preferred bridgehead server for IP transport. From the DC4 server object, create a Connection object for DC1. From the DC1 server object, create a Connection object for DC4.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Same question as L/Q4, with a different Exhibit, so with a different answer. Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. QUESTION 49 Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.

DC1 has the DNS Server role installed and hosts an Active Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are both set to three days. The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit:

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit:

You discover that the scavenging process ran today, but the record for Server1 was not deleted. You run dnscmd.exe and specify the ageallrecords parameter. You need to identify when the record for Server1 will be deleted from the zone. In how many days will the record be deleted? A. B. C. D.

13 10 23 7

Correct Answer: D Section: (none) Explanation Explanation/Reference: The blank Record time stamp field indicates a static record. That's the reason it wasn't deleted. The timestamp has been set using dnscmd /ageallrecords. The Time to live setting means that the server will hold a cached record for 10 days, so it has nothing to do with this question. The record will become stale in six days (no-refresh interval + refresh interval, that's 3 + 3 days), so now that the timestamp has been set it will be deleted when the next scavenging operation occurs, in seven days.

Reference 1: http://technet.microsoft.com/en-us/library/cc772069.aspx dnscmd /ageallrecords Sets the current time on all time stamps in a zone or node. Record scavenging does not occur unless the records are time stamped. Name server (NS) resource records, start of authority (SOA) resource records, and Windows Internet Name Service (WINS) resource records are not included in the scavenging process, and they are not time stamped even when the ageallrecords command runs. Reference 2: http://www.windowsitpro.com/article/dns/scavenging-stale-dns-records When a record is older than the sum of the no-refresh interval and the refresh interval, the scavenging feature considers the record stale and deletes it. So, when you set No-refresh interval to 3 days and Refresh interval to 5 days, scavenging will delete records that are more than 8 days old. QUESTION 50 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit:

Each organizational unit (OU) contains over 500 user accounts. The Finance OU and the Human Resources OU contain several user accounts that are members of a universal group named Group1. You have a Group Policy object (GPO) linked to the domain. You need to prevent the GPO from being applied to the members of Group1 only.

What should you do? Exhibit:

A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy permissions. Enable block inheritance. Configure the link order. Enable loopback processing in merge mode. Enable loopback processing in replace mode. Configure WMI filtering. Configure Restricted Groups. Configure Group Policy Preferences. Link the GPO to the Finance OU. Link the GPO to the Human Resources OU.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Practically the same question as J/Q21. Best way to handle this is how graimer from Norway desribed it in http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2012-0704.by.Andyfx.401q.vce.file.html "GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the secuirty filter and add groups containing everyone except group1 members(messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(since

deny will alwys win over allow)." The reference below explains a situation where the GPO only needs to be applied to one group, it's the other way around so to speak. Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286 Using Security Filtering to Modify GPO Scope By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO. Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify. Filtering a GPO to Apply to Specific Groups To apply a GPO to a specific security group, perform the following steps: 4. Select the GPO in the Group Policy Objects container in the console tree. 5. In the Security Filtering section, select the Authenticated Users group and click Remove. 6. Click OK to confirm the change. 7. Click Add. 8. Select the group to which you want the policy to apply and click OK.

Exam L QUESTION 1 Your network contains an Active Directory domain. The domain contains a domain controller named DC1 that runs Windows Server 2008 R2 Service Pack 1 (SP1). You need to implement a central store for domain policy templates. What should you do? To answer, select the source content that should be copied to the destination folder in the answer area. Hot Area:

Correct Answer:

Section: (none) Explanation Explanation/Reference: In the reference below the entire PolicyDefinitions folder gets copied. In the question we copy the contents of that PolicyDefinitions folder, which has the same result of course. Reference: http://www.petri.co.il/creating-group-policy-central-store.htm Creating a Central Store Creating a central store is actually a rather simple process. The first thing that you will have to do is to log onto a computer that is running either Windows Vista or Windows Server 2008. If you have one particular machine that has all of your group policy template files installed on it, then that machine is a good candidate. The next thing that you must do is to open Windows Explorer, and then go into the C:\Windows folder. Locate the PolicyDefinitions folder, right click on it, and then choose the Copy command from the shortcut menu. This will copy the folder and its contents to the Windows clipboard.

The next step in the process is to map a network drive letter to the sysvol folder on a domain controller. The full path that you will need to access on the domain controller is c:\Windows\SYSVOL\domain\Policies. Finally, copy the PolicyDefinitions folder to the \Windows\SYSVOL\domain\Policies folder on the domain controller. You can see what this looks like in Figure A.

Figure A Copy the PolicyDefinitions folder to the domain controller’s \Windows\Sysvol\Domain\Policies folder. QUESTION 2 Your network contains an Active Directory forest named contoso.com. You plan to migrate all user accounts to a new forest named litwareinc.com. The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains four servers. The servers are configured as shown in the following table:

The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains four servers. The servers are configured as shown in the following table:

You need to identify on which server in the litwareinc.com forest you must install Active Directory Migration Tool version 3.2 (ADMT v3.2). Which server should you identify? A. B. C. D.

Litw_Srv4 Litw_Srv1 Litw_Srv2 Litw_Srv3

Correct Answer: D Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc974370.aspx Prerequisites for installing ADMT v3.2 Although you can use ADMT v3.2 to migrate accounts and resources from Active Directory environments that have a domain functional level of Windows Server 2003 or later, you can install ADMT v3.2 only on a server running Windows Server 2008 R2. In addition to running Windows Server 2008 R2, the server computer that you use to install ADMT v3.2 must not be installed under the Server Core installation option or be running as a read-only domain controller (RODC).

QUESTION 3 Your network contains an Active Directory domain. The password policy for the domain is configured as shown in the Current Policy exhibit:

You change the password policy for the domain as shown in the New Policy exhibit:

You need to provide users with examples of a valid password. Which password examples should you provide to the users? (Each correct answer presents a complete solution. Choose three.) A. B. C. D. E. F.

123456!@#$%^ !@#$1234ABCD password1234 1-2-3-4-5-a-b-c-e %%PASS1234%% 111111aaaaaaa

Correct Answer: BDE Section: (none)

Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc786468.aspx Passwords must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created. If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created: 1. Passwords must not contain the user's entire samAccountName (Account Name) value or entire displayName (Full Name) value. 2. Passwords must contain characters from three of the following five categories: Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) Base 10 digits (0 through 9) Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"',.?/ Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. QUESTION 4 Your network contains an Active Directory domain named contoso.com. The Active Directory sites are configured as shown in the Sites exhibit:

You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between the sites. What should you do? Exhibit:

A. B. C. D.

Configure DC1 as a preferred bridgehead server for IP transport. Configure DC4 as a preferred bridgehead server for IP transport. From the DC4 server object, create a Connection object for DC1. From the DC1 server object, create a Connection object for DC4.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Same question as K/Q48, with a different Exhibit, so with a different answer. Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. QUESTION 5 Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The forest contains a single domain.

You need to ensure that objects can be restored from the Active Directory Recycle Bin. Which tool should you use? A. B. C. D.

Ntdsutil Set-ADDomain Dsamain Enable-ADOptionalFeature

Correct Answer: D Section: (none) Explanation Explanation/Reference: Similar question to question E/Q28. Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx Enabling Active Directory Recycle Bin After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods: Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.) Ldp.exe QUESTION 6 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit:

Users in the Finance organizational unit (OU) frequently log on to client computers in the Human Resources OU. You need to meet the following requirements: All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the Human Resources OU must be applied to finance users when they log on to client computers in the Engineering OU. Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users when they log on to client computers in the Finance OU. Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human Resources OU. What should you do? Exhibit:

A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy permissions. Enable block inheritance. Configure the link order. Enable loopback processing in merge mode. Enable loopback processing in replace mode. Configure WMI filtering. Configure Restricted Groups. Configure Group Policy Preferences. Link the GPO to the Finance OU. Link the GPO to the Human Resources OU.

Correct Answer: D Section: (none)

Explanation Explanation/Reference: Very similar question to K/Q11. We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO's that are linked to the Sales OU and the Engineering OU to be applied. Reference 1: http://technet.microsoft.com/en-us/library/cc782810.aspx Loopback processing with merge or replace Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory. Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings. Loopback with Replace—In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user. Loopback with Merge—In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict. Reference 2: http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html For a clear and easy explanation of Loopback Processing. Recommended! Reference 3: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028 Loopback Processing When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The same goes for domain policy application for computers. There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer objects. To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the computerlinked policies last. QUESTION 7 Your network contains an Active Directory forest named contoso.com. The forest contains four computers. The computers are configured as shown in the following table:

An administrator creates a script that contains the following commands:

You need to identity which computers can successfully run all of the commands in the script. Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.) A. B. C. D.

Computer1 Server1 Computer2 Server2

Correct Answer: CD Section: (none) Explanation Explanation/Reference: According to Technet the "Auditpol /resourceSACL" command applies only to Windows 7 and Windows Server 2008 R2 (and I suppose Windows 8 and Windows Server 2012), so the answer should be Computer2 and Server2 Reference: http://technet.microsoft.com/en-us/library/ff625687.aspx Auditpol resourceSACL Applies only to Windows 7 and Windows Server 2008 R2. QUESTION 8 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit:

You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group. The users must be removed from the group when they log off of the client computers. What should you do? Exhibit:

A. B. C. D. E. F. G. H. I. J.

Modify the Group Policy permissions. Enable block inheritance. Configure the link order. Enable loopback processing in merge mode. Enable loopback processing in replace mode. Configure WMI filtering. Configure Restricted Groups. Configure Group Policy Preferences. Link the Group Policy object (GPO) to the Finance organizational unit (OU). Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).

Correct Answer: H Section: (none) Explanation Explanation/Reference: Practically the same question as K/Q26. Reference: http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/ http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/ QUESTION 9 Your company plans to open a new branch office. The new office will have a low-speed connection to the Internet. You plan to deploy a read-only domain controller (RODC) in the branch office. You need to create an offline copy of the Active Directory database that can be used to install the Active Directory on the new RODC.

Which commands should you run from Ntdsutil? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Same question as J/Q31, same answers. Reference: http://technet.microsoft.com/en-us/library/cc770654.aspx Installing AD DS from Media You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently. To create installation media

1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: ntdsutil 3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds 4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm 5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic) and then press ENTER. For example, to create RODC installation media, type the following command, and then press ENTER: create rodc C:\InstallationMedia 6. Where C:\InstallationMedia is the path to the folder where you want the installation media to be created. 7. You can save the installation media to a network shared folder or to any other type of removable media. QUESTION 10 Your network contains an Active Directory forest named contoso.com. You need to use Group Policies to deploy the applications shown in the following table:

What should you do? To answer, drag the appropriate deployment method to the correct application in the answer area. Select and Place:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Practically the same question as I/Q2. Reference: technet.microsoft.com/en-us/library/cc783502.aspx Software installation You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension. Assigning Applications When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications.) When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package. Publishing Applications You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers. QUESTION 11 Your network contains an Active Directory domain named contoso.com. You need to view which password setting object is applied to a user. Which filter option in Attribute Editor should you enable?

To answer, select the appropriate filter option in the answer area. Hot Area:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc770848.aspx View a Resultant PSO for a User or a Global Security Group You can view the resultant Password Settings object (PSO) for a user object: Viewing the resultant PSO for users using the Active Directory module for Windows PowerShell Viewing the resultant PSO for users using the Windows interface Viewing the resultant PSO for users from the command line using dsget To view the resultant PSO for a user using Windows interface 1. 2. 3. 4.

Open Active Directory Users and Computers. On the View menu, ensure that Advanced Features is checked. In the console tree, click Users. In the details pane, right-click the user account for which you want to view the resultant PSO, and then click Properties. 5. Click the Attribute Editor tab, and then click Filter. 6. Ensure that the Show attributes/Optional check box is selected.

7. Ensure that the Show read-only attributes/Constructed check box is selected. 8. Locate the value of the msDS-ResultantPSO attribute in the Attributes list. QUESTION 12 Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Fabrikam.com contains a server named Server1. You assign Contoso\Domain Users the Manage documents permission and the Print permission to a shared printer on Server1. You discover that users from contoso.com cannot access the shared printer on Server1. You need to ensure that the contoso.com users can access the shared printer on Server1. Which permission should you assign to Contoso\Domain Users? To answer, select the appropriate permission in the answer area. Hot Area:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc816733.aspx Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest. QUESTION 13 Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table:

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest. You need to configure DC2 as a global catalog server. Which object's properties should you modify? To answer, select the appropriate object in the answer area. Hot Area:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://technet.microsoft.com/en-us/library/cc794934.aspx To designate a domain controller to be a global catalog server 1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server. 3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server. 4. Right-click the NTDS Settings object for the target server, and then click Properties. 5. Select the Global Catalog check box, and then click OK. QUESTION 14 Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-only domain controller (RODC). You accidentally delete the site link between the two sites. You recreate the site link while you are connected to a domain controller in Seattle. You need to replicate the change to the RODC in Montreal. Which node in Active Directory Sites and Services should you use? To answer, select the appropriate node in the answer area. Hot Area:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference 1: http://blogs.technet.com/b/ashleymcglone/archive/2011/06/29/report-and-edit-ad-site-links-from-powershellturbo-your-ad-replication.aspx Site links are stored in the Configuration partition of the AD database. Reference 2: http://technet.microsoft.com/en-us/library/dd736126.aspx To use Active Directory Sites and Services to force replication of the configuration partition to an RODC 1. Open the Active Directory Sites and Services snap-in (Dssite.msc). 2. Double-click Sites, double-click the name of the site that has the RODC, double-click Servers, double-click the name of the RODC, right-click NTDS Settings, and then click Replicate configuration to the selected DC. 3. Click OK to close the message indicating that AD DS has replicated the connections. QUESTION 15 Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table:

You need to enable universal group membership caching in the Seattle site. Which object's properties should you modify?

To answer, select the appropriate object in the answer area. Hot Area:

Correct Answer:

Section: (none) Explanation Explanation/Reference: Reference: http://http://technet.microsoft.com/en-us/magazine/ff797984.aspx Configure Universal Group Membership Caching in Active Directory You can enable or disable universal group membership caching by following these steps:

1. In Active Directory Sites And Services, expand and then select the site you want to work with. 2. In the details pane, right-click NTDS Site Settings, and then click Properties. 3. To enable universal group membership caching, select the Enable Universal Group Membership Caching check box on the Site Settings tab. Then, in the Refresh Cache From list, choose a site from which to cache universal group memberships. The selected site must have a working global catalog server. 4. To disable universal group membership caching, clear the Enable Universal Group Membership Caching check box on the Site Settings tab. 5. Click OK. QUESTION 16 Your network contains an Active Directory forest named contoso.com. The forest contains six domains. You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers. Which tool should you use? A. B. C. D.

Active Directory Domains and Trusts Set-ADDomain Active Directory Sites and Services Active Directory Users and Computers

Correct Answer: A Section: (none) Explanation Explanation/Reference: Many thanks to Camel73 for supplying this new question! Reference: http://technet.microsoft.com/en-us/library/cc772007.aspx To add UPN suffixes 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties. 3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add. 4. Repeat step 3 to add additional alternative UPN suffixes.

Exam M QUESTION 1 Domains provide which of the following functions? A. B. C. D.

Creating logical boundaries Easing the administration of users, groups, computers, and other objects Providing a central database of network objects All of the above

Correct Answer: D Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc756901%28v=ws.10%29.aspx Active Directory Logical Structure Background Information Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model. Active Directory is a distributed database that stores and manages information about network resources, as well as application-specific data from directory enabled applications. Active Directory allows administrators to organize elements of a network (such as users, computers, devices, and so on) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units. This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and network topology.

Figure 2.2 Relationship Between Active Directory Forests, Domains, and OUs

QUESTION 2 You are the administrator for a large organization with multiple remote sites. Your supervisor would like to have remote users log in locally to their own site, but he is nervous about security. What type of server can you implement to ease their concerns?

A. B. C. D.

Domain controller Global Catalog Read-only domain controller Universal Group Membership Caching Server

Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772234%28v=ws.10%29.aspx Read-Only Domain Controllers Step-by-Step Guide An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. QUESTION 3 You are the network administrator for the ABC Company. Your network consists of two DNS servers named DNS1 and DNS2. The users who are configured to use DNS2 complain because they are unable to connect to Internet websites. The following table shows the configuration of both servers:

The users connected to DNS2 need to be able to access the Internet. What needs to be done? A. B. C. D.

Build a new Active Directory Integrated zone on DNS2. Delete the .(root) zone from DNS2 and configure Conditional forwarding on DNS2. Delete the current cache.dns file. Update your cache.dns file and root hints.

Correct Answer: B Section: (none) Explanation Explanation/Reference: Basically the same as B/Q4. http://support.microsoft.com/kb/298148 How To Remove the Root Zone (Dot Zone) When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone. QUESTION 4

You are the network administrator for a large company that has one main site and one branch office. Your company has a single Active Directory forest, ABC.com. You have a single domain controller named ServerA in the main site that has the DNS role installed. ServerA is configured as a primary DNS zone. You have decided to place a domain controller named ServerB in the remote site and implement the DNS role on that server. You want to configure DNS so that if the WAN link fails, users in both sites can still update records and resolve any DNS queries. How should you configure the DNS servers? A. Configure Server B as a secondary DNS server. Set replication to occur every 5 minutes. B. Configure Server B as s stub zone. C. Configure Server B as an Active Directory Integrated zone and convert Server A to an Active Directory Integrated zone. D. Configure Server A as an Active Directory Integrated zone and configure Server B as a secondary zone. Correct Answer: C Section: (none) Explanation Explanation/Reference: http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. How DNS integrates with AD DS When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain. Benefits of AD DS integration For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits: DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to

either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones. Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication. QUESTION 5 You are the network administrator for an organization that has two locations, New York and London. Each location has multiple domains but all domains fall under the same tree, Stellacon.com. Users in the NY.us.stellacon.com domain need to access resources in the London.uk.stellacon.com domain. You need to reduce the amount of time it takes for authentication when users from NY.us.stellacon.com access resources in London.uk.stellacon.com. What can you do? A. B. C. D.

Set up a one-way shortcut trust from London.uk.stellacon.com to NY.us.stellacon.com. Set up a one-way shortcut trust from NY.us.stellacon.com to London.uk.stellacon.com. Enable Universal Group Membership Caching in NY.us.stellacon.com. Enable Universal Group Membership Caching in London.uk.stellacon.com.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Basically the same as B/Q7. http://technet.microsoft.com/en-us/library/cc754538.aspx Understanding When to Create a Shortcut Trust When to create a shortcut trust Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process. Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees. Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.

Using one-way trusts A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests—but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path. Using two-way trusts A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path. QUESTION 6 You are hired as a consultant by ABC Corporation to implement a Windows Server 2008 R2 computer onto their Windows Server 2003 domain. All of the client machines are Windows 7. You install Windows Server 2008 R2 onto a new computer and join that computer to the Windows 2003 domain. You want to upgrade the Windows Server 2008 R2 to a domain controller. What should you do first? A. B. C. D.

On the new server, run adprep /domainprep. On the new server, run adprep /forestprep. On a Windows Server 2003 domain controller, run adprep /domainprep. On a Windows Server 2003 domain controller, run adprep /forestprep.

Correct Answer: D Section: (none) Explanation Explanation/Reference: Same as A/Q44: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a12598a96cd0c1/ DC promotion and adprep/forestprep Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first perpare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder"

A1: You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder and run Adprep from there. A2: to introduce the first W2K8 DC within an AD forest.... (1) no AD forest exists yet: --> on the stand alone server execute: DCPROMO --> and provide the information needed (2) an W2K or W2K3 AD forest already exists: --> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests) --> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests) --> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains) --> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains) --> on the stand alone server execute: DCPROMO --> and provide the information needed

QUESTION 7 You need to deactivate the UGMC option on some of your domain controllers. At which level in Active Directory would you deactivate UGMC? A. B. C. D.

Server Site Domain Forest

Correct Answer: B Section: (none) Explanation Explanation/Reference: Basically the same as B/Q22: http://www.ntweekly.com/?p=788 Question:How To Enable Or Disable Universal Group Membership Caching Windows Server 2008 Answer: Universal Group Membership Caching enables us to allow users to log on to the network without contacting a Global Catalog server, this is recommended to use in remote sites without global a catalog server. To enable or disable Universal Group Membership Caching follow the steps below: Open Active Directory Sites And Service -> Go to the site you need to enable or disable the feature -> Right click on the NTDS Site Settings and Click on Properties

Tick the Box next to Enable Universal Group Membership Caching to Enable or Disable.

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91 Script to Disable Universal Group Membership Caching in all Sites How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user’s membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of Universal Groups a user is member of rather than contacting a Global Catalog. Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user’s account at the time the user logs on to the domain to the authenticating domain controller. UGMC is generally a good idea for multiple domain forests when: 1. Universal Group membership does not change frequently. 2. Low WAN bandwidth between Domain Controllers in different sites. It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs. QUESTION 8 You work for an organization with a single domain forest. Your company has one main location and two branch locations. All locations are configured as Active Directory sites and all sites are connected with the DEFAULTIPSITELINK object. Your connections are running slower than the company policy allows. You want to decrease the replication latency between all domain controllers in the various sites. What should you do? A. B. C. D.

Decrease the Replication interval for the DEFAULTIPSITELINK object. Decrease the Replication interval for the site. Decrease the Replication schedule for the site. Decrease the Replication schedule for all domain controllers.

Correct Answer: A Section: (none) Explanation Explanation/Reference: Basically the same as A/Q28: Answer: Decrease the replication interval for the DEFAULTIPSITELINK object. Personal comment: All sites are connected with the DEFAULTIPSITELINK object.
View more...

Comments

Copyright © 2017 PDFSECRET Inc.